From hartmans at MIT.EDU Wed Apr 1 14:25:02 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 1 Apr 2009 14:25:02 -0400 Subject: svn rev #22154: trunk/ doc/ src/config-files/ src/lib/krb5/krb/ Message-ID: <200904011825.n31IP2AN003439@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22154 Commit By: hartmans Log Message: ticket: 1624 Target_version: 1.7 tags: pullup Use the preferred checksum for non-DES keys in the kdc_req path and all the time in the ap_req checksum path. This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility. Changed Files: U trunk/doc/admin.texinfo U trunk/src/config-files/krb5.conf.M U trunk/src/lib/krb5/krb/mk_req_ext.c U trunk/src/lib/krb5/krb/send_tgs.c Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-03-31 23:51:48 UTC (rev 22153) +++ trunk/doc/admin.texinfo 2009-04-01 18:25:02 UTC (rev 22154) @@ -462,7 +462,8 @@ An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -The possible values and their meanings are as follows. +Note that the ap_req_checksum_type variable's value is ignored. The +kdc_req_checksum_type is only used for DES keys. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b Modified: trunk/src/config-files/krb5.conf.M =================================================================== --- trunk/src/config-files/krb5.conf.M 2009-03-31 23:51:48 UTC (rev 22153) +++ trunk/src/config-files/krb5.conf.M 2009-04-01 18:25:02 UTC (rev 22154) 
@@ -143,15 +143,11 @@ For compatability with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and -earlier. +earlier. This value is only used for DES keys; other keys use the +preferred checksum type for those keys. .IP ap_req_checksum_type -This allows you to set the checksum type used in the authenticator of -KRB_AP_REQ messages. The default value for this type is -CKSUMTYPE_RSA_MD5. For compatibility with applications linked against -DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use -the CKSUMTYPE_RSA_MD4 -instead. +This obsolete variable is not used. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE Modified: trunk/src/lib/krb5/krb/mk_req_ext.c =================================================================== --- trunk/src/lib/krb5/krb/mk_req_ext.c 2009-03-31 23:51:48 UTC (rev 22153) +++ trunk/src/lib/krb5/krb/mk_req_ext.c 2009-04-01 18:25:02 UTC (rev 22154) @@ -205,8 +205,13 @@ checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) Modified: trunk/src/lib/krb5/krb/send_tgs.c =================================================================== --- trunk/src/lib/krb5/krb/send_tgs.c 2009-03-31 23:51:48 UTC (rev 22153) +++ trunk/src/lib/krb5/krb/send_tgs.c 2009-04-01 18:25:02 UTC (rev 22154) 
@@ -51,6 +51,7 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) { From hartmans at MIT.EDU Wed Apr 1 17:13:40 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 1 Apr 2009 17:13:40 -0400 Subject: svn rev #22158: branches/fast/src/kdc/ Message-ID: <200904012113.n31LDeSE014984@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22158 Commit By: hartmans Log Message: TGS error path can end up with null state if it fails too soon. In this case do not call into FAST. Changed Files: U branches/fast/src/kdc/do_tgs_req.c Modified: branches/fast/src/kdc/do_tgs_req.c =================================================================== --- branches/fast/src/kdc/do_tgs_req.c 2009-04-01 21:13:38 UTC (rev 22157) +++ branches/fast/src/kdc/do_tgs_req.c 2009-04-01 21:13:40 UTC (rev 22158) @@ -972,7 +972,7 @@ krb5_data **response, const char *status) { krb5_error errpkt; - krb5_error_code retval; + krb5_error_code retval = 0; krb5_data *scratch; errpkt.ctime = request->nonce; 
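Review bot: In send_tgs.c the new `goto cleanup` in the `default:` arm runs before `krb5_c_make_checksum` has filled in `checksum`, which is declared uninitialized, and the `cleanup` label is outside the hunk. It should be confirmed that cleanup does not release `checksum.contents` or any other local that is still unset on this path. The switch also needs a comment on why only the single-DES enctypes keep the configured type, e.g. `/* DES keys honor kdc_req_checksum_type for DCE compatibility; other enctypes use their mandatory checksum */`, and a closing `break;` on the `default:` arm.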
@@ -997,7 +997,8 @@ } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (state) + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); if (retval) { free(scratch); free(errpkt.text.data); From hartmans at MIT.EDU Wed Apr 1 17:13:31 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 1 Apr 2009 17:13:31 -0400 Subject: svn rev #22155: branches/fast/src/ include/ lib/krb5/asn.1/ Message-ID: <200904012113.n31LDVUk014857@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22155 Commit By: hartmans Log Message: fast_options is a KerberosFlags not an int32 Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-04-01 18:25:02 UTC (rev 22154) +++ branches/fast/src/include/k5-int.h 2009-04-01 21:13:31 UTC (rev 22155) @@ -982,7 +982,7 @@ typedef struct _krb5_fast_req { krb5_magic magic; - krb5_int32 fast_options; + krb5_flags fast_options; /* padata from req_body is used*/ krb5_kdc_req *req_body; } krb5_fast_req; Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-01 18:25:02 UTC (rev 22154) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-01 21:13:31 UTC (rev 22155) 
@@ -1211,7 +1211,7 @@ DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); static const struct field_info fast_req_fields[] = { - FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM(krb5_fast_req, krb5_flags, fast_options, 0), FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), }; Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-04-01 18:25:02 UTC (rev 22154) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-04-01 21:13:31 UTC (rev 22155) @@ -1114,7 +1114,7 @@ alloc_field(rep->req_body); clear_field(rep, req_body->padata); {begin_structure(); - get_field(rep->fast_options, 0, asn1_decode_int32); + get_field(rep->fast_options, 0, asn1_decode_krb5_flags); opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); end_structure(); } From hartmans at MIT.EDU Wed Apr 1 17:13:35 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 1 Apr 2009 17:13:35 -0400 Subject: svn rev #22156: branches/fast/src/ kdc/ lib/krb5/krb/ plugins/preauth/encrypted_challenge/ Message-ID: <200904012113.n31LDZpE014910@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22156 Commit By: hartmans Log Message: Fix memory management errors detected through static analysis; thanks Greg Hudson. Changed Files: U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.c U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/get_in_tkt.c U branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/kdc/do_as_req.c 2009-04-01 21:13:34 UTC (rev 22156) @@ -760,7 +760,7 @@ if (pa == NULL) retval = ENOMEM; else for (size = 0; td[size]; size++) { - krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); if (pad == NULL) { retval = ENOMEM; break; Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/kdc/fast_util.c 2009-04-01 21:13:34 UTC (rev 22156) @@ -50,7 +50,7 @@ krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; - assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST); + assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) 
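Review bot: In do_as_req.c the corrected `malloc(sizeof(krb5_pa_data ))` still spells the type by hand, which is how the pointer-sized allocation got in originally. Writing `krb5_pa_data *pad = malloc(sizeof(*pad));` ties the size to the variable so the two cannot drift apart again. The loop body continues outside the hunk.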
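Review bot: In fast_util.c, with the comparison fixed, `assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);` now aborts the KDC process when the armor type differs, and does nothing at all in an NDEBUG build. If `armor` is decoded from the client's request (the caller is outside the hunk), an unexpected type should be refused with an error rather than an assertion, for example `if (armor->armor_type != KRB5_FAST_ARMOR_AP_REQUEST) return KRB5KDC_ERR_PREAUTH_FAILED;`. As far as the hunk shows, nothing has been allocated at that point, but the function's earlier lines are not visible.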
@@ -270,7 +270,7 @@ krb5_fast_response fast_response; krb5_data *encoded_ticket = NULL; krb5_data *encrypted_reply = NULL; - krb5_pa_data *pa = NULL, **pa_array; + krb5_pa_data *pa = NULL, **pa_array = NULL; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; @@ -309,11 +309,14 @@ pa_array[0] = &pa[0]; rep->padata = pa_array; pa_array = NULL; + free(encrypted_reply); encrypted_reply = NULL; pa = NULL; } if (pa) free(pa); + if (pa_array) + free(pa_array); if (encrypted_reply) krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) Modified: branches/fast/src/kdc/kdc_util.c =================================================================== --- branches/fast/src/kdc/kdc_util.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/kdc/kdc_util.c 2009-04-01 21:13:34 UTC (rev 22156) @@ -347,13 +347,13 @@ authenticator->authorization_data, KRB5_AUTHDATA_FX_ARMOR, &authdata); if (retval != 0) - goto cleanup_auth_context; + goto cleanup_authenticator; if (authdata&& authdata[0]) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, "ticket valid only as FAST armor"); retval = KRB5KDC_ERR_POLICY; krb5_free_authdata(kdc_context, authdata); - goto cleanup_auth_context; + goto cleanup_authenticator; } krb5_free_authdata(kdc_context, authdata); Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-04-01 21:13:34 UTC (rev 22156) 
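Review bot: In the second fast_util.c hunk the success path calls plain `free(encrypted_reply)` while the cleanup path uses `krb5_free_data(kdc_context, encrypted_reply)`, and nothing explains the difference. Presumably `encrypted_reply->data` was handed to `pa[0]` above the hunk, so only the header may be freed here; that should be stated next to the call, e.g. `/* pa[0] now owns encrypted_reply->data; release only the krb5_data header */`. Without the comment the next static-analysis cleanup is likely to "fix" it into a double free.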
@@ -299,6 +299,8 @@ free(scratch.data); if (encrypted_response) krb5_free_enc_data(context, encrypted_response); + if (local_resp) + krb5_free_fast_response(context, local_resp); return retval; } Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-04-01 21:13:34 UTC (rev 22156) @@ -1340,8 +1340,6 @@ out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; - if (ret) - goto cleanup; ret = sort_krb5_padata_sequence(context, &request.server->realm, preauth_to_use); Modified: branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c =================================================================== --- branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-01 21:13:31 UTC (rev 22155) +++ branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-01 21:13:34 UTC (rev 22156) @@ -116,6 +116,7 @@ krb5_pa_data **pa_array = NULL; krb5_data *encoded_ts = NULL; krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; if (retval == 0) retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); if (retval == 0) @@ -300,8 +301,6 @@ } if (armor_key) krb5_free_keyblock(context, armor_key); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); if (plain.data) free(plain.data); if (enc) From hartmans at MIT.EDU Wed Apr 1 17:13:38 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 1 Apr 2009 17:13:38 -0400 Subject: svn rev #22157: branches/fast/src/kdc/ Message-ID: <200904012113.n31LDcqn014947@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22157 Commit By: hartmans Log Message: Initialize request state in the TGS path. Changed Files: U branches/fast/src/kdc/do_tgs_req.c Modified: branches/fast/src/kdc/do_tgs_req.c =================================================================== --- branches/fast/src/kdc/do_tgs_req.c 2009-04-01 21:13:34 UTC (rev 22156) +++ branches/fast/src/kdc/do_tgs_req.c 2009-04-01 21:13:38 UTC (rev 22157) @@ -164,6 +164,11 @@ status="UNEXPECTED NULL in header_ticket"; goto cleanup; } + errcode = kdc_make_rstate(&state); + if (errcode !=0) { + status = "making state"; + goto cleanup; + } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); From tlyu at MIT.EDU Thu Apr 2 19:30:28 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Thu, 2 Apr 2009 19:30:28 -0400 Subject: svn rev #22159: trunk/src/appl/bsd/ Message-ID: <200904022330.n32NUSJC013729@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22159 Commit By: tlyu Log Message: ticket: 1624 Fix krshd and krlogind to use krb5_c_verify_checksum. Changed Files: U trunk/src/appl/bsd/krlogind.c U trunk/src/appl/bsd/krshd.c Modified: trunk/src/appl/bsd/krlogind.c =================================================================== --- trunk/src/appl/bsd/krlogind.c 2009-04-01 21:13:40 UTC (rev 22158) +++ trunk/src/appl/bsd/krlogind.c 2009-04-02 23:30:28 UTC (rev 22159) 
@@ -1358,21 +1358,26 @@ if (authenticator->checksum) { struct sockaddr_in adr; socklen_t adr_length = sizeof(adr); - char * chksumbuf = NULL; + krb5_data chksumbuf; + krb5_boolean valid = 0; + + chksumbuf.data = NULL; if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; - if (asprintf(&chksumbuf, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) + if (asprintf(&chksumbuf.data, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; + error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; Modified: trunk/src/appl/bsd/krshd.c =================================================================== --- trunk/src/appl/bsd/krshd.c 2009-04-01 21:13:40 UTC (rev 22158) +++ trunk/src/appl/bsd/krshd.c 2009-04-02 23:30:28 UTC (rev 22159) @@ -1810,8 +1810,11 @@ struct sockaddr_storage adr; unsigned int adr_length = sizeof(adr); int e; - char namebuf[32], *chksumbuf = NULL; + char namebuf[32]; + krb5_boolean valid = 0; + krb5_data chksumbuf; + chksumbuf.data = NULL; if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; 
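Review bot: In krlogind.c both early exits, `if (getsockname(...) != 0) goto error_cleanup;` and the failed `asprintf`, reach `error_cleanup` without assigning `status`. If `status` is still 0 from the preceding call (its earlier value is outside the hunk), the `if (status)` test falls through and the authenticator is accepted with its checksum never verified. Assign an error before each jump, e.g. `status = errno;` for the getsockname exit and `status = ENOMEM;` for the asprintf exit. The krshd.c hunks of this commit have the same two exits and need the same change.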
@@ -1819,19 +1822,20 @@ namebuf, sizeof(namebuf), NI_NUMERICSERV); if (e) fatal(netfd, "local error: can't examine port number"); - if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) + if (asprintf(&chksumbuf.data, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; From hartmans at MIT.EDU Thu Apr 2 23:33:02 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:33:02 -0400 Subject: svn rev #22160: trunk/ doc/ src/appl/bsd/ src/config-files/ src/lib/krb5/krb/ Message-ID: <200904030333.n333X2ws027899@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22160 Commit By: hartmans Log Message: ticket: 1624 Unfortunately, pre-1.7 krshd fails to support keyed checksums because it uses the wrong API and wrong key usage. So, if the auth_context has an explicit checksum type set, then respect that. kcmd sets such a checksum type. Also, because other applications may have the same problem, allow the config file variable if set to override the default checksum. * kcmd.c: Force use of rsa_md5 * init_ctx.c: do not default to md5 * mk_req_ext.c: allow auth_context to override Changed Files: U trunk/doc/admin.texinfo U trunk/src/appl/bsd/kcmd.c U trunk/src/config-files/krb5.conf.M U trunk/src/lib/krb5/krb/init_ctx.c U trunk/src/lib/krb5/krb/mk_req_ext.c Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-04-02 23:30:28 UTC (rev 22159) +++ trunk/doc/admin.texinfo 2009-04-03 03:33:01 UTC (rev 22160) 
@@ -462,8 +462,8 @@ An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -Note that the ap_req_checksum_type variable's value is ignored. The -kdc_req_checksum_type is only used for DES keys. The possible values and their meanings are as follows. +The +kdc_req_checksum_type is only used for DES keys. The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset. If set, then the selected checksum is used regardless of the type of key being used. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b Modified: trunk/src/appl/bsd/kcmd.c =================================================================== --- trunk/src/appl/bsd/kcmd.c 2009-04-02 23:30:28 UTC (rev 22159) +++ trunk/src/appl/bsd/kcmd.c 2009-04-03 03:33:01 UTC (rev 22160) @@ -473,6 +473,8 @@ if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2; + if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 ) + goto bad2; if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2; Modified: trunk/src/config-files/krb5.conf.M =================================================================== --- trunk/src/config-files/krb5.conf.M 2009-04-02 23:30:28 UTC (rev 22159) +++ trunk/src/config-files/krb5.conf.M 2009-04-03 03:33:01 UTC (rev 22160) 
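Review bot: In kcmd.c the added `krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5)` pins every kcmd client to RSA-MD5 whatever the session key's enctype, and the code has no comment marking this as a deliberate compatibility choice. The reason is given only in the log message, so a comment such as `/* pre-1.7 krshd cannot verify keyed checksums (wrong API and key usage); force rsa-md5 for compatibility */` would keep a later change from removing it or copying it elsewhere. The `!=0 )` spacing also differs from the neighbouring calls, which test the return value directly.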
@@ -147,7 +147,7 @@ preferred checksum type for those keys. .IP ap_req_checksum_type -This obsolete variable is not used. +If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE Modified: trunk/src/lib/krb5/krb/init_ctx.c =================================================================== --- trunk/src/lib/krb5/krb/init_ctx.c 2009-04-02 23:30:28 UTC (rev 22159) +++ trunk/src/lib/krb5/krb/init_ctx.c 2009-04-03 03:33:01 UTC (rev 22160) @@ -208,7 +208,7 @@ ctx->kdc_req_sumtype = tmp; profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, &tmp); ctx->default_ap_req_sumtype = tmp; Modified: trunk/src/lib/krb5/krb/mk_req_ext.c =================================================================== --- trunk/src/lib/krb5/krb/mk_req_ext.c 2009-04-02 23:30:28 UTC (rev 22159) +++ trunk/src/lib/krb5/krb/mk_req_ext.c 2009-04-03 03:33:01 UTC (rev 22160) @@ -210,6 +210,8 @@ &cksumtype); if (retval) goto cleanup_cksum; + if ((*auth_context)->req_cksumtype) + cksumtype = (*auth_context)->req_cksumtype; if ((retval = krb5_c_make_checksum(context, cksumtype, (*auth_context)->keyblock, From hartmans at MIT.EDU Thu Apr 2 23:39:42 2009 
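Review bot: In mk_req_ext.c the override `if ((*auth_context)->req_cksumtype)` is applied only after `krb5int_c_mandatory_cksumtype` has succeeded, so a failure of that lookup still leaves through `goto cleanup_cksum` even when the caller chose a type explicitly. Checking `req_cksumtype` first, and doing the mandatory lookup only when it is zero, removes that dependency and makes the precedence readable. The comment should say that zero means "unset", which appears to be why init_ctx.c in this commit changes the profile default from CKSUMTYPE_RSA_MD5 to 0. The enclosing function begins and ends outside the hunk.

```c
krb5_cksumtype cksumtype = (*auth_context)->req_cksumtype;

/* 0 means the caller did not choose a type: use the key's mandatory one */
if (cksumtype == 0) {
    retval = krb5int_c_mandatory_cksumtype(context,
                                           (*auth_context)->keyblock->enctype,
                                           &cksumtype);
    if (retval)
        goto cleanup_cksum;
}
/* … unchanged: krb5_c_make_checksum call using cksumtype … */
```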
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:42 -0400 Subject: svn rev #22162: branches/fast/src/lib/crypto/ arcfour/ Message-ID: <200904030339.n333dg5W028286@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22162 Commit By: hartmans Log Message: Implement PRF for RC4 enctypes Changed Files: U branches/fast/src/lib/crypto/arcfour/arcfour.c U branches/fast/src/lib/crypto/arcfour/arcfour.h U branches/fast/src/lib/crypto/etypes.c Modified: branches/fast/src/lib/crypto/arcfour/arcfour.c =================================================================== --- branches/fast/src/lib/crypto/arcfour/arcfour.c 2009-04-03 03:39:38 UTC (rev 22161) +++ branches/fast/src/lib/crypto/arcfour/arcfour.c 2009-04-03 03:39:41 UTC (rev 22162) @@ -8,6 +8,8 @@ */ #include "k5-int.h" #include "arcfour-int.h" +#include "../hash_provider/hash_provider.h" + const char *const krb5int_arcfour_l40 = "fortybits"; void @@ -304,3 +306,12 @@ return (ret); } + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) + { + assert(out->length == 20); + return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out); + } Modified: branches/fast/src/lib/crypto/arcfour/arcfour.h =================================================================== --- branches/fast/src/lib/crypto/arcfour/arcfour.h 2009-04-03 03:39:38 UTC (rev 22161) +++ branches/fast/src/lib/crypto/arcfour/arcfour.h 2009-04-03 03:39:41 UTC (rev 22162) 
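Review bot: In arcfour.c, `assert(out->length == 20);` is the only length check in `krb5int_arcfour_prf`, so an NDEBUG build hands a buffer of any size to `krb5_hmac` and a debug build aborts the process instead of reporting an error. Library code should return an error here, e.g. `if (out->length != 20) return KRB5_CRYPTO_INTERNAL;`. The function also ignores its `enc` and `hash` arguments and always uses `krb5int_hash_sha1`; a one-line comment saying that is intentional, and that 20 is the SHA-1 output size matching the prf length set in etypes.c, would explain both.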
@@ -34,5 +34,10 @@ extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_aead_provider krb5int_aead_arcfour; + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); #endif /* ARCFOUR_H */ Modified: branches/fast/src/lib/crypto/etypes.c =================================================================== --- branches/fast/src/lib/crypto/etypes.c 2009-04-03 03:39:38 UTC (rev 22161) +++ branches/fast/src/lib/crypto/etypes.c 2009-04-03 03:39:41 UTC (rev 22162) @@ -119,10 +119,10 @@ "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, 0 /*flags*/ }, @@ -131,10 +131,10 @@ "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, 0 /*flags*/ }, From hartmans at MIT.EDU Thu Apr 2 23:39:50 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:50 -0400 Subject: svn rev #22163: branches/fast/src/kdc/ Message-ID: <200904030339.n333do3U028323@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22163 Commit By: hartmans Log Message: Implement KDC side cookie handling Return a constant cookie in errors to indicate that clients should continue their conversations. Changed Files: U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_preauth.c U branches/fast/src/kdc/kdc_util.h Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-04-03 03:39:41 UTC (rev 22162) +++ branches/fast/src/kdc/fast_util.c 2009-04-03 03:39:50 UTC (rev 22163) @@ -342,8 +342,8 @@ krb5_fast_response resp; krb5_error fx_error; krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; - krb5_pa_data pa[2]; - krb5_pa_data *outer_pa[3]; + krb5_pa_data pa[1]; + krb5_pa_data *outer_pa[3], *cookie = NULL; krb5_pa_data **inner_pa = NULL; size_t size = 0; krb5_data *encoded_e_data = NULL; @@ -369,7 +369,13 @@ pa[0].length = encoded_fx_error->length; pa[0].contents = (unsigned char *) encoded_fx_error->data; inner_pa[size++] = &pa[0]; - resp.padata = inner_pa; + if (find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE) == NULL) + retval = kdc_preauth_get_cookie(state, &cookie); + } + if (cookie != NULL) + inner_pa[size++] = cookie; + if (retval == 0) { + resp.padata = inner_pa; resp.nonce = request->nonce; resp.rep_key = NULL; resp.finished = NULL; @@ -378,6 +384,11 @@ retval = encrypt_fast_reply(state, &resp, &encrypted_reply); if (inner_pa) free(inner_pa); /*contained storage from caller and our stack*/ + if (cookie) { + free(cookie->contents); + free(cookie); + cookie = NULL; + } if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; pa[0].length = encrypted_reply->length; 
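Review bot: In the second fast_util.c hunk, `inner_pa[size++] = cookie;` appends one more element than the function stored before, and `find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE)` walks the array as a terminated list immediately after `&pa[0]` was written. The allocation of `inner_pa` is outside the hunk, so it should be confirmed that it is zero-filled and sized for the caller's entries plus the fx-error entry, the cookie and the NULL terminator. If it was sized before this change, the append writes one slot past the end or leaves the list unterminated.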
@@ -399,3 +410,30 @@ krb5_free_data(kdc_context, encoded_fx_error); return retval; } + +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie) +{ + char *contents; + krb5_pa_data *pa = NULL; + /* In our current implementation, the only purpose served by + * returning a cookie is to indicate that a conversation should + * continue on error. Thus, the cookie can have a constant + * string. If cookies are used for real, versioning so that KDCs + * can be upgraded, keying, expiration and many other issues need + * to be considered. + */ + contents = strdup("MIT"); + if (contents == NULL) + return ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) { + free(contents); + return ENOMEM; + } + pa->pa_type = KRB5_PADATA_FX_COOKIE; + pa->length = strlen(contents); + pa->contents = (unsigned char *) contents; + *cookie = pa; + return 0; +} Modified: branches/fast/src/kdc/kdc_preauth.c =================================================================== --- branches/fast/src/kdc/kdc_preauth.c 2009-04-03 03:39:41 UTC (rev 22162) +++ branches/fast/src/kdc/kdc_preauth.c 2009-04-03 03:39:50 UTC (rev 22163) @@ -961,7 +961,8 @@ e_data->data = 0; hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); - pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+1)); + /* Allocate 1 entry for the terminator and one for the cookie*/ + pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21)); if (pa_data == 0) return; memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); 
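Review bot: In kdc_preauth.c the allocation `malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21))` does not match its own comment, which asks for one terminator and one cookie slot, and the `memset` on the next context line still clears only `n_preauth_systems+1` entries. If every preauth system contributes an entry and the cookie is appended after them, the slot that must hold the NULL terminator is uninitialized when the list is encoded. Allocating and clearing in one step keeps the sizes together: `pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));` with the separate `memset` removed. The enclosing function begins and ends outside the hunk.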
@@ -995,6 +996,8 @@ "%spreauth required but hint list is empty", hw_only ? "hw" : ""); } +/* If we fail to get the cookie it is probably still reasonable to continue with the response*/ + kdc_preauth_get_cookie(request->kdc_state, pa); retval = encode_krb5_padata_sequence(pa_data, &edat); if (retval) goto errout; Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-04-03 03:39:41 UTC (rev 22162) +++ branches/fast/src/kdc/kdc_util.h 2009-04-03 03:39:50 UTC (rev 22163) @@ -331,6 +331,9 @@ krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err); +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie); + From hartmans at MIT.EDU Thu Apr 2 23:39:56 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:56 -0400 Subject: svn rev #22165: branches/fast/src/kdc/ Message-ID: <200904030339.n333duX9028412@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22165 Commit By: hartmans Log Message: Advertize FAST in supported preauth types Changed Files: U branches/fast/src/kdc/kdc_preauth.c Modified: branches/fast/src/kdc/kdc_preauth.c =================================================================== --- branches/fast/src/kdc/kdc_preauth.c 2009-04-03 03:39:53 UTC (rev 22164) +++ branches/fast/src/kdc/kdc_preauth.c 2009-04-03 03:39:56 UTC (rev 22165) @@ -290,6 +290,17 @@ 0 }, { + "FAST", + KRB5_PADATA_FX_FAST, + PA_HARDWARE, + NULL, + NULL, + NULL, + NULL, + NULL, + 0 + }, + { "etype-info", KRB5_PADATA_ETYPE_INFO, 0, From hartmans at MIT.EDU Thu Apr 2 23:39:39 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:39 -0400 Subject: svn rev #22161: branches/fast/src/lib/krb5/krb/ Message-ID: <200904030339.n333ddhH028249@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22161 Commit By: hartmans Log Message: Client-side cookie support Echo the pa-fx-cookie back to the KDC. No need to store cookie padata in the state structure; removed. If cookie is not present and FAST is being used, do not retry after error. Changed Files: U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/preauth2.c Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:33:01 UTC (rev 22160) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:39:38 UTC (rev 22161) @@ -378,9 +378,11 @@ fast_response->padata = NULL; /* * If there is more than the fx_error padata, then we want - * to retry the error + * to retry the error if a cookie is present */ *retry = (*out_padata)[1] != NULL; + if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL) + *retry = 0; } if (fx_error) krb5_free_error(context, fx_error); @@ -475,11 +477,6 @@ /*We are responsible for none of the store in the fast_outer_req*/ krb5_free_keyblock(context, state->armor_key); krb5_free_fast_armor(context, state->armor); - if (state->cookie) { - free(state->cookie->contents); - free(state->cookie); - state->cookie = NULL; - } free(state); } Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:33:01 UTC (rev 22160) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:39:38 UTC (rev 22161) 
@@ -38,7 +38,6 @@ krb5_fast_armor *armor; krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; - krb5_pa_data *cookie; krb5_int32 nonce; }; Modified: branches/fast/src/lib/krb5/krb/preauth2.c =================================================================== --- branches/fast/src/lib/krb5/krb/preauth2.c 2009-04-03 03:33:01 UTC (rev 22160) +++ branches/fast/src/lib/krb5/krb/preauth2.c 2009-04-03 03:39:38 UTC (rev 22161) @@ -646,6 +646,36 @@ } static +krb5_error_code pa_fx_cookie(krb5_context context, + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) +{ + krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data)); + krb5_octet *contents; + if (pa == NULL) + return ENOMEM; + contents = malloc(in_padata->length); + if (contents == NULL) { + free(pa); + return ENOMEM; + } + *pa = *in_padata; + pa->contents = contents; + memcpy(contents, in_padata->contents, pa->length); + *out_padata = pa; + return 0; +} + +static krb5_error_code pa_enc_timestamp(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, @@ -1710,6 +1740,11 @@ PA_REAL, }, { + KRB5_PADATA_FX_COOKIE, + pa_fx_cookie, + PA_INFO, + }, + { -1, NULL, 0, From hartmans at MIT.EDU Thu Apr 2 23:39:59 2009 
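Review bot: In the added `pa_fx_cookie`, a cookie whose `in_padata->length` is zero reaches `malloc(0)`, which is allowed to return NULL, so an empty cookie from the KDC would be reported as `ENOMEM` on some platforms and accepted on others. The length comes from the KDC's padata, so the empty case should be handled explicitly, e.g. `contents = malloc(in_padata->length ? in_padata->length : 1);`. The unused parameters presumably follow the handler signature shared with `pa_enc_timestamp`, but a one-line comment above the function such as `/* Copy the KDC's cookie unchanged so it is echoed back in the next request. */` would document why it only copies.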
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:59 -0400 Subject: svn rev #22166: branches/fast/src/ include/ kdc/ lib/krb5/asn.1/ lib/krb5/krb/ Message-ID: <200904030339.n333dxRN028449@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22166 Commit By: hartmans Log Message: Implement strengthen key Per ietf-krb-wg discussion, the reply key mechanism is being replaced with a strengthen key mechanism. Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/do_tgs_req.c U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.h U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/get_in_tkt.c U branches/fast/src/lib/krb5/krb/kfree.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/include/k5-int.h 2009-04-03 03:39:58 UTC (rev 22166) @@ -1001,7 +1001,7 @@ typedef struct _krb5_fast_response { krb5_magic magic; krb5_pa_data **padata; - krb5_keyblock *rep_key; + krb5_keyblock *strengthen_key; krb5_fast_finished *finished; krb5_int32 nonce; } krb5_fast_response; Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/kdc/do_as_req.c 2009-04-03 03:39:58 UTC (rev 22166) @@ -119,6 +119,7 @@ krb5_keylist_node *tmp_mkey_list; struct kdc_request_state *state = NULL; krb5_data encoded_req_body; + krb5_keyblock *as_encrypting_key = NULL; #if APPLE_PKINIT 
@@ -592,7 +593,7 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype); if (errcode) { status = "fast response handling"; goto errout; @@ -602,8 +603,13 @@ reply.enc_part.enctype = client_keyblock.enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, - 0, &client_keyblock, &reply, response); + errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key); + if (errcode) { + status = "generating reply key"; + goto errout; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, + 0, as_encrypting_key, &reply, response); reply.enc_part.kvno = client_key->key_data_kvno; if (errcode) { status = "ENCODE_KDC_REP"; @@ -637,7 +643,8 @@ egress: if (pa_context) free_padata_context(kdc_context, &pa_context); - + if (as_encrypting_key) + krb5_free_keyblock(kdc_context, as_encrypting_key); if (errcode) emsg = krb5_get_error_message(kdc_context, errcode); Modified: branches/fast/src/kdc/do_tgs_req.c =================================================================== --- branches/fast/src/kdc/do_tgs_req.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/kdc/do_tgs_req.c 2009-04-03 03:39:58 UTC (rev 22166) 
@@ -878,7 +878,8 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, + subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { status = "Preparing FAST padata"; goto cleanup; Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/kdc/fast_util.c 2009-04-03 03:39:58 UTC (rev 22166) @@ -251,8 +251,8 @@ return; if (s->armor_key) krb5_free_keyblock(kdc_context, s->armor_key); - if (s->reply_key) - krb5_free_keyblock(kdc_context, s->reply_key); + if (s->strengthen_key) + krb5_free_keyblock(kdc_context, s->strengthen_key); if (s->cookie) { free(s->cookie->contents); free(s->cookie); @@ -263,7 +263,7 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep) + krb5_kdc_rep *rep, krb5_enctype enctype) { krb5_error_code retval = 0; krb5_fast_finished finish; 
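Review bot: The new fourth argument to `kdc_fast_response_handle_padata` in do_tgs_req.c repeats the ternary that the statement just above assigns to `reply.enc_part.enctype`, so the two can drift apart if one is edited later. Passing the stored value keeps a single source for the enctype: `errcode = kdc_fast_response_handle_padata(state, request, &reply, reply.enc_part.enctype);`. The same duplicated expression appears in the trunk merge of this file (rev 22167).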
@@ -273,14 +273,23 @@ krb5_pa_data *pa = NULL, **pa_array = NULL; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; + krb5_keyblock *strengthen_key = NULL; if (!state->armor_key) return 0; memset(&finish, 0, sizeof(finish)); + retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key); + if (retval == 0) + retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); + if (retval == 0) { + state->strengthen_key = strengthen_key; + strengthen_key = NULL; + } + fast_response.padata = rep->padata; if (fast_response.padata == NULL) fast_response.padata = &empty_padata[0]; - fast_response.rep_key = state->reply_key; + fast_response.strengthen_key = state->strengthen_key; fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; @@ -321,6 +330,8 @@ krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) krb5_free_data(kdc_context, encoded_ticket); + if (strengthen_key != NULL) + krb5_free_keyblock(kdc_context, strengthen_key); if (finish.ticket_checksum.contents) krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); return retval; @@ -377,7 +388,7 @@ if (retval == 0) { resp.padata = inner_pa; resp.nonce = request->nonce; - resp.rep_key = NULL; + resp.strengthen_key = NULL; resp.finished = NULL; } if (retval == 0) 
@@ -411,6 +422,21 @@ return retval; } +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key) +{ + krb5_error_code retval = 0; + if (state->armor_key) + retval = krb5_c_fx_cf2_simple(kdc_context, + state->strengthen_key, "strengthenkey", + existing_key, + "replykey", out_key); + else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); + return retval; +} + + krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, krb5_pa_data **cookie) { Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/kdc/kdc_util.h 2009-04-03 03:39:58 UTC (rev 22166) @@ -302,11 +302,12 @@ struct kdc_request_state { krb5_keyblock *armor_key; - krb5_keyblock *reply_key; /*When replaced by FAST*/ + krb5_keyblock *strengthen_key; krb5_pa_data *cookie; krb5_int32 fast_options; krb5_int32 fast_internal_flags; }; + krb5_error_code kdc_make_rstate(struct kdc_request_state **out); void kdc_free_rstate (struct kdc_request_state *s); 
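Review bot: `kdc_fast_handle_reply_key` passes `state->strengthen_key` to `krb5_c_fx_cf2_simple` whenever `state->armor_key` is set, without checking that the strengthen key exists. In this commit that key is only assigned in `kdc_fast_response_handle_padata`, and only when key generation succeeds, so the function relies on callers invoking that first and stopping on its error, as do_as_req.c does; whether `krb5_c_fx_cf2_simple` tolerates a NULL key is not visible here. A guard makes the dependency explicit: `if (state->armor_key && state->strengthen_key == NULL) return EINVAL;`. The identical function is added again in the trunk merge (rev 22167).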
@@ -325,12 +326,18 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep); + krb5_kdc_rep *rep, + krb5_enctype enctype); krb5_error_code kdc_fast_handle_error (krb5_context context, struct kdc_request_state *state, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err); +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key); + + krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, krb5_pa_data **cookie); Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-03 03:39:58 UTC (rev 22166) @@ -1233,7 +1233,7 @@ static const struct field_info fast_response_fields[] = { FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), - FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, strengthen_key, 1, 1), FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), }; @@ -1242,7 +1242,7 @@ { unsigned int optional = 0; const krb5_fast_response *val = p; - if (val->rep_key) + if (val->strengthen_key) optional |= (1u <<1); if (val->finished) optional |= (1u<<2); Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-04-03 03:39:58 UTC (rev 22166) 
@@ -1137,10 +1137,10 @@ alloc_field(rep); clear_field(rep, finished); clear_field(rep, padata); - clear_field(rep,rep_key); + clear_field(rep,strengthen_key); {begin_structure(); get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); - opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->strengthen_key, 1, asn1_decode_encryption_key_ptr); opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); get_field(rep->nonce, 3, asn1_decode_int32); end_structure(); } Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:39:58 UTC (rev 22166) @@ -412,14 +412,14 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key) + krb5_keyblock **strengthen_key) { krb5_error_code retval = 0; krb5_fast_response *fast_response = NULL; krb5_data *encoded_ticket = NULL; krb5_boolean cksum_valid; krb5_clear_error_message(context); - *as_key = NULL; + *strengthen_key = NULL; if (state->armor_key == 0) return 0; retval = decrypt_fast_reply(context, state, resp->padata, @@ -446,8 +446,8 @@ krb5_free_principal(context, resp->client); resp->client = fast_response->finished->client; fast_response->finished->client = NULL; - *as_key = fast_response->rep_key; - fast_response->rep_key = NULL; + *strengthen_key = fast_response->strengthen_key; + fast_response->strengthen_key = NULL; krb5_free_pa_data(context, resp->padata); resp->padata = fast_response->padata; fast_response->padata = NULL; 
@@ -458,6 +458,29 @@ krb5_free_data(context, encoded_ticket); return retval; } + +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *out_key) +{ + krb5_keyblock *key = NULL; + krb5_error_code retval = 0; + krb5_free_keyblock_contents(context, out_key); + if (strengthen_key) { + retval = krb5_c_fx_cf2_simple(context, strengthen_key, + "strengthenkey", existing_key, "replykey", &key); + if (retval == 0) { + *out_key = *key; + free(key); + } + } else { + retval = krb5_copy_keyblock_contents(context, existing_key, out_key); + } + return retval; +} + + krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) { Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:39:58 UTC (rev 22166) @@ -60,7 +60,7 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key); + krb5_keyblock **strengthen_key); krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state); @@ -72,5 +72,11 @@ krb5_gic_opt_ext *opte, krb5_kdc_req *request); +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *output_key); + + #endif Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-04-03 03:39:58 UTC (rev 22166) 
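Review bot: `krb5int_fast_reply_key` frees the contents of `out_key` before writing to it, so the caller must pass a keyblock that is either zero-initialised or holds a previous key, and that contract is not written down. get_in_tkt.c in this commit does initialise `encrypting_key.length` and `encrypting_key.contents`, but a header comment would protect future callers, for example `/* out_key must be initialised; any key it already holds is freed and replaced. */`. The comment should also state that with a NULL `strengthen_key` the result is a plain copy of `existing_key`.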
@@ -967,8 +967,8 @@ int loopcount; krb5_data salt; krb5_data s2kparams; - krb5_keyblock as_key; - krb5_keyblock *fast_as_key = NULL; + krb5_keyblock as_key, encrypting_key; + krb5_keyblock *strengthen_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -994,6 +994,8 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; + encrypting_key.length = 0; + encrypting_key.contents = NULL; salt.length = 0; salt.data = NULL; @@ -1397,7 +1399,7 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); ret = krb5int_fast_process_response(context, fast_state, - local_as_reply, &fast_as_key); + local_as_reply, &strengthen_key); if (ret) goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, @@ -1445,18 +1447,15 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - if (fast_as_key) { - if (as_key.length) - krb5_free_keyblock_contents(context, &as_key); - as_key = *fast_as_key; - free(fast_as_key); - fast_as_key = NULL; - } - if (as_key.length) - ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &as_key, krb5_kdc_rep_decrypt_proc, + if (as_key.length) { + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; + ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, NULL); - else + } else ret = -1; if (ret) { @@ -1468,6 +1467,10 @@ &as_key, gak_data)))) goto cleanup; + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, NULL, &as_key, krb5_kdc_rep_decrypt_proc, NULL))) 
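Review bot: In the retry branch of get_in_tkt.c (the hunk at -1468) the combined key is computed into `encrypting_key`, but the `decrypt_as_reply` call on the unchanged lines that follow still passes `&as_key`. When the KDC supplied a strengthen key the reply is encrypted under the derived key, so this second attempt would be expected to fail even after `gak_fct` returns the correct long-term key; the first attempt in the preceding hunk was switched to `&encrypting_key`. The context line should change to match: `NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,`. The enclosing function begins and ends outside the hunk.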
@@ -1509,8 +1512,10 @@ } } krb5_preauth_request_context_fini(context); - krb5_free_keyblock(context, fast_as_key); - if (fast_state) + krb5_free_keyblock(context, strengthen_key); + if (encrypting_key.contents) + krb5_free_keyblock_contents(context, &encrypting_key); + if (fast_state) krb5int_fast_free_state(context, fast_state); if (out_padata) krb5_free_pa_data(context, out_padata); Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-04-03 03:39:56 UTC (rev 22165) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-04-03 03:39:58 UTC (rev 22166) @@ -819,6 +819,7 @@ return; krb5_free_pa_data(context, val->padata); krb5_free_fast_finished(context, val->finished); + krb5_free_keyblock(context, val->strengthen_key); free(val); } From hartmans at MIT.EDU Thu Apr 2 23:39:53 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 2 Apr 2009 23:39:53 -0400 Subject: svn rev #22164: branches/fast/src/lib/krb5/krb/ Message-ID: <200904030339.n333dr9F028360@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22164 Commit By: hartmans Log Message: Implement test forr ad-fx-armor Implement a test program to replace the TGT in the ccache with a ticket with the ad-fx-armor authorization data. This can be used to confirm that a KDC honors this authorization data. Changed Files: U branches/fast/src/lib/krb5/krb/Makefile.in A branches/fast/src/lib/krb5/krb/t_ad_fx_armor.c Modified: branches/fast/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/fast/src/lib/krb5/krb/Makefile.in 2009-04-03 03:39:50 UTC (rev 22163) +++ branches/fast/src/lib/krb5/krb/Makefile.in 2009-04-03 03:39:53 UTC (rev 22164) @@ -271,6 +271,7 @@ $(srcdir)/srv_dec_tkt.c \ $(srcdir)/srv_rcache.c \ $(srcdir)/str_conv.c \ + $(srcdir)/t_ad_fx_armor.c \ $(srcdir)/tgtname.c \ $(srcdir)/unparse.c \ $(srcdir)/valid_times.c \ 
@@ -311,6 +312,9 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) +t_ad_fx_armor: t_ad_fx_armor.o + $(CC_LINK) -o $@ $< $(KRB5_BASE_LIBS) + t_authdata: t_authdata.o copy_auth.o $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) Added: branches/fast/src/lib/krb5/krb/t_ad_fx_armor.c =================================================================== --- branches/fast/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-03 03:39:50 UTC (rev 22163) +++ branches/fast/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-03 03:39:53 UTC (rev 22164) @@ -0,0 +1,36 @@ +#include +#include +#include + +#define test(x) do {retval = (x); \ + if(retval != 0) { \ + const char *errmsg = krb5_get_error_message(context, retval); \ + fprintf(stderr, "Error message: %s\n", errmsg); \ + abort(); } \ + } while(0); + +krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""}; +krb5_authdata *array[] = {&ad_fx_armor, NULL}; + + +int main( int argc, char **argv) +{ + krb5_context context; + krb5_ccache ccache = NULL; + krb5_creds creds, *out_creds = NULL; + krb5_error_code retval = 0; + test(krb5_init_context(&context)); + memset(&creds, 0, sizeof(creds)); + creds.authdata = array; + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_get_principal(context, ccache, &creds.client)); + test(krb5_parse_name(context, argv[1], &creds.server)); + test(krb5_get_credentials(context, 0, ccache, &creds, &out_creds)); + test(krb5_cc_destroy(context, ccache)); + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_initialize(context, ccache, out_creds->client)); + test(krb5_cc_store_cred(context, ccache, out_creds)); + test(krb5_cc_close(context,ccache)); + return 0; + +} From hartmans at MIT.EDU Fri Apr 3 00:03:47 2009 
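Review bot: `main` in the new t_ad_fx_armor.c passes `argv[1]` to `krb5_parse_name` without checking `argc`, so running the test with no argument hands it a null pointer. A check at the top avoids that: `if (argc != 2) { fprintf(stderr, "usage: %s service-principal\n", argv[0]); return 1; }`. Because the program destroys and rewrites the default credential cache, a short file header comment saying so, and that it is meant to be run against a throwaway cache, would help anyone who finds the binary in the build tree. The `test` macro's trailing `;` after `while(0)` can be dropped.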
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 3 Apr 2009 00:03:47 -0400 Subject: svn rev #22167: trunk/src/ include/ kdc/ lib/crypto/ lib/crypto/arcfour/ lib/krb5/asn.1/ ... Message-ID: <200904030403.n3343l5O032757@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22167 Commit By: hartmans Log Message: ticket: 6436 Merge fast branch at 22166 onto trunk Changed Files: U trunk/src/include/k5-int.h U trunk/src/kdc/do_as_req.c U trunk/src/kdc/do_tgs_req.c U trunk/src/kdc/fast_util.c U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.c U trunk/src/kdc/kdc_util.h U trunk/src/lib/crypto/arcfour/arcfour.c U trunk/src/lib/crypto/arcfour/arcfour.h U trunk/src/lib/crypto/etypes.c U trunk/src/lib/krb5/asn.1/asn1_k_encode.c U trunk/src/lib/krb5/asn.1/krb5_decode.c U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/fast.c U trunk/src/lib/krb5/krb/fast.h U trunk/src/lib/krb5/krb/get_in_tkt.c U trunk/src/lib/krb5/krb/kfree.c U trunk/src/lib/krb5/krb/preauth2.c A trunk/src/lib/krb5/krb/t_ad_fx_armor.c U trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/include/k5-int.h 2009-04-03 04:03:45 UTC (rev 22167) @@ -982,7 +982,7 @@ typedef struct _krb5_fast_req { krb5_magic magic; - krb5_int32 fast_options; + krb5_flags fast_options; /* padata from req_body is used*/ krb5_kdc_req *req_body; } krb5_fast_req; 
@@ -1001,7 +1001,7 @@ typedef struct _krb5_fast_response { krb5_magic magic; krb5_pa_data **padata; - krb5_keyblock *rep_key; + krb5_keyblock *strengthen_key; krb5_fast_finished *finished; krb5_int32 nonce; } krb5_fast_response; Modified: trunk/src/kdc/do_as_req.c =================================================================== --- trunk/src/kdc/do_as_req.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/do_as_req.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -119,6 +119,7 @@ krb5_keylist_node *tmp_mkey_list; struct kdc_request_state *state = NULL; krb5_data encoded_req_body; + krb5_keyblock *as_encrypting_key = NULL; #if APPLE_PKINIT @@ -592,7 +593,7 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype); if (errcode) { status = "fast response handling"; goto errout; @@ -602,8 +603,13 @@ reply.enc_part.enctype = client_keyblock.enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, - 0, &client_keyblock, &reply, response); + errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key); + if (errcode) { + status = "generating reply key"; + goto errout; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, + 0, as_encrypting_key, &reply, response); reply.enc_part.kvno = client_key->key_data_kvno; if (errcode) { status = "ENCODE_KDC_REP"; @@ -637,7 +643,8 @@ egress: if (pa_context) free_padata_context(kdc_context, &pa_context); - + if (as_encrypting_key) + krb5_free_keyblock(kdc_context, as_encrypting_key); if (errcode) emsg = krb5_get_error_message(kdc_context, errcode); 
@@ -760,7 +767,7 @@ if (pa == NULL) retval = ENOMEM; else for (size = 0; td[size]; size++) { - krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); if (pad == NULL) { retval = ENOMEM; break; Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/do_tgs_req.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -878,7 +878,8 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, + subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { status = "Preparing FAST padata"; goto cleanup; @@ -972,7 +973,7 @@ krb5_data **response, const char *status) { krb5_error errpkt; - krb5_error_code retval; + krb5_error_code retval = 0; krb5_data *scratch; errpkt.ctime = request->nonce; @@ -997,7 +998,8 @@ } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (state) + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); if (retval) { free(scratch); free(errpkt.text.data); Modified: trunk/src/kdc/fast_util.c =================================================================== --- trunk/src/kdc/fast_util.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/fast_util.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -50,7 +50,7 @@ krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; - assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST); + assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) 
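Review bot: The corrected `assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST)` in fast_util.c is still the only check of the armor type visible in this hunk, and an `assert` is either compiled out under `NDEBUG` or aborts the KDC process. If `armor` is decoded from the client's request, as the surrounding code suggests, an unexpected type should produce an error return instead, e.g. `if (armor->armor_type != KRB5_FAST_ARMOR_AP_REQUEST) return KRB5KDC_ERR_PREAUTH_FAILED;`. This does not apply if the caller already rejects other armor types; the function starts and ends outside the hunk, so that cannot be confirmed here.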
@@ -251,8 +251,8 @@ return; if (s->armor_key) krb5_free_keyblock(kdc_context, s->armor_key); - if (s->reply_key) - krb5_free_keyblock(kdc_context, s->reply_key); + if (s->strengthen_key) + krb5_free_keyblock(kdc_context, s->strengthen_key); if (s->cookie) { free(s->cookie->contents); free(s->cookie); @@ -263,24 +263,33 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep) + krb5_kdc_rep *rep, krb5_enctype enctype) { krb5_error_code retval = 0; krb5_fast_finished finish; krb5_fast_response fast_response; krb5_data *encoded_ticket = NULL; krb5_data *encrypted_reply = NULL; - krb5_pa_data *pa = NULL, **pa_array; + krb5_pa_data *pa = NULL, **pa_array = NULL; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; + krb5_keyblock *strengthen_key = NULL; if (!state->armor_key) return 0; memset(&finish, 0, sizeof(finish)); + retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key); + if (retval == 0) + retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); + if (retval == 0) { + state->strengthen_key = strengthen_key; + strengthen_key = NULL; + } + fast_response.padata = rep->padata; if (fast_response.padata == NULL) fast_response.padata = &empty_padata[0]; - fast_response.rep_key = state->reply_key; + fast_response.strengthen_key = state->strengthen_key; fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; 
@@ -309,15 +318,20 @@ pa_array[0] = &pa[0]; rep->padata = pa_array; pa_array = NULL; + free(encrypted_reply); encrypted_reply = NULL; pa = NULL; } if (pa) free(pa); + if (pa_array) + free(pa_array); if (encrypted_reply) krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) krb5_free_data(kdc_context, encoded_ticket); + if (strengthen_key != NULL) + krb5_free_keyblock(kdc_context, strengthen_key); if (finish.ticket_checksum.contents) krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); return retval; @@ -339,8 +353,8 @@ krb5_fast_response resp; krb5_error fx_error; krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; - krb5_pa_data pa[2]; - krb5_pa_data *outer_pa[3]; + krb5_pa_data pa[1]; + krb5_pa_data *outer_pa[3], *cookie = NULL; krb5_pa_data **inner_pa = NULL; size_t size = 0; krb5_data *encoded_e_data = NULL; @@ -366,15 +380,26 @@ pa[0].length = encoded_fx_error->length; pa[0].contents = (unsigned char *) encoded_fx_error->data; inner_pa[size++] = &pa[0]; - resp.padata = inner_pa; + if (find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE) == NULL) + retval = kdc_preauth_get_cookie(state, &cookie); + } + if (cookie != NULL) + inner_pa[size++] = cookie; + if (retval == 0) { + resp.padata = inner_pa; resp.nonce = request->nonce; - resp.rep_key = NULL; + resp.strengthen_key = NULL; resp.finished = NULL; } if (retval == 0) retval = encrypt_fast_reply(state, &resp, &encrypted_reply); if (inner_pa) free(inner_pa); /*contained storage from caller and our stack*/ + if (cookie) { + free(cookie->contents); + free(cookie); + cookie = NULL; + } if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; pa[0].length = encrypted_reply->length; 
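Review bot: The error path changed in the last fast_util.c hunk on this line (apparently `kdc_fast_handle_error`) now stores up to two entries of its own in `inner_pa`, the fx_error element and the cookie, and calls `find_pa_data` on the array in between, but the allocation of `inner_pa` is outside the hunk. Please confirm that the allocation is zero-filled and reserves room for both entries plus the terminating NULL, since `find_pa_data` presumably walks the array until it meets a NULL entry. A comment at the allocation naming the three reserved slots would keep the count from being missed in a later edit.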
@@ -396,3 +421,45 @@ krb5_free_data(kdc_context, encoded_fx_error); return retval; } + +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key) +{ + krb5_error_code retval = 0; + if (state->armor_key) + retval = krb5_c_fx_cf2_simple(kdc_context, + state->strengthen_key, "strengthenkey", + existing_key, + "replykey", out_key); + else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); + return retval; +} + + +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie) +{ + char *contents; + krb5_pa_data *pa = NULL; + /* In our current implementation, the only purpose served by + * returning a cookie is to indicate that a conversation should + * continue on error. Thus, the cookie can have a constant + * string. If cookies are used for real, versioning so that KDCs + * can be upgraded, keying, expiration and many other issues need + * to be considered. + */ + contents = strdup("MIT"); + if (contents == NULL) + return ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) { + free(contents); + return ENOMEM; + } + pa->pa_type = KRB5_PADATA_FX_COOKIE; + pa->length = strlen(contents); + pa->contents = (unsigned char *) contents; + *cookie = pa; + return 0; +} Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/kdc_preauth.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -290,6 +290,17 @@ 0 }, { + "FAST", + KRB5_PADATA_FX_FAST, + PA_HARDWARE, + NULL, + NULL, + NULL, + NULL, + NULL, + 0 + }, + { "etype-info", KRB5_PADATA_ETYPE_INFO, 0, 
@@ -961,7 +972,8 @@ e_data->data = 0; hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); - pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+1)); + /* Allocate 1 entry for the terminator and one for the cookie*/ + pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21)); if (pa_data == 0) return; memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); @@ -995,6 +1007,8 @@ "%spreauth required but hint list is empty", hw_only ? "hw" : ""); } +/* If we fail to get the cookie it is probably still reasonable to continue with the response*/ + kdc_preauth_get_cookie(request->kdc_state, pa); retval = encode_krb5_padata_sequence(pa_data, &edat); if (retval) goto errout; Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/kdc_util.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -347,13 +347,13 @@ authenticator->authorization_data, KRB5_AUTHDATA_FX_ARMOR, &authdata); if (retval != 0) - goto cleanup_auth_context; + goto cleanup_authenticator; if (authdata&& authdata[0]) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, "ticket valid only as FAST armor"); retval = KRB5KDC_ERR_POLICY; krb5_free_authdata(kdc_context, authdata); - goto cleanup_auth_context; + goto cleanup_authenticator; } krb5_free_authdata(kdc_context, authdata); Modified: trunk/src/kdc/kdc_util.h =================================================================== --- trunk/src/kdc/kdc_util.h 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/kdc/kdc_util.h 2009-04-03 04:03:45 UTC (rev 22167) 
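Review bot: In the first kdc_preauth.c hunk the new comment says one extra slot is added for the cookie, but the code allocates `n_preauth_systems+21` entries (probably a typo for `+2`) and the unchanged `memset` still clears only `n_preauth_systems+1` of them. If the hint list ever fills every system slot, the cookie written through `pa` in the following hunk lands in the last cleared entry, and the terminator after it is uninitialised memory that `encode_krb5_padata_sequence` would read. Allocating and clearing in one step removes the mismatch: `pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));` with the `memset` dropped. The enclosing function starts and ends outside both hunks, so how far `pa` can advance is inferred, not shown.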
@@ -302,11 +302,12 @@ struct kdc_request_state { krb5_keyblock *armor_key; - krb5_keyblock *reply_key; /*When replaced by FAST*/ + krb5_keyblock *strengthen_key; krb5_pa_data *cookie; krb5_int32 fast_options; krb5_int32 fast_internal_flags; }; + krb5_error_code kdc_make_rstate(struct kdc_request_state **out); void kdc_free_rstate (struct kdc_request_state *s); @@ -325,12 +326,21 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep); + krb5_kdc_rep *rep, + krb5_enctype enctype); krb5_error_code kdc_fast_handle_error (krb5_context context, struct kdc_request_state *state, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err); +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key); + + +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie); + Modified: trunk/src/lib/crypto/arcfour/arcfour.c =================================================================== --- trunk/src/lib/crypto/arcfour/arcfour.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/crypto/arcfour/arcfour.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -8,6 +8,8 @@ */ #include "k5-int.h" #include "arcfour-int.h" +#include "../hash_provider/hash_provider.h" + const char *const krb5int_arcfour_l40 = "fortybits"; void @@ -304,3 +306,12 @@ return (ret); } + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) + { + assert(out->length == 20); + return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out); + } Modified: trunk/src/lib/crypto/arcfour/arcfour.h =================================================================== --- trunk/src/lib/crypto/arcfour/arcfour.h 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/crypto/arcfour/arcfour.h 2009-04-03 04:03:45 UTC (rev 22167) 
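Review bot: The added `krb5int_arcfour_prf` in arcfour.c ignores its `enc` and `hash` arguments and hard-codes HMAC-SHA1 with a literal output length of 20, none of which is explained. A comment such as `/* RC4 PRF: HMAC-SHA1 of the input under the key; output is the 20-byte SHA-1 digest, matching the prf length in etypes.c */` would tie the function to the two `20` entries this commit adds in etypes.c; please check the wording against the enctype specification. The `assert(out->length == 20)` disappears under `NDEBUG`, so returning an error for a wrong-sized buffer would be more robust, e.g. `if (out->length != 20) return KRB5_BAD_MSIZE;`.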
@@ -34,5 +34,10 @@ extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_aead_provider krb5int_aead_arcfour; + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); #endif /* ARCFOUR_H */ Modified: trunk/src/lib/crypto/etypes.c =================================================================== --- trunk/src/lib/crypto/etypes.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/crypto/etypes.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -119,10 +119,10 @@ "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, 0 /*flags*/ }, @@ -131,10 +131,10 @@ "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, ETYPE_WEAK Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -1211,7 +1211,7 @@ DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); static const struct field_info fast_req_fields[] = { - FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM(krb5_fast_req, krb5_flags, fast_options, 0), FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), }; 
@@ -1233,7 +1233,7 @@ static const struct field_info fast_response_fields[] = { FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), - FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, strengthen_key, 1, 1), FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), }; @@ -1242,7 +1242,7 @@ { unsigned int optional = 0; const krb5_fast_response *val = p; - if (val->rep_key) + if (val->strengthen_key) optional |= (1u <<1); if (val->finished) optional |= (1u<<2); Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -1114,7 +1114,7 @@ alloc_field(rep->req_body); clear_field(rep, req_body->padata); {begin_structure(); - get_field(rep->fast_options, 0, asn1_decode_int32); + get_field(rep->fast_options, 0, asn1_decode_krb5_flags); opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); end_structure(); } 
@@ -1137,10 +1137,10 @@ alloc_field(rep); clear_field(rep, finished); clear_field(rep, padata); - clear_field(rep,rep_key); + clear_field(rep,strengthen_key); {begin_structure(); get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); - opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->strengthen_key, 1, asn1_decode_encryption_key_ptr); opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); get_field(rep->nonce, 3, asn1_decode_int32); end_structure(); } Modified: trunk/src/lib/krb5/krb/Makefile.in =================================================================== --- trunk/src/lib/krb5/krb/Makefile.in 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/Makefile.in 2009-04-03 04:03:45 UTC (rev 22167) @@ -271,6 +271,7 @@ $(srcdir)/srv_dec_tkt.c \ $(srcdir)/srv_rcache.c \ $(srcdir)/str_conv.c \ + $(srcdir)/t_ad_fx_armor.c \ $(srcdir)/tgtname.c \ $(srcdir)/unparse.c \ $(srcdir)/valid_times.c \ @@ -317,6 +318,9 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) +t_ad_fx_armor: t_ad_fx_armor.o + $(CC_LINK) -o $@ $< $(KRB5_BASE_LIBS) + t_authdata: t_authdata.o copy_auth.o $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) Modified: trunk/src/lib/krb5/krb/fast.c =================================================================== --- trunk/src/lib/krb5/krb/fast.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/fast.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -299,6 +299,8 @@ free(scratch.data); if (encrypted_response) krb5_free_enc_data(context, encrypted_response); + if (local_resp) + krb5_free_fast_response(context, local_resp); return retval; } 
@@ -376,9 +378,11 @@ fast_response->padata = NULL; /* * If there is more than the fx_error padata, then we want - * to retry the error + * to retry the error if a cookie is present */ *retry = (*out_padata)[1] != NULL; + if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL) + *retry = 0; } if (fx_error) krb5_free_error(context, fx_error); @@ -408,14 +412,14 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key) + krb5_keyblock **strengthen_key) { krb5_error_code retval = 0; krb5_fast_response *fast_response = NULL; krb5_data *encoded_ticket = NULL; krb5_boolean cksum_valid; krb5_clear_error_message(context); - *as_key = NULL; + *strengthen_key = NULL; if (state->armor_key == 0) return 0; retval = decrypt_fast_reply(context, state, resp->padata, @@ -442,8 +446,8 @@ krb5_free_principal(context, resp->client); resp->client = fast_response->finished->client; fast_response->finished->client = NULL; - *as_key = fast_response->rep_key; - fast_response->rep_key = NULL; + *strengthen_key = fast_response->strengthen_key; + fast_response->strengthen_key = NULL; krb5_free_pa_data(context, resp->padata); resp->padata = fast_response->padata; fast_response->padata = NULL; 
@@ -454,6 +458,29 @@ krb5_free_data(context, encoded_ticket); return retval; } + +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *out_key) +{ + krb5_keyblock *key = NULL; + krb5_error_code retval = 0; + krb5_free_keyblock_contents(context, out_key); + if (strengthen_key) { + retval = krb5_c_fx_cf2_simple(context, strengthen_key, + "strengthenkey", existing_key, "replykey", &key); + if (retval == 0) { + *out_key = *key; + free(key); + } + } else { + retval = krb5_copy_keyblock_contents(context, existing_key, out_key); + } + return retval; +} + + krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) { @@ -473,11 +500,6 @@ /*We are responsible for none of the store in the fast_outer_req*/ krb5_free_keyblock(context, state->armor_key); krb5_free_fast_armor(context, state->armor); - if (state->cookie) { - free(state->cookie->contents); - free(state->cookie); - state->cookie = NULL; - } free(state); } Modified: trunk/src/lib/krb5/krb/fast.h =================================================================== --- trunk/src/lib/krb5/krb/fast.h 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/fast.h 2009-04-03 04:03:45 UTC (rev 22167) @@ -38,7 +38,6 @@ krb5_fast_armor *armor; krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; - krb5_pa_data *cookie; krb5_int32 nonce; }; @@ -61,7 +60,7 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key); + krb5_keyblock **strengthen_key); krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state); 
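Review bot: `krb5int_fast_reply_key` calls `krb5_free_keyblock_contents(context, out_key)` before anything else, so the caller must pass a keyblock that is either initialised empty or owns its contents, and nothing in the hunk states that precondition. A header comment would cover it, for example `/* out_key must be initialised; its old contents are freed first. On success it holds a new key to be released with krb5_free_keyblock_contents. */`. The comment should also say that when `krb5_c_fx_cf2_simple` fails the previous contents of `out_key` are already gone. The prototype added to fast.h names the last parameter `output_key` while the definition uses `out_key`; the two should match.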
@@ -73,5 +72,11 @@ krb5_gic_opt_ext *opte, krb5_kdc_req *request); +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *output_key); + + #endif Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -967,8 +967,8 @@ int loopcount; krb5_data salt; krb5_data s2kparams; - krb5_keyblock as_key; - krb5_keyblock *fast_as_key = NULL; + krb5_keyblock as_key, encrypting_key; + krb5_keyblock *strengthen_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -994,6 +994,8 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; + encrypting_key.length = 0; + encrypting_key.contents = NULL; salt.length = 0; salt.data = NULL; @@ -1340,8 +1342,6 @@ out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; - if (ret) - goto cleanup; ret = sort_krb5_padata_sequence(context, &request.server->realm, preauth_to_use); @@ -1399,7 +1399,7 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); ret = krb5int_fast_process_response(context, fast_state, - local_as_reply, &fast_as_key); + local_as_reply, &strengthen_key); if (ret) goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, 
@@ -1447,18 +1447,15 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - if (fast_as_key) { - if (as_key.length) - krb5_free_keyblock_contents(context, &as_key); - as_key = *fast_as_key; - free(fast_as_key); - fast_as_key = NULL; - } - if (as_key.length) - ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &as_key, krb5_kdc_rep_decrypt_proc, + if (as_key.length) { + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; + ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, NULL); - else + } else ret = -1; if (ret) { @@ -1470,6 +1467,10 @@ &as_key, gak_data)))) goto cleanup; + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, NULL, &as_key, krb5_kdc_rep_decrypt_proc, NULL))) @@ -1511,8 +1512,10 @@ } } krb5_preauth_request_context_fini(context); - krb5_free_keyblock(context, fast_as_key); - if (fast_state) + krb5_free_keyblock(context, strengthen_key); + if (encrypting_key.contents) + krb5_free_keyblock_contents(context, &encrypting_key); + if (fast_state) krb5int_fast_free_state(context, fast_state); if (out_padata) krb5_free_pa_data(context, out_padata); Modified: trunk/src/lib/krb5/krb/kfree.c =================================================================== --- trunk/src/lib/krb5/krb/kfree.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/kfree.c 2009-04-03 04:03:45 UTC (rev 22167) 
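Review bot: In the `@@ -1470,6 +1467,10 @@` hunk the key produced by the added `krb5int_fast_reply_key` call is never used, because the `decrypt_as_reply` call directly below it still passes `&as_key`, whereas the first attempt in the preceding hunk was switched to `&encrypting_key`. When a strengthen key is present, the retry would therefore decrypt with the unstrengthened key and fail. The argument line should read `NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,`, and r22170 further down this page makes that change. The surrounding function starts and ends outside these hunks.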
@@ -819,6 +819,7 @@ return; krb5_free_pa_data(context, val->padata); krb5_free_fast_finished(context, val->finished); + krb5_free_keyblock(context, val->strengthen_key); free(val); } Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -646,6 +646,36 @@ } static +krb5_error_code pa_fx_cookie(krb5_context context, + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) +{ + krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data)); + krb5_octet *contents; + if (pa == NULL) + return ENOMEM; + contents = malloc(in_padata->length); + if (contents == NULL) { + free(pa); + return ENOMEM; + } + *pa = *in_padata; + pa->contents = contents; + memcpy(contents, in_padata->contents, pa->length); + *out_padata = pa; + return 0; +} + +static krb5_error_code pa_enc_timestamp(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, @@ -1710,6 +1740,11 @@ PA_REAL, }, { + KRB5_PADATA_FX_COOKIE, + pa_fx_cookie, + PA_INFO, + }, + { -1, NULL, 0, Added: trunk/src/lib/krb5/krb/t_ad_fx_armor.c =================================================================== --- trunk/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-03 04:03:45 UTC (rev 22167) 
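Review bot: `pa_fx_cookie` reports ENOMEM whenever `malloc(in_padata->length)` returns NULL, but `malloc(0)` may legitimately return NULL, so a zero-length cookie would be turned into an out-of-memory error on some platforms. The padata presumably arrives from the KDC, so the length is not under the client's control. Allocating at least one byte avoids the false error: `contents = malloc(in_padata->length ? in_padata->length : 1);`. A short comment stating that the cookie is opaque to the client and is echoed back unchanged would also explain why the other ten parameters are ignored.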
@@ -0,0 +1,36 @@ +#include +#include +#include + +#define test(x) do {retval = (x); \ + if(retval != 0) { \ + const char *errmsg = krb5_get_error_message(context, retval); \ + fprintf(stderr, "Error message: %s\n", errmsg); \ + abort(); } \ + } while(0); + +krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""}; +krb5_authdata *array[] = {&ad_fx_armor, NULL}; + + +int main( int argc, char **argv) +{ + krb5_context context; + krb5_ccache ccache = NULL; + krb5_creds creds, *out_creds = NULL; + krb5_error_code retval = 0; + test(krb5_init_context(&context)); + memset(&creds, 0, sizeof(creds)); + creds.authdata = array; + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_get_principal(context, ccache, &creds.client)); + test(krb5_parse_name(context, argv[1], &creds.server)); + test(krb5_get_credentials(context, 0, ccache, &creds, &out_creds)); + test(krb5_cc_destroy(context, ccache)); + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_initialize(context, ccache, out_creds->client)); + test(krb5_cc_store_cred(context, ccache, out_creds)); + test(krb5_cc_close(context,ccache)); + return 0; + +} Modified: trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c =================================================================== --- trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-03 03:39:58 UTC (rev 22166) +++ trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-03 04:03:45 UTC (rev 22167) @@ -116,6 +116,7 @@ krb5_pa_data **pa_array = NULL; krb5_data *encoded_ts = NULL; krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; if (retval == 0) retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); if (retval == 0) @@ -300,8 +301,6 @@ } if (armor_key) krb5_free_keyblock(context, armor_key); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); if (plain.data) free(plain.data); if (enc) From hartmans at MIT.EDU Fri Apr 3 01:36:26 2009 
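Review bot: `main` in the new t_ad_fx_armor.c passes `argv[1]` to `krb5_parse_name` without checking `argc`, so running the program with no argument hands a NULL name to the library. A guard at the top fixes that: `if (argc != 2) { fprintf(stderr, "usage: %s principal\n", argv[0]); return 1; }`. The `test` macro ends in `while(0);`, and that trailing semicolon defeats the do/while wrapper, so it should end at `while(0)`. The program also destroys and rewrites the default credential cache, which deserves a file-header comment so that nobody runs it against a cache they want to keep. The three `#include` lines have lost their header names on this page and cannot be checked.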
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 3 Apr 2009 01:36:26 -0400 Subject: svn rev #22168: trunk/src/kdc/ Message-ID: <200904030536.n335aQ7M007378@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22168 Commit By: hartmans Log Message: ticket: 6438 Subject: Handle authdata encrypted in subkey target_version: 1.7 tags: pullup RFC 4120 requires that if a subkey is present in the TGS request that authorization data be encrypted in the subkey. Our KDC did not handle this correctly. Changed Files: U trunk/src/kdc/kdc_authdata.c Modified: trunk/src/kdc/kdc_authdata.c =================================================================== --- trunk/src/kdc/kdc_authdata.c 2009-04-03 04:03:45 UTC (rev 22167) +++ trunk/src/kdc/kdc_authdata.c 2009-04-03 05:36:25 UTC (rev 22168) @@ -403,6 +403,13 @@ KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, 0, &request->authorization_data, &scratch); + if (code != 0) + code = krb5_c_decrypt(context, + client_key, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, + 0, &request->authorization_data, + &scratch); + if (code != 0) { free(scratch.data); return code; From ghudson at MIT.EDU Fri Apr 3 14:14:40 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 3 Apr 2009 14:14:40 -0400 Subject: svn rev #22169: trunk/src/lib/krb5/os/ Message-ID: <200904031814.n33IEeP9026888@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22169 Commit By: ghudson Log Message: Adjust the logic in rule_an_to_ln to avoid a "can't happen" case of strchr returning null when searching for a character we know is there. Also properly return ENOMEM if we fail to allocate selstring. Changed Files: U trunk/src/lib/krb5/os/an_to_ln.c Modified: trunk/src/lib/krb5/os/an_to_ln.c =================================================================== --- trunk/src/lib/krb5/os/an_to_ln.c 2009-04-03 05:36:25 UTC (rev 22168) +++ trunk/src/lib/krb5/os/an_to_ln.c 2009-04-03 18:14:40 UTC (rev 22169) 
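Review bot: The added fallback in kdc_authdata.c runs on any failure of the session-key decrypt, whether or not the request carried a subkey. The hunk does not show if `client_key` can be NULL at this point; if it can, the condition should be `if (code != 0 && client_key != NULL)`. The log message says authorization data must be encrypted in the subkey when one is present, yet the session key is still tried first and accepted, so a comment saying that this order is intentional (and why) belongs above the first call. The second attempt also reuses `scratch` after a failed decrypt, and its error code replaces the first one, which makes the original failure invisible to the caller.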
@@ -488,7 +488,7 @@ char *current; char *fprincname; char *selstring = 0; - int num_comps, compind; + int num_comps, compind, pos; size_t selstring_used; char *cout; krb5_const krb5_data *datap; @@ -503,16 +503,16 @@ * First part. */ if (*current == '[') { - if (sscanf(current+1,"%d:", &num_comps) == 1) { + current++; + if (sscanf(current,"%d:%n", &num_comps, &pos) == 1) { if (num_comps == aname->length) { /* * We have a match based on the number of components. */ - current = strchr(current, ':'); + current += pos; selstring = (char *) malloc(MAX_FORMAT_BUFFER); selstring_used = 0; - if (current && selstring) { - current++; + if (selstring) { cout = selstring; /* * Plow through the string. @@ -572,6 +572,8 @@ errout: if (kret) free(selstring); } + else + kret = ENOMEM; } else kret = KRB5_LNAME_NOTRANS; From hartmans at MIT.EDU Fri Apr 3 23:03:05 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 3 Apr 2009 23:03:05 -0400 Subject: svn rev #22170: trunk/src/ kdc/ lib/krb5/krb/ Message-ID: <200904040303.n3433532025490@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22170 Commit By: hartmans Log Message: ticket: 6436 fix logic errors Changed Files: U trunk/src/kdc/fast_util.c U trunk/src/lib/krb5/krb/get_in_tkt.c Modified: trunk/src/kdc/fast_util.c =================================================================== --- trunk/src/kdc/fast_util.c 2009-04-03 18:14:40 UTC (rev 22169) +++ trunk/src/kdc/fast_util.c 2009-04-04 03:03:04 UTC (rev 22170) 
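Review bot: `pos` can be read uninitialised in the `@@ -503,16 +503,16 @@` hunk, because `sscanf(current,"%d:%n", &num_comps, &pos)` returns 1 as soon as `%d` converts, while `%n` is stored only if the literal `:` also matched. For a rule that has digits after `[` but no colon, `current += pos` then moves the pointer by an indeterminate amount, a case the removed `strchr` NULL check used to catch. Setting `pos = -1;` before the call and testing `if (sscanf(current,"%d:%n", &num_comps, &pos) == 1 && pos > 0) {` closes it. The function starts and ends outside these hunks.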
@@ -211,7 +211,7 @@ else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); if (retval == 0 && cookie_padata != NULL) { krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); - if (new_padata != NULL) { + if (new_padata == NULL) { retval = ENOMEM; } else { new_padata->pa_type = KRB5_PADATA_FX_COOKIE; Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-03 18:14:40 UTC (rev 22169) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-04 03:03:04 UTC (rev 22170) @@ -1472,7 +1472,7 @@ if (ret) goto cleanup; if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &as_key, krb5_kdc_rep_decrypt_proc, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, NULL))) goto cleanup; } From hartmans at MIT.EDU Sun Apr 5 17:11:27 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Sun, 5 Apr 2009 17:11:27 -0400 Subject: svn rev #22171: trunk/src/kdc/ Message-ID: <200904052111.n35LBROA024934@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22171 Commit By: hartmans Log Message: ticket: 6439 Subject: Implement KDC side of TGS FAST target_version: 1.7 tags: pullup Most of the KDC side of TGS FAST was already present. This adds correct generation of the reply key. Changed Files: U trunk/src/kdc/do_tgs_req.c Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-04-04 03:03:04 UTC (rev 22170) +++ trunk/src/kdc/do_tgs_req.c 2009-04-05 21:11:26 UTC (rev 22171) 
@@ -98,12 +98,13 @@ krb5_transited enc_tkt_transited; int newtransited = 0; krb5_error_code retval = 0; + krb5_keyblock encrypting_key; int nprincs = 0; krb5_boolean more; krb5_timestamp kdc_time, authtime=0; krb5_keyblock session_key; krb5_timestamp until, rtime; - krb5_keyblock encrypting_key; + krb5_keyblock *reply_key = NULL; krb5_keyblock *mkey_ptr; krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; @@ -884,10 +885,14 @@ status = "Preparing FAST padata"; goto cleanup; } + errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); + if (errcode) { + status = "generating reply key"; + goto cleanup; + } errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, - subkey ? subkey : - header_ticket->enc_part2->session, + reply_key, &reply, response); if (errcode) { status = "ENCODE_KDC_REP"; @@ -906,6 +911,8 @@ cleanup: assert(status != NULL); + if (reply_key) + krb5_free_keyblock(kdc_context, reply_key); if (errcode) emsg = krb5_get_error_message (kdc_context, errcode); log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, From epeisach at MIT.EDU Tue Apr 7 13:57:57 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 7 Apr 2009 13:57:57 -0400 Subject: svn rev #22172: trunk/src/util/ss/ Message-ID: <200904071757.n37HvvaG026308@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22172 Commit By: epeisach Log Message: ticket: 6442 subject: Null pointer defref in adding info Clearly the code is broken - and we either never use it - or callers never pass NULL... Detected by clang static checker. Changed Files: U trunk/src/util/ss/help.c Modified: trunk/src/util/ss/help.c =================================================================== --- trunk/src/util/ss/help.c 2009-04-05 21:11:26 UTC (rev 22171) +++ trunk/src/util/ss/help.c 2009-04-07 17:57:56 UTC (rev 22172) 
@@ -107,7 +107,7 @@ register char **dirs; info = ss_info(sci_idx); - if (info_dir == NULL && *info_dir) { + if ((info_dir == NULL) || (*info_dir == '\0')) { *code_ptr = SS_ET_NO_INFO_DIR; return; } From tlyu at MIT.EDU Tue Apr 7 17:22:13 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 17:22:13 -0400 Subject: svn rev #22173: trunk/src/lib/gssapi/spnego/ Message-ID: <200904072122.n37LMD3J006317@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22173 Commit By: tlyu Log Message: ticket: 6417 Apply revised patch from Apple that ensures that a REJECT token is sent on error. Changed Files: U trunk/src/lib/gssapi/spnego/spnego_mech.c Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-04-07 17:57:56 UTC (rev 22172) +++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-04-07 21:22:13 UTC (rev 22173) @@ -1650,8 +1650,7 @@ &negState, &return_token); } cleanup: - if (return_token == INIT_TOKEN_SEND || - return_token == CONT_TOKEN_SEND) { + if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { /* For acceptor-sends-first send a tokenInit */ int tmpret; @@ -1666,7 +1665,8 @@ return_token, output_token); } else { - tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, + tmpret = make_spnego_tokenTarg_msg(negState, + sc ? sc->internal_mech : GSS_C_NO_OID, &mechtok_out, mic_out, return_token, output_token); @@ -3025,6 +3025,8 @@ if (outbuf == GSS_C_NO_BUFFER) return (GSS_S_DEFECTIVE_TOKEN); + if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) + return (GSS_S_DEFECTIVE_TOKEN); outbuf->length = 0; outbuf->value = NULL; From tlyu at MIT.EDU Tue Apr 7 17:22:20 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 17:22:20 -0400 Subject: svn rev #22175: trunk/src/lib/krb5/asn.1/ Message-ID: <200904072122.n37LMKXN006439@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22175 Commit By: tlyu Log Message: ticket: 6444 subject: CVE-2009-0847 asn1buf_imbed incorrect length validation tags: pullup target_version: 1.7 asn1buf_imbed() can perform pointer arithmetic that causes the "bound" pointer of the subbuffer to be less than the "next" pointer. This can lead to malloc() failure or crash. In asn1buf_imbed(), check the length before doing arithmetic to set subbuf->bound. In asn1buf_remove_octetstring() and asn1buf_remove_charstring(), check for invalid buffer pointers before executing an unsigned length check against a (casted to size_t) negative number. Changed Files: U trunk/src/lib/krb5/asn.1/asn1buf.c Modified: trunk/src/lib/krb5/asn.1/asn1buf.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1buf.c 2009-04-07 21:22:17 UTC (rev 22174) +++ trunk/src/lib/krb5/asn.1/asn1buf.c 2009-04-07 21:22:20 UTC (rev 22175) @@ -92,11 +92,11 @@ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) { + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; subbuf->base = subbuf->next = buf->next; if (!indef) { + if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; subbuf->bound = subbuf->base + length - 1; - if (subbuf->bound > buf->bound) - return ASN1_OVERRUN; } else /* constructed indefinite */ subbuf->bound = buf->bound; return 0; @@ -205,6 +205,7 @@ { unsigned int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; if (len == 0) { *s = 0; 
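Review bot: The new guard `if (buf->next > buf->bound + 1) return ASN1_OVERRUN;` in `asn1buf_imbed` has no comment, and its purpose is hard to see without the log message: it keeps `buf->bound + 1 - buf->next` from going negative before the `(size_t)` cast on the following check. I would put `/* next == bound + 1 is an exhausted buffer; past that, the size_t cast below would wrap */` above it here and above the identical guards in the `@@ -205,6 +205,7 @@` and `@@ -223,6 +224,7 @@` hunks. Since the same two-line test now appears three times, a small static helper that returns the remaining byte count or fails would keep the copies from drifting apart. Both new `if` statements also put the `return` on the same line, unlike the statement they replace.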
@@ -223,6 +224,7 @@ { unsigned int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; if (len == 0) { *s = 0; From tlyu at MIT.EDU Tue Apr 7 17:22:17 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 17:22:17 -0400 Subject: svn rev #22174: trunk/src/lib/gssapi/spnego/ Message-ID: <200904072122.n37LMH1r006379@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22174 Commit By: tlyu Log Message: ticket: 6443 subject: CVE-2009-0844 SPNEGO can read beyond buffer end tags: pullup target_version: 1.7 SPNEGO can read beyond the end of a buffer if the claimed DER length exceeds the number of bytes in the input buffer. This can lead to crash or information disclosure. Thanks to Apple for reporting this vulnerability and providing patches. Changed Files: U trunk/src/lib/gssapi/spnego/spnego_mech.c Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-04-07 21:22:13 UTC (rev 22173) +++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-04-07 21:22:17 UTC (rev 22174) @@ -83,8 +83,8 @@ /* der routines defined in libgss */ extern unsigned int gssint_der_length_size(OM_uint32); -extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); -extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); +extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); +extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); /* private routines for spnego_mechanism */ 
@@ -2390,22 +2390,16 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) { gss_buffer_t input_token; - unsigned int bytes; + unsigned int len; - if (**buff_in != OCTET_STRING) + if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) return (NULL); - (*buff_in)++; input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); - if (input_token == NULL) return (NULL); - input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); - if ((int)input_token->length == -1) { - free(input_token); - return (NULL); - } + input_token->length = len; input_token->value = malloc(input_token->length); if (input_token->value == NULL) { @@ -2457,8 +2451,8 @@ { gss_OID_set returned_mechSet; OM_uint32 major_status; - OM_uint32 length; - OM_uint32 bytes; + int length; + unsigned int bytes; OM_uint32 set_length; unsigned char *start; int i; @@ -2470,23 +2464,26 @@ (*buff_in)++; length = gssint_get_der_length(buff_in, buff_length, &bytes); + if (length < 0 || buff_length - bytes < (unsigned int)length) + return NULL; major_status = gss_create_empty_oid_set(minor_status, &returned_mechSet); if (major_status != GSS_S_COMPLETE) return (NULL); - for (set_length = 0, i = 0; set_length < length; i++) { + for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, buff_length - (*buff_in - start)); - if (temp != NULL) { - major_status = gss_add_oid_set_member(minor_status, - temp, &returned_mechSet); - if (major_status == GSS_S_COMPLETE) { + if (temp == NULL) + break; + + major_status = gss_add_oid_set_member(minor_status, + temp, &returned_mechSet); + if (major_status == GSS_S_COMPLETE) { set_length += returned_mechSet->elements[i].length +2; if (generic_gss_release_oid(minor_status, &temp)) - map_errcode(minor_status); - } + map_errcode(minor_status); } } 
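Review bot: In the `get_mech_set` hunk the new bound `buff_length - bytes < (unsigned int)length` does not subtract the tag byte skipped by `(*buff_in)++` just above it, so if `buff_length` still counts that byte, the check admits a claimed length one byte longer than what remains. The per-element reads are still limited by `buff_length - (*buff_in - start)`, so this looks like a loose bound, not an over-read, but the comparison should be made against the same remaining-bytes expression. In the rewritten loop, a failed `gss_add_oid_set_member` leaves `temp` unreleased and the loop continues with `i` advanced, so the `generic_gss_release_oid` call should move out of the `GSS_S_COMPLETE` branch and the failure path should `break`. The function begins and ends outside the hunk.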
@@ -2665,7 +2662,7 @@ return GSS_S_DEFECTIVE_TOKEN; if (*ptr++ == SEQUENCE) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; } if (REMAIN < 1) @@ -2675,7 +2672,7 @@ if (tag == CONTEXT) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; if (g_get_tag_and_length(&ptr, ENUMERATED, @@ -2696,7 +2693,7 @@ } if (tag == (CONTEXT | 0x01)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); @@ -2710,7 +2707,7 @@ } if (tag == (CONTEXT | 0x02)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *responseToken = get_input_token(&ptr, REMAIN); @@ -2724,7 +2721,7 @@ } if (tag == (CONTEXT | 0x03)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *mechListMIC = get_input_token(&ptr, REMAIN); @@ -3269,7 +3266,7 @@ unsigned char *ptr = *buf; int ret = -1; /* pessimists, assume failure ! */ unsigned int encoded_len; - unsigned int tmplen = 0; + int tmplen = 0; *outlen = 0; if (buflen > 1 && *ptr == tag) { @@ -3278,7 +3275,7 @@ &encoded_len); if (tmplen < 0) { ret = -1; - } else if (tmplen > buflen - (ptr - *buf)) { + } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { ret = -1; } else ret = 0; From tlyu at MIT.EDU Tue Apr 7 17:22:23 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 17:22:23 -0400 Subject: svn rev #22176: trunk/src/ lib/krb5/asn.1/ tests/asn.1/ Message-ID: <200904072122.n37LMNeZ006485@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22176 Commit By: tlyu Log Message: ticket: 6445 subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer tags: pullup target_version: 1.7 The asn1_decode_generaltime() function can free an uninitialized pointer if asn1buf_remove_charstring() fails. Changed Files: U trunk/src/lib/krb5/asn.1/asn1_decode.c U trunk/src/tests/asn.1/krb5_decode_test.c Modified: trunk/src/lib/krb5/asn.1/asn1_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_decode.c 2009-04-07 21:22:20 UTC (rev 22175) +++ trunk/src/lib/krb5/asn.1/asn1_decode.c 2009-04-07 21:22:23 UTC (rev 22176) @@ -231,6 +231,7 @@ if (length != 15) return ASN1_BAD_LENGTH; retval = asn1buf_remove_charstring(buf,15,&s); + if (retval) return retval; /* Time encoding: YYYYMMDDhhmmssZ */ if (s[14] != 'Z') { free(s); Modified: trunk/src/tests/asn.1/krb5_decode_test.c =================================================================== --- trunk/src/tests/asn.1/krb5_decode_test.c 2009-04-07 21:22:20 UTC (rev 22175) +++ trunk/src/tests/asn.1/krb5_decode_test.c 2009-04-07 21:22:23 UTC (rev 22176) 
@@ -486,6 +486,22 @@ ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + + retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); + if (retval) { + com_err("krb5_decode_test", retval, "while parsing"); + exit(1); + } + retval = decode_krb5_ap_rep_enc_part(&code, &var); + if (retval != ASN1_OVERRUN) { + printf("ERROR: "); + } else { + printf("OK: "); + } + printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); + krb5_free_data_contents(test_context, &code); + krb5_free_ap_rep_enc_part(test_context, var); + ktest_empty_ap_rep_enc_part(&ref); } From epeisach at MIT.EDU Tue Apr 7 19:59:26 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 7 Apr 2009 19:59:26 -0400 Subject: svn rev #22177: trunk/src/util/support/ Message-ID: <200904072359.n37NxQPO014957@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22177 Commit By: epeisach Log Message: ticket: Subject k5_utf8s_to_ucs2s could deref NULL pointer... Based on usage of this static function, this will never happen as results are always malloced (and checked) by caller. However, the function is already coded to handle the first argument being null - so be consistent throughout. Changed Files: U trunk/src/util/support/utf8_conv.c Modified: trunk/src/util/support/utf8_conv.c =================================================================== --- trunk/src/util/support/utf8_conv.c 2009-04-07 21:22:23 UTC (rev 22176) +++ trunk/src/util/support/utf8_conv.c 2009-04-07 23:59:25 UTC (rev 22177) 
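Review bot: The added negative test calls `krb5_free_ap_rep_enc_part(test_context, var)` whether or not `decode_krb5_ap_rep_enc_part` succeeded, and the expected outcome is a failure. The hunk does not show that the decoder clears its output on error; if it does not, `var` still holds whatever the previous `decode_run` left there. Setting `var = NULL;` before the call makes the free safe in either case. The mismatch branch only prints `ERROR: ` and carries on, so unless the harness compares output against a reference file, a regression here would not fail the test run.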
@@ -119,10 +119,12 @@ } assert(ucs2len < count); + + if (ucs2str != NULL) { + /* Add null terminator if there's room in the buffer. */ + ucs2str[ucs2len] = 0; + } - /* Add null terminator if there's room in the buffer. */ - ucs2str[ucs2len] = 0; - return ucs2len; } From tlyu at MIT.EDU Tue Apr 7 21:22:45 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 21:22:45 -0400 Subject: svn rev #22178: branches/krb5-1-6/src/lib/gssapi/spnego/ Message-ID: <200904080122.n381MjhD019643@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22178 Commit By: tlyu Log Message: ticket: 6426 Apply revised patch from Apple that ensures that a REJECT token is sent on error. Changed Files: U branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-04-07 23:59:25 UTC (rev 22177) +++ branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-04-08 01:22:45 UTC (rev 22178) @@ -1248,9 +1248,9 @@ &negState, &return_token); } cleanup: - if (return_token == INIT_TOKEN_SEND || - return_token == CONT_TOKEN_SEND) { - tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, + if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { + tmpret = make_spnego_tokenTarg_msg(negState, + sc ? sc->internal_mech : GSS_C_NO_OID, &mechtok_out, mic_out, return_token, output_token); @@ -2465,6 +2465,8 @@ if (outbuf == GSS_C_NO_BUFFER) return (GSS_S_DEFECTIVE_TOKEN); + if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) + return (GSS_S_DEFECTIVE_TOKEN); outbuf->length = 0; outbuf->value = NULL; From tlyu at MIT.EDU Tue Apr 7 21:22:52 2009 
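Review bot: The comment `Add null terminator if there's room in the buffer` describes a check the code does not make: the only bound on `ucs2len` visible in this hunk is `assert(ucs2len < count)`, which compiles away under NDEBUG. If `count` is the capacity of `ucs2str` (the rest of the function is outside the hunk), folding the bound into the new test keeps the write in range in release builds as well: `if (ucs2str != NULL && ucs2len < count) {`.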
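Review bot: The added `mech_wanted == GSS_C_NO_OID` check in the @@ -2465 hunk of spnego_mech.c returns GSS_S_DEFECTIVE_TOKEN before `outbuf->length = 0; outbuf->value = NULL;` has run, so on that path the caller's buffer keeps whatever it held. A caller that releases the output token after a failure would then act on stale fields unless it cleared them itself, which is not visible here. Moving the new check below the two assignments keeps the error return and leaves `outbuf` in a defined empty state. The function starts outside the hunk.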
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 21:22:52 -0400 Subject: svn rev #22179: branches/krb5-1-6/src/lib/gssapi/spnego/ Message-ID: <200904080122.n381MqpV019689@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22179 Commit By: tlyu Log Message: ticket: 6446 subject: CVE-2009-0844 (1.6.x) SPNEGO can read beyond buffer end tags: pullup target_version: 1.6.4 version_fixd: 1.6.4 pull up rxxxxx from trunk SPNEGO can read beyond the end of a buffer if the claimed DER length exceeds the number of bytes in the input buffer. This can lead to crash or information disclosure. Thanks to Apple for reporting this vulnerability and providing patches. Changed Files: U branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-04-08 01:22:45 UTC (rev 22178) +++ branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-04-08 01:22:51 UTC (rev 22179) @@ -54,8 +54,8 @@ /* der routines defined in libgss */ extern unsigned int gssint_der_length_size(OM_uint32); -extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); -extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); +extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); +extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); /* private routines for spnego_mechanism */ 
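Review bot: The `extern` prototypes for gssint_get_der_length() and gssint_put_der_length() are redeclared by hand in spnego_mech.c, and this hunk apparently exists because they had drifted from the definitions (`OM_uint32*` against `unsigned int*`). The compiler cannot catch such a mismatch across translation units, and here it decides how a parsed DER length is stored. Including the libgss header that declares these routines, if there is one (not visible on this page), or at least adding `/* must match the definitions in libgss */` above them, would make the next signature change harder to miss.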
@@ -1803,22 +1803,16 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) { gss_buffer_t input_token; - unsigned int bytes; + unsigned int len; - if (**buff_in != OCTET_STRING) + if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) return (NULL); - (*buff_in)++; input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); - if (input_token == NULL) return (NULL); - input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); - if ((int)input_token->length == -1) { - free(input_token); - return (NULL); - } + input_token->length = len; input_token->value = malloc(input_token->length); if (input_token->value == NULL) { @@ -1870,8 +1864,8 @@ { gss_OID_set returned_mechSet; OM_uint32 major_status; - OM_uint32 length; - OM_uint32 bytes; + int length; + unsigned int bytes; OM_uint32 set_length; unsigned char *start; int i; @@ -1883,22 +1877,25 @@ (*buff_in)++; length = gssint_get_der_length(buff_in, buff_length, &bytes); + if (length < 0 || buff_length - bytes < (unsigned int)length) + return NULL; major_status = gss_create_empty_oid_set(minor_status, &returned_mechSet); if (major_status != GSS_S_COMPLETE) return (NULL); - for (set_length = 0, i = 0; set_length < length; i++) { + for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, buff_length - (*buff_in - start)); - if (temp != NULL) { - major_status = gss_add_oid_set_member(minor_status, - temp, &returned_mechSet); - if (major_status == GSS_S_COMPLETE) { + if (temp == NULL) + break; + + major_status = gss_add_oid_set_member(minor_status, + temp, &returned_mechSet); + if (major_status == GSS_S_COMPLETE) { set_length += returned_mechSet->elements[i].length +2; generic_gss_release_oid(minor_status, &temp); - } } } 
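Review bot: In the rewritten loop of the @@ -1883 hunk, a gss_add_oid_set_member() result other than GSS_S_COMPLETE neither releases `temp` nor leaves the loop, so `i` advances while `set_length` and the set do not. A later successful pass then reads `returned_mechSet->elements[i].length` at an index past the members actually added, and the `temp` from the failed pass is leaked. Ending the loop on failure addresses both: `if (major_status != GSS_S_COMPLETE) { generic_gss_release_oid(minor_status, &temp); break; }` placed right after the call. The function continues past the end of the hunk, so how a partially built set is returned is not visible.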
@@ -2098,7 +2095,7 @@ return GSS_S_DEFECTIVE_TOKEN; if (*ptr++ == SEQUENCE) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; } if (REMAIN < 1) @@ -2108,7 +2105,7 @@ if (tag == CONTEXT) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; if (g_get_tag_and_length(&ptr, ENUMERATED, @@ -2129,7 +2126,7 @@ } if (tag == (CONTEXT | 0x01)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); @@ -2143,7 +2140,7 @@ } if (tag == (CONTEXT | 0x02)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *responseToken = get_input_token(&ptr, REMAIN); @@ -2157,7 +2154,7 @@ } if (tag == (CONTEXT | 0x03)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *mechListMIC = get_input_token(&ptr, REMAIN); @@ -2718,7 +2715,7 @@ &encoded_len); if (tmplen < 0) { ret = -1; - } else if (tmplen > buflen - (ptr - *buf)) { + } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { ret = -1; } else ret = 0; From tlyu at MIT.EDU Tue Apr 7 21:22:58 2009 
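Review bot: Each of the five added `REMAIN < (unsigned int)tmplen` checks (hunks @@ -2098 to @@ -2157) validates the claimed length of the enclosing element, but the parse that follows is still bounded by `REMAIN`, as in `get_mech_oid(minor_status, &ptr, REMAIN)` and `get_input_token(&ptr, REMAIN)`. An inner element can therefore extend past the end of its enclosing context tag as long as it stays inside the input buffer. Passing the validated length instead, `*supportedMech = get_mech_oid(minor_status, &ptr, (unsigned int)tmplen);` and likewise for the two get_input_token() calls, would tie the inner parse to the enclosing length. `REMAIN` is a macro defined outside these hunks, so its signedness in the new comparison should be confirmed as well.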
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 21:22:58 -0400 Subject: svn rev #22180: branches/krb5-1-6/src/lib/krb5/asn.1/ Message-ID: <200904080122.n381MwWW019736@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22180 Commit By: tlyu Log Message: ticket: 6447 subject: CVE-2009-0847 (1.6.x) asn1buf_imbed incorrect length validatin tags: pullup target_version: 1.6.4 version_fixed: 1.6.4 pull up rxxxx from trunk asn1buf_imbed() can perform pointer arithmetic that causes the "bound" pointer of the subbuffer to be less than the "next" pointer. This can lead to malloc() failure or crash. In asn1buf_imbed(), check the length before doing arithmetic to set subbuf->bound. In asn1buf_remove_octetstring() and asn1buf_remove_charstring(), check for invalid buffer pointers before executing an unsigned length check against a (casted to size_t) negative number. Changed Files: U branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c Modified: branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c =================================================================== --- branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c 2009-04-08 01:22:51 UTC (rev 22179) +++ branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c 2009-04-08 01:22:57 UTC (rev 22180) @@ -78,11 +78,11 @@ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) { + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; subbuf->base = subbuf->next = buf->next; if (!indef) { + if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; subbuf->bound = subbuf->base + length - 1; - if (subbuf->bound > buf->bound) - return ASN1_OVERRUN; } else /* constructed indefinite */ subbuf->bound = buf->bound; return 0; @@ -200,6 +200,7 @@ { int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; if (len == 0) { *s = 0; 
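Review bot: The guard `if (buf->next > buf->bound + 1) return ASN1_OVERRUN;` is now written out three times (asn1buf_imbed, and the @@ -200 and @@ -218 hunks), and the length comparison after it is spelled differently in each place. asn1buf_imbed casts the pointer difference with `(size_t)`, while the other two compare `len` against `buf->bound + 1 - buf->next` and leave the conversion to the usual arithmetic rules. With the new guard the difference is non-negative, so both forms agree, but the uncast form reads as if a negative difference were still possible. Writing the same expression in all three, `if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;`, or moving guard and comparison into one static helper, would keep the checks from diverging. All three function bodies continue outside their hunks.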
@@ -218,6 +219,7 @@ { int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; if (len == 0) { *s = 0; From tlyu at MIT.EDU Tue Apr 7 21:23:04 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 7 Apr 2009 21:23:04 -0400 Subject: svn rev #22181: branches/krb5-1-6/src/ lib/krb5/asn.1/ tests/asn.1/ Message-ID: <200904080123.n381N4he019782@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22181 Commit By: tlyu Log Message: ticket: 6448 subject: CVE-2009-0846 (1.6.x) asn1_decode_generaltime can free uninitialized pointer tags: pullup target_version: 1.6.4 version_fixed: 1.6.4 pull up rxxxx from trunk The asn1_decode_generaltime() function can free an uninitialized pointer if asn1buf_remove_charstring() fails. Changed Files: U branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c U branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c Modified: branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c =================================================================== --- branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c 2009-04-08 01:22:57 UTC (rev 22180) +++ branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c 2009-04-08 01:23:03 UTC (rev 22181) @@ -231,6 +231,7 @@ if(length != 15) return ASN1_BAD_LENGTH; retval = asn1buf_remove_charstring(buf,15,&s); + if (retval) return retval; /* Time encoding: YYYYMMDDhhmmssZ */ if(s[14] != 'Z') { free(s); Modified: branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c =================================================================== --- branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c 2009-04-08 01:22:57 UTC (rev 22180) +++ branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c 2009-04-08 01:23:03 UTC (rev 22181) 
@@ -485,6 +485,22 @@ ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + + retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); + if (retval) { + com_err("krb5_decode_test", retval, "while parsing"); + exit(1); + } + retval = decode_krb5_ap_rep_enc_part(&code, &var); + if (retval != ASN1_OVERRUN) { + printf("ERROR: "); + } else { + printf("OK: "); + } + printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); + krb5_free_data_contents(test_context, &code); + if (!retval) krb5_free_ap_rep_enc_part(test_context, var); + ktest_empty_ap_rep_enc_part(&ref); } From ghudson at MIT.EDU Wed Apr 8 11:22:17 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 8 Apr 2009 11:22:17 -0400 Subject: svn rev #22182: trunk/src/lib/krb5/krb/ Message-ID: <200904081522.n38FMHPV007838@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22182 Commit By: ghudson Log Message: ticket: 6108 tags: pullup target_version: 1.7 When getting initial credentials with a password, try the master if preauth fails on a slave, since preauth can fail due to an out-of-date key. This removes a snippet added in r14939 which was considering only hardware preauth. Changed Files: U trunk/src/lib/krb5/krb/gic_pwd.c Modified: trunk/src/lib/krb5/krb/gic_pwd.c =================================================================== --- trunk/src/lib/krb5/krb/gic_pwd.c 2009-04-08 01:23:03 UTC (rev 22181) +++ trunk/src/lib/krb5/krb/gic_pwd.c 2009-04-08 15:22:17 UTC (rev 22182) 
@@ -144,10 +144,9 @@ goto cleanup; /* If all the kdc's are unavailable, or if the error was due to a - user interrupt, or preauth errored out, fail */ + user interrupt, fail */ if ((ret == KRB5_KDC_UNREACH) || - (ret == KRB5_PREAUTH_FAILED) || (ret == KRB5_LIBOS_PWDINTR) || (ret == KRB5_REALM_CANT_RESOLVE)) goto cleanup; From epeisach at MIT.EDU Wed Apr 8 11:25:44 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Wed, 8 Apr 2009 11:25:44 -0400 Subject: svn rev #22183: trunk/src/kdc/ Message-ID: <200904081525.n38FPi8D008163@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22183 Commit By: epeisach Log Message: ticket: 6449 subject: Fall through on error return If decoding the encoded_req_body fails, proceed goto errout instead of falling through to fast handling. Looks like a merge error. Reindented code. Changed Files: U trunk/src/kdc/do_as_req.c Modified: trunk/src/kdc/do_as_req.c =================================================================== --- trunk/src/kdc/do_as_req.c 2009-04-08 15:22:17 UTC (rev 22182) +++ trunk/src/kdc/do_as_req.c 2009-04-08 15:25:43 UTC (rev 22183) @@ -144,9 +144,10 @@ } if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { - errcode = ASN1_BAD_ID; - status = "Finding req_body"; -} + errcode = ASN1_BAD_ID; + status = "Finding req_body"; + goto errout; + } errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); if (errcode) { status = "error decoding FAST"; From ghudson at MIT.EDU Wed Apr 8 11:58:24 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 8 Apr 2009 11:58:24 -0400 Subject: svn rev #22184: trunk/src/lib/krb5/ error_tables/ krb/ Message-ID: <200904081558.n38FwObX009927@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22184 Commit By: ghudson Log Message: ticket: 1165 mk_safe and mk_priv require the local address to be set in the auth context; rd_safe and rd_priv require the remote address to be set. Create error codes for both kinds of missing addresses and stop trying futilely to handle the cases where they are not set. Changed Files: U trunk/src/lib/krb5/error_tables/krb5_err.et U trunk/src/lib/krb5/krb/mk_priv.c U trunk/src/lib/krb5/krb/mk_safe.c U trunk/src/lib/krb5/krb/rd_priv.c U trunk/src/lib/krb5/krb/rd_safe.c Modified: trunk/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- trunk/src/lib/krb5/error_tables/krb5_err.et 2009-04-08 15:25:43 UTC (rev 22183) +++ trunk/src/lib/krb5/error_tables/krb5_err.et 2009-04-08 15:58:24 UTC (rev 22184) @@ -348,4 +348,7 @@ error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" + +error_code KRB5_LOCAL_ADDR_REQUIRED, "Auth context must contain local address" +error_code KRB5_REMOTE_ADDR_REQUIRED, "Auth context must contain remote address" end Modified: trunk/src/lib/krb5/krb/mk_priv.c =================================================================== --- trunk/src/lib/krb5/krb/mk_priv.c 2009-04-08 15:25:43 UTC (rev 22183) +++ trunk/src/lib/krb5/krb/mk_priv.c 2009-04-08 15:58:24 UTC (rev 22184) @@ -136,6 +136,9 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, 
@@ -154,28 +157,26 @@ } else { outdata->seq = replaydata.seq; } - } + } { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))) { - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))) { + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; + goto error; } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) { Modified: trunk/src/lib/krb5/krb/mk_safe.c =================================================================== --- trunk/src/lib/krb5/krb/mk_safe.c 2009-04-08 15:25:43 UTC (rev 22183) +++ trunk/src/lib/krb5/krb/mk_safe.c 2009-04-08 15:58:24 UTC (rev 22184) @@ -136,6 +136,9 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, 
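Review bot: `krb5_address * plocal_fulladdr;` loses its `= NULL` initialiser in this mk_priv.c hunk, so the pointer is indeterminate until one of the two branches assigns it. mk_safe.c repeats the change, and `premote_fulladdr` loses its initialiser the same way in rd_priv.c and rd_safe.c. The failing krb5_make_fulladdr() branch does `goto error` without assigning, and the code at `error` is outside the hunk, so whether it reads the pointer cannot be checked here. Keeping the initialiser costs nothing and turns any such read into a NULL rather than a stack value: `krb5_address * plocal_fulladdr = NULL;`.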
@@ -156,27 +159,24 @@ { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; krb5_cksumtype sumtype; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; - } - + goto error; + } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) { Modified: trunk/src/lib/krb5/krb/rd_priv.c =================================================================== --- trunk/src/lib/krb5/krb/rd_priv.c 2009-04-08 15:25:43 UTC (rev 22183) +++ trunk/src/lib/krb5/krb/rd_priv.c 2009-04-08 15:58:24 UTC (rev 22184) @@ -169,12 +169,15 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr; 
@@ -195,20 +198,18 @@ } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - CLEANUP_DONE(); - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + CLEANUP_DONE(); + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata)); Modified: trunk/src/lib/krb5/krb/rd_safe.c =================================================================== --- trunk/src/lib/krb5/krb/rd_safe.c 2009-04-08 15:25:43 UTC (rev 22183) +++ trunk/src/lib/krb5/krb/rd_safe.c 2009-04-08 15:58:24 UTC (rev 22184) @@ -177,12 +177,15 @@ (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + /* Get keyblock */ if ((keyblock = auth_context->recv_subkey) == NULL) keyblock = auth_context->keyblock; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr; 
@@ -203,19 +206,17 @@ } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata)); From ghudson at MIT.EDU Wed Apr 8 12:39:34 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 8 Apr 2009 12:39:34 -0400 Subject: svn rev #22185: trunk/src/lib/gssapi/ generic/ krb5/ Message-ID: <200904081639.n38GdYts012782@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22185 Commit By: ghudson Log Message: ticket: 6203 tags: pullup target_version: 1.7 Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG, which requests delegation only if the ok-as-delegate ticket flag is set. Changed Files: U trunk/src/lib/gssapi/generic/gssapi.hin U trunk/src/lib/gssapi/krb5/init_sec_context.c Modified: trunk/src/lib/gssapi/generic/gssapi.hin =================================================================== --- trunk/src/lib/gssapi/generic/gssapi.hin 2009-04-08 15:58:24 UTC (rev 22184) +++ trunk/src/lib/gssapi/generic/gssapi.hin 2009-04-08 16:39:33 UTC (rev 22185) 
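Review bot: The failure branch of krb5_make_fulladdr() in rd_safe.c returns with a bare `return retval;`, while the same branch in rd_priv.c (the @@ -195 hunk) calls `CLEANUP_DONE();` first. If the block just above this hunk has already pushed `local_fulladdr.contents` with CLEANUP_PUSH, which the hunk does not show, that allocation is leaked on this path. Matching rd_priv.c would close it: `CLEANUP_DONE(); return retval;`.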
@@ -141,6 +141,7 @@ #define GSS_C_ANON_FLAG 64 #define GSS_C_PROT_READY_FLAG 128 #define GSS_C_TRANS_FLAG 256 +#define GSS_C_DELEG_POLICY_FLAG 32768 /* * Credential usage options Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-04-08 15:58:24 UTC (rev 22184) +++ trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-04-08 16:39:33 UTC (rev 22185) @@ -209,7 +209,8 @@ if (code) { /* don't fail here; just don't accept/do the delegation request */ - data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; + data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG | + GSS_C_DELEG_POLICY_FLAG); data->checksum_data.length = 24; } else { @@ -495,6 +496,14 @@ ctx->krb_times = k_cred->times; + /* + * GSS_C_DELEG_POLICY_FLAG means to delegate only if the + * ok-as-delegate ticket flag is set. + */ + if ((req_flags & GSS_C_DELEG_POLICY_FLAG) + && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG; + if (default_mech) { mech_type = (gss_OID) gss_mech_krb5; } From epeisach at MIT.EDU Thu Apr 9 07:53:28 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Thu, 9 Apr 2009 07:53:28 -0400 Subject: svn rev #22186: trunk/src/kdc/ Message-ID: <200904091153.n39BrSL8013082@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22186 Commit By: epeisach Log Message: ticket: 6450 subject: kdc: handle_referral_params does not return ENOMEM errors tags: pullup retval was set but never returned. Changed Files: U trunk/src/kdc/main.c Modified: trunk/src/kdc/main.c =================================================================== --- trunk/src/kdc/main.c 2009-04-08 16:39:33 UTC (rev 22185) +++ trunk/src/kdc/main.c 2009-04-09 11:53:27 UTC (rev 22186) 
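Review bot: The comment added in the @@ -495 hunk of init_sec_context.c says when GSS_C_DELEG_POLICY_FLAG leads to delegation, but not what happens when the flag is requested and the ticket lacks TKT_FLG_OK_AS_DELEGATE, or when GSS_C_DELEG_FLAG is requested alongside it. Whether `ctx->gss_flags` can already carry either bit from `req_flags` at this point depends on code outside the hunk. Since the outcome decides whether credentials are forwarded to the acceptor, the comment should state it, for example `/* If only the policy flag was requested and the ticket lacks ok-as-delegate, no delegation is done. */`, once that has been confirmed against the initial flag mask.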
@@ -252,7 +252,7 @@ rdp->realm_host_based_services = NULL; } - return 0; + return retval; } /* * Initialize a realm control structure from the alternate profile or from From ghudson at MIT.EDU Thu Apr 9 13:57:04 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 9 Apr 2009 13:57:04 -0400 Subject: svn rev #22187: trunk/doc/ Message-ID: <200904091757.n39Hv4dI003364@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22187 Commit By: ghudson Log Message: ticket: 6451 subject: Update defaults in documentation tags: pullup target_version: 1.7 doc/definitions.texinfo had, predictably, fallen out of date with respect to the code. Update a few of the out of date comments and defaults, particularly the default enctype lists. Changed Files: U trunk/doc/definitions.texinfo Modified: trunk/doc/definitions.texinfo =================================================================== --- trunk/doc/definitions.texinfo 2009-04-09 11:53:27 UTC (rev 22186) +++ trunk/doc/definitions.texinfo 2009-04-09 17:57:03 UTC (rev 22187) @@ -43,7 +43,7 @@ the following should be consistent with the variables set in krb5/src/lib/krb5/krb/init_ctx.c @end ignore - at set DefaultETypeList aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 + at set DefaultETypeList aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 @comment DEFAULT_ETYPE_LIST @set DefaultDefaultTgsEnctypes @value{DefaultETypeList} @set DefaultDefaultTktEnctypes @value{DefaultETypeList} @@ -66,7 +66,7 @@ @ignore the following defaults should be consistent with default variables set -in krb5/src/include/stock/osconf.h +in krb5/src/include/osconf.hin @end ignore @set DefaultMasterKeyType des3-cbc-sha1 @comment DEFAULT_KDC_ENCTYPE 
@@ -102,14 +102,14 @@ the following defaults should be consistent with the numbers set in krb5/src/lib/kadm5/alt_prof.c @end ignore - at set DefaultMaxLife 10 hours - at comment line 608 + at set DefaultMaxLife 24 hours + at comment max_life @set DefaultMaxRenewableLife 0 - at comment line 622 + at comment max_rlife @set DefaultDefaultPrincipalExpiration 0 - at comment line 639 - at set DefaultSupportedEnctypes des3-hmac-sha1:normal des-cbc-crc:normal - at comment line 705 + at comment expiration + at set DefaultSupportedEnctypes aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal + at comment krb5/src/include/osconf.hin, KRB5_DEFAULT_SUPPORTED_ENCTYPES @ignore the following defaults should be consistent with the values set in From ghudson at MIT.EDU Fri Apr 10 12:09:20 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 12:09:20 -0400 Subject: svn rev #22188: trunk/doc/ Message-ID: <200904101609.n3AG9KSF021976@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22188 Commit By: ghudson Log Message: ticket: 6452 subject: Document allow_weak_crypto tags: pullup target_version: 1.7 Also document which cryptosystems are defined to be weak, and add some enctype entries which weren't in the documentation. Changed Files: U trunk/doc/admin.texinfo U trunk/doc/support-enc.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-04-09 17:57:03 UTC (rev 22187) +++ trunk/doc/admin.texinfo 2009-04-10 16:09:19 UTC (rev 22188) @@ -355,6 +355,8 @@ Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility +but not recommended for use. @include support-enc.texinfo 
@@ -442,6 +444,12 @@ key encryption. The default value for this tag is @value{DefaultPermittedEnctypes}. + at itemx allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists (as noted in @ref{Supported +Encryption Types}). The default value for this tag is true, but that +default may change in the future. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is Modified: trunk/doc/support-enc.texinfo =================================================================== --- trunk/doc/support-enc.texinfo 2009-04-09 17:57:03 UTC (rev 22187) +++ trunk/doc/support-enc.texinfo 2009-04-10 16:09:19 UTC (rev 22188) @@ -5,17 +5,21 @@ @table @code @item des-cbc-crc -DES cbc mode with CRC-32 +DES cbc mode with CRC-32 (weak) @item des-cbc-md4 -DES cbc mode with RSA-MD4 +DES cbc mode with RSA-MD4 (weak) @item des-cbc-md5 -DES cbc mode with RSA-MD5 +DES cbc mode with RSA-MD5 (weak) + at item des-cbc-raw +DES cbc mode raw (weak) + at item des3-cbc-raw +Triple DES cbc mode raw (weak) @item des3-cbc-sha1 @itemx des3-hmac-sha1 @itemx des3-cbc-sha1-kd -triple DES cbc mode with HMAC/sha1 +Triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 -DES with HMAC/sha1 +DES with HMAC/sha1 (weak) @item aes256-cts-hmac-sha1-96 @itemx aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC @@ -29,5 +33,5 @@ @item arcfour-hmac-exp @itemx rc4-hmac-exp @itemx arcfour-hmac-md5-exp -exportable RC4 with HMAC/MD5 +Exportable RC4 with HMAC/MD5 (weak) @end table From ghudson at MIT.EDU Fri Apr 10 15:50:55 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 15:50:55 -0400 Subject: svn rev #22189: trunk/src/lib/krb5/krb/ Message-ID: <200904101950.n3AJotGZ002311@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22189 Commit By: ghudson Log Message: Check return value of krb5int_copy_data_contents in preauth2.c's pa_salt. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-04-10 16:09:19 UTC (rev 22188) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-04-10 19:50:55 UTC (rev 22189) @@ -634,10 +634,13 @@ krb5_gic_get_as_key_fct gak_fct, void *gak_data) { krb5_data tmp; + krb5_error_code retval; tmp = padata2data(*in_padata); krb5_free_data_contents(context, salt); - krb5int_copy_data_contents(context, &tmp, salt); + retval = krb5int_copy_data_contents(context, &tmp, salt); + if (retval) + return retval; if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT) salt->length = SALT_TYPE_AFS_LENGTH; From ghudson at MIT.EDU Fri Apr 10 15:51:53 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 15:51:53 -0400 Subject: svn rev #22190: trunk/src/lib/krb5/krb/ Message-ID: <200904101951.n3AJpr6e002435@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22190 Commit By: ghudson Log Message: Check the return value of krb5_timeofday in krb5int_populate_gic_opt. Also initialize krb5int_populate_gic_opt's output variable. Changed Files: U trunk/src/lib/krb5/krb/gic_pwd.c Modified: trunk/src/lib/krb5/krb/gic_pwd.c =================================================================== --- trunk/src/lib/krb5/krb/gic_pwd.c 2009-04-10 19:50:55 UTC (rev 22189) +++ trunk/src/lib/krb5/krb/gic_pwd.c 2009-04-10 19:51:53 UTC (rev 22190) 
@@ -416,6 +416,7 @@ krb5_get_init_creds_opt *opt; krb5_error_code retval; + *opte = NULL; retval = krb5_get_init_creds_opt_alloc(context, &opt); if (retval) return(retval); @@ -439,12 +440,17 @@ krb5_get_init_creds_opt_set_proxiable(opt, 1); else krb5_get_init_creds_opt_set_proxiable(opt, 0); if (creds && creds->times.endtime) { - krb5_timeofday(context, &starttime); + retval = krb5_timeofday(context, &starttime); + if (retval) + goto cleanup; if (creds->times.starttime) starttime = creds->times.starttime; krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime); } return krb5int_gic_opt_to_opte(context, opt, opte, 0, "krb5int_populate_gic_opt"); +cleanup: + krb5_get_init_creds_opt_free(context, opt); + return retval; } /* From ghudson at MIT.EDU Fri Apr 10 15:54:35 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 15:54:35 -0400 Subject: svn rev #22191: trunk/src/lib/krb5/os/ Message-ID: <200904101954.n3AJsZrP002557@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22191 Commit By: ghudson Log Message: Remove an unnecessary cleanup in krb5_cc_set_default_name. Changed Files: U trunk/src/lib/krb5/os/ccdefname.c Modified: trunk/src/lib/krb5/os/ccdefname.c =================================================================== --- trunk/src/lib/krb5/os/ccdefname.c 2009-04-10 19:51:53 UTC (rev 22190) +++ trunk/src/lib/krb5/os/ccdefname.c 2009-04-10 19:54:35 UTC (rev 22191) @@ -264,8 +264,6 @@ new_ccname = NULL; /* don't free */ } - if (new_ccname != NULL) { free (new_ccname); } - return err; } From ghudson at MIT.EDU Fri Apr 10 16:17:38 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 16:17:38 -0400 Subject: svn rev #22192: trunk/src/lib/krb5/krb/ Message-ID: <200904102017.n3AKHcjm003924@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22192 Commit By: ghudson Log Message: Simplify the coupling of problem to response code in recvauth_common, eliminating a big switch statement with a dead-code default block. Changed Files: U trunk/src/lib/krb5/krb/recvauth.c Modified: trunk/src/lib/krb5/krb/recvauth.c =================================================================== --- trunk/src/lib/krb5/krb/recvauth.c 2009-04-10 19:54:35 UTC (rev 22191) +++ trunk/src/lib/krb5/krb/recvauth.c 2009-04-10 20:17:38 UTC (rev 22192) @@ -67,6 +67,7 @@ * and exit. */ problem = 0; + response = 0; if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) { /* @@ -76,11 +77,14 @@ return(retval); if (strcmp(inbuf.data, sendauth_version)) { problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; } free(inbuf.data); } - if (flags & KRB5_RECVAUTH_BADAUTHVERS) + if (flags & KRB5_RECVAUTH_BADAUTHVERS) { problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; + } /* * Do the same thing for the application version string. 
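Review bot: Both version checks touched in recvauth.c still run `strcmp` on `inbuf.data`, a buffer filled from the peer by `krb5_read_message`, so they depend on that data being non-NULL and NUL-terminated; nothing in these hunks guarantees either. Comparing against the received length removes that dependency, e.g. `if (inbuf.length != strlen(sendauth_version) + 1 || memcmp(inbuf.data, sendauth_version, inbuf.length) != 0)`, and likewise for the `appl_version` comparison in the following hunk. recvauth_common starts and ends outside these hunks, so whether `krb5_read_message` terminates the buffer should be confirmed there.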
@@ -88,41 +92,17 @@ if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); if (appl_version && strcmp(inbuf.data, appl_version)) { - if (!problem) + if (!problem) { problem = KRB5_SENDAUTH_BADAPPLVERS; + response = 2; + } } if (version && !problem) *version = inbuf; else free(inbuf.data); + /* - * OK, now check the problem variable. If it's zero, we're - * fine and we can continue. Otherwise, we have to signal an - * error to the client side and bail out. - */ - switch (problem) { - case 0: - response = 0; - break; - case KRB5_SENDAUTH_BADAUTHVERS: - response = 1; - break; - case KRB5_SENDAUTH_BADAPPLVERS: - response = 2; - break; - default: - /* - * Should never happen! - */ - response = 255; -#ifdef SENDAUTH_DEBUG - fprintf(stderr, "Programming botch in recvauth! problem = %d", - problem); - abort(); -#endif - break; - } - /* * Now we actually write the response. If the response is non-zero, * exit with a return value of problem */ From ghudson at MIT.EDU Fri Apr 10 17:17:03 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 10 Apr 2009 17:17:03 -0400 Subject: svn rev #22193: trunk/src/lib/krb5/krb/ Message-ID: <200904102117.n3ALH3ST007540@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22193 Commit By: ghudson Log Message: In krb5_get_in_tkt, r7002 introduced an unused local variable "padata". It was accidentally used in r18641 instead of preauth_to_use when sorting the received padata sequence, causing the sort to be a no-op. Sort the correct sequence and eliminate the unused local variable. Changed Files: U trunk/src/lib/krb5/krb/get_in_tkt.c Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-10 20:17:38 UTC (rev 22192) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-04-10 21:17:03 UTC (rev 22193) 
@@ -512,7 +512,6 @@ krb5_keyblock * decrypt_key = 0; krb5_kdc_req request; krb5_data *encoded_request; - krb5_pa_data **padata = 0; krb5_error * err_reply; krb5_kdc_rep * as_reply = 0; krb5_pa_data ** preauth_to_use = 0; @@ -664,7 +663,7 @@ goto cleanup; retval = sort_krb5_padata_sequence(context, &request.server->realm, - padata); + preauth_to_use); if (retval) goto cleanup; continue; @@ -728,8 +727,6 @@ krb5_free_addresses(context, request.addresses); if (request.padata) krb5_free_pa_data(context, request.padata); - if (padata) - krb5_free_pa_data(context, padata); if (preauth_to_use) krb5_free_pa_data(context, preauth_to_use); if (decrypt_key) From epeisach at MIT.EDU Sun Apr 12 10:09:29 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Sun, 12 Apr 2009 10:09:29 -0400 Subject: svn rev #22194: trunk/src/lib/krb5/ccache/ Message-ID: <200904121409.n3CE9TR8019636@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22194 Commit By: epeisach Log Message: Remove dead assignment of variables that are never used. Changed Files: U trunk/src/lib/krb5/ccache/cc_retr.c U trunk/src/lib/krb5/ccache/ser_cc.c Modified: trunk/src/lib/krb5/ccache/cc_retr.c =================================================================== --- trunk/src/lib/krb5/ccache/cc_retr.c 2009-04-10 21:17:03 UTC (rev 22193) +++ trunk/src/lib/krb5/ccache/cc_retr.c 2009-04-12 14:09:29 UTC (rev 22194) @@ -227,7 +227,7 @@ return kret; } - while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) { + while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) { if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds)) { if (ktypes) { Modified: trunk/src/lib/krb5/ccache/ser_cc.c =================================================================== --- trunk/src/lib/krb5/ccache/ser_cc.c 2009-04-10 21:17:03 UTC (rev 22193) +++ trunk/src/lib/krb5/ccache/ser_cc.c 2009-04-12 14:09:29 UTC (rev 22194) 
@@ -100,7 +100,6 @@ krb5_octet *bp; size_t remain; char *ccname; - size_t namelen; const char *fnamep; required = 0; @@ -114,10 +113,7 @@ /* Our identifier */ (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain); - /* Calculate the length of the name */ - namelen = ccache->ops->prefix ? strlen(ccache->ops->prefix)+1 : 0; fnamep = krb5_cc_get_name(kcontext, ccache); - namelen += (strlen(fnamep)+1); if (ccache->ops->prefix) { if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0) From epeisach at MIT.EDU Sun Apr 12 10:59:09 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Sun, 12 Apr 2009 10:59:09 -0400 Subject: svn rev #22195: trunk/src/lib/krb5/rcache/ Message-ID: <200904121459.n3CEx9qX023217@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22195 Commit By: epeisach Log Message: ticket: 6453 subject: remove dead code Remove some more dead code assignment - where the variable is immediately assigned in the next statement - or not used at all. Changed Files: U trunk/src/lib/krb5/rcache/rc_conv.c U trunk/src/lib/krb5/rcache/ser_rc.c Modified: trunk/src/lib/krb5/rcache/rc_conv.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_conv.c 2009-04-12 14:09:29 UTC (rev 22194) +++ trunk/src/lib/krb5/rcache/rc_conv.c 2009-04-12 14:59:08 UTC (rev 22195) @@ -67,7 +67,7 @@ krb5_free_checksum_contents(context, &cksum); return KRB5_RC_MALLOC; } - ptr = hash; + for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2) snprintf(ptr, 3, "%02X", cksum.contents[i]); *ptr = '\0'; Modified: trunk/src/lib/krb5/rcache/ser_rc.c =================================================================== --- trunk/src/lib/krb5/rcache/ser_rc.c 2009-04-12 14:09:29 UTC (rev 22194) +++ trunk/src/lib/krb5/rcache/ser_rc.c 2009-04-12 14:59:08 UTC (rev 22195) @@ -102,7 +102,6 @@ krb5_octet *bp; size_t remain; char *rcname; - size_t namelen; char *fnamep; required = 0; 
@@ -116,11 +115,7 @@ /* Our identifier */ (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain); - /* Calculate the length of the name */ - namelen = (rcache->ops && rcache->ops->type) ? - strlen(rcache->ops->type)+1 : 0; fnamep = krb5_rc_get_name(kcontext, rcache); - namelen += (strlen(fnamep)+1); if (rcache->ops && rcache->ops->type) { if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0) @@ -170,7 +165,6 @@ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) ibuf = 0; if (ibuf == KV5M_RCACHE) { - kret = ENOMEM; /* Get the length of the rcache name */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); From epeisach at MIT.EDU Sun Apr 12 11:40:41 2009 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Sun, 12 Apr 2009 11:40:41 -0400 Subject: svn rev #22196: trunk/src/lib/krb5/keytab/ Message-ID: <200904121540.n3CFef0A027088@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22196 Commit By: epeisach Log Message: ticket: 6453 status: open More dead code elimination. When asprintf was used the varaible namelen was no longer necessary. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-12 14:59:08 UTC (rev 22195) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-12 15:40:41 UTC (rev 22196) @@ -635,7 +635,6 @@ krb5_int32 file_is_open; krb5_int64 file_pos; char *ktname; - size_t namelen; const char *fnamep; required = 0; @@ -654,13 +653,10 @@ file_pos = 0; /* Calculate the length of the name */ - namelen = (keytab->ops && keytab->ops->prefix) ? - strlen(keytab->ops->prefix)+1 : 0; if (ktdata && ktdata->name) fnamep = ktdata->name; else fnamep = ktfile_def_name; - namelen += (strlen(fnamep)+1); if (keytab->ops && keytab->ops->prefix) { if (asprintf(&ktname, "%s:%s", keytab->ops->prefix, fnamep) < 0) 
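Review bot: In kt_file.c the context comment `/* Calculate the length of the name */` is now stale, because the second hunk removes both `namelen` computations beneath it and leaves only the choice of `fnamep`. I would reword it to `/* Choose the keytab file name */` or drop it. The enclosing function starts and ends outside the hunk.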
@@ -743,7 +739,6 @@ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) ibuf = 0; if (ibuf == KV5M_KEYTAB) { - kret = ENOMEM; /* Get the length of the keytab name */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); From ghudson at MIT.EDU Mon Apr 13 13:16:35 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 13 Apr 2009 13:16:35 -0400 Subject: svn rev #22197: trunk/src/lib/krb5/os/ Message-ID: <200904131716.n3DHGZVE018580@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22197 Commit By: ghudson Log Message: In krb5int_dns_init, fix a malloc-returning-null check which could let a null result slip past. Changed Files: U trunk/src/lib/krb5/os/dnsglue.c Modified: trunk/src/lib/krb5/os/dnsglue.c =================================================================== --- trunk/src/lib/krb5/os/dnsglue.c 2009-04-12 15:40:41 UTC (rev 22196) +++ trunk/src/lib/krb5/os/dnsglue.c 2009-04-13 17:16:35 UTC (rev 22197) @@ -112,7 +112,7 @@ p = (ds->ansp == NULL) ? malloc(nextincr) : realloc(ds->ansp, nextincr); - if (p == NULL && ds->ansp != NULL) { + if (p == NULL) { ret = -1; goto errout; } From ghudson at MIT.EDU Mon Apr 13 14:36:43 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 13 Apr 2009 14:36:43 -0400 Subject: svn rev #22198: trunk/src/lib/krb5/keytab/ Message-ID: <200904131836.n3DIah1r024202@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22198 Commit By: ghudson Log Message: ticket: 6454 subject: Make krb5_mkt_resolve error handling work Very little is likely to go wrong inside krb5_mkt_resolve (it just allocates memory and plays with mutexes), but if anything did, the handling was almost always wrong. Reorganize the function to handle errors properly, using a helper create_list_node function to simplify the task. Changed Files: U trunk/src/lib/krb5/keytab/kt_memory.c Modified: trunk/src/lib/krb5/keytab/kt_memory.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_memory.c 2009-04-13 17:16:35 UTC (rev 22197) +++ trunk/src/lib/krb5/keytab/kt_memory.c 2009-04-13 18:36:42 UTC (rev 22198) 
@@ -193,101 +193,109 @@ free(node); } } -/* - * This is an implementation specific resolver. It returns a keytab - * initialized with memory keytab routines. - */ -krb5_error_code KRB5_CALLCONV -krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) +static krb5_error_code +create_list_node(const char *name, krb5_mkt_list_node **listp) { - krb5_mkt_data *data = 0; krb5_mkt_list_node *list; - krb5_error_code err = 0; + krb5_mkt_data *data = NULL; + krb5_error_code err; - /* First determine if a memory keytab of this name already exists */ - err = KTGLOCK; - if (err) - return(err); + *listp = NULL; - for (list = krb5int_mkt_list; list; list = list->next) - { - if (strcmp(name,KTNAME(list->keytab)) == 0) { - /* Found */ - *id = list->keytab; - goto done; - } + list = calloc(1, sizeof(krb5_mkt_list_node)); + if (list == NULL) { + err = ENOMEM; + goto cleanup; } - /* We will now create the new key table with the specified name. - * We do not drop the global lock, therefore the name will indeed - * be unique when we add it. 
- */ - - if ((list = (krb5_mkt_list_node *)malloc(sizeof(krb5_mkt_list_node))) == NULL) { + list->keytab = calloc(1, sizeof(struct _krb5_kt)); + if (list->keytab == NULL) { err = ENOMEM; - goto done; + goto cleanup; } + list->keytab->ops = &krb5_mkt_ops; - if ((list->keytab = (krb5_keytab)malloc(sizeof(struct _krb5_kt))) == NULL) { - free(list); + data = calloc(1, sizeof(krb5_mkt_data)); + if (data == NULL) { err = ENOMEM; - goto done; + goto cleanup; } + data->link = NULL; + data->refcount = 0; - list->keytab->ops = &krb5_mkt_ops; - if ((data = (krb5_mkt_data *)malloc(sizeof(krb5_mkt_data))) == NULL) { - free(list->keytab); - free(list); + data->name = strdup(name); + if (data->name == NULL) { err = ENOMEM; - goto done; + goto cleanup; } - data->name = NULL; err = k5_mutex_init(&data->lock); - if (err) { - free(data); - free(list->keytab); - free(list); - goto done; - } + if (err) + goto cleanup; - if ((data->name = strdup(name)) == NULL) { - k5_mutex_destroy(&data->lock); - free(data); + list->keytab->data = data; + list->keytab->magic = KV5M_KEYTAB; + list->next = NULL; + *listp = list; + return 0; + +cleanup: + /* data->lock was initialized last, so no need to destroy. */ + if (data) + free(data->name); + free(data); + if (list) free(list->keytab); - free(list); - err = ENOMEM; - goto done; - } + free(list); + return err; +} - data->link = NULL; - data->refcount = 0; - list->keytab->data = (krb5_pointer)data; - list->keytab->magic = KV5M_KEYTAB; +/* + * This is an implementation specific resolver. It returns a keytab + * initialized with memory keytab routines. 
+ */ - list->next = krb5int_mkt_list; - krb5int_mkt_list = list; +krb5_error_code KRB5_CALLCONV +krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_mkt_list_node *list; + krb5_error_code err = 0; - *id = list->keytab; + *id = NULL; - done: - err = KTLOCK(*id); - if (err) { - k5_mutex_destroy(&data->lock); - if (data && data->name) - free(data->name); - free(data); - if (list && list->keytab) - free(list->keytab); - free(list); - } else { - KTREFCNT(*id)++; - KTUNLOCK(*id); + /* First determine if a memory keytab of this name already exists */ + err = KTGLOCK; + if (err) + return err; + + for (list = krb5int_mkt_list; list; list = list->next) { + if (strcmp(name,KTNAME(list->keytab)) == 0) + break; } + if (!list) { + /* We will now create the new key table with the specified name. + * We do not drop the global lock, therefore the name will indeed + * be unique when we add it. + */ + err = create_list_node(name, &list); + if (err) + goto done; + list->next = krb5int_mkt_list; + krb5int_mkt_list = list; + } + + /* Increment the reference count on the keytab we found or created. */ + err = KTLOCK(list->keytab); + if (err) + goto done; + KTREFCNT(list->keytab)++; + KTUNLOCK(list->keytab); + *id = list->keytab; +done: KTGUNLOCK; - return(err); + return err; } From ghudson at MIT.EDU Mon Apr 13 14:43:29 2009 
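Review bot: In the rewritten krb5_mkt_resolve a newly created node is linked into `krb5int_mkt_list` before `KTLOCK(list->keytab)` is attempted, so if that lock fails the function returns an error with `*id == NULL` while the node stays on the global list with `refcount` 0. Whether anything later reaps such a node is not visible here. Linking the node only after the lock and the refcount increment have succeeded, or unlinking and freeing it on the `goto done` path, would keep the list consistent with what the caller was handed. Separately, `name` reaches `strcmp` and `strdup` without a NULL check; a comment such as `/* name must be non-NULL */` on both functions would document that requirement.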
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 13 Apr 2009 14:43:29 -0400 Subject: svn rev #22199: trunk/src/lib/krb5/krb/ Message-ID: <200904131843.n3DIhT4d024653@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22199 Commit By: ghudson Log Message: In pa_sam, remove a gratuitous null check for etype which was immediately followed by dereferencing etype. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-04-13 18:36:42 UTC (rev 22198) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-04-13 18:43:29 UTC (rev 22199) @@ -871,7 +871,7 @@ /* message from the KDC. If it is not set, pick an enctype that we */ /* think the KDC will have for us. */ - if (etype && *etype == 0) + if (*etype == 0) *etype = ENCTYPE_DES_CBC_CRC; if ((ret = (gak_fct)(context, request->client, *etype, prompter, From ghudson at MIT.EDU Mon Apr 13 15:29:14 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 13 Apr 2009 15:29:14 -0400 Subject: svn rev #22200: trunk/src/lib/krb5/ccache/ Message-ID: <200904131929.n3DJTEWe027512@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22200 Commit By: ghudson Log Message: krb5_fcc_generate_new was destroying a locked mutex in the err_out label, which is used for I/O failures. Unlock the mutex first. Changed Files: U trunk/src/lib/krb5/ccache/cc_file.c Modified: trunk/src/lib/krb5/ccache/cc_file.c =================================================================== --- trunk/src/lib/krb5/ccache/cc_file.c 2009-04-13 18:43:29 UTC (rev 22199) +++ trunk/src/lib/krb5/ccache/cc_file.c 2009-04-13 19:29:14 UTC (rev 22200) @@ -2129,6 +2129,7 @@ err_out: k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &data->lock); k5_cc_mutex_destroy(&data->lock); free(data->filename); free(data); From tlyu at MIT.EDU Mon Apr 13 16:26:18 2009 
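Review bot: With the NULL test gone, `if (*etype == 0) *etype = ENCTYPE_DES_CBC_CRC;` makes single-DES with CRC-32 the fallback whenever the KDC did not set an enctype. The supported-enctypes documentation elsewhere on this page lists des-cbc-crc as weak and introduces `allow_weak_crypto` to filter such types, and nothing in this hunk consults that setting, so it is worth checking whether the fallback bypasses the filter. At minimum I would add a comment such as `/* etype must be non-NULL; the fallback is a weak enctype, see allow_weak_crypto */`. pa_sam's body starts and ends outside the hunk.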
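Review bot: The added `k5_cc_mutex_unlock(context, &data->lock);` in cc_file.c is correct only if every jump to `err_out` holds `data->lock`; the lock acquisition and the gotos are outside the hunk, so that cannot be confirmed here. If any path reaches the label before the lock is taken, unlocking an unheld mutex replaces the destroy-while-locked problem with another one. A comment at the label, `/* entered with krb5int_cc_file_mutex and data->lock both held */`, would record the invariant.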
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:18 -0400 Subject: svn rev #22201: branches/krb5-1-7/src/ include/ lib/krb5/ lib/krb5/krb/ Message-ID: <200904132026.n3DKQI1r031236@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22201 Commit By: tlyu Log Message: ticket: 6393 version_fixed: 1.7 pull up 21993 from trunk Subject: Implement TGS authenticator subkey usage ticket: 6393 tags: enhancement Implement support for use of a subkey in the TGS req. This is needed by FAST TGS support. The interface to krb5_send_tgs changed in order to gain a subkey output parameter. Since this is a private interface it was renamed to krb5int_send_tgs and removed from the export list. * send_tgs.c: generate a subkey and return to caller * decode_kdc_rep.c: Use subkey keyusage * gc_via_tkt.c: pass in subkey to decode_kdc_rep * send_tgs.c: use subkey for encrypting authorization data Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-13 19:29:14 UTC (rev 22200) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-13 20:26:18 UTC (rev 22201) @@ -2545,7 +2545,7 @@ void KRB5_CALLCONV krb5_free_config_files (char **filenames); -krb5_error_code krb5_send_tgs +krb5_error_code krb5int_send_tgs (krb5_context, krb5_flags, const krb5_ticket_times *, 
@@ -2556,11 +2556,16 @@ krb5_pa_data * const *, const krb5_data *, krb5_creds *, - krb5_response * ); + krb5_response * , krb5_keyblock **subkey); + /* The subkey field is an output parameter; if a + * tgs-rep is received then the subkey will be filled + * in with the subkey needed to decrypt the TGS + * response. Otherwise it will be set to null. + */ krb5_error_code krb5_decode_kdc_rep (krb5_context, krb5_data *, - const krb5_keyblock *, + const krb5_keyblock *, krb5_kdc_rep ** ); krb5_error_code krb5_rd_req_decoded Modified: branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c 2009-04-13 19:29:14 UTC (rev 22200) +++ branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c 2009-04-13 20:26:18 UTC (rev 22201) @@ -53,12 +53,7 @@ usage = KRB5_KEYUSAGE_AS_REP_ENCPART; retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); } else if (krb5_is_tgs_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY; - /* KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY would go here, except - that this client code base doesn't ever put a subkey in the - tgs_req authenticator, so the tgs_rep is never encrypted in - one. (Check send_tgs.c:krb5_send_tgs_basic(), near the top - where authent.subkey is set to 0) */ + usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); } else { return KRB5KRB_AP_ERR_MSG_TYPE; Modified: branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-04-13 19:29:14 UTC (rev 22200) +++ branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-04-13 20:26:18 UTC (rev 22201) 
@@ -154,6 +154,7 @@ krb5_error *err_reply; krb5_response tgsrep; krb5_enctype *enctypes = 0; + krb5_keyblock *subkey = NULL; #ifdef DEBUG_REFERRALS printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off"); @@ -200,12 +201,12 @@ enctypes[1] = 0; } - retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, enctypes, + retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes, in_cred->server, address, in_cred->authdata, 0, /* no padata */ (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) ? &in_cred->second_ticket : NULL, - tkt, &tgsrep); + tkt, &tgsrep, &subkey); if (enctypes) free(enctypes); if (retval) { @@ -280,7 +281,7 @@ } if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - &tkt->keyblock, &dec_rep))) + subkey, &dec_rep))) goto error_4; if (dec_rep->msg_type != KRB5_TGS_REP) { @@ -334,6 +335,9 @@ &in_cred->second_ticket, out_cred); error_3:; + if (subkey != NULL) + krb5_free_keyblock(context, subkey); + memset(dec_rep->enc_part2->session->contents, 0, dec_rep->enc_part2->session->length); krb5_free_kdc_rep(context, dec_rep); Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-13 19:29:14 UTC (rev 22200) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-13 20:26:18 UTC (rev 22201) @@ -30,7 +30,7 @@ #include "k5-int.h" /* - Sends a request to the TGS and waits for a response. +Constructs a TGS request options is used for the options in the KRB_TGS_REQ. timestruct values are used for from, till, rtime " " " enctype is used for enctype " " ", and to encrypt the authorization data, 
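Review bot: The `krb5_free_keyblock(context, subkey)` added under `error_3` in gc_via_tkt.c does not appear to be reached when `krb5_decode_kdc_rep` fails: that path jumps to `error_4`, and the code under `error_3` dereferences `dec_rep`, so `error_4` presumably sits below it. The subkey returned by `krb5int_send_tgs` would then be leaked with its key bytes intact. Moving the free to a point that every exit after the send passes through, or freeing before `goto error_4`, would cover it. Note also that `subkey` can be NULL at the decode call when the reply was not a TGS-REP, so that case must be handled before the call; the labels below `error_3` are outside the hunk.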
@@ -48,7 +48,8 @@ returns system errors */ static krb5_error_code -krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf) +tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, + krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock **subkey) { krb5_error_code retval; krb5_checksum checksum; @@ -56,6 +57,12 @@ krb5_ap_req request; krb5_data * scratch; krb5_data * toutbuf; + checksum.contents = NULL; +/* Generate subkey*/ + if ((retval = krb5_generate_subkey( context, &in_cred->keyblock, + subkey)) != 0) + return retval; + /* Generate checksum */ if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, 
@@ -63,43 +70,42 @@ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) { free(checksum.contents); - return(retval); + goto cleanup; } /* gen authenticator */ - authent.subkey = 0; + authent.subkey = *subkey; /*owned by caller*/ authent.seq_number = 0; authent.checksum = &checksum; authent.client = in_cred->client; authent.authorization_data = in_cred->authdata; if ((retval = krb5_us_timeofday(context, &authent.ctime, - &authent.cusec))) { - free(checksum.contents); - return(retval); - } + &authent.cusec))) + goto cleanup; + /* encode the authenticator */ - if ((retval = encode_krb5_authenticator(&authent, &scratch))) { - free(checksum.contents); - return(retval); - } + if ((retval = encode_krb5_authenticator(&authent, &scratch))) + goto cleanup; + free(checksum.contents); + checksum.contents = NULL; - request.authenticator.ciphertext.data = 0; + request.authenticator.ciphertext.data = NULL; request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; if ((retval = decode_krb5_ticket(&(in_cred)->ticket, &request.ticket))) /* Cleanup scratch and scratch data */ - goto cleanup_data; + goto cleanup; /* call the encryption routine */ if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH, scratch, &request.authenticator))) - goto cleanup_ticket; + goto cleanup; retval = encode_krb5_ap_req(&request, &toutbuf); *outbuf = *toutbuf; 
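Review bot: Several of the new `goto cleanup` exits in tgs_construct_tgsreq reach the cleanup block (next hunk) before `scratch` and `request.ticket` have been assigned. `scratch` is declared without an initializer and `request.ticket = 0` only runs after the authenticator is encoded, so a failure in `krb5_c_make_checksum` or `krb5_us_timeofday` makes `if (request.ticket)` and `scratch->data` read indeterminate values. Declaring `krb5_data *scratch = NULL;` and setting `request.ticket = NULL;` before the first `goto` fixes that. The same cleanup block no longer frees `checksum.contents` on the timeofday and encode failures, and the removed `free(scratch);` leaves the `krb5_data` header allocated on every path.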
@@ -110,25 +116,30 @@ request.authenticator.ciphertext.length); free(request.authenticator.ciphertext.data); -cleanup_ticket: + cleanup: +if (request.ticket) krb5_free_ticket(context, request.ticket); -cleanup_data: - memset(scratch->data, 0, scratch->length); + if (scratch != NULL && scratch->data != NULL) { +zap(scratch->data, scratch->length); free(scratch->data); - free(scratch); + } + if (*subkey && retval != 0) { + krb5_free_keyblock(context, *subkey); + *subkey = NULL; + } return retval; } krb5_error_code -krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, +krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, krb5_const_principal sname, krb5_address *const *addrs, krb5_authdata *const *authorization_data, krb5_pa_data *const *padata, const krb5_data *second_ticket, - krb5_creds *in_cred, krb5_response *rep) + krb5_creds *in_cred, krb5_response *rep, krb5_keyblock **subkey) { krb5_error_code retval; krb5_kdc_req tgsreq; @@ -140,6 +151,8 @@ krb5_pa_data ap_req_padata; int tcp_only = 0, use_master; + assert (subkey != NULL); + *subkey = NULL; /* * in_creds MUST be a valid credential NOT just a partially filled in * place holder for us to get credentials for the caller. @@ -170,8 +183,8 @@ if ((retval = encode_krb5_authdata(authorization_data, &scratch))) return(retval); - if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, + if ((retval = krb5_encrypt_helper(context, *subkey, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, scratch, &tgsreq.authorization_data))) { free(tgsreq.authorization_data.ciphertext.data); @@ -212,7 +225,8 @@ /* * Get an ap_req. */ - if ((retval = krb5_send_tgs_basic(context, scratch, in_cred, &scratch2))) { + if ((retval = tgs_construct_tgsreq(context, scratch, in_cred + , &scratch2, subkey))) { krb5_free_data(context, scratch); goto send_tgs_error_2; } 
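Review bot: In krb5int_send_tgs the authorization-data encryption now passes `*subkey` to `krb5_encrypt_helper`, but `*subkey` is set to NULL at the top of the function and is only generated inside `tgs_construct_tgsreq`, which is called later (new line 225 versus 183). Unless something between these hunks assigns it, the helper receives a NULL key whenever `authorization_data` is present. Generating the subkey before the authdata block and passing it into `tgs_construct_tgsreq` as an input would fix the ordering. `assert (subkey != NULL)` also disappears under NDEBUG; an explicit `if (subkey == NULL) return EINVAL;` is sturdier.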
@@ -275,7 +289,7 @@ tcp_only = 1; krb5_free_error(context, err_reply); free(rep->response.data); - rep->response.data = 0; + rep->response.data = NULL; goto send_again; } krb5_free_error(context, err_reply); @@ -303,6 +317,11 @@ tgsreq.authorization_data.ciphertext.length); free(tgsreq.authorization_data.ciphertext.data); } + if (rep->message_type != KRB5_TGS_REP && *subkey){ + krb5_free_keyblock(context, *subkey); + *subkey = NULL; + } + return retval; } Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-13 19:29:14 UTC (rev 22200) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-13 20:26:18 UTC (rev 22201) @@ -441,7 +441,6 @@ krb5_register_serializer krb5_salttype_to_string krb5_secure_config_files -krb5_send_tgs krb5_sendauth krb5_sendto_kdc krb5_ser_address_init From tlyu at MIT.EDU Mon Apr 13 16:26:31 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:31 -0400 Subject: svn rev #22205: branches/krb5-1-7/src/kdc/ Message-ID: <200904132026.n3DKQVo0031427@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22205 Commit By: tlyu Log Message: ticket: 6458 subject: use isflagset correctly in TGS referrals version_fixed: 1.7 tags: pullup pull up r22041 from trunk Adjust to the return value of isflagset routine. Changed Files: U branches/krb5-1-7/src/kdc/do_tgs_req.c Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-13 20:26:27 UTC (rev 22204) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-13 20:26:30 UTC (rev 22205) 
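Review bot: The new end-of-function test `rep->message_type != KRB5_TGS_REP` in send_tgs.c may also be evaluated on error exits, where `rep` may never have been filled in; the caller in gc_via_tkt.c passes a local `tgsrep` with no visible initializer. Keying the release on the return code as well, `if ((retval != 0 || rep->message_type != KRB5_TGS_REP) && *subkey) {`, keeps a failed call from handing back a subkey that the caller's `if (retval)` branch does not obviously free. The labels that lead to this block are outside the hunk, so which exits pass through it should be confirmed.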
@@ -1086,8 +1086,7 @@ * If all of these conditions are satisfied - try mapping the FQDN and * re-process the request as if client had asked for cross-realm TGT. */ - - if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) == TRUE && + if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) && !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && krb5_princ_size(kdc_context, request->server) == 2) { From tlyu at MIT.EDU Mon Apr 13 16:26:25 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:25 -0400 Subject: svn rev #22203: branches/krb5-1-7/src/kdc/ Message-ID: <200904132026.n3DKQPq7031320@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22203 Commit By: tlyu Log Message: ticket: 6456 subject: fix memory management in handle_referral_params version_fixed: 1.7 pull up r22037 from trunk Fix in handle_referral_params Changed Files: U branches/krb5-1-7/src/kdc/main.c Modified: branches/krb5-1-7/src/kdc/main.c =================================================================== --- branches/krb5-1-7/src/kdc/main.c 2009-04-13 20:26:22 UTC (rev 22202) +++ branches/krb5-1-7/src/kdc/main.c 2009-04-13 20:26:24 UTC (rev 22203) @@ -175,7 +175,6 @@ kdc_realm_t *rdp ) { krb5_error_code retval = 0; - if (no_refrls && krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == TRUE) { rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_no_host_referral) @@ -192,9 +191,10 @@ else if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", rparams->realm_no_host_referral, " ") < 0) retval = ENOMEM; - } else if( no_refrls != NULL && asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0) - retval = ENOMEM; - else + } else if( no_refrls != NULL) { + if ( asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0) + retval = ENOMEM; + } else rdp->realm_no_host_referral = NULL; } 
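Review bot: Each `asprintf` failure in handle_referral_params sets `retval = ENOMEM` but leaves `rdp->realm_no_host_referral` holding whatever `asprintf` left in it, which the C library leaves unspecified on failure (the project may wrap the call; that is not visible here). If realm teardown frees that field, set it to NULL on the failure branch, e.g. `{ rdp->realm_no_host_referral = NULL; retval = ENOMEM; }`. The same applies to the `realm_host_based_services` calls restructured in the next hunk. Mixed spacing such as `else if( no_refrls != NULL)` and `if ( asprintf(` could be normalized while these lines are being touched.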
@@ -213,16 +213,17 @@ rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_host_based_services) retval = ENOMEM; - } else if (host_based_srvcs && asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s", + } else if (host_based_srvcs) { + if (asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s", " ", host_based_srvcs," ",rparams->realm_host_based_services, " ") < 0) retval = ENOMEM; - else if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", + } else if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", rparams->realm_host_based_services, " ") < 0) retval = ENOMEM; - } else if(host_based_srvcs != NULL && asprintf(&(rdp->realm_host_based_services),"%s%s%s", - " ", host_based_srvcs, " ") < 0) + } else if (host_based_srvcs) { + if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", host_based_srvcs, " ") < 0) retval = ENOMEM; - else + } else rdp->realm_host_based_services = NULL; } From tlyu at MIT.EDU Mon Apr 13 16:26:28 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:28 -0400 Subject: svn rev #22204: branches/krb5-1-7/src/tests/ kdc_realm/ kdc_realm/input_conf/ Message-ID: <200904132026.n3DKQSZZ031381@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22204 Commit By: tlyu Log Message: ticket: 6457 subject: KDC realm referral test version_fixed: 1.7 tags: pullup pull up r22040 from trunk KDC realm referral test Changed Files: A branches/krb5-1-7/src/tests/kdc_realm/ A branches/krb5-1-7/src/tests/kdc_realm/input_conf/ A branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_princs.conf A branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf A branches/krb5-1-7/src/tests/kdc_realm/kdcref.py Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf =================================================================== --- 
branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf 2009-04-13 20:26:27 UTC (rev 22204) @@ -0,0 +1,13 @@ +[kdcdefaults] + kdc_ports = 7777 + +[realms] + Y.COM = { + database_name = %(tier2)s/principal + admin_keytab = FILE:%(tier2)s/kadm5.keytab + acl_file = %(tier2)s/kadm5.acl + key_stash_file = %(tier2)s/.k5.ATHENA.MIT.EDU + kdc_ports = 7777 + max_life = 10h 0m 0s + max_renewable_life = 7d 0h 0m 0s + } Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf 2009-04-13 20:26:27 UTC (rev 22204) @@ -0,0 +1,13 @@ +[kdcdefaults] + kdc_ports = 7778 + +[realms] + Z.COM = { + database_name = %(tier1)s/principal + admin_keytab = FILE:%(tier1)s/kadm5.keytab + acl_file = %(tier1)s/kadm5.acl + key_stash_file = %(tier1)s/.k5.ATHENA.MIT.EDU + kdc_ports = 7778 + max_life = 10h 0m 0s + max_renewable_life = 7d 0h 0m 0s + } Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,34 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + +[realms] + Y.COM = { + admin_server = KERBEROS.Y.COM + kdc = %(localFQDN)s:7777 + default_domain = Y.COM + } + Z.COM = { + admin_server = KERBEROS.Z.COM + kdc = %(localFQDN)s:7778 + default_domain = Z.COM + } + +[domain_realm] +# .mit.edu = Y.COM + %(localFQDN)s = Y.COM + .%(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + + +[logging] + kdc = FILE:%(tier2)s/krb5kdc_cl.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
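Review bot: `dns_lookup_kdc = true` is set in this client template and in every `krb5_priKDC_*` and `krb5_ref` template that follows, although the test realms Y.COM and Z.COM are placeholder names served from `%(localFQDN)s`. For a realm with no `kdc =` entry in the generated file (Z.COM is absent from the `krb5_priKDC_*` templates), the library may fall back to DNS SRV queries for a domain the test does not control. That would make the result depend on external DNS. I would set `dns_lookup_kdc = false` in all of these templates so the referral test only ever talks to the two sandbox KDCs.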
@@ -0,0 +1,30 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + no_host_referral = * + host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + } + +[domain_realm] + mybox.mit.edu=Z.COM + %(localFQDN)s=Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,31 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + no_host_referral = host1 + + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + host_based_services = * + } + +[domain_realm] + mybox.mit.edu=Z.COM + %(localFQDN)s=Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,30 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] +# no_host_referral = * +# host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,30 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + no_host_referral = host1, * host2 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,30 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + no_host_referral = host1 testHost host2 + host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,31 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] +# no_host_referral = * + host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + no_host_referral = testHost + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,29 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + host_based_services = testHost + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,33 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] + host_based_services = host1 + + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + host_based_services = host2 +# host_based_services = testHost + host_based_services = host3 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,30 @@ +[libdefaults] + default_realm = Y.COM + default_keytab_name = FILE:%(tier2)s/krb5.keytab + default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc + dns_lookup_kdc = true + dns_lookup_realm = false + + +[kdcdefaults] +# no_host_referral = * + host_based_services = * + +[realms] + Y.COM = { + kdc = %(localFQDN)s:7777 + } + +[domain_realm] + mybox.mit.edu = Z.COM + %(localFQDN)s = Y.COM + .y.com = Y.COM + y.com = Y.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier2)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1,27 @@ +[libdefaults] + default_realm = Z.COM + default_keytab_name = FILE:%(tier1)s/krb5.keytab + default_tkt_enctypes = aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc aes256-cts-hmac-sha1-96 aes128-cts + default_tgs_enctypes = aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc aes256-cts-hmac-sha1-96 aes128-cts + dns_lookup_kdc = true + dns_lookup_realm = false + +[realms] + Z.COM = { + admin_server = KERBEROS.Z.COM + kdc = %(localFQDN)s:7778 + default_domain = Z.COM + } + +[domain_realm] + %(localFQDN)s=Z.COM + .%(localFQDN)s=Z.COM + .z.com = Z.COM + z.com = Z.COM + +[dbmodules] + db_module_dir = %(srcdir)s/plugins/kdb/db2 + +[logging] + kdc = FILE:%(tier1)s/krb5kdc.log + Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs.conf 2009-04-13 20:26:27 UTC (rev 22204) @@ -0,0 +1,9 @@ +krb5_priKDC_template.conf,0 +krb5_priKDC_1_template.conf,1 +krb5_priKDC_2_template.conf,0 +krb5_priKDC_3_template.conf,0 +krb5_priKDC_4_template.conf,1 +krb5_priKDC_5_template.conf,1 +krb5_priKDC_6_template.conf,1 +krb5_priKDC_7_template.conf,0 +krb5_priKDC_8_template.conf,0 \ No newline at end of file Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_princs.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_princs.conf 2009-04-13 20:26:24 UTC (rev 22203) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_princs.conf 2009-04-13 20:26:27 UTC (rev 22204) 
@@ -0,0 +1 @@
+princUser/admin
\ No newline at end of file
Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf
===================================================================
--- branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf 2009-04-13 20:26:24 UTC (rev 22203)
+++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf 2009-04-13 20:26:27 UTC (rev 22204)
@@ -0,0 +1,5 @@
+sandboxDir=tests/kdc_realm/sandbox
+testKDCconf=test_KDCs.conf
+principals=test_princs.conf
+tier1=sandbox/tier1
+tier2=sandbox/tier2
\ No newline at end of file
Added: branches/krb5-1-7/src/tests/kdc_realm/kdcref.py
===================================================================
--- branches/krb5-1-7/src/tests/kdc_realm/kdcref.py 2009-04-13 20:26:24 UTC (rev 22203)
+++ branches/krb5-1-7/src/tests/kdc_realm/kdcref.py 2009-04-13 20:26:27 UTC (rev 22204)
@@ -0,0 +1,325 @@ +import os +import sys +import time +from subprocess import Popen, PIPE, STDOUT +import signal +import socket +import errno +import shutil + + +class LaunchError(Exception): + """ Exception class to signal startup error""" + pass + +class AdminError(Exception): + """ Exception class to handle admin errors""" + pass + + +class Launcher: + + def __init__(self, path): + self._buildDir = path + self._confDir = '%s/tests/kdc_realm/input_conf' % self._buildDir + confFile ='%s/test_setup.conf' % self._confDir + confParams = self._testSetup(confFile) + self._sandboxDir = '%s/%s' % (self._buildDir,confParams['sandboxDir']) + self._sandboxTier1 = '%s/%s' % (self._sandboxDir, 'tier1') + self._sandboxTier2 = '%s/%s' % (self._sandboxDir, 'tier2') + self._configurations = self._readServerConfiguration('%s/%s' % (self._confDir,confParams['testKDCconf'])) + self._principals = self._readTestInputs('%s/%s' % (self._confDir,confParams['principals'])) + os.environ["LD_LIBRARY_PATH"] = '%s/lib' % self._buildDir + self._pidRefKDC = 0 + self._pidMap = dict() + self._initialized = False + self._tier1Init = False + self._tier2Init = False + self._vars = {'srcdir': self._buildDir, + 'tier1':self._sandboxTier1, + 'tier2':self._sandboxTier2, + 'localFQDN':socket.getfqdn()} + + def _launchKDC(self, tierId, args, env): + """ + Launching KDC server + """ + cmd = '%s/kdc/krb5kdc' % self._buildDir + handle = Popen([cmd, args], env=env) + time.sleep(1) + # make sure that process is running + rc = handle.poll() + if rc is None: + print 'KDC server has been launched: pid=%s, tier=%s' % (handle.pid, tierId) + self._pidMap[handle.pid] = 1 + return handle.pid + else: + raise LaunchError, 'Failed to launch kdc server' + + + def _prepSandbox(self): + for tierId in range(1,3): + tierdir = '%s/tier%i' % (self._sandboxDir, tierId) + if os.path.exists(tierdir): + shutil.rmtree(tierdir) + os.makedirs(tierdir, 0777) + + + def _kill(self, pid = None): + """ + Kill specific process or group 
saved in pidMap + """ + if pid is None: + target = self._pidMap.keys() + else: + target = [pid] + for p in target: + if p in self._pidMap: + del self._pidMap[p] + try: + os.kill(p, signal.SIGKILL) + except OSError: + pass + + + def _createDB(self, env): + """ + Creating DB + """ + cmd = '%s/kadmin/dbutil/kdb5_util' % self._buildDir + p = Popen([cmd, 'create', '-s'], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate('a\na\n') + if p.returncode != 0: + err_msg = 'Failed to create DB: %s' % err + raise LaunchError, err_msg + + + def _launchClient(self, args, env): + """ + kinit & kvno + """ + self._addPrinc(args, env) + p = Popen(['kinit', args], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate('a\n') + if int(p.wait()) == 0: + self._initialized = True + else: + err_msg = 'Failed to kinit client: %s' % err + raise AdminError, err_msg + + # testHost', 'mybox.mit.edu is a srv defined in referral KDC. Get its kvno + cmd = '%s/clients/kvno/kvno' % self._buildDir + handle = Popen([cmd, '-C', '-S', 'testHost', 'mybox.mit.edu'], + env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = handle.communicate() + handle.wait() + print 'kvno return code: %s' % handle.returncode + + # Cleanup cached info + p = Popen(['kdestroy'], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + if int(p.wait()) != 0: + err_msg = 'Failed to kdestroy cashed tickets: %s' % err + raise AdminError, err_msg + + return handle.returncode + + + def _addPrinc(self, args, env): + """ + Add Principal + """ + msg = 'addprinc -pw a %s' % args + p = Popen(['kadmin.local' ], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate(msg) + if int(p.wait()) != 0: + err_msg = 'Failed to add principal %s' % err_msg + raise AdminError, err_msg + + + def _crossRealm(self, r_local, r_remote, env): + """ + Croos-realm setup + """ + msg = 'addprinc -pw a krbtgt/%s@%s' % (r_remote, r_local) + p = 
Popen(['kadmin.local' ], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate(msg) + if int(p.wait()) != 0: + err_msg = 'Failed to set cross-realm: %s' % err + raise AdminError, err_msg + + msg = 'addprinc -pw a krbtgt/%s@%s' % (r_local, r_remote) + p = Popen(['kadmin.local' ], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate(msg) + if int(p.wait()) != 0: + err_msg = 'Failed to set cross-realm: %s' % err + raise AdminError, err_msg + + + def _launchRefKDC(self,test_env): + """ + Launch referral KDC + """ + test_env["KRB5_CONFIG"] = '%s/krb5.conf' % self._sandboxTier1 + test_env["KRB5_KDC_PROFILE"] = '%s/kdc.conf' % self._sandboxTier1 + server_args = '-n' + if self._tier1Init == False: + # Create adequate to the environment config files + self._createFileFromTemplate('%s' % test_env["KRB5_CONFIG"], + '%s/%s' % (self._confDir,'krb5_ref_template.conf'), + self._vars) + self._createFileFromTemplate('%s' % test_env["KRB5_KDC_PROFILE"], + '%s/%s' % (self._confDir, 'kdc_ref_template.conf'), + self._vars) + + # create DB for KDC to be referred to + pid = self._createDB(test_env) + + # launch KDC to be referred to + self._pidRefKDC = self._launchKDC(1, server_args, test_env) + + # The tests run against 'testHost/mybox.mit.edu' srv. 
+ args = 'testHost/mybox.mit.edu' + self._addPrinc(args, test_env) + self._crossRealm('Z.COM', 'Y.COM', test_env) + self._tier1Init = True + + + def _launchTestingPair(self, srvParam,clntParam): + # launch KDC + server_env = os.environ.copy() + server_env["KRB5_KDC_PROFILE"] = '%s/kdc.conf' % self._sandboxTier2 + server_env["KRB5_CONFIG"] = '%s/krb5_KDC.conf' % self._sandboxTier2 + server_args = '-n' + self._createFileFromTemplate('%s' % server_env["KRB5_CONFIG"], + '%s/%s' % (self._confDir,srvParam), + self._vars) + self._createFileFromTemplate('%s' % server_env["KRB5_KDC_PROFILE"], + '%s/%s' % (self._confDir,'kdc_pri_template.conf'), + self._vars) + if self._tier2Init == False: + pid = self._createDB(server_env) + self._crossRealm('Y.COM', 'Z.COM', server_env) + self._tier2Init = True + + server = self._launchKDC( 2, server_args, server_env) + + # launch client + client_env = os.environ.copy() + client_env["KRB5_CONFIG"] = '%s/krb5_CL.conf' % self._sandboxTier2 + self._createFileFromTemplate('%s' % client_env["KRB5_CONFIG"], + '%s/%s' % (self._confDir, 'krb5_priCL_template.conf'), + self._vars) + client_env["KRB5_KDC_PROFILE"] = server_env["KRB5_KDC_PROFILE"] + rc = self._launchClient(clntParam, client_env) + self._kill(server) + return rc + + + def run(self, args): + """ + run the test + """ + test_env = os.environ.copy() + test_env["SRCDIR"] = '%s' % self._buildDir + + # create sandbox file directory if it does not exist + self._prepSandbox() + + if self._tier1Init == False: + self._launchRefKDC(test_env) + + result = dict() + for princs in self._principals: + for conf in self._configurations: + rc = self._launchTestingPair( conf['confName'], princs % self._vars) + result[conf['confName']] = {'expected':conf['expected'], 'actual':rc} + print 'Test code for configuration %s principal %s: %s' % (conf, princs, rc) + return result + + + def _readTestInputs(self, path): + f = open(path, 'r') + result = [] + for line in f: + result.append(line.rstrip()) + f.close() + 
return result + + + def _readServerConfiguration(self, path): + f = open(path, 'r') + result = [] + for line in f: + fields = (line.rstrip()).split(',') + result.append({'confName':fields[0],'expected':fields[1]}) + f.close() + return result + + + def _testSetup(self, path): + print path + f = open(path, 'r') + result = dict() + for line in f: + try: + (a,v) = line.rstrip().split('=') + result[a]=v + except: + print 'bad format for config file, line: %s' % line + return None + f.close() + return result + + + def _createFileFromTemplate(self, outpath, template, vars): + fin = open(template, 'r') + result = fin.read() % vars + fin.close() + fout = open(outpath, 'w') + fout.write(result) + fout.close() + + + def _getDNS(self): + print socket.getfqdn() + + + def printTestResults(self, testResults): + success_count = 0 + fail_count = 0 + print '\n' + print '------------------- Test Results ------------------------' + for (conf_name, result) in testResults.iteritems(): + if int(result['expected']) == int(result['actual']): + print 'Test for configuration %s has succeeded' % conf_name + success_count += 1 + else: + print 'Test for configuration %s has failed' % conf_name + fail_count += 1 + + print '------------------- Summary -----------------------------' + print 'Of %i tests %i failed, %i succeeded' % (len(testResults), + fail_count, + success_count) + print '---------------------------------------------------------' + + + def clean(self): + self._kill() + + +if __name__ == '__main__': + src_path = os.environ["PWD"] + print "SOURCE PATH ==>" , src_path + test = None + try: + test = Launcher(src_path) + result = test.run('main') + test.clean() + test.printTestResults(result) + + except: + if test is not None: + test.clean() + raise Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: 
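Review bot: `_prepSandbox` creates each tier directory with `os.makedirs(tierdir, 0777)`, and those directories then receive the KDC database, the stash file written by `kdb5_util create -s` and the generated config files. Depending on umask, other local users may be able to list, read or replace them while the test runs; `os.makedirs(tierdir, 0700)` is enough for the test. `_launchClient` also runs `kinit` and `kdestroy` without setting `KRB5CCNAME` in `env`, so they appear to act on the invoking user's default credential cache. Pointing it at a file under the sandbox, e.g. `client_env["KRB5CCNAME"] = 'FILE:%s/krb5cc_test' % self._sandboxTier2`, keeps the test from overwriting and destroying real tickets. Separately, `_addPrinc` formats its error with `% err_msg` before `err_msg` exists, which raises `UnboundLocalError` instead of `AdminError`; it should be `% err`.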
branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf 
___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf ___________________________________________________________________ Name: svn:executable + * Property changes on: branches/krb5-1-7/src/tests/kdc_realm/kdcref.py ___________________________________________________________________ Name: svn:executable + * From tlyu at MIT.EDU Mon Apr 13 16:26:22 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:22 -0400 Subject: svn rev #22202: branches/krb5-1-7/src/config-files/ Message-ID: <200904132026.n3DKQMPL031274@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22202 Commit By: tlyu Log Message: ticket: 6398 version_fixed: 1.7 pull up r22038 from trunk ticket: 6398 subject: remove obsolete GNU.ORG realm info target_version: 1.7 tags: pullup Our sample krb5.conf has obsolete info on the GNU.ORG realm; the DNS entries named don't exist, and AFAIK this hasn't been accurate in years. (I don't even know if they're currently running a Kerberos realm.) Changed Files: U branches/krb5-1-7/src/config-files/krb5.conf Modified: branches/krb5-1-7/src/config-files/krb5.conf =================================================================== --- branches/krb5-1-7/src/config-files/krb5.conf 2009-04-13 20:26:18 UTC (rev 22201) +++ branches/krb5-1-7/src/config-files/krb5.conf 2009-04-13 20:26:22 UTC (rev 22202) @@ -2,6 +2,7 @@ default_realm = ATHENA.MIT.EDU [realms] +# use "kdc = ..." if realm admins haven't put SRV records into DNS ATHENA.MIT.EDU = { admin_server = KERBEROS.MIT.EDU default_domain = MIT.EDU 
@@ -13,12 +14,6 @@ ANDREW.CMU.EDU = { admin_server = vice28.fs.andrew.cmu.edu } -# use "kdc =" if realm admins haven't put SRV records into DNS - GNU.ORG = { - kdc = kerberos.gnu.org - kdc = kerberos-2.gnu.org - admin_server = kerberos.gnu.org - } [domain_realm] .mit.edu = ATHENA.MIT.EDU From tlyu at MIT.EDU Mon Apr 13 16:26:36 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:36 -0400 Subject: svn rev #22207: branches/krb5-1-7/src/ include/ lib/krb5/ lib/krb5/asn.1/ lib/krb5/krb/ Message-ID: <200904132026.n3DKQaim031502@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22207 Commit By: tlyu Log Message: ticket: 6425 version_fixed: 1.7 pull up r21927, r21928, r21940, r21969, r21981, r22004 from trunk ------------------------------------------------------------------------ r22004 | ghudson | 2009-02-13 17:05:48 -0500 (Fri, 13 Feb 2009) | 3 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c M /trunk/src/lib/krb5/asn.1/asn1_k_decode.h M /trunk/src/lib/krb5/asn.1/krb5_decode.c Correct numerous memory leaks on error conditions in the ASN.1 decoder functions. ------------------------------------------------------------------------ r21981 | ghudson | 2009-02-12 13:21:33 -0500 (Thu, 12 Feb 2009) | 4 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_encode.c M /trunk/src/lib/krb5/asn.1/asn1buf.c Modify asn12krb5_buf and asn1_do_full_encode to make output parameter values well-defined on error. Clean up memory handling and an unused variable in asn1_do_full_encode. ------------------------------------------------------------------------ r21969 | ghudson | 2009-02-11 15:18:43 -0500 (Wed, 11 Feb 2009) | 6 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/lib/krb5/krb/kfree.c M /trunk/src/lib/krb5/libkrb5.exports Ensure we have a free function for every data type we have an ASN.1 decoder for. Export the new free functions, but only declare them in k5-int.h since they shouldn't be needed by applications. Also export a couple of encoder and decoder functions not previously exported. 
------------------------------------------------------------------------ r21940 | ghudson | 2009-02-09 21:01:58 -0500 (Mon, 09 Feb 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/asn.1/krb5_decode.c Adjust the structure of krb5_decode.c functions to initialize output parameters to NULL and not set them to the real values until a successful return is guaranteed. Also fix get_eoc which was returning without clean_return. ------------------------------------------------------------------------ r21928 | ghudson | 2009-02-09 16:25:53 -0500 (Mon, 09 Feb 2009) | 4 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1buf.c M /trunk/src/lib/krb5/asn.1/asn1buf.h M /trunk/src/lib/krb5/asn.1/krb5_encode.c Make asn1buf_destroy return void, since it's a free function. In krb5_encode.c functions, make *code well-defined in case of error, and clean up some memory leaks. ------------------------------------------------------------------------ r21927 | ghudson | 2009-02-09 16:23:00 -0500 (Mon, 09 Feb 2009) | 3 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c In asn1_k_encode.c, stop inconsistently destroying buf on some errors. It belongs to the caller. 
Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_encode.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.h U branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c U branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c U branches/krb5-1-7/src/lib/krb5/krb/kfree.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-13 20:26:35 UTC (rev 22207) @@ -2537,6 +2537,12 @@ (krb5_context, krb5_pwd_data *); void KRB5_CALLCONV krb5_free_pwd_sequences (krb5_context, passwd_phrase_element **); +void KRB5_CALLCONV krb5_free_passwd_phrase_element + (krb5_context, passwd_phrase_element *); +void KRB5_CALLCONV krb5_free_alt_method + (krb5_context, krb5_alt_method *); +void KRB5_CALLCONV krb5_free_enc_data + (krb5_context, krb5_enc_data *); krb5_error_code krb5_set_config_files (krb5_context, const char **); Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_encode.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_encode.c 2009-04-13 20:26:35 UTC (rev 22207) 
@@ -675,20 +675,26 @@ { unsigned int length; asn1_error_code retval; - unsigned int sum = 0; asn1buf *buf = NULL; + krb5_data *d; - if (rep == NULL) return ASN1_MISSING_FIELD; + *code = NULL; + if (rep == NULL) + return ASN1_MISSING_FIELD; + retval = asn1buf_create(&buf); if (retval) return retval; retval = krb5int_asn1_encode_a_thing(buf, rep, a, &length); if (retval) - return retval; - sum += length; - retval = asn12krb5_buf(buf, code); + goto cleanup; + retval = asn12krb5_buf(buf, &d); + if (retval) + goto cleanup; + *code = d; +cleanup: asn1buf_destroy(&buf); return retval; } Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-13 20:26:35 UTC (rev 22207) @@ -30,6 +30,8 @@ #include "asn1_get.h" #include "asn1_misc.h" +#define clean_return(val) { retval = val; goto error_out; } + /* Declare useful decoder variables. */ #define setup() \ asn1_error_code retval; \ @@ -44,7 +46,7 @@ #define next_tag() \ { taginfo t2; \ retval = asn1_get_tag_2(&subbuf, &t2); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ /* Copy out to match previous functionality, until better integrated. */ \ asn1class = t2.asn1class; \ construction = t2.construction; \ 
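Review bot: `clean_return` in the asn1_k_decode.c hunk at `-30,6 +30,8` is a bare brace block, so every `if (retval) clean_return(retval);` expands to a block followed by an empty statement and does not compose with a following `else`. Defining it as `#define clean_return(val) do { retval = (val); goto error_out; } while (0)` keeps all call sites unchanged and parenthesizes the argument. The multi-statement `alloc_field`, `alloc_principal` and `alloc_data` macros in the next hunk have the same shape and are only safe because their callers brace them. A short comment stating that any function using these macros must declare `retval` and provide an `error_out:` label would make the contract explicit.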
@@ -71,21 +73,38 @@ #define get_eoc() \ { \ retval = asn1_get_eoc_tag(&subbuf); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ } -#define alloc_field(var, type) \ - var = (type*)calloc(1, sizeof(type)); \ - if ((var) == NULL) return ENOMEM +#define alloc_field(var) \ + var = calloc(1, sizeof(*var)); \ + if ((var) == NULL) clean_return(ENOMEM) +/* + * Allocate a principal and initialize enough fields for + * krb5_free_principal to have defined behavior. + */ +#define alloc_principal(var) \ + alloc_field(var); \ + var->realm.data = NULL; \ + var->data = NULL + +/* + * Allocate a data structure and initialize enough fields for + * krb5_free_data to have defined behavior. + */ +#define alloc_data(var) \ + alloc_field(var); \ + var->data = NULL + /* Fetch an expected APPLICATION class tag and verify. */ #define apptag(tagexpect) \ { \ taginfo t1; \ retval = asn1_get_tag_2(buf, &t1); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ if (t1.asn1class != APPLICATION || t1.construction != CONSTRUCTED || \ - t1.tagnum != (tagexpect)) return ASN1_BAD_ID; \ + t1.tagnum != (tagexpect)) clean_return(ASN1_BAD_ID); \ /* Copy out to match previous functionality, until better integrated. */ \ asn1class = t1.asn1class; \ construction = t1.construction; \ @@ -104,7 +123,7 @@ */ #define get_field_body(var, decoder) \ retval = decoder(&subbuf, &(var)); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ if (!taglen && indef) { get_eoc(); } \ next_tag() @@ -115,7 +134,7 @@ * if not. */ #define error_if_bad_tag(tagexpect) \ - if (tagnum != (tagexpect)) { return (tagnum < (tagexpect)) ? ASN1_MISPLACED_FIELD : ASN1_MISSING_FIELD; } + if (tagnum != (tagexpect)) { clean_return((tagnum < (tagexpect)) ? ASN1_MISPLACED_FIELD : ASN1_MISSING_FIELD); } /* * get_field 
@@ -128,7 +147,7 @@ error_if_bad_tag(tagexpect); \ if ((asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \ && (tagnum || taglen || asn1class != UNIVERSAL)) \ - return ASN1_BAD_ID; \ + clean_return(ASN1_BAD_ID); \ get_field_body(var,decoder) /* @@ -143,7 +162,7 @@ if (asn1buf_remains(&subbuf, seqindef)) { \ if ((asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \ && (tagnum || taglen || asn1class != UNIVERSAL)) \ - return ASN1_BAD_ID; \ + clean_return(ASN1_BAD_ID); \ if (tagnum == (tagexpect)) { \ get_field_body(var, decoder); \ } else var = optvalue; \ @@ -154,7 +173,7 @@ /* similar to get_field_body */ #define get_lenfield_body(len, var, decoder) \ retval = decoder(&subbuf, &(len), &(var)); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ if (!taglen && indef) { get_eoc(); } \ next_tag() @@ -163,7 +182,7 @@ error_if_bad_tag(tagexpect); \ if ((asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \ && (tagnum || taglen || asn1class != UNIVERSAL)) \ - return ASN1_BAD_ID; \ + clean_return(ASN1_BAD_ID); \ get_lenfield_body(len, var, decoder) /* similar to opt_field */ 
@@ -176,20 +195,20 @@ * Deal with implicitly tagged fields */ #define get_implicit_octet_string(len, var, tagexpect) \ - if (tagnum != (tagexpect)) return ASN1_MISSING_FIELD; \ + if (tagnum != (tagexpect)) clean_return(ASN1_MISSING_FIELD); \ if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \ - return ASN1_BAD_ID; \ + clean_return(ASN1_BAD_ID); \ retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ (len) = taglen; \ next_tag() #define opt_implicit_octet_string(len, var, tagexpect) \ if (tagnum == (tagexpect)) { \ if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \ - return ASN1_BAD_ID; \ + clean_return(ASN1_BAD_ID); \ retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ (len) = taglen; \ next_tag(); \ } else { (len) = 0; (var) = NULL; } @@ -206,9 +225,9 @@ int seqindef; \ int indef; \ retval = asn1_get_sequence(buf, &length, &seqindef); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ retval = asn1buf_imbed(&subbuf, buf, length, seqindef); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ next_tag() /* @@ -221,15 +240,15 @@ int seqindef; \ int indef; \ retval = asn1_get_sequence(buf, &length, &seqindef); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ retval = asn1buf_imbed(&subbuf, buf, length, seqindef); \ - if (retval) return retval + if (retval) clean_return(retval) /* skip trailing garbage */ #define end_structure() \ retval = asn1buf_sync(buf, &subbuf, asn1class, tagnum, \ length, indef, seqindef); \ - if (retval) return retval + if (retval) clean_return(retval) /* * begin_choice @@ -244,7 +263,7 @@ int indef; \ taginfo t; \ retval = asn1_get_tag_2(buf, &t); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ tagnum = t.tagnum; \ taglen = t.length; \ indef = t.indef; \ 
@@ -253,14 +272,14 @@ asn1class = t.asn1class; \ construction = t.construction; \ retval = asn1buf_imbed(&subbuf, buf, length, seqindef); \ - if (retval) return retval + if (retval) clean_return(retval) /* skip trailing garbage */ #define end_choice() \ length -= t.length; \ retval = asn1buf_sync(buf, &subbuf, t.asn1class, t.tagnum, \ length, t.indef, seqindef); \ - if (retval) return retval + if (retval) clean_return(retval) /* * sequence_of @@ -295,13 +314,12 @@ * does not prefetch the next tag. */ #define sequence_of_common(buf) \ - int size = 0; \ asn1buf seqbuf; \ int seqofindef; \ retval = asn1_get_sequence(buf, &length, &seqofindef); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ retval = asn1buf_imbed(&seqbuf, buf, length, seqofindef); \ - if (retval) return retval + if (retval) clean_return(retval) /* * end_sequence_of @@ -313,7 +331,7 @@ { \ taginfo t4; \ retval = asn1_get_tag_2(&seqbuf, &t4); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ /* Copy out to match previous functionality, until better integrated. */ \ asn1class = t4.asn1class; \ construction = t4.construction; \ @@ -323,7 +341,7 @@ } \ retval = asn1buf_sync(buf, &seqbuf, asn1class, tagnum, \ length, indef, seqofindef); \ - if (retval) return retval; + if (retval) clean_return(retval); /* * end_sequence_of_no_tagvars 
@@ -348,8 +366,28 @@ #define end_sequence_of_no_tagvars(buf) \ end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef) -#define cleanup() \ - return 0 +/* + * Function body for a pointer decoder, which allocates a pointer + * field and invokes a structure decoder to fill it in. Pointer + * decoders always fill in their output parameters with NULL (on + * error) or a valid constructed structure, making cleanup easier on + * callers. + */ +#define decode_ptr(type, structure_decoder) \ + type val; \ + asn1_error_code retval; \ +\ + *valptr = NULL; \ + val = calloc(1, sizeof(*val)); \ + if (!val) \ + return ENOMEM; \ + retval = structure_decoder(buf, val); \ + if (retval) { \ + free(val); \ + return retval; \ + } \ + *valptr = val; \ + return 0; /* scalars */ asn1_error_code asn1_decode_kerberos_time(asn1buf *buf, krb5_timestamp *val) @@ -430,25 +468,27 @@ asn1_error_code asn1_decode_principal_name(asn1buf *buf, krb5_principal *val) { + int size = 0, i; + krb5_data *array = NULL, *new_array; + setup(); { begin_structure(); get_field((*val)->type,0,asn1_decode_int32); { sequence_of_no_tagvars(&subbuf); while (asn1buf_remains(&seqbuf,seqofindef) > 0) { + unsigned int len; + char *str; + + new_array = realloc(array, (size + 1) * sizeof(krb5_data)); + if (new_array == NULL) clean_return(ENOMEM); + array = new_array; + retval = asn1_decode_generalstring(&seqbuf, &len, &str); + if (retval) clean_return(retval); + array[size].data = str; + array[size].length = len; size++; - if ((*val)->data == NULL) - (*val)->data = (krb5_data*)malloc(size*sizeof(krb5_data)); - else - (*val)->data = (krb5_data*)realloc((*val)->data, - size*sizeof(krb5_data)); - if ((*val)->data == NULL) return ENOMEM; - retval = asn1_decode_generalstring(&seqbuf, - &((*val)->data[size-1].length), - &((*val)->data[size-1].data)); - if (retval) return retval; } - (*val)->length = size; end_sequence_of_no_tagvars(&subbuf); } if (indef) { 
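Review bot: `decode_ptr` releases only the outer allocation on failure (`free(val)`), so it is leak-free only if every `structure_decoder` frees the fields it allocated before returning an error. The macro comment states what callers get but not this requirement on the decoder. I would extend the comment with a line such as `structure_decoder must release any fields it allocated when it fails; only the container is freed here`. The expansion also ends in `return 0;`, so each `decode_ptr(...);` call site carries a stray empty statement.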
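Review bot: In `asn1_decode_principal_name` (hunk `-430,25 +468,27`) the growth step `realloc(array, (size + 1) * sizeof(krb5_data))` multiplies an input-driven count with no overflow guard, while `array_expand` later in this file checks the multiplication before calling realloc. The count is presumably bounded by the encoded length, but the two paths should agree. `new_array = array_expand(array, size + 1, sizeof(krb5_data));` would reuse the existing check, although `array_expand` is defined further down and would need a forward declaration or to be moved. The function's `error_out` label is in the following hunk.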
@@ -456,38 +496,65 @@ } next_tag(); end_structure(); - (*val)->magic = KV5M_PRINCIPAL; } - cleanup(); + (*val)->data = array; + (*val)->length = size; + (*val)->magic = KV5M_PRINCIPAL; + return 0; +error_out: + for (i = 0; i < size; i++) + free(array[i].data); + free(array); + return retval; } asn1_error_code asn1_decode_checksum(asn1buf *buf, krb5_checksum *val) { setup(); + val->contents = NULL; { begin_structure(); get_field(val->checksum_type,0,asn1_decode_cksumtype); get_lenfield(val->length,val->contents,1,asn1_decode_octetstring); end_structure(); val->magic = KV5M_CHECKSUM; } - cleanup(); + return 0; +error_out: + free(val->contents); + return retval; } +asn1_error_code asn1_decode_checksum_ptr(asn1buf *buf, krb5_checksum **valptr) +{ + decode_ptr(krb5_checksum *, asn1_decode_checksum); +} + asn1_error_code asn1_decode_encryption_key(asn1buf *buf, krb5_keyblock *val) { setup(); + val->contents = NULL; { begin_structure(); get_field(val->enctype,0,asn1_decode_enctype); get_lenfield(val->length,val->contents,1,asn1_decode_octetstring); end_structure(); val->magic = KV5M_KEYBLOCK; } - cleanup(); + return 0; +error_out: + free(val->contents); + return retval; } +asn1_error_code +asn1_decode_encryption_key_ptr(asn1buf *buf, krb5_keyblock **valptr) +{ + decode_ptr(krb5_keyblock *, asn1_decode_encryption_key); +} + asn1_error_code asn1_decode_encrypted_data(asn1buf *buf, krb5_enc_data *val) { setup(); + val->ciphertext.data = NULL; { begin_structure(); get_field(val->enctype,0,asn1_decode_enctype); opt_field(val->kvno,1,asn1_decode_kvno,0); @@ -495,7 +562,11 @@ end_structure(); val->magic = KV5M_ENC_DATA; } - cleanup(); + return 0; +error_out: + free(val->ciphertext.data); + val->ciphertext.data = NULL; + return retval; } asn1_error_code asn1_decode_krb5_flags(asn1buf *buf, krb5_flags *val) 
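Review bot: The new `error_out` paths in `asn1_decode_checksum` and `asn1_decode_encryption_key` call `free(val->contents)` but leave the freed pointer in the caller's structure. `asn1_decode_encrypted_data` in the same hunk resets `ciphertext.data` after freeing. If a caller later runs its own free routine on that structure (the callers are not visible here), the result is a double free, and adding `val->contents = NULL;` after each `free` closes it. For the keyblock, partially decoded key bytes are also released without being cleared. Using `krb5_free_keyblock_contents(NULL, val);` in place of the bare `free` should, as far as I know, zero the key and reset the pointer in one call.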
@@ -551,21 +622,28 @@ asn1_error_code asn1_decode_transited_encoding(asn1buf *buf, krb5_transited *val) { setup(); + val->tr_contents.data = NULL; { begin_structure(); get_field(val->tr_type,0,asn1_decode_octet); get_lenfield(val->tr_contents.length,val->tr_contents.data,1,asn1_decode_charstring); end_structure(); val->magic = KV5M_TRANSITED; } - cleanup(); + return 0; +error_out: + krb5_free_data_contents(NULL, &val->tr_contents); + return retval; } asn1_error_code asn1_decode_enc_kdc_rep_part(asn1buf *buf, krb5_enc_kdc_rep_part *val) { setup(); + val->session = NULL; + val->last_req = NULL; + val->server = NULL; + val->caddrs = NULL; { begin_structure(); - alloc_field(val->session,krb5_keyblock); - get_field(*(val->session),0,asn1_decode_encryption_key); + get_field(val->session,0,asn1_decode_encryption_key_ptr); get_field(val->last_req,1,asn1_decode_last_req); get_field(val->nonce,2,asn1_decode_int32); opt_field(val->key_exp,3,asn1_decode_kerberos_time,0); @@ -575,7 +653,7 @@ opt_field(val->times.starttime,6,asn1_decode_kerberos_time,val->times.authtime); get_field(val->times.endtime,7,asn1_decode_kerberos_time); opt_field(val->times.renew_till,8,asn1_decode_kerberos_time,0); - alloc_field(val->server,krb5_principal_data); + alloc_principal(val->server); get_field(val->server,9,asn1_decode_realm); get_field(val->server,10,asn1_decode_principal_name); opt_field(val->caddrs,11,asn1_decode_host_addresses,NULL); @@ -583,7 +661,17 @@ end_structure(); val->magic = KV5M_ENC_KDC_REP_PART; } - cleanup(); + return 0; +error_out: + krb5_free_keyblock(NULL, val->session); + krb5_free_last_req(NULL, val->last_req); + krb5_free_principal(NULL, val->server); + krb5_free_addresses(NULL, val->caddrs); + val->session = NULL; + val->last_req = NULL; + val->server = NULL; + val->caddrs = NULL; + return retval; } asn1_error_code asn1_decode_ticket(asn1buf *buf, krb5_ticket *val) 
@@ -591,11 +679,14 @@ setup(); unsigned int applen; apptag(1); + val->server = NULL; + val->enc_part.ciphertext.data = NULL; + val->enc_part2 = NULL; { begin_structure(); { krb5_kvno vno; get_field(vno,0,asn1_decode_kvno); - if (vno != KVNO) return KRB5KDC_ERR_BAD_PVNO; } - alloc_field(val->server,krb5_principal_data); + if (vno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } + alloc_principal(val->server); get_field(val->server,1,asn1_decode_realm); get_field(val->server,2,asn1_decode_principal_name); get_field(val->enc_part,3,asn1_decode_encrypted_data); 
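Review bot: In `asn1_decode_ticket` the new initialisations of `val->server`, `val->enc_part.ciphertext.data` and `val->enc_part2` come after `apptag(1);`, but with this commit `apptag` jumps to `error_out` on failure. The `error_out` block (in the next hunk) passes `val->server` and `val->enc_part.ciphertext` to free functions. A bad application tag would therefore free whatever the caller left in those fields, unless the structure was zeroed beforehand as `decode_ptr` does with calloc. Moving the three assignments to just after `unsigned int applen;` and before `apptag(1);` makes the error path safe for any caller.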
@@ -605,41 +696,64 @@ if (!applen) { taginfo t; retval = asn1_get_tag_2(buf, &t); - if (retval) return retval; + if (retval) clean_return(retval); } - cleanup(); + return 0; +error_out: + krb5_free_principal(NULL, val->server); + krb5_free_data_contents(NULL, &val->enc_part.ciphertext); + val->server = NULL; + return retval; } +asn1_error_code +asn1_decode_ticket_ptr(asn1buf *buf, krb5_ticket **valptr) +{ + decode_ptr(krb5_ticket *, asn1_decode_ticket); +} + asn1_error_code asn1_decode_kdc_req(asn1buf *buf, krb5_kdc_req *val) { setup(); + val->padata = NULL; { begin_structure(); { krb5_kvno kvno; get_field(kvno,1,asn1_decode_kvno); - if (kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; } + if (kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } get_field(val->msg_type,2,asn1_decode_msgtype); opt_field(val->padata,3,asn1_decode_sequence_of_pa_data,NULL); get_field(*val,4,asn1_decode_kdc_req_body); end_structure(); val->magic = KV5M_KDC_REQ; } - cleanup(); + return 0; +error_out: + krb5_free_pa_data(NULL, val->padata); + val->padata = NULL; + return retval; } asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) { setup(); + val->client = NULL; + val->server = NULL; + val->ktype = NULL; + val->addresses = NULL; + val->authorization_data.ciphertext.data = NULL; + val->unenc_authdata = NULL; + val->second_ticket = NULL; { krb5_principal psave; begin_structure(); get_field(val->kdc_options,0,asn1_decode_kdc_options); - if (tagnum == 1) { alloc_field(val->client,krb5_principal_data); } + if (tagnum == 1) { alloc_principal(val->client); } opt_field(val->client,1,asn1_decode_principal_name,NULL); - alloc_field(val->server,krb5_principal_data); + alloc_principal(val->server); get_field(val->server,2,asn1_decode_realm); if (val->client != NULL) { retval = asn1_krb5_realm_copy(val->client,val->server); - if (retval) return retval; } + if (retval) clean_return(retval); } /* If opt_field server is missing, memory reference to server is lost and results in memory 
leak */ 
@@ -672,72 +786,119 @@ end_structure(); val->magic = KV5M_KDC_REQ; } - cleanup(); + return 0; +error_out: + krb5_free_principal(NULL, val->client); + krb5_free_principal(NULL, val->server); + free(val->ktype); + krb5_free_addresses(NULL, val->addresses); + krb5_free_data_contents(NULL, &val->authorization_data.ciphertext); + krb5_free_tickets(NULL, val->second_ticket); + val->client = NULL; + val->server = NULL; + val->ktype = NULL; + val->addresses = NULL; + val->unenc_authdata = NULL; + val->second_ticket = NULL; + return retval; } asn1_error_code asn1_decode_krb_safe_body(asn1buf *buf, krb5_safe *val) { setup(); + val->user_data.data = NULL; + val->r_address = NULL; + val->s_address = NULL; + val->checksum = NULL; { begin_structure(); get_lenfield(val->user_data.length,val->user_data.data,0,asn1_decode_charstring); opt_field(val->timestamp,1,asn1_decode_kerberos_time,0); opt_field(val->usec,2,asn1_decode_int32,0); opt_field(val->seq_number,3,asn1_decode_seqnum,0); - alloc_field(val->s_address,krb5_address); - get_field(*(val->s_address),4,asn1_decode_host_address); + get_field(val->s_address,4,asn1_decode_host_address_ptr); if (tagnum == 5) { - alloc_field(val->r_address,krb5_address); - get_field(*(val->r_address),5,asn1_decode_host_address); - } else val->r_address = NULL; + get_field(val->r_address,5,asn1_decode_host_address_ptr); + } end_structure(); val->magic = KV5M_SAFE; } - cleanup(); + return 0; +error_out: + krb5_free_data_contents(NULL, &val->user_data); + krb5_free_address(NULL, val->r_address); + krb5_free_address(NULL, val->s_address); + val->r_address = NULL; + val->s_address = NULL; + return retval; } asn1_error_code asn1_decode_host_address(asn1buf *buf, krb5_address *val) { setup(); + val->contents = NULL; { begin_structure(); get_field(val->addrtype,0,asn1_decode_addrtype); get_lenfield(val->length,val->contents,1,asn1_decode_octetstring); end_structure(); val->magic = KV5M_ADDRESS; } - cleanup(); + return 0; +error_out: + free(val->contents); 
+ val->contents = NULL; + return retval; } +asn1_error_code +asn1_decode_host_address_ptr(asn1buf *buf, krb5_address **valptr) +{ + decode_ptr(krb5_address *, asn1_decode_host_address); +} + asn1_error_code asn1_decode_kdc_rep(asn1buf *buf, krb5_kdc_rep *val) { setup(); + val->padata = NULL; + val->client = NULL; + val->ticket = NULL; + val->enc_part.ciphertext.data = NULL; + val->enc_part2 = NULL; { begin_structure(); { krb5_kvno pvno; get_field(pvno,0,asn1_decode_kvno); - if (pvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; } + if (pvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } get_field(val->msg_type,1,asn1_decode_msgtype); opt_field(val->padata,2,asn1_decode_sequence_of_pa_data,NULL); - alloc_field(val->client,krb5_principal_data); + alloc_principal(val->client); get_field(val->client,3,asn1_decode_realm); get_field(val->client,4,asn1_decode_principal_name); - alloc_field(val->ticket,krb5_ticket); - get_field(*(val->ticket),5,asn1_decode_ticket); + get_field(val->ticket,5,asn1_decode_ticket_ptr); get_field(val->enc_part,6,asn1_decode_encrypted_data); end_structure(); val->magic = KV5M_KDC_REP; } - cleanup(); + return 0; +error_out: + krb5_free_pa_data(NULL, val->padata); + krb5_free_principal(NULL, val->client); + krb5_free_ticket(NULL, val->ticket); + krb5_free_data_contents(NULL, &val->enc_part.ciphertext); + val->padata = NULL; + val->client = NULL; + val->ticket = NULL; + val->enc_part.ciphertext.data = NULL; + return retval; } /* arrays */ #define get_element(element,decoder)\ -retval = decoder(&seqbuf,element);\ -if (retval) return retval +retval = decoder(&seqbuf,&element);\ +if (retval) clean_return(retval) static void * array_expand (void *array, int n_elts, size_t elt_size) { - void *new_array; size_t new_size; if (n_elts <= 0) 
@@ -749,74 +910,120 @@ return NULL; if (new_size / elt_size != (unsigned int) n_elts) return NULL; - new_array = realloc(array, new_size); - return new_array; + return realloc(array, new_size); } #define array_append(array,size,element,type)\ -size++;\ -*(array) = array_expand(*(array), (size+1), sizeof(type*));\ -if (*(array) == NULL) return ENOMEM;\ -(*(array))[(size)-1] = elt + {\ + void *new_array = array_expand(*(array), (size)+2, sizeof(type*));\ + if (new_array == NULL) clean_return(ENOMEM);\ + *(array) = new_array;\ + (*(array))[(size)++] = elt;\ + } -#define decode_array_body(type,decoder)\ +/* + * Function body for array decoders. freefn is expected to look like + * a krb5_free_ function, so we pass a null first argument. + */ +#define decode_array_body(type,decoder,freefn)\ asn1_error_code retval;\ - type *elt;\ + type *elt = NULL, **array;\ + int size = 0, i; \ \ + array = *val = NULL;\ { sequence_of(buf);\ while (asn1buf_remains(&seqbuf,seqofindef) > 0) {\ - alloc_field(elt,type);\ get_element(elt,decoder);\ - array_append(val,size,elt,type);\ + array_append(&array,size,elt,type);\ + elt = NULL;\ }\ - if (*val == NULL)\ - *val = (type **)malloc(sizeof(type*));\ - (*val)[size] = NULL;\ + if (array == NULL)\ + array = malloc(sizeof(type*));\ + array[size] = NULL;\ end_sequence_of(buf);\ }\ - cleanup() + *val = array;\ + return 0;\ +error_out:\ + if (elt)\ + freefn(NULL,elt);\ + for (i = 0; i < size; i++)\ + freefn(NULL,array[i]);\ + free(array);\ + return retval +static void free_authdata_elt(void *dummy, krb5_authdata *val) +{ + free(val->contents); + free(val); +} asn1_error_code asn1_decode_authorization_data(asn1buf *buf, krb5_authdata ***val) { - decode_array_body(krb5_authdata,asn1_decode_authdata_elt); + decode_array_body(krb5_authdata,asn1_decode_authdata_elt_ptr, + free_authdata_elt); } asn1_error_code asn1_decode_authdata_elt(asn1buf *buf, krb5_authdata *val) { setup(); + val->contents = NULL; { begin_structure(); 
get_field(val->ad_type,0,asn1_decode_authdatatype); get_lenfield(val->length,val->contents,1,asn1_decode_octetstring); end_structure(); val->magic = KV5M_AUTHDATA; } - cleanup(); + return 0; +error_out: + free(val->contents); + val->contents = NULL; + return retval; } +asn1_error_code +asn1_decode_authdata_elt_ptr(asn1buf *buf, krb5_authdata **valptr) +{ + decode_ptr(krb5_authdata *, asn1_decode_authdata_elt); +} + asn1_error_code asn1_decode_host_addresses(asn1buf *buf, krb5_address ***val) { - decode_array_body(krb5_address,asn1_decode_host_address); + decode_array_body(krb5_address,asn1_decode_host_address_ptr, + krb5_free_address); } asn1_error_code asn1_decode_sequence_of_ticket(asn1buf *buf, krb5_ticket ***val) { - decode_array_body(krb5_ticket,asn1_decode_ticket); + decode_array_body(krb5_ticket,asn1_decode_ticket_ptr,krb5_free_ticket); } +static void free_cred_info(void *dummy, krb5_cred_info *val) +{ + krb5_free_keyblock(NULL, val->session); + krb5_free_principal(NULL, val->client); + krb5_free_principal(NULL, val->server); + krb5_free_addresses(NULL, val->caddrs); + free(val); +} + asn1_error_code asn1_decode_sequence_of_krb_cred_info(asn1buf *buf, krb5_cred_info ***val) { - decode_array_body(krb5_cred_info,asn1_decode_krb_cred_info); + decode_array_body(krb5_cred_info,asn1_decode_krb_cred_info_ptr, + free_cred_info); } asn1_error_code asn1_decode_krb_cred_info(asn1buf *buf, krb5_cred_info *val) { setup(); + val->session = NULL; + val->client = NULL; + val->server = NULL; + val->caddrs = NULL; { begin_structure(); - alloc_field(val->session,krb5_keyblock); - get_field(*(val->session),0,asn1_decode_encryption_key); + get_field(val->session,0,asn1_decode_encryption_key_ptr); if (tagnum == 1) { - alloc_field(val->client,krb5_principal_data); + alloc_principal(val->client); opt_field(val->client,1,asn1_decode_realm,NULL); opt_field(val->client,2,asn1_decode_principal_name,NULL); } opt_field(val->flags,3,asn1_decode_ticket_flags,0); 
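Review bot: In `decode_array_body` the empty-sequence path does `array = malloc(sizeof(type*));` and then writes `array[size] = NULL;` without checking the result. An allocation failure on an empty SEQUENCE OF therefore becomes a NULL dereference instead of ENOMEM. Since the macro now has an `error_out` path, `if (array == NULL) { array = malloc(sizeof(type*)); if (array == NULL) clean_return(ENOMEM); }` fits in directly. Separately, `array_append` ignores its `element` parameter and stores the literal name `elt`. Using `element` in the expansion would avoid a surprise if the macro is ever invoked with a differently named variable.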
@@ -825,36 +1032,74 @@ opt_field(val->times.endtime,6,asn1_decode_kerberos_time,0); opt_field(val->times.renew_till,7,asn1_decode_kerberos_time,0); if (tagnum == 8) { - alloc_field(val->server,krb5_principal_data); + alloc_principal(val->server); opt_field(val->server,8,asn1_decode_realm,NULL); opt_field(val->server,9,asn1_decode_principal_name,NULL); } opt_field(val->caddrs,10,asn1_decode_host_addresses,NULL); end_structure(); val->magic = KV5M_CRED_INFO; } - cleanup(); + return 0; +error_out: + krb5_free_keyblock(NULL, val->session); + krb5_free_principal(NULL, val->client); + krb5_free_principal(NULL, val->server); + krb5_free_addresses(NULL, val->caddrs); + val->session = NULL; + val->client = NULL; + val->server = NULL; + val->caddrs = NULL; + return retval; } +asn1_error_code +asn1_decode_krb_cred_info_ptr(asn1buf *buf, krb5_cred_info **valptr) +{ + decode_ptr(krb5_cred_info *, asn1_decode_krb_cred_info); +} + +static void free_pa_data(void *dummy, krb5_pa_data *val) +{ + free(val->contents); + free(val); +} + asn1_error_code asn1_decode_sequence_of_pa_data(asn1buf *buf, krb5_pa_data ***val) { - decode_array_body(krb5_pa_data,asn1_decode_pa_data); + decode_array_body(krb5_pa_data,asn1_decode_pa_data_ptr,free_pa_data); } asn1_error_code asn1_decode_pa_data(asn1buf *buf, krb5_pa_data *val) { setup(); + val->contents = NULL; { begin_structure(); get_field(val->pa_type,1,asn1_decode_int32); get_lenfield(val->length,val->contents,2,asn1_decode_octetstring); end_structure(); val->magic = KV5M_PA_DATA; } - cleanup(); + return 0; +error_out: + free(val->contents); + val->contents = NULL; + return retval; } +asn1_error_code asn1_decode_pa_data_ptr(asn1buf *buf, krb5_pa_data **valptr) +{ + decode_ptr(krb5_pa_data *, asn1_decode_pa_data); +} + +static void free_last_req_entry(void *dummy, krb5_last_req_entry *val) +{ + free(val); +} + asn1_error_code asn1_decode_last_req(asn1buf *buf, krb5_last_req_entry ***val) { - 
decode_array_body(krb5_last_req_entry,asn1_decode_last_req_entry); + decode_array_body(krb5_last_req_entry,asn1_decode_last_req_entry_ptr, + free_last_req_entry); } asn1_error_code asn1_decode_last_req_entry(asn1buf *buf, krb5_last_req_entry *val) 
@@ -871,147 +1116,222 @@ if ((val->lr_type & 0xffffff80U) == 0x80) val->lr_type |= 0xffffff00U; #endif } - cleanup(); + return 0; +error_out: + return retval; } +asn1_error_code +asn1_decode_last_req_entry_ptr(asn1buf *buf, krb5_last_req_entry **valptr) +{ + decode_ptr(krb5_last_req_entry *, asn1_decode_last_req_entry); +} + asn1_error_code asn1_decode_sequence_of_enctype(asn1buf *buf, int *num, krb5_enctype **val) { + int size = 0; + krb5_enctype *array = NULL, *new_array; + asn1_error_code retval; { sequence_of(buf); while (asn1buf_remains(&seqbuf,seqofindef) > 0) { size++; - if (*val == NULL) - *val = (krb5_enctype*)malloc(size*sizeof(krb5_enctype)); - else - *val = (krb5_enctype*)realloc(*val,size*sizeof(krb5_enctype)); - if (*val == NULL) return ENOMEM; - retval = asn1_decode_enctype(&seqbuf,&((*val)[size-1])); - if (retval) return retval; + new_array = realloc(array,size*sizeof(krb5_enctype)); + if (new_array == NULL) clean_return(ENOMEM); + array = new_array; + retval = asn1_decode_enctype(&seqbuf,&array[size-1]); + if (retval) clean_return(retval); } - *num = size; end_sequence_of(buf); } - cleanup(); + *num = size; + *val = array; + return 0; +error_out: + free(array); + return retval; } asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum ***val) { - decode_array_body(krb5_checksum, asn1_decode_checksum); + decode_array_body(krb5_checksum, asn1_decode_checksum_ptr, + krb5_free_checksum); } +static void free_etype_info_entry(void *dummy, krb5_etype_info_entry *val) +{ + krb5_free_data_contents(NULL, &val->s2kparams); + free(val->salt); + free(val); +} + static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val ) { + char *salt = NULL; + krb5_octet *params = NULL; setup(); + val->salt = NULL; + val->s2kparams.data = NULL; { begin_structure(); get_field(val->etype,0,asn1_decode_enctype); if (tagnum == 1) { - char *salt; get_lenfield(val->length,salt,1,asn1_decode_generalstring); val->salt = 
(krb5_octet *) salt; - } else { + salt = NULL; + } else val->length = KRB5_ETYPE_NO_SALT; - val->salt = 0; - } if ( tagnum ==2) { - krb5_octet *params ; get_lenfield( val->s2kparams.length, params, 2, asn1_decode_octetstring); val->s2kparams.data = ( char *) params; - } else { - val->s2kparams.data = NULL; + params = NULL; + } else val->s2kparams.length = 0; - } end_structure(); val->magic = KV5M_ETYPE_INFO_ENTRY; } - cleanup(); + return 0; +error_out: + free(salt); + free(params); + krb5_free_data_contents(NULL, &val->s2kparams); + free(val->salt); + val->salt = NULL; + return retval; } +static asn1_error_code +asn1_decode_etype_info2_entry_ptr(asn1buf *buf, krb5_etype_info_entry **valptr) +{ + decode_ptr(krb5_etype_info_entry *, asn1_decode_etype_info2_entry); +} + static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); + val->salt = NULL; + val->s2kparams.data = NULL; { begin_structure(); get_field(val->etype,0,asn1_decode_enctype); if (tagnum == 1) { get_lenfield(val->length,val->salt,1,asn1_decode_octetstring); - } else { + } else val->length = KRB5_ETYPE_NO_SALT; - val->salt = 0; - } if ( tagnum ==2) { krb5_octet *params ; get_lenfield( val->s2kparams.length, params, 2, asn1_decode_octetstring); val->s2kparams.data = ( char *) params; - } else { - val->s2kparams.data = NULL; + } else val->s2kparams.length = 0; - } end_structure(); val->magic = KV5M_ETYPE_INFO_ENTRY; } - cleanup(); + return 0; +error_out: + krb5_free_data_contents(NULL, &val->s2kparams); + free(val->salt); + val->salt = NULL; + return retval; } +static asn1_error_code +asn1_decode_etype_info2_entry_1_3_ptr(asn1buf *buf, + krb5_etype_info_entry **valptr) +{ + decode_ptr(krb5_etype_info_entry *, asn1_decode_etype_info2_entry_1_3); +} static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); + val->salt = NULL; + val->s2kparams.data = NULL; { begin_structure(); 
get_field(val->etype,0,asn1_decode_enctype); if (tagnum == 1) { get_lenfield(val->length,val->salt,1,asn1_decode_octetstring); - } else { + } else val->length = KRB5_ETYPE_NO_SALT; - val->salt = 0; - } - val->s2kparams.data = NULL; val->s2kparams.length = 0; end_structure(); val->magic = KV5M_ETYPE_INFO_ENTRY; } - cleanup(); + return 0; +error_out: + free(val->salt); + val->salt = NULL; + return retval; } +static asn1_error_code +asn1_decode_etype_info_entry_ptr(asn1buf *buf, krb5_etype_info_entry **valptr) +{ + decode_ptr(krb5_etype_info_entry *, asn1_decode_etype_info_entry); +} + asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val ) { - decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry); + decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry_ptr, + free_etype_info_entry); } +static asn1_error_code decode_etype_info2_13(asn1buf *buf, krb5_etype_info_entry ***val) +{ + decode_array_body(krb5_etype_info_entry, + asn1_decode_etype_info2_entry_1_3_ptr, + free_etype_info_entry); +} + asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val , krb5_boolean v1_3_behavior) { - if (v1_3_behavior) { + if (v1_3_behavior) + return decode_etype_info2_13(buf, val); + else { decode_array_body(krb5_etype_info_entry, - asn1_decode_etype_info2_entry_1_3); - } else { - decode_array_body(krb5_etype_info_entry, - asn1_decode_etype_info2_entry); + asn1_decode_etype_info2_entry_ptr, + free_etype_info_entry); } } asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val) { setup(); + val->passwd = NULL; + val->phrase = NULL; { begin_structure(); - alloc_field(val->passwd,krb5_data); + alloc_data(val->passwd); get_lenfield(val->passwd->length,val->passwd->data, 0,asn1_decode_charstring); val->passwd->magic = KV5M_DATA; - alloc_field(val->phrase,krb5_data); + alloc_data(val->phrase); get_lenfield(val->phrase->length,val->phrase->data, 1,asn1_decode_charstring); 
val->phrase->magic = KV5M_DATA; end_structure(); val->magic = KV5M_PASSWD_PHRASE_ELEMENT; } - cleanup(); + return 0; +error_out: + krb5_free_data(NULL, val->passwd); + krb5_free_data(NULL, val->phrase); + val->passwd = NULL; + val->phrase = NULL; + return 0; } +asn1_error_code +asn1_decode_passwdsequence_ptr(asn1buf *buf, passwd_phrase_element **valptr) +{ + decode_ptr(passwd_phrase_element *, asn1_decode_passwdsequence); +} + asn1_error_code asn1_decode_sequence_of_passwdsequence(asn1buf *buf, passwd_phrase_element ***val) { - decode_array_body(passwd_phrase_element,asn1_decode_passwdsequence); + decode_array_body(passwd_phrase_element,asn1_decode_passwdsequence_ptr, + krb5_free_passwd_phrase_element); } asn1_error_code asn1_decode_sam_flags(asn1buf *buf, krb5_flags *val) @@ -1026,6 +1346,12 @@ asn1_error_code asn1_decode_sam_challenge(asn1buf *buf, krb5_sam_challenge *val) { setup(); + val->sam_type_name.data = NULL; + val->sam_track_id.data = NULL; + val->sam_challenge_label.data = NULL; + val->sam_response_prompt.data = NULL; + val->sam_pk_for_sad.data = NULL; + val->sam_cksum.contents = NULL; { begin_structure(); get_field(val->sam_type,0,asn1_decode_int32); get_field(val->sam_flags,1,asn1_decode_sam_flags); 
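Review bot: The `error_out:` path added to asn1_decode_passwdsequence ends with `return 0;`, so a failed decode is reported as success after `val->passwd` and `val->phrase` have been freed and set to NULL; it should end with `return retval;` like the other decoders in this patch. The same `return 0;` closes the `error_out:` path of asn1_decode_subject_pk_info in the `@@ -1466,77 +1996,137 @@` hunk. There it also defeats the `if (retval) clean_return(retval);` checks this patch adds after that call in asn1_decode_auth_pack and asn1_decode_auth_pack_draft9. In both places a malformed element would be handed back as a valid but empty structure instead of being rejected, which callers that dereference the result are unlikely to expect.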
@@ -1040,37 +1366,58 @@ end_structure(); val->magic = KV5M_SAM_CHALLENGE; } - cleanup(); + return 0; +error_out: + krb5_free_sam_challenge_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_sam_challenge_2(asn1buf *buf, krb5_sam_challenge_2 *val) { + krb5_checksum **cksump; setup(); + val->sam_challenge_2_body.data = NULL; + val->sam_cksum = NULL; { char *save, *end; size_t alloclen; begin_structure(); - if (tagnum != 0) return ASN1_MISSING_FIELD; + if (tagnum != 0) clean_return(ASN1_MISSING_FIELD); if (asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) - return ASN1_BAD_ID; + clean_return(ASN1_BAD_ID); save = subbuf.next; { sequence_of_no_tagvars(&subbuf); - unused_var(size); end_sequence_of_no_tagvars(&subbuf); } end = subbuf.next; alloclen = end - save; - if ((val->sam_challenge_2_body.data = (char *) malloc(alloclen)) == NULL) - return ENOMEM; + val->sam_challenge_2_body.data = malloc(alloclen); + if (!val->sam_challenge_2_body.data) + clean_return(ENOMEM); val->sam_challenge_2_body.length = alloclen; memcpy(val->sam_challenge_2_body.data, save, alloclen); next_tag(); get_field(val->sam_cksum, 1, asn1_decode_sequence_of_checksum); end_structure(); } - cleanup(); + return 0; +error_out: + krb5_free_data_contents(NULL, &val->sam_challenge_2_body); + if (val->sam_cksum) { + for (cksump = val->sam_cksum; *cksump; cksump++) + krb5_free_checksum(NULL, *cksump); + free(val->sam_cksum); + val->sam_cksum = NULL; + } + return retval; } asn1_error_code asn1_decode_sam_challenge_2_body(asn1buf *buf, krb5_sam_challenge_2_body *val) { setup(); + val->sam_type_name.data = NULL; + val->sam_track_id.data = NULL; + val->sam_challenge_label.data = NULL; + val->sam_challenge.data = NULL; + val->sam_response_prompt.data = NULL; + val->sam_pk_for_sad.data = NULL; { begin_structure(); get_field(val->sam_type,0,asn1_decode_int32); get_field(val->sam_flags,1,asn1_decode_sam_flags); 
@@ -1085,23 +1432,30 @@ end_structure(); val->magic = KV5M_SAM_CHALLENGE; } - cleanup(); + return 0; +error_out: + krb5_free_sam_challenge_2_body_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_enc_sam_key(asn1buf *buf, krb5_sam_key *val) { setup(); + val->sam_key.contents = NULL; { begin_structure(); - /* alloc_field(val->sam_key,krb5_keyblock); */ get_field(val->sam_key,0,asn1_decode_encryption_key); end_structure(); val->magic = KV5M_SAM_KEY; } - cleanup(); + return 0; +error_out: + krb5_free_keyblock_contents(NULL, &val->sam_key); + return retval; } asn1_error_code asn1_decode_enc_sam_response_enc(asn1buf *buf, krb5_enc_sam_response_enc *val) { setup(); + val->sam_sad.data = NULL; { begin_structure(); opt_field(val->sam_nonce,0,asn1_decode_int32,0); opt_field(val->sam_timestamp,1,asn1_decode_kerberos_time,0); @@ -1110,19 +1464,26 @@ end_structure(); val->magic = KV5M_ENC_SAM_RESPONSE_ENC; } - cleanup(); + return 0; +error_out: + krb5_free_enc_sam_response_enc_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_enc_sam_response_enc_2(asn1buf *buf, krb5_enc_sam_response_enc_2 *val) { setup(); + val->sam_sad.data = NULL; { begin_structure(); get_field(val->sam_nonce,0,asn1_decode_int32); opt_string(val->sam_sad,1,asn1_decode_charstring); end_structure(); val->magic = KV5M_ENC_SAM_RESPONSE_ENC_2; } - cleanup(); + return 0; +error_out: + krb5_free_enc_sam_response_enc_2_contents(NULL, val); + return retval; } #define opt_encfield(fld,tag,fn) \ @@ -1139,6 +1500,9 @@ asn1_error_code asn1_decode_sam_response(asn1buf *buf, krb5_sam_response *val) { setup(); + val->sam_track_id.data = NULL; + val->sam_enc_key.ciphertext.data = NULL; + val->sam_enc_nonce_or_ts.ciphertext.data = NULL; { begin_structure(); get_field(val->sam_type,0,asn1_decode_int32); get_field(val->sam_flags,1,asn1_decode_sam_flags); 
@@ -1150,12 +1514,17 @@ end_structure(); val->magic = KV5M_SAM_RESPONSE; } - cleanup(); + return 0; +error_out: + krb5_free_sam_response_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_sam_response_2(asn1buf *buf, krb5_sam_response_2 *val) { setup(); + val->sam_track_id.data = NULL; + val->sam_enc_nonce_or_sad.ciphertext.data = NULL; { begin_structure(); get_field(val->sam_type,0,asn1_decode_int32); get_field(val->sam_flags,1,asn1_decode_sam_flags); 
@@ -1165,57 +1534,82 @@ end_structure(); val->magic = KV5M_SAM_RESPONSE; } - cleanup(); + return 0; +error_out: + krb5_free_sam_response_2_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_predicted_sam_response(asn1buf *buf, krb5_predicted_sam_response *val) { setup(); + val->sam_key.contents = NULL; + val->client = NULL; + val->msd.data = NULL; { begin_structure(); get_field(val->sam_key,0,asn1_decode_encryption_key); get_field(val->sam_flags,1,asn1_decode_sam_flags); get_field(val->stime,2,asn1_decode_kerberos_time); get_field(val->susec,3,asn1_decode_int32); - alloc_field(val->client,krb5_principal_data); + alloc_principal(val->client); get_field(val->client,4,asn1_decode_realm); get_field(val->client,5,asn1_decode_principal_name); opt_string(val->msd,6,asn1_decode_charstring); /* should be octet */ end_structure(); val->magic = KV5M_PREDICTED_SAM_RESPONSE; } - cleanup(); + return 0; +error_out: + krb5_free_predicted_sam_response_contents(NULL, val); + return retval; } asn1_error_code asn1_decode_setpw_req(asn1buf *buf, krb5_data *newpasswd, krb5_principal *principal) { + krb5_principal princ = NULL; setup(); *principal = NULL; + newpasswd->data = NULL; { begin_structure(); get_lenfield(newpasswd->length, newpasswd->data, 0, asn1_decode_charstring); if (tagnum == 1) { - alloc_field(*principal, krb5_principal_data); - opt_field(*principal, 1, asn1_decode_principal_name, 0); - opt_field(*principal, 2, asn1_decode_realm, 0); + alloc_principal(princ); + opt_field(princ, 1, asn1_decode_principal_name, 0); + opt_field(princ, 2, asn1_decode_realm, 0); } end_structure(); } - cleanup(); + *principal = princ; + return 0; +error_out: + krb5_free_data_contents(NULL, newpasswd); + krb5_free_principal(NULL, princ); + return retval; } asn1_error_code asn1_decode_pa_for_user(asn1buf *buf, krb5_pa_for_user *val) { setup(); + val->user = NULL; + val->cksum.contents = NULL; + val->auth_package.data = NULL; { begin_structure(); - alloc_field(val->user, 
krb5_principal_data); + alloc_principal(val->user); get_field(val->user,0,asn1_decode_principal_name); get_field(val->user,1,asn1_decode_realm); get_field(val->cksum,2,asn1_decode_checksum); get_lenfield(val->auth_package.length,val->auth_package.data,3,asn1_decode_generalstring); end_structure(); } - cleanup(); + return 0; +error_out: + krb5_free_principal(NULL, val->user); + krb5_free_checksum_contents(NULL, &val->cksum); + krb5_free_data_contents(NULL, &val->auth_package); + val->user = NULL; + return retval; } asn1_error_code asn1_decode_pa_pac_req(asn1buf *buf, krb5_pa_pac_req *val) @@ -1225,7 +1619,9 @@ get_field(val->include_pac,0,asn1_decode_boolean); end_structure(); } - cleanup(); + return 0; +error_out: + return retval; } #ifndef DISABLE_PKINIT @@ -1234,6 +1630,9 @@ asn1_error_code asn1_decode_external_principal_identifier(asn1buf *buf, krb5_external_principal_identifier *val) { setup(); + val->subjectName.data = NULL; + val->issuerAndSerialNumber.data = NULL; + val->subjectKeyIdentifier.data = NULL; { begin_structure(); opt_implicit_octet_string(val->subjectName.length, val->subjectName.data, 0); 
@@ -1241,17 +1640,49 @@ opt_implicit_octet_string(val->subjectKeyIdentifier.length, val->subjectKeyIdentifier.data, 2); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->subjectName.data); + free(val->issuerAndSerialNumber.data); + free(val->subjectKeyIdentifier.data); + val->subjectName.data = NULL; + val->issuerAndSerialNumber.data = NULL; + val->subjectKeyIdentifier.data = NULL; + return retval; } +asn1_error_code +asn1_decode_external_principal_identifier_ptr + (asn1buf *buf, + krb5_external_principal_identifier **valptr) +{ + decode_ptr(krb5_external_principal_identifier *, + asn1_decode_external_principal_identifier); +} + +static void +free_external_principal_identifier(void *dummy, + krb5_external_principal_identifier *val) +{ + free(val->subjectName.data); + free(val->issuerAndSerialNumber.data); + free(val->subjectKeyIdentifier.data); + free(val); +} + asn1_error_code asn1_decode_sequence_of_external_principal_identifier(asn1buf *buf, krb5_external_principal_identifier ***val) { - decode_array_body(krb5_external_principal_identifier,asn1_decode_external_principal_identifier); + decode_array_body(krb5_external_principal_identifier, + asn1_decode_external_principal_identifier_ptr, + free_external_principal_identifier); } asn1_error_code asn1_decode_pa_pk_as_req(asn1buf *buf, krb5_pa_pk_as_req *val) { setup(); + val->signedAuthPack.data = NULL; + val->trustedCertifiers = NULL; + val->kdcPkId.data = NULL; { begin_structure(); get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0); 
@@ -1259,13 +1690,22 @@ opt_implicit_octet_string(val->kdcPkId.length, val->kdcPkId.data, 2); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->signedAuthPack.data); + free(val->trustedCertifiers); + free(val->kdcPkId.data); + val->signedAuthPack.data = NULL; + val->trustedCertifiers = NULL; + val->kdcPkId.data = NULL; + return retval; } #if 0 /* XXX This needs to be tested!!! XXX */ asn1_error_code asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val) { setup(); + val->choice = choice_trusted_cas_UNKNOWN; { char *start, *end; size_t alloclen; @@ -1275,6 +1715,7 @@ val->choice = choice_trusted_cas_principalName; } else if (t.tagnum == choice_trusted_cas_caName) { val->choice = choice_trusted_cas_caName; + val->u.caName.data = NULL; start = subbuf.next; { sequence_of_no_tagvars(&subbuf); @@ -1285,12 +1726,13 @@ alloclen = end - start; val->u.caName.data = malloc(alloclen); if (val->u.caName.data == NULL) - return ENOMEM; + clean_return(ENOMEM); memcpy(val->u.caName.data, start, alloclen); val->u.caName.length = alloclen; next_tag(); } else if (t.tagnum == choice_trusted_cas_issuerAndSerial) { val->choice = choice_trusted_cas_issuerAndSerial; + val->u.issuerAndSerial.data = NULL; start = subbuf.next; { sequence_of_no_tagvars(&subbuf); 
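Review bot: The `error_out:` path of asn1_decode_pa_pk_as_req releases `val->trustedCertifiers` with a single `free()`, which frees only the pointer array and leaks each element and its three octet strings. This assumes the field is a NULL-terminated array filled by asn1_decode_sequence_of_external_principal_identifier; the decode line sits between hunks and is not visible here. The draft9 sibling in this patch walks its array with free_trusted_ca, and the matching helper free_external_principal_identifier is already defined above this function. The loop needs an `int i;` declared before `setup();`, which is outside this hunk.
```c
error_out:
    free(val->signedAuthPack.data);
    if (val->trustedCertifiers) {
        for (i = 0; val->trustedCertifiers[i]; i++)
            free_external_principal_identifier(NULL, val->trustedCertifiers[i]);
        free(val->trustedCertifiers);
    }
    /* … unchanged: kdcPkId free and the NULL resets … */
```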
@@ -1301,45 +1743,84 @@ alloclen = end - start; val->u.issuerAndSerial.data = malloc(alloclen); if (val->u.issuerAndSerial.data == NULL) - return ENOMEM; + clean_return(ENOMEM); memcpy(val->u.issuerAndSerial.data, start, alloclen); val->u.issuerAndSerial.length = alloclen; next_tag(); - } else return ASN1_BAD_ID; + } else clean_return(ASN1_BAD_ID); end_explicit_choice(); } - cleanup(); + return 0; +error_out: + if (val->choice == choice_trusted_cas_caName) + free(val->u.caName.data); + else if (val->choice == choice_trusted_cas_issuerAndSerial) + free(val->u.issuerAndSerial.data); + val->choice = choice_trusted_cas_UNKNOWN; + return retval; } #else asn1_error_code asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val) { setup(); + val->choice = choice_trusted_cas_UNKNOWN; { begin_choice(); if (tagnum == choice_trusted_cas_principalName) { val->choice = choice_trusted_cas_principalName; + val->u.principalName = NULL; asn1_decode_krb5_principal_name(&subbuf, &(val->u.principalName)); } else if (tagnum == choice_trusted_cas_caName) { val->choice = choice_trusted_cas_caName; + val->u.caName.data = NULL; get_implicit_octet_string(val->u.caName.length, val->u.caName.data, choice_trusted_cas_caName); } else if (tagnum == choice_trusted_cas_issuerAndSerial) { val->choice = choice_trusted_cas_issuerAndSerial; + val->u.issuerAndSerial.data = NULL; get_implicit_octet_string(val->u.issuerAndSerial.length, val->u.issuerAndSerial.data, choice_trusted_cas_issuerAndSerial); - } else return ASN1_BAD_ID; + } else clean_return(ASN1_BAD_ID); end_choice(); } - cleanup(); + return 0; +error_out: + if (val->choice == choice_trusted_cas_caName) + free(val->u.caName.data); + else if (val->choice == choice_trusted_cas_issuerAndSerial) + free(val->u.issuerAndSerial.data); + val->choice = choice_trusted_cas_UNKNOWN; + return retval; } #endif +asn1_error_code +asn1_decode_trusted_ca_ptr(asn1buf *buf, krb5_trusted_ca **valptr) +{ + decode_ptr(krb5_trusted_ca *, asn1_decode_trusted_ca); +} + 
+static void free_trusted_ca(void *dummy, krb5_trusted_ca *val) +{ + if (val->choice == choice_trusted_cas_caName) + free(val->u.caName.data); + else if (val->choice == choice_trusted_cas_issuerAndSerial) + free(val->u.issuerAndSerial.data); + free(val); +} + asn1_error_code asn1_decode_sequence_of_trusted_ca(asn1buf *buf, krb5_trusted_ca ***val) { - decode_array_body(krb5_trusted_ca, asn1_decode_trusted_ca); + decode_array_body(krb5_trusted_ca, asn1_decode_trusted_ca_ptr, + free_trusted_ca); } asn1_error_code asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val) { + int i; setup(); + val->signedAuthPack.data = NULL; + val->kdcCert.data = NULL; + val->encryptionCert.data = NULL; + val->trustedCertifiers = NULL; { begin_structure(); get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0); opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL); 
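Review bot: In the `#else` version of asn1_decode_trusted_ca, the principalName branch now sets `val->u.principalName = NULL;` and then passes its address to asn1_decode_krb5_principal_name. After this patch (hunk `@@ -1466,77 +1996,137 @@`) that function begins with `(*val)->realm.data = NULL;`, so unless `setup()` allocates `*val`, which nothing visible suggests, this is a NULL dereference whenever the input selects that choice. The call's return value is also discarded, and neither this `error_out:` nor free_trusted_ca releases `u.principalName`. I would allocate first with `alloc_principal(val->u.principalName);`, check the call with `if (retval) clean_return(retval);`, and add a `choice_trusted_cas_principalName` case calling `krb5_free_principal(NULL, val->u.principalName);` to both cleanup paths.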
@@ -1347,24 +1828,47 @@ opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_octetstring); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->signedAuthPack.data); + free(val->kdcCert.data); + free(val->encryptionCert.data); + if (val->trustedCertifiers) { + for (i = 0; val->trustedCertifiers[i]; i++) + free_trusted_ca(NULL, val->trustedCertifiers[i]); + free(val->trustedCertifiers); + } + val->signedAuthPack.data = NULL; + val->kdcCert.data = NULL; + val->encryptionCert.data = NULL; + val->trustedCertifiers = NULL; + return retval; } asn1_error_code asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val) { setup(); + val->dhSignedData.data = NULL; + val->serverDHNonce.data = NULL; { begin_structure(); get_implicit_octet_string(val->dhSignedData.length, val->dhSignedData.data, 0); opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1, asn1_decode_octetstring); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->dhSignedData.data); + free(val->serverDHNonce.data); + val->dhSignedData.data = NULL; + val->serverDHNonce.data = NULL; + return retval; } asn1_error_code asn1_decode_pk_authenticator(asn1buf *buf, krb5_pk_authenticator *val) { setup(); + val->paChecksum.contents = NULL; { begin_structure(); get_field(val->cusec, 0, asn1_decode_int32); get_field(val->ctime, 1, asn1_decode_kerberos_time); 
@@ -1372,14 +1876,19 @@ opt_lenfield(val->paChecksum.length, val->paChecksum.contents, 3, asn1_decode_octetstring); end_structure(); } - cleanup(); + return 0; +error_out: + krb5_free_checksum_contents(NULL, &val->paChecksum); + return retval; } asn1_error_code asn1_decode_pk_authenticator_draft9(asn1buf *buf, krb5_pk_authenticator_draft9 *val) { setup(); + val->kdcName = NULL; + val->kdcRealm.data = NULL; { begin_structure(); - alloc_field(val->kdcName,krb5_principal_data); + alloc_principal(val->kdcName); get_field(val->kdcName, 0, asn1_decode_principal_name); get_field(val->kdcName, 1, asn1_decode_realm); get_field(val->cusec, 2, asn1_decode_int32); @@ -1387,19 +1896,24 @@ get_field(val->nonce, 4, asn1_decode_int32); end_structure(); } - cleanup(); + return 0; +error_out: + krb5_free_principal(NULL, val->kdcName); + return retval; } asn1_error_code asn1_decode_algorithm_identifier(asn1buf *buf, krb5_algorithm_identifier *val) { setup(); + val->algorithm.data = NULL; + val->parameters.data = NULL; { begin_structure_no_tag(); /* * Forbid indefinite encoding because we don't read enough tag * information from the trailing octets ("ANY DEFINED BY") to * synchronize EOC tags, etc. */ - if (seqindef) return ASN1_BAD_FORMAT; + if (seqindef) clean_return(ASN1_BAD_FORMAT); /* * Set up tag variables because we don't actually call anything * that fetches tag info for us; it's all buried in the decoder @@ -1412,7 +1926,7 @@ indef = 0; retval = asn1_decode_oid(&subbuf, &val->algorithm.length, &val->algorithm.data); - if (retval) return retval; + if (retval) clean_return(retval); val->parameters.length = 0; val->parameters.data = NULL; 
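Review bot: The `error_out:` path added to asn1_decode_pk_authenticator_draft9 calls `krb5_free_principal(NULL, val->kdcName);` but leaves `val->kdcName` pointing at the freed principal, unlike the other cleanup paths in this patch, which reset what they free. asn1_decode_auth_pack_draft9 (hunk `@@ -1577,18 +2193,33 @@`) runs `free(val->pkAuthenticator.kdcName);` in its own `error_out:`. Assuming `get_field` jumps there when the nested decoder fails, a failure inside the authenticator leads to a second free of the same pointer. Adding `val->kdcName = NULL;` after the free here closes that. In auth_pack_draft9 the plain `free()` should also become `krb5_free_principal(NULL, val->pkAuthenticator.kdcName);` so the principal's components are released when a later field fails.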
@@ -1421,43 +1935,59 @@ unsigned int size = length - (subbuf.next - subbuf.base); retval = asn1buf_remove_octetstring(&subbuf, size, &val->parameters.data); - if (retval) return retval; + if (retval) clean_return(retval); val->parameters.length = size; } end_structure(); } - cleanup(); + return 0; +error_out: + free(val->algorithm.data); + free(val->parameters.data); + val->algorithm.data = NULL; + val->parameters.data = NULL; + return retval; } +asn1_error_code +asn1_decode_algorithm_identifier_ptr(asn1buf *buf, + krb5_algorithm_identifier **valptr) +{ + decode_ptr(krb5_algorithm_identifier *, asn1_decode_algorithm_identifier); +} + asn1_error_code asn1_decode_subject_pk_info(asn1buf *buf, krb5_subject_pk_info *val) { asn1_octet unused; setup(); + val->algorithm.algorithm.data = NULL; + val->algorithm.parameters.data = NULL; + val->subjectPublicKey.data = NULL; { begin_structure_no_tag(); retval = asn1_decode_algorithm_identifier(&subbuf, &val->algorithm); - if (retval) return retval; + if (retval) clean_return(retval); /* SubjectPublicKey encoded as a BIT STRING */ next_tag(); if (asn1class != UNIVERSAL || construction != PRIMITIVE || tagnum != ASN1_BITSTRING) - return ASN1_BAD_ID; + clean_return(ASN1_BAD_ID); retval = asn1buf_remove_octet(&subbuf, &unused); - if (retval) return retval; + if (retval) clean_return(retval); /* Number of unused bits must be between 0 and 7. */ /* What to do if unused is not zero? */ - if (unused > 7) return ASN1_BAD_FORMAT; + if (unused > 7) clean_return(ASN1_BAD_FORMAT); taglen--; val->subjectPublicKey.length = 0; val->subjectPublicKey.data = NULL; retval = asn1buf_remove_octetstring(&subbuf, taglen, &val->subjectPublicKey.data); - if (retval) return retval; + if (retval) clean_return(retval); val->subjectPublicKey.length = taglen; /* * We didn't call any macro that does next_tag(); do so now to 
@@ -1466,77 +1996,137 @@ next_tag(); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->algorithm.algorithm.data); + free(val->algorithm.parameters.data); + free(val->subjectPublicKey.data); + val->algorithm.algorithm.data = NULL; + val->algorithm.parameters.data = NULL; + val->subjectPublicKey.data = NULL; + return 0; } +static void +free_algorithm_identifier(void *dummy, krb5_algorithm_identifier *val) +{ + free(val->algorithm.data); + free(val->parameters.data); + free(val); +} + asn1_error_code asn1_decode_sequence_of_algorithm_identifier(asn1buf *buf, krb5_algorithm_identifier ***val) { - decode_array_body(krb5_algorithm_identifier, asn1_decode_algorithm_identifier); + decode_array_body(krb5_algorithm_identifier, + asn1_decode_algorithm_identifier_ptr, + free_algorithm_identifier); } asn1_error_code asn1_decode_kdc_dh_key_info (asn1buf *buf, krb5_kdc_dh_key_info *val) { setup(); + val->subjectPublicKey.data = NULL; { begin_structure(); retval = asn1buf_remove_octetstring(&subbuf, taglen, &val->subjectPublicKey.data); - if (retval) return retval; + if (retval) clean_return(retval); val->subjectPublicKey.length = taglen; next_tag(); get_field(val->nonce, 1, asn1_decode_int32); opt_field(val->dhKeyExpiration, 2, asn1_decode_kerberos_time, 0); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->subjectPublicKey.data); + val->subjectPublicKey.data = NULL; + return retval; } asn1_error_code asn1_decode_reply_key_pack (asn1buf *buf, krb5_reply_key_pack *val) { setup(); + val->replyKey.contents = NULL; + val->asChecksum.contents = NULL; { begin_structure(); get_field(val->replyKey, 0, asn1_decode_encryption_key); get_field(val->asChecksum, 1, asn1_decode_checksum); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->replyKey.contents); + free(val->asChecksum.contents); + val->replyKey.contents = NULL; + val->asChecksum.contents = NULL; + return retval; } asn1_error_code asn1_decode_reply_key_pack_draft9 (asn1buf *buf, 
krb5_reply_key_pack_draft9 *val) { setup(); + val->replyKey.contents = NULL; { begin_structure(); get_field(val->replyKey, 0, asn1_decode_encryption_key); get_field(val->nonce, 1, asn1_decode_int32); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->replyKey.contents); + val->replyKey.contents = NULL; + return retval; } asn1_error_code asn1_decode_krb5_principal_name (asn1buf *buf, krb5_principal *val) { + int i; setup(); + (*val)->realm.data = NULL; + (*val)->data = NULL; { begin_structure(); get_field(*val, 0, asn1_decode_realm); get_field(*val, 1, asn1_decode_principal_name); end_structure(); } - cleanup(); + return 0; +error_out: + krb5_free_data_contents(NULL, &(*val)->realm); + if ((*val)->data) { + for (i = 0; i < (*val)->length; i++) + krb5_free_data_contents(NULL, &(*val)->data[i]); + free((*val)->data); + } + (*val)->realm.data = NULL; + (*val)->data = NULL; + return retval; } asn1_error_code asn1_decode_auth_pack(asn1buf *buf, krb5_auth_pack *val) { + int i; setup(); + val->clientPublicValue = NULL; + val->pkAuthenticator.paChecksum.contents = NULL; + val->supportedCMSTypes = NULL; + val->clientDHNonce.data = NULL; { begin_structure(); get_field(val->pkAuthenticator, 0, asn1_decode_pk_authenticator); - if (tagnum == 1) { alloc_field(val->clientPublicValue, krb5_subject_pk_info); } + if (tagnum == 1) { + alloc_field(val->clientPublicValue); + val->clientPublicValue->algorithm.algorithm.data = NULL; + val->clientPublicValue->algorithm.parameters.data = NULL; + val->clientPublicValue->subjectPublicKey.data = NULL; + } /* can't call opt_field because it does decoder(&subbuf, &(val)); */ if (asn1buf_remains(&subbuf, seqindef)) { if ((asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) && (tagnum || taglen || asn1class != UNIVERSAL)) - return ASN1_BAD_ID; + clean_return(ASN1_BAD_ID); if (tagnum == 1) { retval = asn1_decode_subject_pk_info(&subbuf, val->clientPublicValue); + if (retval) clean_return(retval); if (!taglen && indef) { 
get_eoc(); } next_tag(); } else val->clientPublicValue = NULL; @@ -1544,7 +2134,8 @@ /* can't call opt_field because it does decoder(&subbuf, &(val)); */ if (asn1buf_remains(&subbuf, seqindef)) { if (tagnum == 2) { - asn1_decode_sequence_of_algorithm_identifier(&subbuf, &val->supportedCMSTypes); + retval = asn1_decode_sequence_of_algorithm_identifier(&subbuf, &val->supportedCMSTypes); + if (retval) clean_return(retval); if (!taglen && indef) { get_eoc(); } next_tag(); } else val->supportedCMSTypes = NULL; 
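Review bot: asn1_decode_reply_key_pack and asn1_decode_reply_key_pack_draft9 release the decoded reply key on `error_out:` with `free(val->replyKey.contents);`. asn1_decode_enc_sam_key in this same patch instead uses `krb5_free_keyblock_contents(NULL, &val->sam_key);` for a field filled by the same asn1_decode_encryption_key. If that helper scrubs key bytes before releasing them (worth confirming in its definition), the plain `free()` leaves reply-key material in freed heap memory. I would use `krb5_free_keyblock_contents(NULL, &val->replyKey);` in both functions and `krb5_free_checksum_contents(NULL, &val->asChecksum);` for the checksum, matching asn1_decode_pa_for_user.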
@@ -1552,24 +2143,49 @@ opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_octetstring); end_structure(); } - cleanup(); + return 0; +error_out: + if (val->clientPublicValue) { + free(val->clientPublicValue->algorithm.algorithm.data); + free(val->clientPublicValue->algorithm.parameters.data); + free(val->clientPublicValue->subjectPublicKey.data); + free(val->clientPublicValue); + } + free(val->pkAuthenticator.paChecksum.contents); + if (val->supportedCMSTypes) { + for (i = 0; val->supportedCMSTypes[i]; i++) + free_algorithm_identifier(NULL, val->supportedCMSTypes[i]); + free(val->supportedCMSTypes); + } + free(val->clientDHNonce.data); + val->clientPublicValue = NULL; + val->pkAuthenticator.paChecksum.contents = NULL; + val->supportedCMSTypes = NULL; + val->clientDHNonce.data = NULL; + return retval; } asn1_error_code asn1_decode_auth_pack_draft9(asn1buf *buf, krb5_auth_pack_draft9 *val) { setup(); + val->pkAuthenticator.kdcName = NULL; + val->clientPublicValue = NULL; { begin_structure(); get_field(val->pkAuthenticator, 0, asn1_decode_pk_authenticator_draft9); if (tagnum == 1) { - alloc_field(val->clientPublicValue, krb5_subject_pk_info); + alloc_field(val->clientPublicValue); + val->clientPublicValue->algorithm.algorithm.data = NULL; + val->clientPublicValue->algorithm.parameters.data = NULL; + val->clientPublicValue->subjectPublicKey.data = NULL; /* can't call opt_field because it does decoder(&subbuf, &(val)); */ if (asn1buf_remains(&subbuf, seqindef)) { if ((asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) && (tagnum || taglen || asn1class != UNIVERSAL)) - return ASN1_BAD_ID; + clean_return(ASN1_BAD_ID); if (tagnum == 1) { retval = asn1_decode_subject_pk_info(&subbuf, val->clientPublicValue); + if (retval) clean_return(retval); if (!taglen && indef) { get_eoc(); } next_tag(); } else val->clientPublicValue = NULL; 
@@ -1577,18 +2193,33 @@ } end_structure(); } - cleanup(); + return 0; +error_out: + free(val->pkAuthenticator.kdcName); + if (val->clientPublicValue) { + free(val->clientPublicValue->algorithm.algorithm.data); + free(val->clientPublicValue->algorithm.parameters.data); + free(val->clientPublicValue->subjectPublicKey.data); + free(val->clientPublicValue); + } + val->pkAuthenticator.kdcName = NULL; + val->clientPublicValue = NULL; + return retval; } asn1_error_code asn1_decode_pa_pk_as_rep(asn1buf *buf, krb5_pa_pk_as_rep *val) { setup(); + val->choice = choice_pa_pk_as_rep_UNKNOWN; { begin_choice(); if (tagnum == choice_pa_pk_as_rep_dhInfo) { val->choice = choice_pa_pk_as_rep_dhInfo; + val->u.dh_Info.dhSignedData.data = NULL; + val->u.dh_Info.serverDHNonce.data = NULL; get_field_body(val->u.dh_Info, asn1_decode_dh_rep_info); } else if (tagnum == choice_pa_pk_as_rep_encKeyPack) { val->choice = choice_pa_pk_as_rep_encKeyPack; + val->u.encKeyPack.data = NULL; get_implicit_octet_string(val->u.encKeyPack.length, val->u.encKeyPack.data, choice_pa_pk_as_rep_encKeyPack); } else { 
@@ -1596,19 +2227,31 @@ } end_choice(); } - cleanup(); + return 0; +error_out: + if (val->choice == choice_pa_pk_as_rep_dhInfo) { + free(val->u.dh_Info.dhSignedData.data); + free(val->u.dh_Info.serverDHNonce.data); + } else if (val->choice == choice_pa_pk_as_rep_encKeyPack) { + free(val->u.encKeyPack.data); + } + val->choice = choice_pa_pk_as_rep_UNKNOWN; + return retval; } asn1_error_code asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, krb5_pa_pk_as_rep_draft9 *val) { setup(); + val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; { begin_structure(); if (tagnum == choice_pa_pk_as_rep_draft9_dhSignedData) { val->choice = choice_pa_pk_as_rep_draft9_dhSignedData; + val->u.dhSignedData.data = NULL; get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data, choice_pa_pk_as_rep_draft9_dhSignedData, asn1_decode_octetstring); } else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) { val->choice = choice_pa_pk_as_rep_draft9_encKeyPack; + val->u.encKeyPack.data = NULL; get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data, choice_pa_pk_as_rep_draft9_encKeyPack, asn1_decode_octetstring); } else { 
@@ -1616,22 +2259,47 @@ } end_structure(); } - cleanup(); + return 0; +error_out: + if (val->choice == choice_pa_pk_as_rep_draft9_dhSignedData) + free(val->u.dhSignedData.data); + else if (val->choice == choice_pa_pk_as_rep_draft9_encKeyPack) + free(val->u.encKeyPack.data); + val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; + return retval; } +static void free_typed_data(void *dummy, krb5_typed_data *val) +{ + free(val->data); + free(val); +} + asn1_error_code asn1_decode_sequence_of_typed_data(asn1buf *buf, krb5_typed_data ***val) { - decode_array_body(krb5_typed_data,asn1_decode_typed_data); + decode_array_body(krb5_typed_data,asn1_decode_typed_data_ptr, + free_typed_data); } asn1_error_code asn1_decode_typed_data(asn1buf *buf, krb5_typed_data *val) { setup(); + val->data = NULL; { begin_structure(); get_field(val->type,0,asn1_decode_int32); get_lenfield(val->length,val->data,1,asn1_decode_octetstring); end_structure(); } - cleanup(); + return 0; +error_out: + free(val->data); + val->data = NULL; + return retval; } + +asn1_error_code +asn1_decode_typed_data_ptr(asn1buf *buf, krb5_typed_data **valptr) +{ + decode_ptr(krb5_typed_data *, asn1_decode_typed_data); +} #endif /* DISABLE_PKINIT */ Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h 2009-04-13 20:26:35 UTC (rev 22207) 
@@ -104,8 +104,12 @@ (asn1buf *buf, krb5_principal *val); asn1_error_code asn1_decode_checksum (asn1buf *buf, krb5_checksum *val); +asn1_error_code asn1_decode_checksum_ptr + (asn1buf *buf, krb5_checksum **valptr); asn1_error_code asn1_decode_encryption_key (asn1buf *buf, krb5_keyblock *val); +asn1_error_code asn1_decode_encryption_key_ptr + (asn1buf *buf, krb5_keyblock **valptr); asn1_error_code asn1_decode_encrypted_data (asn1buf *buf, krb5_enc_data *val); asn1_error_code asn1_decode_ticket_flags @@ -122,6 +126,8 @@ (asn1buf *buf, krb5_flags *val); asn1_error_code asn1_decode_ticket (asn1buf *buf, krb5_ticket *val); +asn1_error_code asn1_decode_ticket_ptr + (asn1buf *buf, krb5_ticket **valptr); asn1_error_code asn1_decode_kdc_req (asn1buf *buf, krb5_kdc_req *val); asn1_error_code asn1_decode_kdc_req_body 
@@ -130,18 +136,30 @@ (asn1buf *buf, krb5_safe *val); asn1_error_code asn1_decode_host_address (asn1buf *buf, krb5_address *val); +asn1_error_code asn1_decode_host_address_ptr + (asn1buf *buf, krb5_address **valptr); asn1_error_code asn1_decode_kdc_rep (asn1buf *buf, krb5_kdc_rep *val); asn1_error_code asn1_decode_last_req_entry (asn1buf *buf, krb5_last_req_entry *val); +asn1_error_code asn1_decode_last_req_entry_ptr + (asn1buf *buf, krb5_last_req_entry **valptr); asn1_error_code asn1_decode_authdata_elt (asn1buf *buf, krb5_authdata *val); +asn1_error_code asn1_decode_authdata_elt_ptr + (asn1buf *buf, krb5_authdata **valptr); asn1_error_code asn1_decode_krb_cred_info (asn1buf *buf, krb5_cred_info *val); +asn1_error_code asn1_decode_krb_cred_info_ptr + (asn1buf *buf, krb5_cred_info **valptr); asn1_error_code asn1_decode_pa_data (asn1buf *buf, krb5_pa_data *val); +asn1_error_code asn1_decode_pa_data_ptr + (asn1buf *buf, krb5_pa_data **valptr); asn1_error_code asn1_decode_passwdsequence (asn1buf *buf, passwd_phrase_element *val); +asn1_error_code asn1_decode_passwdsequence_ptr + (asn1buf *buf, passwd_phrase_element **valptr); asn1_error_code asn1_decode_sam_challenge (asn1buf *buf, krb5_sam_challenge *val); asn1_error_code asn1_decode_sam_challenge_2 @@ -162,10 +180,14 @@ (asn1buf *buf, krb5_predicted_sam_response *val); asn1_error_code asn1_decode_external_principal_identifier (asn1buf *buf, krb5_external_principal_identifier *val); +asn1_error_code asn1_decode_external_principal_identifier_ptr + (asn1buf *buf, krb5_external_principal_identifier **valptr); asn1_error_code asn1_decode_pa_pk_as_req (asn1buf *buf, krb5_pa_pk_as_req *val); asn1_error_code asn1_decode_trusted_ca (asn1buf *buf, krb5_trusted_ca *val); +asn1_error_code asn1_decode_trusted_ca_ptr + (asn1buf *buf, krb5_trusted_ca **valptr); asn1_error_code asn1_decode_pa_pk_as_req_draft9 (asn1buf *buf, krb5_pa_pk_as_req_draft9 *val); asn1_error_code asn1_decode_dh_rep_info 
@@ -178,6 +200,8 @@ (asn1buf *buf, krb5_subject_pk_info *val); asn1_error_code asn1_decode_algorithm_identifier (asn1buf *buf, krb5_algorithm_identifier *val); +asn1_error_code asn1_decode_algorithm_identifier_ptr + (asn1buf *buf, krb5_algorithm_identifier **valptr); asn1_error_code asn1_decode_auth_pack (asn1buf *buf, krb5_auth_pack *val); asn1_error_code asn1_decode_auth_pack_draft9 @@ -198,6 +222,8 @@ (asn1buf *buf, krb5_typed_data ***val); asn1_error_code asn1_decode_typed_data (asn1buf *buf, krb5_typed_data *val); +asn1_error_code asn1_decode_typed_data_ptr + (asn1buf *buf, krb5_typed_data **valptr); /* arrays */ asn1_error_code asn1_decode_authorization_data Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-13 20:26:35 UTC (rev 22207) @@ -1304,12 +1304,10 @@ { unsigned int length; \ retval = encoder(buf,len,value,&length); \ if (retval) {\ - asn1buf_destroy(&buf);\ return retval; }\ sum += length;\ retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\ if (retval) {\ - asn1buf_destroy(&buf);\ return retval; }\ sum += length; } @@ -1402,10 +1400,8 @@ if (val->parameters.length != 0) { retval = asn1buf_insert_octetstring(buf, val->parameters.length, val->parameters.data); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += val->parameters.length; } @@ -1415,10 +1411,8 @@ val->algorithm.data, &length); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += length; } 
@@ -1440,20 +1434,16 @@ retval = asn1buf_insert_octetstring(buf, val->algorithm.parameters.length, val->algorithm.parameters.data); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += val->algorithm.parameters.length; retval = asn1_encode_oid(buf, val->algorithm.algorithm.length, val->algorithm.algorithm.data, &length); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += length; @@ -1461,10 +1451,8 @@ val->algorithm.parameters.length + length, &length); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += length; } @@ -1661,10 +1649,8 @@ retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0, val->subjectPublicKey.length + 1 + length, &length); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } sum += length; } @@ -1738,10 +1724,8 @@ { unsigned int length; retval = asn1_encode_sequence_of_external_principal_identifier(buf, val, &length); - if (retval) { - asn1buf_destroy(&buf); + if (retval) return retval; - } /* length set but ignored? sum not updated? */ } asn1_cleanup(); Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c 2009-04-13 20:26:35 UTC (rev 22207) @@ -154,14 +154,13 @@ return 0; } -asn1_error_code asn1buf_destroy(asn1buf **buf) +void asn1buf_destroy(asn1buf **buf) { if (*buf != NULL) { free((*buf)->base); free(*buf); *buf = NULL; } - return 0; } #ifdef asn1buf_insert_octet 
@@ -254,21 +253,24 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code) { unsigned int i; - *code = (krb5_data*)calloc(1,sizeof(krb5_data)); - if (*code == NULL) return ENOMEM; - (*code)->magic = KV5M_DATA; - (*code)->data = NULL; - (*code)->length = 0; - (*code)->length = asn1buf_len(buf); - (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); - if ((*code)->data == NULL) { - free(*code); - *code = NULL; + krb5_data *d; + + *code = NULL; + + d = calloc(1, sizeof(krb5_data)); + if (d == NULL) return ENOMEM; + d->length = asn1buf_len(buf); + d->data = malloc(d->length + 1); + if (d->data == NULL) { + free(d); + return ENOMEM; } - for (i=0; i < (*code)->length; i++) - ((*code)->data)[i] = (buf->base)[((*code)->length)-i-1]; - ((*code)->data)[(*code)->length] = '\0'; + for (i=0; i < d->length; i++) + d->data[i] = buf->base[d->length - i - 1]; + d->data[d->length] = '\0'; + d->magic = KV5M_DATA; + *code = d; return 0; } Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.h =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.h 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.h 2009-04-13 20:26:35 UTC (rev 22207) @@ -129,7 +129,7 @@ constructed indefinite sequence. effects skips trailing fields. */ -asn1_error_code asn1buf_destroy +void asn1buf_destroy (asn1buf **buf); /* effects Deallocates **buf, sets *buf to NULL. */ Modified: branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-13 20:26:35 UTC (rev 22207) 
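Review bot: In asn12krb5_buf the allocation size `d->length + 1` is computed without a bound check, so if asn1buf_len() can return the maximum value of the length type, the sum wraps to 0 and both the copy loop and the trailing `'\0'` store write past the allocation. The types are declared outside this hunk, so this is hedged; a guard such as `if (d->length + 1 == 0) { free(d); return ENOMEM; }` before the malloc would close it. As a smaller style point, `d = calloc(1, sizeof(*d));` would match the `sizeof(*var)` form this commit introduces in alloc_field.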
@@ -35,34 +35,45 @@ /* set up variables */ /* the setup* macros can return, but are always used at function start and thus need no malloc cleanup */ -#define setup_buf_only()\ +#define setup_buf_only(type)\ asn1_error_code retval;\ asn1buf buf;\ +type rep = NULL;\ \ +*repptr = NULL;\ retval = asn1buf_wrap_data(&buf,code);\ if (retval) return retval -#define setup_no_tagnum()\ +#define setup_no_tagnum(type)\ asn1_class asn1class;\ asn1_construction construction;\ -setup_buf_only() +setup_buf_only(type) -#define setup_no_length()\ +#define setup_no_length(type)\ asn1_tagnum tagnum;\ -setup_no_tagnum() +setup_no_tagnum(type) -#define setup()\ +#define setup(type)\ unsigned int length;\ -setup_no_length() +setup_no_length(type) /* helper macros for cleanup */ #define clean_return(val) { retval = val; goto error_out; } /* alloc_field is the first thing to allocate storage that may need cleanup */ -#define alloc_field(var,type)\ -var = (type*)calloc(1,sizeof(type));\ +#define alloc_field(var)\ +var = calloc(1,sizeof(*var));\ if ((var) == NULL) clean_return(ENOMEM) +/* + * Allocate a principal and initialize enough fields for + * krb5_free_principal to have defined behavior. + */ +#define alloc_principal(var) \ + alloc_field(var); \ + var->realm.data = NULL; \ + var->data = NULL + /* process encoding header ***************************************/ /* decode tag and check that it == [APPLICATION tagnum] */ #define check_apptag(tagexpect) \ @@ -111,7 +122,7 @@ #define get_eoc() \ { \ retval = asn1_get_eoc_tag(&subbuf); \ - if (retval) return retval; \ + if (retval) clean_return(retval); \ } /* decode sequence header and initialize tagnum with the first field */ 
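Review bot: The rewritten setup_buf_only(type) reads `code` and writes `*repptr` by name, so every decoder using the setup* macros must name its parameters exactly that, but the comment above the macros still only says they can return early. I would extend that comment with `/* setup*(type) declares "type rep = NULL" and clears *repptr; the enclosing function must name its input "code" and its output "repptr", and repptr must be non-null. */`. Separately, alloc_principal expands to three bare statements, so it is only safe where a full statement list is allowed; an unbraced `if` around it would guard only the allocation.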
@@ -196,79 +207,76 @@ /* finish up */ /* to make things less painful, assume the cleanup is passed rep */ #define cleanup(cleanup_routine)\ + *repptr = rep; \ return 0; \ error_out: \ - if (rep && *rep) { \ - cleanup_routine(*rep); \ - *rep = NULL; \ - } \ + if (rep) \ + cleanup_routine(rep); \ return retval; #define cleanup_none()\ + *repptr = rep; \ return 0; \ error_out: \ return retval; #define cleanup_manual()\ + *repptr = rep; \ return 0; #define free_field(rep,f) free((rep)->f) -#define clear_field(rep,f) (*(rep))->f = 0 +#define clear_field(rep,f) (rep)->f = 0 #ifndef LEAN_CLIENT -krb5_error_code decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep) +krb5_error_code +decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **repptr) { - setup(); - alloc_field(*rep,krb5_authenticator); + setup(krb5_authenticator *); + alloc_field(rep); clear_field(rep,subkey); clear_field(rep,checksum); clear_field(rep,client); + clear_field(rep,authorization_data); check_apptag(2); { begin_structure(); { krb5_kvno kvno; get_field(kvno,0,asn1_decode_kvno); if (kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } - alloc_field((*rep)->client,krb5_principal_data); - get_field((*rep)->client,1,asn1_decode_realm); - get_field((*rep)->client,2,asn1_decode_principal_name); - if (tagnum == 3) { - alloc_field((*rep)->checksum,krb5_checksum); - get_field(*((*rep)->checksum),3,asn1_decode_checksum); } - get_field((*rep)->cusec,4,asn1_decode_int32); - get_field((*rep)->ctime,5,asn1_decode_kerberos_time); - if (tagnum == 6) { alloc_field((*rep)->subkey,krb5_keyblock); } - opt_field(*((*rep)->subkey),6,asn1_decode_encryption_key); - opt_field((*rep)->seq_number,7,asn1_decode_seqnum); - opt_field((*rep)->authorization_data,8,asn1_decode_authorization_data); - (*rep)->magic = KV5M_AUTHENTICATOR; + alloc_principal(rep->client); + get_field(rep->client,1,asn1_decode_realm); + get_field(rep->client,2,asn1_decode_principal_name); + 
opt_field(rep->checksum,3,asn1_decode_checksum_ptr); + get_field(rep->cusec,4,asn1_decode_int32); + get_field(rep->ctime,5,asn1_decode_kerberos_time); + opt_field(rep->subkey,6,asn1_decode_encryption_key_ptr); + opt_field(rep->seq_number,7,asn1_decode_seqnum); + opt_field(rep->authorization_data,8,asn1_decode_authorization_data); + rep->magic = KV5M_AUTHENTICATOR; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,subkey); - free_field(*rep,checksum); - free_field(*rep,client); - free(*rep); - *rep = NULL; - } + krb5_free_authenticator(NULL, rep); return retval; } #endif krb5_error_code KRB5_CALLCONV -krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep) +krb5_decode_ticket(const krb5_data *code, krb5_ticket **repptr) { - return decode_krb5_ticket(code, rep); + return decode_krb5_ticket(code, repptr); } -krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep) +krb5_error_code +decode_krb5_ticket(const krb5_data *code, krb5_ticket **repptr) { - setup(); - alloc_field(*rep,krb5_ticket); + setup(krb5_ticket *); + alloc_field(rep); clear_field(rep,server); + clear_field(rep,enc_part.ciphertext.data); + clear_field(rep,enc_part2); check_apptag(1); { begin_structure(); 
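Review bot: The hand-written error_out blocks, starting with decode_krb5_authenticator here, call `krb5_free_authenticator(NULL, rep);` unconditionally, while the cleanup() macro rewritten in this same hunk guards with `if (rep)`. error_out is reachable with rep still NULL when alloc_field fails with ENOMEM, so each of these paths is only safe if the corresponding krb5_free_* routine accepts a NULL pointer, which is defined outside this diff. The same applies to the other converted decoders in the later hunks (decode_krb5_ticket, decode_krb5_encryption_key, decode_krb5_enc_tkt_part and so on), and most sharply to decode_krb5_enc_cred_part, whose own comment says krb5_free_cred_enc_part frees contents only. Either confirm the NULL tolerance or write `if (rep) krb5_free_authenticator(NULL, rep);` to match the macro. decode_krb5_ticket's body continues into the next hunk.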
@@ -276,131 +284,152 @@ get_field(kvno,0,asn1_decode_kvno); if (kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } - alloc_field((*rep)->server,krb5_principal_data); - get_field((*rep)->server,1,asn1_decode_realm); - get_field((*rep)->server,2,asn1_decode_principal_name); - get_field((*rep)->enc_part,3,asn1_decode_encrypted_data); - (*rep)->magic = KV5M_TICKET; + alloc_principal(rep->server); + get_field(rep->server,1,asn1_decode_realm); + get_field(rep->server,2,asn1_decode_principal_name); + get_field(rep->enc_part,3,asn1_decode_encrypted_data); + rep->magic = KV5M_TICKET; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,server); - free(*rep); - *rep = NULL; - } + krb5_free_ticket(NULL, rep); return retval; } -krb5_error_code decode_krb5_encryption_key(const krb5_data *code, krb5_keyblock **rep) +krb5_error_code +decode_krb5_encryption_key(const krb5_data *code, krb5_keyblock **repptr) { - setup(); - alloc_field(*rep,krb5_keyblock); + setup(krb5_keyblock *); + alloc_field(rep); + clear_field(rep,contents); { begin_structure(); - get_field((*rep)->enctype,0,asn1_decode_enctype); - get_lenfield((*rep)->length,(*rep)->contents,1,asn1_decode_octetstring); + get_field(rep->enctype,0,asn1_decode_enctype); + get_lenfield(rep->length,rep->contents,1,asn1_decode_octetstring); end_structure(); - (*rep)->magic = KV5M_KEYBLOCK; + rep->magic = KV5M_KEYBLOCK; } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_keyblock(NULL, rep); + return retval; } -krb5_error_code decode_krb5_enc_tkt_part(const krb5_data *code, krb5_enc_tkt_part **rep) +krb5_error_code +decode_krb5_enc_tkt_part(const krb5_data *code, krb5_enc_tkt_part **repptr) { - setup(); - alloc_field(*rep,krb5_enc_tkt_part); + setup(krb5_enc_tkt_part *); + alloc_field(rep); clear_field(rep,session); clear_field(rep,client); + clear_field(rep,transited.tr_contents.data); + clear_field(rep,caddrs); + clear_field(rep,authorization_data); check_apptag(3); { begin_structure(); 
- get_field((*rep)->flags,0,asn1_decode_ticket_flags); - alloc_field((*rep)->session,krb5_keyblock); - get_field(*((*rep)->session),1,asn1_decode_encryption_key); - alloc_field((*rep)->client,krb5_principal_data); - get_field((*rep)->client,2,asn1_decode_realm); - get_field((*rep)->client,3,asn1_decode_principal_name); - get_field((*rep)->transited,4,asn1_decode_transited_encoding); - get_field((*rep)->times.authtime,5,asn1_decode_kerberos_time); + get_field(rep->flags,0,asn1_decode_ticket_flags); + get_field(rep->session,1,asn1_decode_encryption_key_ptr); + alloc_principal(rep->client); + get_field(rep->client,2,asn1_decode_realm); + get_field(rep->client,3,asn1_decode_principal_name); + get_field(rep->transited,4,asn1_decode_transited_encoding); + get_field(rep->times.authtime,5,asn1_decode_kerberos_time); if (tagnum == 6) - { get_field((*rep)->times.starttime,6,asn1_decode_kerberos_time); } + { get_field(rep->times.starttime,6,asn1_decode_kerberos_time); } else - (*rep)->times.starttime=(*rep)->times.authtime; - get_field((*rep)->times.endtime,7,asn1_decode_kerberos_time); - opt_field((*rep)->times.renew_till,8,asn1_decode_kerberos_time); - opt_field((*rep)->caddrs,9,asn1_decode_host_addresses); - opt_field((*rep)->authorization_data,10,asn1_decode_authorization_data); - (*rep)->magic = KV5M_ENC_TKT_PART; + rep->times.starttime=rep->times.authtime; + get_field(rep->times.endtime,7,asn1_decode_kerberos_time); + opt_field(rep->times.renew_till,8,asn1_decode_kerberos_time); + opt_field(rep->caddrs,9,asn1_decode_host_addresses); + opt_field(rep->authorization_data,10,asn1_decode_authorization_data); + rep->magic = KV5M_ENC_TKT_PART; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,session); - free_field(*rep,client); - free(*rep); - *rep = NULL; - } + krb5_free_enc_tkt_part(NULL, rep); return retval; } -krb5_error_code decode_krb5_enc_kdc_rep_part(const krb5_data *code, krb5_enc_kdc_rep_part **rep) +krb5_error_code 
+decode_krb5_enc_kdc_rep_part(const krb5_data *code, + krb5_enc_kdc_rep_part **repptr) { taginfo t4; - setup_buf_only(); - alloc_field(*rep,krb5_enc_kdc_rep_part); + setup_buf_only(krb5_enc_kdc_rep_part *); + alloc_field(rep); retval = asn1_get_tag_2(&buf, &t4); if (retval) clean_return(retval); if (t4.asn1class != APPLICATION || t4.construction != CONSTRUCTED) clean_return(ASN1_BAD_ID); - if (t4.tagnum == 25) (*rep)->msg_type = KRB5_AS_REP; - else if (t4.tagnum == 26) (*rep)->msg_type = KRB5_TGS_REP; + if (t4.tagnum == 25) rep->msg_type = KRB5_AS_REP; + else if (t4.tagnum == 26) rep->msg_type = KRB5_TGS_REP; else clean_return(KRB5_BADMSGTYPE); - retval = asn1_decode_enc_kdc_rep_part(&buf,*rep); + retval = asn1_decode_enc_kdc_rep_part(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_as_rep(const krb5_data *code, krb5_kdc_rep **rep) +krb5_error_code +decode_krb5_as_rep(const krb5_data *code, krb5_kdc_rep **repptr) { - setup_no_length(); - alloc_field(*rep,krb5_kdc_rep); + setup_no_length(krb5_kdc_rep *); + alloc_field(rep); + clear_field(rep,padata); + clear_field(rep,client); + clear_field(rep,ticket); + clear_field(rep,enc_part.ciphertext.data); + clear_field(rep,enc_part2); check_apptag(11); - retval = asn1_decode_kdc_rep(&buf,*rep); + retval = asn1_decode_kdc_rep(&buf,rep); if (retval) clean_return(retval); #ifdef KRB5_MSGTYPE_STRICT - if ((*rep)->msg_type != KRB5_AS_REP) + if (rep->msg_type != KRB5_AS_REP) clean_return(KRB5_BADMSGTYPE); #endif - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_kdc_rep(NULL, rep); + return retval; } -krb5_error_code decode_krb5_tgs_rep(const krb5_data *code, krb5_kdc_rep **rep) +krb5_error_code +decode_krb5_tgs_rep(const krb5_data *code, krb5_kdc_rep **repptr) { - setup_no_length(); - alloc_field(*rep,krb5_kdc_rep); + setup_no_length(krb5_kdc_rep *); + alloc_field(rep); + clear_field(rep,padata); + clear_field(rep,client); + clear_field(rep,ticket); + 
clear_field(rep,enc_part.ciphertext.data); + clear_field(rep,enc_part2); check_apptag(13); - retval = asn1_decode_kdc_rep(&buf,*rep); + retval = asn1_decode_kdc_rep(&buf,rep); if (retval) clean_return(retval); #ifdef KRB5_MSGTYPE_STRICT - if ((*rep)->msg_type != KRB5_TGS_REP) clean_return(KRB5_BADMSGTYPE); + if (rep->msg_type != KRB5_TGS_REP) clean_return(KRB5_BADMSGTYPE); #endif - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_kdc_rep(NULL, rep); + return retval; } -krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep) +krb5_error_code +decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **repptr) { - setup(); - alloc_field(*rep,krb5_ap_req); + setup(krb5_ap_req *); + alloc_field(rep); clear_field(rep,ticket); + clear_field(rep,authenticator.ciphertext.data); check_apptag(14); { begin_structure(); @@ -413,27 +442,24 @@ if (msg_type != KRB5_AP_REQ) clean_return(KRB5_BADMSGTYPE); #endif } - get_field((*rep)->ap_options,2,asn1_decode_ap_options); - alloc_field((*rep)->ticket,krb5_ticket); - get_field(*((*rep)->ticket),3,asn1_decode_ticket); - get_field((*rep)->authenticator,4,asn1_decode_encrypted_data); + get_field(rep->ap_options,2,asn1_decode_ap_options); + get_field(rep->ticket,3,asn1_decode_ticket_ptr); + get_field(rep->authenticator,4,asn1_decode_encrypted_data); end_structure(); - (*rep)->magic = KV5M_AP_REQ; + rep->magic = KV5M_AP_REQ; } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,ticket); - free(*rep); - *rep = NULL; - } + krb5_free_ap_req(NULL, rep); return retval; } -krb5_error_code decode_krb5_ap_rep(const krb5_data *code, krb5_ap_rep **rep) +krb5_error_code +decode_krb5_ap_rep(const krb5_data *code, krb5_ap_rep **repptr) { - setup(); - alloc_field(*rep,krb5_ap_rep); + setup(krb5_ap_rep *); + alloc_field(rep); + clear_field(rep,enc_part.ciphertext.data); check_apptag(15); { begin_structure(); 
@@ -446,75 +472,100 @@ if (msg_type != KRB5_AP_REP) clean_return(KRB5_BADMSGTYPE); #endif } - get_field((*rep)->enc_part,2,asn1_decode_encrypted_data); + get_field(rep->enc_part,2,asn1_decode_encrypted_data); end_structure(); - (*rep)->magic = KV5M_AP_REP; + rep->magic = KV5M_AP_REP; } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_ap_rep(NULL, rep); + return retval; } -krb5_error_code decode_krb5_ap_rep_enc_part(const krb5_data *code, krb5_ap_rep_enc_part **rep) +krb5_error_code +decode_krb5_ap_rep_enc_part(const krb5_data *code, + krb5_ap_rep_enc_part **repptr) { - setup(); - alloc_field(*rep,krb5_ap_rep_enc_part); + setup(krb5_ap_rep_enc_part *); + alloc_field(rep); clear_field(rep,subkey); check_apptag(27); { begin_structure(); - get_field((*rep)->ctime,0,asn1_decode_kerberos_time); - get_field((*rep)->cusec,1,asn1_decode_int32); - if (tagnum == 2) { alloc_field((*rep)->subkey,krb5_keyblock); } - opt_field(*((*rep)->subkey),2,asn1_decode_encryption_key); - opt_field((*rep)->seq_number,3,asn1_decode_seqnum); + get_field(rep->ctime,0,asn1_decode_kerberos_time); + get_field(rep->cusec,1,asn1_decode_int32); + opt_field(rep->subkey,2,asn1_decode_encryption_key_ptr); + opt_field(rep->seq_number,3,asn1_decode_seqnum); end_structure(); - (*rep)->magic = KV5M_AP_REP_ENC_PART; + rep->magic = KV5M_AP_REP_ENC_PART; } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,subkey); - free(*rep); - *rep = NULL; - } + krb5_free_ap_rep_enc_part(NULL, rep); return retval; } -krb5_error_code decode_krb5_as_req(const krb5_data *code, krb5_kdc_req **rep) +krb5_error_code +decode_krb5_as_req(const krb5_data *code, krb5_kdc_req **repptr) { - setup_no_length(); - alloc_field(*rep,krb5_kdc_req); + setup_no_length(krb5_kdc_req *); + alloc_field(rep); + clear_field(rep,padata); + clear_field(rep,client); + clear_field(rep,server); + clear_field(rep,ktype); + clear_field(rep,addresses); + clear_field(rep,authorization_data.ciphertext.data); + 
clear_field(rep,unenc_authdata); + clear_field(rep,second_ticket); check_apptag(10); - retval = asn1_decode_kdc_req(&buf,*rep); + retval = asn1_decode_kdc_req(&buf,rep); if (retval) clean_return(retval); #ifdef KRB5_MSGTYPE_STRICT - if ((*rep)->msg_type != KRB5_AS_REQ) clean_return(KRB5_BADMSGTYPE); + if (rep->msg_type != KRB5_AS_REQ) clean_return(KRB5_BADMSGTYPE); #endif - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_kdc_req(NULL, rep); + return retval; } -krb5_error_code decode_krb5_tgs_req(const krb5_data *code, krb5_kdc_req **rep) +krb5_error_code +decode_krb5_tgs_req(const krb5_data *code, krb5_kdc_req **repptr) { - setup_no_length(); - alloc_field(*rep,krb5_kdc_req); + setup_no_length(krb5_kdc_req *); + alloc_field(rep); + clear_field(rep,padata); + clear_field(rep,client); + clear_field(rep,server); + clear_field(rep,ktype); + clear_field(rep,addresses); + clear_field(rep,authorization_data.ciphertext.data); + clear_field(rep,unenc_authdata); + clear_field(rep,second_ticket); check_apptag(12); - retval = asn1_decode_kdc_req(&buf,*rep); + retval = asn1_decode_kdc_req(&buf,rep); if (retval) clean_return(retval); #ifdef KRB5_MSGTYPE_STRICT - if ((*rep)->msg_type != KRB5_TGS_REQ) clean_return(KRB5_BADMSGTYPE); + if (rep->msg_type != KRB5_TGS_REQ) clean_return(KRB5_BADMSGTYPE); #endif - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_kdc_req(NULL, rep); + return retval; } -krb5_error_code decode_krb5_kdc_req_body(const krb5_data *code, krb5_kdc_req **rep) +krb5_error_code +decode_krb5_kdc_req_body(const krb5_data *code, krb5_kdc_req **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_kdc_req); + setup_buf_only(krb5_kdc_req *); + alloc_field(rep); - retval = asn1_decode_kdc_req_body(&buf,*rep); + retval = asn1_decode_kdc_req_body(&buf,rep); if (retval) clean_return(retval); cleanup(free); 
@@ -534,14 +585,16 @@ * This does *not* perform any copying; the returned pointer to the * encoded KRB-SAFE-BODY points into the input buffer. */ -krb5_error_code decode_krb5_safe_with_body( - const krb5_data *code, - krb5_safe **rep, - krb5_data *body) +krb5_error_code +decode_krb5_safe_with_body(const krb5_data *code, krb5_safe **repptr, + krb5_data *body) { krb5_data tmpbody; - setup(); - alloc_field(*rep,krb5_safe); + setup(krb5_safe *); + alloc_field(rep); + clear_field(rep,user_data.data); + clear_field(rep,r_address); + clear_field(rep,s_address); clear_field(rep,checksum); tmpbody.magic = 0; @@ -568,33 +621,31 @@ tmpbody.length = 0; tmpbody.data = NULL; } - get_field(**rep,2,asn1_decode_krb_safe_body); - alloc_field((*rep)->checksum,krb5_checksum); - get_field(*((*rep)->checksum),3,asn1_decode_checksum); - (*rep)->magic = KV5M_SAFE; + get_field(*rep,2,asn1_decode_krb_safe_body); + get_field(rep->checksum,3,asn1_decode_checksum_ptr); + rep->magic = KV5M_SAFE; end_structure(); } if (body != NULL) *body = tmpbody; cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,checksum); - free(*rep); - *rep = NULL; - } + krb5_free_safe(NULL, rep); return retval; } -krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep) +krb5_error_code +decode_krb5_safe(const krb5_data *code, krb5_safe **repptr) { - return decode_krb5_safe_with_body(code, rep, NULL); + return decode_krb5_safe_with_body(code, repptr, NULL); } -krb5_error_code decode_krb5_priv(const krb5_data *code, krb5_priv **rep) +krb5_error_code +decode_krb5_priv(const krb5_data *code, krb5_priv **repptr) { - setup(); - alloc_field(*rep,krb5_priv); + setup(krb5_priv *); + alloc_field(rep); + clear_field(rep,enc_part.ciphertext.data); check_apptag(21); { begin_structure(); 
@@ -607,48 +658,49 @@ if (msg_type != KRB5_PRIV) clean_return(KRB5_BADMSGTYPE); #endif } - get_field((*rep)->enc_part,3,asn1_decode_encrypted_data); - (*rep)->magic = KV5M_PRIV; + get_field(rep->enc_part,3,asn1_decode_encrypted_data); + rep->magic = KV5M_PRIV; end_structure(); } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_priv(NULL, rep); + return retval; } -krb5_error_code decode_krb5_enc_priv_part(const krb5_data *code, krb5_priv_enc_part **rep) +krb5_error_code +decode_krb5_enc_priv_part(const krb5_data *code, krb5_priv_enc_part **repptr) { - setup(); - alloc_field(*rep,krb5_priv_enc_part); + setup(krb5_priv_enc_part *); + alloc_field(rep); + clear_field(rep,user_data.data); clear_field(rep,r_address); clear_field(rep,s_address); check_apptag(28); { begin_structure(); - get_lenfield((*rep)->user_data.length,(*rep)->user_data.data,0,asn1_decode_charstring); - opt_field((*rep)->timestamp,1,asn1_decode_kerberos_time); - opt_field((*rep)->usec,2,asn1_decode_int32); - opt_field((*rep)->seq_number,3,asn1_decode_seqnum); - alloc_field((*rep)->s_address,krb5_address); - get_field(*((*rep)->s_address),4,asn1_decode_host_address); - if (tagnum == 5) { alloc_field((*rep)->r_address,krb5_address); } - opt_field(*((*rep)->r_address),5,asn1_decode_host_address); - (*rep)->magic = KV5M_PRIV_ENC_PART; + get_lenfield(rep->user_data.length,rep->user_data.data,0,asn1_decode_charstring); + opt_field(rep->timestamp,1,asn1_decode_kerberos_time); + opt_field(rep->usec,2,asn1_decode_int32); + opt_field(rep->seq_number,3,asn1_decode_seqnum); + get_field(rep->s_address,4,asn1_decode_host_address_ptr); + opt_field(rep->r_address,5,asn1_decode_host_address_ptr); + rep->magic = KV5M_PRIV_ENC_PART; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,r_address); - free_field(*rep,s_address); - free(*rep); - *rep = NULL; - } + krb5_free_priv_enc_part(NULL, rep); return retval; } -krb5_error_code decode_krb5_cred(const krb5_data *code, 
krb5_cred **rep) +krb5_error_code +decode_krb5_cred(const krb5_data *code, krb5_cred **repptr) { - setup(); - alloc_field(*rep,krb5_cred); + setup(krb5_cred *); + alloc_field(rep); + clear_field(rep,tickets); + clear_field(rep,enc_part.ciphertext.data); check_apptag(22); { begin_structure(); 
@@ -661,52 +713,55 @@ if (msg_type != KRB5_CRED) clean_return(KRB5_BADMSGTYPE); #endif } - get_field((*rep)->tickets,2,asn1_decode_sequence_of_ticket); - get_field((*rep)->enc_part,3,asn1_decode_encrypted_data); - (*rep)->magic = KV5M_CRED; + get_field(rep->tickets,2,asn1_decode_sequence_of_ticket); + get_field(rep->enc_part,3,asn1_decode_encrypted_data); + rep->magic = KV5M_CRED; end_structure(); } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_cred(NULL, rep); + return retval; } -krb5_error_code decode_krb5_enc_cred_part(const krb5_data *code, krb5_cred_enc_part **rep) +krb5_error_code +decode_krb5_enc_cred_part(const krb5_data *code, krb5_cred_enc_part **repptr) { - setup(); - alloc_field(*rep,krb5_cred_enc_part); + setup(krb5_cred_enc_part *); + alloc_field(rep); clear_field(rep,r_address); clear_field(rep,s_address); + clear_field(rep,ticket_info); check_apptag(29); { begin_structure(); - get_field((*rep)->ticket_info,0,asn1_decode_sequence_of_krb_cred_info); - opt_field((*rep)->nonce,1,asn1_decode_int32); - opt_field((*rep)->timestamp,2,asn1_decode_kerberos_time); - opt_field((*rep)->usec,3,asn1_decode_int32); - if (tagnum == 4) { alloc_field((*rep)->s_address,krb5_address); } - opt_field(*((*rep)->s_address),4,asn1_decode_host_address); - if (tagnum == 5) { alloc_field((*rep)->r_address,krb5_address); } - opt_field(*((*rep)->r_address),5,asn1_decode_host_address); - (*rep)->magic = KV5M_CRED_ENC_PART; + get_field(rep->ticket_info,0,asn1_decode_sequence_of_krb_cred_info); + opt_field(rep->nonce,1,asn1_decode_int32); + opt_field(rep->timestamp,2,asn1_decode_kerberos_time); + opt_field(rep->usec,3,asn1_decode_int32); + opt_field(rep->s_address,4,asn1_decode_host_address_ptr); + opt_field(rep->r_address,5,asn1_decode_host_address_ptr); + rep->magic = KV5M_CRED_ENC_PART; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,r_address); - free_field(*rep,s_address); - free(*rep); - *rep = NULL; - } + /* Despite the 
name, krb5_free_cred_enc_part is contents only. */ + krb5_free_cred_enc_part(NULL, rep); + free(rep); return retval; } -krb5_error_code decode_krb5_error(const krb5_data *code, krb5_error **rep) +krb5_error_code +decode_krb5_error(const krb5_data *code, krb5_error **repptr) { - setup(); - alloc_field(*rep,krb5_error); + setup(krb5_error *); + alloc_field(rep); clear_field(rep,server); clear_field(rep,client); + clear_field(rep,text.data); + clear_field(rep,e_data.data); check_apptag(30); { begin_structure(); 
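Review bot: At `error_out` in decode_krb5_enc_cred_part, `krb5_free_cred_enc_part(NULL, rep)` runs before `free(rep)` without any test of `rep`. If `alloc_field(rep)` jumps to `error_out` when the allocation fails (the macro is defined outside this hunk, so this is an assumption), the contents-only free is handed a NULL pointer. Either guard the call, `if (rep != NULL) krb5_free_cred_enc_part(NULL, rep);`, or confirm that the function returns early on NULL the way the new helpers added to kfree.c in this commit do. decode_krb5_error continues past the end of this hunk.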
@@ -719,427 +774,466 @@ if (msg_type != KRB5_ERROR) clean_return(KRB5_BADMSGTYPE); #endif } - opt_field((*rep)->ctime,2,asn1_decode_kerberos_time); - opt_field((*rep)->cusec,3,asn1_decode_int32); - get_field((*rep)->stime,4,asn1_decode_kerberos_time); - get_field((*rep)->susec,5,asn1_decode_int32); - get_field((*rep)->error,6,asn1_decode_ui_4); - if (tagnum == 7) { alloc_field((*rep)->client,krb5_principal_data); } - opt_field((*rep)->client,7,asn1_decode_realm); - opt_field((*rep)->client,8,asn1_decode_principal_name); - alloc_field((*rep)->server,krb5_principal_data); - get_field((*rep)->server,9,asn1_decode_realm); - get_field((*rep)->server,10,asn1_decode_principal_name); - opt_lenfield((*rep)->text.length,(*rep)->text.data,11,asn1_decode_generalstring); - opt_lenfield((*rep)->e_data.length,(*rep)->e_data.data,12,asn1_decode_charstring); - (*rep)->magic = KV5M_ERROR; + opt_field(rep->ctime,2,asn1_decode_kerberos_time); + opt_field(rep->cusec,3,asn1_decode_int32); + get_field(rep->stime,4,asn1_decode_kerberos_time); + get_field(rep->susec,5,asn1_decode_int32); + get_field(rep->error,6,asn1_decode_ui_4); + if (tagnum == 7) { alloc_principal(rep->client); } + opt_field(rep->client,7,asn1_decode_realm); + opt_field(rep->client,8,asn1_decode_principal_name); + alloc_principal(rep->server); + get_field(rep->server,9,asn1_decode_realm); + get_field(rep->server,10,asn1_decode_principal_name); + opt_lenfield(rep->text.length,rep->text.data,11,asn1_decode_generalstring); + opt_lenfield(rep->e_data.length,rep->e_data.data,12,asn1_decode_charstring); + rep->magic = KV5M_ERROR; end_structure(); } cleanup_manual(); error_out: - if (rep && *rep) { - free_field(*rep,server); - free_field(*rep,client); - free(*rep); - *rep = NULL; - } + krb5_free_error(NULL, rep); return retval; } -krb5_error_code decode_krb5_authdata(const krb5_data *code, krb5_authdata ***rep) +krb5_error_code +decode_krb5_authdata(const krb5_data *code, krb5_authdata ***repptr) { - setup_buf_only(); - *rep = 
0; - retval = asn1_decode_authorization_data(&buf,rep); + setup_buf_only(krb5_authdata **); + retval = asn1_decode_authorization_data(&buf,&rep); if (retval) clean_return(retval); cleanup_none(); /* we're not allocating anything here... */ } -krb5_error_code decode_krb5_pwd_sequence(const krb5_data *code, passwd_phrase_element **rep) +krb5_error_code +decode_krb5_pwd_sequence(const krb5_data *code, passwd_phrase_element **repptr) { - setup_buf_only(); - alloc_field(*rep,passwd_phrase_element); - retval = asn1_decode_passwdsequence(&buf,*rep); + setup_buf_only(passwd_phrase_element *); + alloc_field(rep); + retval = asn1_decode_passwdsequence(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pwd_data(const krb5_data *code, krb5_pwd_data **rep) +krb5_error_code +decode_krb5_pwd_data(const krb5_data *code, krb5_pwd_data **repptr) { - setup(); - alloc_field(*rep,krb5_pwd_data); + setup(krb5_pwd_data *); + alloc_field(rep); + clear_field(rep,element); { begin_structure(); - get_field((*rep)->sequence_count,0,asn1_decode_int); - get_field((*rep)->element,1,asn1_decode_sequence_of_passwdsequence); - (*rep)->magic = KV5M_PWD_DATA; + get_field(rep->sequence_count,0,asn1_decode_int); + get_field(rep->element,1,asn1_decode_sequence_of_passwdsequence); + rep->magic = KV5M_PWD_DATA; end_structure (); } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_pwd_data(NULL, rep); + return retval; } -krb5_error_code decode_krb5_padata_sequence(const krb5_data *code, krb5_pa_data ***rep) +krb5_error_code +decode_krb5_padata_sequence(const krb5_data *code, krb5_pa_data ***repptr) { - setup_buf_only(); - *rep = 0; - retval = asn1_decode_sequence_of_pa_data(&buf,rep); + setup_buf_only(krb5_pa_data **); + retval = asn1_decode_sequence_of_pa_data(&buf,&rep); if (retval) clean_return(retval); cleanup_none(); /* we're not allocating anything here */ } -krb5_error_code decode_krb5_alt_method(const krb5_data *code, krb5_alt_method **rep) 
+krb5_error_code +decode_krb5_alt_method(const krb5_data *code, krb5_alt_method **repptr) { - setup(); - alloc_field(*rep,krb5_alt_method); + setup(krb5_alt_method *); + alloc_field(rep); + clear_field(rep,data); { begin_structure(); - get_field((*rep)->method,0,asn1_decode_int32); + get_field(rep->method,0,asn1_decode_int32); if (tagnum == 1) { - get_lenfield((*rep)->length,(*rep)->data,1,asn1_decode_octetstring); + get_lenfield(rep->length,rep->data,1,asn1_decode_octetstring); } else { - (*rep)->length = 0; - (*rep)->data = 0; + rep->length = 0; + rep->data = 0; } - (*rep)->magic = KV5M_ALT_METHOD; + rep->magic = KV5M_ALT_METHOD; end_structure(); } - cleanup(free); + cleanup_manual(); +error_out: + krb5_free_alt_method(NULL, rep); + return retval; } -krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_entry ***rep) +krb5_error_code +decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_entry ***repptr) { - setup_buf_only(); - *rep = 0; - retval = asn1_decode_etype_info(&buf,rep); + setup_buf_only(krb5_etype_info_entry **); + retval = asn1_decode_etype_info(&buf,&rep); if (retval) clean_return(retval); cleanup_none(); /* we're not allocating anything here */ } -krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep) +krb5_error_code +decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***repptr) { - setup_buf_only(); - *rep = 0; - retval = asn1_decode_etype_info2(&buf,rep, 0); + setup_buf_only(krb5_etype_info_entry **); + retval = asn1_decode_etype_info2(&buf,&rep, 0); if (retval == ASN1_BAD_ID) { retval = asn1buf_wrap_data(&buf,code); if (retval) clean_return(retval); - retval = asn1_decode_etype_info2(&buf, rep, 1); + retval = asn1_decode_etype_info2(&buf, &rep, 1); } if (retval) clean_return(retval); cleanup_none(); /* we're not allocating anything here */ } -krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep) +krb5_error_code 
+decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_enc_data); + setup_buf_only(krb5_enc_data *); + alloc_field(rep); - retval = asn1_decode_encrypted_data(&buf,*rep); + retval = asn1_decode_encrypted_data(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_enc_ts(const krb5_data *code, krb5_pa_enc_ts **rep) +krb5_error_code +decode_krb5_pa_enc_ts(const krb5_data *code, krb5_pa_enc_ts **repptr) { - setup(); - alloc_field(*rep,krb5_pa_enc_ts); + setup(krb5_pa_enc_ts *); + alloc_field(rep); { begin_structure(); - get_field((*rep)->patimestamp,0,asn1_decode_kerberos_time); + get_field(rep->patimestamp,0,asn1_decode_kerberos_time); if (tagnum == 1) { - get_field((*rep)->pausec,1,asn1_decode_int32); + get_field(rep->pausec,1,asn1_decode_int32); } else - (*rep)->pausec = 0; + rep->pausec = 0; end_structure (); } cleanup(free); } -krb5_error_code decode_krb5_sam_challenge(const krb5_data *code, krb5_sam_challenge **rep) +krb5_error_code +decode_krb5_sam_challenge(const krb5_data *code, krb5_sam_challenge **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_sam_challenge); + setup_buf_only(krb5_sam_challenge *); + alloc_field(rep); - retval = asn1_decode_sam_challenge(&buf,*rep); + retval = asn1_decode_sam_challenge(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_sam_challenge_2(const krb5_data *code, krb5_sam_challenge_2 **rep) +krb5_error_code +decode_krb5_sam_challenge_2(const krb5_data *code, + krb5_sam_challenge_2 **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_sam_challenge_2); + setup_buf_only(krb5_sam_challenge_2 *); + alloc_field(rep); - retval = asn1_decode_sam_challenge_2(&buf,*rep); + retval = asn1_decode_sam_challenge_2(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_sam_challenge_2_body(const krb5_data *code, krb5_sam_challenge_2_body **rep) +krb5_error_code 
+decode_krb5_sam_challenge_2_body(const krb5_data *code, + krb5_sam_challenge_2_body **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_sam_challenge_2_body); + setup_buf_only(krb5_sam_challenge_2_body *); + alloc_field(rep); - retval = asn1_decode_sam_challenge_2_body(&buf, *rep); + retval = asn1_decode_sam_challenge_2_body(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_enc_sam_key(const krb5_data *code, krb5_sam_key **rep) +krb5_error_code +decode_krb5_enc_sam_key(const krb5_data *code, krb5_sam_key **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_sam_key); + setup_buf_only(krb5_sam_key *); + alloc_field(rep); - retval = asn1_decode_enc_sam_key(&buf,*rep); + retval = asn1_decode_enc_sam_key(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_enc_sam_response_enc(const krb5_data *code, krb5_enc_sam_response_enc **rep) +krb5_error_code +decode_krb5_enc_sam_response_enc(const krb5_data *code, + krb5_enc_sam_response_enc **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_enc_sam_response_enc); + setup_buf_only(krb5_enc_sam_response_enc *); + alloc_field(rep); - retval = asn1_decode_enc_sam_response_enc(&buf,*rep); + retval = asn1_decode_enc_sam_response_enc(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_enc_sam_response_enc_2(const krb5_data *code, krb5_enc_sam_response_enc_2 **rep) +krb5_error_code +decode_krb5_enc_sam_response_enc_2(const krb5_data *code, + krb5_enc_sam_response_enc_2 **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_enc_sam_response_enc_2); + setup_buf_only(krb5_enc_sam_response_enc_2 *); + alloc_field(rep); - retval = asn1_decode_enc_sam_response_enc_2(&buf,*rep); + retval = asn1_decode_enc_sam_response_enc_2(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_sam_response(const krb5_data *code, krb5_sam_response **rep) +krb5_error_code 
+decode_krb5_sam_response(const krb5_data *code, + krb5_sam_response **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_sam_response); + setup_buf_only(krb5_sam_response *); + alloc_field(rep); - retval = asn1_decode_sam_response(&buf,*rep); + retval = asn1_decode_sam_response(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_sam_response_2(const krb5_data *code, krb5_sam_response_2 **rep) +krb5_error_code +decode_krb5_sam_response_2(const krb5_data *code, + krb5_sam_response_2 **repptr) { - setup_buf_only(); - alloc_field(*rep,krb5_sam_response_2); + setup_buf_only(krb5_sam_response_2 *); + alloc_field(rep); - retval = asn1_decode_sam_response_2(&buf,*rep); + retval = asn1_decode_sam_response_2(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_predicted_sam_response(const krb5_data *code, krb5_predicted_sam_response **rep) +krb5_error_code +decode_krb5_predicted_sam_response(const krb5_data *code, + krb5_predicted_sam_response **repptr) { - setup_buf_only(); /* preallocated */ - alloc_field(*rep,krb5_predicted_sam_response); + setup_buf_only(krb5_predicted_sam_response *); /* preallocated */ + alloc_field(rep); - retval = asn1_decode_predicted_sam_response(&buf,*rep); + retval = asn1_decode_predicted_sam_response(&buf,rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_setpw_req(const krb5_data *code, - krb5_data **rep, - krb5_principal *principal) +krb5_error_code +decode_krb5_setpw_req(const krb5_data *code, krb5_data **repptr, + krb5_principal *principal) { - setup_buf_only(); - alloc_field(*rep, krb5_data); + setup_buf_only(krb5_data *); + alloc_field(rep); *principal = NULL; - retval = asn1_decode_setpw_req(&buf, *rep, principal); + retval = asn1_decode_setpw_req(&buf, rep, principal); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_for_user(const krb5_data *code, krb5_pa_for_user **rep) +krb5_error_code 
+decode_krb5_pa_for_user(const krb5_data *code, krb5_pa_for_user **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_pa_for_user); + setup_buf_only(krb5_pa_for_user *); + alloc_field(rep); - retval = asn1_decode_pa_for_user(&buf, *rep); + retval = asn1_decode_pa_for_user(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_pac_req(const krb5_data *code, krb5_pa_pac_req **rep) +krb5_error_code +decode_krb5_pa_pac_req(const krb5_data *code, krb5_pa_pac_req **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_pa_pac_req); + setup_buf_only(krb5_pa_pac_req *); + alloc_field(rep); - retval = asn1_decode_pa_pac_req(&buf, *rep); + retval = asn1_decode_pa_pac_req(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_etype_list(const krb5_data *code, krb5_etype_list **rep) +krb5_error_code +decode_krb5_etype_list(const krb5_data *code, krb5_etype_list **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_etype_list); + setup_buf_only(krb5_etype_list *); + alloc_field(rep); - retval = asn1_decode_sequence_of_enctype(&buf, &(*rep)->length, &(*rep)->etypes); + retval = asn1_decode_sequence_of_enctype(&buf, &rep->length, &rep->etypes); if (retval) clean_return(retval); cleanup(free); } #ifndef DISABLE_PKINIT -krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **rep) +krb5_error_code +decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_pa_pk_as_req); + setup_buf_only(krb5_pa_pk_as_req *); + alloc_field(rep); - retval = asn1_decode_pa_pk_as_req(&buf, *rep); + retval = asn1_decode_pa_pk_as_req(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_pk_as_req_draft9(const krb5_data *code, krb5_pa_pk_as_req_draft9 **rep) +krb5_error_code +decode_krb5_pa_pk_as_req_draft9(const krb5_data *code, + krb5_pa_pk_as_req_draft9 **repptr) { - setup_buf_only(); - 
alloc_field(*rep, krb5_pa_pk_as_req_draft9); + setup_buf_only(krb5_pa_pk_as_req_draft9 *); + alloc_field(rep); - retval = asn1_decode_pa_pk_as_req_draft9(&buf, *rep); + retval = asn1_decode_pa_pk_as_req_draft9(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_pk_as_rep(const krb5_data *code, krb5_pa_pk_as_rep **rep) +krb5_error_code +decode_krb5_pa_pk_as_rep(const krb5_data *code, krb5_pa_pk_as_rep **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_pa_pk_as_rep); + setup_buf_only(krb5_pa_pk_as_rep *); + alloc_field(rep); - retval = asn1_decode_pa_pk_as_rep(&buf, *rep); + retval = asn1_decode_pa_pk_as_rep(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_pa_pk_as_rep_draft9(const krb5_data *code, krb5_pa_pk_as_rep_draft9 **rep) +krb5_error_code +decode_krb5_pa_pk_as_rep_draft9(const krb5_data *code, + krb5_pa_pk_as_rep_draft9 **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_pa_pk_as_rep_draft9); + setup_buf_only(krb5_pa_pk_as_rep_draft9 *); + alloc_field(rep); - retval = asn1_decode_pa_pk_as_rep_draft9(&buf, *rep); + retval = asn1_decode_pa_pk_as_rep_draft9(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_auth_pack(const krb5_data *code, krb5_auth_pack **rep) +krb5_error_code +decode_krb5_auth_pack(const krb5_data *code, krb5_auth_pack **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_auth_pack); + setup_buf_only(krb5_auth_pack *); + alloc_field(rep); - retval = asn1_decode_auth_pack(&buf, *rep); + retval = asn1_decode_auth_pack(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_auth_pack_draft9(const krb5_data *code, krb5_auth_pack_draft9 **rep) +krb5_error_code +decode_krb5_auth_pack_draft9(const krb5_data *code, + krb5_auth_pack_draft9 **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_auth_pack_draft9); + setup_buf_only(krb5_auth_pack_draft9 *); + alloc_field(rep); - 
retval = asn1_decode_auth_pack_draft9(&buf, *rep); + retval = asn1_decode_auth_pack_draft9(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_kdc_dh_key_info(const krb5_data *code, krb5_kdc_dh_key_info **rep) +krb5_error_code +decode_krb5_kdc_dh_key_info(const krb5_data *code, + krb5_kdc_dh_key_info **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_kdc_dh_key_info); + setup_buf_only(krb5_kdc_dh_key_info *); + alloc_field(rep); - retval = asn1_decode_kdc_dh_key_info(&buf, *rep); + retval = asn1_decode_kdc_dh_key_info(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_principal_name(const krb5_data *code, krb5_principal_data **rep) +krb5_error_code +decode_krb5_principal_name(const krb5_data *code, krb5_principal_data **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_principal_data); + setup_buf_only(krb5_principal_data *); + alloc_field(rep); - retval = asn1_decode_krb5_principal_name(&buf, rep); + retval = asn1_decode_krb5_principal_name(&buf, &rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_reply_key_pack(const krb5_data *code, krb5_reply_key_pack **rep) +krb5_error_code +decode_krb5_reply_key_pack(const krb5_data *code, krb5_reply_key_pack **repptr) { - setup_buf_only(); - alloc_field(*rep, krb5_reply_key_pack); + setup_buf_only(krb5_reply_key_pack *); + alloc_field(rep); - retval = asn1_decode_reply_key_pack(&buf, *rep); + retval = asn1_decode_reply_key_pack(&buf, rep); if (retval) goto error_out; - cleanup_manual(); -error_out: - if (rep && *rep) { - free((*rep)->replyKey.contents); - free((*rep)->asChecksum.contents); - free(*rep); - *rep = NULL; - } - return retval; + cleanup(free); } -krb5_error_code decode_krb5_reply_key_pack_draft9(const krb5_data *code, krb5_reply_key_pack_draft9 **rep) +krb5_error_code +decode_krb5_reply_key_pack_draft9(const krb5_data *code, + krb5_reply_key_pack_draft9 **repptr) { - setup_buf_only(); - 
alloc_field(*rep, krb5_reply_key_pack_draft9); + setup_buf_only(krb5_reply_key_pack_draft9 *); + alloc_field(rep); - retval = asn1_decode_reply_key_pack_draft9(&buf, *rep); + retval = asn1_decode_reply_key_pack_draft9(&buf, rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***rep) +krb5_error_code +decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***repptr) { - setup_buf_only(); - retval = asn1_decode_sequence_of_typed_data(&buf, rep); + setup_buf_only(krb5_typed_data **); + retval = asn1_decode_sequence_of_typed_data(&buf, &rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_td_trusted_certifiers(const krb5_data *code, krb5_external_principal_identifier ***rep) +krb5_error_code +decode_krb5_td_trusted_certifiers(const krb5_data *code, + krb5_external_principal_identifier ***repptr) { - setup_buf_only(); - retval = asn1_decode_sequence_of_external_principal_identifier(&buf, rep); + setup_buf_only(krb5_external_principal_identifier **); + retval = asn1_decode_sequence_of_external_principal_identifier(&buf, &rep); if (retval) clean_return(retval); cleanup(free); } -krb5_error_code decode_krb5_td_dh_parameters(const krb5_data *code, krb5_algorithm_identifier ***rep) +krb5_error_code +decode_krb5_td_dh_parameters(const krb5_data *code, + krb5_algorithm_identifier ***repptr) { - setup_buf_only(); - retval = asn1_decode_sequence_of_algorithm_identifier(&buf, rep); + setup_buf_only(krb5_algorithm_identifier **); + retval = asn1_decode_sequence_of_algorithm_identifier(&buf, &rep); if (retval) clean_return(retval); cleanup(free); Modified: branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c 2009-04-13 20:26:35 UTC (rev 22207) 
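Review bot: decode_krb5_reply_key_pack now ends in `cleanup(free)`, whereas the removed error path also released `replyKey.contents` and `asChecksum.contents`. Unless asn1_decode_reply_key_pack frees those itself on failure (not visible in this hunk), a decode that fails after filling either buffer leaks it, and `replyKey` is key material arriving in a PKINIT reply. The function also still uses `goto error_out` where its siblings use `clean_return(retval)`, so it relies on a label that the cleanup macro presumably supplies. Keeping the manual cleanup in the new `rep`-based style, with the two pointers cleared up front as the other decoders do, restores the old behaviour. decode_krb5_enc_data has a similar shape: it keeps `cleanup(free)` even though this commit adds `krb5_free_enc_data`.

```c
    setup_buf_only(krb5_reply_key_pack *);
    alloc_field(rep);
    clear_field(rep,replyKey.contents);
    clear_field(rep,asChecksum.contents);
    /* … unchanged: asn1_decode_reply_key_pack call and `goto error_out` … */
    cleanup_manual();
error_out:
    /* A failed decode may already have filled either buffer. */
    if (rep != NULL) {
        free(rep->replyKey.contents);
        free(rep->asChecksum.contents);
        free(rep);
    }
    return retval;
```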
@@ -44,7 +44,10 @@ asn1_error_code retval;\ unsigned int length, sum = 0;\ asn1buf *buf=NULL;\ + krb5_data *tmpcode;\ \ + *code = NULL;\ +\ if (rep == NULL) return ASN1_MISSING_FIELD;\ \ retval = asn1buf_create(&buf);\ @@ -52,21 +55,19 @@ /* produce the final output and clean up the workspace */ #define krb5_cleanup()\ - retval = asn12krb5_buf(buf,code);\ - if (retval) {\ - asn1buf_destroy(&buf);\ - return retval; }\ - retval = asn1buf_destroy(&buf);\ - if (retval) {\ - return retval; }\ -\ + retval = asn12krb5_buf(buf,&tmpcode);\ +error:\ + asn1buf_destroy(&buf);\ + if (retval)\ + return retval;\ + *code = tmpcode;\ return 0 krb5_error_code encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code) { krb5_setup(); retval = asn1_encode_pa_pk_as_req(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -75,7 +76,7 @@ { krb5_setup(); retval = asn1_encode_pa_pk_as_req_draft9(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -84,7 +85,7 @@ { krb5_setup(); retval = asn1_encode_pa_pk_as_rep(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -93,7 +94,7 @@ { krb5_setup(); retval = asn1_encode_pa_pk_as_rep_draft9(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -102,7 +103,7 @@ { krb5_setup(); retval = asn1_encode_auth_pack(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -111,7 +112,7 @@ { krb5_setup(); retval = asn1_encode_auth_pack_draft9(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -120,7 +121,7 @@ { krb5_setup(); retval = asn1_encode_kdc_dh_key_info(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } 
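Review bot: The comment above `krb5_cleanup()` still reads "produce the final output and clean up the workspace", but the macro now also defines the `error:` label that every `goto error` in the encoders lands on, and it assigns `*code` only on success. I would extend it to something like `/* produce the final output and clean up the workspace; defines the "error" label used by failure paths, and sets *code only when encoding succeeded */`. `krb5_setup()` now writes `*code = NULL` before the `rep == NULL` check, so its comment should state that `code` must be a valid pointer. The return value of `asn1buf_destroy` is no longer examined, which seems fine for a cleanup path but deserves a mention in the same comment. Both macro bodies extend outside the lines shown in these hunks.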
@@ -129,7 +130,7 @@ { krb5_setup(); retval = asn1_encode_reply_key_pack(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -138,7 +139,7 @@ { krb5_setup(); retval = asn1_encode_reply_key_pack_draft9(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -147,7 +148,7 @@ { krb5_setup(); retval = asn1_encode_td_trusted_certifiers(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -156,7 +157,7 @@ { krb5_setup(); retval = asn1_encode_sequence_of_typed_data(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } @@ -165,7 +166,7 @@ { krb5_setup(); retval = asn1_encode_sequence_of_algorithm_identifier(buf,rep,&length); - if (retval) return retval; + if (retval) goto error; sum += length; krb5_cleanup(); } Modified: branches/krb5-1-7/src/lib/krb5/krb/kfree.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-13 20:26:35 UTC (rev 22207) @@ -80,6 +80,15 @@ void KRB5_CALLCONV +krb5_free_alt_method(krb5_context context, + krb5_alt_method *alt) +{ + if (alt) { + free(alt->data); + free(alt); + } +} +void KRB5_CALLCONV krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) { if (val == NULL) @@ -254,6 +263,15 @@ } } +void KRB5_CALLCONV +krb5_free_enc_data(krb5_context context, krb5_enc_data *val) +{ + if (val == NULL) + return; + krb5_free_data_contents(context, &val->ciphertext); + free(val); +} + void krb5_free_etype_info(krb5_context context, krb5_etype_info info) { int i; 
@@ -426,19 +444,30 @@ void KRB5_CALLCONV +krb5_free_passwd_phrase_element(krb5_context context, + passwd_phrase_element *val) +{ + register passwd_phrase_element **temp; + + if (val == NULL) + return; + krb5_free_data(context, val->passwd); + val->passwd = NULL; + krb5_free_data(context, val->phrase); + val->phrase = NULL; + free(val); +} + + +void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) { register passwd_phrase_element **temp; if (val == NULL) return; - for (temp = val; *temp; temp++) { - krb5_free_data(context, (*temp)->passwd); - (*temp)->passwd = 0; - krb5_free_data(context, (*temp)->phrase); - (*temp)->phrase = 0; - free(*temp); - } + for (temp = val; *temp; temp++) + krb5_free_passwd_phrase_element(context, *temp); free(val); } Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-13 20:26:33 UTC (rev 22206) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-13 20:26:35 UTC (rev 22207) @@ -13,10 +13,12 @@ decode_krb5_enc_kdc_rep_part decode_krb5_enc_priv_part decode_krb5_enc_sam_response_enc +decode_krb5_enc_sam_response_enc_2 decode_krb5_enc_tkt_part decode_krb5_encryption_key decode_krb5_error decode_krb5_etype_info +decode_krb5_etype_info2 decode_krb5_kdc_req_body decode_krb5_pa_enc_ts decode_krb5_pa_for_user @@ -29,6 +31,7 @@ decode_krb5_safe decode_krb5_sam_challenge decode_krb5_sam_response +decode_krb5_sam_response_2 decode_krb5_setpw_req decode_krb5_tgs_rep decode_krb5_tgs_req @@ -47,6 +50,7 @@ encode_krb5_enc_kdc_rep_part encode_krb5_enc_priv_part encode_krb5_enc_sam_response_enc +encode_krb5_enc_sam_response_enc_2 encode_krb5_enc_tkt_part encode_krb5_encryption_key encode_krb5_error @@ -66,6 +70,7 @@ encode_krb5_sam_challenge encode_krb5_sam_key encode_krb5_sam_response +encode_krb5_sam_response_2 encode_krb5_tgs_rep encode_krb5_tgs_req encode_krb5_ticket 
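Review bot: The new krb5_free_passwd_phrase_element declares `register passwd_phrase_element **temp;` but never uses it. The line looks copied from krb5_free_pwd_sequences and should be dropped to avoid an unused-variable warning. Setting `val->passwd = NULL` and `val->phrase = NULL` immediately before `free(val)` has no effect either and could go. Separately, `passwd` holds password data and is released through `krb5_free_data`. If that helper does not wipe the buffer before freeing it (its body is not in this hunk), a short comment saying so would tell callers that need zeroization to do it themselves.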
@@ -192,6 +197,7 @@ krb5_find_serializer krb5_free_address krb5_free_addresses +krb5_free_alt_method krb5_free_ap_rep krb5_free_ap_rep_enc_part krb5_free_ap_req @@ -209,6 +215,7 @@ krb5_free_data krb5_free_data_contents krb5_free_default_realm +krb5_free_enc_data krb5_free_enc_kdc_rep_part krb5_free_enc_sam_response_enc krb5_free_enc_sam_response_enc_2 @@ -233,6 +240,7 @@ krb5_free_pa_for_user krb5_free_pa_server_referral_data krb5_free_pa_svr_referral_data +krb5_free_passwd_phrase_element krb5_free_predicted_sam_response krb5_free_predicted_sam_response_contents krb5_free_principal From tlyu at MIT.EDU Mon Apr 13 16:26:33 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 13 Apr 2009 16:26:33 -0400 Subject: svn rev #22206: branches/krb5-1-7/src/kadmin/ cli/ ktutil/ Message-ID: <200904132026.n3DKQXuJ031465@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22206 Commit By: tlyu Log Message: ticket: 6348 version_fixed: 1.7 pull up r21966, r22042 from trunk ------------------------------------------------------------------------ r22042 | rra | 2009-02-20 13:48:26 -0500 (Fri, 20 Feb 2009) | 5 lines Changed paths: M /trunk/src/kadmin/cli/Makefile.in Ticket: 6348 Tags: pullup Also install k5srvutil into PREFIX/bin instead of PREFIX/sbin. ------------------------------------------------------------------------ r21966 | rra | 2009-02-11 00:00:24 -0500 (Wed, 11 Feb 2009) | 6 lines Changed paths: M /trunk/src/kadmin/cli/Makefile.in M /trunk/src/kadmin/ktutil/Makefile.in Ticket: 6348 Tags: pullup Install ktutil and kadmin into CLIENT_BINDIR instead of ADMIN_BINDIR since both are useful for users other than the system administrator. ------------------------------------------------------------------------ Changed Files: U branches/krb5-1-7/src/kadmin/cli/Makefile.in U branches/krb5-1-7/src/kadmin/ktutil/Makefile.in Modified: branches/krb5-1-7/src/kadmin/cli/Makefile.in =================================================================== --- branches/krb5-1-7/src/kadmin/cli/Makefile.in 2009-04-13 20:26:30 UTC (rev 22205) +++ branches/krb5-1-7/src/kadmin/cli/Makefile.in 2009-04-13 20:26:33 UTC (rev 22206) 
@@ -28,8 +28,8 @@ install:: $(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) - $(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(ADMIN_BINDIR)/k5srvutil + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(CLIENT_BINDIR)/$(PROG) + $(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(CLIENT_BINDIR)/k5srvutil $(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8 $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8 $(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8 Modified: branches/krb5-1-7/src/kadmin/ktutil/Makefile.in =================================================================== --- branches/krb5-1-7/src/kadmin/ktutil/Makefile.in 2009-04-13 20:26:30 UTC (rev 22205) +++ branches/krb5-1-7/src/kadmin/ktutil/Makefile.in 2009-04-13 20:26:33 UTC (rev 22206) @@ -20,7 +20,7 @@ $(CC_LINK) -o ktutil $(OBJS) $(SS_LIB) $(KRB5_BASE_LIBS) install:: - $(INSTALL_PROGRAM) ktutil ${DESTDIR}$(ADMIN_BINDIR)/ktutil + $(INSTALL_PROGRAM) ktutil ${DESTDIR}$(CLIENT_BINDIR)/ktutil $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(ADMIN_MANDIR)/ktutil.8 generate-files-mac: ktutil_ct.c From wfiveash at MIT.EDU Mon Apr 13 18:15:07 2009 
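Review bot: Both install hunks move the binaries to `$(CLIENT_BINDIR)` but leave the manual pages going to `$(ADMIN_MANDIR)` as section 8 (`$(PROG).8`, `k5srvutil.8`, `ktutil.8`). After this change `kadmin`, `k5srvutil` and `ktutil` are on an ordinary user's PATH while their documentation stays in the administrator section. If that is deliberate, a one-line comment in each `install::` rule would record it, for example `# man pages stay in section 8; only the binaries move to CLIENT_BINDIR`. `$(PROG).local` correctly remains in `$(ADMIN_BINDIR)`. The `install::` rules begin and end outside the lines shown.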
From: wfiveash at MIT.EDU (wfiveash@MIT.EDU) Date: Mon, 13 Apr 2009 18:15:07 -0400 Subject: svn rev #22208: trunk/src/kadmin/dbutil/ Message-ID: <200904132215.n3DMF7o7005431@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22208 Commit By: wfiveash Log Message: Ticket: 6459 Subject: Update kdb5_util man page with missing purge_mkeys command Version_Reported: 1.7 Target_Version: 1.7 Tags: pullup While previously updating the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project I missed the purge_mkeys command. I've added that with this commit. Changed Files: U trunk/src/kadmin/dbutil/kdb5_util.M Modified: trunk/src/kadmin/dbutil/kdb5_util.M =================================================================== --- trunk/src/kadmin/dbutil/kdb5_util.M 2009-04-13 20:26:35 UTC (rev 22207) +++ trunk/src/kadmin/dbutil/kdb5_util.M 2009-04-13 22:15:05 UTC (rev 22208) @@ -236,6 +236,18 @@ \fBlist_mkeys\fP List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key. .TP +\fBpurge_mkeys\fP [\fB-f\fP] [\fB-n\fP] [\fB-v\fP] +Delete master keys from the K/M principal that are not used to protect any principals. This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key. +.TP +.B \-f +does not prompt user. +.TP +.B \-n +do a dry run, shows master keys that would be purged, does not actually purge any keys. +.TP +.B \-v +verbose output. +.TP \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP] Update all principal records (or only those matching the .B princ\-pattern From hartmans at MIT.EDU Tue Apr 14 11:05:22 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 14 Apr 2009 11:05:22 -0400 Subject: svn rev #22209: trunk/src/clients/kinit/ Message-ID: <200904141505.n3EF5Mx4028792@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22209 Commit By: hartmans Log Message: ticket: 6460 subject: Implement kinit option for FAST armor ccache Target_version: 1.7 tags: pullup Implement the -T option to kinit to specify the FAST armor ccache. Changed Files: U trunk/src/clients/kinit/kinit.M U trunk/src/clients/kinit/kinit.c Modified: trunk/src/clients/kinit/kinit.M =================================================================== --- trunk/src/clients/kinit/kinit.M 2009-04-13 22:15:05 UTC (rev 22208) +++ trunk/src/clients/kinit/kinit.M 2009-04-14 15:05:21 UTC (rev 22209) @@ -37,7 +37,7 @@ [\fB\-A\fP] [\fB\-v\fP] [\fB\-R\fP] [\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP] -[\fB\-S\fP \fIservice_name\fP] +[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP] [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] [\fIprincipal\fP] .ad b @@ -130,6 +130,10 @@ .I keytab_file option; otherwise the default name and location will be used. .TP +\fB\-T\fP \fIarmor_ccache\fP +Specifies the name of a credential cache that already contains a ticket. This ccache +will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal. +.TP \fB\-c\fP \fIcache_name\fP use .I cache_name Modified: trunk/src/clients/kinit/kinit.c =================================================================== --- trunk/src/clients/kinit/kinit.c 2009-04-13 22:15:05 UTC (rev 22208) +++ trunk/src/clients/kinit/kinit.c 2009-04-14 15:05:21 UTC (rev 22209) @@ -117,6 +117,7 @@ char* service_name; char* keytab_name; char* k5_cache_name; + char *armor_ccache; action_type action; 
@@ -195,9 +196,10 @@ USAGE_BREAK "[-v] [-R] " "[-k [-t keytab_file]] " - "[-c cachename] " + "[-c cachename] " USAGE_BREAK - "[-S service_name]" + "[-S service_name]""-T ticket_armor_cache" + USAGE_BREAK "[-X [=]] [principal]" "\n\n", progname); @@ -278,7 +280,7 @@ int errflg = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE")) + while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE")) != -1) { switch (i) { case 'V': @@ -347,6 +349,12 @@ opts->keytab_name = optarg; } break; + case 'T': + if (opts->armor_ccache) { + fprintf(stderr, "Only one armor_ccache\n"); + errflg++; + } else opts->armor_ccache = optarg; + break; case 'R': opts->action = RENEW; break; @@ -585,6 +593,9 @@ } if (opts->no_addresses) krb5_get_init_creds_opt_set_address_list(options, NULL); + if (opts->armor_ccache) + krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); + if ((opts->action == INIT_KT) && opts->keytab_name) { From hartmans at MIT.EDU Tue Apr 14 11:35:13 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 14 Apr 2009 11:35:13 -0400 Subject: svn rev #22210: trunk/src/kdc/ Message-ID: <200904141535.n3EFZDtM030542@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22210 Commit By: hartmans Log Message: ticket: 6461 Subject: Require fast_req checksum to be keyed Target_Version: 1.7 Tags: pullup Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. Changed Files: U trunk/src/kdc/fast_util.c Modified: trunk/src/kdc/fast_util.c =================================================================== --- trunk/src/kdc/fast_util.c 2009-04-14 15:05:21 UTC (rev 22209) +++ trunk/src/kdc/fast_util.c 2009-04-14 15:35:12 UTC (rev 22210) 
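Review bot: The usage text for the new option is malformed in the `@@ -195,9 +196,10 @@` hunk: the adjacent literals `"[-S service_name]""-T ticket_armor_cache"` concatenate to `[-S service_name]-T ticket_armor_cache`, with no separating space and no brackets marking the option as optional. The argument name also differs from the `armor_ccache` used in kinit.M in the same commit. I would write `"[-S service_name] [-T armor_ccache] "` so the synopsis matches the man page. The enclosing usage function starts and ends outside the hunk.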
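Review bot: The return value of `krb5_get_init_creds_opt_set_fast_ccache_name()` is discarded in the `@@ -585,6 +593,9 @@` hunk. If that call fails, kinit presumably carries on and sends the request without the armor the user asked for with -T, and nothing is reported. Since -T is a request for extra protection, a failure here should stop the run rather than fall back silently: `if (krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache) != 0) { /* report and fail */ }`, wired to the error variable and cleanup path the enclosing function already uses. That function starts and ends outside the hunk, so those names are not visible here.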
@@ -133,9 +133,11 @@ krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; krb5_boolean cksum_valid; + krb5_keyblock empty_keyblock; scratch.data = NULL; krb5_clear_error_message(kdc_context); + memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ @@ -192,7 +194,23 @@ krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, "FAST req_checksum invalid; request modified"); } - if (retval == 0) { + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } From tlyu at MIT.EDU Tue Apr 14 14:33:28 2009 
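Review bot: The keyed-checksum probe in the `@@ -192,7 +194,23 @@` hunk fails open. Only `ret == 0` from the empty-keyblock `krb5_c_verify_checksum()` call is treated as "unkeyed", so any other failure of that call (not just a rejected key length) is read as "keyed" and the request is accepted. The probe also overwrites `cksum_valid`, which the earlier verification filled in, and never looks at the new value; any later reader of `cksum_valid` outside the hunk would see the probe's answer. If it behaves correctly for every checksum type the KDC accepts, testing the type directly would avoid inferring the property from an error path: `if (!krb5_c_is_keyed_cksum(fast_armored_req->req_checksum.checksum_type)) retval = KRB5KDC_ERR_POLICY;`. Otherwise I would use a separate `krb5_boolean` for the probe and add a comment saying which `ret` values are expected for keyed types. The enclosing function starts and ends outside the hunk.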
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 14:33:28 -0400 Subject: svn rev #22211: branches/krb5-1-7/src/kdc/ Message-ID: <200904141833.n3EIXSD8008170@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22211 Commit By: tlyu Log Message: subject: clean up KDC realm referrals error handling ticket: 6462 tags: pullup target_version: 1.7 version_fixed: 1.7 pull up r22046, r22070 from trunk ------------------------------------------------------------------------ r22070 | tsitkova | 2009-03-09 10:23:31 -0400 (Mon, 09 Mar 2009) | 2 lines Changed paths: M /trunk/src/kdc/do_tgs_req.c Removed unneeded printf's ------------------------------------------------------------------------ r22046 | tsitkova | 2009-02-23 13:47:28 -0500 (Mon, 23 Feb 2009) | 2 lines Changed paths: M /trunk/src/kdc/do_tgs_req.c Correct the return code. ------------------------------------------------------------------------ Removed unneeded printf's Changed Files: U branches/krb5-1-7/src/kdc/do_tgs_req.c Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-14 15:35:12 UTC (rev 22210) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-14 18:33:27 UTC (rev 22211) @@ -1128,12 +1128,12 @@ goto cleanup; } if (realms == 0) { - printf(" (null)\n"); + retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } if (realms[0] == 0) { - printf(" (none)\n"); free(realms); + retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } /* Modify request. @@ -1144,7 +1144,6 @@ (*request->server).realm.length, (*request->server).realm.data, "krbtgt", realms[0], (char *)0); - for (cpp = realms; *cpp; cpp++) free(*cpp); } From tlyu at MIT.EDU Tue Apr 14 15:53:50 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 15:53:50 -0400 Subject: svn rev #22212: branches/krb5-1-7/src/ include/krb5/ lib/gssapi/krb5/ lib/krb5/ ... Message-ID: <200904141953.n3EJroqV013470@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22212 Commit By: tlyu Log Message: ticket: 6400 version_fixed: 1.7 pull up r22056, r22057 from trunk ------------------------------------------------------------------------ r22057 | hartmans | 2009-02-26 15:32:35 -0500 (Thu, 26 Feb 2009) | 3 lines Changed paths: M /trunk/src/lib/krb5/krb/copy_auth.c ticket: 6400 krb5_merge_authdata should initialize output on failure. ------------------------------------------------------------------------ r22056 | hartmans | 2009-02-26 15:07:05 -0500 (Thu, 26 Feb 2009) | 11 lines Changed paths: M /trunk/src/include/krb5/krb5.hin M /trunk/src/lib/gssapi/krb5/accept_sec_context.c M /trunk/src/lib/krb5/krb/copy_auth.c M /trunk/src/lib/krb5/libkrb5.exports Subject: Include authenticator and ticket authdata in gss-api ticket: 6400 Target_version: 1.7 Tags: pullup Currently, the GSS-API routines for handling authdata only extract the authorization data from the ticket, not that from the authenticator. This is incorrect. Introduce a new function krb5_merge_authadata to merge two authdata arrays into a newly allocated result array. Use this function in accept_sec_context.c to include both sets of authdata. 
------------------------------------------------------------------------ Changed Files: U branches/krb5-1-7/src/include/krb5/krb5.hin U branches/krb5-1-7/src/lib/gssapi/krb5/accept_sec_context.c U branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/krb5/krb5.hin =================================================================== --- branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 18:33:27 UTC (rev 22211) +++ branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 19:53:49 UTC (rev 22212) @@ -1718,6 +1718,14 @@ (krb5_context, krb5_authdata * const *, krb5_authdata ***); +krb5_error_code KRB5_CALLCONV krb5_merge_authdata + (krb5_context, + krb5_authdata * const *, + krb5_authdata *const *, + krb5_authdata ***); +/* Merge two authdata arrays, such as the array from a ticket + * and authenticator */ + krb5_error_code KRB5_CALLCONV krb5_copy_authenticator (krb5_context, const krb5_authenticator *, Modified: branches/krb5-1-7/src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/krb5/accept_sec_context.c 2009-04-14 18:33:27 UTC (rev 22211) +++ branches/krb5-1-7/src/lib/gssapi/krb5/accept_sec_context.c 2009-04-14 19:53:49 UTC (rev 22212) @@ -811,9 +811,9 @@ } /* XXX move this into gss_name_t */ - if (ticket->enc_part2->authorization_data != NULL && - (code = krb5_copy_authdata(context, + if ( (code = krb5_merge_authdata(context, ticket->enc_part2->authorization_data, + authdat->authorization_data, &ctx->authdata))) { major_status = GSS_S_FAILURE; goto fail; Modified: branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c 2009-04-14 18:33:27 UTC (rev 22211) +++ branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c 2009-04-14 19:53:49 UTC (rev 22212) 
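Review bot: The merged array stored in `ctx->authdata` by the accept_sec_context.c hunk no longer records where each element came from. `ticket->enc_part2->authorization_data` is issued inside the ticket, while `authdat->authorization_data` comes from the authenticator, which the client builds. Any consumer that treats every element of `ctx->authdata` as vouched for by the KDC would now also accept client-asserted elements; the consumers are outside this hunk, so that needs checking. At minimum I would add a comment at the call, e.g. `/* ctx->authdata mixes ticket authdata with client-supplied authenticator authdata; do not treat all elements as KDC-issued */`. The merge order (ticket first, authenticator second) should be documented on `krb5_merge_authdata` in krb5.hin so callers can rely on it.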
@@ -77,38 +77,63 @@ * Copy an authdata array, with fresh allocation. */ krb5_error_code KRB5_CALLCONV -krb5_copy_authdata(krb5_context context, krb5_authdata *const *inauthdat, krb5_authdata ***outauthdat) +krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5_authdata * const *inauthdat2, + krb5_authdata ***outauthdat) { krb5_error_code retval; krb5_authdata ** tempauthdat; - register unsigned int nelems = 0; + register unsigned int nelems = 0, nelems2 = 0; - if (!inauthdat) { + *outauthdat = NULL; + if (!inauthdat1 && !inauthdat2) { *outauthdat = 0; return 0; } - while (inauthdat[nelems]) nelems++; + if (inauthdat1) + while (inauthdat1[nelems]) nelems++; + if (inauthdat2) + while (inauthdat2[nelems2]) nelems2++; /* one more for a null terminated list */ - if (!(tempauthdat = (krb5_authdata **) calloc(nelems+1, + if (!(tempauthdat = (krb5_authdata **) calloc(nelems+nelems2+1, sizeof(*tempauthdat)))) return ENOMEM; - for (nelems = 0; inauthdat[nelems]; nelems++) { - retval = krb5_copy_authdatum(context, inauthdat[nelems], - &tempauthdat[nelems]); - if (retval) { - krb5_free_authdata(context, tempauthdat); - return retval; + if (inauthdat1) { + for (nelems = 0; inauthdat1[nelems]; nelems++) { + retval = krb5_copy_authdatum(context, inauthdat1[nelems], + &tempauthdat[nelems]); + if (retval) { + krb5_free_authdata(context, tempauthdat); + return retval; + } } } + if (inauthdat2) { + for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) { + retval = krb5_copy_authdatum(context, inauthdat2[nelems2], + &tempauthdat[nelems++]); + if (retval) { + krb5_free_authdata(context, tempauthdat); + return retval; + } + } + } + *outauthdat = tempauthdat; return 0; } krb5_error_code KRB5_CALLCONV +krb5_copy_authdata(krb5_context context, + krb5_authdata *const *in_authdat, krb5_authdata ***out) +{ + return krb5_merge_authdata(context, in_authdat, NULL, out); +} + +krb5_error_code KRB5_CALLCONV krb5_decode_authdata_container(krb5_context context, 
krb5_authdatatype type, const krb5_authdata *container, Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-14 18:33:27 UTC (rev 22211) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-14 19:53:49 UTC (rev 22212) @@ -354,6 +354,7 @@ krb5_max_dgram_size krb5_max_skdc_timeout krb5_mcc_ops +krb5_merge_authdata krb5_mk_1cred krb5_mk_error krb5_mk_ncred From tlyu at MIT.EDU Tue Apr 14 15:53:54 2009 
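Review bot: The header comment kept as context above the function in the copy_auth.c hunk, "Copy an authdata array, with fresh allocation.", now sits on `krb5_merge_authdata`, and the new `krb5_copy_authdata` wrapper has no comment at all. I would change the first to something like `/* Merge two NULL-terminated authdata arrays (either may be NULL) into a freshly allocated array; *outauthdat is set to NULL on failure. */` and put `/* Copy an authdata array, with fresh allocation. */` above the wrapper. Inside the function, `*outauthdat = 0;` in the both-NULL branch is redundant now that `*outauthdat = NULL;` is assigned unconditionally just before it. The second copy loop continues the output index with `&tempauthdat[nelems++]`, which is correct only because the first loop leaves `nelems` at the count of `inauthdat1`; a one-line comment there would help the next reader.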
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 15:53:54 -0400 Subject: svn rev #22213: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904141953.n3EJrs6Q013507@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22213 Commit By: tlyu Log Message: ticket: 6401 version_fixed: 1.7 pull up r22067 from trunk ------------------------------------------------------------------------ r22067 | hartmans | 2009-03-06 12:26:29 -0500 (Fri, 06 Mar 2009) | 12 lines Changed paths: M /trunk/src/lib/krb5/krb/get_in_tkt.c ticket: 6401 Subject: send_as_req re-encodes the request krb5_get_init_creds calls encode_krb5_as_req to produce an encoding for the preauth plugins, then passes the unencoded request structure into the static function send_as_req. That function re-encodes the request. This is an unnecessary call to the encoder. In addition, for the FAST project, it is desirable to encapsulate the unencoded outer request so that krb5_get_init_creds does not need it. * send_as_req is modified to take an encoded request and realm * Remove unused logic to fill in request nonce from send_as_req ------------------------------------------------------------------------ Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c Modified: branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-14 19:53:49 UTC (rev 22212) +++ branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-14 19:53:53 UTC (rev 22213) 
@@ -136,36 +136,25 @@ */ static krb5_error_code send_as_request(krb5_context context, - krb5_kdc_req *request, + krb5_data *packet, const krb5_data *realm, krb5_error ** ret_err_reply, krb5_kdc_rep ** ret_as_reply, int *use_master) { krb5_kdc_rep *as_reply = 0; krb5_error_code retval; - krb5_data *packet = 0; krb5_data reply; char k4_version; /* same type as *(krb5_data::data) */ int tcp_only = 0; - krb5_timestamp time_now; reply.data = 0; /* set the nonce if the caller expects us to do it */ - if (request->nonce == 0) { - if ((retval = krb5_timeofday(context, &time_now))) - goto cleanup; - request->nonce = (krb5_int32) time_now; - } - /* encode & send to KDC */ - if ((retval = encode_krb5_as_req(request, &packet)) != 0) - goto cleanup; - k4_version = packet->data[0]; send_again: retval = krb5_sendto_kdc(context, packet, - krb5_princ_realm(context, request->client), + realm, &reply, use_master, tcp_only); #if APPLE_PKINIT inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval); @@ -240,8 +229,6 @@ krb5_free_kdc_rep(context, as_reply); cleanup: - if (packet) - krb5_free_data(context, packet); if (reply.data) free(reply.data); return retval; @@ -517,6 +504,7 @@ krb5_timestamp time_now; krb5_keyblock * decrypt_key = 0; krb5_kdc_req request; + krb5_data *encoded_request; krb5_pa_data **padata = 0; krb5_error * err_reply; krb5_kdc_rep * as_reply = 0; @@ -650,9 +638,14 @@ */ request.nonce = (krb5_int32) time_now; - if ((retval = send_as_request(context, &request, &err_reply, - &as_reply, &use_master))) + if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0) goto cleanup; + retval = send_as_request(context, encoded_request, + krb5_princ_realm(context, request.client), &err_reply, + &as_reply, &use_master); + krb5_free_data_contents(context, encoded_request); + if (retval != 0) + goto cleanup; if (err_reply) { if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && 
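Review bot: The comment `/* set the nonce if the caller expects us to do it */` appears to survive as a context line in the `@@ -136,36 +136,25 @@` hunk although the nonce code beneath it is removed, so it now describes nothing. With `packet` changed from a locally encoded buffer to a caller-supplied parameter, `k4_version = packet->data[0];` also depends on the caller passing a non-NULL, non-empty `krb5_data`. I would replace the stale comment with that precondition, e.g. `/* packet must be a non-empty encoded AS-REQ; the caller owns and frees it */`. The body of `send_as_request` continues outside the hunk.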
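Review bot: The `@@ -650,9 +638,14 @@` hunk releases `encoded_request` with `krb5_free_data_contents()`, which frees only the buffer inside a `krb5_data`. `encode_krb5_as_req()` allocates the `krb5_data` structure as well, so the structure leaks on every pass through this code; the lines removed from `send_as_request` in this commit used `krb5_free_data(context, packet)` for the same object. The call should be `krb5_free_data(context, encoded_request);`. `encoded_request` is also declared without an initializer in the `@@ -517,6 +504,7 @@` hunk. If any cleanup path outside these hunks touches it, `krb5_data *encoded_request = NULL;` would be the safer declaration.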
@@ -1156,7 +1149,6 @@ krb5_preauth_request_context_init(context); - /* nonce is filled in by send_as_request if we don't take care of it */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) { request.ktype = options->etype_list; @@ -1301,7 +1293,8 @@ err_reply = 0; local_as_reply = 0; - if ((ret = send_as_request(context, &request, &err_reply, + if ((ret = send_as_request(context, encoded_previous_request, + krb5_princ_realm(context, request.client), &err_reply, &local_as_reply, use_master))) goto cleanup; From tlyu at MIT.EDU Tue Apr 14 15:53:57 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 15:53:57 -0400 Subject: svn rev #22214: branches/krb5-1-7/src/clients/klist/ Message-ID: <200904141953.n3EJrv0J013546@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22214 Commit By: tlyu Log Message: ticket: 4241 version_fixed: 1.7 pull up r22068 from trunk ------------------------------------------------------------------------ r22068 | raeburn | 2009-03-06 18:57:10 -0500 (Fri, 06 Mar 2009) | 6 lines Changed paths: M /trunk/src/clients/klist/klist.c ticket: 4241 target_version: 1.7 tags: pullup Add "-V" option to klist to print the package name and version, and exit. Changed Files: U branches/krb5-1-7/src/clients/klist/klist.c Modified: branches/krb5-1-7/src/clients/klist/klist.c =================================================================== --- branches/krb5-1-7/src/clients/klist/klist.c 2009-04-14 19:53:53 UTC (rev 22213) +++ branches/krb5-1-7/src/clients/klist/klist.c 2009-04-14 19:53:56 UTC (rev 22214) @@ -56,7 +56,7 @@ extern int optind; int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0; -int show_etype = 0, show_addresses = 0, no_resolve = 0; +int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0; char *defname; char *progname; krb5_int32 now; 
@@ -81,12 +81,13 @@ { #define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - fprintf(stderr, "Usage: %s [-e] [[-c] [-f] [-s] [-a [-n]]] %s", + fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-f] [-s] [-a [-n]]] %s", progname, "[-k [-t] [-K]] [name]\n"); fprintf(stderr, "\t-c specifies credentials cache\n"); fprintf(stderr, "\t-k specifies keytab\n"); fprintf(stderr, "\t (Default is credentials cache)\n"); fprintf(stderr, "\t-e shows the encryption type\n"); + fprintf(stderr, "\t-V shows the Kerberos version and exits\n"); fprintf(stderr, "\toptions for credential caches:\n"); fprintf(stderr, "\t\t-f shows credentials flags\n"); fprintf(stderr, "\t\t-s sets exit status based on valid tgt existence\n"); @@ -111,7 +112,8 @@ name = NULL; mode = DEFAULT; - while ((c = getopt(argc, argv, "fetKsnack45")) != -1) { + /* V=version so v can be used for verbose later if desired. */ + while ((c = getopt(argc, argv, "fetKsnack45V")) != -1) { switch (c) { case 'f': show_flags = 1; @@ -148,6 +150,9 @@ break; case '5': break; + case 'V': + print_version = 1; + break; default: usage(); break; @@ -172,6 +177,11 @@ usage(); } + if (print_version) { + printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); + exit(0); + } + name = (optind == argc-1) ? argv[optind] : 0; now = time(0); From tlyu at MIT.EDU Tue Apr 14 15:53:59 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 15:53:59 -0400 Subject: svn rev #22215: branches/krb5-1-7/src/ clients/kvno/ tests/kdc_realm/ tests/kdc_realm/input_conf/ Message-ID: <200904141953.n3EJrxYN013592@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22215 Commit By: tlyu Log Message: ticket: 6463 version_fixed: 1.7 subject: realm referral test cases forcing KRB5_NT_UNKNOWN ------------------------------------------------------------------------ r22072 | tsitkova | 2009-03-10 10:49:43 -0400 (Tue, 10 Mar 2009) | 2 lines Changed paths: A /trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf M /trunk/src/tests/kdc_realm/input_conf/test_setup.conf M /trunk/src/tests/kdc_realm/kdcref.py Added test for KRB5_NT_UNKNOWN princ type ------------------------------------------------------------------------ r22069 | tsitkova | 2009-03-09 10:21:20 -0400 (Mon, 09 Mar 2009) | 2 lines Changed paths: M /trunk/src/clients/kvno/kvno.c Introduced '-u' option to kvno to enforce KRB5_NT_UNKNOWN princ type. ------------------------------------------------------------------------ Changed Files: U branches/krb5-1-7/src/clients/kvno/kvno.c A branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs_1.conf U branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf U branches/krb5-1-7/src/tests/kdc_realm/kdcref.py Modified: branches/krb5-1-7/src/clients/kvno/kvno.c =================================================================== --- branches/krb5-1-7/src/clients/kvno/kvno.c 2009-04-14 19:53:56 UTC (rev 22214) +++ branches/krb5-1-7/src/clients/kvno/kvno.c 2009-04-14 19:53:59 UTC (rev 22215) @@ -39,7 +39,7 @@ static void xusage() { - fprintf(stderr, "usage: %s [-C] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", + fprintf(stderr, "usage: %s [-C] [-u] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", prog); exit(1); } 
@@ -48,7 +48,7 @@ static void do_v5_kvno (int argc, char *argv[], char *ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon); + char *sname, int canon, int unknown); #include static void extended_com_err_fn (const char *, errcode_t, const char *, @@ -59,7 +59,7 @@ int option; char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL; char *sname = NULL; - int canon = 0; + int canon = 0, unknown = 0; set_com_err_hook (extended_com_err_fn); @@ -67,7 +67,7 @@ prog = strrchr(argv[0], '/'); prog = prog ? (prog + 1) : argv[0]; - while ((option = getopt(argc, argv, "Cc:e:hk:qS:")) != -1) { + while ((option = getopt(argc, argv, "uCc:e:hk:qS:")) != -1) { switch (option) { case 'C': canon = 1; @@ -89,7 +89,18 @@ break; case 'S': sname = optarg; + if (unknown == 1){ + fprintf(stderr, "Options -u and -S are mutually exclusive\n"); + xusage(); + } break; + case 'u': + unknown = 1; + if (sname){ + fprintf(stderr, "Options -u and -S are mutually exclusive\n"); + xusage(); + } + break; default: xusage(); break; @@ -100,7 +111,7 @@ xusage(); do_v5_kvno(argc - optind, argv + optind, - ccachestr, etypestr, keytab_name, sname, canon); + ccachestr, etypestr, keytab_name, sname, canon, unknown); return 0; } @@ -119,7 +130,7 @@ static void do_v5_kvno (int count, char *names[], char * ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon) + char *sname, int canon, int unknown) { krb5_error_code ret; int i, errors; 
@@ -190,6 +201,9 @@ errors++; continue; } + if (unknown == 1) { + krb5_princ_type(context, in_creds.server) = KRB5_NT_UNKNOWN; + } ret = krb5_unparse_name(context, in_creds.server, &princ); if (ret) { Added: branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs_1.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs_1.conf 2009-04-14 19:53:56 UTC (rev 22214) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs_1.conf 2009-04-14 19:53:59 UTC (rev 22215) @@ -0,0 +1,9 @@ +krb5_priKDC_template.conf,0 +krb5_priKDC_1_template.conf,1 +krb5_priKDC_2_template.conf,0 +krb5_priKDC_3_template.conf,1 +krb5_priKDC_4_template.conf,1 +krb5_priKDC_5_template.conf,1 +krb5_priKDC_6_template.conf,1 +krb5_priKDC_7_template.conf,0 +krb5_priKDC_8_template.conf,1 Modified: branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf 2009-04-14 19:53:56 UTC (rev 22214) +++ branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf 2009-04-14 19:53:59 UTC (rev 22215) @@ -1,5 +1,6 @@ sandboxDir=tests/kdc_realm/sandbox testKDCconf=test_KDCs.conf +testKDCconf_1=test_KDCs_1.conf principals=test_princs.conf tier1=sandbox/tier1 -tier2=sandbox/tier2 \ No newline at end of file +tier2=sandbox/tier2 Modified: branches/krb5-1-7/src/tests/kdc_realm/kdcref.py =================================================================== --- branches/krb5-1-7/src/tests/kdc_realm/kdcref.py 2009-04-14 19:53:56 UTC (rev 22214) +++ branches/krb5-1-7/src/tests/kdc_realm/kdcref.py 2009-04-14 19:53:59 UTC (rev 22215) 
@@ -28,6 +28,7 @@ self._sandboxTier1 = '%s/%s' % (self._sandboxDir, 'tier1') self._sandboxTier2 = '%s/%s' % (self._sandboxDir, 'tier2') self._configurations = self._readServerConfiguration('%s/%s' % (self._confDir,confParams['testKDCconf'])) + self._configurations_1 = self._readServerConfiguration('%s/%s' % (self._confDir,confParams['testKDCconf_1'])) self._principals = self._readTestInputs('%s/%s' % (self._confDir,confParams['principals'])) os.environ["LD_LIBRARY_PATH"] = '%s/lib' % self._buildDir self._pidRefKDC = 0 @@ -94,7 +95,7 @@ raise LaunchError, err_msg - def _launchClient(self, args, env): + def _launchClient(self, args, env, princType): """ kinit & kvno """ @@ -109,7 +110,11 @@ # testHost', 'mybox.mit.edu is a srv defined in referral KDC. Get its kvno cmd = '%s/clients/kvno/kvno' % self._buildDir - handle = Popen([cmd, '-C', '-S', 'testHost', 'mybox.mit.edu'], + if princType == 0: + handle = Popen([cmd, '-C', '-S', 'testHost', 'mybox.mit.edu'], + env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + if princType == 1: + handle = Popen([cmd, '-C', '-u', 'testHost/mybox.mit.edu'], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) (out, err) = handle.communicate() handle.wait() @@ -185,7 +190,7 @@ self._tier1Init = True - def _launchTestingPair(self, srvParam,clntParam): + def _launchTestingPair(self, srvParam,clntParam, princType): # launch KDC server_env = os.environ.copy() server_env["KRB5_KDC_PROFILE"] = '%s/kdc.conf' % self._sandboxTier2 @@ -198,9 +203,9 @@ '%s/%s' % (self._confDir,'kdc_pri_template.conf'), self._vars) if self._tier2Init == False: - pid = self._createDB(server_env) - self._crossRealm('Y.COM', 'Z.COM', server_env) - self._tier2Init = True + pid = self._createDB(server_env) + self._crossRealm('Y.COM', 'Z.COM', server_env) + self._tier2Init = True server = self._launchKDC( 2, server_args, server_env) 
@@ -211,7 +216,7 @@ '%s/%s' % (self._confDir, 'krb5_priCL_template.conf'), self._vars) client_env["KRB5_KDC_PROFILE"] = server_env["KRB5_KDC_PROFILE"] - rc = self._launchClient(clntParam, client_env) + rc = self._launchClient(clntParam, client_env, princType) self._kill(server) return rc @@ -232,9 +237,15 @@ result = dict() for princs in self._principals: for conf in self._configurations: - rc = self._launchTestingPair( conf['confName'], princs % self._vars) + rc = self._launchTestingPair( conf['confName'], princs % self._vars, 0) result[conf['confName']] = {'expected':conf['expected'], 'actual':rc} - print 'Test code for configuration %s principal %s: %s' % (conf, princs, rc) + print 'Test code for configuration %s principal %s type KRB5_NT_SRV_HST: %s' % (conf, princs, rc) + self.printTestResults(result) + for conf in self._configurations_1: + rc = self._launchTestingPair( conf['confName'], princs % self._vars, 1) + result[conf['confName']] = {'expected':conf['expected'], 'actual':rc} + print 'Test code for configuration %s principal %si type KRB5_NT_UNKNOWN: %s' % (conf, princs, rc) + self.printTestResults(result) return result @@ -317,7 +328,6 @@ test = Launcher(src_path) result = test.run('main') test.clean() - test.printTestResults(result) except: if test is not None: From tlyu at MIT.EDU Tue Apr 14 17:07:13 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:13 -0400 Subject: svn rev #22217: branches/krb5-1-7/src/ kadmin/dbutil/ lib/kdb/ plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200904142107.n3EL7D9b018420@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22217 Commit By: tlyu Log Message: ticket: 6405 version_fixed: 1.7 pull up r22073 from trunk ------------------------------------------------------------------------ r22073 | wfiveash | 2009-03-10 16:26:24 -0400 (Tue, 10 Mar 2009) | 5 lines Changed paths: M /trunk/src/kadmin/dbutil/kdb5_mkey.c M /trunk/src/lib/kdb/kdb5.c M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c ticket: 6405 Tags: pullup Several small fixes to enable the migrate mkey commands to work properly with a LDAP KDB. See the ticket for more details. Changed Files: U branches/krb5-1-7/src/kadmin/dbutil/kdb5_mkey.c U branches/krb5-1-7/src/lib/kdb/kdb5.c U branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c Modified: branches/krb5-1-7/src/kadmin/dbutil/kdb5_mkey.c =================================================================== --- branches/krb5-1-7/src/kadmin/dbutil/kdb5_mkey.c 2009-04-14 21:07:09 UTC (rev 22216) +++ branches/krb5-1-7/src/kadmin/dbutil/kdb5_mkey.c 2009-04-14 21:07:13 UTC (rev 22217) @@ -185,6 +185,7 @@ mkey_aux_data_head))) { goto clean_n_exit; } + master_entry->mask |= KADM5_KEY_DATA; clean_n_exit: krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head); @@ -906,6 +907,8 @@ goto fail; } + ent->mask |= KADM5_KEY_DATA; + if ((retval = krb5_db_put_principal(util_context, ent, &nentries))) { com_err(progname, retval, "while updating principal '%s' key data in the database", 
@@ -1422,6 +1425,8 @@ goto cleanup_return; } + master_entry.mask |= KADM5_KEY_DATA; + if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { (void) krb5_db_fini(util_context); com_err(progname, retval, "while adding master key entry to the database"); Modified: branches/krb5-1-7/src/lib/kdb/kdb5.c =================================================================== --- branches/krb5-1-7/src/lib/kdb/kdb5.c 2009-04-14 21:07:09 UTC (rev 22216) +++ branches/krb5-1-7/src/lib/kdb/kdb5.c 2009-04-14 21:07:13 UTC (rev 22217) @@ -2678,8 +2678,8 @@ krb5_dbe_free_tl_data(context, free_tl_data); entry->n_tl_data--; } else { + prev_tl_data = tl_data; tl_data = tl_data->tl_data_next; - prev_tl_data = tl_data; } } Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c 2009-04-14 21:07:09 UTC (rev 22216) +++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c 2009-04-14 21:07:13 UTC (rev 22217) 
@@ -148,52 +148,7 @@ return(0); } -#if 0 /************** Begin IFDEF'ed OUT *******************************/ -krb5_error_code -krb5_dbe_lookup_mkvno(krb5_context context, - krb5_db_entry *entry, - krb5_kvno *mkvno) -{ - krb5_tl_data tl_data; - krb5_error_code code; - krb5_int16 tmp; - tl_data.tl_data_type = KRB5_TL_MKVNO; - - if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); - - /* XXX need to think about this */ - if (tl_data.tl_data_length != 2) { - *mkvno = 0; - return (0); - } - - /* XXX this needs to be the inverse of how this is encoded */ - krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp); - - *mkvno = (krb5_kvno) tmp; - - return (0); -} - -krb5_error_code -krb5_dbe_update_mkvno(krb5_context context, - krb5_db_entry * entry, - krb5_kvno mkvno) -{ - krb5_tl_data tl_data; - krb5_octet buf[2]; /* this is the encoded size of an int16 */ - - tl_data.tl_data_type = KRB5_TL_MKVNO; - tl_data.tl_data_length = sizeof(buf); - krb5_kdb_encode_int16((krb5_int16) mkvno, buf); - tl_data.tl_data_contents = buf; - - return (krb5_dbe_update_tl_data(context, entry, &tl_data)); -} -#endif /**************** END IFDEF'ed OUT *******************************/ - /* it seems odd that there's no function to remove a tl_data, but if I need one, I'll add one */ From tlyu at MIT.EDU Tue Apr 14 17:07:10 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:10 -0400 Subject: svn rev #22216: branches/krb5-1-7/src/ include/ lib/kdb/ plugins/kdb/ldap/ldap_util/ Message-ID: <200904142107.n3EL7ADP018383@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22216 Commit By: tlyu Log Message: ticket: 6403 version_fixed: 1.7 pull up r22071 from trunk ------------------------------------------------------------------------ r22071 | ghudson | 2009-03-09 21:28:12 -0400 (Mon, 09 Mar 2009) | 10 lines Changed paths: M /trunk/src/include/kdb.h M /trunk/src/lib/kdb/kdb5.c M /trunk/src/lib/kdb/libkdb5.exports M /trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c ticket: 6403 Rename kdb_setup_lib_handle to krb5_db_setup_lib_handle and export it. Make kdb5_ldap_util work again by calling this function to set up dal_handle instead of using one with an uninitialized lib_handle. It is likely that kdb5_ldap_util will only function given a krb5.conf which specifies a realm with an LDAP database module as the default realm. Not sure if that was the case before. Changed Files: U branches/krb5-1-7/src/include/kdb.h U branches/krb5-1-7/src/lib/kdb/kdb5.c U branches/krb5-1-7/src/lib/kdb/libkdb5.exports U branches/krb5-1-7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c Modified: branches/krb5-1-7/src/include/kdb.h =================================================================== --- branches/krb5-1-7/src/include/kdb.h 2009-04-14 19:53:59 UTC (rev 22215) +++ branches/krb5-1-7/src/include/kdb.h 2009-04-14 21:07:09 UTC (rev 22216) 
@@ -266,6 +266,7 @@ #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 /* libkdb.spec */ +krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext); krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); krb5_error_code krb5_db_init ( krb5_context kcontext ); krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); Modified: branches/krb5-1-7/src/lib/kdb/kdb5.c =================================================================== --- branches/krb5-1-7/src/lib/kdb/kdb5.c 2009-04-14 19:53:59 UTC (rev 22215) +++ branches/krb5-1-7/src/lib/kdb/kdb5.c 2009-04-14 21:07:09 UTC (rev 22216) @@ -616,8 +616,8 @@ return status; } -static krb5_error_code -kdb_setup_lib_handle(krb5_context kcontext) +krb5_error_code +krb5_db_setup_lib_handle(krb5_context kcontext) { char *library = NULL; krb5_error_code status = 0; @@ -714,7 +714,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -763,7 +763,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -836,7 +836,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -866,7 +866,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -893,7 +893,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -921,7 +921,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -951,7 +951,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -983,7 +983,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1017,7 +1017,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1047,7 +1047,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1189,7 +1189,7 @@ log_ctx = kcontext->kdblog_context; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1306,7 +1306,7 @@ log_ctx = kcontext->kdblog_context; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1378,7 +1378,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1407,7 +1407,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -1435,7 +1435,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1465,7 +1465,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1500,7 +1500,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1528,7 +1528,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1557,7 +1557,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1590,7 +1590,7 @@ krb5_error_code status = 0; if (context->dal_handle == NULL) { - status = kdb_setup_lib_handle(context); + status = krb5_db_setup_lib_handle(context); if (status) { goto clean_n_exit; } @@ -1645,7 +1645,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1680,7 +1680,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1778,7 +1778,7 @@ kdb5_dal_handle *dal_handle; if (context->dal_handle == NULL) { - retval = kdb_setup_lib_handle(context); + retval = krb5_db_setup_lib_handle(context); if (retval) { goto clean_n_exit; } 
@@ -1835,7 +1835,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2030,7 +2030,7 @@ void *new_ptr = NULL; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2051,7 +2051,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2091,7 +2091,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2758,7 +2758,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2792,7 +2792,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2820,7 +2820,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2849,7 +2849,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2877,7 +2877,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -2906,7 +2906,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2933,7 +2933,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2970,7 +2970,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3004,7 +3004,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3037,7 +3037,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3087,7 +3087,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } Modified: branches/krb5-1-7/src/lib/kdb/libkdb5.exports =================================================================== --- branches/krb5-1-7/src/lib/kdb/libkdb5.exports 2009-04-14 19:53:59 UTC (rev 22215) +++ branches/krb5-1-7/src/lib/kdb/libkdb5.exports 2009-04-14 21:07:09 UTC (rev 22216) @@ -1,3 +1,4 @@ +krb5_db_setup_lib_handle krb5_db_open krb5_db_inited krb5_db_alloc Modified: branches/krb5-1-7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-04-14 19:53:59 UTC (rev 22215) +++ branches/krb5-1-7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-04-14 21:07:09 UTC (rev 22216) 
@@ -297,7 +297,6 @@ unsigned int ldapmask = 0; unsigned int passwd_len = 0; char *prompt = NULL; - kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context=NULL; char *value = NULL, *conf_section = NULL; krb5_boolean realm_name_required = TRUE; @@ -587,12 +586,13 @@ cmd = cmd_lookup(cmd_argv[0]); /* Setup DAL handle to access the database */ - dal_handle = calloc((size_t)1, sizeof(kdb5_dal_handle)); - if (dal_handle == NULL) { + db_retval = krb5_db_setup_lib_handle(util_context); + if (db_retval) { + com_err(progname, db_retval, "while setting up lib handle"); + exit_status++; goto cleanup; } - dal_handle->db_context = ldap_context; - util_context->dal_handle = dal_handle; + util_context->dal_handle->db_context = ldap_context; ldap_context = NULL; db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); @@ -603,7 +603,7 @@ } if (cmd->opendb) { - db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)dal_handle->db_context); + db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context); if (db_retval) { com_err(progname, db_retval, "while initializing database"); exit_status++; @@ -639,8 +639,6 @@ free(prompt); if (conf_section) free(conf_section); - if (dal_handle) - free(dal_handle); if (usage_print) { usage(); From tlyu at MIT.EDU Tue Apr 14 17:07:16 2009 
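Review bot: In the `@@ -587,12 +586,13 @@` hunk of kdb5_ldap_util.c, `util_context->dal_handle->db_context = ldap_context;` stores an LDAP context in a handle whose library was selected by `krb5_db_setup_lib_handle`, and nothing at the call site records that the two must match. The commit log says the tool probably only works when the default realm uses the LDAP database module, but the code does not say so. I would add a comment above the assignment such as `/* dal_handle comes from the default realm's database module; this utility assumes that module is LDAP. */`, and consider failing with a clear message when it is not. The `@@ -639,8 +639,6 @@` hunk also drops `free(dal_handle)`, and the rest of the cleanup path is outside the hunk, so it is worth confirming that the library-allocated handle is released there.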
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:16 -0400 Subject: svn rev #22218: branches/krb5-1-7/src/ include/ include/krb5/ lib/krb5/ lib/krb5/krb/ Message-ID: <200904142107.n3EL7Geg018459@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22218 Commit By: tlyu Log Message: ticket: 6407 version_fixed: 1.7 pull up r22078 from trunk ------------------------------------------------------------------------ r22078 | ghudson | 2009-03-11 18:11:06 -0400 (Wed, 11 Mar 2009) | 9 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/include/krb5/krb5.hin M /trunk/src/lib/krb5/krb/kerrs.c M /trunk/src/lib/krb5/libkrb5.exports ticket: 6407 subject: Make a working krb5_copy_error_message target_version: 1.7 tags: pullup The krb5_copy_error_state macro wasn't used, didn't work, and didn't need to be a macro. Replace it with an exported API function named krb5_copy_error_message. Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/include/krb5/krb5.hin U branches/krb5-1-7/src/lib/krb5/krb/kerrs.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-14 21:07:13 UTC (rev 22217) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-14 21:07:15 UTC (rev 22218) @@ -2326,9 +2326,6 @@ extern int krb5int_crypto_init (void); extern int krb5int_prng_init(void); -#define krb5_copy_error_state(CTX, OCTX) \ - krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg) - /* * Referral definitions, debugging hooks, and subfunctions. */ Modified: branches/krb5-1-7/src/include/krb5/krb5.hin =================================================================== --- branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 21:07:13 UTC (rev 22217) +++ branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 21:07:15 UTC (rev 22218) 
@@ -2490,6 +2490,9 @@ __attribute__((__format__(__printf__, 3, 0))) #endif ; +void KRB5_CALLCONV +krb5_copy_error_message (krb5_context, krb5_context); + /* * The behavior of krb5_get_error_message is only defined the first * time it is called after a failed call to a krb5 function using the Modified: branches/krb5-1-7/src/lib/krb5/krb/kerrs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/kerrs.c 2009-04-14 21:07:13 UTC (rev 22217) +++ branches/krb5-1-7/src/lib/krb5/krb/kerrs.c 2009-04-14 21:07:15 UTC (rev 22218) @@ -75,6 +75,20 @@ #endif } +/* Set the error message state of dest_ctx to that of src_ctx. */ +void KRB5_CALLCONV +krb5_copy_error_message (krb5_context dest_ctx, krb5_context src_ctx) +{ + if (dest_ctx == src_ctx) + return; + if (src_ctx->err.msg) { + krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", + src_ctx->err.msg); + } else { + krb5int_clear_error(dest_ctx); + } +} + const char * KRB5_CALLCONV krb5_get_error_message (krb5_context ctx, krb5_error_code code) { Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-14 21:07:13 UTC (rev 22217) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-14 21:07:15 UTC (rev 22218) @@ -172,6 +172,7 @@ krb5_copy_context krb5_copy_creds krb5_copy_data +krb5_copy_error_message krb5_copy_keyblock krb5_copy_keyblock_contents krb5_copy_principal From tlyu at MIT.EDU Tue Apr 14 17:07:18 2009 
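Review bot: In the new `krb5_copy_error_message` in kerrs.c, the else branch calls `krb5int_clear_error(dest_ctx)` with the context pointer, while the branch above passes `&dest_ctx->err` to `krb5int_set_error`. The prototype of `krb5int_clear_error` is not visible in this diff, but if it takes the same error-info pointer as its sibling, this call would treat the start of the context structure as error state and could free or overwrite unrelated fields. The line should probably read `krb5int_clear_error(&dest_ctx->err);`. The function is exported and dereferences both arguments without a NULL check, so its header comment should state non-NULL contexts as a precondition.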
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:18 -0400 Subject: svn rev #22219: branches/krb5-1-7/src/kdc/ Message-ID: <200904142107.n3EL7I8J018496@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22219 Commit By: tlyu Log Message: ticket: 6408 version_fixed: 1.7 pull up r22079 from trunk ------------------------------------------------------------------------ r22079 | ghudson | 2009-03-11 18:14:24 -0400 (Wed, 11 Mar 2009) | 13 lines Changed paths: M /trunk/src/kdc/do_tgs_req.c M /trunk/src/kdc/kdc_preauth.c M /trunk/src/kdc/kdc_util.h M /trunk/src/kdc/main.c M /trunk/src/kdc/network.c ticket: 6408 subject: Report verbose error messages from KDC target_version: 1.7 tags: pullup We were losing verbose error messages when logging from the KDC because the context passed to krb5_klog_init did not match the realm-specific context used for most library function calls. Introduce a wrapper function kdc_err which copies the error state from the call context to the log context. The wrapper function also knows the program name, which removes the need to pass argv[0] around everywhere or make up program names. Changed Files: U branches/krb5-1-7/src/kdc/do_tgs_req.c U branches/krb5-1-7/src/kdc/kdc_preauth.c U branches/krb5-1-7/src/kdc/kdc_util.h U branches/krb5-1-7/src/kdc/main.c U branches/krb5-1-7/src/kdc/network.c Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-14 21:07:15 UTC (rev 22218) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-14 21:07:18 UTC (rev 22219) @@ -55,7 +55,6 @@ */ #include "k5-int.h" -#include "com_err.h" #include #ifdef HAVE_NETINET_IN_H 
@@ -1124,7 +1123,7 @@ free(temp_buf); if (retval) { /* no match found */ - com_err("krb5_get_domain_realm_mapping", retval, 0); + kdc_err(kdc_context, retval, 0); goto cleanup; } if (realms == 0) { Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-14 21:07:15 UTC (rev 22218) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-14 21:07:18 UTC (rev 22219) @@ -1861,7 +1861,7 @@ scratch.length = in_padata->length; if ((retval = decode_krb5_sam_response(&scratch, &sr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decode_krb5_sam_response failed"); goto cleanup; } @@ -1880,7 +1880,7 @@ if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, &tmpdata, &scratch))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decrypt track_id failed"); free(scratch.data); goto cleanup; @@ -1888,7 +1888,7 @@ } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decode_krb5_predicted_sam_response failed"); free(scratch.data); goto cleanup; @@ -1896,7 +1896,7 @@ /* We could use sr->sam_flags, but it may be absent or altered. */ if (psr->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Unsupported SAM flag must-pk-encrypt-sad"); goto cleanup; } @@ -1949,7 +1949,7 @@ break; default: - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Unimplemented keytype for SAM key mixing"); goto cleanup; } 
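Review bot: The replacement call `kdc_err(kdc_context, retval, 0);` in the do_tgs_req.c hunk passes a null format, so the log entry no longer says which operation failed; the old call at least carried the string `krb5_get_domain_realm_mapping`. A message in the style of the other converted call sites keeps the entry searchable, for example `kdc_err(kdc_context, retval, "while getting domain realm mapping");`. The enclosing function starts and ends outside the hunk.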
@@ -2017,7 +2017,7 @@ retval = krb5_copy_principal(kdc_context, request->client, &newp); if (retval) { - com_err("krb5kdc", retval, "copying client name for preauth probe"); + kdc_err(kdc_context, retval, "copying client name for preauth probe"); return retval; } @@ -2075,7 +2075,7 @@ if (retval) { char *sname; krb5_unparse_name(kdc_context, request->client, &sname); - com_err("krb5kdc", retval, + kdc_err(kdc_context, retval, "snk4 finding the enctype and key <%s>", sname); free(sname); return retval; @@ -2086,7 +2086,7 @@ assoc_key, &encrypting_key, NULL); if (retval) { - com_err("krb5kdc", retval, + kdc_err(kdc_context, retval, "snk4 pulling out key entry"); return retval; } @@ -2213,13 +2213,14 @@ if (retval) { /* random key failed */ - com_err("krb5kdc", retval,"generating random challenge for preauth"); + kdc_err(kdc_context, retval, + "generating random challenge for preauth"); return retval; } /* now session_key has a key which we can pick bits out of */ /* we need six decimal digits. Grab 6 bytes, div 2, mod 10 each. */ if (session_key.length != 8) { - com_err("krb5kdc", retval = KRB5KDC_ERR_ETYPE_NOSUPP, + kdc_err(kdc_context, retval = KRB5KDC_ERR_ETYPE_NOSUPP, "keytype didn't match code expectations"); return retval; } @@ -2236,9 +2237,8 @@ encrypting_key.enctype = ENCTYPE_DES_CBC_RAW; - if (retval) { - com_err("krb5kdc", retval, "snk4 processing key"); - } + if (retval) + kdc_err(kdc_context, retval, "snk4 processing key"); { krb5_data plain; @@ -2255,7 +2255,8 @@ if ((retval = krb5_c_encrypt(kdc_context, &encrypting_key, /* XXX */ 0, 0, &plain, &cipher))) { - com_err("krb5kdc", retval, "snk4 response generation failed"); + kdc_err(kdc_context, retval, + "snk4 response generation failed"); return retval; } } @@ -2389,7 +2390,7 @@ if ((retval = decode_krb5_sam_response(&scratch, &sr))) { scratch.data = 0; - com_err("krb5kdc", retval, "decode_krb5_sam_response failed"); + kdc_err(context, retval, "decode_krb5_sam_response failed"); goto cleanup; } 
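Review bot: In the `@@ -2075,7 +2075,7 @@` hunk of kdc_preauth.c, `sname` is passed to the `%s` in `kdc_err` and then to `free`, although the result of `krb5_unparse_name` on the line before is never checked. The declaration `char *sname;` in the hunk has no initializer, so if that call fails the pointer may be indeterminate, and the principal being unparsed comes from the client request. Declaring it as `char *sname = NULL;` and logging `sname ? sname : "?"` removes the dependency on the call succeeding. The enclosing function starts outside the hunk.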
@@ -2409,13 +2410,13 @@ if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, &tmpdata, &scratch))) { - com_err("krb5kdc", retval, "decrypt track_id failed"); + kdc_err(context, retval, "decrypt track_id failed"); goto cleanup; } } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "decode_krb5_predicted_sam_response failed -- replay attack?"); goto cleanup; } @@ -2426,7 +2427,7 @@ if ((retval = krb5_unparse_name(context, psr->client, &princ_psr))) goto cleanup; if (strcmp(princ_req, princ_psr) != 0) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Principal mismatch in SAM psr! -- replay attack?"); goto cleanup; } @@ -2444,7 +2445,7 @@ * psr's would be able to be replayed. */ if (timenow - psr->stime > rc_lifetime) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "SAM psr came back too late! -- replay attack?"); goto cleanup; } @@ -2457,7 +2458,7 @@ rep.cusec = psr->susec; retval = krb5_rc_store(kdc_context, kdc_rcache, &rep); if (retval) { - com_err("krb5kdc", retval, "SAM psr replay attack!"); + kdc_err(kdc_context, retval, "SAM psr replay attack!"); goto cleanup; } } @@ -2474,13 +2475,13 @@ if ((retval = krb5_c_decrypt(context, &psr->sam_key, /* XXX */ 0, 0, &sr->sam_enc_nonce_or_ts, &scratch))) { - com_err("krb5kdc", retval, "decrypt nonce_or_ts failed"); + kdc_err(context, retval, "decrypt nonce_or_ts failed"); goto cleanup; } } if ((retval = decode_krb5_enc_sam_response_enc(&scratch, &esre))) { - com_err("krb5kdc", retval, "decode_krb5_enc_sam_response_enc failed"); + kdc_err(context, retval, "decode_krb5_enc_sam_response_enc failed"); goto cleanup; } 
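Review bot: In the `@@ -2457,7 +2458,7 @@` hunk, every non-zero return from `krb5_rc_store` is logged as `"SAM psr replay attack!"`, which would include storage or I/O failures of the replay cache as well as real repeats. That makes the log line unreliable as a detection signal. Consider a neutral message for the general case, e.g. `kdc_err(kdc_context, retval, "while storing SAM psr in replay cache");`, and reserve the replay wording for the return code that actually indicates a repeated entry. The enclosing function starts and ends outside the hunk.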
@@ -2498,7 +2499,7 @@ cleanup: if (retval) - com_err("krb5kdc", retval, "sam verify failure"); + kdc_err(context, retval, "sam verify failure"); if (scratch.data) free(scratch.data); if (sr) free(sr); if (psr) free(psr); Modified: branches/krb5-1-7/src/kdc/kdc_util.h =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-14 21:07:15 UTC (rev 22218) +++ branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-14 21:07:18 UTC (rev 22219) @@ -134,11 +134,12 @@ krb5_error_code kdc_initialize_rcache (krb5_context, char *); krb5_error_code setup_server_realm (krb5_principal); +void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...); /* network.c */ -krb5_error_code listen_and_process (const char *); -krb5_error_code setup_network (const char *); -krb5_error_code closedown_network (const char *); +krb5_error_code listen_and_process (void); +krb5_error_code setup_network (void); +krb5_error_code closedown_network (void); /* policy.c */ int against_local_policy_as (krb5_kdc_req *, krb5_db_entry, Modified: branches/krb5-1-7/src/kdc/main.c =================================================================== --- branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:15 UTC (rev 22218) +++ branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:18 UTC (rev 22219) @@ -86,7 +86,7 @@ void initialize_realms (krb5_context, int, char **); -void finish_realms (char *); +void finish_realms (void); static int nofork = 0; static int rkey_init_done = 0; 
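Review bot: The new prototype `void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...);` in kdc_util.h carries no printf format attribute, so the compiler cannot check the many call sites this commit converts. Two of them could be flagged: `kdc_err(kdc_context, retval, 0)` in do_tgs_req.c passes a null format, and `"short reply write %d vs %d\n"` in network.c prints `response->length`, whose type is not visible here and may not be `int`. Adding `__attribute__((__format__(__printf__, 3, 4)))` under the same compiler guard that krb5.hin uses for its variadic declarations would catch mismatches at build time.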
@@ -97,7 +97,32 @@ #define KRB5_KDC_MAX_REALMS 32 +static krb5_context kdc_err_context; +static const char *kdc_progname; + /* + * We use krb5_klog_init to set up a com_err callback to log error + * messages. The callback also pulls the error message out of the + * context we pass to krb5_klog_init; however, we use realm-specific + * contexts for most of our krb5 library calls, so the error message + * isn't present in the global context. This wrapper ensures that the + * error message state from the call context is copied into the + * context known by krb5_klog. call_context can be NULL if the error + * code did not come from a krb5 library function. + */ +void +kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) +{ + va_list ap; + + if (call_context) + krb5_copy_error_message(kdc_err_context, call_context); + va_start(ap, fmt); + com_err_va(kdc_progname, code, fmt, ap); + va_end(ap); +} + +/* * Find the realm entry for a given realm. */ kdc_realm_t * @@ -237,10 +262,10 @@ * realm data and we should be all set to begin operation for that realm. */ static krb5_error_code -init_realm(char *progname, kdc_realm_t *rdp, char *realm, - char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports, - char *def_tcp_ports, krb5_boolean def_manual, char **db_args, - char *no_refrls, char *host_based_srvcs) +init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, + krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, + krb5_boolean def_manual, char **db_args, char *no_refrls, + char *host_based_srvcs) { krb5_error_code kret; krb5_boolean manual; 
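Review bot: `kdc_err` in main.c uses `kdc_err_context` and `kdc_progname` unconditionally, but both are file-scope statics that `main` only assigns after `krb5_klog_init` (the `@@ -830,8 +853,12 @@` hunk). A call made before that point with a non-NULL `call_context` would hand a NULL destination to `krb5_copy_error_message`, which dereferences it; whether any such early call exists is not visible in this diff. Guarding the copy with `if (call_context && kdc_err_context)` makes the wrapper safe regardless of call order, and the block comment above the function could state that it must not be used before logging is initialised.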
@@ -257,15 +282,14 @@ rdp->realm_name = realm; kret = krb5int_init_context_kdc(&rdp->realm_context); if (kret) { - com_err(progname, kret, "while getting context for realm %s", - realm); + kdc_err(NULL, kret, "while getting context for realm %s", realm); goto whoops; } kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, &rparams); if (kret) { - com_err(progname, kret, "while reading realm parameters"); + kdc_err(rdp->realm_context, kret, "while reading realm parameters"); goto whoops; } @@ -351,7 +375,7 @@ /* Set the default realm of this context */ if ((kret = krb5_set_default_realm(rdp->realm_context, realm))) { - com_err(progname, kret, "while setting default realm to %s", + kdc_err(rdp->realm_context, kret, "while setting default realm to %s", realm); goto whoops; } @@ -363,7 +387,7 @@ kdb_open_flags = KRB5_KDB_OPEN_RO | KRB5_KDB_SRV_TYPE_KDC; #endif if ((kret = krb5_db_open(rdp->realm_context, db_args, kdb_open_flags))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while initializing database for realm %s", realm); goto whoops; } @@ -372,7 +396,7 @@ if ((kret = krb5_db_setup_mkey_name(rdp->realm_context, rdp->realm_mpname, rdp->realm_name, (char **) NULL, &rdp->realm_mprinc))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while setting up master key name %s for realm %s", rdp->realm_mpname, realm); goto whoops; @@ -385,7 +409,7 @@ rdp->realm_mkey.enctype, manual, FALSE, rdp->realm_stash, &mkvno, NULL, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while fetching master key %s for realm %s", rdp->realm_mpname, realm); goto whoops; @@ -403,7 +427,7 @@ rdp->realm_mprinc, IGNORE_VNO, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while verifying master key for realm %s", realm); goto whoops; } 
@@ -411,13 +435,13 @@ if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while fetching master keys list for realm %s", realm); goto whoops; } if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while setting master key for realm %s", realm); goto whoops; } @@ -425,7 +449,7 @@ /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, &rdp->realm_keytab))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while resolving kdb keytab for realm %s", realm); goto whoops; } @@ -434,7 +458,7 @@ if ((kret = krb5_build_principal(rdp->realm_context, &rdp->realm_tgsprinc, strlen(realm), realm, KRB5_TGS_NAME, realm, (char *) NULL))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while building TGS name for realm %s", realm); goto whoops; } @@ -619,9 +643,8 @@ case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(argv[0], rdatap, optarg, - mkey_name, menctype, - default_udp_ports, + if ((retval = init_realm(rdatap, optarg, mkey_name, + menctype, default_udp_ports, default_tcp_ports, manual, db_args, no_refrls, host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", 
@@ -722,10 +745,10 @@ exit(1); } if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(argv[0], rdatap, lrealm, - mkey_name, menctype, default_udp_ports, - default_tcp_ports, manual, db_args, - no_refrls, host_based_srvcs))) { + if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype, + default_udp_ports, default_tcp_ports, + manual, db_args, no_refrls, + host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", argv[0], lrealm); exit(1); @@ -765,7 +788,7 @@ } void -finish_realms(char *prog) +finish_realms() { int i; @@ -830,8 +853,12 @@ exit(1); } krb5_klog_init(kcontext, "kdc", argv[0], 1); + kdc_err_context = kcontext; + kdc_progname = argv[0]; /* N.B.: After this point, com_err sends output to the KDC log - file, and not to stderr. */ + file, and not to stderr. We use the kdc_err wrapper around + com_err to ensure that the error state exists in the context + known to the krb5_klog callback. */ initialize_kdc5_error_table(); 
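Review bot: The definition `finish_realms()` in the `@@ -765,7 +788,7 @@` hunk uses an empty parameter list, which in C does not act as a prototype, while the declaration changed earlier in this file reads `finish_realms (void)`. Writing the definition as `finish_realms(void)` keeps the two in agreement and lets the compiler reject stray arguments. The same applies to the `setup_network()` definition in the network.c part of this commit. The function body continues outside the hunk.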
@@ -847,35 +874,35 @@ retval = setup_sam(); if (retval) { - com_err(argv[0], retval, "while initializing SAM"); - finish_realms(argv[0]); + kdc_err(kcontext, retval, "while initializing SAM"); + finish_realms(); return 1; } - if ((retval = setup_network(argv[0]))) { - com_err(argv[0], retval, "while initializing network"); - finish_realms(argv[0]); + if ((retval = setup_network())) { + kdc_err(kcontext, retval, "while initializing network"); + finish_realms(); return 1; } if (!nofork && daemon(0, 0)) { - com_err(argv[0], errno, "while detaching from tty"); - finish_realms(argv[0]); + kdc_err(kcontext, errno, "while detaching from tty"); + finish_realms(); return 1; } krb5_klog_syslog(LOG_INFO, "commencing operation"); - if ((retval = listen_and_process(argv[0]))) { - com_err(argv[0], retval, "while processing network requests"); + if ((retval = listen_and_process())) { + kdc_err(kcontext, retval, "while processing network requests"); errout++; } - if ((retval = closedown_network(argv[0]))) { - com_err(argv[0], retval, "while shutting down network"); + if ((retval = closedown_network())) { + kdc_err(kcontext, retval, "while shutting down network"); errout++; } krb5_klog_syslog(LOG_INFO, "shutting down"); unload_preauth_plugins(kcontext); unload_authdata_plugins(kcontext); krb5_klog_close(kdc_context); - finish_realms(argv[0]); + finish_realms(); if (kdc_realmlist) free(kdc_realmlist); #ifdef USE_RCACHE Modified: branches/krb5-1-7/src/kdc/network.c =================================================================== --- branches/krb5-1-7/src/kdc/network.c 2009-04-14 21:07:15 UTC (rev 22218) +++ branches/krb5-1-7/src/kdc/network.c 2009-04-14 21:07:18 UTC (rev 22219) @@ -27,7 +27,6 @@ */ #include "k5-int.h" -#include "com_err.h" #include "kdc_util.h" #include "extern.h" #include "kdc5_err.h" 
@@ -184,7 +183,7 @@ struct connection { int fd; enum conn_type type; - void (*service)(struct connection *, const char *, int); + void (*service)(struct connection *, int); union { /* Type-specific information. */ struct { @@ -300,7 +299,6 @@ #include "foreachaddr.h" struct socksetup { - const char *prog; krb5_error_code retval; int udp_flags; #define UDP_DO_IPV4 1 @@ -309,7 +307,7 @@ static struct connection * add_fd (struct socksetup *data, int sock, enum conn_type conntype, - void (*service)(struct connection *, const char *, int)) + void (*service)(struct connection *, int)) { struct connection *newconn; void *tmp; @@ -317,21 +315,19 @@ #ifndef _WIN32 if (sock >= FD_SETSIZE) { data->retval = EMFILE; /* XXX */ - com_err(data->prog, 0, - "file descriptor number %d too high", sock); + kdc_err(NULL, 0, "file descriptor number %d too high", sock); return 0; } #endif newconn = malloc(sizeof(*newconn)); if (newconn == 0) { data->retval = ENOMEM; - com_err(data->prog, ENOMEM, - "cannot allocate storage for connection info"); + kdc_err(NULL, ENOMEM, "cannot allocate storage for connection info"); return 0; } if (!ADD(connections, newconn, tmp)) { data->retval = ENOMEM; - com_err(data->prog, ENOMEM, "cannot save socket info"); + kdc_err(NULL, ENOMEM, "cannot save socket info"); free(newconn); return 0; } @@ -343,9 +339,9 @@ return newconn; } -static void process_packet(struct connection *, const char *, int); -static void accept_tcp_connection(struct connection *, const char *, int); -static void process_tcp_connection(struct connection *, const char *, int); +static void process_packet(struct connection *, int); +static void accept_tcp_connection(struct connection *, int); +static void process_tcp_connection(struct connection *, int); static struct connection * add_udp_fd (struct socksetup *data, int sock, int pktinfo) 
@@ -409,7 +405,7 @@ sock = socket(addr->sa_family, SOCK_STREAM, 0); if (sock == -1) { - com_err(data->prog, errno, "Cannot create TCP server socket on %s", + kdc_err(NULL, errno, "Cannot create TCP server socket on %s", paddr(addr)); return -1; } @@ -417,49 +413,46 @@ #ifndef _WIN32 if (sock >= FD_SETSIZE) { close(sock); - com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", + kdc_err(NULL, 0, "TCP socket fd number %d (for %s) too high", sock, paddr(addr)); return -1; } #endif if (setreuseaddr(sock, 1) < 0) - com_err(data->prog, errno, - "Cannot enable SO_REUSEADDR on fd %d", sock); + kdc_err(NULL, errno, "Cannot enable SO_REUSEADDR on fd %d", sock); #ifdef KRB5_USE_INET6 if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY if (setv6only(sock, 1)) - com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", - sock); + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", - sock); + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ } #endif /* KRB5_USE_INET6 */ if (bind(sock, addr, socklen(addr)) == -1) { - com_err(data->prog, errno, - "Cannot bind TCP server socket on %s", paddr(addr)); + kdc_err(NULL, errno, "Cannot bind TCP server socket on %s", + paddr(addr)); close(sock); return -1; } if (listen(sock, 5) < 0) { - com_err(data->prog, errno, "Cannot listen on TCP server socket on %s", + kdc_err(NULL, errno, "Cannot listen on TCP server socket on %s", paddr(addr)); close(sock); return -1; } if (setnbio(sock)) { - com_err(data->prog, errno, + kdc_err(NULL, errno, "cannot set listening tcp socket on %s non-blocking", paddr(addr)); close(sock); return -1; } if (setnolinger(sock)) { - com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s", + kdc_err(NULL, errno, "disabling SO_LINGER on TCP socket on %s", paddr(addr)); close(sock); return -1; 
@@ -617,7 +610,7 @@ sock = socket (addr->sa_family, SOCK_DGRAM, 0); if (sock == -1) { data->retval = errno; - com_err(data->prog, data->retval, + kdc_err(NULL, data->retval, "Cannot create server socket for port %d address %s", port, haddrbuf); return 1; @@ -627,11 +620,10 @@ if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY if (setv6only(sock, 1)) - com_err(data->prog, errno, - "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); - else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); + else + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ @@ -640,7 +632,7 @@ set_sa_port(addr, htons(port)); if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { data->retval = errno; - com_err(data->prog, data->retval, + kdc_err(NULL, data->retval, "Cannot bind server socket to port %d address %s", port, haddrbuf); close(sock); @@ -652,7 +644,7 @@ if (pktinfo) { r = set_pktinfo(sock, addr->sa_family); if (r) { - com_err(data->prog, r, + kdc_err(NULL, r, "Cannot request packet info for udp socket address %s port %d", haddrbuf, port); close(sock); @@ -803,8 +795,7 @@ } } -static void process_routing_update(struct connection *conn, const char *prog, - int selflags) +static void process_routing_update(struct connection *conn, int selflags) { int n_read; struct rt_msghdr rtm; @@ -893,7 +884,7 @@ extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t); krb5_error_code -setup_network(const char *prog) +setup_network() { struct socksetup setup_data; krb5_error_code retval; @@ -939,7 +930,6 @@ } } - setup_data.prog = prog; setup_data.retval = 0; krb5_klog_syslog (LOG_INFO, "setting up network..."); #ifdef HAVE_STRUCT_RT_MSGHDR 
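Review bot: `setup_network()` in the @@ -893,7 +884,7 @@ hunk is defined with an empty parameter list, which in C before C23 is not a prototype. A call site that still passes the old `prog` argument may therefore compile without a diagnostic, which matters in a commit whose purpose is removing that argument. Writing `setup_network(void)` closes the gap; `listen_and_process()` (@@ -1584,7 +1570,7 @@) and `closedown_network()` (@@ -1663,7 +1649,7 @@) have the same form. The matching header declarations are not visible here and should get `(void)` too if they were changed the same way.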
@@ -959,7 +949,7 @@ setup_tcp_listener_ports(&setup_data); krb5_klog_syslog (LOG_INFO, "set up %d sockets", n_sockets); if (n_sockets == 0) { - com_err(prog, 0, "no sockets set up?"); + kdc_err(NULL, 0, "no sockets set up?"); exit (1); } @@ -1189,8 +1179,7 @@ return 0; } -static void process_packet(struct connection *conn, const char *prog, - int selflags) +static void process_packet(struct connection *conn, int selflags) { int cc; socklen_t saddr_len, daddr_len; @@ -1216,7 +1205,7 @@ before getting the response packet. */ && errno != ECONNREFUSED ) - com_err(prog, errno, "while receiving from network"); + kdc_err(NULL, errno, "while receiving from network"); return; } if (!cc) @@ -1228,7 +1217,7 @@ if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), 0, 0, NI_NUMERICHOST)) strlcpy(addrbuf, "?", sizeof(addrbuf)); - com_err(prog, 0, "pktinfo says local addr is %s", addrbuf); + kdc_err(NULL, 0, "pktinfo says local addr is %s", addrbuf); } #endif @@ -1238,7 +1227,7 @@ init_addr(&faddr, ss2sa(&saddr)); /* this address is in net order */ if ((retval = dispatch(&request, &faddr, &response))) { - com_err(prog, retval, "while dispatching (udp)"); + kdc_err(NULL, retval, "while dispatching (udp)"); return; } if (response == NULL) @@ -1263,12 +1252,12 @@ addr.contents, addrbuf, sizeof(addrbuf)) == 0) { strlcpy(addrbuf, "?", sizeof(addrbuf)); } - com_err(prog, errno, "while sending reply to %s/%d", + kdc_err(NULL, errno, "while sending reply to %s/%d", addrbuf, faddr.port); return; } if (cc != response->length) { - com_err(prog, 0, "short reply write %d vs %d\n", + kdc_err(NULL, 0, "short reply write %d vs %d\n", response->length, cc); } krb5_free_data(kdc_context, response); @@ -1280,8 +1269,7 @@ static void kill_tcp_connection(struct connection *); -static void accept_tcp_connection(struct connection *conn, const char *prog, - int selflags) +static void accept_tcp_connection(struct connection *conn, int selflags) { int s; struct sockaddr_storage addr_s; 
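Review bot: In the @@ -1263,12 +1252,12 @@ hunk, `kdc_err(NULL, errno, "while sending reply to %s/%d", ...)` reads errno only after the address-formatting call and the `strlcpy` that precede it in the same block, so the logged code may no longer be the one from the failed send. Saving it first, `int e = errno;` directly after the failing call, and passing `e` to kdc_err avoids that; the UDP setup hunk already does the equivalent with `data->retval = errno;`. The failing call itself is above the hunk, so the exact placement needs checking against the full function.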
@@ -1303,7 +1291,6 @@ #endif setnbio(s), setnolinger(s), setkeepalive(s); - sockdata.prog = prog; sockdata.retval = 0; newconn = add_tcp_data_fd(&sockdata, s); @@ -1363,7 +1350,7 @@ } } if (newconn->u.tcp.buffer == 0) { - com_err(prog, errno, "allocating buffer for new TCP session from %s", + kdc_err(NULL, errno, "allocating buffer for new TCP session from %s", newconn->u.tcp.addrbuf); delete_fd(newconn); close(s); @@ -1447,7 +1434,7 @@ } static void -process_tcp_connection(struct connection *conn, const char *prog, int selflags) +process_tcp_connection(struct connection *conn, int selflags) { if (selflags & SSF_WRITE) { ssize_t nwrote; @@ -1547,7 +1534,7 @@ err = dispatch(&request, &conn->u.tcp.faddr, &conn->u.tcp.response); if (err) { - com_err(prog, err, "while dispatching (tcp)"); + kdc_err(NULL, err, "while dispatching (tcp)"); goto kill_tcp_connection; } have_response: @@ -1563,10 +1550,9 @@ kill_tcp_connection(conn); } -static void service_conn(struct connection *conn, const char *prog, - int selflags) +static void service_conn(struct connection *conn, int selflags) { - conn->service(conn, prog, selflags); + conn->service(conn, selflags); } /* from sendto_kdc.c */ @@ -1584,7 +1570,7 @@ } krb5_error_code -listen_and_process(const char *prog) +listen_and_process() { int nfound; /* This struct contains 3 fd_set objects; on some platforms, they @@ -1616,7 +1602,7 @@ big deal. */ err = getcurtime(&sstate.end_time); if (err) { - com_err(prog, err, "while getting the time"); + kdc_err(NULL, err, "while getting the time"); continue; } sstate.end_time.tv_sec += 3; 
@@ -1627,22 +1613,22 @@ err = krb5int_cm_call_select(&sstate, &sout, &sret); if (err) { if (err != EINTR) - com_err(prog, err, "while selecting for network input(1)"); + kdc_err(NULL, err, "while selecting for network input(1)"); continue; } if (sret == 0 && netchanged) { network_reconfiguration_needed = 0; - closedown_network(prog); - err = setup_network(prog); + closedown_network(); + err = setup_network(); if (err) { - com_err(prog, err, "while reinitializing network"); + kdc_err(NULL, err, "while reinitializing network"); return err; } netchanged = 0; } if (sret == -1) { if (errno != EINTR) - com_err(prog, errno, "while selecting for network input(2)"); + kdc_err(NULL, errno, "while selecting for network input(2)"); continue; } nfound = sret; @@ -1655,7 +1641,7 @@ if (FD_ISSET(conns[i]->fd, &sout.wfds)) sflags |= SSF_WRITE, nfound--; if (sflags) - service_conn(conns[i], prog, sflags); + service_conn(conns[i], sflags); } } krb5_klog_syslog(LOG_INFO, "shutdown signal received"); @@ -1663,7 +1649,7 @@ } krb5_error_code -closedown_network(const char *prog) +closedown_network() { int i; struct connection *conn; From tlyu at MIT.EDU Tue Apr 14 17:07:21 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:21 -0400 Subject: svn rev #22220: branches/krb5-1-7/src/lib/gssapi/krb5/ Message-ID: <200904142107.n3EL7Lks018533@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22220 Commit By: tlyu Log Message: ticket: 6412 version_fixed: 1.7 pull up r22081, r22082 from trunk ------------------------------------------------------------------------ r22082 | raeburn | 2009-03-12 18:06:35 -0400 (Thu, 12 Mar 2009) | 6 lines Changed paths: M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c ticket: 6412 tags: pullup Better fix: Delay setting 'outbuf' until after the header buffer might have been allocated locally, and set it in both code paths instead of just the confidentiality-requested code path. ------------------------------------------------------------------------ r22081 | raeburn | 2009-03-12 12:48:15 -0400 (Thu, 12 Mar 2009) | 7 lines Changed paths: M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c ticket: 6412 subject: crash using library-allocated storage for header in wrap_iov target_version: 1.7 tags: pullup When allocating storage for the header buffer, update the internal output buffer pointer as well. Changed Files: U branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c Modified: branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c 2009-04-14 21:07:18 UTC (rev 22219) +++ branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c 2009-04-14 21:07:21 UTC (rev 22220) @@ -90,8 +90,6 @@ trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); - outbuf = (unsigned char *)header->buffer.value; - if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { unsigned int k5_headerlen, k5_trailerlen, k5_padlen; size_t ec = 0; 
@@ -129,12 +127,13 @@ gss_headerlen += gss_trailerlen; } - if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) + if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) { code = kg_allocate_iov(header, (size_t) gss_headerlen); - else if (header->buffer.length < gss_headerlen) + } else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { @@ -204,6 +203,7 @@ code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { From tlyu at MIT.EDU Tue Apr 14 17:07:24 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:24 -0400 Subject: svn rev #22221: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904142107.n3EL7OdP018570@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22221 Commit By: tlyu Log Message: ticket: 6415 version_fixed: 1.7 pull up r22083 from trunk ------------------------------------------------------------------------ r22083 | ghudson | 2009-03-12 23:10:12 -0400 (Thu, 12 Mar 2009) | 9 lines Changed paths: M /trunk/src/lib/krb5/krb/get_in_tkt.c ticket: 6415 subject: Use correct salt for canonicalized principals target_version: 1.7 tags: pullup In cases where the salt is derived from the client principal, use the canonicalized principal received from the KDC to determine the salt. Further changes are probably required for some preauth cases. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c Modified: branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-14 21:07:21 UTC (rev 22220) +++ branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-14 21:07:24 UTC (rev 22221) 
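Review bot: Neither `outbuf` assignment in k5sealv3iov.c (@@ -129,12 +127,13 @@ and @@ -204,6 +203,7 @@) states the ordering this fix depends on: `header->buffer.value` may only be read after `kg_allocate_iov()` has had the chance to set it. Without that, a later tidy-up could hoist the assignment back to the top of the function and reintroduce the crash from ticket 6412. A one-line comment above each assignment would pin it: `/* header->buffer.value may have been set by kg_allocate_iov() above; do not read it earlier. */`. In the first hunk the `if` arm gained braces while the `else if` arm did not; bracing both keeps the pair consistent. The function body starts and ends outside both hunks.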
@@ -254,7 +254,13 @@ if (key) decrypt_key = key; else { - if ((retval = krb5_principal2salt(context, request->client, &salt))) + /* + * Use salt corresponding to the client principal supplied by + * the KDC, which may differ from the requested principal if + * canonicalization is in effect. We will check + * as_reply->client later in verify_as_reply. + */ + if ((retval = krb5_principal2salt(context, as_reply->client, &salt))) return(retval); retval = (*key_proc)(context, as_reply->enc_part.enctype, @@ -1385,6 +1391,22 @@ goto cleanup; } + /* + * If we haven't gotten a salt from another source yet, set up one + * corresponding to the client principal returned by the KDC. We + * could get the same effect by passing local_as_reply->client to + * gak_fct below, but that would put the canonicalized client name + * in the prompt, which raises issues of needing to sanitize + * unprintable characters. So for now we just let it affect the + * salt. local_as_reply->client will be checked later on in + * verify_as_reply. + */ + if (salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL) { + ret = krb5_principal2salt(context, local_as_reply->client, &salt); + if (ret) + goto cleanup; + } + /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY, the AS_REP comes back encrypted in the user's longterm key instead of in the SAD. If there was a SAM preauth, there From tlyu at MIT.EDU Tue Apr 14 17:07:26 2009 
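Review bot: In the @@ -1385,6 +1391,22 @@ hunk of get_in_tkt.c, the new `krb5_principal2salt(context, local_as_reply->client, &salt)` call leaves `salt.data` library-allocated on a path where it was previously NULL, and the hunk does not show whether the `cleanup` label frees it in that case. That should be confirmed against the full function. Both hunks also feed a client name from a reply that has not yet been checked into key derivation, relying on verify_as_reply running later. The added comments could say so explicitly, for example `/* as_reply->client is unverified here; use it only to derive the decryption salt. */`, so that later edits do not start using that name for prompts or cache lookups before the check.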
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:26 -0400 Subject: svn rev #22222: branches/krb5-1-7/src/lib/gssapi/spnego/ Message-ID: <200904142107.n3EL7QHt018622@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22222 Commit By: tlyu Log Message: ticket: 6417 version_fixed: 1.7 pull up r22173 from trunk ------------------------------------------------------------------------ r22173 | tlyu | 2009-04-07 17:22:13 -0400 (Tue, 07 Apr 2009) | 4 lines Changed paths: M /trunk/src/lib/gssapi/spnego/spnego_mech.c ticket: 6417 Apply revised patch from Apple that ensures that a REJECT token is sent on error. Changed Files: U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-04-14 21:07:24 UTC (rev 22221) +++ branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-04-14 21:07:26 UTC (rev 22222) @@ -1650,8 +1650,7 @@ &negState, &return_token); } cleanup: - if (return_token == INIT_TOKEN_SEND || - return_token == CONT_TOKEN_SEND) { + if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { /* For acceptor-sends-first send a tokenInit */ int tmpret; @@ -1666,7 +1665,8 @@ return_token, output_token); } else { - tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, + tmpret = make_spnego_tokenTarg_msg(negState, + sc ? sc->internal_mech : GSS_C_NO_OID, &mechtok_out, mic_out, return_token, output_token); @@ -3025,6 +3025,8 @@ if (outbuf == GSS_C_NO_BUFFER) return (GSS_S_DEFECTIVE_TOKEN); + if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) + return (GSS_S_DEFECTIVE_TOKEN); outbuf->length = 0; outbuf->value = NULL; From tlyu at MIT.EDU Tue Apr 14 17:07:29 2009 
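Review bot: The new cleanup condition in spnego_mech.c (@@ -1650,8 +1650,7 @@), `return_token != NO_TOKEN_SEND && return_token != CHECK_MIC`, replaces an allow-list of two values with a deny-list, so any value later added to that enum will cause a token to be emitted by default. Listing the values that should send a token explicitly, or adding a comment above the `if` naming them, keeps the behaviour deliberate. The comment kept below it, `/* For acceptor-sends-first send a tokenInit */`, now describes only one of the cases the branch handles and could be widened to mention the reject token. The surrounding function starts outside the hunk.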
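Review bot: The ternary added in the @@ -1666,7 +1665,8 @@ hunk, `sc ? sc->internal_mech : GSS_C_NO_OID`, establishes that `sc` can be NULL when the cleanup label is reached, but only this one use is guarded. The tokenInit call in the other arm of the same `if`/`else` has its argument list cut off above the hunk, and the rest of the cleanup code is below it; both should be checked for unguarded `sc->` accesses. A short comment at the label such as `/* sc may be NULL here if context setup failed */` would flag the constraint for later edits.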
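Review bot: The early return added in the @@ -3025,6 +3025,8 @@ hunk sits above `outbuf->length = 0; outbuf->value = NULL;`, so on this new failure path the output buffer keeps whatever state the caller passed in. Unless every caller initialises the buffer itself, a later release of that token would act on stale contents. Moving the `sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID` check below the two resets keeps the output defined on every return after the NULL-buffer check. The function's signature and the rest of its body are outside the hunk.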
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:29 -0400 Subject: svn rev #22223: branches/krb5-1-7/doc/ Message-ID: <200904142107.n3EL7TQS018659@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22223 Commit By: tlyu Log Message: ticket: 6418 version_fixed: 1.7 pull up r22088 from trunk ------------------------------------------------------------------------ r22088 | ghudson | 2009-03-14 01:46:18 -0400 (Sat, 14 Mar 2009) | 15 lines Changed paths: M /trunk/doc/admin.texinfo ticket: 6418 subject: Improve LDAP admin documentation target_version: 1.7 tags: pullup Use dc=example,dc=com as the example base DN instead of more archaic forms. Provide a little more cross-referencing of concepts and mechanisms. Add additional steps in the OpenLDAP setup instructions for choosing DNs for the Kerberos container, KDC service, and kadmin service. Explain a little bit about what the Kerberos container and realm container are. Be clearer that using separate subtrees from the realm container for principals is an option, not a necessity, and don't use the base DN as an example of a separate subtree (it's confusing). Changed Files: U branches/krb5-1-7/doc/admin.texinfo Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:26 UTC (rev 22222) +++ branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:28 UTC (rev 22223) 
@@ -1013,7 +1013,7 @@ @itemx ldap_service_password_file -This LDAP specific tag indicates the file containing the stashed passwords for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under [dbmodules]. +This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under [dbmodules]. @itemx ldap_server @@ -1044,7 +1044,7 @@ This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. @itemx ldap_service_password_file -This LDAP specific tag indicates the file containing the stashed passwords for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. +This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. @itemx ldap_server This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ldapi:// or ldaps:// interface to connect to the LDAP server. 
@@ -1379,20 +1379,20 @@ kdc = SYSLOG:INFO admin_server = FILE=/var/kadm5.log [dbdefaults] - ldap_kerberos_container_dn = cn=krbcontainer,o=mit + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com [dbmodules] openldap_ldapconf = @{ - db_library = kldap - ldap_kerberos_container_dn = cn=krbcontainer,o=mit - ldap_kdc_dn = "cn=krbadmin,o=mit" - # this object needs to have read rights on - # the realm container, principal container and realm sub-trees - ldap_kadmind_dn = "cn=krbadmin,o=mit" - # this object needs to have read and write rights on - # the realm container, principal container and realm sub-trees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 + db_library = kldap + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com + ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read rights on + # the realm container and principal subtrees + ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read and write rights on + # the realm container and principal subtrees + ldap_service_password_file = /etc/kerberos/service.keyfile + ldap_servers = ldaps://kerberos.mit.edu + ldap_conns_per_server = 5 @} @@ -2310,7 +2310,7 @@ @smallexample @group - at b{kadmin:} addprinc -x dn=cn=@value{RANDOMUSER1},o=mit @value{RANDOMUSER1} + at b{kadmin:} addprinc -x dn=cn=@value{RANDOMUSER1},dc=example,dc=com @value{RANDOMUSER1} @b{WARNING: no policy specified for "@value{RANDOMUSER1}@@@value{PRIMARYREALM}"; defaulting to no policy.} @iftex @@ -2334,7 +2334,7 @@ @smallexample @group - at b{kadmin:} addprinc -x containerdn=o=mit -x linkdn=cn=@value{RANDOMUSER2},o=mit @value{RANDOMUSER2} + at b{kadmin:} addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=@value{RANDOMUSER2},dc=example,dc=com @value{RANDOMUSER2} @b{WARNING: no policy specified for "@value{RANDOMUSER2}@@@value{PRIMARYREALM}"; defaulting to no policy.} @iftex 
@@ -3131,9 +3131,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -sscope --subtree ou=users,o=org -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2 +-subtree ou=users,dc=example,dc=com -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Initializing database for realm 'ATHENA.MIT.EDU'} @b{You will be prompted for the database Master Password.} @b{It is important that you NOT FORGET this password.} @@ -3159,9 +3159,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -sscope --subtree ou=users,o=org -kdcdn cn=krbkdc,o=org -admindn cn=krbadmin,o=org -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2 +-subtree ou=users,dc=example,dc=com -kdcdn cn=krbkdc,dc=example,dc=com -admindn cn=krbadmin,dc=example,dc=com -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Initializing database for realm 'ATHENA.MIT.EDU'} @b{You will be prompted for the database Master Password.} @b{It is important that you NOT FORGET this password.} @@ -3256,9 +3256,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu modify -r ATHENA.MIT.EDU +requires_preauth - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} shell% @end group @end smallexample 
@@ -3306,11 +3306,11 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Realm Name: ATHENA.MIT.EDU} - at b{Subtree: ou=users,o=org} - at b{Subtree: ou=servers,o=org} + at b{Subtree: ou=users,dc=example,dc=com} + at b{Subtree: ou=servers,dc=example,dc=com} @b{SearchScope: ONE} @b{Maximum ticket life: 0 days 01:00:00} @b{Maximum renewable life: 0 days 10:00:00} @@ -3339,8 +3339,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?} @b{type 'yes' to confirm)? Yes} @b{OK, deleting database of 'ATHENA.MIT.EDU'...} @@ -3359,8 +3359,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list + at b{Password for "cn=admin,dc=example,dc=com":} @b{ATHENA.MIT.EDU} @b{OPENLDAP.MIT.EDU} @b{MEDIA-LAB.MIT.EDU} @@ -3387,9 +3387,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyle cn=service-kdc,o=org - at b{Password for "cn=service-kdc,o=org"}: - at b{Re-enter password for "cn=service-kdc,o=org"}: +shell% kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyle cn=service-kdc,dc=example,dc=com + at b{Password for "cn=service-kdc,dc=example,dc=com"}: + at b{Re-enter password for "cn=service-kdc,dc=example,dc=com"}: shell% @end group @end smallexample 
@@ -3488,9 +3488,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_forwardable usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} shell% @end group @end smallexample @@ -3513,9 +3513,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} @b{Ticket policy: usertktpolicy} @b{Maxmum ticket life: 0 days 01:00:00} @b{Maxmum renewable life: 0 days 10:00:00} @@ -3548,9 +3548,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} @b{This will delete the policy object 'usertktpolicy', are you sure?} @b{(type 'yes' to confirm)? Yes} @b{** policy object 'usertktpolicy' deleted.} @@ -3577,8 +3577,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{usertktpolicy} @b{tempusertktpolicy} @b{krbtktpolicy} 
@@ -3628,9 +3628,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} @b{File does not exist. Creating the file /home/andrew/service_passwd...} shell% @end group @@ -3674,9 +3674,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +modify_service -realm ATHENA.MIT.EDU cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} @b{Changing rights for the service object. Please wait ... done} shell% @end group @@ -3695,13 +3695,13 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -view_service cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{Service dn: cn=service-kdc,o=org} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +view_service cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{Service dn: cn=service-kdc,dc=example,dc=com} @b{Service type: kdc} @b{Service host list:} - at b{Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,o=org} + at b{Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,dc=example,dc=com} shell% @end group @end smallexample 
@@ -3726,12 +3726,12 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -destroy_service cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{This will delete the service object 'cn=service-kdc,o=org', are you sure?} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +destroy_service cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{This will delete the service object 'cn=service-kdc,dc=example,dc=com', are you sure?} @b{(type 'yes' to confirm)? Yes} - at b{** service object 'cn=service-kdc,o=org' deleted.} + at b{** service object 'cn=service-kdc,dc=example,dc=com' deleted.} shell% @end group @end smallexample @@ -3751,11 +3751,11 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_service - at b{Password for "cn=admin,o=org":} - at b{cn=service-kdc,o=org} - at b{cn=service-adm,o=org} - at b{cn=service-pwd,o=org} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_service + at b{Password for "cn=admin,dc=example,dc=com":} + at b{cn=service-kdc,dc=example,dc=com} + at b{cn=service-adm,dc=example,dc=com} + at b{cn=service-pwd,dc=example,dc=com} shell% @end group @end smallexample 
@@ -3786,11 +3786,11 @@ @smallexample @group -shell% kdb5_ldap_util setsrvpw -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -setsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{Password for "cn=service-kdc,o=org":} - at b{Re-enter password for "cn=service-kdc,o=org":} +shell% kdb5_ldap_util setsrvpw -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +setsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{Password for "cn=service-kdc,dc=example,dc=com":} + at b{Re-enter password for "cn=service-kdc,dc=example,dc=com":} shell% @end group @end smallexample @@ -3924,9 +3924,25 @@ @end smallexample @item -Configure the LDAP server ACLs to enable the KDC and Admin server to -read and write the Kerberos data. +Choose DNs for the KDC and kadmin servers to bind to the LDAP server, +and create them if necessary. These DNs will be specified with the + at code{ldap_kdc_dn} and @code{ldap_kadmind_dn} directives in krb5.conf; +their passwords can be stashed with @code{kdb5_ldap_util stashsrvpw} +and the resulting file specified with the + at code{ldap_service_password_file} directive. + at item +Choose a DN for the global Kerberos container entry (but do not create +the entry at this time). This DN will be specified with the + at code{ldap_kerberos_container_dn} directive in krb5.conf. Realm +container entries will be created underneath this DN. Principal +entries may exist either underneath the realm container (the default) +or in separate trees referenced from the realm container. + + at item +Configure the LDAP server ACLs to enable the KDC and kadmin server DNs +to read and write the Kerberos data. + @subheading Sample access control information 
@@ -3945,16 +3961,16 @@ by self write by * read -# Providing access to realm subtree -access to @code{dn.subtree}= @i{"o=mit"} - by @code{dn.exact}=@i{"cn=kdc-service,o=mit"} read - by @code{dn.exact}=@i{"cn=adm-service,o=mit"} write +# Providing access to realm container +access to @code{dn.subtree}= @i{"cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"} + by @code{dn.exact}=@i{"cn=kdc-service,dc=example,dc=com"} read + by @code{dn.exact}=@i{"cn=adm-service,dc=example,dc=com"} write by * none -# Providing access to realm container -access to @code{dn.subtree}= @i{"cn=MIT.EDU,cn=Kerberos,o=mit"} - by @code{dn.exact}=@i{"cn=kdc-service,o=mit"} read - by @code{dn.exact}=@i{"cn=adm-service,o=mit"} write +# Providing access to principals, if not underneath realm container +access to @code{dn.subtree}= @i{"ou=users,dc=example,dc=com"} + by @code{dn.exact}=@i{"cn=kdc-service,dc=example,dc=com"} read + by @code{dn.exact}=@i{"cn=adm-service,dc=example,dc=com"} write by * none access to * @@ -3962,10 +3978,9 @@ @end smallexample @noindent -The above list provides the access control information for the KDC and -Admin service object for the realm container and the realm -subtree. Thus if the realm subtree or the service objects for a realm -are changed then this information should be updated. +If the locations of the container and principals or the DNs of the +service objects for a realm are changed then this information should +be updated. @item Start the LDAP server as follows: 
@@ -3998,11 +4013,11 @@ Create the realm using @samp{kdb5_ldap_util}. @smallexample - at b{kdb5_ldap_util} @b{-D} @i{ cn=admin,o=mit} create @b{-subtrees} @i{ o=mit} @b{-r} @i{MIT.EDU} @b{-s} + at b{kdb5_ldap_util} @b{-D} @i{cn=admin,dc=example,dc=com} create @b{-subtrees} @i{ou=users,dc=example,dc=com} @b{-r} @i{EXAMPLE.COM} @b{-s} @end smallexample @noindent -Before executing the command, make sure that the subtree mentioned above @samp{(o=mit)} exists. +Use the @code{-subtrees} option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above @samp{(ou=users,dc=example,dc=com)} exists. If the principals will exist underneath the realm container, omit the @code{-subtrees} option and do not worry about creating the principal subtree. For more information, refer to the section @dfn{Global Operations on the Kerberos LDAP Database}. @@ -4017,7 +4032,7 @@ file. @smallexample - at b{kdb5_ldap_util} @b{-D} @i{ cn=admin,o=mit} @i{stashsrvpw} @b{-f} @code{/etc/kerberos/service.keyfile} @i{cn=krbadmin,o=mit} + at b{kdb5_ldap_util} @b{-D} @i{cn=admin,dc=example,dc=com} @i{stashsrvpw} @b{-f} @code{/etc/kerberos/service.keyfile} @i{cn=krbadmin,dc=example,dc=com} @end smallexample @item From tlyu at MIT.EDU Tue Apr 14 17:07:31 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:31 -0400 Subject: svn rev #22224: branches/krb5-1-7/doc/ Message-ID: <200904142107.n3EL7Vj7018696@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22224 Commit By: tlyu Log Message: ticket: 6419 version_fixed: 1.7 pull up r22089 from trunk ------------------------------------------------------------------------ r22089 | ghudson | 2009-03-15 00:15:16 -0400 (Sun, 15 Mar 2009) | 9 lines Changed paths: M /trunk/doc/admin.texinfo ticket: 6419 subject: Document alias support in LDAP back end tags: pullup target_version: 1.7 Add a few paragraphs to the LDAP instructions on creating aliases through direct manipulation of the LDAP data, and briefly explain when aliases will be used. Changed Files: U branches/krb5-1-7/doc/admin.texinfo Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:28 UTC (rev 22223) +++ branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:31 UTC (rev 22224) 
@@ -4039,6 +4039,26 @@ Add krb5principalname to the indexes in slapd.conf to speed up the access. @end enumerate +With the LDAP back end it is possible to provide aliases for principal +entries. Currently we provide no mechanism provided for creating +aliases, so it must be done by direct manipulation of the LDAP +entries. + +An entry with aliases contains multiple values of the krbPrincipalName +attribute. Since LDAP attribute values are not ordered, it is +necessary to specify which principal name is canonical, by using the +krbCanonicalName attribute. Therefore, to create aliases for an +entry, first set the krbCanonicalName attribute of the entry to the +canonical principal name (which should be identical to the +pre-existing krbPrincipalName value), and then add additional +krbPrincipalName attributes for the aliases. + +Principal aliases are only returned by the KDC when the client +requests canonicalization. Canonicalization is normally requested for +service principals; for client principals, an explicit flag is often +required (e.g. @code{kinit -C}) and canonicalization is only performed +for initial ticket requests. + @node Application Servers, Backups of Secure Hosts, Configuring Kerberos with OpenLDAP back-end, Top @chapter Application Servers From tlyu at MIT.EDU Tue Apr 14 17:07:34 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:34 -0400 Subject: svn rev #22225: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200904142107.n3EL7YUH018733@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22225 Commit By: tlyu Log Message: ticket: 6420 version_fixed: 1.7 pull up r22090 from trunk ------------------------------------------------------------------------ r22090 | ghudson | 2009-03-15 00:21:12 -0400 (Sun, 15 Mar 2009) | 10 lines Changed paths: M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ticket: 6420 subject: Add LDAP back end support for canonical name attribute tags: pullup target_version: 1.7 Add a krbCanonicalName attribute to the schema. When looking up a principal, if the canonical name is set and does not match the requested name, then return the entry only if canonicalization was requested, and use the entry's canonical name. Changed Files: U branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif U branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema U branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-04-14 21:07:31 UTC (rev 22224) +++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-04-14 21:07:34 UTC (rev 22225) 
@@ -20,6 +20,15 @@ # specific syntax definitions # Kerberos Object Class(6) class# version# # specific class definitions +# +# iso(1) +# member-body(2) +# United States(840) +# mit (113554) +# infosys(1) +# ldap(4) +# attributeTypes(1) +# Kerberos(6) ######################################################################## @@ -40,6 +49,21 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) +##### If there are multiple krbPrincipalName values for an entry, this +##### is the canonical principal name in the RFC 1964 specified +##### format. (If this attribute does not exist, then all +##### krbPrincipalName values are treated as canonical.) + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 1.2.840.113554.1.4.1.6.1 + NAME 'krbCanonicalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE) + ##### This specifies the type of the principal, the types could be any of ##### the types mentioned in section 6.2 of RFC 4120 
@@ -685,7 +709,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY - MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) ###### This class is used to create additional principals and stand alone principals. Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-04-14 21:07:31 UTC (rev 22224) +++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-04-14 21:07:34 UTC (rev 22225) @@ -20,6 +20,15 @@ # specific syntax definitions # Kerberos Object Class(6) class# version# # specific class definitions +# +# iso(1) +# member-body(2) +# United States(840) +# mit (113554) +# infosys(1) +# ldap(4) +# attributeTypes(1) +# Kerberos(6) ######################################################################## 
@@ -36,7 +45,18 @@ SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) +##### If there are multiple krbPrincipalName values for an entry, this +##### is the canonical principal name in the RFC 1964 specified +##### format. (If this attribute does not exist, then all +##### krbPrincipalName values are treated as canonical.) +attributetype ( 1.2.840.113554.1.4.1.6.1 + NAME 'krbCanonicalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE) + ##### This specifies the type of the principal, the types could be any of ##### the types mentioned in section 6.2 of RFC 4120 @@ -422,7 +442,7 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) -##### This stores the alternate principal names for the principal in the RFC 1961 specified format +##### This stores the alternate principal names for the principal in the RFC 1964 specified format attributetype ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' 
@@ -556,7 +576,7 @@ NAME 'krbPrincipalAux' SUP top AUXILIARY - MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) ###### This class is used to create additional principals and stand alone principals. Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-04-14 21:07:31 UTC (rev 22224) +++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-04-14 21:07:34 UTC (rev 22225) @@ -40,6 +40,7 @@ struct timeval timelimit = {300, 0}; /* 5 minutes */ char *principal_attributes[] = { "krbprincipalname", + "krbcanonicalname", "objectclass", "krbprincipalkey", "krbmaxrenewableage", Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c =================================================================== --- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-04-14 21:07:31 UTC (rev 22224) +++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-04-14 21:07:34 UTC (rev 22225) 
@@ -85,12 +85,13 @@ char *user=NULL, *filter=NULL, **subtree=NULL; unsigned int tree=0, ntrees=1, princlen=0; krb5_error_code tempst=0, st=0; - char **values=NULL; + char **values=NULL, *cname=NULL; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; + krb5_principal cprinc=NULL; /* Clear the global error string */ krb5_clear_error_message(context); @@ -145,7 +146,7 @@ * NOTE: a principalname k* in ldap server will return all the principals starting with a k */ for (i=0; values[i] != NULL; ++i) { - if (strcasecmp(values[i], user) == 0) { + if (strcmp(values[i], user) == 0) { *nentries = 1; break; } @@ -156,8 +157,27 @@ continue; } - if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, searchfor, - entries)) != 0) + if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { + if (values[0] && strcmp(values[0], user) != 0) { + /* We matched an alias, not the canonical name. */ + if (flags & KRB5_KDB_FLAG_CANONICALIZE) { + st = krb5_ldap_parse_principal_name(values[0], &cname); + if (st != 0) + goto cleanup; + st = krb5_parse_name(context, cname, &cprinc); + if (st != 0) + goto cleanup; + } else /* No canonicalization, so don't return aliases. */ + *nentries = 0; + } + ldap_value_free(values); + if (*nentries == 0) + continue; + } + + if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, + cprinc ? cprinc : searchfor, + entries)) != 0) goto cleanup; } ldap_msgfree(result); @@ -190,6 +210,12 @@ if (user) free(user); + if (cname) + free(cname); + + if (cprinc) + krb5_free_principal(context, cprinc); + return st; } From tlyu at MIT.EDU Tue Apr 14 17:07:37 2009 
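Review bot: Both `goto cleanup` exits inside the new `krbcanonicalname` block in the `@@ -156,8 +157,27 @@` hunk jump out before `ldap_value_free(values)` runs. The cleanup lines visible in the last hunk release only `user`, `cname` and `cprinc`, so the value array looks leaked on a parse failure unless the part of the cleanup label outside the hunk frees it. Releasing it at the jump is safe either way: `if (st != 0) { ldap_value_free(values); values = NULL; goto cleanup; }`. Separately, `cname` and `cprinc` are function-scope and are never reset per entry. If the enclosing loops (which start outside the hunk) can reach a second entry after an alias match, the earlier allocations would be overwritten and a stale `cprinc` would be passed to `populate_krb5_db_entry` in place of `searchfor`, so it is worth confirming and, if so, freeing and clearing both after each use.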
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:37 -0400 Subject: svn rev #22226: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904142107.n3EL7bEh018770@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22226 Commit By: tlyu Log Message: ticket: 6423 version_fixed: 1.7 pull up r22092 from trunk ------------------------------------------------------------------------ r22092 | hartmans | 2009-03-16 12:49:59 -0400 (Mon, 16 Mar 2009) | 4 lines Changed paths: M /trunk/src/lib/krb5/krb/auth_con.c ticket: 6423 Subject: krb5_auth_con_free should support freeing a null auth_context without segfault. If the input auth_con is NULL, return success. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/auth_con.c Modified: branches/krb5-1-7/src/lib/krb5/krb/auth_con.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/auth_con.c 2009-04-14 21:07:34 UTC (rev 22225) +++ branches/krb5-1-7/src/lib/krb5/krb/auth_con.c 2009-04-14 21:07:37 UTC (rev 22226) @@ -44,6 +44,8 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) { + if (auth_context == NULL) + return 0; if (auth_context->local_addr) krb5_free_address(context, auth_context->local_addr); if (auth_context->remote_addr) From tlyu at MIT.EDU Tue Apr 14 17:07:39 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:39 -0400 Subject: svn rev #22227: branches/krb5-1-7/src/kdc/ Message-ID: <200904142107.n3EL7djb018808@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22227 Commit By: tlyu Log Message: ticket: 6424 version_fixed: 1.7 pull up r22093 from trunk ------------------------------------------------------------------------ r22093 | hartmans | 2009-03-16 12:50:04 -0400 (Mon, 16 Mar 2009) | 7 lines Changed paths: M /trunk/src/kdc/kdc_util.c M /trunk/src/kdc/main.c ticket: 6424 Subject: Call kdb_set_mkey_list from the KDC Target_version: 1.7 tags: pullup In order for the kdb keytab to be used from within the KDC, the KDC needs to set the master key list in the context. Changed Files: U branches/krb5-1-7/src/kdc/kdc_util.c U branches/krb5-1-7/src/kdc/main.c Modified: branches/krb5-1-7/src/kdc/kdc_util.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-14 21:07:37 UTC (rev 22226) +++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-14 21:07:39 UTC (rev 22227) @@ -456,6 +456,7 @@ &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; + krb5_db_set_mkey_list(kdc_context, master_keylist); if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { goto errout; Modified: branches/krb5-1-7/src/kdc/main.c =================================================================== --- branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:37 UTC (rev 22226) +++ branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:39 UTC (rev 22227) @@ -414,7 +414,6 @@ rdp->realm_mpname, realm); goto whoops; } - #if 0 /************** Begin IFDEF'ed OUT *******************************/ /* * Commenting krb5_db_verify_master_key out because it requires the most 
@@ -445,6 +444,7 @@ "while setting master key for realm %s", realm); goto whoops; } + krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, From tlyu at MIT.EDU Tue Apr 14 17:07:47 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:47 -0400 Subject: svn rev #22229: branches/krb5-1-7/src/ include/ lib/krb5/krb/ Message-ID: <200904142107.n3EL7lCX018883@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22229 Commit By: tlyu Log Message: ticket: 6422 version_fixed: 1.7 pull up r22096, r22097 from trunk ------------------------------------------------------------------------ r22097 | hartmans | 2009-03-16 12:50:30 -0400 (Mon, 16 Mar 2009) | 6 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/lib/krb5/krb/Makefile.in A /trunk/src/lib/krb5/krb/t_authdata.c ticket: 6422 Implement tests for authdata functions Implement some test cases for krb5_merge_authdata and krb5int_find_authdata ------------------------------------------------------------------------ r22096 | hartmans | 2009-03-16 12:50:26 -0400 (Mon, 16 Mar 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/krb/copy_auth.c subject: Implement krb5int_find_authdata ticket: 6422 Implement a function to find all instances of a particular ad_type in ticket or authenticator authdata. Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in U branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c A branches/krb5-1-7/src/lib/krb5/krb/t_authdata.c Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-14 21:07:42 UTC (rev 22228) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-14 21:07:46 UTC (rev 22229) 
@@ -2570,6 +2570,11 @@ krb5_data *, const krb5_keyblock *, krb5_kdc_rep ** ); +krb5_error_code krb5int_find_authdata +(krb5_context context, krb5_authdata *const * ticket_authdata, + krb5_authdata * const *ap_req_authdata, + krb5_authdatatype ad_type, + krb5_authdata ***results); krb5_error_code krb5_rd_req_decoded (krb5_context, Modified: branches/krb5-1-7/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-14 21:07:42 UTC (rev 22228) +++ branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-14 21:07:46 UTC (rev 22229) @@ -308,6 +308,8 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) +t_authdata: t_authdata.o copy_auth.o + $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS) @@ -323,7 +325,7 @@ t_expand : $(T_EXPAND_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_expand $(T_EXPAND_OBJS) $(KRB5_BASE_LIBS) -TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand +TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata check-unix:: $(TEST_PROGS) KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ 
@@ -356,13 +358,16 @@ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/transit-tests KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests + KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ + $(RUN_SETUP) $(VALGRIND) ./t_authdata clean:: $(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \ $(OUTPRE)t_kerb$(EXEEXT) $(OUTPRE)t_kerb.$(OBJEXT) \ $(OUTPRE)t_ser$(EXEEXT) $(OUTPRE)t_ser.$(OBJEXT) \ $(OUTPRE)t_deltat$(EXEEXT) $(OUTPRE)t_deltat.$(OBJEXT) \ - $(OUTPRE)t_expand$(EXEEXT) $(OUTPRE)t_expand.$(OBJEXT) + $(OUTPRE)t_expand$(EXEEXT) $(OUTPRE)t_expand.$(OBJEXT) \ + $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) @libobj_frag@ Modified: branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c 2009-04-14 21:07:42 UTC (rev 22228) +++ branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c 2009-04-14 21:07:46 UTC (rev 22229) 
@@ -187,3 +187,92 @@ return code; } + +struct find_authdata_context { + krb5_authdata **out; + size_t space; + size_t length; +}; + +static krb5_error_code grow_find_authdata +(krb5_context context, struct find_authdata_context *fctx, + krb5_authdata *elem) +{ + krb5_error_code retval = 0; + if (fctx->length == fctx->space) { + krb5_authdata **new; + if (fctx->space >= 256) { + krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query"); + return ERANGE; + } + new = realloc(fctx->out, + sizeof (krb5_authdata *)*(2*fctx->space+1)); + if (new == NULL) + return ENOMEM; + fctx->out = new; + fctx->space *=2; + } + fctx->out[fctx->length+1] = NULL; + retval = krb5_copy_authdatum(context, elem, + &fctx->out[fctx->length]); + if (retval == 0) + fctx->length++; + return retval; +} + + + + +static krb5_error_code find_authdata_1 +(krb5_context context, krb5_authdata *const *in_authdat, krb5_authdatatype ad_type, + struct find_authdata_context *fctx) +{ + int i = 0; + krb5_error_code retval=0; + + for (i = 0; in_authdat[i]; i++) { + krb5_authdata *ad = in_authdat[i]; + if (ad->ad_type == ad_type && retval ==0) + retval = grow_find_authdata(context, fctx, ad); + else switch (ad->ad_type) { + krb5_authdata **decoded_container; + case KRB5_AUTHDATA_IF_RELEVANT: + if (retval == 0) + retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container); + if (retval == 0) { + retval = find_authdata_1(context, + decoded_container, ad_type, fctx); + krb5_free_authdata(context, decoded_container); + } + break; + default: + break; + } + } + return retval; +} + + +krb5_error_code krb5int_find_authdata +(krb5_context context, krb5_authdata *const * ticket_authdata, + krb5_authdata * const *ap_req_authdata, + krb5_authdatatype ad_type, + krb5_authdata ***results) +{ + krb5_error_code retval = 0; + struct find_authdata_context fctx; + fctx.length = 0; + fctx.space = 2; + fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *)); + *results = NULL; + 
if (fctx.out == NULL) + return ENOMEM; + if (ticket_authdata) + retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx); + if ((retval==0) && ap_req_authdata) + retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx); + if ((retval== 0) && fctx.length) + *results = fctx.out; + else krb5_free_authdata(context, fctx.out); + return retval; +} Added: branches/krb5-1-7/src/lib/krb5/krb/t_authdata.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/t_authdata.c 2009-04-14 21:07:42 UTC (rev 22228) +++ branches/krb5-1-7/src/lib/krb5/krb/t_authdata.c 2009-04-14 21:07:46 UTC (rev 22229) 
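Review bot: `find_authdata_1` calls itself once per nested `KRB5_AUTHDATA_IF_RELEVANT` container with no depth bound. Because `ap_req_authdata` is authenticator authdata supplied by the peer, only the message size limits the nesting, whereas the 256-entry cap in `grow_find_authdata` limits matches and not recursion. A nesting counter carried in `struct find_authdata_context` and checked before decoding would bound stack use; the constant name and its value below are a suggestion, and `fctx.depth = 0;` would be set next to the other initialisers in `krb5int_find_authdata`. The `for` loop also keeps walking `in_authdat` after `retval` becomes non-zero, so adding `retval == 0 &&` to the loop condition would stop at the first error.

```c
enum { FIND_AUTHDATA_MAX_DEPTH = 16 };  /* suggested bound, not from the source */

struct find_authdata_context {
    /* … unchanged: out, space, length … */
    unsigned int depth;  /* current AD-IF-RELEVANT nesting level */
};

        case KRB5_AUTHDATA_IF_RELEVANT:
            if (retval == 0 && fctx->depth >= FIND_AUTHDATA_MAX_DEPTH)
                retval = ERANGE;
            /* … unchanged: krb5_decode_authdata_container call … */
            if (retval == 0) {
                fctx->depth++;
                retval = find_authdata_1(context, decoded_container,
                                         ad_type, fctx);
                fctx->depth--;
                krb5_free_authdata(context, decoded_container);
            }
            break;
```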
@@ -0,0 +1,102 @@ +/* + * lib/krb5/krb/t_authdata.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * Test authorization data search + */ + +#include +#include +#include +#include + +krb5_authdata ad1 = { + KV5M_AUTHDATA, + 22, + 4, + (unsigned char *) "abcd"}; +krb5_authdata ad2 = { + KV5M_AUTHDATA, + 23, + 5, + (unsigned char *) "abcde" +}; + +krb5_authdata ad3= { + KV5M_AUTHDATA, + 22, + 3, + (unsigned char *) "ab" +}; +/* we want three results in the return from krb5int_find_authdata so +it has to grow its list. 
+*/ +krb5_authdata ad4 = { + KV5M_AUTHDATA, + 22, + 5, + (unsigned char *)"abcd" +}; + +krb5_authdata *adseq1[] = {&ad1, &ad2, &ad4, NULL}; + +krb5_authdata *adseq2[] = {&ad3, NULL}; + +static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) { + assert(adc1->ad_type == adc2->ad_type); + assert(adc1->length == adc2->length); + assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0); +} + +int main() +{ + krb5_context context; + krb5_authdata **results; + krb5_authdata *container[2]; + krb5_authdata **container_out; + + + assert(krb5_init_context(&context) == 0); + assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0); + compare_authdata(results[0], &ad1); + compare_authdata( results[1], &ad2); + compare_authdata(results[2], &ad4); + compare_authdata( results[3], &ad3); + assert(results[4] == NULL); + krb5_free_authdata(context, results); + container[0] = &ad3; + container[1] = NULL; + assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0); + assert(krb5int_find_authdata(context, + adseq1, container_out, 22, &results) == 0); + compare_authdata(&ad1, results[0]); + compare_authdata( results[1], &ad4); + compare_authdata( results[2], &ad3); + assert( results[3] == NULL); + krb5_free_authdata(context, results); + krb5_free_authdata(context, container_out); + return 0; +} From tlyu at MIT.EDU Tue Apr 14 17:07:50 2009 
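Review bot: Every library call under test in `main` sits inside an `assert(...)`, for example `assert(krb5_init_context(&context) == 0);` and `assert(krb5int_find_authdata(...) == 0);`. In a build with `NDEBUG` defined those calls are compiled out, and the following `compare_authdata` lines would read an uninitialised `results`. Keeping the call outside the macro avoids that: `ret = krb5_init_context(&context); assert(ret == 0);`. The program also returns without releasing the context, which matters because the check target runs it under `$(VALGRIND)`; a `krb5_free_context(context);` before `return 0;` would keep that run clean.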
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:50 -0400 Subject: svn rev #22230: branches/krb5-1-7/src/kdc/ Message-ID: <200904142107.n3EL7oaF018929@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22230 Commit By: tlyu Log Message: ticket: 6464 tags: pullup target_version: 1.7 version_fixed: 1.7 subject: verify return code from krb5_db_set_mkey_list pull up r22100 from trunk ------------------------------------------------------------------------ r22100 | tsitkova | 2009-03-16 14:00:06 -0400 (Mon, 16 Mar 2009) | 2 lines Changed paths: M /trunk/src/kdc/kdc_util.c M /trunk/src/kdc/main.c Verify return code from krb5_db_set_mkey_list. Changed Files: U branches/krb5-1-7/src/kdc/kdc_util.c U branches/krb5-1-7/src/kdc/main.c Modified: branches/krb5-1-7/src/kdc/kdc_util.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-14 21:07:46 UTC (rev 22229) +++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-14 21:07:49 UTC (rev 22230) @@ -456,7 +456,9 @@ &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; - krb5_db_set_mkey_list(kdc_context, master_keylist); + retval = krb5_db_set_mkey_list(kdc_context, master_keylist); + if (retval) + goto errout; if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { goto errout; 
@@ -471,10 +473,10 @@ -1, (krb5_int32)ticket->enc_part.kvno, &server_key); if (retval) - goto errout; + goto errout; if (!server_key) { - retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; + retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, Modified: branches/krb5-1-7/src/kdc/main.c =================================================================== --- branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:46 UTC (rev 22229) +++ branches/krb5-1-7/src/kdc/main.c 2009-04-14 21:07:49 UTC (rev 22230) @@ -444,7 +444,12 @@ "while setting master key for realm %s", realm); goto whoops; } - krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); + kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); + if (kret) { + kdc_err(rdp->realm_context, kret, + "while setting master key list for realm %s", realm); + goto whoops; + } /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, From tlyu at MIT.EDU Tue Apr 14 17:07:43 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 14 Apr 2009 17:07:43 -0400 Subject: svn rev #22228: branches/krb5-1-7/src/ include/krb5/ lib/crypto/ Message-ID: <200904142107.n3EL7hk8018846@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22228 Commit By: tlyu Log Message: ticket: 6421 version_fixed: 1.7 pull up r22094, r22095 from trunk ------------------------------------------------------------------------ r22095 | hartmans | 2009-03-16 12:50:23 -0400 (Mon, 16 Mar 2009) | 7 lines Changed paths: M /trunk/src/lib/crypto/Makefile.in A /trunk/src/lib/crypto/t_cf2.c A /trunk/src/lib/crypto/t_cf2.comments A /trunk/src/lib/crypto/t_cf2.expected A /trunk/src/lib/crypto/t_cf2.in A /trunk/src/lib/crypto/t_prf.comments A /trunk/src/lib/crypto/t_prf.expected A /trunk/src/lib/crypto/t_prf.in ticket: 6421 Implement test cases for CF2 Implement a simple program to call KRB-FX-CF2 and print the resulting keys. Add to regression tests. Also, use the PRF testing application to confirm that CF2 generates consistent keys if called by hand. ------------------------------------------------------------------------ r22094 | hartmans | 2009-03-16 12:50:09 -0400 (Mon, 16 Mar 2009) | 6 lines Changed paths: M /trunk/src/include/krb5/krb5.hin M /trunk/src/lib/crypto/Makefile.in A /trunk/src/lib/crypto/cf2.c M /trunk/src/lib/crypto/etypes.h M /trunk/src/lib/crypto/libk5crypto.exports ticket: 6421 Subject: Implement KRB-FX_CF2 Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that combines two keys of arbitrary enctype. Implement this function as an exported API. 
Changed Files: U branches/krb5-1-7/src/include/krb5/krb5.hin U branches/krb5-1-7/src/lib/crypto/Makefile.in A branches/krb5-1-7/src/lib/crypto/cf2.c U branches/krb5-1-7/src/lib/crypto/etypes.h U branches/krb5-1-7/src/lib/crypto/libk5crypto.exports A branches/krb5-1-7/src/lib/crypto/t_cf2.c A branches/krb5-1-7/src/lib/crypto/t_cf2.comments A branches/krb5-1-7/src/lib/crypto/t_cf2.expected A branches/krb5-1-7/src/lib/crypto/t_cf2.in A branches/krb5-1-7/src/lib/crypto/t_prf.comments A branches/krb5-1-7/src/lib/crypto/t_prf.expected A branches/krb5-1-7/src/lib/crypto/t_prf.in Modified: branches/krb5-1-7/src/include/krb5/krb5.hin =================================================================== --- branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 21:07:39 UTC (rev 22227) +++ branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-14 21:07:42 UTC (rev 22228) @@ -497,7 +497,22 @@ krb5_error_code KRB5_CALLCONV krb5_c_prf_length (krb5_context, krb5_enctype, size_t *outlen); +krb5_error_code KRB5_CALLCONV +krb5_c_fx_cf2_simple(krb5_context context, + krb5_keyblock *k1, const char *pepper1, + krb5_keyblock *k2, const char *pepper2, + krb5_keyblock **out); + /* Returns KRB-FX-CF2 in a newly allocated + * keyblock on success or an error code on error. + * This function is simple in that it assumes + * pepper1 and pepper2 are C strings with no + * internal nulls and that the enctype of the + * result will be the same as that of k1. Both + * of these assumptions are true of current + * specs. + */ + krb5_error_code KRB5_CALLCONV krb5_c_make_random_key (krb5_context context, krb5_enctype enctype, Modified: branches/krb5-1-7/src/lib/crypto/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/crypto/Makefile.in 2009-04-14 21:07:39 UTC (rev 22227) +++ branches/krb5-1-7/src/lib/crypto/Makefile.in 2009-04-14 21:07:42 UTC (rev 22228) 
@@ -16,6 +16,7 @@ EXTRADEPSRCS=\ $(srcdir)/t_nfold.c \ + $(srcdir)/t_cf2.c \ $(srcdir)/t_encrypt.c \ $(srcdir)/t_prf.c \ $(srcdir)/t_prng.c \ @@ -36,6 +37,7 @@ STLIBOBJS=\ aead.o \ block_size.o \ + cf2.o \ checksum_length.o \ cksumtype_to_string.o \ cksumtypes.o \ @@ -79,6 +81,7 @@ OBJS=\ $(OUTPRE)aead.$(OBJEXT) \ $(OUTPRE)block_size.$(OBJEXT) \ + $(OUTPRE)cf2$(OBJEXT) \ $(OUTPRE)checksum_length.$(OBJEXT) \ $(OUTPRE)cksumtype_to_string.$(OBJEXT) \ $(OUTPRE)cksumtypes.$(OBJEXT) \ @@ -151,6 +154,7 @@ $(srcdir)/old_api_glue.c \ $(srcdir)/pbkdf2.c \ $(srcdir)/prf.c \ + $(srcdir)/cf2.c \ $(srcdir)/prng.c \ $(srcdir)/random_to_key.c \ $(srcdir)/state.c \ @@ -202,13 +206,18 @@ clean-unix:: clean-liblinks clean-libs clean-libobjs -check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 +check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 $(RUN_SETUP) $(VALGRIND) ./t_nfold $(RUN_SETUP) $(VALGRIND) ./t_encrypt $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ diff t_prng.output $(srcdir)/t_prng.expected $(RUN_SETUP) $(VALGRIND) ./t_hmac + $(RUN_SETUP) $(VALGRIND) ./t_prf <$(srcdir)/t_prf.in >t_prf.output + diff t_prf.output $(srcdir)/t_prf.expected + $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output + diff t_cf2.output $(srcdir)/t_cf2.expected + # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 t_nfold$(EXEEXT): t_nfold.$(OBJEXT) nfold.$(OBJEXT) $(SUPPORT_DEPLIB) @@ -220,6 +229,10 @@ t_prf$(EXEEXT): t_prf.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) -o $@ t_prf.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) +t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(SUPPORT_DEPLIB) + $(CC_LINK) -o $@ t_cf2.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) + + t_prng$(EXEEXT): t_prng.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) -o $@ t_prng.$(OBJEXT) -lk5crypto -lcom_err $(SUPPORT_LIB) 
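Review bot: In the `OBJS=` hunk the new entry is written `$(OUTPRE)cf2$(OBJEXT)`, without the `.` that every neighbouring entry has (`$(OUTPRE)aead.$(OBJEXT)`, `$(OUTPRE)block_size.$(OBJEXT)`). Wherever `OBJS` is consumed this expands to a name with no extension separator, so the object would not be found; the line should read `$(OUTPRE)cf2.$(OBJEXT) \`. The `check-unix` hunk also writes `t_prf.output` and `t_cf2.output`, while the `clean::` rule in the following hunk still removes only `t_prng.output`, so those two files could be added to that `$(RM)` line.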
@@ -239,7 +252,7 @@ clean:: $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ - t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o + t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -$(RM) t_prng.output all-windows:: Added: branches/krb5-1-7/src/lib/crypto/cf2.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/cf2.c 2009-04-14 21:07:39 UTC (rev 22227) +++ branches/krb5-1-7/src/lib/crypto/cf2.c 2009-04-14 21:07:42 UTC (rev 22228) 
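Review bot: The `clean` rule now removes `t_cf2` and `t_cf2.o` but not the files that the new `check-unix` lines write; `-$(RM) t_prng.output` is still the only output file removed. The redirects added in the `check-unix` hunk create `t_prf.output` and `t_cf2.output`, so stale results from an earlier run stay in the build directory. I would extend the line to `-$(RM) t_prng.output t_prf.output t_cf2.output`.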
@@ -0,0 +1,154 @@ +/* + * lib/crypto/cf2.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * Implement KRB_FX_CF2 function per + *draft-ietf-krb-wg-preauth-framework-09. Take two keys and two + *pepper strings as input and return a combined key. + */ + +#include +#include +#include "etypes.h" + + +/* + * Call the PRF function multiple times with the pepper prefixed with + * a count byte to get enough bits of output. 
+ */ +static krb5_error_code +prf_plus( krb5_context context, krb5_keyblock *k,const char *pepper, + size_t keybytes, char **out) +{ + krb5_error_code retval = 0; + size_t prflen, iterations; + krb5_data out_data; + krb5_data in_data; + char *buffer = NULL; + struct k5buf prf_inbuf; + krb5int_buf_init_dynamic(&prf_inbuf); + krb5int_buf_add_len( &prf_inbuf, "\001", 1); + krb5int_buf_add( &prf_inbuf, pepper); + retval = krb5_c_prf_length( context, k->enctype, &prflen); + if (retval != 0) + goto cleanup; + iterations = keybytes/prflen; + if ((keybytes%prflen) != 0) + iterations++; + assert(iterations <= 254); + buffer = malloc(iterations*prflen); + if (buffer == NULL) { + retval = ENOMEM; + goto cleanup; + } + if (krb5int_buf_len( &prf_inbuf) == -1) { + retval = ENOMEM; + goto cleanup; + } + in_data.length = (krb5_int32) krb5int_buf_len( &prf_inbuf); + in_data.data = krb5int_buf_data( &prf_inbuf); + out_data.length = prflen; + out_data.data = buffer; + + while (iterations > 0) { + retval = krb5_c_prf( context, k, &in_data, &out_data); + if (retval != 0) + goto cleanup; + out_data.data += prflen; + in_data.data[0]++; + iterations--; + } + cleanup: + if (retval == 0 ) + *out = buffer; + else{ + if (buffer != NULL) + free(buffer); + } + krb5int_free_buf( &prf_inbuf); + return retval; +} + + +krb5_error_code KRB5_CALLCONV +krb5_c_fx_cf2_simple(krb5_context context, + krb5_keyblock *k1, const char *pepper1, + krb5_keyblock *k2, const char *pepper2, + krb5_keyblock **out) +{ + const struct krb5_keytypes *out_enctype; + size_t keybytes, keylength, i; + char *prf1 = NULL, *prf2 = NULL; + krb5_data keydata; + krb5_enctype out_enctype_num; + krb5_error_code retval = 0; + krb5_keyblock *out_key = NULL; + + + if (k1 == NULL ||!krb5_c_valid_enctype(k1->enctype)) + return KRB5_BAD_ENCTYPE; + if (k2 == NULL || !krb5_c_valid_enctype(k2->enctype)) + return KRB5_BAD_ENCTYPE; + out_enctype_num = k1->enctype; + assert(out != NULL); + assert ((out_enctype = find_enctype(out_enctype_num)) 
!= NULL); + if (out_enctype->prf == NULL) { + if (context) + krb5int_set_error(&(context->err) , KRB5_CRYPTO_INTERNAL, + "Enctype %d has no PRF", out_enctype_num); + return KRB5_CRYPTO_INTERNAL; + } + keybytes = out_enctype->enc->keybytes; + keylength = out_enctype->enc->keylength; + + retval = prf_plus( context, k1, pepper1, keybytes, &prf1); + if (retval != 0) + goto cleanup; + retval = prf_plus( context, k2, pepper2, keybytes, &prf2); + if (retval != 0) + goto cleanup; + for (i = 0; i < keybytes; i++) + prf1[i] ^= prf2[i]; + zap(prf2, keybytes); + retval = krb5int_c_init_keyblock( context, out_enctype_num, keylength, &out_key); + if (retval != 0) + goto cleanup; + keydata.data = prf1; + keydata.length = keybytes; + retval = out_enctype->enc->make_key( &keydata, out_key); + + cleanup: + if (retval == 0) + *out = out_key; + else krb5int_c_free_keyblock( context, out_key); + if (prf1 != NULL) { + zap(prf1, keybytes); + free(prf1); + } + if (prf2 != NULL) + free(prf2); + return retval; +} Modified: branches/krb5-1-7/src/lib/crypto/etypes.h =================================================================== --- branches/krb5-1-7/src/lib/crypto/etypes.h 2009-04-14 21:07:39 UTC (rev 22227) +++ branches/krb5-1-7/src/lib/crypto/etypes.h 2009-04-14 21:07:42 UTC (rev 22228) 
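Review bot: In `krb5_c_fx_cf2_simple` the enctype lookup is done inside an assertion, `assert ((out_enctype = find_enctype(out_enctype_num)) != NULL);`, so a build with NDEBUG drops the assignment and the next statement dereferences an uninitialized `out_enctype`. Do the lookup unconditionally and fail closed: `out_enctype = find_enctype(out_enctype_num);` followed by `if (out_enctype == NULL) return KRB5_BAD_ENCTYPE;`. The same concern applies to `assert(iterations <= 254);` in `prf_plus`, which is the only guard on the one-byte counter in `in_data.data[0]` and should be a checked error return instead. Separately, `prf_plus` frees `buffer` on its error path without `zap`, and the caller zaps only `keybytes` of buffers that are `iterations*prflen` long, so PRF output can be left behind in freed heap memory.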
@@ -67,3 +67,17 @@ extern const struct krb5_keytypes krb5_enctypes_list[]; extern const int krb5_enctypes_length; + +static inline const struct krb5_keytypes* +find_enctype (krb5_enctype enctype) +{ + int i; + for (i=0; i + +#include +#include +#include + +int main () { + char pepper1[1024], pepper2[1024]; + krb5_keyblock *k1 = NULL, *k2 = NULL, *out = NULL; + krb5_data s2k; + unsigned int i; + while (1) { + krb5_enctype enctype; + char s[1025]; + + if (scanf( "%d", &enctype) == EOF) + break; + if (scanf("%1024s", &s[0]) == EOF) + break; + assert (krb5_init_keyblock(0, enctype, 0, &k1) == 0); + s2k.data = &s[0]; + s2k.length = strlen(s); + assert(krb5_c_string_to_key (0, enctype, &s2k, &s2k, k1) == 0); + if (scanf("%1024s", &s[0]) == EOF) + break; + assert (krb5_init_keyblock(0, enctype, 0, &k2) == 0); + s2k.data = &s[0]; + s2k.length = strlen(s); + assert(krb5_c_string_to_key (0, enctype, &s2k, &s2k, k2) == 0); + if (scanf("%1024s %1024s", pepper1, pepper2) == EOF) + break; + assert(krb5_c_fx_cf2_simple(0, k1, pepper1, + k2, pepper2, &out) ==0); + i = out->length; + for (; i > 0; i--) { + printf ("%02x", + (unsigned int) ((unsigned char) out->contents[out->length-i])); + } + printf ("\n"); + + krb5_free_keyblock(0,out); + out = NULL; + + krb5_free_keyblock(0, k1); + k1 = NULL; + krb5_free_keyblock(0, k2); + k2 = NULL; + } + + return (0); +} Added: branches/krb5-1-7/src/lib/crypto/t_cf2.comments =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_cf2.comments 2009-04-14 21:07:39 UTC (rev 22227) +++ branches/krb5-1-7/src/lib/crypto/t_cf2.comments 2009-04-14 21:07:42 UTC (rev 22228) 
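Review bot: In `main` of the cf2 test program (its hunk header and include lines were lost on this page), `pepper1` and `pepper2` are declared `char [1024]` but read with `scanf("%1024s %1024s", pepper1, pepper2)`, which can store 1024 characters plus the terminating NUL, one byte past each array. Size them like `s`, i.e. `char pepper1[1025], pepper2[1025];`, or read with `%1023s`. The setup calls are also wrapped in `assert(...)` (`krb5_init_keyblock`, `krb5_c_string_to_key`, `krb5_c_fx_cf2_simple`), so an NDEBUG build would skip them and then read `out->length` through a NULL `out`. The `scanf` results are compared only against `EOF`, so a non-numeric enctype line leaves `enctype` uninitialized; checking for the expected conversion count would catch that.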
@@ -0,0 +1,3 @@
+The first test mirrors the first two tests in t_prf.in.
+
+The second test mirrors the following four tests in t_prf.in.
Added: branches/krb5-1-7/src/lib/crypto/t_cf2.expected
===================================================================
--- branches/krb5-1-7/src/lib/crypto/t_cf2.expected 2009-04-14 21:07:39 UTC (rev 22227)
+++ branches/krb5-1-7/src/lib/crypto/t_cf2.expected 2009-04-14 21:07:42 UTC (rev 22228)
@@ -0,0 +1,2 @@
+97df97e4b798b29eb31ed7280287a92a
+4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b
Added: branches/krb5-1-7/src/lib/crypto/t_cf2.in
===================================================================
--- branches/krb5-1-7/src/lib/crypto/t_cf2.in 2009-04-14 21:07:39 UTC (rev 22227)
+++ branches/krb5-1-7/src/lib/crypto/t_cf2.in 2009-04-14 21:07:42 UTC (rev 22228)
@@ -0,0 +1,10 @@
+17
+key1
+key2
+a
+b
+18
+key1
+key2
+a
+b
Added: branches/krb5-1-7/src/lib/crypto/t_prf.comments
===================================================================
--- branches/krb5-1-7/src/lib/crypto/t_prf.comments 2009-04-14 21:07:39 UTC (rev 22227)
+++ branches/krb5-1-7/src/lib/crypto/t_prf.comments 2009-04-14 21:07:42 UTC (rev 22228)
@@ -0,0 +1,8 @@
+The first two tests are effectively a call to krb-fx-cf2 for
+aes-128-cts. This mirrorrs the first test in t_cf2.in.
+
+
+The next four tests mirror a call to KRB-FX-CF2 for aes256-cts; this
+mirrors the second test in t_cf2.in.
+
+
Added: branches/krb5-1-7/src/lib/crypto/t_prf.expected
===================================================================
--- branches/krb5-1-7/src/lib/crypto/t_prf.expected 2009-04-14 21:07:39 UTC (rev 22227)
+++ branches/krb5-1-7/src/lib/crypto/t_prf.expected 2009-04-14 21:07:42 UTC (rev 22228)
@@ -0,0 +1,6 @@
+77b39a37a868920f2a51f9dd150c5717
+e06c0dd31ff02091994f2ef5178bfe3d
+b2628c788e2e9c4a9bb4644678c29f2f
+b406373350cee8a6126f4a9b65a0cd21
+ff0e289ea756c0559a0e911856961a49
+0d674dd0f9a6806525a4d92e828bd15a
Added: branches/krb5-1-7/src/lib/crypto/t_prf.in
===================================================================
--- branches/krb5-1-7/src/lib/crypto/t_prf.in 2009-04-14 21:07:39 UTC (rev 22227)
+++ branches/krb5-1-7/src/lib/crypto/t_prf.in 2009-04-14 21:07:42 UTC (rev 22228)
@@ -0,0 +1,18 @@
+17
+key1
+2 0161
+17
+key2
+2 0162
+18
+key1
+2 0161
+18
+key1
+2 0261
+18
+key2
+2 0162
+18
+key2
+2 0262
From tlyu at MIT.EDU Wed Apr 15 16:06:30 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:30 -0400 Subject: svn rev #22231: branches/krb5-1-7/src/lib/krb5/asn.1/ Message-ID: <200904152006.n3FK6U3o001131@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22231 Commit By: tlyu Log Message: ticket: 6427 version_fixed: 1.7 pull up r22107 from trunk ------------------------------------------------------------------------ r22107 | ghudson | 2009-03-17 17:54:51 -0400 (Tue, 17 Mar 2009) | 8 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c ticket: 6427 subject: Fix error handling issue in ASN.1 decoder tags: pullup target_version: 1.7 In asn1_k_decode.c, check the return value of end_sequence_of_no_tagvars_helper. Changed Files: U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c
Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-14 21:07:49 UTC (rev 22230)
+++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-15 20:06:29 UTC (rev 22231)
@@ -364,7 +364,8 @@ return retval; } #define end_sequence_of_no_tagvars(buf) \ - end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef) + retval = end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef); \ + if (retval) clean_return(retval) /* * Function body for a pointer decoder, which allocates a pointer From tlyu at MIT.EDU Wed Apr 15 16:06:35 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:35 -0400 Subject: svn rev #22232: branches/krb5-1-7/src/ config/ include/ lib/kadm5/ Message-ID: <200904152006.n3FK6Z8q001169@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22232 Commit By: tlyu Log Message: ticket: 6431 version_fixed: 1.7 pull up r22112 from trunk ------------------------------------------------------------------------ r22112 | ghudson | 2009-03-20 14:09:19 -0400 (Fri, 20 Mar 2009) | 11 lines Changed paths: M /trunk/src/config/pre.in M /trunk/src/include/Makefile.in M /trunk/src/include/kdb.h M /trunk/src/lib/kadm5/Makefile.in M /trunk/src/lib/kadm5/admin.h ticket: 6431 subject: Install kadmin and kdb headers tags: pullup target_version: 1.7 Add disclaimers to the kadmin and kdb headers about the weaker stability commitments we make for their APIs, and install them for the benefit of users who can tolerate such instability. (The kadmin interface is the real goal here, but the kadmin header includes kdb.h so we need to install both.) Changed Files: U branches/krb5-1-7/src/config/pre.in U branches/krb5-1-7/src/include/Makefile.in U branches/krb5-1-7/src/include/kdb.h U branches/krb5-1-7/src/lib/kadm5/Makefile.in U branches/krb5-1-7/src/lib/kadm5/admin.h Modified: branches/krb5-1-7/src/config/pre.in =================================================================== --- branches/krb5-1-7/src/config/pre.in 2009-04-15 20:06:29 UTC (rev 22231) +++ branches/krb5-1-7/src/config/pre.in 2009-04-15 20:06:35 UTC (rev 22232) 
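Review bot: The rewritten `end_sequence_of_no_tagvars(buf)` macro now expands to two statements, an assignment followed by an `if`, so it is no longer safe as the body of an unbraced `if`/`else` or loop. There only the assignment would be governed by the condition, and a following `else` would bind to the macro's own `if`. Wrapping it keeps the new return-value check and makes it a single statement: `do { retval = end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef); if (retval) clean_return(retval); } while (0)`. The call sites and the definition of `clean_return` are outside this hunk, so whether any current use is affected cannot be confirmed from here. A short comment saying that the macro needs `retval`, `seqbuf` and `seqofindef` in scope would also help the next reader.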
@@ -219,6 +219,7 @@ KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5 GSS_MODULE_DIR = @libdir@/gss KRB5_INCSUBDIRS = \ + $(KRB5_INCDIR)/kadm5 \ $(KRB5_INCDIR)/krb5 \ $(KRB5_INCDIR)/gssapi \ $(KRB5_INCDIR)/gssrpc Modified: branches/krb5-1-7/src/include/Makefile.in =================================================================== --- branches/krb5-1-7/src/include/Makefile.in 2009-04-15 20:06:29 UTC (rev 22231) +++ branches/krb5-1-7/src/include/Makefile.in 2009-04-15 20:06:35 UTC (rev 22232) @@ -132,6 +132,7 @@ install-headers-unix install:: krb5/krb5.h profile.h $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h + $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h $(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h $(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h Modified: branches/krb5-1-7/src/include/kdb.h =================================================================== --- branches/krb5-1-7/src/include/kdb.h 2009-04-15 20:06:29 UTC (rev 22231) +++ branches/krb5-1-7/src/include/kdb.h 2009-04-15 20:06:35 UTC (rev 22232) @@ -58,9 +58,19 @@ * Use is subject to license terms. */ +/* This API is not considered as stable as the main krb5 API. + * + * - We may make arbitrary incompatible changes between feature + * releases (e.g. from 1.7 to 1.8). + * - We will make some effort to avoid making incompatible changes for + * bugfix releases, but will make them if necessary. + */ + #ifndef KRB5_KDB5__ #define KRB5_KDB5__ +#include + /* Salt types */ #define KRB5_KDB_SALTTYPE_NORMAL 0 #define KRB5_KDB_SALTTYPE_V4 1 Modified: branches/krb5-1-7/src/lib/kadm5/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/kadm5/Makefile.in 2009-04-15 20:06:29 UTC (rev 22231) +++ branches/krb5-1-7/src/lib/kadm5/Makefile.in 2009-04-15 20:06:35 UTC (rev 22232) 
@@ -98,5 +98,10 @@ clean-windows:: +install-headers-unix install:: $(BUILD_HDRS) + $(INSTALL_DATA) $(srcdir)/admin.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)admin.h + $(INSTALL_DATA) chpass_util_strings.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)chpass_util_strings.h + $(INSTALL_DATA) kadm_err.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)kadm_err.h + @libobj_frag@ Modified: branches/krb5-1-7/src/lib/kadm5/admin.h =================================================================== --- branches/krb5-1-7/src/lib/kadm5/admin.h 2009-04-15 20:06:29 UTC (rev 22231) +++ branches/krb5-1-7/src/lib/kadm5/admin.h 2009-04-15 20:06:35 UTC (rev 22232) @@ -30,6 +30,17 @@ * $Header$ */ +/* + * This API is not considered as stable as the main krb5 API. + * + * - We may make arbitrary incompatible changes between feature + * releases (e.g. from 1.7 to 1.8). + * - We will make some effort to avoid making incompatible changes for + * bugfix releases, but will make them if necessary. + * - We make no commitments at all regarding the v1 API (obtained by + * defining USE_KADM5_API_VERSION to 1) and expect to remove it. + */ + #ifndef __KADM5_ADMIN_H__ #define __KADM5_ADMIN_H__ From tlyu at MIT.EDU Wed Apr 15 16:06:41 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:41 -0400 Subject: svn rev #22234: branches/krb5-1-7/src/kadmin/dbutil/ Message-ID: <200904152006.n3FK6fD9001245@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22234 Commit By: tlyu Log Message: ticket: 6432 version_fixed: 1.7 pull up r22114 from trunk ------------------------------------------------------------------------ r22114 | wfiveash | 2009-03-25 17:12:58 -0400 (Wed, 25 Mar 2009) | 9 lines Changed paths: M /trunk/src/kadmin/dbutil/kdb5_util.M Ticket: 6432 Subject: Update kdb5_util man page for mkey migration project Version_Reported: 1.7 Target_Version: 1.7 Tags: pullup Updated the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project. Changed Files: U branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M Modified: branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M =================================================================== --- branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M 2009-04-15 20:06:38 UTC (rev 22233) +++ branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M 2009-04-15 20:06:41 UTC (rev 22234) 
@@ -216,20 +216,31 @@ \fBark\fP Adds a random key. .TP -\fBadd_mkey\fP ... -This option needs documentation. +\fBadd_mkey\fP [\fB\-e etype\fP] [\fB\-s\fP] +Adds a new master key to the K/M (master key) principal. Existing master keys will remain. +The +.B \-e etype +option allows specification of the enctype of the new master key. The +.B \-s +option stashes the new master key in a local stash file which will be created if it doesn't already exist. .TP -\fBuse_mkey\fP ... -This option needs documentation. +\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP] +Sets the activation time of the master key specified by +.B mkeyVNO. +Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when the principal keys change, are newly created or when the update_princ_encryption command is run. If the +.B time +argument is provided then that will be the activation time otherwise the current time is used by default. The format of the optional +.B time +argument is that specified in the Time Formats section of the kadmin man page. .TP \fBlist_mkeys\fP -This option needs documentation. +List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key. .TP \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP] Update all principal records (or only those matching the .B princ\-pattern -glob pattern) to re-encrypt the key data using the latest version of -the database master key, if they are encrypted using older versions, +glob pattern) to re-encrypt the key data using the active +database master key, if they are encrypted using older versions, and give a count at the end of the number of principals updated. If the .B \-f From tlyu at MIT.EDU Wed Apr 15 16:06:47 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:47 -0400 Subject: svn rev #22236: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904152006.n3FK6l5K001334@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22236 Commit By: tlyu Log Message: ticket: 6393 pull up r22044 from trunk ------------------------------------------------------------------------ r22044 | hartmans | 2009-02-23 11:22:47 -0500 (Mon, 23 Feb 2009) | 10 lines Changed paths: M /trunk/src/lib/krb5/krb/send_tgs.c Ticket: 6393 send_tgs.c: * Move generation of subkey into krb5int_send_tgs from construct_authenticator so that it is available for encrypting authorization data. * Initialize rep->message_type and note that rep is touched on unsuccessful calls (this has always been true). * Do not set *subkey until successful return. Thanks to Greg Hudson for pointing out these problems. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:44 UTC (rev 22235) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:47 UTC (rev 22236) @@ -49,7 +49,7 @@ */ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, - krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock **subkey) + krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { krb5_error_code retval; krb5_checksum checksum; @@ -58,11 +58,11 @@ krb5_data * scratch; krb5_data * toutbuf; checksum.contents = NULL; -/* Generate subkey*/ - if ((retval = krb5_generate_subkey( context, &in_cred->keyblock, - subkey)) != 0) - return retval; + request.authenticator.ciphertext.data = NULL; + request.authenticator.kvno = 0; + request.ap_options = 0; + request.ticket = 0; /* Generate checksum */ if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, 
@@ -74,7 +74,7 @@ } /* gen authenticator */ - authent.subkey = *subkey; /*owned by caller*/ + authent.subkey = subkey; /*owned by caller*/ authent.seq_number = 0; authent.checksum = &checksum; authent.client = in_cred->client; @@ -92,10 +92,6 @@ free(checksum.contents); checksum.contents = NULL; - request.authenticator.ciphertext.data = NULL; - request.authenticator.kvno = 0; - request.ap_options = 0; - request.ticket = 0; if ((retval = decode_krb5_ticket(&(in_cred)->ticket, &request.ticket))) /* Cleanup scratch and scratch data */ @@ -126,13 +122,11 @@ free(scratch); } - if (*subkey && retval != 0) { - krb5_free_keyblock(context, *subkey); - *subkey = NULL; - } return retval; } - +/* + * Note that this function fills in part of rep even on failure. + */ krb5_error_code krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, @@ -150,6 +144,7 @@ krb5_pa_data **combined_padata; krb5_pa_data ap_req_padata; int tcp_only = 0, use_master; + krb5_keyblock *local_subkey = NULL; assert (subkey != NULL); *subkey = NULL; 
@@ -166,22 +161,29 @@ tgsreq.server = (krb5_principal) sname; tgsreq.from = timestruct->starttime; - tgsreq.till = timestruct->endtime ? timestruct->endtime : - in_cred->times.endtime; - tgsreq.rtime = timestruct->renew_till; - if ((retval = krb5_timeofday(context, &time_now))) - return(retval); - /* XXX we know they are the same size... */ - rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; - rep->request_time = time_now; + tgsreq.till = timestruct->endtime ? timestruct->endtime : in_cred->times.endtime; + tgsreq.authorization_data.ciphertext.data = NULL; + tgsreq.rtime = timestruct->renew_till; + if ((retval = krb5_timeofday(context, &time_now))) + return(retval); + /* XXX we know they are the same size... */ + rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; + rep->request_time = time_now; + rep->message_type = KRB5_ERROR; /*caller only uses the response + * element on successful return*/ tgsreq.addresses = (krb5_address **) addrs; +/* Generate subkey*/ + if ((retval = krb5_generate_subkey( context, &in_cred->keyblock, + &local_subkey)) != 0) + return retval; + if (authorization_data) { /* need to encrypt it in the request */ if ((retval = encode_krb5_authdata(authorization_data, &scratch))) - return(retval); + goto send_tgs_error_1; if ((retval = krb5_encrypt_helper(context, *subkey, KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, @@ -189,7 +191,7 @@ &tgsreq.authorization_data))) { free(tgsreq.authorization_data.ciphertext.data); krb5_free_data(context, scratch); - return retval; + goto send_tgs_error_1; } krb5_free_data(context, scratch); @@ -226,7 +228,7 @@ * Get an ap_req. */ if ((retval = tgs_construct_tgsreq(context, scratch, in_cred - , &scratch2, subkey))) { + , &scratch2, local_subkey))) { krb5_free_data(context, scratch); goto send_tgs_error_2; } 
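Review bot: The authorization-data branch of `krb5int_send_tgs` still encrypts with `*subkey` (`krb5_encrypt_helper(context, *subkey, KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, ...`), but after this change the freshly generated key is held in `local_subkey`. `*subkey` is set to NULL at the top of the function and is not assigned until a TGS-REP is recognised, so the helper is handed a NULL key whenever `authorization_data` is supplied. The call should pass `local_subkey`, matching the `tgs_construct_tgsreq(..., local_subkey)` change in the `@@ -226,7 +228,7 @@` hunk. The body of `krb5int_send_tgs` starts and ends outside this hunk.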
@@ -297,8 +299,10 @@ ; } rep->message_type = KRB5_ERROR; - } else if (krb5_is_tgs_rep(&rep->response)) + } else if (krb5_is_tgs_rep(&rep->response)) { rep->message_type = KRB5_TGS_REP; + *subkey = local_subkey; + } else /* XXX: assume it's an error */ rep->message_type = KRB5_ERROR; } @@ -317,10 +321,9 @@ tgsreq.authorization_data.ciphertext.length); free(tgsreq.authorization_data.ciphertext.data); } - if (rep->message_type != KRB5_TGS_REP && *subkey){ + if (rep->message_type != KRB5_TGS_REP && local_subkey){ krb5_free_keyblock(context, *subkey); - *subkey = NULL; - } + } return retval; From tlyu at MIT.EDU Wed Apr 15 16:06:44 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:44 -0400 Subject: svn rev #22235: branches/krb5-1-7/ src/lib/krb5/krb/ Message-ID: <200904152006.n3FK6ilx001282@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22235 Commit By: tlyu Log Message: ticket: 6435 version_fixed: 1.7 pull up r22147 from trunk ------------------------------------------------------------------------ r22147 | ghudson | 2009-03-29 22:43:51 -0400 (Sun, 29 Mar 2009) | 5 lines Changed paths: M /trunk/README M /trunk/src/lib/krb5/krb/Makefile.in M /trunk/src/lib/krb5/krb/deps A /trunk/src/lib/krb5/krb/t_pac.c A /trunk/src/lib/krb5/krb/t_princ.c ticket: 6435 subject: Add PAC and principal parsing test cases From Heimdal, ported by Luke, further modified by me. Changed Files: U branches/krb5-1-7/README U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in U branches/krb5-1-7/src/lib/krb5/krb/deps A branches/krb5-1-7/src/lib/krb5/krb/t_pac.c A branches/krb5-1-7/src/lib/krb5/krb/t_princ.c Modified: branches/krb5-1-7/README =================================================================== --- branches/krb5-1-7/README 2009-04-15 20:06:41 UTC (rev 22234) +++ branches/krb5-1-7/README 2009-04-15 20:06:44 UTC (rev 22235) 
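Review bot: The failure cleanup in the `@@ -317,10 +321,9 @@` hunk now tests `local_subkey` but still frees `*subkey`: `if (rep->message_type != KRB5_TGS_REP && local_subkey){ krb5_free_keyblock(context, *subkey); }`. On that path `*subkey` was never assigned, since it is set only in the `KRB5_TGS_REP` branch added in the `@@ -297,8 +299,10 @@` hunk, so the generated subkey is never released and its key bytes stay in process memory. The call should be `krb5_free_keyblock(context, local_subkey);`. Whether the `goto send_tgs_error_1` exits added earlier in the function reach this block cannot be seen from the hunk, so those early-error paths need the same check.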
@@ -907,6 +907,41 @@ California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. + -------------------- + +Marked test programs in src/lib/krb5/krb have the following copyright: + +Copyright (c) 2006 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of KTH nor the names of its contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY +EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ Acknowledgements ---------------- Modified: branches/krb5-1-7/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:06:41 UTC (rev 22234) +++ branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:06:44 UTC (rev 22235) @@ -278,7 +278,9 @@ $(srcdir)/t_kerb.c \ $(srcdir)/t_ser.c \ $(srcdir)/t_deltat.c \ - $(srcdir)/t_expand.c + $(srcdir)/t_expand.c \ + $(srcdir)/t_pac.c \ + $(srcdir)/t_princ.c # Someday, when we have a "maintainer mode", do this right: BISON=bison @@ -306,6 +308,10 @@ T_DELTAT_OBJS= t_deltat.o deltat.o +T_PAC_OBJS= t_pac.o pac.o + +T_PRINC_OBJS= t_princ.o parse.o unparse.o + t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) t_authdata: t_authdata.o copy_auth.o @@ -325,8 +331,15 @@ t_expand : $(T_EXPAND_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_expand $(T_EXPAND_OBJS) $(KRB5_BASE_LIBS) -TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata +t_pac: $(T_PAC_OBJS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o t_pac $(T_PAC_OBJS) $(KRB5_BASE_LIBS) +t_princ: $(T_PRINC_OBJS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o t_princ $(T_PRINC_OBJS) $(KRB5_BASE_LIBS) + +TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ + t_princ + check-unix:: $(TEST_PROGS) KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) ./t_kerb \ 
@@ -360,6 +373,8 @@ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) ./t_authdata + $(RUN_SETUP) $(VALGRIND) ./t_pac + $(RUN_SETUP) $(VALGRIND) ./t_princ clean:: $(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \ Modified: branches/krb5-1-7/src/lib/krb5/krb/deps =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/deps 2009-04-15 20:06:41 UTC (rev 22234) +++ branches/krb5-1-7/src/lib/krb5/krb/deps 2009-04-15 20:06:44 UTC (rev 22235) 
@@ -910,3 +910,23 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h chk_trans.c t_expand.c +t_pac.so t_pac.po $(OUTPRE)t_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + t_pac.c +t_princ.so t_princ.po $(OUTPRE)t_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + t_princ.c Added: branches/krb5-1-7/src/lib/krb5/krb/t_pac.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/t_pac.c 2009-04-15 20:06:41 UTC (rev 22234) +++ branches/krb5-1-7/src/lib/krb5/krb/t_pac.c 2009-04-15 20:06:44 UTC (rev 22235) 
@@ -0,0 +1,318 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+
+/*
+ * This PAC and keys are copied (with permission) from Samba torture
+ * regression test suite, they where created by Andrew Bartlet.
+ */
+
+static const unsigned char saved_pac[] = {
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
+ 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
+ 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
+ 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
+ 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
+ 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
+ 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
+ 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
+ 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+ 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
+ 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
+ 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
+ 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+ 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
+ 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
+ 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
+ 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
+ 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
+ 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
+};
+
+static unsigned int type_1_length = 472;
+
+static const krb5_keyblock kdc_keyblock = {
+ 0, ENCTYPE_ARCFOUR_HMAC,
+ 16, (krb5_octet *)"\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7"
+};
+
+static const krb5_keyblock member_keyblock = {
+ 0, ENCTYPE_ARCFOUR_HMAC,
+ 16, (krb5_octet *)"\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC"
+};
+
+static time_t authtime = 1120440609;
+static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
+
+static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
+ __attribute__((__format__(__printf__, 3, 0)));
+
+static void
+err(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
+{
+ va_list ap;
+ char *msg;
+ const char *errmsg = NULL;
+
+ va_start(ap, fmt);
+ if (vasprintf(&msg, fmt, ap) < 0)
+ exit(1);
+ va_end(ap);
+ if (ctx && code)
+ errmsg = krb5_get_error_message(ctx, code);
+ if (errmsg)
+ fprintf(stderr, "t_pac: %s: %s\n", msg, errmsg);
+ else
+ fprintf(stderr, "t_pac: %s\n", msg);
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_pac pac;
+ krb5_data data;
+ krb5_principal p;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ err(NULL, 0, "krb5_init_contex");
+
+ krb5_set_default_realm(context, "WIN2K3.THINKER.LOCAL");
+
+ ret = krb5_parse_name(context, user, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac);
+ if (ret)
+ err(context, ret, "krb5_pac_parse");
+
+ ret = krb5_pac_verify(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock);
+ if (ret)
+ err(context, ret, "krb5_pac_verify");
+
+ ret = krb5int_pac_sign(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+ err(context, ret, "krb5int_pac_sign");
+
+ krb5_pac_free(context, pac);
+
+ ret = krb5_pac_parse(context, data.data, data.length, &pac);
+ krb5_free_data_contents(context, &data);
+ if (ret)
+ err(context, ret, "krb5_pac_parse 2");
+
+ ret = krb5_pac_verify(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock);
+ if (ret)
+ err(context, ret, "krb5_pac_verify 2");
+
+ /* make a copy and try to reproduce it */
+ {
+ uint32_t *list;
+ size_t len, i;
+ krb5_pac pac2;
+
+ ret = krb5_pac_init(context, &pac2);
+ if (ret)
+ err(context, ret, "krb5_pac_init");
+
+ /* our two user buffer plus the three "system" buffers */
+ ret = krb5_pac_get_types(context, pac, &len, &list);
+ if (ret)
+ err(context, ret, "krb5_pac_get_types");
+
+ for (i = 0; i < len; i++) {
+ /* skip server_cksum, privsvr_cksum, and logon_name */
+ if (list[i] == 6 || list[i] == 7 || list[i] == 10)
+ continue;
+
+ ret = krb5_pac_get_buffer(context, pac, list[i], &data);
+ if (ret)
+ err(context, ret, "krb5_pac_get_buffer");
+
+ if (list[i] == 1) {
+ if (type_1_length != data.length)
+ err(context, 0, "type 1 have wrong length: %lu",
+ (unsigned long)data.length);
+ } else
+ err(context, 0, "unknown type %lu", (unsigned long)list[i]);
+
+ ret = krb5_pac_add_buffer(context, pac2, list[i], &data);
+ if (ret)
+ err(context, ret, "krb5_pac_add_buffer");
+ krb5_free_data_contents(context, &data);
+ }
+ free(list);
+
+ ret = krb5int_pac_sign(context, pac2, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+ err(context, ret, "krb5int_pac_sign 4");
+
+ krb5_pac_free(context, pac2);
+
+ ret = krb5_pac_parse(context, data.data, data.length, &pac2);
+ if (ret)
+ err(context, ret, "krb5_pac_parse 4");
+
+ ret = krb5_pac_verify(context, pac2, authtime, p,
+ &member_keyblock, &kdc_keyblock);
+ if (ret)
+ err(context, ret, "krb5_pac_verify 4");
+
+ krb5_pac_free(context, pac2);
+ }
+
+ krb5_pac_free(context, pac);
+
+ /*
+ * Test empty free
+ */
+
+ ret = krb5_pac_init(context, &pac);
+ if (ret)
+ err(context, ret, "krb5_pac_init");
+ krb5_pac_free(context, pac);
+
+ /*
+ * Test add remove buffer
+ */
+
+ ret = krb5_pac_init(context, &pac);
+ if (ret)
+ err(context, ret, "krb5_pac_init");
+
+ {
+ const krb5_data cdata = { 0, 2, "\x00\x01" } ;
+
+ ret = krb5_pac_add_buffer(context, pac, 1, &cdata);
+ if (ret)
+ err(context, ret, "krb5_pac_add_buffer");
+ }
+ {
+ ret = krb5_pac_get_buffer(context, pac, 1, &data);
+ if (ret)
+ err(context, ret, "krb5_pac_get_buffer");
+ if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0)
+ err(context, 0, "krb5_pac_get_buffer data not the same");
+ krb5_free_data_contents(context, &data);
+ }
+
+ {
+ const krb5_data cdata = { 0, 2, "\x02\x00" } ;
+
+ ret = krb5_pac_add_buffer(context, pac, 2, &cdata);
+ if (ret)
+ err(context, ret, "krb5_pac_add_buffer");
+ }
+ {
+ ret = krb5_pac_get_buffer(context, pac, 1, &data);
+ if (ret)
+ err(context, ret, "krb5_pac_get_buffer");
+ if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0)
+ err(context, 0, "krb5_pac_get_buffer data not the same");
+ krb5_free_data_contents(context, &data);
+ /* */
+ ret = krb5_pac_get_buffer(context, pac, 2, &data);
+ if (ret)
+ err(context, ret, "krb5_pac_get_buffer");
+ if (data.length != 2 || memcmp(data.data, "\x02\x00", 2) != 0)
+ err(context, 0, "krb5_pac_get_buffer data not the same");
+ krb5_free_data_contents(context, &data);
+ }
+
+ ret = krb5int_pac_sign(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
+ if (ret)
+ err(context, ret, "krb5int_pac_sign");
+
+ krb5_pac_free(context, pac);
+
+ ret = krb5_pac_parse(context, data.data, data.length, &pac);
+ krb5_free_data_contents(context, &data);
+ if (ret)
+ err(context, ret, "krb5_pac_parse 3");
+
+ ret = krb5_pac_verify(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock);
+ if (ret)
+ err(context, ret, "krb5_pac_verify 3");
+
+ {
+ uint32_t *list;
+ size_t len;
+
+ /* our two user buffer plus the three "system" buffers */
+ ret = krb5_pac_get_types(context, pac, &len, &list);
+ if (ret)
+ err(context, ret, "krb5_pac_get_types");
+ if (len != 5)
+ err(context, 0, "list wrong length");
+ free(list);
+ }
+
+ krb5_pac_free(context, pac);
+
+ krb5_free_principal(context, p);
+ krb5_free_context(context);
+
+ return 0;
+}
Added: branches/krb5-1-7/src/lib/krb5/krb/t_princ.c
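Review bot: Every `krb5_pac_verify` call in this test is expected to succeed, so a verifier that accepted any signature would still pass; a negative case after the first successful verify would close that gap, for example `if (krb5_pac_verify(context, pac, authtime, p, &kdc_keyblock, &member_keyblock) == 0) err(context, 0, "krb5_pac_verify accepted swapped keys");`. The `err()` prototype is annotated `__format__(__printf__, 3, 0)`, which tells the compiler not to check the variadic arguments against the format string; `3, 4` would enable that check, and t_princ.c carries the same declaration. The buffer returned by the `krb5int_pac_sign 4` call is also never released with `krb5_free_data_contents(context, &data)`, unlike the other sign calls in `main`.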
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/t_princ.c 2009-04-15 20:06:41 UTC (rev 22234)
+++ branches/krb5-1-7/src/lib/krb5/krb/t_princ.c 2009-04-15 20:06:44 UTC (rev 22235)
@@ -0,0 +1,401 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "k5-int.h"
+
+/*
+ * Check that a closed cc still keeps it data and that it's no longer
+ * there when it's destroyed.
+ */
+
+static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
+ __attribute__((__format__(__printf__, 3, 0)));
+
+static void
+err(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
+{
+ va_list ap;
+ char *msg;
+ const char *errmsg = NULL;
+
+ va_start(ap, fmt);
+ if (vasprintf(&msg, fmt, ap) < 0)
+ exit(1);
+ va_end(ap);
+ if (ctx && code)
+ errmsg = krb5_get_error_message(ctx, code);
+ if (errmsg)
+ fprintf(stderr, "t_princ: %s: %s\n", msg, errmsg);
+ else
+ fprintf(stderr, "t_princ: %s\n", msg);
+ exit(1);
+}
+
+static void
+test_princ(krb5_context context)
+{
+ const char *princ = "lha at SU.SE";
+ const char *princ_short = "lha";
+ const char *noquote;
+ krb5_error_code ret;
+ char *princ_unparsed;
+ char *princ_reformed = NULL;
+ const char *realm;
+
+ krb5_principal p, p2;
+
+ ret = krb5_parse_name(context, princ, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_unparse_name(context, p, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ, princ_unparsed)) {
+ err(context, 0, "%s != %s", princ, princ_unparsed);
+ }
+
+ free(princ_unparsed);
+
+ ret = krb5_unparse_name_flags(context, p,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ_short, princ_unparsed))
+ err(context, 0, "%s != %s", princ_short, princ_unparsed);
+ free(princ_unparsed);
+
+ realm = krb5_princ_realm(context, p)->data;
+
+ asprintf(&princ_reformed, "%s@%s", princ_short, realm);
+
+ ret = krb5_parse_name(context, princ_reformed, &p2);
+ free(princ_reformed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (!krb5_principal_compare(context, p, p2)) {
+ err(context, 0, "p != p2");
+ }
+
+ krb5_free_principal(context, p2);
+
+ ret = krb5_set_default_realm(context, "SU.SE");
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_unparse_name_flags(context, p,
+ KRB5_PRINCIPAL_UNPARSE_SHORT,
+ &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ_short, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_parse_name(context, princ_short, &p2);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (!krb5_principal_compare(context, p, p2))
+ err(context, 0, "p != p2");
+ krb5_free_principal(context, p2);
+
+ ret = krb5_unparse_name(context, p, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_set_default_realm(context, "SAMBA.ORG");
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_parse_name(context, princ_short, &p2);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (krb5_principal_compare(context, p, p2))
+ err(context, 0, "p == p2");
+
+ if (!krb5_principal_compare_any_realm(context, p, p2))
+ err(context, 0, "(ignoring realms) p != p2");
+
+ ret = krb5_unparse_name(context, p2, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ, princ_unparsed) == 0)
+ err(context, 0, "%s == %s", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ krb5_free_principal(context, p2);
+
+ ret = krb5_parse_name(context, princ, &p2);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (!krb5_principal_compare(context, p, p2))
+ err(context, 0, "p != p2");
+
+ ret = krb5_unparse_name(context, p2, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (strcmp(princ, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ krb5_free_principal(context, p2);
+
+ ret = krb5_unparse_name_flags(context, p,
+ KRB5_PRINCIPAL_UNPARSE_SHORT,
+ &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_short");
+
+ if (strcmp(princ, princ_unparsed) != 0)
+ err(context, 0, "'%s' != '%s'", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_unparse_name(context, p, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_short");
+
+ if (strcmp(princ, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_parse_name_flags(context, princ,
+ KRB5_PRINCIPAL_PARSE_NO_REALM,
+ &p2);
+ if (!ret)
+ err(context, ret, "Should have failed to parse %s a "
+ "short name", princ);
+
+ ret = krb5_parse_name_flags(context, princ_short,
+ KRB5_PRINCIPAL_PARSE_NO_REALM,
+ &p2);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_unparse_name_flags(context, p2,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_unparsed);
+ krb5_free_principal(context, p2);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_norealm");
+
+ if (strcmp(princ_short, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_parse_name_flags(context, princ_short,
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
+ &p2);
+ if (!ret)
+ err(context, ret, "Should have failed to parse %s "
+ "because it lacked a realm", princ_short);
+
+ ret = krb5_parse_name_flags(context, princ,
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
+ &p2);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ if (!krb5_principal_compare(context, p, p2))
+ err(context, 0, "p != p2");
+
+ ret = krb5_unparse_name_flags(context, p2,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_unparsed);
+ krb5_free_principal(context, p2);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_norealm");
+
+ if (strcmp(princ_short, princ_unparsed))
+ err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed);
+ free(princ_unparsed);
+
+ krb5_free_principal(context, p);
+
+ /* test quoting */
+
+ princ = "test\\/principal at SU.SE";
+ noquote = "test/principal at SU.SE";
+
+ ret = krb5_parse_name_flags(context, princ, 0, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_unparse_name_flags(context, p, 0, &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_flags");
+
+ if (strcmp(princ, princ_unparsed))
+ err(context, 0, "q '%s' != '%s'", princ, princ_unparsed);
+ free(princ_unparsed);
+
+ ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+ &princ_unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name_flags");
+
+ if (strcmp(noquote, princ_unparsed))
+ err(context, 0, "nq '%s' != '%s'", noquote, princ_unparsed);
+ free(princ_unparsed);
+
+ krb5_free_principal(context, p);
+}
+
+static void
+test_enterprise(krb5_context context)
+{
+ krb5_error_code ret;
+ char *unparsed;
+ krb5_principal p;
+
+ ret = krb5_set_default_realm(context, "SAMBA.ORG");
+ if (ret)
+ err(context, ret, "krb5_parse_name");
+
+ ret = krb5_parse_name_flags(context, "lha at su.se@WIN.SU.SE",
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name_flags");
+
+ ret = krb5_unparse_name(context, p, &unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name");
+
+ krb5_free_principal(context, p);
+
+ if (strcmp(unparsed, "lha\\@su.se at WIN.SU.SE") != 0)
+ err(context, 0, "enterprise name failed 1");
+ free(unparsed);
+
+ /*
+ *
+ */
+
+ ret = krb5_parse_name_flags(context, "lha\\@su.se at WIN.SU.SE",
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name_flags");
+
+ ret = krb5_unparse_name(context, p, &unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name");
+
+ krb5_free_principal(context, p);
+ if (strcmp(unparsed, "lha\\@su.se\\@WIN.SU.SE at SAMBA.ORG") != 0)
+ err(context, 0, "enterprise name failed 2: %s", unparsed);
+ free(unparsed);
+
+ /*
+ *
+ */
+
+ ret = krb5_parse_name_flags(context, "lha\\@su.se at WIN.SU.SE", 0, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name_flags");
+
+ ret = krb5_unparse_name(context, p, &unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name");
+
+ krb5_free_principal(context, p);
+ if (strcmp(unparsed, "lha\\@su.se at WIN.SU.SE") != 0)
+ err(context, 0, "enterprise name failed 3");
+ free(unparsed);
+
+ /*
+ *
+ */
+
+ ret = krb5_parse_name_flags(context, "lha at su.se",
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name_flags");
+
+ ret = krb5_unparse_name(context, p, &unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name");
+
+ krb5_free_principal(context, p);
+ if (strcmp(unparsed, "lha\\@su.se at SAMBA.ORG") != 0)
+ err(context, 0, "enterprise name failed 2: %s", unparsed);
+ free(unparsed);
+
+
+ ret = krb5_parse_name_flags(context, "lukeh at ntdev.padl.com",
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+ if (ret)
+ err(context, ret, "krb5_parse_name_flags");
+
+ ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &unparsed);
+ if (ret)
+ err(context, ret, "krb5_unparse_name");
+
+ krb5_free_principal(context, p);
+ if (strcmp(unparsed, "lukeh at ntdev.padl.com") != 0)
+ err(context, 0, "enterprise name failed 4: %s", unparsed);
+ free(unparsed);
+}
+
+
+int
+main(int argc, char **argv)
+{
+ krb5_context context;
+ krb5_error_code ret;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ err(NULL, 0, "krb5_init_context failed: %d", ret);
+
+ test_princ(context);
+
+ test_enterprise(context);
+
+ krb5_free_context(context);
+
+ return 0;
+}
From tlyu at MIT.EDU Wed Apr 15 16:06:53 2009
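Review bot: In `test_princ` the result of `asprintf(&princ_reformed, "%s@%s", princ_short, realm)` is not checked before `princ_reformed` is passed to `krb5_parse_name`, and on failure the pointer's value is not guaranteed; `if (asprintf(&princ_reformed, "%s@%s", princ_short, realm) < 0) err(context, 0, "asprintf");` stops the test there instead. `realm` is taken directly from `krb5_princ_realm(context, p)->data` and printed with `%s`, which assumes the realm buffer is NUL-terminated; that is not shown here, so either confirm it or format with `%.*s` and the realm length. Many failure messages are labelled `krb5_parse_name` although the failing call is `krb5_unparse_name`, `krb5_unparse_name_flags` or `krb5_set_default_realm`, which will misdirect whoever debugs a failure. The header comment about a closed cc does not describe these principal tests.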
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:53 -0400 Subject: svn rev #22238: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904152006.n3FK6r8q001427@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22238 Commit By: tlyu Log Message: ticket: 6466 tags: pullup target_version: 1.7 version_fixed: 1.7 subject: check encode_krb5_ap_req return in send_tgs.c pull up r22050 from trunk ------------------------------------------------------------------------ r22050 | tsitkova | 2009-02-23 16:26:29 -0500 (Mon, 23 Feb 2009) | 2 lines Changed paths: M /trunk/src/lib/krb5/krb/send_tgs.c Check return code of encode_krb5_ap_req. Also, tabs vs whitespace. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:49 UTC (rev 22237) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:52 UTC (rev 22238) @@ -1,7 +1,7 @@ /* * lib/krb5/krb/send_tgs.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -49,16 +49,16 @@ */ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, - krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) + krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { krb5_error_code retval; krb5_checksum checksum; - krb5_authenticator authent; - krb5_ap_req request; - krb5_data * scratch = NULL; - krb5_data * toutbuf; + krb5_authenticator authent; + krb5_ap_req request; + krb5_data * scratch = NULL; + krb5_data * toutbuf = NULL; + checksum.contents = NULL; - request.authenticator.ciphertext.data = NULL; request.authenticator.kvno = 0; request.ap_options = 0; 
@@ -66,11 +66,11 @@ /* Generate checksum */ if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, - &in_cred->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - in_data, &checksum))) { - free(checksum.contents); - goto cleanup; + &in_cred->keyblock, + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + in_data, &checksum))) { + free(checksum.contents); + goto cleanup; } /* gen authenticator */ 
@@ -80,48 +80,50 @@ authent.client = in_cred->client; authent.authorization_data = in_cred->authdata; if ((retval = krb5_us_timeofday(context, &authent.ctime, - &authent.cusec))) - goto cleanup; + &authent.cusec))) + goto cleanup; /* encode the authenticator */ if ((retval = encode_krb5_authenticator(&authent, &scratch))) - goto cleanup; + goto cleanup; - free(checksum.contents); checksum.contents = NULL; if ((retval = decode_krb5_ticket(&(in_cred)->ticket, &request.ticket))) - /* Cleanup scratch and scratch data */ + /* Cleanup scratch and scratch data */ goto cleanup; /* call the encryption routine */ if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AUTH, - scratch, &request.authenticator))) - goto cleanup; + KRB5_KEYUSAGE_TGS_REQ_AUTH, + scratch, &request.authenticator))) + goto cleanup; - retval = encode_krb5_ap_req(&request, &toutbuf); - *outbuf = *toutbuf; - free(toutbuf); + if (!(retval = encode_krb5_ap_req(&request, &toutbuf))) { + *outbuf = *toutbuf; + free(toutbuf); + } - memset(request.authenticator.ciphertext.data, 0, request.authenticator.ciphertext.length); free(request.authenticator.ciphertext.data); + request.authenticator.ciphertext.length = 0; + request.authenticator.ciphertext.data = 0; - cleanup: -if (request.ticket) - krb5_free_ticket(context, request.ticket); - if (scratch != NULL && scratch->data != NULL) { -zap(scratch->data, scratch->length); - free(scratch->data); - } - free(scratch); +cleanup: + if (request.ticket) + krb5_free_ticket(context, request.ticket); + if (scratch != NULL && scratch->data != NULL) { + zap(scratch->data, scratch->length); + free(scratch->data); + } + free(scratch); + return retval; } /* 
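Review bot: The `goto cleanup` exits taken when `krb5_us_timeofday` or `encode_krb5_authenticator` fails run after the checksum has been built, but the `cleanup:` label in this hunk releases only `request.ticket` and `scratch`, so `checksum.contents` appears to leak on those paths. Since the commit now initialises `checksum.contents = NULL` at the top of the function (earlier hunk), the label could own the buffer: add `free(checksum.contents);` under `cleanup:` and drop the separate free in the `krb5_c_make_checksum` failure branch. `tgs_construct_tgsreq` begins before this hunk and the archive has collapsed the diff lines, so this reading should be checked against the file itself.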
@@ -129,11 +131,11 @@ */ krb5_error_code krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, - const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, - krb5_const_principal sname, krb5_address *const *addrs, - krb5_authdata *const *authorization_data, - krb5_pa_data *const *padata, const krb5_data *second_ticket, - krb5_creds *in_cred, krb5_response *rep, krb5_keyblock **subkey) + const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, + krb5_const_principal sname, krb5_address *const *addrs, + krb5_authdata *const *authorization_data, + krb5_pa_data *const *padata, const krb5_data *second_ticket, + krb5_creds *in_cred, krb5_response *rep, krb5_keyblock **subkey) { krb5_error_code retval; krb5_kdc_req tgsreq; 
@@ -162,75 +164,75 @@ tgsreq.from = timestruct->starttime; tgsreq.till = timestruct->endtime ? timestruct->endtime : in_cred->times.endtime; - tgsreq.authorization_data.ciphertext.data = NULL; - tgsreq.rtime = timestruct->renew_till; - if ((retval = krb5_timeofday(context, &time_now))) - return(retval); - /* XXX we know they are the same size... */ - rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; - rep->request_time = time_now; - rep->message_type = KRB5_ERROR; /*caller only uses the response - * element on successful return*/ + tgsreq.authorization_data.ciphertext.data = NULL; + tgsreq.rtime = timestruct->renew_till; + if ((retval = krb5_timeofday(context, &time_now))) + return(retval); + /* XXX we know they are the same size... */ + rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; + rep->request_time = time_now; + rep->message_type = KRB5_ERROR; /*caller only uses the response + * element on successful return*/ tgsreq.addresses = (krb5_address **) addrs; -/* Generate subkey*/ + /* Generate subkey*/ if ((retval = krb5_generate_subkey( context, &in_cred->keyblock, - &local_subkey)) != 0) - return retval; + &local_subkey)) != 0) + return retval; if (authorization_data) { - /* need to encrypt it in the request */ + /* need to encrypt it in the request */ - if ((retval = encode_krb5_authdata(authorization_data, &scratch))) - goto send_tgs_error_1; + if ((retval = encode_krb5_authdata(authorization_data, &scratch))) + goto send_tgs_error_1; - if ((retval = krb5_encrypt_helper(context, *subkey, - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, - scratch, - &tgsreq.authorization_data))) { - free(tgsreq.authorization_data.ciphertext.data); - krb5_free_data(context, scratch); - goto send_tgs_error_1; - } + if ((retval = krb5_encrypt_helper(context, *subkey, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, + scratch, + &tgsreq.authorization_data))) { + free(tgsreq.authorization_data.ciphertext.data); + krb5_free_data(context, scratch); + goto send_tgs_error_1; + } - 
krb5_free_data(context, scratch); + krb5_free_data(context, scratch); } /* Get the encryption types list */ if (ktypes) { - /* Check passed ktypes and make sure they're valid. */ - for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) { - if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes])) - return KRB5_PROG_ETYPE_NOSUPP; - } - tgsreq.ktype = (krb5_enctype *)ktypes; + /* Check passed ktypes and make sure they're valid. */ + for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) { + if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes])) + return KRB5_PROG_ETYPE_NOSUPP; + } + tgsreq.ktype = (krb5_enctype *)ktypes; } else { /* Get the default ktypes */ krb5_get_tgs_ktypes(context, sname, &(tgsreq.ktype)); - for(tgsreq.nktypes = 0; tgsreq.ktype[tgsreq.nktypes]; tgsreq.nktypes++); + for(tgsreq.nktypes = 0; tgsreq.ktype[tgsreq.nktypes]; tgsreq.nktypes++); } if (second_ticket) { - if ((retval = decode_krb5_ticket(second_ticket, &sec_ticket))) - goto send_tgs_error_1; - sec_ticket_arr[0] = sec_ticket; - sec_ticket_arr[1] = 0; - tgsreq.second_ticket = sec_ticket_arr; + if ((retval = decode_krb5_ticket(second_ticket, &sec_ticket))) + goto send_tgs_error_1; + sec_ticket_arr[0] = sec_ticket; + sec_ticket_arr[1] = 0; + tgsreq.second_ticket = sec_ticket_arr; } else - tgsreq.second_ticket = 0; + tgsreq.second_ticket = 0; /* encode the body; then checksum it */ if ((retval = encode_krb5_kdc_req_body(&tgsreq, &scratch))) - goto send_tgs_error_2; + goto send_tgs_error_2; /* * Get an ap_req. */ - if ((retval = tgs_construct_tgsreq(context, scratch, in_cred - , &scratch2, local_subkey))) { + if ((retval = tgs_construct_tgsreq(context, scratch, in_cred, + &scratch2, local_subkey))) { krb5_free_data(context, scratch); - goto send_tgs_error_2; + goto send_tgs_error_2; } krb5_free_data(context, scratch); 
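Review bot: The authorization data is encrypted with `*subkey`, the caller's output parameter, although the key generated a few lines earlier is stored in `local_subkey` and `*subkey` is only assigned once a TGS-REP has arrived (later hunk); unless callers pre-populate `*subkey`, which is not visible here, the call should read `krb5_encrypt_helper(context, local_subkey, KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, scratch, &tgsreq.authorization_data)`. The same mix-up shows in the final cleanup of the `@@ -278` hunk, where the failure path calls `krb5_free_keyblock(context, *subkey)` rather than freeing `local_subkey`. The `return KRB5_PROG_ETYPE_NOSUPP;` inside the ktypes loop also leaves without passing the `send_tgs_error_1` cleanup, so the generated subkey and any encrypted authdata are not released, and the result of `krb5_get_tgs_ktypes` is not checked before `tgsreq.ktype` is walked. `krb5int_send_tgs` starts and ends outside this hunk.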
@@ -240,36 +242,36 @@ /* combine in any other supplied padata */ if (padata) { - krb5_pa_data * const * counter; - register unsigned int i = 0; - for (counter = padata; *counter; counter++, i++); - combined_padata = malloc((i+2) * sizeof(*combined_padata)); - if (!combined_padata) { - free(ap_req_padata.contents); - retval = ENOMEM; - goto send_tgs_error_2; - } - combined_padata[0] = &ap_req_padata; - for (i = 1, counter = padata; *counter; counter++, i++) - combined_padata[i] = (krb5_pa_data *) *counter; - combined_padata[i] = 0; + krb5_pa_data * const * counter; + register unsigned int i = 0; + for (counter = padata; *counter; counter++, i++); + combined_padata = malloc((i+2) * sizeof(*combined_padata)); + if (!combined_padata) { + free(ap_req_padata.contents); + retval = ENOMEM; + goto send_tgs_error_2; + } + combined_padata[0] = &ap_req_padata; + for (i = 1, counter = padata; *counter; counter++, i++) + combined_padata[i] = (krb5_pa_data *) *counter; + combined_padata[i] = 0; } else { - combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata)); - if (!combined_padata) { - free(ap_req_padata.contents); - retval = ENOMEM; - goto send_tgs_error_2; - } - combined_padata[0] = &ap_req_padata; - combined_padata[1] = 0; + combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata)); + if (!combined_padata) { + free(ap_req_padata.contents); + retval = ENOMEM; + goto send_tgs_error_2; + } + combined_padata[0] = &ap_req_padata; + combined_padata[1] = 0; } tgsreq.padata = combined_padata; /* the TGS_REQ is assembled in tgsreq, so encode it */ if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) { - free(ap_req_padata.contents); - free(combined_padata); - goto send_tgs_error_2; + free(ap_req_padata.contents); + free(combined_padata); + goto send_tgs_error_2; } free(ap_req_padata.contents); free(combined_padata); 
@@ -278,53 +280,52 @@ send_again: use_master = 0; retval = krb5_sendto_kdc(context, scratch, - krb5_princ_realm(context, sname), - &rep->response, &use_master, tcp_only); + krb5_princ_realm(context, sname), + &rep->response, &use_master, tcp_only); if (retval == 0) { - if (krb5_is_krb_error(&rep->response)) { - if (!tcp_only) { - krb5_error *err_reply; - retval = decode_krb5_error(&rep->response, &err_reply); - if (retval) - goto send_tgs_error_3; - if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { - tcp_only = 1; - krb5_free_error(context, err_reply); - free(rep->response.data); - rep->response.data = NULL; - goto send_again; - } - krb5_free_error(context, err_reply); - send_tgs_error_3: - ; - } - rep->message_type = KRB5_ERROR; - } else if (krb5_is_tgs_rep(&rep->response)) { - rep->message_type = KRB5_TGS_REP; - *subkey = local_subkey; - } - else /* XXX: assume it's an error */ - rep->message_type = KRB5_ERROR; + if (krb5_is_krb_error(&rep->response)) { + if (!tcp_only) { + krb5_error *err_reply; + retval = decode_krb5_error(&rep->response, &err_reply); + if (retval) + goto send_tgs_error_3; + if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { + tcp_only = 1; + krb5_free_error(context, err_reply); + free(rep->response.data); + rep->response.data = NULL; + goto send_again; + } + krb5_free_error(context, err_reply); + send_tgs_error_3: + ; + } + rep->message_type = KRB5_ERROR; + } else if (krb5_is_tgs_rep(&rep->response)) { + rep->message_type = KRB5_TGS_REP; + *subkey = local_subkey; + } else /* XXX: assume it's an error */ + rep->message_type = KRB5_ERROR; } krb5_free_data(context, scratch); send_tgs_error_2:; if (sec_ticket) - krb5_free_ticket(context, sec_ticket); + krb5_free_ticket(context, sec_ticket); send_tgs_error_1:; if (ktypes == NULL) - free(tgsreq.ktype); + free(tgsreq.ktype); if (tgsreq.authorization_data.ciphertext.data) { - memset(tgsreq.authorization_data.ciphertext.data, 0, + memset(tgsreq.authorization_data.ciphertext.data, 0, 
tgsreq.authorization_data.ciphertext.length); - free(tgsreq.authorization_data.ciphertext.data); + free(tgsreq.authorization_data.ciphertext.data); } if (rep->message_type != KRB5_TGS_REP && local_subkey){ - krb5_free_keyblock(context, *subkey); + krb5_free_keyblock(context, *subkey); } - return retval; } + From tlyu at MIT.EDU Wed Apr 15 16:06:39 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:39 -0400 Subject: svn rev #22233: branches/krb5-1-7/src/ include/ plugins/preauth/pkinit/ Message-ID: <200904152006.n3FK6d9c001207@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22233 Commit By: tlyu Log Message: ticket: 6397 pull up r22113 from trunk ------------------------------------------------------------------------ r22113 | ghudson | 2009-03-24 13:24:31 -0400 (Tue, 24 Mar 2009) | 5 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/plugins/preauth/pkinit/pkinit.h M /trunk/src/plugins/preauth/pkinit/pkinit_clnt.c M /trunk/src/plugins/preauth/pkinit/pkinit_matching.c M /trunk/src/plugins/preauth/pkinit/pkinit_srv.c Revert r21880 which included k5-int.h in several pkinit source files. Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and add duplicate definitions of the non-pkinit-specific macros used by the pkinit code. Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit.h U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_matching.c U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:06:35 UTC (rev 22232) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:06:38 UTC (rev 22233) 
@@ -241,22 +241,6 @@
 #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
 #define KRB5_CONF_NOADDRESSES "noaddresses"
 #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
-#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
-#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
-#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"
-#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
-#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
-#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
-#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
-#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
-#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
-#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"
-#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file"
-#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
-#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
-#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
-#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k"
-#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding"
 #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
 #define KRB5_CONF_PROXIABLE "proxiable"
 #define KRB5_CONF_RDNS "rdns"
Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit.h
===================================================================
--- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit.h 2009-04-15 20:06:35 UTC (rev 22232)
+++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit.h 2009-04-15 20:06:38 UTC (rev 22233)
@@ -71,6 +71,26 @@ #define PKINIT_DEFAULT_DH_MIN_BITS 2048 +#define KRB5_CONF_KDCDEFAULTS "kdcdefaults" +#define KRB5_CONF_LIBDEFAULTS "libdefaults" +#define KRB5_CONF_REALMS "realms" +#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn" +#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors" +#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match" +#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits" +#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking" +#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities" +#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" +#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" +#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" +#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn" +#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mapping_file" +#define KRB5_CONF_PKINIT_POOL "pkinit_pool" +#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" +#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" +#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k" +#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding" + /* Make pkiDebug(fmt,...) print, or not. */ #ifdef DEBUG #define pkiDebug printf Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-04-15 20:06:35 UTC (rev 22232) +++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-04-15 20:06:38 UTC (rev 22233) @@ -38,7 +38,6 @@ #include #include -#include "k5-int.h" #include "pkinit.h" #ifdef LONGHORN_BETA_COMPAT Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_matching.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_matching.c 2009-04-15 20:06:35 UTC (rev 22232) +++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_matching.c 2009-04-15 20:06:38 UTC (rev 22233) 
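Review bot: `KRB5_CONF_PKINIT_MAPPING_FILE` changes value as it moves: the definition removed from k5-int.h was `"pkinit_mappings_file"`, while the one added to pkinit.h in this hunk is `"pkinit_mapping_file"`. The log message describes only a relocation of the macros, so a configuration that sets the old spelling would presumably stop being honoured without any error. If the new spelling is the intended name, say so in the log message; otherwise keep `#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file"`. A one-line comment above the three duplicated non-pkinit macros (`KRB5_CONF_KDCDEFAULTS`, `KRB5_CONF_LIBDEFAULTS`, `KRB5_CONF_REALMS`) stating that they must match k5-int.h would help keep the copies from drifting.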
@@ -34,7 +34,6 @@ #include #include #include -#include "k5-int.h" #include "pkinit.h" typedef struct _pkinit_cert_info pkinit_cert_info; Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c 2009-04-15 20:06:35 UTC (rev 22232) +++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c 2009-04-15 20:06:38 UTC (rev 22233) @@ -33,7 +33,6 @@ #include #include -#include "k5-int.h" #include "pkinit.h" static krb5_error_code From tlyu at MIT.EDU Wed Apr 15 16:06:55 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:55 -0400 Subject: svn rev #22239: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904152006.n3FK6tbB001464@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22239 Commit By: tlyu Log Message: ticket: 6393 pull up r22148 from trunk ------------------------------------------------------------------------ r22148 | hartmans | 2009-03-31 12:50:25 -0400 (Tue, 31 Mar 2009) | 4 lines Changed paths: M /trunk/src/lib/krb5/krb/send_tgs.c ticket: 6393 in send_tgs.c: Encrypt using local_subkey not *subkey Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:52 UTC (rev 22238) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:55 UTC (rev 22239) @@ -187,7 +187,7 @@ if ((retval = encode_krb5_authdata(authorization_data, &scratch))) goto send_tgs_error_1; - if ((retval = krb5_encrypt_helper(context, *subkey, + if ((retval = krb5_encrypt_helper(context, local_subkey, KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, scratch, &tgsreq.authorization_data))) { From tlyu at MIT.EDU Wed Apr 15 16:06:59 2009 
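Review bot: In the send_tgs.c hunk (`@@ -187,7 +187,7 @@`), the cleanup at the end of this function probably needs the same `*subkey` to `local_subkey` correction; it lies outside the hunk. The trunk diff of send_tgs.c earlier on this page shows the tail as `if (rep->message_type != KRB5_TGS_REP && local_subkey){ krb5_free_keyblock(context, *subkey); }`, and `*subkey` is assigned only on the KRB5_TGS_REP path. If the branch has the same tail, a failed request frees whatever the caller's `*subkey` held and leaks the locally generated key; `krb5_free_keyblock(context, local_subkey);` matches what the guard tests.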
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:59 -0400 Subject: svn rev #22240: branches/krb5-1-7/src/ include/ lib/kdb/ lib/krb5/ lib/krb5/krb/ Message-ID: <200904152006.n3FK6x7C001511@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22240 Commit By: tlyu Log Message: ticket: 6467 subject: new copy_data_contents variant that null-terminates version_fixed: 1.7 tags: pullup target_version: 1.7 pull up r21893 from trunk ------------------------------------------------------------------------ r21893 | raeburn | 2009-02-05 13:42:10 -0500 (Thu, 05 Feb 2009) | 4 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/lib/kdb/kdb_cpw.c M /trunk/src/lib/krb5/krb/bld_pr_ext.c M /trunk/src/lib/krb5/krb/copy_data.c M /trunk/src/lib/krb5/krb/copy_princ.c M /trunk/src/lib/krb5/libkrb5.exports Create and use (in several places) a variant of krb5int_copy_data_contents that adds a trailing '\0' so the result can be used as a C string. Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/kdb/kdb_cpw.c U branches/krb5-1-7/src/lib/krb5/krb/bld_pr_ext.c U branches/krb5-1-7/src/lib/krb5/krb/copy_data.c U branches/krb5-1-7/src/lib/krb5/krb/copy_princ.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:06:58 UTC (rev 22240) 
@@ -1133,6 +1133,9 @@ krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *); krb5_error_code +krb5int_copy_data_contents_add0 (krb5_context, const krb5_data *, krb5_data *); + +krb5_error_code krb5int_copy_creds_contents (krb5_context, const krb5_creds *, krb5_creds *); typedef krb5_error_code (*krb5_gic_get_as_key_fct) Modified: branches/krb5-1-7/src/lib/kdb/kdb_cpw.c =================================================================== --- branches/krb5-1-7/src/lib/kdb/kdb_cpw.c 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/lib/kdb/kdb_cpw.c 2009-04-15 20:06:58 UTC (rev 22240) @@ -1,7 +1,7 @@ /* * lib/kdb/kdb_cpw.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
@@ -431,32 +431,17 @@ key_salt.data.length = 0; key_salt.data.data = 0; break; - case KRB5_KDB_SALTTYPE_AFS3: { -#if 0 - krb5_data * saltdata; - if (retval = krb5_copy_data(context, krb5_princ_realm(context, - db_entry->princ), &saltdata)) - return(retval); - - key_salt.data = *saltdata; + case KRB5_KDB_SALTTYPE_AFS3: + /* The afs_mit_string_to_key needs to use strlen, and the + realm field is not (necessarily) NULL terminated. */ + retval = krb5int_copy_data_contents_add0(context, + krb5_princ_realm(context, + db_entry->princ), + &key_salt.data); + if (retval) + return retval; key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/ - free(saltdata); -#else - /* Why do we do this? Well, the afs_mit_string_to_key needs to - use strlen, and the realm is not NULL terminated.... */ - unsigned int slen = - (*krb5_princ_realm(context,db_entry->princ)).length; - if(!(key_salt.data.data = (char *) malloc(slen+1))) - return ENOMEM; - key_salt.data.data[slen] = 0; - memcpy((char *)key_salt.data.data, - (char *)(*krb5_princ_realm(context,db_entry->princ)).data, - slen); - key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/ -#endif - - } - break; + break; default: return(KRB5_KDB_BAD_SALTTYPE); } Modified: branches/krb5-1-7/src/lib/krb5/krb/bld_pr_ext.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/bld_pr_ext.c 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/lib/krb5/krb/bld_pr_ext.c 2009-04-15 20:06:58 UTC (rev 22240) @@ -1,7 +1,7 @@ /* * lib/krb5/krb/bld_pr_ext.c * - * Copyright 1991, 2008 by the Massachusetts Institute of Technology. + * Copyright 1991, 2008, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
@@ -36,12 +36,10 @@ unsigned int rlen, const char * realm, ...) { va_list ap; - register int i, count = 0; - register unsigned int size; - register char *next; - char *tmpdata = 0; + int i, count = 0; krb5_data *princ_data; krb5_principal princ_ret; + krb5_data tmpdata; va_start(ap, realm); /* count up */ @@ -64,28 +62,22 @@ } princ_ret->data = princ_data; princ_ret->length = count; - tmpdata = malloc(rlen+1); - if (!tmpdata) { + tmpdata.length = rlen; + tmpdata.data = (char *) realm; + if (krb5int_copy_data_contents_add0(context, &tmpdata, &princ_ret->realm) != 0) { free(princ_data); free(princ_ret); return ENOMEM; } - krb5_princ_set_realm_length(context, princ_ret, rlen); - krb5_princ_set_realm_data(context, princ_ret, tmpdata); - memcpy(tmpdata, realm, rlen); - tmpdata[rlen] = 0; /* process rest of components */ va_start(ap, realm); for (i = 0; i < count; i++) { - size = va_arg(ap, unsigned int); - next = va_arg(ap, char *); - princ_data[i].length = size; - princ_data[i].data = malloc(size+1); - if (!princ_data[i].data) + tmpdata.length = va_arg(ap, unsigned int); + tmpdata.data = va_arg(ap, char *); + if (krb5int_copy_data_contents_add0(context, &tmpdata, + &princ_data[i]) != 0) goto free_out; - memcpy(princ_data[i].data, next, size); - princ_data[i].data[size] = 0; } va_end(ap); *princ = princ_ret; @@ -96,8 +88,8 @@ while (--i >= 0) free(princ_data[i].data); free(princ_data); + free(princ_ret->realm.data); free(princ_ret); - free(tmpdata); va_end(ap); return ENOMEM; } Modified: branches/krb5-1-7/src/lib/krb5/krb/copy_data.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/copy_data.c 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/lib/krb5/krb/copy_data.c 2009-04-15 20:06:58 UTC (rev 22240) 
@@ -1,7 +1,7 @@ /* * lib/krb5/krb/copy_data.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -75,3 +75,22 @@ return 0; } + +/* As above, but add an (uncounted) extra byte at the end to + null-terminate the data so it can be used as a standard C + string. */ +krb5_error_code +krb5int_copy_data_contents_add0(krb5_context context, const krb5_data *indata, krb5_data *outdata) +{ + if (!indata) + return EINVAL; + outdata->length = indata->length; + if (!(outdata->data = malloc(outdata->length + 1))) + return ENOMEM; + if (outdata->length) + memcpy(outdata->data, indata->data, outdata->length); + outdata->data[outdata->length] = 0; + outdata->magic = KV5M_DATA; + + return 0; +} Modified: branches/krb5-1-7/src/lib/krb5/krb/copy_princ.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/copy_princ.c 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/lib/krb5/krb/copy_princ.c 2009-04-15 20:06:58 UTC (rev 22240) @@ -1,7 +1,7 @@ /* * lib/krb5/krb/copy_princ.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
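Review bot: In krb5int_copy_data_contents_add0, `malloc(outdata->length + 1)` wraps to a zero-byte request when `indata->length` holds the maximum value of its type (the length fields appear to be `unsigned int`, judging by the `va_arg(ap, unsigned int)` use in bld_pr_ext.c), and the memcpy that follows would then write far past the allocation. Reject that length before allocating, for example `if (indata->length + 1 == 0) return ENOMEM;`. On the ENOMEM path `outdata->length` is already set while `outdata->data` is NULL and `magic` is unset, so assigning the output fields only after the allocation succeeds would leave the caller's structure untouched on failure.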
@@ -54,35 +54,25 @@ } for (i = 0; i < nelems; i++) { - unsigned int len = krb5_princ_component(context, inprinc, i)->length; - krb5_princ_component(context, tempprinc, i)->length = len; - if (len) { - if (((krb5_princ_component(context, tempprinc, i)->data = - malloc(len)) == 0)) { - while (--i >= 0) - free(krb5_princ_component(context, tempprinc, i)->data); - free (tempprinc->data); - free (tempprinc); - return ENOMEM; - } - memcpy(krb5_princ_component(context, tempprinc, i)->data, - krb5_princ_component(context, inprinc, i)->data, len); - } else - krb5_princ_component(context, tempprinc, i)->data = 0; + if (krb5int_copy_data_contents(context, + krb5_princ_component(context, inprinc, i), + krb5_princ_component(context, tempprinc, i)) != 0) { + while (--i >= 0) + free(krb5_princ_component(context, tempprinc, i)->data); + free (tempprinc->data); + free (tempprinc); + return ENOMEM; + } } - tempprinc->realm.data = - malloc((tempprinc->realm.length = inprinc->realm.length) + 1); - if (!tempprinc->realm.data) { + if (krb5int_copy_data_contents_add0(context, &inprinc->realm, + &tempprinc->realm) != 0) { for (i = 0; i < nelems; i++) free(krb5_princ_component(context, tempprinc, i)->data); free(tempprinc->data); free(tempprinc); return ENOMEM; } - memcpy(tempprinc->realm.data, inprinc->realm.data, - inprinc->realm.length); - tempprinc->realm.data[tempprinc->realm.length] = 0; *outprinc = tempprinc; return 0; Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-15 20:06:55 UTC (rev 22239) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-15 20:06:58 UTC (rev 22240) @@ -515,6 +515,7 @@ krb5int_cc_default krb5int_cleanup_library krb5int_cm_call_select +krb5int_copy_data_contents_add0 krb5int_foreach_localaddr krb5int_free_addrlist krb5int_init_context_kdc From tlyu at MIT.EDU Wed Apr 15 16:06:50 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:06:50 -0400 Subject: svn rev #22237: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904152006.n3FK6owq001380@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22237 Commit By: tlyu Log Message: ticket: 6465 tags: pullup target_version: 1.7 version_fixed: 1.7 subject: send_tgs.c static analyzer friendliness pull up r22002 from trunk ------------------------------------------------------------------------ r22002 | ghudson | 2009-02-13 17:00:47 -0500 (Fri, 13 Feb 2009) | 4 lines Changed paths: M /trunk/src/lib/krb5/krb/send_tgs.c In tgs_construct_tgsreq, free scratch even if scratch->data is NULL. (Which probably can't happen, but static analyzers don't know that.) Also protect scratch from being freed before initialization. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:47 UTC (rev 22236) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:06:49 UTC (rev 22237) @@ -55,7 +55,7 @@ krb5_checksum checksum; krb5_authenticator authent; krb5_ap_req request; - krb5_data * scratch; + krb5_data * scratch = NULL; krb5_data * toutbuf; checksum.contents = NULL; @@ -119,8 +119,8 @@ if (scratch != NULL && scratch->data != NULL) { zap(scratch->data, scratch->length); free(scratch->data); - free(scratch); } + free(scratch); return retval; } From tlyu at MIT.EDU Wed Apr 15 16:07:13 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:13 -0400 Subject: svn rev #22242: branches/krb5-1-7/src/lib/crypto/ Message-ID: <200904152007.n3FK7DBh001587@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22242 Commit By: tlyu Log Message: ticket: 6437 version_fixed: 1.7 pull up r22152 from trunk ------------------------------------------------------------------------ r22152 | hartmans | 2009-03-31 18:36:03 -0400 (Tue, 31 Mar 2009) | 6 lines Changed paths: M /trunk/src/lib/crypto/etypes.c ticket: 6437 target_version: 1.7 tags: pullup Subject: mark export grade RC4 as weak Set the weak enctype flag on the 40-bit RC4. Changed Files: U branches/krb5-1-7/src/lib/crypto/etypes.c Modified: branches/krb5-1-7/src/lib/crypto/etypes.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/etypes.c 2009-04-15 20:07:03 UTC (rev 22241) +++ branches/krb5-1-7/src/lib/crypto/etypes.c 2009-04-15 20:07:12 UTC (rev 22242) @@ -137,7 +137,8 @@ NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, - 0 /*flags*/ }, + ETYPE_WEAK + }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", { "aes128-cts" }, From tlyu at MIT.EDU Wed Apr 15 16:07:16 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:16 -0400 Subject: svn rev #22243: branches/krb5-1-7/ doc/ src/appl/bsd/ src/config-files/ src/lib/krb5/krb/ Message-ID: <200904152007.n3FK7GMP001629@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22243 Commit By: tlyu Log Message: ticket: 1624 version_fixed: 1.7 pull up r22154, r22159, r22160 from trunk ------------------------------------------------------------------------ r22160 | hartmans | 2009-04-02 23:33:01 -0400 (Thu, 02 Apr 2009) | 12 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/src/appl/bsd/kcmd.c M /trunk/src/config-files/krb5.conf.M M /trunk/src/lib/krb5/krb/init_ctx.c M /trunk/src/lib/krb5/krb/mk_req_ext.c ticket: 1624 Unfortunately, pre-1.7 krshd fails to support keyed checksums because it uses the wrong API and wrong key usage. So, if the auth_context has an explicit checksum type set, then respect that. kcmd sets such a checksum type. Also, because other applications may have the same problem, allow the config file variable if set to override the default checksum. * kcmd.c: Force use of rsa_md5 * init_ctx.c: do not default to md5 * mk_req_ext.c: allow auth_context to override ------------------------------------------------------------------------ r22159 | tlyu | 2009-04-02 19:30:28 -0400 (Thu, 02 Apr 2009) | 3 lines Changed paths: M /trunk/src/appl/bsd/krlogind.c M /trunk/src/appl/bsd/krshd.c ticket: 1624 Fix krshd and krlogind to use krb5_c_verify_checksum. ------------------------------------------------------------------------ r22154 | hartmans | 2009-04-01 14:25:02 -0400 (Wed, 01 Apr 2009) | 8 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/src/config-files/krb5.conf.M M /trunk/src/lib/krb5/krb/mk_req_ext.c M /trunk/src/lib/krb5/krb/send_tgs.c ticket: 1624 Target_version: 1.7 tags: pullup Use the preferred checksum for non-DES keys in the kdc_req path and all the time in the ap_req checksum path. 
This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility. Changed Files: U branches/krb5-1-7/doc/admin.texinfo U branches/krb5-1-7/src/appl/bsd/kcmd.c U branches/krb5-1-7/src/appl/bsd/krlogind.c U branches/krb5-1-7/src/appl/bsd/krshd.c U branches/krb5-1-7/src/config-files/krb5.conf.M U branches/krb5-1-7/src/lib/krb5/krb/init_ctx.c U branches/krb5-1-7/src/lib/krb5/krb/mk_req_ext.c U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:15 UTC (rev 22243) @@ -462,7 +462,8 @@ An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -The possible values and their meanings are as follows. +The +kdc_req_checksum_type is only used for DES keys. The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset. If set, then the selected checksum is used regardless of the type of key being used. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b Modified: branches/krb5-1-7/src/appl/bsd/kcmd.c =================================================================== --- branches/krb5-1-7/src/appl/bsd/kcmd.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/appl/bsd/kcmd.c 2009-04-15 20:07:15 UTC (rev 22243) 
@@ -473,6 +473,8 @@ if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2; + if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 ) + goto bad2; if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2; Modified: branches/krb5-1-7/src/appl/bsd/krlogind.c =================================================================== --- branches/krb5-1-7/src/appl/bsd/krlogind.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/appl/bsd/krlogind.c 2009-04-15 20:07:15 UTC (rev 22243) 
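Review bot: The new `krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5)` call carries no comment, and pinning the authenticator checksum to rsa-md5 for every key type reads like a regression to anyone who has not seen the log message. Add a comment above it such as `/* Pre-1.7 krshd cannot verify keyed checksums; force rsa-md5 for compatibility. */`. The ` !=0 )` spacing also differs from the neighbouring `if (krb5_auth_con_...(...))` checks in this hunk.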
@@ -1358,21 +1358,26 @@ if (authenticator->checksum) { struct sockaddr_in adr; socklen_t adr_length = sizeof(adr); - char * chksumbuf = NULL; + krb5_data chksumbuf; + krb5_boolean valid = 0; + + chksumbuf.data = NULL; if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; - if (asprintf(&chksumbuf, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) + if (asprintf(&chksumbuf.data, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; + error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; Modified: branches/krb5-1-7/src/appl/bsd/krshd.c =================================================================== --- branches/krb5-1-7/src/appl/bsd/krshd.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/appl/bsd/krshd.c 2009-04-15 20:07:15 UTC (rev 22243) @@ -1810,8 +1810,11 @@ struct sockaddr_storage adr; unsigned int adr_length = sizeof(adr); int e; - char namebuf[32], *chksumbuf = NULL; + char namebuf[32]; + krb5_boolean valid = 0; + krb5_data chksumbuf; + chksumbuf.data = NULL; if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; 
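Review bot: Both early exits in the krlogind.c hunk (`getsockname` failing and `asprintf` failing) jump to `error_cleanup` without assigning `status`, so if `status` is still 0 from the preceding calls (set outside the hunk) the function would carry on as though the authenticator checksum had been verified. Set a nonzero code before each jump, e.g. `status = errno;` for getsockname and `status = ENOMEM;` for asprintf. After a failed `asprintf` the output pointer is indeterminate on some C libraries, so also reset `chksumbuf.data = NULL;` there before the cleanup frees it. The krshd.c hunks that follow (`@@ -1810,8 +1810,11 @@` and `@@ -1819,19 +1822,20 @@`) have the same two exits.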
@@ -1819,19 +1822,20 @@ namebuf, sizeof(namebuf), NI_NUMERICSERV); if (e) fatal(netfd, "local error: can't examine port number"); - if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) + if (asprintf(&chksumbuf.data, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; Modified: branches/krb5-1-7/src/config-files/krb5.conf.M =================================================================== --- branches/krb5-1-7/src/config-files/krb5.conf.M 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/config-files/krb5.conf.M 2009-04-15 20:07:15 UTC (rev 22243) 
@@ -143,15 +143,11 @@ For compatability with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and -earlier. +earlier. This value is only used for DES keys; other keys use the +preferred checksum type for those keys. .IP ap_req_checksum_type -This allows you to set the checksum type used in the authenticator of -KRB_AP_REQ messages. The default value for this type is -CKSUMTYPE_RSA_MD5. For compatibility with applications linked against -DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use -the CKSUMTYPE_RSA_MD4 -instead. +If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE Modified: branches/krb5-1-7/src/lib/krb5/krb/init_ctx.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/init_ctx.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/lib/krb5/krb/init_ctx.c 2009-04-15 20:07:15 UTC (rev 22243) @@ -208,7 +208,7 @@ ctx->kdc_req_sumtype = tmp; profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, &tmp); ctx->default_ap_req_sumtype = tmp; Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_req_ext.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_req_ext.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_req_ext.c 2009-04-15 20:07:15 UTC (rev 22243) 
@@ -204,8 +204,15 @@ checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; + if ((*auth_context)->req_cksumtype) + cksumtype = (*auth_context)->req_cksumtype; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:07:12 UTC (rev 22242) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-04-15 20:07:15 UTC (rev 22243) @@ -51,6 +51,7 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) { From tlyu at MIT.EDU Wed Apr 15 16:07:19 2009 
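Review bot: In the mk_req_ext.c hunk the mandatory checksum lookup runs, and can fail with `goto cleanup_cksum`, even when `(*auth_context)->req_cksumtype` is non-zero and would replace the result anyway. Reading the override first and calling `krb5int_c_mandatory_cksumtype` only when it is 0 avoids failing a request that never needed the lookup. The override also deserves a comment, for example `/* A non-zero req_cksumtype is an explicit compatibility override and replaces the enctype's mandatory checksum. */`, because it lets configuration pick a checksum type that this hunk does not check against the key's enctype. The `cleanup_cksum` label is outside the hunk, so what it frees on this early exit should be confirmed.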
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:19 -0400 Subject: svn rev #22244: branches/krb5-1-7/src/kdc/ Message-ID: <200904152007.n3FK7J6n001682@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22244 Commit By: tlyu Log Message: ticket: 6438 version_fixed: 1.7 pull up r22168 from trunk ------------------------------------------------------------------------ r22168 | hartmans | 2009-04-03 01:36:25 -0400 (Fri, 03 Apr 2009) | 8 lines Changed paths: M /trunk/src/kdc/kdc_authdata.c ticket: 6438 Subject: Handle authdata encrypted in subkey target_version: 1.7 tags: pullup RFC 4120 requires that if a subkey is present in the TGS request that authorization data be encrypted in the subkey. Our KDC did not handle this correctly. Changed Files: U branches/krb5-1-7/src/kdc/kdc_authdata.c Modified: branches/krb5-1-7/src/kdc/kdc_authdata.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_authdata.c 2009-04-15 20:07:15 UTC (rev 22243) +++ branches/krb5-1-7/src/kdc/kdc_authdata.c 2009-04-15 20:07:18 UTC (rev 22244) @@ -403,6 +403,13 @@ KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, 0, &request->authorization_data, &scratch); + if (code != 0) + code = krb5_c_decrypt(context, + client_key, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, + 0, &request->authorization_data, + &scratch); + if (code != 0) { free(scratch.data); return code; From tlyu at MIT.EDU Wed Apr 15 16:07:24 2009 
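Review bot: The added `krb5_c_decrypt` retry runs after any failure of the first attempt, so the key and key usage are chosen by trial rather than by whether the TGS request actually carried a subkey, and the first error code is overwritten. The log message says RFC 4120 requires the subkey when one is present, which suggests selecting `KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY` up front in that case and keeping the session-key attempt only as a documented interoperability fallback. At minimum add a comment such as `/* Fall back to the subkey usage; the first attempt's error is intentionally discarded. */`. The first call's key argument and the origin of `client_key` are outside the hunk.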
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:24 -0400 Subject: svn rev #22246: branches/krb5-1-7/src/kdc/ Message-ID: <200904152007.n3FK7Ot8001758@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22246 Commit By: tlyu Log Message: ticket: 6439 pull up r22171 from trunk ------------------------------------------------------------------------ r22171 | hartmans | 2009-04-05 17:11:26 -0400 (Sun, 05 Apr 2009) | 7 lines Changed paths: M /trunk/src/kdc/do_tgs_req.c ticket: 6439 Subject: Implement KDC side of TGS FAST target_version: 1.7 tags: pullup Most of the KDC side of TGS FAST was already present. This adds correct generation of the reply key. Changed Files: U branches/krb5-1-7/src/kdc/do_tgs_req.c Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:07:21 UTC (rev 22245) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:07:24 UTC (rev 22246) @@ -98,12 +98,13 @@ krb5_transited enc_tkt_transited; int newtransited = 0; krb5_error_code retval = 0; + krb5_keyblock encrypting_key; int nprincs = 0; krb5_boolean more; krb5_timestamp kdc_time, authtime=0; krb5_keyblock session_key; krb5_timestamp until, rtime; - krb5_keyblock encrypting_key; + krb5_keyblock *reply_key = NULL; krb5_keyblock *mkey_ptr; krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; @@ -884,10 +885,14 @@ status = "Preparing FAST padata"; goto cleanup; } + errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); + if (errcode) { + status = "generating reply key"; + goto cleanup; + } errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, - subkey ? subkey : - header_ticket->enc_part2->session, + reply_key, &reply, response); if (errcode) { status = "ENCODE_KDC_REP"; 
@@ -906,6 +911,8 @@ cleanup: assert(status != NULL); + if (reply_key) + krb5_free_keyblock(kdc_context, reply_key); if (errcode) emsg = krb5_get_error_message (kdc_context, errcode); log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, From tlyu at MIT.EDU Wed Apr 15 16:07:06 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:06 -0400 Subject: svn rev #22241: branches/krb5-1-7/src/ include/ include/krb5/ kdc/ lib/krb5/ ... Message-ID: <200904152007.n3FK76I6001550@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22241 Commit By: tlyu Log Message: ticket: 6436 version_fixed: 1.7 pull up r22149, r22151, r22153 from trunk ------------------------------------------------------------------------ r22153 | tlyu | 2009-03-31 19:51:48 -0400 (Tue, 31 Mar 2009) | 3 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c M /trunk/src/lib/krb5/asn.1/krb5_decode.c M /trunk/src/lib/krb5/asn.1/krb5_encode.c ticket: 6436 Make FAST changes build when pkinit is disabled. ------------------------------------------------------------------------ r22151 | hartmans | 2009-03-31 18:35:59 -0400 (Tue, 31 Mar 2009) | 3 lines Changed paths: M /trunk/src/kdc/do_tgs_req.c ticket: 6436 Initialize request state in the TGS path. 
------------------------------------------------------------------------ r22149 | hartmans | 2009-03-31 13:00:41 -0400 (Tue, 31 Mar 2009) | 8 lines Changed paths: M /trunk/src/Makefile.in M /trunk/src/configure.in M /trunk/src/include/k5-int-pkinit.h M /trunk/src/include/k5-int.h M /trunk/src/include/krb5/krb5.hin M /trunk/src/include/krb5/preauth_plugin.h M /trunk/src/kdc/Makefile.in M /trunk/src/kdc/dispatch.c M /trunk/src/kdc/do_as_req.c M /trunk/src/kdc/do_tgs_req.c A /trunk/src/kdc/fast_util.c M /trunk/src/kdc/kdc_preauth.c M /trunk/src/kdc/kdc_util.c M /trunk/src/kdc/kdc_util.h M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c M /trunk/src/lib/krb5/asn.1/asn1_k_decode.h M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c M /trunk/src/lib/krb5/asn.1/krb5_decode.c M /trunk/src/lib/krb5/error_tables/krb5_err.et M /trunk/src/lib/krb5/error_tables/kv5m_err.et M /trunk/src/lib/krb5/krb/Makefile.in A /trunk/src/lib/krb5/krb/fast.c A /trunk/src/lib/krb5/krb/fast.h M /trunk/src/lib/krb5/krb/get_in_tkt.c M /trunk/src/lib/krb5/krb/gic_opt.c M /trunk/src/lib/krb5/krb/kfree.c M /trunk/src/lib/krb5/krb/preauth2.c M /trunk/src/lib/krb5/libkrb5.exports M /trunk/src/lib/krb5/os/accessor.c A /trunk/src/plugins/preauth/encrypted_challenge A /trunk/src/plugins/preauth/encrypted_challenge/Makefile.in (from /trunk/src/plugins/preauth/cksum_body/Makefile.in:22148) A /trunk/src/plugins/preauth/encrypted_challenge/deps (from /trunk/src/ccapi/test/deps:22148) A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports (from /trunk/src/plugins/preauth/pkinit/pkinit.exports:22148) A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c A /trunk/src/plugins/preauth/fast_factor.h ticket: 6436 subject: Implement FAST from draft-ietf-krb-wg-preauth-framework Target_Version: 1.7 Merge fast branch at 22146 onto trunk Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. 
Changed Files: U branches/krb5-1-7/src/Makefile.in U branches/krb5-1-7/src/configure.in U branches/krb5-1-7/src/include/k5-int-pkinit.h U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/include/krb5/krb5.hin U branches/krb5-1-7/src/include/krb5/preauth_plugin.h U branches/krb5-1-7/src/kdc/Makefile.in U branches/krb5-1-7/src/kdc/dispatch.c U branches/krb5-1-7/src/kdc/do_as_req.c U branches/krb5-1-7/src/kdc/do_tgs_req.c A branches/krb5-1-7/src/kdc/fast_util.c U branches/krb5-1-7/src/kdc/kdc_preauth.c U branches/krb5-1-7/src/kdc/kdc_util.c U branches/krb5-1-7/src/kdc/kdc_util.h U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c U branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c U branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c U branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et U branches/krb5-1-7/src/lib/krb5/error_tables/kv5m_err.et U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in A branches/krb5-1-7/src/lib/krb5/krb/fast.c A branches/krb5-1-7/src/lib/krb5/krb/fast.h U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c U branches/krb5-1-7/src/lib/krb5/krb/gic_opt.c U branches/krb5-1-7/src/lib/krb5/krb/kfree.c U branches/krb5-1-7/src/lib/krb5/krb/preauth2.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports U branches/krb5-1-7/src/lib/krb5/os/accessor.c A branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/ A branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/Makefile.in A branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps A branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports A branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c A branches/krb5-1-7/src/plugins/preauth/fast_factor.h Modified: branches/krb5-1-7/src/Makefile.in =================================================================== --- branches/krb5-1-7/src/Makefile.in 2009-04-15 
20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/Makefile.in 2009-04-15 20:07:03 UTC (rev 22241) @@ -12,6 +12,7 @@ SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ + plugins/preauth/encrypted_challenge \ appl tests \ config-files gen-manpages BUILDTOP=$(REL)$(C) Modified: branches/krb5-1-7/src/configure.in =================================================================== --- branches/krb5-1-7/src/configure.in 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/configure.in 2009-04-15 20:07:03 UTC (rev 22241) @@ -1077,7 +1077,7 @@ plugins/kdb/db2/libdb2/mpool plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test - plugins/preauth/cksum_body + plugins/preauth/cksum_body plugins/preauth/encrypted_challenge plugins/preauth/wpse plugins/authdata/greet Modified: branches/krb5-1-7/src/include/k5-int-pkinit.h =================================================================== --- branches/krb5-1-7/src/include/k5-int-pkinit.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/include/k5-int-pkinit.h 2009-04-15 20:07:03 UTC (rev 22241) @@ -101,6 +101,9 @@ } krb5_trusted_ca; /* typed data */ +/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other + * if this structure changes, that code needs to be updated to copy. + */ typedef struct _krb5_typed_data { krb5_magic magic; krb5_int32 type; @@ -267,4 +270,6 @@ krb5_error_code decode_krb5_td_dh_parameters (const krb5_data *, krb5_algorithm_identifier ***); +void krb5_free_typed_data(krb5_context, krb5_typed_data **); + #endif /* _KRB5_INT_PKINIT_H */ Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -910,9 +910,11 @@ * requested information. It is opaque to the plugin code and can be * expanded in the future as new types of requests are defined which * may require other things to be passed through. */ + struct krb5int_fast_request_state; typedef struct _krb5_preauth_client_rock { krb5_magic magic; - krb5_kdc_rep *as_reply; + krb5_enctype *etype; + struct krb5int_fast_request_state *fast_state; } krb5_preauth_client_rock; /* This structure lets us keep track of all of the modules which are loaded, @@ -963,6 +965,48 @@ krb5_data auth_package; } krb5_pa_for_user; +enum { + KRB5_FAST_ARMOR_AP_REQUEST = 0x1 +}; + +typedef struct _krb5_fast_armor { + krb5_int32 armor_type; + krb5_data armor_value; +} krb5_fast_armor; +typedef struct _krb5_fast_armored_req { + krb5_magic magic; + krb5_fast_armor *armor; + krb5_checksum req_checksum; + krb5_enc_data enc_part; +} krb5_fast_armored_req; + +typedef struct _krb5_fast_req { + krb5_magic magic; + krb5_int32 fast_options; + /* padata from req_body is used*/ + krb5_kdc_req *req_body; +} krb5_fast_req; + +/* Bits 0-15 are critical in fast options.*/ +#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff +#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01 + +typedef struct _krb5_fast_finished { + krb5_timestamp timestamp; + krb5_int32 usec; + krb5_principal client; + krb5_checksum ticket_checksum; +} krb5_fast_finished; + +typedef struct _krb5_fast_response { + krb5_magic magic; + krb5_pa_data **padata; + krb5_keyblock *rep_key; + krb5_fast_finished *finished; + krb5_int32 nonce; +} krb5_fast_response; + + typedef krb5_error_code (*krb5_preauth_obtain_proc) (krb5_context, krb5_pa_data *, @@ -1036,6 +1080,10 @@ krb5_creds *, krb5_int32 *); +krb5_pa_data * krb5int_find_pa_data +(krb5_context, krb5_pa_data * const *, krb5_preauthtype); +/* Does not return a copy; original padata sequence responsible for freeing*/ + void krb5_free_etype_info (krb5_context, krb5_etype_info); 
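Review bot: In the `@@ -963,6 +965,48 @@` hunk the comment says bits 0-15 of the FAST options are critical, but `UNSUPPORTED_CRITICAL_FAST_OPTIONS` is `0x00ff`, which covers only eight bits. That mask also includes `KRB5_FAST_OPTION_HIDE_CLIENT_NAMES` (`0x01`), so the one named option is itself classified as unsupported. If the mask is what rejects requests with unknown critical options, a request setting one of the uncovered critical bits would be accepted silently. Kerberos flag fields conventionally number bits from the most significant end, so the mask and the option value should both be checked against the draft's bit numbering and the comment should state which convention is used.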
@@ -1088,6 +1136,7 @@ typedef struct _krb5_gic_opt_private { int num_preauth_data; krb5_gic_opt_pa_data *preauth_data; + char * fast_ccache_name; } krb5_gic_opt_private; /* @@ -1254,6 +1303,16 @@ void KRB5_CALLCONV krb5_free_etype_list (krb5_context, krb5_etype_list * ); +void KRB5_CALLCONV krb5_free_fast_armor +(krb5_context, krb5_fast_armor *); +void KRB5_CALLCONV krb5_free_fast_armored_req +(krb5_context, krb5_fast_armored_req *); +void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *); +void KRB5_CALLCONV krb5_free_fast_finished +(krb5_context, krb5_fast_finished *); +void KRB5_CALLCONV krb5_free_fast_response +(krb5_context, krb5_fast_response *); + /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ #include "com_err.h" #include "k5-plugin.h" @@ -1594,6 +1653,16 @@ krb5_error_code encode_krb5_etype_list (const krb5_etype_list * , krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_request +(const krb5_fast_armored_req *, krb5_data **); +krb5_error_code encode_krb5_fast_req +(const krb5_fast_req *, krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_reply +(const krb5_enc_data *, krb5_data **); + +krb5_error_code encode_krb5_fast_response +(const krb5_fast_response *, krb5_data **); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ @@ -1753,6 +1822,19 @@ krb5_error_code decode_krb5_etype_list (const krb5_data *, krb5_etype_list **); +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *, krb5_fast_armored_req **); + +krb5_error_code decode_krb5_fast_req +(const krb5_data *, krb5_fast_req **); + + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *, krb5_enc_data **); + +krb5_error_code decode_krb5_fast_response +(const krb5_data *, krb5_fast_response **); + struct _krb5_key_data; /* kdb.h */ struct ldap_seqof_key_data { 
@@ -1982,7 +2064,7 @@ /* To keep happy libraries which are (for now) accessing internal stuff */ /* Make sure to increment by one when changing the struct */ -#define KRB5INT_ACCESS_STRUCT_VERSION 13 +#define KRB5INT_ACCESS_STRUCT_VERSION 14 #ifndef ANAME_SZ struct ktext; /* from krb.h, for krb524 support */ @@ -2036,6 +2118,16 @@ krb5_error_code (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, ldap_seqof_key_data **); + /* Used for encrypted challenge fast factor*/ + krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **); + krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **); + void (*free_enc_data)(krb5_context, krb5_enc_data *); + krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **); + krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **); + void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *); + krb5_error_code (*encrypt_helper) + (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *, + krb5_enc_data *); /* * pkinit asn.1 encode/decode functions Modified: branches/krb5-1-7/src/include/krb5/krb5.hin =================================================================== --- branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/include/krb5/krb5.hin 2009-04-15 20:07:03 UTC (rev 22241) @@ -631,7 +631,15 @@ /* Defined in KDC referrals draft */ #define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */ +/* define in draft-ietf-krb-wg-preauth-framework*/ +#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 +#define KRB5_KEYUSAGE_FAST_ENC 51 +#define KRB5_KEYUSAGE_FAST_REP 52 +#define KRB5_KEYUSAGE_FAST_FINISHED 53 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 +#define KRB5_KEYUSAGE_FAST_REP 52 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype (krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype 
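Review bot: In the krb5.hin hunk `#define KRB5_KEYUSAGE_FAST_REP 52` appears twice, once in the numbered run and again after `KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55`. The redefinition is identical and so compiles, but it will mask a mistake if one copy is later edited; drop the second line. The comment above the block would also read better as `/* Defined in draft-ietf-krb-wg-preauth-framework */`, matching the "Defined in KDC referrals draft" comment just before it.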
@@ -982,6 +990,11 @@ #define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */ #define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */ #define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ +#define KRB5_PADATA_FX_COOKIE 133 +#define KRB5_PADATA_FX_FAST 136 +#define KRB5_PADATA_FX_ERROR 137 +#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 + #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */ @@ -1005,7 +1018,7 @@ #define KRB5_AUTHDATA_SESAME 65 #define KRB5_AUTHDATA_WIN2K_PAC 128 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ - +#define KRB5_AUTHDATA_FX_ARMOR 71 /* password change constants */ #define KRB5_KPASSWD_SUCCESS 0 @@ -1142,6 +1155,13 @@ krb5_authdata **unenc_authdata; /* unencrypted auth data, if available */ krb5_ticket **second_ticket;/* second ticket array; OPTIONAL */ + /* the following field is added in March 2009; it is a hack so + * that FAST state can be carried to pre-authentication plugins. + * A new plugin interface may be a better long-term approach. It + * is believed to be safe to extend this structure because it is + * not found in any public APIs. + */ + void * kdc_state; } krb5_kdc_req; typedef struct _krb5_enc_kdc_rep_part { 
@@ -2393,6 +2413,15 @@ const char *attr, const char *value); +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, + const char * fast_ccache_name); + /* This API sets a ccache name that will contain some TGT on + calls to get_init_creds functions. If set, this ccache will + be used for FAST (draft-ietf-krb-wg-preauth-framework) to + protect the AS-REQ from observation and active attack. If + the fast_ccache_name is set, then FAST may be required by the + client library. In this version FAST is required.*/ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password (krb5_context context, Modified: branches/krb5-1-7/src/include/krb5/preauth_plugin.h =================================================================== --- branches/krb5-1-7/src/include/krb5/preauth_plugin.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/include/krb5/preauth_plugin.h 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -123,11 +123,22 @@ * information to enable it to process a request. */ enum krb5plugin_preauth_client_request_type { - /* The returned krb5_data item holds the enctype used to encrypt the - * encrypted portion of the AS_REP packet. */ + /* The returned krb5_data item holds the enctype expected to be used to encrypt the + * encrypted portion of the AS_REP packet. When handling a + * PREAUTH_REQUIRED error, this typically comes from etype-info2. + * When handling an AS reply, it is initialized from the AS reply itself.*/ krb5plugin_preauth_client_get_etype = 1, /* Free the data returned from krb5plugin_preauth_client_req_get_etype */ - krb5plugin_preauth_client_free_etype = 2 + krb5plugin_preauth_client_free_etype = 2, + /* The returned krb5_data contains the FAST armor key in a + * krb5_keyblock. Returns success with a NULL data item in the + * krb5_data if the client library supports FAST but is not using it.*/ + krb5plugin_preauth_client_fast_armor = 3, + /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is + * acceptable to set data to NULL and free the keyblock using + * krb5_free_keyblock; in that case, this frees the krb5_data + * only.*/ +krb5plugin_preauth_client_free_fast_armor = 4, }; typedef krb5_error_code (*preauth_get_client_data_proc)(krb5_context, 
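Review bot: The comment on the new enumerator refers to `KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR`, but the identifier this hunk adds is lower case, `krb5plugin_preauth_client_fast_armor`, so a search for the documented name finds nothing. The last enumerator `krb5plugin_preauth_client_free_fast_armor = 4,` is also unindented and leaves a trailing comma, which pre-C99 compilers reject in an installed public header. I would use the real identifier in the comment and write the last entry as `    krb5plugin_preauth_client_free_fast_armor = 4`.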
@@ -326,8 +337,16 @@ * implementation, there's a good chance that the result will not match * what the client sent, so don't go creating any fatal errors if it * doesn't match up. */ - krb5plugin_preauth_request_body = 4 -}; + krb5plugin_preauth_request_body = 4, + /* The returned krb5_data contains a krb5_keyblock with the FAST + armor key. The data member is NULL if this method is not part + of a FAST tunnel */ + krb5plugin_preauth_fast_armor = 5, + /* Frees a fast armor key; it is acceptable to set data to NULL + and free the keyblock using krb5_free_keyblock; in that case, + this function simply frees the data*/ + krb5plugin_preauth_free_fast_armor = 6, + }; typedef krb5_error_code (*preauth_get_entry_data_proc)(krb5_context, Modified: branches/krb5-1-7/src/kdc/Makefile.in =================================================================== --- branches/krb5-1-7/src/kdc/Makefile.in 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/Makefile.in 2009-04-15 20:07:03 UTC (rev 22241) @@ -24,6 +24,7 @@ $(srcdir)/dispatch.c \ $(srcdir)/do_as_req.c \ $(srcdir)/do_tgs_req.c \ + $(srcdir)/fast_util.c \ $(srcdir)/kdc_util.c \ $(srcdir)/kdc_preauth.c \ $(srcdir)/main.c \ @@ -38,6 +39,7 @@ dispatch.o \ do_as_req.o \ do_tgs_req.o \ + fast_util.o \ kdc_util.o \ kdc_preauth.o \ main.o \ Modified: branches/krb5-1-7/src/kdc/dispatch.c =================================================================== --- branches/krb5-1-7/src/kdc/dispatch.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/dispatch.c 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -92,11 +92,12 @@ /* * setup_server_realm() sets up the global realm-specific data * pointer. + * process_as_req frees the request if it is called */ if (!(retval = setup_server_realm(as_req->server))) { retval = process_as_req(as_req, pkt, from, response); } - krb5_free_kdc_req(kdc_context, as_req); + else krb5_free_kdc_req(kdc_context, as_req); } } else Modified: branches/krb5-1-7/src/kdc/do_as_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -82,7 +82,7 @@ #endif #endif /* APPLE_PKINIT */ -static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *, +static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, krb5_principal, krb5_data **, const char *); @@ -117,6 +117,9 @@ int did_log = 0; const char *emsg = 0; krb5_keylist_node *tmp_mkey_list; + struct kdc_request_state *state = NULL; + krb5_data encoded_req_body; + #if APPLE_PKINIT asReqDebug("process_as_req top realm %s name %s\n", @@ -133,6 +136,22 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + errcode = kdc_make_rstate(&state); + if (errcode != 0) { + status = "constructing state"; + goto errout; + } + if (fetch_asn1_field((unsigned char *) req_pkt->data, + 1, 4, &encoded_req_body) != 0) { + errcode = ASN1_BAD_ID; + status = "Finding req_body"; +} + errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); + if (errcode) { + status = "error decoding FAST"; + goto errout; + } + request->kdc_state = state; if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -548,6 +567,7 @@ goto errout; } + errcode = handle_authdata(kdc_context, c_flags, &client, 
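Review bot: In the do_as_req.c `@@ -133,6 +136,22 @@` hunk the `fetch_asn1_field` failure branch sets `errcode = ASN1_BAD_ID` and `status` but does not leave, so execution falls through to `kdc_find_fast`. That call receives `encoded_req_body`, which is declared without an initializer and was never filled in, and its return value overwrites the error just recorded. A malformed AS-REQ therefore reaches the FAST parser with an indeterminate `krb5_data`. Add `goto errout;` inside the failure branch, as the neighbouring `kdc_make_rstate` and `kdc_find_fast` checks do. The closing brace of that branch is also at column 0.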
@@ -572,6 +592,11 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode) { + status = "fast response handling"; + goto errout; + } /* now encode/encrypt the response */ @@ -629,7 +654,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - errcode = prepare_error_as(request, errcode, &e_data, + errcode = prepare_error_as(state, request, errcode, &e_data, c_nprincs ? client.princ : NULL, response, status); status = 0; @@ -679,18 +704,24 @@ } krb5_free_data_contents(kdc_context, &e_data); + kdc_free_rstate(state); + request->kdc_state = NULL; + krb5_free_kdc_req(kdc_context, request); assert(did_log != 0); return errcode; } static krb5_error_code -prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data, +prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data, krb5_principal canon_client, krb5_data **response, const char *status) { krb5_error errpkt; krb5_error_code retval; krb5_data *scratch; + krb5_pa_data **pa = NULL; + krb5_typed_data **td = NULL; + size_t size; errpkt.ctime = request->nonce; errpkt.cusec = 0; 
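Review bot: In the `@@ -679,18 +704,24 @@` hunk `kdc_free_rstate(state)` is called unconditionally, but `state` is still NULL when `kdc_make_rstate` itself fails and jumps to `errout`. On that same path `prepare_error_as` is handed the NULL `state` and passes it to `kdc_fast_handle_error`. The TGS path in this commit guards the same call with `if (state)`, so either the helpers accept NULL and the guard is redundant, or the AS path needs `if (state) kdc_free_rstate(state);` and a NULL check before the FAST error handling. The helper bodies are in fast_util.c and not fully visible here, so confirm which contract they implement and document it on `kdc_free_rstate`.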
@@ -719,13 +750,38 @@ errpkt.e_data.length = 0; errpkt.e_data.data = NULL; } - + /*We need to try and produce a padata sequence for FAST*/ + retval = decode_krb5_padata_sequence(e_data, &pa); + if (retval != 0) { + retval = decode_krb5_typed_data(e_data, &td); + if (retval == 0) { + for (size =0; td[size]; size++); + pa = calloc(size+1, sizeof(*pa)); + if (pa == NULL) + retval = ENOMEM; + else for (size = 0; td[size]; size++) { + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + if (pad == NULL) { + retval = ENOMEM; + break; + } + pad->pa_type = td[size]->type; + pad->contents = td[size]->data; + pad->length = td[size]->length; + pa[size] = pad; + } + krb5_free_typed_data(kdc_context, td); + } + } + retval = kdc_fast_handle_error(kdc_context, rstate, + request, pa, &errpkt); + if (retval == 0) retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) free(scratch); else *response = scratch; - + krb5_free_pa_data(kdc_context, pa); return retval; } Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -76,7 +76,7 @@ krb5_boolean *,int *); static krb5_error_code -prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int, +prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, krb5_principal,krb5_data **,const char *); static krb5_int32 @@ -125,6 +125,9 @@ krb5_data *tgs_1 =NULL, *server_1 = NULL; krb5_principal krbtgt_princ; krb5_kvno ticket_kvno = 0; + struct kdc_request_state *state = NULL; + krb5_pa_data *pa_tgs_req; /*points into request*/ + krb5_data scratch; session_key.contents = NULL; 
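Review bot: In the prepare_error_as hunk `malloc(sizeof(krb5_pa_data *))` allocates the size of a pointer, so the three following stores to `pad->pa_type`, `pad->contents` and `pad->length` write past the allocation; it should be `krb5_pa_data *pad = malloc(sizeof(*pad));`. Two further problems are in the same block. An `ENOMEM` recorded in the loop is overwritten by `retval = kdc_fast_handle_error(...)`, leaving a partially filled `pa` in use. Each `pad->contents` aliases `td[size]->data`, and `td` is then released with `krb5_free_typed_data`, so `pa` appears to hold dangling pointers that `krb5_free_pa_data` would free again. The body of `krb5_free_typed_data` is not shown; if it frees the data buffers, clear `td[size]->data` after transferring ownership or copy the bytes.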
@@ -140,7 +143,7 @@ return retval; } errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, - &krbtgt, &k_nprincs, &subkey); + &krbtgt, &k_nprincs, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2 && (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client, @@ -161,7 +164,20 @@ status="UNEXPECTED NULL in header_ticket"; goto cleanup; } - + errcode = kdc_make_rstate(&state); + if (errcode !=0) { + status = "making state"; + goto cleanup; + } + scratch.length = pa_tgs_req->length; + scratch.data = (char *) pa_tgs_req->contents; + errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); + if (errcode !=0) { + status = "kdc_find_fast"; + goto cleanup; + } + + /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -862,7 +878,12 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode !=0 ) { + status = "Preparing FAST padata"; + goto cleanup; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, subkey ? subkey : header_ticket->enc_part2->session, @@ -903,7 +924,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - retval = prepare_error_tgs(request, header_ticket, errcode, + retval = prepare_error_tgs(state, request, header_ticket, errcode, nprincs ? server.princ : NULL, response, status); if (got_err) { @@ -916,6 +937,8 @@ krb5_free_ticket(kdc_context, header_ticket); if (request != NULL) krb5_free_kdc_req(kdc_context, request); + if (state) + kdc_free_rstate(state); if (cname != NULL) free(cname); if (sname != NULL) 
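Review bot: In the `@@ -161,7 +164,20 @@` hunk `pa_tgs_req->length` and `pa_tgs_req->contents` are read with no NULL check, and `pa_tgs_req` is declared earlier in this commit without an initializer. Whether `kdc_process_tgs_req` always stores a valid pointer before this point is not visible in these hunks. I would declare it as `krb5_pa_data *pa_tgs_req = NULL;` and fail with a status string when it is still NULL, so a request that reaches this code without a PA-TGS-REQ cannot cause a wild read. The surrounding function starts and ends outside the hunk.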
@@ -943,7 +966,8 @@ } static krb5_error_code -prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, +prepare_error_tgs (struct kdc_request_state *state, + krb5_kdc_req *request, krb5_ticket *ticket, int error, krb5_principal canon_server, krb5_data **response, const char *status) { @@ -966,14 +990,19 @@ errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) return ENOMEM; - + if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { free(errpkt.text.data); return ENOMEM; } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (retval) { + free(scratch); + free(errpkt.text.data); + return retval; + } retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) Added: branches/krb5-1-7/src/kdc/fast_util.c =================================================================== --- branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -0,0 +1,398 @@ +/* + * kdc/fast_util.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include + +#include "kdc_util.h" +#include "extern.h" + + +/* + * This function will find the fast and cookie padata and if fast is + * successfully processed, will throw away (and free) the outer + * request and update the pointer to point to the inner request. The + * checksummed_data points to the data that is in the + * armored_fast_request checksum; either the pa-tgs-req or the + * kdc-req-body. 
+ */ + +static krb5_error_code armor_ap_request +(struct kdc_request_state *state, krb5_fast_armor *armor) +{ + krb5_error_code retval = 0; + krb5_auth_context authcontext = NULL; + krb5_ticket *ticket = NULL; + krb5_keyblock *subkey = NULL; + + assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST); + krb5_clear_error_message(kdc_context); + retval = krb5_auth_con_init(kdc_context, &authcontext); + if (retval == 0) + retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ + retval = krb5_rd_req(kdc_context, &authcontext, + &armor->armor_value, NULL /*server*/, + kdc_active_realm->realm_keytab, NULL, &ticket); + if (retval !=0) { + const char * errmsg = krb5_get_error_message(kdc_context, retval); + krb5_set_error_message(kdc_context, retval, + "%s while handling ap-request armor", errmsg); + krb5_free_error_message(kdc_context, errmsg); + } + if (retval == 0) { + if (!krb5_principal_compare_any_realm(kdc_context, + tgs_server, + ticket->server)) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, + "ap-request armor for something other than the local TGS"); + retval = KRB5KDC_ERR_SERVER_NOMATCH; + } + } + if (retval ==0) { + retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); + if (retval !=0 || subkey == NULL) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ap-request armor without subkey"); + retval = KRB5KDC_ERR_POLICY; + } + } + if (retval==0) + retval = krb5_c_fx_cf2_simple(kdc_context, + subkey, "subkeyarmor", + ticket->enc_part2->session, "ticketarmor", + &state->armor_key); + if (ticket) + krb5_free_ticket(kdc_context, ticket); + if (subkey) + krb5_free_keyblock(kdc_context, subkey); + if (authcontext) + krb5_auth_con_free(kdc_context, authcontext); + return retval; +} + +static krb5_error_code encrypt_fast_reply +(struct kdc_request_state *state, const krb5_fast_response *response, + krb5_data **fx_fast_reply) +{ + krb5_error_code retval = 0; + krb5_enc_data 
encrypted_reply; + krb5_data *encoded_response = NULL; + assert(state->armor_key); + retval = encode_krb5_fast_response(response, &encoded_response); + if (retval== 0) + retval = krb5_encrypt_helper(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, + encoded_response, &encrypted_reply); + if (encoded_response) + krb5_free_data(kdc_context, encoded_response); + encoded_response = NULL; + if (retval == 0) { + retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply, + fx_fast_reply); + krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext); + } + return retval; +} + + +krb5_error_code kdc_find_fast +(krb5_kdc_req **requestptr, krb5_data *checksummed_data, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + struct kdc_request_state *state) +{ + krb5_error_code retval = 0; + krb5_pa_data *fast_padata, *cookie_padata; + krb5_data scratch; + krb5_fast_req * fast_req = NULL; + krb5_kdc_req *request = *requestptr; + krb5_fast_armored_req *fast_armored_req = NULL; + krb5_boolean cksum_valid; + + scratch.data = NULL; + krb5_clear_error_message(kdc_context); + fast_padata = find_pa_data(request->padata, + KRB5_PADATA_FX_FAST); + if (fast_padata != NULL){ + scratch.length = fast_padata->length; + scratch.data = (char *) fast_padata->contents; + retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req); + if (retval == 0 &&fast_armored_req->armor) { + switch (fast_armored_req->armor->armor_type) { + case KRB5_FAST_ARMOR_AP_REQUEST: + retval = armor_ap_request(state, fast_armored_req->armor); + break; + default: + krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "Unknow FAST armor type %d", + fast_armored_req->armor->armor_type); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0 && !state->armor_key) { + if (tgs_subkey) + retval = krb5_c_fx_cf2_simple(kdc_context, + tgs_subkey, "subkeyarmor", + tgs_session, "ticketarmor", + &state->armor_key); + else { + krb5_set_error_message(kdc_context, 
KRB5KDC_ERR_PREAUTH_FAILED, + "No armor key but FAST armored request present"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0) { + krb5_data plaintext; + plaintext.length = fast_armored_req->enc_part.ciphertext.length; + plaintext.data = malloc(plaintext.length); + if (plaintext.data == NULL) + retval = ENOMEM; + retval = krb5_c_decrypt(kdc_context, + state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, NULL, + &fast_armored_req->enc_part, + &plaintext); + if (retval == 0) + retval = decode_krb5_fast_req(&plaintext, &fast_req); + if (plaintext.data) + free(plaintext.data); + } + if (retval == 0) + retval = krb5_c_verify_checksum(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (retval == 0 && !cksum_valid) { + retval = KRB5KRB_AP_ERR_MODIFIED; + krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, + "FAST req_checksum invalid; request modified"); + } + if (retval == 0) { + if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) + retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; + } + if (retval == 0) + cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE); + if (retval == 0) { + state->fast_options = fast_req->fast_options; + if (request->kdc_state == state) + request->kdc_state = NULL; + krb5_free_kdc_req( kdc_context, request); + *requestptr = fast_req->req_body; + fast_req->req_body = NULL; + + } + } + else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); + if (retval == 0 && cookie_padata != NULL) { + krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); + if (new_padata != NULL) { + retval = ENOMEM; + } else { + new_padata->pa_type = KRB5_PADATA_FX_COOKIE; + new_padata->length = cookie_padata->length; + new_padata->contents = malloc(new_padata->length); + if (new_padata->contents == NULL) { + retval = ENOMEM; + free(new_padata); + } else { + memcpy(new_padata->contents, 
cookie_padata->contents, new_padata->length); + state->cookie = new_padata; + } + } + } + if (fast_req) + krb5_free_fast_req( kdc_context, fast_req); + if (fast_armored_req) + krb5_free_fast_armored_req(kdc_context, fast_armored_req); + return retval; +} + + +krb5_error_code kdc_make_rstate(struct kdc_request_state **out) +{ + struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state)); + if (state == NULL) + return ENOMEM; + memset( state, 0, sizeof(struct kdc_request_state)); + *out = state; + return 0; +} + +void kdc_free_rstate +(struct kdc_request_state *s) +{ + if (s == NULL) + return; + if (s->armor_key) + krb5_free_keyblock(kdc_context, s->armor_key); + if (s->reply_key) + krb5_free_keyblock(kdc_context, s->reply_key); + if (s->cookie) { + free(s->cookie->contents); + free(s->cookie); + } + free(s); +} + +krb5_error_code kdc_fast_response_handle_padata +(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep) +{ + krb5_error_code retval = 0; + krb5_fast_finished finish; + krb5_fast_response fast_response; + krb5_data *encoded_ticket = NULL; + krb5_data *encrypted_reply = NULL; + krb5_pa_data *pa = NULL, **pa_array; + krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; + krb5_pa_data *empty_padata[] = {NULL}; + + if (!state->armor_key) + return 0; + memset(&finish, 0, sizeof(finish)); + fast_response.padata = rep->padata; + if (fast_response.padata == NULL) + fast_response.padata = &empty_padata[0]; + fast_response.rep_key = state->reply_key; + fast_response.nonce = request->nonce; + fast_response.finished = &finish; + finish.client = rep->client; + pa_array = calloc(3, sizeof(*pa_array)); + if (pa_array == NULL) + retval = ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (retval == 0 && pa == NULL) + retval = ENOMEM; + if (retval == 0) + retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec); + if (retval == 0) + retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); + if (retval == 0) + retval = 
krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); + if (retval == 0) + retval = krb5_c_make_checksum(kdc_context, cksumtype, + state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, &finish.ticket_checksum); + if (retval == 0) + retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + pa_array[0] = &pa[0]; + rep->padata = pa_array; + pa_array = NULL; + encrypted_reply = NULL; + pa = NULL; + } + if (pa) + free(pa); + if (encrypted_reply) + krb5_free_data(kdc_context, encrypted_reply); + if (encoded_ticket) + krb5_free_data(kdc_context, encoded_ticket); + if (finish.ticket_checksum.contents) + krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); + return retval; +} + + +/* + * We assume the caller is responsible for passing us an in_padata + * sufficient to include in a FAST error. In the FAST case we will + * throw away the e_data in the error (if any); in the non-FAST case + * we will not use the in_padata. 
+ */ +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_pa_data **in_padata, krb5_error *err) +{ + krb5_error_code retval = 0; + krb5_fast_response resp; + krb5_error fx_error; + krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; + krb5_pa_data pa[2]; + krb5_pa_data *outer_pa[3]; + krb5_pa_data **inner_pa = NULL; + size_t size = 0; + krb5_data *encoded_e_data = NULL; + + memset(outer_pa, 0, sizeof(outer_pa)); + if (!state->armor_key) + return 0; + fx_error = *err; + fx_error.e_data.data = NULL; + fx_error.e_data.length = 0; + for (size = 0; in_padata&&in_padata[size]; size++); + size +=3; + inner_pa = calloc(size, sizeof(krb5_pa_data *)); + if (inner_pa == NULL) + retval = ENOMEM; + if (retval == 0) + for (size=0; in_padata&&in_padata[size]; size++) + inner_pa[size] = in_padata[size]; + if (retval == 0) + retval = encode_krb5_error(&fx_error, &encoded_fx_error); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_ERROR; + pa[0].length = encoded_fx_error->length; + pa[0].contents = (unsigned char *) encoded_fx_error->data; + inner_pa[size++] = &pa[0]; + resp.padata = inner_pa; + resp.nonce = request->nonce; + resp.rep_key = NULL; + resp.finished = NULL; + } + if (retval == 0) + retval = encrypt_fast_reply(state, &resp, &encrypted_reply); + if (inner_pa) + free(inner_pa); /*contained storage from caller and our stack*/ + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + outer_pa[0] = &pa[0]; + } + retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data); + if (retval == 0) { + /*process_as holds onto a pointer to the original e_data and frees it*/ + err->e_data = *encoded_e_data; + free(encoded_e_data); /*contents belong to err*/ + encoded_e_data = NULL; + } + if (encoded_e_data) + krb5_free_data(kdc_context, encoded_e_data); + if (encrypted_reply) + 
krb5_free_data(kdc_context, encrypted_reply); + if (encoded_fx_error) + krb5_free_data(kdc_context, encoded_fx_error); + return retval; +} Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -133,6 +133,12 @@ krb5_data **e_data, krb5_authdata ***authz_data); +static krb5_error_code get_enc_ts + (krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); static krb5_error_code get_etype_info (krb5_context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, @@ -279,7 +285,7 @@ NULL, NULL, NULL, - 0, + get_enc_ts, verify_enc_timestamp, 0 }, @@ -668,6 +674,7 @@ krb5_keyblock *keys, *mkey_ptr; krb5_key_data *entry_key; krb5_error_code error; + struct kdc_request_state *state = request->kdc_state; switch (type) { case krb5plugin_preauth_entry_request_certificate: @@ -752,6 +759,30 @@ } return ASN1_PARSE_ERROR; break; + case krb5plugin_preauth_fast_armor: + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + if (state->armor_key == NULL) { + *result = ret; + return 0; + } + error = krb5_copy_keyblock(context, state->armor_key, &keys); + if (error == 0) { + ret->data = (char *) keys; + ret->length = sizeof(krb5_keyblock); + *result = ret; + return 0; + } + free(ret); + return error; + case krb5plugin_preauth_free_fast_armor: + if ((*result)->data) { + keys = (krb5_keyblock *) (*result)->data; + krb5_free_keyblock(context, keys); + } + free(*result); + return 0; default: break; } 
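Review bot: In `kdc_find_fast` the cookie copy tests `if (new_padata != NULL) { retval = ENOMEM; }`, which is inverted: a successful `malloc` is leaked and reported as ENOMEM, and a failed one is dereferenced in the `else` branch. Three other calls in this file run unconditionally and overwrite an earlier failure: `krb5_rd_req` after the auth-context setup in `armor_ap_request`, `krb5_c_decrypt` after the `plaintext.data == NULL` check in `kdc_find_fast`, and `encode_krb5_padata_sequence` in `kdc_fast_handle_error`, where a failed `encrypt_fast_reply` ends in an empty padata sequence and a success return. The `assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST)` in `armor_ap_request` assigns rather than compares, and `kdc_fast_response_handle_padata` never frees `pa_array` when a later step fails. The guarded forms are below.

```c
/* armor_ap_request */
assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
/* … unchanged: krb5_auth_con_init, krb5_auth_con_setflags … */
if (retval == 0)
    retval = krb5_rd_req(kdc_context, &authcontext,
                         &armor->armor_value, NULL /*server*/,
                         kdc_active_realm->realm_keytab, NULL, &ticket);

/* kdc_find_fast: decrypt only when the buffer was allocated */
if (plaintext.data == NULL)
    retval = ENOMEM;
if (retval == 0)
    retval = krb5_c_decrypt(kdc_context,
                            state->armor_key,
                            KRB5_KEYUSAGE_FAST_ENC, NULL,
                            &fast_armored_req->enc_part,
                            &plaintext);
/* … unchanged: decode, checksum verification, option check … */
krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data));
if (new_padata == NULL) {
    retval = ENOMEM;
} else {
    /* … unchanged: copy of cookie_padata into new_padata … */
}

/* kdc_fast_handle_error: keep the earlier failure */
if (retval == 0)
    retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);

/* kdc_fast_response_handle_padata: cleanup */
if (pa_array)
    free(pa_array);
```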
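Review bot: The new `krb5plugin_preauth_fast_armor` case in the `@@ -752,6 +759,30 @@` hunk reads `state->armor_key`, where `state` is `request->kdc_state` taken without a NULL test in the `@@ -668,6 +674,7 @@` hunk; `get_enc_ts` in the `@@ -1340,7 +1371,20 @@` hunk does the same. The krb5_decode.c hunks now clear `kdc_state` on decode, and `kdc_find_fast` swaps in `fast_req->req_body` without assigning it in the code shown. These paths therefore rely on every caller attaching the state before preauth runs, and that assignment is not visible here and should be confirmed. Testing `state == NULL || state->armor_key == NULL` in the armor case and `state != NULL && state->armor_key` in `get_enc_ts` would keep both safe. The armor case also returns a `krb5_keyblock *` through `ret->data` with `ret->length = sizeof(krb5_keyblock)`; a comment such as `/* data is a krb5_keyblock *, released via krb5plugin_preauth_free_fast_armor; not a byte buffer */` would stop a plugin from copying it by length.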
@@ -1340,7 +1371,20 @@ return 0; } - +static krb5_error_code get_enc_ts + (krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data_proc, + void *pa_system_context, + krb5_pa_data *data) +{ + struct kdc_request_state *state = request->kdc_state; + if (state->armor_key) + return ENOENT; + return 0; +} + + static krb5_error_code verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, Modified: branches/krb5-1-7/src/kdc/kdc_util.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -219,28 +219,20 @@ krb5_pa_data * find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type) { - krb5_pa_data **tmppa; - - if (padata == NULL) - return NULL; - - for (tmppa = padata; *tmppa != NULL; tmppa++) { - if ((*tmppa)->pa_type == pa_type) - break; - } - - return *tmppa; +return krb5int_find_pa_data(kdc_context, padata, pa_type); } krb5_error_code kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, krb5_data *pkt, krb5_ticket **ticket, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **subkey) + krb5_keyblock **subkey, + krb5_pa_data **pa_tgs_req) { krb5_pa_data * tmppa; krb5_ap_req * apreq; krb5_error_code retval; + krb5_authdata **authdata = NULL; krb5_data scratch1; krb5_data * scratch = NULL; krb5_boolean foreign_server = FALSE; 
@@ -352,6 +344,22 @@ &authenticator))) goto cleanup_auth_context; + retval = krb5int_find_authdata(kdc_context, + (*ticket)->enc_part2->authorization_data, + authenticator->authorization_data, + KRB5_AUTHDATA_FX_ARMOR, &authdata); + if (retval != 0) + goto cleanup_auth_context; + if (authdata&& authdata[0]) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ticket valid only as FAST armor"); + retval = KRB5KDC_ERR_POLICY; + krb5_free_authdata(kdc_context, authdata); + goto cleanup_auth_context; + } + krb5_free_authdata(kdc_context, authdata); + + /* Check for a checksum */ if (!(his_cksum = authenticator->checksum)) { retval = KRB5KRB_AP_ERR_INAPP_CKSUM; @@ -385,6 +393,8 @@ } } + if (retval == 0) + *pa_tgs_req = tmppa; cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); Modified: branches/krb5-1-7/src/kdc/kdc_util.h =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-15 20:07:03 UTC (rev 22241) @@ -66,7 +66,7 @@ krb5_ticket **, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **); + krb5_keyblock **, krb5_pa_data **pa_tgs_req); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, krb5_boolean match_enctype, 
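Review bot: `*pa_tgs_req = tmppa` in the `@@ -385,6 +393,8 @@` hunk hands the caller a pointer into `request->padata` rather than a copy, and that lifetime is not documented. The TGS path wraps `pa_tgs_req->contents` in `scratch` and passes it to `kdc_find_fast`, which calls `krb5_free_kdc_req` on the outer request once the FAST request has been accepted. Both `pa_tgs_req` and `scratch` would dangle after that call, assuming that freeing the request releases its padata. I would add `/* *pa_tgs_req aliases an element of request->padata; invalid once request is freed */` above the assignment and set `*pa_tgs_req = NULL` on entry so the failure paths leave a defined value. The body between the signature and this assignment is outside the hunks.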
@@ -298,8 +298,42 @@ const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_alt_tgt(krb5_principal p); +/*Request state*/ +struct kdc_request_state { + krb5_keyblock *armor_key; + krb5_keyblock *reply_key; /*When replaced by FAST*/ + krb5_pa_data *cookie; + krb5_int32 fast_options; + krb5_int32 fast_internal_flags; +}; +krb5_error_code kdc_make_rstate(struct kdc_request_state **out); +void kdc_free_rstate +(struct kdc_request_state *s); +/* FAST*/ +enum krb5_fast_kdc_flags { + KRB5_FAST_REPLY_KEY_USED = 0x1, + KRB5_FAST_REPLY_KEY_REPLACED = 0x02, +}; + +krb5_error_code kdc_find_fast +(krb5_kdc_req **requestptr, krb5_data *checksummed_data, + krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, + struct kdc_request_state *state); + +krb5_error_code kdc_fast_response_handle_padata +(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep); +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_pa_data **in_padata, krb5_error *err); + + + + #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -1625,6 +1625,57 @@ return retval; } +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val) +{ + setup(); + val->armor_value.data = NULL; + {begin_structure(); + get_field(val->armor_type, 0, asn1_decode_int32); + get_lenfield(val->armor_value.length, val->armor_value.data, + 1, asn1_decode_charstring); + end_structure(); + } + return 0; + error_out: + krb5_free_data_contents( NULL, &val->armor_value); + return retval; +} + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **valptr) +{ + decode_ptr(krb5_fast_armor *, asn1_decode_fast_armor); +} + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val) +{ + setup(); + val->client = NULL; + val->ticket_checksum.contents = NULL; + {begin_structure(); + get_field(val->timestamp, 0, asn1_decode_kerberos_time); + get_field(val->usec, 1, asn1_decode_int32); + alloc_field(val->client); + get_field(val->client, 2, asn1_decode_realm); + get_field(val->client, 3, asn1_decode_principal_name); + get_field(val->ticket_checksum, 4, asn1_decode_checksum); + end_structure(); + } + return 0; + error_out: + krb5_free_principal(NULL, val->client); + krb5_free_checksum_contents( NULL, &val->ticket_checksum); + return retval; +} +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **valptr) +{ + decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished); +} + + #ifndef DISABLE_PKINIT /* PKINIT */ @@ -2270,6 +2321,8 @@ return retval; } +#endif /* DISABLE_PKINIT */ + static void free_typed_data(void *dummy, krb5_typed_data *val) { free(val->data); 
@@ -2303,4 +2356,3 @@ { decode_ptr(krb5_typed_data *, asn1_decode_typed_data); } -#endif /* DISABLE_PKINIT */ Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h 2009-04-15 20:07:03 UTC (rev 22241) @@ -266,4 +266,16 @@ asn1_error_code asn1_decode_pa_pac_req (asn1buf *buf, krb5_pa_pac_req *val); +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val); + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **val); + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val); + +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **val); + #endif Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -338,6 +338,8 @@ DEFFNXTYPE(kdc_req_body, krb5_kdc_req, asn1_encode_kdc_req_body); /* end ugly hack */ +DEFPTRTYPE(ptr_kdc_req_body,kdc_req_body); + static const struct field_info transited_fields[] = { FIELDOF_NORM(krb5_transited, octet, tr_type, 0), FIELDOF_NORM(krb5_transited, ostring_data, tr_contents, 1), 
@@ -1177,6 +1179,88 @@ DEFFIELDTYPE(etype_list, krb5_etype_list, FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1)); +/* draft-ietf-krb-wg-preauth-framework-09 */ +static const struct field_info fast_armor_fields[] = { + FIELDOF_NORM(krb5_fast_armor, int32, armor_type, 0), + FIELDOF_NORM( krb5_fast_armor, ostring_data, armor_value, 1), +}; + +DEFSEQTYPE( fast_armor, krb5_fast_armor, fast_armor_fields, 0); +DEFPTRTYPE( ptr_fast_armor, fast_armor); + +static const struct field_info fast_armored_req_fields[] = { + FIELDOF_OPT( krb5_fast_armored_req, ptr_fast_armor, armor, 0, 0), + FIELDOF_NORM( krb5_fast_armored_req, checksum, req_checksum, 1), + FIELDOF_NORM( krb5_fast_armored_req, encrypted_data, enc_part, 2), +}; + +static unsigned int fast_armored_req_optional (const void *p) { + const krb5_fast_armored_req *val = p; + unsigned int optional = 0; + if (val->armor) + optional |= (1u)<<0; + return optional; +} + +DEFSEQTYPE( fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields, fast_armored_req_optional); +DEFFIELDTYPE( pa_fx_fast_request, krb5_fast_armored_req, + FIELDOF_ENCODEAS( krb5_fast_armored_req, fast_armored_req, 0)); + +DEFFIELDTYPE(fast_req_padata, krb5_kdc_req, + FIELDOF_NORM(krb5_kdc_req, ptr_seqof_pa_data, padata, -1)); +DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); + +static const struct field_info fast_req_fields[] = { + FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), + FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), +}; + +DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0); + + +static const struct field_info fast_finished_fields[] = { + FIELDOF_NORM( krb5_fast_finished, kerberos_time, timestamp, 0), + FIELDOF_NORM( krb5_fast_finished, int32, usec, 1), + FIELDOF_NORM( krb5_fast_finished, realm_of_principal, client, 2), + FIELDOF_NORM(krb5_fast_finished, principal, client, 3), + FIELDOF_NORM( krb5_fast_finished, checksum, 
ticket_checksum, 4), +}; + +DEFSEQTYPE( fast_finished, krb5_fast_finished, fast_finished_fields, 0); + +DEFPTRTYPE( ptr_fast_finished, fast_finished); + +static const struct field_info fast_response_fields[] = { + FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), + FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), +}; + +static unsigned int fast_response_optional (const void *p) +{ + unsigned int optional = 0; + const krb5_fast_response *val = p; + if (val->rep_key) + optional |= (1u <<1); + if (val->finished) + optional |= (1u<<2); + return optional; +} +DEFSEQTYPE( fast_response, krb5_fast_response, fast_response_fields, fast_response_optional); + +static const struct field_info fast_rep_fields[] = { + FIELDOF_ENCODEAS(krb5_enc_data, encrypted_data, 0), +}; +DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields, 0); + +DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data, + FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0)); + + + + /* Exported complete encoders -- these produce a krb5_data with the encoding in the correct byte order. */ @@ -1243,13 +1327,16 @@ MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data); MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list); +MAKE_FULL_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request); +MAKE_FULL_ENCODER( encode_krb5_fast_req, fast_req); +MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply); +MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response); -#ifndef DISABLE_PKINIT /* * PKINIT */ @@ -1351,6 +1438,8 @@ return retval; }\ sum += length; } +#ifndef DISABLE_PKINIT + /* Callable encoders for the types defined above, until the PKINIT encoders get converted. */ MAKE_ENCFN(asn1_encode_realm, realm_of_principal_data); 
@@ -1731,6 +1820,8 @@ asn1_cleanup(); } +#endif /* DISABLE_PKINIT */ + asn1_error_code asn1_encode_sequence_of_typed_data(asn1buf *buf, const krb5_typed_data **val, unsigned int *retlen) { asn1_setup(); @@ -1759,4 +1850,3 @@ asn1_makeseq(); asn1_cleanup(); } -#endif /* DISABLE_PKINIT */ Modified: branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -94,9 +94,9 @@ /* process a structure *******************************************/ /* decode an explicit tag and place the number in tagnum */ -#define next_tag() \ +#define next_tag_from_buf(buf) \ { taginfo t2; \ - retval = asn1_get_tag_2(&subbuf, &t2); \ + retval = asn1_get_tag_2(&(buf), &t2); \ if (retval) clean_return(retval); \ asn1class = t2.asn1class; \ construction = t2.construction; \ @@ -104,7 +104,9 @@ indef = t2.indef; \ taglen = t2.length; \ } +#define next_tag() next_tag_from_buf(subbuf) + static asn1_error_code asn1_get_eoc_tag (asn1buf *buf) { @@ -518,6 +520,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(10); retval = asn1_decode_kdc_req(&buf,rep); @@ -545,6 +548,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(12); retval = asn1_decode_kdc_req(&buf,rep); 
@@ -1080,6 +1084,91 @@ cleanup(free); } +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *code, krb5_fast_armored_req **repptr) +{ + setup(krb5_fast_armored_req *); + alloc_field(rep); + clear_field(rep, armor); + { + int indef; + unsigned int taglen; + next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + opt_field(rep->armor, 0, asn1_decode_fast_armor_ptr); + get_field(rep->req_checksum, 1, asn1_decode_checksum); + get_field(rep->enc_part, 2, asn1_decode_encrypted_data); + end_structure();} + rep->magic = KV5M_FAST_ARMORED_REQ; + cleanup(free); +} + +krb5_error_code decode_krb5_fast_req +(const krb5_data *code, krb5_fast_req **repptr) +{ + setup(krb5_fast_req *); + alloc_field(rep); + alloc_field(rep->req_body); + clear_field(rep, req_body->padata); + {begin_structure(); + get_field(rep->fast_options, 0, asn1_decode_int32); + opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); + get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); + end_structure(); } + rep->magic = KV5M_FAST_REQ; + cleanup_manual(); + error_out: + if (rep) { + if (rep->req_body) + krb5_free_kdc_req(0, rep->req_body); + free(rep); + } + return retval; +} + +krb5_error_code decode_krb5_fast_response +(const krb5_data *code, krb5_fast_response **repptr) +{ + setup(krb5_fast_response *); + + alloc_field(rep); + clear_field(rep, finished); + clear_field(rep, padata); + clear_field(rep,rep_key); + {begin_structure(); + get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); + opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); + get_field(rep->nonce, 3, asn1_decode_int32); + end_structure(); } + rep->magic = KV5M_FAST_RESPONSE; + cleanup(free); +} + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *code, krb5_enc_data **repptr) +{ + setup(krb5_enc_data *); + alloc_field(rep); + { + int indef; + unsigned int taglen; + 
next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + get_field(*rep, 0, asn1_decode_encrypted_data); + end_structure(); + } + + cleanup(free); +} + + #ifndef DISABLE_PKINIT krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr) @@ -1208,16 +1297,6 @@ } krb5_error_code -decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***repptr) -{ - setup_buf_only(krb5_typed_data **); - retval = asn1_decode_sequence_of_typed_data(&buf, &rep); - if (retval) clean_return(retval); - - cleanup(free); -} - -krb5_error_code decode_krb5_td_trusted_certifiers(const krb5_data *code, krb5_external_principal_identifier ***repptr) { @@ -1239,3 +1318,13 @@ cleanup(free); } #endif /* DISABLE_PKINIT */ + +krb5_error_code +decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***repptr) +{ + setup_buf_only(krb5_typed_data **); + retval = asn1_decode_sequence_of_typed_data(&buf, &rep); + if (retval) clean_return(retval); + + cleanup(free); +} Modified: branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -34,7 +34,6 @@ /**************** Macros (these save a lot of typing) ****************/ -#ifndef DISABLE_PKINIT /* setup() -- create and initialize bookkeeping variables retval: stores error codes returned from subroutines buf: the coding buffer @@ -63,6 +62,7 @@ *code = tmpcode;\ return 0 +#ifndef DISABLE_PKINIT krb5_error_code encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code) { krb5_setup(); 
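Review bot: `decode_krb5_pa_fx_fast_request` ends with `cleanup(free)` although `rep` may own nested allocations by then: `armor`, the `req_checksum` contents and the `enc_part` ciphertext. If `cleanup(free)` only calls `free(rep)` on the error path, as its argument suggests (the macro is defined outside this hunk), a request that fails part-way through decoding leaks those members. `kdc_find_fast` calls this decoder on client-supplied padata before the armor is processed. `decode_krb5_fast_req` in the same hunk already uses `cleanup_manual()` with a deep free; the same pattern with `krb5_free_fast_armored_req(NULL, rep);` under `error_out:` would fit here, and `decode_krb5_fast_response` has the same shape.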
@@ -153,21 +153,22 @@ krb5_cleanup(); } -krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data **code) +krb5_error_code encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_sequence_of_typed_data(buf,rep,&length); + retval = asn1_encode_sequence_of_algorithm_identifier(buf,rep,&length); if (retval) goto error; sum += length; krb5_cleanup(); } +#endif /* DISABLE_PKINIT */ -krb5_error_code encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **rep, krb5_data **code) +krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_sequence_of_algorithm_identifier(buf,rep,&length); + retval = asn1_encode_sequence_of_typed_data(buf,rep,&length); if (retval) goto error; sum += length; krb5_cleanup(); } -#endif /* DISABLE_PKINIT */ + Modified: branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et 2009-04-15 20:07:03 UTC (rev 22241) @@ -134,7 +134,7 @@ error_code KRB5PLACEHOLD_90, "KRB5 error code 90" error_code KRB5PLACEHOLD_91, "KRB5 error code 91" error_code KRB5PLACEHOLD_92, "KRB5 error code 92" -error_code KRB5PLACEHOLD_93, "KRB5 error code 93" +error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested" error_code KRB5PLACEHOLD_94, "KRB5 error code 94" error_code KRB5PLACEHOLD_95, "KRB5 error code 95" error_code KRB5PLACEHOLD_96, "KRB5 error code 96" 
@@ -347,4 +347,5 @@ error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" +error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" end Modified: branches/krb5-1-7/src/lib/krb5/error_tables/kv5m_err.et =================================================================== --- branches/krb5-1-7/src/lib/krb5/error_tables/kv5m_err.et 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/error_tables/kv5m_err.et 2009-04-15 20:07:03 UTC (rev 22241) @@ -86,5 +86,7 @@ error_code KV5M_PASSWD_PHRASE_ELEMENT, "Bad magic number for passwd_phrase_element" error_code KV5M_GSS_OID, "Bad magic number for GSSAPI OID" error_code KV5M_GSS_QUEUE, "Bad magic number for GSSAPI QUEUE" - +error_code KV5M_FAST_ARMORED_REQ, "Bad magic number for fast armored request" +error_code KV5M_FAST_REQ, "Bad magic number for FAST request" +error_code KV5M_FAST_RESPONSE, "Bad magic number for FAST response" end Modified: branches/krb5-1-7/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:07:03 UTC (rev 22241) @@ -40,6 +40,7 @@ enc_helper.o \ encode_kdc.o \ encrypt_tk.o \ + fast.o \ free_rtree.o \ fwd_tgt.o \ gc_frm_kdc.o \ @@ -127,6 +128,7 @@ $(OUTPRE)enc_helper.$(OBJEXT) \ $(OUTPRE)encode_kdc.$(OBJEXT) \ $(OUTPRE)encrypt_tk.$(OBJEXT) \ + $(OUTPRE)fast.$(OBJEXT) \ $(OUTPRE)free_rtree.$(OBJEXT) \ $(OUTPRE)fwd_tgt.$(OBJEXT) \ $(OUTPRE)gc_frm_kdc.$(OBJEXT) \ 
@@ -215,6 +217,7 @@ $(srcdir)/enc_helper.c \ $(srcdir)/encode_kdc.c \ $(srcdir)/encrypt_tk.c \ + $(srcdir)/fast.c \ $(srcdir)/free_rtree.c \ $(srcdir)/fwd_tgt.c \ $(srcdir)/gc_frm_kdc.c \ Added: branches/krb5-1-7/src/lib/krb5/krb/fast.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/fast.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/krb/fast.c 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -0,0 +1,499 @@
+/*
+ * lib/krb5/krb/fast.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ */
+
+#include
+
+/*
+ * It is possible to support sending a request that includes both a
+ * FAST and normal version. This would complicate the
+ * pre-authentication logic significantly. You would need to maintain
+ * two contexts, one for FAST and one for normal use. In adition, you
+ * would need to manage the security issues surrounding downgrades.
+ * However trying FAST at all requires an armor key. Generally in
+ * obtaining the armor key, the client learns enough to know that FAST
+ * is supported. If not, the client can see FAST in the
+ * preauth_required error's padata and retry with FAST. So, this
+ * implementation does not support FAST+normal.
+ *
+ * We store the outer version of the request to use . The caller
+ * stores the inner version. We handle the encoding of the request
+ * body (and request) and provide encoded request bodies for the
+ * caller to use as these may be used for checksums. In the AS case
+ * we also evaluate whether to continue a conversation as one of the
+ * important questions there is the presence of a cookie.
+ */
+#include "fast.h"
+#include "int-proto.h"
+
+
+static krb5_error_code fast_armor_ap_request
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_ccache ccache, krb5_data *target_realm)
+{
+ krb5_error_code retval = 0;
+ krb5_creds creds, *out_creds = NULL;
+ krb5_auth_context authcontext = NULL;
+ krb5_data encoded_authenticator;
+ krb5_fast_armor *armor = NULL;
+ krb5_keyblock *subkey = NULL, *armor_key = NULL;
+ encoded_authenticator.data = NULL;
+ memset(&creds, 0, sizeof(creds));
+ retval = krb5_tgtname(context, target_realm, target_realm, &creds.server);
+ if (retval ==0)
+ retval = krb5_cc_get_principal(context, ccache, &creds.client);
+ if (retval == 0)
+ retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
+ if (retval == 0)
+ retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/,
+ out_creds, &encoded_authenticator);
+ if (retval == 0)
+ retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
+ if (retval == 0)
+ retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
+ &out_creds->keyblock, "ticketarmor", &armor_key);
+ if (retval == 0) {
+ armor = calloc(1, sizeof(krb5_fast_armor));
+ if (armor == NULL)
+ retval = ENOMEM;
+ }
+ if (retval == 0) {
+ armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
+ armor->armor_value = encoded_authenticator;
+ encoded_authenticator.data = NULL;
+ encoded_authenticator.length = 0;
+ state->armor = armor;
+ armor = NULL;
+ state->armor_key = armor_key;
+ armor_key = NULL;
+ }
+ krb5_free_keyblock(context, armor_key);
+ krb5_free_keyblock(context, subkey);
+ if (out_creds)
+ krb5_free_creds(context, out_creds);
+ krb5_free_cred_contents(context, &creds);
+ if (encoded_authenticator.data)
+ krb5_free_data_contents(context, &encoded_authenticator);
+ krb5_auth_con_free(context, authcontext);
+ return retval;
+}
+
+krb5_error_code
+krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request, krb5_data **encoded_request_body)
+{
+ krb5_error_code retval = 0;
+ krb5_data *local_encoded_request_body = NULL;
+ assert(state != NULL);
+ *encoded_request_body = NULL;
+ if (state->armor_key == NULL) {
+ return encode_krb5_kdc_req_body(request, encoded_request_body);
+ }
+ state->fast_outer_request = *request;
+ state->fast_outer_request.padata = NULL;
+ if (retval == 0)
+ retval = encode_krb5_kdc_req_body(&state->fast_outer_request,
+ &local_encoded_request_body);
+ if (retval == 0) {
+ *encoded_request_body = local_encoded_request_body;
+ local_encoded_request_body = NULL;
+ }
+ if (local_encoded_request_body != NULL)
+ krb5_free_data(context, local_encoded_request_body);
+ return retval;
+}
+
+krb5_error_code krb5int_fast_as_armor
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request)
+{
+ krb5_error_code retval = 0;
+ krb5_ccache ccache = NULL;
+ krb5_clear_error_message(context);
+ if (opte->opt_private->fast_ccache_name) {
+ retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
+ &ccache);
+ if (retval==0)
+ retval = fast_armor_ap_request(context, state, ccache,
+ krb5_princ_realm(context, request->server));
+ if (retval != 0) {
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ if (errmsg) {
+ krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
+ krb5_free_error_message(context, errmsg);
+ }
+ }
+ }
+ if (ccache)
+ krb5_cc_close(context, ccache);
+ return retval;
+}
+
+
+krb5_error_code
+krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request)
+{
+ krb5_error_code retval = 0;
+ krb5_pa_data *pa_array[2];
+ krb5_pa_data pa[2];
+ krb5_fast_req fast_req;
+ krb5_fast_armored_req *armored_req = NULL;
+ krb5_data *encoded_fast_req = NULL;
+ krb5_data *encoded_armored_req = NULL;
+ krb5_data *local_encoded_result = NULL;
+ krb5_cksumtype cksumtype;
+ krb5_data random_data;
+ char random_buf[4];
+
+
+ assert(state != NULL);
+ assert(state->fast_outer_request.padata == NULL);
+ memset(pa_array, 0, sizeof pa_array);
+ if (state->armor_key == NULL) {
+ return encoder(request, encoded_request);
+ }
+/* Fill in a fresh random nonce for each inner request*/
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ retval = krb5_c_random_make_octets(context, &random_data);
+ if (retval == 0) {
+ request->nonce = 0x7fffffff & load_32_n(random_buf);
+ state->nonce = request->nonce;
+ }
+ fast_req.req_body = request;
+ if (fast_req.req_body->padata == NULL) {
+ fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));
+ if (fast_req.req_body->padata == NULL)
+ retval = ENOMEM;
+ }
+ fast_req.fast_options = state->fast_options;
+ if (retval == 0)
+ retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req);
+ if (retval == 0) {
+ armored_req = calloc(1, sizeof(krb5_fast_armored_req));
+ if (armored_req == NULL)
+ retval = ENOMEM;
+ }
+ if (retval == 0)
+ armored_req->armor = state->armor;
+ if (retval == 0)
+ retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype,
+ &cksumtype);
+ if (retval ==0)
+ retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed,
+ &armored_req->req_checksum);
+ if (retval == 0)
+ retval = krb5_encrypt_helper(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req,
+ &armored_req->enc_part);
+ if (retval == 0)
+ retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req);
+ if (retval==0) {
+ pa[0].pa_type = KRB5_PADATA_FX_FAST;
+ pa[0].contents = (unsigned char *) encoded_armored_req->data;
+ pa[0].length = encoded_armored_req->length;
+ pa_array[0] = &pa[0];
+ }
+ state->fast_outer_request.padata = pa_array;
+ if(retval == 0)
+ retval = encoder(&state->fast_outer_request, &local_encoded_result);
+ if (retval == 0) {
+ *encoded_request = local_encoded_result;
+ local_encoded_result = NULL;
+ }
+ if (encoded_armored_req)
+ krb5_free_data(context, encoded_armored_req);
+ if (armored_req) {
+ armored_req->armor = NULL; /*owned by state*/
+ krb5_free_fast_armored_req(context, armored_req);
+ }
+ if (encoded_fast_req)
+ krb5_free_data(context, encoded_fast_req);
+ if (local_encoded_result)
+ krb5_free_data(context, local_encoded_result);
+ state->fast_outer_request.padata = NULL;
+ return retval;
+}
+
+static krb5_error_code decrypt_fast_reply
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_pa_data **in_padata,
+ krb5_fast_response **response)
+{
+ krb5_error_code retval = 0;
+ krb5_data scratch;
+ krb5_enc_data *encrypted_response = NULL;
+ krb5_pa_data *fx_reply = NULL;
+ krb5_fast_response *local_resp = NULL;
+ assert(state != NULL);
+ assert(state->armor_key);
+ fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
+ if (fx_reply == NULL)
+ retval = KRB5_ERR_FAST_REQUIRED;
+ if (retval == 0) {
+ scratch.data = (char *) fx_reply->contents;
+ scratch.length = fx_reply->length;
+ retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
+ }
+ scratch.data = NULL;
+ if (retval == 0) {
+ scratch.data = malloc(encrypted_response->ciphertext.length);
+ if (scratch.data == NULL)
+ retval = ENOMEM;
+ scratch.length = encrypted_response->ciphertext.length;
+ }
+ if (retval == 0)
+ retval = krb5_c_decrypt(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP, NULL,
+ encrypted_response, &scratch);
+ if (retval != 0) {
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
+ krb5_free_error_message(context, errmsg);
+ }
+ if (retval == 0)
+ retval = decode_krb5_fast_response(&scratch, &local_resp);
+ if (retval == 0) {
+ if (local_resp->nonce != state->nonce) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
+ }
+ }
+ if (retval == 0) {
+ *response = local_resp;
+ local_resp = NULL;
+ }
+ if (scratch.data)
+ free(scratch.data);
+ if (encrypted_response)
+ krb5_free_enc_data(context, encrypted_response);
+ return retval;
+}
+
+/*
+ * FAST separates two concepts: the set of padata we're using to
+ * decide what pre-auth mechanisms to use and the set of padata we're
+ * making available to mechanisms in order for them to respond to an
+ * error. The plugin interface in March 2009 does not permit
+ * separating these concepts for the plugins. This function makes
+ * both available for future revisions to the plugin interface. It
+ * also re-encodes the padata from the current error as a encoded
+ * typed-data and puts that in the e_data field. That will allow
+ * existing plugins with the old interface to find the error data.
+ * The output parameter out_padata contains the padata from the error
+ * whenever padata is available (all the time with fast).
+ */
+krb5_error_code
+krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry)
+{
+ krb5_error_code retval = 0;
+ krb5_error *err_reply = *err_replyptr;
+ *out_padata = NULL;
+ *retry = 0;
+ if (state->armor_key) {
+ krb5_pa_data *fx_error_pa;
+ krb5_pa_data **result = NULL;
+ krb5_data scratch, *encoded_td = NULL;
+ krb5_error *fx_error = NULL;
+ krb5_fast_response *fast_response = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ retval = decrypt_fast_reply(context, state, result, &fast_response);
+ if (retval) {
+ /*This can happen if the KDC does not understand FAST. We
+ * don't expect that, but treating it as the fatal error
+ * indicated by the KDC seems reasonable.
+ */
+ *retry = 0;
+ krb5_free_pa_data(context, result);
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ result = NULL;
+ if (retval == 0) {
+ fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
+ if (fx_error_pa == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0) {
+ scratch.data = (char *) fx_error_pa->contents;
+ scratch.length = fx_error_pa->length;
+ retval = decode_krb5_error(&scratch, &fx_error);
+ }
+ /*
+ * krb5_pa_data and krb5_typed_data are safe to cast between:
+ * they have the same type fields in the same order.
+ * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
+ * ever changed then this will need to be a copy not a cast.
+ */
+ if (retval == 0)
+ retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
+ &encoded_td);
+ if (retval == 0) {
+ fx_error->e_data = *encoded_td;
+ free(encoded_td); /*contents owned by fx_error*/
+ encoded_td = NULL;
+ krb5_free_error(context, err_reply);
+ *err_replyptr = fx_error;
+ fx_error = NULL;
+ *out_padata = fast_response->padata;
+ fast_response->padata = NULL;
+ /*
+ * If there is more than the fx_error padata, then we want
+ * to retry the error
+ */
+ *retry = (*out_padata)[1] != NULL;
+ }
+ if (fx_error)
+ krb5_free_error(context, fx_error);
+ krb5_free_fast_response(context, fast_response);
+ } else { /*not FAST*/
+ *retry = (err_reply->e_data.length > 0);
+ if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED
+ ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) {
+ krb5_pa_data **result = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ if (retval == 0) {
+ *out_padata = result;
+
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ krb5_set_error_message(context, retval,
+ "Error decoding padata in error reply");
+ return retval;
+ }
+ }
+ return retval;
+}
+
+
+krb5_error_code krb5int_fast_process_response
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *resp,
+ krb5_keyblock **as_key)
+{
+ krb5_error_code retval = 0;
+ krb5_fast_response *fast_response = NULL;
+ krb5_data *encoded_ticket = NULL;
+ krb5_boolean cksum_valid;
+ krb5_clear_error_message(context);
+ *as_key = NULL;
+ if (state->armor_key == 0)
+ return 0;
+ retval = decrypt_fast_reply(context, state, resp->padata,
+ &fast_response);
+ if (retval == 0) {
+ if (fast_response->finished == 0) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply");
+ }
+ }
+ if (retval == 0)
+ retval = encode_krb5_ticket(resp->ticket, &encoded_ticket);
+ if (retval == 0)
+ retval = krb5_c_verify_checksum(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_FINISHED,
+ encoded_ticket,
+ &fast_response->finished->ticket_checksum,
+ &cksum_valid);
+ if (retval == 0 && cksum_valid == 0) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "ticket modified in KDC reply");
+ }
+ if (retval == 0) {
+ krb5_free_principal(context, resp->client);
+ resp->client = fast_response->finished->client;
+ fast_response->finished->client = NULL;
+ *as_key = fast_response->rep_key;
+ fast_response->rep_key = NULL;
+ krb5_free_pa_data(context, resp->padata);
+ resp->padata = fast_response->padata;
+ fast_response->padata = NULL;
+ }
+ if (fast_response)
+ krb5_free_fast_response(context, fast_response);
+ if (encoded_ticket)
+ krb5_free_data(context, encoded_ticket);
+ return retval;
+}
+krb5_error_code
+krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state)
+{
+ krb5_error_code retval = 0;
+ struct krb5int_fast_request_state *local_state ;
+ local_state = malloc(sizeof *local_state);
+ if (local_state == NULL)
+ return ENOMEM;
+ memset(local_state, 0, sizeof(*local_state));
+ *state = local_state;
+ return 0;
+}
+
+void
+krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state *state)
+{
+ /*We are responsible for none of the store in the fast_outer_req*/
+ krb5_free_keyblock(context, state->armor_key);
+ krb5_free_fast_armor(context, state->armor);
+ if (state->cookie) {
+ free(state->cookie->contents);
+ free(state->cookie);
+ state->cookie = NULL;
+ }
+ free(state);
+}
+
+krb5_pa_data * krb5int_find_pa_data
+(krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type)
+{
+ krb5_pa_data * const *tmppa;
+
+ if (padata == NULL)
+ return NULL;
+
+ for (tmppa = padata; *tmppa != NULL; tmppa++) {
+ if ((*tmppa)->pa_type == pa_type)
+ break;
+ }
+
+ return *tmppa;
+}
+
Added: branches/krb5-1-7/src/lib/krb5/krb/fast.h
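Review bot: In krb5int_fast_process_error the `if (retval)` branch after decrypt_fast_reply returns 0 for every failure, so a reply whose FAST part fails decryption or the nonce check is handed back to the caller as an ordinary KDC error, and the caller then acts on `err_reply->error` from a message that did not authenticate. The comment only justifies this for a KDC that does not understand FAST, so I would limit the pass-through to the cases where no FAST wrapper is present (the e_data did not decode, presumably leaving `result` NULL, or no FX_FAST element was found) and return `retval` otherwise, as sketched below. decrypt_fast_reply also leaks `local_resp` when the nonce comparison fails; add `krb5_free_fast_response(context, local_resp);` next to the other frees at the end. Its `free(scratch.data)` releases the decrypted response, which can carry `rep_key`, without clearing the buffer first.

```c
        if (retval) {
            *retry = 0;
            /* Only a reply with no FAST wrapper at all is passed through as the KDC's own error. */
            if (result == NULL || retval == KRB5_ERR_FAST_REQUIRED)
                retval = 0;
            krb5_free_pa_data(context, result);
            return retval;
        }
        /* … unchanged: FX_ERROR lookup, typed-data re-encoding, retry decision … */
```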
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/fast.h 2009-04-15 20:06:58 UTC (rev 22240)
+++ branches/krb5-1-7/src/lib/krb5/krb/fast.h 2009-04-15 20:07:03 UTC (rev 22241)
@@ -0,0 +1,77 @@
+/*
+ * lib/krb5/krb/fast.h
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * <<< Description >>>
+ */
+#ifndef KRB_FAST_H
+
+#define KRB_FAST_H
+
+#include
+
+struct krb5int_fast_request_state {
+ krb5_kdc_req fast_outer_request;
+ krb5_keyblock *armor_key; /*non-null means fast is in use*/
+ krb5_fast_armor *armor;
+ krb5_ui_4 fast_state_flags;
+ krb5_ui_4 fast_options;
+ krb5_pa_data *cookie;
+ krb5_int32 nonce;
+};
+
+krb5_error_code
+krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request, krb5_data **encoded_req_body);
+
+typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **);
+
+krb5_error_code
+krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request);
+krb5_error_code
+krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry);
+
+krb5_error_code krb5int_fast_process_response
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *resp,
+ krb5_keyblock **as_key);
+
+krb5_error_code
+krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state);
+
+void
+krb5int_fast_free_state( krb5_context , struct krb5int_fast_request_state *state);
+krb5_error_code krb5int_fast_as_armor
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request);
+
+
+#endif
Modified: branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c
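Review bot: The new header states none of the ownership rules its callers rely on, and the file comment still carries the `<<< Description >>>` placeholder. Above krb5int_fast_process_error I would add `/* May free *err_replyptr and replace it with the inner FAST error. A non-NULL *out_padata belongs to the caller, who releases it with krb5_free_pa_data(). */`, which is what fast.c and the get_in_tkt.c cleanup in this commit do. krb5int_fast_process_response deserves the matching line that `*as_key` is handed to the caller, and the `armor_key` field comment could say that krb5int_fast_free_state() frees it.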
@@ -32,6 +32,7 @@ #include "k5-int.h" #include "int-proto.h" #include "os-proto.h" +#include "fast.h" #if APPLE_PKINIT #define IN_TKT_DEBUG 0 @@ -967,6 +968,7 @@ krb5_data salt; krb5_data s2kparams; krb5_keyblock as_key; + krb5_keyblock *fast_as_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -974,6 +976,10 @@ krb5_preauth_client_rock get_data_rock; int canon_flag = 0; krb5_principal_data referred_client; + krb5_boolean retry = 0; + struct krb5int_fast_request_state *fast_state = NULL; + krb5_pa_data **out_padata = NULL; + /* initialize everything which will be freed at cleanup */ @@ -988,7 +994,7 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; - salt.length = 0; + salt.length = 0; salt.data = NULL; local_as_reply = 0; @@ -1002,6 +1008,9 @@ referred_client = *client; referred_client.realm.data = NULL; referred_client.realm.length = 0; + ret = krb5int_fast_make_state(context, &fast_state); + if (ret) + goto cleanup; /* * Set up the basic request structure @@ -1231,15 +1240,20 @@ /* XXX Yuck. Old version. */ request.nonce = (krb5_int32) time_now; } + ret = krb5int_fast_as_armor(context, fast_state, options, &request); + if (ret != 0) + goto cleanup; /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); - ret = encode_krb5_kdc_req_body(&request, &encoded_request_body); + ret = krb5int_fast_prep_req_body(context, fast_state, + &request, &encoded_request_body); if (ret) goto cleanup; get_data_rock.magic = CLIENT_ROCK_MAGIC; - get_data_rock.as_reply = NULL; - + get_data_rock.etype = &etype; + get_data_rock.fast_state = fast_state; + /* now, loop processing preauth data and talking to the kdc */ for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) { if (request.padata) { 
@@ -1258,6 +1272,10 @@ gak_fct, gak_data, &get_data_rock, options))) goto cleanup; + if (out_padata) { + krb5_free_pa_data(context, out_padata); + out_padata = NULL; + } } else { if (preauth_to_use != NULL) { /* @@ -1293,7 +1311,9 @@ krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; } - ret = encode_krb5_as_req(&request, &encoded_previous_request); + ret = krb5int_fast_prep_req(context, fast_state, + &request, encoded_request_body, + encode_krb5_as_req, &encoded_previous_request); if (ret) goto cleanup; @@ -1305,15 +1325,19 @@ goto cleanup; if (err_reply) { - if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && - err_reply->e_data.length > 0) { + ret = krb5int_fast_process_error(context, fast_state, &err_reply, + &out_padata, &retry); + if (ret !=0) + goto cleanup; + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED) +&& retry) { /* reset the list of preauth types to try */ if (preauth_to_use) { krb5_free_pa_data(context, preauth_to_use); preauth_to_use = NULL; } - ret = decode_krb5_padata_sequence(&err_reply->e_data, - &preauth_to_use); + preauth_to_use = out_padata; + out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; if (ret) @@ -1345,7 +1369,7 @@ goto cleanup; request.client = &referred_client; } else { - if (err_reply->e_data.length > 0) { + if (retry) { /* continue to next iteration */ } else { /* error + no hints = give up */ @@ -1374,10 +1398,14 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); + ret = krb5int_fast_process_response(context, fast_state, + local_as_reply, &fast_as_key); + if (ret) + goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, local_as_reply->padata))) goto cleanup; - get_data_rock.as_reply = local_as_reply; + etype = local_as_reply->enc_part.enctype; if ((ret = krb5_do_preauth(context, &request, encoded_request_body, encoded_previous_request, 
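Review bot: In the `@@ -1305,15 +1325,19 @@` hunk the trailing `if (ret)` is left over from the removed decode_krb5_padata_sequence call and can no longer be true, because `ret` is tested right after krb5int_fast_process_error and nothing assigns it before this point. Its body lies outside the hunk, so I cannot see what it jumps to, but the check should go so that the error path reads as what it is. The continuation `&& retry) {` also starts in column 0; fold it back into the condition as `if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED || err_reply->error == KDC_ERR_PREAUTH_FAILED) && retry) {`.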
@@ -1419,8 +1447,14 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - - if (as_key.length) + if (fast_as_key) { + if (as_key.length) + krb5_free_keyblock_contents(context, &as_key); + as_key = *fast_as_key; + free(fast_as_key); + fast_as_key = NULL; + } + if (as_key.length) ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, NULL, &as_key, krb5_kdc_rep_decrypt_proc, NULL); @@ -1477,6 +1511,11 @@ } } krb5_preauth_request_context_fini(context); + krb5_free_keyblock(context, fast_as_key); + if (fast_state) + krb5int_fast_free_state(context, fast_state); + if (out_padata) + krb5_free_pa_data(context, out_padata); if (encoded_previous_request != NULL) { krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; Modified: branches/krb5-1-7/src/lib/krb5/krb/gic_opt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/gic_opt.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/krb/gic_opt.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -146,6 +146,8 @@ /* Free up any private stuff */ if (opte->opt_private->preauth_data != NULL) free_gic_opt_ext_preauth_data(context, opte); + if (opte->opt_private->fast_ccache_name) + free(opte->opt_private->fast_ccache_name); free(opte->opt_private); opte->opt_private = NULL; return 0; 
@@ -465,3 +467,21 @@ } free(preauth_data); } +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, const char *ccache_name) +{ + krb5_error_code retval = 0; + krb5_gic_opt_ext *opte; + + retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, + "krb5_get_init_creds_opt_set_fast_ccache_name"); + if (retval) + return retval; + if (opte->opt_private->fast_ccache_name) { + free(opte->opt_private->fast_ccache_name); + } + opte->opt_private->fast_ccache_name = strdup(ccache_name); + if (opte->opt_private->fast_ccache_name == NULL) + retval = ENOMEM; + return retval; +} Modified: branches/krb5-1-7/src/lib/krb5/krb/kfree.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -54,6 +54,7 @@ */ #include "k5-int.h" +#include void KRB5_CALLCONV krb5_free_address(krb5_context context, krb5_address *val) @@ -344,6 +345,7 @@ { if (val == NULL) return; + assert( val->kdc_state == NULL); krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); krb5_free_principal(context, val->server); 
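Review bot: krb5_get_init_creds_opt_set_fast_ccache_name in the `@@ -465,3 +467,21 @@` hunk passes `ccache_name` straight to `strdup`, so a NULL argument is undefined behaviour, and that happens after the previous name has already been freed. This is an exported entry point (the commit adds it to libkrb5.exports), so the argument comes from application code. Reject it up front with `if (ccache_name == NULL) return EINVAL;`, or define NULL as clearing the setting. I would also duplicate into a temporary first and free the old value only once `strdup` has succeeded, so that an ENOMEM return leaves the option as it was.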
@@ -795,3 +797,63 @@ free(etypes); } } +void krb5_free_fast_req(krb5_context context, krb5_fast_req *val) +{ + if (val == NULL) + return; + krb5_free_kdc_req(context, val->req_body); + free(val); +} + +void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val) +{ + if (val == NULL) + return; + krb5_free_data_contents(context, &val->armor_value); + free(val); +} + +void krb5_free_fast_response(krb5_context context, krb5_fast_response *val) +{ + if (!val) + return; + krb5_free_pa_data(context, val->padata); + krb5_free_fast_finished(context, val->finished); + free(val); +} + +void krb5_free_fast_finished +(krb5_context context, krb5_fast_finished *val) +{ + if (!val) + return; + krb5_free_principal(context, val->client); + krb5_free_checksum_contents(context, &val->ticket_checksum); + free(val); +} + +void krb5_free_typed_data(krb5_context context, krb5_typed_data **in) +{ + int i = 0; + if (in == NULL) return; + while (in[i] != NULL) { + if (in[i]->data != NULL) + free(in[i]->data); + free(in[i]); + i++; + } + free(in); +} + +void krb5_free_fast_armored_req(krb5_context context, + krb5_fast_armored_req *val) +{ + if (val == NULL) + return; + if (val->armor) + krb5_free_fast_armor(context, val->armor); + krb5_free_data_contents(context, &val->enc_part.ciphertext); + if (val->req_checksum.contents) + krb5_free_checksum_contents(context, &val->req_checksum); + free(val); +} Modified: branches/krb5-1-7/src/lib/krb5/krb/preauth2.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-04-15 20:07:03 UTC (rev 22241) @@ -37,6 +37,7 @@ #include "osconf.h" #include #include "int-proto.h" +#include "fast.h" #if !defined(_WIN32) #include @@ -419,6 +420,7 @@ krb5_data **retdata) { krb5_data *ret; + krb5_error_code retval; char *data; if (rock->magic != CLIENT_ROCK_MAGIC) 
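Review bot: krb5_free_fast_response in the `@@ -795,3 +797,63 @@` hunk releases `padata` and `finished` but not `rep_key`, although krb5int_fast_process_response in fast.c moves `rep_key` out of the structure only on its success path. On the failure paths there (missing `finished`, ticket checksum mismatch) and in krb5int_fast_process_error, a reply key filled in by the decoder is neither freed nor cleared. Add `krb5_free_keyblock(context, val->rep_key);` before `free(val);`. That assumes `rep_key` is a heap-allocated `krb5_keyblock *`, as its assignment to `*as_key` suggests.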
@@ -430,8 +432,6 @@ case krb5plugin_preauth_client_get_etype: { krb5_enctype *eptr; - if (rock->as_reply == NULL) - return ENOENT; ret = malloc(sizeof(krb5_data)); if (ret == NULL) return ENOMEM; @@ -443,7 +443,7 @@ ret->data = data; ret->length = sizeof(krb5_enctype); eptr = (krb5_enctype *)data; - *eptr = rock->as_reply->enc_part.enctype; + *eptr = *rock->etype; *retdata = ret; return 0; } @@ -457,7 +457,38 @@ free(ret); return 0; break; - default: + case krb5plugin_preauth_client_fast_armor: { + krb5_keyblock *key = NULL; + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + retval = 0; + if (rock->fast_state->armor_key) + retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key, + &key); + if (retval == 0) { + ret->data = (char *) key; + ret->length = key?sizeof(krb5_keyblock):0; + key = NULL; + } + if (retval == 0) { + *retdata = ret; + ret = NULL; + } + if (ret) + free(ret); + return retval; + } + case krb5plugin_preauth_client_free_fast_armor: + ret = *retdata; + if (ret) { + if (ret->data) + krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data); + free(ret); + *retdata = NULL; + } + return 0; + default: return EINVAL; } } Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-04-15 20:07:03 UTC (rev 22241) @@ -19,6 +19,8 @@ decode_krb5_error decode_krb5_etype_info decode_krb5_etype_info2 +decode_krb5_fast_req +decode_krb5_pa_fx_fast_request decode_krb5_kdc_req_body decode_krb5_pa_enc_ts decode_krb5_pa_for_user @@ -36,6 +38,7 @@ decode_krb5_tgs_rep decode_krb5_tgs_req decode_krb5_ticket +decode_krb5_typed_data encode_krb5_alt_method encode_krb5_ap_rep encode_krb5_ap_rep_enc_part 
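Review bot: Both new rock fields are dereferenced without a NULL check: `*eptr = *rock->etype;` in `@@ -443,7 +443,7 @@` and `rock->fast_state->armor_key` in the fast_armor case of `@@ -457,7 +457,38 @@`. The only place this commit shows them being set is get_in_tkt.c, so any other code that fills in a krb5_preauth_client_rock would leave them unset and a plugin callback would crash the client. Guard them with `if (rock->etype == NULL) return ENOENT;` and `if (rock->fast_state && rock->fast_state->armor_key)`. The fast_armor case also returns success with `ret->data == NULL` and `length == 0` when no armor key exists; the request-type documentation should say so, since plugins cast `data` to a keyblock. The enclosing switch starts outside these hunks.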
@@ -56,6 +59,8 @@ encode_krb5_error encode_krb5_etype_info encode_krb5_etype_info2 +encode_krb5_fast_response +encode_krb5_pa_fx_fast_reply encode_krb5_kdc_req_body encode_krb5_pa_enc_ts encode_krb5_pa_for_user @@ -226,6 +231,8 @@ krb5_free_error krb5_free_error_message krb5_free_etype_info +krb5_free_fast_armored_req +krb5_free_fast_req krb5_free_host_realm krb5_free_kdc_rep krb5_free_kdc_req @@ -266,6 +273,7 @@ krb5_free_ticket krb5_free_tickets krb5_free_tkt_authent +krb5_free_typed_data krb5_free_unparsed_name krb5_fwd_tgt_creds krb5_gen_portaddr @@ -300,6 +308,7 @@ krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_etype_list +krb5_get_init_creds_opt_set_fast_ccache_name krb5_get_init_creds_opt_set_forwardable krb5_get_init_creds_opt_set_pa krb5_get_init_creds_opt_set_preauth_list @@ -516,6 +525,8 @@ krb5int_cleanup_library krb5int_cm_call_select krb5int_copy_data_contents_add0 +krb5int_find_authdata +krb5int_find_pa_data krb5int_foreach_localaddr krb5int_free_addrlist krb5int_init_context_kdc Modified: branches/krb5-1-7/src/lib/krb5/os/accessor.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/os/accessor.c 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/lib/krb5/os/accessor.c 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -132,6 +132,13 @@ S (encode_krb5_sam_response_2, encode_krb5_sam_response_2), S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2), + S (encode_enc_ts, encode_krb5_pa_enc_ts), + S (decode_enc_ts, decode_krb5_pa_enc_ts), + S (encode_enc_data, encode_krb5_enc_data), + S(decode_enc_data, decode_krb5_enc_data), + S(free_enc_ts, krb5_free_pa_enc_ts), + S(free_enc_data, krb5_free_enc_data), + S(encrypt_helper, krb5_encrypt_helper), #if DESIGNATED_INITIALIZERS }; Added: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/Makefile.in =================================================================== --- branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/Makefile.in 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/Makefile.in 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -0,0 +1,41 @@ +thisconfigdir=../../.. +myfulldir=plugins/preauth/encrypted_challenge +mydir=plugins/preauth/encrypted_challenge +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 -I. + +LIBBASE=encrypted_challenge +LIBMAJOR=0 +LIBMINOR=0 +SO_EXT=.so +RELDIR=../plugins/preauth/encrypted_challenge +# Depends on libk5crypto and libkrb5 +SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS=encrypted_challenge_main.o + +SRCS= $(srcdir)/encrypted_challenge_main.c + +all-unix:: $(LIBBASE)$(SO_EXT) +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + + at libnover_frag@ + at libobj_frag@ + Added: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps =================================================================== Added: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports =================================================================== --- branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports 2009-04-15 20:07:03 UTC (rev 22241) 
@@ -0,0 +1,2 @@
+preauthentication_client_1
+preauthentication_server_1
Added: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
===================================================================
--- branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-15 20:06:58 UTC (rev 22240)
+++ branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-15 20:07:03 UTC (rev 22241)
@@ -0,0 +1,409 @@ +/* + * plugins/preauth/encrypted_challenge/encrypted_challenge.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * + * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework + */ + +#include +#include "../fast_factor.h" + +#include + +static int preauth_flags +(krb5_context context, krb5_preauthtype pa_type) +{ + return PA_REAL; +} + +static krb5_error_code process_preauth +(krb5_context context, + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *padata, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, + krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + krb5_enctype enctype = 0; + krb5_keyblock *challenge_key = NULL, *armor_key = NULL; + krb5_data *etype_data = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval || armor_key == NULL) + return 0; + retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); + if (retval == 0) { + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); + } + if (padata->length) { + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + 
scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); +/*Per draft 11 of the preauth framework, the client MAY but + * is not required to actually check the timestamp from the KDC other than + * to confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); + } else { /*No padata; we send*/ + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + if (retval == 0) + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + 
krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (etype_data != NULL) + get_data_proc(context, rock, krb5plugin_preauth_client_free_etype, + &etype_data); + return retval; +} + + + + +static krb5_error_code kdc_include_padata +(krb5_context context, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + krb5_pa_data *data) +{ + krb5_error_code retval = 0; + krb5_keyblock *armor_key = NULL; + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval) + return retval; + if (armor_key == 0) + return ENOENT; + krb5_free_keyblock(context, armor_key); + return 0; +} + +static krb5_error_code kdc_verify_preauth +(krb5_context context, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) +{ + krb5_error_code retval = 0; + krb5_timestamp now; + krb5_enc_data *enc = NULL; + krb5_data scratch, plain; + krb5_keyblock *armor_key = NULL; + krb5_pa_enc_ts *ts = NULL; + krb5int_access kaccess; + krb5_keyblock *client_keys = NULL; + krb5_data *client_data = NULL; + krb5_keyblock *challenge_key = NULL; + int i; + + plain.data = NULL; + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval == 0 &&armor_key == NULL) { + retval = ENOENT; + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + } + scratch.data = (char *) data->contents; + scratch.length = data->length; + if 
(retval == 0) + retval = kaccess.decode_enc_data(&scratch, &enc); + if (retval == 0) { + plain.data = malloc(enc->ciphertext.length); + plain.length = enc->ciphertext.length; + if (plain.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = get_entry_proc(context, request, client, + krb5plugin_preauth_keys, &client_data); + if (retval == 0) { + client_keys = (krb5_keyblock *) client_data->data; + for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + &client_keys[i], "challengelongterm", + &challenge_key); + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } + + } + if (retval == 0) + retval = kaccess.decode_enc_ts(&plain, &ts); + if (retval == 0) + retval = krb5_timeofday(context, &now); + if (retval == 0) { + if (labs(now-ts->patimestamp) < context->clockskew) { + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; +/*If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + this a success, so the return value is ignored. 
*/ + fast_kdc_replace_reply_key(context, get_entry_proc, request); + krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); + } else { /*skew*/ + retval = KRB5KRB_AP_ERR_SKEW; + } + } + if (client_keys) { + if (client_keys[i].enctype) + krb5_free_keyblock_contents(context, &client_keys[i]); + krb5_free_data(context, client_data); + } + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (plain.data) + free(plain.data); + if (enc) + kaccess.free_enc_data(context, enc); + if (ts) + kaccess.free_enc_ts(context, ts); + return retval; +} + +static krb5_error_code kdc_return_preauth +(krb5_context context, + krb5_pa_data * padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context) +{ + krb5_error_code retval = 0; + krb5_keyblock *challenge_key = *pa_request_context; + krb5_pa_enc_ts ts; + krb5_data *plain = NULL; + krb5_enc_data enc; + krb5_data *encoded = NULL; + krb5_pa_data *pa = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + if (challenge_key == NULL) + return 0; + * pa_request_context = NULL; /*this function will free the + * challenge key*/ + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &plain); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, + plain, &enc); + if (retval == 0) + retval = kaccess.encode_enc_data(&enc, &encoded); + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + 
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + pa->contents = (unsigned char *) encoded->data; + pa->length = encoded->length; + encoded->data = NULL; + *send_pa = pa; + pa = NULL; + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (encoded) + krb5_free_data(context, encoded); + if (plain) + krb5_free_data(context, plain); + if (enc.ciphertext.data) + krb5_free_data_contents(context, &enc.ciphertext); + return retval; +} + +static int kdc_preauth_flags +(krb5_context context, krb5_preauthtype patype) +{ + return 0; +} + +krb5_preauthtype supported_pa_types[] = { + KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { + "Encrypted challenge", + &supported_pa_types[0], +NULL, +NULL, +kdc_preauth_flags, + kdc_include_padata, + kdc_verify_preauth, + kdc_return_preauth, +NULL +}; + +struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { + "Encrypted Challenge", /* name */ + &supported_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + preauth_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + process_preauth, /* process function */ + NULL, /* try_again function */ +NULL /* get init creds opt function */ +}; Added: branches/krb5-1-7/src/plugins/preauth/fast_factor.h =================================================================== --- branches/krb5-1-7/src/plugins/preauth/fast_factor.h 2009-04-15 20:06:58 UTC (rev 22240) +++ branches/krb5-1-7/src/plugins/preauth/fast_factor.h 2009-04-15 20:07:03 UTC (rev 22241) 
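Review bot: In `kdc_return_preauth`, `krb5_enc_data enc` is never initialised, yet the cleanup tests `enc.ciphertext.data` and passes it to `krb5_free_data_contents`; if `krb5_us_timeofday` or `encode_enc_ts` fails, `encrypt_helper` never runs and the KDC frees an indeterminate stack pointer. Setting `enc.ciphertext.data = NULL;` right after the declarations closes that path. Separately, `kdc_verify_preauth` does `return 0` when `krb5int_accessor` fails, which is the success code for a verification callback; returning the accessor's error would fail closed, though how the KDC treats a 0 without `TKT_FLG_PRE_AUTH` set is outside this file. The same early `return 0` in `kdc_return_preauth` also skips freeing the challenge key taken from `*pa_request_context`.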
@@ -0,0 +1,53 @@ +/*Returns success with a null armor_key if FAST is available but not in use. +Returns failure if the client library does not support FAST +*/ +static krb5_error_code fast_get_armor_key +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock, + krb5_keyblock **armor_key) +{ + krb5_error_code retval = 0; + krb5_data *data; + retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, + &data); + } + return retval; +} + +static krb5_error_code fast_kdc_get_armor_key +(krb5_context context, preauth_get_entry_data_proc get_entry, + krb5_kdc_req *request,struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) +{ + krb5_error_code retval; + krb5_data *data; + retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5plugin_preauth_free_fast_armor, &data); + } + return retval; + } + + + + static krb5_error_code fast_kdc_replace_reply_key + (krb5_context context, preauth_get_entry_data_proc get_data, + krb5_kdc_req *request) + { + return 0; + } + +static krb5_error_code fast_set_kdc_verified +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock) +{ + return 0; +} From tlyu at MIT.EDU Wed Apr 15 16:07:21 2009 
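Review bot: `fast_kdc_replace_reply_key` and `fast_set_kdc_verified` are empty stubs that return 0, so their callers in encrypted_challenge_main.c proceed as if the reply key had been replaced and the KDC marked verified, while nothing is recorded. Mark them as placeholders, e.g. `/* TODO: not implemented yet; always reports success. */`, so nobody relies on them for a security decision. In the two armor-key helpers `data` is uninitialised and is dereferenced whenever the callback returns 0; declaring `krb5_data *data = NULL;` and checking it before `data->data` would not depend on every callback setting the out-parameter. The header also defines `static` functions with no include guard visible in the hunk.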
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:21 -0400 Subject: svn rev #22245: branches/krb5-1-7/src/ include/ kdc/ lib/crypto/ lib/crypto/arcfour/ ... Message-ID: <200904152007.n3FK7LTg001720@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22245 Commit By: tlyu Log Message: ticket: 6436 pull up r22167, r22170 from trunk ------------------------------------------------------------------------ r22170 | hartmans | 2009-04-03 23:03:04 -0400 (Fri, 03 Apr 2009) | 3 lines Changed paths: M /trunk/src/kdc/fast_util.c M /trunk/src/lib/krb5/krb/get_in_tkt.c ticket: 6436 fix logic errors ------------------------------------------------------------------------ r22167 | hartmans | 2009-04-03 00:03:45 -0400 (Fri, 03 Apr 2009) | 3 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/kdc/do_as_req.c M /trunk/src/kdc/do_tgs_req.c M /trunk/src/kdc/fast_util.c M /trunk/src/kdc/kdc_preauth.c M /trunk/src/kdc/kdc_util.c M /trunk/src/kdc/kdc_util.h M /trunk/src/lib/crypto/arcfour/arcfour.c M /trunk/src/lib/crypto/arcfour/arcfour.h M /trunk/src/lib/crypto/etypes.c M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c M /trunk/src/lib/krb5/asn.1/krb5_decode.c M /trunk/src/lib/krb5/krb/Makefile.in M /trunk/src/lib/krb5/krb/fast.c M /trunk/src/lib/krb5/krb/fast.h M /trunk/src/lib/krb5/krb/get_in_tkt.c M /trunk/src/lib/krb5/krb/kfree.c M /trunk/src/lib/krb5/krb/preauth2.c A /trunk/src/lib/krb5/krb/t_ad_fx_armor.c M /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c ticket: 6436 Merge fast branch at 22166 onto trunk Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/kdc/do_as_req.c U branches/krb5-1-7/src/kdc/do_tgs_req.c U branches/krb5-1-7/src/kdc/fast_util.c U branches/krb5-1-7/src/kdc/kdc_preauth.c U branches/krb5-1-7/src/kdc/kdc_util.c U branches/krb5-1-7/src/kdc/kdc_util.h U branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c U branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.h U 
branches/krb5-1-7/src/lib/crypto/etypes.c U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c U branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in U branches/krb5-1-7/src/lib/krb5/krb/fast.c U branches/krb5-1-7/src/lib/krb5/krb/fast.h U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c U branches/krb5-1-7/src/lib/krb5/krb/kfree.c U branches/krb5-1-7/src/lib/krb5/krb/preauth2.c A branches/krb5-1-7/src/lib/krb5/krb/t_ad_fx_armor.c U branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/include/k5-int.h 2009-04-15 20:07:21 UTC (rev 22245) @@ -982,7 +982,7 @@ typedef struct _krb5_fast_req { krb5_magic magic; - krb5_int32 fast_options; + krb5_flags fast_options; /* padata from req_body is used*/ krb5_kdc_req *req_body; } krb5_fast_req; @@ -1001,7 +1001,7 @@ typedef struct _krb5_fast_response { krb5_magic magic; krb5_pa_data **padata; - krb5_keyblock *rep_key; + krb5_keyblock *strengthen_key; krb5_fast_finished *finished; krb5_int32 nonce; } krb5_fast_response; Modified: branches/krb5-1-7/src/kdc/do_as_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -119,6 +119,7 @@ krb5_keylist_node *tmp_mkey_list; struct kdc_request_state *state = NULL; krb5_data encoded_req_body; + krb5_keyblock *as_encrypting_key = NULL; #if APPLE_PKINIT 
@@ -592,7 +593,7 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype); if (errcode) { status = "fast response handling"; goto errout; @@ -602,8 +603,13 @@ reply.enc_part.enctype = client_keyblock.enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, - 0, &client_keyblock, &reply, response); + errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key); + if (errcode) { + status = "generating reply key"; + goto errout; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, + 0, as_encrypting_key, &reply, response); reply.enc_part.kvno = client_key->key_data_kvno; if (errcode) { status = "ENCODE_KDC_REP"; @@ -637,7 +643,8 @@ egress: if (pa_context) free_padata_context(kdc_context, &pa_context); - + if (as_encrypting_key) + krb5_free_keyblock(kdc_context, as_encrypting_key); if (errcode) emsg = krb5_get_error_message(kdc_context, errcode); @@ -760,7 +767,7 @@ if (pa == NULL) retval = ENOMEM; else for (size = 0; td[size]; size++) { - krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); if (pad == NULL) { retval = ENOMEM; break; Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-04-15 20:07:21 UTC (rev 22245) 
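Review bot: The allocation corrected in the -760 hunk, `malloc(sizeof(krb5_pa_data ))`, still spells the type by hand, so a mismatch like the removed `sizeof(krb5_pa_data *)` can recur. Writing it as `krb5_pa_data *pad = malloc(sizeof(*pad));` ties the size to the variable and drops the stray space. The enclosing function starts and ends outside the hunk.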
@@ -878,7 +878,8 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = kdc_fast_response_handle_padata(state, request, &reply); + errcode = kdc_fast_response_handle_padata(state, request, &reply, + subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { status = "Preparing FAST padata"; goto cleanup; @@ -972,7 +973,7 @@ krb5_data **response, const char *status) { krb5_error errpkt; - krb5_error_code retval; + krb5_error_code retval = 0; krb5_data *scratch; errpkt.ctime = request->nonce; @@ -997,7 +998,8 @@ } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (state) + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); if (retval) { free(scratch); free(errpkt.text.data); Modified: branches/krb5-1-7/src/kdc/fast_util.c =================================================================== --- branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -50,7 +50,7 @@ krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; - assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST); + assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) @@ -211,7 +211,7 @@ else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); if (retval == 0 && cookie_padata != NULL) { krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); - if (new_padata != NULL) { + if (new_padata == NULL) { retval = ENOMEM; } else { new_padata->pa_type = KRB5_PADATA_FX_COOKIE; 
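Review bot: The new fourth argument in the -878 hunk repeats the `subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype` expression that was stored in `reply.enc_part.enctype` two lines earlier. Passing the stored value keeps the two from drifting apart: `errcode = kdc_fast_response_handle_padata(state, request, &reply, reply.enc_part.enctype);`. The enclosing function extends beyond the hunk.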
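Review bot: In the fast_util.c hunk at -50, the corrected `assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);` checks a field that appears to come from the request's armor. If the caller, which is outside the hunk, does not already reject other armor types, an unexpected value aborts the KDC in builds with assertions and is silently accepted under NDEBUG. An explicit `if (armor->armor_type != KRB5_FAST_ARMOR_AP_REQUEST) return KRB5KDC_ERR_PREAUTH_FAILED;` behaves the same in both, assuming the function returns a `krb5_error_code` as its use of `retval` suggests.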
@@ -251,8 +251,8 @@ return; if (s->armor_key) krb5_free_keyblock(kdc_context, s->armor_key); - if (s->reply_key) - krb5_free_keyblock(kdc_context, s->reply_key); + if (s->strengthen_key) + krb5_free_keyblock(kdc_context, s->strengthen_key); if (s->cookie) { free(s->cookie->contents); free(s->cookie); @@ -263,24 +263,33 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep) + krb5_kdc_rep *rep, krb5_enctype enctype) { krb5_error_code retval = 0; krb5_fast_finished finish; krb5_fast_response fast_response; krb5_data *encoded_ticket = NULL; krb5_data *encrypted_reply = NULL; - krb5_pa_data *pa = NULL, **pa_array; + krb5_pa_data *pa = NULL, **pa_array = NULL; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; + krb5_keyblock *strengthen_key = NULL; if (!state->armor_key) return 0; memset(&finish, 0, sizeof(finish)); + retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key); + if (retval == 0) + retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); + if (retval == 0) { + state->strengthen_key = strengthen_key; + strengthen_key = NULL; + } + fast_response.padata = rep->padata; if (fast_response.padata == NULL) fast_response.padata = &empty_padata[0]; - fast_response.rep_key = state->reply_key; + fast_response.strengthen_key = state->strengthen_key; fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; 
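Review bot: In `kdc_fast_response_handle_padata` (hunk at -263), `state->strengthen_key = strengthen_key;` overwrites whatever the state already held, so a second call on the same request state would leak the earlier key. No caller in view does that, but `if (state->strengthen_key) krb5_free_keyblock(kdc_context, state->strengthen_key);` before the assignment makes the ownership explicit. When key generation fails, the lines in the hunk still go on to fill `fast_response` with a NULL `strengthen_key`; whether `retval` is checked before the response is encoded is outside the hunk. The new `enctype` parameter also deserves a comment saying it selects the type of the random strengthen key.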
@@ -309,15 +318,20 @@ pa_array[0] = &pa[0]; rep->padata = pa_array; pa_array = NULL; + free(encrypted_reply); encrypted_reply = NULL; pa = NULL; } if (pa) free(pa); + if (pa_array) + free(pa_array); if (encrypted_reply) krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) krb5_free_data(kdc_context, encoded_ticket); + if (strengthen_key != NULL) + krb5_free_keyblock(kdc_context, strengthen_key); if (finish.ticket_checksum.contents) krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); return retval; @@ -339,8 +353,8 @@ krb5_fast_response resp; krb5_error fx_error; krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; - krb5_pa_data pa[2]; - krb5_pa_data *outer_pa[3]; + krb5_pa_data pa[1]; + krb5_pa_data *outer_pa[3], *cookie = NULL; krb5_pa_data **inner_pa = NULL; size_t size = 0; krb5_data *encoded_e_data = NULL; @@ -366,15 +380,26 @@ pa[0].length = encoded_fx_error->length; pa[0].contents = (unsigned char *) encoded_fx_error->data; inner_pa[size++] = &pa[0]; - resp.padata = inner_pa; + if (find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE) == NULL) + retval = kdc_preauth_get_cookie(state, &cookie); + } + if (cookie != NULL) + inner_pa[size++] = cookie; + if (retval == 0) { + resp.padata = inner_pa; resp.nonce = request->nonce; - resp.rep_key = NULL; + resp.strengthen_key = NULL; resp.finished = NULL; } if (retval == 0) retval = encrypt_fast_reply(state, &resp, &encrypted_reply); if (inner_pa) free(inner_pa); /*contained storage from caller and our stack*/ + if (cookie) { + free(cookie->contents); + free(cookie); + cookie = NULL; + } if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; pa[0].length = encrypted_reply->length; 
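Review bot: The hunk at -366 appends a second element, `inner_pa[size++] = cookie;`, to an array whose allocation is outside the hunk. If `inner_pa` was sized for the caller's padata plus the FX error entry and a terminator, the cookie either takes the terminator slot or writes one pointer past the end, so the allocation should be checked to reserve a slot for it. `find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE)` likewise relies on the array being NULL-terminated at that point.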
@@ -396,3 +421,45 @@ krb5_free_data(kdc_context, encoded_fx_error); return retval; } + +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key) +{ + krb5_error_code retval = 0; + if (state->armor_key) + retval = krb5_c_fx_cf2_simple(kdc_context, + state->strengthen_key, "strengthenkey", + existing_key, + "replykey", out_key); + else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); + return retval; +} + + +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie) +{ + char *contents; + krb5_pa_data *pa = NULL; + /* In our current implementation, the only purpose served by + * returning a cookie is to indicate that a conversation should + * continue on error. Thus, the cookie can have a constant + * string. If cookies are used for real, versioning so that KDCs + * can be upgraded, keying, expiration and many other issues need + * to be considered. + */ + contents = strdup("MIT"); + if (contents == NULL) + return ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) { + free(contents); + return ENOMEM; + } + pa->pa_type = KRB5_PADATA_FX_COOKIE; + pa->length = strlen(contents); + pa->contents = (unsigned char *) contents; + *cookie = pa; + return 0; +} Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -290,6 +290,17 @@ 0 }, { + "FAST", + KRB5_PADATA_FX_FAST, + PA_HARDWARE, + NULL, + NULL, + NULL, + NULL, + NULL, + 0 + }, + { "etype-info", KRB5_PADATA_ETYPE_INFO, 0, 
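Review bot: `kdc_fast_handle_reply_key` hands `state->strengthen_key` to `krb5_c_fx_cf2_simple` whenever `armor_key` is set, without checking that the strengthen key was actually generated. It is only assigned in `kdc_fast_response_handle_padata` on success, so the function depends on call order; a guard such as `if (state->armor_key && state->strengthen_key == NULL) return EINVAL;` would turn a misuse into an error instead of a NULL key reaching the crypto layer. Both new functions also lack a comment stating that the caller owns `*out_key` and `*cookie` and how to release them (the error path earlier in this file frees `cookie->contents` and then `cookie`).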
@@ -961,7 +972,8 @@ e_data->data = 0; hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); - pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+1)); + /* Allocate 1 entry for the terminator and one for the cookie*/ + pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21)); if (pa_data == 0) return; memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); @@ -995,6 +1007,8 @@ "%spreauth required but hint list is empty", hw_only ? "hw" : ""); } +/* If we fail to get the cookie it is probably still reasonable to continue with the response*/ + kdc_preauth_get_cookie(request->kdc_state, pa); retval = encode_krb5_padata_sequence(pa_data, &edat); if (retval) goto errout; Modified: branches/krb5-1-7/src/kdc/kdc_util.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -349,13 +349,13 @@ authenticator->authorization_data, KRB5_AUTHDATA_FX_ARMOR, &authdata); if (retval != 0) - goto cleanup_auth_context; + goto cleanup_authenticator; if (authdata&& authdata[0]) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, "ticket valid only as FAST armor"); retval = KRB5KDC_ERR_POLICY; krb5_free_authdata(kdc_context, authdata); - goto cleanup_auth_context; + goto cleanup_authenticator; } krb5_free_authdata(kdc_context, authdata); Modified: branches/krb5-1-7/src/kdc/kdc_util.h =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/kdc/kdc_util.h 2009-04-15 20:07:21 UTC (rev 22245) 
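Review bot: In the -961 hunk, `n_preauth_systems+21` does not match the new comment (one terminator plus one cookie would be `+2`), and the unchanged `memset` still clears only `n_preauth_systems+1` entries. If every slot is used and the cookie is then stored through `pa` in the next hunk, the terminator slot was never zeroed and `encode_krb5_padata_sequence` would walk into uninitialised pointers. Allocating with `pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));` sizes and clears the array in one place and makes the `memset` unnecessary. The enclosing function extends beyond the hunk.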
@@ -302,11 +302,12 @@ struct kdc_request_state { krb5_keyblock *armor_key; - krb5_keyblock *reply_key; /*When replaced by FAST*/ + krb5_keyblock *strengthen_key; krb5_pa_data *cookie; krb5_int32 fast_options; krb5_int32 fast_internal_flags; }; + krb5_error_code kdc_make_rstate(struct kdc_request_state **out); void kdc_free_rstate (struct kdc_request_state *s); @@ -325,12 +326,21 @@ krb5_error_code kdc_fast_response_handle_padata (struct kdc_request_state *state, krb5_kdc_req *request, - krb5_kdc_rep *rep); + krb5_kdc_rep *rep, + krb5_enctype enctype); krb5_error_code kdc_fast_handle_error (krb5_context context, struct kdc_request_state *state, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err); +krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key); + + +krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie); + Modified: branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -8,6 +8,8 @@ */ #include "k5-int.h" #include "arcfour-int.h" +#include "../hash_provider/hash_provider.h" + const char *const krb5int_arcfour_l40 = "fortybits"; void 
@@ -304,3 +306,12 @@ return (ret); } + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) + { + assert(out->length == 20); + return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out); + } Modified: branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.h =================================================================== --- branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.h 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.h 2009-04-15 20:07:21 UTC (rev 22245) @@ -34,5 +34,10 @@ extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_aead_provider krb5int_aead_arcfour; + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); #endif /* ARCFOUR_H */ Modified: branches/krb5-1-7/src/lib/crypto/etypes.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/etypes.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/crypto/etypes.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -119,10 +119,10 @@ "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, 0 /*flags*/ }, 
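Review bot: krb5int_arcfour_prf() validates the caller's output buffer only with `assert(out->length == 20)`, which is compiled out under NDEBUG and aborts the process otherwise; a library routine on a key-derivation path should return an error instead. Suggest `if (out->length != 20) return KRB5_CRYPTO_INTERNAL;`, ideally with the literal replaced by a named constant for the SHA-1 output size, since the same 20 reappears as the PRF length in the etypes.c hunks. A one-line comment stating that `enc` and `hash` are intentionally ignored and HMAC-SHA1 is always used would also help, because the etype entries list `&krb5int_hash_md5` as their hash provider.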
@@ -131,10 +131,10 @@ "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, - 0, + 20, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ + krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, ETYPE_WEAK Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -1211,7 +1211,7 @@ DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); static const struct field_info fast_req_fields[] = { - FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM(krb5_fast_req, krb5_flags, fast_options, 0), FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), }; @@ -1233,7 +1233,7 @@ static const struct field_info fast_response_fields[] = { FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), - FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, strengthen_key, 1, 1), FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), }; @@ -1242,7 +1242,7 @@ { unsigned int optional = 0; const krb5_fast_response *val = p; - if (val->rep_key) + if (val->strengthen_key) optional |= (1u <<1); if (val->finished) optional |= (1u<<2); Modified: branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c 2009-04-15 20:07:21 UTC (rev 22245) 
@@ -1114,7 +1114,7 @@ alloc_field(rep->req_body); clear_field(rep, req_body->padata); {begin_structure(); - get_field(rep->fast_options, 0, asn1_decode_int32); + get_field(rep->fast_options, 0, asn1_decode_krb5_flags); opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); end_structure(); } @@ -1137,10 +1137,10 @@ alloc_field(rep); clear_field(rep, finished); clear_field(rep, padata); - clear_field(rep,rep_key); + clear_field(rep,strengthen_key); {begin_structure(); get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); - opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->strengthen_key, 1, asn1_decode_encryption_key_ptr); opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); get_field(rep->nonce, 3, asn1_decode_int32); end_structure(); } Modified: branches/krb5-1-7/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-04-15 20:07:21 UTC (rev 22245) @@ -271,6 +271,7 @@ $(srcdir)/srv_dec_tkt.c \ $(srcdir)/srv_rcache.c \ $(srcdir)/str_conv.c \ + $(srcdir)/t_ad_fx_armor.c \ $(srcdir)/tgtname.c \ $(srcdir)/unparse.c \ $(srcdir)/valid_times.c \ @@ -317,6 +318,9 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) +t_ad_fx_armor: t_ad_fx_armor.o + $(CC_LINK) -o $@ $< $(KRB5_BASE_LIBS) + t_authdata: t_authdata.o copy_auth.o $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) Modified: branches/krb5-1-7/src/lib/krb5/krb/fast.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/fast.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/fast.c 2009-04-15 20:07:21 UTC (rev 22245) 
@@ -299,6 +299,8 @@ free(scratch.data); if (encrypted_response) krb5_free_enc_data(context, encrypted_response); + if (local_resp) + krb5_free_fast_response(context, local_resp); return retval; } @@ -376,9 +378,11 @@ fast_response->padata = NULL; /* * If there is more than the fx_error padata, then we want - * to retry the error + * to retry the error if a cookie is present */ *retry = (*out_padata)[1] != NULL; + if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL) + *retry = 0; } if (fx_error) krb5_free_error(context, fx_error); @@ -408,14 +412,14 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key) + krb5_keyblock **strengthen_key) { krb5_error_code retval = 0; krb5_fast_response *fast_response = NULL; krb5_data *encoded_ticket = NULL; krb5_boolean cksum_valid; krb5_clear_error_message(context); - *as_key = NULL; + *strengthen_key = NULL; if (state->armor_key == 0) return 0; retval = decrypt_fast_reply(context, state, resp->padata, @@ -442,8 +446,8 @@ krb5_free_principal(context, resp->client); resp->client = fast_response->finished->client; fast_response->finished->client = NULL; - *as_key = fast_response->rep_key; - fast_response->rep_key = NULL; + *strengthen_key = fast_response->strengthen_key; + fast_response->strengthen_key = NULL; krb5_free_pa_data(context, resp->padata); resp->padata = fast_response->padata; fast_response->padata = NULL; 
@@ -454,6 +458,29 @@ krb5_free_data(context, encoded_ticket); return retval; } + +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *out_key) +{ + krb5_keyblock *key = NULL; + krb5_error_code retval = 0; + krb5_free_keyblock_contents(context, out_key); + if (strengthen_key) { + retval = krb5_c_fx_cf2_simple(context, strengthen_key, + "strengthenkey", existing_key, "replykey", &key); + if (retval == 0) { + *out_key = *key; + free(key); + } + } else { + retval = krb5_copy_keyblock_contents(context, existing_key, out_key); + } + return retval; +} + + krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) { @@ -473,11 +500,6 @@ /*We are responsible for none of the store in the fast_outer_req*/ krb5_free_keyblock(context, state->armor_key); krb5_free_fast_armor(context, state->armor); - if (state->cookie) { - free(state->cookie->contents); - free(state->cookie); - state->cookie = NULL; - } free(state); } Modified: branches/krb5-1-7/src/lib/krb5/krb/fast.h =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/fast.h 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/fast.h 2009-04-15 20:07:21 UTC (rev 22245) @@ -38,7 +38,6 @@ krb5_fast_armor *armor; krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; - krb5_pa_data *cookie; krb5_int32 nonce; }; @@ -61,7 +60,7 @@ krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, krb5_kdc_rep *resp, - krb5_keyblock **as_key); + krb5_keyblock **strengthen_key); krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state); 
@@ -73,5 +72,11 @@ krb5_gic_opt_ext *opte, krb5_kdc_req *request); +krb5_error_code krb5int_fast_reply_key(krb5_context context, + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *output_key); + + #endif Modified: branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -967,8 +967,8 @@ int loopcount; krb5_data salt; krb5_data s2kparams; - krb5_keyblock as_key; - krb5_keyblock *fast_as_key = NULL; + krb5_keyblock as_key, encrypting_key; + krb5_keyblock *strengthen_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -994,6 +994,8 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; + encrypting_key.length = 0; + encrypting_key.contents = NULL; salt.length = 0; salt.data = NULL; @@ -1340,8 +1342,6 @@ out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; - if (ret) - goto cleanup; ret = sort_krb5_padata_sequence(context, &request.server->realm, preauth_to_use); @@ -1399,7 +1399,7 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); ret = krb5int_fast_process_response(context, fast_state, - local_as_reply, &fast_as_key); + local_as_reply, &strengthen_key); if (ret) goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, 
@@ -1447,18 +1447,15 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - if (fast_as_key) { - if (as_key.length) - krb5_free_keyblock_contents(context, &as_key); - as_key = *fast_as_key; - free(fast_as_key); - fast_as_key = NULL; - } - if (as_key.length) - ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &as_key, krb5_kdc_rep_decrypt_proc, + if (as_key.length) { + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; + ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, NULL); - else + } else ret = -1; if (ret) { @@ -1470,8 +1467,12 @@ &as_key, gak_data)))) goto cleanup; + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &as_key, krb5_kdc_rep_decrypt_proc, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, NULL))) goto cleanup; } @@ -1511,8 +1512,10 @@ } } krb5_preauth_request_context_fini(context); - krb5_free_keyblock(context, fast_as_key); - if (fast_state) + krb5_free_keyblock(context, strengthen_key); + if (encrypting_key.contents) + krb5_free_keyblock_contents(context, &encrypting_key); + if (fast_state) krb5int_fast_free_state(context, fast_state); if (out_padata) krb5_free_pa_data(context, out_padata); Modified: branches/krb5-1-7/src/lib/krb5/krb/kfree.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/kfree.c 2009-04-15 20:07:21 UTC (rev 22245) 
@@ -819,6 +819,7 @@ return; krb5_free_pa_data(context, val->padata); krb5_free_fast_finished(context, val->finished); + krb5_free_keyblock(context, val->strengthen_key); free(val); } Modified: branches/krb5-1-7/src/lib/krb5/krb/preauth2.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -646,6 +646,36 @@ } static +krb5_error_code pa_fx_cookie(krb5_context context, + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) +{ + krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data)); + krb5_octet *contents; + if (pa == NULL) + return ENOMEM; + contents = malloc(in_padata->length); + if (contents == NULL) { + free(pa); + return ENOMEM; + } + *pa = *in_padata; + pa->contents = contents; + memcpy(contents, in_padata->contents, pa->length); + *out_padata = pa; + return 0; +} + +static krb5_error_code pa_enc_timestamp(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, @@ -1710,6 +1740,11 @@ PA_REAL, }, { + KRB5_PADATA_FX_COOKIE, + pa_fx_cookie, + PA_INFO, + }, + { -1, NULL, 0, Added: branches/krb5-1-7/src/lib/krb5/krb/t_ad_fx_armor.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/lib/krb5/krb/t_ad_fx_armor.c 2009-04-15 20:07:21 UTC (rev 22245) 
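Review bot: pa_fx_cookie() in preauth2.c copies a KDC-supplied cookie with `malloc(in_padata->length)` and treats a NULL result as ENOMEM. For a zero-length cookie malloc(0) may legitimately return NULL, so an empty cookie would be reported as out-of-memory on some platforms. Writing `contents = malloc(in_padata->length ? in_padata->length : 1);` keeps the empty case well-defined. The length comes from the wire and is not bounded in this function; whether the decoder caps it is not visible in the hunk, so a comment stating where the limit is enforced would be useful.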
@@ -0,0 +1,36 @@ +#include +#include +#include + +#define test(x) do {retval = (x); \ + if(retval != 0) { \ + const char *errmsg = krb5_get_error_message(context, retval); \ + fprintf(stderr, "Error message: %s\n", errmsg); \ + abort(); } \ + } while(0); + +krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""}; +krb5_authdata *array[] = {&ad_fx_armor, NULL}; + + +int main( int argc, char **argv) +{ + krb5_context context; + krb5_ccache ccache = NULL; + krb5_creds creds, *out_creds = NULL; + krb5_error_code retval = 0; + test(krb5_init_context(&context)); + memset(&creds, 0, sizeof(creds)); + creds.authdata = array; + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_get_principal(context, ccache, &creds.client)); + test(krb5_parse_name(context, argv[1], &creds.server)); + test(krb5_get_credentials(context, 0, ccache, &creds, &out_creds)); + test(krb5_cc_destroy(context, ccache)); + test(krb5_cc_default(context, &ccache)); + test(krb5_cc_initialize(context, ccache, out_creds->client)); + test(krb5_cc_store_cred(context, ccache, out_creds)); + test(krb5_cc_close(context,ccache)); + return 0; + +} Modified: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-15 20:07:18 UTC (rev 22244) +++ branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-15 20:07:21 UTC (rev 22245) @@ -116,6 +116,7 @@ krb5_pa_data **pa_array = NULL; krb5_data *encoded_ts = NULL; krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; if (retval == 0) retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); if (retval == 0) 
@@ -300,8 +301,6 @@ } if (armor_key) krb5_free_keyblock(context, armor_key); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); if (plain.data) free(plain.data); if (enc) From tlyu at MIT.EDU Wed Apr 15 16:07:27 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:27 -0400 Subject: svn rev #22247: branches/krb5-1-7/src/util/ss/ Message-ID: <200904152007.n3FK7Rmc001795@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22247 Commit By: tlyu Log Message: ticket: 6442 version_fixed: 1.7 pull up r22172 from trunk ------------------------------------------------------------------------ r22172 | epeisach | 2009-04-07 13:57:56 -0400 (Tue, 07 Apr 2009) | 9 lines Changed paths: M /trunk/src/util/ss/help.c ticket: 6442 subject: Null pointer defref in adding info Clearly the code is broken - and we either never use it - or callers never pass NULL... Detected by clang static checker. Changed Files: U branches/krb5-1-7/src/util/ss/help.c Modified: branches/krb5-1-7/src/util/ss/help.c =================================================================== --- branches/krb5-1-7/src/util/ss/help.c 2009-04-15 20:07:24 UTC (rev 22246) +++ branches/krb5-1-7/src/util/ss/help.c 2009-04-15 20:07:26 UTC (rev 22247) @@ -107,7 +107,7 @@ register char **dirs; info = ss_info(sci_idx); - if (info_dir == NULL && *info_dir) { + if ((info_dir == NULL) || (*info_dir == '\0')) { *code_ptr = SS_ET_NO_INFO_DIR; return; } From tlyu at MIT.EDU Wed Apr 15 16:07:30 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:30 -0400 Subject: svn rev #22248: branches/krb5-1-7/src/lib/gssapi/spnego/ Message-ID: <200904152007.n3FK7USq001833@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22248 Commit By: tlyu Log Message: ticket: 6443 version_fixed: 1.7 pull up r22174 from trunk ------------------------------------------------------------------------ r22174 | tlyu | 2009-04-07 17:22:17 -0400 (Tue, 07 Apr 2009) | 11 lines Changed paths: M /trunk/src/lib/gssapi/spnego/spnego_mech.c ticket: 6443 subject: CVE-2009-0844 SPNEGO can read beyond buffer end tags: pullup target_version: 1.7 SPNEGO can read beyond the end of a buffer if the claimed DER length exceeds the number of bytes in the input buffer. This can lead to crash or information disclosure. Thanks to Apple for reporting this vulnerability and providing patches. Changed Files: U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-04-15 20:07:26 UTC (rev 22247) +++ branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-04-15 20:07:30 UTC (rev 22248) @@ -83,8 +83,8 @@ /* der routines defined in libgss */ extern unsigned int gssint_der_length_size(OM_uint32); -extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); -extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); +extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); +extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); /* private routines for spnego_mechanism */ 
@@ -2390,22 +2390,16 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length) { gss_buffer_t input_token; - unsigned int bytes; + unsigned int len; - if (**buff_in != OCTET_STRING) + if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) return (NULL); - (*buff_in)++; input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); - if (input_token == NULL) return (NULL); - input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); - if ((int)input_token->length == -1) { - free(input_token); - return (NULL); - } + input_token->length = len; input_token->value = malloc(input_token->length); if (input_token->value == NULL) { @@ -2457,8 +2451,8 @@ { gss_OID_set returned_mechSet; OM_uint32 major_status; - OM_uint32 length; - OM_uint32 bytes; + int length; + unsigned int bytes; OM_uint32 set_length; unsigned char *start; int i; @@ -2470,23 +2464,26 @@ (*buff_in)++; length = gssint_get_der_length(buff_in, buff_length, &bytes); + if (length < 0 || buff_length - bytes < (unsigned int)length) + return NULL; major_status = gss_create_empty_oid_set(minor_status, &returned_mechSet); if (major_status != GSS_S_COMPLETE) return (NULL); - for (set_length = 0, i = 0; set_length < length; i++) { + for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, buff_length - (*buff_in - start)); - if (temp != NULL) { - major_status = gss_add_oid_set_member(minor_status, - temp, &returned_mechSet); - if (major_status == GSS_S_COMPLETE) { + if (temp == NULL) + break; + + major_status = gss_add_oid_set_member(minor_status, + temp, &returned_mechSet); + if (major_status == GSS_S_COMPLETE) { set_length += returned_mechSet->elements[i].length +2; if (generic_gss_release_oid(minor_status, &temp)) - map_errcode(minor_status); - } + map_errcode(minor_status); } } 
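Review bot: In get_mech_set() (third hunk on this line) the loop index `i` advances on every pass, but an element is only appended when gss_add_oid_set_member() returns GSS_S_COMPLETE. After one failed add, `returned_mechSet->elements[i]` on the next successful pass would index one past the element just added, and `temp` from the failed pass is never released. Treat a failed add like the new `temp == NULL` case: `if (major_status != GSS_S_COMPLETE) { generic_gss_release_oid(minor_status, &temp); break; }`. Separately, `buff_length - bytes` is compared with `length` after `(*buff_in)++` has consumed the tag octet; if buff_length still counts that octet the bound is one byte loose, although get_mech_oid() is given the tighter `buff_length - (*buff_in - start)`.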
@@ -2665,7 +2662,7 @@ return GSS_S_DEFECTIVE_TOKEN; if (*ptr++ == SEQUENCE) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; } if (REMAIN < 1) @@ -2675,7 +2672,7 @@ if (tag == CONTEXT) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; if (g_get_tag_and_length(&ptr, ENUMERATED, @@ -2696,7 +2693,7 @@ } if (tag == (CONTEXT | 0x01)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); @@ -2710,7 +2707,7 @@ } if (tag == (CONTEXT | 0x02)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *responseToken = get_input_token(&ptr, REMAIN); @@ -2724,7 +2721,7 @@ } if (tag == (CONTEXT | 0x03)) { tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); - if (tmplen < 0) + if (tmplen < 0 || REMAIN < (unsigned int)tmplen) return GSS_S_DEFECTIVE_TOKEN; *mechListMIC = get_input_token(&ptr, REMAIN); @@ -3269,7 +3266,7 @@ unsigned char *ptr = *buf; int ret = -1; /* pessimists, assume failure ! */ unsigned int encoded_len; - unsigned int tmplen = 0; + int tmplen = 0; *outlen = 0; if (buflen > 1 && *ptr == tag) { @@ -3278,7 +3275,7 @@ &encoded_len); if (tmplen < 0) { ret = -1; - } else if (tmplen > buflen - (ptr - *buf)) { + } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { ret = -1; } else ret = 0; From tlyu at MIT.EDU Wed Apr 15 16:07:32 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:32 -0400 Subject: svn rev #22249: branches/krb5-1-7/src/lib/krb5/asn.1/ Message-ID: <200904152007.n3FK7WgI001872@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22249 Commit By: tlyu Log Message: ticket: 6444 version_fixed: 1.7 pull up r22175 from trunk ------------------------------------------------------------------------ r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1buf.c ticket: 6444 subject: CVE-2009-0847 asn1buf_imbed incorrect length validation tags: pullup target_version: 1.7 asn1buf_imbed() can perform pointer arithmetic that causes the "bound" pointer of the subbuffer to be less than the "next" pointer. This can lead to malloc() failure or crash. In asn1buf_imbed(), check the length before doing arithmetic to set subbuf->bound. In asn1buf_remove_octetstring() and asn1buf_remove_charstring(), check for invalid buffer pointers before executing an unsigned length check against a (casted to size_t) negative number. Changed Files: U branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c 2009-04-15 20:07:30 UTC (rev 22248) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c 2009-04-15 20:07:32 UTC (rev 22249) @@ -92,11 +92,11 @@ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) { + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; subbuf->base = subbuf->next = buf->next; if (!indef) { + if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; subbuf->bound = subbuf->base + length - 1; - if (subbuf->bound > buf->bound) - return ASN1_OVERRUN; } else /* constructed indefinite */ subbuf->bound = buf->bound; return 0; 
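Review bot: The two-step check added to asn1buf_imbed() is easy to undo in a later cleanup, because nothing in the code says why the first test must come before the second. A short comment would pin it down, e.g. `/* next may already be past bound + 1; test that first, because the (size_t) cast below would turn the negative difference into a huge remaining count */`. The same pair of tests is added to asn1buf_remove_octetstring() and asn1buf_remove_charstring() in the following hunks and would benefit from the same comment. Note also that on the second ASN1_OVERRUN return `subbuf->base` and `subbuf->next` have been written but `subbuf->bound` has not, so the function's contract should say subbuf is not usable after an error.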
@@ -205,6 +205,7 @@ { unsigned int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; if (len == 0) { *s = 0; @@ -223,6 +224,7 @@ { unsigned int i; + if (buf->next > buf->bound + 1) return ASN1_OVERRUN; if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; if (len == 0) { *s = 0; From tlyu at MIT.EDU Wed Apr 15 16:07:35 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:35 -0400 Subject: svn rev #22250: branches/krb5-1-7/src/ lib/krb5/asn.1/ tests/asn.1/ Message-ID: <200904152007.n3FK7Zhf001911@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22250 Commit By: tlyu Log Message: ticket: 6445 version_fixed: 1.7 pull up r22176 from trunk ------------------------------------------------------------------------ r22176 | tlyu | 2009-04-07 17:22:23 -0400 (Tue, 07 Apr 2009) | 7 lines Changed paths: M /trunk/src/lib/krb5/asn.1/asn1_decode.c M /trunk/src/tests/asn.1/krb5_decode_test.c ticket: 6445 subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer tags: pullup target_version: 1.7 The asn1_decode_generaltime() function can free an uninitialized pointer if asn1buf_remove_charstring() fails. Changed Files: U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c U branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c 2009-04-15 20:07:32 UTC (rev 22249) +++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c 2009-04-15 20:07:34 UTC (rev 22250) 
@@ -231,6 +231,7 @@ if (length != 15) return ASN1_BAD_LENGTH; retval = asn1buf_remove_charstring(buf,15,&s); + if (retval) return retval; /* Time encoding: YYYYMMDDhhmmssZ */ if (s[14] != 'Z') { free(s); Modified: branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c =================================================================== --- branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c 2009-04-15 20:07:32 UTC (rev 22249) +++ branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c 2009-04-15 20:07:34 UTC (rev 22250) @@ -486,6 +486,22 @@ ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + + retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); + if (retval) { + com_err("krb5_decode_test", retval, "while parsing"); + exit(1); + } + retval = decode_krb5_ap_rep_enc_part(&code, &var); + if (retval != ASN1_OVERRUN) { + printf("ERROR: "); + } else { + printf("OK: "); + } + printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); + krb5_free_data_contents(test_context, &code); + krb5_free_ap_rep_enc_part(test_context, var); + ktest_empty_ap_rep_enc_part(&ref); } From tlyu at MIT.EDU Wed Apr 15 16:07:37 2009 
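Review bot: The new negative test in krb5_decode_test.c calls `krb5_free_ap_rep_enc_part(test_context, var)` after a decode that is expected to fail. That is only safe if decode_krb5_ap_rep_enc_part() stores NULL in `var` on error; if it leaves `var` untouched, the pointer is presumably the one the preceding decode_run() already passed to the same free routine. Setting `var = NULL;` before the call removes the dependence on decoder behaviour. The mismatch branch only prints `ERROR: `; whether that reaches the program's exit status is not visible in this hunk.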
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:37 -0400 Subject: svn rev #22251: branches/krb5-1-7/src/util/support/ Message-ID: <200904152007.n3FK7bPO001960@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22251 Commit By: tlyu Log Message: ticket: 6468 subject: k5_utf8s_to_ucs2s could deref NULL pointer... version_fixed: 1.7 tags: pullup target_version: 1.7 pull up r22177 from trunk ------------------------------------------------------------------------ r22177 | epeisach | 2009-04-07 19:59:25 -0400 (Tue, 07 Apr 2009) | 10 lines Changed paths: M /trunk/src/util/support/utf8_conv.c ticket: Subject k5_utf8s_to_ucs2s could deref NULL pointer... Based on usage of this static function, this will never happen as results are always malloced (and checked) by caller. However, the function is already coded to handle the first argument being null - so be consistent throughout. Changed Files: U branches/krb5-1-7/src/util/support/utf8_conv.c
Modified: branches/krb5-1-7/src/util/support/utf8_conv.c
===================================================================
--- branches/krb5-1-7/src/util/support/utf8_conv.c 2009-04-15 20:07:34 UTC (rev 22250)
+++ branches/krb5-1-7/src/util/support/utf8_conv.c 2009-04-15 20:07:37 UTC (rev 22251)
@@ -118,10 +118,12 @@
 }
 assert(ucs2len < count);
+
+ if (ucs2str != NULL) {
+ /* Add null terminator if there's room in the buffer. */
+ ucs2str[ucs2len] = 0;
+ }
-
- /* Add null terminator if there's room in the buffer. */
- ucs2str[ucs2len] = 0;
-
 return ucs2len;
 }
From tlyu at MIT.EDU Wed Apr 15 16:07:40 2009
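Review bot: In the utf8_conv.c hunk the only thing between `ucs2str[ucs2len] = 0` and a write one element past the buffer is `assert(ucs2len < count)`, which disappears when the library is built with NDEBUG. The moved comment says the terminator is added "if there's room", but the code never tests for room. Folding the bound into the new condition, `if (ucs2str != NULL && ucs2len < count) {`, makes the code match the comment. Whether the loop above already guarantees the bound cannot be confirmed, because the function body starts outside the hunk.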
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:40 -0400 Subject: svn rev #22252: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200904152007.n3FK7e96002005@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22252 Commit By: tlyu Log Message: ticket: 6108 version_fixed: 1.7 pull up r22182 from trunk ------------------------------------------------------------------------ r22182 | ghudson | 2009-04-08 11:22:17 -0400 (Wed, 08 Apr 2009) | 9 lines Changed paths: M /trunk/src/lib/krb5/krb/gic_pwd.c ticket: 6108 tags: pullup target_version: 1.7 When getting initial credentials with a password, try the master if preauth fails on a slave, since preauth can fail due to an out-of-date key. This removes a snippet added in r14939 which was considering only hardware preauth. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/gic_pwd.c
Modified: branches/krb5-1-7/src/lib/krb5/krb/gic_pwd.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/gic_pwd.c 2009-04-15 20:07:37 UTC (rev 22251)
+++ branches/krb5-1-7/src/lib/krb5/krb/gic_pwd.c 2009-04-15 20:07:40 UTC (rev 22252)
@@ -144,10 +144,9 @@
 goto cleanup;
 /* If all the kdc's are unavailable, or if the error was due to a
- user interrupt, or preauth errored out, fail */
+ user interrupt, fail */
 if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_PREAUTH_FAILED) ||
 (ret == KRB5_LIBOS_PWDINTR) ||
 (ret == KRB5_REALM_CANT_RESOLVE))
 goto cleanup;
From tlyu at MIT.EDU Wed Apr 15 16:07:46 2009
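Review bot: The shortened comment in gic_pwd.c no longer says why KRB5_PREAUTH_FAILED is deliberately absent from the fail-fast list, so a later reader may put it back. Suggest extending it with something like `/* Preauth failure is not fatal here: the KDC we reached may hold an out-of-date key, so fall through and retry against the master. */`. A mistyped password presumably now produces a second request to the master KDC as well; the retry code is outside this hunk, so that effect should be confirmed and mentioned next to it.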
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:46 -0400 Subject: svn rev #22254: branches/krb5-1-7/src/lib/krb5/ error_tables/ krb/ Message-ID: <200904152007.n3FK7kZd002099@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22254 Commit By: tlyu Log Message: ticket: 1165 version_fixed: 1.7 pull up r22184 from trunk ------------------------------------------------------------------------ r22184 | ghudson | 2009-04-08 11:58:24 -0400 (Wed, 08 Apr 2009) | 7 lines Changed paths: M /trunk/src/lib/krb5/error_tables/krb5_err.et M /trunk/src/lib/krb5/krb/mk_priv.c M /trunk/src/lib/krb5/krb/mk_safe.c M /trunk/src/lib/krb5/krb/rd_priv.c M /trunk/src/lib/krb5/krb/rd_safe.c ticket: 1165 mk_safe and mk_priv require the local address to be set in the auth context; rd_safe and rd_priv require the remote address to be set. Create error codes for both kinds of missing addresses and stop trying futilely to handle the cases where they are not set. Changed Files: U branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et U branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c U branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c U branches/krb5-1-7/src/lib/krb5/krb/rd_priv.c U branches/krb5-1-7/src/lib/krb5/krb/rd_safe.c Modified: branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et 2009-04-15 20:07:42 UTC (rev 22253) +++ branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et 2009-04-15 20:07:45 UTC (rev 22254) 
@@ -348,4 +348,7 @@ error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" + +error_code KRB5_LOCAL_ADDR_REQUIRED, "Auth context must contain local address" +error_code KRB5_REMOTE_ADDR_REQUIRED, "Auth context must contain remote address" end Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c 2009-04-15 20:07:42 UTC (rev 22253) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c 2009-04-15 20:07:45 UTC (rev 22254) @@ -136,6 +136,9 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, 
@@ -154,28 +157,26 @@ } else { outdata->seq = replaydata.seq; } - } + } { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))) { - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))) { + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; + goto error; } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) { Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c 2009-04-15 20:07:42 UTC (rev 22253) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c 2009-04-15 20:07:45 UTC (rev 22254) @@ -136,6 +136,9 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, 
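Review bot: Dropping the `= NULL` initialiser from `plocal_fulladdr` in the second mk_priv.c hunk leaves the pointer indeterminate on the `goto error` path and makes its validity depend on the `local_addr` guard added in the earlier hunk. Keeping `krb5_address * plocal_fulladdr = NULL;` costs nothing and stays safe if the guard is later moved or if the `error:` code, which is outside the hunk, ever reads the pointer. The same applies to `plocal_fulladdr` in mk_safe.c and to `premote_fulladdr` in rd_priv.c and rd_safe.c.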
@@ -156,27 +159,24 @@ { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; krb5_cksumtype sumtype; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; - } - + goto error; + } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) { Modified: branches/krb5-1-7/src/lib/krb5/krb/rd_priv.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/rd_priv.c 2009-04-15 20:07:42 UTC (rev 22253) +++ branches/krb5-1-7/src/lib/krb5/krb/rd_priv.c 2009-04-15 20:07:45 UTC (rev 22254) @@ -169,12 +169,15 @@ /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr; 
@@ -195,20 +198,18 @@ } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - CLEANUP_DONE(); - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + CLEANUP_DONE(); + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata)); Modified: branches/krb5-1-7/src/lib/krb5/krb/rd_safe.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/rd_safe.c 2009-04-15 20:07:42 UTC (rev 22253) +++ branches/krb5-1-7/src/lib/krb5/krb/rd_safe.c 2009-04-15 20:07:45 UTC (rev 22254) @@ -177,12 +177,15 @@ (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + /* Get keyblock */ if ((keyblock = auth_context->recv_subkey) == NULL) keyblock = auth_context->keyblock; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr; 
@@ -203,19 +206,17 @@ } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata)); From tlyu at MIT.EDU Wed Apr 15 16:07:51 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:51 -0400 Subject: svn rev #22256: branches/krb5-1-7/src/kdc/ Message-ID: <200904152007.n3FK7pdP002179@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22256 Commit By: tlyu Log Message: ticket: 6450 version_fixed: 1.7 pull up r22186 from trunk ------------------------------------------------------------------------ r22186 | epeisach | 2009-04-09 07:53:27 -0400 (Thu, 09 Apr 2009) | 7 lines Changed paths: M /trunk/src/kdc/main.c ticket: 6450 subject: kdc: handle_referral_params does not return ENOMEM errors tags: pullup retval was set but never returned. Changed Files: U branches/krb5-1-7/src/kdc/main.c Modified: branches/krb5-1-7/src/kdc/main.c =================================================================== --- branches/krb5-1-7/src/kdc/main.c 2009-04-15 20:07:48 UTC (rev 22255) +++ branches/krb5-1-7/src/kdc/main.c 2009-04-15 20:07:51 UTC (rev 22256) @@ -252,7 +252,7 @@ rdp->realm_host_based_services = NULL; } - return 0; + return retval; } /* * Initialize a realm control structure from the alternate profile or from From tlyu at MIT.EDU Wed Apr 15 16:07:48 2009 
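Review bot: In the second rd_safe.c hunk the failure branch of `krb5_make_fulladdr` still does a bare `return retval;`, while the matching branch in rd_priv.c calls `CLEANUP_DONE();` first. If the local-address code just above the hunk has already pushed `local_fulladdr.contents`, that buffer is leaked on this path; that code is outside the hunk, so this is inferred from the parallel rd_priv.c code. Since the commit re-indents these lines anyway, the branch could become `CLEANUP_DONE(); return retval;` to match rd_priv.c.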
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:48 -0400 Subject: svn rev #22255: branches/krb5-1-7/src/lib/gssapi/ generic/ krb5/ Message-ID: <200904152007.n3FK7mio002139@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22255 Commit By: tlyu Log Message: ticket: 6203 version_fixed: 1.7 pull up r22185 from trunk ------------------------------------------------------------------------ r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines Changed paths: M /trunk/src/lib/gssapi/generic/gssapi.hin M /trunk/src/lib/gssapi/krb5/init_sec_context.c ticket: 6203 tags: pullup target_version: 1.7 Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG, which requests delegation only if the ok-as-delegate ticket flag is set. Changed Files: U branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin U branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c Modified: branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin =================================================================== --- branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin 2009-04-15 20:07:45 UTC (rev 22254) +++ branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin 2009-04-15 20:07:48 UTC (rev 22255) @@ -141,6 +141,7 @@ #define GSS_C_ANON_FLAG 64 #define GSS_C_PROT_READY_FLAG 128 #define GSS_C_TRANS_FLAG 256 +#define GSS_C_DELEG_POLICY_FLAG 32768 /* * Credential usage options Modified: branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c 2009-04-15 20:07:45 UTC (rev 22254) +++ branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c 2009-04-15 20:07:48 UTC (rev 22255) @@ -208,7 +208,8 @@ if (code) { /* don't fail here; just don't accept/do the delegation request */ - data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; + data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG | + GSS_C_DELEG_POLICY_FLAG); data->checksum_data.length = 24; } else { 
@@ -494,6 +495,14 @@ ctx->krb_times = k_cred->times; + /* + * GSS_C_DELEG_POLICY_FLAG means to delegate only if the + * ok-as-delegate ticket flag is set. + */ + if ((req_flags & GSS_C_DELEG_POLICY_FLAG) + && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG; + if (default_mech) { mech_type = (gss_OID) gss_mech_krb5; } From tlyu at MIT.EDU Wed Apr 15 16:07:53 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:53 -0400 Subject: svn rev #22257: branches/krb5-1-7/doc/ Message-ID: <200904152007.n3FK7rYI002218@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22257 Commit By: tlyu Log Message: ticket: 6451 version_fixed: 1.7 pull up r22187 from trunk ------------------------------------------------------------------------ r22187 | ghudson | 2009-04-09 13:57:03 -0400 (Thu, 09 Apr 2009) | 9 lines Changed paths: M /trunk/doc/definitions.texinfo ticket: 6451 subject: Update defaults in documentation tags: pullup target_version: 1.7 doc/definitions.texinfo had, predictably, fallen out of date with respect to the code. Update a few of the out of date comments and defaults, particularly the default enctype lists. Changed Files: U branches/krb5-1-7/doc/definitions.texinfo Modified: branches/krb5-1-7/doc/definitions.texinfo =================================================================== --- branches/krb5-1-7/doc/definitions.texinfo 2009-04-15 20:07:51 UTC (rev 22256) +++ branches/krb5-1-7/doc/definitions.texinfo 2009-04-15 20:07:53 UTC (rev 22257) 
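Review bot: The new comment block in init_sec_context.c describes the policy flag alone and says nothing about a caller that sets both GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG in `req_flags`. In that case the ok-as-delegate test restricts nothing if `ctx->gss_flags` already carries GSS_C_DELEG_FLAG from code outside the hunk, so credentials would be forwarded to a service the KDC has not marked as trusted for delegation. I would extend the comment with a line such as `GSS_C_DELEG_FLAG, if also requested, delegates unconditionally and is not limited by this check.` It would also help to say whether GSS_C_DELEG_POLICY_FLAG can reach `ctx->gss_flags` when the ticket flag is absent; the initial masking of `req_flags` is not visible here.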
@@ -43,7 +43,7 @@ the following should be consistent with the variables set in krb5/src/lib/krb5/krb/init_ctx.c @end ignore - at set DefaultETypeList aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 + at set DefaultETypeList aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 @comment DEFAULT_ETYPE_LIST @set DefaultDefaultTgsEnctypes @value{DefaultETypeList} @set DefaultDefaultTktEnctypes @value{DefaultETypeList} @@ -66,7 +66,7 @@ @ignore the following defaults should be consistent with default variables set -in krb5/src/include/stock/osconf.h +in krb5/src/include/osconf.hin @end ignore @set DefaultMasterKeyType des3-cbc-sha1 @comment DEFAULT_KDC_ENCTYPE @@ -102,14 +102,14 @@ the following defaults should be consistent with the numbers set in krb5/src/lib/kadm5/alt_prof.c @end ignore - at set DefaultMaxLife 10 hours - at comment line 608 + at set DefaultMaxLife 24 hours + at comment max_life @set DefaultMaxRenewableLife 0 - at comment line 622 + at comment max_rlife @set DefaultDefaultPrincipalExpiration 0 - at comment line 639 - at set DefaultSupportedEnctypes des3-hmac-sha1:normal des-cbc-crc:normal - at comment line 705 + at comment expiration + at set DefaultSupportedEnctypes aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal + at comment krb5/src/include/osconf.hin, KRB5_DEFAULT_SUPPORTED_ENCTYPES @ignore the following defaults should be consistent with the values set in From tlyu at MIT.EDU Wed Apr 15 16:07:42 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:42 -0400 Subject: svn rev #22253: branches/krb5-1-7/src/kdc/ Message-ID: <200904152007.n3FK7gsU002045@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22253 Commit By: tlyu Log Message: ticket: 6449 version_fixed: 1.7 pull up r22183 from trunk ------------------------------------------------------------------------ r22183 | epeisach | 2009-04-08 11:25:43 -0400 (Wed, 08 Apr 2009) | 11 lines Changed paths: M /trunk/src/kdc/do_as_req.c ticket: 6449 subject: Fall through on error return If decoding the encoded_req_body fails, proceed goto errout instead of falling through to fast handling. Looks like a merge error. Reindented code. Changed Files: U branches/krb5-1-7/src/kdc/do_as_req.c Modified: branches/krb5-1-7/src/kdc/do_as_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:07:40 UTC (rev 22252) +++ branches/krb5-1-7/src/kdc/do_as_req.c 2009-04-15 20:07:42 UTC (rev 22253) @@ -144,9 +144,10 @@ } if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { - errcode = ASN1_BAD_ID; - status = "Finding req_body"; -} + errcode = ASN1_BAD_ID; + status = "Finding req_body"; + goto errout; + } errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); if (errcode) { status = "error decoding FAST"; From tlyu at MIT.EDU Wed Apr 15 16:07:56 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 16:07:56 -0400 Subject: svn rev #22258: branches/krb5-1-7/doc/ Message-ID: <200904152007.n3FK7uU5002256@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22258 Commit By: tlyu Log Message: ticket: 6452 version_fixed: 1.7 pull up r22188 from trunk ------------------------------------------------------------------------ r22188 | ghudson | 2009-04-10 12:09:19 -0400 (Fri, 10 Apr 2009) | 8 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/doc/support-enc.texinfo ticket: 6452 subject: Document allow_weak_crypto tags: pullup target_version: 1.7 Also document which cryptosystems are defined to be weak, and add some enctype entries which weren't in the documentation. Changed Files: U branches/krb5-1-7/doc/admin.texinfo U branches/krb5-1-7/doc/support-enc.texinfo Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:53 UTC (rev 22257) +++ branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:55 UTC (rev 22258) @@ -355,6 +355,8 @@ Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility +but not recommended for use. @include support-enc.texinfo 
@@ -442,6 +444,12 @@ key encryption. The default value for this tag is @value{DefaultPermittedEnctypes}. + at itemx allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists (as noted in @ref{Supported +Encryption Types}). The default value for this tag is true, but that +default may change in the future. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is Modified: branches/krb5-1-7/doc/support-enc.texinfo =================================================================== --- branches/krb5-1-7/doc/support-enc.texinfo 2009-04-15 20:07:53 UTC (rev 22257) +++ branches/krb5-1-7/doc/support-enc.texinfo 2009-04-15 20:07:55 UTC (rev 22258) @@ -5,17 +5,21 @@ @table @code @item des-cbc-crc -DES cbc mode with CRC-32 +DES cbc mode with CRC-32 (weak) @item des-cbc-md4 -DES cbc mode with RSA-MD4 +DES cbc mode with RSA-MD4 (weak) @item des-cbc-md5 -DES cbc mode with RSA-MD5 +DES cbc mode with RSA-MD5 (weak) + at item des-cbc-raw +DES cbc mode raw (weak) + at item des3-cbc-raw +Triple DES cbc mode raw (weak) @item des3-cbc-sha1 @itemx des3-hmac-sha1 @itemx des3-cbc-sha1-kd -triple DES cbc mode with HMAC/sha1 +Triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 -DES with HMAC/sha1 +DES with HMAC/sha1 (weak) @item aes256-cts-hmac-sha1-96 @itemx aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC @@ -29,5 +33,5 @@ @item arcfour-hmac-exp @itemx rc4-hmac-exp @itemx arcfour-hmac-md5-exp -exportable RC4 with HMAC/MD5 +Exportable RC4 with HMAC/MD5 (weak) @end table From tlyu at MIT.EDU Wed Apr 15 17:00:28 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 17:00:28 -0400 Subject: svn rev #22260: branches/krb5-1-7/src/kadmin/dbutil/ Message-ID: <200904152100.n3FL0SC5005420@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22260 Commit By: tlyu Log Message: ticket: 6459 version_fixed: 1.7 pull up r22208 from trunk ------------------------------------------------------------------------ r22208 | wfiveash | 2009-04-13 18:15:05 -0400 (Mon, 13 Apr 2009) | 11 lines Changed paths: M /trunk/src/kadmin/dbutil/kdb5_util.M Ticket: 6459 Subject: Update kdb5_util man page with missing purge_mkeys command Version_Reported: 1.7 Target_Version: 1.7 Tags: pullup While previously updating the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project I missed the purge_mkeys command. I've added that with this commit. Changed Files: U branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M Modified: branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M =================================================================== --- branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M 2009-04-15 21:00:24 UTC (rev 22259) +++ branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M 2009-04-15 21:00:28 UTC (rev 22260) 
@@ -236,6 +236,18 @@ \fBlist_mkeys\fP List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key. .TP +\fBpurge_mkeys\fP [\fB-f\fP] [\fB-n\fP] [\fB-v\fP] +Delete master keys from the K/M principal that are not used to protect any principals. This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key. +.TP +.B \-f +does not prompt user. +.TP +.B \-n +do a dry run, shows master keys that would be purged, does not actually purge any keys. +.TP +.B \-v +verbose output. +.TP \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP] Update all principal records (or only those matching the .B princ\-pattern From tlyu at MIT.EDU Wed Apr 15 17:00:34 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 17:00:34 -0400 Subject: svn rev #22262: branches/krb5-1-7/src/kdc/ Message-ID: <200904152100.n3FL0Y6U005494@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22262 Commit By: tlyu Log Message: ticket: 6461 version_fixed: 1.7 pull up r22210 from trunk ------------------------------------------------------------------------ r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines Changed paths: M /trunk/src/kdc/fast_util.c ticket: 6461 Subject: Require fast_req checksum to be keyed Target_Version: 1.7 Tags: pullup Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. Changed Files: U branches/krb5-1-7/src/kdc/fast_util.c Modified: branches/krb5-1-7/src/kdc/fast_util.c =================================================================== --- branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 21:00:31 UTC (rev 22261) +++ branches/krb5-1-7/src/kdc/fast_util.c 2009-04-15 21:00:34 UTC (rev 22262) 
@@ -133,9 +133,11 @@ krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; krb5_boolean cksum_valid; + krb5_keyblock empty_keyblock; scratch.data = NULL; krb5_clear_error_message(kdc_context); + memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ @@ -192,7 +194,23 @@ krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, "FAST req_checksum invalid; request modified"); } - if (retval == 0) { + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } From tlyu at MIT.EDU Wed Apr 15 17:00:24 2009 
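Review bot: The keyed-checksum test in the second fast_util.c hunk treats any zero return from `krb5_c_verify_checksum` with the empty keyblock as proof of an unkeyed checksum, without looking at `cksum_valid`, and it also overwrites the `cksum_valid` result of the real verification above it. That ties a security decision to how each checksum implementation reacts to a zero-length key. If `krb5_c_is_keyed_cksum` gives the right answer for the checksum types accepted here, asking it directly is clearer: `if (!krb5_c_is_keyed_cksum(fast_armored_req->req_checksum.checksum_type)) retval = KRB5KDC_ERR_POLICY;`. If the probe has to stay, give it its own result variable, e.g. `krb5_boolean unkeyed_valid;`, and require `ret == 0 && unkeyed_valid`. The function begins before the first hunk and continues after this one.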
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 17:00:24 -0400 Subject: svn rev #22259: branches/krb5-1-7/src/lib/krb5/ccache/ Message-ID: <200904152100.n3FL0OAl005383@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22259 Commit By: tlyu Log Message: ticket: 6469 subject: fcc_generate_new destroys locked mutex on error tags: pullup target_version: 1.7 version_fixed: 1.7 pull up r22200 from trunk ------------------------------------------------------------------------ r22200 | ghudson | 2009-04-13 15:29:14 -0400 (Mon, 13 Apr 2009) | 3 lines Changed paths: M /trunk/src/lib/krb5/ccache/cc_file.c krb5_fcc_generate_new was destroying a locked mutex in the err_out label, which is used for I/O failures. Unlock the mutex first. Changed Files: U branches/krb5-1-7/src/lib/krb5/ccache/cc_file.c Modified: branches/krb5-1-7/src/lib/krb5/ccache/cc_file.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/ccache/cc_file.c 2009-04-15 20:07:55 UTC (rev 22258) +++ branches/krb5-1-7/src/lib/krb5/ccache/cc_file.c 2009-04-15 21:00:24 UTC (rev 22259) @@ -2129,6 +2129,7 @@ err_out: k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &data->lock); k5_cc_mutex_destroy(&data->lock); free(data->filename); free(data); From tlyu at MIT.EDU Wed Apr 15 17:00:31 2009 
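Review bot: The added `k5_cc_mutex_unlock(context, &data->lock);` at `err_out` is only correct if every `goto err_out` is taken with `data->lock` held. The jumps are outside the hunk, so this cannot be checked from here; unlocking a mutex that was never locked is as much a misuse as destroying a locked one. A comment at the label would pin the invariant: `/* reached only with krb5int_cc_file_mutex and data->lock held */`.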
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 17:00:31 -0400 Subject: svn rev #22261: branches/krb5-1-7/src/clients/kinit/ Message-ID: <200904152100.n3FL0VHY005457@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22261 Commit By: tlyu Log Message: ticket: 6460 version_fixed: 1.7 pull up r22209 from trunk ------------------------------------------------------------------------ r22209 | hartmans | 2009-04-14 11:05:21 -0400 (Tue, 14 Apr 2009) | 6 lines Changed paths: M /trunk/src/clients/kinit/kinit.M M /trunk/src/clients/kinit/kinit.c ticket: 6460 subject: Implement kinit option for FAST armor ccache Target_version: 1.7 tags: pullup Implement the -T option to kinit to specify the FAST armor ccache. Changed Files: U branches/krb5-1-7/src/clients/kinit/kinit.M U branches/krb5-1-7/src/clients/kinit/kinit.c Modified: branches/krb5-1-7/src/clients/kinit/kinit.M =================================================================== --- branches/krb5-1-7/src/clients/kinit/kinit.M 2009-04-15 21:00:28 UTC (rev 22260) +++ branches/krb5-1-7/src/clients/kinit/kinit.M 2009-04-15 21:00:31 UTC (rev 22261) @@ -37,7 +37,7 @@ [\fB\-A\fP] [\fB\-v\fP] [\fB\-R\fP] [\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP] -[\fB\-S\fP \fIservice_name\fP] +[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP] [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] [\fIprincipal\fP] .ad b 
@@ -130,6 +130,10 @@ .I keytab_file option; otherwise the default name and location will be used. .TP +\fB\-T\fP \fIarmor_ccache\fP +Specifies the name of a credential cache that already contains a ticket. This ccache +will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal. +.TP \fB\-c\fP \fIcache_name\fP use .I cache_name Modified: branches/krb5-1-7/src/clients/kinit/kinit.c =================================================================== --- branches/krb5-1-7/src/clients/kinit/kinit.c 2009-04-15 21:00:28 UTC (rev 22260) +++ branches/krb5-1-7/src/clients/kinit/kinit.c 2009-04-15 21:00:31 UTC (rev 22261) @@ -117,6 +117,7 @@ char* service_name; char* keytab_name; char* k5_cache_name; + char *armor_ccache; action_type action; @@ -195,9 +196,10 @@ USAGE_BREAK "[-v] [-R] " "[-k [-t keytab_file]] " - "[-c cachename] " + "[-c cachename] " USAGE_BREAK - "[-S service_name]" + "[-S service_name]""-T ticket_armor_cache" + USAGE_BREAK "[-X [=]] [principal]" "\n\n", progname); @@ -278,7 +280,7 @@ int errflg = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE")) + while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE")) != -1) { switch (i) { case 'V': @@ -347,6 +349,12 @@ opts->keytab_name = optarg; } break; + case 'T': + if (opts->armor_ccache) { + fprintf(stderr, "Only one armor_ccache\n"); + errflg++; + } else opts->armor_ccache = optarg; + break; case 'R': opts->action = RENEW; break; @@ -585,6 +593,9 @@ } if (opts->no_addresses) krb5_get_init_creds_opt_set_address_list(options, NULL); + if (opts->armor_ccache) + krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); + if ((opts->action == INIT_KT) && opts->keytab_name) { From tlyu at MIT.EDU Wed Apr 15 17:07:09 2009 
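Review bot: The usage text in the kinit.c hunk at `@@ -195,9 +196,10 @@` prints the new option without brackets or a separating space, because `"[-S service_name]""-T ticket_armor_cache"` concatenates to `[-S service_name]-T ticket_armor_cache`. It also uses a different argument name from the man page, which says `armor_ccache`. Suggested line: `"[-S service_name] [-T armor_ccache] "`.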
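Review bot: The return value of `krb5_get_init_creds_opt_set_fast_ccache_name` is discarded in the last kinit.c hunk, so if the call fails kinit carries on and may send the request without the FAST armor the user asked for with -T. A security option should fail closed: store the result in the function's existing error variable, report it, and take the normal cleanup path instead of continuing. The surrounding function and its error handling are outside the hunk, so the exact variable and label names need to be taken from there.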
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 15 Apr 2009 17:07:09 -0400 Subject: svn rev #22263: branches/krb5-1-7/src/ kadmin/dbutil/ kdc/ lib/crypto/ lib/crypto/arcfour/ ... Message-ID: <200904152107.n3FL79Z4005953@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22263 Commit By: tlyu Log Message: make depend Changed Files: U branches/krb5-1-7/src/kadmin/dbutil/deps U branches/krb5-1-7/src/kdc/deps U branches/krb5-1-7/src/lib/crypto/arcfour/deps U branches/krb5-1-7/src/lib/crypto/deps U branches/krb5-1-7/src/lib/krb5/krb/deps U branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps U branches/krb5-1-7/src/tests/gss-threads/deps Modified: branches/krb5-1-7/src/kadmin/dbutil/deps =================================================================== --- branches/krb5-1-7/src/kadmin/dbutil/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/kadmin/dbutil/deps 2009-04-15 21:07:09 UTC (rev 22263) 
@@ -145,3 +145,24 @@ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h import_err.h kdb5_util.h \ nstrtok.h ovload.c +$(OUTPRE)kdb5_mkey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \ + $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \ + $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \ + $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ + $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ + $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \ + $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + kdb5_mkey.c kdb5_util.h Modified: branches/krb5-1-7/src/kdc/deps =================================================================== --- branches/krb5-1-7/src/kdc/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/kdc/deps 2009-04-15 21:07:09 UTC (rev 22263) 
@@ -38,6 +38,17 @@ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h do_tgs_req.c extern.h \ kdc_util.h policy.h +$(OUTPRE)fast_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + extern.h fast_util.c kdc_util.h $(OUTPRE)kdc_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \ 
@@ -105,10 +116,10 @@ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - extern.c extern.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h extern.c extern.h $(OUTPRE)replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ Modified: branches/krb5-1-7/src/lib/crypto/arcfour/deps =================================================================== --- branches/krb5-1-7/src/lib/crypto/arcfour/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/lib/crypto/arcfour/deps 2009-04-15 21:07:09 UTC (rev 22263) 
@@ -10,7 +10,8 @@ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - arcfour-int.h arcfour.c arcfour.h + $(srcdir)/../hash_provider/hash_provider.h arcfour-int.h \ + arcfour.c arcfour.h arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: branches/krb5-1-7/src/lib/crypto/deps =================================================================== --- branches/krb5-1-7/src/lib/crypto/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/lib/crypto/deps 2009-04-15 21:07:09 UTC (rev 22263) @@ -327,6 +327,16 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ etypes.h prf.c +cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + cf2.c etypes.h prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ 
@@ -441,6 +451,8 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ t_nfold.c +t_cf2.so t_cf2.po $(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h t_cf2.c t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: branches/krb5-1-7/src/lib/krb5/krb/deps =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/lib/krb5/krb/deps 2009-04-15 21:07:09 UTC (rev 22263) @@ -273,6 +273,16 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h encrypt_tk.c +fast.so fast.po $(OUTPRE)fast.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + fast.c fast.h int-proto.h free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -353,7 +363,7 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(srcdir)/../os/os-proto.h \ - get_in_tkt.c int-proto.h + fast.h get_in_tkt.c int-proto.h gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -564,7 +574,8 @@ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h int-proto.h preauth2.c + $(SRCTOP)/include/socket-utils.h fast.h int-proto.h \ + preauth2.c princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -807,6 +818,8 @@ $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h str_conv.c +t_ad_fx_armor.so t_ad_fx_armor.po $(OUTPRE)t_ad_fx_armor.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) t_ad_fx_armor.c tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ Modified: branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps =================================================================== --- branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps 2009-04-15 21:07:09 UTC (rev 22263) 
@@ -0,0 +1,14 @@ +# +# Generated makefile dependencies follow. +# +encrypted_challenge_main.so encrypted_challenge_main.po \ + $(OUTPRE)encrypted_challenge_main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../fast_factor.h encrypted_challenge_main.c Modified: branches/krb5-1-7/src/tests/gss-threads/deps =================================================================== --- branches/krb5-1-7/src/tests/gss-threads/deps 2009-04-15 21:00:34 UTC (rev 22262) +++ branches/krb5-1-7/src/tests/gss-threads/deps 2009-04-15 21:07:09 UTC (rev 22263) @@ -8,6 +8,7 @@ $(SRCTOP)/include/socket-utils.h gss-client.c gss-misc.h $(OUTPRE)gss-misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ gss-misc.c gss-misc.h $(OUTPRE)gss-server.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \ From ghudson at MIT.EDU Thu Apr 16 12:46:35 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 16 Apr 2009 12:46:35 -0400 Subject: svn rev #22264: trunk/src/kdc/ Message-ID: <200904161646.n3GGkZTm012018@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22264 Commit By: ghudson Log Message: ticket: 6470 subject: Send explicit salt for SALTTYPE_NORMAL keys target_version: 1.7 tags: pullup Change the signature of _make_etype_info_entry to take the canonical client principal instead of the request structure. Also fixes the salt we compute for SALTTYPE_NOREALM keys. Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be necessary for some preauth scenarios involving aliases. Changed Files: U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.c Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-04-15 21:07:09 UTC (rev 22263) +++ trunk/src/kdc/kdc_preauth.c 2009-04-16 16:46:33 UTC (rev 22264) @@ -1510,7 +1510,7 @@ static krb5_error_code _make_etype_info_entry(krb5_context context, - krb5_kdc_req *request, krb5_key_data *client_key, + krb5_principal client_princ, krb5_key_data *client_key, krb5_enctype etype, krb5_etype_info_entry **entry, int etype_info2) { @@ -1529,8 +1529,7 @@ tmp_entry->salt = 0; tmp_entry->s2kparams.data = NULL; tmp_entry->s2kparams.length = 0; - retval = get_salt_from_key(context, request->client, - client_key, &salt); + retval = get_salt_from_key(context, client_princ, client_key, &salt); if (retval) goto fail; if (etype_info2 && client_key->key_data_ver > 1 && 
@@ -1609,10 +1608,10 @@ if (request_contains_enctype(context, request, db_etype)) { assert(etype_info2 || !enctype_requires_etype_info_2(db_etype)); - if ((retval = _make_etype_info_entry(context, request, client_key, - db_etype, &entry[i], etype_info2)) != 0) { + retval = _make_etype_info_entry(context, client->princ, client_key, + db_etype, &entry[i], etype_info2); + if (retval != 0) goto cleanup; - } entry[i+1] = 0; i++; } @@ -1634,10 +1633,11 @@ } if (request_contains_enctype(context, request, db_etype)) { - if ((retval = _make_etype_info_entry(context, request, - client_key, db_etype, &entry[i], etype_info2)) != 0) { + retval = _make_etype_info_entry(context, client->princ, + client_key, db_etype, + &entry[i], etype_info2); + if (retval != 0) goto cleanup; - } entry[i+1] = 0; i++; } @@ -1732,9 +1732,9 @@ } entry[0] = NULL; entry[1] = NULL; - retval = _make_etype_info_entry(context, request, - client_key, encrypting_key->enctype, - entry, etype_info2); + retval = _make_etype_info_entry(context, client->princ, client_key, + encrypting_key->enctype, entry, + etype_info2); if (retval) goto cleanup; Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2009-04-15 21:07:09 UTC (rev 22263) +++ trunk/src/kdc/kdc_util.c 2009-04-16 16:46:33 UTC (rev 22264) @@ -1566,6 +1566,13 @@ switch (client_key->key_data_type[1]) { case KRB5_KDB_SALTTYPE_NORMAL: + /* + * The client could infer the salt from the principal, but + * might use the wrong principal name if this is an alias. So + * it's more reliable to send an explicit salt. + */ + if ((retval = krb5_principal2salt(context, client, salt))) + return retval; break; case KRB5_KDB_SALTTYPE_V4: /* send an empty (V4) salt */ From tlyu at MIT.EDU Fri Apr 17 17:28:38 2009 
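Review bot: The comment added to the `KRB5_KDB_SALTTYPE_NORMAL` case in `get_salt_from_key` (kdc_util.c, `@@ -1566,6 +1566,13 @@`) says why an explicit salt is sent but not what it exposes: the salt is built by `krb5_principal2salt` from the principal the caller passes, which after the kdc_preauth.c hunks is `client->princ`, and etype-info is normally returned with the preauthentication-required error, before the requester has authenticated. A request that names an alias would therefore presumably get back the canonical principal's realm and name components in the salt. I would add a sentence to the comment such as `The salt is derived from the canonical principal and is visible to unauthenticated requesters.` so the trade-off is recorded next to the code. Any caller of `get_salt_from_key` outside these hunks that still passes `request->client` would build the salt from the alias, which is the case this change is meant to avoid; the function's full body and its other callers are not visible here. The pull-up in r22265 carries the same hunk, so the same comment applies there.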
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Fri, 17 Apr 2009 17:28:38 -0400 Subject: svn rev #22265: branches/krb5-1-7/src/kdc/ Message-ID: <200904172128.n3HLScIY028581@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22265 Commit By: tlyu Log Message: ticket: 6470 version_fixed: 1.7 pull up r22264 from trunk ------------------------------------------------------------------------ r22264 | ghudson | 2009-04-16 12:46:33 -0400 (Thu, 16 Apr 2009) | 12 lines Changed paths: M /trunk/src/kdc/kdc_preauth.c M /trunk/src/kdc/kdc_util.c ticket: 6470 subject: Send explicit salt for SALTTYPE_NORMAL keys target_version: 1.7 tags: pullup Change the signature of _make_etype_info_entry to take the canonical client principal instead of the request structure. Also fixes the salt we compute for SALTTYPE_NOREALM keys. Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be necessary for some preauth scenarios involving aliases. Changed Files: U branches/krb5-1-7/src/kdc/kdc_preauth.c U branches/krb5-1-7/src/kdc/kdc_util.c Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-16 16:46:33 UTC (rev 22264) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-04-17 21:28:37 UTC (rev 22265) @@ -1510,7 +1510,7 @@ static krb5_error_code _make_etype_info_entry(krb5_context context, - krb5_kdc_req *request, krb5_key_data *client_key, + krb5_principal client_princ, krb5_key_data *client_key, krb5_enctype etype, krb5_etype_info_entry **entry, int etype_info2) { @@ -1529,8 +1529,7 @@ tmp_entry->salt = 0; tmp_entry->s2kparams.data = NULL; tmp_entry->s2kparams.length = 0; - retval = get_salt_from_key(context, request->client, - client_key, &salt); + retval = get_salt_from_key(context, client_princ, client_key, &salt); if (retval) goto fail; if (etype_info2 && client_key->key_data_ver > 1 && 
@@ -1609,10 +1608,10 @@ if (request_contains_enctype(context, request, db_etype)) { assert(etype_info2 || !enctype_requires_etype_info_2(db_etype)); - if ((retval = _make_etype_info_entry(context, request, client_key, - db_etype, &entry[i], etype_info2)) != 0) { + retval = _make_etype_info_entry(context, client->princ, client_key, + db_etype, &entry[i], etype_info2); + if (retval != 0) goto cleanup; - } entry[i+1] = 0; i++; } @@ -1634,10 +1633,11 @@ } if (request_contains_enctype(context, request, db_etype)) { - if ((retval = _make_etype_info_entry(context, request, - client_key, db_etype, &entry[i], etype_info2)) != 0) { + retval = _make_etype_info_entry(context, client->princ, + client_key, db_etype, + &entry[i], etype_info2); + if (retval != 0) goto cleanup; - } entry[i+1] = 0; i++; } @@ -1732,9 +1732,9 @@ } entry[0] = NULL; entry[1] = NULL; - retval = _make_etype_info_entry(context, request, - client_key, encrypting_key->enctype, - entry, etype_info2); + retval = _make_etype_info_entry(context, client->princ, client_key, + encrypting_key->enctype, entry, + etype_info2); if (retval) goto cleanup; Modified: branches/krb5-1-7/src/kdc/kdc_util.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-16 16:46:33 UTC (rev 22264) +++ branches/krb5-1-7/src/kdc/kdc_util.c 2009-04-17 21:28:37 UTC (rev 22265) @@ -1568,6 +1568,13 @@ switch (client_key->key_data_type[1]) { case KRB5_KDB_SALTTYPE_NORMAL: + /* + * The client could infer the salt from the principal, but + * might use the wrong principal name if this is an alias. So + * it's more reliable to send an explicit salt. + */ + if ((retval = krb5_principal2salt(context, client, salt))) + return retval; break; case KRB5_KDB_SALTTYPE_V4: /* send an empty (V4) salt */ From ghudson at MIT.EDU Wed Apr 22 04:26:18 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 22 Apr 2009 04:26:18 -0400 Subject: svn rev #22266: trunk/doc/ Message-ID: <200904220826.n3M8QIVX001632@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22266 Commit By: ghudson Log Message: In the cross-realm setup example in the admin documentation, use "addprinc" instead of "add_princ" since the latter is not a recognized alias for add_principal. Changed Files: U trunk/doc/admin.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-04-17 21:28:37 UTC (rev 22265) +++ trunk/doc/admin.texinfo 2009-04-22 08:26:17 UTC (rev 22266) @@ -3826,10 +3826,10 @@ @smallexample @group @b{shell%:} kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4" - at b{kadmin:} add_princ -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM} + at b{kadmin:} addprinc -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM} @b{Enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} @b{Re-enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} - at b{kadmin:} add_princ -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} + at b{kadmin:} addprinc -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} @b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:} @b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:} @b{kadmin:} From hartmans at MIT.EDU Wed Apr 22 09:30:01 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 22 Apr 2009 09:30:01 -0400 Subject: svn rev #22267: trunk/src/kadmin/ cli/ ktutil/ Message-ID: <200904221330.n3MDU1nb019093@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22267 Commit By: hartmans Log Message: Ticket: 6474 Subject: move kadmin, ktutil, k5srvutil man pages to man1 Target_Version: 1.7 Tags: pullup These binaries have been moved to /usr/bin so their manpages should move from man8 to man1. Changed Files: U trunk/src/kadmin/cli/Makefile.in U trunk/src/kadmin/ktutil/Makefile.in Modified: trunk/src/kadmin/cli/Makefile.in =================================================================== --- trunk/src/kadmin/cli/Makefile.in 2009-04-22 08:26:17 UTC (rev 22266) +++ trunk/src/kadmin/cli/Makefile.in 2009-04-22 13:30:00 UTC (rev 22267) @@ -30,8 +30,8 @@ $(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(CLIENT_BINDIR)/$(PROG) $(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(CLIENT_BINDIR)/k5srvutil - $(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8 - $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8 + $(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(CLIENT_MANDIR)/k5srvutil.1 + $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(CLIENT_MANDIR)/$(PROG).1 $(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8 generate-files-mac: kadmin_ct.c getdate.c Modified: trunk/src/kadmin/ktutil/Makefile.in =================================================================== --- trunk/src/kadmin/ktutil/Makefile.in 2009-04-22 08:26:17 UTC (rev 22266) +++ trunk/src/kadmin/ktutil/Makefile.in 2009-04-22 13:30:00 UTC (rev 22267) 
@@ -21,7 +21,7 @@ install:: $(INSTALL_PROGRAM) ktutil ${DESTDIR}$(CLIENT_BINDIR)/ktutil - $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(ADMIN_MANDIR)/ktutil.8 + $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(CLIENT_MANDIR)/ktutil.1 generate-files-mac: ktutil_ct.c From tlyu at MIT.EDU Wed Apr 22 12:20:49 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 22 Apr 2009 12:20:49 -0400 Subject: svn rev #22268: branches/krb5-1-7/src/kadmin/ cli/ ktutil/ Message-ID: <200904221620.n3MGKnol031984@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22268 Commit By: tlyu Log Message: ticket: 6474 version_fixed: 1.7 pull up r22267 from trunk ------------------------------------------------------------------------ r22267 | hartmans | 2009-04-22 09:30:00 -0400 (Wed, 22 Apr 2009) | 7 lines Changed paths: M /trunk/src/kadmin/cli/Makefile.in M /trunk/src/kadmin/ktutil/Makefile.in Ticket: 6474 Subject: move kadmin, ktutil, k5srvutil man pages to man1 Target_Version: 1.7 Tags: pullup These binaries have been moved to /usr/bin so their manpages should move from man8 to man1. Changed Files: U branches/krb5-1-7/src/kadmin/cli/Makefile.in U branches/krb5-1-7/src/kadmin/ktutil/Makefile.in Modified: branches/krb5-1-7/src/kadmin/cli/Makefile.in =================================================================== --- branches/krb5-1-7/src/kadmin/cli/Makefile.in 2009-04-22 13:30:00 UTC (rev 22267) +++ branches/krb5-1-7/src/kadmin/cli/Makefile.in 2009-04-22 16:20:49 UTC (rev 22268) 
@@ -30,8 +30,8 @@ $(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(CLIENT_BINDIR)/$(PROG) $(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(CLIENT_BINDIR)/k5srvutil - $(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8 - $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8 + $(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(CLIENT_MANDIR)/k5srvutil.1 + $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(CLIENT_MANDIR)/$(PROG).1 $(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8 generate-files-mac: kadmin_ct.c getdate.c Modified: branches/krb5-1-7/src/kadmin/ktutil/Makefile.in =================================================================== --- branches/krb5-1-7/src/kadmin/ktutil/Makefile.in 2009-04-22 13:30:00 UTC (rev 22267) +++ branches/krb5-1-7/src/kadmin/ktutil/Makefile.in 2009-04-22 16:20:49 UTC (rev 22268) @@ -21,7 +21,7 @@ install:: $(INSTALL_PROGRAM) ktutil ${DESTDIR}$(CLIENT_BINDIR)/ktutil - $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(ADMIN_MANDIR)/ktutil.8 + $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(CLIENT_MANDIR)/ktutil.1 generate-files-mac: ktutil_ct.c From tlyu at MIT.EDU Wed Apr 22 14:08:46 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 22 Apr 2009 14:08:46 -0400 Subject: svn rev #22269: branches/krb5-1-7/ doc/ src/ Message-ID: <200904221808.n3MI8kkX005795@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22269 Commit By: tlyu Log Message: README and patchlevel for krb5-1.7-beta1 Changed Files: U branches/krb5-1-7/README U branches/krb5-1-7/doc/definitions.texinfo U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/README =================================================================== --- branches/krb5-1-7/README 2009-04-22 16:20:49 UTC (rev 22268) +++ branches/krb5-1-7/README 2009-04-22 18:08:46 UTC (rev 22269) 
@@ -66,13 +66,8 @@ krb5-1.7 release will contain measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, but will default -to "false" in the future. Depending on the outcome of ongoing -discussion on krbdev at mit.edu, this default could change prior to the -final release of krb5-1.7. +to "false" in the future. -Additional measures to ease the transition away from DES are planned -for the final krb5-1.7 release. - Major changes in 1.7 -------------------- 
@@ -113,284 +108,387 @@ * Master key rollover support. +* Flexible Authentication Secure Tunneling (FAST), a preauthentiation + framework that can protect the AS exchange from dictionary attack. + +* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a + GSS application to delegate credentials only if permitted by KDC + policy. One minor known bug, which will probably be fixed by final + release, occurs when this functionality is used with cross-realm + authentication; see RT ticket #6473. + +* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- + various vulnerabilities in SPNEGO and ASN.1 code. + +Known bugs by ticket ID +----------------------- + +6473 strip ok-as-delegate if not in cross-realm TGT chain + Changes by ticket ID -------------------- -194 a stash file is not a keytab -914 keytab add without randomizing key -1201 replay cache can produce false positive indications -2836 feature request: compile/link time warnings for deprecated - functions -2939 unified CCAPI implementation -3496 krb524d should log success as well as failure -3497 problems with corrupt (truncated) ccaches -3499 race in replay cache file ownership -3737 plugins support requires a Windows equivalent to opendir and - friends -3929 support lazy launching of ccapi server -3930 CCAPI server must be able to distinguish context handles from +194 a stash file is not a keytab +914 keytab add without randomizing key +1165 annoying error message from krb5_mk_priv() +1201 replay cache can produce false positive indications +1624 use more secure checksum types +2836 feature request: compile/link time warnings for deprecated functions +2939 unified CCAPI implementation +3496 krb524d should log success as well as failure +3497 problems with corrupt (truncated) ccaches +3499 race in replay cache file ownership +3737 plugins support requires a Windows equivalent to opendir and friends +3929 support lazy launching of ccapi server +3930 CCAPI server must be able to 
distinguish context handles from other server instances -3931 CCAPI context and ccache change times must be stored by the client -3932 CCAPI should use a cc_handle not implemented as a pointer -3933 CCAPI client library reconnection support -3934 Implement CCAPI blocking calls -3935 CCAPI implement locking -3936 krb5_ccache functions should use the ccapi version 3 interface -5411 MEMORY keytab -5425 nonce needs to be random -5427 buffer overflow in krb5_kt_get_name -5428 MEMORY keytab leaks -5429 MEMORY keytab should use krb5_copy_keyblock -5430 MEMORY keytab's get_entry should set enctypes and kvnos -5431 krb5_kt_get_type should return const char *. -5432 krb5_kt_default_name should take an unsized length -5440 sendto_kdc() not signal safe, doesn't respond well to +3931 CCAPI context and ccache change times must be stored by the client +3932 CCAPI should use a cc_handle not implemented as a pointer +3933 CCAPI client library reconnection support +3934 Implement CCAPI blocking calls +3935 CCAPI implement locking +3936 krb5_ccache functions should use the ccapi version 3 interface +4241 Command line --version option +5411 MEMORY keytab +5425 nonce needs to be random +5427 buffer overflow in krb5_kt_get_name +5428 MEMORY keytab leaks +5429 MEMORY keytab should use krb5_copy_keyblock +5430 MEMORY keytab's get_entry should set enctypes and kvnos +5431 krb5_kt_get_type should return const char *. +5432 krb5_kt_default_name should take an unsized length +5440 sendto_kdc() not signal safe, doesn't respond well to staggered TCP responses. 
-5481 manual test of commit handler -5517 use IP(V6)_PKTINFO in KDC for UDP sockets -5545 uninitialized salt length when reading some keys -5560 threads on Solaris 10 -5561 close-on-exec flags -5565 krb5kdc.M is confused about keytype -5567 don't check for readability resolving SRVTAB: keytab -5568 Move CCAPI sources to krb5 repository -5569 Fixed bugs introduced while moving to krb5 repository -5570 Only use __attribute__ on GNUC compilers -5574 Add advisory locking to CCAPI -5575 don't include time.h in CredentialsCache.h if it's not needed -5578 test commit handler -5580 provide asprintf functionality for internal use -5589 krb5 trunk no longer builds on Windows - vsnprintf +5481 manual test of commit handler +5517 use IP(V6)_PKTINFO in KDC for UDP sockets +5545 uninitialized salt length when reading some keys +5560 threads on Solaris 10 +5561 close-on-exec flags +5565 krb5kdc.M is confused about keytype +5567 don't check for readability resolving SRVTAB: keytab +5568 Move CCAPI sources to krb5 repository +5569 Fixed bugs introduced while moving to krb5 repository +5570 Only use __attribute__ on GNUC compilers +5574 Add advisory locking to CCAPI +5575 don't include time.h in CredentialsCache.h if it's not needed +5578 test commit handler +5580 provide asprintf functionality for internal use +5589 krb5 trunk no longer builds on Windows - vsnprintf implementation required -5590 gss krb5 mech enhanced error messages -5593 kadmind crash on Debian AMD64 -5594 Work on compiling CCAPI test suite on Windows -5595 Problems with kpasswd and an IPv6 enviroment -5598 ccs_pipe_t needs copy and release functions -5599 Added new autogenerated file to generate-files-mac target -5600 provide more useful error message when running kpropd on - command line -5635 need more dylib_file specs for darwin -5641 kadm5_setkey_principal_3 fix -5642 Remove unused, unlocalizable error strings -5643 Alignment fix -5649 t_ser should no longer use kdb libraries -5654 remap mechanism-specific 
status codes in mechglue/spnego -5655 authorization-data plugin support in KDC -5657 (Mac-specific) PROG_LIBPATH build fix -5667 listprincs *z is broken -5670 Add documentation for CCAPI -5671 cleanup src/lib/gssapi/krb5/error_map.h on Windows -5672 no unistd.h on Windows -5699 test program build problem -5754 cci_array_move should work when the source and dest positions are equal -5760 stdint.h should only be accessed if HAVE_STDINT_H defined -5771 cc_ccache_set_principal always returns error 227 -5776 profile library memory leaks introduced when malloc returns 0 -5786 Update Release Documentation for KFW 3.2.2 -5804 cc_initalize(ccapi_version_2) should return CC_BAD_API_VERSION +5590 gss krb5 mech enhanced error messages +5593 kadmind crash on Debian AMD64 +5594 Work on compiling CCAPI test suite on Windows +5595 Problems with kpasswd and an IPv6 enviroment +5598 ccs_pipe_t needs copy and release functions +5599 Added new autogenerated file to generate-files-mac target +5600 provide more useful error message when running kpropd on command line +5635 need more dylib_file specs for darwin +5641 kadm5_setkey_principal_3 fix +5642 Remove unused, unlocalizable error strings +5643 Alignment fix +5649 t_ser should no longer use kdb libraries +5654 remap mechanism-specific status codes in mechglue/spnego +5655 authorization-data plugin support in KDC +5657 (Mac-specific) PROG_LIBPATH build fix +5667 listprincs *z is broken +5670 Add documentation for CCAPI +5671 cleanup src/lib/gssapi/krb5/error_map.h on Windows +5672 no unistd.h on Windows +5699 test program build problem +5754 cci_array_move should work when the source and dest positions are equal +5760 stdint.h should only be accessed if HAVE_STDINT_H defined +5771 cc_ccache_set_principal always returns error 227 +5776 profile library memory leaks introduced when malloc returns 0 +5786 Update Release Documentation for KFW 3.2.2 +5804 cc_initalize(ccapi_version_2) should return CC_BAD_API_VERSION not CC_NOT_SUPP -5805 
Add documentation for error codes used for flow control. -5806 Removed NOP line of code from krb5_fcc_next_cred() -5807 can't store delegated krb5 creds when using spnego -5813 cc_ccache_store_credentials should return ccErrBadCredentialsVersion -5814 cci_array_move not returning correct new position -5815 ccs_lock_status_grant_lock granting wrong lock -5822 fixed mispelling in kadmin error message -5828 Include time.h for time() -5835 Kerberos with apple leopard -5863 [no subject] -5864 improve debugging of ticket verification in ksu -5867 krb-priv sequence numbers don't match up in retransmitted requests -5872 Add ccs_pipe_compare -5884 Need CCAPI v2 support for Windows -5885 Remove AppleConnect workaround -5894 krb5int_arcfour_string_to_key does not support utf-8 strings -5899 Compiling krb5-1.6.3 on FreeBSD 7.0-RELEASE -5900 ccs_ccache_reset should check all arguments for NULL -5901 CCAPI v2 support crash when client or server strings are NULL -5902 cci_cred_union_compare_to_credentials_union doesn't work for v5 creds -5903 Fix pointer cast in cc_seq_fetch_NCs_end -5904 cc_set_principal should return error on bad cred version -5905 cc_remove_cred should only remove one cred -5906 Fixed error code remapping -5907 Removed tests for check_cc_context_get_version -5908 Remove C warnings from CCAPI tests -5909 Add CCAPI v2 tests -5911 removed unused header file inclusion CoreFoundation.h -5912 Invalid assignment while trying to set input to NULL -5915 cc_ccache_iterator_release, cc_credentials_iterator_release +5805 Add documentation for error codes used for flow control. 
+5806 Removed NOP line of code from krb5_fcc_next_cred() +5807 can't store delegated krb5 creds when using spnego +5813 cc_ccache_store_credentials should return ccErrBadCredentialsVersion +5814 cci_array_move not returning correct new position +5815 ccs_lock_status_grant_lock granting wrong lock +5822 fixed mispelling in kadmin error message +5828 Include time.h for time() +5835 Kerberos with apple leopard +5863 [no subject] +5864 improve debugging of ticket verification in ksu +5867 krb-priv sequence numbers don't match up in retransmitted requests +5872 Add ccs_pipe_compare +5884 Need CCAPI v2 support for Windows +5885 Remove AppleConnect workaround +5894 krb5int_arcfour_string_to_key does not support utf-8 strings +5899 Compiling krb5-1.6.3 on FreeBSD 7.0-RELEASE +5900 ccs_ccache_reset should check all arguments for NULL +5901 CCAPI v2 support crash when client or server strings are NULL +5902 cci_cred_union_compare_to_credentials_union doesn't work for v5 creds +5903 Fix pointer cast in cc_seq_fetch_NCs_end +5904 cc_set_principal should return error on bad cred version +5905 cc_remove_cred should only remove one cred +5906 Fixed error code remapping +5907 Removed tests for check_cc_context_get_version +5908 Remove C warnings from CCAPI tests +5909 Add CCAPI v2 tests +5911 removed unused header file inclusion CoreFoundation.h +5912 Invalid assignment while trying to set input to NULL +5915 cc_ccache_iterator_release, cc_credentials_iterator_release leak server memory -5920 CCacheServer should track client iterators -5923 Protect CFBundle calls with mutexes -5925 Windows socket(...) returns SOCKET, not file handle -5926 Added prototype to test function to remove warning. 
-5943 db creation creates a kadmin/hostname princ but doesn't fix case -5947 krb5_walk_realm_tree broken substring logic -5948 error in filebase+suffix list generation in plugin code -5949 Don't leak memory when multiple arguments are NULL -5954 ksu fails without domain_realm mapping for local host -5960 Move KIM implementation to the krb5 repository -5962 unchecked calls to k5_mutex_lock() interact poorly with finalizers -5963 Profile library should not call rw_access earlier than needed -5964 Re: Fwd: [modauthkerb] [SOLVED] 'Request is a replay' + Basic auth -5966 signed vs unsigned char * warnings in kdb_xdr.c -5967 No prototype when building kdb5_util without krb4 support -5969 Add header for kill() in USE_PASSWORD_SERVER case -5982 cci_credentials_iterator_release using wrong message ID -5989 Add new launchd flags to CCacheServer plist file -5990 kadm5_setkey_principal_3 not copying key_data_ver and key_data_kvno -5993 Masterkey Keytab Stash -5999 fix ktutil listing with timestamp -6000 misc uninitialized-storage accesses -6001 Big endian stash file support -6002 krb5_rc_io_creat should use mkstemp -6005 krb5_get_error_message returns const char * -6009 kdc does not compile with glibc 2.8 -6010 krb5int_gic_opte_copy should copy elements individually -6011 Add EnableTransactions launchd option to CCacheServer -6012 Add EnableTransactions launchd option to KerberosAgent -6013 Stop building Kerberos.app as part of KfM. -6015 gss_export_lucid_sec_context support for SPNEGO -6016 SPNEGO workaround for SAMBA mech OID quirks -6017 KDC virtual address support -6019 Add signal to force KDC to check for changed interfaces -6024 Don't use "ccache" in error string printed to user -6025 Add macro so we don't print deprecated warnings while building KfM -6026 CCacheServer crashes iterating over creds which have been destroyed -6029 kadmind leaks error strings on failures -6031 krb needs better realm lookup logic -6032 test commit handler change -6044 Add Apple Inc. 
to copyright lists. -6052 Return extended krb5 error strings -6055 KIM API -6066 turn off thread-support debugging code -6070 update DES code copyright notices -6074 Use a valid UTF8 password for randkey password -6075 Open log file for appending only, not also reading -6076 Don't build PKINIT ASN.1 support code if not building PKINIT plugin -6077 krb5_fcc_resolve file locking error on malloc failuer -6080 mac port of kim should not depend on kipc -6081 Conditionalize building of CCAPI ccache type on USE_CCAPI -6083 profile write code should only quote empty strings -6087 Notify clients on ccache deletion -6088 Add support to send CFNotifications on ccache and cache +5920 CCacheServer should track client iterators +5923 Protect CFBundle calls with mutexes +5925 Windows socket(...) returns SOCKET, not file handle +5926 Added prototype to test function to remove warning. +5943 db creation creates a kadmin/hostname princ but doesn't fix case +5947 krb5_walk_realm_tree broken substring logic +5948 error in filebase+suffix list generation in plugin code +5949 Don't leak memory when multiple arguments are NULL +5954 ksu fails without domain_realm mapping for local host +5960 Move KIM implementation to the krb5 repository +5962 unchecked calls to k5_mutex_lock() interact poorly with finalizers +5963 Profile library should not call rw_access earlier than needed +5964 Re: Fwd: [modauthkerb] [SOLVED] 'Request is a replay' + Basic auth +5966 signed vs unsigned char * warnings in kdb_xdr.c +5967 No prototype when building kdb5_util without krb4 support +5969 Add header for kill() in USE_PASSWORD_SERVER case +5982 cci_credentials_iterator_release using wrong message ID +5989 Add new launchd flags to CCacheServer plist file +5990 kadm5_setkey_principal_3 not copying key_data_ver and key_data_kvno +5993 Masterkey Keytab Stash +5999 fix ktutil listing with timestamp +6000 misc uninitialized-storage accesses +6001 Big endian stash file support +6002 krb5_rc_io_creat should use 
mkstemp +6005 krb5_get_error_message returns const char * +6009 kdc does not compile with glibc 2.8 +6010 krb5int_gic_opte_copy should copy elements individually +6011 Add EnableTransactions launchd option to CCacheServer +6012 Add EnableTransactions launchd option to KerberosAgent +6013 Stop building Kerberos.app as part of KfM. +6015 gss_export_lucid_sec_context support for SPNEGO +6016 SPNEGO workaround for SAMBA mech OID quirks +6017 KDC virtual address support +6019 Add signal to force KDC to check for changed interfaces +6024 Don't use "ccache" in error string printed to user +6025 Add macro so we don't print deprecated warnings while building KfM +6026 CCacheServer crashes iterating over creds which have been destroyed +6029 kadmind leaks error strings on failures +6031 krb needs better realm lookup logic +6032 test commit handler change +6044 Add Apple Inc. to copyright lists. +6052 Return extended krb5 error strings +6055 KIM API +6066 turn off thread-support debugging code +6070 update DES code copyright notices +6074 Use a valid UTF8 password for randkey password +6075 Open log file for appending only, not also reading +6076 Don't build PKINIT ASN.1 support code if not building PKINIT plugin +6077 krb5_fcc_resolve file locking error on malloc failuer +6080 mac port of kim should not depend on kipc +6081 Conditionalize building of CCAPI ccache type on USE_CCAPI +6083 profile write code should only quote empty strings +6087 Notify clients on ccache deletion +6088 Add support to send CFNotifications on ccache and cache collection changes -6090 k5_mutex_destroy calls pthread_mutex_destroy with mutex locked -6091 lean client changes -6093 KIM should not provide keytab functions when building lite framework -6094 CCAPI is leaking mach ports -6101 compile-time flag to disable iprop -6103 fix resource leak in USE_PASSWORD_SERVER code -6111 CCAPI should only use one pthread key -6120 increase rpc timeout -6121 dead code in lib/rpc/clnt_udp.c -6131 Removed 
argument from kipc_client_lookup_server -6133 C90 compliance -6138 Switch KfM back to error tables -6140 CCAPI should use common ipc and stream code -6142 KerberosAgent dialogs jump around the screen -6143 KerberosAgent: Enter Identity text field shouldn't be clear +6090 k5_mutex_destroy calls pthread_mutex_destroy with mutex locked +6091 lean client changes +6093 KIM should not provide keytab functions when building lite framework +6094 CCAPI is leaking mach ports +6101 compile-time flag to disable iprop +6103 fix resource leak in USE_PASSWORD_SERVER code +6108 A client can fail to get initial creds if it changes the + password while doing so. +6111 CCAPI should only use one pthread key +6120 increase rpc timeout +6121 dead code in lib/rpc/clnt_udp.c +6131 Removed argument from kipc_client_lookup_server +6133 C90 compliance +6138 Switch KfM back to error tables +6140 CCAPI should use common ipc and stream code +6142 KerberosAgent dialogs jump around the screen +6143 KerberosAgent: Enter Identity text field shouldn't be clear automatically -6144 KerberosAgent: ignore user interaction while busy -6145 KerberosAgent attach associated dialogs to Select Identity dialog -6146 Client name passed by KIM is incorrect -6147 KerberosAgent Use Defaults button doesn't work -6151 Don't touch keychain if home directory access is disabled -6153 Add KLL error table -6154 Hinge building KLL shim off KIM_TO_KLL_SHIM, not LEAN_CLIENT -6155 KLLastChangedTime should return current time, not 0 -6156 KLL shim layer does not correctly handle options -6157 KIM should remember options and identity if prefs indicate -6158 KerberosAgent should handle multiple clients simultaneously -6159 KerberosAgent should handle zoom button better -6160 KLL should use __attribute ((deprecated)) -6162 kim_options_copy should allow in_options to be KIM_OPTIONS_DEFAULT -6163 Crash in kim_credential_create_from_keytab -6164 KL APIs which take a NULL principal return klParameterErr -6165 kim_options_create 
sometimes returns KIM_OPTIONS_DEFAULT -6166 preferences should handle KIM_OPTIONS_DEFAULT -6168 prefs should not create empty dictionary for KIM_OPTIONS_DEFAULT -6169 Missing keys in KerberosAgent Info.plist -6170 change password should always reprompt on error -6171 allow kim ui plugins to have any name -6172 kim_ui_plugin_fini sends pointer to context instead of context. -6175 always zero out authentication strings -6176 Test KIM plugin -6179 kim_os_string_create_localized leaks CFStringRef -6181 Free error message returned by krb5_get_error_message -6182 kim test suite reports error messages incorrectly -6183 KerberosAgent enter identity dialog should use default -6184 handle stash file names with missing keytab type spec and colon in path -6185 Merge KerberosIPC into k5_mig support -6186 Move GUI/CLI detection from KerberosIPC into KIM -6187 use KIM_BUILTIN_UI instead of LEAN_CLIENT for builtin UI -6189 remove unused variable in kim_ui_cli_ask_change_password -6190 Use a context to store error table info -6192 Treat unreadable terminal as user cancelled so regression tests work -6193 Remap some of the more confusing krb5 errors -6194 Double free and leak in kim_os_library_get_application_path -6195 Added back KLL test programs -6197 KLCreatePrincipalFromTriplet should work with empty instance -6198 KerberosAgent continues to ignore mouse events after error -6199 don't include "WRFILE:" in call to mktemp -6201 small leak in KDC authdata plugins -6202 kadmind leaks extended error strings -6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response -6214 krb5_change_set_password not freeing chpw_rep contents -6216 Free data in tests so leaks checking is easier -6217 kim_preferences should free old identity before overwriting -6218 kim_ccache_iterator_next leaks principal -6219 kim_os_library_get_caller_name leaks file path -6220 kim_identity_change_password_with_credential leaks krb5_creds -6221 KerberosAgent should clear generic auth prompt -6222 
KerberosAgent enter dialog should add entered identities to favorites -6224 KerberosAgent 'no selection' placeholder in ticket options -6225 Remove ipc message sent on cc_context_release -6226 KIM should only display error dialogs if it has displayed UI already -6227 Apple LW_net_trans.patch make KDC rescan network after 30 seconds -6231 Apple split build support -6247 Apple patch: null out pointer in string_to_key after free -6248 Apple patch: destroy Mach ports on unload -6250 Use CFStringGetCStringPtr when possible -6251 Add test for kim_identity_create_from_components -6252 krb5_build_principal_va does not allocate krb5_principal -6254 krb5_build_principal_ext walks off beginning of array -6255 partial rewrite of the ASN.1 encoders -6256 localize format strings, not final error string -6260 KerberosAgent hangs changing pw for passwordless identities -6261 Remove saved password if it fails to get tickets -6262 Only prompt automatically from GUI apps -6264 Avoid duplicate identical dialogs in KIM -6265 KerberosAgent bindings causing crashes -6266 BIND_8_COMPAT no longer needed in Leopard -6267 Add _with_password credential acquisition functions to KIM API -6274 Crypto IOV API per Projects/AEAD encryption API -6282 krb5kdc deref uninit memory on the stack on unknown principal (pk-init) -6285 Provide SPI to switch the mach port lookup for kipc -6286 Allow kerberos configuration files fail with EPERM -6289 replay cache is insecurely handled -6290 KIM: Pushing authentication login window do application -6291 Using referrals fills the the credentials cache more entries +6144 KerberosAgent: ignore user interaction while busy +6145 KerberosAgent attach associated dialogs to Select Identity dialog +6146 Client name passed by KIM is incorrect +6147 KerberosAgent Use Defaults button doesn't work +6151 Don't touch keychain if home directory access is disabled +6153 Add KLL error table +6154 Hinge building KLL shim off KIM_TO_KLL_SHIM, not LEAN_CLIENT +6155 KLLastChangedTime 
should return current time, not 0 +6156 KLL shim layer does not correctly handle options +6157 KIM should remember options and identity if prefs indicate +6158 KerberosAgent should handle multiple clients simultaneously +6159 KerberosAgent should handle zoom button better +6160 KLL should use __attribute ((deprecated)) +6162 kim_options_copy should allow in_options to be KIM_OPTIONS_DEFAULT +6163 Crash in kim_credential_create_from_keytab +6164 KL APIs which take a NULL principal return klParameterErr +6165 kim_options_create sometimes returns KIM_OPTIONS_DEFAULT +6166 preferences should handle KIM_OPTIONS_DEFAULT +6168 prefs should not create empty dictionary for KIM_OPTIONS_DEFAULT +6169 Missing keys in KerberosAgent Info.plist +6170 change password should always reprompt on error +6171 allow kim ui plugins to have any name +6172 kim_ui_plugin_fini sends pointer to context instead of context. +6175 always zero out authentication strings +6176 Test KIM plugin +6179 kim_os_string_create_localized leaks CFStringRef +6181 Free error message returned by krb5_get_error_message +6182 kim test suite reports error messages incorrectly +6183 KerberosAgent enter identity dialog should use default +6184 handle stash file names with missing keytab type spec and colon in path +6185 Merge KerberosIPC into k5_mig support +6186 Move GUI/CLI detection from KerberosIPC into KIM +6187 use KIM_BUILTIN_UI instead of LEAN_CLIENT for builtin UI +6189 remove unused variable in kim_ui_cli_ask_change_password +6190 Use a context to store error table info +6192 Treat unreadable terminal as user cancelled so regression tests work +6193 Remap some of the more confusing krb5 errors +6194 Double free and leak in kim_os_library_get_application_path +6195 Added back KLL test programs +6197 KLCreatePrincipalFromTriplet should work with empty instance +6198 KerberosAgent continues to ignore mouse events after error +6199 don't include "WRFILE:" in call to mktemp +6201 small leak in KDC authdata 
plugins +6202 kadmind leaks extended error strings +6203 DELEG_POLICY_FLAG for GSS +6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response +6214 krb5_change_set_password not freeing chpw_rep contents +6216 Free data in tests so leaks checking is easier +6217 kim_preferences should free old identity before overwriting +6218 kim_ccache_iterator_next leaks principal +6219 kim_os_library_get_caller_name leaks file path +6220 kim_identity_change_password_with_credential leaks krb5_creds +6221 KerberosAgent should clear generic auth prompt +6222 KerberosAgent enter dialog should add entered identities to favorites +6224 KerberosAgent 'no selection' placeholder in ticket options +6225 Remove ipc message sent on cc_context_release +6226 KIM should only display error dialogs if it has displayed UI already +6227 Apple LW_net_trans.patch make KDC rescan network after 30 seconds +6231 Apple split build support +6247 Apple patch: null out pointer in string_to_key after free +6248 Apple patch: destroy Mach ports on unload +6250 Use CFStringGetCStringPtr when possible +6251 Add test for kim_identity_create_from_components +6252 krb5_build_principal_va does not allocate krb5_principal +6254 krb5_build_principal_ext walks off beginning of array +6255 partial rewrite of the ASN.1 encoders +6256 localize format strings, not final error string +6260 KerberosAgent hangs changing pw for passwordless identities +6261 Remove saved password if it fails to get tickets +6262 Only prompt automatically from GUI apps +6264 Avoid duplicate identical dialogs in KIM +6265 KerberosAgent bindings causing crashes +6266 BIND_8_COMPAT no longer needed in Leopard +6267 Add _with_password credential acquisition functions to KIM API +6274 Crypto IOV API per Projects/AEAD encryption API +6282 krb5kdc deref uninit memory on the stack on unknown principal (pk-init) +6285 Provide SPI to switch the mach port lookup for kipc +6286 Allow kerberos configuration files fail with EPERM +6289 replay 
cache is insecurely handled +6290 KIM: Pushing authentication login window do application +6291 Using referrals fills the the credentials cache more entries of the same name -6294 lib/gssapi/krb5/init_sec_context.c: don't leak on mutex_lock failure -6295 Memory leak in KIM identity object -6297 "make check" fails due to krb5_cc_new_unique() on 64-bit +6294 lib/gssapi/krb5/init_sec_context.c: don't leak on mutex_lock failure +6295 Memory leak in KIM identity object +6297 "make check" fails due to krb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio -6302 kadmind mem leaks [rdar 6358917] -6303 Remove krb4 support -6308 Alignment problem in resolver test -6309 update ldap plugin Makefile for krb4 removal -6315 move generated dependencies out of Makefile.in -6316 KIM GC problem on 64-bit -6335 test failures in password changing -6336 enctype negotiation - etype list -6337 kadmin should force non-forwardable tickets -6339 Fwd: krb5_sendauth vs NAGLE vs DelayedAck -6342 hash db2 code breaks if st_blksize > 64k -6351 gss_header|trailerlen should be unsigned int -6352 return correct kvno in TGS case -6354 Master Key Migration Project +6302 kadmind mem leaks [rdar 6358917] +6303 Remove krb4 support +6308 Alignment problem in resolver test +6309 update ldap plugin Makefile for krb4 removal +6315 move generated dependencies out of Makefile.in +6316 KIM GC problem on 64-bit +6335 test failures in password changing +6336 enctype negotiation - etype list +6337 kadmin should force non-forwardable tickets +6339 Fwd: krb5_sendauth vs NAGLE vs DelayedAck +6342 hash db2 code breaks if st_blksize > 64k +6348 kadmin and ktutil installed in sbin, should be bin +6349 lib/rpc tests should not fail if portmap/rpcbind not running +6351 gss_header|trailerlen should be unsigned int +6352 return correct kvno in TGS case +6354 Master Key Migration Project +6355 use t_inetd with a ready message and avoid waiting a lot in + non-root tests +6356 small storage leak in KDC startup +6357 
address lib/kadm5 test suite slowness +6358 speed up kpasswd tests +6360 utf8_conv.c: wrong level of indirection in free() +6361 new multi-masterkey support doesn't work well when system + clock is set back +6362 don't do arithmetic on void pointers +6363 int/ptr bug in gssapi code +6364 declare replacement [v]asprintf functions +6365 include omitted system header string.h +6367 Fix a memory leak in krb5_kt_resolve +6368 chpw.c: missing break in switch statement +6370 Fix assertion in gc_frm_kdc.c +6371 deal with memleaks in migrate mkey project +6372 Fix memory handling bug in mk_req_ext +6373 remove some redundant or useless qualifiers +6374 Do not assume sizeof(bool_t) == sizeof(krb5_boolean) +6375 Fix error handling in krb5_walk_realm_tree +6376 Memory handling fixes in walk_rtree +6377 make krb5_free_* functions ignore NULL +6378 Change contract of krb5int_utf8_normalize and fix memory leaks +6379 Fix possible free of uninitialized value in walk_rtree +6390 --disable-rpath is not working +6392 Fix allocation failure check in walk_rtree +6393 Implement TGS authenticator subkey support +6397 use macros for config parameter strings +6398 remove obsolete GNU.ORG realm info +6400 [no subject] +6401 send_as_req re-encodes the request +6402 CVE-2009-0845 SPNEGO can dereference a null pointer +6403 kdb5_ldap_util create segfaults when + krb5_dbekd_encrypt_key_data() called +6405 fixing several bugs relating to the migrate mkey project using + a LDAP KDB +6407 Make a working krb5_copy_error_message +6408 Report verbose error messages from KDC +6412 crash using library-allocated storage for header in wrap_iov +6415 Use correct salt for canonicalized principals +6418 Improve LDAP admin documentation +6419 Document alias support in LDAP back end +6420 Add LDAP back end support for canonical name attribute +6421 Implement KRB-FX_CF2 +6422 Implement krb5int_find_authdata +6423 krb5_auth_con_free should support freeing a null auth_context + without segfault. 
+6424 Call kdb_set_mkey_list from the KDC +6425 Memory leak cleanup in ASN.1 +6427 Fix error handling issue in ASN.1 decoder +6431 Install kadmin and kdb headers +6432 Update kdb5_util man page for mkey migration project +6435 Add PAC and principal parsing test cases +6436 Implement FAST from draft-ietf-krb-wg-preauth-framework +6437 mark export grade RC4 as weak +6438 Handle authdata encrypted in subkey +6439 Implement KDC side of TGS FAST +6442 Null pointer defref in adding info +6443 CVE-2009-0844 SPNEGO can read beyond buffer end +6444 CVE-2009-0847 asn1buf_imbed incorrect length validation +6445 CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer +6449 Fall through on error return +6450 kdc: handle_referral_params does not return ENOMEM errors +6451 Update defaults in documentation +6452 Document allow_weak_crypto +6456 fix memory management in handle_referral_params +6457 KDC realm referral test +6458 use isflagset correctly in TGS referrals +6459 Update kdb5_util man page with missing purge_mkeys command +6460 Implement kinit option for FAST armor ccache +6461 Require fast_req checksum to be keyed +6462 clean up KDC realm referrals error handling +6463 realm referral test cases forcing KRB5_NT_UNKNOWN +6464 verify return code from krb5_db_set_mkey_list +6465 send_tgs.c static analyzer friendliness +6466 check encode_krb5_ap_req return in send_tgs.c +6467 new copy_data_contents variant that null-terminates +6468 k5_utf8s_to_ucs2s could deref NULL pointer... +6469 fcc_generate_new destroys locked mutex on error +6470 Send explicit salt for SALTTYPE_NORMAL keys +6474 move kadmin, ktutil, k5srvutil man pages to man1 Copyright and Other Legal Notices --------------------------------- 
@@ -949,7 +1047,8 @@ framework. Thanks to Novell for donating the KDB abstraction layer and the LDAP -database plug-in. +database plug-in, and also code implementing the Microsoft protocol +extensions. Thanks to Sun Microsystems for donating their implementations of mechglue, SPNEGO, master key rollover, and incremental propagation. Modified: branches/krb5-1-7/doc/definitions.texinfo =================================================================== --- branches/krb5-1-7/doc/definitions.texinfo 2009-04-22 16:20:49 UTC (rev 22268) +++ branches/krb5-1-7/doc/definitions.texinfo 2009-04-22 18:08:46 UTC (rev 22269) @@ -19,8 +19,8 @@ @set RANDOMUSER johndoe @set RANDOMUSER1 jennifer @set RANDOMUSER2 david - at set RELEASE 1.6 - at set PREVRELEASE 1.5 + at set RELEASE 1.7 + at set PREVRELEASE 1.6 @set INSTALLDIR /usr/@value{LCPRODUCT} @set PREVINSTALLDIR @value{INSTALLDIR} @set ROOTDIR /usr/local Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-04-22 16:20:49 UTC (rev 22268) +++ branches/krb5-1-7/src/patchlevel.h 2009-04-22 18:08:46 UTC (rev 22269) @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "alpha1-postrelease" +#define KRB5_RELTAIL "beta1" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "branches/krb5-1-7" +#define KRB5_RELTAG "tags/krb5-1-7-beta1" From tlyu at MIT.EDU Wed Apr 22 14:09:31 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 22 Apr 2009 14:09:31 -0400 Subject: svn rev #22270: tags/ Message-ID: <200904221809.n3MI9V54005874@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22270 Commit By: tlyu Log Message: tag krb5-1.7-beta1 Changed Files: A tags/krb5-1-7-beta1/ Copied: tags/krb5-1-7-beta1 (from rev 22269, branches/krb5-1-7) From tlyu at MIT.EDU Wed Apr 22 14:10:57 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 22 Apr 2009 14:10:57 -0400 Subject: svn rev #22271: branches/krb5-1-7/src/ Message-ID: <200904221810.n3MIAvRT006075@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22271 Commit By: tlyu Log Message: krb5-1.7-beta1-postrelease Changed Files: U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-04-22 18:09:31 UTC (rev 22270) +++ branches/krb5-1-7/src/patchlevel.h 2009-04-22 18:10:57 UTC (rev 22271) @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta1" +#define KRB5_RELTAIL "beta1-postrelease" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "tags/krb5-1-7-beta1" +#define KRB5_RELTAG "branches/krb5-1-7" From ghudson at MIT.EDU Thu Apr 23 04:42:40 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 04:42:40 -0400 Subject: svn rev #22272: trunk/src/lib/krb5/krb/ Message-ID: <200904230842.n3N8ge5S023734@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22272 Commit By: ghudson Log Message: ticket: 6473 tags: pullup In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from credentials obtained using a foreign TGT, unless the TGT also has ok-as-delegate set. Changed Files: U trunk/src/lib/krb5/krb/gc_via_tkt.c Modified: trunk/src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-04-22 18:10:57 UTC (rev 22271) +++ trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-04-23 08:42:40 UTC (rev 22272) 
@@ -144,6 +144,16 @@ return 0; } +/* Return true if a TGS credential is for the client's local realm. */ +static inline int +tgt_is_local_realm(krb5_creds *tgt) +{ + return (tgt->server->length == 2 + && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME) + && data_eq(tgt->server->data[1], tgt->client->realm) + && data_eq(tgt->server->realm, tgt->client->realm)); +} + krb5_error_code krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, krb5_flags kdcoptions, krb5_address *const *address, @@ -289,6 +299,14 @@ goto error_3; } + /* + * Don't trust the ok-as-delegate flag from foreign KDCs unless the + * cross-realm TGT also had the ok-as-delegate flag set. + */ + if (!tgt_is_local_realm(tkt) + && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE; + /* make sure the response hasn't been tampered with..... */ retval = 0; From ghudson at MIT.EDU Thu Apr 23 10:50:07 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 10:50:07 -0400 Subject: svn rev #22273: trunk/src/lib/krb5/os/ Message-ID: <200904231450.n3NEo7TW012451@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22273 Commit By: ghudson Log Message: Fix an error-handling block in sendto_kdc.c's setup_connection() which would always attempt to close -1. Changed Files: U trunk/src/lib/krb5/os/sendto_kdc.c Modified: trunk/src/lib/krb5/os/sendto_kdc.c =================================================================== --- trunk/src/lib/krb5/os/sendto_kdc.c 2009-04-23 08:42:40 UTC (rev 22272) +++ trunk/src/lib/krb5/os/sendto_kdc.c 2009-04-23 14:50:06 UTC (rev 22273) @@ -640,8 +640,6 @@ *udpbufp = malloc(krb5_max_dgram_size); if (*udpbufp == 0) { dperror("malloc(krb5_max_dgram_size)"); - (void) closesocket(state->fd); - state->fd = INVALID_SOCKET; state->state = FAILED; return 1; } From ghudson at MIT.EDU Thu Apr 23 10:52:26 2009 
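Review bot: The new helper `tgt_is_local_realm` dereferences `tgt->server` and `tgt->client` with no guard and takes a non-const pointer although it only reads. The hunk does not show whether the caller has already validated both fields, so the precondition is worth stating in the header comment, e.g. `/* Return true if tgt is krbtgt/R@R where R is the client's realm; tgt->server and tgt->client must be non-null. */`. Declaring the parameter as `const krb5_creds *tgt` would also make the read-only contract explicit.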
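Review bot: The ok-as-delegate filter in the `@@ -289,6 +299,14 @@` hunk consults only the flag on the immediate `tkt`. Across a multi-hop path it therefore seems to rely on every cross-realm TGT having had its own flag filtered when it was acquired; a TGT that reached the cache another way would be trusted as-is. That is inferred, not shown in the hunk. A sentence in the comment would record the assumption, e.g. `/* Relies on tkt's own ok-as-delegate flag having been filtered the same way when tkt was obtained. */`. The rest of krb5_get_cred_via_tkt is outside the hunk, so it cannot be confirmed here that the returned credentials take their flags from `dec_rep->enc_part2->flags` after this point.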
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 10:52:26 -0400 Subject: svn rev #22274: trunk/src/lib/krb5/ccache/ Message-ID: <200904231452.n3NEqQla012605@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22274 Commit By: ghudson Log Message: In krb5_fcc_read, remove an assert which could never trigger (because len is unsigned and cannot be less than zero). Changed Files: U trunk/src/lib/krb5/ccache/cc_file.c Modified: trunk/src/lib/krb5/ccache/cc_file.c =================================================================== --- trunk/src/lib/krb5/ccache/cc_file.c 2009-04-23 14:50:06 UTC (rev 22273) +++ trunk/src/lib/krb5/ccache/cc_file.c 2009-04-23 14:52:25 UTC (rev 22274) @@ -427,7 +427,6 @@ assert(data->cur_offset > 0); assert(data->cur_offset <= data->valid_bytes); len -= ncopied; - assert(len >= 0); /* Don't do arithmetic on void pointers. */ buf = (char*)buf + ncopied; } From ghudson at MIT.EDU Thu Apr 23 10:55:42 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 10:55:42 -0400 Subject: svn rev #22275: trunk/src/lib/krb5/asn.1/ Message-ID: <200904231455.n3NEtgXw012804@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22275 Commit By: ghudson Log Message: Close a memory leak in asn1_decode_etype_info2_entry_1_3. Changed Files: U trunk/src/lib/krb5/asn.1/asn1_k_decode.c Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-23 14:52:25 UTC (rev 22274) +++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-04-23 14:55:42 UTC (rev 22275) @@ -1209,6 +1209,8 @@ static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val ) { + krb5_octet *params = NULL; + setup(); val->salt = NULL; val->s2kparams.data = NULL; 
@@ -1219,10 +1221,10 @@ } else val->length = KRB5_ETYPE_NO_SALT; if ( tagnum ==2) { - krb5_octet *params ; get_lenfield( val->s2kparams.length, params, 2, asn1_decode_octetstring); val->s2kparams.data = ( char *) params; + params = NULL; } else val->s2kparams.length = 0; end_structure(); @@ -1231,6 +1233,7 @@ return 0; error_out: krb5_free_data_contents(NULL, &val->s2kparams); + free(params); free(val->salt); val->salt = NULL; return retval; From ghudson at MIT.EDU Thu Apr 23 11:15:23 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 11:15:23 -0400 Subject: svn rev #22276: trunk/src/lib/krb5/rcache/ Message-ID: <200904231515.n3NFFN2j014577@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22276 Commit By: ghudson Log Message: In krb5_rcache_externalize, remove a pointless null check of a pointer we just dereferenced. Rewrite krb5_rcache_internalize to use the recommended cleanup flow control, closing a memory leak in the process. Changed Files: U trunk/src/lib/krb5/rcache/ser_rc.c Modified: trunk/src/lib/krb5/rcache/ser_rc.c =================================================================== --- trunk/src/lib/krb5/rcache/ser_rc.c 2009-04-23 14:55:42 UTC (rev 22275) +++ trunk/src/lib/krb5/rcache/ser_rc.c 2009-04-23 15:15:22 UTC (rev 22276) @@ -117,7 +117,7 @@ fnamep = krb5_rc_get_name(kcontext, rcache); - if (rcache->ops && rcache->ops->type) { + if (rcache->ops->type) { if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0) rcname = NULL; } else 
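Review bot: The `params = NULL;` added after `val->s2kparams.data = ( char *) params;` is what keeps the new `free(params);` in `error_out` (hunk `@@ -1231,6 +1233,7 @@`) from freeing the buffer a second time after `krb5_free_data_contents`, but nothing in the code says so. A short comment on that line, such as `/* val->s2kparams owns the buffer now; error_out must not free it twice */`, would protect the invariant against later edits. The function body continues outside these hunks.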
@@ -152,45 +152,57 @@ krb5_rcache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; - krb5_rcache rcache; + krb5_rcache rcache = NULL; krb5_int32 ibuf; krb5_octet *bp; size_t remain; - char *rcname; + char *rcname = NULL; bp = *buffer; remain = *lenremain; - kret = EINVAL; + /* Read our magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; - if (ibuf == KV5M_RCACHE) { + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_RCACHE) + return EINVAL; - /* Get the length of the rcache name */ - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + /* Get the length of the rcache name */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (kret) + return kret; - if (!kret && - (rcname = (char *) malloc((size_t) (ibuf+1))) && - !(kret = krb5_ser_unpack_bytes((krb5_octet *) rcname, - (size_t) ibuf, - &bp, &remain))) { - rcname[ibuf] = '\0'; - if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname))) { - (void) krb5_rc_recover(kcontext, rcache); - if (!kret && - !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) && - (ibuf == KV5M_RCACHE)) { - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) rcache; - } - else - krb5_rc_close(kcontext, rcache); - } - free(rcname); - } + /* Get the rcache name. */ + rcname = malloc(ibuf + 1); + if (!rcname) + return ENOMEM; + kret = krb5_ser_unpack_bytes((krb5_octet*)rcname, (size_t) ibuf, + &bp, &remain); + if (kret) + goto cleanup; + rcname[ibuf] = '\0'; + + /* Resolve and recover the rcache. */ + kret = krb5_rc_resolve_full(kcontext, &rcache, rcname); + if (kret) + goto cleanup; + krb5_rc_recover(kcontext, rcache); + + /* Read our magic number again. 
*/ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (kret) + goto cleanup; + if (ibuf != KV5M_RCACHE) { + kret = EINVAL; + goto cleanup; } - return(kret); + + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) rcache; +cleanup: + free(rcname); + if (kret != 0 && rcache) + krb5_rc_close(kcontext, rcache); + return kret; } /* From ghudson at MIT.EDU Thu Apr 23 19:37:43 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 23 Apr 2009 19:37:43 -0400 Subject: svn rev #22277: trunk/src/lib/krb5/krb/ Message-ID: <200904232337.n3NNbhtn012768@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22277 Commit By: ghudson Log Message: In krb5_principal_compare_flags, improve clarity slightly by using a boolean temporary instead of an ordering temporary in the loop over the elements, since we only care about the boolean result. Changed Files: U trunk/src/lib/krb5/krb/princ_comp.c Modified: trunk/src/lib/krb5/krb/princ_comp.c =================================================================== --- trunk/src/lib/krb5/krb/princ_comp.c 2009-04-23 15:15:22 UTC (rev 22276) +++ trunk/src/lib/krb5/krb/princ_comp.c 2009-04-23 23:37:42 UTC (rev 22277) 
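Review bot: In the rewritten krb5_rcache_internalize, `ibuf` is a signed 32-bit length taken from the serialized buffer and it reaches `malloc(ibuf + 1)` and later `rcname[ibuf] = '\0'` without a range check. A negative value yields a zero or wrapped allocation size, and the largest positive value overflows the signed addition. Safety then depends on `krb5_ser_unpack_bytes` rejecting the length, which is not visible in the hunk. Adding `if (ibuf < 0 || (size_t) ibuf > remain) return EINVAL;` before the allocation makes the bound explicit. Separately, the call to `krb5_rc_recover` lost its `(void)` cast, so it is no longer clear that ignoring its result is deliberate; the function's return-type line is outside the hunk.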
@@ -112,21 +112,20 @@ goto out; for (i = 0; i < (int) nelem; i++) { - register const krb5_data *p1 = krb5_princ_component(context, princ1, i); - register const krb5_data *p2 = krb5_princ_component(context, princ2, i); - int cmp; + const krb5_data *p1 = krb5_princ_component(context, princ1, i); + const krb5_data *p2 = krb5_princ_component(context, princ2, i); + krb5_boolean eq; if (casefold) { if (utf8) - cmp = krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD); + eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0); else - cmp = p1->length == p2->length ? - strncasecmp(p1->data, p2->data, p2->length) : - p1->length - p2->length; + eq = (p1->length == p2->length + && strncasecmp(p1->data, p2->data, p2->length) == 0); } else - cmp = !data_eq(*p1, *p2); + eq = data_eq(*p1, *p2); - if (cmp != 0) + if (!eq) goto out; } From ghudson at MIT.EDU Fri Apr 24 15:49:54 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 24 Apr 2009 15:49:54 -0400 Subject: svn rev #22278: trunk/src/lib/krb5/keytab/ Message-ID: <200904241949.n3OJns7m018528@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22278 Commit By: ghudson Log Message: ticket: 6475 status: open tags: pullup target_version: 1.7 In krb5_ktfileint_find_slot, don't continue the loop when we find a final zero-length buffer. This is a minimal fix intended to be pulled up to the 1.7 branch; a code cleanup commit will follow. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-23 23:37:42 UTC (rev 22277) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-24 19:49:54 UTC (rev 22278) @@ -1755,6 +1755,7 @@ if (fseek(KTFILEP(id), zero_point, SEEK_SET)) { return errno; } + found = TRUE; } } } From ghudson at MIT.EDU Fri Apr 24 17:15:04 2009 
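Review bot: In the non-UTF-8 casefold branch, `strncasecmp(p1->data, p2->data, p2->length)` stops at the first NUL byte, while `krb5_data` is length-counted. Two components of equal length that match up to an embedded NUL therefore compare as equal even if the remaining bytes differ. The commit carries this over from the old code, but since `eq` decides principal equality, a byte-wise case-insensitive comparison over the full `length` would be safer, or components containing NUL could be rejected. The loop sits in a function that starts and ends outside the hunk, so whether callers can pass such components is not visible here.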
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 24 Apr 2009 17:15:04 -0400 Subject: svn rev #22279: trunk/src/lib/krb5/keytab/ Message-ID: <200904242115.n3OLF4gi027643@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22279 Commit By: ghudson Log Message: ticket: 6475 Simplify and shorten krb5_ktfileint_find_slot, and properly handle the commit_point output parameter. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-24 19:49:54 UTC (rev 22278) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-24 21:15:04 UTC (rev 22279) 
@@ -1643,123 +1643,64 @@ * block in the file rather than the size of the actual entry) */ static krb5_error_code -krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point) +krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point_ptr) { - krb5_int32 size; - krb5_int32 remainder; - krb5_int32 zero_point; - krb5_kt_vno kt_vno; - krb5_boolean found = FALSE; - char iobuf[BUFSIZ]; + FILE *fp; + krb5_int32 size, zero_point, commit_point; + krb5_kt_vno kt_vno; KTCHECKLOCK(id); - /* - * Skip over file version number - */ - if (fseek(KTFILEP(id), 0, SEEK_SET)) { + fp = KTFILEP(id); + /* Skip over file version number. */ + if (fseek(fp, 0, SEEK_SET)) return errno; - } - if (!fread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { - return KRB5_KT_IOERR; - } + if (!fread(&kt_vno, sizeof(kt_vno), 1, fp)) + return errno; - while (!found) { - *commit_point = ftell(KTFILEP(id)); - if (!fread(&size, sizeof(size), 1, KTFILEP(id))) { - /* - * Hit the end of file, reserve this slot. - */ + for (;;) { + commit_point = ftell(fp); + if (!fread(&size, sizeof(size), 1, fp)) { + /* Hit the end of file, reserve this slot. */ + /* htonl(0) is 0, so no need to worry about byte order */ size = 0; - - /* fseek to synchronise buffered I/O on the key table. */ - /* XXX Without the weird setbuf hack, can we nuke this now? */ - if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) - { + if (!fwrite(&size, sizeof(size), 1, fp)) return errno; - } - -#ifdef notdef - /* We don't have to do this because htonl(0) == 0 */ - if (KTVERSION(id) != KRB5_KT_VNO_1) - size = htonl(size); -#endif - - if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) { - return KRB5_KT_IOERR; - } - found = TRUE; + break; } if (KTVERSION(id) != KRB5_KT_VNO_1) - size = ntohl(size); + size = ntohl(size); if (size > 0) { - if (fseek(KTFILEP(id), size, SEEK_CUR)) { + /* Non-empty record; seek past it. 
*/ + if (fseek(fp, size, SEEK_CUR)) return errno; - } - } else if (!found) { - size = -size; + } else if (size < 0) { + /* Empty record; use if it's big enough, seek past otherwise. */ + size = -size; if (size >= *size_needed) { *size_needed = size; - found = TRUE; - } else if (size > 0) { - /* - * The current hole is not large enough, so skip it - */ - if (fseek(KTFILEP(id), size, SEEK_CUR)) { + break; + } else { + if (fseek(fp, size, SEEK_CUR)) return errno; - } - } else { - - /* fseek to synchronise buffered I/O on the key table. */ - - if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) - { - return errno; - } - - /* - * Found the end of the file (marked by a 0 length buffer) - * Make sure we zero any trailing data. - */ - zero_point = ftell(KTFILEP(id)); - if (zero_point < 0) { - return errno; - } - while ((size = fread(iobuf, 1, sizeof(iobuf), KTFILEP(id)))) { - if (size != sizeof(iobuf)) { - remainder = size % sizeof(krb5_int32); - if (remainder) { - size += sizeof(krb5_int32) - remainder; - } - } - - if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) - { - return errno; - } - - memset(iobuf, 0, (size_t) size); - fwrite(iobuf, 1, (size_t) size, KTFILEP(id)); - fflush(KTFILEP(id)); - if (feof(KTFILEP(id))) { - break; - } - - if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) - { - return errno; - } - - } - if (fseek(KTFILEP(id), zero_point, SEEK_SET)) { - return errno; - } - found = TRUE; - } - } + } + } else { + /* Empty record at end of file; use it. */ + /* Ensure the new record will be followed by another 0. */ + zero_point = ftell(fp); + if (fseek(fp, *size_needed, SEEK_CUR)) + return errno; + /* htonl(0) is 0, so no need to worry about byte order */ + if (!fwrite(&size, sizeof(size), 1, fp)) + return errno; + if (fseek(fp, zero_point, SEEK_SET)) + return errno; + break; + } } + *commit_point_ptr = commit_point; return 0; } #endif /* LEAN_CLIENT */ From raeburn at MIT.EDU Sat Apr 25 05:36:12 2009 
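Review bot: `if (!fread(&kt_vno, sizeof(kt_vno), 1, fp)) return errno;` can return 0 on a short read, because fread does not set errno at end of file. The caller would then see success with `*commit_point_ptr` never written. The removed code returned `KRB5_KT_IOERR` here, and keeping `return KRB5_KT_IOERR;` avoids that. The `ftell(fp)` results stored in `commit_point` and `zero_point` are also used without the `< 0` check the old code applied to `zero_point`. Separately, the old loop zeroed all data after the terminating zero-length record, whereas the new code writes only one zero size after the reserved slot; if leaving stale trailing bytes is intended, a comment should say so.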
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sat, 25 Apr 2009 05:36:12 -0400 Subject: svn rev #22280: trunk/src/ lib/kadm5/ tests/misc/ Message-ID: <200904250936.n3P9aCgQ030371@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22280 Commit By: raeburn Log Message: ticket: 6477 subject: make installed headers C++-safe target_version: 1.7 tags: pullup Now that we're installing the kadm5 headers, they should be C++-safe like the others. Wrap the content in 'extern "C"' if compiling as C++. New test program to verify. Changed Files: U trunk/src/lib/kadm5/admin.h U trunk/src/tests/misc/Makefile.in U trunk/src/tests/misc/deps A trunk/src/tests/misc/test_cxx_kadm5.cpp Modified: trunk/src/lib/kadm5/admin.h =================================================================== --- trunk/src/lib/kadm5/admin.h 2009-04-24 21:15:04 UTC (rev 22279) +++ trunk/src/lib/kadm5/admin.h 2009-04-25 09:36:11 UTC (rev 22280) @@ -56,6 +56,18 @@ #include #include +#ifndef KADM5INT_BEGIN_DECLS +#if defined(__cplusplus) +#define KADM5INT_BEGIN_DECLS extern "C" { +#define KADM5INT_END_DECLS } +#else +#define KADM5INT_BEGIN_DECLS +#define KADM5INT_END_DECLS +#endif +#endif + +KADM5INT_BEGIN_DECLS + #define KADM5_ADMIN_SERVICE "kadmin/admin" #define KADM5_CHANGEPW_SERVICE "kadmin/changepw" #define KADM5_HIST_PRINCIPAL "kadmin/history" @@ -790,4 +802,6 @@ #endif /* USE_KADM5_API_VERSION == 1 */ +KADM5INT_END_DECLS + #endif /* __KADM5_ADMIN_H__ */ Modified: trunk/src/tests/misc/Makefile.in =================================================================== --- trunk/src/tests/misc/Makefile.in 2009-04-24 21:15:04 UTC (rev 22279) +++ trunk/src/tests/misc/Makefile.in 2009-04-25 09:36:11 UTC (rev 22280) 
@@ -13,16 +13,18 @@ $(srcdir)/test_cxx_krb5.cpp \ $(srcdir)/test_cxx_k5int.cpp \ $(srcdir)/test_cxx_gss.cpp \ - $(srcdir)/test_cxx_rpc.cpp + $(srcdir)/test_cxx_rpc.cpp \ + $(srcdir)/test_cxx_kadm5.cpp all:: test_getpw -check:: test_getpw test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int +check:: test_getpw test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 $(RUN_SETUP) $(VALGRIND) ./test_getpw $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc + $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB) @@ -38,13 +40,16 @@ $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS) +test_cxx_kadm5: $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_DEPLIBS) + $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_kadm5 $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(LIBS) test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp test_cxx_rpc.$(OBJEXT): test_cxx_rpc.cpp +test_cxx_kadm5.$(OBJEXT): test_cxx_kadm5.cpp install:: clean:: - $(RM) test_getpw test_cxx_krb5 test_cxx_gss *.o + $(RM) test_getpw test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o Modified: trunk/src/tests/misc/deps =================================================================== --- trunk/src/tests/misc/deps 2009-04-24 21:15:04 UTC (rev 22279) +++ trunk/src/tests/misc/deps 2009-04-25 09:36:11 UTC (rev 22280) 
@@ -29,3 +29,13 @@ $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ $(SRCTOP)/include/gssrpc/xdr.h test_cxx_rpc.cpp +$(OUTPRE)test_cxx_kadm5.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \ + $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \ + $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \ + $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ + $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ + $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/krb5.h test_cxx_kadm5.cpp Added: trunk/src/tests/misc/test_cxx_kadm5.cpp =================================================================== --- trunk/src/tests/misc/test_cxx_kadm5.cpp 2009-04-24 21:15:04 UTC (rev 22279) +++ trunk/src/tests/misc/test_cxx_kadm5.cpp 2009-04-25 09:36:11 UTC (rev 22280) @@ -0,0 +1,15 @@ +// Test that the kadm5 header is compatible with C++ application code. + +#include "kadm5/admin.h" + +krb5_context ctx; +kadm5_config_params p_in, p_out; +int main (int argc, char *argv[]) +{ + if (argc == 47 && kadm5_get_config_params(ctx, 1, &p_in, &p_out)) { + printf("error\n"); + return 1; + } + printf("hello, world\n"); + return 0; +} From ghudson at MIT.EDU Mon Apr 27 11:42:24 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 27 Apr 2009 11:42:24 -0400 Subject: svn rev #22281: trunk/src/ include/ kadmin/cli/ kdc/ lib/kadm5/ Message-ID: <200904271542.n3RFgOfe025901@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22281 Commit By: ghudson Log Message: ticket: 5596 Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin support for the flag. In the KDC, remove the restriction on returning the flag on cross-realm TGTs since there is now a defined meaning for that (it allows ok-as-delegate to be honored on the foreign realm's service tickets). Changed Files: U trunk/src/include/kdb.h U trunk/src/include/kdb_ext.h U trunk/src/kadmin/cli/kadmin.M U trunk/src/kadmin/cli/kadmin.c U trunk/src/kdc/do_tgs_req.c U trunk/src/lib/kadm5/str_conv.c Modified: trunk/src/include/kdb.h =================================================================== --- trunk/src/include/kdb.h 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/include/kdb.h 2009-04-27 15:42:23 UTC (rev 22281) @@ -95,6 +95,7 @@ #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 #define KRB5_KDB_NEW_PRINC 0x00008000 +#define KRB5_KDB_OK_AS_DELEGATE 0x00100000 /* Creation flags */ #define KRB5_KDB_CREATE_BTREE 0x00000001 Modified: trunk/src/include/kdb_ext.h =================================================================== --- trunk/src/include/kdb_ext.h 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/include/kdb_ext.h 2009-04-27 15:42:23 UTC (rev 22281) 
@@ -31,8 +31,6 @@ #ifndef KRB5_KDB5_EXT__ #define KRB5_KDB5_EXT__ -/* Can be delegated as in TicketFlags */ -#define KRB5_KDB_OK_AS_DELEGATE 0x00100000 /* Allowed to use protocol transition */ #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* Service does not require authorization data */ Modified: trunk/src/kadmin/cli/kadmin.M =================================================================== --- trunk/src/kadmin/cli/kadmin.M 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/kadmin/cli/kadmin.M 2009-04-27 15:42:23 UTC (rev 22281) @@ -341,6 +341,16 @@ .B -requires_hwauth clears this flag. .TP +{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP +.B +ok_as_delegate +sets the OK-AS-DELEGATE flag on tickets issued for use with this principal +as the service, which clients may use as a hint that credentials can and +should be delegated when authenticating to the service. (Sets the +.SM KRB5_KDB_OK_AS_DELEGATE +flag.) +.B -ok_as_delegate +clears this flag. +.TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP .B -allow_svr prohibits the issuance of service tickets for this principal. (Sets the Modified: trunk/src/kadmin/cli/kadmin.c =================================================================== --- trunk/src/kadmin/cli/kadmin.c 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/kadmin/cli/kadmin.c 2009-04-27 15:42:23 UTC (rev 22281) @@ -71,7 +71,8 @@ {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 } +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 } }; static char *prflags[] = { 
@@ -91,6 +92,11 @@ "PWCHANGE_SERVICE", /* 0x00002000 */ "SUPPORT_DESMD5", /* 0x00004000 */ "NEW_PRINC", /* 0x00008000 */ + "UNKNOWN_0x00010000", /* 0x00010000 */ + "UNKNOWN_0x00020000", /* 0x00020000 */ + "UNKNOWN_0x00040000", /* 0x00040000 */ + "UNKNOWN_0x00080000", /* 0x00080000 */ + "OK_AS_DELEGATE", /* 0x00100000 */ }; char *getenv(); @@ -1117,6 +1123,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n"); } @@ -1133,6 +1140,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n" ); Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/kdc/do_tgs_req.c 2009-04-27 15:42:23 UTC (rev 22281) 
@@ -417,11 +417,8 @@ enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; - if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) && - !is_referral) { - /* Ensure that we are not returning a referral */ + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); - } /* * Fix header_ticket's starttime; if it's zero, fill in the Modified: trunk/src/lib/kadm5/str_conv.c =================================================================== --- trunk/src/lib/kadm5/str_conv.c 2009-04-25 09:36:11 UTC (rev 22280) +++ trunk/src/lib/kadm5/str_conv.c 2009-04-27 15:42:23 UTC (rev 22281) @@ -73,6 +73,7 @@ static const char flags_tickets_in[] = "allow-tickets"; static const char flags_preauth_in[] = "preauth"; static const char flags_hwauth_in[] = "hwauth"; +static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; static const char flags_pwchange_in[] = "pwchange"; static const char flags_service_in[] = "service"; static const char flags_pwsvc_in[] = "pwservice"; @@ -86,6 +87,7 @@ static const char flags_tickets_out[] = "All Tickets Disallowed"; static const char flags_preauth_out[] = "Preauthorization required"; static const char flags_hwauth_out[] = "HW Authorization required"; +static const char flags_ok_as_delegate_out[] = "OK as Delegate"; static const char flags_pwchange_out[] = "Password Change required"; static const char flags_service_out[] = "Service Disabled"; static const char flags_pwsvc_out[] = "Password Changing Service"; 
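Review bot: The rewritten check drops both the `!is_referral` condition and the comment that explained it, so nothing here records that setting the flag on referrals is now deliberate. Because this controls a delegation hint on cross-realm TGTs, I would add a comment above the `if`, for example `/* Also set on cross-realm TGTs so clients can honor ok-as-delegate on the foreign realm's service tickets. */`. The enclosing function begins and ends outside the hunk, so whether `is_referral` is still used elsewhere is not visible.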
@@ -109,6 +111,7 @@ { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, +{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out }, From ghudson at MIT.EDU Mon Apr 27 19:01:09 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 27 Apr 2009 19:01:09 -0400 Subject: svn rev #22282: trunk/src/lib/krb5/keytab/ Message-ID: <200904272301.n3RN19Vs020460@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22282 Commit By: ghudson Log Message: Fix an unchecked use of fwrite in krb5_ktfileint_delete_entry. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-27 15:42:23 UTC (rev 22281) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-27 23:01:08 UTC (rev 22282) @@ -1225,7 +1225,9 @@ memset(iobuf, 0, (size_t) len); while (size > 0) { - fwrite(iobuf, 1, (size_t) len, KTFILEP(id)); + if (!fwrite(iobuf, 1, (size_t) len, KTFILEP(id))) { + return KRB5_KT_IOERR; + } size -= len; if (size < len) { len = size; From ghudson at MIT.EDU Mon Apr 27 19:48:22 2009 
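Review bot: In the kt_file.c hunk, `if (!fwrite(iobuf, 1, (size_t) len, KTFILEP(id)))` only catches a write of zero bytes. A short write of fewer than `len` bytes still passes, and the loop then subtracts the full `len` from `size`, so part of the deleted keytab entry may be left un-zeroed on disk. Compare against the requested count instead: `if (fwrite(iobuf, 1, (size_t) len, KTFILEP(id)) != (size_t) len)`. The function body continues outside the hunk, so any later flush or error check is not visible.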
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 27 Apr 2009 19:48:22 -0400 Subject: svn rev #22283: trunk/src/lib/krb5/krb/ Message-ID: <200904272348.n3RNmMJi025506@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22283 Commit By: ghudson Log Message: Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error handling of the sequence number, only decreasing it if it was increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be flawed in some cases. Changed Files: U trunk/src/lib/krb5/krb/mk_cred.c Modified: trunk/src/lib/krb5/krb/mk_cred.c =================================================================== --- trunk/src/lib/krb5/krb/mk_cred.c 2009-04-27 23:01:08 UTC (rev 22282) +++ trunk/src/lib/krb5/krb/mk_cred.c 2009-04-27 23:48:22 UTC (rev 22283) @@ -162,14 +162,14 @@ krb5_replay_data replaydata; krb5_cred * pcred; krb5_int32 ncred; + krb5_boolean increased_sequence = FALSE; local_fulladdr.contents = 0; remote_fulladdr.contents = 0; memset(&replaydata, 0, sizeof(krb5_replay_data)); - if (ppcreds == NULL) { + if (ppcreds == NULL) return KRB5KRB_AP_ERR_BADADDR; - } /* * Allocate memory for a NULL terminated list of tickets. @@ -183,8 +183,8 @@ if ((pcred->tickets = (krb5_ticket **)calloc((size_t)ncred+1, sizeof(krb5_ticket *))) == NULL) { - free(pcred); - return ENOMEM; + retval = ENOMEM; + goto error; } /* Get keyblock */ 
@@ -193,18 +193,22 @@ /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) { + retval = KRB5_RC_REQUIRED; + goto error; + } if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + && (outdata == NULL)) { /* Need a better error */ - return KRB5_RC_REQUIRED; + retval = KRB5_RC_REQUIRED; + goto error; + } if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, &replaydata.usec))) - return retval; + goto error; if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { outdata->timestamp = replaydata.timestamp; outdata->usec = replaydata.usec; @@ -214,6 +218,7 @@ replaydata.seq = auth_context->local_seq_number; if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { auth_context->local_seq_number++; + increased_sequence = TRUE; } else { outdata->seq = replaydata.seq; } @@ -273,15 +278,12 @@ retval = encode_krb5_cred(pcred, ppdata); error: - if (local_fulladdr.contents) - free(local_fulladdr.contents); - if (remote_fulladdr.contents) - free(remote_fulladdr.contents); + free(local_fulladdr.contents); + free(remote_fulladdr.contents); krb5_free_cred(context, pcred); if (retval) { - if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + if (increased_sequence) auth_context->local_seq_number--; } return retval; From ghudson at MIT.EDU Tue Apr 28 00:30:04 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 28 Apr 2009 00:30:04 -0400 Subject: svn rev #22284: trunk/src/lib/krb5/os/ Message-ID: <200904280430.n3S4U4A9017795@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22284 Commit By: ghudson Log Message: Fix a memory leak in module_locate_server. Changed Files: U trunk/src/lib/krb5/os/locate_kdc.c Modified: trunk/src/lib/krb5/os/locate_kdc.c =================================================================== --- trunk/src/lib/krb5/os/locate_kdc.c 2009-04-27 23:48:22 UTC (rev 22283) +++ trunk/src/lib/krb5/os/locate_kdc.c 2009-04-28 04:30:03 UTC (rev 22284) @@ -624,6 +624,7 @@ char *realmz; /* NUL-terminated realm */ int i; struct module_callback_data cbdata = { 0, }; + const char *msg; Tprintf("in module_locate_server\n"); cbdata.lp = addrlist; @@ -639,7 +640,8 @@ "service_locator", &ptrs, &ctx->err); if (code) { Tprintf("error looking up plugin symbols: %s\n", - krb5_get_error_message(ctx, code)); + (msg = krb5_get_error_message(ctx, code))); + krb5_free_error_message(ctx, msg); return KRB5_PLUGIN_NO_HANDLE; } From ghudson at MIT.EDU Tue Apr 28 00:46:10 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 28 Apr 2009 00:46:10 -0400 Subject: svn rev #22285: trunk/src/lib/krb5/os/ Message-ID: <200904280446.n3S4kAsx018710@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22285 Commit By: ghudson Log Message: Fix a memory leak in aname_replacer using the recommended flow control for exception handling. Changed Files: U trunk/src/lib/krb5/os/an_to_ln.c Modified: trunk/src/lib/krb5/os/an_to_ln.c =================================================================== --- trunk/src/lib/krb5/os/an_to_ln.c 2009-04-28 04:30:03 UTC (rev 22284) +++ trunk/src/lib/krb5/os/an_to_ln.c 2009-04-28 04:46:10 UTC (rev 22285) 
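Review bot: In the locate_kdc.c hunk, `msg` is declared without an initializer and assigned only as a side effect inside the `Tprintf(...)` argument list. If `Tprintf` is a macro that can discard its arguments in non-trace builds (its definition is not visible here), `krb5_free_error_message(ctx, msg)` would receive an indeterminate pointer. Making the assignment its own statement removes that dependency: `msg = krb5_get_error_message(ctx, code);`, then `Tprintf("error looking up plugin symbols: %s\n", msg);`, then the existing free.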
@@ -376,103 +376,108 @@ aname_replacer(char *string, char **contextp, char **result) { krb5_error_code kret; - char *in; - char *out; + char *in = NULL, *out = NULL, *rule = NULL, *repl = NULL; char *cp, *ep, *tp; - char *rule, *repl; size_t rule_size, repl_size; int doglobal; - kret = ENOMEM; - *result = (char *) NULL; + *result = NULL; + /* Allocate the formatting buffers */ - if ((in = (char *) malloc(MAX_FORMAT_BUFFER)) && - (out = (char *) malloc(MAX_FORMAT_BUFFER))) { + in = malloc(MAX_FORMAT_BUFFER); + if (!in) + return ENOMEM; + out = malloc(MAX_FORMAT_BUFFER); + if (!out) { + kret = ENOMEM; + goto cleanup; + } + + /* + * Prime the buffers. Copy input string to "out" to simulate it + * being the result of an initial iteration. + */ + strlcpy(out, string, MAX_FORMAT_BUFFER); + in[0] = '\0'; + kret = 0; + /* + * Pound through the expression until we're done. + */ + for (cp = *contextp; *cp; ) { + /* Skip leading whitespace */ + while (isspace((int) (*cp))) + cp++; + /* - * Prime the buffers. Copy input string to "out" to simulate it - * being the result of an initial iteration. + * Find our separators. First two characters must be "s/" + * We must also find another "/" followed by another "/". */ - strncpy(out, string, MAX_FORMAT_BUFFER - 1); - out[MAX_FORMAT_BUFFER - 1] = '\0'; - in[0] = '\0'; - kret = 0; - /* - * Pound through the expression until we're done. - */ - for (cp = *contextp; *cp; ) { - /* Skip leading whitespace */ - while (isspace((int) (*cp))) - cp++; + if (!((cp[0] == 's') && + (cp[1] == '/') && + (ep = strchr(&cp[2], '/')) && + (tp = strchr(&ep[1], '/')))) { + /* Bad syntax */ + kret = KRB5_CONFIG_BADFORMAT; + goto cleanup; + } - /* - * Find our separators. First two characters must be "s/" - * We must also find another "/" followed by another "/". 
- */ - if ((cp[0] == 's') && - (cp[1] == '/') && - (ep = strchr(&cp[2], '/')) && - (tp = strchr(&ep[1], '/'))) { + /* Figure out sizes of strings and allocate them */ + rule_size = (size_t) (ep - &cp[2]); + repl_size = (size_t) (tp - &ep[1]); + rule = malloc(rule_size + 1); + if (!rule) { + kret = ENOMEM; + goto cleanup; + } + repl = malloc(repl_size + 1); + if (!repl) { + kret = ENOMEM; + goto cleanup; + } - /* Figure out sizes of strings and allocate them */ - rule_size = (size_t) (ep - &cp[2]); - repl_size = (size_t) (tp - &ep[1]); - if ((rule = (char *) malloc(rule_size+1)) && - (repl = (char *) malloc(repl_size+1))) { + /* Copy the strings */ + memcpy(rule, &cp[2], rule_size); + memcpy(repl, &ep[1], repl_size); + rule[rule_size] = repl[repl_size] = '\0'; - /* Copy the strings */ - strncpy(rule, &cp[2], rule_size); - strncpy(repl, &ep[1], repl_size); - rule[rule_size] = repl[repl_size] = '\0'; + /* Check for trailing "g" */ + doglobal = (tp[1] == 'g') ? 1 : 0; + if (doglobal) + tp++; - /* Check for trailing "g" */ - doglobal = (tp[1] == 'g') ? 
1 : 0; - if (doglobal) - tp++; + /* Swap previous in and out buffers */ + ep = in; + in = out; + out = ep; - /* Swap previous in and out buffers */ - ep = in; - in = out; - out = ep; + /* Do the replacemenbt */ + memset(out, '\0', MAX_FORMAT_BUFFER); + if (!do_replacement(rule, repl, doglobal, in, out)) { + kret = KRB5_LNAME_NOTRANS; + goto cleanup; + } + free(rule); + free(repl); + rule = repl = NULL; - /* Do the replacemenbt */ - memset(out, '\0', MAX_FORMAT_BUFFER); - if (!do_replacement(rule, repl, doglobal, in, out)) { - free(rule); - free(repl); - kret = KRB5_LNAME_NOTRANS; - break; - } - free(rule); - free(repl); + /* If we have no output buffer left, this can't be good */ + if (strlen(out) == 0) { + kret = KRB5_LNAME_NOTRANS; + goto cleanup; + } - /* If we have no output buffer left, this can't be good */ - if (strlen(out) == 0) { - kret = KRB5_LNAME_NOTRANS; - break; - } - } - else { - /* No memory for copies */ - free(rule); - kret = ENOMEM; - break; - } - } - else { - /* Bad syntax */ - kret = KRB5_CONFIG_BADFORMAT; - break; - } - /* Advance past trailer */ - cp = &tp[1]; - } - free(in); - if (!kret) - *result = out; - else - free(out); + /* Advance past trailer */ + cp = &tp[1]; } - return(kret); + free(in); + *result = out; + return 0; +cleanup: + free(in); + free(out); + free(repl); + free(rule); + return kret; } /* From ghudson at MIT.EDU Tue Apr 28 11:45:31 2009 
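Review bot: `strlcpy(out, string, MAX_FORMAT_BUFFER)` silently truncates an over-long input, as the `strncpy` it replaces did, and the substitution rules then run on the shortened name. Since the result is returned as the translated name, I would treat truncation as a failure by checking the return value: `if (strlcpy(out, string, MAX_FORMAT_BUFFER) >= MAX_FORMAT_BUFFER) { kret = KRB5_LNAME_NOTRANS; goto cleanup; }`, with the error code for maintainers to confirm. `isspace((int) (*cp))` should also cast through `unsigned char`, because a negative `char` value is undefined for the ctype functions. The bounds of `do_replacement`'s writes into `out` are not visible in this hunk.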
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 28 Apr 2009 11:45:31 -0400 Subject: svn rev #22286: trunk/src/lib/krb5/os/ Message-ID: <200904281545.n3SFjVBm027668@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22286 Commit By: ghudson Log Message: Fix a couple of memory leaks in krb5int_sendto, reworking the error handling a bit for cleanliness in the process. Changed Files: U trunk/src/lib/krb5/os/sendto_kdc.c Modified: trunk/src/lib/krb5/os/sendto_kdc.c =================================================================== --- trunk/src/lib/krb5/os/sendto_kdc.c 2009-04-28 04:46:10 UTC (rev 22285) +++ trunk/src/lib/krb5/os/sendto_kdc.c 2009-04-28 15:45:31 UTC (rev 22286) @@ -605,7 +605,7 @@ -static int +static void setup_connection (struct conn_state *state, struct addrinfo *ai, const krb5_data *message, char **udpbufp) { @@ -641,13 +641,12 @@ if (*udpbufp == 0) { dperror("malloc(krb5_max_dgram_size)"); state->state = FAILED; - return 1; + return; } } state->x.in.buf = *udpbufp; state->x.in.bufsize = krb5_max_dgram_size; } - return 0; } static int @@ -1189,13 +1188,13 @@ int pass; int delay_this_pass = 2; krb5_error_code retval; - struct conn_state *conns; - krb5_data *callback_data = 0; - size_t n_conns, host; - struct select_state *sel_state; + struct conn_state *conns = NULL; + krb5_data *callback_data = NULL; + size_t n_conns = 0, host; + struct select_state *sel_state = NULL; struct timeval now; int winning_conn = -1, e = 0; - char *udpbuf = 0; + char *udpbuf = NULL; if (message) dprint("krb5int_sendto(message=%d@%p, addrlist=", message->length, message->data); 
@@ -1207,29 +1206,27 @@ reply->data = 0; reply->length = 0; - n_conns = addrs->naddrs; - conns = calloc(n_conns, sizeof(struct conn_state)); - if (conns == NULL) { + conns = calloc(addrs->naddrs, sizeof(struct conn_state)); + if (conns == NULL) return ENOMEM; - } if (callback_info) { - callback_data = calloc(n_conns, sizeof(krb5_data)); + callback_data = calloc(addrs->naddrs, sizeof(krb5_data)); if (callback_data == NULL) { - return ENOMEM; + retval = ENOMEM; + goto egress; } } - for (i = 0; i < n_conns; i++) { + for (i = 0; i < addrs->naddrs; i++) conns[i].fd = INVALID_SOCKET; - } /* One for use here, listing all our fds in use, and one for temporary use in service_fds, for the fds of interest. */ sel_state = malloc(2 * sizeof(*sel_state)); if (sel_state == NULL) { - free(conns); - return ENOMEM; + retval = ENOMEM; + goto egress; } sel_state->max = 0; sel_state->nfds = 0; @@ -1240,14 +1237,11 @@ /* Set up connections. */ - for (host = 0; host < n_conns; host++) { - retval = setup_connection(&conns[host], - addrs->addrs[host].ai, - message, - &udpbuf); - if (retval) - continue; + for (host = 0; host < addrs->naddrs; host++) { + setup_connection(&conns[host], addrs->addrs[host].ai, message, + &udpbuf); } + n_conns = addrs->naddrs; for (pass = 0; pass < MAX_PASS; pass++) { /* Possible optimization: Make only one pass if TCP only. Stop making passes if all UDP ports are closed down. */ 
@@ -1326,18 +1320,15 @@ for (i = 0; i < n_conns; i++) { if (conns[i].fd != INVALID_SOCKET) closesocket(conns[i].fd); - if (conns[i].state == READING - && conns[i].x.in.buf != 0 - && conns[i].x.in.buf != udpbuf) + if (conns[i].state == READING && conns[i].x.in.buf != udpbuf) free(conns[i].x.in.buf); if (callback_info) { - callback_info->pfn_cleanup( callback_info->context, &callback_data[i]); + callback_info->pfn_cleanup(callback_info->context, + &callback_data[i]); } } - if (callback_data) - free(callback_data); - + free(callback_data); free(conns); if (reply->data != udpbuf) free(udpbuf); From ghudson at MIT.EDU Tue Apr 28 13:54:14 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 28 Apr 2009 13:54:14 -0400 Subject: svn rev #22287: trunk/doc/api/ Message-ID: <200904281754.n3SHsEO5002594@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22287 Commit By: ghudson Log Message: Fix typo. Changed Files: U trunk/doc/api/krb5.tex Modified: trunk/doc/api/krb5.tex =================================================================== --- trunk/doc/api/krb5.tex 2009-04-28 15:45:31 UTC (rev 22286) +++ trunk/doc/api/krb5.tex 2009-04-28 17:54:13 UTC (rev 22287) @@ -1500,7 +1500,7 @@ the \funcparam{auth_context} replay cache is not used. If sequence numbers are to be used (i.e., if either -KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENEC is +KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set), then \funcparam{auth_context} local sequence number will be placed in the protected message as its sequence number. From ghudson at MIT.EDU Tue Apr 28 14:00:13 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 28 Apr 2009 14:00:13 -0400 Subject: svn rev #22288: trunk/src/lib/krb5/krb/ Message-ID: <200904281800.n3SI0Dl5002994@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22288 Commit By: ghudson Log Message: ticket: 6478 subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as a baseline. RET_SEQUENCE now implies DO_SEQUENCE for all three functions, the sequence number is always incremented if it is used, and outdata->seq is always set if RET_SEQUENCE is passed. Note that in the corresponding rd_ functions, RET_SEQUENCE and DO_SEQUENCE are independent flags, which is not consistent with the above. This compromise is intended to preserve compatibility with any working code which might exist using the RET_SEQUENCE flag. Changed Files: U trunk/src/lib/krb5/krb/mk_cred.c U trunk/src/lib/krb5/krb/mk_priv.c U trunk/src/lib/krb5/krb/mk_safe.c Modified: trunk/src/lib/krb5/krb/mk_cred.c =================================================================== --- trunk/src/lib/krb5/krb/mk_cred.c 2009-04-28 17:54:13 UTC (rev 22287) +++ trunk/src/lib/krb5/krb/mk_cred.c 2009-04-28 18:00:13 UTC (rev 22288) 
@@ -215,13 +215,10 @@ } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - auth_context->local_seq_number++; - increased_sequence = TRUE; - } else { + replaydata.seq = auth_context->local_seq_number++; + increased_sequence = TRUE; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } if (auth_context->local_addr) { Modified: trunk/src/lib/krb5/krb/mk_priv.c =================================================================== --- trunk/src/lib/krb5/krb/mk_priv.c 2009-04-28 17:54:13 UTC (rev 22287) +++ trunk/src/lib/krb5/krb/mk_priv.c 2009-04-28 18:00:13 UTC (rev 22288) @@ -151,12 +151,9 @@ } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - auth_context->local_seq_number++; - } else { + replaydata.seq = auth_context->local_seq_number++; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } { Modified: trunk/src/lib/krb5/krb/mk_safe.c =================================================================== --- trunk/src/lib/krb5/krb/mk_safe.c 2009-04-28 17:54:13 UTC (rev 22287) +++ trunk/src/lib/krb5/krb/mk_safe.c 2009-04-28 18:00:13 UTC (rev 22288) 
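Review bot: The rule that RET_SEQUENCE implies DO_SEQUENCE is stated only in the commit message; the code in this hunk, and in the matching hunks for mk_priv.c and mk_safe.c, just shows an unconditional `local_seq_number++`. Because the rd_ functions treat the two flags independently, a comment at the condition would keep the asymmetry from being "corrected" later, e.g. `/* RET_SEQUENCE implies DO_SEQUENCE on the mk_ side; the sequence number is always consumed once used. */`. It is also worth confirming that `outdata` is checked for NULL before this point when RET_SEQUENCE is set, since any such check lies outside the hunk.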
@@ -152,9 +152,8 @@ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { replaydata.seq = auth_context->local_seq_number++; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) { + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } { From tlyu at MIT.EDU Tue Apr 28 20:28:19 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 28 Apr 2009 20:28:19 -0400 Subject: svn rev #22289: branches/krb5-1-7/ Message-ID: <200904290028.n3T0SJ2F025149@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22289 Commit By: tlyu Log Message: Fix accidentally reversed description of allow_weak_crypto. Changed Files: U branches/krb5-1-7/README Modified: branches/krb5-1-7/README =================================================================== --- branches/krb5-1-7/README 2009-04-28 18:00:13 UTC (rev 22288) +++ branches/krb5-1-7/README 2009-04-29 00:28:19 UTC (rev 22289) @@ -74,7 +74,7 @@ * Remove support for version 4 of the Kerberos protocol (krb4). * New libdefaults configuration variable "allow_weak_crypto". NOTE: - Currently defaults to "false", but may default to "true" in a future + Currently defaults to "true", but may default to "false" in a future release. Setting this variable to "false" will have the effect of removing weak enctypes (currently defined to be all single-DES enctypes) from permitted_enctypes, default_tkt_enctypes, and From tlyu at MIT.EDU Tue Apr 28 20:31:50 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 28 Apr 2009 20:31:50 -0400 Subject: svn rev #22290: trunk/src/clients/ksu/ Message-ID: <200904290031.n3T0VoWI025419@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22290 Commit By: tlyu Log Message: ticket: 6472 target_version: 1.7 tags: pullup Fix typo in error message reported by Marek Mahut (Red Hat). Changed Files: U trunk/src/clients/ksu/krb_auth_su.c Modified: trunk/src/clients/ksu/krb_auth_su.c =================================================================== --- trunk/src/clients/ksu/krb_auth_su.c 2009-04-29 00:28:19 UTC (rev 22289) +++ trunk/src/clients/ksu/krb_auth_su.c 2009-04-29 00:31:50 UTC (rev 22290) @@ -179,7 +179,7 @@ if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, &out_creds, &tgts))){ - com_err(prog_name, retval, "while geting credentials from kdc"); + com_err(prog_name, retval, "while getting credentials from kdc"); return (FALSE); } From ghudson at MIT.EDU Wed Apr 29 19:21:21 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 29 Apr 2009 19:21:21 -0400 Subject: svn rev #22291: trunk/src/ include/ lib/krb5/ lib/krb5/krb/ util/support/ Message-ID: <200904292321.n3TNLLLS019921@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22291 Commit By: ghudson Log Message: ticket: 6479 subject: Add DEBUG_ERROR_LOCATIONS support If DEBUG_ERROR_LOCATIONS is defined, replace uses of krb5_set_error_message and krb5int_set_error with calls to the new _fl variants of those functions, and include filename and line number information in the calls. Requires C99-style variadic macros if defined. Changed Files: U trunk/src/include/k5-err.h U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/kerrs.c U trunk/src/lib/krb5/libkrb5.exports U trunk/src/util/support/errors.c U trunk/src/util/support/libkrb5support-fixed.exports Modified: trunk/src/include/k5-err.h =================================================================== --- trunk/src/include/k5-err.h 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/include/k5-err.h 2009-04-29 23:21:21 UTC (rev 22291) @@ -65,6 +65,22 @@ __attribute__((__format__(__printf__, 3, 0))) #endif ; +void +krb5int_set_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, ...) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 5, 6))) +#endif + ; +void +krb5int_vset_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, va_list args) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 5, 0))) +#endif + ; const char * krb5int_get_error (struct errinfo *ep, long code); void 
@@ -74,4 +90,9 @@ void krb5int_set_error_info_callout_fn (const char *(KRB5_CALLCONV *f)(long)); +#ifdef DEBUG_ERROR_LOCATIONS +#define krb5int_set_error(ep, code, ...) \ + krb5int_set_error_fl(ep, code, __FILE__, __LINE__, __VA_ARGS__) +#endif + #endif /* K5_ERR_H */ Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/include/k5-int.h 2009-04-29 23:21:21 UTC (rev 22291) @@ -2797,4 +2797,9 @@ const krb5_keyblock *privsvr_key, krb5_data *data); +#ifdef DEBUG_ERROR_LOCATIONS +#define krb5_set_error_message(ctx, code, ...) \ + krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__) +#endif + #endif /* _KRB5_INT_H */ Modified: trunk/src/lib/krb5/krb/kerrs.c =================================================================== --- trunk/src/lib/krb5/krb/kerrs.c 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/lib/krb5/krb/kerrs.c 2009-04-29 23:21:21 UTC (rev 22291) @@ -35,6 +35,7 @@ #endif #endif +#undef krb5_set_error_message void KRB5_CALLCONV_C krb5_set_error_message (krb5_context ctx, krb5_error_code code, const char *fmt, ...) 
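Review bot: The `krb5_set_error_message` macro added to k5-int.h expands to `krb5_set_error_message_fl`, but no hunk in this commit declares that function in a header; only its definition in kerrs.c and the export entry are added. Unless a prototype exists elsewhere, a build with DEBUG_ERROR_LOCATIONS defined would call a variadic function without a prototype in scope and lose printf format checking on every call site. A declaration mirroring the ones added to k5-err.h, placed ahead of the macro, would close this.
```c
void KRB5_CALLCONV_C
krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code,
                           const char *file, int line,
                           const char *fmt, ...)
#if !defined(__cplusplus) && (__GNUC__ > 2)
    __attribute__((__format__(__printf__, 5, 6)))
#endif
    ;

#ifdef DEBUG_ERROR_LOCATIONS
/* … unchanged: krb5_set_error_message macro … */
```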
@@ -57,6 +58,28 @@ va_end (args); } +void KRB5_CALLCONV_C +krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code, + const char *file, int line, const char *fmt, ...) +{ + va_list args; + if (ctx == NULL) + return; + va_start (args, fmt); +#ifdef DEBUG + if (ERROR_MESSAGE_DEBUG()) + fprintf(stderr, + "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", + ctx, &ctx->err, (long) code); +#endif + krb5int_vset_error_fl (&ctx->err, code, file, line, fmt, args); +#ifdef DEBUG + if (ERROR_MESSAGE_DEBUG()) + fprintf(stderr, "->%s\n", ctx->err.msg); +#endif + va_end (args); +} + void KRB5_CALLCONV krb5_vset_error_message (krb5_context ctx, krb5_error_code code, const char *fmt, va_list args) Modified: trunk/src/lib/krb5/libkrb5.exports =================================================================== --- trunk/src/lib/krb5/libkrb5.exports 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/lib/krb5/libkrb5.exports 2009-04-29 23:21:21 UTC (rev 22291) @@ -487,6 +487,7 @@ krb5_set_default_tgs_enctypes krb5_set_default_tgs_ktypes krb5_set_error_message +krb5_set_error_message_fl krb5_set_password krb5_set_password_using_ccache krb5_set_principal_realm Modified: trunk/src/util/support/errors.c =================================================================== --- trunk/src/util/support/errors.c 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/util/support/errors.c 2009-04-29 23:21:21 UTC (rev 22291) 
@@ -34,21 +34,40 @@ #define lock() k5_mutex_lock(&krb5int_error_info_support_mutex) #define unlock() k5_mutex_unlock(&krb5int_error_info_support_mutex) +#undef krb5int_set_error void krb5int_set_error (struct errinfo *ep, long code, const char *fmt, ...) { va_list args; va_start (args, fmt); - krb5int_vset_error (ep, code, fmt, args); + krb5int_vset_error_fl (ep, code, NULL, 0, fmt, args); va_end (args); } void +krb5int_set_error_fl (struct errinfo *ep, long code, + const char *file, int line, const char *fmt, ...) +{ + va_list args; + va_start (args, fmt); + krb5int_vset_error_fl (ep, code, file, line, fmt, args); + va_end (args); +} + +void krb5int_vset_error (struct errinfo *ep, long code, const char *fmt, va_list args) { + krb5int_vset_error_fl(ep, code, NULL, 0, fmt, args); +} + +void +krb5int_vset_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, va_list args) +{ va_list args2; - char *str = NULL; + char *str = NULL, *str2, *slash; const char *loc_fmt = NULL; #ifdef USE_KIM @@ -66,6 +85,17 @@ str = NULL; } va_end(args2); + + if (str && line) { + /* Try to add file and line suffix. */ + slash = strrchr(file, '/'); + if (slash) + file = slash + 1; + if (asprintf(&str2, "%s (%s: %d)", str, file, line) > 0) { + free(str); + str = str2; + } + } /* If that failed, try using scratch_buf */ if (str == NULL) { Modified: trunk/src/util/support/libkrb5support-fixed.exports =================================================================== --- trunk/src/util/support/libkrb5support-fixed.exports 2009-04-29 00:31:50 UTC (rev 22290) +++ trunk/src/util/support/libkrb5support-fixed.exports 2009-04-29 23:21:21 UTC (rev 22291) @@ -24,6 +24,8 @@ krb5int_mutex_unlock krb5int_set_error krb5int_vset_error +krb5int_set_error_fl +krb5int_vset_error_fl krb5int_get_error krb5int_free_error krb5int_clear_error From hartmans at MIT.EDU Wed Apr 29 20:38:49 2009 
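Review bot: In the second errors.c hunk the suffix code guards on `str && line` but then hands `file` to strrchr, so a caller of the exported krb5int_vset_error_fl that passes a non-zero line with a NULL file would dereference NULL. The wrappers in this commit always pass NULL together with 0, so this is defensive, but `if (str && file && line) {` costs nothing and makes the exported entry point safe on its own. The function continues beyond this hunk.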
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 29 Apr 2009 20:38:49 -0400 Subject: svn rev #22292: trunk/src/kdc/ Message-ID: <200904300038.n3U0cnae024315@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22292 Commit By: hartmans Log Message: ticket: 6480 Subject: Do not return PREAUTH_FAILED on unknown preauth Target_Version: 1.7 Tags: pullup If the KDC receives unknown pre-authentication data then ignore it. Do not get into a case where PREAUTH_FAILED is returned because of unknown pre-authentication. The main AS loop will cause PREAUTH_REQUIRED to be returned if the preauth_required flag is set and no valid preauth is found. Changed Files: U trunk/src/kdc/kdc_preauth.c Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-04-29 23:21:21 UTC (rev 22291) +++ trunk/src/kdc/kdc_preauth.c 2009-04-30 00:38:48 UTC (rev 22292) @@ -1204,17 +1204,11 @@ if (pa_ok) return 0; - /* pa system was not found, but principal doesn't require preauth */ - if (!pa_found && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH)) + /* pa system was not found; we may return PREAUTH_REQUIRED later, + but we did not actually fail to verify the pre-auth. */ + if (!pa_found) return 0; - if (!pa_found) { - emsg = krb5_get_error_message(context, retval); - krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg); - krb5_free_error_message(context, emsg); - } /* The following switch statement allows us * to return some preauth system errors back to the client. From ghudson at MIT.EDU Thu Apr 30 11:08:51 2009 
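Review bot: With the new `if (!pa_found) return 0;`, enforcement for principals carrying KRB5_KDB_REQUIRES_PRE_AUTH or KRB5_KDB_REQUIRES_HW_AUTH no longer happens in this function and rests entirely on the caller's later check, which is outside this hunk. It is worth confirming that the AS path rejects the request for the hardware-auth flag as well as the plain preauth flag when no padata was verified. The removed krb5_klog_syslog call also means a request carrying only unrecognised padata now leaves no log entry; keeping an informational line before the early return, e.g. `krb5_klog_syslog(LOG_INFO, "no valid preauth type found");`, would preserve that signal for operators. The function body starts and ends outside the hunk.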
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 30 Apr 2009 11:08:51 -0400 Subject: svn rev #22293: trunk/doc/ Message-ID: <200904301508.n3UF8pcU009223@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22293 Commit By: ghudson Log Message: Document ok_as_delegate in the admin guide. Changed Files: U trunk/doc/admin.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-04-30 00:38:48 UTC (rev 22292) +++ trunk/doc/admin.texinfo 2009-04-30 15:08:50 UTC (rev 22293) @@ -2274,6 +2274,14 @@ ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database. + at item @{-|+}ok_as_delegate +The ``+ok_as_delegate'' option sets a flag in tickets issued for the +service principal. Some client programs may recognize this flag as +indicating that it is okay to delegate credentials to the service. If +ok_as_delegate is set on a cross-realm TGT, it indicates that the +foreign realm's ok_as_delegate flags should be honored by clients in +the local realm. The default is ``-ok_as_delegate''. + @item -randkey Sets the key for the principal to a random value (@code{add_principal} only). @value{COMPANY} recommends using this option for host keys. @@ -3101,6 +3109,13 @@ @samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears this flag. + at itemx @{-|+@}ok_as_delegate + at code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use +with this principal as the service, which clients may use as a hint that +credentials can and should be delegated when authenticating to the service. +(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears +this flag. + @itemx @{-|+@}allow_svr @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag. From tsitkova at MIT.EDU Thu Apr 30 12:27:08 2009 
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Thu, 30 Apr 2009 12:27:08 -0400 Subject: svn rev #22294: trunk/src/plugins/preauth/encrypted_challenge/ Message-ID: <200904301627.n3UGR8xK013842@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22294 Commit By: tsitkova Log Message: Uninitialized variable may cause unpredictable behavior in kdc_verify_preauth Changed Files: U trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c Modified: trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c =================================================================== --- trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-30 15:08:50 UTC (rev 22293) +++ trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-04-30 16:27:08 UTC (rev 22294) @@ -41,23 +41,23 @@ static krb5_error_code process_preauth (krb5_context context, - void *plugin_context, - void *request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *padata, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, - krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_padata) + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *padata, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, + krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_padata) { krb5_error_code retval = 0; krb5_enctype enctype = 0; 
@@ -66,150 +66,150 @@ krb5int_access kaccess; if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) - return 0; + return 0; retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); if (retval || armor_key == NULL) - return 0; - retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); + return 0; + retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); if (retval == 0) { - enctype = *((krb5_enctype *)etype_data->data); - if (as_key->length == 0 ||as_key->enctype != enctype) - retval = gak_fct(context, request->client, - enctype, prompter, prompter_data, - salt, s2kparams, - as_key, gak_data); + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); } if (padata->length) { - krb5_enc_data *enc = NULL; - krb5_data scratch; - scratch.length = padata->length; - scratch.data = (char *) padata->contents; - if (retval == 0) - retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", - as_key, "challengelongterm", &challenge_key); - if (retval == 0) - retval =kaccess.decode_enc_data(&scratch, &enc); - scratch.data = NULL; - if (retval == 0) { - scratch.data = malloc(enc->ciphertext.length); - scratch.length = enc->ciphertext.length; - if (scratch.data == NULL) - retval = ENOMEM; - } - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, - enc, &scratch); + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = 
malloc(enc->ciphertext.length); + scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); /*Per draft 11 of the preauth framework, the client MAY but * is not required to actually check the timestamp from the KDC other than * to confirm it decrypts. This code does not perform that check. */ - if (scratch.data) - krb5_free_data_contents(context, &scratch); - if (retval == 0) - fast_set_kdc_verified(context, get_data_proc, rock); - if (enc) - kaccess.free_enc_data(context, enc); + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); } else { /*No padata; we send*/ - krb5_enc_data enc; - krb5_pa_data *pa = NULL; - krb5_pa_data **pa_array = NULL; - krb5_data *encoded_ts = NULL; - krb5_pa_enc_ts ts; - enc.ciphertext.data = NULL; - if (retval == 0) - retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); - if (retval == 0) - retval = kaccess.encode_enc_ts(&ts, &encoded_ts); - if (retval == 0) - retval = krb5_c_fx_cf2_simple(context, - armor_key, "clientchallengearmor", - as_key, "challengelongterm", - &challenge_key); - if (retval == 0) - retval = kaccess.encrypt_helper(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, - encoded_ts, &enc); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - encoded_ts = NULL; - if (retval == 0) { - retval = kaccess.encode_enc_data(&enc, &encoded_ts); - krb5_free_data_contents(context, &enc.ciphertext); - } - if (retval == 0) { - pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa_array = calloc(2, sizeof(krb5_pa_data *)); - if (pa_array == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa->length = encoded_ts->length; - pa->contents = (unsigned char *) 
encoded_ts->data; - pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; - free(encoded_ts); - encoded_ts = NULL; - pa_array[0] = pa; - pa = NULL; - *out_padata = pa_array; - pa_array = NULL; - } - if (pa) - free(pa); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - if (pa_array) - free(pa_array); + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; + if (retval == 0) + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } if (challenge_key) - krb5_free_keyblock(context, challenge_key); + krb5_free_keyblock(context, challenge_key); if (armor_key) - krb5_free_keyblock(context, armor_key); + krb5_free_keyblock(context, armor_key); if (etype_data != NULL) - get_data_proc(context, rock, 
krb5plugin_preauth_client_free_etype, - &etype_data); + get_data_proc(context, rock, krb5plugin_preauth_client_free_etype, + &etype_data); return retval; } - - - + + + static krb5_error_code kdc_include_padata (krb5_context context, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - krb5_pa_data *data) + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + krb5_pa_data *data) { krb5_error_code retval = 0; krb5_keyblock *armor_key = NULL; retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); if (retval) - return retval; + return retval; if (armor_key == 0) - return ENOENT; + return ENOENT; krb5_free_keyblock(context, armor_key); return 0; } static krb5_error_code kdc_verify_preauth (krb5_context context, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { krb5_error_code retval = 0; krb5_timestamp now; 
@@ -221,108 +221,108 @@ krb5_keyblock *client_keys = NULL; krb5_data *client_data = NULL; krb5_keyblock *challenge_key = NULL; - int i; + int i = 0; plain.data = NULL; if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) - return 0; + return 0; retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); if (retval == 0 &&armor_key == NULL) { - retval = ENOENT; - krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + retval = ENOENT; + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); } scratch.data = (char *) data->contents; scratch.length = data->length; if (retval == 0) - retval = kaccess.decode_enc_data(&scratch, &enc); + retval = kaccess.decode_enc_data(&scratch, &enc); if (retval == 0) { - plain.data = malloc(enc->ciphertext.length); - plain.length = enc->ciphertext.length; - if (plain.data == NULL) - retval = ENOMEM; + plain.data = malloc(enc->ciphertext.length); + plain.length = enc->ciphertext.length; + if (plain.data == NULL) + retval = ENOMEM; } if (retval == 0) - retval = get_entry_proc(context, request, client, - krb5plugin_preauth_keys, &client_data); + retval = get_entry_proc(context, request, client, + krb5plugin_preauth_keys, &client_data); if (retval == 0) { - client_keys = (krb5_keyblock *) client_data->data; - for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { - retval = krb5_c_fx_cf2_simple(context, - armor_key, "clientchallengearmor", - &client_keys[i], "challengelongterm", - &challenge_key); - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, - NULL, enc, &plain); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); - challenge_key = NULL; - if (retval == 0) - break; - /*We failed to decrypt. 
Try next key*/ - retval = 0; - krb5_free_keyblock_contents(context, &client_keys[i]); - } - if (client_keys[i].enctype == 0) { - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); - } else { /*not run out of keys*/ - int j; - assert (retval == 0); - for (j = i+1; client_keys[j].enctype; j++) - krb5_free_keyblock_contents(context, &client_keys[j]); - } - + client_keys = (krb5_keyblock *) client_data->data; + for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + &client_keys[i], "challengelongterm", + &challenge_key); + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } + + } if (retval == 0) - retval = kaccess.decode_enc_ts(&plain, &ts); + retval = kaccess.decode_enc_ts(&plain, &ts); if (retval == 0) - retval = krb5_timeofday(context, &now); + retval = krb5_timeofday(context, &now); if (retval == 0) { - if (labs(now-ts->patimestamp) < context->clockskew) { - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; -/*If this fails, we won't generate a reply to the client. That may - * cause the client to fail, but at this point the KDC has considered - this a success, so the return value is ignored. 
*/ - fast_kdc_replace_reply_key(context, get_entry_proc, request); - krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", - &client_keys[i], "challengelongterm", - (krb5_keyblock **) pa_request_context); - } else { /*skew*/ - retval = KRB5KRB_AP_ERR_SKEW; - } + if (labs(now-ts->patimestamp) < context->clockskew) { + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + /*If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + * this a success, so the return value is ignored. */ + fast_kdc_replace_reply_key(context, get_entry_proc, request); + krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); + } else { /*skew*/ + retval = KRB5KRB_AP_ERR_SKEW; + } } if (client_keys) { - if (client_keys[i].enctype) - krb5_free_keyblock_contents(context, &client_keys[i]); - krb5_free_data(context, client_data); + if (client_keys[i].enctype) + krb5_free_keyblock_contents(context, &client_keys[i]); + krb5_free_data(context, client_data); } if (armor_key) - krb5_free_keyblock(context, armor_key); + krb5_free_keyblock(context, armor_key); if (plain.data) - free(plain.data); + free(plain.data); if (enc) - kaccess.free_enc_data(context, enc); + kaccess.free_enc_data(context, enc); if (ts) - kaccess.free_enc_ts(context, ts); + kaccess.free_enc_ts(context, ts); return retval; } static krb5_error_code kdc_return_preauth (krb5_context context, - krb5_pa_data * padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context) + krb5_pa_data * padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data 
*client_keys, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context) { krb5_error_code retval = 0; krb5_keyblock *challenge_key = *pa_request_context; 
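Review bot: The only functional change in this kdc_verify_preauth hunk, `int i = 0;`, is buried in a re-indentation of the whole file, which makes the fix hard to review and to pull up on its own; splitting the whitespace pass from the initializer would help. The variable also does double duty: after the key loop it is the index of the key that decrypted the challenge, used in the `krb5_c_fx_cf2_simple(... &client_keys[i] ...)` call and again in the cleanup `if (client_keys[i].enctype)`. A comment on the declaration such as `/* index of the matching client key; also read by the cleanup below */` would make that dependency visible to the next editor.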
@@ -334,41 +334,41 @@ krb5int_access kaccess; if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) - return 0; + return 0; if (challenge_key == NULL) - return 0; + return 0; * pa_request_context = NULL; /*this function will free the - * challenge key*/ + * challenge key*/ retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); if (retval == 0) - retval = kaccess.encode_enc_ts(&ts, &plain); + retval = kaccess.encode_enc_ts(&ts, &plain); if (retval == 0) - retval = kaccess.encrypt_helper(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, - plain, &enc); + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, + plain, &enc); if (retval == 0) - retval = kaccess.encode_enc_data(&enc, &encoded); + retval = kaccess.encode_enc_data(&enc, &encoded); if (retval == 0) { - pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; } if (retval == 0) { - pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; - pa->contents = (unsigned char *) encoded->data; - pa->length = encoded->length; - encoded->data = NULL; - *send_pa = pa; - pa = NULL; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + pa->contents = (unsigned char *) encoded->data; + pa->length = encoded->length; + encoded->data = NULL; + *send_pa = pa; + pa = NULL; } if (challenge_key) - krb5_free_keyblock(context, challenge_key); + krb5_free_keyblock(context, challenge_key); if (encoded) - krb5_free_data(context, encoded); + krb5_free_data(context, encoded); if (plain) - krb5_free_data(context, plain); + krb5_free_data(context, plain); if (enc.ciphertext.data) - krb5_free_data_contents(context, &enc.ciphertext); + krb5_free_data_contents(context, &enc.ciphertext); return retval; } 
@@ -384,25 +384,26 @@ struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { "Encrypted challenge", &supported_pa_types[0], -NULL, -NULL, -kdc_preauth_flags, + NULL, + NULL, + kdc_preauth_flags, kdc_include_padata, kdc_verify_preauth, kdc_return_preauth, -NULL + NULL }; struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { - "Encrypted Challenge", /* name */ - &supported_pa_types[0], /* pa_type_list */ - NULL, /* enctype_list */ - NULL, /* plugin init function */ - NULL, /* plugin fini function */ - preauth_flags, /* get flags function */ - NULL, /* request init function */ - NULL, /* request fini function */ - process_preauth, /* process function */ - NULL, /* try_again function */ -NULL /* get init creds opt function */ + "Encrypted Challenge", /* name */ + &supported_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + preauth_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + process_preauth, /* process function */ + NULL, /* try_again function */ + NULL /* get init creds opt function */ }; + From ghudson at MIT.EDU Thu Apr 30 13:16:20 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 30 Apr 2009 13:16:20 -0400 Subject: svn rev #22295: trunk/src/lib/krb5/keytab/ Message-ID: <200904301716.n3UHGKJi016699@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22295 Commit By: ghudson Log Message: Fix a memory leak by reorganizing krb5_ktf_keytab_internalize to use the recommended exception-handling flow control. Eliminate the check for ktdata being null after resolution because that's not possible. Add a check for the resolved keytab being of a different type, since that would result in data structure corruption. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-30 16:27:08 UTC (rev 22294) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-30 17:16:20 UTC (rev 22295) 
@@ -723,102 +723,92 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; - krb5_keytab keytab; + krb5_keytab keytab = NULL; krb5_int32 ibuf; krb5_octet *bp; size_t remain; - char *ktname; + char *ktname = NULL; krb5_ktfile_data *ktdata; krb5_int32 file_is_open; krb5_int64 foff; + *argp = NULL; bp = *buffer; remain = *lenremain; - kret = EINVAL; + /* Read our magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; - if (ibuf == KV5M_KEYTAB) { + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_KEYTAB) + return EINVAL; - /* Get the length of the keytab name */ - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + /* Read the keytab name */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (kret) + return kret; + ktname = malloc(ibuf + 1); + if (!ktname) + return ENOMEM; + kret = krb5_ser_unpack_bytes((krb5_octet *) ktname, (size_t) ibuf, + &bp, &remain); + if (kret) + goto cleanup; + ktname[ibuf] = '\0'; - if (!kret && - (ktname = (char *) malloc((size_t) (ibuf+1))) && - !(kret = krb5_ser_unpack_bytes((krb5_octet *) ktname, - (size_t) ibuf, - &bp, &remain))) { - ktname[ibuf] = '\0'; - kret = krb5_kt_resolve(kcontext, ktname, &keytab); - if (!kret) { - kret = ENOMEM; - ktdata = (krb5_ktfile_data *) keytab->data; - if (!ktdata) { - /* XXX */ - keytab->data = (void *) malloc(sizeof(krb5_ktfile_data)); - ktdata = (krb5_ktfile_data *) keytab->data; - memset(ktdata, 0, sizeof(krb5_ktfile_data)); - if (strchr(ktname, (int) ':')) - ktdata->name = strdup(strchr(ktname, (int) ':')+1); - else - ktdata->name = strdup(ktname); - } - if (ktdata) { - if (remain >= (sizeof(krb5_int32)*5)) { - (void) krb5_ser_unpack_int32(&file_is_open, - &bp, &remain); - (void) krb5_ser_unpack_int64(&foff, &bp, &remain); - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ktdata->version = (int) ibuf; + /* Resolve the keytab. 
*/ + kret = krb5_kt_resolve(kcontext, ktname, &keytab); + if (kret) + goto cleanup; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (ibuf == KV5M_KEYTAB) { - if (file_is_open) { - int fmode; - long fpos; + if (keytab->ops != &krb5_ktf_writable_ops + && keytab->ops != &krb5_ktf_ops) { + kret = EINVAL; + goto cleanup; + } + ktdata = (krb5_ktfile_data *) keytab->data; + if (remain < (sizeof(krb5_int32)*5)) { + kret = EINVAL; + goto cleanup; + } + (void) krb5_ser_unpack_int32(&file_is_open, &bp, &remain); + (void) krb5_ser_unpack_int64(&foff, &bp, &remain); + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ktdata->version = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (ibuf != KV5M_KEYTAB) { + kret = EINVAL; + goto cleanup; + } + + if (file_is_open) { + int fmode; + long fpos; + #if !defined(_WIN32) - fmode = (file_is_open >> 1) & O_ACCMODE; + fmode = (file_is_open >> 1) & O_ACCMODE; #else - fmode = 0; + fmode = 0; #endif - if (fmode) - kret = krb5_ktfileint_openw(kcontext, - keytab); - else - kret = krb5_ktfileint_openr(kcontext, - keytab); - if (!kret) { - fpos = foff; /* XX range check? */ - if (fseek(KTFILEP(keytab), fpos, - SEEK_SET) == -1) - kret = errno; - } - } - kret = 0; - } - else - kret = EINVAL; - } - } - if (kret) { - if (keytab->data) { - if (KTFILENAME(keytab)) - free(KTFILENAME(keytab)); - free(keytab->data); - } - free(keytab); - } - else { - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) keytab; - } - } - free(ktname); + if (fmode) + kret = krb5_ktfileint_openw(kcontext, keytab); + else + kret = krb5_ktfileint_openr(kcontext, keytab); + if (kret) + goto cleanup; + fpos = foff; /* XX range check? 
*/ + if (fseek(KTFILEP(keytab), fpos, SEEK_SET) == -1) { + kret = errno; + goto cleanup; } } - return(kret); + + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) keytab; +cleanup: + if (kret != 0 && keytab) + krb5_kt_close(kcontext, keytab); + free(ktname); + return kret; } /* From ghudson at MIT.EDU Thu Apr 30 13:28:55 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 30 Apr 2009 13:28:55 -0400 Subject: svn rev #22296: trunk/src/lib/krb5/keytab/ Message-ID: <200904301728.n3UHStnw017375@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22296 Commit By: ghudson Log Message: In ktfile_common_resolve, set the output pointer to NULL on error, and use a cleanup label instead of freeing the same resources in multiple error handling blocks. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-04-30 17:16:20 UTC (rev 22295) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-04-30 17:28:55 UTC (rev 22296) 
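Review bot: The name length `ibuf` is taken straight from the serialized buffer and used in `malloc(ibuf + 1)` without a range check, so a negative or oversized value reaches the signed addition and the allocation before anything rejects it. A guard right after the length is unpacked would close this: `if (ibuf < 0 || (size_t) ibuf > remain) return EINVAL;`. krb5_ser_unpack_bytes may already refuse a length larger than `remain`, but that is not visible in this hunk and it runs only after the allocation. The existing `/* XX range check? */` on `fpos = foff` marks a separate narrowing from krb5_int64 to long that this rewrite carries over unchanged.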
@@ -200,41 +200,45 @@ static krb5_error_code ktfile_common_resolve(krb5_context context, const char *name, - krb5_keytab *id, const struct _krb5_kt_ops *ops) + krb5_keytab *idptr, const struct _krb5_kt_ops *ops) { - krb5_ktfile_data *data; - krb5_error_code err; + krb5_ktfile_data *data = NULL; + krb5_error_code err = ENOMEM; + krb5_keytab id; - if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) - return(ENOMEM); + *idptr = NULL; + + id = calloc(1, sizeof(*id)); + if (id == NULL) + return ENOMEM; - (*id)->ops = ops; - if ((data = (krb5_ktfile_data *)malloc(sizeof(krb5_ktfile_data))) == NULL) { - free(*id); - return(ENOMEM); - } + id->ops = ops; + data = calloc(1, sizeof(krb5_ktfile_data)); + if (data == NULL) + goto cleanup; + data->name = strdup(name); + if (data->name == NULL) + goto cleanup; + err = k5_mutex_init(&data->lock); - if (err) { - free(data); - free(*id); - return err; - } + if (err) + goto cleanup; - if ((data->name = strdup(name)) == NULL) { - k5_mutex_destroy(&data->lock); - free(data); - free(*id); - return(ENOMEM); - } - data->openf = 0; data->version = 0; data->iter_count = 0; - (*id)->data = (krb5_pointer)data; - (*id)->magic = KV5M_KEYTAB; - return(0); + id->data = (krb5_pointer) data; + id->magic = KV5M_KEYTAB; + *idptr = id; + return 0; +cleanup: + if (data) + free(data->name); + free(data); + free(id); + return err; } static krb5_error_code KRB5_CALLCONV From ghudson at MIT.EDU Thu Apr 30 13:49:28 2009 
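Review bot: The `cleanup` label frees `data->name`, `data` and `id` but never destroys `data->lock`, which is correct only because `k5_mutex_init` is the last step that can fail. That ordering is easy to break when a later fallible step is added, so I would record it next to the call: `/* Keep this the last fallible step; cleanup does not destroy data->lock. */`. `name` is also handed to `strdup` unchecked; whether callers can pass NULL is not visible in this hunk.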
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 30 Apr 2009 13:49:28 -0400 Subject: svn rev #22297: trunk/src/lib/krb5/keytab/ Message-ID: <200904301749.n3UHnSqX018789@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22297 Commit By: ghudson Log Message: In krb5_kt_resolve, ensure that the output parameter is set to NULL on failure even if the underlying resolver doesn't do that properly. Changed Files: U trunk/src/lib/krb5/keytab/ktbase.c Modified: trunk/src/lib/krb5/keytab/ktbase.c =================================================================== --- trunk/src/lib/krb5/keytab/ktbase.c 2009-04-30 17:28:55 UTC (rev 22296) +++ trunk/src/lib/krb5/keytab/ktbase.c 2009-04-30 17:49:28 UTC (rev 22297) @@ -166,11 +166,13 @@ unsigned int pfxlen; const char *cp, *resid; krb5_error_code err = 0; - + krb5_keytab id; + + *ktid = NULL; + cp = strchr (name, ':'); - if (!cp) { - return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); - } + if (!cp) + return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); pfxlen = cp - name; @@ -209,7 +211,9 @@ k5_mutex_unlock(&kt_typehead_lock); for (; tlist; tlist = tlist->next) { if (strcmp (tlist->ops->prefix, pfx) == 0) { - err = (*tlist->ops->resolve)(context, resid, ktid); + err = (*tlist->ops->resolve)(context, resid, &id); + if (!err) + *ktid = id; goto cleanup; } } From hartmans at MIT.EDU Thu Apr 30 16:17:42 2009 
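Review bot: The no-prefix path in the first hunk still hands `ktid` directly to the default resolver (`return (*krb5_kt_dfl_ops.resolve)(context, name, ktid);`). The guarantee stated in the log message, that the output is NULL on failure even when the resolver misbehaves, therefore holds only for the prefixed path changed in the second hunk. Routing the default path through the new local would make both agree: `err = (*krb5_kt_dfl_ops.resolve)(context, name, &id); if (!err) *ktid = id; return err;`. The body of krb5_kt_resolve starts before the first hunk and continues past the second, so other exits cannot be checked from here.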
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 30 Apr 2009 16:17:42 -0400 Subject: svn rev #22298: trunk/src/lib/crypto/ des/ Message-ID: <200904302017.n3UKHgbD028946@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22298 Commit By: hartmans Log Message: ticket: 5587 Tags: pullup Implement DES and 3DES PRF. Patch fromKAMADA Ken'ichi Currently the DES and 3DES PRF output 16-byte results. This is consistent with RFC 3961, but we need to confirm it is consistent with Heimdal and WG decisions. See IETF 74 minutes for some discussion of the concern as it applies to AES and thus possibly all simplified profile enctypes. Changed Files: U trunk/src/lib/crypto/des/Makefile.in U trunk/src/lib/crypto/des/des_int.h A trunk/src/lib/crypto/des/des_prf.c U trunk/src/lib/crypto/etypes.c U trunk/src/lib/crypto/t_cf2.comments U trunk/src/lib/crypto/t_cf2.expected U trunk/src/lib/crypto/t_cf2.in Modified: trunk/src/lib/crypto/des/Makefile.in =================================================================== --- trunk/src/lib/crypto/des/Makefile.in 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/des/Makefile.in 2009-04-30 20:17:42 UTC (rev 22298) @@ -18,6 +18,7 @@ d3_cbc.o \ d3_aead.o \ d3_kysched.o \ + des_prf.o \ f_aead.o \ f_cbc.o \ f_cksum.o \ @@ -32,6 +33,7 @@ $(OUTPRE)d3_cbc.$(OBJEXT) \ $(OUTPRE)d3_aead.$(OBJEXT) \ $(OUTPRE)d3_kysched.$(OBJEXT) \ + $(OUTPRE)des_prf.$(OBJEXT) \ $(OUTPRE)f_aead.$(OBJEXT) \ $(OUTPRE)f_cbc.$(OBJEXT) \ $(OUTPRE)f_cksum.$(OBJEXT) \ @@ -46,6 +48,7 @@ $(srcdir)/d3_cbc.c \ $(srcdir)/d3_aead.c \ $(srcdir)/d3_kysched.c \ + $(srcdir)/des_prf.c \ $(srcdir)/f_aead.c \ $(srcdir)/f_cbc.c \ $(srcdir)/f_cksum.c \ Modified: trunk/src/lib/crypto/des/des_int.h =================================================================== --- trunk/src/lib/crypto/des/des_int.h 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/des/des_int.h 2009-04-30 20:17:42 UTC (rev 22298) 
@@ -374,5 +374,9 @@ extern krb5_error_code mit_des_set_random_sequence_number (const krb5_data * sequence, krb5_pointer random_state); - +krb5_error_code +krb5int_des_prf (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); #endif /*DES_INTERNAL_DEFS*/ Copied: trunk/src/lib/crypto/des/des_prf.c (from rev 22295, trunk/src/lib/crypto/dk/dk_prf.c) =================================================================== --- trunk/src/lib/crypto/dk/dk_prf.c 2009-04-30 17:16:20 UTC (rev 22295) +++ trunk/src/lib/crypto/des/des_prf.c 2009-04-30 20:17:42 UTC (rev 22298) 
@@ -0,0 +1,54 @@
+/*
+ * lib/crypto/des/des_prf.c
+ *
+ * Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ * This file contains an implementation of the RFC 3961 PRF for
+ * des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes.
+ */
+
+#include "k5-int.h"
+#include "../hash_provider/hash_provider.h" /* XXX is this ok? */
+
+krb5_error_code
+krb5int_des_prf (const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_data *in, krb5_data *out)
+{
+ krb5_data tmp;
+ krb5_error_code ret = 0;
+
+ hash = &krb5int_hash_md5; /* MD5 is always used.
*/ + tmp.length = hash->hashsize; + tmp.data = malloc(hash->hashsize); + if (tmp.data == NULL) + return ENOMEM; + ret = hash->hash(1, in, &tmp); + if (ret == 0) + ret = enc->encrypt(key, NULL, &tmp, out); + free(tmp.data); + return ret; +} Modified: trunk/src/lib/crypto/etypes.c =================================================================== --- trunk/src/lib/crypto/etypes.c 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/etypes.c 2009-04-30 20:17:42 UTC (rev 22298) @@ -33,6 +33,7 @@ #include "dk.h" #include "arcfour.h" #include "aes_s2k.h" +#include "des/des_int.h" /* these will be linear searched. if they ever get big, a binary search or hash table would be better, which means these would need 
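Review bot: `krb5int_des_prf` passes the caller's `out` to `enc->encrypt` without checking that `out->length` matches the digest length held in `tmp`. A mis-sized output buffer is therefore caught only if the encryption provider validates lengths itself, which this hunk does not show. A guard placed after the `hash` assignment and before the allocation would make the contract explicit: `if (out->length != hash->hashsize) return KRB5_BAD_MSIZE;`. The function also silently overwrites its `hash` parameter; a header comment saying the argument is ignored and MD5 is always used would keep callers from assuming the table's hash provider takes effect.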
@@ -44,47 +45,47 @@ { ENCTYPE_DES_CBC_CRC, "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD5, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD4, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD5, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", { 0 }, "DES cbc mode raw", &krb5int_enc_des, NULL, - 8, + 16, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, 0, &krb5int_aead_raw, ETYPE_WEAK }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, - 8, + 16, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, krb5int_dk_string_to_key, NULL, /*PRF*/ @@ -96,10 +97,10 @@ "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, - 8, + 16, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, krb5int_dk_string_to_key, - NULL, /*PRF*/ + krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_DES3, &krb5int_aead_dk, 0 /*flags*/ }, Modified: trunk/src/lib/crypto/t_cf2.comments =================================================================== --- trunk/src/lib/crypto/t_cf2.comments 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/t_cf2.comments 2009-04-30 20:17:42 UTC (rev 22298) 
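Review bot: In the first hunk the des3-cbc-raw entry has its length field raised from 8 to 16 while its PRF slot stays `NULL, /*PRF*/`, so the table now carries a PRF-related size for an enctype with no PRF function. If that field is the PRF output length, as the log message suggests, either leave this entry at its old value or mark it, e.g. `/* no PRF for raw 3DES; length unused */`, so a caller that queries the length is not led to expect a working PRF. The des-cbc-raw entry in the same hunk gets `krb5int_des_prf` although its hash provider is `NULL`; that is safe only because the function substitutes MD5 for `hash`, which is worth a comment at the entry.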
@@ -1,3 +1,5 @@ The first test mirrors the first two tests in t_prf.in. The second test mirrors the following four tests in t_prf.in. + +The third and fourth tests are simple tests of the DES and 3DES PRF. Modified: trunk/src/lib/crypto/t_cf2.expected =================================================================== --- trunk/src/lib/crypto/t_cf2.expected 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/t_cf2.expected 2009-04-30 20:17:42 UTC (rev 22298) @@ -1,2 +1,4 @@ 97df97e4b798b29eb31ed7280287a92a 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b +43bae3738c9467e6 +e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 Modified: trunk/src/lib/crypto/t_cf2.in =================================================================== --- trunk/src/lib/crypto/t_cf2.in 2009-04-30 17:49:28 UTC (rev 22297) +++ trunk/src/lib/crypto/t_cf2.in 2009-04-30 20:17:42 UTC (rev 22298) @@ -8,3 +8,13 @@ key2 a b +1 +key1 +key2 +a +b +16 +key1 +key2 +a +b From hartmans at MIT.EDU Thu Apr 30 16:48:36 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 30 Apr 2009 16:48:36 -0400 Subject: svn rev #22299: trunk/src/lib/ crypto/ crypto/arcfour/ crypto/des/ krb5/krb/ Message-ID: <200904302048.n3UKmaWv030797@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22299 Commit By: hartmans Log Message: make depend Changed Files: U trunk/src/lib/crypto/arcfour/deps U trunk/src/lib/crypto/deps U trunk/src/lib/crypto/des/deps U trunk/src/lib/krb5/krb/deps Modified: trunk/src/lib/crypto/arcfour/deps =================================================================== --- trunk/src/lib/crypto/arcfour/deps 2009-04-30 20:17:42 UTC (rev 22298) +++ trunk/src/lib/crypto/arcfour/deps 2009-04-30 20:48:36 UTC (rev 22299) 
@@ -10,7 +10,8 @@ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - arcfour-int.h arcfour.c arcfour.h + $(srcdir)/../hash_provider/hash_provider.h arcfour-int.h \ + arcfour.c arcfour.h arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: trunk/src/lib/crypto/deps =================================================================== --- trunk/src/lib/crypto/deps 2009-04-30 20:17:42 UTC (rev 22298) +++ trunk/src/lib/crypto/deps 2009-04-30 20:48:36 UTC (rev 22299) @@ -191,7 +191,7 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ $(srcdir)/aes/aes_s2k.h $(srcdir)/arcfour/arcfour.h \ - $(srcdir)/dk/dk.h $(srcdir)/enc_provider/enc_provider.h \ + $(srcdir)/des/des_int.h $(srcdir)/dk/dk.h $(srcdir)/enc_provider/enc_provider.h \ $(srcdir)/hash_provider/hash_provider.h $(srcdir)/old/old.h \ $(srcdir)/raw/raw.h etypes.c etypes.h hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ Modified: trunk/src/lib/crypto/des/deps =================================================================== --- trunk/src/lib/crypto/des/deps 2009-04-30 20:17:42 UTC (rev 22298) +++ trunk/src/lib/crypto/des/deps 2009-04-30 20:48:36 UTC (rev 22299) 
@@ -42,6 +42,16 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h +des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../hash_provider/hash_provider.h des_prf.c f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ Modified: trunk/src/lib/krb5/krb/deps =================================================================== --- trunk/src/lib/krb5/krb/deps 2009-04-30 20:17:42 UTC (rev 22298) +++ trunk/src/lib/krb5/krb/deps 2009-04-30 20:48:36 UTC (rev 22299) @@ -818,6 +818,8 @@ $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h str_conv.c +t_ad_fx_armor.so t_ad_fx_armor.po $(OUTPRE)t_ad_fx_armor.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) t_ad_fx_armor.c tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \