Diffstat (limited to 'crypto/heimdal/lib/krb5')
-rw-r--r--crypto/heimdal/lib/krb5/Makefile.am154
-rw-r--r--crypto/heimdal/lib/krb5/Makefile.in2276
-rw-r--r--crypto/heimdal/lib/krb5/acache.c447
-rw-r--r--crypto/heimdal/lib/krb5/acl.c42
-rw-r--r--crypto/heimdal/lib/krb5/add_et_list.c74
-rw-r--r--crypto/heimdal/lib/krb5/addr_families.c408
-rw-r--r--crypto/heimdal/lib/krb5/aes-test.c768
-rw-r--r--crypto/heimdal/lib/krb5/aname_to_localname.c58
-rw-r--r--crypto/heimdal/lib/krb5/appdefault.c130
-rw-r--r--crypto/heimdal/lib/krb5/asn1_glue.c72
-rw-r--r--crypto/heimdal/lib/krb5/auth_context.c165
-rw-r--r--crypto/heimdal/lib/krb5/build_ap_req.c60
-rw-r--r--crypto/heimdal/lib/krb5/build_auth.c172
-rw-r--r--crypto/heimdal/lib/krb5/cache.c1264
-rw-r--r--crypto/heimdal/lib/krb5/ccache_plugin.h39
-rw-r--r--crypto/heimdal/lib/krb5/changepw.c285
-rw-r--r--crypto/heimdal/lib/krb5/codec.c102
-rw-r--r--crypto/heimdal/lib/krb5/config_file.c876
-rw-r--r--crypto/heimdal/lib/krb5/config_file_netinfo.c180
-rw-r--r--crypto/heimdal/lib/krb5/constants.c80
-rw-r--r--crypto/heimdal/lib/krb5/context.c879
-rw-r--r--crypto/heimdal/lib/krb5/convert_creds.c193
-rw-r--r--crypto/heimdal/lib/krb5/copy_host_realm.c71
-rw-r--r--crypto/heimdal/lib/krb5/crc.c56
-rw-r--r--crypto/heimdal/lib/krb5/creds.c128
-rw-r--r--crypto/heimdal/lib/krb5/crypto-aes.c170
-rw-r--r--crypto/heimdal/lib/krb5/crypto-algs.c87
-rw-r--r--crypto/heimdal/lib/krb5/crypto-arcfour.c325
-rw-r--r--crypto/heimdal/lib/krb5/crypto-des-common.c152
-rw-r--r--crypto/heimdal/lib/krb5/crypto-des.c377
-rw-r--r--crypto/heimdal/lib/krb5/crypto-des3.c226
-rw-r--r--crypto/heimdal/lib/krb5/crypto-evp.c182
-rw-r--r--crypto/heimdal/lib/krb5/crypto-null.c97
-rw-r--r--crypto/heimdal/lib/krb5/crypto-pk.c301
-rw-r--r--crypto/heimdal/lib/krb5/crypto-rand.c109
-rw-r--r--crypto/heimdal/lib/krb5/crypto-stubs.c102
-rw-r--r--crypto/heimdal/lib/krb5/crypto.c4319
-rw-r--r--crypto/heimdal/lib/krb5/crypto.h179
-rw-r--r--crypto/heimdal/lib/krb5/data.c140
-rw-r--r--crypto/heimdal/lib/krb5/deprecated.c609
-rw-r--r--crypto/heimdal/lib/krb5/derived-key-test.c26
-rw-r--r--crypto/heimdal/lib/krb5/digest.c422
-rw-r--r--crypto/heimdal/lib/krb5/doxygen.c707
-rw-r--r--crypto/heimdal/lib/krb5/eai_to_heim_errno.c60
-rw-r--r--crypto/heimdal/lib/krb5/error_string.c331
-rw-r--r--crypto/heimdal/lib/krb5/expand_hostname.c97
-rw-r--r--crypto/heimdal/lib/krb5/expand_path.c500
-rw-r--r--crypto/heimdal/lib/krb5/fcache.c593
-rw-r--r--crypto/heimdal/lib/krb5/free.c56
-rw-r--r--crypto/heimdal/lib/krb5/free_host_realm.c73
-rw-r--r--crypto/heimdal/lib/krb5/generate_seq_number.c80
-rw-r--r--crypto/heimdal/lib/krb5/generate_subkey.c77
-rw-r--r--crypto/heimdal/lib/krb5/get_addrs.c132
-rw-r--r--crypto/heimdal/lib/krb5/get_cred.c963
-rw-r--r--crypto/heimdal/lib/krb5/get_default_principal.c116
-rw-r--r--crypto/heimdal/lib/krb5/get_default_realm.c61
-rw-r--r--crypto/heimdal/lib/krb5/get_for_creds.c121
-rw-r--r--crypto/heimdal/lib/krb5/get_host_realm.c99
-rw-r--r--crypto/heimdal/lib/krb5/get_in_tkt.c456
-rw-r--r--crypto/heimdal/lib/krb5/get_in_tkt_pw.c90
-rw-r--r--crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c99
-rw-r--r--crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c82
-rw-r--r--crypto/heimdal/lib/krb5/get_port.c58
-rw-r--r--crypto/heimdal/lib/krb5/heim_err.et5
-rw-r--r--crypto/heimdal/lib/krb5/heim_threads.h175
-rw-r--r--crypto/heimdal/lib/krb5/init_creds.c270
-rw-r--r--crypto/heimdal/lib/krb5/init_creds_pw.c1680
-rw-r--r--crypto/heimdal/lib/krb5/k524_err.et2
-rw-r--r--crypto/heimdal/lib/krb5/kcm.c807
-rw-r--r--crypto/heimdal/lib/krb5/kcm.h29
-rw-r--r--crypto/heimdal/lib/krb5/kerberos.84
-rw-r--r--crypto/heimdal/lib/krb5/keyblock.c167
-rw-r--r--crypto/heimdal/lib/krb5/keytab.c687
-rw-r--r--crypto/heimdal/lib/krb5/keytab_any.c106
-rw-r--r--crypto/heimdal/lib/krb5/keytab_file.c342
-rw-r--r--crypto/heimdal/lib/krb5/keytab_keyfile.c216
-rw-r--r--crypto/heimdal/lib/krb5/keytab_krb4.c448
-rw-r--r--crypto/heimdal/lib/krb5/keytab_memory.c110
-rw-r--r--crypto/heimdal/lib/krb5/krb5-private.h504
-rw-r--r--crypto/heimdal/lib/krb5/krb5-protos.h2053
-rw-r--r--crypto/heimdal/lib/krb5/krb5-v4compat.h75
-rw-r--r--crypto/heimdal/lib/krb5/krb5.3526
-rw-r--r--crypto/heimdal/lib/krb5/krb5.conf.556
-rw-r--r--crypto/heimdal/lib/krb5/krb5.h452
-rw-r--r--crypto/heimdal/lib/krb5/krb5.moduli2
-rw-r--r--crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_425_conv_principal.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_acl_match_file.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_address.3359
-rw-r--r--crypto/heimdal/lib/krb5/krb5_aname_to_localname.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_appdefault.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_auth_context.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_c_make_checksum.320
-rw-r--r--crypto/heimdal/lib/krb5/krb5_ccache.3517
-rw-r--r--crypto/heimdal/lib/krb5/krb5_ccapi.h75
-rw-r--r--crypto/heimdal/lib/krb5/krb5_check_transited.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_compare_creds.3104
-rw-r--r--crypto/heimdal/lib/krb5/krb5_config.3307
-rw-r--r--crypto/heimdal/lib/krb5/krb5_context.356
-rw-r--r--crypto/heimdal/lib/krb5/krb5_create_checksum.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_creds.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_crypto_init.367
-rw-r--r--crypto/heimdal/lib/krb5/krb5_data.3159
-rw-r--r--crypto/heimdal/lib/krb5/krb5_digest.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_encrypt.310
-rw-r--r--crypto/heimdal/lib/krb5/krb5_err.et14
-rw-r--r--crypto/heimdal/lib/krb5/krb5_expand_hostname.393
-rw-r--r--crypto/heimdal/lib/krb5/krb5_find_padata.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_generate_random_block.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_credentials.335
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_creds.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_in_cred.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_init_creds.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_get_krbhst.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_getportbyname.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_init_context.314
-rw-r--r--crypto/heimdal/lib/krb5/krb5_is_thread_safe.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_keyblock.3218
-rw-r--r--crypto/heimdal/lib/krb5/krb5_keytab.3482
-rw-r--r--crypto/heimdal/lib/krb5/krb5_krbhst_init.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_kuserok.3103
-rw-r--r--crypto/heimdal/lib/krb5/krb5_locl.h165
-rw-r--r--crypto/heimdal/lib/krb5/krb5_mk_req.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_mk_safe.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_openlog.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_parse_name.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_principal.324
-rw-r--r--crypto/heimdal/lib/krb5/krb5_rcache.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_rd_error.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_rd_safe.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_set_default_realm.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_set_password.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_storage.3427
-rw-r--r--crypto/heimdal/lib/krb5/krb5_string_to_key.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_ticket.3137
-rw-r--r--crypto/heimdal/lib/krb5/krb5_timeofday.36
-rw-r--r--crypto/heimdal/lib/krb5/krb5_unparse_name.362
-rw-r--r--crypto/heimdal/lib/krb5/krb5_verify_init_creds.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_verify_user.34
-rw-r--r--crypto/heimdal/lib/krb5/krb5_warn.3233
-rw-r--r--crypto/heimdal/lib/krb5/krbhst-test.c58
-rw-r--r--crypto/heimdal/lib/krb5/krbhst.c355
-rw-r--r--crypto/heimdal/lib/krb5/kuserok.c135
-rw-r--r--crypto/heimdal/lib/krb5/locate_plugin.h58
-rw-r--r--crypto/heimdal/lib/krb5/log.c165
-rw-r--r--crypto/heimdal/lib/krb5/mcache.c161
-rw-r--r--crypto/heimdal/lib/krb5/misc.c114
-rw-r--r--crypto/heimdal/lib/krb5/mit_glue.c221
-rw-r--r--crypto/heimdal/lib/krb5/mk_error.c64
-rw-r--r--crypto/heimdal/lib/krb5/mk_priv.c70
-rw-r--r--crypto/heimdal/lib/krb5/mk_rep.c72
-rw-r--r--crypto/heimdal/lib/krb5/mk_req.c60
-rw-r--r--crypto/heimdal/lib/krb5/mk_req_ext.c77
-rw-r--r--crypto/heimdal/lib/krb5/mk_safe.c68
-rw-r--r--crypto/heimdal/lib/krb5/n-fold-test.c24
-rw-r--r--crypto/heimdal/lib/krb5/n-fold.c54
-rw-r--r--crypto/heimdal/lib/krb5/name-45-test.c294
-rw-r--r--crypto/heimdal/lib/krb5/net_read.c59
-rw-r--r--crypto/heimdal/lib/krb5/net_write.c97
-rw-r--r--crypto/heimdal/lib/krb5/pac.c501
-rw-r--r--crypto/heimdal/lib/krb5/padata.c67
-rw-r--r--crypto/heimdal/lib/krb5/parse-name-test.c26
-rw-r--r--crypto/heimdal/lib/krb5/pcache.c66
-rw-r--r--crypto/heimdal/lib/krb5/pkinit.c1725
-rw-r--r--crypto/heimdal/lib/krb5/plugin.c623
-rw-r--r--crypto/heimdal/lib/krb5/principal.c1118
-rw-r--r--crypto/heimdal/lib/krb5/prog_setup.c62
-rw-r--r--crypto/heimdal/lib/krb5/prompter_posix.c54
-rw-r--r--crypto/heimdal/lib/krb5/rd_cred.c138
-rw-r--r--crypto/heimdal/lib/krb5/rd_error.c104
-rw-r--r--crypto/heimdal/lib/krb5/rd_priv.c99
-rw-r--r--crypto/heimdal/lib/krb5/rd_rep.c89
-rw-r--r--crypto/heimdal/lib/krb5/rd_req.c509
-rw-r--r--crypto/heimdal/lib/krb5/rd_safe.c104
-rw-r--r--crypto/heimdal/lib/krb5/read_message.c66
-rw-r--r--crypto/heimdal/lib/krb5/recvauth.c93
-rw-r--r--crypto/heimdal/lib/krb5/replay.c168
-rw-r--r--crypto/heimdal/lib/krb5/salt-aes.c103
-rw-r--r--crypto/heimdal/lib/krb5/salt-arcfour.c112
-rw-r--r--crypto/heimdal/lib/krb5/salt-des.c224
-rw-r--r--crypto/heimdal/lib/krb5/salt-des3.c150
-rw-r--r--crypto/heimdal/lib/krb5/salt.c305
-rw-r--r--crypto/heimdal/lib/krb5/scache.c1451
-rw-r--r--crypto/heimdal/lib/krb5/send_to_kdc.c227
-rw-r--r--crypto/heimdal/lib/krb5/send_to_kdc_plugin.h58
-rw-r--r--crypto/heimdal/lib/krb5/sendauth.c71
-rw-r--r--crypto/heimdal/lib/krb5/set_default_realm.c64
-rw-r--r--crypto/heimdal/lib/krb5/sock_principal.c62
-rw-r--r--crypto/heimdal/lib/krb5/store-int.c58
-rw-r--r--crypto/heimdal/lib/krb5/store-int.h52
-rw-r--r--crypto/heimdal/lib/krb5/store-test.c35
-rw-r--r--crypto/heimdal/lib/krb5/store.c828
-rw-r--r--crypto/heimdal/lib/krb5/store_emem.c122
-rw-r--r--crypto/heimdal/lib/krb5/store_fd.c47
-rw-r--r--crypto/heimdal/lib/krb5/store_mem.c125
-rw-r--r--crypto/heimdal/lib/krb5/string-to-key-test.c50
-rw-r--r--crypto/heimdal/lib/krb5/test_acl.c31
-rw-r--r--crypto/heimdal/lib/krb5/test_addr.c97
-rw-r--r--crypto/heimdal/lib/krb5/test_alname.c40
-rw-r--r--crypto/heimdal/lib/krb5/test_cc.c352
-rw-r--r--crypto/heimdal/lib/krb5/test_config.c174
-rw-r--r--crypto/heimdal/lib/krb5/test_crypto.c39
-rw-r--r--crypto/heimdal/lib/krb5/test_crypto_wrapping.c32
-rw-r--r--crypto/heimdal/lib/krb5/test_forward.c30
-rw-r--r--crypto/heimdal/lib/krb5/test_get_addrs.c31
-rw-r--r--crypto/heimdal/lib/krb5/test_hostname.c26
-rw-r--r--crypto/heimdal/lib/krb5/test_keytab.c134
-rw-r--r--crypto/heimdal/lib/krb5/test_kuserok.c28
-rw-r--r--crypto/heimdal/lib/krb5/test_mem.c28
-rw-r--r--crypto/heimdal/lib/krb5/test_pac.c174
-rw-r--r--crypto/heimdal/lib/krb5/test_pkinit_dh2key.c30
-rw-r--r--crypto/heimdal/lib/krb5/test_plugin.c58
-rw-r--r--crypto/heimdal/lib/krb5/test_prf.c28
-rw-r--r--crypto/heimdal/lib/krb5/test_princ.c57
-rw-r--r--crypto/heimdal/lib/krb5/test_renew.c31
-rw-r--r--crypto/heimdal/lib/krb5/test_store.c133
-rw-r--r--crypto/heimdal/lib/krb5/test_time.c26
-rw-r--r--crypto/heimdal/lib/krb5/ticket.c692
-rw-r--r--crypto/heimdal/lib/krb5/time.c95
-rw-r--r--crypto/heimdal/lib/krb5/transited.c219
-rw-r--r--crypto/heimdal/lib/krb5/v4_glue.c939
-rw-r--r--crypto/heimdal/lib/krb5/verify_init.c112
-rw-r--r--crypto/heimdal/lib/krb5/verify_krb5_conf.88
-rw-r--r--crypto/heimdal/lib/krb5/verify_krb5_conf.c105
-rw-r--r--crypto/heimdal/lib/krb5/verify_user.c115
-rw-r--r--crypto/heimdal/lib/krb5/version-script.map102
-rw-r--r--crypto/heimdal/lib/krb5/version.c54
-rw-r--r--crypto/heimdal/lib/krb5/warn.c272
-rw-r--r--crypto/heimdal/lib/krb5/write_message.c60
232 files changed, 29516 insertions, 21008 deletions
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
index ced9616e162c..9429535eb962 100644
--- a/crypto/heimdal/lib/krb5/Makefile.am
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -1,25 +1,29 @@
-# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $
+# $Id$
include $(top_srcdir)/Makefile.am.common
-AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err
+AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl)
bin_PROGRAMS = verify_krb5_conf
noinst_PROGRAMS = \
krbhst-test \
+ test_gic \
test_alname \
test_crypto \
+ test_rfc3961 \
test_get_addrs \
test_kuserok \
test_renew \
test_forward
+noinst_LTLIBRARIES = \
+ librfc3961.la
+
TESTS = \
aes-test \
derived-key-test \
n-fold-test \
- name-45-test \
parse-name-test \
store-test \
string-to-key-test \
@@ -27,6 +31,7 @@ TESTS = \
test_addr \
test_cc \
test_config \
+ test_fx \
test_prf \
test_store \
test_crypto_wrapping \
@@ -36,25 +41,54 @@ TESTS = \
test_plugin \
test_princ \
test_pkinit_dh2key \
- test_time
+ test_pknistkdf \
+ test_time \
+ test_x500
+
+check_DATA = test_config_strings.out
-check_PROGRAMS = $(TESTS) test_hostname
+check_PROGRAMS = $(TESTS) test_hostname test_ap-req
LDADD = libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la \
$(LIB_roken)
if PKINIT
LIB_pkinit = ../hx509/libhx509.la
endif
+if have_scc
+use_sqlite = $(LIB_sqlite3)
+endif
+
libkrb5_la_LIBADD = \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/ipc/libheim-ipcc.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/base/libheimbase.la \
$(LIB_pkinit) \
+ $(use_sqlite) \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_libintl) \
+ $(LIBADD_roken) \
+ $(PTHREAD_LIBADD) \
+ $(LIB_door_create) \
+ $(LIB_dlopen)
+
+librfc3961_la_LIBADD = \
$(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/ipc/libheim-ipcc.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(LIB_pkinit) \
+ $(use_sqlite) \
+ $(LIB_com_err) \
+ $(LIB_hcrypto) \
+ $(LIB_libintl) \
$(LIBADD_roken) \
+ $(PTHREAD_LIBADD) \
$(LIB_door_create) \
$(LIB_dlopen)
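Review bot: `librfc3961_la_LIBADD` is a hand-copied duplicate of `libkrb5_la_LIBADD`, and the two lists already differ: the libkrb5 list has `$(top_builddir)/base/libheimbase.la` and the librfc3961 list does not, with no comment saying whether that is intended. The same duplication appears in the next hunk, where `librfc3961_la_CPPFLAGS` repeats `libkrb5_la_CPPFLAGS` line for line. Referencing one definition from the other (for example `librfc3961_la_CPPFLAGS = $(libkrb5_la_CPPFLAGS)`, and a shared variable for the common link entries) keeps the noinst crypto library and the shipped library building with the same flags. A one-line comment above `noinst_LTLIBRARIES` saying what librfc3961.la is for would also help, since it is never installed.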
@@ -62,7 +96,15 @@ lib_LTLIBRARIES = libkrb5.la
ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
-libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS)
+libkrb5_la_CPPFLAGS = \
+ -DBUILD_KRB5_LIB \
+ $(AM_CPPFLAGS) \
+ -DHEIMDAL_LOCALEDIR='"$(localedir)"'
+
+librfc3961_la_CPPFLAGS = \
+ -DBUILD_KRB5_LIB \
+ $(AM_CPPFLAGS) \
+ -DHEIMDAL_LOCALEDIR='"$(localedir)"'
dist_libkrb5_la_SOURCES = \
acache.c \
@@ -79,7 +121,6 @@ dist_libkrb5_la_SOURCES = \
changepw.c \
codec.c \
config_file.c \
- config_file_netinfo.c \
convert_creds.c \
constants.c \
context.c \
@@ -87,12 +128,25 @@ dist_libkrb5_la_SOURCES = \
crc.c \
creds.c \
crypto.c \
+ crypto.h \
+ crypto-aes.c \
+ crypto-algs.c \
+ crypto-arcfour.c \
+ crypto-des.c \
+ crypto-des-common.c \
+ crypto-des3.c \
+ crypto-evp.c \
+ crypto-null.c \
+ crypto-pk.c \
+ crypto-rand.c \
doxygen.c \
data.c \
+ deprecated.c \
digest.c \
eai_to_heim_errno.c \
error_string.c \
expand_hostname.c \
+ expand_path.c \
fcache.c \
free.c \
free_host_realm.c \
@@ -105,11 +159,7 @@ dist_libkrb5_la_SOURCES = \
get_for_creds.c \
get_host_realm.c \
get_in_tkt.c \
- get_in_tkt_pw.c \
- get_in_tkt_with_keytab.c \
- get_in_tkt_with_skey.c \
get_port.c \
- heim_threads.h \
init_creds.c \
init_creds_pw.c \
kcm.c \
@@ -119,7 +169,6 @@ dist_libkrb5_la_SOURCES = \
keytab_any.c \
keytab_file.c \
keytab_keyfile.c \
- keytab_krb4.c \
keytab_memory.c \
krb5_locl.h \
krb5-v4compat.h \
@@ -140,6 +189,7 @@ dist_libkrb5_la_SOURCES = \
n-fold.c \
pac.c \
padata.c \
+ pcache.c \
pkinit.c \
principal.c \
prog_setup.c \
@@ -153,11 +203,18 @@ dist_libkrb5_la_SOURCES = \
read_message.c \
recvauth.c \
replay.c \
+ salt.c \
+ salt-aes.c \
+ salt-arcfour.c \
+ salt-des.c \
+ salt-des3.c \
+ scache.c \
send_to_kdc.c \
sendauth.c \
set_default_realm.c \
sock_principal.c \
store.c \
+ store-int.c \
store-int.h \
store_emem.c \
store_fd.c \
@@ -166,7 +223,6 @@ dist_libkrb5_la_SOURCES = \
ticket.c \
time.c \
transited.c \
- v4_glue.c \
verify_init.c \
verify_user.c \
version.c \
@@ -176,45 +232,73 @@ dist_libkrb5_la_SOURCES = \
nodist_libkrb5_la_SOURCES = \
$(ERR_FILES)
-libkrb5_la_LDFLAGS = -version-info 24:0:0
+libkrb5_la_DEPENDENCIES = \
+ version-script.map
+
+libkrb5_la_LDFLAGS = -version-info 26:0:0
if versionscript
libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
-$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) $(librfc3961_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
+
+librfc3961_la_SOURCES = \
+ crc.c \
+ crypto.c \
+ crypto.h \
+ crypto-aes.c \
+ crypto-algs.c \
+ crypto-arcfour.c \
+ crypto-des.c \
+ crypto-des-common.c \
+ crypto-des3.c \
+ crypto-evp.c \
+ crypto-null.c \
+ crypto-pk.c \
+ crypto-rand.c \
+ crypto-stubs.c \
+ data.c \
+ error_string.c \
+ keyblock.c \
+ n-fold.c \
+ salt.c \
+ salt-aes.c \
+ salt-arcfour.c \
+ salt-des.c \
+ salt-des3.c \
+ store-int.c \
+ warn.c
+
+test_rfc3961_LDADD = \
+ librfc3961.la \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(LIB_hcrypto) \
+ $(LIB_roken)
$(srcdir)/krb5-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
+ cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
$(srcdir)/krb5-private.h:
cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
man_MANS = \
kerberos.8 \
- krb5.3 \
krb5.conf.5 \
krb524_convert_creds_kdc.3 \
krb5_425_conv_principal.3 \
krb5_acl_match_file.3 \
- krb5_address.3 \
krb5_aname_to_localname.3 \
krb5_appdefault.3 \
krb5_auth_context.3 \
krb5_c_make_checksum.3 \
- krb5_ccache.3 \
krb5_check_transited.3 \
- krb5_compare_creds.3 \
- krb5_config.3 \
- krb5_context.3 \
krb5_create_checksum.3 \
krb5_creds.3 \
- krb5_crypto_init.3 \
- krb5_data.3 \
krb5_digest.3 \
krb5_eai_to_heim_errno.3 \
krb5_encrypt.3 \
- krb5_expand_hostname.3 \
krb5_find_padata.3 \
krb5_generate_random_block.3 \
krb5_get_all_client_addrs.3 \
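Review bot: Defining `libkrb5_la_DEPENDENCIES` by hand replaces the dependency list automake otherwise derives from `libkrb5_la_LIBADD`, and the regenerated Makefile.in in this same commit does drop the computed `libkrb5_la_DEPENDENCIES` line. As written, libkrb5.la depends only on `version-script.map`, so it is presumably no longer relinked when an in-tree library such as `$(top_builddir)/lib/asn1/libasn1.la` is rebuilt. If the intent is only to add the map file, the in-tree `.la` entries from `libkrb5_la_LIBADD` should be listed here as well. The new dependency is also unconditional although the map is only passed to the linker under `if versionscript`. Separately, the rewritten object rule lists `krb5_err.h` and `k524_err.h` twice; `$(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h krb_err.h heim_err.h k524_err.h` is enough.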
@@ -227,10 +311,7 @@ man_MANS = \
krb5_getportbyname.3 \
krb5_init_context.3 \
krb5_is_thread_safe.3 \
- krb5_keyblock.3 \
- krb5_keytab.3 \
krb5_krbhst_init.3 \
- krb5_kuserok.3 \
krb5_mk_req.3 \
krb5_mk_safe.3 \
krb5_openlog.3 \
@@ -241,14 +322,10 @@ man_MANS = \
krb5_rd_safe.3 \
krb5_set_default_realm.3 \
krb5_set_password.3 \
- krb5_storage.3 \
krb5_string_to_key.3 \
- krb5_ticket.3 \
krb5_timeofday.3 \
- krb5_unparse_name.3 \
krb5_verify_init_creds.3 \
krb5_verify_user.3 \
- krb5_warn.3 \
verify_krb5_conf.8
dist_include_HEADERS = \
@@ -257,18 +334,19 @@ dist_include_HEADERS = \
krb5-private.h \
krb5_ccapi.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h
+krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h
build_HEADERZ = \
- heim_threads.h \
$(krb5_HEADERS) \
krb_err.h
CLEANFILES = \
+ test_config_strings.out \
+ test-store-data \
krb5_err.c krb5_err.h \
krb_err.c krb_err.h \
heim_err.c heim_err.h \
@@ -276,13 +354,19 @@ CLEANFILES = \
$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+test_config_strings.out: test_config_strings.cfg
+ $(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
+
EXTRA_DIST = \
+ NTMakefile \
+ verify_krb5_conf-version.rc \
krb5_err.et \
krb_err.et \
heim_err.et \
k524_err.et \
$(man_MANS) \
version-script.map \
+ test_config_strings.cfg \
krb5.moduli
#sysconf_DATA = krb5.moduli
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
index 60e09251227f..2473eb2cae51 100644
--- a/crypto/heimdal/lib/krb5/Makefile.in
+++ b/crypto/heimdal/lib/krb5/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -14,18 +15,19 @@
@SET_MAKE@
-# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $
+# $Id$
-# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+# $Id$
-# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+# $Id$
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
@@ -45,26 +47,28 @@ DIST_COMMON = $(dist_include_HEADERS) $(krb5_HEADERS) \
$(top_srcdir)/Makefile.am.common \
$(top_srcdir)/cf/Makefile.am.common
bin_PROGRAMS = verify_krb5_conf$(EXEEXT)
-noinst_PROGRAMS = krbhst-test$(EXEEXT) test_alname$(EXEEXT) \
- test_crypto$(EXEEXT) test_get_addrs$(EXEEXT) \
+noinst_PROGRAMS = krbhst-test$(EXEEXT) test_gic$(EXEEXT) \
+ test_alname$(EXEEXT) test_crypto$(EXEEXT) \
+ test_rfc3961$(EXEEXT) test_get_addrs$(EXEEXT) \
test_kuserok$(EXEEXT) test_renew$(EXEEXT) \
test_forward$(EXEEXT)
TESTS = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \
- parse-name-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_time$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT)
+ n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
+ store-test$(EXEEXT) string-to-key-test$(EXEEXT) \
+ test_acl$(EXEEXT) test_addr$(EXEEXT) test_cc$(EXEEXT) \
+ test_config$(EXEEXT) test_fx$(EXEEXT) test_prf$(EXEEXT) \
+ test_store$(EXEEXT) test_crypto_wrapping$(EXEEXT) \
+ test_keytab$(EXEEXT) test_mem$(EXEEXT) test_pac$(EXEEXT) \
+ test_plugin$(EXEEXT) test_princ$(EXEEXT) \
+ test_pkinit_dh2key$(EXEEXT) test_pknistkdf$(EXEEXT) \
+ test_time$(EXEEXT) test_x500$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT) \
+ test_ap-req$(EXEEXT)
@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
subdir = lib/krb5
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
- $(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+ $(top_srcdir)/cf/auth-modules.m4 \
$(top_srcdir)/cf/broken-getaddrinfo.m4 \
$(top_srcdir)/cf/broken-glob.m4 \
$(top_srcdir)/cf/broken-realloc.m4 \
@@ -79,7 +83,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
- $(top_srcdir)/cf/dlopen.m4 \
+ $(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
$(top_srcdir)/cf/find-func-no-libs.m4 \
$(top_srcdir)/cf/find-func-no-libs2.m4 \
$(top_srcdir)/cf/find-func.m4 \
@@ -93,9 +97,12 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/krb-readline.m4 \
$(top_srcdir)/cf/krb-struct-spwd.m4 \
$(top_srcdir)/cf/krb-struct-winsize.m4 \
- $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
- $(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
- $(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+ $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
+ $(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
+ $(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
+ $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
+ $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
+ $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
$(top_srcdir)/cf/roken-frag.m4 \
@@ -103,79 +110,97 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
- $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+ $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/include/config.h
CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
"$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" \
"$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(lib_LTLIBRARIES)
+LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
am__DEPENDENCIES_1 =
-libkrb5_la_DEPENDENCIES = $(LIB_pkinit) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1)
+@have_scc_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
dist_libkrb5_la_OBJECTS = libkrb5_la-acache.lo libkrb5_la-acl.lo \
libkrb5_la-add_et_list.lo libkrb5_la-addr_families.lo \
libkrb5_la-aname_to_localname.lo libkrb5_la-appdefault.lo \
libkrb5_la-asn1_glue.lo libkrb5_la-auth_context.lo \
libkrb5_la-build_ap_req.lo libkrb5_la-build_auth.lo \
libkrb5_la-cache.lo libkrb5_la-changepw.lo libkrb5_la-codec.lo \
- libkrb5_la-config_file.lo libkrb5_la-config_file_netinfo.lo \
- libkrb5_la-convert_creds.lo libkrb5_la-constants.lo \
- libkrb5_la-context.lo libkrb5_la-copy_host_realm.lo \
- libkrb5_la-crc.lo libkrb5_la-creds.lo libkrb5_la-crypto.lo \
- libkrb5_la-doxygen.lo libkrb5_la-data.lo libkrb5_la-digest.lo \
+ libkrb5_la-config_file.lo libkrb5_la-convert_creds.lo \
+ libkrb5_la-constants.lo libkrb5_la-context.lo \
+ libkrb5_la-copy_host_realm.lo libkrb5_la-crc.lo \
+ libkrb5_la-creds.lo libkrb5_la-crypto.lo \
+ libkrb5_la-crypto-aes.lo libkrb5_la-crypto-algs.lo \
+ libkrb5_la-crypto-arcfour.lo libkrb5_la-crypto-des.lo \
+ libkrb5_la-crypto-des-common.lo libkrb5_la-crypto-des3.lo \
+ libkrb5_la-crypto-evp.lo libkrb5_la-crypto-null.lo \
+ libkrb5_la-crypto-pk.lo libkrb5_la-crypto-rand.lo \
+ libkrb5_la-doxygen.lo libkrb5_la-data.lo \
+ libkrb5_la-deprecated.lo libkrb5_la-digest.lo \
libkrb5_la-eai_to_heim_errno.lo libkrb5_la-error_string.lo \
- libkrb5_la-expand_hostname.lo libkrb5_la-fcache.lo \
- libkrb5_la-free.lo libkrb5_la-free_host_realm.lo \
+ libkrb5_la-expand_hostname.lo libkrb5_la-expand_path.lo \
+ libkrb5_la-fcache.lo libkrb5_la-free.lo \
+ libkrb5_la-free_host_realm.lo \
libkrb5_la-generate_seq_number.lo \
libkrb5_la-generate_subkey.lo libkrb5_la-get_addrs.lo \
libkrb5_la-get_cred.lo libkrb5_la-get_default_principal.lo \
libkrb5_la-get_default_realm.lo libkrb5_la-get_for_creds.lo \
libkrb5_la-get_host_realm.lo libkrb5_la-get_in_tkt.lo \
- libkrb5_la-get_in_tkt_pw.lo \
- libkrb5_la-get_in_tkt_with_keytab.lo \
- libkrb5_la-get_in_tkt_with_skey.lo libkrb5_la-get_port.lo \
- libkrb5_la-init_creds.lo libkrb5_la-init_creds_pw.lo \
- libkrb5_la-kcm.lo libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \
+ libkrb5_la-get_port.lo libkrb5_la-init_creds.lo \
+ libkrb5_la-init_creds_pw.lo libkrb5_la-kcm.lo \
+ libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \
libkrb5_la-keytab_any.lo libkrb5_la-keytab_file.lo \
- libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_krb4.lo \
- libkrb5_la-keytab_memory.lo libkrb5_la-krbhst.lo \
- libkrb5_la-kuserok.lo libkrb5_la-log.lo libkrb5_la-mcache.lo \
- libkrb5_la-misc.lo libkrb5_la-mk_error.lo \
+ libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_memory.lo \
+ libkrb5_la-krbhst.lo libkrb5_la-kuserok.lo libkrb5_la-log.lo \
+ libkrb5_la-mcache.lo libkrb5_la-misc.lo libkrb5_la-mk_error.lo \
libkrb5_la-mk_priv.lo libkrb5_la-mk_rep.lo \
libkrb5_la-mk_req.lo libkrb5_la-mk_req_ext.lo \
libkrb5_la-mk_safe.lo libkrb5_la-mit_glue.lo \
libkrb5_la-net_read.lo libkrb5_la-net_write.lo \
libkrb5_la-n-fold.lo libkrb5_la-pac.lo libkrb5_la-padata.lo \
- libkrb5_la-pkinit.lo libkrb5_la-principal.lo \
- libkrb5_la-prog_setup.lo libkrb5_la-prompter_posix.lo \
- libkrb5_la-rd_cred.lo libkrb5_la-rd_error.lo \
- libkrb5_la-rd_priv.lo libkrb5_la-rd_rep.lo \
- libkrb5_la-rd_req.lo libkrb5_la-rd_safe.lo \
- libkrb5_la-read_message.lo libkrb5_la-recvauth.lo \
- libkrb5_la-replay.lo libkrb5_la-send_to_kdc.lo \
+ libkrb5_la-pcache.lo libkrb5_la-pkinit.lo \
+ libkrb5_la-principal.lo libkrb5_la-prog_setup.lo \
+ libkrb5_la-prompter_posix.lo libkrb5_la-rd_cred.lo \
+ libkrb5_la-rd_error.lo libkrb5_la-rd_priv.lo \
+ libkrb5_la-rd_rep.lo libkrb5_la-rd_req.lo \
+ libkrb5_la-rd_safe.lo libkrb5_la-read_message.lo \
+ libkrb5_la-recvauth.lo libkrb5_la-replay.lo libkrb5_la-salt.lo \
+ libkrb5_la-salt-aes.lo libkrb5_la-salt-arcfour.lo \
+ libkrb5_la-salt-des.lo libkrb5_la-salt-des3.lo \
+ libkrb5_la-scache.lo libkrb5_la-send_to_kdc.lo \
libkrb5_la-sendauth.lo libkrb5_la-set_default_realm.lo \
libkrb5_la-sock_principal.lo libkrb5_la-store.lo \
- libkrb5_la-store_emem.lo libkrb5_la-store_fd.lo \
- libkrb5_la-store_mem.lo libkrb5_la-plugin.lo \
- libkrb5_la-ticket.lo libkrb5_la-time.lo \
- libkrb5_la-transited.lo libkrb5_la-v4_glue.lo \
- libkrb5_la-verify_init.lo libkrb5_la-verify_user.lo \
- libkrb5_la-version.lo libkrb5_la-warn.lo \
- libkrb5_la-write_message.lo
+ libkrb5_la-store-int.lo libkrb5_la-store_emem.lo \
+ libkrb5_la-store_fd.lo libkrb5_la-store_mem.lo \
+ libkrb5_la-plugin.lo libkrb5_la-ticket.lo libkrb5_la-time.lo \
+ libkrb5_la-transited.lo libkrb5_la-verify_init.lo \
+ libkrb5_la-verify_user.lo libkrb5_la-version.lo \
+ libkrb5_la-warn.lo libkrb5_la-write_message.lo
am__objects_1 = libkrb5_la-krb5_err.lo libkrb5_la-krb_err.lo \
libkrb5_la-heim_err.lo libkrb5_la-k524_err.lo
nodist_libkrb5_la_OBJECTS = $(am__objects_1)
@@ -184,171 +209,251 @@ libkrb5_la_OBJECTS = $(dist_libkrb5_la_OBJECTS) \
libkrb5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libkrb5_la_LDFLAGS) $(LDFLAGS) -o $@
-binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+librfc3961_la_DEPENDENCIES = $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/ipc/libheim-ipcc.la \
+ $(top_builddir)/lib/wind/libwind.la $(LIB_pkinit) \
+ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am_librfc3961_la_OBJECTS = librfc3961_la-crc.lo \
+ librfc3961_la-crypto.lo librfc3961_la-crypto-aes.lo \
+ librfc3961_la-crypto-algs.lo librfc3961_la-crypto-arcfour.lo \
+ librfc3961_la-crypto-des.lo librfc3961_la-crypto-des-common.lo \
+ librfc3961_la-crypto-des3.lo librfc3961_la-crypto-evp.lo \
+ librfc3961_la-crypto-null.lo librfc3961_la-crypto-pk.lo \
+ librfc3961_la-crypto-rand.lo librfc3961_la-crypto-stubs.lo \
+ librfc3961_la-data.lo librfc3961_la-error_string.lo \
+ librfc3961_la-keyblock.lo librfc3961_la-n-fold.lo \
+ librfc3961_la-salt.lo librfc3961_la-salt-aes.lo \
+ librfc3961_la-salt-arcfour.lo librfc3961_la-salt-des.lo \
+ librfc3961_la-salt-des3.lo librfc3961_la-store-int.lo \
+ librfc3961_la-warn.lo
+librfc3961_la_OBJECTS = $(am_librfc3961_la_OBJECTS)
am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \
- parse-name-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_time$(EXEEXT)
+ n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
+ store-test$(EXEEXT) string-to-key-test$(EXEEXT) \
+ test_acl$(EXEEXT) test_addr$(EXEEXT) test_cc$(EXEEXT) \
+ test_config$(EXEEXT) test_fx$(EXEEXT) test_prf$(EXEEXT) \
+ test_store$(EXEEXT) test_crypto_wrapping$(EXEEXT) \
+ test_keytab$(EXEEXT) test_mem$(EXEEXT) test_pac$(EXEEXT) \
+ test_plugin$(EXEEXT) test_princ$(EXEEXT) \
+ test_pkinit_dh2key$(EXEEXT) test_pknistkdf$(EXEEXT) \
+ test_time$(EXEEXT) test_x500$(EXEEXT)
PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
aes_test_SOURCES = aes-test.c
aes_test_OBJECTS = aes-test.$(OBJEXT)
aes_test_LDADD = $(LDADD)
aes_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
derived_key_test_SOURCES = derived-key-test.c
derived_key_test_OBJECTS = derived-key-test.$(OBJEXT)
derived_key_test_LDADD = $(LDADD)
derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
krbhst_test_SOURCES = krbhst-test.c
krbhst_test_OBJECTS = krbhst-test.$(OBJEXT)
krbhst_test_LDADD = $(LDADD)
krbhst_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
n_fold_test_SOURCES = n-fold-test.c
n_fold_test_OBJECTS = n-fold-test.$(OBJEXT)
n_fold_test_LDADD = $(LDADD)
n_fold_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
-name_45_test_SOURCES = name-45-test.c
-name_45_test_OBJECTS = name-45-test.$(OBJEXT)
-name_45_test_LDADD = $(LDADD)
-name_45_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
parse_name_test_SOURCES = parse-name-test.c
parse_name_test_OBJECTS = parse-name-test.$(OBJEXT)
parse_name_test_LDADD = $(LDADD)
parse_name_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
store_test_SOURCES = store-test.c
store_test_OBJECTS = store-test.$(OBJEXT)
store_test_LDADD = $(LDADD)
store_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
string_to_key_test_SOURCES = string-to-key-test.c
string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT)
string_to_key_test_LDADD = $(LDADD)
string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_acl_SOURCES = test_acl.c
test_acl_OBJECTS = test_acl.$(OBJEXT)
test_acl_LDADD = $(LDADD)
test_acl_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_addr_SOURCES = test_addr.c
test_addr_OBJECTS = test_addr.$(OBJEXT)
test_addr_LDADD = $(LDADD)
test_addr_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_alname_SOURCES = test_alname.c
test_alname_OBJECTS = test_alname.$(OBJEXT)
test_alname_LDADD = $(LDADD)
test_alname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_ap_req_SOURCES = test_ap-req.c
+test_ap_req_OBJECTS = test_ap-req.$(OBJEXT)
+test_ap_req_LDADD = $(LDADD)
+test_ap_req_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_cc_SOURCES = test_cc.c
test_cc_OBJECTS = test_cc.$(OBJEXT)
test_cc_LDADD = $(LDADD)
test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_config_SOURCES = test_config.c
test_config_OBJECTS = test_config.$(OBJEXT)
test_config_LDADD = $(LDADD)
test_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_crypto_SOURCES = test_crypto.c
test_crypto_OBJECTS = test_crypto.$(OBJEXT)
test_crypto_LDADD = $(LDADD)
test_crypto_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_crypto_wrapping_SOURCES = test_crypto_wrapping.c
test_crypto_wrapping_OBJECTS = test_crypto_wrapping.$(OBJEXT)
test_crypto_wrapping_LDADD = $(LDADD)
test_crypto_wrapping_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_forward_SOURCES = test_forward.c
test_forward_OBJECTS = test_forward.$(OBJEXT)
test_forward_LDADD = $(LDADD)
test_forward_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_fx_SOURCES = test_fx.c
+test_fx_OBJECTS = test_fx.$(OBJEXT)
+test_fx_LDADD = $(LDADD)
+test_fx_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_get_addrs_SOURCES = test_get_addrs.c
test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT)
test_get_addrs_LDADD = $(LDADD)
test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_gic_SOURCES = test_gic.c
+test_gic_OBJECTS = test_gic.$(OBJEXT)
+test_gic_LDADD = $(LDADD)
+test_gic_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_hostname_SOURCES = test_hostname.c
test_hostname_OBJECTS = test_hostname.$(OBJEXT)
test_hostname_LDADD = $(LDADD)
test_hostname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_keytab_SOURCES = test_keytab.c
test_keytab_OBJECTS = test_keytab.$(OBJEXT)
test_keytab_LDADD = $(LDADD)
test_keytab_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_kuserok_SOURCES = test_kuserok.c
test_kuserok_OBJECTS = test_kuserok.$(OBJEXT)
test_kuserok_LDADD = $(LDADD)
test_kuserok_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_mem_SOURCES = test_mem.c
test_mem_OBJECTS = test_mem.$(OBJEXT)
test_mem_LDADD = $(LDADD)
test_mem_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_pac_SOURCES = test_pac.c
test_pac_OBJECTS = test_pac.$(OBJEXT)
test_pac_LDADD = $(LDADD)
test_pac_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_pkinit_dh2key_SOURCES = test_pkinit_dh2key.c
test_pkinit_dh2key_OBJECTS = test_pkinit_dh2key.$(OBJEXT)
test_pkinit_dh2key_LDADD = $(LDADD)
test_pkinit_dh2key_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_pknistkdf_SOURCES = test_pknistkdf.c
+test_pknistkdf_OBJECTS = test_pknistkdf.$(OBJEXT)
+test_pknistkdf_LDADD = $(LDADD)
+test_pknistkdf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_plugin_SOURCES = test_plugin.c
test_plugin_OBJECTS = test_plugin.$(OBJEXT)
test_plugin_LDADD = $(LDADD)
test_plugin_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_prf_SOURCES = test_prf.c
test_prf_OBJECTS = test_prf.$(OBJEXT)
test_prf_LDADD = $(LDADD)
test_prf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_princ_SOURCES = test_princ.c
test_princ_OBJECTS = test_princ.$(OBJEXT)
test_princ_LDADD = $(LDADD)
test_princ_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_renew_SOURCES = test_renew.c
test_renew_OBJECTS = test_renew.$(OBJEXT)
test_renew_LDADD = $(LDADD)
test_renew_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_rfc3961_SOURCES = test_rfc3961.c
+test_rfc3961_OBJECTS = test_rfc3961.$(OBJEXT)
+test_rfc3961_DEPENDENCIES = librfc3961.la \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
test_store_SOURCES = test_store.c
test_store_OBJECTS = test_store.$(OBJEXT)
test_store_LDADD = $(LDADD)
test_store_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
test_time_SOURCES = test_time.c
test_time_OBJECTS = test_time.$(OBJEXT)
test_time_LDADD = $(LDADD)
test_time_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+test_x500_SOURCES = test_x500.c
+test_x500_OBJECTS = test_x500.$(OBJEXT)
+test_x500_LDADD = $(LDADD)
+test_x500_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
verify_krb5_conf_SOURCES = verify_krb5_conf.c
verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT)
verify_krb5_conf_LDADD = $(LDADD)
verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
-depcomp =
-am__depfiles_maybe =
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -359,82 +464,93 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
SOURCES = $(dist_libkrb5_la_SOURCES) $(nodist_libkrb5_la_SOURCES) \
- aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \
- name-45-test.c parse-name-test.c store-test.c \
+ $(librfc3961_la_SOURCES) aes-test.c derived-key-test.c \
+ krbhst-test.c n-fold-test.c parse-name-test.c store-test.c \
string-to-key-test.c test_acl.c test_addr.c test_alname.c \
- test_cc.c test_config.c test_crypto.c test_crypto_wrapping.c \
- test_forward.c test_get_addrs.c test_hostname.c test_keytab.c \
+ test_ap-req.c test_cc.c test_config.c test_crypto.c \
+ test_crypto_wrapping.c test_forward.c test_fx.c \
+ test_get_addrs.c test_gic.c test_hostname.c test_keytab.c \
test_kuserok.c test_mem.c test_pac.c test_pkinit_dh2key.c \
- test_plugin.c test_prf.c test_princ.c test_renew.c \
- test_store.c test_time.c verify_krb5_conf.c
-DIST_SOURCES = $(dist_libkrb5_la_SOURCES) aes-test.c \
- derived-key-test.c krbhst-test.c n-fold-test.c name-45-test.c \
+ test_pknistkdf.c test_plugin.c test_prf.c test_princ.c \
+ test_renew.c test_rfc3961.c test_store.c test_time.c \
+ test_x500.c verify_krb5_conf.c
+DIST_SOURCES = $(dist_libkrb5_la_SOURCES) $(librfc3961_la_SOURCES) \
+ aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \
parse-name-test.c store-test.c string-to-key-test.c test_acl.c \
- test_addr.c test_alname.c test_cc.c test_config.c \
- test_crypto.c test_crypto_wrapping.c test_forward.c \
- test_get_addrs.c test_hostname.c test_keytab.c test_kuserok.c \
- test_mem.c test_pac.c test_pkinit_dh2key.c test_plugin.c \
- test_prf.c test_princ.c test_renew.c test_store.c test_time.c \
- verify_krb5_conf.c
+ test_addr.c test_alname.c test_ap-req.c test_cc.c \
+ test_config.c test_crypto.c test_crypto_wrapping.c \
+ test_forward.c test_fx.c test_get_addrs.c test_gic.c \
+ test_hostname.c test_keytab.c test_kuserok.c test_mem.c \
+ test_pac.c test_pkinit_dh2key.c test_pknistkdf.c test_plugin.c \
+ test_prf.c test_princ.c test_renew.c test_rfc3961.c \
+ test_store.c test_time.c test_x500.c verify_krb5_conf.c
man3dir = $(mandir)/man3
man5dir = $(mandir)/man5
man8dir = $(mandir)/man8
MANS = $(man_MANS)
-dist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
-krb5HEADERS_INSTALL = $(INSTALL_HEADER)
-nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
HEADERS = $(dist_include_HEADERS) $(krb5_HEADERS) \
$(nodist_include_HEADERS)
ETAGS = etags
CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
AMTAR = @AMTAR@
AR = @AR@
+ASN1_COMPILE = @ASN1_COMPILE@
+ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CANONICAL_HOST = @CANONICAL_HOST@
+CAPNG_CFLAGS = @CAPNG_CFLAGS@
+CAPNG_LIBS = @CAPNG_LIBS@
CATMAN = @CATMAN@
CATMANEXT = @CATMANEXT@
CC = @CC@
+CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
COMPILE_ET = @COMPILE_ET@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
+DBHEADER = @DBHEADER@
DBLIB = @DBLIB@
DEFS = @DEFS@
+DEPDIR = @DEPDIR@
DIR_com_err = @DIR_com_err@
DIR_hcrypto = @DIR_hcrypto@
DIR_hdbdir = @DIR_hdbdir@
DIR_roken = @DIR_roken@
-ECHO = @ECHO@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
GREP = @GREP@
GROFF = @GROFF@
INCLUDES_roken = @INCLUDES_roken@
INCLUDE_hcrypto = @INCLUDE_hcrypto@
INCLUDE_hesiod = @INCLUDE_hesiod@
INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_libedit = @INCLUDE_libedit@
+INCLUDE_libintl = @INCLUDE_libintl@
INCLUDE_openldap = @INCLUDE_openldap@
INCLUDE_readline = @INCLUDE_readline@
+INCLUDE_sqlite3 = @INCLUDE_sqlite3@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
LEX = @LEX@
@@ -458,10 +574,11 @@ LIB_crypt = @LIB_crypt@
LIB_db_create = @LIB_db_create@
LIB_dbm_firstkey = @LIB_dbm_firstkey@
LIB_dbopen = @LIB_dbopen@
+LIB_dispatch_async_f = @LIB_dispatch_async_f@
LIB_dlopen = @LIB_dlopen@
LIB_dn_expand = @LIB_dn_expand@
+LIB_dns_search = @LIB_dns_search@
LIB_door_create = @LIB_door_create@
-LIB_el_init = @LIB_el_init@
LIB_freeaddrinfo = @LIB_freeaddrinfo@
LIB_gai_strerror = @LIB_gai_strerror@
LIB_getaddrinfo = @LIB_getaddrinfo@
@@ -478,6 +595,8 @@ LIB_hesiod = @LIB_hesiod@
LIB_hstrerror = @LIB_hstrerror@
LIB_kdb = @LIB_kdb@
LIB_krb4 = @LIB_krb4@
+LIB_libedit = @LIB_libedit@
+LIB_libintl = @LIB_libintl@
LIB_loadquery = @LIB_loadquery@
LIB_logout = @LIB_logout@
LIB_logwtmp = @LIB_logwtmp@
@@ -493,31 +612,45 @@ LIB_roken = @LIB_roken@
LIB_security = @LIB_security@
LIB_setsockopt = @LIB_setsockopt@
LIB_socket = @LIB_socket@
+LIB_sqlite3 = @LIB_sqlite3@
LIB_syslog = @LIB_syslog@
LIB_tgetent = @LIB_tgetent@
+LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NO_AFS = @NO_AFS@
NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
-PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
-PTHREADS_LIBS = @PTHREADS_LIBS@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+PTHREAD_LDADD = @PTHREAD_LDADD@
+PTHREAD_LIBADD = @PTHREAD_LIBADD@
RANLIB = @RANLIB@
+SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SLC = @SLC@
+SLC_DEP = @SLC_DEP@
STRIP = @STRIP@
VERSION = @VERSION@
VERSIONING = @VERSIONING@
-VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
WFLAGS = @WFLAGS@
WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
@@ -532,10 +665,12 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
@@ -576,50 +711,90 @@ psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
+subdirs = @subdirs@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
- $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err \
- -I$(srcdir)/../com_err
+SUFFIXES = .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
+AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hcrypto) \
+ -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) \
+ $(INCLUDE_libintl)
@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
AM_CFLAGS = $(WFLAGS)
CP = cp
buildinclude = $(top_builddir)/include
+LIB_el_init = @LIB_el_init@
LIB_getattr = @LIB_getattr@
LIB_getpwent_r = @LIB_getpwent_r@
LIB_odm_initialize = @LIB_odm_initialize@
LIB_setpcred = @LIB_setpcred@
HESIODLIB = @HESIODLIB@
HESIODINCLUDE = @HESIODINCLUDE@
+libexec_heimdaldir = $(libexecdir)/heimdal
NROFF_MAN = groff -mandoc -Tascii
LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+LIB_heimbase = $(top_builddir)/base/libheimbase.la
@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_LTLIBRARIES = \
+ librfc3961.la
+
+check_DATA = test_config_strings.out
LDADD = libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la \
$(LIB_roken)
@PKINIT_TRUE@LIB_pkinit = ../hx509/libhx509.la
+@have_scc_TRUE@use_sqlite = $(LIB_sqlite3)
libkrb5_la_LIBADD = \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/ipc/libheim-ipcc.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/base/libheimbase.la \
$(LIB_pkinit) \
+ $(use_sqlite) \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_libintl) \
+ $(LIBADD_roken) \
+ $(PTHREAD_LIBADD) \
+ $(LIB_door_create) \
+ $(LIB_dlopen)
+
+librfc3961_la_LIBADD = \
$(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/ipc/libheim-ipcc.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(LIB_pkinit) \
+ $(use_sqlite) \
+ $(LIB_com_err) \
+ $(LIB_hcrypto) \
+ $(LIB_libintl) \
$(LIBADD_roken) \
+ $(PTHREAD_LIBADD) \
$(LIB_door_create) \
$(LIB_dlopen)
lib_LTLIBRARIES = libkrb5.la
ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
-libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS)
+libkrb5_la_CPPFLAGS = \
+ -DBUILD_KRB5_LIB \
+ $(AM_CPPFLAGS) \
+ -DHEIMDAL_LOCALEDIR='"$(localedir)"'
+
+librfc3961_la_CPPFLAGS = \
+ -DBUILD_KRB5_LIB \
+ $(AM_CPPFLAGS) \
+ -DHEIMDAL_LOCALEDIR='"$(localedir)"'
+
dist_libkrb5_la_SOURCES = \
acache.c \
acl.c \
@@ -635,7 +810,6 @@ dist_libkrb5_la_SOURCES = \
changepw.c \
codec.c \
config_file.c \
- config_file_netinfo.c \
convert_creds.c \
constants.c \
context.c \
@@ -643,12 +817,25 @@ dist_libkrb5_la_SOURCES = \
crc.c \
creds.c \
crypto.c \
+ crypto.h \
+ crypto-aes.c \
+ crypto-algs.c \
+ crypto-arcfour.c \
+ crypto-des.c \
+ crypto-des-common.c \
+ crypto-des3.c \
+ crypto-evp.c \
+ crypto-null.c \
+ crypto-pk.c \
+ crypto-rand.c \
doxygen.c \
data.c \
+ deprecated.c \
digest.c \
eai_to_heim_errno.c \
error_string.c \
expand_hostname.c \
+ expand_path.c \
fcache.c \
free.c \
free_host_realm.c \
@@ -661,11 +848,7 @@ dist_libkrb5_la_SOURCES = \
get_for_creds.c \
get_host_realm.c \
get_in_tkt.c \
- get_in_tkt_pw.c \
- get_in_tkt_with_keytab.c \
- get_in_tkt_with_skey.c \
get_port.c \
- heim_threads.h \
init_creds.c \
init_creds_pw.c \
kcm.c \
@@ -675,7 +858,6 @@ dist_libkrb5_la_SOURCES = \
keytab_any.c \
keytab_file.c \
keytab_keyfile.c \
- keytab_krb4.c \
keytab_memory.c \
krb5_locl.h \
krb5-v4compat.h \
@@ -696,6 +878,7 @@ dist_libkrb5_la_SOURCES = \
n-fold.c \
pac.c \
padata.c \
+ pcache.c \
pkinit.c \
principal.c \
prog_setup.c \
@@ -709,11 +892,18 @@ dist_libkrb5_la_SOURCES = \
read_message.c \
recvauth.c \
replay.c \
+ salt.c \
+ salt-aes.c \
+ salt-arcfour.c \
+ salt-des.c \
+ salt-des3.c \
+ scache.c \
send_to_kdc.c \
sendauth.c \
set_default_realm.c \
sock_principal.c \
store.c \
+ store-int.c \
store-int.h \
store_emem.c \
store_fd.c \
@@ -722,7 +912,6 @@ dist_libkrb5_la_SOURCES = \
ticket.c \
time.c \
transited.c \
- v4_glue.c \
verify_init.c \
verify_user.c \
version.c \
@@ -732,32 +921,60 @@ dist_libkrb5_la_SOURCES = \
nodist_libkrb5_la_SOURCES = \
$(ERR_FILES)
-libkrb5_la_LDFLAGS = -version-info 24:0:0 $(am__append_1)
+libkrb5_la_DEPENDENCIES = \
+ version-script.map
+
+libkrb5_la_LDFLAGS = -version-info 26:0:0 $(am__append_1)
+librfc3961_la_SOURCES = \
+ crc.c \
+ crypto.c \
+ crypto.h \
+ crypto-aes.c \
+ crypto-algs.c \
+ crypto-arcfour.c \
+ crypto-des.c \
+ crypto-des-common.c \
+ crypto-des3.c \
+ crypto-evp.c \
+ crypto-null.c \
+ crypto-pk.c \
+ crypto-rand.c \
+ crypto-stubs.c \
+ data.c \
+ error_string.c \
+ keyblock.c \
+ n-fold.c \
+ salt.c \
+ salt-aes.c \
+ salt-arcfour.c \
+ salt-des.c \
+ salt-des3.c \
+ store-int.c \
+ warn.c
+
+test_rfc3961_LDADD = \
+ librfc3961.la \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(LIB_hcrypto) \
+ $(LIB_roken)
+
man_MANS = \
kerberos.8 \
- krb5.3 \
krb5.conf.5 \
krb524_convert_creds_kdc.3 \
krb5_425_conv_principal.3 \
krb5_acl_match_file.3 \
- krb5_address.3 \
krb5_aname_to_localname.3 \
krb5_appdefault.3 \
krb5_auth_context.3 \
krb5_c_make_checksum.3 \
- krb5_ccache.3 \
krb5_check_transited.3 \
- krb5_compare_creds.3 \
- krb5_config.3 \
- krb5_context.3 \
krb5_create_checksum.3 \
krb5_creds.3 \
- krb5_crypto_init.3 \
- krb5_data.3 \
krb5_digest.3 \
krb5_eai_to_heim_errno.3 \
krb5_encrypt.3 \
- krb5_expand_hostname.3 \
krb5_find_padata.3 \
krb5_generate_random_block.3 \
krb5_get_all_client_addrs.3 \
@@ -770,10 +987,7 @@ man_MANS = \
krb5_getportbyname.3 \
krb5_init_context.3 \
krb5_is_thread_safe.3 \
- krb5_keyblock.3 \
- krb5_keytab.3 \
krb5_krbhst_init.3 \
- krb5_kuserok.3 \
krb5_mk_req.3 \
krb5_mk_safe.3 \
krb5_openlog.3 \
@@ -784,14 +998,10 @@ man_MANS = \
krb5_rd_safe.3 \
krb5_set_default_realm.3 \
krb5_set_password.3 \
- krb5_storage.3 \
krb5_string_to_key.3 \
- krb5_ticket.3 \
krb5_timeofday.3 \
- krb5_unparse_name.3 \
krb5_verify_init_creds.3 \
krb5_verify_user.3 \
- krb5_warn.3 \
verify_krb5_conf.8
dist_include_HEADERS = \
@@ -800,47 +1010,51 @@ dist_include_HEADERS = \
krb5-private.h \
krb5_ccapi.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h
+krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h
build_HEADERZ = \
- heim_threads.h \
$(krb5_HEADERS) \
krb_err.h
CLEANFILES = \
+ test_config_strings.out \
+ test-store-data \
krb5_err.c krb5_err.h \
krb_err.c krb_err.h \
heim_err.c heim_err.h \
k524_err.c k524_err.h
EXTRA_DIST = \
+ NTMakefile \
+ verify_krb5_conf-version.rc \
krb5_err.et \
krb_err.et \
heim_err.et \
k524_err.et \
$(man_MANS) \
version-script.map \
+ test_config_strings.cfg \
krb5.moduli
all: all-am
.SUFFIXES:
-.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps lib/krb5/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign --ignore-deps lib/krb5/Makefile
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --foreign lib/krb5/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -858,23 +1072,28 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+ @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+ list2=; for p in $$list; do \
if test -f $$p; then \
- f=$(am__strip_dir) \
- echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+ list2="$$list2 $$p"; \
else :; fi; \
- done
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+ }
uninstall-libLTLIBRARIES:
@$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- p=$(am__strip_dir) \
- echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
- $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+ @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
done
clean-libLTLIBRARIES:
@@ -885,50 +1104,80 @@ clean-libLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES)
$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
+librfc3961.la: $(librfc3961_la_OBJECTS) $(librfc3961_la_DEPENDENCIES)
+ $(LINK) $(librfc3961_la_OBJECTS) $(librfc3961_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
- @list='$(bin_PROGRAMS)'; for p in $$list; do \
- p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- if test -f $$p \
- || test -f $$p1 \
- ; then \
- f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
- else :; fi; \
- done
+ @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
+ } \
+ ; done
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; for p in $$list; do \
- f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
- rm -f "$(DESTDIR)$(bindir)/$$f"; \
- done
+ @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(bindir)" && rm -f $$files
clean-binPROGRAMS:
- @list='$(bin_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
+ @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
clean-checkPROGRAMS:
- @list='$(check_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
+ @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES)
@rm -f aes-test$(EXEEXT)
$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
@@ -941,9 +1190,6 @@ krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES)
n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES)
@rm -f n-fold-test$(EXEEXT)
$(LINK) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
-name-45-test$(EXEEXT): $(name_45_test_OBJECTS) $(name_45_test_DEPENDENCIES)
- @rm -f name-45-test$(EXEEXT)
- $(LINK) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS)
parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES)
@rm -f parse-name-test$(EXEEXT)
$(LINK) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS)
@@ -962,6 +1208,9 @@ test_addr$(EXEEXT): $(test_addr_OBJECTS) $(test_addr_DEPENDENCIES)
test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES)
@rm -f test_alname$(EXEEXT)
$(LINK) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS)
+test_ap-req$(EXEEXT): $(test_ap_req_OBJECTS) $(test_ap_req_DEPENDENCIES)
+ @rm -f test_ap-req$(EXEEXT)
+ $(LINK) $(test_ap_req_OBJECTS) $(test_ap_req_LDADD) $(LIBS)
test_cc$(EXEEXT): $(test_cc_OBJECTS) $(test_cc_DEPENDENCIES)
@rm -f test_cc$(EXEEXT)
$(LINK) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS)
@@ -977,9 +1226,15 @@ test_crypto_wrapping$(EXEEXT): $(test_crypto_wrapping_OBJECTS) $(test_crypto_wra
test_forward$(EXEEXT): $(test_forward_OBJECTS) $(test_forward_DEPENDENCIES)
@rm -f test_forward$(EXEEXT)
$(LINK) $(test_forward_OBJECTS) $(test_forward_LDADD) $(LIBS)
+test_fx$(EXEEXT): $(test_fx_OBJECTS) $(test_fx_DEPENDENCIES)
+ @rm -f test_fx$(EXEEXT)
+ $(LINK) $(test_fx_OBJECTS) $(test_fx_LDADD) $(LIBS)
test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES)
@rm -f test_get_addrs$(EXEEXT)
$(LINK) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
+test_gic$(EXEEXT): $(test_gic_OBJECTS) $(test_gic_DEPENDENCIES)
+ @rm -f test_gic$(EXEEXT)
+ $(LINK) $(test_gic_OBJECTS) $(test_gic_LDADD) $(LIBS)
test_hostname$(EXEEXT): $(test_hostname_OBJECTS) $(test_hostname_DEPENDENCIES)
@rm -f test_hostname$(EXEEXT)
$(LINK) $(test_hostname_OBJECTS) $(test_hostname_LDADD) $(LIBS)
@@ -998,6 +1253,9 @@ test_pac$(EXEEXT): $(test_pac_OBJECTS) $(test_pac_DEPENDENCIES)
test_pkinit_dh2key$(EXEEXT): $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_DEPENDENCIES)
@rm -f test_pkinit_dh2key$(EXEEXT)
$(LINK) $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_LDADD) $(LIBS)
+test_pknistkdf$(EXEEXT): $(test_pknistkdf_OBJECTS) $(test_pknistkdf_DEPENDENCIES)
+ @rm -f test_pknistkdf$(EXEEXT)
+ $(LINK) $(test_pknistkdf_OBJECTS) $(test_pknistkdf_LDADD) $(LIBS)
test_plugin$(EXEEXT): $(test_plugin_OBJECTS) $(test_plugin_DEPENDENCIES)
@rm -f test_plugin$(EXEEXT)
$(LINK) $(test_plugin_OBJECTS) $(test_plugin_LDADD) $(LIBS)
@@ -1010,12 +1268,18 @@ test_princ$(EXEEXT): $(test_princ_OBJECTS) $(test_princ_DEPENDENCIES)
test_renew$(EXEEXT): $(test_renew_OBJECTS) $(test_renew_DEPENDENCIES)
@rm -f test_renew$(EXEEXT)
$(LINK) $(test_renew_OBJECTS) $(test_renew_LDADD) $(LIBS)
+test_rfc3961$(EXEEXT): $(test_rfc3961_OBJECTS) $(test_rfc3961_DEPENDENCIES)
+ @rm -f test_rfc3961$(EXEEXT)
+ $(LINK) $(test_rfc3961_OBJECTS) $(test_rfc3961_LDADD) $(LIBS)
test_store$(EXEEXT): $(test_store_OBJECTS) $(test_store_DEPENDENCIES)
@rm -f test_store$(EXEEXT)
$(LINK) $(test_store_OBJECTS) $(test_store_LDADD) $(LIBS)
test_time$(EXEEXT): $(test_time_OBJECTS) $(test_time_DEPENDENCIES)
@rm -f test_time$(EXEEXT)
$(LINK) $(test_time_OBJECTS) $(test_time_LDADD) $(LIBS)
+test_x500$(EXEEXT): $(test_x500_OBJECTS) $(test_x500_DEPENDENCIES)
+ @rm -f test_x500$(EXEEXT)
+ $(LINK) $(test_x500_OBJECTS) $(test_x500_LDADD) $(LIBS)
verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES)
@rm -f verify_krb5_conf$(EXEEXT)
$(LINK) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
@@ -1026,577 +1290,1452 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derived-key-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/krbhst-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-add_et_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-addr_families.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-appdefault.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-asn1_glue.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-auth_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_ap_req.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_auth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-cache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-changepw.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-codec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-config_file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-constants.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-convert_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-algs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-evp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-pk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-rand.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-deprecated.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-digest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-doxygen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-error_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_hostname.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_path.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fcache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free_host_realm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_subkey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_addrs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_principal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_realm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_for_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_host_realm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_port.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-heim_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-k524_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kcm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keyblock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_any.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_memory.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb5_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krbhst.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kuserok.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-log.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mcache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-misc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mit_glue.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_error.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_priv.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_rep.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_safe.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-n-fold.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_read.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_write.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-padata.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pcache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-principal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prog_setup.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prompter_posix.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_error.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_priv.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_rep.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_req.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_safe.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-read_message.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-recvauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-replay.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-scache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sendauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-set_default_realm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sock_principal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store-int.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_emem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_fd.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_mem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-ticket.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-time.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-transited.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_init.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_user.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-version.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-warn.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-write_message.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-algs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-evp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-pk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-rand.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-error_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-keyblock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-n-fold.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-store-int.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-warn.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/n-fold-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse-name-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string-to-key-test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acl.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_addr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_alname.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ap-req.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_config.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto_wrapping.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_forward.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fx.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_get_addrs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gic.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hostname.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_keytab.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kuserok.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mem.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pac.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pkinit_dh2key.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pknistkdf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_plugin.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_prf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_princ.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_renew.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rfc3961.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_store.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_time.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_x500.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify_krb5_conf.Po@am__quote@
+
.c.o:
- $(COMPILE) -c $<
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
.c.obj:
- $(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
- $(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
libkrb5_la-acache.lo: acache.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acache.Tpo -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-acache.Tpo $(DEPDIR)/libkrb5_la-acache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='acache.c' object='libkrb5_la-acache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
libkrb5_la-acl.lo: acl.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acl.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acl.Tpo -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-acl.Tpo $(DEPDIR)/libkrb5_la-acl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='acl.c' object='libkrb5_la-acl.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
libkrb5_la-add_et_list.lo: add_et_list.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-add_et_list.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-add_et_list.Tpo -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-add_et_list.Tpo $(DEPDIR)/libkrb5_la-add_et_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='add_et_list.c' object='libkrb5_la-add_et_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
libkrb5_la-addr_families.lo: addr_families.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-addr_families.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-addr_families.Tpo -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-addr_families.Tpo $(DEPDIR)/libkrb5_la-addr_families.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='addr_families.c' object='libkrb5_la-addr_families.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
libkrb5_la-aname_to_localname.lo: aname_to_localname.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-aname_to_localname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo $(DEPDIR)/libkrb5_la-aname_to_localname.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='aname_to_localname.c' object='libkrb5_la-aname_to_localname.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
libkrb5_la-appdefault.lo: appdefault.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-appdefault.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-appdefault.Tpo -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-appdefault.Tpo $(DEPDIR)/libkrb5_la-appdefault.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='appdefault.c' object='libkrb5_la-appdefault.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
libkrb5_la-asn1_glue.lo: asn1_glue.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-asn1_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-asn1_glue.Tpo -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-asn1_glue.Tpo $(DEPDIR)/libkrb5_la-asn1_glue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_glue.c' object='libkrb5_la-asn1_glue.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
libkrb5_la-auth_context.lo: auth_context.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-auth_context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-auth_context.Tpo -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-auth_context.Tpo $(DEPDIR)/libkrb5_la-auth_context.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='auth_context.c' object='libkrb5_la-auth_context.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
libkrb5_la-build_ap_req.lo: build_ap_req.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_ap_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_ap_req.Tpo -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-build_ap_req.Tpo $(DEPDIR)/libkrb5_la-build_ap_req.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='build_ap_req.c' object='libkrb5_la-build_ap_req.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
libkrb5_la-build_auth.lo: build_auth.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_auth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_auth.Tpo -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-build_auth.Tpo $(DEPDIR)/libkrb5_la-build_auth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='build_auth.c' object='libkrb5_la-build_auth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
libkrb5_la-cache.lo: cache.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-cache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-cache.Tpo -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-cache.Tpo $(DEPDIR)/libkrb5_la-cache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='cache.c' object='libkrb5_la-cache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
libkrb5_la-changepw.lo: changepw.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-changepw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-changepw.Tpo -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-changepw.Tpo $(DEPDIR)/libkrb5_la-changepw.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='changepw.c' object='libkrb5_la-changepw.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
libkrb5_la-codec.lo: codec.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-codec.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-codec.Tpo -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-codec.Tpo $(DEPDIR)/libkrb5_la-codec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='codec.c' object='libkrb5_la-codec.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
libkrb5_la-config_file.lo: config_file.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
-
-libkrb5_la-config_file_netinfo.lo: config_file_netinfo.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file_netinfo.lo `test -f 'config_file_netinfo.c' || echo '$(srcdir)/'`config_file_netinfo.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-config_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-config_file.Tpo -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-config_file.Tpo $(DEPDIR)/libkrb5_la-config_file.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config_file.c' object='libkrb5_la-config_file.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
libkrb5_la-convert_creds.lo: convert_creds.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-convert_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-convert_creds.Tpo -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-convert_creds.Tpo $(DEPDIR)/libkrb5_la-convert_creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='convert_creds.c' object='libkrb5_la-convert_creds.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
libkrb5_la-constants.lo: constants.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-constants.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-constants.Tpo -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-constants.Tpo $(DEPDIR)/libkrb5_la-constants.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='constants.c' object='libkrb5_la-constants.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
libkrb5_la-context.lo: context.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-context.Tpo -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-context.Tpo $(DEPDIR)/libkrb5_la-context.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='context.c' object='libkrb5_la-context.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
libkrb5_la-copy_host_realm.lo: copy_host_realm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-copy_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo $(DEPDIR)/libkrb5_la-copy_host_realm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='copy_host_realm.c' object='libkrb5_la-copy_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
libkrb5_la-crc.lo: crc.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crc.Tpo -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crc.Tpo $(DEPDIR)/libkrb5_la-crc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crc.c' object='libkrb5_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
libkrb5_la-creds.lo: creds.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-creds.Tpo -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-creds.Tpo $(DEPDIR)/libkrb5_la-creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='creds.c' object='libkrb5_la-creds.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
libkrb5_la-crypto.lo: crypto.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto.Tpo -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto.Tpo $(DEPDIR)/libkrb5_la-crypto.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto.c' object='libkrb5_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+
+libkrb5_la-crypto-aes.lo: crypto-aes.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-aes.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-aes.Tpo -c -o libkrb5_la-crypto-aes.lo `test -f 'crypto-aes.c' || echo '$(srcdir)/'`crypto-aes.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-aes.Tpo $(DEPDIR)/libkrb5_la-crypto-aes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-aes.c' object='libkrb5_la-crypto-aes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-aes.lo `test -f 'crypto-aes.c' || echo '$(srcdir)/'`crypto-aes.c
+
+libkrb5_la-crypto-algs.lo: crypto-algs.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-algs.Tpo -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-algs.Tpo $(DEPDIR)/libkrb5_la-crypto-algs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-algs.c' object='libkrb5_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
+
+libkrb5_la-crypto-arcfour.lo: crypto-arcfour.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo $(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-arcfour.c' object='libkrb5_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
+
+libkrb5_la-crypto-des.lo: crypto-des.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des.Tpo -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-des.Tpo $(DEPDIR)/libkrb5_la-crypto-des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des.c' object='libkrb5_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
+
+libkrb5_la-crypto-des-common.lo: crypto-des-common.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo $(DEPDIR)/libkrb5_la-crypto-des-common.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des-common.c' object='libkrb5_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
+
+libkrb5_la-crypto-des3.lo: crypto-des3.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des3.Tpo -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-des3.Tpo $(DEPDIR)/libkrb5_la-crypto-des3.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des3.c' object='libkrb5_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
+
+libkrb5_la-crypto-evp.lo: crypto-evp.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-evp.Tpo -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-evp.Tpo $(DEPDIR)/libkrb5_la-crypto-evp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-evp.c' object='libkrb5_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
+
+libkrb5_la-crypto-null.lo: crypto-null.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-null.Tpo -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-null.Tpo $(DEPDIR)/libkrb5_la-crypto-null.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-null.c' object='libkrb5_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
+
+libkrb5_la-crypto-pk.lo: crypto-pk.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-pk.Tpo -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-pk.Tpo $(DEPDIR)/libkrb5_la-crypto-pk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-pk.c' object='libkrb5_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
+
+libkrb5_la-crypto-rand.lo: crypto-rand.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-rand.Tpo -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-crypto-rand.Tpo $(DEPDIR)/libkrb5_la-crypto-rand.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-rand.c' object='libkrb5_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
libkrb5_la-doxygen.lo: doxygen.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-doxygen.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-doxygen.Tpo -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-doxygen.Tpo $(DEPDIR)/libkrb5_la-doxygen.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='doxygen.c' object='libkrb5_la-doxygen.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
libkrb5_la-data.lo: data.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-data.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-data.Tpo -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-data.Tpo $(DEPDIR)/libkrb5_la-data.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='data.c' object='libkrb5_la-data.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+
+libkrb5_la-deprecated.lo: deprecated.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-deprecated.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-deprecated.Tpo -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-deprecated.Tpo $(DEPDIR)/libkrb5_la-deprecated.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='deprecated.c' object='libkrb5_la-deprecated.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
libkrb5_la-digest.lo: digest.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-digest.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-digest.Tpo -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-digest.Tpo $(DEPDIR)/libkrb5_la-digest.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='digest.c' object='libkrb5_la-digest.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
libkrb5_la-eai_to_heim_errno.lo: eai_to_heim_errno.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-eai_to_heim_errno.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='eai_to_heim_errno.c' object='libkrb5_la-eai_to_heim_errno.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
libkrb5_la-error_string.lo: error_string.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-error_string.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-error_string.Tpo -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-error_string.Tpo $(DEPDIR)/libkrb5_la-error_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='error_string.c' object='libkrb5_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
libkrb5_la-expand_hostname.lo: expand_hostname.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_hostname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_hostname.Tpo -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-expand_hostname.Tpo $(DEPDIR)/libkrb5_la-expand_hostname.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='expand_hostname.c' object='libkrb5_la-expand_hostname.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
+
+libkrb5_la-expand_path.lo: expand_path.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_path.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_path.Tpo -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-expand_path.Tpo $(DEPDIR)/libkrb5_la-expand_path.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='expand_path.c' object='libkrb5_la-expand_path.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
libkrb5_la-fcache.lo: fcache.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-fcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-fcache.Tpo -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-fcache.Tpo $(DEPDIR)/libkrb5_la-fcache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fcache.c' object='libkrb5_la-fcache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
libkrb5_la-free.lo: free.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free.Tpo -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-free.Tpo $(DEPDIR)/libkrb5_la-free.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='free.c' object='libkrb5_la-free.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
libkrb5_la-free_host_realm.lo: free_host_realm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free_host_realm.Tpo -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-free_host_realm.Tpo $(DEPDIR)/libkrb5_la-free_host_realm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='free_host_realm.c' object='libkrb5_la-free_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
libkrb5_la-generate_seq_number.lo: generate_seq_number.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_seq_number.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo $(DEPDIR)/libkrb5_la-generate_seq_number.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='generate_seq_number.c' object='libkrb5_la-generate_seq_number.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
libkrb5_la-generate_subkey.lo: generate_subkey.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_subkey.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_subkey.Tpo -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-generate_subkey.Tpo $(DEPDIR)/libkrb5_la-generate_subkey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='generate_subkey.c' object='libkrb5_la-generate_subkey.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
libkrb5_la-get_addrs.lo: get_addrs.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_addrs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_addrs.Tpo -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_addrs.Tpo $(DEPDIR)/libkrb5_la-get_addrs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_addrs.c' object='libkrb5_la-get_addrs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
libkrb5_la-get_cred.lo: get_cred.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_cred.Tpo -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_cred.Tpo $(DEPDIR)/libkrb5_la-get_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_cred.c' object='libkrb5_la-get_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
libkrb5_la-get_default_principal.lo: get_default_principal.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_principal.Tpo -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_default_principal.Tpo $(DEPDIR)/libkrb5_la-get_default_principal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_default_principal.c' object='libkrb5_la-get_default_principal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
libkrb5_la-get_default_realm.lo: get_default_realm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_realm.Tpo -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_default_realm.Tpo $(DEPDIR)/libkrb5_la-get_default_realm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_default_realm.c' object='libkrb5_la-get_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
libkrb5_la-get_for_creds.lo: get_for_creds.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_for_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_for_creds.Tpo -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_for_creds.Tpo $(DEPDIR)/libkrb5_la-get_for_creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_for_creds.c' object='libkrb5_la-get_for_creds.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
libkrb5_la-get_host_realm.lo: get_host_realm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_host_realm.Tpo -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_host_realm.Tpo $(DEPDIR)/libkrb5_la-get_host_realm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_host_realm.c' object='libkrb5_la-get_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
libkrb5_la-get_in_tkt.lo: get_in_tkt.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
-
-libkrb5_la-get_in_tkt_pw.lo: get_in_tkt_pw.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_pw.lo `test -f 'get_in_tkt_pw.c' || echo '$(srcdir)/'`get_in_tkt_pw.c
-
-libkrb5_la-get_in_tkt_with_keytab.lo: get_in_tkt_with_keytab.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_keytab.lo `test -f 'get_in_tkt_with_keytab.c' || echo '$(srcdir)/'`get_in_tkt_with_keytab.c
-
-libkrb5_la-get_in_tkt_with_skey.lo: get_in_tkt_with_skey.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_skey.lo `test -f 'get_in_tkt_with_skey.c' || echo '$(srcdir)/'`get_in_tkt_with_skey.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_in_tkt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo $(DEPDIR)/libkrb5_la-get_in_tkt.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_in_tkt.c' object='libkrb5_la-get_in_tkt.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
libkrb5_la-get_port.lo: get_port.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_port.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_port.Tpo -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-get_port.Tpo $(DEPDIR)/libkrb5_la-get_port.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='get_port.c' object='libkrb5_la-get_port.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
libkrb5_la-init_creds.lo: init_creds.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds.Tpo -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-init_creds.Tpo $(DEPDIR)/libkrb5_la-init_creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='init_creds.c' object='libkrb5_la-init_creds.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
libkrb5_la-init_creds_pw.lo: init_creds_pw.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds_pw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo $(DEPDIR)/libkrb5_la-init_creds_pw.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='init_creds_pw.c' object='libkrb5_la-init_creds_pw.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
libkrb5_la-kcm.lo: kcm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kcm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kcm.Tpo -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-kcm.Tpo $(DEPDIR)/libkrb5_la-kcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kcm.c' object='libkrb5_la-kcm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
libkrb5_la-keyblock.lo: keyblock.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keyblock.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keyblock.Tpo -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keyblock.Tpo $(DEPDIR)/libkrb5_la-keyblock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keyblock.c' object='libkrb5_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
libkrb5_la-keytab.lo: keytab.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab.Tpo -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keytab.Tpo $(DEPDIR)/libkrb5_la-keytab.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keytab.c' object='libkrb5_la-keytab.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
libkrb5_la-keytab_any.lo: keytab_any.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_any.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_any.Tpo -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keytab_any.Tpo $(DEPDIR)/libkrb5_la-keytab_any.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keytab_any.c' object='libkrb5_la-keytab_any.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
libkrb5_la-keytab_file.lo: keytab_file.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_file.Tpo -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keytab_file.Tpo $(DEPDIR)/libkrb5_la-keytab_file.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keytab_file.c' object='libkrb5_la-keytab_file.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
libkrb5_la-keytab_keyfile.lo: keytab_keyfile.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
-
-libkrb5_la-keytab_krb4.lo: keytab_krb4.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_krb4.lo `test -f 'keytab_krb4.c' || echo '$(srcdir)/'`keytab_krb4.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_keyfile.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo $(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keytab_keyfile.c' object='libkrb5_la-keytab_keyfile.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
libkrb5_la-keytab_memory.lo: keytab_memory.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_memory.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_memory.Tpo -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-keytab_memory.Tpo $(DEPDIR)/libkrb5_la-keytab_memory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keytab_memory.c' object='libkrb5_la-keytab_memory.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
libkrb5_la-krbhst.lo: krbhst.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krbhst.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krbhst.Tpo -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-krbhst.Tpo $(DEPDIR)/libkrb5_la-krbhst.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='krbhst.c' object='libkrb5_la-krbhst.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
libkrb5_la-kuserok.lo: kuserok.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kuserok.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kuserok.Tpo -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-kuserok.Tpo $(DEPDIR)/libkrb5_la-kuserok.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kuserok.c' object='libkrb5_la-kuserok.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
libkrb5_la-log.lo: log.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-log.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-log.Tpo -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-log.Tpo $(DEPDIR)/libkrb5_la-log.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='log.c' object='libkrb5_la-log.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
libkrb5_la-mcache.lo: mcache.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mcache.Tpo -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mcache.Tpo $(DEPDIR)/libkrb5_la-mcache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mcache.c' object='libkrb5_la-mcache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
libkrb5_la-misc.lo: misc.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-misc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-misc.Tpo -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-misc.Tpo $(DEPDIR)/libkrb5_la-misc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='misc.c' object='libkrb5_la-misc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
libkrb5_la-mk_error.lo: mk_error.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_error.Tpo -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_error.Tpo $(DEPDIR)/libkrb5_la-mk_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_error.c' object='libkrb5_la-mk_error.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
libkrb5_la-mk_priv.lo: mk_priv.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_priv.Tpo -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_priv.Tpo $(DEPDIR)/libkrb5_la-mk_priv.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_priv.c' object='libkrb5_la-mk_priv.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
libkrb5_la-mk_rep.lo: mk_rep.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_rep.Tpo -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_rep.Tpo $(DEPDIR)/libkrb5_la-mk_rep.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_rep.c' object='libkrb5_la-mk_rep.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
libkrb5_la-mk_req.lo: mk_req.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req.Tpo -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_req.Tpo $(DEPDIR)/libkrb5_la-mk_req.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_req.c' object='libkrb5_la-mk_req.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
libkrb5_la-mk_req_ext.lo: mk_req_ext.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req_ext.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo $(DEPDIR)/libkrb5_la-mk_req_ext.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_req_ext.c' object='libkrb5_la-mk_req_ext.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
libkrb5_la-mk_safe.lo: mk_safe.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_safe.Tpo -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mk_safe.Tpo $(DEPDIR)/libkrb5_la-mk_safe.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mk_safe.c' object='libkrb5_la-mk_safe.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
libkrb5_la-mit_glue.lo: mit_glue.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mit_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mit_glue.Tpo -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-mit_glue.Tpo $(DEPDIR)/libkrb5_la-mit_glue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='mit_glue.c' object='libkrb5_la-mit_glue.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
libkrb5_la-net_read.lo: net_read.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_read.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_read.Tpo -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-net_read.Tpo $(DEPDIR)/libkrb5_la-net_read.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='net_read.c' object='libkrb5_la-net_read.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
libkrb5_la-net_write.lo: net_write.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_write.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_write.Tpo -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-net_write.Tpo $(DEPDIR)/libkrb5_la-net_write.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='net_write.c' object='libkrb5_la-net_write.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
libkrb5_la-n-fold.lo: n-fold.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-n-fold.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-n-fold.Tpo -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-n-fold.Tpo $(DEPDIR)/libkrb5_la-n-fold.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='n-fold.c' object='libkrb5_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
libkrb5_la-pac.lo: pac.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pac.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pac.Tpo -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-pac.Tpo $(DEPDIR)/libkrb5_la-pac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pac.c' object='libkrb5_la-pac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
libkrb5_la-padata.lo: padata.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-padata.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-padata.Tpo -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-padata.Tpo $(DEPDIR)/libkrb5_la-padata.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='padata.c' object='libkrb5_la-padata.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
+
+libkrb5_la-pcache.lo: pcache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pcache.Tpo -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-pcache.Tpo $(DEPDIR)/libkrb5_la-pcache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pcache.c' object='libkrb5_la-pcache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
libkrb5_la-pkinit.lo: pkinit.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pkinit.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pkinit.Tpo -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-pkinit.Tpo $(DEPDIR)/libkrb5_la-pkinit.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pkinit.c' object='libkrb5_la-pkinit.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
libkrb5_la-principal.lo: principal.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-principal.Tpo -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-principal.Tpo $(DEPDIR)/libkrb5_la-principal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='principal.c' object='libkrb5_la-principal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
libkrb5_la-prog_setup.lo: prog_setup.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prog_setup.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prog_setup.Tpo -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-prog_setup.Tpo $(DEPDIR)/libkrb5_la-prog_setup.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='prog_setup.c' object='libkrb5_la-prog_setup.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
libkrb5_la-prompter_posix.lo: prompter_posix.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prompter_posix.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prompter_posix.Tpo -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-prompter_posix.Tpo $(DEPDIR)/libkrb5_la-prompter_posix.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='prompter_posix.c' object='libkrb5_la-prompter_posix.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
libkrb5_la-rd_cred.lo: rd_cred.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_cred.Tpo -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_cred.Tpo $(DEPDIR)/libkrb5_la-rd_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_cred.c' object='libkrb5_la-rd_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
libkrb5_la-rd_error.lo: rd_error.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_error.Tpo -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_error.Tpo $(DEPDIR)/libkrb5_la-rd_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_error.c' object='libkrb5_la-rd_error.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
libkrb5_la-rd_priv.lo: rd_priv.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_priv.Tpo -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_priv.Tpo $(DEPDIR)/libkrb5_la-rd_priv.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_priv.c' object='libkrb5_la-rd_priv.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
libkrb5_la-rd_rep.lo: rd_rep.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_rep.Tpo -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_rep.Tpo $(DEPDIR)/libkrb5_la-rd_rep.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_rep.c' object='libkrb5_la-rd_rep.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
libkrb5_la-rd_req.lo: rd_req.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_req.Tpo -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_req.Tpo $(DEPDIR)/libkrb5_la-rd_req.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_req.c' object='libkrb5_la-rd_req.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
libkrb5_la-rd_safe.lo: rd_safe.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_safe.Tpo -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-rd_safe.Tpo $(DEPDIR)/libkrb5_la-rd_safe.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='rd_safe.c' object='libkrb5_la-rd_safe.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
libkrb5_la-read_message.lo: read_message.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-read_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-read_message.Tpo -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-read_message.Tpo $(DEPDIR)/libkrb5_la-read_message.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='read_message.c' object='libkrb5_la-read_message.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
libkrb5_la-recvauth.lo: recvauth.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-recvauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-recvauth.Tpo -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-recvauth.Tpo $(DEPDIR)/libkrb5_la-recvauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='recvauth.c' object='libkrb5_la-recvauth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
libkrb5_la-replay.lo: replay.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-replay.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-replay.Tpo -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-replay.Tpo $(DEPDIR)/libkrb5_la-replay.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='replay.c' object='libkrb5_la-replay.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
+
+libkrb5_la-salt.lo: salt.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt.Tpo -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-salt.Tpo $(DEPDIR)/libkrb5_la-salt.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt.c' object='libkrb5_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
+
+libkrb5_la-salt-aes.lo: salt-aes.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-aes.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-aes.Tpo -c -o libkrb5_la-salt-aes.lo `test -f 'salt-aes.c' || echo '$(srcdir)/'`salt-aes.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-salt-aes.Tpo $(DEPDIR)/libkrb5_la-salt-aes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-aes.c' object='libkrb5_la-salt-aes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-aes.lo `test -f 'salt-aes.c' || echo '$(srcdir)/'`salt-aes.c
+
+libkrb5_la-salt-arcfour.lo: salt-arcfour.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo $(DEPDIR)/libkrb5_la-salt-arcfour.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-arcfour.c' object='libkrb5_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
+
+libkrb5_la-salt-des.lo: salt-des.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des.Tpo -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-salt-des.Tpo $(DEPDIR)/libkrb5_la-salt-des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-des.c' object='libkrb5_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
+
+libkrb5_la-salt-des3.lo: salt-des3.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des3.Tpo -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-salt-des3.Tpo $(DEPDIR)/libkrb5_la-salt-des3.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-des3.c' object='libkrb5_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
+
+libkrb5_la-scache.lo: scache.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-scache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-scache.Tpo -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-scache.Tpo $(DEPDIR)/libkrb5_la-scache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='scache.c' object='libkrb5_la-scache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
libkrb5_la-send_to_kdc.lo: send_to_kdc.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-send_to_kdc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo $(DEPDIR)/libkrb5_la-send_to_kdc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='send_to_kdc.c' object='libkrb5_la-send_to_kdc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
libkrb5_la-sendauth.lo: sendauth.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sendauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sendauth.Tpo -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-sendauth.Tpo $(DEPDIR)/libkrb5_la-sendauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sendauth.c' object='libkrb5_la-sendauth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
libkrb5_la-set_default_realm.lo: set_default_realm.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-set_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-set_default_realm.Tpo -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-set_default_realm.Tpo $(DEPDIR)/libkrb5_la-set_default_realm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='set_default_realm.c' object='libkrb5_la-set_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
libkrb5_la-sock_principal.lo: sock_principal.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sock_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sock_principal.Tpo -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-sock_principal.Tpo $(DEPDIR)/libkrb5_la-sock_principal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sock_principal.c' object='libkrb5_la-sock_principal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
libkrb5_la-store.lo: store.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store.Tpo -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-store.Tpo $(DEPDIR)/libkrb5_la-store.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store.c' object='libkrb5_la-store.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
+
+libkrb5_la-store-int.lo: store-int.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store-int.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store-int.Tpo -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-store-int.Tpo $(DEPDIR)/libkrb5_la-store-int.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store-int.c' object='libkrb5_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
libkrb5_la-store_emem.lo: store_emem.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_emem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_emem.Tpo -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-store_emem.Tpo $(DEPDIR)/libkrb5_la-store_emem.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store_emem.c' object='libkrb5_la-store_emem.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
libkrb5_la-store_fd.lo: store_fd.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_fd.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_fd.Tpo -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-store_fd.Tpo $(DEPDIR)/libkrb5_la-store_fd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store_fd.c' object='libkrb5_la-store_fd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
libkrb5_la-store_mem.lo: store_mem.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_mem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_mem.Tpo -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-store_mem.Tpo $(DEPDIR)/libkrb5_la-store_mem.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store_mem.c' object='libkrb5_la-store_mem.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
libkrb5_la-plugin.lo: plugin.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-plugin.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-plugin.Tpo -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-plugin.Tpo $(DEPDIR)/libkrb5_la-plugin.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='plugin.c' object='libkrb5_la-plugin.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
libkrb5_la-ticket.lo: ticket.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-ticket.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-ticket.Tpo -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-ticket.Tpo $(DEPDIR)/libkrb5_la-ticket.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ticket.c' object='libkrb5_la-ticket.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
libkrb5_la-time.lo: time.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-time.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-time.Tpo -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-time.Tpo $(DEPDIR)/libkrb5_la-time.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='time.c' object='libkrb5_la-time.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
libkrb5_la-transited.lo: transited.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
-
-libkrb5_la-v4_glue.lo: v4_glue.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-v4_glue.lo `test -f 'v4_glue.c' || echo '$(srcdir)/'`v4_glue.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-transited.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-transited.Tpo -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-transited.Tpo $(DEPDIR)/libkrb5_la-transited.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='transited.c' object='libkrb5_la-transited.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
libkrb5_la-verify_init.lo: verify_init.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_init.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_init.Tpo -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-verify_init.Tpo $(DEPDIR)/libkrb5_la-verify_init.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify_init.c' object='libkrb5_la-verify_init.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
libkrb5_la-verify_user.lo: verify_user.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_user.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_user.Tpo -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-verify_user.Tpo $(DEPDIR)/libkrb5_la-verify_user.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify_user.c' object='libkrb5_la-verify_user.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
libkrb5_la-version.lo: version.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-version.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-version.Tpo -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-version.Tpo $(DEPDIR)/libkrb5_la-version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='version.c' object='libkrb5_la-version.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
libkrb5_la-warn.lo: warn.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-warn.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-warn.Tpo -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-warn.Tpo $(DEPDIR)/libkrb5_la-warn.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='warn.c' object='libkrb5_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
libkrb5_la-write_message.lo: write_message.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-write_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-write_message.Tpo -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-write_message.Tpo $(DEPDIR)/libkrb5_la-write_message.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='write_message.c' object='libkrb5_la-write_message.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
libkrb5_la-krb5_err.lo: krb5_err.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb5_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb5_err.Tpo -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-krb5_err.Tpo $(DEPDIR)/libkrb5_la-krb5_err.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='krb5_err.c' object='libkrb5_la-krb5_err.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
libkrb5_la-krb_err.lo: krb_err.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb_err.Tpo -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-krb_err.Tpo $(DEPDIR)/libkrb5_la-krb_err.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='krb_err.c' object='libkrb5_la-krb_err.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
libkrb5_la-heim_err.lo: heim_err.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-heim_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-heim_err.Tpo -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-heim_err.Tpo $(DEPDIR)/libkrb5_la-heim_err.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='heim_err.c' object='libkrb5_la-heim_err.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
libkrb5_la-k524_err.lo: k524_err.c
- $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-k524_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-k524_err.Tpo -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libkrb5_la-k524_err.Tpo $(DEPDIR)/libkrb5_la-k524_err.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='k524_err.c' object='libkrb5_la-k524_err.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
+
+librfc3961_la-crc.lo: crc.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crc.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crc.Tpo -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crc.Tpo $(DEPDIR)/librfc3961_la-crc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crc.c' object='librfc3961_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
+
+librfc3961_la-crypto.lo: crypto.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto.Tpo -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto.Tpo $(DEPDIR)/librfc3961_la-crypto.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto.c' object='librfc3961_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+
+librfc3961_la-crypto-aes.lo: crypto-aes.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-aes.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-aes.Tpo -c -o librfc3961_la-crypto-aes.lo `test -f 'crypto-aes.c' || echo '$(srcdir)/'`crypto-aes.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-aes.Tpo $(DEPDIR)/librfc3961_la-crypto-aes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-aes.c' object='librfc3961_la-crypto-aes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-aes.lo `test -f 'crypto-aes.c' || echo '$(srcdir)/'`crypto-aes.c
+
+librfc3961_la-crypto-algs.lo: crypto-algs.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-algs.Tpo -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-algs.Tpo $(DEPDIR)/librfc3961_la-crypto-algs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-algs.c' object='librfc3961_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
+
+librfc3961_la-crypto-arcfour.lo: crypto-arcfour.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo $(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-arcfour.c' object='librfc3961_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
+
+librfc3961_la-crypto-des.lo: crypto-des.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des.Tpo -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-des.Tpo $(DEPDIR)/librfc3961_la-crypto-des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des.c' object='librfc3961_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
+
+librfc3961_la-crypto-des-common.lo: crypto-des-common.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo $(DEPDIR)/librfc3961_la-crypto-des-common.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des-common.c' object='librfc3961_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
+
+librfc3961_la-crypto-des3.lo: crypto-des3.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des3.Tpo -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-des3.Tpo $(DEPDIR)/librfc3961_la-crypto-des3.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-des3.c' object='librfc3961_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
+
+librfc3961_la-crypto-evp.lo: crypto-evp.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-evp.Tpo -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-evp.Tpo $(DEPDIR)/librfc3961_la-crypto-evp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-evp.c' object='librfc3961_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
+
+librfc3961_la-crypto-null.lo: crypto-null.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-null.Tpo -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-null.Tpo $(DEPDIR)/librfc3961_la-crypto-null.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-null.c' object='librfc3961_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
+
+librfc3961_la-crypto-pk.lo: crypto-pk.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-pk.Tpo -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-pk.Tpo $(DEPDIR)/librfc3961_la-crypto-pk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-pk.c' object='librfc3961_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
+
+librfc3961_la-crypto-rand.lo: crypto-rand.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-rand.Tpo -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-rand.Tpo $(DEPDIR)/librfc3961_la-crypto-rand.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-rand.c' object='librfc3961_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
+
+librfc3961_la-crypto-stubs.lo: crypto-stubs.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-stubs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo $(DEPDIR)/librfc3961_la-crypto-stubs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto-stubs.c' object='librfc3961_la-crypto-stubs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
+
+librfc3961_la-data.lo: data.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-data.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-data.Tpo -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-data.Tpo $(DEPDIR)/librfc3961_la-data.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='data.c' object='librfc3961_la-data.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+
+librfc3961_la-error_string.lo: error_string.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-error_string.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-error_string.Tpo -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-error_string.Tpo $(DEPDIR)/librfc3961_la-error_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='error_string.c' object='librfc3961_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
+
+librfc3961_la-keyblock.lo: keyblock.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-keyblock.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-keyblock.Tpo -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-keyblock.Tpo $(DEPDIR)/librfc3961_la-keyblock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keyblock.c' object='librfc3961_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
+
+librfc3961_la-n-fold.lo: n-fold.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-n-fold.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-n-fold.Tpo -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-n-fold.Tpo $(DEPDIR)/librfc3961_la-n-fold.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='n-fold.c' object='librfc3961_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
+
+librfc3961_la-salt.lo: salt.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt.Tpo -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-salt.Tpo $(DEPDIR)/librfc3961_la-salt.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt.c' object='librfc3961_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
+
+librfc3961_la-salt-aes.lo: salt-aes.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-aes.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-aes.Tpo -c -o librfc3961_la-salt-aes.lo `test -f 'salt-aes.c' || echo '$(srcdir)/'`salt-aes.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-salt-aes.Tpo $(DEPDIR)/librfc3961_la-salt-aes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-aes.c' object='librfc3961_la-salt-aes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-aes.lo `test -f 'salt-aes.c' || echo '$(srcdir)/'`salt-aes.c
+
+librfc3961_la-salt-arcfour.lo: salt-arcfour.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo $(DEPDIR)/librfc3961_la-salt-arcfour.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-arcfour.c' object='librfc3961_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
+
+librfc3961_la-salt-des.lo: salt-des.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des.Tpo -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-salt-des.Tpo $(DEPDIR)/librfc3961_la-salt-des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-des.c' object='librfc3961_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
+
+librfc3961_la-salt-des3.lo: salt-des3.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des3.Tpo -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-salt-des3.Tpo $(DEPDIR)/librfc3961_la-salt-des3.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='salt-des3.c' object='librfc3961_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
+
+librfc3961_la-store-int.lo: store-int.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-store-int.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-store-int.Tpo -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-store-int.Tpo $(DEPDIR)/librfc3961_la-store-int.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='store-int.c' object='librfc3961_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
+
+librfc3961_la-warn.lo: warn.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-warn.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-warn.Tpo -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/librfc3961_la-warn.Tpo $(DEPDIR)/librfc3961_la-warn.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='warn.c' object='librfc3961_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
-install-man3: $(man3_MANS) $(man_MANS)
+install-man3: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
- @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.3*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man3dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.3[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 3*) ;; \
- *) ext='3' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
+ done; }
+
uninstall-man3:
@$(NORMAL_UNINSTALL)
- @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.3*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 3*) ;; \
- *) ext='3' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
- done
-install-man5: $(man5_MANS) $(man_MANS)
+ @list=''; test -n "$(man3dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.3[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man3dir)" && rm -f $$files; }
+install-man5: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+ done; }
+
uninstall-man5:
@$(NORMAL_UNINSTALL)
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
- done
-install-man8: $(man8_MANS) $(man_MANS)
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+ done; }
+
uninstall-man8:
@$(NORMAL_UNINSTALL)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
install-dist_includeHEADERS: $(dist_include_HEADERS)
@$(NORMAL_INSTALL)
test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
- @list='$(dist_include_HEADERS)'; for p in $$list; do \
+ @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- f=$(am__strip_dir) \
- echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
- $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
+ $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
done
uninstall-dist_includeHEADERS:
@$(NORMAL_UNINSTALL)
- @list='$(dist_include_HEADERS)'; for p in $$list; do \
- f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
- rm -f "$(DESTDIR)$(includedir)/$$f"; \
- done
+ @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ test -n "$$files" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(includedir)" && rm -f $$files
install-krb5HEADERS: $(krb5_HEADERS)
@$(NORMAL_INSTALL)
test -z "$(krb5dir)" || $(MKDIR_P) "$(DESTDIR)$(krb5dir)"
- @list='$(krb5_HEADERS)'; for p in $$list; do \
+ @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
+ for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- f=$(am__strip_dir) \
- echo " $(krb5HEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(krb5dir)/$$f'"; \
- $(krb5HEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(krb5dir)/$$f"; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(krb5dir)'"; \
+ $(INSTALL_HEADER) $$files "$(DESTDIR)$(krb5dir)" || exit $$?; \
done
uninstall-krb5HEADERS:
@$(NORMAL_UNINSTALL)
- @list='$(krb5_HEADERS)'; for p in $$list; do \
- f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(krb5dir)/$$f'"; \
- rm -f "$(DESTDIR)$(krb5dir)/$$f"; \
- done
+ @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ test -n "$$files" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(krb5dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(krb5dir)" && rm -f $$files
install-nodist_includeHEADERS: $(nodist_include_HEADERS)
@$(NORMAL_INSTALL)
test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
- @list='$(nodist_include_HEADERS)'; for p in $$list; do \
+ @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- f=$(am__strip_dir) \
- echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
- $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
+ $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
done
uninstall-nodist_includeHEADERS:
@$(NORMAL_UNINSTALL)
- @list='$(nodist_include_HEADERS)'; for p in $$list; do \
- f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
- rm -f "$(DESTDIR)$(includedir)/$$f"; \
- done
+ @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ test -n "$$files" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(includedir)" && rm -f $$files
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
+ set x; \
here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
- here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
+ $$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
check-TESTS: $(TESTS)
- @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
srcdir=$(srcdir); export srcdir; \
list=' $(TESTS) '; \
+ $(am__tty_colors); \
if test -n "$$list"; then \
for tst in $$list; do \
if test -f ./$$tst; then dir=./; \
@@ -1605,49 +2744,63 @@ check-TESTS: $(TESTS)
if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
all=`expr $$all + 1`; \
case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
+ *[\ \ ]$$tst[\ \ ]*) \
xpass=`expr $$xpass + 1`; \
failed=`expr $$failed + 1`; \
- echo "XPASS: $$tst"; \
+ col=$$red; res=XPASS; \
;; \
*) \
- echo "PASS: $$tst"; \
+ col=$$grn; res=PASS; \
;; \
esac; \
elif test $$? -ne 77; then \
all=`expr $$all + 1`; \
case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
+ *[\ \ ]$$tst[\ \ ]*) \
xfail=`expr $$xfail + 1`; \
- echo "XFAIL: $$tst"; \
+ col=$$lgn; res=XFAIL; \
;; \
*) \
failed=`expr $$failed + 1`; \
- echo "FAIL: $$tst"; \
+ col=$$red; res=FAIL; \
;; \
esac; \
else \
skip=`expr $$skip + 1`; \
- echo "SKIP: $$tst"; \
+ col=$$blu; res=SKIP; \
fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
if test "$$failed" -eq 0; then \
if test "$$xfail" -eq 0; then \
- banner="All $$all tests passed"; \
+ banner="$$All$$all $$tests passed"; \
else \
- banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
fi; \
else \
if test "$$xpass" -eq 0; then \
- banner="$$failed of $$all tests failed"; \
+ banner="$$failed of $$all $$tests failed"; \
else \
- banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
fi; \
fi; \
dashes="$$banner"; \
skipped=""; \
if test "$$skip" -ne 0; then \
- skipped="($$skip tests were not run)"; \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
dashes="$$skipped"; \
fi; \
@@ -1658,15 +2811,32 @@ check-TESTS: $(TESTS)
dashes="$$report"; \
fi; \
dashes=`echo "$$dashes" | sed s/./=/g`; \
- echo "$$dashes"; \
+ if test "$$failed" -eq 0; then \
+ echo "$$grn$$dashes"; \
+ else \
+ echo "$$red$$dashes"; \
+ fi; \
echo "$$banner"; \
test -z "$$skipped" || echo "$$skipped"; \
test -z "$$report" || echo "$$report"; \
- echo "$$dashes"; \
+ echo "$$dashes$$std"; \
test "$$failed" -eq 0; \
else :; fi
distdir: $(DISTFILES)
+ @list='$(MANS)'; if test -n "$$list"; then \
+ list=`for p in $$list; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+ if test -n "$$list" && \
+ grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+ echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+ grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
+ echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+ echo " typically \`make maintainer-clean' will remove them" >&2; \
+ exit 1; \
+ else :; fi; \
+ else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -1682,13 +2852,17 @@ distdir: $(DISTFILES)
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@@ -1696,7 +2870,7 @@ distdir: $(DISTFILES)
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_DATA)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
check: check-am
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
@@ -1728,6 +2902,7 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -1735,10 +2910,11 @@ maintainer-clean-generic:
clean: clean-am
clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
- clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
- mostlyclean-am
+ clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \
+ clean-noinstPROGRAMS mostlyclean-am
distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1749,6 +2925,8 @@ dvi-am:
html: html-am
+html-am:
+
info: info-am
info-am:
@@ -1757,26 +2935,35 @@ install-data-am: install-dist_includeHEADERS install-krb5HEADERS \
install-man install-nodist_includeHEADERS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
-
install-dvi: install-dvi-am
+install-dvi-am:
+
install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
-
install-html: install-html-am
+install-html-am:
+
install-info: install-info-am
+install-info-am:
+
install-man: install-man3 install-man5 install-man8
install-pdf: install-pdf-am
+install-pdf-am:
+
install-ps: install-ps-am
+install-ps-am:
+
installcheck-am:
maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1798,24 +2985,24 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
uninstall-nodist_includeHEADERS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-
uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8
-.MAKE: install-am install-data-am install-exec-am install-strip \
- uninstall-am
+.MAKE: check-am install-am install-data-am install-exec-am \
+ install-strip uninstall-am
.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
clean-generic clean-libLTLIBRARIES clean-libtool \
- clean-noinstPROGRAMS ctags dist-hook distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-binPROGRAMS install-data \
- install-data-am install-data-hook install-dist_includeHEADERS \
- install-dvi install-dvi-am install-exec install-exec-am \
- install-exec-hook install-html install-html-am install-info \
- install-info-am install-krb5HEADERS install-libLTLIBRARIES \
- install-man install-man3 install-man5 install-man8 \
+ clean-noinstLTLIBRARIES clean-noinstPROGRAMS ctags dist-hook \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-binPROGRAMS \
+ install-data install-data-am install-data-hook \
+ install-dist_includeHEADERS install-dvi install-dvi-am \
+ install-exec install-exec-am install-exec-hook install-html \
+ install-html-am install-info install-info-am \
+ install-krb5HEADERS install-libLTLIBRARIES install-man \
+ install-man3 install-man5 install-man8 \
install-nodist_includeHEADERS install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
@@ -1896,6 +3083,9 @@ check-local::
.x.c:
@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+.hx.h:
+ @cmp -s $< $@ 2> /dev/null || cp $< $@
#NROFF_MAN = nroff -man
.1.cat1:
$(NROFF_MAN) $< > $@
@@ -1981,7 +3171,7 @@ uninstall-hook: uninstall-cat-mans
check-valgrind:
tobjdir=`cd $(top_builddir) && pwd` ; \
tsrcdir=`cd $(top_srcdir) && pwd` ; \
- env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+ env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
#
# Target to please samba build farm, builds distfiles in-tree.
@@ -1995,16 +3185,19 @@ distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
fi ; \
done
-$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) $(librfc3961_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
$(srcdir)/krb5-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
+ cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
$(srcdir)/krb5-private.h:
cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+test_config_strings.out: test_config_strings.cfg
+ $(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
+
#sysconf_DATA = krb5.moduli
# to help stupid solaris make
@@ -2016,6 +3209,7 @@ krb_err.h: krb_err.et
heim_err.h: heim_err.et
k524_err.h: k524_err.et
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/crypto/heimdal/lib/krb5/acache.c b/crypto/heimdal/lib/krb5/acache.c
index 30a6d90c3451..19eeecda429b 100644
--- a/crypto/heimdal/lib/krb5/acache.c
+++ b/crypto/heimdal/lib/krb5/acache.c
@@ -1,34 +1,36 @@
/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
@@ -37,14 +39,15 @@
#include <dlfcn.h>
#endif
-RCSID("$Id: acache.c 22099 2007-12-03 17:14:34Z lha $");
+#ifndef KCM_IS_API_CACHE
-/* XXX should we fetch these for each open ? */
static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
static cc_initialize_func init_func;
+static void (KRB5_CALLCONV *set_target_uid)(uid_t);
+static void (KRB5_CALLCONV *clear_target)(void);
#ifdef HAVE_DLOPEN
-static void *cc_handle;
+static void *cc_handle;
#endif
typedef struct krb5_acc {
@@ -53,7 +56,7 @@ typedef struct krb5_acc {
cc_ccache_t ccache;
} krb5_acc;
-static krb5_error_code acc_close(krb5_context, krb5_ccache);
+static krb5_error_code KRB5_CALLCONV acc_close(krb5_context, krb5_ccache);
#define ACACHE(X) ((krb5_acc *)(X)->data.data)
@@ -68,14 +71,15 @@ static const struct {
{ ccIteratorEnd, KRB5_CC_END },
{ ccErrNoMem, KRB5_CC_NOMEM },
{ ccErrServerUnavailable, KRB5_CC_NOSUPP },
+ { ccErrInvalidCCache, KRB5_CC_BADNAME },
{ ccNoError, 0 }
};
static krb5_error_code
translate_cc_error(krb5_context context, cc_int32 error)
{
- int i;
- krb5_clear_error_string(context);
+ size_t i;
+ krb5_clear_error_message(context);
for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
if (cc_errors[i].error == error)
return cc_errors[i].ret;
@@ -85,21 +89,25 @@ translate_cc_error(krb5_context context, cc_int32 error)
static krb5_error_code
init_ccapi(krb5_context context)
{
- const char *lib;
+ const char *lib = NULL;
HEIMDAL_MUTEX_lock(&acc_mutex);
if (init_func) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
- krb5_clear_error_string(context);
+ if (context)
+ krb5_clear_error_message(context);
return 0;
}
- lib = krb5_config_get_string(context, NULL,
- "libdefaults", "ccapi_library",
- NULL);
+ if (context)
+ lib = krb5_config_get_string(context, NULL,
+ "libdefaults", "ccapi_library",
+ NULL);
if (lib == NULL) {
#ifdef __APPLE__
lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
+#elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
+ lib = "%{LIBDIR}/libkrb5_cc.dll";
#else
lib = "/usr/lib/libkrb5_cc.so";
#endif
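Review bot: Accepting a NULL context in init_ccapi changes which library gets loaded, and nothing in this hunk documents that. With `context == NULL` the `libdefaults`/`ccapi_library` lookup is skipped and the built-in default path is used; because the `if (init_func)` early return caches the first successful load, a later call with a real context never consults the configured value. If that is intended, a comment above the lookup such as `/* context may be NULL; the default library is then loaded and stays cached, so ccapi_library is not honoured afterwards */` would make the contract explicit. init_ccapi starts before and continues past this hunk.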
@@ -110,19 +118,42 @@ init_ccapi(krb5_context context)
#ifndef RTLD_LAZY
#define RTLD_LAZY 0
#endif
+#ifndef RTLD_LOCAL
+#define RTLD_LOCAL 0
+#endif
+
+#ifdef KRB5_USE_PATH_TOKENS
+ {
+ char * explib = NULL;
+ if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
+ cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
+ free(explib);
+ }
+ }
+#else
+ cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
+#endif
- cc_handle = dlopen(lib, RTLD_LAZY);
if (cc_handle == NULL) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
- krb5_set_error_string(context, "Failed to load %s", lib);
+ if (context)
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to load API cache module %s", "file"),
+ lib);
return KRB5_CC_NOSUPP;
}
init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
+ set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
+ dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
+ clear_target = (void (KRB5_CALLCONV *)(void))
+ dlsym(cc_handle, "krb5_ipc_client_clear_target");
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (init_func == NULL) {
- krb5_set_error_string(context, "Failed to find cc_initialize"
- "in %s: %s", lib, dlerror());
+ if (context)
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to find cc_initialize"
+ "in %s: %s", "file, error"), lib, dlerror());
dlclose(cc_handle);
return KRB5_CC_NOSUPP;
}
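Review bot: On the `init_func == NULL` failure path the new `set_target_uid` and `clear_target` pointers are left set after `dlclose(cc_handle)`, so they can point into an unloaded library. They are resolved by `dlsym` before the `init_func` check, and the wrappers added later in this diff call through them whenever they are non-NULL. Clearing them alongside the close, `set_target_uid = NULL; clear_target = NULL;` before `dlclose(cc_handle);`, avoids the stale call; doing it before `HEIMDAL_MUTEX_unlock(&acc_mutex)` would also keep the writes under the lock. In the KRB5_USE_PATH_TOKENS branch `context` is passed to `_krb5_expand_path_tokens` without the NULL guard used elsewhere in the function; whether that helper tolerates NULL is not visible here. init_ccapi begins outside this hunk.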
@@ -130,10 +161,28 @@ init_ccapi(krb5_context context)
return 0;
#else
HEIMDAL_MUTEX_unlock(&acc_mutex);
- krb5_set_error_string(context, "no support for shared object");
+ if (context)
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("no support for shared object", ""));
return KRB5_CC_NOSUPP;
#endif
-}
+}
+
+void
+_heim_krb5_ipc_client_set_target_uid(uid_t uid)
+{
+ init_ccapi(NULL);
+ if (set_target_uid != NULL)
+ (*set_target_uid)(uid);
+}
+
+void
+_heim_krb5_ipc_client_clear_target(void)
+{
+ init_ccapi(NULL);
+ if (clear_target != NULL)
+ (*clear_target)();
+}
static krb5_error_code
make_cred_from_ccred(krb5_context context,
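Review bot: Both new wrappers ignore the return value of `init_ccapi(NULL)` and test only the function pointer, but the `init_func == NULL` path in the preceding hunk calls `dlclose(cc_handle)` after `set_target_uid` and `clear_target` have already been assigned and does not reset them. A module that exports the IPC symbols but not `cc_initialize` would leave both pointers referring to an unloaded library, and the wrappers would still call through them. Gate the call on success, `if (init_ccapi(NULL) == 0 && set_target_uid != NULL)`, and add `set_target_uid = NULL; clear_target = NULL;` ahead of the `dlclose()`. The pointers are read after `acc_mutex` has been released; whether that is safe depends on the start of init_ccapi, which is outside the visible hunks.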
@@ -141,7 +190,7 @@ make_cred_from_ccred(krb5_context context,
krb5_creds *cred)
{
krb5_error_code ret;
- int i;
+ unsigned int i;
memset(cred, 0, sizeof(*cred));
@@ -180,13 +229,13 @@ make_cred_from_ccred(krb5_context context,
cred->authdata.val = NULL;
cred->authdata.len = 0;
-
+
cred->addresses.val = NULL;
cred->addresses.len = 0;
-
+
for (i = 0; incred->authdata && incred->authdata[i]; i++)
;
-
+
if (i) {
cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
if (cred->authdata.val == NULL)
@@ -201,16 +250,16 @@ make_cred_from_ccred(krb5_context context,
goto nomem;
}
}
-
+
for (i = 0; incred->addresses && incred->addresses[i]; i++)
;
-
+
if (i) {
cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
if (cred->addresses.val == NULL)
goto nomem;
cred->addresses.len = i;
-
+
for (i = 0; i < cred->addresses.len; i++) {
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
ret = krb5_data_copy(&cred->addresses.val[i].address,
@@ -220,7 +269,7 @@ make_cred_from_ccred(krb5_context context,
goto nomem;
}
}
-
+
cred->flags.i = 0;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
cred->flags.b.forwardable = 1;
@@ -252,11 +301,11 @@ make_cred_from_ccred(krb5_context context,
cred->flags.b.anonymous = 1;
return 0;
-
+
nomem:
ret = ENOMEM;
- krb5_set_error_string(context, "malloc - out of memory");
-
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", "malloc"));
+
fail:
krb5_free_cred_contents(context, cred);
return ret;
@@ -288,7 +337,7 @@ make_ccred_from_cred(krb5_context context,
cc_credentials_v5_t *cred)
{
krb5_error_code ret;
- int i;
+ size_t i;
memset(cred, 0, sizeof(*cred));
@@ -317,8 +366,8 @@ make_ccred_from_cred(krb5_context context,
/* XXX this one should also be filled in */
cred->authdata = NULL;
-
- cred->addresses = calloc(incred->addresses.len + 1,
+
+ cred->addresses = calloc(incred->addresses.len + 1,
sizeof(cred->addresses[0]));
if (cred->addresses == NULL) {
@@ -337,10 +386,11 @@ make_ccred_from_cred(krb5_context context,
addr->length = incred->addresses.val[i].address.length;
addr->data = malloc(addr->length);
if (addr->data == NULL) {
+ free(addr);
ret = ENOMEM;
goto fail;
}
- memcpy(addr->data, incred->addresses.val[i].address.data,
+ memcpy(addr->data, incred->addresses.val[i].address.data,
addr->length);
cred->addresses[i] = addr;
}
@@ -378,49 +428,69 @@ make_ccred_from_cred(krb5_context context,
return 0;
-fail:
+fail:
free_ccred(cred);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
-static char *
-get_cc_name(cc_ccache_t cache)
+static cc_int32
+get_cc_name(krb5_acc *a)
{
cc_string_t name;
cc_int32 error;
- char *str;
- error = (*cache->func->get_name)(cache, &name);
+ error = (*a->ccache->func->get_name)(a->ccache, &name);
if (error)
- return NULL;
+ return error;
- str = strdup(name->data);
+ a->cache_name = strdup(name->data);
(*name->func->release)(name);
- return str;
+ if (a->cache_name == NULL)
+ return ccErrNoMem;
+ return ccNoError;
}
-static const char*
+static const char* KRB5_CALLCONV
acc_get_name(krb5_context context,
krb5_ccache id)
{
krb5_acc *a = ACACHE(id);
- static char n[255];
- char *name;
+ int32_t error;
+
+ if (a->cache_name == NULL) {
+ krb5_error_code ret;
+ krb5_principal principal;
+ char *name;
- name = get_cc_name(a->ccache);
- if (name == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return NULL;
+ ret = _krb5_get_default_principal_local(context, &principal);
+ if (ret)
+ return NULL;
+
+ ret = krb5_unparse_name(context, principal, &name);
+ krb5_free_principal(context, principal);
+ if (ret)
+ return NULL;
+
+ error = (*a->context->func->create_new_ccache)(a->context,
+ cc_credentials_v5,
+ name,
+ &a->ccache);
+ krb5_xfree(name);
+ if (error)
+ return NULL;
+
+ error = get_cc_name(a);
+ if (error)
+ return NULL;
}
- strlcpy(n, name, sizeof(n));
- free(name);
- return n;
+
+ return a->cache_name;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_alloc(krb5_context context, krb5_ccache *id)
{
krb5_error_code ret;
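Review bot: In `acc_get_name`, when `get_cc_name(a)` fails after `create_new_ccache` has succeeded, the function returns NULL but leaves `a->ccache` set while `a->cache_name` is still NULL, so the next call takes the same branch, creates another cache and overwrites the handle without releasing the first. Release and clear it on that path, `(*a->ccache->func->release)(a->ccache); a->ccache = NULL;` before the `return NULL;`. A name getter that creates a credential cache for the default local principal as a side effect also deserves a comment above the `if (a->cache_name == NULL)` block, and none of the NULL returns leaves an error message on `context` for the caller to report.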
@@ -433,10 +503,10 @@ acc_alloc(krb5_context context, krb5_ccache *id)
ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
if (ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
-
+
a = ACACHE(*id);
error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
@@ -450,7 +520,7 @@ acc_alloc(krb5_context context, krb5_ccache *id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
{
krb5_error_code ret;
@@ -463,20 +533,25 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
a = ACACHE(*id);
- error = (*a->context->func->open_ccache)(a->context, res,
- &a->ccache);
- if (error == 0) {
- a->cache_name = get_cc_name(a->ccache);
- if (a->cache_name == NULL) {
+ error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
+ if (error == ccNoError) {
+ cc_time_t offset;
+ error = get_cc_name(a);
+ if (error != ccNoError) {
acc_close(context, *id);
*id = NULL;
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ return translate_cc_error(context, error);
}
+
+ error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
+ cc_credentials_v5,
+ &offset);
+ if (error == 0)
+ context->kdc_sec_offset = offset;
+
} else if (error == ccErrCCacheNotFound) {
a->ccache = NULL;
a->cache_name = NULL;
- error = 0;
} else {
*id = NULL;
return translate_cc_error(context, error);
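Review bot: The value returned by `get_kdc_time_offset` is written to `context->kdc_sec_offset` without any check, so resolving a cache silently replaces whatever offset the context already carried with one stored by whoever last wrote that cache. If the offset is later applied to timestamp validation (not visible here), it is worth bounding it against the permitted clock skew, or at least documenting the trust placed in the cache with a comment above the call such as `/* adopt the KDC offset saved with the cache; overrides any offset already set on this context */`. The block also mixes `error == ccNoError` and `error == 0` for the same test. acc_resolve starts before the hunk.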
@@ -485,7 +560,7 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_error_code ret;
@@ -503,7 +578,7 @@ acc_gen_new(krb5_context context, krb5_ccache *id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
@@ -517,16 +592,47 @@ acc_initialize(krb5_context context,
if (ret)
return ret;
- error = (*a->context->func->create_new_ccache)(a->context,
- cc_credentials_v5,
- name,
- &a->ccache);
- free(name);
+ if (a->cache_name == NULL) {
+ error = (*a->context->func->create_new_ccache)(a->context,
+ cc_credentials_v5,
+ name,
+ &a->ccache);
+ free(name);
+ if (error == ccNoError)
+ error = get_cc_name(a);
+ } else {
+ cc_credentials_iterator_t iter;
+ cc_credentials_t ccred;
+
+ error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
+ if (error) {
+ free(name);
+ return translate_cc_error(context, error);
+ }
+
+ while (1) {
+ error = (*iter->func->next)(iter, &ccred);
+ if (error)
+ break;
+ (*a->ccache->func->remove_credentials)(a->ccache, ccred);
+ (*ccred->func->release)(ccred);
+ }
+ (*iter->func->release)(iter);
+
+ error = (*a->ccache->func->set_principal)(a->ccache,
+ cc_credentials_v5,
+ name);
+ }
+
+ if (error == 0 && context->kdc_sec_offset)
+ error = (*a->ccache->func->set_kdc_time_offset)(a->ccache,
+ cc_credentials_v5,
+ context->kdc_sec_offset);
return translate_cc_error(context, error);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_close(krb5_context context,
krb5_ccache id)
{
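Review bot: In the new `else` branch `name` is freed only when `new_credentials_iterator` fails; after `set_principal` returns it is never released, whereas the `create_new_ccache` branch frees it, so every re-initialisation of an already named cache leaks the unparsed principal. Add `free(name);` directly after the `set_principal` call. The purge loop also treats any error from `next` as end-of-list and discards the result of `remove_credentials`, so tickets of the previous principal can remain in the cache once it is relabelled; checking for the iterator-end code and returning other errors before `set_principal` would close that gap. The function begins before the hunk.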
@@ -540,13 +646,15 @@ acc_close(krb5_context context,
free(a->cache_name);
a->cache_name = NULL;
}
- (*a->context->func->release)(a->context);
- a->context = NULL;
+ if (a->context) {
+ (*a->context->func->release)(a->context);
+ a->context = NULL;
+ }
krb5_data_free(&id->data);
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_destroy(krb5_context context,
krb5_ccache id)
{
@@ -564,7 +672,7 @@ acc_destroy(krb5_context context,
return translate_cc_error(context, error);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
@@ -574,16 +682,17 @@ acc_store_cred(krb5_context context,
cc_credentials_v5_t v5cred;
krb5_error_code ret;
cc_int32 error;
-
+
if (a->ccache == NULL) {
- krb5_set_error_string(context, "No API credential found");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
return KRB5_CC_NOTFOUND;
}
cred.version = cc_credentials_v5;
cred.credentials.credentials_v5 = &v5cred;
- ret = make_ccred_from_cred(context,
+ ret = make_ccred_from_cred(context,
creds,
&v5cred);
if (ret)
@@ -598,7 +707,7 @@ acc_store_cred(krb5_context context,
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
@@ -609,7 +718,8 @@ acc_get_principal(krb5_context context,
cc_string_t name;
if (a->ccache == NULL) {
- krb5_set_error_string(context, "No API credential found");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
return KRB5_CC_NOTFOUND;
}
@@ -618,14 +728,14 @@ acc_get_principal(krb5_context context,
&name);
if (error)
return translate_cc_error(context, error);
-
+
ret = krb5_parse_name(context, name->data, principal);
-
+
(*name->func->release)(name);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_get_first (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -633,15 +743,16 @@ acc_get_first (krb5_context context,
cc_credentials_iterator_t iter;
krb5_acc *a = ACACHE(id);
int32_t error;
-
+
if (a->ccache == NULL) {
- krb5_set_error_string(context, "No API credential found");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
return KRB5_CC_NOTFOUND;
}
error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
if (error) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOENT;
}
*cursor = iter;
@@ -649,7 +760,7 @@ acc_get_first (krb5_context context,
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_get_next (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor,
@@ -669,14 +780,14 @@ acc_get_next (krb5_context context,
(*cred->func->release)(cred);
}
- ret = make_cred_from_ccred(context,
+ ret = make_cred_from_ccred(context,
cred->data->credentials.credentials_v5,
creds);
(*cred->func->release)(cred);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -686,7 +797,7 @@ acc_end_get (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
@@ -698,9 +809,10 @@ acc_remove_cred(krb5_context context,
krb5_error_code ret;
cc_int32 error;
char *client, *server;
-
+
if (a->ccache == NULL) {
- krb5_set_error_string(context, "No API credential found");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
return KRB5_CC_NOTFOUND;
}
@@ -752,15 +864,16 @@ acc_remove_cred(krb5_context context,
(*iter->func->release)(iter);
if (ret)
- krb5_set_error_string(context, "Can't find credential %s in cache",
- server);
+ krb5_set_error_message(context, ret,
+ N_("Can't find credential %s in cache",
+ "principal"), server);
free(server);
free(client);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
@@ -768,19 +881,19 @@ acc_set_flags(krb5_context context,
return 0;
}
-static krb5_error_code
+static int KRB5_CALLCONV
acc_get_version(krb5_context context,
krb5_ccache id)
{
return 0;
}
-
+
struct cache_iter {
cc_context_t context;
cc_ccache_iterator_t iter;
};
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
struct cache_iter *iter;
@@ -793,7 +906,7 @@ acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
iter = calloc(1, sizeof(*iter));
if (iter == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
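Review bot: The replacement message at the `iter == NULL` check is passed as a bare literal, while the other converted calls in this file wrap their text in `N_()`, so this string is presumably not marked for translation like the rest. Use `krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));` to match the form used in `acc_get_default_name`.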
@@ -807,14 +920,14 @@ acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
&iter->iter);
if (error) {
free(iter);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOENT;
}
*cursor = iter;
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct cache_iter *iter = cursor;
@@ -843,17 +956,16 @@ acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
a = ACACHE(*id);
a->ccache = cache;
- a->cache_name = get_cc_name(a->ccache);
- if (a->cache_name == NULL) {
+ error = get_cc_name(a);
+ if (error) {
acc_close(context, *id);
*id = NULL;
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
+ return translate_cc_error(context, error);
+ }
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
{
struct cache_iter *iter = cursor;
@@ -866,7 +978,7 @@ acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_acc *afrom = ACACHE(from);
@@ -881,7 +993,7 @@ acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
&name);
if (error)
return translate_cc_error(context, error);
-
+
error = (*ato->context->func->create_new_ccache)(ato->context,
cc_credentials_v5,
name->data,
@@ -891,13 +1003,15 @@ acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
return translate_cc_error(context, error);
}
-
error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
+
+ acc_destroy(context, from);
+
return translate_cc_error(context, error);
}
-static krb5_error_code
-acc_default_name(krb5_context context, char **str)
+static krb5_error_code KRB5_CALLCONV
+acc_get_default_name(krb5_context context, char **str)
{
krb5_error_code ret;
cc_context_t cc;
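Review bot: `acc_destroy(context, from)` runs regardless of the result of `move`, so a failed move still destroys the source cache and the credentials may end up in neither place. Make it conditional, `if (error == ccNoError) acc_destroy(context, from);`. The return value of `acc_destroy` is also dropped, which hides the case where the source cache could not be removed. acc_move starts before the hunk.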
@@ -917,18 +1031,58 @@ acc_default_name(krb5_context context, char **str)
(*cc->func->release)(cc);
return translate_cc_error(context, error);
}
-
- asprintf(str, "API:%s", name->data);
+
+ error = asprintf(str, "API:%s", name->data);
(*name->func->release)(name);
(*cc->func->release)(cc);
- if (*str == NULL) {
- krb5_set_error_string(context, "out of memory");
+ if (error < 0 || *str == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
+static krb5_error_code KRB5_CALLCONV
+acc_set_default(krb5_context context, krb5_ccache id)
+{
+ krb5_acc *a = ACACHE(id);
+ cc_int32 error;
+
+ if (a->ccache == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
+ return KRB5_CC_NOTFOUND;
+ }
+
+ error = (*a->ccache->func->set_default)(a->ccache);
+ if (error)
+ return translate_cc_error(context, error);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
+ krb5_acc *a = ACACHE(id);
+ cc_int32 error;
+ cc_time_t t;
+
+ if (a->ccache == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("No API credential found", ""));
+ return KRB5_CC_NOTFOUND;
+ }
+
+ error = (*a->ccache->func->get_change_time)(a->ccache, &t);
+ if (error)
+ return translate_cc_error(context, error);
+
+ *mtime = t;
+
+ return 0;
+}
/**
* Variable containing the API based credential cache implemention.
@@ -936,7 +1090,8 @@ acc_default_name(krb5_context context, char **str)
* @ingroup krb5_ccache
*/
-const krb5_cc_ops krb5_acc_ops = {
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
+ KRB5_CC_OPS_VERSION,
"API",
acc_get_name,
acc_resolve,
@@ -957,5 +1112,11 @@ const krb5_cc_ops krb5_acc_ops = {
acc_get_cache_next,
acc_end_cache_get,
acc_move,
- acc_default_name
+ acc_get_default_name,
+ acc_set_default,
+ acc_lastchange,
+ NULL,
+ NULL,
};
+
+#endif
diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c
index cab68367f80a..c94aae361b8e 100644
--- a/crypto/heimdal/lib/krb5/acl.c
+++ b/crypto/heimdal/lib/krb5/acl.c
@@ -1,23 +1,23 @@
/*
- * Copyright (c) 2000 - 2002, 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2002, 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- *
+ *
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
- *
+ *
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- *
+ *
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -34,8 +34,6 @@
#include "krb5_locl.h"
#include <fnmatch.h>
-RCSID("$Id: acl.c 22119 2007-12-03 22:02:48Z lha $");
-
struct acl_field {
enum { acl_string, acl_fnmatch, acl_retval } type;
union {
@@ -83,7 +81,8 @@ acl_parse_format(krb5_context context,
for(p = format; *p != '\0'; p++) {
tmp = malloc(sizeof(*tmp));
if(tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
acl_free_list(acl, 0);
return ENOMEM;
}
@@ -98,8 +97,9 @@ acl_parse_format(krb5_context context,
tmp->u.retv = va_arg(ap, char **);
*tmp->u.retv = NULL;
} else {
- krb5_set_error_string(context, "acl_parse_format: "
- "unknown format specifier %c", *p);
+ krb5_set_error_message(context, EINVAL,
+ N_("Unknown format specifier %c while "
+ "parsing ACL", "specifier"), *p);
acl_free_list(acl, 0);
free(tmp);
return EINVAL;
@@ -180,7 +180,7 @@ acl_match_acl(krb5_context context,
*
* @code
* char *s;
- *
+ *
* ret = krb5_acl_match_string(context, "foo", "s", "foo");
* if (ret)
* krb5_errx(context, 1, "acl didn't match");
@@ -198,7 +198,7 @@ acl_match_acl(krb5_context context,
* @ingroup krb5_support
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_acl_match_string(krb5_context context,
const char *string,
const char *format,
@@ -220,11 +220,11 @@ krb5_acl_match_string(krb5_context context,
if (found) {
return 0;
} else {
- krb5_set_error_string(context, "ACL did not match");
+ krb5_set_error_message(context, EACCES, N_("ACL did not match", ""));
return EACCES;
}
}
-
+
/**
* krb5_acl_match_file matches ACL format against each line in a file
* using krb5_acl_match_string(). Lines starting with # are treated
@@ -241,7 +241,7 @@ krb5_acl_match_string(krb5_context context,
* @ingroup krb5_support
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_acl_match_file(krb5_context context,
const char *file,
const char *format,
@@ -257,11 +257,13 @@ krb5_acl_match_file(krb5_context context,
f = fopen(file, "r");
if(f == NULL) {
int save_errno = errno;
-
- krb5_set_error_string(context, "open(%s): %s", file,
- strerror(save_errno));
+ rk_strerror_r(save_errno, buf, sizeof(buf));
+ krb5_set_error_message(context, save_errno,
+ N_("open(%s): %s", "file, errno"),
+ file, buf);
return save_errno;
}
+ rk_cloexec_file(f);
va_start(ap, format);
ret = acl_parse_format(context, &acl, format, ap);
@@ -287,7 +289,7 @@ krb5_acl_match_file(krb5_context context,
if (found) {
return 0;
} else {
- krb5_set_error_string(context, "ACL did not match");
+ krb5_set_error_message(context, EACCES, N_("ACL did not match", ""));
return EACCES;
}
}
diff --git a/crypto/heimdal/lib/krb5/add_et_list.c b/crypto/heimdal/lib/krb5/add_et_list.c
index a6005c685903..082014e107a7 100644
--- a/crypto/heimdal/lib/krb5/add_et_list.c
+++ b/crypto/heimdal/lib/krb5/add_et_list.c
@@ -1,47 +1,53 @@
/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: add_et_list.c 13713 2004-04-13 14:33:45Z lha $");
-
-/*
+/**
* Add a specified list of error messages to the et list in context.
* Call func (probably a comerr-generated function) with a pointer to
* the current et_list.
+ *
+ * @param context A kerberos context.
+ * @param func The generated com_err et function.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_et_list (krb5_context context,
void (*func)(struct et_list **))
{
diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c
index f364f5974d47..5d321a7e917d 100644
--- a/crypto/heimdal/lib/krb5/addr_families.c
+++ b/crypto/heimdal/lib/krb5/addr_families.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: addr_families.c 22039 2007-11-10 11:47:35Z lha $");
-
struct addr_operations {
int af;
krb5_address_type atype;
@@ -46,14 +44,15 @@ struct addr_operations {
void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int);
krb5_error_code (*h_addr2addr)(const char *, krb5_address *);
krb5_boolean (*uninteresting)(const struct sockaddr *);
+ krb5_boolean (*is_loopback)(const struct sockaddr *);
void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int);
int (*print_addr)(const krb5_address *, char *, size_t);
int (*parse_addr)(krb5_context, const char*, krb5_address *);
int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*);
int (*free_addr)(krb5_context, krb5_address*);
int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*);
- int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long,
- krb5_address*, krb5_address*);
+ int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long,
+ krb5_address*, krb5_address*);
};
/*
@@ -138,6 +137,17 @@ ipv4_uninteresting (const struct sockaddr *sa)
return FALSE;
}
+static krb5_boolean
+ipv4_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
+
+ if ((ntohl(sin4->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET)
+ return TRUE;
+
+ return FALSE;
+}
+
static void
ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
@@ -177,16 +187,8 @@ ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr)
return -1;
} else
p = address;
-#ifdef HAVE_INET_ATON
if(inet_aton(p, &a) == 0)
return -1;
-#elif defined(HAVE_INET_ADDR)
- a.s_addr = inet_addr(p);
- if(a.s_addr == INADDR_NONE)
- return -1;
-#else
- return -1;
-#endif
addr->addr_type = KRB5_ADDRESS_INET;
if(krb5_data_alloc(&addr->address, 4) != 0)
return -1;
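Review bot: With the fallbacks removed, `inet_aton()` is the only parser on this path, and it accepts more than dotted-quad notation: one- to three-part forms, hexadecimal and octal components, and on some C libraries trailing text after whitespace. Where the parsed address feeds an access decision or is compared with a canonical string, several spellings of one address or a lax match can surprise the caller; `if (inet_pton(AF_INET, p, &a) != 1) return -1;` accepts only dotted decimal. If the permissive forms are relied on, say so in a comment above the call. ipv4_parse_addr begins before the hunk.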
@@ -202,7 +204,8 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
uint32_t l, h, m = 0xffffffff;
if (len > 32) {
- krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len);
+ krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("IPv4 prefix too large (%ld)", "len"), len);
return KRB5_PROG_ATYPE_NOSUPP;
}
m = m << (32 - len);
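Review bot: The guard only rejects `len > 32`, so `len == 0` reaches `m = m << (32 - len);` and shifts a 32-bit value by 32, which is undefined behaviour in C; a /0 prefix then yields an unpredictable mask rather than one that matches everything. Handle it explicitly, `m = len ? m << (32 - len) : 0;`. The `%ld` in the new message is paired with `len`, which the `mask_boundary` slot declares as `unsigned long`, so `%lu` is the matching conversion; the same applies to the "IPv6 prefix too large" message in the ipv6_mask_boundary hunk. The function continues past this hunk.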
@@ -310,7 +313,7 @@ ipv6_h_addr2addr (const char *addr,
}
/*
- *
+ *
*/
static krb5_boolean
@@ -318,12 +321,20 @@ ipv6_uninteresting (const struct sockaddr *sa)
{
const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
-
- return
- IN6_IS_ADDR_LINKLOCAL(in6)
+
+ return IN6_IS_ADDR_LINKLOCAL(in6)
|| IN6_IS_ADDR_V4COMPAT(in6);
}
+static krb5_boolean
+ipv6_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+ const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
+
+ return (IN6_IS_ADDR_LOOPBACK(in6));
+}
+
static void
ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
@@ -340,12 +351,10 @@ static int
ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
{
char buf[128], buf2[3];
-#ifdef HAVE_INET_NTOP
if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
-#endif
{
/* XXX this is pretty ugly, but better than abort() */
- int i;
+ size_t i;
unsigned char *p = addr->address.data;
buf[0] = '\0';
for(i = 0; i < addr->address.length; i++) {
@@ -395,12 +404,14 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
int i, sub_len;
if (len > 128) {
- krb5_set_error_string(context, "IPv6 prefix too large (%ld)", len);
+ krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("IPv6 prefix too large (%ld)", "length"), len);
return KRB5_PROG_ATYPE_NOSUPP;
}
if (inaddr->address.length != sizeof(addr)) {
- krb5_set_error_string(context, "IPv6 addr bad length");
+ krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("IPv6 addr bad length", ""));
return KRB5_PROG_ATYPE_NOSUPP;
}
@@ -410,7 +421,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
sub_len = min(8, len);
m = 0xff << (8 - sub_len);
-
+
laddr.s6_addr[i] = addr.s6_addr[i] & m;
haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m;
@@ -437,6 +448,8 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
#endif /* IPv6 */
+#ifndef HEIMDAL_SMALLER
+
/*
* table
*/
@@ -449,17 +462,17 @@ struct arange {
};
static int
-arange_parse_addr (krb5_context context,
+arange_parse_addr (krb5_context context,
const char *address, krb5_address *addr)
{
char buf[1024], *p;
krb5_address low0, high0;
struct arange *a;
krb5_error_code ret;
-
+
if(strncasecmp(address, "RANGE:", 6) != 0)
return -1;
-
+
address += 6;
p = strrchr(address, '/');
@@ -478,7 +491,7 @@ arange_parse_addr (krb5_context context,
krb5_free_addresses(context, &addrmask);
return -1;
}
-
+
address += p - address + 1;
num = strtol(address, &q, 10);
@@ -495,7 +508,7 @@ arange_parse_addr (krb5_context context,
} else {
krb5_addresses low, high;
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &low);
if(ret)
@@ -504,14 +517,14 @@ arange_parse_addr (krb5_context context,
krb5_free_addresses(context, &low);
return -1;
}
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &high);
if(ret) {
krb5_free_addresses(context, &low);
return ret;
}
-
+
if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
krb5_free_addresses(context, &low);
krb5_free_addresses(context, &high);
@@ -557,7 +570,7 @@ arange_free (krb5_context context, krb5_address *addr)
static int
-arange_copy (krb5_context context, const krb5_address *inaddr,
+arange_copy (krb5_context context, const krb5_address *inaddr,
krb5_address *outaddr)
{
krb5_error_code ret;
@@ -597,7 +610,7 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len)
if (l > len)
l = len;
size = l;
-
+
ret = krb5_print_address (&a->low, str + size, len - size, &l);
if (ret)
return ret;
@@ -623,8 +636,8 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len)
}
static int
-arange_order_addr(krb5_context context,
- const krb5_address *addr1,
+arange_order_addr(krb5_context context,
+ const krb5_address *addr1,
const krb5_address *addr2)
{
int tmp1, tmp2, sign;
@@ -639,9 +652,11 @@ arange_order_addr(krb5_context context,
a = addr2->address.data;
a2 = addr1;
sign = -1;
- } else
+ } else {
abort();
-
+ UNREACHABLE(return 0);
+ }
+
if(a2->addr_type == KRB5_ADDRESS_ARANGE) {
struct arange *b = a2->address.data;
tmp1 = krb5_address_order(context, &a->low, &b->low);
@@ -661,6 +676,8 @@ arange_order_addr(krb5_context context,
}
}
+#endif /* HEIMDAL_SMALLER */
+
static int
addrport_print_addr (const krb5_address *addr, char *str, size_t len)
{
@@ -671,6 +688,9 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
krb5_storage *sp;
sp = krb5_storage_from_data((krb5_data*)rk_UNCONST(&addr->address));
+ if (sp == NULL)
+ return ENOMEM;
+
/* for totally obscure reasons, these are not in network byteorder */
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
@@ -709,32 +729,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
}
static struct addr_operations at[] = {
- {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
- ipv4_sockaddr2addr,
- ipv4_sockaddr2port,
- ipv4_addr2sockaddr,
- ipv4_h_addr2sockaddr,
- ipv4_h_addr2addr,
- ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr,
- NULL, NULL, NULL, ipv4_mask_boundary },
+ {
+ AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+ ipv4_sockaddr2addr,
+ ipv4_sockaddr2port,
+ ipv4_addr2sockaddr,
+ ipv4_h_addr2sockaddr,
+ ipv4_h_addr2addr,
+ ipv4_uninteresting,
+ ipv4_is_loopback,
+ ipv4_anyaddr,
+ ipv4_print_addr,
+ ipv4_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv4_mask_boundary
+ },
#ifdef HAVE_IPV6
- {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
- ipv6_sockaddr2addr,
- ipv6_sockaddr2port,
- ipv6_addr2sockaddr,
- ipv6_h_addr2sockaddr,
- ipv6_h_addr2addr,
- ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr,
- NULL, NULL, NULL, ipv6_mask_boundary } ,
+ {
+ AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+ ipv6_sockaddr2addr,
+ ipv6_sockaddr2port,
+ ipv6_addr2sockaddr,
+ ipv6_h_addr2sockaddr,
+ ipv6_h_addr2addr,
+ ipv6_uninteresting,
+ ipv6_is_loopback,
+ ipv6_anyaddr,
+ ipv6_print_addr,
+ ipv6_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv6_mask_boundary
+ } ,
#endif
- {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
- NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL },
+#ifndef HEIMDAL_SMALLER
/* fake address type */
- {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
- NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- arange_print_addr, arange_parse_addr,
- arange_order_addr, arange_free, arange_copy }
+ {
+ KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ arange_print_addr,
+ arange_parse_addr,
+ arange_order_addr,
+ arange_free,
+ arange_copy,
+ NULL
+ },
+#endif
+ {
+ KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ addrport_print_addr,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ }
};
static int num_addrs = sizeof(at) / sizeof(at[0]);
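Review bot: The `at[]` entries are still initialised positionally, so adding `is_loopback` in the middle of the struct meant re-counting the `NULL` slots of every entry by hand. A miscount would bind a handler to the wrong operation, and where neighbouring members have compatible signatures the compiler would not complain. The ADDRPORT entry already lists one initializer fewer than the others and relies on implicit zero-initialisation of the last member. Designated initializers would make each entry self-describing, e.g. `.print_addr = addrport_print_addr` for ADDRPORT, with unlisted members defaulting to NULL. The struct definition is outside this hunk, so the member names should be checked against it.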
@@ -757,7 +823,7 @@ find_af(int af)
}
static struct addr_operations *
-find_atype(int atype)
+find_atype(krb5_address_type atype)
{
struct addr_operations *a;
@@ -769,7 +835,7 @@ find_atype(int atype)
/**
* krb5_sockaddr2address stores a address a "struct sockaddr" sa in
- * the krb5_address addr.
+ * the krb5_address addr.
*
* @param context a Keberos context
* @param sa a struct sockaddr to extract the address from
@@ -780,14 +846,15 @@ find_atype(int atype)
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2address (krb5_context context,
const struct sockaddr *sa, krb5_address *addr)
{
struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported",
- sa->sa_family);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""),
+ sa->sa_family);
return KRB5_PROG_ATYPE_NOSUPP;
}
return (*a->sockaddr2addr)(sa, addr);
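Review bot: `(*a->sockaddr2addr)(sa, addr)` is called after checking only `a == NULL`, yet the `at[]` entries for KRB5_ADDRESS_ARANGE and KRB5_ADDRESS_ADDRPORT leave that member NULL. If find_af can ever return one of those entries for a caller-supplied family (its matching logic is not visible here), this is a call through a NULL function pointer. krb5_addr2sockaddr already tests `a->addr2sockaddr == NULL` before dispatching, and the same guard fits here: `if (a == NULL || a->sockaddr2addr == NULL) {`. The same pattern appears in the hunks for krb5_sockaddr2port, krb5_h_addr2sockaddr and krb5_h_addr2addr. The function's closing brace is outside this hunk.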
@@ -807,14 +874,15 @@ krb5_sockaddr2address (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2port (krb5_context context,
const struct sockaddr *sa, int16_t *port)
{
struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported",
- sa->sa_family);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""),
+ sa->sa_family);
return KRB5_PROG_ATYPE_NOSUPP;
}
return (*a->sockaddr2port)(sa, port);
@@ -841,7 +909,7 @@ krb5_sockaddr2port (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addr2sockaddr (krb5_context context,
const krb5_address *addr,
struct sockaddr *sa,
@@ -851,14 +919,17 @@ krb5_addr2sockaddr (krb5_context context,
struct addr_operations *a = find_atype(addr->addr_type);
if (a == NULL) {
- krb5_set_error_string (context, "Address type %d not supported",
- addr->addr_type);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address type %d not supported",
+ "krb5_address type"),
+ addr->addr_type);
return KRB5_PROG_ATYPE_NOSUPP;
}
if (a->addr2sockaddr == NULL) {
- krb5_set_error_string (context,
- "Can't convert address type %d to sockaddr",
- addr->addr_type);
+ krb5_set_error_message (context,
+ KRB5_PROG_ATYPE_NOSUPP,
+ N_("Can't convert address type %d to sockaddr", ""),
+ addr->addr_type);
return KRB5_PROG_ATYPE_NOSUPP;
}
(*a->addr2sockaddr)(addr, sa, sa_size, port);
@@ -874,7 +945,7 @@ krb5_addr2sockaddr (krb5_context context,
* @ingroup krb5_address
*/
-size_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_max_sockaddr_size (void)
{
if (max_sockaddr_size == 0) {
@@ -898,7 +969,7 @@ krb5_max_sockaddr_size (void)
* @ingroup krb5_address
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
{
struct addr_operations *a = find_af(sa->sa_family);
@@ -907,6 +978,15 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
return (*a->uninteresting)(sa);
}
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_sockaddr_is_loopback(const struct sockaddr *sa)
+{
+ struct addr_operations *a = find_af(sa->sa_family);
+ if (a == NULL || a->is_loopback == NULL)
+ return TRUE;
+ return (*a->is_loopback)(sa);
+}
+
/**
* krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
* the "struct hostent" (see gethostbyname(3) ) h_addr_list
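Review bot: krb5_sockaddr_is_loopback is added without the Doxygen block that the neighbouring exported functions carry, and its fallback is not obvious: it returns TRUE when the address family is unknown or has no `is_loopback` handler. A caller that uses the result to skip addresses will drop every unsupported family, while a caller that uses it to decide a peer is local would accept them; which use is intended cannot be told from this hunk. A comment block giving the `sa` parameter, the return value, the fact that unknown families are reported as loopback, and `@ingroup krb5_address` would make the contract explicit.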
@@ -926,7 +1006,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_addr2sockaddr (krb5_context context,
int af,
const char *addr, struct sockaddr *sa,
@@ -935,7 +1015,8 @@ krb5_h_addr2sockaddr (krb5_context context,
{
struct addr_operations *a = find_af(af);
if (a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported", af);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ "Address family %d not supported", af);
return KRB5_PROG_ATYPE_NOSUPP;
}
(*a->h_addr2sockaddr)(addr, sa, sa_size, port);
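Review bot: The converted call in krb5_h_addr2sockaddr passes the bare string `"Address family %d not supported"`, whereas the other converted calls with the same text in this file wrap it in `N_()`. This one message would therefore be skipped by whatever extracts the `N_()` strings for translation. For consistency the argument should read `N_("Address family %d not supported", ""), af);`.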
@@ -956,14 +1037,15 @@ krb5_h_addr2sockaddr (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_addr2addr (krb5_context context,
int af,
const char *haddr, krb5_address *addr)
{
struct addr_operations *a = find_af(af);
if (a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported", af);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""), af);
return KRB5_PROG_ATYPE_NOSUPP;
}
return (*a->h_addr2addr)(haddr, addr);
@@ -986,7 +1068,7 @@ krb5_h_addr2addr (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_anyaddr (krb5_context context,
int af,
struct sockaddr *sa,
@@ -996,7 +1078,8 @@ krb5_anyaddr (krb5_context context,
struct addr_operations *a = find_af (af);
if (a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported", af);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""), af);
return KRB5_PROG_ATYPE_NOSUPP;
}
@@ -1020,8 +1103,8 @@ krb5_anyaddr (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_print_address (const krb5_address *addr,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_print_address (const krb5_address *addr,
char *str, size_t len, size_t *ret_len)
{
struct addr_operations *a = find_atype(addr->addr_type);
@@ -1030,17 +1113,17 @@ krb5_print_address (const krb5_address *addr,
if (a == NULL || a->print_addr == NULL) {
char *s;
int l;
- int i;
+ size_t i;
s = str;
l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
s += l;
len -= l;
for(i = 0; i < addr->address.length; i++) {
l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
len -= l;
s += l;
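Review bot: The fallback hex dump formats `((char*)addr->address.data)[i]` with `%02x`. Where `char` is signed, a byte of 0x80 or above is promoted to a negative int and printed as eight hex digits (`ffffff80`) instead of two, which garbles the output and uses up the caller's buffer far faster than expected. The commit fixes the signed/unsigned comparison on `l` but leaves this cast; it should be `((unsigned char*)addr->address.data)[i]`. The function body continues outside the hunk.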
@@ -1070,7 +1153,7 @@ krb5_print_address (const krb5_address *addr,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_address(krb5_context context,
const char *string,
krb5_addresses *addresses)
@@ -1089,7 +1172,8 @@ krb5_parse_address(krb5_context context,
if((*at[i].parse_addr)(context, string, &addr) == 0) {
ALLOC_SEQ(addresses, 1);
if (addresses->val == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
addresses->val[0] = addr;
@@ -1100,18 +1184,22 @@ krb5_parse_address(krb5_context context,
error = getaddrinfo (string, NULL, NULL, &ai);
if (error) {
+ krb5_error_code ret2;
save_errno = errno;
- krb5_set_error_string (context, "%s: %s", string, gai_strerror(error));
- return krb5_eai_to_heim_errno(error, save_errno);
+ ret2 = krb5_eai_to_heim_errno(error, save_errno);
+ krb5_set_error_message (context, ret2, "%s: %s",
+ string, gai_strerror(error));
+ return ret2;
}
-
+
n = 0;
for (a = ai; a != NULL; a = a->ai_next)
++n;
ALLOC_SEQ(addresses, n);
if (addresses->val == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
freeaddrinfo(ai);
return ENOMEM;
}
@@ -1120,10 +1208,12 @@ krb5_parse_address(krb5_context context,
for (a = ai, i = 0; a != NULL; a = a->ai_next) {
if (krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i]))
continue;
- if(krb5_address_search(context, &addresses->val[i], addresses))
+ if(krb5_address_search(context, &addresses->val[i], addresses)) {
+ krb5_free_address(context, &addresses->val[i]);
continue;
- addresses->len = i;
+ }
i++;
+ addresses->len = i;
}
freeaddrinfo (ai);
return 0;
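Review bot: The loop walks the getaddrinfo results with `a`, but the conversion call passes `ai->ai_addr`, the head of the list, so every iteration converts the first result again and later results are never stored. Together with the duplicate check that follows, a name resolving to several addresses would yield at most one. The call should be `krb5_sockaddr2address (context, a->ai_addr, &addresses->val[i])`. Separately, the first `krb5_address_search` runs before `addresses->len` is assigned in this hunk; whether it is reset after `ALLOC_SEQ` in the lines between the hunks is not visible here and is worth confirming.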
@@ -1132,7 +1222,7 @@ krb5_parse_address(krb5_context context,
/**
* krb5_address_order compares the addresses addr1 and addr2 so that
* it can be used for sorting addresses. If the addresses are the same
- * address krb5_address_order will return 0. Behavies like memcmp(2).
+ * address krb5_address_order will return 0. Behavies like memcmp(2).
*
* @param context a Keberos context
* @param addr1 krb5_address to compare
@@ -1144,7 +1234,7 @@ krb5_parse_address(krb5_context context,
* @ingroup krb5_address
*/
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_address_order(krb5_context context,
const krb5_address *addr1,
const krb5_address *addr2)
@@ -1152,21 +1242,23 @@ krb5_address_order(krb5_context context,
/* this sucks; what if both addresses have order functions, which
should we call? this works for now, though */
struct addr_operations *a;
- a = find_atype(addr1->addr_type);
+ a = find_atype(addr1->addr_type);
if(a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported",
- addr1->addr_type);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""),
+ addr1->addr_type);
return KRB5_PROG_ATYPE_NOSUPP;
}
- if(a->order_addr != NULL)
- return (*a->order_addr)(context, addr1, addr2);
- a = find_atype(addr2->addr_type);
+ if(a->order_addr != NULL)
+ return (*a->order_addr)(context, addr1, addr2);
+ a = find_atype(addr2->addr_type);
if(a == NULL) {
- krb5_set_error_string (context, "Address family %d not supported",
- addr2->addr_type);
+ krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d not supported", ""),
+ addr2->addr_type);
return KRB5_PROG_ATYPE_NOSUPP;
}
- if(a->order_addr != NULL)
+ if(a->order_addr != NULL)
return (*a->order_addr)(context, addr1, addr2);
if(addr1->addr_type != addr2->addr_type)
@@ -1191,7 +1283,7 @@ krb5_address_order(krb5_context context,
* @ingroup krb5_address
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_address_compare(krb5_context context,
const krb5_address *addr1,
const krb5_address *addr2)
@@ -1212,12 +1304,12 @@ krb5_address_compare(krb5_context context,
* @ingroup krb5_address
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_address_search(krb5_context context,
const krb5_address *addr,
const krb5_addresses *addrlist)
{
- int i;
+ size_t i;
for (i = 0; i < addrlist->len; ++i)
if (krb5_address_compare (context, addr, &addrlist->val[i]))
@@ -1237,7 +1329,7 @@ krb5_address_search(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_address(krb5_context context,
krb5_address *address)
{
@@ -1261,11 +1353,11 @@ krb5_free_address(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_addresses(krb5_context context,
krb5_addresses *addresses)
{
- int i;
+ size_t i;
for(i = 0; i < addresses->len; i++)
krb5_free_address(context, &addresses->val[i]);
free(addresses->val);
@@ -1287,7 +1379,7 @@ krb5_free_addresses(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_address(krb5_context context,
const krb5_address *inaddr,
krb5_address *outaddr)
@@ -1311,12 +1403,12 @@ krb5_copy_address(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_addresses(krb5_context context,
const krb5_addresses *inaddr,
krb5_addresses *outaddr)
{
- int i;
+ size_t i;
ALLOC_SEQ(outaddr, inaddr->len);
if(inaddr->len > 0 && outaddr->val == NULL)
return ENOMEM;
@@ -1338,18 +1430,19 @@ krb5_copy_addresses(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_append_addresses(krb5_context context,
krb5_addresses *dest,
const krb5_addresses *source)
{
krb5_address *tmp;
krb5_error_code ret;
- int i;
+ size_t i;
if(source->len > 0) {
tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
if(tmp == NULL) {
- krb5_set_error_string(context, "realloc: out of memory");
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
dest->val = tmp;
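Review bot: The size passed to `realloc`, `(dest->len + source->len) * sizeof(*tmp)`, is computed with no overflow check. If the two lengths can be large (their type is not visible in this hunk), the sum or the product can wrap, and the copy loop that follows would then write past a short allocation. Widening and bounding the count before the call avoids this: `size_t n = (size_t)dest->len + source->len;` followed by `if (n < dest->len || n > SIZE_MAX / sizeof(*tmp)) return ENOMEM;`, then `realloc(dest->val, n * sizeof(*tmp))`. The rest of the function is outside this hunk.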
@@ -1357,8 +1450,8 @@ krb5_append_addresses(krb5_context context,
/* skip duplicates */
if(krb5_address_search(context, &source->val[i], dest))
continue;
- ret = krb5_copy_address(context,
- &source->val[i],
+ ret = krb5_copy_address(context,
+ &source->val[i],
&dest->val[dest->len]);
if(ret)
return ret;
@@ -1381,7 +1474,7 @@ krb5_append_addresses(krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_make_addrport (krb5_context context,
krb5_address **res, const krb5_address *addr, int16_t port)
{
@@ -1391,13 +1484,15 @@ krb5_make_addrport (krb5_context context,
*res = malloc (sizeof(**res));
if (*res == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
(*res)->addr_type = KRB5_ADDRESS_ADDRPORT;
ret = krb5_data_alloc (&(*res)->address, len);
if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message (context, ret,
+ N_("malloc: out of memory", ""));
free (*res);
*res = NULL;
return ret;
@@ -1427,7 +1522,6 @@ krb5_make_addrport (krb5_context context,
*p++ = (2 >> 24) & 0xFF;
memcpy (p, &port, 2);
- p += 2;
return 0;
}
@@ -1447,7 +1541,7 @@ krb5_make_addrport (krb5_context context,
* @ingroup krb5_address
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_address_prefixlen_boundary(krb5_context context,
const krb5_address *inaddr,
unsigned long prefixlen,
@@ -1457,7 +1551,9 @@ krb5_address_prefixlen_boundary(krb5_context context,
struct addr_operations *a = find_atype (inaddr->addr_type);
if(a != NULL && a->mask_boundary != NULL)
return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
- krb5_set_error_string(context, "Address family %d doesn't support "
- "address mask operation", inaddr->addr_type);
+ krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
+ N_("Address family %d doesn't support "
+ "address mask operation", ""),
+ inaddr->addr_type);
return KRB5_PROG_ATYPE_NOSUPP;
}
diff --git a/crypto/heimdal/lib/krb5/aes-test.c b/crypto/heimdal/lib/krb5/aes-test.c
index 82b3431add54..19b0ddd07502 100644
--- a/crypto/heimdal/lib/krb5/aes-test.c
+++ b/crypto/heimdal/lib/krb5/aes-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,13 +33,12 @@
#include "krb5_locl.h"
#include <hex.h>
#include <err.h>
+#include <assert.h>
#ifdef HAVE_OPENSSL
#include <openssl/evp.h>
#endif
-RCSID("$Id: aes-test.c 18301 2006-10-07 13:50:34Z lha $");
-
static int verbose = 0;
static void
@@ -62,16 +61,16 @@ struct {
char *pbkdf2;
char *key;
} keys[] = {
- {
+ {
"password", "ATHENA.MIT.EDUraeburn", -1,
- 1,
+ 1,
ETYPE_AES128_CTS_HMAC_SHA1_96, 16,
"\xcd\xed\xb5\x28\x1b\xb2\xf8\x01\x56\x5a\x11\x22\xb2\x56\x35\x15",
"\x42\x26\x3c\x6e\x89\xf4\xfc\x28\xb8\xdf\x68\xee\x09\x79\x9f\x15"
},
{
"password", "ATHENA.MIT.EDUraeburn", -1,
- 1,
+ 1,
ETYPE_AES256_CTS_HMAC_SHA1_96, 32,
"\xcd\xed\xb5\x28\x1b\xb2\xf8\x01\x56\x5a\x11\x22\xb2\x56\x35\x15"
"\x0a\xd1\xf7\xa0\x4b\xb9\xf3\xa3\x33\xec\xc0\xe2\xe1\xf7\x08\x37",
@@ -87,7 +86,7 @@ struct {
},
{
"password", "ATHENA.MIT.EDUraeburn", -1,
- 2,
+ 2,
ETYPE_AES256_CTS_HMAC_SHA1_96, 32,
"\x01\xdb\xee\x7f\x4a\x9e\x24\x3e\x98\x8b\x62\xc7\x3c\xda\x93\x5d"
"\xa0\x53\x78\xb9\x32\x44\xec\x8f\x48\xa9\x9e\x61\xad\x79\x9d\x86",
@@ -96,14 +95,14 @@ struct {
},
{
"password", "ATHENA.MIT.EDUraeburn", -1,
- 1200,
+ 1200,
ETYPE_AES128_CTS_HMAC_SHA1_96, 16,
"\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b",
"\x4c\x01\xcd\x46\xd6\x32\xd0\x1e\x6d\xbe\x23\x0a\x01\xed\x64\x2a"
},
{
"password", "ATHENA.MIT.EDUraeburn", -1,
- 1200,
+ 1200,
ETYPE_AES256_CTS_HMAC_SHA1_96, 32,
"\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b"
"\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f\x70\x8a\x31\xe2\xe6\x2b\x1e\x13",
@@ -180,14 +179,14 @@ struct {
"\x57\x18\x48\xb7\x84\xa3\xd6\xbd\xc3\x46\x58\x9a\x3e\x39\x3f\x9e"
},
{
- "foo", "", -1,
+ "foo", "", -1,
0,
ETYPE_ARCFOUR_HMAC_MD5, 16,
NULL,
"\xac\x8e\x65\x7f\x83\xdf\x82\xbe\xea\x5d\x43\xbd\xaf\x78\x00\xcc"
},
{
- "test", "", -1,
+ "test", "", -1,
0,
ETYPE_ARCFOUR_HMAC_MD5, 16,
NULL,
@@ -215,11 +214,11 @@ string_to_key_test(krb5_context context)
salt.saltvalue.length = strlen(salt.saltvalue.data);
else
salt.saltvalue.length = keys[i].saltlen;
-
+
opaque.data = iter;
opaque.length = sizeof(iter);
_krb5_put_int(iter, keys[i].iterations, 4);
-
+
if (keys[i].pbkdf2) {
unsigned char keyout[32];
@@ -228,15 +227,15 @@ string_to_key_test(krb5_context context)
PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
salt.saltvalue.data, salt.saltvalue.length,
- keys[i].iterations,
+ keys[i].iterations,
keys[i].keylen, keyout);
-
+
if (memcmp(keyout, keys[i].pbkdf2, keys[i].keylen) != 0) {
krb5_warnx(context, "%d: pbkdf2", i);
val = 1;
continue;
}
-
+
if (verbose) {
printf("PBKDF2:\n");
hex_dump_data(keyout, keys[i].keylen);
@@ -248,31 +247,31 @@ string_to_key_test(krb5_context context)
ret = krb5_string_to_key_data_salt_opaque (context,
keys[i].enctype,
- password,
- salt,
- opaque,
+ password,
+ salt,
+ opaque,
&key);
if (ret) {
- krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque",
+ krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque",
i);
val = 1;
continue;
}
-
+
if (key.keyvalue.length != keys[i].keylen) {
krb5_warnx(context, "%d: key wrong length (%lu/%lu)",
- i, (unsigned long)key.keyvalue.length,
+ i, (unsigned long)key.keyvalue.length,
(unsigned long)keys[i].keylen);
val = 1;
continue;
}
-
+
if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) {
krb5_warnx(context, "%d: key wrong", i);
val = 1;
continue;
}
-
+
if (verbose) {
printf("key:\n");
hex_dump_data(key.keyvalue.data, key.keyvalue.length);
@@ -283,333 +282,249 @@ string_to_key_test(krb5_context context)
return val;
}
-struct enc_test {
- size_t len;
- char *input;
- char *output;
- char *nextiv;
-};
+static int
+krb_enc(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_data *cipher,
+ krb5_data *clear)
+{
+ krb5_data decrypt;
+ krb5_error_code ret;
-struct enc_test encs1[] = {
- {
- 17,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20",
- "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
- "\x97",
- "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
- },
- {
- 31,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
- "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
- "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5",
- "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
- },
- {
- 32,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
- "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
- "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84",
- "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
- },
- {
- 47,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
- "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
- "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
- "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5",
- "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
- },
- {
- 48,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
- "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
- "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
- "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8",
- "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
- },
- {
- 64,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e",
- "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
- "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
- "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
- "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8",
- "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
+ krb5_data_zero(&decrypt);
+
+ ret = krb5_decrypt(context,
+ crypto,
+ usage,
+ cipher->data,
+ cipher->length,
+ &decrypt);
+
+ if (ret) {
+ krb5_warn(context, ret, "krb5_decrypt");
+ return ret;
}
-};
-
-struct enc_test encs2[] = {
- {
- 17,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20",
- "\x5c\x13\x26\x27\xc4\xcb\xca\x04\x14\x43\x8a\xb5\x97\x97\x7c\x10"
- "\x16"
- },
- {
- 31,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
- "\x16\xb3\xd8\xe5\xcd\x93\xe6\x2c\x28\x70\xa0\x36\x6e\x9a\xb9\x74"
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53"
- },
- {
- 32,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- },
- {
- 47,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\xe5\x56\xb4\x88\x41\xb9\xde\x27\xf0\x07\xa1\x6e\x89\x94\x47\xf1"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff"
- },
- {
- 48,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- },
- {
- 64,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- },
- {
- 78,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- "\x73\xfb\x2c\x36\x76\xaf\xcf\x31\xff\xe3\x8a\x89\x0c\x7e\x99\x3f"
- "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62"
- },
- {
- 83,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
- "\x41\x41\x41",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
- "\x65\x39\x3a\xdb\x92\x05\x4d\x4f\x08\xa1\xfa\x59\xda\x56\x58\x0e"
- "\x3b\xac\x12"
- },
- {
- 92,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
- "\x0c\xff\xd7\x63\x50\xf8\x4e\xf9\xec\x56\x1c\x79\xc5\xc8\xfe\x50"
- "\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f"
- },
- {
- 96,
- "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
- "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
- "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
- "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
- "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
- "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
- "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
- "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
- "\x08\x28\x49\xad\xfc\x2d\x8e\x86\xae\x69\xa5\xa8\xd9\x29\x9e\xe4"
- "\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f\x4c\x41\xd1\xb8"
+ if (decrypt.length != clear->length ||
+ memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
+ krb5_warnx(context, "clear text not same");
+ return EINVAL;
}
-};
+ krb5_data_free(&decrypt);
+
+ return 0;
+}
+
+static int
+krb_enc_iov2(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ size_t cipher_len,
+ krb5_data *clear)
+{
+ krb5_crypto_iov iov[4];
+ krb5_data decrypt;
+ int ret;
+ char *p, *q;
+ size_t len, i;
+
+ p = clear->data;
+ len = clear->length;
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
+ iov[0].data.data = emalloc(iov[0].data.length);
-char *aes_key1 =
- "\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69";
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data.length = len;
+ iov[1].data.data = emalloc(iov[1].data.length);
+ memcpy(iov[1].data.data, p, iov[1].data.length);
-char *aes_key2 =
- "\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69"
- "\x2c\x20\x79\x75\x6d\x6d\x79\x20\x79\x75\x6d\x6d\x79\x21\x21\x21";
+ /* padding buffer */
+ iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
+ krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_PADDING, &iov[2].data.length);
+ iov[2].data.data = emalloc(iov[2].data.length);
+ iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ krb5_crypto_length(context, crypto, iov[3].flags, &iov[3].data.length);
+ iov[3].data.data = emalloc(iov[3].data.length);
-static int
-samep(int testn, char *type, const void *pp1, const void *pp2, size_t len)
-{
- const unsigned char *p1 = pp1, *p2 = pp2;
- size_t i;
- int val = 1;
-
- for (i = 0; i < len; i++) {
- if (p1[i] != p2[i]) {
- if (verbose)
- printf("M");
- val = 0;
- } else {
- if (verbose)
- printf(".");
- }
+ ret = krb5_encrypt_iov_ivec(context, crypto, usage,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ errx(1, "encrypt iov failed: %d", ret);
+
+ /* check len */
+ for (i = 0, len = 0; i < sizeof(iov)/sizeof(iov[0]); i++)
+ len += iov[i].data.length;
+ if (len != cipher_len)
+ errx(1, "cipher len wrong");
+
+ /*
+ * Plain decrypt
+ */
+
+ p = q = emalloc(len);
+ for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
+ memcpy(q, iov[i].data.data, iov[i].data.length);
+ q += iov[i].data.length;
}
- if (verbose)
- printf("\n");
- return val;
-}
-static int
-encryption_test(krb5_context context, const void *key, size_t keylen,
- struct enc_test *enc, int numenc)
-{
- unsigned char iv[AES_BLOCK_SIZE];
- int i, val, failed = 0;
- AES_KEY ekey, dkey;
- unsigned char *p;
+ ret = krb5_decrypt(context, crypto, usage, p, len, &decrypt);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_decrypt");
+ else
+ krb5_data_free(&decrypt);
- AES_set_encrypt_key(key, keylen, &ekey);
- AES_set_decrypt_key(key, keylen, &dkey);
+ free(p);
- for (i = 0; i < numenc; i++) {
- val = 0;
+ /*
+ * Now decrypt use iov
+ */
- if (verbose)
- printf("test: %d\n", i);
- memset(iv, 0, sizeof(iv));
+ /* padding turn into data */
+ p = q = emalloc(iov[1].data.length + iov[2].data.length);
- p = malloc(enc[i].len + 1);
- if (p == NULL)
- krb5_errx(context, 1, "malloc");
+ memcpy(q, iov[1].data.data, iov[1].data.length);
+ q += iov[1].data.length;
+ memcpy(q, iov[2].data.data, iov[2].data.length);
- p[enc[i].len] = '\0';
+ free(iov[1].data.data);
+ free(iov[2].data.data);
- memcpy(p, enc[i].input, enc[i].len);
+ iov[1].data.data = p;
+ iov[1].data.length += iov[2].data.length;
- _krb5_aes_cts_encrypt(p, p, enc[i].len,
- &ekey, iv, AES_ENCRYPT);
+ iov[2].flags = KRB5_CRYPTO_TYPE_EMPTY;
+ iov[2].data.length = 0;
- if (p[enc[i].len] != '\0') {
- krb5_warnx(context, "%d: encrypt modified off end", i);
- val = 1;
- }
+ ret = krb5_decrypt_iov_ivec(context, crypto, usage,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ free(iov[0].data.data);
+ free(iov[3].data.data);
- if (!samep(i, "cipher", p, enc[i].output, enc[i].len)) {
- krb5_warnx(context, "%d: cipher", i);
- val = 1;
- }
+ if (ret)
+ krb5_err(context, 1, ret, "decrypt iov failed: %d", ret);
- if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/
- krb5_warnx(context, "%d: iv", i);
- val = 1;
- }
+ if (clear->length != iov[1].data.length)
+ errx(1, "length incorrect");
- memset(iv, 0, sizeof(iv));
+ p = clear->data;
+ if (memcmp(iov[1].data.data, p, iov[1].data.length) != 0)
+ errx(1, "iov[1] incorrect");
- _krb5_aes_cts_encrypt(p, p, enc[i].len,
- &dkey, iv, AES_DECRYPT);
+ free(iov[1].data.data);
- if (p[enc[i].len] != '\0') {
- krb5_warnx(context, "%d: decrypt modified off end", i);
- val = 1;
- }
+ return 0;
+}
- if (!samep(i, "clear", p, enc[i].input, enc[i].len))
- val = 1;
- if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/
- krb5_warnx(context, "%d: iv", i);
- val = 1;
- }
+static int
+krb_enc_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_data *cipher,
+ krb5_data *clear)
+{
+ krb5_crypto_iov iov[3];
+ int ret;
+ char *p;
+ size_t len;
- free(p);
+ p = cipher->data;
+ len = cipher->length;
+
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
+ iov[0].data.data = emalloc(iov[0].data.length);
+ memcpy(iov[0].data.data, p, iov[0].data.length);
+ p += iov[0].data.length;
+ len -= iov[0].data.length;
+
+ iov[1].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ krb5_crypto_length(context, crypto, iov[1].flags, &iov[1].data.length);
+ iov[1].data.data = emalloc(iov[1].data.length);
+ memcpy(iov[1].data.data, p + len - iov[1].data.length, iov[1].data.length);
+ len -= iov[1].data.length;
+
+ iov[2].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[2].data.length = len;
+ iov[2].data.data = emalloc(len);
+ memcpy(iov[2].data.data, p, len);
+
+ ret = krb5_decrypt_iov_ivec(context, crypto, usage,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb_enc_iov decrypt iov failed: %d", ret);
- if (val) {
- printf("test %d failed\n", i);
- failed = 1;
- }
- val = 0;
- }
- return failed;
+ if (clear->length != iov[2].data.length)
+ errx(1, "length incorrect");
+
+ p = clear->data;
+ if (memcmp(iov[2].data.data, p, iov[2].data.length) != 0)
+ errx(1, "iov[2] incorrect");
+
+ free(iov[0].data.data);
+ free(iov[1].data.data);
+ free(iov[2].data.data);
+
+
+ return 0;
}
static int
-krb_enc(krb5_context context,
- krb5_crypto crypto,
- unsigned usage,
- krb5_data *cipher,
- krb5_data *clear)
+krb_checksum_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_data *plain)
{
- krb5_data decrypt;
- krb5_error_code ret;
+ krb5_crypto_iov iov[4];
+ int ret;
+ char *p;
+ size_t len;
- krb5_data_zero(&decrypt);
+ p = plain->data;
+ len = plain->length;
- ret = krb5_decrypt(context,
- crypto,
- usage,
- cipher->data,
- cipher->length,
- &decrypt);
+ iov[0].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
+ krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
+ iov[0].data.data = emalloc(iov[0].data.length);
- if (ret) {
- krb5_warn(context, ret, "krb5_decrypt");
- return ret;
- }
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data.length = len;
+ iov[1].data.data = p;
- if (decrypt.length != clear->length ||
- memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
- krb5_warnx(context, "clear text not same");
- return EINVAL;
- }
+ iov[2].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ krb5_crypto_length(context, crypto, iov[0].flags, &iov[2].data.length);
+ iov[2].data.data = malloc(iov[2].data.length);
- krb5_data_free(&decrypt);
+ ret = krb5_create_checksum_iov(context, crypto, usage,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_create_checksum_iov failed");
+
+ ret = krb5_verify_checksum_iov(context, crypto, usage, iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_verify_checksum_iov");
+
+ free(iov[0].data.data);
+ free(iov[2].data.data);
return 0;
}
+
static int
krb_enc_mit(krb5_context context,
krb5_enctype enctype,
krb5_keyblock *key,
unsigned usage,
- krb5_data *cipher,
+ krb5_data *cipher,
krb5_data *clear)
{
+#ifndef HEIMDAL_SMALLER
krb5_error_code ret;
krb5_enc_data e;
krb5_data decrypt;
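Review bot: In krb_checksum_iov the array is declared `krb5_crypto_iov iov[4];` but only iov[0] to iov[2] are filled in, and both krb5_create_checksum_iov and krb5_verify_checksum_iov are passed `sizeof(iov)/sizeof(iov[0])`, so the library is handed a fourth entry whose flags, length and pointer are uninitialized stack contents. Declaring it as `krb5_crypto_iov iov[3];` removes that. The trailer length query also passes `iov[0].flags` where `iov[2].flags` looks intended, and its buffer comes from an unchecked `malloc` while the other buffers in this hunk use `emalloc`; I would write `krb5_crypto_length(context, crypto, iov[2].flags, &iov[2].data.length);` and `iov[2].data.data = emalloc(iov[2].data.length);`. The return value of krb5_crypto_length is ignored throughout krb_enc_iov2, krb_enc_iov and krb_checksum_iov, so a failed call leaves the length that feeds emalloc and memcpy undefined.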
@@ -640,7 +555,7 @@ krb_enc_mit(krb5_context context,
(unsigned long)len, (unsigned long)cipher->length);
return EINVAL;
}
-
+#endif /* HEIMDAL_SMALLER */
return 0;
}
@@ -655,10 +570,10 @@ struct {
size_t plen;
void *pdata;
} krbencs[] = {
- {
+ {
ETYPE_AES256_CTS_HMAC_SHA1_96,
7,
- 32,
+ 32,
"\x47\x75\x69\x64\x65\x6c\x69\x6e\x65\x73\x20\x74\x6f\x20\x41\x75"
"\x74\x68\x6f\x72\x73\x20\x6f\x66\x20\x49\x6e\x74\x65\x72\x6e\x65",
44,
@@ -678,7 +593,7 @@ krb_enc_test(krb5_context context)
krb5_crypto crypto;
krb5_keyblock kb;
krb5_data cipher, plain;
- int i, failed = 0;
+ int i;
for (i = 0; i < sizeof(krbencs)/sizeof(krbencs[0]); i++) {
@@ -692,28 +607,217 @@ krb_enc_test(krb5_context context)
cipher.data = krbencs[i].edata;
plain.length = krbencs[i].plen;
plain.data = krbencs[i].pdata;
-
+
ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain);
-
- if (ret) {
- failed = 1;
- printf("krb_enc failed with %d\n", ret);
- }
+
+ if (ret)
+ errx(1, "krb_enc failed with %d for test %d", ret, i);
+
+ ret = krb_enc_iov(context, crypto, krbencs[i].usage, &cipher, &plain);
+ if (ret)
+ errx(1, "krb_enc_iov failed with %d for test %d", ret, i);
+
+ ret = krb_enc_iov2(context, crypto, krbencs[i].usage,
+ cipher.length, &plain);
+ if (ret)
+ errx(1, "krb_enc_iov2 failed with %d for test %d", ret, i);
+
+ ret = krb_checksum_iov(context, crypto, krbencs[i].usage, &plain);
+ if (ret)
+ errx(1, "krb_checksum_iov failed with %d for test %d", ret, i);
+
krb5_crypto_destroy(context, crypto);
- ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
+ ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
krbencs[i].usage, &cipher, &plain);
- if (ret) {
- failed = 1;
- printf("krb_enc_mit failed with %d\n", ret);
- }
+ if (ret)
+ errx(1, "krb_enc_mit failed with %d for test %d", ret, i);
+ }
+
+ return 0;
+}
+
+static int
+iov_test(krb5_context context)
+{
+ krb5_enctype enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ krb5_error_code ret;
+ krb5_crypto crypto;
+ krb5_keyblock key;
+ krb5_data signonly, in, in2;
+ krb5_crypto_iov iov[6];
+ size_t len, i;
+ unsigned char *base, *p;
+
+ ret = krb5_generate_random_keyblock(context, enctype, &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+ ret = krb5_crypto_init(context, &key, 0, &crypto);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_init");
+
+ ret = krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_HEADER, &len);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_length");
+
+ signonly.data = "This should be signed";
+ signonly.length = strlen(signonly.data);
+ in.data = "inputdata";
+ in.length = strlen(in.data);
+
+ in2.data = "INPUTDATA";
+ in2.length = strlen(in2.data);
+
+
+ memset(iov, 0, sizeof(iov));
+
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data = in;
+ iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ iov[2].data = signonly;
+ iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
+ iov[4].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;
+
+ ret = krb5_crypto_length_iov(context, crypto, iov,
+ sizeof(iov)/sizeof(iov[0]));
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_length_iov");
+
+ for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
+ if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += iov[i].data.length;
+ }
+
+ base = emalloc(len);
+
+ /*
+ * Allocate data for the fields
+ */
+
+ for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
+ if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;;
+ iov[i].data.data = p;
+ p += iov[i].data.length;
}
+ assert(iov[1].data.length == in.length);
+ memcpy(iov[1].data.data, in.data, iov[1].data.length);
+
+ /*
+ * Encrypt
+ */
+
+ ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov,
+ sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
+
+ /*
+ * Decrypt
+ */
+
+ ret = krb5_decrypt_iov_ivec(context, crypto, 7,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
+
+ /*
+ * Verify data
+ */
+
+ if (krb5_data_cmp(&iov[1].data, &in) != 0)
+ krb5_errx(context, 1, "decrypted data not same");
+
+ /*
+ * Free memory
+ */
+
+ free(base);
+
+ /* Set up for second try */
+
+ iov[3].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[3].data = in;
+
+ ret = krb5_crypto_length_iov(context, crypto,
+ iov, sizeof(iov)/sizeof(iov[0]));
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_length_iov");
- return failed;
+ for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
+ if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += iov[i].data.length;
+ }
+
+ base = emalloc(len);
+
+ /*
+ * Allocate data for the fields
+ */
+
+ for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
+ if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;;
+ iov[i].data.data = p;
+ p += iov[i].data.length;
+ }
+ assert(iov[1].data.length == in.length);
+ memcpy(iov[1].data.data, in.data, iov[1].data.length);
+
+ assert(iov[3].data.length == in2.length);
+ memcpy(iov[3].data.data, in2.data, iov[3].data.length);
+
+
+
+ /*
+ * Encrypt
+ */
+
+ ret = krb5_encrypt_iov_ivec(context, crypto, 7,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
+
+ /*
+ * Decrypt
+ */
+
+ ret = krb5_decrypt_iov_ivec(context, crypto, 7,
+ iov, sizeof(iov)/sizeof(iov[0]), NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
+
+ /*
+ * Verify data
+ */
+
+ if (krb5_data_cmp(&iov[1].data, &in) != 0)
+ krb5_errx(context, 1, "decrypted data 2.1 not same");
+
+ if (krb5_data_cmp(&iov[3].data, &in2) != 0)
+ krb5_errx(context, 1, "decrypted data 2.2 not same");
+
+ /*
+ * Free memory
+ */
+
+ free(base);
+
+ krb5_crypto_destroy(context, crypto);
+
+ krb5_free_keyblock_contents(context, &key);
+
+ return 0;
}
+
static int
random_to_key(krb5_context context)
{
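Review bot: iov_test only exercises the success path: neither pass changes the ciphertext or the `KRB5_CRYPTO_TYPE_SIGN_ONLY` buffer between krb5_encrypt_iov_ivec and krb5_decrypt_iov_ivec, so the test would still pass if the sign-only data were left out of the integrity check. A negative case after the first round trip, which re-encrypts, points iov[2] at a modified copy of the string and expects decryption to fail, would pin that property. This assumes sign-only data is meant to be covered by the checksum, which the hunk itself does not show. Separately, the `assert()` calls guarding the memcpy lengths disappear under NDEBUG, and the `len` returned by the early krb5_crypto_length call is overwritten before it is used.

```c
    /* … unchanged: first encrypt/decrypt round trip and its krb5_data_cmp check … */

    /*
     * Negative case: sign-only data altered after encryption must be rejected
     */
    {
	char altered[] = "This should be signeD";	/* constructed sample */

	ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov,
				    sizeof(iov)/sizeof(iov[0]), NULL);
	if (ret)
	    krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");

	iov[2].data.data = altered;
	iov[2].data.length = strlen(altered);

	ret = krb5_decrypt_iov_ivec(context, crypto, 7,
				    iov, sizeof(iov)/sizeof(iov[0]), NULL);
	if (ret == 0)
	    krb5_errx(context, 1, "decrypt accepted altered sign-only data");

	iov[2].data = signonly;
    }

    /* … unchanged: free(base) and the second pass … */
```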
@@ -746,26 +850,22 @@ random_to_key(krb5_context context)
return 0;
}
-
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
int val = 0;
-
+
ret = krb5_init_context (&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
val |= string_to_key_test(context);
- val |= encryption_test(context, aes_key1, 128,
- encs1, sizeof(encs1)/sizeof(encs1[0]));
- val |= encryption_test(context, aes_key2, 256,
- encs2, sizeof(encs2)/sizeof(encs2[0]));
val |= krb_enc_test(context);
val |= random_to_key(context);
+ val |= iov_test(context);
if (verbose && val == 0)
printf("all ok\n");
diff --git a/crypto/heimdal/lib/krb5/aname_to_localname.c b/crypto/heimdal/lib/krb5/aname_to_localname.c
index 5800404d9819..7bfd861da94e 100644
--- a/crypto/heimdal/lib/krb5/aname_to_localname.c
+++ b/crypto/heimdal/lib/krb5/aname_to_localname.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: aname_to_localname.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_aname_to_localname (krb5_context context,
krb5_const_principal aname,
size_t lnsize,
@@ -74,7 +72,7 @@ krb5_aname_to_localname (krb5_context context,
ret = krb5_copy_principal(context, aname, &rootprinc);
if (ret)
return ret;
-
+
userok = krb5_kuserok(context, rootprinc, res);
krb5_free_principal(context, rootprinc);
if (!userok)
diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c
index b0bb171f4a14..d4e963d74ab1 100644
--- a/crypto/heimdal/lib/krb5/appdefault.c
+++ b/crypto/heimdal/lib/krb5/appdefault.c
@@ -1,118 +1,116 @@
/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: appdefault.c 14465 2005-01-05 05:40:59Z lukeh $");
-
-void KRB5_LIB_FUNCTION
-krb5_appdefault_boolean(krb5_context context, const char *appname,
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_appdefault_boolean(krb5_context context, const char *appname,
krb5_const_realm realm, const char *option,
krb5_boolean def_val, krb5_boolean *ret_val)
{
-
+
if(appname == NULL)
appname = getprogname();
- def_val = krb5_config_get_bool_default(context, NULL, def_val,
+ def_val = krb5_config_get_bool_default(context, NULL, def_val,
"libdefaults", option, NULL);
if(realm != NULL)
- def_val = krb5_config_get_bool_default(context, NULL, def_val,
+ def_val = krb5_config_get_bool_default(context, NULL, def_val,
"realms", realm, option, NULL);
-
- def_val = krb5_config_get_bool_default(context, NULL, def_val,
- "appdefaults",
- option,
+
+ def_val = krb5_config_get_bool_default(context, NULL, def_val,
+ "appdefaults",
+ option,
NULL);
if(realm != NULL)
def_val = krb5_config_get_bool_default(context, NULL, def_val,
- "appdefaults",
- realm,
- option,
+ "appdefaults",
+ realm,
+ option,
NULL);
if(appname != NULL) {
- def_val = krb5_config_get_bool_default(context, NULL, def_val,
- "appdefaults",
- appname,
- option,
+ def_val = krb5_config_get_bool_default(context, NULL, def_val,
+ "appdefaults",
+ appname,
+ option,
NULL);
if(realm != NULL)
def_val = krb5_config_get_bool_default(context, NULL, def_val,
- "appdefaults",
- appname,
- realm,
- option,
+ "appdefaults",
+ appname,
+ realm,
+ option,
NULL);
}
*ret_val = def_val;
}
-void KRB5_LIB_FUNCTION
-krb5_appdefault_string(krb5_context context, const char *appname,
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_appdefault_string(krb5_context context, const char *appname,
krb5_const_realm realm, const char *option,
const char *def_val, char **ret_val)
{
if(appname == NULL)
appname = getprogname();
- def_val = krb5_config_get_string_default(context, NULL, def_val,
+ def_val = krb5_config_get_string_default(context, NULL, def_val,
"libdefaults", option, NULL);
if(realm != NULL)
- def_val = krb5_config_get_string_default(context, NULL, def_val,
+ def_val = krb5_config_get_string_default(context, NULL, def_val,
"realms", realm, option, NULL);
- def_val = krb5_config_get_string_default(context, NULL, def_val,
- "appdefaults",
- option,
+ def_val = krb5_config_get_string_default(context, NULL, def_val,
+ "appdefaults",
+ option,
NULL);
if(realm != NULL)
def_val = krb5_config_get_string_default(context, NULL, def_val,
- "appdefaults",
- realm,
- option,
+ "appdefaults",
+ realm,
+ option,
NULL);
if(appname != NULL) {
- def_val = krb5_config_get_string_default(context, NULL, def_val,
- "appdefaults",
- appname,
- option,
+ def_val = krb5_config_get_string_default(context, NULL, def_val,
+ "appdefaults",
+ appname,
+ option,
NULL);
if(realm != NULL)
def_val = krb5_config_get_string_default(context, NULL, def_val,
- "appdefaults",
- appname,
- realm,
- option,
+ "appdefaults",
+ appname,
+ realm,
+ option,
NULL);
}
if(def_val != NULL)
@@ -121,7 +119,7 @@ krb5_appdefault_string(krb5_context context, const char *appname,
*ret_val = NULL;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_appdefault_time(krb5_context context, const char *appname,
krb5_const_realm realm, const char *option,
time_t def_val, time_t *ret_val)
diff --git a/crypto/heimdal/lib/krb5/asn1_glue.c b/crypto/heimdal/lib/krb5/asn1_glue.c
index b3f775b4bea3..a821faff93e8 100644
--- a/crypto/heimdal/lib/krb5/asn1_glue.c
+++ b/crypto/heimdal/lib/krb5/asn1_glue.c
@@ -1,34 +1,34 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
/*
@@ -37,28 +37,36 @@
#include "krb5_locl.h"
-RCSID("$Id: asn1_glue.c 21745 2007-07-31 16:11:25Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_principal2principalname (PrincipalName *p,
const krb5_principal from)
{
return copy_PrincipalName(&from->name, p);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_principalname2krb5_principal (krb5_context context,
krb5_principal *principal,
const PrincipalName from,
const Realm realm)
{
- krb5_principal p = malloc(sizeof(*p));
+ krb5_error_code ret;
+ krb5_principal p;
+
+ p = malloc(sizeof(*p));
if (p == NULL)
return ENOMEM;
- copy_PrincipalName(&from, &p->name);
+ ret = copy_PrincipalName(&from, &p->name);
+ if (ret) {
+ free(p);
+ return ret;
+ }
p->realm = strdup(realm);
- if (p->realm == NULL)
+ if (p->realm == NULL) {
+ free_PrincipalName(&p->name);
+ free(p);
return ENOMEM;
+ }
*principal = p;
return 0;
}
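Review bot: Both new failure returns in `_krb5_principalname2krb5_principal` leave `*principal` untouched, so a caller that declared the pointer without initialising it and runs its usual cleanup on error would pass an indeterminate pointer to the free routine. Callers are not visible in this diff, so this is a hardening suggestion rather than a confirmed bug: add `*principal = NULL;` as the first statement, before the `malloc`. The cleanup added here is otherwise in the right order: `free(p)` after a failed `copy_PrincipalName`, and `free_PrincipalName(&p->name)` before `free(p)` when `strdup` fails.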
diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c
index 323f17a24534..25ae15cf0f3b 100644
--- a/crypto/heimdal/lib/krb5/auth_context.c
+++ b/crypto/heimdal/lib/krb5/auth_context.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: auth_context.c 21745 2007-07-31 16:11:25Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_init(krb5_context context,
krb5_auth_context *auth_context)
{
@@ -43,13 +41,13 @@ krb5_auth_con_init(krb5_context context,
ALLOC(p, 1);
if(!p) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memset(p, 0, sizeof(*p));
ALLOC(p->authenticator, 1);
if (!p->authenticator) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(p);
return ENOMEM;
}
@@ -60,13 +58,13 @@ krb5_auth_con_init(krb5_context context,
p->remote_address = NULL;
p->local_port = 0;
p->remote_port = 0;
- p->keytype = KEYTYPE_NULL;
+ p->keytype = ENCTYPE_NULL;
p->cksumtype = CKSUMTYPE_NONE;
*auth_context = p;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_free(krb5_context context,
krb5_auth_context auth_context)
{
@@ -88,7 +86,7 @@ krb5_auth_con_free(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setflags(krb5_context context,
krb5_auth_context auth_context,
int32_t flags)
@@ -98,7 +96,7 @@ krb5_auth_con_setflags(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getflags(krb5_context context,
krb5_auth_context auth_context,
int32_t *flags)
@@ -107,7 +105,7 @@ krb5_auth_con_getflags(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_addflags(krb5_context context,
krb5_auth_context auth_context,
int32_t addflags,
@@ -119,7 +117,7 @@ krb5_auth_con_addflags(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_removeflags(krb5_context context,
krb5_auth_context auth_context,
int32_t removeflags,
@@ -131,7 +129,7 @@ krb5_auth_con_removeflags(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setaddrs(krb5_context context,
krb5_auth_context auth_context,
krb5_address *local_addr,
@@ -156,10 +154,10 @@ krb5_auth_con_setaddrs(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_auth_con_genaddrs(krb5_context context,
- krb5_auth_context auth_context,
- int fd, int flags)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_genaddrs(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_socket_t fd, int flags)
{
krb5_error_code ret;
krb5_address local_k_address, remote_k_address;
@@ -172,10 +170,11 @@ krb5_auth_con_genaddrs(krb5_context context,
if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR) {
if (auth_context->local_address == NULL) {
len = sizeof(ss_local);
- if(getsockname(fd, local, &len) < 0) {
- ret = errno;
- krb5_set_error_string (context, "getsockname: %s",
- strerror(ret));
+ if(rk_IS_SOCKET_ERROR(getsockname(fd, local, &len))) {
+ char buf[128];
+ ret = rk_SOCK_ERRNO;
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "getsockname: %s", buf);
goto out;
}
ret = krb5_sockaddr2address (context, local, &local_k_address);
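Review bot: The result of `rk_strerror_r` is ignored in the new `getsockname` error path and `buf` is declared without an initialiser, so if the call fails to produce a message, `krb5_set_error_message` would format indeterminate stack bytes through `%s`. Whether `rk_strerror_r` always leaves a terminated string behind on failure cannot be seen from this diff, so the cheap guard is to declare the buffer as `char buf[128] = "";` or to check the return value and fall back to a fixed string. The `getpeername` branch in the next hunk repeats the same pattern and needs the same change. The body of `krb5_auth_con_genaddrs` starts and ends outside this hunk.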
@@ -189,9 +188,11 @@ krb5_auth_con_genaddrs(krb5_context context,
}
if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) {
len = sizeof(ss_remote);
- if(getpeername(fd, remote, &len) < 0) {
- ret = errno;
- krb5_set_error_string (context, "getpeername: %s", strerror(ret));
+ if(rk_IS_SOCKET_ERROR(getpeername(fd, remote, &len))) {
+ char buf[128];
+ ret = rk_SOCK_ERRNO;
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "getpeername: %s", buf);
goto out;
}
ret = krb5_sockaddr2address (context, remote, &remote_k_address);
@@ -215,12 +216,12 @@ krb5_auth_con_genaddrs(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setaddrs_from_fd (krb5_context context,
krb5_auth_context auth_context,
void *p_fd)
{
- int fd = *(int*)p_fd;
+ krb5_socket_t fd = *(krb5_socket_t *)p_fd;
int flags = 0;
if(auth_context->local_address == NULL)
flags |= KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR;
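Review bot: The cast in `krb5_auth_con_setaddrs_from_fd` now reads a `krb5_socket_t` through the untyped `p_fd`, but neither the signature nor a comment tells callers that the expected pointee type is no longer `int`. On a platform where `krb5_socket_t` is wider than `int` (not determinable from this diff), an existing caller that still passes the address of an `int` would have bytes beyond its variable read as part of the descriptor. I would document the contract above the function, for example `/* p_fd must point to a krb5_socket_t, not an int */`. `p_fd` is also dereferenced without a NULL check. The function's final lines are in the following hunk.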
@@ -229,7 +230,7 @@ krb5_auth_con_setaddrs_from_fd (krb5_context context,
return krb5_auth_con_genaddrs(context, auth_context, fd, flags);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getaddrs(krb5_context context,
krb5_auth_context auth_context,
krb5_address **local_addr,
@@ -239,7 +240,7 @@ krb5_auth_con_getaddrs(krb5_context context,
krb5_free_address (context, *local_addr);
*local_addr = malloc (sizeof(**local_addr));
if (*local_addr == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
krb5_copy_address(context,
@@ -250,7 +251,7 @@ krb5_auth_con_getaddrs(krb5_context context,
krb5_free_address (context, *remote_addr);
*remote_addr = malloc (sizeof(**remote_addr));
if (*remote_addr == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
krb5_free_address (context, *local_addr);
*local_addr = NULL;
return ENOMEM;
@@ -261,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context,
return 0;
}
+/* coverity[+alloc : arg-*2] */
static krb5_error_code
copy_key(krb5_context context,
krb5_keyblock *in,
@@ -272,7 +274,7 @@ copy_key(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock **keyblock)
@@ -280,7 +282,7 @@ krb5_auth_con_getkey(krb5_context context,
return copy_key(context, auth_context->keyblock, keyblock);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getlocalsubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock **keyblock)
@@ -288,7 +290,8 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
return copy_key(context, auth_context->local_subkey, keyblock);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/* coverity[+alloc : arg-*2] */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getremotesubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock **keyblock)
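Review bot: The `/* coverity[+alloc : arg-*2] */` annotation is added to `krb5_auth_con_getremotesubkey` only, while `krb5_auth_con_getkey` and `krb5_auth_con_getlocalsubkey` in the hunks just above are the same one-line wrappers around `copy_key` and receive no annotation. Since `copy_key` itself is annotated earlier in this diff, either annotate all three getters or drop this one, so that the analyser models the ownership of the returned keyblock the same way for each. A short comment on the getters saying that the caller owns and must release `*keyblock` would also help reviewers, because these functions hand out copies of session and subkey material. The function body lies outside this hunk.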
@@ -296,7 +299,7 @@ krb5_auth_con_getremotesubkey(krb5_context context,
return copy_key(context, auth_context->remote_subkey, keyblock);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *keyblock)
@@ -306,7 +309,7 @@ krb5_auth_con_setkey(krb5_context context,
return copy_key(context, keyblock, &auth_context->keyblock);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setlocalsubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *keyblock)
@@ -316,7 +319,7 @@ krb5_auth_con_setlocalsubkey(krb5_context context,
return copy_key(context, keyblock, &auth_context->local_subkey);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_generatelocalsubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *key)
@@ -336,7 +339,7 @@ krb5_auth_con_generatelocalsubkey(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setremotesubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *keyblock)
@@ -346,7 +349,7 @@ krb5_auth_con_setremotesubkey(krb5_context context,
return copy_key(context, keyblock, &auth_context->remote_subkey);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setcksumtype(krb5_context context,
krb5_auth_context auth_context,
krb5_cksumtype cksumtype)
@@ -355,7 +358,7 @@ krb5_auth_con_setcksumtype(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getcksumtype(krb5_context context,
krb5_auth_context auth_context,
krb5_cksumtype *cksumtype)
@@ -364,7 +367,7 @@ krb5_auth_con_getcksumtype(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setkeytype (krb5_context context,
krb5_auth_context auth_context,
krb5_keytype keytype)
@@ -373,7 +376,7 @@ krb5_auth_con_setkeytype (krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getkeytype (krb5_context context,
krb5_auth_context auth_context,
krb5_keytype *keytype)
@@ -383,7 +386,7 @@ krb5_auth_con_getkeytype (krb5_context context,
}
#if 0
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setenctype(krb5_context context,
krb5_auth_context auth_context,
krb5_enctype etype)
@@ -397,7 +400,7 @@ krb5_auth_con_setenctype(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getenctype(krb5_context context,
krb5_auth_context auth_context,
krb5_enctype *etype)
@@ -406,7 +409,7 @@ krb5_auth_con_getenctype(krb5_context context,
}
#endif
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getlocalseqnumber(krb5_context context,
krb5_auth_context auth_context,
int32_t *seqnumber)
@@ -415,7 +418,7 @@ krb5_auth_con_getlocalseqnumber(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setlocalseqnumber (krb5_context context,
krb5_auth_context auth_context,
int32_t seqnumber)
@@ -424,16 +427,16 @@ krb5_auth_con_setlocalseqnumber (krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_auth_getremoteseqnumber(krb5_context context,
- krb5_auth_context auth_context,
- int32_t *seqnumber)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getremoteseqnumber(krb5_context context,
+ krb5_auth_context auth_context,
+ int32_t *seqnumber)
{
*seqnumber = auth_context->remote_seqnumber;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setremoteseqnumber (krb5_context context,
krb5_auth_context auth_context,
int32_t seqnumber)
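Review bot: Renaming the exported `krb5_auth_getremoteseqnumber` to `krb5_auth_con_getremoteseqnumber` removes the old symbol from this file, so code built against the previous name will stop compiling or linking unless a compatibility definition exists elsewhere, and none is visible in this diff. If the old name was part of the installed API, keep it as a thin wrapper whose body is `return krb5_auth_con_getremoteseqnumber(context, auth_context, seqnumber);`, and mark it deprecated in a comment. The rename itself makes the name consistent with the neighbouring `krb5_auth_con_*` accessors.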
@@ -443,14 +446,14 @@ krb5_auth_con_setremoteseqnumber (krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getauthenticator(krb5_context context,
krb5_auth_context auth_context,
krb5_authenticator *authenticator)
{
*authenticator = malloc(sizeof(**authenticator));
if (*authenticator == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -460,7 +463,7 @@ krb5_auth_con_getauthenticator(krb5_context context,
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_authenticator(krb5_context context,
krb5_authenticator *authenticator)
{
@@ -470,7 +473,7 @@ krb5_free_authenticator(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setuserkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *keyblock)
@@ -480,7 +483,7 @@ krb5_auth_con_setuserkey(krb5_context context,
return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getrcache(krb5_context context,
krb5_auth_context auth_context,
krb5_rcache *rcache)
@@ -489,7 +492,7 @@ krb5_auth_con_getrcache(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setrcache(krb5_context context,
krb5_auth_context auth_context,
krb5_rcache rcache)
@@ -500,7 +503,7 @@ krb5_auth_con_setrcache(krb5_context context,
#if 0 /* not implemented */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_initivector(krb5_context context,
krb5_auth_context auth_context)
{
@@ -508,7 +511,7 @@ krb5_auth_con_initivector(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setivector(krb5_context context,
krb5_auth_context auth_context,
krb5_pointer ivector)
diff --git a/crypto/heimdal/lib/krb5/build_ap_req.c b/crypto/heimdal/lib/krb5/build_ap_req.c
index b1968fe817b7..d56a0a194e1e 100644
--- a/crypto/heimdal/lib/krb5/build_ap_req.c
+++ b/crypto/heimdal/lib/krb5/build_ap_req.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: build_ap_req.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_ap_req (krb5_context context,
krb5_enctype enctype,
krb5_creds *cred,
@@ -47,13 +45,13 @@ krb5_build_ap_req (krb5_context context,
AP_REQ ap;
Ticket t;
size_t len;
-
+
ap.pvno = 5;
ap.msg_type = krb_ap_req;
memset(&ap.ap_options, 0, sizeof(ap.ap_options));
ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
-
+
ap.ticket.tkt_vno = 5;
copy_Realm(&cred->server->realm, &ap.ticket.realm);
copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c
index f8739c044d16..01145a28c604 100644
--- a/crypto/heimdal/lib/krb5/build_auth.c
+++ b/crypto/heimdal/lib/krb5/build_auth.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: build_auth.c 17033 2006-04-10 08:53:21Z lha $");
+#include "krb5_locl.h"
static krb5_error_code
make_etypelist(krb5_context context,
@@ -43,10 +41,12 @@ make_etypelist(krb5_context context,
krb5_error_code ret;
krb5_authdata ad;
u_char *buf;
- size_t len;
+ size_t len = 0;
size_t buf_size;
-
- ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL);
+
+ ret = _krb5_init_etype(context, KRB5_PDU_NONE,
+ &etypes.len, &etypes.val,
+ NULL);
if (ret)
return ret;
@@ -62,7 +62,7 @@ make_etypelist(krb5_context context,
ALLOC_SEQ(&ad, 1);
if (ad.val == NULL) {
free(buf);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -74,21 +74,23 @@ make_etypelist(krb5_context context,
if (ret) {
free_AuthorizationData(&ad);
return ret;
- }
+ }
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
free_AuthorizationData(&ad);
ALLOC(*auth_data, 1);
if (*auth_data == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ free(buf);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ALLOC_SEQ(*auth_data, 1);
if ((*auth_data)->val == NULL) {
+ free(*auth_data);
free(buf);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
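Review bot: The new `free(*auth_data);` on the `ALLOC_SEQ` failure path leaves the caller's pointer dangling: `*auth_data` still holds the freed address when `ENOMEM` is returned, so a caller that releases its authorization data during error cleanup would free it a second time. Follow the free with `*auth_data = NULL;`. The `free(buf);` added to the preceding `ALLOC(*auth_data, 1)` failure branch closes a leak and looks right. `make_etypelist` begins and ends outside this hunk.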
@@ -99,71 +101,76 @@ make_etypelist(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_build_authenticator (krb5_context context,
- krb5_auth_context auth_context,
- krb5_enctype enctype,
- krb5_creds *cred,
- Checksum *cksum,
- Authenticator **auth_result,
- krb5_data *result,
- krb5_key_usage usage)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_build_authenticator (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_enctype enctype,
+ krb5_creds *cred,
+ Checksum *cksum,
+ krb5_data *result,
+ krb5_key_usage usage)
{
- Authenticator *auth;
+ Authenticator auth;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
- auth = calloc(1, sizeof(*auth));
- if (auth == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
+ memset(&auth, 0, sizeof(auth));
+
+ auth.authenticator_vno = 5;
+ copy_Realm(&cred->client->realm, &auth.crealm);
+ copy_PrincipalName(&cred->client->name, &auth.cname);
- auth->authenticator_vno = 5;
- copy_Realm(&cred->client->realm, &auth->crealm);
- copy_PrincipalName(&cred->client->name, &auth->cname);
+ krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
- krb5_us_timeofday (context, &auth->ctime, &auth->cusec);
-
- ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
+ ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
if(ret)
goto fail;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
- &cred->session,
+ &cred->session,
&auth_context->local_seqnumber);
- ALLOC(auth->seq_number, 1);
- if(auth->seq_number == NULL) {
+ ALLOC(auth.seq_number, 1);
+ if(auth.seq_number == NULL) {
ret = ENOMEM;
goto fail;
}
- *auth->seq_number = auth_context->local_seqnumber;
+ *auth.seq_number = auth_context->local_seqnumber;
} else
- auth->seq_number = NULL;
- auth->authorization_data = NULL;
- auth->cksum = cksum;
-
- if (cksum != NULL && cksum->cksumtype == CKSUMTYPE_GSSAPI) {
- /*
- * This is not GSS-API specific, we only enable it for
- * GSS for now
- */
- ret = make_etypelist(context, &auth->authorization_data);
+ auth.seq_number = NULL;
+ auth.authorization_data = NULL;
+
+ if (cksum) {
+ ALLOC(auth.cksum, 1);
+ if (auth.cksum == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ ret = copy_Checksum(cksum, auth.cksum);
if (ret)
goto fail;
+
+ if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ /*
+ * This is not GSS-API specific, we only enable it for
+ * GSS for now
+ */
+ ret = make_etypelist(context, &auth.authorization_data);
+ if (ret)
+ goto fail;
+ }
}
/* XXX - Copy more to auth_context? */
- auth_context->authenticator->ctime = auth->ctime;
- auth_context->authenticator->cusec = auth->cusec;
+ auth_context->authenticator->ctime = auth.ctime;
+ auth_context->authenticator->cusec = auth.cusec;
- ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret);
+ ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
if (ret)
goto fail;
if(buf_size != len)
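Review bot: The results of `copy_Realm(&cred->client->realm, &auth.crealm)` and `copy_PrincipalName(&cred->client->name, &auth.cname)` are discarded, so, assuming they report failure the way `copy_Checksum` does, an allocation failure there goes unnoticed and the Authenticator is encoded with a missing or partial client identity. The new code already checks `copy_Checksum` a few lines later; the same pattern fits here: `ret = copy_Realm(&cred->client->realm, &auth.crealm); if (ret) goto fail;` and likewise for `copy_PrincipalName`. `krb5_generate_seq_number` is also called without looking at its return value. The function body continues past the end of this hunk.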
@@ -175,7 +182,7 @@ krb5_build_authenticator (krb5_context context,
ret = krb5_encrypt (context,
crypto,
usage /* KRB5_KU_AP_REQ_AUTH */,
- buf + buf_size - len,
+ buf,
len,
result);
krb5_crypto_destroy(context, crypto);
@@ -183,20 +190,9 @@ krb5_build_authenticator (krb5_context context,
if (ret)
goto fail;
+ fail:
+ free_Authenticator (&auth);
free (buf);
- if (auth_result)
- *auth_result = auth;
- else {
- /* Don't free the `cksum', it's allocated by the caller */
- auth->cksum = NULL;
- free_Authenticator (auth);
- free (auth);
- }
- return ret;
- fail:
- free_Authenticator (auth);
- free (auth);
- free (buf);
return ret;
}
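Review bot: `buf` holds the encoded plaintext Authenticator, which includes the subkey fetched by `krb5_auth_con_getlocalsubkey`, and the merged exit path releases it with a plain `free (buf);`. Clearing it first keeps key material out of recycled heap memory: `if (buf) memset(buf, 0, len);` before the free, or a wipe routine the compiler cannot elide where the platform offers one. `len` is initialised to 0 by this commit, so the call is harmless when encoding never happened. A short comment at `fail:` saying the label is now reached on success as well would also help, since the name suggests otherwise. The function starts outside this hunk.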
diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c
index 5db6d2b2cf8a..88040cbc6f35 100644
--- a/crypto/heimdal/lib/krb5/cache.c
+++ b/crypto/heimdal/lib/krb5/cache.c
@@ -1,39 +1,104 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $");
+/**
+ * @page krb5_ccache_intro The credential cache functions
+ * @section section_krb5_ccache Kerberos credential caches
+ *
+ * krb5_ccache structure holds a Kerberos credential cache.
+ *
+ * Heimdal support the follow types of credential caches:
+ *
+ * - SCC
+ * Store the credential in a database
+ * - FILE
+ * Store the credential in memory
+ * - MEMORY
+ * Store the credential in memory
+ * - API
+ * A credential cache server based solution for Mac OS X
+ * - KCM
+ * A credential cache server based solution for all platforms
+ *
+ * @subsection Example
+ *
+ * This is a minimalistic version of klist:
+@code
+#include <krb5.h>
+
+int
+main (int argc, char **argv)
+{
+ krb5_context context;
+ krb5_cc_cursor cursor;
+ krb5_error_code ret;
+ krb5_ccache id;
+ krb5_creds creds;
+
+ if (krb5_init_context (&context) != 0)
+ errx(1, "krb5_context");
+
+ ret = krb5_cc_default (context, &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_default");
+
+ ret = krb5_cc_start_seq_get(context, id, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+ while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
+ char *principal;
+
+ krb5_unparse_name(context, creds.server, &principal);
+ printf("principal: %s\\n", principal);
+ free(principal);
+ krb5_free_cred_contents (context, &creds);
+ }
+ ret = krb5_cc_end_seq_get(context, id, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
+
+ krb5_cc_close(context, id);
+
+ krb5_free_context(context);
+ return 0;
+}
+* @endcode
+*/
/**
* Add a new ccache type with operations `ops', overwriting any
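Review bot: The new overview comment describes the FILE type as "Store the credential in memory", the same text as MEMORY, which looks like a copy-paste slip. It matters to readers deciding where tickets end up, since a file-backed cache persists on disk and depends on file permissions. Suggested wording: `Store the credential in a file` under `- FILE`, and "Heimdal supports the following types of credential caches" for the sentence above the list. The klist example also passes `principal` to `printf` without checking the result of `krb5_unparse_name`, which is worth fixing in sample code that people copy.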
@@ -44,43 +109,44 @@ RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $");
* @param override flag to select if the registration is to overide
* an existing ops with the same name.
*
- * @return Return an error code or 0.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_register(krb5_context context,
- const krb5_cc_ops *ops,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_register(krb5_context context,
+ const krb5_cc_ops *ops,
krb5_boolean override)
{
int i;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
if(!override) {
- krb5_set_error_string(context,
- "ccache type %s already exists",
- ops->prefix);
+ krb5_set_error_message(context,
+ KRB5_CC_TYPE_EXISTS,
+ N_("cache type %s already exists", "type"),
+ ops->prefix);
return KRB5_CC_TYPE_EXISTS;
}
break;
}
}
if(i == context->num_cc_ops) {
- krb5_cc_ops *o = realloc(context->cc_ops,
- (context->num_cc_ops + 1) *
- sizeof(*context->cc_ops));
+ const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
+ (context->num_cc_ops + 1) *
+ sizeof(context->cc_ops[0]));
if(o == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
- context->num_cc_ops++;
context->cc_ops = o;
- memset(context->cc_ops + i, 0,
- (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+ context->cc_ops[context->num_cc_ops] = NULL;
+ context->num_cc_ops++;
}
- memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+ context->cc_ops[i] = ops;
return 0;
}
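Review bot: `krb5_cc_register` now stores the caller's pointer (`context->cc_ops[i] = ops;`) instead of copying the structure, so the `krb5_cc_ops` object must outlive the context; an object released earlier would leave a dangling entry in the table. The doc comment above does not mention this change of ownership. Extend the `@param ops` text with `only the pointer is stored; ops must remain valid for the lifetime of context`. The lookup loop also dereferences `context->cc_ops[i]->prefix` without testing the slot, which is fine only as long as every slot below `num_cc_ops` is non-NULL; a one-line comment stating that invariant next to `context->cc_ops[context->num_cc_ops] = NULL;` would make it explicit.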
@@ -90,7 +156,7 @@ krb5_cc_register(krb5_context context,
*/
krb5_error_code
-_krb5_cc_allocate(krb5_context context,
+_krb5_cc_allocate(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
{
@@ -98,7 +164,8 @@ _krb5_cc_allocate(krb5_context context,
p = malloc (sizeof(*p));
if(p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
p->ops = ops;
@@ -119,16 +186,58 @@ allocate_ccache (krb5_context context,
krb5_ccache *id)
{
krb5_error_code ret;
+#ifdef KRB5_USE_PATH_TOKENS
+ char * exp_residual = NULL;
- ret = _krb5_cc_allocate(context, ops, id);
+ ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
if (ret)
return ret;
+
+ residual = exp_residual;
+#endif
+
+ ret = _krb5_cc_allocate(context, ops, id);
+ if (ret) {
+#ifdef KRB5_USE_PATH_TOKENS
+ if (exp_residual)
+ free(exp_residual);
+#endif
+ return ret;
+ }
+
ret = (*id)->ops->resolve(context, id, residual);
- if(ret)
+ if(ret) {
free(*id);
+ *id = NULL;
+ }
+
+#ifdef KRB5_USE_PATH_TOKENS
+ if (exp_residual)
+ free(exp_residual);
+#endif
+
return ret;
}
+static int
+is_possible_path_name(const char * name)
+{
+ const char * colon;
+
+ if ((colon = strchr(name, ':')) == NULL)
+ return TRUE;
+
+#ifdef _WIN32
+ /* <drive letter>:\path\to\cache ? */
+
+ if (colon == name + 1 &&
+ strchr(colon + 1, ':') == NULL)
+ return TRUE;
+#endif
+
+ return FALSE;
+}
+
/**
* Find and allocate a ccache in `id' from the specification in `residual'.
* If the ccache name doesn't contain any colon, interpret it as a file name.
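Review bot: Under `_WIN32`, `is_possible_path_name` accepts any name whose first colon is at index 1 (`colon == name + 1`) without checking that `name[0]` is a drive letter. An unknown one-character cache type, such as a digit followed by `:`, is then handed to the FILE backend by `krb5_cc_resolve` instead of producing `KRB5_CC_UNKNOWN_TYPE`. Tightening the test to `if (colon == name + 1 && isalpha((unsigned char)name[0]) && strchr(colon + 1, ':') == NULL)` matches the comment above it. Separately, the `if (exp_residual)` guards before `free(exp_residual)` in `allocate_ccache` are redundant, since `free(NULL)` is a no-op.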
@@ -138,13 +247,13 @@ allocate_ccache (krb5_context context,
* @param id return pointer to a found credential cache.
*
* @return Return 0 or an error code. In case of an error, id is set
- * to NULL.
+ * to NULL, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_resolve(krb5_context context,
const char *name,
krb5_ccache *id)
@@ -153,73 +262,60 @@ krb5_cc_resolve(krb5_context context,
*id = NULL;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- size_t prefix_len = strlen(context->cc_ops[i].prefix);
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ size_t prefix_len = strlen(context->cc_ops[i]->prefix);
- if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+ if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
&& name[prefix_len] == ':') {
- return allocate_ccache (context, &context->cc_ops[i],
+ return allocate_ccache (context, context->cc_ops[i],
name + prefix_len + 1,
id);
}
}
- if (strchr (name, ':') == NULL)
+ if (is_possible_path_name(name))
return allocate_ccache (context, &krb5_fcc_ops, name, id);
else {
- krb5_set_error_string(context, "unknown ccache type %s", name);
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ N_("unknown ccache type %s", "name"), name);
return KRB5_CC_UNKNOWN_TYPE;
}
}
/**
- * Generate a new ccache of type `ops' in `id'.
- *
- * @return Return 0 or an error code.
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_gen_new(krb5_context context,
- const krb5_cc_ops *ops,
- krb5_ccache *id)
-{
- return krb5_cc_new_unique(context, ops->prefix, NULL, id);
-}
-
-/**
* Generates a new unique ccache of `type` in `id'. If `type' is NULL,
* the library chooses the default credential cache type. The supplied
* `hint' (that can be NULL) is a string that the credential cache
* type can use to base the name of the credential on, this is to make
* it easier for the user to differentiate the credentials.
*
- * @return Returns 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_new_unique(krb5_context context, const char *type,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_new_unique(krb5_context context, const char *type,
const char *hint, krb5_ccache *id)
{
- const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+ const krb5_cc_ops *ops;
krb5_error_code ret;
- if (type) {
- ops = krb5_cc_get_prefix_ops(context, type);
- if (ops == NULL) {
- krb5_set_error_string(context,
- "Credential cache type %s is unknown", type);
- return KRB5_CC_UNKNOWN_TYPE;
- }
+ ops = krb5_cc_get_prefix_ops(context, type);
+ if (ops == NULL) {
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "Credential cache type %s is unknown", type);
+ return KRB5_CC_UNKNOWN_TYPE;
}
ret = _krb5_cc_allocate(context, ops, id);
if (ret)
return ret;
- return (*id)->ops->gen_new(context, id);
+ ret = (*id)->ops->gen_new(context, id);
+ if (ret) {
+ free(*id);
+ *id = NULL;
+ }
+ return ret;
}
/**
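Review bot: In `krb5_cc_new_unique`, a NULL result from `krb5_cc_get_prefix_ops` is always reported as `KRB5_CC_UNKNOWN_TYPE`, but that helper also returns NULL when its `strdup` fails (it sets an ENOMEM message, see the later hunk), so an out-of-memory condition is relabelled as an unknown type and the original message is overwritten. The same pattern appears in the `default_cc_type` lookup added to `krb5_cc_set_default_name`. A comment on the `ops == NULL` branch, such as `/* also reached on ENOMEM inside krb5_cc_get_prefix_ops */`, would at least record this until the helper can report the two cases separately. The message here is also the only one in this hunk not wrapped in `N_()`; `N_("Credential cache type %s is unknown", "type")` would match the others.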
@@ -229,7 +325,7 @@ krb5_cc_new_unique(krb5_context context, const char *type,
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name(krb5_context context,
krb5_ccache id)
{
@@ -243,7 +339,7 @@ krb5_cc_get_name(krb5_context context,
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_type(krb5_context context,
krb5_ccache id)
{
@@ -251,15 +347,19 @@ krb5_cc_get_type(krb5_context context,
}
/**
- * Return the complete resolvable name the ccache `id' in `str´.
- * `str` should be freed with free(3).
- * Returns 0 or an error (and then *str is set to NULL).
+ * Return the complete resolvable name the cache
+
+ * @param context a Keberos context
+ * @param id return pointer to a found credential cache
+ * @param str the returned name of a credential cache, free with krb5_xfree()
+ *
+ * @return Returns 0 or an error (and then *str is set to NULL).
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_full_name(krb5_context context,
krb5_ccache id,
char **str)
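Review bot: The rewritten doc comment for `krb5_cc_get_full_name` describes `@param id` as "return pointer to a found credential cache", although `id` is the input cache here; that text looks copied from `krb5_cc_resolve`. The summary sentence also stops at "the cache", "Keberos" is misspelled, and the blank line after the summary lacks the leading ` *`. Suggested text: `Return the complete resolvable name of the cache` and `@param id the credential cache to return the name for`.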
@@ -270,18 +370,20 @@ krb5_cc_get_full_name(krb5_context context,
type = krb5_cc_get_type(context, id);
if (type == NULL) {
- krb5_set_error_string(context, "cache have no name of type");
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "cache have no name of type");
return KRB5_CC_UNKNOWN_TYPE;
}
name = krb5_cc_get_name(context, id);
if (name == NULL) {
- krb5_set_error_string(context, "cache of type %s have no name", type);
+ krb5_set_error_message(context, KRB5_CC_BADNAME,
+ "cache of type %s have no name", type);
return KRB5_CC_BADNAME;
}
-
+
if (asprintf(str, "%s:%s", type, name) == -1) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
*str = NULL;
return ENOMEM;
}
@@ -295,7 +397,7 @@ krb5_cc_get_full_name(krb5_context context,
*/
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_ops(krb5_context context, krb5_ccache id)
{
return id->ops;
@@ -308,68 +410,7 @@ krb5_cc_get_ops(krb5_context context, krb5_ccache id)
krb5_error_code
_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
{
- size_t tlen, len = 0;
- char *tmp, *tmp2, *append;
-
- *res = NULL;
-
- while (str && *str) {
- tmp = strstr(str, "%{");
- if (tmp && tmp != str) {
- append = malloc((tmp - str) + 1);
- if (append) {
- memcpy(append, str, tmp - str);
- append[tmp - str] = '\0';
- }
- str = tmp;
- } else if (tmp) {
- tmp2 = strchr(tmp, '}');
- if (tmp2 == NULL) {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "variable missing }");
- return KRB5_CONFIG_BADFORMAT;
- }
- if (strncasecmp(tmp, "%{uid}", 6) == 0)
- asprintf(&append, "%u", (unsigned)getuid());
- else if (strncasecmp(tmp, "%{null}", 7) == 0)
- append = strdup("");
- else {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context,
- "expand default cache unknown "
- "variable \"%.*s\"",
- (int)(tmp2 - tmp) - 2, tmp + 2);
- return KRB5_CONFIG_BADFORMAT;
- }
- str = tmp2 + 1;
- } else {
- append = strdup(str);
- str = NULL;
- }
- if (append == NULL) {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "malloc - out of memory");
- return ENOMEM;
- }
-
- tlen = strlen(append);
- tmp = realloc(*res, len + tlen + 1);
- if (tmp == NULL) {
- free(append);
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "malloc - out of memory");
- return ENOMEM;
- }
- *res = tmp;
- memcpy(*res + len, append, tlen + 1);
- len = len + tlen;
- free(append);
- }
- return 0;
+ return _krb5_expand_path_tokens(context, str, res);
}
/*
@@ -386,6 +427,12 @@ environment_changed(krb5_context context)
if (context->default_cc_name_set)
return 0;
+ /* XXX performance: always ask KCM/API if default name has changed */
+ if (context->default_cc_name &&
+ (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
+ strncmp(context->default_cc_name, "API:", 4) == 0))
+ return 1;
+
if(issuid())
return 0;
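Review bot: The new KCM:/API: check returns 1 ahead of the `issuid()` guard below it, so a set-uid process with such a default name is now told the environment changed on every call. Whether that is safe depends on the re-resolution in `krb5_cc_set_default_name` ignoring the environment for set-uid callers, which is not visible in this hunk. If the ordering is intentional, say so in the comment, for example `/* checked before issuid(): the re-lookup must not trust the environment */`; otherwise move the block below `if(issuid()) return 0;`. `environment_changed` begins and ends outside this hunk.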
@@ -406,17 +453,55 @@ environment_changed(krb5_context context)
}
/**
- * Set the default cc name for `context' to `name'.
+ * Switch the default default credential cache for a specific
+ * credcache type (and name for some implementations).
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_switch(krb5_context context, krb5_ccache id)
+{
+#ifdef _WIN32
+ _krb5_set_default_cc_name_to_registry(context, id);
+#endif
+
+ if (id->ops->set_default == NULL)
+ return 0;
+
+ return (*id->ops->set_default)(context, id);
+}
+
+/**
+ * Return true if the default credential cache support switch
+ *
+ * @ingroup krb5_ccache
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_cc_support_switch(krb5_context context, const char *type)
+{
+ const krb5_cc_ops *ops;
+
+ ops = krb5_cc_get_prefix_ops(context, type);
+ if (ops && ops->set_default)
+ return 1;
+ return FALSE;
+}
+
+/**
+ * Set the default cc name for `context' to `name'.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code ret = 0;
- char *p;
+ char *p = NULL, *exp_p = NULL;
if (name == NULL) {
const char *e = NULL;
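Review bot: `krb5_cc_support_switch` mixes `return 1;` with `return FALSE;` for a `krb5_boolean` result; `return TRUE;` would match `is_possible_path_name` added earlier in this file. In `krb5_cc_switch` the `_WIN32` call to `_krb5_set_default_cc_name_to_registry(context, id)` has its result dropped, so if that helper can fail, the switch is reported as successful while the registry may still name the old cache; a comment stating that the call is best-effort would make the intent clear. The doc comment for `krb5_cc_switch` also reads "default default credential cache".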
@@ -430,6 +515,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
context->default_cc_name_env = strdup(e);
}
}
+
+#ifdef _WIN32
+ if (e == NULL) {
+ e = p = _krb5_get_default_cc_name_from_registry(context);
+ }
+#endif
if (e == NULL) {
e = krb5_config_get_string(context, NULL, "libdefaults",
"default_cc_name", NULL);
@@ -440,7 +531,19 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
}
if (e == NULL) {
const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
- ret = (*ops->default_name)(context, &p);
+ e = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_type", NULL);
+ if (e) {
+ ops = krb5_cc_get_prefix_ops(context, e);
+ if (ops == NULL) {
+ krb5_set_error_message(context,
+ KRB5_CC_UNKNOWN_TYPE,
+ "Credential cache type %s "
+ "is unknown", e);
+ return KRB5_CC_UNKNOWN_TYPE;
+ }
+ }
+ ret = (*ops->get_default_name)(context, &p);
if (ret)
return ret;
}
@@ -452,16 +555,21 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
}
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
+ ret = _krb5_expand_path_tokens(context, p, &exp_p);
+ free(p);
+ if (ret)
+ return ret;
+
if (context->default_cc_name)
free(context->default_cc_name);
- context->default_cc_name = p;
+ context->default_cc_name = exp_p;
- return ret;
+ return 0;
}
/**
@@ -474,7 +582,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_default_name(krb5_context context)
{
if (context->default_cc_name == NULL || environment_changed(context))
@@ -486,20 +594,20 @@ krb5_cc_default_name(krb5_context context)
/**
* Open the default ccache in `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default(krb5_context context,
krb5_ccache *id)
{
const char *p = krb5_cc_default_name(context);
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return krb5_cc_resolve(context, p, id);
@@ -508,13 +616,13 @@ krb5_cc_default(krb5_context context,
/**
* Create a new ccache in `id' for `primary_principal'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
@@ -526,13 +634,13 @@ krb5_cc_initialize(krb5_context context,
/**
* Remove the ccache `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy(krb5_context context,
krb5_ccache id)
{
@@ -546,13 +654,13 @@ krb5_cc_destroy(krb5_context context,
/**
* Stop using the ccache `id' and free the related resources.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_close(krb5_context context,
krb5_ccache id)
{
@@ -565,13 +673,13 @@ krb5_cc_close(krb5_context context,
/**
* Store `creds' in the ccache `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
@@ -584,13 +692,20 @@ krb5_cc_store_cred(krb5_context context,
* from `id' in `creds'. 'creds' must be free by the caller using
* krb5_free_cred_contents.
*
- * @return Return 0 or an error code.
+ * @param context A Kerberos 5 context
+ * @param id a Kerberos 5 credential cache
+ * @param whichfields what fields to use for matching credentials, same
+ * flags as whichfields in krb5_compare_creds()
+ * @param mcreds template credential to use for comparing
+ * @param creds returned credential, free with krb5_free_cred_contents()
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_retrieve_cred(krb5_context context,
krb5_ccache id,
krb5_flags whichfields,
@@ -622,13 +737,13 @@ krb5_cc_retrieve_cred(krb5_context context,
/**
* Return the principal of `id' in `principal'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
@@ -638,15 +753,15 @@ krb5_cc_get_principal(krb5_context context,
/**
* Start iterating over `id', `cursor' is initialized to the
- * beginning.
+ * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_start_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -658,13 +773,13 @@ krb5_cc_start_seq_get (krb5_context context,
* Retrieve the next cred pointed to by (`id', `cursor') in `creds'
* and advance `cursor'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_next_cred (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor,
@@ -674,39 +789,13 @@ krb5_cc_next_cred (krb5_context context,
}
/**
- * Like krb5_cc_next_cred, but allow for selective retrieval
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_next_cred_match(krb5_context context,
- const krb5_ccache id,
- krb5_cc_cursor * cursor,
- krb5_creds * creds,
- krb5_flags whichfields,
- const krb5_creds * mcreds)
-{
- krb5_error_code ret;
- while (1) {
- ret = krb5_cc_next_cred(context, id, cursor, creds);
- if (ret)
- return ret;
- if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
- return 0;
- krb5_free_cred_contents(context, creds);
- }
-}
-
-/**
* Destroy the cursor `cursor'.
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_end_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -721,16 +810,17 @@ krb5_cc_end_seq_get (krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
krb5_creds *cred)
{
if(id->ops->remove_cred == NULL) {
- krb5_set_error_string(context,
- "ccache %s does not support remove_cred",
- id->ops->prefix);
+ krb5_set_error_message(context,
+ EACCES,
+ "ccache %s does not support remove_cred",
+ id->ops->prefix);
return EACCES; /* XXX */
}
return (*id->ops->remove_cred)(context, id, which, cred);
@@ -743,34 +833,61 @@ krb5_cc_remove_cred(krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
return (*id->ops->set_flags)(context, id, flags);
}
-
+
/**
- * Copy the contents of `from' to `to'.
+ * Get the flags of `id', store them in `flags'.
*
* @ingroup krb5_ccache
*/
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_flags(krb5_context context,
+ krb5_ccache id,
+ krb5_flags *flags)
+{
+ *flags = 0;
+ return 0;
+}
+
+/**
+ * Copy the contents of `from' to `to' if the given match function
+ * return true.
+ *
+ * @param context A Kerberos 5 context.
+ * @param from the cache to copy data from.
+ * @param to the cache to copy data to.
+ * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
+ * @param matchctx context passed to match function.
+ * @param matched set to true if there was a credential that matched, may be NULL.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_copy_cache_match(krb5_context context,
- const krb5_ccache from,
- krb5_ccache to,
- krb5_flags whichfields,
- const krb5_creds * mcreds,
- unsigned int *matched)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_copy_match_f(krb5_context context,
+ const krb5_ccache from,
+ krb5_ccache to,
+ krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
+ void *matchctx,
+ unsigned int *matched)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
krb5_principal princ;
+ if (matched)
+ *matched = 0;
+
ret = krb5_cc_get_principal(context, from, &princ);
if (ret)
return ret;
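Review bot: `krb5_cc_get_flags` is documented as "Get the flags of `id'" but never looks at `id`: it stores 0 in `*flags` and returns success. A caller that saves flags with it and later restores them through `krb5_cc_set_flags` would silently clear whatever had been set. Either document the stub, for example `Not implemented: always stores 0 in flags and returns 0.`, or return an error until the backends provide a hook for it.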
@@ -784,34 +901,36 @@ krb5_cc_copy_cache_match(krb5_context context,
krb5_free_principal(context, princ);
return ret;
}
- if (matched)
- *matched = 0;
- while (ret == 0 &&
- krb5_cc_next_cred_match(context, from, &cursor, &cred,
- whichfields, mcreds) == 0) {
- if (matched)
- (*matched)++;
- ret = krb5_cc_store_cred(context, to, &cred);
- krb5_free_cred_contents(context, &cred);
+
+ while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
+ if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
+ if (matched)
+ (*matched)++;
+ ret = krb5_cc_store_cred(context, to, &cred);
+ if (ret)
+ break;
+ }
+ krb5_free_cred_contents(context, &cred);
}
krb5_cc_end_seq_get(context, from, &cursor);
krb5_free_principal(context, princ);
+ if (ret == KRB5_CC_END)
+ ret = 0;
return ret;
}
/**
- * Just like krb5_cc_copy_cache_match, but copy everything.
+ * Just like krb5_cc_copy_match_f(), but copy everything.
*
- * @ingroup krb5_ccache
+ * @ingroup @krb5_ccache
*/
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_copy_cache(krb5_context context,
const krb5_ccache from,
krb5_ccache to)
{
- return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
+ return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
}
/**
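Review bot: The copy loop tests `(*match)(context, matchctx, &cred) == 0`, which copies a credential when the callback returns false, while the doc comment added in the previous hunk says match "should return TRUE if cred argument should be copied". One of the two is inverted; if the documentation is the contract, the condition should read `if (match == NULL || (*match)(context, matchctx, &cred)) {`. In the same loop the `break` after a failed `krb5_cc_store_cred` skips `krb5_free_cred_contents(context, &cred)`, leaking a credential that carries key material; move the `if (ret) break;` to just after the `krb5_free_cred_contents` call. The doc line `@ingroup @krb5_ccache` further down has a stray `@`. `krb5_cc_copy_match_f` starts outside this hunk.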
@@ -821,7 +940,7 @@ krb5_cc_copy_cache(krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_version(krb5_context context,
const krb5_ccache id)
{
@@ -838,7 +957,7 @@ krb5_cc_get_version(krb5_context context,
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_cc_clear_mcred(krb5_creds *mcred)
{
memset(mcred, 0, sizeof(*mcred));
@@ -846,37 +965,41 @@ krb5_cc_clear_mcred(krb5_creds *mcred)
/**
* Get the cc ops that is registered in `context' to handle the
- * `prefix'. `prefix' can be a complete credential cache name or a
+ * prefix. prefix can be a complete credential cache name or a
* prefix, the function will only use part up to the first colon (:)
- * if there is one.
- * Returns NULL if ops not found.
+ * if there is one. If prefix the argument is NULL, the default ccache
+ * implemtation is returned.
+ *
+ * @return Returns NULL if ops not found.
*
* @ingroup krb5_ccache
*/
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
{
char *p, *p1;
int i;
-
+
+ if (prefix == NULL)
+ return KRB5_DEFAULT_CCTYPE;
if (prefix[0] == '/')
return &krb5_fcc_ops;
p = strdup(prefix);
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return NULL;
}
p1 = strchr(p, ':');
if (p1)
*p1 = '\0';
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, p) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
free(p);
- return &context->cc_ops[i];
+ return context->cc_ops[i];
}
}
free(p);
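Review bot: The sentence added to the doc comment, `If prefix the argument is NULL, the default ccache implemtation is returned`, is garbled and misspelled; suggest `If the prefix argument is NULL, the default ccache implementation is returned.` The new `@return` line could also say that NULL is returned when the `strdup()` of the prefix fails, since callers cannot tell that case from an unknown prefix. The function's tail is outside this hunk.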
@@ -889,16 +1012,20 @@ struct krb5_cc_cache_cursor_data {
};
/**
- * Start iterating over all caches of `type'. If `type' is NULL, the
- * default type is * used. `cursor' is initialized to the beginning.
+ * Start iterating over all caches of specified type. See also
+ * krb5_cccol_cursor_new().
+
+ * @param context A Kerberos 5 context
+ * @param type optional type to iterate over, if NULL, the default cache is used.
+ * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_get_first (krb5_context context,
const char *type,
krb5_cc_cache_cursor *cursor)
@@ -911,20 +1038,23 @@ krb5_cc_cache_get_first (krb5_context context,
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
- krb5_set_error_string(context, "Unknown type \"%s\" when iterating "
- "trying to iterate the credential caches", type);
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "Unknown type \"%s\" when iterating "
+ "trying to iterate the credential caches", type);
return KRB5_CC_UNKNOWN_TYPE;
}
if (ops->get_cache_first == NULL) {
- krb5_set_error_string(context, "Credential cache type %s doesn't support "
- "iterations over caches", ops->prefix);
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Credential cache type %s doesn't support "
+ "iterations over caches", "type"),
+ ops->prefix);
return KRB5_CC_NOSUPP;
}
*cursor = calloc(1, sizeof(**cursor));
if (*cursor == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
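Review bot: The `KRB5_CC_UNKNOWN_TYPE` message is passed to `krb5_set_error_message()` as a bare literal, while the other two messages converted in this hunk are wrapped in `N_()`, so it is the only one left unmarked for translation. Its wording also repeats itself ("when iterating trying to iterate"). Suggest `N_("Unknown type \"%s\" when iterating the credential caches", "type")`. The function body starts and ends outside the hunk.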
@@ -942,13 +1072,18 @@ krb5_cc_cache_get_first (krb5_context context,
* Retrieve the next cache pointed to by (`cursor') in `id'
* and advance `cursor'.
*
- * @return Return 0 or an error code.
+ * @param context A Kerberos 5 context
+ * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
+ * @param id next ccache
+ *
+ * @return Return 0 or an error code. Returns KRB5_CC_END when the end
+ * of caches is reached, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_next (krb5_context context,
krb5_cc_cache_cursor cursor,
krb5_ccache *id)
@@ -959,13 +1094,13 @@ krb5_cc_cache_next (krb5_context context,
/**
* Destroy the cursor `cursor'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_end_seq_get (krb5_context context,
krb5_cc_cache_cursor cursor)
{
@@ -977,10 +1112,13 @@ krb5_cc_cache_end_seq_get (krb5_context context,
}
/**
- * Search for a matching credential cache of type `type' that have the
- * `principal' as the default principal. If NULL is used for `type',
- * the default type is used. On success, `id' needs to be freed with
- * krb5_cc_close or krb5_cc_destroy.
+ * Search for a matching credential cache that have the
+ * `principal' as the default principal. On success, `id' needs to be
+ * freed with krb5_cc_close() or krb5_cc_destroy().
+ *
+ * @param context A Kerberos 5 context
+ * @param client The principal to search for
+ * @param id the returned credential cache
*
* @return On failure, error code is returned and `id' is set to NULL.
*
@@ -988,29 +1126,28 @@ krb5_cc_cache_end_seq_get (krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_match (krb5_context context,
krb5_principal client,
- const char *type,
krb5_ccache *id)
{
- krb5_cc_cache_cursor cursor;
+ krb5_cccol_cursor cursor;
krb5_error_code ret;
krb5_ccache cache = NULL;
*id = NULL;
- ret = krb5_cc_cache_get_first (context, type, &cursor);
+ ret = krb5_cccol_cursor_new (context, &cursor);
if (ret)
return ret;
- while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) {
+ while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
krb5_principal principal;
ret = krb5_cc_get_principal(context, cache, &principal);
if (ret == 0) {
krb5_boolean match;
-
+
match = krb5_principal_compare(context, principal, client);
krb5_free_principal(context, principal);
if (match)
@@ -1021,15 +1158,17 @@ krb5_cc_cache_match (krb5_context context,
cache = NULL;
}
- krb5_cc_cache_end_seq_get(context, cursor);
+ krb5_cccol_cursor_free(context, &cursor);
if (cache == NULL) {
char *str;
krb5_unparse_name(context, client, &str);
- krb5_set_error_string(context, "Principal %s not found in a "
- "credential cache", str ? str : "<out of memory>");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("Principal %s not found in any "
+ "credential cache", ""),
+ str ? str : "<out of memory>");
if (str)
free(str);
return KRB5_CC_NOTFOUND;
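Review bot: The new `krb5_set_error_message()` call tests `str ? str : "<out of memory>"`, but `str` is declared without an initializer and the return value of `krb5_unparse_name()` is ignored. Unless `krb5_unparse_name()` is guaranteed to store NULL on failure (not visible here), the test reads an indeterminate pointer, which is then formatted and passed to `free()`. Declaring it as `char *str = NULL;` makes the fallback reliable. The function begins in an earlier hunk and its tail is outside this one.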
@@ -1041,26 +1180,27 @@ krb5_cc_cache_match (krb5_context context,
/**
* Move the content from one credential cache to another. The
- * operation is an atomic switch.
+ * operation is an atomic switch.
*
* @param context a Keberos context
* @param from the credential cache to move the content from
* @param to the credential cache to move the content to
* @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated.
+ * returned and from and to are both still allocated, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret;
if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
- krb5_set_error_string(context, "Moving credentials between diffrent "
- "types not yet supported");
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Moving credentials between diffrent "
+ "types not yet supported", ""));
return KRB5_CC_NOSUPP;
}
@@ -1071,3 +1211,553 @@ krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
return ret;
}
+
+#define KRB5_CONF_NAME "krb5_ccache_conf_data"
+#define KRB5_REALM_NAME "X-CACHECONF:"
+
+static krb5_error_code
+build_conf_principals(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_creds *cred)
+{
+ krb5_principal client;
+ krb5_error_code ret;
+ char *pname = NULL;
+
+ memset(cred, 0, sizeof(*cred));
+
+ ret = krb5_cc_get_principal(context, id, &client);
+ if (ret)
+ return ret;
+
+ if (principal) {
+ ret = krb5_unparse_name(context, principal, &pname);
+ if (ret)
+ return ret;
+ }
+
+ ret = krb5_make_principal(context, &cred->server,
+ KRB5_REALM_NAME,
+ KRB5_CONF_NAME, name, pname, NULL);
+ free(pname);
+ if (ret) {
+ krb5_free_principal(context, client);
+ return ret;
+ }
+ ret = krb5_copy_principal(context, client, &cred->client);
+ krb5_free_principal(context, client);
+ return ret;
+}
+
+/**
+ * Return TRUE (non zero) if the principal is a configuration
+ * principal (generated part of krb5_cc_set_config()). Returns FALSE
+ * (zero) if not a configuration principal.
+ *
+ * @param context a Keberos context
+ * @param principal principal to check if it a configuration principal
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_config_principal(krb5_context context,
+ krb5_const_principal principal)
+{
+ if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
+ return FALSE;
+
+ if (principal->name.name_string.len == 0 ||
+ strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
+/**
+ * Store some configuration for the credential cache in the cache.
+ * Existing configuration under the same name is over-written.
+ *
+ * @param context a Keberos context
+ * @param id the credential cache to store the data for
+ * @param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * @param name name under which the configuraion is stored.
+ * @param data data to store, if NULL, configure is removed.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_creds cred;
+
+ ret = build_conf_principals(context, id, principal, name, &cred);
+ if (ret)
+ goto out;
+
+ /* Remove old configuration */
+ ret = krb5_cc_remove_cred(context, id, 0, &cred);
+ if (ret && ret != KRB5_CC_NOTFOUND)
+ goto out;
+
+ if (data) {
+ /* not that anyone care when this expire */
+ cred.times.authtime = time(NULL);
+ cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
+
+ ret = krb5_data_copy(&cred.ticket, data->data, data->length);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+ }
+
+out:
+ krb5_free_cred_contents (context, &cred);
+ return ret;
+}
+
+/**
+ * Get some configuration for the credential cache in the cache.
+ *
+ * @param context a Keberos context
+ * @param id the credential cache to store the data for
+ * @param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * @param name name under which the configuraion is stored.
+ * @param data data to fetched, free with krb5_data_free()
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_data *data)
+{
+ krb5_creds mcred, cred;
+ krb5_error_code ret;
+
+ memset(&cred, 0, sizeof(cred));
+ krb5_data_zero(data);
+
+ ret = build_conf_principals(context, id, principal, name, &mcred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+ if (ret)
+ goto out;
+
+ ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
+
+out:
+ krb5_free_cred_contents (context, &cred);
+ krb5_free_cred_contents (context, &mcred);
+ return ret;
+}
+
+/*
+ *
+ */
+
+struct krb5_cccol_cursor_data {
+ int idx;
+ krb5_cc_cache_cursor cursor;
+};
+
+/**
+ * Get a new cache interation cursor that will interate over all
+ * credentials caches independent of type.
+ *
+ * @param context a Keberos context
+ * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
+ *
+ * @return Returns 0 or and error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
+{
+ *cursor = calloc(1, sizeof(**cursor));
+ if (*cursor == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ (*cursor)->idx = 0;
+ (*cursor)->cursor = NULL;
+
+ return 0;
+}
+
+/**
+ * Get next credential cache from the iteration.
+ *
+ * @param context A Kerberos 5 context
+ * @param cursor the iteration cursor
+ * @param cache the returned cursor, pointer is set to NULL on failure
+ * and a cache on success. The returned cache needs to be freed
+ * with krb5_cc_close() or destroyed with krb5_cc_destroy().
+ * MIT Kerberos behavies slightly diffrent and sets cache to NULL
+ * when all caches are iterated over and return 0.
+ *
+ * @return Return 0 or and error, KRB5_CC_END is returned at the end
+ * of iteration. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+
+ *cache = NULL;
+
+ while (cursor->idx < context->num_cc_ops) {
+
+ if (cursor->cursor == NULL) {
+ ret = krb5_cc_cache_get_first (context,
+ context->cc_ops[cursor->idx]->prefix,
+ &cursor->cursor);
+ if (ret) {
+ cursor->idx++;
+ continue;
+ }
+ }
+ ret = krb5_cc_cache_next(context, cursor->cursor, cache);
+ if (ret == 0)
+ break;
+
+ krb5_cc_cache_end_seq_get(context, cursor->cursor);
+ cursor->cursor = NULL;
+ if (ret != KRB5_CC_END)
+ break;
+
+ cursor->idx++;
+ }
+ if (cursor->idx >= context->num_cc_ops) {
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Reached end of credential caches", ""));
+ return KRB5_CC_END;
+ }
+
+ return 0;
+}
+
+/**
+ * End an iteration and free all resources, can be done before end is reached.
+ *
+ * @param context A Kerberos 5 context
+ * @param cursor the iteration cursor to be freed.
+ *
+ * @return Return 0 or and error, KRB5_CC_END is returned at the end
+ * of iteration. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
+{
+ krb5_cccol_cursor c = *cursor;
+
+ *cursor = NULL;
+ if (c) {
+ if (c->cursor)
+ krb5_cc_cache_end_seq_get(context, c->cursor);
+ free(c);
+ }
+ return 0;
+}
+
+/**
+ * Return the last time the credential cache was modified.
+ *
+ * @param context A Kerberos 5 context
+ * @param id The credential cache to probe
+ * @param mtime the last modification time, set to 0 on error.
+
+ * @return Return 0 or and error. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_last_change_time(krb5_context context,
+ krb5_ccache id,
+ krb5_timestamp *mtime)
+{
+ *mtime = 0;
+ return (*id->ops->lastchange)(context, id, mtime);
+}
+
+/**
+ * Return the last modfication time for a cache collection. The query
+ * can be limited to a specific cache type. If the function return 0
+ * and mtime is 0, there was no credentials in the caches.
+ *
+ * @param context A Kerberos 5 context
+ * @param type The credential cache to probe, if NULL, all type are traversed.
+ * @param mtime the last modification time, set to 0 on error.
+
+ * @return Return 0 or and error. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_last_change_time(krb5_context context,
+ const char *type,
+ krb5_timestamp *mtime)
+{
+ krb5_cccol_cursor cursor;
+ krb5_error_code ret;
+ krb5_ccache id;
+ krb5_timestamp t = 0;
+
+ *mtime = 0;
+
+ ret = krb5_cccol_cursor_new (context, &cursor);
+ if (ret)
+ return ret;
+
+ while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
+
+ if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
+ continue;
+
+ ret = krb5_cc_last_change_time(context, id, &t);
+ krb5_cc_close(context, id);
+ if (ret)
+ continue;
+ if (t > *mtime)
+ *mtime = t;
+ }
+
+ krb5_cccol_cursor_free(context, &cursor);
+
+ return 0;
+}
+/**
+ * Return a friendly name on credential cache. Free the result with krb5_xfree().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_friendly_name(krb5_context context,
+ krb5_ccache id,
+ char **name)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
+ if (ret) {
+ krb5_principal principal;
+ ret = krb5_cc_get_principal(context, id, &principal);
+ if (ret)
+ return ret;
+ ret = krb5_unparse_name(context, principal, name);
+ krb5_free_principal(context, principal);
+ } else {
+ ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
+ krb5_data_free(&data);
+ if (ret <= 0) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ } else
+ ret = 0;
+ }
+
+ return ret;
+}
+
+/**
+ * Set the friendly name on credential cache.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_friendly_name(krb5_context context,
+ krb5_ccache id,
+ const char *name)
+{
+ krb5_data data;
+
+ data.data = rk_UNCONST(name);
+ data.length = strlen(name);
+
+ return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
+}
+
+/**
+ * Get the lifetime of the initial ticket in the cache
+ *
+ * Get the lifetime of the initial ticket in the cache, if the initial
+ * ticket was not found, the error code KRB5_CC_END is returned.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param t the relative lifetime of the initial ticket
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
+{
+ krb5_cc_cursor cursor;
+ krb5_error_code ret;
+ krb5_creds cred;
+ time_t now;
+
+ *t = 0;
+ now = time(NULL);
+
+ ret = krb5_cc_start_seq_get(context, id, &cursor);
+ if (ret)
+ return ret;
+
+ while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
+ if (cred.flags.b.initial) {
+ if (now < cred.times.endtime)
+ *t = cred.times.endtime - now;
+ krb5_free_cred_contents(context, &cred);
+ break;
+ }
+ krb5_free_cred_contents(context, &cred);
+ }
+
+ krb5_cc_end_seq_get(context, id, &cursor);
+
+ return ret;
+}
+
+/**
+ * Set the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
+{
+ if (id->ops->set_kdc_offset == NULL) {
+ context->kdc_sec_offset = offset;
+ context->kdc_usec_offset = 0;
+ return 0;
+ }
+ return (*id->ops->set_kdc_offset)(context, id, offset);
+}
+
+/**
+ * Get the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
+{
+ if (id->ops->get_kdc_offset == NULL) {
+ *offset = context->kdc_sec_offset;
+ return 0;
+ }
+ return (*id->ops->get_kdc_offset)(context, id, offset);
+}
+
+
+#ifdef _WIN32
+
+#define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
+char *
+_krb5_get_default_cc_name_from_registry(krb5_context context)
+{
+ HKEY hk_k5 = 0;
+ LONG code;
+ char * ccname = NULL;
+
+ code = RegOpenKeyEx(HKEY_CURRENT_USER,
+ REGPATH_MIT_KRB5,
+ 0, KEY_READ, &hk_k5);
+
+ if (code != ERROR_SUCCESS)
+ return NULL;
+
+ ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
+ REG_NONE, 0);
+
+ RegCloseKey(hk_k5);
+
+ return ccname;
+}
+
+int
+_krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
+{
+ HKEY hk_k5 = 0;
+ LONG code;
+ int ret = -1;
+ char * ccname = NULL;
+
+ code = RegOpenKeyEx(HKEY_CURRENT_USER,
+ REGPATH_MIT_KRB5,
+ 0, KEY_READ|KEY_WRITE, &hk_k5);
+
+ if (code != ERROR_SUCCESS)
+ return -1;
+
+ ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
+ if (ret < 0)
+ goto cleanup;
+
+ ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
+ REG_SZ, ccname, -1, 0);
+
+ cleanup:
+
+ if (ccname)
+ free(ccname);
+
+ RegCloseKey(hk_k5);
+
+ return ret;
+}
+
+#endif
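Review bot: Two of the added functions leak on an early exit. In `build_conf_principals()` the `return ret;` after a failed `krb5_unparse_name()` skips `krb5_free_principal(context, client)`. In `krb5_cccol_last_change_time()` the `continue` taken on a type mismatch skips `krb5_cc_close(context, id)`, so every non-matching cache handle returned by `krb5_cccol_cursor_next()` stays open. Suggested: `if (ret) { krb5_free_principal(context, client); return ret; }` in the first, and `if (type && strcmp(krb5_cc_get_type(context, id), type) != 0) { krb5_cc_close(context, id); continue; }` in the second. `krb5_cc_get_friendly_name()` also treats an `asprintf()` result of 0 (an empty stored name) as out of memory and returns `ENOMEM` with `*name` still allocated.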
diff --git a/crypto/heimdal/lib/krb5/ccache_plugin.h b/crypto/heimdal/lib/krb5/ccache_plugin.h
new file mode 100644
index 000000000000..f6871d65d16b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/ccache_plugin.h
@@ -0,0 +1,39 @@
+/***********************************************************************
+ * Copyright (c) 2010, Secure Endpoints Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **********************************************************************/
+
+#ifndef HEIMDAL_KRB5_CCACHE_PLUGIN_H
+#define HEIMDAL_KRB5_CCACHE_PLUGIN_H 1
+
+#include <krb5.h>
+
+#define KRB5_PLUGIN_CCACHE "ccache_ops"
+
+#endif /* HEIMDAL_KRB5_CCACHE_PLUGIN_H */
diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c
index 703cf43eb6fb..1e7cd0d464f0 100644
--- a/crypto/heimdal/lib/krb5/changepw.c
+++ b/crypto/heimdal/lib/krb5/changepw.c
@@ -1,39 +1,41 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
+
+#undef __attribute__
+#define __attribute__(X)
-RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
static void
str2data (krb5_data *d,
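Review bot: The added `#undef __attribute__` / `#define __attribute__(X)` pair erases every attribute for the rest of this file and carries no comment saying why. If `str2data()` or any later declaration has a printf-style format attribute (not visible in this hunk), the compiler stops checking its format arguments, in a file that formats host names and reply lengths into messages. Suggest a comment such as `/* attributes are stripped below because <reason>; format checking is off from here on */`, or restricting the override to the one declaration that needs it.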
@@ -57,7 +59,7 @@ str2data (krb5_data *d,
/*
* Change password protocol defined by
* draft-ietf-cat-kerb-chg-password-02.txt
- *
+ *
* Share the response part of the protocol with MS set password
* (RFC3244)
*/
@@ -68,7 +70,7 @@ chgpw_send_request (krb5_context context,
krb5_creds *creds,
krb5_principal targprinc,
int is_stream,
- int sock,
+ rk_socket_t sock,
const char *passwd,
const char *host)
{
@@ -78,7 +80,6 @@ chgpw_send_request (krb5_context context,
krb5_data passwd_data;
size_t len;
u_char header[6];
- u_char *p;
struct iovec iov[3];
struct msghdr msghdr;
@@ -114,13 +115,12 @@ chgpw_send_request (krb5_context context,
goto out2;
len = 6 + ap_req_data.length + krb_priv_data.length;
- p = header;
- *p++ = (len >> 8) & 0xFF;
- *p++ = (len >> 0) & 0xFF;
- *p++ = 0;
- *p++ = 1;
- *p++ = (ap_req_data.length >> 8) & 0xFF;
- *p++ = (ap_req_data.length >> 0) & 0xFF;
+ header[0] = (len >> 8) & 0xFF;
+ header[1] = (len >> 0) & 0xFF;
+ header[2] = 0;
+ header[3] = 1;
+ header[4] = (ap_req_data.length >> 8) & 0xFF;
+ header[5] = (ap_req_data.length >> 0) & 0xFF;
memset(&msghdr, 0, sizeof(msghdr));
msghdr.msg_name = NULL;
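Review bot: `header[0]`/`header[1]` carry only the low 16 bits of `len`, and `header[4]`/`header[5]` the low 16 bits of `ap_req_data.length`, with no check in this hunk that either value fits in 16 bits. If the encoded AP-REQ plus KRB-PRIV ever exceeds that, the length field silently disagrees with the bytes handed to `sendmsg()`. A guard before filling the header, `if (len > 0xFFFF) { ret = ERANGE; goto out2; }`, would make the limit explicit; whether `out2` is the right cleanup label should be confirmed, since the function starts and ends outside the hunk.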
@@ -139,9 +139,10 @@ chgpw_send_request (krb5_context context,
iov[2].iov_base = krb_priv_data.data;
iov[2].iov_len = krb_priv_data.length;
- if (sendmsg (sock, &msghdr, 0) < 0) {
- ret = errno;
- krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
+ if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
+ ret = rk_SOCK_ERRNO;
+ krb5_set_error_message(context, ret, "sendmsg %s: %s",
+ host, strerror(ret));
}
krb5_data_free (&krb_priv_data);
@@ -161,7 +162,7 @@ setpw_send_request (krb5_context context,
krb5_creds *creds,
krb5_principal targprinc,
int is_stream,
- int sock,
+ rk_socket_t sock,
const char *passwd,
const char *host)
{
@@ -170,7 +171,7 @@ setpw_send_request (krb5_context context,
krb5_data krb_priv_data;
krb5_data pwd_data;
ChangePasswdDataMS chpw;
- size_t len;
+ size_t len = 0;
u_char header[4 + 6];
u_char *p;
struct iovec iov[3];
@@ -196,7 +197,7 @@ setpw_send_request (krb5_context context,
chpw.targname = NULL;
chpw.targrealm = NULL;
}
-
+
ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
&chpw, &len, ret);
if (ret) {
@@ -226,7 +227,7 @@ setpw_send_request (krb5_context context,
*p++ = 0xff;
*p++ = 0x80;
*p++ = (ap_req_data.length >> 8) & 0xFF;
- *p++ = (ap_req_data.length >> 0) & 0xFF;
+ *p = (ap_req_data.length >> 0) & 0xFF;
memset(&msghdr, 0, sizeof(msghdr));
msghdr.msg_name = NULL;
@@ -248,9 +249,10 @@ setpw_send_request (krb5_context context,
iov[2].iov_base = krb_priv_data.data;
iov[2].iov_len = krb_priv_data.length;
- if (sendmsg (sock, &msghdr, 0) < 0) {
- ret = errno;
- krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
+ if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
+ ret = rk_SOCK_ERRNO;
+ krb5_set_error_message(context, ret, "sendmsg %s: %s",
+ host, strerror(ret));
}
krb5_data_free (&krb_priv_data);
@@ -264,7 +266,7 @@ static krb5_error_code
process_reply (krb5_context context,
krb5_auth_context auth_context,
int is_stream,
- int sock,
+ rk_socket_t sock,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string,
@@ -272,7 +274,7 @@ process_reply (krb5_context context,
{
krb5_error_code ret;
u_char reply[1024 * 3];
- ssize_t len;
+ size_t len;
uint16_t pkt_len, pkt_ver;
krb5_data ap_rep_data;
int save_errno;
@@ -282,15 +284,16 @@ process_reply (krb5_context context,
while (len < sizeof(reply)) {
unsigned long size;
- ret = recvfrom (sock, reply + len, sizeof(reply) - len,
+ ret = recvfrom (sock, reply + len, sizeof(reply) - len,
0, NULL, NULL);
- if (ret < 0) {
- save_errno = errno;
- krb5_set_error_string(context, "recvfrom %s: %s",
- host, strerror(save_errno));
+ if (rk_IS_SOCKET_ERROR(ret)) {
+ save_errno = rk_SOCK_ERRNO;
+ krb5_set_error_message(context, save_errno,
+ "recvfrom %s: %s",
+ host, strerror(save_errno));
return save_errno;
} else if (ret == 0) {
- krb5_set_error_string(context, "recvfrom timeout %s", host);
+ krb5_set_error_message(context, 1,"recvfrom timeout %s", host);
return 1;
}
len += ret;
@@ -299,21 +302,23 @@ process_reply (krb5_context context,
_krb5_get_int(reply, &size, 4);
if (size + 4 < len)
continue;
- memmove(reply, reply + 4, size);
+ memmove(reply, reply + 4, size);
len = size;
break;
}
if (len == sizeof(reply)) {
- krb5_set_error_string(context, "message too large from %s",
- host);
+ krb5_set_error_message(context, ENOMEM,
+ N_("Message too large from %s", "host"),
+ host);
return ENOMEM;
}
} else {
ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
- if (ret < 0) {
- save_errno = errno;
- krb5_set_error_string(context, "recvfrom %s: %s",
- host, strerror(save_errno));
+ if (rk_IS_SOCKET_ERROR(ret)) {
+ save_errno = rk_SOCK_ERRNO;
+ krb5_set_error_message(context, save_errno,
+ "recvfrom %s: %s",
+ host, strerror(save_errno));
return save_errno;
}
len = ret;
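Review bot: In the stream branch `size` comes from the first four bytes of the peer's reply and is used directly as the length in `memmove(reply, reply + 4, size)`. The only test before it, `if (size + 4 < len) continue;`, does not bound `size` by the bytes received or by `sizeof(reply)`, and it looks inverted, since it keeps reading when more than one message is buffered rather than less. A length prefix larger than the data held in `reply` (declared `u_char reply[1024 * 3]` in an earlier hunk) makes the move read past the buffer and leaves `len` too large for the parsing that follows. Validate first, e.g. `if (size > sizeof(reply) - 4)` treated as a malformed reply, and wait for more data with `if (len < size + 4) continue;`. `process_reply` starts and continues outside this hunk, so any check just above these lines is not visible.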
@@ -321,7 +326,7 @@ process_reply (krb5_context context,
if (len < 6) {
str2data (result_string, "server %s sent to too short message "
- "(%ld bytes)", host, (long)len);
+ "(%zu bytes)", host, len);
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
}
@@ -352,7 +357,7 @@ process_reply (krb5_context context,
*result_code = (p[0] << 8) | p[1];
if (error.e_data->length == 2)
str2data(result_string, "server only sent error code");
- else
+ else
krb5_data_copy (result_string,
p + 2,
error.e_data->length - 2);
@@ -374,7 +379,7 @@ process_reply (krb5_context context,
ap_rep_data.data = reply + 6;
ap_rep_data.length = (reply[4] << 8) | (reply[5]);
-
+
if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
str2data (result_string, "client: wrong AP len in reply");
*result_code = KRB5_KPASSWD_MALFORMED;
@@ -416,7 +421,7 @@ process_reply (krb5_context context,
}
p = result_code_string->data;
-
+
*result_code = (p[0] << 8) | p[1];
krb5_data_copy (result_string,
(unsigned char*)result_code_string->data + 2,
@@ -426,7 +431,7 @@ process_reply (krb5_context context,
KRB_ERROR error;
size_t size;
u_char *p;
-
+
ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
if (ret) {
return ret;
@@ -457,13 +462,13 @@ typedef krb5_error_code (*kpwd_send_request) (krb5_context,
krb5_creds *,
krb5_principal,
int,
- int,
+ rk_socket_t,
const char *,
const char *);
typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
krb5_auth_context,
int,
- int,
+ rk_socket_t,
int *,
krb5_data *,
krb5_data *,
@@ -478,9 +483,9 @@ static struct kpwd_proc {
kpwd_process_reply process_rep;
} procs[] = {
{
- "MS set password",
+ "MS set password",
SUPPORT_TCP|SUPPORT_UDP,
- setpw_send_request,
+ setpw_send_request,
process_reply
},
{
@@ -489,20 +494,9 @@ static struct kpwd_proc {
chgpw_send_request,
process_reply
},
- { NULL }
+ { NULL, 0, NULL, NULL }
};
-static struct kpwd_proc *
-find_chpw_proto(const char *name)
-{
- struct kpwd_proc *p;
- for (p = procs; p->name != NULL; p++) {
- if (strcmp(p->name, name) == 0)
- return p;
- }
- return NULL;
-}
-
/*
*
*/
@@ -521,8 +515,8 @@ change_password_loop (krb5_context context,
krb5_auth_context auth_context = NULL;
krb5_krbhst_handle handle = NULL;
krb5_krbhst_info *hi;
- int sock;
- int i;
+ rk_socket_t sock;
+ unsigned int i;
int done = 0;
krb5_realm realm;
@@ -568,20 +562,21 @@ change_password_loop (krb5_context context,
for (a = ai; !done && a != NULL; a = a->ai_next) {
int replied = 0;
- sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (sock < 0)
+ sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
+ if (rk_IS_BAD_SOCKET(sock))
continue;
+ rk_cloexec(sock);
ret = connect(sock, a->ai_addr, a->ai_addrlen);
- if (ret < 0) {
- close (sock);
+ if (rk_IS_SOCKET_ERROR(ret)) {
+ rk_closesocket (sock);
goto out;
}
ret = krb5_auth_con_genaddrs (context, auth_context, sock,
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
if (ret) {
- close (sock);
+ rk_closesocket (sock);
goto out;
}
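Review bot: When `connect` fails, `ret` still holds connect()'s own return value, and `goto out` returns it as the function's krb5_error_code. The `out:` path in a later hunk now ends in a plain `return ret;` and sets no error message for that value. Capture the socket error before closing, `ret = rk_SOCK_ERRNO;` ahead of `rk_closesocket (sock);`, as process_reply does for recvfrom. The `select` failure path in the hunk at old line 619 has the same shape. The address loop starts and ends outside this hunk.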
@@ -591,7 +586,7 @@ change_password_loop (krb5_context context,
if (!replied) {
replied = 0;
-
+
ret = (*proc->send_req) (context,
&auth_context,
creds,
@@ -601,17 +596,20 @@ change_password_loop (krb5_context context,
newpw,
hi->hostname);
if (ret) {
- close(sock);
+ rk_closesocket(sock);
goto out;
}
}
-
+
+#ifndef NO_LIMIT_FD_SETSIZE
if (sock >= FD_SETSIZE) {
- krb5_set_error_string(context, "fd %d too large", sock);
ret = ERANGE;
- close (sock);
+ krb5_set_error_message(context, ret,
+ "fd %d too large", sock);
+ rk_closesocket (sock);
goto out;
}
+#endif
FD_ZERO(&fdset);
FD_SET(sock, &fdset);
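Review bot: `sock` is now an `rk_socket_t`, but the relocated message still formats it with `%d` in `"fd %d too large", sock`. If rk_socket_t is not `int` on every supported platform, that is a format/argument mismatch in a variadic call. Make the conversion explicit at the call site: `krb5_set_error_message(context, ret, "fd %d too large", (int)sock);`. The enclosing loop body starts and ends outside this hunk.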
@@ -619,8 +617,8 @@ change_password_loop (krb5_context context,
tv.tv_sec = 1 + (1 << i);
ret = select (sock + 1, &fdset, NULL, NULL, &tv);
- if (ret < 0 && errno != EINTR) {
- close(sock);
+ if (rk_IS_SOCKET_ERROR(ret) && rk_SOCK_ERRNO != EINTR) {
+ rk_closesocket(sock);
goto out;
}
if (ret == 1) {
@@ -640,40 +638,60 @@ change_password_loop (krb5_context context,
ret = KRB5_KDC_UNREACH;
}
}
- close (sock);
+ rk_closesocket (sock);
}
}
out:
krb5_krbhst_free (context, handle);
krb5_auth_con_free (context, auth_context);
- if (done)
- return 0;
- else {
- if (ret == KRB5_KDC_UNREACH) {
- krb5_set_error_string(context,
- "unable to reach any changepw server "
- " in realm %s", realm);
- *result_code = KRB5_KPASSWD_HARDERROR;
- }
- return ret;
+
+ if (ret == KRB5_KDC_UNREACH) {
+ krb5_set_error_message(context,
+ ret,
+ N_("Unable to reach any changepw server "
+ " in realm %s", "realm"), realm);
+ *result_code = KRB5_KPASSWD_HARDERROR;
}
+ return ret;
}
+#ifndef HEIMDAL_SMALLER
-/*
- * change the password using the credentials in `creds' (for the
- * principal indicated in them) to `newpw', storing the result of
- * the operation in `result_*' and an error code or 0.
+static struct kpwd_proc *
+find_chpw_proto(const char *name)
+{
+ struct kpwd_proc *p;
+ for (p = procs; p->name != NULL; p++) {
+ if (strcmp(p->name, name) == 0)
+ return p;
+ }
+ return NULL;
+}
+
+/**
+ * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
+ *
+ * @param context a Keberos context
+ * @param creds
+ * @param newpw
+ * @param result_code
+ * @param result_code_string
+ * @param result_string
+ *
+ * @return On sucess password is changed.
+
+ * @ingroup @krb5_deprecated
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password (krb5_context context,
krb5_creds *creds,
const char *newpw,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct kpwd_proc *p = find_chpw_proto("change password");
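Review bot: The deprecation annotation on krb5_change_password carries the placeholder text `"Use X instead"`, although the doc comment added just above it names the replacement. Assuming the macro forwards its argument to the compiler's deprecation diagnostic, callers see the placeholder rather than the function to migrate to; it should read `KRB5_DEPRECATED_FUNCTION("Use krb5_set_password instead")`. The same placeholder is added to every wrapper in codec.c later in this commit. The new doc block also has `Keberos`, `sucess` and a stray `@` in `@ingroup @krb5_deprecated`. The function body continues in the next hunk.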
@@ -684,16 +702,31 @@ krb5_change_password (krb5_context context,
if (p == NULL)
return KRB5_KPASSWD_MALFORMED;
- return change_password_loop(context, creds, NULL, newpw,
- result_code, result_code_string,
+ return change_password_loop(context, creds, NULL, newpw,
+ result_code, result_code_string,
result_string, p);
}
+#endif /* HEIMDAL_SMALLER */
-/*
+/**
+ * Change password using creds.
+ *
+ * @param context a Keberos context
+ * @param creds The initial kadmin/passwd for the principal or an admin principal
+ * @param newpw The new password to set
+ * @param targprinc if unset, the default principal is used.
+ * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
+ * @param result_code_string binary message from the server, contains
+ * at least the result_code.
+ * @param result_string A message from the kpasswd service or the
+ * library in human printable form. The string is NUL terminated.
*
+ * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
+
+ * @ingroup @krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password(krb5_context context,
krb5_creds *creds,
const char *newpw,
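Review bot: The new `@return` line for krb5_set_password runs two conditions together and does not say what a zero return with a non-success `*result_code` means. process_reply, earlier in this file, returns 0 while setting `*result_code = KRB5_KPASSWD_MALFORMED`, so a caller that tests only the return value can treat a rejected change as done. Suggested wording: `@return 0 or an error code; the password has been changed only when the return value is 0 and *result_code is KRB5_KPASSWD_SUCCESS.` `@ingroup @krb5` has a stray `@`, and the empty line before it is missing its leading ` *`. The function body lies in the following hunks.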
@@ -707,8 +740,8 @@ krb5_set_password(krb5_context context,
int i;
*result_code = KRB5_KPASSWD_MALFORMED;
- result_code_string->data = result_string->data = NULL;
- result_code_string->length = result_string->length = 0;
+ krb5_data_zero(result_code_string);
+ krb5_data_zero(result_string);
if (targprinc == NULL) {
ret = krb5_get_default_principal(context, &principal);
@@ -719,9 +752,9 @@ krb5_set_password(krb5_context context,
for (i = 0; procs[i].name != NULL; i++) {
*result_code = 0;
- ret = change_password_loop(context, creds, principal, newpw,
- result_code, result_code_string,
- result_string,
+ ret = change_password_loop(context, creds, principal, newpw,
+ result_code, result_code_string,
+ result_string,
&procs[i]);
if (ret == 0 && *result_code == 0)
break;
@@ -736,7 +769,7 @@ krb5_set_password(krb5_context context,
*
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password_using_ccache(krb5_context context,
krb5_ccache ccache,
const char *newpw,
@@ -762,7 +795,7 @@ krb5_set_password_using_ccache(krb5_context context,
} else
principal = targprinc;
- ret = krb5_make_principal(context, &creds.server,
+ ret = krb5_make_principal(context, &creds.server,
krb5_principal_get_realm(context, principal),
"kadmin", "changepw", NULL);
if (ret)
@@ -788,7 +821,7 @@ krb5_set_password_using_ccache(krb5_context context,
result_code_string,
result_string);
- krb5_free_creds(context, credsp);
+ krb5_free_creds(context, credsp);
return ret;
out:
@@ -801,7 +834,7 @@ krb5_set_password_using_ccache(krb5_context context,
*
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_passwd_result_to_string (krb5_context context,
int result)
{
diff --git a/crypto/heimdal/lib/krb5/codec.c b/crypto/heimdal/lib/krb5/codec.c
index 0d36b4b44268..5e754c60cba7 100644
--- a/crypto/heimdal/lib/krb5/codec.c
+++ b/crypto/heimdal/lib/krb5/codec.c
@@ -1,196 +1,214 @@
/*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: codec.c 13863 2004-05-25 21:46:46Z lha $");
+#ifndef HEIMDAL_SMALLER
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTicketPart (krb5_context context,
const void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTicketPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTicketPart (krb5_context context,
void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTicketPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncASRepPart (krb5_context context,
const void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncASRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncASRepPart (krb5_context context,
void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncASRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTGSRepPart (krb5_context context,
const void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTGSRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTGSRepPart (krb5_context context,
void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTGSRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncAPRepPart (krb5_context context,
const void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncAPRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncAPRepPart (krb5_context context,
void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncAPRepPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_Authenticator (krb5_context context,
const void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_Authenticator(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_Authenticator (krb5_context context,
void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_Authenticator(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncKrbCredPart (krb5_context context,
const void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncKrbCredPart(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncKrbCredPart (krb5_context context,
void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncKrbCredPart (data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO (krb5_context context,
void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO (data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO2 (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO2(data, length, t, len);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO2 (krb5_context context,
void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO2 (data, length, t, len);
}
+
+#endif /* HEIMDAL_SMALLER */
diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c
index ac5eba39dcff..4ac25ae28703 100644
--- a/crypto/heimdal/lib/krb5/config_file.c
+++ b/crypto/heimdal/lib/krb5/config_file.c
@@ -1,40 +1,43 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: config_file.c 19213 2006-12-04 23:36:36Z lha $");
-#ifndef HAVE_NETINFO
+#ifdef __APPLE__
+#include <CoreFoundation/CoreFoundation.h>
+#endif
/* Gaah! I want a portable funopen */
struct fileptr {
@@ -58,7 +61,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr)
p = ptr->s + strcspn(ptr->s, "\n");
if(*p == '\n')
p++;
- l = min(len, p - ptr->s);
+ l = min(len, (size_t)(p - ptr->s));
if(len > 0) {
memcpy(str, ptr->s, l);
str[l] = '\0';
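Review bot: `l` can equal `len`, so `str[l] = '\0'` writes one byte past a `len`-byte buffer whenever the remaining string line is at least `len` characters long; the added cast does not change that. Assuming `len` is the size of `str` (the caller visible later passes `sizeof(buf)`), reserve room for the terminator by computing the bound inside the `len > 0` guard: `l = min(len - 1, (size_t)(p - ptr->s));`. Computing it inside the guard also avoids `len - 1` wrapping when `len` is 0. config_fgets starts and ends outside this hunk.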
@@ -70,23 +73,23 @@ config_fgets(char *str, size_t len, struct fileptr *ptr)
static krb5_error_code parse_section(char *p, krb5_config_section **s,
krb5_config_section **res,
- const char **error_message);
+ const char **err_message);
static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p,
krb5_config_binding **b,
krb5_config_binding **parent,
- const char **error_message);
+ const char **err_message);
static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno,
krb5_config_binding **parent,
- const char **error_message);
+ const char **err_message);
-static krb5_config_section *
-get_entry(krb5_config_section **parent, const char *name, int type)
+krb5_config_section *
+_krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
{
krb5_config_section **q;
for(q = parent; *q != NULL; q = &(*q)->next)
- if(type == krb5_config_list &&
- type == (*q)->type &&
+ if(type == krb5_config_list &&
+ (unsigned)type == (*q)->type &&
strcmp(name, (*q)->name) == 0)
return *q;
*q = calloc(1, sizeof(**q));
@@ -111,28 +114,28 @@ get_entry(krb5_config_section **parent, const char *name, int type)
* a
* }
* ...
- *
+ *
* starting at the line in `p', storing the resulting structure in
* `s' and hooking it into `parent'.
- * Store the error message in `error_message'.
+ * Store the error message in `err_message'.
*/
static krb5_error_code
parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
- const char **error_message)
+ const char **err_message)
{
char *p1;
krb5_config_section *tmp;
p1 = strchr (p + 1, ']');
if (p1 == NULL) {
- *error_message = "missing ]";
+ *err_message = "missing ]";
return KRB5_CONFIG_BADFORMAT;
}
*p1 = '\0';
- tmp = get_entry(parent, p + 1, krb5_config_list);
+ tmp = _krb5_config_get_entry(parent, p + 1, krb5_config_list);
if(tmp == NULL) {
- *error_message = "out of memory";
+ *err_message = "out of memory";
return KRB5_CONFIG_BADFORMAT;
}
*s = tmp;
@@ -142,14 +145,14 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
/*
* Parse a brace-enclosed list from `f', hooking in the structure at
* `parent'.
- * Store the error message in `error_message'.
+ * Store the error message in `err_message'.
*/
static krb5_error_code
parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
- const char **error_message)
+ const char **err_message)
{
- char buf[BUFSIZ];
+ char buf[KRB5_BUFSIZ];
krb5_error_code ret;
krb5_config_binding *b = NULL;
unsigned beg_lineno = *lineno;
@@ -170,12 +173,12 @@ parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
return 0;
if (*p == '\0')
continue;
- ret = parse_binding (f, lineno, p, &b, parent, error_message);
+ ret = parse_binding (f, lineno, p, &b, parent, err_message);
if (ret)
return ret;
}
*lineno = beg_lineno;
- *error_message = "unclosed {";
+ *err_message = "unclosed {";
return KRB5_CONFIG_BADFORMAT;
}
@@ -186,7 +189,7 @@ parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
static krb5_error_code
parse_binding(struct fileptr *f, unsigned *lineno, char *p,
krb5_config_binding **b, krb5_config_binding **parent,
- const char **error_message)
+ const char **err_message)
{
krb5_config_binding *tmp;
char *p1, *p2;
@@ -196,14 +199,14 @@ parse_binding(struct fileptr *f, unsigned *lineno, char *p,
while (*p && *p != '=' && !isspace((unsigned char)*p))
++p;
if (*p == '\0') {
- *error_message = "missing =";
+ *err_message = "missing =";
return KRB5_CONFIG_BADFORMAT;
}
p2 = p;
while (isspace((unsigned char)*p))
++p;
if (*p != '=') {
- *error_message = "missing =";
+ *err_message = "missing =";
return KRB5_CONFIG_BADFORMAT;
}
++p;
@@ -211,16 +214,16 @@ parse_binding(struct fileptr *f, unsigned *lineno, char *p,
++p;
*p2 = '\0';
if (*p == '{') {
- tmp = get_entry(parent, p1, krb5_config_list);
+ tmp = _krb5_config_get_entry(parent, p1, krb5_config_list);
if (tmp == NULL) {
- *error_message = "out of memory";
+ *err_message = "out of memory";
return KRB5_CONFIG_BADFORMAT;
}
- ret = parse_list (f, lineno, &tmp->u.list, error_message);
+ ret = parse_list (f, lineno, &tmp->u.list, err_message);
} else {
- tmp = get_entry(parent, p1, krb5_config_string);
+ tmp = _krb5_config_get_entry(parent, p1, krb5_config_string);
if (tmp == NULL) {
- *error_message = "out of memory";
+ *err_message = "out of memory";
return KRB5_CONFIG_BADFORMAT;
}
p1 = p;
@@ -234,20 +237,120 @@ parse_binding(struct fileptr *f, unsigned *lineno, char *p,
return ret;
}
+#if defined(__APPLE__)
+
+#if MAC_OS_X_VERSION_MIN_REQUIRED >= 1060
+#define HAVE_CFPROPERTYLISTCREATEWITHSTREAM 1
+#endif
+
+static char *
+cfstring2cstring(CFStringRef string)
+{
+ CFIndex len;
+ char *str;
+
+ str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
+ if (str)
+ return strdup(str);
+
+ len = CFStringGetLength(string);
+ len = 1 + CFStringGetMaximumSizeForEncoding(len, kCFStringEncodingUTF8);
+ str = malloc(len);
+ if (str == NULL)
+ return NULL;
+
+ if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
+ free (str);
+ return NULL;
+ }
+ return str;
+}
+
+static void
+convert_content(const void *key, const void *value, void *context)
+{
+ krb5_config_section *tmp, **parent = context;
+ char *k;
+
+ if (CFGetTypeID(key) != CFStringGetTypeID())
+ return;
+
+ k = cfstring2cstring(key);
+ if (k == NULL)
+ return;
+
+ if (CFGetTypeID(value) == CFStringGetTypeID()) {
+ tmp = _krb5_config_get_entry(parent, k, krb5_config_string);
+ tmp->u.string = cfstring2cstring(value);
+ } else if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+ tmp = _krb5_config_get_entry(parent, k, krb5_config_list);
+ CFDictionaryApplyFunction(value, convert_content, &tmp->u.list);
+ } else {
+ /* log */
+ }
+ free(k);
+}
+
+static krb5_error_code
+parse_plist_config(krb5_context context, const char *path, krb5_config_section **parent)
+{
+ CFReadStreamRef s;
+ CFDictionaryRef d;
+ CFURLRef url;
+
+ url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
+ if (url == NULL) {
+ krb5_clear_error_message(context);
+ return ENOMEM;
+ }
+
+ s = CFReadStreamCreateWithFile(kCFAllocatorDefault, url);
+ CFRelease(url);
+ if (s == NULL) {
+ krb5_clear_error_message(context);
+ return ENOMEM;
+ }
+
+ if (!CFReadStreamOpen(s)) {
+ CFRelease(s);
+ krb5_clear_error_message(context);
+ return ENOENT;
+ }
+
+#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
+ d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
+#else
+ d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
+#endif
+ CFRelease(s);
+ if (d == NULL) {
+ krb5_clear_error_message(context);
+ return ENOENT;
+ }
+
+ CFDictionaryApplyFunction(d, convert_content, parent);
+ CFRelease(d);
+
+ return 0;
+}
+
+#endif
+
+
/*
* Parse the config file `fname', generating the structures into `res'
- * returning error messages in `error_message'
+ * returning error messages in `err_message'
*/
static krb5_error_code
krb5_config_parse_debug (struct fileptr *f,
krb5_config_section **res,
unsigned *lineno,
- const char **error_message)
+ const char **err_message)
{
krb5_config_section *s = NULL;
krb5_config_binding *b = NULL;
- char buf[BUFSIZ];
+ char buf[KRB5_BUFSIZ];
krb5_error_code ret;
while (config_fgets(buf, sizeof(buf), f) != NULL) {
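Review bot: convert_content dereferences the result of `_krb5_config_get_entry` without a NULL test in both branches, while parse_section and parse_binding in this file treat NULL from the same call as out of memory. parse_plist_config also casts the parsed property list to `CFDictionaryRef` and passes it to `CFDictionaryApplyFunction` without confirming the root object is a dictionary, so a plist whose top level is an array or string is not rejected. Both checks are sketched below; the error code for the wrong-root case is a suggestion.

```c
static void
convert_content(const void *key, const void *value, void *context)
{
    /* … unchanged: key type check and conversion of key to k … */
    if (CFGetTypeID(value) == CFStringGetTypeID()) {
	tmp = _krb5_config_get_entry(parent, k, krb5_config_string);
	if (tmp != NULL)
	    tmp->u.string = cfstring2cstring(value);
    } else if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
	tmp = _krb5_config_get_entry(parent, k, krb5_config_list);
	if (tmp != NULL)
	    CFDictionaryApplyFunction(value, convert_content, &tmp->u.list);
    }
    /* … unchanged: else branch and free(k) … */

/* parse_plist_config, directly after the existing d == NULL check */
    if (CFGetTypeID(d) != CFDictionaryGetTypeID()) {
	CFRelease(d);
	krb5_clear_error_message(context);
	return KRB5_CONFIG_BADFORMAT;
    }
```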
@@ -261,19 +364,19 @@ krb5_config_parse_debug (struct fileptr *f,
if (*p == '#' || *p == ';')
continue;
if (*p == '[') {
- ret = parse_section(p, &s, res, error_message);
- if (ret)
+ ret = parse_section(p, &s, res, err_message);
+ if (ret)
return ret;
b = NULL;
} else if (*p == '}') {
- *error_message = "unmatched }";
+ *err_message = "unmatched }";
return EINVAL; /* XXX */
} else if(*p != '\0') {
if (s == NULL) {
- *error_message = "binding before section";
+ *err_message = "binding before section";
return EINVAL;
}
- ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
+ ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message);
if (ret)
return ret;
}
@@ -281,53 +384,142 @@ krb5_config_parse_debug (struct fileptr *f,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_config_parse_string_multi(krb5_context context,
- const char *string,
- krb5_config_section **res)
+static int
+is_plist_file(const char *fname)
{
- const char *str;
- unsigned lineno = 0;
- krb5_error_code ret;
- struct fileptr f;
- f.f = NULL;
- f.s = string;
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- if (ret) {
- krb5_set_error_string (context, "%s:%u: %s", "<constant>", lineno, str);
- return ret;
- }
- return 0;
+ size_t len = strlen(fname);
+ char suffix[] = ".plist";
+ if (len < sizeof(suffix))
+ return 0;
+ if (strcasecmp(&fname[len - (sizeof(suffix) - 1)], suffix) != 0)
+ return 0;
+ return 1;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a configuration file and add the result into res. This
+ * interface can be used to parse several configuration files into one
+ * resulting krb5_config_section by calling it repeatably.
+ *
+ * @param context a Kerberos 5 context.
+ * @param fname a file name to a Kerberos configuration file
+ * @param res the returned result, must be free with krb5_free_config_files().
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_file_multi (krb5_context context,
const char *fname,
krb5_config_section **res)
{
const char *str;
+ char *newfname = NULL;
unsigned lineno = 0;
krb5_error_code ret;
struct fileptr f;
- f.f = fopen(fname, "r");
- f.s = NULL;
- if(f.f == NULL) {
- ret = errno;
- krb5_set_error_string (context, "open %s: %s", fname, strerror(ret));
- return ret;
+
+ /**
+ * If the fname starts with "~/" parse configuration file in the
+ * current users home directory. The behavior can be disabled and
+ * enabled by calling krb5_set_home_dir_access().
+ */
+ if (fname[0] == '~' && fname[1] == '/') {
+#ifndef KRB5_USE_PATH_TOKENS
+ const char *home = NULL;
+
+ if (!_krb5_homedir_access(context)) {
+ krb5_set_error_message(context, EPERM,
+ "Access to home directory not allowed");
+ return EPERM;
+ }
+
+ if(!issuid())
+ home = getenv("HOME");
+
+ if (home == NULL) {
+ struct passwd *pw = getpwuid(getuid());
+ if(pw != NULL)
+ home = pw->pw_dir;
+ }
+ if (home) {
+ asprintf(&newfname, "%s%s", home, &fname[1]);
+ if (newfname == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ fname = newfname;
+ }
+#else /* KRB5_USE_PATH_TOKENS */
+ if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
+ newfname == NULL)
+ {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ fname = newfname;
+#endif
}
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- fclose(f.f);
- if (ret) {
- krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str);
- return ret;
+ if (is_plist_file(fname)) {
+#ifdef __APPLE__
+ ret = parse_plist_config(context, fname, res);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ "Failed to parse plist %s", fname);
+ if (newfname)
+ free(newfname);
+ return ret;
+ }
+#else
+ krb5_set_error_message(context, ENOENT,
+ "no support for plist configuration files");
+ return ENOENT;
+#endif
+ } else {
+#ifdef KRB5_USE_PATH_TOKENS
+ char * exp_fname = NULL;
+
+ ret = _krb5_expand_path_tokens(context, fname, &exp_fname);
+ if (ret) {
+ if (newfname)
+ free(newfname);
+ return ret;
+ }
+
+ if (newfname)
+ free(newfname);
+ fname = newfname = exp_fname;
+#endif
+
+ f.f = fopen(fname, "r");
+ f.s = NULL;
+ if(f.f == NULL) {
+ ret = errno;
+ krb5_set_error_message (context, ret, "open %s: %s",
+ fname, strerror(ret));
+ if (newfname)
+ free(newfname);
+ return ret;
+ }
+
+ ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+ fclose(f.f);
+ if (ret) {
+ krb5_set_error_message (context, ret, "%s:%u: %s",
+ fname, lineno, str);
+ if (newfname)
+ free(newfname);
+ return ret;
+ }
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_file (krb5_context context,
const char *fname,
krb5_config_section **res)
@@ -336,8 +528,6 @@ krb5_config_parse_file (krb5_context context,
return krb5_config_parse_file_multi(context, fname, res);
}
-#endif /* !HAVE_NETINFO */
-
static void
free_binding (krb5_context context, krb5_config_binding *b)
{
@@ -350,7 +540,7 @@ free_binding (krb5_context context, krb5_config_binding *b)
else if (b->type == krb5_config_list)
free_binding (context, b->u.list);
else
- krb5_abortx(context, "unknown binding type (%d) in free_binding",
+ krb5_abortx(context, "unknown binding type (%d) in free_binding",
b->type);
next_b = b->next;
free (b);
@@ -358,25 +548,76 @@ free_binding (krb5_context context, krb5_config_binding *b)
}
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Free configuration file section, the result of
+ * krb5_config_parse_file() and krb5_config_parse_file_multi().
+ *
+ * @param context A Kerberos 5 context
+ * @param s the configuration section to free
+ *
+ * @return returns 0 on successes, otherwise an error code, see
+ * krb5_get_error_message()
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_file_free (krb5_context context, krb5_config_section *s)
{
free_binding (context, s);
return 0;
}
-const void *
-krb5_config_get_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- ...)
+#ifndef HEIMDAL_SMALLER
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_config_copy(krb5_context context,
+ krb5_config_section *c,
+ krb5_config_section **head)
+{
+ krb5_config_binding *d, *previous = NULL;
+
+ *head = NULL;
+
+ while (c) {
+ d = calloc(1, sizeof(*d));
+
+ if (*head == NULL)
+ *head = d;
+
+ d->name = strdup(c->name);
+ d->type = c->type;
+ if (d->type == krb5_config_string)
+ d->u.string = strdup(c->u.string);
+ else if (d->type == krb5_config_list)
+ _krb5_config_copy (context, c->u.list, &d->u.list);
+ else
+ krb5_abortx(context,
+ "unknown binding type (%d) in krb5_config_copy",
+ d->type);
+ if (previous)
+ previous->next = d;
+
+ previous = d;
+ c = c->next;
+ }
+ return 0;
+}
+
+#endif /* HEIMDAL_SMALLER */
+
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get_next (krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ ...)
{
const char *ret;
va_list args;
va_start(args, type);
- ret = krb5_config_vget_next (context, c, pointer, type, args);
+ ret = _krb5_config_vget_next (context, c, pointer, type, args);
va_end(args);
return ret;
}
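Review bot: `_krb5_config_copy` dereferences the result of `calloc` without a check, since `d->name = strdup(c->name)` runs even when `d` is NULL. It also ignores both `strdup` results and the return value of the recursive call, and it returns 0 unconditionally, so an out-of-memory condition either crashes or hands the caller a copy with NULL names or strings. I would check every allocation, link the node before filling it so that one error path can release the partial copy, and return ENOMEM. The sketch assumes `free_binding` tolerates NULL members and a NULL list; its beginning is outside this hunk, so that needs confirming.

```c
    while (c) {
	d = calloc(1, sizeof(*d));
	if (d == NULL)
	    goto nomem;

	/* link the node first so the error path can release it */
	if (*head == NULL)
	    *head = d;
	if (previous)
	    previous->next = d;
	previous = d;

	d->type = c->type;
	d->name = strdup(c->name);
	if (d->name == NULL)
	    goto nomem;
	if (d->type == krb5_config_string) {
	    d->u.string = strdup(c->u.string);
	    if (d->u.string == NULL)
		goto nomem;
	} else if (d->type == krb5_config_list) {
	    if (_krb5_config_copy(context, c->u.list, &d->u.list))
		goto nomem;
	}
	/* ... unchanged: else branch calling krb5_abortx on an unknown type ... */
	c = c->next;
    }
    return 0;

nomem:
    krb5_config_file_free(context, *head);
    *head = NULL;
    return ENOMEM;
```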
@@ -392,7 +633,7 @@ vget_next(krb5_context context,
const char *p = va_arg(args, const char *);
while(b != NULL) {
if(strcmp(b->name, name) == 0) {
- if(b->type == type && p == NULL) {
+ if(b->type == (unsigned)type && p == NULL) {
*pointer = b;
return b->u.generic;
} else if(b->type == krb5_config_list && p != NULL) {
@@ -404,12 +645,12 @@ vget_next(krb5_context context,
return NULL;
}
-const void *
-krb5_config_vget_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- va_list args)
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_vget_next (krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ va_list args)
{
const krb5_config_binding *b;
const char *p;
@@ -432,7 +673,7 @@ krb5_config_vget_next (krb5_context context,
/* we were called again, so just look for more entries with the
same name and type */
for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
+ if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
*pointer = b;
return b->u.generic;
}
@@ -440,33 +681,46 @@ krb5_config_vget_next (krb5_context context,
return NULL;
}
-const void *
-krb5_config_get (krb5_context context,
- const krb5_config_section *c,
- int type,
- ...)
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get (krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ ...)
{
const void *ret;
va_list args;
va_start(args, type);
- ret = krb5_config_vget (context, c, type, args);
+ ret = _krb5_config_vget (context, c, type, args);
va_end(args);
return ret;
}
+
const void *
-krb5_config_vget (krb5_context context,
- const krb5_config_section *c,
- int type,
- va_list args)
+_krb5_config_vget (krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ va_list args)
{
const krb5_config_binding *foo = NULL;
- return krb5_config_vget_next (context, c, &foo, type, args);
+ return _krb5_config_vget_next (context, c, &foo, type, args);
}
-const krb5_config_binding *
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
krb5_config_get_list (krb5_context context,
const krb5_config_section *c,
...)
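Review bot: `_krb5_config_vget` keeps a bare `const void *` return line, while `_krb5_config_get` in this hunk and `_krb5_config_get_next` / `_krb5_config_vget_next` in the earlier hunks all gained `KRB5_LIB_FUNCTION ... KRB5_LIB_CALL`. If the function is meant to be reachable from other files, it should carry the same decoration, `KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL`, so that the definition matches its siblings on platforms where those macros expand to something. If it is only used inside config_file.c, marking it `static` would state that.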
@@ -480,15 +734,42 @@ krb5_config_get_list (krb5_context context,
return ret;
}
-const krb5_config_binding *
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
krb5_config_vget_list (krb5_context context,
const krb5_config_section *c,
va_list args)
{
- return krb5_config_vget (context, c, krb5_config_list, args);
+ return _krb5_config_vget (context, c, krb5_config_list, args);
}
-const char* KRB5_LIB_FUNCTION
+/**
+ * Returns a "const char *" to a string in the configuration database.
+ * The string may not be valid after a reload of the configuration
+ * database so a caller should make a local copy if it needs to keep
+ * the string.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string (krb5_context context,
const krb5_config_section *c,
...)
@@ -502,15 +783,42 @@ krb5_config_get_string (krb5_context context,
return ret;
}
-const char* KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_string(), but uses a va_list instead of ...
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_vget_string (krb5_context context,
const krb5_config_section *c,
va_list args)
{
- return krb5_config_vget (context, c, krb5_config_string, args);
+ return _krb5_config_vget (context, c, krb5_config_string, args);
}
-const char* KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_vget_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_vget_string_default (krb5_context context,
const krb5_config_section *c,
const char *def_value,
@@ -524,7 +832,22 @@ krb5_config_vget_string_default (krb5_context context,
return ret;
}
-const char* KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string_default (krb5_context context,
const krb5_config_section *c,
const char *def_value,
@@ -539,7 +862,64 @@ krb5_config_get_string_default (krb5_context context,
return ret;
}
-char ** KRB5_LIB_FUNCTION
+static char *
+next_component_string(char * begin, const char * delims, char **state)
+{
+ char * end;
+
+ if (begin == NULL)
+ begin = *state;
+
+ if (*begin == '\0')
+ return NULL;
+
+ end = begin;
+ while (*end == '"') {
+ char * t = strchr(end + 1, '"');
+
+ if (t)
+ end = ++t;
+ else
+ end += strlen(end);
+ }
+
+ if (*end != '\0') {
+ size_t pos;
+
+ pos = strcspn(end, delims);
+ end = end + pos;
+ }
+
+ if (*end != '\0') {
+ *end = '\0';
+ *state = end + 1;
+ if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
+ begin++; *(end - 1) = '\0';
+ }
+ return begin;
+ }
+
+ *state = end;
+ if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
+ begin++; *(end - 1) = '\0';
+ }
+ return begin;
+}
+
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION char ** KRB5_LIB_CALL
krb5_config_vget_strings(krb5_context context,
const krb5_config_section *c,
va_list args)
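Review bot: `next_component_string` does not skip leading or repeated delimiters, unlike the `strtok_r` call it replaces in `krb5_config_vget_strings` (the two hunks that follow). For a value with two spaces between words, the second call finds `strcspn(end, delims) == 0` and returns an empty string, which the caller then duplicates into the result list. If the previous tokenising behaviour is wanted, add `begin += strspn(begin, delims);` between the `begin = *state` fallback and the `*begin == '\0'` test. The unquoting test is also written twice, once per return path; a single exit would keep the two copies from drifting apart.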
@@ -549,14 +929,14 @@ krb5_config_vget_strings(krb5_context context,
const krb5_config_binding *b = NULL;
const char *p;
- while((p = krb5_config_vget_next(context, c, &b,
- krb5_config_string, args))) {
+ while((p = _krb5_config_vget_next(context, c, &b,
+ krb5_config_string, args))) {
char *tmp = strdup(p);
char *pos = NULL;
char *s;
if(tmp == NULL)
goto cleanup;
- s = strtok_r(tmp, " \t", &pos);
+ s = next_component_string(tmp, " \t", &pos);
while(s){
char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings));
if(tmp2 == NULL)
@@ -566,7 +946,7 @@ krb5_config_vget_strings(krb5_context context,
nstr++;
if(strings[nstr-1] == NULL)
goto cleanup;
- s = strtok_r(NULL, " \t", &pos);
+ s = next_component_string(NULL, " \t", &pos);
}
free(tmp);
}
@@ -586,7 +966,20 @@ cleanup:
}
-char**
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION char** KRB5_LIB_CALL
krb5_config_get_strings(krb5_context context,
const krb5_config_section *c,
...)
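Review bot: The new comment on `krb5_config_get_strings` ends with `@return TRUE or FALSE`, but the function is declared to return `char **`. The comment added for `krb5_config_vget_strings` in the preceding hunk carries the same line. I would replace both with something like `@return a list of strings, or NULL if the option is not found`, assuming NULL is what the not-found path returns, since the function bodies lie outside these hunks.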
@@ -599,7 +992,16 @@ krb5_config_get_strings(krb5_context context,
return ret;
}
-void KRB5_LIB_FUNCTION
+/**
+ * Free the resulting strings from krb5_config-get_strings() and
+ * krb5_config_vget_strings().
+ *
+ * @param strings strings to free
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_config_free_strings(char **strings)
{
char **s = strings;
@@ -610,7 +1012,25 @@ krb5_config_free_strings(char **strings)
free(strings);
}
-krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_bool_default() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_vget_bool_default (krb5_context context,
const krb5_config_section *c,
krb5_boolean def_value,
@@ -626,7 +1046,21 @@ krb5_config_vget_bool_default (krb5_context context,
return FALSE;
}
-krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * krb5_config_get_bool() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_vget_bool (krb5_context context,
const krb5_config_section *c,
va_list args)
@@ -634,7 +1068,23 @@ krb5_config_vget_bool (krb5_context context,
return krb5_config_vget_bool_default (context, c, FALSE, args);
}
-krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * krb5_config_get_bool_default() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_get_bool_default (krb5_context context,
const krb5_config_section *c,
krb5_boolean def_value,
@@ -648,7 +1098,23 @@ krb5_config_get_bool_default (krb5_context context,
return ret;
}
-krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_bool() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_get_bool (krb5_context context,
const krb5_config_section *c,
...)
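Review bot: The comment added above `krb5_config_get_bool` describes it as "Like krb5_config_get_bool() but with a va_list list of configuration selection", yet this is `krb5_config_get_bool` itself and it takes `...`, as the `@param ...` line below says. The text looks swapped with the one placed on `krb5_config_vget_bool`, which names `krb5_config_get_bool()` while documenting `@param args`. I would open this comment with `Convert the configuration option value to a boolean value, where yes/true and any non-zero number means TRUE and other value is FALSE.` and move the "Like ... but with a va_list" sentence to the `vget` variant.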
@@ -661,7 +1127,24 @@ krb5_config_get_bool (krb5_context context,
return ret;
}
-int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time.
+ *
+ * Like krb5_config_get_time_default() but with a va_list list of
+ * configuration selection.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_time_default (krb5_context context,
const krb5_config_section *c,
int def_value,
@@ -678,7 +1161,19 @@ krb5_config_vget_time_default (krb5_context context,
return t;
}
-int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_time (krb5_context context,
const krb5_config_section *c,
va_list args)
@@ -686,7 +1181,21 @@ krb5_config_vget_time (krb5_context context,
return krb5_config_vget_time_default (context, c, -1, args);
}
-int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_time_default (krb5_context context,
const krb5_config_section *c,
int def_value,
@@ -700,7 +1209,19 @@ krb5_config_get_time_default (krb5_context context,
return ret;
}
-int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_time (krb5_context context,
const krb5_config_section *c,
...)
@@ -714,7 +1235,7 @@ krb5_config_get_time (krb5_context context,
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_int_default (krb5_context context,
const krb5_config_section *c,
int def_value,
@@ -724,18 +1245,18 @@ krb5_config_vget_int_default (krb5_context context,
str = krb5_config_vget_string (context, c, args);
if(str == NULL)
return def_value;
- else {
- char *endptr;
- long l;
- l = strtol(str, &endptr, 0);
- if (endptr == str)
- return def_value;
- else
+ else {
+ char *endptr;
+ long l;
+ l = strtol(str, &endptr, 0);
+ if (endptr == str)
+ return def_value;
+ else
return l;
}
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_int (krb5_context context,
const krb5_config_section *c,
va_list args)
@@ -743,7 +1264,7 @@ krb5_config_vget_int (krb5_context context,
return krb5_config_vget_int_default (context, c, -1, args);
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_int_default (krb5_context context,
const krb5_config_section *c,
int def_value,
@@ -757,7 +1278,7 @@ krb5_config_get_int_default (krb5_context context,
return ret;
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_int (krb5_context context,
const krb5_config_section *c,
...)
@@ -769,3 +1290,36 @@ krb5_config_get_int (krb5_context context,
va_end(ap);
return ret;
}
+
+
+#ifndef HEIMDAL_SMALLER
+
+/**
+ * Deprecated: configuration files are not strings
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_config_parse_string_multi(krb5_context context,
+ const char *string,
+ krb5_config_section **res)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ const char *str;
+ unsigned lineno = 0;
+ krb5_error_code ret;
+ struct fileptr f;
+ f.f = NULL;
+ f.s = string;
+
+ ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+ if (ret) {
+ krb5_set_error_message (context, ret, "%s:%u: %s",
+ "<constant>", lineno, str);
+ return ret;
+ }
+ return 0;
+}
+
+#endif
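Review bot: The deprecation text `KRB5_DEPRECATED_FUNCTION("Use X instead")` is a placeholder that names no replacement, so a caller who sees the warning learns nothing about where to migrate. The doc comment above `krb5_config_parse_string_multi` likewise has no `@param` or `@return` lines, unlike the other public functions documented in this commit. I would name the intended replacement in both places (presumably `krb5_config_parse_file_multi()`, to be confirmed) and document `string`, `res` and the error return.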
diff --git a/crypto/heimdal/lib/krb5/config_file_netinfo.c b/crypto/heimdal/lib/krb5/config_file_netinfo.c
deleted file mode 100644
index 1e01e7c5ffbc..000000000000
--- a/crypto/heimdal/lib/krb5/config_file_netinfo.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-RCSID("$Id: config_file_netinfo.c 13863 2004-05-25 21:46:46Z lha $");
-
-/*
- * Netinfo implementation from Luke Howard <lukeh@xedoc.com.au>
- */
-
-#ifdef HAVE_NETINFO
-#include <netinfo/ni.h>
-static ni_status
-ni_proplist2binding(ni_proplist *pl, krb5_config_section **ret)
-{
- int i, j;
- krb5_config_section **next = NULL;
-
- for (i = 0; i < pl->ni_proplist_len; i++) {
- if (!strcmp(pl->nipl_val[i].nip_name, "name"))
- continue;
-
- for (j = 0; j < pl->nipl_val[i].nip_val.ni_namelist_len; j++) {
- krb5_config_binding *b;
-
- b = malloc(sizeof(*b));
- if (b == NULL)
- return NI_FAILED;
-
- b->next = NULL;
- b->type = krb5_config_string;
- b->name = ni_name_dup(pl->nipl_val[i].nip_name);
- b->u.string = ni_name_dup(pl->nipl_val[i].nip_val.ninl_val[j]);
-
- if (next == NULL) {
- *ret = b;
- } else {
- *next = b;
- }
- next = &b->next;
- }
- }
- return NI_OK;
-}
-
-static ni_status
-ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret)
-{
- int i;
- ni_status nis;
- krb5_config_section **next;
-
- for (i = 0; i < idlist->ni_idlist_len; i++) {
- ni_proplist pl;
- ni_id nid;
- ni_idlist children;
- krb5_config_binding *b;
- ni_index index;
-
- nid.nii_instance = 0;
- nid.nii_object = idlist->ni_idlist_val[i];
-
- nis = ni_read(ni, &nid, &pl);
-
- if (nis != NI_OK) {
- return nis;
- }
- index = ni_proplist_match(pl, "name", NULL);
- b = malloc(sizeof(*b));
- if (b == NULL) return NI_FAILED;
-
- if (i == 0) {
- *ret = b;
- } else {
- *next = b;
- }
-
- b->type = krb5_config_list;
- b->name = ni_name_dup(pl.nipl_val[index].nip_val.ninl_val[0]);
- b->next = NULL;
- b->u.list = NULL;
-
- /* get the child directories */
- nis = ni_children(ni, &nid, &children);
- if (nis == NI_OK) {
- nis = ni_idlist2binding(ni, &children, &b->u.list);
- if (nis != NI_OK) {
- return nis;
- }
- }
-
- nis = ni_proplist2binding(&pl, b->u.list == NULL ? &b->u.list : &b->u.list->next);
- ni_proplist_free(&pl);
- if (nis != NI_OK) {
- return nis;
- }
- next = &b->next;
- }
- ni_idlist_free(idlist);
- return NI_OK;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_config_parse_file (krb5_context context,
- const char *fname,
- krb5_config_section **res)
-{
- void *ni = NULL, *lastni = NULL;
- int i;
- ni_status nis;
- ni_id nid;
- ni_idlist children;
-
- krb5_config_section *s;
- int ret;
-
- s = NULL;
-
- for (i = 0; i < 256; i++) {
- if (i == 0) {
- nis = ni_open(NULL, ".", &ni);
- } else {
- if (lastni != NULL) ni_free(lastni);
- lastni = ni;
- nis = ni_open(lastni, "..", &ni);
- }
- if (nis != NI_OK)
- break;
- nis = ni_pathsearch(ni, &nid, "/locations/kerberos");
- if (nis == NI_OK) {
- nis = ni_children(ni, &nid, &children);
- if (nis != NI_OK)
- break;
- nis = ni_idlist2binding(ni, &children, &s);
- break;
- }
- }
-
- if (ni != NULL) ni_free(ni);
- if (ni != lastni && lastni != NULL) ni_free(lastni);
-
- ret = (nis == NI_OK) ? 0 : -1;
- if (ret == 0) {
- *res = s;
- } else {
- *res = NULL;
- }
- return ret;
-}
-#endif /* HAVE_NETINFO */
diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c
index 5188a1d3a864..bbb4832657fb 100644
--- a/crypto/heimdal/lib/krb5/constants.c
+++ b/crypto/heimdal/lib/krb5/constants.c
@@ -1,43 +1,61 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: constants.c 14253 2004-09-23 07:57:37Z joda $");
-
-const char *krb5_config_file =
+KRB5_LIB_VARIABLE const char *krb5_config_file =
#ifdef __APPLE__
-"/Library/Preferences/edu.mit.Kerberos:"
+"~/Library/Preferences/com.apple.Kerberos.plist" PATH_SEP
+"/Library/Preferences/com.apple.Kerberos.plist" PATH_SEP
+"~/Library/Preferences/edu.mit.Kerberos" PATH_SEP
+"/Library/Preferences/edu.mit.Kerberos" PATH_SEP
+#endif /* __APPLE__ */
+"~/.krb5/config" PATH_SEP
+SYSCONFDIR "/krb5.conf"
+#ifdef _WIN32
+PATH_SEP "%{COMMON_APPDATA}/Kerberos/krb5.conf"
+PATH_SEP "%{WINDOWS}/krb5.ini"
+#else
+PATH_SEP "/etc/krb5.conf"
#endif
-SYSCONFDIR "/krb5.conf:/etc/krb5.conf";
-const char *krb5_defkeyname = KEYTAB_DEFAULT;
+;
+
+KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;
+
+KRB5_LIB_VARIABLE const char *krb5_cc_type_api = "API";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_file = "FILE";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
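Review bot: The default `krb5_config_file` search path now lists per-user files (`~/Library/Preferences/...`, `~/.krb5/config`) ahead of the system-wide ones, and nothing here says which entry wins when an option appears in more than one file. The same commit adds settings such as `allow_weak_crypto` in context.c, so an administrator locking down the system file needs to know whether a user-writable file can override it. A comment above the definition would cover this, for example `/* Searched in order, separated by PATH_SEP; "~" entries are per-user files expanded in config_file.c */`, together with a sentence on the resulting precedence once that is confirmed against the parser.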
diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
index 256783310e93..99bf1b419b0a 100644
--- a/crypto/heimdal/lib/krb5/context.c
+++ b/crypto/heimdal/lib/krb5/context.c
@@ -1,41 +1,42 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
+#include <assert.h>
#include <com_err.h>
-RCSID("$Id: context.c 22293 2007-12-14 05:25:59Z lha $");
-
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
"libdefaults", F, NULL)
@@ -60,7 +61,7 @@ set_etypes (krb5_context context,
char **etypes_str;
krb5_enctype *etypes = NULL;
- etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
+ etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
name, NULL);
if(etypes_str){
int i, j, k;
@@ -68,7 +69,7 @@ set_etypes (krb5_context context,
etypes = malloc((i+1) * sizeof(*etypes));
if (etypes == NULL) {
krb5_config_free_strings (etypes_str);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
for(j = 0, k = 0; j < i; j++) {
@@ -81,7 +82,7 @@ set_etypes (krb5_context context,
}
etypes[k] = ETYPE_NULL;
krb5_config_free_strings(etypes_str);
- }
+ }
*ret_enctypes = etypes;
return 0;
}
@@ -95,6 +96,7 @@ init_context_from_config_file(krb5_context context)
{
krb5_error_code ret;
const char * tmp;
+ char **s;
krb5_enctype *tmptypes;
INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
@@ -102,19 +104,49 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, int, max_retries, 3, "max_retries");
INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
-
+
+ ret = krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "allow_weak_crypto", NULL);
+ if (ret) {
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
+ }
+
ret = set_etypes (context, "default_etypes", &tmptypes);
if(ret)
return ret;
free(context->etypes);
context->etypes = tmptypes;
-
+
ret = set_etypes (context, "default_etypes_des", &tmptypes);
if(ret)
return ret;
free(context->etypes_des);
context->etypes_des = tmptypes;
+ ret = set_etypes (context, "default_as_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->as_etypes);
+ context->as_etypes = tmptypes;
+
+ ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->tgs_etypes);
+ context->tgs_etypes = tmptypes;
+
+ ret = set_etypes (context, "permitted_enctypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->permitted_enctypes);
+ context->permitted_enctypes = tmptypes;
+
/* default keytab name */
tmp = NULL;
if(!issuid())
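Review bot: The `allow_weak_crypto` branch only ever calls krb5_enctype_enable and has no else arm. This function runs on every configuration load, so if the option is later removed the single-DES enctypes presumably stay enabled; that depends on how krb5_enctype_enable stores its state, which is not visible here. The boolean is also parked in `ret`, a krb5_error_code; a dedicated local such as `krb5_boolean weak = krb5_config_get_bool_default(...)` would read more clearly. A comment like `/* single-DES stays disabled unless the administrator opts in */` would record the intent. The function continues outside the hunk.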
@@ -122,27 +154,27 @@ init_context_from_config_file(krb5_context context)
if(tmp != NULL)
context->default_keytab = tmp;
else
- INIT_FIELD(context, string, default_keytab,
+ INIT_FIELD(context, string, default_keytab,
KEYTAB_DEFAULT, "default_keytab_name");
- INIT_FIELD(context, string, default_keytab_modify,
+ INIT_FIELD(context, string, default_keytab_modify,
NULL, "default_keytab_modify_name");
- INIT_FIELD(context, string, time_fmt,
+ INIT_FIELD(context, string, time_fmt,
"%Y-%m-%dT%H:%M:%S", "time_format");
- INIT_FIELD(context, string, date_fmt,
+ INIT_FIELD(context, string, date_fmt,
"%Y-%m-%d", "date_format");
- INIT_FIELD(context, bool, log_utc,
+ INIT_FIELD(context, bool, log_utc,
FALSE, "log_utc");
-
+
/* init dns-proxy slime */
- tmp = krb5_config_get_string(context, NULL, "libdefaults",
+ tmp = krb5_config_get_string(context, NULL, "libdefaults",
"dns_proxy", NULL);
- if(tmp)
+ if(tmp)
roken_gethostby_setup(context->http_proxy, tmp);
krb5_free_host_realm (context, context->default_realms);
context->default_realms = NULL;
@@ -152,9 +184,9 @@ init_context_from_config_file(krb5_context context)
char **adr, **a;
krb5_set_extra_addresses(context, NULL);
- adr = krb5_config_get_strings(context, NULL,
- "libdefaults",
- "extra_addresses",
+ adr = krb5_config_get_strings(context, NULL,
+ "libdefaults",
+ "extra_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
@@ -167,9 +199,9 @@ init_context_from_config_file(krb5_context context)
krb5_config_free_strings(adr);
krb5_set_ignore_addresses(context, NULL);
- adr = krb5_config_get_strings(context, NULL,
- "libdefaults",
- "ignore_addresses",
+ adr = krb5_config_get_strings(context, NULL,
+ "libdefaults",
+ "ignore_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
@@ -181,7 +213,7 @@ init_context_from_config_file(krb5_context context)
}
krb5_config_free_strings(adr);
}
-
+
INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
/* prefer dns_lookup_kdc over srv_lookup. */
@@ -192,9 +224,138 @@ init_context_from_config_file(krb5_context context)
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
+
+ s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
+ if(s) {
+ char **p;
+ krb5_initlog(context, "libkrb5", &context->debug_dest);
+ for(p = s; *p; p++)
+ krb5_addlog_dest(context, context->debug_dest, *p);
+ krb5_config_free_strings(s);
+ }
+
+ tmp = krb5_config_get_string(context, NULL, "libdefaults",
+ "check-rd-req-server", NULL);
+ if (tmp == NULL && !issuid())
+ tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+ if(tmp) {
+ if (strcasecmp(tmp, "ignore") == 0)
+ context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
+ }
+
return 0;
}
+static krb5_error_code
+cc_ops_register(krb5_context context)
+{
+ context->cc_ops = NULL;
+ context->num_cc_ops = 0;
+
+#ifndef KCM_IS_API_CACHE
+ krb5_cc_register(context, &krb5_acc_ops, TRUE);
+#endif
+ krb5_cc_register(context, &krb5_fcc_ops, TRUE);
+ krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+#ifdef HAVE_SCC
+ krb5_cc_register(context, &krb5_scc_ops, TRUE);
+#endif
+#ifdef HAVE_KCM
+#ifdef KCM_IS_API_CACHE
+ krb5_cc_register(context, &krb5_akcm_ops, TRUE);
+#endif
+ krb5_cc_register(context, &krb5_kcm_ops, TRUE);
+#endif
+ _krb5_load_ccache_plugins(context);
+ return 0;
+}
+
+static krb5_error_code
+cc_ops_copy(krb5_context context, const krb5_context src_context)
+{
+ const krb5_cc_ops **cc_ops;
+
+ context->cc_ops = NULL;
+ context->num_cc_ops = 0;
+
+ if (src_context->num_cc_ops == 0)
+ return 0;
+
+ cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
+ if (cc_ops == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
+ sizeof(cc_ops[0]) * src_context->num_cc_ops);
+ context->cc_ops = cc_ops;
+ context->num_cc_ops = src_context->num_cc_ops;
+
+ return 0;
+}
+
+static krb5_error_code
+kt_ops_register(krb5_context context)
+{
+ context->num_kt_types = 0;
+ context->kt_types = NULL;
+
+ krb5_kt_register (context, &krb5_fkt_ops);
+ krb5_kt_register (context, &krb5_wrfkt_ops);
+ krb5_kt_register (context, &krb5_javakt_ops);
+ krb5_kt_register (context, &krb5_mkt_ops);
+#ifndef HEIMDAL_SMALLER
+ krb5_kt_register (context, &krb5_akf_ops);
+#endif
+ krb5_kt_register (context, &krb5_any_ops);
+ return 0;
+}
+
+static krb5_error_code
+kt_ops_copy(krb5_context context, const krb5_context src_context)
+{
+ context->num_kt_types = 0;
+ context->kt_types = NULL;
+
+ if (src_context->num_kt_types == 0)
+ return 0;
+
+ context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
+ if (context->kt_types == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ context->num_kt_types = src_context->num_kt_types;
+ memcpy(context->kt_types, src_context->kt_types,
+ sizeof(context->kt_types[0]) * src_context->num_kt_types);
+
+ return 0;
+}
+
+static const char *sysplugin_dirs[] = {
+ LIBDIR "/plugin/krb5",
+#ifdef __APPLE__
+ "/Library/KerberosPlugins/KerberosFrameworkPlugins",
+ "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
+#endif
+ NULL
+};
+
+static void
+init_context_once(void *ctx)
+{
+ krb5_context context = ctx;
+
+ _krb5_load_plugins(context, "krb5", sysplugin_dirs);
+
+ bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
+}
+
+
/**
* Initializes the context structure and reads the configuration file
* /etc/krb5.conf. The structure should be freed by calling
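Review bot: In the new `[logging] krb5` block the result of krb5_initlog is ignored and `context->debug_dest` is overwritten unconditionally. init_context_from_config_file runs on every krb5_set_config_files call, so a second load appears to leak the previous log facility, and a failed krb5_initlog would hand an unset destination to krb5_addlog_dest. Checking the return value and first doing `if (context->debug_dest) krb5_closelog(context, context->debug_dest);` would cover both. `KRB5_CTX_F_RD_REQ_IGNORE` is likewise only ever set here, never cleared on a reload; judging by the option name `check-rd-req-server` it turns off a check, so a comment explaining the option would help. cc_ops_copy and kt_ops_copy have no header comments.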
@@ -210,9 +371,10 @@ init_context_from_config_file(krb5_context context)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context(krb5_context *context)
{
+ static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
krb5_context p;
krb5_error_code ret;
char **files;
@@ -230,55 +392,181 @@ krb5_init_context(krb5_context *context)
}
HEIMDAL_MUTEX_init(p->mutex);
+ p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
+
ret = krb5_get_default_config_files(&files);
- if(ret)
+ if(ret)
goto out;
ret = krb5_set_config_files(p, files);
krb5_free_config_files(files);
- if(ret)
+ if(ret)
goto out;
/* init error tables */
krb5_init_ets(p);
+ cc_ops_register(p);
+ kt_ops_register(p);
- p->cc_ops = NULL;
- p->num_cc_ops = 0;
- krb5_cc_register(p, &krb5_acc_ops, TRUE);
- krb5_cc_register(p, &krb5_fcc_ops, TRUE);
- krb5_cc_register(p, &krb5_mcc_ops, TRUE);
-#ifdef HAVE_KCM
- krb5_cc_register(p, &krb5_kcm_ops, TRUE);
+#ifdef PKINIT
+ ret = hx509_context_init(&p->hx509ctx);
+ if (ret)
+ goto out;
#endif
-
- p->num_kt_types = 0;
- p->kt_types = NULL;
- krb5_kt_register (p, &krb5_fkt_ops);
- krb5_kt_register (p, &krb5_wrfkt_ops);
- krb5_kt_register (p, &krb5_javakt_ops);
- krb5_kt_register (p, &krb5_mkt_ops);
- krb5_kt_register (p, &krb5_akf_ops);
- krb5_kt_register (p, &krb4_fkt_ops);
- krb5_kt_register (p, &krb5_srvtab_fkt_ops);
- krb5_kt_register (p, &krb5_any_ops);
+ if (rk_SOCK_INIT())
+ p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
if(ret) {
krb5_free_context(p);
p = NULL;
+ } else {
+ heim_base_once_f(&init_context, p, init_context_once);
}
*context = p;
return ret;
}
+#ifndef HEIMDAL_SMALLER
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_permitted_enctypes(krb5_context context,
+ krb5_enctype **etypes)
+{
+ return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+copy_etypes (krb5_context context,
+ krb5_enctype *enctypes,
+ krb5_enctype **ret_enctypes)
+{
+ unsigned int i;
+
+ for (i = 0; enctypes[i]; i++)
+ ;
+ i++;
+
+ *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
+ if (*ret_enctypes == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
+ return 0;
+}
+
+/**
+ * Make a copy for the Kerberos 5 context, the new krb5_context shoud
+ * be freed with krb5_free_context().
+ *
+ * @param context the Kerberos context to copy
+ * @param out the copy of the Kerberos, set to NULL error.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_copy_context(krb5_context context, krb5_context *out)
+{
+ krb5_error_code ret;
+ krb5_context p;
+
+ *out = NULL;
+
+ p = calloc(1, sizeof(*p));
+ if (p == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
+ if (p->mutex == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ free(p);
+ return ENOMEM;
+ }
+ HEIMDAL_MUTEX_init(p->mutex);
+
+
+ if (context->default_cc_name)
+ p->default_cc_name = strdup(context->default_cc_name);
+ if (context->default_cc_name_env)
+ p->default_cc_name_env = strdup(context->default_cc_name_env);
+
+ if (context->etypes) {
+ ret = copy_etypes(context, context->etypes, &p->etypes);
+ if (ret)
+ goto out;
+ }
+ if (context->etypes_des) {
+ ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
+ if (ret)
+ goto out;
+ }
+
+ if (context->default_realms) {
+ ret = krb5_copy_host_realm(context,
+ context->default_realms, &p->default_realms);
+ if (ret)
+ goto out;
+ }
+
+ ret = _krb5_config_copy(context, context->cf, &p->cf);
+ if (ret)
+ goto out;
+
+ /* XXX should copy */
+ krb5_init_ets(p);
+
+ cc_ops_copy(p, context);
+ kt_ops_copy(p, context);
+
+#if 0 /* XXX */
+ if(context->warn_dest != NULL)
+ ;
+ if(context->debug_dest != NULL)
+ ;
+#endif
+
+ ret = krb5_set_extra_addresses(p, context->extra_addresses);
+ if (ret)
+ goto out;
+ ret = krb5_set_extra_addresses(p, context->ignore_addresses);
+ if (ret)
+ goto out;
+
+ ret = _krb5_copy_send_to_kdc_func(p, context);
+ if (ret)
+ goto out;
+
+ *out = p;
+
+ return 0;
+
+ out:
+ krb5_free_context(p);
+ return ret;
+}
+
+#endif
+
/**
* Frees the krb5_context allocated by krb5_init_context().
*
* @param context context to be freed.
*
- * @ingroup krb5
-*/
+ * @ingroup krb5
+ */
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context(krb5_context context)
{
if (context->default_cc_name)
@@ -290,18 +578,28 @@ krb5_free_context(krb5_context context)
krb5_free_host_realm (context, context->default_realms);
krb5_config_file_free (context, context->cf);
free_error_table (context->et_list);
- free(context->cc_ops);
+ free(rk_UNCONST(context->cc_ops));
free(context->kt_types);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
if(context->warn_dest != NULL)
krb5_closelog(context, context->warn_dest);
+ if(context->debug_dest != NULL)
+ krb5_closelog(context, context->debug_dest);
krb5_set_extra_addresses(context, NULL);
krb5_set_ignore_addresses(context, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
- if (context->mutex != NULL) {
- HEIMDAL_MUTEX_destroy(context->mutex);
- free(context->mutex);
+
+#ifdef PKINIT
+ if (context->hx509ctx)
+ hx509_context_free(&context->hx509ctx);
+#endif
+
+ HEIMDAL_MUTEX_destroy(context->mutex);
+ free(context->mutex);
+ if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
+ rk_SOCK_EXIT();
}
+
memset(context, 0, sizeof(*context));
free(context);
}
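Review bot: Nothing in this hunk frees `context->as_etypes`, `context->tgs_etypes` or `context->permitted_enctypes`, which init_context_from_config_file now allocates through set_etypes. Unless they are released in the unchanged lines at the top of the function, outside the hunk, every context leaks them. Adding `free(context->as_etypes);`, `free(context->tgs_etypes);` and `free(context->permitted_enctypes);` next to the other frees would cover it. The mutex teardown also lost its `context->mutex != NULL` guard, so this function must never be reached with a context whose mutex allocation failed; a short comment stating that invariant would help.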
@@ -318,14 +616,14 @@ krb5_free_context(krb5_context context)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_config_files(krb5_context context, char **filenames)
{
krb5_error_code ret;
krb5_config_binding *tmp = NULL;
while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
- if(ret != 0 && ret != ENOENT && ret != EACCES) {
+ if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
krb5_config_file_free(context, tmp);
return ret;
}
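Review bot: With `EPERM` added to the tolerated errors, a configuration file the process is not allowed to read is skipped without any trace, the same as a missing one. Settings it carries (enctype lists, `allow_weak_crypto`) then silently fall back to the built-in defaults. A comment on the condition, such as `/* unreadable or missing files are skipped, not fatal */`, would make the fail-open choice explicit, and logging the skipped file name would help operators notice it. The loop's end is outside the hunk.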
@@ -337,6 +635,11 @@ krb5_set_config_files(krb5_context context, char **filenames)
if(tmp == NULL)
return ENXIO;
#endif
+
+#ifdef _WIN32
+ _krb5_load_config_from_registry(context, &tmp);
+#endif
+
krb5_config_file_free(context, context->cf);
context->cf = tmp;
ret = init_context_from_config_file(context);
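Review bot: The registry load is placed after the `if(tmp == NULL) return ENXIO;` check, so in builds where that check is compiled in (its `#if` condition is outside the hunk) a Windows host whose only configuration lives in the registry fails before the registry is read. The call's result is also discarded, so a malformed registry configuration, if the function reports one, goes unnoticed. Moving the `#ifdef _WIN32` block above the check and testing the result would address both. The function's start and end are outside the hunk.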
@@ -373,7 +676,7 @@ add_file(char ***pfilenames, int *len, char *file)
* `pq' isn't free, it's up the the caller
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
{
krb5_error_code ret;
@@ -389,7 +692,7 @@ krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
while(1) {
ssize_t l;
q = p;
- l = strsep_copy(&q, ":", NULL, 0);
+ l = strsep_copy(&q, PATH_SEP, NULL, 0);
if(l == -1)
break;
fn = malloc(l + 1);
@@ -397,7 +700,7 @@ krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
krb5_free_config_files(pp);
return ENOMEM;
}
- l = strsep_copy(&p, ":", fn, l + 1);
+ (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
ret = add_file(&pp, &len, fn);
if (ret) {
krb5_free_config_files(pp);
@@ -438,12 +741,12 @@ krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
{
krb5_error_code ret;
char **defpp, **pp = NULL;
-
+
ret = krb5_get_default_config_files(&defpp);
if (ret)
return ret;
@@ -452,11 +755,50 @@ krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
krb5_free_config_files(defpp);
if (ret) {
return ret;
- }
+ }
*pfilenames = pp;
return 0;
}
+#ifdef _WIN32
+
+/**
+ * Checks the registry for configuration file location
+ *
+ * Kerberos for Windows and other legacy Kerberos applications expect
+ * to find the configuration file location in the
+ * SOFTWARE\MIT\Kerberos registry key under the value "config".
+ */
+char *
+_krb5_get_default_config_config_files_from_registry()
+{
+ static const char * KeyName = "Software\\MIT\\Kerberos";
+ char *config_file = NULL;
+ LONG rcode;
+ HKEY key;
+
+ rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
+ if (rcode == ERROR_SUCCESS) {
+ config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
+ REG_NONE, 0, PATH_SEP);
+ RegCloseKey(key);
+ }
+
+ if (config_file)
+ return config_file;
+
+ rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
+ if (rcode == ERROR_SUCCESS) {
+ config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
+ REG_NONE, 0, PATH_SEP);
+ RegCloseKey(key);
+ }
+
+ return config_file;
+}
+
+#endif
+
/**
* Get the global configuration list.
*
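Review bot: The lookup consults `HKEY_CURRENT_USER` before `HKEY_LOCAL_MACHINE`, so a per-user registry value decides which configuration files the library reads. The caller in krb5_get_default_config_files (a later hunk) applies no equivalent of the `issuid()` guard used for `KRB5_CONFIG`. That precedence deserves a sentence in the doc comment so that services running with more privilege than the hive's owner can be audited against it. The two open/parse/close sequences differ only in the hive and could be one loop over both hives, and the definition should declare `(void)` rather than an empty parameter list.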
@@ -468,7 +810,7 @@ krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files(char ***pfilenames)
{
const char *files = NULL;
@@ -477,6 +819,22 @@ krb5_get_default_config_files(char ***pfilenames)
return EINVAL;
if(!issuid())
files = getenv("KRB5_CONFIG");
+
+#ifdef _WIN32
+ if (files == NULL) {
+ char * reg_files;
+ reg_files = _krb5_get_default_config_config_files_from_registry();
+ if (reg_files != NULL) {
+ krb5_error_code code;
+
+ code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
+ free(reg_files);
+
+ return code;
+ }
+ }
+#endif
+
if (files == NULL)
files = krb5_config_file;
@@ -486,7 +844,8 @@ krb5_get_default_config_files(char ***pfilenames)
/**
* Free a list of configuration files.
*
- * @param filenames list to be freed.
+ * @param filenames list, terminated with a NULL pointer, to be
+ * freed. NULL is an valid argument.
*
* @return Returns 0 to indicate success. Otherwise an kerberos et
* error code is returned, see krb5_get_error_message().
@@ -494,11 +853,11 @@ krb5_get_default_config_files(char ***pfilenames)
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_config_files(char **filenames)
{
char **p;
- for(p = filenames; *p != NULL; p++)
+ for(p = filenames; p && *p != NULL; p++)
free(*p);
free(filenames);
}
@@ -516,7 +875,7 @@ krb5_free_config_files(char **filenames)
* @ingroup krb5
*/
-const krb5_enctype * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
krb5_kerberos_enctypes(krb5_context context)
{
static const krb5_enctype p[] = {
@@ -534,36 +893,51 @@ krb5_kerberos_enctypes(krb5_context context)
}
/*
- * set `etype' to a malloced list of the default enctypes
+ *
*/
static krb5_error_code
-default_etypes(krb5_context context, krb5_enctype **etype)
+copy_enctypes(krb5_context context,
+ const krb5_enctype *in,
+ krb5_enctype **out)
{
- const krb5_enctype *p;
- krb5_enctype *e = NULL, *ep;
- int i, n = 0;
-
- p = krb5_kerberos_enctypes(context);
+ krb5_enctype *p = NULL;
+ size_t m, n;
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
+ for (n = 0; in[n]; n++)
+ ;
+ n++;
+ ALLOC(p, n);
+ if(p == NULL)
+ return krb5_enomem(context);
+ for (n = 0, m = 0; in[n]; n++) {
+ if (krb5_enctype_valid(context, in[n]) != 0)
continue;
- ep = realloc(e, (n + 2) * sizeof(*e));
- if (ep == NULL) {
- free(e);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- e = ep;
- e[n] = p[i];
- e[n + 1] = ETYPE_NULL;
- n++;
+ p[m++] = in[n];
}
- *etype = e;
+ p[m] = KRB5_ENCTYPE_NULL;
+ if (m == 0) {
+ free(p);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("no valid enctype set", ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ *out = p;
return 0;
}
+
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
+ return copy_enctypes(context, p, etype);
+}
+
/**
* Set the default encryption types that will be use in communcation
* with the KDC, clients and servers.
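Review bot: copy_enctypes is introduced under an empty comment block, yet it does more than copy: it drops every entry for which krb5_enctype_valid() fails and returns KRB5_PROG_ETYPE_NOSUPP when nothing is left. I would fill the comment in, for example `/* Copy the zero-terminated list in to a malloced list *out, skipping enctypes that are not valid in this context; fails with KRB5_PROG_ETYPE_NOSUPP if none remain. */`. The function also reuses `n` first as the element count and then as the read index. It terminates the list with `KRB5_ENCTYPE_NULL` where set_etypes earlier in the file uses `ETYPE_NULL`; separate names and a single constant would be easier to follow.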
@@ -577,27 +951,17 @@ default_etypes(krb5_context context, krb5_enctype **etype)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_set_default_in_tkt_etypes(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_default_in_tkt_etypes(krb5_context context,
const krb5_enctype *etypes)
{
+ krb5_error_code ret;
krb5_enctype *p = NULL;
- int i;
if(etypes) {
- for (i = 0; etypes[i]; ++i) {
- krb5_error_code ret;
- ret = krb5_enctype_valid(context, etypes[i]);
- if (ret)
- return ret;
- }
- ++i;
- ALLOC(p, i);
- if(!p) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- memmove(p, etypes, i * sizeof(krb5_enctype));
+ ret = copy_enctypes(context, etypes, &p);
+ if (ret)
+ return ret;
}
if(context->etypes)
free(context->etypes);
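Review bot: Routing krb5_set_default_in_tkt_etypes through copy_enctypes changes what callers observe. The removed loop returned the krb5_enctype_valid() error for the first unusable entry, whereas the new code silently filters such entries and fails only when the whole list is unusable. A caller that passed a list to learn whether every requested enctype is acceptable no longer gets that answer. The doc comment above the function (outside this hunk) should say so, e.g. `Enctypes that are not valid in this context are dropped; KRB5_PROG_ETYPE_NOSUPP is returned if none remain.` The function body continues outside the hunk.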
@@ -619,75 +983,69 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_in_tkt_etypes(krb5_context context,
+ krb5_pdu pdu_type,
krb5_enctype **etypes)
{
- krb5_enctype *p;
- int i;
- krb5_error_code ret;
-
- if(context->etypes) {
- for(i = 0; context->etypes[i]; i++);
- ++i;
- ALLOC(p, i);
- if(!p) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ krb5_enctype *enctypes = NULL;
+ krb5_error_code ret;
+ krb5_enctype *p;
+
+ heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
+ pdu_type == KRB5_PDU_TGS_REQUEST ||
+ pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
+
+ if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
+ enctypes = context->as_etypes;
+ else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
+ enctypes = context->tgs_etypes;
+ else if (context->etypes != NULL)
+ enctypes = context->etypes;
+
+ if (enctypes != NULL) {
+ ret = copy_enctypes(context, enctypes, &p);
+ if (ret)
+ return ret;
+ } else {
+ ret = default_etypes(context, &p);
+ if (ret)
+ return ret;
}
- memmove(p, context->etypes, i * sizeof(krb5_enctype));
- } else {
- ret = default_etypes(context, &p);
- if (ret)
- return ret;
- }
- *etypes = p;
- return 0;
-}
-
-/**
- * Return the error string for the error code. The caller must not
- * free the string.
- *
- * @param context Kerberos 5 context.
- * @param code Kerberos error code.
- *
- * @return the error message matching code
- *
- * @ingroup krb5
- */
-
-const char* KRB5_LIB_FUNCTION
-krb5_get_err_text(krb5_context context, krb5_error_code code)
-{
- const char *p = NULL;
- if(context != NULL)
- p = com_right(context->et_list, code);
- if(p == NULL)
- p = strerror(code);
- if (p == NULL)
- p = "Unknown error";
- return p;
+ *etypes = p;
+ return 0;
}
/**
- * Init the built-in ets in the Kerberos library.
+ * Init the built-in ets in the Kerberos library.
*
* @param context kerberos context to add the ets too
*
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_init_ets(krb5_context context)
{
if(context->et_list == NULL){
krb5_add_et_list(context, initialize_krb5_error_table_r);
krb5_add_et_list(context, initialize_asn1_error_table_r);
krb5_add_et_list(context, initialize_heim_error_table_r);
+
krb5_add_et_list(context, initialize_k524_error_table_r);
+
+#ifdef COM_ERR_BINDDOMAIN_krb5
+ bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
+#endif
+
#ifdef PKINIT
krb5_add_et_list(context, initialize_hx_error_table_r);
+#ifdef COM_ERR_BINDDOMAIN_hx
+ bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
+#endif
#endif
}
}
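Review bot: krb5_get_default_in_tkt_etypes gains a `pdu_type` argument in the middle of an exported signature, so existing two-argument callers stop compiling. An unexpected value aborts through heim_assert rather than returning an error. The doc comment above the function starts outside this hunk, so I cannot tell whether it was updated. If not, it needs something like `@param pdu_type KRB5_PDU_AS_REQUEST, KRB5_PDU_TGS_REQUEST or KRB5_PDU_NONE; selects as_etypes or tgs_etypes when set, otherwise etypes, otherwise the built-in defaults`. The assert message reads "pdu contant not as expected" and should say "constant". The two arms of the final if/else both end in `if (ret) return ret;`, which could be hoisted below the branch.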
@@ -701,7 +1059,7 @@ krb5_init_ets(krb5_context context)
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
{
context->use_admin_kdc = flag;
@@ -717,7 +1075,7 @@ krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
* @ingroup krb5
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_use_admin_kdc (krb5_context context)
{
return context->use_admin_kdc;
@@ -736,12 +1094,12 @@ krb5_get_use_admin_kdc (krb5_context context)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
{
if(context->extra_addresses)
- return krb5_append_addresses(context,
+ return krb5_append_addresses(context,
context->extra_addresses, addresses);
else
return krb5_set_extra_addresses(context, addresses);
@@ -760,7 +1118,7 @@ krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
{
if(context->extra_addresses)
@@ -776,7 +1134,7 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
if(context->extra_addresses == NULL) {
context->extra_addresses = malloc(sizeof(*context->extra_addresses));
if(context->extra_addresses == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
}
@@ -796,7 +1154,7 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
{
if(context->extra_addresses == NULL) {
@@ -819,12 +1177,12 @@ krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
{
if(context->ignore_addresses)
- return krb5_append_addresses(context,
+ return krb5_append_addresses(context,
context->ignore_addresses, addresses);
else
return krb5_set_ignore_addresses(context, addresses);
@@ -843,7 +1201,7 @@ krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
{
if(context->ignore_addresses)
@@ -858,7 +1216,7 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
if(context->ignore_addresses == NULL) {
context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
if(context->ignore_addresses == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
}
@@ -878,7 +1236,7 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
{
if(context->ignore_addresses == NULL) {
@@ -900,7 +1258,7 @@ krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_fcache_version(krb5_context context, int version)
{
context->fcache_vno = version;
@@ -919,7 +1277,7 @@ krb5_set_fcache_version(krb5_context context, int version)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_fcache_version(krb5_context context, int *version)
{
*version = context->fcache_vno;
@@ -935,7 +1293,7 @@ krb5_get_fcache_version(krb5_context context, int *version)
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_is_thread_safe(void)
{
#ifdef ENABLE_PTHREAD_SUPPORT
@@ -954,7 +1312,7 @@ krb5_is_thread_safe(void)
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
{
if (flag)
@@ -973,7 +1331,7 @@ krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
* @ingroup krb5
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_dns_canonicalize_hostname (krb5_context context)
{
return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
@@ -986,12 +1344,12 @@ krb5_get_dns_canonicalize_hostname (krb5_context context)
* @param sec seconds part of offset.
* @param usec micro seconds part of offset.
*
- * @return return non zero if the library uses DNS to canonicalize hostnames.
+ * @return returns zero
*
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
{
if (sec)
@@ -1002,6 +1360,27 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
}
/**
+ * Set current offset in time to the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param sec seconds part of offset.
+ * @param usec micro seconds part of offset.
+ *
+ * @return returns zero
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
+{
+ context->kdc_sec_offset = sec;
+ if (usec >= 0)
+ context->kdc_usec_offset = usec;
+ return 0;
+}
+
+/**
* Get max time skew allowed.
*
* @param context Kerberos 5 context.
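Review bot: krb5_set_kdc_sec_offset silently ignores a negative `usec` and accepts any non-negative value, including one of a full second or more, but the doc comment describes `usec` only as the "micro seconds part of offset". Because the stored offset feeds time comparisons elsewhere in the library, the contract should be spelled out, e.g. `@param usec micro seconds part of offset; a negative value leaves the stored micro second offset unchanged`. If an out-of-range `usec` is not meant to be stored, a guard such as `if (usec >= 0 && usec < 1000000)` would enforce it.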
@@ -1011,7 +1390,7 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
* @ingroup krb5
*/
-time_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_get_max_time_skew (krb5_context context)
{
return context->max_skew;
@@ -1026,8 +1405,112 @@ krb5_get_max_time_skew (krb5_context context)
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_max_time_skew (krb5_context context, time_t t)
{
context->max_skew = t;
}
+
+/*
+ * Init encryption types in len, val with etypes.
+ *
+ * @param context Kerberos 5 context.
+ * @param pdu_type type of pdu
+ * @param len output length of val.
+ * @param val output array of enctypes.
+ * @param etypes etypes to set val and len to, if NULL, use default enctypes.
+
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_etype(krb5_context context,
+ krb5_pdu pdu_type,
+ unsigned *len,
+ krb5_enctype **val,
+ const krb5_enctype *etypes)
+{
+ krb5_error_code ret;
+
+ if (etypes == NULL)
+ ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
+ else
+ ret = copy_enctypes(context, etypes, val);
+ if (ret)
+ return ret;
+
+ if (len) {
+ *len = 0;
+ while ((*val)[*len] != KRB5_ENCTYPE_NULL)
+ (*len)++;
+ }
+ return 0;
+}
+
+/*
+ * Allow homedir accces
+ */
+
+static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static krb5_boolean allow_homedir = TRUE;
+
+krb5_boolean
+_krb5_homedir_access(krb5_context context)
+{
+ krb5_boolean allow;
+
+#ifdef HAVE_GETEUID
+ /* is never allowed for root */
+ if (geteuid() == 0)
+ return FALSE;
+#endif
+
+ if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
+ return FALSE;
+
+ HEIMDAL_MUTEX_lock(&homedir_mutex);
+ allow = allow_homedir;
+ HEIMDAL_MUTEX_unlock(&homedir_mutex);
+ return allow;
+}
+
+/**
+ * Enable and disable home directory access on either the global state
+ * or the krb5_context state. By calling krb5_set_home_dir_access()
+ * with context set to NULL, the global state is configured otherwise
+ * the state for the krb5_context is modified.
+ *
+ * For home directory access to be allowed, both the global state and
+ * the krb5_context state have to be allowed.
+ *
+ * Administrator (root user), never uses the home directory.
+ *
+ * @param context a Kerberos 5 context or NULL
+ * @param allow allow if TRUE home directory
+ * @return the old value
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
+{
+ krb5_boolean old;
+ if (context) {
+ old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
+ if (allow)
+ context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
+ else
+ context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
+ } else {
+ HEIMDAL_MUTEX_lock(&homedir_mutex);
+ old = allow_homedir;
+ allow_homedir = allow;
+ HEIMDAL_MUTEX_unlock(&homedir_mutex);
+ }
+
+ return old;
+}
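Review bot: `_krb5_homedir_access` refuses home-directory access only when `geteuid() == 0`, so a set-uid or set-gid program running under a non-root effective id still gets TRUE unless its author calls `krb5_set_home_dir_access` first. If files under the home directory are used as configuration or credential sources (not visible in this hunk), the invoking user can then influence a privileged process. Where the platform provides it, `if (issetugid()) return FALSE;` next to the euid test would close that gap. The root test is also compiled out when `HAVE_GETEUID` is undefined, which contradicts the doc comment's statement that root never uses the home directory; the comment should say so.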
diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c
index b2af0187eac3..fc371c637764 100644
--- a/crypto/heimdal/lib/krb5/convert_creds.c
+++ b/crypto/heimdal/lib/krb5/convert_creds.c
@@ -1,46 +1,40 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: convert_creds.c 22050 2007-11-11 11:20:46Z lha $");
-
#include "krb5-v4compat.h"
-static krb5_error_code
-check_ticket_flags(TicketFlags f)
-{
- return 0; /* maybe add some more tests here? */
-}
+#ifndef HEIMDAL_SMALLER
/**
* Convert the v5 credentials in in_cred to v4-dito in v4creds. This
@@ -58,90 +52,16 @@ check_ticket_flags(TicketFlags f)
* @ingroup krb5_v4compat
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb524_convert_creds_kdc(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb524_convert_creds_kdc(krb5_context context,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- krb5_error_code ret;
- krb5_data reply;
- krb5_storage *sp;
- int32_t tmp;
- krb5_data ticket;
- char realm[REALM_SZ];
- krb5_creds *v5_creds = in_cred;
-
- ret = check_ticket_flags(v5_creds->flags.b);
- if(ret)
- goto out2;
-
- {
- krb5_krbhst_handle handle;
-
- ret = krb5_krbhst_init(context,
- krb5_principal_get_realm(context,
- v5_creds->server),
- KRB5_KRBHST_KRB524,
- &handle);
- if (ret)
- goto out2;
-
- ret = krb5_sendto (context,
- &v5_creds->ticket,
- handle,
- &reply);
- krb5_krbhst_free(context, handle);
- if (ret)
- goto out2;
- }
- sp = krb5_storage_from_mem(reply.data, reply.length);
- if(sp == NULL) {
- ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
- goto out2;
- }
- krb5_ret_int32(sp, &tmp);
- ret = tmp;
- if(ret == 0) {
- memset(v4creds, 0, sizeof(*v4creds));
- ret = krb5_ret_int32(sp, &tmp);
- if(ret)
- goto out;
- v4creds->kvno = tmp;
- ret = krb5_ret_data(sp, &ticket);
- if(ret)
- goto out;
- v4creds->ticket_st.length = ticket.length;
- memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
- krb5_data_free(&ticket);
- ret = krb5_524_conv_principal(context,
- v5_creds->server,
- v4creds->service,
- v4creds->instance,
- v4creds->realm);
- if(ret)
- goto out;
- v4creds->issue_date = v5_creds->times.starttime;
- v4creds->lifetime = _krb5_krb_time_to_life(v4creds->issue_date,
- v5_creds->times.endtime);
- ret = krb5_524_conv_principal(context, v5_creds->client,
- v4creds->pname,
- v4creds->pinst,
- realm);
- if(ret)
- goto out;
- memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
- } else {
- krb5_set_error_string(context, "converting credentials: %s",
- krb5_get_err_text(context, ret));
- }
-out:
- krb5_storage_free(sp);
- krb5_data_free(&reply);
-out2:
- if (v5_creds != in_cred)
- krb5_free_creds (context, v5_creds);
- return ret;
+ memset(v4creds, 0, sizeof(*v4creds));
+ krb5_set_error_message(context, EINVAL,
+ N_("krb524_convert_creds_kdc not supported", ""));
+ return EINVAL;
}
/**
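Review bot: `KRB5_DEPRECATED_FUNCTION("Use X instead")` is a placeholder that tells a caller nothing about what to move to, and the same text is repeated on `krb524_convert_creds_kdc_ccache` in the next hunk. Both functions now zero `*v4creds` and always return `EINVAL`, while the doc comment above (only partly visible here) still describes a conversion. I would state the new contract in both places, e.g. `KRB5_DEPRECATED_FUNCTION("Kerberos 4 credential conversion is no longer supported")` and `@return always EINVAL; v4creds is zeroed and is not a usable credential`. That last part matters because a caller that ignores the return value is left holding an all-zero session key.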
@@ -159,46 +79,17 @@ out2:
* @ingroup krb5_v4compat
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb524_convert_creds_kdc_ccache(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb524_convert_creds_kdc_ccache(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- krb5_error_code ret;
- krb5_creds *v5_creds = in_cred;
- krb5_keytype keytype;
-
- keytype = v5_creds->session.keytype;
-
- if (keytype != ENCTYPE_DES_CBC_CRC) {
- /* MIT krb524d doesn't like nothing but des-cbc-crc tickets,
- so go get one */
- krb5_creds template;
-
- memset (&template, 0, sizeof(template));
- template.session.keytype = ENCTYPE_DES_CBC_CRC;
- ret = krb5_copy_principal (context, in_cred->client, &template.client);
- if (ret) {
- krb5_free_cred_contents (context, &template);
- return ret;
- }
- ret = krb5_copy_principal (context, in_cred->server, &template.server);
- if (ret) {
- krb5_free_cred_contents (context, &template);
- return ret;
- }
-
- ret = krb5_get_credentials (context, 0, ccache,
- &template, &v5_creds);
- krb5_free_cred_contents (context, &template);
- if (ret)
- return ret;
- }
-
- ret = krb524_convert_creds_kdc(context, v5_creds, v4creds);
-
- if (v5_creds != in_cred)
- krb5_free_creds (context, v5_creds);
- return ret;
+ memset(v4creds, 0, sizeof(*v4creds));
+ krb5_set_error_message(context, EINVAL,
+ N_("krb524_convert_creds_kdc_ccache not supported", ""));
+ return EINVAL;
}
+
+#endif
diff --git a/crypto/heimdal/lib/krb5/copy_host_realm.c b/crypto/heimdal/lib/krb5/copy_host_realm.c
index 8c4f39b4ac4c..73bc117f12af 100644
--- a/crypto/heimdal/lib/krb5/copy_host_realm.c
+++ b/crypto/heimdal/lib/krb5/copy_host_realm.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: copy_host_realm.c 22057 2007-11-11 15:13:13Z lha $");
-
/**
* Copy the list of realms from `from' to `to'.
*
@@ -48,29 +46,30 @@ RCSID("$Id: copy_host_realm.c 22057 2007-11-11 15:13:13Z lha $");
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_host_realm(krb5_context context,
const krb5_realm *from,
krb5_realm **to)
{
- int n, i;
+ unsigned int n, i;
const krb5_realm *p;
- for (n = 0, p = from; *p != NULL; ++p)
+ for (n = 1, p = from; *p != NULL; ++p)
++n;
- ++n;
- *to = malloc (n * sizeof(**to));
+
+ *to = calloc (n, sizeof(**to));
if (*to == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- for (i = 0; i < n; ++i)
- (*to)[i] = NULL;
+
for (i = 0, p = from; *p != NULL; ++p, ++i) {
(*to)[i] = strdup(*p);
if ((*to)[i] == NULL) {
krb5_free_host_realm (context, *to);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
}
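Review bot: On the `strdup` failure path, `krb5_free_host_realm (context, *to)` presumably releases the array, but `*to` keeps the stale pointer. A caller that cleans up its output variable after an error would then free it a second time. Adding `*to = NULL;` right after the `krb5_free_host_realm` call keeps the out-parameter safe to inspect. The error text still reads `malloc: out of memory` although the allocation is now `calloc`, which is harmless but slightly misleading. The function body continues past the end of this hunk.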
diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c
index 072c29d68974..eab946541db7 100644
--- a/crypto/heimdal/lib/krb5/crc.c
+++ b/crypto/heimdal/lib/krb5/crc.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: crc.c 17442 2006-05-05 09:31:15Z lha $");
-
static u_long table[256];
#define CRC_GEN 0xEDB88320L
@@ -44,8 +42,8 @@ _krb5_crc_init_table(void)
{
static int flag = 0;
unsigned long crc, poly;
- int i, j;
-
+ unsigned int i, j;
+
if(flag) return;
poly = CRC_GEN;
for (i = 0; i < 256; i++) {
diff --git a/crypto/heimdal/lib/krb5/creds.c b/crypto/heimdal/lib/krb5/creds.c
index 17ef46dfa3b6..7ef8eb96095f 100644
--- a/crypto/heimdal/lib/krb5/creds.c
+++ b/crypto/heimdal/lib/krb5/creds.c
@@ -1,50 +1,38 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: creds.c 22062 2007-11-11 15:41:50Z lha $");
-
-#undef __attribute__
-#define __attribute__(X)
-
-/* keep this for compatibility with older code */
-krb5_error_code KRB5_LIB_FUNCTION __attribute__((deprecated))
-krb5_free_creds_contents (krb5_context context, krb5_creds *c)
-{
- return krb5_free_cred_contents (context, c);
-}
-
/**
* Free content of krb5_creds.
*
@@ -57,7 +45,7 @@ krb5_free_creds_contents (krb5_context context, krb5_creds *c)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_cred_contents (krb5_context context, krb5_creds *c)
{
krb5_free_principal (context, c->client);
@@ -86,7 +74,7 @@ krb5_free_cred_contents (krb5_context context, krb5_creds *c)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds_contents (krb5_context context,
const krb5_creds *incred,
krb5_creds *c)
@@ -143,7 +131,7 @@ fail:
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds (krb5_context context,
const krb5_creds *incred,
krb5_creds **outcred)
@@ -152,7 +140,8 @@ krb5_copy_creds (krb5_context context,
c = malloc (sizeof (*c));
if (c == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
memset (c, 0, sizeof(*c));
@@ -172,7 +161,7 @@ krb5_copy_creds (krb5_context context,
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_creds (krb5_context context, krb5_creds *c)
{
krb5_free_cred_contents (context, c);
@@ -194,6 +183,18 @@ krb5_times_equal(const krb5_times *a, const krb5_times *b)
* Return TRUE if `mcreds' and `creds' are equal (`whichfields'
* determines what equal means).
*
+ *
+ * The following flags, set in whichfields affects the comparison:
+ * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
+ * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
+ * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
+ * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
+ * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
+ * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
+ * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
+ * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
+ * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
+ *
* @param context Kerberos 5 context.
* @param whichfields which fields to compare.
* @param mcreds cred to compare with.
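Review bot: The new flag list omits `KRB5_TC_DONT_MATCH_REALM`, which `krb5_compare_creds` tests for both the server and the client principal (visible in the following hunk). Since that flag relaxes principal matching, it belongs in the list, e.g. `- KRB5_TC_DONT_MATCH_REALM Consider all realms equal when comparing the client and service principals.` The doc comment starts above this hunk.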
@@ -204,34 +205,32 @@ krb5_times_equal(const krb5_times *a, const krb5_times *b)
* @ingroup krb5
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
const krb5_creds * mcreds, const krb5_creds * creds)
{
krb5_boolean match = TRUE;
-
+
if (match && mcreds->server) {
- if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
- match = krb5_principal_compare_any_realm (context, mcreds->server,
+ if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
+ match = krb5_principal_compare_any_realm (context, mcreds->server,
creds->server);
else
- match = krb5_principal_compare (context, mcreds->server,
+ match = krb5_principal_compare (context, mcreds->server,
creds->server);
}
if (match && mcreds->client) {
if(whichfields & KRB5_TC_DONT_MATCH_REALM)
- match = krb5_principal_compare_any_realm (context, mcreds->client,
+ match = krb5_principal_compare_any_realm (context, mcreds->client,
creds->client);
else
- match = krb5_principal_compare (context, mcreds->client,
+ match = krb5_principal_compare (context, mcreds->client,
creds->client);
}
-
+
if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
- match = krb5_enctypes_compatible_keys(context,
- mcreds->session.keytype,
- creds->session.keytype);
+ match = mcreds->session.keytype == creds->session.keytype;
if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
match = mcreds->flags.i == creds->flags.i;
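Review bot: The `KRB5_TC_MATCH_KEYTYPE` branch now compares `session.keytype` for exact equality instead of calling `krb5_enctypes_compatible_keys`. This behaviour change is easy to miss among the whitespace-only lines of this hunk. Lookups that used to match a credential with a different but compatible enctype will presumably now miss, so the comparison deserves a comment, e.g. `/* exact enctype match: compatible key types are no longer treated as equal */`. The function starts and ends outside this hunk.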
@@ -241,7 +240,7 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields,
if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
match = krb5_times_equal(&mcreds->times, &creds->times);
-
+
if (match && (whichfields & KRB5_TC_MATCH_TIMES))
/* compare only expiration times */
match = (mcreds->times.renew_till <= creds->times.renew_till) &&
@@ -253,7 +252,7 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields,
match = FALSE;
else
for(i = 0; match && i < mcreds->authdata.len; i++)
- match = (mcreds->authdata.val[i].ad_type ==
+ match = (mcreds->authdata.val[i].ad_type ==
creds->authdata.val[i].ad_type) &&
(krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
&creds->authdata.val[i].ad_data) == 0);
@@ -262,8 +261,25 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields,
match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
- match = ((mcreds->second_ticket.length == 0) ==
+ match = ((mcreds->second_ticket.length == 0) ==
(creds->second_ticket.length == 0));
return match;
}
+
+/**
+ * Returns the ticket flags for the credentials in creds.
+ * See also krb5_ticket_get_flags().
+ *
+ * @param creds credential to get ticket flags from
+ *
+ * @return ticket flags
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
+krb5_creds_get_ticket_flags(krb5_creds *creds)
+{
+ return TicketFlags2int(creds->flags.b);
+}
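Review bot: `krb5_creds_get_ticket_flags` only reads `creds->flags.b`, so the parameter could be declared `const krb5_creds *creds`. That would let code holding const credentials (as `krb5_compare_creds` in this file does) call it without a cast. The doc comment could also state that `creds` must not be NULL, since it is dereferenced unconditionally.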
diff --git a/crypto/heimdal/lib/krb5/crypto-aes.c b/crypto/heimdal/lib/krb5/crypto-aes.c
new file mode 100644
index 000000000000..b97854206ced
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-aes.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ * AES
+ */
+
+static struct _krb5_key_type keytype_aes128 = {
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ "aes-128",
+ 128,
+ 16,
+ sizeof(struct _krb5_evp_schedule),
+ NULL,
+ _krb5_evp_schedule,
+ _krb5_AES_salt,
+ NULL,
+ _krb5_evp_cleanup,
+ EVP_aes_128_cbc
+};
+
+static struct _krb5_key_type keytype_aes256 = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ "aes-256",
+ 256,
+ 32,
+ sizeof(struct _krb5_evp_schedule),
+ NULL,
+ _krb5_evp_schedule,
+ _krb5_AES_salt,
+ NULL,
+ _krb5_evp_cleanup,
+ EVP_aes_256_cbc
+};
+
+struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128 = {
+ CKSUMTYPE_HMAC_SHA1_96_AES_128,
+ "hmac-sha1-96-aes128",
+ 64,
+ 12,
+ F_KEYED | F_CPROOF | F_DERIVED,
+ _krb5_SP_HMAC_SHA1_checksum,
+ NULL
+};
+
+struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256 = {
+ CKSUMTYPE_HMAC_SHA1_96_AES_256,
+ "hmac-sha1-96-aes256",
+ 64,
+ 12,
+ F_KEYED | F_CPROOF | F_DERIVED,
+ _krb5_SP_HMAC_SHA1_checksum,
+ NULL
+};
+
+static krb5_error_code
+AES_PRF(krb5_context context,
+ krb5_crypto crypto,
+ const krb5_data *in,
+ krb5_data *out)
+{
+ struct _krb5_checksum_type *ct = crypto->et->checksum;
+ krb5_error_code ret;
+ Checksum result;
+ krb5_keyblock *derived;
+
+ result.cksumtype = ct->type;
+ ret = krb5_data_alloc(&result.checksum, ct->checksumsize);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("malloc: out memory", ""));
+ return ret;
+ }
+
+ ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ if (ret) {
+ krb5_data_free(&result.checksum);
+ return ret;
+ }
+
+ if (result.checksum.length < crypto->et->blocksize)
+ krb5_abortx(context, "internal prf error");
+
+ derived = NULL;
+ ret = krb5_derive_key(context, crypto->key.key,
+ crypto->et->type, "prf", 3, &derived);
+ if (ret)
+ krb5_abortx(context, "krb5_derive_key");
+
+ ret = krb5_data_alloc(out, crypto->et->blocksize);
+ if (ret)
+ krb5_abortx(context, "malloc failed");
+
+ {
+ const EVP_CIPHER *c = (*crypto->et->keytype->evp)();
+ EVP_CIPHER_CTX ctx;
+
+ EVP_CIPHER_CTX_init(&ctx); /* ivec all zero */
+ EVP_CipherInit_ex(&ctx, c, NULL, derived->keyvalue.data, NULL, 1);
+ EVP_Cipher(&ctx, out->data, result.checksum.data,
+ crypto->et->blocksize);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ }
+
+ krb5_data_free(&result.checksum);
+ krb5_free_keyblock(context, derived);
+
+ return ret;
+}
+
+struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1 = {
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ "aes128-cts-hmac-sha1-96",
+ 16,
+ 1,
+ 16,
+ &keytype_aes128,
+ &_krb5_checksum_sha1,
+ &_krb5_checksum_hmac_sha1_aes128,
+ F_DERIVED,
+ _krb5_evp_encrypt_cts,
+ 16,
+ AES_PRF
+};
+
+struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1 = {
+ ETYPE_AES256_CTS_HMAC_SHA1_96,
+ "aes256-cts-hmac-sha1-96",
+ 16,
+ 1,
+ 16,
+ &keytype_aes256,
+ &_krb5_checksum_sha1,
+ &_krb5_checksum_hmac_sha1_aes256,
+ F_DERIVED,
+ _krb5_evp_encrypt_cts,
+ 16,
+ AES_PRF
+};
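Review bot: In `AES_PRF` the results of `EVP_CipherInit_ex` and `EVP_Cipher` are discarded, so if either fails the function still returns 0 (the value `krb5_data_alloc` left in `ret`). `out` then holds a freshly allocated, presumably uninitialised buffer that the caller will treat as PRF output. Both calls should be checked and the buffer released on failure, as in the excerpt below; it assumes they return 1 on success and that `KRB5_CRYPTO_INTERNAL` is the right code, which should be confirmed for the EVP implementation this builds against. Separately, `krb5_abortx` on a failed `krb5_derive_key` or allocation terminates the calling process from inside the library; returning the error after freeing `result.checksum` would be safer for long-running callers. The message `malloc: out memory` is also missing a word.

```c
    {
        /* … unchanged: cipher lookup and ctx declaration … */
        EVP_CIPHER_CTX_init(&ctx); /* ivec all zero */
        if (EVP_CipherInit_ex(&ctx, c, NULL, derived->keyvalue.data, NULL, 1) != 1 ||
            EVP_Cipher(&ctx, out->data, result.checksum.data,
                       crypto->et->blocksize) != 1) {
            /* never hand back an unwritten buffer as PRF output */
            krb5_data_free(out);
            ret = KRB5_CRYPTO_INTERNAL;
            krb5_set_error_message(context, ret,
                                   N_("AES PRF: cipher operation failed", ""));
        }
        EVP_CIPHER_CTX_cleanup(&ctx);
    }
    /* … unchanged: free result.checksum and derived, return ret … */
```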
diff --git a/crypto/heimdal/lib/krb5/crypto-algs.c b/crypto/heimdal/lib/krb5/crypto-algs.c
new file mode 100644
index 000000000000..ed31377bd070
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-algs.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifndef HEIMDAL_SMALLER
+#define DES3_OLD_ENCTYPE 1
+#endif
+
+struct _krb5_checksum_type *_krb5_checksum_types[] = {
+ &_krb5_checksum_none,
+#ifdef HEIM_WEAK_CRYPTO
+ &_krb5_checksum_crc32,
+ &_krb5_checksum_rsa_md4,
+ &_krb5_checksum_rsa_md4_des,
+ &_krb5_checksum_rsa_md5_des,
+#endif
+#ifdef DES3_OLD_ENCTYPE
+ &_krb5_checksum_rsa_md5_des3,
+#endif
+ &_krb5_checksum_rsa_md5,
+ &_krb5_checksum_sha1,
+ &_krb5_checksum_hmac_sha1_des3,
+ &_krb5_checksum_hmac_sha1_aes128,
+ &_krb5_checksum_hmac_sha1_aes256,
+ &_krb5_checksum_hmac_md5
+};
+
+int _krb5_num_checksums
+ = sizeof(_krb5_checksum_types) / sizeof(_krb5_checksum_types[0]);
+
+/*
+ * these should currently be in reverse preference order.
+ * (only relevant for !F_PSEUDO) */
+
+struct _krb5_encryption_type *_krb5_etypes[] = {
+ &_krb5_enctype_aes256_cts_hmac_sha1,
+ &_krb5_enctype_aes128_cts_hmac_sha1,
+ &_krb5_enctype_des3_cbc_sha1,
+ &_krb5_enctype_des3_cbc_none, /* used by the gss-api mech */
+ &_krb5_enctype_arcfour_hmac_md5,
+#ifdef DES3_OLD_ENCTYPE
+ &_krb5_enctype_des3_cbc_md5,
+ &_krb5_enctype_old_des3_cbc_sha1,
+#endif
+#ifdef HEIM_WEAK_CRYPTO
+ &_krb5_enctype_des_cbc_md5,
+ &_krb5_enctype_des_cbc_md4,
+ &_krb5_enctype_des_cbc_crc,
+ &_krb5_enctype_des_cbc_none,
+ &_krb5_enctype_des_cfb64_none,
+ &_krb5_enctype_des_pcbc_none,
+#endif
+ &_krb5_enctype_null
+};
+
+int _krb5_num_etypes = sizeof(_krb5_etypes) / sizeof(_krb5_etypes[0]);
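Review bot: `DES3_OLD_ENCTYPE` is defined locally at the top of this file, yet the same macro gates the definitions these tables point to (`_krb5_checksum_rsa_md5_des3`, `_krb5_enctype_des3_cbc_md5` and `_krb5_enctype_old_des3_cbc_sha1` in crypto-des3.c, plus `_krb5_des_checksum`/`_krb5_des_verify` in crypto-des-common.c). Unless a header reached through `krb5_locl.h` defines it as well, which this hunk does not show, those files would compile the symbols out while the tables here still reference them. Keeping the `#ifndef HEIMDAL_SMALLER` / `#define DES3_OLD_ENCTYPE 1` block in one shared header and dropping the copy here would remove that risk. The comment above `_krb5_etypes` also says "reverse preference order" although AES-256 is listed first and the null enctype last, so it appears stale and should be reworded before someone reorders the table on that basis.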
diff --git a/crypto/heimdal/lib/krb5/crypto-arcfour.c b/crypto/heimdal/lib/krb5/crypto-arcfour.c
new file mode 100644
index 000000000000..1b369d2fda14
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-arcfour.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * ARCFOUR
+ */
+
+#include "krb5_locl.h"
+
+static struct _krb5_key_type keytype_arcfour = {
+ ENCTYPE_ARCFOUR_HMAC_MD5,
+ "arcfour",
+ 128,
+ 16,
+ sizeof(struct _krb5_evp_schedule),
+ NULL,
+ _krb5_evp_schedule,
+ _krb5_arcfour_salt,
+ NULL,
+ _krb5_evp_cleanup,
+ EVP_rc4
+};
+
+/*
+ * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
+ */
+
+krb5_error_code
+_krb5_HMAC_MD5_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *result)
+{
+ EVP_MD_CTX *m;
+ struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
+ const char signature[] = "signaturekey";
+ Checksum ksign_c;
+ struct _krb5_key_data ksign;
+ krb5_keyblock kb;
+ unsigned char t[4];
+ unsigned char tmp[16];
+ unsigned char ksign_c_data[16];
+ krb5_error_code ret;
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ ksign_c.checksum.length = sizeof(ksign_c_data);
+ ksign_c.checksum.data = ksign_c_data;
+ ret = _krb5_internal_hmac(context, c, signature, sizeof(signature),
+ 0, key, &ksign_c);
+ if (ret) {
+ EVP_MD_CTX_destroy(m);
+ return ret;
+ }
+ ksign.key = &kb;
+ kb.keyvalue = ksign_c.checksum;
+ EVP_DigestInit_ex(m, EVP_md5(), NULL);
+ t[0] = (usage >> 0) & 0xFF;
+ t[1] = (usage >> 8) & 0xFF;
+ t[2] = (usage >> 16) & 0xFF;
+ t[3] = (usage >> 24) & 0xFF;
+ EVP_DigestUpdate(m, t, 4);
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, tmp, NULL);
+ EVP_MD_CTX_destroy(m);
+
+ ret = _krb5_internal_hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
+ if (ret)
+ return ret;
+ return 0;
+}
+
+struct _krb5_checksum_type _krb5_checksum_hmac_md5 = {
+ CKSUMTYPE_HMAC_MD5,
+ "hmac-md5",
+ 64,
+ 16,
+ F_KEYED | F_CPROOF,
+ _krb5_HMAC_MD5_checksum,
+ NULL
+};
+
+/*
+ * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
+ *
+ * warning: not for small children
+ */
+
+static krb5_error_code
+ARCFOUR_subencrypt(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ unsigned usage,
+ void *ivec)
+{
+ EVP_CIPHER_CTX ctx;
+ struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
+ Checksum k1_c, k2_c, k3_c, cksum;
+ struct _krb5_key_data ke;
+ krb5_keyblock kb;
+ unsigned char t[4];
+ unsigned char *cdata = data;
+ unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+ krb5_error_code ret;
+
+ t[0] = (usage >> 0) & 0xFF;
+ t[1] = (usage >> 8) & 0xFF;
+ t[2] = (usage >> 16) & 0xFF;
+ t[3] = (usage >> 24) & 0xFF;
+
+ k1_c.checksum.length = sizeof(k1_c_data);
+ k1_c.checksum.data = k1_c_data;
+
+ ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+
+ k2_c.checksum.length = sizeof(k2_c_data);
+ k2_c.checksum.data = k2_c_data;
+
+ ke.key = &kb;
+ kb.keyvalue = k2_c.checksum;
+
+ cksum.checksum.length = 16;
+ cksum.checksum.data = data;
+
+ ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ ke.key = &kb;
+ kb.keyvalue = k1_c.checksum;
+
+ k3_c.checksum.length = sizeof(k3_c_data);
+ k3_c.checksum.data = k3_c_data;
+
+ ret = _krb5_internal_hmac(NULL, c, data, 16, 0, &ke, &k3_c);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ EVP_CIPHER_CTX_init(&ctx);
+
+ EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1);
+ EVP_Cipher(&ctx, cdata + 16, cdata + 16, len - 16);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ memset (k1_c_data, 0, sizeof(k1_c_data));
+ memset (k2_c_data, 0, sizeof(k2_c_data));
+ memset (k3_c_data, 0, sizeof(k3_c_data));
+ return 0;
+}
+
+static krb5_error_code
+ARCFOUR_subdecrypt(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ unsigned usage,
+ void *ivec)
+{
+ EVP_CIPHER_CTX ctx;
+ struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
+ Checksum k1_c, k2_c, k3_c, cksum;
+ struct _krb5_key_data ke;
+ krb5_keyblock kb;
+ unsigned char t[4];
+ unsigned char *cdata = data;
+ unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+ unsigned char cksum_data[16];
+ krb5_error_code ret;
+
+ t[0] = (usage >> 0) & 0xFF;
+ t[1] = (usage >> 8) & 0xFF;
+ t[2] = (usage >> 16) & 0xFF;
+ t[3] = (usage >> 24) & 0xFF;
+
+ k1_c.checksum.length = sizeof(k1_c_data);
+ k1_c.checksum.data = k1_c_data;
+
+ ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+
+ k2_c.checksum.length = sizeof(k2_c_data);
+ k2_c.checksum.data = k2_c_data;
+
+ ke.key = &kb;
+ kb.keyvalue = k1_c.checksum;
+
+ k3_c.checksum.length = sizeof(k3_c_data);
+ k3_c.checksum.data = k3_c_data;
+
+ ret = _krb5_internal_hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ EVP_CIPHER_CTX_init(&ctx);
+ EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0);
+ EVP_Cipher(&ctx, cdata + 16, cdata + 16, len - 16);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ ke.key = &kb;
+ kb.keyvalue = k2_c.checksum;
+
+ cksum.checksum.length = 16;
+ cksum.checksum.data = cksum_data;
+
+ ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ if (ret)
+ krb5_abortx(context, "hmac failed");
+
+ memset (k1_c_data, 0, sizeof(k1_c_data));
+ memset (k2_c_data, 0, sizeof(k2_c_data));
+ memset (k3_c_data, 0, sizeof(k3_c_data));
+
+ if (ct_memcmp (cksum.checksum.data, data, 16) != 0) {
+ krb5_clear_error_message (context);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ } else {
+ return 0;
+ }
+}
+
+/*
+ * convert the usage numbers used in
+ * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
+ * draft-brezak-win2k-krb-rc4-hmac-04.txt
+ */
+
+krb5_error_code
+_krb5_usage2arcfour(krb5_context context, unsigned *usage)
+{
+ switch (*usage) {
+ case KRB5_KU_AS_REP_ENC_PART : /* 3 */
+ *usage = 8;
+ return 0;
+ case KRB5_KU_USAGE_SEAL : /* 22 */
+ *usage = 13;
+ return 0;
+ case KRB5_KU_USAGE_SIGN : /* 23 */
+ *usage = 15;
+ return 0;
+ case KRB5_KU_USAGE_SEQ: /* 24 */
+ *usage = 0;
+ return 0;
+ default :
+ return 0;
+ }
+}
+
+static krb5_error_code
+ARCFOUR_encrypt(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ krb5_error_code ret;
+ unsigned keyusage = usage;
+
+ if((ret = _krb5_usage2arcfour (context, &keyusage)) != 0)
+ return ret;
+
+ if (encryptp)
+ return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec);
+ else
+ return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec);
+}
+
+struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
+ ETYPE_ARCFOUR_HMAC_MD5,
+ "arcfour-hmac-md5",
+ 1,
+ 1,
+ 8,
+ &keytype_arcfour,
+ &_krb5_checksum_hmac_md5,
+ NULL,
+ F_SPECIAL,
+ ARCFOUR_encrypt,
+ 0,
+ NULL
+};
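Review bot: `ARCFOUR_subencrypt` and `ARCFOUR_subdecrypt` both compute `len - 16` on a `size_t` without first checking that `len` is at least 16, so a shorter buffer would wrap to a huge length in the `_krb5_internal_hmac` and `EVP_Cipher` calls. On the decrypt side `data` is received ciphertext; the caller may already reject short input, but no such check is visible in this file. A guard at the top of each function, `if (len < 16) return KRB5_BAD_MSIZE;`, keeps the helpers safe on their own. Separately, the derived keys are cleared with plain `memset`, which a compiler is allowed to drop, and `tmp` and `ksign_c_data` in `_krb5_HMAC_MD5_checksum` are not cleared at all.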
diff --git a/crypto/heimdal/lib/krb5/crypto-des-common.c b/crypto/heimdal/lib/krb5/crypto-des-common.c
new file mode 100644
index 000000000000..f8313952dc7c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-des-common.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Functions which are used by both single and triple DES enctypes */
+
+#include "krb5_locl.h"
+
+/*
+ * A = A xor B. A & B are 8 bytes.
+ */
+
+void
+_krb5_xor (DES_cblock *key, const unsigned char *b)
+{
+ unsigned char *a = (unsigned char*)key;
+ a[0] ^= b[0];
+ a[1] ^= b[1];
+ a[2] ^= b[2];
+ a[3] ^= b[3];
+ a[4] ^= b[4];
+ a[5] ^= b[5];
+ a[6] ^= b[6];
+ a[7] ^= b[7];
+}
+
+#if defined(DES3_OLD_ENCTYPE) || defined(HEIM_WEAK_CRYPTO)
+krb5_error_code
+_krb5_des_checksum(krb5_context context,
+ const EVP_MD *evp_md,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ Checksum *cksum)
+{
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ EVP_MD_CTX *m;
+ DES_cblock ivec;
+ unsigned char *p = cksum->checksum.data;
+
+ krb5_generate_random_block(p, 8);
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ EVP_DigestInit_ex(m, evp_md, NULL);
+ EVP_DigestUpdate(m, p, 8);
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, p + 8, NULL);
+ EVP_MD_CTX_destroy(m);
+ memset (&ivec, 0, sizeof(ivec));
+ EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(&ctx->ectx, p, p, 24);
+
+ return 0;
+}
+
+krb5_error_code
+_krb5_des_verify(krb5_context context,
+ const EVP_MD *evp_md,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ Checksum *C)
+{
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ EVP_MD_CTX *m;
+ unsigned char tmp[24];
+ unsigned char res[16];
+ DES_cblock ivec;
+ krb5_error_code ret = 0;
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ memset(&ivec, 0, sizeof(ivec));
+ EVP_CipherInit_ex(&ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(&ctx->dctx, tmp, C->checksum.data, 24);
+
+ EVP_DigestInit_ex(m, evp_md, NULL);
+ EVP_DigestUpdate(m, tmp, 8); /* confounder */
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, res, NULL);
+ EVP_MD_CTX_destroy(m);
+ if(ct_memcmp(res, tmp + 8, sizeof(res)) != 0) {
+ krb5_clear_error_message (context);
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+ memset(tmp, 0, sizeof(tmp));
+ memset(res, 0, sizeof(res));
+ return ret;
+}
+
+#endif
+
+static krb5_error_code
+RSA_MD5_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+ krb5_abortx(context, "md5 checksum failed");
+ return 0;
+}
+
+struct _krb5_checksum_type _krb5_checksum_rsa_md5 = {
+ CKSUMTYPE_RSA_MD5,
+ "rsa-md5",
+ 64,
+ 16,
+ F_CPROOF,
+ RSA_MD5_checksum,
+ NULL
+};
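Review bot: `_krb5_des_verify` decrypts a fixed 24 bytes from `C->checksum.data` into `tmp` without looking at `C->checksum.length`, and `_krb5_des_checksum` likewise writes 24 bytes through `cksum->checksum.data`. If a caller ever passes a shorter checksum buffer this reads or writes past it; the generic verify path may compare the length with the type's checksum size first, but nothing in this file enforces it. A check placed before the `EVP_MD_CTX_create()` call in the verify function, `if (C->checksum.length < 24) return KRB5KRB_AP_ERR_BAD_INTEGRITY;`, would make the assumption explicit. Both functions also assume `evp_md` yields a 16-byte digest (`res[16]`, `p + 8`), which deserves a one-line comment since the parameter accepts any `EVP_MD`.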
diff --git a/crypto/heimdal/lib/krb5/crypto-des.c b/crypto/heimdal/lib/krb5/crypto-des.c
new file mode 100644
index 000000000000..f6f1c6881c91
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-des.c
@@ -0,0 +1,377 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HEIM_WEAK_CRYPTO
+
+
+static void
+krb5_DES_random_key(krb5_context context,
+ krb5_keyblock *key)
+{
+ DES_cblock *k = key->keyvalue.data;
+ do {
+ krb5_generate_random_block(k, sizeof(DES_cblock));
+ DES_set_odd_parity(k);
+ } while(DES_is_weak_key(k));
+}
+
+static void
+krb5_DES_schedule_old(krb5_context context,
+ struct _krb5_key_type *kt,
+ struct _krb5_key_data *key)
+{
+ DES_set_key_unchecked(key->key->keyvalue.data, key->schedule->data);
+}
+
+static void
+krb5_DES_random_to_key(krb5_context context,
+ krb5_keyblock *key,
+ const void *data,
+ size_t size)
+{
+ DES_cblock *k = key->keyvalue.data;
+ memcpy(k, data, key->keyvalue.length);
+ DES_set_odd_parity(k);
+ if(DES_is_weak_key(k))
+ _krb5_xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+}
+
+static struct _krb5_key_type keytype_des_old = {
+ ETYPE_DES_CBC_CRC,
+ "des-old",
+ 56,
+ 8,
+ sizeof(DES_key_schedule),
+ krb5_DES_random_key,
+ krb5_DES_schedule_old,
+ _krb5_des_salt,
+ krb5_DES_random_to_key,
+ NULL,
+ NULL
+};
+
+static struct _krb5_key_type keytype_des = {
+ ETYPE_DES_CBC_CRC,
+ "des",
+ 56,
+ 8,
+ sizeof(struct _krb5_evp_schedule),
+ krb5_DES_random_key,
+ _krb5_evp_schedule,
+ _krb5_des_salt,
+ krb5_DES_random_to_key,
+ _krb5_evp_cleanup,
+ EVP_des_cbc
+};
+
+static krb5_error_code
+CRC32_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ uint32_t crc;
+ unsigned char *r = C->checksum.data;
+ _krb5_crc_init_table ();
+ crc = _krb5_crc_update (data, len, 0);
+ r[0] = crc & 0xff;
+ r[1] = (crc >> 8) & 0xff;
+ r[2] = (crc >> 16) & 0xff;
+ r[3] = (crc >> 24) & 0xff;
+ return 0;
+}
+
+static krb5_error_code
+RSA_MD4_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+ krb5_abortx(context, "md4 checksum failed");
+ return 0;
+}
+
+static krb5_error_code
+RSA_MD4_DES_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *cksum)
+{
+ return _krb5_des_checksum(context, EVP_md4(), key, data, len, cksum);
+}
+
+static krb5_error_code
+RSA_MD4_DES_verify(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return _krb5_des_verify(context, EVP_md4(), key, data, len, C);
+}
+
+static krb5_error_code
+RSA_MD5_DES_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+}
+
+static krb5_error_code
+RSA_MD5_DES_verify(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+}
+
+struct _krb5_checksum_type _krb5_checksum_crc32 = {
+ CKSUMTYPE_CRC32,
+ "crc32",
+ 1,
+ 4,
+ 0,
+ CRC32_checksum,
+ NULL
+};
+
+struct _krb5_checksum_type _krb5_checksum_rsa_md4 = {
+ CKSUMTYPE_RSA_MD4,
+ "rsa-md4",
+ 64,
+ 16,
+ F_CPROOF,
+ RSA_MD4_checksum,
+ NULL
+};
+
+struct _krb5_checksum_type _krb5_checksum_rsa_md4_des = {
+ CKSUMTYPE_RSA_MD4_DES,
+ "rsa-md4-des",
+ 64,
+ 24,
+ F_KEYED | F_CPROOF | F_VARIANT,
+ RSA_MD4_DES_checksum,
+ RSA_MD4_DES_verify
+};
+
+struct _krb5_checksum_type _krb5_checksum_rsa_md5_des = {
+ CKSUMTYPE_RSA_MD5_DES,
+ "rsa-md5-des",
+ 64,
+ 24,
+ F_KEYED | F_CPROOF | F_VARIANT,
+ RSA_MD5_DES_checksum,
+ RSA_MD5_DES_verify
+};
+
+static krb5_error_code
+evp_des_encrypt_null_ivec(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ignore_ivec)
+{
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
+ DES_cblock ivec;
+ memset(&ivec, 0, sizeof(ivec));
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+}
+
+static krb5_error_code
+evp_des_encrypt_key_ivec(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ignore_ivec)
+{
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
+ DES_cblock ivec;
+ memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+}
+
+static krb5_error_code
+DES_CFB64_encrypt_null_ivec(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ignore_ivec)
+{
+ DES_cblock ivec;
+ int num = 0;
+ DES_key_schedule *s = key->schedule->data;
+ memset(&ivec, 0, sizeof(ivec));
+
+ DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encryptp);
+ return 0;
+}
+
+static krb5_error_code
+DES_PCBC_encrypt_key_ivec(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ignore_ivec)
+{
+ DES_cblock ivec;
+ DES_key_schedule *s = key->schedule->data;
+ memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+
+ DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp);
+ return 0;
+}
+
+struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = {
+ ETYPE_DES_CBC_CRC,
+ "des-cbc-crc",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &_krb5_checksum_crc32,
+ NULL,
+ F_DISABLED|F_WEAK,
+ evp_des_encrypt_key_ivec,
+ 0,
+ NULL
+};
+
+struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = {
+ ETYPE_DES_CBC_MD4,
+ "des-cbc-md4",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &_krb5_checksum_rsa_md4,
+ &_krb5_checksum_rsa_md4_des,
+ F_DISABLED|F_WEAK,
+ evp_des_encrypt_null_ivec,
+ 0,
+ NULL
+};
+
+struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = {
+ ETYPE_DES_CBC_MD5,
+ "des-cbc-md5",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &_krb5_checksum_rsa_md5,
+ &_krb5_checksum_rsa_md5_des,
+ F_DISABLED|F_WEAK,
+ evp_des_encrypt_null_ivec,
+ 0,
+ NULL
+};
+
+struct _krb5_encryption_type _krb5_enctype_des_cbc_none = {
+ ETYPE_DES_CBC_NONE,
+ "des-cbc-none",
+ 8,
+ 8,
+ 0,
+ &keytype_des,
+ &_krb5_checksum_none,
+ NULL,
+ F_PSEUDO|F_DISABLED|F_WEAK,
+ evp_des_encrypt_null_ivec,
+ 0,
+ NULL
+};
+
+struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = {
+ ETYPE_DES_CFB64_NONE,
+ "des-cfb64-none",
+ 1,
+ 1,
+ 0,
+ &keytype_des_old,
+ &_krb5_checksum_none,
+ NULL,
+ F_PSEUDO|F_DISABLED|F_WEAK,
+ DES_CFB64_encrypt_null_ivec,
+ 0,
+ NULL
+};
+
+struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = {
+ ETYPE_DES_PCBC_NONE,
+ "des-pcbc-none",
+ 8,
+ 8,
+ 0,
+ &keytype_des_old,
+ &_krb5_checksum_none,
+ NULL,
+ F_PSEUDO|F_DISABLED|F_WEAK,
+ DES_PCBC_encrypt_key_ivec,
+ 0,
+ NULL
+};
+#endif /* HEIM_WEAK_CRYPTO */
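Review bot: `krb5_DES_random_to_key` copies `key->keyvalue.length` bytes from `data` and never consults its `size` argument, so it over-reads whenever the caller supplies fewer bytes than the key length. `_krb5_DES3_random_to_key` in crypto-des3.c has the same shape: it reads 21 bytes from `data` and writes 24 bytes into `key->keyvalue.data` without checking `size` or `key->keyvalue.length`. Since both return `void`, the least intrusive fix is a precondition check such as `if (size < key->keyvalue.length) krb5_abortx(context, "random_to_key: short input");` (with 21 as the bound in the DES3 variant), or at minimum a comment stating what callers must pass.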
diff --git a/crypto/heimdal/lib/krb5/crypto-des3.c b/crypto/heimdal/lib/krb5/crypto-des3.c
new file mode 100644
index 000000000000..43806038b714
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-des3.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ *
+ */
+
+static void
+DES3_random_key(krb5_context context,
+ krb5_keyblock *key)
+{
+ DES_cblock *k = key->keyvalue.data;
+ do {
+ krb5_generate_random_block(k, 3 * sizeof(DES_cblock));
+ DES_set_odd_parity(&k[0]);
+ DES_set_odd_parity(&k[1]);
+ DES_set_odd_parity(&k[2]);
+ } while(DES_is_weak_key(&k[0]) ||
+ DES_is_weak_key(&k[1]) ||
+ DES_is_weak_key(&k[2]));
+}
+
+
+#ifdef DES3_OLD_ENCTYPE
+static struct _krb5_key_type keytype_des3 = {
+ ETYPE_OLD_DES3_CBC_SHA1,
+ "des3",
+ 168,
+ 24,
+ sizeof(struct _krb5_evp_schedule),
+ DES3_random_key,
+ _krb5_evp_schedule,
+ _krb5_des3_salt,
+ _krb5_DES3_random_to_key,
+ _krb5_evp_cleanup,
+ EVP_des_ede3_cbc
+};
+#endif
+
+static struct _krb5_key_type keytype_des3_derived = {
+ ETYPE_OLD_DES3_CBC_SHA1,
+ "des3",
+ 168,
+ 24,
+ sizeof(struct _krb5_evp_schedule),
+ DES3_random_key,
+ _krb5_evp_schedule,
+ _krb5_des3_salt_derived,
+ _krb5_DES3_random_to_key,
+ _krb5_evp_cleanup,
+ EVP_des_ede3_cbc
+};
+
+#ifdef DES3_OLD_ENCTYPE
+static krb5_error_code
+RSA_MD5_DES3_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+}
+
+static krb5_error_code
+RSA_MD5_DES3_verify(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+}
+
+struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3 = {
+ CKSUMTYPE_RSA_MD5_DES3,
+ "rsa-md5-des3",
+ 64,
+ 24,
+ F_KEYED | F_CPROOF | F_VARIANT,
+ RSA_MD5_DES3_checksum,
+ RSA_MD5_DES3_verify
+};
+#endif
+
+struct _krb5_checksum_type _krb5_checksum_hmac_sha1_des3 = {
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ "hmac-sha1-des3",
+ 64,
+ 20,
+ F_KEYED | F_CPROOF | F_DERIVED,
+ _krb5_SP_HMAC_SHA1_checksum,
+ NULL
+};
+
+#ifdef DES3_OLD_ENCTYPE
+struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = {
+ ETYPE_DES3_CBC_MD5,
+ "des3-cbc-md5",
+ 8,
+ 8,
+ 8,
+ &keytype_des3,
+ &_krb5_checksum_rsa_md5,
+ &_krb5_checksum_rsa_md5_des3,
+ 0,
+ _krb5_evp_encrypt,
+ 0,
+ NULL
+};
+#endif
+
+struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
+ ETYPE_DES3_CBC_SHA1,
+ "des3-cbc-sha1",
+ 8,
+ 8,
+ 8,
+ &keytype_des3_derived,
+ &_krb5_checksum_sha1,
+ &_krb5_checksum_hmac_sha1_des3,
+ F_DERIVED,
+ _krb5_evp_encrypt,
+ 0,
+ NULL
+};
+
+#ifdef DES3_OLD_ENCTYPE
+struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = {
+ ETYPE_OLD_DES3_CBC_SHA1,
+ "old-des3-cbc-sha1",
+ 8,
+ 8,
+ 8,
+ &keytype_des3,
+ &_krb5_checksum_sha1,
+ &_krb5_checksum_hmac_sha1_des3,
+ 0,
+ _krb5_evp_encrypt,
+ 0,
+ NULL
+};
+#endif
+
+struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = {
+ ETYPE_DES3_CBC_NONE,
+ "des3-cbc-none",
+ 8,
+ 8,
+ 0,
+ &keytype_des3_derived,
+ &_krb5_checksum_none,
+ NULL,
+ F_PSEUDO,
+ _krb5_evp_encrypt,
+ 0,
+ NULL
+};
+
+void
+_krb5_DES3_random_to_key(krb5_context context,
+ krb5_keyblock *key,
+ const void *data,
+ size_t size)
+{
+ unsigned char *x = key->keyvalue.data;
+ const u_char *q = data;
+ DES_cblock *k;
+ int i, j;
+
+ memset(key->keyvalue.data, 0, key->keyvalue.length);
+ for (i = 0; i < 3; ++i) {
+ unsigned char foo;
+ for (j = 0; j < 7; ++j) {
+ unsigned char b = q[7 * i + j];
+
+ x[8 * i + j] = b;
+ }
+ foo = 0;
+ for (j = 6; j >= 0; --j) {
+ foo |= q[7 * i + j] & 1;
+ foo <<= 1;
+ }
+ x[8 * i + 7] = foo;
+ }
+ k = key->keyvalue.data;
+ for (i = 0; i < 3; i++) {
+ DES_set_odd_parity(&k[i]);
+ if(DES_is_weak_key(&k[i]))
+ _krb5_xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+ }
+}
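Review bot: `_krb5_DES3_random_to_key` has no comment explaining its bit manipulation, and the empty `/* */` block near the top of the file adds nothing. A short header would help, for example `/* Expand 21 input bytes into three 8-byte DES keys: copy 7 bytes, pack their low bits into the 8th, then fix parity and adjust weak keys. */`. Renaming `foo` to something like `lowbits`, removing the redundant temporary `b`, and declaring `q` as `const unsigned char *` rather than `const u_char *` would make the function consistent with the `unsigned char *x` beside it.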
diff --git a/crypto/heimdal/lib/krb5/crypto-evp.c b/crypto/heimdal/lib/krb5/crypto-evp.c
new file mode 100644
index 000000000000..e8fb1caf6ae8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-evp.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+void
+_krb5_evp_schedule(krb5_context context,
+ struct _krb5_key_type *kt,
+ struct _krb5_key_data *kd)
+{
+ struct _krb5_evp_schedule *key = kd->schedule->data;
+ const EVP_CIPHER *c = (*kt->evp)();
+
+ EVP_CIPHER_CTX_init(&key->ectx);
+ EVP_CIPHER_CTX_init(&key->dctx);
+
+ EVP_CipherInit_ex(&key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1);
+ EVP_CipherInit_ex(&key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0);
+}
+
+void
+_krb5_evp_cleanup(krb5_context context, struct _krb5_key_data *kd)
+{
+ struct _krb5_evp_schedule *key = kd->schedule->data;
+ EVP_CIPHER_CTX_cleanup(&key->ectx);
+ EVP_CIPHER_CTX_cleanup(&key->dctx);
+}
+
+krb5_error_code
+_krb5_evp_encrypt(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ if (ivec == NULL) {
+ /* alloca ? */
+ size_t len2 = EVP_CIPHER_CTX_iv_length(c);
+ void *loiv = malloc(len2);
+ if (loiv == NULL) {
+ krb5_clear_error_message(context);
+ return ENOMEM;
+ }
+ memset(loiv, 0, len2);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1);
+ free(loiv);
+ } else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+}
+
+static const unsigned char zero_ivec[EVP_MAX_BLOCK_LENGTH] = { 0 };
+
+krb5_error_code
+_krb5_evp_encrypt_cts(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t i, blocksize;
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ unsigned char *p;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+
+ if (len < blocksize) {
+ krb5_set_error_message(context, EINVAL,
+ "message block too short");
+ return EINVAL;
+ } else if (len == blocksize) {
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+ }
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ if (encryptp) {
+
+ p = data;
+ i = ((len - 1) / blocksize) * blocksize;
+ EVP_Cipher(c, p, p, i);
+ p += i - blocksize;
+ len -= i;
+ memcpy(ivec2, p, blocksize);
+
+ for (i = 0; i < len; i++)
+ tmp[i] = p[i + blocksize] ^ ivec2[i];
+ for (; i < blocksize; i++)
+ tmp[i] = 0 ^ ivec2[i];
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, p, tmp, blocksize);
+
+ memcpy(p + blocksize, ivec2, len);
+ if (ivec)
+ memcpy(ivec, p, blocksize);
+ } else {
+ unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+
+ p = data;
+ if (len > blocksize * 2) {
+ /* remove last two blocks and round up, decrypt this with cbc, then do cts dance */
+ i = ((((len - blocksize * 2) + blocksize - 1) / blocksize) * blocksize);
+ memcpy(ivec2, p + i - blocksize, blocksize);
+ EVP_Cipher(c, p, p, i);
+ p += i;
+ len -= i + blocksize;
+ } else {
+ if (ivec)
+ memcpy(ivec2, ivec, blocksize);
+ else
+ memcpy(ivec2, zero_ivec, blocksize);
+ len -= blocksize;
+ }
+
+ memcpy(tmp, p, blocksize);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp2, p, blocksize);
+
+ memcpy(tmp3, p + blocksize, len);
+ memcpy(tmp3 + len, tmp2 + len, blocksize - len); /* xor 0 */
+
+ for (i = 0; i < len; i++)
+ p[i + blocksize] = tmp2[i] ^ tmp3[i];
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, p, tmp3, blocksize);
+
+ for (i = 0; i < blocksize; i++)
+ p[i] ^= ivec2[i];
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+ }
+ return 0;
+}
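Review bot: Every `EVP_CipherInit_ex` and `EVP_Cipher` result in `_krb5_evp_schedule`, `_krb5_evp_encrypt` and `_krb5_evp_encrypt_cts` is discarded, so both encrypt functions return 0 even when the cipher call failed. Because the operation is in place, a failed encrypt can leave the caller's plaintext in `data` while reporting success. Checking the calls would surface this, for example `if (EVP_Cipher(c, data, data, len) != 1) return KRB5_CRYPTO_INTERNAL;`, with the success value confirmed against the EVP implementation this tree links. `_krb5_evp_schedule` returns void, so a failed key setup there is also invisible to the caller.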
diff --git a/crypto/heimdal/lib/krb5/crypto-null.c b/crypto/heimdal/lib/krb5/crypto-null.c
new file mode 100644
index 000000000000..3b643123f529
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-null.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifndef HEIMDAL_SMALLER
+#define DES3_OLD_ENCTYPE 1
+#endif
+
+static struct _krb5_key_type keytype_null = {
+ ENCTYPE_NULL,
+ "null",
+ 0,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ NULL
+};
+
+static krb5_error_code
+NONE_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return 0;
+}
+
+struct _krb5_checksum_type _krb5_checksum_none = {
+ CKSUMTYPE_NONE,
+ "none",
+ 1,
+ 0,
+ 0,
+ NONE_checksum,
+ NULL
+};
+
+static krb5_error_code
+NULL_encrypt(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ return 0;
+}
+
+struct _krb5_encryption_type _krb5_enctype_null = {
+ ETYPE_NULL,
+ "null",
+ 1,
+ 1,
+ 0,
+ &keytype_null,
+ &_krb5_checksum_none,
+ NULL,
+ F_DISABLED,
+ NULL_encrypt,
+ 0,
+ NULL
+};
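Review bot: `#define DES3_OLD_ENCTYPE 1` near the top is not referenced anywhere in this file and can be dropped. Separately, `_krb5_enctype_null` pairs `NULL_encrypt`, which returns 0 without touching `data`, with `_krb5_checksum_none`, so `F_DISABLED` appears to be what keeps an identity cipher with no integrity check out of use. A comment on that field would protect it from a later cleanup, e.g. `/* must stay F_DISABLED: NULL_encrypt leaves data as plaintext */`.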
diff --git a/crypto/heimdal/lib/krb5/crypto-pk.c b/crypto/heimdal/lib/krb5/crypto-pk.c
new file mode 100644
index 000000000000..7fedb65c9ede
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-pk.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#include <pkinit_asn1.h>
+
+krb5_error_code
+_krb5_pk_octetstring2key(krb5_context context,
+ krb5_enctype type,
+ const void *dhdata,
+ size_t dhsize,
+ const heim_octet_string *c_n,
+ const heim_octet_string *k_n,
+ krb5_keyblock *key)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
+ krb5_error_code ret;
+ size_t keylen, offset;
+ void *keydata;
+ unsigned char counter;
+ unsigned char shaoutput[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *m;
+
+ if(et == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ type);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ keylen = (et->keytype->bits + 7) / 8;
+
+ keydata = malloc(keylen);
+ if (keydata == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ free(keydata);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ counter = 0;
+ offset = 0;
+ do {
+
+ EVP_DigestInit_ex(m, EVP_sha1(), NULL);
+ EVP_DigestUpdate(m, &counter, 1);
+ EVP_DigestUpdate(m, dhdata, dhsize);
+
+ if (c_n)
+ EVP_DigestUpdate(m, c_n->data, c_n->length);
+ if (k_n)
+ EVP_DigestUpdate(m, k_n->data, k_n->length);
+
+ EVP_DigestFinal_ex(m, shaoutput, NULL);
+
+ memcpy((unsigned char *)keydata + offset,
+ shaoutput,
+ min(keylen - offset, sizeof(shaoutput)));
+
+ offset += sizeof(shaoutput);
+ counter++;
+ } while(offset < keylen);
+ memset(shaoutput, 0, sizeof(shaoutput));
+
+ EVP_MD_CTX_destroy(m);
+
+ ret = krb5_random_to_key(context, type, keydata, keylen, key);
+ memset(keydata, 0, sizeof(keylen));
+ free(keydata);
+ return ret;
+}
+
+static krb5_error_code
+encode_uvinfo(krb5_context context, krb5_const_principal p, krb5_data *data)
+{
+ KRB5PrincipalName pn;
+ krb5_error_code ret;
+ size_t size = 0;
+
+ pn.principalName = p->name;
+ pn.realm = p->realm;
+
+ ASN1_MALLOC_ENCODE(KRB5PrincipalName, data->data, data->length,
+ &pn, &size, ret);
+ if (ret) {
+ krb5_data_zero(data);
+ krb5_set_error_message(context, ret,
+ N_("Failed to encode KRB5PrincipalName", ""));
+ return ret;
+ }
+ if (data->length != size)
+ krb5_abortx(context, "asn1 compiler internal error");
+ return 0;
+}
+
+static krb5_error_code
+encode_otherinfo(krb5_context context,
+ const AlgorithmIdentifier *ai,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_enctype enctype,
+ const krb5_data *as_req,
+ const krb5_data *pk_as_rep,
+ const Ticket *ticket,
+ krb5_data *other)
+{
+ PkinitSP80056AOtherInfo otherinfo;
+ PkinitSuppPubInfo pubinfo;
+ krb5_error_code ret;
+ krb5_data pub;
+ size_t size = 0;
+
+ krb5_data_zero(other);
+ memset(&otherinfo, 0, sizeof(otherinfo));
+ memset(&pubinfo, 0, sizeof(pubinfo));
+
+ pubinfo.enctype = enctype;
+ pubinfo.as_REQ = *as_req;
+ pubinfo.pk_as_rep = *pk_as_rep;
+ pubinfo.ticket = *ticket;
+ ASN1_MALLOC_ENCODE(PkinitSuppPubInfo, pub.data, pub.length,
+ &pubinfo, &size, ret);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
+ }
+ if (pub.length != size)
+ krb5_abortx(context, "asn1 compiler internal error");
+
+ ret = encode_uvinfo(context, client, &otherinfo.partyUInfo);
+ if (ret) {
+ free(pub.data);
+ return ret;
+ }
+ ret = encode_uvinfo(context, server, &otherinfo.partyVInfo);
+ if (ret) {
+ free(otherinfo.partyUInfo.data);
+ free(pub.data);
+ return ret;
+ }
+
+ otherinfo.algorithmID = *ai;
+ otherinfo.suppPubInfo = &pub;
+
+ ASN1_MALLOC_ENCODE(PkinitSP80056AOtherInfo, other->data, other->length,
+ &otherinfo, &size, ret);
+ free(otherinfo.partyUInfo.data);
+ free(otherinfo.partyVInfo.data);
+ free(pub.data);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
+ }
+ if (other->length != size)
+ krb5_abortx(context, "asn1 compiler internal error");
+
+ return 0;
+}
+
+
+
+krb5_error_code
+_krb5_pk_kdf(krb5_context context,
+ const struct AlgorithmIdentifier *ai,
+ const void *dhdata,
+ size_t dhsize,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_enctype enctype,
+ const krb5_data *as_req,
+ const krb5_data *pk_as_rep,
+ const Ticket *ticket,
+ krb5_keyblock *key)
+{
+ struct _krb5_encryption_type *et;
+ krb5_error_code ret;
+ krb5_data other;
+ size_t keylen, offset;
+ uint32_t counter;
+ unsigned char *keydata;
+ unsigned char shaoutput[SHA512_DIGEST_LENGTH];
+ const EVP_MD *md;
+ EVP_MD_CTX *m;
+
+ if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) {
+ md = EVP_sha1();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) {
+ md = EVP_sha256();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) {
+ md = EVP_sha512();
+ } else {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("KDF not supported", ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ if (ai->parameters != NULL &&
+ (ai->parameters->length != 2 ||
+ memcmp(ai->parameters->data, "\x05\x00", 2) != 0))
+ {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("kdf params not NULL or the NULL-type",
+ ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+
+ et = _krb5_find_enctype(enctype);
+ if(et == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ enctype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ keylen = (et->keytype->bits + 7) / 8;
+
+ keydata = malloc(keylen);
+ if (keydata == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = encode_otherinfo(context, ai, client, server,
+ enctype, as_req, pk_as_rep, ticket, &other);
+ if (ret) {
+ free(keydata);
+ return ret;
+ }
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ free(keydata);
+ free(other.data);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ offset = 0;
+ counter = 1;
+ do {
+ unsigned char cdata[4];
+
+ EVP_DigestInit_ex(m, md, NULL);
+ _krb5_put_int(cdata, counter, 4);
+ EVP_DigestUpdate(m, cdata, 4);
+ EVP_DigestUpdate(m, dhdata, dhsize);
+ EVP_DigestUpdate(m, other.data, other.length);
+
+ EVP_DigestFinal_ex(m, shaoutput, NULL);
+
+ memcpy((unsigned char *)keydata + offset,
+ shaoutput,
+ min(keylen - offset, EVP_MD_CTX_size(m)));
+
+ offset += EVP_MD_CTX_size(m);
+ counter++;
+ } while(offset < keylen);
+ memset(shaoutput, 0, sizeof(shaoutput));
+
+ EVP_MD_CTX_destroy(m);
+ free(other.data);
+
+ ret = krb5_random_to_key(context, enctype, keydata, keylen, key);
+ memset(keydata, 0, sizeof(keylen));
+ free(keydata);
+
+ return ret;
+}
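Review bot: `memset(keydata, 0, sizeof(keylen));` at the end of `_krb5_pk_octetstring2key` clears only `sizeof(size_t)` bytes rather than the `keylen` bytes of derived key material, so for any key longer than that the remainder stays in the freed heap block. The same line ends `_krb5_pk_kdf`. Both should read `memset(keydata, 0, keylen);`. A plain `memset` directly before `free()` (and the one on `shaoutput`) may also be removed by the optimizer, so a zeroing routine the compiler cannot elide is preferable if the tree provides one.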
diff --git a/crypto/heimdal/lib/krb5/crypto-rand.c b/crypto/heimdal/lib/krb5/crypto-rand.c
new file mode 100644
index 000000000000..49bd67936259
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-rand.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#define ENTROPY_NEEDED 128
+
+static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
+
+static int
+seed_something(void)
+{
+ char buf[1024], seedfile[256];
+
+ /* If there is a seed file, load it. But such a file cannot be trusted,
+ so use 0 for the entropy estimate */
+ if (RAND_file_name(seedfile, sizeof(seedfile))) {
+ int fd;
+ fd = open(seedfile, O_RDONLY | O_BINARY | O_CLOEXEC);
+ if (fd >= 0) {
+ ssize_t ret;
+ rk_cloexec(fd);
+ ret = read(fd, buf, sizeof(buf));
+ if (ret > 0)
+ RAND_add(buf, ret, 0.0);
+ close(fd);
+ } else
+ seedfile[0] = '\0';
+ } else
+ seedfile[0] = '\0';
+
+ /* Calling RAND_status() will try to use /dev/urandom if it exists so
+ we do not have to deal with it. */
+ if (RAND_status() != 1) {
+#ifndef _WIN32
+ krb5_context context;
+ const char *p;
+
+ /* Try using egd */
+ if (!krb5_init_context(&context)) {
+ p = krb5_config_get_string(context, NULL, "libdefaults",
+ "egd_socket", NULL);
+ if (p != NULL)
+ RAND_egd_bytes(p, ENTROPY_NEEDED);
+ krb5_free_context(context);
+ }
+#else
+ /* TODO: Once a Windows CryptoAPI RAND method is defined, we
+ can use that and failover to another method. */
+#endif
+ }
+
+ if (RAND_status() == 1) {
+ /* Update the seed file */
+ if (seedfile[0])
+ RAND_write_file(seedfile);
+
+ return 0;
+ } else
+ return -1;
+}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_generate_random_block(void *buf, size_t len)
+{
+ static int rng_initialized = 0;
+
+ HEIMDAL_MUTEX_lock(&crypto_mutex);
+ if (!rng_initialized) {
+ if (seed_something())
+ krb5_abortx(NULL, "Fatal: could not seed the "
+ "random number generator");
+
+ rng_initialized = 1;
+ }
+ HEIMDAL_MUTEX_unlock(&crypto_mutex);
+ if (RAND_bytes(buf, len) <= 0)
+ krb5_abortx(NULL, "Failed to generate random block");
+}
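Review bot: `krb5_generate_random_block` passes its `size_t len` straight to `RAND_bytes`, and if that resolves to OpenSSL's `RAND_bytes`, the count parameter is an `int`. A request larger than `INT_MAX` would then be narrowed, and a value that wraps to a small positive count would return success with most of `buf` never filled. A bound before the call, `if (len > INT_MAX) krb5_abortx(NULL, "random block too large");`, keeps the existing abort-on-failure contract. This should be confirmed against the RAND implementation the build links, since one that takes `size_t` does not need the check.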
diff --git a/crypto/heimdal/lib/krb5/crypto-stubs.c b/crypto/heimdal/lib/krb5/crypto-stubs.c
new file mode 100644
index 000000000000..b462680643fb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto-stubs.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <krb5_locl.h>
+
+/* These are stub functions for the standalone RFC3961 crypto library */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_context(krb5_context *context)
+{
+ krb5_context p;
+
+ *context = NULL;
+
+ /* should have a run_once */
+ bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
+
+ p = calloc(1, sizeof(*p));
+ if(!p)
+ return ENOMEM;
+
+ p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
+ if (p->mutex == NULL) {
+ free(p);
+ return ENOMEM;
+ }
+ HEIMDAL_MUTEX_init(p->mutex);
+
+ *context = p;
+ return 0;
+}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_context(krb5_context context)
+{
+ krb5_clear_error_message(context);
+
+ HEIMDAL_MUTEX_destroy(context->mutex);
+ free(context->mutex);
+ if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
+ rk_SOCK_EXIT();
+ }
+
+ memset(context, 0, sizeof(*context));
+ free(context);
+}
+
+krb5_boolean
+_krb5_homedir_access(krb5_context context) {
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_log(krb5_context context,
+ krb5_log_facility *fac,
+ int level,
+ const char *fmt,
+ ...)
+{
+ return 0;
+}
+
+/* This function is currently just used to get the location of the EGD
+ * socket. If we're not using an EGD, then we can just return NULL */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_config_get_string (krb5_context context,
+ const krb5_config_section *c,
+ ...)
+{
+ return NULL;
+}
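Review bot: `krb5_free_context` reads `context->mutex` and `context->flags` with no NULL check, while `krb5_init_context` in the same file leaves `*context` as NULL on every failure path. A caller that frees unconditionally after a failed init would therefore dereference NULL. Adding `if (context == NULL) return;` as the first statement makes the stub safe for that pattern.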
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
index 21d10261bd7d..4b66035155dd 100644
--- a/crypto/heimdal/lib/krb5/crypto.c
+++ b/crypto/heimdal/lib/krb5/crypto.c
@@ -1,1135 +1,146 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c 22200 2007-12-07 13:48:01Z lha $");
-/* RCSID("$FreeBSD$"); */
-#undef CRYPTO_DEBUG
-#ifdef CRYPTO_DEBUG
-static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*);
-#endif
-
-
-struct key_data {
- krb5_keyblock *key;
- krb5_data *schedule;
-};
-
-struct key_usage {
+struct _krb5_key_usage {
unsigned usage;
- struct key_data key;
+ struct _krb5_key_data key;
};
-struct krb5_crypto_data {
- struct encryption_type *et;
- struct key_data key;
- int num_key_usage;
- struct key_usage *key_usage;
-};
-#define CRYPTO_ETYPE(C) ((C)->et->type)
-
-/* bits for `flags' below */
-#define F_KEYED 1 /* checksum is keyed */
-#define F_CPROOF 2 /* checksum is collision proof */
-#define F_DERIVED 4 /* uses derived keys */
-#define F_VARIANT 8 /* uses `variant' keys (6.4.3) */
-#define F_PSEUDO 16 /* not a real protocol type */
-#define F_SPECIAL 32 /* backwards */
-#define F_DISABLED 64 /* enctype/checksum disabled */
-
-struct salt_type {
- krb5_salttype type;
- const char *name;
- krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
- krb5_salt, krb5_data, krb5_keyblock*);
-};
-
-struct key_type {
- krb5_keytype type; /* XXX */
- const char *name;
- size_t bits;
- size_t size;
- size_t schedule_size;
-#if 0
- krb5_enctype best_etype;
+#ifndef HEIMDAL_SMALLER
+#define DES3_OLD_ENCTYPE 1
#endif
- void (*random_key)(krb5_context, krb5_keyblock*);
- void (*schedule)(krb5_context, struct key_data *);
- struct salt_type *string_to_key;
- void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
-};
-
-struct checksum_type {
- krb5_cksumtype type;
- const char *name;
- size_t blocksize;
- size_t checksumsize;
- unsigned flags;
- void (*checksum)(krb5_context context,
- struct key_data *key,
- const void *buf, size_t len,
- unsigned usage,
- Checksum *csum);
- krb5_error_code (*verify)(krb5_context context,
- struct key_data *key,
- const void *buf, size_t len,
- unsigned usage,
- Checksum *csum);
-};
-
-struct encryption_type {
- krb5_enctype type;
- const char *name;
- heim_oid *oid;
- size_t blocksize;
- size_t padsize;
- size_t confoundersize;
- struct key_type *keytype;
- struct checksum_type *checksum;
- struct checksum_type *keyed_checksum;
- unsigned flags;
- krb5_error_code (*encrypt)(krb5_context context,
- struct key_data *key,
- void *data, size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec);
- size_t prf_length;
- krb5_error_code (*prf)(krb5_context,
- krb5_crypto, const krb5_data *, krb5_data *);
-};
-
-#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
-#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
-#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
-
-static struct checksum_type *_find_checksum(krb5_cksumtype type);
-static struct encryption_type *_find_enctype(krb5_enctype type);
-static struct key_type *_find_keytype(krb5_keytype type);
-static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
- unsigned, struct key_data**);
-static struct key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
-static krb5_error_code derive_key(krb5_context context,
- struct encryption_type *et,
- struct key_data *key,
- const void *constant,
- size_t len);
-static krb5_error_code hmac(krb5_context context,
- struct checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct key_data *keyblock,
- Checksum *result);
-static void free_key_data(krb5_context context, struct key_data *key);
-static krb5_error_code usage2arcfour (krb5_context, unsigned *);
-static void xor (DES_cblock *, const unsigned char *);
-
-/************************************************************
- * *
- ************************************************************/
-
-static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
-
-
-static void
-krb5_DES_random_key(krb5_context context,
- krb5_keyblock *key)
-{
- DES_cblock *k = key->keyvalue.data;
- do {
- krb5_generate_random_block(k, sizeof(DES_cblock));
- DES_set_odd_parity(k);
- } while(DES_is_weak_key(k));
-}
-
-static void
-krb5_DES_schedule(krb5_context context,
- struct key_data *key)
-{
- DES_set_key(key->key->keyvalue.data, key->schedule->data);
-}
-
-#ifdef ENABLE_AFS_STRING_TO_KEY
-
-/* This defines the Andrew string_to_key function. It accepts a password
- * string as input and converts it via a one-way encryption algorithm to a DES
- * encryption key. It is compatible with the original Andrew authentication
- * service password database.
- */
-
-/*
- * Short passwords, i.e 8 characters or less.
- */
-static void
-krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
- krb5_data cell,
- DES_cblock *key)
-{
- char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
-
- for(i = 0; i < 8; i++) {
- char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
- ((i < cell.length) ?
- tolower(((unsigned char*)cell.data)[i]) : 0);
- password[i] = c ? c : 'X';
- }
- password[8] = '\0';
-
- memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
-
- /* parity is inserted into the LSB so left shift each byte up one
- bit. This allows ascii characters with a zero MSB to retain as
- much significance as possible. */
- for (i = 0; i < sizeof(DES_cblock); i++)
- ((unsigned char*)key)[i] <<= 1;
- DES_set_odd_parity (key);
-}
-
-/*
- * Long passwords, i.e 9 characters or more.
- */
-static void
-krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
- krb5_data cell,
- DES_cblock *key)
-{
- DES_key_schedule schedule;
- DES_cblock temp_key;
- DES_cblock ivec;
- char password[512];
- size_t passlen;
-
- memcpy(password, pw.data, min(pw.length, sizeof(password)));
- if(pw.length < sizeof(password)) {
- int len = min(cell.length, sizeof(password) - pw.length);
- int i;
-
- memcpy(password + pw.length, cell.data, len);
- for (i = pw.length; i < pw.length + len; ++i)
- password[i] = tolower((unsigned char)password[i]);
- }
- passlen = min(sizeof(password), pw.length + cell.length);
- memcpy(&ivec, "kerberos", 8);
- memcpy(&temp_key, "kerberos", 8);
- DES_set_odd_parity (&temp_key);
- DES_set_key (&temp_key, &schedule);
- DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
-
- memcpy(&temp_key, &ivec, 8);
- DES_set_odd_parity (&temp_key);
- DES_set_key (&temp_key, &schedule);
- DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
- memset(&schedule, 0, sizeof(schedule));
- memset(&temp_key, 0, sizeof(temp_key));
- memset(&ivec, 0, sizeof(ivec));
- memset(password, 0, sizeof(password));
-
- DES_set_odd_parity (key);
-}
-
-static krb5_error_code
-DES_AFS3_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- DES_cblock tmp;
- if(password.length > 8)
- krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
- else
- krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
- memset(&key, 0, sizeof(key));
- return 0;
-}
-#endif /* ENABLE_AFS_STRING_TO_KEY */
-
-static void
-DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
-{
- DES_key_schedule schedule;
- int i;
- int reverse = 0;
- unsigned char *p;
-
- unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
- 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
- memset(key, 0, 8);
-
- p = (unsigned char*)key;
- for (i = 0; i < length; i++) {
- unsigned char tmp = data[i];
- if (!reverse)
- *p++ ^= (tmp << 1);
- else
- *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
- if((i % 8) == 7)
- reverse = !reverse;
- }
- DES_set_odd_parity(key);
- if(DES_is_weak_key(key))
- (*key)[7] ^= 0xF0;
- DES_set_key(key, &schedule);
- DES_cbc_cksum((void*)data, key, length, &schedule, key);
- memset(&schedule, 0, sizeof(schedule));
- DES_set_odd_parity(key);
- if(DES_is_weak_key(key))
- (*key)[7] ^= 0xF0;
-}
-
-static krb5_error_code
-krb5_DES_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- unsigned char *s;
- size_t len;
- DES_cblock tmp;
-
-#ifdef ENABLE_AFS_STRING_TO_KEY
- if (opaque.length == 1) {
- unsigned long v;
- _krb5_get_int(opaque.data, &v, 1);
- if (v == 1)
- return DES_AFS3_string_to_key(context, enctype, password,
- salt, opaque, key);
- }
-#endif
-
- len = password.length + salt.saltvalue.length;
- s = malloc(len);
- if(len > 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(s, password.data, password.length);
- memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
- DES_string_to_key_int(s, len, &tmp);
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
- memset(&tmp, 0, sizeof(tmp));
- memset(s, 0, len);
- free(s);
- return 0;
-}
-
-static void
-krb5_DES_random_to_key(krb5_context context,
- krb5_keyblock *key,
- const void *data,
- size_t size)
-{
- DES_cblock *k = key->keyvalue.data;
- memcpy(k, data, key->keyvalue.length);
- DES_set_odd_parity(k);
- if(DES_is_weak_key(k))
- xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
-}
-
-/*
- *
- */
-static void
-DES3_random_key(krb5_context context,
- krb5_keyblock *key)
-{
- DES_cblock *k = key->keyvalue.data;
- do {
- krb5_generate_random_block(k, 3 * sizeof(DES_cblock));
- DES_set_odd_parity(&k[0]);
- DES_set_odd_parity(&k[1]);
- DES_set_odd_parity(&k[2]);
- } while(DES_is_weak_key(&k[0]) ||
- DES_is_weak_key(&k[1]) ||
- DES_is_weak_key(&k[2]));
-}
+static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
+ unsigned, struct _krb5_key_data**);
+static struct _krb5_key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
-static void
-DES3_schedule(krb5_context context,
- struct key_data *key)
-{
- DES_cblock *k = key->key->keyvalue.data;
- DES_key_schedule *s = key->schedule->data;
- DES_set_key(&k[0], &s[0]);
- DES_set_key(&k[1], &s[1]);
- DES_set_key(&k[2], &s[2]);
-}
+static void free_key_schedule(krb5_context,
+ struct _krb5_key_data *,
+ struct _krb5_encryption_type *);
-/*
- * A = A xor B. A & B are 8 bytes.
+/*
+ * Converts etype to a user readable string and sets as a side effect
+ * the krb5_error_message containing this string. Returns
+ * KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
+ * which case the error code of the etype convesion is returned.
*/
-static void
-xor (DES_cblock *key, const unsigned char *b)
-{
- unsigned char *a = (unsigned char*)key;
- a[0] ^= b[0];
- a[1] ^= b[1];
- a[2] ^= b[2];
- a[3] ^= b[3];
- a[4] ^= b[4];
- a[5] ^= b[5];
- a[6] ^= b[6];
- a[7] ^= b[7];
-}
-
static krb5_error_code
-DES3_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
+unsupported_enctype(krb5_context context, krb5_enctype etype)
{
- char *str;
- size_t len;
- unsigned char tmp[24];
- DES_cblock keys[3];
krb5_error_code ret;
-
- len = password.length + salt.saltvalue.length;
- str = malloc(len);
- if(len != 0 && str == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(str, password.data, password.length);
- memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
- {
- DES_cblock ivec;
- DES_key_schedule s[3];
- int i;
-
- ret = _krb5_n_fold(str, len, tmp, 24);
- if (ret) {
- memset(str, 0, len);
- free(str);
- krb5_set_error_string(context, "out of memory");
- return ret;
- }
-
- for(i = 0; i < 3; i++){
- memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
- DES_set_odd_parity(keys + i);
- if(DES_is_weak_key(keys + i))
- xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
- DES_set_key(keys + i, &s[i]);
- }
- memset(&ivec, 0, sizeof(ivec));
- DES_ede3_cbc_encrypt(tmp,
- tmp, sizeof(tmp),
- &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT);
- memset(s, 0, sizeof(s));
- memset(&ivec, 0, sizeof(ivec));
- for(i = 0; i < 3; i++){
- memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
- DES_set_odd_parity(keys + i);
- if(DES_is_weak_key(keys + i))
- xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
- }
- memset(tmp, 0, sizeof(tmp));
- }
- key->keytype = enctype;
- krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
- memset(keys, 0, sizeof(keys));
- memset(str, 0, len);
- free(str);
- return 0;
-}
-
-static krb5_error_code
-DES3_string_to_key_derived(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- size_t len = password.length + salt.saltvalue.length;
- char *s;
-
- s = malloc(len);
- if(len != 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- memcpy(s, password.data, password.length);
- memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
- ret = krb5_string_to_key_derived(context,
- s,
- len,
- enctype,
- key);
- memset(s, 0, len);
- free(s);
- return ret;
-}
-
-static void
-DES3_random_to_key(krb5_context context,
- krb5_keyblock *key,
- const void *data,
- size_t size)
-{
- unsigned char *x = key->keyvalue.data;
- const u_char *q = data;
- DES_cblock *k;
- int i, j;
-
- memset(x, 0, sizeof(x));
- for (i = 0; i < 3; ++i) {
- unsigned char foo;
- for (j = 0; j < 7; ++j) {
- unsigned char b = q[7 * i + j];
-
- x[8 * i + j] = b;
- }
- foo = 0;
- for (j = 6; j >= 0; --j) {
- foo |= q[7 * i + j] & 1;
- foo <<= 1;
- }
- x[8 * i + 7] = foo;
- }
- k = key->keyvalue.data;
- for (i = 0; i < 3; i++) {
- DES_set_odd_parity(&k[i]);
- if(DES_is_weak_key(&k[i]))
- xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
- }
-}
-
-/*
- * ARCFOUR
- */
-
-static void
-ARCFOUR_schedule(krb5_context context,
- struct key_data *kd)
-{
- RC4_set_key (kd->schedule->data,
- kd->key->keyvalue.length, kd->key->keyvalue.data);
-}
-
-static krb5_error_code
-ARCFOUR_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- char *s, *p;
- size_t len;
- int i;
- MD4_CTX m;
- krb5_error_code ret;
-
- len = 2 * password.length;
- s = malloc (len);
- if (len != 0 && s == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto out;
- }
- for (p = s, i = 0; i < password.length; ++i) {
- *p++ = ((char *)password.data)[i];
- *p++ = 0;
- }
- MD4_Init (&m);
- MD4_Update (&m, s, len);
- key->keytype = enctype;
- ret = krb5_data_alloc (&key->keyvalue, 16);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- goto out;
- }
- MD4_Final (key->keyvalue.data, &m);
- memset (s, 0, len);
- ret = 0;
-out:
- free (s);
- return ret;
-}
-
-/*
- * AES
- */
-
-int _krb5_AES_string_to_default_iterator = 4096;
-
-static krb5_error_code
-AES_string_to_key(krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- uint32_t iter;
- struct encryption_type *et;
- struct key_data kd;
-
- if (opaque.length == 0)
- iter = _krb5_AES_string_to_default_iterator;
- else if (opaque.length == 4) {
- unsigned long v;
- _krb5_get_int(opaque.data, &v, 4);
- iter = ((uint32_t)v);
- } else
- return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
-
- et = _find_enctype(enctype);
- if (et == NULL)
- return KRB5_PROG_KEYTYPE_NOSUPP;
-
- kd.schedule = NULL;
- ALLOC(kd.key, 1);
- if(kd.key == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- kd.key->keytype = enctype;
- ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
- if (ret) {
- krb5_set_error_string(context, "Failed to allocate pkcs5 key");
- return ret;
- }
-
- ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
- salt.saltvalue.data, salt.saltvalue.length,
- iter,
- et->keytype->size, kd.key->keyvalue.data);
- if (ret != 1) {
- free_key_data(context, &kd);
- krb5_set_error_string(context, "Error calculating s2k");
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
-
- ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
- if (ret == 0)
- ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
-
- return ret;
-}
-
-struct krb5_aes_schedule {
- AES_KEY ekey;
- AES_KEY dkey;
-};
-
-static void
-AES_schedule(krb5_context context,
- struct key_data *kd)
-{
- struct krb5_aes_schedule *key = kd->schedule->data;
- int bits = kd->key->keyvalue.length * 8;
-
- memset(key, 0, sizeof(*key));
- AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey);
- AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey);
-}
-
-/*
- *
- */
-
-static struct salt_type des_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- krb5_DES_string_to_key
- },
-#ifdef ENABLE_AFS_STRING_TO_KEY
- {
- KRB5_AFS3_SALT,
- "afs3-salt",
- DES_AFS3_string_to_key
- },
-#endif
- { 0 }
-};
-
-static struct salt_type des3_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- DES3_string_to_key
- },
- { 0 }
-};
-
-static struct salt_type des3_salt_derived[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- DES3_string_to_key_derived
- },
- { 0 }
-};
-
-static struct salt_type AES_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- AES_string_to_key
- },
- { 0 }
-};
-
-static struct salt_type arcfour_salt[] = {
- {
- KRB5_PW_SALT,
- "pw-salt",
- ARCFOUR_string_to_key
- },
- { 0 }
-};
-
-/*
- *
- */
-
-static struct key_type keytype_null = {
- KEYTYPE_NULL,
- "null",
- 0,
- 0,
- 0,
- NULL,
- NULL,
- NULL
-};
-
-static struct key_type keytype_des = {
- KEYTYPE_DES,
- "des",
- 56,
- sizeof(DES_cblock),
- sizeof(DES_key_schedule),
- krb5_DES_random_key,
- krb5_DES_schedule,
- des_salt,
- krb5_DES_random_to_key
-};
-
-static struct key_type keytype_des3 = {
- KEYTYPE_DES3,
- "des3",
- 168,
- 3 * sizeof(DES_cblock),
- 3 * sizeof(DES_key_schedule),
- DES3_random_key,
- DES3_schedule,
- des3_salt,
- DES3_random_to_key
-};
-
-static struct key_type keytype_des3_derived = {
- KEYTYPE_DES3,
- "des3",
- 168,
- 3 * sizeof(DES_cblock),
- 3 * sizeof(DES_key_schedule),
- DES3_random_key,
- DES3_schedule,
- des3_salt_derived,
- DES3_random_to_key
-};
-
-static struct key_type keytype_aes128 = {
- KEYTYPE_AES128,
- "aes-128",
- 128,
- 16,
- sizeof(struct krb5_aes_schedule),
- NULL,
- AES_schedule,
- AES_salt
-};
-
-static struct key_type keytype_aes256 = {
- KEYTYPE_AES256,
- "aes-256",
- 256,
- 32,
- sizeof(struct krb5_aes_schedule),
- NULL,
- AES_schedule,
- AES_salt
-};
-
-static struct key_type keytype_arcfour = {
- KEYTYPE_ARCFOUR,
- "arcfour",
- 128,
- 16,
- sizeof(RC4_KEY),
- NULL,
- ARCFOUR_schedule,
- arcfour_salt
-};
-
-static struct key_type *keytypes[] = {
- &keytype_null,
- &keytype_des,
- &keytype_des3_derived,
- &keytype_des3,
- &keytype_aes128,
- &keytype_aes256,
- &keytype_arcfour
-};
-
-static int num_keytypes = sizeof(keytypes) / sizeof(keytypes[0]);
-
-static struct key_type *
-_find_keytype(krb5_keytype type)
-{
- int i;
- for(i = 0; i < num_keytypes; i++)
- if(keytypes[i]->type == type)
- return keytypes[i];
- return NULL;
-}
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_salttype_to_string (krb5_context context,
- krb5_enctype etype,
- krb5_salttype stype,
- char **string)
-{
- struct encryption_type *e;
- struct salt_type *st;
-
- e = _find_enctype (etype);
- if (e == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for (st = e->keytype->string_to_key; st && st->type; st++) {
- if (st->type == stype) {
- *string = strdup (st->name);
- if (*string == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- return 0;
- }
- }
- krb5_set_error_string(context, "salttype %d not supported", stype);
- return HEIM_ERR_SALTTYPE_NOSUPP;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_salttype (krb5_context context,
- krb5_enctype etype,
- const char *string,
- krb5_salttype *salttype)
-{
- struct encryption_type *e;
- struct salt_type *st;
-
- e = _find_enctype (etype);
- if (e == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for (st = e->keytype->string_to_key; st && st->type; st++) {
- if (strcasecmp (st->name, string) == 0) {
- *salttype = st->type;
- return 0;
- }
- }
- krb5_set_error_string(context, "salttype %s not supported", string);
- return HEIM_ERR_SALTTYPE_NOSUPP;
-}
+ char *name;
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_pw_salt(krb5_context context,
- krb5_const_principal principal,
- krb5_salt *salt)
-{
- size_t len;
- int i;
- krb5_error_code ret;
- char *p;
-
- salt->salttype = KRB5_PW_SALT;
- len = strlen(principal->realm);
- for (i = 0; i < principal->name.name_string.len; ++i)
- len += strlen(principal->name.name_string.val[i]);
- ret = krb5_data_alloc (&salt->saltvalue, len);
+ ret = krb5_enctype_to_string(context, etype, &name);
if (ret)
return ret;
- p = salt->saltvalue.data;
- memcpy (p, principal->realm, strlen(principal->realm));
- p += strlen(principal->realm);
- for (i = 0; i < principal->name.name_string.len; ++i) {
- memcpy (p,
- principal->name.name_string.val[i],
- strlen(principal->name.name_string.val[i]));
- p += strlen(principal->name.name_string.val[i]);
- }
- return 0;
-}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_free_salt(krb5_context context,
- krb5_salt salt)
-{
- krb5_data_free(&salt.saltvalue);
- return 0;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_data (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_principal principal,
- krb5_keyblock *key)
-{
- krb5_error_code ret;
- krb5_salt salt;
-
- ret = krb5_get_pw_salt(context, principal, &salt);
- if(ret)
- return ret;
- ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
- krb5_free_salt(context, salt);
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key (krb5_context context,
- krb5_enctype enctype,
- const char *password,
- krb5_principal principal,
- krb5_keyblock *key)
-{
- krb5_data pw;
- pw.data = rk_UNCONST(password);
- pw.length = strlen(password);
- return krb5_string_to_key_data(context, enctype, pw, principal, key);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_data_salt (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_keyblock *key)
-{
- krb5_data opaque;
- krb5_data_zero(&opaque);
- return krb5_string_to_key_data_salt_opaque(context, enctype, password,
- salt, opaque, key);
-}
-
-/*
- * Do a string -> key for encryption type `enctype' operation on
- * `password' (with salt `salt' and the enctype specific data string
- * `opaque'), returning the resulting key in `key'
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_data_salt_opaque (krb5_context context,
- krb5_enctype enctype,
- krb5_data password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- struct encryption_type *et =_find_enctype(enctype);
- struct salt_type *st;
- if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- enctype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- for(st = et->keytype->string_to_key; st && st->type; st++)
- if(st->type == salt.salttype)
- return (*st->string_to_key)(context, enctype, password,
- salt, opaque, key);
- krb5_set_error_string(context, "salt type %d not supported",
- salt.salttype);
- return HEIM_ERR_SALTTYPE_NOSUPP;
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("Encryption type %s not supported", ""),
+ name);
+ free(name);
+ return KRB5_PROG_ETYPE_NOSUPP;
}
/*
- * Do a string -> key for encryption type `enctype' operation on the
- * string `password' (with salt `salt'), returning the resulting key
- * in `key'
+ *
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_salt (krb5_context context,
- krb5_enctype enctype,
- const char *password,
- krb5_salt salt,
- krb5_keyblock *key)
-{
- krb5_data pw;
- pw.data = rk_UNCONST(password);
- pw.length = strlen(password);
- return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_salt_opaque (krb5_context context,
- krb5_enctype enctype,
- const char *password,
- krb5_salt salt,
- krb5_data opaque,
- krb5_keyblock *key)
-{
- krb5_data pw;
- pw.data = rk_UNCONST(password);
- pw.length = strlen(password);
- return krb5_string_to_key_data_salt_opaque(context, enctype,
- pw, salt, opaque, key);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_string(krb5_context context,
- krb5_keytype keytype,
- char **string)
-{
- struct key_type *kt = _find_keytype(keytype);
- if(kt == NULL) {
- krb5_set_error_string(context, "key type %d not supported", keytype);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
- *string = strdup(kt->name);
- if(*string == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- return 0;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_keytype(krb5_context context,
- const char *string,
- krb5_keytype *keytype)
-{
- int i;
- for(i = 0; i < num_keytypes; i++)
- if(strcasecmp(keytypes[i]->name, string) == 0){
- *keytype = keytypes[i]->type;
- return 0;
- }
- krb5_set_error_string(context, "key type %s not supported", string);
- return KRB5_PROG_KEYTYPE_NOSUPP;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_keysize(krb5_context context,
krb5_enctype type,
size_t *keysize)
{
- struct encryption_type *et = _find_enctype(type);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
*keysize = et->keytype->size;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_keybits(krb5_context context,
krb5_enctype type,
size_t *keybits)
{
- struct encryption_type *et = _find_enctype(type);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
*keybits = et->keytype->bits;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_random_keyblock(krb5_context context,
krb5_enctype type,
krb5_keyblock *key)
{
krb5_error_code ret;
- struct encryption_type *et = _find_enctype(type);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
- if(ret)
+ if(ret)
return ret;
key->keytype = type;
if(et->keytype->random_key)
(*et->keytype->random_key)(context, key);
else
- krb5_generate_random_block(key->keyvalue.data,
+ krb5_generate_random_block(key->keyvalue.data,
key->keyvalue.length);
return 0;
}
static krb5_error_code
_key_schedule(krb5_context context,
- struct key_data *key)
+ struct _krb5_key_data *key)
{
krb5_error_code ret;
- struct encryption_type *et = _find_enctype(key->key->keytype);
- struct key_type *kt = et->keytype;
+ struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
+ struct _krb5_key_type *kt;
+
+ if (et == NULL) {
+ return unsupported_enctype (context,
+ key->key->keytype);
+ }
+
+ kt = et->keytype;
if(kt->schedule == NULL)
return 0;
@@ -1137,7 +148,7 @@ _key_schedule(krb5_context context,
return 0;
ALLOC(key->schedule, 1);
if(key->schedule == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = krb5_data_alloc(key->schedule, kt->schedule_size);
@@ -1146,7 +157,7 @@ _key_schedule(krb5_context context,
key->schedule = NULL;
return ret;
}
- (*kt->schedule)(context, key);
+ (*kt->schedule)(context, kt, key);
return 0;
}
@@ -1154,277 +165,34 @@ _key_schedule(krb5_context context,
* *
************************************************************/
-static void
-NONE_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
-}
-
-static void
-CRC32_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- uint32_t crc;
- unsigned char *r = C->checksum.data;
- _krb5_crc_init_table ();
- crc = _krb5_crc_update (data, len, 0);
- r[0] = crc & 0xff;
- r[1] = (crc >> 8) & 0xff;
- r[2] = (crc >> 16) & 0xff;
- r[3] = (crc >> 24) & 0xff;
-}
-
-static void
-RSA_MD4_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD4_CTX m;
-
- MD4_Init (&m);
- MD4_Update (&m, data, len);
- MD4_Final (C->checksum.data, &m);
-}
-
-static void
-RSA_MD4_DES_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *cksum)
-{
- MD4_CTX md4;
- DES_cblock ivec;
- unsigned char *p = cksum->checksum.data;
-
- krb5_generate_random_block(p, 8);
- MD4_Init (&md4);
- MD4_Update (&md4, p, 8);
- MD4_Update (&md4, data, len);
- MD4_Final (p + 8, &md4);
- memset (&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(p,
- p,
- 24,
- key->schedule->data,
- &ivec,
- DES_ENCRYPT);
-}
-
static krb5_error_code
-RSA_MD4_DES_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD4_CTX md4;
- unsigned char tmp[24];
- unsigned char res[16];
- DES_cblock ivec;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- key->schedule->data,
- &ivec,
- DES_DECRYPT);
- MD4_Init (&md4);
- MD4_Update (&md4, tmp, 8); /* confounder */
- MD4_Update (&md4, data, len);
- MD4_Final (res, &md4);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
-}
-
-static void
-RSA_MD5_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX m;
-
- MD5_Init (&m);
- MD5_Update(&m, data, len);
- MD5_Final (C->checksum.data, &m);
-}
-
-static void
-RSA_MD5_DES_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- DES_cblock ivec;
- unsigned char *p = C->checksum.data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(p,
- p,
- 24,
- key->schedule->data,
- &ivec,
- DES_ENCRYPT);
-}
-
-static krb5_error_code
-RSA_MD5_DES_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- DES_cblock ivec;
- DES_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- &sched[0],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
-}
-
-static void
-RSA_MD5_DES3_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- DES_cblock ivec;
- unsigned char *p = C->checksum.data;
- DES_key_schedule *sched = key->schedule->data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- DES_ede3_cbc_encrypt(p,
- p,
- 24,
- &sched[0], &sched[1], &sched[2],
- &ivec,
- DES_ENCRYPT);
-}
-
-static krb5_error_code
-RSA_MD5_DES3_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- DES_cblock ivec;
- DES_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- DES_ede3_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- &sched[0], &sched[1], &sched[2],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
-}
-
-static void
SHA1_checksum(krb5_context context,
- struct key_data *key,
+ struct _krb5_key_data *key,
const void *data,
size_t len,
unsigned usage,
Checksum *C)
{
- SHA_CTX m;
-
- SHA1_Init(&m);
- SHA1_Update(&m, data, len);
- SHA1_Final(C->checksum.data, &m);
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
+ krb5_abortx(context, "sha1 checksum failed");
+ return 0;
}
/* HMAC according to RFC2104 */
-static krb5_error_code
-hmac(krb5_context context,
- struct checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct key_data *keyblock,
- Checksum *result)
+krb5_error_code
+_krb5_internal_hmac(krb5_context context,
+ struct _krb5_checksum_type *cm,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ struct _krb5_key_data *keyblock,
+ Checksum *result)
{
unsigned char *ipad, *opad;
unsigned char *key;
size_t key_len;
- int i;
-
+ size_t i;
+
ipad = malloc(cm->blocksize + len);
if (ipad == NULL)
return ENOMEM;
@@ -1437,10 +205,10 @@ hmac(krb5_context context,
memset(opad, 0x5c, cm->blocksize);
if(keyblock->key->keyvalue.length > cm->blocksize){
- (*cm->checksum)(context,
- keyblock,
- keyblock->key->keyvalue.data,
- keyblock->key->keyvalue.length,
+ (*cm->checksum)(context,
+ keyblock,
+ keyblock->key->keyvalue.data,
+ keyblock->key->keyvalue.length,
usage,
result);
key = result->checksum.data;
@@ -1456,9 +224,9 @@ hmac(krb5_context context,
memcpy(ipad + cm->blocksize, data, len);
(*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
usage, result);
- memcpy(opad + cm->blocksize, result->checksum.data,
+ memcpy(opad + cm->blocksize, result->checksum.data,
result->checksum.length);
- (*cm->checksum)(context, keyblock, opad,
+ (*cm->checksum)(context, keyblock, opad,
cm->blocksize + cm->checksumsize, usage, result);
memset(ipad, 0, cm->blocksize + len);
free(ipad);
@@ -1468,45 +236,46 @@ hmac(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_hmac(krb5_context context,
krb5_cksumtype cktype,
const void *data,
size_t len,
- unsigned usage,
+ unsigned usage,
krb5_keyblock *key,
Checksum *result)
{
- struct checksum_type *c = _find_checksum(cktype);
- struct key_data kd;
+ struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
+ struct _krb5_key_data kd;
krb5_error_code ret;
if (c == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cktype);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ cktype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
kd.key = key;
kd.schedule = NULL;
- ret = hmac(context, c, data, len, usage, &kd, result);
+ ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
if (kd.schedule)
krb5_free_data(context, kd.schedule);
return ret;
- }
+}
-static void
-SP_HMAC_SHA1_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
+krb5_error_code
+_krb5_SP_HMAC_SHA1_checksum(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *result)
{
- struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
+ struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
Checksum res;
char sha1_data[20];
krb5_error_code ret;
@@ -1514,183 +283,14 @@ SP_HMAC_SHA1_checksum(krb5_context context,
res.checksum.data = sha1_data;
res.checksum.length = sizeof(sha1_data);
- ret = hmac(context, c, data, len, usage, key, &res);
+ ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
+ return 0;
}
-/*
- * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
- */
-
-static void
-HMAC_MD5_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- MD5_CTX md5;
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- const char signature[] = "signaturekey";
- Checksum ksign_c;
- struct key_data ksign;
- krb5_keyblock kb;
- unsigned char t[4];
- unsigned char tmp[16];
- unsigned char ksign_c_data[16];
- krb5_error_code ret;
-
- ksign_c.checksum.length = sizeof(ksign_c_data);
- ksign_c.checksum.data = ksign_c_data;
- ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
- ksign.key = &kb;
- kb.keyvalue = ksign_c.checksum;
- MD5_Init (&md5);
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
- MD5_Update (&md5, t, 4);
- MD5_Update (&md5, data, len);
- MD5_Final (tmp, &md5);
- ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
- if (ret)
- krb5_abortx(context, "hmac failed");
-}
-
-/*
- * same as previous but being used while encrypting.
- */
-
-static void
-HMAC_MD5_checksum_enc(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum ksign_c;
- struct key_data ksign;
- krb5_keyblock kb;
- unsigned char t[4];
- unsigned char ksign_c_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- ksign_c.checksum.length = sizeof(ksign_c_data);
- ksign_c.checksum.data = ksign_c_data;
- ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
- ksign.key = &kb;
- kb.keyvalue = ksign_c.checksum;
- ret = hmac(context, c, data, len, 0, &ksign, result);
- if (ret)
- krb5_abortx(context, "hmac failed");
-}
-
-static struct checksum_type checksum_none = {
- CKSUMTYPE_NONE,
- "none",
- 1,
- 0,
- 0,
- NONE_checksum,
- NULL
-};
-static struct checksum_type checksum_crc32 = {
- CKSUMTYPE_CRC32,
- "crc32",
- 1,
- 4,
- 0,
- CRC32_checksum,
- NULL
-};
-static struct checksum_type checksum_rsa_md4 = {
- CKSUMTYPE_RSA_MD4,
- "rsa-md4",
- 64,
- 16,
- F_CPROOF,
- RSA_MD4_checksum,
- NULL
-};
-static struct checksum_type checksum_rsa_md4_des = {
- CKSUMTYPE_RSA_MD4_DES,
- "rsa-md4-des",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD4_DES_checksum,
- RSA_MD4_DES_verify
-};
-#if 0
-static struct checksum_type checksum_des_mac = {
- CKSUMTYPE_DES_MAC,
- "des-mac",
- 0,
- 0,
- 0,
- DES_MAC_checksum
-};
-static struct checksum_type checksum_des_mac_k = {
- CKSUMTYPE_DES_MAC_K,
- "des-mac-k",
- 0,
- 0,
- 0,
- DES_MAC_K_checksum
-};
-static struct checksum_type checksum_rsa_md4_des_k = {
- CKSUMTYPE_RSA_MD4_DES_K,
- "rsa-md4-des-k",
- 0,
- 0,
- 0,
- RSA_MD4_DES_K_checksum,
- RSA_MD4_DES_K_verify
-};
-#endif
-static struct checksum_type checksum_rsa_md5 = {
- CKSUMTYPE_RSA_MD5,
- "rsa-md5",
- 64,
- 16,
- F_CPROOF,
- RSA_MD5_checksum,
- NULL
-};
-static struct checksum_type checksum_rsa_md5_des = {
- CKSUMTYPE_RSA_MD5_DES,
- "rsa-md5-des",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD5_DES_checksum,
- RSA_MD5_DES_verify
-};
-static struct checksum_type checksum_rsa_md5_des3 = {
- CKSUMTYPE_RSA_MD5_DES3,
- "rsa-md5-des3",
- 64,
- 24,
- F_KEYED | F_CPROOF | F_VARIANT,
- RSA_MD5_DES3_checksum,
- RSA_MD5_DES3_verify
-};
-static struct checksum_type checksum_sha1 = {
+struct _krb5_checksum_type _krb5_checksum_sha1 = {
CKSUMTYPE_SHA1,
"sha1",
64,
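Review bot: `_krb5_SP_HMAC_SHA1_checksum` now returns `krb5_error_code`, yet a failing `_krb5_internal_hmac` still ends in `krb5_abortx(context, "hmac failed")`. The HMAC helper returns ENOMEM when `malloc(cm->blocksize + len)` fails, so a large `len` or memory pressure terminates the whole process instead of reaching the caller. With the new return type the two lines can become `if (ret) return ret;`, which create_checksum and verify_checksum already propagate. The closing `memcpy` also reads `result->checksum.length` bytes from the 20-byte `sha1_data`, so rejecting a length above `sizeof(sha1_data)` before the copy would keep the read in bounds. The function's signature sits in the preceding hunk.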
@@ -1699,115 +299,43 @@ static struct checksum_type checksum_sha1 = {
SHA1_checksum,
NULL
};
-static struct checksum_type checksum_hmac_sha1_des3 = {
- CKSUMTYPE_HMAC_SHA1_DES3,
- "hmac-sha1-des3",
- 64,
- 20,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-
-static struct checksum_type checksum_hmac_sha1_aes128 = {
- CKSUMTYPE_HMAC_SHA1_96_AES_128,
- "hmac-sha1-96-aes128",
- 64,
- 12,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-
-static struct checksum_type checksum_hmac_sha1_aes256 = {
- CKSUMTYPE_HMAC_SHA1_96_AES_256,
- "hmac-sha1-96-aes256",
- 64,
- 12,
- F_KEYED | F_CPROOF | F_DERIVED,
- SP_HMAC_SHA1_checksum,
- NULL
-};
-
-static struct checksum_type checksum_hmac_md5 = {
- CKSUMTYPE_HMAC_MD5,
- "hmac-md5",
- 64,
- 16,
- F_KEYED | F_CPROOF,
- HMAC_MD5_checksum,
- NULL
-};
-
-static struct checksum_type checksum_hmac_md5_enc = {
- CKSUMTYPE_HMAC_MD5_ENC,
- "hmac-md5-enc",
- 64,
- 16,
- F_KEYED | F_CPROOF | F_PSEUDO,
- HMAC_MD5_checksum_enc,
- NULL
-};
-
-static struct checksum_type *checksum_types[] = {
- &checksum_none,
- &checksum_crc32,
- &checksum_rsa_md4,
- &checksum_rsa_md4_des,
-#if 0
- &checksum_des_mac,
- &checksum_des_mac_k,
- &checksum_rsa_md4_des_k,
-#endif
- &checksum_rsa_md5,
- &checksum_rsa_md5_des,
- &checksum_rsa_md5_des3,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
- &checksum_hmac_sha1_aes128,
- &checksum_hmac_sha1_aes256,
- &checksum_hmac_md5,
- &checksum_hmac_md5_enc
-};
-
-static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
-static struct checksum_type *
-_find_checksum(krb5_cksumtype type)
+struct _krb5_checksum_type *
+_krb5_find_checksum(krb5_cksumtype type)
{
int i;
- for(i = 0; i < num_checksums; i++)
- if(checksum_types[i]->type == type)
- return checksum_types[i];
+ for(i = 0; i < _krb5_num_checksums; i++)
+ if(_krb5_checksum_types[i]->type == type)
+ return _krb5_checksum_types[i];
return NULL;
}
static krb5_error_code
-get_checksum_key(krb5_context context,
+get_checksum_key(krb5_context context,
krb5_crypto crypto,
unsigned usage, /* not krb5_key_usage */
- struct checksum_type *ct,
- struct key_data **key)
+ struct _krb5_checksum_type *ct,
+ struct _krb5_key_data **key)
{
krb5_error_code ret = 0;
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
else if(ct->flags & F_VARIANT) {
- int i;
+ size_t i;
*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
if(*key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
- if(ret)
+ if(ret)
return ret;
for(i = 0; i < (*key)->key->keyvalue.length; i++)
((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
} else {
- *key = &crypto->key;
+ *key = &crypto->key;
}
if(ret == 0)
ret = _key_schedule(context, *key);
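Review bot: In the F_VARIANT branch of get_checksum_key, the early `return ret;` after a failed `krb5_copy_keyblock` leaves `*key` pointing at the entry from `_new_derived_key` with no key copied into it. Who owns and later frees that entry is not visible in this hunk. A one-line comment at the return would settle it for the next reader, for example `/* entry stays owned by crypto and is released with it */`, if that is indeed the case. The function's closing lines are outside the hunk.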
@@ -1816,7 +344,7 @@ get_checksum_key(krb5_context context,
static krb5_error_code
create_checksum (krb5_context context,
- struct checksum_type *ct,
+ struct _krb5_checksum_type *ct,
krb5_crypto crypto,
unsigned usage,
void *data,
@@ -1824,18 +352,19 @@ create_checksum (krb5_context context,
Checksum *result)
{
krb5_error_code ret;
- struct key_data *dkey;
+ struct _krb5_key_data *dkey;
int keyed_checksum;
-
+
if (ct->flags & F_DISABLED) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL) {
- krb5_set_error_string (context, "Checksum type %s is keyed "
- "but no crypto context (key) was passed in",
- ct->name);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
if(keyed_checksum) {
@@ -1848,18 +377,17 @@ create_checksum (krb5_context context,
ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
if (ret)
return (ret);
- (*ct->checksum)(context, dkey, data, len, usage, result);
- return 0;
+ return (*ct->checksum)(context, dkey, data, len, usage, result);
}
static int
-arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto)
+arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
{
return (ct->type == CKSUMTYPE_HMAC_MD5) &&
(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
krb5_key_usage usage,
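Review bot: create_checksum now returns the callback's result directly, so when `(*ct->checksum)` fails the buffer obtained from `krb5_data_alloc(&result->checksum, ct->checksumsize)` stays allocated and is handed back together with the error. verify_checksum in this same commit frees its buffer on that path with `krb5_data_free`. Doing the same here would be `ret = (*ct->checksum)(context, dkey, data, len, usage, result);` followed by `if (ret) krb5_data_free(&result->checksum);` and `return ret;`. create_checksum begins before this hunk.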
@@ -1868,12 +396,12 @@ krb5_create_checksum(krb5_context context,
size_t len,
Checksum *result)
{
- struct checksum_type *ct = NULL;
+ struct _krb5_checksum_type *ct = NULL;
unsigned keyusage;
/* type 0 -> pick from crypto */
if (type) {
- ct = _find_checksum(type);
+ ct = _krb5_find_checksum(type);
} else if (crypto) {
ct = crypto->et->keyed_checksum;
if (ct == NULL)
@@ -1881,14 +409,15 @@ krb5_create_checksum(krb5_context context,
}
if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if (arcfour_checksum_p(ct, crypto)) {
keyusage = usage;
- usage2arcfour(context, &keyusage);
+ _krb5_usage2arcfour(context, &keyusage);
} else
keyusage = CHECKSUM_USAGE(usage);
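Review bot: `arcfour_checksum_p(ct, crypto)` can be reached with `crypto == NULL`, because krb5_create_checksum only consults `crypto` when `type` is 0, and the helper reads `crypto->key.key->keytype` as soon as `ct->type` is CKSUMTYPE_HMAC_MD5. The keyed-but-no-crypto test in create_checksum that would reject this case appears to run only after this point. Guarding the call, `if (crypto != NULL && arcfour_checksum_p(ct, crypto)) {`, keeps that error path reachable. The same call in krb5_verify_checksum (the hunk at `@@ -1951,27 +520,28 @@`) needs the same guard, and there the checksum type comes from `cksum->cksumtype`, which is supplied with the message being verified. Both functions extend beyond their hunks.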
@@ -1905,45 +434,85 @@ verify_checksum(krb5_context context,
Checksum *cksum)
{
krb5_error_code ret;
- struct key_data *dkey;
+ struct _krb5_key_data *dkey;
int keyed_checksum;
Checksum c;
- struct checksum_type *ct;
+ struct _krb5_checksum_type *ct;
- ct = _find_checksum(cksum->cksumtype);
+ ct = _krb5_find_checksum(cksum->cksumtype);
if (ct == NULL || (ct->flags & F_DISABLED)) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cksum->cksumtype);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ cksum->cksumtype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if(ct->checksumsize != cksum->checksum.length) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
+ N_("Decrypt integrity check failed for checksum type %s, "
+ "length was %u, expected %u", ""),
+ ct->name, (unsigned)cksum->checksum.length,
+ (unsigned)ct->checksumsize);
+
return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_string (context, "Checksum type %s is keyed "
- "but no crypto context (key) was passed in",
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum)
+ if(keyed_checksum) {
+ struct _krb5_checksum_type *kct;
+ if (crypto == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct != NULL && kct->type != ct->type) {
+ krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+ }
+
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
- else
+ if (ret)
+ return ret;
+ } else
dkey = NULL;
- if(ct->verify)
- return (*ct->verify)(context, dkey, data, len, usage, cksum);
+
+ /*
+ * If checksum have a verify function, lets use that instead of
+ * calling ->checksum and then compare result.
+ */
+
+ if(ct->verify) {
+ ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Decrypt integrity check failed for checksum "
+ "type %s, key type %s", ""),
+ ct->name, (crypto != NULL)? crypto->et->name : "(none)");
+ return ret;
+ }
ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
if (ret)
return ret;
- (*ct->checksum)(context, dkey, data, len, usage, &c);
+ ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
+ if (ret) {
+ krb5_data_free(&c.checksum);
+ return ret;
+ }
- if(c.checksum.length != cksum->checksum.length ||
- memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
- krb5_clear_error_string (context);
+ if(krb5_data_ct_cmp(&c.checksum, &cksum->checksum) != 0) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ krb5_set_error_message(context, ret,
+ N_("Decrypt integrity check failed for checksum "
+ "type %s, key type %s", ""),
+ ct->name, crypto ? crypto->et->name : "(unkeyed)");
} else {
ret = 0;
}
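Review bot: The new key-type binding in verify_checksum is skipped whenever `crypto->et->keyed_checksum` is NULL, so for such an encryption type any keyed checksum type named in `cksum->cksumtype` is still accepted with that key. Whether the new encryption-type table leaves `keyed_checksum` unset anywhere is not visible here, but the table this commit removes did so for several types. If the NULL case is intended, a comment above the test should say why, for example `/* enctypes without a keyed checksum accept any keyed type: <reason> */`; otherwise it should be rejected as well. The function starts before this hunk and ends after it.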
@@ -1951,27 +520,28 @@ verify_checksum(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_checksum(krb5_context context,
krb5_crypto crypto,
- krb5_key_usage usage,
+ krb5_key_usage usage,
void *data,
size_t len,
Checksum *cksum)
{
- struct checksum_type *ct;
+ struct _krb5_checksum_type *ct;
unsigned keyusage;
- ct = _find_checksum(cksum->cksumtype);
+ ct = _krb5_find_checksum(cksum->cksumtype);
if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- cksum->cksumtype);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ cksum->cksumtype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if (arcfour_checksum_p(ct, crypto)) {
keyusage = usage;
- usage2arcfour(context, &keyusage);
+ _krb5_usage2arcfour(context, &keyusage);
} else
keyusage = CHECKSUM_USAGE(usage);
@@ -1979,82 +549,87 @@ krb5_verify_checksum(krb5_context context,
data, len, cksum);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_get_checksum_type(krb5_context context,
krb5_crypto crypto,
krb5_cksumtype *type)
{
- struct checksum_type *ct = NULL;
-
+ struct _krb5_checksum_type *ct = NULL;
+
if (crypto != NULL) {
ct = crypto->et->keyed_checksum;
if (ct == NULL)
ct = crypto->et->checksum;
}
-
+
if (ct == NULL) {
- krb5_set_error_string (context, "checksum type not found");
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type not found", ""));
return KRB5_PROG_SUMTYPE_NOSUPP;
- }
+ }
*type = ct->type;
-
- return 0;
+
+ return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_checksumsize(krb5_context context,
krb5_cksumtype type,
size_t *size)
{
- struct checksum_type *ct = _find_checksum(type);
+ struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
if(ct == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
*size = ct->checksumsize;
return 0;
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_checksum_is_keyed(krb5_context context,
krb5_cksumtype type)
{
- struct checksum_type *ct = _find_checksum(type);
+ struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
if(ct == NULL) {
if (context)
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
return ct->flags & F_KEYED;
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_checksum_is_collision_proof(krb5_context context,
krb5_cksumtype type)
{
- struct checksum_type *ct = _find_checksum(type);
+ struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
if(ct == NULL) {
if (context)
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
return ct->flags & F_CPROOF;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_checksum_disable(krb5_context context,
krb5_cksumtype type)
{
- struct checksum_type *ct = _find_checksum(type);
+ struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
if(ct == NULL) {
if (context)
- krb5_set_error_string (context, "checksum type %d not supported",
- type);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
ct->flags |= F_DISABLED;
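Review bot: krb5_checksum_is_keyed and krb5_checksum_is_collision_proof are declared `krb5_boolean` but still return `KRB5_PROG_SUMTYPE_NOSUPP` for an unknown type, and this change touches that path without fixing it. Assuming the error code is non-zero, a caller that tests the result sees an unsupported checksum type reported as keyed and collision proof, which is the unsafe direction for a check that gates acceptance. Returning `0` on the not-found path and normalising the hit path, `return (ct->flags & F_CPROOF) != 0;`, would make the result a real boolean. Callers that rely on the current value would need checking first. krb5_checksum_disable continues past the end of the hunk.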
@@ -2065,912 +640,157 @@ krb5_checksum_disable(krb5_context context,
* *
************************************************************/
-static krb5_error_code
-NULL_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- return 0;
-}
-
-static krb5_error_code
-DES_CBC_encrypt_null_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ignore_ivec)
-{
- DES_cblock ivec;
- DES_key_schedule *s = key->schedule->data;
- memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(data, data, len, s, &ivec, encryptp);
- return 0;
-}
-
-static krb5_error_code
-DES_CBC_encrypt_key_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ignore_ivec)
-{
- DES_cblock ivec;
- DES_key_schedule *s = key->schedule->data;
- memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
- DES_cbc_encrypt(data, data, len, s, &ivec, encryptp);
- return 0;
-}
-
-static krb5_error_code
-DES3_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- DES_cblock local_ivec;
- DES_key_schedule *s = key->schedule->data;
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp);
- return 0;
-}
-
-static krb5_error_code
-DES_CFB64_encrypt_null_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ignore_ivec)
-{
- DES_cblock ivec;
- int num = 0;
- DES_key_schedule *s = key->schedule->data;
- memset(&ivec, 0, sizeof(ivec));
-
- DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encryptp);
- return 0;
-}
-
-static krb5_error_code
-DES_PCBC_encrypt_key_ivec(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ignore_ivec)
-{
- DES_cblock ivec;
- DES_key_schedule *s = key->schedule->data;
- memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
-
- DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp);
- return 0;
-}
-
-/*
- * AES draft-raeburn-krb-rijndael-krb-02
- */
-
-void KRB5_LIB_FUNCTION
-_krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec, const int encryptp)
-{
- unsigned char tmp[AES_BLOCK_SIZE];
- int i;
-
- /*
- * In the framework of kerberos, the length can never be shorter
- * then at least one blocksize.
- */
-
- if (encryptp) {
-
- while(len > AES_BLOCK_SIZE) {
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- tmp[i] = in[i] ^ ivec[i];
- AES_encrypt(tmp, out, key);
- memcpy(ivec, out, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- for (i = 0; i < len; i++)
- tmp[i] = in[i] ^ ivec[i];
- for (; i < AES_BLOCK_SIZE; i++)
- tmp[i] = 0 ^ ivec[i];
-
- AES_encrypt(tmp, out - AES_BLOCK_SIZE, key);
-
- memcpy(out, ivec, len);
- memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-
- } else {
- unsigned char tmp2[AES_BLOCK_SIZE];
- unsigned char tmp3[AES_BLOCK_SIZE];
-
- while(len > AES_BLOCK_SIZE * 2) {
- memcpy(tmp, in, AES_BLOCK_SIZE);
- AES_decrypt(in, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- len -= AES_BLOCK_SIZE;
-
- memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */
- AES_decrypt(in, tmp2, key);
-
- memcpy(tmp3, in + AES_BLOCK_SIZE, len);
- memcpy(tmp3 + len, tmp2 + len, AES_BLOCK_SIZE - len); /* xor 0 */
-
- for (i = 0; i < len; i++)
- out[i + AES_BLOCK_SIZE] = tmp2[i] ^ tmp3[i];
-
- AES_decrypt(tmp3, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- }
-}
-
-static krb5_error_code
-AES_CTS_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- struct krb5_aes_schedule *aeskey = key->schedule->data;
- char local_ivec[AES_BLOCK_SIZE];
- AES_KEY *k;
-
- if (encryptp)
- k = &aeskey->ekey;
- else
- k = &aeskey->dkey;
-
- if (len < AES_BLOCK_SIZE)
- krb5_abortx(context, "invalid use of AES_CTS_encrypt");
- if (len == AES_BLOCK_SIZE) {
- if (encryptp)
- AES_encrypt(data, data, k);
- else
- AES_decrypt(data, data, k);
- } else {
- if(ivec == NULL) {
- memset(local_ivec, 0, sizeof(local_ivec));
- ivec = local_ivec;
- }
- _krb5_aes_cts_encrypt(data, data, len, k, ivec, encryptp);
- }
-
- return 0;
-}
-
-/*
- * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
- *
- * warning: not for small children
- */
-
-static krb5_error_code
-ARCFOUR_subencrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- unsigned usage,
- void *ivec)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum k1_c, k2_c, k3_c, cksum;
- struct key_data ke;
- krb5_keyblock kb;
- unsigned char t[4];
- RC4_KEY rc4_key;
- unsigned char *cdata = data;
- unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- k1_c.checksum.length = sizeof(k1_c_data);
- k1_c.checksum.data = k1_c_data;
-
- ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
-
- k2_c.checksum.length = sizeof(k2_c_data);
- k2_c.checksum.data = k2_c_data;
-
- ke.key = &kb;
- kb.keyvalue = k2_c.checksum;
-
- cksum.checksum.length = 16;
- cksum.checksum.data = data;
-
- ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- ke.key = &kb;
- kb.keyvalue = k1_c.checksum;
-
- k3_c.checksum.length = sizeof(k3_c_data);
- k3_c.checksum.data = k3_c_data;
-
- ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
- memset (k1_c_data, 0, sizeof(k1_c_data));
- memset (k2_c_data, 0, sizeof(k2_c_data));
- memset (k3_c_data, 0, sizeof(k3_c_data));
- return 0;
-}
-
-static krb5_error_code
-ARCFOUR_subdecrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- unsigned usage,
- void *ivec)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum k1_c, k2_c, k3_c, cksum;
- struct key_data ke;
- krb5_keyblock kb;
- unsigned char t[4];
- RC4_KEY rc4_key;
- unsigned char *cdata = data;
- unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
- unsigned char cksum_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- k1_c.checksum.length = sizeof(k1_c_data);
- k1_c.checksum.data = k1_c_data;
-
- ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
-
- k2_c.checksum.length = sizeof(k2_c_data);
- k2_c.checksum.data = k2_c_data;
-
- ke.key = &kb;
- kb.keyvalue = k1_c.checksum;
-
- k3_c.checksum.length = sizeof(k3_c_data);
- k3_c.checksum.data = k3_c_data;
-
- ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
-
- ke.key = &kb;
- kb.keyvalue = k2_c.checksum;
-
- cksum.checksum.length = 16;
- cksum.checksum.data = cksum_data;
-
- ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
- if (ret)
- krb5_abortx(context, "hmac failed");
-
- memset (k1_c_data, 0, sizeof(k1_c_data));
- memset (k2_c_data, 0, sizeof(k2_c_data));
- memset (k3_c_data, 0, sizeof(k3_c_data));
-
- if (memcmp (cksum.checksum.data, data, 16) != 0) {
- krb5_clear_error_string (context);
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- } else {
- return 0;
- }
-}
-
-/*
- * convert the usage numbers used in
- * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
- * draft-brezak-win2k-krb-rc4-hmac-04.txt
- */
-
-static krb5_error_code
-usage2arcfour (krb5_context context, unsigned *usage)
-{
- switch (*usage) {
- case KRB5_KU_AS_REP_ENC_PART : /* 3 */
- case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */
- *usage = 8;
- return 0;
- case KRB5_KU_USAGE_SEAL : /* 22 */
- *usage = 13;
- return 0;
- case KRB5_KU_USAGE_SIGN : /* 23 */
- *usage = 15;
- return 0;
- case KRB5_KU_USAGE_SEQ: /* 24 */
- *usage = 0;
- return 0;
- default :
- return 0;
- }
-}
-
-static krb5_error_code
-ARCFOUR_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- krb5_error_code ret;
- unsigned keyusage = usage;
-
- if((ret = usage2arcfour (context, &keyusage)) != 0)
- return ret;
-
- if (encryptp)
- return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec);
- else
- return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec);
-}
-
-
-/*
- *
- */
-
-static krb5_error_code
-AES_PRF(krb5_context context,
- krb5_crypto crypto,
- const krb5_data *in,
- krb5_data *out)
-{
- struct checksum_type *ct = crypto->et->checksum;
- krb5_error_code ret;
- Checksum result;
- krb5_keyblock *derived;
-
- result.cksumtype = ct->type;
- ret = krb5_data_alloc(&result.checksum, ct->checksumsize);
- if (ret) {
- krb5_set_error_string(context, "out memory");
- return ret;
- }
-
- (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
-
- if (result.checksum.length < crypto->et->blocksize)
- krb5_abortx(context, "internal prf error");
-
- derived = NULL;
- ret = krb5_derive_key(context, crypto->key.key,
- crypto->et->type, "prf", 3, &derived);
- if (ret)
- krb5_abortx(context, "krb5_derive_key");
-
- ret = krb5_data_alloc(out, crypto->et->blocksize);
- if (ret)
- krb5_abortx(context, "malloc failed");
-
- {
- AES_KEY key;
-
- AES_set_encrypt_key(derived->keyvalue.data,
- crypto->et->keytype->bits, &key);
- AES_encrypt(result.checksum.data, out->data, &key);
- memset(&key, 0, sizeof(key));
- }
-
- krb5_data_free(&result.checksum);
- krb5_free_keyblock(context, derived);
-
- return ret;
-}
-
-/*
- * these should currently be in reverse preference order.
- * (only relevant for !F_PSEUDO) */
-
-static struct encryption_type enctype_null = {
- ETYPE_NULL,
- "null",
- NULL,
- 1,
- 1,
- 0,
- &keytype_null,
- &checksum_none,
- NULL,
- F_DISABLED,
- NULL_encrypt,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cbc_crc = {
- ETYPE_DES_CBC_CRC,
- "des-cbc-crc",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_crc32,
- NULL,
- 0,
- DES_CBC_encrypt_key_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cbc_md4 = {
- ETYPE_DES_CBC_MD4,
- "des-cbc-md4",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md4,
- &checksum_rsa_md4_des,
- 0,
- DES_CBC_encrypt_null_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cbc_md5 = {
- ETYPE_DES_CBC_MD5,
- "des-cbc-md5",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md5,
- &checksum_rsa_md5_des,
- 0,
- DES_CBC_encrypt_null_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_arcfour_hmac_md5 = {
- ETYPE_ARCFOUR_HMAC_MD5,
- "arcfour-hmac-md5",
- NULL,
- 1,
- 1,
- 8,
- &keytype_arcfour,
- &checksum_hmac_md5,
- NULL,
- F_SPECIAL,
- ARCFOUR_encrypt,
- 0,
- NULL
-};
-static struct encryption_type enctype_des3_cbc_md5 = {
- ETYPE_DES3_CBC_MD5,
- "des3-cbc-md5",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des3,
- &checksum_rsa_md5,
- &checksum_rsa_md5_des3,
- 0,
- DES3_CBC_encrypt,
- 0,
- NULL
-};
-static struct encryption_type enctype_des3_cbc_sha1 = {
- ETYPE_DES3_CBC_SHA1,
- "des3-cbc-sha1",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des3_derived,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
- F_DERIVED,
- DES3_CBC_encrypt,
- 0,
- NULL
-};
-static struct encryption_type enctype_old_des3_cbc_sha1 = {
- ETYPE_OLD_DES3_CBC_SHA1,
- "old-des3-cbc-sha1",
- NULL,
- 8,
- 8,
- 8,
- &keytype_des3,
- &checksum_sha1,
- &checksum_hmac_sha1_des3,
- 0,
- DES3_CBC_encrypt,
- 0,
- NULL
-};
-static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
- ETYPE_AES128_CTS_HMAC_SHA1_96,
- "aes128-cts-hmac-sha1-96",
- NULL,
- 16,
- 1,
- 16,
- &keytype_aes128,
- &checksum_sha1,
- &checksum_hmac_sha1_aes128,
- F_DERIVED,
- AES_CTS_encrypt,
- 16,
- AES_PRF
-};
-static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
- ETYPE_AES256_CTS_HMAC_SHA1_96,
- "aes256-cts-hmac-sha1-96",
- NULL,
- 16,
- 1,
- 16,
- &keytype_aes256,
- &checksum_sha1,
- &checksum_hmac_sha1_aes256,
- F_DERIVED,
- AES_CTS_encrypt,
- 16,
- AES_PRF
-};
-static struct encryption_type enctype_des_cbc_none = {
- ETYPE_DES_CBC_NONE,
- "des-cbc-none",
- NULL,
- 8,
- 8,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_CBC_encrypt_null_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cfb64_none = {
- ETYPE_DES_CFB64_NONE,
- "des-cfb64-none",
- NULL,
- 1,
- 1,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_CFB64_encrypt_null_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_pcbc_none = {
- ETYPE_DES_PCBC_NONE,
- "des-pcbc-none",
- NULL,
- 8,
- 8,
- 0,
- &keytype_des,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES_PCBC_encrypt_key_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des3_cbc_none = {
- ETYPE_DES3_CBC_NONE,
- "des3-cbc-none",
- NULL,
- 8,
- 8,
- 0,
- &keytype_des3_derived,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES3_CBC_encrypt,
- 0,
- NULL
-};
-
-static struct encryption_type *etypes[] = {
- &enctype_null,
- &enctype_des_cbc_crc,
- &enctype_des_cbc_md4,
- &enctype_des_cbc_md5,
- &enctype_arcfour_hmac_md5,
- &enctype_des3_cbc_md5,
- &enctype_des3_cbc_sha1,
- &enctype_old_des3_cbc_sha1,
- &enctype_aes128_cts_hmac_sha1,
- &enctype_aes256_cts_hmac_sha1,
- &enctype_des_cbc_none,
- &enctype_des_cfb64_none,
- &enctype_des_pcbc_none,
- &enctype_des3_cbc_none
-};
-
-static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
-
-
-static struct encryption_type *
-_find_enctype(krb5_enctype type)
+struct _krb5_encryption_type *
+_krb5_find_enctype(krb5_enctype type)
{
int i;
- for(i = 0; i < num_etypes; i++)
- if(etypes[i]->type == type)
- return etypes[i];
+ for(i = 0; i < _krb5_num_etypes; i++)
+ if(_krb5_etypes[i]->type == type)
+ return _krb5_etypes[i];
return NULL;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_to_string(krb5_context context,
krb5_enctype etype,
char **string)
{
- struct encryption_type *e;
- e = _find_enctype(etype);
+ struct _krb5_encryption_type *e;
+ e = _krb5_find_enctype(etype);
if(e == NULL) {
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ etype);
*string = NULL;
return KRB5_PROG_ETYPE_NOSUPP;
}
*string = strdup(e->name);
if(*string == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_enctype(krb5_context context,
const char *string,
krb5_enctype *etype)
{
int i;
- for(i = 0; i < num_etypes; i++)
- if(strcasecmp(etypes[i]->name, string) == 0){
- *etype = etypes[i]->type;
- return 0;
- }
- krb5_set_error_string (context, "encryption type %s not supported",
- string);
- return KRB5_PROG_ETYPE_NOSUPP;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_enctype_to_oid(krb5_context context,
- krb5_enctype etype,
- heim_oid *oid)
-{
- struct encryption_type *et = _find_enctype(etype);
- if(et == NULL) {
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- if(et->oid == NULL) {
- krb5_set_error_string (context, "%s have not oid", et->name);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- krb5_clear_error_string(context);
- return der_copy_oid(et->oid, oid);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_oid_to_enctype(krb5_context context,
- const heim_oid *oid,
- krb5_enctype *etype)
-{
- int i;
- for(i = 0; i < num_etypes; i++) {
- if(etypes[i]->oid && der_heim_oid_cmp(etypes[i]->oid, oid) == 0) {
- *etype = etypes[i]->type;
+ for(i = 0; i < _krb5_num_etypes; i++)
+ if(strcasecmp(_krb5_etypes[i]->name, string) == 0){
+ *etype = _krb5_etypes[i]->type;
return 0;
}
- }
- krb5_set_error_string(context, "enctype for oid not supported");
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %s not supported", ""),
+ string);
return KRB5_PROG_ETYPE_NOSUPP;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_to_keytype(krb5_context context,
krb5_enctype etype,
krb5_keytype *keytype)
{
- struct encryption_type *e = _find_enctype(etype);
+ struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
if(e == NULL) {
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, etype);
}
*keytype = e->keytype->type; /* XXX */
return 0;
}
-#if 0
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_enctype(krb5_context context,
- krb5_keytype keytype,
- krb5_enctype *etype)
-{
- struct key_type *kt = _find_keytype(keytype);
- krb5_warnx(context, "krb5_keytype_to_enctype(%u)", keytype);
- if(kt == NULL)
- return KRB5_PROG_KEYTYPE_NOSUPP;
- *etype = kt->best_etype;
- return 0;
-}
-#endif
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_enctypes (krb5_context context,
- krb5_keytype keytype,
- unsigned *len,
- krb5_enctype **val)
-{
- int i;
- unsigned n = 0;
- krb5_enctype *ret;
+/**
+ * Check if a enctype is valid, return 0 if it is.
+ *
+ * @param context Kerberos context
+ * @param etype enctype to check if its valid or not
+ *
+ * @return Return an error code for an failure or 0 on success (enctype valid).
+ * @ingroup krb5_crypto
+ */
- for (i = num_etypes - 1; i >= 0; --i) {
- if (etypes[i]->keytype->type == keytype
- && !(etypes[i]->flags & F_PSEUDO))
- ++n;
- }
- ret = malloc(n * sizeof(*ret));
- if (ret == NULL && n != 0) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- n = 0;
- for (i = num_etypes - 1; i >= 0; --i) {
- if (etypes[i]->keytype->type == keytype
- && !(etypes[i]->flags & F_PSEUDO))
- ret[n++] = etypes[i]->type;
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_enctype_valid(krb5_context context,
+ krb5_enctype etype)
+{
+ struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
+ if(e && (e->flags & F_DISABLED) == 0)
+ return 0;
+ if (context == NULL)
+ return KRB5_PROG_ETYPE_NOSUPP;
+ if(e == NULL) {
+ return unsupported_enctype (context, etype);
}
- *len = n;
- *val = ret;
- return 0;
+ /* Must be (e->flags & F_DISABLED) */
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %s is disabled", ""),
+ e->name);
+ return KRB5_PROG_ETYPE_NOSUPP;
}
-/*
- * First take the configured list of etypes for `keytype' if available,
- * else, do `krb5_keytype_to_enctypes'.
+/**
+ * Return the coresponding encryption type for a checksum type.
+ *
+ * @param context Kerberos context
+ * @param ctype The checksum type to get the result enctype for
+ * @param etype The returned encryption, when the matching etype is
+ * not found, etype is set to ETYPE_NULL.
+ *
+ * @return Return an error code for an failure or 0 on success.
+ * @ingroup krb5_crypto
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_enctypes_default (krb5_context context,
- krb5_keytype keytype,
- unsigned *len,
- krb5_enctype **val)
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cksumtype_to_enctype(krb5_context context,
+ krb5_cksumtype ctype,
+ krb5_enctype *etype)
{
- int i, n;
- krb5_enctype *ret;
+ int i;
- if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
- return krb5_keytype_to_enctypes (context, keytype, len, val);
+ *etype = ETYPE_NULL;
- for (n = 0; context->etypes_des[n]; ++n)
- ;
- ret = malloc (n * sizeof(*ret));
- if (ret == NULL && n != 0) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ for(i = 0; i < _krb5_num_etypes; i++) {
+ if(_krb5_etypes[i]->keyed_checksum &&
+ _krb5_etypes[i]->keyed_checksum->type == ctype)
+ {
+ *etype = _krb5_etypes[i]->type;
+ return 0;
+ }
}
- for (i = 0; i < n; ++i)
- ret[i] = context->etypes_des[i];
- *len = n;
- *val = ret;
- return 0;
-}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_enctype_valid(krb5_context context,
- krb5_enctype etype)
-{
- struct encryption_type *e = _find_enctype(etype);
- if(e == NULL) {
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- if (e->flags & F_DISABLED) {
- krb5_set_error_string (context, "encryption type %s is disabled",
- e->name);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- return 0;
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ (int)ctype);
+ return KRB5_PROG_SUMTYPE_NOSUPP;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cksumtype_valid(krb5_context context,
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cksumtype_valid(krb5_context context,
krb5_cksumtype ctype)
{
- struct checksum_type *c = _find_checksum(ctype);
+ struct _krb5_checksum_type *c = _krb5_find_checksum(ctype);
if (c == NULL) {
- krb5_set_error_string (context, "checksum type %d not supported",
- ctype);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ ctype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if (c->flags & F_DISABLED) {
- krb5_set_error_string (context, "checksum type %s is disabled",
- c->name);
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %s is disabled", ""),
+ c->name);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
return 0;
}
-/* if two enctypes have compatible keys */
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_enctypes_compatible_keys(krb5_context context,
- krb5_enctype etype1,
- krb5_enctype etype2)
-{
- struct encryption_type *e1 = _find_enctype(etype1);
- struct encryption_type *e2 = _find_enctype(etype2);
- return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
-}
-
static krb5_boolean
derived_crypto(krb5_context context,
krb5_crypto crypto)
@@ -3001,9 +821,9 @@ encrypt_internal_derived(krb5_context context,
Checksum cksum;
unsigned char *p, *q;
krb5_error_code ret;
- struct key_data *dkey;
- const struct encryption_type *et = crypto->et;
-
+ struct _krb5_key_data *dkey;
+ const struct _krb5_encryption_type *et = crypto->et;
+
checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
sz = et->confoundersize + len;
@@ -3011,25 +831,25 @@ encrypt_internal_derived(krb5_context context,
total_sz = block_sz + checksum_sz;
p = calloc(1, total_sz);
if(p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
q = p;
krb5_generate_random_block(q, et->confoundersize); /* XXX */
q += et->confoundersize;
memcpy(q, data, len);
-
- ret = create_checksum(context,
+
+ ret = create_checksum(context,
et->keyed_checksum,
- crypto,
+ crypto,
INTEGRITY_USAGE(usage),
- p,
+ p,
block_sz,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
free_Checksum (&cksum);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5_CRYPTO_INTERNAL;
}
if(ret)
@@ -3042,9 +862,6 @@ encrypt_internal_derived(krb5_context context,
ret = _key_schedule(context, dkey);
if(ret)
goto fail;
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 1, block_sz, dkey->key);
-#endif
ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
if (ret)
goto fail;
@@ -3070,18 +887,18 @@ encrypt_internal(krb5_context context,
Checksum cksum;
unsigned char *p, *q;
krb5_error_code ret;
- const struct encryption_type *et = crypto->et;
-
+ const struct _krb5_encryption_type *et = crypto->et;
+
checksum_sz = CHECKSUMSIZE(et->checksum);
-
+
sz = et->confoundersize + checksum_sz + len;
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
p = calloc(1, block_sz);
if(p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
q = p;
krb5_generate_random_block(q, et->confoundersize); /* XXX */
q += et->confoundersize;
@@ -3089,15 +906,15 @@ encrypt_internal(krb5_context context,
q += checksum_sz;
memcpy(q, data, len);
- ret = create_checksum(context,
+ ret = create_checksum(context,
et->checksum,
crypto,
0,
- p,
+ p,
block_sz,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
free_Checksum(&cksum);
ret = KRB5_CRYPTO_INTERNAL;
}
@@ -3108,9 +925,6 @@ encrypt_internal(krb5_context context,
ret = _key_schedule(context, &crypto->key);
if(ret)
goto fail;
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
-#endif
ret = (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec);
if (ret) {
memset(p, 0, block_sz);
@@ -3135,7 +949,7 @@ encrypt_internal_special(krb5_context context,
krb5_data *result,
void *ivec)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t cksum_sz = CHECKSUMSIZE(et->checksum);
size_t sz = len + cksum_sz + et->confoundersize;
char *tmp, *p;
@@ -3143,7 +957,7 @@ encrypt_internal_special(krb5_context context,
tmp = malloc (sz);
if (tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
p = tmp;
@@ -3176,25 +990,26 @@ decrypt_internal_derived(krb5_context context,
Checksum cksum;
unsigned char *p;
krb5_error_code ret;
- struct key_data *dkey;
- struct encryption_type *et = crypto->et;
+ struct _krb5_key_data *dkey;
+ struct _krb5_encryption_type *et = crypto->et;
unsigned long l;
-
+
checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
if (len < checksum_sz + et->confoundersize) {
- krb5_set_error_string(context, "Encrypted data shorter then "
- "checksum + confunder");
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
return KRB5_BAD_MSIZE;
}
if (((len - checksum_sz) % et->padsize) != 0) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_BAD_MSIZE;
}
p = malloc(len);
if(len != 0 && p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(p, data, len);
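Review bot: The length-check message that this hunk wraps in N_() still reads "shorter then checksum + confunder", and wrapping it makes the misspelled text a translatable string. The same string is added verbatim in the decrypt_internal and decrypt_internal_special hunks further down. I would correct all three to `N_("Encrypted data shorter than checksum + confounder", "")` in this commit. decrypt_internal_derived starts and ends outside this hunk.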
@@ -3211,9 +1026,6 @@ decrypt_internal_derived(krb5_context context,
free(p);
return ret;
}
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 0, len, dkey->key);
-#endif
ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
if (ret) {
free(p);
@@ -3239,7 +1051,7 @@ decrypt_internal_derived(krb5_context context,
result->data = realloc(p, l);
if(result->data == NULL && l != 0) {
free(p);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
result->length = l;
@@ -3258,29 +1070,32 @@ decrypt_internal(krb5_context context,
unsigned char *p;
Checksum cksum;
size_t checksum_sz, l;
- struct encryption_type *et = crypto->et;
-
+ struct _krb5_encryption_type *et = crypto->et;
+
if ((len % et->padsize) != 0) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_BAD_MSIZE;
}
-
checksum_sz = CHECKSUMSIZE(et->checksum);
+ if (len < checksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
+ return KRB5_BAD_MSIZE;
+ }
+
p = malloc(len);
if(len != 0 && p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(p, data, len);
-
+
ret = _key_schedule(context, &crypto->key);
if(ret) {
free(p);
return ret;
}
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 0, len, crypto->key.key);
-#endif
ret = (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec);
if (ret) {
free(p);
@@ -3304,7 +1119,7 @@ decrypt_internal(krb5_context context,
result->data = realloc(p, l);
if(result->data == NULL && l != 0) {
free(p);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
result->length = l;
@@ -3320,24 +1135,30 @@ decrypt_internal_special(krb5_context context,
krb5_data *result,
void *ivec)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t cksum_sz = CHECKSUMSIZE(et->checksum);
size_t sz = len - cksum_sz - et->confoundersize;
unsigned char *p;
krb5_error_code ret;
if ((len % et->padsize) != 0) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
+ return KRB5_BAD_MSIZE;
+ }
+ if (len < cksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
return KRB5_BAD_MSIZE;
}
p = malloc (len);
if (p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(p, data, len);
-
+
ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec);
if (ret) {
free(p);
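Review bot: `size_t sz = len - cksum_sz - et->confoundersize;` is still evaluated in the declaration, before the new `len < cksum_sz + et->confoundersize` check runs. Unsigned wrap-around is well defined and the function returns before `sz` is used on short input, so this is not a bug in the visible lines. It does leave a wrapped size in scope for any later edit that touches `sz` above the check. I would declare `size_t sz;` and assign `sz = len - cksum_sz - et->confoundersize;` directly after the length check. The function's signature and its tail are outside this hunk.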
@@ -3348,15 +1169,583 @@ decrypt_internal_special(krb5_context context,
result->data = realloc(p, sz);
if(result->data == NULL && sz != 0) {
free(p);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
result->length = sz;
return 0;
}
+static krb5_crypto_iov *
+find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
+{
+ size_t i;
+ for (i = 0; i < num_data; i++)
+ if (data[i].flags == type)
+ return &data[i];
+ return NULL;
+}
+
+/**
+ * Inline encrypt a kerberos message
+ *
+ * @param context Kerberos context
+ * @param crypto Kerberos crypto context
+ * @param usage Key usage for this buffer
+ * @param data array of buffers to process
+ * @param num_data length of array
+ * @param ivec initial cbc/cts vector
+ *
+ * @return Return an error code or 0.
+ * @ingroup krb5_crypto
+ *
+ * Kerberos encrypted data look like this:
+ *
+ * 1. KRB5_CRYPTO_TYPE_HEADER
+ * 2. array [1,...] KRB5_CRYPTO_TYPE_DATA and array [0,...]
+ * KRB5_CRYPTO_TYPE_SIGN_ONLY in any order, however the receiver
+ * have to aware of the order. KRB5_CRYPTO_TYPE_SIGN_ONLY is
+ * commonly used headers and trailers.
+ * 3. KRB5_CRYPTO_TYPE_PADDING, at least on padsize long if padsize > 1
+ * 4. KRB5_CRYPTO_TYPE_TRAILER
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_encrypt_iov_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ int num_data,
+ void *ivec)
+{
+ size_t headersz, trailersz, len;
+ int i;
+ size_t sz, block_sz, pad_sz;
+ Checksum cksum;
+ unsigned char *p, *q;
+ krb5_error_code ret;
+ struct _krb5_key_data *dkey;
+ const struct _krb5_encryption_type *et = crypto->et;
+ krb5_crypto_iov *tiv, *piv, *hiv;
+
+ if (num_data < 0) {
+ krb5_clear_error_message(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_message(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ headersz = et->confoundersize;
+ trailersz = CHECKSUMSIZE(et->keyed_checksum);
+
+ for (len = 0, i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ len += data[i].data.length;
+ }
+
+ sz = headersz + len;
+ block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
+
+ pad_sz = block_sz - sz;
+
+ /* header */
+
+ hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (hiv == NULL || hiv->data.length != headersz)
+ return KRB5_BAD_MSIZE;
+
+ krb5_generate_random_block(hiv->data.data, hiv->data.length);
+
+ /* padding */
+ piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
+ /* its ok to have no TYPE_PADDING if there is no padding */
+ if (piv == NULL && pad_sz != 0)
+ return KRB5_BAD_MSIZE;
+ if (piv) {
+ if (piv->data.length < pad_sz)
+ return KRB5_BAD_MSIZE;
+ piv->data.length = pad_sz;
+ if (pad_sz)
+ memset(piv->data.data, pad_sz, pad_sz);
+ else
+ piv = NULL;
+ }
+
+ /* trailer */
+ tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (tiv == NULL || tiv->data.length != trailersz)
+ return KRB5_BAD_MSIZE;
+
+ /*
+ * XXX replace with EVP_Sign? at least make create_checksum an iov
+ * function.
+ * XXX CTS EVP is broken, can't handle multi buffers :(
+ */
+
+ len = block_sz;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+ if (piv)
+ memset(q, 0, piv->data.length);
+
+ ret = create_checksum(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ p,
+ len,
+ &cksum);
+ free(p);
+ if(ret == 0 && cksum.checksum.length != trailersz) {
+ free_Checksum (&cksum);
+ krb5_clear_error_message (context);
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+ if(ret)
+ return ret;
+
+ /* save cksum at end */
+ memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
+ free_Checksum (&cksum);
+
+ /* XXX replace with EVP_Cipher */
+ p = q = malloc(block_sz);
+ if(p == NULL)
+ return ENOMEM;
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+ if (piv)
+ memset(q, 0, piv->data.length);
+
+
+ ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+ ret = _key_schedule(context, dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+
+ ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
+ if (ret) {
+ free(p);
+ return ret;
+ }
+
+ /* now copy data back to buffers */
+ q = p;
+
+ memcpy(hiv->data.data, q, hiv->data.length);
+ q += hiv->data.length;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ memcpy(data[i].data.data, q, data[i].data.length);
+ q += data[i].data.length;
+ }
+ if (piv)
+ memcpy(piv->data.data, q, pad_sz);
+
+ free(p);
+
+ return ret;
+}
+
+/**
+ * Inline decrypt a Kerberos message.
+ *
+ * @param context Kerberos context
+ * @param crypto Kerberos crypto context
+ * @param usage Key usage for this buffer
+ * @param data array of buffers to process
+ * @param num_data length of array
+ * @param ivec initial cbc/cts vector
+ *
+ * @return Return an error code or 0.
+ * @ingroup krb5_crypto
+ *
+ * 1. KRB5_CRYPTO_TYPE_HEADER
+ * 2. one KRB5_CRYPTO_TYPE_DATA and array [0,...] of KRB5_CRYPTO_TYPE_SIGN_ONLY in
+ * any order, however the receiver have to aware of the
+ * order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used unencrypoted
+ * protocol headers and trailers. The output data will be of same
+ * size as the input data or shorter.
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_decrypt_iov_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ unsigned int num_data,
+ void *ivec)
+{
+ unsigned int i;
+ size_t headersz, trailersz, len;
+ Checksum cksum;
+ unsigned char *p, *q;
+ krb5_error_code ret;
+ struct _krb5_key_data *dkey;
+ struct _krb5_encryption_type *et = crypto->et;
+ krb5_crypto_iov *tiv, *hiv;
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_message(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ headersz = et->confoundersize;
+
+ hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (hiv == NULL || hiv->data.length != headersz)
+ return KRB5_BAD_MSIZE;
-krb5_error_code KRB5_LIB_FUNCTION
+ /* trailer */
+ trailersz = CHECKSUMSIZE(et->keyed_checksum);
+
+ tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (tiv->data.length != trailersz)
+ return KRB5_BAD_MSIZE;
+
+ /* Find length of data we will decrypt */
+
+ len = headersz;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ len += data[i].data.length;
+ }
+
+ if ((len % et->padsize) != 0) {
+ krb5_clear_error_message(context);
+ return KRB5_BAD_MSIZE;
+ }
+
+ /* XXX replace with EVP_Cipher */
+
+ p = q = malloc(len);
+ if (p == NULL)
+ return ENOMEM;
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+ ret = _key_schedule(context, dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+
+ ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
+ if (ret) {
+ free(p);
+ return ret;
+ }
+
+ /* copy data back to buffers */
+ memcpy(hiv->data.data, p, hiv->data.length);
+ q = p + hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ memcpy(data[i].data.data, q, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ free(p);
+
+ /* check signature */
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+ if (p == NULL)
+ return ENOMEM;
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
+
+ ret = verify_checksum(context,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ p,
+ len,
+ &cksum);
+ free(p);
+ return ret;
+}
+
+/**
+ * Create a Kerberos message checksum.
+ *
+ * @param context Kerberos context
+ * @param crypto Kerberos crypto context
+ * @param usage Key usage for this buffer
+ * @param data array of buffers to process
+ * @param num_data length of array
+ * @param type output data
+ *
+ * @return Return an error code or 0.
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_create_checksum_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ unsigned int num_data,
+ krb5_cksumtype *type)
+{
+ Checksum cksum;
+ krb5_crypto_iov *civ;
+ krb5_error_code ret;
+ size_t i;
+ size_t len;
+ char *p, *q;
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_message(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+ if (civ == NULL)
+ return KRB5_BAD_MSIZE;
+
+ len = 0;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ ret = krb5_create_checksum(context, crypto, usage, 0, p, len, &cksum);
+ free(p);
+ if (ret)
+ return ret;
+
+ if (type)
+ *type = cksum.cksumtype;
+
+ if (cksum.checksum.length > civ->data.length) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Checksum larger then input buffer", ""));
+ free_Checksum(&cksum);
+ return KRB5_BAD_MSIZE;
+ }
+
+ civ->data.length = cksum.checksum.length;
+ memcpy(civ->data.data, cksum.checksum.data, civ->data.length);
+ free_Checksum(&cksum);
+
+ return 0;
+}
+
+/**
+ * Verify a Kerberos message checksum.
+ *
+ * @param context Kerberos context
+ * @param crypto Kerberos crypto context
+ * @param usage Key usage for this buffer
+ * @param data array of buffers to process
+ * @param num_data length of array
+ * @param type return checksum type if not NULL
+ *
+ * @return Return an error code or 0.
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_verify_checksum_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ unsigned int num_data,
+ krb5_cksumtype *type)
+{
+ struct _krb5_encryption_type *et = crypto->et;
+ Checksum cksum;
+ krb5_crypto_iov *civ;
+ krb5_error_code ret;
+ size_t i;
+ size_t len;
+ char *p, *q;
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_message(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+ if (civ == NULL)
+ return KRB5_BAD_MSIZE;
+
+ len = 0;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
+ cksum.checksum.length = civ->data.length;
+ cksum.checksum.data = civ->data.data;
+
+ ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
+ free(p);
+
+ if (ret == 0 && type)
+ *type = cksum.cksumtype;
+
+ return ret;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_length(krb5_context context,
+ krb5_crypto crypto,
+ int type,
+ size_t *len)
+{
+ if (!derived_crypto(context, crypto)) {
+ krb5_set_error_message(context, EINVAL, "not a derived crypto");
+ return EINVAL;
+ }
+
+ switch(type) {
+ case KRB5_CRYPTO_TYPE_EMPTY:
+ *len = 0;
+ return 0;
+ case KRB5_CRYPTO_TYPE_HEADER:
+ *len = crypto->et->blocksize;
+ return 0;
+ case KRB5_CRYPTO_TYPE_DATA:
+ case KRB5_CRYPTO_TYPE_SIGN_ONLY:
+ /* len must already been filled in */
+ return 0;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ if (crypto->et->padsize > 1)
+ *len = crypto->et->padsize;
+ else
+ *len = 0;
+ return 0;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ return 0;
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ if (crypto->et->keyed_checksum)
+ *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ else
+ *len = CHECKSUMSIZE(crypto->et->checksum);
+ return 0;
+ }
+ krb5_set_error_message(context, EINVAL,
+ "%d not a supported type", type);
+ return EINVAL;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_length_iov(krb5_context context,
+ krb5_crypto crypto,
+ krb5_crypto_iov *data,
+ unsigned int num_data)
+{
+ krb5_error_code ret;
+ size_t i;
+
+ for (i = 0; i < num_data; i++) {
+ ret = krb5_crypto_length(context, crypto,
+ data[i].flags,
+ &data[i].data.length);
+ if (ret)
+ return ret;
+ }
+ return 0;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt_ivec(krb5_context context,
krb5_crypto crypto,
unsigned usage,
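Review bot: In krb5_decrypt_iov_ivec the result of `find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER)` is dereferenced without a NULL test, so an iov array with no trailer element crashes where krb5_encrypt_iov_ivec returns KRB5_BAD_MSIZE; the guard should read `if (tiv == NULL || tiv->data.length != trailersz)`. The first `p = q = malloc(len);` in krb5_encrypt_iov_ivec, and the ones in krb5_create_checksum_iov and krb5_verify_checksum_iov, go straight to memcpy with no allocation check, unlike the other allocations in this hunk. Each needs `if (p == NULL && len != 0) return ENOMEM;`. krb5_decrypt_iov_ivec also copies the decrypted bytes back into the caller's buffers before verify_checksum runs, so on a checksum failure the caller holds unauthenticated plaintext. Its doc comment should state that the buffer contents must be discarded when the function returns an error.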
@@ -3366,7 +1755,7 @@ krb5_encrypt_ivec(krb5_context context,
void *ivec)
{
if(derived_crypto(context, crypto))
- return encrypt_internal_derived(context, crypto, usage,
+ return encrypt_internal_derived(context, crypto, usage,
data, len, result, ivec);
else if (special_crypto(context, crypto))
return encrypt_internal_special (context, crypto, usage,
@@ -3375,7 +1764,7 @@ krb5_encrypt_ivec(krb5_context context,
return encrypt_internal(context, crypto, data, len, result, ivec);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt(krb5_context context,
krb5_crypto crypto,
unsigned usage,
@@ -3386,7 +1775,7 @@ krb5_encrypt(krb5_context context,
return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt_EncryptedData(krb5_context context,
krb5_crypto crypto,
unsigned usage,
@@ -3404,7 +1793,7 @@ krb5_encrypt_EncryptedData(krb5_context context,
return krb5_encrypt(context, crypto, usage, data, len, &result->cipher);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_ivec(krb5_context context,
krb5_crypto crypto,
unsigned usage,
@@ -3414,7 +1803,7 @@ krb5_decrypt_ivec(krb5_context context,
void *ivec)
{
if(derived_crypto(context, crypto))
- return decrypt_internal_derived(context, crypto, usage,
+ return decrypt_internal_derived(context, crypto, usage,
data, len, result, ivec);
else if (special_crypto (context, crypto))
return decrypt_internal_special(context, crypto, usage,
@@ -3423,7 +1812,7 @@ krb5_decrypt_ivec(krb5_context context,
return decrypt_internal(context, crypto, data, len, result, ivec);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt(krb5_context context,
krb5_crypto crypto,
unsigned usage,
@@ -3435,14 +1824,14 @@ krb5_decrypt(krb5_context context,
NULL);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_EncryptedData(krb5_context context,
krb5_crypto crypto,
unsigned usage,
const EncryptedData *e,
krb5_data *result)
{
- return krb5_decrypt(context, crypto, usage,
+ return krb5_decrypt(context, crypto, usage,
e->cipher.data, e->cipher.length, result);
}
@@ -3450,96 +1839,17 @@ krb5_decrypt_EncryptedData(krb5_context context,
* *
************************************************************/
-#define ENTROPY_NEEDED 128
-
-static int
-seed_something(void)
-{
- char buf[1024], seedfile[256];
-
- /* If there is a seed file, load it. But such a file cannot be trusted,
- so use 0 for the entropy estimate */
- if (RAND_file_name(seedfile, sizeof(seedfile))) {
- int fd;
- fd = open(seedfile, O_RDONLY);
- if (fd >= 0) {
- ssize_t ret;
- ret = read(fd, buf, sizeof(buf));
- if (ret > 0)
- RAND_add(buf, ret, 0.0);
- close(fd);
- } else
- seedfile[0] = '\0';
- } else
- seedfile[0] = '\0';
-
- /* Calling RAND_status() will try to use /dev/urandom if it exists so
- we do not have to deal with it. */
- if (RAND_status() != 1) {
- krb5_context context;
- const char *p;
-
- /* Try using egd */
- if (!krb5_init_context(&context)) {
- p = krb5_config_get_string(context, NULL, "libdefaults",
- "egd_socket", NULL);
- if (p != NULL)
- RAND_egd_bytes(p, ENTROPY_NEEDED);
- krb5_free_context(context);
- }
- }
-
- if (RAND_status() == 1) {
- /* Update the seed file */
- if (seedfile[0])
- RAND_write_file(seedfile);
-
- return 0;
- } else
- return -1;
-}
-
-void KRB5_LIB_FUNCTION
-krb5_generate_random_block(void *buf, size_t len)
-{
- static int rng_initialized = 0;
-
- HEIMDAL_MUTEX_lock(&crypto_mutex);
- if (!rng_initialized) {
- if (seed_something())
- krb5_abortx(NULL, "Fatal: could not seed the "
- "random number generator");
-
- rng_initialized = 1;
- }
- HEIMDAL_MUTEX_unlock(&crypto_mutex);
- if (RAND_bytes(buf, len) != 1)
- krb5_abortx(NULL, "Failed to generate random block");
-}
-
-static void
-DES3_postproc(krb5_context context,
- unsigned char *k, size_t len, struct key_data *key)
-{
- DES3_random_to_key(context, key->key, k, len);
-
- if (key->schedule) {
- krb5_free_data(context, key->schedule);
- key->schedule = NULL;
- }
-}
-
-static krb5_error_code
-derive_key(krb5_context context,
- struct encryption_type *et,
- struct key_data *key,
- const void *constant,
- size_t len)
+krb5_error_code
+_krb5_derive_key(krb5_context context,
+ struct _krb5_encryption_type *et,
+ struct _krb5_key_data *key,
+ const void *constant,
+ size_t len)
{
- unsigned char *k;
+ unsigned char *k = NULL;
unsigned int nblocks = 0, i;
krb5_error_code ret = 0;
- struct key_type *kt = et->keytype;
+ struct _krb5_key_type *kt = et->keytype;
ret = _key_schedule(context, key);
if(ret)
@@ -3548,18 +1858,19 @@ derive_key(krb5_context context,
nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
k = malloc(nblocks * et->blocksize);
if(k == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
ret = _krb5_n_fold(constant, len, k, et->blocksize);
if (ret) {
- free(k);
- krb5_set_error_string(context, "out of memory");
- return ret;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
+
for(i = 0; i < nblocks; i++) {
if(i > 0)
- memcpy(k + i * et->blocksize,
+ memcpy(k + i * et->blocksize,
k + (i - 1) * et->blocksize,
et->blocksize);
(*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
@@ -3571,55 +1882,59 @@ derive_key(krb5_context context,
size_t res_len = (kt->bits + 7) / 8;
if(len != 0 && c == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
memcpy(c, constant, len);
(*et->encrypt)(context, key, c, len, 1, 0, NULL);
k = malloc(res_len);
if(res_len != 0 && k == NULL) {
free(c);
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
ret = _krb5_n_fold(c, len, k, res_len);
+ free(c);
if (ret) {
- free(k);
- krb5_set_error_string(context, "out of memory");
- return ret;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
- free(c);
}
-
+
/* XXX keytype dependent post-processing */
switch(kt->type) {
- case KEYTYPE_DES3:
- DES3_postproc(context, k, nblocks * et->blocksize, key);
+ case ETYPE_OLD_DES3_CBC_SHA1:
+ _krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
break;
- case KEYTYPE_AES128:
- case KEYTYPE_AES256:
+ case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
break;
default:
- krb5_set_error_string(context,
- "derive_key() called with unknown keytype (%u)",
- kt->type);
ret = KRB5_CRYPTO_INTERNAL;
+ krb5_set_error_message(context, ret,
+ N_("derive_key() called with unknown keytype (%u)", ""),
+ kt->type);
break;
}
+ out:
if (key->schedule) {
- krb5_free_data(context, key->schedule);
+ free_key_schedule(context, key, et);
key->schedule = NULL;
}
- memset(k, 0, nblocks * et->blocksize);
- free(k);
+ if (k) {
+ memset(k, 0, nblocks * et->blocksize);
+ free(k);
+ }
return ret;
}
-static struct key_data *
+static struct _krb5_key_data *
_new_derived_key(krb5_crypto crypto, unsigned usage)
{
- struct key_usage *d = crypto->key_usage;
+ struct _krb5_key_usage *d = crypto->key_usage;
d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
if(d == NULL)
return NULL;
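Review bot: The `out:` path of `_krb5_derive_key` wipes `nblocks * et->blocksize` bytes of `k`, but on the branch that does `k = malloc(res_len)` that length does not describe the buffer. If `nblocks` is still 0 there, as its initializer in the earlier hunk suggests, the derived key bytes are freed without being cleared. Recording the allocated size in one variable (say `k_len`) and using `memset(k, 0, k_len);` at `out:` would cover both branches. A plain `memset` directly followed by `free` is also a store the compiler is allowed to drop, so a wipe routine that cannot be elided is preferable if the tree has one. The start of `_krb5_derive_key` and the `else` that opens this branch lie outside the hunk.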
@@ -3630,7 +1945,7 @@ _new_derived_key(krb5_crypto crypto, unsigned usage)
return &d->key;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_derive_key(krb5_context context,
const krb5_keyblock *key,
krb5_enctype etype,
@@ -3639,16 +1954,14 @@ krb5_derive_key(krb5_context context,
krb5_keyblock **derived_key)
{
krb5_error_code ret;
- struct encryption_type *et;
- struct key_data d;
+ struct _krb5_encryption_type *et;
+ struct _krb5_key_data d;
*derived_key = NULL;
- et = _find_enctype (etype);
+ et = _krb5_find_enctype (etype);
if (et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, etype);
}
ret = krb5_copy_keyblock(context, key, &d.key);
@@ -3656,21 +1969,21 @@ krb5_derive_key(krb5_context context,
return ret;
d.schedule = NULL;
- ret = derive_key(context, et, &d, constant, constant_len);
+ ret = _krb5_derive_key(context, et, &d, constant, constant_len);
if (ret == 0)
ret = krb5_copy_keyblock(context, d.key, derived_key);
- free_key_data(context, &d);
+ _krb5_free_key_data(context, &d, et);
return ret;
}
static krb5_error_code
-_get_derived_key(krb5_context context,
- krb5_crypto crypto,
- unsigned usage,
- struct key_data **key)
+_get_derived_key(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ struct _krb5_key_data **key)
{
int i;
- struct key_data *d;
+ struct _krb5_key_data *d;
unsigned char constant[5];
for(i = 0; i < crypto->num_key_usage; i++)
@@ -3680,18 +1993,35 @@ _get_derived_key(krb5_context context,
}
d = _new_derived_key(crypto, usage);
if(d == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
krb5_copy_keyblock(context, crypto->key.key, &d->key);
_krb5_put_int(constant, usage, 5);
- derive_key(context, crypto->et, d, constant, sizeof(constant));
+ _krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));
*key = d;
return 0;
}
+/**
+ * Create a crypto context used for all encryption and signature
+ * operation. The encryption type to use is taken from the key, but
+ * can be overridden with the enctype parameter. This can be useful
+ * for encryptions types which is compatiable (DES for example).
+ *
+ * To free the crypto context, use krb5_crypto_destroy().
+ *
+ * @param context Kerberos context
+ * @param key the key block information with all key data
+ * @param etype the encryption type
+ * @param crypto the resulting crypto context
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_init(krb5_context context,
const krb5_keyblock *key,
krb5_enctype etype,
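Review bot: `_get_derived_key` still discards the results of `krb5_copy_keyblock` and `_krb5_derive_key`, then sets `*key = d` and returns 0. `_krb5_derive_key` now has several `goto out` failure paths, so a failed derivation presumably leaves `d->key` as NULL or as an unmodified copy of the base key, and the caller goes on to use it as the usage-specific key. Both calls should be checked, e.g. `ret = _krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));` followed by `if (ret) return ret;`, with a `krb5_error_code ret;` local and the same treatment for the copy. The entry appended by `_new_derived_key` would also need to be dropped on failure so that a later lookup for the same usage does not return it. That bookkeeping and the start of the function are outside this hunk.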
@@ -3700,23 +2030,22 @@ krb5_crypto_init(krb5_context context,
krb5_error_code ret;
ALLOC(*crypto, 1);
if(*crypto == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
if(etype == ETYPE_NULL)
etype = key->keytype;
- (*crypto)->et = _find_enctype(etype);
+ (*crypto)->et = _krb5_find_enctype(etype);
if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
free(*crypto);
*crypto = NULL;
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype(context, etype);
}
if((*crypto)->et->keytype->size != key->keyvalue.length) {
free(*crypto);
*crypto = NULL;
- krb5_set_error_string (context, "encryption key has bad length");
+ krb5_set_error_message (context, KRB5_BAD_KEYSIZE,
+ "encryption key has bad length");
return KRB5_BAD_KEYSIZE;
}
ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key);
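Review bot: The "encryption key has bad length" message is the only one in this hunk not passed through `N_()`, so it is presumably skipped by whatever extracts the other messages for translation. `N_("encryption key has bad length", "")` would match its neighbours. The same applies to "kerberos prf for %s not supported" in `krb5_crypto_prf` and to both messages in `krb5_keytype_to_enctypes` further down. `krb5_crypto_init` continues outside the hunk.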
@@ -3732,36 +2061,72 @@ krb5_crypto_init(krb5_context context,
}
static void
-free_key_data(krb5_context context, struct key_data *key)
+free_key_schedule(krb5_context context,
+ struct _krb5_key_data *key,
+ struct _krb5_encryption_type *et)
+{
+ if (et->keytype->cleanup)
+ (*et->keytype->cleanup)(context, key);
+ memset(key->schedule->data, 0, key->schedule->length);
+ krb5_free_data(context, key->schedule);
+}
+
+void
+_krb5_free_key_data(krb5_context context, struct _krb5_key_data *key,
+ struct _krb5_encryption_type *et)
{
krb5_free_keyblock(context, key->key);
if(key->schedule) {
- memset(key->schedule->data, 0, key->schedule->length);
- krb5_free_data(context, key->schedule);
+ free_key_schedule(context, key, et);
+ key->schedule = NULL;
}
}
static void
-free_key_usage(krb5_context context, struct key_usage *ku)
+free_key_usage(krb5_context context, struct _krb5_key_usage *ku,
+ struct _krb5_encryption_type *et)
{
- free_key_data(context, &ku->key);
+ _krb5_free_key_data(context, &ku->key, et);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Free a crypto context created by krb5_crypto_init().
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to free
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_destroy(krb5_context context,
krb5_crypto crypto)
{
int i;
-
+
for(i = 0; i < crypto->num_key_usage; i++)
- free_key_usage(context, &crypto->key_usage[i]);
+ free_key_usage(context, &crypto->key_usage[i], crypto->et);
free(crypto->key_usage);
- free_key_data(context, &crypto->key);
+ _krb5_free_key_data(context, &crypto->key, crypto->et);
free (crypto);
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the blocksize used algorithm referenced by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param blocksize the resulting blocksize
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getblocksize(krb5_context context,
krb5_crypto crypto,
size_t *blocksize)
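Review bot: `free_key_schedule` dereferences `key->schedule` unconditionally and leaves the pointer dangling after `krb5_free_data`, so every caller has to test it first and reset it afterwards. Both visible callers (`_krb5_free_key_data` here and the `out:` path of `_krb5_derive_key`) do that, but the contract is unstated. A future caller that misses it gets a NULL dereference or a double free of key schedule memory. Either fold the guard and `key->schedule = NULL;` into the helper, or add a comment above it such as `/* caller must ensure key->schedule != NULL and clear the pointer afterwards */`.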
@@ -3770,25 +2135,61 @@ krb5_crypto_getblocksize(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the encryption type used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param enctype the resulting encryption type
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getenctype(krb5_context context,
krb5_crypto crypto,
krb5_enctype *enctype)
{
*enctype = crypto->et->type;
- return 0;
+ return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the padding size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param padsize the return padding size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getpadsize(krb5_context context,
krb5_crypto crypto,
- size_t *padsize)
+ size_t *padsize)
{
*padsize = crypto->et->padsize;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the confounder size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param confoundersize the returned confounder size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getconfoundersize(krb5_context context,
krb5_crypto crypto,
size_t *confoundersize)
@@ -3797,76 +2198,86 @@ krb5_crypto_getconfoundersize(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+
+/**
+ * Disable encryption type
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_disable(krb5_context context,
krb5_enctype enctype)
{
- struct encryption_type *et = _find_enctype(enctype);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
if(et == NULL) {
if (context)
- krb5_set_error_string (context, "encryption type %d not supported",
- enctype);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ enctype);
return KRB5_PROG_ETYPE_NOSUPP;
}
et->flags |= F_DISABLED;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_key_derived(krb5_context context,
- const void *str,
- size_t len,
- krb5_enctype etype,
- krb5_keyblock *key)
-{
- struct encryption_type *et = _find_enctype(etype);
- krb5_error_code ret;
- struct key_data kd;
- size_t keylen;
- u_char *tmp;
+/**
+ * Enable encryption type
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to enable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_enctype_enable(krb5_context context,
+ krb5_enctype enctype)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
if(et == NULL) {
- krb5_set_error_string (context, "encryption type %d not supported",
- etype);
+ if (context)
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ enctype);
return KRB5_PROG_ETYPE_NOSUPP;
}
- keylen = et->keytype->bits / 8;
+ et->flags &= ~F_DISABLED;
+ return 0;
+}
- ALLOC(kd.key, 1);
- if(kd.key == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
- if(ret) {
- free(kd.key);
- return ret;
- }
- kd.key->keytype = etype;
- tmp = malloc (keylen);
- if(tmp == NULL) {
- krb5_free_keyblock(context, kd.key);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = _krb5_n_fold(str, len, tmp, keylen);
- if (ret) {
- free(tmp);
- krb5_set_error_string(context, "out of memory");
- return ret;
- }
- kd.schedule = NULL;
- DES3_postproc (context, tmp, keylen, &kd); /* XXX */
- memset(tmp, 0, keylen);
- free(tmp);
- ret = derive_key(context,
- et,
- &kd,
- "kerberos", /* XXX well known constant */
- strlen("kerberos"));
- ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
- return ret;
+/**
+ * Enable or disable all weak encryption types
+ *
+ * @param context Kerberos 5 context
+ * @param enable true to enable, false to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto(krb5_context context,
+ krb5_boolean enable)
+{
+ int i;
+
+ for(i = 0; i < _krb5_num_etypes; i++)
+ if(_krb5_etypes[i]->flags & F_WEAK) {
+ if(enable)
+ _krb5_etypes[i]->flags &= ~F_DISABLED;
+ else
+ _krb5_etypes[i]->flags |= F_DISABLED;
+ }
+ return 0;
}
static size_t
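Review bot: `krb5_allow_weak_crypto` writes `F_DISABLED` into the entries of `_krb5_etypes`, a table that is not reached through `context`, so the setting appears to apply to every context in the process rather than the one passed in. `krb5_enctype_enable` and `krb5_enctype_disable` look like they do the same through `_krb5_find_enctype`. The new doc comments do not say so, and one component calling `krb5_allow_weak_crypto` with `enable` set would re-enable weak enctypes for unrelated callers in the same process. `krb5_enctype_enable` also clears the flag without looking at `F_WEAK`. I would add to each comment a line such as `The change is process-wide, not limited to the given context, and the flags are updated without locking.`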
@@ -3874,7 +2285,7 @@ wrapped_length (krb5_context context,
krb5_crypto crypto,
size_t data_len)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t padsize = et->padsize;
size_t checksumsize = CHECKSUMSIZE(et->checksum);
size_t res;
@@ -3889,7 +2300,7 @@ wrapped_length_dervied (krb5_context context,
krb5_crypto crypto,
size_t data_len)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t padsize = et->padsize;
size_t res;
@@ -3906,7 +2317,7 @@ wrapped_length_dervied (krb5_context context,
* Return the size of an encrypted packet of length `data_len'
*/
-size_t
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_get_wrapped_length (krb5_context context,
krb5_crypto crypto,
size_t data_len)
@@ -3925,7 +2336,7 @@ static size_t
crypto_overhead (krb5_context context,
krb5_crypto crypto)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t res;
res = CHECKSUMSIZE(et->checksum);
@@ -3939,7 +2350,7 @@ static size_t
crypto_overhead_dervied (krb5_context context,
krb5_crypto crypto)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
size_t res;
if (et->keyed_checksum)
@@ -3952,7 +2363,7 @@ crypto_overhead_dervied (krb5_context context,
return res;
}
-size_t
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
{
if (derived_crypto (context, crypto))
@@ -3961,7 +2372,24 @@ krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
return crypto_overhead (context, crypto);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Converts the random bytestring to a protocol key according to
+ * Kerberos crypto frame work. It may be assumed that all the bits of
+ * the input string are equally random, even though the entropy
+ * present in the random source may be limited.
+ *
+ * @param context Kerberos 5 context
+ * @param type the enctype resulting key will be of
+ * @param data input random data to convert to a key
+ * @param size size of input random data, at least krb5_enctype_keysize() long
+ * @param key key, output key, free with krb5_free_keyblock_contents()
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_random_to_key(krb5_context context,
krb5_enctype type,
const void *data,
@@ -3969,20 +2397,23 @@ krb5_random_to_key(krb5_context context,
krb5_keyblock *key)
{
krb5_error_code ret;
- struct encryption_type *et = _find_enctype(type);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ type);
return KRB5_PROG_ETYPE_NOSUPP;
}
if ((et->keytype->bits + 7) / 8 > size) {
- krb5_set_error_string(context, "encryption key %s needs %d bytes "
- "of random to make an encryption key out of it",
- et->name, (int)et->keytype->size);
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption key %s needs %d bytes "
+ "of random to make an encryption key "
+ "out of it", ""),
+ et->name, (int)et->keytype->size);
return KRB5_PROG_ETYPE_NOSUPP;
}
ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
- if(ret)
+ if(ret)
return ret;
key->keytype = type;
if (et->keytype->random_to_key)
@@ -3993,74 +2424,19 @@ krb5_random_to_key(krb5_context context,
return 0;
}
-krb5_error_code
-_krb5_pk_octetstring2key(krb5_context context,
- krb5_enctype type,
- const void *dhdata,
- size_t dhsize,
- const heim_octet_string *c_n,
- const heim_octet_string *k_n,
- krb5_keyblock *key)
-{
- struct encryption_type *et = _find_enctype(type);
- krb5_error_code ret;
- size_t keylen, offset;
- void *keydata;
- unsigned char counter;
- unsigned char shaoutput[20];
-
- if(et == NULL) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- keylen = (et->keytype->bits + 7) / 8;
-
- keydata = malloc(keylen);
- if (keydata == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- counter = 0;
- offset = 0;
- do {
- SHA_CTX m;
-
- SHA1_Init(&m);
- SHA1_Update(&m, &counter, 1);
- SHA1_Update(&m, dhdata, dhsize);
- if (c_n)
- SHA1_Update(&m, c_n->data, c_n->length);
- if (k_n)
- SHA1_Update(&m, k_n->data, k_n->length);
- SHA1_Final(shaoutput, &m);
-
- memcpy((unsigned char *)keydata + offset,
- shaoutput,
- min(keylen - offset, sizeof(shaoutput)));
-
- offset += sizeof(shaoutput);
- counter++;
- } while(offset < keylen);
- memset(shaoutput, 0, sizeof(shaoutput));
-
- ret = krb5_random_to_key(context, type, keydata, keylen, key);
- memset(keydata, 0, sizeof(keylen));
- free(keydata);
- return ret;
-}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prf_length(krb5_context context,
krb5_enctype type,
size_t *length)
{
- struct encryption_type *et = _find_enctype(type);
+ struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL || et->prf_length == 0) {
- krb5_set_error_string(context, "encryption type %d not supported",
- type);
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ type);
return KRB5_PROG_ETYPE_NOSUPP;
}
@@ -4068,126 +2444,207 @@ krb5_crypto_prf_length(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prf(krb5_context context,
const krb5_crypto crypto,
- const krb5_data *input,
+ const krb5_data *input,
krb5_data *output)
{
- struct encryption_type *et = crypto->et;
+ struct _krb5_encryption_type *et = crypto->et;
krb5_data_zero(output);
if(et->prf == NULL) {
- krb5_set_error_string(context, "kerberos prf for %s not supported",
- et->name);
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ "kerberos prf for %s not supported",
+ et->name);
return KRB5_PROG_ETYPE_NOSUPP;
}
return (*et->prf)(context, crypto, input, output);
}
-
+static krb5_error_code
+krb5_crypto_prfplus(krb5_context context,
+ const krb5_crypto crypto,
+ const krb5_data *input,
+ size_t length,
+ krb5_data *output)
+{
+ krb5_error_code ret;
+ krb5_data input2;
+ unsigned char i = 1;
+ unsigned char *p;
+ krb5_data_zero(&input2);
+ krb5_data_zero(output);
-#ifdef CRYPTO_DEBUG
+ krb5_clear_error_message(context);
-static krb5_error_code
-krb5_get_keyid(krb5_context context,
- krb5_keyblock *key,
- uint32_t *keyid)
-{
- MD5_CTX md5;
- unsigned char tmp[16];
+ ret = krb5_data_alloc(output, length);
+ if (ret) goto out;
+ ret = krb5_data_alloc(&input2, input->length + 1);
+ if (ret) goto out;
- MD5_Init (&md5);
- MD5_Update (&md5, key->keyvalue.data, key->keyvalue.length);
- MD5_Final (tmp, &md5);
- *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15];
- return 0;
-}
+ krb5_clear_error_message(context);
-static void
-krb5_crypto_debug(krb5_context context,
- int encryptp,
- size_t len,
- krb5_keyblock *key)
-{
- uint32_t keyid;
- char *kt;
- krb5_get_keyid(context, key, &keyid);
- krb5_enctype_to_string(context, key->keytype, &kt);
- krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)",
- encryptp ? "encrypting" : "decrypting",
- (unsigned long)len,
- keyid,
- kt);
- free(kt);
+ memcpy(((unsigned char *)input2.data) + 1, input->data, input->length);
+
+ p = output->data;
+
+ while (length) {
+ krb5_data block;
+
+ ((unsigned char *)input2.data)[0] = i++;
+
+ ret = krb5_crypto_prf(context, crypto, &input2, &block);
+ if (ret)
+ goto out;
+
+ if (block.length < length) {
+ memcpy(p, block.data, block.length);
+ length -= block.length;
+ } else {
+ memcpy(p, block.data, length);
+ length = 0;
+ }
+ p += block.length;
+ krb5_data_free(&block);
+ }
+
+ out:
+ krb5_data_free(&input2);
+ if (ret)
+ krb5_data_free(output);
+ return 0;
}
-#endif /* CRYPTO_DEBUG */
+/**
+ * The FX-CF2 key derivation function, used in FAST and preauth framework.
+ *
+ * @param context Kerberos 5 context
+ * @param crypto1 first key to combine
+ * @param crypto2 second key to combine
+ * @param pepper1 factor to combine with first key to garante uniqueness
+ * @param pepper2 factor to combine with second key to garante uniqueness
+ * @param enctype the encryption type of the resulting key
+ * @param res allocated key, free with krb5_free_keyblock_contents()
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
-#if 0
-int
-main()
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_fx_cf2(krb5_context context,
+ const krb5_crypto crypto1,
+ const krb5_crypto crypto2,
+ krb5_data *pepper1,
+ krb5_data *pepper2,
+ krb5_enctype enctype,
+ krb5_keyblock *res)
{
-#if 0
- int i;
- krb5_context context;
- krb5_crypto crypto;
- struct key_data *d;
- krb5_keyblock key;
- char constant[4];
- unsigned usage = ENCRYPTION_USAGE(3);
krb5_error_code ret;
+ krb5_data os1, os2;
+ size_t i, keysize;
+
+ memset(res, 0, sizeof(*res));
- ret = krb5_init_context(&context);
+ ret = krb5_enctype_keysize(context, enctype, &keysize);
if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
+ return ret;
- key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
- key.keyvalue.data = "\xb3\x85\x58\x94\xd9\xdc\x7c\xc8"
- "\x25\xe9\x85\xab\x3e\xb5\xfb\x0e"
- "\xc8\xdf\xab\x26\x86\x64\x15\x25";
- key.keyvalue.length = 24;
+ ret = krb5_data_alloc(&res->keyvalue, keysize);
+ if (ret)
+ goto out;
+ ret = krb5_crypto_prfplus(context, crypto1, pepper1, keysize, &os1);
+ if (ret)
+ goto out;
+ ret = krb5_crypto_prfplus(context, crypto2, pepper2, keysize, &os2);
+ if (ret)
+ goto out;
- krb5_crypto_init(context, &key, 0, &crypto);
+ res->keytype = enctype;
+ {
+ unsigned char *p1 = os1.data, *p2 = os2.data, *p3 = res->keyvalue.data;
+ for (i = 0; i < keysize; i++)
+ p3[i] = p1[i] ^ p2[i];
+ }
+ out:
+ if (ret)
+ krb5_data_free(&res->keyvalue);
+ krb5_data_free(&os1);
+ krb5_data_free(&os2);
- d = _new_derived_key(crypto, usage);
- if(d == NULL)
- krb5_errx(context, 1, "_new_derived_key failed");
- krb5_copy_keyblock(context, crypto->key.key, &d->key);
- _krb5_put_int(constant, usage, 4);
- derive_key(context, crypto->et, d, constant, sizeof(constant));
- return 0;
-#else
- int i;
- krb5_context context;
- krb5_crypto crypto;
- struct key_data *d;
- krb5_keyblock key;
- krb5_error_code ret;
- Checksum res;
+ return ret;
+}
- char *data = "what do ya want for nothing?";
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
- key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
- key.keyvalue.data = "Jefe";
- /* "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
- "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */
- key.keyvalue.length = 4;
+#ifndef HEIMDAL_SMALLER
+
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_keytype_to_enctypes (krb5_context context,
+ krb5_keytype keytype,
+ unsigned *len,
+ krb5_enctype **val)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ int i;
+ unsigned n = 0;
+ krb5_enctype *ret;
- d = ecalloc(1, sizeof(*d));
- d->key = &key;
- res.checksum.length = 20;
- res.checksum.data = emalloc(res.checksum.length);
- SP_HMAC_SHA1_checksum(context, d, data, 28, &res);
+ for (i = _krb5_num_etypes - 1; i >= 0; --i) {
+ if (_krb5_etypes[i]->keytype->type == keytype
+ && !(_krb5_etypes[i]->flags & F_PSEUDO)
+ && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
+ ++n;
+ }
+ if (n == 0) {
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "Keytype have no mapping");
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+ }
+ ret = malloc(n * sizeof(*ret));
+ if (ret == NULL && n != 0) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ n = 0;
+ for (i = _krb5_num_etypes - 1; i >= 0; --i) {
+ if (_krb5_etypes[i]->keytype->type == keytype
+ && !(_krb5_etypes[i]->flags & F_PSEUDO)
+ && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
+ ret[n++] = _krb5_etypes[i]->type;
+ }
+ *len = n;
+ *val = ret;
return 0;
-#endif
}
-#endif
+
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+/* if two enctypes have compatible keys */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_enctypes_compatible_keys(krb5_context context,
+ krb5_enctype etype1,
+ krb5_enctype etype2)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
+ struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
+ return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
+}
+
+#endif /* HEIMDAL_SMALLER */
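Review bot: `krb5_crypto_prfplus` ends with `return 0;` after the `out:` label, so a failed `krb5_data_alloc` or `krb5_crypto_prf` is reported as success with `output` already freed. `krb5_crypto_fx_cf2` then XORs `os1.data` and `os2.data` for `keysize` bytes, so the last statement should be `return ret;`. In `krb5_crypto_fx_cf2`, `os1` and `os2` are still uninitialised when the first `goto out` is taken (failure of `krb5_data_alloc(&res->keyvalue, keysize)`), yet `out:` passes both to `krb5_data_free`. Add `krb5_data_zero(&os1); krb5_data_zero(&os2);` before the first call that can fail. The PRF `block` buffers and `os1`/`os2` hold key-derivation output and are released without being cleared, so a wipe before each `krb5_data_free` is worth adding.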
diff --git a/crypto/heimdal/lib/krb5/crypto.h b/crypto/heimdal/lib/krb5/crypto.h
new file mode 100644
index 000000000000..9b95b8f0cbcc
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef HEIMDAL_SMALLER
+#define DES3_OLD_ENCTYPE 1
+#endif
+
+struct _krb5_key_data {
+ krb5_keyblock *key;
+ krb5_data *schedule;
+};
+
+struct _krb5_key_usage;
+
+struct krb5_crypto_data {
+ struct _krb5_encryption_type *et;
+ struct _krb5_key_data key;
+ int num_key_usage;
+ struct _krb5_key_usage *key_usage;
+};
+
+#define CRYPTO_ETYPE(C) ((C)->et->type)
+
+/* bits for `flags' below */
+#define F_KEYED 1 /* checksum is keyed */
+#define F_CPROOF 2 /* checksum is collision proof */
+#define F_DERIVED 4 /* uses derived keys */
+#define F_VARIANT 8 /* uses `variant' keys (6.4.3) */
+#define F_PSEUDO 16 /* not a real protocol type */
+#define F_SPECIAL 32 /* backwards */
+#define F_DISABLED 64 /* enctype/checksum disabled */
+#define F_WEAK 128 /* enctype is considered weak */
+
+struct salt_type {
+ krb5_salttype type;
+ const char *name;
+ krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
+ krb5_salt, krb5_data, krb5_keyblock*);
+};
+
+struct _krb5_key_type {
+ krb5_enctype type;
+ const char *name;
+ size_t bits;
+ size_t size;
+ size_t schedule_size;
+ void (*random_key)(krb5_context, krb5_keyblock*);
+ void (*schedule)(krb5_context, struct _krb5_key_type *, struct _krb5_key_data *);
+ struct salt_type *string_to_key;
+ void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
+ void (*cleanup)(krb5_context, struct _krb5_key_data *);
+ const EVP_CIPHER *(*evp)(void);
+};
+
+struct _krb5_checksum_type {
+ krb5_cksumtype type;
+ const char *name;
+ size_t blocksize;
+ size_t checksumsize;
+ unsigned flags;
+ krb5_error_code (*checksum)(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *buf, size_t len,
+ unsigned usage,
+ Checksum *csum);
+ krb5_error_code (*verify)(krb5_context context,
+ struct _krb5_key_data *key,
+ const void *buf, size_t len,
+ unsigned usage,
+ Checksum *csum);
+};
+
+struct _krb5_encryption_type {
+ krb5_enctype type;
+ const char *name;
+ size_t blocksize;
+ size_t padsize;
+ size_t confoundersize;
+ struct _krb5_key_type *keytype;
+ struct _krb5_checksum_type *checksum;
+ struct _krb5_checksum_type *keyed_checksum;
+ unsigned flags;
+ krb5_error_code (*encrypt)(krb5_context context,
+ struct _krb5_key_data *key,
+ void *data, size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec);
+ size_t prf_length;
+ krb5_error_code (*prf)(krb5_context,
+ krb5_crypto, const krb5_data *, krb5_data *);
+};
+
+#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
+
+/* Checksums */
+
+extern struct _krb5_checksum_type _krb5_checksum_none;
+extern struct _krb5_checksum_type _krb5_checksum_crc32;
+extern struct _krb5_checksum_type _krb5_checksum_rsa_md4;
+extern struct _krb5_checksum_type _krb5_checksum_rsa_md4_des;
+extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des;
+extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3;
+extern struct _krb5_checksum_type _krb5_checksum_rsa_md5;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_des3;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
+extern struct _krb5_checksum_type _krb5_checksum_sha1;
+
+extern struct _krb5_checksum_type *_krb5_checksum_types[];
+extern int _krb5_num_checksums;
+
+/* Salts */
+
+extern struct salt_type _krb5_AES_salt[];
+extern struct salt_type _krb5_arcfour_salt[];
+extern struct salt_type _krb5_des_salt[];
+extern struct salt_type _krb5_des3_salt[];
+extern struct salt_type _krb5_des3_salt_derived[];
+
+/* Encryption types */
+
+extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1;
+extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1;
+extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1;
+extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5;
+extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_none;
+extern struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5;
+extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5;
+extern struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1;
+extern struct _krb5_encryption_type _krb5_enctype_des_cbc_crc;
+extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md4;
+extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5;
+extern struct _krb5_encryption_type _krb5_enctype_des_cbc_none;
+extern struct _krb5_encryption_type _krb5_enctype_des_cfb64_none;
+extern struct _krb5_encryption_type _krb5_enctype_des_pcbc_none;
+extern struct _krb5_encryption_type _krb5_enctype_null;
+
+extern struct _krb5_encryption_type *_krb5_etypes[];
+extern int _krb5_num_etypes;
+
+/* Interface to the EVP crypto layer provided by hcrypto */
+struct _krb5_evp_schedule {
+ EVP_CIPHER_CTX ectx;
+ EVP_CIPHER_CTX dctx;
+};
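Review bot: `_krb5_enctype_des_cbc_md5` is declared twice in the encryption-type extern list, once after `_krb5_enctype_arcfour_hmac_md5` and again after `_krb5_enctype_des_cbc_md4`. The compiler accepts this, but the second copy should be dropped, or replaced if a different enctype was intended. The header also has no include guard even though it defines struct types and the `F_*` macros, so a second inclusion in one translation unit would fail with redefinition errors. Wrapping it in a guard such as `#ifndef KRB5_CRYPTO_H_` / `#define KRB5_CRYPTO_H_` / `#endif` (the name is only a suggestion) avoids that. The `F_SPECIAL` comment `/* backwards */` does not say what the flag means and deserves a full sentence.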
diff --git a/crypto/heimdal/lib/krb5/data.c b/crypto/heimdal/lib/krb5/data.c
index eda1a8b2598b..f62a5532ab60 100644
--- a/crypto/heimdal/lib/krb5/data.c
+++ b/crypto/heimdal/lib/krb5/data.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: data.c 22064 2007-11-11 16:28:14Z lha $");
-
/**
* Reset the (potentially uninitalized) krb5_data structure.
*
@@ -43,7 +41,7 @@ RCSID("$Id: data.c 22064 2007-11-11 16:28:14Z lha $");
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_data_zero(krb5_data *p)
{
p->length = 0;
@@ -52,14 +50,16 @@ krb5_data_zero(krb5_data *p)
/**
* Free the content of krb5_data structure, its ok to free a zeroed
- * structure. When done, the structure will be zeroed.
- *
+ * structure (with memset() or krb5_data_zero()). When done, the
+ * structure will be zeroed. The same function is called
+ * krb5_free_data_contents() in MIT Kerberos.
+ *
* @param p krb5_data to free.
*
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_data_free(krb5_data *p)
{
if(p->data != NULL)
@@ -68,30 +68,15 @@ krb5_data_free(krb5_data *p)
}
/**
- * Same as krb5_data_free().
- *
- * @param context Kerberos 5 context.
- * @param data krb5_data to free.
- *
- * @ingroup krb5
- */
-
-void KRB5_LIB_FUNCTION
-krb5_free_data_contents(krb5_context context, krb5_data *data)
-{
- krb5_data_free(data);
-}
-
-/**
* Free krb5_data (and its content).
- *
+ *
* @param context Kerberos 5 context.
* @param p krb5_data to free.
*
* @ingroup krb5
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_data(krb5_context context,
krb5_data *p)
{
@@ -101,8 +86,8 @@ krb5_free_data(krb5_context context,
/**
* Allocate data of and krb5_data.
- *
- * @param p krb5_data to free.
+ *
+ * @param p krb5_data to allocate.
* @param len size to allocate.
*
* @return Returns 0 to indicate success. Otherwise an kerberos et
@@ -111,7 +96,7 @@ krb5_free_data(krb5_context context,
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_alloc(krb5_data *p, int len)
{
p->data = malloc(len);
@@ -123,7 +108,7 @@ krb5_data_alloc(krb5_data *p, int len)
/**
* Grow (or shrink) the content of krb5_data to a new size.
- *
+ *
* @param p krb5_data to free.
* @param len new size.
*
@@ -133,7 +118,7 @@ krb5_data_alloc(krb5_data *p, int len)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_realloc(krb5_data *p, int len)
{
void *tmp;
@@ -147,7 +132,7 @@ krb5_data_realloc(krb5_data *p, int len)
/**
* Copy the data of len into the krb5_data.
- *
+ *
* @param p krb5_data to copy into.
* @param data data to copy..
* @param len new size.
@@ -158,7 +143,7 @@ krb5_data_realloc(krb5_data *p, int len)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_copy(krb5_data *p, const void *data, size_t len)
{
if (len) {
@@ -173,7 +158,7 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len)
/**
* Copy the data into a newly allocated krb5_data.
- *
+ *
* @param context Kerberos 5 context.
* @param indata the krb5_data data to copy
* @param outdata new krb5_date to copy too. Free with krb5_free_data().
@@ -184,20 +169,20 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len)
* @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_copy_data(krb5_context context,
- const krb5_data *indata,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_copy_data(krb5_context context,
+ const krb5_data *indata,
krb5_data **outdata)
{
krb5_error_code ret;
ALLOC(*outdata, 1);
if(*outdata == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
ret = der_copy_octet_string(indata, *outdata);
if(ret) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
free(*outdata);
*outdata = NULL;
}
@@ -206,7 +191,7 @@ krb5_copy_data(krb5_context context,
/**
* Compare to data.
- *
+ *
* @param data1 krb5_data to compare
* @param data2 krb5_data to compare
*
@@ -215,10 +200,29 @@ krb5_copy_data(krb5_context context,
* @ingroup krb5
*/
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_data_cmp(const krb5_data *data1, const krb5_data *data2)
{
if (data1->length != data2->length)
return data1->length - data2->length;
return memcmp(data1->data, data2->data, data1->length);
}
+
+/**
+ * Compare to data not exposing timing information from the checksum data
+ *
+ * @param data1 krb5_data to compare
+ * @param data2 krb5_data to compare
+ *
+ * @return returns zero for same data, otherwise non zero.
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_data_ct_cmp(const krb5_data *data1, const krb5_data *data2)
+{
+ if (data1->length != data2->length)
+ return data1->length - data2->length;
+ return ct_memcmp(data1->data, data2->data, data1->length);
+}
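Review bot: In `krb5_data_ct_cmp` the mismatch branch returns `data1->length - data2->length`, which (assuming `length` is a `size_t`, as the `krb5_data_copy` signature suggests) is an unsigned difference narrowed to `int`. Where `size_t` is wider than `int`, a difference that is a multiple of 2^32 narrows to 0 and is reported as equal without the contents ever being compared. The doc comment promises only zero or non-zero, so `if (data1->length != data2->length) return 1;` is enough and removes the narrowing. The comment should also say that the length check is not constant-time, so only the contents are protected, not the lengths. `krb5_data_cmp` in the same hunk has the same subtraction.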
diff --git a/crypto/heimdal/lib/krb5/deprecated.c b/crypto/heimdal/lib/krb5/deprecated.c
new file mode 100644
index 000000000000..1d44d21b1706
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/deprecated.c
@@ -0,0 +1,609 @@
+/*
+ * Copyright (c) 1997 - 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#undef __attribute__
+#define __attribute__(x)
+
+#ifndef HEIMDAL_SMALLER
+
+/**
+ * Same as krb5_data_free(). MIT compat.
+ *
+ * Deprecated: use krb5_data_free().
+ *
+ * @param context Kerberos 5 context.
+ * @param data krb5_data to free.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_data_contents(krb5_context context, krb5_data *data)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_data_free(data);
+}
+
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_keytype_to_enctypes_default (krb5_context context,
+ krb5_keytype keytype,
+ unsigned *len,
+ krb5_enctype **val)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ unsigned int i, n;
+ krb5_enctype *ret;
+
+ if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
+ return krb5_keytype_to_enctypes (context, keytype, len, val);
+
+ for (n = 0; context->etypes_des[n]; ++n)
+ ;
+ ret = malloc (n * sizeof(*ret));
+ if (ret == NULL && n != 0) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ for (i = 0; i < n; ++i)
+ ret[i] = context->etypes_des[i];
+ *len = n;
+ *val = ret;
+ return 0;
+}
+
+
+static struct {
+ const char *name;
+ krb5_keytype type;
+} keys[] = {
+ { "null", ENCTYPE_NULL },
+ { "des", ETYPE_DES_CBC_CRC },
+ { "des3", ETYPE_OLD_DES3_CBC_SHA1 },
+ { "aes-128", ETYPE_AES128_CTS_HMAC_SHA1_96 },
+ { "aes-256", ETYPE_AES256_CTS_HMAC_SHA1_96 },
+ { "arcfour", ETYPE_ARCFOUR_HMAC_MD5 },
+ { "arcfour-56", ETYPE_ARCFOUR_HMAC_MD5_56 }
+};
+
+static int num_keys = sizeof(keys) / sizeof(keys[0]);
+
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes in
+ * most cases, use krb5_enctype_to_string().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_keytype_to_string(krb5_context context,
+ krb5_keytype keytype,
+ char **string)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ const char *name = NULL;
+ int i;
+
+ for(i = 0; i < num_keys; i++) {
+ if(keys[i].type == keytype) {
+ name = keys[i].name;
+ break;
+ }
+ }
+
+ if(i >= num_keys) {
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "key type %d not supported", keytype);
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+ }
+ *string = strdup(name);
+ if(*string == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ return 0;
+}
+
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes in
+ * most cases, use krb5_string_to_enctype().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_keytype(krb5_context context,
+ const char *string,
+ krb5_keytype *keytype)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ char *end;
+ int i;
+
+ for(i = 0; i < num_keys; i++)
+ if(strcasecmp(keys[i].name, string) == 0){
+ *keytype = keys[i].type;
+ return 0;
+ }
+
+ /* check if the enctype is a number */
+ *keytype = strtol(string, &end, 0);
+ if(*end == '\0' && *keytype != 0) {
+ if (krb5_enctype_valid(context, *keytype) == 0)
+ return 0;
+ }
+
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "key type %s not supported", string);
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+}
+
+/**
+ * Deprecated: use krb5_get_init_creds() and friends.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
+krb5_password_key_proc (krb5_context context,
+ krb5_enctype type,
+ krb5_salt salt,
+ krb5_const_pointer keyseed,
+ krb5_keyblock **key)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_error_code ret;
+ const char *password = (const char *)keyseed;
+ char buf[BUFSIZ];
+
+ *key = malloc (sizeof (**key));
+ if (*key == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ if (password == NULL) {
+ if(UI_UTIL_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
+ free (*key);
+ krb5_clear_error_message(context);
+ return KRB5_LIBOS_PWDINTR;
+ }
+ password = buf;
+ }
+ ret = krb5_string_to_key_salt (context, type, password, salt, *key);
+ memset (buf, 0, sizeof(buf));
+ return ret;
+}
+
+/**
+ * Deprecated: use krb5_get_init_creds() and friends.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_in_tkt_with_password (krb5_context context,
+ krb5_flags options,
+ krb5_addresses *addrs,
+ const krb5_enctype *etypes,
+ const krb5_preauthtype *pre_auth_types,
+ const char *password,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return krb5_get_in_tkt (context,
+ options,
+ addrs,
+ etypes,
+ pre_auth_types,
+ krb5_password_key_proc,
+ password,
+ NULL,
+ NULL,
+ creds,
+ ccache,
+ ret_as_reply);
+}
+
+static krb5_error_code KRB5_CALLCONV
+krb5_skey_key_proc (krb5_context context,
+ krb5_enctype type,
+ krb5_salt salt,
+ krb5_const_pointer keyseed,
+ krb5_keyblock **key)
+{
+ return krb5_copy_keyblock (context, keyseed, key);
+}
+
+/**
+ * Deprecated: use krb5_get_init_creds() and friends.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_in_tkt_with_skey (krb5_context context,
+ krb5_flags options,
+ krb5_addresses *addrs,
+ const krb5_enctype *etypes,
+ const krb5_preauthtype *pre_auth_types,
+ const krb5_keyblock *key,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ if(key == NULL)
+ return krb5_get_in_tkt_with_keytab (context,
+ options,
+ addrs,
+ etypes,
+ pre_auth_types,
+ NULL,
+ ccache,
+ creds,
+ ret_as_reply);
+ else
+ return krb5_get_in_tkt (context,
+ options,
+ addrs,
+ etypes,
+ pre_auth_types,
+ krb5_skey_key_proc,
+ key,
+ NULL,
+ NULL,
+ creds,
+ ccache,
+ ret_as_reply);
+}
+
+/**
+ * Deprecated: use krb5_get_init_creds() and friends.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
+krb5_keytab_key_proc (krb5_context context,
+ krb5_enctype enctype,
+ krb5_salt salt,
+ krb5_const_pointer keyseed,
+ krb5_keyblock **key)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed);
+ krb5_keytab keytab = args->keytab;
+ krb5_principal principal = args->principal;
+ krb5_error_code ret;
+ krb5_keytab real_keytab;
+ krb5_keytab_entry entry;
+
+ if(keytab == NULL)
+ krb5_kt_default(context, &real_keytab);
+ else
+ real_keytab = keytab;
+
+ ret = krb5_kt_get_entry (context, real_keytab, principal,
+ 0, enctype, &entry);
+
+ if (keytab == NULL)
+ krb5_kt_close (context, real_keytab);
+
+ if (ret)
+ return ret;
+
+ ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+ krb5_kt_free_entry(context, &entry);
+ return ret;
+}
+
+/**
+ * Deprecated: use krb5_get_init_creds() and friends.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_in_tkt_with_keytab (krb5_context context,
+ krb5_flags options,
+ krb5_addresses *addrs,
+ const krb5_enctype *etypes,
+ const krb5_preauthtype *pre_auth_types,
+ krb5_keytab keytab,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_keytab_key_proc_args a;
+
+ a.principal = creds->client;
+ a.keytab = keytab;
+
+ return krb5_get_in_tkt (context,
+ options,
+ addrs,
+ etypes,
+ pre_auth_types,
+ krb5_keytab_key_proc,
+ &a,
+ NULL,
+ NULL,
+ creds,
+ ccache,
+ ret_as_reply);
+}
+
+/**
+ * Generate a new ccache of type `ops' in `id'.
+ *
+ * Deprecated: use krb5_cc_new_unique() instead.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_gen_new(krb5_context context,
+ const krb5_cc_ops *ops,
+ krb5_ccache *id)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return krb5_cc_new_unique(context, ops->prefix, NULL, id);
+}
+
+/**
+ * Deprecated: use krb5_principal_get_realm()
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
+krb5_princ_realm(krb5_context context,
+ krb5_principal principal)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return &principal->realm;
+}
+
+
+/**
+ * Deprecated: use krb5_principal_set_realm()
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_princ_set_realm(krb5_context context,
+ krb5_principal principal,
+ krb5_realm *realm)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ principal->realm = *realm;
+}
+
+/**
+ * Deprecated: use krb5_free_cred_contents()
+ *
+ * @ingroup krb5_deprecated
+ */
+
+/* keep this for compatibility with older code */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_creds_contents (krb5_context context, krb5_creds *c)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return krb5_free_cred_contents (context, c);
+}
+
+/**
+ * Free the error message returned by krb5_get_error_string().
+ *
+ * Deprecated: use krb5_free_error_message()
+ *
+ * @param context Kerberos context
+ * @param str error message to free
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_error_string(krb5_context context, char *str)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_free_error_message(context, str);
+}
+
+/**
+ * Set the error message returned by krb5_get_error_string().
+ *
+ * Deprecated: use krb5_get_error_message()
+ *
+ * @param context Kerberos context
+ * @param fmt error message to free
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_error_string(krb5_context context, const char *fmt, ...)
+ __attribute__((format (printf, 2, 3)))
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ krb5_vset_error_message (context, 0, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+/**
+ * Set the error message returned by krb5_get_error_string(),
+ * deprecated, use krb5_set_error_message().
+ *
+ * Deprecated: use krb5_vset_error_message()
+ *
+ * @param context Kerberos context
+ * @param msg error message to free
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
+ __attribute__ ((format (printf, 2, 0)))
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_vset_error_message(context, 0, fmt, args);
+ return 0;
+}
+
+/**
+ * Clear the error message returned by krb5_get_error_string().
+ *
+ * Deprecated: use krb5_clear_error_message()
+ *
+ * @param context Kerberos context
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_clear_error_string(krb5_context context)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_clear_error_message(context);
+}
+
+/**
+ * Deprecated: use krb5_get_credentials_with_flags().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_cred_from_kdc_opt(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts,
+ krb5_flags flags)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_kdc_flags f;
+ f.i = flags;
+ return _krb5_get_cred_kdc_any(context, f, ccache,
+ in_creds, NULL, NULL,
+ out_creds, ret_tgts);
+}
+
+/**
+ * Deprecated: use krb5_get_credentials_with_flags().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_cred_from_kdc(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return krb5_get_cred_from_kdc_opt(context, ccache,
+ in_creds, out_creds, ret_tgts, 0);
+}
+
+/**
+ * Deprecated: use krb5_xfree().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_unparsed_name(krb5_context context, char *str)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ krb5_xfree(str);
+}
+
+/**
+ * Deprecated: use krb5_generate_subkey_extended()
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_generate_subkey(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_keyblock **subkey)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ return krb5_generate_subkey_extended(context, key, ETYPE_NULL, subkey);
+}
+
+/**
+ * Deprecated: use krb5_auth_con_getremoteseqnumber()
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_getremoteseqnumber(krb5_context context,
+ krb5_auth_context auth_context,
+ int32_t *seqnumber)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ *seqnumber = auth_context->remote_seqnumber;
+ return 0;
+}
+
+#endif /* HEIMDAL_SMALLER */
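Review bot: In `krb5_password_key_proc` the final `memset (buf, 0, sizeof(buf))` is a dead store on a local that the compiler may remove, so the typed password can remain on the stack; it is also skipped on the `KRB5_LIBOS_PWDINTR` return. Use a scrub that cannot be elided (for example `memset_s`, if the platform or this tree's support library provides it) and run it on every exit path. The same function leaks `*key` when `krb5_string_to_key_salt` fails, which `if (ret) { free(*key); *key = NULL; }` before the return would fix, and it leaves `*key` dangling after `free (*key)` on the interrupt path. Separately, `krb5_keytab_key_proc` ignores the result of `krb5_kt_default`, so `real_keytab` may be passed to `krb5_kt_get_entry` and `krb5_kt_close` uninitialized; check the return value and bail out before using it.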
diff --git a/crypto/heimdal/lib/krb5/derived-key-test.c b/crypto/heimdal/lib/krb5/derived-key-test.c
index debadb8bb956..a67c95a54cb6 100644
--- a/crypto/heimdal/lib/krb5/derived-key-test.c
+++ b/crypto/heimdal/lib/krb5/derived-key-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: derived-key-test.c 16342 2005-12-02 14:14:43Z lha $");
-
enum { MAXSIZE = 24 };
static struct testcase {
@@ -77,7 +75,7 @@ static struct testcase {
{0}
};
-int KRB5_LIB_FUNCTION
+int
main(int argc, char **argv)
{
struct testcase *t;
diff --git a/crypto/heimdal/lib/krb5/digest.c b/crypto/heimdal/lib/krb5/digest.c
index 6e612ed6bbb0..ef3267b3a766 100644
--- a/crypto/heimdal/lib/krb5/digest.c
+++ b/crypto/heimdal/lib/krb5/digest.c
@@ -1,40 +1,41 @@
/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: digest.c 22156 2007-12-04 20:02:49Z lha $");
#include "digest_asn1.h"
+#ifndef HEIMDAL_SMALLER
+
struct krb5_digest_data {
char *cbtype;
char *cbbinding;
@@ -45,7 +46,7 @@ struct krb5_digest_data {
DigestResponse response;
};
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_alloc(krb5_context context, krb5_digest *digest)
{
krb5_digest d;
@@ -53,7 +54,7 @@ krb5_digest_alloc(krb5_context context, krb5_digest *digest)
d = calloc(1, sizeof(*d));
if (d == NULL) {
*digest = NULL;
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest = d;
@@ -61,7 +62,7 @@ krb5_digest_alloc(krb5_context context, krb5_digest *digest)
return 0;
}
-void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_digest_free(krb5_digest digest)
{
if (digest == NULL)
@@ -75,14 +76,15 @@ krb5_digest_free(krb5_digest digest)
return;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_server_cb(krb5_context context,
krb5_digest digest,
const char *type,
const char *binding)
{
if (digest->init.channel) {
- krb5_set_error_string(context, "server channel binding already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("server channel binding already set", ""));
return EINVAL;
}
digest->init.channel = calloc(1, sizeof(*digest->init.channel));
@@ -94,54 +96,54 @@ krb5_digest_set_server_cb(krb5_context context,
goto error;
digest->init.channel->cb_binding = strdup(binding);
- if (digest->init.channel->cb_binding == NULL)
+ if (digest->init.channel->cb_binding == NULL)
goto error;
return 0;
-error:
+ error:
if (digest->init.channel) {
free(digest->init.channel->cb_type);
free(digest->init.channel->cb_binding);
free(digest->init.channel);
digest->init.channel = NULL;
}
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_type(krb5_context context,
krb5_digest digest,
const char *type)
{
if (digest->init.type) {
- krb5_set_error_string(context, "client type already set");
+ krb5_set_error_message(context, EINVAL, "client type already set");
return EINVAL;
}
digest->init.type = strdup(type);
if (digest->init.type == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_hostname(krb5_context context,
krb5_digest digest,
const char *hostname)
{
if (digest->init.hostname) {
- krb5_set_error_string(context, "server hostname already set");
+ krb5_set_error_message(context, EINVAL, "server hostname already set");
return EINVAL;
}
digest->init.hostname = malloc(sizeof(*digest->init.hostname));
if (digest->init.hostname == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->init.hostname = strdup(hostname);
if (*digest->init.hostname == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->init.hostname);
digest->init.hostname = NULL;
return ENOMEM;
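Review bot: The "already set" messages in krb5_digest_set_type and krb5_digest_set_hostname are passed to krb5_set_error_message() as bare literals, while almost every other message converted by this commit is wrapped in `N_()`. The same omission recurs in later hunks for "opaque already set", "username already set", "authid already set", "realm already set" and "qop already set". These strings would presumably be missed by message extraction, so for consistency they should read e.g. `krb5_set_error_message(context, EINVAL, N_("client type already set", ""));`.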
@@ -149,55 +151,55 @@ krb5_digest_set_hostname(krb5_context context,
return 0;
}
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_server_nonce(krb5_context context,
krb5_digest digest)
{
return digest->initReply.nonce;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_server_nonce(krb5_context context,
krb5_digest digest,
const char *nonce)
{
if (digest->request.serverNonce) {
- krb5_set_error_string(context, "nonce already set");
+ krb5_set_error_message(context, EINVAL, N_("nonce already set", ""));
return EINVAL;
}
digest->request.serverNonce = strdup(nonce);
if (digest->request.serverNonce == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_opaque(krb5_context context,
krb5_digest digest)
{
return digest->initReply.opaque;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_opaque(krb5_context context,
krb5_digest digest,
const char *opaque)
{
if (digest->request.opaque) {
- krb5_set_error_string(context, "opaque already set");
+ krb5_set_error_message(context, EINVAL, "opaque already set");
return EINVAL;
}
digest->request.opaque = strdup(opaque);
if (digest->request.opaque == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_identifier(krb5_context context,
krb5_digest digest)
{
@@ -206,23 +208,23 @@ krb5_digest_get_identifier(krb5_context context,
return *digest->initReply.identifier;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_identifier(krb5_context context,
krb5_digest digest,
const char *id)
{
if (digest->request.identifier) {
- krb5_set_error_string(context, "identifier already set");
+ krb5_set_error_message(context, EINVAL, N_("identifier already set", ""));
return EINVAL;
}
digest->request.identifier = calloc(1, sizeof(*digest->request.identifier));
if (digest->request.identifier == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.identifier = strdup(id);
if (*digest->request.identifier == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.identifier);
digest->request.identifier = NULL;
return ENOMEM;
@@ -242,7 +244,7 @@ digest_request(krb5_context context,
DigestREP rep;
krb5_error_code ret;
krb5_data data, data2;
- size_t size;
+ size_t size = 0;
krb5_crypto crypto = NULL;
krb5_auth_context ac = NULL;
krb5_principal principal = NULL;
@@ -272,7 +274,7 @@ digest_request(krb5_context context,
*
*/
- ret = krb5_make_principal(context, &principal,
+ ret = krb5_make_principal(context, &principal,
r, KRB5_DIGEST_NAME, r, NULL);
if (ret)
goto out;
@@ -280,14 +282,14 @@ digest_request(krb5_context context,
ASN1_MALLOC_ENCODE(DigestReqInner, data.data, data.length,
ireq, &size, ret);
if (ret) {
- krb5_set_error_string(context,
- "Failed to encode digest inner request");
+ krb5_set_error_message(context, ret,
+ N_("Failed to encode digest inner request", ""));
goto out;
}
if (size != data.length)
krb5_abortx(context, "ASN.1 internal encoder error");
- ret = krb5_mk_req_exact(context, &ac,
+ ret = krb5_mk_req_exact(context, &ac,
AP_OPTS_USE_SUBKEY|AP_OPTS_MUTUAL_REQUIRED,
principal, NULL, id, &req.apReq);
if (ret)
@@ -300,8 +302,9 @@ digest_request(krb5_context context,
if (ret)
goto out;
if (key == NULL) {
- krb5_set_error_string(context, "Digest failed to get local subkey");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("Digest failed to get local subkey", ""));
goto out;
}
@@ -312,7 +315,7 @@ digest_request(krb5_context context,
}
ret = krb5_encrypt_EncryptedData(context, crypto, usage,
- data.data, data.length, 0,
+ data.data, data.length, 0,
&req.innerReq);
if (ret)
goto out;
@@ -322,7 +325,8 @@ digest_request(krb5_context context,
ASN1_MALLOC_ENCODE(DigestREQ, data.data, data.length,
&req, &size, ret);
if (ret) {
- krb5_set_error_string(context, "Failed to encode DigestREQest");
+ krb5_set_error_message(context, ret,
+ N_("Failed to encode DigestREQest", ""));
goto out;
}
if (size != data.length)
@@ -334,7 +338,8 @@ digest_request(krb5_context context,
ret = decode_DigestREP(data2.data, data2.length, &rep, NULL);
if (ret) {
- krb5_set_error_string(context, "Failed to parse digest response");
+ krb5_set_error_message(context, ret,
+ N_("Failed to parse digest response", ""));
goto out;
}
@@ -355,8 +360,8 @@ digest_request(krb5_context context,
goto out;
if (key == NULL) {
ret = EINVAL;
- krb5_set_error_string(context,
- "Digest reply have no remote subkey");
+ krb5_set_error_message(context, ret,
+ N_("Digest reply have no remote subkey", ""));
goto out;
}
@@ -372,14 +377,15 @@ digest_request(krb5_context context,
&rep.innerRep, &data);
if (ret)
goto out;
-
+
ret = decode_DigestRepInner(data.data, data.length, irep, NULL);
if (ret) {
- krb5_set_error_string(context, "Failed to decode digest inner reply");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode digest inner reply", ""));
goto out;
}
-out:
+ out:
if (ccache == NULL && id)
krb5_cc_close(context, id);
if (realm == NULL && r)
@@ -400,7 +406,7 @@ out:
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_init_request(krb5_context context,
krb5_digest digest,
krb5_realm realm,
@@ -414,7 +420,8 @@ krb5_digest_init_request(krb5_context context,
memset(&irep, 0, sizeof(irep));
if (digest->init.type == NULL) {
- krb5_set_error_string(context, "Type missing from init req");
+ krb5_set_error_message(context, EINVAL,
+ N_("Type missing from init req", ""));
return EINVAL;
}
@@ -427,49 +434,52 @@ krb5_digest_init_request(krb5_context context,
goto out;
if (irep.element == choice_DigestRepInner_error) {
- krb5_set_error_string(context, "Digest init error: %s",
- irep.u.error.reason);
ret = irep.u.error.code;
+ krb5_set_error_message(context, ret, N_("Digest init error: %s", ""),
+ irep.u.error.reason);
goto out;
}
if (irep.element != choice_DigestRepInner_initReply) {
- krb5_set_error_string(context, "digest reply not an initReply");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("digest reply not an initReply", ""));
goto out;
}
ret = copy_DigestInitReply(&irep.u.initReply, &digest->initReply);
if (ret) {
- krb5_set_error_string(context, "Failed to copy initReply");
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy initReply", ""));
goto out;
}
-out:
+ out:
free_DigestRepInner(&irep);
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_client_nonce(krb5_context context,
krb5_digest digest,
const char *nonce)
{
if (digest->request.clientNonce) {
- krb5_set_error_string(context, "clientNonce already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("clientNonce already set", ""));
return EINVAL;
}
- digest->request.clientNonce =
+ digest->request.clientNonce =
calloc(1, sizeof(*digest->request.clientNonce));
if (digest->request.clientNonce == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.clientNonce = strdup(nonce);
if (*digest->request.clientNonce == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.clientNonce);
digest->request.clientNonce = NULL;
return ENOMEM;
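Review bot: In krb5_digest_init_request the error branch does `ret = irep.u.error.code;`, so the return value comes straight from the decoded reply. An error reply carrying code 0 would make the function return success while `digest->initReply` was never filled in. Whether the peer can actually send 0 is not visible in this hunk, but a defensive `if (ret == 0) ret = EINVAL;` placed before the krb5_set_error_message() call would keep a malformed or hostile reply from being read as success. The same assignment appears in krb5_digest_request, krb5_ntlm_init_request and krb5_ntlm_request in later hunks.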
@@ -477,57 +487,58 @@ krb5_digest_set_client_nonce(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_digest(krb5_context context,
krb5_digest digest,
const char *dgst)
{
if (digest->request.digest) {
- krb5_set_error_string(context, "digest already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("digest already set", ""));
return EINVAL;
}
digest->request.digest = strdup(dgst);
if (digest->request.digest == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_username(krb5_context context,
krb5_digest digest,
const char *username)
{
if (digest->request.username) {
- krb5_set_error_string(context, "username already set");
+ krb5_set_error_message(context, EINVAL, "username already set");
return EINVAL;
}
digest->request.username = strdup(username);
if (digest->request.username == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_authid(krb5_context context,
krb5_digest digest,
const char *authid)
{
if (digest->request.authid) {
- krb5_set_error_string(context, "authid already set");
+ krb5_set_error_message(context, EINVAL, "authid already set");
return EINVAL;
}
digest->request.authid = malloc(sizeof(*digest->request.authid));
if (digest->request.authid == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.authid = strdup(authid);
if (*digest->request.authid == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.authid);
digest->request.authid = NULL;
return ENOMEM;
@@ -535,7 +546,7 @@ krb5_digest_set_authid(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_authentication_user(krb5_context context,
krb5_digest digest,
krb5_principal authentication_user)
@@ -543,36 +554,35 @@ krb5_digest_set_authentication_user(krb5_context context,
krb5_error_code ret;
if (digest->request.authentication_user) {
- krb5_set_error_string(context, "authentication_user already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("authentication_user already set", ""));
return EINVAL;
}
ret = krb5_copy_principal(context,
authentication_user,
&digest->request.authentication_user);
- if (digest->request.authentication_user == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (ret)
+ return ret;
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_realm(krb5_context context,
krb5_digest digest,
const char *realm)
{
if (digest->request.realm) {
- krb5_set_error_string(context, "realm already set");
+ krb5_set_error_message(context, EINVAL, "realm already set");
return EINVAL;
}
digest->request.realm = malloc(sizeof(*digest->request.realm));
if (digest->request.realm == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.realm = strdup(realm);
if (*digest->request.realm == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.realm);
digest->request.realm = NULL;
return ENOMEM;
@@ -580,23 +590,24 @@ krb5_digest_set_realm(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_method(krb5_context context,
krb5_digest digest,
const char *method)
{
if (digest->request.method) {
- krb5_set_error_string(context, "method already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("method already set", ""));
return EINVAL;
}
digest->request.method = malloc(sizeof(*digest->request.method));
if (digest->request.method == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.method = strdup(method);
if (*digest->request.method == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.method);
digest->request.method = NULL;
return ENOMEM;
@@ -604,23 +615,23 @@ krb5_digest_set_method(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_uri(krb5_context context,
krb5_digest digest,
const char *uri)
{
if (digest->request.uri) {
- krb5_set_error_string(context, "uri already set");
+ krb5_set_error_message(context, EINVAL, N_("uri already set", ""));
return EINVAL;
}
digest->request.uri = malloc(sizeof(*digest->request.uri));
if (digest->request.uri == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.uri = strdup(uri);
if (*digest->request.uri == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.uri);
digest->request.uri = NULL;
return ENOMEM;
@@ -628,24 +639,25 @@ krb5_digest_set_uri(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_nonceCount(krb5_context context,
krb5_digest digest,
const char *nonce_count)
{
if (digest->request.nonceCount) {
- krb5_set_error_string(context, "nonceCount already set");
+ krb5_set_error_message(context, EINVAL,
+ N_("nonceCount already set", ""));
return EINVAL;
}
- digest->request.nonceCount =
+ digest->request.nonceCount =
malloc(sizeof(*digest->request.nonceCount));
if (digest->request.nonceCount == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.nonceCount = strdup(nonce_count);
if (*digest->request.nonceCount == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.nonceCount);
digest->request.nonceCount = NULL;
return ENOMEM;
@@ -653,23 +665,23 @@ krb5_digest_set_nonceCount(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_qop(krb5_context context,
krb5_digest digest,
const char *qop)
{
if (digest->request.qop) {
- krb5_set_error_string(context, "qop already set");
+ krb5_set_error_message(context, EINVAL, "qop already set");
return EINVAL;
}
digest->request.qop = malloc(sizeof(*digest->request.qop));
if (digest->request.qop == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
*digest->request.qop = strdup(qop);
if (*digest->request.qop == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(digest->request.qop);
digest->request.qop = NULL;
return ENOMEM;
@@ -677,20 +689,20 @@ krb5_digest_set_qop(krb5_context context,
return 0;
}
-int
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_digest_set_responseData(krb5_context context,
krb5_digest digest,
const char *response)
{
digest->request.responseData = strdup(response);
if (digest->request.responseData == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_request(krb5_context context,
krb5_digest digest,
krb5_realm realm,
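Review bot: krb5_digest_set_responseData assigns `digest->request.responseData = strdup(response);` without checking whether the field is already set, unlike every sibling setter in this file. A second call leaks the previous string, and the caller gets no EINVAL. Adding the same guard the others use, `if (digest->request.responseData) { krb5_set_error_message(context, EINVAL, N_("responseData already set", "")); return EINVAL; }`, would make the setters consistent. krb5_ntlm_req_set_username and krb5_ntlm_req_set_targetname in a later hunk have the same unguarded shape.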
@@ -708,14 +720,17 @@ krb5_digest_request(krb5_context context,
if (digest->request.type == NULL) {
if (digest->init.type == NULL) {
- krb5_set_error_string(context, "Type missing from req");
+ krb5_set_error_message(context, EINVAL,
+ N_("Type missing from req", ""));
return EINVAL;
}
ireq.u.digestRequest.type = digest->init.type;
}
- if (ireq.u.digestRequest.digest == NULL)
- ireq.u.digestRequest.digest = "md5";
+ if (ireq.u.digestRequest.digest == NULL) {
+ static char md5[] = "md5";
+ ireq.u.digestRequest.digest = md5;
+ }
ret = digest_request(context, realm, ccache,
KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
@@ -723,38 +738,41 @@ krb5_digest_request(krb5_context context,
return ret;
if (irep.element == choice_DigestRepInner_error) {
- krb5_set_error_string(context, "Digest response error: %s",
- irep.u.error.reason);
ret = irep.u.error.code;
+ krb5_set_error_message(context, ret,
+ N_("Digest response error: %s", ""),
+ irep.u.error.reason);
goto out;
}
if (irep.element != choice_DigestRepInner_response) {
- krb5_set_error_string(context, "digest reply not an DigestResponse");
+ krb5_set_error_message(context, EINVAL,
+ N_("digest reply not an DigestResponse", ""));
ret = EINVAL;
goto out;
}
ret = copy_DigestResponse(&irep.u.response, &digest->response);
if (ret) {
- krb5_set_error_string(context, "Failed to copy initReply");
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy initReply,", ""));
goto out;
}
-out:
+ out:
free_DigestRepInner(&irep);
return ret;
}
-krb5_boolean
-krb5_digest_rep_get_status(krb5_context context,
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_digest_rep_get_status(krb5_context context,
krb5_digest digest)
{
return digest->response.success ? TRUE : FALSE;
}
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_rsp(krb5_context context,
krb5_digest digest)
{
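Review bot: The new message `N_("Failed to copy initReply,", "")` in krb5_digest_request picks up a stray trailing comma inside the string and still names initReply, although the failing call is copy_DigestResponse(). Something like `N_("Failed to copy DigestResponse", "")` would match what actually failed. In the same hunk the "not an DigestResponse" branch sets the message before `ret = EINVAL;`, whereas the other converted branches assign `ret` first and pass it to krb5_set_error_message(); using one order throughout would read more cleanly.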
@@ -763,7 +781,7 @@ krb5_digest_get_rsp(krb5_context context,
return *digest->response.rsp;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_tickets(krb5_context context,
krb5_digest digest,
Ticket **tickets)
@@ -773,7 +791,7 @@ krb5_digest_get_tickets(krb5_context context,
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_client_binding(krb5_context context,
krb5_digest digest,
char **type,
@@ -785,7 +803,7 @@ krb5_digest_get_client_binding(krb5_context context,
if (*type == NULL || *binding == NULL) {
free(*type);
free(*binding);
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
} else {
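Review bot: On the out-of-memory path of krb5_digest_get_client_binding, `free(*type); free(*binding);` releases the buffers but leaves both out-parameters pointing at freed memory. A caller that ignores or mishandles the ENOMEM return and later frees or reads them would hit a double free or use-after-free. Adding `*type = NULL; *binding = NULL;` right after the two free() calls closes that off. The assignments to `*type` and `*binding` sit above this hunk, so confirm the reset does not conflict with them.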
@@ -795,7 +813,7 @@ krb5_digest_get_client_binding(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_session_key(krb5_context context,
krb5_digest digest,
krb5_data *data)
@@ -807,7 +825,7 @@ krb5_digest_get_session_key(krb5_context context,
return 0;
ret = der_copy_octet_string(digest->response.session_key, data);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
@@ -819,19 +837,19 @@ struct krb5_ntlm_data {
NTLMResponse response;
};
-krb5_error_code
-krb5_ntlm_alloc(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_alloc(krb5_context context,
krb5_ntlm *ntlm)
{
*ntlm = calloc(1, sizeof(**ntlm));
if (*ntlm == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_free(krb5_context context, krb5_ntlm ntlm)
{
free_NTLMInit(&ntlm->init);
@@ -844,8 +862,8 @@ krb5_ntlm_free(krb5_context context, krb5_ntlm ntlm)
}
-krb5_error_code
-krb5_ntlm_init_request(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_init_request(krb5_context context,
krb5_ntlm ntlm,
krb5_realm realm,
krb5_ccache ccache,
@@ -879,31 +897,33 @@ krb5_ntlm_init_request(krb5_context context,
goto out;
if (irep.element == choice_DigestRepInner_error) {
- krb5_set_error_string(context, "Digest init error: %s",
- irep.u.error.reason);
ret = irep.u.error.code;
+ krb5_set_error_message(context, ret, N_("Digest init error: %s", ""),
+ irep.u.error.reason);
goto out;
}
if (irep.element != choice_DigestRepInner_ntlmInitReply) {
- krb5_set_error_string(context, "ntlm reply not an initReply");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("ntlm reply not an initReply", ""));
goto out;
}
ret = copy_NTLMInitReply(&irep.u.ntlmInitReply, &ntlm->initReply);
if (ret) {
- krb5_set_error_string(context, "Failed to copy initReply");
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy initReply", ""));
goto out;
}
-out:
+ out:
free_DigestRepInner(&irep);
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_flags(krb5_context context,
krb5_ntlm ntlm,
uint32_t *flags)
@@ -912,7 +932,7 @@ krb5_ntlm_init_get_flags(krb5_context context,
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_challange(krb5_context context,
krb5_ntlm ntlm,
krb5_data *challange)
@@ -921,12 +941,12 @@ krb5_ntlm_init_get_challange(krb5_context context,
ret = der_copy_octet_string(&ntlm->initReply.challange, challange);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_opaque(krb5_context context,
krb5_ntlm ntlm,
krb5_data *opaque)
@@ -935,25 +955,25 @@ krb5_ntlm_init_get_opaque(krb5_context context,
ret = der_copy_octet_string(&ntlm->initReply.opaque, opaque);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_targetname(krb5_context context,
krb5_ntlm ntlm,
char **name)
{
*name = strdup(ntlm->initReply.targetname);
if (*name == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_targetinfo(krb5_context context,
krb5_ntlm ntlm,
krb5_data *data)
@@ -969,14 +989,14 @@ krb5_ntlm_init_get_targetinfo(krb5_context context,
ntlm->initReply.targetinfo->data,
ntlm->initReply.targetinfo->length);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_request(krb5_context context,
krb5_ntlm ntlm,
krb5_realm realm,
@@ -998,32 +1018,35 @@ krb5_ntlm_request(krb5_context context,
return ret;
if (irep.element == choice_DigestRepInner_error) {
- krb5_set_error_string(context, "NTLM response error: %s",
- irep.u.error.reason);
ret = irep.u.error.code;
+ krb5_set_error_message(context, ret,
+ N_("NTLM response error: %s", ""),
+ irep.u.error.reason);
goto out;
}
if (irep.element != choice_DigestRepInner_ntlmResponse) {
- krb5_set_error_string(context, "NTLM reply not an NTLMResponse");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("NTLM reply not an NTLMResponse", ""));
goto out;
}
ret = copy_NTLMResponse(&irep.u.ntlmResponse, &ntlm->response);
if (ret) {
- krb5_set_error_string(context, "Failed to copy NTLMResponse");
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy NTLMResponse", ""));
goto out;
}
-out:
+ out:
free_DigestRepInner(&irep);
return ret;
}
-krb5_error_code
-krb5_ntlm_req_set_flags(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_flags(krb5_context context,
krb5_ntlm ntlm,
uint32_t flags)
{
@@ -1031,40 +1054,40 @@ krb5_ntlm_req_set_flags(krb5_context context,
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_username(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_username(krb5_context context,
krb5_ntlm ntlm,
const char *username)
{
ntlm->request.username = strdup(username);
if (ntlm->request.username == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_targetname(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_targetname(krb5_context context,
krb5_ntlm ntlm,
const char *targetname)
{
ntlm->request.targetname = strdup(targetname);
if (ntlm->request.targetname == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_lm(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_lm(krb5_context context,
krb5_ntlm ntlm,
void *hash, size_t len)
{
ntlm->request.lm.data = malloc(len);
- if (ntlm->request.lm.data == NULL) {
- krb5_set_error_string(context, "out of memory");
+ if (ntlm->request.lm.data == NULL && len != 0) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ntlm->request.lm.length = len;
@@ -1072,14 +1095,14 @@ krb5_ntlm_req_set_lm(krb5_context context,
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_ntlm(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_ntlm(krb5_context context,
krb5_ntlm ntlm,
void *hash, size_t len)
{
ntlm->request.ntlm.data = malloc(len);
- if (ntlm->request.ntlm.data == NULL) {
- krb5_set_error_string(context, "out of memory");
+ if (ntlm->request.ntlm.data == NULL && len != 0) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ntlm->request.ntlm.length = len;
@@ -1087,14 +1110,14 @@ krb5_ntlm_req_set_ntlm(krb5_context context,
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_opaque(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_opaque(krb5_context context,
krb5_ntlm ntlm,
krb5_data *opaque)
{
ntlm->request.opaque.data = malloc(opaque->length);
- if (ntlm->request.opaque.data == NULL) {
- krb5_set_error_string(context, "out of memory");
+ if (ntlm->request.opaque.data == NULL && opaque->length != 0) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ntlm->request.opaque.length = opaque->length;
@@ -1102,19 +1125,19 @@ krb5_ntlm_req_set_opaque(krb5_context context,
return 0;
}
-krb5_error_code
-krb5_ntlm_req_set_session(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_req_set_session(krb5_context context,
krb5_ntlm ntlm,
void *sessionkey, size_t length)
{
ntlm->request.sessionkey = calloc(1, sizeof(*ntlm->request.sessionkey));
if (ntlm->request.sessionkey == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ntlm->request.sessionkey->data = malloc(length);
- if (ntlm->request.sessionkey->data == NULL) {
- krb5_set_error_string(context, "out of memory");
+ if (ntlm->request.sessionkey->data == NULL && length != 0) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(ntlm->request.sessionkey->data, sessionkey, length);
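Review bot: When the second allocation fails, krb5_ntlm_req_set_session returns ENOMEM but leaves the freshly calloc'ed struct attached to `ntlm->request.sessionkey` with no data, which later code may read as "a session key is present". Release it before the second `return ENOMEM;` with `free(ntlm->request.sessionkey); ntlm->request.sessionkey = NULL;`. The first assignment also overwrites any key set by an earlier call without freeing it. Whether that can happen depends on callers not visible here, but if it can, the old key bytes should be zeroed and freed first. The end of the function is outside this hunk.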
@@ -1122,23 +1145,24 @@ krb5_ntlm_req_set_session(krb5_context context,
return 0;
}
-krb5_boolean
-krb5_ntlm_rep_get_status(krb5_context context,
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_ntlm_rep_get_status(krb5_context context,
krb5_ntlm ntlm)
{
return ntlm->response.success ? TRUE : FALSE;
}
-krb5_error_code
-krb5_ntlm_rep_get_sessionkey(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ntlm_rep_get_sessionkey(krb5_context context,
krb5_ntlm ntlm,
krb5_data *data)
{
if (ntlm->response.sessionkey == NULL) {
- krb5_set_error_string(context, "no ntlm session key");
+ krb5_set_error_message(context, EINVAL,
+ N_("no ntlm session key", ""));
return EINVAL;
}
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return krb5_data_copy(data,
ntlm->response.sessionkey->data,
ntlm->response.sessionkey->length);
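Review bot: In krb5_ntlm_rep_get_sessionkey the error message is cleared and the result of `krb5_data_copy()` is returned directly, so a failed copy reaches the caller with a code but no message, unlike the setters above which set "malloc: out of memory". Capture the result and set the message on failure: `ret = krb5_data_copy(data, ...); if (ret) krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); return ret;`. A doc comment should also state that `data` receives a copy of the session key which the caller owns and must release. The closing brace of the function is outside this hunk.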
@@ -1157,7 +1181,7 @@ krb5_ntlm_rep_get_sessionkey(krb5_context context,
* @ingroup krb5_digest
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_probe(krb5_context context,
krb5_realm realm,
krb5_ccache ccache,
@@ -1178,22 +1202,24 @@ krb5_digest_probe(krb5_context context,
goto out;
if (irep.element == choice_DigestRepInner_error) {
- krb5_set_error_string(context, "Digest probe error: %s",
- irep.u.error.reason);
ret = irep.u.error.code;
+ krb5_set_error_message(context, ret, "Digest probe error: %s",
+ irep.u.error.reason);
goto out;
}
if (irep.element != choice_DigestRepInner_supportedMechs) {
- krb5_set_error_string(context, "Digest reply not an probe");
ret = EINVAL;
+ krb5_set_error_message(context, ret, "Digest reply not an probe");
goto out;
}
*flags = DigestTypes2int(irep.u.supportedMechs);
-out:
+ out:
free_DigestRepInner(&irep);
return ret;
}
+
+#endif /* HEIMDAL_SMALLER */
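Review bot: In krb5_digest_probe, `ret = irep.u.error.code;` takes the return value straight from the reply, so an error element carrying code 0 would make the function return success without `*flags` having been written. Nothing visible in this hunk rules that value out. Map it to a failure, for example `ret = irep.u.error.code ? irep.u.error.code : EINVAL;`, before calling `krb5_set_error_message`. The two new messages are also not wrapped in `N_()` as the other messages in this file are, and "not an probe" should read "not a probe". The start of the function is outside this hunk.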
diff --git a/crypto/heimdal/lib/krb5/doxygen.c b/crypto/heimdal/lib/krb5/doxygen.c
index b7c6f8fcfdd0..fec9a671930a 100644
--- a/crypto/heimdal/lib/krb5/doxygen.c
+++ b/crypto/heimdal/lib/krb5/doxygen.c
@@ -1,67 +1,700 @@
/*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 2007-2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id$");
/**
- *
+ *
*/
-/*! \mainpage Heimdal Kerberos 5 library
+/*! @mainpage Heimdal Kerberos 5 library
*
- * \section intro Introduction
+ * @section intro Introduction
*
* Heimdal libkrb5 library is a implementation of the Kerberos
* protocol.
- *
+ *
* Kerberos is a system for authenticating users and services on a
* network. It is built upon the assumption that the network is
* ``unsafe''. For example, data sent over the network can be
* eavesdropped and altered, and addresses can also be faked.
* Therefore they cannot be used for authentication purposes.
*
- * The project web page:\n
- * http://www.h5l.org/
+ *
+ * - @ref krb5_introduction
+ * - @ref krb5_principal_intro
+ * - @ref krb5_ccache_intro
+ * - @ref krb5_keytab_intro
+ *
+ * If you want to know more about the file formats that is used by
+ * Heimdal, please see: @ref krb5_fileformats
+ *
+ * The project web page: http://www.h5l.org/
*
*/
/** @defgroup krb5 Heimdal Kerberos 5 library */
/** @defgroup krb5_address Heimdal Kerberos 5 address functions */
+/** @defgroup krb5_principal Heimdal Kerberos 5 principal functions */
/** @defgroup krb5_ccache Heimdal Kerberos 5 credential cache functions */
+/** @defgroup krb5_crypto Heimdal Kerberos 5 cryptography functions */
/** @defgroup krb5_credential Heimdal Kerberos 5 credential handing functions */
/** @defgroup krb5_deprecated Heimdal Kerberos 5 deprecated functions */
/** @defgroup krb5_digest Heimdal Kerberos 5 digest service */
/** @defgroup krb5_error Heimdal Kerberos 5 error reporting functions */
+/** @defgroup krb5_keytab Heimdal Kerberos 5 keytab handling functions */
+/** @defgroup krb5_ticket Heimdal Kerberos 5 ticket functions */
+/** @defgroup krb5_pac Heimdal Kerberos 5 PAC handling functions */
/** @defgroup krb5_v4compat Heimdal Kerberos 4 compatiblity functions */
+/** @defgroup krb5_storage Heimdal Kerberos 5 storage functions */
/** @defgroup krb5_support Heimdal Kerberos 5 support functions */
+/** @defgroup krb5_auth Heimdal Kerberos 5 authentication functions */
+
+
+/**
+ * @page krb5_introduction Introduction to the Kerberos 5 API
+ * @section api_overview Kerberos 5 API Overview
+ *
+ * All functions are documented in manual pages. This section tries
+ * to give an overview of the major components used in Kerberos
+ * library, and point to where to look for a specific function.
+ *
+ * @subsection intro_krb5_context Kerberos context
+ *
+ * A kerberos context (krb5_context) holds all per thread state. All
+ * global variables that are context specific are stored in this
+ * structure, including default encryption types, credential cache
+ * (for example, a ticket file), and default realms.
+ *
+ * The internals of the structure should never be accessed directly,
+ * functions exist for extracting information.
+ *
+ * See the manual page for krb5_init_context() how to create a context
+ * and module @ref krb5 for more information about the functions.
+ *
+ * @subsection intro_krb5_auth_context Kerberos authentication context
+ *
+ * Kerberos authentication context (krb5_auth_context) holds all
+ * context related to an authenticated connection, in a similar way to
+ * the kerberos context that holds the context for the thread or
+ * process.
+ *
+ * The krb5_auth_context is used by various functions that are
+ * directly related to authentication between the
+ * server/client. Example of data that this structure contains are
+ * various flags, addresses of client and server, port numbers,
+ * keyblocks (and subkeys), sequence numbers, replay cache, and
+ * checksum types.
+ *
+ * @subsection intro_krb5_principal Kerberos principal
+ *
+ * The Kerberos principal is the structure that identifies a user or
+ * service in Kerberos. The structure that holds the principal is the
+ * krb5_principal. There are function to extract the realm and
+ * elements of the principal, but most applications have no reason to
+ * inspect the content of the structure.
+ *
+ * The are several ways to create a principal (with different degree of
+ * portability), and one way to free it.
+ *
+ * See also the page @ref krb5_principal_intro for more information and also
+ * module @ref krb5_principal.
+ *
+ * @subsection intro_krb5_ccache Credential cache
+ *
+ * A credential cache holds the tickets for a user. A given user can
+ * have several credential caches, one for each realm where the user
+ * have the initial tickets (the first krbtgt).
+ *
+ * The credential cache data can be stored internally in different
+ * way, each of them for different proposes. File credential (FILE)
+ * caches and processes based (KCM) caches are for permanent
+ * storage. While memory caches (MEMORY) are local caches to the local
+ * process.
+ *
+ * Caches are opened with krb5_cc_resolve() or created with
+ * krb5_cc_new_unique().
+ *
+ * If the cache needs to be opened again (using krb5_cc_resolve())
+ * krb5_cc_close() will close the handle, but not the remove the
+ * cache. krb5_cc_destroy() will zero out the cache, remove the cache
+ * so it can no longer be referenced.
+ *
+ * See also @ref krb5_ccache_intro and @ref krb5_ccache .
+ *
+ * @subsection intro_krb5_error_code Kerberos errors
+ *
+ * Kerberos errors are based on the com_err library. All error codes are
+ * 32-bit signed numbers, the first 24 bits define what subsystem the
+ * error originates from, and last 8 bits are 255 error codes within the
+ * library. Each error code have fixed string associated with it. For
+ * example, the error-code -1765328383 have the symbolic name
+ * KRB5KDC_ERR_NAME_EXP, and associated error string ``Client's entry in
+ * database has expired''.
+ *
+ * This is a great improvement compared to just getting one of the unix
+ * error-codes back. However, Heimdal have an extention to pass back
+ * customised errors messages. Instead of getting ``Key table entry not
+ * found'', the user might back ``failed to find
+ * host/host.example.com\@EXAMLE.COM(kvno 3) in keytab /etc/krb5.keytab
+ * (des-cbc-crc)''. This improves the chance that the user find the
+ * cause of the error so you should use the customised error message
+ * whenever it's available.
+ *
+ * See also module @ref krb5_error .
+ *
+ *
+ * @subsection intro_krb5_keytab Keytab management
+ *
+ * A keytab is a storage for locally stored keys. Heimdal includes keytab
+ * support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
+ * and for storing keys in memory.
+ *
+ * Keytabs are used for servers and long-running services.
+ *
+ * See also @ref krb5_keytab_intro and @ref krb5_keytab .
+ *
+ * @subsection intro_krb5_crypto Kerberos crypto
+ *
+ * Heimdal includes a implementation of the Kerberos crypto framework,
+ * all crypto operations. To create a crypto context call krb5_crypto_init().
+ *
+ * See also module @ref krb5_crypto .
+ *
+ * @section kerberos5_client Walkthrough of a sample Kerberos 5 client
+ *
+ * This example contains parts of a sample TCP Kerberos 5 clients, if you
+ * want a real working client, please look in appl/test directory in
+ * the Heimdal distribution.
+ *
+ * All Kerberos error-codes that are returned from kerberos functions in
+ * this program are passed to krb5_err, that will print a
+ * descriptive text of the error code and exit. Graphical programs can
+ * convert error-code to a human readable error-string with the
+ * krb5_get_error_message() function.
+ *
+ * Note that you should not use any Kerberos function before
+ * krb5_init_context() have completed successfully. That is the
+ * reason err() is used when krb5_init_context() fails.
+ *
+ * First the client needs to call krb5_init_context to initialise
+ * the Kerberos 5 library. This is only needed once per thread
+ * in the program. If the function returns a non-zero value it indicates
+ * that either the Kerberos implementation is failing or it's disabled on
+ * this host.
+ *
+ * @code
+ * #include <krb5.h>
+ *
+ * int
+ * main(int argc, char **argv)
+ * {
+ * krb5_context context;
+ *
+ * if (krb5_init_context(&context))
+ * errx (1, "krb5_context");
+ * @endcode
+ *
+ * Now the client wants to connect to the host at the other end. The
+ * preferred way of doing this is using getaddrinfo (for
+ * operating system that have this function implemented), since getaddrinfo
+ * is neutral to the address type and can use any protocol that is available.
+ *
+ * @code
+ * struct addrinfo *ai, *a;
+ * struct addrinfo hints;
+ * int error;
+ *
+ * memset (&hints, 0, sizeof(hints));
+ * hints.ai_socktype = SOCK_STREAM;
+ * hints.ai_protocol = IPPROTO_TCP;
+ *
+ * error = getaddrinfo (hostname, "pop3", &hints, &ai);
+ * if (error)
+ * errx (1, "%s: %s", hostname, gai_strerror(error));
+ *
+ * for (a = ai; a != NULL; a = a->ai_next) {
+ * int s;
+ *
+ * s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+ * if (s < 0)
+ * continue;
+ * if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+ * warn ("connect(%s)", hostname);
+ * close (s);
+ * continue;
+ * }
+ * freeaddrinfo (ai);
+ * ai = NULL;
+ * }
+ * if (ai) {
+ * freeaddrinfo (ai);
+ * errx ("failed to contact %s", hostname);
+ * }
+ * @endcode
+ *
+ * Before authenticating, an authentication context needs to be
+ * created. This context keeps all information for one (to be) authenticated
+ * connection (see krb5_auth_context).
+ *
+ * @code
+ * status = krb5_auth_con_init (context, &auth_context);
+ * if (status)
+ * krb5_err (context, 1, status, "krb5_auth_con_init");
+ * @endcode
+ *
+ * For setting the address in the authentication there is a help function
+ * krb5_auth_con_setaddrs_from_fd() that does everything that is needed
+ * when given a connected file descriptor to the socket.
+ *
+ * @code
+ * status = krb5_auth_con_setaddrs_from_fd (context,
+ * auth_context,
+ * &sock);
+ * if (status)
+ * krb5_err (context, 1, status,
+ * "krb5_auth_con_setaddrs_from_fd");
+ * @endcode
+ *
+ * The next step is to build a server principal for the service we want
+ * to connect to. (See also krb5_sname_to_principal().)
+ *
+ * @code
+ * status = krb5_sname_to_principal (context,
+ * hostname,
+ * service,
+ * KRB5_NT_SRV_HST,
+ * &server);
+ * if (status)
+ * krb5_err (context, 1, status, "krb5_sname_to_principal");
+ * @endcode
+ *
+ * The client principal is not passed to krb5_sendauth()
+ * function, this causes the krb5_sendauth() function to try to figure it
+ * out itself.
+ *
+ * The server program is using the function krb5_recvauth() to
+ * receive the Kerberos 5 authenticator.
+ *
+ * In this case, mutual authentication will be tried. That means that the server
+ * will authenticate to the client. Using mutual authentication
+ * is good since it enables the user to verify that they are talking to the
+ * right server (a server that knows the key).
+ *
+ * If you are using a non-blocking socket you will need to do all work of
+ * krb5_sendauth() yourself. Basically you need to send over the
+ * authenticator from krb5_mk_req() and, in case of mutual
+ * authentication, verifying the result from the server with
+ * krb5_rd_rep().
+ *
+ * @code
+ * status = krb5_sendauth (context,
+ * &auth_context,
+ * &sock,
+ * VERSION,
+ * NULL,
+ * server,
+ * AP_OPTS_MUTUAL_REQUIRED,
+ * NULL,
+ * NULL,
+ * NULL,
+ * NULL,
+ * NULL,
+ * NULL);
+ * if (status)
+ * krb5_err (context, 1, status, "krb5_sendauth");
+ * @endcode
+ *
+ * Once authentication has been performed, it is time to send some
+ * data. First we create a krb5_data structure, then we sign it with
+ * krb5_mk_safe() using the auth_context that contains the
+ * session-key that was exchanged in the
+ * krb5_sendauth()/krb5_recvauth() authentication
+ * sequence.
+ *
+ * @code
+ * data.data = "hej";
+ * data.length = 3;
+ *
+ * krb5_data_zero (&packet);
+ *
+ * status = krb5_mk_safe (context,
+ * auth_context,
+ * &data,
+ * &packet,
+ * NULL);
+ * if (status)
+ * krb5_err (context, 1, status, "krb5_mk_safe");
+ * @endcode
+ *
+ * And send it over the network.
+ *
+ * @code
+ * len = packet.length;
+ * net_len = htonl(len);
+ *
+ * if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+ * err (1, "krb5_net_write");
+ * if (krb5_net_write (context, &sock, packet.data, len) != len)
+ * err (1, "krb5_net_write");
+ * @endcode
+ *
+ * To send encrypted (and signed) data krb5_mk_priv() should be
+ * used instead. krb5_mk_priv() works the same way as
+ * krb5_mk_safe(), with the exception that it encrypts the data
+ * in addition to signing it.
+ *
+ * @code
+ * data.data = "hemligt";
+ * data.length = 7;
+ *
+ * krb5_data_free (&packet);
+ *
+ * status = krb5_mk_priv (context,
+ * auth_context,
+ * &data,
+ * &packet,
+ * NULL);
+ * if (status)
+ * krb5_err (context, 1, status, "krb5_mk_priv");
+ * @endcode
+ *
+ * And send it over the network.
+ *
+ * @code
+ * len = packet.length;
+ * net_len = htonl(len);
+ *
+ * if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+ * err (1, "krb5_net_write");
+ * if (krb5_net_write (context, &sock, packet.data, len) != len)
+ * err (1, "krb5_net_write");
+ *
+ * @endcode
+ *
+ * The server is using krb5_rd_safe() and
+ * krb5_rd_priv() to verify the signature and decrypt the packet.
+ *
+ * @section intro_krb5_verify_user Validating a password in an application
+ *
+ * See the manual page for krb5_verify_user().
+ *
+ * @section mit_differences API differences to MIT Kerberos
+ *
+ * This section is somewhat disorganised, but so far there is no overall
+ * structure to the differences, though some of the have their root in
+ * that Heimdal uses an ASN.1 compiler and MIT doesn't.
+ *
+ * @subsection mit_krb5_principal Principal and realms
+ *
+ * Heimdal stores the realm as a krb5_realm, that is a char *.
+ * MIT Kerberos uses a krb5_data to store a realm.
+ *
+ * In Heimdal krb5_principal doesn't contain the component
+ * name_type; it's instead stored in component
+ * name.name_type. To get and set the nametype in Heimdal, use
+ * krb5_principal_get_type() and
+ * krb5_principal_set_type().
+ *
+ * For more information about principal and realms, see
+ * krb5_principal.
+ *
+ * @subsection mit_krb5_error_code Error messages
+ *
+ * To get the error string, Heimdal uses
+ * krb5_get_error_message(). This is to return custom error messages
+ * (like ``Can't find host/datan.example.com\@CODE.COM in
+ * /etc/krb5.conf.'' instead of a ``Key table entry not found'' that
+ * error_message returns.
+ *
+ * Heimdal uses a threadsafe(r) version of the com_err interface; the
+ * global com_err table isn't initialised. Then
+ * error_message returns quite a boring error string (just
+ * the error code itself).
+ *
+ *
+ */
+
+/**
+ *
+ *
+ * @page krb5_fileformats File formats
+ *
+ * @section fileformats File formats
+ *
+ * This section documents the diffrent file formats that are used in
+ * Heimdal and other Kerberos implementations.
+ *
+ * @subsection file_keytab keytab
+ *
+ * The keytab binary format is not a standard format. The format has
+ * evolved and may continue to. It is however understood by several
+ * Kerberos implementations including Heimdal, MIT, Sun's Java ktab and
+ * are created by the ktpass.exe utility from Windows. So it has
+ * established itself as the defacto format for storing Kerberos keys.
+ *
+ * The following C-like structure definitions illustrate the MIT keytab
+ * file format. All values are in network byte order. All text is ASCII.
+ *
+ * @code
+ * keytab {
+ * uint16_t file_format_version; # 0x502
+ * keytab_entry entries[*];
+ * };
+ *
+ * keytab_entry {
+ * int32_t size;
+ * uint16_t num_components; # subtract 1 if version 0x501
+ * counted_octet_string realm;
+ * counted_octet_string components[num_components];
+ * uint32_t name_type; # not present if version 0x501
+ * uint32_t timestamp;
+ * uint8_t vno8;
+ * keyblock key;
+ * uint32_t vno; #only present if >= 4 bytes left in entry
+ * uint32_t flags; #only present if >= 4 bytes left in entry
+ * };
+ *
+ * counted_octet_string {
+ * uint16_t length;
+ * uint8_t data[length];
+ * };
+ *
+ * keyblock {
+ * uint16_t type;
+ * counted_octet_string;
+ * };
+ * @endcode
+ *
+ * All numbers are stored in network byteorder (big endian) format.
+ *
+ * The keytab file format begins with the 16 bit file_format_version which
+ * at the time this document was authored is 0x502. The format of older
+ * keytabs is described at the end of this document.
+ *
+ * The file_format_version is immediately followed by an array of
+ * keytab_entry structures which are prefixed with a 32 bit size indicating
+ * the number of bytes that follow in the entry. Note that the size should be
+ * evaluated as signed. This is because a negative value indicates that the
+ * entry is in fact empty (e.g. it has been deleted) and that the negative
+ * value of that negative value (which is of course a positive value) is
+ * the offset to the next keytab_entry. Based on these size values alone
+ * the entire keytab file can be traversed.
+ *
+ * The size is followed by a 16 bit num_components field indicating the
+ * number of counted_octet_string components in the components array.
+ *
+ * The num_components field is followed by a counted_octet_string
+ * representing the realm of the principal.
+ *
+ * A counted_octet_string is simply an array of bytes prefixed with a 16
+ * bit length. For the realm and name components, the counted_octet_string
+ * bytes are ASCII encoded text with no zero terminator.
+ *
+ * Following the realm is the components array that represents the name of
+ * the principal. The text of these components may be joined with slashs
+ * to construct the typical SPN representation. For example, the service
+ * principal HTTP/www.foo.net\@FOO.NET would consist of name components
+ * "HTTP" followed by "www.foo.net".
+ *
+ * Following the components array is the 32 bit name_type (e.g. 1 is
+ * KRB5_NT_PRINCIPAL, 2 is KRB5_NT_SRV_INST, 5 is KRB5_NT_UID, etc). In
+ * practice the name_type is almost certainly 1 meaning KRB5_NT_PRINCIPAL.
+ *
+ * The 32 bit timestamp indicates the time the key was established for that
+ * principal. The value represents the number of seconds since Jan 1, 1970.
+ *
+ * The 8 bit vno8 field is the version number of the key. This value is
+ * overridden by the 32 bit vno field if it is present. The vno8 field is
+ * filled with the lower 8 bits of the 32 bit protocol kvno field.
+ *
+ * The keyblock structure consists of a 16 bit value indicating the
+ * encryption type and is a counted_octet_string containing the key. The
+ * encryption type is the same as the Kerberos standard (e.g. 3 is
+ * des-cbc-md5, 23 is arcfour-hmac-md5, etc).
+ *
+ * The last field of the keytab_entry structure is optional. If the size of
+ * the keytab_entry indicates that there are at least 4 bytes remaining,
+ * a 32 bit value representing the key version number is present. This
+ * value supersedes the 8 bit vno8 value preceeding the keyblock.
+ *
+ * Older keytabs with a file_format_version of 0x501 are different in
+ * three ways:
+ *
+ * - All integers are in host byte order [1].
+ * - The num_components field is 1 too large (i.e. after decoding, decrement by 1).
+ * - The 32 bit name_type field is not present.
+ *
+ * [1] The file_format_version field should really be treated as two
+ * separate 8 bit quantities representing the major and minor version
+ * number respectively.
+ *
+ * @subsection file_hdb_dump Heimdal database dump file
+ *
+ * Format of the Heimdal text dump file as of Heimdal 0.6.3:
+ *
+ * Each line in the dump file is one entry in the database.
+ *
+ * Each field of a line is separated by one or more spaces, with the
+ * exception of fields consisting of principals containing spaces, where
+ * space can be quoted with \ and \ is quoted by \.
+ *
+ * Fields and their types are:
+ *
+ * @code
+ * Quoted princial (quote character is \) [string]
+ * Keys [keys]
+ * Created by [event]
+ * Modified by [event optional]
+ * Valid start time [time optional]
+ * Valid end time [time optional]
+ * Password end valid time [time optional]
+ * Max lifetime of ticket [time optional]
+ * Max renew time of ticket [integer optional]
+ * Flags [hdb flags]
+ * Generation number [generation optional]
+ * Extensions [extentions optional]
+ * @endcode
+ *
+ * Fields following these silently are ignored.
+ *
+ * All optional fields will be skipped if they fail to parse (or comprise
+ * the optional field marker of "-", w/o quotes).
+ *
+ * Example:
+ *
+ * @code
+ * fred\@CODE.COM 27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:- 20020415130120:admin\@CODE.COM 20041221112428:fred\@CODE.COM - - - 86400 604800 126 20020415130120:793707:28 -
+ * @endcode
+ *
+ * Encoding of types are as follows:
+ *
+ * - keys
+ *
+ * @code
+ * kvno:[masterkvno:keytype:keydata:salt]{zero or more separated by :}
+ * @endcode
+ *
+ * kvno is the key version number.
+ *
+ * keydata is hex-encoded
+ *
+ * masterkvno is the kvno of the database master key. If this field is
+ * empty, the kadmin load and merge operations will encrypt the key data
+ * with the master key if there is one. Otherwise the key data will be
+ * imported asis.
+ *
+ * salt is encoded as "-" (no/default salt) or
+ *
+ * @code
+ * salt-type /
+ * salt-type / "string"
+ * salt-type / hex-encoded-data
+ * @endcode
+ *
+ * keytype is the protocol enctype number; see enum ENCTYPE in
+ * include/krb5_asn1.h for values.
+ *
+ * Example:
+ * @code
+ * 27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:-
+ * @endcode
+ *
+ *
+ * @code
+ * kvno=27,{key: masterkvno=1,keytype=des3-cbc-sha1,keydata=..., default salt}...
+ * @endcode
+ *
+ * - time
+ *
+ * Format of the time is: YYYYmmddHHMMSS, corresponding to strftime
+ * format "%Y%m%d%k%M%S".
+ *
+ * Time is expressed in UTC.
+ *
+ * Time can be optional (using -), when the time 0 is used.
+ *
+ * Example:
+ *
+ * @code
+ * 20041221112428
+ * @endcode
+ *
+ * - event
+ *
+ * @code
+ * time:principal
+ * @endcode
+ *
+ * time is as given in format time
+ *
+ * principal is a string. Not quoting it may not work in earlier
+ * versions of Heimdal.
+ *
+ * Example:
+ * @code
+ * 20041221112428:bloggs\@CODE.COM
+ * @endcode
+ *
+ * - hdb flags
+ *
+ * Integer encoding of HDB flags, see HDBFlags in lib/hdb/hdb.asn1. Each
+ * bit in the integer is the same as the bit in the specification.
+ *
+ * - generation:
+ *
+ * @code
+ * time:usec:gen
+ * @endcode
+ *
+ *
+ * usec is a the microsecond, integer.
+ * gen is generation number, integer.
+ *
+ * The generation can be defaulted (using '-') or the empty string
+ *
+ * - extensions:
+ *
+ * @code
+ * first-hex-encoded-HDB-Extension[:second-...]
+ * @endcode
+ *
+ * HDB-extension is encoded the DER encoded HDB-Extension from
+ * lib/hdb/hdb.asn1. Consumers HDB extensions should be aware that
+ * unknown entires needs to be preserved even thought the ASN.1 data
+ * content might be unknown. There is a critical flag in the data to show
+ * to the KDC that the entry MUST be understod if the entry is to be
+ * used.
+ *
+ *
+ */
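Review bot: The connection loop in the sample client under `@section kerberos5_client` keeps iterating after a successful `connect`. It calls `freeaddrinfo (ai)` and sets `ai = NULL`, but the `for` step then reads `a->ai_next` from the freed list, and the descriptor `s` is declared inside the loop body so it is lost. Readers copy this code, so the sample should declare the socket outside the loop, add `break;` after a successful connect, and free the list once after the loop. The failure path `errx ("failed to contact %s", hostname);` also lacks the exit status and should be `errx (1, "failed to contact %s", hostname);`. Later snippets use `&sock`, which the sample never declares or assigns.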
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
index 19315cea8678..ef11e370f443 100644
--- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: eai_to_heim_errno.c 22065 2007-11-11 16:41:06Z lha $");
+#include "krb5_locl.h"
/**
* Convert the getaddrinfo() error code to a Kerberos et error code.
@@ -46,7 +44,7 @@ RCSID("$Id: eai_to_heim_errno.c 22065 2007-11-11 16:41:06Z lha $");
* @ingroup krb5_error
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_eai_to_heim_errno(int eai_errno, int system_error)
{
switch(eai_errno) {
@@ -76,8 +74,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
return HEIM_EAI_SERVICE;
case EAI_SOCKTYPE:
return HEIM_EAI_SOCKTYPE;
+#ifdef EAI_SYSTEM
case EAI_SYSTEM:
return system_error;
+#endif
default:
return HEIM_EAI_UNKNOWN; /* XXX */
}
@@ -94,7 +94,7 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
* @ingroup krb5_error
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_errno_to_heim_errno(int eai_errno)
{
switch(eai_errno) {
diff --git a/crypto/heimdal/lib/krb5/error_string.c b/crypto/heimdal/lib/krb5/error_string.c
index ff6e98a3dcaf..1bfbad0bfb05 100644
--- a/crypto/heimdal/lib/krb5/error_string.c
+++ b/crypto/heimdal/lib/krb5/error_string.c
@@ -1,91 +1,196 @@
/*
- * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: error_string.c 22142 2007-12-04 16:56:02Z lha $");
-
#undef __attribute__
-#define __attribute__(X)
+#define __attribute__(x)
-void KRB5_LIB_FUNCTION
-krb5_free_error_string(krb5_context context, char *str)
+/**
+ * Clears the error message from the Kerberos 5 context.
+ *
+ * @param context The Kerberos 5 context to clear
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_clear_error_message(krb5_context context)
{
HEIMDAL_MUTEX_lock(context->mutex);
- if (str != context->error_buf)
- free(str);
+ if (context->error_string)
+ free(context->error_string);
+ context->error_code = 0;
+ context->error_string = NULL;
HEIMDAL_MUTEX_unlock(context->mutex);
}
-void KRB5_LIB_FUNCTION
-krb5_clear_error_string(krb5_context context)
+/**
+ * Set the context full error string for a specific error code.
+ * The error that is stored should be internationalized.
+ *
+ * The if context is NULL, no error string is stored.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param ... printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_set_error_message(krb5_context context, krb5_error_code ret,
+ const char *fmt, ...)
+ __attribute__ ((format (printf, 3, 4)))
{
+ va_list ap;
+
+ va_start(ap, fmt);
+ krb5_vset_error_message (context, ret, fmt, ap);
+ va_end(ap);
+}
+
+/**
+ * Set the context full error string for a specific error code.
+ *
+ * The if context is NULL, no error string is stored.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param args printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_vset_error_message (krb5_context context, krb5_error_code ret,
+ const char *fmt, va_list args)
+ __attribute__ ((format (printf, 3, 0)))
+{
+ int r;
+
+ if (context == NULL)
+ return;
+
HEIMDAL_MUTEX_lock(context->mutex);
- if (context->error_string != NULL
- && context->error_string != context->error_buf)
+ if (context->error_string) {
free(context->error_string);
- context->error_string = NULL;
+ context->error_string = NULL;
+ }
+ context->error_code = ret;
+ r = vasprintf(&context->error_string, fmt, args);
+ if (r < 0)
+ context->error_string = NULL;
HEIMDAL_MUTEX_unlock(context->mutex);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_set_error_string(krb5_context context, const char *fmt, ...)
- __attribute__((format (printf, 2, 3)))
+/**
+ * Prepend the context full error string for a specific error code.
+ * The error that is stored should be internationalized.
+ *
+ * The if context is NULL, no error string is stored.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param ... printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_prepend_error_message(krb5_context context, krb5_error_code ret,
+ const char *fmt, ...)
+ __attribute__ ((format (printf, 3, 4)))
{
- krb5_error_code ret;
va_list ap;
va_start(ap, fmt);
- ret = krb5_vset_error_string (context, fmt, ap);
+ krb5_vprepend_error_message(context, ret, fmt, ap);
va_end(ap);
- return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
- __attribute__ ((format (printf, 2, 0)))
+/**
+ * Prepend the contexts's full error string for a specific error code.
+ *
+ * The if context is NULL, no error string is stored.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param args printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
+ const char *fmt, va_list args)
+ __attribute__ ((format (printf, 3, 0)))
{
- krb5_clear_error_string(context);
+ char *str = NULL, *str2 = NULL;
+
+ if (context == NULL)
+ return;
+
HEIMDAL_MUTEX_lock(context->mutex);
- vasprintf(&context->error_string, fmt, args);
- if(context->error_string == NULL) {
- vsnprintf (context->error_buf, sizeof(context->error_buf), fmt, args);
- context->error_string = context->error_buf;
+ if (context->error_code != ret) {
+ HEIMDAL_MUTEX_unlock(context->mutex);
+ return;
+ }
+ if (vasprintf(&str, fmt, args) < 0 || str == NULL) {
+ HEIMDAL_MUTEX_unlock(context->mutex);
+ return;
}
+ if (context->error_string) {
+ int e;
+
+ e = asprintf(&str2, "%s: %s", str, context->error_string);
+ free(context->error_string);
+ if (e < 0 || str2 == NULL)
+ context->error_string = NULL;
+ else
+ context->error_string = str2;
+ free(str);
+ } else
+ context->error_string = str;
HEIMDAL_MUTEX_unlock(context->mutex);
- return 0;
}
+
/**
* Return the error message in context. On error or no error string,
* the function returns NULL.
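Review bot: `krb5_clear_error_message()` locks `context->mutex` without checking `context`, while `krb5_vset_error_message()` and `krb5_vprepend_error_message()`, added in the same hunk, both return early when `context == NULL`. A caller that clears the error on a path where context initialisation failed would dereference NULL here, even though the setters tolerate that case. Adding `if (context == NULL) return;` before the `HEIMDAL_MUTEX_lock` call would make the three functions agree. The setters' doc comments also read "The if context is NULL"; "If the context is NULL" is presumably what was meant.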
@@ -93,12 +198,12 @@ krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
* @param context Kerberos 5 context
*
* @return an error string, needs to be freed with
- * krb5_free_error_string(). The functions return NULL on error.
+ * krb5_free_error_message(). The functions return NULL on error.
*
* @ingroup krb5_error
*/
-char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
krb5_get_error_string(krb5_context context)
{
char *ret = NULL;
@@ -110,7 +215,7 @@ krb5_get_error_string(krb5_context context)
return ret;
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_have_error_string(krb5_context context)
{
char *str;
@@ -121,35 +226,117 @@ krb5_have_error_string(krb5_context context)
}
/**
- * Return the error message for `code' in context. On error the
- * function returns NULL.
+ * Return the error message for `code' in context. On memory
+ * allocation error the function returns NULL.
*
* @param context Kerberos 5 context
* @param code Error code related to the error
*
* @return an error string, needs to be freed with
- * krb5_free_error_string(). The functions return NULL on error.
+ * krb5_free_error_message(). The functions return NULL on error.
*
* @ingroup krb5_error
*/
-char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_message(krb5_context context, krb5_error_code code)
{
- const char *cstr;
- char *str;
+ char *str = NULL;
+ const char *cstr = NULL;
+ char buf[128];
+ int free_context = 0;
+
+ if (code == 0)
+ return strdup("Success");
+
+ /*
+ * The MIT version of this function ignores the krb5_context
+ * and several widely deployed applications call krb5_get_error_message()
+ * with a NULL context in order to translate an error code as a
+ * replacement for error_message(). Another reason a NULL context
+ * might be provided is if the krb5_init_context() call itself
+ * failed.
+ */
+ if (context)
+ {
+ HEIMDAL_MUTEX_lock(context->mutex);
+ if (context->error_string &&
+ (code == context->error_code || context->error_code == 0))
+ {
+ str = strdup(context->error_string);
+ }
+ HEIMDAL_MUTEX_unlock(context->mutex);
+
+ if (str)
+ return str;
+ }
+ else
+ {
+ if (krb5_init_context(&context) == 0)
+ free_context = 1;
+ }
+
+ if (context)
+ cstr = com_right_r(context->et_list, code, buf, sizeof(buf));
+
+ if (free_context)
+ krb5_free_context(context);
- str = krb5_get_error_string(context);
- if (str)
- return str;
+ if (cstr)
+ return strdup(cstr);
- cstr = krb5_get_err_text(context, code);
+ cstr = error_message(code);
if (cstr)
- return strdup(cstr);
+ return strdup(cstr);
- if (asprintf(&str, "<unknown error: %d>", code) == -1)
+ if (asprintf(&str, "<unknown error: %d>", (int)code) == -1 || str == NULL)
return NULL;
return str;
}
+
+/**
+ * Free the error message returned by krb5_get_error_message().
+ *
+ * @param context Kerberos context
+ * @param msg error message to free, returned byg
+ * krb5_get_error_message().
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_error_message(krb5_context context, const char *msg)
+{
+ free(rk_UNCONST(msg));
+}
+
+
+/**
+ * Return the error string for the error code. The caller must not
+ * free the string.
+ *
+ * This function is deprecated since its not threadsafe.
+ *
+ * @param context Kerberos 5 context.
+ * @param code Kerberos error code.
+ *
+ * @return the error message matching code
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_get_err_text(krb5_context context, krb5_error_code code)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ const char *p = NULL;
+ if(context != NULL)
+ p = com_right(context->et_list, code);
+ if(p == NULL)
+ p = strerror(code);
+ if (p == NULL)
+ p = "Unknown error";
+ return p;
+}
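Review bot: The deprecation attribute on `krb5_get_err_text()` still carries the placeholder text `"Use X instead"`, so the compiler warning gives callers no migration target. The doc comment says the function is deprecated because it is not thread-safe, and `krb5_get_error_message()` in this same hunk returns an allocated copy instead, so `KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")` looks like the intended text. The doc comment for `krb5_free_error_message()` also has a stray character in "returned byg".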
diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c
index 28e39afb42f7..7b638d5f0176 100644
--- a/crypto/heimdal/lib/krb5/expand_hostname.c
+++ b/crypto/heimdal/lib/krb5/expand_hostname.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: expand_hostname.c 22229 2007-12-08 21:40:59Z lha $");
-
static krb5_error_code
copy_hostname(krb5_context context,
const char *orig_hostname,
@@ -42,19 +40,30 @@ copy_hostname(krb5_context context,
{
*new_hostname = strdup (orig_hostname);
if (*new_hostname == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
strlwr (*new_hostname);
return 0;
}
-/*
- * Try to make `orig_hostname' into a more canonical one in the newly
- * allocated space returned in `new_hostname'.
+/**
+ * krb5_expand_hostname() tries to make orig_hostname into a more
+ * canonical one in the newly allocated space returned in
+ * new_hostname.
+
+ * @param context a Keberos context
+ * @param orig_hostname hostname to canonicalise.
+ * @param new_hostname output hostname, caller must free hostname with
+ * krb5_xfree().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_support
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_expand_hostname (krb5_context context,
const char *orig_hostname,
char **new_hostname)
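Review bot: The new Doxygen block for `krb5_expand_hostname()` has an empty line with no leading ` *` between the description and the first `@param`, and it spells the context parameter "a Keberos context". The same spelling recurs in the `krb5_expand_hostname_realms()` comment in the `@@ -112,12 +122,25 @@` hunk. I would write `* @param context a Kerberos context` in both places and restore the ` *` on the empty line so the comment stays one contiguous block. The body of `krb5_expand_hostname()` continues outside this hunk.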
@@ -76,7 +85,8 @@ krb5_expand_hostname (krb5_context context,
*new_hostname = strdup (a->ai_canonname);
freeaddrinfo (ai);
if (*new_hostname == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
} else {
return 0;
@@ -112,12 +122,25 @@ vanilla_hostname (krb5_context context,
return 0;
}
-/*
- * expand `hostname' to a name we believe to be a hostname in newly
- * allocated space in `host' and return realms in `realms'.
+/**
+ * krb5_expand_hostname_realms() expands orig_hostname to a name we
+ * believe to be a hostname in newly allocated space in new_hostname
+ * and return the realms new_hostname is believed to belong to in
+ * realms.
+ *
+ * @param context a Keberos context
+ * @param orig_hostname hostname to canonicalise.
+ * @param new_hostname output hostname, caller must free hostname with
+ * krb5_xfree().
+ * @param realms output possible realms, is an array that is terminated
+ * with NULL. Caller must free with krb5_free_host_realm().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_support
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_expand_hostname_realms (krb5_context context,
const char *orig_hostname,
char **new_hostname,
diff --git a/crypto/heimdal/lib/krb5/expand_path.c b/crypto/heimdal/lib/krb5/expand_path.c
new file mode 100644
index 000000000000..4c4898a79ea1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/expand_path.c
@@ -0,0 +1,500 @@
+
+/***********************************************************************
+ * Copyright (c) 2009, Secure Endpoints Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **********************************************************************/
+
+#include "krb5_locl.h"
+
+typedef int PTYPE;
+
+#ifdef _WIN32
+#include <shlobj.h>
+#include <sddl.h>
+
+/*
+ * Expand a %{TEMP} token
+ *
+ * The %{TEMP} token expands to the temporary path for the current
+ * user as returned by GetTempPath().
+ *
+ * @note: Since the GetTempPath() function relies on the TMP or TEMP
+ * environment variables, this function will failover to the system
+ * temporary directory until the user profile is loaded. In addition,
+ * the returned path may or may not exist.
+ */
+static int
+_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ TCHAR tpath[MAX_PATH];
+ size_t len;
+
+ if (!GetTempPath(sizeof(tpath)/sizeof(tpath[0]), tpath)) {
+ if (context)
+ krb5_set_error_message(context, EINVAL,
+ "Failed to get temporary path (GLE=%d)",
+ GetLastError());
+ return EINVAL;
+ }
+
+ len = strlen(tpath);
+
+ if (len > 0 && tpath[len - 1] == '\\')
+ tpath[len - 1] = '\0';
+
+ *ret = strdup(tpath);
+
+ if (*ret == NULL) {
+ if (context)
+ krb5_set_error_message(context, ENOMEM, "strdup - Out of memory");
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
+extern HINSTANCE _krb5_hInstance;
+
+/*
+ * Expand a %{BINDIR} token
+ *
+ * This is also used to expand a few other tokens on Windows, since
+ * most of the executable binaries end up in the same directory. The
+ * "bin" directory is considered to be the directory in which the
+ * krb5.dll is located.
+ */
+static int
+_expand_bin_dir(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ TCHAR path[MAX_PATH];
+ TCHAR *lastSlash;
+ DWORD nc;
+
+ nc = GetModuleFileName(_krb5_hInstance, path, sizeof(path)/sizeof(path[0]));
+ if (nc == 0 ||
+ nc == sizeof(path)/sizeof(path[0])) {
+ return EINVAL;
+ }
+
+ lastSlash = strrchr(path, '\\');
+ if (lastSlash != NULL) {
+ TCHAR *fslash = strrchr(lastSlash, '/');
+
+ if (fslash != NULL)
+ lastSlash = fslash;
+
+ *lastSlash = '\0';
+ }
+
+ if (postfix) {
+ if (strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
+ return EINVAL;
+ }
+
+ *ret = strdup(path);
+ if (*ret == NULL)
+ return ENOMEM;
+
+ return 0;
+}
+
+/*
+ * Expand a %{USERID} token
+ *
+ * The %{USERID} token expands to the string representation of the
+ * user's SID. The user account that will be used is the account
+ * corresponding to the current thread's security token. This means
+ * that:
+ *
+ * - If the current thread token has the anonymous impersonation
+ * level, the call will fail.
+ *
+ * - If the current thread is impersonating a token at
+ * SecurityIdentification level the call will fail.
+ *
+ */
+static int
+_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ int rv = EINVAL;
+ HANDLE hThread = NULL;
+ HANDLE hToken = NULL;
+ PTOKEN_OWNER pOwner = NULL;
+ DWORD len = 0;
+ LPTSTR strSid = NULL;
+
+ hThread = GetCurrentThread();
+
+ if (!OpenThreadToken(hThread, TOKEN_QUERY,
+ FALSE, /* Open the thread token as the
+ current thread user. */
+ &hToken)) {
+
+ DWORD le = GetLastError();
+
+ if (le == ERROR_NO_TOKEN) {
+ HANDLE hProcess = GetCurrentProcess();
+
+ le = 0;
+ if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
+ le = GetLastError();
+ }
+
+ if (le != 0) {
+ if (context)
+ krb5_set_error_message(context, rv,
+ "Can't open thread token (GLE=%d)", le);
+ goto _exit;
+ }
+ }
+
+ if (!GetTokenInformation(hToken, TokenOwner, NULL, 0, &len)) {
+ if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+ if (context)
+ krb5_set_error_message(context, rv,
+ "Unexpected error reading token information (GLE=%d)",
+ GetLastError());
+ goto _exit;
+ }
+
+ if (len == 0) {
+ if (context)
+ krb5_set_error_message(context, rv,
+ "GetTokenInformation() returned truncated buffer");
+ goto _exit;
+ }
+
+ pOwner = malloc(len);
+ if (pOwner == NULL) {
+ if (context)
+ krb5_set_error_message(context, rv, "Out of memory");
+ goto _exit;
+ }
+ } else {
+ if (context)
+ krb5_set_error_message(context, rv, "GetTokenInformation() returned truncated buffer");
+ goto _exit;
+ }
+
+ if (!GetTokenInformation(hToken, TokenOwner, pOwner, len, &len)) {
+ if (context)
+ krb5_set_error_message(context, rv, "GetTokenInformation() failed. GLE=%d", GetLastError());
+ goto _exit;
+ }
+
+ if (!ConvertSidToStringSid(pOwner->Owner, &strSid)) {
+ if (context)
+ krb5_set_error_message(context, rv, "Can't convert SID to string. GLE=%d", GetLastError());
+ goto _exit;
+ }
+
+ *ret = strdup(strSid);
+ if (*ret == NULL && context)
+ krb5_set_error_message(context, rv, "Out of memory");
+
+ rv = 0;
+
+ _exit:
+ if (hToken != NULL)
+ CloseHandle(hToken);
+
+ if (pOwner != NULL)
+ free (pOwner);
+
+ if (strSid != NULL)
+ LocalFree(strSid);
+
+ return rv;
+}
+
+/*
+ * Expand a folder identified by a CSIDL
+ */
+
+static int
+_expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **ret)
+{
+ TCHAR path[MAX_PATH];
+ size_t len;
+
+ if (SHGetFolderPath(NULL, folder, NULL, SHGFP_TYPE_CURRENT, path) != S_OK) {
+ if (context)
+ krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
+ return EINVAL;
+ }
+
+ len = strlen(path);
+
+ if (len > 0 && path[len - 1] == '\\')
+ path[len - 1] = '\0';
+
+ if (postfix &&
+ strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0])) {
+ return ENOMEM;
+ }
+
+ *ret = strdup(path);
+ if (*ret == NULL) {
+ if (context)
+ krb5_set_error_message(context, ENOMEM, "Out of memory");
+ return ENOMEM;
+ }
+ return 0;
+}
+
+#else
+
+static int
+_expand_path(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ *ret = strdup(postfix);
+ if (*ret == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
+ return ENOMEM;
+ }
+ return 0;
+}
+
+static int
+_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ const char *p = NULL;
+
+ if (issuid())
+ p = getenv("TEMP");
+ if (p)
+ *ret = strdup(p);
+ else
+ *ret = strdup("/tmp");
+ if (*ret == NULL)
+ return ENOMEM;
+ return 0;
+}
+
+static int
+_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **str)
+{
+ int ret = asprintf(str, "%ld", (unsigned long)getuid());
+ if (ret < 0 || *str == NULL)
+ return ENOMEM;
+ return 0;
+}
+
+
+#endif /* _WIN32 */
+
+/**
+ * Expand a %{null} token
+ *
+ * The expansion of a %{null} token is always the empty string.
+ */
+
+static int
+_expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret)
+{
+ *ret = strdup("");
+ if (*ret == NULL) {
+ if (context)
+ krb5_set_error_message(context, ENOMEM, "Out of memory");
+ return ENOMEM;
+ }
+ return 0;
+}
+
+
+static const struct token {
+ const char * tok;
+ int ftype;
+#define FTYPE_CSIDL 0
+#define FTYPE_SPECIAL 1
+
+ PTYPE param;
+ const char * postfix;
+
+ int (*exp_func)(krb5_context, PTYPE, const char *, char **);
+
+#define SPECIALP(f, P) FTYPE_SPECIAL, 0, P, f
+#define SPECIAL(f) SPECIALP(f, NULL)
+
+} tokens[] = {
+#ifdef _WIN32
+#define CSIDLP(C,P) FTYPE_CSIDL, C, P, _expand_csidl
+#define CSIDL(C) CSIDLP(C, NULL)
+
+ {"APPDATA", CSIDL(CSIDL_APPDATA)}, /* Roaming application data (for current user) */
+ {"COMMON_APPDATA", CSIDL(CSIDL_COMMON_APPDATA)}, /* Application data (all users) */
+ {"LOCAL_APPDATA", CSIDL(CSIDL_LOCAL_APPDATA)}, /* Local application data (for current user) */
+ {"SYSTEM", CSIDL(CSIDL_SYSTEM)}, /* Windows System folder (e.g. %WINDIR%\System32) */
+ {"WINDOWS", CSIDL(CSIDL_WINDOWS)}, /* Windows folder */
+ {"USERCONFIG", CSIDLP(CSIDL_APPDATA, "\\" PACKAGE)}, /* Per user Heimdal configuration file path */
+ {"COMMONCONFIG", CSIDLP(CSIDL_COMMON_APPDATA, "\\" PACKAGE)}, /* Common Heimdal configuration file path */
+ {"LIBDIR", SPECIAL(_expand_bin_dir)},
+ {"BINDIR", SPECIAL(_expand_bin_dir)},
+ {"LIBEXEC", SPECIAL(_expand_bin_dir)},
+ {"SBINDIR", SPECIAL(_expand_bin_dir)},
+#else
+ {"LIBDIR", FTYPE_SPECIAL, 0, LIBDIR, _expand_path},
+ {"BINDIR", FTYPE_SPECIAL, 0, BINDIR, _expand_path},
+ {"LIBEXEC", FTYPE_SPECIAL, 0, LIBEXECDIR, _expand_path},
+ {"SBINDIR", FTYPE_SPECIAL, 0, SBINDIR, _expand_path},
+#endif
+ {"TEMP", SPECIAL(_expand_temp_folder)},
+ {"USERID", SPECIAL(_expand_userid)},
+ {"uid", SPECIAL(_expand_userid)},
+ {"null", SPECIAL(_expand_null)}
+};
+
+static int
+_expand_token(krb5_context context,
+ const char *token,
+ const char *token_end,
+ char **ret)
+{
+ size_t i;
+
+ *ret = NULL;
+
+ if (token[0] != '%' || token[1] != '{' || token_end[0] != '}' ||
+ token_end - token <= 2) {
+ if (context)
+ krb5_set_error_message(context, EINVAL,"Invalid token.");
+ return EINVAL;
+ }
+
+ for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
+ if (!strncmp(token+2, tokens[i].tok, (token_end - token) - 2))
+ return tokens[i].exp_func(context, tokens[i].param,
+ tokens[i].postfix, ret);
+ }
+
+ if (context)
+ krb5_set_error_message(context, EINVAL, "Invalid token.");
+ return EINVAL;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_expand_path_tokens(krb5_context context,
+ const char *path_in,
+ char **ppath_out)
+{
+ char *tok_begin, *tok_end, *append;
+ const char *path_left;
+ size_t len = 0;
+
+ if (path_in == NULL || *path_in == '\0') {
+ *ppath_out = strdup("");
+ return 0;
+ }
+
+ *ppath_out = NULL;
+
+ for (path_left = path_in; path_left && *path_left; ) {
+
+ tok_begin = strstr(path_left, "%{");
+
+ if (tok_begin && tok_begin != path_left) {
+
+ append = malloc((tok_begin - path_left) + 1);
+ if (append) {
+ memcpy(append, path_left, tok_begin - path_left);
+ append[tok_begin - path_left] = '\0';
+ }
+ path_left = tok_begin;
+
+ } else if (tok_begin) {
+
+ tok_end = strchr(tok_begin, '}');
+ if (tok_end == NULL) {
+ if (*ppath_out)
+ free(*ppath_out);
+ *ppath_out = NULL;
+ if (context)
+ krb5_set_error_message(context, EINVAL, "variable missing }");
+ return EINVAL;
+ }
+
+ if (_expand_token(context, tok_begin, tok_end, &append)) {
+ if (*ppath_out)
+ free(*ppath_out);
+ *ppath_out = NULL;
+ return EINVAL;
+ }
+
+ path_left = tok_end + 1;
+ } else {
+
+ append = strdup(path_left);
+ path_left = NULL;
+
+ }
+
+ if (append == NULL) {
+
+ if (*ppath_out)
+ free(*ppath_out);
+ *ppath_out = NULL;
+ if (context)
+ krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
+ return ENOMEM;
+
+ }
+
+ {
+ size_t append_len = strlen(append);
+ char * new_str = realloc(*ppath_out, len + append_len + 1);
+
+ if (new_str == NULL) {
+ free(append);
+ if (*ppath_out)
+ free(*ppath_out);
+ *ppath_out = NULL;
+ if (context)
+ krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
+ return ENOMEM;
+ }
+
+ *ppath_out = new_str;
+ memcpy(*ppath_out + len, append, append_len + 1);
+ len = len + append_len;
+ free(append);
+ }
+ }
+
+#ifdef _WIN32
+ /* Also deal with slashes */
+ if (*ppath_out) {
+ char * c;
+ for (c = *ppath_out; *c; c++)
+ if (*c == '/')
+ *c = '\\';
+ }
+#endif
+
+ return 0;
+}
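Review bot: In the non-Windows `_expand_temp_folder()`, the test `if (issuid())` looks inverted. It reads `TEMP` from the environment only when the process is running set-id, which is the one case where the environment should not be trusted, and it ignores `TEMP` for ordinary processes. The guard should be `if (!issuid())`, so that a privileged binary always falls back to `/tmp`. Separately, `_expand_token()` compares with `strncmp(token+2, tokens[i].tok, (token_end - token) - 2)`, which accepts any prefix of a token name, so `%{T}` resolves as `TEMP`. Putting `strlen(tokens[i].tok) == (size_t)(token_end - token) - 2 &&` in front of the comparison would require an exact match. In the non-Windows `_expand_userid()`, `"%ld"` is paired with an `unsigned long` argument and should be `"%lu"`.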
diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c
index 3857b58bf675..731f2934146b 100644
--- a/crypto/heimdal/lib/krb5/fcache.c
+++ b/crypto/heimdal/lib/krb5/fcache.c
@@ -1,40 +1,40 @@
/*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: fcache.c 22522 2008-01-24 11:56:25Z lha $");
-
typedef struct krb5_fcache{
char *filename;
int version;
@@ -58,10 +58,13 @@ struct fcc_cursor {
#define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
-static const char*
+static const char* KRB5_CALLCONV
fcc_get_name(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return NULL;
+
return FILENAME(id);
}
@@ -90,17 +93,22 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive,
case 0:
break;
case EINVAL: /* filesystem doesn't support locking, let the user have it */
- ret = 0;
+ ret = 0;
break;
case EAGAIN:
- krb5_set_error_string(context, "timed out locking cache file %s",
- filename);
+ krb5_set_error_message(context, ret,
+ N_("timed out locking cache file %s", "file"),
+ filename);
break;
- default:
- krb5_set_error_string(context, "error locking cache file %s: %s",
- filename, strerror(ret));
+ default: {
+ char buf[128];
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret,
+ N_("error locking cache file %s: %s",
+ "file, error"), filename, buf);
break;
}
+ }
return ret;
}
@@ -124,42 +132,72 @@ _krb5_xunlock(krb5_context context, int fd)
case 0:
break;
case EINVAL: /* filesystem doesn't support locking, let the user have it */
- ret = 0;
+ ret = 0;
break;
- default:
- krb5_set_error_string(context,
- "Failed to unlock file: %s", strerror(ret));
+ default: {
+ char buf[128];
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret,
+ N_("Failed to unlock file: %s", ""), buf);
break;
}
+ }
return ret;
}
static krb5_error_code
+write_storage(krb5_context context, krb5_storage *sp, int fd)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ ssize_t sret;
+
+ ret = krb5_storage_to_data(sp, &data);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
+ }
+ sret = write(fd, data.data, data.length);
+ ret = (sret != (ssize_t)data.length);
+ krb5_data_free(&data);
+ if (ret) {
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ N_("Failed to write FILE credential data", ""));
+ return ret;
+ }
+ return 0;
+}
+
+
+static krb5_error_code KRB5_CALLCONV
fcc_lock(krb5_context context, krb5_ccache id,
int fd, krb5_boolean exclusive)
{
return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id));
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_unlock(krb5_context context, int fd)
{
return _krb5_xunlock(context, fd);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
{
krb5_fcache *f;
f = malloc(sizeof(*f));
if(f == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
f->filename = strdup(res);
if(f->filename == NULL){
free(f);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
f->version = 0;
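Review bot: write_storage() can return 0 after a short write, because a write() that returns fewer bytes than `data.length` does not set errno, yet the failure branch does `ret = errno;`. A stale errno left by an earlier call would give a misleading code instead. Separate the two cases and capture the value right after write(), before `krb5_data_free(&data)` runs: `ret = (sret < 0) ? errno : (sret != (ssize_t)data.length ? EIO : 0);`. fcc_resolve, at the end of this hunk, continues past the hunk.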
@@ -185,13 +223,17 @@ scrub_file (int fd)
return errno;
memset(buf, 0, sizeof(buf));
while(pos > 0) {
- ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+ ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos));
if (tmp < 0)
return errno;
pos -= tmp;
}
+#ifdef _MSC_VER
+ _commit (fd);
+#else
fsync (fd);
+#endif
return 0;
}
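Review bot: The result of `_commit (fd)` / `fsync (fd)` is discarded, so scrub_file() returns 0 even when the zero-filled blocks were never flushed, and the caller then treats the credential data as overwritten. Check both calls, e.g. `if (fsync(fd) < 0) return errno;` and the same for `_commit`. The start of scrub_file is outside this hunk.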
@@ -202,8 +244,8 @@ scrub_file (int fd)
* hardlink)
*/
-static krb5_error_code
-erase_file(const char *filename)
+krb5_error_code
+_krb5_erase_file(krb5_context context, const char *filename)
{
int fd;
struct stat sb1, sb2;
@@ -220,12 +262,20 @@ erase_file(const char *filename)
else
return errno;
}
+ rk_cloexec(fd);
+ ret = _krb5_xlock(context, fd, 1, filename);
+ if (ret) {
+ close(fd);
+ return ret;
+ }
if (unlink(filename) < 0) {
+ _krb5_xunlock(context, fd);
close (fd);
return errno;
}
ret = fstat (fd, &sb2);
if (ret < 0) {
+ _krb5_xunlock(context, fd);
close (fd);
return errno;
}
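Review bot: In the `unlink()` and `fstat()` failure branches, the added `_krb5_xunlock(context, fd)` now runs before `return errno;`. Both it and `close()` can overwrite errno, so the caller may receive the wrong code, or 0. Save the value first: `ret = errno; _krb5_xunlock(context, fd); close(fd); return ret;`. The function begins before this hunk and continues in the following ones.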
@@ -233,6 +283,7 @@ erase_file(const char *filename)
/* check if someone was playing with symlinks */
if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+ _krb5_xunlock(context, fd);
close (fd);
return EPERM;
}
@@ -240,43 +291,60 @@ erase_file(const char *filename)
/* there are still hard links to this file */
if (sb2.st_nlink != 0) {
+ _krb5_xunlock(context, fd);
close (fd);
return 0;
}
ret = scrub_file (fd);
+ if (ret) {
+ _krb5_xunlock(context, fd);
+ close(fd);
+ return ret;
+ }
+ ret = _krb5_xunlock(context, fd);
close (fd);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_gen_new(krb5_context context, krb5_ccache *id)
{
+ char *file = NULL, *exp_file = NULL;
+ krb5_error_code ret;
krb5_fcache *f;
int fd;
- char *file;
f = malloc(sizeof(*f));
if(f == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
- asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
- if(file == NULL) {
+ ret = asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
+ if(ret < 0 || file == NULL) {
free(f);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
- fd = mkstemp(file);
+ ret = _krb5_expand_path_tokens(context, file, &exp_file);
+ free(file);
+ if (ret)
+ return ret;
+
+ file = exp_file;
+
+ fd = mkstemp(exp_file);
if(fd < 0) {
- int ret = errno;
- krb5_set_error_string(context, "mkstemp %s", file);
+ int xret = errno;
+ krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file);
free(f);
- free(file);
- return ret;
+ free(exp_file);
+ return xret;
}
close(fd);
- f->filename = file;
+ f->filename = exp_file;
f->version = 0;
(*id)->data.data = f;
(*id)->data.length = sizeof(*f);
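Review bot: `f` is leaked when `_krb5_expand_path_tokens()` fails in fcc_gen_new, because the new `if (ret) return ret;` skips the `free(f)` that the neighbouring error paths perform. Use `if (ret) { free(f); return ret; }`. fcc_gen_new continues beyond the end of this hunk.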
@@ -302,13 +370,13 @@ storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
case KRB5_FCC_FVNO_4:
break;
default:
- krb5_abortx(context,
+ krb5_abortx(context,
"storage_set_flags called with bad vno (%x)", vno);
}
krb5_storage_set_flags(sp, flags);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_open(krb5_context context,
krb5_ccache id,
int *fd_ret,
@@ -318,16 +386,25 @@ fcc_open(krb5_context context,
krb5_boolean exclusive = ((flags | O_WRONLY) == flags ||
(flags | O_RDWR) == flags);
krb5_error_code ret;
- const char *filename = FILENAME(id);
+ const char *filename;
int fd;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ filename = FILENAME(id);
+
fd = open(filename, flags, mode);
if(fd < 0) {
+ char buf[128];
ret = errno;
- krb5_set_error_string(context, "open(%s): %s", filename,
- strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, N_("open(%s): %s", "file, error"),
+ filename, buf);
return ret;
}
-
+ rk_cloexec(fd);
+
if((ret = fcc_lock(context, id, fd, exclusive)) != 0) {
close(fd);
return ret;
@@ -336,7 +413,7 @@ fcc_open(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
@@ -344,16 +421,18 @@ fcc_initialize(krb5_context context,
krb5_fcache *f = FCACHE(id);
int ret = 0;
int fd;
- char *filename = f->filename;
- unlink (filename);
-
- ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+ if (f == NULL)
+ return krb5_einval(context, 2);
+
+ unlink (f->filename);
+
+ ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
return ret;
{
- krb5_storage *sp;
- sp = krb5_storage_from_fd(fd);
+ krb5_storage *sp;
+ sp = krb5_storage_emem();
krb5_storage_set_eof_code(sp, KRB5_CC_END);
if(context->fcache_vno != 0)
f->version = context->fcache_vno;
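Review bot: The pointer returned by `krb5_storage_emem()` is used without a NULL check in fcc_initialize, so an allocation failure would reach `krb5_storage_set_eof_code(sp, KRB5_CC_END)` with a null `sp`. The same pattern is added to fcc_store_cred in the `@@ -413,12 +502,13 @@` hunk. init_fcc in this file already tests its storage pointer with `if(sp == NULL)`; do the same here, e.g. `if (sp == NULL) { fcc_unlock(context, fd); close(fd); return KRB5_CC_NOMEM; }`. Both functions start before and end after their hunks.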
@@ -375,37 +454,47 @@ fcc_initialize(krb5_context context,
}
}
ret |= krb5_store_principal(sp, primary_principal);
-
+
+ ret |= write_storage(context, sp, fd);
+
krb5_storage_free(sp);
}
fcc_unlock(context, fd);
if (close(fd) < 0)
if (ret == 0) {
+ char buf[128];
ret = errno;
- krb5_set_error_string (context, "close %s: %s",
- FILENAME(id), strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message (context, ret, N_("close %s: %s", ""),
+ FILENAME(id), buf);
}
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_close(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
free (FILENAME(id));
krb5_data_free(&id->data);
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_destroy(krb5_context context,
krb5_ccache id)
{
- erase_file(FILENAME(id));
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ _krb5_erase_file(context, FILENAME(id));
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
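Review bot: `ret |= write_storage(context, sp, fd);` ORs two independent error codes together. If both `krb5_store_principal()` and the write fail, the caller receives a value that matches neither, and the message set by write_storage no longer corresponds to the returned code. fcc_store_cred in this commit uses the clearer form, which also avoids writing a partially built header after an earlier store failed: `if (ret == 0) ret = write_storage(context, sp, fd);`. fcc_initialize starts before this hunk.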
@@ -413,12 +502,13 @@ fcc_store_cred(krb5_context context,
int ret;
int fd;
- ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY, 0);
+ ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
{
krb5_storage *sp;
- sp = krb5_storage_from_fd(fd);
+
+ sp = krb5_storage_emem();
krb5_storage_set_eof_code(sp, KRB5_CC_END);
storage_set_flags(context, sp, FCACHE(id)->version);
if (!krb5_config_get_bool_default(context, NULL, TRUE,
@@ -427,15 +517,20 @@ fcc_store_cred(krb5_context context,
NULL))
krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER);
ret = krb5_store_creds(sp, creds);
+ if (ret == 0)
+ ret = write_storage(context, sp, fd);
krb5_storage_free(sp);
}
fcc_unlock(context, fd);
- if (close(fd) < 0)
+ if (close(fd) < 0) {
if (ret == 0) {
+ char buf[128];
+ rk_strerror_r(ret, buf, sizeof(buf));
ret = errno;
- krb5_set_error_string (context, "close %s: %s",
- FILENAME(id), strerror(ret));
+ krb5_set_error_message (context, ret, N_("close %s: %s", ""),
+ FILENAME(id), buf);
}
+ }
return ret;
}
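Review bot: In the `close(fd) < 0` branch, `rk_strerror_r(ret, buf, sizeof(buf));` runs while `ret` is still 0 and before `ret = errno;`. The message text therefore describes error 0 rather than the close failure, and the call may itself disturb errno. fcc_initialize has the correct order; swap the two lines so `ret = errno;` comes first, followed by `rk_strerror_r(ret, buf, sizeof(buf));`. fcc_store_cred begins before this hunk.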
@@ -443,20 +538,24 @@ static krb5_error_code
init_fcc (krb5_context context,
krb5_ccache id,
krb5_storage **ret_sp,
- int *ret_fd)
+ int *ret_fd,
+ krb5_deltat *kdc_offset)
{
int fd;
int8_t pvno, tag;
krb5_storage *sp;
krb5_error_code ret;
- ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0);
+ if (kdc_offset)
+ *kdc_offset = 0;
+
+ ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
-
+
sp = krb5_storage_from_fd(fd);
if(sp == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
@@ -464,25 +563,28 @@ init_fcc (krb5_context context,
ret = krb5_ret_int8(sp, &pvno);
if(ret != 0) {
if(ret == KRB5_CC_END) {
- krb5_set_error_string(context, "Empty credential cache file: %s",
- FILENAME(id));
ret = ENOENT;
+ krb5_set_error_message(context, ret,
+ N_("Empty credential cache file: %s", ""),
+ FILENAME(id));
} else
- krb5_set_error_string(context, "Error reading pvno in "
- "cache file: %s", FILENAME(id));
+ krb5_set_error_message(context, ret, N_("Error reading pvno "
+ "in cache file: %s", ""),
+ FILENAME(id));
goto out;
}
if(pvno != 5) {
- krb5_set_error_string(context, "Bad version number in credential "
- "cache file: %s", FILENAME(id));
ret = KRB5_CCACHE_BADVNO;
+ krb5_set_error_message(context, ret, N_("Bad version number in credential "
+ "cache file: %s", ""),
+ FILENAME(id));
goto out;
}
ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */
if(ret != 0) {
- krb5_set_error_string(context, "Error reading tag in "
- "cache file: %s", FILENAME(id));
ret = KRB5_CC_FORMAT;
+ krb5_set_error_message(context, ret, "Error reading tag in "
+ "cache file: %s", FILENAME(id));
goto out;
}
FCACHE(id)->version = tag;
@@ -494,8 +596,9 @@ init_fcc (krb5_context context,
ret = krb5_ret_int16 (sp, &length);
if(ret) {
ret = KRB5_CC_FORMAT;
- krb5_set_error_string(context, "Error reading tag length in "
- "cache file: %s", FILENAME(id));
+ krb5_set_error_message(context, ret,
+ N_("Error reading tag length in "
+ "cache file: %s", ""), FILENAME(id));
goto out;
}
while(length > 0) {
@@ -505,43 +608,49 @@ init_fcc (krb5_context context,
ret = krb5_ret_int16 (sp, &dtag);
if(ret) {
- krb5_set_error_string(context, "Error reading dtag in "
- "cache file: %s", FILENAME(id));
ret = KRB5_CC_FORMAT;
+ krb5_set_error_message(context, ret, N_("Error reading dtag in "
+ "cache file: %s", ""),
+ FILENAME(id));
goto out;
}
ret = krb5_ret_int16 (sp, &data_len);
if(ret) {
- krb5_set_error_string(context, "Error reading dlength in "
- "cache file: %s", FILENAME(id));
ret = KRB5_CC_FORMAT;
+ krb5_set_error_message(context, ret,
+ N_("Error reading dlength "
+ "in cache file: %s",""),
+ FILENAME(id));
goto out;
}
switch (dtag) {
- case FCC_TAG_DELTATIME :
- ret = krb5_ret_int32 (sp, &context->kdc_sec_offset);
- if(ret) {
- krb5_set_error_string(context, "Error reading kdc_sec in "
- "cache file: %s", FILENAME(id));
- ret = KRB5_CC_FORMAT;
- goto out;
- }
- ret = krb5_ret_int32 (sp, &context->kdc_usec_offset);
+ case FCC_TAG_DELTATIME : {
+ int32_t offset;
+
+ ret = krb5_ret_int32 (sp, &offset);
+ ret |= krb5_ret_int32 (sp, &context->kdc_usec_offset);
if(ret) {
- krb5_set_error_string(context, "Error reading kdc_usec in "
- "cache file: %s", FILENAME(id));
ret = KRB5_CC_FORMAT;
+ krb5_set_error_message(context, ret,
+ N_("Error reading kdc_sec in "
+ "cache file: %s", ""),
+ FILENAME(id));
goto out;
}
+ context->kdc_sec_offset = offset;
+ if (kdc_offset)
+ *kdc_offset = offset;
break;
+ }
default :
for (i = 0; i < data_len; ++i) {
ret = krb5_ret_int8 (sp, &dummy);
if(ret) {
- krb5_set_error_string(context, "Error reading unknown "
- "tag in cache file: %s",
- FILENAME(id));
ret = KRB5_CC_FORMAT;
+ krb5_set_error_message(context, ret,
+ N_("Error reading unknown "
+ "tag in cache file: %s", ""),
+ FILENAME(id));
goto out;
}
}
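Review bot: In the `FCC_TAG_DELTATIME` case the seconds value is staged in the local `offset`, but `krb5_ret_int32 (sp, &context->kdc_usec_offset)` still writes straight into the context. Because of the `ret |=`, that second read is attempted even when the first one failed, so a malformed cache file can change the context's usec offset although the function returns `KRB5_CC_FORMAT`. Read into a second local, e.g. `int32_t usec;`, and assign both context fields only after the `if(ret)` check. The error text also names only `kdc_sec` for either failure. init_fcc starts and ends outside this hunk.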
@@ -557,14 +666,15 @@ init_fcc (krb5_context context,
break;
default :
ret = KRB5_CCACHE_BADVNO;
- krb5_set_error_string(context, "Unknown version number (%d) in "
- "credential cache file: %s",
- (int)tag, FILENAME(id));
+ krb5_set_error_message(context, ret,
+ N_("Unknown version number (%d) in "
+ "credential cache file: %s", ""),
+ (int)tag, FILENAME(id));
goto out;
}
*ret_sp = sp;
*ret_fd = fd;
-
+
return 0;
out:
if(sp != NULL)
@@ -574,7 +684,7 @@ init_fcc (krb5_context context,
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
@@ -583,24 +693,24 @@ fcc_get_principal(krb5_context context,
int fd;
krb5_storage *sp;
- ret = init_fcc (context, id, &sp, &fd);
+ ret = init_fcc (context, id, &sp, &fd, NULL);
if (ret)
return ret;
ret = krb5_ret_principal(sp, principal);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
krb5_storage_free(sp);
fcc_unlock(context, fd);
close(fd);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor);
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_get_first (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -608,15 +718,18 @@ fcc_get_first (krb5_context context,
krb5_error_code ret;
krb5_principal principal;
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
*cursor = malloc(sizeof(struct fcc_cursor));
if (*cursor == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memset(*cursor, 0, sizeof(struct fcc_cursor));
- ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp,
- &FCC_CURSOR(*cursor)->fd);
+ ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp,
+ &FCC_CURSOR(*cursor)->fd, NULL);
if (ret) {
free(*cursor);
*cursor = NULL;
@@ -624,7 +737,7 @@ fcc_get_first (krb5_context context,
}
ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal);
if(ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
fcc_end_get(context, id, cursor);
return ret;
}
@@ -633,29 +746,43 @@ fcc_get_first (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_get_next (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor,
krb5_creds *creds)
{
krb5_error_code ret;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
return ret;
ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
{
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
krb5_storage_free(FCC_CURSOR(*cursor)->sp);
close (FCC_CURSOR(*cursor)->fd);
free(*cursor);
@@ -663,16 +790,21 @@ fcc_end_get (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
krb5_creds *cred)
{
krb5_error_code ret;
- krb5_ccache copy;
+ krb5_ccache copy, newfile;
+ char *newname = NULL;
+ int fd;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
- ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &copy);
+ ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &copy);
if (ret)
return ret;
@@ -688,49 +820,86 @@ fcc_remove_cred(krb5_context context,
return ret;
}
- fcc_destroy(context, id);
+ ret = asprintf(&newname, "FILE:%s.XXXXXX", FILENAME(id));
+ if (ret < 0 || newname == NULL) {
+ krb5_cc_destroy(context, copy);
+ return ENOMEM;
+ }
- ret = krb5_cc_copy_cache(context, copy, id);
+ fd = mkstemp(&newname[5]);
+ if (fd < 0) {
+ ret = errno;
+ krb5_cc_destroy(context, copy);
+ return ret;
+ }
+ close(fd);
+
+ ret = krb5_cc_resolve(context, newname, &newfile);
+ if (ret) {
+ unlink(&newname[5]);
+ free(newname);
+ krb5_cc_destroy(context, copy);
+ return ret;
+ }
+
+ ret = krb5_cc_copy_cache(context, copy, newfile);
krb5_cc_destroy(context, copy);
+ if (ret) {
+ free(newname);
+ krb5_cc_destroy(context, newfile);
+ return ret;
+ }
+
+ ret = rk_rename(&newname[5], FILENAME(id));
+ if (ret)
+ ret = errno;
+ free(newname);
+ krb5_cc_close(context, newfile);
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
return 0; /* XXX */
}
-static krb5_error_code
+static int KRB5_CALLCONV
fcc_get_version(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return -1;
+
return FCACHE(id)->version;
}
-
+
struct fcache_iter {
int first;
};
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
struct fcache_iter *iter;
iter = calloc(1, sizeof(*iter));
if (iter == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
- }
+ }
iter->first = 1;
*cursor = iter;
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct fcache_iter *iter = cursor;
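Review bot: When `rk_rename()` fails in fcc_remove_cred, the temporary `FILE:%s.XXXXXX` cache holding a full copy of the remaining credentials is left on disk, because that path ends with `krb5_cc_close(context, newfile)` rather than removing the file. Erase it on failure, before `free(newname)`: `if (ret) { ret = errno; _krb5_erase_file(context, &newname[5]); }`. Separately, the `mkstemp()` failure branch returns without `free(newname)`. The function begins in the previous hunk.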
@@ -738,47 +907,68 @@ fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
const char *fn;
char *expandedfn = NULL;
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
if (!iter->first) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_CC_END;
}
iter->first = 0;
fn = krb5_cc_default_name(context);
- if (strncasecmp(fn, "FILE:", 5) != 0) {
- ret = _krb5_expand_default_cc_name(context,
+ if (fn == NULL || strncasecmp(fn, "FILE:", 5) != 0) {
+ ret = _krb5_expand_default_cc_name(context,
KRB5_DEFAULT_CCNAME_FILE,
&expandedfn);
if (ret)
return ret;
+ fn = expandedfn;
+ }
+ /* check if file exists, don't return a non existant "next" */
+ if (strncasecmp(fn, "FILE:", 5) == 0) {
+ struct stat sb;
+ ret = stat(fn + 5, &sb);
+ if (ret) {
+ ret = KRB5_CC_END;
+ goto out;
+ }
}
ret = krb5_cc_resolve(context, fn, id);
+ out:
if (expandedfn)
free(expandedfn);
-
+
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
{
struct fcache_iter *iter = cursor;
+
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
free(iter);
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret = 0;
- ret = rename(FILENAME(from), FILENAME(to));
+ ret = rk_rename(FILENAME(from), FILENAME(to));
+
if (ret && errno != EXDEV) {
+ char buf[128];
ret = errno;
- krb5_set_error_string(context,
- "Rename of file from %s to %s failed: %s",
- FILENAME(from), FILENAME(to),
- strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret,
+ N_("Rename of file from %s "
+ "to %s failed: %s", ""),
+ FILENAME(from), FILENAME(to), buf);
return ret;
} else if (ret && errno == EXDEV) {
/* make a copy and delete the orignal */
@@ -786,14 +976,14 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
int fd1, fd2;
char buf[BUFSIZ];
- ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY, 0);
+ ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
unlink(FILENAME(to));
- ret = fcc_open(context, to, &fd2,
- O_WRONLY | O_CREAT | O_EXCL | O_BINARY, 0600);
+ ret = fcc_open(context, to, &fd2,
+ O_WRONLY | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
goto out1;
@@ -801,21 +991,19 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
sz2 = write(fd2, buf, sz1);
if (sz1 != sz2) {
ret = EIO;
- krb5_set_error_string(context,
- "Failed to write data from one file "
- "credential cache to the other");
+ krb5_set_error_message(context, ret,
+ N_("Failed to write data from one file "
+ "credential cache to the other", ""));
goto out2;
}
}
if (sz1 < 0) {
ret = EIO;
- krb5_set_error_string(context,
- "Failed to read data from one file "
- "credential cache to the other");
+ krb5_set_error_message(context, ret,
+ N_("Failed to read data from one file "
+ "credential cache to the other", ""));
goto out2;
}
- erase_file(FILENAME(from));
-
out2:
fcc_unlock(context, fd2);
close(fd2);
@@ -824,8 +1012,10 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
fcc_unlock(context, fd1);
close(fd1);
+ _krb5_erase_file(context, FILENAME(from));
+
if (ret) {
- erase_file(FILENAME(to));
+ _krb5_erase_file(context, FILENAME(to));
return ret;
}
}
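Review bot: `_krb5_erase_file(context, FILENAME(from));` now runs before the `if (ret)` check, so a failed cross-device copy appears to erase both the source and the destination cache, losing the credentials. The removed call sat before `out2:` and was reached only after a successful copy. Assuming the `goto out1` / `goto out2` paths land just above these lines, guard the call with `if (ret == 0) _krb5_erase_file(context, FILENAME(from));` or move it below the error check. fcc_move starts and ends outside this hunk.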
@@ -834,29 +1024,78 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_storage *sp;
int fd;
- ret = init_fcc (context, to, &sp, &fd);
- krb5_storage_free(sp);
- fcc_unlock(context, fd);
- close(fd);
- }
+ if ((ret = init_fcc (context, to, &sp, &fd, NULL)) == 0) {
+ if (sp)
+ krb5_storage_free(sp);
+ fcc_unlock(context, fd);
+ close(fd);
+ }
+ }
+
+ fcc_close(context, from);
+
return ret;
}
-static krb5_error_code
-fcc_default_name(krb5_context context, char **str)
+static krb5_error_code KRB5_CALLCONV
+fcc_get_default_name(krb5_context context, char **str)
{
- return _krb5_expand_default_cc_name(context,
+ return _krb5_expand_default_cc_name(context,
KRB5_DEFAULT_CCNAME_FILE,
str);
}
+static krb5_error_code KRB5_CALLCONV
+fcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
+ krb5_error_code ret;
+ struct stat sb;
+ int fd;
+
+ ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
+ if(ret)
+ return ret;
+ ret = fstat(fd, &sb);
+ close(fd);
+ if (ret) {
+ ret = errno;
+ krb5_set_error_message(context, ret, N_("Failed to stat cache file", ""));
+ return ret;
+ }
+ *mtime = sb.st_mtime;
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+fcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ int fd;
+ ret = init_fcc(context, id, &sp, &fd, kdc_offset);
+ if (sp)
+ krb5_storage_free(sp);
+ fcc_unlock(context, fd);
+ close(fd);
+
+ return ret;
+}
+
+
/**
* Variable containing the FILE based credential cache implemention.
*
* @ingroup krb5_ccache
*/
-const krb5_cc_ops krb5_fcc_ops = {
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops = {
+ KRB5_CC_OPS_VERSION,
"FILE",
fcc_get_name,
fcc_resolve,
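Review bot: fcc_get_kdc_offset calls `fcc_unlock(context, fd)` and `close(fd)` even when `init_fcc()` fails. init_fcc assigns `*ret_fd = fd;` only on its success path, so `fd` is uninitialized in that case and an unrelated descriptor may be unlocked and closed. Return early, as fcc_move does in this same hunk, by adding `if (ret) return ret;` right after the call and then freeing `sp`. In fcc_lastchange, `close(fd)` runs between `fstat()` and `ret = errno;`, so errno should be saved before the close.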
@@ -877,5 +1116,9 @@ const krb5_cc_ops krb5_fcc_ops = {
fcc_get_cache_next,
fcc_end_cache_get,
fcc_move,
- fcc_default_name
+ fcc_get_default_name,
+ NULL,
+ fcc_lastchange,
+ fcc_set_kdc_offset,
+ fcc_get_kdc_offset
};
diff --git a/crypto/heimdal/lib/krb5/free.c b/crypto/heimdal/lib/krb5/free.c
index 1b0bd05412f2..5bb33b443cb9 100644
--- a/crypto/heimdal/lib/krb5/free.c
+++ b/crypto/heimdal/lib/krb5/free.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 1999, 2004 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 1999, 2004 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: free.c 15175 2005-05-18 10:06:16Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
{
free_KDC_REP(&rep->kdc_rep);
@@ -45,7 +43,7 @@ krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_xfree (void *ptr)
{
free (ptr);
diff --git a/crypto/heimdal/lib/krb5/free_host_realm.c b/crypto/heimdal/lib/krb5/free_host_realm.c
index 6b13ce7d0e04..0932674e9bef 100644
--- a/crypto/heimdal/lib/krb5/free_host_realm.c
+++ b/crypto/heimdal/lib/krb5/free_host_realm.c
@@ -1,45 +1,50 @@
/*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: free_host_realm.c 13863 2004-05-25 21:46:46Z lha $");
-
-/*
+/**
* Free all memory allocated by `realmlist'
+ *
+ * @param context A Kerberos 5 context.
+ * @param realmlist realmlist to free, NULL is ok
+ *
+ * @return a Kerberos error code, always 0.
+ *
+ * @ingroup krb5_support
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_host_realm(krb5_context context,
krb5_realm *realmlist)
{
diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c
index 8a04f048c8c8..6001d6926138 100644
--- a/crypto/heimdal/lib/krb5/generate_seq_number.c
+++ b/crypto/heimdal/lib/krb5/generate_seq_number.c
@@ -1,62 +1,48 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: generate_seq_number.c 17442 2006-05-05 09:31:15Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_seq_number(krb5_context context,
const krb5_keyblock *key,
uint32_t *seqno)
{
- krb5_error_code ret;
- krb5_keyblock *subkey;
- uint32_t q;
- u_char *p;
- int i;
-
- ret = krb5_generate_subkey (context, key, &subkey);
- if (ret)
- return ret;
-
- q = 0;
- for (p = (u_char *)subkey->keyvalue.data, i = 0;
- i < subkey->keyvalue.length;
- ++i, ++p)
- q = (q << 8) | *p;
- q &= 0xffffffff;
- *seqno = q;
- krb5_free_keyblock (context, subkey);
+ if (RAND_bytes((void *)seqno, sizeof(*seqno)) <= 0)
+ krb5_abortx(context, "Failed to generate random block");
+ /* MIT used signed numbers, lets not stomp into that space directly */
+ *seqno &= 0x3fffffff;
+ if (*seqno == 0)
+ *seqno = 1;
return 0;
}
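Review bot: A failed `RAND_bytes()` call now ends the whole process through `krb5_abortx()`, although `krb5_generate_seq_number` returns a `krb5_error_code` and the old body could already return an error to its caller. Refusing to hand out a non-random sequence number is right, but a library would normally report the failure instead, e.g. `krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL, N_("Failed to generate random block", "")); return KRB5_CRYPTO_INTERNAL;`. The `key` parameter is no longer read, and the mask `0x3fffffff` clears the top two bits rather than only the sign bit. A comment such as `/* key is unused; seqno is 30 random bits and never 0 */` would record both.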
diff --git a/crypto/heimdal/lib/krb5/generate_subkey.c b/crypto/heimdal/lib/krb5/generate_subkey.c
index fb99cbbf3f74..e09dc2a91685 100644
--- a/crypto/heimdal/lib/krb5/generate_subkey.c
+++ b/crypto/heimdal/lib/krb5/generate_subkey.c
@@ -1,49 +1,52 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: generate_subkey.c 14455 2005-01-05 02:39:21Z lukeh $");
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_generate_subkey(krb5_context context,
- const krb5_keyblock *key,
- krb5_keyblock **subkey)
-{
- return krb5_generate_subkey_extended(context, key, key->keytype, subkey);
-}
+/**
+ * Generate subkey, from keyblock
+ *
+ * @param context kerberos context
+ * @param key session key
+ * @param etype encryption type of subkey, if ETYPE_NULL, use key's enctype
+ * @param subkey returned new, free with krb5_free_keyblock().
+ *
+ * @return 0 on success or a Kerberos 5 error code
+ *
+* @ingroup krb5_crypto
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_subkey_extended(krb5_context context,
const krb5_keyblock *key,
krb5_enctype etype,
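Review bot: The new Doxygen block has a line that breaks the comment layout: `* @ingroup krb5_crypto` starts in column 0 without the leading space. The line `@param subkey returned new, free with krb5_free_keyblock().` also reads unclearly, and I would write `@param subkey newly allocated subkey on success, free with krb5_free_keyblock()`. The hunk also drops the exported `krb5_generate_subkey()` wrapper. If it is not kept elsewhere, remaining callers have to switch to `krb5_generate_subkey_extended()` and pass `key->keytype` themselves, as the wrapper did. The body of `krb5_generate_subkey_extended` continues outside the hunk.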
@@ -53,7 +56,7 @@ krb5_generate_subkey_extended(krb5_context context,
ALLOC(*subkey, 1);
if (*subkey == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,N_("malloc: out of memory", ""));
return ENOMEM;
}
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c
index a7fd2ea84b1b..0e2bfcf66f94 100644
--- a/crypto/heimdal/lib/krb5/get_addrs.c
+++ b/crypto/heimdal/lib/krb5/get_addrs.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: get_addrs.c 13863 2004-05-25 21:46:46Z lha $");
-
#ifdef __osf__
/* hate */
struct rtentry;
@@ -54,20 +52,20 @@ gethostname_fallback (krb5_context context, krb5_addresses *res)
if (gethostname (hostname, sizeof(hostname))) {
ret = errno;
- krb5_set_error_string (context, "gethostname: %s", strerror(ret));
+ krb5_set_error_message(context, ret, "gethostname: %s", strerror(ret));
return ret;
}
hostent = roken_gethostbyname (hostname);
if (hostent == NULL) {
ret = errno;
- krb5_set_error_string (context, "gethostbyname %s: %s",
- hostname, strerror(ret));
+ krb5_set_error_message (context, ret, "gethostbyname %s: %s",
+ hostname, strerror(ret));
return ret;
}
res->len = 1;
res->val = malloc (sizeof(*res->val));
if (res->val == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
res->val[0].addr_type = hostent->h_addrtype;
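Review bot: The `roken_gethostbyname` failure branch still takes its error code from `errno`, and the converted `krb5_set_error_message` call now records that value as the error code too. Resolver lookups usually report failure through `h_errno`, so if `roken_gethostbyname` behaves like `gethostbyname`, `ret` may be stale or 0 here. With 0 the function returns success without filling `res`, and `strerror(ret)` prints an unrelated text. A guard such as `ret = errno ? errno : ENOENT;` (any non-zero fallback) keeps the failure visible. `gethostname_fallback` starts and ends outside this hunk.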
@@ -84,8 +82,8 @@ gethostname_fallback (krb5_context context, krb5_addresses *res)
}
enum {
- LOOP = 1, /* do include loopback interfaces */
- LOOP_IF_NONE = 2, /* include loopback if no other if's */
+ LOOP = 1, /* do include loopback addrs */
+ LOOP_IF_NONE = 2, /* include loopback addrs if no others */
EXTRA_ADDRESSES = 4, /* include extra addresses */
SCAN_INTERFACES = 8 /* scan interfaces for addresses */
};
@@ -100,15 +98,13 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
{
struct sockaddr sa_zero;
struct ifaddrs *ifa0, *ifa;
- krb5_error_code ret = ENXIO;
- int num, idx;
+ krb5_error_code ret = ENXIO;
+ unsigned int num, idx;
krb5_addresses ignore_addresses;
- res->val = NULL;
-
if (getifaddrs(&ifa0) == -1) {
ret = errno;
- krb5_set_error_string(context, "getifaddrs: %s", strerror(ret));
+ krb5_set_error_message(context, ret, "getifaddrs: %s", strerror(ret));
return (ret);
}
@@ -120,7 +116,7 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
if (num == 0) {
freeifaddrs(ifa0);
- krb5_set_error_string(context, "no addresses found");
+ krb5_set_error_message(context, ENXIO, N_("no addresses found", ""));
return (ENXIO);
}
@@ -136,8 +132,8 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
if (res->val == NULL) {
krb5_free_addresses(context, &ignore_addresses);
freeifaddrs(ifa0);
- krb5_set_error_string (context, "malloc: out of memory");
- return (ENOMEM);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
}
/* Now traverse the list. */
@@ -150,11 +146,9 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+ if (krb5_sockaddr_is_loopback(ifa->ifa_addr) && (flags & LOOP) == 0)
/* We'll deal with the LOOP_IF_NONE case later. */
- if ((flags & LOOP) == 0)
- continue;
- }
+ continue;
ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]);
if (ret) {
@@ -167,7 +161,7 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
continue;
}
/* possibly skip this address? */
- if((flags & EXTRA_ADDRESSES) &&
+ if((flags & EXTRA_ADDRESSES) &&
krb5_address_search(context, &res->val[idx], &ignore_addresses)) {
krb5_free_address(context, &res->val[idx]);
flags &= ~LOOP_IF_NONE; /* we actually found an address,
@@ -193,33 +187,32 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
-
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
- ret = krb5_sockaddr2address(context,
- ifa->ifa_addr, &res->val[idx]);
- if (ret) {
- /*
- * See comment above.
- */
- continue;
- }
- if((flags & EXTRA_ADDRESSES) &&
- krb5_address_search(context, &res->val[idx],
- &ignore_addresses)) {
- krb5_free_address(context, &res->val[idx]);
- continue;
- }
- idx++;
+ if (!krb5_sockaddr_is_loopback(ifa->ifa_addr))
+ continue;
+ if ((ifa->ifa_flags & IFF_LOOPBACK) == 0)
+ /* Presumably loopback addrs are only used on loopback ifs! */
+ continue;
+ ret = krb5_sockaddr2address(context,
+ ifa->ifa_addr, &res->val[idx]);
+ if (ret)
+ continue; /* We don't consider this failure fatal */
+ if((flags & EXTRA_ADDRESSES) &&
+ krb5_address_search(context, &res->val[idx],
+ &ignore_addresses)) {
+ krb5_free_address(context, &res->val[idx]);
+ continue;
}
+ idx++;
}
}
if (flags & EXTRA_ADDRESSES)
krb5_free_addresses(context, &ignore_addresses);
freeifaddrs(ifa0);
- if (ret)
+ if (ret) {
free(res->val);
- else
+ res->val = NULL;
+ } else
res->len = idx; /* Now a count. */
return (ret);
}
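Review bot: The conversion failure that the new comment calls non-fatal can still fail the whole call. `ret` keeps the error from `krb5_sockaddr2address` after `continue`, so when the last loopback entry is the one that fails, the final `if (ret)` frees `res->val` and returns the error even though earlier entries were stored. Clearing it at the skip, `if (ret) { ret = 0; continue; }`, ties the result to what was actually collected. The error branch also frees only the array; entries already filled below `idx` are not passed to `krb5_free_address`, which looks like a leak if they own memory. The first pass earlier in the function appears to follow the same pattern; `find_all_addresses` starts outside this hunk.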
@@ -229,13 +222,14 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
{
krb5_error_code ret = -1;
+ res->len = 0;
+ res->val = NULL;
+
if (flags & SCAN_INTERFACES) {
ret = find_all_addresses (context, res, flags);
if(ret || res->len == 0)
ret = gethostname_fallback (context, res);
} else {
- res->len = 0;
- res->val = NULL;
ret = 0;
}
@@ -268,7 +262,7 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
* Only include loopback address if there are no other.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
{
int flags = LOOP_IF_NONE | EXTRA_ADDRESSES;
@@ -284,7 +278,7 @@ krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
* If that fails, we return the address corresponding to `hostname'.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res)
{
return get_addrs_int (context, res, LOOP | SCAN_INTERFACES);
diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c
index ce0ec6d29283..e3bb23a2e9d7 100644
--- a/crypto/heimdal/lib/krb5/get_cred.c
+++ b/crypto/heimdal/lib/krb5/get_cred.c
@@ -1,39 +1,45 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
+#include <assert.h>
-RCSID("$Id: get_cred.c 21668 2007-07-22 11:28:05Z lha $");
+static krb5_error_code
+get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
+ krb5_ccache, krb5_creds *, krb5_principal,
+ Ticket *, krb5_creds **, krb5_creds ***);
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -41,16 +47,15 @@ RCSID("$Id: get_cred.c 21668 2007-07-22 11:28:05Z lha $");
*/
static krb5_error_code
-make_pa_tgs_req(krb5_context context,
+make_pa_tgs_req(krb5_context context,
krb5_auth_context ac,
KDC_REQ_BODY *body,
PA_DATA *padata,
- krb5_creds *creds,
- krb5_key_usage usage)
+ krb5_creds *creds)
{
u_char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_data in_data;
krb5_error_code ret;
@@ -65,8 +70,7 @@ make_pa_tgs_req(krb5_context context,
ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
&padata->padata_value,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
- usage
- /* KRB5_KU_TGS_REQ_AUTH */);
+ KRB5_KU_TGS_REQ_AUTH);
out:
free (buf);
if(ret)
@@ -83,10 +87,10 @@ static krb5_error_code
set_auth_data (krb5_context context,
KDC_REQ_BODY *req_body,
krb5_authdata *authdata,
- krb5_keyblock *key)
+ krb5_keyblock *subkey)
{
if(authdata->len) {
- size_t len, buf_size;
+ size_t len = 0, buf_size;
unsigned char *buf;
krb5_crypto crypto;
krb5_error_code ret;
@@ -101,20 +105,20 @@ set_auth_data (krb5_context context,
ALLOC(req_body->enc_authorization_data, 1);
if (req_body->enc_authorization_data == NULL) {
free (buf);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ ret = krb5_crypto_init(context, subkey, 0, &crypto);
if (ret) {
free (buf);
free (req_body->enc_authorization_data);
req_body->enc_authorization_data = NULL;
return ret;
}
- krb5_encrypt_EncryptedData(context,
+ krb5_encrypt_EncryptedData(context,
crypto,
- KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
- /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
+ KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
buf,
len,
0,
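Review bot: The result of `krb5_encrypt_EncryptedData` is discarded as far as this hunk shows: the call is a bare statement rather than `ret = ...`. If encrypting the authorization data fails, `req_body->enc_authorization_data` stays allocated but unfilled, and the TGS request would still be built with it. I would assign the result, `ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, ...);`, and on failure free `enc_authorization_data`, set it to NULL and return `ret`, as the `krb5_crypto_init` branch just above does. The end of the call and the cleanup after it lie outside this hunk.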
@@ -125,7 +129,7 @@ set_auth_data (krb5_context context,
req_body->enc_authorization_data = NULL;
}
return 0;
-}
+}
/*
* Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
@@ -144,9 +148,9 @@ init_tgs_req (krb5_context context,
unsigned nonce,
const METHOD_DATA *padata,
krb5_keyblock **subkey,
- TGS_REQ *t,
- krb5_key_usage usage)
+ TGS_REQ *t)
{
+ krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
memset(t, 0, sizeof(*t));
@@ -156,15 +160,17 @@ init_tgs_req (krb5_context context,
ALLOC_SEQ(&t->req_body.etype, 1);
if(t->req_body.etype.val == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto fail;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
- ret = krb5_init_etype(context,
- &t->req_body.etype.len,
- &t->req_body.etype.val,
- NULL);
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_TGS_REQUEST,
+ &t->req_body.etype.len,
+ &t->req_body.etype.val,
+ NULL);
}
if (ret)
goto fail;
@@ -176,7 +182,7 @@ init_tgs_req (krb5_context context,
ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
@@ -192,107 +198,83 @@ init_tgs_req (krb5_context context,
ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*t->req_body.till = in_creds->times.endtime;
-
+
t->req_body.nonce = nonce;
if(second_ticket){
ALLOC(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets->val == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto fail;
}
- ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
+ ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
if (ret)
goto fail;
}
ALLOC(t->padata, 1);
if (t->padata == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->padata, 1 + padata->len);
if (t->padata->val == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
{
- int i;
+ size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto fail;
}
}
}
- {
- krb5_auth_context ac;
- krb5_keyblock *key = NULL;
+ ret = krb5_auth_con_init(context, &ac);
+ if(ret)
+ goto fail;
- ret = krb5_auth_con_init(context, &ac);
- if(ret)
- goto fail;
+ ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
+ if (ret)
+ goto fail;
- if (krb5_config_get_bool_default(context, NULL, FALSE,
- "realms",
- krbtgt->server->realm,
- "tgs_require_subkey",
- NULL))
- {
- ret = krb5_generate_subkey (context, &krbtgt->session, &key);
- if (ret) {
- krb5_auth_con_free (context, ac);
- goto fail;
- }
+ ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
+ ac->local_subkey);
+ if (ret)
+ goto fail;
- ret = krb5_auth_con_setlocalsubkey(context, ac, key);
- if (ret) {
- if (key)
- krb5_free_keyblock (context, key);
- krb5_auth_con_free (context, ac);
- goto fail;
- }
- }
+ ret = make_pa_tgs_req(context,
+ ac,
+ &t->req_body,
+ &t->padata->val[0],
+ krbtgt);
+ if(ret)
+ goto fail;
- ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
- key ? key : &krbtgt->session);
- if (ret) {
- if (key)
- krb5_free_keyblock (context, key);
- krb5_auth_con_free (context, ac);
- goto fail;
- }
+ ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
+ if (ret)
+ goto fail;
- ret = make_pa_tgs_req(context,
- ac,
- &t->req_body,
- &t->padata->val[0],
- krbtgt,
- usage);
- if(ret) {
- if (key)
- krb5_free_keyblock (context, key);
- krb5_auth_con_free(context, ac);
- goto fail;
- }
- *subkey = key;
-
- krb5_auth_con_free(context, ac);
- }
fail:
+ if (ac)
+ krb5_auth_con_free(context, ac);
if (ret) {
t->req_body.addresses = NULL;
free_TGS_REQ (t);
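Review bot: The out parameter `*subkey` is written only by the final `krb5_auth_con_getlocalsubkey` call, so every earlier `goto fail` in this hunk returns with the caller's pointer untouched. Unless it is cleared in the part of `init_tgs_req` outside this hunk, a caller that frees `*subkey` on its error path depends on having initialised it. Adding `*subkey = NULL;` next to the existing `memset(t, 0, sizeof(*t));` makes the contract explicit. Separately, `set_auth_data` is given `ac->local_subkey` by direct field access while the same key is fetched through the accessor a few lines later. One of the two forms would be clearer, with a comment that the authorization data is encrypted under the freshly generated subkey.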
@@ -315,7 +297,7 @@ _krb5_get_krbtgt(krb5_context context,
if (ret)
return ret;
- ret = krb5_make_principal(context,
+ ret = krb5_make_principal(context,
&tmp_cred.server,
realm,
KRB5_TGS_NAME,
@@ -338,29 +320,27 @@ _krb5_get_krbtgt(krb5_context context,
}
/* DCE compatible decrypt proc */
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
decrypt_tkt_with_subkey (krb5_context context,
krb5_keyblock *key,
krb5_key_usage usage,
- krb5_const_pointer subkey,
+ krb5_const_pointer skey,
krb5_kdc_rep *dec_rep)
{
- krb5_error_code ret;
+ const krb5_keyblock *subkey = skey;
+ krb5_error_code ret = 0;
krb5_data data;
size_t size;
krb5_crypto crypto;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret)
- return ret;
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
- usage,
- &dec_rep->kdc_rep.enc_part,
- &data);
- krb5_crypto_destroy(context, crypto);
- if(ret && subkey){
- /* DCE compat -- try to decrypt with subkey */
+
+ assert(usage == 0);
+
+ krb5_data_zero(&data);
+
+ /*
+ * start out with trying with subkey if we have one
+ */
+ if (subkey) {
ret = krb5_crypto_init(context, subkey, 0, &crypto);
if (ret)
return ret;
@@ -369,37 +349,59 @@ decrypt_tkt_with_subkey (krb5_context context,
KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
&dec_rep->kdc_rep.enc_part,
&data);
+ /*
+ * If the is Windows 2000 DC, we need to retry with key usage
+ * 8 when doing ARCFOUR.
+ */
+ if (ret && subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+ ret = krb5_decrypt_EncryptedData(context,
+ crypto,
+ 8,
+ &dec_rep->kdc_rep.enc_part,
+ &data);
+ }
+ krb5_crypto_destroy(context, crypto);
+ }
+ if (subkey == NULL || ret) {
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret)
+ return ret;
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ KRB5_KU_TGS_REP_ENC_PART_SESSION,
+ &dec_rep->kdc_rep.enc_part,
+ &data);
krb5_crypto_destroy(context, crypto);
}
if (ret)
return ret;
-
- ret = krb5_decode_EncASRepPart(context,
- data.data,
+
+ ret = decode_EncASRepPart(data.data,
+ data.length,
+ &dec_rep->enc_part,
+ &size);
+ if (ret)
+ ret = decode_EncTGSRepPart(data.data,
data.length,
- &dec_rep->enc_part,
+ &dec_rep->enc_part,
&size);
if (ret)
- ret = krb5_decode_EncTGSRepPart(context,
- data.data,
- data.length,
- &dec_rep->enc_part,
- &size);
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode encpart in ticket", ""));
krb5_data_free (&data);
return ret;
}
static krb5_error_code
-get_cred_kdc_usage(krb5_context context,
- krb5_ccache id,
- krb5_kdc_flags flags,
- krb5_addresses *addresses,
- krb5_creds *in_creds,
- krb5_creds *krbtgt,
- krb5_principal impersonate_principal,
- Ticket *second_ticket,
- krb5_creds *out_creds,
- krb5_key_usage usage)
+get_cred_kdc(krb5_context context,
+ krb5_ccache id,
+ krb5_kdc_flags flags,
+ krb5_addresses *addresses,
+ krb5_creds *in_creds,
+ krb5_creds *krbtgt,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds *out_creds)
{
TGS_REQ req;
krb5_data enc;
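Review bot: The ARCFOUR retry in decrypt_tkt_with_subkey passes the bare literal `8` as the key usage, while the session-key branch just below names what appears to be the same usage as `KRB5_KU_TGS_REP_ENC_PART_SESSION`. Writing the retry argument as `KRB5_KU_TGS_REP_ENC_PART_SESSION, /* usage 8, but still with the subkey */` would make clear which usage is paired with which key. The comment above the retry reads "If the is Windows 2000 DC" and should read "If this is a Windows 2000 DC". The function starts in the previous hunk, where `assert(usage == 0)` is the only thing documenting that the `usage` parameter is now ignored. That assert is compiled out under NDEBUG, so a comment such as `/* usage is unused: key usages are chosen below */` would record the contract.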
@@ -409,10 +411,10 @@ get_cred_kdc_usage(krb5_context context,
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
- size_t len;
+ size_t len = 0;
Ticket second_ticket_data;
METHOD_DATA padata;
-
+
krb5_data_zero(&resp);
krb5_data_zero(&enc);
padata.val = NULL;
@@ -420,10 +422,10 @@ get_cred_kdc_usage(krb5_context context,
krb5_generate_random_block(&nonce, sizeof(nonce));
nonce &= 0xffffffff;
-
+
if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
- ret = decode_Ticket(in_creds->second_ticket.data,
- in_creds->second_ticket.length,
+ ret = decode_Ticket(in_creds->second_ticket.data,
+ in_creds->second_ticket.length,
&second_ticket_data, &len);
if(ret)
return ret;
@@ -436,12 +438,12 @@ get_cred_kdc_usage(krb5_context context,
PA_S4U2Self self;
krb5_data data;
void *buf;
- size_t size;
+ size_t size = 0;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = estrdup("Kerberos");
-
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret) {
free(self.auth);
@@ -460,7 +462,7 @@ get_cred_kdc_usage(krb5_context context,
KRB5_KU_OTHER_CKSUM,
0,
data.data,
- data.length,
+ data.length,
&self.cksum);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
@@ -476,8 +478,8 @@ get_cred_kdc_usage(krb5_context context,
goto out;
if (len != size)
krb5_abortx(context, "internal asn1 error");
-
- ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len);
+
+ ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto out;
}
@@ -491,14 +493,13 @@ get_cred_kdc_usage(krb5_context context,
krbtgt,
nonce,
&padata,
- &subkey,
- &req,
- usage);
+ &subkey,
+ &req);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
- if (ret)
+ if (ret)
goto out;
if(enc.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
@@ -526,42 +527,48 @@ get_cred_kdc_usage(krb5_context context,
goto out;
memset(&rep, 0, sizeof(rep));
- if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0){
- ret = krb5_copy_principal(context,
- in_creds->client,
+ if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
+ unsigned eflags = 0;
+
+ ret = krb5_copy_principal(context,
+ in_creds->client,
&out_creds->client);
if(ret)
- goto out;
- ret = krb5_copy_principal(context,
- in_creds->server,
+ goto out2;
+ ret = krb5_copy_principal(context,
+ in_creds->server,
&out_creds->server);
if(ret)
- goto out;
+ goto out2;
/* this should go someplace else */
out_creds->times.endtime = in_creds->times.endtime;
+ /* XXX should do better testing */
+ if (flags.b.constrained_delegation || impersonate_principal)
+ eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
+
ret = _krb5_extract_ticket(context,
&rep,
out_creds,
&krbtgt->session,
NULL,
- KRB5_KU_TGS_REP_ENC_PART_SESSION,
+ 0,
&krbtgt->addresses,
nonce,
- EXTRACT_TICKET_ALLOW_CNAME_MISMATCH|
- EXTRACT_TICKET_ALLOW_SERVER_MISMATCH,
+ eflags,
decrypt_tkt_with_subkey,
subkey);
+ out2:
krb5_free_kdc_rep(context, &rep);
} else if(krb5_rd_error(context, &resp, &error) == 0) {
ret = krb5_error_from_rd_error(context, &error, in_creds);
krb5_free_error_contents(context, &error);
- } else if(resp.data && ((char*)resp.data)[0] == 4) {
+ } else if(resp.length > 0 && ((char*)resp.data)[0] == 4) {
ret = KRB5KRB_AP_ERR_V4_REPLY;
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
} else {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
}
out:
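Review bot: When `flags.b.constrained_delegation` or `impersonate_principal` is set, `eflags` switches off the client-name comparison entirely, and nothing in this hunk adds a narrower check in its place; the `XXX should do better testing` comment acknowledges this. For the impersonation case the reply's client is expected to be the impersonated principal, so a check between the `_krb5_extract_ticket` call and `out2:` would close the gap, for example `if (ret == 0 && impersonate_principal && !krb5_principal_compare(context, out_creds->client, impersonate_principal)) ret = KRB5KRB_AP_ERR_MODIFIED;`. This assumes `_krb5_extract_ticket` leaves the reply's client name in `out_creds->client`, which is not visible here and should be confirmed, as should the interaction with name canonicalization. The enclosing function get_cred_kdc starts and ends outside this hunk.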
@@ -570,62 +577,58 @@ out:
free_METHOD_DATA(&padata);
krb5_data_free(&resp);
krb5_data_free(&enc);
- if(subkey){
- krb5_free_keyblock_contents(context, subkey);
- free(subkey);
- }
+ if(subkey)
+ krb5_free_keyblock(context, subkey);
return ret;
-
+
}
+/*
+ * same as above, just get local addresses first if the krbtgt have
+ * them and the realm is not addressless
+ */
+
static krb5_error_code
-get_cred_kdc(krb5_context context,
- krb5_ccache id,
- krb5_kdc_flags flags,
- krb5_addresses *addresses,
- krb5_creds *in_creds,
- krb5_creds *krbtgt,
- krb5_principal impersonate_principal,
- Ticket *second_ticket,
- krb5_creds *out_creds)
+get_cred_kdc_address(krb5_context context,
+ krb5_ccache id,
+ krb5_kdc_flags flags,
+ krb5_addresses *addrs,
+ krb5_creds *in_creds,
+ krb5_creds *krbtgt,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds *out_creds)
{
krb5_error_code ret;
+ krb5_addresses addresses = { 0, NULL };
- ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
- krbtgt, impersonate_principal, second_ticket,
- out_creds, KRB5_KU_TGS_REQ_AUTH);
- if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
- krb5_clear_error_string (context);
- ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
- krbtgt, impersonate_principal, second_ticket,
- out_creds, KRB5_KU_AP_REQ_AUTH);
- }
- return ret;
-}
+ /*
+ * Inherit the address-ness of the krbtgt if the address is not
+ * specified.
+ */
+
+ if (addrs == NULL && krbtgt->addresses.len != 0) {
+ krb5_boolean noaddr;
-/* same as above, just get local addresses first */
+ krb5_appdefault_boolean(context, NULL, krbtgt->server->realm,
+ "no-addresses", FALSE, &noaddr);
-static krb5_error_code
-get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags,
- krb5_creds *in_creds, krb5_creds *krbtgt,
- krb5_principal impersonate_principal, Ticket *second_ticket,
- krb5_creds *out_creds)
-{
- krb5_error_code ret;
- krb5_addresses addresses, *addrs = &addresses;
-
- krb5_get_all_client_addrs(context, &addresses);
- /* XXX this sucks. */
- if(addresses.len == 0)
- addrs = NULL;
- ret = get_cred_kdc(context, id, flags, addrs,
- in_creds, krbtgt, impersonate_principal, second_ticket,
- out_creds);
+ if (!noaddr) {
+ krb5_get_all_client_addrs(context, &addresses);
+ /* XXX this sucks. */
+ addrs = &addresses;
+ if(addresses.len == 0)
+ addrs = NULL;
+ }
+ }
+ ret = get_cred_kdc(context, id, flags, addrs, in_creds,
+ krbtgt, impersonate_principal,
+ second_ticket, out_creds);
krb5_free_addresses(context, &addresses);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_kdc_cred(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
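Review bot: In get_cred_kdc_address the return value of `krb5_get_all_client_addrs` is discarded, so a failure to enumerate local addresses looks the same as a host that has none. The request then silently goes out addressless even though the krbtgt carries addresses and `no-addresses` is false. Consider `ret = krb5_get_all_client_addrs(context, &addresses); if (ret) return ret;`, or at least a comment stating that falling back to an addressless request on failure is intended. Since `addresses` starts as `{ 0, NULL }`, the early return should not need extra cleanup, but confirm that the callee leaves nothing allocated on failure.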
@@ -640,7 +643,8 @@ krb5_get_kdc_cred(krb5_context context,
*out_creds = calloc(1, sizeof(**out_creds));
if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = _krb5_get_krbtgt (context,
@@ -649,29 +653,34 @@ krb5_get_kdc_cred(krb5_context context,
&krbtgt);
if(ret) {
free(*out_creds);
+ *out_creds = NULL;
return ret;
}
- ret = get_cred_kdc(context, id, flags, addresses,
+ ret = get_cred_kdc(context, id, flags, addresses,
in_creds, krbtgt, NULL, NULL, *out_creds);
krb5_free_creds (context, krbtgt);
- if(ret)
+ if(ret) {
free(*out_creds);
+ *out_creds = NULL;
+ }
return ret;
}
-static void
-not_found(krb5_context context, krb5_const_principal p)
+static int
+not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
{
krb5_error_code ret;
char *str;
ret = krb5_unparse_name(context, p, &str);
if(ret) {
- krb5_clear_error_string(context);
- return;
+ krb5_clear_error_message(context);
+ return code;
}
- krb5_set_error_string(context, "Matching credential (%s) not found", str);
+ krb5_set_error_message(context, code,
+ N_("Matching credential (%s) not found", ""), str);
free(str);
+ return code;
}
static krb5_error_code
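Review bot: `not_found` is now declared `static int` but takes a `krb5_error_code` and hands it straight back, and every caller in this diff returns that value from a `krb5_error_code` function. Declaring it `static krb5_error_code` would keep the types consistent. A short comment such as `/* set a "not found" message for p and return code unchanged */` would also explain why callers can write `return not_found(...)`, including on the path where `krb5_unparse_name` fails and only the message is cleared.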
@@ -686,24 +695,23 @@ find_cred(krb5_context context,
krb5_cc_clear_mcred(&mcreds);
mcreds.server = server;
- ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
+ ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
&mcreds, out_creds);
if(ret == 0)
return 0;
while(tgts && *tgts){
- if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
+ if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
&mcreds, *tgts)){
ret = krb5_copy_creds_contents(context, *tgts, out_creds);
return ret;
}
tgts++;
}
- not_found(context, server);
- return KRB5_CC_NOTFOUND;
+ return not_found(context, server, KRB5_CC_NOTFOUND);
}
static krb5_error_code
-add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
+add_cred(krb5_context context, krb5_creds const *tkt, krb5_creds ***tgts)
{
int i;
krb5_error_code ret;
@@ -712,7 +720,8 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
for(i = 0; tmp && tmp[i]; i++); /* XXX */
tmp = realloc(tmp, (i+2)*sizeof(*tmp));
if(tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
*tgts = tmp;
@@ -721,34 +730,21 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
return ret;
}
-/*
-get_cred(server)
- creds = cc_get_cred(server)
- if(creds) return creds
- tgt = cc_get_cred(krbtgt/server_realm@any_realm)
- if(tgt)
- return get_cred_tgt(server, tgt)
- if(client_realm == server_realm)
- return NULL
- tgt = get_cred(krbtgt/server_realm@client_realm)
- while(tgt_inst != server_realm)
- tgt = get_cred(krbtgt/server_realm@tgt_inst)
- return get_cred_tgt(server, tgt)
- */
-
static krb5_error_code
-get_cred_from_kdc_flags(krb5_context context,
- krb5_kdc_flags flags,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_principal impersonate_principal,
- Ticket *second_ticket,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts)
+get_cred_kdc_capath_worker(krb5_context context,
+ krb5_kdc_flags flags,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_const_realm try_realm,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
{
krb5_error_code ret;
krb5_creds *tgt, tmp_creds;
- krb5_const_realm client_realm, server_realm, try_realm;
+ krb5_const_realm client_realm, server_realm;
+ int ok_as_delegate = 1;
*out_creds = NULL;
@@ -759,24 +755,11 @@ get_cred_from_kdc_flags(krb5_context context,
if(ret)
return ret;
- try_realm = krb5_config_get_string(context, NULL, "capaths",
- client_realm, server_realm, NULL);
-
-#if 1
- /* XXX remove in future release */
- if(try_realm == NULL)
- try_realm = krb5_config_get_string(context, NULL, "libdefaults",
- "capath", server_realm, NULL);
-#endif
-
- if (try_realm == NULL)
- try_realm = client_realm;
-
ret = krb5_make_principal(context,
&tmp_creds.server,
try_realm,
KRB5_TGS_NAME,
- server_realm,
+ server_realm,
NULL);
if(ret){
krb5_free_principal(context, tmp_creds.client);
@@ -784,36 +767,30 @@ get_cred_from_kdc_flags(krb5_context context,
}
{
krb5_creds tgts;
- /* XXX try krb5_cc_retrieve_cred first? */
- ret = find_cred(context, ccache, tmp_creds.server,
+
+ ret = find_cred(context, ccache, tmp_creds.server,
*ret_tgts, &tgts);
if(ret == 0){
+ /* only allow implicit ok_as_delegate if the realm is the clients realm */
+ if (strcmp(try_realm, client_realm) != 0 || strcmp(try_realm, server_realm) != 0)
+ ok_as_delegate = tgts.flags.b.ok_as_delegate;
+
*out_creds = calloc(1, sizeof(**out_creds));
if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
} else {
- krb5_boolean noaddr;
-
- krb5_appdefault_boolean(context, NULL, tgts.server->realm,
- "no-addresses", FALSE, &noaddr);
-
- if (noaddr)
- ret = get_cred_kdc(context, ccache, flags, NULL,
- in_creds, &tgts,
- impersonate_principal,
- second_ticket,
- *out_creds);
- else
- ret = get_cred_kdc_la(context, ccache, flags,
- in_creds, &tgts,
- impersonate_principal,
- second_ticket,
- *out_creds);
+ ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ in_creds, &tgts,
+ impersonate_principal,
+ second_ticket,
+ *out_creds);
if (ret) {
free (*out_creds);
*out_creds = NULL;
- }
+ } else if (ok_as_delegate == 0)
+ (*out_creds)->flags.b.ok_as_delegate = 0;
}
krb5_free_cred_contents(context, &tgts);
krb5_free_principal(context, tmp_creds.server);
@@ -821,22 +798,30 @@ get_cred_from_kdc_flags(krb5_context context,
return ret;
}
}
- if(krb5_realm_compare(context, in_creds->client, in_creds->server)) {
- not_found(context, in_creds->server);
- return KRB5_CC_NOTFOUND;
- }
+ if(krb5_realm_compare(context, in_creds->client, in_creds->server))
+ return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
+
/* XXX this can loop forever */
while(1){
heim_general_string tgt_inst;
- ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds,
- NULL, NULL, &tgt, ret_tgts);
+ ret = get_cred_kdc_capath(context, flags, ccache, &tmp_creds,
+ NULL, NULL, &tgt, ret_tgts);
if(ret) {
krb5_free_principal(context, tmp_creds.server);
krb5_free_principal(context, tmp_creds.client);
return ret;
}
- ret = add_cred(context, ret_tgts, tgt);
+ /*
+ * if either of the chain or the ok_as_delegate was stripped
+ * by the kdc, make sure we strip it too.
+ */
+ if (ok_as_delegate == 0 || tgt->flags.b.ok_as_delegate == 0) {
+ ok_as_delegate = 0;
+ tgt->flags.b.ok_as_delegate = 0;
+ }
+
+ ret = add_cred(context, tgt, ret_tgts);
if(ret) {
krb5_free_principal(context, tmp_creds.server);
krb5_free_principal(context, tmp_creds.client);
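Review bot: The `while(1)` loop keeps its `/* XXX this can loop forever */` comment, and nothing added in this hunk bounds it. Each pass requests another krbtgt, and judging by the next hunk the following realm (`tgt_inst`) comes from the ticket just received, so the iteration count is decided by what the KDCs along the path return. get_cred_kdc_referral, added later in this diff, caps its chase with `while (loop++ < 17)`. The same kind of hop counter here, for example `if (++hops > 17)` followed by the existing principal cleanup and an error such as `KRB5_GET_IN_TKT_LOOP`, would remove the open-ended case. The loop body continues past the end of this hunk.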
@@ -846,7 +831,7 @@ get_cred_from_kdc_flags(krb5_context context,
if(strcmp(tgt_inst, server_realm) == 0)
break;
krb5_free_principal(context, tmp_creds.server);
- ret = krb5_make_principal(context, &tmp_creds.server,
+ ret = krb5_make_principal(context, &tmp_creds.server,
tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
if(ret) {
krb5_free_principal(context, tmp_creds.server);
@@ -860,27 +845,17 @@ get_cred_from_kdc_flags(krb5_context context,
return ret;
}
}
-
+
krb5_free_principal(context, tmp_creds.server);
krb5_free_principal(context, tmp_creds.client);
*out_creds = calloc(1, sizeof(**out_creds));
if(*out_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
} else {
- krb5_boolean noaddr;
-
- krb5_appdefault_boolean(context, NULL, tgt->server->realm,
- "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
- &noaddr);
- if (noaddr)
- ret = get_cred_kdc (context, ccache, flags, NULL,
- in_creds, tgt, NULL, NULL,
- *out_creds);
- else
- ret = get_cred_kdc_la(context, ccache, flags,
- in_creds, tgt, NULL, NULL,
- *out_creds);
+ ret = get_cred_kdc_address (context, ccache, flags, NULL,
+ in_creds, tgt, impersonate_principal,
+ second_ticket, *out_creds);
if (ret) {
free (*out_creds);
*out_creds = NULL;
@@ -890,34 +865,259 @@ get_cred_from_kdc_flags(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_cred_from_kdc_opt(krb5_context context,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts,
- krb5_flags flags)
+/*
+get_cred(server)
+ creds = cc_get_cred(server)
+ if(creds) return creds
+ tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+ if(tgt)
+ return get_cred_tgt(server, tgt)
+ if(client_realm == server_realm)
+ return NULL
+ tgt = get_cred(krbtgt/server_realm@client_realm)
+ while(tgt_inst != server_realm)
+ tgt = get_cred(krbtgt/server_realm@tgt_inst)
+ return get_cred_tgt(server, tgt)
+ */
+
+static krb5_error_code
+get_cred_kdc_capath(krb5_context context,
+ krb5_kdc_flags flags,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
+{
+ krb5_error_code ret;
+ krb5_const_realm client_realm, server_realm, try_realm;
+
+ client_realm = krb5_principal_get_realm(context, in_creds->client);
+ server_realm = krb5_principal_get_realm(context, in_creds->server);
+
+ try_realm = client_realm;
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
+ impersonate_principal, second_ticket, out_creds,
+ ret_tgts);
+
+ if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+ try_realm = krb5_config_get_string(context, NULL, "capaths",
+ client_realm, server_realm, NULL);
+
+ if (try_realm != NULL && strcmp(try_realm, client_realm)) {
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
+ try_realm, impersonate_principal,
+ second_ticket, out_creds, ret_tgts);
+ }
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+get_cred_kdc_referral(krb5_context context,
+ krb5_kdc_flags flags,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
{
- krb5_kdc_flags f;
- f.i = flags;
- return get_cred_from_kdc_flags(context, f, ccache,
- in_creds, NULL, NULL,
- out_creds, ret_tgts);
+ krb5_const_realm client_realm;
+ krb5_error_code ret;
+ krb5_creds tgt, referral, ticket;
+ int loop = 0;
+ int ok_as_delegate = 1;
+
+ if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
+ N_("Name too short to do referals, skipping", ""));
+ return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+ }
+
+ memset(&tgt, 0, sizeof(tgt));
+ memset(&ticket, 0, sizeof(ticket));
+
+ flags.b.canonicalize = 1;
+
+ *out_creds = NULL;
+
+ client_realm = krb5_principal_get_realm(context, in_creds->client);
+
+ /* find tgt for the clients base realm */
+ {
+ krb5_principal tgtname;
+
+ ret = krb5_make_principal(context, &tgtname,
+ client_realm,
+ KRB5_TGS_NAME,
+ client_realm,
+ NULL);
+ if(ret)
+ return ret;
+
+ ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
+ krb5_free_principal(context, tgtname);
+ if (ret)
+ return ret;
+ }
+
+ referral = *in_creds;
+ ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ if (ret) {
+ krb5_free_cred_contents(context, &tgt);
+ return ret;
+ }
+ ret = krb5_principal_set_realm(context, referral.server, client_realm);
+ if (ret) {
+ krb5_free_cred_contents(context, &tgt);
+ krb5_free_principal(context, referral.server);
+ return ret;
+ }
+
+ while (loop++ < 17) {
+ krb5_creds **tickets;
+ krb5_creds mcreds;
+ char *referral_realm;
+
+ /* Use cache if we are not doing impersonation or contrainte deleg */
+ if (impersonate_principal == NULL || flags.b.constrained_delegation) {
+ krb5_cc_clear_mcred(&mcreds);
+ mcreds.server = referral.server;
+ ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket);
+ } else
+ ret = EINVAL;
+
+ if (ret) {
+ ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ &referral, &tgt, impersonate_principal,
+ second_ticket, &ticket);
+ if (ret)
+ goto out;
+ }
+
+ /* Did we get the right ticket ? */
+ if (krb5_principal_compare_any_realm(context,
+ referral.server,
+ ticket.server))
+ break;
+
+ if (!krb5_principal_is_krbtgt(context, ticket.server)) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
+ N_("Got back an non krbtgt "
+ "ticket referrals", ""));
+ ret = KRB5KRB_AP_ERR_NOT_US;
+ goto out;
+ }
+
+ referral_realm = ticket.server->name.name_string.val[1];
+
+ /* check that there are no referrals loops */
+ tickets = *ret_tgts;
+
+ krb5_cc_clear_mcred(&mcreds);
+ mcreds.server = ticket.server;
+
+ while(tickets && *tickets){
+ if(krb5_compare_creds(context,
+ KRB5_TC_DONT_MATCH_REALM,
+ &mcreds,
+ *tickets))
+ {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ N_("Referral from %s "
+ "loops back to realm %s", ""),
+ tgt.server->realm,
+ referral_realm);
+ ret = KRB5_GET_IN_TKT_LOOP;
+ goto out;
+ }
+ tickets++;
+ }
+
+ /*
+ * if either of the chain or the ok_as_delegate was stripped
+ * by the kdc, make sure we strip it too.
+ */
+
+ if (ok_as_delegate == 0 || ticket.flags.b.ok_as_delegate == 0) {
+ ok_as_delegate = 0;
+ ticket.flags.b.ok_as_delegate = 0;
+ }
+
+ ret = add_cred(context, &ticket, ret_tgts);
+ if (ret)
+ goto out;
+
+ /* try realm in the referral */
+ ret = krb5_principal_set_realm(context,
+ referral.server,
+ referral_realm);
+ krb5_free_cred_contents(context, &tgt);
+ tgt = ticket;
+ memset(&ticket, 0, sizeof(ticket));
+ if (ret)
+ goto out;
+ }
+
+ ret = krb5_copy_creds(context, &ticket, out_creds);
+
+out:
+ krb5_free_principal(context, referral.server);
+ krb5_free_cred_contents(context, &tgt);
+ krb5_free_cred_contents(context, &ticket);
+ return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_cred_from_kdc(krb5_context context,
+
+/*
+ * Glue function between referrals version and old client chasing
+ * codebase.
+ */
+
+krb5_error_code
+_krb5_get_cred_kdc_any(krb5_context context,
+ krb5_kdc_flags flags,
krb5_ccache ccache,
krb5_creds *in_creds,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
- return krb5_get_cred_from_kdc_opt(context, ccache,
- in_creds, out_creds, ret_tgts, 0);
+ krb5_error_code ret;
+ krb5_deltat offset;
+
+ ret = krb5_cc_get_kdc_offset(context, ccache, &offset);
+ if (ret) {
+ context->kdc_sec_offset = offset;
+ context->kdc_usec_offset = 0;
+ }
+
+ ret = get_cred_kdc_referral(context,
+ flags,
+ ccache,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ out_creds,
+ ret_tgts);
+ if (ret == 0 || flags.b.canonicalize)
+ return ret;
+ return get_cred_kdc_capath(context,
+ flags,
+ ccache,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ out_creds,
+ ret_tgts);
}
-
-krb5_error_code KRB5_LIB_FUNCTION
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials_with_flags(krb5_context context,
krb5_flags options,
krb5_kdc_flags flags,
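Review bot: In `_krb5_get_cred_kdc_any` the test after `krb5_cc_get_kdc_offset` looks inverted. `if (ret)` copies `offset` into `context->kdc_sec_offset` only when the call failed, when `offset` may never have been written, and ignores the value when the call succeeded; it should read `if (ret == 0) {`. Separately, in `get_cred_kdc_referral`, if `while (loop++ < 17)` runs out without reaching `break`, `ticket` has just been zeroed and `ret` is 0, so `krb5_copy_creds` is handed an empty credential. Setting `ret = KRB5_GET_IN_TKT_LOOP` and jumping to `out` in that case would turn the hop limit into an explicit error.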
@@ -929,18 +1129,25 @@ krb5_get_credentials_with_flags(krb5_context context,
krb5_creds **tgts;
krb5_creds *res_creds;
int i;
-
+
+ if (in_creds->session.keytype) {
+ ret = krb5_enctype_valid(context, in_creds->session.keytype);
+ if (ret)
+ return ret;
+ }
+
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if (in_creds->session.keytype)
options |= KRB5_TC_MATCH_KEYTYPE;
- /*
+ /*
* If we got a credential, check if credential is expired before
* returning it.
*/
@@ -949,7 +1156,7 @@ krb5_get_credentials_with_flags(krb5_context context,
in_creds->session.keytype ?
KRB5_TC_MATCH_KEYTYPE : 0,
in_creds, res_creds);
- /*
+ /*
* If we got a credential, check if credential is expired before
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
*/
@@ -961,7 +1168,7 @@ krb5_get_credentials_with_flags(krb5_context context,
*out_creds = res_creds;
return 0;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
@@ -975,18 +1182,17 @@ krb5_get_credentials_with_flags(krb5_context context,
return ret;
}
free(res_creds);
- if(options & KRB5_GC_CACHED) {
- not_found(context, in_creds->server);
- return KRB5_CC_NOTFOUND;
- }
+ if(options & KRB5_GC_CACHED)
+ return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
+
if(options & KRB5_GC_USER_USER)
flags.b.enc_tkt_in_skey = 1;
if (flags.b.enc_tkt_in_skey)
options |= KRB5_GC_NO_STORE;
tgts = NULL;
- ret = get_cred_from_kdc_flags(context, flags, ccache,
- in_creds, NULL, NULL, out_creds, &tgts);
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ in_creds, NULL, NULL, out_creds, &tgts);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
krb5_free_creds(context, tgts[i]);
@@ -997,7 +1203,7 @@ krb5_get_credentials_with_flags(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials(krb5_context context,
krb5_flags options,
krb5_ccache ccache,
@@ -1018,27 +1224,32 @@ struct krb5_get_creds_opt_data {
};
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
{
*opt = calloc(1, sizeof(**opt));
if (*opt == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
{
if (opt->self)
krb5_free_principal(context, opt->self);
+ if (opt->ticket) {
+ free_Ticket(opt->ticket);
+ free(opt->ticket);
+ }
memset(opt, 0, sizeof(*opt));
free(opt);
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_set_options(krb5_context context,
krb5_get_creds_opt opt,
krb5_flags options)
@@ -1046,7 +1257,7 @@ krb5_get_creds_opt_set_options(krb5_context context,
opt->options = options;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_add_options(krb5_context context,
krb5_get_creds_opt opt,
krb5_flags options)
@@ -1054,7 +1265,7 @@ krb5_get_creds_opt_add_options(krb5_context context,
opt->options |= options;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_set_enctype(krb5_context context,
krb5_get_creds_opt opt,
krb5_enctype enctype)
@@ -1062,7 +1273,7 @@ krb5_get_creds_opt_set_enctype(krb5_context context,
opt->enctype = enctype;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_set_impersonate(krb5_context context,
krb5_get_creds_opt opt,
krb5_const_principal self)
@@ -1072,7 +1283,7 @@ krb5_get_creds_opt_set_impersonate(krb5_context context,
return krb5_copy_principal(context, self, &opt->self);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_set_ticket(krb5_context context,
krb5_get_creds_opt opt,
const Ticket *ticket)
@@ -1087,14 +1298,16 @@ krb5_get_creds_opt_set_ticket(krb5_context context,
opt->ticket = malloc(sizeof(*ticket));
if (opt->ticket == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = copy_Ticket(ticket, opt->ticket);
if (ret) {
free(opt->ticket);
opt->ticket = NULL;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
return ret;
}
}
@@ -1103,7 +1316,7 @@ krb5_get_creds_opt_set_ticket(krb5_context context,
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds(krb5_context context,
krb5_get_creds_opt opt,
krb5_ccache ccache,
@@ -1117,7 +1330,13 @@ krb5_get_creds(krb5_context context,
krb5_creds **tgts;
krb5_creds *res_creds;
int i;
-
+
+ if (opt && opt->enctype) {
+ ret = krb5_enctype_valid(context, opt->enctype);
+ if (ret)
+ return ret;
+ }
+
memset(&in_creds, 0, sizeof(in_creds));
in_creds.server = rk_UNCONST(inprinc);
@@ -1125,31 +1344,35 @@ krb5_get_creds(krb5_context context,
if (ret)
return ret;
- options = opt->options;
+ if (opt)
+ options = opt->options;
+ else
+ options = 0;
flags.i = 0;
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL) {
krb5_free_principal(context, in_creds.client);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- if (opt->enctype) {
+ if (opt && opt->enctype) {
in_creds.session.keytype = opt->enctype;
options |= KRB5_TC_MATCH_KEYTYPE;
}
- /*
+ /*
* If we got a credential, check if credential is expired before
* returning it.
*/
ret = krb5_cc_retrieve_cred(context,
ccache,
- opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0,
+ options & KRB5_TC_MATCH_KEYTYPE,
&in_creds, res_creds);
- /*
+ /*
* If we got a credential, check if credential is expired before
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
*/
@@ -1160,14 +1383,14 @@ krb5_get_creds(krb5_context context,
if(options & KRB5_GC_EXPIRED_OK) {
*out_creds = res_creds;
krb5_free_principal(context, in_creds.client);
- return 0;
+ goto out;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
krb5_free_principal(context, in_creds.client);
- return 0;
+ goto out;
}
if(options & KRB5_GC_CACHED)
krb5_cc_remove_cred(context, ccache, 0, res_creds);
@@ -1175,13 +1398,13 @@ krb5_get_creds(krb5_context context,
} else if(ret != KRB5_CC_END) {
free(res_creds);
krb5_free_principal(context, in_creds.client);
- return ret;
+ goto out;
}
free(res_creds);
if(options & KRB5_GC_CACHED) {
- not_found(context, in_creds.server);
krb5_free_principal(context, in_creds.client);
- return KRB5_CC_NOTFOUND;
+ ret = not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
+ goto out;
}
if(options & KRB5_GC_USER_USER) {
flags.b.enc_tkt_in_skey = 1;
@@ -1195,11 +1418,13 @@ krb5_get_creds(krb5_context context,
flags.b.request_anonymous = 1; /* XXX ARGH confusion */
flags.b.constrained_delegation = 1;
}
+ if (options & KRB5_GC_CANONICALIZE)
+ flags.b.canonicalize = 1;
tgts = NULL;
- ret = get_cred_from_kdc_flags(context, flags, ccache,
- &in_creds, opt->self, opt->ticket,
- out_creds, &tgts);
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ &in_creds, opt->self, opt->ticket,
+ out_creds, &tgts);
krb5_free_principal(context, in_creds.client);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
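Review bot: The new `_krb5_get_cred_kdc_any` call still dereferences `opt` unconditionally through `opt->self` and `opt->ticket`, although earlier hunks in krb5_get_creds now accept a NULL `opt` (`if (opt && opt->enctype)`, `if (opt) options = opt->options;`). Passing `opt ? opt->self : NULL, opt ? opt->ticket : NULL` would keep a NULL option set from crashing on the KDC path. Any `opt->...` test in the unchanged lines between this hunk and the previous one would need the same guard; those lines are not shown here.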
@@ -1208,6 +1433,10 @@ krb5_get_creds(krb5_context context,
free(tgts);
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
krb5_cc_store_cred(context, ccache, *out_creds);
+
+ out:
+ _krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
+
return ret;
}
@@ -1215,7 +1444,7 @@ krb5_get_creds(krb5_context context,
*
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_renewed_creds(krb5_context context,
krb5_creds *creds,
krb5_const_principal client,
@@ -1241,7 +1470,7 @@ krb5_get_renewed_creds(krb5_context context,
}
} else {
const char *realm = krb5_principal_get_realm(context, client);
-
+
ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
realm, NULL);
if (ret) {
diff --git a/crypto/heimdal/lib/krb5/get_default_principal.c b/crypto/heimdal/lib/krb5/get_default_principal.c
index 83fb2b0fa984..44baa6d1c2cd 100644
--- a/crypto/heimdal/lib/krb5/get_default_principal.c
+++ b/crypto/heimdal/lib/krb5/get_default_principal.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: get_default_principal.c 14870 2005-04-20 20:53:29Z lha $");
-
/*
* Try to find out what's a reasonable default principal.
*/
@@ -50,6 +48,8 @@ get_env_user(void)
return user;
}
+#ifndef _WIN32
+
/*
* Will only use operating-system dependant operation to get the
* default principal, for use of functions that in ccache layer to
@@ -57,7 +57,7 @@ get_env_user(void)
*/
krb5_error_code
-_krb5_get_default_principal_local (krb5_context context,
+_krb5_get_default_principal_local (krb5_context context,
krb5_principal *princ)
{
krb5_error_code ret;
@@ -66,7 +66,7 @@ _krb5_get_default_principal_local (krb5_context context,
*princ = NULL;
- uid = getuid();
+ uid = getuid();
if(uid == 0) {
user = getlogin();
if(user == NULL)
@@ -76,7 +76,7 @@ _krb5_get_default_principal_local (krb5_context context,
else
ret = krb5_make_principal(context, princ, NULL, "root", NULL);
} else {
- struct passwd *pw = getpwuid(uid);
+ struct passwd *pw = getpwuid(uid);
if(pw != NULL)
user = pw->pw_name;
else {
@@ -85,8 +85,9 @@ _krb5_get_default_principal_local (krb5_context context,
user = getlogin();
}
if(user == NULL) {
- krb5_set_error_string(context,
- "unable to figure out current principal");
+ krb5_set_error_message(context, ENOTTY,
+ N_("unable to figure out current "
+ "principal", ""));
return ENOTTY; /* XXX */
}
ret = krb5_make_principal(context, princ, NULL, user, NULL);
@@ -94,7 +95,56 @@ _krb5_get_default_principal_local (krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+#else /* _WIN32 */
+
+#define SECURITY_WIN32
+#include <security.h>
+
+krb5_error_code
+_krb5_get_default_principal_local(krb5_context context,
+ krb5_principal *princ)
+{
+ /* See if we can get the principal first. We only expect this to
+ work if logged into a domain. */
+ {
+ char username[1024];
+ ULONG sz = sizeof(username);
+
+ if (GetUserNameEx(NameUserPrincipal, username, &sz)) {
+ return krb5_parse_name_flags(context, username,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ princ);
+ }
+ }
+
+ /* Just get the Windows username. This should pretty much always
+ work. */
+ {
+ char username[1024];
+ DWORD dsz = sizeof(username);
+
+ if (GetUserName(username, &dsz)) {
+ return krb5_make_principal(context, princ, NULL, username, NULL);
+ }
+ }
+
+ /* Failing that, we look at the environment */
+ {
+ const char * username = get_env_user();
+
+ if (username == NULL) {
+ krb5_set_error_string(context,
+ "unable to figure out current principal");
+ return ENOTTY; /* Really? */
+ }
+
+ return krb5_make_principal(context, princ, NULL, username, NULL);
+ }
+}
+
+#endif
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_principal (krb5_context context,
krb5_principal *princ)
{
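Review bot: The environment fallback in the new `_WIN32` version of `_krb5_get_default_principal_local` still calls `krb5_set_error_string(...)`, while the POSIX branch in this same file moves to `krb5_set_error_message(context, ENOTTY, N_(...))`. If the old function has been removed from the library the Windows build breaks; otherwise the error code is simply not recorded with the message. Suggested replacement: `krb5_set_error_message(context, ENOTTY, N_("unable to figure out current principal", ""));`. The Windows version also skips the `*princ = NULL;` that the POSIX version does first, so on the ENOTTY return `*princ` keeps whatever the caller passed in. Since the last fallback takes the name from `get_env_user()`, a one-line comment that this is only a default name and not an authenticated identity would help readers.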
diff --git a/crypto/heimdal/lib/krb5/get_default_realm.c b/crypto/heimdal/lib/krb5/get_default_realm.c
index 09c8577b2601..2a4933a62a7d 100644
--- a/crypto/heimdal/lib/krb5/get_default_realm.c
+++ b/crypto/heimdal/lib/krb5/get_default_realm.c
@@ -1,46 +1,44 @@
/*
- * Copyright (c) 1997 - 2001, 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001, 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: get_default_realm.c 13863 2004-05-25 21:46:46Z lha $");
-
/*
* Return a NULL-terminated list of default realms in `realms'.
* Free this memory with krb5_free_host_realm.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_realms (krb5_context context,
krb5_realm **realms)
{
@@ -59,7 +57,7 @@ krb5_get_default_realms (krb5_context context,
* Return the first default realm. For compatibility.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_realm(krb5_context context,
krb5_realm *realm)
{
@@ -68,7 +66,7 @@ krb5_get_default_realm(krb5_context context,
if (context->default_realms == NULL
|| context->default_realms[0] == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
ret = krb5_set_default_realm (context, NULL);
if (ret)
return ret;
@@ -76,7 +74,8 @@ krb5_get_default_realm(krb5_context context,
res = strdup (context->default_realms[0]);
if (res == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
*realm = res;
diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c
index cb8b7c8641a6..979fc9b0ae99 100644
--- a/crypto/heimdal/lib/krb5/get_for_creds.c
+++ b/crypto/heimdal/lib/krb5/get_for_creds.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: get_for_creds.c 22504 2008-01-21 15:49:58Z lha $");
+#include "krb5_locl.h"
static krb5_error_code
add_addrs(krb5_context context,
@@ -51,8 +49,8 @@ add_addrs(krb5_context context,
tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val));
if (tmp == NULL && (addr->len + n) != 0) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
addr->val = tmp;
@@ -72,7 +70,7 @@ add_addrs(krb5_context context,
addr->val[i++] = ad;
}
else if (ret == KRB5_PROG_ATYPE_NOSUPP)
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
else
goto fail;
addr->len = i;
@@ -102,7 +100,7 @@ fail:
* @ingroup krb5_credential
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_fwd_tgt_creds (krb5_context context,
krb5_auth_context auth_context,
const char *hostname,
@@ -129,23 +127,22 @@ krb5_fwd_tgt_creds (krb5_context context,
if (inst != NULL &&
strcmp(inst, "host") == 0 &&
- host != NULL &&
+ host != NULL &&
krb5_principal_get_comp_string(context, server, 2) == NULL)
hostname = host;
}
client_realm = krb5_principal_get_realm(context, client);
-
+
memset (&creds, 0, sizeof(creds));
creds.client = client;
- ret = krb5_build_principal(context,
- &creds.server,
- strlen(client_realm),
- client_realm,
- KRB5_TGS_NAME,
- client_realm,
- NULL);
+ ret = krb5_make_principal(context,
+ &creds.server,
+ client_realm,
+ KRB5_TGS_NAME,
+ client_realm,
+ NULL);
if (ret)
return ret;
@@ -163,7 +160,7 @@ krb5_fwd_tgt_creds (krb5_context context,
* Gets tickets forwarded to hostname. If the tickets that are
* forwarded are address-less, the forwarded tickets will also be
* address-less.
- *
+ *
* If the ticket have any address, hostname will be used for figure
* out the address to forward the ticket too. This since this might
* use DNS, its insecure and also doesn't represent configured all
@@ -186,7 +183,7 @@ krb5_fwd_tgt_creds (krb5_context context,
* @ingroup krb5_credential
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_forwarded_creds (krb5_context context,
krb5_auth_context auth_context,
krb5_ccache ccache,
@@ -207,7 +204,6 @@ krb5_get_forwarded_creds (krb5_context context,
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
struct addrinfo *ai;
- int save_errno;
krb5_creds *ticket;
paddrs = NULL;
@@ -222,14 +218,14 @@ krb5_get_forwarded_creds (krb5_context context,
} else {
krb5_boolean noaddr;
krb5_appdefault_boolean(context, NULL,
- krb5_principal_get_realm(context,
+ krb5_principal_get_realm(context,
in_creds->client),
"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
&noaddr);
if (!noaddr)
paddrs = &addrs;
}
-
+
/*
* If tickets have addresses, get the address of the remote host.
*/
@@ -238,18 +234,20 @@ krb5_get_forwarded_creds (krb5_context context,
ret = getaddrinfo (hostname, NULL, NULL, &ai);
if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
+ krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno);
+ krb5_set_error_message(context, ret2,
+ N_("resolving host %s failed: %s",
+ "hostname, error"),
hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
+ return ret2;
}
-
+
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
return ret;
}
-
+
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,
@@ -269,7 +267,7 @@ krb5_get_forwarded_creds (krb5_context context,
ALLOC_SEQ(&cred.tickets, 1);
if (cred.tickets.val == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out2;
}
ret = decode_Ticket(out_creds->ticket.data,
@@ -282,27 +280,27 @@ krb5_get_forwarded_creds (krb5_context context,
ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
if (enc_krb_cred_part.ticket_info.val == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
-
+
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
-
+
krb5_us_timeofday (context, &sec, &usec);
-
+
ALLOC(enc_krb_cred_part.timestamp, 1);
if (enc_krb_cred_part.timestamp == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
*enc_krb_cred_part.timestamp = sec;
ALLOC(enc_krb_cred_part.usec, 1);
if (enc_krb_cred_part.usec == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
*enc_krb_cred_part.usec = usec;
@@ -346,7 +344,8 @@ krb5_get_forwarded_creds (krb5_context context,
ALLOC(enc_krb_cred_part.r_address, 1);
if (enc_krb_cred_part.r_address == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out4;
}
@@ -389,7 +388,7 @@ krb5_get_forwarded_creds (krb5_context context,
/* encode EncKrbCredPart */
- ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
+ ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
&enc_krb_cred_part, &len, ret);
free_EncKrbCredPart (&enc_krb_cred_part);
if (ret) {
@@ -413,13 +412,13 @@ krb5_get_forwarded_creds (krb5_context context,
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- /*
+ /*
* Here older versions then 0.7.2 of Heimdal used the local or
* remote subkey. That is wrong, the session key should be
* used. Heimdal 0.7.2 and newer have code to try both in the
* receiving end.
*/
-
+
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
diff --git a/crypto/heimdal/lib/krb5/get_host_realm.c b/crypto/heimdal/lib/krb5/get_host_realm.c
index d709e4b38d17..ed7f54b3d698 100644
--- a/crypto/heimdal/lib/krb5/get_host_realm.c
+++ b/crypto/heimdal/lib/krb5/get_host_realm.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <resolve.h>
-RCSID("$Id: get_host_realm.c 18541 2006-10-17 19:28:36Z lha $");
-
/* To automagically find the correct realm of a host (without
* [domain_realm] in krb5.conf) add a text record for your domain with
* the name of your realm, like this:
@@ -51,14 +49,14 @@ RCSID("$Id: get_host_realm.c 18541 2006-10-17 19:28:36Z lha $");
*/
static int
-copy_txt_to_realms (struct resource_record *head,
+copy_txt_to_realms (struct rk_resource_record *head,
krb5_realm **realms)
{
- struct resource_record *rr;
- int n, i;
+ struct rk_resource_record *rr;
+ unsigned int n, i;
for(n = 0, rr = head; rr; rr = rr->next)
- if (rr->type == T_TXT)
+ if (rr->type == rk_ns_t_txt)
++n;
if (n == 0)
@@ -72,7 +70,7 @@ copy_txt_to_realms (struct resource_record *head,
(*realms)[i] = NULL;
for (i = 0, rr = head; rr; rr = rr->next) {
- if (rr->type == T_TXT) {
+ if (rr->type == rk_ns_t_txt) {
char *tmp;
tmp = strdup(rr->u.txt);
@@ -96,11 +94,11 @@ dns_find_realm(krb5_context context,
{
static const char *default_labels[] = { "_kerberos", NULL };
char dom[MAXHOSTNAMELEN];
- struct dns_reply *r;
+ struct rk_dns_reply *r;
const char **labels;
char **config_labels;
int i, ret;
-
+
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL);
if(config_labels != NULL)
@@ -111,15 +109,15 @@ dns_find_realm(krb5_context context,
domain++;
for (i = 0; labels[i] != NULL; i++) {
ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain);
- if(ret < 0 || ret >= sizeof(dom)) {
+ if(ret < 0 || (size_t)ret >= sizeof(dom)) {
if (config_labels)
krb5_config_free_strings(config_labels);
return -1;
}
- r = dns_lookup(dom, "TXT");
+ r = rk_dns_lookup(dom, "TXT");
if(r != NULL) {
ret = copy_txt_to_realms (r->head, realms);
- dns_free_data(r);
+ rk_dns_free_data(r);
if(ret == 0) {
if (config_labels)
krb5_config_free_strings(config_labels);
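Review bot: Nothing in this loop says how far the TXT answer is trusted: the data returned by `rk_dns_lookup(dom, "TXT")` goes straight into `*realms` through `copy_txt_to_realms`, and no validation is visible in the hunk. Unless the resolver validates the reply (not visible here), a forged answer decides which realm the host is mapped to. A comment above the lookup such as `/* TXT data is not authenticated; treat the realm as a hint */` would record that assumption. dns_find_realm starts before and ends after this hunk.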
@@ -138,8 +136,8 @@ dns_find_realm(krb5_context context,
*/
static int
-config_find_realm(krb5_context context,
- const char *domain,
+config_find_realm(krb5_context context,
+ const char *domain,
krb5_realm **realms)
{
char **tmp = krb5_config_get_strings (context, NULL,
@@ -160,7 +158,7 @@ config_find_realm(krb5_context context,
* fall back to guessing
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_host_realm_int (krb5_context context,
const char *host,
krb5_boolean use_dns,
@@ -178,8 +176,8 @@ _krb5_get_host_realm_int (krb5_context context,
for (q = host; q != NULL; q = strchr(q + 1, '.'))
if(dns_find_realm(context, q, realms) == 0)
return 0;
- continue;
- } else
+ continue;
+ } else
return 0;
}
else if(use_dns && dns_locate_enable) {
@@ -192,21 +190,23 @@ _krb5_get_host_realm_int (krb5_context context,
p++;
*realms = malloc(2 * sizeof(krb5_realm));
if (*realms == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
(*realms)[0] = strdup(p);
if((*realms)[0] == NULL) {
free(*realms);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
strupr((*realms)[0]);
(*realms)[1] = NULL;
return 0;
}
- krb5_set_error_string(context, "unable to find realm of host %s", host);
+ krb5_set_error_message(context, KRB5_ERR_HOST_REALM_UNKNOWN,
+ N_("unable to find realm of host %s", ""),
+ host);
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
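Review bot: On the `strdup` failure path, `free(*realms)` leaves the caller's `*realms` pointing at freed memory while the function returns ENOMEM. A caller that cleans up with krb5_free_host_realm() on error would then free it a second time. Adding `*realms = NULL;` right after `free(*realms);` removes the dangling pointer. The two added `krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));` lines also run past 80 columns, unlike the wrapped form used for the same call elsewhere in this commit. _krb5_get_host_realm_int begins outside this hunk.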
@@ -215,7 +215,7 @@ _krb5_get_host_realm_int (krb5_context context,
* `realms'. Free `realms' with krb5_free_host_realm().
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_host_realm(krb5_context context,
const char *targethost,
krb5_realm **realms)
@@ -233,7 +233,7 @@ krb5_get_host_realm(krb5_context context,
host = hostname;
}
- /*
+ /*
* If our local hostname is without components, don't even try to dns.
*/
@@ -248,8 +248,9 @@ krb5_get_host_realm(krb5_context context,
*/
ret = krb5_get_default_realms(context, realms);
if (ret) {
- krb5_set_error_string(context, "Unable to find realm of host %s",
- host);
+ krb5_set_error_message(context, KRB5_ERR_HOST_REALM_UNKNOWN,
+ N_("Unable to find realm of host %s", ""),
+ host);
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c
index ffd4ca2b04e4..41618b9616a4 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt.c
@@ -1,331 +1,54 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: get_in_tkt.c 20226 2007-02-16 03:31:50Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_init_etype (krb5_context context,
- unsigned *len,
- krb5_enctype **val,
- const krb5_enctype *etypes)
-{
- int i;
- krb5_error_code ret;
- krb5_enctype *tmp = NULL;
-
- ret = 0;
- if (etypes == NULL) {
- ret = krb5_get_default_in_tkt_etypes(context,
- &tmp);
- if (ret)
- return ret;
- etypes = tmp;
- }
-
- for (i = 0; etypes[i]; ++i)
- ;
- *len = i;
- *val = malloc(i * sizeof(**val));
- if (i != 0 && *val == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto cleanup;
- }
- memmove (*val,
- etypes,
- i * sizeof(*tmp));
-cleanup:
- if (tmp != NULL)
- free (tmp);
- return ret;
-}
-
-
-static krb5_error_code
-decrypt_tkt (krb5_context context,
- krb5_keyblock *key,
- krb5_key_usage usage,
- krb5_const_pointer decrypt_arg,
- krb5_kdc_rep *dec_rep)
-{
- krb5_error_code ret;
- krb5_data data;
- size_t size;
- krb5_crypto crypto;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret)
- return ret;
-
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
- usage,
- &dec_rep->kdc_rep.enc_part,
- &data);
- krb5_crypto_destroy(context, crypto);
-
- if (ret)
- return ret;
-
- ret = krb5_decode_EncASRepPart(context,
- data.data,
- data.length,
- &dec_rep->enc_part,
- &size);
- if (ret)
- ret = krb5_decode_EncTGSRepPart(context,
- data.data,
- data.length,
- &dec_rep->enc_part,
- &size);
- krb5_data_free (&data);
- if (ret)
- return ret;
- return 0;
-}
-
-int
-_krb5_extract_ticket(krb5_context context,
- krb5_kdc_rep *rep,
- krb5_creds *creds,
- krb5_keyblock *key,
- krb5_const_pointer keyseed,
- krb5_key_usage key_usage,
- krb5_addresses *addrs,
- unsigned nonce,
- unsigned flags,
- krb5_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg)
-{
- krb5_error_code ret;
- krb5_principal tmp_principal;
- int tmp;
- size_t len;
- time_t tmp_time;
- krb5_timestamp sec_now;
-
- ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
- rep->kdc_rep.cname,
- rep->kdc_rep.crealm);
- if (ret)
- goto out;
-
- /* compare client */
-
- if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0){
- tmp = krb5_principal_compare (context, tmp_principal, creds->client);
- if (!tmp) {
- krb5_free_principal (context, tmp_principal);
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto out;
- }
- }
-
- krb5_free_principal (context, creds->client);
- creds->client = tmp_principal;
-
- /* extract ticket */
- ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
- &rep->kdc_rep.ticket, &len, ret);
- if(ret)
- goto out;
- if (creds->ticket.length != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- creds->second_ticket.length = 0;
- creds->second_ticket.data = NULL;
-
- /* compare server */
-
- ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
- if (ret)
- goto out;
- if(flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH){
- krb5_free_principal(context, creds->server);
- creds->server = tmp_principal;
- tmp_principal = NULL;
- } else {
- tmp = krb5_principal_compare (context, tmp_principal,
- creds->server);
- krb5_free_principal (context, tmp_principal);
- if (!tmp) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_clear_error_string (context);
- goto out;
- }
- }
-
- /* decrypt */
-
- if (decrypt_proc == NULL)
- decrypt_proc = decrypt_tkt;
-
- ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
- if (ret)
- goto out;
-
- /* verify names */
- if(flags & EXTRACT_TICKET_MATCH_REALM){
- const char *srealm = krb5_principal_get_realm(context, creds->server);
- const char *crealm = krb5_principal_get_realm(context, creds->client);
-
- if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
- strcmp(rep->enc_part.srealm, crealm) != 0)
- {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_clear_error_string(context);
- goto out;
- }
- }
-
- /* compare nonces */
-
- if (nonce != rep->enc_part.nonce) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out;
- }
-
- /* set kdc-offset */
-
- krb5_timeofday (context, &sec_now);
- if (rep->enc_part.flags.initial
- && context->kdc_sec_offset == 0
- && krb5_config_get_bool (context, NULL,
- "libdefaults",
- "kdc_timesync",
- NULL)) {
- context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
- krb5_timeofday (context, &sec_now);
- }
-
- /* check all times */
-
- if (rep->enc_part.starttime) {
- tmp_time = *rep->enc_part.starttime;
- } else
- tmp_time = rep->enc_part.authtime;
-
- if (creds->times.starttime == 0
- && abs(tmp_time - sec_now) > context->max_skew) {
- ret = KRB5KRB_AP_ERR_SKEW;
- krb5_set_error_string (context,
- "time skew (%d) larger than max (%d)",
- abs(tmp_time - sec_now),
- (int)context->max_skew);
- goto out;
- }
-
- if (creds->times.starttime != 0
- && tmp_time != creds->times.starttime) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto out;
- }
-
- creds->times.starttime = tmp_time;
-
- if (rep->enc_part.renew_till) {
- tmp_time = *rep->enc_part.renew_till;
- } else
- tmp_time = 0;
-
- if (creds->times.renew_till != 0
- && tmp_time > creds->times.renew_till) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto out;
- }
-
- creds->times.renew_till = tmp_time;
-
- creds->times.authtime = rep->enc_part.authtime;
-
- if (creds->times.endtime != 0
- && rep->enc_part.endtime > creds->times.endtime) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto out;
- }
-
- creds->times.endtime = rep->enc_part.endtime;
-
- if(rep->enc_part.caddr)
- krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
- else if(addrs)
- krb5_copy_addresses (context, addrs, &creds->addresses);
- else {
- creds->addresses.len = 0;
- creds->addresses.val = NULL;
- }
- creds->flags.b = rep->enc_part.flags;
-
- creds->authdata.len = 0;
- creds->authdata.val = NULL;
- creds->session.keyvalue.length = 0;
- creds->session.keyvalue.data = NULL;
- creds->session.keytype = rep->enc_part.key.keytype;
- ret = krb5_data_copy (&creds->session.keyvalue,
- rep->enc_part.key.keyvalue.data,
- rep->enc_part.key.keyvalue.length);
-
-out:
- memset (rep->enc_part.key.keyvalue.data, 0,
- rep->enc_part.key.keyvalue.length);
- return ret;
-}
-
+#ifndef HEIMDAL_SMALLER
static krb5_error_code
-make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
+make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
krb5_enctype etype, krb5_keyblock *key)
{
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
int usec2;
krb5_crypto crypto;
-
+
krb5_us_timeofday (context, &p.patimestamp, &usec);
usec2 = usec;
p.pausec = &usec2;
@@ -340,7 +63,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
free(buf);
return ret;
}
- ret = krb5_encrypt_EncryptedData(context,
+ ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
buf,
@@ -351,7 +74,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
free_EncryptedData(&encdata);
if (ret)
@@ -366,7 +89,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
static krb5_error_code
add_padata(krb5_context context,
- METHOD_DATA *md,
+ METHOD_DATA *md,
krb5_principal client,
krb5_key_proc key_proc,
krb5_const_pointer keyseed,
@@ -378,11 +101,13 @@ add_padata(krb5_context context,
PA_DATA *pa2;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
-
+ size_t i;
+
if(salt == NULL) {
/* default to standard salt */
ret = krb5_get_pw_salt (context, client, &salt2);
+ if (ret)
+ return ret;
salt = &salt2;
}
if (!enctypes) {
@@ -393,7 +118,7 @@ add_padata(krb5_context context,
}
pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
if (pa2 == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
md->val = pa2;
@@ -440,13 +165,13 @@ init_as_req (krb5_context context,
a->req_body.cname = malloc(sizeof(*a->req_body.cname));
if (a->req_body.cname == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->req_body.sname = malloc(sizeof(*a->req_body.sname));
if (a->req_body.sname == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
@@ -463,7 +188,7 @@ init_as_req (krb5_context context,
a->req_body.from = malloc(sizeof(*a->req_body.from));
if (a->req_body.from == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.from = creds->times.starttime;
@@ -476,13 +201,14 @@ init_as_req (krb5_context context,
a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
if (a->req_body.rtime == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = nonce;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
@@ -499,7 +225,7 @@ init_as_req (krb5_context context,
a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
if (a->req_body.addresses == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
@@ -520,18 +246,18 @@ init_as_req (krb5_context context,
a->req_body.additional_tickets = NULL;
if(preauth != NULL) {
- int i;
+ size_t i;
ALLOC(a->padata, 1);
if(a->padata == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->padata->val = NULL;
a->padata->len = 0;
for(i = 0; i < preauth->len; i++) {
if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
- int j;
+ size_t j;
for(j = 0; j < preauth->val[i].info.len; j++) {
krb5_salt *sp = &salt;
@@ -546,8 +272,8 @@ init_as_req (krb5_context context,
sp = NULL;
else
krb5_data_zero(&salt.saltvalue);
- ret = add_padata(context, a->padata, creds->client,
- key_proc, keyseed,
+ ret = add_padata(context, a->padata, creds->client,
+ key_proc, keyseed,
&preauth->val[i].info.val[j].etype, 1,
sp);
if (ret == 0)
@@ -555,7 +281,7 @@ init_as_req (krb5_context context,
}
}
}
- } else
+ } else
/* not sure this is the way to use `ptypes' */
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
a->padata = NULL;
@@ -563,27 +289,28 @@ init_as_req (krb5_context context,
ALLOC(a->padata, 1);
if (a->padata == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->padata->len = 0;
a->padata->val = NULL;
/* make a v5 salted pa-data */
- add_padata(context, a->padata, creds->client,
+ add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, NULL);
-
+
/* make a v4 salted pa-data */
salt.salttype = KRB5_PW_SALT;
krb5_data_zero(&salt.saltvalue);
- add_padata(context, a->padata, creds->client,
+ add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, &salt);
} else {
- krb5_set_error_string (context, "pre-auth type %d not supported",
- *ptypes);
ret = KRB5_PREAUTH_BAD_TYPE;
+ krb5_set_error_message (context, ret,
+ N_("pre-auth type %d not supported", ""),
+ *ptypes);
goto fail;
}
return 0;
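Review bot: Both add_padata() calls in the KRB5_PADATA_ENC_TIMESTAMP branch of this hunk still discard the return value, while the same commit gives add_padata a new early return when krb5_get_pw_salt() fails. The first call passes NULL for the salt, so it can now fail before appending anything, and init_as_req would still reach `return 0` with partial or empty pa-data and no error recorded. If best effort is intended, say so with a comment such as `/* best effort: a failure only omits this pa-data */`; otherwise propagate it with `ret = add_padata(...); if (ret) goto fail;`. init_as_req starts and ends outside this hunk, so the cleanup done at `fail:` is not visible here.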
@@ -594,7 +321,7 @@ fail:
static int
set_ptypes(krb5_context context,
- KRB_ERROR *error,
+ KRB_ERROR *error,
const krb5_preauthtype **ptypes,
krb5_preauthdata **preauth)
{
@@ -603,10 +330,10 @@ set_ptypes(krb5_context context,
if(error->e_data) {
METHOD_DATA md;
- int i;
- decode_METHOD_DATA(error->e_data->data,
- error->e_data->length,
- &md,
+ size_t i;
+ decode_METHOD_DATA(error->e_data->data,
+ error->e_data->length,
+ &md,
NULL);
for(i = 0; i < md.len; i++){
switch(md.val[i].padata_type){
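Review bot: The result of decode_METHOD_DATA() is dropped, yet the loop right after it reads `md.len` and `md.val[i]`; `error->e_data` comes from a KRB-ERROR reply, which carries no integrity protection, so this is untrusted input. The loop is only safe if the decoder leaves `md` zeroed when it fails, which nothing in this hunk shows. Store the result (`ret = decode_METHOD_DATA(..., &md, NULL);`) and skip the loop when it is non-zero. The same applies to the decode_ETYPE_INFO() call in the next hunk (-617,11), whose return value is also discarded. set_ptypes continues outside this hunk.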
@@ -617,11 +344,10 @@ set_ptypes(krb5_context context,
*preauth = &preauth2;
ALLOC_SEQ(*preauth, 1);
(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
- krb5_decode_ETYPE_INFO(context,
- md.val[i].padata_value.data,
- md.val[i].padata_value.length,
- &(*preauth)->val[0].info,
- NULL);
+ decode_ETYPE_INFO(md.val[i].padata_value.data,
+ md.val[i].padata_value.length,
+ &(*preauth)->val[0].info,
+ NULL);
break;
default:
break;
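Review bot: `(*preauth)->val[0].type` is assigned immediately after ALLOC_SEQ with no check that the allocation produced a buffer. ALLOC_SEQ's definition is not on this page, but if it can leave `val` NULL on failure this is a NULL dereference on a path driven by the KDC's error reply. A guard before the assignment, for example `if ((*preauth)->val == NULL) break;`, would cover it; how set_ptypes should report the failure to its caller is not visible here.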
@@ -634,7 +360,7 @@ set_ptypes(krb5_context context,
return(1);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_cred(krb5_context context,
krb5_flags options,
const krb5_addresses *addrs,
@@ -647,12 +373,13 @@ krb5_get_in_cred(krb5_context context,
krb5_const_pointer decryptarg,
krb5_creds *creds,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
AS_REQ a;
krb5_kdc_rep rep;
krb5_data req, resp;
- size_t len;
+ size_t len = 0;
krb5_salt salt;
krb5_keyblock *key;
size_t size;
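Review bot: `KRB5_DEPRECATED_FUNCTION("Use X instead")` ships a placeholder, so the compiler warning tells callers nothing about what to migrate to. Name the actual replacement in the string, for example `KRB5_DEPRECATED_FUNCTION("Use krb5_get_init_creds_* instead")` if that family is the intended successor. The same placeholder is added to krb5_get_in_tkt in the later hunk (-811,9).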
@@ -725,7 +452,7 @@ krb5_get_in_cred(krb5_context context,
done = 0;
preauth = my_preauth;
krb5_free_error_contents(context, &error);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
continue;
}
if(ret_as_reply)
@@ -738,29 +465,29 @@ krb5_get_in_cred(krb5_context context,
}
krb5_data_free(&resp);
} while(!done);
-
+
pa = NULL;
etype = rep.kdc_rep.enc_part.etype;
if(rep.kdc_rep.padata){
int i = 0;
- pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
+ pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
KRB5_PADATA_PW_SALT, &i);
if(pa == NULL) {
i = 0;
- pa = krb5_find_padata(rep.kdc_rep.padata->val,
- rep.kdc_rep.padata->len,
+ pa = krb5_find_padata(rep.kdc_rep.padata->val,
+ rep.kdc_rep.padata->len,
KRB5_PADATA_AFS3_SALT, &i);
}
}
if(pa) {
- salt.salttype = pa->padata_type;
+ salt.salttype = (krb5_salttype)pa->padata_type;
salt.saltvalue = pa->padata_value;
-
+
ret = (*key_proc)(context, etype, salt, keyseed, &key);
} else {
/* make a v5 salted pa-data */
ret = krb5_get_pw_salt (context, creds->client, &salt);
-
+
if (ret)
goto out;
ret = (*key_proc)(context, etype, salt, keyseed, &key);
@@ -768,22 +495,22 @@ krb5_get_in_cred(krb5_context context,
}
if (ret)
goto out;
-
+
{
- unsigned flags = 0;
+ unsigned flags = EXTRACT_TICKET_TIMESYNC;
if (opts.request_anonymous)
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
- ret = _krb5_extract_ticket(context,
- &rep,
- creds,
- key,
- keyseed,
+ ret = _krb5_extract_ticket(context,
+ &rep,
+ creds,
+ key,
+ keyseed,
KRB5_KU_AS_REP_ENC_PART,
- NULL,
- nonce,
+ NULL,
+ nonce,
flags,
- decrypt_proc,
+ decrypt_proc,
decryptarg);
}
memset (key->keyvalue.data, 0, key->keyvalue.length);
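Review bot: `unsigned flags = EXTRACT_TICKET_TIMESYNC;` is now set unconditionally for every AS reply, with no comment on what it permits. In the _krb5_extract_ticket body this commit removes from this file, the clock offset was taken from `rep->enc_part.authtime` only when the reply was initial, `kdc_sec_offset` was 0 and `libdefaults`/`kdc_timesync` was true. The relocated function is not on this page, so confirm those gates still apply when the flag is set. A comment on the line would record the intent: `/* allow adopting the KDC clock offset from the AS-REP, subject to kdc_timesync */`.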
@@ -798,7 +525,7 @@ out:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt(krb5_context context,
krb5_flags options,
const krb5_addresses *addrs,
@@ -811,9 +538,10 @@ krb5_get_in_tkt(krb5_context context,
krb5_creds *creds,
krb5_ccache ccache,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
-
+
ret = krb5_get_in_cred (context,
options,
addrs,
@@ -826,9 +554,11 @@ krb5_get_in_tkt(krb5_context context,
decryptarg,
creds,
ret_as_reply);
- if(ret)
+ if(ret)
return ret;
if (ccache)
ret = krb5_cc_store_cred (context, ccache, creds);
return ret;
}
+
+#endif /* HEIMDAL_SMALLER */
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
deleted file mode 100644
index 21b27c61b47e..000000000000
--- a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_in_tkt_pw.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_password_key_proc (krb5_context context,
- krb5_enctype type,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key)
-{
- krb5_error_code ret;
- const char *password = (const char *)keyseed;
- char buf[BUFSIZ];
-
- *key = malloc (sizeof (**key));
- if (*key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- if (password == NULL) {
- if(UI_UTIL_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
- free (*key);
- krb5_clear_error_string(context);
- return KRB5_LIBOS_PWDINTR;
- }
- password = buf;
- }
- ret = krb5_string_to_key_salt (context, type, password, salt, *key);
- memset (buf, 0, sizeof(buf));
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_in_tkt_with_password (krb5_context context,
- krb5_flags options,
- krb5_addresses *addrs,
- const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types,
- const char *password,
- krb5_ccache ccache,
- krb5_creds *creds,
- krb5_kdc_rep *ret_as_reply)
-{
- return krb5_get_in_tkt (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- krb5_password_key_proc,
- password,
- NULL,
- NULL,
- creds,
- ccache,
- ret_as_reply);
-}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
deleted file mode 100644
index 52f95c4bc45e..000000000000
--- a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_in_tkt_with_keytab.c 15477 2005-06-17 04:56:44Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytab_key_proc (krb5_context context,
- krb5_enctype enctype,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key)
-{
- krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed);
- krb5_keytab keytab = args->keytab;
- krb5_principal principal = args->principal;
- krb5_error_code ret;
- krb5_keytab real_keytab;
- krb5_keytab_entry entry;
-
- if(keytab == NULL)
- krb5_kt_default(context, &real_keytab);
- else
- real_keytab = keytab;
-
- ret = krb5_kt_get_entry (context, real_keytab, principal,
- 0, enctype, &entry);
-
- if (keytab == NULL)
- krb5_kt_close (context, real_keytab);
-
- if (ret)
- return ret;
-
- ret = krb5_copy_keyblock (context, &entry.keyblock, key);
- krb5_kt_free_entry(context, &entry);
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_in_tkt_with_keytab (krb5_context context,
- krb5_flags options,
- krb5_addresses *addrs,
- const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types,
- krb5_keytab keytab,
- krb5_ccache ccache,
- krb5_creds *creds,
- krb5_kdc_rep *ret_as_reply)
-{
- krb5_keytab_key_proc_args a;
-
- a.principal = creds->client;
- a.keytab = keytab;
-
- return krb5_get_in_tkt (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- krb5_keytab_key_proc,
- &a,
- NULL,
- NULL,
- creds,
- ccache,
- ret_as_reply);
-}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
deleted file mode 100644
index 1936fa166458..000000000000
--- a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: get_in_tkt_with_skey.c 13863 2004-05-25 21:46:46Z lha $");
-
-static krb5_error_code
-krb5_skey_key_proc (krb5_context context,
- krb5_enctype type,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key)
-{
- return krb5_copy_keyblock (context, keyseed, key);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_in_tkt_with_skey (krb5_context context,
- krb5_flags options,
- krb5_addresses *addrs,
- const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types,
- const krb5_keyblock *key,
- krb5_ccache ccache,
- krb5_creds *creds,
- krb5_kdc_rep *ret_as_reply)
-{
- if(key == NULL)
- return krb5_get_in_tkt_with_keytab (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- NULL,
- ccache,
- creds,
- ret_as_reply);
- else
- return krb5_get_in_tkt (context,
- options,
- addrs,
- etypes,
- pre_auth_types,
- krb5_skey_key_proc,
- key,
- NULL,
- NULL,
- creds,
- ccache,
- ret_as_reply);
-}
diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c
index 85587ea76620..93d9433cd039 100644
--- a/crypto/heimdal/lib/krb5/get_port.c
+++ b/crypto/heimdal/lib/krb5/get_port.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: get_port.c 13863 2004-05-25 21:46:46Z lha $");
-
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_getportbyname (krb5_context context,
const char *service,
const char *proto,
@@ -45,7 +43,7 @@ krb5_getportbyname (krb5_context context,
if ((sp = roken_getservbyname (service, proto)) == NULL) {
#if 0
- krb5_warnx(context, "%s/%s unknown service, using default port %d",
+ krb5_warnx(context, "%s/%s unknown service, using default port %d",
service, proto, default_port);
#endif
return htons(default_port);
diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et
index 1b8ab49bc11e..c47f77092f13 100644
--- a/crypto/heimdal/lib/krb5/heim_err.et
+++ b/crypto/heimdal/lib/krb5/heim_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: heim_err.et 13352 2004-02-13 16:23:40Z lha $"
+id "$Id$"
error_table heim
@@ -17,6 +17,9 @@ error_code OPNOTSUPP, "Operation not supported"
error_code EOF, "End of file"
error_code BAD_MKEY, "Failed to get the master key"
error_code SERVICE_NOMATCH, "Unacceptable service used"
+error_code NOT_SEEKABLE, "File descriptor not seekable"
+error_code TOO_BIG, "Offset too large"
+error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding"
index 64
prefix HEIM_PKINIT
diff --git a/crypto/heimdal/lib/krb5/heim_threads.h b/crypto/heimdal/lib/krb5/heim_threads.h
deleted file mode 100644
index 3c27d13d81b9..000000000000
--- a/crypto/heimdal/lib/krb5/heim_threads.h
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: heim_threads.h 14409 2004-12-18 16:03:38Z lha $ */
-
-/*
- * Provide wrapper macros for thread synchronization primitives so we
- * can use native thread functions for those operating system that
- * supports it.
- *
- * This is so libkrb5.so (or more importantly, libgssapi.so) can have
- * thread support while the program that that dlopen(3)s the library
- * don't need to be linked to libpthread.
- */
-
-#ifndef HEIM_THREADS_H
-#define HEIM_THREADS_H 1
-
-/* assume headers already included */
-
-#if defined(__NetBSD__) && __NetBSD_Version__ >= 106120000 && __NetBSD_Version__< 299001200 && defined(ENABLE_PTHREAD_SUPPORT)
-
-/*
- * NetBSD have a thread lib that we can use that part of libc that
- * works regardless if application are linked to pthreads or not.
- * NetBSD newer then 2.99.11 just use pthread.h, and the same thing
- * will happen.
- */
-#include <threadlib.h>
-
-#define HEIMDAL_MUTEX mutex_t
-#define HEIMDAL_MUTEX_INITIALIZER MUTEX_INITIALIZER
-#define HEIMDAL_MUTEX_init(m) mutex_init(m, NULL)
-#define HEIMDAL_MUTEX_lock(m) mutex_lock(m)
-#define HEIMDAL_MUTEX_unlock(m) mutex_unlock(m)
-#define HEIMDAL_MUTEX_destroy(m) mutex_destroy(m)
-
-#define HEIMDAL_RWLOCK rwlock_t
-#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
-#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
-#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
-#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
-#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
-#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
-#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
-
-#define HEIMDAL_thread_key thread_key_t
-#define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0)
-#define HEIMDAL_setspecific(k,s,r) do { r = thr_setspecific(k,s); } while(0)
-#define HEIMDAL_getspecific(k) thr_getspecific(k)
-#define HEIMDAL_key_delete(k) thr_keydelete(k)
-
-#elif defined(ENABLE_PTHREAD_SUPPORT) && (!defined(__NetBSD__) || __NetBSD_Version__ >= 299001200)
-
-#include <pthread.h>
-
-#define HEIMDAL_MUTEX pthread_mutex_t
-#define HEIMDAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#define HEIMDAL_MUTEX_init(m) pthread_mutex_init(m, NULL)
-#define HEIMDAL_MUTEX_lock(m) pthread_mutex_lock(m)
-#define HEIMDAL_MUTEX_unlock(m) pthread_mutex_unlock(m)
-#define HEIMDAL_MUTEX_destroy(m) pthread_mutex_destroy(m)
-
-#define HEIMDAL_RWLOCK rwlock_t
-#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
-#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
-#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
-#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
-#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
-#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
-#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
-
-#define HEIMDAL_thread_key pthread_key_t
-#define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0)
-#define HEIMDAL_setspecific(k,s,r) do { r = pthread_setspecific(k,s); } while(0)
-#define HEIMDAL_getspecific(k) pthread_getspecific(k)
-#define HEIMDAL_key_delete(k) pthread_key_delete(k)
-
-#elif defined(HEIMDAL_DEBUG_THREADS)
-
-/* no threads support, just do consistency checks */
-#include <stdlib.h>
-
-#define HEIMDAL_MUTEX int
-#define HEIMDAL_MUTEX_INITIALIZER 0
-#define HEIMDAL_MUTEX_init(m) do { (*(m)) = 0; } while(0)
-#define HEIMDAL_MUTEX_lock(m) do { if ((*(m))++ != 0) abort(); } while(0)
-#define HEIMDAL_MUTEX_unlock(m) do { if ((*(m))-- != 1) abort(); } while(0)
-#define HEIMDAL_MUTEX_destroy(m) do {if ((*(m)) != 0) abort(); } while(0)
-
-#define HEIMDAL_RWLOCK rwlock_t int
-#define HEIMDAL_RWLOCK_INITIALIZER 0
-#define HEIMDAL_RWLOCK_init(l) do { } while(0)
-#define HEIMDAL_RWLOCK_rdlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_wrlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_trywrlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_unlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_destroy(l) do { } while(0)
-
-#define HEIMDAL_internal_thread_key 1
-
-#else /* no thread support, no debug case */
-
-#define HEIMDAL_MUTEX int
-#define HEIMDAL_MUTEX_INITIALIZER 0
-#define HEIMDAL_MUTEX_init(m) do { (void)(m); } while(0)
-#define HEIMDAL_MUTEX_lock(m) do { (void)(m); } while(0)
-#define HEIMDAL_MUTEX_unlock(m) do { (void)(m); } while(0)
-#define HEIMDAL_MUTEX_destroy(m) do { (void)(m); } while(0)
-
-#define HEIMDAL_RWLOCK rwlock_t int
-#define HEIMDAL_RWLOCK_INITIALIZER 0
-#define HEIMDAL_RWLOCK_init(l) do { } while(0)
-#define HEIMDAL_RWLOCK_rdlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_wrlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_trywrlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_unlock(l) do { } while(0)
-#define HEIMDAL_RWLOCK_destroy(l) do { } while(0)
-
-#define HEIMDAL_internal_thread_key 1
-
-#endif /* no thread support */
-
-#ifdef HEIMDAL_internal_thread_key
-
-typedef struct heim_thread_key {
- void *value;
- void (*destructor)(void *);
-} heim_thread_key;
-
-#define HEIMDAL_thread_key heim_thread_key
-#define HEIMDAL_key_create(k,d,r) \
- do { (k)->value = NULL; (k)->destructor = (d); r = 0; } while(0)
-#define HEIMDAL_setspecific(k,s,r) do { (k).value = s ; r = 0; } while(0)
-#define HEIMDAL_getspecific(k) ((k).value)
-#define HEIMDAL_key_delete(k) do { (*(k).destructor)((k).value); } while(0)
-
-#undef HEIMDAL_internal_thread_key
-#endif /* HEIMDAL_internal_thread_key */
-
-#endif /* HEIM_THREADS_H */
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
index a59c903bd9e1..25bef0f34045 100644
--- a/crypto/heimdal/lib/krb5/init_creds.c
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -1,8 +1,10 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,32 +35,41 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds.c 21711 2007-07-27 14:22:02Z lha $");
+#undef __attribute__
+#define __attribute__(x)
-void KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
-{
- memset (opt, 0, sizeof(*opt));
- opt->flags = 0;
- opt->opt_private = NULL;
-}
+/**
+ * @page krb5_init_creds_intro The initial credential handing functions
+ * @section section_krb5_init_creds Initial credential
+ *
+ * Functions to get initial credentials: @ref krb5_credential .
+ */
+
+/**
+ * Allocate a new krb5_get_init_creds_opt structure, free with
+ * krb5_get_init_creds_opt_free().
+ *
+ * @ingroup krb5_credential
+ */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_alloc(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_init_creds_opt_alloc(krb5_context context,
krb5_get_init_creds_opt **opt)
{
krb5_get_init_creds_opt *o;
-
+
*opt = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- krb5_get_init_creds_opt_init(o);
+
o->opt_private = calloc(1, sizeof(*o->opt_private));
if (o->opt_private == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
free(o);
return ENOMEM;
}
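Review bot: The added `#undef __attribute__` / `#define __attribute__(x)` pair near the top of this hunk has no comment, and it removes every attribute used in this translation unit, not just one. It presumably exists to silence the deprecation attribute behind `KRB5_DEPRECATED_FUNCTION`, which this file applies to functions it defines itself, but that is an inference; a comment such as `/* this file defines the deprecated entry points itself; drop attributes so the definitions do not warn */` would record the intent. Separately, both new error messages read "malloc: out of memory" while the failing call is `calloc`, which is harmless but slightly misleading when reading logs.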
@@ -67,69 +78,13 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
return 0;
}
-krb5_error_code
-_krb5_get_init_creds_opt_copy(krb5_context context,
- const krb5_get_init_creds_opt *in,
- krb5_get_init_creds_opt **out)
-{
- krb5_get_init_creds_opt *opt;
-
- *out = NULL;
- opt = calloc(1, sizeof(*opt));
- if (opt == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
- if (in)
- *opt = *in;
- if(opt->opt_private == NULL) {
- opt->opt_private = calloc(1, sizeof(*opt->opt_private));
- if (opt->opt_private == NULL) {
- krb5_set_error_string(context, "out of memory");
- free(opt);
- return ENOMEM;
- }
- opt->opt_private->refcount = 1;
- } else
- opt->opt_private->refcount++;
- *out = opt;
- return 0;
-}
-
-void KRB5_LIB_FUNCTION
-_krb5_get_init_creds_opt_free_krb5_error(krb5_get_init_creds_opt *opt)
-{
- if (opt->opt_private == NULL || opt->opt_private->error == NULL)
- return;
- free_KRB_ERROR(opt->opt_private->error);
- free(opt->opt_private->error);
- opt->opt_private->error = NULL;
-}
-
-void KRB5_LIB_FUNCTION
-_krb5_get_init_creds_opt_set_krb5_error(krb5_context context,
- krb5_get_init_creds_opt *opt,
- const KRB_ERROR *error)
-{
- krb5_error_code ret;
-
- if (opt->opt_private == NULL)
- return;
-
- _krb5_get_init_creds_opt_free_krb5_error(opt);
-
- opt->opt_private->error = malloc(sizeof(*opt->opt_private->error));
- if (opt->opt_private->error == NULL)
- return;
- ret = copy_KRB_ERROR(error, opt->opt_private->error);
- if (ret) {
- free(opt->opt_private->error);
- opt->opt_private->error = NULL;
- }
-}
-
+/**
+ * Free krb5_get_init_creds_opt structure.
+ *
+ * @ingroup krb5_credential
+ */
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_free(krb5_context context,
krb5_get_init_creds_opt *opt)
{
@@ -138,7 +93,6 @@ krb5_get_init_creds_opt_free(krb5_context context,
if (opt->opt_private->refcount < 1) /* abort ? */
return;
if (--opt->opt_private->refcount == 0) {
- _krb5_get_init_creds_opt_free_krb5_error(opt);
_krb5_get_init_creds_opt_free_pkinit(opt);
free(opt->opt_private);
}
@@ -172,20 +126,21 @@ get_config_time (krb5_context context,
static krb5_boolean
get_config_bool (krb5_context context,
+ krb5_boolean def_value,
const char *realm,
const char *name)
{
- return krb5_config_get_bool (context,
- NULL,
- "realms",
- realm,
- name,
- NULL)
- || krb5_config_get_bool (context,
- NULL,
- "libdefaults",
- name,
- NULL);
+ krb5_boolean b;
+
+ b = krb5_config_get_bool_default(context, NULL, def_value,
+ "realms", realm, name, NULL);
+ if (b != def_value)
+ return b;
+ b = krb5_config_get_bool_default (context, NULL, def_value,
+ "libdefaults", name, NULL);
+ if (b != def_value)
+ return b;
+ return def_value;
}
/*
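Review bot: The rewritten get_config_bool cannot tell "not configured" from "configured to the default value", because both lookups pass `def_value` and then test `b != def_value`. A `[realms]` entry that explicitly equals the default is therefore ignored, and a differing `[libdefaults]` entry wins over the more specific per-realm setting. For `forwardable` and `proxiable` that means a realm-level restriction can be overridden by a permissive global value, so tickets end up more delegable than the realm configuration asks for. Chaining the defaults gives realm > libdefaults > built-in precedence without the comparison: `b = krb5_config_get_bool_default(context, NULL, def_value, "libdefaults", name, NULL);` followed by `return krb5_config_get_bool_default(context, NULL, b, "realms", realm, name, NULL);`.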
@@ -195,7 +150,7 @@ get_config_bool (krb5_context context,
* [realms] or [libdefaults] for some of the values.
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_default_flags(krb5_context context,
const char *appname,
krb5_const_realm realm,
@@ -204,11 +159,12 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
krb5_boolean b;
time_t t;
- b = get_config_bool (context, realm, "forwardable");
+ b = get_config_bool (context, KRB5_FORWARDABLE_DEFAULT,
+ realm, "forwardable");
krb5_appdefault_boolean(context, appname, realm, "forwardable", b, &b);
krb5_get_init_creds_opt_set_forwardable(opt, b);
- b = get_config_bool (context, realm, "proxiable");
+ b = get_config_bool (context, FALSE, realm, "proxiable");
krb5_appdefault_boolean(context, appname, realm, "proxiable", b, &b);
krb5_get_init_creds_opt_set_proxiable (opt, b);
@@ -224,7 +180,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
if(t != 0)
krb5_get_init_creds_opt_set_renew_life(opt, t);
- krb5_appdefault_boolean(context, appname, realm, "no-addresses",
+ krb5_appdefault_boolean(context, appname, realm, "no-addresses",
KRB5_ADDRESSLESS_DEFAULT, &b);
krb5_get_init_creds_opt_set_addressless (context, opt, b);
@@ -245,7 +201,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
krb5_deltat tkt_life)
{
@@ -253,7 +209,7 @@ krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
opt->tkt_life = tkt_life;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
krb5_deltat renew_life)
{
@@ -261,7 +217,7 @@ krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
opt->renew_life = renew_life;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
int forwardable)
{
@@ -269,7 +225,7 @@ krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
opt->forwardable = forwardable;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
int proxiable)
{
@@ -277,7 +233,7 @@ krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
opt->proxiable = proxiable;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
krb5_enctype *etype_list,
int etype_list_length)
@@ -287,7 +243,7 @@ krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
opt->etype_list_length = etype_list_length;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
krb5_addresses *addresses)
{
@@ -295,7 +251,7 @@ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
opt->address_list = addresses;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
krb5_preauthtype *preauth_list,
int preauth_list_length)
@@ -305,7 +261,7 @@ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
opt->preauth_list = preauth_list;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
krb5_data *salt)
{
@@ -313,7 +269,7 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
opt->salt = salt;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
int anonymous)
{
@@ -327,13 +283,14 @@ require_ext_opt(krb5_context context,
const char *type)
{
if (opt->opt_private == NULL) {
- krb5_set_error_string(context, "%s on non extendable opt", type);
+ krb5_set_error_message(context, EINVAL,
+ N_("%s on non extendable opt", ""), type);
return EINVAL;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pa_password(krb5_context context,
krb5_get_init_creds_opt *opt,
const char *password,
@@ -348,7 +305,7 @@ krb5_get_init_creds_opt_set_pa_password(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pac_request(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_boolean req_pac)
@@ -363,36 +320,7 @@ krb5_get_init_creds_opt_set_pac_request(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_get_error(krb5_context context,
- krb5_get_init_creds_opt *opt,
- KRB_ERROR **error)
-{
- krb5_error_code ret;
-
- *error = NULL;
-
- ret = require_ext_opt(context, opt, "init_creds_opt_get_error");
- if (ret)
- return ret;
-
- if (opt->opt_private->error == NULL)
- return 0;
-
- *error = malloc(sizeof(**error));
- if (*error == NULL) {
- krb5_set_error_string(context, "malloc - out memory");
- return ENOMEM;
- }
-
- ret = copy_KRB_ERROR(opt->opt_private->error, *error);
- if (ret)
- krb5_clear_error_string(context);
-
- return 0;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_addressless(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_boolean addressless)
@@ -408,7 +336,7 @@ krb5_get_init_creds_opt_set_addressless(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_boolean req)
@@ -424,7 +352,7 @@ krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_win2k(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_boolean req)
@@ -433,10 +361,74 @@ krb5_get_init_creds_opt_set_win2k(krb5_context context,
ret = require_ext_opt(context, opt, "init_creds_opt_set_win2k");
if (ret)
return ret;
- if (req)
+ if (req) {
opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
- else
+ opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+ } else {
opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+ opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+ }
+ return 0;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_init_creds_opt_set_process_last_req(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_gic_process_last_req func,
+ void *ctx)
+{
+ krb5_error_code ret;
+ ret = require_ext_opt(context, opt, "init_creds_opt_set_win2k");
+ if (ret)
+ return ret;
+
+ opt->opt_private->lr.func = func;
+ opt->opt_private->lr.ctx = ctx;
+
+ return 0;
+}
+
+
+#ifndef HEIMDAL_SMALLER
+
+/**
+ * Deprecated: use krb5_get_init_creds_opt_alloc().
+ *
+ * The reason krb5_get_init_creds_opt_init() is deprecated is that
+ * krb5_get_init_creds_opt is a static structure and for ABI reason it
+ * can't grow, ie can't add new functionality.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ memset (opt, 0, sizeof(*opt));
+}
+
+/**
+ * Deprecated: use the new krb5_init_creds_init() and
+ * krb5_init_creds_get_error().
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_init_creds_opt_get_error(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ KRB_ERROR **error)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
+{
+ *error = calloc(1, sizeof(**error));
+ if (*error == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
return 0;
}
+#endif /* HEIMDAL_SMALLER */
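Review bot: krb5_get_init_creds_opt_set_process_last_req passes the copied string "init_creds_opt_set_win2k" to require_ext_opt, so the EINVAL message for a non-extendable opt names the wrong function; it should be `ret = require_ext_opt(context, opt, "init_creds_opt_set_process_last_req");`. In the same hunk, krb5_get_init_creds_opt_set_win2k now also sets `KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK`, which by its name relaxes an EKU check. A comment there saying which verification is skipped, and why Windows 2000 compatibility needs it, would tell callers what they give up by enabling the option. Both `KRB5_DEPRECATED_FUNCTION("Use X instead")` strings still carry the placeholder `X` although the doc comments above them already name the replacements. The deprecated krb5_get_init_creds_opt_get_error now always returns 0 with a zeroed KRB_ERROR, which is worth stating in its doc comment so callers do not mistake it for a recorded KDC error.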
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
index 441adff8fdf9..37f4147c372a 100644
--- a/crypto/heimdal/lib/krb5/init_creds_pw.c
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
@@ -1,47 +1,47 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c 21931 2007-08-27 14:11:55Z lha $");
-
typedef struct krb5_get_init_creds_ctx {
KDCOptions flags;
krb5_creds cred;
krb5_addresses *addrs;
krb5_enctype *etypes;
krb5_preauthtype *pre_auth_types;
- const char *in_tkt_service;
+ char *in_tkt_service;
unsigned nonce;
unsigned pk_nonce;
@@ -49,17 +49,53 @@ typedef struct krb5_get_init_creds_ctx {
AS_REQ as_req;
int pa_counter;
- const char *password;
- krb5_s2k_proc key_proc;
+ /* password and keytab_data is freed on completion */
+ char *password;
+ krb5_keytab_key_proc_args *keytab_data;
+
+ krb5_pointer *keyseed;
+ krb5_s2k_proc keyproc;
krb5_get_init_creds_tristate req_pac;
krb5_pk_init_ctx pk_init_ctx;
int ic_flags;
+
+ int used_pa_types;
+#define USED_PKINIT 1
+#define USED_PKINIT_W2K 2
+#define USED_ENC_TS_GUESS 4
+#define USED_ENC_TS_INFO 8
+
+ METHOD_DATA md;
+ KRB_ERROR error;
+ AS_REP as_rep;
+ EncKDCRepPart enc_part;
+
+ krb5_prompter_fct prompter;
+ void *prompter_data;
+
+ struct pa_info_data *ppaid;
+
} krb5_get_init_creds_ctx;
-static krb5_error_code
-default_s2k_func(krb5_context context, krb5_enctype type,
+
+struct pa_info_data {
+ krb5_enctype etype;
+ krb5_salt salt;
+ krb5_data *s2kparams;
+};
+
+static void
+free_paid(krb5_context context, struct pa_info_data *ppaid)
+{
+ krb5_free_salt(context, ppaid->salt);
+ if (ppaid->s2kparams)
+ krb5_free_data(context, ppaid->s2kparams);
+}
+
+static krb5_error_code KRB5_CALLCONV
+default_s2k_func(krb5_context context, krb5_enctype type,
krb5_const_pointer keyseed,
krb5_salt salt, krb5_data *s2kparms,
krb5_keyblock **key)
@@ -68,13 +104,15 @@ default_s2k_func(krb5_context context, krb5_enctype type,
krb5_data password;
krb5_data opaque;
+ _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func");
+
password.data = rk_UNCONST(keyseed);
password.length = strlen(keyseed);
if (s2kparms)
opaque = *s2kparms;
else
krb5_data_zero(&opaque);
-
+
*key = malloc(sizeof(**key));
if (*key == NULL)
return ENOMEM;
@@ -88,14 +126,32 @@ default_s2k_func(krb5_context context, krb5_enctype type,
}
static void
-free_init_creds_ctx(krb5_context context, krb5_get_init_creds_ctx *ctx)
+free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx)
{
if (ctx->etypes)
free(ctx->etypes);
if (ctx->pre_auth_types)
free (ctx->pre_auth_types);
+ if (ctx->in_tkt_service)
+ free(ctx->in_tkt_service);
+ if (ctx->keytab_data)
+ free(ctx->keytab_data);
+ if (ctx->password) {
+ memset(ctx->password, 0, strlen(ctx->password));
+ free(ctx->password);
+ }
+ krb5_data_free(&ctx->req_buffer);
+ krb5_free_cred_contents(context, &ctx->cred);
+ free_METHOD_DATA(&ctx->md);
+ free_AS_REP(&ctx->as_rep);
+ free_EncKDCRepPart(&ctx->enc_part);
+ free_KRB_ERROR(&ctx->error);
free_AS_REQ(&ctx->as_req);
- memset(&ctx->as_req, 0, sizeof(ctx->as_req));
+ if (ctx->ppaid) {
+ free_paid(context, ctx->ppaid);
+ free(ctx->ppaid);
+ }
+ memset(ctx, 0, sizeof(*ctx));
}
static int
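Review bot: The password wipe `memset(ctx->password, 0, strlen(ctx->password));` is followed directly by `free(ctx->password)`, so the compiler may drop it as a dead store and leave the cleartext password in freed heap memory. Use a wipe the optimizer cannot remove, for example `explicit_bzero(ctx->password, strlen(ctx->password));` where the platform provides it, or the project's own secure-zero helper if one exists. `keytab_data` is freed without being cleared; whether it can hold key material is not visible in this hunk, but if it can, it needs the same treatment. The `if (p) free(p);` guards added here are redundant, since `free(NULL)` is a no-op.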
@@ -127,18 +183,16 @@ init_cred (krb5_context context,
krb5_creds *cred,
krb5_principal client,
krb5_deltat start_time,
- const char *in_tkt_service,
krb5_get_init_creds_opt *options)
{
krb5_error_code ret;
- krb5_const_realm client_realm;
int tmp;
krb5_timestamp now;
krb5_timeofday (context, &now);
memset (cred, 0, sizeof(*cred));
-
+
if (client)
krb5_copy_principal(context, client, &cred->client);
else {
@@ -148,8 +202,6 @@ init_cred (krb5_context context,
goto out;
}
- client_realm = krb5_principal_get_realm (context, cred->client);
-
if (start_time)
cred->times.starttime = now + start_time;
@@ -164,22 +216,6 @@ init_cred (krb5_context context,
cred->times.renew_till = now + options->renew_life;
}
- if (in_tkt_service) {
- krb5_realm server_realm;
-
- ret = krb5_parse_name (context, in_tkt_service, &cred->server);
- if (ret)
- goto out;
- server_realm = strdup (client_realm);
- free (*krb5_princ_realm(context, cred->server));
- krb5_princ_set_realm (context, cred->server, &server_realm);
- } else {
- ret = krb5_make_principal(context, &cred->server,
- client_realm, KRB5_TGS_NAME, client_realm,
- NULL);
- if (ret)
- goto out;
- }
return 0;
out:
@@ -198,29 +234,73 @@ report_expiration (krb5_context context,
const char *str,
time_t now)
{
- char *p;
-
- asprintf (&p, "%s%s", str, ctime(&now));
- (*prompter) (context, data, NULL, p, 0, NULL);
- free (p);
+ char *p = NULL;
+
+ if (asprintf(&p, "%s%s", str, ctime(&now)) < 0 || p == NULL)
+ return;
+ (*prompter)(context, data, NULL, p, 0, NULL);
+ free(p);
}
/*
- * Parse the last_req data and show it to the user if it's interesting
+ * Check the context, and in the case there is a expiration warning,
+ * use the prompter to print the warning.
+ *
+ * @param context A Kerberos 5 context.
+ * @param options An GIC options structure
+ * @param ctx The krb5_init_creds_context check for expiration.
*/
-static void
-print_expire (krb5_context context,
- krb5_const_realm realm,
- krb5_kdc_rep *rep,
- krb5_prompter_fct prompter,
- krb5_data *data)
+static krb5_error_code
+process_last_request(krb5_context context,
+ krb5_get_init_creds_opt *options,
+ krb5_init_creds_context ctx)
{
- int i;
- LastReq *lr = &rep->enc_part.last_req;
+ krb5_const_realm realm;
+ LastReq *lr;
+ krb5_boolean reported = FALSE;
krb5_timestamp sec;
time_t t;
- krb5_boolean reported = FALSE;
+ size_t i;
+
+ /*
+ * First check if there is a API consumer.
+ */
+
+ realm = krb5_principal_get_realm (context, ctx->cred.client);
+ lr = &ctx->enc_part.last_req;
+
+ if (options && options->opt_private && options->opt_private->lr.func) {
+ krb5_last_req_entry **lre;
+
+ lre = calloc(lr->len + 1, sizeof(**lre));
+ if (lre == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ for (i = 0; i < lr->len; i++) {
+ lre[i] = calloc(1, sizeof(*lre[i]));
+ if (lre[i] == NULL)
+ break;
+ lre[i]->lr_type = lr->val[i].lr_type;
+ lre[i]->value = lr->val[i].lr_value;
+ }
+
+ (*options->opt_private->lr.func)(context, lre,
+ options->opt_private->lr.ctx);
+
+ for (i = 0; i < lr->len; i++)
+ free(lre[i]);
+ free(lre);
+ }
+
+ /*
+ * Now check if we should prompt the user
+ */
+
+ if (ctx->prompter == NULL)
+ return 0;
krb5_timeofday (context, &sec);
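Review bot: In process_last_request, a failed per-entry `calloc` inside the copy loop only does `break`, so the registered last-req callback is handed a silently truncated list and the function still returns 0. That callback is how an application learns about password or account expiry, so dropped entries should surface as ENOMEM, the way the outer allocation failure already does. The outer allocation also sizes the pointer array with `sizeof(**lre)` (the entry struct) instead of `sizeof(*lre)` (a pointer), which over-allocates rather than overflows but is not what the code means. The callback's return value is also discarded; whether `krb5_gic_process_last_req` returns one is not visible here. The function body continues past the end of this hunk.

```c
	lre = calloc(lr->len + 1, sizeof(*lre));
	/* … unchanged: NULL check on lre, ENOMEM return … */
	for (i = 0; i < lr->len; i++) {
	    lre[i] = calloc(1, sizeof(*lre[i]));
	    if (lre[i] == NULL) {
		/* Release what was built so far and report the failure. */
		while (i > 0)
		    free(lre[--i]);
		free(lre);
		krb5_set_error_message(context, ENOMEM,
				       N_("malloc: out of memory", ""));
		return ENOMEM;
	    }
	    /* … unchanged: copy lr_type and lr_value into lre[i] … */
	}
```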
@@ -233,13 +313,15 @@ print_expire (krb5_context context,
if (lr->val[i].lr_value <= t) {
switch (abs(lr->val[i].lr_type)) {
case LR_PW_EXPTIME :
- report_expiration(context, prompter, data,
+ report_expiration(context, ctx->prompter,
+ ctx->prompter_data,
"Your password will expire at ",
lr->val[i].lr_value);
reported = TRUE;
break;
case LR_ACCT_EXPTIME :
- report_expiration(context, prompter, data,
+ report_expiration(context, ctx->prompter,
+ ctx->prompter_data,
"Your account will expire at ",
lr->val[i].lr_value);
reported = TRUE;
@@ -249,12 +331,14 @@ print_expire (krb5_context context,
}
if (!reported
- && rep->enc_part.key_expiration
- && *rep->enc_part.key_expiration <= t) {
- report_expiration(context, prompter, data,
+ && ctx->enc_part.key_expiration
+ && *ctx->enc_part.key_expiration <= t) {
+ report_expiration(context, ctx->prompter,
+ ctx->prompter_data,
"Your password/account will expire at ",
- *rep->enc_part.key_expiration);
+ *ctx->enc_part.key_expiration);
}
+ return 0;
}
static krb5_addresses no_addrs = { 0, NULL };
@@ -263,11 +347,10 @@ static krb5_error_code
get_init_creds_common(krb5_context context,
krb5_principal client,
krb5_deltat start_time,
- const char *in_tkt_service,
krb5_get_init_creds_opt *options,
- krb5_get_init_creds_ctx *ctx)
+ krb5_init_creds_context ctx)
{
- krb5_get_init_creds_opt default_opt;
+ krb5_get_init_creds_opt *default_opt = NULL;
krb5_error_code ret;
krb5_enctype *etypes;
krb5_preauthtype *pre_auth_types;
@@ -275,37 +358,51 @@ get_init_creds_common(krb5_context context,
memset(ctx, 0, sizeof(*ctx));
if (options == NULL) {
- krb5_get_init_creds_opt_init (&default_opt);
- options = &default_opt;
- } else {
- _krb5_get_init_creds_opt_free_krb5_error(options);
+ const char *realm = krb5_principal_get_realm(context, client);
+
+ krb5_get_init_creds_opt_alloc (context, &default_opt);
+ options = default_opt;
+ krb5_get_init_creds_opt_set_default_flags(context, NULL, realm, options);
}
if (options->opt_private) {
- ctx->password = options->opt_private->password;
- ctx->key_proc = options->opt_private->key_proc;
+ if (options->opt_private->password) {
+ ret = krb5_init_creds_set_password(context, ctx,
+ options->opt_private->password);
+ if (ret)
+ goto out;
+ }
+
+ ctx->keyproc = options->opt_private->key_proc;
ctx->req_pac = options->opt_private->req_pac;
ctx->pk_init_ctx = options->opt_private->pk_init_ctx;
ctx->ic_flags = options->opt_private->flags;
} else
ctx->req_pac = KRB5_INIT_CREDS_TRISTATE_UNSET;
- if (ctx->key_proc == NULL)
- ctx->key_proc = default_s2k_func;
+ if (ctx->keyproc == NULL)
+ ctx->keyproc = default_s2k_func;
- if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
+ /* Enterprise name implicitly turns on canonicalize */
+ if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
+ krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
ctx->flags.canonicalize = 1;
ctx->pre_auth_types = NULL;
ctx->addrs = NULL;
ctx->etypes = NULL;
ctx->pre_auth_types = NULL;
- ctx->in_tkt_service = in_tkt_service;
- ret = init_cred (context, &ctx->cred, client, start_time,
- in_tkt_service, options);
- if (ret)
+ ret = init_cred(context, &ctx->cred, client, start_time, options);
+ if (ret) {
+ if (default_opt)
+ krb5_get_init_creds_opt_free(context, default_opt);
return ret;
+ }
+
+ ret = krb5_init_creds_set_service(context, ctx, NULL);
+ if (ret)
+ goto out;
if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
ctx->flags.forwardable = options->forwardable;
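Review bot: The return value of `krb5_get_init_creds_opt_alloc` is not checked in the `options == NULL` branch, so on allocation failure `default_opt` stays NULL and `options` becomes NULL. Both `krb5_get_init_creds_opt_set_default_flags` and the following `options->opt_private` test then work on a null pointer. change_password in this same commit already checks the call, and the same pattern fits here: `ret = krb5_get_init_creds_opt_alloc(context, &default_opt); if (ret) return ret;`. Separately, the early `return ret` after `init_cred` fails frees `default_opt` but not the password copy that `krb5_init_creds_set_password` may have stored in `ctx` a few lines earlier. The function continues outside the hunk.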
@@ -337,11 +434,15 @@ get_init_creds_common(krb5_context context,
}
}
if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
+ if (ctx->etypes)
+ free(ctx->etypes);
+
etypes = malloc((options->etype_list_length + 1)
* sizeof(krb5_enctype));
if (etypes == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
memcpy (etypes, options->etype_list,
options->etype_list_length * sizeof(krb5_enctype));
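Review bot: `ctx->etypes` is freed but not cleared before the `malloc`, so the new `goto out` on allocation failure would leave the context holding a pointer to freed memory. The field is set to NULL earlier in this function, so the branch looks unreachable today, but any later cleanup of the context's members would double-free if that changes. `free(NULL)` is a no-op, so the guard can be dropped: `free(ctx->etypes); ctx->etypes = NULL;`. The size expression `(options->etype_list_length + 1) * sizeof(krb5_enctype)` is also not checked for overflow; whether the length is bounded elsewhere is not visible here.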
@@ -352,19 +453,24 @@ get_init_creds_common(krb5_context context,
pre_auth_types = malloc((options->preauth_list_length + 1)
* sizeof(krb5_preauthtype));
if (pre_auth_types == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
}
memcpy (pre_auth_types, options->preauth_list,
options->preauth_list_length * sizeof(krb5_preauthtype));
pre_auth_types[options->preauth_list_length] = KRB5_PADATA_NONE;
ctx->pre_auth_types = pre_auth_types;
}
- if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
- ; /* XXX */
if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
ctx->flags.request_anonymous = options->anonymous;
+ if (default_opt)
+ krb5_get_init_creds_opt_free(context, default_opt);
return 0;
+ out:
+ if (default_opt)
+ krb5_get_init_creds_opt_free(context, default_opt);
+ return ret;
}
static krb5_error_code
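Review bot: The new `out:` path releases only `default_opt`, so members already stored in `ctx` stay allocated: the `etypes` array when the `pre_auth_types` allocation fails, `ctx->cred`, and the password copy made by `krb5_init_creds_set_password`. The caller added later in this diff, `krb5_init_creds_init`, handles a failure with a bare `free(ctx)`, so these would leak and the password copy would remain in heap memory without being wiped. Calling `free_init_creds_ctx(context, ctx);` before `return ret;` would cover this, assuming that helper frees only the members and tolerates a partially filled context; its body is not in view.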
@@ -386,18 +492,20 @@ change_password (krb5_context context,
krb5_data result_code_string;
krb5_data result_string;
char *p;
- krb5_get_init_creds_opt options;
+ krb5_get_init_creds_opt *options;
memset (&cpw_cred, 0, sizeof(cpw_cred));
- krb5_get_init_creds_opt_init (&options);
- krb5_get_init_creds_opt_set_tkt_life (&options, 60);
- krb5_get_init_creds_opt_set_forwardable (&options, FALSE);
- krb5_get_init_creds_opt_set_proxiable (&options, FALSE);
+ ret = krb5_get_init_creds_opt_alloc(context, &options);
+ if (ret)
+ return ret;
+ krb5_get_init_creds_opt_set_tkt_life (options, 60);
+ krb5_get_init_creds_opt_set_forwardable (options, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (options, FALSE);
if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
- krb5_get_init_creds_opt_set_preauth_list (&options,
+ krb5_get_init_creds_opt_set_preauth_list (options,
old_options->preauth_list,
- old_options->preauth_list_length);
+ old_options->preauth_list_length);
krb5_data_zero (&result_code_string);
krb5_data_zero (&result_string);
@@ -410,7 +518,8 @@ change_password (krb5_context context,
data,
0,
"kadmin/changepw",
- &options);
+ options);
+ krb5_get_init_creds_opt_free(context, options);
if (ret)
goto out;
@@ -444,28 +553,36 @@ change_password (krb5_context context,
memset (buf1, 0, sizeof(buf1));
memset (buf2, 0, sizeof(buf2));
}
-
- ret = krb5_change_password (context,
- &cpw_cred,
- buf1,
- &result_code,
- &result_code_string,
- &result_string);
+
+ ret = krb5_set_password (context,
+ &cpw_cred,
+ buf1,
+ client,
+ &result_code,
+ &result_code_string,
+ &result_string);
if (ret)
goto out;
- asprintf (&p, "%s: %.*s\n",
- result_code ? "Error" : "Success",
- (int)result_string.length,
- result_string.length > 0 ? (char*)result_string.data : "");
+ if (asprintf(&p, "%s: %.*s\n",
+ result_code ? "Error" : "Success",
+ (int)result_string.length,
+ result_string.length > 0 ? (char*)result_string.data : "") < 0)
+ {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ /* return the result */
+ (*prompter) (context, data, NULL, p, 0, NULL);
- ret = (*prompter) (context, data, NULL, p, 0, NULL);
free (p);
if (result_code == 0) {
strlcpy (newpw, buf1, newpw_sz);
ret = 0;
} else {
- krb5_set_error_string (context, "failed changing password");
ret = ENOTTY;
+ krb5_set_error_message(context, ret,
+ N_("failed changing password", ""));
}
out:
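Review bot: The new `asprintf` failure branch jumps to `out` with `ret = ENOMEM` after `krb5_set_password` has already returned success. When `result_code` is 0 the password has presumably been changed on the server, yet `newpw` is never filled and the caller is told the operation failed. The formatted text is only needed for the prompter call, so consider skipping the prompter when `asprintf` fails and still falling through to the `result_code` check. The branch also sets no error text, unlike the other ENOMEM paths in this commit, which use `krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));`. change_password starts and ends outside the hunk.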
@@ -477,7 +594,8 @@ out:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keyblock_key_proc (krb5_context context,
krb5_keytype type,
krb5_data *salt,
@@ -487,68 +605,17 @@ krb5_keyblock_key_proc (krb5_context context,
return krb5_copy_keyblock (context, keyseed, key);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_keytab(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_keytab keytab,
- krb5_deltat start_time,
- const char *in_tkt_service,
- krb5_get_init_creds_opt *options)
-{
- krb5_get_init_creds_ctx ctx;
- krb5_error_code ret;
- krb5_keytab_key_proc_args *a;
-
- ret = get_init_creds_common(context, client, start_time,
- in_tkt_service, options, &ctx);
- if (ret)
- goto out;
-
- a = malloc (sizeof(*a));
- if (a == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto out;
- }
- a->principal = ctx.cred.client;
- a->keytab = keytab;
-
- ret = krb5_get_in_cred (context,
- KDCOptions2int(ctx.flags),
- ctx.addrs,
- ctx.etypes,
- ctx.pre_auth_types,
- NULL,
- krb5_keytab_key_proc,
- a,
- NULL,
- NULL,
- &ctx.cred,
- NULL);
- free (a);
-
- if (ret == 0 && creds)
- *creds = ctx.cred;
- else
- krb5_free_cred_contents (context, &ctx.cred);
-
- out:
- free_init_creds_ctx(context, &ctx);
- return ret;
-}
-
/*
*
*/
static krb5_error_code
-init_creds_init_as_req (krb5_context context,
- KDCOptions opts,
- const krb5_creds *creds,
- const krb5_addresses *addrs,
- const krb5_enctype *etypes,
- AS_REQ *a)
+init_as_req (krb5_context context,
+ KDCOptions opts,
+ const krb5_creds *creds,
+ const krb5_addresses *addrs,
+ const krb5_enctype *etypes,
+ AS_REQ *a)
{
krb5_error_code ret;
@@ -560,13 +627,13 @@ init_creds_init_as_req (krb5_context context,
a->req_body.cname = malloc(sizeof(*a->req_body.cname));
if (a->req_body.cname == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->req_body.sname = malloc(sizeof(*a->req_body.sname));
if (a->req_body.sname == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
@@ -585,7 +652,7 @@ init_creds_init_as_req (krb5_context context,
a->req_body.from = malloc(sizeof(*a->req_body.from));
if (a->req_body.from == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.from = creds->times.starttime;
@@ -598,13 +665,14 @@ init_creds_init_as_req (krb5_context context,
a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
if (a->req_body.rtime == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = 0;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
@@ -621,7 +689,7 @@ init_creds_init_as_req (krb5_context context,
a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
if (a->req_body.addresses == NULL) {
ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
@@ -650,20 +718,6 @@ init_creds_init_as_req (krb5_context context,
return ret;
}
-struct pa_info_data {
- krb5_enctype etype;
- krb5_salt salt;
- krb5_data *s2kparams;
-};
-
-static void
-free_paid(krb5_context context, struct pa_info_data *ppaid)
-{
- krb5_free_salt(context, ppaid->salt);
- if (ppaid->s2kparams)
- krb5_free_data(context, ppaid->s2kparams);
-}
-
static krb5_error_code
set_paid(struct pa_info_data *paid, krb5_context context,
@@ -675,7 +729,7 @@ set_paid(struct pa_info_data *paid, krb5_context context,
paid->salt.salttype = salttype;
paid->salt.saltvalue.data = malloc(salt_len + 1);
if (paid->salt.saltvalue.data == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
memcpy(paid->salt.saltvalue.data, salt_string, salt_len);
@@ -686,7 +740,7 @@ set_paid(struct pa_info_data *paid, krb5_context context,
ret = krb5_copy_data(context, s2kparams, &paid->s2kparams);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
krb5_free_salt(context, paid->salt);
return ret;
}
@@ -698,15 +752,15 @@ set_paid(struct pa_info_data *paid, krb5_context context,
static struct pa_info_data *
pa_etype_info2(krb5_context context,
- const krb5_principal client,
+ const krb5_principal client,
const AS_REQ *asreq,
- struct pa_info_data *paid,
+ struct pa_info_data *paid,
heim_octet_string *data)
{
krb5_error_code ret;
ETYPE_INFO2 e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
@@ -728,7 +782,7 @@ pa_etype_info2(krb5_context context,
if (ret == 0)
ret = set_paid(paid, context, e.val[i].etype,
KRB5_PW_SALT,
- salt.saltvalue.data,
+ salt.saltvalue.data,
salt.saltvalue.length,
e.val[i].s2kparams);
if (e.val[i].salt == NULL)
@@ -747,7 +801,7 @@ pa_etype_info2(krb5_context context,
static struct pa_info_data *
pa_etype_info(krb5_context context,
- const krb5_principal client,
+ const krb5_principal client,
const AS_REQ *asreq,
struct pa_info_data *paid,
heim_octet_string *data)
@@ -755,7 +809,7 @@ pa_etype_info(krb5_context context,
krb5_error_code ret;
ETYPE_INFO e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
@@ -779,7 +833,7 @@ pa_etype_info(krb5_context context,
if (ret == 0) {
ret = set_paid(paid, context, e.val[i].etype,
salt.salttype,
- salt.saltvalue.data,
+ salt.saltvalue.data,
salt.saltvalue.length,
NULL);
if (e.val[i].salt == NULL)
@@ -799,7 +853,7 @@ pa_etype_info(krb5_context context,
static struct pa_info_data *
pa_pw_or_afs3_salt(krb5_context context,
- const krb5_principal client,
+ const krb5_principal client,
const AS_REQ *asreq,
struct pa_info_data *paid,
heim_octet_string *data)
@@ -807,10 +861,10 @@ pa_pw_or_afs3_salt(krb5_context context,
krb5_error_code ret;
if (paid->etype == ENCTYPE_NULL)
return NULL;
- ret = set_paid(paid, context,
+ ret = set_paid(paid, context,
paid->etype,
paid->salt.salttype,
- data->data,
+ data->data,
data->length,
NULL);
if (ret)
@@ -822,9 +876,9 @@ pa_pw_or_afs3_salt(krb5_context context,
struct pa_info {
krb5_preauthtype type;
struct pa_info_data *(*salt_info)(krb5_context,
- const krb5_principal,
+ const krb5_principal,
const AS_REQ *,
- struct pa_info_data *,
+ struct pa_info_data *,
heim_octet_string *);
};
@@ -834,11 +888,11 @@ static struct pa_info pa_prefs[] = {
{ KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt },
{ KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt }
};
-
+
static PA_DATA *
-find_pa_data(const METHOD_DATA *md, int type)
+find_pa_data(const METHOD_DATA *md, unsigned type)
{
- int i;
+ size_t i;
if (md == NULL)
return NULL;
for (i = 0; i < md->len; i++)
@@ -848,20 +902,20 @@ find_pa_data(const METHOD_DATA *md, int type)
}
static struct pa_info_data *
-process_pa_info(krb5_context context,
- const krb5_principal client,
+process_pa_info(krb5_context context,
+ const krb5_principal client,
const AS_REQ *asreq,
struct pa_info_data *paid,
METHOD_DATA *md)
{
struct pa_info_data *p = NULL;
- int i;
+ size_t i;
for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
if (pa == NULL)
continue;
- paid->salt.salttype = pa_prefs[i].type;
+ paid->salt.salttype = (krb5_salttype)pa_prefs[i].type;
p = (*pa_prefs[i].salt_info)(context, client, asreq,
paid, &pa->padata_value);
}
@@ -869,19 +923,19 @@ process_pa_info(krb5_context context,
}
static krb5_error_code
-make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
+make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
krb5_enctype etype, krb5_keyblock *key)
{
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
int usec2;
krb5_crypto crypto;
-
+
krb5_us_timeofday (context, &p.patimestamp, &usec);
usec2 = usec;
p.pausec = &usec2;
@@ -897,7 +951,7 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
free(buf);
return ret;
}
- ret = krb5_encrypt_EncryptedData(context,
+ ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
buf,
@@ -908,7 +962,7 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
free_EncryptedData(&encdata);
if (ret)
@@ -924,9 +978,9 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
static krb5_error_code
add_enc_ts_padata(krb5_context context,
- METHOD_DATA *md,
+ METHOD_DATA *md,
krb5_principal client,
- krb5_s2k_proc key_proc,
+ krb5_s2k_proc keyproc,
krb5_const_pointer keyseed,
krb5_enctype *enctypes,
unsigned netypes,
@@ -936,11 +990,13 @@ add_enc_ts_padata(krb5_context context,
krb5_error_code ret;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
-
+ size_t i;
+
if(salt == NULL) {
/* default to standard salt */
ret = krb5_get_pw_salt (context, client, &salt2);
+ if (ret)
+ return ret;
salt = &salt2;
}
if (!enctypes) {
@@ -953,8 +1009,10 @@ add_enc_ts_padata(krb5_context context,
for (i = 0; i < netypes; ++i) {
krb5_keyblock *key;
- ret = (*key_proc)(context, enctypes[i], keyseed,
- *salt, s2kparams, &key);
+ _krb5_debug(context, 5, "krb5_get_init_creds: using ENC-TS with enctype %d", enctypes[i]);
+
+ ret = (*keyproc)(context, enctypes[i], keyseed,
+ *salt, s2kparams, &key);
if (ret)
continue;
ret = make_pa_enc_timestamp (context, md, enctypes[i], key);
@@ -975,29 +1033,31 @@ pa_data_to_md_ts_enc(krb5_context context,
struct pa_info_data *ppaid,
METHOD_DATA *md)
{
- if (ctx->key_proc == NULL || ctx->password == NULL)
+ if (ctx->keyproc == NULL || ctx->keyseed == NULL)
return 0;
if (ppaid) {
- add_enc_ts_padata(context, md, client,
- ctx->key_proc, ctx->password,
+ add_enc_ts_padata(context, md, client,
+ ctx->keyproc, ctx->keyseed,
&ppaid->etype, 1,
&ppaid->salt, ppaid->s2kparams);
} else {
krb5_salt salt;
-
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: pa-info not found, guessing salt");
+
/* make a v5 salted pa-data */
- add_enc_ts_padata(context, md, client,
- ctx->key_proc, ctx->password,
- a->req_body.etype.val, a->req_body.etype.len,
+ add_enc_ts_padata(context, md, client,
+ ctx->keyproc, ctx->keyseed,
+ a->req_body.etype.val, a->req_body.etype.len,
NULL, NULL);
-
+
/* make a v4 salted pa-data */
salt.salttype = KRB5_PW_SALT;
krb5_data_zero(&salt.saltvalue);
- add_enc_ts_padata(context, md, client,
- ctx->key_proc, ctx->password,
- a->req_body.etype.val, a->req_body.etype.len,
+ add_enc_ts_padata(context, md, client,
+ ctx->keyproc, ctx->keyseed,
+ a->req_body.etype.val, a->req_body.etype.len,
&salt, NULL);
}
return 0;
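Review bot: All three `add_enc_ts_padata` calls discard the return value and the function ends with `return 0`, so a key-derivation or encoding failure yields an AS-REQ without ENC-TS padata and no error. The loop detection added to process_pa_data_to_md in this commit still records the ENC-TS attempt as used after this call, so the next round would presumably fail with KRB5_GET_IN_TKT_LOOP rather than the real cause. Consider propagating the result: `return add_enc_ts_padata(...)` in the `ppaid` branch, and in the guess branch fail only if both attempts fail. The function starts and ends outside the hunk.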
@@ -1014,7 +1074,7 @@ pa_data_to_key_plain(krb5_context context,
{
krb5_error_code ret;
- ret = (*ctx->key_proc)(context, etype, ctx->password,
+ ret = (*ctx->keyproc)(context, etype, ctx->keyseed,
salt, s2kparams, key);
return ret;
}
@@ -1024,6 +1084,7 @@ static krb5_error_code
pa_data_to_md_pkinit(krb5_context context,
const AS_REQ *a,
const krb5_principal client,
+ int win2k,
krb5_get_init_creds_ctx *ctx,
METHOD_DATA *md)
{
@@ -1031,12 +1092,15 @@ pa_data_to_md_pkinit(krb5_context context,
return 0;
#ifdef PKINIT
return _krb5_pk_mk_padata(context,
- ctx->pk_init_ctx,
- &a->req_body,
- ctx->pk_nonce,
- md);
+ ctx->pk_init_ctx,
+ ctx->ic_flags,
+ win2k,
+ &a->req_body,
+ ctx->pk_nonce,
+ md);
#else
- krb5_set_error_string(context, "no support for PKINIT compiled in");
+ krb5_set_error_message(context, EINVAL,
+ N_("no support for PKINIT compiled in", ""));
return EINVAL;
#endif
}
@@ -1046,11 +1110,11 @@ pa_data_add_pac_request(krb5_context context,
krb5_get_init_creds_ctx *ctx,
METHOD_DATA *md)
{
- size_t len, length;
+ size_t len = 0, length;
krb5_error_code ret;
PA_PAC_REQUEST req;
void *buf;
-
+
switch (ctx->req_pac) {
case KRB5_INIT_CREDS_TRISTATE_UNSET:
return 0; /* don't bother */
@@ -1059,9 +1123,9 @@ pa_data_add_pac_request(krb5_context context,
break;
case KRB5_INIT_CREDS_TRISTATE_FALSE:
req.include_pac = 0;
- }
+ }
- ASN1_MALLOC_ENCODE(PA_PAC_REQUEST, buf, length,
+ ASN1_MALLOC_ENCODE(PA_PAC_REQUEST, buf, length,
&req, &len, ret);
if (ret)
return ret;
@@ -1093,12 +1157,19 @@ process_pa_data_to_md(krb5_context context,
ALLOC(*out_md, 1);
if (*out_md == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
(*out_md)->len = 0;
(*out_md)->val = NULL;
-
+
+ if (_krb5_have_debug(context, 5)) {
+ unsigned i;
+ _krb5_debug(context, 5, "KDC send %d patypes", in_md->len);
+ for (i = 0; i < in_md->len; i++)
+ _krb5_debug(context, 5, "KDC send PA-DATA type: %d", in_md->val[i].padata_type);
+ }
+
/*
* Make sure we don't sent both ENC-TS and PK-INIT pa data, no
* need to expose our password protecting our PKCS12 key.
@@ -1106,21 +1177,62 @@ process_pa_data_to_md(krb5_context context,
if (ctx->pk_init_ctx) {
- ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
+ _krb5_debug(context, 5, "krb5_get_init_creds: "
+ "prepareing PKINIT padata (%s)",
+ (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
+
+ if (ctx->used_pa_types & USED_PKINIT_W2K) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried pkinit, looping");
+ return KRB5_GET_IN_TKT_LOOP;
+ }
+
+ ret = pa_data_to_md_pkinit(context, a, creds->client,
+ (ctx->used_pa_types & USED_PKINIT),
+ ctx, *out_md);
if (ret)
return ret;
+ if (ctx->used_pa_types & USED_PKINIT)
+ ctx->used_pa_types |= USED_PKINIT_W2K;
+ else
+ ctx->used_pa_types |= USED_PKINIT;
+
} else if (in_md->len != 0) {
- struct pa_info_data paid, *ppaid;
-
- memset(&paid, 0, sizeof(paid));
-
- paid.etype = ENCTYPE_NULL;
- ppaid = process_pa_info(context, creds->client, a, &paid, in_md);
-
+ struct pa_info_data *paid, *ppaid;
+ unsigned flag;
+
+ paid = calloc(1, sizeof(*paid));
+
+ paid->etype = ENCTYPE_NULL;
+ ppaid = process_pa_info(context, creds->client, a, paid, in_md);
+
+ if (ppaid)
+ flag = USED_ENC_TS_INFO;
+ else
+ flag = USED_ENC_TS_GUESS;
+
+ if (ctx->used_pa_types & flag) {
+ if (ppaid)
+ free_paid(context, ppaid);
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried ENC-TS-%s, looping",
+ flag == USED_ENC_TS_INFO ? "info" : "guess");
+ return KRB5_GET_IN_TKT_LOOP;
+ }
+
pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
- if (ppaid)
- free_paid(context, ppaid);
+
+ ctx->used_pa_types |= flag;
+
+ if (ppaid) {
+ if (ctx->ppaid) {
+ free_paid(context, ctx->ppaid);
+ free(ctx->ppaid);
+ }
+ ctx->ppaid = ppaid;
+ } else
+ free(paid);
}
pa_data_add_pac_request(context, ctx, *out_md);
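Review bot: `paid = calloc(1, sizeof(*paid));` is dereferenced on the next line without a NULL check, so an allocation failure crashes here instead of returning ENOMEM. The early `return KRB5_GET_IN_TKT_LOOP` path calls at most `free_paid` and never `free(paid)`, so the heap struct leaks on every detected loop, with or without pa-info. `*out_md`, allocated earlier in the function, also appears to be left to the caller on these returns. The excerpt below adds the check and the missing free; it assumes, as the later `ctx->ppaid = ppaid` / `free(paid)` pair suggests, that a non-NULL `ppaid` aliases `paid`. The function starts and ends outside the hunk.

```c
paid = calloc(1, sizeof(*paid));
if (paid == NULL) {
    krb5_set_error_message(context, ENOMEM,
                           N_("malloc: out of memory", ""));
    return ENOMEM;
}
/* … unchanged: process_pa_info call and flag selection … */
if (ctx->used_pa_types & flag) {
    if (ppaid)
        free_paid(context, ppaid);
    free(paid);
    /* … unchanged: set the KRB5_GET_IN_TKT_LOOP message and return … */
}
```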
@@ -1138,7 +1250,7 @@ process_pa_data_to_key(krb5_context context,
krb5_get_init_creds_ctx *ctx,
krb5_creds *creds,
AS_REQ *a,
- krb5_kdc_rep *rep,
+ AS_REP *rep,
const krb5_krbhst_info *hi,
krb5_keyblock **key)
{
@@ -1149,38 +1261,43 @@ process_pa_data_to_key(krb5_context context,
memset(&paid, 0, sizeof(paid));
- etype = rep->kdc_rep.enc_part.etype;
+ etype = rep->enc_part.etype;
- if (rep->kdc_rep.padata) {
+ if (rep->padata) {
paid.etype = etype;
- ppaid = process_pa_info(context, creds->client, a, &paid,
- rep->kdc_rep.padata);
+ ppaid = process_pa_info(context, creds->client, a, &paid,
+ rep->padata);
}
+ if (ppaid == NULL)
+ ppaid = ctx->ppaid;
if (ppaid == NULL) {
ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
if (ret)
return ret;
paid.etype = etype;
paid.s2kparams = NULL;
+ ppaid = &paid;
}
pa = NULL;
- if (rep->kdc_rep.padata) {
+ if (rep->padata) {
int idx = 0;
- pa = krb5_find_padata(rep->kdc_rep.padata->val,
- rep->kdc_rep.padata->len,
+ pa = krb5_find_padata(rep->padata->val,
+ rep->padata->len,
KRB5_PADATA_PK_AS_REP,
&idx);
if (pa == NULL) {
idx = 0;
- pa = krb5_find_padata(rep->kdc_rep.padata->val,
- rep->kdc_rep.padata->len,
+ pa = krb5_find_padata(rep->padata->val,
+ rep->padata->len,
KRB5_PADATA_PK_AS_REP_19,
&idx);
}
}
if (pa && ctx->pk_init_ctx) {
#ifdef PKINIT
+ _krb5_debug(context, 5, "krb5_get_init_creds: using PKINIT");
+
ret = _krb5_pk_rd_pa_reply(context,
a->req_body.realm,
ctx->pk_init_ctx,
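Review bot: The new fallback `if (ppaid == NULL) ppaid = ctx->ppaid;` has no comment, and the order of preference is not obvious: pa-info in the AS-REP, then the pa-info cached from the previous round, then the default salt. A comment above it such as `/* no pa-info in the reply: reuse salt/s2kparams cached by process_pa_data_to_md */` would help. The comment should also say that `ppaid` may now point at memory owned by `ctx`, so it must not be passed to `free_paid` in this function. The hunk ends before the cleanup, which continues in the next hunk with `free_paid(context, &paid)`.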
@@ -1191,124 +1308,442 @@ process_pa_data_to_key(krb5_context context,
pa,
key);
#else
- krb5_set_error_string(context, "no support for PKINIT compiled in");
ret = EINVAL;
+ krb5_set_error_message(context, ret, N_("no support for PKINIT compiled in", ""));
#endif
- } else if (ctx->password)
- ret = pa_data_to_key_plain(context, creds->client, ctx,
- paid.salt, paid.s2kparams, etype, key);
- else {
- krb5_set_error_string(context, "No usable pa data type");
+ } else if (ctx->keyseed) {
+ _krb5_debug(context, 5, "krb5_get_init_creds: using keyproc");
+ ret = pa_data_to_key_plain(context, creds->client, ctx,
+ ppaid->salt, ppaid->s2kparams, etype, key);
+ } else {
ret = EINVAL;
+ krb5_set_error_message(context, ret, N_("No usable pa data type", ""));
}
free_paid(context, &paid);
return ret;
}
-static krb5_error_code
-init_cred_loop(krb5_context context,
- krb5_get_init_creds_opt *init_cred_opts,
- const krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_get_init_creds_ctx *ctx,
- krb5_creds *creds,
- krb5_kdc_rep *ret_as_reply)
+/**
+ * Start a new context to get a new initial credential.
+ *
+ * @param context A Kerberos 5 context.
+ * @param client The Kerberos principal to get the credential for, if
+ * NULL is given, the default principal is used as determined by
+ * krb5_get_default_principal().
+ * @param prompter
+ * @param prompter_data
+ * @param start_time the time the ticket should start to be valid or 0 for now.
+ * @param options a options structure, can be NULL for default options.
+ * @param rctx A new allocated free with krb5_init_creds_free().
+ *
+ * @return 0 for success or an Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_init(krb5_context context,
+ krb5_principal client,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_deltat start_time,
+ krb5_get_init_creds_opt *options,
+ krb5_init_creds_context *rctx)
{
+ krb5_init_creds_context ctx;
krb5_error_code ret;
- krb5_kdc_rep rep;
- METHOD_DATA md;
- krb5_data resp;
- size_t len;
- size_t size;
- krb5_krbhst_info *hi = NULL;
- krb5_sendto_ctx stctx = NULL;
-
-
- memset(&md, 0, sizeof(md));
- memset(&rep, 0, sizeof(rep));
- _krb5_get_init_creds_opt_free_krb5_error(init_cred_opts);
+ *rctx = NULL;
- if (ret_as_reply)
- memset(ret_as_reply, 0, sizeof(*ret_as_reply));
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
- ret = init_creds_init_as_req(context, ctx->flags, creds,
- ctx->addrs, ctx->etypes, &ctx->as_req);
- if (ret)
+ ret = get_init_creds_common(context, client, start_time, options, ctx);
+ if (ret) {
+ free(ctx);
return ret;
-
- ret = krb5_sendto_ctx_alloc(context, &stctx);
- if (ret)
- goto out;
- krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+ }
/* Set a new nonce. */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
- ctx->nonce &= 0xffffffff;
+ ctx->nonce &= 0x7fffffff;
/* XXX these just needs to be the same when using Windows PK-INIT */
ctx->pk_nonce = ctx->nonce;
+ ctx->prompter = prompter;
+ ctx->prompter_data = prompter_data;
+
+ *rctx = ctx;
+
+ return ret;
+}
+
+/**
+ * Sets the service that the is requested. This call is only neede for
+ * special initial tickets, by default the a krbtgt is fetched in the default realm.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx a krb5_init_creds_context context.
+ * @param service the service given as a string, for example
+ * "kadmind/admin". If NULL, the default krbtgt in the clients
+ * realm is set.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_service(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *service)
+{
+ krb5_const_realm client_realm;
+ krb5_principal principal;
+ krb5_error_code ret;
+
+ client_realm = krb5_principal_get_realm (context, ctx->cred.client);
+
+ if (service) {
+ ret = krb5_parse_name (context, service, &principal);
+ if (ret)
+ return ret;
+ krb5_principal_set_realm (context, principal, client_realm);
+ } else {
+ ret = krb5_make_principal(context, &principal,
+ client_realm, KRB5_TGS_NAME, client_realm,
+ NULL);
+ if (ret)
+ return ret;
+ }
+
/*
- * Increase counter when we want other pre-auth types then
- * KRB5_PA_ENC_TIMESTAMP.
+ * This is for Windows RODC that are picky about what name type
+ * the server principal have, and the really strange part is that
+ * they are picky about the AS-REQ name type and not the TGS-REQ
+ * later. Oh well.
*/
-#define MAX_PA_COUNTER 3
- ctx->pa_counter = 0;
- while (ctx->pa_counter < MAX_PA_COUNTER) {
+ if (krb5_principal_is_krbtgt(context, principal))
+ krb5_principal_set_type(context, principal, KRB5_NT_SRV_INST);
+
+ krb5_free_principal(context, ctx->cred.server);
+ ctx->cred.server = principal;
+
+ return 0;
+}
- ctx->pa_counter++;
+/**
+ * Sets the password that will use for the request.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param password the password to use.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
- if (ctx->as_req.padata) {
- free_METHOD_DATA(ctx->as_req.padata);
- free(ctx->as_req.padata);
- ctx->as_req.padata = NULL;
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_password(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *password)
+{
+ if (ctx->password) {
+ memset(ctx->password, 0, strlen(ctx->password));
+ free(ctx->password);
+ }
+ if (password) {
+ ctx->password = strdup(password);
+ if (ctx->password == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
}
+ ctx->keyseed = (void *) ctx->password;
+ } else {
+ ctx->keyseed = NULL;
+ ctx->password = NULL;
+ }
- /* Set a new nonce. */
- ctx->as_req.req_body.nonce = ctx->nonce;
+ return 0;
+}
- /* fill_in_md_data */
- ret = process_pa_data_to_md(context, creds, &ctx->as_req, ctx,
- &md, &ctx->as_req.padata,
- prompter, prompter_data);
- if (ret)
- goto out;
+static krb5_error_code KRB5_CALLCONV
+keytab_key_proc(krb5_context context, krb5_enctype enctype,
+ krb5_const_pointer keyseed,
+ krb5_salt salt, krb5_data *s2kparms,
+ krb5_keyblock **key)
+{
+ krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed);
+ krb5_keytab keytab = args->keytab;
+ krb5_principal principal = args->principal;
+ krb5_error_code ret;
+ krb5_keytab real_keytab;
+ krb5_keytab_entry entry;
+
+ if(keytab == NULL)
+ krb5_kt_default(context, &real_keytab);
+ else
+ real_keytab = keytab;
- krb5_data_free(&ctx->req_buffer);
+ ret = krb5_kt_get_entry (context, real_keytab, principal,
+ 0, enctype, &entry);
- ASN1_MALLOC_ENCODE(AS_REQ,
- ctx->req_buffer.data, ctx->req_buffer.length,
- &ctx->as_req, &len, ret);
- if (ret)
- goto out;
- if(len != ctx->req_buffer.length)
- krb5_abortx(context, "internal error in ASN.1 encoder");
+ if (keytab == NULL)
+ krb5_kt_close (context, real_keytab);
- ret = krb5_sendto_context (context, stctx, &ctx->req_buffer,
- creds->client->realm, &resp);
- if (ret)
- goto out;
+ if (ret)
+ return ret;
+
+ ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+ krb5_kt_free_entry(context, &entry);
+ return ret;
+}
+
+
+/**
+ * Set the keytab to use for authentication.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param keytab the keytab to read the key from.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_keytab(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_keytab keytab)
+{
+ krb5_keytab_key_proc_args *a;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ krb5_enctype *etypes = NULL;
+ krb5_error_code ret;
+ size_t netypes = 0;
+ int kvno = 0;
+
+ a = malloc(sizeof(*a));
+ if (a == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ a->principal = ctx->cred.client;
+ a->keytab = keytab;
+
+ ctx->keytab_data = a;
+ ctx->keyseed = (void *)a;
+ ctx->keyproc = keytab_key_proc;
+
+ /*
+ * We need to the KDC what enctypes we support for this keytab,
+ * esp if the keytab is really a password based entry, then the
+ * KDC might have more enctypes in the database then what we have
+ * in the keytab.
+ */
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if(ret)
+ goto out;
+
+ while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0){
+ void *ptr;
+
+ if (!krb5_principal_compare(context, entry.principal, ctx->cred.client))
+ goto next;
+
+ /* check if we ahve this kvno already */
+ if (entry.vno > kvno) {
+ /* remove old list of etype */
+ if (etypes)
+ free(etypes);
+ etypes = NULL;
+ netypes = 0;
+ kvno = entry.vno;
+ } else if (entry.vno != kvno)
+ goto next;
+
+ /* check if enctype is supported */
+ if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
+ goto next;
+
+ /* add enctype to supported list */
+ ptr = realloc(etypes, sizeof(etypes[0]) * (netypes + 2));
+ if (ptr == NULL)
+ goto next;
+
+ etypes = ptr;
+ etypes[netypes] = entry.keyblock.keytype;
+ etypes[netypes + 1] = ETYPE_NULL;
+ netypes++;
+ next:
+ krb5_kt_free_entry(context, &entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
- memset (&rep, 0, sizeof(rep));
- ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
+ if (etypes) {
+ if (ctx->etypes)
+ free(ctx->etypes);
+ ctx->etypes = etypes;
+ }
+
+ out:
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+keyblock_key_proc(krb5_context context, krb5_enctype enctype,
+ krb5_const_pointer keyseed,
+ krb5_salt salt, krb5_data *s2kparms,
+ krb5_keyblock **key)
+{
+ return krb5_copy_keyblock (context, keyseed, key);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_keyblock(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_keyblock *keyblock)
+{
+ ctx->keyseed = (void *)keyblock;
+ ctx->keyproc = keyblock_key_proc;
+
+ return 0;
+}
+
+/**
+ * The core loop if krb5_get_init_creds() function family. Create the
+ * packets and have the caller send them off to the KDC.
+ *
+ * If the caller want all work been done for them, use
+ * krb5_init_creds_get() instead.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param in input data from KDC, first round it should be reset by krb5_data_zer().
+ * @param out reply to KDC.
+ * @param hostinfo KDC address info, first round it can be NULL.
+ * @param flags status of the round, if
+ * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see
+ * krb5_get_error_message().
+ *
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_data *in,
+ krb5_data *out,
+ krb5_krbhst_info *hostinfo,
+ unsigned int *flags)
+{
+ krb5_error_code ret;
+ size_t len = 0;
+ size_t size;
+
+ krb5_data_zero(out);
+
+ if (ctx->as_req.req_body.cname == NULL) {
+ ret = init_as_req(context, ctx->flags, &ctx->cred,
+ ctx->addrs, ctx->etypes, &ctx->as_req);
+ if (ret) {
+ free_init_creds_ctx(context, ctx);
+ return ret;
+ }
+ }
+
+#define MAX_PA_COUNTER 10
+ if (ctx->pa_counter > MAX_PA_COUNTER) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ N_("Looping %d times while getting "
+ "initial credentials", ""),
+ ctx->pa_counter);
+ return KRB5_GET_IN_TKT_LOOP;
+ }
+ ctx->pa_counter++;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: loop %d", ctx->pa_counter);
+
+ /* Lets process the input packet */
+ if (in && in->length) {
+ krb5_kdc_rep rep;
+
+ memset(&rep, 0, sizeof(rep));
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: processing input");
+
+ ret = decode_AS_REP(in->data, in->length, &rep.kdc_rep, &size);
if (ret == 0) {
- krb5_data_free(&resp);
- krb5_clear_error_string(context);
- break;
+ krb5_keyblock *key = NULL;
+ unsigned eflags = EXTRACT_TICKET_AS_REQ | EXTRACT_TICKET_TIMESYNC;
+
+ if (ctx->flags.canonicalize) {
+ eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+ eflags |= EXTRACT_TICKET_MATCH_REALM;
+ }
+ if (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK)
+ eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
+
+ ret = process_pa_data_to_key(context, ctx, &ctx->cred,
+ &ctx->as_req, &rep.kdc_rep, hostinfo, &key);
+ if (ret) {
+ free_AS_REP(&rep.kdc_rep);
+ goto out;
+ }
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: extracting ticket");
+
+ ret = _krb5_extract_ticket(context,
+ &rep,
+ &ctx->cred,
+ key,
+ NULL,
+ KRB5_KU_AS_REP_ENC_PART,
+ NULL,
+ ctx->nonce,
+ eflags,
+ NULL,
+ NULL);
+ krb5_free_keyblock(context, key);
+
+ *flags = 0;
+
+ if (ret == 0)
+ ret = copy_EncKDCRepPart(&rep.enc_part, &ctx->enc_part);
+
+ free_AS_REP(&rep.kdc_rep);
+ free_EncASRepPart(&rep.enc_part);
+
+ return ret;
+
} else {
/* let's try to parse it as a KRB-ERROR */
- KRB_ERROR error;
- ret = krb5_rd_error(context, &resp, &error);
- if(ret && resp.data && ((char*)resp.data)[0] == 4)
+ _krb5_debug(context, 5, "krb5_get_init_creds: got an error");
+
+ free_KRB_ERROR(&ctx->error);
+
+ ret = krb5_rd_error(context, in, &ctx->error);
+ if(ret && in->length && ((char*)in->data)[0] == 4)
ret = KRB5KRB_AP_ERR_V4_REPLY;
- krb5_data_free(&resp);
- if (ret)
+ if (ret) {
+ _krb5_debug(context, 5, "krb5_get_init_creds: failed to read error");
goto out;
+ }
+
+ ret = krb5_error_from_rd_error(context, &ctx->error, &ctx->cred);
- ret = krb5_error_from_rd_error(context, &error, creds);
+ _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d", ret);
/*
* If no preauth was set and KDC requires it, give it one
@@ -1316,223 +1751,212 @@ init_cred_loop(krb5_context context,
*/
if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) {
- free_METHOD_DATA(&md);
- memset(&md, 0, sizeof(md));
- if (error.e_data) {
- ret = decode_METHOD_DATA(error.e_data->data,
- error.e_data->length,
- &md,
+ free_METHOD_DATA(&ctx->md);
+ memset(&ctx->md, 0, sizeof(ctx->md));
+
+ if (ctx->error.e_data) {
+ ret = decode_METHOD_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ &ctx->md,
NULL);
if (ret)
- krb5_set_error_string(context,
- "failed to decode METHOD DATA");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode METHOD-DATA", ""));
} else {
- /* XXX guess what the server want here add add md */
+ krb5_set_error_message(context, ret,
+ N_("Preauth required but no preauth "
+ "options send by KDC", ""));
}
- krb5_free_error_contents(context, &error);
- if (ret)
+ } else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
+ /*
+ * Try adapt to timeskrew when we are using pre-auth, and
+ * if there was a time skew, try again.
+ */
+ krb5_set_real_time(context, ctx->error.stime, -1);
+ if (context->kdc_sec_offset)
+ ret = 0;
+
+ _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
+ context->kdc_sec_offset);
+
+ ctx->used_pa_types = 0;
+
+ } else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) {
+ /* client referal to a new realm */
+
+ if (ctx->error.crealm == NULL) {
+ krb5_set_error_message(context, ret,
+ N_("Got a client referral, not but no realm", ""));
goto out;
- } else {
- _krb5_get_init_creds_opt_set_krb5_error(context,
- init_cred_opts,
- &error);
- if (ret_as_reply)
- rep.error = error;
- else
- krb5_free_error_contents(context, &error);
- goto out;
+ }
+ _krb5_debug(context, 5,
+ "krb5_get_init_creds: got referal to realm %s",
+ *ctx->error.crealm);
+
+ ret = krb5_principal_set_realm(context,
+ ctx->cred.client,
+ *ctx->error.crealm);
+
+ ctx->used_pa_types = 0;
}
+ if (ret)
+ goto out;
}
}
- {
- krb5_keyblock *key = NULL;
- unsigned flags = 0;
-
- if (ctx->flags.request_anonymous)
- flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
- if (ctx->flags.canonicalize) {
- flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
- flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
- flags |= EXTRACT_TICKET_MATCH_REALM;
- }
-
- ret = process_pa_data_to_key(context, ctx, creds,
- &ctx->as_req, &rep, hi, &key);
- if (ret)
- goto out;
-
- ret = _krb5_extract_ticket(context,
- &rep,
- creds,
- key,
- NULL,
- KRB5_KU_AS_REP_ENC_PART,
- NULL,
- ctx->nonce,
- flags,
- NULL,
- NULL);
- krb5_free_keyblock(context, key);
+ if (ctx->as_req.padata) {
+ free_METHOD_DATA(ctx->as_req.padata);
+ free(ctx->as_req.padata);
+ ctx->as_req.padata = NULL;
}
- /*
- * Verify referral data
- */
- if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) &&
- (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) == 0)
- {
- PA_ClientCanonicalized canon;
- krb5_crypto crypto;
- krb5_data data;
- PA_DATA *pa;
- size_t len;
-
- pa = find_pa_data(rep.kdc_rep.padata, KRB5_PADATA_CLIENT_CANONICALIZED);
- if (pa == NULL) {
- ret = EINVAL;
- krb5_set_error_string(context, "Client canonicalizion not signed");
- goto out;
- }
-
- ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
- pa->padata_value.length,
- &canon, &len);
- if (ret) {
- krb5_set_error_string(context, "Failed to decode "
- "PA_ClientCanonicalized");
- goto out;
- }
- ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
- &canon.names, &len, ret);
- if (ret)
- goto out;
- if (data.length != len)
- krb5_abortx(context, "internal asn.1 error");
+ /* Set a new nonce. */
+ ctx->as_req.req_body.nonce = ctx->nonce;
- ret = krb5_crypto_init(context, &creds->session, 0, &crypto);
- if (ret) {
- free(data.data);
- free_PA_ClientCanonicalized(&canon);
- goto out;
- }
+ /* fill_in_md_data */
+ ret = process_pa_data_to_md(context, &ctx->cred, &ctx->as_req, ctx,
+ &ctx->md, &ctx->as_req.padata,
+ ctx->prompter, ctx->prompter_data);
+ if (ret)
+ goto out;
- ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
- data.data, data.length,
- &canon.canon_checksum);
- krb5_crypto_destroy(context, crypto);
- free(data.data);
- free_PA_ClientCanonicalized(&canon);
- if (ret) {
- krb5_set_error_string(context, "Failed to verify "
- "client canonicalized data");
- goto out;
- }
- }
-out:
- if (stctx)
- krb5_sendto_ctx_free(context, stctx);
krb5_data_free(&ctx->req_buffer);
- free_METHOD_DATA(&md);
- memset(&md, 0, sizeof(md));
- if (ret == 0 && ret_as_reply)
- *ret_as_reply = rep;
- else
- krb5_free_kdc_rep (context, &rep);
+ ASN1_MALLOC_ENCODE(AS_REQ,
+ ctx->req_buffer.data, ctx->req_buffer.length,
+ &ctx->as_req, &len, ret);
+ if (ret)
+ goto out;
+ if(len != ctx->req_buffer.length)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ out->data = ctx->req_buffer.data;
+ out->length = ctx->req_buffer.length;
+
+ *flags = KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
+
+ return 0;
+ out:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_prompter_fct prompter,
- void *data,
- krb5_deltat start_time,
- const char *in_tkt_service,
- krb5_get_init_creds_opt *options)
+/**
+ * Extract the newly acquired credentials from krb5_init_creds_context
+ * context.
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx
+ * @param cred credentials, free with krb5_free_cred_contents().
+ *
+ * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_creds(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_creds *cred)
{
- krb5_get_init_creds_ctx ctx;
- krb5_kdc_rep kdc_reply;
- krb5_error_code ret;
- char buf[BUFSIZ];
- int done;
+ return krb5_copy_creds_contents(context, &ctx->cred, cred);
+}
+
+/**
+ * Get the last error from the transaction.
+ *
+ * @return Returns 0 or an error code
+ *
+ * @ingroup krb5_credential
+ */
- memset(&kdc_reply, 0, sizeof(kdc_reply));
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_error(krb5_context context,
+ krb5_init_creds_context ctx,
+ KRB_ERROR *error)
+{
+ krb5_error_code ret;
- ret = get_init_creds_common(context, client, start_time,
- in_tkt_service, options, &ctx);
+ ret = copy_KRB_ERROR(&ctx->error, error);
if (ret)
- goto out;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- done = 0;
- while(!done) {
- memset(&kdc_reply, 0, sizeof(kdc_reply));
-
- ret = init_cred_loop(context,
- options,
- prompter,
- data,
- &ctx,
- &ctx.cred,
- &kdc_reply);
-
- switch (ret) {
- case 0 :
- done = 1;
- break;
- case KRB5KDC_ERR_KEY_EXPIRED :
- /* try to avoid recursion */
+ return ret;
+}
- /* don't try to change password where then where none */
- if (prompter == NULL || ctx.password == NULL)
- goto out;
+/**
+ * Free the krb5_init_creds_context allocated by krb5_init_creds_init().
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx The krb5_init_creds_context to free.
+ *
+ * @ingroup krb5_credential
+ */
- krb5_clear_error_string (context);
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_init_creds_free(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ free_init_creds_ctx(context, ctx);
+ free(ctx);
+}
- if (ctx.in_tkt_service != NULL
- && strcmp (ctx.in_tkt_service, "kadmin/changepw") == 0)
- goto out;
+/**
+ * Get new credentials as setup by the krb5_init_creds_context.
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx The krb5_init_creds_context to process.
+ *
+ * @ingroup krb5_credential
+ */
- ret = change_password (context,
- client,
- ctx.password,
- buf,
- sizeof(buf),
- prompter,
- data,
- options);
- if (ret)
- goto out;
- ctx.password = buf;
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_sendto_ctx stctx = NULL;
+ krb5_krbhst_info *hostinfo = NULL;
+ krb5_error_code ret;
+ krb5_data in, out;
+ unsigned int flags = 0;
+
+ krb5_data_zero(&in);
+ krb5_data_zero(&out);
+
+ ret = krb5_sendto_ctx_alloc(context, &stctx);
+ if (ret)
+ goto out;
+ krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+
+ while (1) {
+ flags = 0;
+ ret = krb5_init_creds_step(context, ctx, &in, &out, hostinfo, &flags);
+ krb5_data_free(&in);
+ if (ret)
+ goto out;
+
+ if ((flags & 1) == 0)
break;
- default:
+
+ ret = krb5_sendto_context (context, stctx, &out,
+ ctx->cred.client->realm, &in);
+ if (ret)
goto out;
- }
- }
- if (prompter)
- print_expire (context,
- krb5_principal_get_realm (context, ctx.cred.client),
- &kdc_reply,
- prompter,
- data);
+ }
out:
- memset (buf, 0, sizeof(buf));
- free_init_creds_ctx(context, &ctx);
- krb5_free_kdc_rep (context, &kdc_reply);
- if (ret == 0)
- *creds = ctx.cred;
- else
- krb5_free_cred_contents (context, &ctx.cred);
+ if (stctx)
+ krb5_sendto_ctx_free(context, stctx);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Get new credentials using password.
+ *
+ * @ingroup krb5_credential
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_password(krb5_context context,
krb5_creds *creds,
krb5_principal client,
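Review bot: In the `KRB5KRB_AP_ERR_SKEW` branch of krb5_init_creds_step, `krb5_set_real_time(context, ctx->error.stime, -1)` adopts a clock offset taken from a KRB-ERROR that nothing visible in this hunk authenticates, and the code does not say that this trust is intended. The `context->kdc_sec_offset == 0` guard means an offset already in place is not overwritten, but a reader cannot tell that this is the deliberate bound. I would add above the call `/* stime comes from an unauthenticated KRB-ERROR; only adopted while no offset is set yet */`. krb5_init_creds_step starts before this hunk.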
@@ -1541,29 +1965,23 @@ krb5_get_init_creds_password(krb5_context context,
void *data,
krb5_deltat start_time,
const char *in_tkt_service,
- krb5_get_init_creds_opt *in_options)
+ krb5_get_init_creds_opt *options)
{
- krb5_get_init_creds_opt *options;
+ krb5_init_creds_context ctx;
char buf[BUFSIZ];
krb5_error_code ret;
+ int chpw = 0;
- if (in_options == NULL) {
- const char *realm = krb5_principal_get_realm(context, client);
- ret = krb5_get_init_creds_opt_alloc(context, &options);
- if (ret == 0)
- krb5_get_init_creds_opt_set_default_flags(context,
- NULL,
- realm,
- options);
- } else
- ret = _krb5_get_init_creds_opt_copy(context, in_options, &options);
+ again:
+ ret = krb5_init_creds_init(context, client, prompter, data, start_time, options, &ctx);
if (ret)
- return ret;
+ goto out;
- if (password == NULL &&
- options->opt_private->password == NULL &&
- options->opt_private->pk_init_ctx == NULL)
- {
+ ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
+ if (ret)
+ goto out;
+
+ if (prompter != NULL && ctx->password == NULL && password == NULL) {
krb5_prompt prompt;
krb5_data password_data;
char *p, *q;
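Review bot: `krb5_init_creds_context ctx;` is declared without an initializer, yet the `out:` block in the next hunk tests `if (ctx)` before freeing it, and `goto out` is taken when krb5_init_creds_init() fails. Unless krb5_init_creds_init() always stores NULL on failure (its body is not in view), the first pass reads an indeterminate pointer, and the retry pass after `krb5_init_creds_free(context, ctx); goto again;` can free the same context twice. Declaring `krb5_init_creds_context ctx = NULL;` and setting `ctx = NULL;` before `goto again` removes the dependency on the callee. The same uninitialized declaration appears in krb5_get_init_creds_keyblock and krb5_get_init_creds_keytab in the `@@ -1626,33 +2071,80 @@` hunk. The body of krb5_get_init_creds_password continues outside this hunk.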
@@ -1582,42 +2000,69 @@ krb5_get_init_creds_password(krb5_context context,
free (q);
if (ret) {
memset (buf, 0, sizeof(buf));
- krb5_get_init_creds_opt_free(context, options);
ret = KRB5_LIBOS_PWDINTR;
- krb5_clear_error_string (context);
- return ret;
+ krb5_clear_error_message (context);
+ goto out;
}
password = password_data.data;
}
- if (options->opt_private->password == NULL) {
- ret = krb5_get_init_creds_opt_set_pa_password(context, options,
- password, NULL);
- if (ret) {
- krb5_get_init_creds_opt_free(context, options);
- memset(buf, 0, sizeof(buf));
- return ret;
- }
+ if (password) {
+ ret = krb5_init_creds_set_password(context, ctx, password);
+ if (ret)
+ goto out;
}
- ret = krb5_get_init_creds(context, creds, client, prompter,
- data, start_time, in_tkt_service, options);
- krb5_get_init_creds_opt_free(context, options);
+ ret = krb5_init_creds_get(context, ctx);
+
+ if (ret == 0)
+ process_last_request(context, options, ctx);
+
+
+ if (ret == KRB5KDC_ERR_KEY_EXPIRED && chpw == 0) {
+ char buf2[1024];
+
+ /* try to avoid recursion */
+ if (in_tkt_service != NULL && strcmp(in_tkt_service, "kadmin/changepw") == 0)
+ goto out;
+
+ /* don't try to change password where then where none */
+ if (prompter == NULL)
+ goto out;
+
+ ret = change_password (context,
+ client,
+ ctx->password,
+ buf2,
+ sizeof(buf),
+ prompter,
+ data,
+ options);
+ if (ret)
+ goto out;
+ chpw = 1;
+ krb5_init_creds_free(context, ctx);
+ goto again;
+ }
+
+ out:
+ if (ret == 0)
+ krb5_init_creds_get_creds(context, ctx, creds);
+
+ if (ctx)
+ krb5_init_creds_free(context, ctx);
+
memset(buf, 0, sizeof(buf));
return ret;
}
-static krb5_error_code
-init_creds_keyblock_key_proc (krb5_context context,
- krb5_enctype type,
- krb5_salt salt,
- krb5_const_pointer keyseed,
- krb5_keyblock **key)
-{
- return krb5_copy_keyblock (context, keyseed, key);
-}
+/**
+ * Get new credentials using keyblock.
+ *
+ * @ingroup krb5_credential
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_keyblock(krb5_context context,
krb5_creds *creds,
krb5_principal client,
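Review bot: The change_password() call passes `buf2` together with `sizeof(buf)`, but `buf2` is `char buf2[1024]` while `buf` is `char buf[BUFSIZ]`, so where BUFSIZ exceeds 1024 the callee is told the buffer is larger than it is; the length should be `sizeof(buf2)`. The new password written to `buf2` is also neither used for the retry nor cleared: `goto again` re-runs with the original `password`, and only `buf` is wiped at `out:`. Hoisting `buf2` to function scope, setting `password = buf2;` before `goto again`, and adding `memset(buf2, 0, sizeof(buf2));` next to the existing memset would cover both, assuming change_password() stores the new password in that buffer (its body is not in view). krb5_get_init_creds_password starts before this hunk.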
@@ -1626,33 +2071,80 @@ krb5_get_init_creds_keyblock(krb5_context context,
const char *in_tkt_service,
krb5_get_init_creds_opt *options)
{
- struct krb5_get_init_creds_ctx ctx;
+ krb5_init_creds_context ctx;
krb5_error_code ret;
-
- ret = get_init_creds_common(context, client, start_time,
- in_tkt_service, options, &ctx);
+
+ memset(creds, 0, sizeof(*creds));
+
+ ret = krb5_init_creds_init(context, client, NULL, NULL, start_time, options, &ctx);
if (ret)
goto out;
- ret = krb5_get_in_cred (context,
- KDCOptions2int(ctx.flags),
- ctx.addrs,
- ctx.etypes,
- ctx.pre_auth_types,
- NULL,
- init_creds_keyblock_key_proc,
- keyblock,
- NULL,
- NULL,
- &ctx.cred,
- NULL);
-
- if (ret == 0 && creds)
- *creds = ctx.cred;
- else
- krb5_free_cred_contents (context, &ctx.cred);
+ ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_set_keyblock(context, ctx, keyblock);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_get(context, ctx);
+
+ if (ret == 0)
+ process_last_request(context, options, ctx);
+
+ out:
+ if (ret == 0)
+ krb5_init_creds_get_creds(context, ctx, creds);
+
+ if (ctx)
+ krb5_init_creds_free(context, ctx);
+
+ return ret;
+}
+
+/**
+ * Get new credentials using keytab.
+ *
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_init_creds_keytab(krb5_context context,
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_keytab keytab,
+ krb5_deltat start_time,
+ const char *in_tkt_service,
+ krb5_get_init_creds_opt *options)
+{
+ krb5_init_creds_context ctx;
+ krb5_error_code ret;
+
+ memset(creds, 0, sizeof(*creds));
+
+ ret = krb5_init_creds_init(context, client, NULL, NULL, start_time, options, &ctx);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_set_keytab(context, ctx, keytab);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_get(context, ctx);
+ if (ret == 0)
+ process_last_request(context, options, ctx);
out:
- free_init_creds_ctx(context, &ctx);
+ if (ret == 0)
+ krb5_init_creds_get_creds(context, ctx, creds);
+
+ if (ctx)
+ krb5_init_creds_free(context, ctx);
+
return ret;
}
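Review bot: At `out:` in both krb5_get_init_creds_keyblock and krb5_get_init_creds_keytab the result of `krb5_init_creds_get_creds(context, ctx, creds)` is discarded, so a failed copy still returns 0 with `creds` zeroed or only partly filled. Propagating it with `ret = krb5_init_creds_get_creds(context, ctx, creds);` lets callers see the failure. The `out:` block of krb5_get_init_creds_password in the previous hunk has the same pattern. Both functions here also call `memset(creds, 0, sizeof(*creds))` unconditionally where the removed keyblock code tolerated a NULL `creds`, so a doc line stating that `creds` must be non-NULL would make the contract explicit. krb5_get_init_creds_keyblock starts before this hunk.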
diff --git a/crypto/heimdal/lib/krb5/k524_err.et b/crypto/heimdal/lib/krb5/k524_err.et
index 0ca25f74d474..4827b397af02 100644
--- a/crypto/heimdal/lib/krb5/k524_err.et
+++ b/crypto/heimdal/lib/krb5/k524_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: k524_err.et 10141 2001-06-20 02:45:58Z joda $"
+id "$Id$"
error_table k524
diff --git a/crypto/heimdal/lib/krb5/kcm.c b/crypto/heimdal/lib/krb5/kcm.c
index 8afaa6ea80a1..5a28b5138b5f 100644
--- a/crypto/heimdal/lib/krb5/kcm.c
+++ b/crypto/heimdal/lib/krb5/kcm.c
@@ -2,6 +2,8 @@
* Copyright (c) 2005, PADL Software Pty Ltd.
* All rights reserved.
*
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -37,130 +39,68 @@
* Client library for Kerberos Credentials Manager (KCM) daemon
*/
-#ifdef HAVE_SYS_UN_H
-#include <sys/un.h>
-#endif
-
#include "kcm.h"
+#include <heim-ipc.h>
-RCSID("$Id: kcm.c 22108 2007-12-03 17:23:53Z lha $");
+static krb5_error_code
+kcm_set_kdc_offset(krb5_context, krb5_ccache, krb5_deltat);
+
+static const char *kcm_ipc_name = "ANY:org.h5l.kcm";
typedef struct krb5_kcmcache {
char *name;
- struct sockaddr_un path;
- char *door_path;
} krb5_kcmcache;
-#define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data)
-#define CACHENAME(X) (KCMCACHE(X)->name)
-#define KCMCURSOR(C) (*(uint32_t *)(C))
+typedef struct krb5_kcm_cursor {
+ unsigned long offset;
+ unsigned long length;
+ kcmuuid_t *uuids;
+} *krb5_kcm_cursor;
-static krb5_error_code
-try_door(krb5_context context, const krb5_kcmcache *k,
- krb5_data *request_data,
- krb5_data *response_data)
-{
-#ifdef HAVE_DOOR_CREATE
- door_arg_t arg;
- int fd;
- int ret;
-
- memset(&arg, 0, sizeof(arg));
-
- fd = open(k->door_path, O_RDWR);
- if (fd < 0)
- return KRB5_CC_IO;
-
- arg.data_ptr = request_data->data;
- arg.data_size = request_data->length;
- arg.desc_ptr = NULL;
- arg.desc_num = 0;
- arg.rbuf = NULL;
- arg.rsize = 0;
-
- ret = door_call(fd, &arg);
- close(fd);
- if (ret != 0)
- return KRB5_CC_IO;
- ret = krb5_data_copy(response_data, arg.rbuf, arg.rsize);
- munmap(arg.rbuf, arg.rsize);
- if (ret)
- return ret;
-
- return 0;
-#else
- return KRB5_CC_IO;
-#endif
-}
+#define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data)
+#define CACHENAME(X) (KCMCACHE(X)->name)
+#define KCMCURSOR(C) ((krb5_kcm_cursor)(C))
-static krb5_error_code
-try_unix_socket(krb5_context context, const krb5_kcmcache *k,
- krb5_data *request_data,
- krb5_data *response_data)
-{
- krb5_error_code ret;
- int fd;
+static HEIMDAL_MUTEX kcm_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static heim_ipc kcm_ipc = NULL;
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (fd < 0)
- return KRB5_CC_IO;
-
- if (connect(fd, rk_UNCONST(&k->path), sizeof(k->path)) != 0) {
- close(fd);
- return KRB5_CC_IO;
- }
-
- ret = _krb5_send_and_recv_tcp(fd, context->kdc_timeout,
- request_data, response_data);
- close(fd);
- return ret;
-}
-
static krb5_error_code
kcm_send_request(krb5_context context,
- krb5_kcmcache *k,
krb5_storage *request,
krb5_data *response_data)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_data request_data;
- int i;
- response_data->data = NULL;
- response_data->length = 0;
+ HEIMDAL_MUTEX_lock(&kcm_mutex);
+ if (kcm_ipc == NULL)
+ ret = heim_ipc_init_context(kcm_ipc_name, &kcm_ipc);
+ HEIMDAL_MUTEX_unlock(&kcm_mutex);
+ if (ret)
+ return KRB5_CC_NOSUPP;
ret = krb5_storage_to_data(request, &request_data);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_CC_NOMEM;
}
- ret = KRB5_CC_IO;
-
- for (i = 0; i < context->max_retries; i++) {
- ret = try_door(context, k, &request_data, response_data);
- if (ret == 0 && response_data->length != 0)
- break;
- ret = try_unix_socket(context, k, &request_data, response_data);
- if (ret == 0 && response_data->length != 0)
- break;
- }
-
+ ret = heim_ipc_call(kcm_ipc, &request_data, response_data, NULL);
krb5_data_free(&request_data);
if (ret) {
- krb5_clear_error_string(context);
- ret = KRB5_CC_IO;
+ krb5_clear_error_message(context);
+ ret = KRB5_CC_NOSUPP;
}
return ret;
}
-static krb5_error_code
-kcm_storage_request(krb5_context context,
- kcm_operation opcode,
- krb5_storage **storage_p)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_storage_request(krb5_context context,
+ uint16_t opcode,
+ krb5_storage **storage_p)
{
krb5_storage *sp;
krb5_error_code ret;
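Review bot: kcm_send_request() no longer clears `response_data` on entry, so on the early `return KRB5_CC_NOSUPP` after heim_ipc_init_context() fails the caller's krb5_data is left exactly as it was passed in. krb5_kcm_call() zeroes it before calling (see the `@@ -253,10 +178,11 @@` hunk), but any other caller that frees the response on error would act on stale contents. Keeping `krb5_data_zero(response_data);` as the first statement, or documenting in a header comment that the caller must pre-zero it and owns the result, makes the contract explicit. The krb5_kcm_storage_request definition that follows continues outside this hunk.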
@@ -169,7 +109,7 @@ kcm_storage_request(krb5_context context,
sp = krb5_storage_emem();
if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
@@ -187,22 +127,23 @@ kcm_storage_request(krb5_context context,
*storage_p = sp;
fail:
if (ret) {
- krb5_set_error_string(context, "Failed to encode request");
+ krb5_set_error_message(context, ret,
+ N_("Failed to encode KCM request", ""));
krb5_storage_free(sp);
}
-
- return ret;
+
+ return ret;
}
static krb5_error_code
kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
{
krb5_kcmcache *k;
- const char *path;
k = malloc(sizeof(*k));
if (k == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
@@ -210,40 +151,24 @@ kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
k->name = strdup(name);
if (k->name == NULL) {
free(k);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
} else
k->name = NULL;
- path = krb5_config_get_string_default(context, NULL,
- _PATH_KCM_SOCKET,
- "libdefaults",
- "kcm_socket",
- NULL);
-
- k->path.sun_family = AF_UNIX;
- strlcpy(k->path.sun_path, path, sizeof(k->path.sun_path));
-
- path = krb5_config_get_string_default(context, NULL,
- _PATH_KCM_DOOR,
- "libdefaults",
- "kcm_door",
- NULL);
- k->door_path = strdup(path);
-
(*id)->data.data = k;
(*id)->data.length = sizeof(*k);
return 0;
}
-static krb5_error_code
-kcm_call(krb5_context context,
- krb5_kcmcache *k,
- krb5_storage *request,
- krb5_storage **response_p,
- krb5_data *response_data_p)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_call(krb5_context context,
+ krb5_storage *request,
+ krb5_storage **response_p,
+ krb5_data *response_data_p)
{
krb5_data response_data;
krb5_error_code ret;
@@ -253,10 +178,11 @@ kcm_call(krb5_context context,
if (response_p != NULL)
*response_p = NULL;
- ret = kcm_send_request(context, k, request, &response_data);
- if (ret) {
+ krb5_data_zero(&response_data);
+
+ ret = kcm_send_request(context, request, &response_data);
+ if (ret)
return ret;
- }
response = krb5_storage_from_data(&response_data);
if (response == NULL) {
@@ -298,13 +224,9 @@ kcm_free(krb5_context context, krb5_ccache *id)
if (k != NULL) {
if (k->name != NULL)
free(k->name);
- if (k->door_path)
- free(k->door_path);
memset(k, 0, sizeof(*k));
krb5_data_free(&(*id)->data);
}
-
- *id = NULL;
}
static const char *
@@ -340,13 +262,13 @@ kcm_gen_new(krb5_context context, krb5_ccache *id)
k = KCMCACHE(*id);
- ret = kcm_storage_request(context, KCM_OP_GEN_NEW, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GEN_NEW, &request);
if (ret) {
kcm_free(context, id);
return ret;
}
- ret = kcm_call(context, k, request, &response, &response_data);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
if (ret) {
krb5_storage_free(request);
kcm_free(context, id);
@@ -384,7 +306,7 @@ kcm_initialize(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_INITIALIZE, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_INITIALIZE, &request);
if (ret)
return ret;
@@ -400,9 +322,13 @@ kcm_initialize(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
+
+ if (context->kdc_sec_offset)
+ kcm_set_kdc_offset(context, id, context->kdc_sec_offset);
+
return ret;
}
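Review bot: `kcm_set_kdc_offset(context, id, context->kdc_sec_offset)` runs even when the preceding krb5_kcm_call() failed, and its return value is dropped. Guarding it as `if (ret == 0 && context->kdc_sec_offset)` avoids a second request against a cache that was not initialized. If failing to store the offset is meant to be reported, `ret = kcm_set_kdc_offset(...)` would surface it. Only the prototype of kcm_set_kdc_offset() is in view, and kcm_initialize starts before this hunk.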
@@ -429,7 +355,7 @@ kcm_destroy(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_DESTROY, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_DESTROY, &request);
if (ret)
return ret;
@@ -439,7 +365,7 @@ kcm_destroy(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
@@ -462,7 +388,7 @@ kcm_store_cred(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_STORE, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_STORE, &request);
if (ret)
return ret;
@@ -478,12 +404,13 @@ kcm_store_cred(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
}
+#if 0
/*
* Request:
* NameZ
@@ -506,7 +433,7 @@ kcm_retrieve(krb5_context context,
krb5_storage *request, *response;
krb5_data response_data;
- ret = kcm_storage_request(context, KCM_OP_RETRIEVE, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_RETRIEVE, &request);
if (ret)
return ret;
@@ -528,7 +455,7 @@ kcm_retrieve(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, &response, &response_data);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
if (ret) {
krb5_storage_free(request);
return ret;
@@ -544,6 +471,7 @@ kcm_retrieve(krb5_context context,
return ret;
}
+#endif
/*
* Request:
@@ -562,7 +490,7 @@ kcm_get_principal(krb5_context context,
krb5_storage *request, *response;
krb5_data response_data;
- ret = kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
if (ret)
return ret;
@@ -572,7 +500,7 @@ kcm_get_principal(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, &response, &response_data);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
if (ret) {
krb5_storage_free(request);
return ret;
@@ -603,12 +531,12 @@ kcm_get_first (krb5_context context,
krb5_cc_cursor *cursor)
{
krb5_error_code ret;
+ krb5_kcm_cursor c;
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request, *response;
krb5_data response_data;
- int32_t tmp;
- ret = kcm_storage_request(context, KCM_OP_GET_FIRST, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_CRED_UUID_LIST, &request);
if (ret)
return ret;
@@ -618,28 +546,57 @@ kcm_get_first (krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, &response, &response_data);
- if (ret) {
- krb5_storage_free(request);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
+ krb5_storage_free(request);
+ if (ret)
+ return ret;
+
+ c = calloc(1, sizeof(*c));
+ if (c == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
return ret;
}
- ret = krb5_ret_int32(response, &tmp);
- if (ret || tmp < 0)
- ret = KRB5_CC_IO;
+ while (1) {
+ ssize_t sret;
+ kcmuuid_t uuid;
+ void *ptr;
+
+ sret = krb5_storage_read(response, &uuid, sizeof(uuid));
+ if (sret == 0) {
+ ret = 0;
+ break;
+ } else if (sret != sizeof(uuid)) {
+ ret = EINVAL;
+ break;
+ }
+
+ ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
+ if (ptr == NULL) {
+ free(c->uuids);
+ free(c);
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ c->uuids = ptr;
+
+ memcpy(&c->uuids[c->length], &uuid, sizeof(uuid));
+ c->length += 1;
+ }
- krb5_storage_free(request);
krb5_storage_free(response);
krb5_data_free(&response_data);
- if (ret)
+ if (ret) {
+ free(c->uuids);
+ free(c);
return ret;
+ }
- *cursor = malloc(sizeof(tmp));
- if (*cursor == NULL)
- return KRB5_CC_NOMEM;
-
- KCMCURSOR(*cursor) = tmp;
+ *cursor = c;
return 0;
}
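Review bot: Two early returns in kcm_get_first leak the reply: the `calloc` failure path and the `realloc` failure path both return without `krb5_storage_free(response)` and `krb5_data_free(&response_data)`, which the normal path calls after the loop. Routing the realloc failure through `break` with `ret = ENOMEM` reuses the existing cleanup, which already frees `c->uuids` and `c` when `ret` is set. The calloc path needs the two frees added before its return. The function starts before this hunk.

```c
    c = calloc(1, sizeof(*c));
    if (c == NULL) {
	ret = ENOMEM;
	krb5_set_error_message(context, ret,
			       N_("malloc: out of memory", ""));
	krb5_storage_free(response);
	krb5_data_free(&response_data);
	return ret;
    }

    while (1) {
	/* … unchanged: read one uuid, stop on EOF or short read … */

	ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
	if (ptr == NULL) {
	    ret = ENOMEM;
	    krb5_set_error_message(context, ret,
				   N_("malloc: out of memory", ""));
	    break;
	}
	/* … unchanged: store ptr, append uuid, bump length … */
    }
    /* … unchanged: free response and response_data, free c on error … */
```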
@@ -660,10 +617,17 @@ kcm_get_next (krb5_context context,
{
krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
+ krb5_kcm_cursor c = KCMCURSOR(*cursor);
krb5_storage *request, *response;
krb5_data response_data;
+ ssize_t sret;
+
+ again:
+
+ if (c->offset >= c->length)
+ return KRB5_CC_END;
- ret = kcm_storage_request(context, KCM_OP_GET_NEXT, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_CRED_BY_UUID, &request);
if (ret)
return ret;
@@ -673,23 +637,26 @@ kcm_get_next (krb5_context context,
return ret;
}
- ret = krb5_store_int32(request, KCMCURSOR(*cursor));
- if (ret) {
+ sret = krb5_storage_write(request,
+ &c->uuids[c->offset],
+ sizeof(c->uuids[c->offset]));
+ c->offset++;
+ if (sret != sizeof(c->uuids[c->offset])) {
krb5_storage_free(request);
- return ret;
+ krb5_clear_error_message(context);
+ return ENOMEM;
}
- ret = kcm_call(context, k, request, &response, &response_data);
- if (ret) {
- krb5_storage_free(request);
- return ret;
+ ret = krb5_kcm_call(context, request, &response, &response_data);
+ krb5_storage_free(request);
+ if (ret == KRB5_CC_END) {
+ goto again;
}
ret = krb5_ret_creds(response, creds);
if (ret)
ret = KRB5_CC_IO;
- krb5_storage_free(request);
krb5_storage_free(response);
krb5_data_free(&response_data);
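Review bot: After `krb5_kcm_call` only `KRB5_CC_END` is tested, so any other failure falls through to `krb5_ret_creds(response, creds)` and the two free calls with a `response` this function never initialised. kcm_get_first handles the same call with `if (ret) return ret;`, and the same line after the `goto again` test would close the gap here; what krb5_kcm_call does to its outputs on failure is not visible in this diff. The `c->offset++` placed before the `sizeof(c->uuids[c->offset])` comparison is harmless because sizeof does not evaluate its operand, but `sizeof(c->uuids[0])` reads without a second look, and a short write is reported as `ENOMEM`. kcm_get_cache_next in the later hunk repeats both patterns. kcm_get_next starts and ends outside this hunk.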
@@ -709,39 +676,14 @@ kcm_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
{
- krb5_error_code ret;
- krb5_kcmcache *k = KCMCACHE(id);
- krb5_storage *request;
+ krb5_kcm_cursor c = KCMCURSOR(*cursor);
- ret = kcm_storage_request(context, KCM_OP_END_GET, &request);
- if (ret)
- return ret;
+ free(c->uuids);
+ free(c);
- ret = krb5_store_stringz(request, k->name);
- if (ret) {
- krb5_storage_free(request);
- return ret;
- }
-
- ret = krb5_store_int32(request, KCMCURSOR(*cursor));
- if (ret) {
- krb5_storage_free(request);
- return ret;
- }
-
- ret = kcm_call(context, k, request, NULL, NULL);
- if (ret) {
- krb5_storage_free(request);
- return ret;
- }
-
- krb5_storage_free(request);
-
- KCMCURSOR(*cursor) = 0;
- free(*cursor);
*cursor = NULL;
- return ret;
+ return 0;
}
/*
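Review bot: kcm_end_get reaches `free(c->uuids)` without checking that the cursor is set, and it is now the only place the UUID list is released. The visible error paths of kcm_get_first return without assigning `*cursor`, so a caller that ends an iteration it failed to start would dereference whatever the variable held; whether any caller does that cannot be seen from here. A guard such as `if (c == NULL) return 0;` before the two frees makes the function safe to call twice, since it already sets `*cursor = NULL` on the way out.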
@@ -763,7 +705,7 @@ kcm_remove_cred(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request);
if (ret)
return ret;
@@ -785,7 +727,7 @@ kcm_remove_cred(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
@@ -800,7 +742,7 @@ kcm_set_flags(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_SET_FLAGS, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_SET_FLAGS, &request);
if (ret)
return ret;
@@ -816,168 +758,259 @@ kcm_set_flags(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
}
-static krb5_error_code
+static int
kcm_get_version(krb5_context context,
krb5_ccache id)
{
return 0;
}
-static krb5_error_code
-kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
-{
- krb5_set_error_string(context, "kcm_move not implemented");
- return EINVAL;
-}
+/*
+ * Send nothing
+ * get back list of uuids
+ */
static krb5_error_code
-kcm_default_name(krb5_context context, char **str)
+kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
- return _krb5_expand_default_cc_name(context,
- KRB5_DEFAULT_CCNAME_KCM,
- str);
-}
+ krb5_error_code ret;
+ krb5_kcm_cursor c;
+ krb5_storage *request, *response;
+ krb5_data response_data;
-/**
- * Variable containing the KCM based credential cache implemention.
- *
- * @ingroup krb5_ccache
- */
+ *cursor = NULL;
-const krb5_cc_ops krb5_kcm_ops = {
- "KCM",
- kcm_get_name,
- kcm_resolve,
- kcm_gen_new,
- kcm_initialize,
- kcm_destroy,
- kcm_close,
- kcm_store_cred,
- kcm_retrieve,
- kcm_get_principal,
- kcm_get_first,
- kcm_get_next,
- kcm_end_get,
- kcm_remove_cred,
- kcm_set_flags,
- kcm_get_version,
- NULL,
- NULL,
- NULL,
- kcm_move,
- kcm_default_name
-};
+ c = calloc(1, sizeof(*c));
+ if (c == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
-krb5_boolean
-_krb5_kcm_is_running(krb5_context context)
-{
- krb5_error_code ret;
- krb5_ccache_data ccdata;
- krb5_ccache id = &ccdata;
- krb5_boolean running;
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_CACHE_UUID_LIST, &request);
+ if (ret)
+ goto out;
- ret = kcm_alloc(context, NULL, &id);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
+ krb5_storage_free(request);
if (ret)
- return 0;
+ goto out;
- running = (_krb5_kcm_noop(context, id) == 0);
+ while (1) {
+ ssize_t sret;
+ kcmuuid_t uuid;
+ void *ptr;
- kcm_free(context, &id);
+ sret = krb5_storage_read(response, &uuid, sizeof(uuid));
+ if (sret == 0) {
+ ret = 0;
+ break;
+ } else if (sret != sizeof(uuid)) {
+ ret = EINVAL;
+ goto out;
+ }
- return running;
+ ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
+ if (ptr == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ c->uuids = ptr;
+
+ memcpy(&c->uuids[c->length], &uuid, sizeof(uuid));
+ c->length += 1;
+ }
+
+ krb5_storage_free(response);
+ krb5_data_free(&response_data);
+
+ out:
+ if (ret && c) {
+ free(c->uuids);
+ free(c);
+ } else
+ *cursor = c;
+
+ return ret;
}
/*
- * Request:
- *
- * Response:
- *
+ * Send uuid
+ * Recv cache name
*/
-krb5_error_code
-_krb5_kcm_noop(krb5_context context,
- krb5_ccache id)
+
+static krb5_error_code
+kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_ops *ops, krb5_ccache *id)
{
krb5_error_code ret;
- krb5_kcmcache *k = KCMCACHE(id);
- krb5_storage *request;
+ krb5_kcm_cursor c = KCMCURSOR(cursor);
+ krb5_storage *request, *response;
+ krb5_data response_data;
+ ssize_t sret;
+ char *name;
+
+ *id = NULL;
- ret = kcm_storage_request(context, KCM_OP_NOOP, &request);
+ again:
+
+ if (c->offset >= c->length)
+ return KRB5_CC_END;
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_CACHE_BY_UUID, &request);
if (ret)
return ret;
- ret = kcm_call(context, k, request, NULL, NULL);
+ sret = krb5_storage_write(request,
+ &c->uuids[c->offset],
+ sizeof(c->uuids[c->offset]));
+ c->offset++;
+ if (sret != sizeof(c->uuids[c->offset])) {
+ krb5_storage_free(request);
+ krb5_clear_error_message(context);
+ return ENOMEM;
+ }
+ ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
+ if (ret == KRB5_CC_END)
+ goto again;
+
+ ret = krb5_ret_stringz(response, &name);
+ krb5_storage_free(response);
+ krb5_data_free(&response_data);
+
+ if (ret == 0) {
+ ret = _krb5_cc_allocate(context, ops, id);
+ if (ret == 0)
+ ret = kcm_alloc(context, name, id);
+ krb5_xfree(name);
+ }
+
return ret;
}
+static krb5_error_code
+kcm_get_cache_next_kcm(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+#ifndef KCM_IS_API_CACHE
+ return kcm_get_cache_next(context, cursor, &krb5_kcm_ops, id);
+#else
+ return KRB5_CC_END;
+#endif
+}
-/*
- * Request:
- * NameZ
- * Mode
- *
- * Response:
- *
- */
-krb5_error_code
-_krb5_kcm_chmod(krb5_context context,
- krb5_ccache id,
- uint16_t mode)
+static krb5_error_code
+kcm_get_cache_next_api(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+ return kcm_get_cache_next(context, cursor, &krb5_akcm_ops, id);
+}
+
+
+static krb5_error_code
+kcm_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+ krb5_kcm_cursor c = KCMCURSOR(cursor);
+
+ free(c->uuids);
+ free(c);
+ return 0;
+}
+
+
+static krb5_error_code
+kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret;
- krb5_kcmcache *k = KCMCACHE(id);
+ krb5_kcmcache *oldk = KCMCACHE(from);
+ krb5_kcmcache *newk = KCMCACHE(to);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_CHMOD, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_MOVE_CACHE, &request);
if (ret)
return ret;
- ret = krb5_store_stringz(request, k->name);
+ ret = krb5_store_stringz(request, oldk->name);
if (ret) {
krb5_storage_free(request);
return ret;
}
- ret = krb5_store_int16(request, mode);
+ ret = krb5_store_stringz(request, newk->name);
if (ret) {
krb5_storage_free(request);
return ret;
}
-
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
}
+static krb5_error_code
+kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
+ const char *defstr, char **str)
+{
+ krb5_error_code ret;
+ krb5_storage *request, *response;
+ krb5_data response_data;
+ char *name;
-/*
- * Request:
- * NameZ
- * UID
- * GID
- *
- * Response:
- *
- */
-krb5_error_code
-_krb5_kcm_chown(krb5_context context,
- krb5_ccache id,
- uint32_t uid,
- uint32_t gid)
+ *str = NULL;
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request);
+ if (ret)
+ return ret;
+
+ ret = krb5_kcm_call(context, request, &response, &response_data);
+ krb5_storage_free(request);
+ if (ret)
+ return _krb5_expand_default_cc_name(context, defstr, str);
+
+ ret = krb5_ret_stringz(response, &name);
+ krb5_storage_free(response);
+ krb5_data_free(&response_data);
+ if (ret)
+ return ret;
+
+ asprintf(str, "%s:%s", ops->prefix, name);
+ free(name);
+ if (str == NULL)
+ return ENOMEM;
+
+ return 0;
+}
+
+static krb5_error_code
+kcm_get_default_name_api(krb5_context context, char **str)
+{
+ return kcm_get_default_name(context, &krb5_akcm_ops,
+ KRB5_DEFAULT_CCNAME_KCM_API, str);
+}
+
+static krb5_error_code
+kcm_get_default_name_kcm(krb5_context context, char **str)
+{
+ return kcm_get_default_name(context, &krb5_kcm_ops,
+ KRB5_DEFAULT_CCNAME_KCM_KCM, str);
+}
+
+static krb5_error_code
+kcm_set_default(krb5_context context, krb5_ccache id)
{
krb5_error_code ret;
- krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
+ krb5_kcmcache *k = KCMCACHE(id);
- ret = kcm_storage_request(context, KCM_OP_CHOWN, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_SET_DEFAULT_CACHE, &request);
if (ret)
return ret;
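Review bot: In kcm_get_default_name the return value of `asprintf` is ignored and the test that follows is `if (str == NULL)`, which checks the caller's out-pointer rather than the string just allocated. An allocation failure is therefore reported as success with `*str` in an unspecified state. Checking the call itself fixes it: `if (asprintf(str, "%s:%s", ops->prefix, name) < 0) *str = NULL;`, then `free(name);`, then `if (*str == NULL) return ENOMEM;`. The `name` returned by `krb5_ret_stringz` is released with `free` here but with `krb5_xfree` in kcm_get_cache_next; one of the two should be used throughout. kcm_set_default begins in this hunk and continues outside it.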
@@ -987,19 +1020,184 @@ _krb5_kcm_chown(krb5_context context,
return ret;
}
- ret = krb5_store_int32(request, uid);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
+ krb5_storage_free(request);
+
+ return ret;
+}
+
+static krb5_error_code
+kcm_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
+ *mtime = time(NULL);
+ return 0;
+}
+
+static krb5_error_code
+kcm_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+ krb5_kcmcache *k = KCMCACHE(id);
+ krb5_error_code ret;
+ krb5_storage *request;
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request);
+ if (ret)
+ return ret;
+
+ ret = krb5_store_stringz(request, k->name);
+ if (ret) {
+ krb5_storage_free(request);
+ return ret;
+ }
+ ret = krb5_store_int32(request, kdc_offset);
if (ret) {
krb5_storage_free(request);
return ret;
}
- ret = krb5_store_int32(request, gid);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
+ krb5_storage_free(request);
+
+ return ret;
+}
+
+static krb5_error_code
+kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+ krb5_kcmcache *k = KCMCACHE(id);
+ krb5_error_code ret;
+ krb5_storage *request, *response;
+ krb5_data response_data;
+ int32_t offset;
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request);
+ if (ret)
+ return ret;
+
+ ret = krb5_store_stringz(request, k->name);
if (ret) {
krb5_storage_free(request);
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, &response, &response_data);
+ krb5_storage_free(request);
+ if (ret)
+ return ret;
+
+ ret = krb5_ret_int32(response, &offset);
+ krb5_storage_free(response);
+ krb5_data_free(&response_data);
+ if (ret)
+ return ret;
+
+ *kdc_offset = offset;
+
+ return 0;
+}
+
+/**
+ * Variable containing the KCM based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops = {
+ KRB5_CC_OPS_VERSION,
+ "KCM",
+ kcm_get_name,
+ kcm_resolve,
+ kcm_gen_new,
+ kcm_initialize,
+ kcm_destroy,
+ kcm_close,
+ kcm_store_cred,
+ NULL /* kcm_retrieve */,
+ kcm_get_principal,
+ kcm_get_first,
+ kcm_get_next,
+ kcm_end_get,
+ kcm_remove_cred,
+ kcm_set_flags,
+ kcm_get_version,
+ kcm_get_cache_first,
+ kcm_get_cache_next_kcm,
+ kcm_end_cache_get,
+ kcm_move,
+ kcm_get_default_name_kcm,
+ kcm_set_default,
+ kcm_lastchange,
+ kcm_set_kdc_offset,
+ kcm_get_kdc_offset
+};
+
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
+ KRB5_CC_OPS_VERSION,
+ "API",
+ kcm_get_name,
+ kcm_resolve,
+ kcm_gen_new,
+ kcm_initialize,
+ kcm_destroy,
+ kcm_close,
+ kcm_store_cred,
+ NULL /* kcm_retrieve */,
+ kcm_get_principal,
+ kcm_get_first,
+ kcm_get_next,
+ kcm_end_get,
+ kcm_remove_cred,
+ kcm_set_flags,
+ kcm_get_version,
+ kcm_get_cache_first,
+ kcm_get_cache_next_api,
+ kcm_end_cache_get,
+ kcm_move,
+ kcm_get_default_name_api,
+ kcm_set_default,
+ kcm_lastchange,
+ NULL,
+ NULL
+};
+
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+_krb5_kcm_is_running(krb5_context context)
+{
+ krb5_error_code ret;
+ krb5_ccache_data ccdata;
+ krb5_ccache id = &ccdata;
+ krb5_boolean running;
+
+ ret = kcm_alloc(context, NULL, &id);
+ if (ret)
+ return 0;
+
+ running = (_krb5_kcm_noop(context, id) == 0);
+
+ kcm_free(context, &id);
+
+ return running;
+}
+
+/*
+ * Request:
+ *
+ * Response:
+ *
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kcm_noop(krb5_context context,
+ krb5_ccache id)
+{
+ krb5_error_code ret;
+ krb5_storage *request;
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_NOOP, &request);
+ if (ret)
+ return ret;
+
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
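Review bot: kcm_lastchange has no comment explaining why it stores `time(NULL)` instead of asking the daemon, and the effect is that every call reports the cache as modified just now. A line above it such as `/* No change-time request is issued to the KCM daemon; report "now" so callers always treat the cache as changed. */` would record the intent, if that is the intent. In `krb5_akcm_ops` the two trailing `NULL` entries sit in the slots that `krb5_kcm_ops` fills with `kcm_set_kdc_offset` and `kcm_get_kdc_offset`; labelling them the way the table already does for `NULL /* kcm_retrieve */` keeps the positional initialiser readable. `_krb5_kcm_noop` no longer uses its `id` parameter.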
@@ -1016,17 +1214,17 @@ _krb5_kcm_chown(krb5_context context,
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_initial_ticket(krb5_context context,
krb5_ccache id,
krb5_principal server,
krb5_keyblock *key)
{
- krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
+ krb5_error_code ret;
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request);
if (ret)
return ret;
@@ -1056,7 +1254,7 @@ _krb5_kcm_get_initial_ticket(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
@@ -1073,7 +1271,7 @@ _krb5_kcm_get_initial_ticket(krb5_context context,
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_ticket(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
@@ -1084,7 +1282,7 @@ _krb5_kcm_get_ticket(krb5_context context,
krb5_kcmcache *k = KCMCACHE(id);
krb5_storage *request;
- ret = kcm_storage_request(context, KCM_OP_GET_TICKET, &request);
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_TICKET, &request);
if (ret)
return ret;
@@ -1112,11 +1310,10 @@ _krb5_kcm_get_ticket(krb5_context context,
return ret;
}
- ret = kcm_call(context, k, request, NULL, NULL);
+ ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
return ret;
}
-
#endif /* HAVE_KCM */
diff --git a/crypto/heimdal/lib/krb5/kcm.h b/crypto/heimdal/lib/krb5/kcm.h
index 10dfa440f1d7..27197fec3eda 100644
--- a/crypto/heimdal/lib/krb5/kcm.h
+++ b/crypto/heimdal/lib/krb5/kcm.h
@@ -2,6 +2,8 @@
* Copyright (c) 2005, PADL Software Pty Ltd.
* All rights reserved.
*
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -37,9 +39,11 @@
* KCM protocol definitions
*/
-#define KCM_PROTOCOL_VERSION_MAJOR 1
+#define KCM_PROTOCOL_VERSION_MAJOR 2
#define KCM_PROTOCOL_VERSION_MINOR 0
+typedef unsigned char kcmuuid_t[16];
+
typedef enum kcm_operation {
KCM_OP_NOOP,
KCM_OP_GET_NAME,
@@ -50,20 +54,37 @@ typedef enum kcm_operation {
KCM_OP_STORE,
KCM_OP_RETRIEVE,
KCM_OP_GET_PRINCIPAL,
- KCM_OP_GET_FIRST,
- KCM_OP_GET_NEXT,
- KCM_OP_END_GET,
+ KCM_OP_GET_CRED_UUID_LIST,
+ KCM_OP_GET_CRED_BY_UUID,
KCM_OP_REMOVE_CRED,
KCM_OP_SET_FLAGS,
KCM_OP_CHOWN,
KCM_OP_CHMOD,
KCM_OP_GET_INITIAL_TICKET,
KCM_OP_GET_TICKET,
+ KCM_OP_MOVE_CACHE,
+ KCM_OP_GET_CACHE_UUID_LIST,
+ KCM_OP_GET_CACHE_BY_UUID,
+ KCM_OP_GET_DEFAULT_CACHE,
+ KCM_OP_SET_DEFAULT_CACHE,
+ KCM_OP_GET_KDC_OFFSET,
+ KCM_OP_SET_KDC_OFFSET,
+ /* NTLM operations */
+ KCM_OP_ADD_NTLM_CRED,
+ KCM_OP_HAVE_NTLM_CRED,
+ KCM_OP_DEL_NTLM_CRED,
+ KCM_OP_DO_NTLM_AUTH,
+ KCM_OP_GET_NTLM_USER_LIST,
KCM_OP_MAX
} kcm_operation;
#define _PATH_KCM_SOCKET "/var/run/.kcm_socket"
#define _PATH_KCM_DOOR "/var/run/.kcm_door"
+#define KCM_NTLM_FLAG_SESSIONKEY 1
+#define KCM_NTLM_FLAG_NTLM2_SESSION 2
+#define KCM_NTLM_FLAG_KEYEX 4
+#define KCM_NTLM_FLAG_AV_GUEST 8
+
#endif /* __KCM_H__ */
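Review bot: Nothing in the header says that the position of each `kcm_operation` enumerator matters, yet this hunk removes three entries and inserts two in the middle, which shifts the value of every operation from `KCM_OP_REMOVE_CRED` onward. The client passes these constants to `krb5_kcm_storage_request`, so they presumably travel in the request and must match the daemon's numbering. The major-version bump in the previous hunk covers this change. A comment above the enum, for example `/* Values are protocol opcodes: append new operations before KCM_OP_MAX, never reorder. */`, would keep a later addition from renumbering operations without a version change.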
diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8
index e45c947d10c8..94d49955180b 100644
--- a/crypto/heimdal/lib/krb5/kerberos.8
+++ b/crypto/heimdal/lib/krb5/kerberos.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: kerberos.8 16121 2005-10-03 14:24:36Z lha $
+.\" $Id$
.\"
.Dd September 1, 2000
.Dt KERBEROS 8
diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c
index ff4f972e57d7..9ba9c4b290da 100644
--- a/crypto/heimdal/lib/krb5/keyblock.c
+++ b/crypto/heimdal/lib/krb5/keyblock.c
@@ -1,48 +1,63 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keyblock.c 15167 2005-05-18 04:21:57Z lha $");
+/**
+ * Zero out a keyblock
+ *
+ * @param keyblock keyblock to zero out
+ *
+ * @ingroup krb5_crypto
+ */
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_keyblock_zero(krb5_keyblock *keyblock)
{
keyblock->keytype = 0;
krb5_data_zero(&keyblock->keyvalue);
}
-void KRB5_LIB_FUNCTION
+/**
+ * Free a keyblock's content, also zero out the content of the keyblock.
+ *
+ * @param context a Kerberos 5 context
+ * @param keyblock keyblock content to free, NULL is valid argument
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_keyblock_contents(krb5_context context,
krb5_keyblock *keyblock)
{
@@ -54,7 +69,17 @@ krb5_free_keyblock_contents(krb5_context context,
}
}
-void KRB5_LIB_FUNCTION
+/**
+ * Free a keyblock, also zero out the content of the keyblock, uses
+ * krb5_free_keyblock_contents() to free the content.
+ *
+ * @param context a Kerberos 5 context
+ * @param keyblock keyblock to free, NULL is valid argument
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_keyblock(krb5_context context,
krb5_keyblock *keyblock)
{
@@ -64,7 +89,20 @@ krb5_free_keyblock(krb5_context context,
}
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy a keyblock, free the output keyblock with
+ * krb5_free_keyblock_contents().
+ *
+ * @param context a Kerberos 5 context
+ * @param inblock the key to copy
+ * @param to the output key.
+ *
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_keyblock_contents (krb5_context context,
const krb5_keyblock *inblock,
krb5_keyblock *to)
@@ -72,34 +110,67 @@ krb5_copy_keyblock_contents (krb5_context context,
return copy_EncryptionKey(inblock, to);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy a keyblock, free the output keyblock with
+ * krb5_free_keyblock().
+ *
+ * @param context a Kerberos 5 context
+ * @param inblock the key to copy
+ * @param to the output key.
+ *
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_keyblock (krb5_context context,
const krb5_keyblock *inblock,
krb5_keyblock **to)
{
+ krb5_error_code ret;
krb5_keyblock *k;
- k = malloc (sizeof(*k));
+ *to = NULL;
+
+ k = calloc (1, sizeof(*k));
if (k == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
+
+ ret = krb5_copy_keyblock_contents (context, inblock, k);
+ if (ret) {
+ free(k);
+ return ret;
+ }
*to = k;
- return krb5_copy_keyblock_contents (context, inblock, k);
+ return 0;
}
-krb5_enctype
+/**
+ * Get encryption type of a keyblock.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_enctype KRB5_LIB_CALL
krb5_keyblock_get_enctype(const krb5_keyblock *block)
{
return block->keytype;
}
-/*
+/**
* Fill in `key' with key data of type `enctype' from `data' of length
- * `size'. Key should be freed using krb5_free_keyblock_contents.
+ * `size'. Key should be freed using krb5_free_keyblock_contents().
+ *
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keyblock_init(krb5_context context,
krb5_enctype type,
const void *data,
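Review bot: The out-of-memory message in krb5_copy_keyblock is passed as a bare literal while the same text elsewhere in this commit goes through the translation macro; `krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));` would match. The length-mismatch message in the krb5_keyblock_init hunk that follows is also a bare literal. The comment added for krb5_keyblock_get_enctype has no `@param block` or `@return` line, unlike the other comments introduced here. krb5_keyblock_init begins in this hunk and continues outside it.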
@@ -116,15 +187,15 @@ krb5_keyblock_init(krb5_context context,
return ret;
if (len != size) {
- krb5_set_error_string(context, "Encryption key %d is %lu bytes "
- "long, %lu was passed in",
- type, (unsigned long)len, (unsigned long)size);
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ "Encryption key %d is %lu bytes "
+ "long, %lu was passed in",
+ type, (unsigned long)len, (unsigned long)size);
return KRB5_PROG_ETYPE_NOSUPP;
}
ret = krb5_data_copy(&key->keyvalue, data, len);
if(ret) {
- krb5_set_error_string(context, "malloc failed: %lu",
- (unsigned long)len);
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
return ret;
}
key->keytype = type;
diff --git a/crypto/heimdal/lib/krb5/keytab.c b/crypto/heimdal/lib/krb5/keytab.c
index f6c7858c12ec..8ca515f2133d 100644
--- a/crypto/heimdal/lib/krb5/keytab.c
+++ b/crypto/heimdal/lib/krb5/keytab.c
@@ -1,60 +1,161 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keytab.c 20211 2007-02-09 07:11:03Z lha $");
+/**
+ * @page krb5_keytab_intro The keytab handing functions
+ * @section section_krb5_keytab Kerberos Keytabs
+ *
+ * See the library functions here: @ref krb5_keytab
+ *
+ * Keytabs are long term key storage for servers, their equvalment of
+ * password files.
+ *
+ * Normally the only function that useful for server are to specify
+ * what keytab to use to other core functions like krb5_rd_req()
+ * krb5_kt_resolve(), and krb5_kt_close().
+ *
+ * @subsection krb5_keytab_names Keytab names
+ *
+ * A keytab name is on the form type:residual. The residual part is
+ * specific to each keytab-type.
+ *
+ * When a keytab-name is resolved, the type is matched with an internal
+ * list of keytab types. If there is no matching keytab type,
+ * the default keytab is used. The current default type is FILE.
+ *
+ * The default value can be changed in the configuration file
+ * /etc/krb5.conf by setting the variable
+ * [defaults]default_keytab_name.
+ *
+ * The keytab types that are implemented in Heimdal are:
+ * - file
+ * store the keytab in a file, the type's name is FILE . The
+ * residual part is a filename. For compatibility with other
+ * Kerberos implemtation WRFILE and JAVA14 is also accepted. WRFILE
+ * has the same format as FILE. JAVA14 have a format that is
+ * compatible with older versions of MIT kerberos and SUN's Java
+ * based installation. They store a truncted kvno, so when the knvo
+ * excess 255, they are truncted in this format.
+ *
+ * - keytab
+ * store the keytab in a AFS keyfile (usually /usr/afs/etc/KeyFile ),
+ * the type's name is AFSKEYFILE. The residual part is a filename.
+ *
+ * - memory
+ * The keytab is stored in a memory segment. This allows sensitive
+ * and/or temporary data not to be stored on disk. The type's name
+ * is MEMORY. Each MEMORY keytab is referenced counted by and
+ * opened by the residual name, so two handles can point to the
+ * same memory area. When the last user closes using krb5_kt_close()
+ * the keytab, the keys in they keytab is memset() to zero and freed
+ * and can no longer be looked up by name.
+ *
+ *
+ * @subsection krb5_keytab_example Keytab example
+ *
+ * This is a minimalistic version of ktutil.
+ *
+ * @code
+int
+main (int argc, char **argv)
+{
+ krb5_context context;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ krb5_error_code ret;
+ char *principal;
+
+ if (krb5_init_context (&context) != 0)
+ errx(1, "krb5_context");
-/*
- * Register a new keytab in `ops'
- * Return 0 or an error.
+ ret = krb5_kt_default (context, &keytab);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_default");
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
+ while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ krb5_unparse_name(context, entry.principal, &principal);
+ printf("principal: %s\n", principal);
+ free(principal);
+ krb5_kt_free_entry(context, &entry);
+ }
+ ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
+ ret = krb5_kt_close(context, keytab);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_close");
+ krb5_free_context(context);
+ return 0;
+}
+ * @endcode
+ *
*/
-krb5_error_code KRB5_LIB_FUNCTION
+
+/**
+ * Register a new keytab backend.
+ *
+ * @param context a Keberos context.
+ * @param ops a backend to register.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_register(krb5_context context,
const krb5_kt_ops *ops)
{
struct krb5_keytab_data *tmp;
if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
- krb5_set_error_string(context, "krb5_kt_register; prefix too long");
+ krb5_set_error_message(context, KRB5_KT_BADNAME,
+ N_("can't register cache type, prefix too long", ""));
return KRB5_KT_BADNAME;
}
tmp = realloc(context->kt_types,
(context->num_kt_types + 1) * sizeof(*context->kt_types));
if(tmp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(&tmp[context->num_kt_types], ops,
@@ -64,13 +165,49 @@ krb5_kt_register(krb5_context context,
return 0;
}
-/*
+static const char *
+keytab_name(const char *name, const char **type, size_t *type_len)
+{
+ const char *residual;
+
+ residual = strchr(name, ':');
+
+ if (residual == NULL ||
+ name[0] == '/'
+#ifdef _WIN32
+ /* Avoid treating <drive>:<path> as a keytab type
+ * specification */
+ || name + 1 == residual
+#endif
+ ) {
+
+ *type = "FILE";
+ *type_len = strlen(*type);
+ residual = name;
+ } else {
+ *type = name;
+ *type_len = residual - name;
+ residual++;
+ }
+
+ return residual;
+}
+
+/**
* Resolve the keytab name (of the form `type:residual') in `name'
* into a keytab in `id'.
- * Return 0 or an error
+ *
+ * @param context a Keberos context.
+ * @param name name to resolve
+ * @param id resulting keytab, free with krb5_kt_close().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_resolve(krb5_context context,
const char *name,
krb5_keytab *id)
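Review bot: The new static helper `keytab_name` has no comment, and its contract is not obvious: in the `else` branch `*type` points into `name` and is not NUL-terminated, so a caller must honour `*type_len`. A short header would cover it, for example `/* Split "type:residual"; *type is valid for *type_len bytes only. A name with no ':' or starting with '/' is treated as FILE. */`. It should also say that `name` must be non-NULL, since `strchr(name, ':')` is called unconditionally. The krb5_kt_resolve signature at the end of the hunk belongs to a function whose body lies outside it.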
@@ -81,30 +218,22 @@ krb5_kt_resolve(krb5_context context,
size_t type_len;
krb5_error_code ret;
- residual = strchr(name, ':');
- if(residual == NULL) {
- type = "FILE";
- type_len = strlen(type);
- residual = name;
- } else {
- type = name;
- type_len = residual - name;
- residual++;
- }
-
+ residual = keytab_name(name, &type, &type_len);
+
for(i = 0; i < context->num_kt_types; i++) {
if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0)
break;
}
if(i == context->num_kt_types) {
- krb5_set_error_string(context, "unknown keytab type %.*s",
- (int)type_len, type);
+ krb5_set_error_message(context, KRB5_KT_UNKNOWN_TYPE,
+ N_("unknown keytab type %.*s", "type"),
+ (int)type_len, type);
return KRB5_KT_UNKNOWN_TYPE;
}
-
+
k = malloc (sizeof(*k));
if (k == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy(k, &context->kt_types[i], sizeof(*k));
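Review bot: The backend lookup `strncasecmp(type, context->kt_types[i].prefix, type_len) == 0` compares only the first `type_len` bytes, so with the length that `keytab_name()` returns, an abbreviated type selects a longer registered prefix. A name that begins with `:` gives `type_len == 0` and matches whichever backend was registered first. If exact type matching is intended, the condition should also require `context->kt_types[i].prefix[type_len] == '\0'`. krb5_kt_resolve starts before this hunk and continues after it, so how `residual` is used afterwards is not visible here.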
@@ -118,27 +247,41 @@ krb5_kt_resolve(krb5_context context,
return ret;
}
-/*
+/**
* copy the name of the default keytab into `name'.
- * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
+ *
+ * @param context a Keberos context.
+ * @param name buffer where the name will be written
+ * @param namesize length of name
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
{
if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_CONFIG_NOTENUFSPACE;
}
return 0;
}
-/*
- * copy the name of the default modify keytab into `name'.
- * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
+/**
+ * Copy the name of the default modify keytab into `name'.
+ *
+ * @param context a Keberos context.
+ * @param name buffer where the name will be written
+ * @param namesize length of name
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
{
const char *kt = NULL;
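Review bot: The rewritten doc blocks for krb5_kt_default_name and krb5_kt_default_modify_name drop the one specific fact the old comments carried, that KRB5_CONFIG_NOTENUFSPACE is returned when `namesize` is too short. I would keep it in the return line, e.g. `@return 0, or KRB5_CONFIG_NOTENUFSPACE if namesize is too small for the name`, and describe `namesize` as the size of the `name` buffer rather than `length of name`. The word `Keberos` in the `@param context` lines is a typo that recurs in the other doc blocks of this file. krb5_kt_default_modify_name's body continues outside this hunk.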
@@ -148,40 +291,56 @@ krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
else {
size_t len = strcspn(context->default_keytab + 4, ",");
if(len >= namesize) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_CONFIG_NOTENUFSPACE;
}
strlcpy(name, context->default_keytab + 4, namesize);
name[len] = '\0';
return 0;
- }
+ }
} else
kt = context->default_keytab_modify;
if (strlcpy (name, kt, namesize) >= namesize) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_CONFIG_NOTENUFSPACE;
}
return 0;
}
-/*
+/**
* Set `id' to the default keytab.
- * Return 0 or an error.
+ *
+ * @param context a Keberos context.
+ * @param id the new default keytab.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default(krb5_context context, krb5_keytab *id)
{
return krb5_kt_resolve (context, context->default_keytab, id);
}
-/*
+/**
* Read the key identified by `(principal, vno, enctype)' from the
* keytab in `keyprocarg' (the default if == NULL) into `*key'.
- * Return 0 or an error.
+ *
+ * @param context a Keberos context.
+ * @param keyprocarg
+ * @param principal
+ * @param vno
+ * @param enctype
+ * @param key
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_read_service_key(krb5_context context,
krb5_pointer keyprocarg,
krb5_principal principal,
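Review bot: The doc block added for krb5_kt_read_service_key lists `keyprocarg`, `principal`, `vno`, `enctype` and `key` with no description, which leaves five empty parameter entries in the generated documentation. The prose above them already has the content: `@param keyprocarg keytab to read from, the default keytab if NULL` and `@param key the returned key` would be enough. How `*key` is released should be added once the body, which is outside this hunk, has been checked. For krb5_kt_default, `@param id the new default keytab` reads as if the call changes the default; `the resolved default keytab, free with krb5_kt_close()` matches the `krb5_kt_resolve` call it wraps.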
@@ -210,12 +369,21 @@ krb5_kt_read_service_key(krb5_context context,
return ret;
}
-/*
+/**
* Return the type of the `keytab' in the string `prefix of length
* `prefixsize'.
+ *
+ * @param context a Keberos context.
+ * @param keytab the keytab to get the prefix for
+ * @param prefix prefix buffer
+ * @param prefixsize length of prefix buffer
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_type(krb5_context context,
krb5_keytab keytab,
char *prefix,
@@ -225,13 +393,21 @@ krb5_kt_get_type(krb5_context context,
return 0;
}
-/*
+/**
* Retrieve the name of the keytab `keytab' into `name', `namesize'
- * Return 0 or an error.
+ *
+ * @param context a Keberos context.
+ * @param keytab the keytab to get the name for.
+ * @param name name buffer.
+ * @param namesize size of name buffer.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_kt_get_name(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kt_get_name(krb5_context context,
krb5_keytab keytab,
char *name,
size_t namesize)
@@ -239,21 +415,29 @@ krb5_kt_get_name(krb5_context context,
return (*keytab->get_name)(context, keytab, name, namesize);
}
-/*
+/**
* Retrieve the full name of the keytab `keytab' and store the name in
- * `str'. `str' needs to be freed by the caller using free(3).
- * Returns 0 or an error. On error, *str is set to NULL.
+ * `str'.
+ *
+ * @param context a Keberos context.
+ * @param keytab keytab to get name for.
+ * @param str the name of the keytab name, usee krb5_xfree() to free
+ * the string. On error, *str is set to NULL.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_kt_get_full_name(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kt_get_full_name(krb5_context context,
krb5_keytab keytab,
char **str)
{
char type[KRB5_KT_PREFIX_MAX_LEN];
char name[MAXPATHLEN];
krb5_error_code ret;
-
+
*str = NULL;
ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
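Review bot: The new `@param str` text says to release the string with `krb5_xfree()` (and contains the typo `usee`), whereas the removed comment said free(3) and the helper `_krb5_kt_principal_not_found` added later in this file releases the result with `free(kt_name)`. The two may well be equivalent, but the documentation and the in-tree caller should name the same function. A corrected line would be `@param str the full keytab name, free with krb5_xfree(). On error, *str is set to NULL.` The function body continues past this hunk.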
@@ -265,7 +449,7 @@ krb5_kt_get_full_name(krb5_context context,
return ret;
if (asprintf(str, "%s:%s", type, name) == -1) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
*str = NULL;
return ENOMEM;
}
@@ -273,13 +457,20 @@ krb5_kt_get_full_name(krb5_context context,
return 0;
}
-/*
+/**
* Finish using the keytab in `id'. All resources will be released,
- * even on errors. Return 0 or an error.
+ * even on errors.
+ *
+ * @param context a Keberos context.
+ * @param id keytab to close.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_kt_close(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kt_close(krb5_context context,
krb5_keytab id)
{
krb5_error_code ret;
@@ -290,21 +481,73 @@ krb5_kt_close(krb5_context context,
return ret;
}
+/**
+ * Destroy (remove) the keytab in `id'. All resources will be released,
+ * even on errors, does the equvalment of krb5_kt_close() on the resources.
+ *
+ * @param context a Keberos context.
+ * @param id keytab to destroy.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kt_destroy(krb5_context context,
+ krb5_keytab id)
+{
+ krb5_error_code ret;
+
+ ret = (*id->destroy)(context, id);
+ krb5_kt_close(context, id);
+ return ret;
+}
+
/*
+ * Match any aliases in keytab `entry' with `principal'.
+ */
+
+static krb5_boolean
+compare_aliseses(krb5_context context,
+ krb5_keytab_entry *entry,
+ krb5_const_principal principal)
+{
+ unsigned int i;
+ if (entry->aliases == NULL)
+ return FALSE;
+ for (i = 0; i < entry->aliases->len; i++)
+ if (krb5_principal_compare(context, &entry->aliases->val[i], principal))
+ return TRUE;
+ return FALSE;
+}
+
+/**
* Compare `entry' against `principal, vno, enctype'.
* Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
* Return TRUE if they compare the same, FALSE otherwise.
+ *
+ * @param context a Keberos context.
+ * @param entry an entry to match with.
+ * @param principal principal to match, NULL matches all principals.
+ * @param vno key version to match, 0 matches all key version numbers.
+ * @param enctype encryption type to match, 0 matches all encryption types.
+ *
+ * @return Return TRUE or match, FALSE if not matched.
+ *
+ * @ingroup krb5_keytab
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kt_compare(krb5_context context,
- krb5_keytab_entry *entry,
+ krb5_keytab_entry *entry,
krb5_const_principal principal,
krb5_kvno vno,
krb5_enctype enctype)
{
- if(principal != NULL &&
- !krb5_principal_compare(context, entry->principal, principal))
+ if(principal != NULL &&
+ !(krb5_principal_compare(context, entry->principal, principal) ||
+ compare_aliseses(context, entry, principal)))
return FALSE;
if(vno && vno != entry->vno)
return FALSE;
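Review bot: `krb5_kt_destroy` calls `(*id->destroy)(context, id)` without checking the pointer, while the other dispatchers in this file (`start_seq_get`, `next_entry`, `add`, `remove`) test for NULL first, and this same commit registers `krb5_any_ops` with `NULL, /* destroy */`. Destroying an ANY keytab would therefore call through a NULL function pointer. A guard that still honours the documented release-on-error behaviour is `ret = id->destroy ? (*id->destroy)(context, id) : HEIM_ERR_OPNOTSUPP;`, followed by the existing `krb5_kt_close` call. Separately, the helper name `compare_aliseses` looks like a misspelling of `compare_aliases`.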
@@ -313,14 +556,56 @@ krb5_kt_compare(krb5_context context,
return TRUE;
}
-/*
+krb5_error_code
+_krb5_kt_principal_not_found(krb5_context context,
+ krb5_error_code ret,
+ krb5_keytab id,
+ krb5_const_principal principal,
+ krb5_enctype enctype,
+ int kvno)
+{
+ char princ[256], kvno_str[25], *kt_name;
+ char *enctype_str = NULL;
+
+ krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
+ krb5_kt_get_full_name (context, id, &kt_name);
+ krb5_enctype_to_string(context, enctype, &enctype_str);
+
+ if (kvno)
+ snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
+ else
+ kvno_str[0] = '\0';
+
+ krb5_set_error_message (context, ret,
+ N_("Failed to find %s%s in keytab %s (%s)",
+ "principal, kvno, keytab file, enctype"),
+ princ,
+ kvno_str,
+ kt_name ? kt_name : "unknown keytab",
+ enctype_str ? enctype_str : "unknown enctype");
+ free(kt_name);
+ free(enctype_str);
+ return ret;
+}
+
+
+/**
* Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
- * from the keytab `id'.
- * kvno == 0 is a wildcard and gives the keytab with the highest vno.
- * Return 0 or an error.
+ * from the keytab `id'. Matching is done like krb5_kt_compare().
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param principal principal to match, NULL matches all principals.
+ * @param kvno key version to match, 0 matches all key version numbers.
+ * @param enctype encryption type to match, 0 matches all encryption types.
+ * @param entry the returned entry, free with krb5_kt_free_entry().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_entry(krb5_context context,
krb5_keytab id,
krb5_const_principal principal,
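Review bot: In `_krb5_kt_principal_not_found` the result of `krb5_unparse_name_fixed` is ignored and `princ` is then passed to `%s`. If that call can fail without writing the buffer (not visible here), the message is built from an uninitialised stack array, and the doc block below says `principal` may be NULL. Setting `princ[0] = '\0';` before the call, or substituting a fixed string when it returns non-zero, keeps the error path safe; `kt_name` and `enctype_str` already have NULL fallbacks. The helper is non-static and has no comment, so a line such as `/* Set a "not found" error message for this lookup and return ret. */` would help.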
@@ -337,8 +622,10 @@ krb5_kt_get_entry(krb5_context context,
ret = krb5_kt_start_seq_get (context, id, &cursor);
if (ret) {
- krb5_clear_error_string(context);
- return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
+ /* This is needed for krb5_verify_init_creds, but keep error
+ * string from previous error for the human. */
+ context->error_code = KRB5_KT_NOTFOUND;
+ return KRB5_KT_NOTFOUND;
}
entry->vno = 0;
@@ -361,38 +648,25 @@ krb5_kt_get_entry(krb5_context context,
krb5_kt_free_entry(context, &tmp);
}
krb5_kt_end_seq_get (context, id, &cursor);
- if (entry->vno) {
- return 0;
- } else {
- char princ[256], kvno_str[25], *kt_name;
- char *enctype_str = NULL;
-
- krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
- krb5_kt_get_full_name (context, id, &kt_name);
- krb5_enctype_to_string(context, enctype, &enctype_str);
-
- if (kvno)
- snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
- else
- kvno_str[0] = '\0';
-
- krb5_set_error_string (context,
- "Failed to find %s%s in keytab %s (%s)",
- princ,
- kvno_str,
- kt_name ? kt_name : "unknown keytab",
- enctype_str ? enctype_str : "unknown enctype");
- free(kt_name);
- free(enctype_str);
- return KRB5_KT_NOTFOUND;
- }
+ if (entry->vno == 0)
+ return _krb5_kt_principal_not_found(context, KRB5_KT_NOTFOUND,
+ id, principal, enctype, kvno);
+ return 0;
}
-/*
+/**
* Copy the contents of `in' into `out'.
- * Return 0 or an error. */
+ *
+ * @param context a Keberos context.
+ * @param in the keytab entry to copy.
+ * @param out the copy of the keytab entry, free with krb5_kt_free_entry().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_copy_entry_contents(krb5_context context,
const krb5_keytab_entry *in,
krb5_keytab_entry *out)
@@ -417,11 +691,18 @@ fail:
return ret;
}
-/*
+/**
* Free the contents of `entry'.
+ *
+ * @param context a Keberos context.
+ * @param entry the entry to free
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_free_entry(krb5_context context,
krb5_keytab_entry *entry)
{
@@ -431,98 +712,182 @@ krb5_kt_free_entry(krb5_context context,
return 0;
}
-/*
+/**
* Set `cursor' to point at the beginning of `id'.
- * Return 0 or an error.
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param cursor a newly allocated cursor, free with krb5_kt_end_seq_get().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_start_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
{
if(id->start_seq_get == NULL) {
- krb5_set_error_string(context,
- "start_seq_get is not supported in the %s "
- " keytab", id->prefix);
+ krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
+ N_("start_seq_get is not supported "
+ "in the %s keytab type", ""),
+ id->prefix);
return HEIM_ERR_OPNOTSUPP;
}
return (*id->start_seq_get)(context, id, cursor);
}
-/*
- * Get the next entry from `id' pointed to by `cursor' and advance the
- * `cursor'.
- * Return 0 or an error.
+/**
+ * Get the next entry from keytab, advance the cursor. On last entry
+ * the function will return KRB5_KT_END.
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param entry the returned entry, free with krb5_kt_free_entry().
+ * @param cursor the cursor of the iteration.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_next_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry,
krb5_kt_cursor *cursor)
{
if(id->next_entry == NULL) {
- krb5_set_error_string(context,
- "next_entry is not supported in the %s "
- " keytab", id->prefix);
+ krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
+ N_("next_entry is not supported in the %s "
+ " keytab", ""),
+ id->prefix);
return HEIM_ERR_OPNOTSUPP;
}
return (*id->next_entry)(context, id, entry, cursor);
}
-/*
+/**
* Release all resources associated with `cursor'.
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param cursor the cursor to free.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_end_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
{
if(id->end_seq_get == NULL) {
- krb5_set_error_string(context,
- "end_seq_get is not supported in the %s "
- " keytab", id->prefix);
+ krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
+ "end_seq_get is not supported in the %s "
+ " keytab", id->prefix);
return HEIM_ERR_OPNOTSUPP;
}
return (*id->end_seq_get)(context, id, cursor);
}
-/*
+/**
* Add the entry in `entry' to the keytab `id'.
- * Return 0 or an error.
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param entry the entry to add
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_add_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
{
if(id->add == NULL) {
- krb5_set_error_string(context, "Add is not supported in the %s keytab",
- id->prefix);
+ krb5_set_error_message(context, KRB5_KT_NOWRITE,
+ N_("Add is not supported in the %s keytab", ""),
+ id->prefix);
return KRB5_KT_NOWRITE;
}
entry->timestamp = time(NULL);
return (*id->add)(context, id,entry);
}
-/*
- * Remove the entry `entry' from the keytab `id'.
- * Return 0 or an error.
+/**
+ * Remove an entry from the keytab, matching is done using
+ * krb5_kt_compare().
+
+ * @param context a Keberos context.
+ * @param id a keytab.
+ * @param entry the entry to remove
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
{
if(id->remove == NULL) {
- krb5_set_error_string(context,
- "Remove is not supported in the %s keytab",
- id->prefix);
+ krb5_set_error_message(context, KRB5_KT_NOWRITE,
+ N_("Remove is not supported in the %s keytab", ""),
+ id->prefix);
return KRB5_KT_NOWRITE;
}
return (*id->remove)(context, id, entry);
}
+
+/**
+ * Return true if the keytab exists and have entries
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_kt_have_content(krb5_context context,
+ krb5_keytab id)
+{
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ krb5_error_code ret;
+ char *name;
+
+ ret = krb5_kt_start_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ ret = krb5_kt_next_entry(context, id, &entry, &cursor);
+ krb5_kt_end_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ krb5_kt_free_entry(context, &entry);
+
+ return 0;
+
+ notfound:
+ ret = krb5_kt_get_full_name(context, id, &name);
+ if (ret == 0) {
+ krb5_set_error_message(context, KRB5_KT_NOTFOUND,
+ N_("No entry in keytab: %s", ""), name);
+ free(name);
+ }
+ return KRB5_KT_NOTFOUND;
+}
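Review bot: `krb5_kt_have_content` is declared `krb5_boolean` and its brief says `Return true if the keytab exists and have entries`, but it returns `0` when an entry was found and `KRB5_KT_NOTFOUND` otherwise, so a caller that tests the result as a boolean gets the opposite answer. The `@return` line already describes an error code, so the declaration should follow it: `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`, with the brief reworded to `Return 0 if the keytab exists and has entries`. In the same hunk, krb5_kt_end_seq_get passes its format string without the `N_()` wrapper that the sibling functions use.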
diff --git a/crypto/heimdal/lib/krb5/keytab_any.c b/crypto/heimdal/lib/krb5/keytab_any.c
index 54272d48453f..d5ac4883db10 100644
--- a/crypto/heimdal/lib/krb5/keytab_any.c
+++ b/crypto/heimdal/lib/krb5/keytab_any.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 2001-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2001-2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keytab_any.c 17035 2006-04-10 09:20:13Z lha $");
-
struct any_data {
krb5_keytab kt;
char *name;
@@ -55,7 +53,7 @@ free_list (krb5_context context, struct any_data *a)
}
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_resolve(krb5_context context, const char *name, krb5_keytab id)
{
struct any_data *a, *a0 = NULL, *prev = NULL;
@@ -63,7 +61,7 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id)
char buf[256];
while (strsep_copy(&name, ",", buf, sizeof(buf)) != -1) {
- a = malloc(sizeof(*a));
+ a = calloc(1, sizeof(*a));
if (a == NULL) {
ret = ENOMEM;
goto fail;
@@ -72,8 +70,8 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id)
a0 = a;
a->name = strdup(buf);
if (a->name == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
} else
@@ -87,7 +85,7 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id)
prev = a;
}
if (a0 == NULL) {
- krb5_set_error_string(context, "empty ANY: keytab");
+ krb5_set_error_message(context, ENOENT, N_("empty ANY: keytab", ""));
return ENOENT;
}
id->data = a0;
@@ -97,7 +95,7 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id)
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_get_name (krb5_context context,
krb5_keytab id,
char *name,
@@ -108,7 +106,7 @@ any_get_name (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_close (krb5_context context,
krb5_keytab id)
{
@@ -123,9 +121,9 @@ struct any_cursor_extra_data {
krb5_kt_cursor cursor;
};
-static krb5_error_code
-any_start_seq_get(krb5_context context,
- krb5_keytab id,
+static krb5_error_code KRB5_CALLCONV
+any_start_seq_get(krb5_context context,
+ krb5_keytab id,
krb5_kt_cursor *c)
{
struct any_data *a = id->data;
@@ -134,21 +132,25 @@ any_start_seq_get(krb5_context context,
c->data = malloc (sizeof(struct any_cursor_extra_data));
if(c->data == NULL){
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ed = (struct any_cursor_extra_data *)c->data;
- ed->a = a;
- ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
- if (ret) {
+ for (ed->a = a; ed->a != NULL; ed->a = ed->a->next) {
+ ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+ if (ret == 0)
+ break;
+ }
+ if (ed->a == NULL) {
free (c->data);
c->data = NULL;
- return ret;
+ krb5_clear_error_message (context);
+ return KRB5_KT_END;
}
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_next_entry (krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry,
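Review bot: The new loop in `any_start_seq_get` skips every member keytab whose `krb5_kt_start_seq_get` fails, and when all of them fail it clears the error message and returns `KRB5_KT_END`. An unreadable or wrongly permissioned member then looks the same to the caller as an empty ANY keytab. If that is intended, the loop should say so, e.g. `/* start at the first member that can be opened; failures of individual members are ignored */`; otherwise keep the last `ret` and its message for the all-failed case. The declarations of `ret` and `ed` are outside this hunk.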
@@ -174,13 +176,13 @@ any_next_entry (krb5_context context,
break;
}
if (ed->a == NULL) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_KT_END;
}
} while (1);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_end_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
@@ -196,7 +198,7 @@ any_end_seq_get(krb5_context context,
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_add_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
@@ -206,8 +208,9 @@ any_add_entry(krb5_context context,
while(a != NULL) {
ret = krb5_kt_add_entry(context, a->kt, entry);
if(ret != 0 && ret != KRB5_KT_NOWRITE) {
- krb5_set_error_string(context, "failed to add entry to %s",
- a->name);
+ krb5_set_error_message(context, ret,
+ N_("failed to add entry to %s", ""),
+ a->name);
return ret;
}
a = a->next;
@@ -215,7 +218,7 @@ any_add_entry(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
any_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
@@ -229,8 +232,10 @@ any_remove_entry(krb5_context context,
found++;
else {
if(ret != KRB5_KT_NOWRITE && ret != KRB5_KT_NOTFOUND) {
- krb5_set_error_string(context, "failed to remove entry from %s",
- a->name);
+ krb5_set_error_message(context, ret,
+ N_("Failed to remove keytab "
+ "entry from %s", "keytab name"),
+ a->name);
return ret;
}
}
@@ -246,6 +251,7 @@ const krb5_kt_ops krb5_any_ops = {
any_resolve,
any_get_name,
any_close,
+ NULL, /* destroy */
NULL, /* get */
any_start_seq_get,
any_next_entry,
diff --git a/crypto/heimdal/lib/krb5/keytab_file.c b/crypto/heimdal/lib/krb5/keytab_file.c
index 4ada3a463ea8..ccaf62fcb4c2 100644
--- a/crypto/heimdal/lib/krb5/keytab_file.c
+++ b/crypto/heimdal/lib/krb5/keytab_file.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keytab_file.c 17457 2006-05-05 12:36:57Z lha $");
-
#define KRB5_KT_VNO_1 1
#define KRB5_KT_VNO_2 2
#define KRB5_KT_VNO KRB5_KT_VNO_2
@@ -62,7 +60,7 @@ krb5_kt_ret_data(krb5_context context,
data->length = size;
data->data = malloc(size);
if (data->data == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = krb5_storage_read(sp, data->data, size);
@@ -83,7 +81,7 @@ krb5_kt_ret_string(krb5_context context,
return ret;
*data = malloc(size + 1);
if (*data == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = krb5_storage_read(sp, *data, size);
@@ -103,7 +101,7 @@ krb5_kt_store_data(krb5_context context,
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != data.length){
+ if(ret != (int)data.length){
if(ret < 0)
return errno;
return KRB5_KT_END;
@@ -121,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp,
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data, len);
- if(ret != len){
+ if(ret != (int)len){
if(ret < 0)
return errno;
return KRB5_KT_END;
@@ -130,76 +128,113 @@ krb5_kt_store_string(krb5_storage *sp,
}
static krb5_error_code
-krb5_kt_ret_keyblock(krb5_context context, krb5_storage *sp, krb5_keyblock *p)
+krb5_kt_ret_keyblock(krb5_context context,
+ struct fkt_data *fkt,
+ krb5_storage *sp,
+ krb5_keyblock *p)
{
int ret;
int16_t tmp;
ret = krb5_ret_int16(sp, &tmp); /* keytype + etype */
- if(ret) return ret;
+ if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Cant read keyblock from file %s", ""),
+ fkt->filename);
+ return ret;
+ }
p->keytype = tmp;
ret = krb5_kt_ret_data(context, sp, &p->keyvalue);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Cant read keyblock from file %s", ""),
+ fkt->filename);
return ret;
}
static krb5_error_code
krb5_kt_store_keyblock(krb5_context context,
- krb5_storage *sp,
+ struct fkt_data *fkt,
+ krb5_storage *sp,
krb5_keyblock *p)
{
int ret;
ret = krb5_store_int16(sp, p->keytype); /* keytype + etype */
- if(ret) return ret;
+ if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Cant store keyblock to file %s", ""),
+ fkt->filename);
+ return ret;
+ }
ret = krb5_kt_store_data(context, sp, p->keyvalue);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Cant store keyblock to file %s", ""),
+ fkt->filename);
return ret;
}
static krb5_error_code
krb5_kt_ret_principal(krb5_context context,
+ struct fkt_data *fkt,
krb5_storage *sp,
krb5_principal *princ)
{
- int i;
+ size_t i;
int ret;
krb5_principal p;
int16_t len;
-
+
ALLOC(p, 1);
if(p == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = krb5_ret_int16(sp, &len);
if(ret) {
- krb5_set_error_string(context,
- "Failed decoding length of keytab principal");
+ krb5_set_error_message(context, ret,
+ N_("Failed decoding length of "
+ "keytab principal in keytab file %s", ""),
+ fkt->filename);
goto out;
}
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
len--;
if (len < 0) {
- krb5_set_error_string(context,
- "Keytab principal contains invalid length");
ret = KRB5_KT_END;
+ krb5_set_error_message(context, ret,
+ N_("Keytab principal contains "
+ "invalid length in keytab %s", ""),
+ fkt->filename);
goto out;
}
ret = krb5_kt_ret_string(context, sp, &p->realm);
- if(ret)
+ if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Can't read realm from keytab: %s", ""),
+ fkt->filename);
goto out;
+ }
p->name.name_string.val = calloc(len, sizeof(*p->name.name_string.val));
if(p->name.name_string.val == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
p->name.name_string.len = len;
for(i = 0; i < p->name.name_string.len; i++){
ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i);
- if(ret)
+ if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Can't read principal from "
+ "keytab: %s", ""),
+ fkt->filename);
goto out;
+ }
}
if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
p->name.name_type = KRB5_NT_UNKNOWN;
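Review bot: In krb5_kt_ret_principal a component count of zero reaches `calloc(len, sizeof(*p->name.name_string.val))`, and the C standard allows `calloc(0, …)` to return NULL, which the following test reports as ENOMEM. `len` can be zero either directly from the file or after the `len--` adjustment for KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS, since only `len < 0` is rejected. Testing `if(p->name.name_string.val == NULL && len != 0) {` keeps the out-of-memory path for real allocation failures only. The function body continues past the end of this hunk.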
@@ -207,8 +242,13 @@ krb5_kt_ret_principal(krb5_context context,
int32_t tmp32;
ret = krb5_ret_int32(sp, &tmp32);
p->name.name_type = tmp32;
- if (ret)
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Can't read name-type from "
+ "keytab: %s", ""),
+ fkt->filename);
goto out;
+ }
}
*princ = p;
return 0;
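Review bot: `p->name.name_type = tmp32;` still runs before the `if (ret)` check, so a failed krb5_ret_int32() copies `tmp32` into the principal before the error path is taken. Whether krb5_ret_int32() writes its output on failure is not visible here; if it does not, this reads an uninitialised local. Moving the assignment below the `if (ret) { … goto out; }` block avoids the question. The same ordering appears in fkt_next_entry_int, where `entry->timestamp = utmp32;` precedes its `if (ret)`.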
@@ -222,9 +262,9 @@ krb5_kt_store_principal(krb5_context context,
krb5_storage *sp,
krb5_principal p)
{
- int i;
+ size_t i;
int ret;
-
+
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
ret = krb5_store_int16(sp, p->name.name_string.len + 1);
else
@@ -246,20 +286,20 @@ krb5_kt_store_principal(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
{
struct fkt_data *d;
d = malloc(sizeof(*d));
if(d == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
d->filename = strdup(name);
if(d->filename == NULL) {
free(d);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
d->flags = 0;
@@ -267,7 +307,7 @@ fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fkt_resolve_java14(krb5_context context, const char *name, krb5_keytab id)
{
krb5_error_code ret;
@@ -280,7 +320,7 @@ fkt_resolve_java14(krb5_context context, const char *name, krb5_keytab id)
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fkt_close(krb5_context context, krb5_keytab id)
{
struct fkt_data *d = id->data;
@@ -289,10 +329,18 @@ fkt_close(krb5_context context, krb5_keytab id)
return 0;
}
-static krb5_error_code
-fkt_get_name(krb5_context context,
- krb5_keytab id,
- char *name,
+static krb5_error_code KRB5_CALLCONV
+fkt_destroy(krb5_context context, krb5_keytab id)
+{
+ struct fkt_data *d = id->data;
+ _krb5_erase_file(context, d->filename);
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+fkt_get_name(krb5_context context,
+ krb5_keytab id,
+ char *name,
size_t namesize)
{
/* This function is XXX */
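Review bot: The new fkt_destroy discards the result of `_krb5_erase_file(context, d->filename)` and always returns 0, so a caller is told the keytab was destroyed even when the file holding the long-term keys could not be erased. If `_krb5_erase_file` returns a krb5_error_code (its prototype is not visible in this hunk), `return _krb5_erase_file(context, d->filename);` propagates the failure. fkt_get_name begins in this hunk and continues outside it.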
@@ -314,15 +362,15 @@ storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
case KRB5_KT_VNO_2:
break;
default:
- krb5_warnx(context,
+ krb5_warnx(context,
"storage_set_flags called with bad vno (%d)", vno);
}
krb5_storage_set_flags(sp, flags);
}
static krb5_error_code
-fkt_start_seq_get_int(krb5_context context,
- krb5_keytab id,
+fkt_start_seq_get_int(krb5_context context,
+ krb5_keytab id,
int flags,
int exclusive,
krb5_kt_cursor *c)
@@ -330,14 +378,16 @@ fkt_start_seq_get_int(krb5_context context,
int8_t pvno, tag;
krb5_error_code ret;
struct fkt_data *d = id->data;
-
+
c->fd = open (d->filename, flags);
if (c->fd < 0) {
ret = errno;
- krb5_set_error_string(context, "%s: %s", d->filename,
- strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("keytab %s open failed: %s", ""),
+ d->filename, strerror(ret));
return ret;
}
+ rk_cloexec(c->fd);
ret = _krb5_xlock(context, c->fd, exclusive, d->filename);
if (ret) {
close(c->fd);
@@ -347,7 +397,8 @@ fkt_start_seq_get_int(krb5_context context,
if (c->sp == NULL) {
_krb5_xunlock(context, c->fd);
close(c->fd);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
@@ -356,14 +407,14 @@ fkt_start_seq_get_int(krb5_context context,
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
if(pvno != 5) {
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_KEYTAB_BADVNO;
}
ret = krb5_ret_int8(c->sp, &tag);
@@ -371,7 +422,7 @@ fkt_start_seq_get_int(krb5_context context,
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
id->version = tag;
@@ -379,26 +430,28 @@ fkt_start_seq_get_int(krb5_context context,
return 0;
}
-static krb5_error_code
-fkt_start_seq_get(krb5_context context,
- krb5_keytab id,
+static krb5_error_code KRB5_CALLCONV
+fkt_start_seq_get(krb5_context context,
+ krb5_keytab id,
krb5_kt_cursor *c)
{
- return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, 0, c);
+ return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY | O_CLOEXEC, 0, c);
}
static krb5_error_code
-fkt_next_entry_int(krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry,
+fkt_next_entry_int(krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
krb5_kt_cursor *cursor,
off_t *start,
off_t *end)
{
+ struct fkt_data *d = id->data;
int32_t len;
int ret;
int8_t tmp8;
int32_t tmp32;
+ uint32_t utmp32;
off_t pos, curpos;
pos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
@@ -410,18 +463,18 @@ loop:
pos = krb5_storage_seek(cursor->sp, -len, SEEK_CUR);
goto loop;
}
- ret = krb5_kt_ret_principal (context, cursor->sp, &entry->principal);
+ ret = krb5_kt_ret_principal (context, d, cursor->sp, &entry->principal);
if (ret)
goto out;
- ret = krb5_ret_int32(cursor->sp, &tmp32);
- entry->timestamp = tmp32;
+ ret = krb5_ret_uint32(cursor->sp, &utmp32);
+ entry->timestamp = utmp32;
if (ret)
goto out;
ret = krb5_ret_int8(cursor->sp, &tmp8);
if (ret)
goto out;
entry->vno = tmp8;
- ret = krb5_kt_ret_keyblock (context, cursor->sp, &entry->keyblock);
+ ret = krb5_kt_ret_keyblock (context, d, cursor->sp, &entry->keyblock);
if (ret)
goto out;
/* there might be a 32 bit kvno here
@@ -430,10 +483,19 @@ loop:
curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
if(len + 4 + pos - curpos >= 4) {
ret = krb5_ret_int32(cursor->sp, &tmp32);
- if (ret == 0 && tmp32 != 0) {
+ if (ret == 0 && tmp32 != 0)
entry->vno = tmp32;
- }
}
+ /* there might be a flags field here */
+ if(len + 4 + pos - curpos >= 8) {
+ ret = krb5_ret_uint32(cursor->sp, &utmp32);
+ if (ret == 0)
+ entry->flags = utmp32;
+ } else
+ entry->flags = 0;
+
+ entry->aliases = NULL;
+
if(start) *start = pos;
if(end) *end = pos + 4 + len;
out:
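Review bot: When the `krb5_ret_uint32` read of the optional flags field fails, `entry->flags` is never assigned, because `else entry->flags = 0;` only covers the case where the record is too short. The non-zero `ret` then falls through to `out:` and is returned for an entry whose principal and keyblock were already read; whether those are released on that path is not visible in this hunk. Setting `entry->flags = 0;` before the `if(len + 4 + pos - curpos >= 8)` test gives the field a defined value on every path. A short comment saying whether a failed optional read should fail the whole entry would also help.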
@@ -441,17 +503,17 @@ loop:
return ret;
}
-static krb5_error_code
-fkt_next_entry(krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry,
+static krb5_error_code KRB5_CALLCONV
+fkt_next_entry(krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
krb5_kt_cursor *cursor)
{
return fkt_next_entry_int(context, id, entry, cursor, NULL, NULL);
}
-static krb5_error_code
-fkt_end_seq_get(krb5_context context,
+static krb5_error_code KRB5_CALLCONV
+fkt_end_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
{
@@ -461,7 +523,7 @@ fkt_end_seq_get(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fkt_setup_keytab(krb5_context context,
krb5_keytab id,
krb5_storage *sp)
@@ -474,8 +536,8 @@ fkt_setup_keytab(krb5_context context,
id->version = KRB5_KT_VNO;
return krb5_store_int8 (sp, id->version);
}
-
-static krb5_error_code
+
+static krb5_error_code KRB5_CALLCONV
fkt_add_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
@@ -486,16 +548,19 @@ fkt_add_entry(krb5_context context,
struct fkt_data *d = id->data;
krb5_data keytab;
int32_t len;
-
- fd = open (d->filename, O_RDWR | O_BINARY);
+
+ fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
- fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+ fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
- krb5_set_error_string(context, "open(%s): %s", d->filename,
- strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("open(%s): %s", ""), d->filename,
+ strerror(ret));
return ret;
}
+ rk_cloexec(fd);
+
ret = _krb5_xlock(context, fd, 1, d->filename);
if (ret) {
close(fd);
@@ -510,6 +575,9 @@ fkt_add_entry(krb5_context context,
storage_set_flags(context, sp, id->version);
} else {
int8_t pvno, tag;
+
+ rk_cloexec(fd);
+
ret = _krb5_xlock(context, fd, 1, d->filename);
if (ret) {
close(fd);
@@ -523,22 +591,26 @@ fkt_add_entry(krb5_context context,
properly */
ret = fkt_setup_keytab(context, id, sp);
if(ret) {
- krb5_set_error_string(context, "%s: keytab is corrupted: %s",
- d->filename, strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("%s: keytab is corrupted: %s", ""),
+ d->filename, strerror(ret));
goto out;
}
storage_set_flags(context, sp, id->version);
} else {
if(pvno != 5) {
ret = KRB5_KEYTAB_BADVNO;
- krb5_set_error_string(context, "%s: %s",
- d->filename, strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("Bad version in keytab %s", ""),
+ d->filename);
goto out;
}
ret = krb5_ret_int8 (sp, &tag);
if (ret) {
- krb5_set_error_string(context, "%s: reading tag: %s",
- d->filename, strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("failed reading tag from "
+ "keytab %s", ""),
+ d->filename);
goto out;
}
id->version = tag;
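Review bot: The "keytab is corrupted" message still formats `strerror(ret)`, but `ret` comes from fkt_setup_keytab, which returns the result of krb5_store_int8() and so is presumably a krb5 storage error rather than an errno value. The two other messages rewritten in this hunk dropped `strerror(ret)` for that reason. The same treatment here would be `krb5_set_error_message(context, ret, N_("%s: keytab is corrupted", ""), d->filename);`. The enclosing fkt_add_entry starts and ends outside this hunk.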
@@ -551,25 +623,38 @@ fkt_add_entry(krb5_context context,
emem = krb5_storage_emem();
if(emem == NULL) {
ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
ret = krb5_kt_store_principal(context, emem, entry->principal);
if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed storing principal "
+ "in keytab %s", ""),
+ d->filename);
krb5_storage_free(emem);
goto out;
}
ret = krb5_store_int32 (emem, entry->timestamp);
if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed storing timpstamp "
+ "in keytab %s", ""),
+ d->filename);
krb5_storage_free(emem);
goto out;
}
ret = krb5_store_int8 (emem, entry->vno % 256);
if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed storing kvno "
+ "in keytab %s", ""),
+ d->filename);
krb5_storage_free(emem);
goto out;
}
- ret = krb5_kt_store_keyblock (context, emem, &entry->keyblock);
+ ret = krb5_kt_store_keyblock (context, d, emem, &entry->keyblock);
if(ret) {
krb5_storage_free(emem);
goto out;
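Review bot: The new translatable string reads "Failed storing timpstamp"; it should be `N_("Failed storing timestamp " "in keytab %s", "")`. The timestamp is also still written with `krb5_store_int32` while the reader in fkt_next_entry_int was switched to `krb5_ret_uint32` in this commit. Using `krb5_store_uint32 (emem, entry->timestamp);` would keep both sides on the same type, assuming `entry->timestamp` is meant to be treated as unsigned on disk.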
@@ -577,6 +662,19 @@ fkt_add_entry(krb5_context context,
if ((d->flags & KRB5_KT_FL_JAVA) == 0) {
ret = krb5_store_int32 (emem, entry->vno);
if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed storing extended kvno "
+ "in keytab %s", ""),
+ d->filename);
+ krb5_storage_free(emem);
+ goto out;
+ }
+ ret = krb5_store_uint32 (emem, entry->flags);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed storing extended kvno "
+ "in keytab %s", ""),
+ d->filename);
krb5_storage_free(emem);
goto out;
}
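Review bot: The error message for the new `krb5_store_uint32 (emem, entry->flags)` call was copied from the kvno case above it and still says "Failed storing extended kvno". A failure writing the flags field would be reported as a kvno failure. The message should name the field, for example `N_("Failed storing flags " "in keytab %s", "")`.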
@@ -584,10 +682,15 @@ fkt_add_entry(krb5_context context,
ret = krb5_storage_to_data(emem, &keytab);
krb5_storage_free(emem);
- if(ret)
+ if(ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed converting keytab entry "
+ "to memory block for keytab %s", ""),
+ d->filename);
goto out;
+ }
}
-
+
while(1) {
ret = krb5_ret_int32(sp, &len);
if(ret == KRB5_KT_END) {
@@ -596,7 +699,7 @@ fkt_add_entry(krb5_context context,
}
if(len < 0) {
len = -len;
- if(len >= keytab.length) {
+ if(len >= (int)keytab.length) {
krb5_storage_seek(sp, -4, SEEK_CUR);
break;
}
@@ -604,8 +707,13 @@ fkt_add_entry(krb5_context context,
krb5_storage_seek(sp, len, SEEK_CUR);
}
ret = krb5_store_int32(sp, len);
- if(krb5_storage_write(sp, keytab.data, keytab.length) < 0)
+ if(krb5_storage_write(sp, keytab.data, keytab.length) < 0) {
ret = errno;
+ krb5_set_error_message(context, ret,
+ N_("Failed writing keytab block "
+ "in keytab %s: %s", ""),
+ d->filename, strerror(ret));
+ }
memset(keytab.data, 0, keytab.length);
krb5_data_free(&keytab);
out:
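Review bot: `if(krb5_storage_write(sp, keytab.data, keytab.length) < 0)` only catches a negative return, so a short write leaves a truncated key entry in the keytab while the function reports success. krb5_kt_store_data in this same file compares the return value with the length (`if(ret != (int)data.length)`) and returns KRB5_KT_END on a short write; the same check fits here. The result of the preceding `krb5_store_int32(sp, len)` is also not tested before the entry body is written. The enclosing fkt_add_entry starts and ends outside this hunk.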
@@ -615,7 +723,7 @@ fkt_add_entry(krb5_context context,
return ret;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
fkt_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
@@ -625,13 +733,13 @@ fkt_remove_entry(krb5_context context,
off_t pos_start, pos_end;
int found = 0;
krb5_error_code ret;
-
- ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, 1, &cursor);
- if(ret != 0)
+
+ ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY | O_CLOEXEC, 1, &cursor);
+ if(ret != 0)
goto out; /* return other error here? */
- while(fkt_next_entry_int(context, id, &e, &cursor,
+ while(fkt_next_entry_int(context, id, &e, &cursor,
&pos_start, &pos_end) == 0) {
- if(krb5_kt_compare(context, &e, entry->principal,
+ if(krb5_kt_compare(context, &e, entry->principal,
entry->vno, entry->keyblock.keytype)) {
int32_t len;
unsigned char buf[128];
@@ -641,8 +749,9 @@ fkt_remove_entry(krb5_context context,
krb5_store_int32(cursor.sp, -len);
memset(buf, 0, sizeof(buf));
while(len > 0) {
- krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf)));
- len -= min(len, sizeof(buf));
+ krb5_storage_write(cursor.sp, buf,
+ min((size_t)len, sizeof(buf)));
+ len -= min((size_t)len, sizeof(buf));
}
}
krb5_kt_free_entry(context, &e);
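Review bot: The return values of `krb5_store_int32(cursor.sp, -len)` and of `krb5_storage_write(cursor.sp, buf, …)` in the zeroing loop are ignored, so a failed or short write leaves the removed entry's key bytes in the file. The function still returns 0 once `found` is set (visible in the next hunk). For a routine whose purpose is to erase key material, a write failure should be recorded, for example by saving the first failure in `ret` and returning it instead of 0. The enclosing fkt_remove_entry starts and ends outside this hunk.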
@@ -650,7 +759,7 @@ fkt_remove_entry(krb5_context context,
krb5_kt_end_seq_get(context, id, &cursor);
out:
if (!found) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_KT_NOTFOUND;
}
return 0;
@@ -661,6 +770,7 @@ const krb5_kt_ops krb5_fkt_ops = {
fkt_resolve,
fkt_get_name,
fkt_close,
+ fkt_destroy,
NULL, /* get */
fkt_start_seq_get,
fkt_next_entry,
@@ -674,6 +784,7 @@ const krb5_kt_ops krb5_wrfkt_ops = {
fkt_resolve,
fkt_get_name,
fkt_close,
+ fkt_destroy,
NULL, /* get */
fkt_start_seq_get,
fkt_next_entry,
@@ -687,6 +798,7 @@ const krb5_kt_ops krb5_javakt_ops = {
fkt_resolve_java14,
fkt_get_name,
fkt_close,
+ fkt_destroy,
NULL, /* get */
fkt_start_seq_get,
fkt_next_entry,
diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c
index 77455ba5f7c2..120083215542 100644
--- a/crypto/heimdal/lib/krb5/keytab_keyfile.c
+++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c
@@ -1,45 +1,45 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keytab_keyfile.c 20695 2007-05-30 14:09:09Z lha $");
+#ifndef HEIMDAL_SMALLER
/* afs keyfile operations --------------------------------------- */
/*
* Minimum tools to handle the AFS KeyFile.
- *
+ *
* Format of the KeyFile is:
* <int32_t numkeys> {[<int32_t kvno> <char[8] deskey>] * numkeys}
*
@@ -52,7 +52,7 @@ RCSID("$Id: keytab_keyfile.c 20695 2007-05-30 14:09:09Z lha $");
#define AFS_SERVERMAGICKRBCONF "/usr/afs/etc/krb.conf"
struct akf_data {
- int num_entries;
+ uint32_t num_entries;
char *filename;
char *cell;
char *realm;
@@ -72,13 +72,17 @@ get_cell_and_realm (krb5_context context, struct akf_data *d)
f = fopen (AFS_SERVERTHISCELL, "r");
if (f == NULL) {
ret = errno;
- krb5_set_error_string (context, "open %s: %s", AFS_SERVERTHISCELL,
- strerror(ret));
+ krb5_set_error_message (context, ret,
+ N_("Open ThisCell %s: %s", ""),
+ AFS_SERVERTHISCELL,
+ strerror(ret));
return ret;
}
if (fgets (buf, sizeof(buf), f) == NULL) {
fclose (f);
- krb5_set_error_string (context, "no cell in %s", AFS_SERVERTHISCELL);
+ krb5_set_error_message (context, EINVAL,
+ N_("No cell in ThisCell file %s", ""),
+ AFS_SERVERTHISCELL);
return EINVAL;
}
buf[strcspn(buf, "\n")] = '\0';
@@ -86,7 +90,8 @@ get_cell_and_realm (krb5_context context, struct akf_data *d)
d->cell = strdup (buf);
if (d->cell == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -96,8 +101,9 @@ get_cell_and_realm (krb5_context context, struct akf_data *d)
free (d->cell);
d->cell = NULL;
fclose (f);
- krb5_set_error_string (context, "no realm in %s",
- AFS_SERVERMAGICKRBCONF);
+ krb5_set_error_message (context, EINVAL,
+ N_("No realm in ThisCell file %s", ""),
+ AFS_SERVERMAGICKRBCONF);
return EINVAL;
}
buf[strcspn(buf, "\n")] = '\0';
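Review bot: The new message says "No realm in ThisCell file %s" but the path passed is AFS_SERVERMAGICKRBCONF, which the file defines as "/usr/afs/etc/krb.conf". The wording was copied from the ThisCell case earlier in get_cell_and_realm. Something like `N_("No realm in krb.conf file %s", "")` would point the administrator at the right file. The function starts and ends outside this hunk.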
@@ -106,12 +112,13 @@ get_cell_and_realm (krb5_context context, struct akf_data *d)
/* uppercase */
for (cp = buf; *cp != '\0'; cp++)
*cp = toupper((unsigned char)*cp);
-
+
d->realm = strdup (buf);
if (d->realm == NULL) {
free (d->cell);
d->cell = NULL;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
@@ -121,17 +128,18 @@ get_cell_and_realm (krb5_context context, struct akf_data *d)
* init and get filename
*/
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
akf_resolve(krb5_context context, const char *name, krb5_keytab id)
{
int ret;
struct akf_data *d = malloc(sizeof (struct akf_data));
if (d == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
d->num_entries = 0;
ret = get_cell_and_realm (context, d);
if (ret) {
@@ -143,11 +151,12 @@ akf_resolve(krb5_context context, const char *name, krb5_keytab id)
free (d->cell);
free (d->realm);
free (d);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
id->data = d;
-
+
return 0;
}
@@ -155,7 +164,7 @@ akf_resolve(krb5_context context, const char *name, krb5_keytab id)
* cleanup
*/
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
akf_close(krb5_context context, krb5_keytab id)
{
struct akf_data *d = id->data;
@@ -170,10 +179,10 @@ akf_close(krb5_context context, krb5_keytab id)
* Return filename
*/
-static krb5_error_code
-akf_get_name(krb5_context context,
- krb5_keytab id,
- char *name,
+static krb5_error_code KRB5_CALLCONV
+akf_get_name(krb5_context context,
+ krb5_keytab id,
+ char *name,
size_t name_sz)
{
struct akf_data *d = id->data;
@@ -183,31 +192,40 @@ akf_get_name(krb5_context context,
}
/*
- * Init
+ * Init
*/
-static krb5_error_code
-akf_start_seq_get(krb5_context context,
- krb5_keytab id,
+static krb5_error_code KRB5_CALLCONV
+akf_start_seq_get(krb5_context context,
+ krb5_keytab id,
krb5_kt_cursor *c)
{
int32_t ret;
struct akf_data *d = id->data;
- c->fd = open (d->filename, O_RDONLY|O_BINARY, 0600);
+ c->fd = open (d->filename, O_RDONLY | O_BINARY | O_CLOEXEC, 0600);
if (c->fd < 0) {
ret = errno;
- krb5_set_error_string(context, "open(%s): %s", d->filename,
- strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("keytab afs keyfile open %s failed: %s", ""),
+ d->filename, strerror(ret));
return ret;
}
+ c->data = NULL;
c->sp = krb5_storage_from_fd(c->fd);
- ret = krb5_ret_int32(c->sp, &d->num_entries);
- if(ret) {
+ if (c->sp == NULL) {
+ close(c->fd);
+ krb5_clear_error_message (context);
+ return KRB5_KT_NOTFOUND;
+ }
+ krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
+
+ ret = krb5_ret_uint32(c->sp, &d->num_entries);
+ if(ret || d->num_entries > INT_MAX / 8) {
krb5_storage_free(c->sp);
close(c->fd);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
if(ret == KRB5_KT_END)
return KRB5_KT_NOTFOUND;
return ret;
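Review bot: The added bound `d->num_entries > INT_MAX / 8` shares the error branch with `ret`, so when the read succeeds but the count is too large the branch frees `c->sp`, closes `c->fd` and then executes `return ret;` with `ret == 0`. The caller is told the cursor is valid while its storage has been freed and its descriptor closed. The branch needs an error code for that case, for example `if (ret == 0) ret = EINVAL;` before the final `return ret;`. EINVAL is only a suggestion; any non-zero code the callers already handle would do. The function's closing lines are outside this hunk.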
@@ -216,10 +234,10 @@ akf_start_seq_get(krb5_context context,
return 0;
}
-static krb5_error_code
-akf_next_entry(krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry,
+static krb5_error_code KRB5_CALLCONV
+akf_next_entry(krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
krb5_kt_cursor *cursor)
{
struct akf_data *d = id->data;
@@ -245,12 +263,16 @@ akf_next_entry(krb5_context context,
entry->vno = kvno;
- entry->keyblock.keytype = ETYPE_DES_CBC_MD5;
+ if (cursor->data)
+ entry->keyblock.keytype = ETYPE_DES_CBC_MD5;
+ else
+ entry->keyblock.keytype = ETYPE_DES_CBC_CRC;
entry->keyblock.keyvalue.length = 8;
entry->keyblock.keyvalue.data = malloc (8);
if (entry->keyblock.keyvalue.data == NULL) {
krb5_free_principal (context, entry->principal);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
ret = ENOMEM;
goto out;
}
@@ -262,23 +284,30 @@ akf_next_entry(krb5_context context,
ret = 0;
entry->timestamp = time(NULL);
+ entry->flags = 0;
+ entry->aliases = NULL;
out:
- krb5_storage_seek(cursor->sp, pos + 4 + 8, SEEK_SET);
+ if (cursor->data) {
+ krb5_storage_seek(cursor->sp, pos + 4 + 8, SEEK_SET);
+ cursor->data = NULL;
+ } else
+ cursor->data = cursor;
return ret;
}
-static krb5_error_code
-akf_end_seq_get(krb5_context context,
+static krb5_error_code KRB5_CALLCONV
+akf_end_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
{
krb5_storage_free(cursor->sp);
close(cursor->fd);
+ cursor->data = NULL;
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
akf_add_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
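Review bot: At `out:` in akf_next_entry the `else` arm sets `cursor->data = cursor` but does not seek back to `pos`, so the next call starts wherever the reads left the storage position. Those reads are outside this hunk, so the following is inferred: if they advance past the kvno and key, the second pass (the ETYPE_DES_CBC_MD5 one in the previous hunk) reads the following record rather than the same key. If each key is meant to be returned once per enctype, `krb5_storage_seek(cursor->sp, pos, SEEK_SET);` in the `else` arm would do that. Either way, a comment stating that `cursor->data` is used as a two-state flag would make the intent checkable.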
@@ -301,14 +330,16 @@ akf_add_entry(krb5_context context,
return 0;
}
- fd = open (d->filename, O_RDWR | O_BINARY);
+ fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
fd = open (d->filename,
- O_RDWR | O_BINARY | O_CREAT | O_EXCL, 0600);
+ O_RDWR | O_BINARY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
- krb5_set_error_string(context, "open(%s): %s", d->filename,
- strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("open keyfile(%s): %s", ""),
+ d->filename,
+ strerror(ret));
return ret;
}
created = 1;
@@ -317,7 +348,8 @@ akf_add_entry(krb5_context context,
sp = krb5_storage_from_fd(fd);
if(sp == NULL) {
close(fd);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if (created)
@@ -327,10 +359,12 @@ akf_add_entry(krb5_context context,
ret = errno;
krb5_storage_free(sp);
close(fd);
- krb5_set_error_string (context, "seek: %s", strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("seeking in keyfile: %s", ""),
+ strerror(ret));
return ret;
}
-
+
ret = krb5_ret_int32(sp, &len);
if(ret) {
krb5_storage_free(sp);
@@ -350,11 +384,15 @@ akf_add_entry(krb5_context context,
for (i = 0; i < len; i++) {
ret = krb5_ret_int32(sp, &kvno);
if (ret) {
- krb5_set_error_string (context, "Failed to get kvno ");
+ krb5_set_error_message (context, ret,
+ N_("Failed getting kvno from keyfile", ""));
goto out;
}
if(krb5_storage_seek(sp, 8, SEEK_CUR) < 0) {
- krb5_set_error_string (context, "seek: %s", strerror(ret));
+ ret = errno;
+ krb5_set_error_message (context, ret,
+ N_("Failed seeing in keyfile: %s", ""),
+ strerror(ret));
goto out;
}
if (kvno == entry->vno) {
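Review bot: The new message reads "Failed seeing in keyfile: %s"; "seeing" should be "seeking", i.e. `N_("Failed seeking in keyfile: %s", "")`. The same misspelling is repeated in the message added for the `SEEK_SET` failure in the next hunk. The enclosing loop in akf_add_entry starts outside this hunk.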
@@ -365,38 +403,45 @@ akf_add_entry(krb5_context context,
}
len++;
-
+
if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) {
ret = errno;
- krb5_set_error_string (context, "seek: %s", strerror(ret));
+ krb5_set_error_message (context, ret,
+ N_("Failed seeing in keyfile: %s", ""),
+ strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, len);
if(ret) {
- krb5_set_error_string(context, "keytab keyfile failed new length");
+ ret = errno;
+ krb5_set_error_message (context, ret,
+ N_("keytab keyfile failed new length", ""));
return ret;
}
if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
ret = errno;
- krb5_set_error_string (context, "seek to end: %s", strerror(ret));
+ krb5_set_error_message (context, ret,
+ N_("seek to end: %s", ""), strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, entry->vno);
if(ret) {
- krb5_set_error_string(context, "keytab keyfile failed store kvno");
+ krb5_set_error_message(context, ret,
+ N_("keytab keyfile failed store kvno", ""));
goto out;
}
- ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data,
+ ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data,
entry->keyblock.keyvalue.length);
if(ret != entry->keyblock.keyvalue.length) {
if (ret < 0)
ret = errno;
else
ret = ENOTTY;
- krb5_set_error_string(context, "keytab keyfile failed to add key");
+ krb5_set_error_message(context, ret,
+ N_("keytab keyfile failed to add key", ""));
goto out;
}
ret = 0;
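Review bot: After `krb5_store_int32(sp, len)` fails, the added `ret = errno;` replaces the error the call returned with whatever errno holds, which may be stale or 0. The branch then leaves through `return ret;` instead of `goto out;`, so it can report success after a failed length update. It also bypasses the cleanup that every other failure in this hunk reaches through `out:` (what that label releases is outside the hunk). Dropping the `ret = errno;` line and ending the branch with `goto out;` keeps it consistent with the kvno and key-write branches below it.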
@@ -411,6 +456,7 @@ const krb5_kt_ops krb5_akf_ops = {
akf_resolve,
akf_get_name,
akf_close,
+ NULL, /* destroy */
NULL, /* get */
akf_start_seq_get,
akf_next_entry,
@@ -418,3 +464,5 @@ const krb5_kt_ops krb5_akf_ops = {
akf_add_entry,
NULL /* remove */
};
+
+#endif /* HEIMDAL_SMALLER */
diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c
deleted file mode 100644
index 907836c144f7..000000000000
--- a/crypto/heimdal/lib/krb5/keytab_krb4.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: keytab_krb4.c 17046 2006-04-10 17:10:53Z lha $");
-
-struct krb4_kt_data {
- char *filename;
-};
-
-static krb5_error_code
-krb4_kt_resolve(krb5_context context, const char *name, krb5_keytab id)
-{
- struct krb4_kt_data *d;
-
- d = malloc (sizeof(*d));
- if (d == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- d->filename = strdup (name);
- if (d->filename == NULL) {
- free(d);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- id->data = d;
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_get_name (krb5_context context,
- krb5_keytab id,
- char *name,
- size_t name_sz)
-{
- struct krb4_kt_data *d = id->data;
-
- strlcpy (name, d->filename, name_sz);
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_close (krb5_context context,
- krb5_keytab id)
-{
- struct krb4_kt_data *d = id->data;
-
- free (d->filename);
- free (d);
- return 0;
-}
-
-struct krb4_cursor_extra_data {
- krb5_keytab_entry entry;
- int num;
-};
-
-static int
-open_flock(const char *filename, int flags, int mode)
-{
- int lock_mode;
- int tries = 0;
- int fd = open(filename, flags, mode);
- if(fd < 0)
- return fd;
- if((flags & O_ACCMODE) == O_RDONLY)
- lock_mode = LOCK_SH | LOCK_NB;
- else
- lock_mode = LOCK_EX | LOCK_NB;
- while(flock(fd, lock_mode) < 0) {
- if(++tries < 5) {
- sleep(1);
- } else {
- close(fd);
- return -1;
- }
- }
- return fd;
-}
-
-
-
-static krb5_error_code
-krb4_kt_start_seq_get_int (krb5_context context,
- krb5_keytab id,
- int flags,
- krb5_kt_cursor *c)
-{
- struct krb4_kt_data *d = id->data;
- struct krb4_cursor_extra_data *ed;
- int ret;
-
- ed = malloc (sizeof(*ed));
- if (ed == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- ed->entry.principal = NULL;
- ed->num = -1;
- c->data = ed;
- c->fd = open_flock (d->filename, flags, 0);
- if (c->fd < 0) {
- ret = errno;
- free (ed);
- krb5_set_error_string(context, "open(%s): %s", d->filename,
- strerror(ret));
- return ret;
- }
- c->sp = krb5_storage_from_fd(c->fd);
- if(c->sp == NULL) {
- close(c->fd);
- free(ed);
- return ENOMEM;
- }
- krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_start_seq_get (krb5_context context,
- krb5_keytab id,
- krb5_kt_cursor *c)
-{
- return krb4_kt_start_seq_get_int (context, id, O_BINARY | O_RDONLY, c);
-}
-
-static krb5_error_code
-read_v4_entry (krb5_context context,
- struct krb4_kt_data *d,
- krb5_kt_cursor *c,
- struct krb4_cursor_extra_data *ed)
-{
- unsigned char des_key[8];
- krb5_error_code ret;
- char *service, *instance, *realm;
- int8_t kvno;
-
- ret = krb5_ret_stringz(c->sp, &service);
- if (ret)
- return ret;
- ret = krb5_ret_stringz(c->sp, &instance);
- if (ret) {
- free (service);
- return ret;
- }
- ret = krb5_ret_stringz(c->sp, &realm);
- if (ret) {
- free (service);
- free (instance);
- return ret;
- }
- ret = krb5_425_conv_principal (context, service, instance, realm,
- &ed->entry.principal);
- free (service);
- free (instance);
- free (realm);
- if (ret)
- return ret;
- ret = krb5_ret_int8(c->sp, &kvno);
- if (ret) {
- krb5_free_principal (context, ed->entry.principal);
- return ret;
- }
- ret = krb5_storage_read(c->sp, des_key, sizeof(des_key));
- if (ret < 0) {
- krb5_free_principal(context, ed->entry.principal);
- return ret;
- }
- if (ret < 8) {
- krb5_free_principal(context, ed->entry.principal);
- return EINVAL;
- }
- ed->entry.vno = kvno;
- ret = krb5_data_copy (&ed->entry.keyblock.keyvalue,
- des_key, sizeof(des_key));
- if (ret)
- return ret;
- ed->entry.timestamp = time(NULL);
- ed->num = 0;
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_next_entry (krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry,
- krb5_kt_cursor *c)
-{
- krb5_error_code ret;
- struct krb4_kt_data *d = id->data;
- struct krb4_cursor_extra_data *ed = c->data;
- const krb5_enctype keytypes[] = {ETYPE_DES_CBC_MD5,
- ETYPE_DES_CBC_MD4,
- ETYPE_DES_CBC_CRC};
-
- if (ed->num == -1) {
- ret = read_v4_entry (context, d, c, ed);
- if (ret)
- return ret;
- }
- ret = krb5_kt_copy_entry_contents (context,
- &ed->entry,
- entry);
- if (ret)
- return ret;
- entry->keyblock.keytype = keytypes[ed->num];
- if (++ed->num == 3) {
- krb5_kt_free_entry (context, &ed->entry);
- ed->num = -1;
- }
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_end_seq_get (krb5_context context,
- krb5_keytab id,
- krb5_kt_cursor *c)
-{
- struct krb4_cursor_extra_data *ed = c->data;
-
- krb5_storage_free (c->sp);
- if (ed->num != -1)
- krb5_kt_free_entry (context, &ed->entry);
- free (c->data);
- close (c->fd);
- return 0;
-}
-
-static krb5_error_code
-krb4_store_keytab_entry(krb5_context context,
- krb5_keytab_entry *entry,
- krb5_storage *sp)
-{
- krb5_error_code ret;
-#define ANAME_SZ 40
-#define INST_SZ 40
-#define REALM_SZ 40
- char service[ANAME_SZ];
- char instance[INST_SZ];
- char realm[REALM_SZ];
- ret = krb5_524_conv_principal (context, entry->principal,
- service, instance, realm);
- if (ret)
- return ret;
- if (entry->keyblock.keyvalue.length == 8
- && entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
- ret = krb5_store_stringz(sp, service);
- ret = krb5_store_stringz(sp, instance);
- ret = krb5_store_stringz(sp, realm);
- ret = krb5_store_int8(sp, entry->vno);
- ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data, 8);
- }
- return 0;
-}
-
-static krb5_error_code
-krb4_kt_add_entry (krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry)
-{
- struct krb4_kt_data *d = id->data;
- krb5_storage *sp;
- krb5_error_code ret;
- int fd;
-
- fd = open_flock (d->filename, O_WRONLY | O_APPEND | O_BINARY, 0);
- if (fd < 0) {
- fd = open_flock (d->filename,
- O_WRONLY | O_APPEND | O_BINARY | O_CREAT, 0600);
- if (fd < 0) {
- ret = errno;
- krb5_set_error_string(context, "open(%s): %s", d->filename,
- strerror(ret));
- return ret;
- }
- }
- sp = krb5_storage_from_fd(fd);
- if(sp == NULL) {
- close(fd);
- return ENOMEM;
- }
- krb5_storage_set_eof_code(sp, KRB5_KT_END);
- ret = krb4_store_keytab_entry(context, entry, sp);
- krb5_storage_free(sp);
- if(close (fd) < 0)
- return errno;
- return ret;
-}
-
-static krb5_error_code
-krb4_kt_remove_entry(krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry)
-{
- struct krb4_kt_data *d = id->data;
- krb5_error_code ret;
- krb5_keytab_entry e;
- krb5_kt_cursor cursor;
- krb5_storage *sp;
- int remove_flag = 0;
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- ret = krb5_kt_start_seq_get(context, id, &cursor);
- if (ret) {
- krb5_storage_free(sp);
- return ret;
- }
- while(krb5_kt_next_entry(context, id, &e, &cursor) == 0) {
- if(!krb5_kt_compare(context, &e, entry->principal,
- entry->vno, entry->keyblock.keytype)) {
- ret = krb4_store_keytab_entry(context, &e, sp);
- if(ret) {
- krb5_kt_free_entry(context, &e);
- krb5_storage_free(sp);
- return ret;
- }
- } else
- remove_flag = 1;
- krb5_kt_free_entry(context, &e);
- }
- krb5_kt_end_seq_get(context, id, &cursor);
- if(remove_flag) {
- int fd;
- unsigned char buf[1024];
- ssize_t n;
- krb5_data data;
- struct stat st;
-
- krb5_storage_to_data(sp, &data);
- krb5_storage_free(sp);
-
- fd = open_flock (d->filename, O_RDWR | O_BINARY, 0);
- if(fd < 0) {
- memset(data.data, 0, data.length);
- krb5_data_free(&data);
- if(errno == EACCES || errno == EROFS)
- return KRB5_KT_NOWRITE;
- return errno;
- }
-
- if(write(fd, data.data, data.length) != data.length) {
- memset(data.data, 0, data.length);
- krb5_data_free(&data);
- close(fd);
- krb5_set_error_string(context, "failed writing to \"%s\"", d->filename);
- return errno;
- }
- memset(data.data, 0, data.length);
- if(fstat(fd, &st) < 0) {
- krb5_data_free(&data);
- close(fd);
- krb5_set_error_string(context, "failed getting size of \"%s\"", d->filename);
- return errno;
- }
- st.st_size -= data.length;
- memset(buf, 0, sizeof(buf));
- while(st.st_size > 0) {
- n = min(st.st_size, sizeof(buf));
- n = write(fd, buf, n);
- if(n <= 0) {
- krb5_data_free(&data);
- close(fd);
- krb5_set_error_string(context, "failed writing to \"%s\"", d->filename);
- return errno;
-
- }
- st.st_size -= n;
- }
- if(ftruncate(fd, data.length) < 0) {
- krb5_data_free(&data);
- close(fd);
- krb5_set_error_string(context, "failed truncating \"%s\"", d->filename);
- return errno;
- }
- krb5_data_free(&data);
- if(close(fd) < 0) {
- krb5_set_error_string(context, "error closing \"%s\"", d->filename);
- return errno;
- }
- return 0;
- } else {
- krb5_storage_free(sp);
- return KRB5_KT_NOTFOUND;
- }
-}
-
-
-const krb5_kt_ops krb4_fkt_ops = {
- "krb4",
- krb4_kt_resolve,
- krb4_kt_get_name,
- krb4_kt_close,
- NULL, /* get */
- krb4_kt_start_seq_get,
- krb4_kt_next_entry,
- krb4_kt_end_seq_get,
- krb4_kt_add_entry, /* add_entry */
- krb4_kt_remove_entry /* remove_entry */
-};
-
-const krb5_kt_ops krb5_srvtab_fkt_ops = {
- "SRVTAB",
- krb4_kt_resolve,
- krb4_kt_get_name,
- krb4_kt_close,
- NULL, /* get */
- krb4_kt_start_seq_get,
- krb4_kt_next_entry,
- krb4_kt_end_seq_get,
- krb4_kt_add_entry, /* add_entry */
- krb4_kt_remove_entry /* remove_entry */
-};
diff --git a/crypto/heimdal/lib/krb5/keytab_memory.c b/crypto/heimdal/lib/krb5/keytab_memory.c
index 0ad8720c3fb8..0ee684d36382 100644
--- a/crypto/heimdal/lib/krb5/keytab_memory.c
+++ b/crypto/heimdal/lib/krb5/keytab_memory.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: keytab_memory.c 16352 2005-12-05 18:39:46Z lha $");
-
/* memory operations -------------------------------------------- */
struct mkt_data {
@@ -45,14 +43,14 @@ struct mkt_data {
struct mkt_data *next;
};
-/* this mutex protects mkt_head, ->refcount, and ->next
+/* this mutex protects mkt_head, ->refcount, and ->next
* content is not protected (name is static and need no protection)
*/
static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER;
static struct mkt_data *mkt_head;
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
{
struct mkt_data *d;
@@ -75,14 +73,16 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
d = calloc(1, sizeof(*d));
if(d == NULL) {
HEIMDAL_MUTEX_unlock(&mkt_mutex);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
d->name = strdup(name);
if (d->name == NULL) {
HEIMDAL_MUTEX_unlock(&mkt_mutex);
free(d);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
d->entries = NULL;
@@ -95,7 +95,7 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mkt_close(krb5_context context, krb5_keytab id)
{
struct mkt_data *d = id->data, **dp;
@@ -103,7 +103,7 @@ mkt_close(krb5_context context, krb5_keytab id)
HEIMDAL_MUTEX_lock(&mkt_mutex);
if (d->refcount < 1)
- krb5_abortx(context,
+ krb5_abortx(context,
"krb5 internal error, memory keytab refcount < 1 on close");
if (--d->refcount > 0) {
@@ -126,10 +126,10 @@ mkt_close(krb5_context context, krb5_keytab id)
return 0;
}
-static krb5_error_code
-mkt_get_name(krb5_context context,
- krb5_keytab id,
- char *name,
+static krb5_error_code KRB5_CALLCONV
+mkt_get_name(krb5_context context,
+ krb5_keytab id,
+ char *name,
size_t namesize)
{
struct mkt_data *d = id->data;
@@ -137,9 +137,9 @@ mkt_get_name(krb5_context context,
return 0;
}
-static krb5_error_code
-mkt_start_seq_get(krb5_context context,
- krb5_keytab id,
+static krb5_error_code KRB5_CALLCONV
+mkt_start_seq_get(krb5_context context,
+ krb5_keytab id,
krb5_kt_cursor *c)
{
/* XXX */
@@ -147,10 +147,10 @@ mkt_start_seq_get(krb5_context context,
return 0;
}
-static krb5_error_code
-mkt_next_entry(krb5_context context,
- krb5_keytab id,
- krb5_keytab_entry *entry,
+static krb5_error_code KRB5_CALLCONV
+mkt_next_entry(krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
krb5_kt_cursor *c)
{
struct mkt_data *d = id->data;
@@ -159,15 +159,15 @@ mkt_next_entry(krb5_context context,
return krb5_kt_copy_entry_contents(context, &d->entries[c->fd++], entry);
}
-static krb5_error_code
-mkt_end_seq_get(krb5_context context,
+static krb5_error_code KRB5_CALLCONV
+mkt_end_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *cursor)
{
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mkt_add_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
@@ -176,15 +176,16 @@ mkt_add_entry(krb5_context context,
krb5_keytab_entry *tmp;
tmp = realloc(d->entries, (d->num_entries + 1) * sizeof(*d->entries));
if(tmp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
d->entries = tmp;
- return krb5_kt_copy_entry_contents(context, entry,
+ return krb5_kt_copy_entry_contents(context, entry,
&d->entries[d->num_entries++]);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mkt_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
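Review bot: In mkt_add_entry the `d->num_entries++` sits inside the argument to `krb5_kt_copy_entry_contents`, so the count is incremented even when the copy fails and an error is returned. The array then has one more slot counted than was successfully filled, and later iteration or `mkt_remove_entry` would presumably treat that slot as a valid entry and hand it to `krb5_kt_free_entry`, depending on what the failed copy leaves behind. Copy into `&d->entries[d->num_entries]` first, keep the result in a local `krb5_error_code ret`, and increment `d->num_entries` only when `ret == 0`. The function's signature is in the preceding hunk, so its start is outside this one.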
@@ -192,15 +193,15 @@ mkt_remove_entry(krb5_context context,
struct mkt_data *d = id->data;
krb5_keytab_entry *e, *end;
int found = 0;
-
+
if (d->num_entries == 0) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return KRB5_KT_NOTFOUND;
}
/* do this backwards to minimize copying */
for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) {
- if(krb5_kt_compare(context, e, entry->principal,
+ if(krb5_kt_compare(context, e, entry->principal,
entry->vno, entry->keyblock.keytype)) {
krb5_kt_free_entry(context, e);
memmove(e, e + 1, (end - e - 1) * sizeof(*e));
@@ -211,7 +212,7 @@ mkt_remove_entry(krb5_context context,
}
}
if (!found) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_KT_NOTFOUND;
}
e = realloc(d->entries, d->num_entries * sizeof(*d->entries));
@@ -225,6 +226,7 @@ const krb5_kt_ops krb5_mkt_ops = {
mkt_resolve,
mkt_get_name,
mkt_close,
+ NULL, /* destroy */
NULL, /* get */
mkt_start_seq_get,
mkt_next_entry,
diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h
index 7e04446fe07c..956e00e4aaf0 100644
--- a/crypto/heimdal/lib/krb5/krb5-private.h
+++ b/crypto/heimdal/lib/krb5/krb5-private.h
@@ -4,14 +4,59 @@
#include <stdarg.h>
-void KRB5_LIB_FUNCTION
-_krb5_aes_cts_encrypt (
- const unsigned char */*in*/,
- unsigned char */*out*/,
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+#ifndef KRB5_DEPRECATED_FUNCTION
+#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
+#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
+#else
+#define KRB5_DEPRECATED_FUNCTION(X)
+#endif
+#endif
+
+
+void
+_heim_krb5_ipc_client_clear_target (void);
+
+void
+_heim_krb5_ipc_client_set_target_uid (uid_t /*uid*/);
+
+void
+_krb5_DES3_random_to_key (
+ krb5_context /*context*/,
+ krb5_keyblock */*key*/,
+ const void */*data*/,
+ size_t /*size*/);
+
+krb5_error_code
+_krb5_HMAC_MD5_checksum (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*key*/,
+ const void */*data*/,
size_t /*len*/,
- const AES_KEY */*key*/,
- unsigned char */*ivec*/,
- const int /*encryptp*/);
+ unsigned /*usage*/,
+ Checksum */*result*/);
+
+krb5_error_code
+_krb5_SP_HMAC_SHA1_checksum (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*key*/,
+ const void */*data*/,
+ size_t /*len*/,
+ unsigned /*usage*/,
+ Checksum */*result*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_build_authenticator (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ krb5_enctype /*enctype*/,
+ krb5_creds */*cred*/,
+ Checksum */*cksum*/,
+ krb5_data */*result*/,
+ krb5_key_usage /*usage*/);
krb5_error_code
_krb5_cc_allocate (
@@ -19,6 +64,53 @@ _krb5_cc_allocate (
const krb5_cc_ops */*ops*/,
krb5_ccache */*id*/);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_config_copy (
+ krb5_context /*context*/,
+ krb5_config_section */*c*/,
+ krb5_config_section **/*head*/);
+
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get (
+ krb5_context /*context*/,
+ const krb5_config_section */*c*/,
+ int /*type*/,
+ ...);
+
+krb5_config_section *
+_krb5_config_get_entry (
+ krb5_config_section **/*parent*/,
+ const char */*name*/,
+ int /*type*/);
+
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get_next (
+ krb5_context /*context*/,
+ const krb5_config_section */*c*/,
+ const krb5_config_binding **/*pointer*/,
+ int /*type*/,
+ ...);
+
+const void *
+_krb5_config_vget (
+ krb5_context /*context*/,
+ const krb5_config_section */*c*/,
+ int /*type*/,
+ va_list /*args*/);
+
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_vget_next (
+ krb5_context /*context*/,
+ const krb5_config_section */*c*/,
+ const krb5_config_binding **/*pointer*/,
+ int /*type*/,
+ va_list /*args*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_copy_send_to_kdc_func (
+ krb5_context /*context*/,
+ krb5_context /*to*/);
+
void
_krb5_crc_init_table (void);
@@ -28,6 +120,43 @@ _krb5_crc_update (
size_t /*len*/,
uint32_t /*res*/);
+void KRB5_LIB_FUNCTION
+_krb5_debug (
+ krb5_context /*context*/,
+ int /*level*/,
+ const char */*fmt*/,
+ ...)
+ __attribute__((format (printf, 3, 4)));
+
+void
+_krb5_debug_backtrace (krb5_context /*context*/);
+
+krb5_error_code
+_krb5_derive_key (
+ krb5_context /*context*/,
+ struct _krb5_encryption_type */*et*/,
+ struct _krb5_key_data */*key*/,
+ const void */*constant*/,
+ size_t /*len*/);
+
+krb5_error_code
+_krb5_des_checksum (
+ krb5_context /*context*/,
+ const EVP_MD */*evp_md*/,
+ struct _krb5_key_data */*key*/,
+ const void */*data*/,
+ size_t /*len*/,
+ Checksum */*cksum*/);
+
+krb5_error_code
+_krb5_des_verify (
+ krb5_context /*context*/,
+ const EVP_MD */*evp_md*/,
+ struct _krb5_key_data */*key*/,
+ const void */*data*/,
+ size_t /*len*/,
+ Checksum */*C*/);
+
krb5_error_code
_krb5_dh_group_ok (
krb5_context /*context*/,
@@ -38,11 +167,47 @@ _krb5_dh_group_ok (
struct krb5_dh_moduli **/*moduli*/,
char **/*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_enctype_to_oid (
+krb5_error_code
+_krb5_einval (
krb5_context /*context*/,
- krb5_enctype /*etype*/,
- heim_oid */*oid*/);
+ const char */*func*/,
+ unsigned long /*argn*/);
+
+krb5_error_code
+_krb5_erase_file (
+ krb5_context /*context*/,
+ const char */*filename*/);
+
+void
+_krb5_evp_cleanup (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*kd*/);
+
+krb5_error_code
+_krb5_evp_encrypt (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*key*/,
+ void */*data*/,
+ size_t /*len*/,
+ krb5_boolean /*encryptp*/,
+ int /*usage*/,
+ void */*ivec*/);
+
+krb5_error_code
+_krb5_evp_encrypt_cts (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*key*/,
+ void */*data*/,
+ size_t /*len*/,
+ krb5_boolean /*encryptp*/,
+ int /*usage*/,
+ void */*ivec*/);
+
+void
+_krb5_evp_schedule (
+ krb5_context /*context*/,
+ struct _krb5_key_type */*kt*/,
+ struct _krb5_key_data */*kd*/);
krb5_error_code
_krb5_expand_default_cc_name (
@@ -50,6 +215,12 @@ _krb5_expand_default_cc_name (
const char */*str*/,
char **/*res*/);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_expand_path_tokens (
+ krb5_context /*context*/,
+ const char */*path_in*/,
+ char **/*ppath_out*/);
+
int
_krb5_extract_ticket (
krb5_context /*context*/,
@@ -64,6 +235,18 @@ _krb5_extract_ticket (
krb5_decrypt_proc /*decrypt_proc*/,
krb5_const_pointer /*decryptarg*/);
+struct _krb5_checksum_type *
+_krb5_find_checksum (krb5_cksumtype /*type*/);
+
+struct _krb5_encryption_type *
+_krb5_find_enctype (krb5_enctype /*type*/);
+
+void
+_krb5_free_key_data (
+ krb5_context /*context*/,
+ struct _krb5_key_data */*key*/,
+ struct _krb5_encryption_type */*et*/);
+
void
_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
@@ -71,36 +254,38 @@ void
_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
krb5_error_code
+_krb5_get_cred_kdc_any (
+ krb5_context /*context*/,
+ krb5_kdc_flags /*flags*/,
+ krb5_ccache /*ccache*/,
+ krb5_creds */*in_creds*/,
+ krb5_principal /*impersonate_principal*/,
+ Ticket */*second_ticket*/,
+ krb5_creds **/*out_creds*/,
+ krb5_creds ***/*ret_tgts*/);
+
+char *
+_krb5_get_default_cc_name_from_registry (krb5_context /*context*/);
+
+char *
+_krb5_get_default_config_config_files_from_registry (void);
+
+krb5_error_code
_krb5_get_default_principal_local (
krb5_context /*context*/,
krb5_principal */*princ*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_host_realm_int (
krb5_context /*context*/,
const char */*host*/,
krb5_boolean /*use_dns*/,
krb5_realm **/*realms*/);
-krb5_error_code
-_krb5_get_init_creds_opt_copy (
- krb5_context /*context*/,
- const krb5_get_init_creds_opt */*in*/,
- krb5_get_init_creds_opt **/*out*/);
-
-void KRB5_LIB_FUNCTION
-_krb5_get_init_creds_opt_free_krb5_error (krb5_get_init_creds_opt */*opt*/);
-
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/);
-void KRB5_LIB_FUNCTION
-_krb5_get_init_creds_opt_set_krb5_error (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- const KRB_ERROR */*error*/);
-
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
_krb5_get_int (
void */*buffer*/,
unsigned long */*value*/,
@@ -113,27 +298,40 @@ _krb5_get_krbtgt (
krb5_realm /*realm*/,
krb5_creds **/*cred*/);
-krb5_error_code
-_krb5_kcm_chmod (
+krb5_boolean KRB5_LIB_FUNCTION
+_krb5_have_debug (
krb5_context /*context*/,
- krb5_ccache /*id*/,
- uint16_t /*mode*/);
+ int /*level*/);
-krb5_error_code
-_krb5_kcm_chown (
+krb5_boolean
+_krb5_homedir_access (krb5_context /*context*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_etype (
krb5_context /*context*/,
- krb5_ccache /*id*/,
- uint32_t /*uid*/,
- uint32_t /*gid*/);
+ krb5_pdu /*pdu_type*/,
+ unsigned */*len*/,
+ krb5_enctype **/*val*/,
+ const krb5_enctype */*etypes*/);
krb5_error_code
+_krb5_internal_hmac (
+ krb5_context /*context*/,
+ struct _krb5_checksum_type */*cm*/,
+ const void */*data*/,
+ size_t /*len*/,
+ unsigned /*usage*/,
+ struct _krb5_key_data */*keyblock*/,
+ Checksum */*result*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_initial_ticket (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_principal /*server*/,
krb5_keyblock */*key*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_ticket (
krb5_context /*context*/,
krb5_ccache /*id*/,
@@ -141,15 +339,15 @@ _krb5_kcm_get_ticket (
krb5_enctype /*enctype*/,
krb5_principal /*server*/);
-krb5_boolean
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kcm_is_running (krb5_context /*context*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_noop (
krb5_context /*context*/,
krb5_ccache /*id*/);
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
_krb5_kdc_retry (
krb5_context /*context*/,
krb5_sendto_ctx /*ctx*/,
@@ -157,113 +355,32 @@ _krb5_kdc_retry (
const krb5_data */*reply*/,
int */*action*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_cr_err_reply (
- krb5_context /*context*/,
- const char */*name*/,
- const char */*inst*/,
- const char */*realm*/,
- uint32_t /*time_ws*/,
- uint32_t /*e*/,
- const char */*e_string*/,
- krb5_data */*data*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_auth_reply (
- krb5_context /*context*/,
- const char */*pname*/,
- const char */*pinst*/,
- const char */*prealm*/,
- int32_t /*time_ws*/,
- int /*n*/,
- uint32_t /*x_date*/,
- unsigned char /*kvno*/,
- const krb5_data */*cipher*/,
- krb5_data */*data*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_ciph (
- krb5_context /*context*/,
- const krb5_keyblock */*session*/,
- const char */*service*/,
- const char */*instance*/,
- const char */*realm*/,
- uint32_t /*life*/,
- unsigned char /*kvno*/,
- const krb5_data */*ticket*/,
- uint32_t /*kdc_time*/,
- const krb5_keyblock */*key*/,
- krb5_data */*enc_data*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_ticket (
- krb5_context /*context*/,
- unsigned char /*flags*/,
- const char */*pname*/,
- const char */*pinstance*/,
- const char */*prealm*/,
- int32_t /*paddress*/,
- const krb5_keyblock */*session*/,
- int16_t /*life*/,
- int32_t /*life_sec*/,
- const char */*sname*/,
- const char */*sinstance*/,
- const krb5_keyblock */*key*/,
- krb5_data */*enc_data*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_decomp_ticket (
- krb5_context /*context*/,
- const krb5_data */*enc_ticket*/,
- const krb5_keyblock */*key*/,
- const char */*local_realm*/,
- char **/*sname*/,
- char **/*sinstance*/,
- struct _krb5_krb_auth_data */*ad*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_dest_tkt (
- krb5_context /*context*/,
- const char */*tkfile*/);
-
-void KRB5_LIB_FUNCTION
-_krb5_krb_free_auth_data (
+krb5_error_code
+_krb5_krbhost_info_move (
krb5_context /*context*/,
- struct _krb5_krb_auth_data */*ad*/);
-
-time_t KRB5_LIB_FUNCTION
-_krb5_krb_life_to_time (
- int /*start*/,
- int /*life_*/);
+ krb5_krbhst_info */*from*/,
+ krb5_krbhst_info **/*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_rd_req (
- krb5_context /*context*/,
- krb5_data */*authent*/,
- const char */*service*/,
- const char */*instance*/,
- const char */*local_realm*/,
- int32_t /*from_addr*/,
- const krb5_keyblock */*key*/,
- struct _krb5_krb_auth_data */*ad*/);
+const char *
+_krb5_krbhst_get_realm (krb5_krbhst_handle /*handle*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_tf_setup (
+krb5_error_code
+_krb5_kt_principal_not_found (
krb5_context /*context*/,
- struct credentials */*v4creds*/,
- const char */*tkfile*/,
- int /*append*/);
-
-int KRB5_LIB_FUNCTION
-_krb5_krb_time_to_life (
- time_t /*start*/,
- time_t /*end*/);
+ krb5_error_code /*ret*/,
+ krb5_keytab /*id*/,
+ krb5_const_principal /*principal*/,
+ krb5_enctype /*enctype*/,
+ int /*kvno*/);
krb5_error_code
-_krb5_krbhost_info_move (
+_krb5_load_ccache_plugins (krb5_context /*context*/);
+
+void
+_krb5_load_plugins (
krb5_context /*context*/,
- krb5_krbhst_info */*from*/,
- krb5_krbhst_info **/*to*/);
+ const char */*name*/,
+ const char **/*paths*/);
krb5_error_code
_krb5_mk_req_internal (
@@ -276,19 +393,13 @@ _krb5_mk_req_internal (
krb5_key_usage /*checksum_usage*/,
krb5_key_usage /*encrypt_usage*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_n_fold (
const void */*str*/,
size_t /*len*/,
void */*key*/,
size_t /*size*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_oid_to_enctype (
- krb5_context /*context*/,
- const heim_oid */*oid*/,
- krb5_enctype */*etype*/);
-
krb5_error_code
_krb5_pac_sign (
krb5_context /*context*/,
@@ -313,15 +424,24 @@ _krb5_parse_moduli_line (
char */*p*/,
struct krb5_dh_moduli **/*m*/);
-void KRB5_LIB_FUNCTION
-_krb5_pk_allow_proxy_certificate (
- struct krb5_pk_identity */*id*/,
- int /*boolean*/);
-
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
-krb5_error_code KRB5_LIB_FUNCTION
+krb5_error_code
+_krb5_pk_kdf (
+ krb5_context /*context*/,
+ const struct AlgorithmIdentifier */*ai*/,
+ const void */*dhdata*/,
+ size_t /*dhsize*/,
+ krb5_const_principal /*client*/,
+ krb5_const_principal /*server*/,
+ krb5_enctype /*enctype*/,
+ const krb5_data */*as_req*/,
+ const krb5_data */*pk_as_rep*/,
+ const Ticket */*ticket*/,
+ krb5_keyblock */*key*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_load_id (
krb5_context /*context*/,
struct krb5_pk_identity **/*ret_id*/,
@@ -333,17 +453,19 @@ _krb5_pk_load_id (
void */*prompter_data*/,
char */*password*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_ContentInfo (
krb5_context /*context*/,
const krb5_data */*buf*/,
const heim_oid */*oid*/,
struct ContentInfo */*content_info*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_padata (
krb5_context /*context*/,
void */*c*/,
+ int /*ic_flags*/,
+ int /*win2k*/,
const KDC_REQ_BODY */*req_body*/,
unsigned /*nonce*/,
METHOD_DATA */*md*/);
@@ -358,7 +480,7 @@ _krb5_pk_octetstring2key (
const heim_octet_string */*k_n*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_rd_pa_reply (
krb5_context /*context*/,
const char */*realm*/,
@@ -370,16 +492,6 @@ _krb5_pk_rd_pa_reply (
PA_DATA */*pa*/,
krb5_keyblock **/*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_verify_sign (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- struct krb5_pk_identity */*id*/,
- heim_oid */*contentType*/,
- krb5_data */*content*/,
- struct krb5_pk_cert **/*signer*/);
-
krb5_error_code
_krb5_plugin_find (
krb5_context /*context*/,
@@ -396,30 +508,41 @@ _krb5_plugin_get_next (struct krb5_plugin */*p*/);
void *
_krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+krb5_error_code
+_krb5_plugin_run_f (
+ krb5_context /*context*/,
+ const char */*module*/,
+ const char */*name*/,
+ int /*min_version*/,
+ int /*flags*/,
+ void */*userctx*/,
+ krb5_error_code (*/*func*/)(krb5_context, const void *, void *, void *));
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_principal2principalname (
PrincipalName */*p*/,
const krb5_principal /*from*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+_krb5_principal_compare_PrincipalName (
+ krb5_context /*context*/,
+ krb5_const_principal /*princ1*/,
+ PrincipalName */*princ2*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_principalname2krb5_principal (
krb5_context /*context*/,
krb5_principal */*principal*/,
const PrincipalName /*from*/,
const Realm /*realm*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
_krb5_put_int (
void */*buffer*/,
unsigned long /*value*/,
size_t /*size*/);
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_rd_req_out_ctx_alloc (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx */*ctx*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_s4u2self_to_checksumdata (
krb5_context /*context*/,
const PA_S4U2Self */*self*/,
@@ -427,21 +550,44 @@ _krb5_s4u2self_to_checksumdata (
int
_krb5_send_and_recv_tcp (
- int /*fd*/,
+ krb5_socket_t /*fd*/,
time_t /*tmout*/,
const krb5_data */*req*/,
krb5_data */*rep*/);
int
+_krb5_set_default_cc_name_to_registry (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/);
+
+void
+_krb5_unload_plugins (
+ krb5_context /*context*/,
+ const char */*name*/);
+
+krb5_error_code
+_krb5_usage2arcfour (
+ krb5_context /*context*/,
+ unsigned */*usage*/);
+
+int
_krb5_xlock (
krb5_context /*context*/,
int /*fd*/,
krb5_boolean /*exclusive*/,
const char */*filename*/);
+void
+_krb5_xor (
+ DES_cblock */*key*/,
+ const unsigned char */*b*/);
+
int
_krb5_xunlock (
krb5_context /*context*/,
int /*fd*/);
+#undef KRB5_DEPRECATED_FUNCTION
+#define KRB5_DEPRECATED_FUNCTION(X)
+
#endif /* __krb5_private_h__ */
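Review bot: The trailing `#undef KRB5_DEPRECATED_FUNCTION` / `#define KRB5_DEPRECATED_FUNCTION(X)` pair at the end of krb5-private.h leaves the macro defined as empty. Any translation unit that includes this header before krb5-protos.h will skip that header's `#ifndef KRB5_DEPRECATED_FUNCTION` block and compile every deprecated prototype without a warning. That may be intended for the library's own sources, but the include-order dependence is not stated in the hunk. I would add a comment above the pair, for example `/* Deliberately empty from here on: library-internal code may call deprecated entry points without warnings. */`, and confirm that no installed header pulls in krb5-private.h.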
diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h
index 647d8886b7cc..c72e796afe20 100644
--- a/crypto/heimdal/lib/krb5/krb5-protos.h
+++ b/crypto/heimdal/lib/krb5/krb5-protos.h
@@ -8,119 +8,98 @@
#define __attribute__(x)
#endif
+#ifndef KRB5_DEPRECATED_FUNCTION
+#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
+#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
+#else
+#define KRB5_DEPRECATED_FUNCTION(X)
+#endif
+#endif
+
+
#ifdef __cplusplus
extern "C" {
#endif
+#ifndef KRB5_LIB
#ifndef KRB5_LIB_FUNCTION
#if defined(_WIN32)
-#define KRB5_LIB_FUNCTION _stdcall
+#define KRB5_LIB_FUNCTION __declspec(dllimport)
+#define KRB5_LIB_CALL __stdcall
+#define KRB5_LIB_VARIABLE __declspec(dllimport)
#else
#define KRB5_LIB_FUNCTION
+#define KRB5_LIB_CALL
+#define KRB5_LIB_VARIABLE
#endif
#endif
-
-krb5_error_code KRB5_LIB_FUNCTION
+#endif
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc (
krb5_context /*context*/,
krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/);
+ struct credentials */*v4creds*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc_ccache (
krb5_context /*context*/,
krb5_ccache /*ccache*/,
krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal (
- krb5_context /*context*/,
- const char */*name*/,
- const char */*instance*/,
- const char */*realm*/,
- krb5_principal */*princ*/);
+ struct credentials */*v4creds*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal_ext (
- krb5_context /*context*/,
- const char */*name*/,
- const char */*instance*/,
- const char */*realm*/,
- krb5_boolean (*/*func*/)(krb5_context, krb5_principal),
- krb5_boolean /*resolve*/,
- krb5_principal */*principal*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal_ext2 (
- krb5_context /*context*/,
- const char */*name*/,
- const char */*instance*/,
- const char */*realm*/,
- krb5_boolean (*/*func*/)(krb5_context, void *, krb5_principal),
- void */*funcctx*/,
- krb5_boolean /*resolve*/,
- krb5_principal */*princ*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_524_conv_principal (
- krb5_context /*context*/,
- const krb5_principal /*principal*/,
- char */*name*/,
- char */*instance*/,
- char */*realm*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abort (
krb5_context /*context*/,
krb5_error_code /*code*/,
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 3, 4)));
+ __attribute__ ((noreturn, format (printf, 3, 4)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abortx (
krb5_context /*context*/,
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 2, 3)));
+ __attribute__ ((noreturn, format (printf, 2, 3)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_acl_match_file (
krb5_context /*context*/,
const char */*file*/,
const char */*format*/,
...);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_acl_match_string (
krb5_context /*context*/,
const char */*string*/,
const char */*format*/,
...);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_et_list (
krb5_context /*context*/,
void (*/*func*/)(struct et_list **));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_extra_addresses (
krb5_context /*context*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_ignore_addresses (
krb5_context /*context*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_dest (
krb5_context /*context*/,
krb5_log_facility */*f*/,
const char */*orig*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_func (
krb5_context /*context*/,
krb5_log_facility */*fac*/,
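Review bot: `KRB5_LIB_CALL` and `KRB5_LIB_VARIABLE` are defined only inside the `#ifndef KRB5_LIB` / `#ifndef KRB5_LIB_FUNCTION` guards at the top of this hunk, yet every prototype below now depends on `KRB5_LIB_CALL`. A build that defines `KRB5_LIB`, or a consumer that pre-defines `KRB5_LIB_FUNCTION` as the old header allowed, gets no definition of `KRB5_LIB_CALL` from this file. The declarations will then not parse unless another header, not visible here, supplies it. Giving the two new macros their own guards (`#ifndef KRB5_LIB_CALL` and `#ifndef KRB5_LIB_VARIABLE`) instead of sharing the `KRB5_LIB_FUNCTION` one would remove that coupling.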
@@ -130,7 +109,7 @@ krb5_addlog_func (
krb5_log_close_func_t /*close_func*/,
void */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addr2sockaddr (
krb5_context /*context*/,
const krb5_address */*addr*/,
@@ -138,19 +117,19 @@ krb5_addr2sockaddr (
krb5_socklen_t */*sa_size*/,
int /*port*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_address_compare (
krb5_context /*context*/,
const krb5_address */*addr1*/,
const krb5_address */*addr2*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_address_order (
krb5_context /*context*/,
const krb5_address */*addr1*/,
const krb5_address */*addr2*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_address_prefixlen_boundary (
krb5_context /*context*/,
const krb5_address */*inaddr*/,
@@ -158,20 +137,25 @@ krb5_address_prefixlen_boundary (
krb5_address */*low*/,
krb5_address */*high*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_address_search (
krb5_context /*context*/,
const krb5_address */*addr*/,
const krb5_addresses */*addrlist*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto (
+ krb5_context /*context*/,
+ krb5_boolean /*enable*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_aname_to_localname (
krb5_context /*context*/,
krb5_const_principal /*aname*/,
size_t /*lnsize*/,
char */*lname*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_anyaddr (
krb5_context /*context*/,
int /*af*/,
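Review bot: `krb5_allow_weak_crypto (context, enable)` becomes an exported entry point with no statement of what it affects or what the default is. Judging by the name alone, it switches weak encryption types on or off for the given context, which makes it a downgrade control that callers should only use for legacy interoperability. The prototype carries nothing but parameter names, so I would document the contract at the definition, along the lines of `/* Enable or disable weak enctypes for this context; leave disabled unless a legacy peer requires them. */`. The definition itself is outside this hunk.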
@@ -179,7 +163,7 @@ krb5_anyaddr (
krb5_socklen_t */*sa_size*/,
int /*port*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_appdefault_boolean (
krb5_context /*context*/,
const char */*appname*/,
@@ -188,7 +172,7 @@ krb5_appdefault_boolean (
krb5_boolean /*def_val*/,
krb5_boolean */*ret_val*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_appdefault_string (
krb5_context /*context*/,
const char */*appname*/,
@@ -197,7 +181,7 @@ krb5_appdefault_string (
const char */*def_val*/,
char **/*ret_val*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_appdefault_time (
krb5_context /*context*/,
const char */*appname*/,
@@ -206,190 +190,221 @@ krb5_appdefault_time (
time_t /*def_val*/,
time_t */*ret_val*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_append_addresses (
krb5_context /*context*/,
krb5_addresses */*dest*/,
const krb5_addresses */*source*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_addflags (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t /*addflags*/,
int32_t */*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_free (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_genaddrs (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
- int /*fd*/,
+ krb5_socket_t /*fd*/,
int /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_generatelocalsubkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getaddrs (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_address **/*local_addr*/,
krb5_address **/*remote_addr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getauthenticator (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_authenticator */*authenticator*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getcksumtype (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_cksumtype */*cksumtype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getflags (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t */*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock **/*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getkeytype (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keytype */*keytype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getlocalseqnumber (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t */*seqnumber*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getlocalsubkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock **/*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getrcache (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_rcache */*rcache*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getrecvsubkey (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ krb5_keyblock **/*keyblock*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getremoteseqnumber (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ int32_t */*seqnumber*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getremotesubkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock **/*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getsendsubkey (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ krb5_keyblock **/*keyblock*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_init (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_removeflags (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t /*removeflags*/,
int32_t */*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setaddrs (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_address */*local_addr*/,
krb5_address */*remote_addr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setaddrs_from_fd (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
void */*p_fd*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setcksumtype (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_cksumtype /*cksumtype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setflags (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setkeytype (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keytype /*keytype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setlocalseqnumber (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t /*seqnumber*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setlocalsubkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setrcache (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_rcache /*rcache*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setrecvsubkey (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ krb5_keyblock */*keyblock*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setremoteseqnumber (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
int32_t /*seqnumber*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setremotesubkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setsendsubkey (
+ krb5_context /*context*/,
+ krb5_auth_context /*auth_context*/,
+ krb5_keyblock */*keyblock*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_setuserkey (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_getremoteseqnumber (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/);
+ int32_t */*seqnumber*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_ap_req (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
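Review bot: `krb5_auth_con_genaddrs` now takes `krb5_socket_t /*fd*/`, but `krb5_auth_con_setaddrs_from_fd` in the same hunk still takes `void */*p_fd*/` with nothing to say what the pointer refers to. If the implementation now reads the descriptor through a `krb5_socket_t *` (not visible here), a caller that still passes the address of an `int` would be read at the wrong width wherever the two types differ in size. A one-line contract at the definition, such as `/* p_fd points to a krb5_socket_t, not an int */`, would make the expectation explicit.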
@@ -398,18 +413,7 @@ krb5_build_ap_req (
krb5_data /*authenticator*/,
krb5_data */*retdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_build_authenticator (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_enctype /*enctype*/,
- krb5_creds */*cred*/,
- Checksum */*cksum*/,
- Authenticator **/*auth_result*/,
- krb5_data */*result*/,
- krb5_key_usage /*usage*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal (
krb5_context /*context*/,
krb5_principal */*principal*/,
@@ -417,7 +421,7 @@ krb5_build_principal (
krb5_const_realm /*realm*/,
...);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal_ext (
krb5_context /*context*/,
krb5_principal */*principal*/,
@@ -425,7 +429,7 @@ krb5_build_principal_ext (
krb5_const_realm /*realm*/,
...);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal_va (
krb5_context /*context*/,
krb5_principal */*principal*/,
@@ -433,7 +437,7 @@ krb5_build_principal_va (
krb5_const_realm /*realm*/,
va_list /*ap*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal_va_ext (
krb5_context /*context*/,
krb5_principal */*principal*/,
@@ -441,19 +445,19 @@ krb5_build_principal_va_ext (
krb5_const_realm /*realm*/,
va_list /*ap*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_block_size (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
size_t */*blocksize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_checksum_length (
krb5_context /*context*/,
krb5_cksumtype /*cksumtype*/,
size_t */*length*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_decrypt (
krb5_context /*context*/,
const krb5_keyblock /*key*/,
@@ -462,7 +466,7 @@ krb5_c_decrypt (
krb5_enc_data */*input*/,
krb5_data */*output*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_encrypt (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
@@ -471,41 +475,42 @@ krb5_c_encrypt (
const krb5_data */*input*/,
krb5_enc_data */*output*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_encrypt_length (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
size_t /*inputlen*/,
size_t */*length*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_enctype_compare (
krb5_context /*context*/,
krb5_enctype /*e1*/,
krb5_enctype /*e2*/,
- krb5_boolean */*similar*/);
+ krb5_boolean */*similar*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_get_checksum (
krb5_context /*context*/,
const krb5_checksum */*cksum*/,
krb5_cksumtype */*type*/,
krb5_data **/*data*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_keylengths (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
size_t */*ilen*/,
size_t */*keylen*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_make_checksum (
krb5_context /*context*/,
krb5_cksumtype /*cksumtype*/,
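Review bot: `krb5_c_enctype_compare` is marked `KRB5_DEPRECATED_FUNCTION("Use X instead")`, a placeholder that names no replacement. The macro defined at the top of this header also discards its argument on both branches, so the text never reaches the compiler diagnostic. The same placeholder is attached to `krb524_convert_creds_kdc`, `krb524_convert_creds_kdc_ccache`, `krb5_auth_getremoteseqnumber`, `krb5_cc_gen_new` and `krb5_change_password` in other hunks of this file. Where a successor is evident it should be named, e.g. `KRB5_DEPRECATED_FUNCTION("Use krb5_auth_con_getremoteseqnumber instead")` for `krb5_auth_getremoteseqnumber`, whose same-signature counterpart is added in this commit.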
@@ -514,39 +519,44 @@ krb5_c_make_checksum (
const krb5_data */*input*/,
krb5_checksum */*cksum*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_make_random_key (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
krb5_keyblock */*random_key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_prf (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
const krb5_data */*input*/,
krb5_data */*output*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_prf_length (
krb5_context /*context*/,
krb5_enctype /*type*/,
size_t */*length*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_random_make_octets (
+ krb5_context /*context*/,
+ krb5_data * /*data*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_set_checksum (
krb5_context /*context*/,
krb5_checksum */*cksum*/,
krb5_cksumtype /*type*/,
const krb5_data */*data*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_enctype (krb5_enctype /*etype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_verify_checksum (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
@@ -555,170 +565,205 @@ krb5_c_verify_checksum (
const krb5_checksum */*cksum*/,
krb5_boolean */*valid*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_end_seq_get (
krb5_context /*context*/,
krb5_cc_cache_cursor /*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_get_first (
krb5_context /*context*/,
const char */*type*/,
krb5_cc_cache_cursor */*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_match (
krb5_context /*context*/,
krb5_principal /*client*/,
- const char */*type*/,
krb5_ccache */*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_next (
krb5_context /*context*/,
krb5_cc_cache_cursor /*cursor*/,
krb5_ccache */*id*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_cc_clear_mcred (krb5_creds */*mcred*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_close (
krb5_context /*context*/,
krb5_ccache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_copy_cache (
krb5_context /*context*/,
const krb5_ccache /*from*/,
krb5_ccache /*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_copy_cache_match (
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_copy_creds (
+ krb5_context /*context*/,
+ const krb5_ccache /*from*/,
+ krb5_ccache /*to*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_copy_match_f (
krb5_context /*context*/,
const krb5_ccache /*from*/,
krb5_ccache /*to*/,
- krb5_flags /*whichfields*/,
- const krb5_creds * /*mcreds*/,
+ krb5_boolean (*/*match*/)(krb5_context, void *, const krb5_creds *),
+ void */*matchctx*/,
unsigned int */*matched*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default (
krb5_context /*context*/,
krb5_ccache */*id*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_default_name (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy (
krb5_context /*context*/,
krb5_ccache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_end_seq_get (
krb5_context /*context*/,
const krb5_ccache /*id*/,
krb5_cc_cursor */*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_gen_new (
krb5_context /*context*/,
const krb5_cc_ops */*ops*/,
- krb5_ccache */*id*/);
+ krb5_ccache */*id*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_config (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_const_principal /*principal*/,
+ const char */*name*/,
+ krb5_data */*data*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_flags (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_flags */*flags*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_friendly_name (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ char **/*name*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_full_name (
krb5_context /*context*/,
krb5_ccache /*id*/,
char **/*str*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_kdc_offset (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_deltat */*offset*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_lifetime (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ time_t */*t*/);
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name (
krb5_context /*context*/,
krb5_ccache /*id*/);
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_ops (
krb5_context /*context*/,
krb5_ccache /*id*/);
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops (
krb5_context /*context*/,
const char */*prefix*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_principal (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_principal */*principal*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_type (
krb5_context /*context*/,
krb5_ccache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_version (
krb5_context /*context*/,
const krb5_ccache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_initialize (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_principal /*primary_principal*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_last_change_time (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_timestamp */*mtime*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move (
krb5_context /*context*/,
krb5_ccache /*from*/,
krb5_ccache /*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_new_unique (
krb5_context /*context*/,
const char */*type*/,
const char */*hint*/,
krb5_ccache */*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_next_cred (
krb5_context /*context*/,
const krb5_ccache /*id*/,
krb5_cc_cursor */*cursor*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_next_cred_match (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor * /*cursor*/,
- krb5_creds * /*creds*/,
- krb5_flags /*whichfields*/,
- const krb5_creds * /*mcreds*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_register (
krb5_context /*context*/,
const krb5_cc_ops */*ops*/,
krb5_boolean /*override*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_remove_cred (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_flags /*which*/,
krb5_creds */*cred*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_resolve (
krb5_context /*context*/,
const char */*name*/,
krb5_ccache */*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_retrieve_cred (
krb5_context /*context*/,
krb5_ccache /*id*/,
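Review bot: `krb5_cc_cache_match` keeps its name but loses the `const char */*type*/` argument, so its third parameter changes from a string to `krb5_ccache */*id*/`. `krb5_cc_copy_cache_match` and `krb5_cc_next_cred_match` are removed in the same hunk. A binary built against the old prototype and run against the new library would pass a type string in the slot that is now, presumably, an output pointer, so the change needs a shared-library version bump, which is not visible here. I would record the break where the function is defined, e.g. `/* ABI: 'type' argument removed; all callers must be rebuilt */`, and mention it in the commit description.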
@@ -726,351 +771,390 @@ krb5_cc_retrieve_cred (
const krb5_creds */*mcreds*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_config (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_const_principal /*principal*/,
+ const char */*name*/,
+ krb5_data */*data*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name (
krb5_context /*context*/,
const char */*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_flags (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_flags /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_friendly_name (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ const char */*name*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_kdc_offset (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_deltat /*offset*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_start_seq_get (
krb5_context /*context*/,
const krb5_ccache /*id*/,
krb5_cc_cursor */*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_store_cred (
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_cc_support_switch (
+ krb5_context /*context*/,
+ const char */*type*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_switch (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_free (
+ krb5_context /*context*/,
+ krb5_cccol_cursor */*cursor*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_new (
+ krb5_context /*context*/,
+ krb5_cccol_cursor */*cursor*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_next (
+ krb5_context /*context*/,
+ krb5_cccol_cursor /*cursor*/,
+ krb5_ccache */*cache*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_last_change_time (
+ krb5_context /*context*/,
+ const char */*type*/,
+ krb5_timestamp */*mtime*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password (
krb5_context /*context*/,
krb5_creds */*creds*/,
const char */*newpw*/,
int */*result_code*/,
krb5_data */*result_code_string*/,
- krb5_data */*result_string*/);
+ krb5_data */*result_string*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_check_transited (
krb5_context /*context*/,
krb5_const_realm /*client_realm*/,
krb5_const_realm /*server_realm*/,
krb5_realm */*realms*/,
- int /*num_realms*/,
+ unsigned int /*num_realms*/,
int */*bad_realm*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_check_transited_realms (
krb5_context /*context*/,
const char *const */*realms*/,
- int /*num_realms*/,
+ unsigned int /*num_realms*/,
int */*bad_realm*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_checksum_disable (
krb5_context /*context*/,
krb5_cksumtype /*type*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_checksum_free (
krb5_context /*context*/,
krb5_checksum */*cksum*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_checksum_is_collision_proof (
krb5_context /*context*/,
krb5_cksumtype /*type*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_checksum_is_keyed (
krb5_context /*context*/,
krb5_cksumtype /*type*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_checksumsize (
krb5_context /*context*/,
krb5_cksumtype /*type*/,
size_t */*size*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cksumtype_to_enctype (
+ krb5_context /*context*/,
+ krb5_cksumtype /*ctype*/,
+ krb5_enctype */*etype*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cksumtype_valid (
krb5_context /*context*/,
krb5_cksumtype /*ctype*/);
-void KRB5_LIB_FUNCTION
-krb5_clear_error_string (krb5_context /*context*/);
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_clear_error_message (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_clear_error_string (krb5_context /*context*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_closelog (
krb5_context /*context*/,
krb5_log_facility */*fac*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_compare_creds (
krb5_context /*context*/,
krb5_flags /*whichfields*/,
const krb5_creds * /*mcreds*/,
const krb5_creds * /*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_file_free (
krb5_context /*context*/,
krb5_config_section */*s*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_config_free_strings (char **/*strings*/);
-const void *
-krb5_config_get (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- ...);
-
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_get_bool (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_get_bool_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
krb5_boolean /*def_value*/,
...);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_int (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_int_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
int /*def_value*/,
...);
-const krb5_config_binding *
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
krb5_config_get_list (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-const void *
-krb5_config_get_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- ...);
-
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
const char */*def_value*/,
...);
-char**
+KRB5_LIB_FUNCTION char** KRB5_LIB_CALL
krb5_config_get_strings (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_time (
krb5_context /*context*/,
const krb5_config_section */*c*/,
...);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_get_time_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
int /*def_value*/,
...);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_file (
krb5_context /*context*/,
const char */*fname*/,
krb5_config_section **/*res*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_file_multi (
krb5_context /*context*/,
const char */*fname*/,
krb5_config_section **/*res*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_string_multi (
krb5_context /*context*/,
const char */*string*/,
- krb5_config_section **/*res*/);
+ krb5_config_section **/*res*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-const void *
-krb5_config_vget (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- va_list /*args*/);
-
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_vget_bool (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_config_vget_bool_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
krb5_boolean /*def_value*/,
va_list /*args*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_int (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_int_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
int /*def_value*/,
va_list /*args*/);
-const krb5_config_binding *
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
krb5_config_vget_list (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-const void *
-krb5_config_vget_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- va_list /*args*/);
-
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_vget_string (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_vget_string_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
const char */*def_value*/,
va_list /*args*/);
-char ** KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION char ** KRB5_LIB_CALL
krb5_config_vget_strings (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_time (
krb5_context /*context*/,
const krb5_config_section */*c*/,
va_list /*args*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_config_vget_time_default (
krb5_context /*context*/,
const krb5_config_section */*c*/,
int /*def_value*/,
va_list /*args*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_address (
krb5_context /*context*/,
const krb5_address */*inaddr*/,
krb5_address */*outaddr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_addresses (
krb5_context /*context*/,
const krb5_addresses */*inaddr*/,
krb5_addresses */*outaddr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_checksum (
krb5_context /*context*/,
const krb5_checksum */*old*/,
krb5_checksum **/*new*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_copy_context (
+ krb5_context /*context*/,
+ krb5_context */*out*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds (
krb5_context /*context*/,
const krb5_creds */*incred*/,
krb5_creds **/*outcred*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds_contents (
krb5_context /*context*/,
const krb5_creds */*incred*/,
krb5_creds */*c*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_data (
krb5_context /*context*/,
const krb5_data */*indata*/,
krb5_data **/*outdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_host_realm (
krb5_context /*context*/,
const krb5_realm */*from*/,
krb5_realm **/*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_keyblock (
krb5_context /*context*/,
const krb5_keyblock */*inblock*/,
krb5_keyblock **/*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_keyblock_contents (
krb5_context /*context*/,
const krb5_keyblock */*inblock*/,
krb5_keyblock */*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_principal (
krb5_context /*context*/,
krb5_const_principal /*inprinc*/,
krb5_principal */*outprinc*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_ticket (
krb5_context /*context*/,
const krb5_ticket */*from*/,
krb5_ticket **/*to*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_create_checksum (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
@@ -1080,164 +1164,213 @@ krb5_create_checksum (
size_t /*len*/,
Checksum */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_create_checksum_iov (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ unsigned /*usage*/,
+ krb5_crypto_iov */*data*/,
+ unsigned int /*num_data*/,
+ krb5_cksumtype */*type*/);
+
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
+krb5_creds_get_ticket_flags (krb5_creds */*creds*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_destroy (
krb5_context /*context*/,
krb5_crypto /*crypto*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_fx_cf2 (
+ krb5_context /*context*/,
+ const krb5_crypto /*crypto1*/,
+ const krb5_crypto /*crypto2*/,
+ krb5_data */*pepper1*/,
+ krb5_data */*pepper2*/,
+ krb5_enctype /*enctype*/,
+ krb5_keyblock */*res*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_get_checksum_type (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
krb5_cksumtype */*type*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getblocksize (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
size_t */*blocksize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getconfoundersize (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
size_t */*confoundersize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getenctype (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
krb5_enctype */*enctype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_getpadsize (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
size_t */*padsize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_init (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
krb5_enctype /*etype*/,
krb5_crypto */*crypto*/);
-size_t
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_length (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ int /*type*/,
+ size_t */*len*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_crypto_length_iov (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ krb5_crypto_iov */*data*/,
+ unsigned int /*num_data*/);
+
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_crypto_overhead (
krb5_context /*context*/,
krb5_crypto /*crypto*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prf (
krb5_context /*context*/,
const krb5_crypto /*crypto*/,
const krb5_data */*input*/,
krb5_data */*output*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prf_length (
krb5_context /*context*/,
krb5_enctype /*type*/,
size_t */*length*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_alloc (
krb5_data */*p*/,
int /*len*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_data_cmp (
const krb5_data */*data1*/,
const krb5_data */*data2*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_copy (
krb5_data */*p*/,
const void */*data*/,
size_t /*len*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_data_ct_cmp (
+ const krb5_data */*data1*/,
+ const krb5_data */*data2*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_data_free (krb5_data */*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_data_realloc (
krb5_data */*p*/,
int /*len*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_data_zero (krb5_data */*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_Authenticator (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
Authenticator */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
ETYPE_INFO */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO2 (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
ETYPE_INFO2 */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncAPRepPart (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
EncAPRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncASRepPart (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
EncASRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncKrbCredPart (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
EncKrbCredPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTGSRepPart (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
EncTGSRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTicketPart (
krb5_context /*context*/,
const void */*data*/,
size_t /*length*/,
EncTicketPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ap_req (
krb5_context /*context*/,
const krb5_data */*inbuf*/,
krb5_ap_req */*ap_req*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
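Review bot: `krb5_data_ct_cmp` is added right beside `krb5_data_cmp` with the same parameter list, and nothing at the declaration tells a caller which one to use. The name suggests a constant-time comparison, but the definition is not in this hunk, so that is an inference. If it holds, the choice matters wherever keys, checksums or other secret-derived buffers are compared, because an early-exit compare can leak the position of the first mismatch through timing. I would document it where the prototype's documentation is maintained, for example `/* Constant-time comparison; use for keys, checksums and other secret data. */`, and add a matching note on `krb5_data_cmp` that it is not suitable for secrets.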
@@ -1246,7 +1379,7 @@ krb5_decrypt (
size_t /*len*/,
krb5_data */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_EncryptedData (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
@@ -1254,7 +1387,16 @@ krb5_decrypt_EncryptedData (
const EncryptedData */*e*/,
krb5_data */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_decrypt_iov_ivec (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ unsigned /*usage*/,
+ krb5_crypto_iov */*data*/,
+ unsigned int /*num_data*/,
+ void */*ivec*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_ivec (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
@@ -1264,7 +1406,7 @@ krb5_decrypt_ivec (
krb5_data */*result*/,
void */*ivec*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_ticket (
krb5_context /*context*/,
Ticket */*ticket*/,
@@ -1272,7 +1414,7 @@ krb5_decrypt_ticket (
EncTicketPart */*out*/,
krb5_flags /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_derive_key (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
@@ -1281,267 +1423,275 @@ krb5_derive_key (
size_t /*constant_len*/,
krb5_keyblock **/*derived_key*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_alloc (
krb5_context /*context*/,
krb5_digest */*digest*/);
-void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_digest_free (krb5_digest /*digest*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_client_binding (
krb5_context /*context*/,
krb5_digest /*digest*/,
char **/*type*/,
char **/*binding*/);
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_identifier (
krb5_context /*context*/,
krb5_digest /*digest*/);
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_opaque (
krb5_context /*context*/,
krb5_digest /*digest*/);
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_rsp (
krb5_context /*context*/,
krb5_digest /*digest*/);
-const char *
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_digest_get_server_nonce (
krb5_context /*context*/,
krb5_digest /*digest*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_session_key (
krb5_context /*context*/,
krb5_digest /*digest*/,
krb5_data */*data*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_get_tickets (
krb5_context /*context*/,
krb5_digest /*digest*/,
Ticket **/*tickets*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_init_request (
krb5_context /*context*/,
krb5_digest /*digest*/,
krb5_realm /*realm*/,
krb5_ccache /*ccache*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_probe (
krb5_context /*context*/,
krb5_realm /*realm*/,
krb5_ccache /*ccache*/,
unsigned */*flags*/);
-krb5_boolean
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_digest_rep_get_status (
krb5_context /*context*/,
krb5_digest /*digest*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_request (
krb5_context /*context*/,
krb5_digest /*digest*/,
krb5_realm /*realm*/,
krb5_ccache /*ccache*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_authentication_user (
krb5_context /*context*/,
krb5_digest /*digest*/,
krb5_principal /*authentication_user*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_authid (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*authid*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_client_nonce (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*nonce*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_digest (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*dgst*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_hostname (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*hostname*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_identifier (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*id*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_method (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*method*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_nonceCount (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*nonce_count*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_opaque (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*opaque*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_qop (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*qop*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_realm (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*realm*/);
-int
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_digest_set_responseData (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*response*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_server_cb (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*type*/,
const char */*binding*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_server_nonce (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*nonce*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_type (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*type*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_uri (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*uri*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_digest_set_username (
krb5_context /*context*/,
krb5_digest /*digest*/,
const char */*username*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_domain_x500_decode (
krb5_context /*context*/,
krb5_data /*tr*/,
char ***/*realms*/,
- int */*num_realms*/,
+ unsigned int */*num_realms*/,
const char */*client_realm*/,
const char */*server_realm*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_domain_x500_encode (
char **/*realms*/,
- int /*num_realms*/,
+ unsigned int /*num_realms*/,
krb5_data */*encoding*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_eai_to_heim_errno (
int /*eai_errno*/,
int /*system_error*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_Authenticator (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
Authenticator */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
ETYPE_INFO */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO2 (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
ETYPE_INFO2 */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncAPRepPart (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
EncAPRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncASRepPart (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
EncASRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncKrbCredPart (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
EncKrbCredPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTGSRepPart (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
EncTGSRepPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTicketPart (
krb5_context /*context*/,
void */*data*/,
size_t /*length*/,
EncTicketPart */*t*/,
- size_t */*len*/);
+ size_t */*len*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
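Review bot: The `KRB5_DEPRECATED_FUNCTION("Use X instead")` attribute added to each `krb5_encode_*` prototype in this hunk carries a placeholder message, so the compiler warning a caller sees names no replacement. The same literal is attached to the `krb5_decode_*` prototypes in the preceding hunk, and in later hunks to `krb5_enctypes_compatible_keys`, `krb5_free_creds_contents`, `krb5_free_data_contents`, `krb5_free_error_string`, `krb5_free_unparsed_name` and `krb5_generate_subkey`. Each message should name the function that supersedes it, in the form `KRB5_DEPRECATED_FUNCTION("Use <replacement function> instead")`, with the real name filled in per prototype. Where the deprecation is security-motivated, a short reason would also help downstream maintainers prioritise the migration.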
@@ -1550,7 +1700,7 @@ krb5_encrypt (
size_t /*len*/,
krb5_data */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt_EncryptedData (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
@@ -1560,7 +1710,16 @@ krb5_encrypt_EncryptedData (
int /*kvno*/,
EncryptedData */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_encrypt_iov_ivec (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ unsigned /*usage*/,
+ krb5_crypto_iov */*data*/,
+ int /*num_data*/,
+ void */*ivec*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encrypt_ivec (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
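Review bot: `krb5_encrypt_iov_ivec` declares its element count as `int /*num_data*/`, while the other iov entry points this commit adds (`krb5_decrypt_iov_ivec`, `krb5_create_checksum_iov`, `krb5_crypto_length_iov`) all take `unsigned int /*num_data*/`. A signed count lets a negative value through the type, and a caller sharing one counter between the encrypt and decrypt paths gets an implicit sign conversion on one of them. How the implementation treats a negative count cannot be seen from this hunk. I would change the parameter to `unsigned int /*num_data*/,` and update the definition to match. The `krb5_encrypt_ivec` prototype that follows continues past the end of the hunk.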
@@ -1570,93 +1729,99 @@ krb5_encrypt_ivec (
krb5_data */*result*/,
void */*ivec*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_disable (
krb5_context /*context*/,
krb5_enctype /*enctype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_enctype_enable (
+ krb5_context /*context*/,
+ krb5_enctype /*enctype*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_keybits (
krb5_context /*context*/,
krb5_enctype /*type*/,
size_t */*keybits*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_keysize (
krb5_context /*context*/,
krb5_enctype /*type*/,
size_t */*keysize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_to_keytype (
krb5_context /*context*/,
krb5_enctype /*etype*/,
krb5_keytype */*keytype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_to_string (
krb5_context /*context*/,
krb5_enctype /*etype*/,
char **/*string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_valid (
krb5_context /*context*/,
krb5_enctype /*etype*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_enctypes_compatible_keys (
krb5_context /*context*/,
krb5_enctype /*etype1*/,
- krb5_enctype /*etype2*/);
+ krb5_enctype /*etype2*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+krb5_error_code
+krb5_enomem (krb5_context /*context*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_err (
krb5_context /*context*/,
int /*eval*/,
krb5_error_code /*code*/,
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 4, 5)));
-
-krb5_error_code KRB5_LIB_FUNCTION
- __attribute__((deprecated)) krb5_free_creds_contents (krb5_context context, krb5_creds *c);
+ __attribute__ ((noreturn, format (printf, 4, 5)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_error_from_rd_error (
krb5_context /*context*/,
const krb5_error */*error*/,
const krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_errx (
krb5_context /*context*/,
int /*eval*/,
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 3, 4)));
+ __attribute__ ((noreturn, format (printf, 3, 4)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_expand_hostname (
krb5_context /*context*/,
const char */*orig_hostname*/,
char **/*new_hostname*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_expand_hostname_realms (
krb5_context /*context*/,
const char */*orig_hostname*/,
char **/*new_hostname*/,
char ***/*realms*/);
-PA_DATA *
+KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
krb5_find_padata (
PA_DATA */*val*/,
unsigned /*len*/,
int /*type*/,
int */*idx*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_format_time (
krb5_context /*context*/,
time_t /*t*/,
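Review bot: The new `krb5_enomem` prototype is declared as plain `krb5_error_code` without the `KRB5_LIB_FUNCTION` / `KRB5_LIB_CALL` pair that this commit applies to every other prototype in the hunk. The macro definitions are not visible here, but if they carry export or calling-convention attributes this function will be declared differently from the rest of the API on platforms where that matters. If it is meant to be public, declare it as `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`. If it is an internal helper, it belongs in the private prototype header instead. The `krb5_format_time` prototype at the end of the hunk continues past it.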
@@ -1664,118 +1829,142 @@ krb5_format_time (
size_t /*len*/,
krb5_boolean /*include_time*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_address (
krb5_context /*context*/,
krb5_address */*address*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_addresses (
krb5_context /*context*/,
krb5_addresses */*addresses*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_ap_rep_enc_part (
krb5_context /*context*/,
krb5_ap_rep_enc_part */*val*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_authenticator (
krb5_context /*context*/,
krb5_authenticator */*authenticator*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_checksum (
krb5_context /*context*/,
krb5_checksum */*cksum*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_checksum_contents (
krb5_context /*context*/,
krb5_checksum */*cksum*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_config_files (char **/*filenames*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_cred_contents (
krb5_context /*context*/,
krb5_creds */*c*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_creds (
krb5_context /*context*/,
krb5_creds */*c*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_creds_contents (
+ krb5_context /*context*/,
+ krb5_creds */*c*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_data (
krb5_context /*context*/,
krb5_data */*p*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_data_contents (
krb5_context /*context*/,
- krb5_data */*data*/);
+ krb5_data */*data*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_default_realm (
+ krb5_context /*context*/,
+ krb5_realm /*realm*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error (
krb5_context /*context*/,
krb5_error */*error*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_contents (
krb5_context /*context*/,
krb5_error */*error*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_error_message (
+ krb5_context /*context*/,
+ const char */*msg*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_string (
krb5_context /*context*/,
- char */*str*/);
+ char */*str*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_host_realm (
krb5_context /*context*/,
krb5_realm */*realmlist*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_kdc_rep (
krb5_context /*context*/,
krb5_kdc_rep */*rep*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_keyblock (
krb5_context /*context*/,
krb5_keyblock */*keyblock*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_keyblock_contents (
krb5_context /*context*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_krbhst (
krb5_context /*context*/,
char **/*hostlist*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_principal (
krb5_context /*context*/,
krb5_principal /*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_salt (
krb5_context /*context*/,
krb5_salt /*salt*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_ticket (
krb5_context /*context*/,
krb5_ticket */*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_free_unparsed_name (
+ krb5_context /*context*/,
+ char */*str*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_fwd_tgt_creds (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -1786,64 +1975,67 @@ krb5_fwd_tgt_creds (
int /*forwardable*/,
krb5_data */*out_data*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_generate_random_block (
void */*buf*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_random_keyblock (
krb5_context /*context*/,
krb5_enctype /*type*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_seq_number (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
uint32_t */*seqno*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_subkey (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
- krb5_keyblock **/*subkey*/);
+ krb5_keyblock **/*subkey*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_subkey_extended (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
krb5_enctype /*etype*/,
krb5_keyblock **/*subkey*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_all_client_addrs (
krb5_context /*context*/,
krb5_addresses */*res*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_all_server_addrs (
krb5_context /*context*/,
krb5_addresses */*res*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_cred_from_kdc (
krb5_context /*context*/,
krb5_ccache /*ccache*/,
krb5_creds */*in_creds*/,
krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/);
+ krb5_creds ***/*ret_tgts*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_cred_from_kdc_opt (
krb5_context /*context*/,
krb5_ccache /*ccache*/,
krb5_creds */*in_creds*/,
krb5_creds **/*out_creds*/,
krb5_creds ***/*ret_tgts*/,
- krb5_flags /*flags*/);
+ krb5_flags /*flags*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials (
krb5_context /*context*/,
krb5_flags /*options*/,
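Review bot: The `KRB5_DEPRECATED_FUNCTION("Use X instead")` annotations added to krb5_generate_subkey, krb5_get_cred_from_kdc and krb5_get_cred_from_kdc_opt carry a placeholder message, so the compiler warning never names the replacement. For krb5_generate_subkey the next prototype looks like the intended successor; if so, the annotation should read `KRB5_DEPRECATED_FUNCTION("Use krb5_generate_subkey_extended instead")`. The same placeholder recurs in later hunks (krb5_get_err_text, krb5_get_in_cred, the krb5_get_in_tkt family, krb5_get_init_creds_opt_get_error, krb5_get_init_creds_opt_init, krb5_keytab_key_proc, krb5_keytype_to_enctypes, krb5_keytype_to_enctypes_default, krb5_keytype_to_string). These prototypes look generated, so the message is probably best corrected where each function is defined.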
@@ -1851,7 +2043,7 @@ krb5_get_credentials (
krb5_creds */*in_creds*/,
krb5_creds **/*out_creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials_with_flags (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -1860,7 +2052,7 @@ krb5_get_credentials_with_flags (
krb5_creds */*in_creds*/,
krb5_creds **/*out_creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
@@ -1868,96 +2060,98 @@ krb5_get_creds (
krb5_const_principal /*inprinc*/,
krb5_creds **/*out_creds*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_add_options (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
krb5_flags /*options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_alloc (
krb5_context /*context*/,
krb5_get_creds_opt */*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_free (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_set_enctype (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
krb5_enctype /*enctype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_set_impersonate (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
krb5_const_principal /*self*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_creds_opt_set_options (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
krb5_flags /*options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds_opt_set_ticket (
krb5_context /*context*/,
krb5_get_creds_opt /*opt*/,
const Ticket */*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files (char ***/*pfilenames*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_in_tkt_etypes (
krb5_context /*context*/,
+ krb5_pdu /*pdu_type*/,
krb5_enctype **/*etypes*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_principal (
krb5_context /*context*/,
krb5_principal */*princ*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_realm (
krb5_context /*context*/,
krb5_realm */*realm*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_realms (
krb5_context /*context*/,
krb5_realm **/*realms*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_get_err_text (
krb5_context /*context*/,
- krb5_error_code /*code*/);
+ krb5_error_code /*code*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_message (
krb5_context /*context*/,
krb5_error_code /*code*/);
-char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
krb5_get_error_string (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_extra_addresses (
krb5_context /*context*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_fcache_version (
krb5_context /*context*/,
int */*version*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_forwarded_creds (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
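Review bot: krb5_get_default_in_tkt_etypes gains a `krb5_pdu /*pdu_type*/` argument in the middle of its parameter list, which changes the signature of what appears to be an exported function without keeping the old entry point. A caller built against the previous two-argument prototype would pass its etypes pointer where the new code expects pdu_type, so this needs a library version bump or a differently named function rather than a silent change. At minimum the definition should carry a comment such as `/* signature changed: pdu_type inserted before etypes; callers must be rebuilt */`. krb5_get_error_message in the same hunk also changes its return type to `const char *`, which is source-visible to callers that assign the result to `char *`.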
@@ -1967,18 +2161,18 @@ krb5_get_forwarded_creds (
krb5_creds */*in_creds*/,
krb5_data */*out_data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_host_realm (
krb5_context /*context*/,
const char */*targethost*/,
krb5_realm **/*realms*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_ignore_addresses (
krb5_context /*context*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_cred (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -1991,9 +2185,10 @@ krb5_get_in_cred (
krb5_decrypt_proc /*decrypt_proc*/,
krb5_const_pointer /*decryptarg*/,
krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/);
+ krb5_kdc_rep */*ret_as_reply*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -2006,9 +2201,10 @@ krb5_get_in_tkt (
krb5_const_pointer /*decryptarg*/,
krb5_creds */*creds*/,
krb5_ccache /*ccache*/,
- krb5_kdc_rep */*ret_as_reply*/);
+ krb5_kdc_rep */*ret_as_reply*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt_with_keytab (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -2018,9 +2214,10 @@ krb5_get_in_tkt_with_keytab (
krb5_keytab /*keytab*/,
krb5_ccache /*ccache*/,
krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/);
+ krb5_kdc_rep */*ret_as_reply*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt_with_password (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -2030,9 +2227,10 @@ krb5_get_in_tkt_with_password (
const char */*password*/,
krb5_ccache /*ccache*/,
krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/);
+ krb5_kdc_rep */*ret_as_reply*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt_with_skey (
krb5_context /*context*/,
krb5_flags /*options*/,
@@ -2042,20 +2240,10 @@ krb5_get_in_tkt_with_skey (
const krb5_keyblock */*key*/,
krb5_ccache /*ccache*/,
krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/);
+ krb5_kdc_rep */*ret_as_reply*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_prompter_fct /*prompter*/,
- void */*data*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_keyblock (
krb5_context /*context*/,
krb5_creds */*creds*/,
@@ -2065,7 +2253,7 @@ krb5_get_init_creds_keyblock (
const char */*in_tkt_service*/,
krb5_get_init_creds_opt */*options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_keytab (
krb5_context /*context*/,
krb5_creds */*creds*/,
@@ -2075,79 +2263,81 @@ krb5_get_init_creds_keytab (
const char */*in_tkt_service*/,
krb5_get_init_creds_opt */*options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_alloc (
krb5_context /*context*/,
krb5_get_init_creds_opt **/*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_free (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_get_error (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
- KRB_ERROR **/*error*/);
+ KRB_ERROR **/*error*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-void KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/);
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_address_list (
krb5_get_init_creds_opt */*opt*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_addressless (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
krb5_boolean /*addressless*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_anonymous (
krb5_get_init_creds_opt */*opt*/,
int /*anonymous*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_canonicalize (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
krb5_boolean /*req*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_default_flags (
krb5_context /*context*/,
const char */*appname*/,
krb5_const_realm /*realm*/,
krb5_get_init_creds_opt */*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_etype_list (
krb5_get_init_creds_opt */*opt*/,
krb5_enctype */*etype_list*/,
int /*etype_list_length*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_forwardable (
krb5_get_init_creds_opt */*opt*/,
int /*forwardable*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pa_password (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
const char */*password*/,
krb5_s2k_proc /*key_proc*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pac_request (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
krb5_boolean /*req_pac*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pkinit (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
@@ -2161,39 +2351,52 @@ krb5_get_init_creds_opt_set_pkinit (
void */*prompter_data*/,
char */*password*/);
-void KRB5_LIB_FUNCTION
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pkinit_user_certs (
+ krb5_context /*context*/,
+ krb5_get_init_creds_opt */*opt*/,
+ struct hx509_certs_data */*certs*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_preauth_list (
krb5_get_init_creds_opt */*opt*/,
krb5_preauthtype */*preauth_list*/,
int /*preauth_list_length*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_init_creds_opt_set_process_last_req (
+ krb5_context /*context*/,
+ krb5_get_init_creds_opt */*opt*/,
+ krb5_gic_process_last_req /*func*/,
+ void */*ctx*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_proxiable (
krb5_get_init_creds_opt */*opt*/,
int /*proxiable*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_renew_life (
krb5_get_init_creds_opt */*opt*/,
krb5_deltat /*renew_life*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_salt (
krb5_get_init_creds_opt */*opt*/,
krb5_data */*salt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_tkt_life (
krb5_get_init_creds_opt */*opt*/,
krb5_deltat /*tkt_life*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_win2k (
krb5_context /*context*/,
krb5_get_init_creds_opt */*opt*/,
krb5_boolean /*req*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_password (
krb5_context /*context*/,
krb5_creds */*creds*/,
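Review bot: The new krb5_get_init_creds_opt_set_pkinit_user_certs prototype is declared as `krb5_error_code KRB5_LIB_FUNCTION`, the ordering this commit replaces everywhere else, and it omits `KRB5_LIB_CALL`. If KRB5_LIB_CALL selects a calling convention on some platforms (its definition is not visible here), this one function would be declared differently from the rest of the API. It should read `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL` like its neighbours.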
@@ -2203,9 +2406,9 @@ krb5_get_init_creds_password (
void */*data*/,
krb5_deltat /*start_time*/,
const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*in_options*/);
+ krb5_get_init_creds_opt */*options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_kdc_cred (
krb5_context /*context*/,
krb5_ccache /*id*/,
@@ -2215,46 +2418,51 @@ krb5_get_kdc_cred (
krb5_creds */*in_creds*/,
krb5_creds **out_creds );
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_kdc_sec_offset (
krb5_context /*context*/,
int32_t */*sec*/,
int32_t */*usec*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb524hst (
krb5_context /*context*/,
const krb5_realm */*realm*/,
char ***/*hostlist*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb_admin_hst (
krb5_context /*context*/,
const krb5_realm */*realm*/,
char ***/*hostlist*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb_changepw_hst (
krb5_context /*context*/,
const krb5_realm */*realm*/,
char ***/*hostlist*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krbhst (
krb5_context /*context*/,
const krb5_realm */*realm*/,
char ***/*hostlist*/);
-time_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_get_max_time_skew (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_permitted_enctypes (
+ krb5_context /*context*/,
+ krb5_enctype **/*etypes*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_pw_salt (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
krb5_salt */*salt*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_renewed_creds (
krb5_context /*context*/,
krb5_creds */*creds*/,
@@ -2262,39 +2470,47 @@ krb5_get_renewed_creds (
krb5_ccache /*ccache*/,
const char */*in_tkt_service*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_server_rcache (
krb5_context /*context*/,
const krb5_data */*piece*/,
krb5_rcache */*id*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_use_admin_kdc (krb5_context /*context*/);
-krb5_log_facility * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_validated_creds (
+ krb5_context /*context*/,
+ krb5_creds */*creds*/,
+ krb5_principal /*client*/,
+ krb5_ccache /*ccache*/,
+ char */*service*/);
+
+KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
krb5_get_warn_dest (krb5_context /*context*/);
-size_t
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_get_wrapped_length (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
size_t /*data_len*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_getportbyname (
krb5_context /*context*/,
const char */*service*/,
const char */*proto*/,
int /*default_port*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_addr2addr (
krb5_context /*context*/,
int /*af*/,
const char */*haddr*/,
krb5_address */*addr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_addr2sockaddr (
krb5_context /*context*/,
int /*af*/,
@@ -2303,13 +2519,13 @@ krb5_h_addr2sockaddr (
krb5_socklen_t */*sa_size*/,
int /*port*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_h_errno_to_heim_errno (int /*eai_errno*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_have_error_string (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_hmac (
krb5_context /*context*/,
krb5_cksumtype /*cktype*/,
@@ -2319,35 +2535,111 @@ krb5_hmac (
krb5_keyblock */*key*/,
Checksum */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context (krb5_context */*context*/);
-void KRB5_LIB_FUNCTION
-krb5_init_ets (krb5_context /*context*/);
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_init_creds_free (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/);
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_init_etype (
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get (
krb5_context /*context*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/,
- const krb5_enctype */*etypes*/);
+ krb5_init_creds_context /*ctx*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_creds (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ krb5_creds */*cred*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_error (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ KRB_ERROR */*error*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_init (
+ krb5_context /*context*/,
+ krb5_principal /*client*/,
+ krb5_prompter_fct /*prompter*/,
+ void */*prompter_data*/,
+ krb5_deltat /*start_time*/,
+ krb5_get_init_creds_opt */*options*/,
+ krb5_init_creds_context */*rctx*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_keyblock (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ krb5_keyblock */*keyblock*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_keytab (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ krb5_keytab /*keytab*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_password (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ const char */*password*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_service (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ const char */*service*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_step (
+ krb5_context /*context*/,
+ krb5_init_creds_context /*ctx*/,
+ krb5_data */*in*/,
+ krb5_data */*out*/,
+ krb5_krbhst_info */*hostinfo*/,
+ unsigned int */*flags*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_init_ets (krb5_context /*context*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_initlog (
krb5_context /*context*/,
const char */*program*/,
krb5_log_facility **/*fac*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_config_principal (
+ krb5_context /*context*/,
+ krb5_const_principal /*principal*/);
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_is_thread_safe (void);
-const krb5_enctype * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_call (
+ krb5_context /*context*/,
+ krb5_storage */*request*/,
+ krb5_storage **/*response_p*/,
+ krb5_data */*response_data_p*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_storage_request (
+ krb5_context /*context*/,
+ uint16_t /*opcode*/,
+ krb5_storage **/*storage_p*/);
+
+KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
krb5_kerberos_enctypes (krb5_context /*context*/);
-krb5_enctype
+KRB5_LIB_FUNCTION krb5_enctype KRB5_LIB_CALL
krb5_keyblock_get_enctype (const krb5_keyblock */*block*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keyblock_init (
krb5_context /*context*/,
krb5_enctype /*type*/,
@@ -2355,7 +2647,7 @@ krb5_keyblock_init (
size_t /*size*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keyblock_key_proc (
krb5_context /*context*/,
krb5_keytype /*type*/,
@@ -2363,63 +2655,67 @@ krb5_keyblock_key_proc (
krb5_const_pointer /*keyseed*/,
krb5_keyblock **/*key*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_keyblock_zero (krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
krb5_keytab_key_proc (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
krb5_salt /*salt*/,
krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/);
+ krb5_keyblock **/*key*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_enctypes (
krb5_context /*context*/,
krb5_keytype /*keytype*/,
unsigned */*len*/,
- krb5_enctype **/*val*/);
+ krb5_enctype **/*val*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_enctypes_default (
krb5_context /*context*/,
krb5_keytype /*keytype*/,
unsigned */*len*/,
- krb5_enctype **/*val*/);
+ krb5_enctype **/*val*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_string (
krb5_context /*context*/,
krb5_keytype /*keytype*/,
- char **/*string*/);
+ char **/*string*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_format_string (
krb5_context /*context*/,
const krb5_krbhst_info */*host*/,
char */*hostname*/,
size_t /*hostlen*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_free (
krb5_context /*context*/,
krb5_krbhst_handle /*handle*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_get_addrinfo (
krb5_context /*context*/,
krb5_krbhst_info */*host*/,
struct addrinfo **/*ai*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_init (
krb5_context /*context*/,
const char */*realm*/,
unsigned int /*type*/,
krb5_krbhst_handle */*handle*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_init_flags (
krb5_context /*context*/,
const char */*realm*/,
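Review bot: krb5_keytab_key_proc is declared with `KRB5_CALLCONV` while every other prototype in this hunk uses `KRB5_LIB_CALL`, as does the similarly shaped krb5_keyblock_key_proc in the preceding hunk. If that is deliberate because the function is passed as a callback, a one-line comment at the definition such as `/* KRB5_CALLCONV: must match the key-proc callback type */` would stop it being normalised away later; otherwise change it to `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`. Both macros are defined outside this view, so whether they can expand differently is unconfirmed.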
@@ -2427,36 +2723,36 @@ krb5_krbhst_init_flags (
int /*flags*/,
krb5_krbhst_handle */*handle*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_next (
krb5_context /*context*/,
krb5_krbhst_handle /*handle*/,
krb5_krbhst_info **/*host*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_next_as_string (
krb5_context /*context*/,
krb5_krbhst_handle /*handle*/,
char */*hostname*/,
size_t /*hostlen*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_reset (
krb5_context /*context*/,
krb5_krbhst_handle /*handle*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_add_entry (
krb5_context /*context*/,
krb5_keytab /*id*/,
krb5_keytab_entry */*entry*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_close (
krb5_context /*context*/,
krb5_keytab /*id*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kt_compare (
krb5_context /*context*/,
krb5_keytab_entry */*entry*/,
@@ -2464,41 +2760,46 @@ krb5_kt_compare (
krb5_kvno /*vno*/,
krb5_enctype /*enctype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_copy_entry_contents (
krb5_context /*context*/,
const krb5_keytab_entry */*in*/,
krb5_keytab_entry */*out*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default (
krb5_context /*context*/,
krb5_keytab */*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_modify_name (
krb5_context /*context*/,
char */*name*/,
size_t /*namesize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_name (
krb5_context /*context*/,
char */*name*/,
size_t /*namesize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kt_destroy (
+ krb5_context /*context*/,
+ krb5_keytab /*id*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_end_seq_get (
krb5_context /*context*/,
krb5_keytab /*id*/,
krb5_kt_cursor */*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_free_entry (
krb5_context /*context*/,
krb5_keytab_entry */*entry*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_entry (
krb5_context /*context*/,
krb5_keytab /*id*/,
@@ -2507,34 +2808,39 @@ krb5_kt_get_entry (
krb5_enctype /*enctype*/,
krb5_keytab_entry */*entry*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_full_name (
krb5_context /*context*/,
krb5_keytab /*keytab*/,
char **/*str*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_name (
krb5_context /*context*/,
krb5_keytab /*keytab*/,
char */*name*/,
size_t /*namesize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_type (
krb5_context /*context*/,
krb5_keytab /*keytab*/,
char */*prefix*/,
size_t /*prefixsize*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_kt_have_content (
+ krb5_context /*context*/,
+ krb5_keytab /*id*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_next_entry (
krb5_context /*context*/,
krb5_keytab /*id*/,
krb5_keytab_entry */*entry*/,
krb5_kt_cursor */*cursor*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_read_service_key (
krb5_context /*context*/,
krb5_pointer /*keyprocarg*/,
@@ -2543,45 +2849,45 @@ krb5_kt_read_service_key (
krb5_enctype /*enctype*/,
krb5_keyblock **/*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_register (
krb5_context /*context*/,
const krb5_kt_ops */*ops*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_remove_entry (
krb5_context /*context*/,
krb5_keytab /*id*/,
krb5_keytab_entry */*entry*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_resolve (
krb5_context /*context*/,
const char */*name*/,
krb5_keytab */*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_start_seq_get (
krb5_context /*context*/,
krb5_keytab /*id*/,
krb5_kt_cursor */*cursor*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kuserok (
krb5_context /*context*/,
krb5_principal /*principal*/,
const char */*luser*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_log (
krb5_context /*context*/,
krb5_log_facility */*fac*/,
int /*level*/,
const char */*fmt*/,
...)
- __attribute__((format (printf, 4, 5)));
+ __attribute__((format (printf, 4, 5)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_log_msg (
krb5_context /*context*/,
krb5_log_facility */*fac*/,
@@ -2589,26 +2895,26 @@ krb5_log_msg (
char **/*reply*/,
const char */*fmt*/,
...)
- __attribute__((format (printf, 5, 6)));
+ __attribute__((format (printf, 5, 6)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_make_addrport (
krb5_context /*context*/,
krb5_address **/*res*/,
const krb5_address */*addr*/,
int16_t /*port*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_make_principal (
krb5_context /*context*/,
krb5_principal */*principal*/,
krb5_const_realm /*realm*/,
...);
-size_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_max_sockaddr_size (void);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_error (
krb5_context /*context*/,
krb5_error_code /*error_code*/,
@@ -2620,7 +2926,7 @@ krb5_mk_error (
int */*client_usec*/,
krb5_data */*reply*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_priv (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -2628,13 +2934,13 @@ krb5_mk_priv (
krb5_data */*outbuf*/,
krb5_replay_data */*outdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_rep (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_data */*outbuf*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -2645,7 +2951,7 @@ krb5_mk_req (
krb5_ccache /*ccache*/,
krb5_data */*outbuf*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_exact (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -2655,7 +2961,7 @@ krb5_mk_req_exact (
krb5_ccache /*ccache*/,
krb5_data */*outbuf*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_extended (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -2664,7 +2970,7 @@ krb5_mk_req_extended (
krb5_creds */*in_creds*/,
krb5_data */*outbuf*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_safe (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -2672,21 +2978,21 @@ krb5_mk_safe (
krb5_data */*outbuf*/,
krb5_replay_data */*outdata*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_read (
krb5_context /*context*/,
void */*p_fd*/,
void */*buf*/,
size_t /*len*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_write (
krb5_context /*context*/,
void */*p_fd*/,
const void */*buf*/,
size_t /*len*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_write_block (
krb5_context /*context*/,
void */*p_fd*/,
@@ -2694,47 +3000,47 @@ krb5_net_write_block (
size_t /*len*/,
time_t /*timeout*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_alloc (
krb5_context /*context*/,
krb5_ntlm */*ntlm*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_free (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_challange (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_data */*challange*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_flags (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
uint32_t */*flags*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_opaque (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_data */*opaque*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_targetinfo (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_data */*data*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_get_targetname (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
char **/*name*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_init_request (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
@@ -2744,114 +3050,114 @@ krb5_ntlm_init_request (
const char */*hostname*/,
const char */*domainname*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_rep_get_sessionkey (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_data */*data*/);
-krb5_boolean
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_ntlm_rep_get_status (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_flags (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
uint32_t /*flags*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_lm (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
void */*hash*/,
size_t /*len*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_ntlm (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
void */*hash*/,
size_t /*len*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_opaque (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_data */*opaque*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_session (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
void */*sessionkey*/,
size_t /*length*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_targetname (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
const char */*targetname*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_req_set_username (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
const char */*username*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ntlm_request (
krb5_context /*context*/,
krb5_ntlm /*ntlm*/,
krb5_realm /*realm*/,
krb5_ccache /*ccache*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_openlog (
krb5_context /*context*/,
const char */*program*/,
krb5_log_facility **/*fac*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_add_buffer (
krb5_context /*context*/,
krb5_pac /*p*/,
uint32_t /*type*/,
const krb5_data */*data*/);
-void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_pac_free (
krb5_context /*context*/,
krb5_pac /*pac*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_buffer (
krb5_context /*context*/,
krb5_pac /*p*/,
uint32_t /*type*/,
krb5_data */*data*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_types (
krb5_context /*context*/,
krb5_pac /*p*/,
size_t */*len*/,
uint32_t **/*types*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_init (
krb5_context /*context*/,
krb5_pac */*pac*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_parse (
krb5_context /*context*/,
const void */*ptr*/,
size_t /*len*/,
krb5_pac */*pac*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_verify (
krb5_context /*context*/,
const krb5_pac /*pac*/,
@@ -2860,7 +3166,7 @@ krb5_pac_verify (
const krb5_keyblock */*server*/,
const krb5_keyblock */*privsvr*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_padata_add (
krb5_context /*context*/,
METHOD_DATA */*md*/,
@@ -2868,130 +3174,165 @@ krb5_padata_add (
void */*buf*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_address (
krb5_context /*context*/,
const char */*string*/,
krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_name (
krb5_context /*context*/,
const char */*name*/,
krb5_principal */*principal*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_name_flags (
krb5_context /*context*/,
const char */*name*/,
int /*flags*/,
krb5_principal */*principal*/);
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_nametype (
krb5_context /*context*/,
const char */*str*/,
int32_t */*nametype*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_passwd_result_to_string (
krb5_context /*context*/,
int /*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
krb5_password_key_proc (
krb5_context /*context*/,
krb5_enctype /*type*/,
krb5_salt /*salt*/,
krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/);
+ krb5_keyblock **/*key*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_pk_enterprise_cert (
+ krb5_context /*context*/,
+ const char */*user_id*/,
+ krb5_const_realm /*realm*/,
+ krb5_principal */*principal*/,
+ struct hx509_certs_data **/*res*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_plugin_register (
krb5_context /*context*/,
enum krb5_plugin_type /*type*/,
const char */*name*/,
void */*symbol*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files (
const char */*filelist*/,
char **/*pq*/,
char ***/*ret_pp*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files_default (
const char */*filelist*/,
char ***/*pfilenames*/);
-krb5_realm * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_prepend_error_message (
+ krb5_context /*context*/,
+ krb5_error_code /*ret*/,
+ const char */*fmt*/,
+ ...)
+ __attribute__ ((format (printf, 3, 4)));
+
+KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
krb5_princ_realm (
krb5_context /*context*/,
- krb5_principal /*principal*/);
+ krb5_principal /*principal*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_princ_set_realm (
krb5_context /*context*/,
krb5_principal /*principal*/,
- krb5_realm */*realm*/);
+ krb5_realm */*realm*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_compare (
krb5_context /*context*/,
krb5_const_principal /*princ1*/,
krb5_const_principal /*princ2*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_compare_any_realm (
krb5_context /*context*/,
krb5_const_principal /*princ1*/,
krb5_const_principal /*princ2*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_comp_string (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
unsigned int /*component*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION unsigned int KRB5_LIB_CALL
+krb5_principal_get_num_comp (
+ krb5_context /*context*/,
+ krb5_const_principal /*principal*/);
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_realm (
krb5_context /*context*/,
krb5_const_principal /*principal*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_principal_get_type (
krb5_context /*context*/,
krb5_const_principal /*principal*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_krbtgt (
+ krb5_context /*context*/,
+ krb5_const_principal /*p*/);
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_match (
krb5_context /*context*/,
krb5_const_principal /*princ*/,
krb5_const_principal /*pattern*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_principal_set_realm (
+ krb5_context /*context*/,
+ krb5_principal /*principal*/,
+ krb5_const_realm /*realm*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_principal_set_type (
krb5_context /*context*/,
krb5_principal /*principal*/,
int /*type*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_print_address (
const krb5_address */*addr*/,
char */*str*/,
size_t /*len*/,
size_t */*ret_len*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_program_setup (
krb5_context */*context*/,
int /*argc*/,
char **/*argv*/,
struct getargs */*args*/,
int /*num_args*/,
- void (*/*usage*/)(int, struct getargs*, int));
+ void (KRB5_LIB_CALL *usage)(int, struct getargs*, int));
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_CALLCONV
krb5_prompter_posix (
krb5_context /*context*/,
void */*data*/,
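Review bot: The three `KRB5_DEPRECATED_FUNCTION("Use X instead")` annotations in this hunk (on `krb5_password_key_proc`, `krb5_princ_realm` and `krb5_princ_set_realm`) carry a placeholder message, so the compiler warning gives a caller no replacement to move to. Where a successor exists the message should name it. This hunk adds `krb5_principal_set_realm` and already declares `krb5_principal_get_realm`, which look like the intended replacements for the two `krb5_princ_*` functions, e.g. `KRB5_DEPRECATED_FUNCTION("Use krb5_principal_get_realm instead")`; confirm against the implementation. The same placeholder is put on `krb5_set_error_string` in the later hunk that adds `krb5_set_error_message`. If this header is generated from the .c sources, the fix belongs on the annotation at the definition.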
@@ -3000,7 +3341,7 @@ krb5_prompter_posix (
int /*num_prompts*/,
krb5_prompt prompts[]);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_random_to_key (
krb5_context /*context*/,
krb5_enctype /*type*/,
@@ -3008,84 +3349,84 @@ krb5_random_to_key (
size_t /*size*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_close (
krb5_context /*context*/,
krb5_rcache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_default (
krb5_context /*context*/,
krb5_rcache */*id*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_default_name (krb5_context /*context*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_default_type (krb5_context /*context*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_destroy (
krb5_context /*context*/,
krb5_rcache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_expunge (
krb5_context /*context*/,
krb5_rcache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_get_lifespan (
krb5_context /*context*/,
krb5_rcache /*id*/,
krb5_deltat */*auth_lifespan*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_name (
krb5_context /*context*/,
krb5_rcache /*id*/);
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_type (
krb5_context /*context*/,
krb5_rcache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_initialize (
krb5_context /*context*/,
krb5_rcache /*id*/,
krb5_deltat /*auth_lifespan*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_recover (
krb5_context /*context*/,
krb5_rcache /*id*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve (
krb5_context /*context*/,
krb5_rcache /*id*/,
const char */*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve_full (
krb5_context /*context*/,
krb5_rcache */*id*/,
const char */*string_name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve_type (
krb5_context /*context*/,
krb5_rcache */*id*/,
const char */*type*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_store (
krb5_context /*context*/,
krb5_rcache /*id*/,
krb5_donot_replay */*rep*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -3093,20 +3434,20 @@ krb5_rd_cred (
krb5_creds ***/*ret_creds*/,
krb5_replay_data */*outdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred2 (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
krb5_ccache /*ccache*/,
krb5_data */*in_data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_error (
krb5_context /*context*/,
const krb5_data */*msg*/,
KRB_ERROR */*result*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_priv (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -3114,14 +3455,14 @@ krb5_rd_priv (
krb5_data */*outbuf*/,
krb5_replay_data */*outdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_rep (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
const krb5_data */*inbuf*/,
krb5_ap_rep_enc_part **/*repl*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3131,7 +3472,7 @@ krb5_rd_req (
krb5_flags */*ap_req_options*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_ctx (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3140,58 +3481,64 @@ krb5_rd_req_ctx (
krb5_rd_req_in_ctx /*inctx*/,
krb5_rd_req_out_ctx */*outctx*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_in_ctx_alloc (
krb5_context /*context*/,
krb5_rd_req_in_ctx */*ctx*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_rd_req_in_ctx_free (
krb5_context /*context*/,
krb5_rd_req_in_ctx /*ctx*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_in_set_keyblock (
krb5_context /*context*/,
krb5_rd_req_in_ctx /*in*/,
krb5_keyblock */*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_in_set_keytab (
krb5_context /*context*/,
krb5_rd_req_in_ctx /*in*/,
krb5_keytab /*keytab*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_in_set_pac_check (
krb5_context /*context*/,
krb5_rd_req_in_ctx /*in*/,
krb5_boolean /*flag*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_rd_req_out_ctx_free (
krb5_context /*context*/,
krb5_rd_req_out_ctx /*ctx*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_out_get_ap_req_options (
krb5_context /*context*/,
krb5_rd_req_out_ctx /*out*/,
krb5_flags */*ap_req_options*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_out_get_keyblock (
krb5_context /*context*/,
krb5_rd_req_out_ctx /*out*/,
krb5_keyblock **/*keyblock*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_out_get_server (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx /*out*/,
+ krb5_principal */*principal*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_out_get_ticket (
krb5_context /*context*/,
krb5_rd_req_out_ctx /*out*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_with_keyblock (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
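Review bot: The new `krb5_rd_req_out_get_server` hands a principal back through `krb5_principal *principal` without saying who owns it. The prototype does not show whether the caller receives a copy to release or a pointer into `out` that dies with `krb5_rd_req_out_ctx_free`, and guessing wrong means a leak or a double free in server code that handles authenticated requests. A one-line comment on the definition would settle it, e.g. `/* On success *principal is a copy; free it with krb5_free_principal(). */`, with the wording confirmed against the implementation, which is not visible here.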
@@ -3201,7 +3548,7 @@ krb5_rd_req_with_keyblock (
krb5_flags */*ap_req_options*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_safe (
krb5_context /*context*/,
krb5_auth_context /*auth_context*/,
@@ -3209,33 +3556,33 @@ krb5_rd_safe (
krb5_data */*outbuf*/,
krb5_replay_data */*outdata*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_message (
krb5_context /*context*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_priv_message (
krb5_context /*context*/,
krb5_auth_context /*ac*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_safe_message (
krb5_context /*context*/,
krb5_auth_context /*ac*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_realm_compare (
krb5_context /*context*/,
krb5_const_principal /*princ1*/,
krb5_const_principal /*princ2*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3246,7 +3593,7 @@ krb5_recvauth (
krb5_keytab /*keytab*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth_match_version (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3258,104 +3605,104 @@ krb5_recvauth_match_version (
krb5_keytab /*keytab*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_address (
krb5_storage */*sp*/,
krb5_address */*adr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_addrs (
krb5_storage */*sp*/,
krb5_addresses */*adr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_authdata (
krb5_storage */*sp*/,
krb5_authdata */*auth*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_creds (
krb5_storage */*sp*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_creds_tag (
krb5_storage */*sp*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_data (
krb5_storage */*sp*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int16 (
krb5_storage */*sp*/,
int16_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int32 (
krb5_storage */*sp*/,
int32_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int8 (
krb5_storage */*sp*/,
int8_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_keyblock (
krb5_storage */*sp*/,
krb5_keyblock */*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_principal (
krb5_storage */*sp*/,
krb5_principal */*princ*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_string (
krb5_storage */*sp*/,
char **/*string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_stringnl (
krb5_storage */*sp*/,
char **/*string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_stringz (
krb5_storage */*sp*/,
char **/*string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_times (
krb5_storage */*sp*/,
krb5_times */*times*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint16 (
krb5_storage */*sp*/,
uint16_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint32 (
krb5_storage */*sp*/,
uint32_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint8 (
krb5_storage */*sp*/,
uint8_t */*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_salttype_to_string (
krb5_context /*context*/,
krb5_enctype /*etype*/,
krb5_salttype /*stype*/,
char **/*string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendauth (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3371,14 +3718,14 @@ krb5_sendauth (
krb5_ap_rep_enc_part **/*rep_result*/,
krb5_creds **/*out_creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto (
krb5_context /*context*/,
const krb5_data */*send_data*/,
krb5_krbhst_handle /*handle*/,
krb5_data */*receive*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_context (
krb5_context /*context*/,
krb5_sendto_ctx /*ctx*/,
@@ -3386,43 +3733,43 @@ krb5_sendto_context (
const krb5_realm /*realm*/,
krb5_data */*receive*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_add_flags (
krb5_sendto_ctx /*ctx*/,
int /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_ctx_alloc (
krb5_context /*context*/,
krb5_sendto_ctx */*ctx*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_free (
krb5_context /*context*/,
krb5_sendto_ctx /*ctx*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_sendto_ctx_get_flags (krb5_sendto_ctx /*ctx*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_set_func (
krb5_sendto_ctx /*ctx*/,
krb5_sendto_ctx_func /*func*/,
void */*data*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_set_type (
krb5_sendto_ctx /*ctx*/,
int /*type*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_kdc (
krb5_context /*context*/,
const krb5_data */*send_data*/,
const krb5_realm */*realm*/,
krb5_data */*receive*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_kdc_flags (
krb5_context /*context*/,
const krb5_data */*send_data*/,
@@ -3430,54 +3777,73 @@ krb5_sendto_kdc_flags (
krb5_data */*receive*/,
int /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_config_files (
krb5_context /*context*/,
char **/*filenames*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_default_in_tkt_etypes (
krb5_context /*context*/,
const krb5_enctype */*etypes*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_default_realm (
krb5_context /*context*/,
const char */*realm*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_dns_canonicalize_hostname (
krb5_context /*context*/,
krb5_boolean /*flag*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_set_error_message (
+ krb5_context /*context*/,
+ krb5_error_code /*ret*/,
+ const char */*fmt*/,
+ ...)
+ __attribute__ ((format (printf, 3, 4)));
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_error_string (
krb5_context /*context*/,
const char */*fmt*/,
...)
- __attribute__((format (printf, 2, 3)));
+ __attribute__((format (printf, 2, 3))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_extra_addresses (
krb5_context /*context*/,
const krb5_addresses */*addresses*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_fcache_version (
krb5_context /*context*/,
int /*version*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_set_home_dir_access (
+ krb5_context /*context*/,
+ krb5_boolean /*allow*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_ignore_addresses (
krb5_context /*context*/,
const krb5_addresses */*addresses*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_kdc_sec_offset (
+ krb5_context /*context*/,
+ int32_t /*sec*/,
+ int32_t /*usec*/);
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_max_time_skew (
krb5_context /*context*/,
time_t /*t*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password (
krb5_context /*context*/,
krb5_creds */*creds*/,
@@ -3487,7 +3853,7 @@ krb5_set_password (
krb5_data */*result_code_string*/,
krb5_data */*result_string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password_using_ccache (
krb5_context /*context*/,
krb5_ccache /*ccache*/,
@@ -3497,29 +3863,29 @@ krb5_set_password_using_ccache (
krb5_data */*result_code_string*/,
krb5_data */*result_string*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_real_time (
krb5_context /*context*/,
krb5_timestamp /*sec*/,
int32_t /*usec*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_send_to_kdc_func (
krb5_context /*context*/,
krb5_send_to_kdc_func /*func*/,
void */*data*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_use_admin_kdc (
krb5_context /*context*/,
krb5_boolean /*flag*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_warn_dest (
krb5_context /*context*/,
krb5_log_facility */*fac*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (
krb5_context /*context*/,
const char */*hostname*/,
@@ -3527,7 +3893,7 @@ krb5_sname_to_principal (
int32_t /*type*/,
krb5_principal */*ret_princ*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sock_to_principal (
krb5_context /*context*/,
int /*sock*/,
@@ -3535,204 +3901,218 @@ krb5_sock_to_principal (
int32_t /*type*/,
krb5_principal */*ret_princ*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2address (
krb5_context /*context*/,
const struct sockaddr */*sa*/,
krb5_address */*addr*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2port (
krb5_context /*context*/,
const struct sockaddr */*sa*/,
int16_t */*port*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_sockaddr_is_loopback (const struct sockaddr */*sa*/);
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_std_usage (
int /*code*/,
struct getargs */*args*/,
int /*num_args*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_clear_flags (
krb5_storage */*sp*/,
krb5_flags /*flags*/);
-krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_emem (void);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_storage_free (krb5_storage */*sp*/);
-krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_data (krb5_data */*data*/);
-krb5_storage * KRB5_LIB_FUNCTION
-krb5_storage_from_fd (int /*fd*/);
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
+krb5_storage_from_fd (krb5_socket_t /*fd_in*/);
-krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_mem (
void */*buf*/,
size_t /*len*/);
-krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_readonly_mem (
const void */*buf*/,
size_t /*len*/);
-krb5_flags KRB5_LIB_FUNCTION
-krb5_storage_get_byteorder (
- krb5_storage */*sp*/,
- krb5_flags /*byteorder*/);
+KRB5_LIB_FUNCTION krb5_flags KRB5_LIB_CALL
+krb5_storage_get_byteorder (krb5_storage */*sp*/);
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_storage_get_eof_code (krb5_storage */*sp*/);
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_storage_is_flags (
krb5_storage */*sp*/,
krb5_flags /*flags*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_storage_read (
krb5_storage */*sp*/,
void */*buf*/,
size_t /*len*/);
-off_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
krb5_storage_seek (
krb5_storage */*sp*/,
off_t /*offset*/,
int /*whence*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_byteorder (
krb5_storage */*sp*/,
krb5_flags /*byteorder*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_eof_code (
krb5_storage */*sp*/,
int /*code*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_flags (
krb5_storage */*sp*/,
krb5_flags /*flags*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_storage_set_max_alloc (
+ krb5_storage */*sp*/,
+ size_t /*size*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_storage_to_data (
krb5_storage */*sp*/,
krb5_data */*data*/);
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_storage_truncate (
+ krb5_storage */*sp*/,
+ off_t /*offset*/);
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_storage_write (
krb5_storage */*sp*/,
const void */*buf*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_address (
krb5_storage */*sp*/,
krb5_address /*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_addrs (
krb5_storage */*sp*/,
krb5_addresses /*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_authdata (
krb5_storage */*sp*/,
krb5_authdata /*auth*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_creds (
krb5_storage */*sp*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_creds_tag (
krb5_storage */*sp*/,
krb5_creds */*creds*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_data (
krb5_storage */*sp*/,
krb5_data /*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int16 (
krb5_storage */*sp*/,
int16_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int32 (
krb5_storage */*sp*/,
int32_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int8 (
krb5_storage */*sp*/,
int8_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_keyblock (
krb5_storage */*sp*/,
krb5_keyblock /*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_principal (
krb5_storage */*sp*/,
krb5_const_principal /*p*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_string (
krb5_storage */*sp*/,
const char */*s*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringnl (
krb5_storage */*sp*/,
const char */*s*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringz (
krb5_storage */*sp*/,
const char */*s*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_times (
krb5_storage */*sp*/,
krb5_times /*times*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint16 (
krb5_storage */*sp*/,
uint16_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint32 (
krb5_storage */*sp*/,
uint32_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint8 (
krb5_storage */*sp*/,
uint8_t /*value*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_deltat (
const char */*string*/,
krb5_deltat */*deltat*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_enctype (
krb5_context /*context*/,
const char */*string*/,
krb5_enctype */*etype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3740,7 +4120,7 @@ krb5_string_to_key (
krb5_principal /*principal*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_data (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3748,7 +4128,7 @@ krb5_string_to_key_data (
krb5_principal /*principal*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_data_salt (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3756,7 +4136,7 @@ krb5_string_to_key_data_salt (
krb5_salt /*salt*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_data_salt_opaque (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3765,7 +4145,7 @@ krb5_string_to_key_data_salt_opaque (
krb5_data /*opaque*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_derived (
krb5_context /*context*/,
const void */*str*/,
@@ -3773,7 +4153,7 @@ krb5_string_to_key_derived (
krb5_enctype /*etype*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_salt (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3781,7 +4161,7 @@ krb5_string_to_key_salt (
krb5_salt /*salt*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_salt_opaque (
krb5_context /*context*/,
krb5_enctype /*enctype*/,
@@ -3790,62 +4170,68 @@ krb5_string_to_key_salt_opaque (
krb5_data /*opaque*/,
krb5_keyblock */*key*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_keytype (
krb5_context /*context*/,
const char */*string*/,
- krb5_keytype */*keytype*/);
+ krb5_keytype */*keytype*/)
+ KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_salttype (
krb5_context /*context*/,
krb5_enctype /*etype*/,
const char */*string*/,
krb5_salttype */*salttype*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_authorization_data_type (
krb5_context /*context*/,
krb5_ticket */*ticket*/,
int /*type*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_client (
krb5_context /*context*/,
const krb5_ticket */*ticket*/,
krb5_principal */*client*/);
-time_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_ticket_get_endtime (
krb5_context /*context*/,
const krb5_ticket */*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
+krb5_ticket_get_flags (
+ krb5_context /*context*/,
+ const krb5_ticket */*ticket*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_server (
krb5_context /*context*/,
const krb5_ticket */*ticket*/,
krb5_principal */*server*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_timeofday (
krb5_context /*context*/,
krb5_timestamp */*timeret*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
char **/*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
char */*name*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed_flags (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
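Review bot: The deprecation text added to `krb5_string_to_keytype` is the placeholder `"Use X instead"`, so the compiler warning gives a caller nothing to migrate to. The same placeholder is attached to `krb5_vset_error_string` in the last hunk of this file, where the replacement appears to be the newly declared `krb5_vset_error_message`; there the attribute could read `KRB5_DEPRECATED_FUNCTION("Use krb5_vset_error_message instead")`. For `krb5_string_to_keytype` the successor is not visible in this diff, so the message should name it once confirmed. If this header is generated from annotations in the .c files, the text has to be corrected there rather than in the header.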
@@ -3853,48 +4239,48 @@ krb5_unparse_name_fixed_flags (
char */*name*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed_short (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
char */*name*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_flags (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
int /*flags*/,
char **/*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_short (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
char **/*name*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_us_timeofday (
krb5_context /*context*/,
krb5_timestamp */*sec*/,
int32_t */*usec*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabort (
krb5_context /*context*/,
krb5_error_code /*code*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((noreturn, format (printf, 3, 0)));
+ __attribute__ ((noreturn, format (printf, 3, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabortx (
krb5_context /*context*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((noreturn, format (printf, 2, 0)));
+ __attribute__ ((noreturn, format (printf, 2, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3905,7 +4291,7 @@ krb5_verify_ap_req (
krb5_flags */*ap_req_options*/,
krb5_ticket **/*ticket*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req2 (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
@@ -3917,14 +4303,14 @@ krb5_verify_ap_req2 (
krb5_ticket **/*ticket*/,
krb5_key_usage /*usage*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_authenticator_checksum (
krb5_context /*context*/,
krb5_auth_context /*ac*/,
void */*data*/,
size_t /*len*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_checksum (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
@@ -3933,7 +4319,16 @@ krb5_verify_checksum (
size_t /*len*/,
Checksum */*cksum*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_verify_checksum_iov (
+ krb5_context /*context*/,
+ krb5_crypto /*crypto*/,
+ unsigned /*usage*/,
+ krb5_crypto_iov */*data*/,
+ unsigned int /*num_data*/,
+ krb5_cksumtype */*type*/);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_init_creds (
krb5_context /*context*/,
krb5_creds */*creds*/,
@@ -3942,51 +4337,51 @@ krb5_verify_init_creds (
krb5_ccache */*ccache*/,
krb5_verify_init_creds_opt */*options*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_init_creds_opt_set_ap_req_nofail (
krb5_verify_init_creds_opt */*options*/,
int /*ap_req_nofail*/);
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_verify_opt_alloc (
krb5_context /*context*/,
krb5_verify_opt **/*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_free (krb5_verify_opt */*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_init (krb5_verify_opt */*opt*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_ccache (
krb5_verify_opt */*opt*/,
krb5_ccache /*ccache*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_flags (
krb5_verify_opt */*opt*/,
unsigned int /*flags*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_keytab (
krb5_verify_opt */*opt*/,
krb5_keytab /*keytab*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_secure (
krb5_verify_opt */*opt*/,
krb5_boolean /*secure*/);
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_service (
krb5_verify_opt */*opt*/,
const char */*service*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user (
krb5_context /*context*/,
krb5_principal /*principal*/,
@@ -3995,7 +4390,7 @@ krb5_verify_user (
krb5_boolean /*secure*/,
const char */*service*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_lrealm (
krb5_context /*context*/,
krb5_principal /*principal*/,
@@ -4004,40 +4399,40 @@ krb5_verify_user_lrealm (
krb5_boolean /*secure*/,
const char */*service*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_opt (
krb5_context /*context*/,
krb5_principal /*principal*/,
const char */*password*/,
krb5_verify_opt */*opt*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verr (
krb5_context /*context*/,
int /*eval*/,
krb5_error_code /*code*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((noreturn, format (printf, 4, 0)));
+ __attribute__ ((noreturn, format (printf, 4, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verrx (
krb5_context /*context*/,
int /*eval*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((noreturn, format (printf, 3, 0)));
+ __attribute__ ((noreturn, format (printf, 3, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vlog (
krb5_context /*context*/,
krb5_log_facility */*fac*/,
int /*level*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__((format (printf, 4, 0)));
+ __attribute__((format (printf, 4, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vlog_msg (
krb5_context /*context*/,
krb5_log_facility */*fac*/,
@@ -4045,70 +4440,88 @@ krb5_vlog_msg (
int /*level*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__((format (printf, 5, 0)));
+ __attribute__((format (printf, 5, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_vprepend_error_message (
+ krb5_context /*context*/,
+ krb5_error_code /*ret*/,
+ const char */*fmt*/,
+ va_list /*args*/)
+ __attribute__ ((format (printf, 3, 0)));
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_vset_error_message (
+ krb5_context /*context*/,
+ krb5_error_code /*ret*/,
+ const char */*fmt*/,
+ va_list /*args*/)
+ __attribute__ ((format (printf, 3, 0)));
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vset_error_string (
krb5_context /*context*/,
const char */*fmt*/,
va_list /*args*/)
- __attribute__ ((format (printf, 2, 0)));
+ __attribute__ ((format (printf, 2, 0))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vwarn (
krb5_context /*context*/,
krb5_error_code /*code*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((format (printf, 3, 0)));
+ __attribute__ ((format (printf, 3, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vwarnx (
krb5_context /*context*/,
const char */*fmt*/,
va_list /*ap*/)
- __attribute__ ((format (printf, 2, 0)));
+ __attribute__ ((format (printf, 2, 0)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warn (
krb5_context /*context*/,
krb5_error_code /*code*/,
const char */*fmt*/,
...)
- __attribute__ ((format (printf, 3, 4)));
+ __attribute__ ((format (printf, 3, 4)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warnx (
krb5_context /*context*/,
const char */*fmt*/,
...)
- __attribute__ ((format (printf, 2, 3)));
+ __attribute__ ((format (printf, 2, 3)));
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_message (
krb5_context /*context*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_priv_message (
krb5_context /*context*/,
krb5_auth_context /*ac*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_safe_message (
krb5_context /*context*/,
krb5_auth_context /*ac*/,
krb5_pointer /*p_fd*/,
krb5_data */*data*/);
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_xfree (void */*ptr*/);
#ifdef __cplusplus
}
#endif
+#undef KRB5_DEPRECATED_FUNCTION
+
#endif /* __krb5_protos_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5-v4compat.h b/crypto/heimdal/lib/krb5/krb5-v4compat.h
index dfd7e944607f..324c8c1d3c89 100644
--- a/crypto/heimdal/lib/krb5/krb5-v4compat.h
+++ b/crypto/heimdal/lib/krb5/krb5-v4compat.h
@@ -1,44 +1,44 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
+/* $Id$ */
#ifndef __KRB5_V4COMPAT_H__
#define __KRB5_V4COMPAT_H__
#include "krb_err.h"
-/*
+/*
* This file must only be included with v4 compat glue stuff in
* heimdal sources.
*
@@ -105,8 +105,12 @@ struct credentials {
#define CLOCK_SKEW 5*60
#ifndef TKT_ROOT
+#ifdef KRB5_USE_PATH_TOKENS
+#define TKT_ROOT "%{TEMP}/tkt"
+#else
#define TKT_ROOT "/tmp/tkt"
#endif
+#endif
struct _krb5_krb_auth_data {
int8_t k_flags; /* Flags from ticket */
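Review bot: The new `%{TEMP}/tkt` default only becomes a path once something expands the token, and nothing in this hunk shows that every user of `TKT_ROOT` does that. A caller that hands the macro straight to a file API would end up with a literal `%{TEMP}` directory name relative to the working directory. I would state the contract on the define, e.g. `/* contains a path token; expand before using as a file name */`. The non-token branch keeps the fixed name `/tmp/tkt` in a shared temporary directory, so the code that creates the ticket file should be checked for exclusive creation that does not follow links; that code is outside this hunk.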
@@ -120,11 +124,18 @@ struct _krb5_krb_auth_data {
uint32_t address; /* Address in ticket */
};
-time_t _krb5_krb_life_to_time (int, int);
-int _krb5_krb_time_to_life (time_t, time_t);
-krb5_error_code _krb5_krb_tf_setup (krb5_context, struct credentials *,
- const char *, int);
-krb5_error_code _krb5_krb_dest_tkt(krb5_context, const char *);
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
+_krb5_krb_life_to_time (int, int);
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+_krb5_krb_time_to_life (time_t, time_t);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_krb_tf_setup (krb5_context, struct credentials *,
+ const char *, int);
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_krb_dest_tkt(krb5_context, const char *);
#define krb_time_to_life _krb5_krb_time_to_life
#define krb_life_to_time _krb5_krb_life_to_time
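Review bot: The four re-declared prototypes still carry no parameter names, so `_krb5_krb_life_to_time (int, int)` and `_krb5_krb_time_to_life (time_t, time_t)` do not say which argument is the start and which is the lifetime or end time. Arguments of the same type that are swapped compile silently and would yield a wrong ticket lifetime. Now that these are marked `KRB5_LIB_FUNCTION`, I would name the parameters or add a one-line comment per prototype giving the order and units. The definitions are outside this diff, so the actual order has to be taken from them.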
diff --git a/crypto/heimdal/lib/krb5/krb5.3 b/crypto/heimdal/lib/krb5/krb5.3
deleted file mode 100644
index 3ce8c1fe9c11..000000000000
--- a/crypto/heimdal/lib/krb5/krb5.3
+++ /dev/null
@@ -1,526 +0,0 @@
-.\" Copyright (c) 2001, 2003 - 2006 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5.3 18212 2006-10-03 10:39:35Z lha $
-.\"
-.Dd May 1, 2006
-.Dt KRB5 3
-.Os
-.Sh NAME
-.Nm krb5
-.Nd Kerberos 5 library
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Sh DESCRIPTION
-These functions constitute the Kerberos 5 library,
-.Em libkrb5 .
-.Sh LIST OF FUNCTIONS
-.sp 2
-.nf
-.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u
-\fIName/Page\fP \fIDescription\fP
-.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-krb524_convert_creds_kdc.3
-krb524_convert_creds_kdc_cache.3
-krb5_425_conv_principal.3
-krb5_425_conv_principal_ext.3
-krb5_524_conv_principal.3
-krb5_abort.3
-krb5_abortx.3
-krb5_acl_match_file.3
-krb5_acl_match_string.3
-krb5_add_et_list.3
-krb5_add_extra_addresses.3
-krb5_add_ignore_addresses.3
-krb5_addlog_dest.3
-krb5_addlog_func.3
-krb5_addr2sockaddr.3
-krb5_address.3
-krb5_address_compare.3
-krb5_address_order.3
-krb5_address_search.3
-krb5_addresses.3
-krb5_aname_to_localname.3
-krb5_anyaddr.3
-krb5_appdefault_boolean.3
-krb5_appdefault_string.3
-krb5_appdefault_time.3
-krb5_append_addresses.3
-krb5_auth_con_addflags.3
-krb5_auth_con_free.3
-krb5_auth_con_genaddrs.3
-krb5_auth_con_generatelocalsubkey.3
-krb5_auth_con_getaddrs.3
-krb5_auth_con_getauthenticator.3
-krb5_auth_con_getcksumtype.3
-krb5_auth_con_getflags.3
-krb5_auth_con_getkey.3
-krb5_auth_con_getkeytype.3
-krb5_auth_con_getlocalseqnumber.3
-krb5_auth_con_getlocalsubkey.3
-krb5_auth_con_getrcache.3
-krb5_auth_con_getremotesubkey.3
-krb5_auth_con_getuserkey.3
-krb5_auth_con_init.3
-krb5_auth_con_initivector.3
-krb5_auth_con_removeflags.3
-krb5_auth_con_setaddrs.3
-krb5_auth_con_setaddrs_from_fd.3
-krb5_auth_con_setcksumtype.3
-krb5_auth_con_setflags.3
-krb5_auth_con_setivector.3
-krb5_auth_con_setkey.3
-krb5_auth_con_setkeytype.3
-krb5_auth_con_setlocalseqnumber.3
-krb5_auth_con_setlocalsubkey.3
-krb5_auth_con_setrcache.3
-krb5_auth_con_setremoteseqnumber.3
-krb5_auth_con_setremotesubkey.3
-krb5_auth_con_setuserkey.3
-krb5_auth_context.3
-krb5_auth_getremoteseqnumber.3
-krb5_build_principal.3
-krb5_build_principal_ext.3
-krb5_build_principal_va.3
-krb5_build_principal_va_ext.3
-krb5_c_block_size.3
-krb5_c_checksum_length.3
-krb5_c_decrypt.3
-krb5_c_encrypt.3
-krb5_c_encrypt_length.3
-krb5_c_enctype_compare.3
-krb5_c_get_checksum.3
-krb5_c_is_coll_proof_cksum.3
-krb5_c_is_keyed_cksum.3
-krb5_c_make_checksum.3
-krb5_c_make_random_key.3
-krb5_c_set_checksum.3
-krb5_c_valid_cksumtype.3
-krb5_c_valid_enctype.3
-krb5_c_verify_checksum.3
-krb5_cc_cache_end_seq_get.3
-krb5_cc_cache_get_first.3
-krb5_cc_cache_match.3
-krb5_cc_cache_next.3
-krb5_cc_close.3
-krb5_cc_copy_cache.3
-krb5_cc_default.3
-krb5_cc_default_name.3
-krb5_cc_destroy.3
-krb5_cc_end_seq_get.3
-krb5_cc_gen_new.3
-krb5_cc_get_full_name.3
-krb5_cc_get_name.3
-krb5_cc_get_ops.3
-krb5_cc_get_principal.3
-krb5_cc_get_type.3
-krb5_cc_get_version.3
-krb5_cc_initialize.3
-krb5_cc_new_unique.3
-krb5_cc_next_cred.3
-krb5_cc_register.3
-krb5_cc_remove_cred.3
-krb5_cc_resolve.3
-krb5_cc_retrieve_cred.3
-krb5_cc_set_default_name.3
-krb5_cc_set_flags.3
-krb5_cc_store_cred.3
-krb5_change_password.3
-krb5_check_transited.3
-krb5_check_transited_realms.3
-krb5_checksum_disable.3
-krb5_checksum_free.3
-krb5_checksum_is_collision_proof.3
-krb5_checksum_is_keyed.3
-krb5_checksumsize.3
-krb5_clear_error_string.3
-krb5_closelog.3
-krb5_config_file_free.3
-krb5_config_free_strings.3
-krb5_config_get.3
-krb5_config_get_bool.3
-krb5_config_get_bool_default.3
-krb5_config_get_int.3
-krb5_config_get_int_default.3
-krb5_config_get_list.3
-krb5_config_get_next.3
-krb5_config_get_string.3
-krb5_config_get_string_default.3
-krb5_config_get_strings.3
-krb5_config_get_time.3
-krb5_config_get_time_default.3
-krb5_config_parse_file.3
-krb5_config_parse_file_multi.3
-krb5_config_vget.3
-krb5_config_vget_bool.3
-krb5_config_vget_bool_default.3
-krb5_config_vget_int.3
-krb5_config_vget_int_default.3
-krb5_config_vget_list.3
-krb5_config_vget_next.3
-krb5_config_vget_string.3
-krb5_config_vget_string_default.3
-krb5_config_vget_strings.3
-krb5_config_vget_time.3
-krb5_config_vget_time_default.3
-krb5_context.3
-krb5_copy_address.3
-krb5_copy_addresses.3
-krb5_copy_checksum.3
-krb5_copy_data.3
-krb5_copy_host_realm.3
-krb5_copy_keyblock.3
-krb5_copy_keyblock_contents.3
-krb5_copy_principal.3
-krb5_copy_ticket.3
-krb5_create_checksum.3
-krb5_creds.3
-krb5_crypto_destroy.3
-krb5_crypto_get_checksum_type.3
-krb5_crypto_getblocksize.3
-krb5_crypto_getconfoundersize.3
-krb5_crypto_getenctype.3
-krb5_crypto_getpadsize.3
-krb5_crypto_init.3
-krb5_data_alloc.3
-krb5_data_copy.3
-krb5_data_free.3
-krb5_data_realloc.3
-krb5_data_zero.3
-krb5_decrypt.3
-krb5_decrypt_EncryptedData.3
-krb5_digest.3
-krb5_digest_alloc.3
-krb5_digest_free.3
-krb5_digest_get_a1_hash.3
-krb5_digest_get_client_binding.3
-krb5_digest_get_identifier.3
-krb5_digest_get_opaque.3
-krb5_digest_get_responseData.3
-krb5_digest_get_rsp.3
-krb5_digest_get_server_nonce.3
-krb5_digest_get_tickets.3
-krb5_digest_init_request.3
-krb5_digest_request.3
-krb5_digest_set_authentication_user.3
-krb5_digest_set_authid.3
-krb5_digest_set_client_nonce.3
-krb5_digest_set_digest.3
-krb5_digest_set_hostname.3
-krb5_digest_set_identifier.3
-krb5_digest_set_method.3
-krb5_digest_set_nonceCount.3
-krb5_digest_set_opaque.3
-krb5_digest_set_qop.3
-krb5_digest_set_realm.3
-krb5_digest_set_server_cb.3
-krb5_digest_set_server_nonce.3
-krb5_digest_set_type.3
-krb5_digest_set_uri.3
-krb5_digest_set_username.3
-krb5_domain_x500_decode.3
-krb5_domain_x500_encode.3
-krb5_eai_to_heim_errno.3
-krb5_encrypt.3
-krb5_encrypt_EncryptedData.3
-krb5_enctype_disable.3
-krb5_enctype_to_string.3
-krb5_enctype_valid.3
-krb5_err.3
-krb5_errx.3
-krb5_expand_hostname.3
-krb5_expand_hostname_realms.3
-krb5_find_padata.3
-krb5_format_time.3
-krb5_free_address.3
-krb5_free_addresses.3
-krb5_free_authenticator.3
-krb5_free_checksum.3
-krb5_free_checksum_contents.3
-krb5_free_config_files.3
-krb5_free_context.3
-krb5_free_data.3
-krb5_free_data_contents.3
-krb5_free_error_string.3
-krb5_free_host_realm.3
-krb5_free_kdc_rep.3
-krb5_free_keyblock.3
-krb5_free_keyblock_contents.3
-krb5_free_krbhst.3
-krb5_free_principal.3
-krb5_free_salt.3
-krb5_free_ticket.3
-krb5_fwd_tgt_creds.3
-krb5_generate_random_block.3
-krb5_generate_random_keyblock.3
-krb5_generate_subkey.3
-krb5_get_all_client_addrs.3
-krb5_get_all_server_addrs.3
-krb5_get_cred_from_kdc.3
-krb5_get_cred_from_kdc_opt.3
-krb5_get_credentials.3
-krb5_get_credentials_with_flags.3
-krb5_get_default_config_files.3
-krb5_get_default_principal.3
-krb5_get_default_realm.3
-krb5_get_default_realms.3
-krb5_get_err_text.3
-krb5_get_error_message.3
-krb5_get_error_string.3
-krb5_get_extra_addresses.3
-krb5_get_fcache_version.3
-krb5_get_forwarded_creds.3
-krb5_get_host_realm.3
-krb5_get_ignore_addresses.3
-krb5_get_in_cred.3
-krb5_get_in_tkt.3
-krb5_get_in_tkt_with_keytab.3
-krb5_get_in_tkt_with_password.3
-krb5_get_in_tkt_with_skey.3
-krb5_get_init_creds.3
-krb5_get_init_creds_keytab.3
-krb5_get_init_creds_opt_alloc.3
-krb5_get_init_creds_opt_free.3
-krb5_get_init_creds_opt_free_pkinit.3
-krb5_get_init_creds_opt_init.3
-krb5_get_init_creds_opt_set_address_list.3
-krb5_get_init_creds_opt_set_anonymous.3
-krb5_get_init_creds_opt_set_default_flags.3
-krb5_get_init_creds_opt_set_etype_list.3
-krb5_get_init_creds_opt_set_forwardable.3
-krb5_get_init_creds_opt_set_pa_password.3
-krb5_get_init_creds_opt_set_paq_request.3
-krb5_get_init_creds_opt_set_pkinit.3
-krb5_get_init_creds_opt_set_preauth_list.3
-krb5_get_init_creds_opt_set_proxiable.3
-krb5_get_init_creds_opt_set_renew_life.3
-krb5_get_init_creds_opt_set_salt.3
-krb5_get_init_creds_opt_set_tkt_life.3
-krb5_get_init_creds_password.3
-krb5_get_kdc_cred.3
-krb5_get_krb524hst.3
-krb5_get_krb_admin_hst.3
-krb5_get_krb_changepw_hst.3
-krb5_get_krbhst.3
-krb5_get_pw_salt.3
-krb5_get_server_rcache.3
-krb5_get_use_admin_kdc.3
-krb5_get_wrapped_length.3
-krb5_getportbyname.3
-krb5_h_addr2addr.3
-krb5_h_addr2sockaddr.3
-krb5_h_errno_to_heim_errno.3
-krb5_have_error_string.3
-krb5_hmac.3
-krb5_init_context.3
-krb5_init_ets.3
-krb5_initlog.3
-krb5_keyblock_get_enctype.3
-krb5_keyblock_zero.3
-krb5_keytab_entry.3
-krb5_krbhst_format_string.3
-krb5_krbhst_free.3
-krb5_krbhst_get_addrinfo.3
-krb5_krbhst_init.3
-krb5_krbhst_init_flags.3
-krb5_krbhst_next.3
-krb5_krbhst_next_as_string.3
-krb5_krbhst_reset.3
-krb5_kt_add_entry.3
-krb5_kt_close.3
-krb5_kt_compare.3
-krb5_kt_copy_entry_contents.3
-krb5_kt_cursor.3
-krb5_kt_default.3
-krb5_kt_default_modify_name.3
-krb5_kt_default_name.3
-krb5_kt_end_seq_get.3
-krb5_kt_free_entry.3
-krb5_kt_get_entry.3
-krb5_kt_get_name.3
-krb5_kt_get_type.3
-krb5_kt_next_entry.3
-krb5_kt_ops.3
-krb5_kt_read_service_key.3
-krb5_kt_register.3
-krb5_kt_remove_entry.3
-krb5_kt_resolve.3.3
-krb5_kt_start_seq_get
-krb5_kuserok.3
-krb5_log.3
-krb5_log_msg.3
-krb5_make_addrport.3
-krb5_make_principal.3
-krb5_max_sockaddr_size.3
-krb5_openlog.3
-krb5_padata_add.3
-krb5_parse_address.3
-krb5_parse_name.3
-krb5_passwd_result_to_string.3
-krb5_password_key_proc.3
-krb5_prepend_config_files.3
-krb5_prepend_config_files_default.3
-krb5_princ_realm.3
-krb5_princ_set_realm.3
-krb5_principal.3
-krb5_principal_compare.3
-krb5_principal_compare_any_realm.3
-krb5_principal_get_comp_string.3
-krb5_principal_get_realm.3
-krb5_principal_get_type.3
-krb5_principal_match.3
-krb5_principal_set_type.3
-krb5_print_address.3
-krb5_rc_close.3
-krb5_rc_default.3
-krb5_rc_default_name.3
-krb5_rc_default_type.3
-krb5_rc_destroy.3
-krb5_rc_expunge.3
-krb5_rc_get_lifespan.3
-krb5_rc_get_name.3
-krb5_rc_get_type.3
-krb5_rc_initialize.3
-krb5_rc_recover.3
-krb5_rc_resolve.3
-krb5_rc_resolve_full.3
-krb5_rc_resolve_type.3
-krb5_rc_store.3
-krb5_rcache.3
-krb5_realm_compare.3
-krb5_ret_address.3
-krb5_ret_addrs.3
-krb5_ret_authdata.3
-krb5_ret_creds.3
-krb5_ret_data.3
-krb5_ret_int16.3
-krb5_ret_int32.3
-krb5_ret_int8.3
-krb5_ret_keyblock.3
-krb5_ret_principal.3
-krb5_ret_string.3
-krb5_ret_stringz.3
-krb5_ret_times.3
-krb5_set_config_files.3
-krb5_set_default_realm.3
-krb5_set_error_string.3
-krb5_set_extra_addresses.3
-krb5_set_fcache_version.3
-krb5_set_ignore_addresses.3
-krb5_set_password.3
-krb5_set_password_using_ccache.3
-krb5_set_real_time.3
-krb5_set_use_admin_kdc.3
-krb5_set_warn_dest.3
-krb5_sname_to_principal.3
-krb5_sock_to_principal.3
-krb5_sockaddr2address.3
-krb5_sockaddr2port.3
-krb5_sockaddr_uninteresting.3
-krb5_storage.3
-krb5_storage_clear_flags.3
-krb5_storage_emem.3
-krb5_storage_free.3
-krb5_storage_from_data.3
-krb5_storage_from_fd.3
-krb5_storage_from_mem.3
-krb5_storage_get_byteorder.3
-krb5_storage_is_flags.3
-krb5_storage_read.3
-krb5_storage_seek.3
-krb5_storage_set_byteorder.3
-krb5_storage_set_eof_code.3
-krb5_storage_set_flags.3
-krb5_storage_to_data.3
-krb5_storage_write.3
-krb5_store_address.3
-krb5_store_addrs.3
-krb5_store_authdata.3
-krb5_store_creds.3
-krb5_store_data.3
-krb5_store_int16.3
-krb5_store_int32.3
-krb5_store_int8.3
-krb5_store_keyblock.3
-krb5_store_principal.3
-krb5_store_string.3
-krb5_store_stringz.3
-krb5_store_times.3
-krb5_string_to_deltat.3
-krb5_string_to_enctype.3
-krb5_string_to_key.3
-krb5_string_to_key_data.3
-krb5_string_to_key_data_salt.3
-krb5_string_to_key_data_salt_opaque.3
-krb5_string_to_key_salt.3
-krb5_string_to_key_salt_opaque.3
-krb5_ticket.3
-krb5_ticket_get_authorization_data_type.3
-krb5_ticket_get_client.3
-krb5_ticket_get_server.3
-krb5_timeofday.3
-krb5_unparse_name.3
-krb5_unparse_name_fixed.3
-krb5_unparse_name_fixed_short.3
-krb5_unparse_name_short.3
-krb5_us_timeofday.3
-krb5_vabort.3
-krb5_vabortx.3
-krb5_verify_checksum.3
-krb5_verify_init_creds.3
-krb5_verify_init_creds_opt_init.3
-krb5_verify_init_creds_opt_set_ap_req_nofail.3
-krb5_verify_opt_init.3
-krb5_verify_opt_set_ccache.3
-krb5_verify_opt_set_flags.3
-krb5_verify_opt_set_keytab.3
-krb5_verify_opt_set_secure.3
-krb5_verify_opt_set_service.3
-krb5_verify_user.3
-krb5_verify_user_lrealm.3
-krb5_verify_user_opt.3
-krb5_verr.3
-krb5_verrx.3
-krb5_vlog.3
-krb5_vlog_msg.3
-krb5_vset_error_string.3
-krb5_vwarn.3
-krb5_vwarnx.3
-krb5_warn.3
-krb5_warnx.3
-.ta
-.Fi
-.Sh SEE ALSO
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index ceb16a401aa6..9e1edc7b6ca1 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5.conf.5 15514 2005-06-23 18:43:34Z lha $
+.\" $Id$
.\"
.Dd May 4, 2005
.Dt KRB5.CONF 5
@@ -143,6 +143,9 @@ Default realm to use, this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
+.It Li allow_weak_crypto = Va boolean
+is weaks crypto algorithms allowed to be used, among others, DES is
+considered weak.
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times.
@@ -160,17 +163,28 @@ manual page.
.It ...
.It Li }
.El
-This is deprecated, see the
+This is deprecated, see the
.Li capaths
section below.
+.It Li default_cc_type = Va cctype
+sets the default credentials type.
.It Li default_cc_name = Va ccname
the default credentials cache name.
+If you want to change the type only use
+.Li default_cc_type .
The string can contain variables that are expanded on runtime.
Only support variable now is
.Li %{uid}
that expands to the current user id.
.It Li default_etypes = Va etypes ...
-A list of default encryption types to use.
+A list of default encryption types to use. (Default: all enctypes if
+allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.)
+.It Li default_as_etypes = Va etypes ...
+A list of default encryption types to use in AS requests. (Default: the
+value of default_etypes.)
+.It Li default_tgs_etypes = Va etypes ...
+A list of default encryption types to use in TGS requests. (Default:
+the value of default_etypes.)
.It Li default_etypes_des = Va etypes ...
A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
@@ -241,6 +255,11 @@ older than Heimdal 0.7.
Setting this flag to
.Dv TRUE
make it store the MIT way, this is default for Heimdal 0.7.
+.It Li check-rd-req-server
+If set to "ignore", the framework will ignore any the server input to
+.Xr krb5_rd_req 3,
+this is very useful when the GSS-API server input the
+wrong server name into the gss_accept_sec_context call.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
@@ -326,7 +345,7 @@ obtain credentials for a service in the
.Va server-realm .
Secondly, it tells the KDC (and other servers) which realms are
allowed in a multi-hop traversal from
-.Va client-realm
+.Va client-realm
to
.Va server-realm .
Except for the client case, the order of the realms are not important.
@@ -351,7 +370,7 @@ manual page for a list of defined destinations.
.Bl -tag -width "xxx" -offset indent
.It Li dbname Li = Va DATABASENAME
Use this database for this realm.
-See the info documetation how to configure diffrent database backends.
+See the info documetation how to configure different database backends.
.It Li realm Li = Va REALM
Specifies the realm that will be stored in this database.
It realm isn't set, it will used as the default database, there can
@@ -393,6 +412,24 @@ Default is the same as
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
+.It Li as-use-strongest-session-key = Va BOOL
+If this is TRUE then the KDC will prefer the strongest key from the
+client's AS-REQ enctype list, that is also supported by the KDC and the
+target principal, for the ticket session key. Else it will prefer the
+first key from the client's AS-REQ enctype list that is also supported
+by the KDC and the target principal. Defaults to TRUE.
+.It Li preauth-use-strongest-session-key = Va BOOL
+Like as-use-strongest-session-key, but applies to the session key
+enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
+pre-authentication). Defaults to TRUE.
+.It Li tgs-use-strongest-session-key = Va BOOL
+Like as-use-strongest-session-key, but applies to the session key
+enctype of tickets issued by the TGS. Defaults to TRUE.
+.It Li use-strongest-server-key = Va BOOL
+If TRUE then the KDC picks, for the ticket encrypted part's key, the
+first supported enctype from the target service principal's hdb entry's
+current keyset. Else the KDC picks the first supported enctype from the
+target service principal's hdb entry's current keyset. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.\" XXX
@@ -425,6 +462,11 @@ The default value is account .
.It Li hdb-ldap-create-base Va creation dn
is the dn that will be appended to the principal when creating entries.
Default value is the search dn.
+.It Li enable-digest = Va BOOL
+Should the kdc answer digest requests. The default is FALSE.
+.It Li digests_allowed = Va list of digests
+Specifies the digests the kdc will reply to. The default is
+.Li ntlm-v2 .
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
@@ -462,7 +504,7 @@ When true, this is the same as
.Pp
and is only left for backwards compatibility.
.El
-.It Li [password-quality]
+.It Li [password_quality]
Check the Password quality assurance in the info documentation for
more information.
.Bl -tag -width "xxx" -offset indent
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h
index 571eb6192ae0..2d555ea0604f 100644
--- a/crypto/heimdal/lib/krb5/krb5.h
+++ b/crypto/heimdal/lib/krb5/krb5.h
@@ -1,37 +1,39 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-/* $Id: krb5.h 22100 2007-12-03 17:15:00Z lha $ */
+/* $Id$ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -51,6 +53,12 @@
#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
#endif
+#ifdef _WIN32
+#define KRB5_CALLCONV __stdcall
+#else
+#define KRB5_CALLCONV
+#endif
+
/* simple constants */
#ifndef TRUE
@@ -62,7 +70,7 @@ typedef int krb5_boolean;
typedef int32_t krb5_error_code;
-typedef int krb5_kvno;
+typedef int32_t krb5_kvno;
typedef uint32_t krb5_flags;
@@ -92,6 +100,8 @@ typedef Checksum krb5_checksum;
typedef ENCTYPE krb5_enctype;
+typedef struct krb5_get_init_creds_ctx *krb5_init_creds_context;
+
typedef heim_octet_string krb5_data;
/* PKINIT related forward declarations */
@@ -108,28 +118,69 @@ typedef struct krb5_enc_data {
/* alternative names */
enum {
- ENCTYPE_NULL = ETYPE_NULL,
- ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5,
- ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5,
- ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1,
- ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE,
- ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV,
- ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB,
- ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96,
- ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56,
- ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS,
- ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE,
- ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE,
- ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE,
- ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE
+ ENCTYPE_NULL = KRB5_ENCTYPE_NULL,
+ ENCTYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ENCTYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ENCTYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ENCTYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ENCTYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ENCTYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ENCTYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ENCTYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ENCTYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ENCTYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ENCTYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_NULL = KRB5_ENCTYPE_NULL,
+ ETYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ETYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ETYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ETYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ETYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ETYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ETYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ETYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ETYPE_ARCFOUR_MD4 = KRB5_ENCTYPE_ARCFOUR_MD4,
+ ETYPE_ARCFOUR_HMAC_OLD = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD,
+ ETYPE_ARCFOUR_HMAC_OLD_EXP = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP,
+ ETYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ETYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ETYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ETYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_DIGEST_MD5_NONE = KRB5_ENCTYPE_DIGEST_MD5_NONE,
+ ETYPE_CRAM_MD5_NONE = KRB5_ENCTYPE_CRAM_MD5_NONE
+
};
+/* PDU types */
+typedef enum krb5_pdu {
+ KRB5_PDU_ERROR = 0,
+ KRB5_PDU_TICKET = 1,
+ KRB5_PDU_AS_REQUEST = 2,
+ KRB5_PDU_AS_REPLY = 3,
+ KRB5_PDU_TGS_REQUEST = 4,
+ KRB5_PDU_TGS_REPLY = 5,
+ KRB5_PDU_AP_REQUEST = 6,
+ KRB5_PDU_AP_REPLY = 7,
+ KRB5_PDU_KRB_SAFE = 8,
+ KRB5_PDU_KRB_PRIV = 9,
+ KRB5_PDU_KRB_CRED = 10,
+ KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */
+} krb5_pdu;
+
typedef PADATA_TYPE krb5_preauthtype;
typedef enum krb5_key_usage {
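Review bot: The enum's only comment is still `/* alternative names */`, yet the new side adds a second alias family (`ETYPE_*`) beside `ENCTYPE_*`, and nothing marks which entries are weak. The krb5.conf.5 change in this same commit says single-DES enctypes are left out of the default list unless `allow_weak_crypto` is TRUE, so the header could carry the same cue, e.g. `/* ENCTYPE_* and ETYPE_* are both aliases of KRB5_ENCTYPE_*; single-DES entries are weak, see allow_weak_crypto in krb5.conf(5) */`. The blank added line between `ETYPE_CRAM_MD5_NONE` and the closing `};` can go as well.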
@@ -205,7 +256,7 @@ typedef enum krb5_key_usage {
/* acceptor sign in GSSAPI CFX krb5 mechanism */
KRB5_KU_USAGE_ACCEPTOR_SIGN = 23,
/* acceptor seal in GSSAPI CFX krb5 mechanism */
- KRB5_KU_USAGE_INITIATOR_SEAL = 24,
+ KRB5_KU_USAGE_INITIATOR_SEAL = 24,
/* initiator sign in GSSAPI CFX krb5 mechanism */
KRB5_KU_USAGE_INITIATOR_SIGN = 25,
/* initiator seal in GSSAPI CFX krb5 mechanism */
@@ -219,6 +270,10 @@ typedef enum krb5_key_usage {
/* Keyusage for the server referral in a TGS req */
KRB5_KU_SAM_ENC_NONCE_SAD = 27,
/* Encryption of the SAM-NONCE-OR-SAD field */
+ KRB5_KU_PA_PKINIT_KX = 44,
+ /* Encryption type of the kdc session contribution in pk-init */
+ KRB5_KU_AS_REQ = 56,
+ /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */
KRB5_KU_DIGEST_ENCRYPT = -18,
/* Encryption key usage used in the digest encryption field */
KRB5_KU_DIGEST_OPAQUE = -19,
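Review bot: The two comments added after `KRB5_KU_PA_PKINIT_KX = 44` and `KRB5_KU_AS_REQ = 56` are hard to read as key-usage descriptions: the first says "Encryption type" where the enumerator is a key usage, and the second reads "Checksum of over the AS-REQ send by the KDC". Key-usage numbers separate one cryptographic context from another, so an unclear description invites use of the wrong number. Suggested wording, to be confirmed against the PK-INIT and PA-REQ-ENC-PA-REP code: `/* Key usage for the KDC session key contribution in PK-INIT */` and `/* Checksum over the AS-REQ, sent by the KDC in PA-REQ-ENC-PA-REP */`. The enum begins and ends outside this hunk.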
@@ -253,7 +308,7 @@ typedef struct krb5_preauthdata {
krb5_preauthdata_entry *val;
}krb5_preauthdata;
-typedef enum krb5_address_type {
+typedef enum krb5_address_type {
KRB5_ADDRESS_INET = 2,
KRB5_ADDRESS_NETBIOS = 20,
KRB5_ADDRESS_INET6 = 24,
@@ -271,15 +326,17 @@ typedef HostAddress krb5_address;
typedef HostAddresses krb5_addresses;
-typedef enum krb5_keytype {
- KEYTYPE_NULL = 0,
- KEYTYPE_DES = 1,
- KEYTYPE_DES3 = 7,
- KEYTYPE_AES128 = 17,
- KEYTYPE_AES256 = 18,
- KEYTYPE_ARCFOUR = 23,
- KEYTYPE_ARCFOUR_56 = 24
-} krb5_keytype;
+typedef krb5_enctype krb5_keytype;
+
+enum krb5_keytype_old {
+ KEYTYPE_NULL = ETYPE_NULL,
+ KEYTYPE_DES = ETYPE_DES_CBC_CRC,
+ KEYTYPE_DES3 = ETYPE_OLD_DES3_CBC_SHA1,
+ KEYTYPE_AES128 = ETYPE_AES128_CTS_HMAC_SHA1_96,
+ KEYTYPE_AES256 = ETYPE_AES256_CTS_HMAC_SHA1_96,
+ KEYTYPE_ARCFOUR = ETYPE_ARCFOUR_HMAC_MD5,
+ KEYTYPE_ARCFOUR_56 = ETYPE_ARCFOUR_HMAC_MD5_56
+};
typedef EncryptionKey krb5_keyblock;
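Review bot: `KEYTYPE_*` used to carry literal values (0, 1, 7, 17, 18, 23, 24) and now takes them from `ETYPE_*`, so the old numbers survive only while each alias target keeps that value, and nothing on the new side states or checks this. `KEYTYPE_DES3 = ETYPE_OLD_DES3_CBC_SHA1` is the mapping most worth a second look, since `ETYPE_DES3_CBC_SHA1` and `ETYPE_DES3_CBC_MD5` also exist in the alias enum. A comment above `enum krb5_keytype_old` such as `/* legacy names; each must keep its pre-change numeric value (KEYTYPE_DES3 == 7) */` would record the intent. The tag `enum krb5_keytype` also no longer exists, which breaks any caller that spelled the type with the `enum` keyword.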
@@ -287,7 +344,15 @@ typedef AP_REQ krb5_ap_req;
struct krb5_cc_ops;
+#ifdef _WIN32
+#define KRB5_USE_PATH_TOKENS 1
+#endif
+
+#ifdef KRB5_USE_PATH_TOKENS
+#define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_"
+#else
#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+#endif
#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
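Review bot: `KRB5_DEFAULT_CCFILE_ROOT` now has two shapes, a literal path (`/tmp/krb5cc_`) and a template (`%{TEMP}/krb5cc_`) that is a usable path only after token expansion, and the header does not say so. Code that uses `KRB5_DEFAULT_CCROOT` as a file name without expanding it would, on a `KRB5_USE_PATH_TOKENS` build, place the credential cache under a directory literally named `%{TEMP}`; whether such callers exist is not visible in this hunk. A comment like `/* with KRB5_USE_PATH_TOKENS this is a template; expand tokens before using it as a path */` would make the contract explicit. Guarding `#define KRB5_USE_PATH_TOKENS 1` with `#ifndef KRB5_USE_PATH_TOKENS` would also avoid a redefinition warning when the build system already sets it.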
@@ -297,6 +362,7 @@ struct krb5_cc_ops;
NULL)
typedef void *krb5_cc_cursor;
+typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor;
typedef struct krb5_ccache_data {
const struct krb5_cc_ops *ops;
@@ -316,6 +382,7 @@ typedef const char *krb5_const_realm; /* stupid language */
typedef Principal krb5_principal_data;
typedef struct Principal *krb5_principal;
typedef const struct Principal *krb5_const_principal;
+typedef struct Principals *krb5_principals;
typedef time_t krb5_deltat;
typedef time_t krb5_timestamp;
@@ -363,6 +430,7 @@ typedef union {
#define KRB5_GC_FORWARDABLE (1U << 4)
#define KRB5_GC_NO_TRANSIT_CHECK (1U << 5)
#define KRB5_GC_CONSTRAINED_DELEGATION (1U << 6)
+#define KRB5_GC_CANONICALIZE (1U << 7)
/* constants for compare_creds (and cc_retrieve_cred) */
#define KRB5_TC_DONT_MATCH_REALM (1U << 31)
@@ -377,6 +445,10 @@ typedef union {
#define KRB5_TC_MATCH_2ND_TKT (1 << 23)
#define KRB5_TC_MATCH_IS_SKEY (1 << 22)
+/* constants for get_flags and set_flags */
+#define KRB5_TC_OPENCLOSE 0x00000001
+#define KRB5_TC_NOTICKET 0x00000002
+
typedef AuthorizationData krb5_authdata;
typedef KRB_ERROR krb5_error;
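Review bot: `KRB5_TC_OPENCLOSE` and `KRB5_TC_NOTICKET` share the `KRB5_TC_` prefix with the `KRB5_TC_MATCH_*` constants directly above, but they belong to a different flag word (get_flags/set_flags rather than compare_creds). Both sets are plain integers passed as `krb5_flags`, so the compiler cannot catch one being handed to the other interface. The comment could say so: `/* constants for get_flags and set_flags; not valid as compare_creds/cc_retrieve_cred match flags */`.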
@@ -395,31 +467,39 @@ typedef struct krb5_creds {
typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
+#define KRB5_CC_OPS_VERSION 3
+
typedef struct krb5_cc_ops {
+ int version;
const char *prefix;
- const char* (*get_name)(krb5_context, krb5_ccache);
- krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *);
- krb5_error_code (*gen_new)(krb5_context, krb5_ccache *);
- krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal);
- krb5_error_code (*destroy)(krb5_context, krb5_ccache);
- krb5_error_code (*close)(krb5_context, krb5_ccache);
- krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
- krb5_error_code (*retrieve)(krb5_context, krb5_ccache,
- krb5_flags, const krb5_creds*, krb5_creds *);
- krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
- krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
- krb5_error_code (*get_next)(krb5_context, krb5_ccache,
- krb5_cc_cursor*, krb5_creds*);
- krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
- krb5_error_code (*remove_cred)(krb5_context, krb5_ccache,
- krb5_flags, krb5_creds*);
- krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
- int (*get_version)(krb5_context, krb5_ccache);
- krb5_error_code (*get_cache_first)(krb5_context, krb5_cc_cursor *);
- krb5_error_code (*get_cache_next)(krb5_context, krb5_cc_cursor, krb5_ccache *);
- krb5_error_code (*end_cache_get)(krb5_context, krb5_cc_cursor);
- krb5_error_code (*move)(krb5_context, krb5_ccache, krb5_ccache);
- krb5_error_code (*default_name)(krb5_context, char **);
+ const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, krb5_ccache *, const char *);
+ krb5_error_code (KRB5_CALLCONV * gen_new)(krb5_context, krb5_ccache *);
+ krb5_error_code (KRB5_CALLCONV * init)(krb5_context, krb5_ccache, krb5_principal);
+ krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * store)(krb5_context, krb5_ccache, krb5_creds*);
+ krb5_error_code (KRB5_CALLCONV * retrieve)(krb5_context, krb5_ccache,
+ krb5_flags, const krb5_creds*, krb5_creds *);
+ krb5_error_code (KRB5_CALLCONV * get_princ)(krb5_context, krb5_ccache, krb5_principal*);
+ krb5_error_code (KRB5_CALLCONV * get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
+ krb5_error_code (KRB5_CALLCONV * get_next)(krb5_context, krb5_ccache,
+ krb5_cc_cursor*, krb5_creds*);
+ krb5_error_code (KRB5_CALLCONV * end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
+ krb5_error_code (KRB5_CALLCONV * remove_cred)(krb5_context, krb5_ccache,
+ krb5_flags, krb5_creds*);
+ krb5_error_code (KRB5_CALLCONV * set_flags)(krb5_context, krb5_ccache, krb5_flags);
+ int (KRB5_CALLCONV * get_version)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * get_cache_first)(krb5_context, krb5_cc_cursor *);
+ krb5_error_code (KRB5_CALLCONV * get_cache_next)(krb5_context, krb5_cc_cursor,
+ krb5_ccache *);
+ krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor);
+ krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **);
+ krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+ krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat);
+ krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *);
} krb5_cc_ops;
struct krb5_log_facility;
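Review bot: `int version` is inserted as the first member of `krb5_cc_ops`, which shifts every function pointer, and `default_name` is renamed `get_default_name`; a table built against the old layout has `prefix` where `version` is now read. The registration path, which is outside this hunk, should refuse any table whose `version` differs from `KRB5_CC_OPS_VERSION` before calling through it, and the struct deserves a comment saying so, e.g. `/* version must be KRB5_CC_OPS_VERSION; tables with any other value are refused */`. The `krb5_keytab_data` hunk further down has the same exposure: `destroy` is inserted between `close` and `get`, so a positional initializer written for the old struct shifts every later pointer by one slot, and no version constant is introduced for that struct.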
@@ -471,6 +551,8 @@ typedef struct krb5_keytab_entry {
krb5_kvno vno;
krb5_keyblock keyblock;
uint32_t timestamp;
+ uint32_t flags;
+ krb5_principals aliases;
} krb5_keytab_entry;
typedef struct krb5_kt_cursor {
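Review bot: `krb5_keytab_entry` gains `flags` and the pointer `aliases`, and a caller that fills an entry field by field on the stack will leave both indeterminate. If the entry-free routine releases `aliases` (it is not shown here), that becomes a free of an uninitialized pointer. A comment on the new members, `/* zero the whole entry before filling it; aliases is owned by the entry */`, would state the requirement; the ownership half needs confirming against the free routine. The struct begins outside this hunk.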
@@ -487,17 +569,18 @@ typedef struct krb5_keytab_data *krb5_keytab;
struct krb5_keytab_data {
const char *prefix;
- krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab);
- krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t);
- krb5_error_code (*close)(krb5_context, krb5_keytab);
- krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal,
- krb5_kvno, krb5_enctype, krb5_keytab_entry*);
- krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
- krb5_error_code (*next_entry)(krb5_context, krb5_keytab,
- krb5_keytab_entry*, krb5_kt_cursor*);
- krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
- krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
- krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+ krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, const char*, krb5_keytab);
+ krb5_error_code (KRB5_CALLCONV * get_name)(krb5_context, krb5_keytab, char*, size_t);
+ krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_keytab);
+ krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_keytab);
+ krb5_error_code (KRB5_CALLCONV * get)(krb5_context, krb5_keytab, krb5_const_principal,
+ krb5_kvno, krb5_enctype, krb5_keytab_entry*);
+ krb5_error_code (KRB5_CALLCONV * start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+ krb5_error_code (KRB5_CALLCONV * next_entry)(krb5_context, krb5_keytab,
+ krb5_keytab_entry*, krb5_kt_cursor*);
+ krb5_error_code (KRB5_CALLCONV * end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+ krb5_error_code (KRB5_CALLCONV * add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+ krb5_error_code (KRB5_CALLCONV * remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
void *data;
int32_t version;
};
@@ -551,14 +634,14 @@ typedef struct krb5_auth_context_data {
uint32_t remote_seqnumber;
krb5_authenticator authenticator;
-
+
krb5_pointer i_vector;
-
+
krb5_rcache rcache;
- krb5_keytype keytype; /* ¿requested key type ? */
- krb5_cksumtype cksumtype; /* ¡requested checksum type! */
-
+ krb5_keytype keytype; /* ¿requested key type ? */
+ krb5_cksumtype cksumtype; /* ¡requested checksum type! */
+
}krb5_auth_context_data, *krb5_auth_context;
typedef struct {
@@ -569,8 +652,8 @@ typedef struct {
extern const char *heimdal_version, *heimdal_long_version;
-typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
-typedef void (*krb5_log_close_func_t)(void*);
+typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*);
typedef struct krb5_log_facility {
char *program;
@@ -586,14 +669,10 @@ typedef EncAPRepPart krb5_ap_rep_enc_part;
#define KRB5_TGS_NAME_SIZE (6)
#define KRB5_TGS_NAME ("krbtgt")
-
+#define KRB5_WELLKNOWN_NAME ("WELLKNOWN")
+#define KRB5_ANON_NAME ("ANONYMOUS")
#define KRB5_DIGEST_NAME ("digest")
-/* variables */
-
-extern const char *krb5_config_file;
-extern const char *krb5_defkeyname;
-
typedef enum {
KRB5_PROMPT_TYPE_PASSWORD = 0x1,
KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2,
@@ -609,32 +688,32 @@ typedef struct _krb5_prompt {
krb5_prompt_type type;
} krb5_prompt;
-typedef int (*krb5_prompter_fct)(krb5_context /*context*/,
- void * /*data*/,
- const char * /*name*/,
- const char * /*banner*/,
- int /*num_prompts*/,
- krb5_prompt /*prompts*/[]);
-typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_salt /*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock ** /*key*/);
-typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/,
- krb5_keyblock * /*key*/,
- krb5_key_usage /*usage*/,
- krb5_const_pointer /*decrypt_arg*/,
- krb5_kdc_rep * /*dec_rep*/);
-typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_const_pointer /*keyseed*/,
- krb5_salt /*salt*/,
- krb5_data * /*s2kparms*/,
- krb5_keyblock ** /*key*/);
+typedef int (KRB5_CALLCONV * krb5_prompter_fct)(krb5_context /*context*/,
+ void * /*data*/,
+ const char * /*name*/,
+ const char * /*banner*/,
+ int /*num_prompts*/,
+ krb5_prompt /*prompts*/[]);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_key_proc)(krb5_context /*context*/,
+ krb5_enctype /*type*/,
+ krb5_salt /*salt*/,
+ krb5_const_pointer /*keyseed*/,
+ krb5_keyblock ** /*key*/);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_decrypt_proc)(krb5_context /*context*/,
+ krb5_keyblock * /*key*/,
+ krb5_key_usage /*usage*/,
+ krb5_const_pointer /*decrypt_arg*/,
+ krb5_kdc_rep * /*dec_rep*/);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_s2k_proc)(krb5_context /*context*/,
+ krb5_enctype /*type*/,
+ krb5_const_pointer /*keyseed*/,
+ krb5_salt /*salt*/,
+ krb5_data * /*s2kparms*/,
+ krb5_keyblock ** /*key*/);
struct _krb5_get_init_creds_opt_private;
-typedef struct _krb5_get_init_creds_opt {
+struct _krb5_get_init_creds_opt {
krb5_flags flags;
krb5_deltat tkt_life;
krb5_deltat renew_life;
@@ -650,7 +729,9 @@ typedef struct _krb5_get_init_creds_opt {
int preauth_list_length;
krb5_data *salt;
struct _krb5_get_init_creds_opt_private *opt_private;
-} krb5_get_init_creds_opt;
+};
+
+typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt;
#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001
#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002
@@ -659,10 +740,13 @@ typedef struct _krb5_get_init_creds_opt {
#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010
#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
-#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
+#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 /* no supported */
#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100
#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200
+/* krb5_init_creds_step flags argument */
+#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x0001
+
typedef struct _krb5_verify_init_creds_opt {
krb5_flags flags;
int ap_req_nofail;
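Review bot: The comment added to `KRB5_GET_INIT_CREDS_OPT_SALT`, `/* no supported */`, has a typo and does not say what happens when a caller sets the bit. The `salt` member is still present in `struct _krb5_get_init_creds_opt`, so a caller could reasonably expect it to take effect. Something like `/* not supported: the salt member is ignored */` would be clearer, provided that matches the implementation, which this hunk does not show.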
@@ -681,20 +765,6 @@ typedef struct krb5_verify_opt {
#define KRB5_VERIFY_LREALMS 1
#define KRB5_VERIFY_NO_ADDRESSES 2
-extern const krb5_cc_ops krb5_acc_ops;
-extern const krb5_cc_ops krb5_fcc_ops;
-extern const krb5_cc_ops krb5_mcc_ops;
-extern const krb5_cc_ops krb5_kcm_ops;
-
-extern const krb5_kt_ops krb5_fkt_ops;
-extern const krb5_kt_ops krb5_wrfkt_ops;
-extern const krb5_kt_ops krb5_javakt_ops;
-extern const krb5_kt_ops krb5_mkt_ops;
-extern const krb5_kt_ops krb5_akf_ops;
-extern const krb5_kt_ops krb4_fkt_ops;
-extern const krb5_kt_ops krb5_srvtab_fkt_ops;
-extern const krb5_kt_ops krb5_any_ops;
-
#define KRB5_KPASSWD_VERS_CHANGEPW 1
#define KRB5_KPASSWD_VERS_SETPW 0xff80
@@ -736,24 +806,22 @@ enum {
KRB5_KRBHST_FLAGS_LARGE_MSG = 2
};
-typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context,
- void *,
- krb5_krbhst_info *,
- const krb5_data *,
- krb5_data *);
+typedef krb5_error_code
+(KRB5_CALLCONV * krb5_send_to_kdc_func)(krb5_context, void *, krb5_krbhst_info *, time_t,
+ const krb5_data *, krb5_data *);
-/* flags for krb5_parse_name_flags */
+/** flags for krb5_parse_name_flags */
enum {
- KRB5_PRINCIPAL_PARSE_NO_REALM = 1,
- KRB5_PRINCIPAL_PARSE_MUST_REALM = 2,
- KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4
+ KRB5_PRINCIPAL_PARSE_NO_REALM = 1, /**< Require that there are no realm */
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM = 2, /**< Require a realm present */
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4 /**< Parse as a NT-ENTERPRISE name */
};
-/* flags for krb5_unparse_name_flags */
+/** flags for krb5_unparse_name_flags */
enum {
- KRB5_PRINCIPAL_UNPARSE_SHORT = 1,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2,
- KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4
+ KRB5_PRINCIPAL_UNPARSE_SHORT = 1, /**< No realm if it is the default realm */
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2, /**< No realm */
+ KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4 /**< No quoting */
};
typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx;
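Review bot: `krb5_send_to_kdc_func` gains an unnamed `time_t` between the `krb5_krbhst_info *` and the request data, with no comment on its meaning or unit. A callback written for the old five-argument type and installed through a cast would read its data pointers from the wrong argument positions, so the change should be documented at the typedef; naming the parameter in a comment, e.g. `time_t /* timeout? confirm meaning and unit */`, would help. In the same hunk `KRB5_PRINCIPAL_PARSE_MUST_REALM` is renamed with no alias left behind; adding `KRB5_PRINCIPAL_PARSE_MUST_REALM = KRB5_PRINCIPAL_PARSE_REQUIRE_REALM` would keep existing callers compiling. The new doc text `Require that there are no realm` should read `Require that there is no realm`.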
@@ -762,7 +830,9 @@ typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx;
#define KRB5_SENDTO_RESTART 1
#define KRB5_SENDTO_CONTINUE 2
-typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
+typedef krb5_error_code
+(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
+ const krb5_data *, int *);
struct krb5_plugin;
enum krb5_plugin_type {
@@ -774,7 +844,73 @@ struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
+/**
+ * Semi private, not stable yet
+ */
+
+typedef struct krb5_crypto_iov {
+ unsigned int flags;
+ /* ignored */
+#define KRB5_CRYPTO_TYPE_EMPTY 0
+ /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_HEADER) */
+#define KRB5_CRYPTO_TYPE_HEADER 1
+ /* IN and OUT */
+#define KRB5_CRYPTO_TYPE_DATA 2
+ /* IN */
+#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3
+ /* (only for encryption) OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */
+#define KRB5_CRYPTO_TYPE_PADDING 4
+ /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */
+#define KRB5_CRYPTO_TYPE_TRAILER 5
+ /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_CHECKSUM) */
+#define KRB5_CRYPTO_TYPE_CHECKSUM 6
+ krb5_data data;
+} krb5_crypto_iov;
+
+
+/* Glue for MIT */
+
+typedef struct {
+ int32_t lr_type;
+ krb5_timestamp value;
+} krb5_last_req_entry;
+
+typedef krb5_error_code
+(KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
+
+/*
+ *
+ */
+
+struct hx509_certs_data;
+
#include <krb5-protos.h>
+/* variables */
+
+extern KRB5_LIB_VARIABLE const char *krb5_config_file;
+extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
+
+
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_javakt_ops;
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
+extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;
+
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
+
#endif /* __KRB5_H__ */
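Review bot: In `krb5_crypto_iov`, the comment above `KRB5_CRYPTO_TYPE_PADDING` names `krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER)`, the same call given for `KRB5_CRYPTO_TYPE_TRAILER` two lines later, which looks like a copy-paste slip. Callers size their buffers from these comments, so if padding has its own length query the line should read `/* (only for encryption) OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_PADDING) */`. The relocated `extern` block also omits `krb4_fkt_ops` and `krb5_srvtab_fkt_ops`, which the earlier hunk removed; if dropping them is intended, a one-line comment next to the keytab ops list would save readers from hunting for them.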
diff --git a/crypto/heimdal/lib/krb5/krb5.moduli b/crypto/heimdal/lib/krb5/krb5.moduli
index f67d2b29be86..a27bae5dfa25 100644
--- a/crypto/heimdal/lib/krb5/krb5.moduli
+++ b/crypto/heimdal/lib/krb5/krb5.moduli
@@ -1,3 +1,3 @@
-# $Id: krb5.moduli 16154 2005-10-08 15:39:42Z lha $
+# $Id$
# comment security-bits-decimal secure-prime(p)-hex generator(g)-hex (q)-hex
rfc3526-MODP-group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
diff --git a/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3 b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3
index 1f4b9bf8a9ec..511eabd915e3 100644
--- a/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3
+++ b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb524_convert_creds_kdc.3 15239 2005-05-25 13:19:16Z lha $
+.\" $Id$
.\"
.Dd March 20, 2004
.Dt KRB524_CONVERT_CREDS_KDC 3
@@ -66,7 +66,7 @@ to Kerberos 4 credential that is stored in
.Fa credentials .
.Pp
.Fn krb524_convert_creds_kdc_ccache
-is diffrent from
+is different from
.Fn krb524_convert_creds_kdc
in that way that if
.Fa in_cred
diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
index 16c118f8ace7..49028f42660c 100644
--- a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_425_conv_principal.3 12734 2003-09-03 00:13:07Z lha $
+.\" $Id$
.\"
.Dd September 3, 2003
.Dt KRB5_425_CONV_PRINCIPAL 3
diff --git a/crypto/heimdal/lib/krb5/krb5_acl_match_file.3 b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3
index 342645edd2d2..a1eb1e4e7a25 100644
--- a/crypto/heimdal/lib/krb5/krb5_acl_match_file.3
+++ b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_acl_match_file.3 17534 2006-05-11 22:43:44Z lha $
+.\" $Id$
.\"
.Dd May 12, 2006
.Dt KRB5_ACL_MATCH_FILE 3
diff --git a/crypto/heimdal/lib/krb5/krb5_address.3 b/crypto/heimdal/lib/krb5/krb5_address.3
deleted file mode 100644
index 06f7fa5cd02c..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_address.3
+++ /dev/null
@@ -1,359 +0,0 @@
-.\" Copyright (c) 2003, 2005 - 2006 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_address.3 17461 2006-05-05 13:13:18Z lha $
-.\"
-.Dd May 1, 2006
-.Dt KRB5_ADDRESS 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_address ,
-.Nm krb5_addresses ,
-.Nm krb5_sockaddr2address ,
-.Nm krb5_sockaddr2port ,
-.Nm krb5_addr2sockaddr ,
-.Nm krb5_max_sockaddr_size ,
-.Nm krb5_sockaddr_uninteresting ,
-.Nm krb5_h_addr2sockaddr ,
-.Nm krb5_h_addr2addr ,
-.Nm krb5_anyaddr ,
-.Nm krb5_print_address ,
-.Nm krb5_parse_address ,
-.Nm krb5_address_order ,
-.Nm krb5_address_compare ,
-.Nm krb5_address_search ,
-.Nm krb5_free_address ,
-.Nm krb5_free_addresses ,
-.Nm krb5_copy_address ,
-.Nm krb5_copy_addresses ,
-.Nm krb5_append_addresses ,
-.Nm krb5_make_addrport
-.Nd mange addresses in Kerberos
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Ft krb5_error_code
-.Fo krb5_sockaddr2address
-.Fa "krb5_context context"
-.Fa "const struct sockaddr *sa"
-.Fa "krb5_address *addr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_sockaddr2port
-.Fa "krb5_context context"
-.Fa "const struct sockaddr *sa"
-.Fa "int16_t *port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_addr2sockaddr
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft size_t
-.Fo krb5_max_sockaddr_size
-.Fa "void"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_sockaddr_uninteresting
-.Fa "const struct sockaddr *sa"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_h_addr2sockaddr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "const char *addr"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_h_addr2addr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "const char *haddr"
-.Fa "krb5_address *addr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_anyaddr
-.Fa "krb5_context context"
-.Fa "int af"
-.Fa "struct sockaddr *sa"
-.Fa "krb5_socklen_t *sa_size"
-.Fa "int port"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_print_address
-.Fa "const krb5_address *addr"
-.Fa "char *str"
-.Fa "size_t len"
-.Fa "size_t *ret_len"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_parse_address
-.Fa "krb5_context context"
-.Fa "const char *string"
-.Fa "krb5_addresses *addresses"
-.Fc
-.Ft int
-.Fo "krb5_address_order"
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr1"
-.Fa "const krb5_address *addr2"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_address_compare
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr1"
-.Fa "const krb5_address *addr2"
-.Fc
-.Ft "krb5_boolean"
-.Fo krb5_address_search
-.Fa "krb5_context context"
-.Fa "const krb5_address *addr"
-.Fa "const krb5_addresses *addrlist"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_free_address
-.Fa "krb5_context context"
-.Fa "krb5_address *address"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_free_addresses
-.Fa "krb5_context context"
-.Fa "krb5_addresses *addresses"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_address
-.Fa "krb5_context context"
-.Fa "const krb5_address *inaddr"
-.Fa "krb5_address *outaddr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_addresses
-.Fa "krb5_context context"
-.Fa "const krb5_addresses *inaddr"
-.Fa "krb5_addresses *outaddr"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_append_addresses
-.Fa "krb5_context context"
-.Fa "krb5_addresses *dest"
-.Fa "const krb5_addresses *source"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_make_addrport
-.Fa "krb5_context context"
-.Fa "krb5_address **res"
-.Fa "const krb5_address *addr"
-.Fa "int16_t port"
-.Fc
-.Sh DESCRIPTION
-The
-.Li krb5_address
-structure holds a address that can be used in Kerberos API
-calls. There are help functions to set and extract address information
-of the address.
-.Pp
-The
-.Li krb5_addresses
-structure holds a set of krb5_address:es.
-.Pp
-.Fn krb5_sockaddr2address
-stores a address a
-.Li "struct sockaddr"
-.Fa sa
-in the krb5_address
-.Fa addr .
-.Pp
-.Fn krb5_sockaddr2port
-extracts a
-.Fa port
-(if possible) from a
-.Li "struct sockaddr"
-.Fa sa .
-.Pp
-.Fn krb5_addr2sockaddr
-sets the
-struct sockaddr
-.Fa sockaddr
-from
-.Fa addr
-and
-.Fa port .
-The argument
-.Fa sa_size
-should initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Pp
-.Fn krb5_max_sockaddr_size
-returns the max size of the
-.Li struct sockaddr
-that the Kerberos library will return.
-.Pp
-.Fn krb5_sockaddr_uninteresting
-returns
-.Dv TRUE
-for all
-.Fa sa
-that the kerberos library thinks are uninteresting.
-One example are link local addresses.
-.Pp
-.Fn krb5_h_addr2sockaddr
-initializes a
-.Li "struct sockaddr"
-.Fa sa
-from
-.Fa af
-and the
-.Li "struct hostent"
-(see
-.Xr gethostbyname 3 )
-.Fa h_addr_list
-component.
-The argument
-.Fa sa_size
-should initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Pp
-.Fn krb5_h_addr2addr
-works like
-.Fn krb5_h_addr2sockaddr
-with the exception that it operates on a
-.Li krb5_address
-instead of a
-.Li struct sockaddr .
-.Pp
-.Fn krb5_anyaddr
-fills in a
-.Li "struct sockaddr"
-.Fa sa
-that can be used to
-.Xr bind 2
-to.
-The argument
-.Fa sa_size
-should initially contain the size of the
-.Fa sa ,
-and after the call, it will contain the actual length of the address.
-.Pp
-.Fn krb5_print_address
-prints the address in
-.Fa addr
-to the string
-.Fa string
-that have the length
-.Fa len .
-If
-.Fa ret_len
-is not
-.Dv NULL ,
-it will be filled with the length of the string if size were unlimited (not
-including the final
-.Ql \e0 ) .
-.Pp
-.Fn krb5_parse_address
-Returns the resolved hostname in
-.Fa string
-to the
-.Li krb5_addresses
-.Fa addresses .
-.Pp
-.Fn krb5_address_order
-compares the addresses
-.Fa addr1
-and
-.Fa addr2
-so that it can be used for sorting addresses. If the addresses are the
-same address
-.Fa krb5_address_order
-will return 0.
-.Pp
-.Fn krb5_address_compare
-compares the addresses
-.Fa addr1
-and
-.Fa addr2 .
-Returns
-.Dv TRUE
-if the two addresses are the same.
-.Pp
-.Fn krb5_address_search
-checks if the address
-.Fa addr
-is a member of the address set list
-.Fa addrlist .
-.Pp
-.Fn krb5_free_address
-frees the data stored in the
-.Fa address
-that is alloced with any of the krb5_address functions.
-.Pp
-.Fn krb5_free_addresses
-frees the data stored in the
-.Fa addresses
-that is alloced with any of the krb5_address functions.
-.Pp
-.Fn krb5_copy_address
-copies the content of address
-.Fa inaddr
-to
-.Fa outaddr .
-.Pp
-.Fn krb5_copy_addresses
-copies the content of the address list
-.Fa inaddr
-to
-.Fa outaddr .
-.Pp
-.Fn krb5_append_addresses
-adds the set of addresses in
-.Fa source
-to
-.Fa dest .
-While copying the addresses, duplicates are also sorted out.
-.Pp
-.Fn krb5_make_addrport
-allocates and creates an
-krb5_address in
-.Fa res
-of type KRB5_ADDRESS_ADDRPORT from
-.Fa ( addr , port ) .
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
index a0c3e4b41507..a50e935fd2ff 100644
--- a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
+++ b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_aname_to_localname.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd February 18, 2006
.Dt KRB5_ANAME_TO_LOCALNAME 3
diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3
index f5b532937db4..780c2ff7f5e1 100644
--- a/crypto/heimdal/lib/krb5/krb5_appdefault.3
+++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_appdefault.3 12329 2003-05-26 14:09:04Z lha $
+.\" $Id$
.\"
.Dd July 25, 2000
.Dt KRB5_APPDEFAULT 3
diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3
index 66d150ef8589..ec7f8b31cf85 100644
--- a/crypto/heimdal/lib/krb5/krb5_auth_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_auth_context.3 15240 2005-05-25 13:47:58Z lha $
+.\" $Id$
.\"
.Dd May 17, 2005
.Dt KRB5_AUTH_CONTEXT 3
diff --git a/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3 b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3
index a323ccee1d32..77be59adbe76 100644
--- a/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3
+++ b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_c_make_checksum.3 19066 2006-11-17 22:09:25Z lha $
+.\" $Id$
.\"
.Dd Nov 17, 2006
.Dt KRB5_C_MAKE_CHECKSUM 3
@@ -112,7 +112,7 @@ Kerberos 5 Library (libkrb5, -lkrb5)
.Fc
.Ft krb5_error_code
.Fo krb5_c_verify_checksum
-.Fa "krb5_context context
+.Fa "krb5_context context"
.Fa "const krb5_keyblock *key"
.Fa "krb5_keyusage usage"
.Fa "const krb5_data *data"
@@ -185,7 +185,7 @@ decrypts
.Fa input
and store the data in
.Fa output.
-If
+If
.Fa ivec
is
.Dv NULL
@@ -257,7 +257,7 @@ If some either of
.Fa data
or
.Fa checksum
-is not needed for the application,
+is not needed for the application,
.Dv NULL
can be passed in.
.Pp
@@ -279,14 +279,14 @@ is a keyed checksum type.
.Fn krb5_c_is_coll_proof_cksum
returns true if
.Fa ctype
-is a collition proof checksum type.
+is a collision proof checksum type.
.Pp
.Fn krb5_c_keylengths
-return the minimum length (
-.Fa inlength )
+return the minimum length
+.Fa ( inlength )
bytes needed to create a key and the
-length (
-.Fa keylength )
+length
+.Fa ( keylength )
of the resulting key
for the
.Fa enctype .
diff --git a/crypto/heimdal/lib/krb5/krb5_ccache.3 b/crypto/heimdal/lib/krb5/krb5_ccache.3
deleted file mode 100644
index 3fca5956e7dd..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_ccache.3
+++ /dev/null
@@ -1,517 +0,0 @@
-.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_ccache.3 22071 2007-11-14 20:04:50Z lha $
-.\"
-.Dd October 19, 2005
-.Dt KRB5_CCACHE 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_ccache ,
-.Nm krb5_cc_cursor ,
-.Nm krb5_cc_ops ,
-.Nm krb5_fcc_ops ,
-.Nm krb5_mcc_ops ,
-.Nm krb5_cc_clear_mcred ,
-.Nm krb5_cc_close ,
-.Nm krb5_cc_copy_cache ,
-.Nm krb5_cc_default ,
-.Nm krb5_cc_default_name ,
-.Nm krb5_cc_destroy ,
-.Nm krb5_cc_end_seq_get ,
-.Nm krb5_cc_gen_new ,
-.Nm krb5_cc_get_full_name ,
-.Nm krb5_cc_get_name ,
-.Nm krb5_cc_get_ops ,
-.Nm krb5_cc_get_prefix_ops ,
-.Nm krb5_cc_get_principal ,
-.Nm krb5_cc_get_type ,
-.Nm krb5_cc_get_version ,
-.Nm krb5_cc_initialize ,
-.Nm krb5_cc_next_cred ,
-.Nm krb5_cc_next_cred_match ,
-.Nm krb5_cc_new_unique ,
-.Nm krb5_cc_register ,
-.Nm krb5_cc_remove_cred ,
-.Nm krb5_cc_resolve ,
-.Nm krb5_cc_retrieve_cred ,
-.Nm krb5_cc_set_default_name ,
-.Nm krb5_cc_set_flags ,
-.Nm krb5_cc_start_seq_get ,
-.Nm krb5_cc_store_cred
-.Nd mange credential cache
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li "struct krb5_ccache;"
-.Pp
-.Li "struct krb5_cc_cursor;"
-.Pp
-.Li "struct krb5_cc_ops;"
-.Pp
-.Li "struct krb5_cc_ops *krb5_fcc_ops;"
-.Pp
-.Li "struct krb5_cc_ops *krb5_mcc_ops;"
-.Pp
-.Ft void
-.Fo krb5_cc_clear_mcred
-.Fa "krb5_creds *mcred"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_close
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_copy_cache
-.Fa "krb5_context context"
-.Fa "const krb5_ccache from"
-.Fa "krb5_ccache to"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_default
-.Fa "krb5_context context"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_default_name
-.Fa "krb5_context context"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_destroy
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_end_seq_get
-.Fa "krb5_context context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_gen_new
-.Fa "krb5_context context"
-.Fa "const krb5_cc_ops *ops"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_get_full_name
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "char **str"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_get_name
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_get_principal
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "krb5_principal *principal"
-.Fc
-.Ft "const char *"
-.Fo krb5_cc_get_type
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft "const krb5_cc_ops *"
-.Fo krb5_cc_get_ops
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fc
-.Ft "const krb5_cc_ops *"
-.Fo krb5_cc_get_prefix_ops
-.Fa "krb5_context context"
-.Fa "const char *prefix"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_get_version
-.Fa "krb5_context context"
-.Fa "const krb5_ccache id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_initialize
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "krb5_principal primary_principal"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_register
-.Fa "krb5_context context"
-.Fa "const krb5_cc_ops *ops"
-.Fa "krb5_boolean override"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_resolve
-.Fa "krb5_context context"
-.Fa "const char *name"
-.Fa "krb5_ccache *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_retrieve_cred
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "krb5_flags whichfields"
-.Fa "const krb5_creds *mcreds"
-.Fa "krb5_creds *creds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_remove_cred
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "krb5_flags which"
-.Fa "krb5_creds *cred"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_set_default_name
-.Fa "krb5_context context"
-.Fa "const char *name"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_start_seq_get
-.Fa "krb5_context context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_store_cred
-.Fa "krb5_context context"
-.Fa "krb5_ccache id"
-.Fa "krb5_creds *creds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_set_flags
-.Fa "krb5_context context"
-.Fa "krb5_cc_set_flags id"
-.Fa "krb5_flags flags"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_next_cred
-.Fa "krb5_context context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fa "krb5_creds *creds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_next_cred_match
-.Fa "krb5_context context"
-.Fa "const krb5_ccache id"
-.Fa "krb5_cc_cursor *cursor"
-.Fa "krb5_creds *creds"
-.Fa "krb5_flags whichfields"
-.Fa "const krb5_creds *mcreds"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_cc_new_unique
-.Fa "krb5_context context"
-.Fa "const char *type"
-.Fa "const char *hint"
-.Fa "krb5_ccache *id"
-.Fc
-.Sh DESCRIPTION
-The
-.Li krb5_ccache
-structure holds a Kerberos credential cache.
-.Pp
-The
-.Li krb5_cc_cursor
-structure holds current position in a credential cache when
-iterating over the cache.
-.Pp
-The
-.Li krb5_cc_ops
-structure holds a set of operations that can me preformed on a
-credential cache.
-.Pp
-There is no component inside
-.Li krb5_ccache ,
-.Li krb5_cc_cursor
-nor
-.Li krb5_fcc_ops
-that is directly referable.
-.Pp
-The
-.Li krb5_creds
-holds a Kerberos credential, see manpage for
-.Xr krb5_creds 3 .
-.Pp
-.Fn krb5_cc_default_name
-and
-.Fn krb5_cc_set_default_name
-gets and sets the default name for the
-.Fa context .
-.Pp
-.Fn krb5_cc_default
-opens the default credential cache in
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_gen_new
-generates a new credential cache of type
-.Fa ops
-in
-.Fa id .
-Return 0 or an error code.
-The Heimdal version of this function also runs
-.Fn krb5_cc_initialize
-on the credential cache, but since the MIT version doesn't, portable
-code must call krb5_cc_initialize.
-.Pp
-.Fn krb5_cc_new_unique
-generates a new unique credential cache of
-.Fa type
-in
-.Fa id .
-If type is
-.Dv NULL ,
-the library chooses the default credential cache type.
-The supplied
-.Fa hint
-(that can be
-.Dv NULL )
-is a string that the credential cache type can use to base the name of
-the credential on, this is to make it easier for the user to
-differentiate the credentials.
-The returned credential cache
-.Fa id
-should be freed using
-.Fn krb5_cc_close
-or
-.Fn krb5_cc_destroy .
-Returns 0 or an error code.
-.Pp
-.Fn krb5_cc_resolve
-finds and allocates a credential cache in
-.Fa id
-from the specification in
-.Fa residual .
-If the credential cache name doesn't contain any colon (:), interpret it as a
-file name.
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_initialize
-creates a new credential cache in
-.Fa id
-for
-.Fa primary_principal .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_close
-stops using the credential cache
-.Fa id
-and frees the related resources.
-Return 0 or an error code.
-.Fn krb5_cc_destroy
-removes the credential cache
-and closes (by calling
-.Fn krb5_cc_close )
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_copy_cache
-copys the contents of
-.Fa from
-to
-.Fa to .
-.Pp
-.Fn krb5_cc_get_full_name
-returns the complete resolvable name of the credential cache
-.Fa id
-in
-.Fa str .
-.Fa str
-should be freed with
-.Xr free 3 .
-Returns 0 or an error, on error
-.Fa *str
-is set to
-.Dv NULL .
-.Pp
-.Fn krb5_cc_get_name
-returns the name of the credential cache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_principal
-returns the principal of
-.Fa id
-in
-.Fa principal .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_get_type
-returns the type of the credential cache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_ops
-returns the ops of the credential cache
-.Fa id .
-.Pp
-.Fn krb5_cc_get_version
-returns the version of
-.Fa id .
-.Pp
-.Fn krb5_cc_register
-Adds a new credential cache type with operations
-.Fa ops ,
-overwriting any existing one if
-.Fa override .
-Return an error code or 0.
-.Pp
-.Fn krb5_cc_get_prefix_ops
-Get the cc ops that is registered in
-.Fa context
-to handle the
-.Fa prefix .
-Returns
-.Dv NULL
-if ops not found.
-.Pp
-.Fn krb5_cc_remove_cred
-removes the credential identified by
-.Fa ( cred ,
-.Fa which )
-from
-.Fa id .
-.Pp
-.Fn krb5_cc_store_cred
-stores
-.Fa creds
-in the credential cache
-.Fa id .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_set_flags
-sets the flags of
-.Fa id
-to
-.Fa flags .
-.Pp
-.Fn krb5_cc_clear_mcred
-clears the
-.Fa mcreds
-argument so it is reset and can be used with
-.Fa krb5_cc_retrieve_cred .
-.Pp
-.Fn krb5_cc_retrieve_cred ,
-retrieves the credential identified by
-.Fa mcreds
-(and
-.Fa whichfields )
-from
-.Fa id
-in
-.Fa creds .
-.Fa creds
-should be freed using
-.Fn krb5_free_cred_contents .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_start_seq_get
-initiates the
-.Li krb5_cc_cursor
-structure to be used for iteration over the credential cache.
-.Pp
-.Fn krb5_cc_next_cred
-retrieves the next cred pointed to by
-.Fa ( id ,
-.Fa cursor )
-in
-.Fa creds ,
-and advance
-.Fa cursor .
-Return 0 or an error code.
-.Pp
-.Fn krb5_cc_next_cred_match
-is similar to
-.Fn krb5_cc_next_cred
-except that it will only return creds matching
-.Fa whichfields
-and
-.Fa mcreds
-(as interpreted by
-.Xr krb5_compare_creds 3 . )
-.Pp
-.Fn krb5_cc_end_seq_get
-Destroys the cursor
-.Fa cursor .
-.Sh EXAMPLE
-This is a minimalistic version of
-.Nm klist .
-.Pp
-.Bd -literal
-#include <krb5.h>
-
-int
-main (int argc, char **argv)
-{
- krb5_context context;
- krb5_cc_cursor cursor;
- krb5_error_code ret;
- krb5_ccache id;
- krb5_creds creds;
-
- if (krb5_init_context (&context) != 0)
- errx(1, "krb5_context");
-
- ret = krb5_cc_default (context, &id);
- if (ret)
- krb5_err(context, 1, ret, "krb5_cc_default");
-
- ret = krb5_cc_start_seq_get(context, id, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
-
- while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
- char *principal;
-
- krb5_unparse_name_short(context, creds.server, &principal);
- printf("principal: %s\\n", principal);
- free(principal);
- krb5_free_cred_contents (context, &creds);
- }
- ret = krb5_cc_end_seq_get(context, id, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
-
- krb5_cc_close(context, id);
-
- krb5_free_context(context);
- return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_ccapi.h b/crypto/heimdal/lib/krb5/krb5_ccapi.h
index 59a38425c252..5a7fe6a41334 100644
--- a/crypto/heimdal/lib/krb5/krb5_ccapi.h
+++ b/crypto/heimdal/lib/krb5/krb5_ccapi.h
@@ -1,43 +1,47 @@
/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-/* $Id: krb5_ccapi.h 22090 2007-12-02 23:23:43Z lha $ */
+/* $Id$ */
#ifndef KRB5_CCAPI_H
#define KRB5_CCAPI_H 1
#include <krb5-types.h>
+ #ifdef __APPLE__
+#pragma pack(push,2)
+#endif
+
enum {
cc_credentials_v5 = 2
};
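Review bot: The added `#pragma pack(push,2)` carries no comment explaining why the CCAPI declarations need 2-byte packing on `__APPLE__` only, yet it changes the layout of every struct and function table declared between it and the matching `#pragma pack(pop)` in the last hunk of this file. These types are presumably shared with a separately built CCAPI implementation, so a packing mismatch would show up as corrupted credential fields at run time rather than as a compile error. I would add a comment above the push such as `/* CCAPI structs must match the platform CCAPI ABI (2-byte packing on Apple targets); keep push/pop paired */`. The `#include <krb5-types.h>` correctly stays outside the packed region and should remain there.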
@@ -49,7 +53,7 @@ enum {
enum {
ccNoError = 0,
-
+
ccIteratorEnd = 201,
ccErrBadParam,
ccErrNoMem,
@@ -61,25 +65,25 @@ enum {
ccErrInvalidCCacheIterator,
ccErrInvalidCredentialsIterator,
ccErrInvalidLock,
-
+
ccErrBadName, /* 211 */
ccErrBadCredentialsVersion,
ccErrBadAPIVersion,
ccErrContextLocked,
ccErrContextUnlocked,
-
+
ccErrCCacheLocked, /* 216 */
ccErrCCacheUnlocked,
ccErrBadLockType,
ccErrNeverDefault,
ccErrCredentialsNotFound,
-
+
ccErrCCacheNotFound, /* 221 */
ccErrContextNotFound,
ccErrServerUnavailable,
ccErrServerInsecure,
ccErrServerCantBecomeUID,
-
+
ccErrTimeOffsetNotSet /* 226 */
};
@@ -92,7 +96,7 @@ typedef struct cc_credentials_v5_t cc_credentials_v5_t;
typedef struct cc_credentials_t *cc_credentials_t;
typedef struct cc_credentials_iterator_t *cc_credentials_iterator_t;
typedef struct cc_string_t *cc_string_t;
-typedef time_t cc_time_t;
+typedef cc_uint32 cc_time_t;
typedef struct cc_data {
cc_uint32 type;
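Review bot: Changing `cc_time_t` from `time_t` to `cc_uint32` turns every store of a `time_t` into a CCAPI time field into a silent narrowing conversion, and the hunk adds neither a guard nor a comment for it. Where `time_t` is a signed 64-bit type, a negative or out-of-range value (an error sentinel, or a far-future `endtime` or `renew_till`) would wrap to an unrelated timestamp, so a cached ticket could appear valid for longer or shorter than it was issued. The conversion sites are outside this hunk, presumably in acache.c. I would document the typedef with `/* 32-bit unsigned seconds to match the CCAPI layout; range-check time_t before storing */` and clamp at those conversion points.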
@@ -224,7 +228,12 @@ struct cc_context_t {
const struct cc_context_functions* func;
};
-typedef cc_int32
+typedef cc_int32
(*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **);
+#ifdef __APPLE__
+#pragma pack(pop)
+#endif
+
+
#endif /* KRB5_CCAPI_H */
diff --git a/crypto/heimdal/lib/krb5/krb5_check_transited.3 b/crypto/heimdal/lib/krb5/krb5_check_transited.3
index 65ce0774225f..4d4dae3086c8 100644
--- a/crypto/heimdal/lib/krb5/krb5_check_transited.3
+++ b/crypto/heimdal/lib/krb5/krb5_check_transited.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_check_transited.3 17382 2006-05-01 07:09:16Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_CHECK_TRANSITED 3
@@ -86,7 +86,7 @@ where
and
.Fa num_realms
is the realms between them.
-If the function returns an error value,
+If the function returns an error value,
.Fa bad_realm
will be set to the realm in the list causing the error.
.Fn krb5_check_transited
diff --git a/crypto/heimdal/lib/krb5/krb5_compare_creds.3 b/crypto/heimdal/lib/krb5/krb5_compare_creds.3
deleted file mode 100644
index 9fd2bbbbb684..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_compare_creds.3
+++ /dev/null
@@ -1,104 +0,0 @@
-.\" Copyright (c) 2004-2005 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_compare_creds.3 15110 2005-05-10 09:21:06Z lha $
-.\"
-.Dd May 10, 2005
-.Dt KRB5_COMPARE_CREDS 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_compare_creds
-.Nd compare Kerberos 5 credentials
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_boolean
-.Fo krb5_compare_creds
-.Fa "krb5_context context"
-.Fa "krb5_flags whichfields"
-.Fa "const krb5_creds *mcreds"
-.Fa "const krb5_creds *creds"
-.Fc
-.Sh DESCRIPTION
-.Fn krb5_compare_creds
-compares
-.Fa mcreds
-(usually filled in by the application)
-to
-.Fa creds
-(most often from a credentials cache)
-and return
-.Dv TRUE
-if they are equal.
-Unless
-.Va mcreds-\*[Gt]server
-is
-.Dv NULL ,
-the service of the credentials are always compared. If the client
-name in
-.Fa mcreds
-is present, the client names are also compared. This function is
-normally only called indirectly via
-.Xr krb5_cc_retrieve_cred 3 .
-.Pp
-The following flags, set in
-.Fa whichfields ,
-affects the comparison:
-.Bl -tag -width KRB5_TC_MATCH_SRV_NAMEONLY -compact -offset indent
-.It KRB5_TC_MATCH_SRV_NAMEONLY
-Consider all realms equal when comparing the service principal.
-.It KRB5_TC_MATCH_KEYTYPE
-Compare enctypes.
-.It KRB5_TC_MATCH_FLAGS_EXACT
-Make sure that the ticket flags are identical.
-.It KRB5_TC_MATCH_FLAGS
-Make sure that all ticket flags set in
-.Fa mcreds
-are also present in
-.Fa creds .
-.It KRB5_TC_MATCH_TIMES_EXACT
-Compares the ticket times exactly.
-.It KRB5_TC_MATCH_TIMES
-Compares only the expiration times of the creds.
-.It KRB5_TC_MATCH_AUTHDATA
-Compares the authdata fields.
-.It KRB5_TC_MATCH_2ND_TKT
-Compares the second tickets (used by user-to-user authentication).
-.It KRB5_TC_MATCH_IS_SKEY
-Compares the existance of the second ticket.
-.El
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5_cc_retrieve_cred 3 ,
-.Xr krb5_creds 3 ,
-.Xr krb5_get_init_creds 3 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3
deleted file mode 100644
index 9c302ae2f3a3..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_config.3
+++ /dev/null
@@ -1,307 +0,0 @@
-.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\"
-.\" $Id: krb5_config.3 21905 2007-08-10 10:16:45Z lha $
-.\"
-.Dd August 10, 2007
-.Dt KRB5_CONFIG_GET 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_config_file_free ,
-.Nm krb5_config_free_strings ,
-.Nm krb5_config_get ,
-.Nm krb5_config_get_bool ,
-.Nm krb5_config_get_bool_default ,
-.Nm krb5_config_get_int ,
-.Nm krb5_config_get_int_default ,
-.Nm krb5_config_get_list ,
-.Nm krb5_config_get_next ,
-.Nm krb5_config_get_string ,
-.Nm krb5_config_get_string_default ,
-.Nm krb5_config_get_strings ,
-.Nm krb5_config_get_time ,
-.Nm krb5_config_get_time_default ,
-.Nm krb5_config_parse_file ,
-.Nm krb5_config_parse_file_multi ,
-.Nm krb5_config_vget ,
-.Nm krb5_config_vget_bool ,
-.Nm krb5_config_vget_bool_default ,
-.Nm krb5_config_vget_int ,
-.Nm krb5_config_vget_int_default ,
-.Nm krb5_config_vget_list ,
-.Nm krb5_config_vget_next ,
-.Nm krb5_config_vget_string ,
-.Nm krb5_config_vget_string_default ,
-.Nm krb5_config_vget_strings ,
-.Nm krb5_config_vget_time ,
-.Nm krb5_config_vget_time_default
-.Nd get configuration value
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fo krb5_config_file_free
-.Fa "krb5_context context"
-.Fa "krb5_config_section *s"
-.Fc
-.Ft void
-.Fo krb5_config_free_strings
-.Fa "char **strings"
-.Fc
-.Ft "const void *"
-.Fo krb5_config_get
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "int type"
-.Fa "..."
-.Fc
-.Ft krb5_boolean
-.Fo krb5_config_get_bool
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "..."
-.Fc
-.Ft krb5_boolean
-.Fo krb5_config_get_bool_default
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "krb5_boolean def_value"
-.Fa "..."
-.Fc
-.Ft int
-.Fo krb5_config_get_int
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "..."
-.Fc
-.Ft int
-.Fo krb5_config_get_int_default
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "int def_value"
-.Fa "..."
-.Fc
-.Ft const char*
-.Fo krb5_config_get_string
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "..."
-.Fc
-.Ft const char*
-.Fo krb5_config_get_string_default
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "const char *def_value"
-.Fa "..."
-.Fc
-.Ft "char**"
-.Fo krb5_config_get_strings
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "..."
-.Fc
-.Ft int
-.Fo krb5_config_get_time
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "..."
-.Fc
-.Ft int
-.Fo krb5_config_get_time_default
-.Fa "krb5_context context"
-.Fa "krb5_config_section *c"
-.Fa "int def_value"
-.Fa "..."
-.Fc
-.Ft krb5_error_code
-.Fo krb5_config_parse_file
-.Fa "krb5_context context"
-.Fa "const char *fname"
-.Fa "krb5_config_section **res"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_config_parse_file_multi
-.Fa "krb5_context context"
-.Fa "const char *fname"
-.Fa "krb5_config_section **res"
-.Fc
-.Ft "const void *"
-.Fo krb5_config_vget
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "int type"
-.Fa "va_list args"
-.Fc
-.Ft krb5_boolean
-.Fo krb5_config_vget_bool
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft krb5_boolean
-.Fo krb5_config_vget_bool_default
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "krb5_boolean def_value"
-.Fa "va_list args"
-.Fc
-.Ft int
-.Fo krb5_config_vget_int
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft int
-.Fo krb5_config_vget_int_default
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "int def_value"
-.Fa "va_list args"
-.Fc
-.Ft "const krb5_config_binding *"
-.Fo krb5_config_vget_list
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft "const void *"
-.Fo krb5_config_vget_next
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "const krb5_config_binding **pointer"
-.Fa "int type"
-.Fa "va_list args"
-.Fc
-.Ft "const char *"
-.Fo krb5_config_vget_string
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft "const char *"
-.Fo krb5_config_vget_string_default
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "const char *def_value"
-.Fa "va_list args"
-.Fc
-.Ft char **
-.Fo krb5_config_vget_strings
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft int
-.Fo krb5_config_vget_time
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "va_list args"
-.Fc
-.Ft int
-.Fo krb5_config_vget_time_default
-.Fa "krb5_context context"
-.Fa "const krb5_config_section *c"
-.Fa "int def_value"
-.Fa "va_list args"
-.Fc
-.Sh DESCRIPTION
-These functions get values from the
-.Xr krb5.conf 5
-configuration file, or another configuration database specified by the
-.Fa c
-parameter.
-.Pp
-The variable arguments should be a list of strings naming each
-subsection to look for. For example:
-.Bd -literal -offset indent
-krb5_config_get_bool_default(context, NULL, FALSE,
- "libdefaults", "log_utc", NULL);
-.Ed
-.Pp
-gets the boolean value for the
-.Dv log_utc
-option, defaulting to
-.Dv FALSE .
-.Pp
-.Fn krb5_config_get_bool_default
-will convert the option value to a boolean value, where
-.Sq yes ,
-.Sq true ,
-and any non-zero number means
-.Dv TRUE ,
-and any other value
-.Dv FALSE .
-.Pp
-.Fn krb5_config_get_int_default
-will convert the value to an integer.
-.Pp
-.Fn krb5_config_get_time_default
-will convert the value to a period of time (not a time stamp) in
-seconds, so the string
-.Sq 2 weeks
-will be converted to
-1209600 (2 * 7 * 24 * 60 * 60).
-.Pp
-.Fn krb5_config_get_string
-returns a
-.Ft "const char *"
-to a string in the configuration database. The string not be valid
-after reload of the configuration database
-.\" or a call to .Fn krb5_config_set_string ,
-so a caller should make a local copy if its need to keep the database.
-.Pp
-.Fn krb5_config_free_strings
-free
-.Fa strings
-as returned by
-.Fn krb5_config_get_strings
-and
-.Fn krb5_config_vget_strings .
-If the argument
-.Fa strings
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn krb5_config_file_free
-free the result of
-.Fn krb5_config_parse_file
-and
-.Fn krb5_config_parse_file_multi .
-.Sh SEE ALSO
-.Xr krb5_appdefault 3 ,
-.Xr krb5_init_context 3 ,
-.Xr krb5.conf 5
-.Sh BUGS
-For the default functions, other than for the string case, there's no
-way to tell whether there was a value specified or not.
diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3
deleted file mode 100644
index 5bfcc26c7103..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_context.3
+++ /dev/null
@@ -1,56 +0,0 @@
-.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_context.3 12329 2003-05-26 14:09:04Z lha $
-.\"
-.Dd January 21, 2001
-.Dt KRB5_CONTEXT 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_context
-.Nd krb5 state structure
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Sh DESCRIPTION
-The
-.Nm
-structure is designed to hold all per thread state. All global
-variables that are context specific are stored in this structure,
-including default encryption types, credentials-cache (ticket file), and
-default realms.
-.Pp
-The internals of the structure should never be accessed directly,
-functions exist for extracting information.
-.Sh SEE ALSO
-.Xr krb5_init_context 3 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
index 43d5b4e5d32c..06d806e1441e 100644
--- a/crypto/heimdal/lib/krb5/krb5_create_checksum.3
+++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1999-2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1999-2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_create_checksum.3 15921 2005-08-12 09:01:22Z lha $
+.\" $Id$
.\"
.Dd August 12, 2005
.Dt NAME 3
@@ -217,7 +217,7 @@ and keyblock
Note that keyusage is not always used in checksums.
.Pp
.Nm krb5_checksum_disable
-globally disables the checksum type.
+globally disables the checksum type.
.\" .Sh EXAMPLE
.\" .Sh BUGS
.Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_creds.3 b/crypto/heimdal/lib/krb5/krb5_creds.3
index 9eb9a2be9492..b22550e6c956 100644
--- a/crypto/heimdal/lib/krb5/krb5_creds.3
+++ b/crypto/heimdal/lib/krb5/krb5_creds.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_creds.3 17383 2006-05-01 07:13:03Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_CREDS 3
@@ -104,7 +104,7 @@ should be freed by the called with
.Fn krb5_free_creds_contents .
.Pp
.Fn krb5_free_creds
-frees the content of the
+frees the content of the
.Fa cred
structure and the structure itself.
.Pp
diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
deleted file mode 100644
index 822006e08f4c..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_crypto_init.3
+++ /dev/null
@@ -1,67 +0,0 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_crypto_init.3 13563 2004-03-20 12:00:01Z lha $
-.\"
-.Dd April 7, 1999
-.Dt NAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_crypto_destroy ,
-.Nm krb5_crypto_init
-.Nd encryption support in krb5
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto"
-.Ft krb5_error_code
-.Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
-.Sh DESCRIPTION
-Heimdal exports parts of the Kerberos crypto interface for applications.
-.Pp
-Each kerberos encrytion/checksum function takes a crypto context.
-.Pp
-To setup and destroy crypto contextes there are two functions
-.Fn krb5_crypto_init
-and
-.Fn krb5_crypto_destroy .
-The encryption type to use is taken from the key, but can be overridden
-with the
-.Fa enctype parameter .
-This can be useful for encryptions types which is compatiable (DES for
-example).
-.\" .Sh EXAMPLE
-.\" .Sh BUGS
-.Sh SEE ALSO
-.Xr krb5_create_checksum 3 ,
-.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_data.3 b/crypto/heimdal/lib/krb5/krb5_data.3
deleted file mode 100644
index 2ccff19251da..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_data.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" Copyright (c) 2003 - 2005, 2007 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_data.3 20040 2007-01-23 20:35:12Z lha $
-.\"
-.Dd Jan 23, 2007
-.Dt KRB5_DATA 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_data ,
-.Nm krb5_data_zero ,
-.Nm krb5_data_free ,
-.Nm krb5_free_data_contents ,
-.Nm krb5_free_data ,
-.Nm krb5_data_alloc ,
-.Nm krb5_data_realloc ,
-.Nm krb5_data_copy ,
-.Nm krb5_copy_data ,
-.Nm krb5_data_cmp
-.Nd operates on the Kerberos datatype krb5_data
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li "struct krb5_data;"
-.Ft void
-.Fn krb5_data_zero "krb5_data *p"
-.Ft void
-.Fn krb5_data_free "krb5_data *p"
-.Ft void
-.Fn krb5_free_data_contents "krb5_context context" "krb5_data *p"
-.Ft void
-.Fn krb5_free_data "krb5_context context" "krb5_data *p"
-.Ft krb5_error_code
-.Fn krb5_data_alloc "krb5_data *p" "int len"
-.Ft krb5_error_code
-.Fn krb5_data_realloc "krb5_data *p" "int len"
-.Ft krb5_error_code
-.Fn krb5_data_copy "krb5_data *p" "const void *data" "size_t len"
-.Ft krb5_error_code
-.Fn krb5_copy_data "krb5_context context" "const krb5_data *indata" "krb5_data **outdata"
-.Ft krb5_error_code
-.Fn krb5_data_cmp "const krb5_data *data1" "const krb5_data *data2"
-.Sh DESCRIPTION
-The
-.Li krb5_data
-structure holds a data element.
-The structure contains two public accessible elements
-.Fa length
-(the length of data)
-and
-.Fa data
-(the data itself).
-The structure must always be initiated and freed by the functions
-documented in this manual.
-.Pp
-.Fn krb5_data_zero
-resets the content of
-.Fa p .
-.Pp
-.Fn krb5_data_free
-free the data in
-.Fa p
-and reset the content of the structure with
-.Fn krb5_data_zero .
-.Pp
-.Fn krb5_free_data_contents
-works the same way as
-.Fa krb5_data_free .
-The diffrence is that krb5_free_data_contents is more portable (exists
-in MIT api).
-.Pp
-.Fn krb5_free_data
-frees the data in
-.Fa p
-and
-.Fa p
-itself.
-.Pp
-.Fn krb5_data_alloc
-allocates
-.Fa len
-bytes in
-.Fa p .
-Returns 0 or an error.
-.Pp
-.Fn krb5_data_realloc
-reallocates the length of
-.Fa p
-to the length in
-.Fa len .
-Returns 0 or an error.
-.Pp
-.Fn krb5_data_copy
-copies the
-.Fa data
-that have the length
-.Fa len
-into
-.Fa p .
-.Fa p
-is not freed so the calling function should make sure the
-.Fa p
-doesn't contain anything needs to be freed.
-Returns 0 or an error.
-.Pp
-.Fn krb5_copy_data
-copies the
-.Li krb5_data
-in
-.Fa indata
-to
-.Fa outdata .
-.Fa outdata
-is not freed so the calling function should make sure the
-.Fa outdata
-doesn't contain anything needs to be freed.
-.Fa outdata
-should be freed using
-.Fn krb5_free_data .
-Returns 0 or an error.
-.Pp
-.Fn krb5_data_cmp
-will compare two data object and check if they are the same in a
-simular way as memcmp does it. The return value can be used for
-sorting.
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5_storage 3 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_digest.3 b/crypto/heimdal/lib/krb5/krb5_digest.3
index f9d7571b072d..a4ee75631a6b 100644
--- a/crypto/heimdal/lib/krb5/krb5_digest.3
+++ b/crypto/heimdal/lib/krb5/krb5_digest.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_digest.3 20259 2007-02-17 23:49:54Z lha $
+.\" $Id$
.\"
.Dd February 18, 2007
.Dt KRB5_DIGEST 3
diff --git a/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3
index fcada92bc94b..0c83a33f8cd9 100644
--- a/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3
+++ b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_eai_to_heim_errno.3 14086 2004-08-03 11:13:46Z lha $
+.\" $Id$
.\"
.Dd April 13, 2004
.Dt KRB5_EAI_TO_HEIM_ERRNO 3
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3
index 76cb4c700c1c..2b1f58708c81 100644
--- a/crypto/heimdal/lib/krb5/krb5_encrypt.3
+++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_encrypt.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd March 20, 2004
.Dt KRB5_ENCRYPT 3
@@ -141,7 +141,7 @@ Kerberos 5 Library (libkrb5, -lkrb5)
.Ft krb5_error_code
.Fo krb5_crypto_getconfoundersize
.Fa "krb5_context context"
-.Fa "krb5_crypto crypto
+.Fa "krb5_crypto crypto"
.Fa size_t *confoundersize"
.Fc
.Ft krb5_error_code
@@ -199,7 +199,7 @@ should be the appropriate key-usage.
.Fa ivec
is a pointer to a initial IV, it is modified to the end IV at the end of
the round.
-Ivec should be the size of
+Ivec should be the size of
If
.Dv NULL
is passed in, the default IV is used.
@@ -229,7 +229,7 @@ and
works similarly.
.Pp
.Fn krb5_decrypt_ticket
-decrypts the encrypted part of
+decrypts the encrypted part of
.Fa ticket
with
.Fa key .
diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et
index 6714401e4503..098e04b95928 100644
--- a/crypto/heimdal/lib/krb5/krb5_err.et
+++ b/crypto/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $"
+id "$Id$"
error_table krb5
@@ -106,11 +106,17 @@ error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not suppo
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
-# 82-127 are reserved
+# 82-93 are reserved
+
+index 94
+error_code INVALID_HASH_ALG, "Invalid OTP digest algorithm"
+error_code INVALID_ITERATION_COUNT, "Invalid OTP iteration count"
+
+# 97-127 are reserved
index 128
prefix
-error_code KRB5_ERR_RCSID, "$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $"
+error_code KRB5_ERR_RCSID, "$Id$"
error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode"
error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password"
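Review bot: The new comment `# 97-127 are reserved` leaves code 96 unaccounted for. If codes are numbered consecutively from `index 94`, the two added entries take 94 and 95, and nothing says what 96 is. Either the comment should read `# 96-127 are reserved`, or a line should state what 96 is held for. Keeping this range comment exact makes it less likely that a later addition collides with a number already assigned elsewhere.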
@@ -262,5 +268,7 @@ error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
error_code KRB5_ERR_NO_SERVICE, "Service not available"
error_code KRB5_CC_NOSUPP, "Credential cache function not supported"
error_code KRB5_DELTAT_BADFORMAT, "Invalid format of Kerberos lifetime or clock skew string"
+error_code KRB5_PLUGIN_NO_HANDLE, "Supplied data not handled by this plugin"
+error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton"
end
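Review bot: The message string added for `KRB5_PLUGIN_OP_NOTSUPP` is misspelled: `"Plugin does not support the operaton"` should read `"Plugin does not support the operation"`. This is the text users and log files will show, and a search for the correctly spelled word will miss it.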
diff --git a/crypto/heimdal/lib/krb5/krb5_expand_hostname.3 b/crypto/heimdal/lib/krb5/krb5_expand_hostname.3
deleted file mode 100644
index ffd98dad1688..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_expand_hostname.3
+++ /dev/null
@@ -1,93 +0,0 @@
-.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_expand_hostname.3 17461 2006-05-05 13:13:18Z lha $
-.\"
-.Dd May 5, 2006
-.Dt KRB5_EXPAND_HOSTNAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_expand_hostname ,
-.Nm krb5_expand_hostname_realms
-.Nd Kerberos 5 host name canonicalization functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Ft krb5_error_code
-.Fo krb5_expand_hostname
-.Fa "krb5_context context"
-.Fa "const char *orig_hostname"
-.Fa "char **new_hostname"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_expand_hostname_realms
-.Fa "krb5_context context"
-.Fa "const char *orig_hostname"
-.Fa "char **new_hostname"
-.Fa "char ***realms"
-.Fc
-.Sh DESCRIPTION
-.Fn krb5_expand_hostname
-tries to make
-.Fa orig_hostname
-into a more canonical one in the newly allocated space returned in
-.Fa new_hostname .
-Caller must free the hostname with
-.Xr free 3 .
-.Pp
-.Fn krb5_expand_hostname_realms
-expands
-.Fa orig_hostname
-to a name we believe to be a hostname in newly
-allocated space in
-.Fa new_hostname
-and return the realms
-.Fa new_hostname
-is belive to belong to in
-.Fa realms .
-.Fa Realms
-is a array terminated with
-.Dv NULL .
-Caller must free the
-.Fa realms
-with
-.Fn krb5_free_host_realm
-and
-.Fa new_hostname
-with
-.Xr free 3 .
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5_free_host_realm 3 ,
-.Xr krb5_get_host_realm 3 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_find_padata.3 b/crypto/heimdal/lib/krb5/krb5_find_padata.3
index b72678493152..377a2cb0efbf 100644
--- a/crypto/heimdal/lib/krb5/krb5_find_padata.3
+++ b/crypto/heimdal/lib/krb5/krb5_find_padata.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_find_padata.3 13595 2004-03-21 13:17:41Z lha $
+.\" $Id$
.\"
.Dd March 21, 2004
.Dt KRB5_FIND_PADATA 3
diff --git a/crypto/heimdal/lib/krb5/krb5_generate_random_block.3 b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3
index 4b46954fa90a..8fad9493f4b8 100644
--- a/crypto/heimdal/lib/krb5/krb5_generate_random_block.3
+++ b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_generate_random_block.3 17385 2006-05-01 08:48:55Z lha $
+.\" $Id$
.\"
.Dd March 21, 2004
.Dt KRB5_GENERATE_RANDOM_BLOCK 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
index f6f4c85c97aa..56a5322399bb 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_all_client_addrs.3 12329 2003-05-26 14:09:04Z lha $
+.\" $Id$
.\"
.Dd July 1, 2001
.Dt KRB5_GET_ADDRS 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_credentials.3 b/crypto/heimdal/lib/krb5/krb5_get_credentials.3
index 32e0ffe1eef3..112f308277e3 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_credentials.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_credentials.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_credentials.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd July 26, 2004
.Dt KRB5_GET_CREDENTIALS 3
@@ -37,8 +37,6 @@
.Sh NAME
.Nm krb5_get_credentials ,
.Nm krb5_get_credentials_with_flags ,
-.Nm krb5_get_cred_from_kdc ,
-.Nm krb5_get_cred_from_kdc_opt ,
.Nm krb5_get_kdc_cred ,
.Nm krb5_get_renewed_creds
.Nd get credentials from the KDC using krbtgt
@@ -64,23 +62,6 @@ Kerberos 5 Library (libkrb5, -lkrb5)
.Fa "krb5_creds **out_creds"
.Fc
.Ft krb5_error_code
-.Fo krb5_get_cred_from_kdc
-.Fa "krb5_context context"
-.Fa "krb5_ccache ccache"
-.Fa "krb5_creds *in_creds"
-.Fa "krb5_creds **out_creds"
-.Fa "krb5_creds ***ret_tgts"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_get_cred_from_kdc_opt
-.Fa "krb5_context context"
-.Fa "krb5_ccache ccache"
-.Fa "krb5_creds *in_creds"
-.Fa "krb5_creds **out_creds"
-.Fa "krb5_creds ***ret_tgts"
-.Fa "krb5_flags flags"
-.Fc
-.Ft krb5_error_code
.Fo krb5_get_kdc_cred
.Fa "krb5_context context"
.Fa "krb5_ccache id"
@@ -121,7 +102,7 @@ Valid flags to pass into
.Fa options
argument are:
.Pp
-.Bl -tag -width "KRB5_GC_USER_USER" -compact
+.Bl -tag -width "KRB5_GC_EXPIRED_OK" -compact
.It KRB5_GC_CACHED
Only check the
.Fa ccache ,
@@ -147,14 +128,6 @@ except that the
.Fa flags
field is missing.
.Pp
-.Fn krb5_get_cred_from_kdc
-and
-.Fn krb5_get_cred_from_kdc_opt
-fetches the credential from the KDC very much like
-.Fn krb5_get_credentials, but doesn't look in the
-.Fa ccache
-if the credential exists there first.
-.Pp
.Fn krb5_get_kdc_cred
does the same as the functions above, but the caller must fill in all
the information andits closer to the wire protocol.
@@ -185,7 +158,7 @@ getcred(krb5_context context, krb5_ccache id, krb5_creds **creds)
krb5_error_code ret;
krb5_creds in;
- ret = krb5_parse_name(context, "client@EXAMPLE.COM",
+ ret = krb5_parse_name(context, "client@EXAMPLE.COM",
&in.client);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
diff --git a/crypto/heimdal/lib/krb5/krb5_get_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_creds.3
index 189c93f408da..e0ab8a91db6f 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_creds.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_creds.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_creds.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd June 15, 2006
.Dt KRB5_GET_CREDS 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3
index bbe46ec44784..a6483177b2c9 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_forwarded_creds.3 14068 2004-07-26 13:34:33Z lha $
+.\" $Id$
.\"
.Dd July 26, 2004
.Dt KRB5_GET_FORWARDED_CREDS 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_in_cred.3 b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3
index 290e3c5c694d..c415aeca35c0 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_in_cred.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_in_cred.3 17593 2006-05-29 14:55:18Z lha $
+.\" $Id$
.\"
.Dd May 31, 2003
.Dt KRB5_GET_IN_TKT 3
@@ -169,7 +169,7 @@ but are more specialized.
.Nm krb5_get_in_tkt_with_password
uses the clients password to authenticate.
If the password argument is
-.DV NULL
+.Dv NULL
the user user queried with the default password query function.
.Pp
.Nm krb5_get_in_tkt_with_keytab
diff --git a/crypto/heimdal/lib/krb5/krb5_get_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3
index 3838c1449a57..764efb47e441 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_init_creds.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_init_creds.3 20266 2007-02-18 10:41:10Z lha $
+.\" $Id$
.\"
.Dd Sep 16, 2006
.Dt KRB5_GET_INIT_CREDS 3
@@ -222,7 +222,7 @@ Getting initial credential ticket for a principal.
That may include changing an expired password, and doing preauthentication.
This interface that replaces the deprecated
.Fa krb5_in_tkt
-and
+and
.Fa krb5_in_cred
functions.
.Pp
diff --git a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
index d613a0d6df11..55fb8f2a0b0f 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_get_krbhst.3 14905 2005-04-24 07:46:59Z lha $
+.\" $Id$
.\"
.Dd April 24, 2005
.Dt KRB5_GET_KRBHST 3
diff --git a/crypto/heimdal/lib/krb5/krb5_getportbyname.3 b/crypto/heimdal/lib/krb5/krb5_getportbyname.3
index 143606090031..0e9b7cbac8e0 100644
--- a/crypto/heimdal/lib/krb5/krb5_getportbyname.3
+++ b/crypto/heimdal/lib/krb5/krb5_getportbyname.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_getportbyname.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd August 15, 2004
.Dt NAME 3
diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3
index cf9d69698501..3a6199b95476 100644
--- a/crypto/heimdal/lib/krb5/krb5_init_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_init_context.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_init_context.3 19980 2007-01-17 18:06:33Z lha $
+.\" $Id$
.\"
.Dd December 8, 2004
.Dt KRB5_CONTEXT 3
@@ -156,7 +156,7 @@ Kerberos 5 Library (libkrb5, -lkrb5)
.Fa "const char *filelist"
.Fa "char ***pfilenames"
.Fc
-.Ft krb5_error_code
+.Ft krb5_error_code
.Fo krb5_get_default_config_files
.Fa "char ***pfilenames"
.Fc
@@ -211,7 +211,7 @@ libs to
This is done by
.Fn krb5_init_context .
.Pp
-.Fn krb5_add_et_list
+.Fn krb5_add_et_list
adds a
.Xr com_err 3
error-code handler
@@ -219,7 +219,7 @@ error-code handler
to the specified
.Fa context .
The error handler must generated by the the re-rentrant version of the
-.Xr compile_et 3
+.Xr compile_et 1
program.
.Fn krb5_add_extra_addresses
add a list of addresses that should be added when requesting tickets.
@@ -265,7 +265,7 @@ set the list of configuration files to use and re-initialize the
configuration from the files.
.Pp
.Fn krb5_prepend_config_files
-parse the
+parse the
.Fa filelist
and prepend the result to the already existing list
.Fa pq
@@ -275,7 +275,7 @@ and should be freed with
.Fn krb5_free_config_files .
.Pp
.Fn krb5_prepend_config_files_default
-parse the
+parse the
.Fa filelist
and append that to the default
list of configuration files.
diff --git a/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3 b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3
index 9f0a919d3571..1a73e853e8bb 100644
--- a/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3
+++ b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_is_thread_safe.3 17462 2006-05-05 13:18:39Z lha $
+.\" $Id$
.\"
.Dd May 5, 2006
.Dt KRB5_IS_THREAD_SAFE 3
@@ -50,7 +50,7 @@ returns
if the library was compiled with with multithread support.
If the library isn't compiled, the consumer have to use a global lock
to make sure Kerboros functions are not called at the same time by
-diffrent threads.
+different threads.
.\" .Sh EXAMPLE
.\" .Sh BUGS
.Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_keyblock.3 b/crypto/heimdal/lib/krb5/krb5_keyblock.3
deleted file mode 100644
index 9fabd32a0d01..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_keyblock.3
+++ /dev/null
@@ -1,218 +0,0 @@
-.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_keyblock.3 17385 2006-05-01 08:48:55Z lha $
-.\"
-.Dd May 1, 2006
-.Dt KRB5_KEYBLOCK 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_keyblock ,
-.Nm krb5_keyblock_get_enctype ,
-.Nm krb5_copy_keyblock ,
-.Nm krb5_copy_keyblock_contents ,
-.Nm krb5_free_keyblock ,
-.Nm krb5_free_keyblock_contents ,
-.Nm krb5_generate_random_keyblock ,
-.Nm krb5_generate_subkey ,
-.Nm krb5_generate_subkey_extended ,
-.Nm krb5_keyblock_init ,
-.Nm krb5_keyblock_zero ,
-.Nm krb5_random_to_key
-.Nd Kerberos 5 key handling functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li krb5_keyblock ;
-.Ft krb5_enctype
-.Fo krb5_keyblock_get_enctype
-.Fa "const krb5_keyblock *block"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_keyblock
-.Fa "krb5_context context"
-.Fa "krb5_keyblock **to"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_keyblock_contents
-.Fa "krb5_context context"
-.Fa "const krb5_keyblock *inblock"
-.Fa "krb5_keyblock *to"
-.Fc
-.Ft void
-.Fo krb5_free_keyblock
-.Fa "krb5_context context"
-.Fa "krb5_keyblock *keyblock"
-.Fc
-.Ft void
-.Fo krb5_free_keyblock_contents
-.Fa "krb5_context context"
-.Fa "krb5_keyblock *keyblock"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_generate_random_keyblock
-.Fa "krb5_context context"
-.Fa "krb5_enctype type"
-.Fa "krb5_keyblock *key"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_generate_subkey
-.Fa "krb5_context context"
-.Fa "const krb5_keyblock *key"
-.Fa "krb5_keyblock **subkey"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_generate_subkey_extended
-.Fa "krb5_context context"
-.Fa "const krb5_keyblock *key"
-.Fa "krb5_enctype enctype"
-.Fa "krb5_keyblock **subkey"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_keyblock_init
-.Fa "krb5_context context"
-.Fa "krb5_enctype type"
-.Fa "const void *data"
-.Fa "size_t size"
-.Fa "krb5_keyblock *key"
-.Fc
-.Ft void
-.Fo krb5_keyblock_zero
-.Fa "krb5_keyblock *keyblock"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_random_to_key
-.Fa "krb5_context context"
-.Fa "krb5_enctype type"
-.Fa "const void *data"
-.Fa "size_t size"
-.Fa "krb5_keyblock *key"
-.Fc
-.Sh DESCRIPTION
-.Li krb5_keyblock
-holds the encryption key for a specific encryption type.
-There is no component inside
-.Li krb5_keyblock
-that is directly referable.
-.Pp
-.Fn krb5_keyblock_get_enctype
-returns the encryption type of the keyblock.
-.Pp
-.Fn krb5_copy_keyblock
-makes a copy the keyblock
-.Fa inblock
-to the
-output
-.Fa out .
-.Fa out
-should be freed by the caller with
-.Fa krb5_free_keyblock .
-.Pp
-.Fn krb5_copy_keyblock_contents
-copies the contents of
-.Fa inblock
-to the
-.Fa to
-keyblock.
-The destination keyblock is overritten.
-.Pp
-.Fn krb5_free_keyblock
-zeros out and frees the content and the keyblock itself.
-.Pp
-.Fn krb5_free_keyblock_contents
-zeros out and frees the content of the keyblock.
-.Pp
-.Fn krb5_generate_random_keyblock
-creates a new content of the keyblock
-.Fa key
-of type encrytion type
-.Fa type .
-The content of
-.Fa key
-is overwritten and not freed, so the caller should be sure it is
-freed before calling the function.
-.Pp
-.Fn krb5_generate_subkey
-generates a
-.Fa subkey
-of the same type as
-.Fa key .
-The caller must free the subkey with
-.Fa krb5_free_keyblock .
-.Pp
-.Fn krb5_generate_subkey_extended
-generates a
-.Fa subkey
-of the specified encryption type
-.Fa type .
-If
-.Fa type
-is
-.Dv ETYPE_NULL ,
-of the same type as
-.Fa key .
-The caller must free the subkey with
-.Fa krb5_free_keyblock .
-.Pp
-.Fn krb5_keyblock_init
-Fill in
-.Fa key
-with key data of type
-.Fa enctype
-from
-.Fa data
-of length
-.Fa size .
-Key should be freed using
-.Fn krb5_free_keyblock_contents .
-.Pp
-.Fn krb5_keyblock_zero
-zeros out the keyblock to to make sure no keymaterial is in
-memory.
-Note that
-.Fn krb5_free_keyblock_contents
-also zeros out the memory.
-.Pp
-.Fn krb5_random_to_key
-converts the random bytestring to a protocol key according to Kerberos
-crypto frame work.
-It the resulting key will be of type
-.Fa enctype .
-It may be assumed that all the bits of the input string are equally
-random, even though the entropy present in the random source may be
-limited
-.\" .Sh EXAMPLES
-.Sh SEE ALSO
-.Xr krb5_crypto_init 3 ,
-.Xr krb5 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_keytab.3 b/crypto/heimdal/lib/krb5/krb5_keytab.3
deleted file mode 100644
index b6cb1a26cc00..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_keytab.3
+++ /dev/null
@@ -1,482 +0,0 @@
-.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_keytab.3 22071 2007-11-14 20:04:50Z lha $
-.\"
-.Dd August 12, 2005
-.Dt KRB5_KEYTAB 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_kt_ops ,
-.Nm krb5_keytab_entry ,
-.Nm krb5_kt_cursor ,
-.Nm krb5_kt_add_entry ,
-.Nm krb5_kt_close ,
-.Nm krb5_kt_compare ,
-.Nm krb5_kt_copy_entry_contents ,
-.Nm krb5_kt_default ,
-.Nm krb5_kt_default_modify_name ,
-.Nm krb5_kt_default_name ,
-.Nm krb5_kt_end_seq_get ,
-.Nm krb5_kt_free_entry ,
-.Nm krb5_kt_get_entry ,
-.Nm krb5_kt_get_name ,
-.Nm krb5_kt_get_type ,
-.Nm krb5_kt_next_entry ,
-.Nm krb5_kt_read_service_key ,
-.Nm krb5_kt_register ,
-.Nm krb5_kt_remove_entry ,
-.Nm krb5_kt_resolve ,
-.Nm krb5_kt_start_seq_get
-.Nd manage keytab (key storage) files
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Ft krb5_error_code
-.Fo krb5_kt_add_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_close
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fc
-.Ft krb5_boolean
-.Fo krb5_kt_compare
-.Fa "krb5_context context"
-.Fa "krb5_keytab_entry *entry"
-.Fa "krb5_const_principal principal"
-.Fa "krb5_kvno vno"
-.Fa "krb5_enctype enctype"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_copy_entry_contents
-.Fa "krb5_context context"
-.Fa "const krb5_keytab_entry *in"
-.Fa "krb5_keytab_entry *out"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_default
-.Fa "krb5_context context"
-.Fa "krb5_keytab *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_default_modify_name
-.Fa "krb5_context context"
-.Fa "char *name"
-.Fa "size_t namesize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_default_name
-.Fa "krb5_context context"
-.Fa "char *name"
-.Fa "size_t namesize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_end_seq_get
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_free_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_const_principal principal"
-.Fa "krb5_kvno kvno"
-.Fa "krb5_enctype enctype"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_name
-.Fa "krb5_context context"
-.Fa "krb5_keytab keytab"
-.Fa "char *name"
-.Fa "size_t namesize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_get_type
-.Fa "krb5_context context"
-.Fa "krb5_keytab keytab"
-.Fa "char *prefix"
-.Fa "size_t prefixsize"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_next_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_read_service_key
-.Fa "krb5_context context"
-.Fa "krb5_pointer keyprocarg"
-.Fa "krb5_principal principal"
-.Fa "krb5_kvno vno"
-.Fa "krb5_enctype enctype"
-.Fa "krb5_keyblock **key"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_register
-.Fa "krb5_context context"
-.Fa "const krb5_kt_ops *ops"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_remove_entry
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_keytab_entry *entry"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_resolve
-.Fa "krb5_context context"
-.Fa "const char *name"
-.Fa "krb5_keytab *id"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_kt_start_seq_get
-.Fa "krb5_context context"
-.Fa "krb5_keytab id"
-.Fa "krb5_kt_cursor *cursor"
-.Fc
-.Sh DESCRIPTION
-A keytab name is on the form
-.Li type:residual .
-The
-.Li residual
-part is specific to each keytab-type.
-.Pp
-When a keytab-name is resolved, the type is matched with an internal
-list of keytab types. If there is no matching keytab type,
-the default keytab is used. The current default type is
-.Nm file .
-The default value can be changed in the configuration file
-.Pa /etc/krb5.conf
-by setting the variable
-.Li [defaults]default_keytab_name .
-.Pp
-The keytab types that are implemented in Heimdal
-are:
-.Bl -tag -width Ds
-.It Nm file
-store the keytab in a file, the type's name is
-.Li FILE .
-The residual part is a filename.
-For compatibility with other Kerberos implemtation
-.Li WRFILE
-and
-.LI JAVA14
-is also accepted.
-.Li WRFILE
-has the same format as
-.Li FILE .
-.Li JAVA14
-have a format that is compatible with older versions of MIT kerberos
-and SUN's Java based installation. They store a truncted kvno, so
-when the knvo excess 255, they are truncted in this format.
-.It Nm keyfile
-store the keytab in a
-.Li AFS
-keyfile (usually
-.Pa /usr/afs/etc/KeyFile ) ,
-the type's name is
-.Li AFSKEYFILE .
-The residual part is a filename.
-.It Nm krb4
-the keytab is a Kerberos 4
-.Pa srvtab
-that is on-the-fly converted to a keytab. The type's name is
-.Li krb4 .
-The residual part is a filename.
-.It Nm memory
-The keytab is stored in a memory segment. This allows sensitive and/or
-temporary data not to be stored on disk. The type's name is
-.Li MEMORY .
-Each
-.Li MEMORY
-keytab is referenced counted by and opened by the residual name, so two
-handles can point to the same memory area.
-When the last user closes the entry, it disappears.
-.El
-.Pp
-.Nm krb5_keytab_entry
-holds all data for an entry in a keytab file, like principal name,
-key-type, key, key-version number, etc.
-.Nm krb5_kt_cursor
-holds the current position that is used when iterating through a
-keytab entry with
-.Fn krb5_kt_start_seq_get ,
-.Fn krb5_kt_next_entry ,
-and
-.Fn krb5_kt_end_seq_get .
-.Pp
-.Nm krb5_kt_ops
-contains the different operations that can be done to a keytab. This
-structure is normally only used when doing a new keytab-type
-implementation.
-.Pp
-.Fn krb5_kt_resolve
-is the equivalent of an
-.Xr open 2
-on keytab. Resolve the keytab name in
-.Fa name
-into a keytab in
-.Fa id .
-Returns 0 or an error. The opposite of
-.Fn krb5_kt_resolve
-is
-.Fn krb5_kt_close .
-.Pp
-.Fn krb5_kt_close
-frees all resources allocated to the keytab, even on failure.
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_default
-sets the argument
-.Fa id
-to the default keytab.
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_default_modify_name
-copies the name of the default modify keytab into
-.Fa name .
-Return 0 or KRB5_CONFIG_NOTENUFSPACE if
-.Fa namesize
-is too short.
-.Pp
-.Fn krb5_kt_default_name
-copies the name of the default keytab into
-.Fa name .
-Return 0 or KRB5_CONFIG_NOTENUFSPACE if
-.Fa namesize
-is too short.
-.Pp
-.Fn krb5_kt_add_entry
-adds a new
-.Fa entry
-to the keytab
-.Fa id .
-.Li KRB5_KT_NOWRITE
-is returned if the keytab is a readonly keytab.
-.Pp
-.Fn krb5_kt_compare
-compares the passed in
-.Fa entry
-against
-.Fa principal ,
-.Fa vno ,
-and
-.Fa enctype .
-Any of
-.Fa principal ,
-.Fa vno
-or
-.Fa enctype
-might be 0 which acts as a wildcard. Return TRUE if they compare the
-same, FALSE otherwise.
-.Pp
-.Fn krb5_kt_copy_entry_contents
-copies the contents of
-.Fa in
-into
-.Fa out .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_get_name
-retrieves the name of the keytab
-.Fa keytab
-into
-.Fa name ,
-.Fa namesize .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_get_type
-retrieves the type of the keytab
-.Fa keytab
-and store the prefix/name for type of the keytab into
-.Fa prefix ,
-.Fa prefixsize .
-The prefix will have the maximum length of
-.Dv KRB5_KT_PREFIX_MAX_LEN
-(including terminating
-.Dv NUL ) .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_free_entry
-frees the contents of
-.Fa entry .
-.Pp
-.Fn krb5_kt_start_seq_get
-sets
-.Fa cursor
-to point at the beginning of
-.Fa id .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_next_entry
-gets the next entry from
-.Fa id
-pointed to by
-.Fa cursor
-and advance the
-.Fa cursor .
-On success the returne entry must be freed with
-.Fn krb5_kt_free_entry .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_end_seq_get
-releases all resources associated with
-.Fa cursor .
-.Pp
-.Fn krb5_kt_get_entry
-retrieves the keytab entry for
-.Fa principal ,
-.Fa kvno ,
-.Fa enctype
-into
-.Fa entry
-from the keytab
-.Fa id .
-When comparing an entry in the keytab to determine a match, the
-function
-.Fn krb5_kt_compare
-is used, so the wildcard rules applies to the argument of
-.F krb5_kt_get_entry
-too.
-On success the returne entry must be freed with
-.Fn krb5_kt_free_entry .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_read_service_key
-reads the key identified by
-.Fa ( principal ,
-.Fa vno ,
-.Fa enctype )
-from the keytab in
-.Fa keyprocarg
-(the system default keytab if
-.Dv NULL
-is used) into
-.Fa *key .
-.Fa keyprocarg
-is the same argument as to
-.Fa name
-argument to
-.Fn krb5_kt_resolve .
-Internal
-.Fn krb5_kt_compare
-will be used, so the same wildcard rules applies
-to
-.Fn krb5_kt_read_service_key .
-On success the returned key must be freed with
-.Fa krb5_free_keyblock .
-Returns 0 or an error.
-.Pp
-.Fn krb5_kt_remove_entry
-removes the entry
-.Fa entry
-from the keytab
-.Fa id .
-When comparing an entry in the keytab to determine a match, the
-function
-.Fn krb5_kt_compare
-is use, so the wildcard rules applies to the argument of
-.Fn krb5_kt_remove_entry .
-Returns 0,
-.Dv KRB5_KT_NOTFOUND
-if not entry matched or another error.
-.Pp
-.Fn krb5_kt_register
-registers a new keytab type
-.Fa ops .
-Returns 0 or an error.
-.Sh EXAMPLES
-This is a minimalistic version of
-.Nm ktutil .
-.Pp
-.Bd -literal
-int
-main (int argc, char **argv)
-{
- krb5_context context;
- krb5_keytab keytab;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- krb5_error_code ret;
- char *principal;
-
- if (krb5_init_context (&context) != 0)
- errx(1, "krb5_context");
-
- ret = krb5_kt_default (context, &keytab);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_default");
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krb5_unparse_name_short(context, entry.principal, &principal);
- printf("principal: %s\\n", principal);
- free(principal);
- krb5_kt_free_entry(context, &entry);
- }
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
- ret = krb5_kt_close(context, keytab);
- if (ret)
- krb5_err(context, 1, ret, "krb5_kt_close");
- krb5_free_context(context);
- return 0;
-}
-.Ed
-.Sh COMPATIBILITY
-Heimdal stored the ticket flags in machine bit-field order before
-Heimdal 0.7. The behavior is possible to change in with the option
-.Li [libdefaults]fcc-mit-ticketflags .
-Heimdal 0.7 also code to detech that ticket flags was in the wrong
-order and correct them. This matters when doing delegation in GSS-API
-because the client code looks at the flag to determin if it is possible
-to do delegation if the user requested it.
-.Sh SEE ALSO
-.Xr krb5.conf 5 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
index 1d906bfafc0b..8abb00fea494 100644
--- a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
+++ b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_krbhst_init.3 15110 2005-05-10 09:21:06Z lha $
+.\" $Id$
.\"
.Dd May 10, 2005
.Dt KRB5_KRBHST_INIT 3
diff --git a/crypto/heimdal/lib/krb5/krb5_kuserok.3 b/crypto/heimdal/lib/krb5/krb5_kuserok.3
deleted file mode 100644
index e5e5c9937de3..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_kuserok.3
+++ /dev/null
@@ -1,103 +0,0 @@
-.\" Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_kuserok.3 15083 2005-05-04 12:11:22Z joda $
-.\"
-.Dd May 4, 2005
-.Dt KRB5_KUSEROK 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_kuserok
-.Nd "checks if a principal is permitted to login as a user"
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_boolean
-.Fo krb5_kuserok
-.Fa "krb5_context context"
-.Fa "krb5_principal principal"
-.Fa "const char *user"
-.Fc
-.Sh DESCRIPTION
-This function takes the name of a local
-.Fa user
-and checks if
-.Fa principal
-is allowed to log in as that user.
-.Pp
-The
-.Fa user
-may have a
-.Pa ~/.k5login
-file listing principals that are allowed to login as that user. If
-that file does not exist, all principals with a first component
-identical to the username, and a realm considered local, are allowed
-access.
-.Pp
-The
-.Pa .k5login
-file must contain one principal per line, be owned by
-.Fa user ,
-and not be writable by group or other (but must be readable by
-anyone).
-.Pp
-Note that if the file exists, no implicit access rights are given to
-.Fa user Ns @ Ns Aq localrealm .
-.Pp
-Optionally, a set of files may be put in
-.Pa ~/.k5login.d ( Ns
-a directory), in which case they will all be checked in the same
-manner as
-.Pa .k5login .
-The files may be called anything, but files starting with a hash
-.Dq ( # ) ,
-or ending with a tilde
-.Dq ( ~ )
-are ignored. Subdirectories are not traversed. Note that this
-directory may not be checked by other implementations.
-.Sh RETURN VALUES
-.Nm
-returns
-.Dv TRUE
-if access should be granted,
-.Dv FALSE
-otherwise.
-.Sh HISTORY
-The
-.Pa ~/.k5login.d
-feature appeared in Heimdal 0.7.
-.Sh SEE ALSO
-.Xr krb5_get_default_realms 3 ,
-.Xr krb5_verify_user 3 ,
-.Xr krb5_verify_user_lrealm 3 ,
-.Xr krb5_verify_user_opt 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h
index ef812dae7c95..d0c68927ffbd 100644
--- a/crypto/heimdal/lib/krb5/krb5_locl.h
+++ b/crypto/heimdal/lib/krb5/krb5_locl.h
@@ -1,45 +1,44 @@
/*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-/* $Id: krb5_locl.h 22226 2007-12-08 21:31:53Z lha $ */
-/* $FreeBSD$ */
+/* $Id$ */
#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__
-#ifdef HAVE_CONFIG_H
#include <config.h>
-#endif
#include <errno.h>
#include <ctype.h>
@@ -48,6 +47,8 @@
#include <stdlib.h>
#include <limits.h>
+#include <krb5-types.h>
+
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
@@ -117,6 +118,21 @@ struct sockaddr_dl;
#include <sys/file.h>
#endif
+#include <com_err.h>
+
+#include <heimbase.h>
+
+#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
+
+#ifdef LIBINTL
+#include <libintl.h>
+#define N_(x,y) dgettext(HEIMDAL_TEXTDOMAIN, x)
+#else
+#define N_(x,y) (x)
+#define bindtextdomain(package, localedir)
+#endif
+
+
#ifdef HAVE_CRYPT_H
#undef des_encrypt
#define des_encrypt wingless_pigs_mostly_fail_to_fly
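Review bot: `N_(x,y)` discards its second argument in both branches, and nothing in the hunk says what that argument is for, so a reader cannot tell a translator hint from a value that was meant to be used. With `LIBINTL` defined, every string wrapped in `N_` is looked up in the `heimdal_krb5` catalog at run time. If any of those strings are later used as printf-style formats (the call sites are outside this hunk), the catalog directory becomes input the library trusts and should be a fixed path that users cannot write to. I would add a comment above the `#ifdef LIBINTL`, assuming the second argument is a translator hint: `/* N_(msgid, hint): hint is dropped at compile time; msgid may be a format string, so catalogs must come from a trusted localedir */`. The stub `#define bindtextdomain(package, localedir)` expands to nothing, which only compiles where the call is a statement of its own; `#define bindtextdomain(package, localedir) ((void)0)` is safer.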
@@ -132,6 +148,9 @@ struct sockaddr_dl;
#include <parse_time.h>
#include <base64.h>
+#include <wind.h>
+
+#define HC_DEPRECATED_CRYPTO
#include "crypto-headers.h"
@@ -140,9 +159,11 @@ struct sockaddr_dl;
struct send_to_kdc;
/* XXX glue for pkinit */
+struct hx509_certs_data;
struct krb5_pk_identity;
struct krb5_pk_cert;
struct ContentInfo;
+struct AlgorithmIdentifier;
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
struct krb5_dh_moduli;
@@ -155,8 +176,11 @@ struct _krb5_krb_auth_data;
#include <krb5_err.h>
#include <asn1_err.h>
#ifdef PKINIT
-#include <hx509_err.h>
+#include <hx509.h>
#endif
+
+#include "crypto.h"
+
#include <krb5-private.h>
#include "heim_threads.h"
@@ -164,17 +188,37 @@ struct _krb5_krb_auth_data;
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+#ifndef __func__
+#define __func__ "unknown-function"
+#endif
+
+#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
+
+#ifndef PATH_SEP
+#define PATH_SEP ":"
+#endif
+
/* should this be public? */
-#define KEYTAB_DEFAULT "ANY:FILE:" SYSCONFDIR "/krb5.keytab,krb4:" SYSCONFDIR "/srvtab"
+#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
+
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
#ifndef O_BINARY
#define O_BINARY 0
#endif
-#define KRB5_BUFSIZ 1024
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define SOCK_CLOEXEC 0
+#endif
+
+
+#define KRB5_BUFSIZ 2048
typedef enum {
KRB5_INIT_CREDS_TRISTATE_UNSET = 0,
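Review bot: `__func__` is a predefined identifier, not a macro, so `#ifndef __func__` is true on any conforming compiler and the `#define __func__ "unknown-function"` that follows always takes effect. `krb5_einval` would then report "unknown-function" for every caller, which defeats the purpose of passing the name. Key the fallback on the language level instead, e.g. `#if !defined(__GNUC__) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L)`. Separately, the `O_CLOEXEC 0` and `SOCK_CLOEXEC 0` fallbacks turn the flag into a silent no-op on platforms that lack it, so descriptors opened with them stay inheritable across exec unless the caller also sets `FD_CLOEXEC` (the callers are not in this hunk). A comment next to the defines would keep that obligation visible: `/* 0 means no close-on-exec at open time; follow up with fcntl(fd, F_SETFD, FD_CLOEXEC) */`.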
@@ -191,16 +235,25 @@ struct _krb5_get_init_creds_opt_private {
krb5_get_init_creds_tristate req_pac;
/* PKINIT */
krb5_pk_init_ctx pk_init_ctx;
- KRB_ERROR *error;
krb5_get_init_creds_tristate addressless;
int flags;
#define KRB5_INIT_CREDS_CANONICALIZE 1
#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
+#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
+ struct {
+ krb5_gic_process_last_req func;
+ void *ctx;
+ } lr;
};
+typedef uint32_t krb5_enctype_set;
+
typedef struct krb5_context_data {
krb5_enctype *etypes;
- krb5_enctype *etypes_des;
+ krb5_enctype *etypes_des;/* deprecated */
+ krb5_enctype *as_etypes;
+ krb5_enctype *tgs_etypes;
+ krb5_enctype *permitted_enctypes;
char **default_realms;
time_t max_skew;
time_t kdc_timeout;
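Review bot: `KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK` is added without a comment, and its name repeats the `NO_C_` prefix of the flag above it, which reads like a copy-paste slip rather than a deliberate name. Judging by the name, it presumably turns off an extended-key-usage check during PKINIT, which loosens certificate validation, so the header should say which check is skipped and when setting it is acceptable. Something like `/* PKINIT: skip the EKU check on the peer certificate; interop only — confirm against the PKINIT code */` would do. The new `lr` pair would also benefit from one line stating who owns `ctx` and when `func` is called. Both the options struct and `krb5_context_data` extend outside this hunk.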
@@ -210,7 +263,8 @@ typedef struct krb5_context_data {
krb5_config_section *cf;
struct et_list *et_list;
struct krb5_log_facility *warn_dest;
- krb5_cc_ops *cc_ops;
+ struct krb5_log_facility *debug_dest;
+ const krb5_cc_ops **cc_ops;
int num_cc_ops;
const char *http_proxy;
const char *time_fmt;
@@ -228,7 +282,7 @@ typedef struct krb5_context_data {
struct krb5_keytab_data *kt_types; /* registered keytab types */
const char *date_fmt;
char *error_string;
- char error_buf[256];
+ krb5_error_code error_code;
krb5_addresses *ignore_addresses;
char *default_cc_name;
char *default_cc_name_env;
@@ -238,16 +292,29 @@ typedef struct krb5_context_data {
int flags;
#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME 1
#define KRB5_CTX_F_CHECK_PAC 2
+#define KRB5_CTX_F_HOMEDIR_ACCESS 4
+#define KRB5_CTX_F_SOCKETS_INITIALIZED 8
+#define KRB5_CTX_F_RD_REQ_IGNORE 16
struct send_to_kdc *send_to_kdc;
+#ifdef PKINIT
+ hx509_context hx509ctx;
+#endif
} krb5_context_data;
+#ifndef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
+#else
+#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
+#endif
#define KRB5_DEFAULT_CCNAME_API "API:"
-#define KRB5_DEFAULT_CCNAME_KCM "KCM:%{uid}"
+#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
+#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH 1
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 2
#define EXTRACT_TICKET_MATCH_REALM 4
+#define EXTRACT_TICKET_AS_REQ 8
+#define EXTRACT_TICKET_TIMESYNC 16
/*
* Configurable options
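Review bot: The three new context bits `KRB5_CTX_F_HOMEDIR_ACCESS`, `KRB5_CTX_F_SOCKETS_INITIALIZED` and `KRB5_CTX_F_RD_REQ_IGNORE` carry no comments, and by their names the first and last change what the library trusts rather than how it is tuned. One line each is enough, for example `/* library may read per-user files under the home directory; expected to be clear in setuid callers — confirm */` on `KRB5_CTX_F_HOMEDIR_ACCESS`. The new `KRB5_DEFAULT_CCNAME_FILE` variant keeps the predictable `krb5cc_%{uid}` name inside `%{TEMP}`. If that token expands to a shared directory, the safety of the cache depends on how the FILE backend creates and checks the file, which is not visible here, so a comment stating that requirement would help. `krb5_context_data` begins outside this hunk.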
@@ -265,4 +332,28 @@ typedef struct krb5_context_data {
#define KRB5_ADDRESSLESS_DEFAULT TRUE
#endif
+#ifndef KRB5_FORWARDABLE_DEFAULT
+#define KRB5_FORWARDABLE_DEFAULT TRUE
+#endif
+
+#ifdef PKINIT
+
+struct krb5_pk_identity {
+ hx509_verify_ctx verify_ctx;
+ hx509_certs certs;
+ hx509_cert cert;
+ hx509_certs anchors;
+ hx509_certs certpool;
+ hx509_revoke_ctx revokectx;
+ int flags;
+#define PKINIT_BTMM 1
+};
+
+enum krb5_pk_type {
+ PKINIT_WIN2K = 1,
+ PKINIT_27 = 2
+};
+
+#endif /* PKINIT */
+
#endif /* __KRB5_LOCL_H__ */
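Review bot: `KRB5_FORWARDABLE_DEFAULT` is introduced as `TRUE` with no comment explaining the choice. If it is the compiled-in default for requesting forwardable tickets (its use is outside this hunk), then clients that set nothing get tickets eligible for delegation to remote hosts, which is a wider default than opt-in and worth confirming as intended. At minimum document it, e.g. `/* default for "forwardable" when neither the caller nor krb5.conf sets it */`. In the same hunk, `PKINIT_BTMM` and the two `krb5_pk_type` values are bare numbers, and a short comment on each would say which protocol variant or behaviour it selects.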
diff --git a/crypto/heimdal/lib/krb5/krb5_mk_req.3 b/crypto/heimdal/lib/krb5/krb5_mk_req.3
index e37d8e7e975f..41701b02992a 100644
--- a/crypto/heimdal/lib/krb5/krb5_mk_req.3
+++ b/crypto/heimdal/lib/krb5/krb5_mk_req.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_mk_req.3 16100 2005-09-26 05:38:55Z lha $
+.\" $Id$
.\"
.Dd August 27, 2005
.Dt KRB5_MK_REQ 3
@@ -123,7 +123,7 @@ or
.Dv NULL
passed in, in that case, it will be allocated and freed internally.
.Pp
-The input data
+The input data
.Fa in_data
will have a checksum calculated over it and checksum will be
transported in the message to the server.
diff --git a/crypto/heimdal/lib/krb5/krb5_mk_safe.3 b/crypto/heimdal/lib/krb5/krb5_mk_safe.3
index 25b65411f80b..e8f45598e481 100644
--- a/crypto/heimdal/lib/krb5/krb5_mk_safe.3
+++ b/crypto/heimdal/lib/krb5/krb5_mk_safe.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_mk_safe.3 17385 2006-05-01 08:48:55Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_MK_SAFE 3
diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3
index 4acad4175ae8..28e9a1f4bc88 100644
--- a/crypto/heimdal/lib/krb5/krb5_openlog.3
+++ b/crypto/heimdal/lib/krb5/krb5_openlog.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997, 1999, 2001 - 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997, 1999, 2001 - 2002 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_openlog.3 12329 2003-05-26 14:09:04Z lha $
+.\" $Id$
.Dd August 6, 1997
.Dt KRB5_OPENLOG 3
.Os HEIMDAL
diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3
index e876ee3cb0b3..eb4a2d28c562 100644
--- a/crypto/heimdal/lib/krb5/krb5_parse_name.3
+++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_parse_name.3 17385 2006-05-01 08:48:55Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_PARSE_NAME 3
diff --git a/crypto/heimdal/lib/krb5/krb5_principal.3 b/crypto/heimdal/lib/krb5/krb5_principal.3
index 1b0c2da32a97..2998130a80e3 100644
--- a/crypto/heimdal/lib/krb5/krb5_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_principal.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_principal.3 21255 2007-06-21 04:36:31Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_PRINCIPAL 3
@@ -47,7 +47,6 @@
.Nm krb5_parse_name ,
.Nm krb5_parse_name_flags ,
.Nm krb5_parse_nametype ,
-.Nm krb5_princ_realm ,
.Nm krb5_princ_set_realm ,
.Nm krb5_principal_compare ,
.Nm krb5_principal_compare_any_realm ,
@@ -90,8 +89,6 @@ Kerberos 5 Library (libkrb5, -lkrb5)
.Fn "krb5_unparse_name_short" "krb5_context context" "krb5_const_principal principal" "char **name"
.Ft krb5_error_code
.Fn krb5_unparse_name_fixed_short "krb5_context context" "krb5_const_principal principal" "char *name" "size_t len"
-.Ft krb5_realm *
-.Fn krb5_princ_realm "krb5_context context" "krb5_principal principal"
.Ft void
.Fn krb5_princ_set_realm "krb5_context context" "krb5_principal principal" "krb5_realm *realm"
.Ft krb5_error_code
@@ -158,12 +155,12 @@ takes an extra
argument the following flags can be passed in
.Bl -tag -width Ds
.It Dv KRB5_PRINCIPAL_PARSE_NO_REALM
-requries the input string to be without a realm, and no realm is
+requires the input string to be without a realm, and no realm is
stored in the
.Fa principal
return argument.
-.It Dv KRB5_PRINCIPAL_PARSE_MUST_REALM
-requries the input string to with a realm.
+.It Dv KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
+requires the input string to with a realm.
.El
.Pp
.Fn krb5_unparse_name
@@ -176,7 +173,7 @@ to the string
.Fa name
should be freed with
.Xr free 3 .
-To the
+To the
.Fa flags
argument the following flags can be passed in
.Bl -tag -width Ds
@@ -287,7 +284,6 @@ is returned.
and
.Fn krb5_principal_get_comp_string
are replacements for
-.Fn krb5_princ_realm ,
.Fn krb5_princ_component
and related macros, described as internal in the MIT API
specification.
@@ -309,14 +305,6 @@ get and sets the name type for a principal.
Name type handling is tricky and not often needed,
don't use this unless you know what you do.
.Pp
-.Fn krb5_princ_realm
-returns the realm component of the principal.
-The caller must not free realm unless
-.Fn krb5_princ_set_realm
-is called to set a new realm after freeing the realm.
-.Fn krb5_princ_set_realm
-sets the realm component of a principal. The old realm is not freed.
-.Pp
.Fn krb5_sname_to_principal
and
.Fn krb5_sock_to_principal
diff --git a/crypto/heimdal/lib/krb5/krb5_rcache.3 b/crypto/heimdal/lib/krb5/krb5_rcache.3
index 0b7e83aa0717..5b121b80c6d5 100644
--- a/crypto/heimdal/lib/krb5/krb5_rcache.3
+++ b/crypto/heimdal/lib/krb5/krb5_rcache.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_rcache.3 17462 2006-05-05 13:18:39Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_RCACHE 3
diff --git a/crypto/heimdal/lib/krb5/krb5_rd_error.3 b/crypto/heimdal/lib/krb5/krb5_rd_error.3
index 00203cdae240..19c092e650be 100644
--- a/crypto/heimdal/lib/krb5/krb5_rd_error.3
+++ b/crypto/heimdal/lib/krb5/krb5_rd_error.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_rd_error.3 21059 2007-06-12 17:52:46Z lha $
+.\" $Id$
.\"
.Dd July 26, 2004
.Dt KRB5_RD_ERROR 3
diff --git a/crypto/heimdal/lib/krb5/krb5_rd_safe.3 b/crypto/heimdal/lib/krb5/krb5_rd_safe.3
index d024ae48e206..bb6294e66dd1 100644
--- a/crypto/heimdal/lib/krb5/krb5_rd_safe.3
+++ b/crypto/heimdal/lib/krb5/krb5_rd_safe.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_rd_safe.3 17385 2006-05-01 08:48:55Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_RD_SAFE 3
diff --git a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
index 27467d816b3b..b1ab61f05f3c 100644
--- a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
+++ b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_set_default_realm.3 17462 2006-05-05 13:18:39Z lha $
+.\" $Id$
.\"
.Dd April 24, 2005
.Dt KRB5_SET_DEFAULT_REALM 3
diff --git a/crypto/heimdal/lib/krb5/krb5_set_password.3 b/crypto/heimdal/lib/krb5/krb5_set_password.3
index 45ed41d477f6..14cd29979afa 100644
--- a/crypto/heimdal/lib/krb5/krb5_set_password.3
+++ b/crypto/heimdal/lib/krb5/krb5_set_password.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_set_password.3 14052 2004-07-15 14:39:06Z lha $
+.\" $Id$
.\"
.Dd July 15, 2004
.Dt KRB5_SET_PASSWORD 3
diff --git a/crypto/heimdal/lib/krb5/krb5_storage.3 b/crypto/heimdal/lib/krb5/krb5_storage.3
deleted file mode 100644
index cc03c5b5e24a..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_storage.3
+++ /dev/null
@@ -1,427 +0,0 @@
-.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_storage.3 17884 2006-08-18 08:41:09Z lha $
-.\"
-.Dd Aug 18, 2006
-.Dt KRB5_STORAGE 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_storage ,
-.Nm krb5_storage_emem ,
-.Nm krb5_storage_from_data ,
-.Nm krb5_storage_from_fd ,
-.Nm krb5_storage_from_mem ,
-.Nm krb5_storage_set_flags ,
-.Nm krb5_storage_clear_flags ,
-.Nm krb5_storage_is_flags ,
-.Nm krb5_storage_set_byteorder ,
-.Nm krb5_storage_get_byteorder ,
-.Nm krb5_storage_set_eof_code ,
-.Nm krb5_storage_seek ,
-.Nm krb5_storage_read ,
-.Nm krb5_storage_write ,
-.Nm krb5_storage_free ,
-.Nm krb5_storage_to_data ,
-.Nm krb5_store_int32 ,
-.Nm krb5_ret_int32 ,
-.Nm krb5_store_uint32 ,
-.Nm krb5_ret_uint32 ,
-.Nm krb5_store_int16 ,
-.Nm krb5_ret_int16 ,
-.Nm krb5_store_uint16 ,
-.Nm krb5_ret_uint16 ,
-.Nm krb5_store_int8 ,
-.Nm krb5_ret_int8 ,
-.Nm krb5_store_uint8 ,
-.Nm krb5_ret_uint8 ,
-.Nm krb5_store_data ,
-.Nm krb5_ret_data ,
-.Nm krb5_store_string ,
-.Nm krb5_ret_string ,
-.Nm krb5_store_stringnl ,
-.Nm krb5_ret_stringnl ,
-.Nm krb5_store_stringz ,
-.Nm krb5_ret_stringz ,
-.Nm krb5_store_principal ,
-.Nm krb5_ret_principal ,
-.Nm krb5_store_keyblock ,
-.Nm krb5_ret_keyblock ,
-.Nm krb5_store_times ,
-.Nm krb5_ret_times ,
-.Nm krb5_store_address ,
-.Nm krb5_ret_address ,
-.Nm krb5_store_addrs ,
-.Nm krb5_ret_addrs ,
-.Nm krb5_store_authdata ,
-.Nm krb5_ret_authdata ,
-.Nm krb5_store_creds ,
-.Nm krb5_ret_creds
-.Nd operates on the Kerberos datatype krb5_storage
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li "struct krb5_storage;"
-.Pp
-.Ft "krb5_storage *"
-.Fn krb5_storage_from_fd "int fd"
-.Ft "krb5_storage *"
-.Fn krb5_storage_emem "void"
-.Ft "krb5_storage *"
-.Fn krb5_storage_from_mem "void *buf" "size_t len"
-.Ft "krb5_storage *"
-.Fn krb5_storage_from_data "krb5_data *data"
-.Ft void
-.Fn krb5_storage_set_flags "krb5_storage *sp" "krb5_flags flags"
-.Ft void
-.Fn krb5_storage_clear_flags "krb5_storage *sp" "krb5_flags flags"
-.Ft krb5_boolean
-.Fn krb5_storage_is_flags "krb5_storage *sp" "krb5_flags flags"
-.Ft void
-.Fn krb5_storage_set_byteorder "krb5_storage *sp" "krb5_flags byteorder"
-.Ft krb5_flags
-.Fn krb5_storage_get_byteorder "krb5_storage *sp" "krb5_flags byteorder"
-.Ft void
-.Fn krb5_storage_set_eof_code "krb5_storage *sp" "int code"
-.Ft off_t
-.Fn krb5_storage_seek "krb5_storage *sp" "off_t offset" "int whence"
-.Ft krb5_ssize_t
-.Fn krb5_storage_read "krb5_storage *sp" "void *buf" "size_t len"
-.Ft krb5_ssize_t
-.Fn krb5_storage_write "krb5_storage *sp" "const void *buf" "size_t len"
-.Ft krb5_error_code
-.Fn krb5_storage_free "krb5_storage *sp"
-.Ft krb5_error_code
-.Fn krb5_storage_to_data "krb5_storage *sp" "krb5_data *data"
-.Ft krb5_error_code
-.Fn krb5_store_int32 "krb5_storage *sp" "int32_t value"
-.Ft krb5_error_code
-.Fn krb5_ret_int32 "krb5_storage *sp" "int32_t *value"
-.Ft krb5_error_code
-.Fn krb5_ret_uint32 "krb5_storage *sp" "uint32_t *value"
-.Ft krb5_error_code
-.Fn krb5_store_uint32 "krb5_storage *sp" "uint32_t value"
-.Ft krb5_error_code
-.Fn krb5_store_int16 "krb5_storage *sp" "int16_t value"
-.Ft krb5_error_code
-.Fn krb5_ret_int16 "krb5_storage *sp" "int16_t *value"
-.Ft krb5_error_code
-.Fn krb5_store_uint16 "krb5_storage *sp" "uint16_t value"
-.Ft krb5_error_code
-.Fn krb5_ret_uint16 "krb5_storage *sp" "u_int16_t *value"
-.Ft krb5_error_code
-.Fn krb5_store_int8 "krb5_storage *sp" "int8_t value"
-.Ft krb5_error_code
-.Fn krb5_ret_int8 "krb5_storage *sp" "int8_t *value"
-.Ft krb5_error_code
-.Fn krb5_store_uint8 "krb5_storage *sp" "u_int8_t value"
-.Ft krb5_error_code
-.Fn krb5_ret_uint8 "krb5_storage *sp" "u_int8_t *value"
-.Ft krb5_error_code
-.Fn krb5_store_data "krb5_storage *sp" "krb5_data data"
-.Ft krb5_error_code
-.Fn krb5_ret_data "krb5_storage *sp" "krb5_data *data"
-.Ft krb5_error_code
-.Fn krb5_store_string "krb5_storage *sp" "const char *s"
-.Ft krb5_error_code
-.Fn krb5_ret_string "krb5_storage *sp" "char **string"
-.Ft krb5_error_code
-.Fn krb5_store_stringnl "krb5_storage *sp" "const char *s"
-.Ft krb5_error_code
-.Fn krb5_ret_stringnl "krb5_storage *sp" "char **string"
-.Ft krb5_error_code
-.Fn krb5_store_stringz "krb5_storage *sp" "const char *s"
-.Ft krb5_error_code
-.Fn krb5_ret_stringz "krb5_storage *sp" "char **string"
-.Ft krb5_error_code
-.Fn krb5_store_principal "krb5_storage *sp" "krb5_const_principal p"
-.Ft krb5_error_code
-.Fn krb5_ret_principal "krb5_storage *sp" "krb5_principal *princ"
-.Ft krb5_error_code
-.Fn krb5_store_keyblock "krb5_storage *sp" "krb5_keyblock p"
-.Ft krb5_error_code
-.Fn krb5_ret_keyblock "krb5_storage *sp" "krb5_keyblock *p"
-.Ft krb5_error_code
-.Fn krb5_store_times "krb5_storage *sp" "krb5_times times"
-.Ft krb5_error_code
-.Fn krb5_ret_times "krb5_storage *sp" "krb5_times *times"
-.Ft krb5_error_code
-.Fn krb5_store_address "krb5_storage *sp" "krb5_address p"
-.Ft krb5_error_code
-.Fn krb5_ret_address "krb5_storage *sp" "krb5_address *adr"
-.Ft krb5_error_code
-.Fn krb5_store_addrs "krb5_storage *sp" "krb5_addresses p"
-.Ft krb5_error_code
-.Fn krb5_ret_addrs "krb5_storage *sp" "krb5_addresses *adr"
-.Ft krb5_error_code
-.Fn krb5_store_authdata "krb5_storage *sp" "krb5_authdata auth"
-.Ft krb5_error_code
-.Fn krb5_ret_authdata "krb5_storage *sp" "krb5_authdata *auth"
-.Ft krb5_error_code
-.Fn krb5_store_creds "krb5_storage *sp" "krb5_creds *creds"
-.Ft krb5_error_code
-.Fn krb5_ret_creds "krb5_storage *sp" "krb5_creds *creds"
-.Sh DESCRIPTION
-The
-.Li krb5_storage
-structure holds a storage element that is used for data manipulation.
-The structure contains no public accessible elements.
-.Pp
-.Fn krb5_storage_emem
-create a memory based krb5 storage unit that dynamicly resized to the
-ammount of data stored in.
-The storage never returns errors, on memory allocation errors
-.Xr exit 3
-will be called.
-.Pp
-.Fn krb5_storage_from_data
-create a krb5 storage unit that will read is data from a
-.Li krb5_data .
-There is no copy made of the
-.Fa data ,
-so the caller must not free
-.Fa data
-until the storage is freed.
-.Pp
-.Fn krb5_storage_from_fd
-create a krb5 storage unit that will read is data from a
-file descriptor.
-The descriptor must be seekable if
-.Fn krb5_storage_seek
-is used.
-Caller must not free the file descriptor before the storage is freed.
-.Pp
-.Fn krb5_storage_from_mem
-create a krb5 storage unit that will read is data from a
-memory region.
-There is no copy made of the
-.Fa data ,
-so the caller must not free
-.Fa data
-until the storage is freed.
-.Pp
-.Fn krb5_storage_set_flags
-and
-.Fn krb5_storage_clear_flags
-modifies the behavior of the storage functions.
-.Fn krb5_storage_is_flags
-tests if the
-.Fa flags
-are set on the
-.Li krb5_storage .
-Valid flags to set, is and clear is are:
-.Pp
-.Bl -tag -width "Fan vet..." -compact -offset indent
-.It KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS
-Stores the number of principal componets one too many when storing
-principal namees, used for compatibility with version 1 of file
-keytabs and version 1 of file credential caches.
-.It KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE
-Doesn't store the name type in when storing a principal name, used for
-compatibility with version 1 of file keytabs and version 1 of file
-credential caches.
-.It KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE
-Stores the keyblock type twice storing a keyblock, used for
-compatibility version 3 of file credential caches.
-.It KRB5_STORAGE_BYTEORDER_MASK
-bitmask that can be used to and out what type of byte order order is used.
-.It KRB5_STORAGE_BYTEORDER_BE
-Store integers in in big endian byte order, this is the default mode.
-.It KRB5_STORAGE_BYTEORDER_LE
-Store integers in in little endian byte order.
-.It KRB5_STORAGE_BYTEORDER_HOST
-Stores the integers in host byte order, used for compatibility with
-version 1 of file keytabs and version 1 and 2 of file credential
-caches.
-.It KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER
-Store the credential flags in a krb5_creds in the reverse bit order.
-.El
-.Pp
-.Fn krb5_storage_set_byteorder
-and
-.Fn krb5_storage_get_byteorder
-modifies the byte order used in the storage for integers.
-The flags used is same as above.
-The valid flags are
-.Dv KRB5_STORAGE_BYTEORDER_BE ,
-.Dv KRB5_STORAGE_BYTEORDER_LE
-and
-.Dv KRB5_STORAGE_BYTEORDER_HOST .
-.Pp
-.Fn krb5_storage_set_eof_code
-sets the error code that will be returned on end of file condition to
-.Fa code .
-.Pp
-.Fn krb5_storage_seek
-seeks
-.Fa offset
-bytes in the storage
-.Fa sp .
-The
-.Fa whence
-argument is one of
-.Bl -tag -width SEEK_SET -compact -offset indent
-.It SEEK_SET
-offset is from begining of storage.
-.It SEEK_CUR
-offset is relative from current offset.
-.It SEEK_END
-offset is from end of storage.
-.El
-.Pp
-.Fn krb5_storage_read
-reads
-.Fa len
-(or less bytes in case of end of file) into
-.Fa buf
-from the current offset in the storage
-.Fa sp .
-.Pp
-.Fn krb5_storage_write
-writes
-.Fa len
-or (less bytes in case of end of file) from
-.Fa buf
-from the current offset in the storage
-.Fa sp .
-.Pp
-.Fn krb5_storage_free
-frees the storage
-.Fa sp .
-.Pp
-.Fn krb5_storage_to_data
-converts the data in storage
-.Fa sp
-into a
-.Li krb5_data
-structure.
-.Fa data
-must be freed with
-.Fn krb5_data_free
-by the caller when done with the
-.Fa data .
-.Pp
-All
-.Li krb5_store
-and
-.Li krb5_ret
-functions move the current offset forward when the functions returns.
-.Pp
-.Fn krb5_store_int32 ,
-.Fn krb5_ret_int32 ,
-.Fn krb5_store_uint32 ,
-.Fn krb5_ret_uint32 ,
-.Fn krb5_store_int16 ,
-.Fn krb5_ret_int16 ,
-.Fn krb5_store_uint16 ,
-.Fn krb5_ret_uint16 ,
-.Fn krb5_store_int8 ,
-.Fn krb5_ret_int8
-.Fn krb5_store_uint8 ,
-and
-.Fn krb5_ret_uint8
-stores and reads an integer from
-.Fa sp
-in the byte order specified by the flags set on the
-.Fa sp .
-.Pp
-.Fn krb5_store_data
-and
-.Fn krb5_ret_data
-store and reads a krb5_data.
-The length of the data is stored with
-.Fn krb5_store_int32 .
-.Pp
-.Fn krb5_store_string
-and
-.Fn krb5_ret_string
-store and reads a string by storing the length of the string with
-.Fn krb5_store_int32
-followed by the string itself.
-.Pp
-.Fn krb5_store_stringnl
-and
-.Fn krb5_ret_stringnl
-store and reads a string by storing string followed by a
-.Dv '\n' .
-.Pp
-.Fn krb5_store_stringz
-and
-.Fn krb5_ret_stringz
-store and reads a string by storing string followed by a
-.Dv NUL .
-.Pp
-.Fn krb5_store_principal
-and
-.Fn krb5_ret_principal
-store and reads a principal.
-.Pp
-.Fn krb5_store_keyblock
-and
-.Fn krb5_ret_keyblock
-store and reads a
-.Li krb5_keyblock .
-.Pp
-.Fn krb5_store_times
-.Fn krb5_ret_times
-store and reads
-.Li krb5_times
-structure .
-.Pp
-.Fn krb5_store_address
-and
-.Fn krb5_ret_address
-store and reads a
-.Li krb5_address .
-.Pp
-.Fn krb5_store_addrs
-and
-.Fn krb5_ret_addrs
-store and reads a
-.Li krb5_addresses .
-.Pp
-.Fn krb5_store_authdata
-and
-.Fn krb5_ret_authdata
-store and reads a
-.Li krb5_authdata .
-.Pp
-.Fn krb5_store_creds
-and
-.Fn krb5_ret_creds
-store and reads a
-.Li krb5_creds .
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5_data 3 ,
-.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_string_to_key.3 b/crypto/heimdal/lib/krb5/krb5_string_to_key.3
index cf96f4e013bf..c77d4594cdbb 100644
--- a/crypto/heimdal/lib/krb5/krb5_string_to_key.3
+++ b/crypto/heimdal/lib/krb5/krb5_string_to_key.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_string_to_key.3 17820 2006-07-10 14:28:01Z lha $
+.\" $Id$
.\"
.Dd July 10, 2006
.Dt KRB5_STRING_TO_KEY 3
@@ -114,7 +114,7 @@ The string to key functions convert a string to a kerberos key.
.Pp
.Fn krb5_string_to_key_data_salt_opaque
is the function that does all the work, the rest of the functions are
-just wrapers around
+just wrappers around
.Fn krb5_string_to_key_data_salt_opaque
that calls it with default values.
.Pp
diff --git a/crypto/heimdal/lib/krb5/krb5_ticket.3 b/crypto/heimdal/lib/krb5/krb5_ticket.3
deleted file mode 100644
index 4f6d45ba5765..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_ticket.3
+++ /dev/null
@@ -1,137 +0,0 @@
-.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_ticket.3 19543 2006-12-28 20:48:50Z lha $
-.\"
-.Dd May 1, 2006
-.Dt KRB5_TICKET 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_ticket ,
-.Nm krb5_free_ticket ,
-.Nm krb5_copy_ticket ,
-.Nm krb5_ticket_get_authorization_data_type ,
-.Nm krb5_ticket_get_client ,
-.Nm krb5_ticket_get_server ,
-.Nm krb5_ticket_get_endtime
-.Nd Kerberos 5 ticket access and handling functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Pp
-.Li krb5_ticket ;
-.Pp
-.Ft krb5_error_code
-.Fo krb5_free_ticket
-.Fa "krb5_context context"
-.Fa "krb5_ticket *ticket"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_copy_ticket
-.Fa "krb5_context context"
-.Fa "const krb5_ticket *from"
-.Fa "krb5_ticket **to"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_ticket_get_authorization_data_type
-.Fa "krb5_context context"
-.Fa "krb5_ticket *ticket"
-.Fa "int type"
-.Fa "krb5_data *data"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_ticket_get_client
-.Fa "krb5_context context"
-.Fa "const krb5_ticket *ticket"
-.Fa "krb5_principal *client"
-.Fc
-.Ft krb5_error_code
-.Fo krb5_ticket_get_server
-.Fa "krb5_context context"
-.Fa "const krb5_ticket *ticket"
-.Fa "krb5_principal *server"
-.Fc
-.Ft time_t
-.Fo krb5_ticket_get_endtime
-.Fa "krb5_context context"
-.Fa "const krb5_ticket *ticket"
-.Fc
-.Sh DESCRIPTION
-.Li krb5_ticket
-holds a kerberos ticket.
-The internals of the structure should never be accessed directly,
-functions exist for extracting information.
-.Pp
-.Fn krb5_free_ticket
-frees the
-.Fa ticket
-and its content.
-Used to free the result of
-.Fn krb5_copy_ticket
-and
-.Fn krb5_recvauth .
-.Pp
-.Fn krb5_copy_ticket
-copies the content of the ticket
-.Fa from
-to the ticket
-.Fa to .
-The result
-.Fa to
-should be freed with
-.Fn krb5_free_ticket .
-.Pp
-.Fn krb5_ticket_get_authorization_data_type
-fetches the authorization data of the type
-.Fa type
-from the
-.Fa ticket .
-If there isn't any authorization data of type
-.Fa type ,
-.Dv ENOENT
-is returned.
-.Fa data
-needs to be freed with
-.Fn krb5_data_free
-on success.
-.Pp
-.Fn krb5_ticket_get_client
-and
-.Fn krb5_ticket_get_server
-returns a copy of the client/server principal from the ticket.
-The principal returned should be free using
-.Xr krb5_free_principal 3 .
-.Pp
-.Fn krb5_ticket_get_endtime
-return the end time of the ticket.
-.Sh SEE ALSO
-.Xr krb5 3
diff --git a/crypto/heimdal/lib/krb5/krb5_timeofday.3 b/crypto/heimdal/lib/krb5/krb5_timeofday.3
index 4163cc1b7165..b065ade1bdd5 100644
--- a/crypto/heimdal/lib/krb5/krb5_timeofday.3
+++ b/crypto/heimdal/lib/krb5/krb5_timeofday.3
@@ -1,6 +1,6 @@
-.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $
+.\" $Id$
.\"
-.\" Copyright (c) 2001, 2003, 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001, 2003, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -31,7 +31,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $
+.\" $Id$
.\"
.Dd Sepember 16, 2006
.Dt KRB5_TIMEOFDAY 3
diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
deleted file mode 100644
index 274d638d6694..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_unparse_name.3
+++ /dev/null
@@ -1,62 +0,0 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_unparse_name.3 12329 2003-05-26 14:09:04Z lha $
-.\"
-.Dd August 8, 1997
-.Dt KRB5_UNPARSE_NAME 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_unparse_name
-.\" .Nm krb5_unparse_name_ext
-.Nd principal to string conversion
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name"
-.\" .Ft krb5_error_code
-.\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size"
-.Sh DESCRIPTION
-This function takes a
-.Fa principal ,
-and will convert in to a printable representation with the same syntax
-as described in
-.Xr krb5_parse_name 3 .
-.Fa *name
-will point to allocated data and should be freed by the caller.
-.Sh SEE ALSO
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_build_principal 3 ,
-.Xr krb5_free_principal 3 ,
-.Xr krb5_parse_name 3 ,
-.Xr krb5_sname_to_principal 3
diff --git a/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3
index 9a34648981b4..0fe958289a15 100644
--- a/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3
+++ b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_verify_init_creds.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_VERIFY_INIT_CREDS 3
diff --git a/crypto/heimdal/lib/krb5/krb5_verify_user.3 b/crypto/heimdal/lib/krb5/krb5_verify_user.3
index 8086bc04baf4..a32986d1a4ce 100644
--- a/crypto/heimdal/lib/krb5/krb5_verify_user.3
+++ b/crypto/heimdal/lib/krb5/krb5_verify_user.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 - 2006 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 - 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: krb5_verify_user.3 22071 2007-11-14 20:04:50Z lha $
+.\" $Id$
.\"
.Dd May 1, 2006
.Dt KRB5_VERIFY_USER 3
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3
deleted file mode 100644
index 5610cd8dc42e..000000000000
--- a/crypto/heimdal/lib/krb5/krb5_warn.3
+++ /dev/null
@@ -1,233 +0,0 @@
-.\" Copyright (c) 1997, 2001 - 2006 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5_warn.3 19085 2006-11-21 07:55:20Z lha $
-.\"
-.Dd May 1, 2006
-.Dt KRB5_WARN 3
-.Os HEIMDAL
-.Sh NAME
-.Nm krb5_abort ,
-.Nm krb5_abortx ,
-.Nm krb5_clear_error_string ,
-.Nm krb5_err ,
-.Nm krb5_errx ,
-.Nm krb5_free_error_string ,
-.Nm krb5_get_err_text ,
-.Nm krb5_get_error_message ,
-.Nm krb5_get_error_string ,
-.Nm krb5_have_error_string ,
-.Nm krb5_set_error_string ,
-.Nm krb5_set_warn_dest ,
-.Nm krb5_get_warn_dest ,
-.Nm krb5_vabort ,
-.Nm krb5_vabortx ,
-.Nm krb5_verr ,
-.Nm krb5_verrx ,
-.Nm krb5_vset_error_string ,
-.Nm krb5_vwarn ,
-.Nm krb5_vwarnx ,
-.Nm krb5_warn ,
-.Nm krb5_warnx
-.Nd Heimdal warning and error functions
-.Sh LIBRARY
-Kerberos 5 Library (libkrb5, -lkrb5)
-.Sh SYNOPSIS
-.In krb5.h
-.Ft krb5_error_code
-.Fn krb5_abort "krb5_context context" "krb5_error_code code" "const char *fmt" "..."
-.Ft krb5_error_code
-.Fn krb5_abortx "krb5_context context" "krb5_error_code code" "const char *fmt" "..."
-.Ft void
-.Fn krb5_clear_error_string "krb5_context context"
-.Ft krb5_error_code
-.Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
-.Ft void
-.Fn krb5_free_error_string "krb5_context context" "char *str"
-.Ft krb5_error_code
-.Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_vset_error_string "krb5_context context" "const char *fmt" "va_list args"
-.Ft krb5_error_code
-.Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_warnx "krb5_context context" "const char *format" "..."
-.Ft krb5_error_code
-.Fn krb5_set_error_string "krb5_context context" "const char *fmt" "..."
-.Ft krb5_error_code
-.Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
-.Ft "char *"
-.Ft krb5_log_facility *
-.Fo krb5_get_warn_dest
-.Fa "krb5_context context"
-.Fc
-.Fn krb5_get_err_text "krb5_context context" "krb5_error_code code"
-.Ft char*
-.Fn krb5_get_error_string "krb5_context context"
-.Ft char*
-.Fn krb5_get_error_message "krb5_context context, krb5_error_code code"
-.Ft krb5_boolean
-.Fn krb5_have_error_string "krb5_context context"
-.Ft krb5_error_code
-.Fn krb5_vabortx "krb5_context context" "const char *fmt" "va_list ap"
-.Ft krb5_error_code
-.Fn krb5_vabort "krb5_context context" "const char *fmt" "va_list ap"
-.Sh DESCRIPTION
-These functions print a warning message to some destination.
-.Fa format
-is a printf style format specifying the message to print. The forms not ending in an
-.Dq x
-print the error string associated with
-.Fa code
-along with the message.
-The
-.Dq err
-functions exit with exit status
-.Fa eval
-after printing the message.
-.Pp
-Applications that want to get the error message to report it to a user
-or store it in a log want to use
-.Fn krb5_get_error_message .
-.Pp
-The
-.Fn krb5_set_warn_func
-function sets the destination for warning messages to the specified
-.Fa facility .
-Messages logged with the
-.Dq warn
-functions have a log level of 1, while the
-.Dq err
-functions log with level 0.
-.Pp
-.Fn krb5_get_err_text
-fetches the human readable strings describing the error-code.
-.Pp
-.Fn krb5_abort
-and
-.Nm krb5_abortx
-behaves like
-.Nm krb5_err
-and
-.Nm krb5_errx
-but instead of exiting using the
-.Xr exit 3
-call,
-.Xr abort 3
-is used.
-.Pp
-.Fn krb5_free_error_string
-frees the error string
-.Fa str
-returned by
-.Fn krb5_get_error_string .
-.Pp
-.Fn krb5_clear_error_string
-clears the error string from the
-.Fa context .
-.Pp
-.Fn krb5_set_error_string
-and
-.Fn krb5_vset_error_string
-sets an verbose error string in
-.Fa context .
-.Pp
-.Fn krb5_get_error_string
-fetches the error string from
-.Fa context .
-The error message in the context is consumed and must be freed using
-.Fn krb5_free_error_string
-by the caller.
-See also
-.Fn krb5_get_error_message ,
-what is usually less verbose to use.
-.Pp
-.Fn krb5_have_error_string
-returns
-.Dv TRUE
-if there is a verbose error message in the
-.Fa context .
-.Pp
-.Fn krb5_get_error_message
-fetches the error string from the context, or if there
-is no customized error string in
-.Fa context ,
-uses
-.Fa code
-to return a error string.
-In either case, the error message in the context is consumed and must
-be freed using
-.Fn krb5_free_error_string
-by the caller.
-.Pp
-.Fn krb5_set_warn_dest
-and
-.Fn krb5_get_warn_dest
-sets and get the log context that is used by
-.Fn krb5_warn
-and friends. By using this the application can control where the
-output should go. For example, this is imperative to inetd servers
-where logging status and error message will end up on the output
-stream to the client.
-.Sh EXAMPLES
-Below is a simple example how to report error messages from the
-Kerberos library in an application.
-.Bd -literal
-#include <krb5.h>
-
-krb5_error_code
-function (krb5_context context)
-{
- krb5_error_code ret;
-
- ret = krb5_function (context, arg1, arg2);
- if (ret) {
- char *s = krb5_get_error_message(context, ret);
- if (s == NULL)
- errx(1, "kerberos error: %d (and out of memory)", ret);
- application_logger("krb5_function failed: %s", s);
- krb5_free_error_string(context, s);
- return ret;
- }
- return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr krb5 3 ,
-.Xr krb5_openlog 3
diff --git a/crypto/heimdal/lib/krb5/krbhst-test.c b/crypto/heimdal/lib/krb5/krbhst-test.c
index 38b0b6a36c30..873734fce77a 100644
--- a/crypto/heimdal/lib/krb5/krbhst-test.c
+++ b/crypto/heimdal/lib/krb5/krbhst-test.c
@@ -1,34 +1,34 @@
/*
- * Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
@@ -36,8 +36,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: krbhst-test.c 15466 2005-06-17 04:21:47Z lha $");
-
static int version_flag = 0;
static int help_flag = 0;
@@ -67,12 +65,12 @@ main(int argc, char **argv)
KRB5_KRBHST_KRB524};
const char *type_str[] = {"kdc", "admin", "changepw", "krb524"};
int optidx = 0;
-
+
setprogname (argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -95,7 +93,7 @@ main(int argc, char **argv)
krb5_krbhst_init(context, argv[i], types[j], &handle);
while(krb5_krbhst_next_as_string(context, handle,
host, sizeof(host)) == 0)
- printf("%s\n", host);
+ printf("\thost: %s\n", host);
krb5_krbhst_reset(context, handle);
printf ("\n");
}
diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c
index 094fd4f9c64d..3242cdb99956 100644
--- a/crypto/heimdal/lib/krb5/krbhst.c
+++ b/crypto/heimdal/lib/krb5/krbhst.c
@@ -1,50 +1,48 @@
/*
- * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <resolve.h>
#include "locate_plugin.h"
-RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
-
static int
string_to_proto(const char *string)
{
if(strcasecmp(string, "udp") == 0)
return KRB5_KRBHST_UDP;
- else if(strcasecmp(string, "tcp") == 0)
+ else if(strcasecmp(string, "tcp") == 0)
return KRB5_KRBHST_TCP;
- else if(strcasecmp(string, "http") == 0)
+ else if(strcasecmp(string, "http") == 0)
return KRB5_KRBHST_HTTP;
return -1;
}
@@ -56,13 +54,13 @@ string_to_proto(const char *string)
*/
static krb5_error_code
-srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
+srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
const char *realm, const char *dns_type,
const char *proto, const char *service, int port)
{
char domain[1024];
- struct dns_reply *r;
- struct resource_record *rr;
+ struct rk_dns_reply *r;
+ struct rk_resource_record *rr;
int num_srv;
int proto_num;
int def_port;
@@ -72,7 +70,9 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
proto_num = string_to_proto(proto);
if(proto_num < 0) {
- krb5_set_error_string(context, "unknown protocol `%s'", proto);
+ krb5_set_error_message(context, EINVAL,
+ N_("unknown protocol `%s' to lookup", ""),
+ proto);
return EINVAL;
}
@@ -85,31 +85,35 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
- r = dns_lookup(domain, dns_type);
- if(r == NULL)
+ r = rk_dns_lookup(domain, dns_type);
+ if(r == NULL) {
+ _krb5_debug(context, 0,
+ "DNS lookup failed domain: %s", domain);
return KRB5_KDC_UNREACH;
+ }
- for(num_srv = 0, rr = r->head; rr; rr = rr->next)
- if(rr->type == T_SRV)
+ for(num_srv = 0, rr = r->head; rr; rr = rr->next)
+ if(rr->type == rk_ns_t_srv)
num_srv++;
*res = malloc(num_srv * sizeof(**res));
if(*res == NULL) {
- dns_free_data(r);
- krb5_set_error_string(context, "malloc: out of memory");
+ rk_dns_free_data(r);
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- dns_srv_order(r);
+ rk_dns_srv_order(r);
- for(num_srv = 0, rr = r->head; rr; rr = rr->next)
- if(rr->type == T_SRV) {
+ for(num_srv = 0, rr = r->head; rr; rr = rr->next)
+ if(rr->type == rk_ns_t_srv) {
krb5_krbhst_info *hi;
size_t len = strlen(rr->u.srv->target);
hi = calloc(1, sizeof(*hi) + len);
if(hi == NULL) {
- dns_free_data(r);
+ rk_dns_free_data(r);
while(--num_srv >= 0)
free((*res)[num_srv]);
free(*res);
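Review bot: `*res = malloc(num_srv * sizeof(**res));` is still reached with `num_srv == 0` when the reply carries no SRV records, and on a libc whose `malloc(0)` returns NULL that case is reported as ENOMEM with "malloc: out of memory" instead of as a lookup miss. A guard before the allocation, `if (num_srv == 0) { rk_dns_free_data(r); return KRB5_KDC_UNREACH; }`, would give the same result as the failed-lookup branch added just above; the one caller visible on this page (srv_get_hosts) appears to treat any non-zero return as "no hosts". The `hi == NULL` cleanup at the end of this hunk continues outside it, so it cannot be seen here whether that path sets an error message. srv_find_realm starts and ends outside the hunk.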
@@ -119,7 +123,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
(*res)[num_srv++] = hi;
hi->proto = proto_num;
-
+
hi->def_port = def_port;
if (port != 0)
hi->port = port;
@@ -130,8 +134,8 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
}
*count = num_srv;
-
- dns_free_data(r);
+
+ rk_dns_free_data(r);
return 0;
}
@@ -149,7 +153,7 @@ struct krb5_krbhst_data {
#define KD_CONFIG_EXISTS 32
#define KD_LARGE_MSG 64
#define KD_PLUGIN 128
- krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *,
+ krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info**);
unsigned int fallback_count;
@@ -175,6 +179,15 @@ krbhst_get_default_proto(struct krb5_krbhst_data *kd)
return KRB5_KRBHST_UDP;
}
+/*
+ *
+ */
+
+const char *
+_krb5_krbhst_get_realm(krb5_krbhst_handle handle)
+{
+ return handle->realm;
+}
/*
* parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port'
@@ -185,13 +198,13 @@ static struct krb5_krbhst_info*
parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
const char *spec, int def_port, int port)
{
- const char *p = spec;
+ const char *p = spec, *q;
struct krb5_krbhst_info *hi;
-
+
hi = calloc(1, sizeof(*hi) + strlen(spec));
if(hi == NULL)
return NULL;
-
+
hi->proto = krbhst_get_default_proto(kd);
if(strncmp(p, "http://", 7) == 0){
@@ -208,7 +221,17 @@ parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
p += 4;
}
- if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+ if (p[0] == '[' && (q = strchr(p, ']')) != NULL) {
+ /* if address looks like [foo:bar] or [foo:bar]: its a ipv6
+ adress, strip of [] */
+ memcpy(hi->hostname, &p[1], q - p - 1);
+ hi->hostname[q - p - 1] = '\0';
+ p = q + 1;
+ /* get trailing : */
+ if (p[0] == ':')
+ p++;
+ } else if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+ /* copy everything before : */
free(hi);
return NULL;
}
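Review bot: After the closing `]` the new branch only skips a `:`, so any other trailing text (a spec such as `[addr]junk`, constructed example) stays in `p` and is handed to the port parsing that follows, and `[]` yields an empty hostname. Rejecting both inside the branch keeps a malformed bracketed spec from being half-accepted: `if (q == p + 1 || (q[1] != '\0' && q[1] != ':')) { free(hi); return NULL; }`. The `memcpy` bound looks right, since `q - p - 1` is always smaller than the `strlen(spec)` extra bytes allocated for the hostname earlier in the function. The comment would read better as `/* [foo:bar] or [foo:bar]:port is an IPv6 address; strip the brackets */`. parse_hostspec starts and ends outside the hunk.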
@@ -217,7 +240,7 @@ parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
strlwr(hi->hostname);
hi->port = hi->def_port = def_port;
- if(p != NULL) {
+ if(p != NULL && p[0]) {
char *end;
hi->port = strtol(p, &end, 0);
if(end == p) {
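Review bot: `hi->port = strtol(p, &end, 0);` stores the parsed value with no range check, so a value outside 0–65535, or one that overflows `long`, is accepted and converted to whatever type `hi->port` has (not visible here). Base 0 also means a leading `0` or `0x` in the spec is read as octal or hex. Parsing into a `long` first and rejecting out-of-range input, for example `long v = strtol(p, &end, 10);` followed by `if (end == p || v < 0 || v > 65535)`, would make a bad spec fail instead of silently selecting an unintended port. The `if(end == p)` block continues outside the hunk.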
@@ -245,9 +268,10 @@ _krb5_krbhost_info_move(krb5_context context,
{
size_t hostnamelen = strlen(from->hostname);
/* trailing NUL is included in structure */
- *to = calloc(1, sizeof(**to) + hostnamelen);
+ *to = calloc(1, sizeof(**to) + hostnamelen);
if(*to == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -268,8 +292,8 @@ append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host)
struct krb5_krbhst_info *h;
for(h = kd->hosts; h; h = h->next)
- if(h->proto == host->proto &&
- h->port == host->port &&
+ if(h->proto == host->proto &&
+ h->port == host->port &&
strcmp(h->hostname, host->hostname) == 0) {
_krb5_free_krbhst_info(host);
return;
@@ -287,7 +311,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
hi = parse_hostspec(context, kd, host, def_port, port);
if(hi == NULL)
return ENOMEM;
-
+
append_host_hostinfo(kd, hi);
return 0;
}
@@ -296,8 +320,8 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
* return a readable representation of `host' in `hostname, hostlen'
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
char *hostname, size_t hostlen)
{
const char *proto = "";
@@ -332,28 +356,66 @@ make_hints(struct addrinfo *hints, int proto)
}
}
-/*
- * return an `struct addrinfo *' in `ai' corresponding to the information
- * in `host'. free:ing is handled by krb5_krbhst_free.
+/**
+ * Return an `struct addrinfo *' for a KDC host.
+ *
+ * Returns an the struct addrinfo in in that corresponds to the
+ * information in `host'. free:ing is handled by krb5_krbhst_free, so
+ * the returned ai must not be released.
+ *
+ * @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
struct addrinfo **ai)
{
- struct addrinfo hints;
- char portstr[NI_MAXSERV];
- int ret;
+ int ret = 0;
if (host->ai == NULL) {
- make_hints(&hints, host->proto);
+ struct addrinfo hints;
+ char portstr[NI_MAXSERV];
+ char *hostname = host->hostname;
+
snprintf (portstr, sizeof(portstr), "%d", host->port);
+ make_hints(&hints, host->proto);
+
+ /**
+ * First try this as an IP address, this allows us to add a
+ * dot at the end to stop using the search domains.
+ */
+
+ hints.ai_flags |= AI_NUMERICHOST | AI_NUMERICSERV;
+
ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
- if (ret)
- return krb5_eai_to_heim_errno(ret, errno);
+ if (ret == 0)
+ goto out;
+
+ /**
+ * If the hostname contains a dot, assumes it's a FQDN and
+ * don't use search domains since that might be painfully slow
+ * when machine is disconnected from that network.
+ */
+
+ hints.ai_flags &= ~(AI_NUMERICHOST);
+
+ if (strchr(hostname, '.') && hostname[strlen(hostname) - 1] != '.') {
+ ret = asprintf(&hostname, "%s.", host->hostname);
+ if (ret < 0 || hostname == NULL)
+ return ENOMEM;
+ }
+
+ ret = getaddrinfo(hostname, portstr, &hints, &host->ai);
+ if (hostname != host->hostname)
+ free(hostname);
+ if (ret) {
+ ret = krb5_eai_to_heim_errno(ret, errno);
+ goto out;
+ }
}
+ out:
*ai = host->ai;
- return 0;
+ return ret;
}
static krb5_boolean
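Review bot: The `return ENOMEM;` after the failed asprintf() in krb5_krbhst_get_addrinfo is the only exit that skips the new `out:` label, so `*ai` is never assigned on that path, while the getaddrinfo() failure path does store `host->ai` into it. Routing it through the label keeps the exits uniform: `if (ret < 0 || hostname == NULL) { ret = ENOMEM; goto out; }`. The new doc comment also has a garbled sentence, "Returns an the struct addrinfo in in". Presumably `Returns the struct addrinfo in ai that corresponds to the information in host.` was intended.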
@@ -369,14 +431,18 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
}
static void
-srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
+srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
const char *proto, const char *service)
{
+ krb5_error_code ret;
krb5_krbhst_info **res;
int count, i;
- if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
- kd->port))
+ ret = srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+ kd->port);
+ _krb5_debug(context, 2, "searching DNS for realm %s %s.%s -> %d",
+ kd->realm, proto, service, ret);
+ if (ret)
return;
for(i = 0; i < count; i++)
append_host_hostinfo(kd, res[i]);
@@ -389,15 +455,17 @@ srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
*/
static void
-config_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
+config_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
const char *conf_string)
{
int i;
-
char **hostlist;
- hostlist = krb5_config_get_strings(context, NULL,
+ hostlist = krb5_config_get_strings(context, NULL,
"realms", kd->realm, conf_string, NULL);
+ _krb5_debug(context, 2, "configuration file for realm %s%s found",
+ kd->realm, hostlist ? "" : " not");
+
if(hostlist == NULL)
return;
kd->flags |= KD_CONFIG_EXISTS;
@@ -410,21 +478,24 @@ config_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
/*
* as a fallback, look for `serv_string.kd->realm' (typically
* kerberos.REALM, kerberos-1.REALM, ...
- * `port' is the default port for the service, and `proto' the
+ * `port' is the default port for the service, and `proto' the
* protocol
*/
static krb5_error_code
-fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
+fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
const char *serv_string, int port, int proto)
{
- char *host;
+ char *host = NULL;
int ret;
struct addrinfo *ai;
struct addrinfo hints;
char portstr[NI_MAXSERV];
- /*
+ _krb5_debug(context, 2, "fallback lookup %d for realm %s (service %s)",
+ kd->fallback_count, kd->realm, serv_string);
+
+ /*
* Don't try forever in case the DNS server keep returning us
* entries (like wildcard entries or the .nu TLD)
*/
@@ -434,14 +505,14 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
}
if(kd->fallback_count == 0)
- asprintf(&host, "%s.%s.", serv_string, kd->realm);
+ ret = asprintf(&host, "%s.%s.", serv_string, kd->realm);
else
- asprintf(&host, "%s-%d.%s.",
- serv_string, kd->fallback_count, kd->realm);
+ ret = asprintf(&host, "%s-%d.%s.",
+ serv_string, kd->fallback_count, kd->realm);
- if (host == NULL)
+ if (ret < 0 || host == NULL)
return ENOMEM;
-
+
make_hints(&hints, proto);
snprintf(portstr, sizeof(portstr), "%d", port);
ret = getaddrinfo(host, portstr, &hints, &ai);
@@ -475,7 +546,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
* Fetch hosts from plugin
*/
-static krb5_error_code
+static krb5_error_code
add_locate(void *ctx, int type, struct sockaddr *addr)
{
struct krb5_krbhst_info *hi;
@@ -503,7 +574,7 @@ add_locate(void *ctx, int type, struct sockaddr *addr)
hi = calloc(1, sizeof(*hi) + hostlen);
if(hi == NULL)
return ENOMEM;
-
+
hi->proto = krbhst_get_default_proto(kd);
hi->port = hi->def_port = socket_get_port(addr);
hi->ai = ai;
@@ -522,12 +593,11 @@ plugin_get_hosts(krb5_context context,
struct krb5_plugin *list = NULL, *e;
krb5_error_code ret;
- ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "resolve", &list);
+ ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA,
+ KRB5_PLUGIN_LOCATE, &list);
if(ret != 0 || list == NULL)
return;
- kd->flags |= KD_CONFIG_EXISTS;
-
for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
krb5plugin_service_locate_ftable *service;
void *ctx;
@@ -535,14 +605,20 @@ plugin_get_hosts(krb5_context context,
service = _krb5_plugin_get_symbol(e);
if (service->minor_version != 0)
continue;
-
+
(*service->init)(context, &ctx);
ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd);
(*service->fini)(ctx);
- if (ret) {
- krb5_set_error_string(context, "Plugin failed to lookup");
+ if (ret && ret != KRB5_PLUGIN_NO_HANDLE) {
+ krb5_set_error_message(context, ret,
+ N_("Locate plugin failed to lookup realm %s: %d", ""),
+ kd->realm, ret);
break;
+ } else if (ret == 0) {
+ _krb5_debug(context, 2, "plugin found result for realm %s", kd->realm);
+ kd->flags |= KD_CONFIG_EXISTS;
}
+
}
_krb5_plugin_free(list);
}
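Review bot: The result of `(*service->init)(context, &ctx)` is still discarded in plugin_get_hosts, so a locate plugin whose init fails gets `lookup` and `fini` called with whatever the uninitialised `ctx` happens to hold. The hunk reworks the handling of the lookup result but leaves this call as it was. If init reports failure through its return value (its prototype is not visible here), `if ((*service->init)(context, &ctx) != 0) continue;` would skip such a plugin. The function starts in the previous hunk.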
@@ -572,8 +648,12 @@ kdc_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
@@ -599,7 +679,7 @@ kdc_get_next(krb5_context context,
while((kd->flags & KD_FALLBACK) == 0) {
ret = fallback_get_hosts(context, kd, "kerberos",
- kd->def_port,
+ kd->def_port,
krbhst_get_default_proto(kd));
if(ret)
return ret;
@@ -607,6 +687,8 @@ kdc_get_next(krb5_context context,
return 0;
}
+ _krb5_debug(context, 0, "No KDC entries found for %s", kd->realm);
+
return KRB5_KDC_UNREACH; /* XXX */
}
@@ -631,8 +713,12 @@ admin_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) {
@@ -655,6 +741,8 @@ admin_get_next(krb5_context context,
return 0;
}
+ _krb5_debug(context, 0, "No admin entries found for realm %s", kd->realm);
+
return KRB5_KDC_UNREACH; /* XXX */
}
@@ -679,8 +767,12 @@ kpasswd_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
@@ -709,7 +801,9 @@ kpasswd_get_next(krb5_context context,
return ret;
}
- return KRB5_KDC_UNREACH; /* XXX */
+ _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+
+ return KRB5_KDC_UNREACH;
}
static krb5_error_code
@@ -731,8 +825,12 @@ krb524_get_next(krb5_context context,
kd->flags |= KD_CONFIG;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
@@ -759,11 +857,14 @@ krb524_get_next(krb5_context context,
return (*kd->get_next)(context, kd, host);
}
- return KRB5_KDC_UNREACH; /* XXX */
+ _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+
+ return KRB5_KDC_UNREACH;
}
static struct krb5_krbhst_data*
common_init(krb5_context context,
+ const char *service,
const char *realm,
int flags)
{
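Review bot: The debug message added at the end of krb524_get_next says "No kpasswd entries found", which looks copied from kpasswd_get_next, so a trace would point at the wrong service. It should read `_krb5_debug(context, 0, "No krb524 entries found for realm %s", kd->realm);`. The rest of the hunk only adds the `service` parameter to common_init, whose body continues outside it.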
@@ -777,6 +878,9 @@ common_init(krb5_context context,
return NULL;
}
+ _krb5_debug(context, 2, "Trying to find service %s for realm %s flags %x",
+ service, realm, flags);
+
/* For 'realms' without a . do not even think of going to DNS */
if (!strchr(realm, '.'))
kd->flags |= KD_CONFIG_EXISTS;
@@ -791,7 +895,7 @@ common_init(krb5_context context,
* initialize `handle' to look for hosts of type `type' in realm `realm'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_init(krb5_context context,
const char *realm,
unsigned int type,
@@ -800,7 +904,7 @@ krb5_krbhst_init(krb5_context context,
return krb5_krbhst_init_flags(context, realm, type, 0, handle);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_init_flags(krb5_context context,
const char *realm,
unsigned int type,
@@ -808,34 +912,40 @@ krb5_krbhst_init_flags(krb5_context context,
krb5_krbhst_handle *handle)
{
struct krb5_krbhst_data *kd;
- krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *,
+ krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info **);
int def_port;
+ const char *service;
switch(type) {
case KRB5_KRBHST_KDC:
next = kdc_get_next;
def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
+ service = "kdc";
break;
case KRB5_KRBHST_ADMIN:
next = admin_get_next;
def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
"tcp", 749));
+ service = "admin";
break;
case KRB5_KRBHST_CHANGEPW:
next = kpasswd_get_next;
def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
KPASSWD_PORT));
+ service = "change_password";
break;
case KRB5_KRBHST_KRB524:
next = krb524_get_next;
def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444));
+ service = "524";
break;
default:
- krb5_set_error_string(context, "unknown krbhst type (%u)", type);
+ krb5_set_error_message(context, ENOTTY,
+ N_("unknown krbhst type (%u)", ""), type);
return ENOTTY;
}
- if((kd = common_init(context, realm, flags)) == NULL)
+ if((kd = common_init(context, service, realm, flags)) == NULL)
return ENOMEM;
kd->get_next = next;
kd->def_port = def_port;
@@ -847,7 +957,7 @@ krb5_krbhst_init_flags(krb5_context context,
* return the next host information from `handle' in `host'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_next(krb5_context context,
krb5_krbhst_handle handle,
krb5_krbhst_info **host)
@@ -863,7 +973,7 @@ krb5_krbhst_next(krb5_context context,
* in `hostname' (or length `hostlen)
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_next_as_string(krb5_context context,
krb5_krbhst_handle handle,
char *hostname,
@@ -878,13 +988,13 @@ krb5_krbhst_next_as_string(krb5_context context,
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
{
handle->index = &handle->hosts;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
{
krb5_krbhst_info *h, *next;
@@ -904,7 +1014,7 @@ krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
/* backwards compatibility ahead */
static krb5_error_code
-gethostlist(krb5_context context, const char *realm,
+gethostlist(krb5_context context, const char *realm,
unsigned int type, char ***hostlist)
{
krb5_error_code ret;
@@ -920,7 +1030,8 @@ gethostlist(krb5_context context, const char *realm,
while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
nhost++;
if(nhost == 0) {
- krb5_set_error_string(context, "No KDC found for realm %s", realm);
+ krb5_set_error_message(context, KRB5_KDC_UNREACH,
+ N_("No KDC found for realm %s", ""), realm);
return KRB5_KDC_UNREACH;
}
*hostlist = calloc(nhost + 1, sizeof(**hostlist));
@@ -931,7 +1042,7 @@ gethostlist(krb5_context context, const char *realm,
krb5_krbhst_reset(context, handle);
nhost = 0;
- while(krb5_krbhst_next_as_string(context, handle,
+ while(krb5_krbhst_next_as_string(context, handle,
host, sizeof(host)) == 0) {
if(((*hostlist)[nhost++] = strdup(host)) == NULL) {
krb5_free_krbhst(context, *hostlist);
@@ -939,7 +1050,7 @@ gethostlist(krb5_context context, const char *realm,
return ENOMEM;
}
}
- (*hostlist)[nhost++] = NULL;
+ (*hostlist)[nhost] = NULL;
krb5_krbhst_free(context, handle);
return 0;
}
@@ -948,7 +1059,7 @@ gethostlist(krb5_context context, const char *realm,
* return an malloced list of kadmin-hosts for `realm' in `hostlist'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb_admin_hst (krb5_context context,
const krb5_realm *realm,
char ***hostlist)
@@ -960,7 +1071,7 @@ krb5_get_krb_admin_hst (krb5_context context,
* return an malloced list of changepw-hosts for `realm' in `hostlist'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb_changepw_hst (krb5_context context,
const krb5_realm *realm,
char ***hostlist)
@@ -972,7 +1083,7 @@ krb5_get_krb_changepw_hst (krb5_context context,
* return an malloced list of 524-hosts for `realm' in `hostlist'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krb524hst (krb5_context context,
const krb5_realm *realm,
char ***hostlist)
@@ -985,7 +1096,7 @@ krb5_get_krb524hst (krb5_context context,
* return an malloced list of KDC's for `realm' in `hostlist'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_krbhst (krb5_context context,
const krb5_realm *realm,
char ***hostlist)
@@ -997,7 +1108,7 @@ krb5_get_krbhst (krb5_context context,
* free all the memory allocated in `hostlist'
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_krbhst (krb5_context context,
char **hostlist)
{
diff --git a/crypto/heimdal/lib/krb5/kuserok.c b/crypto/heimdal/lib/krb5/kuserok.c
index 8f0ff996960d..2fe4e490aa41 100644
--- a/crypto/heimdal/lib/krb5/kuserok.c
+++ b/crypto/heimdal/lib/krb5/kuserok.c
@@ -1,62 +1,63 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <dirent.h>
-RCSID("$Id: kuserok.c 16048 2005-09-09 10:33:33Z lha $");
+#ifndef _WIN32
/* see if principal is mentioned in the filename access file, return
TRUE (in result) if so, FALSE otherwise */
static krb5_error_code
-check_one_file(krb5_context context,
- const char *filename,
+check_one_file(krb5_context context,
+ const char *filename,
struct passwd *pwd,
- krb5_principal principal,
+ krb5_principal principal,
krb5_boolean *result)
{
FILE *f;
char buf[BUFSIZ];
krb5_error_code ret;
struct stat st;
-
+
*result = FALSE;
f = fopen (filename, "r");
if (f == NULL)
return errno;
-
+ rk_cloexec_file(f);
+
/* check type and mode of file */
if (fstat(fileno(f), &st) != 0) {
fclose (f);
@@ -105,10 +106,10 @@ check_one_file(krb5_context context,
}
static krb5_error_code
-check_directory(krb5_context context,
- const char *dirname,
+check_directory(krb5_context context,
+ const char *dirname,
struct passwd *pwd,
- krb5_principal principal,
+ krb5_principal principal,
krb5_boolean *result)
{
DIR *d;
@@ -124,16 +125,15 @@ check_directory(krb5_context context,
if (!S_ISDIR(st.st_mode))
return ENOTDIR;
-
+
if (st.st_uid != pwd->pw_uid && st.st_uid != 0)
return EACCES;
if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
return EACCES;
- if((d = opendir(dirname)) == NULL)
+ if((d = opendir(dirname)) == NULL)
return errno;
-#ifdef HAVE_DIRFD
{
int fd;
struct stat st2;
@@ -148,7 +148,6 @@ check_directory(krb5_context context,
return EACCES;
}
}
-#endif
while((dent = readdir(d)) != NULL) {
if(strcmp(dent->d_name, ".") == 0 ||
@@ -166,6 +165,8 @@ check_directory(krb5_context context,
return ret;
}
+#endif /* !_WIN32 */
+
static krb5_boolean
match_local_principals(krb5_context context,
krb5_principal principal,
@@ -174,7 +175,7 @@ match_local_principals(krb5_context context,
krb5_error_code ret;
krb5_realm *realms, *r;
krb5_boolean result = FALSE;
-
+
/* multi-component principals can never match */
if(krb5_principal_get_comp_string(context, principal, 1) != NULL)
return FALSE;
@@ -182,7 +183,7 @@ match_local_principals(krb5_context context,
ret = krb5_get_default_realms (context, &realms);
if (ret)
return FALSE;
-
+
for (r = realms; *r != NULL; ++r) {
if(strcmp(krb5_principal_get_realm(context, principal),
*r) != 0)
@@ -198,17 +199,50 @@ match_local_principals(krb5_context context,
}
/**
- * Return TRUE iff `principal' is allowed to login as `luser'.
+ * This function takes the name of a local user and checks if
+ * principal is allowed to log in as that user.
+ *
+ * The user may have a ~/.k5login file listing principals that are
+ * allowed to login as that user. If that file does not exist, all
+ * principals with a first component identical to the username, and a
+ * realm considered local, are allowed access.
+ *
+ * The .k5login file must contain one principal per line, be owned by
+ * user and not be writable by group or other (but must be readable by
+ * anyone).
+ *
+ * Note that if the file exists, no implicit access rights are given
+ * to user@@LOCALREALM.
+ *
+ * Optionally, a set of files may be put in ~/.k5login.d (a
+ * directory), in which case they will all be checked in the same
+ * manner as .k5login. The files may be called anything, but files
+ * starting with a hash (#) , or ending with a tilde (~) are
+ * ignored. Subdirectories are not traversed. Note that this directory
+ * may not be checked by other Kerberos implementations.
+ *
+ * If no configuration file exists, match user against local domains,
+ * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
+ *
+ * @param context Kerberos 5 context.
+ * @param principal principal to check if allowed to login
+ * @param luser local user id
+ *
+ * @return returns TRUE if access should be granted, FALSE otherwise.
+ *
+ * @ingroup krb5_support
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kuserok (krb5_context context,
krb5_principal principal,
const char *luser)
{
+#ifndef _WIN32
char *buf;
size_t buflen;
- struct passwd *pwd;
+ struct passwd *pwd = NULL;
+ char *profile_dir = NULL;
krb5_error_code ret;
krb5_boolean result = FALSE;
@@ -225,14 +259,15 @@ krb5_kuserok (krb5_context context,
#endif
if (pwd == NULL)
return FALSE;
+ profile_dir = pwd->pw_dir;
#define KLOGIN "/.k5login"
- buflen = strlen(pwd->pw_dir) + sizeof(KLOGIN) + 2; /* 2 for .d */
+ buflen = strlen(profile_dir) + sizeof(KLOGIN) + 2; /* 2 for .d */
buf = malloc(buflen);
if(buf == NULL)
return FALSE;
/* check user's ~/.k5login */
- strlcpy(buf, pwd->pw_dir, buflen);
+ strlcpy(buf, profile_dir, buflen);
strlcat(buf, KLOGIN, buflen);
ret = check_one_file(context, buf, pwd, principal, &result);
@@ -241,7 +276,7 @@ krb5_kuserok (krb5_context context,
return TRUE;
}
- if(ret != ENOENT)
+ if(ret != ENOENT)
found_file = TRUE;
strlcat(buf, ".d", buflen);
@@ -250,7 +285,7 @@ krb5_kuserok (krb5_context context,
if(ret == 0 && result == TRUE)
return TRUE;
- if(ret != ENOENT && ret != ENOTDIR)
+ if(ret != ENOENT && ret != ENOTDIR)
found_file = TRUE;
/* finally if no files exist, allow all principals matching
@@ -259,4 +294,10 @@ krb5_kuserok (krb5_context context,
return match_local_principals(context, principal, luser);
return FALSE;
+#else
+ /* The .k5login file may be on a remote profile and we don't have
+ access to the profile until we have a token handle for the
+ user's credentials. */
+ return match_local_principals(context, principal, luser);
+#endif
}
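Review bot: The `#else` branch makes krb5_kuserok on Windows decide solely through match_local_principals(), so a .k5login that a user wrote to restrict access is never consulted there. That contradicts the doc comment added earlier in this file's diff, which says that when the file exists no implicit rights are given to user@LOCALREALM. The platform difference belongs in that doxygen block, for example `* On Windows .k5login and .k5login.d are not read; only the local-realm match is applied.`, so integrators do not assume the restriction holds everywhere. The function body starts in an earlier hunk.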
diff --git a/crypto/heimdal/lib/krb5/locate_plugin.h b/crypto/heimdal/lib/krb5/locate_plugin.h
index 251712c8940d..b1b1f0ef230e 100644
--- a/crypto/heimdal/lib/krb5/locate_plugin.h
+++ b/crypto/heimdal/lib/krb5/locate_plugin.h
@@ -1,42 +1,42 @@
/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-/* $Id: locate_plugin.h 18998 2006-11-12 19:00:03Z lha $ */
+/* $Id$ */
#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H
#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1
-#include <krb5.h>
+#define KRB5_PLUGIN_LOCATE "service_locator"
enum locate_service_type {
locate_service_kdc = 1,
@@ -46,9 +46,9 @@ enum locate_service_type {
locate_service_kpasswd
};
-typedef krb5_error_code
+typedef krb5_error_code
(*krb5plugin_service_locate_lookup) (void *, enum locate_service_type,
- const char *, int, int,
+ const char *, int, int,
int (*)(void *,int,struct sockaddr *),
void *);
diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c
index c04f50fd9aa8..4b289afd807d 100644
--- a/crypto/heimdal/lib/krb5/log.c
+++ b/crypto/heimdal/lib/krb5/log.c
@@ -1,39 +1,40 @@
/*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-
-RCSID("$Id: log.c 19088 2006-11-21 08:08:46Z lha $");
+#include <vis.h>
struct facility {
int min;
@@ -114,27 +115,29 @@ find_value(const char *s, struct s2i *table)
return table->val;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_initlog(krb5_context context,
const char *program,
krb5_log_facility **fac)
{
krb5_log_facility *f = calloc(1, sizeof(*f));
if(f == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
f->program = strdup(program);
if(f->program == NULL){
free(f);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
*fac = f;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_func(krb5_context context,
krb5_log_facility *fac,
int min,
@@ -145,7 +148,8 @@ krb5_addlog_func(krb5_context context,
{
struct facility *fp = log_realloc(fac);
if(fp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
fp->min = min;
@@ -161,17 +165,17 @@ struct _heimdal_syslog_data{
int priority;
};
-static void
+static void KRB5_CALLCONV
log_syslog(const char *timestr,
const char *msg,
void *data)
-
+
{
struct _heimdal_syslog_data *s = data;
syslog(s->priority, "%s", msg);
}
-static void
+static void KRB5_CALLCONV
close_syslog(void *data)
{
free(data);
@@ -187,7 +191,8 @@ open_syslog(krb5_context context,
int i;
if(sd == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
i = find_value(sev, syslogvals);
@@ -210,24 +215,33 @@ struct file_data{
int keep_open;
};
-static void
+static void KRB5_CALLCONV
log_file(const char *timestr,
const char *msg,
void *data)
{
struct file_data *f = data;
+ char *msgclean;
+ size_t len = strlen(msg);
if(f->keep_open == 0)
f->fd = fopen(f->filename, f->mode);
if(f->fd == NULL)
return;
- fprintf(f->fd, "%s %s\n", timestr, msg);
+ /* make sure the log doesn't contain special chars */
+ msgclean = malloc((len + 1) * 4);
+ if (msgclean == NULL)
+ goto out;
+ strvisx(msgclean, rk_UNCONST(msg), len, VIS_OCTAL);
+ fprintf(f->fd, "%s %s\n", timestr, msgclean);
+ free(msgclean);
+ out:
if(f->keep_open == 0) {
fclose(f->fd);
f->fd = NULL;
}
}
-static void
+static void KRB5_CALLCONV
close_file(void *data)
{
struct file_data *f = data;
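Review bot: `VIS_OCTAL` on its own does not escape line breaks in `log_file`. Per vis(3), space, tab and newline pass through unchanged unless `VIS_SP`, `VIS_TAB` or `VIS_NL` is also set, so a message carrying a newline can still appear in the file as several records. If the added comment means one record per line, the call should read `strvisx(msgclean, rk_UNCONST(msg), len, VIS_OCTAL | VIS_NL);`. The `malloc` failure path jumps to `out` and drops the message silently; writing a fixed placeholder line there would at least show that a record was lost.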
@@ -242,7 +256,8 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
{
struct file_data *fd = malloc(sizeof(*fd));
if(fd == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
fd->filename = filename;
@@ -255,7 +270,7 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
{
krb5_error_code ret = 0;
@@ -277,7 +292,8 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
if(n){
p = strchr(p, '/');
if(p == NULL) {
- krb5_set_error_string (context, "failed to parse \"%s\"", orig);
+ krb5_set_error_message(context, HEIM_ERR_LOG_PARSE,
+ N_("failed to parse \"%s\"", ""), orig);
return HEIM_ERR_LOG_PARSE;
}
p++;
@@ -292,25 +308,29 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
int keep_open = 0;
fn = strdup(p + 5);
if(fn == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if(p[4] == '='){
- int i = open(fn, O_WRONLY | O_CREAT |
+ int i = open(fn, O_WRONLY | O_CREAT |
O_TRUNC | O_APPEND, 0666);
if(i < 0) {
ret = errno;
- krb5_set_error_string (context, "open(%s): %s", fn,
+ krb5_set_error_message(context, ret,
+ N_("open(%s) logile: %s", ""), fn,
strerror(ret));
free(fn);
return ret;
}
+ rk_cloexec(i);
file = fdopen(i, "a");
if(file == NULL){
ret = errno;
close(i);
- krb5_set_error_string (context, "fdopen(%s): %s", fn,
- strerror(ret));
+ krb5_set_error_message(context, ret,
+ N_("fdopen(%s) logfile: %s", ""),
+ fn, strerror(ret));
free(fn);
return ret;
}
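Review bot: The new `open()` error text is misspelled as `logile`, while the `fdopen()` message a few lines down says `logfile`; the string should be `N_("open(%s) logfile: %s", "")` so that both messages, and any translation catalogue keyed on them, agree. Separately, the unchanged `open()` call above still creates the file with mode `0666` and leaves the final permissions to the process umask. Since this commit touches the block anyway, a tighter mode is worth considering if these logs are not meant to be world-readable. The enclosing `krb5_addlog_dest` starts and ends outside this hunk.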
@@ -333,14 +353,15 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
strlcpy(facility, "AUTH", sizeof(facility));
ret = open_syslog(context, f, min, max, severity, facility);
}else{
- krb5_set_error_string (context, "unknown log type: %s", p);
ret = HEIM_ERR_LOG_PARSE; /* XXX */
+ krb5_set_error_message (context, ret,
+ N_("unknown log type: %s", ""), p);
}
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_openlog(krb5_context context,
const char *program,
krb5_log_facility **fac)
@@ -356,15 +377,15 @@ krb5_openlog(krb5_context context,
if(p == NULL)
p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
if(p){
- for(q = p; *q; q++)
+ for(q = p; *q && ret == 0; q++)
ret = krb5_addlog_dest(context, *fac, *q);
krb5_config_free_strings(p);
}else
ret = krb5_addlog_dest(context, *fac, "SYSLOG");
- return 0;
+ return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_closelog(krb5_context context,
krb5_log_facility *fac)
{
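Review bot: Now that `krb5_openlog` returns the first `krb5_addlog_dest` failure, the error path leaves `*fac` pointing at a facility that was set up earlier in the function (outside this hunk) and may already hold some destinations. A caller that treats a non-zero return as "nothing was allocated" would leak it, and one that keeps using `*fac` would log to a partial set of destinations. Either release it on failure, e.g. `if (ret) { krb5_closelog(context, *fac); *fac = NULL; }` before `return ret;`, or add a comment saying that the caller owns `*fac` even when an error is returned. Note also that a single malformed `logging` entry now fails the whole call where it was previously ignored.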
@@ -383,7 +404,7 @@ krb5_closelog(krb5_context context,
#undef __attribute__
#define __attribute__(X)
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vlog_msg(krb5_context context,
krb5_log_facility *fac,
char **reply,
@@ -392,7 +413,7 @@ krb5_vlog_msg(krb5_context context,
va_list ap)
__attribute__((format (printf, 5, 0)))
{
-
+
char *msg = NULL;
const char *actual = NULL;
char buf[64];
@@ -400,15 +421,15 @@ krb5_vlog_msg(krb5_context context,
int i;
for(i = 0; fac && i < fac->len; i++)
- if(fac->val[i].min <= level &&
+ if(fac->val[i].min <= level &&
(fac->val[i].max < 0 || fac->val[i].max >= level)) {
if(t == 0) {
t = time(NULL);
krb5_format_time(context, t, buf, sizeof(buf), TRUE);
}
if(actual == NULL) {
- vasprintf(&msg, fmt, ap);
- if(msg == NULL)
+ int ret = vasprintf(&msg, fmt, ap);
+ if(ret < 0 || msg == NULL)
actual = fmt;
else
actual = msg;
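Review bot: After a failed `vasprintf` the value of `msg` is not guaranteed to be NULL on every libc. The new `ret < 0` test picks the right fallback for `actual`, but `msg` may be left indeterminate. The rest of `krb5_vlog_msg` is outside this hunk; if it later frees `msg` or hands it back through `reply`, that would act on a garbage pointer. Resetting it in the failure branch closes the gap: `if(ret < 0 || msg == NULL) { msg = NULL; actual = fmt; } else actual = msg;`.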
@@ -422,7 +443,7 @@ krb5_vlog_msg(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vlog(krb5_context context,
krb5_log_facility *fac,
int level,
@@ -433,7 +454,7 @@ krb5_vlog(krb5_context context,
return krb5_vlog_msg(context, fac, NULL, level, fmt, ap);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_log_msg(krb5_context context,
krb5_log_facility *fac,
int level,
@@ -452,7 +473,7 @@ krb5_log_msg(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_log(krb5_context context,
krb5_log_facility *fac,
int level,
@@ -469,3 +490,27 @@ krb5_log(krb5_context context,
return ret;
}
+void KRB5_LIB_FUNCTION
+_krb5_debug(krb5_context context,
+ int level,
+ const char *fmt,
+ ...)
+ __attribute__((format (printf, 3, 4)))
+{
+ va_list ap;
+
+ if (context == NULL || context->debug_dest == NULL)
+ return;
+
+ va_start(ap, fmt);
+ krb5_vlog(context, context->debug_dest, level, fmt, ap);
+ va_end(ap);
+}
+
+krb5_boolean KRB5_LIB_FUNCTION
+_krb5_have_debug(krb5_context context, int level)
+{
+ if (context == NULL || context->debug_dest == NULL)
+ return 0 ;
+ return 1;
+}
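Review bot: `_krb5_have_debug` takes a `level` argument but never looks at it, so it returns true for any level as soon as `context->debug_dest` is set. Callers that guard expensive work with a level will run that work whenever debugging is on at all. Either document this above the function with `/* level is currently ignored; returns non-zero whenever a debug destination is configured */`, or compare `level` against the destination's configured range. Both new functions also use the older `void KRB5_LIB_FUNCTION` spelling, whereas the rest of this commit moves to `KRB5_LIB_FUNCTION ... KRB5_LIB_CALL`.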
diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c
index 01bcb09d3bea..e4b90c17e7b2 100644
--- a/crypto/heimdal/lib/krb5/mcache.c
+++ b/crypto/heimdal/lib/krb5/mcache.c
@@ -1,40 +1,40 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: mcache.c 22107 2007-12-03 17:22:51Z lha $");
-
typedef struct krb5_mcache {
char *name;
unsigned int refcnt;
@@ -45,6 +45,8 @@ typedef struct krb5_mcache {
struct link *next;
} *creds;
struct krb5_mcache *next;
+ time_t mtime;
+ krb5_deltat kdc_offset;
} krb5_mcache;
static HEIMDAL_MUTEX mcc_mutex = HEIMDAL_MUTEX_INITIALIZER;
@@ -54,26 +56,27 @@ static struct krb5_mcache *mcc_head;
#define MISDEAD(X) ((X)->dead)
-static const char*
+static const char* KRB5_CALLCONV
mcc_get_name(krb5_context context,
krb5_ccache id)
{
return MCACHE(id)->name;
}
-static krb5_mcache *
+static krb5_mcache * KRB5_CALLCONV
mcc_alloc(const char *name)
{
krb5_mcache *m, *m_c;
+ int ret = 0;
ALLOC(m, 1);
if(m == NULL)
return NULL;
if(name == NULL)
- asprintf(&m->name, "%p", m);
+ ret = asprintf(&m->name, "%p", m);
else
m->name = strdup(name);
- if(m->name == NULL) {
+ if(ret < 0 || m->name == NULL) {
free(m);
return NULL;
}
@@ -93,13 +96,15 @@ mcc_alloc(const char *name)
m->refcnt = 1;
m->primary_principal = NULL;
m->creds = NULL;
+ m->mtime = time(NULL);
+ m->kdc_offset = 0;
m->next = mcc_head;
mcc_head = m;
HEIMDAL_MUTEX_unlock(&mcc_mutex);
return m;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
{
krb5_mcache *m;
@@ -119,10 +124,11 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
m = mcc_alloc(res);
if (m == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
-
+
(*id)->data.data = m;
(*id)->data.length = sizeof(*m);
@@ -130,7 +136,7 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_mcache *m;
@@ -138,7 +144,8 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
m = mcc_alloc(NULL);
if (m == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
@@ -148,13 +155,14 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
krb5_mcache *m = MCACHE(id);
m->dead = 0;
+ m->mtime = time(NULL);
return krb5_copy_principal (context,
primary_principal,
&m->primary_principal);
@@ -173,7 +181,7 @@ mcc_close_internal(krb5_mcache *m)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_close(krb5_context context,
krb5_ccache id)
{
@@ -182,7 +190,7 @@ mcc_close(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_destroy(krb5_context context,
krb5_ccache id)
{
@@ -212,7 +220,7 @@ mcc_destroy(krb5_context context,
l = m->creds;
while (l != NULL) {
struct link *old;
-
+
krb5_free_cred_contents (context, &l->cred);
old = l;
l = l->next;
@@ -223,7 +231,7 @@ mcc_destroy(krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
@@ -237,7 +245,8 @@ mcc_store_cred(krb5_context context,
l = malloc (sizeof(*l));
if (l == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
l->next = m->creds;
@@ -249,10 +258,11 @@ mcc_store_cred(krb5_context context,
free (l);
return ret;
}
+ m->mtime = time(NULL);
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
@@ -266,7 +276,7 @@ mcc_get_principal(krb5_context context,
principal);
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_get_first (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -280,7 +290,7 @@ mcc_get_first (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_get_next (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor,
@@ -302,7 +312,7 @@ mcc_get_next (krb5_context context,
return KRB5_CC_END;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -310,7 +320,7 @@ mcc_end_get (krb5_context context,
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
@@ -323,34 +333,36 @@ mcc_remove_cred(krb5_context context,
*q = p->next;
krb5_free_cred_contents(context, &p->cred);
free(p);
+ m->mtime = time(NULL);
} else
q = &p->next;
}
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
return 0; /* XXX */
}
-
+
struct mcache_iter {
krb5_mcache *cache;
};
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
struct mcache_iter *iter;
iter = calloc(1, sizeof(*iter));
if (iter == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
- }
+ }
HEIMDAL_MUTEX_lock(&mcc_mutex);
iter->cache = mcc_head;
@@ -362,7 +374,7 @@ mcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct mcache_iter *iter = cursor;
@@ -389,7 +401,7 @@ mcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
{
struct mcache_iter *iter = cursor;
@@ -401,7 +413,7 @@ mcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_mcache *mfrom = MCACHE(from), *mto = MCACHE(to);
@@ -428,23 +440,49 @@ mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
mto->primary_principal = mfrom->primary_principal;
mfrom->primary_principal = principal;
+ mto->mtime = mfrom->mtime = time(NULL);
+
HEIMDAL_MUTEX_unlock(&mcc_mutex);
mcc_destroy(context, from);
return 0;
}
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
mcc_default_name(krb5_context context, char **str)
{
*str = strdup("MEMORY:");
if (*str == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
+static krb5_error_code KRB5_CALLCONV
+mcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
+ *mtime = MCACHE(id)->mtime;
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+mcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+ krb5_mcache *m = MCACHE(id);
+ m->kdc_offset = kdc_offset;
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+mcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+ krb5_mcache *m = MCACHE(id);
+ *kdc_offset = m->kdc_offset;
+ return 0;
+}
+
/**
* Variable containing the MEMORY based credential cache implemention.
@@ -452,7 +490,8 @@ mcc_default_name(krb5_context context, char **str)
* @ingroup krb5_ccache
*/
-const krb5_cc_ops krb5_mcc_ops = {
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops = {
+ KRB5_CC_OPS_VERSION,
"MEMORY",
mcc_get_name,
mcc_resolve,
@@ -473,5 +512,9 @@ const krb5_cc_ops krb5_mcc_ops = {
mcc_get_cache_next,
mcc_end_cache_get,
mcc_move,
- mcc_default_name
+ mcc_default_name,
+ NULL,
+ mcc_lastchange,
+ mcc_set_kdc_offset,
+ mcc_get_kdc_offset
};
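Review bot: The bare `NULL` added to the positional initializer of `krb5_mcc_ops` gives no hint which operation is left unimplemented. Because the table is filled by position, a future reordering of `krb5_cc_ops` would silently shift every entry after it. A short trailing comment naming the slot would help, e.g. `NULL, /* set_default */` if that is indeed the member at this position; the struct definition is not on this page. Designated initializers would remove the ordering hazard entirely, if the project's compilers allow them.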
diff --git a/crypto/heimdal/lib/krb5/misc.c b/crypto/heimdal/lib/krb5/misc.c
index 8050bdb9b467..ac6720c4e992 100644
--- a/crypto/heimdal/lib/krb5/misc.c
+++ b/crypto/heimdal/lib/krb5/misc.c
@@ -1,54 +1,55 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
-RCSID("$Id: misc.c 21174 2007-06-19 10:10:58Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_s4u2self_to_checksumdata(krb5_context context,
- const PA_S4U2Self *self,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_s4u2self_to_checksumdata(krb5_context context,
+ const PA_S4U2Self *self,
krb5_data *data)
{
krb5_error_code ret;
krb5_ssize_t ssize;
krb5_storage *sp;
size_t size;
- int i;
+ size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
@@ -58,20 +59,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
for (i = 0; i < self->name.name_string.len; i++) {
size = strlen(self->name.name_string.val[i]);
ssize = krb5_storage_write(sp, self->name.name_string.val[i], size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
}
size = strlen(self->realm);
ssize = krb5_storage_write(sp, self->realm, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
size = strlen(self->auth);
ssize = krb5_storage_write(sp, self->auth, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
@@ -81,6 +82,47 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
return ret;
out:
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
+
+krb5_error_code
+krb5_enomem(krb5_context context)
+{
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+}
+
+void
+_krb5_debug_backtrace(krb5_context context)
+{
+#if defined(HAVE_BACKTRACE) && !defined(HEIMDAL_SMALLER)
+ void *stack[128];
+ char **strs = NULL;
+ int i, frames = backtrace(stack, sizeof(stack) / sizeof(stack[0]));
+ if (frames > 0)
+ strs = backtrace_symbols(stack, frames);
+ if (strs) {
+ for (i = 0; i < frames; i++)
+ _krb5_debug(context, 10, "frame %d: %s", i, strs[i]);
+ free(strs);
+ }
+#endif
+}
+
+krb5_error_code
+_krb5_einval(krb5_context context, const char *func, unsigned long argn)
+{
+#ifndef HEIMDAL_SMALLER
+ krb5_set_error_message(context, EINVAL,
+ N_("programmer error: invalid argument to %s argument %lu",
+ "function:line"),
+ func, argn);
+ if (_krb5_have_debug(context, 10)) {
+ _krb5_debug(context, 10, "invalid argument to function %s argument %lu",
+ func, argn);
+ _krb5_debug_backtrace(context);
+ }
+#endif
+ return EINVAL;
+}
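Review bot: `krb5_enomem` is added as a public-looking function (no leading underscore) without the `KRB5_LIB_FUNCTION ... KRB5_LIB_CALL` decoration that this commit applies to the other exported functions. `_krb5_debug_backtrace` and `_krb5_einval` omit it as well. If they are meant to be exported or called across the library boundary, the definitions should read `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`, or `KRB5_LIB_FUNCTION void KRB5_LIB_CALL` for the backtrace helper. In `_krb5_einval` the translator hint passed to `N_()` is `"function:line"`, but the two format arguments are a function name and an argument index, so the hint should say `"function:argument"`. The symbol strings that `_krb5_debug_backtrace` logs include code addresses, so a comment noting that the debug destination should be access-restricted would be useful.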
diff --git a/crypto/heimdal/lib/krb5/mit_glue.c b/crypto/heimdal/lib/krb5/mit_glue.c
index 7440d5476279..16c230a11f96 100644
--- a/crypto/heimdal/lib/krb5/mit_glue.c
+++ b/crypto/heimdal/lib/krb5/mit_glue.c
@@ -1,49 +1,50 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: mit_glue.c 20042 2007-01-23 20:37:43Z lha $");
+
+#ifndef HEIMDAL_SMALLER
/*
* Glue for MIT API
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_make_checksum(krb5_context context,
- krb5_cksumtype cksumtype,
- const krb5_keyblock *key,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_make_checksum(krb5_context context,
+ krb5_cksumtype cksumtype,
+ const krb5_keyblock *key,
krb5_keyusage usage,
- const krb5_data *input,
+ const krb5_data *input,
krb5_checksum *cksum)
{
krb5_error_code ret;
@@ -60,7 +61,7 @@ krb5_c_make_checksum(krb5_context context,
return ret ;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *data,
const krb5_checksum *cksum, krb5_boolean *valid)
@@ -76,8 +77,7 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
return ret;
if (data_cksum.cksumtype == cksum->cksumtype
- && data_cksum.checksum.length == cksum->checksum.length
- && memcmp(data_cksum.checksum.data, cksum->checksum.data, cksum->checksum.length) == 0)
+ && krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
*valid = 1;
krb5_free_checksum_contents(context, &data_cksum);
@@ -85,7 +85,7 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
krb5_cksumtype *type, krb5_data **data)
{
@@ -108,7 +108,7 @@ krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
krb5_cksumtype type, const krb5_data *data)
{
@@ -116,51 +116,51 @@ krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
return der_copy_octet_string(data, &cksum->checksum);
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_checksum (krb5_context context, krb5_checksum *cksum)
{
krb5_checksum_free(context, cksum);
free(cksum);
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum)
{
krb5_checksum_free(context, cksum);
memset(cksum, 0, sizeof(*cksum));
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_checksum_free(krb5_context context, krb5_checksum *cksum)
{
free_Checksum(cksum);
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_enctype (krb5_enctype etype)
{
- return krb5_enctype_valid(NULL, etype);
+ return !krb5_enctype_valid(NULL, etype);
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_cksumtype(krb5_cksumtype ctype)
{
return krb5_cksumtype_valid(NULL, ctype);
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)
{
return krb5_checksum_is_collision_proof(NULL, ctype);
}
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
{
return krb5_checksum_is_keyed(NULL, ctype);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_checksum (krb5_context context,
const krb5_checksum *old,
krb5_checksum **new)
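Review bot: `krb5_c_valid_cksumtype`, directly below the corrected `krb5_c_valid_enctype`, still returns the result of `krb5_cksumtype_valid` unchanged. That function's definition is not on this page, but if it follows the same convention as `krb5_enctype_valid` (0 on success, an error code otherwise), the wrapper reports valid checksum types as false and invalid ones as true. In that case it needs the same fix: `return !krb5_cksumtype_valid(NULL, ctype);`. A one-line comment on both wrappers, noting that the Heimdal call returns an error code while the MIT-style API returns a boolean, would prevent the inversion from creeping back.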
@@ -171,16 +171,16 @@ krb5_copy_checksum (krb5_context context,
return copy_Checksum(old, *new);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype,
size_t *length)
{
return krb5_checksumsize(context, cksumtype, length);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_block_size(krb5_context context,
- krb5_enctype enctype,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_block_size(krb5_context context,
+ krb5_enctype enctype,
size_t *blocksize)
{
krb5_error_code ret;
@@ -201,12 +201,12 @@ krb5_c_block_size(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_decrypt(krb5_context context,
- const krb5_keyblock key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_enc_data *input,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_decrypt(krb5_context context,
+ const krb5_keyblock key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_enc_data *input,
krb5_data *output)
{
krb5_error_code ret;
@@ -224,16 +224,16 @@ krb5_c_decrypt(krb5_context context,
krb5_crypto_destroy(context, crypto);
return ret;
}
-
+
if (blocksize > ivec->length) {
krb5_crypto_destroy(context, crypto);
return KRB5_BAD_MSIZE;
}
}
- ret = krb5_decrypt_ivec(context, crypto, usage,
- input->ciphertext.data, input->ciphertext.length,
- output,
+ ret = krb5_decrypt_ivec(context, crypto, usage,
+ input->ciphertext.data, input->ciphertext.length,
+ output,
ivec ? ivec->data : NULL);
krb5_crypto_destroy(context, crypto);
@@ -241,11 +241,11 @@ krb5_c_decrypt(krb5_context context,
return ret ;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_encrypt(krb5_context context,
- const krb5_keyblock *key,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_encrypt(krb5_context context,
+ const krb5_keyblock *key,
krb5_keyusage usage,
- const krb5_data *ivec,
+ const krb5_data *ivec,
const krb5_data *input,
krb5_enc_data *output)
{
@@ -271,9 +271,9 @@ krb5_c_encrypt(krb5_context context,
}
}
- ret = krb5_encrypt_ivec(context, crypto, usage,
- input->data, input->length,
- &output->ciphertext,
+ ret = krb5_encrypt_ivec(context, crypto, usage,
+ input->data, input->length,
+ &output->ciphertext,
ivec ? ivec->data : NULL);
output->kvno = 0;
krb5_crypto_getenctype(context, crypto, &output->enctype);
@@ -283,9 +283,9 @@ krb5_c_encrypt(krb5_context context,
return ret ;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_encrypt_length(krb5_context context,
- krb5_enctype enctype,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_encrypt_length(krb5_context context,
+ krb5_enctype enctype,
size_t inputlen,
size_t *length)
{
@@ -308,25 +308,32 @@ krb5_c_encrypt_length(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_c_enctype_compare(krb5_context context,
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_enctype_compare(krb5_context context,
krb5_enctype e1,
- krb5_enctype e2,
+ krb5_enctype e2,
krb5_boolean *similar)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- *similar = krb5_enctypes_compatible_keys(context, e1, e2);
+ *similar = (e1 == e2);
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_make_random_key(krb5_context context,
- krb5_enctype enctype,
+ krb5_enctype enctype,
krb5_keyblock *random_key)
{
return krb5_generate_random_keyblock(context, enctype, random_key);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_keylengths(krb5_context context,
krb5_enctype enctype,
size_t *ilen,
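Review bot: The deprecation attribute on `krb5_c_enctype_compare` carries the placeholder text `"Use X instead"`, so a caller who hits the warning is not told what to call, and the doc comment above it talks about keytypes although the function takes two enctypes. The same hunk replaces `krb5_enctypes_compatible_keys(context, e1, e2)` with `(e1 == e2)`, which appears to narrow the result: two distinct enctypes are now never reported as similar, and nothing in the comment tells a caller that relied on the old answer. I would name the intended replacement in the attribute string and state the new contract in the comment, for example `* Deprecated: *similar is set only when e1 and e2 are the same enctype.`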
@@ -341,7 +348,7 @@ krb5_c_keylengths(krb5_context context,
return krb5_enctype_keysize(context, enctype, keylen);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_prf_length(krb5_context context,
krb5_enctype type,
size_t *length)
@@ -349,10 +356,10 @@ krb5_c_prf_length(krb5_context context,
return krb5_crypto_prf_length(context, type, length);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_prf(krb5_context context,
const krb5_keyblock *key,
- const krb5_data *input,
+ const krb5_data *input,
krb5_data *output)
{
krb5_crypto crypto;
@@ -367,3 +374,59 @@ krb5_c_prf(krb5_context context,
return ret;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_random_make_octets(krb5_context context, krb5_data * data)
+{
+ return krb5_generate_random_keyblock(context, data->length, data->data);
+}
+
+/**
+ * MIT compat glue
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_copy_creds(krb5_context context,
+ const krb5_ccache from,
+ krb5_ccache to)
+{
+ return krb5_cc_copy_cache(context, from, to);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getsendsubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock **keyblock)
+{
+ return krb5_auth_con_getlocalsubkey(context, auth_context, keyblock);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getrecvsubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock **keyblock)
+{
+ return krb5_auth_con_getremotesubkey(context, auth_context, keyblock);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setsendsubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ return krb5_auth_con_setlocalsubkey(context, auth_context, keyblock);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setrecvsubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ return krb5_auth_con_setremotesubkey(context, auth_context, keyblock);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_default_realm(krb5_context context, krb5_realm realm)
+{
+ return krb5_xfree(realm);
+}
+
+#endif /* HEIMDAL_SMALLER */
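Review bot: `krb5_c_random_make_octets` passes `data->length` and `data->data` to `krb5_generate_random_keyblock`, but the `krb5_c_make_random_key` wrapper in the same file calls that function with a `krb5_enctype` and a `krb5_keyblock *`. The buffer length is therefore read as an encryption type and the caller's octet buffer is treated as a keyblock structure. Depending on the value, the call either fails or writes a keyblock into memory meant to receive raw random bytes, and a caller that ignores the return value may use a buffer that was never filled with random data. The wrapper should fill the buffer directly: `krb5_generate_random_block(data->data, data->length);` followed by `return 0;`.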
diff --git a/crypto/heimdal/lib/krb5/mk_error.c b/crypto/heimdal/lib/krb5/mk_error.c
index 704664993435..5fee1d6bed63 100644
--- a/crypto/heimdal/lib/krb5/mk_error.c
+++ b/crypto/heimdal/lib/krb5/mk_error.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: mk_error.c 15457 2005-06-16 21:16:40Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_error(krb5_context context,
krb5_error_code error_code,
const char *e_text,
@@ -46,10 +44,11 @@ krb5_mk_error(krb5_context context,
int *client_usec,
krb5_data *reply)
{
+ const char *e_text2 = NULL;
KRB_ERROR msg;
krb5_timestamp sec;
int32_t usec;
- size_t len;
+ size_t len = 0;
krb5_error_code ret = 0;
krb5_us_timeofday (context, &sec, &usec);
@@ -64,7 +63,7 @@ krb5_mk_error(krb5_context context,
/* Make sure we only send `protocol' error codes */
if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
if(e_text == NULL)
- e_text = krb5_get_err_text(context, error_code);
+ e_text = e_text2 = krb5_get_error_message(context, error_code);
error_code = KRB5KRB_ERR_GENERIC;
}
msg.error_code = error_code - KRB5KDC_ERR_NONE;
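Review bot: `e_text2` has no comment saying why it exists, and the string assigned to it here is released only in a later hunk, after `ASN1_MALLOC_ENCODE`, so the pairing is easy to break in a future edit. It marks the one case where this function owns the text: a string returned by `krb5_get_error_message` goes back through `krb5_free_error_message`, while a caller-supplied `e_text` is left alone. I would add `/* e_text2 is set only when we allocated the message; freed after encoding */` at the declaration. The body of `krb5_mk_error` starts and ends outside this hunk.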
@@ -76,7 +75,8 @@ krb5_mk_error(krb5_context context,
msg.realm = server->realm;
msg.sname = server->name;
}else{
- msg.realm = "<unspecified realm>";
+ static char unspec[] = "<unspecified realm>";
+ msg.realm = unspec;
}
if(client){
msg.crealm = &client->realm;
@@ -84,6 +84,8 @@ krb5_mk_error(krb5_context context,
}
ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret);
+ if (e_text2)
+ krb5_free_error_message(context, e_text2);
if (ret)
return ret;
if(reply->length != len)
diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c
index 87e429af8cba..dede6d2fa4dc 100644
--- a/crypto/heimdal/lib/krb5/mk_priv.c
+++ b/crypto/heimdal/lib/krb5/mk_priv.c
@@ -1,42 +1,39 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: mk_priv.c 16680 2006-02-01 12:39:26Z lha $");
-
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_priv(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *userdata,
@@ -48,12 +45,12 @@ krb5_mk_priv(krb5_context context,
EncKrbPrivPart part;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
@@ -92,7 +89,7 @@ krb5_mk_priv(krb5_context context,
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = auth_context->local_seqnumber;
-
+
part.s_address = auth_context->local_address;
part.r_address = auth_context->remote_address;
@@ -114,10 +111,10 @@ krb5_mk_priv(krb5_context context,
free (buf);
return ret;
}
- ret = krb5_encrypt (context,
+ ret = krb5_encrypt (context,
crypto,
KRB5_KU_KRB_PRIV,
- buf + buf_size - len,
+ buf + buf_size - len,
len,
&s.enc_part.cipher);
krb5_crypto_destroy(context, crypto);
@@ -138,7 +135,8 @@ krb5_mk_priv(krb5_context context,
ret = krb5_data_copy(outbuf, buf + buf_size - len, len);
if (ret) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
free(buf);
return ENOMEM;
}
diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c
index 570a83720132..84c315291c1a 100644
--- a/crypto/heimdal/lib/krb5/mk_rep.c
+++ b/crypto/heimdal/lib/krb5/mk_rep.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: mk_rep.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_rep(krb5_context context,
krb5_auth_context auth_context,
krb5_data *outbuf)
@@ -45,7 +43,7 @@ krb5_mk_rep(krb5_context context,
EncAPRepPart body;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
ap.pvno = 5;
@@ -61,8 +59,6 @@ krb5_mk_rep(krb5_context context,
auth_context,
auth_context->keyblock);
if(ret) {
- krb5_set_error_string (context,
- "krb5_mk_rep: generating subkey");
free_EncAPRepPart(&body);
return ret;
}
@@ -70,21 +66,21 @@ krb5_mk_rep(krb5_context context,
ret = krb5_copy_keyblock(context, auth_context->local_subkey,
&body.subkey);
if (ret) {
- krb5_set_error_string (context,
- "krb5_copy_keyblock: out of memory");
free_EncAPRepPart(&body);
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
} else
body.subkey = NULL;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if(auth_context->local_seqnumber == 0)
+ if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
auth_context->keyblock,
&auth_context->local_seqnumber);
ALLOC(body.seq_number, 1);
if (body.seq_number == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
free_EncAPRepPart(&body);
return ENOMEM;
}
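Review bot: The two out-of-memory paths in this hunk are written differently: the `krb5_copy_keyblock` failure wraps its text in `N_("malloc: out of memory", "")`, while the `ALLOC(body.seq_number, 1)` failure passes the bare literal `"malloc: out of memory"`. If `N_()` marks strings for translation, as its use elsewhere in this commit suggests, the second message is left out of the catalogue; I would write it as `krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));`. The `krb5_copy_keyblock` branch also discards `ret` and reports `ENOMEM` whatever the call returned, which deserves a short comment if it is intended. The body of `krb5_mk_rep` continues outside this hunk.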
@@ -101,7 +97,7 @@ krb5_mk_rep(krb5_context context,
return ret;
if (buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
- ret = krb5_crypto_init(context, auth_context->keyblock,
+ ret = krb5_crypto_init(context, auth_context->keyblock,
0 /* ap.enc_part.etype */, &crypto);
if (ret) {
free (buf);
@@ -110,7 +106,7 @@ krb5_mk_rep(krb5_context context,
ret = krb5_encrypt (context,
crypto,
KRB5_KU_AP_REQ_ENC_PART,
- buf + buf_size - len,
+ buf + buf_size - len,
len,
&ap.enc_part.cipher);
krb5_crypto_destroy(context, crypto);
diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c
index 5f64f01e9560..44e6c8b68a15 100644
--- a/crypto/heimdal/lib/krb5/mk_req.c
+++ b/crypto/heimdal/lib/krb5/mk_req.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: mk_req.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_exact(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
@@ -50,7 +48,7 @@ krb5_mk_req_exact(krb5_context context,
memset(&this_cred, 0, sizeof(this_cred));
ret = krb5_cc_get_principal(context, ccache, &this_cred.client);
-
+
if(ret)
return ret;
@@ -79,7 +77,7 @@ krb5_mk_req_exact(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c
index b6d55c8815ac..af68e4e19530 100644
--- a/crypto/heimdal/lib/krb5/mk_req_ext.c
+++ b/crypto/heimdal/lib/krb5/mk_req_ext.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $");
+#include "krb5_locl.h"
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
@@ -61,10 +59,10 @@ _krb5_mk_req_internal(krb5_context context,
ret = krb5_auth_con_init(context, &ac);
if(ret)
return ret;
-
+
if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
ret = krb5_auth_con_generatelocalsubkey(context,
- ac,
+ ac,
&in_creds->session);
if(ret)
goto out;
@@ -74,7 +72,7 @@ _krb5_mk_req_internal(krb5_context context,
ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
if (ret)
goto out;
-
+
/* it's unclear what type of checksum we can use. try the best one, except:
* a) if it's configured differently for the current realm, or
* b) if the session key is des-cbc-crc
@@ -83,7 +81,7 @@ _krb5_mk_req_internal(krb5_context context,
if (in_data) {
if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
/* this is to make DCE secd (and older MIT kdcs?) happy */
- ret = krb5_create_checksum(context,
+ ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD4,
@@ -94,8 +92,8 @@ _krb5_mk_req_internal(krb5_context context,
ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
- /* this is to make MS kdc happy */
- ret = krb5_create_checksum(context,
+ /* this is to make MS kdc happy */
+ ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD5,
@@ -108,7 +106,7 @@ _krb5_mk_req_internal(krb5_context context,
ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
if (ret)
goto out;
- ret = krb5_create_checksum(context,
+ ret = krb5_create_checksum(context,
crypto,
checksum_usage,
0,
@@ -124,13 +122,12 @@ _krb5_mk_req_internal(krb5_context context,
if (ret)
goto out;
-
- ret = krb5_build_authenticator (context,
+
+ ret = _krb5_build_authenticator(context,
ac,
ac->keyblock->keytype,
in_creds,
c_opt,
- NULL,
&authenticator,
encrypt_usage);
if (c_opt)
@@ -138,7 +135,7 @@ _krb5_mk_req_internal(krb5_context context,
if (ret)
goto out;
- ret = krb5_build_ap_req (context, ac->keyblock->keytype,
+ ret = krb5_build_ap_req (context, ac->keyblock->keytype,
in_creds, ap_req_options, authenticator, outbuf);
out:
if(auth_context == NULL)
@@ -146,7 +143,7 @@ out:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_extended(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c
index 0b75759a5f65..b327e1ce72f6 100644
--- a/crypto/heimdal/lib/krb5/mk_safe.c
+++ b/crypto/heimdal/lib/krb5/mk_safe.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: mk_safe.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_safe(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *userdata,
@@ -46,12 +44,12 @@ krb5_mk_safe(krb5_context context,
KRB_SAFE s;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
@@ -79,7 +77,7 @@ krb5_mk_safe(krb5_context context,
s.safe_body.timestamp = NULL;
s.safe_body.usec = NULL;
}
-
+
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = rdata.timestamp;
outdata->usec = rdata.usec;
@@ -88,12 +86,12 @@ krb5_mk_safe(krb5_context context,
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
rdata.seq = auth_context->local_seqnumber;
s.safe_body.seq_number = &rdata.seq;
- } else
+ } else
s.safe_body.seq_number = NULL;
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = auth_context->local_seqnumber;
-
+
s.safe_body.s_address = auth_context->local_address;
s.safe_body.r_address = auth_context->remote_address;
@@ -111,7 +109,7 @@ krb5_mk_safe(krb5_context context,
free (buf);
return ret;
}
- ret = krb5_create_checksum(context,
+ ret = krb5_create_checksum(context,
crypto,
KRB5_KU_KRB_SAFE_CKSUM,
0,
diff --git a/crypto/heimdal/lib/krb5/n-fold-test.c b/crypto/heimdal/lib/krb5/n-fold-test.c
index 248e232c0569..452964522be8 100644
--- a/crypto/heimdal/lib/krb5/n-fold-test.c
+++ b/crypto/heimdal/lib/krb5/n-fold-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -32,8 +32,6 @@
#include "krb5_locl.h"
-RCSID("$Id: n-fold-test.c 21745 2007-07-31 16:11:25Z lha $");
-
enum { MAXSIZE = 24 };
static struct testcase {
diff --git a/crypto/heimdal/lib/krb5/n-fold.c b/crypto/heimdal/lib/krb5/n-fold.c
index 53528cfd1f78..2e6092c5ca80 100644
--- a/crypto/heimdal/lib/krb5/n-fold.c
+++ b/crypto/heimdal/lib/krb5/n-fold.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -32,8 +32,6 @@
#include "krb5_locl.h"
-RCSID("$Id: n-fold.c 22190 2007-12-06 16:24:22Z lha $");
-
static krb5_error_code
rr13(unsigned char *buf, size_t len)
{
@@ -45,7 +43,7 @@ rr13(unsigned char *buf, size_t len)
{
const int bits = 13 % len;
const int lbit = len % 8;
-
+
tmp = malloc(bytes);
if (tmp == NULL)
return ENOMEM;
@@ -66,11 +64,11 @@ rr13(unsigned char *buf, size_t len)
/* byte offset and shift count */
b1 = bb / 8;
s1 = bb % 8;
-
- if(bb + 8 > bytes * 8)
+
+ if(bb + 8 > bytes * 8)
/* watch for wraparound */
s2 = (len + 8 - s1) % 8;
- else
+ else
s2 = 8 - s1;
b2 = (b1 + 1) % bytes;
buf[i] = (tmp[b1] << s1) | (tmp[b2] >> s2);
@@ -98,7 +96,7 @@ add1(unsigned char *a, unsigned char *b, size_t len)
}
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_n_fold(const void *str, size_t len, void *key, size_t size)
{
/* if len < size we need at most N * len bytes, ie < 2 * size;
@@ -108,9 +106,11 @@ _krb5_n_fold(const void *str, size_t len, void *key, size_t size)
size_t l = 0;
unsigned char *tmp = malloc(maxlen);
unsigned char *buf = malloc(len);
-
- if (tmp == NULL || buf == NULL)
- return ENOMEM;
+
+ if (tmp == NULL || buf == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
memcpy(buf, str, len);
memset(key, 0, size);
@@ -129,9 +129,13 @@ _krb5_n_fold(const void *str, size_t len, void *key, size_t size)
}
} while(l != 0);
out:
- memset(buf, 0, len);
- free(buf);
- memset(tmp, 0, maxlen);
- free(tmp);
+ if (buf) {
+ memset(buf, 0, len);
+ free(buf);
+ }
+ if (tmp) {
+ memset(tmp, 0, maxlen);
+ free(tmp);
+ }
return ret;
}
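Review bot: The scrubbing at `out:` still uses plain `memset` immediately before `free`, which a compiler is allowed to drop as a dead store, so the copied input in `buf` and the intermediate state in `tmp` (presumably key-derivation material) can remain in freed heap memory. Since these lines are being rewritten anyway, use a zeroization call that cannot be elided, e.g. `explicit_bzero(buf, len);` and `explicit_bzero(tmp, maxlen);`, or the tree's own secure-wipe helper if it has one (none is visible here). The new NULL guards are needed for the wipe but not for `free`, which accepts NULL. The body of `_krb5_n_fold` between the allocation and `out:` lies outside this hunk.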
diff --git a/crypto/heimdal/lib/krb5/name-45-test.c b/crypto/heimdal/lib/krb5/name-45-test.c
deleted file mode 100644
index 0bb05f5531a5..000000000000
--- a/crypto/heimdal/lib/krb5/name-45-test.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "krb5_locl.h"
-#include <err.h>
-
-RCSID("$Id: name-45-test.c 19763 2007-01-08 13:35:49Z lha $");
-
-enum { MAX_COMPONENTS = 3 };
-
-static struct testcase {
- const char *v4_name;
- const char *v4_inst;
- const char *v4_realm;
-
- krb5_realm v5_realm;
- unsigned ncomponents;
- char *comp_val[MAX_COMPONENTS];
-
- const char *config_file;
- krb5_error_code ret; /* expected error code from 524 */
-
- krb5_error_code ret2; /* expected error code from 425 */
-} tests[] = {
- {"", "", "", "", 1, {""}, NULL, 0, 0},
- {"a", "", "", "", 1, {"a"}, NULL, 0, 0},
- {"a", "b", "", "", 2, {"a", "b"}, NULL, 0, 0},
- {"a", "b", "c", "c", 2, {"a", "b"}, NULL, 0, 0},
-
- {"krbtgt", "FOO.SE", "FOO.SE", "FOO.SE", 2,
- {"krbtgt", "FOO.SE"}, NULL, 0, 0},
-
- {"foo", "bar2", "BAZ", "BAZ", 2,
- {"foo", "bar2"}, NULL, 0, 0},
- {"foo", "bar2", "BAZ", "BAZ", 2,
- {"foo", "bar2"},
- "[libdefaults]\n"
- " v4_name_convert = {\n"
- " host = {\n"
- " foo = foo5\n"
- " }\n"
- "}\n",
- HEIM_ERR_V4_PRINC_NO_CONV, 0},
- {"foo", "bar2", "BAZ", "BAZ", 2,
- {"foo5", "bar2.baz"},
- "[realms]\n"
- " BAZ = {\n"
- " v4_name_convert = {\n"
- " host = {\n"
- " foo = foo5\n"
- " }\n"
- " }\n"
- " v4_instance_convert = {\n"
- " bar2 = bar2.baz\n"
- " }\n"
- " }\n",
- 0, 0},
-
- {"rcmd", "foo", "realm", "realm", 2, {"host", "foo"}, NULL,
- HEIM_ERR_V4_PRINC_NO_CONV, 0},
- {"rcmd", "foo", "realm", "realm", 2, {"host", "foo.realm"},
- "[realms]\n"
- " realm = {\n"
- " v4_instance_convert = {\n"
- " foo = foo.realm\n"
- " }\n"
- " }\n",
- 0, 0},
-
- {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2,
- {"pop", "mail0.nada.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0},
- {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2,
- {"pop", "mail0.nada.kth.se"},
- "[realms]\n"
- " NADA.KTH.SE = {\n"
- " default_domain = nada.kth.se\n"
- " }\n",
- 0, 0},
- {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2,
- {"pop", "mail0.nada.kth.se"},
- "[libdefaults]\n"
- " v4_instance_resolve = true\n",
- HEIM_ERR_V4_PRINC_NO_CONV, 0},
-
- {"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2,
- {"host", "hokkigai.pdc.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0},
- {"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2,
- {"host", "hokkigai.pdc.kth.se"},
- "[libdefaults]\n"
- " v4_instance_resolve = true\n"
- "[realms]\n"
- " NADA.KTH.SE = {\n"
- " v4_name_convert = {\n"
- " host = {\n"
- " rcmd = host\n"
- " }\n"
- " }\n"
- " default_domain = pdc.kth.se\n"
- " }\n",
- 0, 0},
-
- {"0123456789012345678901234567890123456789",
- "0123456789012345678901234567890123456789",
- "0123456789012345678901234567890123456789",
- "0123456789012345678901234567890123456789",
- 2, {"0123456789012345678901234567890123456789",
- "0123456789012345678901234567890123456789"}, NULL,
- 0, KRB5_PARSE_MALFORMED},
-
- {"012345678901234567890123456789012345678",
- "012345678901234567890123456789012345678",
- "012345678901234567890123456789012345678",
- "012345678901234567890123456789012345678",
- 2, {"012345678901234567890123456789012345678",
- "012345678901234567890123456789012345678"}, NULL,
- 0, 0},
-
- {NULL, NULL, NULL, NULL, 0, {NULL}, NULL, 0}
-};
-
-int
-main(int argc, char **argv)
-{
- struct testcase *t;
- krb5_context context;
- krb5_error_code ret;
- char hostname[1024];
- int val = 0;
-
- setprogname(argv[0]);
-
- gethostname(hostname, sizeof(hostname));
- if (!(strstr(hostname, "kth.se") != NULL || strstr(hostname, "su.se") != NULL))
- return 0;
-
- for (t = tests; t->v4_name; ++t) {
- krb5_principal princ;
- int i;
- char name[40], inst[40], realm[40];
- char printable_princ[256];
-
- ret = krb5_init_context (&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- if (t->config_file != NULL) {
- char template[] = "/tmp/krb5-conf-XXXXXX";
- int fd = mkstemp(template);
- char *files[2];
-
- if (fd < 0)
- krb5_err (context, 1, errno, "mkstemp %s", template);
-
- if (write (fd, t->config_file, strlen(t->config_file))
- != strlen(t->config_file))
- krb5_err (context, 1, errno, "write %s", template);
- close (fd);
- files[0] = template;
- files[1] = NULL;
-
- ret = krb5_set_config_files (context, files);
- unlink (template);
- if (ret)
- krb5_err (context, 1, ret, "krb5_set_config_files");
- }
-
- ret = krb5_425_conv_principal (context,
- t->v4_name,
- t->v4_inst,
- t->v4_realm,
- &princ);
- if (ret) {
- if (ret != t->ret) {
- krb5_warn (context, ret,
- "krb5_425_conv_principal %s.%s@%s",
- t->v4_name, t->v4_inst, t->v4_realm);
- val = 1;
- }
- } else {
- if (t->ret) {
- char *s;
- krb5_unparse_name(context, princ, &s);
- krb5_warnx (context,
- "krb5_425_conv_principal %s.%s@%s "
- "passed unexpected: %s",
- t->v4_name, t->v4_inst, t->v4_realm, s);
- free(s);
- val = 1;
- krb5_free_context(context);
- continue;
- }
- }
-
- if (ret) {
- krb5_free_context(context);
- continue;
- }
-
- if (strcmp (t->v5_realm, princ->realm) != 0) {
- printf ("wrong realm (\"%s\" should be \"%s\")"
- " for \"%s.%s@%s\"\n",
- princ->realm, t->v5_realm,
- t->v4_name,
- t->v4_inst,
- t->v4_realm);
- val = 1;
- }
-
- if (t->ncomponents != princ->name.name_string.len) {
- printf ("wrong number of components (%u should be %u)"
- " for \"%s.%s@%s\"\n",
- princ->name.name_string.len, t->ncomponents,
- t->v4_name,
- t->v4_inst,
- t->v4_realm);
- val = 1;
- } else {
- for (i = 0; i < t->ncomponents; ++i) {
- if (strcmp(t->comp_val[i],
- princ->name.name_string.val[i]) != 0) {
- printf ("bad component %d (\"%s\" should be \"%s\")"
- " for \"%s.%s@%s\"\n",
- i,
- princ->name.name_string.val[i],
- t->comp_val[i],
- t->v4_name,
- t->v4_inst,
- t->v4_realm);
- val = 1;
- }
- }
- }
- ret = krb5_524_conv_principal (context, princ,
- name, inst, realm);
- if (krb5_unparse_name_fixed(context, princ,
- printable_princ, sizeof(printable_princ)))
- strlcpy(printable_princ, "unknown principal",
- sizeof(printable_princ));
- if (ret) {
- if (ret != t->ret2) {
- krb5_warn (context, ret,
- "krb5_524_conv_principal %s", printable_princ);
- val = 1;
- }
- } else {
- if (t->ret2) {
- krb5_warnx (context,
- "krb5_524_conv_principal %s "
- "passed unexpected", printable_princ);
- val = 1;
- krb5_free_context(context);
- continue;
- }
- }
- if (ret) {
- krb5_free_principal (context, princ);
- krb5_free_context(context);
- continue;
- }
-
- krb5_free_principal (context, princ);
- krb5_free_context(context);
- }
- return val;
-}
diff --git a/crypto/heimdal/lib/krb5/net_read.c b/crypto/heimdal/lib/krb5/net_read.c
index f0fa2ce7a0e9..f6d781c27c0b 100644
--- a/crypto/heimdal/lib/krb5/net_read.c
+++ b/crypto/heimdal/lib/krb5/net_read.c
@@ -1,47 +1,44 @@
/*
- * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: net_read.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_read (krb5_context context,
void *p_fd,
void *buf,
size_t len)
{
- int fd = *((int *)p_fd);
-
- return net_read (fd, buf, len);
+ krb5_socket_t fd = *((krb5_socket_t *)p_fd);
+ return net_read(fd, buf, len);
}
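Review bot: `p_fd` stays an untyped `void *`, but the dereference now reads a `krb5_socket_t` instead of an `int`, so a caller that still passes the address of an `int` is read with the wrong width wherever the two types differ (the typedef is not visible here; presumably a Winsock `SOCKET` on Windows builds). Nothing on the function states the new contract, and the compiler cannot catch a mismatch through `void *`. Add a comment above the definition such as `/* p_fd must point to a krb5_socket_t, not an int */` and audit the callers. The same applies to `krb5_net_write` and `krb5_net_write_block` in net_write.c.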
diff --git a/crypto/heimdal/lib/krb5/net_write.c b/crypto/heimdal/lib/krb5/net_write.c
index 868015fa9214..289b96541feb 100644
--- a/crypto/heimdal/lib/krb5/net_write.c
+++ b/crypto/heimdal/lib/krb5/net_write.c
@@ -1,59 +1,56 @@
/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: net_write.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_write (krb5_context context,
void *p_fd,
const void *buf,
size_t len)
{
- int fd = *((int *)p_fd);
-
- return net_write (fd, buf, len);
+ krb5_socket_t fd = *((krb5_socket_t *)p_fd);
+ return net_write(fd, buf, len);
}
-krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_net_write_block(krb5_context context,
void *p_fd,
const void *buf,
size_t len,
time_t timeout)
{
- int fd = *((int *)p_fd);
+ krb5_socket_t fd = *((krb5_socket_t *)p_fd);
int ret;
struct timeval tv, *tvp;
const char *cbuf = (const char *)buf;
@@ -64,7 +61,7 @@ krb5_net_write_block(krb5_context context,
do {
FD_ZERO(&wfds);
FD_SET(fd, &wfds);
-
+
if (timeout != 0) {
tv.tv_sec = timeout;
tv.tv_usec = 0;
@@ -73,29 +70,45 @@ krb5_net_write_block(krb5_context context,
tvp = NULL;
ret = select(fd + 1, NULL, &wfds, NULL, tvp);
- if (ret < 0) {
- if (errno == EINTR)
+ if (rk_IS_SOCKET_ERROR(ret)) {
+ if (rk_SOCK_ERRNO == EINTR)
continue;
return -1;
- } else if (ret == 0)
+ }
+
+#ifdef HAVE_WINSOCK
+ if (ret == 0) {
+ WSASetLastError( WSAETIMEDOUT );
+ return 0;
+ }
+
+ count = send (fd, cbuf, rem, 0);
+
+ if (rk_IS_SOCKET_ERROR(count)) {
+ return -1;
+ }
+
+#else
+ if (ret == 0) {
return 0;
-
+ }
+
if (!FD_ISSET(fd, &wfds)) {
errno = ETIMEDOUT;
return -1;
}
-#ifdef WIN32
- count = send (fd, cbuf, rem, 0);
-#else
count = write (fd, cbuf, rem);
-#endif
+
if (count < 0) {
if (errno == EINTR)
continue;
else
return count;
}
+
+#endif
+
cbuf += count;
rem -= count;
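Review bot: On a `select` timeout the two branches now disagree: the `HAVE_WINSOCK` path calls `WSASetLastError( WSAETIMEDOUT )` before `return 0`, while the `#else` path returns 0 with `errno` untouched, even though the `!FD_ISSET` case right below it sets `errno = ETIMEDOUT`. A caller that inspects `errno` after a 0 return sees a stale value; adding `errno = ETIMEDOUT;` before the `return 0;` in the `#else` branch would make the paths consistent. Separately, `FD_SET(fd, &wfds)` and `select(fd + 1, ...)` on the non-Winsock path rely on `fd` being below `FD_SETSIZE`, which nothing visible checks; a guard such as `if (fd < 0 || fd >= FD_SETSIZE) { errno = EBADF; return -1; }` before the loop would avoid writing past the `fd_set`. The loop condition and the function's final return are outside this hunk.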
diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c
index 1b21750e5d4d..f4caaddc264b 100644
--- a/crypto/heimdal/lib/krb5/pac.c
+++ b/crypto/heimdal/lib/krb5/pac.c
@@ -1,39 +1,38 @@
/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-
-RCSID("$Id: pac.c 21934 2007-08-27 14:21:04Z lha $");
+#include <wind.h>
struct PAC_INFO_BUFFER {
uint32_t type;
@@ -44,7 +43,7 @@ struct PAC_INFO_BUFFER {
struct PACTYPE {
uint32_t numbuffers;
- uint32_t version;
+ uint32_t version;
struct PAC_INFO_BUFFER buffers[1];
};
@@ -69,7 +68,7 @@ struct krb5_pac_data {
#define CHECK(r,f,l) \
do { \
if (((r) = f ) != 0) { \
- krb5_clear_error_string(context); \
+ krb5_clear_error_message(context); \
goto l; \
} \
} while(0)
@@ -77,10 +76,47 @@ struct krb5_pac_data {
static const char zeros[PAC_ALIGNMENT] = { 0 };
/*
+ * HMAC-MD5 checksum over any key (needed for the PAC routines)
+ */
+
+static krb5_error_code
+HMAC_MD5_any_checksum(krb5_context context,
+ const krb5_keyblock *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *result)
+{
+ struct _krb5_key_data local_key;
+ krb5_error_code ret;
+
+ memset(&local_key, 0, sizeof(local_key));
+
+ ret = krb5_copy_keyblock(context, key, &local_key.key);
+ if (ret)
+ return ret;
+
+ ret = krb5_data_alloc (&result->checksum, 16);
+ if (ret) {
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
+ }
+
+ result->cksumtype = CKSUMTYPE_HMAC_MD5;
+ ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
+ if (ret)
+ krb5_data_free(&result->checksum);
+
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
+}
+
+
+/*
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
krb5_pac *pac)
{
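Review bot: `HMAC_MD5_any_checksum` is added with a one-line comment that states neither its output contract nor that it applies HMAC-MD5 regardless of the key's own enctype. From the body, on success `result->checksum` holds a freshly allocated 16-byte buffer with `result->cksumtype` set to `CKSUMTYPE_HMAC_MD5`, and on failure that buffer has already been released. The header comment should say that the caller owns the checksum on success and must release it with `krb5_data_free`. The bare `16` in `krb5_data_alloc (&result->checksum, 16)` would read better as a named constant for the MD5 digest length. `krb5_pac_parse`, whose signature closes this hunk, continues outside it.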
@@ -91,15 +127,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
p = calloc(1, sizeof(*p));
if (p == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "out of memory");
+ ret = krb5_enomem(context);
goto out;
}
sp = krb5_storage_from_readonly_mem(ptr, len);
if (sp == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "out of memory");
+ ret = krb5_enomem(context);
goto out;
}
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
@@ -107,21 +141,22 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
if (tmp < 1) {
- krb5_set_error_string(context, "PAC have too few buffer");
ret = EINVAL; /* Too few buffers */
+ krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
goto out;
}
if (tmp2 != 0) {
- krb5_set_error_string(context, "PAC have wrong version");
ret = EINVAL; /* Wrong version */
+ krb5_set_error_message(context, ret,
+ N_("PAC have wrong version %d", ""),
+ (int)tmp2);
goto out;
}
- p->pac = calloc(1,
+ p->pac = calloc(1,
sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
if (p->pac == NULL) {
- krb5_set_error_string(context, "out of memory");
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
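Review bot: The `calloc` size at the end of this hunk is computed from `tmp`, a buffer count read straight from the PAC, and nothing visible here bounds it against `len`. Where `size_t` is 32 bits, `sizeof(p->pac->buffers[0]) * (tmp - 1)` can wrap and produce an allocation smaller than the count implies. Unless a check outside this hunk already covers it, reject counts the input cannot hold before allocating, for example `if (tmp > len / PAC_INFO_BUFFER_SIZE) { ret = EINVAL; goto out; }`. The new `%d` with `(int)tmp2` also prints a `uint32_t` as signed; `%lu` with an `unsigned long` cast would match the style used further down. krb5_pac_parse starts and ends outside this hunk.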
@@ -142,51 +177,59 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
/* consistency checks */
if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
- krb5_set_error_string(context, "PAC out of allignment");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC out of allignment", ""));
goto out;
}
if (p->pac->buffers[i].offset_hi) {
- krb5_set_error_string(context, "PAC high offset set");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC high offset set", ""));
goto out;
}
if (p->pac->buffers[i].offset_lo > len) {
- krb5_set_error_string(context, "PAC offset off end");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC offset off end", ""));
goto out;
}
if (p->pac->buffers[i].offset_lo < header_end) {
- krb5_set_error_string(context, "PAC offset inside header: %d %d",
- p->pac->buffers[i].offset_lo, header_end);
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC offset inside header: %lu %lu", ""),
+ (unsigned long)p->pac->buffers[i].offset_lo,
+ (unsigned long)header_end);
goto out;
}
if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
- krb5_set_error_string(context, "PAC length off end");
ret = EINVAL;
+ krb5_set_error_message(context, ret, N_("PAC length off end", ""));
goto out;
}
/* let save pointer to data we need later */
if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
if (p->server_checksum) {
- krb5_set_error_string(context, "PAC have two server checksums");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC have two server checksums", ""));
goto out;
}
p->server_checksum = &p->pac->buffers[i];
} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
if (p->privsvr_checksum) {
- krb5_set_error_string(context, "PAC have two KDC checksums");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC have two KDC checksums", ""));
goto out;
}
p->privsvr_checksum = &p->pac->buffers[i];
} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
if (p->logon_name) {
- krb5_set_error_string(context, "PAC have two logon names");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PAC have two logon names", ""));
goto out;
}
p->logon_name = &p->pac->buffers[i];
@@ -215,7 +258,7 @@ out:
return ret;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_init(krb5_context context, krb5_pac *pac)
{
krb5_error_code ret;
@@ -223,31 +266,27 @@ krb5_pac_init(krb5_context context, krb5_pac *pac)
p = calloc(1, sizeof(*p));
if (p == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
p->pac = calloc(1, sizeof(*p->pac));
if (p->pac == NULL) {
free(p);
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
if (ret) {
free (p->pac);
free(p);
- krb5_set_error_string(context, "out of memory");
- return ret;
+ return krb5_enomem(context);
}
-
*pac = p;
return 0;
}
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_add_buffer(krb5_context context, krb5_pac p,
uint32_t type, const krb5_data *data)
{
@@ -260,10 +299,9 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
ptr = realloc(p->pac,
sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len));
- if (ptr == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (ptr == NULL)
+ return krb5_enomem(context);
+
p->pac = ptr;
for (i = 0; i < len; i++)
@@ -279,20 +317,20 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
old_end = p->data.length;
len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE;
if (len < p->data.length) {
- krb5_set_error_string(context, "integer overrun");
+ krb5_set_error_message(context, EINVAL, "integer overrun");
return EINVAL;
}
-
+
/* align to PAC_ALIGNMENT */
len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
ret = krb5_data_realloc(&p->data, len);
if (ret) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
return ret;
}
- /*
+ /*
* make place for new PAC INFO BUFFER header
*/
header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
@@ -315,43 +353,43 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
return 0;
}
-krb5_error_code
+/**
+ * Get the PAC buffer of specific type from the pac.
+ *
+ * @param context Kerberos 5 context.
+ * @param p the pac structure returned by krb5_pac_parse().
+ * @param type type of buffer to get
+ * @param data return data, free with krb5_data_free().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5_pac
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_buffer(krb5_context context, krb5_pac p,
uint32_t type, krb5_data *data)
{
krb5_error_code ret;
uint32_t i;
- /*
- * Hide the checksums from external consumers
- */
-
- if (type == PAC_PRIVSVR_CHECKSUM || type == PAC_SERVER_CHECKSUM) {
- ret = krb5_data_alloc(data, 16);
- if (ret) {
- krb5_set_error_string(context, "out of memory");
- return ret;
- }
- memset(data->data, 0, data->length);
- return 0;
- }
-
for (i = 0; i < p->pac->numbuffers; i++) {
- size_t len = p->pac->buffers[i].buffersize;
- size_t offset = p->pac->buffers[i].offset_lo;
+ const size_t len = p->pac->buffers[i].buffersize;
+ const size_t offset = p->pac->buffers[i].offset_lo;
if (p->pac->buffers[i].type != type)
continue;
ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
if (ret) {
- krb5_set_error_string(context, "Out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
return ret;
}
return 0;
}
- krb5_set_error_string(context, "No PAC buffer of type %lu was found",
- (unsigned long)type);
+ krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
+ (unsigned long)type);
return ENOENT;
}
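Review bot: The new doc comment on krb5_pac_get_buffer does not mention that the removed block used to return 16 zero bytes for PAC_PRIVSVR_CHECKSUM and PAC_SERVER_CHECKSUM, so the stored signature buffers are now copied out like any other type. Callers that relied on the masking will see different data, so I would add a line such as `* Checksum buffers (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM) are returned as stored, not zeroed.` The `krb5_data_copy` call trusts `offset_lo` and `buffersize`, which appears to rest on the bounds checks in krb5_pac_parse; a short comment saying so would help the next reader. The ENOENT message is also the only one in this function not wrapped in `N_()`.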
@@ -359,7 +397,7 @@ krb5_pac_get_buffer(krb5_context context, krb5_pac p,
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_types(krb5_context context,
krb5_pac p,
size_t *len,
@@ -370,8 +408,7 @@ krb5_pac_get_types(krb5_context context,
*types = calloc(p->pac->numbuffers, sizeof(*types));
if (*types == NULL) {
*len = 0;
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
for (i = 0; i < p->pac->numbuffers; i++)
(*types)[i] = p->pac->buffers[i].type;
@@ -384,7 +421,7 @@ krb5_pac_get_types(krb5_context context,
*
*/
-void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_pac_free(krb5_context context, krb5_pac pac)
{
krb5_data_free(&pac->data);
@@ -403,7 +440,6 @@ verify_checksum(krb5_context context,
void *ptr, size_t len,
const krb5_keyblock *key)
{
- krb5_crypto crypto = NULL;
krb5_storage *sp = NULL;
uint32_t type;
krb5_error_code ret;
@@ -413,44 +449,71 @@ verify_checksum(krb5_context context,
sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
sig->buffersize);
- if (sp == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
+
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
CHECK(ret, krb5_ret_uint32(sp, &type), out);
cksum.cksumtype = type;
- cksum.checksum.length =
+ cksum.checksum.length =
sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
cksum.checksum.data = malloc(cksum.checksum.length);
if (cksum.checksum.data == NULL) {
- krb5_set_error_string(context, "out of memory");
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
- if (ret != cksum.checksum.length) {
- krb5_set_error_string(context, "PAC checksum missing checksum");
+ if (ret != (int)cksum.checksum.length) {
ret = EINVAL;
+ krb5_set_error_message(context, ret, "PAC checksum missing checksum");
goto out;
}
if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
- krb5_set_error_string (context, "Checksum type %d not keyed",
- cksum.cksumtype);
ret = EINVAL;
+ krb5_set_error_message(context, ret, "Checksum type %d not keyed",
+ cksum.cksumtype);
goto out;
}
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret)
- goto out;
+ /* If the checksum is HMAC-MD5, the checksum type is not tied to
+ * the key type, instead the HMAC-MD5 checksum is applied blindly
+ * on whatever key is used for this connection, avoiding issues
+ * with unkeyed checksums on des-cbc-md5 and des-cbc-crc. See
+ * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
+ * for the same issue in MIT, and
+ * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
+ * for Microsoft's explaination */
+
+ if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
+ Checksum local_checksum;
+
+ memset(&local_checksum, 0, sizeof(local_checksum));
+
+ ret = HMAC_MD5_any_checksum(context, key, ptr, len,
+ KRB5_KU_OTHER_CKSUM, &local_checksum);
+
+ if (ret != 0 || krb5_data_ct_cmp(&local_checksum.checksum, &cksum.checksum) != 0) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ krb5_set_error_message(context, ret,
+ N_("PAC integrity check failed for "
+ "hmac-md5 checksum", ""));
+ }
+ krb5_data_free(&local_checksum.checksum);
+
+ } else {
+ krb5_crypto crypto = NULL;
+
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret)
+ goto out;
- ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
- ptr, len, &cksum);
+ ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
+ ptr, len, &cksum);
+ krb5_crypto_destroy(context, crypto);
+ }
free(cksum.checksum.data);
- krb5_crypto_destroy(context, crypto);
krb5_storage_free(sp);
return ret;
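Review bot: In the new `cksum.cksumtype == CKSUMTYPE_HMAC_MD5` branch the algorithm is selected by `type`, which is read from the signature buffer being verified, and HMAC-MD5 is then accepted over whatever `key` was passed in. The comment explains why DES keys need this, but the same path is taken for every key type, so a stronger key's own checksum type is not enforced. I would at least record that in the comment, e.g. `/* NOTE: cksumtype comes from the PAC itself; HMAC-MD5 is accepted here for every key type */`, and consider limiting the branch to the key types that need it. Mapping every failure of HMAC_MD5_any_checksum to KRB5KRB_AP_ERR_BAD_INTEGRITY fails closed, though it hides an allocation failure from the caller. verify_checksum starts above this hunk.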
@@ -460,14 +523,13 @@ out:
free(cksum.checksum.data);
if (sp)
krb5_storage_free(sp);
- if (crypto)
- krb5_crypto_destroy(context, crypto);
return ret;
}
static krb5_error_code
create_checksum(krb5_context context,
const krb5_keyblock *key,
+ uint32_t cksumtype,
void *data, size_t datalen,
void *sig, size_t siglen)
{
@@ -475,18 +537,31 @@ create_checksum(krb5_context context,
krb5_error_code ret;
Checksum cksum;
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret)
- return ret;
-
- ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
- data, datalen, &cksum);
- krb5_crypto_destroy(context, crypto);
- if (ret)
- return ret;
+ /* If the checksum is HMAC-MD5, the checksum type is not tied to
+ * the key type, instead the HMAC-MD5 checksum is applied blindly
+ * on whatever key is used for this connection, avoiding issues
+ * with unkeyed checksums on des-cbc-md5 and des-cbc-crc. See
+ * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
+ * for the same issue in MIT, and
+ * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
+ * for Microsoft's explaination */
+
+ if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
+ ret = HMAC_MD5_any_checksum(context, key, data, datalen,
+ KRB5_KU_OTHER_CKSUM, &cksum);
+ } else {
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret)
+ return ret;
+ ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
+ data, datalen, &cksum);
+ krb5_crypto_destroy(context, crypto);
+ if (ret)
+ return ret;
+ }
if (cksum.checksum.length != siglen) {
- krb5_set_error_string(context, "pac checksum wrong length");
+ krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
free_Checksum(&cksum);
return EINVAL;
}
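Review bot: The HMAC-MD5 branch of create_checksum never tests `ret` after `HMAC_MD5_any_checksum`, unlike the `else` branch, so on failure the code goes on to read `cksum.checksum.length` from a `Checksum` declared without an initializer. HMAC_MD5_any_checksum can return before touching `result` (its `krb5_copy_keyblock` failure path), in which case the length test and `free_Checksum` operate on uninitialized fields, or the test happens to pass and the rest of the function (outside this hunk) runs with garbage. Put a shared check after the if/else, `if (ret) return ret;`, directly before `if (cksum.checksum.length != siglen)`. The new EINVAL message is also not wrapped in `N_()` as the other new messages in this file are.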
@@ -528,10 +603,8 @@ verify_logonname(krb5_context context,
sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
logon_name->buffersize);
- if (sp == NULL) {
- krb5_set_error_string(context, "Out of memory");
- return ENOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
@@ -544,79 +617,74 @@ verify_logonname(krb5_context context,
t2 = ((uint64_t)time2 << 32) | time1;
if (t1 != t2) {
krb5_storage_free(sp);
- krb5_set_error_string(context, "PAC timestamp mismatch");
+ krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
return EINVAL;
}
}
CHECK(ret, krb5_ret_uint16(sp, &len), out);
if (len == 0) {
krb5_storage_free(sp);
- krb5_set_error_string(context, "PAC logon name length missing");
+ krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
return EINVAL;
}
s = malloc(len);
if (s == NULL) {
krb5_storage_free(sp);
- krb5_set_error_string(context, "Out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_storage_read(sp, s, len);
if (ret != len) {
krb5_storage_free(sp);
- krb5_set_error_string(context, "Failed to read pac logon name");
+ krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
return EINVAL;
}
krb5_storage_free(sp);
-#if 1 /* cheat for now */
- {
- size_t i;
-
- if (len & 1) {
- krb5_set_error_string(context, "PAC logon name malformed");
- return EINVAL;
- }
-
- for (i = 0; i < len / 2; i++) {
- if (s[(i * 2) + 1]) {
- krb5_set_error_string(context, "PAC logon name not ASCII");
- return EINVAL;
- }
- s[i] = s[i * 2];
- }
- s[i] = '\0';
- }
-#else
{
+ size_t ucs2len = len / 2;
uint16_t *ucs2;
- ssize_t ucs2len;
size_t u8len;
+ unsigned int flags = WIND_RW_LE;
- ucs2 = malloc(sizeof(ucs2[0]) * len / 2);
- if (ucs2)
- abort();
- ucs2len = wind_ucs2read(s, len / 2, ucs2);
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
+ if (ucs2 == NULL)
+ return krb5_enomem(context);
+
+ ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
free(s);
- if (len < 0)
- return -1;
- ret = wind_ucs2toutf8(ucs2, ucs2len, NULL, &u8len);
- if (ret < 0)
- abort();
- s = malloc(u8len + 1);
- if (s == NULL)
- abort();
- wind_ucs2toutf8(ucs2, ucs2len, s, &u8len);
+ if (ret) {
+ free(ucs2);
+ krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
+ return ret;
+ }
+ ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
+ if (ret) {
+ free(ucs2);
+ krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
+ return ret;
+ }
+ u8len += 1; /* Add space for NUL */
+ s = malloc(u8len);
+ if (s == NULL) {
+ free(ucs2);
+ return krb5_enomem(context);
+ }
+ ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
free(ucs2);
+ if (ret) {
+ free(s);
+ krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
+ return ret;
+ }
}
-#endif
ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
free(s);
if (ret)
return ret;
-
+
if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
- krb5_set_error_string(context, "PAC logon name mismatch");
ret = EINVAL;
+ krb5_set_error_message(context, ret, "PAC logon name mismatch");
}
krb5_free_principal(context, p2);
return ret;
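Review bot: The new `if (ucs2 == NULL) return krb5_enomem(context);` returns while `s` is still allocated, since `free(s)` only runs after `wind_ucs2read`. The short-read path just above the new block (`if (ret != len)`) leaks `s` the same way. Suggested: `if (ucs2 == NULL) { free(s); return krb5_enomem(context); }`, plus a `free(s);` before the `return EINVAL;` on the read failure. `ucs2len = len / 2` also drops a trailing byte when `len` is odd; the removed code rejected that case explicitly, so a comment saying the rejection is now left to `wind_ucs2read` (if it does reject it) would be worth adding. verify_logonname starts above this hunk.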
@@ -629,9 +697,9 @@ out:
*/
static krb5_error_code
-build_logon_name(krb5_context context,
+build_logon_name(krb5_context context,
time_t authtime,
- krb5_const_principal principal,
+ krb5_const_principal principal,
krb5_data *logon)
{
krb5_error_code ret;
@@ -645,10 +713,9 @@ build_logon_name(krb5_context context,
krb5_data_zero(logon);
sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
+
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
@@ -660,13 +727,13 @@ build_logon_name(krb5_context context,
goto out;
len = strlen(s);
-
+
CHECK(ret, krb5_store_uint16(sp, len * 2), out);
#if 1 /* cheat for now */
s2 = malloc(len * 2);
if (s2 == NULL) {
- ret = ENOMEM;
+ ret = krb5_enomem(context);
free(s);
goto out;
}
@@ -681,8 +748,8 @@ build_logon_name(krb5_context context,
ret = krb5_storage_write(sp, s2, len * 2);
free(s2);
- if (ret != len * 2) {
- ret = ENOMEM;
+ if (ret != (int)(len * 2)) {
+ ret = krb5_enomem(context);
goto out;
}
ret = krb5_storage_to_data(sp, logon);
@@ -697,12 +764,24 @@ out:
}
-/*
+/**
+ * Verify the PAC.
*
+ * @param context Kerberos 5 context.
+ * @param pac the pac structure returned by krb5_pac_parse().
+ * @param authtime The time of the ticket the PAC belongs to.
+ * @param principal the principal to verify.
+ * @param server The service key, most always be given.
+ * @param privsvr The KDC key, may be given.
+
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5_pac
*/
-krb5_error_code
-krb5_pac_verify(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_pac_verify(krb5_context context,
const krb5_pac pac,
time_t authtime,
krb5_const_principal principal,
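Review bot: The new doc comment for krb5_pac_verify leaves the `server` and `privsvr` contracts unclear: "most always be given" presumably means "must", and "may be given" does not say what is skipped. Further down, the KDC signature is only checked inside `if (privsvr) {`, so a caller passing NULL gets no verification of the privsvr checksum. I would reword to `@param server The service key, must always be given.` and `@param privsvr The KDC key; if NULL the KDC checksum is not verified.` The line after the last `@param` is also missing its leading ` *`. The function body continues outside this hunk.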
@@ -712,19 +791,19 @@ krb5_pac_verify(krb5_context context,
krb5_error_code ret;
if (pac->server_checksum == NULL) {
- krb5_set_error_string(context, "PAC missing server checksum");
+ krb5_set_error_message(context, EINVAL, "PAC missing server checksum");
return EINVAL;
}
if (pac->privsvr_checksum == NULL) {
- krb5_set_error_string(context, "PAC missing kdc checksum");
+ krb5_set_error_message(context, EINVAL, "PAC missing kdc checksum");
return EINVAL;
}
if (pac->logon_name == NULL) {
- krb5_set_error_string(context, "PAC missing logon name");
+ krb5_set_error_message(context, EINVAL, "PAC missing logon name");
return EINVAL;
}
- ret = verify_logonname(context,
+ ret = verify_logonname(context,
pac->logon_name,
&pac->data,
authtime,
@@ -732,7 +811,7 @@ krb5_pac_verify(krb5_context context,
if (ret)
return ret;
- /*
+ /*
* in the service case, clean out data option of the privsvr and
* server checksum before checking the checksum.
*/
@@ -767,6 +846,7 @@ krb5_pac_verify(krb5_context context,
return ret;
}
if (privsvr) {
+ /* The priv checksum covers the server checksum */
ret = verify_checksum(context,
pac->privsvr_checksum,
&pac->data,
@@ -796,17 +876,16 @@ fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
if (l > sizeof(zeros))
l = sizeof(zeros);
sret = krb5_storage_write(sp, zeros, l);
- if (sret <= 0) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (sret <= 0)
+ return krb5_enomem(context);
+
len -= sret;
}
return 0;
}
static krb5_error_code
-pac_checksum(krb5_context context,
+pac_checksum(krb5_context context,
const krb5_keyblock *key,
uint32_t *cksumtype,
size_t *cksumsize)
@@ -820,19 +899,19 @@ pac_checksum(krb5_context context,
return ret;
ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
- ret = krb5_crypto_destroy(context, crypto);
+ krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
- krb5_set_error_string(context, "PAC checksum type is not keyed");
- return EINVAL;
+ *cksumtype = CKSUMTYPE_HMAC_MD5;
+ *cksumsize = 16;
}
ret = krb5_checksumsize(context, cktype, cksumsize);
if (ret)
return ret;
-
+
*cksumtype = (uint32_t)cktype;
return 0;
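Review bot: The new unkeyed-checksum fallback in pac_checksum has no effect, because execution continues past the `if` and both outputs are overwritten. `krb5_checksumsize(context, cktype, cksumsize)` replaces the 16, and `*cksumtype = (uint32_t)cktype;` replaces CKSUMTYPE_HMAC_MD5 with the unkeyed type, so the function reports success with the checksum type the removed code used to reject. Add `return 0;` after `*cksumsize = 16;` inside the `if` block. pac_checksum starts above this hunk.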
@@ -853,7 +932,8 @@ _krb5_pac_sign(krb5_context context,
size_t server_size, priv_size;
uint32_t server_offset = 0, priv_offset = 0;
uint32_t server_cksumtype = 0, priv_cksumtype = 0;
- int i, num = 0;
+ int num = 0;
+ size_t i;
krb5_data logon, d;
krb5_data_zero(&logon);
@@ -869,10 +949,9 @@ _krb5_pac_sign(krb5_context context,
void *ptr;
ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1)));
- if (ptr == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (ptr == NULL)
+ return krb5_enomem(context);
+
p->pac = ptr;
if (p->logon_name == NULL) {
@@ -907,17 +986,15 @@ _krb5_pac_sign(krb5_context context,
/* Encode PAC */
sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
+
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
spdata = krb5_storage_emem();
if (spdata == NULL) {
krb5_storage_free(sp);
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
@@ -955,8 +1032,7 @@ _krb5_pac_sign(krb5_context context,
sret = krb5_storage_write(spdata, ptr, len);
if (sret != len) {
- krb5_set_error_string(context, "out of memory");
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
/* XXX if not aligned, fill_zeros */
@@ -974,7 +1050,7 @@ _krb5_pac_sign(krb5_context context,
end += len;
e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
- if (end != e) {
+ if ((int32_t)end != e) {
CHECK(ret, fill_zeros(context, spdata, e - end), out);
}
end = e;
@@ -987,35 +1063,32 @@ _krb5_pac_sign(krb5_context context,
/* export PAC */
ret = krb5_storage_to_data(spdata, &d);
if (ret) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
ret = krb5_storage_write(sp, d.data, d.length);
- if (ret != d.length) {
+ if (ret != (int)d.length) {
krb5_data_free(&d);
- krb5_set_error_string(context, "out of memory");
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
krb5_data_free(&d);
ret = krb5_storage_to_data(sp, &d);
if (ret) {
- krb5_set_error_string(context, "out of memory");
+ ret = krb5_enomem(context);
goto out;
}
/* sign */
-
- ret = create_checksum(context, server_key,
+ ret = create_checksum(context, server_key, server_cksumtype,
d.data, d.length,
(char *)d.data + server_offset, server_size);
if (ret) {
krb5_data_free(&d);
goto out;
}
-
- ret = create_checksum(context, priv_key,
+ ret = create_checksum(context, priv_key, priv_cksumtype,
(char *)d.data + server_offset, server_size,
(char *)d.data + priv_offset, priv_size);
if (ret) {
diff --git a/crypto/heimdal/lib/krb5/padata.c b/crypto/heimdal/lib/krb5/padata.c
index b2b70f52e786..babe22cb3876 100644
--- a/crypto/heimdal/lib/krb5/padata.c
+++ b/crypto/heimdal/lib/krb5/padata.c
@@ -1,50 +1,48 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: padata.c 15469 2005-06-17 04:28:35Z lha $");
-
-PA_DATA *
+KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
{
- for(; *idx < len; (*idx)++)
- if(val[*idx].padata_type == type)
+ for(; *idx < (int)len; (*idx)++)
+ if(val[*idx].padata_type == (unsigned)type)
return val + *idx;
- return NULL;
+ return NULL;
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_padata_add(krb5_context context, METHOD_DATA *md,
int type, void *buf, size_t len)
{
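Review bot: The cast in `*idx < (int)len` changes how krb5_find_padata treats a negative `*idx`. The old `*idx < len` compared as unsigned, so a negative index failed the test and the function returned NULL; with the signed comparison a negative index passes and `val[*idx]` reads before the start of the array. Casting the other operand keeps the old behaviour and still silences the sign-compare warning: `for(; (unsigned)*idx < len; (*idx)++)`. A `len` above INT_MAX would also turn negative under the current cast and end the search early.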
@@ -52,7 +50,8 @@ krb5_padata_add(krb5_context context, METHOD_DATA *md,
pa = realloc (md->val, (md->len + 1) * sizeof(*md->val));
if (pa == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
md->val = pa;
@@ -60,7 +59,7 @@ krb5_padata_add(krb5_context context, METHOD_DATA *md,
pa[md->len].padata_type = type;
pa[md->len].padata_value.length = len;
pa[md->len].padata_value.data = buf;
- md->len++;
+ md->len++;
return 0;
}
diff --git a/crypto/heimdal/lib/krb5/parse-name-test.c b/crypto/heimdal/lib/krb5/parse-name-test.c
index 7e6070538904..bb2fc024e612 100644
--- a/crypto/heimdal/lib/krb5/parse-name-test.c
+++ b/crypto/heimdal/lib/krb5/parse-name-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: parse-name-test.c 16342 2005-12-02 14:14:43Z lha $");
-
enum { MAX_COMPONENTS = 3 };
static struct testcase {
@@ -63,7 +61,7 @@ static struct testcase {
{"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE},
{NULL, NULL, "", 0, { NULL }, FALSE}};
-int KRB5_LIB_FUNCTION
+int
main(int argc, char **argv)
{
struct testcase *t;
diff --git a/crypto/heimdal/lib/krb5/pcache.c b/crypto/heimdal/lib/krb5/pcache.c
new file mode 100644
index 000000000000..23d5389a607d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/pcache.c
@@ -0,0 +1,66 @@
+/***********************************************************************
+ * Copyright (c) 2010, Secure Endpoints Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **********************************************************************/
+
+#include "krb5_locl.h"
+#include "ccache_plugin.h"
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#include <assert.h>
+
+krb5_error_code
+_krb5_load_ccache_plugins(krb5_context context)
+{
+ struct krb5_plugin * plist = NULL;
+ struct krb5_plugin *p;
+ krb5_error_code code;
+
+ code = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_CCACHE,
+ &plist);
+ if (code)
+ return code;
+
+ for (p = plist; p != NULL; p = _krb5_plugin_get_next(p)) {
+ krb5_cc_ops * ccops;
+ krb5_error_code c_load;
+
+ ccops = _krb5_plugin_get_symbol(p);
+ if (ccops != NULL && ccops->version == KRB5_CC_OPS_VERSION) {
+ c_load = krb5_cc_register(context, ccops, TRUE);
+ if (c_load != 0)
+ code = c_load;
+ }
+ }
+
+ _krb5_plugin_free(plist);
+
+ return code;
+}
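Review bot: _krb5_load_ccache_plugins has no comment describing its contract, and two of its behaviours should be written down. It registers every plugin whose `ccops->version` matches and passes `TRUE` as the last argument of `krb5_cc_register`, which looks like the override flag, so a loaded plugin could replace an already registered ccache type; plugins with a NULL symbol or a different version are skipped silently. On a registration failure it keeps going and returns only the last non-zero `c_load`. I would add a header comment along the lines of `/* Register all ccache plugins found; returns the last registration error, or 0. Registered ops override existing types (confirm flag meaning). */`. `<dlfcn.h>` and `<assert.h>` are included but nothing in this file uses them.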
diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c
index a0b6a4e07938..1103a17807be 100644
--- a/crypto/heimdal/lib/krb5/pkinit.c
+++ b/crypto/heimdal/lib/krb5/pkinit.c
@@ -1,40 +1,40 @@
/*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c 22433 2008-01-13 14:11:46Z lha $");
-
struct krb5_dh_moduli {
char *name;
unsigned long bits;
@@ -45,8 +45,6 @@ struct krb5_dh_moduli {
#ifdef PKINIT
-#include <heim_asn1.h>
-#include <rfc2459_asn1.h>
#include <cms_asn1.h>
#include <pkcs8_asn1.h>
#include <pkcs9_asn1.h>
@@ -56,53 +54,44 @@ struct krb5_dh_moduli {
#include <der.h>
-#include <hx509.h>
-
-enum {
- COMPAT_WIN2K = 1,
- COMPAT_IETF = 2
-};
-
-struct krb5_pk_identity {
- hx509_context hx509ctx;
- hx509_verify_ctx verify_ctx;
- hx509_certs certs;
- hx509_certs anchors;
- hx509_certs certpool;
- hx509_revoke_ctx revokectx;
-};
-
struct krb5_pk_cert {
hx509_cert cert;
};
struct krb5_pk_init_ctx_data {
struct krb5_pk_identity *id;
- DH *dh;
+ enum { USE_RSA, USE_DH, USE_ECDH } keyex;
+ union {
+ DH *dh;
+#ifdef HAVE_OPENSSL
+ EC_KEY *eckey;
+#endif
+ } u;
krb5_data *clientDHNonce;
struct krb5_dh_moduli **m;
hx509_peer_info peer;
- int type;
+ enum krb5_pk_type type;
unsigned int require_binding:1;
unsigned int require_eku:1;
unsigned int require_krbtgt_otherName:1;
unsigned int require_hostname_match:1;
unsigned int trustedCertifiers:1;
+ unsigned int anonymous:1;
};
static void
-_krb5_pk_copy_error(krb5_context context,
- hx509_context hx509ctx,
- int hxret,
- const char *fmt,
- ...)
+pk_copy_error(krb5_context context,
+ hx509_context hx509ctx,
+ int hxret,
+ const char *fmt,
+ ...)
__attribute__ ((format (printf, 4, 5)));
/*
*
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_pk_cert_free(struct krb5_pk_cert *cert)
{
if (cert->cert) {
@@ -117,7 +106,7 @@ BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
integer->length = BN_num_bytes(bn);
integer->data = malloc(integer->length);
if (integer->data == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
BN_bn2bin(bn, integer->data);
@@ -132,60 +121,136 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
if (bn == NULL) {
- krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
+ krb5_set_error_message(context, ENOMEM,
+ N_("PKINIT: parsing BN failed %s", ""), field);
return NULL;
}
BN_set_negative(bn, f->negative);
return bn;
}
-
static krb5_error_code
-_krb5_pk_create_sign(krb5_context context,
- const heim_oid *eContentType,
- krb5_data *eContent,
- struct krb5_pk_identity *id,
- hx509_peer_info peer,
- krb5_data *sd_data)
+select_dh_group(krb5_context context, DH *dh, unsigned long bits,
+ struct krb5_dh_moduli **moduli)
{
- hx509_cert cert;
- hx509_query *q;
- int ret;
+ const struct krb5_dh_moduli *m;
- ret = hx509_query_alloc(id->hx509ctx, &q);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Allocate query to find signing certificate");
- return ret;
+ if (bits == 0) {
+ m = moduli[1]; /* XXX */
+ if (m == NULL)
+ m = moduli[0]; /* XXX */
+ } else {
+ int i;
+ for (i = 0; moduli[i] != NULL; i++) {
+ if (bits < moduli[i]->bits)
+ break;
+ }
+ if (moduli[i] == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("Did not find a DH group parameter "
+ "matching requirement of %lu bits", ""),
+ bits);
+ return EINVAL;
+ }
+ m = moduli[i];
}
- hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ dh->p = integer_to_BN(context, "p", &m->p);
+ if (dh->p == NULL)
+ return ENOMEM;
+ dh->g = integer_to_BN(context, "g", &m->g);
+ if (dh->g == NULL)
+ return ENOMEM;
+ dh->q = integer_to_BN(context, "q", &m->q);
+ if (dh->q == NULL)
+ return ENOMEM;
- ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert);
- hx509_query_free(id->hx509ctx, q);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Find certificate to signed CMS data");
- return ret;
+ return 0;
+}
+
+struct certfind {
+ const char *type;
+ const heim_oid *oid;
+};
+
+/*
+ * Try searchin the key by to use by first looking for for PK-INIT
+ * EKU, then the Microsoft smart card EKU and last, no special EKU at all.
+ */
+
+static krb5_error_code
+find_cert(krb5_context context, struct krb5_pk_identity *id,
+ hx509_query *q, hx509_cert *cert)
+{
+ struct certfind cf[4] = {
+ { "MobileMe EKU" },
+ { "PKINIT EKU" },
+ { "MS EKU" },
+ { "any (or no)" }
+ };
+ int ret = HX509_CERT_NOT_FOUND;
+ size_t i, start = 1;
+ unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
+ const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
+
+
+ if (id->flags & PKINIT_BTMM)
+ start = 0;
+
+ cf[0].oid = &mobileMe;
+ cf[1].oid = &asn1_oid_id_pkekuoid;
+ cf[2].oid = &asn1_oid_id_pkinit_ms_eku;
+ cf[3].oid = NULL;
+
+ for (i = start; i < sizeof(cf)/sizeof(cf[0]); i++) {
+ ret = hx509_query_match_eku(q, cf[i].oid);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed setting %s OID", cf[i].type);
+ return ret;
+ }
+
+ ret = hx509_certs_find(context->hx509ctx, id->certs, q, cert);
+ if (ret == 0)
+ break;
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed finding certificate with %s OID", cf[i].type);
}
+ return ret;
+}
+
+
+static krb5_error_code
+create_signature(krb5_context context,
+ const heim_oid *eContentType,
+ krb5_data *eContent,
+ struct krb5_pk_identity *id,
+ hx509_peer_info peer,
+ krb5_data *sd_data)
+{
+ int ret, flags = 0;
+
+ if (id->cert == NULL)
+ flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
- ret = hx509_cms_create_signed_1(id->hx509ctx,
- 0,
+ ret = hx509_cms_create_signed_1(context->hx509ctx,
+ flags,
eContentType,
eContent->data,
eContent->length,
NULL,
- cert,
+ id->cert,
peer,
NULL,
id->certs,
sd_data);
- if (ret)
- _krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
- hx509_cert_free(cert);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Create CMS signedData");
+ return ret;
+ }
- return ret;
+ return 0;
}
static int
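Review bot: In `select_dh_group` the `bits == 0` branch reads `moduli[1]` before looking at `moduli[0]`, so an empty NULL-terminated list is indexed past its terminator, and when both entries are NULL `m` is dereferenced at `&m->p`. A guard ahead of the branch, `if (moduli[0] == NULL) return EINVAL;` with an error message set, would cover it; whether `_krb5_parse_moduli` can hand back an empty list is not visible here. In the other branch `bits < moduli[i]->bits` skips a group whose size equals the requested value, so if the caller's `pkinit_dh_min_bits` (read in a later hunk) is meant as a minimum the test should be `bits <= moduli[i]->bits`. The search also depends on the list being ordered by size, which deserves a comment.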
@@ -197,6 +262,9 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
void *p;
int ret;
+ if (ids->len > 10)
+ return 0;
+
memset(&id, 0, sizeof(id));
ret = hx509_cert_get_subject(c, &subject);
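Review bot: The new `if (ids->len > 10) return 0;` silently stops adding trust anchors without saying why, and as written it admits eleven entries before it stops. A named constant and a comment would make the intent reviewable, e.g. `/* cap the trustedCertifiers list sent to the KDC; further anchors are skipped, not an error */`, with `>=` if ten is the intended limit. The rest of `cert2epi` lies outside this hunk.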
@@ -211,7 +279,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
-
+
ret = hx509_name_binary(subject, id.subjectName);
if (ret) {
hx509_name_free(&subject);
@@ -231,8 +299,8 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
IssuerAndSerialNumber iasn;
hx509_name issuer;
- size_t size;
-
+ size_t size = 0;
+
memset(&iasn, 0, sizeof(iasn));
ret = hx509_cert_get_issuer(c, &issuer);
@@ -247,7 +315,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
free_ExternalPrincipalIdentifier(&id);
return ret;
}
-
+
ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
if (ret) {
free_IssuerAndSerialNumber(&iasn);
@@ -256,7 +324,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
}
ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
- id.issuerAndSerialNumber->data,
+ id.issuerAndSerialNumber->data,
id.issuerAndSerialNumber->length,
&iasn, &size, ret);
free_IssuerAndSerialNumber(&iasn);
@@ -268,7 +336,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
id.subjectKeyIdentifier = NULL;
- p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
+ p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
if (p == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
@@ -287,25 +355,24 @@ build_edi(krb5_context context,
hx509_certs certs,
ExternalPrincipalIdentifiers *ids)
{
- return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+ return hx509_certs_iter_f(hx509ctx, certs, cert2epi, ids);
}
static krb5_error_code
build_auth_pack(krb5_context context,
unsigned nonce,
krb5_pk_init_ctx ctx,
- DH *dh,
const KDC_REQ_BODY *body,
AuthPack *a)
{
- size_t buf_size, len;
+ size_t buf_size, len = 0;
krb5_error_code ret;
void *buf;
krb5_timestamp sec;
int32_t usec;
Checksum checksum;
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
memset(&checksum, 0, sizeof(checksum));
@@ -327,12 +394,13 @@ build_auth_pack(krb5_context context,
len,
&checksum);
free(buf);
- if (ret)
+ if (ret)
return ret;
ALLOC(a->pkAuthenticator.paChecksum, 1);
if (a->pkAuthenticator.paChecksum == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -342,25 +410,62 @@ build_auth_pack(krb5_context context,
if (ret)
return ret;
- if (dh) {
- DomainParameters dp;
- heim_integer dh_pub_key;
+ if (ctx->keyex == USE_DH || ctx->keyex == USE_ECDH) {
+ const char *moduli_file;
+ unsigned long dh_min_bits;
krb5_data dhbuf;
- size_t size;
+ size_t size = 0;
+
+ krb5_data_zero(&dhbuf);
+
+
+
+ moduli_file = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "moduli",
+ NULL);
+
+ dh_min_bits =
+ krb5_config_get_int_default(context, NULL, 0,
+ "libdefaults",
+ "pkinit_dh_min_bits",
+ NULL);
+
+ ret = _krb5_parse_moduli(context, moduli_file, &ctx->m);
+ if (ret)
+ return ret;
+
+ ctx->u.dh = DH_new();
+ if (ctx->u.dh == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = select_dh_group(context, ctx->u.dh, dh_min_bits, ctx->m);
+ if (ret)
+ return ret;
+
+ if (DH_generate_key(ctx->u.dh) != 1) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("pkinit: failed to generate DH key", ""));
+ return ENOMEM;
+ }
+
if (1 /* support_cached_dh */) {
ALLOC(a->clientDHNonce, 1);
if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
ret = krb5_data_alloc(a->clientDHNonce, 40);
if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
- return ENOMEM;
+ krb5_clear_error_message(context);
+ return ret;
}
- memset(a->clientDHNonce->data, 0, a->clientDHNonce->length);
- ret = krb5_copy_data(context, a->clientDHNonce,
+ RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length);
+ ret = krb5_copy_data(context, a->clientDHNonce,
&ctx->clientDHNonce);
if (ret)
return ret;
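Review bot: The check after `krb5_data_alloc(a->clientDHNonce, 40)` still tests `a->clientDHNonce == NULL`, which was already ruled out a few lines earlier, so a failed allocation is never detected even though the branch now returns `ret`; it should read `if (ret) {`. The return value of `RAND_bytes` is also ignored, so on RNG failure the request goes out with a clientDHNonce buffer that was never filled; `if (RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length) != 1) return KRB5_CRYPTO_INTERNAL;` would fail closed. The DH group selection and `DH_generate_key` above run for `USE_ECDH` as well as `USE_DH`, which looks unintended. `build_auth_pack` starts and ends outside this hunk.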
@@ -369,60 +474,131 @@ build_auth_pack(krb5_context context,
ALLOC(a->clientPublicValue, 1);
if (a->clientPublicValue == NULL)
return ENOMEM;
- ret = der_copy_oid(oid_id_dhpublicnumber(),
- &a->clientPublicValue->algorithm.algorithm);
- if (ret)
- return ret;
-
- memset(&dp, 0, sizeof(dp));
- ret = BN_to_integer(context, dh->p, &dp.p);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- ret = BN_to_integer(context, dh->g, &dp.g);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- ret = BN_to_integer(context, dh->q, &dp.q);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- dp.j = NULL;
- dp.validationParms = NULL;
+ if (ctx->keyex == USE_DH) {
+ DH *dh = ctx->u.dh;
+ DomainParameters dp;
+ heim_integer dh_pub_key;
+
+ ret = der_copy_oid(&asn1_oid_id_dhpublicnumber,
+ &a->clientPublicValue->algorithm.algorithm);
+ if (ret)
+ return ret;
+
+ memset(&dp, 0, sizeof(dp));
+
+ ret = BN_to_integer(context, dh->p, &dp.p);
+ if (ret) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+ ret = BN_to_integer(context, dh->g, &dp.g);
+ if (ret) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+ ret = BN_to_integer(context, dh->q, &dp.q);
+ if (ret) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+ dp.j = NULL;
+ dp.validationParms = NULL;
- a->clientPublicValue->algorithm.parameters =
- malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
- if (a->clientPublicValue->algorithm.parameters == NULL) {
+ a->clientPublicValue->algorithm.parameters =
+ malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
+ if (a->clientPublicValue->algorithm.parameters == NULL) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+
+ ASN1_MALLOC_ENCODE(DomainParameters,
+ a->clientPublicValue->algorithm.parameters->data,
+ a->clientPublicValue->algorithm.parameters->length,
+ &dp, &size, ret);
free_DomainParameters(&dp);
- return ret;
- }
+ if (ret)
+ return ret;
+ if (size != a->clientPublicValue->algorithm.parameters->length)
+ krb5_abortx(context, "Internal ASN1 encoder error");
- ASN1_MALLOC_ENCODE(DomainParameters,
- a->clientPublicValue->algorithm.parameters->data,
- a->clientPublicValue->algorithm.parameters->length,
- &dp, &size, ret);
- free_DomainParameters(&dp);
- if (ret)
- return ret;
- if (size != a->clientPublicValue->algorithm.parameters->length)
- krb5_abortx(context, "Internal ASN1 encoder error");
+ ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
+ if (ret)
+ return ret;
- ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
- if (ret)
- return ret;
+ ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
+ &dh_pub_key, &size, ret);
+ der_free_heim_integer(&dh_pub_key);
+ if (ret)
+ return ret;
+ if (size != dhbuf.length)
+ krb5_abortx(context, "asn1 internal error");
+ } else if (ctx->keyex == USE_ECDH) {
+#ifdef HAVE_OPENSSL
+ ECParameters ecp;
+ unsigned char *p;
+ int xlen;
+
+ /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */
+
+ ecp.element = choice_ECParameters_namedCurve;
+ ret = der_copy_oid(&asn1_oid_id_ec_group_secp256r1,
+ &ecp.u.namedCurve);
+ if (ret)
+ return ret;
- ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
- &dh_pub_key, &size, ret);
- der_free_heim_integer(&dh_pub_key);
- if (ret)
- return ret;
- if (size != dhbuf.length)
- krb5_abortx(context, "asn1 internal error");
+ ALLOC(a->clientPublicValue->algorithm.parameters, 1);
+ if (a->clientPublicValue->algorithm.parameters == NULL) {
+ free_ECParameters(&ecp);
+ return ENOMEM;
+ }
+ ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret);
+ free_ECParameters(&ecp);
+ if (ret)
+ return ret;
+ if ((int)size != xlen)
+ krb5_abortx(context, "asn1 internal error");
+
+ a->clientPublicValue->algorithm.parameters->data = p;
+ a->clientPublicValue->algorithm.parameters->length = size;
+
+ /* copy in public key */
+
+ ret = der_copy_oid(&asn1_oid_id_ecPublicKey,
+ &a->clientPublicValue->algorithm.algorithm);
+ if (ret)
+ return ret;
+
+ ctx->u.eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (ctx->u.eckey == NULL)
+ return ENOMEM;
+
+ ret = EC_KEY_generate_key(ctx->u.eckey);
+ if (ret != 1)
+ return EINVAL;
+ /* encode onto dhkey */
+
+ xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+ if (xlen <= 0)
+ abort();
+
+ dhbuf.data = malloc(xlen);
+ if (dhbuf.data == NULL)
+ abort();
+ dhbuf.length = xlen;
+ p = dhbuf.data;
+
+ xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+ if (xlen <= 0)
+ abort();
+
+ /* XXX verify that this is right with RFC3279 */
+#else
+ return EINVAL;
+#endif
+ } else
+ krb5_abortx(context, "internal error");
a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
}
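Review bot: In the `USE_DH` branch a failed `malloc` for `algorithm.parameters` does `return ret;` while `ret` is still 0 from the preceding `BN_to_integer`, so the caller sees success with no domain parameters encoded; it should be `return ENOMEM;`. The `USE_ECDH` branch handles the same class of failure with `abort()` after `malloc(xlen)` and after `i2o_ECPublicKey`, which takes down the calling process from inside a library; returning `ENOMEM` or `EINVAL` and freeing `dhbuf.data` would match the rest of the function. `ctx->u.eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);` also overwrites `ctx->u.dh`, which the earlier hunk allocated and keyed for both modes, because the two share one union; that DH object, private value included, can then no longer be freed through `ctx`. `ecp` is also used without the `memset` that `dp` gets. The function continues outside this hunk.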
@@ -432,7 +608,8 @@ build_auth_pack(krb5_context context,
if (a->supportedCMSTypes == NULL)
return ENOMEM;
- ret = hx509_crypto_available(ctx->id->hx509ctx, HX509_SELECT_ALL, NULL,
+ ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
+ ctx->id->cert,
&a->supportedCMSTypes->val,
&a->supportedCMSTypes->len);
if (ret)
@@ -442,9 +619,9 @@ build_auth_pack(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_ContentInfo(krb5_context context,
- const krb5_data *buf,
+ const krb5_data *buf,
const heim_oid *oid,
struct ContentInfo *content_info)
{
@@ -473,16 +650,16 @@ pk_mk_padata(krb5_context context,
{
struct ContentInfo content_info;
krb5_error_code ret;
- const heim_oid *oid;
- size_t size;
+ const heim_oid *oid = NULL;
+ size_t size = 0;
krb5_data buf, sd_buf;
- int pa_type;
+ int pa_type = -1;
krb5_data_zero(&buf);
krb5_data_zero(&sd_buf);
memset(&content_info, 0, sizeof(content_info));
- if (ctx->type == COMPAT_WIN2K) {
+ if (ctx->type == PKINIT_WIN2K) {
AuthPack_Win2k ap;
krb5_timestamp sec;
int32_t usec;
@@ -493,13 +670,13 @@ pk_mk_padata(krb5_context context,
ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
if (ret) {
free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
goto out;
}
ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
if (ret) {
free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
goto out;
}
@@ -512,19 +689,21 @@ pk_mk_padata(krb5_context context,
&ap, &size, ret);
free_AuthPack_Win2k(&ap);
if (ret) {
- krb5_set_error_string(context, "AuthPack_Win2k: %d", ret);
+ krb5_set_error_message(context, ret,
+ N_("Failed encoding AuthPackWin: %d", ""),
+ (int)ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "internal ASN1 encoder error");
- oid = oid_id_pkcs7_data();
- } else if (ctx->type == COMPAT_IETF) {
+ oid = &asn1_oid_id_pkcs7_data;
+ } else if (ctx->type == PKINIT_27) {
AuthPack ap;
-
+
memset(&ap, 0, sizeof(ap));
- ret = build_auth_pack(context, nonce, ctx, ctx->dh, req_body, &ap);
+ ret = build_auth_pack(context, nonce, ctx, req_body, &ap);
if (ret) {
free_AuthPack(&ap);
goto out;
@@ -533,35 +712,33 @@ pk_mk_padata(krb5_context context,
ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
free_AuthPack(&ap);
if (ret) {
- krb5_set_error_string(context, "AuthPack: %d", ret);
+ krb5_set_error_message(context, ret,
+ N_("Failed encoding AuthPack: %d", ""),
+ (int)ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "internal ASN1 encoder error");
- oid = oid_id_pkauthdata();
+ oid = &asn1_oid_id_pkauthdata;
} else
krb5_abortx(context, "internal pkinit error");
- ret = _krb5_pk_create_sign(context,
- oid,
- &buf,
- ctx->id,
- ctx->peer,
- &sd_buf);
+ ret = create_signature(context, oid, &buf, ctx->id,
+ ctx->peer, &sd_buf);
krb5_data_free(&buf);
if (ret)
goto out;
- ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &sd_buf, &buf);
+ ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &sd_buf, &buf);
krb5_data_free(&sd_buf);
if (ret) {
- krb5_set_error_string(context,
- "ContentInfo wrapping of signedData failed");
+ krb5_set_error_message(context, ret,
+ N_("ContentInfo wrapping of signedData failed",""));
goto out;
}
- if (ctx->type == COMPAT_WIN2K) {
+ if (ctx->type == PKINIT_WIN2K) {
PA_PK_AS_REQ_Win2k winreq;
pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
@@ -574,26 +751,30 @@ pk_mk_padata(krb5_context context,
&winreq, &size, ret);
free_PA_PK_AS_REQ_Win2k(&winreq);
- } else if (ctx->type == COMPAT_IETF) {
+ } else if (ctx->type == PKINIT_27) {
PA_PK_AS_REQ req;
pa_type = KRB5_PADATA_PK_AS_REQ;
memset(&req, 0, sizeof(req));
- req.signedAuthPack = buf;
+ req.signedAuthPack = buf;
if (ctx->trustedCertifiers) {
req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
if (req.trustedCertifiers == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
free_PA_PK_AS_REQ(&req);
goto out;
}
- ret = build_edi(context, ctx->id->hx509ctx,
+ ret = build_edi(context, context->hx509ctx,
ctx->id->anchors, req.trustedCertifiers);
if (ret) {
- krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+ krb5_set_error_message(context, ret,
+ N_("pk-init: failed to build "
+ "trustedCertifiers", ""));
free_PA_PK_AS_REQ(&req);
goto out;
}
@@ -608,7 +789,7 @@ pk_mk_padata(krb5_context context,
} else
krb5_abortx(context, "internal pkinit error");
if (ret) {
- krb5_set_error_string(context, "PA-PK-AS-REQ %d", ret);
+ krb5_set_error_message(context, ret, "PA-PK-AS-REQ %d", (int)ret);
goto out;
}
if (buf.length != size)
@@ -618,19 +799,21 @@ pk_mk_padata(krb5_context context,
if (ret)
free(buf.data);
- if (ret == 0 && ctx->type == COMPAT_WIN2K)
- krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
+ if (ret == 0)
+ krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
-out:
+ out:
free_ContentInfo(&content_info);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_padata(krb5_context context,
void *c,
+ int ic_flags,
+ int win2k,
const KDC_REQ_BODY *req_body,
unsigned nonce,
METHOD_DATA *md)
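Review bot: The second `krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0)` now runs for every PKINIT type, but its result is still discarded, so a failed add returns 0 from `pk_mk_padata` without the binding padata in the request. Assigning it, `ret = krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);`, lets the `out:` path report the failure. A one-line comment on why the binding is now sent for non-Win2k requests too would help, since the old condition was dropped without explanation. The start of `pk_mk_padata` and the body of `_krb5_pk_mk_padata` are outside this hunk.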
@@ -638,33 +821,44 @@ _krb5_pk_mk_padata(krb5_context context,
krb5_pk_init_ctx ctx = c;
int win2k_compat;
+ if (ctx->id->certs == NULL && ctx->anonymous == 0) {
+ krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
+ N_("PKINIT: No user certificate given", ""));
+ return HEIM_PKINIT_NO_PRIVATE_KEY;
+ }
+
win2k_compat = krb5_config_get_bool_default(context, NULL,
- FALSE,
+ win2k,
"realms",
req_body->realm,
"pkinit_win2k",
NULL);
if (win2k_compat) {
- ctx->require_binding =
+ ctx->require_binding =
krb5_config_get_bool_default(context, NULL,
- FALSE,
+ TRUE,
"realms",
req_body->realm,
"pkinit_win2k_require_binding",
NULL);
- ctx->type = COMPAT_WIN2K;
+ ctx->type = PKINIT_WIN2K;
} else
- ctx->type = COMPAT_IETF;
+ ctx->type = PKINIT_27;
- ctx->require_eku =
+ ctx->require_eku =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_eku",
NULL);
- ctx->require_krbtgt_otherName =
+ if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
+ ctx->require_eku = 0;
+ if (ctx->id->flags & PKINIT_BTMM)
+ ctx->require_eku = 0;
+
+ ctx->require_krbtgt_otherName =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
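Review bot: The two new overrides, `if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK) ctx->require_eku = 0;` and the `PKINIT_BTMM` one, clear `require_eku` after the realm's `pkinit_require_eku` has been read, so an administrator's explicit `true` is silently overridden and `pk_verify_host` later skips the PK-INIT KDC EKU check on the KDC certificate. That deserves a comment at the override, e.g. `/* caller or BTMM identity opts out of the KDC EKU check; this takes precedence over pkinit_require_eku */`, and ideally a debug trace when it happens. The new first check also dereferences `ctx->id` unconditionally; whether it can be NULL for an anonymous context is not visible here. The function continues outside this hunk.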
@@ -672,7 +866,7 @@ _krb5_pk_mk_padata(krb5_context context,
"pkinit_require_krbtgt_otherName",
NULL);
- ctx->require_hostname_match =
+ ctx->require_hostname_match =
krb5_config_get_bool_default(context, NULL,
FALSE,
"realms",
@@ -680,7 +874,7 @@ _krb5_pk_mk_padata(krb5_context context,
"pkinit_require_hostname_match",
NULL);
- ctx->trustedCertifiers =
+ ctx->trustedCertifiers =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
@@ -691,22 +885,30 @@ _krb5_pk_mk_padata(krb5_context context,
return pk_mk_padata(context, ctx, req_body, nonce, md);
}
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_verify_sign(krb5_context context,
- const void *data,
- size_t length,
- struct krb5_pk_identity *id,
- heim_oid *contentType,
- krb5_data *content,
- struct krb5_pk_cert **signer)
+static krb5_error_code
+pk_verify_sign(krb5_context context,
+ const void *data,
+ size_t length,
+ struct krb5_pk_identity *id,
+ heim_oid *contentType,
+ krb5_data *content,
+ struct krb5_pk_cert **signer)
{
hx509_certs signer_certs;
- int ret;
+ int ret, flags = 0;
+
+ /* BTMM is broken in Leo and SnowLeo */
+ if (id->flags & PKINIT_BTMM) {
+ flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
+ flags |= HX509_CMS_VS_NO_KU_CHECK;
+ flags |= HX509_CMS_VS_NO_VALIDATE;
+ }
*signer = NULL;
- ret = hx509_cms_verify_signed(id->hx509ctx,
+ ret = hx509_cms_verify_signed(context->hx509ctx,
id->verify_ctx,
+ flags,
data,
length,
NULL,
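Review bot: For `PKINIT_BTMM` identities `pk_verify_sign` now sets `HX509_CMS_VS_NO_VALIDATE` and `HX509_CMS_VS_NO_KU_CHECK`, which by their names switch off validation of the signer's certificate and its key usage on the KDC's signed reply, and the only explanation is `/* BTMM is broken in Leo and SnowLeo */`. The comment should state what still authenticates the KDC in that mode and who may set the flag, for example `/* BTMM KDCs send replies that fail CMS validation; signer chain and KU are NOT checked here, trust comes from <where it is established> */`. If only one of the three relaxations is needed for interoperability, the other two are better left off. The remainder of the function is in the next hunk.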
@@ -715,26 +917,26 @@ _krb5_pk_verify_sign(krb5_context context,
content,
&signer_certs);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "CMS verify signed failed");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "CMS verify signed failed");
return ret;
}
*signer = calloc(1, sizeof(**signer));
if (*signer == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
-
- ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
+
+ ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to get on of the signer certs");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to get on of the signer certs");
goto out;
}
-out:
+ out:
hx509_certs_free(&signer_certs);
if (ret) {
if (*signer) {
@@ -762,29 +964,32 @@ get_reply_key_win(krb5_context context,
&key_pack,
&size);
if (ret) {
- krb5_set_error_string(context, "PKINIT decoding reply key failed");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return ret;
}
-
- if (key_pack.nonce != nonce) {
- krb5_set_error_string(context, "PKINIT enckey nonce is wrong");
+
+ if ((unsigned)key_pack.nonce != nonce) {
+ krb5_set_error_message(context, ret,
+ N_("PKINIT enckey nonce is wrong", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return KRB5KRB_AP_ERR_MODIFIED;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
- krb5_set_error_string(context, "PKINIT failed allocating reply key");
free_ReplyKeyPack_Win2k(&key_pack);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack_Win2k(&key_pack);
if (ret) {
- krb5_set_error_string(context, "PKINIT failed copying reply key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
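Review bot: In the nonce-mismatch branch `krb5_set_error_message(context, ret, ...)` is called while `ret` is 0 from the successful decode, yet the function returns `KRB5KRB_AP_ERR_MODIFIED`, so the message is stored under a different code than the one the caller receives. Pass the returned code instead: `krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, N_("PKINIT enckey nonce is wrong", ""));`. The `(unsigned)key_pack.nonce` cast also merits a short comment saying the comparison is deliberately done in unsigned space. `get_reply_key_win` begins outside this hunk.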
@@ -807,15 +1012,16 @@ get_reply_key(krb5_context context,
&key_pack,
&size);
if (ret) {
- krb5_set_error_string(context, "PKINIT decoding reply key failed");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack(&key_pack);
return ret;
}
-
+
{
krb5_crypto crypto;
- /*
+ /*
* XXX Verify kp.replyKey is a allowed enctype in the
* configuration file
*/
@@ -838,16 +1044,17 @@ get_reply_key(krb5_context context,
*key = malloc (sizeof (**key));
if (*key == NULL) {
- krb5_set_error_string(context, "PKINIT failed allocating reply key");
free_ReplyKeyPack(&key_pack);
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack(&key_pack);
if (ret) {
- krb5_set_error_string(context, "PKINIT failed copying reply key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
@@ -866,24 +1073,27 @@ pk_verify_host(krb5_context context,
krb5_error_code ret = 0;
if (ctx->require_eku) {
- ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
- oid_id_pkkdcekuoid(), 0);
+ ret = hx509_cert_check_eku(context->hx509ctx, host->cert,
+ &asn1_oid_id_pkkdcekuoid, 0);
if (ret) {
- krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
+ krb5_set_error_message(context, ret,
+ N_("No PK-INIT KDC EKU in kdc certificate", ""));
return ret;
}
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
- int i;
+ size_t i;
- ret = hx509_cert_find_subjectAltName_otherName(ctx->id->hx509ctx,
+ ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
host->cert,
- oid_id_pkinit_san(),
+ &asn1_oid_id_pkinit_san,
&list);
if (ret) {
- krb5_set_error_string(context, "Failed to find the PK-INIT "
- "subjectAltName in the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Failed to find the PK-INIT "
+ "subjectAltName in the KDC "
+ "certificate", ""));
return ret;
}
@@ -896,8 +1106,10 @@ pk_verify_host(krb5_context context,
&r,
NULL);
if (ret) {
- krb5_set_error_string(context, "Failed to decode the PK-INIT "
- "subjectAltName in the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode the PK-INIT "
+ "subjectAltName in the "
+ "KDC certificate", ""));
break;
}
@@ -906,11 +1118,12 @@ pk_verify_host(krb5_context context,
strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
strcmp(r.principalName.name_string.val[1], realm) != 0 ||
strcmp(r.realm, realm) != 0)
- {
- krb5_set_error_string(context, "KDC have wrong realm name in "
- "the certificate");
- ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
- }
+ {
+ ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
+ krb5_set_error_message(context, ret,
+ N_("KDC have wrong realm name in "
+ "the certificate", ""));
+ }
free_KRB5PrincipalName(&r);
if (ret)
@@ -920,17 +1133,18 @@ pk_verify_host(krb5_context context,
}
if (ret)
return ret;
-
+
if (hi) {
- ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
+ ret = hx509_verify_hostname(context->hx509ctx, host->cert,
ctx->require_hostname_match,
HX509_HN_HOSTNAME,
hi->hostname,
hi->ai->ai_addr, hi->ai->ai_addrlen);
if (ret)
- krb5_set_error_string(context, "Address mismatch in "
- "the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Address mismatch in "
+ "the KDC certificate", ""));
}
return ret;
}
@@ -947,81 +1161,91 @@ pk_rd_pa_reply_enckey(krb5_context context,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
- krb5_keyblock **key)
+ krb5_keyblock **key)
{
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
krb5_data content;
heim_oid contentType = { 0, NULL };
+ int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
- if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
- krb5_set_error_string(context, "PKINIT: Invalid content type");
+ if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_envelopedData, dataType)) {
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
- ret = hx509_cms_unenvelope(ctx->id->hx509ctx,
+ if (ctx->type == PKINIT_WIN2K)
+ flags |= HX509_CMS_UE_ALLOW_WEAK;
+
+ ret = hx509_cms_unenvelope(context->hx509ctx,
ctx->id->certs,
- HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT,
+ flags,
indata->data,
indata->length,
NULL,
+ 0,
&contentType,
&content);
if (ret) {
- _krb5_pk_copy_error(context, ctx->id->hx509ctx, ret,
- "Failed to unenvelope CMS data in PK-INIT reply");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to unenvelope CMS data in PK-INIT reply");
return ret;
}
der_free_oid(&contentType);
-#if 0 /* windows LH with interesting CMS packets, leaks memory */
- {
- size_t ph = 1 + der_length_len (length);
- unsigned char *ptr = malloc(length + ph);
- size_t l;
+ /* win2k uses ContentInfo */
+ if (type == PKINIT_WIN2K) {
+ heim_oid type2;
+ heim_octet_string out;
- memcpy(ptr + ph, p, length);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ if (ret) {
+ /* windows LH with interesting CMS packets */
+ size_t ph = 1 + der_length_len(content.length);
+ unsigned char *ptr = malloc(content.length + ph);
+ size_t l;
- ret = der_put_length_and_tag (ptr + ph - 1, ph, length,
- ASN1_C_UNIV, CONS, UT_Sequence, &l);
- if (ret)
- return ret;
- ptr += ph - l;
- length += l;
- p = ptr;
- }
-#endif
+ memcpy(ptr + ph, content.data, content.length);
- /* win2k uses ContentInfo */
- if (type == COMPAT_WIN2K) {
- heim_oid type;
- heim_octet_string out;
+ ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
+ ASN1_C_UNIV, CONS, UT_Sequence, &l);
+ if (ret)
+ return ret;
+ free(content.data);
+ content.data = ptr;
+ content.length += ph;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
- if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) {
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ if (ret)
+ goto out;
+ }
+ if (der_heim_oid_cmp(&type2, &asn1_oid_id_pkcs7_signedData)) {
ret = EINVAL; /* XXX */
- krb5_set_error_string(context, "PKINIT: Invalid content type");
- der_free_oid(&type);
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Invalid content type", ""));
+ der_free_oid(&type2);
der_free_octet_string(&out);
goto out;
}
- der_free_oid(&type);
+ der_free_oid(&type2);
krb5_data_free(&content);
ret = krb5_data_copy(&content, out.data, out.length);
der_free_octet_string(&out);
if (ret) {
- krb5_set_error_string(context, "PKINIT: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
}
- ret = _krb5_pk_verify_sign(context,
- content.data,
- content.length,
- ctx->id,
- &contentType,
- &content,
- &host);
+ ret = pk_verify_sign(context,
+ content.data,
+ content.length,
+ ctx->id,
+ &contentType,
+ &content,
+ &host);
if (ret)
goto out;
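Review bot: In the new Win2K fallback inside `pk_rd_pa_reply_enckey`, the result of `malloc(content.length + ph)` is handed to `memcpy` without a NULL check. `content.length` comes from the decoded reply, so the allocation size is driven by network input. The `if (ret) return ret;` after `der_put_length_and_tag` also returns directly, which leaks `ptr` and bypasses the `out` label that the rest of the function uses. I would check the allocation and send both failures to `out`, as sketched below. The `out` label is outside this hunk, so this assumes it releases `content`.

```c
unsigned char *ptr = malloc(content.length + ph);
size_t l;

if (ptr == NULL) {
    ret = ENOMEM;
    krb5_set_error_message(context, ret,
                           N_("malloc: out of memory", ""));
    goto out;
}
/* … unchanged: memcpy and der_put_length_and_tag call … */
if (ret) {
    free(ptr);
    goto out;
}
/* … unchanged: swap ptr into content and retry the unwrap … */
```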
@@ -1032,28 +1256,28 @@ pk_rd_pa_reply_enckey(krb5_context context,
}
#if 0
- if (type == COMPAT_WIN2K) {
- if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
- krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
+ if (type == PKINIT_WIN2K) {
+ if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) != 0) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
+ krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
} else {
- if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) {
- krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
+ if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkrkeydata) != 0) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
+ krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
}
#endif
switch(type) {
- case COMPAT_WIN2K:
+ case PKINIT_WIN2K:
ret = get_reply_key(context, &content, req_buffer, key);
if (ret != 0 && ctx->require_binding == 0)
ret = get_reply_key_win(context, &content, nonce, key);
break;
- case COMPAT_IETF:
+ case PKINIT_27:
ret = get_reply_key(context, &content, req_buffer, key);
break;
}
@@ -1085,31 +1309,33 @@ pk_rd_pa_reply_dh(krb5_context context,
PA_DATA *pa,
krb5_keyblock **key)
{
- unsigned char *p, *dh_gen_key = NULL;
+ const unsigned char *p;
+ unsigned char *dh_gen_key = NULL;
struct krb5_pk_cert *host = NULL;
BIGNUM *kdc_dh_pubkey = NULL;
KDCDHKeyInfo kdc_dh_info;
heim_oid contentType = { 0, NULL };
krb5_data content;
krb5_error_code ret;
- int dh_gen_keylen;
+ int dh_gen_keylen = 0;
size_t size;
krb5_data_zero(&content);
memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
- if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) {
- krb5_set_error_string(context, "PKINIT: Invalid content type");
+ if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_signedData, dataType)) {
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
- ret = _krb5_pk_verify_sign(context,
- indata->data,
- indata->length,
- ctx->id,
- &contentType,
- &content,
- &host);
+ ret = pk_verify_sign(context,
+ indata->data,
+ indata->length,
+ ctx->id,
+ &contentType,
+ &content,
+ &host);
if (ret)
goto out;
@@ -1118,9 +1344,10 @@ pk_rd_pa_reply_dh(krb5_context context,
if (ret)
goto out;
- if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) {
- krb5_set_error_string(context, "pkinit - dh reply contains wrong oid");
+ if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
+ krb5_set_error_message(context, ret,
+ N_("pkinit - dh reply contains wrong oid", ""));
goto out;
}
@@ -1130,35 +1357,40 @@ pk_rd_pa_reply_dh(krb5_context context,
&size);
if (ret) {
- krb5_set_error_string(context, "pkinit - "
- "failed to decode KDC DH Key Info");
+ krb5_set_error_message(context, ret,
+ N_("pkinit - failed to decode "
+ "KDC DH Key Info", ""));
goto out;
}
if (kdc_dh_info.nonce != nonce) {
- krb5_set_error_string(context, "PKINIT: DH nonce is wrong");
ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: DH nonce is wrong", ""));
goto out;
}
if (kdc_dh_info.dhKeyExpiration) {
if (k_n == NULL) {
- krb5_set_error_string(context, "pkinit; got key expiration "
- "without server nonce");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ N_("pkinit; got key expiration "
+ "without server nonce", ""));
goto out;
}
if (c_n == NULL) {
- krb5_set_error_string(context, "pkinit; got DH reuse but no "
- "client nonce");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ N_("pkinit; got DH reuse but no "
+ "client nonce", ""));
goto out;
}
} else {
if (k_n) {
- krb5_set_error_string(context, "pkinit: got server nonce "
- "without key expiration");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ N_("pkinit: got server nonce "
+ "without key expiration", ""));
goto out;
}
c_n = NULL;
@@ -1168,49 +1400,110 @@ pk_rd_pa_reply_dh(krb5_context context,
p = kdc_dh_info.subjectPublicKey.data;
size = (kdc_dh_info.subjectPublicKey.length + 7) / 8;
- {
+ if (ctx->keyex == USE_DH) {
DHPublicKey k;
ret = decode_DHPublicKey(p, size, &k, NULL);
if (ret) {
- krb5_set_error_string(context, "pkinit: can't decode "
- "without key expiration");
+ krb5_set_error_message(context, ret,
+ N_("pkinit: can't decode "
+ "without key expiration", ""));
goto out;
}
kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k);
free_DHPublicKey(&k);
if (kdc_dh_pubkey == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+
+ size = DH_size(ctx->u.dh);
+
+ dh_gen_key = malloc(size);
+ if (dh_gen_key == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
+ }
+
+ dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh);
+ if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
+ dh_gen_keylen = 0;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Can't compute Diffie-Hellman key", ""));
goto out;
}
- }
-
- dh_gen_keylen = DH_size(ctx->dh);
- size = BN_num_bytes(ctx->dh->p);
- if (size < dh_gen_keylen)
- size = dh_gen_keylen;
+ if (dh_gen_keylen < (int)size) {
+ size -= dh_gen_keylen;
+ memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
+ memset(dh_gen_key, 0, size);
+ }
- dh_gen_key = malloc(size);
- if (dh_gen_key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto out;
+ } else {
+#ifdef HAVE_OPENSSL
+ const EC_GROUP *group;
+ EC_KEY *public = NULL;
+
+ group = EC_KEY_get0_group(ctx->u.eckey);
+
+ public = EC_KEY_new();
+ if (public == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+ if (EC_KEY_set_group(public, group) != 1) {
+ EC_KEY_free(public);
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if (o2i_ECPublicKey(&public, &p, size) == NULL) {
+ EC_KEY_free(public);
+ ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Can't parse ECDH public key", ""));
+ goto out;
+ }
+
+ size = (EC_GROUP_get_degree(group) + 7) / 8;
+ dh_gen_key = malloc(size);
+ if (dh_gen_key == NULL) {
+ EC_KEY_free(public);
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
+ EC_KEY_get0_public_key(public), ctx->u.eckey, NULL);
+ EC_KEY_free(public);
+ if (dh_gen_keylen == -1) {
+ ret = KRB5KRB_ERR_GENERIC;
+ dh_gen_keylen = 0;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Can't compute ECDH public key", ""));
+ goto out;
+ }
+#else
+ ret = EINVAL;
+#endif
}
- memset(dh_gen_key, 0, size - dh_gen_keylen);
- dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
- kdc_dh_pubkey, ctx->dh);
- if (dh_gen_keylen == -1) {
- krb5_set_error_string(context,
- "PKINIT: Can't compute Diffie-Hellman key");
- ret = KRB5KRB_ERR_GENERIC;
+ if (dh_gen_keylen <= 0) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: resulting DH key <= 0", ""));
+ dh_gen_keylen = 0;
goto out;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
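Review bot: After the left-padding step in the `USE_DH` branch (`memmove` followed by `memset(dh_gen_key, 0, size)`), `dh_gen_keylen` still holds the unpadded length returned by `DH_compute_key`, although the secret now fills the whole `DH_size` buffer. If the key-derivation call further down (outside this hunk) is given `dh_gen_keylen`, it would consume the zero prefix and drop the tail of the shared secret. The cleanup `memset(dh_gen_key, 0, dh_gen_keylen)` in the later hunk at the `out` label would likewise leave those tail bytes uncleared before `free`. I would add `dh_gen_keylen += size;` as the last statement of the padding block, and wipe the full allocated size at cleanup rather than the computed length.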
@@ -1220,8 +1513,8 @@ pk_rd_pa_reply_dh(krb5_context context,
c_n, k_n,
*key);
if (ret) {
- krb5_set_error_string(context,
- "PKINIT: can't create key from DH key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: can't create key from DH key", ""));
free(*key);
*key = NULL;
goto out;
@@ -1231,7 +1524,7 @@ pk_rd_pa_reply_dh(krb5_context context,
if (kdc_dh_pubkey)
BN_free(kdc_dh_pubkey);
if (dh_gen_key) {
- memset(dh_gen_key, 0, DH_size(ctx->dh));
+ memset(dh_gen_key, 0, dh_gen_keylen);
free(dh_gen_key);
}
if (host)
@@ -1244,7 +1537,7 @@ pk_rd_pa_reply_dh(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_rd_pa_reply(krb5_context context,
const char *realm,
void *c,
@@ -1260,13 +1553,14 @@ _krb5_pk_rd_pa_reply(krb5_context context,
size_t size;
/* Check for IETF PK-INIT first */
- if (ctx->type == COMPAT_IETF) {
+ if (ctx->type == PKINIT_27) {
PA_PK_AS_REP rep;
heim_octet_string os, data;
heim_oid oid;
-
+
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_string(context, "PKINIT: wrong padata recv");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: wrong padata recv", ""));
return EINVAL;
}
@@ -1275,28 +1569,65 @@ _krb5_pk_rd_pa_reply(krb5_context context,
&rep,
&size);
if (ret) {
- krb5_set_error_string(context, "Failed to decode pkinit AS rep");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode pkinit AS rep", ""));
return ret;
}
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
+ _krb5_debug(context, 5, "krb5_get_init_creds: using pkinit dh");
os = rep.u.dhInfo.dhSignedData;
break;
case choice_PA_PK_AS_REP_encKeyPack:
+ _krb5_debug(context, 5, "krb5_get_init_creds: using kinit enc reply key");
os = rep.u.encKeyPack;
break;
- default:
+ default: {
+ PA_PK_AS_REP_BTMM btmm;
free_PA_PK_AS_REP(&rep);
- krb5_set_error_string(context, "PKINIT: -27 reply "
- "invalid content type");
- return EINVAL;
+ memset(&rep, 0, sizeof(rep));
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
+
+ ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
+ pa->padata_value.length,
+ &btmm,
+ &size);
+ if (ret) {
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: -27 reply "
+ "invalid content type", ""));
+ return EINVAL;
+ }
+
+ if (btmm.dhSignedData || btmm.encKeyPack == NULL) {
+ free_PA_PK_AS_REP_BTMM(&btmm);
+ ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("DH mode not supported for BTMM mode", ""));
+ return ret;
+ }
+
+ /*
+ * Transform to IETF style PK-INIT reply so that free works below
+ */
+
+ rep.element = choice_PA_PK_AS_REP_encKeyPack;
+ rep.u.encKeyPack.data = btmm.encKeyPack->data;
+ rep.u.encKeyPack.length = btmm.encKeyPack->length;
+ btmm.encKeyPack->data = NULL;
+ btmm.encKeyPack->length = 0;
+ free_PA_PK_AS_REP_BTMM(&btmm);
+ os = rep.u.encKeyPack;
+ }
}
ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
if (ret) {
free_PA_PK_AS_REP(&rep);
- krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
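Review bot: The new `default:` branch retries the padata as `PA_PK_AS_REP_BTMM` for any unrecognised choice, and nothing visible in this hunk checks that the client actually selected BTMM mode (the `PKINIT_BTMM` bit that this commit sets on `ctx->id->flags` in `_krb5_pk_set_user_id`). Unless that is enforced outside the hunk, I would guard the fallback with `if ((ctx->id->flags & PKINIT_BTMM) == 0)` and keep the original `EINVAL` "invalid content type" return for that case, so that the alternative encoding is only accepted when it was expected. Two smaller points: the debug line "using BTMM kinit enc reply key" is emitted before the decode has succeeded, and the decoder's own `ret` is discarded in favour of `EINVAL`.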
@@ -1308,7 +1639,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_encKeyPack:
- ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &data, &oid, realm,
+ ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
ctx, etype, hi, nonce, req_buffer, pa, key);
break;
default:
@@ -1318,46 +1649,49 @@ _krb5_pk_rd_pa_reply(krb5_context context,
der_free_oid(&oid);
free_PA_PK_AS_REP(&rep);
- } else if (ctx->type == COMPAT_WIN2K) {
+ } else if (ctx->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k w2krep;
- /* Check for Windows encoding of the AS-REP pa data */
+ /* Check for Windows encoding of the AS-REP pa data */
#if 0 /* should this be ? */
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_string(context, "PKINIT: wrong padata recv");
+ krb5_set_error_message(context, EINVAL,
+ "PKINIT: wrong padata recv");
return EINVAL;
}
#endif
memset(&w2krep, 0, sizeof(w2krep));
-
+
ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
pa->padata_value.length,
&w2krep,
&size);
if (ret) {
- krb5_set_error_string(context, "PKINIT: Failed decoding windows "
- "pkinit reply %d", ret);
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Failed decoding windows "
+ "pkinit reply %d", ""), (int)ret);
return ret;
}
- krb5_clear_error_string(context);
-
+ krb5_clear_error_message(context);
+
switch (w2krep.element) {
case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
heim_octet_string data;
heim_oid oid;
-
- ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
+
+ ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
if (ret) {
- krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
- ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &data, &oid, realm,
+ ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, realm,
ctx, etype, hi, nonce, req_buffer, pa, key);
der_free_octet_string(&data);
der_free_oid(&oid);
@@ -1366,15 +1700,17 @@ _krb5_pk_rd_pa_reply(krb5_context context,
}
default:
free_PA_PK_AS_REP_Win2k(&w2krep);
- krb5_set_error_string(context, "PKINIT: win2k reply invalid "
- "content type");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: win2k reply invalid "
+ "content type", ""));
break;
}
-
+
} else {
- krb5_set_error_string(context, "PKINIT: unknown reply type");
ret = EINVAL;
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: unknown reply type", ""));
}
return ret;
@@ -1386,14 +1722,14 @@ struct prompter {
void *prompter_data;
};
-static int
+static int
hx_pass_prompter(void *data, const hx509_prompt *prompter)
{
krb5_error_code ret;
krb5_prompt prompt;
krb5_data password_data;
struct prompter *p = data;
-
+
password_data.data = prompter->reply.data;
password_data.length = prompter->reply.length;
@@ -1410,8 +1746,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
default:
prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
break;
- }
-
+ }
+
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
memset (prompter->reply.data, 0, prompter->reply.length);
@@ -1420,16 +1756,80 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
return 0;
}
-
-void KRB5_LIB_FUNCTION
-_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
- int boolean)
+static krb5_error_code
+_krb5_pk_set_user_id(krb5_context context,
+ krb5_principal principal,
+ krb5_pk_init_ctx ctx,
+ struct hx509_certs_data *certs)
{
- hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
-}
+ hx509_certs c = hx509_certs_ref(certs);
+ hx509_query *q = NULL;
+ int ret;
+ if (ctx->id->certs)
+ hx509_certs_free(&ctx->id->certs);
+ if (ctx->id->cert) {
+ hx509_cert_free(ctx->id->cert);
+ ctx->id->cert = NULL;
+ }
-krb5_error_code KRB5_LIB_FUNCTION
+ ctx->id->certs = c;
+ ctx->anonymous = 0;
+
+ ret = hx509_query_alloc(context->hx509ctx, &q);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Allocate query to find signing certificate");
+ return ret;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+ if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
+ ctx->id->flags |= PKINIT_BTMM;
+ }
+
+ ret = find_cert(context, ctx->id, q, &ctx->id->cert);
+ hx509_query_free(context->hx509ctx, q);
+
+ if (ret == 0 && _krb5_have_debug(context, 2)) {
+ hx509_name name;
+ char *str, *sn;
+ heim_integer i;
+
+ ret = hx509_cert_get_subject(ctx->id->cert, &name);
+ if (ret)
+ goto out;
+
+ ret = hx509_name_to_string(name, &str);
+ hx509_name_free(&name);
+ if (ret)
+ goto out;
+
+ ret = hx509_cert_get_serialnumber(ctx->id->cert, &i);
+ if (ret) {
+ free(str);
+ goto out;
+ }
+
+ ret = der_print_hex_heim_integer(&i, &sn);
+ der_free_heim_integer(&i);
+ if (ret) {
+ free(name);
+ goto out;
+ }
+
+ _krb5_debug(context, 2, "using cert: subject: %s sn: %s", str, sn);
+ free(str);
+ free(sn);
+ }
+ out:
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_load_id(krb5_context context,
struct krb5_pk_identity **ret_id,
const char *user_id,
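Review bot: The realm test in the new `_krb5_pk_set_user_id`, `strncmp("LKDC:SHA1.", ..., 9)`, compares only nine of the prefix's ten characters, so the trailing dot is never checked and any realm that merely begins with `LKDC:SHA1` turns on `PKINIT_BTMM`. The length should be `10`, or better `sizeof("LKDC:SHA1.") - 1`. In the debug block, the failure path after `der_print_hex_heim_integer` calls `free(name)`, but `name` is an `hx509_name` that `hx509_name_free(&name)` has already released, while `str` is leaked; that line should be `free(str);`. Separately, a failure in these debug-only lookups is returned to the caller as an error even though the certificate was found, so it may be worth resetting `ret` to 0 on that path.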
@@ -1441,190 +1841,187 @@ _krb5_pk_load_id(krb5_context context,
char *password)
{
struct krb5_pk_identity *id = NULL;
- hx509_lock lock = NULL;
struct prompter p;
int ret;
*ret_id = NULL;
if (anchor_id == NULL) {
- krb5_set_error_string(context, "PKINIT: No anchor given");
+ krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
+ N_("PKINIT: No anchor given", ""));
return HEIM_PKINIT_NO_VALID_CA;
}
- if (user_id == NULL) {
- krb5_set_error_string(context,
- "PKINIT: No user certificate given");
- return HEIM_PKINIT_NO_PRIVATE_KEY;
- }
-
/* load cert */
id = calloc(1, sizeof(*id));
if (id == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
- }
+ }
- ret = hx509_context_init(&id->hx509ctx);
- if (ret)
- goto out;
+ if (user_id) {
+ hx509_lock lock;
- ret = hx509_lock_init(id->hx509ctx, &lock);
- if (password && password[0])
- hx509_lock_add_password(lock, password);
+ ret = hx509_lock_init(context->hx509ctx, &lock);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
+ goto out;
+ }
- if (prompter) {
- p.context = context;
- p.prompter = prompter;
- p.prompter_data = prompter_data;
+ if (password && password[0])
+ hx509_lock_add_password(lock, password);
- ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
- if (ret)
- goto out;
- }
+ if (prompter) {
+ p.context = context;
+ p.prompter = prompter;
+ p.prompter_data = prompter_data;
- ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init cert certs");
- goto out;
+ ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
+ if (ret) {
+ hx509_lock_free(lock);
+ goto out;
+ }
+ }
+
+ ret = hx509_certs_init(context->hx509ctx, user_id, 0, lock, &id->certs);
+ hx509_lock_free(lock);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to init cert certs");
+ goto out;
+ }
+ } else {
+ id->certs = NULL;
}
- ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
+ ret = hx509_certs_init(context->hx509ctx, anchor_id, 0, NULL, &id->anchors);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init anchors");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to init anchors");
goto out;
}
- ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
+ ret = hx509_certs_init(context->hx509ctx, "MEMORY:pkinit-cert-chain",
0, NULL, &id->certpool);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init chain");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to init chain");
goto out;
}
while (chain_list && *chain_list) {
- ret = hx509_certs_append(id->hx509ctx, id->certpool,
+ ret = hx509_certs_append(context->hx509ctx, id->certpool,
NULL, *chain_list);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to laod chain %s",
- *chain_list);
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to laod chain %s",
+ *chain_list);
goto out;
}
chain_list++;
}
if (revoke_list) {
- ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
+ ret = hx509_revoke_init(context->hx509ctx, &id->revokectx);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed init revoke list");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed init revoke list");
goto out;
}
while (*revoke_list) {
- ret = hx509_revoke_add_crl(id->hx509ctx,
+ ret = hx509_revoke_add_crl(context->hx509ctx,
id->revokectx,
*revoke_list);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed load revoke list");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed load revoke list");
goto out;
}
revoke_list++;
}
} else
- hx509_context_set_missing_revoke(id->hx509ctx, 1);
+ hx509_context_set_missing_revoke(context->hx509ctx, 1);
- ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
+ ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx);
if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed init verify context");
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed init verify context");
goto out;
}
hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
-out:
+ out:
if (ret) {
hx509_verify_destroy_ctx(id->verify_ctx);
hx509_certs_free(&id->certs);
hx509_certs_free(&id->anchors);
hx509_certs_free(&id->certpool);
hx509_revoke_free(&id->revokectx);
- hx509_context_free(&id->hx509ctx);
free(id);
} else
*ret_id = id;
- hx509_lock_free(lock);
-
return ret;
}
-static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
- struct krb5_dh_moduli **moduli)
+/*
+ *
+ */
+
+static void
+pk_copy_error(krb5_context context,
+ hx509_context hx509ctx,
+ int hxret,
+ const char *fmt,
+ ...)
{
- const struct krb5_dh_moduli *m;
+ va_list va;
+ char *s, *f;
+ int ret;
- if (bits == 0) {
- m = moduli[1]; /* XXX */
- if (m == NULL)
- m = moduli[0]; /* XXX */
- } else {
- int i;
- for (i = 0; moduli[i] != NULL; i++) {
- if (bits < moduli[i]->bits)
- break;
- }
- if (moduli[i] == NULL) {
- krb5_set_error_string(context,
- "Did not find a DH group parameter "
- "matching requirement of %lu bits",
- bits);
- return EINVAL;
- }
- m = moduli[i];
+ va_start(va, fmt);
+ ret = vasprintf(&f, fmt, va);
+ va_end(va);
+ if (ret == -1 || f == NULL) {
+ krb5_clear_error_message(context);
+ return;
}
- dh->p = integer_to_BN(context, "p", &m->p);
- if (dh->p == NULL)
- return ENOMEM;
- dh->g = integer_to_BN(context, "g", &m->g);
- if (dh->g == NULL)
- return ENOMEM;
- dh->q = integer_to_BN(context, "q", &m->q);
- if (dh->q == NULL)
- return ENOMEM;
-
- return 0;
+ s = hx509_get_error_string(hx509ctx, hxret);
+ if (s == NULL) {
+ krb5_clear_error_message(context);
+ free(f);
+ return;
+ }
+ krb5_set_error_message(context, hxret, "%s: %s", f, s);
+ free(s);
+ free(f);
}
-#endif /* PKINIT */
-
static int
-parse_integer(krb5_context context, char **p, const char *file, int lineno,
+parse_integer(krb5_context context, char **p, const char *file, int lineno,
const char *name, heim_integer *integer)
{
int ret;
char *p1;
p1 = strsep(p, " \t");
if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing %s on line %d",
- file, name, lineno);
+ krb5_set_error_message(context, EINVAL,
+ N_("moduli file %s missing %s on line %d", ""),
+ file, name, lineno);
return EINVAL;
}
ret = der_parse_hex_heim_integer(p1, integer);
if (ret) {
- krb5_set_error_string(context, "moduli file %s failed parsing %s "
- "on line %d",
- file, name, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s failed parsing %s "
+ "on line %d", ""),
+ file, name, lineno);
return ret;
}
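Review bot: When no `revoke_list` is supplied, `hx509_context_set_missing_revoke(context->hx509ctx, 1)` in `_krb5_pk_load_id` now relaxes revocation handling on the hx509 context owned by the `krb5_context`. The old code did this on a per-identity context that was freed with the identity. The setting therefore appears to persist for every later hx509 verification made through the same `krb5_context`, including identities loaded afterwards with CRLs configured; I cannot confirm from this hunk whether anything resets it. At minimum I would document it at the call, e.g. `/* no CRLs configured: tolerates missing revocation data on the shared hx509 context, not just this identity */`, and preferably scope the relaxation to `id->verify_ctx` if hx509 offers a per-verify-context equivalent. The hunk starts inside `_krb5_pk_load_id`'s parameter list and also covers `pk_copy_error` and part of `parse_integer`.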
@@ -1632,7 +2029,7 @@ parse_integer(krb5_context context, char **p, const char *file, int lineno,
}
krb5_error_code
-_krb5_parse_moduli_line(krb5_context context,
+_krb5_parse_moduli_line(krb5_context context,
const char *file,
int lineno,
char *p,
@@ -1646,43 +2043,49 @@ _krb5_parse_moduli_line(krb5_context context,
m1 = calloc(1, sizeof(*m1));
if (m1 == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
while (isspace((unsigned char)*p))
p++;
- if (*p == '#')
+ if (*p == '#') {
+ free(m1);
return 0;
+ }
ret = EINVAL;
p1 = strsep(&p, " \t");
if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing name "
- "on line %d", file, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s missing name on line %d", ""),
+ file, lineno);
goto out;
}
m1->name = strdup(p1);
- if (p1 == NULL) {
- krb5_set_error_string(context, "malloc - out of memeory");
+ if (m1->name == NULL) {
ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memeory", ""));
goto out;
}
p1 = strsep(&p, " \t");
if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing bits on line %d",
- file, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s missing bits on line %d", ""),
+ file, lineno);
goto out;
}
m1->bits = atoi(p1);
if (m1->bits == 0) {
- krb5_set_error_string(context, "moduli file %s have un-parsable "
- "bits on line %d", file, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s have un-parsable "
+ "bits on line %d", ""), file, lineno);
goto out;
}
-
+
ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
if (ret)
goto out;
@@ -1696,7 +2099,7 @@ _krb5_parse_moduli_line(krb5_context context,
*m = m1;
return 0;
-out:
+ out:
free(m1->name);
der_free_heim_integer(&m1->p);
der_free_heim_integer(&m1->g);
@@ -1788,7 +2191,8 @@ _krb5_parse_moduli(krb5_context context, const char *file,
m = calloc(1, sizeof(m[0]) * 3);
if (m == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -1812,11 +2216,26 @@ _krb5_parse_moduli(krb5_context context, const char *file,
if (file == NULL)
file = MODULI_FILE;
+#ifdef KRB5_USE_PATH_TOKENS
+ {
+ char * exp_file;
+
+ if (_krb5_expand_path_tokens(context, file, &exp_file) == 0) {
+ f = fopen(exp_file, "r");
+ krb5_xfree(exp_file);
+ } else {
+ f = NULL;
+ }
+ }
+#else
f = fopen(file, "r");
+#endif
+
if (f == NULL) {
*moduli = m;
return 0;
}
+ rk_cloexec_file(f);
while(fgets(buf, sizeof(buf), f) != NULL) {
struct krb5_dh_moduli *element;
@@ -1826,12 +2245,13 @@ _krb5_parse_moduli(krb5_context context, const char *file,
m2 = realloc(m, (n + 2) * sizeof(m[0]));
if (m2 == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
_krb5_free_moduli(m);
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
m = m2;
-
+
m[n] = NULL;
ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
@@ -1865,23 +2285,29 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
(q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
- {
- if (bits && bits > moduli[i]->bits) {
- krb5_set_error_string(context, "PKINIT: DH group parameter %s "
- "no accepted, not enough bits generated",
- moduli[i]->name);
- return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
+ {
+ if (bits && bits > moduli[i]->bits) {
+ krb5_set_error_message(context,
+ KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
+ N_("PKINIT: DH group parameter %s "
+ "no accepted, not enough bits "
+ "generated", ""),
+ moduli[i]->name);
+ return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
+ }
+ if (name)
+ *name = strdup(moduli[i]->name);
+ return 0;
}
- if (name)
- *name = strdup(moduli[i]->name);
- return 0;
- }
}
- krb5_set_error_string(context, "PKINIT: DH group parameter no ok");
+ krb5_set_error_message(context,
+ KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
+ N_("PKINIT: DH group parameter no ok", ""));
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
+#endif /* PKINIT */
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
{
#ifdef PKINIT
@@ -1890,15 +2316,26 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
return;
ctx = opt->opt_private->pk_init_ctx;
- if (ctx->dh)
- DH_free(ctx->dh);
- ctx->dh = NULL;
+ switch (ctx->keyex) {
+ case USE_DH:
+ if (ctx->u.dh)
+ DH_free(ctx->u.dh);
+ break;
+ case USE_RSA:
+ break;
+ case USE_ECDH:
+#ifdef HAVE_OPENSSL
+ if (ctx->u.eckey)
+ EC_KEY_free(ctx->u.eckey);
+#endif
+ break;
+ }
if (ctx->id) {
hx509_verify_destroy_ctx(ctx->id->verify_ctx);
hx509_certs_free(&ctx->id->certs);
+ hx509_cert_free(ctx->id->cert);
hx509_certs_free(&ctx->id->anchors);
hx509_certs_free(&ctx->id->certpool);
- hx509_context_free(&ctx->id->hx509ctx);
if (ctx->clientDHNonce) {
krb5_free_data(NULL, ctx->clientDHNonce);
@@ -1913,8 +2350,8 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
opt->opt_private->pk_init_ctx = NULL;
#endif
}
-
-krb5_error_code KRB5_LIB_FUNCTION
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pkinit(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_principal principal,
@@ -1932,19 +2369,18 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
char *anchors = NULL;
if (opt->opt_private == NULL) {
- krb5_set_error_string(context, "PKINIT: on non extendable opt");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: on non extendable opt", ""));
return EINVAL;
}
- opt->opt_private->pk_init_ctx =
+ opt->opt_private->pk_init_ctx =
calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
if (opt->opt_private->pk_init_ctx == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- opt->opt_private->pk_init_ctx->dh = NULL;
- opt->opt_private->pk_init_ctx->id = NULL;
- opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
opt->opt_private->pk_init_ctx->require_binding = 0;
opt->opt_private->pk_init_ctx->require_eku = 1;
opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
@@ -1953,23 +2389,26 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
/* XXX implement krb5_appdefault_strings */
if (pool == NULL)
pool = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_pool",
+ "appdefaults",
+ "pkinit_pool",
NULL);
if (pki_revoke == NULL)
pki_revoke = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_revoke",
+ "appdefaults",
+ "pkinit_revoke",
NULL);
if (x509_anchors == NULL) {
krb5_appdefault_string(context, "kinit",
- krb5_principal_get_realm(context, principal),
+ krb5_principal_get_realm(context, principal),
"pkinit_anchors", NULL, &anchors);
x509_anchors = anchors;
}
+ if (flags & 4)
+ opt->opt_private->pk_init_ctx->anonymous = 1;
+
ret = _krb5_pk_load_id(context,
&opt->opt_private->pk_init_ctx->id,
user_id,
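Review bot: `if (flags & 4)` adds a second bare flag bit next to the `(flags & 2)` test further down in `krb5_get_init_creds_opt_set_pkinit()`, and neither site says what the bit means. A short comment such as `/* flags bit 4: request anonymous PKINIT */`, or named constants in the header that declares this function, would make the caller contract readable. The function starts and ends outside this hunk.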
@@ -1985,86 +2424,218 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
return ret;
}
- if ((flags & 2) == 0) {
- const char *moduli_file;
- unsigned long dh_min_bits;
+ if (opt->opt_private->pk_init_ctx->id->certs) {
+ _krb5_pk_set_user_id(context,
+ principal,
+ opt->opt_private->pk_init_ctx,
+ opt->opt_private->pk_init_ctx->id->certs);
+ } else
+ opt->opt_private->pk_init_ctx->id->cert = NULL;
- moduli_file = krb5_config_get_string(context, NULL,
- "libdefaults",
- "moduli",
- NULL);
+ if ((flags & 2) == 0) {
+ hx509_context hx509ctx = context->hx509ctx;
+ hx509_cert cert = opt->opt_private->pk_init_ctx->id->cert;
- dh_min_bits =
- krb5_config_get_int_default(context, NULL, 0,
- "libdefaults",
- "pkinit_dh_min_bits",
- NULL);
+ opt->opt_private->pk_init_ctx->keyex = USE_DH;
- ret = _krb5_parse_moduli(context, moduli_file,
- &opt->opt_private->pk_init_ctx->m);
- if (ret) {
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ret;
- }
-
- opt->opt_private->pk_init_ctx->dh = DH_new();
- if (opt->opt_private->pk_init_ctx->dh == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ENOMEM;
+ /*
+ * If its a ECDSA certs, lets select ECDSA as the keyex algorithm.
+ */
+ if (cert) {
+ AlgorithmIdentifier alg;
+
+ ret = hx509_cert_get_SPKI_AlgorithmIdentifier(hx509ctx, cert, &alg);
+ if (ret == 0) {
+ if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_ecPublicKey) == 0)
+ opt->opt_private->pk_init_ctx->keyex = USE_ECDH;
+ free_AlgorithmIdentifier(&alg);
+ }
}
- ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh,
- dh_min_bits,
- opt->opt_private->pk_init_ctx->m);
- if (ret) {
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ret;
- }
+ } else {
+ opt->opt_private->pk_init_ctx->keyex = USE_RSA;
- if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
- krb5_set_error_string(context, "pkinit: failed to generate DH key");
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ENOMEM;
+ if (opt->opt_private->pk_init_ctx->id->certs == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("No anonymous pkinit support in RSA mode", ""));
+ return EINVAL;
}
}
return 0;
#else
- krb5_set_error_string(context, "no support for PKINIT compiled in");
+ krb5_set_error_message(context, EINVAL,
+ N_("no support for PKINIT compiled in", ""));
+ return EINVAL;
+#endif
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ struct hx509_certs_data *certs)
+{
+#ifdef PKINIT
+ if (opt->opt_private == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: on non extendable opt", ""));
+ return EINVAL;
+ }
+ if (opt->opt_private->pk_init_ctx == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: on pkinit context", ""));
+ return EINVAL;
+ }
+
+ _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
+
+ return 0;
+#else
+ krb5_set_error_message(context, EINVAL,
+ N_("no support for PKINIT compiled in", ""));
return EINVAL;
#endif
}
+#ifdef PKINIT
+
+static int
+get_ms_san(hx509_context context, hx509_cert cert, char **upn)
+{
+ hx509_octet_string_list list;
+ int ret;
+
+ *upn = NULL;
+
+ ret = hx509_cert_find_subjectAltName_otherName(context,
+ cert,
+ &asn1_oid_id_pkinit_ms_san,
+ &list);
+ if (ret)
+ return 0;
+
+ if (list.len > 0 && list.val[0].length > 0)
+ ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length,
+ upn, NULL);
+ else
+ ret = 1;
+ hx509_free_octet_string_list(&list);
+
+ return ret;
+}
+
+static int
+find_ms_san(hx509_context context, hx509_cert cert, void *ctx)
+{
+ char *upn;
+ int ret;
+
+ ret = get_ms_san(context, cert, &upn);
+ if (ret == 0)
+ free(upn);
+ return ret;
+}
+
+
+
+#endif
+
/*
- *
+ * Private since it need to be redesigned using krb5_get_init_creds()
*/
-static void
-_krb5_pk_copy_error(krb5_context context,
- hx509_context hx509ctx,
- int hxret,
- const char *fmt,
- ...)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_pk_enterprise_cert(krb5_context context,
+ const char *user_id,
+ krb5_const_realm realm,
+ krb5_principal *principal,
+ struct hx509_certs_data **res)
{
- va_list va;
- char *s, *f;
+#ifdef PKINIT
+ krb5_error_code ret;
+ hx509_certs certs, result;
+ hx509_cert cert = NULL;
+ hx509_query *q;
+ char *name;
- va_start(va, fmt);
- vasprintf(&f, fmt, va);
- va_end(va);
- if (f == NULL) {
- krb5_clear_error_string(context);
- return;
+ *principal = NULL;
+ if (res)
+ *res = NULL;
+
+ if (user_id == NULL) {
+ krb5_set_error_message(context, ENOENT, "no user id");
+ return ENOENT;
}
- s = hx509_get_error_string(hx509ctx, hxret);
- if (s == NULL) {
- krb5_clear_error_string(context);
- free(f);
- return;
+ ret = hx509_certs_init(context->hx509ctx, user_id, 0, NULL, &certs);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to init cert certs");
+ goto out;
}
- krb5_set_error_string(context, "%s: %s", f, s);
- free(s);
- free(f);
+
+ ret = hx509_query_alloc(context->hx509ctx, &q);
+ if (ret) {
+ krb5_set_error_message(context, ret, "out of memory");
+ hx509_certs_free(&certs);
+ goto out;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ hx509_query_match_eku(q, &asn1_oid_id_pkinit_ms_eku);
+ hx509_query_match_cmp_func(q, find_ms_san, NULL);
+
+ ret = hx509_certs_filter(context->hx509ctx, certs, q, &result);
+ hx509_query_free(context->hx509ctx, q);
+ hx509_certs_free(&certs);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to find PKINIT certificate");
+ return ret;
+ }
+
+ ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
+ hx509_certs_free(&result);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to get one cert");
+ goto out;
+ }
+
+ ret = get_ms_san(context->hx509ctx, cert, &name);
+ if (ret) {
+ pk_copy_error(context, context->hx509ctx, ret,
+ "Failed to get MS SAN");
+ goto out;
+ }
+
+ ret = krb5_make_principal(context, principal, realm, name, NULL);
+ free(name);
+ if (ret)
+ goto out;
+
+ krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL);
+
+ if (res) {
+ ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
+ if (ret)
+ goto out;
+
+ ret = hx509_certs_add(context->hx509ctx, *res, cert);
+ if (ret) {
+ hx509_certs_free(res);
+ goto out;
+ }
+ }
+
+ out:
+ hx509_cert_free(cert);
+
+ return ret;
+#else
+ krb5_set_error_message(context, EINVAL,
+ N_("no support for PKINIT compiled in", ""));
+ return EINVAL;
+#endif
}
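Review bot: `get_ms_san()` returns 0 when `hx509_cert_find_subjectAltName_otherName()` fails, so it reports success while `*upn` is still NULL. `find_ms_san()` hands that 0 back to the query as its comparison result, which (if 0 means "match" for `hx509_query_match_cmp_func`) selects a certificate whose SAN could not be read. `krb5_pk_enterprise_cert()` then passes the NULL `name` to `krb5_make_principal()`, where it presumably reads as the end of the component list and yields an enterprise principal with no components. Propagating the failure closes this: `if (ret) return ret;`. Separately, the RSA-mode `return EINVAL;` in `krb5_get_init_creds_opt_set_pkinit()` skips the `_krb5_get_init_creds_opt_free_pkinit(opt)` call that the removed error paths made, leaving a half-configured PKINIT context attached to `opt`.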
diff --git a/crypto/heimdal/lib/krb5/plugin.c b/crypto/heimdal/lib/krb5/plugin.c
index bae28496aaf8..9303b6c615b7 100644
--- a/crypto/heimdal/lib/krb5/plugin.c
+++ b/crypto/heimdal/lib/krb5/plugin.c
@@ -1,38 +1,38 @@
/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: plugin.c 22033 2007-11-10 10:39:47Z lha $");
+
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
#endif
@@ -40,21 +40,36 @@ RCSID("$Id: plugin.c 22033 2007-11-10 10:39:47Z lha $");
struct krb5_plugin {
void *symbol;
- void *dsohandle;
struct krb5_plugin *next;
};
struct plugin {
- enum krb5_plugin_type type;
- void *name;
- void *symbol;
+ enum { DSO, SYMBOL } type;
+ union {
+ struct {
+ char *path;
+ void *dsohandle;
+ } dso;
+ struct {
+ enum krb5_plugin_type type;
+ char *name;
+ char *symbol;
+ } symbol;
+ } u;
struct plugin *next;
};
static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
static struct plugin *registered = NULL;
+static int plugins_needs_scan = 1;
-static const char *plugin_dir = LIBDIR "/plugin/krb5";
+static const char *sysplugin_dirs[] = {
+ LIBDIR "/plugin/krb5",
+#ifdef __APPLE__
+ "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
+#endif
+ NULL
+};
/*
*
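Review bot: In the new `struct plugin`, the member `u.symbol.symbol` is declared `char *symbol;`, but it stores the opaque `void *symbol` passed to `krb5_plugin_register()` and is later handed to `add_symbol()` as a `void *`. Declaring it `void *symbol;` matches how it is used and avoids suggesting that it is a string. `struct krb5_plugin` already keeps `void *symbol`, so the two structs would then agree.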
@@ -79,39 +94,30 @@ _krb5_plugin_get_next(struct krb5_plugin *p)
#ifdef HAVE_DLOPEN
static krb5_error_code
-loadlib(krb5_context context,
- enum krb5_plugin_type type,
- const char *name,
- const char *lib,
- struct krb5_plugin **e)
+loadlib(krb5_context context, char *path)
{
- *e = calloc(1, sizeof(**e));
- if (*e == NULL) {
- krb5_set_error_string(context, "out of memory");
+ struct plugin *e;
+
+ e = calloc(1, sizeof(*e));
+ if (e == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ free(path);
return ENOMEM;
}
#ifndef RTLD_LAZY
#define RTLD_LAZY 0
#endif
+#ifndef RTLD_LOCAL
+#define RTLD_LOCAL 0
+#endif
+ e->type = DSO;
+ /* ignore error from dlopen, and just keep it as negative cache entry */
+ e->u.dso.dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
+ e->u.dso.path = path;
- (*e)->dsohandle = dlopen(lib, RTLD_LAZY);
- if ((*e)->dsohandle == NULL) {
- free(*e);
- *e = NULL;
- krb5_set_error_string(context, "Failed to load %s: %s",
- lib, dlerror());
- return ENOMEM;
- }
-
- /* dlsym doesn't care about the type */
- (*e)->symbol = dlsym((*e)->dsohandle, name);
- if ((*e)->symbol == NULL) {
- dlclose((*e)->dsohandle);
- free(*e);
- krb5_clear_error_string(context);
- return ENOMEM;
- }
+ e->next = registered;
+ registered = e;
return 0;
}
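Review bot: `loadlib()` now takes ownership of `path` and pushes onto the global `registered` list without locking, but neither contract is stated at the definition; the only hint is the call-site comment in `load_plugins()`. A header comment such as `/* Takes ownership of path (kept in the entry, freed on ENOMEM); caller must hold plugin_mutex. */` would make both explicit. The dlopen result is deliberately kept even when NULL, so a plugin that fails to load produces no diagnostic, and the comment could also say that `dlerror()` is intentionally dropped. Every path passed in is opened whatever symbol is later requested, so it is worth documenting that the plugin directory must be writable only by trusted accounts.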
@@ -129,29 +135,43 @@ loadlib(krb5_context context,
* @ingroup krb5_support
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_plugin_register(krb5_context context,
enum krb5_plugin_type type,
- const char *name,
+ const char *name,
void *symbol)
{
struct plugin *e;
+ HEIMDAL_MUTEX_lock(&plugin_mutex);
+
+ /* check for duplicates */
+ for (e = registered; e != NULL; e = e->next) {
+ if (e->type == SYMBOL &&
+ strcmp(e->u.symbol.name, name) == 0 &&
+ e->u.symbol.type == type && e->u.symbol.symbol == symbol) {
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ return 0;
+ }
+ }
+
e = calloc(1, sizeof(*e));
if (e == NULL) {
- krb5_set_error_string(context, "out of memory");
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
- e->type = type;
- e->name = strdup(name);
- if (e->name == NULL) {
+ e->type = SYMBOL;
+ e->u.symbol.type = type;
+ e->u.symbol.name = strdup(name);
+ if (e->u.symbol.name == NULL) {
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
free(e);
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
- e->symbol = symbol;
+ e->u.symbol.symbol = symbol;
- HEIMDAL_MUTEX_lock(&plugin_mutex);
e->next = registered;
registered = e;
HEIMDAL_MUTEX_unlock(&plugin_mutex);
@@ -159,95 +179,191 @@ krb5_plugin_register(krb5_context context,
return 0;
}
-krb5_error_code
-_krb5_plugin_find(krb5_context context,
- enum krb5_plugin_type type,
- const char *name,
- struct krb5_plugin **list)
+static int
+is_valid_plugin_filename(const char * n)
{
- struct krb5_plugin *e;
- struct plugin *p;
+ if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
+ return 0;
+
+#ifdef _WIN32
+ /* On Windows, we only attempt to load .dll files as plug-ins. */
+ {
+ const char * ext;
+
+ ext = strrchr(n, '.');
+ if (ext == NULL)
+ return 0;
+
+ return !stricmp(ext, ".dll");
+ }
+#else
+ return 1;
+#endif
+}
+
+static void
+trim_trailing_slash(char * path)
+{
+ size_t l;
+
+ l = strlen(path);
+ while (l > 0 && (path[l - 1] == '/'
+#ifdef BACKSLASH_PATH_DELIM
+ || path[l - 1] == '\\'
+#endif
+ )) {
+ path[--l] = '\0';
+ }
+}
+
+static krb5_error_code
+load_plugins(krb5_context context)
+{
+ struct plugin *e;
krb5_error_code ret;
- char *sysdirs[2] = { NULL, NULL };
char **dirs = NULL, **di;
struct dirent *entry;
char *path;
DIR *d = NULL;
- *list = NULL;
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- for (p = registered; p != NULL; p = p->next) {
- if (p->type != type || strcmp(p->name, name) != 0)
- continue;
-
- e = calloc(1, sizeof(*e));
- if (e == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- krb5_set_error_string(context, "out of memory");
- ret = ENOMEM;
- goto out;
- }
- e->symbol = p->symbol;
- e->dsohandle = NULL;
- e->next = *list;
- *list = e;
- }
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ if (!plugins_needs_scan)
+ return 0;
+ plugins_needs_scan = 0;
#ifdef HAVE_DLOPEN
- dirs = krb5_config_get_strings(context, NULL, "libdefaults",
+ dirs = krb5_config_get_strings(context, NULL, "libdefaults",
"plugin_dir", NULL);
- if (dirs == NULL) {
- sysdirs[0] = rk_UNCONST(plugin_dir);
- dirs = sysdirs;
- }
+ if (dirs == NULL)
+ dirs = rk_UNCONST(sysplugin_dirs);
for (di = dirs; *di != NULL; di++) {
+ char * dir = *di;
+
+#ifdef KRB5_USE_PATH_TOKENS
+ if (_krb5_expand_path_tokens(context, *di, &dir))
+ goto next_dir;
+#endif
+
+ trim_trailing_slash(dir);
+
+ d = opendir(dir);
- d = opendir(*di);
if (d == NULL)
- continue;
+ goto next_dir;
+
+ rk_cloexec_dir(d);
while ((entry = readdir(d)) != NULL) {
- asprintf(&path, "%s/%s", *di, entry->d_name);
- if (path == NULL) {
- krb5_set_error_string(context, "out of memory");
+ char *n = entry->d_name;
+
+ /* skip . and .. */
+ if (!is_valid_plugin_filename(n))
+ continue;
+
+ path = NULL;
+ ret = 0;
+#ifdef __APPLE__
+ { /* support loading bundles on MacOS */
+ size_t len = strlen(n);
+ if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
+ ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", dir, n, (int)(len - 7), n);
+ }
+#endif
+ if (ret < 0 || path == NULL)
+ ret = asprintf(&path, "%s/%s", dir, n);
+
+ if (ret < 0 || path == NULL) {
ret = ENOMEM;
- goto out;
+ krb5_set_error_message(context, ret, "malloc: out of memory");
+ return ret;
+ }
+
+ /* check if already tried */
+ for (e = registered; e != NULL; e = e->next)
+ if (e->type == DSO && strcmp(e->u.dso.path, path) == 0)
+ break;
+ if (e) {
+ free(path);
+ } else {
+ loadlib(context, path); /* store or frees path */
}
- ret = loadlib(context, type, name, path, &e);
- free(path);
- if (ret)
- continue;
-
- e->next = *list;
- *list = e;
}
closedir(d);
+
+ next_dir:
+ if (dir != *di)
+ free(dir);
}
- if (dirs != sysdirs)
+ if (dirs != rk_UNCONST(sysplugin_dirs))
krb5_config_free_strings(dirs);
#endif /* HAVE_DLOPEN */
+ return 0;
+}
- if (*list == NULL) {
- krb5_set_error_string(context, "Did not find a plugin for %s", name);
- return ENOENT;
- }
+static krb5_error_code
+add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
+{
+ struct krb5_plugin *e;
+ e = calloc(1, sizeof(*e));
+ if (e == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ e->symbol = symbol;
+ e->next = *list;
+ *list = e;
return 0;
+}
+
+krb5_error_code
+_krb5_plugin_find(krb5_context context,
+ enum krb5_plugin_type type,
+ const char *name,
+ struct krb5_plugin **list)
+{
+ struct plugin *e;
+ krb5_error_code ret;
-out:
- if (dirs && dirs != sysdirs)
- krb5_config_free_strings(dirs);
- if (d)
- closedir(d);
- _krb5_plugin_free(*list);
*list = NULL;
- return ret;
+ HEIMDAL_MUTEX_lock(&plugin_mutex);
+
+ load_plugins(context);
+
+ for (ret = 0, e = registered; e != NULL; e = e->next) {
+ switch(e->type) {
+ case DSO: {
+ void *sym;
+ if (e->u.dso.dsohandle == NULL)
+ continue;
+ sym = dlsym(e->u.dso.dsohandle, name);
+ if (sym)
+ ret = add_symbol(context, list, sym);
+ break;
+ }
+ case SYMBOL:
+ if (strcmp(e->u.symbol.name, name) == 0 && e->u.symbol.type == type)
+ ret = add_symbol(context, list, e->u.symbol.symbol);
+ break;
+ }
+ if (ret) {
+ _krb5_plugin_free(*list);
+ *list = NULL;
+ }
+ }
+
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ if (ret)
+ return ret;
+
+ if (*list == NULL) {
+ krb5_set_error_message(context, ENOENT, "Did not find a plugin for %s", name);
+ return ENOENT;
+ }
+
+ return 0;
}
void
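Review bot: In `_krb5_plugin_find()` the loop does not stop when `add_symbol()` fails: the list is freed but iteration continues, so a later successful `add_symbol()` resets `ret` to 0 and the caller receives a partial list with no error. Adding `break;` after `*list = NULL;` inside the `if (ret) { ... }` block preserves the ENOMEM. In `load_plugins()` the out-of-memory `return ret;` inside the `readdir` loop leaves `d` open and skips freeing `dir` and `dirs`. Because `plugins_needs_scan` was already cleared, that scan is never retried, and `_krb5_plugin_find()` ignores the return value anyway. The `DSO` branch also calls `dlsym()` outside any `HAVE_DLOPEN` guard, unlike the directory scan.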
@@ -256,9 +372,264 @@ _krb5_plugin_free(struct krb5_plugin *list)
struct krb5_plugin *next;
while (list) {
next = list->next;
- if (list->dsohandle)
- dlclose(list->dsohandle);
free(list);
list = next;
}
}
+/*
+ * module - dict of {
+ * ModuleName = [
+ * plugin = object{
+ * array = { ptr, ctx }
+ * }
+ * ]
+ * }
+ */
+
+static heim_dict_t modules;
+
+struct plugin2 {
+ heim_string_t path;
+ void *dsohandle;
+ heim_dict_t names;
+};
+
+static void
+plug_dealloc(void *ptr)
+{
+ struct plugin2 *p = ptr;
+ heim_release(p->path);
+ heim_release(p->names);
+ if (p->dsohandle)
+ dlclose(p->dsohandle);
+}
+
+
+void
+_krb5_load_plugins(krb5_context context, const char *name, const char **paths)
+{
+#ifdef HAVE_DLOPEN
+ heim_string_t s = heim_string_create(name);
+ heim_dict_t module;
+ struct dirent *entry;
+ krb5_error_code ret;
+ const char **di;
+ DIR *d;
+
+ HEIMDAL_MUTEX_lock(&plugin_mutex);
+
+ if (modules == NULL) {
+ modules = heim_dict_create(11);
+ if (modules == NULL) {
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ return;
+ }
+ }
+
+ module = heim_dict_copy_value(modules, s);
+ if (module == NULL) {
+ module = heim_dict_create(11);
+ if (module == NULL) {
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ heim_release(s);
+ return;
+ }
+ heim_dict_add_value(modules, s, module);
+ }
+ heim_release(s);
+
+ for (di = paths; *di != NULL; di++) {
+ d = opendir(*di);
+ if (d == NULL)
+ continue;
+ rk_cloexec_dir(d);
+
+ while ((entry = readdir(d)) != NULL) {
+ char *n = entry->d_name;
+ char *path = NULL;
+ heim_string_t spath;
+ struct plugin2 *p;
+
+ /* skip . and .. */
+ if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
+ continue;
+
+ ret = 0;
+#ifdef __APPLE__
+ { /* support loading bundles on MacOS */
+ size_t len = strlen(n);
+ if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
+ ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", *di, n, (int)(len - 7), n);
+ }
+#endif
+ if (ret < 0 || path == NULL)
+ ret = asprintf(&path, "%s/%s", *di, n);
+
+ if (ret < 0 || path == NULL)
+ continue;
+
+ spath = heim_string_create(n);
+ if (spath == NULL) {
+ free(path);
+ continue;
+ }
+
+ /* check if already cached */
+ p = heim_dict_copy_value(module, spath);
+ if (p == NULL) {
+ p = heim_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
+ if (p)
+ p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
+
+ if (p->dsohandle) {
+ p->path = heim_retain(spath);
+ p->names = heim_dict_create(11);
+ heim_dict_add_value(module, spath, p);
+ }
+ }
+ heim_release(spath);
+ heim_release(p);
+ free(path);
+ }
+ closedir(d);
+ }
+ heim_release(module);
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+#endif /* HAVE_DLOPEN */
+}
+
+void
+_krb5_unload_plugins(krb5_context context, const char *name)
+{
+ HEIMDAL_MUTEX_lock(&plugin_mutex);
+ heim_release(modules);
+ modules = NULL;
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+}
+
+/*
+ *
+ */
+
+struct common_plugin_method {
+ int version;
+ krb5_error_code (*init)(krb5_context, void **);
+ void (*fini)(void *);
+};
+
+struct plug {
+ void *dataptr;
+ void *ctx;
+};
+
+static void
+plug_free(void *ptr)
+{
+ struct plug *pl = ptr;
+ if (pl->dataptr) {
+ struct common_plugin_method *cpm = pl->dataptr;
+ cpm->fini(pl->ctx);
+ }
+}
+
+struct iter_ctx {
+ krb5_context context;
+ heim_string_t n;
+ const char *name;
+ int min_version;
+ heim_array_t result;
+ krb5_error_code (*func)(krb5_context, const void *, void *, void *);
+ void *userctx;
+ krb5_error_code ret;
+};
+
+static void
+search_modules(void *ctx, heim_object_t key, heim_object_t value)
+{
+ struct iter_ctx *s = ctx;
+ struct plugin2 *p = value;
+ struct plug *pl = heim_dict_copy_value(p->names, s->n);
+ struct common_plugin_method *cpm;
+
+ if (pl == NULL) {
+ if (p->dsohandle == NULL)
+ return;
+
+ pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
+
+ cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
+ if (cpm) {
+ int ret;
+
+ ret = cpm->init(s->context, &pl->ctx);
+ if (ret)
+ cpm = pl->dataptr = NULL;
+ }
+ heim_dict_add_value(p->names, s->n, pl);
+ } else {
+ cpm = pl->dataptr;
+ }
+
+ if (cpm && cpm->version >= s->min_version)
+ heim_array_append_value(s->result, pl);
+
+ heim_release(pl);
+}
+
+static void
+eval_results(heim_object_t value, void *ctx)
+{
+ struct plug *pl = value;
+ struct iter_ctx *s = ctx;
+
+ if (s->ret != KRB5_PLUGIN_NO_HANDLE)
+ return;
+
+ s->ret = s->func(s->context, pl->dataptr, pl->ctx, s->userctx);
+}
+
+krb5_error_code
+_krb5_plugin_run_f(krb5_context context,
+ const char *module,
+ const char *name,
+ int min_version,
+ int flags,
+ void *userctx,
+ krb5_error_code (*func)(krb5_context, const void *, void *, void *))
+{
+ heim_string_t m = heim_string_create(module);
+ heim_dict_t dict;
+ struct iter_ctx s;
+
+ HEIMDAL_MUTEX_lock(&plugin_mutex);
+
+ dict = heim_dict_copy_value(modules, m);
+ heim_release(m);
+ if (dict == NULL) {
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ s.context = context;
+ s.name = name;
+ s.n = heim_string_create(name);
+ s.min_version = min_version;
+ s.result = heim_array_create();
+ s.func = func;
+ s.userctx = userctx;
+
+ heim_dict_iterate_f(dict, search_modules, &s);
+
+ heim_release(dict);
+
+ HEIMDAL_MUTEX_unlock(&plugin_mutex);
+
+ s.ret = KRB5_PLUGIN_NO_HANDLE;
+
+ heim_array_iterate_f(s.result, eval_results, &s);
+
+ heim_release(s.result);
+ heim_release(s.n);
+
+ return s.ret;
+}
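Review bot: In `_krb5_load_plugins()` the result of `heim_alloc()` is checked before the `dlopen()` assignment but not before the following `if (p->dsohandle)`, so an allocation failure dereferences NULL; `search_modules()` likewise uses `pl` from `heim_alloc()` unchecked. A guard placed before the `dlopen()` line covers the first case: `if (p == NULL) { heim_release(spath); free(path); continue; }`. `search_modules()` also calls `cpm->init()` on whatever `dlsym()` returned before `cpm->version` is compared with `min_version`, and `plug_free()` calls `cpm->fini` unconditionally, so a module built against a different layout is invoked before it can be rejected; checking the version first would be safer. The cache key is the bare file name (`heim_string_create(n)`), not `path`, so identically named files in two directories collide. `_krb5_plugin_run_f()` passes `modules` to `heim_dict_copy_value()` without checking whether it is still NULL after `_krb5_unload_plugins()`.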
diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c
index 8d9c8805415a..a10d2d079803 100644
--- a/crypto/heimdal/lib/krb5/principal.c
+++ b/crypto/heimdal/lib/krb5/principal.c
@@ -1,34 +1,50 @@
/*
- * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ * @page krb5_principal_intro The principal handing functions.
+ *
+ * A Kerberos principal is a email address looking string that
+ * contains to parts separeted by a @. The later part is the kerbero
+ * realm the principal belongs to and the former is a list of 0 or
+ * more components. For example
+ * @verbatim
+lha@SU.SE
+host/hummel.it.su.se@SU.SE
+host/admin@H5L.ORG
+@endverbatim
+ *
+ * See the library functions here: @ref krb5_principal
*/
#include "krb5_locl.h"
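Review bot: The new `@page krb5_principal_intro` text has several typos that will appear in the generated documentation: "handing" for "handling", "contains to parts separeted" for "contains two parts separated", and "kerbero realm" for "Kerberos realm". Suggested opening sentence: `A Kerberos principal is an email-address-like string that contains two parts separated by an @.`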
@@ -41,15 +57,26 @@
#include <fnmatch.h>
#include "resolve.h"
-RCSID("$Id: principal.c 21741 2007-07-31 16:00:37Z lha $");
-
#define princ_num_comp(P) ((P)->name.name_string.len)
#define princ_type(P) ((P)->name.name_type)
#define princ_comp(P) ((P)->name.name_string.val)
#define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
#define princ_realm(P) ((P)->realm)
-void KRB5_LIB_FUNCTION
+/**
+ * Frees a Kerberos principal allocated by the library with
+ * krb5_parse_name(), krb5_make_principal() or any other related
+ * principal functions.
+ *
+ * @param context A Kerberos context.
+ * @param p a principal to free.
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_principal(krb5_context context,
krb5_principal p)
{
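Review bot: The new doc comment for `krb5_free_principal()` carries `@return An krb5 error code, see krb5_get_error_message().`, but the function is declared `void`. The same line appears on `krb5_principal_set_type()` in the next hunk, which is also `void`. Dropping the `@return` line from both keeps the generated reference accurate. Both function bodies lie outside these hunks.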
@@ -59,7 +86,19 @@ krb5_free_principal(krb5_context context,
}
}
-void KRB5_LIB_FUNCTION
+/**
+ * Set the type of the principal
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to set the type for
+ * @param type the new type
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_principal_set_type(krb5_context context,
krb5_principal principal,
int type)
@@ -67,21 +106,43 @@ krb5_principal_set_type(krb5_context context,
princ_type(principal) = type;
}
-int KRB5_LIB_FUNCTION
+/**
+ * Get the type of the principal
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to get the type for
+ *
+ * @return the type of principal
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_principal_get_type(krb5_context context,
krb5_const_principal principal)
{
return princ_type(principal);
}
-const char* KRB5_LIB_FUNCTION
+/**
+ * Get the realm of the principal
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to get the realm for
+ *
+ * @return realm of the principal, don't free or use after krb5_principal is freed
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_realm(krb5_context context,
krb5_const_principal principal)
{
return princ_realm(principal);
-}
+}
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_comp_string(krb5_context context,
krb5_const_principal principal,
unsigned int component)
@@ -91,7 +152,38 @@ krb5_principal_get_comp_string(krb5_context context,
return princ_ncomp(principal, component);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Get number of component is principal.
+ *
+ * @param context Kerberos 5 context
+ * @param principal principal to query
+ *
+ * @return number of components in string
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION unsigned int KRB5_LIB_CALL
+krb5_principal_get_num_comp(krb5_context context,
+ krb5_const_principal principal)
+{
+ return princ_num_comp(principal);
+}
+
+/**
+ * Parse a name into a krb5_principal structure, flags controls the behavior.
+ *
+ * @param context Kerberos 5 context
+ * @param name name to parse into a Kerberos principal
+ * @param flags flags to control the behavior
+ * @param principal returned principal, free with krb5_free_principal().
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_name_flags(krb5_context context,
const char *name,
int flags,
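Review bot: The new doc comment for krb5_parse_name_flags says only `flags to control the behavior` and does not name the accepted flags. The body shown in the following hunks tests KRB5_PRINCIPAL_PARSE_ENTERPRISE, KRB5_PRINCIPAL_PARSE_NO_REALM and KRB5_PRINCIPAL_PARSE_REQUIRE_REALM and rejects the last two together, so the line could read `@param flags bitmask of KRB5_PRINCIPAL_PARSE_* values; NO_REALM and REQUIRE_REALM are mutually exclusive`. In the same hunk the krb5_principal_get_num_comp comment would read better as `Get the number of components in the principal.` with `@return number of components in the principal`. The body of krb5_parse_name_flags lies outside this hunk.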
@@ -112,14 +204,15 @@ krb5_parse_name_flags(krb5_context context,
int got_realm = 0;
int first_at = 1;
int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
-
+
*principal = NULL;
-#define RFLAGS (KRB5_PRINCIPAL_PARSE_NO_REALM|KRB5_PRINCIPAL_PARSE_MUST_REALM)
+#define RFLAGS (KRB5_PRINCIPAL_PARSE_NO_REALM|KRB5_PRINCIPAL_PARSE_REQUIRE_REALM)
if ((flags & RFLAGS) == RFLAGS) {
- krb5_set_error_string(context, "Can't require both realm and "
- "no realm at the same time");
+ krb5_set_error_message(context, KRB5_ERR_NO_SERVICE,
+ N_("Can't require both realm and "
+ "no realm at the same time", ""));
return KRB5_ERR_NO_SERVICE;
}
#undef RFLAGS
@@ -132,8 +225,8 @@ krb5_parse_name_flags(krb5_context context,
for(p = name; *p; p++){
if(*p=='\\'){
if(!p[1]) {
- krb5_set_error_string (context,
- "trailing \\ in principal name");
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ N_("trailing \\ in principal name", ""));
return KRB5_PARSE_MALFORMED;
}
p++;
@@ -145,15 +238,17 @@ krb5_parse_name_flags(krb5_context context,
}
comp = calloc(ncomp, sizeof(*comp));
if (comp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
n = 0;
p = start = q = s = strdup(name);
if (start == NULL) {
free (comp);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
while(*p){
@@ -169,9 +264,9 @@ krb5_parse_name_flags(krb5_context context,
else if(c == '0')
c = '\0';
else if(c == '\0') {
- krb5_set_error_string (context,
- "trailing \\ in principal name");
ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("trailing \\ in principal name", ""));
goto exit;
}
}else if(enterprise && first_at) {
@@ -179,15 +274,16 @@ krb5_parse_name_flags(krb5_context context,
first_at = 0;
}else if((c == '/' && !enterprise) || c == '@'){
if(got_realm){
- krb5_set_error_string (context,
- "part after realm in principal name");
ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("part after realm in principal name", ""));
goto exit;
}else{
comp[n] = malloc(q - start + 1);
if (comp[n] == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto exit;
}
memcpy(comp[n], start, q - start);
@@ -199,34 +295,37 @@ krb5_parse_name_flags(krb5_context context,
start = q;
continue;
}
- if(got_realm && (c == ':' || c == '/' || c == '\0')) {
- krb5_set_error_string (context,
- "part after realm in principal name");
+ if(got_realm && (c == '/' || c == '\0')) {
ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("part after realm in principal name", ""));
goto exit;
}
*q++ = c;
}
if(got_realm){
if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
- krb5_set_error_string (context, "realm found in 'short' principal "
- "expected to be without one");
ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("realm found in 'short' principal "
+ "expected to be without one", ""));
goto exit;
}
realm = malloc(q - start + 1);
if (realm == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto exit;
}
memcpy(realm, start, q - start);
realm[q - start] = 0;
}else{
- if (flags & KRB5_PRINCIPAL_PARSE_MUST_REALM) {
- krb5_set_error_string (context, "realm NOT found in principal "
- "expected to be with one");
+ if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("realm NOT found in principal "
+ "expected to be with one", ""));
goto exit;
} else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
realm = NULL;
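Review bot: The `c == '\0'` rejection in `if(got_realm && (c == '/' || c == '\0'))` applies only once the realm has started, so a `\0` escape inside a name component still goes through `*q++ = c` and becomes an embedded NUL in that component. Components are copied by length with memcpy but compared elsewhere in this file with strcmp, so such a component would compare equal to its prefix before the NUL. If no caller relies on embedded NULs, rejecting the escape everywhere removes that ambiguity, for example `if(c == '\0' || (got_realm && c == '/')) {` with an error text that no longer says "part after realm". krb5_parse_name_flags begins and ends outside this hunk and the escape handling sits in an earlier hunk, so the placement needs checking against the full function.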
@@ -238,8 +337,9 @@ krb5_parse_name_flags(krb5_context context,
comp[n] = malloc(q - start + 1);
if (comp[n] == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto exit;
}
memcpy(comp[n], start, q - start);
@@ -248,8 +348,9 @@ krb5_parse_name_flags(krb5_context context,
}
*principal = malloc(sizeof(**principal));
if (*principal == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto exit;
}
if (enterprise)
@@ -271,7 +372,19 @@ exit:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a name into a krb5_principal structure
+ *
+ * @param context Kerberos 5 context
+ * @param name name to parse into a Kerberos principal
+ * @param principal returned principal, free with krb5_free_principal().
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_name(krb5_context context,
const char *name,
krb5_principal *principal)
@@ -313,14 +426,15 @@ unparse_name_fixed(krb5_context context,
int flags)
{
size_t idx = 0;
- int i;
+ size_t i;
int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
if (!no_realm && princ_realm(principal) == NULL) {
- krb5_set_error_string(context, "Realm missing from principal, "
- "can't unparse");
+ krb5_set_error_message(context, ERANGE,
+ N_("Realm missing from principal, "
+ "can't unparse", ""));
return ERANGE;
}
@@ -329,10 +443,11 @@ unparse_name_fixed(krb5_context context,
add_char(name, idx, len, '/');
idx = quote_string(princ_ncomp(principal, i), name, idx, len, display);
if(idx == len) {
- krb5_set_error_string(context, "Out of space printing principal");
+ krb5_set_error_message(context, ERANGE,
+ N_("Out of space printing principal", ""));
return ERANGE;
}
- }
+ }
/* add realm if different from default realm */
if(short_form && !no_realm) {
krb5_realm r;
@@ -348,15 +463,29 @@ unparse_name_fixed(krb5_context context,
add_char(name, idx, len, '@');
idx = quote_string(princ_realm(principal), name, idx, len, display);
if(idx == len) {
- krb5_set_error_string(context,
- "Out of space printing realm of principal");
+ krb5_set_error_message(context, ERANGE,
+ N_("Out of space printing "
+ "realm of principal", ""));
return ERANGE;
}
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a fixed buffer
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed(krb5_context context,
krb5_const_principal principal,
char *name,
@@ -365,17 +494,45 @@ krb5_unparse_name_fixed(krb5_context context,
return unparse_name_fixed(context, principal, name, len, 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a fixed buffer. The realm is skipped
+ * if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed_short(krb5_context context,
krb5_const_principal principal,
char *name,
size_t len)
{
- return unparse_name_fixed(context, principal, name, len,
+ return unparse_name_fixed(context, principal, name, len,
KRB5_PRINCIPAL_UNPARSE_SHORT);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name with unparse flags to a fixed buffer.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param flags unparse flags
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_fixed_flags(krb5_context context,
krb5_const_principal principal,
int flags,
@@ -392,7 +549,7 @@ unparse_name(krb5_context context,
int flags)
{
size_t len = 0, plen;
- int i;
+ size_t i;
krb5_error_code ret;
/* count length */
if (princ_realm(principal)) {
@@ -415,7 +572,8 @@ unparse_name(krb5_context context,
len++; /* '\0' */
*name = malloc(len);
if(*name == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = unparse_name_fixed(context, principal, *name, len, flags);
@@ -426,7 +584,19 @@ unparse_name(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the Kerberos name into a string
+ *
+ * @param context Kerberos 5 context
+ * @param principal principal to query
+ * @param name resulting string, free with krb5_xfree()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name(krb5_context context,
krb5_const_principal principal,
char **name)
@@ -434,7 +604,20 @@ krb5_unparse_name(krb5_context context,
return unparse_name(context, principal, name, 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the Kerberos name into a string
+ *
+ * @param context Kerberos 5 context
+ * @param principal principal to query
+ * @param flags flag to determine the behavior
+ * @param name resulting string, free with krb5_xfree()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_flags(krb5_context context,
krb5_const_principal principal,
int flags,
@@ -443,7 +626,20 @@ krb5_unparse_name_flags(krb5_context context,
return unparse_name(context, principal, name, flags);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a allocated buffer. The realm is
+ * skipped if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name returned buffer, free with krb5_xfree()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_unparse_name_short(krb5_context context,
krb5_const_principal principal,
char **name)
@@ -451,37 +647,52 @@ krb5_unparse_name_short(krb5_context context,
return unparse_name(context, principal, name, KRB5_PRINCIPAL_UNPARSE_SHORT);
}
-#if 0 /* not implemented */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_ext(krb5_context context,
- krb5_const_principal principal,
- char **name,
- size_t *size)
-{
- krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
-}
-
-#endif
+/**
+ * Set a new realm for a principal, and as a side-effect free the
+ * previous realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal set the realm for
+ * @param realm the new realm to set
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
-krb5_realm * KRB5_LIB_FUNCTION
-krb5_princ_realm(krb5_context context,
- krb5_principal principal)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_principal_set_realm(krb5_context context,
+ krb5_principal principal,
+ krb5_const_realm realm)
{
- return &princ_realm(principal);
-}
+ if (princ_realm(principal))
+ free(princ_realm(principal));
-
-void KRB5_LIB_FUNCTION
-krb5_princ_set_realm(krb5_context context,
- krb5_principal principal,
- krb5_realm *realm)
-{
- princ_realm(principal) = *realm;
+ princ_realm(principal) = strdup(realm);
+ if (princ_realm(principal) == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ return 0;
}
+#ifndef HEIMDAL_SMALLER
+/**
+ * Build a principal using vararg style building
+ *
+ * @param context A Kerberos context.
+ * @param principal returned principal
+ * @param rlen length of realm
+ * @param realm realm name
+ * @param ... a list of components ended with NULL.
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal(krb5_context context,
krb5_principal *principal,
int rlen,
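Review bot: krb5_principal_set_realm frees the old realm before `strdup(realm)` runs, so a caller that passes the principal's own realm (for instance the pointer returned by krb5_principal_get_realm()) makes strdup read freed memory, and a failed strdup leaves the principal with a NULL realm after the old one is already gone. Duplicating first and swapping only on success avoids both; the `if (princ_realm(principal))` guard is not needed because free(NULL) is a no-op. The doc comment could also say that `realm` must be a non-NULL, NUL-terminated string, since it is handed straight to strdup.

```c
/* krb5_principal_set_realm(): replacement body */
{
    char *new_realm = strdup(realm);

    if (new_realm == NULL) {
        /* the principal keeps its previous realm on failure */
        krb5_set_error_message(context, ENOMEM,
                               N_("malloc: out of memory", ""));
        return ENOMEM;
    }
    free(princ_realm(principal));
    princ_realm(principal) = new_realm;
    return 0;
}
```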
@@ -495,9 +706,46 @@ krb5_build_principal(krb5_context context,
va_end(ap);
return ret;
}
+#endif
+
+/**
+ * Build a principal using vararg style building
+ *
+ * @param context A Kerberos context.
+ * @param principal returned principal
+ * @param realm realm name
+ * @param ... a list of components ended with NULL.
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_make_principal(krb5_context context,
+ krb5_principal *principal,
+ krb5_const_realm realm,
+ ...)
+{
+ krb5_error_code ret;
+ krb5_realm r = NULL;
+ va_list ap;
+ if(realm == NULL) {
+ ret = krb5_get_default_realm(context, &r);
+ if(ret)
+ return ret;
+ realm = r;
+ }
+ va_start(ap, realm);
+ ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+ va_end(ap);
+ if(r)
+ free(r);
+ return ret;
+}
static krb5_error_code
-append_component(krb5_context context, krb5_principal p,
+append_component(krb5_context context, krb5_principal p,
const char *comp,
size_t comp_len)
{
@@ -506,13 +754,15 @@ append_component(krb5_context context, krb5_principal p,
tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp));
if(tmp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
princ_comp(p) = tmp;
princ_ncomp(p, len) = malloc(comp_len + 1);
if (princ_ncomp(p, len) == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
memcpy (princ_ncomp(p, len), comp, comp_len);
@@ -547,7 +797,6 @@ va_princ(krb5_context context, krb5_principal p, va_list ap)
}
}
-
static krb5_error_code
build_principal(krb5_context context,
krb5_principal *principal,
@@ -557,10 +806,11 @@ build_principal(krb5_context context,
va_list ap)
{
krb5_principal p;
-
+
p = calloc(1, sizeof(*p));
if (p == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
princ_type(p) = KRB5_NT_PRINCIPAL;
@@ -568,41 +818,19 @@ build_principal(krb5_context context,
princ_realm(p) = strdup(realm);
if(p->realm == NULL){
free(p);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
(*func)(context, p, ap);
*principal = p;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_make_principal(krb5_context context,
- krb5_principal *principal,
- krb5_const_realm realm,
- ...)
-{
- krb5_error_code ret;
- krb5_realm r = NULL;
- va_list ap;
- if(realm == NULL) {
- ret = krb5_get_default_realm(context, &r);
- if(ret)
- return ret;
- realm = r;
- }
- va_start(ap, realm);
- ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
- va_end(ap);
- if(r)
- free(r);
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_build_principal_va(krb5_context context,
- krb5_principal *principal,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_build_principal_va(krb5_context context,
+ krb5_principal *principal,
int rlen,
krb5_const_realm realm,
va_list ap)
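Review bot: build_principal calls `(*func)(context, p, ap);` as a bare statement and then returns 0, so an allocation failure while components are appended cannot reach the caller from here, even though append_component in this file does return ENOMEM. If va_princ and va_ext_princ can be changed to return krb5_error_code (their definitions are outside this hunk, so this is an assumption), the call could become `ret = (*func)(context, p, ap);` followed by `if (ret) { krb5_free_principal(context, p); return ret; }`. Separately, `princ_realm(p) = strdup(realm);` copies up to the terminator and the `rlen` that callers pass is not used in the lines shown, which deserves a comment if realm is always expected to be NUL-terminated. build_principal starts before this hunk.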
@@ -610,9 +838,9 @@ krb5_build_principal_va(krb5_context context,
return build_principal(context, principal, rlen, realm, va_princ, ap);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_build_principal_va_ext(krb5_context context,
- krb5_principal *principal,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_build_principal_va_ext(krb5_context context,
+ krb5_principal *principal,
int rlen,
krb5_const_realm realm,
va_list ap)
@@ -621,7 +849,7 @@ krb5_build_principal_va_ext(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_build_principal_ext(krb5_context context,
krb5_principal *principal,
int rlen,
@@ -636,36 +864,60 @@ krb5_build_principal_ext(krb5_context context,
return ret;
}
+/**
+ * Copy a principal
+ *
+ * @param context A Kerberos context.
+ * @param inprinc principal to copy
+ * @param outprinc copied principal, free with krb5_free_principal()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_principal(krb5_context context,
krb5_const_principal inprinc,
krb5_principal *outprinc)
{
krb5_principal p = malloc(sizeof(*p));
if (p == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if(copy_Principal(inprinc, p)) {
free(p);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
*outprinc = p;
return 0;
}
-/*
- * return TRUE iff princ1 == princ2 (without considering the realm)
+/**
+ * Return TRUE iff princ1 == princ2 (without considering the realm)
+ *
+ * @param context Kerberos 5 context
+ * @param princ1 first principal to compare
+ * @param princ2 second principal to compare
+ *
+ * @return non zero if equal, 0 if not
+ *
+ * @ingroup krb5_principal
+ * @see krb5_principal_compare()
+ * @see krb5_realm_compare()
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_compare_any_realm(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
{
- int i;
+ size_t i;
if(princ_num_comp(princ1) != princ_num_comp(princ2))
return FALSE;
for(i = 0; i < princ_num_comp(princ1); i++){
@@ -675,11 +927,40 @@ krb5_principal_compare_any_realm(krb5_context context,
return TRUE;
}
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+_krb5_principal_compare_PrincipalName(krb5_context context,
+ krb5_const_principal princ1,
+ PrincipalName *princ2)
+{
+ size_t i;
+ if (princ_num_comp(princ1) != princ2->name_string.len)
+ return FALSE;
+ for(i = 0; i < princ_num_comp(princ1); i++){
+ if(strcmp(princ_ncomp(princ1, i), princ2->name_string.val[i]) != 0)
+ return FALSE;
+ }
+ return TRUE;
+}
+
+
+/**
+ * Compares the two principals, including realm of the principals and returns
+ * TRUE if they are the same and FALSE if not.
+ *
+ * @param context Kerberos 5 context
+ * @param princ1 first principal to compare
+ * @param princ2 second principal to compare
+ *
+ * @ingroup krb5_principal
+ * @see krb5_principal_compare_any_realm()
+ * @see krb5_realm_compare()
+ */
+
/*
* return TRUE iff princ1 == princ2
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_compare(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
@@ -689,11 +970,19 @@ krb5_principal_compare(krb5_context context,
return krb5_principal_compare_any_realm(context, princ1, princ2);
}
-/*
+/**
* return TRUE iff realm(princ1) == realm(princ2)
+ *
+ * @param context Kerberos 5 context
+ * @param princ1 first principal to compare
+ * @param princ2 second principal to compare
+ *
+ * @ingroup krb5_principal
+ * @see krb5_principal_compare_any_realm()
+ * @see krb5_principal_compare()
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_realm_compare(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
@@ -701,16 +990,18 @@ krb5_realm_compare(krb5_context context,
return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
}
-/*
+/**
* return TRUE iff princ matches pattern
+ *
+ * @ingroup krb5_principal
*/
-krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_match(krb5_context context,
krb5_const_principal princ,
krb5_const_principal pattern)
{
- int i;
+ size_t i;
if(princ_num_comp(princ) != princ_num_comp(pattern))
return FALSE;
if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
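Review bot: krb5_realm_compare passes `princ_realm(princ1)` and `princ_realm(princ2)` straight to strcmp, and krb5_principal_match does the same with fnmatch, with no check for a missing realm. The parser earlier in this file sets `realm = NULL` for KRB5_PRINCIPAL_PARSE_NO_REALM (presumably stored in the principal), and unparse_name_fixed already tests `princ_realm(principal) == NULL`, so realm-less principals appear to be a supported state; passing NULL to either call is undefined behaviour. A guard in krb5_realm_compare such as `if (princ_realm(princ1) == NULL || princ_realm(princ2) == NULL) return princ_realm(princ1) == princ_realm(princ2);`, and a FALSE return in krb5_principal_match, would make that case explicit. If realm-less principals must never reach these functions, the new doc comments should state it. Both function bodies are only partly inside this hunk.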
@@ -722,461 +1013,23 @@ krb5_principal_match(krb5_context context,
return TRUE;
}
-
-static struct v4_name_convert {
- const char *from;
- const char *to;
-} default_v4_name_convert[] = {
- { "ftp", "ftp" },
- { "hprop", "hprop" },
- { "pop", "pop" },
- { "imap", "imap" },
- { "rcmd", "host" },
- { "smtp", "smtp" },
- { NULL, NULL }
-};
-
-/*
- * return the converted instance name of `name' in `realm'.
- * look in the configuration file and then in the default set above.
- * return NULL if no conversion is appropriate.
- */
-
-static const char*
-get_name_conversion(krb5_context context, const char *realm, const char *name)
-{
- struct v4_name_convert *q;
- const char *p;
-
- p = krb5_config_get_string(context, NULL, "realms", realm,
- "v4_name_convert", "host", name, NULL);
- if(p == NULL)
- p = krb5_config_get_string(context, NULL, "libdefaults",
- "v4_name_convert", "host", name, NULL);
- if(p)
- return p;
-
- /* XXX should be possible to override default list */
- p = krb5_config_get_string(context, NULL,
- "realms",
- realm,
- "v4_name_convert",
- "plain",
- name,
- NULL);
- if(p)
- return NULL;
- p = krb5_config_get_string(context, NULL,
- "libdefaults",
- "v4_name_convert",
- "plain",
- name,
- NULL);
- if(p)
- return NULL;
- for(q = default_v4_name_convert; q->from; q++)
- if(strcmp(q->from, name) == 0)
- return q->to;
- return NULL;
-}
-
-/*
- * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'.
- * if `resolve', use DNS.
- * if `func', use that function for validating the conversion
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal_ext2(krb5_context context,
- const char *name,
- const char *instance,
- const char *realm,
- krb5_boolean (*func)(krb5_context,
- void *, krb5_principal),
- void *funcctx,
- krb5_boolean resolve,
- krb5_principal *princ)
-{
- const char *p;
- krb5_error_code ret;
- krb5_principal pr;
- char host[MAXHOSTNAMELEN];
- char local_hostname[MAXHOSTNAMELEN];
-
- /* do the following: if the name is found in the
- `v4_name_convert:host' part, is assumed to be a `host' type
- principal, and the instance is looked up in the
- `v4_instance_convert' part. if not found there the name is
- (optionally) looked up as a hostname, and if that doesn't yield
- anything, the `default_domain' is appended to the instance
- */
-
- if(instance == NULL)
- goto no_host;
- if(instance[0] == 0){
- instance = NULL;
- goto no_host;
- }
- p = get_name_conversion(context, realm, name);
- if(p == NULL)
- goto no_host;
- name = p;
- p = krb5_config_get_string(context, NULL, "realms", realm,
- "v4_instance_convert", instance, NULL);
- if(p){
- instance = p;
- ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
- if(func == NULL || (*func)(context, funcctx, pr)){
- *princ = pr;
- return 0;
- }
- krb5_free_principal(context, pr);
- *princ = NULL;
- krb5_clear_error_string (context);
- return HEIM_ERR_V4_PRINC_NO_CONV;
- }
- if(resolve){
- krb5_boolean passed = FALSE;
- char *inst = NULL;
-#ifdef USE_RESOLVER
- struct dns_reply *r;
-
- r = dns_lookup(instance, "aaaa");
- if (r) {
- if (r->head && r->head->type == T_AAAA) {
- inst = strdup(r->head->domain);
- passed = TRUE;
- }
- dns_free_data(r);
- } else {
- r = dns_lookup(instance, "a");
- if (r) {
- if(r->head && r->head->type == T_A) {
- inst = strdup(r->head->domain);
- passed = TRUE;
- }
- dns_free_data(r);
- }
- }
-#else
- struct addrinfo hints, *ai;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_flags = AI_CANONNAME;
- ret = getaddrinfo(instance, NULL, &hints, &ai);
- if (ret == 0) {
- const struct addrinfo *a;
- for (a = ai; a != NULL; a = a->ai_next) {
- if (a->ai_canonname != NULL) {
- inst = strdup (a->ai_canonname);
- passed = TRUE;
- break;
- }
- }
- freeaddrinfo (ai);
- }
-#endif
- if (passed) {
- if (inst == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- strlwr(inst);
- ret = krb5_make_principal(context, &pr, realm, name, inst,
- NULL);
- free (inst);
- if(ret == 0) {
- if(func == NULL || (*func)(context, funcctx, pr)){
- *princ = pr;
- return 0;
- }
- krb5_free_principal(context, pr);
- }
- }
- }
- if(func != NULL) {
- snprintf(host, sizeof(host), "%s.%s", instance, realm);
- strlwr(host);
- ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
- if((*func)(context, funcctx, pr)){
- *princ = pr;
- return 0;
- }
- krb5_free_principal(context, pr);
- }
-
- /*
- * if the instance is the first component of the local hostname,
- * the converted host should be the long hostname.
- */
-
- if (func == NULL &&
- gethostname (local_hostname, sizeof(local_hostname)) == 0 &&
- strncmp(instance, local_hostname, strlen(instance)) == 0 &&
- local_hostname[strlen(instance)] == '.') {
- strlcpy(host, local_hostname, sizeof(host));
- goto local_host;
- }
-
- {
- char **domains, **d;
- domains = krb5_config_get_strings(context, NULL, "realms", realm,
- "v4_domains", NULL);
- for(d = domains; d && *d; d++){
- snprintf(host, sizeof(host), "%s.%s", instance, *d);
- ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
- if(func == NULL || (*func)(context, funcctx, pr)){
- *princ = pr;
- krb5_config_free_strings(domains);
- return 0;
- }
- krb5_free_principal(context, pr);
- }
- krb5_config_free_strings(domains);
- }
-
-
- p = krb5_config_get_string(context, NULL, "realms", realm,
- "default_domain", NULL);
- if(p == NULL){
- /* this should be an error, just faking a name is not good */
- krb5_clear_error_string (context);
- return HEIM_ERR_V4_PRINC_NO_CONV;
- }
-
- if (*p == '.')
- ++p;
- snprintf(host, sizeof(host), "%s.%s", instance, p);
-local_host:
- ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
- if(func == NULL || (*func)(context, funcctx, pr)){
- *princ = pr;
- return 0;
- }
- krb5_free_principal(context, pr);
- krb5_clear_error_string (context);
- return HEIM_ERR_V4_PRINC_NO_CONV;
-no_host:
- p = krb5_config_get_string(context, NULL,
- "realms",
- realm,
- "v4_name_convert",
- "plain",
- name,
- NULL);
- if(p == NULL)
- p = krb5_config_get_string(context, NULL,
- "libdefaults",
- "v4_name_convert",
- "plain",
- name,
- NULL);
- if(p)
- name = p;
-
- ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
- if(func == NULL || (*func)(context, funcctx, pr)){
- *princ = pr;
- return 0;
- }
- krb5_free_principal(context, pr);
- krb5_clear_error_string (context);
- return HEIM_ERR_V4_PRINC_NO_CONV;
-}
-
-static krb5_boolean
-convert_func(krb5_context conxtext, void *funcctx, krb5_principal principal)
-{
- krb5_boolean (*func)(krb5_context, krb5_principal) = funcctx;
- return (*func)(conxtext, principal);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal_ext(krb5_context context,
- const char *name,
- const char *instance,
- const char *realm,
- krb5_boolean (*func)(krb5_context, krb5_principal),
- krb5_boolean resolve,
- krb5_principal *principal)
-{
- return krb5_425_conv_principal_ext2(context,
- name,
- instance,
- realm,
- func ? convert_func : NULL,
- func,
- resolve,
- principal);
-}
-
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal(krb5_context context,
- const char *name,
- const char *instance,
- const char *realm,
- krb5_principal *princ)
-{
- krb5_boolean resolve = krb5_config_get_bool(context,
- NULL,
- "libdefaults",
- "v4_instance_resolve",
- NULL);
-
- return krb5_425_conv_principal_ext(context, name, instance, realm,
- NULL, resolve, princ);
-}
-
-
-static int
-check_list(const krb5_config_binding *l, const char *name, const char **out)
-{
- while(l){
- if (l->type != krb5_config_string)
- continue;
- if(strcmp(name, l->u.string) == 0) {
- *out = l->name;
- return 1;
- }
- l = l->next;
- }
- return 0;
-}
-
-static int
-name_convert(krb5_context context, const char *name, const char *realm,
- const char **out)
-{
- const krb5_config_binding *l;
- l = krb5_config_get_list (context,
- NULL,
- "realms",
- realm,
- "v4_name_convert",
- "host",
- NULL);
- if(l && check_list(l, name, out))
- return KRB5_NT_SRV_HST;
- l = krb5_config_get_list (context,
- NULL,
- "libdefaults",
- "v4_name_convert",
- "host",
- NULL);
- if(l && check_list(l, name, out))
- return KRB5_NT_SRV_HST;
- l = krb5_config_get_list (context,
- NULL,
- "realms",
- realm,
- "v4_name_convert",
- "plain",
- NULL);
- if(l && check_list(l, name, out))
- return KRB5_NT_UNKNOWN;
- l = krb5_config_get_list (context,
- NULL,
- "libdefaults",
- "v4_name_convert",
- "host",
- NULL);
- if(l && check_list(l, name, out))
- return KRB5_NT_UNKNOWN;
-
- /* didn't find it in config file, try built-in list */
- {
- struct v4_name_convert *q;
- for(q = default_v4_name_convert; q->from; q++) {
- if(strcmp(name, q->to) == 0) {
- *out = q->from;
- return KRB5_NT_SRV_HST;
- }
- }
- }
- return -1;
-}
-
-/*
- * convert the v5 principal in `principal' into a v4 corresponding one
- * in `name, instance, realm'
- * this is limited interface since there's no length given for these
- * three parameters. They have to be 40 bytes each (ANAME_SZ).
+/**
+ * Create a principal for the service running on hostname. If
+ * KRB5_NT_SRV_HST is used, the hostname is canonization using DNS (or
+ * some other service), this is potentially insecure.
+ *
+ * @param context A Kerberos context.
+ * @param hostname hostname to use
+ * @param sname Service name to use
+ * @param type name type of pricipal, use KRB5_NT_SRV_HST or KRB5_NT_UNKNOWN.
+ * @param ret_princ return principal, free with krb5_free_principal().
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_524_conv_principal(krb5_context context,
- const krb5_principal principal,
- char *name,
- char *instance,
- char *realm)
-{
- const char *n, *i, *r;
- char tmpinst[40];
- int type = princ_type(principal);
- const int aname_sz = 40;
-
- r = principal->realm;
-
- switch(principal->name.name_string.len){
- case 1:
- n = principal->name.name_string.val[0];
- i = "";
- break;
- case 2:
- n = principal->name.name_string.val[0];
- i = principal->name.name_string.val[1];
- break;
- default:
- krb5_set_error_string (context,
- "cannot convert a %d component principal",
- principal->name.name_string.len);
- return KRB5_PARSE_MALFORMED;
- }
-
- {
- const char *tmp;
- int t = name_convert(context, n, r, &tmp);
- if(t >= 0) {
- type = t;
- n = tmp;
- }
- }
-
- if(type == KRB5_NT_SRV_HST){
- char *p;
-
- strlcpy (tmpinst, i, sizeof(tmpinst));
- p = strchr(tmpinst, '.');
- if(p)
- *p = 0;
- i = tmpinst;
- }
-
- if (strlcpy (name, n, aname_sz) >= aname_sz) {
- krb5_set_error_string (context,
- "too long name component to convert");
- return KRB5_PARSE_MALFORMED;
- }
- if (strlcpy (instance, i, aname_sz) >= aname_sz) {
- krb5_set_error_string (context,
- "too long instance component to convert");
- return KRB5_PARSE_MALFORMED;
- }
- if (strlcpy (realm, r, aname_sz) >= aname_sz) {
- krb5_set_error_string (context,
- "too long realm component to convert");
- return KRB5_PARSE_MALFORMED;
- }
- return 0;
-}
-
-/*
- * Create a principal in `ret_princ' for the service `sname' running
- * on host `hostname'. */
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (krb5_context context,
const char *hostname,
const char *sname,
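Review bot: The new comment on krb5_sname_to_principal calls DNS canonicalization `potentially insecure` but does not say what the caller is exposed to. One more sentence would make the warning actionable, for example `The resulting service principal then depends on name-service answers that are typically unauthenticated; use KRB5_NT_UNKNOWN when the hostname is already trusted and canonical.` The same block has two typos, `canonization` (canonicalized) and `pricipal`. The rest of this hunk only removes the Kerberos 4 conversion helpers.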
@@ -1186,14 +1039,22 @@ krb5_sname_to_principal (krb5_context context,
krb5_error_code ret;
char localhost[MAXHOSTNAMELEN];
char **realms, *host = NULL;
-
+
if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
- krb5_set_error_string (context, "unsupported name type %d",
- type);
+ krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE,
+ N_("unsupported name type %d", ""),
+ (int)type);
return KRB5_SNAME_UNSUPP_NAMETYPE;
}
if(hostname == NULL) {
- gethostname(localhost, sizeof(localhost));
+ ret = gethostname(localhost, sizeof(localhost) - 1);
+ if (ret != 0) {
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ N_("Failed to get local hostname", ""));
+ return ret;
+ }
+ localhost[sizeof(localhost) - 1] = '\0';
hostname = localhost;
}
if(sname == NULL)
@@ -1235,20 +1096,41 @@ static const struct {
{ "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID },
{ "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL },
{ "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID },
- { NULL }
+ { NULL, 0 }
};
-krb5_error_code
+/**
+ * Parse nametype string and return a nametype integer
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_parse_nametype(krb5_context context, const char *str, int32_t *nametype)
{
size_t i;
-
+
for(i = 0; nametypes[i].type; i++) {
if (strcasecmp(nametypes[i].type, str) == 0) {
*nametype = nametypes[i].value;
return 0;
}
}
- krb5_set_error_string(context, "Failed to find name type %s", str);
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ N_("Failed to find name type %s", ""), str);
return KRB5_PARSE_MALFORMED;
}
+
+/**
+ * Check if the cname part of the principal is a krbtgt principal
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
+{
+ return p->name.name_string.len == 2 &&
+ strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
+
+}
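Review bot: The doc comment on the new `krb5_principal_is_krbtgt` says less than a caller needs if it uses the result in an authorization decision. The body only tests that the name has exactly two components and that the first equals `KRB5_TGS_NAME`; the realm and the second component are never examined, and `context` is unused. I would add `@param` and `@return` lines plus a sentence such as `Only the first name component is compared; the realm and the second component are not checked.` The function also dereferences `p` unconditionally, so the comment should state that `p` must be non-NULL.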
diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c
index 0586155ac461..21afbf8d1037 100644
--- a/crypto/heimdal/lib/krb5/prog_setup.c
+++ b/crypto/heimdal/lib/krb5/prog_setup.c
@@ -1,53 +1,51 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <getarg.h>
#include <err.h>
-RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $");
-
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_std_usage(int code, struct getargs *args, int num_args)
{
arg_printusage(args, num_args, NULL, "");
exit(code);
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_program_setup(krb5_context *context, int argc, char **argv,
- struct getargs *args, int num_args,
- void (*usage)(int, struct getargs*, int))
+ struct getargs *args, int num_args,
+ void (KRB5_LIB_CALL *usage)(int, struct getargs*, int))
{
krb5_error_code ret;
int optidx = 0;
@@ -59,7 +57,7 @@ krb5_program_setup(krb5_context *context, int argc, char **argv,
ret = krb5_init_context(context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
-
+
if(getarg(args, num_args, argc, argv, &optidx))
(*usage)(1, args, num_args);
return optidx;
diff --git a/crypto/heimdal/lib/krb5/prompter_posix.c b/crypto/heimdal/lib/krb5/prompter_posix.c
index e0f407fb247e..1bf748c51231 100644
--- a/crypto/heimdal/lib/krb5/prompter_posix.c
+++ b/crypto/heimdal/lib/krb5/prompter_posix.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: prompter_posix.c 13863 2004-05-25 21:46:46Z lha $");
-
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_CALLCONV
krb5_prompter_posix (krb5_context context,
void *data,
const char *name,
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c
index c3f732201f3d..c08547112b27 100644
--- a/crypto/heimdal/lib/krb5/rd_cred.c
+++ b/crypto/heimdal/lib/krb5/rd_cred.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: rd_cred.c 20304 2007-04-11 11:15:05Z lha $");
+#include "krb5_locl.h"
static krb5_error_code
compare_addrs(krb5_context context,
@@ -49,11 +47,12 @@ compare_addrs(krb5_context context,
krb5_print_address (a, a_str, sizeof(a_str), &len);
krb5_print_address (b, b_str, sizeof(b_str), &len);
- krb5_set_error_string(context, "%s: %s != %s", message, b_str, a_str);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_BADADDR,
+ "%s: %s != %s", message, b_str, a_str);
return KRB5KRB_AP_ERR_BADADDR;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred(krb5_context context,
krb5_auth_context auth_context,
krb5_data *in_data,
@@ -66,43 +65,44 @@ krb5_rd_cred(krb5_context context,
EncKrbCredPart enc_krb_cred_part;
krb5_data enc_krb_cred_part_data;
krb5_crypto crypto;
- int i;
+ size_t i;
memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+ krb5_data_zero(&enc_krb_cred_part_data);
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
*ret_creds = NULL;
- ret = decode_KRB_CRED(in_data->data, in_data->length,
+ ret = decode_KRB_CRED(in_data->data, in_data->length,
&cred, &len);
if(ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
if (cred.pvno != 5) {
ret = KRB5KRB_AP_ERR_BADVERSION;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
if (cred.msg_type != krb_cred) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
- if (cred.enc_part.etype == ETYPE_NULL) {
+ if (cred.enc_part.etype == ETYPE_NULL) {
/* DK: MIT GSS-API Compatibility */
enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
enc_krb_cred_part_data.data = cred.enc_part.cipher.data;
} else {
/* Try both subkey and session key.
- *
+ *
* RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
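Review bot: The `ETYPE_NULL` branch kept in this hunk takes `cred.enc_part.cipher` as the plaintext credential part with no decryption, and its only comment is `/* DK: MIT GSS-API Compatibility */`. Nothing in the visible lines authenticates the contents on that path, so the function presumably relies on the caller having received `in_data` inside an already protected exchange. I would spell that precondition out in the comment, for example `/* unencrypted KRB-CRED: only safe when in_data arrived inside an authenticated, encrypted exchange (MIT GSS-API compatibility) */`. The body of `krb5_rd_cred` continues outside this hunk.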
@@ -119,12 +119,12 @@ krb5_rd_cred(krb5_context context,
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
- /*
- * If there was not subkey, or we failed using subkey,
+ /*
+ * If there was not subkey, or we failed using subkey,
* retry using the session key
*/
if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
@@ -135,28 +135,31 @@ krb5_rd_cred(krb5_context context,
if (ret)
goto out;
-
+
ret = krb5_decrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
if (ret)
goto out;
}
- ret = krb5_decode_EncKrbCredPart (context,
- enc_krb_cred_part_data.data,
- enc_krb_cred_part_data.length,
- &enc_krb_cred_part,
- &len);
+ ret = decode_EncKrbCredPart(enc_krb_cred_part_data.data,
+ enc_krb_cred_part_data.length,
+ &enc_krb_cred_part,
+ &len);
if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data)
krb5_data_free(&enc_krb_cred_part_data);
- if (ret)
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode "
+ "encrypte credential part", ""));
goto out;
+ }
/* check sender address */
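Review bot: The error string added after `decode_EncKrbCredPart` has a typo, "encrypte credential part". Because it is wrapped in `N_()` it becomes a translation key, so it is cheaper to fix now: `N_("Failed to decode " "encrypted credential part", "")`. `krb5_rd_cred` starts and ends outside this hunk.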
@@ -172,8 +175,9 @@ krb5_rd_cred(krb5_context context,
goto out;
- ret = compare_addrs(context, a, enc_krb_cred_part.s_address,
- "sender address is wrong in received creds");
+ ret = compare_addrs(context, a, enc_krb_cred_part.s_address,
+ N_("sender address is wrong "
+ "in received creds", ""));
krb5_free_address(context, a);
free(a);
if(ret)
@@ -192,9 +196,10 @@ krb5_rd_cred(krb5_context context,
auth_context->local_port);
if (ret)
goto out;
-
- ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
- "receiver address is wrong in received creds");
+
+ ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
+ N_("receiver address is wrong "
+ "in received creds", ""));
krb5_free_address(context, a);
free(a);
if(ret)
@@ -202,7 +207,8 @@ krb5_rd_cred(krb5_context context,
} else {
ret = compare_addrs(context, auth_context->local_address,
enc_krb_cred_part.r_address,
- "receiver address is wrong in received creds");
+ N_("receiver address is wrong "
+ "in received creds", ""));
if(ret)
goto out;
}
@@ -218,13 +224,13 @@ krb5_rd_cred(krb5_context context,
enc_krb_cred_part.usec == NULL ||
abs(*enc_krb_cred_part.timestamp - sec)
> context->max_skew) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
goto out;
}
}
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
/* if these fields are not present in the cred-part, silently
return zero */
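Review bot: The skew check this hunk keeps, `abs(*enc_krb_cred_part.timestamp - sec) > context->max_skew`, passes a time difference through `abs()`, which takes an `int`. The declarations of `sec` and the timestamp field are outside the hunk, but if either is a 64-bit `time_t` the difference is truncated before the comparison, so a timestamp far outside the allowed window may not be rejected. I would compute the difference in the wide type, e.g. `time_t d = *enc_krb_cred_part.timestamp - sec;` followed by `if (d < 0) d = -d;`, and compare `d` with `context->max_skew`. The same expression appears in the `krb5_rd_priv` hunk of rd_priv.c as `abs(*part.timestamp - sec)`.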
@@ -236,15 +242,16 @@ krb5_rd_cred(krb5_context context,
if(enc_krb_cred_part.nonce)
outdata->seq = *enc_krb_cred_part.nonce;
}
-
+
/* Convert to NULL terminated list of creds */
- *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
+ *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
sizeof(**ret_creds));
if (*ret_creds == NULL) {
ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
@@ -255,11 +262,12 @@ krb5_rd_cred(krb5_context context,
creds = calloc(1, sizeof(*creds));
if(creds == NULL) {
ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
- ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
+ ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
&cred.tickets.val[i], &len, ret);
if (ret) {
free(creds);
@@ -292,9 +300,9 @@ krb5_rd_cred(krb5_context context,
krb5_copy_addresses (context,
kci->caddr,
&creds->addresses);
-
+
(*ret_creds)[i] = creds;
-
+
}
(*ret_creds)[i] = NULL;
@@ -315,7 +323,7 @@ krb5_rd_cred(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred2 (krb5_context context,
krb5_auth_context auth_context,
krb5_ccache ccache,
diff --git a/crypto/heimdal/lib/krb5/rd_error.c b/crypto/heimdal/lib/krb5/rd_error.c
index e7646467afdb..d778c68cd63b 100644
--- a/crypto/heimdal/lib/krb5/rd_error.c
+++ b/crypto/heimdal/lib/krb5/rd_error.c
@@ -1,59 +1,57 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: rd_error.c 21057 2007-06-12 17:22:31Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_error(krb5_context context,
const krb5_data *msg,
KRB_ERROR *result)
{
-
+
size_t len;
krb5_error_code ret;
ret = decode_KRB_ERROR(msg->data, msg->length, result, &len);
if(ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
result->error_code += KRB5KDC_ERR_NONE;
return 0;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_contents (krb5_context context,
krb5_error *error)
{
@@ -61,7 +59,7 @@ krb5_free_error_contents (krb5_context context,
memset(error, 0, sizeof(*error));
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error (krb5_context context,
krb5_error *error)
{
@@ -69,7 +67,7 @@ krb5_free_error (krb5_context context,
free (error);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_error_from_rd_error(krb5_context context,
const krb5_error *error,
const krb5_creds *creds)
@@ -78,7 +76,7 @@ krb5_error_from_rd_error(krb5_context context,
ret = error->error_code;
if (error->e_text != NULL) {
- krb5_set_error_string(context, "%s", *error->e_text);
+ krb5_set_error_message(context, ret, "%s", *error->e_text);
} else {
char clientname[256], servername[256];
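Review bot: `krb5_set_error_message(context, ret, "%s", *error->e_text)` stores text taken from the received KRB-ERROR as the context's error message, and no comment says it is peer-supplied. Passing it through `"%s"` rules out a format-string problem, but the bytes themselves are unfiltered and, as far as this hunk shows, unauthenticated. I would add a comment above the call such as `/* e_text comes from the peer's KRB-ERROR; treat the stored message as untrusted when logging or displaying it */`. `krb5_error_from_rd_error` continues outside the hunk.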
@@ -91,31 +89,35 @@ krb5_error_from_rd_error(krb5_context context,
switch (ret) {
case KRB5KDC_ERR_NAME_EXP :
- krb5_set_error_string(context, "Client %s%s%s expired",
- creds ? "(" : "",
- creds ? clientname : "",
- creds ? ")" : "");
+ krb5_set_error_message(context, ret,
+ N_("Client %s%s%s expired", ""),
+ creds ? "(" : "",
+ creds ? clientname : "",
+ creds ? ")" : "");
break;
case KRB5KDC_ERR_SERVICE_EXP :
- krb5_set_error_string(context, "Server %s%s%s expired",
- creds ? "(" : "",
- creds ? servername : "",
- creds ? ")" : "");
+ krb5_set_error_message(context, ret,
+ N_("Server %s%s%s expired", ""),
+ creds ? "(" : "",
+ creds ? servername : "",
+ creds ? ")" : "");
break;
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN :
- krb5_set_error_string(context, "Client %s%s%s unknown",
- creds ? "(" : "",
- creds ? clientname : "",
- creds ? ")" : "");
+ krb5_set_error_message(context, ret,
+ N_("Client %s%s%s unknown", ""),
+ creds ? "(" : "",
+ creds ? clientname : "",
+ creds ? ")" : "");
break;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN :
- krb5_set_error_string(context, "Server %s%s%s unknown",
- creds ? "(" : "",
- creds ? servername : "",
- creds ? ")" : "");
+ krb5_set_error_message(context, ret,
+ N_("Server %s%s%s unknown", ""),
+ creds ? "(" : "",
+ creds ? servername : "",
+ creds ? ")" : "");
break;
default :
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
break;
}
}
diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c
index ed7a2ccc5278..8a46195b694f 100644
--- a/crypto/heimdal/lib/krb5/rd_priv.c
+++ b/crypto/heimdal/lib/krb5/rd_priv.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: rd_priv.c 21751 2007-07-31 20:42:20Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_priv(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
@@ -50,29 +48,33 @@ krb5_rd_priv(krb5_context context,
krb5_keyblock *key;
krb5_crypto crypto;
- if (outbuf)
- krb5_data_zero(outbuf);
+ krb5_data_zero(outbuf);
- if ((auth_context->flags &
- (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- outdata == NULL) {
- krb5_clear_error_string (context);
- return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)))
+ {
+ if (outdata == NULL) {
+ krb5_clear_error_message (context);
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ }
+ /* if these fields are not present in the priv-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
}
memset(&priv, 0, sizeof(priv));
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
if (ret) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
if (priv.pvno != 5) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BADVERSION;
goto failure;
}
if (priv.msg_type != krb_priv) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MSG_TYPE;
goto failure;
}
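Review bot: `krb5_data_zero(outbuf);` is now unconditional where the old code had `if (outbuf)`, so a caller that passes a NULL `outbuf` reaches it. `krb5_data_zero` is defined outside this hunk, but if it writes through its argument that is a NULL dereference on entry to `krb5_rd_priv`. Either keep the guard, `if (outbuf) krb5_data_zero(outbuf);`, or state in the function's header comment that `outbuf` must be non-NULL. Moving the `memset(outdata, 0, sizeof(*outdata))` ahead of the decode is a good change, since `outdata` is then defined on the failure paths too.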
@@ -93,16 +95,16 @@ krb5_rd_priv(krb5_context context,
&priv.enc_part,
&plain);
krb5_crypto_destroy(context, crypto);
- if (ret)
+ if (ret)
goto failure;
ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
krb5_data_free (&plain);
if (ret) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
-
+
/* check sender address */
if (part.s_address
@@ -110,7 +112,7 @@ krb5_rd_priv(krb5_context context,
&& !krb5_address_compare (context,
auth_context->remote_address,
part.s_address)) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BADADDR;
goto failure_part;
}
@@ -122,7 +124,7 @@ krb5_rd_priv(krb5_context context,
&& !krb5_address_compare (context,
auth_context->local_address,
part.r_address)) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BADADDR;
goto failure_part;
}
@@ -135,7 +137,7 @@ krb5_rd_priv(krb5_context context,
if (part.timestamp == NULL ||
part.usec == NULL ||
abs(*part.timestamp - sec) > context->max_skew) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
goto failure_part;
}
@@ -152,7 +154,7 @@ krb5_rd_priv(krb5_context context,
&& auth_context->remote_seqnumber != 0)
|| (part.seq_number != NULL
&& *part.seq_number != auth_context->remote_seqnumber)) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BADORDER;
goto failure_part;
}
@@ -163,11 +165,8 @@ krb5_rd_priv(krb5_context context,
if (ret)
goto failure_part;
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
- /* if these fields are not present in the priv-part, silently
- return zero */
- memset(outdata, 0, sizeof(*outdata));
if(part.timestamp)
outdata->timestamp = *part.timestamp;
if(part.usec)
diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c
index 8c9b7bb441d7..391d81c191b8 100644
--- a/crypto/heimdal/lib/krb5/rd_rep.c
+++ b/crypto/heimdal/lib/krb5/rd_rep.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
+#include "krb5_locl.h"
-RCSID("$Id: rd_rep.c 17890 2006-08-21 09:19:22Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_rep(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
@@ -48,27 +46,26 @@ krb5_rd_rep(krb5_context context,
krb5_crypto crypto;
krb5_data_zero (&data);
- ret = 0;
ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
if (ret)
return ret;
if (ap_rep.pvno != 5) {
ret = KRB5KRB_AP_ERR_BADVERSION;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
if (ap_rep.msg_type != krb_ap_rep) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret)
goto out;
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
KRB5_KU_AP_REQ_ENC_PART,
&ap_rep.enc_part,
&data);
@@ -79,25 +76,23 @@ krb5_rd_rep(krb5_context context,
*repl = malloc(sizeof(**repl));
if (*repl == NULL) {
ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
- ret = krb5_decode_EncAPRepPart(context,
- data.data,
- data.length,
- *repl,
- &len);
- if (ret)
+ ret = decode_EncAPRepPart(data.data, data.length, *repl, &len);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("Failed to decode EncAPRepPart", ""));
return ret;
-
- if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ }
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
if ((*repl)->ctime != auth_context->authenticator->ctime ||
- (*repl)->cusec != auth_context->authenticator->cusec)
+ (*repl)->cusec != auth_context->authenticator->cusec)
{
krb5_free_ap_rep_enc_part(context, *repl);
*repl = NULL;
ret = KRB5KRB_AP_ERR_MUT_FAIL;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
}
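Review bot: The rewritten failure branch after `decode_EncAPRepPart` still ends in `return ret;` rather than going through `out:`, so `data` and `ap_rep` are not released on that path; the label, visible in the next hunk, is where `krb5_data_free (&data)` and `free_AP_REP (&ap_rep)` are called. The `*repl` buffer allocated just above is also left with the caller even though decoding failed. Since the branch is being touched anyway, it could end with `free(*repl); *repl = NULL; goto out;` in place of `return ret;`, assuming the generated decoder cleans up its own partial result. krb5_rd_rep starts and ends outside this hunk.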
@@ -106,14 +101,14 @@ krb5_rd_rep(krb5_context context,
*((*repl)->seq_number));
if ((*repl)->subkey)
krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
-
+
out:
krb5_data_free (&data);
free_AP_REP (&ap_rep);
return ret;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_ap_rep_enc_part (krb5_context context,
krb5_ap_rep_enc_part *val)
{
diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c
index 0f33b9716454..21daeb596b55 100644
--- a/crypto/heimdal/lib/krb5/rd_req.c
+++ b/crypto/heimdal/lib/krb5/rd_req.c
@@ -1,39 +1,38 @@
+
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: rd_req.c 22235 2007-12-08 21:52:07Z lha $");
+#include "krb5_locl.h"
static krb5_error_code
decrypt_tkt_enc_part (krb5_context context,
@@ -58,8 +57,11 @@ decrypt_tkt_enc_part (krb5_context context,
if (ret)
return ret;
- ret = krb5_decode_EncTicketPart(context, plain.data, plain.length,
- decr_part, &len);
+ ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode encrypted "
+ "ticket part", ""));
krb5_data_free (&plain);
return ret;
}
@@ -95,13 +97,13 @@ decrypt_authenticator (krb5_context context,
if (ret)
return ret;
- ret = krb5_decode_Authenticator(context, plain.data, plain.length,
- authenticator, &len);
+ ret = decode_Authenticator(plain.data, plain.length,
+ authenticator, &len);
krb5_data_free (&plain);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ap_req(krb5_context context,
const krb5_data *inbuf,
krb5_ap_req *ap_req)
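Review bot: The switch to `decode_Authenticator` drops the context-aware wrapper without adding the `krb5_set_error_message()` call that the matching change in decrypt_tkt_enc_part gets earlier in this file. A decode failure here presumably returns only the bare code, with whatever message was last stored in the context. Adding `if (ret) krb5_set_error_message(context, ret, N_("Failed to decode authenticator", ""));` before `krb5_data_free (&plain);` would keep the two helpers consistent. The start of decrypt_authenticator is outside the hunk.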
@@ -113,17 +115,17 @@ krb5_decode_ap_req(krb5_context context,
return ret;
if (ap_req->pvno != 5){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_BADVERSION;
}
if (ap_req->msg_type != krb_ap_req){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_MSG_TYPE;
}
if (ap_req->ticket.tkt_vno != 5){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_BADVERSION;
}
return 0;
@@ -133,10 +135,10 @@ static krb5_error_code
check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
{
char **realms;
- int num_realms;
+ unsigned int num_realms, n;
krb5_error_code ret;
-
- /*
+
+ /*
* Windows 2000 and 2003 uses this inside their TGT so it's normaly
* not seen by others, however, samba4 joined with a Windows AD as
* a Domain Controller gets exposed to this.
@@ -150,15 +152,17 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
if(enc->transited.contents.length == 0)
return 0;
- ret = krb5_domain_x500_decode(context, enc->transited.contents,
- &realms, &num_realms,
+ ret = krb5_domain_x500_decode(context, enc->transited.contents,
+ &realms, &num_realms,
enc->crealm,
ticket->realm);
if(ret)
return ret;
- ret = krb5_check_transited(context, enc->crealm,
- ticket->realm,
+ ret = krb5_check_transited(context, enc->crealm,
+ ticket->realm,
realms, num_realms, NULL);
+ for (n = 0; n < num_realms; n++)
+ free(realms[n]);
free(realms);
return ret;
}
@@ -173,7 +177,7 @@ find_etypelist(krb5_context context,
krb5_authdata adIfRelevant;
unsigned i;
- adIfRelevant.len = 0;
+ memset(&adIfRelevant, 0, sizeof(adIfRelevant));
etypes->len = 0;
etypes->val = NULL;
@@ -209,14 +213,14 @@ find_etypelist(krb5_context context,
etypes,
NULL);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
free_AD_IF_RELEVANT(&adIfRelevant);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decrypt_ticket(krb5_context context,
Ticket *ticket,
krb5_keyblock *key,
@@ -228,7 +232,7 @@ krb5_decrypt_ticket(krb5_context context,
ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t);
if (ret)
return ret;
-
+
{
krb5_timestamp now;
time_t start = t.authtime;
@@ -240,15 +244,15 @@ krb5_decrypt_ticket(krb5_context context,
|| (t.flags.invalid
&& !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) {
free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_NYV;
}
if(now - t.endtime > context->max_skew) {
free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
-
+
if(!t.flags.transited_policy_checked) {
ret = check_transited(context, ticket, &t);
if(ret) {
@@ -257,7 +261,7 @@ krb5_decrypt_ticket(krb5_context context,
}
}
}
-
+
if(out)
*out = t;
else
@@ -265,7 +269,7 @@ krb5_decrypt_ticket(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_authenticator_checksum(krb5_context context,
krb5_auth_context ac,
void *data,
@@ -275,7 +279,7 @@ krb5_verify_authenticator_checksum(krb5_context context,
krb5_keyblock *key;
krb5_authenticator authenticator;
krb5_crypto crypto;
-
+
ret = krb5_auth_con_getauthenticator (context,
ac,
&authenticator);
@@ -307,7 +311,7 @@ out:
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req(krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
@@ -328,7 +332,7 @@ krb5_verify_ap_req(krb5_context context,
KRB5_KU_AP_REQ_AUTH);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req2(krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
@@ -343,7 +347,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
-
+
if (ticket)
*ticket = NULL;
@@ -358,42 +362,37 @@ krb5_verify_ap_req2(krb5_context context,
t = calloc(1, sizeof(*t));
if (t == NULL) {
ret = ENOMEM;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
if (ap_req->ap_options.use_session_key && ac->keyblock){
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- ac->keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ ac->keyblock,
&t->ticket,
flags);
krb5_free_keyblock(context, ac->keyblock);
ac->keyblock = NULL;
}else
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ keyblock,
&t->ticket,
flags);
-
+
if(ret)
goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->server,
- ap_req->ticket.sname,
+ ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->client,
- t->ticket.cname,
+ t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
- /* save key */
-
- ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
- if (ret) goto out;
-
ret = decrypt_authenticator (context,
&t->ticket.key,
&ap_req->authenticator,
@@ -405,13 +404,13 @@ krb5_verify_ap_req2(krb5_context context,
{
krb5_principal p1, p2;
krb5_boolean res;
-
+
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
ac->authenticator->crealm);
_krb5_principalname2krb5_principal(context,
- &p2,
+ &p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare (context, p1, p2);
@@ -419,7 +418,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_free_principal (context, p2);
if (!res) {
ret = KRB5KRB_AP_ERR_BADMATCH;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
}
@@ -432,7 +431,7 @@ krb5_verify_ap_req2(krb5_context context,
ac->remote_address,
t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
@@ -444,7 +443,7 @@ krb5_verify_ap_req2(krb5_context context,
if (abs(ac->authenticator->ctime - now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
}
@@ -469,7 +468,7 @@ krb5_verify_ap_req2(krb5_context context,
ac->keytype = ETYPE_NULL;
if (etypes.val) {
- int i;
+ size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
@@ -479,6 +478,10 @@ krb5_verify_ap_req2(krb5_context context,
}
}
+ /* save key */
+ ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
+ if (ret) goto out;
+
if (ap_req_options) {
*ap_req_options = 0;
if (ac->keytype != ETYPE_NULL)
@@ -507,7 +510,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_con_free (context, ac);
return ret;
}
-
+
/*
*
*/
@@ -522,47 +525,72 @@ struct krb5_rd_req_out_ctx_data {
krb5_keyblock *keyblock;
krb5_flags ap_req_options;
krb5_ticket *ticket;
+ krb5_principal server;
};
-/*
+/**
+ * Allocate a krb5_rd_req_in_ctx as an input parameter to
+ * krb5_rd_req_ctx(). The caller should free the context with
+ * krb5_rd_req_in_ctx_free() when done with the context.
+ *
+ * @param context Keberos 5 context.
+ * @param ctx in ctx to krb5_rd_req_ctx().
*
+ * @return Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_auth
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
{
*ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
(*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keytab(krb5_context context,
+/**
+ * Set the keytab that krb5_rd_req_ctx() will use.
+ *
+ * @param context Keberos 5 context.
+ * @param in in ctx to krb5_rd_req_ctx().
+ * @param keytab keytab that krb5_rd_req_ctx() will use, only copy the
+ * pointer, so the caller must free they keytab after
+ * krb5_rd_req_in_ctx_free() is called.
+ *
+ * @return Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_auth
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_in_set_keytab(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_keytab keytab)
{
- in->keytab = keytab; /* XXX should make copy */
+ in->keytab = keytab;
return 0;
}
/**
* Set if krb5_rq_red() is going to check the Windows PAC or not
- *
+ *
* @param context Keberos 5 context.
* @param in krb5_rd_req_in_ctx to check the option on.
* @param flag flag to select if to check the pac (TRUE) or not (FALSE).
*
* @return Kerberos 5 error code, see krb5_get_error_message().
*
- * @ingroup krb5
+ * @ingroup krb5_auth
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_pac_check(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_in_set_pac_check(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_boolean flag)
{
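Review bot: The new doc comment on krb5_rd_req_in_set_keytab() states the ownership rule in a way that is easy to misread: `so the caller must free they keytab after krb5_rd_req_in_ctx_free() is called`. The function stores only the pointer (`in->keytab = keytab;`), so what a caller needs to know is that the keytab has to stay open for as long as the in-context is in use. Suggested wording: `only the pointer is stored, so the caller must keep the keytab open until krb5_rd_req_in_ctx_free() has been called and close it afterwards`. The added comments in this hunk also spell Kerberos as `Keberos`.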
@@ -571,8 +599,8 @@ krb5_rd_req_in_set_pac_check(krb5_context context,
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keyblock(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_in_set_keyblock(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_keyblock *keyblock)
{
@@ -580,8 +608,8 @@ krb5_rd_req_in_set_keyblock(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ap_req_options(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_out_get_ap_req_options(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_flags *ap_req_options)
{
@@ -589,43 +617,66 @@ krb5_rd_req_out_get_ap_req_options(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ticket(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_out_get_ticket(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_ticket **ticket)
{
return krb5_copy_ticket(context, out->ticket, ticket);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_keyblock(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_out_get_keyblock(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_keyblock **keyblock)
{
return krb5_copy_keyblock(context, out->keyblock, keyblock);
}
-void KRB5_LIB_FUNCTION
-krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
+/**
+ * Get the principal that was used in the request from the
+ * client. Might not match whats in the ticket if krb5_rd_req_ctx()
+ * searched in the keytab for a matching key.
+ *
+ * @param context a Kerberos 5 context.
+ * @param out a krb5_rd_req_out_ctx from krb5_rd_req_ctx().
+ * @param principal return principal, free with krb5_free_principal().
+ *
+ * @ingroup krb5_auth
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_rd_req_out_get_server(krb5_context context,
+ krb5_rd_req_out_ctx out,
+ krb5_principal *principal)
{
- free(ctx);
+ return krb5_copy_principal(context, out->server, principal);
}
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx)
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
{
- *ctx = calloc(1, sizeof(**ctx));
- if (*ctx == NULL) {
- krb5_set_error_string(context, "out of memory");
- return ENOMEM;
- }
- return 0;
+ free(ctx);
}
-void KRB5_LIB_FUNCTION
+/**
+ * Free the krb5_rd_req_out_ctx.
+ *
+ * @param context Keberos 5 context.
+ * @param ctx krb5_rd_req_out_ctx context to free.
+ *
+ * @ingroup krb5_auth
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
{
- krb5_free_keyblock(context, ctx->keyblock);
+ if (ctx->ticket)
+ krb5_free_ticket(context, ctx->ticket);
+ if (ctx->keyblock)
+ krb5_free_keyblock(context, ctx->keyblock);
+ if (ctx->server)
+ krb5_free_principal(context, ctx->server);
free(ctx);
}
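Review bot: The doc comment added for krb5_rd_req_out_get_server() should say that the returned name is not authenticated. In krb5_rd_req_ctx(), later in this file, `o->server` is filled from `ap_req.ticket.sname` and `ap_req.ticket.realm` before any key is looked up or the ticket is decrypted, so it is whatever name the client put in the request. I would add a sentence such as `The name is copied from the request before it is verified and is not authenticated; do not use it for access decisions.` The comment is also missing the `@return` line that the other new comments in this file carry.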
@@ -633,7 +684,7 @@ krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
*
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
@@ -649,7 +700,7 @@ krb5_rd_req(krb5_context context,
ret = krb5_rd_req_in_ctx_alloc(context, &in);
if (ret)
return ret;
-
+
ret = krb5_rd_req_in_set_keytab(context, in, keytab);
if (ret) {
krb5_rd_req_in_ctx_free(context, in);
@@ -678,7 +729,7 @@ out:
*
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_with_keyblock(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
@@ -694,7 +745,7 @@ krb5_rd_req_with_keyblock(krb5_context context,
ret = krb5_rd_req_in_ctx_alloc(context, &in);
if (ret)
return ret;
-
+
ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
if (ret) {
krb5_rd_req_in_ctx_free(context, in);
@@ -725,7 +776,6 @@ out:
static krb5_error_code
get_key_from_keytab(krb5_context context,
- krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keytab keytab,
@@ -740,7 +790,7 @@ get_key_from_keytab(krb5_context context,
krb5_kt_default(context, &real_keytab);
else
real_keytab = keytab;
-
+
if (ap_req->ticket.enc_part.kvno)
kvno = *ap_req->ticket.enc_part.kvno;
else
@@ -756,18 +806,38 @@ get_key_from_keytab(krb5_context context,
goto out;
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
krb5_kt_free_entry (context, &entry);
-out:
+out:
if(keytab == NULL)
krb5_kt_close(context, real_keytab);
-
+
return ret;
}
-/*
+/**
+ * The core server function that verify application authentication
+ * requests from clients.
+ *
+ * @param context Keberos 5 context.
+ * @param auth_context the authentication context, can be NULL, then
+ * default values for the authentication context will used.
+ * @param inbuf the (AP-REQ) authentication buffer
*
+ * @param server the server with authenticate as, if NULL the function
+ * will try to find any available credential in the keytab
+ * that will verify the reply. The function will prefer the
+ * server the server client specified in the AP-REQ, but if
+ * there is no mach, it will try all keytab entries for a
+ * match. This have serious performance issues for larger keytabs.
+ *
+ * @param inctx control the behavior of the function, if NULL, the
+ * default behavior is used.
+ * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free().
+ * @return Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_auth
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_ctx(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
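Review bot: The new `@param auth_context` text says the argument `can be NULL`, but the body dereferences it unconditionally (`if (*auth_context == NULL)`, visible in the next hunk), so it is the handle it points to that may be NULL, not the pointer itself. Suggested wording: `pointer to the authentication context; *auth_context may be NULL, in which case a context with default values is initialised there`. In the `@param server` text, `no mach` should read `no match`. The body of krb5_rd_req_ctx is outside this hunk.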
@@ -777,12 +847,18 @@ krb5_rd_req_ctx(krb5_context context,
{
krb5_error_code ret;
krb5_ap_req ap_req;
- krb5_principal service = NULL;
krb5_rd_req_out_ctx o = NULL;
+ krb5_keytab id = NULL, keytab = NULL;
+ krb5_principal service = NULL;
- ret = _krb5_rd_req_out_ctx_alloc(context, &o);
- if (ret)
- goto out;
+ *outctx = NULL;
+
+ o = calloc(1, sizeof(*o));
+ if (o == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
if (*auth_context == NULL) {
ret = krb5_auth_con_init(context, auth_context);
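Review bot: The added `*outctx = NULL;` dereferences outctx unconditionally, while the cleanup at `out:` later in this function still tests `outctx == NULL` and treats that as a supported call. A caller that passes NULL now faults on entry instead of having the result discarded. Either guard the store, `if (outctx) *outctx = NULL;`, or drop the NULL test at `out:` and document that outctx is required. The function body continues outside this hunk.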
@@ -794,66 +870,171 @@ krb5_rd_req_ctx(krb5_context context,
if(ret)
goto out;
- if(server == NULL){
- ret = _krb5_principalname2krb5_principal(context,
- &service,
- ap_req.ticket.sname,
- ap_req.ticket.realm);
- if (ret)
- goto out;
- server = service;
- }
+ /* Save that principal that was in the request */
+ ret = _krb5_principalname2krb5_principal(context,
+ &o->server,
+ ap_req.ticket.sname,
+ ap_req.ticket.realm);
+ if (ret)
+ goto out;
+
if (ap_req.ap_options.use_session_key &&
(*auth_context)->keyblock == NULL) {
- krb5_set_error_string(context, "krb5_rd_req: user to user auth "
- "without session key given");
ret = KRB5KRB_AP_ERR_NOKEY;
+ krb5_set_error_message(context, ret,
+ N_("krb5_rd_req: user to user auth "
+ "without session key given", ""));
goto out;
}
+ if (inctx && inctx->keytab)
+ id = inctx->keytab;
+
if((*auth_context)->keyblock){
ret = krb5_copy_keyblock(context,
(*auth_context)->keyblock,
&o->keyblock);
if (ret)
goto out;
- } else if(inctx->keyblock){
+ } else if(inctx && inctx->keyblock){
ret = krb5_copy_keyblock(context,
inctx->keyblock,
&o->keyblock);
if (ret)
goto out;
} else {
- krb5_keytab keytab = NULL;
- if (inctx && inctx->keytab)
- keytab = inctx->keytab;
+ if(id == NULL) {
+ krb5_kt_default(context, &keytab);
+ id = keytab;
+ }
+ if (id == NULL)
+ goto out;
- ret = get_key_from_keytab(context,
- auth_context,
+ if (server == NULL) {
+ ret = _krb5_principalname2krb5_principal(context,
+ &service,
+ ap_req.ticket.sname,
+ ap_req.ticket.realm);
+ if (ret)
+ goto out;
+ server = service;
+ }
+
+ ret = get_key_from_keytab(context,
&ap_req,
server,
- keytab,
+ id,
&o->keyblock);
- if(ret)
- goto out;
+ if (ret) {
+ /* If caller specified a server, fail. */
+ if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
+ goto out;
+ /* Otherwise, fall back to iterating over the keytab. This
+ * have serious performace issues for larger keytab.
+ */
+ o->keyblock = NULL;
+ }
}
- ret = krb5_verify_ap_req2(context,
- auth_context,
- &ap_req,
- server,
- o->keyblock,
- 0,
- &o->ap_req_options,
- &o->ticket,
- KRB5_KU_AP_REQ_AUTH);
+ if (o->keyblock) {
+ /*
+ * We got an exact keymatch, use that.
+ */
- if (ret)
- goto out;
+ ret = krb5_verify_ap_req2(context,
+ auth_context,
+ &ap_req,
+ server,
+ o->keyblock,
+ 0,
+ &o->ap_req_options,
+ &o->ticket,
+ KRB5_KU_AP_REQ_AUTH);
+
+ if (ret)
+ goto out;
+
+ } else {
+ /*
+ * Interate over keytab to find a key that can decrypt the request.
+ */
+
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ int done = 0, kvno = 0;
+
+ memset(&cursor, 0, sizeof(cursor));
+
+ if (ap_req.ticket.enc_part.kvno)
+ kvno = *ap_req.ticket.enc_part.kvno;
+
+ ret = krb5_kt_start_seq_get(context, id, &cursor);
+ if (ret)
+ goto out;
+
+ done = 0;
+ while (!done) {
+ krb5_principal p;
+
+ ret = krb5_kt_next_entry(context, id, &entry, &cursor);
+ if (ret) {
+ _krb5_kt_principal_not_found(context, ret, id, o->server,
+ ap_req.ticket.enc_part.etype,
+ kvno);
+ goto out;
+ }
+
+ if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype) {
+ krb5_kt_free_entry (context, &entry);
+ continue;
+ }
+
+ ret = krb5_verify_ap_req2(context,
+ auth_context,
+ &ap_req,
+ server,
+ &entry.keyblock,
+ 0,
+ &o->ap_req_options,
+ &o->ticket,
+ KRB5_KU_AP_REQ_AUTH);
+ if (ret) {
+ krb5_kt_free_entry (context, &entry);
+ continue;
+ }
+
+ /*
+ * Found a match, save the keyblock for PAC processing,
+ * and update the service principal in the ticket to match
+ * whatever is in the keytab.
+ */
+
+ ret = krb5_copy_keyblock(context,
+ &entry.keyblock,
+ &o->keyblock);
+ if (ret) {
+ krb5_kt_free_entry (context, &entry);
+ goto out;
+ }
+
+ ret = krb5_copy_principal(context, entry.principal, &p);
+ if (ret) {
+ krb5_kt_free_entry (context, &entry);
+ goto out;
+ }
+ krb5_free_principal(context, o->ticket->server);
+ o->ticket->server = p;
+
+ krb5_kt_free_entry (context, &entry);
+
+ done = 1;
+ }
+ krb5_kt_end_seq_get (context, id, &cursor);
+ }
/* If there is a PAC, verify its server signature */
- if (inctx->check_pac) {
+ if (inctx == NULL || inctx->check_pac) {
krb5_pac pac;
krb5_data data;
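Review bot: In the new keytab branch the result of `krb5_kt_default(context, &keytab)` is discarded, and the following `if (id == NULL) goto out;` is reached with `ret` still 0 from the principal conversion above. If the default keytab cannot be opened and `keytab` stays NULL (krb5_kt_default is not shown here, so this is inferred), the function returns success and hands back an out-context for which no ticket was ever verified. Suggested: `ret = krb5_kt_default(context, &keytab); if (ret) goto out;` before `id = keytab;`. Separately, every `goto out` inside the `while (!done)` loop skips `krb5_kt_end_seq_get (context, id, &cursor);`, so the cursor is left open on those paths. krb5_rd_req_ctx starts and ends outside this hunk.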
@@ -866,27 +1047,33 @@ krb5_rd_req_ctx(krb5_context context,
krb5_data_free(&data);
if (ret)
goto out;
-
+
ret = krb5_pac_verify(context,
- pac,
+ pac,
o->ticket->ticket.authtime,
- o->ticket->client,
- o->keyblock,
+ o->ticket->client,
+ o->keyblock,
NULL);
krb5_pac_free(context, pac);
if (ret)
goto out;
- }
- ret = 0;
+ } else
+ ret = 0;
}
out:
+
if (ret || outctx == NULL) {
krb5_rd_req_out_ctx_free(context, o);
- } else
+ } else
*outctx = o;
free_AP_REQ(&ap_req);
- if(service)
+
+ if (service)
krb5_free_principal(context, service);
+
+ if (keytab)
+ krb5_kt_close(context, keytab);
+
return ret;
}
diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
index b2fb5c59d776..e62906b1f723 100644
--- a/crypto/heimdal/lib/krb5/rd_safe.c
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -1,39 +1,37 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-#include <krb5_locl.h>
-
-RCSID("$Id: rd_safe.c 19827 2007-01-11 02:54:59Z lha $");
+#include "krb5_locl.h"
static krb5_error_code
verify_checksum(krb5_context context,
@@ -43,7 +41,7 @@ verify_checksum(krb5_context context,
krb5_error_code ret;
u_char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
Checksum c;
krb5_crypto crypto;
krb5_keyblock *key;
@@ -82,7 +80,7 @@ out:
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_safe(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
@@ -93,33 +91,39 @@ krb5_rd_safe(krb5_context context,
KRB_SAFE safe;
size_t len;
- if (outbuf)
- krb5_data_zero(outbuf);
+ krb5_data_zero(outbuf);
- if ((auth_context->flags &
- (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- outdata == NULL) {
- krb5_set_error_string(context, "rd_safe: need outdata to return data");
- return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)))
+ {
+ if (outdata == NULL) {
+ krb5_set_error_message(context, KRB5_RC_REQUIRED,
+ N_("rd_safe: need outdata "
+ "to return data", ""));
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ }
+ /* if these fields are not present in the safe-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
}
ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
- if (ret)
+ if (ret)
return ret;
if (safe.pvno != 5) {
ret = KRB5KRB_AP_ERR_BADVERSION;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
if (safe.msg_type != krb_safe) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype)
|| !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) {
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
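Review bot: `krb5_data_zero(outbuf)` now runs without the old `if (outbuf)` guard, so a NULL `outbuf` faults on entry instead of later. A later hunk of this function assigns `outbuf->length` unconditionally, so NULL was probably never usable, but the contract is not stated anywhere in the visible code. Either document it above the function, `/* outbuf must be non-NULL; it is zeroed on entry and filled only on success */`, or reject a NULL `outbuf` explicitly before the first use. The body of krb5_rd_safe continues outside this hunk.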
@@ -131,7 +135,7 @@ krb5_rd_safe(krb5_context context,
auth_context->remote_address,
safe.safe_body.s_address)) {
ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
@@ -143,7 +147,7 @@ krb5_rd_safe(krb5_context context,
auth_context->local_address,
safe.safe_body.r_address)) {
ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
@@ -157,7 +161,7 @@ krb5_rd_safe(krb5_context context,
safe.safe_body.usec == NULL ||
abs(*safe.safe_body.timestamp - sec) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
}
@@ -174,7 +178,7 @@ krb5_rd_safe(krb5_context context,
&& *safe.safe_body.seq_number !=
auth_context->remote_seqnumber)) {
ret = KRB5KRB_AP_ERR_BADORDER;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto failure;
}
auth_context->remote_seqnumber++;
@@ -183,22 +187,20 @@ krb5_rd_safe(krb5_context context,
ret = verify_checksum (context, auth_context, &safe);
if (ret)
goto failure;
-
+
outbuf->length = safe.safe_body.user_data.length;
outbuf->data = malloc(outbuf->length);
if (outbuf->data == NULL && outbuf->length != 0) {
ret = ENOMEM;
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
krb5_data_zero(outbuf);
goto failure;
}
memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
- if ((auth_context->flags &
+ if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
- /* if these fields are not present in the safe-part, silently
- return zero */
- memset(outdata, 0, sizeof(*outdata));
+
if(safe.safe_body.timestamp)
outdata->timestamp = *safe.safe_body.timestamp;
if(safe.safe_body.usec)
diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c
index 5e03507b66a5..4e9bd012dd67 100644
--- a/crypto/heimdal/lib/krb5/read_message.c
+++ b/crypto/heimdal/lib/krb5/read_message.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: read_message.c 21750 2007-07-31 20:41:25Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_message (krb5_context context,
krb5_pointer p_fd,
krb5_data *data)
@@ -49,29 +47,29 @@ krb5_read_message (krb5_context context,
ret = krb5_net_read (context, p_fd, buf, 4);
if(ret == -1) {
ret = errno;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return ret;
}
if(ret < 4) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return HEIM_ERR_EOF;
}
len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
ret = krb5_data_alloc (data, len);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
if (krb5_net_read (context, p_fd, data->data, len) != len) {
ret = errno;
krb5_data_free (data);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return ret;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_priv_message(krb5_context context,
krb5_auth_context ac,
krb5_pointer p_fd,
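Review bot: The 4-byte length read from the peer goes straight into `krb5_data_alloc (data, len)` with no upper bound, so the remote side chooses the allocation size before any message content has been checked. A cap belongs between the `len = ...` line and the allocation, for example `if (len > READ_MESSAGE_MAX) return ERANGE;`, where `READ_MESSAGE_MAX` is a placeholder for whatever limit the callers can tolerate. Separately, the short-read branch on the body returns `errno`, which is not necessarily set when the peer simply closes the connection mid-message, so the function can return 0 with `data` already freed. Mapping a short non-negative count to `HEIM_ERR_EOF`, as the header read above does, would avoid that. The declarations of `buf` and `len` are outside the hunk.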
@@ -88,7 +86,7 @@ krb5_read_priv_message(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_read_safe_message(krb5_context context,
krb5_auth_context ac,
krb5_pointer p_fd,
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
index 03482851268c..78e98a10fc1b 100644
--- a/crypto/heimdal/lib/krb5/recvauth.c
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: recvauth.c 20306 2007-04-11 11:15:55Z lha $");
-
/*
* See `sendauth.c' for the format.
*/
@@ -45,7 +43,7 @@ match_exact(const void *data, const char *appl_version)
return strcmp(data, appl_version) == 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
@@ -61,11 +59,11 @@ krb5_recvauth(krb5_context context,
keytab, ticket);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth_match_version(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
- krb5_boolean (*match_appl_version)(const void *,
+ krb5_boolean (*match_appl_version)(const void *,
const char*),
const void *match_data,
krb5_principal server,
@@ -103,11 +101,12 @@ krb5_recvauth_match_version(krb5_context context,
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
- krb5_set_error_string (context, "read: %s", strerror(errno));
+ krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
- krb5_set_error_string (context, "Failed to receive sendauth data");
+ krb5_set_error_message(context, KRB5_SENDAUTH_BADAUTHVERS,
+ N_("Failed to receive sendauth data", ""));
return KRB5_SENDAUTH_BADAUTHVERS;
}
len = ntohl(len);
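Review bot: A read that returns 1 to 3 bytes passes both checks (`n < 0` and `n == 0`) and reaches `len = ntohl(len)` with `len` only partly filled in. The `ret < 4` test in read_message.c suggests `krb5_net_read` can return a short count, so testing for the full length with `if (n != 4)` in place of `if (n == 0)` would close the gap. The same pattern appears in the hunk at -124 for the application-version length. The declaration of `len` is outside the hunk, so whether it is initialised is not visible here.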
@@ -116,7 +115,7 @@ krb5_recvauth_match_version(krb5_context context,
|| strncmp (version, her_version, len)) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAUTHVERS;
}
}
@@ -124,11 +123,11 @@ krb5_recvauth_match_version(krb5_context context,
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
- krb5_set_error_string (context, "read: %s", strerror(errno));
+ krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
@@ -136,14 +135,16 @@ krb5_recvauth_match_version(krb5_context context,
if (her_appl_version == NULL) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if (krb5_net_read (context, p_fd, her_appl_version, len) != len
|| !(*match_appl_version)(match_data, her_appl_version)) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
- krb5_set_error_string (context, "wrong sendauth version (%s)",
+ krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
+ N_("wrong sendauth version (%s)", ""),
her_appl_version);
free (her_appl_version);
return KRB5_SENDAUTH_BADAPPLVERS;
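Review bot: `her_appl_version` is filled with `len` bytes from the peer and then handed to `match_appl_version` and to the `%s` in the new `krb5_set_error_message` call, but nothing visible verifies that it ends in a NUL. `match_exact` in this file runs `strcmp` on it, so an unterminated buffer is read past its end. After the read and before the match callback, a separate test `if (len == 0 || her_appl_version[len - 1] != '\0')` should take the same reply-2 failure path, without formatting the buffer into the error message. `len` is also chosen by the peer and, as far as this hunk shows, unbounded when the buffer is allocated; the allocation line is outside the hunk.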
@@ -153,7 +154,7 @@ krb5_recvauth_match_version(krb5_context context,
repl = 0;
if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(errno));
+ krb5_set_error_message(context, ret, "write: %s", strerror(ret));
return ret;
}
@@ -188,23 +189,31 @@ krb5_recvauth_match_version(krb5_context context,
krb5_data_free (&error_data);
}
return ret;
- }
+ }
len = 0;
if (krb5_net_write (context, p_fd, &len, 4) != 4) {
ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(errno));
+ krb5_set_error_message(context, ret, "write: %s", strerror(ret));
+ krb5_free_ticket(context, *ticket);
+ *ticket = NULL;
return ret;
}
if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
ret = krb5_mk_rep (context, *auth_context, &data);
- if (ret)
+ if (ret) {
+ krb5_free_ticket(context, *ticket);
+ *ticket = NULL;
return ret;
+ }
ret = krb5_write_message (context, p_fd, &data);
- if (ret)
+ if (ret) {
+ krb5_free_ticket(context, *ticket);
+ *ticket = NULL;
return ret;
+ }
krb5_data_free (&data);
}
return 0;
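Review bot: When `krb5_write_message` fails in the mutual-authentication branch, the new cleanup frees `*ticket` but returns before `krb5_data_free (&data)` is reached, so the reply built by `krb5_mk_rep` leaks. Add `krb5_data_free (&data);` ahead of `krb5_free_ticket(context, *ticket);` in that branch. The three new cleanup blocks also dereference `ticket` unconditionally; if callers may pass `ticket == NULL` (not visible in this hunk), each needs an `if (ticket)` guard. The function starts outside the hunk.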
diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c
index 12894d96a95e..965dd44437d9 100644
--- a/crypto/heimdal/lib/krb5/replay.c
+++ b/crypto/heimdal/lib/krb5/replay.c
@@ -1,78 +1,79 @@
/*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <vis.h>
-RCSID("$Id: replay.c 17047 2006-04-10 17:13:49Z lha $");
-
struct krb5_rcache_data {
char *name;
};
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve(krb5_context context,
krb5_rcache id,
const char *name)
{
id->name = strdup(name);
if(id->name == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_RC_MALLOC,
+ N_("malloc: out of memory", ""));
return KRB5_RC_MALLOC;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve_type(krb5_context context,
krb5_rcache *id,
const char *type)
{
*id = NULL;
if(strcmp(type, "FILE")) {
- krb5_set_error_string (context, "replay cache type %s not supported",
- type);
+ krb5_set_error_message (context, KRB5_RC_TYPE_NOTFOUND,
+ N_("replay cache type %s not supported", ""),
+ type);
return KRB5_RC_TYPE_NOTFOUND;
}
*id = calloc(1, sizeof(**id));
if(*id == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_RC_MALLOC,
+ N_("malloc: out of memory", ""));
return KRB5_RC_MALLOC;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_resolve_full(krb5_context context,
krb5_rcache *id,
const char *string_name)
@@ -82,7 +83,8 @@ krb5_rc_resolve_full(krb5_context context,
*id = NULL;
if(strncmp(string_name, "FILE:", 5)) {
- krb5_set_error_string (context, "replay cache type %s not supported",
+ krb5_set_error_message(context, KRB5_RC_TYPE_NOTFOUND,
+ N_("replay cache type %s not supported", ""),
string_name);
return KRB5_RC_TYPE_NOTFOUND;
}
@@ -97,19 +99,19 @@ krb5_rc_resolve_full(krb5_context context,
return ret;
}
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_default_name(krb5_context context)
{
return "FILE:/var/run/default_rcache";
}
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_default_type(krb5_context context)
{
return "FILE";
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_default(krb5_context context,
krb5_rcache *id)
{
@@ -121,7 +123,7 @@ struct rc_entry{
unsigned char data[16];
};
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_initialize(krb5_context context,
krb5_rcache id,
krb5_deltat auth_lifespan)
@@ -131,9 +133,10 @@ krb5_rc_initialize(krb5_context context,
int ret;
if(f == NULL) {
+ char buf[128];
ret = errno;
- krb5_set_error_string (context, "open(%s): %s", id->name,
- strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
return ret;
}
tmp.stamp = auth_lifespan;
@@ -142,29 +145,30 @@ krb5_rc_initialize(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_recover(krb5_context context,
krb5_rcache id)
{
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_destroy(krb5_context context,
krb5_rcache id)
{
int ret;
if(remove(id->name) < 0) {
+ char buf[128];
ret = errno;
- krb5_set_error_string (context, "remove(%s): %s", id->name,
- strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "remove(%s): %s", id->name, buf);
return ret;
}
return krb5_rc_close(context, id);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_close(krb5_context context,
krb5_rcache id)
{
@@ -176,20 +180,23 @@ krb5_rc_close(krb5_context context,
static void
checksum_authenticator(Authenticator *auth, void *data)
{
- MD5_CTX md5;
- int i;
+ EVP_MD_CTX *m = EVP_MD_CTX_create();
+ unsigned i;
+
+ EVP_DigestInit_ex(m, EVP_md5(), NULL);
- MD5_Init (&md5);
- MD5_Update (&md5, auth->crealm, strlen(auth->crealm));
+ EVP_DigestUpdate(m, auth->crealm, strlen(auth->crealm));
for(i = 0; i < auth->cname.name_string.len; i++)
- MD5_Update(&md5, auth->cname.name_string.val[i],
+ EVP_DigestUpdate(m, auth->cname.name_string.val[i],
strlen(auth->cname.name_string.val[i]));
- MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime));
- MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec));
- MD5_Final (data, &md5);
+ EVP_DigestUpdate(m, &auth->ctime, sizeof(auth->ctime));
+ EVP_DigestUpdate(m, &auth->cusec, sizeof(auth->cusec));
+
+ EVP_DigestFinal_ex(m, data, NULL);
+ EVP_MD_CTX_destroy(m);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_store(krb5_context context,
krb5_rcache id,
krb5_donot_replay *rep)
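Review bot: `EVP_MD_CTX_create()` can return NULL and the result is passed unchecked to `EVP_DigestInit_ex`; the return values of the digest calls are ignored as well. Because `checksum_authenticator` returns `void`, a failure leaves `data` (the hash stored in the replay-cache entry) unwritten with no way for `krb5_rc_store` to notice. Returning an error code and letting the caller propagate it is the smallest fix. The call site `checksum_authenticator(rep, ent.data)` is in the next hunk and would need to check the result.

```c
static krb5_error_code
checksum_authenticator(Authenticator *auth, void *data)
{
    EVP_MD_CTX *m = EVP_MD_CTX_create();
    unsigned i;

    if (m == NULL)
        return ENOMEM;
    /* … unchanged: EVP_DigestInit_ex and the EVP_DigestUpdate calls … */
    EVP_DigestFinal_ex(m, data, NULL);
    EVP_MD_CTX_destroy(m);
    return 0;
}
```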
@@ -203,11 +210,13 @@ krb5_rc_store(krb5_context context,
checksum_authenticator(rep, ent.data);
f = fopen(id->name, "r");
if(f == NULL) {
+ char buf[128];
ret = errno;
- krb5_set_error_string (context, "open(%s): %s", id->name,
- strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
return ret;
}
+ rk_cloexec_file(f);
fread(&tmp, sizeof(ent), 1, f);
t = ent.stamp - tmp.stamp;
while(fread(&tmp, sizeof(ent), 1, f)){
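Review bot: The first `fread(&tmp, sizeof(ent), 1, f)` is unchecked, so on an empty or truncated cache file `tmp.stamp` feeds `t = ent.stamp - tmp.stamp` without having been read (unless `tmp` is initialised at its declaration, which is outside the hunk). The expiry window used by the scan loop is then arbitrary, and entries that should count as replays may be skipped. Check the header read with `if (fread(&tmp, sizeof(ent), 1, f) != 1)`, close `f` and return `KRB5_RC_IO_UNKNOWN` in that case. The function body continues in the following hunk.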
@@ -215,21 +224,26 @@ krb5_rc_store(krb5_context context,
continue;
if(memcmp(tmp.data, ent.data, sizeof(ent.data)) == 0){
fclose(f);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_RC_REPLAY;
}
}
if(ferror(f)){
+ char buf[128];
ret = errno;
fclose(f);
- krb5_set_error_string (context, "%s: %s", id->name, strerror(ret));
+ rk_strerror_r(ret, buf, sizeof(buf));
+ krb5_set_error_message(context, ret, "%s: %s",
+ id->name, buf);
return ret;
}
fclose(f);
f = fopen(id->name, "a");
if(f == NULL) {
- krb5_set_error_string (context, "open(%s): %s", id->name,
- strerror(errno));
+ char buf[128];
+ rk_strerror_r(errno, buf, sizeof(buf));
+ krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+ "open(%s): %s", id->name, buf);
return KRB5_RC_IO_UNKNOWN;
}
fwrite(&ent, 1, sizeof(ent), f);
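Review bot: The result of `fwrite(&ent, 1, sizeof(ent), f)` is ignored, so a full disk or I/O error leaves the authenticator unrecorded while the function still returns 0, and a later replay of the same authenticator would pass the scan above. Compare the return value with `sizeof(ent)` and return `KRB5_RC_IO_UNKNOWN` on a short write; the `fclose` that follows, outside the hunk, deserves the same check since it flushes the buffer. The file is also closed after the scan and reopened with `"a"` with no lock visible here, so two processes handling the same authenticator at the same time could both miss it. A comment stating that limitation, or a lock held across scan and append, would make the guarantee explicit.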
@@ -237,14 +251,14 @@ krb5_rc_store(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_expunge(krb5_context context,
krb5_rcache id)
{
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_get_lifespan(krb5_context context,
krb5_rcache id,
krb5_deltat *auth_lifespan)
@@ -258,27 +272,27 @@ krb5_rc_get_lifespan(krb5_context context,
*auth_lifespan = ent.stamp;
return 0;
}
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_RC_IO_UNKNOWN;
}
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_name(krb5_context context,
krb5_rcache id)
{
return id->name;
}
-
-const char* KRB5_LIB_FUNCTION
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_type(krb5_context context,
krb5_rcache id)
{
return "FILE";
}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_server_rcache(krb5_context context,
- const krb5_data *piece,
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_server_rcache(krb5_context context,
+ const krb5_data *piece,
krb5_rcache *id)
{
krb5_rcache rcache;
@@ -288,18 +302,20 @@ krb5_get_server_rcache(krb5_context context,
char *name;
if(tmp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL);
#ifdef HAVE_GETEUID
- asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid());
+ ret = asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid());
#else
- asprintf(&name, "FILE:rc_%s", tmp);
+ ret = asprintf(&name, "FILE:rc_%s", tmp);
#endif
free(tmp);
- if(name == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ if(ret < 0 || name == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
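Review bot: The cache name built here, `FILE:rc_%s_%u`, is a relative path, so the replay cache is created in whatever the process's current directory happens to be, and the same service started from two directories gets two independent caches. `strvisx` with `VIS_WHITE | VIS_OCTAL` escapes whitespace and non-printing bytes but, as far as I know, leaves `/` untouched, so `piece` should be rejected if `memchr(piece->data, '/', piece->length) != NULL` whenever it can originate outside the process. A comment above the `asprintf` calls saying where the file is expected to live would also help. The start of krb5_get_server_rcache, including the allocation of `tmp`, is outside the hunk.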
diff --git a/crypto/heimdal/lib/krb5/salt-aes.c b/crypto/heimdal/lib/krb5/salt-aes.c
new file mode 100644
index 000000000000..32dafd68cb88
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/salt-aes.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+int _krb5_AES_string_to_default_iterator = 4096;
+
+static krb5_error_code
+AES_string_to_key(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ uint32_t iter;
+ struct _krb5_encryption_type *et;
+ struct _krb5_key_data kd;
+
+ if (opaque.length == 0)
+ iter = _krb5_AES_string_to_default_iterator;
+ else if (opaque.length == 4) {
+ unsigned long v;
+ _krb5_get_int(opaque.data, &v, 4);
+ iter = ((uint32_t)v);
+ } else
+ return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
+
+ et = _krb5_find_enctype(enctype);
+ if (et == NULL)
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+
+ kd.schedule = NULL;
+ ALLOC(kd.key, 1);
+ if(kd.key == NULL) {
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ kd.key->keytype = enctype;
+ ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+ if (ret) {
+ krb5_set_error_message (context, ret, N_("malloc: out of memory", ""));
+ return ret;
+ }
+
+ ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
+ salt.saltvalue.data, salt.saltvalue.length,
+ iter,
+ et->keytype->size, kd.key->keyvalue.data);
+ if (ret != 1) {
+ _krb5_free_key_data(context, &kd, et);
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "Error calculating s2k");
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+ }
+
+ ret = _krb5_derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
+ if (ret == 0)
+ ret = krb5_copy_keyblock_contents(context, kd.key, key);
+ _krb5_free_key_data(context, &kd, et);
+
+ return ret;
+}
+
+struct salt_type _krb5_AES_salt[] = {
+ {
+ KRB5_PW_SALT,
+ "pw-salt",
+ AES_string_to_key
+ },
+ { 0 }
+};
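Review bot: In AES_string_to_key the iteration count read from the 4-byte `opaque` value is passed to `PKCS5_PBKDF2_HMAC_SHA1` with no range check, so zero, a very small value or the full 32-bit maximum are all accepted. If `opaque` carries string-to-key parameters supplied by the peer (the caller is not in this file, so this is an assumption to confirm), the other side can choose either a trivially cheap derivation or a very expensive one. A guard such as `if (iter == 0) return KRB5_PROG_KEYTYPE_NOSUPP;` plus an upper limit chosen by the project would bound both ends. Separately, when `krb5_data_alloc` fails the function returns without releasing `kd.key`; adding `free(kd.key);` before that `return ret;` closes the leak.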
diff --git a/crypto/heimdal/lib/krb5/salt-arcfour.c b/crypto/heimdal/lib/krb5/salt-arcfour.c
new file mode 100644
index 000000000000..ab5e51270c8e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/salt-arcfour.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+static krb5_error_code
+ARCFOUR_string_to_key(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ uint16_t *s = NULL;
+ size_t len = 0, i;
+ EVP_MD_CTX *m;
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
+ }
+
+ EVP_DigestInit_ex(m, EVP_md4(), NULL);
+
+ ret = wind_utf8ucs2_length(password.data, &len);
+ if (ret) {
+ krb5_set_error_message (context, ret,
+ N_("Password not an UCS2 string", ""));
+ goto out;
+ }
+
+ s = malloc (len * sizeof(s[0]));
+ if (len != 0 && s == NULL) {
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = wind_utf8ucs2(password.data, s, &len);
+ if (ret) {
+ krb5_set_error_message (context, ret,
+ N_("Password not an UCS2 string", ""));
+ goto out;
+ }
+
+ /* LE encoding */
+ for (i = 0; i < len; i++) {
+ unsigned char p;
+ p = (s[i] & 0xff);
+ EVP_DigestUpdate (m, &p, 1);
+ p = (s[i] >> 8) & 0xff;
+ EVP_DigestUpdate (m, &p, 1);
+ }
+
+ key->keytype = enctype;
+ ret = krb5_data_alloc (&key->keyvalue, 16);
+ if (ret) {
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+ goto out;
+ }
+ EVP_DigestFinal_ex (m, key->keyvalue.data, NULL);
+
+ out:
+ EVP_MD_CTX_destroy(m);
+ if (s)
+ memset (s, 0, len);
+ free (s);
+ return ret;
+}
+
+struct salt_type _krb5_arcfour_salt[] = {
+ {
+ KRB5_PW_SALT,
+ "pw-salt",
+ ARCFOUR_string_to_key
+ },
+ { 0 }
+};
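Review bot: The cleanup at `out:` in ARCFOUR_string_to_key wipes only half of the converted password, because `s` holds `len` 16-bit units while `memset (s, 0, len);` clears `len` bytes. `memset (s, 0, len * sizeof(s[0]));` covers the whole buffer. The call `wind_utf8ucs2_length(password.data, &len)` is also given `password.data` without `password.length`, so it appears to rely on the data being NUL-terminated, which a `krb5_data` does not guarantee by itself; a comment stating that requirement, or a length-bounded copy, would make the contract explicit. The `krb5_data_alloc` failure path records `ENOMEM` in the message while returning `ret`; passing `ret` keeps the two consistent.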
diff --git a/crypto/heimdal/lib/krb5/salt-des.c b/crypto/heimdal/lib/krb5/salt-des.c
new file mode 100644
index 000000000000..56b285f72ed0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/salt-des.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HEIM_WEAK_CRYPTO
+
+#ifdef ENABLE_AFS_STRING_TO_KEY
+
+/* This defines the Andrew string_to_key function. It accepts a password
+ * string as input and converts it via a one-way encryption algorithm to a DES
+ * encryption key. It is compatible with the original Andrew authentication
+ * service password database.
+ */
+
+/*
+ * Short passwords, i.e 8 characters or less.
+ */
+static void
+krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
+ krb5_data cell,
+ DES_cblock *key)
+{
+ char password[8+1]; /* crypt is limited to 8 chars anyway */
+ size_t i;
+
+ for(i = 0; i < 8; i++) {
+ char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
+ ((i < cell.length) ?
+ tolower(((unsigned char*)cell.data)[i]) : 0);
+ password[i] = c ? c : 'X';
+ }
+ password[8] = '\0';
+
+ memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
+
+ /* parity is inserted into the LSB so left shift each byte up one
+ bit. This allows ascii characters with a zero MSB to retain as
+ much significance as possible. */
+ for (i = 0; i < sizeof(DES_cblock); i++)
+ ((unsigned char*)key)[i] <<= 1;
+ DES_set_odd_parity (key);
+}
+
+/*
+ * Long passwords, i.e 9 characters or more.
+ */
+static void
+krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
+ krb5_data cell,
+ DES_cblock *key)
+{
+ DES_key_schedule schedule;
+ DES_cblock temp_key;
+ DES_cblock ivec;
+ char password[512];
+ size_t passlen;
+
+ memcpy(password, pw.data, min(pw.length, sizeof(password)));
+ if(pw.length < sizeof(password)) {
+ int len = min(cell.length, sizeof(password) - pw.length);
+ size_t i;
+
+ memcpy(password + pw.length, cell.data, len);
+ for (i = pw.length; i < pw.length + len; ++i)
+ password[i] = tolower((unsigned char)password[i]);
+ }
+ passlen = min(sizeof(password), pw.length + cell.length);
+ memcpy(&ivec, "kerberos", 8);
+ memcpy(&temp_key, "kerberos", 8);
+ DES_set_odd_parity (&temp_key);
+ DES_set_key_unchecked (&temp_key, &schedule);
+ DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
+
+ memcpy(&temp_key, &ivec, 8);
+ DES_set_odd_parity (&temp_key);
+ DES_set_key_unchecked (&temp_key, &schedule);
+ DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
+ memset(&schedule, 0, sizeof(schedule));
+ memset(&temp_key, 0, sizeof(temp_key));
+ memset(&ivec, 0, sizeof(ivec));
+ memset(password, 0, sizeof(password));
+
+ DES_set_odd_parity (key);
+}
+
+static krb5_error_code
+DES_AFS3_string_to_key(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ DES_cblock tmp;
+ if(password.length > 8)
+ krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
+ else
+ krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
+ key->keytype = enctype;
+ krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+ memset(&key, 0, sizeof(key));
+ return 0;
+}
+#endif /* ENABLE_AFS_STRING_TO_KEY */
+
+static void
+DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
+{
+ DES_key_schedule schedule;
+ size_t i;
+ int reverse = 0;
+ unsigned char *p;
+
+ unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
+ 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
+ memset(key, 0, 8);
+
+ p = (unsigned char*)key;
+ for (i = 0; i < length; i++) {
+ unsigned char tmp = data[i];
+ if (!reverse)
+ *p++ ^= (tmp << 1);
+ else
+ *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
+ if((i % 8) == 7)
+ reverse = !reverse;
+ }
+ DES_set_odd_parity(key);
+ if(DES_is_weak_key(key))
+ (*key)[7] ^= 0xF0;
+ DES_set_key_unchecked(key, &schedule);
+ DES_cbc_cksum((void*)data, key, length, &schedule, key);
+ memset(&schedule, 0, sizeof(schedule));
+ DES_set_odd_parity(key);
+ if(DES_is_weak_key(key))
+ (*key)[7] ^= 0xF0;
+}
+
+static krb5_error_code
+krb5_DES_string_to_key(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ unsigned char *s;
+ size_t len;
+ DES_cblock tmp;
+
+#ifdef ENABLE_AFS_STRING_TO_KEY
+ if (opaque.length == 1) {
+ unsigned long v;
+ _krb5_get_int(opaque.data, &v, 1);
+ if (v == 1)
+ return DES_AFS3_string_to_key(context, enctype, password,
+ salt, opaque, key);
+ }
+#endif
+
+ len = password.length + salt.saltvalue.length;
+ s = malloc(len);
+ if(len > 0 && s == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ memcpy(s, password.data, password.length);
+ memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+ DES_string_to_key_int(s, len, &tmp);
+ key->keytype = enctype;
+ krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+ memset(&tmp, 0, sizeof(tmp));
+ memset(s, 0, len);
+ free(s);
+ return 0;
+}
+
+struct salt_type _krb5_des_salt[] = {
+ {
+ KRB5_PW_SALT,
+ "pw-salt",
+ krb5_DES_string_to_key
+ },
+#ifdef ENABLE_AFS_STRING_TO_KEY
+ {
+ KRB5_AFS3_SALT,
+ "afs3-salt",
+ DES_AFS3_string_to_key
+ },
+#endif
+ { 0 }
+};
+#endif
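Review bot: In DES_AFS3_string_to_key the line `memset(&key, 0, sizeof(key));` zeroes the local pointer parameter `key` rather than the derived key in `tmp`, so the DES key material is left on the stack after the function returns. It should read `memset(&tmp, 0, sizeof(tmp));`, which is what krb5_DES_string_to_key does further down in the same file. Both functions also discard the result of `krb5_data_copy` and return 0 unconditionally, so a failed allocation is reported as success. Declaring a `krb5_error_code ret;`, assigning `ret = krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));` and ending with `return ret;` after the wipe would surface it.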
diff --git a/crypto/heimdal/lib/krb5/salt-des3.c b/crypto/heimdal/lib/krb5/salt-des3.c
new file mode 100644
index 000000000000..79140a274f9e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/salt-des3.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef DES3_OLD_ENCTYPE
+static krb5_error_code
+DES3_string_to_key(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ char *str;
+ size_t len;
+ unsigned char tmp[24];
+ DES_cblock keys[3];
+ krb5_error_code ret;
+
+ len = password.length + salt.saltvalue.length;
+ str = malloc(len);
+ if(len != 0 && str == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ memcpy(str, password.data, password.length);
+ memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
+ {
+ DES_cblock ivec;
+ DES_key_schedule s[3];
+ int i;
+
+ ret = _krb5_n_fold(str, len, tmp, 24);
+ if (ret) {
+ memset(str, 0, len);
+ free(str);
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
+ }
+
+ for(i = 0; i < 3; i++){
+ memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+ DES_set_odd_parity(keys + i);
+ if(DES_is_weak_key(keys + i))
+ _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+ DES_set_key_unchecked(keys + i, &s[i]);
+ }
+ memset(&ivec, 0, sizeof(ivec));
+ DES_ede3_cbc_encrypt(tmp,
+ tmp, sizeof(tmp),
+ &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT);
+ memset(s, 0, sizeof(s));
+ memset(&ivec, 0, sizeof(ivec));
+ for(i = 0; i < 3; i++){
+ memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+ DES_set_odd_parity(keys + i);
+ if(DES_is_weak_key(keys + i))
+ _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+ }
+ memset(tmp, 0, sizeof(tmp));
+ }
+ key->keytype = enctype;
+ krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
+ memset(keys, 0, sizeof(keys));
+ memset(str, 0, len);
+ free(str);
+ return 0;
+}
+#endif
+
+static krb5_error_code
+DES3_string_to_key_derived(krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ size_t len = password.length + salt.saltvalue.length;
+ char *s;
+
+ s = malloc(len);
+ if(len != 0 && s == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ memcpy(s, password.data, password.length);
+ memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+ ret = krb5_string_to_key_derived(context,
+ s,
+ len,
+ enctype,
+ key);
+ memset(s, 0, len);
+ free(s);
+ return ret;
+}
+
+
+#ifdef DES3_OLD_ENCTYPE
+struct salt_type _krb5_des3_salt[] = {
+ {
+ KRB5_PW_SALT,
+ "pw-salt",
+ DES3_string_to_key
+ },
+ { 0 }
+};
+#endif
+
+struct salt_type _krb5_des3_salt_derived[] = {
+ {
+ KRB5_PW_SALT,
+ "pw-salt",
+ DES3_string_to_key_derived
+ },
+ { 0 }
+};
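Review bot: DES3_string_to_key ignores the return value of `krb5_data_copy(&key->keyvalue, keys, sizeof(keys));` and always returns 0, so an allocation failure gives the caller a success code with no key material in the keyblock. `ret` is already declared in the function, so `ret = krb5_data_copy(&key->keyvalue, keys, sizeof(keys));` followed by `return ret;` after the wipes is enough. Both functions in this file also compute `len = password.length + salt.saltvalue.length` without checking for wrap-around before `malloc(len)` and the two `memcpy` calls; a check such as `if (salt.saltvalue.length > SIZE_MAX - password.length) return EINVAL;` would make the bound explicit. The `_krb5_n_fold` failure path reports "malloc: out of memory" whatever `ret` is, which may mislead when the error is something else.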
diff --git a/crypto/heimdal/lib/krb5/salt.c b/crypto/heimdal/lib/krb5/salt.c
new file mode 100644
index 000000000000..5e4c8a1c8572
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/salt.c
@@ -0,0 +1,305 @@
+/*
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/* coverity[+alloc : arg-*3] */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_salttype_to_string (krb5_context context,
+ krb5_enctype etype,
+ krb5_salttype stype,
+ char **string)
+{
+ struct _krb5_encryption_type *e;
+ struct salt_type *st;
+
+ e = _krb5_find_enctype (etype);
+ if (e == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ "encryption type %d not supported",
+ etype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ for (st = e->keytype->string_to_key; st && st->type; st++) {
+ if (st->type == stype) {
+ *string = strdup (st->name);
+ if (*string == NULL) {
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ return 0;
+ }
+ }
+ krb5_set_error_message (context, HEIM_ERR_SALTTYPE_NOSUPP,
+ "salttype %d not supported", stype);
+ return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_salttype (krb5_context context,
+ krb5_enctype etype,
+ const char *string,
+ krb5_salttype *salttype)
+{
+ struct _krb5_encryption_type *e;
+ struct salt_type *st;
+
+ e = _krb5_find_enctype (etype);
+ if (e == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ etype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ for (st = e->keytype->string_to_key; st && st->type; st++) {
+ if (strcasecmp (st->name, string) == 0) {
+ *salttype = st->type;
+ return 0;
+ }
+ }
+ krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP,
+ N_("salttype %s not supported", ""), string);
+ return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_pw_salt(krb5_context context,
+ krb5_const_principal principal,
+ krb5_salt *salt)
+{
+ size_t len;
+ size_t i;
+ krb5_error_code ret;
+ char *p;
+
+ salt->salttype = KRB5_PW_SALT;
+ len = strlen(principal->realm);
+ for (i = 0; i < principal->name.name_string.len; ++i)
+ len += strlen(principal->name.name_string.val[i]);
+ ret = krb5_data_alloc (&salt->saltvalue, len);
+ if (ret)
+ return ret;
+ p = salt->saltvalue.data;
+ memcpy (p, principal->realm, strlen(principal->realm));
+ p += strlen(principal->realm);
+ for (i = 0; i < principal->name.name_string.len; ++i) {
+ memcpy (p,
+ principal->name.name_string.val[i],
+ strlen(principal->name.name_string.val[i]));
+ p += strlen(principal->name.name_string.val[i]);
+ }
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_salt(krb5_context context,
+ krb5_salt salt)
+{
+ krb5_data_free(&salt.saltvalue);
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_data (krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_principal principal,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ krb5_salt salt;
+
+ ret = krb5_get_pw_salt(context, principal, &salt);
+ if(ret)
+ return ret;
+ ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
+ krb5_free_salt(context, salt);
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key (krb5_context context,
+ krb5_enctype enctype,
+ const char *password,
+ krb5_principal principal,
+ krb5_keyblock *key)
+{
+ krb5_data pw;
+ pw.data = rk_UNCONST(password);
+ pw.length = strlen(password);
+ return krb5_string_to_key_data(context, enctype, pw, principal, key);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_data_salt (krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_keyblock *key)
+{
+ krb5_data opaque;
+ krb5_data_zero(&opaque);
+ return krb5_string_to_key_data_salt_opaque(context, enctype, password,
+ salt, opaque, key);
+}
+
+/*
+ * Do a string -> key for encryption type `enctype' operation on
+ * `password' (with salt `salt' and the enctype specific data string
+ * `opaque'), returning the resulting key in `key'
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_data_salt_opaque (krb5_context context,
+ krb5_enctype enctype,
+ krb5_data password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ struct _krb5_encryption_type *et =_krb5_find_enctype(enctype);
+ struct salt_type *st;
+ if(et == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ enctype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ for(st = et->keytype->string_to_key; st && st->type; st++)
+ if(st->type == salt.salttype)
+ return (*st->string_to_key)(context, enctype, password,
+ salt, opaque, key);
+ krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP,
+ N_("salt type %d not supported", ""),
+ salt.salttype);
+ return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+/*
+ * Do a string -> key for encryption type `enctype' operation on the
+ * string `password' (with salt `salt'), returning the resulting key
+ * in `key'
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_salt (krb5_context context,
+ krb5_enctype enctype,
+ const char *password,
+ krb5_salt salt,
+ krb5_keyblock *key)
+{
+ krb5_data pw;
+ pw.data = rk_UNCONST(password);
+ pw.length = strlen(password);
+ return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_salt_opaque (krb5_context context,
+ krb5_enctype enctype,
+ const char *password,
+ krb5_salt salt,
+ krb5_data opaque,
+ krb5_keyblock *key)
+{
+ krb5_data pw;
+ pw.data = rk_UNCONST(password);
+ pw.length = strlen(password);
+ return krb5_string_to_key_data_salt_opaque(context, enctype,
+ pw, salt, opaque, key);
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_key_derived(krb5_context context,
+ const void *str,
+ size_t len,
+ krb5_enctype etype,
+ krb5_keyblock *key)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(etype);
+ krb5_error_code ret;
+ struct _krb5_key_data kd;
+ size_t keylen;
+ u_char *tmp;
+
+ if(et == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %d not supported", ""),
+ etype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ keylen = et->keytype->bits / 8;
+
+ ALLOC(kd.key, 1);
+ if(kd.key == NULL) {
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+ if(ret) {
+ free(kd.key);
+ return ret;
+ }
+ kd.key->keytype = etype;
+ tmp = malloc (keylen);
+ if(tmp == NULL) {
+ krb5_free_keyblock(context, kd.key);
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ ret = _krb5_n_fold(str, len, tmp, keylen);
+ if (ret) {
+ free(tmp);
+ krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+ return ret;
+ }
+ kd.schedule = NULL;
+ _krb5_DES3_random_to_key(context, kd.key, tmp, keylen);
+ memset(tmp, 0, keylen);
+ free(tmp);
+ ret = _krb5_derive_key(context,
+ et,
+ &kd,
+ "kerberos", /* XXX well known constant */
+ strlen("kerberos"));
+ if (ret) {
+ _krb5_free_key_data(context, &kd, et);
+ return ret;
+ }
+ ret = krb5_copy_keyblock_contents(context, kd.key, key);
+ _krb5_free_key_data(context, &kd, et);
+ return ret;
+}
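Review bot: In krb5_string_to_key_derived the `_krb5_n_fold` failure branch frees `tmp` but not `kd.key`, which was allocated by `ALLOC` and `krb5_data_alloc` just above, so the keyblock leaks on that path. The preceding `tmp == NULL` branch already calls `krb5_free_keyblock(context, kd.key);` and this branch should do the same before returning. The same branch records `ENOMEM` in the error message while returning `ret`; passing `ret` to `krb5_set_error_message` keeps the message and the code in step. The `krb5_data_alloc` failure branch returns without setting any error message, unlike its neighbours, so a caller that reads the context message may see a stale one.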
diff --git a/crypto/heimdal/lib/krb5/scache.c b/crypto/heimdal/lib/krb5/scache.c
new file mode 100644
index 000000000000..5c422c6a4491
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/scache.c
@@ -0,0 +1,1451 @@
+/*
+ * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HAVE_SCC
+
+#include <sqlite3.h>
+
+typedef struct krb5_scache {
+ char *name;
+ char *file;
+ sqlite3 *db;
+
+ sqlite_uint64 cid;
+
+ sqlite3_stmt *icred;
+ sqlite3_stmt *dcred;
+ sqlite3_stmt *iprincipal;
+
+ sqlite3_stmt *icache;
+ sqlite3_stmt *ucachen;
+ sqlite3_stmt *ucachep;
+ sqlite3_stmt *dcache;
+ sqlite3_stmt *scache;
+ sqlite3_stmt *scache_name;
+ sqlite3_stmt *umaster;
+
+} krb5_scache;
+
+#define SCACHE(X) ((krb5_scache *)(X)->data.data)
+
+#define SCACHE_DEF_NAME "Default-cache"
+#ifdef KRB5_USE_PATH_TOKENS
+#define KRB5_SCACHE_DB "%{TEMP}/krb5scc_%{uid}"
+#else
+#define KRB5_SCACHE_DB "/tmp/krb5scc_%{uid}"
+#endif
+#define KRB5_SCACHE_NAME "SCC:" SCACHE_DEF_NAME ":" KRB5_SCACHE_DB
+
+#define SCACHE_INVALID_CID ((sqlite_uint64)-1)
+
+/*
+ *
+ */
+
+#define SQL_CMASTER "" \
+ "CREATE TABLE master (" \
+ "oid INTEGER PRIMARY KEY," \
+ "version INTEGER NOT NULL," \
+ "defaultcache TEXT NOT NULL" \
+ ")"
+
+#define SQL_SETUP_MASTER \
+ "INSERT INTO master (version,defaultcache) VALUES(2, \"" SCACHE_DEF_NAME "\")"
+#define SQL_UMASTER "UPDATE master SET defaultcache=? WHERE version=2"
+
+#define SQL_CCACHE "" \
+ "CREATE TABLE caches (" \
+ "oid INTEGER PRIMARY KEY," \
+ "principal TEXT," \
+ "name TEXT NOT NULL" \
+ ")"
+
+#define SQL_TCACHE "" \
+ "CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches " \
+ "FOR EACH ROW BEGIN " \
+ "DELETE FROM credentials WHERE cid=old.oid;" \
+ "END"
+
+#define SQL_ICACHE "INSERT INTO caches (name) VALUES(?)"
+#define SQL_UCACHE_NAME "UPDATE caches SET name=? WHERE OID=?"
+#define SQL_UCACHE_PRINCIPAL "UPDATE caches SET principal=? WHERE OID=?"
+#define SQL_DCACHE "DELETE FROM caches WHERE OID=?"
+#define SQL_SCACHE "SELECT principal,name FROM caches WHERE OID=?"
+#define SQL_SCACHE_NAME "SELECT oid FROM caches WHERE NAME=?"
+
+#define SQL_CCREDS "" \
+ "CREATE TABLE credentials (" \
+ "oid INTEGER PRIMARY KEY," \
+ "cid INTEGER NOT NULL," \
+ "kvno INTEGER NOT NULL," \
+ "etype INTEGER NOT NULL," \
+ "created_at INTEGER NOT NULL," \
+ "cred BLOB NOT NULL" \
+ ")"
+
+#define SQL_TCRED "" \
+ "CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials " \
+ "FOR EACH ROW BEGIN " \
+ "DELETE FROM principals WHERE credential_id=old.oid;" \
+ "END"
+
+#define SQL_ICRED "INSERT INTO credentials (cid, kvno, etype, cred, created_at) VALUES (?,?,?,?,?)"
+#define SQL_DCRED "DELETE FROM credentials WHERE cid=?"
+
+#define SQL_CPRINCIPALS "" \
+ "CREATE TABLE principals (" \
+ "oid INTEGER PRIMARY KEY," \
+ "principal TEXT NOT NULL," \
+ "type INTEGER NOT NULL," \
+ "credential_id INTEGER NOT NULL" \
+ ")"
+
+#define SQL_IPRINCIPAL "INSERT INTO principals (principal, type, credential_id) VALUES (?,?,?)"
+
+/*
+ * sqlite destructors
+ */
+
+static void
+free_data(void *data)
+{
+ free(data);
+}
+
+static void
+free_krb5(void *str)
+{
+ krb5_xfree(str);
+}
+
+static void
+scc_free(krb5_scache *s)
+{
+ if (s->file)
+ free(s->file);
+ if (s->name)
+ free(s->name);
+
+ if (s->icred)
+ sqlite3_finalize(s->icred);
+ if (s->dcred)
+ sqlite3_finalize(s->dcred);
+ if (s->iprincipal)
+ sqlite3_finalize(s->iprincipal);
+ if (s->icache)
+ sqlite3_finalize(s->icache);
+ if (s->ucachen)
+ sqlite3_finalize(s->ucachen);
+ if (s->ucachep)
+ sqlite3_finalize(s->ucachep);
+ if (s->dcache)
+ sqlite3_finalize(s->dcache);
+ if (s->scache)
+ sqlite3_finalize(s->scache);
+ if (s->scache_name)
+ sqlite3_finalize(s->scache_name);
+ if (s->umaster)
+ sqlite3_finalize(s->umaster);
+
+ if (s->db)
+ sqlite3_close(s->db);
+ free(s);
+}
+
+#ifdef TRACEME
+static void
+trace(void* ptr, const char * str)
+{
+ printf("SQL: %s\n", str);
+}
+#endif
+
+static krb5_error_code
+prepare_stmt(krb5_context context, sqlite3 *db,
+ sqlite3_stmt **stmt, const char *str)
+{
+ int ret;
+
+ ret = sqlite3_prepare_v2(db, str, -1, stmt, NULL);
+ if (ret != SQLITE_OK) {
+ krb5_set_error_message(context, ENOENT,
+ N_("Failed to prepare stmt %s: %s", ""),
+ str, sqlite3_errmsg(db));
+ return ENOENT;
+ }
+ return 0;
+}
+
+static krb5_error_code
+exec_stmt(krb5_context context, sqlite3 *db, const char *str,
+ krb5_error_code code)
+{
+ int ret;
+
+ ret = sqlite3_exec(db, str, NULL, NULL, NULL);
+ if (ret != SQLITE_OK && code) {
+ krb5_set_error_message(context, code,
+ N_("scache execute %s: %s", ""), str,
+ sqlite3_errmsg(db));
+ return code;
+ }
+ return 0;
+}
+
+static krb5_error_code
+default_db(krb5_context context, sqlite3 **db)
+{
+ char *name;
+ int ret;
+
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &name);
+ if (ret)
+ return ret;
+
+ ret = sqlite3_open_v2(name, db, SQLITE_OPEN_READWRITE, NULL);
+ free(name);
+ if (ret != SQLITE_OK) {
+ krb5_clear_error_message(context);
+ return ENOENT;
+ }
+
+#ifdef TRACEME
+ sqlite3_trace(*db, trace, NULL);
+#endif
+
+ return 0;
+}
+
+static krb5_error_code
+get_def_name(krb5_context context, char **str)
+{
+ krb5_error_code ret;
+ sqlite3_stmt *stmt;
+ const char *name;
+ sqlite3 *db;
+
+ ret = default_db(context, &db);
+ if (ret)
+ return ret;
+
+ ret = prepare_stmt(context, db, &stmt, "SELECT defaultcache FROM master");
+ if (ret) {
+ sqlite3_close(db);
+ return ret;
+ }
+
+ ret = sqlite3_step(stmt);
+ if (ret != SQLITE_ROW)
+ goto out;
+
+ if (sqlite3_column_type(stmt, 0) != SQLITE_TEXT)
+ goto out;
+
+ name = (const char *)sqlite3_column_text(stmt, 0);
+ if (name == NULL)
+ goto out;
+
+ *str = strdup(name);
+ if (*str == NULL)
+ goto out;
+
+ sqlite3_finalize(stmt);
+ sqlite3_close(db);
+ return 0;
+out:
+ sqlite3_finalize(stmt);
+ sqlite3_close(db);
+ krb5_clear_error_message(context);
+ return ENOENT;
+}
+
+
+
+static krb5_scache * KRB5_CALLCONV
+scc_alloc(krb5_context context, const char *name)
+{
+ krb5_error_code ret;
+ krb5_scache *s;
+
+ ALLOC(s, 1);
+ if(s == NULL)
+ return NULL;
+
+ s->cid = SCACHE_INVALID_CID;
+
+ if (name) {
+ char *file;
+
+ if (*name == '\0') {
+ krb5_error_code ret;
+ ret = get_def_name(context, &s->name);
+ if (ret)
+ s->name = strdup(SCACHE_DEF_NAME);
+ } else
+ s->name = strdup(name);
+
+ file = strrchr(s->name, ':');
+ if (file) {
+ *file++ = '\0';
+ s->file = strdup(file);
+ ret = 0;
+ } else {
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
+ }
+ } else {
+ _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
+ ret = asprintf(&s->name, "unique-%p", s);
+ }
+ if (ret < 0 || s->file == NULL || s->name == NULL) {
+ scc_free(s);
+ return NULL;
+ }
+
+ return s;
+}
+
+static krb5_error_code
+open_database(krb5_context context, krb5_scache *s, int flags)
+{
+ int ret;
+
+ ret = sqlite3_open_v2(s->file, &s->db, SQLITE_OPEN_READWRITE|flags, NULL);
+ if (ret) {
+ if (s->db) {
+ krb5_set_error_message(context, ENOENT,
+ N_("Error opening scache file %s: %s", ""),
+ s->file, sqlite3_errmsg(s->db));
+ sqlite3_close(s->db);
+ s->db = NULL;
+ } else
+ krb5_set_error_message(context, ENOENT,
+ N_("malloc: out of memory", ""));
+ return ENOENT;
+ }
+ return 0;
+}
+
+static krb5_error_code
+create_cache(krb5_context context, krb5_scache *s)
+{
+ int ret;
+
+ sqlite3_bind_text(s->icache, 1, s->name, -1, NULL);
+ do {
+ ret = sqlite3_step(s->icache);
+ } while (ret == SQLITE_ROW);
+ if (ret != SQLITE_DONE) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to add scache: %d", ""), ret);
+ return KRB5_CC_IO;
+ }
+ sqlite3_reset(s->icache);
+
+ s->cid = sqlite3_last_insert_rowid(s->db);
+
+ return 0;
+}
+
+static krb5_error_code
+make_database(krb5_context context, krb5_scache *s)
+{
+ int created_file = 0;
+ int ret;
+
+ if (s->db)
+ return 0;
+
+ ret = open_database(context, s, 0);
+ if (ret) {
+ mode_t oldumask = umask(077);
+ ret = open_database(context, s, SQLITE_OPEN_CREATE);
+ umask(oldumask);
+ if (ret) goto out;
+
+ created_file = 1;
+
+ ret = exec_stmt(context, s->db, SQL_CMASTER, KRB5_CC_IO);
+ if (ret) goto out;
+ ret = exec_stmt(context, s->db, SQL_CCACHE, KRB5_CC_IO);
+ if (ret) goto out;
+ ret = exec_stmt(context, s->db, SQL_CCREDS, KRB5_CC_IO);
+ if (ret) goto out;
+ ret = exec_stmt(context, s->db, SQL_CPRINCIPALS, KRB5_CC_IO);
+ if (ret) goto out;
+ ret = exec_stmt(context, s->db, SQL_SETUP_MASTER, KRB5_CC_IO);
+ if (ret) goto out;
+
+ ret = exec_stmt(context, s->db, SQL_TCACHE, KRB5_CC_IO);
+ if (ret) goto out;
+ ret = exec_stmt(context, s->db, SQL_TCRED, KRB5_CC_IO);
+ if (ret) goto out;
+ }
+
+#ifdef TRACEME
+ sqlite3_trace(s->db, trace, NULL);
+#endif
+
+ ret = prepare_stmt(context, s->db, &s->icred, SQL_ICRED);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->dcred, SQL_DCRED);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->iprincipal, SQL_IPRINCIPAL);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->icache, SQL_ICACHE);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->ucachen, SQL_UCACHE_NAME);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->ucachep, SQL_UCACHE_PRINCIPAL);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->dcache, SQL_DCACHE);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->scache, SQL_SCACHE);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->scache_name, SQL_SCACHE_NAME);
+ if (ret) goto out;
+ ret = prepare_stmt(context, s->db, &s->umaster, SQL_UMASTER);
+ if (ret) goto out;
+
+ return 0;
+
+out:
+ if (s->db)
+ sqlite3_close(s->db);
+ if (created_file)
+ unlink(s->file);
+
+ return ret;
+}
+
+static krb5_error_code
+bind_principal(krb5_context context,
+ sqlite3 *db,
+ sqlite3_stmt *stmt,
+ int col,
+ krb5_const_principal principal)
+{
+ krb5_error_code ret;
+ char *str;
+
+ ret = krb5_unparse_name(context, principal, &str);
+ if (ret)
+ return ret;
+
+ ret = sqlite3_bind_text(stmt, col, str, -1, free_krb5);
+ if (ret != SQLITE_OK) {
+ krb5_xfree(str);
+ krb5_set_error_message(context, ENOMEM,
+ N_("scache bind principal: %s", ""),
+ sqlite3_errmsg(db));
+ return ENOMEM;
+ }
+ return 0;
+}
+
+/*
+ *
+ */
+
+static const char* KRB5_CALLCONV
+scc_get_name(krb5_context context,
+ krb5_ccache id)
+{
+ return SCACHE(id)->name;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+ krb5_scache *s;
+ int ret;
+
+ s = scc_alloc(context, res);
+ if (s == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ ret = make_database(context, s);
+ if (ret) {
+ scc_free(s);
+ return ret;
+ }
+
+ ret = sqlite3_bind_text(s->scache_name, 1, s->name, -1, NULL);
+ if (ret != SQLITE_OK) {
+ krb5_set_error_message(context, ENOMEM,
+ "bind name: %s", sqlite3_errmsg(s->db));
+ scc_free(s);
+ return ENOMEM;
+ }
+
+ if (sqlite3_step(s->scache_name) == SQLITE_ROW) {
+
+ if (sqlite3_column_type(s->scache_name, 0) != SQLITE_INTEGER) {
+ sqlite3_reset(s->scache_name);
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Cache name of wrong type "
+ "for scache %s", ""),
+ s->name);
+ scc_free(s);
+ return KRB5_CC_END;
+ }
+
+ s->cid = sqlite3_column_int(s->scache_name, 0);
+ } else {
+ s->cid = SCACHE_INVALID_CID;
+ }
+ sqlite3_reset(s->scache_name);
+
+ (*id)->data.data = s;
+ (*id)->data.length = sizeof(*s);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_gen_new(krb5_context context, krb5_ccache *id)
+{
+ krb5_scache *s;
+
+ s = scc_alloc(context, NULL);
+
+ if (s == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ (*id)->data.data = s;
+ (*id)->data.length = sizeof(*s);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_initialize(krb5_context context,
+ krb5_ccache id,
+ krb5_principal primary_principal)
+{
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+
+ ret = make_database(context, s);
+ if (ret)
+ return ret;
+
+ ret = exec_stmt(context, s->db, "BEGIN IMMEDIATE TRANSACTION", KRB5_CC_IO);
+ if (ret) return ret;
+
+ if (s->cid == SCACHE_INVALID_CID) {
+ ret = create_cache(context, s);
+ if (ret)
+ goto rollback;
+ } else {
+ sqlite3_bind_int(s->dcred, 1, s->cid);
+ do {
+ ret = sqlite3_step(s->dcred);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->dcred);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("Failed to delete old "
+ "credentials: %s", ""),
+ sqlite3_errmsg(s->db));
+ goto rollback;
+ }
+ }
+
+ ret = bind_principal(context, s->db, s->ucachep, 1, primary_principal);
+ if (ret)
+ goto rollback;
+ sqlite3_bind_int(s->ucachep, 2, s->cid);
+
+ do {
+ ret = sqlite3_step(s->ucachep);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->ucachep);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("Failed to bind principal to cache %s", ""),
+ sqlite3_errmsg(s->db));
+ goto rollback;
+ }
+
+ ret = exec_stmt(context, s->db, "COMMIT", KRB5_CC_IO);
+ if (ret) return ret;
+
+ return 0;
+
+rollback:
+ exec_stmt(context, s->db, "ROLLBACK", 0);
+
+ return ret;
+
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_close(krb5_context context,
+ krb5_ccache id)
+{
+ scc_free(SCACHE(id));
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_destroy(krb5_context context,
+ krb5_ccache id)
+{
+ krb5_scache *s = SCACHE(id);
+ int ret;
+
+ if (s->cid == SCACHE_INVALID_CID)
+ return 0;
+
+ sqlite3_bind_int(s->dcache, 1, s->cid);
+ do {
+ ret = sqlite3_step(s->dcache);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->dcache);
+ if (ret != SQLITE_DONE) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to destroy cache %s: %s", ""),
+ s->name, sqlite3_errmsg(s->db));
+ return KRB5_CC_IO;
+ }
+ return 0;
+}
+
+static krb5_error_code
+encode_creds(krb5_context context, krb5_creds *creds, krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = krb5_store_creds(sp, creds);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to store credential in scache", ""));
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ ret = krb5_storage_to_data(sp, data);
+ krb5_storage_free(sp);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Failed to encode credential in scache", ""));
+ return ret;
+}
+
+static krb5_error_code
+decode_creds(krb5_context context, const void *data, size_t length,
+ krb5_creds *creds)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+
+ sp = krb5_storage_from_readonly_mem(data, length);
+ if (sp == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = krb5_ret_creds(sp, creds);
+ krb5_storage_free(sp);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to read credential in scache", ""));
+ return ret;
+ }
+ return 0;
+}
+
+
+static krb5_error_code KRB5_CALLCONV
+scc_store_cred(krb5_context context,
+ krb5_ccache id,
+ krb5_creds *creds)
+{
+ sqlite_uint64 credid;
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+ krb5_data data;
+
+ ret = make_database(context, s);
+ if (ret)
+ return ret;
+
+ ret = encode_creds(context, creds, &data);
+ if (ret)
+ return ret;
+
+ sqlite3_bind_int(s->icred, 1, s->cid);
+ {
+ krb5_enctype etype = 0;
+ int kvno = 0;
+ Ticket t;
+ size_t len;
+
+ ret = decode_Ticket(creds->ticket.data,
+ creds->ticket.length, &t, &len);
+ if (ret == 0) {
+ if(t.enc_part.kvno)
+ kvno = *t.enc_part.kvno;
+
+ etype = t.enc_part.etype;
+
+ free_Ticket(&t);
+ }
+
+ sqlite3_bind_int(s->icred, 2, kvno);
+ sqlite3_bind_int(s->icred, 3, etype);
+
+ }
+
+ sqlite3_bind_blob(s->icred, 4, data.data, data.length, free_data);
+ sqlite3_bind_int(s->icred, 5, time(NULL));
+
+ ret = exec_stmt(context, s->db, "BEGIN IMMEDIATE TRANSACTION", KRB5_CC_IO);
+ if (ret) return ret;
+
+ do {
+ ret = sqlite3_step(s->icred);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->icred);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("Failed to add credential: %s", ""),
+ sqlite3_errmsg(s->db));
+ goto rollback;
+ }
+
+ credid = sqlite3_last_insert_rowid(s->db);
+
+ {
+ bind_principal(context, s->db, s->iprincipal, 1, creds->server);
+ sqlite3_bind_int(s->iprincipal, 2, 1);
+ sqlite3_bind_int(s->iprincipal, 3, credid);
+
+ do {
+ ret = sqlite3_step(s->iprincipal);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->iprincipal);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("Failed to add principal: %s", ""),
+ sqlite3_errmsg(s->db));
+ goto rollback;
+ }
+ }
+
+ {
+ bind_principal(context, s->db, s->iprincipal, 1, creds->client);
+ sqlite3_bind_int(s->iprincipal, 2, 0);
+ sqlite3_bind_int(s->iprincipal, 3, credid);
+
+ do {
+ ret = sqlite3_step(s->iprincipal);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->iprincipal);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("Failed to add principal: %s", ""),
+ sqlite3_errmsg(s->db));
+ goto rollback;
+ }
+ }
+
+ ret = exec_stmt(context, s->db, "COMMIT", KRB5_CC_IO);
+ if (ret) return ret;
+
+ return 0;
+
+rollback:
+ exec_stmt(context, s->db, "ROLLBACK", 0);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_principal(krb5_context context,
+ krb5_ccache id,
+ krb5_principal *principal)
+{
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+ const char *str;
+
+ *principal = NULL;
+
+ ret = make_database(context, s);
+ if (ret)
+ return ret;
+
+ sqlite3_bind_int(s->scache, 1, s->cid);
+
+ if (sqlite3_step(s->scache) != SQLITE_ROW) {
+ sqlite3_reset(s->scache);
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("No principal for cache SCC:%s:%s", ""),
+ s->name, s->file);
+ return KRB5_CC_END;
+ }
+
+ if (sqlite3_column_type(s->scache, 0) != SQLITE_TEXT) {
+ sqlite3_reset(s->scache);
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Principal data of wrong type "
+ "for SCC:%s:%s", ""),
+ s->name, s->file);
+ return KRB5_CC_END;
+ }
+
+ str = (const char *)sqlite3_column_text(s->scache, 0);
+ if (str == NULL) {
+ sqlite3_reset(s->scache);
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Principal not set for SCC:%s:%s", ""),
+ s->name, s->file);
+ return KRB5_CC_END;
+ }
+
+ ret = krb5_parse_name(context, str, principal);
+
+ sqlite3_reset(s->scache);
+
+ return ret;
+}
+
+struct cred_ctx {
+ char *drop;
+ sqlite3_stmt *stmt;
+ sqlite3_stmt *credstmt;
+};
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_first (krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
+{
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+ struct cred_ctx *ctx;
+ char *str = NULL, *name = NULL;
+
+ *cursor = NULL;
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = make_database(context, s);
+ if (ret) {
+ free(ctx);
+ return ret;
+ }
+
+ if (s->cid == SCACHE_INVALID_CID) {
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Iterating a invalid scache %s", ""),
+ s->name);
+ free(ctx);
+ return KRB5_CC_END;
+ }
+
+ ret = asprintf(&name, "credIteration%pPid%d",
+ ctx, (int)getpid());
+ if (ret < 0 || name == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = asprintf(&ctx->drop, "DROP TABLE %s", name);
+ if (ret < 0 || ctx->drop == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ free(name);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = asprintf(&str, "CREATE TEMPORARY TABLE %s "
+ "AS SELECT oid,created_at FROM credentials WHERE cid = %lu",
+ name, (unsigned long)s->cid);
+ if (ret < 0 || str == NULL) {
+ free(ctx->drop);
+ free(name);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = exec_stmt(context, s->db, str, KRB5_CC_IO);
+ free(str);
+ str = NULL;
+ if (ret) {
+ free(ctx->drop);
+ free(name);
+ free(ctx);
+ return ret;
+ }
+
+ ret = asprintf(&str, "SELECT oid FROM %s ORDER BY created_at", name);
+ if (ret < 0 || str == NULL) {
+ exec_stmt(context, s->db, ctx->drop, 0);
+ free(ctx->drop);
+ free(name);
+ free(ctx);
+ return ret;
+ }
+
+ ret = prepare_stmt(context, s->db, &ctx->stmt, str);
+ free(str);
+ str = NULL;
+ free(name);
+ if (ret) {
+ exec_stmt(context, s->db, ctx->drop, 0);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
+ }
+
+ ret = prepare_stmt(context, s->db, &ctx->credstmt,
+ "SELECT cred FROM credentials WHERE oid = ?");
+ if (ret) {
+ sqlite3_finalize(ctx->stmt);
+ exec_stmt(context, s->db, ctx->drop, 0);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
+ }
+
+ *cursor = ctx;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_next (krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
+ krb5_creds *creds)
+{
+ struct cred_ctx *ctx = *cursor;
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+ sqlite_uint64 oid;
+ const void *data = NULL;
+ size_t len = 0;
+
+next:
+ ret = sqlite3_step(ctx->stmt);
+ if (ret == SQLITE_DONE) {
+ krb5_clear_error_message(context);
+ return KRB5_CC_END;
+ } else if (ret != SQLITE_ROW) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("scache Database failed: %s", ""),
+ sqlite3_errmsg(s->db));
+ return KRB5_CC_IO;
+ }
+
+ oid = sqlite3_column_int64(ctx->stmt, 0);
+
+ /* read cred from credentials table */
+
+ sqlite3_bind_int(ctx->credstmt, 1, oid);
+
+ ret = sqlite3_step(ctx->credstmt);
+ if (ret != SQLITE_ROW) {
+ sqlite3_reset(ctx->credstmt);
+ goto next;
+ }
+
+ if (sqlite3_column_type(ctx->credstmt, 0) != SQLITE_BLOB) {
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("credential of wrong type for SCC:%s:%s", ""),
+ s->name, s->file);
+ sqlite3_reset(ctx->credstmt);
+ return KRB5_CC_END;
+ }
+
+ data = sqlite3_column_blob(ctx->credstmt, 0);
+ len = sqlite3_column_bytes(ctx->credstmt, 0);
+
+ ret = decode_creds(context, data, len, creds);
+ sqlite3_reset(ctx->credstmt);
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_end_get (krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
+{
+ struct cred_ctx *ctx = *cursor;
+ krb5_scache *s = SCACHE(id);
+
+ sqlite3_finalize(ctx->stmt);
+ sqlite3_finalize(ctx->credstmt);
+
+ exec_stmt(context, s->db, ctx->drop, 0);
+
+ free(ctx->drop);
+ free(ctx);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_remove_cred(krb5_context context,
+ krb5_ccache id,
+ krb5_flags which,
+ krb5_creds *mcreds)
+{
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+ sqlite3_stmt *stmt;
+ sqlite_uint64 credid = 0;
+ const void *data = NULL;
+ size_t len = 0;
+
+ ret = make_database(context, s);
+ if (ret)
+ return ret;
+
+ ret = prepare_stmt(context, s->db, &stmt,
+ "SELECT cred,oid FROM credentials "
+ "WHERE cid = ?");
+ if (ret)
+ return ret;
+
+ sqlite3_bind_int(stmt, 1, s->cid);
+
+ /* find credential... */
+ while (1) {
+ krb5_creds creds;
+
+ ret = sqlite3_step(stmt);
+ if (ret == SQLITE_DONE) {
+ ret = 0;
+ break;
+ } else if (ret != SQLITE_ROW) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("scache Database failed: %s", ""),
+ sqlite3_errmsg(s->db));
+ break;
+ }
+
+ if (sqlite3_column_type(stmt, 0) != SQLITE_BLOB) {
+ ret = KRB5_CC_END;
+ krb5_set_error_message(context, ret,
+ N_("Credential of wrong type "
+ "for SCC:%s:%s", ""),
+ s->name, s->file);
+ break;
+ }
+
+ data = sqlite3_column_blob(stmt, 0);
+ len = sqlite3_column_bytes(stmt, 0);
+
+ ret = decode_creds(context, data, len, &creds);
+ if (ret)
+ break;
+
+ ret = krb5_compare_creds(context, which, mcreds, &creds);
+ krb5_free_cred_contents(context, &creds);
+ if (ret) {
+ credid = sqlite3_column_int64(stmt, 1);
+ ret = 0;
+ break;
+ }
+ }
+
+ sqlite3_finalize(stmt);
+
+ if (id) {
+ ret = prepare_stmt(context, s->db, &stmt,
+ "DELETE FROM credentials WHERE oid=?");
+ if (ret)
+ return ret;
+ sqlite3_bind_int(stmt, 1, credid);
+
+ do {
+ ret = sqlite3_step(stmt);
+ } while (ret == SQLITE_ROW);
+ sqlite3_finalize(stmt);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("failed to delete scache credental", ""));
+ } else
+ ret = 0;
+ }
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_set_flags(krb5_context context,
+ krb5_ccache id,
+ krb5_flags flags)
+{
+ return 0; /* XXX */
+}
+
+struct cache_iter {
+ char *drop;
+ sqlite3 *db;
+ sqlite3_stmt *stmt;
+};
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+ struct cache_iter *ctx;
+ krb5_error_code ret;
+ char *name = NULL, *str = NULL;
+
+ *cursor = NULL;
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
+ ret = default_db(context, &ctx->db);
+ if (ctx->db == NULL) {
+ free(ctx);
+ return ret;
+ }
+
+ ret = asprintf(&name, "cacheIteration%pPid%d",
+ ctx, (int)getpid());
+ if (ret < 0 || name == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ sqlite3_close(ctx->db);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = asprintf(&ctx->drop, "DROP TABLE %s", name);
+ if (ret < 0 || ctx->drop == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = asprintf(&str, "CREATE TEMPORARY TABLE %s AS SELECT name FROM caches",
+ name);
+ if (ret < 0 || str == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = exec_stmt(context, ctx->db, str, KRB5_CC_IO);
+ free(str);
+ str = NULL;
+ if (ret) {
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
+ }
+
+ ret = asprintf(&str, "SELECT name FROM %s", name);
+ free(name);
+ if (ret < 0 || str == NULL) {
+ exec_stmt(context, ctx->db, ctx->drop, 0);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return ENOMEM;
+ }
+
+ ret = prepare_stmt(context, ctx->db, &ctx->stmt, str);
+ free(str);
+ if (ret) {
+ exec_stmt(context, ctx->db, ctx->drop, 0);
+ sqlite3_close(ctx->db);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
+ }
+
+ *cursor = ctx;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_cache_next(krb5_context context,
+ krb5_cc_cursor cursor,
+ krb5_ccache *id)
+{
+ struct cache_iter *ctx = cursor;
+ krb5_error_code ret;
+ const char *name;
+
+again:
+ ret = sqlite3_step(ctx->stmt);
+ if (ret == SQLITE_DONE) {
+ krb5_clear_error_message(context);
+ return KRB5_CC_END;
+ } else if (ret != SQLITE_ROW) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Database failed: %s", ""),
+ sqlite3_errmsg(ctx->db));
+ return KRB5_CC_IO;
+ }
+
+ if (sqlite3_column_type(ctx->stmt, 0) != SQLITE_TEXT)
+ goto again;
+
+ name = (const char *)sqlite3_column_text(ctx->stmt, 0);
+ if (name == NULL)
+ goto again;
+
+ ret = _krb5_cc_allocate(context, &krb5_scc_ops, id);
+ if (ret)
+ return ret;
+
+ return scc_resolve(context, id, name);
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+ struct cache_iter *ctx = cursor;
+
+ exec_stmt(context, ctx->db, ctx->drop, 0);
+ sqlite3_finalize(ctx->stmt);
+ sqlite3_close(ctx->db);
+ free(ctx->drop);
+ free(ctx);
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+ krb5_scache *sfrom = SCACHE(from);
+ krb5_scache *sto = SCACHE(to);
+ krb5_error_code ret;
+
+ if (strcmp(sfrom->file, sto->file) != 0) {
+ krb5_set_error_message(context, KRB5_CC_BADNAME,
+ N_("Can't handle cross database "
+ "credential move: %s -> %s", ""),
+ sfrom->file, sto->file);
+ return KRB5_CC_BADNAME;
+ }
+
+ ret = make_database(context, sfrom);
+ if (ret)
+ return ret;
+
+ ret = exec_stmt(context, sfrom->db,
+ "BEGIN IMMEDIATE TRANSACTION", KRB5_CC_IO);
+ if (ret) return ret;
+
+ if (sto->cid != SCACHE_INVALID_CID) {
+ /* drop old cache entry */
+
+ sqlite3_bind_int(sfrom->dcache, 1, sto->cid);
+ do {
+ ret = sqlite3_step(sfrom->dcache);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(sfrom->dcache);
+ if (ret != SQLITE_DONE) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to delete old cache: %d", ""),
+ (int)ret);
+ goto rollback;
+ }
+ }
+
+ sqlite3_bind_text(sfrom->ucachen, 1, sto->name, -1, NULL);
+ sqlite3_bind_int(sfrom->ucachen, 2, sfrom->cid);
+
+ do {
+ ret = sqlite3_step(sfrom->ucachen);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(sfrom->ucachen);
+ if (ret != SQLITE_DONE) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to update new cache: %d", ""),
+ (int)ret);
+ goto rollback;
+ }
+
+ sto->cid = sfrom->cid;
+
+ ret = exec_stmt(context, sfrom->db, "COMMIT", KRB5_CC_IO);
+ if (ret) return ret;
+
+ scc_free(sfrom);
+
+ return 0;
+
+rollback:
+ exec_stmt(context, sfrom->db, "ROLLBACK", 0);
+ scc_free(sfrom);
+
+ return KRB5_CC_IO;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_get_default_name(krb5_context context, char **str)
+{
+ krb5_error_code ret;
+ char *name;
+
+ *str = NULL;
+
+ ret = get_def_name(context, &name);
+ if (ret)
+ return _krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str);
+
+ ret = asprintf(str, "SCC:%s", name);
+ free(name);
+ if (ret < 0 || *str == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+scc_set_default(krb5_context context, krb5_ccache id)
+{
+ krb5_scache *s = SCACHE(id);
+ krb5_error_code ret;
+
+ if (s->cid == SCACHE_INVALID_CID) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Trying to set a invalid cache "
+ "as default %s", ""),
+ s->name);
+ return KRB5_CC_IO;
+ }
+
+ ret = sqlite3_bind_text(s->umaster, 1, s->name, -1, NULL);
+ if (ret) {
+ sqlite3_reset(s->umaster);
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to set name of default cache", ""));
+ return KRB5_CC_IO;
+ }
+
+ do {
+ ret = sqlite3_step(s->umaster);
+ } while (ret == SQLITE_ROW);
+ sqlite3_reset(s->umaster);
+ if (ret != SQLITE_DONE) {
+ krb5_set_error_message(context, KRB5_CC_IO,
+ N_("Failed to update default cache", ""));
+ return KRB5_CC_IO;
+ }
+
+ return 0;
+}
+
+/**
+ * Variable containing the SCC based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
+ KRB5_CC_OPS_VERSION,
+ "SCC",
+ scc_get_name,
+ scc_resolve,
+ scc_gen_new,
+ scc_initialize,
+ scc_destroy,
+ scc_close,
+ scc_store_cred,
+ NULL, /* scc_retrieve */
+ scc_get_principal,
+ scc_get_first,
+ scc_get_next,
+ scc_end_get,
+ scc_remove_cred,
+ scc_set_flags,
+ NULL,
+ scc_get_cache_first,
+ scc_get_cache_next,
+ scc_end_cache_get,
+ scc_move,
+ scc_get_default_name,
+ scc_set_default
+};
+
+#endif
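Review bot: `make_database` closes `s->db` at its `out:` label without clearing the pointer, so a caller that then runs `scc_free(s)` (as `scc_resolve` does) calls `sqlite3_close()` on the same handle a second time, and callers that simply return leave a stale handle that the `if (s->db) return 0;` shortcut accepts on the next call. When the failure happens before any statement has been prepared, the first close releases the connection, so the second one is a use-after-free on the credential-cache database handle. The label should read `sqlite3_close(s->db); s->db = NULL;`, and statements prepared before the failure should be finalized and set to NULL there as well, since an unfinalized statement keeps `sqlite3_close()` from releasing the connection. `scc_get_cache_first` has a similar cleanup error: `name` is freed right after the "SELECT name FROM %s" `asprintf` and freed again inside that call's failure branch, so the second `free(name)` should be dropped.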
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c
index 2582a615c052..edf1d33c9d1c 100644
--- a/crypto/heimdal/lib/krb5/send_to_kdc.c
+++ b/crypto/heimdal/lib/krb5/send_to_kdc.c
@@ -1,39 +1,38 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-
-RCSID("$Id: send_to_kdc.c 21934 2007-08-27 14:21:04Z lha $");
+#include "send_to_kdc_plugin.h"
struct send_to_kdc {
krb5_send_to_kdc_func func;
@@ -48,7 +47,7 @@ struct send_to_kdc {
*/
static int
-recv_loop (int fd,
+recv_loop (krb5_socket_t fd,
time_t tmout,
int udp,
size_t limit,
@@ -59,9 +58,11 @@ recv_loop (int fd,
int ret;
int nbytes;
+#ifndef NO_LIMIT_FD_SETSIZE
if (fd >= FD_SETSIZE) {
return -1;
}
+#endif
krb5_data_zero(rep);
do {
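Review bot: The `fd >= FD_SETSIZE` check is now compiled out whenever `NO_LIMIT_FD_SETSIZE` is defined, and nothing on the `#ifndef` says why that is safe. Where fd_set is a fixed-size bitmap, this check is what keeps a later `FD_SET(fd, ...)` inside the set, so the macro should only be defined on platforms where fd_set is not indexed by descriptor value. A comment such as `/* fd_set is not a bitmap indexed by fd on these platforms, so the FD_SETSIZE bound does not apply */` would record that. The select() call is outside this hunk, so its use of `fd` is assumed here.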
@@ -79,7 +80,7 @@ recv_loop (int fd,
} else {
void *tmp;
- if (ioctl (fd, FIONREAD, &nbytes) < 0) {
+ if (rk_SOCK_IOCTL (fd, FIONREAD, &nbytes) < 0) {
krb5_data_free (rep);
return -1;
}
@@ -87,7 +88,7 @@ recv_loop (int fd,
return 0;
if (limit)
- nbytes = min(nbytes, limit - rep->length);
+ nbytes = min((size_t)nbytes, limit - rep->length);
tmp = realloc (rep->data, rep->length + nbytes);
if (tmp == NULL) {
@@ -112,7 +113,7 @@ recv_loop (int fd,
*/
static int
-send_and_recv_udp(int fd,
+send_and_recv_udp(krb5_socket_t fd,
time_t tmout,
const krb5_data *req,
krb5_data *rep)
@@ -131,7 +132,7 @@ send_and_recv_udp(int fd,
*/
static int
-send_and_recv_tcp(int fd,
+send_and_recv_tcp(krb5_socket_t fd,
time_t tmout,
const krb5_data *req,
krb5_data *rep)
@@ -141,9 +142,9 @@ send_and_recv_tcp(int fd,
krb5_data len_data;
_krb5_put_int(len, req->length, 4);
- if(net_write(fd, len, sizeof(len)) < 0)
+ if(net_write (fd, len, sizeof(len)) < 0)
return -1;
- if(net_write(fd, req->data, req->length) < 0)
+ if(net_write (fd, req->data, req->length) < 0)
return -1;
if (recv_loop (fd, tmout, 0, 4, &len_data) < 0)
return -1;
@@ -163,7 +164,7 @@ send_and_recv_tcp(int fd,
}
int
-_krb5_send_and_recv_tcp(int fd,
+_krb5_send_and_recv_tcp(krb5_socket_t fd,
time_t tmout,
const krb5_data *req,
krb5_data *rep)
@@ -176,22 +177,22 @@ _krb5_send_and_recv_tcp(int fd,
*/
static int
-send_and_recv_http(int fd,
+send_and_recv_http(krb5_socket_t fd,
time_t tmout,
const char *prefix,
const krb5_data *req,
krb5_data *rep)
{
- char *request;
+ char *request = NULL;
char *str;
int ret;
int len = base64_encode(req->data, req->length, &str);
if(len < 0)
return -1;
- asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
+ ret = asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
free(str);
- if (request == NULL)
+ if (ret < 0 || request == NULL)
return -1;
ret = net_write (fd, request, strlen(request));
free (request);
@@ -260,14 +261,14 @@ send_via_proxy (krb5_context context,
{
char *proxy2 = strdup(context->http_proxy);
char *proxy = proxy2;
- char *prefix;
+ char *prefix = NULL;
char *colon;
struct addrinfo hints;
struct addrinfo *ai, *a;
int ret;
- int s = -1;
+ krb5_socket_t s = rk_INVALID_SOCKET;
char portstr[NI_MAXSERV];
-
+
if (proxy == NULL)
return ENOMEM;
if (strncmp (proxy, "http://", 7) == 0)
@@ -287,11 +288,12 @@ send_via_proxy (krb5_context context,
return krb5_eai_to_heim_errno(ret, errno);
for (a = ai; a != NULL; a = a->ai_next) {
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+ s = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
if (s < 0)
continue;
+ rk_cloexec(s);
if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
- close (s);
+ rk_closesocket (s);
continue;
}
break;
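Review bot: The `if (s < 0)` test after socket() was left as it was, although the previous hunk changed `s` to a `krb5_socket_t` initialised to `rk_INVALID_SOCKET`. If that type is an unsigned handle on some platform, which the rk_ wrappers suggest but this hunk does not show, the comparison is never true and a failed socket() falls through to `rk_cloexec(s)` and connect(). The krb5_sendto hunk of this commit already uses the portable form, and the same fits here: `if (rk_IS_BAD_SOCKET(s)) continue;`. The check on `s` after the loop lies outside this hunk and deserves the same look.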
@@ -302,34 +304,74 @@ send_via_proxy (krb5_context context,
}
freeaddrinfo (ai);
- asprintf(&prefix, "http://%s/", hi->hostname);
- if(prefix == NULL) {
+ ret = asprintf(&prefix, "http://%s/", hi->hostname);
+ if(ret < 0 || prefix == NULL) {
close(s);
return 1;
}
ret = send_and_recv_http(s, context->kdc_timeout,
prefix, send_data, receive);
- close (s);
+ rk_closesocket (s);
free(prefix);
if(ret == 0 && receive->length != 0)
return 0;
return 1;
}
+static krb5_error_code
+send_via_plugin(krb5_context context,
+ krb5_krbhst_info *hi,
+ time_t timeout,
+ const krb5_data *send_data,
+ krb5_data *receive)
+{
+ struct krb5_plugin *list = NULL, *e;
+ krb5_error_code ret;
+
+ ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_SEND_TO_KDC, &list);
+ if(ret != 0 || list == NULL)
+ return KRB5_PLUGIN_NO_HANDLE;
+
+ for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
+ krb5plugin_send_to_kdc_ftable *service;
+ void *ctx;
+
+ service = _krb5_plugin_get_symbol(e);
+ if (service->minor_version != 0)
+ continue;
+
+ (*service->init)(context, &ctx);
+ ret = (*service->send_to_kdc)(context, ctx, hi,
+ timeout, send_data, receive);
+ (*service->fini)(ctx);
+ if (ret == 0)
+ break;
+ if (ret != KRB5_PLUGIN_NO_HANDLE) {
+ krb5_set_error_message(context, ret,
+ N_("Plugin send_to_kdc failed to "
+ "lookup with error: %d", ""), ret);
+ break;
+ }
+ }
+ _krb5_plugin_free(list);
+ return KRB5_PLUGIN_NO_HANDLE;
+}
+
+
/*
* Send the data `send' to one host from `handle` and get back the reply
* in `receive'.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto (krb5_context context,
const krb5_data *send_data,
- krb5_krbhst_handle handle,
+ krb5_krbhst_handle handle,
krb5_data *receive)
{
krb5_error_code ret;
- int fd;
- int i;
+ krb5_socket_t fd;
+ size_t i;
krb5_data_zero(receive);
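Review bot: send_via_plugin() ends with `return KRB5_PLUGIN_NO_HANDLE;` on every path, so a plugin that returned 0 and filled `receive` is still reported to krb5_sendto() as "not handled". The `goto out` in the caller's new plugin branch (next hunk) can therefore never be taken, and the host is tried again over the built-in transports. The result of `(*service->init)` is also ignored, so if init fails `ctx` may reach send_to_kdc and fini uninitialised. The loop should carry the plugin's status out and skip a plugin whose init fails, as sketched below. Separately, the asprintf failure path earlier in this hunk still calls `close(s)` where the neighbouring lines moved to `rk_closesocket (s)`.

```c
    ret = KRB5_PLUGIN_NO_HANDLE;    /* nothing has handled the request yet */
    for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
        /* ... unchanged: symbol lookup and minor_version check ... */

        if ((*service->init)(context, &ctx) != 0)
            continue;               /* ctx is not valid; skip this plugin */
        ret = (*service->send_to_kdc)(context, ctx, hi,
                                      timeout, send_data, receive);
        (*service->fini)(ctx);
        /* ... unchanged: break on success or on a hard error ... */
    }
    _krb5_plugin_free(list);
    return ret;
```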
@@ -339,16 +381,27 @@ krb5_sendto (krb5_context context,
while (krb5_krbhst_next(context, handle, &hi) == 0) {
struct addrinfo *ai, *a;
+ _krb5_debug(context, 2,
+ "trying to communicate with host %s in realm %s",
+ hi->hostname, _krb5_krbhst_get_realm(handle));
+
if (context->send_to_kdc) {
struct send_to_kdc *s = context->send_to_kdc;
- ret = (*s->func)(context, s->data,
- hi, send_data, receive);
+ ret = (*s->func)(context, s->data, hi,
+ context->kdc_timeout, send_data, receive);
if (ret == 0 && receive->length != 0)
goto out;
continue;
}
+ ret = send_via_plugin(context, hi, context->kdc_timeout,
+ send_data, receive);
+ if (ret == 0 && receive->length != 0)
+ goto out;
+ else if (ret != KRB5_PLUGIN_NO_HANDLE)
+ continue;
+
if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) {
if (send_via_proxy (context, hi, send_data, receive) == 0) {
ret = 0;
@@ -362,11 +415,12 @@ krb5_sendto (krb5_context context,
continue;
for (a = ai; a != NULL; a = a->ai_next) {
- fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (fd < 0)
+ fd = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
+ if (rk_IS_BAD_SOCKET(fd))
continue;
+ rk_cloexec(fd);
if (connect (fd, a->ai_addr, a->ai_addrlen) < 0) {
- close (fd);
+ rk_closesocket (fd);
continue;
}
switch (hi->proto) {
@@ -383,20 +437,23 @@ krb5_sendto (krb5_context context,
send_data, receive);
break;
}
- close (fd);
+ rk_closesocket (fd);
if(ret == 0 && receive->length != 0)
goto out;
}
}
krb5_krbhst_reset(context, handle);
}
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
ret = KRB5_KDC_UNREACH;
out:
+ _krb5_debug(context, 2,
+ "result of trying to talk to realm %s = %d",
+ _krb5_krbhst_get_realm(handle), ret);
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_kdc(krb5_context context,
const krb5_data *send_data,
const krb5_realm *realm,
@@ -405,7 +462,7 @@ krb5_sendto_kdc(krb5_context context,
return krb5_sendto_kdc_flags(context, send_data, realm, receive, 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_kdc_flags(krb5_context context,
const krb5_data *send_data,
const krb5_realm *realm,
@@ -426,8 +483,8 @@ krb5_sendto_kdc_flags(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_set_send_to_kdc_func(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_send_to_kdc_func(krb5_context context,
krb5_send_to_kdc_func func,
void *data)
{
@@ -439,7 +496,8 @@ krb5_set_send_to_kdc_func(krb5_context context,
context->send_to_kdc = malloc(sizeof(*context->send_to_kdc));
if (context->send_to_kdc == NULL) {
- krb5_set_error_string(context, "Out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -448,6 +506,19 @@ krb5_set_send_to_kdc_func(krb5_context context,
return 0;
}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_copy_send_to_kdc_func(krb5_context context, krb5_context to)
+{
+ if (context->send_to_kdc)
+ return krb5_set_send_to_kdc_func(to,
+ context->send_to_kdc->func,
+ context->send_to_kdc->data);
+ else
+ return krb5_set_send_to_kdc_func(to, NULL, NULL);
+}
+
+
+
struct krb5_sendto_ctx_data {
int flags;
int type;
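Review bot: _krb5_copy_send_to_kdc_func() is added without a comment, and what it copies is not obvious from the signature: the `data` pointer is handed to `to` unchanged, so both contexts share the same callback state. A short header comment would record this, for example `/* Install context's send_to_kdc callback in 'to'; 'data' is shared, not duplicated, and must stay valid for both contexts. */`. Whether krb5_set_send_to_kdc_func() takes ownership of `data` is not visible in this hunk, so the lifetime wording should be checked against that function's body.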
@@ -455,37 +526,38 @@ struct krb5_sendto_ctx_data {
void *data;
};
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_ctx_alloc(krb5_context context, krb5_sendto_ctx *ctx)
{
*ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_add_flags(krb5_sendto_ctx ctx, int flags)
{
ctx->flags |= flags;
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_sendto_ctx_get_flags(krb5_sendto_ctx ctx)
{
return ctx->flags;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_set_type(krb5_sendto_ctx ctx, int type)
{
ctx->type = type;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_set_func(krb5_sendto_ctx ctx,
krb5_sendto_ctx_func func,
void *data)
@@ -494,14 +566,14 @@ krb5_sendto_ctx_set_func(krb5_sendto_ctx ctx,
ctx->data = data;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_sendto_ctx_free(krb5_context context, krb5_sendto_ctx ctx)
{
memset(ctx, 0, sizeof(*ctx));
free(ctx);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto_context(krb5_context context,
krb5_sendto_ctx ctx,
const krb5_data *send_data,
@@ -530,7 +602,7 @@ krb5_sendto_context(krb5_context context,
type = KRB5_KRBHST_KDC;
}
- if (send_data->length > context->large_msg_size)
+ if ((int)send_data->length > context->large_msg_size)
ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
/* loop until we get back a appropriate response */
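Review bot: The new `(int)` cast narrows `send_data->length` before the comparison, so a length above INT_MAX converts to an implementation-defined (typically negative) value and the request would not get `KRB5_KRBHST_FLAGS_LARGE_MSG`. Converting the limit instead keeps the full range of the length and still avoids the signed/unsigned comparison: `if (send_data->length > (size_t)context->large_msg_size)`. This assumes `large_msg_size` is a signed int, which the cast suggests but the hunk does not show. The body of krb5_sendto_context continues outside the hunk.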
@@ -541,7 +613,7 @@ krb5_sendto_context(krb5_context context,
krb5_data_free(receive);
if (handle == NULL) {
- ret = krb5_krbhst_init_flags(context, realm, type,
+ ret = krb5_krbhst_init_flags(context, realm, type,
ctx->flags, &handle);
if (ret) {
if (freectx)
@@ -549,7 +621,7 @@ krb5_sendto_context(krb5_context context,
return ret;
}
}
-
+
ret = krb5_sendto(context, send_data, handle, receive);
if (ret)
break;
@@ -566,8 +638,9 @@ krb5_sendto_context(krb5_context context,
if (handle)
krb5_krbhst_free(context, handle);
if (ret == KRB5_KDC_UNREACH)
- krb5_set_error_string(context,
- "unable to reach any KDC in realm %s", realm);
+ krb5_set_error_message(context, ret,
+ N_("unable to reach any KDC in realm %s", ""),
+ realm);
if (ret)
krb5_data_free(receive);
if (freectx)
@@ -575,7 +648,7 @@ krb5_sendto_context(krb5_context context,
return ret;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
_krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data,
const krb5_data *reply, int *action)
{
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc_plugin.h b/crypto/heimdal/lib/krb5/send_to_kdc_plugin.h
new file mode 100644
index 000000000000..c729a1286bae
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/send_to_kdc_plugin.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#ifndef HEIMDAL_KRB5_SEND_TO_KDC_PLUGIN_H
+#define HEIMDAL_KRB5_SEND_TO_KDC_PLUGIN_H 1
+
+#include <krb5.h>
+
+#define KRB5_PLUGIN_SEND_TO_KDC "send_to_kdc"
+
+typedef krb5_error_code
+(*krb5plugin_send_to_kdc_func)(krb5_context,
+ void *,
+ krb5_krbhst_info *,
+ time_t timeout,
+ const krb5_data *,
+ krb5_data *);
+
+typedef struct krb5plugin_send_to_kdc_ftable {
+ int minor_version;
+ krb5_error_code (*init)(krb5_context, void **);
+ void (*fini)(void *);
+ krb5plugin_send_to_kdc_func send_to_kdc;
+} krb5plugin_send_to_kdc_ftable;
+
+#endif /* HEIMDAL_KRB5_SEND_TO_KDC_PLUGIN_H */
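Review bot: The new plugin table is undocumented, so its contract has to be guessed from send_via_plugin(): which `minor_version` is accepted, what `init` stores through the `void **` and what it returns on failure, and that `send_to_kdc` returns `KRB5_PLUGIN_NO_HANDLE` to decline a request. A comment block above `krb5plugin_send_to_kdc_ftable` should state these points, and also who owns the `krb5_data` reply on success and on error, since the plugin runs in-process and writes directly into the caller's buffer. In the function typedef only `time_t timeout` is named; naming the other parameters (`context`, `ctx`, `hi`, `send_data`, `receive`) would make the prototype self-describing.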
diff --git a/crypto/heimdal/lib/krb5/sendauth.c b/crypto/heimdal/lib/krb5/sendauth.c
index a7242f0daf9c..d334d34497ab 100644
--- a/crypto/heimdal/lib/krb5/sendauth.c
+++ b/crypto/heimdal/lib/krb5/sendauth.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: sendauth.c 17442 2006-05-05 09:31:15Z lha $");
-
/*
* The format seems to be:
* client -> server
@@ -62,7 +60,7 @@ RCSID("$Id: sendauth.c 17442 2006-05-05 09:31:15Z lha $");
* }
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendauth(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
@@ -93,7 +91,7 @@ krb5_sendauth(krb5_context context,
if (krb5_net_write (context, p_fd, &net_len, 4) != 4
|| krb5_net_write (context, p_fd, version, len) != len) {
ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(ret));
+ krb5_set_error_message (context, ret, "write: %s", strerror(ret));
return ret;
}
@@ -102,22 +100,22 @@ krb5_sendauth(krb5_context context,
if (krb5_net_write (context, p_fd, &net_len, 4) != 4
|| krb5_net_write (context, p_fd, appl_version, len) != len) {
ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(ret));
+ krb5_set_error_message (context, ret, "write: %s", strerror(ret));
return ret;
}
sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
if (sret < 0) {
ret = errno;
- krb5_set_error_string (context, "read: %s", strerror(ret));
+ krb5_set_error_message (context, ret, "read: %s", strerror(ret));
return ret;
} else if (sret != sizeof(repl)) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADRESPONSE;
}
if (repl != 0) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5_SENDAUTH_REJECTED;
}
@@ -205,14 +203,15 @@ krb5_sendauth(krb5_context context,
}
return ret;
} else {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
- }
+ } else
+ krb5_data_free (&error_data);
if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
krb5_data ap_rep;
- krb5_ap_rep_enc_part *ignore;
+ krb5_ap_rep_enc_part *ignore = NULL;
krb5_data_zero (&ap_rep);
ret = krb5_read_message (context,
diff --git a/crypto/heimdal/lib/krb5/set_default_realm.c b/crypto/heimdal/lib/krb5/set_default_realm.c
index 98040bc2e9d6..ddce677c1ac8 100644
--- a/crypto/heimdal/lib/krb5/set_default_realm.c
+++ b/crypto/heimdal/lib/krb5/set_default_realm.c
@@ -1,42 +1,40 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: set_default_realm.c 13863 2004-05-25 21:46:46Z lha $");
-
/*
- * Convert the simple string `s' into a NULL-terminated and freshly allocated
+ * Convert the simple string `s' into a NULL-terminated and freshly allocated
* list in `list'. Return an error code.
*/
@@ -46,13 +44,15 @@ string_to_list (krb5_context context, const char *s, krb5_realm **list)
*list = malloc (2 * sizeof(**list));
if (*list == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
(*list)[0] = strdup (s);
if ((*list)[0] == NULL) {
free (*list);
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
(*list)[1] = NULL;
@@ -62,10 +62,10 @@ string_to_list (krb5_context context, const char *s, krb5_realm **list)
/*
* Set the knowledge of the default realm(s) in `context'.
* If realm != NULL, that's the new default realm.
- * Otherwise, the realm(s) are figured out from configuration or DNS.
+ * Otherwise, the realm(s) are figured out from configuration or DNS.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_default_realm(krb5_context context,
const char *realm)
{
diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c
index 9b4ba978a1b6..a43546de3405 100644
--- a/crypto/heimdal/lib/krb5/sock_principal.c
+++ b/crypto/heimdal/lib/krb5/sock_principal.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: sock_principal.c 13863 2004-05-25 21:46:46Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sock_to_principal (krb5_context context,
int sock,
const char *sname,
@@ -50,15 +48,15 @@ krb5_sock_to_principal (krb5_context context,
if (getsockname (sock, sa, &salen) < 0) {
ret = errno;
- krb5_set_error_string (context, "getsockname: %s", strerror(ret));
+ krb5_set_error_message (context, ret, "getsockname: %s", strerror(ret));
return ret;
}
ret = getnameinfo (sa, salen, hostname, sizeof(hostname), NULL, 0, 0);
if (ret) {
int save_errno = errno;
-
- krb5_set_error_string (context, "getnameinfo: %s", gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
+ krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, save_errno);
+ krb5_set_error_message (context, ret2, "getnameinfo: %s", gai_strerror(ret));
+ return ret2;
}
ret = krb5_sname_to_principal (context,
diff --git a/crypto/heimdal/lib/krb5/store-int.c b/crypto/heimdal/lib/krb5/store-int.c
new file mode 100644
index 000000000000..d57762971816
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store-int.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
+_krb5_put_int(void *buffer, unsigned long value, size_t size)
+{
+ unsigned char *p = buffer;
+ int i;
+ for (i = size - 1; i >= 0; i--) {
+ p[i] = value & 0xff;
+ value >>= 8;
+ }
+ return size;
+}
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
+_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+{
+ unsigned char *p = buffer;
+ unsigned long v = 0;
+ size_t i;
+ for (i = 0; i < size; i++)
+ v = (v << 8) + p[i];
+ *value = v;
+ return size;
+}
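Review bot: `_krb5_put_int` takes a `size_t size` but counts down with `int i`, so `i = size - 1` depends on an implementation-defined size_t-to-int conversion, including for `size == 0`, where it only works because SIZE_MAX usually converts to -1. `_krb5_get_int` in the same file already uses `size_t i`. The writer could match it with `size_t i;` and `for (i = size; i > 0; i--) { p[i - 1] = value & 0xff; value >>= 8; }`. Neither helper can check `size` against the caller's buffer, so a short comment stating that the caller must supply at least `size` bytes would help.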
diff --git a/crypto/heimdal/lib/krb5/store-int.h b/crypto/heimdal/lib/krb5/store-int.h
index 42e695a11bc6..877ccc008dc9 100644
--- a/crypto/heimdal/lib/krb5/store-int.h
+++ b/crypto/heimdal/lib/krb5/store-int.h
@@ -1,34 +1,34 @@
/*
- * Copyright (c) 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#ifndef __store_int_h__
@@ -39,9 +39,11 @@ struct krb5_storage_data {
ssize_t (*fetch)(struct krb5_storage_data*, void*, size_t);
ssize_t (*store)(struct krb5_storage_data*, const void*, size_t);
off_t (*seek)(struct krb5_storage_data*, off_t, int);
+ int (*trunc)(struct krb5_storage_data*, off_t);
void (*free)(struct krb5_storage_data*);
krb5_flags flags;
int eof_code;
+ size_t max_alloc;
};
#endif /* __store_int_h__ */
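Review bot: The two new members of `struct krb5_storage_data` carry contracts that are not written down where backends will look for them. `size_too_large()` in store.c treats `max_alloc == 0` as "no limit", and `krb5_storage_truncate()` calls `trunc` unconditionally, so every backend constructor has to initialise both fields. I would add comments on the members, for example `/* required: truncate storage to the given offset */` on `trunc` and `/* upper bound for allocations sized from parsed input; 0 = unlimited */` on `max_alloc`.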
diff --git a/crypto/heimdal/lib/krb5/store-test.c b/crypto/heimdal/lib/krb5/store-test.c
index aec2dfe7cb35..3d0f9e0b46cf 100644
--- a/crypto/heimdal/lib/krb5/store-test.c
+++ b/crypto/heimdal/lib/krb5/store-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -32,8 +32,6 @@
#include "krb5_locl.h"
-RCSID("$Id: store-test.c 16344 2005-12-02 15:15:43Z lha $");
-
static void
print_data(unsigned char *data, size_t len)
{
@@ -51,7 +49,8 @@ compare(const char *name, krb5_storage *sp, void *expected, size_t len)
{
int ret = 0;
krb5_data data;
- krb5_storage_to_data(sp, &data);
+ if (krb5_storage_to_data(sp, &data))
+ errx(1, "krb5_storage_to_data failed");
krb5_storage_free(sp);
if(data.length != len || memcmp(data.data, expected, len) != 0) {
printf("%s mismatch\n", name);
@@ -72,7 +71,7 @@ main(int argc, char **argv)
krb5_storage *sp;
krb5_context context;
krb5_principal principal;
-
+
krb5_init_context(&context);
@@ -96,9 +95,9 @@ main(int argc, char **argv)
{
int test = 1;
void *data;
- if(*(char*)&test)
+ if(*(char*)&test)
data = "\x4\x3\x2\x1";
- else
+ else
data = "\x1\x2\x3\x4";
nerr += compare("Integer (host)", sp, data, 4);
}
@@ -111,7 +110,7 @@ main(int argc, char **argv)
"\x0\x0\x0\x1"
"\x0\x0\x0\x4TEST"
"\x0\x0\x0\x6""foobar", 26);
-
+
krb5_free_context(context);
return nerr ? 1 : 0;
diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c
index c9cbbb5cef33..3aeb8d628144 100644
--- a/crypto/heimdal/lib/krb5/store.c
+++ b/crypto/heimdal/lib/krb5/store.c
@@ -1,127 +1,273 @@
/*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store.c 22071 2007-11-14 20:04:50Z lha $");
-
#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
#define BYTEORDER_IS_BE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_BE)
#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
-void KRB5_LIB_FUNCTION
+/**
+ * Add the flags on a storage buffer by or-ing in the flags to the buffer.
+ *
+ * @param sp the storage buffer to set the flags on
+ * @param flags the flags to set
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
{
sp->flags |= flags;
}
-void KRB5_LIB_FUNCTION
+/**
+ * Clear the flags on a storage buffer
+ *
+ * @param sp the storage buffer to clear the flags on
+ * @param flags the flags to clear
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
{
sp->flags &= ~flags;
}
-krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * Return true or false depending on if the storage flags is set or
+ * not. NB testing for the flag 0 always return true.
+ *
+ * @param sp the storage buffer to check flags on
+ * @param flags The flags to test for
+ *
+ * @return true if all the flags are set, false if not.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags)
{
return (sp->flags & flags) == flags;
}
-void KRB5_LIB_FUNCTION
+/**
+ * Set the new byte order of the storage buffer.
+ *
+ * @param sp the storage buffer to set the byte order for.
+ * @param byteorder the new byte order.
+ *
+ * The byte order are: KRB5_STORAGE_BYTEORDER_BE,
+ * KRB5_STORAGE_BYTEORDER_LE and KRB5_STORAGE_BYTEORDER_HOST.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder)
{
sp->flags &= ~KRB5_STORAGE_BYTEORDER_MASK;
sp->flags |= byteorder;
}
-krb5_flags KRB5_LIB_FUNCTION
-krb5_storage_get_byteorder(krb5_storage *sp, krb5_flags byteorder)
+/**
+ * Return the current byteorder for the buffer. See krb5_storage_set_byteorder() for the list or byte order contants.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_flags KRB5_LIB_CALL
+krb5_storage_get_byteorder(krb5_storage *sp)
{
return sp->flags & KRB5_STORAGE_BYTEORDER_MASK;
}
-off_t KRB5_LIB_FUNCTION
+/**
+ * Set the max alloc value
+ *
+ * @param sp the storage buffer set the max allow for
+ * @param size maximum size to allocate, use 0 to remove limit
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_storage_set_max_alloc(krb5_storage *sp, size_t size)
+{
+ sp->max_alloc = size;
+}
+
+/* don't allocate unresonable amount of memory */
+static krb5_error_code
+size_too_large(krb5_storage *sp, size_t size)
+{
+ if (sp->max_alloc && sp->max_alloc < size)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
+static krb5_error_code
+size_too_large_num(krb5_storage *sp, size_t count, size_t size)
+{
+ if (sp->max_alloc == 0 || size == 0)
+ return 0;
+ size = sp->max_alloc / size;
+ if (size < count)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
+/**
+ * Seek to a new offset.
+ *
+ * @param sp the storage buffer to seek in.
+ * @param offset the offset to seek
+ * @param whence relateive searching, SEEK_CUR from the current
+ * position, SEEK_END from the end, SEEK_SET absolute from the start.
+ *
+ * @return The new current offset
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
{
return (*sp->seek)(sp, offset, whence);
}
-krb5_ssize_t KRB5_LIB_FUNCTION
+/**
+ * Truncate the storage buffer in sp to offset.
+ *
+ * @param sp the storage buffer to truncate.
+ * @param offset the offset to truncate too.
+ *
+ * @return An Kerberos 5 error code.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_storage_truncate(krb5_storage *sp, off_t offset)
+{
+ return (*sp->trunc)(sp, offset);
+}
+
+/**
+ * Read to the storage buffer.
+ *
+ * @param sp the storage buffer to read from
+ * @param buf the buffer to store the data in
+ * @param len the length to read
+ *
+ * @return The length of data read (can be shorter then len), or negative on error.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_storage_read(krb5_storage *sp, void *buf, size_t len)
{
return sp->fetch(sp, buf, len);
}
-krb5_ssize_t KRB5_LIB_FUNCTION
+/**
+ * Write to the storage buffer.
+ *
+ * @param sp the storage buffer to write to
+ * @param buf the buffer to write to the storage buffer
+ * @param len the length to write
+ *
+ * @return The length of data written (can be shorter then len), or negative on error.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
krb5_storage_write(krb5_storage *sp, const void *buf, size_t len)
{
return sp->store(sp, buf, len);
}
-void KRB5_LIB_FUNCTION
+/**
+ * Set the return code that will be used when end of storage is reached.
+ *
+ * @param sp the storage
+ * @param code the error code to return on end of storage
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_storage_set_eof_code(krb5_storage *sp, int code)
{
sp->eof_code = code;
}
-krb5_ssize_t KRB5_LIB_FUNCTION
-_krb5_put_int(void *buffer, unsigned long value, size_t size)
-{
- unsigned char *p = buffer;
- int i;
- for (i = size - 1; i >= 0; i--) {
- p[i] = value & 0xff;
- value >>= 8;
- }
- return size;
-}
+/**
+ * Get the return code that will be used when end of storage is reached.
+ *
+ * @param sp the storage
+ *
+ * @return storage error code
+ *
+ * @ingroup krb5_storage
+ */
-krb5_ssize_t KRB5_LIB_FUNCTION
-_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_storage_get_eof_code(krb5_storage *sp)
{
- unsigned char *p = buffer;
- unsigned long v = 0;
- int i;
- for (i = 0; i < size; i++)
- v = (v << 8) + p[i];
- *value = v;
- return size;
+ return sp->eof_code;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Free a krb5 storage.
+ *
+ * @param sp the storage to free.
+ *
+ * @return An Kerberos 5 error code.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_storage_free(krb5_storage *sp)
{
if(sp->free)
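Review bot: `krb5_storage_truncate()` calls `(*sp->trunc)(sp, offset)` without checking the pointer, whereas `krb5_storage_free()` at the end of this hunk guards its optional callback with `if(sp->free)`. `trunc` is a new member, so any storage backend not updated in this commit leaves it unset and the call dereferences NULL or an uninitialised pointer. Unless every constructor is known to assign it, a guard such as `if (sp->trunc == NULL) return EINVAL;` before the call would be safer. The body of `krb5_storage_free()` continues outside the hunk.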
@@ -131,16 +277,31 @@ krb5_storage_free(krb5_storage *sp)
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy the contnent of storage
+ *
+ * @param sp the storage to copy to a data
+ * @param data the copied data, free with krb5_data_free()
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
{
- off_t pos;
- size_t size;
+ off_t pos, size;
krb5_error_code ret;
pos = sp->seek(sp, 0, SEEK_CUR);
- size = (size_t)sp->seek(sp, 0, SEEK_END);
- ret = krb5_data_alloc (data, size);
+ if (pos < 0)
+ return HEIM_ERR_NOT_SEEKABLE;
+ size = sp->seek(sp, 0, SEEK_END);
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
+ ret = krb5_data_alloc(data, size);
if (ret) {
sp->seek(sp, pos, SEEK_SET);
return ret;
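Review bot: `size` is now an `off_t`, but only `pos` is checked for a negative seek result, so a failing `SEEK_END` is converted to a very large `size_t` when it reaches `size_too_large()` and `krb5_data_alloc()`. With `max_alloc` at 0 nothing rejects it before the allocation. The new early return after `size_too_large()` also leaves the storage positioned at the end, while the `krb5_data_alloc()` failure path just below restores `pos`. I would add `if (size < 0) { sp->seek(sp, pos, SEEK_SET); return HEIM_ERR_NOT_SEEKABLE; }` after the second seek, and call `sp->seek(sp, pos, SEEK_SET);` before returning the limit error. The rest of the function is outside the hunk.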
@@ -165,12 +326,26 @@ krb5_store_int(krb5_storage *sp,
return EINVAL;
_krb5_put_int(v, value, len);
ret = sp->store(sp, v, len);
- if (ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a int32 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int32(krb5_storage *sp,
int32_t value)
{
@@ -181,7 +356,19 @@ krb5_store_int32(krb5_storage *sp,
return krb5_store_int(sp, value, 4);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a uint32 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint32(krb5_storage *sp,
uint32_t value)
{
@@ -197,14 +384,28 @@ krb5_ret_int(krb5_storage *sp,
unsigned char v[4];
unsigned long w;
ret = sp->fetch(sp, v, len);
- if(ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
_krb5_get_int(v, &w, len);
*value = w;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int32(krb5_storage *sp,
int32_t *value)
{
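Review bot: `krb5_ret_int` fetches `len` bytes into the 4-byte `v` with no bound on `len` in the lines shown. `krb5_store_int` in the previous hunk has an `EINVAL` return ahead of its `_krb5_put_int` call, although its condition is outside that hunk. The helper is only safe as long as every caller passes a width of 4 or less, so adding `if (len > sizeof(v)) return EINVAL;` before `sp->fetch(sp, v, len)` would keep the read side consistent with the write side. The start of `krb5_ret_int` is outside the hunk.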
@@ -218,7 +419,19 @@ krb5_ret_int32(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a uint32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint32(krb5_storage *sp,
uint32_t *value)
{
@@ -232,7 +445,19 @@ krb5_ret_uint32(krb5_storage *sp,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a int16 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int16(krb5_storage *sp,
int16_t value)
{
@@ -243,14 +468,38 @@ krb5_store_int16(krb5_storage *sp,
return krb5_store_int(sp, value, 2);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a uint16 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint16(krb5_storage *sp,
uint16_t value)
{
return krb5_store_int16(sp, (int16_t)value);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int16(krb5_storage *sp,
int16_t *value)
{
@@ -267,7 +516,19 @@ krb5_ret_int16(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint16(krb5_storage *sp,
uint16_t *value)
{
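Review bot: The Doxygen block added for `krb5_ret_uint16` is a copy of the `krb5_ret_int16` one. It opens with `Read a int16 from storage` and should say `Read a uint16 from storage`. It also documents `sp` as `the storage to write too`, which for a reader should be `the storage to read from`. The same `@param sp` wording is repeated on the other `krb5_ret_int*`/`krb5_ret_uint*` comments in this diff, and `krb5_ret_keyblock` has `the storage buffer to write to`, so they are worth fixing together.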
@@ -281,7 +542,18 @@ krb5_ret_uint16(krb5_storage *sp,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a int8 to storage.
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_int8(krb5_storage *sp,
int8_t value)
{
@@ -293,14 +565,36 @@ krb5_store_int8(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a uint8 to storage.
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_uint8(krb5_storage *sp,
uint8_t value)
{
return krb5_store_int8(sp, (int8_t)value);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
{
@@ -312,7 +606,18 @@ krb5_ret_int8(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a uint8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_uint8(krb5_storage *sp,
uint8_t *value)
{
@@ -326,7 +631,19 @@ krb5_ret_uint8(krb5_storage *sp,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a data to the storage. The data is stored with an int32 as
+ * lenght plus the data (not padded).
+ *
+ * @param sp the storage buffer to write to
+ * @param data the buffer to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_data(krb5_storage *sp,
krb5_data data)
{
@@ -335,15 +652,25 @@ krb5_store_data(krb5_storage *sp,
if(ret < 0)
return ret;
ret = sp->store(sp, data.data, data.length);
- if(ret != data.length){
- if(ret < 0)
- return errno;
+ if(ret < 0)
+ return errno;
+ if((size_t)ret != data.length)
return sp->eof_code;
- }
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a data from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param data the parsed data
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_data(krb5_storage *sp,
krb5_data *data)
{
@@ -353,6 +680,9 @@ krb5_ret_data(krb5_storage *sp,
ret = krb5_ret_int32(sp, &size);
if(ret)
return ret;
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
ret = krb5_data_alloc (data, size);
if (ret)
return ret;
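Review bot: `size` is filled in by `krb5_ret_int32()`, so a negative length in the input becomes a huge `size_t` when it is passed to `size_too_large()`. That value is rejected only when `max_alloc` is non-zero; with the limit unset it goes straight to `krb5_data_alloc()`. Since this length comes from the data being parsed, I would reject it explicitly ahead of the limit check with `if (size < 0) return EINVAL;`. The declaration of `size` and the rest of `krb5_ret_data` are outside the hunk.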
@@ -364,7 +694,19 @@ krb5_ret_data(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a string to the buffer. The data is formated as an len:uint32
+ * plus the string itself (not padded).
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_string(krb5_storage *sp, const char *s)
{
krb5_data data;
@@ -373,7 +715,19 @@ krb5_store_string(krb5_storage *sp, const char *s)
return krb5_store_data(sp, data);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_string(krb5_storage *sp,
char **string)
{
@@ -391,23 +745,44 @@ krb5_ret_string(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a zero terminated string to the buffer. The data is stored
+ * one character at a time until a NUL is stored.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringz(krb5_storage *sp, const char *s)
{
size_t len = strlen(s) + 1;
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse zero terminated string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_stringz(krb5_storage *sp,
char **string)
{
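Review bot: In `krb5_store_stringz` the rewritten check keeps `if(ret < 0) return ret;`, which hands the negative `ssize_t` from `sp->store()` back as a `krb5_error_code`. `krb5_store_int` and `krb5_store_data` in this same commit return `errno` in that case, so callers comparing against error codes see different values for the same failure. Suggest `if(ret < 0) return errno;` here, and likewise in the `krb5_store_stringnl` hunk further down, which has the identical line. This assumes the storage backends set `errno` on failure, as the other store functions already rely on.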
@@ -420,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp,
char *tmp;
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
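Review bot: The new limit check leaves the loop with `break` while `s` still holds the partial string, so freeing it and returning `HEIM_ERR_TOO_BIG` depend on the post-loop code, which is outside this hunk. The `realloc` failure path directly below frees `s` itself, and handling the limit the same way would make the ownership obvious: `if (ret) { free(s); return ret; }`. The same pattern is added to `krb5_ret_stringnl` in a later hunk. If the code after the loop already frees `s` for any `ret != 1`, a one-line comment at the `break` saying so would be enough.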
@@ -440,19 +818,17 @@ krb5_ret_stringz(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringnl(krb5_storage *sp, const char *s)
{
size_t len = strlen(s);
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
ret = sp->store(sp, "\n", 1);
if(ret != 1) {
if(ret < 0)
@@ -465,7 +841,7 @@ krb5_store_stringnl(krb5_storage *sp, const char *s)
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_stringnl(krb5_storage *sp,
char **string)
{
@@ -488,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp,
}
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
@@ -510,12 +889,22 @@ krb5_ret_stringnl(krb5_storage *sp,
return 0;
}
+/**
+ * Write a principal block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the principal block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_principal(krb5_storage *sp,
krb5_const_principal p)
{
- int i;
+ size_t i;
int ret;
if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
@@ -526,7 +915,7 @@ krb5_store_principal(krb5_storage *sp,
ret = krb5_store_int32(sp, p->name.name_string.len + 1);
else
ret = krb5_store_int32(sp, p->name.name_string.len);
-
+
if(ret) return ret;
ret = krb5_store_string(sp, p->realm);
if(ret) return ret;
@@ -537,7 +926,18 @@ krb5_store_principal(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse principal from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param princ the parsed principal
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_principal(krb5_storage *sp,
krb5_principal *princ)
{
@@ -546,7 +946,7 @@ krb5_ret_principal(krb5_storage *sp,
krb5_principal p;
int32_t type;
int32_t ncomp;
-
+
p = calloc(1, sizeof(*p));
if(p == NULL)
return ENOMEM;
@@ -567,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp,
free(p);
return EINVAL;
}
+ ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0]));
+ if (ret) {
+ free(p);
+ return ret;
+ }
p->name.name_type = type;
p->name.name_string.len = ncomp;
ret = krb5_ret_string(sp, &p->realm);
@@ -574,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp,
free(p);
return ret;
}
- p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+ p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0]));
if(p->name.name_string.val == NULL && ncomp != 0){
free(p->realm);
free(p);
@@ -594,7 +999,18 @@ krb5_ret_principal(krb5_storage *sp,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a keyblock to the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the keyblock to write
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
{
int ret;
@@ -612,7 +1028,18 @@ krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a keyblock from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the keyblock read from storage, free using krb5_free_keyblock()
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
{
int ret;
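Review bot: The new Doxygen block for krb5_ret_keyblock describes `sp` as "the storage buffer to write to", but this function reads from the storage. It should say `@param sp the storage buffer to read from`, as the krb5_ret_principal comment already does. The same copy-paste appears in the comments added for krb5_ret_times, krb5_ret_address, krb5_ret_addrs, krb5_ret_authdata, krb5_ret_creds and krb5_ret_creds_tag.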
@@ -631,7 +1058,18 @@ krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a times block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param times the times block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_times(krb5_storage *sp, krb5_times times)
{
int ret;
@@ -645,7 +1083,18 @@ krb5_store_times(krb5_storage *sp, krb5_times times)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a times block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param times the times block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_times(krb5_storage *sp, krb5_times *times)
{
int ret;
@@ -664,7 +1113,18 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a address block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the address block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_address(krb5_storage *sp, krb5_address p)
{
int ret;
@@ -674,7 +1134,18 @@ krb5_store_address(krb5_storage *sp, krb5_address p)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a address block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the address block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_address(krb5_storage *sp, krb5_address *adr)
{
int16_t t;
@@ -686,10 +1157,21 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a addresses block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the addresses block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
{
- int i;
+ size_t i;
int ret;
ret = krb5_store_int32(sp, p.len);
if(ret) return ret;
@@ -700,15 +1182,28 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a addresses block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the addresses block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
{
- int i;
+ size_t i;
int ret;
int32_t tmp;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(adr->val[0]));
+ if (ret) return ret;
adr->len = tmp;
ALLOC(adr->val, adr->len);
if (adr->val == NULL && adr->len != 0)
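Review bot: In krb5_ret_addrs the count `tmp` is a signed `int32_t` read from the storage, and it reaches `size_too_large_num()` and then `adr->len` with no explicit check for a negative value. Whether a negative count is rejected depends on the helper's parameter type and implementation, which are not visible here. An explicit `if (tmp < 0) return EINVAL;` before the size check would make the bound independent of an implicit signed-to-unsigned conversion. The krb5_ret_authdata hunk further down has the same shape, with `tmp` passed straight to `size_too_large_num()` and `ALLOC_SEQ`. The body of krb5_ret_addrs continues outside the hunk.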
@@ -720,11 +1215,22 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a auth data block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
{
krb5_error_code ret;
- int i;
+ size_t i;
ret = krb5_store_int32(sp, auth.len);
if(ret) return ret;
for(i = 0; i < auth.len; i++){
@@ -736,7 +1242,18 @@ krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a auth data from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
{
krb5_error_code ret;
@@ -745,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
int i;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(auth->val[0]));
+ if (ret) return ret;
ALLOC_SEQ(auth, tmp);
if (auth->val == NULL && tmp != 0)
return ENOMEM;
@@ -770,12 +1289,18 @@ bitswap32(int32_t b)
return r;
}
-
-/*
+/**
+ * Write a credentials block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
*
+ * @ingroup krb5_storage
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
{
int ret;
@@ -816,7 +1341,18 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
{
krb5_error_code ret;
@@ -862,7 +1398,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
ret = krb5_ret_data (sp, &creds->second_ticket);
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
@@ -877,11 +1413,18 @@ cleanup:
#define SC_AUTHDATA 0x0020
#define SC_ADDRESSES 0x0040
-/*
+/**
+ * Write a tagged credentials block to storage.
*
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
{
int ret;
@@ -903,6 +1446,8 @@ krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
header |= SC_ADDRESSES;
ret = krb5_store_int32(sp, header);
+ if (ret)
+ return ret;
if (creds->client) {
ret = krb5_store_principal(sp, creds->client);
@@ -960,7 +1505,18 @@ krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a tagged credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_creds_tag(krb5_storage *sp,
krb5_creds *creds)
{
@@ -1027,7 +1583,7 @@ krb5_ret_creds_tag(krb5_storage *sp,
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c
index b59a647f8043..7f91b0848627 100644
--- a/crypto/heimdal/lib/krb5/store_emem.c
+++ b/crypto/heimdal/lib/krb5/store_emem.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_emem.c 21745 2007-07-31 16:11:25Z lha $");
-
typedef struct emem_storage{
unsigned char *base;
size_t size;
@@ -47,7 +45,7 @@ static ssize_t
emem_fetch(krb5_storage *sp, void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(s->base + s->len - s->ptr < size)
+ if((size_t)(s->base + s->len - s->ptr) < size)
size = s->base + s->len - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
@@ -58,7 +56,7 @@ static ssize_t
emem_store(krb5_storage *sp, const void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr){
+ if(size > (size_t)(s->base + s->size - s->ptr)){
void *base;
size_t sz, off;
off = s->ptr - s->base;
@@ -67,7 +65,7 @@ emem_store(krb5_storage *sp, const void *data, size_t size)
sz *= 2;
base = realloc(s->base, sz);
if(base == NULL)
- return 0;
+ return -1;
s->size = sz;
s->base = base;
s->ptr = (unsigned char*)base + off;
@@ -83,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence)
emem_storage *s = (emem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
s->ptr = s->base + offset;
- if(offset > s->len)
+ if((size_t)offset > s->len)
s->len = offset;
break;
case SEEK_CUR:
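Review bot: In the SEEK_SET branch of emem_seek the `(size_t)offset > s->size` comparison runs before the `offset < 0` test. A negative offset therefore converts to a very large unsigned value and is clamped to `s->size`, not to 0, and the `offset < 0` branch can no longer fire. The following `if((size_t)offset > s->len) s->len = offset;` would then also raise `s->len` to `s->size`. Putting `if(offset < 0) offset = 0;` ahead of the size comparison keeps the intended clamp-to-start behaviour. The SEEK_SET branch of mem_seek in store_mem.c gets the same cast in the same order. The rest of emem_seek is outside the hunk.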
@@ -104,6 +102,39 @@ emem_seek(krb5_storage *sp, off_t offset, int whence)
return s->ptr - s->base;
}
+static int
+emem_trunc(krb5_storage *sp, off_t offset)
+{
+ emem_storage *s = (emem_storage*)sp->data;
+ /*
+ * If offset is larget then current size, or current size is
+ * shrunk more then half of the current size, adjust buffer.
+ */
+ if (offset == 0) {
+ free(s->base);
+ s->size = 0;
+ s->base = NULL;
+ s->ptr = NULL;
+ } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
+ void *base;
+ size_t off;
+ off = s->ptr - s->base;
+ base = realloc(s->base, offset);
+ if(base == NULL)
+ return ENOMEM;
+ if ((size_t)offset > s->size)
+ memset((char *)base + s->size, 0, offset - s->size);
+ s->size = offset;
+ s->base = base;
+ s->ptr = (unsigned char *)base + off;
+ }
+ s->len = offset;
+ if ((s->ptr - s->base) > offset)
+ s->ptr = s->base + offset;
+ return 0;
+}
+
+
static void
emem_free(krb5_storage *sp)
{
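Review bot: emem_trunc can extend `s->len` over bytes that were never written. The `memset` only covers growth beyond the old `s->size`, so truncating to an offset between the old `s->len` and `s->size` leaves that range holding whatever the allocator returned. The same is true of the old `len..size` range in the realloc-grow case, and a later fetch up to `s->len` would hand it back. Unless the buffer is zeroed elsewhere, replacing the branch-local memset with `if ((size_t)offset > s->len) memset(s->base + s->len, 0, offset - s->len);` just before `s->len = offset;` covers both cases. The function also accepts a negative `offset` without an explicit check, and the comment has typos ("larget then", "more then" should read "larger than", "more than").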
@@ -112,13 +143,32 @@ emem_free(krb5_storage *sp)
free(s->base);
}
-krb5_storage * KRB5_LIB_FUNCTION
+/**
+ * Create a elastic (allocating) memory storage backend. Memory is
+ * allocated on demand. Free returned krb5_storage with
+ * krb5_storage_free().
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_fd()
+ * @sa krb5_storage_from_data()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_emem(void)
{
- krb5_storage *sp = malloc(sizeof(krb5_storage));
+ krb5_storage *sp;
+ emem_storage *s;
+
+ sp = malloc(sizeof(krb5_storage));
if (sp == NULL)
return NULL;
- emem_storage *s = malloc(sizeof(*s));
+
+ s = malloc(sizeof(*s));
if (s == NULL) {
free(sp);
return NULL;
@@ -138,6 +188,8 @@ krb5_storage_emem(void)
sp->fetch = emem_fetch;
sp->store = emem_store;
sp->seek = emem_seek;
+ sp->trunc = emem_trunc;
sp->free = emem_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
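Review bot: The allocation cap is written as the bare expression `UINT_MAX/8`, both here and again in krb5_storage_from_fd, krb5_storage_from_mem and krb5_storage_from_readonly_mem. A single named constant in the shared header, with a comment saying that it bounds length fields decoded from storage before they reach `malloc`/`calloc`, would keep the four constructors in step. A hypothetical example is `#define KRB5_STORAGE_DEFAULT_MAX_ALLOC (UINT_MAX/8)`. It would also make the chosen limit, roughly 512 MiB with a 32-bit `unsigned int`, easy to find and revisit.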
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
index 15f86fcac30b..2b72dea3a3fc 100644
--- a/crypto/heimdal/lib/krb5/store_fd.c
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,8 +34,6 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_fd.c 17779 2006-06-30 21:23:19Z lha $");
-
typedef struct fd_storage {
int fd;
} fd_storage;
@@ -60,18 +58,53 @@ fd_seek(krb5_storage * sp, off_t offset, int whence)
return lseek(FD(sp), offset, whence);
}
+static int
+fd_trunc(krb5_storage * sp, off_t offset)
+{
+ if (ftruncate(FD(sp), offset) == -1)
+ return errno;
+ return 0;
+}
+
static void
fd_free(krb5_storage * sp)
{
close(FD(sp));
}
-krb5_storage * KRB5_LIB_FUNCTION
-krb5_storage_from_fd(int fd)
+/**
+ *
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_emem()
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_data()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
+krb5_storage_from_fd(krb5_socket_t fd_in)
{
krb5_storage *sp;
+ int fd;
+
+#ifdef SOCKET_IS_NOT_AN_FD
+#ifdef _MSC_VER
+ if (_get_osfhandle(fd_in) != -1) {
+ fd = dup(fd_in);
+ } else {
+ fd = _open_osfhandle(fd_in, 0);
+ }
+#else
+#error Dont know how to deal with fd that may or may not be a socket.
+#endif
+#else /* SOCKET_IS_NOT_AN_FD */
+ fd = dup(fd_in);
+#endif
- fd = dup(fd);
if (fd < 0)
return NULL;
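Review bot: The Doxygen block added for krb5_storage_from_fd has an empty description and no `@param`, and its `@return` mentions only out-of-memory although the function also returns NULL when `dup()` fails. I would add a summary such as `Create a storage backend on a duplicate of the given file descriptor; the caller keeps ownership of fd_in.` together with `@param fd_in the file descriptor (or socket) to duplicate`. The `@return` line should read `NULL if the descriptor cannot be duplicated or on out of memory`. The duplicate is what `fd_free` closes, so stating the ownership rule helps callers avoid leaking or double-closing the original descriptor. The function body continues outside the hunk.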
@@ -93,6 +126,8 @@ krb5_storage_from_fd(int fd)
sp->fetch = fd_fetch;
sp->store = fd_store;
sp->seek = fd_seek;
+ sp->trunc = fd_trunc;
sp->free = fd_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
index e6e62b5a62e4..e674a95dbad0 100644
--- a/crypto/heimdal/lib/krb5/store_mem.c
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_mem.c 20307 2007-04-11 11:16:28Z lha $");
-
typedef struct mem_storage{
unsigned char *base;
size_t size;
@@ -46,7 +44,7 @@ static ssize_t
mem_fetch(krb5_storage *sp, void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
@@ -57,7 +55,7 @@ static ssize_t
mem_store(krb5_storage *sp, const void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(s->ptr, data, size);
sp->seek(sp, size, SEEK_CUR);
@@ -76,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence)
mem_storage *s = (mem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
@@ -93,7 +91,38 @@ mem_seek(krb5_storage *sp, off_t offset, int whence)
return s->ptr - s->base;
}
-krb5_storage * KRB5_LIB_FUNCTION
+static int
+mem_trunc(krb5_storage *sp, off_t offset)
+{
+ mem_storage *s = (mem_storage*)sp->data;
+ if((size_t)offset > s->size)
+ return ERANGE;
+ s->size = offset;
+ if ((s->ptr - s->base) > offset)
+ s->ptr = s->base + offset;
+ return 0;
+}
+
+static int
+mem_no_trunc(krb5_storage *sp, off_t offset)
+{
+ return EINVAL;
+}
+
+/**
+ * Create a fixed size memory storage block
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_data()
+ * @sa krb5_storage_from_fd()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_mem(void *buf, size_t len)
{
krb5_storage *sp = malloc(sizeof(krb5_storage));
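Review bot: The new comment for krb5_storage_from_mem cross-references `krb5_storage_mem()`, a name that is not defined anywhere in this diff. The elastic constructor shown in store_emem.c is `krb5_storage_emem()`, so the line was probably meant to read `@sa krb5_storage_emem()`. The comments added for krb5_storage_from_data and krb5_storage_from_readonly_mem carry the same reference. These blocks also lack `@param buf` and `@param len`. Since `sp->free` is set to NULL, it is worth stating that the storage refers to the caller's buffer (which the caller must keep valid and free itself), if that is indeed the contract.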
@@ -114,17 +143,45 @@ krb5_storage_from_mem(void *buf, size_t len)
sp->fetch = mem_fetch;
sp->store = mem_store;
sp->seek = mem_seek;
+ sp->trunc = mem_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
-krb5_storage * KRB5_LIB_FUNCTION
+/**
+ * Create a fixed size memory storage block
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_mem()
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_fd()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_data(krb5_data *data)
{
return krb5_storage_from_mem(data->data, data->length);
}
-krb5_storage * KRB5_LIB_FUNCTION
+/**
+ * Create a fixed size memory storage block that is read only
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_mem()
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_data()
+ * @sa krb5_storage_from_fd()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
krb5_storage_from_readonly_mem(const void *buf, size_t len)
{
krb5_storage *sp = malloc(sizeof(krb5_storage));
@@ -145,6 +202,8 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len)
sp->fetch = mem_fetch;
sp->store = mem_no_store;
sp->seek = mem_seek;
+ sp->trunc = mem_no_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
index 30075ea6b956..cb7081b9e0f4 100644
--- a/crypto/heimdal/lib/krb5/string-to-key-test.c
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: string-to-key-test.c 16344 2005-12-02 15:15:43Z lha $");
-
enum { MAXSIZE = 24 };
static struct testcase {
@@ -43,12 +41,26 @@ static struct testcase {
krb5_enctype enctype;
unsigned char res[MAXSIZE];
} tests[] = {
+#ifdef HEIM_WEAK_CRYPTO
{"@", "", ETYPE_DES_CBC_MD5,
{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0xf1}},
{"nisse@FOO.SE", "hej", ETYPE_DES_CBC_MD5,
{0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}},
{"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5,
{0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}},
+ {"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES_CBC_MD5,
+ {0xcb, 0xc2, 0x2f, 0xae, 0x23, 0x52, 0x98, 0xe3}},
+ {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES_CBC_MD5,
+ {0xdf, 0x3d, 0x32, 0xa7, 0x4f, 0xd9, 0x2a, 0x01}},
+ {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES_CBC_MD5,
+ {0x94, 0x43, 0xa2, 0xe5, 0x32, 0xfd, 0xc4, 0xf1}},
+ {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES_CBC_MD5,
+ {0x62, 0xc8, 0x1a, 0x52, 0x32, 0xb5, 0xe6, 0x9d}},
+ {"AAAAAAAA", "11119999", ETYPE_DES_CBC_MD5,
+ {0x98, 0x40, 0x54, 0xd0, 0xf1, 0xa7, 0x3e, 0x31}},
+ {"FFFFAAAA", "NNNN6666", ETYPE_DES_CBC_MD5,
+ {0xc4, 0xbf, 0x6b, 0x25, 0xad, 0xf7, 0xa4, 0xf8}},
+#endif
#if 0
{"@", "", ETYPE_DES3_CBC_SHA1,
{0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64,
@@ -66,18 +78,6 @@ static struct testcase {
{"does/not@MATTER", "foo", ETYPE_ARCFOUR_HMAC_MD5,
{0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe,
0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc}},
- {"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES_CBC_MD5,
- {0xcb, 0xc2, 0x2f, 0xae, 0x23, 0x52, 0x98, 0xe3}},
- {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES_CBC_MD5,
- {0xdf, 0x3d, 0x32, 0xa7, 0x4f, 0xd9, 0x2a, 0x01}},
- {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES_CBC_MD5,
- {0x94, 0x43, 0xa2, 0xe5, 0x32, 0xfd, 0xc4, 0xf1}},
- {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES_CBC_MD5,
- {0x62, 0xc8, 0x1a, 0x52, 0x32, 0xb5, 0xe6, 0x9d}},
- {"AAAAAAAA", "11119999", ETYPE_DES_CBC_MD5,
- {0x98, 0x40, 0x54, 0xd0, 0xf1, 0xa7, 0x3e, 0x31}},
- {"FFFFAAAA", "NNNN6666", ETYPE_DES_CBC_MD5,
- {0xc4, 0xbf, 0x6b, 0x25, 0xad, 0xf7, 0xa4, 0xf8}},
{"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES3_CBC_SHA1,
{0x85, 0x0b, 0xb5, 0x13, 0x58, 0x54, 0x8c, 0xd0, 0x5e, 0x86, 0x76, 0x8c, 0x31, 0x3e, 0x3b, 0xfe, 0xf7, 0x51, 0x19, 0x37, 0xdc, 0xf7, 0x2c, 0x3e}},
{"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES3_CBC_SHA1,
diff --git a/crypto/heimdal/lib/krb5/test_acl.c b/crypto/heimdal/lib/krb5/test_acl.c
index e52f31a8b5a1..9e27c0408643 100644
--- a/crypto/heimdal/lib/krb5/test_acl.c
+++ b/crypto/heimdal/lib/krb5/test_acl.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_acl.c 15036 2005-04-30 15:19:58Z lha $");
-
#define RETVAL(c, r, e, s) \
do { if (r != e) krb5_errx(c, 1, "%s", s); } while (0)
#define STRINGMATCH(c, s, _s1, _s2) \
@@ -72,6 +70,13 @@ test_match_string(krb5_context context)
RETVAL(context, ret, 0, "liternal fnmatch");
ret = krb5_acl_match_string(context, "foo/bar", "f", "foo/*");
RETVAL(context, ret, 0, "foo/*");
+ ret = krb5_acl_match_string(context, "foo/bar.example.org", "f",
+ "foo/*.example.org");
+ RETVAL(context, ret, 0, "foo/*.example.org");
+ ret = krb5_acl_match_string(context, "foo/bar.example.com", "f",
+ "foo/*.example.org");
+ RETVAL(context, ret, EACCES, "foo/*.example.com");
+
ret = krb5_acl_match_string(context, "foo/bar/baz", "f", "foo/*/baz");
RETVAL(context, ret, 0, "foo/*/baz");
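Review bot: The failure label on the new negative test does not match what is tested: the pattern is `foo/*.example.org`, but the message passed to RETVAL is `"foo/*.example.com"`. If the EACCES expectation ever fails, the printed string points at a pattern that does not exist in the test. A label naming both sides reads more clearly, for example `RETVAL(context, ret, EACCES, "foo/bar.example.com vs foo/*.example.org");`.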
diff --git a/crypto/heimdal/lib/krb5/test_addr.c b/crypto/heimdal/lib/krb5/test_addr.c
index 1ab47aecc028..79a55ff303ef 100644
--- a/crypto/heimdal/lib/krb5/test_addr.c
+++ b/crypto/heimdal/lib/krb5/test_addr.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_addr.c 15036 2005-04-30 15:19:58Z lha $");
-
static void
print_addr(krb5_context context, const char *addr)
{
@@ -51,20 +49,22 @@ print_addr(krb5_context context, const char *addr)
if (addresses.len < 1)
krb5_err(context, 1, ret, "too few addresses");
-
+
for (i = 0; i < addresses.len; i++) {
krb5_print_address(&addresses.val[i], buf, sizeof(buf), &len);
#if 0
- printf("addr %d: %s (%d/%d)\n", i, buf, (int)len, (int)strlen(buf));
+ printf("addr %d: %s (%d/%d)\n", i, buf, (int)len, (int)strlen(buf));
#endif
if (strlen(buf) > sizeof(buf))
- abort();
+ krb5_err(context, 1, ret, "len %d larger then buf %d",
+ (int)strlen(buf), (int)sizeof(buf));
krb5_print_address(&addresses.val[i], buf2, sizeof(buf2), &len);
#if 0
- printf("addr %d: %s (%d/%d)\n", i, buf2, (int)len, (int)strlen(buf2));
+ printf("addr %d: %s (%d/%d)\n", i, buf2, (int)len, (int)strlen(buf2));
#endif
if (strlen(buf2) > sizeof(buf2))
- abort();
+ krb5_err(context, 1, ret, "len %d larger then buf %d",
+ (int)strlen(buf2), (int)sizeof(buf2));
}
krb5_free_addresses(context, &addresses);
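Review bot: Both new `krb5_err(context, 1, ret, "len %d larger then buf %d", ...)` calls pass `ret`, which is set outside this hunk and is presumably 0 once parsing has succeeded, so the appended error text would be unrelated to the failure; `krb5_errx(context, 1, ...)` fits better. The guard itself, `strlen(buf) > sizeof(buf)`, also lets the unterminated case `strlen(buf) == sizeof(buf)` through, so `>=` is the comparison that catches a missing NUL. The message should read "larger than". print_addr starts and ends outside the hunk.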
@@ -72,7 +72,7 @@ print_addr(krb5_context context, const char *addr)
}
static void
-truncated_addr(krb5_context context, const char *addr,
+truncated_addr(krb5_context context, const char *addr,
size_t truncate_len, size_t outlen)
{
krb5_addresses addresses;
@@ -88,22 +88,25 @@ truncated_addr(krb5_context context, const char *addr,
if (addresses.len != 1)
krb5_err(context, 1, ret, "addresses should be one");
-
+
krb5_print_address(&addresses.val[0], buf, truncate_len, &len);
-
+
#if 0
- printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf));
+ printf("addr %s (%d/%d) should be %d\n", buf, (int)len, (int)strlen(buf), (int)outlen);
#endif
-
+
if (truncate_len > strlen(buf) + 1)
- abort();
+ krb5_err(context, 1, ret, "%s truncate_len %d larger then strlen %d source %s",
+ buf, (int)truncate_len, (int)strlen(buf), addr);
+
if (outlen != len)
- abort();
-
+ krb5_err(context, 1, ret, "%s: outlen %d != len %d",
+ buf, (int)outlen, (int)strlen(buf));
+
krb5_print_address(&addresses.val[0], buf, outlen + 1, &len);
#if 0
- printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf));
+ printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf));
#endif
if (len != outlen)
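Review bot: The new diagnostic for `outlen != len` prints `(int)strlen(buf)` under the `len %d` label, so when the check fires it reports a different number from the one that was compared. It should be `krb5_err(context, 1, ret, "%s: outlen %d != len %d", buf, (int)outlen, (int)len);`. As with the other replaced abort() calls, `ret` is presumably 0 at this point (it is assigned outside the hunk), so `krb5_errx` would avoid a misleading error suffix. The function continues past the end of the hunk.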
@@ -120,12 +123,14 @@ check_truncation(krb5_context context, const char *addr)
{
int i, len = strlen(addr);
+ truncated_addr(context, addr, len, len);
+
for (i = 0; i < len; i++)
truncated_addr(context, addr, i, len);
}
static void
-match_addr(krb5_context context, const char *range_addr,
+match_addr(krb5_context context, const char *range_addr,
const char *one_addr, int match)
{
krb5_addresses range, one;
@@ -137,7 +142,7 @@ match_addr(krb5_context context, const char *range_addr,
if (range.len != 1)
krb5_err(context, 1, ret, "wrong num of addresses");
-
+
ret = krb5_parse_address(context, one_addr, &one);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_address");
@@ -157,12 +162,41 @@ match_addr(krb5_context context, const char *range_addr,
krb5_free_addresses(context, &one);
}
+#ifdef _MSC_VER
+
+/* For the truncation tests, calling strcpy_s() or strcat_s() with a
+ size of 0 results in the invalid parameter handler being invoked.
+ For the debug version, the runtime also throws an assert. */
+
+static void
+inv_param_handler(const wchar_t* expression,
+ const wchar_t* function,
+ const wchar_t* file,
+ unsigned int line,
+ uintptr_t pReserved)
+{
+ printf("Invalid parameter handler invoked for: %S in %S(%d) [%S]\n",
+ function, file, line, expression);
+}
+
+static _invalid_parameter_handler _inv_old = NULL;
+
+#define SET_INVALID_PARAM_HANDLER _inv_old = _set_invalid_parameter_handler(inv_param_handler)
+
+#else
+
+#define SET_INVALID_PARAM_HANDLER ((void) 0)
+
+#endif
+
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
+ SET_INVALID_PARAM_HANDLER;
+
setprogname(argv[0]);
ret = krb5_init_context(&context);
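Review bot: In `inv_param_handler` the `line` argument is `unsigned int` but is printed with `%d`; use `%u` so the format matches the argument type. The file-scope name `_inv_old` starts with an underscore and is therefore a reserved identifier at file scope, so something like `inv_old_handler` is safer. The saved handler is never restored in the lines shown. The comment above the handler should also say that the handler returns on purpose, so the truncation tests keep running after a size-0 call instead of terminating the process. main continues outside the hunk.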
@@ -174,7 +208,7 @@ main(int argc, char **argv)
print_addr(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255");
print_addr(context, "RANGE:130.237.237.4/29");
#ifdef HAVE_IPV6
- print_addr(context, "RANGE:fe80::209:6bff:fea0:e522/64");
+ print_addr(context, "RANGE:2001:db8:1:2:3:4:1428:7ab/64");
print_addr(context, "RANGE:IPv6:fe80::209:6bff:fea0:e522/64");
print_addr(context, "RANGE:IPv6:fe80::-IPv6:fe80::ffff:ffff:ffff:ffff");
print_addr(context, "RANGE:fe80::-fe80::ffff:ffff:ffff:ffff");
@@ -183,7 +217,10 @@ main(int argc, char **argv)
check_truncation(context, "IPv4:127.0.0.0");
check_truncation(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255");
#ifdef HAVE_IPV6
+ check_truncation(context, "IPv6:::");
check_truncation(context, "IPv6:::1");
+ check_truncation(context, "IPv6:2001:db8:1:2:3:4:1428:7ab");
+ check_truncation(context, "IPv6:fe80::209:0:0:0");
check_truncation(context, "IPv6:fe80::ffff:ffff:ffff:ffff");
#endif
diff --git a/crypto/heimdal/lib/krb5/test_alname.c b/crypto/heimdal/lib/krb5/test_alname.c
index e8397b748026..21e4bff8d82c 100644
--- a/crypto/heimdal/lib/krb5/test_alname.c
+++ b/crypto/heimdal/lib/krb5/test_alname.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,11 +34,9 @@
#include <getarg.h>
#include <err.h>
-RCSID("$Id: test_alname.c 15474 2005-06-17 04:48:02Z lha $");
-
static void
test_alname(krb5_context context, krb5_const_realm realm,
- const char *user, const char *inst,
+ const char *user, const char *inst,
const char *localuser, int ok)
{
krb5_principal p;
@@ -60,20 +58,20 @@ test_alname(krb5_context context, krb5_const_realm realm,
if (ret) {
if (!ok)
return;
- krb5_err(context, 1, ret, "krb5_aname_to_localname: %s -> %s",
+ krb5_err(context, 1, ret, "krb5_aname_to_localname: %s -> %s",
princ, localuser);
}
if (strcmp(localname, localuser) != 0) {
if (ok)
- errx(1, "compared failed %s != %s (should have succeded)",
+ errx(1, "compared failed %s != %s (should have succeded)",
localname, localuser);
} else {
if (!ok)
- errx(1, "compared failed %s == %s (should have failed)",
+ errx(1, "compared failed %s == %s (should have failed)",
localname, localuser);
}
-
+
}
static int version_flag = 0;
@@ -109,7 +107,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -140,12 +138,12 @@ main(int argc, char **argv)
test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL, user, 0);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root", "root", 0);
- test_alname(context, realm, user, NULL,
+ test_alname(context, realm, user, NULL,
"not-same-as-user", 0);
test_alname(context, realm, user, "root",
"not-same-as-user", 0);
- test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL,
+ test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL,
"not-same-as-user", 0);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root",
"not-same-as-user", 0);
diff --git a/crypto/heimdal/lib/krb5/test_cc.c b/crypto/heimdal/lib/krb5/test_cc.c
index 075cfe237fba..911fba52405c 100644
--- a/crypto/heimdal/lib/krb5/test_cc.c
+++ b/crypto/heimdal/lib/krb5/test_cc.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,17 +34,21 @@
#include <getarg.h>
#include <err.h>
-RCSID("$Id: test_cc.c 22115 2007-12-03 21:21:42Z lha $");
-
static int debug_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
+#ifdef KRB5_USE_PATH_TOKENS
+#define TEST_CC_NAME "%{TEMP}/krb5-cc-test-foo"
+#else
+#define TEST_CC_NAME "/tmp/krb5-cc-test-foo"
+#endif
+
static void
test_default_name(krb5_context context)
{
krb5_error_code ret;
- const char *p, *test_cc_name = "/tmp/krb5-cc-test-foo";
+ const char *p, *test_cc_name = TEST_CC_NAME;
char *p1, *p2, *p3;
p = krb5_cc_default_name(context);
@@ -63,18 +67,23 @@ test_default_name(krb5_context context)
if (strcmp(p1, p2) != 0)
krb5_errx (context, 1, "krb5_cc_default_name no longer same");
-
+
ret = krb5_cc_set_default_name(context, test_cc_name);
if (p == NULL)
krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
-
+
p = krb5_cc_default_name(context);
if (p == NULL)
krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
p3 = estrdup(p);
-
+
+#ifndef KRB5_USE_PATH_TOKENS
+ /* If we are using path tokens, we don't expect the p3 and
+ test_cc_name to match since p3 is going to have expanded
+ tokens. */
if (strcmp(p3, test_cc_name) != 0)
krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+#endif
free(p1);
free(p2);
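Review bot: The result of `krb5_cc_set_default_name(context, test_cc_name)` is stored in `ret` but the next line tests `p == NULL`, which is left over from the earlier call, so a failure to set the name goes unnoticed. With the new `#ifndef KRB5_USE_PATH_TOKENS` guard the `strcmp(p3, test_cc_name)` check is compiled out on path-token builds, leaving nothing that verifies the set took effect there. I would change the check to `if (ret) krb5_err(context, 1, ret, "krb5_cc_set_default_name 1 failed");`. The function body starts and ends outside this hunk.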
@@ -99,9 +108,9 @@ test_mcache(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+ ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_gen_new");
+ krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, id, p);
if (ret)
@@ -115,10 +124,11 @@ test_mcache(krb5_context context)
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
- asprintf(&c, "%s:%s", tc, nc);
-
+ if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL)
+ errx(1, "malloc");
+
krb5_cc_close(context, id);
-
+
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
@@ -151,24 +161,26 @@ test_mcache(krb5_context context)
*/
static void
-test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops)
+test_init_vs_destroy(krb5_context context, const char *type)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
- char *n;
+ char *n = NULL;
ret = krb5_parse_name(context, "lha@SU.SE", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_cc_gen_new(context, ops, &id);
+ ret = krb5_cc_new_unique(context, type, NULL, &id);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_gen_new");
+ krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", type);
+
+ if (asprintf(&n, "%s:%s",
+ krb5_cc_get_type(context, id),
+ krb5_cc_get_name(context, id)) < 0 || n == NULL)
+ errx(1, "malloc");
- asprintf(&n, "%s:%s",
- krb5_cc_get_type(context, id),
- krb5_cc_get_name(context, id));
ret = krb5_cc_resolve(context, n, &id2);
free(n);
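Review bot: The new `asprintf(&n, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id))` passes both results straight to `%s` without a NULL check, whereas test_mcache in this same file tests `tc == NULL` before formatting. Passing a null pointer to `%s` is undefined behaviour, so if either accessor can return NULL for a backend (not visible here), this would crash rather than fail the test. Storing the two values in locals and calling `krb5_errx(context, 1, "krb5_cc_get_name")` on NULL would keep the two tests consistent. test_init_vs_destroy continues outside the hunk.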
@@ -191,7 +203,7 @@ test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops)
}
static void
-test_fcache_remove(krb5_context context)
+test_cache_remove(krb5_context context, const char *type)
{
krb5_error_code ret;
krb5_ccache id;
@@ -202,9 +214,9 @@ test_fcache_remove(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &id);
+ ret = krb5_cc_new_unique(context, type, NULL, &id);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_gen_new");
+ krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", type);
ret = krb5_cc_initialize(context, id, p);
if (ret)
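Review bot: The error message still names the old function: the call is now `krb5_cc_new_unique(context, type, NULL, &id)` but the failure text is `"krb5_cc_gen_new: %s"`. The same stale label is used for the `to` cache in test_copy further down, while the other converted call sites in this commit were updated. Both should read `krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", type);` (with `to` in test_copy) so a failing backend is attributed to the right call.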
@@ -280,12 +292,33 @@ struct {
char *res;
} cc_names[] = {
{ "foo", 0, "foo" },
+ { "foo%}", 0, "foo%}" },
{ "%{uid}", 0 },
{ "foo%{null}", 0, "foo" },
{ "foo%{null}bar", 0, "foobar" },
{ "%{", 1 },
{ "%{foo %{", 1 },
{ "%{{", 1 },
+ { "%{{}", 1 },
+ { "%{nulll}", 1 },
+ { "%{does not exist}", 1 },
+ { "%{}", 1 },
+#ifdef KRB5_USE_PATH_TOKENS
+ { "%{APPDATA}", 0 },
+ { "%{COMMON_APPDATA}", 0},
+ { "%{LOCAL_APPDATA}", 0},
+ { "%{SYSTEM}", 0},
+ { "%{WINDOWS}", 0},
+ { "%{TEMP}", 0},
+ { "%{USERID}", 0},
+ { "%{uid}", 0},
+ { "%{USERCONFIG}", 0},
+ { "%{COMMONCONFIG}", 0},
+ { "%{LIBDIR}", 0},
+ { "%{BINDIR}", 0},
+ { "%{LIBEXEC}", 0},
+ { "%{SBINDIR}", 0},
+#endif
};
static void
@@ -299,14 +332,14 @@ test_def_cc_name(krb5_context context)
ret = _krb5_expand_default_cc_name(context, cc_names[i].str, &str);
if (ret) {
if (cc_names[i].fail == 0)
- krb5_errx(context, 1, "test %d \"%s\" failed",
+ krb5_errx(context, 1, "test %d \"%s\" failed",
i, cc_names[i].str);
} else {
if (cc_names[i].fail)
- krb5_errx(context, 1, "test %d \"%s\" was successful",
+ krb5_errx(context, 1, "test %d \"%s\" was successful",
i, cc_names[i].str);
if (cc_names[i].res && strcmp(cc_names[i].res, str) != 0)
- krb5_errx(context, 1, "test %d %s != %s",
+ krb5_errx(context, 1, "test %d %s != %s",
i, cc_names[i].res, str);
if (debug_flag)
printf("%s => %s\n", cc_names[i].str, str);
@@ -316,8 +349,7 @@ test_def_cc_name(krb5_context context)
}
static void
-test_cache_find(krb5_context context, const char *type, const char *principal,
- int find)
+test_cache_find(krb5_context context, const char *principal, int find)
{
krb5_principal client;
krb5_error_code ret;
@@ -326,8 +358,8 @@ test_cache_find(krb5_context context, const char *type, const char *principal,
ret = krb5_parse_name(context, principal, &client);
if (ret)
krb5_err(context, 1, ret, "parse_name for %s failed", principal);
-
- ret = krb5_cc_cache_match(context, client, type, &id);
+
+ ret = krb5_cc_cache_match(context, client, &id);
if (ret && find)
krb5_err(context, 1, ret, "cc_cache_match for %s failed", principal);
if (ret == 0 && !find)
@@ -345,7 +377,7 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
krb5_cc_cache_cursor cursor;
krb5_error_code ret;
krb5_ccache id;
-
+
ret = krb5_cc_cache_get_first (context, type, &cursor);
if (ret == KRB5_CC_NOSUPP)
return;
@@ -379,36 +411,62 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
}
static void
-test_copy(krb5_context context, const char *fromtype, const char *totype)
+test_cache_iter_all(krb5_context context)
{
- const krb5_cc_ops *from, *to;
- krb5_ccache fromid, toid;
+ krb5_cccol_cursor cursor;
krb5_error_code ret;
- krb5_principal p, p2;
+ krb5_ccache id;
+
+ ret = krb5_cccol_cursor_new (context, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cccol_cursor_new");
+
+
+ while ((ret = krb5_cccol_cursor_next (context, cursor, &id)) == 0 && id != NULL) {
+ krb5_principal principal;
+ char *name;
+
+ if (debug_flag)
+ printf("name: %s\n", krb5_cc_get_name(context, id));
+ ret = krb5_cc_get_principal(context, id, &principal);
+ if (ret == 0) {
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0) {
+ if (debug_flag)
+ printf("\tprincipal: %s\n", name);
+ free(name);
+ }
+ krb5_free_principal(context, principal);
+ }
+ krb5_cc_close(context, id);
+ }
+
+ krb5_cccol_cursor_free(context, &cursor);
+}
- from = krb5_cc_get_prefix_ops(context, fromtype);
- if (from == NULL)
- krb5_errx(context, 1, "%s isn't a type", fromtype);
- to = krb5_cc_get_prefix_ops(context, totype);
- if (to == NULL)
- krb5_errx(context, 1, "%s isn't a type", totype);
+static void
+test_copy(krb5_context context, const char *from, const char *to)
+{
+ krb5_ccache fromid, toid;
+ krb5_error_code ret;
+ krb5_principal p, p2;
ret = krb5_parse_name(context, "lha@SU.SE", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_cc_gen_new(context, from, &fromid);
+ ret = krb5_cc_new_unique(context, from, NULL, &fromid);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_gen_new");
+ krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", from);
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
- ret = krb5_cc_gen_new(context, to, &toid);
+ ret = krb5_cc_new_unique(context, to, NULL, &toid);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_gen_new");
+ krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", to);
ret = krb5_cc_copy_cache(context, fromid, toid);
if (ret)
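Review bot: In test_cache_iter_all the loop ends when `krb5_cccol_cursor_next` returns non-zero or a NULL `id`, but `ret` is never examined afterwards, so an iteration error is indistinguishable from reaching the end of the collection. Failures of `krb5_cc_get_principal` and `krb5_unparse_name` inside the body are also silently skipped, which means the test passes even if no cache could be read. If only end-of-collection is acceptable, add a check after the loop such as `if (ret) krb5_err(context, 1, ret, "krb5_cccol_cursor_next");`, adjusted if the API signals the end with a specific code. A short comment stating that per-cache errors are tolerated on purpose would help if that is the intent.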
@@ -429,6 +487,55 @@ test_copy(krb5_context context, const char *fromtype, const char *totype)
}
static void
+test_move(krb5_context context, const char *type)
+{
+ const krb5_cc_ops *ops;
+ krb5_ccache fromid, toid;
+ krb5_error_code ret;
+ krb5_principal p, p2;
+
+ ops = krb5_cc_get_prefix_ops(context, type);
+ if (ops == NULL)
+ return;
+
+ ret = krb5_cc_new_unique(context, type, NULL, &fromid);
+ if (ret == KRB5_CC_NOSUPP)
+ return;
+ else if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", type);
+
+ ret = krb5_parse_name(context, "lha@SU.SE", &p);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_cc_initialize(context, fromid, p);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_new_unique(context, type, NULL, &toid);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_new_unique");
+
+ ret = krb5_cc_initialize(context, toid, p);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_get_principal(context, toid, &p2);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_get_principal");
+
+ if (krb5_principal_compare(context, p, p2) == FALSE)
+ krb5_errx(context, 1, "p != p2");
+
+ krb5_free_principal(context, p);
+ krb5_free_principal(context, p2);
+
+ krb5_cc_destroy(context, toid);
+ krb5_cc_destroy(context, fromid);
+}
+
+
+static void
test_prefix_ops(krb5_context context, const char *name, const krb5_cc_ops *ops)
{
const krb5_cc_ops *o;
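Review bot: test_move never performs a move: it creates `fromid` and `toid`, initializes both with the same principal `p`, and then compares the principal read back from `toid`, which it just wrote itself. As written the test cannot fail because of the move path, and `ops` is only used as an existence probe. I would drop the `krb5_cc_initialize(context, toid, p)` and instead do `ret = krb5_cc_move(context, fromid, toid);` with the usual `krb5_err` check before `krb5_cc_get_principal`. If the move consumes `fromid`, as I believe it does, the final `krb5_cc_destroy(context, fromid)` must then be removed; please confirm against the library.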
@@ -441,6 +548,68 @@ test_prefix_ops(krb5_context context, const char *name, const krb5_cc_ops *ops)
"the expected %s != %s", name, o->prefix, ops->prefix);
}
+static void
+test_cc_config(krb5_context context)
+{
+ krb5_error_code ret;
+ krb5_principal p;
+ krb5_ccache id;
+ unsigned int i;
+
+ ret = krb5_cc_new_unique(context, "MEMORY", "bar", &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_new_unique");
+
+ ret = krb5_parse_name(context, "lha@SU.SE", &p);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_cc_initialize(context, id, p);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+ for (i = 0; i < 1000; i++) {
+ krb5_data data, data2;
+ const char *name = "foo";
+ krb5_principal p1 = NULL;
+
+ if (i & 1)
+ p1 = p;
+
+ data.data = rk_UNCONST(name);
+ data.length = strlen(name);
+
+ ret = krb5_cc_set_config(context, id, p1, "FriendlyName", &data);
+ if (ret)
+ krb5_errx(context, 1, "krb5_cc_set_config: add");
+
+ ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
+ if (ret)
+ krb5_errx(context, 1, "krb5_cc_get_config: first");
+ krb5_data_free(&data2);
+
+ ret = krb5_cc_set_config(context, id, p1, "FriendlyName", &data);
+ if (ret)
+ krb5_errx(context, 1, "krb5_cc_set_config: add -second");
+
+ ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
+ if (ret)
+ krb5_errx(context, 1, "krb5_cc_get_config: second");
+ krb5_data_free(&data2);
+
+ ret = krb5_cc_set_config(context, id, p1, "FriendlyName", NULL);
+ if (ret)
+ krb5_errx(context, 1, "krb5_cc_set_config: delete");
+
+ ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
+ if (ret == 0)
+ krb5_errx(context, 1, "krb5_cc_get_config: non-existant");
+ }
+
+ krb5_cc_destroy(context, id);
+ krb5_free_principal(context, p);
+}
+
static struct getargs args[] = {
{"debug", 'd', arg_flag, &debug_flag,
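Review bot: Every failure inside the test_cc_config loop is reported with `krb5_errx(context, 1, "...")`, which discards `ret`, so the output says which step failed but not why. Using `krb5_err(context, 1, ret, "krb5_cc_set_config: add")` and likewise for the other set/get checks would keep the library's error code in the message, matching the setup code at the top of the function. The final check only asserts that `krb5_cc_get_config` fails after the delete; if a specific "not found" code is expected, it would be worth asserting it. The cache is created with the literal `"MEMORY"` while the rest of this commit switches to `krb5_cc_type_memory`.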
@@ -470,7 +639,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -486,47 +655,82 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
- test_fcache_remove(context);
+ test_cache_remove(context, krb5_cc_type_file);
+ test_cache_remove(context, krb5_cc_type_memory);
+#ifdef USE_SQLITE
+ test_cache_remove(context, krb5_cc_type_scc);
+#endif
+
test_default_name(context);
test_mcache(context);
- test_init_vs_destroy(context, &krb5_mcc_ops);
- test_init_vs_destroy(context, &krb5_fcc_ops);
+ test_init_vs_destroy(context, krb5_cc_type_memory);
+ test_init_vs_destroy(context, krb5_cc_type_file);
+#if 0
+ test_init_vs_destroy(context, krb5_cc_type_api);
+#endif
+ test_init_vs_destroy(context, krb5_cc_type_scc);
test_mcc_default();
test_def_cc_name(context);
- test_cache_iter(context, "MEMORY", 0);
+
+ test_cache_iter_all(context);
+
+ test_cache_iter(context, krb5_cc_type_memory, 0);
{
krb5_principal p;
- krb5_cc_new_unique(context, "MEMORY", "bar", &id1);
- krb5_cc_new_unique(context, "MEMORY", "baz", &id2);
+ krb5_cc_new_unique(context, krb5_cc_type_memory, "bar", &id1);
+ krb5_cc_new_unique(context, krb5_cc_type_memory, "baz", &id2);
krb5_parse_name(context, "lha@SU.SE", &p);
krb5_cc_initialize(context, id1, p);
krb5_free_principal(context, p);
}
- test_cache_find(context, "MEMORY", "lha@SU.SE", 1);
- test_cache_find(context, "MEMORY", "hulabundulahotentot@SU.SE", 0);
-
- test_cache_iter(context, "MEMORY", 0);
- test_cache_iter(context, "MEMORY", 1);
- test_cache_iter(context, "MEMORY", 0);
- test_cache_iter(context, "FILE", 0);
- test_cache_iter(context, "API", 0);
-
- test_copy(context, "FILE", "FILE");
- test_copy(context, "MEMORY", "MEMORY");
- test_copy(context, "FILE", "MEMORY");
- test_copy(context, "MEMORY", "FILE");
+ test_cache_find(context, "lha@SU.SE", 1);
+ test_cache_find(context, "hulabundulahotentot@SU.SE", 0);
+
+ test_cache_iter(context, krb5_cc_type_memory, 0);
+ test_cache_iter(context, krb5_cc_type_memory, 1);
+ test_cache_iter(context, krb5_cc_type_memory, 0);
+ test_cache_iter(context, krb5_cc_type_file, 0);
+ test_cache_iter(context, krb5_cc_type_api, 0);
+ test_cache_iter(context, krb5_cc_type_scc, 0);
+ test_cache_iter(context, krb5_cc_type_scc, 1);
+
+ test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_memory, krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_file, krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_scc, krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, krb5_cc_type_scc);
+ test_copy(context, krb5_cc_type_scc, krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, krb5_cc_type_scc);
+
+ test_move(context, krb5_cc_type_file);
+ test_move(context, krb5_cc_type_memory);
+#ifdef HAVE_KCM
+ test_move(context, krb5_cc_type_kcm);
+#endif
+ test_move(context, krb5_cc_type_scc);
test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
test_prefix_ops(context, "FILE", &krb5_fcc_ops);
test_prefix_ops(context, "MEMORY", &krb5_mcc_ops);
test_prefix_ops(context, "MEMORY:foo", &krb5_mcc_ops);
test_prefix_ops(context, "/tmp/kaka", &krb5_fcc_ops);
+#ifdef HAVE_SCC
+ test_prefix_ops(context, "SCC:", &krb5_scc_ops);
+ test_prefix_ops(context, "SCC:foo", &krb5_scc_ops);
+#endif
krb5_cc_destroy(context, id1);
krb5_cc_destroy(context, id2);
+ test_cc_config(context);
+
krb5_free_context(context);
+#if 0
+ sleep(60);
+#endif
+
return 0;
}
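Review bot: The SQLite-backed cache type is guarded inconsistently in main: `test_cache_remove(context, krb5_cc_type_scc)` sits under `#ifdef USE_SQLITE` and the `SCC:` prefix checks under `#ifdef HAVE_SCC`, but `test_init_vs_destroy`, `test_cache_iter`, `test_copy` and `test_move` are called with `krb5_cc_type_scc` unconditionally. test_init_vs_destroy and test_copy call `krb5_err` when `krb5_cc_new_unique` fails, so on a build without that backend the test program would presumably abort. I would put all SCC calls under one macro, e.g. wrap them in `#ifdef HAVE_SCC` ... `#endif`. Separately, the `krb5_cc_new_unique`, `krb5_parse_name` and `krb5_cc_initialize` calls in the braced block ignore their return values, so a setup failure would only show up later as a confusing `test_cache_find` error. main begins outside the hunk.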
diff --git a/crypto/heimdal/lib/krb5/test_config.c b/crypto/heimdal/lib/krb5/test_config.c
index 7fe224e68812..a2816332dabb 100644
--- a/crypto/heimdal/lib/krb5/test_config.c
+++ b/crypto/heimdal/lib/krb5/test_config.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_config.c 15036 2005-04-30 15:19:58Z lha $");
-
static int
check_config_file(krb5_context context, char *filelist, char **res, int def)
{
@@ -49,39 +47,39 @@ check_config_file(krb5_context context, char *filelist, char **res, int def)
ret = krb5_prepend_config_files_default(filelist, &pp);
else
ret = krb5_prepend_config_files(filelist, NULL, &pp);
-
+
if (ret)
krb5_err(context, 1, ret, "prepend_config_files");
-
+
for (i = 0; res[i] && pp[i]; i++)
if (strcmp(pp[i], res[i]) != 0)
krb5_errx(context, 1, "'%s' != '%s'", pp[i], res[i]);
-
+
if (res[i] != NULL)
krb5_errx(context, 1, "pp ended before res list");
-
+
if (def) {
char **deflist;
int j;
-
+
ret = krb5_get_default_config_files(&deflist);
if (ret)
krb5_err(context, 1, ret, "get_default_config_files");
-
+
for (j = 0 ; pp[i] && deflist[j]; i++, j++)
if (strcmp(pp[i], deflist[j]) != 0)
krb5_errx(context, 1, "'%s' != '%s'", pp[i], deflist[j]);
-
+
if (deflist[j] != NULL)
krb5_errx(context, 1, "pp ended before def list");
krb5_free_config_files(deflist);
}
-
+
if (pp[i] != NULL)
krb5_errx(context, 1, "pp ended after res (and def) list");
-
+
krb5_free_config_files(pp);
-
+
return 0;
}
@@ -94,12 +92,12 @@ struct {
char **res;
} test[] = {
{ "/tmp/foo", NULL },
- { "/tmp/foo:/tmp/foo/bar", NULL },
+ { "/tmp/foo" PATH_SEP "/tmp/foo/bar", NULL },
{ "", NULL }
};
-int
-main(int argc, char **argv)
+static void
+check_config_files(void)
{
krb5_context context;
krb5_error_code ret;
@@ -119,6 +117,130 @@ main(int argc, char **argv)
}
krb5_free_context(context);
+}
+
+const char *config_string_result0[] = {
+ "A", "B", "C", "D", NULL
+};
+
+const char *config_string_result1[] = {
+ "A", "B", "C D", NULL
+};
+
+const char *config_string_result2[] = {
+ "A", "B", "", NULL
+};
+
+const char *config_string_result3[] = {
+ "A B;C: D", NULL
+};
+
+const char *config_string_result4[] = {
+ "\"\"", "", "\"\"", NULL
+};
+
+const char *config_string_result5[] = {
+ "A\"BQd", NULL
+};
+
+const char *config_string_result6[] = {
+ "efgh\"", "ABC", NULL
+};
+
+const char *config_string_result7[] = {
+ "SnapeKills\\", "Dumbledore", NULL
+};
+
+const char *config_string_result8[] = {
+ "\"TownOf Sandwich: Massachusetts\"Oldest", "Town", "In", "Cape Cod", NULL
+};
+const char *config_string_result9[] = {
+ "\"Begins and\"ends", "In", "One", "String", NULL
+};
+
+const char *config_string_result10[] = {
+ "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:",
+ "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.",
+ "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.",
+ "3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.",
+ "THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
+ "Why do we test with such long strings? Because some people have config files",
+ "That", "look", "Like this.", NULL
+};
+
+const struct {
+ const char * name;
+ const char ** expected;
+} config_strings_tests[] = {
+ { "foo", config_string_result0 },
+ { "bar", config_string_result1 },
+ { "baz", config_string_result2 },
+ { "quux", config_string_result3 },
+ { "questionable", config_string_result4 },
+ { "mismatch1", config_string_result5 },
+ { "mismatch2", config_string_result6 },
+ { "internal1", config_string_result7 },
+ { "internal2", config_string_result8 },
+ { "internal3", config_string_result9 },
+ { "longer_strings", config_string_result10 }
+};
+
+static void
+check_escaped_strings(void)
+{
+ krb5_context context;
+ krb5_config_section *c = NULL;
+ krb5_error_code ret;
+ int i;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx(1, "krb5_init_context %d", ret);
+
+ ret = krb5_config_parse_file(context, "test_config_strings.out", &c);
+ if (ret)
+ krb5_errx(context, 1, "krb5_config_parse_file()");
+
+ for (i=0; i < sizeof(config_strings_tests)/sizeof(config_strings_tests[0]); i++) {
+ char **ps;
+ const char **s;
+ const char **e;
+
+ ps = krb5_config_get_strings(context, c, "escapes", config_strings_tests[i].name,
+ NULL);
+ if (ps == NULL)
+ errx(1, "Failed to read string value %s", config_strings_tests[i].name);
+
+ e = config_strings_tests[i].expected;
+
+ for (s = (const char **)ps; *s && *e; s++, e++) {
+ if (strcmp(*s, *e))
+ errx(1,
+ "Unexpected configuration string at value [%s].\n"
+ "Actual=[%s]\n"
+ "Expected=[%s]\n",
+ config_strings_tests[i].name, *s, *e);
+ }
+
+ if (*s || *e)
+ errx(1, "Configuation string list for value [%s] has incorrect length.",
+ config_strings_tests[i].name);
+
+ krb5_config_free_strings(ps);
+ }
+
+ ret = krb5_config_file_free(context, c);
+ if (ret)
+ krb5_errx(context, 1, "krb5_config_file_free()");
+
+ krb5_free_context(context);
+}
+
+int
+main(int argc, char **argv)
+{
+ check_config_files();
+ check_escaped_strings();
return 0;
}
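Review bot: In `check_escaped_strings` the failure paths for `krb5_config_parse_file` and `krb5_config_file_free` call `krb5_errx`, which takes no error code, so `ret` is dropped and a failing run does not say why the file could not be parsed. `krb5_err(context, 1, ret, "krb5_config_parse_file")` would keep the code in the output, as `check_config_file` already does for `prepend_config_files`. The file name `"test_config_strings.out"` is relative, so the test presumably only works when run from the directory that holds that file; a short comment saying where it comes from would help. Two smaller points: `int i` is compared against a `sizeof` quotient, which `size_t i` would avoid, and the message `"Configuation string list ..."` should read `Configuration`.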
diff --git a/crypto/heimdal/lib/krb5/test_crypto.c b/crypto/heimdal/lib/krb5/test_crypto.c
index 0837911f26aa..972af0c5f47b 100644
--- a/crypto/heimdal/lib/krb5/test_crypto.c
+++ b/crypto/heimdal/lib/krb5/test_crypto.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: test_crypto.c 16290 2005-11-24 09:57:50Z lha $");
-
static void
time_encryption(krb5_context context, size_t size,
krb5_enctype etype, int iterations)
@@ -79,7 +77,7 @@ time_encryption(krb5_context context, size_t size,
timevalsub(&tv2, &tv1);
- printf("%s size: %7lu iterations: %d time: %3ld.%06ld\n",
+ printf("%s size: %7lu iterations: %d time: %3ld.%06ld\n",
etype_name, (unsigned long)size, iterations,
(long)tv2.tv_sec, (long)tv2.tv_usec);
@@ -91,7 +89,7 @@ time_encryption(krb5_context context, size_t size,
static void
time_s2k(krb5_context context,
- krb5_enctype etype,
+ krb5_enctype etype,
const char *password,
krb5_salt salt,
int iterations)
@@ -124,7 +122,7 @@ time_s2k(krb5_context context,
timevalsub(&tv2, &tv1);
- printf("%s string2key %d iterations time: %3ld.%06ld\n",
+ printf("%s string2key %d iterations time: %3ld.%06ld\n",
etype_name, iterations, (long)tv2.tv_sec, (long)tv2.tv_usec);
free(etype_name);
@@ -159,7 +157,7 @@ main(int argc, char **argv)
int optidx = 0;
krb5_salt salt;
- krb5_enctype enctypes[] = {
+ krb5_enctype enctypes[] = {
ETYPE_DES_CBC_CRC,
ETYPE_DES3_CBC_SHA1,
ETYPE_ARCFOUR_HMAC_MD5,
@@ -171,7 +169,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -180,9 +178,6 @@ main(int argc, char **argv)
exit(0);
}
- argc -= optidx;
- argv += optidx;
-
salt.salttype = KRB5_PW_SALT;
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
@@ -196,6 +191,8 @@ main(int argc, char **argv)
for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
+ krb5_enctype_enable(context, enctypes[i]);
+
time_encryption(context, 16, enctypes[i], enciter);
time_encryption(context, 32, enctypes[i], enciter);
time_encryption(context, 512, enctypes[i], enciter);
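Review bot: The return value of the added `krb5_enctype_enable(context, enctypes[i]);` is ignored, so an enctype that cannot be enabled is only noticed later inside `time_encryption`, with a less specific error; the same unchecked call is added in the loop in test_crypto_wrapping.c. Assuming a `krb5_error_code ret` is in scope here as it is in test_crypto_wrapping.c, a checked form would be `ret = krb5_enctype_enable(context, enctypes[i]);` followed by `if (ret) krb5_err(context, 1, ret, "krb5_enctype_enable");`. This file's `enctypes[]` also still lists `ETYPE_DES_CBC_CRC` unconditionally, while test_crypto_wrapping.c now wraps its DES entries in `#ifdef HEIM_WEAK_CRYPTO`, so the two tests may behave differently on a build without weak crypto. A one-line comment such as `/* enctypes that are off by default must be enabled explicitly before use */` would record why the call is there, if that is the intent. `main` starts and ends outside this hunk.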
diff --git a/crypto/heimdal/lib/krb5/test_crypto_wrapping.c b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c
index 1618fdf11797..81905a8eadd7 100644
--- a/crypto/heimdal/lib/krb5/test_crypto_wrapping.c
+++ b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: test_crypto_wrapping.c 18809 2006-10-22 07:11:43Z lha $");
-
static void
test_wrapping(krb5_context context,
size_t min_size,
@@ -124,10 +122,12 @@ main(int argc, char **argv)
krb5_error_code ret;
int i, optidx = 0;
- krb5_enctype enctypes[] = {
+ krb5_enctype enctypes[] = {
+#ifdef HEIM_WEAK_CRYPTO
ETYPE_DES_CBC_CRC,
ETYPE_DES_CBC_MD4,
ETYPE_DES_CBC_MD5,
+#endif
ETYPE_DES3_CBC_SHA1,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_AES128_CTS_HMAC_SHA1_96,
@@ -138,7 +138,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -155,6 +155,8 @@ main(int argc, char **argv)
errx (1, "krb5_init_context failed: %d", ret);
for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
+ krb5_enctype_enable(context, enctypes[i]);
+
test_wrapping(context, 0, 1024, 1, enctypes[i]);
test_wrapping(context, 1024, 1024 * 100, 1024, enctypes[i]);
}
diff --git a/crypto/heimdal/lib/krb5/test_forward.c b/crypto/heimdal/lib/krb5/test_forward.c
index 163995334ed9..3782e5074f6d 100644
--- a/crypto/heimdal/lib/krb5/test_forward.c
+++ b/crypto/heimdal/lib/krb5/test_forward.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2008 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id$");
-
static int version_flag = 0;
static int help_flag = 0;
@@ -72,7 +70,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -97,11 +95,11 @@ main(int argc, char **argv)
ret = krb5_cc_default(context, &id);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_default failed: %d", ret);
+ krb5_err(context, 1, ret, "krb5_cc_default failed");
ret = krb5_auth_con_init(context, &ac);
if (ret)
- krb5_err(context, 1, ret, "krb5_auth_con_init failed: %d", ret);
+ krb5_err(context, 1, ret, "krb5_auth_con_init failed");
krb5_auth_con_addflags(context, ac,
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL);
diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c
index 1d53e0eb8c68..33ca929e6e85 100644
--- a/crypto/heimdal/lib/krb5/test_get_addrs.c
+++ b/crypto/heimdal/lib/krb5/test_get_addrs.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: test_get_addrs.c 15474 2005-06-17 04:48:02Z lha $");
-
/* print all addresses that we find */
static void
@@ -44,7 +42,7 @@ print_addresses (krb5_context context, const krb5_addresses *addrs)
int i;
char buf[256];
size_t len;
-
+
for (i = 0; i < addrs->len; ++i) {
krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len);
printf ("%s\n", buf);
@@ -83,7 +81,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -92,9 +90,6 @@ main(int argc, char **argv)
exit(0);
}
- argc -= optidx;
- argv += optidx;
-
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
diff --git a/crypto/heimdal/lib/krb5/test_hostname.c b/crypto/heimdal/lib/krb5/test_hostname.c
index 095cb391633e..fbdb5c9c322a 100644
--- a/crypto/heimdal/lib/krb5/test_hostname.c
+++ b/crypto/heimdal/lib/krb5/test_hostname.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: test_hostname.c 15965 2005-08-23 20:18:55Z lha $");
-
static int debug_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
@@ -122,7 +120,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
diff --git a/crypto/heimdal/lib/krb5/test_keytab.c b/crypto/heimdal/lib/krb5/test_keytab.c
index 97361cc19a31..134b0f17e693 100644
--- a/crypto/heimdal/lib/krb5/test_keytab.c
+++ b/crypto/heimdal/lib/krb5/test_keytab.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -32,8 +32,7 @@
#include "krb5_locl.h"
#include <err.h>
-
-RCSID("$Id: test_keytab.c 18809 2006-10-22 07:11:43Z lha $");
+#include <getarg.h>
/*
* Test that removal entry from of empty keytab doesn't corrupts
@@ -55,6 +54,10 @@ test_empty_keytab(krb5_context context, const char *keytab)
krb5_kt_remove_entry(context, id, &entry);
+ ret = krb5_kt_have_content(context, id);
+ if (ret == 0)
+ krb5_errx(context, 1, "supposed to be empty keytab isn't");
+
ret = krb5_kt_close(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_close");
@@ -167,23 +170,120 @@ test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2
krb5_free_keyblock_contents(context, &entry3.keyblock);
}
+static void
+perf_add(krb5_context context, krb5_keytab id, int times)
+{
+}
+
+static void
+perf_find(krb5_context context, krb5_keytab id, int times)
+{
+}
+
+static void
+perf_delete(krb5_context context, krb5_keytab id, int forward, int times)
+{
+}
+
+
+static int version_flag = 0;
+static int help_flag = 0;
+static char *perf_str = NULL;
+static int times = 1000;
+
+static struct getargs args[] = {
+ {"performance", 0, arg_string, &perf_str,
+ "test performance for named keytab", "keytab" },
+ {"times", 0, arg_integer, &times,
+ "number of times to run the perforamce test", "number" },
+ {"version", 0, arg_flag, &version_flag,
+ "print version", NULL },
+ {"help", 0, arg_flag, &help_flag,
+ NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+ arg_printusage (args,
+ sizeof(args)/sizeof(*args),
+ NULL,
+ "");
+ exit (ret);
+}
+
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
+ int optidx = 0;
setprogname(argv[0]);
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage(1);
+
+ if (help_flag)
+ usage (0);
+
+ if(version_flag){
+ print_version(NULL);
+ exit(0);
+ }
+
+ argc -= optidx;
+ argv += optidx;
+
+ if (argc != 0)
+ errx(1, "argc != 0");
+
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
- test_empty_keytab(context, "MEMORY:foo");
- test_empty_keytab(context, "FILE:foo");
- test_empty_keytab(context, "KRB4:foo");
+ if (perf_str) {
+ krb5_keytab id;
+
+ ret = krb5_kt_resolve(context, perf_str, &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_resolve: %s", perf_str);
+
+ /* add, find, delete on keytab */
+ perf_add(context, id, times);
+ perf_find(context, id, times);
+ perf_delete(context, id, 0, times);
+
+ /* add and find again on used keytab */
+ perf_add(context, id, times);
+ perf_find(context, id, times);
+
+ ret = krb5_kt_destroy(context, id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_destroy: %s", perf_str);
+
+ ret = krb5_kt_resolve(context, perf_str, &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_resolve: %s", perf_str);
+
+ /* try delete backwards */
+#if 0
+ perf_add(context, id, times);
+ perf_delete(context, id, 1, times);
+#endif
+
+ ret = krb5_kt_destroy(context, id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_destroy");
+
+ } else {
+
+ test_empty_keytab(context, "MEMORY:foo");
+ test_empty_keytab(context, "FILE:foo");
+
+ test_memory_keytab(context, "MEMORY:foo", "MEMORY:foo2");
- test_memory_keytab(context, "MEMORY:foo", "MEMORY:foo2");
+ }
krb5_free_context(context);
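Review bot: With `--performance`, `main` resolves the named keytab and calls `krb5_kt_destroy` on it twice, while `perf_add`, `perf_find` and `perf_delete` are empty stubs, so the option measures nothing and its only visible effect is to destroy the keytab it was given. Someone who points it at a keytab that is in use would lose it, and the help text `"test performance for named keytab"` gives no hint of that. I would change it to `"test performance for named keytab (the keytab is destroyed)"` and mark each stub with `/* TODO: not implemented yet */`. The `--times` help string has a typo (`perforamce`), and `times` is passed on without a check that it is positive. The end of `main` is outside this hunk.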
diff --git a/crypto/heimdal/lib/krb5/test_kuserok.c b/crypto/heimdal/lib/krb5/test_kuserok.c
index 04a6f210a05e..5beb1b75732f 100644
--- a/crypto/heimdal/lib/krb5/test_kuserok.c
+++ b/crypto/heimdal/lib/krb5/test_kuserok.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include <getarg.h>
#include <err.h>
-RCSID("$Id: test_kuserok.c 15033 2005-04-30 15:15:38Z lha $");
-
static int version_flag = 0;
static int help_flag = 0;
@@ -69,7 +67,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &o))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -91,7 +89,7 @@ main(int argc, char **argv)
ret = krb5_parse_name(context, argv[0], &principal);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
-
+
ret = krb5_unparse_name(context, principal, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name");
diff --git a/crypto/heimdal/lib/krb5/test_mem.c b/crypto/heimdal/lib/krb5/test_mem.c
index 8989caed7484..3333d0dc6d93 100644
--- a/crypto/heimdal/lib/krb5/test_mem.c
+++ b/crypto/heimdal/lib/krb5/test_mem.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_mem.c 15931 2005-08-12 13:43:46Z lha $");
-
/*
* Test run functions, to be used with valgrind to detect memoryleaks.
*/
@@ -52,11 +50,11 @@ check_log(void)
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
-
+
krb5_initlog(context, "test-mem", &logfacility);
krb5_addlog_dest(context, logfacility, "0/STDERR:");
krb5_set_warn_dest(context, logfacility);
-
+
krb5_free_context(context);
}
}
diff --git a/crypto/heimdal/lib/krb5/test_pac.c b/crypto/heimdal/lib/krb5/test_pac.c
index a22fe3a8c6c5..983294ecf90c 100644
--- a/crypto/heimdal/lib/krb5/test_pac.c
+++ b/crypto/heimdal/lib/krb5/test_pac.c
@@ -1,58 +1,56 @@
/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: test_pac.c 21934 2007-08-27 14:21:04Z lha $");
-
/*
* This PAC and keys are copied (with permission) from Samba torture
* regression test suite, they where created by Andrew Bartlet.
*/
static const unsigned char saved_pac[] = {
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
- 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
+ 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
+ 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
+ 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
@@ -95,7 +93,70 @@ static const krb5_keyblock member_keyblock = {
};
static time_t authtime = 1120440609;
-static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
+static const char *user = "w2003final$";
+
+/*
+ * This pac from Christan Krause
+ */
+
+static const unsigned char saved_pac2[] =
+ "\x05\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xc8\x01\x00\x00"
+ "\x58\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x18\x00\x00\x00"
+ "\x20\x02\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x70\x00\x00\x00"
+ "\x38\x02\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x14\x00\x00\x00"
+ "\xa8\x02\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x14\x00\x00\x00"
+ "\xc0\x02\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
+ "\xb8\x01\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x7d\xee\x09\x76"
+ "\xf2\x39\xc9\x01\xff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\xff"
+ "\xff\xff\xff\x7f\x6d\x49\x38\x62\xf2\x39\xc9\x01\x6d\x09\xa2\x8c"
+ "\xbb\x3a\xc9\x01\xff\xff\xff\xff\xff\xff\xff\x7f\x0e\x00\x0e\x00"
+ "\x04\x00\x02\x00\x10\x00\x10\x00\x08\x00\x02\x00\x00\x00\x00\x00"
+ "\x0c\x00\x02\x00\x00\x00\x00\x00\x10\x00\x02\x00\x00\x00\x00\x00"
+ "\x14\x00\x02\x00\x00\x00\x00\x00\x18\x00\x02\x00\x02\x01\x00\x00"
+ "\x52\x04\x00\x00\x01\x02\x00\x00\x03\x00\x00\x00\x1c\x00\x02\x00"
+ "\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x10\x00\x12\x00\x20\x00\x02\x00\x0e\x00\x10\x00"
+ "\x24\x00\x02\x00\x28\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00"
+ "\x6f\x00\x70\x00\x65\x00\x6e\x00\x6d\x00\x73\x00\x70\x00\x00\x00"
+ "\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x6f\x00\x70\x00"
+ "\x65\x00\x6e\x00\x20\x00\x6d\x00\x73\x00\x70\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00"
+ "\x60\x04\x00\x00\x07\x00\x00\x00\x01\x02\x00\x00\x07\x00\x00\x00"
+ "\x5e\x04\x00\x00\x07\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00"
+ "\x08\x00\x00\x00\x43\x00\x48\x00\x4b\x00\x52\x00\x2d\x00\x41\x00"
+ "\x44\x00\x53\x00\x08\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00"
+ "\x4d\x00\x53\x00\x50\x00\x2d\x00\x41\x00\x44\x00\x53\x00\x00\x00"
+ "\x04\x00\x00\x00\x01\x04\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
+ "\x91\xad\xdc\x4c\x63\xb8\xb5\x48\xd5\x53\xd2\xd1\x00\x00\x00\x00"
+ "\x00\x66\xeb\x75\xf2\x39\xc9\x01\x0e\x00\x6f\x00\x70\x00\x65\x00"
+ "\x6e\x00\x6d\x00\x73\x00\x70\x00\x38\x00\x10\x00\x28\x00\x48\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x6f\x00\x70\x00\x65\x00\x6e\x00"
+ "\x6d\x00\x73\x00\x70\x00\x40\x00\x6d\x00\x73\x00\x70\x00\x2d\x00"
+ "\x61\x00\x64\x00\x73\x00\x2e\x00\x70\x00\x65\x00\x70\x00\x70\x00"
+ "\x65\x00\x72\x00\x63\x00\x6f\x00\x6e\x00\x2e\x00\x64\x00\x65\x00"
+ "\x4d\x00\x53\x00\x50\x00\x2d\x00\x41\x00\x44\x00\x53\x00\x2e\x00"
+ "\x50\x00\x45\x00\x50\x00\x50\x00\x45\x00\x52\x00\x43\x00\x4f\x00"
+ "\x4e\x00\x2e\x00\x44\x00\x45\x00\x76\xff\xff\xff\xb3\x56\x15\x29"
+ "\x37\xc6\x5c\xf7\x97\x35\xfa\xec\x59\xe8\x96\xa0\x00\x00\x00\x00"
+ "\x76\xff\xff\xff\x50\x71\xa2\xb1\xa3\x64\x82\x5c\xfd\x23\xea\x3b"
+ "\xb0\x19\x12\xd4\x00\x00\x00\x00";
+
+
+static const krb5_keyblock member_keyblock2 = {
+ ETYPE_DES_CBC_MD5,
+ { 8, "\x9e\x37\x83\x25\x4a\x7f\xf2\xf8" }
+};
+
+static time_t authtime2 = 1225304188;
+static const char *user2 = "openmsp";
+
+
int
main(int argc, char **argv)
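Review bot: The comment above `saved_pac2` leaves out two things a maintainer needs in order to use this fixture correctly. The array is initialised from a string literal, so `sizeof(saved_pac2)` counts the terminating NUL and callers have to pass `sizeof(saved_pac2) - 1`. `member_keyblock2` is an `ETYPE_DES_CBC_MD5` key, which is presumably why main now calls `krb5_enctype_enable()`. I would extend the comment to something like `/* PAC from Christian Krause; string literal, so length is sizeof(saved_pac2) - 1; member key is single DES and needs the enctype enabled */`.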
@@ -104,13 +165,16 @@ main(int argc, char **argv)
krb5_context context;
krb5_pac pac;
krb5_data data;
- krb5_principal p;
+ krb5_principal p, p2;
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_contex");
- ret = krb5_parse_name(context, user, &p);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+
+ ret = krb5_parse_name_flags(context, user,
+ KRB5_PRINCIPAL_PARSE_NO_REALM, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
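Review bot: The return value of the added `krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);` is discarded. If the library refuses to enable single DES, the test carries on and presumably fails later, in the PAC verification, with a message that does not point at the cause. I would write `ret = krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);` followed by `if (ret) krb5_err(context, 1, ret, "krb5_enctype_enable");`. A short comment that the weak enctype is enabled only for the `saved_pac2` fixture would also help. The body of main continues outside this hunk.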
@@ -123,7 +187,7 @@ main(int argc, char **argv)
if (ret)
krb5_err(context, 1, ret, "krb5_pac_verify");
- ret = _krb5_pac_sign(context, pac, authtime, p,
+ ret = _krb5_pac_sign(context, pac, authtime, p,
&member_keyblock, &kdc_keyblock, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
@@ -166,10 +230,10 @@ main(int argc, char **argv)
if (list[i] == 1) {
if (type_1_length != data.length)
- krb5_errx(context, 1, "type 1 have wrong length: %lu",
+ krb5_errx(context, 1, "type 1 have wrong length: %lu",
(unsigned long)data.length);
} else
- krb5_errx(context, 1, "unknown type %lu",
+ krb5_errx(context, 1, "unknown type %lu",
(unsigned long)list[i]);
ret = krb5_pac_add_buffer(context, pac2, list[i], &data);
@@ -178,29 +242,51 @@ main(int argc, char **argv)
krb5_data_free(&data);
}
free(list);
-
- ret = _krb5_pac_sign(context, pac2, authtime, p,
+
+ ret = _krb5_pac_sign(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign 4");
-
+
krb5_pac_free(context, pac2);
ret = krb5_pac_parse(context, data.data, data.length, &pac2);
+ krb5_data_free(&data);
if (ret)
krb5_err(context, 1, ret, "krb5_pac_parse 4");
-
+
ret = krb5_pac_verify(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock);
if (ret)
krb5_err(context, 1, ret, "krb5_pac_verify 4");
-
+
krb5_pac_free(context, pac2);
}
krb5_pac_free(context, pac);
/*
+ * check pac from Christian
+ */
+
+ ret = krb5_parse_name_flags(context, user2,
+ KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_pac_parse(context, saved_pac2, sizeof(saved_pac2) -1, &pac);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_parse");
+
+ ret = krb5_pac_verify(context, pac, authtime2, p2,
+ &member_keyblock2, NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_verify c1");
+
+ krb5_pac_free(context, pac);
+ krb5_free_principal(context, p2);
+
+ /*
* Test empty free
*/
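Review bot: The new `krb5_pac_verify` call passes `NULL` for the KDC key, so this case appears to check only the server checksum of `saved_pac2`. Nothing in the comment says the KDC checksum is deliberately left unverified. A line such as `/* no KDC key for this PAC: only the server checksum is verified */` would keep a reader from assuming full coverage. The two error labels before it reuse `"krb5_parse_name"` and `"krb5_pac_parse"` from earlier in main, so a failure here cannot be told apart from the first case. `"krb5_parse_name c1"` and `"krb5_pac_parse c1"` would match the existing `"krb5_pac_verify c1"` label.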
@@ -256,7 +342,7 @@ main(int argc, char **argv)
krb5_data_free(&data);
}
- ret = _krb5_pac_sign(context, pac, authtime, p,
+ ret = _krb5_pac_sign(context, pac, authtime, p,
&member_keyblock, &kdc_keyblock, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
diff --git a/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c
index e23bef9a9ee0..e18fd174a580 100644
--- a/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c
+++ b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,11 +34,9 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id: test_pkinit_dh2key.c 18809 2006-10-22 07:11:43Z lha $");
-
static void
test_dh2key(int i,
- krb5_context context,
+ krb5_context context,
const heim_octet_string *dh,
const heim_octet_string *c_n,
const heim_octet_string *k_n,
@@ -191,7 +189,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -208,7 +206,7 @@ main(int argc, char **argv)
errx (1, "krb5_init_context failed: %d", ret);
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
- test_dh2key(i, context, &tests[i].X, NULL, NULL,
+ test_dh2key(i, context, &tests[i].X, NULL, NULL,
tests[i].type, &tests[i].key);
}
diff --git a/crypto/heimdal/lib/krb5/test_plugin.c b/crypto/heimdal/lib/krb5/test_plugin.c
index 18e9fcd28674..4235442b999e 100644
--- a/crypto/heimdal/lib/krb5/test_plugin.c
+++ b/crypto/heimdal/lib/krb5/test_plugin.c
@@ -1,38 +1,37 @@
/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include <krb5_locl.h>
-RCSID("$Id: test_plugin.c 22024 2007-11-03 21:36:55Z lha $");
#include "locate_plugin.h"
static krb5_error_code
@@ -52,7 +51,7 @@ resolve_lookup(void *ctx,
enum locate_service_type service,
const char *realm,
int domain,
- int type,
+ int type,
int (*add)(void *,int,struct sockaddr *),
void *addctx)
{
@@ -97,7 +96,8 @@ main(int argc, char **argv)
if (ret)
errx(1, "krb5_init_contex");
- ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, "resolve", &resolve);
+ ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
+ KRB5_PLUGIN_LOCATE, &resolve);
if (ret)
krb5_err(context, 1, ret, "krb5_plugin_register");
@@ -110,7 +110,7 @@ main(int argc, char **argv)
if (ret)
krb5_err(context, 1, ret, "krb5_krbhst_init_flags");
-
+
while(krb5_krbhst_next_as_string(context, handle, host, sizeof(host)) == 0){
found++;
if (strcmp(host, "127.0.0.2") != 0)
diff --git a/crypto/heimdal/lib/krb5/test_prf.c b/crypto/heimdal/lib/krb5/test_prf.c
index 94fb67dffaee..26ba2a6ef49a 100644
--- a/crypto/heimdal/lib/krb5/test_prf.c
+++ b/crypto/heimdal/lib/krb5/test_prf.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
-RCSID("$Id: test_prf.c 20843 2007-06-03 14:23:20Z lha $");
-
#include <hex.h>
#include <err.h>
@@ -42,7 +40,7 @@ RCSID("$Id: test_prf.c 20843 2007-06-03 14:23:20Z lha $");
* key: string2key(aes256, "testkey", "testkey", default_params)
* input: unhex(1122334455667788)
* output: 58b594b8a61df6e9439b7baa991ff5c1
- *
+ *
* key: string2key(aes128, "testkey", "testkey", default_params)
* input: unhex(1122334455667788)
* output: ffa2f823aa7f83a8ce3c5fb730587129
@@ -93,7 +91,7 @@ main(int argc, char **argv)
krb5_data_free(&output2);
krb5_crypto_destroy(context, crypto);
-
+
krb5_free_keyblock_contents(context, &key);
krb5_free_context(context);
diff --git a/crypto/heimdal/lib/krb5/test_princ.c b/crypto/heimdal/lib/krb5/test_princ.c
index d1036c1b3b44..98e61e3d8bf8 100644
--- a/crypto/heimdal/lib/krb5/test_princ.c
+++ b/crypto/heimdal/lib/krb5/test_princ.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_princ.c 22071 2007-11-14 20:04:50Z lha $");
-
/*
* Check that a closed cc still keeps it data and that it's no longer
* there when it's destroyed.
@@ -67,7 +65,7 @@ test_princ(krb5_context context)
free(princ_unparsed);
- ret = krb5_unparse_name_flags(context, p,
+ ret = krb5_unparse_name_flags(context, p,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
if (ret)
@@ -76,10 +74,11 @@ test_princ(krb5_context context)
if (strcmp(princ_short, princ_unparsed))
krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
free(princ_unparsed);
-
+
realm = krb5_principal_get_realm(context, p);
- asprintf(&princ_reformed, "%s@%s", princ_short, realm);
+ if (asprintf(&princ_reformed, "%s@%s", princ_short, realm) < 0 || princ_reformed == NULL)
+ errx(1, "malloc");
ret = krb5_parse_name(context, princ_reformed, &p2);
free(princ_reformed);
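Review bot: The added allocation check reports failure with `errx(1, "malloc")`, while every other failure in this function goes through `krb5_errx(context, 1, ...)`, and the message names a function that is not the one called. The `|| princ_reformed == NULL` half is redundant once the return value is tested. I would write `if (asprintf(&princ_reformed, "%s@%s", princ_short, realm) < 0)` followed by `krb5_errx(context, 1, "asprintf: out of memory");`, which also keeps the line within the file's width. test_princ starts and ends outside this hunk.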
@@ -88,7 +87,7 @@ test_princ(krb5_context context)
if (!krb5_principal_compare(context, p, p2)) {
krb5_errx(context, 1, "p != p2");
- }
+ }
krb5_free_principal(context, p2);
@@ -96,7 +95,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_unparse_name_flags(context, p,
+ ret = krb5_unparse_name_flags(context, p,
KRB5_PRINCIPAL_UNPARSE_SHORT,
&princ_unparsed);
if (ret)
@@ -181,20 +180,20 @@ test_princ(krb5_context context)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
- ret = krb5_parse_name_flags(context, princ,
+ ret = krb5_parse_name_flags(context, princ,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&p2);
if (!ret)
krb5_err(context, 1, ret, "Should have failed to parse %s a "
"short name", princ);
- ret = krb5_parse_name_flags(context, princ_short,
+ ret = krb5_parse_name_flags(context, princ_short,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_unparse_name_flags(context, p2,
+ ret = krb5_unparse_name_flags(context, p2,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
krb5_free_principal(context, p2);
@@ -205,23 +204,23 @@ test_princ(krb5_context context)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
- ret = krb5_parse_name_flags(context, princ_short,
- KRB5_PRINCIPAL_PARSE_MUST_REALM,
+ ret = krb5_parse_name_flags(context, princ_short,
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&p2);
if (!ret)
krb5_err(context, 1, ret, "Should have failed to parse %s "
"because it lacked a realm", princ_short);
ret = krb5_parse_name_flags(context, princ,
- KRB5_PRINCIPAL_PARSE_MUST_REALM,
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
-
+
if (!krb5_principal_compare(context, p, p2))
krb5_errx(context, 1, "p != p2");
- ret = krb5_unparse_name_flags(context, p2,
+ ret = krb5_unparse_name_flags(context, p2,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
krb5_free_principal(context, p2);
@@ -274,7 +273,7 @@ test_enterprise(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- ret = krb5_parse_name_flags(context, "lha@su.se@WIN.SU.SE",
+ ret = krb5_parse_name_flags(context, "lha@su.se@WIN.SU.SE",
KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name_flags");
@@ -293,7 +292,7 @@ test_enterprise(krb5_context context)
*
*/
- ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE",
+ ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE",
KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name_flags");
@@ -328,7 +327,7 @@ test_enterprise(krb5_context context)
*
*/
- ret = krb5_parse_name_flags(context, "lha@su.se",
+ ret = krb5_parse_name_flags(context, "lha@su.se",
KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name_flags");
diff --git a/crypto/heimdal/lib/krb5/test_renew.c b/crypto/heimdal/lib/krb5/test_renew.c
index 5fa2de1b9fa0..40d373917aba 100644
--- a/crypto/heimdal/lib/krb5/test_renew.c
+++ b/crypto/heimdal/lib/krb5/test_renew.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -35,9 +35,6 @@
#include <err.h>
#include <getarg.h>
-RCSID("$Id$");
-
-
static int version_flag = 0;
static int help_flag = 0;
@@ -66,14 +63,14 @@ main(int argc, char **argv)
const char *in_tkt_service = NULL;
krb5_ccache id;
krb5_error_code ret;
- krb5_creds out;;
+ krb5_creds out;
int optidx = 0;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -109,7 +106,7 @@ main(int argc, char **argv)
in_tkt_service);
if(ret)
- krb5_err(context, 1, ret, "krb5_get_kdc_cred");
+ krb5_err(context, 1, ret, "krb5_get_renewed_creds");
if (krb5_principal_compare(context, out.client, client) != TRUE)
krb5_errx(context, 1, "return principal is not as expected");
diff --git a/crypto/heimdal/lib/krb5/test_store.c b/crypto/heimdal/lib/krb5/test_store.c
index 2ce6c8dac363..6b930775c0cc 100644
--- a/crypto/heimdal/lib/krb5/test_store.c
+++ b/crypto/heimdal/lib/krb5/test_store.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -33,8 +33,6 @@
#include "krb5_locl.h"
#include <getarg.h>
-RCSID("$Id: test_store.c 20192 2007-02-05 23:21:03Z lha $");
-
static void
test_int8(krb5_context context, krb5_storage *sp)
{
@@ -44,6 +42,8 @@ test_int8(krb5_context context, krb5_storage *sp)
0, 1, -1, 128, -127
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_int8(sp, val[i]);
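Review bot: The loop right after the added `krb5_storage_truncate(sp, 0);` is bounded by `sizeof(val[0])/sizeof(val)`, which is the element count inverted. For an array of more than one element it evaluates to 0, so the store/read round trip appears never to run. The same bound is in the test_int16, test_int32, test_uint8, test_uint16 and test_uint32 hunks, and because this commit now runs these functions against a second backend, neither backend is actually exercised. The bound should be `sizeof(val)/sizeof(val[0])`. The declaration of `val` and the rest of the loop lie outside the hunk, so the fix may surface failures that the dead loop was hiding, for example values that do not fit the element type. The return value of the new truncate call is also ignored.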
@@ -67,6 +67,8 @@ test_int16(krb5_context context, krb5_storage *sp)
0, 1, -1, 32768, -32767
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_int16(sp, val[i]);
@@ -90,6 +92,8 @@ test_int32(krb5_context context, krb5_storage *sp)
0, 1, -1, 2147483647, -2147483646
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_int32(sp, val[i]);
@@ -113,6 +117,8 @@ test_uint8(krb5_context context, krb5_storage *sp)
0, 1, 255
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_uint8(sp, val[i]);
@@ -136,6 +142,8 @@ test_uint16(krb5_context context, krb5_storage *sp)
0, 1, 65535
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_uint16(sp, val[i]);
@@ -159,6 +167,8 @@ test_uint32(krb5_context context, krb5_storage *sp)
0, 1, 4294967295UL
}, v;
+ krb5_storage_truncate(sp, 0);
+
for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
ret = krb5_store_uint32(sp, val[i]);
@@ -175,22 +185,54 @@ test_uint32(krb5_context context, krb5_storage *sp)
static void
-test_storage(krb5_context context)
+test_storage(krb5_context context, krb5_storage *sp)
{
- krb5_storage *sp;
-
- sp = krb5_storage_emem();
- if (sp == NULL)
- krb5_errx(context, 1, "krb5_storage_emem: no mem");
-
test_int8(context, sp);
test_int16(context, sp);
test_int32(context, sp);
test_uint8(context, sp);
test_uint16(context, sp);
test_uint32(context, sp);
+}
- krb5_storage_free(sp);
+
+static void
+test_truncate(krb5_context context, krb5_storage *sp, int fd)
+{
+ struct stat sb;
+
+ krb5_store_string(sp, "hej");
+ krb5_storage_truncate(sp, 2);
+
+ if (fstat(fd, &sb) != 0)
+ krb5_err(context, 1, errno, "fstat");
+ if (sb.st_size != 2)
+ krb5_errx(context, 1, "length not 2");
+
+ krb5_storage_truncate(sp, 1024);
+
+ if (fstat(fd, &sb) != 0)
+ krb5_err(context, 1, errno, "fstat");
+ if (sb.st_size != 1024)
+ krb5_errx(context, 1, "length not 2");
+}
+
+static void
+check_too_large(krb5_context context, krb5_storage *sp)
+{
+ uint32_t too_big_sizes[] = { INT_MAX, INT_MAX / 2, INT_MAX / 4, INT_MAX / 8 + 1};
+ krb5_error_code ret;
+ krb5_data data;
+ size_t n;
+
+ for (n = 0; n < sizeof(too_big_sizes) / sizeof(too_big_sizes); n++) {
+ krb5_storage_truncate(sp, 0);
+ krb5_store_uint32(sp, too_big_sizes[n]);
+ krb5_storage_seek(sp, 0, SEEK_SET);
+ ret = krb5_ret_data(sp, &data);
+ if (ret != HEIM_ERR_TOO_BIG)
+ errx(1, "not too big: %lu", (unsigned long)n);
+ }
}
/*
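Review bot: In check_too_large the loop bound `sizeof(too_big_sizes) / sizeof(too_big_sizes)` divides the array size by itself and is always 1, so only the `INT_MAX` entry is tested. The length check in `krb5_ret_data` is never probed with the smaller sizes. The bound should read `n < sizeof(too_big_sizes) / sizeof(too_big_sizes[0])`, and the failure message would be more useful printing `too_big_sizes[n]` instead of the index. In test_truncate the second size check compares against 1024 but reports `"length not 2"`; it should be `krb5_errx(context, 1, "length not 1024");`. The results of `krb5_store_string` and both `krb5_storage_truncate` calls in test_truncate are unchecked, so a failed write shows up only as a size mismatch.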
@@ -222,13 +264,15 @@ main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
- int optidx = 0;
+ int fd, optidx = 0;
+ krb5_storage *sp;
+ const char *fn = "test-store-data";
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -244,7 +288,48 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
- test_storage(context);
+ /*
+ * Test encoding/decoding of primotive types on diffrent backends
+ */
+
+ sp = krb5_storage_emem();
+ if (sp == NULL)
+ krb5_errx(context, 1, "krb5_storage_emem: no mem");
+
+ test_storage(context, sp);
+ check_too_large(context, sp);
+ krb5_storage_free(sp);
+
+
+ fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ if (fd < 0)
+ krb5_err(context, 1, errno, "open(%s)", fn);
+
+ sp = krb5_storage_from_fd(fd);
+ close(fd);
+ if (sp == NULL)
+ krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
+
+ test_storage(context, sp);
+ krb5_storage_free(sp);
+ unlink(fn);
+
+ /*
+ * test truncate behavior
+ */
+
+ fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ if (fd < 0)
+ krb5_err(context, 1, errno, "open(%s)", fn);
+
+ sp = krb5_storage_from_fd(fd);
+ if (sp == NULL)
+ krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
+
+ test_truncate(context, sp, fd);
+ krb5_storage_free(sp);
+ close(fd);
+ unlink(fn);
krb5_free_context(context);
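Review bot: Both new `open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600)` calls use the fixed name `"test-store-data"` in the current directory, without `O_EXCL` or `O_NOFOLLOW`. If the test is run from a directory other users can write to, an existing file or symlink with that name gets truncated. Creating the file with `mkstemp()` on a template would avoid the predictable name, or the flags could be at least `O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW`. The file is also left behind when any `krb5_err`/`krb5_errx` between `open` and `unlink(fn)` fires. The first block closes `fd` immediately after `krb5_storage_from_fd(fd)`, which relies on the storage keeping its own descriptor; a one-line comment saying so would help. main continues outside this hunk.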
diff --git a/crypto/heimdal/lib/krb5/test_time.c b/crypto/heimdal/lib/krb5/test_time.c
index 02a0204477c7..5f6625c90906 100644
--- a/crypto/heimdal/lib/krb5/test_time.c
+++ b/crypto/heimdal/lib/krb5/test_time.c
@@ -1,18 +1,18 @@
/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
@@ -34,8 +34,6 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: test_time.c 18809 2006-10-22 07:11:43Z lha $");
-
static void
check_set_time(krb5_context context)
{
@@ -51,7 +49,7 @@ check_set_time(krb5_context context)
ret = krb5_set_real_time(context, tv.tv_sec + diff, tv.tv_usec);
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
-
+
ret = krb5_us_timeofday(context, &sec, &usec);
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 7eb4d32fad57..4845a93d9446 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -1,41 +1,53 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: ticket.c 19544 2006-12-28 20:49:18Z lha $");
+/**
+ * Free ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to free
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_ticket(krb5_context context,
krb5_ticket *ticket)
{
@@ -46,7 +58,20 @@ krb5_free_ticket(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param from ticket to copy
+ * @param to new copy of ticket, free with krb5_free_ticket()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_ticket(krb5_context context,
const krb5_ticket *from,
krb5_ticket **to)
@@ -57,7 +82,8 @@ krb5_copy_ticket(krb5_context context,
*to = NULL;
tmp = malloc(sizeof(*tmp));
if(tmp == NULL) {
- krb5_set_error_string (context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
@@ -81,7 +107,20 @@ krb5_copy_ticket(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return client principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param client client principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_client(krb5_context context,
const krb5_ticket *ticket,
krb5_principal *client)
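Review bot: The new doc comment for `krb5_ticket_get_client` describes `ticket` as "ticket to copy", which looks carried over from `krb5_copy_ticket`; the same wording is repeated in the comments added for `krb5_ticket_get_server` and `krb5_ticket_get_endtime` in the next two hunks. The visible bodies only read a field of the ticket, so `@param ticket ticket to read the client principal from` (and the server and end-time equivalents) would describe them. The function's opening brace and body lie outside this hunk.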
@@ -89,7 +128,20 @@ krb5_ticket_get_client(krb5_context context,
return krb5_copy_principal(context, ticket->client, client);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return server principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param server server principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_server(krb5_context context,
const krb5_ticket *ticket,
krb5_principal *server)
@@ -97,16 +149,44 @@ krb5_ticket_get_server(krb5_context context,
return krb5_copy_principal(context, ticket->server, server);
}
-time_t KRB5_LIB_FUNCTION
+/**
+ * Return end time of ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ *
+ * @return end time of ticket
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_ticket_get_endtime(krb5_context context,
const krb5_ticket *ticket)
{
return ticket->ticket.endtime;
}
+/**
+ * Get the flags from the Kerberos ticket
+ *
+ * @param context Kerberos context
+ * @param ticket Kerberos ticket
+ *
+ * @return ticket flags
+ *
+ * @ingroup krb5_ticket
+ */
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
+krb5_ticket_get_flags(krb5_context context,
+ const krb5_ticket *ticket)
+{
+ return TicketFlags2int(ticket->ticket.flags);
+}
+
static int
find_type_in_ad(krb5_context context,
- int type,
+ int type,
krb5_data *data,
krb5_boolean *found,
krb5_boolean failp,
@@ -115,12 +195,14 @@ find_type_in_ad(krb5_context context,
int level)
{
krb5_error_code ret = 0;
- int i;
+ size_t i;
if (level > 9) {
- krb5_set_error_string(context, "Authorization data nested deeper "
- "then %d levels, stop searching", level);
ret = ENOENT; /* XXX */
+ krb5_set_error_message(context, ret,
+ N_("Authorization data nested deeper "
+ "then %d levels, stop searching", ""),
+ level);
goto out;
}
@@ -133,7 +215,8 @@ find_type_in_ad(krb5_context context,
if (!*found && ad->val[i].ad_type == type) {
ret = der_copy_octet_string(&ad->val[i].ad_data, data);
if (ret) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
*found = TRUE;
@@ -147,8 +230,10 @@ find_type_in_ad(krb5_context context,
&child,
NULL);
if (ret) {
- krb5_set_error_string(context, "Failed to decode "
- "IF_RELEVANT with %d", ret);
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode "
+ "IF_RELEVANT with %d", ""),
+ (int)ret);
goto out;
}
ret = find_type_in_ad(context, type, data, found, FALSE,
@@ -167,8 +252,10 @@ find_type_in_ad(krb5_context context,
&child,
NULL);
if (ret) {
- krb5_set_error_string(context, "Failed to decode "
- "AD_KDCIssued with %d", ret);
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode "
+ "AD_KDCIssued with %d", ""),
+ ret);
goto out;
}
if (failp) {
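Review bot: The `AD_KDCIssued` decode failure passes `ret` to the `%d` conversion uncast, while the `IF_RELEVANT` failure in the previous hunk passes `(int)ret` for the same format. One form should be used in both places, e.g. `(int)ret);` here, so the argument type matches `%d` whatever the width of `krb5_error_code` is. `find_type_in_ad` starts and ends outside this hunk.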
@@ -176,11 +263,11 @@ find_type_in_ad(krb5_context context,
krb5_data buf;
size_t len;
- ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
+ ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
&child.elements, &len, ret);
if (ret) {
free_AD_KDCIssued(&child);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
goto out;
}
if(buf.length != len)
@@ -194,7 +281,7 @@ find_type_in_ad(krb5_context context,
goto out;
}
if (!valid) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
ret = ENOENT;
free_AD_KDCIssued(&child);
goto out;
@@ -211,17 +298,20 @@ find_type_in_ad(krb5_context context,
case KRB5_AUTHDATA_AND_OR:
if (!failp)
break;
- krb5_set_error_string(context, "Authorization data contains "
- "AND-OR element that is unknown to the "
- "application");
ret = ENOENT; /* XXX */
+ krb5_set_error_message(context, ret,
+ N_("Authorization data contains "
+ "AND-OR element that is unknown to the "
+ "application", ""));
goto out;
default:
if (!failp)
break;
- krb5_set_error_string(context, "Authorization data contains "
- "unknown type (%d) ", ad->val[i].ad_type);
ret = ENOENT; /* XXX */
+ krb5_set_error_message(context, ret,
+ N_("Authorization data contains "
+ "unknown type (%d) ", ""),
+ ad->val[i].ad_type);
goto out;
}
}
@@ -235,13 +325,20 @@ out:
return ret;
}
-/*
- * Extract the authorization data type of `type' from the
- * 'ticket'. Store the field in `data'. This function is to use for
- * kerberos applications.
+/**
+ * Extract the authorization data type of type from the ticket. Store
+ * the field in data. This function is to use for kerberos
+ * applications.
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket Kerberos ticket
+ * @param type type to fetch
+ * @param data returned data, free with krb5_data_free()
+ *
+ * @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_authorization_data_type(krb5_context context,
krb5_ticket *ticket,
int type,
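Review bot: The rewritten comment for `krb5_ticket_get_authorization_data_type` has no `@return` line, unlike the other doc comments this commit adds in the file. The later hunks show the function returning `ENOENT` both when the ticket has no authorization data and when no element of the requested type is found, which callers need to tell apart from decode failures. I would add `@return 0 on success, ENOENT if the ticket has no authorization data of the requested type, otherwise a Kerberos error code, see krb5_get_error_message().` The function body lies outside this hunk.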
@@ -255,7 +352,8 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
ad = ticket->ticket.authorization_data;
if (ticket->ticket.authorization_data == NULL) {
- krb5_set_error_string(context, "Ticket have not authorization data");
+ krb5_set_error_message(context, ENOENT,
+ N_("Ticket have not authorization data", ""));
return ENOENT; /* XXX */
}
@@ -264,9 +362,489 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
if (ret)
return ret;
if (!found) {
- krb5_set_error_string(context, "Ticket have not authorization "
- "data of type %d", type);
+ krb5_set_error_message(context, ENOENT,
+ N_("Ticket have not "
+ "authorization data of type %d", ""),
+ type);
return ENOENT; /* XXX */
}
return 0;
}
+
+static krb5_error_code
+check_server_referral(krb5_context context,
+ krb5_kdc_rep *rep,
+ unsigned flags,
+ krb5_const_principal requested,
+ krb5_const_principal returned,
+ krb5_keyblock * key)
+{
+ krb5_error_code ret;
+ PA_ServerReferralData ref;
+ krb5_crypto session;
+ EncryptedData ed;
+ size_t len;
+ krb5_data data;
+ PA_DATA *pa;
+ int i = 0, cmp;
+
+ if (rep->kdc_rep.padata == NULL)
+ goto noreferral;
+
+ pa = krb5_find_padata(rep->kdc_rep.padata->val,
+ rep->kdc_rep.padata->len,
+ KRB5_PADATA_SERVER_REFERRAL, &i);
+ if (pa == NULL)
+ goto noreferral;
+
+ memset(&ed, 0, sizeof(ed));
+ memset(&ref, 0, sizeof(ref));
+
+ ret = decode_EncryptedData(pa->padata_value.data,
+ pa->padata_value.length,
+ &ed, &len);
+ if (ret)
+ return ret;
+ if (len != pa->padata_value.length) {
+ free_EncryptedData(&ed);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("Referral EncryptedData wrong for realm %s",
+ "realm"), requested->realm);
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ ret = krb5_crypto_init(context, key, 0, &session);
+ if (ret) {
+ free_EncryptedData(&ed);
+ return ret;
+ }
+
+ ret = krb5_decrypt_EncryptedData(context, session,
+ KRB5_KU_PA_SERVER_REFERRAL,
+ &ed, &data);
+ free_EncryptedData(&ed);
+ krb5_crypto_destroy(context, session);
+ if (ret)
+ return ret;
+
+ ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
+ if (ret) {
+ krb5_data_free(&data);
+ return ret;
+ }
+ krb5_data_free(&data);
+
+ if (strcmp(requested->realm, returned->realm) != 0) {
+ free_PA_ServerReferralData(&ref);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("server ref realm mismatch, "
+ "requested realm %s got back %s", ""),
+ requested->realm, returned->realm);
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ if (krb5_principal_is_krbtgt(context, returned)) {
+ const char *realm = returned->name.name_string.val[1];
+
+ if (ref.referred_realm == NULL
+ || strcmp(*ref.referred_realm, realm) != 0)
+ {
+ free_PA_ServerReferralData(&ref);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("tgt returned with wrong ref", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ } else if (krb5_principal_compare(context, returned, requested) == 0) {
+ free_PA_ServerReferralData(&ref);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("req princ no same as returned", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ if (ref.requested_principal_name) {
+ cmp = _krb5_principal_compare_PrincipalName(context,
+ requested,
+ ref.requested_principal_name);
+ if (!cmp) {
+ free_PA_ServerReferralData(&ref);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("referred principal not same "
+ "as requested", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ } else if (flags & EXTRACT_TICKET_AS_REQ) {
+ free_PA_ServerReferralData(&ref);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("Requested principal missing on AS-REQ", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ free_PA_ServerReferralData(&ref);
+
+ return ret;
+noreferral:
+ /*
+ * Expect excact match or that we got a krbtgt
+ */
+ if (krb5_principal_compare(context, requested, returned) != TRUE &&
+ (krb5_realm_compare(context, requested, returned) != TRUE &&
+ krb5_principal_is_krbtgt(context, returned) != TRUE))
+ {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("Not same server principal returned "
+ "as requested", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ return 0;
+}
+
+
+/*
+ * Verify referral data
+ */
+
+
+static krb5_error_code
+check_client_referral(krb5_context context,
+ krb5_kdc_rep *rep,
+ krb5_const_principal requested,
+ krb5_const_principal mapped,
+ krb5_keyblock const * key)
+{
+ krb5_error_code ret;
+ PA_ClientCanonicalized canon;
+ krb5_crypto crypto;
+ krb5_data data;
+ PA_DATA *pa;
+ size_t len;
+ int i = 0;
+
+ if (rep->kdc_rep.padata == NULL)
+ goto noreferral;
+
+ pa = krb5_find_padata(rep->kdc_rep.padata->val,
+ rep->kdc_rep.padata->len,
+ KRB5_PADATA_CLIENT_CANONICALIZED, &i);
+ if (pa == NULL)
+ goto noreferral;
+
+ ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
+ pa->padata_value.length,
+ &canon, &len);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode ClientCanonicalized "
+ "from realm %s", ""), requested->realm);
+ return ret;
+ }
+
+ ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
+ &canon.names, &len, ret);
+ if (ret) {
+ free_PA_ClientCanonicalized(&canon);
+ return ret;
+ }
+ if (data.length != len)
+ krb5_abortx(context, "internal asn.1 error");
+
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret) {
+ free(data.data);
+ free_PA_ClientCanonicalized(&canon);
+ return ret;
+ }
+
+ ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
+ data.data, data.length,
+ &canon.canon_checksum);
+ krb5_crypto_destroy(context, crypto);
+ free(data.data);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to verify client canonicalized "
+ "data from realm %s", ""),
+ requested->realm);
+ free_PA_ClientCanonicalized(&canon);
+ return ret;
+ }
+
+ if (!_krb5_principal_compare_PrincipalName(context,
+ requested,
+ &canon.names.requested_name))
+ {
+ free_PA_ClientCanonicalized(&canon);
+ krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
+ N_("Requested name doesn't match"
+ " in client referral", ""));
+ return KRB5_PRINC_NOMATCH;
+ }
+ if (!_krb5_principal_compare_PrincipalName(context,
+ mapped,
+ &canon.names.mapped_name))
+ {
+ free_PA_ClientCanonicalized(&canon);
+ krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
+ N_("Mapped name doesn't match"
+ " in client referral", ""));
+ return KRB5_PRINC_NOMATCH;
+ }
+
+ return 0;
+
+noreferral:
+ if (krb5_principal_compare(context, requested, mapped) == FALSE) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("Not same client principal returned "
+ "as requested", ""));
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ return 0;
+}
+
+
+static krb5_error_code KRB5_CALLCONV
+decrypt_tkt (krb5_context context,
+ krb5_keyblock *key,
+ krb5_key_usage usage,
+ krb5_const_pointer decrypt_arg,
+ krb5_kdc_rep *dec_rep)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ size_t size;
+ krb5_crypto crypto;
+
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret)
+ return ret;
+
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ usage,
+ &dec_rep->kdc_rep.enc_part,
+ &data);
+ krb5_crypto_destroy(context, crypto);
+
+ if (ret)
+ return ret;
+
+ ret = decode_EncASRepPart(data.data,
+ data.length,
+ &dec_rep->enc_part,
+ &size);
+ if (ret)
+ ret = decode_EncTGSRepPart(data.data,
+ data.length,
+ &dec_rep->enc_part,
+ &size);
+ krb5_data_free (&data);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode encpart in ticket", ""));
+ return ret;
+ }
+ return 0;
+}
+
+int
+_krb5_extract_ticket(krb5_context context,
+ krb5_kdc_rep *rep,
+ krb5_creds *creds,
+ krb5_keyblock *key,
+ krb5_const_pointer keyseed,
+ krb5_key_usage key_usage,
+ krb5_addresses *addrs,
+ unsigned nonce,
+ unsigned flags,
+ krb5_decrypt_proc decrypt_proc,
+ krb5_const_pointer decryptarg)
+{
+ krb5_error_code ret;
+ krb5_principal tmp_principal;
+ size_t len = 0;
+ time_t tmp_time;
+ krb5_timestamp sec_now;
+
+ /* decrypt */
+
+ if (decrypt_proc == NULL)
+ decrypt_proc = decrypt_tkt;
+
+ ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+ if (ret)
+ goto out;
+
+ /* save session key */
+
+ creds->session.keyvalue.length = 0;
+ creds->session.keyvalue.data = NULL;
+ creds->session.keytype = rep->enc_part.key.keytype;
+ ret = krb5_data_copy (&creds->session.keyvalue,
+ rep->enc_part.key.keyvalue.data,
+ rep->enc_part.key.keyvalue.length);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
+
+ /* compare client and save */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+ rep->kdc_rep.cname,
+ rep->kdc_rep.crealm);
+ if (ret)
+ goto out;
+
+ /* check client referral and save principal */
+ /* anonymous here ? */
+ if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
+ ret = check_client_referral(context, rep,
+ creds->client,
+ tmp_principal,
+ &creds->session);
+ if (ret) {
+ krb5_free_principal (context, tmp_principal);
+ goto out;
+ }
+ }
+ krb5_free_principal (context, creds->client);
+ creds->client = tmp_principal;
+
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+ rep->kdc_rep.ticket.sname,
+ rep->kdc_rep.ticket.realm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+ ret = check_server_referral(context,
+ rep,
+ flags,
+ creds->server,
+ tmp_principal,
+ &creds->session);
+ if (ret) {
+ krb5_free_principal (context, tmp_principal);
+ goto out;
+ }
+ }
+ krb5_free_principal(context, creds->server);
+ creds->server = tmp_principal;
+
+ /* verify names */
+ if(flags & EXTRACT_TICKET_MATCH_REALM){
+ const char *srealm = krb5_principal_get_realm(context, creds->server);
+ const char *crealm = krb5_principal_get_realm(context, creds->client);
+
+ if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
+ strcmp(rep->enc_part.srealm, crealm) != 0)
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_clear_error_message(context);
+ goto out;
+ }
+ }
+
+ /* compare nonces */
+
+ if (nonce != (unsigned)rep->enc_part.nonce) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ goto out;
+ }
+
+ /* set kdc-offset */
+
+ krb5_timeofday (context, &sec_now);
+ if (rep->enc_part.flags.initial
+ && (flags & EXTRACT_TICKET_TIMESYNC)
+ && context->kdc_sec_offset == 0
+ && krb5_config_get_bool (context, NULL,
+ "libdefaults",
+ "kdc_timesync",
+ NULL)) {
+ context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
+ krb5_timeofday (context, &sec_now);
+ }
+
+ /* check all times */
+
+ if (rep->enc_part.starttime) {
+ tmp_time = *rep->enc_part.starttime;
+ } else
+ tmp_time = rep->enc_part.authtime;
+
+ if (creds->times.starttime == 0
+ && abs(tmp_time - sec_now) > context->max_skew) {
+ ret = KRB5KRB_AP_ERR_SKEW;
+ krb5_set_error_message (context, ret,
+ N_("time skew (%d) larger than max (%d)", ""),
+ abs(tmp_time - sec_now),
+ (int)context->max_skew);
+ goto out;
+ }
+
+ if (creds->times.starttime != 0
+ && tmp_time != creds->times.starttime) {
+ krb5_clear_error_message (context);
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto out;
+ }
+
+ creds->times.starttime = tmp_time;
+
+ if (rep->enc_part.renew_till) {
+ tmp_time = *rep->enc_part.renew_till;
+ } else
+ tmp_time = 0;
+
+ if (creds->times.renew_till != 0
+ && tmp_time > creds->times.renew_till) {
+ krb5_clear_error_message (context);
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto out;
+ }
+
+ creds->times.renew_till = tmp_time;
+
+ creds->times.authtime = rep->enc_part.authtime;
+
+ if (creds->times.endtime != 0
+ && rep->enc_part.endtime > creds->times.endtime) {
+ krb5_clear_error_message (context);
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto out;
+ }
+
+ creds->times.endtime = rep->enc_part.endtime;
+
+ if(rep->enc_part.caddr)
+ krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
+ else if(addrs)
+ krb5_copy_addresses (context, addrs, &creds->addresses);
+ else {
+ creds->addresses.len = 0;
+ creds->addresses.val = NULL;
+ }
+ creds->flags.b = rep->enc_part.flags;
+
+ creds->authdata.len = 0;
+ creds->authdata.val = NULL;
+
+ /* extract ticket */
+ ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
+ &rep->kdc_rep.ticket, &len, ret);
+ if(ret)
+ goto out;
+ if (creds->ticket.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+ creds->second_ticket.length = 0;
+ creds->second_ticket.data = NULL;
+
+
+out:
+ memset (rep->enc_part.key.keyvalue.data, 0,
+ rep->enc_part.key.keyvalue.length);
+ return ret;
+}
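Review bot: In `check_server_referral` the `noreferral` branch accepts more than its comment states: the condition rejects only when the principals differ, the realms differ and the returned name is not a krbtgt, so a returned server principal that merely shares the requested realm passes with no referral padata to vouch for it. If that is intended the comment should read `/* Expect exact match, same realm, or that we got a krbtgt */`; if not, the realm comparison should not be sufficient by itself. In `_krb5_extract_ticket` the nonce-mismatch path sets the message `"malloc: out of memory"` for `KRB5KRB_AP_ERR_MODIFIED`, which will mislead anyone triaging a modified or replayed reply; `N_("nonce mismatch in KDC reply", "")` would match the error. The hunk begins inside `krb5_ticket_get_authorization_data_type`, whose start is outside it.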
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
index 4cd992d48f27..247549ba2372 100644
--- a/crypto/heimdal/lib/krb5/time.c
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -1,62 +1,77 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: time.c 14308 2004-10-13 17:57:11Z lha $");
-
-/*
+/**
* Set the absolute time that the caller knows the kdc has so the
* kerberos library can calculate the relative diffrence beteen the
* KDC time and local system time.
+ *
+ * @param context Keberos 5 context.
+ * @param sec The applications new of "now" in seconds
+ * @param usec The applications new of "now" in micro seconds
+
+ * @return Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_real_time (krb5_context context,
krb5_timestamp sec,
int32_t usec)
{
struct timeval tv;
-
+
gettimeofday(&tv, NULL);
context->kdc_sec_offset = sec - tv.tv_sec;
- context->kdc_usec_offset = usec - tv.tv_usec;
- if (context->kdc_usec_offset < 0) {
- context->kdc_sec_offset--;
- context->kdc_usec_offset += 1000000;
- }
+ /**
+ * If the caller passes in a negative usec, its assumed to be
+ * unknown and the function will use the current time usec.
+ */
+ if (usec >= 0) {
+ context->kdc_usec_offset = usec - tv.tv_usec;
+
+ if (context->kdc_usec_offset < 0) {
+ context->kdc_sec_offset--;
+ context->kdc_usec_offset += 1000000;
+ }
+ } else
+ context->kdc_usec_offset = tv.tv_usec;
+
return 0;
}
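Review bot: In `krb5_set_real_time` the new `else` branch stores the absolute `tv.tv_usec` in `context->kdc_usec_offset`, whereas the `usec >= 0` branch stores a difference (`usec - tv.tv_usec`) in the same field. If a negative `usec` means "take the current microseconds", as the added comment says, the difference would be zero, so `context->kdc_usec_offset = 0;` looks like what is meant. How the field is consumed is not visible here, so this should be checked against `krb5_us_timeofday`. The doc comment also has typos (`Keberos`, "The applications new of "now"") and a blank line missing its leading ` *`.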
@@ -64,7 +79,7 @@ krb5_set_real_time (krb5_context context,
* return ``corrected'' time in `timeret'.
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_timeofday (krb5_context context,
krb5_timestamp *timeret)
{
@@ -76,7 +91,7 @@ krb5_timeofday (krb5_context context,
* like gettimeofday but with time correction to the KDC
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_us_timeofday (krb5_context context,
krb5_timestamp *sec,
int32_t *usec)
@@ -90,8 +105,8 @@ krb5_us_timeofday (krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_format_time(krb5_context context, time_t t,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_format_time(krb5_context context, time_t t,
char *s, size_t len, krb5_boolean include_time)
{
struct tm *tm;
@@ -105,7 +120,7 @@ krb5_format_time(krb5_context context, time_t t,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
{
if((*deltat = parse_time(string, "s")) == -1)
diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c
index 9b67ecc04f26..5e21987bca91 100644
--- a/crypto/heimdal/lib/krb5/transited.c
+++ b/crypto/heimdal/lib/krb5/transited.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: transited.c 21745 2007-07-31 16:11:25Z lha $");
-
/* this is an attempt at one of the most horrible `compression'
schemes that has ever been invented; it's so amazingly brain-dead
that words can not describe it, and all this just to save a few
@@ -57,16 +55,15 @@ free_realms(struct tr_realm *r)
r = r->next;
free(p->realm);
free(p);
- }
+ }
}
static int
make_path(krb5_context context, struct tr_realm *r,
const char *from, const char *to)
{
- const char *p;
- struct tr_realm *path = r->next;
struct tr_realm *tmp;
+ const char *p;
if(strlen(from) < strlen(to)){
const char *str;
@@ -74,71 +71,65 @@ make_path(krb5_context context, struct tr_realm *r,
from = to;
to = str;
}
-
+
if(strcmp(from + strlen(from) - strlen(to), to) == 0){
p = from;
while(1){
p = strchr(p, '.');
if(p == NULL) {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KDC_ERR_POLICY;
}
p++;
if(strcmp(p, to) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- tmp->next = path;
- path = tmp;
- path->realm = strdup(p);
- if(path->realm == NULL){
- r->next = path; /* XXX */
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;;
+ if(tmp == NULL)
+ return krb5_enomem(context);
+ tmp->next = r->next;
+ r->next = tmp;
+ tmp->realm = strdup(p);
+ if(tmp->realm == NULL){
+ r->next = tmp->next;
+ free(tmp);
+ return krb5_enomem(context);
}
}
}else if(strncmp(from, to, strlen(to)) == 0){
p = from + strlen(from);
while(1){
while(p >= from && *p != '/') p--;
- if(p == from) {
- r->next = path; /* XXX */
+ if(p == from)
return KRB5KDC_ERR_POLICY;
- }
+
if(strncmp(to, from, p - from) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
- tmp->next = path;
- path = tmp;
- path->realm = malloc(p - from + 1);
- if(path->realm == NULL){
- r->next = path; /* XXX */
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ if(tmp == NULL)
+ return krb5_enomem(context);
+ tmp->next = r->next;
+ r->next = tmp;
+ tmp->realm = malloc(p - from + 1);
+ if(tmp->realm == NULL){
+ r->next = tmp->next;
+ free(tmp);
+ return krb5_enomem(context);
}
- memcpy(path->realm, from, p - from);
- path->realm[p - from] = '\0';
+ memcpy(tmp->realm, from, p - from);
+ tmp->realm[p - from] = '\0';
p--;
}
} else {
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KDC_ERR_POLICY;
}
- r->next = path;
-
+
return 0;
}
static int
make_paths(krb5_context context,
- struct tr_realm *realms, const char *client_realm,
+ struct tr_realm *realms, const char *client_realm,
const char *server_realm)
{
struct tr_realm *r;
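Review bot: In the second branch of make_path, the backwards scan `while(p >= from && *p != '/') p--;` can leave `p` one element before `from` when `from` contains no '/', and the following `if(p == from)` test does not catch that case. `p - from` is then negative and is used as a length by `strncmp`, `malloc(p - from + 1)` and `memcpy`. Stopping the scan at the start of the string, `while(p > from && *p != '/') p--;`, keeps the existing `p == from` policy rejection and covers the no-slash case as well. Whether callers can reach this branch with such a realm pair is not visible here, and make_path begins above this hunk.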
@@ -186,8 +177,7 @@ expand_realms(krb5_context context,
tmp = realloc(r->realm, len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
r->realm = tmp;
strlcat(r->realm, prev_realm, len);
@@ -200,8 +190,7 @@ expand_realms(krb5_context context,
tmp = malloc(len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
strlcpy(tmp, prev_realm, len);
strlcat(tmp, r->realm, len);
@@ -285,17 +274,14 @@ decode_realms(krb5_context context,
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
- if(tmp == NULL){
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
start = tr + i + 1;
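Review bot: The first allocation failure in this part of decode_realms, `if(tmp == NULL) return krb5_enomem(context);`, returns without releasing the realms already appended to `*realms`, while the `make_realm` failure a few lines later calls `free_realms(*realms)`. The matching `tmp == NULL` path in the next hunk calls `free(*realms)`, which releases only the first list node and none of the realm strings. Both paths should call `free_realms(*realms);` before returning, so that running out of memory while parsing a transited field does not leak the partial list. decode_realms begins above this hunk, and whether `make_realm` frees `tmp` on failure cannot be seen from here.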
@@ -304,32 +290,30 @@ decode_realms(krb5_context context,
tmp = malloc(tr + i - start + 1);
if(tmp == NULL){
free(*realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
-
+
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_domain_x500_decode(krb5_context context,
- krb5_data tr, char ***realms, int *num_realms,
+ krb5_data tr, char ***realms, unsigned int *num_realms,
const char *client_realm, const char *server_realm)
{
struct tr_realm *r = NULL;
struct tr_realm *p, **q;
int ret;
-
+
if(tr.length == 0) {
*realms = NULL;
*num_realms = 0;
@@ -340,39 +324,37 @@ krb5_domain_x500_decode(krb5_context context,
ret = decode_realms(context, tr.data, tr.length, &r);
if(ret)
return ret;
-
+
/* apply prefix rule */
ret = expand_realms(context, r, client_realm);
if(ret)
return ret;
-
+
ret = make_paths(context, r, client_realm, server_realm);
if(ret)
return ret;
-
+
/* remove empty components and count realms */
- q = &r;
*num_realms = 0;
- for(p = r; p; ){
- if(p->realm[0] == '\0'){
+ for(q = &r; *q; ){
+ if((*q)->realm[0] == '\0'){
+ p = *q;
+ *q = (*q)->next;
free(p->realm);
- *q = p->next;
free(p);
- p = *q;
}else{
- q = &p->next;
- p = p->next;
+ q = &(*q)->next;
(*num_realms)++;
}
}
- if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+ if (*num_realms + 1 > UINT_MAX/sizeof(**realms))
return ERANGE;
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
if (R == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
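Review bot: The two error returns after the compaction loop, `return ERANGE;` and the `R == NULL` path, leave the `r` list and its realm strings allocated. Adding `free_realms(r);` before each return would match how expand_realms cleans up on failure in the earlier hunks. As far as the hunk shows, `*num_realms` has already been written on these paths while `*realms` has not, so resetting the count to 0 before returning would keep the two outputs consistent for a caller that ignores the error. Whether make_paths frees the list on its own failure is not visible, and the function continues below this hunk.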
@@ -384,12 +366,13 @@ krb5_domain_x500_decode(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_domain_x500_encode(char **realms, unsigned int num_realms,
+ krb5_data *encoding)
{
char *s = NULL;
int len = 0;
- int i;
+ unsigned int i;
krb5_data_zero(encoding);
if (num_realms == 0)
return 0;
@@ -404,7 +387,7 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
return ENOMEM;
*s = '\0';
for(i = 0; i < num_realms; i++){
- if(i && i < num_realms - 1)
+ if(i)
strlcat(s, ",", len + 1);
if(realms[i][0] == '/')
strlcat(s, " ", len + 1);
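Review bot: With `if(i)` a comma is now written before every realm after the first, so the buffer length computed above this hunk has to budget one byte per separator; that computation is not visible here. The `strlcat` return values are ignored, so an undersized `len` would silently truncate the encoded transited list rather than fail. Comparing each `strlcat` result with `len + 1` and returning an error after freeing `s` would surface a mismatch instead of emitting a shortened realm list.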
@@ -415,25 +398,25 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_check_transited(krb5_context context,
krb5_const_realm client_realm,
krb5_const_realm server_realm,
krb5_realm *realms,
- int num_realms,
+ unsigned int num_realms,
int *bad_realm)
{
char **tr_realms;
char **p;
- int i;
+ size_t i;
if(num_realms == 0)
return 0;
-
- tr_realms = krb5_config_get_strings(context, NULL,
- "capaths",
- client_realm,
- server_realm,
+
+ tr_realms = krb5_config_get_strings(context, NULL,
+ "capaths",
+ client_realm,
+ server_realm,
NULL);
for(i = 0; i < num_realms; i++) {
for(p = tr_realms; p && *p; p++) {
@@ -442,8 +425,10 @@ krb5_check_transited(krb5_context context,
}
if(p == NULL || *p == NULL) {
krb5_config_free_strings(tr_realms);
- krb5_set_error_string (context, "no transit through realm %s",
- realms[i]);
+ krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
+ N_("no transit allowed "
+ "through realm %s", ""),
+ realms[i]);
if(bad_realm)
*bad_realm = i;
return KRB5KRB_AP_ERR_ILL_CR_TKT;
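Review bot: `*bad_realm = i;` now stores a `size_t` index into an `int`, because the commit widened `i` but left the `bad_realm` out-parameter as `int *`. The value fits for any realistic realm count, but the implicit narrowing is flagged by `-Wconversion`; `*bad_realm = (int)i;` makes the intent explicit. The same assignment appears in krb5_check_transited_realms in the last transited.c hunk. The loop this line belongs to starts in the previous hunk.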
@@ -453,17 +438,17 @@ krb5_check_transited(krb5_context context,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_check_transited_realms(krb5_context context,
- const char *const *realms,
- int num_realms,
+ const char *const *realms,
+ unsigned int num_realms,
int *bad_realm)
{
- int i;
+ size_t i;
int ret = 0;
- char **bad_realms = krb5_config_get_strings(context, NULL,
- "libdefaults",
- "transited_realms_reject",
+ char **bad_realms = krb5_config_get_strings(context, NULL,
+ "libdefaults",
+ "transited_realms_reject",
NULL);
if(bad_realms == NULL)
return 0;
@@ -472,9 +457,11 @@ krb5_check_transited_realms(krb5_context context,
char **p;
for(p = bad_realms; *p; p++)
if(strcmp(*p, realms[i]) == 0) {
- krb5_set_error_string (context, "no transit through realm %s",
- *p);
ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ krb5_set_error_message (context, ret,
+ N_("no transit allowed "
+ "through realm %s", ""),
+ *p);
if(bad_realm)
*bad_realm = i;
break;
diff --git a/crypto/heimdal/lib/krb5/v4_glue.c b/crypto/heimdal/lib/krb5/v4_glue.c
deleted file mode 100644
index 37b1e35dd188..000000000000
--- a/crypto/heimdal/lib/krb5/v4_glue.c
+++ /dev/null
@@ -1,939 +0,0 @@
-/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-RCSID("$Id: v4_glue.c 22071 2007-11-14 20:04:50Z lha $");
-
-#include "krb5-v4compat.h"
-
-/*
- *
- */
-
-#define RCHECK(r,func,label) \
- do { (r) = func ; if (r) goto label; } while(0);
-
-
-/* include this here, to avoid dependencies on libkrb */
-
-static const int _tkt_lifetimes[TKTLIFENUMFIXED] = {
- 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318,
- 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684,
- 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720,
- 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116,
- 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904,
- 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303,
- 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
- 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
-};
-
-int KRB5_LIB_FUNCTION
-_krb5_krb_time_to_life(time_t start, time_t end)
-{
- int i;
- time_t life = end - start;
-
- if (life > MAXTKTLIFETIME || life <= 0)
- return 0;
-#if 0
- if (krb_no_long_lifetimes)
- return (life + 5*60 - 1)/(5*60);
-#endif
-
- if (end >= NEVERDATE)
- return TKTLIFENOEXPIRE;
- if (life < _tkt_lifetimes[0])
- return (life + 5*60 - 1)/(5*60);
- for (i=0; i<TKTLIFENUMFIXED; i++)
- if (life <= _tkt_lifetimes[i])
- return i + TKTLIFEMINFIXED;
- return 0;
-
-}
-
-time_t KRB5_LIB_FUNCTION
-_krb5_krb_life_to_time(int start, int life_)
-{
- unsigned char life = (unsigned char) life_;
-
-#if 0
- if (krb_no_long_lifetimes)
- return start + life*5*60;
-#endif
-
- if (life == TKTLIFENOEXPIRE)
- return NEVERDATE;
- if (life < TKTLIFEMINFIXED)
- return start + life*5*60;
- if (life > TKTLIFEMAXFIXED)
- return start + MAXTKTLIFETIME;
- return start + _tkt_lifetimes[life - TKTLIFEMINFIXED];
-}
-
-/*
- * Get the name of the krb4 credentials cache, will use `tkfile' as
- * the name if that is passed in. `cc' must be free()ed by caller,
- */
-
-static krb5_error_code
-get_krb4_cc_name(const char *tkfile, char **cc)
-{
-
- *cc = NULL;
- if(tkfile == NULL) {
- char *path;
- if(!issuid()) {
- path = getenv("KRBTKFILE");
- if (path)
- *cc = strdup(path);
- }
- if(*cc == NULL)
- if (asprintf(cc, "%s%u", TKT_ROOT, (unsigned)getuid()) < 0)
- return errno;
- } else {
- *cc = strdup(tkfile);
- if (*cc == NULL)
- return ENOMEM;
- }
- return 0;
-}
-
-/*
- * Write a Kerberos 4 ticket file
- */
-
-#define KRB5_TF_LCK_RETRY_COUNT 50
-#define KRB5_TF_LCK_RETRY 1
-
-static krb5_error_code
-write_v4_cc(krb5_context context, const char *tkfile,
- krb5_storage *sp, int append)
-{
- krb5_error_code ret;
- struct stat sb;
- krb5_data data;
- char *path;
- int fd, i;
-
- ret = get_krb4_cc_name(tkfile, &path);
- if (ret) {
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: failed getting "
- "the krb4 credentials cache name");
- return ret;
- }
-
- fd = open(path, O_WRONLY|O_CREAT, 0600);
- if (fd < 0) {
- ret = errno;
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: error opening file %s",
- path);
- free(path);
- return ret;
- }
-
- if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) {
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: tktfile %s is not a file",
- path);
- free(path);
- close(fd);
- return KRB5_FCC_PERM;
- }
-
- for (i = 0; i < KRB5_TF_LCK_RETRY_COUNT; i++) {
- if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
- sleep(KRB5_TF_LCK_RETRY);
- } else
- break;
- }
- if (i == KRB5_TF_LCK_RETRY_COUNT) {
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: failed to lock %s",
- path);
- free(path);
- close(fd);
- return KRB5_FCC_PERM;
- }
-
- if (!append) {
- ret = ftruncate(fd, 0);
- if (ret < 0) {
- flock(fd, LOCK_UN);
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: failed to truncate %s",
- path);
- free(path);
- close(fd);
- return KRB5_FCC_PERM;
- }
- }
- ret = lseek(fd, 0L, SEEK_END);
- if (ret < 0) {
- ret = errno;
- flock(fd, LOCK_UN);
- free(path);
- close(fd);
- return ret;
- }
-
- krb5_storage_to_data(sp, &data);
-
- ret = write(fd, data.data, data.length);
- if (ret != data.length)
- ret = KRB5_CC_IO;
-
- krb5_free_data_contents(context, &data);
-
- flock(fd, LOCK_UN);
- free(path);
- close(fd);
-
- return 0;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_tf_setup(krb5_context context,
- struct credentials *v4creds,
- const char *tkfile,
- int append)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- sp = krb5_storage_emem();
- if (sp == NULL)
- return ENOMEM;
-
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST);
- krb5_storage_set_eof_code(sp, KRB5_CC_IO);
-
- krb5_clear_error_string(context);
-
- if (!append) {
- RCHECK(ret, krb5_store_stringz(sp, v4creds->pname), error);
- RCHECK(ret, krb5_store_stringz(sp, v4creds->pinst), error);
- }
-
- /* cred */
- RCHECK(ret, krb5_store_stringz(sp, v4creds->service), error);
- RCHECK(ret, krb5_store_stringz(sp, v4creds->instance), error);
- RCHECK(ret, krb5_store_stringz(sp, v4creds->realm), error);
- ret = krb5_storage_write(sp, v4creds->session, 8);
- if (ret != 8) {
- ret = KRB5_CC_IO;
- goto error;
- }
- RCHECK(ret, krb5_store_int32(sp, v4creds->lifetime), error);
- RCHECK(ret, krb5_store_int32(sp, v4creds->kvno), error);
- RCHECK(ret, krb5_store_int32(sp, v4creds->ticket_st.length), error);
-
- ret = krb5_storage_write(sp, v4creds->ticket_st.dat,
- v4creds->ticket_st.length);
- if (ret != v4creds->ticket_st.length) {
- ret = KRB5_CC_IO;
- goto error;
- }
- RCHECK(ret, krb5_store_int32(sp, v4creds->issue_date), error);
-
- ret = write_v4_cc(context, tkfile, sp, append);
-
- error:
- krb5_storage_free(sp);
-
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_dest_tkt(krb5_context context, const char *tkfile)
-{
- krb5_error_code ret;
- char *path;
-
- ret = get_krb4_cc_name(tkfile, &path);
- if (ret) {
- krb5_set_error_string(context,
- "krb5_krb_tf_setup: failed getting "
- "the krb4 credentials cache name");
- return ret;
- }
-
- if (unlink(path) < 0) {
- ret = errno;
- krb5_set_error_string(context,
- "krb5_krb_dest_tkt failed removing the cache "
- "with error %s", strerror(ret));
- }
- free(path);
-
- return ret;
-}
-
-/*
- *
- */
-
-static krb5_error_code
-decrypt_etext(krb5_context context, const krb5_keyblock *key,
- const krb5_data *cdata, krb5_data *data)
-{
- krb5_error_code ret;
- krb5_crypto crypto;
-
- ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto);
- if (ret)
- return ret;
-
- ret = krb5_decrypt(context, crypto, 0, cdata->data, cdata->length, data);
- krb5_crypto_destroy(context, crypto);
-
- return ret;
-}
-
-
-/*
- *
- */
-
-static const char eightzeros[8] = "\x00\x00\x00\x00\x00\x00\x00\x00";
-
-static krb5_error_code
-storage_to_etext(krb5_context context,
- krb5_storage *sp,
- const krb5_keyblock *key,
- krb5_data *enc_data)
-{
- krb5_error_code ret;
- krb5_crypto crypto;
- krb5_ssize_t size;
- krb5_data data;
-
- /* multiple of eight bytes */
-
- size = krb5_storage_seek(sp, 0, SEEK_END);
- if (size < 0)
- return KRB4ET_RD_AP_UNDEC;
- size = 8 - (size & 7);
-
- ret = krb5_storage_write(sp, eightzeros, size);
- if (ret != size)
- return KRB4ET_RD_AP_UNDEC;
-
- ret = krb5_storage_to_data(sp, &data);
- if (ret)
- return ret;
-
- ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto);
- if (ret) {
- krb5_data_free(&data);
- return ret;
- }
-
- ret = krb5_encrypt(context, crypto, 0, data.data, data.length, enc_data);
-
- krb5_data_free(&data);
- krb5_crypto_destroy(context, crypto);
-
- return ret;
-}
-
-/*
- *
- */
-
-static krb5_error_code
-put_nir(krb5_storage *sp, const char *name,
- const char *instance, const char *realm)
-{
- krb5_error_code ret;
-
- RCHECK(ret, krb5_store_stringz(sp, name), error);
- RCHECK(ret, krb5_store_stringz(sp, instance), error);
- if (realm) {
- RCHECK(ret, krb5_store_stringz(sp, realm), error);
- }
- error:
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_ticket(krb5_context context,
- unsigned char flags,
- const char *pname,
- const char *pinstance,
- const char *prealm,
- int32_t paddress,
- const krb5_keyblock *session,
- int16_t life,
- int32_t life_sec,
- const char *sname,
- const char *sinstance,
- const krb5_keyblock *key,
- krb5_data *enc_data)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- krb5_data_zero(enc_data);
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- RCHECK(ret, krb5_store_int8(sp, flags), error);
- RCHECK(ret, put_nir(sp, pname, pinstance, prealm), error);
- RCHECK(ret, krb5_store_int32(sp, ntohl(paddress)), error);
-
- /* session key */
- ret = krb5_storage_write(sp,
- session->keyvalue.data,
- session->keyvalue.length);
- if (ret != session->keyvalue.length) {
- ret = KRB4ET_INTK_PROT;
- goto error;
- }
-
- RCHECK(ret, krb5_store_int8(sp, life), error);
- RCHECK(ret, krb5_store_int32(sp, life_sec), error);
- RCHECK(ret, put_nir(sp, sname, sinstance, NULL), error);
-
- ret = storage_to_etext(context, sp, key, enc_data);
-
- error:
- krb5_storage_free(sp);
- if (ret)
- krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
-
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_ciph(krb5_context context,
- const krb5_keyblock *session,
- const char *service,
- const char *instance,
- const char *realm,
- uint32_t life,
- unsigned char kvno,
- const krb5_data *ticket,
- uint32_t kdc_time,
- const krb5_keyblock *key,
- krb5_data *enc_data)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- krb5_data_zero(enc_data);
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- /* session key */
- ret = krb5_storage_write(sp,
- session->keyvalue.data,
- session->keyvalue.length);
- if (ret != session->keyvalue.length) {
- ret = KRB4ET_INTK_PROT;
- goto error;
- }
-
- RCHECK(ret, put_nir(sp, service, instance, realm), error);
- RCHECK(ret, krb5_store_int8(sp, life), error);
- RCHECK(ret, krb5_store_int8(sp, kvno), error);
- RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
- ret = krb5_storage_write(sp, ticket->data, ticket->length);
- if (ret != ticket->length) {
- ret = KRB4ET_INTK_PROT;
- goto error;
- }
- RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
-
- ret = storage_to_etext(context, sp, key, enc_data);
-
- error:
- krb5_storage_free(sp);
- if (ret)
- krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
-
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_create_auth_reply(krb5_context context,
- const char *pname,
- const char *pinst,
- const char *prealm,
- int32_t time_ws,
- int n,
- uint32_t x_date,
- unsigned char kvno,
- const krb5_data *cipher,
- krb5_data *data)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- krb5_data_zero(data);
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error);
- RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_KDC_REPLY), error);
- RCHECK(ret, put_nir(sp, pname, pinst, prealm), error);
- RCHECK(ret, krb5_store_int32(sp, time_ws), error);
- RCHECK(ret, krb5_store_int8(sp, n), error);
- RCHECK(ret, krb5_store_int32(sp, x_date), error);
- RCHECK(ret, krb5_store_int8(sp, kvno), error);
- RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
- ret = krb5_storage_write(sp, cipher->data, cipher->length);
- if (ret != cipher->length) {
- ret = KRB4ET_INTK_PROT;
- goto error;
- }
-
- ret = krb5_storage_to_data(sp, data);
-
- error:
- krb5_storage_free(sp);
- if (ret)
- krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
-
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_cr_err_reply(krb5_context context,
- const char *name,
- const char *inst,
- const char *realm,
- uint32_t time_ws,
- uint32_t e,
- const char *e_string,
- krb5_data *data)
-{
- krb5_error_code ret;
- krb5_storage *sp;
-
- krb5_data_zero(data);
-
- if (name == NULL) name = "";
- if (inst == NULL) inst = "";
- if (realm == NULL) realm = "";
- if (e_string == NULL) e_string = "";
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error);
- RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
- RCHECK(ret, put_nir(sp, name, inst, realm), error);
- RCHECK(ret, krb5_store_int32(sp, time_ws), error);
- /* If it is a Kerberos 4 error-code, remove the et BASE */
- if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
- e -= ERROR_TABLE_BASE_krb;
- RCHECK(ret, krb5_store_int32(sp, e), error);
- RCHECK(ret, krb5_store_stringz(sp, e_string), error);
-
- ret = krb5_storage_to_data(sp, data);
-
- error:
- krb5_storage_free(sp);
- if (ret)
- krb5_set_error_string(context, "Failed to encode kerberos 4 error");
-
- return 0;
-}
-
-static krb5_error_code
-get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
-{
- krb5_error_code ret;
-
- ret = krb5_ret_stringz(sp, str);
- if (ret)
- return ret;
- if (strlen(*str) > max_len) {
- free(*str);
- *str = NULL;
- return KRB4ET_INTK_PROT;
- }
- return 0;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_decomp_ticket(krb5_context context,
- const krb5_data *enc_ticket,
- const krb5_keyblock *key,
- const char *local_realm,
- char **sname,
- char **sinstance,
- struct _krb5_krb_auth_data *ad)
-{
- krb5_error_code ret;
- krb5_ssize_t size;
- krb5_storage *sp = NULL;
- krb5_data ticket;
- unsigned char des_key[8];
-
- memset(ad, 0, sizeof(*ad));
- krb5_data_zero(&ticket);
-
- *sname = NULL;
- *sinstance = NULL;
-
- RCHECK(ret, decrypt_etext(context, key, enc_ticket, &ticket), error);
-
- sp = krb5_storage_from_data(&ticket);
- if (sp == NULL) {
- krb5_data_free(&ticket);
- krb5_set_error_string(context, "alloc: out of memory");
- return ENOMEM;
- }
-
- krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
-
- RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
- RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
- RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error);
- RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error);
-
- size = krb5_storage_read(sp, des_key, sizeof(des_key));
- if (size != sizeof(des_key)) {
- ret = KRB4ET_INTK_PROT;
- goto error;
- }
-
- RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error);
-
- if (ad->k_flags & 1)
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
- else
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error);
-
- RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error);
- RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error);
-
- ret = krb5_keyblock_init(context, ETYPE_DES_PCBC_NONE,
- des_key, sizeof(des_key), &ad->session);
- if (ret)
- goto error;
-
- if (strlen(ad->prealm) == 0) {
- free(ad->prealm);
- ad->prealm = strdup(local_realm);
- if (ad->prealm == NULL) {
- ret = ENOMEM;
- goto error;
- }
- }
-
- error:
- memset(des_key, 0, sizeof(des_key));
- if (sp)
- krb5_storage_free(sp);
- krb5_data_free(&ticket);
- if (ret) {
- if (*sname) {
- free(*sname);
- *sname = NULL;
- }
- if (*sinstance) {
- free(*sinstance);
- *sinstance = NULL;
- }
- _krb5_krb_free_auth_data(context, ad);
- krb5_set_error_string(context, "Failed to decode v4 ticket");
- }
- return ret;
-}
-
-/*
- *
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_krb_rd_req(krb5_context context,
- krb5_data *authent,
- const char *service,
- const char *instance,
- const char *local_realm,
- int32_t from_addr,
- const krb5_keyblock *key,
- struct _krb5_krb_auth_data *ad)
-{
- krb5_error_code ret;
- krb5_storage *sp;
- krb5_data ticket, eaut, aut;
- krb5_ssize_t size;
- int little_endian;
- int8_t pvno;
- int8_t type;
- int8_t s_kvno;
- uint8_t ticket_length;
- uint8_t eaut_length;
- uint8_t time_5ms;
- char *realm = NULL;
- char *sname = NULL;
- char *sinstance = NULL;
- char *r_realm = NULL;
- char *r_name = NULL;
- char *r_instance = NULL;
-
- uint32_t r_time_sec; /* Coarse time from authenticator */
- unsigned long delta_t; /* Time in authenticator - local time */
- long tkt_age; /* Age of ticket */
-
- struct timeval tv;
-
- krb5_data_zero(&ticket);
- krb5_data_zero(&eaut);
- krb5_data_zero(&aut);
-
- sp = krb5_storage_from_data(authent);
- if (sp == NULL) {
- krb5_set_error_string(context, "alloc: out of memory");
- return ENOMEM;
- }
-
- krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
-
- ret = krb5_ret_int8(sp, &pvno);
- if (ret) {
- krb5_set_error_string(context, "Failed reading v4 pvno");
- goto error;
- }
-
- if (pvno != KRB_PROT_VERSION) {
- ret = KRB4ET_RD_AP_VERSION;
- krb5_set_error_string(context, "Failed v4 pvno not 4");
- goto error;
- }
-
- ret = krb5_ret_int8(sp, &type);
- if (ret) {
- krb5_set_error_string(context, "Failed readin v4 type");
- goto error;
- }
-
- little_endian = type & 1;
- type &= ~1;
-
- if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
- ret = KRB4ET_RD_AP_MSG_TYPE;
- krb5_set_error_string(context, "Not a valid v4 request type");
- goto error;
- }
-
- RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error);
- RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error);
- RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error);
- RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error);
-
- size = krb5_storage_read(sp, ticket.data, ticket.length);
- if (size != ticket.length) {
- ret = KRB4ET_INTK_PROT;
- krb5_set_error_string(context, "Failed reading v4 ticket");
- goto error;
- }
-
- /* Decrypt and take apart ticket */
- ret = _krb5_krb_decomp_ticket(context, &ticket, key, local_realm,
- &sname, &sinstance, ad);
- if (ret)
- goto error;
-
- RCHECK(ret, krb5_data_alloc(&eaut, eaut_length), error);
-
- size = krb5_storage_read(sp, eaut.data, eaut.length);
- if (size != eaut.length) {
- ret = KRB4ET_INTK_PROT;
- krb5_set_error_string(context, "Failed reading v4 authenticator");
- goto error;
- }
-
- krb5_storage_free(sp);
- sp = NULL;
-
- ret = decrypt_etext(context, &ad->session, &eaut, &aut);
- if (ret)
- goto error;
-
- sp = krb5_storage_from_data(&aut);
- if (sp == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "alloc: out of memory");
- goto error;
- }
-
- if (little_endian)
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
- else
- krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
-
- RCHECK(ret, get_v4_stringz(sp, &r_name, ANAME_SZ), error);
- RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error);
- RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error);
-
- RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error);
- RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error);
- RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error);
-
- if (strcmp(ad->pname, r_name) != 0 ||
- strcmp(ad->pinst, r_instance) != 0 ||
- strcmp(ad->prealm, r_realm) != 0) {
- krb5_set_error_string(context, "v4 principal mismatch");
- ret = KRB4ET_RD_AP_INCON;
- goto error;
- }
-
- if (from_addr && ad->address && from_addr != ad->address) {
- krb5_set_error_string(context, "v4 bad address in ticket");
- ret = KRB4ET_RD_AP_BADD;
- goto error;
- }
-
- gettimeofday(&tv, NULL);
- delta_t = abs((int)(tv.tv_sec - r_time_sec));
- if (delta_t > CLOCK_SKEW) {
- ret = KRB4ET_RD_AP_TIME;
- krb5_set_error_string(context, "v4 clock skew");
- goto error;
- }
-
- /* Now check for expiration of ticket */
-
- tkt_age = tv.tv_sec - ad->time_sec;
-
- if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
- ret = KRB4ET_RD_AP_NYV;
- krb5_set_error_string(context, "v4 clock skew for expiration");
- goto error;
- }
-
- if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
- ret = KRB4ET_RD_AP_EXP;
- krb5_set_error_string(context, "v4 ticket expired");
- goto error;
- }
-
- ret = 0;
- error:
- krb5_data_free(&ticket);
- krb5_data_free(&eaut);
- krb5_data_free(&aut);
- if (realm)
- free(realm);
- if (sname)
- free(sname);
- if (sinstance)
- free(sinstance);
- if (r_name)
- free(r_name);
- if (r_instance)
- free(r_instance);
- if (r_realm)
- free(r_realm);
- if (sp)
- krb5_storage_free(sp);
-
- if (ret)
- krb5_clear_error_string(context);
-
- return ret;
-}
-
-/*
- *
- */
-
-void KRB5_LIB_FUNCTION
-_krb5_krb_free_auth_data(krb5_context context, struct _krb5_krb_auth_data *ad)
-{
- if (ad->pname)
- free(ad->pname);
- if (ad->pinst)
- free(ad->pinst);
- if (ad->prealm)
- free(ad->prealm);
- krb5_free_keyblock_contents(context, &ad->session);
- memset(ad, 0, sizeof(*ad));
-}
diff --git a/crypto/heimdal/lib/krb5/verify_init.c b/crypto/heimdal/lib/krb5/verify_init.c
index 37db34669290..2e77b7e59d9c 100644
--- a/crypto/heimdal/lib/krb5/verify_init.c
+++ b/crypto/heimdal/lib/krb5/verify_init.c
@@ -1,47 +1,45 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: verify_init.c 15555 2005-07-06 00:48:16Z lha $");
-
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options)
{
memset (options, 0, sizeof(*options));
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
int ap_req_nofail)
{
@@ -69,7 +67,7 @@ fail_verify_is_ok (krb5_context context,
return TRUE;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_init_creds(krb5_context context,
krb5_creds *creds,
krb5_principal ap_req_server,
@@ -92,8 +90,8 @@ krb5_verify_init_creds(krb5_context context,
if (gethostname (local_hostname, sizeof(local_hostname)) < 0) {
ret = errno;
- krb5_set_error_string (context, "gethostname: %s",
- strerror(ret));
+ krb5_set_error_message (context, ret, "gethostname: %s",
+ strerror(ret));
return ret;
}
@@ -117,7 +115,8 @@ krb5_verify_init_creds(krb5_context context,
if (ccache && *ccache)
local_ccache = *ccache;
else {
- ret = krb5_cc_gen_new (context, &krb5_mcc_ops, &local_ccache);
+ ret = krb5_cc_new_unique(context, krb5_cc_type_memory,
+ NULL, &local_ccache);
if (ret)
goto cleanup;
ret = krb5_cc_initialize (context,
@@ -159,7 +158,7 @@ krb5_verify_init_creds(krb5_context context,
NULL,
creds,
&req);
-
+
krb5_auth_con_free (context, auth_context);
auth_context = NULL;
@@ -197,3 +196,48 @@ cleanup:
return ret;
}
+
+/**
+ * Validate the newly fetch credential, see also krb5_verify_init_creds().
+ *
+ * @param context a Kerberos 5 context
+ * @param creds the credentials to verify
+ * @param client the client name to match up
+ * @param ccache the credential cache to use
+ * @param service a service name to use, used with
+ * krb5_sname_to_principal() to build a hostname to use to
+ * verify.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_validated_creds(krb5_context context,
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_ccache ccache,
+ char *service)
+{
+ krb5_verify_init_creds_opt vopt;
+ krb5_principal server;
+ krb5_error_code ret;
+
+ if (krb5_principal_compare(context, creds->client, client) != TRUE) {
+ krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
+ N_("Validation credentials and client "
+ "doesn't match", ""));
+ return KRB5_PRINC_NOMATCH;
+ }
+
+ ret = krb5_sname_to_principal (context, NULL, service,
+ KRB5_NT_SRV_HST, &server);
+ if(ret)
+ return ret;
+
+ krb5_verify_init_creds_opt_init(&vopt);
+
+ ret = krb5_verify_init_creds(context, creds, server, NULL, NULL, &vopt);
+ krb5_free_principal(context, server);
+
+ return ret;
+}
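Review bot: The `ccache` argument of `krb5_get_validated_creds` is never used: the doc comment calls it "the credential cache to use", yet the call passes `NULL` for both the keytab and the ccache of `krb5_verify_init_creds`. Either pass it through with `ret = krb5_verify_init_creds(context, creds, server, NULL, &ccache, &vopt);` or drop the claim from the comment. Separately, `vopt` is only zero-initialised, so `ap_req_nofail` stays 0. Judging by the `fail_verify_is_ok` context earlier in this file (its body is outside the hunks shown), a host without a usable keytab key may then get a success return although the credentials were never checked against a local key, which the name "validated" does not suggest. If callers base login decisions on this, consider `krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);` or document the fallback in the comment, which also lacks an `@return` line.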
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
index 28f84aba41e0..fc580feaa2d5 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.8
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: verify_krb5_conf.8 14375 2004-12-08 17:52:41Z lha $
+.\" $Id$
.\"
.Dd December 8, 2004
.Dt VERIFY_KRB5_CONF 8
@@ -45,7 +45,7 @@
reads the configuration file
.Pa krb5.conf ,
or the file given on the command line,
-and parses it, thereby verifying that the syntax is not correctly wrong.
+parses it, checking verifying that the syntax is not correctly wrong.
.Pp
If the file is syntactically correct,
.Nm
@@ -79,7 +79,7 @@ versa, or just that
is confused.
.It <path>: unknown entry
Means that <string> is not known by
-.Nm "" .
+.Nm .
.El
.Sh SEE ALSO
.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
index b55fbd7a86b0..d554423a16d1 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -1,41 +1,40 @@
/*
- * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <getarg.h>
#include <parse_bytes.h>
#include <err.h>
-RCSID("$Id: verify_krb5_conf.c 22233 2007-12-08 21:43:37Z lha $");
/* verify krb5.conf */
@@ -45,9 +44,9 @@ static int help_flag = 0;
static int warn_mit_syntax_flag = 0;
static struct getargs args[] = {
- {"dumpconfig", 0, arg_flag, &dumpconfig_flag,
+ {"dumpconfig", 0, arg_flag, &dumpconfig_flag,
"show the parsed config files", NULL },
- {"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag,
+ {"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag,
"show the parsed config files", NULL },
{"version", 0, arg_flag, &version_flag,
"print version", NULL },
@@ -88,11 +87,17 @@ check_time(krb5_context context, const char *path, char *data)
static int
check_numeric(krb5_context context, const char *path, char *data)
{
- long int v;
+ long v;
char *end;
v = strtol(data, &end, 0);
+
+ if ((v == LONG_MIN || v == LONG_MAX) && errno != 0) {
+ krb5_warnx(context, "%s: over/under flow for \"%s\"",
+ path, data);
+ return 1;
+ }
if(*end != '\0') {
- krb5_warnx(context, "%s: failed to parse \"%s\" as a number",
+ krb5_warnx(context, "%s: failed to parse \"%s\" as a number",
path, data);
return 1;
}
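Review bot: `errno` is never cleared before the `strtol` call, so the new over/under-flow test depends on whatever `errno` held on entry and can fire on a stale value when the input is exactly `LONG_MAX` or `LONG_MIN`. Add `errno = 0;` on the line before `v = strtol(data, &end, 0);` and test `errno == ERANGE` instead of `errno != 0`. The `*end != '\0'` test also accepts an empty `data` as a number; `if(end == data || *end != '\0') {` would reject it. check_numeric's body continues outside the hunk.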
@@ -111,12 +116,12 @@ check_boolean(krb5_context context, const char *path, char *data)
return 0;
v = strtol(data, &end, 0);
if(*end != '\0') {
- krb5_warnx(context, "%s: failed to parse \"%s\" as a boolean",
+ krb5_warnx(context, "%s: failed to parse \"%s\" as a boolean",
path, data);
return 1;
}
if(v != 0 && v != 1)
- krb5_warnx(context, "%s: numeric value \"%s\" is treated as \"true\"",
+ krb5_warnx(context, "%s: numeric value \"%s\" is treated as \"true\"",
path, data);
return 0;
}
@@ -130,7 +135,7 @@ check_524(krb5_context context, const char *path, char *data)
strcasecmp(data, "local") == 0)
return 0;
- krb5_warnx(context, "%s: didn't contain a valid option `%s'",
+ krb5_warnx(context, "%s: didn't contain a valid option `%s'",
path, data);
return 1;
}
@@ -155,7 +160,7 @@ check_host(krb5_context context, const char *path, char *data)
hints.ai_canonname = NULL;
hints.ai_addr = NULL;
hints.ai_next = NULL;
-
+
/* XXX data could be a list of hosts that this code can't handle */
/* XXX copied from krbhst.c */
if(strncmp(p, "http://", 7) == 0){
@@ -191,7 +196,7 @@ check_host(krb5_context context, const char *path, char *data)
char *end;
int tmp = strtol(p, &end, 0);
if(end == p) {
- krb5_warnx(context, "%s: failed to parse port number in %s",
+ krb5_warnx(context, "%s: failed to parse port number in %s",
path, data);
return 1;
}
@@ -304,7 +309,7 @@ check_log(krb5_context context, const char *path, char *data)
}
p++;
}
- if(strcmp(p, "STDERR") == 0 ||
+ if(strcmp(p, "STDERR") == 0 ||
strcmp(p, "CONSOLE") == 0 ||
(strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')) ||
(strncmp(p, "DEVICE", 6) == 0 && p[6] == '='))
@@ -323,12 +328,12 @@ check_log(krb5_context context, const char *path, char *data)
if(*facility == '\0')
strlcpy(facility, "AUTH", sizeof(facility));
if(find_value(severity, syslogvals) == -1) {
- krb5_warnx(context, "%s: unknown syslog facility \"%s\"",
+ krb5_warnx(context, "%s: unknown syslog facility \"%s\"",
path, facility);
ret++;
}
if(find_value(severity, syslogvals) == -1) {
- krb5_warnx(context, "%s: unknown syslog severity \"%s\"",
+ krb5_warnx(context, "%s: unknown syslog severity \"%s\"",
path, severity);
ret++;
}
@@ -344,6 +349,7 @@ struct entry {
const char *name;
int type;
void *check_data;
+ int deprecated;
};
struct entry all_strings[] = {
@@ -365,7 +371,8 @@ struct entry v4_name_convert_entries[] = {
struct entry libdefaults_entries[] = {
{ "accept_null_addresses", krb5_config_string, check_boolean },
- { "capath", krb5_config_list, all_strings },
+ { "allow_weak_crypto", krb5_config_string, check_boolean },
+ { "capath", krb5_config_list, all_strings, 1 },
{ "check_pac", krb5_config_string, check_boolean },
{ "clockskew", krb5_config_string, check_time },
{ "date_format", krb5_config_string, NULL },
@@ -395,7 +402,7 @@ struct entry libdefaults_entries[] = {
{ "maxretries", krb5_config_string, check_numeric },
{ "scan_interfaces", krb5_config_string, check_boolean },
{ "srv_lookup", krb5_config_string, check_boolean },
- { "srv_try_txt", krb5_config_string, check_boolean },
+ { "srv_try_txt", krb5_config_string, check_boolean },
{ "ticket_lifetime", krb5_config_string, check_time },
{ "time_format", krb5_config_string, NULL },
{ "transited_realms_reject", krb5_config_string, NULL },
@@ -571,17 +578,19 @@ struct entry toplevel_sections[] = {
static int
-check_section(krb5_context context, const char *path, krb5_config_section *cf,
+check_section(krb5_context context, const char *path, krb5_config_section *cf,
struct entry *entries)
{
int error = 0;
krb5_config_section *p;
struct entry *e;
-
+
char *local;
-
+
for(p = cf; p != NULL; p = p->next) {
- asprintf(&local, "%s/%s", path, p->name);
+ local = NULL;
+ if (asprintf(&local, "%s/%s", path, p->name) < 0 || local == NULL)
+ errx(1, "out of memory");
for(e = entries; e->name != NULL; e++) {
if(*e->name == '\0' || strcmp(e->name, p->name) == 0) {
if(e->type != p->type) {
@@ -592,6 +601,10 @@ check_section(krb5_context context, const char *path, krb5_config_section *cf,
} else if(p->type == krb5_config_list && e->check_data != NULL) {
error |= check_section(context, local, p->u.list, e->check_data);
}
+ if(e->deprecated) {
+ krb5_warnx(context, "%s: is a deprecated entry", local);
+ error |= 1;
+ }
break;
}
}
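Review bot: Setting `error |= 1` for a deprecated entry makes an otherwise valid key fail the whole run, because `main` returns the result of `check_section` as the exit status (visible further down in this file). Anything that gates a configuration rollout on that exit status will start rejecting files that only use `capath`. If a warning is all that is intended, drop the `error |= 1;` line; if failing is intended, say so in the message, e.g. `"%s: is a deprecated entry (treated as an error)"`. The test also runs after a type mismatch has already been reported for the same entry, so one key can produce two messages. check_section starts and ends outside the hunk.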
@@ -646,7 +659,7 @@ main(int argc, char **argv)
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
-
+
if (help_flag)
usage (0);
@@ -671,6 +684,6 @@ main(int argc, char **argv)
if(dumpconfig_flag)
dumpconfig(0, tmp_cf);
-
+
return check_section(context, "", tmp_cf, toplevel_sections);
}
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
index 1edbaff7e23b..01562ef562a3 100644
--- a/crypto/heimdal/lib/krb5/verify_user.c
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -1,40 +1,38 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: verify_user.c 19078 2006-11-20 18:12:41Z lha $");
-
static krb5_error_code
verify_common (krb5_context context,
krb5_principal principal,
@@ -90,7 +88,7 @@ verify_common (krb5_context context,
* As a side effect, fresh tickets are obtained and stored in `ccache'.
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_init(krb5_verify_opt *opt)
{
memset(opt, 0, sizeof(*opt));
@@ -98,49 +96,50 @@ krb5_verify_opt_init(krb5_verify_opt *opt)
opt->service = "host";
}
-int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_verify_opt_alloc(krb5_context context, krb5_verify_opt **opt)
{
*opt = calloc(1, sizeof(**opt));
if ((*opt) == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
krb5_verify_opt_init(*opt);
return 0;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_free(krb5_verify_opt *opt)
{
free(opt);
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
{
opt->ccache = ccache;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
{
opt->keytab = keytab;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
{
opt->secure = secure;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
{
opt->service = service;
}
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
{
opt->flags |= flags;
@@ -160,8 +159,8 @@ verify_user_opt_int(krb5_context context,
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
return ret;
- krb5_get_init_creds_opt_set_default_flags(context, NULL,
- krb5_principal_get_realm(context, principal),
+ krb5_get_init_creds_opt_set_default_flags(context, NULL,
+ krb5_principal_get_realm(context, principal),
opt);
ret = krb5_get_init_creds_password (context,
&cred,
@@ -176,13 +175,13 @@ verify_user_opt_int(krb5_context context,
if(ret)
return ret;
#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
- return verify_common (context, principal, OPT(ccache, NULL),
- OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
+ return verify_common (context, principal, OPT(ccache, NULL),
+ OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
OPT(service, "host"), cred);
#undef OPT
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_opt(krb5_context context,
krb5_principal principal,
const char *password,
@@ -196,18 +195,14 @@ krb5_verify_user_opt(krb5_context context,
if (ret)
return ret;
ret = KRB5_CONFIG_NODEFREALM;
-
+
for (r = realms; *r != NULL && ret != 0; ++r) {
- char *tmp = strdup (*r);
-
- if (tmp == NULL) {
+ ret = krb5_principal_set_realm(context, principal, *r);
+ if (ret) {
krb5_free_host_realm (context, realms);
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return ret;
}
- free (*krb5_princ_realm (context, principal));
- krb5_princ_set_realm (context, principal, &tmp);
-
+
ret = verify_user_opt_int(context, principal, password, opt);
}
krb5_free_host_realm (context, realms);
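Review bot: The loop overwrites the realm of the caller's `principal` on every iteration and leaves it set to the last realm tried, and nothing in the hunk documents that. A caller that goes on to use `principal` for an authorization or account lookup after the call then sees a different realm from the one it passed in. A comment above the loop would help, such as `/* NOTE: rewrites principal's realm in place; on return it holds the last realm tried */`, assuming `krb5_principal_set_realm` replaces the realm in place as the removed `krb5_princ_set_realm` code did. krb5_verify_user_opt starts and ends outside the hunk.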
@@ -220,8 +215,8 @@ krb5_verify_user_opt(krb5_context context,
/* compat function that calls above */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_verify_user(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_verify_user(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
const char *password,
@@ -229,13 +224,13 @@ krb5_verify_user(krb5_context context,
const char *service)
{
krb5_verify_opt opt;
-
+
krb5_verify_opt_init(&opt);
-
+
krb5_verify_opt_set_ccache(&opt, ccache);
krb5_verify_opt_set_secure(&opt, secure);
krb5_verify_opt_set_service(&opt, service);
-
+
return krb5_verify_user_opt(context, principal, password, &opt);
}
@@ -244,8 +239,8 @@ krb5_verify_user(krb5_context context,
* ignored and all the local realms are tried.
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_verify_user_lrealm(krb5_context context,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_verify_user_lrealm(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
const char *password,
@@ -253,13 +248,13 @@ krb5_verify_user_lrealm(krb5_context context,
const char *service)
{
krb5_verify_opt opt;
-
+
krb5_verify_opt_init(&opt);
-
+
krb5_verify_opt_set_ccache(&opt, ccache);
krb5_verify_opt_set_secure(&opt, secure);
krb5_verify_opt_set_service(&opt, service);
krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
-
+
return krb5_verify_user_opt(context, principal, password, &opt);
}
diff --git a/crypto/heimdal/lib/krb5/version-script.map b/crypto/heimdal/lib/krb5/version-script.map
index df8804a4e316..818e6e071cbd 100644
--- a/crypto/heimdal/lib/krb5/version-script.map
+++ b/crypto/heimdal/lib/krb5/version-script.map
@@ -1,6 +1,4 @@
-# $Id$
-
-HEIMDAL_KRB5_1.0 {
+HEIMDAL_KRB5_2.0 {
global:
krb524_convert_creds_kdc;
krb524_convert_creds_kdc_ccache;
@@ -22,6 +20,7 @@ HEIMDAL_KRB5_1.0 {
krb5_address_order;
krb5_address_prefixlen_boundary;
krb5_address_search;
+ krb5_allow_weak_crypto;
krb5_aname_to_localname;
krb5_anyaddr;
krb5_appdefault_boolean;
@@ -41,6 +40,7 @@ HEIMDAL_KRB5_1.0 {
krb5_auth_con_getlocalseqnumber;
krb5_auth_con_getlocalsubkey;
krb5_auth_con_getrcache;
+ krb5_auth_con_getremoteseqnumber;
krb5_auth_con_getremotesubkey;
krb5_auth_con_init;
krb5_auth_con_removeflags;
@@ -58,7 +58,6 @@ HEIMDAL_KRB5_1.0 {
krb5_auth_con_setuserkey;
krb5_auth_getremoteseqnumber;
krb5_build_ap_req;
- krb5_build_authenticator;
krb5_build_principal;
krb5_build_principal_ext;
krb5_build_principal_va;
@@ -88,13 +87,17 @@ HEIMDAL_KRB5_1.0 {
krb5_cc_clear_mcred;
krb5_cc_close;
krb5_cc_copy_cache;
- krb5_cc_copy_cache_match;
+ krb5_cc_copy_match_f;
krb5_cc_default;
krb5_cc_default_name;
krb5_cc_destroy;
krb5_cc_end_seq_get;
krb5_cc_gen_new;
+ krb5_cc_get_config;
+ krb5_cc_get_friendly_name;
krb5_cc_get_full_name;
+ krb5_cc_get_kdc_offset;
+ krb5_cc_get_lifetime;
krb5_cc_get_name;
krb5_cc_get_ops;
krb5_cc_get_prefix_ops;
@@ -102,6 +105,7 @@ HEIMDAL_KRB5_1.0 {
krb5_cc_get_type;
krb5_cc_get_version;
krb5_cc_initialize;
+ krb5_cc_last_change_time;
krb5_cc_move;
krb5_cc_new_unique;
krb5_cc_next_cred;
@@ -110,10 +114,15 @@ HEIMDAL_KRB5_1.0 {
krb5_cc_remove_cred;
krb5_cc_resolve;
krb5_cc_retrieve_cred;
+ krb5_cc_set_config;
krb5_cc_set_default_name;
krb5_cc_set_flags;
+ krb5_cc_set_kdc_offset;
krb5_cc_start_seq_get;
krb5_cc_store_cred;
+ krb5_cc_support_switch;
+ krb5_cc_switch;
+ krb5_cc_set_friendly_name;
krb5_change_password;
krb5_check_transited;
krb5_check_transited_realms;
@@ -122,19 +131,19 @@ HEIMDAL_KRB5_1.0 {
krb5_checksum_is_collision_proof;
krb5_checksum_is_keyed;
krb5_checksumsize;
+ krb5_cksumtype_to_enctype;
krb5_cksumtype_valid;
krb5_clear_error_string;
+ krb5_clear_error_message;
krb5_closelog;
krb5_compare_creds;
krb5_config_file_free;
krb5_config_free_strings;
- krb5_config_get;
krb5_config_get_bool;
krb5_config_get_bool_default;
krb5_config_get_int;
krb5_config_get_int_default;
krb5_config_get_list;
- krb5_config_get_next;
krb5_config_get_string;
krb5_config_get_string_default;
krb5_config_get_strings;
@@ -143,13 +152,11 @@ HEIMDAL_KRB5_1.0 {
krb5_config_parse_file;
krb5_config_parse_file_multi;
krb5_config_parse_string_multi;
- krb5_config_vget;
krb5_config_vget_bool;
krb5_config_vget_bool_default;
krb5_config_vget_int;
krb5_config_vget_int_default;
krb5_config_vget_list;
- krb5_config_vget_next;
krb5_config_vget_string;
krb5_config_vget_string_default;
krb5_config_vget_strings;
@@ -160,6 +167,7 @@ HEIMDAL_KRB5_1.0 {
krb5_copy_checksum;
krb5_copy_creds;
krb5_copy_creds_contents;
+ krb5_copy_context;
krb5_copy_data;
krb5_copy_host_realm;
krb5_copy_keyblock;
@@ -167,7 +175,9 @@ HEIMDAL_KRB5_1.0 {
krb5_copy_principal;
krb5_copy_ticket;
krb5_create_checksum;
+ krb5_create_checksum_iov;
krb5_crypto_destroy;
+ krb5_crypto_fx_cf2;
krb5_crypto_get_checksum_type;
krb5_crypto_getblocksize;
krb5_crypto_getconfoundersize;
@@ -177,7 +187,13 @@ HEIMDAL_KRB5_1.0 {
krb5_crypto_overhead;
krb5_crypto_prf;
krb5_crypto_prf_length;
+ krb5_crypto_length;
+ krb5_crypto_length_iov;
+ krb5_decrypt_iov_ivec;
+ krb5_encrypt_iov_ivec;
+ krb5_enomem;
krb5_data_alloc;
+ krb5_data_ct_cmp;
krb5_data_cmp;
krb5_data_copy;
krb5_data_free;
@@ -241,6 +257,7 @@ HEIMDAL_KRB5_1.0 {
krb5_encrypt;
krb5_encrypt_EncryptedData;
krb5_encrypt_ivec;
+ krb5_enctype_enable;
krb5_enctype_disable;
krb5_enctype_keybits;
krb5_enctype_keysize;
@@ -268,9 +285,11 @@ HEIMDAL_KRB5_1.0 {
krb5_free_creds_contents;
krb5_free_data;
krb5_free_data_contents;
+ krb5_free_default_realm;
krb5_free_error;
krb5_free_error_contents;
krb5_free_error_string;
+ krb5_free_error_message;
krb5_free_host_realm;
krb5_free_kdc_rep;
krb5_free_keyblock;
@@ -279,6 +298,7 @@ HEIMDAL_KRB5_1.0 {
krb5_free_principal;
krb5_free_salt;
krb5_free_ticket;
+ krb5_free_unparsed_name;
krb5_fwd_tgt_creds;
krb5_generate_random_block;
krb5_generate_random_keyblock;
@@ -314,6 +334,7 @@ HEIMDAL_KRB5_1.0 {
krb5_get_host_realm;
krb5_get_ignore_addresses;
krb5_get_in_cred;
+ krb5_cccol_last_change_time;
krb5_get_in_tkt;
krb5_get_in_tkt_with_keytab;
krb5_get_in_tkt_with_password;
@@ -336,6 +357,7 @@ HEIMDAL_KRB5_1.0 {
krb5_get_init_creds_opt_set_pac_request;
krb5_get_init_creds_opt_set_pkinit;
krb5_get_init_creds_opt_set_preauth_list;
+ krb5_get_init_creds_opt_set_process_last_req;
krb5_get_init_creds_opt_set_proxiable;
krb5_get_init_creds_opt_set_renew_life;
krb5_get_init_creds_opt_set_salt;
@@ -363,9 +385,11 @@ HEIMDAL_KRB5_1.0 {
krb5_hmac;
krb5_init_context;
krb5_init_ets;
- krb5_init_etype;
krb5_initlog;
+ krb5_is_config_principal;
krb5_is_thread_safe;
+ krb5_kcm_call;
+ krb5_kcm_storage_request;
krb5_kerberos_enctypes;
krb5_keyblock_get_enctype;
krb5_keyblock_init;
@@ -390,12 +414,14 @@ HEIMDAL_KRB5_1.0 {
krb5_kt_default;
krb5_kt_default_modify_name;
krb5_kt_default_name;
+ krb5_kt_destroy;
krb5_kt_end_seq_get;
krb5_kt_free_entry;
krb5_kt_get_entry;
krb5_kt_get_full_name;
krb5_kt_get_name;
krb5_kt_get_type;
+ krb5_kt_have_content;
krb5_kt_next_entry;
krb5_kt_read_service_key;
krb5_kt_register;
@@ -451,18 +477,23 @@ HEIMDAL_KRB5_1.0 {
krb5_parse_nametype;
krb5_passwd_result_to_string;
krb5_password_key_proc;
+ krb5_get_permitted_enctypes;
krb5_plugin_register;
krb5_prepend_config_files;
krb5_prepend_config_files_default;
+ krb5_prepend_error_message;
krb5_princ_realm;
krb5_princ_set_realm;
krb5_principal_compare;
krb5_principal_compare_any_realm;
krb5_principal_get_comp_string;
+ krb5_principal_get_num_comp;
krb5_principal_get_realm;
krb5_principal_get_type;
krb5_principal_match;
+ krb5_principal_set_realm;
krb5_principal_set_type;
+ krb5_principal_is_krbtgt;
krb5_print_address;
krb5_program_setup;
krb5_prompter_posix;
@@ -540,10 +571,13 @@ HEIMDAL_KRB5_1.0 {
krb5_set_default_in_tkt_etypes;
krb5_set_default_realm;
krb5_set_dns_canonicalize_hostname;
+ krb5_set_error_message;
krb5_set_error_string;
krb5_set_extra_addresses;
krb5_set_fcache_version;
+ krb5_set_home_dir_access;
krb5_set_ignore_addresses;
+ krb5_set_kdc_sec_offset;
krb5_set_max_time_skew;
krb5_set_password;
krb5_set_password_using_ccache;
@@ -565,13 +599,16 @@ HEIMDAL_KRB5_1.0 {
krb5_storage_from_mem;
krb5_storage_from_readonly_mem;
krb5_storage_get_byteorder;
+ krb5_storage_get_eof_code;
krb5_storage_is_flags;
krb5_storage_read;
krb5_storage_seek;
krb5_storage_set_byteorder;
krb5_storage_set_eof_code;
krb5_storage_set_flags;
+ krb5_storage_set_max_alloc;
krb5_storage_to_data;
+ krb5_storage_truncate;
krb5_storage_write;
krb5_store_address;
krb5_store_addrs;
@@ -620,6 +657,7 @@ HEIMDAL_KRB5_1.0 {
krb5_verify_ap_req;
krb5_verify_authenticator_checksum;
krb5_verify_checksum;
+ krb5_verify_checksum_iov;
krb5_verify_init_creds;
krb5_verify_init_creds_opt_init;
krb5_verify_init_creds_opt_set_ap_req_nofail;
@@ -638,6 +676,8 @@ HEIMDAL_KRB5_1.0 {
krb5_verrx;
krb5_vlog;
krb5_vlog_msg;
+ krb5_vprepend_error_message;
+ krb5_vset_error_message;
krb5_vset_error_string;
krb5_vwarn;
krb5_vwarnx;
@@ -647,6 +687,9 @@ HEIMDAL_KRB5_1.0 {
krb5_write_priv_message;
krb5_write_safe_message;
krb5_xfree;
+ krb5_cccol_cursor_new;
+ krb5_cccol_cursor_next;
+ krb5_cccol_cursor_free;
# com_err error tables
initialize_krb5_error_table_r;
@@ -662,22 +705,27 @@ HEIMDAL_KRB5_1.0 {
krb5_mcc_ops;
krb5_acc_ops;
krb5_fcc_ops;
+ krb5_scc_ops;
krb5_kcm_ops;
- krb4_fkt_ops;
krb5_wrfkt_ops;
krb5_mkt_ops;
- krb5_fkt_ops;
krb5_akf_ops;
- krb5_srvtab_fkt_ops;
krb5_any_ops;
heimdal_version;
heimdal_long_version;
krb5_config_file;
krb5_defkeyname;
+ krb5_cc_type_api;
+ krb5_cc_type_file;
+ krb5_cc_type_memory;
+ krb5_cc_type_kcm;
+ krb5_cc_type_scc;
# Shared with GSSAPI krb5
_krb5_crc_init_table;
_krb5_crc_update;
+ _krb5_get_krbtgt;
+ _krb5_build_authenticator;
# V4 compat glue
_krb5_krb_tf_setup;
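Review bot: `krb4_fkt_ops`, `krb5_fkt_ops` and `krb5_srvtab_fkt_ops` are dropped from the already published `HEIMDAL_KRB5_1.0` node here, and `_krb5_pk_allow_proxy_certificate` goes in the next hunk. Unless they are re-exported elsewhere in the map (not visible in these hunks) or the library's soname changes with this import, binaries linked against them may fail to resolve at load time. The new symbols throughout the map are also added to the same 1.0 node rather than to a new version node, so a program built against the new library would presumably hit a missing-symbol error on an older one instead of a clean version mismatch. Both are worth confirming as intended and recording in the commit message.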
@@ -694,24 +742,28 @@ HEIMDAL_KRB5_1.0 {
_krb5_krb_cr_err_reply;
# Shared with libkdc
- _krb5_principalname2krb5_principal;
- _krb5_principal2principalname;
- _krb5_s4u2self_to_checksumdata;
- _krb5_put_int;
+ _krb5_AES_string_to_default_iterator;
+ _krb5_dh_group_ok;
+ _krb5_get_host_realm_int;
_krb5_get_int;
- _krb5_pk_load_id;
+ _krb5_pac_sign;
_krb5_parse_moduli;
+ _krb5_pk_kdf;
+ _krb5_pk_load_id;
_krb5_pk_mk_ContentInfo;
- _krb5_dh_group_ok;
_krb5_pk_octetstring2key;
- _krb5_pk_allow_proxy_certificate;
- _krb5_pac_sign;
_krb5_plugin_find;
- _krb5_plugin_get_symbol;
- _krb5_plugin_get_next;
_krb5_plugin_free;
- _krb5_AES_string_to_default_iterator;
- _krb5_get_host_realm_int;
+ _krb5_plugin_get_next;
+ _krb5_plugin_get_symbol;
+ _krb5_principal2principalname;
+ _krb5_principalname2krb5_principal;
+ _krb5_put_int;
+ _krb5_s4u2self_to_checksumdata;
+
+ # kinit helper
+ krb5_get_init_creds_opt_set_pkinit_user_certs;
+ krb5_pk_enterprise_cert;
# testing
_krb5_aes_cts_encrypt;
diff --git a/crypto/heimdal/lib/krb5/version.c b/crypto/heimdal/lib/krb5/version.c
index f7ccff5bc882..302854de3f24 100644
--- a/crypto/heimdal/lib/krb5/version.c
+++ b/crypto/heimdal/lib/krb5/version.c
@@ -1,43 +1,39 @@
/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: version.c 7464 1999-12-02 17:05:13Z joda $");
-
/* this is just to get a version stamp in the library file */
-#define heimdal_version __heimdal_version
-#define heimdal_long_version __heimdal_long_version
#include "version.h"
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
index 85f143b8b4b6..cb3be76fccff 100644
--- a/crypto/heimdal/lib/krb5/warn.c
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -1,88 +1,81 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: warn.c 19086 2006-11-21 08:06:40Z lha $");
-
-static krb5_error_code _warnerr(krb5_context context, int do_errtext,
+static krb5_error_code _warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
__attribute__((__format__(__printf__, 5, 0)));
-
+
static krb5_error_code
-_warnerr(krb5_context context, int do_errtext,
+_warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
{
char xfmt[7] = "";
const char *args[2], **arg;
char *msg = NULL;
- char *err_str = NULL;
-
+ const char *err_str = NULL;
+ krb5_error_code ret;
+
args[0] = args[1] = NULL;
arg = args;
if(fmt){
strlcat(xfmt, "%s", sizeof(xfmt));
if(do_errtext)
strlcat(xfmt, ": ", sizeof(xfmt));
- vasprintf(&msg, fmt, ap);
- if(msg == NULL)
+ ret = vasprintf(&msg, fmt, ap);
+ if(ret < 0 || msg == NULL)
return ENOMEM;
*arg++ = msg;
}
if(context && do_errtext){
- const char *err_msg;
-
strlcat(xfmt, "%s", sizeof(xfmt));
- err_str = krb5_get_error_string(context);
+ err_str = krb5_get_error_message(context, code);
if (err_str != NULL) {
- *arg++ = err_str;
+ *arg = err_str;
} else {
- err_msg = krb5_get_err_text(context, code);
- if (err_msg)
- *arg++ = err_msg;
- else
- *arg++ = "<unknown error>";
+ *arg= "<unknown error>";
}
}
-
+
if(context && context->warn_dest)
krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
else
warnx(xfmt, args[0], args[1]);
free(msg);
- free(err_str);
+ krb5_free_error_message(context, err_str);
return 0;
}
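Review bot: `char xfmt[7]` in `_warnerr` is sized for exactly `"%s: %s"` plus the terminator, and nothing in the new code says so. Because `strlcat` truncates silently, a later extra piece would yield a format that no longer matches the two arguments passed to `krb5_log`/`warnx`. I would add `/* xfmt holds at most "%s: %s"; grow it with any new strlcat */` above the declaration. Separately, `ret` is declared `krb5_error_code` but only holds the `vasprintf` count, so a plain `int` local (`int n = vasprintf(&msg, fmt, ap);`) would say what it is.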
@@ -96,16 +89,38 @@ _warnerr(krb5_context context, int do_errtext,
#undef __attribute__
#define __attribute__(X)
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_vwarn(krb5_context context, krb5_error_code code,
+/**
+ * Log a warning to the log, default stderr, include the error from
+ * the last failure.
+ *
+ * @param context A Kerberos 5 context.
+ * @param code error code of the last error
+ * @param fmt message to print
+ * @param ap arguments
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_vwarn(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((format (printf, 3, 0)))
{
return _warnerr(context, 1, code, 1, fmt, ap);
}
+/**
+ * Log a warning to the log, default stderr, include the error from
+ * the last failure.
+ *
+ * @param context A Kerberos 5 context.
+ * @param code error code of the last error
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((format (printf, 3, 4)))
{
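Review bot: The new Doxygen blocks for `krb5_vwarn` and `krb5_warn` describe `fmt` only as "message to print" and give no `@return`, so a caller cannot tell that `fmt` is interpreted as a printf format or what the result means. I would word it `@param fmt printf-style format string; pass externally supplied text as an argument to "%s"` and add `@return 0 on success, ENOMEM if the message could not be formatted`, which is what `_warnerr` returns in the first hunk. The same applies to the blocks added for `krb5_vwarnx`/`krb5_warnx` in the next hunk and to the err/abort family after it. The `#define __attribute__(X)` at the top of this hunk appears to turn the format attributes on these definitions into no-ops, so compile-time checking presumably relies on prototypes declared elsewhere. The body of `krb5_warn` continues outside the hunk.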
@@ -113,14 +128,33 @@ krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Log a warning to the log, default stderr.
+ *
+ * @param context A Kerberos 5 context.
+ * @param fmt message to print
+ * @param ap arguments
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((format (printf, 2, 0)))
{
return _warnerr(context, 0, 0, 1, fmt, ap);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Log a warning to the log, default stderr.
+ *
+ * @param context A Kerberos 5 context.
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warnx(krb5_context context, const char *fmt, ...)
__attribute__ ((format (printf, 2, 3)))
{
@@ -128,83 +162,185 @@ krb5_warnx(krb5_context context, const char *fmt, ...)
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_verr(krb5_context context, int eval, krb5_error_code code,
+/**
+ * Log a warning to the log, default stderr, include bthe error from
+ * the last failure and then exit.
+ *
+ * @param context A Kerberos 5 context
+ * @param eval the exit code to exit with
+ * @param code error code of the last error
+ * @param fmt message to print
+ * @param ap arguments
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_verr(krb5_context context, int eval, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((noreturn, format (printf, 4, 0)))
{
_warnerr(context, 1, code, 0, fmt, ap);
exit(eval);
+ UNREACHABLE(return 0);
}
+/**
+ * Log a warning to the log, default stderr, include bthe error from
+ * the last failure and then exit.
+ *
+ * @param context A Kerberos 5 context
+ * @param eval the exit code to exit with
+ * @param code error code of the last error
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_err(krb5_context context, int eval, krb5_error_code code,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_err(krb5_context context, int eval, krb5_error_code code,
const char *fmt, ...)
__attribute__ ((noreturn, format (printf, 4, 5)))
{
FUNC(1, code, 0);
exit(eval);
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Log a warning to the log, default stderr, and then exit.
+ *
+ * @param context A Kerberos 5 context
+ * @param eval the exit code to exit with
+ * @param fmt message to print
+ * @param ap arguments
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
__attribute__ ((noreturn, format (printf, 3, 0)))
{
_warnerr(context, 0, 0, 0, fmt, ap);
exit(eval);
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Log a warning to the log, default stderr, and then exit.
+ *
+ * @param context A Kerberos 5 context
+ * @param eval the exit code to exit with
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_errx(krb5_context context, int eval, const char *fmt, ...)
__attribute__ ((noreturn, format (printf, 3, 4)))
{
FUNC(0, 0, 0);
exit(eval);
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_vabort(krb5_context context, krb5_error_code code,
+/**
+ * Log a warning to the log, default stderr, include bthe error from
+ * the last failure and then abort.
+ *
+ * @param context A Kerberos 5 context
+ * @param code error code of the last error
+ * @param fmt message to print
+ * @param ap arguments
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_vabort(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((noreturn, format (printf, 3, 0)))
{
_warnerr(context, 1, code, 0, fmt, ap);
abort();
+ UNREACHABLE(return 0);
}
+/**
+ * Log a warning to the log, default stderr, include the error from
+ * the last failure and then abort.
+ *
+ * @param context A Kerberos 5 context
+ * @param code error code of the last error
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((noreturn, format (printf, 3, 4)))
{
FUNC(1, code, 0);
abort();
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((noreturn, format (printf, 2, 0)))
{
_warnerr(context, 0, 0, 0, fmt, ap);
abort();
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Log a warning to the log, default stderr, and then abort.
+ *
+ * @param context A Kerberos 5 context
+ * @param code error code of the last error
+ * @param fmt message to print
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abortx(krb5_context context, const char *fmt, ...)
__attribute__ ((noreturn, format (printf, 2, 3)))
{
FUNC(0, 0, 0);
abort();
+ UNREACHABLE(return 0);
}
-krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Set the default logging facility.
+ *
+ * @param context A Kerberos 5 context
+ * @param fac Facility to use for logging.
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
{
context->warn_dest = fac;
return 0;
}
-krb5_log_facility * KRB5_LIB_FUNCTION
+/**
+ * Get the default logging facility.
+ *
+ * @param context A Kerberos 5 context
+ *
+ * @ingroup krb5_error
+ */
+
+KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
krb5_get_warn_dest(krb5_context context)
{
return context->warn_dest;
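Review bot: The comment added for `krb5_abortx` documents `@param code error code of the last error`, but the function takes only `context` and `fmt`, so that line should be dropped. `krb5_vabortx` is the one function in this family left without a comment; it could carry `Log a warning to the log, default stderr, and then abort.` with `context`, `fmt` and `ap` parameters. The word "bthe" in the blocks for `krb5_verr`, `krb5_err` and `krb5_vabort` should read "the". The closing brace of `krb5_get_warn_dest` is outside the hunk.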
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
index 1694a1075e41..84100461444a 100644
--- a/crypto/heimdal/lib/krb5/write_message.c
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -1,41 +1,39 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: write_message.c 17442 2006-05-05 09:31:15Z lha $");
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_message (krb5_context context,
krb5_pointer p_fd,
krb5_data *data)
@@ -49,13 +47,13 @@ krb5_write_message (krb5_context context,
if (krb5_net_write (context, p_fd, buf, 4) != 4
|| krb5_net_write (context, p_fd, data->data, len) != len) {
ret = errno;
- krb5_set_error_string (context, "write: %s", strerror(ret));
+ krb5_set_error_message (context, ret, "write: %s", strerror(ret));
return ret;
}
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_priv_message(krb5_context context,
krb5_auth_context ac,
krb5_pointer p_fd,
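Review bot: `ret = errno` is read after a short-count comparison, not after a call known to have failed. If `krb5_net_write` can ever return fewer bytes without setting errno (its implementation is not visible here), `ret` is 0 or stale and the function reports success for a message that was not fully sent. A fallback such as `ret = errno ? errno : EIO;` before `krb5_set_error_message` would keep the failure visible to the caller. The start of `krb5_write_message` (its declarations and the length encoding) is outside this hunk.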
@@ -72,7 +70,7 @@ krb5_write_priv_message(krb5_context context,
return ret;
}
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_write_safe_message(krb5_context context,
krb5_auth_context ac,
krb5_pointer p_fd,