svn rev #23484: trunk/src/lib/krb5/ krb/ os/
tsitkova@MIT.EDU
tsitkova at MIT.EDU
Wed Dec 23 11:00:05 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23484
Commit By: tsitkova
Log Message:
Code modularity related updates.
Changed Files:
U trunk/src/lib/krb5/krb/Makefile.in
A trunk/src/lib/krb5/krb/gen_save_subkey.c
U trunk/src/lib/krb5/krb/get_in_tkt.c
U trunk/src/lib/krb5/krb/gic_pwd.c
U trunk/src/lib/krb5/krb/init_ctx.c
U trunk/src/lib/krb5/krb/int-proto.h
A trunk/src/lib/krb5/krb/libdef_parse.c
U trunk/src/lib/krb5/krb/mk_req_ext.c
U trunk/src/lib/krb5/krb/vfy_increds.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5/os/dnsglue.c
U trunk/src/lib/krb5/os/hst_realm.c
U trunk/src/lib/krb5/os/init_os_ctx.c
Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/Makefile.in 2009-12-23 16:00:05 UTC (rev 23484)
@@ -46,6 +46,7 @@
gc_via_tkt.o \
gen_seqnum.o \
gen_subkey.o \
+ gen_save_subkey.o \
get_creds.o \
get_in_tkt.o \
gic_keytab.o \
@@ -57,6 +58,7 @@
kdc_rep_dc.o \
kerrs.o \
kfree.o \
+ libdef_parse.o \
mk_cred.o \
mk_error.o \
mk_priv.o \
@@ -136,6 +138,7 @@
$(OUTPRE)gc_via_tkt.$(OBJEXT) \
$(OUTPRE)gen_seqnum.$(OBJEXT) \
$(OUTPRE)gen_subkey.$(OBJEXT) \
+ $(OUTPRE)gen_save_subkey.$(OBJEXT) \
$(OUTPRE)get_creds.$(OBJEXT) \
$(OUTPRE)get_in_tkt.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
@@ -145,8 +148,9 @@
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
$(OUTPRE)kdc_rep_dc.$(OBJEXT) \
- $(OUTPRE)kerrs.$(OBJEXT) \
+ $(OUTPRE)kerrs.$(OBJEXT) \
$(OUTPRE)kfree.$(OBJEXT) \
+ $(OUTPRE)libdef_parse.$(OBJEXT) \
$(OUTPRE)mk_cred.$(OBJEXT) \
$(OUTPRE)mk_error.$(OBJEXT) \
$(OUTPRE)mk_priv.$(OBJEXT) \
@@ -227,6 +231,7 @@
$(srcdir)/gc_via_tkt.c \
$(srcdir)/gen_seqnum.c \
$(srcdir)/gen_subkey.c \
+ $(srcdir)/gen_save_subkey.c \
$(srcdir)/get_creds.c \
$(srcdir)/get_in_tkt.c \
$(srcdir)/gic_keytab.c \
@@ -238,6 +243,7 @@
$(srcdir)/kdc_rep_dc.c \
$(srcdir)/kerrs.c \
$(srcdir)/kfree.c \
+ $(srcdir)/libdef_parse.c \
$(srcdir)/mk_cred.c \
$(srcdir)/mk_error.c \
$(srcdir)/mk_priv.c \
Added: trunk/src/lib/krb5/krb/gen_save_subkey.c
===================================================================
--- trunk/src/lib/krb5/krb/gen_save_subkey.c (rev 0)
+++ trunk/src/lib/krb5/krb/gen_save_subkey.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -0,0 +1,74 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/krb5/krb/gen_save_subkey.c
+ *
+ * Copyright 2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5int_generate_and_save_subkey()
+ */
+
+#include "k5-int.h"
+#include "auth_con.h"
+
+krb5_error_code
+krb5int_generate_and_save_subkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock,
+ krb5_enctype enctype)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+ krb5_keyblock *kb = NULL;
+
+ if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
+ d.length = sizeof(rnd_data);
+ d.data = (char *) &rnd_data;
+ krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
+ }
+
+ retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
+ if (retval)
+ return retval;
+ retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
+ if (retval)
+ goto cleanup;
+ retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
+ if (retval)
+ goto cleanup;
+
+cleanup:
+ if (retval) {
+ (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ }
+ krb5_free_keyblock(context, kb);
+ return retval;
+}
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -839,130 +839,6 @@
return (retval);
}
-/* begin libdefaults parsing code. This should almost certainly move
- somewhere else, but I don't know where the correct somewhere else
- is yet. */
-
-/* XXX Duplicating this is annoying; try to work on a better way.*/
-static const char *const conf_yes[] = {
- "y", "yes", "true", "t", "1", "on",
- 0,
-};
-
-static const char *const conf_no[] = {
- "n", "no", "false", "nil", "0", "off",
- 0,
-};
-
-int
-_krb5_conf_boolean(const char *s)
-{
- const char *const *p;
-
- for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
- }
-
- for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
- }
-
- /* Default to "no" */
- return 0;
-}
-
-static krb5_error_code
-krb5_libdefault_string(krb5_context context, const krb5_data *realm,
- const char *option, char **ret_value)
-{
- profile_t profile;
- const char *names[5];
- char **nameval = NULL;
- krb5_error_code retval;
- char realmstr[1024];
-
- if (realm->length > sizeof(realmstr)-1)
- return(EINVAL);
-
- strncpy(realmstr, realm->data, realm->length);
- realmstr[realm->length] = '\0';
-
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
-
- profile = context->profile;
-
- names[0] = KRB5_CONF_LIBDEFAULTS;
-
- /*
- * Try number one:
- *
- * [libdefaults]
- * REALM = {
- * option = <boolean>
- * }
- */
-
- names[1] = realmstr;
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0])
- goto goodbye;
-
- /*
- * Try number two:
- *
- * [libdefaults]
- * option = <boolean>
- */
-
- names[1] = option;
- names[2] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0])
- goto goodbye;
-
-goodbye:
- if (!nameval)
- return(ENOENT);
-
- if (!nameval[0]) {
- retval = ENOENT;
- } else {
- *ret_value = strdup(nameval[0]);
- if (!*ret_value)
- retval = ENOMEM;
- }
-
- profile_free_list(nameval);
-
- return retval;
-}
-
-/* not static so verify_init_creds() can call it */
-/* as well as the DNS code */
-
-krb5_error_code
-krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
- const char *option, int *ret_value)
-{
- char *string = NULL;
- krb5_error_code retval;
-
- retval = krb5_libdefault_string(context, realm, option, &string);
-
- if (retval)
- return(retval);
-
- *ret_value = _krb5_conf_boolean(string);
- free(string);
-
- return(0);
-}
-
/* Sort a pa_data sequence so that types named in the "preferred_preauth_types"
* libdefaults entry are listed before any others. */
static krb5_error_code
@@ -981,8 +857,8 @@
return 0;
}
- ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
- &preauth_types);
+ ret = krb5int_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
+ &preauth_types);
if ((ret != 0) || (preauth_types == NULL)) {
/* Try to use PKINIT first. */
preauth_types = "17, 16, 15, 14";
@@ -1408,8 +1284,8 @@
/* forwaradble */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
tmp = opte->forwardable;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_FORWARDABLE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_FORWARDABLE, &tmp) == 0)
;
else
tmp = 0;
@@ -1419,8 +1295,8 @@
/* proxiable */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
tmp = opte->proxiable;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_PROXIABLE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_PROXIABLE, &tmp) == 0)
;
else
tmp = 0;
@@ -1430,8 +1306,8 @@
/* canonicalize */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE)
tmp = 1;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_CANONICALIZE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_CANONICALIZE, &tmp) == 0)
;
else
tmp = 0;
@@ -1445,8 +1321,8 @@
/* ticket lifetime */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)
ctx->tkt_life = options->tkt_life;
- else if (krb5_libdefault_string(context, &ctx->request->client->realm,
- KRB5_CONF_TICKET_LIFETIME, &str) == 0) {
+ else if (krb5int_libdefault_string(context, &ctx->request->client->realm,
+ KRB5_CONF_TICKET_LIFETIME, &str) == 0) {
code = krb5_string_to_deltat(str, &ctx->tkt_life);
if (code != 0)
goto cleanup;
@@ -1458,8 +1334,8 @@
/* renewable lifetime */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)
ctx->renew_life = options->renew_life;
- else if (krb5_libdefault_string(context, &ctx->request->client->realm,
- KRB5_CONF_RENEW_LIFETIME, &str) == 0) {
+ else if (krb5int_libdefault_string(context, &ctx->request->client->realm,
+ KRB5_CONF_RENEW_LIFETIME, &str) == 0) {
code = krb5_string_to_deltat(str, &ctx->renew_life);
if (code != 0)
goto cleanup;
@@ -1499,8 +1375,8 @@
&ctx->request->addresses);
if (code != 0)
goto cleanup;
- } else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_NOADDRESSES, &tmp) != 0
+ } else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_NOADDRESSES, &tmp) != 0
|| tmp) {
ctx->request->addresses = NULL;
} else {
@@ -2132,3 +2008,52 @@
return code;
}
+
+krb5_error_code
+krb5int_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
+ krb5_flags options, krb5_address *const *addrs,
+ krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types, krb5_creds *creds)
+{
+ int i;
+ krb5_int32 starttime;
+ krb5_get_init_creds_opt *opt;
+ krb5_error_code retval;
+
+ *out = NULL;
+ retval = krb5_get_init_creds_opt_alloc(context, &opt);
+ if (retval)
+ return(retval);
+
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+ if (creds && creds->times.endtime) {
+ retval = krb5_timeofday(context, &starttime);
+ if (retval)
+ goto cleanup;
+ if (creds->times.starttime) starttime = creds->times.starttime;
+ krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
+ }
+ *out = opt;
+ return 0;
+
+cleanup:
+ krb5_get_init_creds_opt_free(context, opt);
+ return retval;
+}
Modified: trunk/src/lib/krb5/krb/gic_pwd.c
===================================================================
--- trunk/src/lib/krb5/krb/gic_pwd.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/gic_pwd.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -419,54 +419,6 @@
return(ret);
}
-krb5_error_code
-krb5int_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- krb5_flags options, krb5_address *const *addrs,
- krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types, krb5_creds *creds)
-{
- int i;
- krb5_int32 starttime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
-
- *out = NULL;
- retval = krb5_get_init_creds_opt_alloc(context, &opt);
- if (retval)
- return(retval);
-
- if (addrs)
- krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
- if (ktypes) {
- for (i=0; ktypes[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
- }
- if (pre_auth_types) {
- for (i=0; pre_auth_types[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
- }
- if (options&KDC_OPT_FORWARDABLE)
- krb5_get_init_creds_opt_set_forwardable(opt, 1);
- else krb5_get_init_creds_opt_set_forwardable(opt, 0);
- if (options&KDC_OPT_PROXIABLE)
- krb5_get_init_creds_opt_set_proxiable(opt, 1);
- else krb5_get_init_creds_opt_set_proxiable(opt, 0);
- if (creds && creds->times.endtime) {
- retval = krb5_timeofday(context, &starttime);
- if (retval)
- goto cleanup;
- if (creds->times.starttime) starttime = creds->times.starttime;
- krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
- }
- *out = opt;
- return 0;
-cleanup:
- krb5_get_init_creds_opt_free(context, opt);
- return retval;
-}
-
/*
Rewrites get_in_tkt in terms of newer get_init_creds API.
Attempts to get an initial ticket for creds->client to use server
Modified: trunk/src/lib/krb5/krb/init_ctx.c
===================================================================
--- trunk/src/lib/krb5/krb/init_ctx.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/init_ctx.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -647,3 +647,9 @@
}
return ret;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_profile (krb5_context ctx, profile_t *profile)
+{
+ return profile_copy (ctx->profile, profile);
+}
Modified: trunk/src/lib/krb5/krb/int-proto.h
===================================================================
--- trunk/src/lib/krb5/krb/int-proto.h 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/int-proto.h 2009-12-23 16:00:05 UTC (rev 23484)
@@ -37,9 +37,13 @@
krb5_principal *);
krb5_error_code
-krb5_libdefault_boolean(krb5_context, const krb5_data *, const char *,
- int *);
+krb5int_libdefault_boolean(krb5_context, const krb5_data *, const char *,
+ int *);
+krb5_error_code
+krb5int_libdefault_string(krb5_context context, const krb5_data *realm,
+ const char *option, char **ret_value);
+
krb5_error_code krb5_ser_authdata_init (krb5_context);
krb5_error_code krb5_ser_address_init (krb5_context);
krb5_error_code krb5_ser_authenticator_init (krb5_context);
Added: trunk/src/lib/krb5/krb/libdef_parse.c
===================================================================
--- trunk/src/lib/krb5/krb/libdef_parse.c (rev 0)
+++ trunk/src/lib/krb5/krb/libdef_parse.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -0,0 +1,149 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/krb5/krb/libdef_parse.c
+ *
+ * Copyright 2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * krb5int_libdefault_string()
+ * krb5int_libdefault_boolean()
+ *
+ */
+#include "k5-int.h"
+#include "int-proto.h"
+
+static const char *const conf_yes[] = {
+ "y", "yes", "true", "t", "1", "on",
+ 0,
+};
+
+static const char *const conf_no[] = {
+ "n", "no", "false", "nil", "0", "off",
+ 0,
+};
+
+int
+_krb5_conf_boolean(const char *s)
+{
+ const char *const *p;
+
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+
+ /* Default to "no" */
+ return 0;
+}
+
+krb5_error_code
+krb5int_libdefault_string(krb5_context context, const krb5_data *realm,
+ const char *option, char **ret_value)
+{
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ char realmstr[1024];
+
+ if (realm->length > sizeof(realmstr)-1)
+ return(EINVAL);
+
+ strncpy(realmstr, realm->data, realm->length);
+ realmstr[realm->length] = '\0';
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ names[0] = KRB5_CONF_LIBDEFAULTS;
+
+ /*
+ * Try number one:
+ *
+ * [libdefaults]
+ * REALM = {
+ * option = <boolean>
+ * }
+ */
+
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0])
+ goto goodbye;
+
+
+ /*
+ * Try number two:
+ *
+ * [libdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0])
+ goto goodbye;
+
+goodbye:
+ if (!nameval)
+ return(ENOENT);
+
+ if (!nameval[0]) {
+ retval = ENOENT;
+ } else {
+ *ret_value = strdup(nameval[0]);
+ if (!*ret_value)
+ retval = ENOMEM;
+ }
+
+ profile_free_list(nameval);
+
+ return retval;
+}
+
+krb5_error_code
+krb5int_libdefault_boolean(krb5_context context, const krb5_data *realm,
+ const char *option, int *ret_value)
+{
+ char *string = NULL;
+ krb5_error_code retval;
+
+ retval = krb5int_libdefault_string(context, realm, option, &string);
+
+ if (retval)
+ return(retval);
+
+ *ret_value = _krb5_conf_boolean(string);
+ free(string);
+
+ return(0);
+}
Modified: trunk/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- trunk/src/lib/krb5/krb/mk_req_ext.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/mk_req_ext.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -80,48 +80,6 @@
krb5_enctype *desired_etypes,
krb5_enctype tkt_enctype);
-krb5_error_code
-krb5int_generate_and_save_subkey(krb5_context context,
- krb5_auth_context auth_context,
- krb5_keyblock *keyblock,
- krb5_enctype enctype)
-{
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_error_code retval;
- krb5_keyblock *kb = NULL;
-
- if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
- d.length = sizeof(rnd_data);
- d.data = (char *) &rnd_data;
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
- }
-
- retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
- if (retval)
- return retval;
- retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
- if (retval)
- goto cleanup;
- retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
- if (retval)
- goto cleanup;
-
-cleanup:
- if (retval) {
- (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
- }
- krb5_free_keyblock(context, kb);
- return retval;
-}
-
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
Modified: trunk/src/lib/krb5/krb/vfy_increds.c
===================================================================
--- trunk/src/lib/krb5/krb/vfy_increds.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/krb/vfy_increds.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -115,10 +115,10 @@
(options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
if (options->ap_req_nofail)
goto cleanup;
- } else if (krb5_libdefault_boolean(context,
- &creds->client->realm,
- KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
- &nofail) == 0) {
+ } else if (krb5int_libdefault_boolean(context,
+ &creds->client->realm,
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
+ &nofail) == 0) {
if (nofail)
goto cleanup;
}
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/libkrb5.exports 2009-12-23 16:00:05 UTC (rev 23484)
@@ -401,7 +401,6 @@
krb5_ktf_writable_ops
krb5_kts_ops
krb5_kuserok
-krb5_libdefault_boolean
krb5_locate_kdc
krb5_lock_file
krb5_make_authdata_kdc_issued
Modified: trunk/src/lib/krb5/os/dnsglue.c
===================================================================
--- trunk/src/lib/krb5/os/dnsglue.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/os/dnsglue.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -2,7 +2,7 @@
/*
* lib/krb5/os/dnsglue.c
*
- * Copyright 2004 by the Massachusetts Institute of Technology.
+ * Copyright 2004, 2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -333,4 +333,76 @@
#endif
+/*
+ * Try to look up a TXT record pointing to a Kerberos realm
+ */
+
+krb5_error_code
+krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
+{
+ krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
+ const unsigned char *p, *base;
+ char host[MAXDNAME];
+ int ret, rdlen, len;
+ struct krb5int_dns_state *ds = NULL;
+ struct k5buf buf;
+
+ /*
+ * Form our query, and send it via DNS
+ */
+
+ krb5int_buf_init_fixed(&buf, host, sizeof(host));
+ if (name == NULL || name[0] == '\0') {
+ krb5int_buf_add(&buf, prefix);
+ } else {
+ krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
+
+ /* Realm names don't (normally) end with ".", but if the query
+ doesn't end with "." and doesn't get an answer as is, the
+ resolv code will try appending the local domain. Since the
+ realm names are absolutes, let's stop that.
+
+ But only if a name has been specified. If we are performing
+ a search on the prefix alone then the intention is to allow
+ the local domain or domain search lists to be expanded.
+ */
+
+ len = krb5int_buf_len(&buf);
+ if (len > 0 && host[len - 1] != '.')
+ krb5int_buf_add(&buf, ".");
+ }
+ if (krb5int_buf_data(&buf) == NULL)
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
+ ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
+ if (ret < 0)
+ goto errout;
+
+ ret = krb5int_dns_nextans(ds, &base, &rdlen);
+ if (ret < 0 || base == NULL)
+ goto errout;
+
+ p = base;
+ if (!INCR_OK(base, rdlen, p, 1))
+ goto errout;
+ len = *p++;
+ *realm = malloc((size_t)len + 1);
+ if (*realm == NULL) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ strncpy(*realm, (const char *)p, (size_t)len);
+ (*realm)[len] = '\0';
+ /* Avoid a common error. */
+ if ( (*realm)[len-1] == '.' )
+ (*realm)[len-1] = '\0';
+ retval = 0;
+
+errout:
+ if (ds != NULL) {
+ krb5int_dns_fini(ds);
+ ds = NULL;
+ }
+ return retval;
+}
+
#endif /* KRB5_DNS_LOOKUP */
Modified: trunk/src/lib/krb5/os/hst_realm.c
===================================================================
--- trunk/src/lib/krb5/os/hst_realm.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/os/hst_realm.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -84,80 +84,8 @@
char **realm, int limit);
#ifdef KRB5_DNS_LOOKUP
-
#include "dnsglue.h"
-/*
- * Try to look up a TXT record pointing to a Kerberos realm
- */
-
-krb5_error_code
-krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
-{
- krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- const unsigned char *p, *base;
- char host[MAXDNAME];
- int ret, rdlen, len;
- struct krb5int_dns_state *ds = NULL;
- struct k5buf buf;
-
- /*
- * Form our query, and send it via DNS
- */
-
- krb5int_buf_init_fixed(&buf, host, sizeof(host));
- if (name == NULL || name[0] == '\0') {
- krb5int_buf_add(&buf, prefix);
- } else {
- krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
-
- /* Realm names don't (normally) end with ".", but if the query
- doesn't end with "." and doesn't get an answer as is, the
- resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
-
- But only if a name has been specified. If we are performing
- a search on the prefix alone then the intention is to allow
- the local domain or domain search lists to be expanded.
- */
-
- len = krb5int_buf_len(&buf);
- if (len > 0 && host[len - 1] != '.')
- krb5int_buf_add(&buf, ".");
- }
- if (krb5int_buf_data(&buf) == NULL)
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
- if (ret < 0)
- goto errout;
-
- ret = krb5int_dns_nextans(ds, &base, &rdlen);
- if (ret < 0 || base == NULL)
- goto errout;
-
- p = base;
- if (!INCR_OK(base, rdlen, p, 1))
- goto errout;
- len = *p++;
- *realm = malloc((size_t)len + 1);
- if (*realm == NULL) {
- retval = ENOMEM;
- goto errout;
- }
- strncpy(*realm, (const char *)p, (size_t)len);
- (*realm)[len] = '\0';
- /* Avoid a common error. */
- if ( (*realm)[len-1] == '.' )
- (*realm)[len-1] = '\0';
- retval = 0;
-
-errout:
- if (ds != NULL) {
- krb5int_dns_fini(ds);
- ds = NULL;
- }
- return retval;
-}
-#else /* KRB5_DNS_LOOKUP */
+#else
#ifndef MAXDNAME
#define MAXDNAME (16 * MAXHOSTNAMELEN)
#endif /* MAXDNAME */
Modified: trunk/src/lib/krb5/os/init_os_ctx.c
===================================================================
--- trunk/src/lib/krb5/os/init_os_ctx.c 2009-12-22 22:26:55 UTC (rev 23483)
+++ trunk/src/lib/krb5/os/init_os_ctx.c 2009-12-23 16:00:05 UTC (rev 23484)
@@ -402,12 +402,6 @@
return retval;
}
-krb5_error_code KRB5_CALLCONV
-krb5_get_profile (krb5_context ctx, profile_t *profile)
-{
- return profile_copy (ctx->profile, profile);
-}
-
krb5_error_code
krb5_set_config_files(krb5_context ctx, const char **filenames)
{
More information about the cvs-krb5
mailing list