svn rev #21722: branches/mkey_migrate/ doc/ doc/kim/html/ doc/krb5-protocol/ ...
wfiveash@MIT.EDU
wfiveash at MIT.EDU
Fri Jan 9 20:08:18 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21722
Commit By: wfiveash
Log Message:
Merged with current trunk, no new function added. Everything builds.
Changed Files:
_U branches/mkey_migrate/
U branches/mkey_migrate/README
U branches/mkey_migrate/doc/Makefile
U branches/mkey_migrate/doc/admin.texinfo
U branches/mkey_migrate/doc/copyright.texinfo
U branches/mkey_migrate/doc/definitions.texinfo
U branches/mkey_migrate/doc/dnssrv.texinfo
U branches/mkey_migrate/doc/install.texinfo
U branches/mkey_migrate/doc/kim/html/group__kim__ccache__iterator__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__ccache__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__credential__iterator__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__credential__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__identity__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__library__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__options__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__preferences__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__selection__hints__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__string__reference.html
U branches/mkey_migrate/doc/kim/html/group__kim__types__reference.html
U branches/mkey_migrate/doc/kim/html/index.html
U branches/mkey_migrate/doc/kim/html/kim_ccache_overview.html
U branches/mkey_migrate/doc/kim/html/kim_credential_overview.html
U branches/mkey_migrate/doc/kim/html/kim_identity_overview.html
U branches/mkey_migrate/doc/kim/html/kim_options_overview.html
U branches/mkey_migrate/doc/kim/html/kim_preferences_overview.html
U branches/mkey_migrate/doc/kim/html/kim_selection_hints_overview.html
U branches/mkey_migrate/doc/kim/html/kim_string_overview.html
U branches/mkey_migrate/doc/kim/html/modules.html
D branches/mkey_migrate/doc/krb4-xrealm.txt
D branches/mkey_migrate/doc/krb425.texinfo
A branches/mkey_migrate/doc/krb5-protocol/draft-ietf-cat-kerberos-pk-init-09.txt
A branches/mkey_migrate/doc/krb5-protocol/rfc4557.txt
D branches/mkey_migrate/doc/old-V4-docs/
_U branches/mkey_migrate/src/
U branches/mkey_migrate/src/BADSYMS
U branches/mkey_migrate/src/Makefile.in
U branches/mkey_migrate/src/aclocal.m4
_U branches/mkey_migrate/src/appl/bsd/
U branches/mkey_migrate/src/appl/bsd/Makefile.in
D branches/mkey_migrate/src/appl/bsd/compat_recv.c
U branches/mkey_migrate/src/appl/bsd/configure.in
U branches/mkey_migrate/src/appl/bsd/defines.h
A branches/mkey_migrate/src/appl/bsd/deps
U branches/mkey_migrate/src/appl/bsd/forward.c
U branches/mkey_migrate/src/appl/bsd/kcmd.c
U branches/mkey_migrate/src/appl/bsd/klogind.M
U branches/mkey_migrate/src/appl/bsd/krcp.c
U branches/mkey_migrate/src/appl/bsd/krlogin.c
U branches/mkey_migrate/src/appl/bsd/krlogind.c
U branches/mkey_migrate/src/appl/bsd/krsh.c
U branches/mkey_migrate/src/appl/bsd/krshd.c
U branches/mkey_migrate/src/appl/bsd/login.M
U branches/mkey_migrate/src/appl/bsd/login.c
U branches/mkey_migrate/src/appl/bsd/rlogin.M
D branches/mkey_migrate/src/appl/bsd/v4rcp.M
D branches/mkey_migrate/src/appl/bsd/v4rcp.c
A branches/mkey_migrate/src/appl/deps
U branches/mkey_migrate/src/appl/gss-sample/Makefile.in
A branches/mkey_migrate/src/appl/gss-sample/deps
U branches/mkey_migrate/src/appl/gss-sample/gss-client.c
_U branches/mkey_migrate/src/appl/gssftp/
A branches/mkey_migrate/src/appl/gssftp/deps
U branches/mkey_migrate/src/appl/gssftp/ftp/Makefile.in
U branches/mkey_migrate/src/appl/gssftp/ftp/cmds.c
A branches/mkey_migrate/src/appl/gssftp/ftp/deps
U branches/mkey_migrate/src/appl/gssftp/ftp/ftp.M
U branches/mkey_migrate/src/appl/gssftp/ftp/ftp.c
U branches/mkey_migrate/src/appl/gssftp/ftp/glob.c
U branches/mkey_migrate/src/appl/gssftp/ftp/main.c
U branches/mkey_migrate/src/appl/gssftp/ftp/ruserpass.c
U branches/mkey_migrate/src/appl/gssftp/ftp/secure.c
U branches/mkey_migrate/src/appl/gssftp/ftpd/Makefile.in
A branches/mkey_migrate/src/appl/gssftp/ftpd/deps
U branches/mkey_migrate/src/appl/gssftp/ftpd/ftpcmd.y
U branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.M
U branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.c
_U branches/mkey_migrate/src/appl/libpty/
U branches/mkey_migrate/src/appl/libpty/Makefile.in
A branches/mkey_migrate/src/appl/libpty/deps
U branches/mkey_migrate/src/appl/libpty/getpty.c
U branches/mkey_migrate/src/appl/libpty/logwtmp.c
U branches/mkey_migrate/src/appl/libpty/update_utmp.c
A branches/mkey_migrate/src/appl/sample/deps
A branches/mkey_migrate/src/appl/sample/sclient/deps
U branches/mkey_migrate/src/appl/sample/sclient/sclient.c
A branches/mkey_migrate/src/appl/sample/sserver/deps
U branches/mkey_migrate/src/appl/sample/sserver/sserver.c
A branches/mkey_migrate/src/appl/simple/client/deps
U branches/mkey_migrate/src/appl/simple/client/sim_client.c
A branches/mkey_migrate/src/appl/simple/deps
A branches/mkey_migrate/src/appl/simple/server/deps
_U branches/mkey_migrate/src/appl/telnet/
U branches/mkey_migrate/src/appl/telnet/configure.in
A branches/mkey_migrate/src/appl/telnet/deps
U branches/mkey_migrate/src/appl/telnet/libtelnet/Makefile.in
U branches/mkey_migrate/src/appl/telnet/libtelnet/auth-proto.h
U branches/mkey_migrate/src/appl/telnet/libtelnet/auth.c
A branches/mkey_migrate/src/appl/telnet/libtelnet/deps
U branches/mkey_migrate/src/appl/telnet/libtelnet/enc_des.c
U branches/mkey_migrate/src/appl/telnet/libtelnet/encrypt.c
U branches/mkey_migrate/src/appl/telnet/libtelnet/forward.c
U branches/mkey_migrate/src/appl/telnet/libtelnet/gettytab.c
D branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos.c
U branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos5.c
U branches/mkey_migrate/src/appl/telnet/libtelnet/spx.c
U branches/mkey_migrate/src/appl/telnet/telnet/Makefile.in
U branches/mkey_migrate/src/appl/telnet/telnet/commands.c
A branches/mkey_migrate/src/appl/telnet/telnet/deps
U branches/mkey_migrate/src/appl/telnet/telnet/main.c
U branches/mkey_migrate/src/appl/telnet/telnet/telnet.c
U branches/mkey_migrate/src/appl/telnet/telnet/utilities.c
U branches/mkey_migrate/src/appl/telnet/telnetd/Makefile.in
A branches/mkey_migrate/src/appl/telnet/telnetd/deps
U branches/mkey_migrate/src/appl/telnet/telnetd/slc.c
U branches/mkey_migrate/src/appl/telnet/telnetd/sys_term.c
A branches/mkey_migrate/src/appl/user_user/deps
U branches/mkey_migrate/src/ccapi/common/cci_types.h
U branches/mkey_migrate/src/ccapi/lib/ccapi_context.c
U branches/mkey_migrate/src/ccapi/lib/ccapi_context.h
U branches/mkey_migrate/src/ccapi/lib/ccapi_string.c
U branches/mkey_migrate/src/ccapi/server/ccs_cache_collection.c
A branches/mkey_migrate/src/clients/deps
U branches/mkey_migrate/src/clients/kcpytkt/Makefile.in
U branches/mkey_migrate/src/clients/kdeltkt/Makefile.in
U branches/mkey_migrate/src/clients/kdestroy/Makefile.in
A branches/mkey_migrate/src/clients/kdestroy/deps
U branches/mkey_migrate/src/clients/kdestroy/kdestroy.M
U branches/mkey_migrate/src/clients/kdestroy/kdestroy.c
U branches/mkey_migrate/src/clients/kinit/Makefile.in
A branches/mkey_migrate/src/clients/kinit/deps
U branches/mkey_migrate/src/clients/kinit/kinit.M
U branches/mkey_migrate/src/clients/kinit/kinit.c
U branches/mkey_migrate/src/clients/klist/Makefile.in
A branches/mkey_migrate/src/clients/klist/deps
U branches/mkey_migrate/src/clients/klist/klist.M
U branches/mkey_migrate/src/clients/klist/klist.c
U branches/mkey_migrate/src/clients/kpasswd/Makefile.in
A branches/mkey_migrate/src/clients/kpasswd/deps
U branches/mkey_migrate/src/clients/kpasswd/ksetpwd.c
U branches/mkey_migrate/src/clients/ksu/Makefile.in
U branches/mkey_migrate/src/clients/ksu/authorization.c
U branches/mkey_migrate/src/clients/ksu/ccache.c
A branches/mkey_migrate/src/clients/ksu/deps
U branches/mkey_migrate/src/clients/ksu/krb_auth_su.c
U branches/mkey_migrate/src/clients/ksu/main.c
U branches/mkey_migrate/src/clients/kvno/Makefile.in
A branches/mkey_migrate/src/clients/kvno/deps
U branches/mkey_migrate/src/clients/kvno/kvno.M
U branches/mkey_migrate/src/clients/kvno/kvno.c
U branches/mkey_migrate/src/config/post.in
U branches/mkey_migrate/src/config/pre.in
U branches/mkey_migrate/src/config/shlib.conf
U branches/mkey_migrate/src/config/winexclude.sed
A branches/mkey_migrate/src/config-files/deps
U branches/mkey_migrate/src/config-files/krb5.conf.M
A branches/mkey_migrate/src/config-files/mech
U branches/mkey_migrate/src/configure.in
A branches/mkey_migrate/src/deps
A branches/mkey_migrate/src/gen-manpages/deps
U branches/mkey_migrate/src/include/Makefile.in
A branches/mkey_migrate/src/include/deps
A branches/mkey_migrate/src/include/k5-buf.h
U branches/mkey_migrate/src/include/k5-int.h
U branches/mkey_migrate/src/include/k5-platform.h
U branches/mkey_migrate/src/include/k5-plugin.h
U branches/mkey_migrate/src/include/k5-thread.h
A branches/mkey_migrate/src/include/k5-unicode.h
A branches/mkey_migrate/src/include/k5-utf8.h
U branches/mkey_migrate/src/include/kdb.h
A branches/mkey_migrate/src/include/kdb_ext.h
D branches/mkey_migrate/src/include/kerberosIV/
U branches/mkey_migrate/src/include/kim/kim_ccache.h
U branches/mkey_migrate/src/include/kim/kim_credential.h
U branches/mkey_migrate/src/include/kim/kim_options.h
U branches/mkey_migrate/src/include/kim/kim_preferences.h
U branches/mkey_migrate/src/include/krb5/authdata_plugin.h
U branches/mkey_migrate/src/include/krb5/krb5.hin
U branches/mkey_migrate/src/include/osconf.hin
U branches/mkey_migrate/src/kadmin/cli/Makefile.in
A branches/mkey_migrate/src/kadmin/cli/deps
U branches/mkey_migrate/src/kadmin/cli/kadmin.c
U branches/mkey_migrate/src/kadmin/dbutil/Makefile.in
A branches/mkey_migrate/src/kadmin/dbutil/deps
U branches/mkey_migrate/src/kadmin/dbutil/dump.c
D branches/mkey_migrate/src/kadmin/dbutil/dumpv4.c
U branches/mkey_migrate/src/kadmin/dbutil/kadm5_create.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.M
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
D branches/mkey_migrate/src/kadmin/dbutil/loadv4.c
U branches/mkey_migrate/src/kadmin/dbutil/ovload.c
A branches/mkey_migrate/src/kadmin/deps
U branches/mkey_migrate/src/kadmin/ktutil/Makefile.in
A branches/mkey_migrate/src/kadmin/ktutil/deps
U branches/mkey_migrate/src/kadmin/ktutil/ktutil.c
U branches/mkey_migrate/src/kadmin/ktutil/ktutil.h
U branches/mkey_migrate/src/kadmin/ktutil/ktutil_funcs.c
U branches/mkey_migrate/src/kadmin/passwd/Makefile.in
A branches/mkey_migrate/src/kadmin/passwd/deps
_U branches/mkey_migrate/src/kadmin/passwd/unit-test/
A branches/mkey_migrate/src/kadmin/passwd/unit-test/deps
U branches/mkey_migrate/src/kadmin/passwd/xm_kpasswd.c
U branches/mkey_migrate/src/kadmin/server/Makefile.in
D branches/mkey_migrate/src/kadmin/server/acls.l
A branches/mkey_migrate/src/kadmin/server/deps
U branches/mkey_migrate/src/kadmin/server/ipropd_svc.c
U branches/mkey_migrate/src/kadmin/server/kadm_rpc_svc.c
U branches/mkey_migrate/src/kadmin/server/misc.c
U branches/mkey_migrate/src/kadmin/server/misc.h
A branches/mkey_migrate/src/kadmin/server/network.c
U branches/mkey_migrate/src/kadmin/server/ovsec_kadmd.c
U branches/mkey_migrate/src/kadmin/server/schpw.c
U branches/mkey_migrate/src/kadmin/server/server_stubs.c
_U branches/mkey_migrate/src/kadmin/testing/
A branches/mkey_migrate/src/kadmin/testing/deps
A branches/mkey_migrate/src/kadmin/testing/scripts/deps
U branches/mkey_migrate/src/kadmin/testing/util/Makefile.in
A branches/mkey_migrate/src/kadmin/testing/util/deps
U branches/mkey_migrate/src/kadmin/testing/util/tcl_kadm5.c
D branches/mkey_migrate/src/kdc/.saberinit
U branches/mkey_migrate/src/kdc/Makefile.in
A branches/mkey_migrate/src/kdc/deps
U branches/mkey_migrate/src/kdc/dispatch.c
U branches/mkey_migrate/src/kdc/do_as_req.c
U branches/mkey_migrate/src/kdc/do_tgs_req.c
U branches/mkey_migrate/src/kdc/extern.c
U branches/mkey_migrate/src/kdc/extern.h
D branches/mkey_migrate/src/kdc/fakeka.M
D branches/mkey_migrate/src/kdc/fakeka.c
U branches/mkey_migrate/src/kdc/kdc_authdata.c
U branches/mkey_migrate/src/kdc/kdc_preauth.c
U branches/mkey_migrate/src/kdc/kdc_util.c
U branches/mkey_migrate/src/kdc/kdc_util.h
D branches/mkey_migrate/src/kdc/kerberos_v4.c
U branches/mkey_migrate/src/kdc/krb5kdc.M
U branches/mkey_migrate/src/kdc/main.c
U branches/mkey_migrate/src/kdc/network.c
U branches/mkey_migrate/src/kdc/policy.c
U branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.h
U branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.m
U branches/mkey_migrate/src/kim/agent/mac/IPCClient.h
U branches/mkey_migrate/src/kim/agent/mac/IPCClient.m
U branches/mkey_migrate/src/kim/agent/mac/Identities.m
U branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.h
U branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.m
U branches/mkey_migrate/src/kim/agent/mac/KerberosAgent-Info.plist
U branches/mkey_migrate/src/kim/agent/mac/KerberosAgentController.m
U branches/mkey_migrate/src/kim/agent/mac/KerberosAgentPrefix.pch
U branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.h
U branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.m
U branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/Authentication.xib
U branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.strings
U branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.xib
U branches/mkey_migrate/src/kim/lib/kim.exports
U branches/mkey_migrate/src/kim/lib/kim_ccache.c
D branches/mkey_migrate/src/kim/lib/kim_ccache_private.h
U branches/mkey_migrate/src/kim/lib/kim_credential.c
U branches/mkey_migrate/src/kim/lib/kim_credential_private.h
U branches/mkey_migrate/src/kim/lib/kim_error_message.c
U branches/mkey_migrate/src/kim/lib/kim_errors.et
U branches/mkey_migrate/src/kim/lib/kim_identity.c
U branches/mkey_migrate/src/kim/lib/kim_library.c
U branches/mkey_migrate/src/kim/lib/kim_library_private.h
U branches/mkey_migrate/src/kim/lib/kim_options.c
U branches/mkey_migrate/src/kim/lib/kim_preferences.c
U branches/mkey_migrate/src/kim/lib/kim_private.h
U branches/mkey_migrate/src/kim/lib/kim_selection_hints.c
U branches/mkey_migrate/src/kim/lib/kim_ui.c
U branches/mkey_migrate/src/kim/lib/kim_ui_cli.c
U branches/mkey_migrate/src/kim/lib/kim_ui_cli_private.h
U branches/mkey_migrate/src/kim/lib/kim_ui_gui_private.h
U branches/mkey_migrate/src/kim/lib/kim_ui_plugin.c
U branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.c
U branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.h
A branches/mkey_migrate/src/kim/lib/mac/KerberosLoginErrors.et
U branches/mkey_migrate/src/kim/lib/mac/kim_os_identity.c
U branches/mkey_migrate/src/kim/lib/mac/kim_os_library.c
U branches/mkey_migrate/src/kim/lib/mac/kim_os_preferences.c
U branches/mkey_migrate/src/kim/lib/mac/kim_os_string.c
U branches/mkey_migrate/src/kim/lib/mac/kim_os_ui_gui.c
U branches/mkey_migrate/src/kim/test/main.c
U branches/mkey_migrate/src/kim/test/test_kim_common.c
U branches/mkey_migrate/src/kim/test/test_kim_identity.c
U branches/mkey_migrate/src/kim/test/test_kim_identity.h
U branches/mkey_migrate/src/kim/test/test_kim_preferences.c
A branches/mkey_migrate/src/kim/test/test_kll.c
A branches/mkey_migrate/src/kim/test/test_kll_terminal.c
A branches/mkey_migrate/src/kim/test/test_ui_plugin.c
U branches/mkey_migrate/src/krb5-config.M
U branches/mkey_migrate/src/krb5-config.in
D branches/mkey_migrate/src/krb524/
U branches/mkey_migrate/src/lib/Makefile.in
U branches/mkey_migrate/src/lib/apputils/Makefile.in
A branches/mkey_migrate/src/lib/apputils/deps
U branches/mkey_migrate/src/lib/crypto/Makefile.in
A branches/mkey_migrate/src/lib/crypto/aead.c
A branches/mkey_migrate/src/lib/crypto/aead.h
U branches/mkey_migrate/src/lib/crypto/aes/Makefile.in
A branches/mkey_migrate/src/lib/crypto/aes/deps
U branches/mkey_migrate/src/lib/crypto/arcfour/Makefile.in
U branches/mkey_migrate/src/lib/crypto/arcfour/arcfour-int.h
U branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.c
U branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.h
A branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_aead.c
U branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_s2k.c
A branches/mkey_migrate/src/lib/crypto/arcfour/deps
U branches/mkey_migrate/src/lib/crypto/cksumtype_to_string.c
U branches/mkey_migrate/src/lib/crypto/cksumtypes.c
U branches/mkey_migrate/src/lib/crypto/crc32/Makefile.in
A branches/mkey_migrate/src/lib/crypto/crc32/deps
A branches/mkey_migrate/src/lib/crypto/crypto_length.c
U branches/mkey_migrate/src/lib/crypto/decrypt.c
A branches/mkey_migrate/src/lib/crypto/decrypt_iov.c
A branches/mkey_migrate/src/lib/crypto/deps
U branches/mkey_migrate/src/lib/crypto/des/Makefile.in
A branches/mkey_migrate/src/lib/crypto/des/d3_aead.c
A branches/mkey_migrate/src/lib/crypto/des/deps
U branches/mkey_migrate/src/lib/crypto/des/des_int.h
A branches/mkey_migrate/src/lib/crypto/des/f_aead.c
U branches/mkey_migrate/src/lib/crypto/dk/Makefile.in
U branches/mkey_migrate/src/lib/crypto/dk/checksum.c
A branches/mkey_migrate/src/lib/crypto/dk/deps
U branches/mkey_migrate/src/lib/crypto/dk/dk.h
A branches/mkey_migrate/src/lib/crypto/dk/dk_aead.c
U branches/mkey_migrate/src/lib/crypto/enc_provider/Makefile.in
U branches/mkey_migrate/src/lib/crypto/enc_provider/aes.c
A branches/mkey_migrate/src/lib/crypto/enc_provider/deps
U branches/mkey_migrate/src/lib/crypto/enc_provider/des.c
U branches/mkey_migrate/src/lib/crypto/enc_provider/des3.c
U branches/mkey_migrate/src/lib/crypto/enc_provider/enc_provider.h
U branches/mkey_migrate/src/lib/crypto/enc_provider/rc4.c
U branches/mkey_migrate/src/lib/crypto/encrypt.c
A branches/mkey_migrate/src/lib/crypto/encrypt_iov.c
U branches/mkey_migrate/src/lib/crypto/encrypt_length.c
U branches/mkey_migrate/src/lib/crypto/enctype_to_string.c
U branches/mkey_migrate/src/lib/crypto/etypes.c
U branches/mkey_migrate/src/lib/crypto/hash_provider/Makefile.in
A branches/mkey_migrate/src/lib/crypto/hash_provider/deps
U branches/mkey_migrate/src/lib/crypto/hmac.c
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/Makefile.in
A branches/mkey_migrate/src/lib/crypto/keyhash_provider/deps
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/descbc.c
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/hmac_md5.c
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md4des.c
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md5des.c
U branches/mkey_migrate/src/lib/crypto/keyhash_provider/keyhash_provider.h
A branches/mkey_migrate/src/lib/crypto/keyhash_provider/md5_hmac.c
U branches/mkey_migrate/src/lib/crypto/libk5crypto.exports
U branches/mkey_migrate/src/lib/crypto/make_checksum.c
A branches/mkey_migrate/src/lib/crypto/make_checksum_iov.c
U branches/mkey_migrate/src/lib/crypto/md4/Makefile.in
A branches/mkey_migrate/src/lib/crypto/md4/deps
U branches/mkey_migrate/src/lib/crypto/md5/Makefile.in
A branches/mkey_migrate/src/lib/crypto/md5/deps
U branches/mkey_migrate/src/lib/crypto/old/Makefile.in
A branches/mkey_migrate/src/lib/crypto/old/deps
U branches/mkey_migrate/src/lib/crypto/raw/Makefile.in
A branches/mkey_migrate/src/lib/crypto/raw/deps
U branches/mkey_migrate/src/lib/crypto/raw/raw.h
A branches/mkey_migrate/src/lib/crypto/raw/raw_aead.c
U branches/mkey_migrate/src/lib/crypto/sha1/Makefile.in
A branches/mkey_migrate/src/lib/crypto/sha1/deps
U branches/mkey_migrate/src/lib/crypto/string_to_key.c
U branches/mkey_migrate/src/lib/crypto/t_encrypt.c
U branches/mkey_migrate/src/lib/crypto/t_hmac.c
U branches/mkey_migrate/src/lib/crypto/vectors.c
U branches/mkey_migrate/src/lib/crypto/verify_checksum.c
A branches/mkey_migrate/src/lib/crypto/verify_checksum_iov.c
U branches/mkey_migrate/src/lib/crypto/yarrow/Makefile.in
A branches/mkey_migrate/src/lib/crypto/yarrow/deps
A branches/mkey_migrate/src/lib/deps
D branches/mkey_migrate/src/lib/des425/
U branches/mkey_migrate/src/lib/gssapi/Makefile.in
A branches/mkey_migrate/src/lib/gssapi/deps
U branches/mkey_migrate/src/lib/gssapi/generic/Makefile.in
A branches/mkey_migrate/src/lib/gssapi/generic/deps
U branches/mkey_migrate/src/lib/gssapi/generic/disp_com_err_status.c
U branches/mkey_migrate/src/lib/gssapi/generic/disp_major_status.c
U branches/mkey_migrate/src/lib/gssapi/generic/gssapi.hin
U branches/mkey_migrate/src/lib/gssapi/generic/gssapiP_generic.h
A branches/mkey_migrate/src/lib/gssapi/generic/gssapi_ext.h
U branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.c
U branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.h
U branches/mkey_migrate/src/lib/gssapi/generic/maptest.c
A branches/mkey_migrate/src/lib/gssapi/generic/oid_ops.c
U branches/mkey_migrate/src/lib/gssapi/generic/rel_buffer.c
U branches/mkey_migrate/src/lib/gssapi/generic/rel_oid_set.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_buffer.c
A branches/mkey_migrate/src/lib/gssapi/generic/util_buffer_set.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_canonhost.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_errmap.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_localhost.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_ordering.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_set.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_token.c
U branches/mkey_migrate/src/lib/gssapi/generic/util_validate.c
U branches/mkey_migrate/src/lib/gssapi/generic/utl_nohash_validate.c
D branches/mkey_migrate/src/lib/gssapi/gss_libinit.c
D branches/mkey_migrate/src/lib/gssapi/gss_libinit.h
U branches/mkey_migrate/src/lib/gssapi/krb5/Makefile.in
U branches/mkey_migrate/src/lib/gssapi/krb5/accept_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/acquire_cred.c
U branches/mkey_migrate/src/lib/gssapi/krb5/add_cred.c
U branches/mkey_migrate/src/lib/gssapi/krb5/canon_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/compare_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/context_time.c
U branches/mkey_migrate/src/lib/gssapi/krb5/copy_ccache.c
U branches/mkey_migrate/src/lib/gssapi/krb5/delete_sec_context.c
A branches/mkey_migrate/src/lib/gssapi/krb5/deps
U branches/mkey_migrate/src/lib/gssapi/krb5/disp_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/disp_status.c
U branches/mkey_migrate/src/lib/gssapi/krb5/duplicate_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/export_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/export_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/get_tkt_flags.c
U branches/mkey_migrate/src/lib/gssapi/krb5/gssapiP_krb5.h
U branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.c
U branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.hin
U branches/mkey_migrate/src/lib/gssapi/krb5/import_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/import_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/indicate_mechs.c
U branches/mkey_migrate/src/lib/gssapi/krb5/init_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/inq_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/inq_cred.c
U branches/mkey_migrate/src/lib/gssapi/krb5/inq_names.c
U branches/mkey_migrate/src/lib/gssapi/krb5/k5seal.c
A branches/mkey_migrate/src/lib/gssapi/krb5/k5sealiov.c
U branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3.c
A branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3iov.c
U branches/mkey_migrate/src/lib/gssapi/krb5/k5unseal.c
A branches/mkey_migrate/src/lib/gssapi/krb5/k5unsealiov.c
U branches/mkey_migrate/src/lib/gssapi/krb5/krb5_gss_glue.c
U branches/mkey_migrate/src/lib/gssapi/krb5/lucid_context.c
U branches/mkey_migrate/src/lib/gssapi/krb5/process_context_token.c
U branches/mkey_migrate/src/lib/gssapi/krb5/rel_cred.c
U branches/mkey_migrate/src/lib/gssapi/krb5/rel_name.c
U branches/mkey_migrate/src/lib/gssapi/krb5/rel_oid.c
U branches/mkey_migrate/src/lib/gssapi/krb5/seal.c
U branches/mkey_migrate/src/lib/gssapi/krb5/ser_sctx.c
U branches/mkey_migrate/src/lib/gssapi/krb5/set_allowable_enctypes.c
U branches/mkey_migrate/src/lib/gssapi/krb5/set_ccache.c
U branches/mkey_migrate/src/lib/gssapi/krb5/sign.c
U branches/mkey_migrate/src/lib/gssapi/krb5/unseal.c
U branches/mkey_migrate/src/lib/gssapi/krb5/util_cksum.c
U branches/mkey_migrate/src/lib/gssapi/krb5/util_crypt.c
U branches/mkey_migrate/src/lib/gssapi/krb5/util_seed.c
U branches/mkey_migrate/src/lib/gssapi/krb5/util_seqnum.c
U branches/mkey_migrate/src/lib/gssapi/krb5/val_cred.c
U branches/mkey_migrate/src/lib/gssapi/krb5/verify.c
U branches/mkey_migrate/src/lib/gssapi/krb5/wrap_size_limit.c
U branches/mkey_migrate/src/lib/gssapi/libgssapi_krb5.exports
U branches/mkey_migrate/src/lib/gssapi/mechglue/Makefile.in
A branches/mkey_migrate/src/lib/gssapi/mechglue/deps
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_accept_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_acquire_cred.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_buffer_set.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_compare_name.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_complete_auth_token.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_context_time.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_delete_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_dsp_status.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_exp_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name_object.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_glue.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name_object.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_init_sec_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_initialize.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context_oid.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred_oid.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_names.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_mech_invoke.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_oid_ops.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_process_context.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_cred.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_name.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_oid_set.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_seal.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_set_context_option.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_set_cred_option.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_sign.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_store_cred.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_unseal.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_unwrap_aead.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_unwrap_iov.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_userok.c
U branches/mkey_migrate/src/lib/gssapi/mechglue/g_verify.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_wrap_aead.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/g_wrap_iov.c
A branches/mkey_migrate/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
D branches/mkey_migrate/src/lib/gssapi/mechglue/mech.conf
U branches/mkey_migrate/src/lib/gssapi/mechglue/mechglue.h
U branches/mkey_migrate/src/lib/gssapi/mechglue/mglueP.h
D branches/mkey_migrate/src/lib/gssapi/mechglue/oid_ops.c
U branches/mkey_migrate/src/lib/gssapi/spnego/Makefile.in
A branches/mkey_migrate/src/lib/gssapi/spnego/deps
U branches/mkey_migrate/src/lib/gssapi/spnego/gssapiP_spnego.h
A branches/mkey_migrate/src/lib/gssapi/spnego/mech_spnego.exports
U branches/mkey_migrate/src/lib/gssapi/spnego/spnego_mech.c
U branches/mkey_migrate/src/lib/kadm5/Makefile.in
U branches/mkey_migrate/src/lib/kadm5/admin.h
U branches/mkey_migrate/src/lib/kadm5/alt_prof.c
U branches/mkey_migrate/src/lib/kadm5/clnt/Makefile.in
U branches/mkey_migrate/src/lib/kadm5/clnt/client_init.c
U branches/mkey_migrate/src/lib/kadm5/clnt/client_principal.c
U branches/mkey_migrate/src/lib/kadm5/clnt/client_rpc.c
A branches/mkey_migrate/src/lib/kadm5/clnt/deps
A branches/mkey_migrate/src/lib/kadm5/deps
U branches/mkey_migrate/src/lib/kadm5/logger.c
U branches/mkey_migrate/src/lib/kadm5/srv/Makefile.in
A branches/mkey_migrate/src/lib/kadm5/srv/deps
U branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports
U branches/mkey_migrate/src/lib/kadm5/srv/server_acl.c
U branches/mkey_migrate/src/lib/kadm5/srv/server_acl.h
U branches/mkey_migrate/src/lib/kadm5/srv/server_dict.c
U branches/mkey_migrate/src/lib/kadm5/srv/svr_iters.c
U branches/mkey_migrate/src/lib/kadm5/srv/svr_policy.c
U branches/mkey_migrate/src/lib/kadm5/srv/svr_principal.c
U branches/mkey_migrate/src/lib/kadm5/str_conv.c
U branches/mkey_migrate/src/lib/kadm5/unit-test/Makefile.in
A branches/mkey_migrate/src/lib/kadm5/unit-test/deps
U branches/mkey_migrate/src/lib/kdb/Makefile.in
U branches/mkey_migrate/src/lib/kdb/decrypt_key.c
A branches/mkey_migrate/src/lib/kdb/deps
U branches/mkey_migrate/src/lib/kdb/encrypt_key.c
U branches/mkey_migrate/src/lib/kdb/kdb5.c
U branches/mkey_migrate/src/lib/kdb/kdb5.h
A branches/mkey_migrate/src/lib/kdb/kdb5int.h
U branches/mkey_migrate/src/lib/kdb/kdb_convert.c
U branches/mkey_migrate/src/lib/kdb/kdb_default.c
U branches/mkey_migrate/src/lib/kdb/kdb_log.c
U branches/mkey_migrate/src/lib/kdb/keytab.c
U branches/mkey_migrate/src/lib/kdb/libkdb5.exports
D branches/mkey_migrate/src/lib/krb4/
U branches/mkey_migrate/src/lib/krb5/Makefile.in
D branches/mkey_migrate/src/lib/krb5/asn.1/.saberinit
U branches/mkey_migrate/src/lib/krb5/asn.1/Makefile.in
A branches/mkey_migrate/src/lib/krb5/asn.1/TODO.asn1
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.h
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.h
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.h
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.h
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.c
U branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.h
A branches/mkey_migrate/src/lib/krb5/asn.1/deps
U branches/mkey_migrate/src/lib/krb5/asn.1/krb5_decode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/krb5_encode.c
U branches/mkey_migrate/src/lib/krb5/asn.1/krbasn1.h
U branches/mkey_migrate/src/lib/krb5/asn.1/ldap_key_seq.c
_U branches/mkey_migrate/src/lib/krb5/ccache/
U branches/mkey_migrate/src/lib/krb5/ccache/Makefile.in
U branches/mkey_migrate/src/lib/krb5/ccache/cc-int.h
U branches/mkey_migrate/src/lib/krb5/ccache/cc_file.c
U branches/mkey_migrate/src/lib/krb5/ccache/cc_memory.c
U branches/mkey_migrate/src/lib/krb5/ccache/ccapi/stdcc.c
U branches/mkey_migrate/src/lib/krb5/ccache/ccdefault.c
U branches/mkey_migrate/src/lib/krb5/ccache/ccfns.c
A branches/mkey_migrate/src/lib/krb5/ccache/deps
A branches/mkey_migrate/src/lib/krb5/deps
U branches/mkey_migrate/src/lib/krb5/error_tables/Makefile.in
A branches/mkey_migrate/src/lib/krb5/error_tables/deps
U branches/mkey_migrate/src/lib/krb5/error_tables/krb5_err.et
_U branches/mkey_migrate/src/lib/krb5/keytab/
U branches/mkey_migrate/src/lib/krb5/keytab/Makefile.in
A branches/mkey_migrate/src/lib/krb5/keytab/deps
U branches/mkey_migrate/src/lib/krb5/keytab/kt_file.c
U branches/mkey_migrate/src/lib/krb5/keytab/kt_memory.c
U branches/mkey_migrate/src/lib/krb5/keytab/kt_srvtab.c
U branches/mkey_migrate/src/lib/krb5/keytab/ktbase.c
U branches/mkey_migrate/src/lib/krb5/krb/Makefile.in
U branches/mkey_migrate/src/lib/krb5/krb/addr_srch.c
U branches/mkey_migrate/src/lib/krb5/krb/auth_con.c
U branches/mkey_migrate/src/lib/krb5/krb/auth_con.h
U branches/mkey_migrate/src/lib/krb5/krb/bld_pr_ext.c
U branches/mkey_migrate/src/lib/krb5/krb/bld_princ.c
U branches/mkey_migrate/src/lib/krb5/krb/chk_trans.c
U branches/mkey_migrate/src/lib/krb5/krb/chpw.c
U branches/mkey_migrate/src/lib/krb5/krb/conv_creds.c
U branches/mkey_migrate/src/lib/krb5/krb/conv_princ.c
U branches/mkey_migrate/src/lib/krb5/krb/copy_athctr.c
U branches/mkey_migrate/src/lib/krb5/krb/copy_auth.c
A branches/mkey_migrate/src/lib/krb5/krb/deps
U branches/mkey_migrate/src/lib/krb5/krb/gc_frm_kdc.c
U branches/mkey_migrate/src/lib/krb5/krb/gc_via_tkt.c
U branches/mkey_migrate/src/lib/krb5/krb/gen_subkey.c
U branches/mkey_migrate/src/lib/krb5/krb/get_creds.c
U branches/mkey_migrate/src/lib/krb5/krb/get_in_tkt.c
U branches/mkey_migrate/src/lib/krb5/krb/gic_opt.c
U branches/mkey_migrate/src/lib/krb5/krb/gic_pwd.c
U branches/mkey_migrate/src/lib/krb5/krb/init_ctx.c
U branches/mkey_migrate/src/lib/krb5/krb/int-proto.h
U branches/mkey_migrate/src/lib/krb5/krb/kfree.c
U branches/mkey_migrate/src/lib/krb5/krb/mk_cred.c
U branches/mkey_migrate/src/lib/krb5/krb/mk_rep.c
U branches/mkey_migrate/src/lib/krb5/krb/mk_req_ext.c
A branches/mkey_migrate/src/lib/krb5/krb/pac.c
U branches/mkey_migrate/src/lib/krb5/krb/parse.c
U branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_cert_store.c
U branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_utils.c
U branches/mkey_migrate/src/lib/krb5/krb/preauth.c
U branches/mkey_migrate/src/lib/krb5/krb/preauth2.c
U branches/mkey_migrate/src/lib/krb5/krb/princ_comp.c
U branches/mkey_migrate/src/lib/krb5/krb/rd_priv.c
U branches/mkey_migrate/src/lib/krb5/krb/rd_rep.c
U branches/mkey_migrate/src/lib/krb5/krb/rd_req.c
U branches/mkey_migrate/src/lib/krb5/krb/rd_req_dec.c
U branches/mkey_migrate/src/lib/krb5/krb/rd_safe.c
U branches/mkey_migrate/src/lib/krb5/krb/send_tgs.c
U branches/mkey_migrate/src/lib/krb5/krb/ser_actx.c
U branches/mkey_migrate/src/lib/krb5/krb/ser_auth.c
U branches/mkey_migrate/src/lib/krb5/krb/serialize.c
U branches/mkey_migrate/src/lib/krb5/krb/set_realm.c
U branches/mkey_migrate/src/lib/krb5/krb/srv_rcache.c
U branches/mkey_migrate/src/lib/krb5/krb/str_conv.c
U branches/mkey_migrate/src/lib/krb5/krb/t_kerb.c
U branches/mkey_migrate/src/lib/krb5/krb/t_ser.c
U branches/mkey_migrate/src/lib/krb5/krb/unparse.c
D branches/mkey_migrate/src/lib/krb5/krb/v4lifetime.c
U branches/mkey_migrate/src/lib/krb5/krb/valid_times.c
U branches/mkey_migrate/src/lib/krb5/krb/vfy_increds.c
U branches/mkey_migrate/src/lib/krb5/krb/walk_rtree.c
U branches/mkey_migrate/src/lib/krb5/krb/walktree-tests
U branches/mkey_migrate/src/lib/krb5/libkrb5.exports
U branches/mkey_migrate/src/lib/krb5/os/Makefile.in
U branches/mkey_migrate/src/lib/krb5/os/accessor.c
U branches/mkey_migrate/src/lib/krb5/os/an_to_ln.c
U branches/mkey_migrate/src/lib/krb5/os/ccdefname.c
U branches/mkey_migrate/src/lib/krb5/os/changepw.c
U branches/mkey_migrate/src/lib/krb5/os/def_realm.c
A branches/mkey_migrate/src/lib/krb5/os/deps
U branches/mkey_migrate/src/lib/krb5/os/dnssrv.c
U branches/mkey_migrate/src/lib/krb5/os/hst_realm.c
U branches/mkey_migrate/src/lib/krb5/os/init_os_ctx.c
U branches/mkey_migrate/src/lib/krb5/os/ktdefname.c
U branches/mkey_migrate/src/lib/krb5/os/promptusr.c
U branches/mkey_migrate/src/lib/krb5/os/realm_dom.c
D branches/mkey_migrate/src/lib/krb5/os/send524.c
U branches/mkey_migrate/src/lib/krb5/os/sendto_kdc.c
U branches/mkey_migrate/src/lib/krb5/os/sn2princ.c
U branches/mkey_migrate/src/lib/krb5/os/t_gifconf.c
U branches/mkey_migrate/src/lib/krb5/os/t_locate_kdc.c
U branches/mkey_migrate/src/lib/krb5/os/timeofday.c
U branches/mkey_migrate/src/lib/krb5/rcache/Makefile.in
A branches/mkey_migrate/src/lib/krb5/rcache/deps
U branches/mkey_migrate/src/lib/krb5/rcache/rc-int.h
U branches/mkey_migrate/src/lib/krb5/rcache/rc_base.c
U branches/mkey_migrate/src/lib/krb5/rcache/rc_base.h
U branches/mkey_migrate/src/lib/krb5/rcache/rc_conv.c
U branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.c
U branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.h
U branches/mkey_migrate/src/lib/krb5/rcache/rc_io.c
U branches/mkey_migrate/src/lib/krb5/rcache/rc_io.h
U branches/mkey_migrate/src/lib/krb5/rcache/rc_none.c
U branches/mkey_migrate/src/lib/krb5/rcache/rcdef.c
U branches/mkey_migrate/src/lib/krb5/rcache/rcfns.c
U branches/mkey_migrate/src/lib/krb5/rcache/ser_rc.c
A branches/mkey_migrate/src/lib/krb5/unicode/
U branches/mkey_migrate/src/lib/rpc/Makefile.in
U branches/mkey_migrate/src/lib/rpc/auth_gssapi.c
U branches/mkey_migrate/src/lib/rpc/auth_gssapi_misc.c
U branches/mkey_migrate/src/lib/rpc/clnt_perror.c
U branches/mkey_migrate/src/lib/rpc/clnt_simple.c
A branches/mkey_migrate/src/lib/rpc/deps
A branches/mkey_migrate/src/lib/rpc/gssrpcint.h
U branches/mkey_migrate/src/lib/rpc/svc_auth_gss.c
U branches/mkey_migrate/src/lib/rpc/svc_auth_gssapi.c
U branches/mkey_migrate/src/lib/rpc/unit-test/Makefile.in
U branches/mkey_migrate/src/lib/rpc/unit-test/client.c
A branches/mkey_migrate/src/lib/rpc/unit-test/deps
U branches/mkey_migrate/src/lib/rpc/unit-test/server.c
_U branches/mkey_migrate/src/plugins/authdata/greet/
U branches/mkey_migrate/src/plugins/authdata/greet/Makefile.in
A branches/mkey_migrate/src/plugins/authdata/greet/deps
U branches/mkey_migrate/src/plugins/authdata/greet/greet_auth.c
U branches/mkey_migrate/src/plugins/kdb/db2/Makefile.in
U branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
A branches/mkey_migrate/src/plugins/kdb/db2/deps
U branches/mkey_migrate/src/plugins/kdb/db2/kdb_db2.c
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/deps
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/dbtest.c
A branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/deps
U branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c
U branches/mkey_migrate/src/plugins/kdb/ldap/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/ldap/deps
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/deps
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
U branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
A branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/deps
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
U branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c
U branches/mkey_migrate/src/plugins/locate/python/Makefile.in
A branches/mkey_migrate/src/plugins/locate/python/deps
U branches/mkey_migrate/src/plugins/locate/python/py-locate.c
U branches/mkey_migrate/src/plugins/preauth/cksum_body/Makefile.in
U branches/mkey_migrate/src/plugins/preauth/cksum_body/cksum_body_main.c
A branches/mkey_migrate/src/plugins/preauth/cksum_body/deps
_U branches/mkey_migrate/src/plugins/preauth/pkinit/
U branches/mkey_migrate/src/plugins/preauth/pkinit/Makefile.in
A branches/mkey_migrate/src/plugins/preauth/pkinit/deps
U branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
U branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_profile.c
U branches/mkey_migrate/src/plugins/preauth/wpse/Makefile.in
A branches/mkey_migrate/src/plugins/preauth/wpse/deps
U branches/mkey_migrate/src/plugins/preauth/wpse/wpse_main.c
_U branches/mkey_migrate/src/slave/
U branches/mkey_migrate/src/slave/Makefile.in
A branches/mkey_migrate/src/slave/deps
U branches/mkey_migrate/src/slave/kprop.c
U branches/mkey_migrate/src/slave/kpropd.c
U branches/mkey_migrate/src/slave/kproplog.c
_U branches/mkey_migrate/src/tests/
_U branches/mkey_migrate/src/tests/asn.1/
U branches/mkey_migrate/src/tests/asn.1/Makefile.in
A branches/mkey_migrate/src/tests/asn.1/deps
U branches/mkey_migrate/src/tests/asn.1/krb5_decode_test.c
U branches/mkey_migrate/src/tests/asn.1/krb5_encode_test.c
U branches/mkey_migrate/src/tests/asn.1/ktest.c
U branches/mkey_migrate/src/tests/asn.1/ktest.h
U branches/mkey_migrate/src/tests/asn.1/ktest_equal.c
U branches/mkey_migrate/src/tests/asn.1/ktest_equal.h
A branches/mkey_migrate/src/tests/asn.1/ldap_encode.out
A branches/mkey_migrate/src/tests/asn.1/ldap_trval.out
U branches/mkey_migrate/src/tests/asn.1/reference_encode.out
U branches/mkey_migrate/src/tests/asn.1/t_trval.c
U branches/mkey_migrate/src/tests/asn.1/trval.c
U branches/mkey_migrate/src/tests/asn.1/trval_reference.out
U branches/mkey_migrate/src/tests/asn.1/utility.c
U branches/mkey_migrate/src/tests/asn.1/utility.h
U branches/mkey_migrate/src/tests/create/Makefile.in
A branches/mkey_migrate/src/tests/create/deps
U branches/mkey_migrate/src/tests/create/kdb5_mkdums.c
_U branches/mkey_migrate/src/tests/dejagnu/
U branches/mkey_migrate/src/tests/dejagnu/Makefile.in
U branches/mkey_migrate/src/tests/dejagnu/config/default.exp
A branches/mkey_migrate/src/tests/dejagnu/deps
U branches/mkey_migrate/src/tests/dejagnu/krb-root/rlogin.exp
U branches/mkey_migrate/src/tests/dejagnu/krb-root/telnet.exp
U branches/mkey_migrate/src/tests/dejagnu/krb-standalone/gssftp.exp
A branches/mkey_migrate/src/tests/dejagnu/krb-standalone/iprop.exp
U branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kadmin.exp
A branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kprop.exp
A branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwchange.exp
U branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwhist.exp
A branches/mkey_migrate/src/tests/dejagnu/krb-standalone/simple.exp
U branches/mkey_migrate/src/tests/dejagnu/krb-standalone/standalone.exp
A branches/mkey_migrate/src/tests/dejagnu/krb-standalone/tcp.exp
D branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4gssftp.exp
D branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4krb524d.exp
D branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4standalone.exp
A branches/mkey_migrate/src/tests/deps
U branches/mkey_migrate/src/tests/gss-threads/Makefile.in
A branches/mkey_migrate/src/tests/gss-threads/deps
U branches/mkey_migrate/src/tests/gss-threads/gss-client.c
U branches/mkey_migrate/src/tests/gssapi/Makefile.in
A branches/mkey_migrate/src/tests/gssapi/deps
U branches/mkey_migrate/src/tests/hammer/Makefile.in
A branches/mkey_migrate/src/tests/hammer/deps
U branches/mkey_migrate/src/tests/hammer/kdc5_hammer.c
_U branches/mkey_migrate/src/tests/misc/
U branches/mkey_migrate/src/tests/misc/Makefile.in
A branches/mkey_migrate/src/tests/misc/deps
_U branches/mkey_migrate/src/tests/mkeystash_compat/
U branches/mkey_migrate/src/tests/mkeystash_compat/Makefile.in
A branches/mkey_migrate/src/tests/mkeystash_compat/deps
U branches/mkey_migrate/src/tests/resolve/Makefile.in
U branches/mkey_migrate/src/tests/resolve/addrinfo-test.c
A branches/mkey_migrate/src/tests/resolve/deps
U branches/mkey_migrate/src/tests/shlib/Makefile.in
A branches/mkey_migrate/src/tests/shlib/deps
U branches/mkey_migrate/src/tests/shlib/t_loader.c
U branches/mkey_migrate/src/tests/threads/Makefile.in
A branches/mkey_migrate/src/tests/threads/deps
U branches/mkey_migrate/src/tests/threads/t_rcache.c
U branches/mkey_migrate/src/tests/verify/Makefile.in
A branches/mkey_migrate/src/tests/verify/deps
U branches/mkey_migrate/src/tests/verify/kdb5_verify.c
U branches/mkey_migrate/src/util/Makefile.in
_U branches/mkey_migrate/src/util/collected-client-lib/
U branches/mkey_migrate/src/util/collected-client-lib/Makefile.in
A branches/mkey_migrate/src/util/collected-client-lib/deps
U branches/mkey_migrate/src/util/depfix.pl
A branches/mkey_migrate/src/util/deps
U branches/mkey_migrate/src/util/et/Makefile.in
A branches/mkey_migrate/src/util/et/deps
U branches/mkey_migrate/src/util/et/error_message.c
U branches/mkey_migrate/src/util/et/error_table.y
U branches/mkey_migrate/src/util/et/internal.h
U branches/mkey_migrate/src/util/et/t_com_err.c
U branches/mkey_migrate/src/util/mac/k5_mig_client.c
U branches/mkey_migrate/src/util/mac/k5_mig_server.c
U branches/mkey_migrate/src/util/mac/k5_mig_server.h
U branches/mkey_migrate/src/util/mac/k5_mig_types.h
U branches/mkey_migrate/src/util/profile/Makefile.in
A branches/mkey_migrate/src/util/profile/deps
U branches/mkey_migrate/src/util/profile/prof_file.c
U branches/mkey_migrate/src/util/profile/prof_get.c
U branches/mkey_migrate/src/util/profile/prof_init.c
U branches/mkey_migrate/src/util/profile/prof_tree.c
A branches/mkey_migrate/src/util/send-pr/deps
U branches/mkey_migrate/src/util/ss/Makefile.in
A branches/mkey_migrate/src/util/ss/deps
U branches/mkey_migrate/src/util/ss/execute_cmd.c
U branches/mkey_migrate/src/util/ss/help.c
U branches/mkey_migrate/src/util/ss/utils.c
_U branches/mkey_migrate/src/util/support/
U branches/mkey_migrate/src/util/support/Makefile.in
A branches/mkey_migrate/src/util/support/deps
U branches/mkey_migrate/src/util/support/errors.c
U branches/mkey_migrate/src/util/support/fake-addrinfo.c
U branches/mkey_migrate/src/util/support/init-addrinfo.c
A branches/mkey_migrate/src/util/support/k5buf-int.h
A branches/mkey_migrate/src/util/support/k5buf.c
U branches/mkey_migrate/src/util/support/libkrb5support-fixed.exports
U branches/mkey_migrate/src/util/support/plugins.c
A branches/mkey_migrate/src/util/support/printf.c
A branches/mkey_migrate/src/util/support/strlcpy.c
A branches/mkey_migrate/src/util/support/t_k5buf.c
A branches/mkey_migrate/src/util/support/utf8.c
A branches/mkey_migrate/src/util/support/utf8_conv.c
U branches/mkey_migrate/src/wconfig.c
Modified: branches/mkey_migrate/README
===================================================================
--- branches/mkey_migrate/README 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/README 2009-01-10 01:06:45 UTC (rev 21722)
@@ -425,6 +425,10 @@
slave/kpropd_rpc.c
slave/kproplog.c
+and marked portions of the following files:
+
+ lib/krb5/os/hst_realm.c
+
are subject to the following license:
Copyright (c) 2004 Sun Microsystems, Inc.
@@ -594,7 +598,80 @@
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ --------------------
+The implementations of strlcpy and strlcat in
+src/util/support/strlcat.c have the following copyright and permission
+notice:
+
+Copyright (c) 1998 Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ --------------------
+
+The implementations of UTF-8 string handling in src/util/support and
+src/lib/krb5/unicode are subject to the following copyright and
+permission notice:
+
+The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
+
+1. Redistributions in source form must retain copyright statements
+ and notices,
+
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+
+3. Redistributions must contain a verbatim copy of this document.
+
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
+
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All Rights Reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
Acknowledgements
----------------
Modified: branches/mkey_migrate/doc/Makefile
===================================================================
--- branches/mkey_migrate/doc/Makefile 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/Makefile 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,11 +26,8 @@
USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo
USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES)
-KRB425_INCLUDES=definitions.texinfo copyright.texinfo
-KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES)
-
.PHONY: all
-all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex
+all:: admin-guide-full install-guide-full user-guide-full clean-temp-ps clean-tex
.PHONY: admin-guide-full
admin-guide-full:: admin-guide admin-guide-info admin-guide-html
@@ -118,28 +115,6 @@
$(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html
$(HTML) user-guide.texinfo
-.PHONY: krb425-guide-full
-krb425-guide-full:: krb425-guide krb425-guide-info krb425-guide-html
-
-.PHONY: krb425-guide
-krb425-guide:: krb425-guide.ps
-
-krb425-guide.ps: $(KRB425_DEPS)
- $(DVI) krb425.texinfo
- $(DVIPS) krb425
-
-.PHONY: krb425-guide-html
-krb425-guide-html:: krb425.html
-
-krb425.html:: $(KRB425_DEPS)
- $(HTML) krb425.texinfo
-
-.PHONY: krb425-guide-info
-krb425-guide-info:: krb425.info
-
-krb425.info: $(KRB425_DEPS)
- $(INFO) krb425.texinfo
-
.PHONY: implementor.ps implementor.pdf implementor.info
implementor.pdf: implementor.ps
$(PSPDF) implementor.ps
Modified: branches/mkey_migrate/doc/admin.texinfo
===================================================================
--- branches/mkey_migrate/doc/admin.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/admin.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -502,18 +502,6 @@
code.
@end ignore
- at itemx krb4_srvtab
-Specifies the location of the Kerberos V4 srvtab file. Default is
- at value{DefaultKrb4Srvtab}.
-
- at itemx krb4_config
-Specifies the location of hte Kerberos V4 configuration file. Default
-is @value{DefaultKrb4Config}.
-
- at itemx krb4_realms
-Specifies the location of the Kerberos V4 domain/realm translation
-file. Default is @value{DefaultKrb4Realms}.
-
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
other servers for a realm, if they are not listed in the information for
@@ -637,33 +625,7 @@
that application's man pages. The application defaults specified here
are overridden by those specified in the [realms] section.
-A special application name (afs_krb5) is used by the krb524 service to
-know whether new format AFS tokens based on Kerberos 5 can be used
-rather than the older format which used a converted Kerberos 4 ticket.
-The new format allows for cross-realm authentication without
-introducing a security hole. It is used by default. Older AFS
-servers (before OpenAFS 1.2.8) will not support the new format. If
-servers in your cell do not support the new format, you will need to
-add an @code{afs_krb5} relation to the @code{appdefaults} section.
-The following config file shows how to disable new format AFS tickets
-for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
- at smallexample
- at group
-[appdefaults]
- afs_krb5 = @{
- EXAMPLE.COM = @{
- afs/afs.example.com = false
- @}
- @}
-
- at end group
- at end smallexample
-
-
-
-
-
@node login, realms (krb5.conf), appdefaults, krb5.conf
@subsection [login]
@@ -675,20 +637,6 @@
Indicate whether or not to use a user's password to get V5 tickets.
The default value is @value{DefaultKrb5GetTickets}.
- at itemx krb4_get_tickets
-Indicate whether or not to user a user's password to get V4 tickets.
-The default value is @value{DefaultKrb4GetTickets}.
-
- at itemx krb4_convert
-Indicate whether or not to use the Kerberos conversion daemon to get V4
-tickets. The default value is @value{DefaultKrb4Convert}. If this is
-set to false and krb4_get_tickets is true, then login will get the V5
-tickets directly using the Kerberos V4 protocol directly. This does
-not currently work with non-MIT-V4 salt types (such as the AFS3 salt
-type). Note that if this is set to true and krb524d is not running,
-login will hang for approximately a minute under Solaris, due to a
-Solaris socket emulation bug.
-
@itemx krb_run_aklog
Indicate whether or not to run aklog. The default value is
@value{DefaultKrbRunAklog}.
@@ -1493,14 +1441,8 @@
current implementation has little protection against denial-of-service
attacks), the standard port number assigned for Kerberos TCP traffic
is port 88.
+- at end table
- at itemx v4_mode
-This string specifies how the KDC should respond to Kerberos 4
-packets. The possible values are none, disable, full, and nopreauth.
-The default value is @value{DefaultV4Mode}.
- at comment these values found in krb5/src/kdc/kerberos_v4.c in v4mode_table
- at end table
-
@node realms (kdc.conf), pkinit kdc options, kdcdefaults, kdc.conf
@subsection [realms]
@@ -4353,7 +4295,6 @@
krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
@c kpop 1109/tcp # Pop with Kerberos
eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin
-krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator
@end group
@end smallexample
Modified: branches/mkey_migrate/doc/copyright.texinfo
===================================================================
--- branches/mkey_migrate/doc/copyright.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/copyright.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -553,6 +553,70 @@
@end iftex
@end quotation
+The implementations of UTF-8 string handling in src/util/support and
+src/lib/krb5/unicode are subject to the following copyright and
+permission notice:
+
+ at quotation
+ at iftex
+ at smallfonts @rm
+ at end iftex
+
+The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
+
+1. Redistributions in source form must retain copyright statements
+ and notices,
+
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+
+3. Redistributions must contain a verbatim copy of this document.
+
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
+
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All Rights Reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
+ at iftex
+ at vskip 12pt
+ at hrule
+ at vskip 12pt
+ at end iftex
+ at end quotation
+
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.
Modified: branches/mkey_migrate/doc/definitions.texinfo
===================================================================
--- branches/mkey_migrate/doc/definitions.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/definitions.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -131,10 +131,6 @@
@end ignore
@set DefaultKrb5GetTickets true
@comment login_krb5_get_tickets
- at set DefaultKrb4GetTickets false
- at comment login_krb4_get_tickets
- at set DefaultKrb4Convert false
- at comment login_krb4_convert
@set DefaultKrbRunAklog false
@comment login_krb_run_aklog
@set DefaultAklogPath $(prefix)/bin/aklog
@@ -143,13 +139,6 @@
@comment login_accept_password
@ignore
-the following defaults should be consistent with the values set in
-krb5/src/kdc/kerberos_v4
- at end ignore
- at set DefaultV4Mode none
- at comment KDC_V4_DEFAULT_MODE
-
- at ignore
these defaults are based on code in krb5/src/aclocal.m4
@end ignore
@set DefaultDNSLookupKDC true
@@ -175,14 +164,6 @@
@set DefaultFTPPort 21
@set DefaultKrb524Port 4444
- at comment src/include/kerberosIV/krb.h
- at set DefaultKrb4Srvtab /etc/srvtab
- at comment line 131
- at set DefaultKrb4Config /etc/krb.conf
- at comment KRB_CONF
- at set DefaultKrb4Realms /etc/krb.realms
- at comment KRB_RLM_TRANS
-
@comment krb5/src/lib/krb5/krb/get_in_tkt.c
@set DefaultRenewLifetime 0
@set DefaultNoaddresses set
Modified: branches/mkey_migrate/doc/dnssrv.texinfo
===================================================================
--- branches/mkey_migrate/doc/dnssrv.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/dnssrv.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -59,10 +59,6 @@
This should list port @value{DefaultKpasswdPort} on your master KDC.
It is used when a user changes her password.
- at item _kerberos-iv._udp
-This should refer to your KDCs that serve Kerberos version 4 requests,
-if you have Kerberos v4 enabled.
-
@end table
Be aware, however, that the DNS SRV specification requires that the
Modified: branches/mkey_migrate/doc/install.texinfo
===================================================================
--- branches/mkey_migrate/doc/install.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/install.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -206,9 +206,6 @@
@item
How frequently you will propagate the database from the master KDC to
the slave KDCs.
-
- at item
-Whether you need backward compatibility with Kerberos V4.
@end itemize
@menu
@@ -1093,10 +1090,10 @@
@code{kprop} propagation fails to connect for some reason, the process
on the slave may hang waiting for it, and will need to be restarted.
@item
-The master and slave must be able to initiate TCP connections in
-both directions, without an intervening NAT. They must also be able
-to communicate over IPv4, since MIT's RPC code does not currently
-support IPv6.
+The master and slave must be able to initiate TCP connections in both
+directions, without an intervening NAT. They must also be able to
+communicate over IPv4, since MIT's kprop and RPC code does not
+currently support IPv6.
@end itemize
@menu
@@ -1184,17 +1181,6 @@
@smallexample
@group
-#
-# Note --- if you are using Kerberos V4 and you either:
-#
-# (a) haven't converted all your master or slave KDCs to V5, or
-#
-# (b) are worried about inter-realm interoperability with other KDC's
-# that are still using V4
-#
-# you will need to switch the "kerberos" service to port 750 and create a
-# "kerberos-sec" service on port 88.
-#
kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin
@@ -1208,13 +1194,6 @@
@end group
@end smallexample
- at noindent As described in the comments in the above code, if your master
-KDC or any of your slave KDCs is running Kerberos V4, (or if you will be
-authenticating to any Kerberos V4 KDCs in another realm) you will need
-to switch the port number for @code{kerberos} to 750 and create a
- at code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos
-V4 KDC(s) will continue to work properly.
-
@menu
* Mac OS X Configuration::
@end menu
Modified: branches/mkey_migrate/doc/kim/html/group__kim__ccache__iterator__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__ccache__iterator__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__ccache__iterator__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -107,7 +107,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__ccache__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__ccache__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__ccache__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -10,8 +10,10 @@
<h2>Functions</h2>
<ul>
<li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9">kim_ccache_create_new</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options)
-<dl class="el"><dd class="mdescRight">Acquire a new initial credential and store it in a ccache. <a href="#gcdc80c9bfa368eca7cc2d3710b4c0fa9"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce">kim_ccache_create_new_if_needed</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options)
-<dl class="el"><dd class="mdescRight">Find a ccache containing a valid initial credential in the cache collection, or if unavailable, acquire and store a new initial credential. <a href="#g52fa72130f4ba6de8cce1224578102ce"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g6ecc14b94ffb57ca8008d0a407bb9c7d">kim_ccache_create_from_client_identity</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity)
+<dl class="el"><dd class="mdescRight">Acquire a new initial credential and store it in a ccache. <a href="#gcdc80c9bfa368eca7cc2d3710b4c0fa9"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#ge796642d7eb76bc05142ad8112d398e5">kim_ccache_create_new_with_password</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_password)
+<dl class="el"><dd class="mdescRight">Acquire a new initial credential and store it in a ccache using the provided password.. <a href="#ge796642d7eb76bc05142ad8112d398e5"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce">kim_ccache_create_new_if_needed</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options)
+<dl class="el"><dd class="mdescRight">Find a ccache containing a valid initial credential in the cache collection, or if unavailable, acquire and store a new initial credential. <a href="#g52fa72130f4ba6de8cce1224578102ce"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g462285a95435cf403b0330be13a515d7">kim_ccache_create_new_if_needed_with_password</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_password)
+<dl class="el"><dd class="mdescRight">Find a ccache containing a valid initial credential in the cache collection, or if unavailable, acquire and store a new initial credential using the provided password. <a href="#g462285a95435cf403b0330be13a515d7"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g6ecc14b94ffb57ca8008d0a407bb9c7d">kim_ccache_create_from_client_identity</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity)
<dl class="el"><dd class="mdescRight">Find a ccache for a client identity in the cache collection. <a href="#g6ecc14b94ffb57ca8008d0a407bb9c7d"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g15cb7e1b9069a610030211cecc5e6232">kim_ccache_create_from_keytab</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_keytab)
<dl class="el"><dd class="mdescRight">Acquire a new initial credential from a keytab and store it in a ccache. <a href="#g15cb7e1b9069a610030211cecc5e6232"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#g137761ce872ca756c08e7c31e4101df5">kim_ccache_create_from_default</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache)
<dl class="el"><dd class="mdescRight">Get the default ccache. <a href="#g137761ce872ca756c08e7c31e4101df5"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__ccache__reference.html#geeb02fbd667cfb75455653cf9b8b4a5a">kim_ccache_create_from_display_name</a> (<a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> *out_ccache, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_display_name)
@@ -79,11 +81,64 @@
<tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition. </td></tr>
</table>
</dl>
-<dl class="note" compact><dt><b>Note:</b></dt><dd>Depending on the kim_options specified, <a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
</div>
</div><p>
+<a class="anchor" name="ge796642d7eb76bc05142ad8112d398e5"></a><!-- doxytag: member="kim_ccache.h::kim_ccache_create_new_with_password" ref="ge796642d7eb76bc05142ad8112d398e5" args="(kim_ccache *out_ccache, kim_identity in_client_identity, kim_options in_options, kim_string in_password)" -->
+<div class="memitem">
+<div class="memproto">
+ <table class="memname">
+ <tr>
+ <td class="memname"><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> kim_ccache_create_new_with_password </td>
+ <td>(</td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> * </td>
+ <td class="paramname"> <em>out_ccache</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> </td>
+ <td class="paramname"> <em>in_client_identity</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> </td>
+ <td class="paramname"> <em>in_options</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> </td>
+ <td class="paramname"> <em>in_password</em></td><td> </td>
+ </tr>
+ <tr>
+ <td></td>
+ <td>)</td>
+ <td></td><td></td><td width="100%"></td>
+ </tr>
+ </table>
+</div>
+<div class="memdoc">
+
+<p>
+Acquire a new initial credential and store it in a ccache using the provided password..
+<p>
+<dl compact><dt><b>Parameters:</b></dt><dd>
+ <table border="0" cellspacing="2" cellpadding="0">
+ <tr><td valign="top"></td><td valign="top"><em>out_ccache</em> </td><td>on exit, a new cache object for a ccache containing a newly acquired initial credential. Must be freed with <a class="el" href="group__kim__ccache__reference.html#g6c6be543e0ea2b518612be4255e15b9a" title="Free memory associated with a ccache.">kim_ccache_free()</a>. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_client_identity</em> </td><td>a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to allow the user to choose. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_password</em> </td><td>a password to be used while obtaining credentials. </td></tr>
+ </table>
+</dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#ge796642d7eb76bc05142ad8112d398e5" title="Acquire a new initial credential and store it in a ccache using the provided password...">kim_ccache_create_new_with_password()</a> exists to support legacy password-based Kerberos environments. You should not use this function unless you know that it will only be used in environments using passwords. This function may also present a GUI or command line prompt to obtain additional information needed to obtain credentials (eg: SecurID pin). </dd></dl>
+<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
+
+</div>
+</div><p>
<a class="anchor" name="g52fa72130f4ba6de8cce1224578102ce"></a><!-- doxytag: member="kim_ccache.h::kim_ccache_create_new_if_needed" ref="g52fa72130f4ba6de8cce1224578102ce" args="(kim_ccache *out_ccache, kim_identity in_client_identity, kim_options in_options)" -->
<div class="memitem">
<div class="memproto">
@@ -125,11 +180,64 @@
<tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition (if a credential is acquired). </td></tr>
</table>
</dl>
-<dl class="note" compact><dt><b>Note:</b></dt><dd>Depending on the kim_options specified, <a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
</div>
</div><p>
+<a class="anchor" name="g462285a95435cf403b0330be13a515d7"></a><!-- doxytag: member="kim_ccache.h::kim_ccache_create_new_if_needed_with_password" ref="g462285a95435cf403b0330be13a515d7" args="(kim_ccache *out_ccache, kim_identity in_client_identity, kim_options in_options, kim_string in_password)" -->
+<div class="memitem">
+<div class="memproto">
+ <table class="memname">
+ <tr>
+ <td class="memname"><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> kim_ccache_create_new_if_needed_with_password </td>
+ <td>(</td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gaecf0d1ae48c995038dd20b21e3781c2">kim_ccache</a> * </td>
+ <td class="paramname"> <em>out_ccache</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> </td>
+ <td class="paramname"> <em>in_client_identity</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> </td>
+ <td class="paramname"> <em>in_options</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> </td>
+ <td class="paramname"> <em>in_password</em></td><td> </td>
+ </tr>
+ <tr>
+ <td></td>
+ <td>)</td>
+ <td></td><td></td><td width="100%"></td>
+ </tr>
+ </table>
+</div>
+<div class="memdoc">
+
+<p>
+Find a ccache containing a valid initial credential in the cache collection, or if unavailable, acquire and store a new initial credential using the provided password.
+<p>
+<dl compact><dt><b>Parameters:</b></dt><dd>
+ <table border="0" cellspacing="2" cellpadding="0">
+ <tr><td valign="top"></td><td valign="top"><em>out_ccache</em> </td><td>on exit, a ccache object for a ccache containing a newly acquired initial credential. Must be freed with <a class="el" href="group__kim__ccache__reference.html#g6c6be543e0ea2b518612be4255e15b9a" title="Free memory associated with a ccache.">kim_ccache_free()</a>. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_client_identity</em> </td><td>a client identity to obtain a credential for. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition (if a credential is acquired). </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_password</em> </td><td>a password to be used while obtaining credentials. </td></tr>
+ </table>
+</dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#g462285a95435cf403b0330be13a515d7" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed_with_password()</a> exists to support legacy password-based Kerberos environments. You should not use this function unless you know that it will only be used in environments using passwords. This function may also present a GUI or command line prompt to obtain additional information needed to obtain credentials (eg: SecurID pin). </dd></dl>
+<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
+
+</div>
+</div><p>
<a class="anchor" name="g6ecc14b94ffb57ca8008d0a407bb9c7d"></a><!-- doxytag: member="kim_ccache.h::kim_ccache_create_from_client_identity" ref="g6ecc14b94ffb57ca8008d0a407bb9c7d" args="(kim_ccache *out_ccache, kim_identity in_client_identity)" -->
<div class="memitem">
<div class="memproto">
@@ -161,7 +269,7 @@
<dl compact><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
<tr><td valign="top"></td><td valign="top"><em>out_ccache</em> </td><td>on exit, a ccache object for a ccache containing a TGT credential. Must be freed with <a class="el" href="group__kim__ccache__reference.html#g6c6be543e0ea2b518612be4255e15b9a" title="Free memory associated with a ccache.">kim_ccache_free()</a>. </td></tr>
- <tr><td valign="top"></td><td valign="top"><em>in_client_identity</em> </td><td>a client identity to obtain a credential for. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_client_identity</em> </td><td>a client identity to find a ccache for. If <em>in_client_identity</em> is <a class="el" href="group__kim__types__reference.html#g322f65f7d72470d57e21a4c8777ee9fb">KIM_IDENTITY_ANY</a>, this function returns the default ccache (ie: is equivalent to <a class="el" href="group__kim__ccache__reference.html#g137761ce872ca756c08e7c31e4101df5" title="Get the default ccache.">kim_ccache_create_from_default()</a>). </td></tr>
</table>
</dl>
<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
@@ -1102,7 +1210,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__credential__iterator__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__credential__iterator__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__credential__iterator__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -117,7 +117,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__credential__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__credential__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__credential__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -10,7 +10,8 @@
<h2>Functions</h2>
<ul>
<li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#ga02a96b9ad6fbc64007f741fa21c8814">kim_credential_create_new</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options)
-<dl class="el"><dd class="mdescRight">Acquire a new initial credential. <a href="#ga02a96b9ad6fbc64007f741fa21c8814"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#g42c9498e4e928fce495867a1d1835dc3">kim_credential_create_from_keytab</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_keytab)
+<dl class="el"><dd class="mdescRight">Acquire a new initial credential. <a href="#ga02a96b9ad6fbc64007f741fa21c8814"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#g5a91166863595b457a2c98e622f0c526">kim_credential_create_new_with_password</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_client_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_password)
+<dl class="el"><dd class="mdescRight">Acquire a new initial credential using the provided password. <a href="#g5a91166863595b457a2c98e622f0c526"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#g42c9498e4e928fce495867a1d1835dc3">kim_credential_create_from_keytab</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, <a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> in_identity, <a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> in_options, <a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> in_keytab)
<dl class="el"><dd class="mdescRight">Acquire a new initial credential from a keytab. <a href="#g42c9498e4e928fce495867a1d1835dc3"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#g5a65ab2a4209ee727d2a08ba8481dd8f">kim_credential_create_from_krb5_creds</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, krb5_context in_krb5_context, krb5_creds *in_krb5_creds)
<dl class="el"><dd class="mdescRight">Copy a credential from a krb5 credential object. <a href="#g5a65ab2a4209ee727d2a08ba8481dd8f"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#gecf207628b94739322344678486b45d2">kim_credential_copy</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> *out_credential, <a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> in_credential)
<dl class="el"><dd class="mdescRight">Copy a credential object. <a href="#gecf207628b94739322344678486b45d2"></a><br></dl><li><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> <a class="el" href="group__kim__credential__reference.html#g5ccc2fc794ea3bf3dc947c8a3ccd1077">kim_credential_get_krb5_creds</a> (<a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> in_credential, krb5_context in_krb5_context, krb5_creds **out_krb5_creds)
@@ -70,12 +71,66 @@
<tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition. </td></tr>
</table>
</dl>
-<dl class="note" compact><dt><b>Note:</b></dt><dd>Depending on the kim_options specified, <a class="el" href="group__kim__credential__reference.html#ga02a96b9ad6fbc64007f741fa21c8814" title="Acquire a new initial credential.">kim_credential_create_new()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__credential__reference.html#ga02a96b9ad6fbc64007f741fa21c8814" title="Acquire a new initial credential.">kim_credential_create_new()</a> may present a GUI or command line prompt to obtain information from the user. </dd></dl>
<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
<dl class="see" compact><dt><b>See also:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new</a> </dd></dl>
</div>
</div><p>
+<a class="anchor" name="g5a91166863595b457a2c98e622f0c526"></a><!-- doxytag: member="kim_credential.h::kim_credential_create_new_with_password" ref="g5a91166863595b457a2c98e622f0c526" args="(kim_credential *out_credential, kim_identity in_client_identity, kim_options in_options, kim_string in_password)" -->
+<div class="memitem">
+<div class="memproto">
+ <table class="memname">
+ <tr>
+ <td class="memname"><a class="el" href="group__kim__types__reference.html#g40f5fe10ab395bddc34286e0c2ff76eb">kim_error</a> kim_credential_create_new_with_password </td>
+ <td>(</td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#ge57b4df3376c4a34a119078a7f4a0030">kim_credential</a> * </td>
+ <td class="paramname"> <em>out_credential</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gf96cafc394b0d02327b4df8ff669d589">kim_identity</a> </td>
+ <td class="paramname"> <em>in_client_identity</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#gc61f3242847e46c14c73e423829888ab">kim_options</a> </td>
+ <td class="paramname"> <em>in_options</em>, </td>
+ </tr>
+ <tr>
+ <td class="paramkey"></td>
+ <td></td>
+ <td class="paramtype"><a class="el" href="group__kim__types__reference.html#geea99aa292876e06003b7480087eecb0">kim_string</a> </td>
+ <td class="paramname"> <em>in_password</em></td><td> </td>
+ </tr>
+ <tr>
+ <td></td>
+ <td>)</td>
+ <td></td><td></td><td width="100%"></td>
+ </tr>
+ </table>
+</div>
+<div class="memdoc">
+
+<p>
+Acquire a new initial credential using the provided password.
+<p>
+<dl compact><dt><b>Parameters:</b></dt><dd>
+ <table border="0" cellspacing="2" cellpadding="0">
+ <tr><td valign="top"></td><td valign="top"><em>out_credential</em> </td><td>on exit, a new credential object containing a newly acquired initial credential. Must be freed with <a class="el" href="group__kim__credential__reference.html#g5609d3883f82eb3938a2d80e06bd0845" title="Free memory associated with a credential object.">kim_credential_free()</a>. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_client_identity</em> </td><td>a client identity to obtain a credential for. Specify NULL to allow the user to choose the identity </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>options to control credential acquisition. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>in_password</em> </td><td>a password to be used while obtaining the credential. </td></tr>
+ </table>
+</dl>
+<dl class="note" compact><dt><b>Note:</b></dt><dd><a class="el" href="group__kim__credential__reference.html#g5a91166863595b457a2c98e622f0c526" title="Acquire a new initial credential using the provided password.">kim_credential_create_new_with_password()</a> exists to support legacy password-based Kerberos environments. You should not use this function unless you know that it will only be used in environments using passwords. This function may also present a GUI or command line prompt to obtain additional information needed to obtain credentials (eg: SecurID pin). </dd></dl>
+<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
+<dl class="see" compact><dt><b>See also:</b></dt><dd><a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new</a> </dd></dl>
+
+</div>
+</div><p>
<a class="anchor" name="g42c9498e4e928fce495867a1d1835dc3"></a><!-- doxytag: member="kim_credential.h::kim_credential_create_from_keytab" ref="g42c9498e4e928fce495867a1d1835dc3" args="(kim_credential *out_credential, kim_identity in_identity, kim_options in_options, kim_string in_keytab)" -->
<div class="memitem">
<div class="memproto">
@@ -768,7 +823,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__identity__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__identity__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__identity__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -582,7 +582,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__library__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__library__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__library__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -218,7 +218,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__options__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__options__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__options__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -88,7 +88,7 @@
<p>
<dl compact><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
- <tr><td valign="top"></td><td valign="top"><em>out_options</em> </td><td>on exit, a new options object which is a copy of <em>in_options</em>. Must be freed with <a class="el" href="group__kim__options__reference.html#gd8de9ea0a4eb9e0ffb8e3056a3899f55" title="Free memory associated with an options object.">kim_options_free()</a>. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>out_options</em> </td><td>on exit, a new options object which is a copy of <em>in_options</em>. Must be freed with <a class="el" href="group__kim__options__reference.html#gd8de9ea0a4eb9e0ffb8e3056a3899f55" title="Free memory associated with an options object.">kim_options_free()</a>. If passed KIM_OPTIONS_DEFAULT will set <em>out_options</em> to KIM_OPTIONS_DEFAULT. </td></tr>
<tr><td valign="top"></td><td valign="top"><em>in_options</em> </td><td>a options object. </td></tr>
</table>
</dl>
@@ -769,7 +769,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__preferences__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__preferences__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__preferences__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -172,7 +172,7 @@
<dl compact><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
<tr><td valign="top"></td><td valign="top"><em>in_preferences</em> </td><td>a preferences object. </td></tr>
- <tr><td valign="top"></td><td valign="top"><em>out_options</em> </td><td>on exit, the options specified in <em>in_preferences</em>. Must be freed with <a class="el" href="group__kim__options__reference.html#gd8de9ea0a4eb9e0ffb8e3056a3899f55" title="Free memory associated with an options object.">kim_options_free()</a>. </td></tr>
+ <tr><td valign="top"></td><td valign="top"><em>out_options</em> </td><td>on exit, the options specified in <em>in_preferences</em>. May be KIM_OPTIONS_DEFAULT. If not, must be freed with <a class="el" href="group__kim__options__reference.html#gd8de9ea0a4eb9e0ffb8e3056a3899f55" title="Free memory associated with an options object.">kim_options_free()</a>. </td></tr>
</table>
</dl>
<dl class="return" compact><dt><b>Returns:</b></dt><dd>On success, <a class="el" href="group__kim__types__reference.html#g8712727bab9e6b02712a8a01285441d1">KIM_NO_ERROR</a>. On failure, an error code representing the failure. </dd></dl>
@@ -982,7 +982,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__selection__hints__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__selection__hints__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__selection__hints__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -744,7 +744,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__string__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__string__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__string__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -164,7 +164,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/group__kim__types__reference.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/group__kim__types__reference.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/group__kim__types__reference.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -447,7 +447,7 @@
</div>
</div><p>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/index.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/index.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/index.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -76,7 +76,7 @@
<ul>
<li><a class="el" href="group__kim__types__reference.html">KIM Types and Constants</a> </li>
</ul>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:43 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_ccache_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_ccache_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_ccache_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -21,6 +21,7 @@
Acquiring New Credentials in a CCache</a></h2>
KIM provides the <a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new()</a> API for acquiring new credentials and storing them in a ccache. Credentials can either be obtained for a specific client identity or by specifying <a class="el" href="group__kim__types__reference.html#g322f65f7d72470d57e21a4c8777ee9fb">KIM_IDENTITY_ANY</a> to allow the user to choose. Typically callers of this API obtain the client identity using <a class="el" href="group__kim__selection__hints__reference.html#g5f4130fa05e937b749d7cc5347531abe" title="Choose a client identity based on selection hints.">kim_selection_hints_get_identity()</a>. Depending on the kim_options specified, <a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new()</a> may present a
GUI or command line prompt to obtain information from the user.<p>
<a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed()</a> searches the cache collection for a ccache for the client identity and if no appropriate ccache is available, attempts to acquire new credentials and store them in a new ccache. Depending on the kim_options specified, <a class="el" href="group__kim__ccache__reference.html#g52fa72130f4ba6de8cce1224578102ce" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed()</a> may present a GUI or command line prompt to obtain information from the user. This function exists for convenience and to avoid code duplication. It can be trivially implemented using <a class="el" href="group__kim__ccache__reference.html#g6ecc14b94ffb57ca8008d0a407bb9c7d" title="Find a ccache for a client identity in the cac
he collection.">kim_ccache_create_from_client_identity()</a> and <a class="el" href="group__kim__ccache__reference.html#gcdc80c9bfa368eca7cc2d3710b4c0fa9" title="Acquire a new initial credential and store it in a ccache.">kim_ccache_create_new()</a>.<p>
+For legacy password-based Kerberos environments KIM also provides <a class="el" href="group__kim__ccache__reference.html#ge796642d7eb76bc05142ad8112d398e5" title="Acquire a new initial credential and store it in a ccache using the provided password...">kim_ccache_create_new_with_password()</a> and <a class="el" href="group__kim__ccache__reference.html#g462285a95435cf403b0330be13a515d7" title="Find a ccache containing a valid initial credential in the cache collection, or if...">kim_ccache_create_new_if_needed_with_password()</a>. You should not use these functions unless you know that they will only be used in environments using passwords. Otherwise users without passwords may be prompted for them.<p>
KIM provides the <a class="el" href="group__kim__ccache__reference.html#g15cb7e1b9069a610030211cecc5e6232" title="Acquire a new initial credential from a keytab and store it in a ccache.">kim_ccache_create_from_keytab()</a> to create credentials using a keytab and store them in the cache collection. A keytab is an on-disk copy of a client identity's secret key. Typically sites use keytabs for client identities that identify a machine or service and protect the keytab with disk permissions. Because a keytab is sufficient to obtain credentials, keytabs will normally only be readable by root, Administrator or some other privileged account. Typically applications use credentials obtained from keytabs to obtain credentials for batch processes. These keytabs and credentials are usually for a special identity used for the batch process rather than a user identity.<h2><a class="anchor" name="kim_ccache_validate">
Validating Credentials in a CCache</a></h2>
A credential with a start time in the future (ie: after the issue date) is called a post-dated credential. Because the KDC administrator may wish to disable a identity, once the start time is reached, all post-dated credentials must be validated before they can be used. Otherwise an attacker using a compromised account could acquire lots of post-dated credentials to circumvent the acccount being disabled.<p>
@@ -62,7 +63,7 @@
<ul>
<li><a class="el" href="group__kim__ccache__reference.html#g9ad7a15bf94420675c17bc61e83e47da" title="Get a kim_options object based on a ccache's credential attributes.">kim_ccache_get_options()</a> returns a kim_options object with the credential options of the credentials in the ccache. This function is intended to be used when adding an identity with existing credentials to the favorite identities list. By passing in the options returned by this call, future requests for the favorite identity will use the same credential options.</li>
</ul>
-See <a class="el" href="group__kim__ccache__reference.html">KIM CCache Reference Documentation</a> and <a class="el" href="group__kim__ccache__iterator__reference.html">KIM CCache Iterator Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__ccache__reference.html">KIM CCache Reference Documentation</a> and <a class="el" href="group__kim__ccache__iterator__reference.html">KIM CCache Iterator Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:43 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_credential_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_credential_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_credential_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,6 +14,7 @@
<h2><a class="anchor" name="kim_credential_acquire_new">
Acquiring New Credentials</a></h2>
KIM provides the <a class="el" href="group__kim__credential__reference.html#ga02a96b9ad6fbc64007f741fa21c8814" title="Acquire a new initial credential.">kim_credential_create_new()</a> API for acquiring new credentials. Credentials can either be obtained for a specific client identity or by specifying <a class="el" href="group__kim__types__reference.html#g322f65f7d72470d57e21a4c8777ee9fb">KIM_IDENTITY_ANY</a> to allow the user to choose. Typically callers of this API obtain the client identity using <a class="el" href="group__kim__selection__hints__reference.html#g5f4130fa05e937b749d7cc5347531abe" title="Choose a client identity based on selection hints.">kim_selection_hints_get_identity()</a>. Depending on the kim_options specified, <a class="el" href="group__kim__credential__reference.html#ga02a96b9ad6fbc64007f741fa21c8814" title="Acquire a new initial credential.">kim_credential_create_new()</a> may present a GUI or command line prompt to obtain information from the user.
<p>
+For legacy password-based Kerberos environments KIM also provides <a class="el" href="group__kim__credential__reference.html#g5a91166863595b457a2c98e622f0c526" title="Acquire a new initial credential using the provided password.">kim_credential_create_new_with_password()</a>. You should not use this function unless you know that it will only be used in environments using passwords. Otherwise users without passwords may be prompted for them.<p>
KIM provides the <a class="el" href="group__kim__credential__reference.html#g42c9498e4e928fce495867a1d1835dc3" title="Acquire a new initial credential from a keytab.">kim_credential_create_from_keytab()</a> to create credentials using a keytab. A keytab is an on-disk copy of a client identity's secret key. Typically sites use keytabs for client identities that identify a machine or service and protect the keytab with disk permissions. Because a keytab is sufficient to obtain credentials, keytabs will normally only be readable by root, Administrator or some other privileged account. Typically applications use credentials obtained from keytabs to obtain credentials for batch processes. These keytabs and credentials are usually for a special identity used for the batch process rather than a user identity.<h2><a class="anchor" name="kim_credential_validate">
Validating Credentials</a></h2>
A credential with a start time in the future (ie: after the issue date) is called a post-dated credential. Because the KDC administrator may wish to disable a identity, once the start time is reached, all post-dated credentials must be validated before they can be used. Otherwise an attacker using a compromised account could acquire lots of post-dated credentials to circumvent the acccount being disabled.<p>
@@ -59,7 +60,7 @@
<ul>
<li><a class="el" href="group__kim__credential__reference.html#g6d0cb540926a4d95923709a5104fb298" title="Get a kim_options object based on a credential's attributes.">kim_credential_get_options()</a> returns a kim_options object with the credential options of the credential. This function is intended to be used when adding an identity with existing credentials to the favorite identities list. By passing in the options returned by this call, future requests for the favorite identity will use the same credential options.</li>
</ul>
-See <a class="el" href="group__kim__credential__reference.html">KIM Credential Reference Documentation</a> and <a class="el" href="group__kim__credential__iterator__reference.html">KIM Credential Iterator Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__credential__reference.html">KIM Credential Reference Documentation</a> and <a class="el" href="group__kim__credential__iterator__reference.html">KIM Credential Iterator Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:43 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_identity_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_identity_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_identity_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,7 +36,7 @@
Many Kerberos sites use passwords for user accounts. Because passwords may be stolen or compromised, they must be frequently changed. KIM provides APIs to change the identity's password directly, and also handles changing the identity's password when it has expired.<p>
<a class="el" href="group__kim__identity__reference.html#g660c28e70656127c7c723d50414675e8" title="Change the password for an identity.">kim_identity_change_password()</a> presents a user interface to obtain the old and new passwords from the user.<p>
<dl class="note" compact><dt><b>Note:</b></dt><dd>Not all identities have a password. Some sites use certificates (pkinit) and in the future there may be other authentication mechanisms (eg: smart cards).</dd></dl>
-See <a class="el" href="group__kim__identity__reference.html">KIM Identity Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__identity__reference.html">KIM Identity Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:43 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_options_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_options_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_options_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -33,7 +33,7 @@
Use <a class="el" href="group__kim__options__reference.html#g15ffe61f06334f4071e5b1ea6be62117" title="Set whether or not to request a proxiable credential.">kim_options_set_proxiable()</a> to change whether or not the Kerberos libraries request proxiable credentials. Use <a class="el" href="group__kim__options__reference.html#g0193dda96349a6e8d98d6154540a364e" title="Get whether or not to request a proxiable credential.">kim_options_get_proxiable()</a> to find out the current setting.<h3><a class="anchor" name="kim_options_service_name">
Service Name</a></h3>
Normally users acquire TGT credentials (ie "ticket granting tickets") and then use those credentials to acquire service credentials. This allows Kerberos to provide single sign-on while still providing mutual authentication to services. However, sometimes you just want an initial credential for a service. KIM options allows you to set the service name with <a class="el" href="group__kim__options__reference.html#g6e31c69a65efe32a5860125083d0b803" title="Set the service name to request a credential for.">kim_options_set_service_name()</a> and query it with <a class="el" href="group__kim__options__reference.html#gdf70addbc8221c252b1223b5e99dfa94" title="Get the service name to request a credential for.">kim_options_get_service_name()</a>.<p>
-See <a class="el" href="group__kim__options__reference.html">KIM Options Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__options__reference.html">KIM Options Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_preferences_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_preferences_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_preferences_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,7 +29,7 @@
First, you need to acquire the Favorite Identities stored in the user's preferences using <a class="el" href="group__kim__preferences__reference.html#gf1dc483fcb582add046d552da9b8485f" title="Create a new preferences object from the current user's preferences.">kim_preferences_create()</a>.<p>
Then use <a class="el" href="group__kim__preferences__reference.html#g39ff3407953fedfc861efda92f961f18" title="Get the number of favorite identities in a preferences object.">kim_preferences_get_number_of_favorite_identities()</a> and <a class="el" href="group__kim__preferences__reference.html#g3012077dfb1169ebbbf2d7bf17dbbfdf" title="Get the Nth favorite identity in a preferences object.">kim_preferences_get_favorite_identity_at_index()</a> to display the identities list. Use <a class="el" href="group__kim__preferences__reference.html#gd7ed54017b8d46414c550a87ab775a9d" title="Add a favorite identity to a preferences object.">kim_preferences_add_favorite_identity()</a> and <a class="el" href="group__kim__preferences__reference.html#g85a31ca25607660c9dc2b68527c71f52" title="Remove a favorite identity from a preferences object.">kim_preferences_remove_favorite_identity()</a> to change which identities are in the identities list. Identities are always stored in alphabetical ord
er and duplicate identities are not permitted, so when you add or remove a identity you should redisplay the entire list. If you wish to replace the identities list entirely, use <a class="el" href="group__kim__preferences__reference.html#gc28596bde36d790f569af33d50feedb8" title="Remove all favorite identities in a preferences object.">kim_preferences_remove_all_favorite_identities()</a> to clear the list before adding your identities.<p>
Once you are done editing the favorite identities list, store changes in the user's preference file using <a class="el" href="group__kim__preferences__reference.html#g6815e374d78e13714abcddc478145dd9" title="Synchronize a preferences object with the user's preferences, writing pending...">kim_preferences_synchronize()</a>.<p>
-See <a class="el" href="group__kim__preferences__reference.html">KIM Preferences Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:05 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__preferences__reference.html">KIM Preferences Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_selection_hints_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_selection_hints_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_selection_hints_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -48,7 +48,7 @@
In many cases a single application may select different identities for different purposes. For example an email application might use different identities to check mail for different accounts. If your application has this property you may need to provide the user with a localized string describing how the identity will be used. You can specify this string with <a class="el" href="group__kim__selection__hints__reference.html#g8fce520fbadcdd10f8928fbea43083ee" title="Get the strings used to prompt the user to select the identity.">kim_selection_hints_get_explanation()</a>. You can find out what string will be used with <a class="el" href="group__kim__selection__hints__reference.html#gcc6ec35aa53cad7a2eca07ceea66a3c6" title="Set the strings used to prompt the user to select the identity.">kim_selection_hints_set_explanation()</a>.<p>
Since the user may choose to acquire credentials when selection an identity, KIM also provides <a class="el" href="group__kim__selection__hints__reference.html#g2cbc1a52c6fa4c94aa85acf7abb205c4" title="Set the options which will be used if credentials need to be acquired.">kim_selection_hints_set_options()</a> to set what credential acquisition options are used. <a class="el" href="group__kim__selection__hints__reference.html#gb8c6aea4ac6b55d77585a5f3047dd3e7" title="Get the options which will be used if credentials need to be acquired.">kim_selection_hints_get_options()</a> returns the options which will be used.<p>
If you need to disable user interaction, use <a class="el" href="group__kim__selection__hints__reference.html#g290210bc1cb57b49539cc7f8c0d8fa2c" title="Set whether or not KIM may interact with the user to select an identity.">kim_selection_hints_set_allow_user_interaction()</a>. Use <a class="el" href="group__kim__selection__hints__reference.html#g95691183f6a85b8208858bd948a64c55" title="Get whether or not KIM may interact with the user to select an identity.">kim_selection_hints_get_allow_user_interaction()</a> to find out whether or not user interaction is enabled. User interaction is enabled by default.<p>
-See <a class="el" href="group__kim__selection__hints__reference.html">KIM Selection Hints Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__selection__hints__reference.html">KIM Selection Hints Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/kim_string_overview.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/kim_string_overview.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/kim_string_overview.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -11,7 +11,7 @@
Like most C APIs, the KIM API returns numeric error codes. These error codes may come from KIM, krb5 or GSS APIs. In most cases the caller will want to handle these error programmatically. However, in some circumstances the caller may wish to print an error string to the user.<p>
One problem with just printing the error code to the user is that frequently the context behind the error has been lost. For example if KIM is trying to obtain credentials via referrals, it may fail partway through the process. In this case the error code will be KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which maps to "Client not found in Kerberos database". Unfortunately this error isn't terribly helpful because it doesn't tell the user whether they typoed their principal name or if referrals failed.<p>
To avoid this problem, KIM maintains an explanatory string for the last error seen in each thread calling into KIM. If a caller wishes to display an error to the user, immediately after getting the error the caller should call <a class="el" href="group__kim__string__reference.html#gf1f7a5aba5f87b139f1b1db1430ca94b" title="Get a text description of an error suitable for display to the user.">kim_string_create_for_last_error()</a> to obtain a copy of the descriptive error message.<p>
-See <a class="el" href="group__kim__string__reference.html">KIM String Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+See <a class="el" href="group__kim__string__reference.html">KIM String Reference Documentation</a> for information on specific APIs. <hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Modified: branches/mkey_migrate/doc/kim/html/modules.html
===================================================================
--- branches/mkey_migrate/doc/kim/html/modules.html 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/kim/html/modules.html 2009-01-10 01:06:45 UTC (rev 21722)
@@ -18,7 +18,7 @@
<li><a class="el" href="group__kim__string__reference.html">KIM String Reference Documentation</a>
<li><a class="el" href="group__kim__types__reference.html">KIM Types and Constants</a>
</ul>
-<hr size="1"><address style="text-align: right;"><small>Generated on Wed Oct 1 18:42:06 2008 for Kerberos Identity Management by
+<hr size="1"><address style="text-align: right;"><small>Generated on Mon Nov 3 17:45:44 2008 for Kerberos Identity Management by
<a href="http://www.doxygen.org/index.html">
<img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.5.3 </small></address>
</body>
Deleted: branches/mkey_migrate/doc/krb4-xrealm.txt
===================================================================
--- branches/mkey_migrate/doc/krb4-xrealm.txt 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/krb4-xrealm.txt 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,143 +0,0 @@
-The following text was taken from the patchkit disabling cross-realm
-authentication and triple-DES in krb4.
-
-PATCH KIT DESCRIPTION
-=====================
-
-** FLAG DAY REQUIRED **
-
-One of the things we decided to do (and must do for security reasons)
-was drop support for the 3DES krb4 TGTs. Unfortunately the current
-code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new
-code issues only DES TGTs, the old code will not understand its v4
-TGTs if the site has a 3DES key available for the krbtgt principal.
-The new code will understand and accept both DES and 3DES v4 TGTs.
-
-So, the easiest upgrade option is to deploy the code on all KDCs at
-once, being sure to deploy it on the master KDC last. Under this
-scenario, a brief window exists where slaves may be able to issue
-tickets that the master will not understand. However, the slaves will
-understand tickets issued by the master throughout the upgrade.
-
-An alternate and more annoying upgrade strategy exists. At least one
-max TGT life time before the upgrade, the TGT key can be changed to be
-a single-des key. Since we support adding a new TGT key while
-preserving the old one, this does not create an interruption in
-service. Since no 3DES key is available then both the old and new
-code will issue and accept DES v4 TGTs. After the upgrade, the TGT
-key can again be rekeyed to add 3DES keys. This does require two TGT
-key changes and creates a window where DES is used for the v5 TGT, but
-creates no window in which slaves will issue TGTs the master cannot
-accept.
-
-* What the patch does
-=====================
-
-1) Kerberos 4 cross-realm authentication is disabled by default. A
- "-X" switch is added to both krb524d and krb5kdc to enable v4
- cross-realm. This switch logs a note that a security hole has been
- opened in the KDC log. We said while designing the patch, that we
- were going to try to allow per-realm configuration; because of a
- design problem in the kadm5 library, we could not do this without
- bumping the ABI version of that library. We are unwilling to bump
- an ABI version in a security patch release to get that feature, so
- the configuration of v4 cross-realm is a global switch.
-
-2) Code responsible for v5 TGTs has been changed to require that the
- enctype of the ticket service key be the same as the enctype that
- would currently be issued for that kvno. This means that even if a
- service has multiple keys, you cannot use a weak key to fake the
- KDC into accepting tickets for that service. If you have a non-DES
- TGT key, this separates keys used for v4 and v5. We actually relax
- this requirement for cross-realm TGT keys (which in the new code
- are only used for v5) because we cannot guarantee other Kerberos
- implementations will choose keys the same way.
-
-3) We no longer issue 3DES v4 tickets either in the KDC or krb524d.
- We add code to accept either DES or 3DES tickets for v4. None of
- the attacks discovered so far can be implemented given a KDC that
- accepts but does not issue 3DES tickets, so we believe that leaving
- this functionality in as compatibility for a version or two is
- reasonable. Note however that the attacks described do allow
- successful attackers to print future tickets, so sites probably
- want to rekey important keys after installing this update. Note
- also that even if issuance of 3DES v4 tickets has been disabled,
- outstanding tickets may be used to perform the 3DES cut-and-paste
- attack.
-
-* Test Cases
-============
-
-This code is difficult to test for two reasons. First, you need a
-cross-realm relationship between two KDCs. Secondly, you need a KDC
-that will issue 3DES v4 tickets even though the code with the patch
-applied can no longer do this.
-
-I propose to meet these requirements by setting up a cross-realm 3DES
-key between a realm I control and the test environment. In order to
-provide concrete examples of what I plan to test with the automated
-tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the
-test realm PATCH.
-
-In all of the following tests I assume the following configuration.
-A principal v4test at PREPATCH.KRBTEST.COM exists with known password and
-without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will
-issue v4 tickets for this principal. A principal test at PATCH exists
-with known password and without requiring preauthentication. A
-principal service at PATCH exists. The TGT for the PATCH realm has a
-3des and des key. The shared TGT keys between PATCH and
-PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and
-support both 3DES and DES keys.
-
-1) Run krb524d and krb5kdc for PATCH with no special options using a
- krb5.conf without permitted_enctypes (fully permissive).
-
-
-A) Get v4 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that kvno -4
-service at PATCH fails with an unknown principal error and logs an error
-about cross-realm being denied to the PATCH KDC log. This confirms
-that v4 cross-realm is not accepted.
-
-B) Get v5 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that krb524init
--p service at PATCH fails with a prohibited by policy error, but that
-klist -5 includes a ticket for service at PATCH. This confirms that v5
-cross-realm works but the krb524d denies converting such a ticket into
-a cross-realm ticket. Note that the krb524init currently in the
-mainline source tree will not be useful for this test because the
-client denies cross-realm for the simple reason that the v4 ticket
-file format is not flexible enough to support it. The krb524init in
-the 1.2.x release is useful for this test.
-
-
-2) Restart the krb5kdc and krb524d for PATCH with the -X option
- enabling v4 cross-realm.
-
-A) Confirm that the security warning is written to kdc.log.
-
-B) Get v4 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that kvno -4
-service at PATCH works and leaves a service at PATCH ticket in the cache.
-This confirms that v4 cross-realm works in the KDC. It also confirms
-that the KDC can accept 3DES v4 TGTs. The code path for decrypting a
-TGT is the same for the local realm and for foreign realms, so I don't
-see a need to test local 3DES TGTs in an automated manner although I
-did test it manually.
-
-C) Get v5 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that krb524init
--p service at PATCH works. This confirms that krb524d will issue
-cross-realm tickets. They're completely useless because the v4 ticket
-file can't represent them, but that's not our problem today.
-
-3) Start the kdc and krb524d with a krb5.conf that includes
- permitted_enctypes only listing des-cbc-crc. Get tickets as
- test at PATCH. Restart the KDC and confirm that kvno service fails
- logging an error about permitted enctypes. This confirms that if
- you manage to obtain a ticket of the wrong enctype it will not be
- accepted later.
-
-These tests do not check to make sure that 3DES tickets are not
-issued by the v4 code. I'm fairly certain that is true as I've
-physically remove the calls to the routine that generates 3DES tickets
-from the code in both the KDC and krb524d. These tests also do not
-check to make sure that cross-realm TGTs are not required to follow
-the strict enctype policy. I've tested that manually but don't know
-how to test that without significantly complicating the test setup.
Deleted: branches/mkey_migrate/doc/krb425.texinfo
===================================================================
--- branches/mkey_migrate/doc/krb425.texinfo 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/doc/krb425.texinfo 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,322 +0,0 @@
-\input texinfo @c -*-texinfo-*-
- at c Note: the above texinfo file must include the "doubleleftarrow"
- at c definitions added by jcb.
- at c %**start of header
- at c guide
- at setfilename krb425.info
- at settitle Upgrading to Kerberos V5 from Kerberos V4
- at c @setchapternewpage odd @c chapter begins on next odd page
- at c @setchapternewpage on @c chapter begins on next page
- at c @smallbook @c Format for 7" X 9.25" paper
- at c %**end of header
-
- at paragraphindent 0
- at iftex
- at parskip 6pt plus 6pt
- at end iftex
-
- at dircategory Kerberos
- at direntry
-* krb425: (krb425). Upgrading to Kerberos V5 from V4
- at end direntry
-
- at include definitions.texinfo
- at set EDITION 1.0
- at set UPDATED May 22, 2003
-
- at finalout @c don't print black warning boxes
-
- at titlepage
- at title Upgrading to @value{PRODUCT} from Kerberos V4
- at subtitle Release: @value{RELEASE}
- at subtitle Document Edition: @value{EDITION}
- at subtitle Last updated: @value{UPDATED}
- at author @value{COMPANY}
-
- at page
- at vskip 0pt plus 1filll
-
- at end titlepage
-
- at node Top, Copyright, (dir), (dir)
-
- at ifinfo
-This document describes how to convert to @value{PRODUCT} from Kerberos V4.
- at end ifinfo
-
- at menu
-* Copyright::
-* Introduction::
-* Configuration Files::
-* Upgrading KDCs::
-* Upgrading Application Servers::
-* Upgrading Client machines::
-* Firewall Considerations::
- at end menu
-
- at node Copyright, Introduction, Top, Top
- at unnumbered Copyright
- at include copyright.texinfo
-
- at node Introduction, Configuration Files, Copyright, Top
- at chapter Introduction
-
-As with most software upgrades, @value{PRODUCT} is generally backward
-compatible but not necessarily forward compatible. The @value{PRODUCT}
-daemons can interoperate with Kerberos V4 clients, but most of the
-Kerberos V4 daemons can not interoperate with Kerberos V5 clients. This
-suggests the following strategy for performing the upgrade:
-
- at enumerate
- at item
- at strong{Upgrade your KDCs.} This must be done first, so that
-interactions with the Kerberos database, whether by Kerberos V5 clients
-or by Kerberos V4 clients, will succeed.
-
- at item
- at strong{Upgrade your servers.} This must be done before upgrading
-client machines, so that the servers are able to respond to both
-Kerberos V5 and Kerberos V4 queries.
-
- at item
- at strong{Upgrade your client machines.} Do this only after your KDCs and
-application servers are upgraded, so that all of your Kerberos V5
-clients will be talking to Kerberos V5 daemons.
- at end enumerate
-
- at node Configuration Files, Upgrading KDCs, Introduction, Top
- at chapter Configuration Files
-
-The Kerberos @code{krb5.conf} and KDC @code{kdc.conf} configuration
-files allow additional tags for Kerberos V4 compatibility.
-
- at menu
-* krb5.conf::
-* kdc.conf::
- at end menu
-
- at node krb5.conf, kdc.conf, Configuration Files, Configuration Files
- at section krb5.conf
-
-If you used the defaults, both when you installed Kerberos V4 and when
-you installed @value{PRODUCT}, you should not need to include any of
-these tags. However, some or all of them may be necessary for
-nonstandard installations.
-
- at menu
-* libdefaults::
-* realms (krb5.conf)::
-* AFS and the Appdefaults Section::
- at end menu
-
- at node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf
- at subsection [libdefaults]
-
-In the [libdefaults] section, the following additional tags may be used:
-
- at table @b
- at item krb4_srvtab
-Specifies the location of the Kerberos V4 srvtab file. Default is
- at value{DefaultKrb4Srvtab}.
-
- at item krb4_config
-Specifies the location of the Kerberos V4 configuration file. Default
-is @value{DefaultKrb4Config}.
-
- at item krb4_realms
-Specifies the location of the Kerberos V4 domain/realm translation
-file. Default is @value{DefaultKrb4Realms}.
- at end table
-
- at node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf
- at subsection [realms]
-
-In the [realms] section, the following Kerberos V4 tags may be used:
- at table @b
- at itemx default_domain
-Identifies the default domain for hosts in this realm. This is needed
-for translating V4 principal names (which do not contain a domain name)
-to V5 principal names. The default is your Kerberos realm name,
-converted to lower case.
-
- at itemx v4_instance_convert
-This subsection allows the administrator to configure exceptions to the
-default_domain mapping rule. It contains V4 instances (tag name) which
-should be translated to some specific hostname (tag value) as the second
-component in a Kerberos V5 principal name.
-
- at itemx v4_realm
-This relation allows the administrator to configure a different
-realm name to be used when converting V5 principals to V4
-ones. This should only be used when running separate V4 and V5
-realms, with some external means of password sychronization
-between the realms.
-
- at end table
-
- at node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf
- at subsection AFS and the Appdefaults Section
-
-Many Kerberos 4 sites also run the Andrew File System (AFS).
-
-Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format.
-This allows AFS to use Kerberos 5 tickets rather than version 4
-tickets, enabling cross-realm authentication. By default, the
- at file{krb524d} service will issue the new AFS 2b tokens. If you are
-using old AFS servers, you will need to disable these new tokens.
-Please see the documentation of the @code{appdefaults} section of
- at file{krb5.conf} in the Kerberos Administration guide.
-
-
-
- at node kdc.conf, , krb5.conf, Configuration Files
- at section kdc.conf
-
-Because Kerberos V4 requires a different type of salt for the encryption
-type, you will need to change the @code{supported_enctypes} line in the
-[realms] section to:
-
- at smallexample
-supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
- at end smallexample
-
-This is the only change needed to the @code{kdc.conf} file.
-
- at node Upgrading KDCs, Upgrading Application Servers, Configuration Files, Top
- at chapter Upgrading KDCs
-
-To convert your KDCs from Kerberos V4 to @value{PRODUCT}, do the
-following:
-
- at enumerate
- at item
-Install @value{PRODUCT} on each KDC, according to the instructions in
-the @value{PRODUCT} Installation Guide, up to the point where it tells
-you to create the database.
-
- at item
-Find the @code{kadmind} (V4) daemon process on the master KDC and kill
-it. This will prevent changes to the Kerberos database while you
-convert the database to the new Kerberos V5 format.
-
- at item
-Create a dump of the V4 database in the directory where your V5 database
-will reside by issuing the command:
-
- at smallexample
-% kdb_util dump @value{ROOTDIR}/var/krb5kdc/v4-dump
- at end smallexample
-
- at item
-Load the V4 dump into a Kerberos V5 database, by issuing the command:
-
- at smallexample
-% kdb5_util load_v4 v4-dump
- at end smallexample
-
- at item
-Create a Kerberos V5 stash file, if desired, by issuing the command:
-
- at smallexample
-% kdb5_util stash
- at end smallexample
-
- at item
-Proceed with the rest of the @value{PRODUCT} installation as described
-in the @value{PRODUCT} Installation Guide. When you get to the section
-that tells you to start the @code{krb5kdc} and @code{kadmind} daemons,
-first find and kill the Kerberos V4 @code{kerberos} daemon on each of
-the KDCs. Then start the @code{krb5kdc} and @code{kadmind} daemons as
-You will need to specify an argument to the @code{-4} command line option to enable Kerberos 4 compatibility.
-See the @code{krb5kdc} man page for details.
-directed. Finally, start the Kerberos V5 to V4 ticket translator
-daemon, @code{krb524d}, by issuing the command:
-
- at smallexample
-% @value{ROOTDIR}/sbin/krb524d -m > /dev/null &
- at end smallexample
-
-If you have a stash file and you start the @code{krb5kdc} and
- at code{kadmind} daemons at boot time, you should add the above line to
-your @code{/etc/rc} (or @code{/etc/rc.local}) file on each KDC.
- at end enumerate
-
- at node Upgrading Application Servers, Upgrading Client machines, Upgrading KDCs, Top
- at chapter Upgrading Application Servers
-
-Install @value{PRODUCT} on each application server, according to the
-instructions in the @value{PRODUCT} Installation Guide, with the
-following exceptions:
-
- at itemize @bullet
- at item
-In the file @code{/etc/services}, add or edit the lines described in the
- at value{PRODUCT} Installation Guide, with the following exception:
-
-in place of:
-
- at smallexample
- at group
-kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
-kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
- at end group
- at end smallexample
-
- at noindent
-add instead:
-
- at smallexample
- at group
-kerberos-sec @value{DefaultPort}/udp kdc # Kerberos V5 KDC
-kerberos-sec @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
- at end group
- at end smallexample
-
- at item
-Convert your Kerberos V4 srvtab file to Kerberos V5 keytab file as
-follows:
-
- at smallexample
- at group
- at b{#} @value{ROOTDIR}/sbin/ktutil
- at b{ktutil:} rst /etc/krb-srvtab
- at b{ktutil:} wkt /etc/krb5.keytab
- at b{ktutil:} q
- at b{#}
- at end group
- at end smallexample
- at end itemize
-
- at node Upgrading Client machines, Firewall Considerations, Upgrading Application Servers, Top
- at chapter Upgrading Client machines
-
-Install @value{PRODUCT} on each client machine, according to the
-instructions in the @value{PRODUCT} Installation Guide.
-
-Tell your users to add the appropriate directory to their paths. On
-UNIX machines, this will probably be @code{@value{BINDIR}}.
-
-Note that if you upgrade your client machines before all of your
-application servers are upgraded, your users will need to use the
-Kerberos V4 programs to connect to application servers that are still
-running Kerberos V4. (The one exception is the UNIX version of
- at value{PRODUCT} telnet, which can connect to a Kerberos V4 and Kerberos
-V5 application servers.) Users can use either the Kerberos V4 or
- at value{PRODUCT} programs to connect to Kerberos V5 servers.
-
- at node Firewall Considerations, , Upgrading Client machines, Top
- at chapter Firewall Considerations
-
- at value{PRODUCT} uses port @value{DefaultPort}, which is the port
-assigned by the IETF, for KDC requests. Kerberos V4 used port
- at value{DefaultSecondPort}. If your users will need to get to any KDCs
-outside your firewall, you will need to allow TCP and UDP requests on
-port @value{DefaultPort} for your users to get to off-site Kerberos V5
-KDCs, and on port @value{DefaultSecondPort} for your users to get to
-off-site Kerberos V4 KDCs.
-
- at contents
- at c second page break makes sure right-left page alignment works right
- at c with a one-page toc, even though we don't have setchapternewpage odd.
- at c end of texinfo file
- at bye
Copied: branches/mkey_migrate/doc/krb5-protocol/draft-ietf-cat-kerberos-pk-init-09.txt (from rev 21721, trunk/doc/krb5-protocol/draft-ietf-cat-kerberos-pk-init-09.txt)
Copied: branches/mkey_migrate/doc/krb5-protocol/rfc4557.txt (from rev 21721, trunk/doc/krb5-protocol/rfc4557.txt)
Modified: branches/mkey_migrate/src/BADSYMS
===================================================================
--- branches/mkey_migrate/src/BADSYMS 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/BADSYMS 2009-01-10 01:06:45 UTC (rev 21722)
@@ -273,7 +273,6 @@
./util/pty/void_assoc.c: TIOCNOTTY
./util/ss/configure.in: const HAVE_STDARG_H HAVE_VARARGS_H KRB5_DNS_LOOKUP KRB5_DNS_LOOKUP_KDC KRB5_DNS_LOOKUP_REALM NO_YYLINENO POSIX_SIGNALS RETSIGTYPE USE_DIRENT_H USE_SIGPROCMASK WAIT_USES_INT HAVE_STRDUP HAVE_STDLIB_H HAVE_LIBNSL HAVE_LIBSOCKET
./util/ss/error.c: ibm032 NeXT __STDC__
-./util/ss/execute_cmd.c: __SABER__
./util/ss/invocation.c: silly
./util/ss/list_rqs.c: lint NO_FORK __STDC__
./util/ss/pager.c: NO_FORK
Modified: branches/mkey_migrate/src/Makefile.in
===================================================================
--- branches/mkey_migrate/src/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -9,7 +9,7 @@
# plugins/preauth/wpse
# plugins/preauth/cksum_body
# plugins/authdata/greet
-SUBDIRS=util include lib @krb524@ kdc kadmin @ldap_plugin_dir@ slave clients \
+SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \
plugins/kdb/db2 \
plugins/preauth/pkinit \
appl tests \
@@ -102,7 +102,6 @@
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssapi
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssrpc
- $(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/kerberosIV
install-headers-prerecurse: install-headers-mkdirs
# install::
@@ -195,7 +194,6 @@
clients\kpasswd\Makefile clients\kvno\Makefile \
clients\kcpytkt\Makefile clients\kdeltkt\Makefile \
include\Makefile \
- krb524\Makefile \
lib\Makefile lib\crypto\Makefile \
lib\crypto\crc32\Makefile lib\crypto\des\Makefile \
lib\crypto\dk\Makefile lib\crypto\enc_provider\Makefile \
@@ -205,11 +203,10 @@
lib\crypto\sha1\Makefile lib\crypto\arcfour\Makefile \
lib\crypto\md4\Makefile lib\crypto\md5\Makefile \
lib\crypto\yarrow\Makefile lib\crypto\aes\Makefile \
- lib\des425\Makefile \
lib\gssapi\Makefile lib\gssapi\generic\Makefile \
lib\gssapi\krb5\Makefile lib\gssapi\mechglue\Makefile \
lib\gssapi\spnego\Makefile \
- lib\krb4\Makefile lib\krb5\Makefile \
+ lib\krb5\Makefile \
lib\krb5\asn.1\Makefile lib\krb5\ccache\Makefile \
lib\krb5\ccache\ccapi\Makefile \
lib\krb5\error_tables\Makefile \
@@ -260,8 +257,6 @@
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##include\Makefile: include\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##krb524\Makefile: krb524\Makefile.in $(MKFDEP)
-##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\Makefile: lib\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\Makefile: lib\crypto\Makefile.in $(MKFDEP)
@@ -294,20 +289,14 @@
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\raw\Makefile: lib\crypto\raw\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##lib\des425\Makefile: lib\des425\Makefile.in $(MKFDEP)
-##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\gssapi\Makefile: lib\gssapi\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\gssapi\generic\Makefile: lib\gssapi\generic\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\gssapi\mechglue\Makefile: lib\gssapi\mechglue\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##lib\gssapi\spnego\Makefile: lib\gssapi\spnego\Makefile.in $(MKFDEP)
-##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\gssapi\krb5\Makefile: lib\gssapi\krb5\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##lib\krb4\Makefile: lib\krb4\Makefile.in $(MKFDEP)
-##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\krb5\Makefile: lib\krb5\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\krb5\asn.1\Makefile: lib\krb5\asn.1\Makefile.in $(MKFDEP)
@@ -395,14 +384,14 @@
clients/* clients/kdestroy/* clients/kinit/* clients/klist/* \
clients/kpasswd/* clients/kcpytkt/* clients/kdeltkt/* \
config/* include/* include/kerberosIV/* \
- include/krb5/* include/krb5/stock/* include/sys/* krb524/* lib/* \
+ include/krb5/* include/krb5/stock/* include/sys/* lib/* \
lib/crypto/* lib/crypto/crc32/* lib/crypto/des/* lib/crypto/dk/* \
lib/crypto/enc_provider/* lib/crypto/hash_provider/* \
lib/crypto/keyhash_provider/* lib/crypto/old/* lib/crypto/raw/* \
lib/crypto/sha1/* lib/crypto/arcfour/* lib/crypto/md4/* \
lib/crypto/md5/* lib/crypto/yarrow/* \
- lib/des425/* lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \
- lib/gssapi/mechglue/* lib/gssapi/spnego/* lib/krb4/* \
+ lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \
+ lib/gssapi/mechglue/* lib/gssapi/spnego/* \
lib/krb5/* lib/krb5/asn.1/* lib/krb5/krb/* \
lib/krb5/ccache/* lib/krb5/ccache/ccapi/* \
lib/krb5/error_tables/* \
@@ -442,12 +431,9 @@
$(INC)krb5_err.h $(ET)krb5_err.c \
$(INC)kv5m_err.h $(ET)kv5m_err.c \
$(INC)krb524_err.h $(ET)krb524_err.c \
- $(INC)/kerberosIV/kadm_err.h lib/krb4/kadm_err.c \
- $(INC)/kerberosIV/krb_err.h lib/krb4/krb_err.c \
$(PR)prof_err.h $(PR)prof_err.c \
$(GG)gssapi_err_generic.h $(GG)gssapi_err_generic.c \
- $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c \
- lib/krb4/krb_err_txt.c
+ $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c
HOUT = $(INC)krb5\krb5.h $(GG)gssapi.h $(PR)profile.h
@@ -502,10 +488,6 @@
$(AWK) -f $(AH) outfile=$@ $(ET)kv5m_err.et
$(INC)krb524_err.h: $(AH) $(ET)krb524_err.et
$(AWK) -f $(AH) outfile=$@ $(ET)krb524_err.et
-$(INC)/kerberosIV/kadm_err.h: $(AH) lib/krb4/kadm_err.et
- $(AWK) -f $(AH) outfile=$@ lib/krb4/kadm_err.et
-$(INC)/kerberosIV/krb_err.h: $(AH) lib/krb4/krb_err.et
- $(AWK) -f $(AH) outfile=$@ lib/krb4/krb_err.et
$(PR)prof_err.h: $(AH) $(PR)prof_err.et
$(AWK) -f $(AH) outfile=$@ $(PR)prof_err.et
$(GG)gssapi_err_generic.h: $(AH) $(GG)gssapi_err_generic.et
@@ -527,10 +509,6 @@
$(AWK) -f $(AC) outfile=$@ $(ET)kv5m_err.et
$(ET)krb524_err.c: $(AC) $(ET)krb524_err.et
$(AWK) -f $(AC) outfile=$@ $(ET)krb524_err.et
-lib/krb4/kadm_err.c: $(AC) lib/krb4/kadm_err.et
- $(AWK) -f $(AC) outfile=$@ lib/krb4/kadm_err.et
-lib/krb4/krb_err.c: $(AC) lib/krb4/krb_err.et
- $(AWK) -f $(AC) outfile=$@ lib/krb4/krb_err.et
$(PR)prof_err.c: $(AC) $(PR)prof_err.et
$(AWK) -f $(AC) outfile=$@ $(PR)prof_err.et
$(GG)gssapi_err_generic.c: $(AC) $(GG)gssapi_err_generic.et
@@ -542,10 +520,6 @@
$(CE)test2.c: $(AC) $(CE)test2.et
$(AWK) -f $(AC) outfile=$@ $(CE)test2.et
-lib/krb4/krb_err_txt.c: lib/krb4/krb_err.et
- $(AWK) -f lib/krb4/et_errtxt.awk outfile=$@ \
- lib/krb4/krb_err.et
-
KRBHDEP = $(INC)krb5\krb5.hin $(INC)krb5_err.h $(INC)kdb5_err.h \
$(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h
@@ -616,8 +590,6 @@
$(CP) clients\kcpytkt\$(OUTPRE)kcpytkt.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\."
- @if exist "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" del "$(KRB_INSTALL_DIR)\bin\krb4_32.dll"
- @if exist "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" del "$(KRB_INSTALL_DIR)\lib\krb4_32.lib"
install-unix::
$(INSTALL_SCRIPT) krb5-config \
Modified: branches/mkey_migrate/src/aclocal.m4
===================================================================
--- branches/mkey_migrate/src/aclocal.m4 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/aclocal.m4 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,5 +1,5 @@
AC_PREREQ(2.52)
-AC_COPYRIGHT([Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2008
+AC_COPYRIGHT([Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2008, 2009
Massachusetts Institute of Technology.
])
dnl
@@ -74,7 +74,6 @@
if test -z "$LD" ; then LD=$CC; fi
AC_ARG_VAR(LD,[linker command [CC]])
AC_SUBST(LDFLAGS) dnl
-WITH_KRB4 dnl
KRB5_AC_CHOOSE_ET dnl
KRB5_AC_CHOOSE_SS dnl
KRB5_AC_CHOOSE_DB dnl
@@ -91,7 +90,6 @@
dnl
CONFIG_RELTOPDIR=$ac_reltopdir
AC_SUBST(CONFIG_RELTOPDIR)
-AC_SUBST(subdirs)
lib_frag=$srcdir/$ac_config_fragdir/lib.in
AC_SUBST_FILE(lib_frag)
libobj_frag=$srcdir/$ac_config_fragdir/libobj.in
@@ -502,69 +500,16 @@
AC_DEFINE_UNQUOTED($ac_tr_file) $2], $3)dnl
done
])
-dnl
-dnl set $(KRB4) from --with-krb4=value -- WITH_KRB4
-dnl
-AC_DEFUN(WITH_KRB4,[
-AC_ARG_WITH([krb4],
-[ --without-krb4 omit Kerberos V4 backwards compatibility (default)
- --with-krb4 use V4 libraries included with V5
- --with-krb4=KRB4DIR use preinstalled V4 libraries],
-,
-withval=no
-)dnl
-if test $withval = no; then
- AC_MSG_NOTICE(no krb4 support)
- KRB4_LIB=
- KRB4_DEPLIB=
- KRB4_INCLUDES=
- KRB4_LIBPATH=
- KRB_ERR_H_DEP=
- krb5_cv_build_krb4_libs=no
- krb5_cv_krb4_libdir=
-else
- AC_DEFINE([KRB5_KRB4_COMPAT], 1, [Define this if building with krb4 compat])
- if test $withval = yes; then
- AC_MSG_NOTICE(enabling built in krb4 support)
- KRB4_DEPLIB='$(TOPLIBD)/libkrb4$(DEPLIBEXT)'
- KRB4_LIB=-lkrb4
- KRB4_INCLUDES='-I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV'
- KRB4_LIBPATH=
- KRB_ERR_H_DEP='$(BUILDTOP)/include/kerberosIV/krb_err.h'
- krb5_cv_build_krb4_libs=yes
- krb5_cv_krb4_libdir=
- else
- AC_MSG_NOTICE(using preinstalled krb4 in $withval)
- KRB4_LIB="-lkrb"
-dnl DEPKRB4_LIB="$withval/lib/libkrb.a"
- KRB4_INCLUDES="-I$withval/include"
- KRB4_LIBPATH="-L$withval/lib"
- KRB_ERR_H_DEP=
- krb5_cv_build_krb4_libs=no
- krb5_cv_krb4_libdir="$withval/lib"
- fi
-fi
-AC_SUBST(KRB4_INCLUDES)
-AC_SUBST(KRB4_LIBPATH)
-AC_SUBST(KRB4_LIB)
-AC_SUBST(KRB4_DEPLIB)
-AC_SUBST(KRB_ERR_H_DEP)
-dnl We always compile the des425 library
-DES425_DEPLIB='$(TOPLIBD)/libdes425$(DEPLIBEXT)'
-DES425_LIB=-ldes425
-AC_SUBST(DES425_DEPLIB)
-AC_SUBST(DES425_LIB)
-])dnl
-dnl
-dnl
AC_DEFUN(KRB5_AC_CHECK_FOR_CFLAGS,[
AC_BEFORE([$0],[AC_PROG_CC])
AC_BEFORE([$0],[AC_PROG_CXX])
krb5_ac_cflags_set=${CFLAGS+set}
krb5_ac_cxxflags_set=${CXXFLAGS+set}
+krb5_ac_warn_cflags_set=${WARN_CFLAGS+set}
+krb5_ac_warn_cxxflags_set=${WARN_CXXFLAGS+set}
])
dnl
-AC_DEFUN(TRY_CC_FLAG,[dnl
+AC_DEFUN(TRY_WARN_CC_FLAG,[dnl
cachevar=`echo "krb5_cv_cc_flag_$1" | sed s/[[^a-zA-Z0-9_]]/_/g`
AC_CACHE_CHECK([if C compiler supports $1], [$cachevar],
[# first try without, then with
@@ -575,7 +520,7 @@
CFLAGS="$old_cflags"],
[AC_MSG_ERROR(compiling simple test program with $CFLAGS failed)])])
if eval test '"${'$cachevar'}"' = yes; then
- CFLAGS="$CFLAGS $1"
+ WARN_CFLAGS="$WARN_CFLAGS $1"
fi
eval flag_supported='${'$cachevar'}'
])dnl
@@ -606,7 +551,7 @@
AC_DEFINE(CONFIG_SMALL,1,[Define to reduce code size even if it means more cpu usage])
fi
# -Wno-long-long, if needed, for k5-platform.h without inttypes.h etc.
-extra_gcc_warn_opts="-Wall -Wcast-qual -Wcast-align -Wconversion -Wshadow"
+extra_gcc_warn_opts="-Wall -Wcast-qual -Wcast-align -Wshadow"
# -Wmissing-prototypes
if test "$GCC" = yes ; then
# Putting this here means we get -Os after -O2, which works.
@@ -618,32 +563,32 @@
*) CFLAGS="$CFLAGS -Os" ;;
esac
fi
- if test "x$krb5_ac_cflags_set" = xset ; then
- AC_MSG_NOTICE(not adding extra gcc warning flags because CFLAGS was set)
+ if test "x$krb5_ac_warn_cflags_set" = xset ; then
+ AC_MSG_NOTICE(not adding extra gcc warning flags because WARN_CFLAGS was set)
else
AC_MSG_NOTICE(adding extra warning flags for gcc)
- CFLAGS="$CFLAGS $extra_gcc_warn_opts -Wmissing-prototypes"
+ WARN_CFLAGS="$WARN_CFLAGS $extra_gcc_warn_opts -Wmissing-prototypes"
if test "`uname -s`" = Darwin ; then
AC_MSG_NOTICE(skipping pedantic warnings on Darwin)
elif test "`uname -s`" = Linux ; then
AC_MSG_NOTICE(skipping pedantic warnings on Linux)
else
- CFLAGS="$CFLAGS -pedantic"
+ WARN_CFLAGS="$WARN_CFLAGS -pedantic"
fi
if test "$ac_cv_cxx_compiler_gnu" = yes; then
- if test "x$krb5_ac_cxxflags_set" = xset ; then
- AC_MSG_NOTICE(not adding extra g++ warnings because CXXFLAGS was set)
+ if test "x$krb5_ac_warn_cxxflags_set" = xset ; then
+ AC_MSG_NOTICE(not adding extra g++ warnings because WARN_CXXFLAGS was set)
else
AC_MSG_NOTICE(adding extra warning flags for g++)
- CXXFLAGS="$CXXFLAGS $extra_gcc_warn_opts"
+ WARN_CXXFLAGS="$WARN_CXXFLAGS $extra_gcc_warn_opts"
fi
fi
# Currently, G++ does not support -Wno-format-zero-length.
- TRY_CC_FLAG(-Wno-format-zero-length)
+ TRY_WARN_CC_FLAG(-Wno-format-zero-length)
# Other flags here may not be supported on some versions of
# gcc that people want to use.
for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof ; do
- TRY_CC_FLAG(-W$flag)
+ TRY_WARN_CC_FLAG(-W$flag)
done
# old-style-definition? generates many, many warnings
#
@@ -659,9 +604,9 @@
# We're currently targeting C89+, not C99, so disallow some
# constructs.
for flag in declaration-after-statement variadic-macros ; do
- TRY_CC_FLAG(-Werror=$flag)
+ TRY_WARN_CC_FLAG(-Werror=$flag)
if test "$flag_supported" = no; then
- TRY_CC_FLAG(-W$flag)
+ TRY_WARN_CC_FLAG(-W$flag)
fi
done
# missing-prototypes? maybe someday
@@ -712,7 +657,19 @@
;;
esac
fi
+ if test "`uname -s`" = SunOS ; then
+ # Using Solaris but not GCC, assume Sunsoft compiler.
+ # We have some error-out-on-warning options available.
+ # Sunsoft 12 compiler defaults to -xc99=all, it appears, so "inline"
+ # works, but it also means that declaration-in-code warnings won't
+ # be issued.
+ # -v -fd -errwarn=E_DECLARATION_IN_CODE ...
+ WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION"
+ WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64"
+ fi
fi
+AC_SUBST(WARN_CFLAGS)
+AC_SUBST(WARN_CXXFLAGS)
])dnl
dnl
dnl
@@ -749,7 +706,7 @@
dnl The ac_foreach generates the list of fragments to include
dnl or "" if $2 is empty
AC_DEFUN(_K5_GEN_MAKEFILE,[dnl
-AC_CONFIG_FILES([$1/Makefile:$srcdir/]K5_TOPDIR[/config/pre.in:$1/Makefile.in:$srcdir/]K5_TOPDIR[/config/post.in])
+AC_CONFIG_FILES([$1/Makefile:$srcdir/]K5_TOPDIR[/config/pre.in:$1/Makefile.in:$1/deps:$srcdir/]K5_TOPDIR[/config/post.in])
])
dnl
dnl K5_GEN_FILE( <ac_output arguments> )
@@ -769,7 +726,7 @@
define(_V5_AC_OUTPUT_MAKEFILE,
[ifelse($2, , ,AC_CONFIG_FILES($2))
AC_FOREACH([DIR], [$1],dnl
- [AC_CONFIG_FILES(DIR[/Makefile:$srcdir/]K5_TOPDIR[/config/pre.in:]DIR[/Makefile.in:$srcdir/]K5_TOPDIR[/config/post.in])])
+ [AC_CONFIG_FILES(DIR[/Makefile:$srcdir/]K5_TOPDIR[/config/pre.in:]DIR[/Makefile.in:]DIR[/deps:$srcdir/]K5_TOPDIR[/config/post.in])])
K5_AC_OUTPUT])dnl
dnl
dnl
@@ -1185,6 +1142,7 @@
AC_SUBST(LIBLIST)
AC_SUBST(LIBLINKS)
AC_SUBST(MAKE_SHLIB_COMMAND)
+AC_SUBST(SHLIB_RPATH_FLAGS)
AC_SUBST(SHLIB_EXPFLAGS)
AC_SUBST(SHLIB_EXPORT_FILE_DEP)
AC_SUBST(DYNOBJ_EXPDEPS)
@@ -1226,6 +1184,7 @@
AC_SUBST(CC_LINK)
AC_SUBST(CXX_LINK)
AC_SUBST(RPATH_FLAG)
+AC_SUBST(PROG_RPATH_FLAGS)
AC_SUBST(DEPLIBEXT)])
dnl
@@ -1254,7 +1213,18 @@
[if test "$enableval" != yes; then
AC_MSG_ERROR([Sorry, this release builds only shared libraries, cannot disable them.])
fi])
+AC_ARG_ENABLE([rpath],
+AC_HELP_STRING([--disable-rpath],[suppress run path flags in link lines]),
+[enable_rpath=$withval],
+[enable_rpath=yes])
+if test "x$enable_rpath" != xyes ; then
+ # Unset the rpath flag values set by shlib.conf
+ SHLIB_RPATH_FLAGS=
+ RPATH_FLAG=
+ PROG_RPATH_FLAGS=
+fi
+
if test "$SHLIBEXT" = ".so-nobuild"; then
AC_MSG_ERROR([Shared libraries are not yet supported on this platform.])
fi
@@ -1462,7 +1432,8 @@
ifelse([$3], ,[if test "x$ac_cv_func_$2" = xyes; then])
AC_CACHE_CHECK([if $2 needs a prototype provided], krb5_cv_func_$2_noproto,
AC_TRY_COMPILE([$1],
-[struct k5foo {int foo; } xx;
+[#undef $2
+struct k5foo {int foo; } xx;
extern int $2 (struct k5foo*);
$2(&xx);
],
@@ -1788,7 +1759,6 @@
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
fi
-AC_SUBST(OPENLDAP_PLUGIN)
])dnl
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
Modified: branches/mkey_migrate/src/appl/bsd/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/bsd/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,6 @@
myfulldir=appl/bsd
mydir=.
BUILDTOP=$(REL)..$(S)..
-LOCALINCLUDES=@KRB4_INCLUDES@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
@@ -11,16 +10,13 @@
LOGINLIBS=@LOGINLIBS@
LIBOBJS=@LIBOBJS@
-V4RCP=@V4RCP@
-V4RCPO=@V4RCPO@
KRSHDLIBS=@KRSHDLIBS@
SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \
- $(srcdir)/forward.c $(srcdir)/compat_recv.c \
- $(srcdir)/login.c $(srcdir)/krshd.c $(srcdir)/krlogind.c \
- $(srcdir)/v4rcp.c
-OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) \
- login.o krshd.o krlogind.o $(V4RCPO) $(LIBOBJS)
+ $(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \
+ $(srcdir)/krlogind.c
+OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o $(SETENVOBJ) login.o krshd.o \
+ krlogind.o $(LIBOBJS)
UCB_RLOGIN = @UCB_RLOGIN@
UCB_RSH = @UCB_RSH@
@@ -34,23 +30,20 @@
-DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\" \
-DHEIMDAL_FRIENDLY
-all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)
+all:: rsh rcp rlogin kshd klogind login.krb5
clean::
- $(RM) rsh rcp rlogin kshd klogind login.krb5 v4rcp
+ $(RM) rsh rcp rlogin kshd klogind login.krb5
-rsh: krsh.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o rsh krsh.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_LIBS)
+rsh: krsh.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o rsh krsh.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_LIBS)
-rcp: krcp.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o rcp krcp.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_LIBS)
+rcp: krcp.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o rcp krcp.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_LIBS)
-v4rcp: v4rcp.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o v4rcp v4rcp.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_LIBS)
+rlogin: krlogin.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o rlogin krlogin.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB5_BASE_LIBS)
-rlogin: krlogin.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o rlogin krlogin.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRB4COMPAT_LIBS)
-
install::
for f in rsh rcp rlogin; do \
($(INSTALL_PROGRAM) $$f \
@@ -59,18 +52,12 @@
${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1 \
) || exit 1; \
done
- f=$(V4RCP); \
- if test -n "$$f" ; then $(INSTALL_SETUID) $$f \
- $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
- $(INSTALL_DATA) $(srcdir)/$$f.M \
- ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
- fi
-kshd: krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
+kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
-klogind: krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
+klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
+ $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
install::
for f in kshd klogind; do \
@@ -84,8 +71,8 @@
# No program name transformation is done with login.krb5 since it is directly
# referenced by klogind.
#
-login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB4COMPAT_LIBS)
+login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS)
install::
$(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5
@@ -95,111 +82,3 @@
getdtablesize.o: $(srcdir)/getdtablesize.c
kcmd.o krcp.o krlogin.o krlogind.o krsh.o krshd.o forward.o: defines.h
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)krcp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h defines.h krcp.c
-$(OUTPRE)krlogin.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h krlogin.c rpaths.h
-$(OUTPRE)krsh.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h krsh.c
-$(OUTPRE)kcmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h kcmd.c
-$(OUTPRE)forward.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h forward.c
-$(OUTPRE)compat_recv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- compat_recv.c defines.h
-$(OUTPRE)login.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- login.c loginpaths.h
-$(OUTPRE)krshd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h krshd.c loginpaths.h
-$(OUTPRE)krlogind.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- defines.h krlogind.c
-$(OUTPRE)v4rcp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/krbports.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rpaths.h v4rcp.c
Deleted: branches/mkey_migrate/src/appl/bsd/compat_recv.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/compat_recv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/compat_recv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,581 +0,0 @@
-/*
- * lib/krb5/krb/compat_recv.c
- *
- * Copyright 1993, 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * convenience sendauth/recvauth functions, with compatibility with V4
- * recvauth.
- *
- * NOTE: linking in this function will pull in V4 kerberos routines.
- *
- * WARNING: In the V4-style arguments, the ticket and kdata arguments
- * have different types than the V4 recvauth; in V4, they were KTEXT
- * and AUTH_DAT *, respectively. Here, they are KTEXT * and AUTH_DAT **
- * and they are allocated by recvauth if and only if we end up talking
- * to a V4 sendauth.
- */
-
-#include "k5-int.h"
-#if !defined(_MACINTOSH)
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
-#include "com_err.h"
-#include <errno.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include "defines.h"
-
-#ifdef KRB5_KRB4_COMPAT
-static int krb_v4_recvauth(long options, int fd, KTEXT ticket,
- char *service, char *instance,
- struct sockaddr_in *faddr,
- struct sockaddr_in *laddr,
- AUTH_DAT *kdata,
- char *filename,
- Key_schedule schedule,
- char *version);
-#endif
-
-#define KRB_V4_SENDAUTH_VERS "AUTHV0.1" /* MUST be 8 chars long */
-#define KRB_V5_SENDAUTH_VERS "KRB5_SENDAUTH_V1.0"
-
-#define KRB5_RECVAUTH_V4 4
-#define KRB5_RECVAUTH_V5 5
-
-#ifdef KRB5_KRB4_COMPAT
-krb5_error_code
-krb5_compat_recvauth(context, auth_context,
- /* IN */
- fdp, appl_version, server, flags, keytab,
- v4_options, v4_service, v4_instance, v4_faddr, v4_laddr,
- v4_filename,
- /* OUT */
- ticket,
- auth_sys, v4_kdata, v4_schedule, v4_version)
- krb5_context context;
- krb5_auth_context *auth_context;
- krb5_pointer fdp;
- char *appl_version;
- krb5_principal server;
- krb5_int32 flags;
- krb5_keytab keytab;
- krb5_ticket ** ticket;
- krb5_int32 *auth_sys;
-
- /*
- * Version 4 arguments
- */
- krb5_int32 v4_options; /* bit-pattern of options */
- char *v4_service; /* service expected */
- char *v4_instance; /* inst expected (may be filled in) */
- struct sockaddr_in *v4_faddr; /* foreign address */
- struct sockaddr_in *v4_laddr; /* local address */
- AUTH_DAT **v4_kdata; /* kerberos data (returned) */
- char *v4_filename; /* name of file with service keys */
- Key_schedule v4_schedule; /* key schedule (return) */
- char *v4_version; /* version string (filled in) */
-{
- union verslen {
- krb5_int32 len;
- char vers[4];
- } vers;
- char *buf;
- int len, length;
- krb5_int32 retval;
- int fd = *( (int *) fdp);
-#ifdef KRB5_KRB4_COMPAT
- KTEXT v4_ticket; /* storage for client's ticket */
-#endif
-
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
-#ifdef KRB5_KRB4_COMPAT
- if (!strncmp(vers.vers, KRB_V4_SENDAUTH_VERS, 4)) {
- /*
- * We must be talking to a V4 sendauth; read in the
- * rest of the version string and make sure.
- */
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
- if (strncmp(vers.vers, KRB_V4_SENDAUTH_VERS+4, 4))
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- *auth_sys = KRB5_RECVAUTH_V4;
-
- *v4_kdata = (AUTH_DAT *) malloc( sizeof(AUTH_DAT) );
- v4_ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
-
- retval = krb_v4_recvauth(v4_options, fd, v4_ticket,
- v4_service, v4_instance, v4_faddr,
- v4_laddr, *v4_kdata, v4_filename,
- v4_schedule, v4_version);
- krb5_xfree(v4_ticket);
- /*
- * XXX error code translation?
- */
- switch (retval) {
- case RD_AP_OK:
- return 0;
- case RD_AP_TIME:
- return KRB5KRB_AP_ERR_SKEW;
- case RD_AP_EXP:
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- case RD_AP_NYV:
- return KRB5KRB_AP_ERR_TKT_NYV;
- case RD_AP_NOT_US:
- return KRB5KRB_AP_ERR_NOT_US;
- case RD_AP_UNDEC:
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- case RD_AP_REPEAT:
- return KRB5KRB_AP_ERR_REPEAT;
- case RD_AP_MSG_TYPE:
- return KRB5KRB_AP_ERR_MSG_TYPE;
- case RD_AP_MODIFIED:
- return KRB5KRB_AP_ERR_MODIFIED;
- case RD_AP_ORDER:
- return KRB5KRB_AP_ERR_BADORDER;
- case RD_AP_BADD:
- return KRB5KRB_AP_ERR_BADADDR;
- default:
- return KRB5_SENDAUTH_BADRESPONSE;
- }
- }
-#endif
-
- /*
- * Assume that we're talking to a V5 recvauth; read in the
- * the version string, and make sure it matches.
- */
-
- len = (int) ntohl(vers.len);
-
- if (len < 0 || len > 255)
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- buf = malloc((unsigned) len);
- if (!buf)
- return ENOMEM;
-
- length = krb5_net_read(context, fd, buf, len);
- if (len != length) {
- krb5_xfree(buf);
- if (len < 0)
- return errno;
- else
- return ECONNABORTED;
- }
-
- if (strcmp(buf, KRB_V5_SENDAUTH_VERS)) {
- krb5_xfree(buf);
- return KRB5_SENDAUTH_BADAUTHVERS;
- }
- krb5_xfree(buf);
-
- *auth_sys = KRB5_RECVAUTH_V5;
-
- retval = krb5_recvauth(context, auth_context, fdp, appl_version, server,
- flags | KRB5_RECVAUTH_SKIP_VERSION,
- keytab, ticket);
-
- return retval;
-}
-
-krb5_error_code
-krb5_compat_recvauth_version(context, auth_context,
- /* IN */
- fdp, server, flags, keytab,
- v4_options, v4_service, v4_instance, v4_faddr,
- v4_laddr,
- v4_filename,
- /* OUT */
- ticket,
- auth_sys, v4_kdata, v4_schedule,
- version)
- krb5_context context;
- krb5_auth_context *auth_context;
- krb5_pointer fdp;
- krb5_principal server;
- krb5_int32 flags;
- krb5_keytab keytab;
- krb5_ticket ** ticket;
- krb5_int32 *auth_sys;
-
- /*
- * Version 4 arguments
- */
- krb5_int32 v4_options; /* bit-pattern of options */
- char *v4_service; /* service expected */
- char *v4_instance; /* inst expected (may be filled in) */
- struct sockaddr_in *v4_faddr; /* foreign address */
- struct sockaddr_in *v4_laddr; /* local address */
- AUTH_DAT **v4_kdata; /* kerberos data (returned) */
- char *v4_filename; /* name of file with service keys */
- Key_schedule v4_schedule; /* key schedule (return) */
- krb5_data *version; /* application version filled in */
-{
- union verslen {
- krb5_int32 len;
- char vers[4];
- } vers;
- char *buf;
- int len, length;
- krb5_int32 retval;
- int fd = *( (int *) fdp);
-#ifdef KRB5_KRB4_COMPAT
- KTEXT v4_ticket; /* storage for client's ticket */
-#endif
-
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
-#ifdef KRB5_KRB4_COMPAT
- if (v4_faddr->sin_family == AF_INET
- && !strncmp(vers.vers, KRB_V4_SENDAUTH_VERS, 4)) {
- /*
- * We must be talking to a V4 sendauth; read in the
- * rest of the version string and make sure.
- */
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
- if (strncmp(vers.vers, KRB_V4_SENDAUTH_VERS+4, 4))
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- *auth_sys = KRB5_RECVAUTH_V4;
-
- *v4_kdata = (AUTH_DAT *) malloc( sizeof(AUTH_DAT) );
- v4_ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
-
- version->length = KRB_SENDAUTH_VLEN; /* no trailing \0! */
- version->data = malloc (KRB_SENDAUTH_VLEN + 1);
- version->data[KRB_SENDAUTH_VLEN] = 0;
- if (version->data == 0)
- return ENOMEM;
- retval = krb_v4_recvauth(v4_options, fd, v4_ticket,
- v4_service, v4_instance, v4_faddr,
- v4_laddr, *v4_kdata, v4_filename,
- v4_schedule, version->data);
- krb5_xfree(v4_ticket);
- /*
- * XXX error code translation?
- */
- switch (retval) {
- case RD_AP_OK:
- return 0;
- case RD_AP_TIME:
- return KRB5KRB_AP_ERR_SKEW;
- case RD_AP_EXP:
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- case RD_AP_NYV:
- return KRB5KRB_AP_ERR_TKT_NYV;
- case RD_AP_NOT_US:
- return KRB5KRB_AP_ERR_NOT_US;
- case RD_AP_UNDEC:
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- case RD_AP_REPEAT:
- return KRB5KRB_AP_ERR_REPEAT;
- case RD_AP_MSG_TYPE:
- return KRB5KRB_AP_ERR_MSG_TYPE;
- case RD_AP_MODIFIED:
- return KRB5KRB_AP_ERR_MODIFIED;
- case RD_AP_ORDER:
- return KRB5KRB_AP_ERR_BADORDER;
- case RD_AP_BADD:
- return KRB5KRB_AP_ERR_BADADDR;
- default:
- return KRB5_SENDAUTH_BADRESPONSE;
- }
- }
-#endif
-
- /*
- * Assume that we're talking to a V5 recvauth; read in the
- * the version string, and make sure it matches.
- */
-
- len = (int) ntohl(vers.len);
-
- if (len < 0 || len > 255)
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- buf = malloc((unsigned) len);
- if (!buf)
- return ENOMEM;
-
- length = krb5_net_read(context, fd, buf, len);
- if (len != length) {
- krb5_xfree(buf);
- if (len < 0)
- return errno;
- else
- return ECONNABORTED;
- }
-
- if (strcmp(buf, KRB_V5_SENDAUTH_VERS)) {
- krb5_xfree(buf);
- return KRB5_SENDAUTH_BADAUTHVERS;
- }
- krb5_xfree(buf);
-
- *auth_sys = KRB5_RECVAUTH_V5;
-
- retval = krb5_recvauth_version(context, auth_context, fdp, server,
- flags | KRB5_RECVAUTH_SKIP_VERSION,
- keytab, ticket, version);
-
- return retval;
-}
-#endif /* KRB5_KRB4_COMPAT */
-
-
-#ifndef max
-#define max(a,b) (((a) > (b)) ? (a) : (b))
-#endif /* max */
-
-#ifdef KRB5_KRB4_COMPAT
-static int
-krb_v4_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
- filename, schedule, version)
-long options; /* bit-pattern of options */
-int fd; /* file descr. to read from */
-KTEXT ticket; /* storage for client's ticket */
-char *service; /* service expected */
-char *instance; /* inst expected (may be filled in) */
-struct sockaddr_in *faddr; /* address of foreign host on fd */
-struct sockaddr_in *laddr; /* local address */
-AUTH_DAT *kdata; /* kerberos data (returned) */
-char *filename; /* name of file with service keys */
-Key_schedule schedule; /* key schedule (return) */
-char *version; /* version string (filled in) */
-{
- int cc, old_vers = 0;
- int rem;
- krb5_int32 tkt_len, priv_len;
- krb5_ui_4 cksum;
- u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)];
-
- /* read the application version string */
- if ((krb_net_read(fd, version, KRB_SENDAUTH_VLEN) !=
- KRB_SENDAUTH_VLEN))
- return(errno);
- version[KRB_SENDAUTH_VLEN] = '\0';
-
- /* get the length of the ticket */
- if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) !=
- sizeof(tkt_len))
- return(errno);
-
- /* sanity check */
- ticket->length = ntohl((unsigned long)tkt_len);
- if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) {
- if (options & KOPT_DO_MUTUAL) {
- rem = KFAILURE;
- goto mutual_fail;
- } else
- return(KFAILURE); /* XXX there may still be junk on the fd? */
- }
-
- /* read the ticket */
- if (krb_net_read(fd, (char *) ticket->dat, ticket->length)
- != ticket->length)
- return(errno);
-
- /*
- * now have the ticket. decrypt it to get the authenticated
- * data.
- */
- rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr,
- kdata,filename);
-
- if (old_vers) return(rem); /* XXX can't do mutual with old client */
-
- /* if we are doing mutual auth, compose a response */
- if (options & KOPT_DO_MUTUAL) {
- if (rem != KSUCCESS)
- /* the krb_rd_req failed */
- goto mutual_fail;
-
- /* add one to the (formerly) sealed checksum, and re-seal it
- for return to the client */
- cksum = kdata->checksum + 1;
- cksum = htonl(cksum);
-#ifndef NOENCRYPTION
- key_sched(kdata->session,schedule);
-#endif /* !NOENCRYPTION */
- priv_len = krb_mk_priv((unsigned char *)&cksum,
- tmp_buf,
- (unsigned long) sizeof(cksum),
- schedule,
- &kdata->session,
- laddr,
- faddr);
- if (priv_len < 0) {
- /* re-sealing failed; notify the client */
- rem = KFAILURE; /* XXX */
-mutual_fail:
- priv_len = -1;
- tkt_len = htonl((unsigned long) priv_len);
- /* a length of -1 is interpreted as an authentication
- failure by the client */
- if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
- != sizeof(tkt_len))
- return(cc);
- return(rem);
- } else {
- /* re-sealing succeeded, send the private message */
- tkt_len = htonl((unsigned long)priv_len);
- if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
- != sizeof(tkt_len))
- return(cc);
- if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len))
- != (int) priv_len)
- return(cc);
- }
- }
- return(rem);
-}
-#endif
-#endif
-
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
-#include "port-sockets.h"
-
-int
-accept_a_connection (int debug_port, struct sockaddr *from,
- socklen_t *fromlenp)
-{
- int n, s, fd, s4 = -1, s6 = -1, on = 1;
- fd_set sockets;
-
- FD_ZERO(&sockets);
-
-#ifdef KRB5_USE_INET6
- {
- struct sockaddr_in6 sock_in6;
-
- if ((s = socket(AF_INET6, SOCK_STREAM, PF_UNSPEC)) < 0) {
- if ((errno == EPROTONOSUPPORT) || (errno == EAFNOSUPPORT))
- goto skip_ipv6;
- fprintf(stderr, "Error in socket(INET6): %s\n", strerror(errno));
- exit(2);
- }
-
- memset((char *) &sock_in6, 0,sizeof(sock_in6));
- sock_in6.sin6_family = AF_INET6;
- sock_in6.sin6_port = htons(debug_port);
- sock_in6.sin6_addr = in6addr_any;
-
- (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
- (char *)&on, sizeof(on));
-
- if ((bind(s, (struct sockaddr *) &sock_in6, sizeof(sock_in6))) < 0) {
- fprintf(stderr, "Error in bind(INET6): %s\n", strerror(errno));
- exit(2);
- }
-
- if ((listen(s, 5)) < 0) {
- fprintf(stderr, "Error in listen(INET6): %s\n", strerror(errno));
- exit(2);
- }
- s6 = s;
- FD_SET(s, &sockets);
- skip_ipv6:
- ;
- }
-#endif
-
- {
- struct sockaddr_in sock_in;
-
- if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) {
- fprintf(stderr, "Error in socket: %s\n", strerror(errno));
- exit(2);
- }
-
- memset((char *) &sock_in, 0,sizeof(sock_in));
- sock_in.sin_family = AF_INET;
- sock_in.sin_port = htons(debug_port);
- sock_in.sin_addr.s_addr = INADDR_ANY;
-
- (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
- (char *)&on, sizeof(on));
-
- if ((bind(s, (struct sockaddr *) &sock_in, sizeof(sock_in))) < 0) {
- if (s6 >= 0 && errno == EADDRINUSE)
- goto try_ipv6_only;
- fprintf(stderr, "Error in bind: %s\n", strerror(errno));
- exit(2);
- }
-
- if ((listen(s, 5)) < 0) {
- fprintf(stderr, "Error in listen: %s\n", strerror(errno));
- exit(2);
- }
- s4 = s;
- FD_SET(s, &sockets);
- try_ipv6_only:
- ;
- }
- if (s4 == -1 && s6 == -1) {
- fprintf(stderr, "No valid sockets established, exiting\n");
- exit(2);
- }
- n = select(((s4 < s6) ? s6 : s4) + 1, &sockets, 0, 0, 0);
- if (n < 0) {
- fprintf(stderr, "select error: %s\n", strerror(errno));
- exit(2);
- } else if (n == 0) {
- fprintf(stderr, "internal error? select returns 0\n");
- exit(2);
- }
- if (s6 != -1 && FD_ISSET(s6, &sockets)) {
- if (s4 != -1)
- close(s4);
- s = s6;
- } else if (FD_ISSET(s4, &sockets)) {
- if (s6 != -1)
- close(s6);
- s = s4;
- } else {
- fprintf(stderr,
- "internal error? select returns positive, "
- "but neither fd available\n");
- exit(2);
- }
-
- if ((fd = accept(s, from, fromlenp)) < 0) {
- fprintf(stderr, "Error in accept: %s\n", strerror(errno));
- exit(2);
- }
-
- close(s);
- return fd;
-}
Modified: branches/mkey_migrate/src/appl/bsd/configure.in
===================================================================
--- branches/mkey_migrate/src/appl/bsd/configure.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/configure.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -42,30 +42,15 @@
;;
esac
dnl
-dnl krshd does not use krb524...
-dnl
KRSHDLIBS="$LOGINLIBS"
-dnl
-if test "$with_krb4" = "" || test "$with_krb4" = no; then
- AC_MSG_RESULT(no krb4 support)
- V4RCP=
- V4RCPO=
-else
- AC_MSG_RESULT(Adding in krb4 rcp support)
- V4RCP=v4rcp
- V4RCPO=v4rcp.o
-fi
dnl
-dnl
AC_SUBST(KRSHDLIBS)
AC_SUBST(LOGINLIBS)
-AC_SUBST(V4RCP)
-AC_SUBST(V4RCPO)
dnl
AC_FUNC_VFORK
AC_TYPE_MODE_T
AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af)
-AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h arpa/nameser.h)
+AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h sys/ioctl_compat.h paths.h arpa/nameser.h)
AC_HEADER_STDARG
AC_REPLACE_FUNCS(getdtablesize)
dnl
@@ -168,17 +153,7 @@
dnl
dnl
AC_C_CONST
-if test "$krb5_cv_build_krb4_libs" = yes; then
- AC_DEFINE(HAVE_KRB_GET_ERR_TEXT)
- AC_DEFINE(HAVE_KRB_SAVE_CREDENTIALS)
-else
- oldlibs=$LIBS
- LIBS=" $KRB4_LIB -lkrb5 -lcrypto -lcom_err"
- AC_CHECK_FUNCS(krb_get_err_text krb_save_credentials)
- LIBS=$oldlibs
-fi
-AC_CHECK_HEADERS(krb4-proto.h)
KRB5_AC_LIBUTIL
KRB5_BUILD_PROGRAM
V5_AC_OUTPUT_MAKEFILE
Modified: branches/mkey_migrate/src/appl/bsd/defines.h
===================================================================
--- branches/mkey_migrate/src/appl/bsd/defines.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/defines.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,18 +44,6 @@
extern void rcmd_stream_init_normal(void);
-#if defined(KRB5_KRB4_COMPAT) && !defined(SKIP_V4_PROTO)
-extern void rcmd_stream_init_krb4(C_Block, int, int, int);
-
-extern int k4cmd(int *sock, char **ahost, unsigned int rport,
- char *locuser,
- char *remuser, char *cmd, int *fd2p, KTEXT ticket,
- char *service, char *realm, CREDENTIALS *cred,
- Key_schedule schedule, MSG_DAT *msg_data,
- struct sockaddr_in *laddr, struct sockaddr_in *faddr,
- long authopts, int anyport);
-#endif
-
#ifndef HAVE_STRSAVE
extern char *strsave(const char *sp);
#endif
@@ -95,6 +83,3 @@
#endif
#include "port-sockets.h"
-
-int accept_a_connection (int debug_port, struct sockaddr *from,
- socklen_t *fromlenp);
Copied: branches/mkey_migrate/src/appl/bsd/deps (from rev 21721, trunk/src/appl/bsd/deps)
Modified: branches/mkey_migrate/src/appl/bsd/forward.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/forward.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/forward.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,7 +27,6 @@
#include "k5-int.h"
-#define SKIP_V4_PROTO /* To skip the krb4 prototypes */
#include "defines.h"
/* Decode, decrypt and store the forwarded creds in the local ccache. */
@@ -54,7 +53,7 @@
* the rlogind or rshd. Set the environment variable as well.
*/
- sprintf(ccname, "FILE:/tmp/krb5cc_p%ld", (long) getpid());
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_p%ld", (long) getpid());
setenv("KRB5CCNAME", ccname, 1);
retval = krb5_cc_resolve(context, ccname, ccache);
Modified: branches/mkey_migrate/src/appl/bsd/kcmd.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/kcmd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/kcmd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -90,16 +90,10 @@
#include <errno.h>
#include "k5-int.h"
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
#include "defines.h"
extern krb5_context bsd_context;
-#ifdef KRB5_KRB4_COMPAT
-extern Key_schedule v4_schedule;
-#endif
#define START_PORT 5120 /* arbitrary */
@@ -140,27 +134,8 @@
static int twrite(int, char *, size_t, int);
static int v5_des_read(int, char *, size_t, int),
v5_des_write(int, char *, size_t, int);
-#ifdef KRB5_KRB4_COMPAT
-static int v4_des_read(int, char *, size_t, int),
- v4_des_write(int, char *, size_t, int);
-static C_Block v4_session;
-static int right_justify;
-#endif
static int do_lencheck;
-#ifdef KRB5_KRB4_COMPAT
-extern int
-krb_sendauth(long options, int fd, KTEXT ticket,
- char *service, char *inst, char *realm,
- unsigned KRB4_32 checksum,
- MSG_DAT *msg_data,
- CREDENTIALS *cred,
- Key_schedule schedule,
- struct sockaddr_in *laddr,
- struct sockaddr_in *faddr,
- char *version);
-#endif
-
#ifdef POSIX_SIGNALS
typedef sigset_t masktype;
#else
@@ -205,7 +180,7 @@
fprintf(stderr, "can't connect to %s port 0\n", hname);
return -1;
}
- sprintf(rport_buf, "%d", ntohs(rport));
+ snprintf(rport_buf, sizeof(rport_buf), "%d", ntohs(rport));
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
aihints.ai_flags = AI_CANONNAME;
@@ -334,7 +309,7 @@
FD_SET(s, &xfds);
listen(s2, 1);
FD_SET(s2, &rfds);
- (void) sprintf(num, "%d", *lportp);
+ (void) snprintf(num, sizeof(num), "%d", *lportp);
slen = strlen(num)+1;
if (write(s, num, slen) != slen) {
perror("write: setting up stderr");
@@ -424,13 +399,10 @@
enum kcmd_proto protonum = *protonump;
int addrfamily = /* AF_INET */0;
- if ((cksumbuf = malloc(strlen(cmd)+strlen(remuser)+64)) == 0 ) {
+ if (asprintf(&cksumbuf, "%u:%s%s", ntohs(rport), cmd, remuser) < 0) {
fprintf(stderr, "Unable to allocate memory for checksum buffer.\n");
return(-1);
}
- sprintf(cksumbuf, "%u:", ntohs(rport));
- strcat(cksumbuf, cmd);
- strcat(cksumbuf, remuser);
cksumdat.data = cksumbuf;
cksumdat.length = strlen(cksumbuf);
@@ -634,133 +606,6 @@
}
-
-#ifdef KRB5_KRB4_COMPAT
-int
-k4cmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, ticket, service, realm,
- cred, schedule, msg_data, laddr, faddr, authopts, anyport)
- int *sock;
- char **ahost;
- unsigned int rport;
- char *locuser, *remuser, *cmd;
- int *fd2p;
- KTEXT ticket;
- char *service;
- char *realm;
- CREDENTIALS *cred;
- Key_schedule schedule;
- MSG_DAT *msg_data;
- struct sockaddr_in *laddr, *faddr;
- long authopts;
- int anyport;
-{
- int s;
- masktype oldmask;
- struct sockaddr_in sockin, from;
- char c;
- int lport = START_PORT;
- int rc;
- char *host_save;
- int status;
- int addrfamily = AF_INET;
-
- block_urgent(&oldmask);
- if (kcmd_connect (&s, &addrfamily, &sockin, *ahost, &host_save, rport, &lport, laddr) == -1) {
- restore_sigs(&oldmask);
- return -1;
- }
- *ahost = host_save;
- /* If realm is null, look up from table */
- if ((realm == NULL) || (realm[0] == '\0')) {
- realm = krb_realmofhost(host_save);
- }
- lport--;
- status = setup_secondary_channel(s, fd2p, &lport, &addrfamily, &from,
- anyport);
- if (status)
- goto bad;
-
- /* set up the needed stuff for mutual auth */
- *faddr = sockin;
-
- status = krb_sendauth(authopts, s, ticket, service, *ahost,
- realm, (unsigned long) getpid(), msg_data,
- cred, schedule, laddr, faddr, "KCMDV0.1");
- if (status != KSUCCESS) {
- fprintf(stderr, "krb_sendauth failed: %s\n", krb_get_err_text(status));
- status = -1;
- goto bad2;
- }
- (void) write(s, remuser, strlen(remuser)+1);
- (void) write(s, cmd, strlen(cmd)+1);
-
-reread:
- if ((rc=read(s, &c, 1)) != 1) {
- if (rc==-1) {
- perror(*ahost);
- } else {
- fprintf(stderr,"rcmd: bad connection with remote host\n");
- }
- status = -1;
- goto bad2;
- }
- if (c != 0) {
- /* If rlogind was compiled on SunOS4, and it somehow
- got the shared library version numbers wrong, it
- may give an ld.so warning about an old version of a
- shared library. Just ignore any such warning.
- Note that the warning is a characteristic of the
- server; we may not ourselves be running under
- SunOS4. */
- if (c == 'l') {
- char *check = "d.so: warning:";
- char *p;
- char cc;
-
- p = check;
- while (read(s, &c, 1) == 1) {
- if (*p == '\0') {
- if (c == '\n')
- break;
- } else {
- if (c != *p)
- break;
- ++p;
- }
- }
-
- if (*p == '\0')
- goto reread;
-
- cc = 'l';
- (void) write(2, &cc, 1);
- if (p != check)
- (void) write(2, check, (unsigned) (p - check));
- }
-
- (void) write(2, &c, 1);
- while (read(s, &c, 1) == 1) {
- (void) write(2, &c, 1);
- if (c == '\n')
- break;
- }
- status = -1;
- goto bad2;
- }
- restore_sigs(&oldmask);
- *sock = s;
- return (KSUCCESS);
- bad2:
- if (lport)
- (void) close(*fd2p);
- bad:
- (void) close(s);
- restore_sigs(&oldmask);
- return (status);
-}
-#endif /* KRB5_KRB4_COMPAT */
-
-
static int
setup_socket (struct sockaddr *sa, GETSOCKNAME_ARG3_TYPE len)
{
@@ -940,25 +785,6 @@
abort();
}
-#ifdef KRB5_KRB4_COMPAT
-void rcmd_stream_init_krb4(session, encrypt_flag, lencheck, justify)
- C_Block session;
- int encrypt_flag;
- int lencheck;
- int justify;
-{
- if (!encrypt_flag) {
- rcmd_stream_init_normal();
- return;
- }
- do_lencheck = lencheck;
- right_justify = justify;
- input = v4_des_read;
- output = v4_des_write;
- memcpy(v4_session, session, sizeof(v4_session));
-}
-#endif
-
int rcmd_stream_read(fd, buf, len, sec)
int fd;
register char *buf;
@@ -1014,7 +840,6 @@
nstored = 0;
}
- /* See the comment in v4_des_read. */
while (1) {
cc = krb5_net_read(bsd_context, fd, &c, 1);
/* we should check for non-blocking here, but we'd have
@@ -1153,162 +978,6 @@
}
-
-#ifdef KRB5_KRB4_COMPAT
-
-static int
-v4_des_read(fd, buf, len, secondary)
-int fd;
-char *buf;
-size_t len;
-int secondary;
-{
- int nreturned = 0;
- krb5_ui_4 net_len, rd_len;
- int cc;
- unsigned char c;
-
- if (nstored >= len) {
- memcpy(buf, store_ptr, len);
- store_ptr += len;
- nstored -= len;
- return(len);
- } else if (nstored) {
- memcpy(buf, store_ptr, nstored);
- nreturned += nstored;
- buf += nstored;
- len -= nstored;
- nstored = 0;
- }
-
- /* We're fetching the length which is MSB first, and the MSB
- has to be zero unless the client is sending more than 2^24
- (16M) bytes in a single write (which is why this code is used
- in rlogin but not rcp or rsh.) The only reasons we'd get
- something other than zero are:
- -- corruption of the tcp stream (which will show up when
- everything else is out of sync too)
- -- un-caught Berkeley-style "pseudo out-of-band data" which
- happens any time the user hits ^C twice.
- The latter is *very* common, as shown by an 'rlogin -x -d'
- using the CNS V4 rlogin. Mark EIchin 1/95
- */
- while (1) {
- cc = krb_net_read(fd, &c, 1);
- if (cc <= 0) return cc; /* read error */
- if (cc == 1) {
- if (c == 0 || !do_lencheck) break;
- }
- }
-
- net_len = c;
- if ((cc = krb_net_read(fd, &c, 1)) != 1) return 0;
- net_len = (net_len << 8) | c;
- if ((cc = krb_net_read(fd, &c, 1)) != 1) return 0;
- net_len = (net_len << 8) | c;
- if ((cc = krb_net_read(fd, &c, 1)) != 1) return 0;
- net_len = (net_len << 8) | c;
-
- /* Note: net_len is unsigned */
- if (net_len > sizeof(des_inbuf)) {
- errno = EIO;
- return(-1);
- }
- /* the writer tells us how much real data we are getting, but
- we need to read the pad bytes (8-byte boundary) */
- rd_len = roundup(net_len, 8);
- if ((cc = krb_net_read(fd, des_inbuf, rd_len)) != rd_len) {
- errno = EIO;
- return(-1);
- }
- (void) pcbc_encrypt((des_cblock *) des_inbuf,
- (des_cblock *) storage,
- (int) ((net_len < 8) ? 8 : net_len),
- v4_schedule,
- &v4_session,
- DECRYPT);
- /*
- * when the cleartext block is < 8 bytes, it is "right-justified"
- * in the block, so we need to adjust the pointer to the data
- */
- if (net_len < 8 && right_justify)
- store_ptr = storage + 8 - net_len;
- else
- store_ptr = storage;
- nstored = net_len;
- if (nstored > len) {
- memcpy(buf, store_ptr, len);
- nreturned += len;
- store_ptr += len;
- nstored -= len;
- } else {
- memcpy(buf, store_ptr, nstored);
- nreturned += nstored;
- nstored = 0;
- }
-
- return(nreturned);
-}
-
-static int
-v4_des_write(fd, buf, len, secondary)
-int fd;
-char *buf;
-size_t len;
-int secondary;
-{
- static char garbage_buf[8];
- unsigned char *len_buf = (unsigned char *) des_outpkt;
-
- /*
- * pcbc_encrypt outputs in 8-byte (64 bit) increments
- *
- * it zero-fills the cleartext to 8-byte padding,
- * so if we have cleartext of < 8 bytes, we want
- * to insert random garbage before it so that the ciphertext
- * differs for each transmission of the same cleartext.
- * if len < 8 - sizeof(long), sizeof(long) bytes of random
- * garbage should be sufficient; leave the rest as-is in the buffer.
- * if len > 8 - sizeof(long), just garbage fill the rest.
- */
-
-#ifdef min
-#undef min
-#endif
-#define min(a,b) ((a < b) ? a : b)
-
- if (len < 8) {
- if (right_justify) {
- krb5_random_confounder(8 - len, garbage_buf);
- /* this "right-justifies" the data in the buffer */
- (void) memcpy(garbage_buf + 8 - len, buf, len);
- } else {
- krb5_random_confounder(8 - len, garbage_buf + len);
- (void) memcpy(garbage_buf, buf, len);
- }
- }
- (void) pcbc_encrypt((des_cblock *) ((len < 8) ? garbage_buf : buf),
- (des_cblock *) (des_outpkt+4),
- (int) ((len < 8) ? 8 : len),
- v4_schedule,
- &v4_session,
- ENCRYPT);
-
- /* tell the other end the real amount, but send an 8-byte padded
- packet */
- len_buf[0] = (len & 0xff000000) >> 24;
- len_buf[1] = (len & 0xff0000) >> 16;
- len_buf[2] = (len & 0xff00) >> 8;
- len_buf[3] = (len & 0xff);
- if (write(fd, des_outpkt, roundup(len,8)+4) != roundup(len,8)+4) {
- errno = EIO;
- return(-1);
- }
- return(len);
-}
-
-#endif /* KRB5_KRB4_COMPAT */
-
#ifndef HAVE_STRSAVE
/* Strsave was a routine in the version 4 krb library: we put it here
for compatablilty with version 5 krb library, since kcmd.o is linked
@@ -1320,11 +989,10 @@
{
register char *ret;
- if((ret = (char *) malloc((unsigned) strlen(sp)+1)) == NULL) {
+ if((ret = strdup(sp)) == NULL) {
fprintf(stderr, "no memory for saving args\n");
exit(1);
}
- (void) strcpy(ret,sp);
return(ret);
}
#endif
Modified: branches/mkey_migrate/src/appl/bsd/klogind.M
===================================================================
--- branches/mkey_migrate/src/appl/bsd/klogind.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/klogind.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -10,7 +10,7 @@
.SH SYNOPSIS
.B klogind
[
-.B \-kr54cpPef
+.B \-rcpPef
]
[[ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP ]] ]
[ \fB\-D\fP \fIport\fP ]
@@ -40,38 +40,20 @@
Prompt for password if any checks fail and the \fI-p\fP option was supplied.
.PP
If the authentication succeeds, login the user by calling the accompanying
-login.krb5 or /bin/login, according to the definition of
-DO_NOT_USE_K_LOGIN.
+login.krb5.
+.PP
+klogind allows Kerberos V5 authentication with the \fI.k5login\fP
+access control file to be trusted. If this authorization check is
+passed, then the user is allowed to log in. If the user has no
+\fI.k5login\fP file, the login will be authorized if the results of
+krb5_aname_to_localname conversion matches the account name. Unless
+special rules are configured, this will be true if and only if the
+Kerberos principal of the connecting user is in the default local
+realm and the principal portion matches the account name.
.PP
The configuration of \fIklogind\fP is done
by command line arguments passed by inetd. The options are:
-.IP \fB\-5\fP 10
-Allow Kerberos V5 authentication with the \fI.k5login\fP access control
-file to be trusted. If this authentication system is used by the client
-and the authorization check is passed, then the user is allowed to log in.
-If the user has no \fI.k5login\fP file, the login will be authorized if
-the results of krb5_aname_to_localname conversion matches the account
-name. Unless special rules are configured, this will be true if and only
-if the Kerberos principal of the connecting user is in the default local
-realm and the principal portion matches the account name.
-.IP \fB\-4\fP
-Allow Kerberos V4 authentication with the \fI.klogin\fP access control
-file to be trusted. If this authentication system is used by the client
-and the authorization check is passed, then the user is allowed to log
-in.
-
-.IP \fB\-k\fP
-Allow Kerberos V5 and Kerberos V4 as acceptable authentication
-mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP.
-
-
-.IP \fB\-p\fP
- If all other authorization checks fail, prompt the user
-for a password If this option is not included, access is denied
-without successful authentication and authorization using one of the
-previous mechanisms.
-
.IP \fB\-P\fP
Prompt the user for a password.
If the -P option is passed, then the password is verified in addition
@@ -82,15 +64,13 @@
.IP \fB\-c\fP
Require Kerberos V5 clients to present a cryptographic checksum of
-initial connection information like the name of the user that the client
-is trying to access in the initial authenticator. This checksum
-provides additionl security by preventing an attacker from changing the
-initial connection information. To benefit from this security, only
-Kerberos V5 should be trusted; Kerberos V4 and rhosts authentication do
-not include this checksum. If this option is specified, older Kerberos
-V5 clients that do not send a checksum in the authenticator will not be
-able to authenticate to this server. This option is mutually exclusive
-with the \fB-i\fP option.
+initial connection information like the name of the user that the
+client is trying to access in the initial authenticator. This
+checksum provides additionl security by preventing an attacker from
+changing the initial connection information. If this option is
+specified, older Kerberos V5 clients that do not send a checksum in
+the authenticator will not be able to authenticate to this server.
+This option is mutually exclusive with the \fB-i\fP option.
If neither the \fB-c\fP or \fB-i\fP options are specified,then
checksums are validated if presented. Since it is difficult to remove
Modified: branches/mkey_migrate/src/appl/bsd/krcp.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/krcp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/krcp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -68,30 +68,18 @@
#include <k5-util.h>
#include <com_err.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
-
#include "defines.h"
#define RCP_BUFSIZ 4096
int sock;
-struct sockaddr_in local, foreign; /* set up by kcmd used by v4_send_auth */
char *krb_realm = NULL;
char *krb_cache = NULL;
char *krb_config = NULL;
krb5_encrypt_block eblock; /* eblock for encrypt/decrypt */
krb5_context bsd_context;
-#ifdef KRB5_KRB4_COMPAT
-Key_schedule v4_schedule;
-CREDENTIALS v4_cred;
-KTEXT_ST v4_ticket;
-MSG_DAT v4_msg_data;
-#endif
-
-void v4_send_auth(char *, char *), try_normal(char **);
+void try_normal(char **);
char **save_argv(int, char **);
#ifndef HAVE_STRSAVE
char *strsave();
@@ -146,7 +134,6 @@
char *targ, *host, *src;
char *suser, *tuser, *thost;
int i;
- unsigned int cmdsiz = 30;
char buf[RCP_BUFSIZ], cmdbuf[30];
char *cmd = cmdbuf;
struct servent *sp;
@@ -206,31 +193,28 @@
argc--, argv++;
if (argc == 0)
usage();
- if(!(krb_realm = (char *)malloc(strlen(*argv) + 1))){
+ if(!(krb_realm = strdup(*argv))){
fprintf(stderr, "rcp: Cannot malloc.\n");
exit(1);
}
- strcpy(krb_realm, *argv);
goto next_arg;
case 'c': /* Change default ccache file */
argc--, argv++;
if (argc == 0)
usage();
- if(!(krb_cache = (char *)malloc(strlen(*argv) + 1))){
+ if(!(krb_cache = strdup(*argv))){
fprintf(stderr, "rcp: Cannot malloc.\n");
exit(1);
}
- strcpy(krb_cache, *argv);
goto next_arg;
case 'C': /* Change default config file */
argc--, argv++;
if (argc == 0)
usage();
- if(!(krb_config = (char *)malloc(strlen(*argv) + 1))){
+ if(!(krb_config = strdup(*argv))){
fprintf(stderr, "rcp: Cannot malloc.\n");
exit(1);
}
- strcpy(krb_config, *argv);
goto next_arg;
case 'P':
if (!strcmp (*argv, "O"))
@@ -302,33 +286,25 @@
}
#ifdef KERBEROS
- if (krb_realm != NULL)
- cmdsiz += strlen(krb_realm);
- if (krb_cache != NULL)
- cmdsiz += strlen(krb_cache);
- if (krb_config != NULL)
- cmdsiz += strlen(krb_config);
+ if (asprintf(&cmd, "%srcp %s%s%s%s%s%s%s%s%s",
+ encryptflag ? "-x " : "",
- if ((cmd = (char *)malloc(cmdsiz)) == NULL) {
+ iamrecursive ? " -r" : "", pflag ? " -p" : "",
+ targetshouldbedirectory ? " -d" : "",
+ krb_realm != NULL ? " -k " : "",
+ krb_realm != NULL ? krb_realm : "",
+ krb_cache != NULL ? " -c " : "",
+ krb_cache != NULL ? krb_cache : "",
+ krb_config != NULL ? " -C " : "",
+ krb_config != NULL ? krb_config : "") < 0) {
fprintf(stderr, "rcp: Cannot malloc.\n");
exit(1);
}
- (void) sprintf(cmd, "%srcp %s%s%s%s%s%s%s%s%s",
- encryptflag ? "-x " : "",
- iamrecursive ? " -r" : "", pflag ? " -p" : "",
- targetshouldbedirectory ? " -d" : "",
- krb_realm != NULL ? " -k " : "",
- krb_realm != NULL ? krb_realm : "",
- krb_cache != NULL ? " -c " : "",
- krb_cache != NULL ? krb_cache : "",
- krb_config != NULL ? " -C " : "",
- krb_config != NULL ? krb_config : "");
-
#else /* !KERBEROS */
- (void) sprintf(cmd, "rcp%s%s%s",
- iamrecursive ? " -r" : "", pflag ? " -p" : "",
- targetshouldbedirectory ? " -d" : "");
+ (void) snprintf(cmd, sizeof(cmdbuf), "rcp%s%s%s",
+ iamrecursive ? " -r" : "", pflag ? " -p" : "",
+ targetshouldbedirectory ? " -d" : "");
#endif /* KERBEROS */
#ifdef POSIX_SIGNALS
@@ -392,22 +368,22 @@
suser = pwd->pw_name;
else if (!okname(suser))
continue;
- (void) sprintf(buf,
+ (void) snprintf(buf, sizeof(buf),
#if defined(hpux) || defined(__hpux)
- "remsh %s -l %s -n %s %s '%s%s%s:%s'",
+ "remsh %s -l %s -n %s %s '%s%s%s:%s'",
#else
- "rsh %s -l %s -n %s %s '%s%s%s:%s'",
+ "rsh %s -l %s -n %s %s '%s%s%s:%s'",
#endif
- host, suser, cmd, src,
- tuser ? tuser : "",
- tuser ? "@" : "",
+ host, suser, cmd, src,
+ tuser ? tuser : "",
+ tuser ? "@" : "",
thost, targ);
} else
- (void) sprintf(buf,
+ (void) snprintf(buf, sizeof(buf),
#if defined(hpux) || defined(__hpux)
- "remsh %s -n %s %s '%s%s%s:%s'",
+ "remsh %s -n %s %s '%s%s%s:%s'",
#else
- "rsh %s -n %s %s '%s%s%s:%s'",
+ "rsh %s -n %s %s '%s%s%s:%s'",
#endif
argv[i], cmd, src,
tuser ? tuser : "",
@@ -417,8 +393,8 @@
} else { /* local to remote */
krb5_creds *cred;
if (rem == -1) {
- (void) sprintf(buf, "%s -t %s",
- cmd, targ);
+ (void) snprintf(buf, sizeof(buf), "%s -t %s",
+ cmd, targ);
host = thost;
#ifdef KERBEROS
authopts = AP_OPTS_MUTUAL_REQUIRED;
@@ -434,8 +410,8 @@
&cred,
0, /* No seq # */
0, /* No server seq # */
- &local,
- &foreign,
+ (struct sockaddr_in *) 0,
+ (struct sockaddr_in *) 0,
&auth_context, authopts,
0, /* Not any port # */
0,
@@ -444,25 +420,7 @@
if (kcmd_proto == KCMD_NEW_PROTOCOL)
/* Don't fall back to less safe methods. */
exit (1);
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Trying krb4 rcp...\n");
- if (strncmp(buf, "-x rcp", 6) == 0)
- memcpy(buf, "rcp -x", 6);
- status = k4cmd(&sock, &host, port,
- pwd->pw_name,
- tuser ? tuser : pwd->pw_name, buf,
- 0, &v4_ticket, "rcmd", krb_realm,
- NULL, NULL, NULL,
- &local, &foreign, 0L, 0);
- if (status)
- try_normal(orig_argv);
- if (encryptflag)
- v4_send_auth(host, krb_realm);
- rcmd_stream_init_krb4(v4_cred.session, encryptflag, 0,
- 0);
-#else
try_normal(orig_argv);
-#endif
}
else {
krb5_boolean similar;
@@ -528,10 +486,10 @@
}
}
if (src == 0) { /* local to local */
- (void) sprintf(buf, "/bin/cp%s%s %s %s",
- iamrecursive ? " -r" : "",
- pflag ? " -p" : "",
- argv[i], argv[argc - 1]);
+ (void) snprintf(buf, sizeof(buf), "/bin/cp%s%s %s %s",
+ iamrecursive ? " -r" : "",
+ pflag ? " -p" : "",
+ argv[i], argv[argc - 1]);
(void) susystem(buf);
} else { /* remote to local */
krb5_creds *cred;
@@ -550,7 +508,7 @@
host = argv[i];
suser = pwd->pw_name;
}
- (void) sprintf(buf, "%s -f %s", cmd, src);
+ (void) snprintf(buf, sizeof(buf), "%s -f %s", cmd, src);
#ifdef KERBEROS
authopts = AP_OPTS_MUTUAL_REQUIRED;
status = kcmd(&sock, &host,
@@ -564,7 +522,7 @@
0, /* No seq # */
0, /* No server seq # */
(struct sockaddr_in *) 0,
- &foreign,
+ (struct sockaddr_in *) 0,
&auth_context, authopts,
0, /* Not any port # */
0,
@@ -573,24 +531,7 @@
if (kcmd_proto == KCMD_NEW_PROTOCOL)
/* Don't fall back to less safe methods. */
exit (1);
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Trying krb4 rcp...\n");
- if (strncmp(buf, "-x rcp", 6) == 0)
- memcpy(buf, "rcp -x", 6);
- status = k4cmd(&sock, &host, port,
- pwd->pw_name, suser, buf,
- 0, &v4_ticket, "rcmd", krb_realm,
- NULL, NULL, NULL,
- &local, &foreign, 0L, 0);
- if (status)
- try_normal(orig_argv);
- if (encryptflag)
- v4_send_auth(host, krb_realm);
- rcmd_stream_init_krb4(v4_cred.session, encryptflag, 0,
- 0);
-#else
try_normal(orig_argv);
-#endif
} else {
krb5_keyblock *key = &cred->keyblock;
@@ -815,16 +756,16 @@
* Make it compatible with possible future
* versions expecting microseconds.
*/
- (void) sprintf(buf, "T%ld 0 %ld 0\n",
- stb.st_mtime, stb.st_atime);
+ (void) snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+ stb.st_mtime, stb.st_atime);
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
continue;
}
}
- (void) sprintf(buf, "C%04o %ld %s\n",
- (int) stb.st_mode&07777, (long ) stb.st_size, last);
+ (void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
+ (int) stb.st_mode&07777, (long ) stb.st_size, last);
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
@@ -884,16 +825,16 @@
else
last++;
if (pflag) {
- (void) sprintf(buf, "T%ld 0 %ld 0\n",
- statp->st_mtime, statp->st_atime);
+ (void) snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+ statp->st_mtime, statp->st_atime);
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
closedir(d);
return;
}
}
- (void) sprintf(buf, "D%04lo %d %s\n", (long) statp->st_mode&07777, 0,
- last);
+ (void) snprintf(buf, sizeof(buf), "D%04lo %d %s\n",
+ (long) statp->st_mode&07777, 0, last);
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
closedir(d);
@@ -908,7 +849,7 @@
error("%s/%s: Name too long.\n", name, dp->d_name);
continue;
}
- (void) sprintf(buf, "%s/%s", name, dp->d_name);
+ (void) snprintf(buf, sizeof(buf), "%s/%s", name, dp->d_name);
bufv[0] = buf;
source(1, bufv);
}
@@ -1095,8 +1036,8 @@
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
- (void) sprintf(nambuf, "%s%s%s", targ,
- *targ ? "/" : "", cp);
+ (void) snprintf(nambuf, sizeof(nambuf), "%s%s%s", targ,
+ *targ ? "/" : "", cp);
} else {
if (strlen(targ) + 1 >= sizeof (nambuf))
SCREWUP("target name too long");
@@ -1241,7 +1182,7 @@
errs++;
*cp++ = 1;
- (void) vsprintf(cp, fmt, ap);
+ (void) vsnprintf(cp, sizeof(buf) - (cp - buf), fmt, ap);
va_end(ap);
if (iamremote)
@@ -1418,34 +1359,4 @@
int nstored = 0;
char *store_ptr = storage;
-#ifdef KRB5_KRB4_COMPAT
-void
-v4_send_auth(host,realm)
-char *host;
-char *realm;
-{
- long authopts;
-
- if ((realm == NULL) || (realm[0] == '\0'))
- realm = krb_realmofhost(host);
- /* this needs to be sent again, because the
- rcp process needs the key. the rshd has
- grabbed the first one. */
- authopts = KOPT_DO_MUTUAL;
- if ((rem = krb_sendauth(authopts, sock, &v4_ticket,
- "rcmd", host,
- realm, (unsigned long) getpid(),
- &v4_msg_data,
- &v4_cred, v4_schedule,
- &local,
- &foreign,
- "KCMDV0.1")) != KSUCCESS) {
- fprintf(stderr,
- "krb_sendauth mutual fail: %s\n",
- krb_get_err_text(rem));
- exit(1);
- }
-}
-#endif /* KRB5_KRB4_COMPAT */
-
#endif /* KERBEROS */
Modified: branches/mkey_migrate/src/appl/bsd/krlogin.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/krlogin.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/krlogin.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -157,9 +157,6 @@
#ifdef KERBEROS
#include <krb5.h>
#include <com_err.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
#include "defines.h"
#define RLOGIN_BUFSIZ 5120
@@ -173,11 +170,6 @@
krb5_context bsd_context;
krb5_auth_context auth_context;
-#ifdef KRB5_KRB4_COMPAT
-Key_schedule v4_schedule;
-CREDENTIALS v4_cred;
-#endif
-
#ifndef UCB_RLOGIN
#define UCB_RLOGIN "/usr/ucb/rlogin"
#endif
@@ -381,12 +373,7 @@
int sock;
krb5_flags authopts;
krb5_error_code status;
-#ifdef KRB5_KRB4_COMPAT
- KTEXT_ST v4_ticket;
- MSG_DAT v4_msg_data;
- int v4only = 0;
#endif
-#endif
int port, debug_port = 0;
enum kcmd_proto kcmd_proto = KCMD_PROTOCOL_COMPAT_HACK;
@@ -483,11 +470,10 @@
"rlogin: -k flag must be followed with a realm name.\n");
exit (1);
}
- if(!(krb_realm = (char *)malloc(strlen(*argv) + 1))){
+ if(!(krb_realm = strdup(*argv))){
fprintf(stderr, "rlogin: Cannot malloc.\n");
exit(1);
}
- strcpy(krb_realm, *argv);
argv++, argc--;
goto another;
}
@@ -524,25 +510,11 @@
argv++, argc--;
goto another;
}
-#ifdef KRB5_KRB4_COMPAT
- if (argc > 0 && !strcmp(*argv, "-4")) {
- v4only++;
- argv++, argc--;
- goto another;
- }
-#endif /* krb4 */
#endif /* KERBEROS */
if (host == 0)
goto usage;
if (argc > 0)
goto usage;
-#ifdef KRB5_KRB4_COMPAT
- if (kcmd_proto != KCMD_PROTOCOL_COMPAT_HACK && v4only) {
- com_err (argv[0], 0,
- "-4 is incompatible with -PO/-PN");
- exit(1);
- }
-#endif
pwd = getpwuid(getuid());
if (pwd == 0) {
fprintf(stderr, "Who are you?\n");
@@ -600,7 +572,8 @@
if (ospeed >= 50)
/* On some systems, ospeed is the baud rate itself,
not a table index. */
- sprintf (term + strlen (term), "%d", ospeed);
+ snprintf (term + strlen (term),
+ sizeof(term) - strlen(term), "%d", ospeed);
else if (ospeed >= sizeof(speeds)/sizeof(char*))
/* Past end of table, but not high enough to
look like a real speed. */
@@ -661,10 +634,6 @@
if (Fflag)
authopts |= OPTS_FORWARDABLE_CREDS;
-#ifdef KRB5_KRB4_COMPAT
- if (v4only)
- goto try_v4;
-#endif
status = kcmd(&sock, &host, port,
null_local_username ? "" : pwd->pw_name,
name ? name : pwd->pw_name, term,
@@ -681,21 +650,7 @@
if (kcmd_proto == KCMD_NEW_PROTOCOL && encrypt_flag)
/* Don't fall back to something less secure. */
exit (1);
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Trying krb4 rlogin...\n");
- try_v4:
- status = k4cmd(&sock, &host, port,
- null_local_username ? "" : pwd->pw_name,
- name ? name : pwd->pw_name, term,
- 0, &v4_ticket, "rcmd", krb_realm,
- &v4_cred, v4_schedule, &v4_msg_data, &local, &foreign,
- (encrypt_flag) ? KOPT_DO_MUTUAL : 0L, 0);
- if (status)
- try_normal(orig_argv);
- rcmd_stream_init_krb4(v4_cred.session, encrypt_flag, 1, 1);
-#else
try_normal(orig_argv);
-#endif
} else {
krb5_keyblock *key = 0;
@@ -739,11 +694,7 @@
#ifdef KERBEROS
fprintf (stderr,
"usage: rlogin host [-option] [-option...] [-k realm ] [-t ttytype] [-l username]\n");
-#ifdef KRB5_KRB4_COMPAT
- fprintf (stderr, " where option is e, 7, 8, noflow, n, a, x, f, F, c, 4, PO, or PN\n");
-#else
fprintf (stderr, " where option is e, 7, 8, noflow, n, a, x, f, F, c, PO, or PN\n");
-#endif
#else /* !KERBEROS */
fprintf (stderr,
"usage: rlogin host [-option] [-option...] [-t ttytype] [-l username]\n");
@@ -762,7 +713,7 @@
if (!confirm) return (1); /* no confirm, just die */
if (gethostname (hostname, sizeof(hostname)-1) != 0)
- strcpy (hostname, "???");
+ strlcpy (hostname, "???", sizeof(hostname));
else
hostname[sizeof(hostname)-1] = '\0';
Modified: branches/mkey_migrate/src/appl/bsd/krlogind.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/krlogind.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/krlogind.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -75,9 +75,7 @@
* The configuration is done either by command-line arguments passed by
* inetd, or by the name of the daemon. If command-line arguments are
* present, they take priority. The options are:
- * -k means trust krb4 or krb5
-* -5 means trust krb5
-* -4 means trust krb4
+ * -k means trust krb5
* -p and -P means prompt for password.
* If the -P option is passed, then the password is verified in
* addition to all other checks. If -p is not passed with -k or -r,
@@ -97,9 +95,6 @@
* CRYPT - Define this if encryption is to be an option.
* DO_NOT_USE_K_LOGIN - Define this if you want to use /bin/login
* instead of the accompanying login.krb5.
- * KRB5_KRB4_COMPAT - Define this if v4 rlogin clients are also to be served.
- * ALWAYS_V5_KUSEROK - Define this if you want .k5login to be
- * checked even for v4 clients (instead of .klogin).
* LOG_ALL_LOGINS - Define this if you want to log all logins.
* LOG_OTHER_USERS - Define this if you want to log all principals
* that do not map onto the local user.
@@ -234,28 +229,15 @@
#ifdef KERBEROS
#include "k5-int.h"
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
#include <libpty.h>
#ifdef HAVE_UTMP_H
#include <utmp.h>
#include <k5-util.h>
#endif
-int auth_sys = 0; /* Which version of Kerberos used to authenticate */
-
-#define KRB5_RECVAUTH_V4 4
-#define KRB5_RECVAUTH_V5 5
-
int non_privileged = 0; /* set when connection is seen to be from */
/* a non-privileged port */
-#ifdef KRB5_KRB4_COMPAT
-AUTH_DAT *v4_kdata;
-Key_schedule v4_schedule;
-#endif
-
#include "com_err.h"
#include "defines.h"
@@ -268,7 +250,7 @@
krb5_keytab keytab = NULL;
-#define ARGSTR "k54ciepPD:S:M:L:fw:?"
+#define ARGSTR "k5ciepPD:S:M:L:fw:?"
#else /* !KERBEROS */
#define ARGSTR "rpPD:f?"
#endif /* KERBEROS */
@@ -334,18 +316,7 @@
krb5_sigtype cleanup(int);
krb5_error_code recvauth(int *);
-/* There are two authentication related masks:
- * auth_ok and auth_sent.
-* The auth_ok mask is the oring of authentication systems any one
-* of which can be used.
-* The auth_sent mask is the oring of one or more authentication/authorization
-* systems that succeeded. If the anding
-* of these two masks is true, then authorization is successful.
-*/
-#define AUTH_KRB4 (0x1)
-#define AUTH_KRB5 (0x2)
-int auth_ok = 0, auth_sent = 0;
-int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
+int do_encrypt = 0, passwd_req = 0;
int checksum_required = 0, checksum_ignored = 0;
int stripdomain = 1;
@@ -397,15 +368,9 @@
switch (ch) {
#ifdef KERBEROS
case 'k':
-#ifdef KRB5_KRB4_COMPAT
- auth_ok |= (AUTH_KRB5|AUTH_KRB4);
-#else
- auth_ok |= AUTH_KRB5;
-#endif /* KRB5_KRB4_COMPAT*/
break;
case '5':
- auth_ok |= AUTH_KRB5;
break;
case 'c':
checksum_required = 1;
@@ -414,11 +379,6 @@
checksum_ignored = 1;
break;
-#ifdef KRB5_KRB4_COMPAT
- case '4':
- auth_ok |= AUTH_KRB4;
- break;
-#endif
#ifdef CRYPT
case 'x': /* Use encryption. */
case 'X':
@@ -439,7 +399,6 @@
break;
#endif
case 'p':
- passwd_if_fail = 1; /* Passwd reqd if any check fails */
break;
case 'P': /* passwd is a must */
passwd_req = 1;
@@ -618,10 +577,6 @@
if (setsockopt(f, SOL_SOCKET, SO_KEEPALIVE,
(const char *) &on, sizeof (on)) < 0)
syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
- if (auth_ok == 0) {
- syslog(LOG_CRIT, "No authentication systems were enabled; all connections will be refused.");
- fatal(f, "All authentication systems disabled; connection refused.");
- }
if (checksum_required&&checksum_ignored) {
syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
@@ -858,7 +813,7 @@
/*
* Problems read failed ...
*/
- sprintf(buferror, "Cannot read slave pty %s ",line);
+ snprintf(buferror, sizeof(buferror), "Cannot read slave pty %s ",line);
fatalperror(p,buferror);
}
close(syncpipe[0]);
@@ -867,7 +822,8 @@
#if defined(KERBEROS)
if (do_encrypt) {
if (rcmd_stream_write(f, SECURE_MESSAGE, sizeof(SECURE_MESSAGE), 0) < 0){
- sprintf(buferror, "Cannot encrypt-write network.");
+ snprintf(buferror, sizeof(buferror),
+ "Cannot encrypt-write network.");
fatal(p,buferror);
}
}
@@ -900,7 +856,8 @@
/*
* Problems write failed ...
*/
- sprintf(buferror,"Cannot write slave pty %s ",line);
+ snprintf(buferror, sizeof(buferror), "Cannot write slave pty %s ",
+ line);
fatalperror(f,buferror);
}
@@ -1179,7 +1136,7 @@
#endif
buf[0] = '\01'; /* error indicator */
- (void) sprintf(buf + 1, "%s: %s.\r\n",progname, msg);
+ (void) snprintf(buf + 1, sizeof(buf) - 1, "%s: %s.\r\n", progname, msg);
if ((f == netf) && (pid > 0))
(void) rcmd_stream_write(f, buf, strlen(buf), 0);
else
@@ -1213,7 +1170,7 @@
{
char buf[512];
- (void) sprintf(buf, "%s: %s", msg, error_message(errno));
+ (void) snprintf(buf, sizeof(buf), "%s: %s", msg, error_message(errno));
fatal(f, buf);
}
@@ -1231,8 +1188,7 @@
exit(1);
}
- /* Check authentication. This can be either Kerberos V5, */
- /* Kerberos V4, or host-based. */
+ /* Check authentication. */
if ((status = recvauth(&valid_checksum))) {
if (ticket)
krb5_free_ticket(bsd_context, ticket);
@@ -1247,60 +1203,22 @@
/* OK we have authenticated this user - now check authorization. */
/* The Kerberos authenticated programs must use krb5_kuserok or kuserok*/
-#ifndef KRB5_KRB4_COMPAT
- if (auth_sys == KRB5_RECVAUTH_V4) {
- fatal(netf, "This server does not support Kerberos V4");
- }
-#endif
-
+ /* krb5_kuserok returns 1 if OK */
+ if (!client || !krb5_kuserok(bsd_context, client, lusername)) {
+ if (asprintf(&msg_fail,
+ "User %s is not authorized to login to account %s",
+ krusername, lusername) >= 0)
+ fatal(netf, msg_fail);
+ else
+ fatal(netf,
+ "User is not authorized to login to specified account");
+ }
-#if (defined(ALWAYS_V5_KUSEROK) || !defined(KRB5_KRB4_COMPAT))
- /* krb5_kuserok returns 1 if OK */
- if (client && krb5_kuserok(bsd_context, client, lusername))
- auth_sent |= ((auth_sys == KRB5_RECVAUTH_V4)?AUTH_KRB4:AUTH_KRB5);
-#else
- if (auth_sys == KRB5_RECVAUTH_V4) {
- /* kuserok returns 0 if OK */
- if (!kuserok(v4_kdata, lusername))
- auth_sent |= AUTH_KRB4;
- } else {
- /* krb5_kuserok returns 1 if OK */
- if (client && krb5_kuserok(bsd_context, client, lusername))
- auth_sent |= AUTH_KRB5;
- }
-#endif
-
-
-
if (checksum_required && !valid_checksum) {
- if (auth_sent & AUTH_KRB5) {
- syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
+ syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
- fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
- } else {
- syslog(LOG_WARNING,
- "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
- }
+ fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
}
- if (auth_ok&auth_sent) /* This should be bitwise.*/
- return;
-
- if (ticket)
- krb5_free_ticket(bsd_context, ticket);
-
- if (krusername)
- msg_fail = (char *)malloc(strlen(krusername) + strlen(lusername) + 80);
- if (!msg_fail)
- fatal(netf, "User is not authorized to login to specified account");
-
- if (auth_sent)
- sprintf(msg_fail, "Access denied because of improper credentials");
- else
- sprintf(msg_fail, "User %s is not authorized to login to account %s",
- krusername, lusername);
-
- fatal(netf, msg_fail);
- /* NOTREACHED */
}
#endif /* KERBEROS */
@@ -1334,10 +1252,10 @@
{
#ifdef KERBEROS
syslog(LOG_ERR,
- "usage: klogind [-ke45pPf] [-D port] [-w[ip|maxhostlen[,[no]striplocal]]] or [r/R][k/K][x/e][p/P]logind");
+ "usage: klogind [-ePf] [-D port] [-w[ip|maxhostlen[,[no]striplocal]]] or [r/R][k/K][x/e][p/P]logind");
#else
syslog(LOG_ERR,
- "usage: rlogind [-rpPf] [-D port] or [r/R][p/P]logind");
+ "usage: rlogind [-rPf] [-D port] or [r/R][p/P]logind");
#endif
}
@@ -1361,9 +1279,6 @@
struct sockaddr_storage peersin, laddr;
socklen_t len;
krb5_data inbuf;
-#ifdef KRB5_KRB4_COMPAT
- char v4_instance[INST_SZ]; /* V4 Instance */
-#endif
krb5_data version;
krb5_authenticator *authenticator;
krb5_rcache rcache;
@@ -1382,10 +1297,6 @@
exit(1);
}
-#ifdef KRB5_KRB4_COMPAT
- strcpy(v4_instance, "*");
-#endif
-
if ((status = krb5_auth_con_init(bsd_context, &auth_context)))
return status;
@@ -1414,38 +1325,15 @@
if (status) return status;
}
-#ifdef KRB5_KRB4_COMPAT
- status = krb5_compat_recvauth_version(bsd_context, &auth_context,
- &netf,
- NULL, /* Specify daemon principal */
- 0, /* no flags */
- keytab, /* normally NULL to use v5srvtab */
-
- do_encrypt ? KOPT_DO_MUTUAL : 0, /*v4_opts*/
- "rcmd", /* v4_service */
- v4_instance, /* v4_instance */
- ss2sin(&peersin), /* foriegn address */
- ss2sin(&laddr), /* our local address */
- "", /* use default srvtab */
-
- &ticket, /* return ticket */
- &auth_sys, /* which authentication system*/
- &v4_kdata, v4_schedule,
- &version);
-#else
- auth_sys = KRB5_RECVAUTH_V5;
status = krb5_recvauth_version(bsd_context, &auth_context, &netf,
NULL, 0, keytab, &ticket, &version);
-#endif
if (status) {
- if (auth_sys == KRB5_RECVAUTH_V5) {
- /*
- * clean up before exiting
- */
- getstr(netf, lusername, sizeof (lusername), "locuser");
- getstr(netf, term, sizeof(term), "Terminal type");
- getstr(netf, rusername, sizeof(rusername), "remuser");
- }
+ /*
+ * clean up before exiting
+ */
+ getstr(netf, lusername, sizeof (lusername), "locuser");
+ getstr(netf, term, sizeof(term), "Terminal type");
+ getstr(netf, rusername, sizeof(rusername), "remuser");
return status;
}
@@ -1453,41 +1341,29 @@
getstr(netf, term, sizeof(term), "Terminal type");
kcmd_proto = KCMD_UNKNOWN_PROTOCOL;
- if (auth_sys == KRB5_RECVAUTH_V5) {
- if (version.length != 9) {
- fatal (netf, "bad application version length");
- }
- if (!memcmp (version.data, "KCMDV0.1", 9))
- kcmd_proto = KCMD_OLD_PROTOCOL;
- else if (!memcmp (version.data, "KCMDV0.2", 9))
- kcmd_proto = KCMD_NEW_PROTOCOL;
+ if (version.length != 9) {
+ fatal (netf, "bad application version length");
}
-#ifdef KRB5_KRB4_COMPAT
- if (auth_sys == KRB5_RECVAUTH_V4)
- kcmd_proto = KCMD_V4_PROTOCOL;
-#endif
+ if (!memcmp (version.data, "KCMDV0.1", 9))
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ else if (!memcmp (version.data, "KCMDV0.2", 9))
+ kcmd_proto = KCMD_NEW_PROTOCOL;
- if ((auth_sys == KRB5_RECVAUTH_V5)
- && !(checksum_ignored
- && kcmd_proto == KCMD_OLD_PROTOCOL)) {
-
+ if (!(checksum_ignored && kcmd_proto == KCMD_OLD_PROTOCOL)) {
+
if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
&authenticator)))
return status;
-
+
if (authenticator->checksum) {
struct sockaddr_in adr;
socklen_t adr_length = sizeof(adr);
- char * chksumbuf = (char *) malloc(strlen(term)+strlen(lusername)+32);
+ char * chksumbuf = NULL;
if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0)
goto error_cleanup;
- if (chksumbuf == 0)
+ if (asprintf(&chksumbuf, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0)
goto error_cleanup;
- sprintf(chksumbuf,"%u:", ntohs(adr.sin_port));
- strcat(chksumbuf,term);
- strcat(chksumbuf,lusername);
-
status = krb5_verify_checksum(bsd_context,
authenticator->checksum->checksum_type,
authenticator->checksum,
@@ -1506,32 +1382,6 @@
krb5_free_authenticator(bsd_context, authenticator);
}
-
-#ifdef KRB5_KRB4_COMPAT
- if (auth_sys == KRB5_RECVAUTH_V4) {
-
- rcmd_stream_init_krb4(v4_kdata->session, do_encrypt, 1, 1);
-
- /* We do not really know the remote user's login name.
- * Assume it to be the same as the first component of the
- * principal's name.
- */
- strncpy(rusername, v4_kdata->pname, sizeof(rusername) - 1);
- rusername[sizeof(rusername) - 1] = '\0';
-
- status = krb5_425_conv_principal(bsd_context, v4_kdata->pname,
- v4_kdata->pinst, v4_kdata->prealm,
- &client);
- if (status) return status;
-
- status = krb5_unparse_name(bsd_context, client, &krusername);
-
- return status;
- }
-#endif
-
- /* Must be V5 */
-
if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client,
&client)))
return status;
Modified: branches/mkey_migrate/src/appl/bsd/krsh.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/krsh.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/krsh.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,17 +64,9 @@
#ifdef KERBEROS
#include <krb5.h>
#include <com_err.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
#include "defines.h"
#endif /* KERBEROS */
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-Key_schedule v4_schedule;
-#endif
-
/*
* rsh - remote shell
*/
@@ -96,11 +88,6 @@
krb5_context bsd_context;
krb5_creds *cred;
-#ifdef KRB5_KRB4_COMPAT
-Key_schedule v4_schedule;
-CREDENTIALS v4_cred;
-#endif
-
int encrypt_flag = 0;
char *krb_realm = (char *)0;
void try_normal(char **);
@@ -128,7 +115,7 @@
char **argv0;
{
int rem, pid = 0;
- char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
+ char *host=0, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
register int cc;
struct passwd *pwd;
fd_set readfrom, ready;
@@ -149,10 +136,6 @@
krb5_error_code status;
krb5_auth_context auth_context;
int fflag = 0, Fflag = 0;
-#ifdef KRB5_KRB4_COMPAT
- KTEXT_ST v4_ticket;
- MSG_DAT v4_msg_data;
-#endif
#endif /* KERBEROS */
int debug_port = 0;
enum kcmd_proto kcmd_proto = KCMD_PROTOCOL_COMPAT_HACK;
@@ -202,11 +185,10 @@
fprintf(stderr, "rsh(kerberos): -k flag must have a realm after it.\n");
exit (1);
}
- if(!(krb_realm = (char *)malloc(strlen(*argv) + 1))){
+ if(!(krb_realm = strdup(*argv))){
fprintf(stderr, "rsh(kerberos): Cannot malloc.\n");
exit(1);
}
- strcpy(krb_realm, *argv);
argv++, argc--;
goto another;
}
@@ -321,17 +303,14 @@
cc += strlen(*ap) + 1;
if (encrypt_flag)
cc += 3;
- cp = args = (char *) malloc((unsigned) cc);
- if (encrypt_flag) {
- strcpy(args, "-x ");
- cp += 3;
- }
+ args = (char *) malloc((unsigned) cc);
+ *args = '\0';
+ if (encrypt_flag)
+ strlcpy(args, "-x ", cc);
for (ap = argv; *ap; ap++) {
- (void) strcpy(cp, *ap);
- while (*cp)
- cp++;
+ (void) strlcat(args, *ap, cc);
if (ap[1])
- *cp++ = ' ';
+ strlcat(args, " ", cc);
}
if(debug_port == 0) {
@@ -387,26 +366,7 @@
ones. */
if (kcmd_proto == KCMD_NEW_PROTOCOL)
exit (1);
-#ifdef KRB5_KRB4_COMPAT
- /* No encrypted Kerberos 4 rsh. */
- if (encrypt_flag)
- exit(1);
-#ifdef HAVE_ISATTY
- if (isatty(fileno(stderr)))
- fprintf(stderr, "Trying krb4 rsh...\n");
-#endif
- status = k4cmd(&rem, &host, debug_port,
- pwd->pw_name,
- user ? user : pwd->pw_name, args,
- &rfd2, &v4_ticket, "rcmd", krb_realm,
- &v4_cred, v4_schedule, &v4_msg_data,
- &local, &foreign, 0L, 0);
- if (status)
- try_normal(argv0);
- rcmd_stream_init_krb4(v4_cred.session, encrypt_flag, 0, 1);
-#else
try_normal(argv0);
-#endif
} else {
krb5_keyblock *key = &cred->keyblock;
Modified: branches/mkey_migrate/src/appl/bsd/krshd.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/krshd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/krshd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,25 +39,14 @@
* This is the rshell daemon. The very basic protocol for checking
* authentication and authorization is:
* 1) Check authentication.
- * 2) Check authorization via the access-control files:
- * ~/.k5login (using krb5_kuserok) and/or
+ * 2) Check authorization via the access-control files:
+ * ~/.k5login (using krb5_kuserok)
* Execute command if configured authoriztion checks pass, else deny
* permission.
- *
- * The configuration is done either by command-line arguments passed by inetd,
- * or by the name of the daemon. If command-line arguments are present, they
- * take priority. The options are:
- * -k means trust krb4 or krb5
- * -5 means trust krb5
- * -4 means trust krb4 (using .klogin)
- *
*/
/* DEFINES:
* KERBEROS - Define this if application is to be kerberised.
- * KRB5_KRB4_COMPAT - Define this if v4 rlogin clients are also to be served.
- * ALWAYS_V5_KUSEROK - Define this if you want .k5login to be
- * checked even for v4 clients (instead of .klogin).
* LOG_ALL_LOGINS - Define this if you want to log all logins.
* LOG_OTHER_USERS - Define this if you want to log all principals that do
* not map onto the local user.
@@ -87,10 +76,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/param.h>
-#if !defined(KERBEROS) || !defined(KRB5_KRB4_COMPAT)
-/* Ultrix doesn't protect it vs multiple inclusion, and krb.h includes it */
#include <sys/socket.h>
-#endif
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/time.h>
@@ -122,10 +108,7 @@
#include <stdarg.h>
#include <signal.h>
-#if !defined(KERBEROS) || !defined(KRB5_KRB4_COMPAT)
-/* Ultrix doesn't protect it vs multiple inclusion, and krb.h includes it */
#include <netdb.h>
-#endif
#ifdef CRAY
#ifndef NO_UDB
@@ -159,11 +142,8 @@
#include "k5-int.h"
#include <com_err.h>
#include "loginpaths.h"
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-Key_schedule v4_schedule;
-#endif
#include <k5-util.h>
+#include <k5-platform.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
@@ -185,7 +165,7 @@
#define MAXDNAME 256 /*per the rfc*/
#endif
-#define ARGSTR "ek54ciD:S:M:AP:?L:w:"
+#define ARGSTR "ek5ciD:S:M:AP:?L:w:"
@@ -217,22 +197,13 @@
#endif /* KERBEROS */
+static int accept_a_connection (int debug_port, struct sockaddr *from,
+ socklen_t *fromlenp);
#ifndef HAVE_KILLPG
#define killpg(pid, sig) kill(-(pid), (sig))
#endif
-/* There are two authentication related masks:
- * auth_ok and auth_sent.
-* The auth_ok mask is the oring of authentication systems any one
-* of which can be used.
-* The auth_sent mask is the oring of one or more authentication/authorization
-* systems that succeeded. If the anding
-* of these two masks is true, then authorization is successful.
-*/
-#define AUTH_KRB4 (0x1)
-#define AUTH_KRB5 (0x2)
-int auth_ok = 0, auth_sent = 0;
int checksum_required = 0, checksum_ignored = 0;
char *progname;
@@ -320,15 +291,9 @@
switch (ch) {
#ifdef KERBEROS
case 'k':
-#ifdef KRB5_KRB4_COMPAT
- auth_ok |= (AUTH_KRB5|AUTH_KRB4);
-#else
- auth_ok |= AUTH_KRB5;
-#endif /* KRB5_KRB4_COMPAT*/
break;
case '5':
- auth_ok |= AUTH_KRB5;
break;
case 'c':
checksum_required = 1;
@@ -337,12 +302,6 @@
checksum_ignored = 1;
break;
-#ifdef KRB5_KRB4_COMPAT
- case '4':
- auth_ok |= AUTH_KRB4;
- break;
-#endif
-
case 'e':
require_encrypt = 1;
break;
@@ -537,16 +496,6 @@
krb5_principal client;
krb5_authenticator *kdata;
-#ifdef KRB5_KRB4_COMPAT
-AUTH_DAT *v4_kdata;
-KTEXT v4_ticket;
-#endif
-
-int auth_sys = 0; /* Which version of Kerberos used to authenticate */
-
-#define KRB5_RECVAUTH_V4 4
-#define KRB5_RECVAUTH_V5 5
-
static void
ignore_signals()
{
@@ -940,7 +889,7 @@
privileges. */
if (port) {
/* Place entry into wtmp */
- sprintf(ttyn,"krsh%ld",(long) (getpid() % 9999999));
+ snprintf(ttyn,sizeof(ttyn),"krsh%ld",(long) (getpid() % 9999999));
pty_logwtmp(ttyn,locuser,sane_host);
}
/* We are simply execing a program over rshd : log entry into wtmp,
@@ -1090,31 +1039,14 @@
}
#ifdef KERBEROS
-
-#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
- if (auth_sys == KRB5_RECVAUTH_V4) {
- /* kuserok returns 0 if OK */
- if (kuserok(v4_kdata, locuser)){
- syslog(LOG_ERR ,
- "Principal %s (%s@%s (%s)) for local user %s failed kuserok.\n",
- kremuser, remuser, hostaddra, hostname, locuser);
- }
- else auth_sent |= AUTH_KRB4;
- } else
-#endif
- {
- /* krb5_kuserok returns 1 if OK */
- if (!krb5_kuserok(bsd_context, client, locuser)){
- syslog(LOG_ERR ,
- "Principal %s (%s@%s (%s)) for local user %s failed krb5_kuserok.\n",
- kremuser, remuser, hostaddra, hostname, locuser);
- }
- else
- auth_sent |=
- ((auth_sys == KRB5_RECVAUTH_V4) ? AUTH_KRB4 : AUTH_KRB5);
- }
-
-
+ /* krb5_kuserok returns 1 if OK */
+ if (!krb5_kuserok(bsd_context, client, locuser)){
+ syslog(LOG_ERR ,
+ "Principal %s (%s@%s (%s)) for local user %s failed krb5_kuserok.\n",
+ kremuser, remuser, hostaddra, hostname, locuser);
+ error("Permission denied.\n");
+ goto signout_please;
+ }
#else
if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
ruserok(hostname[0] ? hostname : hostaddra,
@@ -1126,26 +1058,14 @@
if (checksum_required && !valid_checksum) {
- if (auth_sent & AUTH_KRB5) {
- syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
- error( "You are using an old Kerberos5 client without checksum support; only newer clients are authorized.\n");
- goto signout_please;
- } else {
- syslog(LOG_WARNING,
- "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
- }
+ syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
+ error( "You are using an old Kerberos5 client without checksum support; only newer clients are authorized.\n");
+ goto signout_please;
}
if (require_encrypt&&(!do_encrypt)) {
error("You must use encryption.\n");
goto signout_please;
}
- if (!(auth_ok&auth_sent)) {
- if (auth_sent)
- error("Another authentication mechanism must be used to access this host.\n");
- else
- error("Permission denied.\n");
- goto signout_please;
- }
if (pwd->pw_uid && !access(NOLOGIN, F_OK)) {
error("Logins currently disabled.\n");
@@ -1422,12 +1342,10 @@
strncat(homedir, pwd->pw_dir, sizeof(homedir)-6);
strncat(shell, pwd->pw_shell, sizeof(shell)-7);
strncat(username, pwd->pw_name, sizeof(username)-6);
- path = (char *) malloc(strlen(kprogdir) + strlen(path_rest) + 7);
- if (path == NULL) {
+ if (asprintf(&path, "PATH=%s:%s", kprogdir, path_rest) < 0) {
perror("malloc");
_exit(1);
}
- sprintf(path, "PATH=%s:%s", kprogdir, path_rest);
envinit[PATHENV] = path;
/* If we have KRB5CCNAME set, then copy into the
@@ -1436,10 +1354,8 @@
*/
if (getenv("KRB5CCNAME")) {
int i;
- char *buf2 = (char *)malloc(strlen(getenv("KRB5CCNAME"))
- +strlen("KRB5CCNAME=")+1);
- if (buf2) {
- sprintf(buf2, "KRB5CCNAME=%s",getenv("KRB5CCNAME"));
+ char *buf2;
+ if (asprintf(&buf2, "KRB5CCNAME=%s",getenv("KRB5CCNAME")) >= 0) {
for (i = 0; envinit[i]; i++);
envinit[i] = buf2;
@@ -1459,10 +1375,10 @@
NI_NUMERICHOST | NI_NUMERICSERV);
if (aierr)
goto skip_localaddr_env;
- sprintf(local_addr, "KRB5LOCALADDR=%s", hbuf);
+ snprintf(local_addr, sizeof(local_addr), "KRB5LOCALADDR=%s", hbuf);
envinit[i++] =local_addr;
- sprintf(local_port, "KRB5LOCALPORT=%s", sbuf);
+ snprintf(local_port, sizeof(local_port), "KRB5LOCALPORT=%s", sbuf);
envinit[i++] =local_port;
skip_localaddr_env:
@@ -1471,10 +1387,10 @@
NI_NUMERICHOST | NI_NUMERICSERV);
if (aierr)
goto skip_remoteaddr_env;
- sprintf(remote_addr, "KRB5REMOTEADDR=%s", hbuf);
+ snprintf(remote_addr, sizeof(remote_addr), "KRB5REMOTEADDR=%s", hbuf);
envinit[i++] =remote_addr;
- sprintf(remote_port, "KRB5REMOTEPORT=%s", sbuf);
+ snprintf(remote_port, sizeof(remote_port), "KRB5REMOTEPORT=%s", sbuf);
envinit[i++] =remote_port;
skip_remoteaddr_env:
@@ -1488,11 +1404,8 @@
char *buf2;
if(getenv(save_env[cnt])) {
- buf2 = (char *)malloc(strlen(getenv(save_env[cnt]))
- +strlen(save_env[cnt])+2);
- if (buf2) {
- sprintf(buf2, "%s=%s", save_env[cnt],
- getenv(save_env[cnt]));
+ if (asprintf(&buf2, "%s=%s", save_env[cnt],
+ getenv(save_env[cnt])) >= 0) {
for (i = 0; envinit[i]; i++);
envinit[i] = buf2;
}
@@ -1513,29 +1426,24 @@
struct stat s2;
int offst = 0;
- copy = malloc(strlen(cmdbuf) + 1);
+ copy = strdup(cmdbuf);
if (copy == NULL) {
perror("malloc");
_exit(1);
}
- strcpy(copy, cmdbuf);
if (do_encrypt && !strncmp(cmdbuf, "-x ", 3)) {
offst = 3;
}
- strcpy((char *) cmdbuf + offst, kprogdir);
+ strlcpy(cmdbuf + offst, kprogdir, sizeof(cmdbuf) - offst);
cp = copy + 3 + offst;
- cmdbuf[sizeof(cmdbuf) - 1] = '\0';
- if (auth_sys == KRB5_RECVAUTH_V4) {
- strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
- } else {
- strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
- }
+ strlcat(cmdbuf, "/rcp", sizeof(cmdbuf));
+
if (stat((char *)cmdbuf + offst, &s2) >= 0)
- strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+ strlcat(cmdbuf, cp, sizeof(cmdbuf));
else
- strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+ strlcpy(cmdbuf, copy, sizeof(cmdbuf));
free(copy);
}
#endif
@@ -1585,8 +1493,8 @@
#endif
*cp++ = 1;
- (void) sprintf(cp, "%s: ", progname);
- (void) vsprintf(buf+strlen(buf), fmt, ap);
+ (void) snprintf(cp, sizeof(buf) - (cp - buf), "%s: ", progname);
+ (void) vsnprintf(buf+strlen(buf), sizeof(buf) - strlen(buf), fmt, ap);
va_end(ap);
(void) write(2, buf, strlen(buf));
syslog(LOG_ERR ,"%s",buf+1);
@@ -1619,7 +1527,8 @@
register char *endc, *tdp = &tmpdir[strlen(tmpdir)];
register int i;
- sprintf(tdp, "%s/jtmp.%06d", JTMPDIR, jid);
+ snprintf(tdp, sizeof(tmpdir) - (tdp - tmpdir), "%s/jtmp.%06d",
+ JTMPDIR, jid);
endc = &tmpdir[strlen(tmpdir)];
endc[1] = '\0';
@@ -1778,7 +1687,7 @@
void usage()
{
#ifdef KERBEROS
- syslog(LOG_ERR, "usage: kshd [-54ecikK] ");
+ syslog(LOG_ERR, "usage: kshd [-eciK] ");
#else
syslog(LOG_ERR, "usage: rshd");
#endif
@@ -1805,9 +1714,6 @@
struct sockaddr_in laddr;
socklen_t len;
krb5_data inbuf;
-#ifdef KRB5_KRB4_COMPAT
- char v4_instance[INST_SZ]; /* V4 Instance */
-#endif
krb5_authenticator *authenticator;
krb5_ticket *ticket;
krb5_rcache rcache;
@@ -1829,10 +1735,6 @@
#define SIZEOF_INADDR sizeof(struct in_addr)
#endif
-#ifdef KRB5_KRB4_COMPAT
- strcpy(v4_instance, "*");
-#endif
-
status = krb5_auth_con_init(bsd_context, &auth_context);
if (status)
return status;
@@ -1862,66 +1764,25 @@
if (status) return status;
}
-#ifdef KRB5_KRB4_COMPAT
- status = krb5_compat_recvauth_version(bsd_context, &auth_context, &netfd,
- NULL, /* Specify daemon principal */
- 0, /* no flags */
- keytab, /* normally NULL to use v5srvtab */
- 0, /* v4_opts */
- "rcmd", /* v4_service */
- v4_instance, /* v4_instance */
- (struct sockaddr_in *)peersin, /* foreign address */
- &laddr, /* our local address */
- "", /* use default srvtab */
-
- &ticket, /* return ticket */
- &auth_sys, /* which authentication system*/
- &v4_kdata, 0, &version);
-#else
status = krb5_recvauth_version(bsd_context, &auth_context, &netfd,
NULL, /* daemon principal */
0, /* no flags */
keytab, /* normally NULL to use v5srvtab */
&ticket, /* return ticket */
&version); /* application version string */
- auth_sys = KRB5_RECVAUTH_V5;
-#endif
if (status) {
- if (auth_sys == KRB5_RECVAUTH_V5) {
- /*
- * clean up before exiting
- */
- getstr(netfd, locuser, sizeof(locuser), "locuser");
- getstr(netfd, cmdbuf, sizeof(cmdbuf), "command");
- getstr(netfd, remuser, sizeof(locuser), "remuser");
- }
+ /*
+ * clean up before exiting
+ */
+ getstr(netfd, locuser, sizeof(locuser), "locuser");
+ getstr(netfd, cmdbuf, sizeof(cmdbuf), "command");
+ getstr(netfd, remuser, sizeof(locuser), "remuser");
return status;
}
getstr(netfd, locuser, sizeof(locuser), "locuser");
getstr(netfd, cmdbuf, sizeof(cmdbuf), "command");
-#ifdef KRB5_KRB4_COMPAT
- if (auth_sys == KRB5_RECVAUTH_V4) {
- rcmd_stream_init_normal();
-
- /* We do not really know the remote user's login name.
- * Assume it to be the same as the first component of the
- * principal's name.
- */
- strcpy(remuser, v4_kdata->pname);
-
- status = krb5_425_conv_principal(bsd_context, v4_kdata->pname,
- v4_kdata->pinst, v4_kdata->prealm,
- &client);
- if (status) return status;
-
- status = krb5_unparse_name(bsd_context, client, &kremuser);
-
- return status;
- }
-#endif /* KRB5_KRB4_COMPAT */
-
/* Must be V5 */
kcmd_proto = KCMD_UNKNOWN_PROTOCOL;
@@ -1949,27 +1810,17 @@
struct sockaddr_storage adr;
unsigned int adr_length = sizeof(adr);
int e;
- unsigned int buflen = strlen(cmdbuf)+strlen(locuser)+32;
- char * chksumbuf = (char *) malloc(buflen);
+ char namebuf[32], *chksumbuf = NULL;
- if (chksumbuf == 0)
- goto error_cleanup;
if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0)
goto error_cleanup;
e = getnameinfo((struct sockaddr *)&adr, adr_length, 0, 0,
- chksumbuf, buflen, NI_NUMERICSERV);
- if (e) {
- free(chksumbuf);
+ namebuf, sizeof(namebuf), NI_NUMERICSERV);
+ if (e)
fatal(netfd, "local error: can't examine port number");
- }
- if (strlen(chksumbuf) > 30) {
- free(chksumbuf);
- fatal(netfd, "wacky local port number?!");
- }
- strcat(chksumbuf, ":");
- strcat(chksumbuf,cmdbuf);
- strcat(chksumbuf,locuser);
+ if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0)
+ goto error_cleanup;
status = krb5_verify_checksum(bsd_context,
authenticator->checksum->checksum_type,
@@ -2060,7 +1911,7 @@
#endif
buf[0] = '\01'; /* error indicator */
- (void) sprintf(buf + 1, "%s: %s.\r\n",progname, msg);
+ (void) snprintf(buf + 1, sizeof(buf) - 1, "%s: %s.\r\n",progname, msg);
if ((f == netf) && (pid > 0))
(void) rcmd_stream_write(f, buf, strlen(buf), 0);
else
@@ -2078,3 +1929,115 @@
}
exit(1);
}
+
+static int
+accept_a_connection (int debug_port, struct sockaddr *from,
+ socklen_t *fromlenp)
+{
+ int n, s, fd, s4 = -1, s6 = -1, on = 1;
+ fd_set sockets;
+
+ FD_ZERO(&sockets);
+
+#ifdef KRB5_USE_INET6
+ {
+ struct sockaddr_in6 sock_in6;
+
+ if ((s = socket(AF_INET6, SOCK_STREAM, PF_UNSPEC)) < 0) {
+ if ((errno == EPROTONOSUPPORT) || (errno == EAFNOSUPPORT))
+ goto skip_ipv6;
+ fprintf(stderr, "Error in socket(INET6): %s\n", strerror(errno));
+ exit(2);
+ }
+
+ memset((char *) &sock_in6, 0,sizeof(sock_in6));
+ sock_in6.sin6_family = AF_INET6;
+ sock_in6.sin6_port = htons(debug_port);
+ sock_in6.sin6_addr = in6addr_any;
+
+ (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+ (char *)&on, sizeof(on));
+
+ if ((bind(s, (struct sockaddr *) &sock_in6, sizeof(sock_in6))) < 0) {
+ fprintf(stderr, "Error in bind(INET6): %s\n", strerror(errno));
+ exit(2);
+ }
+
+ if ((listen(s, 5)) < 0) {
+ fprintf(stderr, "Error in listen(INET6): %s\n", strerror(errno));
+ exit(2);
+ }
+ s6 = s;
+ FD_SET(s, &sockets);
+ skip_ipv6:
+ ;
+ }
+#endif
+
+ {
+ struct sockaddr_in sock_in;
+
+ if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) {
+ fprintf(stderr, "Error in socket: %s\n", strerror(errno));
+ exit(2);
+ }
+
+ memset((char *) &sock_in, 0,sizeof(sock_in));
+ sock_in.sin_family = AF_INET;
+ sock_in.sin_port = htons(debug_port);
+ sock_in.sin_addr.s_addr = INADDR_ANY;
+
+ (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+ (char *)&on, sizeof(on));
+
+ if ((bind(s, (struct sockaddr *) &sock_in, sizeof(sock_in))) < 0) {
+ if (s6 >= 0 && errno == EADDRINUSE)
+ goto try_ipv6_only;
+ fprintf(stderr, "Error in bind: %s\n", strerror(errno));
+ exit(2);
+ }
+
+ if ((listen(s, 5)) < 0) {
+ fprintf(stderr, "Error in listen: %s\n", strerror(errno));
+ exit(2);
+ }
+ s4 = s;
+ FD_SET(s, &sockets);
+ try_ipv6_only:
+ ;
+ }
+ if (s4 == -1 && s6 == -1) {
+ fprintf(stderr, "No valid sockets established, exiting\n");
+ exit(2);
+ }
+ n = select(((s4 < s6) ? s6 : s4) + 1, &sockets, 0, 0, 0);
+ if (n < 0) {
+ fprintf(stderr, "select error: %s\n", strerror(errno));
+ exit(2);
+ } else if (n == 0) {
+ fprintf(stderr, "internal error? select returns 0\n");
+ exit(2);
+ }
+ if (s6 != -1 && FD_ISSET(s6, &sockets)) {
+ if (s4 != -1)
+ close(s4);
+ s = s6;
+ } else if (FD_ISSET(s4, &sockets)) {
+ if (s6 != -1)
+ close(s6);
+ s = s4;
+ } else {
+ fprintf(stderr,
+ "internal error? select returns positive, "
+ "but neither fd available\n");
+ exit(2);
+ }
+
+ if ((fd = accept(s, from, fromlenp)) < 0) {
+ fprintf(stderr, "Error in accept: %s\n", strerror(errno));
+ exit(2);
+ }
+
+ close(s);
+ return fd;
+}
Modified: branches/mkey_migrate/src/appl/bsd/login.M
===================================================================
--- branches/mkey_migrate/src/appl/bsd/login.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/login.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -19,8 +19,8 @@
will prompt for a username, or take one on the command line, as
.I login.krb5 username
and will then prompt for a password. This password will be used to
-acquire Kerberos Version 5 tickets and Kerberos Version 4 tickets (if
-possible.) It will also attempt to run
+acquire Kerberos Version 5 tickets (if possible.) It will also attempt
+to run
.I aklog
to get \fIAFS\fP tokens for the user. The version 5 tickets will be
tested against a local
@@ -40,12 +40,6 @@
\fB\-h\fP \fIhostname\fP
pass hostname to telnetd, etc. Must be the last argument.
.TP
-\fB\-k\fP \fIhostname\fP
-Use Kerberos V4 to login. Must be the last argument.
-.TP
-\fB\-K\fP \fIhostname\fP
-Use Kerberos V4 to login. Must be the last argument.
-.TP
\fB\-f\fP \fIname\fP
Perform pre-authenticated login, e.g., datakit, xterm, etc.;
allows preauthenticated login as root.
@@ -66,17 +60,6 @@
provided:
.IP krb5_get_tickets
Use password to get V5 tickets. Default value true.
-.IP krb4_get_tickets
-Use password to get V4 tickets. Default value false.
-.IP krb4_convert
-Use Kerberos conversion daemon to get V4 tickets. Default value
-false. If false, and krb4_get_tickets is true, then login will get
-the V5 tickets directly using the Kerberos V4 protocol directly.
-This does not currently work with non MIT-V4 salt types
-(such as the AFS3 salt type.) Note that if configuration parameter
-is true, and the krb524d is not running, login will hang for
-approximately a minute under Solaris,
-due to a Solaris socket emulation bug.
.IP krb_run_aklog
Attempt to run aklog. Default value false.
.IP aklog_path
@@ -92,6 +75,3 @@
.PP
.SH SEE ALSO
rlogind(8), rlogin(1), telnetd(8)
-.SH BUGS
-Should use a config file to select use of V5, V4, and AFS, as well as
-policy for startup.
Modified: branches/mkey_migrate/src/appl/bsd/login.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/login.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/login.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -32,10 +32,6 @@
# login stanza
krb5_get_tickets = 1
# use password to get v5 tickets
- krb4_get_tickets = 0
- # use password to get v4 tickets
- krb4_convert = 0
- # use kerberos conversion daemon to get v4 tickets
krb_run_aklog = 0
# attempt to run aklog
aklog_path = $(prefix)/bin/aklog
@@ -46,14 +42,8 @@
#define KRB5_GET_TICKETS
int login_krb5_get_tickets = 1;
-#ifdef KRB5_KRB4_COMPAT
-#define KRB4_GET_TICKETS
-int login_krb4_get_tickets = 0;
-#define KRB4_CONVERT
-int login_krb4_convert = 0;
#define KRB_RUN_AKLOG
int login_krb_run_aklog = 0;
-#endif /* KRB5_KRB4_COMPAT */
int login_accept_passwd = 0;
@@ -67,10 +57,6 @@
* allows preauthenticated login as root)
* login -e name (for pre-authenticated encrypted, must do term
* negotiation)
- * ifdef KRB4_KLOGIN
- * login -k hostname (for Kerberos V4 rlogind with password access)
- * login -K hostname (for Kerberos V4 rlogind with restricted access)
- * endif KRB4_KLOGIN
*
* only one of: -r -f -e -k -K -F
* only one of: -r -h -k -K
@@ -159,44 +145,6 @@
#include "osconf.h"
#endif /* KRB5_GET_TICKETS */
-#ifdef KRB4_KLOGIN
-/* support for running under v4 klogind, -k -K flags */
-#define KRB4
-#endif
-
-#if (defined(KRB4_GET_TICKETS) || defined(KRB4_CONVERT))
-/* support for prompting for v4 initial tickets */
-#define KRB4
-#endif
-
-#ifdef KRB4
-#include <krb.h>
-#include <netinet/in.h>
-#ifdef HAVE_KRB4_PROTO_H
-#include <krb4-proto.h>
-#endif
-#include <arpa/inet.h>
-#ifdef BIND_HACK
-#include <arpa/nameser.h>
-#include <arpa/resolv.h>
-#endif /* BIND_HACK */
-
-/* Hacks to maintain compatability with Athena libkrb*/
-#ifndef HAVE_KRB_SAVE_CREDENTIALS
-#define krb_save_credentials save_credentials
-#endif /*HAVE_KRB_SAVE_CREDENTIALS*/
-
-#ifndef HAVE_KRB_GET_ERR_TEXT
-
-static const char *krb_get_err_text(kerror)
- int kerror;
-{
- return krb_err_txt[kerror];
-}
-
-#endif /*HAVE_KRB_GET_ERR_TEXT*/
-#endif /* KRB4 */
-
#ifndef __STDC__
#ifndef volatile
#define volatile
@@ -302,13 +250,8 @@
-#ifdef KRB4
-#define KRB_ENVIRON "KRBTKFILE" /* Ticket file environment variable */
-#define KRB_TK_DIR "/tmp/tkt_" /* Where to put the ticket */
-#endif /* KRB4_GET_TICKETS */
-
-#if defined(KRB4_GET_TICKETS) || defined(KRB5_GET_TICKETS)
-#define MAXPWSIZE 128 /* Biggest string accepted for KRB4
+#ifdef KRB5_GET_TICKETS
+#define MAXPWSIZE 128 /* Biggest string accepted for KRB5
passsword */
#endif
@@ -353,12 +296,8 @@
} login_conf_set[] = {
#ifdef KRB5_GET_TICKETS
{"krb5_get_tickets", &login_krb5_get_tickets},
+ {"krb_run_aklog", &login_krb_run_aklog},
#endif
-#ifdef KRB5_KRB4_COMPAT
- {"krb4_get_tickets", &login_krb4_get_tickets},
- {"krb4_convert", &login_krb4_convert},
- {"krb4_run_aklog", &login_krb_run_aklog},
-#endif /* KRB5_KRB4_COMPAT */
};
static char *conf_yes[] = {
@@ -501,20 +440,8 @@
int krbflag; /* set if tickets have been obtained */
#endif /* KRB5_GET_TICKETS */
-#ifdef KRB4_GET_TICKETS
-static int got_v4_tickets;
-AUTH_DAT *kdata = (AUTH_DAT *) NULL;
-char tkfile[MAXPATHLEN];
-#endif
-
-#ifdef KRB4_GET_TICKETS
-static void k_init (ttyn, realm)
- char *ttyn;
- char *realm;
-#else
void k_init (ttyn)
char *ttyn;
-#endif
{
#ifdef KRB5_GET_TICKETS
krb5_error_code retval;
@@ -529,7 +456,8 @@
/* Set up the credential cache environment variable */
if (!getenv(KRB5_ENV_CCNAME)) {
- sprintf(ccfile, "FILE:/tmp/krb5cc_p%ld", (long) getpid());
+ snprintf(ccfile, sizeof(ccfile), "FILE:/tmp/krb5cc_p%ld",
+ (long) getpid());
setenv(KRB5_ENV_CCNAME, ccfile, 1);
krb5_cc_set_default_name(kcontext, ccfile);
unlink(ccfile+strlen("FILE:"));
@@ -540,22 +468,6 @@
}
#endif
-#ifdef KRB4_GET_TICKETS
- if (krb_get_lrealm(realm, 1) != KSUCCESS) {
- strncpy(realm, KRB_REALM, sizeof(realm));
- realm[sizeof(realm) - 1] = '\0';
- }
- if (login_krb4_get_tickets || login_krb4_convert) {
- /* Set up the ticket file environment variable */
- strncpy(tkfile, KRB_TK_DIR, sizeof(tkfile));
- tkfile[sizeof(tkfile) - 1] = '\0';
- strncat(tkfile, strrchr(ttyn, '/')+1,
- sizeof(tkfile) - strlen(tkfile));
- (void) unlink (tkfile);
- setenv(KRB_ENVIRON, tkfile, 1);
- }
-#endif
-
#ifdef BIND_HACK
/* Set name server timeout to be reasonable,
so that people don't take 5 minutes to
@@ -571,7 +483,7 @@
{
krb5_error_code code;
char prompt[255];
- sprintf(prompt,"Password for %s", username);
+ snprintf(prompt, sizeof(prompt), "Password for %s", username);
/* reduce opportunities to be swapped out */
code = krb5_read_password(kcontext, prompt, 0, user_pwstring, &pwsize);
@@ -636,236 +548,8 @@
}
#endif /* KRB5_GET_TICKETS */
-#ifdef KRB4_CONVERT
-static int
-try_convert524(kctx, me, use_ccache)
- krb5_context kctx;
- krb5_principal me;
- int use_ccache;
-{
- krb5_principal kpcserver;
- krb5_error_code kpccode;
- int kpcval;
- krb5_creds increds, *v5creds;
- CREDENTIALS v4creds;
-
-
- /* If we have forwarded v5 tickets, retrieve the credentials from
- * the cache; otherwise, the v5 credentials are in my_creds.
- */
- if (use_ccache) {
- /* cc->ccache, already set up */
- /* client->me, already set up */
- kpccode = krb5_build_principal(kctx, &kpcserver,
- krb5_princ_realm(kctx, me)->length,
- krb5_princ_realm(kctx, me)->data,
- "krbtgt",
- krb5_princ_realm(kctx, me)->data,
- NULL);
- if (kpccode) {
- com_err("login/v4", kpccode,
- "while creating service principal name");
- return 0;
- }
-
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = me;
- increds.server = kpcserver;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- kpccode = krb5_get_credentials(kctx, 0, ccache,
- &increds, &v5creds);
- krb5_free_principal(kctx, kpcserver);
- increds.server = NULL;
- if (kpccode) {
- com_err("login/v4", kpccode, "getting V5 credentials");
- return 0;
- }
-
- kpccode = krb524_convert_creds_kdc(kctx, v5creds, &v4creds);
- krb5_free_creds(kctx, v5creds);
- } else
- kpccode = krb524_convert_creds_kdc(kctx, &my_creds, &v4creds);
- if (kpccode) {
- com_err("login/v4", kpccode, "converting to V4 credentials");
- return 0;
- }
- /* this is stolen from the v4 kinit */
- /* initialize ticket cache */
- if ((kpcval = in_tkt(v4creds.pname,v4creds.pinst)
- != KSUCCESS)) {
- com_err("login/v4", kpcval,
- "trying to create the V4 ticket file");
- return 0;
- }
- /* stash ticket, session key, etc. for future use */
- if ((kpcval = krb_save_credentials(v4creds.service,
- v4creds.instance,
- v4creds.realm,
- v4creds.session,
- v4creds.lifetime,
- v4creds.kvno,
- &(v4creds.ticket_st),
- v4creds.issue_date))) {
- com_err("login/v4", kpcval,
- "trying to save the V4 ticket");
- return 0;
- }
- got_v4_tickets = 1;
- strncpy(tkfile, tkt_string(), sizeof(tkfile));
- tkfile[sizeof(tkfile) - 1] = '\0';
- return 1;
-}
-#endif
-
-#ifdef KRB4_GET_TICKETS
-static int
-try_krb4 (user_pwstring, realm)
- char *user_pwstring;
- char *realm;
-{
- int krbval, kpass_ok = 0;
-
- krbval = krb_get_pw_in_tkt(username, "", realm,
- "krbtgt", realm,
- DEFAULT_TKT_LIFE,
- user_pwstring);
-
- switch (krbval) {
- case INTK_OK:
- kpass_ok = 1;
- krbflag = 1;
- strncpy(tkfile, tkt_string(), sizeof(tkfile));
- tkfile[sizeof(tkfile) - 1] = '\0';
- break;
- /* These errors should be silent */
- /* So the Kerberos database can't be probed */
- case KDC_NULL_KEY:
- case KDC_PR_UNKNOWN:
- case INTK_BADPW:
- case KDC_PR_N_UNIQUE:
- case -1:
- break;
-#if 0 /* I want to see where INTK_W_NOTALL comes from before letting
- kpass_ok be set in that case. KR */
- /* These should be printed but are not fatal */
- case INTK_W_NOTALL:
- krbflag = 1;
- kpass_ok = 1;
- fprintf(stderr, "Kerberos error: %s\n",
- krb_get_err_text(krbval));
- break;
-#endif
- default:
- fprintf(stderr, "Kerberos error: %s\n",
- krb_get_err_text(krbval));
- break;
- }
- got_v4_tickets = kpass_ok;
- return kpass_ok;
-}
-#endif /* KRB4_GET_TICKETS */
-
/* Kerberos ticket-handling routines */
-#ifdef KRB4_GET_TICKETS
-/* call already conditionalized on login_krb4_get_tickets */
-/*
- * Verify the Kerberos ticket-granting ticket just retrieved for the
- * user. If the Kerberos server doesn't respond, assume the user is
- * trying to fake us out (since we DID just get a TGT from what is
- * supposedly our KDC). If the rcmd.<host> service is unknown (i.e.,
- * the local srvtab doesn't have it), let her in.
- *
- * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
- */
-static int verify_krb_v4_tgt (realm)
- char *realm;
-{
- char hostname[MAXHOSTNAMELEN], phost[BUFSIZ];
- struct hostent *hp;
- KTEXT_ST ticket;
- AUTH_DAT authdata;
- unsigned KRB4_32 addr;
- static /*const*/ char rcmd_str[] = "rcmd";
-#if 0
- char key[8];
-#endif
- int krbval, retval, have_keys;
-
- if (gethostname(hostname, sizeof(hostname)) == -1) {
- perror ("cannot retrieve local hostname");
- return -1;
- }
- strncpy (phost, krb_get_phost (hostname), sizeof (phost));
- phost[sizeof(phost)-1] = 0;
- hp = gethostbyname (hostname);
- if (!hp) {
- perror ("cannot retrieve local host address");
- return -1;
- }
- memcpy ((char *) &addr, (char *)hp->h_addr, sizeof (addr));
- /* Do we have rcmd.<host> keys? */
-#if 0 /* Be paranoid. If srvtab exists, assume it must contain the
- right key. The more paranoid mode also helps avoid a
- possible DNS spoofing issue. */
- have_keys = read_service_key (rcmd_str, phost, realm, 0, KEYFILE, key)
- ? 0 : 1;
- memset (key, 0, sizeof (key));
-#else
- have_keys = 0 == access (KEYFILE, F_OK);
-#endif
- krbval = krb_mk_req (&ticket, rcmd_str, phost, realm, 0);
- if (krbval == KDC_PR_UNKNOWN) {
- /*
- * Our rcmd.<host> principal isn't known -- just assume valid
- * for now? This is one case that the user _could_ fake out.
- */
- if (have_keys)
- return -1;
- else
- return 0;
- }
- else if (krbval != KSUCCESS) {
- printf ("Unable to verify Kerberos TGT: %s\n",
- krb_get_err_text(krbval));
-#ifndef SYSLOG42
- syslog (LOG_NOTICE|LOG_AUTH, "Kerberos TGT bad: %s",
- krb_get_err_text(krbval));
-#endif
- return -1;
- }
- /* got ticket, try to use it */
- krbval = krb_rd_req (&ticket, rcmd_str, phost, addr, &authdata, "");
- if (krbval != KSUCCESS) {
- if (krbval == RD_AP_UNDEC && !have_keys)
- retval = 0;
- else {
- retval = -1;
- printf ("Unable to verify `rcmd' ticket: %s\n",
- krb_get_err_text(krbval));
- }
-#ifndef SYSLOG42
- syslog (LOG_NOTICE|LOG_AUTH, "can't verify rcmd ticket: %s;%s\n",
- krb_get_err_text(krbval),
- retval
- ? "srvtab found, assuming failure"
- : "no srvtab found, assuming success");
-#endif
- goto EGRESS;
- }
- /*
- * The rcmd.<host> ticket has been received _and_ verified.
- */
- retval = 1;
- /* do cleanup and return */
-EGRESS:
- memset (&ticket, 0, sizeof (ticket));
- memset (&authdata, 0, sizeof (authdata));
- return retval;
-}
-#endif /* KRB4_GET_TICKETS */
-
static void destroy_tickets()
{
#ifdef KRB5_GET_TICKETS
@@ -876,10 +560,6 @@
krb5_cc_destroy (kcontext, cache);
}
#endif
-#ifdef KRB4_GET_TICKETS
- if (login_krb4_get_tickets || login_krb4_convert)
- dest_tkt();
-#endif /* KRB4_GET_TICKETS */
}
/* AFS support routines */
@@ -926,15 +606,15 @@
static void
afs_login ()
{
-#if defined(KRB4_GET_TICKETS) && defined(SETPAG)
- if (login_krb4_get_tickets && pwd->pw_uid) {
+#if defined(SETPAG)
+ if (login_krb5_get_tickets && pwd->pw_uid) {
/* Only reset the pag for non-root users. */
/* This allows root to become anything. */
pagflag = try_setpag ();
}
#endif
#ifdef KRB_RUN_AKLOG
- if (got_v4_tickets && login_krb_run_aklog) {
+ if (got_v5_tickets && login_krb_run_aklog) {
/* KPROGDIR is $(prefix)/bin */
char aklog_path[MAXPATHLEN];
struct stat st;
@@ -1047,10 +727,6 @@
krb5_creds save_v5creds;
krb5_ccache xtra_creds = NULL;
#endif
-#ifdef KRB4_GET_TICKETS
- CREDENTIALS save_v4creds;
- char realm[REALM_SZ];
-#endif
char *ccname = 0; /* name of forwarded cache */
char *tz = 0;
char *hostname = 0;
@@ -1079,9 +755,6 @@
* login as root.
* -h is used by other servers to pass the name of the
* remote host to login so that it may be placed in utmp and wtmp
- * -k is used by klogind to cause the Kerberos V4 autologin protocol;
- * -K is used by klogind to cause the Kerberos V4 autologin
- * protocol with restricted access.
*/
(void)gethostname(tbuf, sizeof(tbuf));
domain = strchr(tbuf, '.');
@@ -1132,33 +805,6 @@
*p = '\0';
hostname = optarg;
break;
-#ifdef KRB4_KLOGIN
- case 'k':
- case 'K':
- EXCL_AUTH_TEST;
- EXCL_HOST_TEST;
- if (getuid()) {
- fprintf(stderr,
- "login: -%c for super-user only.\n", ch);
- exit(1);
- }
- /* "-k hostname" must be last args */
- if (optind != argc) {
- fprintf(stderr, "Syntax error.\n");
- exit(1);
- }
- if (ch == 'K')
- Kflag = 1;
- else
- kflag = 1;
- passwd_req = (do_krb_login(optarg, Kflag ? 1 : 0) == -1);
- if (domain &&
- (p = strchr(optarg, '.')) &&
- (!strcmp(p, domain)))
- *p = '\0';
- hostname = optarg;
- break;
-#endif /* KRB4_KLOGIN */
case 'e':
EXCL_AUTH_TEST;
if (getuid()) {
@@ -1242,18 +888,13 @@
ask for username if we don't have it already
look it up in local pw or shadow file (to get crypt string)
ask for password
- try and get v4, v5 tickets with it
+ try and get v5 tickets with it
try and use the tickets against the local srvtab
if the password matches, always let them in
if the ticket decrypts, let them in.
- v5 needs to work, does v4?
*/
-#ifdef KRB4_GET_TICKETS
- k_init (ttyn, realm);
-#else
k_init (ttyn);
-#endif
for (cnt = 0;; username = NULL) {
#ifdef KRB5_GET_TICKETS
@@ -1292,17 +933,6 @@
if (!unix_needs_passwd())
break;
- /* we have several sets of code:
- 1) get v5 tickets alone -DKRB5_GET_TICKETS
- 2) get v4 tickets alone [** don't! only get them *with* v5 **]
- 3) get both tickets -DKRB5_GET_TICKETS -DKRB4_GET_TICKETS
- 3a) use krb524 calls to get the v4 tickets -DKRB4_CONVERT plus (3).
- 4) get no tickets and use the password file (none of thes defined.)
-
- Likewise we need to (optionally?) test these tickets against
- local srvtabs.
- */
-
#ifdef KRB5_GET_TICKETS
if (login_krb5_get_tickets) {
/* rename these to something more verbose */
@@ -1324,16 +954,7 @@
if (pwd->pw_uid != 0) { /* Don't get tickets for root */
try_krb5(&me, user_pwstring);
-#ifdef KRB4_GET_TICKETS
- if (login_krb4_get_tickets &&
- !(got_v5_tickets && login_krb4_convert))
- try_krb4(user_pwstring, realm);
-#endif
- krbflag = (got_v5_tickets
-#ifdef KRB4_GET_TICKETS
- || got_v4_tickets
-#endif
- );
+ krbflag = got_v5_tickets;
memset (user_pwstring, 0, sizeof(user_pwstring));
/* password wiped, so we can relax */
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
@@ -1370,13 +991,6 @@
break; /* we're ok */
}
}
-#ifdef KRB4_GET_TICKETS
- else if (got_v4_tickets) {
- if (login_krb4_get_tickets &&
- (verify_krb_v4_tgt(realm) != -1))
- break; /* we're ok */
- }
-#endif /* KRB4_GET_TICKETS */
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
@@ -1480,21 +1094,10 @@
forwarded_v5_tickets = 1;
#endif /* KRB5_GET_TICKETS */
-#if defined(KRB5_GET_TICKETS) && defined(KRB4_CONVERT)
- if (login_krb4_convert && !got_v4_tickets) {
- if (got_v5_tickets||forwarded_v5_tickets)
- try_convert524(kcontext, me, forwarded_v5_tickets);
- }
-#endif
-
#ifdef KRB5_GET_TICKETS
if (login_krb5_get_tickets)
dofork();
#endif
-#ifdef KRB4_GET_TICKETS
- else if (login_krb4_get_tickets)
- dofork();
-#endif
/* If the user's shell does not do job control we should put it in a
different process group than than us, and set the tty process group
@@ -1551,17 +1154,16 @@
(void) initgroups(username, pwd->pw_gid);
/*
- * The V5 ccache and V4 ticket file are both created as root.
- * They need to be owned by the user, and chown (a) assumes
- * they are stored in a file and (b) allows a race condition
- * in which a user can delete the file (if the directory
- * sticky bit is not set) and make it a symlink to somewhere
- * else; on some platforms, chown() on a symlink actually
- * changes the owner of the pointed-to file. This is Bad.
+ * The V5 ccache is created as root. It needs to be owned by the
+ * user, and chown (a) assumes they are stored in a file and (b)
+ * allows a race condition in which a user can delete the file (if
+ * the directory sticky bit is not set) and make it a symlink to
+ * somewhere else; on some platforms, chown() on a symlink
+ * actually changes the owner of the pointed-to file. This is
+ * Bad.
*
- * So, we suck the V5 and V4 krbtgts into memory here, destroy
- * the ccache/ticket file, and recreate them later after the
- * setuid.
+ * So, we suck the V5 krbtgt into memory here, destroy the
+ * ccache/ticket file, and recreate them later after the setuid.
*
* With the new v5 api, v5 tickets are kept in memory until written
* out after the setuid. However, forwarded tickets still
@@ -1605,28 +1207,10 @@
}
#endif /* KRB5_GET_TICKETS */
-#ifdef KRB4_GET_TICKETS
- if (got_v4_tickets) {
- memset(&save_v4creds, 0, sizeof(save_v4creds));
-
- retval = krb_get_cred("krbtgt", realm, realm, &save_v4creds);
- if (retval != KSUCCESS) {
- syslog(LOG_ERR,
- "%s while retrieving V4 initial ticket for copy",
- error_message(retval));
- rewrite_ccache = 0;
- }
- }
-#endif /* KRB4_GET_TICKETS */
-
#ifdef KRB5_GET_TICKETS
if (forwarded_v5_tickets)
destroy_tickets();
#endif
-#ifdef KRB4_GET_TICKETS
- else if (got_v4_tickets)
- destroy_tickets();
-#endif
#ifdef OQUOTA
quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);
@@ -1701,29 +1285,6 @@
}
#endif /* KRB5_GET_TICKETS */
-#ifdef KRB4_GET_TICKETS
- if (got_v4_tickets && rewrite_ccache) {
- if ((retval = in_tkt(save_v4creds.pname, save_v4creds.pinst))
- != KSUCCESS) {
- syslog(LOG_ERR,
- "%s while re-initializing V4 ticket cache as user",
- error_message((retval == -1)?errno:retval));
- } else if ((retval = krb_save_credentials(save_v4creds.service,
- save_v4creds.instance,
- save_v4creds.realm,
- save_v4creds.session,
- save_v4creds.lifetime,
- save_v4creds.kvno,
- &(save_v4creds.ticket_st),
- save_v4creds.issue_date))
- != KSUCCESS) {
- syslog(LOG_ERR,
- "%s while re-storing V4 tickets as user",
- error_message(retval));
- }
- }
-#endif /* KRB4_GET_TICKETS */
-
if (*pwd->pw_shell == '\0')
pwd->pw_shell = BSHELL;
@@ -1778,12 +1339,6 @@
if (term[0])
(void)setenv("TERM", term, 0);
-#ifdef KRB4_GET_TICKETS
- /* tkfile[0] is only set if we got tickets above */
- if (login_krb4_get_tickets && tkfile[0])
- (void) setenv(KRB_ENVIRON, tkfile, 1);
-#endif /* KRB4_GET_TICKETS */
-
#ifdef KRB5_GET_TICKETS
/* ccfile[0] is only set if we got tickets above */
if (login_krb5_get_tickets && ccfile[0]) {
@@ -1795,33 +1350,6 @@
if (tty[sizeof("tty")-1] == 'd')
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
if (pwd->pw_uid == 0)
-#ifdef KRB4_KLOGIN
- if (kdata) {
- if (hostname) {
- char buf[BUFSIZ];
-#ifdef UT_HOSTSIZE
- (void) sprintf(buf,
- "ROOT LOGIN (krb) %s from %.*s, %s.%s@%s",
- tty, UT_HOSTSIZE, hostname,
- kdata->pname, kdata->pinst,
- kdata->prealm);
-#else
- (void) sprintf(buf,
- "ROOT LOGIN (krb) %s from %s, %s.%s@%s",
- tty, hostname,
- kdata->pname, kdata->pinst,
- kdata->prealm);
-#endif
- syslog(LOG_NOTICE, "%s", buf);
- } else {
- syslog(LOG_NOTICE,
- "ROOT LOGIN (krb) %s, %s.%s@%s",
- tty,
- kdata->pname, kdata->pinst,
- kdata->prealm);
- }
- } else
-#endif /* KRB4_KLOGIN */
{
if (hostname) {
#ifdef UT_HOSTSIZE
@@ -1839,10 +1367,6 @@
afs_login();
if (!quietlog) {
-#ifdef KRB4_KLOGIN
- if (!krbflag && !fflag && !eflag )
- printf("\nWarning: No Kerberos tickets obtained.\n\n");
-#endif /* KRB4_KLOGIN */
motd();
check_mail();
}
@@ -2104,7 +1628,7 @@
{
char tbuf[MAXPATHLEN+2];
struct stat st;
- (void)sprintf(tbuf, "%s/%s", MAILDIR, pwd->pw_name);
+ (void)snprintf(tbuf, sizeof(tbuf), "%s/%s", MAILDIR, pwd->pw_name);
if (stat(tbuf, &st) == 0 && st.st_size != 0)
printf("You have %smail.\n",
(st.st_mtime > st.st_atime) ? "new " : "");
@@ -2217,100 +1741,6 @@
return(ruserok(host, (pwd->pw_uid == 0), rusername, username));
}
-#ifdef KRB4_KLOGIN
-int do_krb_login(host, strict)
- char *host;
- int strict;
-{
- int rc;
- struct sockaddr_in sin;
- char instance[INST_SZ], version[9];
- long authoptions = 0L;
- struct hostent *hp = gethostbyname(host);
- static char lusername[UT_NAMESIZE+1];
-
- /*
- * Kerberos autologin protocol.
- */
-
- (void) memset((char *) &sin, 0, (int) sizeof(sin));
-
- if (hp)
- (void) memcpy ((char *)&sin.sin_addr, hp->h_addr,
- sizeof(sin.sin_addr));
- else
- sin.sin_addr.s_addr = inet_addr(host);
-
- if ((hp == NULL) && (sin.sin_addr.s_addr == -1)) {
- printf("Hostname did not resolve to an address, so Kerberos authentication failed\r\n");
- /*
- * No host addr prevents auth, so
- * punt krb and require password
- */
- if (strict) {
- goto paranoid;
- } else {
- pwd = NULL;
- return(-1);
- }
- }
-
- kdata = (AUTH_DAT *)malloc( sizeof(AUTH_DAT) );
- ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
-
- (void) strcpy(instance, "*");
- if ((rc=krb_recvauth(authoptions, 0, ticket, "rcmd",
- instance, &sin,
- (struct sockaddr_in *)0,
- kdata, "", (bit_64 *) 0, version))) {
- printf("Kerberos rlogin failed: %s\r\n",krb_get_err_text(rc));
- if (strict) {
-paranoid:
- /*
- * Paranoid hosts, such as a Kerberos server,
- * specify the Klogind daemon to disallow
- * even password access here.
- */
- printf("Sorry, you must have Kerberos authentication to access this host.\r\n");
- exit(1);
- }
- }
- (void) lgetstr(lusername, sizeof (lusername), "Local user");
- (void) lgetstr(term, sizeof(term), "Terminal type");
- username = lusername;
- if (getuid()) {
- pwd = NULL;
- return(-1);
- }
- pwd = getpwnam(lusername);
- if (pwd == NULL) {
- pwd = NULL;
- return(-1);
- }
-
- /*
- * if Kerberos login failed because of an error in krb_recvauth,
- * return the indication of a bad attempt. User will be prompted
- * for a password. We CAN'T check the .rhost file, because we need
- * the remote username to do that, and the remote username is in the
- * Kerberos ticket. This affects ONLY the case where there is
- * Kerberos on both ends, but Kerberos fails on the server end.
- */
- if (rc) {
- return(-1);
- }
-
- if ((rc=kuserok(kdata,lusername))) {
- printf("login: %s has not given you permission to login without a password.\r\n",lusername);
- if (strict) {
- exit(1);
- }
- return(-1);
- }
- return(0);
-}
-#endif /* KRB4_KLOGIN */
-
void lgetstr(buf, cnt, err)
char *buf, *err;
int cnt;
@@ -2334,15 +1764,11 @@
void sleepexit(eval)
int eval;
{
-#ifdef KRB4_GET_TICKETS
- if (login_krb4_get_tickets && krbflag)
- (void) destroy_tickets();
-#endif /* KRB4_GET_TICKETS */
sleep((u_int)5);
exit(eval);
}
-#if defined(KRB4_GET_TICKETS) || defined(KRB5_GET_TICKETS)
+#ifdef KRB5_GET_TICKETS
static int hungup = 0;
static sigtype
@@ -2350,7 +1776,7 @@
hungup = 1;
}
-/* call already conditionalized on login_krb4_get_tickets */
+/* call already conditionalized on login_krb5_get_tickets */
/*
* This routine handles cleanup stuff, and the like.
* It exits only in the child process.
@@ -2435,7 +1861,7 @@
/* Leave */
exit(0);
}
-#endif /* KRB4_GET_TICKETS */
+#endif /* KRB5_GET_TICKETS */
#ifndef HAVE_STRSAVE
@@ -2448,11 +1874,10 @@
{
register char *ret;
- if ((ret = (char *) malloc((unsigned) strlen(sp)+1)) == NULL) {
+ if ((ret = strdup(sp)) == NULL) {
fprintf(stderr, "no memory for saving args\n");
exit(1);
}
- (void) strcpy(ret,sp);
return(ret);
}
#endif
Modified: branches/mkey_migrate/src/appl/bsd/rlogin.M
===================================================================
--- branches/mkey_migrate/src/appl/bsd/rlogin.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/rlogin.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,7 +25,7 @@
.I rhost
[\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP]
[\fB\-F\fP] [\fB\-t\fP \fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP]
-[\fB\-PN | \-PO\fP] [\fB\-4\fP]
+[\fB\-PN | \-PO\fP]
[\fB\-d\fP] [\fB\-k\fP \fIrealm\fP] [\fB\-x\fP] [\fB\-L\fP] [\fB\-l\fP
\fIusername\fP]
.PP
@@ -145,9 +145,6 @@
"input/output error" and a closed connection is the most likely result
of attempting this combination.) If neither option is specified, some
simple heuristics are used to guess which to try.
-.TP
-\fB\-4\fP
-Use Kerberos V4 authentication only; don't try Kerberos V5.
.SH SEE ALSO
rsh(1), kerberos(1), krb_sendauth(3), krb_realmofhost(3), rlogin(1) [UCB
version], klogind(8)
Deleted: branches/mkey_migrate/src/appl/bsd/v4rcp.M
===================================================================
--- branches/mkey_migrate/src/appl/bsd/v4rcp.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/v4rcp.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,52 +0,0 @@
-.\" appl/bsd/v4rcp.M
-.TH V4RCP 1
-.SH NAME
-v4rcp \- back end for Kerberos V4 rcp
-.SH SYNOPSIS
-.B v4rcp
-.I not invoked by users
-.SH DESCRIPTION
-This program is
-.B not
-for user execution. The usage message indicates this.
-.PP
-Kerberos Version 4
-.I rsh
-did not support encryption. In order to perform
-encrypted file transfer, the version 4
-.I rcp
-program did a second authentication, directly to the
-.I rcp
-process at the other end. This meant that
-.I rcp
-needed to be
-.IR setuid
-to root in order to read the
-.IR krb-srvtab
-file on the remote end.
-.PP
-Rather than add this complexity into the main Kerberos 5
-.I rcp
-the Kerberos 5
-.I kshd
-instead detects the use of Kerberos 4 authentication, and checks the
-command for the program name
-.I rcp
-and then substitutes the full pathname of
-.I v4rcp
-instead. Since
-.I v4rcp
-is installed
-.IR setuid
-to root, it can perform the the authentication and get the session key
-needed to encrypt the file transfer.
-.PP
-Kerberos 5
-.I rcp
-instead uses the encryption support built in to Kerberos 5
-.I rsh
-and
-.I kshd
-directly.
-.SH SEE ALSO
-rsh(1), rcp(1), kshd(8)
Deleted: branches/mkey_migrate/src/appl/bsd/v4rcp.c
===================================================================
--- branches/mkey_migrate/src/appl/bsd/v4rcp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/bsd/v4rcp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,1107 +0,0 @@
-/* Stripped down Kerberos V4 rcp, for server-side use only */
-/* based on Cygnus CNS V4-96q1 src/appl/bsd/rcp.c. */
-
-/*
- * rcp.c
- */
-
-/*
- * Copyright (c) 1983 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-char copyright[] =
-"@(#) Copyright (c) 1983 The Regents of the University of California.\n\
- All rights reserved.\n";
-#endif /* not lint */
-
-#ifndef lint
-static char sccsid[] = "@(#)rcp.c 5.10 (Berkeley) 9/20/88";
-#endif /* not lint */
-
-/*
- * rcp
- */
-#ifdef KERBEROS
-#include "k5-int.h"
-#include <com_err.h>
-#include <k5-util.h>
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#ifndef KERBEROS
-/* Ultrix doesn't protect it vs multiple inclusion, and krb.h includes it */
-#include <sys/socket.h>
-#endif
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/ioctl.h>
-#ifdef NEED_SYS_FCNTL_H
-#include <sys/fcntl.h>
-#endif
-#include <netinet/in.h>
-
-#include <fcntl.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-#include <pwd.h>
-#include <ctype.h>
-#ifndef KERBEROS
-/* Ultrix doesn't protect it vs multiple inclusion, and krb.h includes it */
-#include <netdb.h>
-#endif
-#include <errno.h>
-#include <stdarg.h>
-
-#include "port-sockets.h"
-
-#ifdef KERBEROS
-#include <krb.h>
-#include <krbports.h>
-
-
-void sink(int, char **), source(int, char **),
- rsource(char *, struct stat *), usage(void);
-/*VARARGS*/
-void error (char *fmt, ...)
-#if !defined (__cplusplus) && (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7))
- __attribute__ ((__format__ (__printf__, 1, 2)))
-#endif
- ;
-int response(void);
-#if !defined(HAVE_UTIMES)
-int utimes();
-#endif
-
-
-#if 0
-#include <kstream.h>
-#else
-/* we don't have full kstream in v5, so fake it... */
-
-typedef struct {
- int encrypting;
- int read_fd, write_fd;
- des_key_schedule *sched;
- des_cblock *ivec;
- /* used on the read side */
- char *inbuf;
- char *outbuf;
- int writelen;
- char* retbuf;
- int retbuflen;
- int retlen;
- int returned;
-} *kstream;
-
-static kstream kstream_create_rcp_from_fd(read_fd, write_fd, sched, ivec)
- int read_fd, write_fd;
- des_key_schedule *sched;
- des_cblock *ivec;
-{
- kstream tmp = (kstream)malloc(sizeof(*tmp));
- if (tmp == NULL)
- return NULL;
- tmp->encrypting = 1;
- tmp->read_fd = read_fd;
- tmp->write_fd = write_fd;
- /* they're static in this file, so just hang on to the pointers */
- tmp->sched = sched;
- tmp->ivec = ivec;
- tmp->inbuf = 0;
- tmp->outbuf = 0;
- tmp->writelen = 0;
- tmp->retbuf = 0;
- tmp->retbuflen = 0;
- tmp->returned = 0;
- tmp->retlen = 0;
- return tmp;
-}
-
-static kstream kstream_create_from_fd(read_fd, write_fd, sched, session)
- int read_fd, write_fd;
- Key_schedule *sched;
- des_cblock *session;
-{
- /* just set it up... */
- kstream tmp = (kstream)malloc(sizeof(*tmp));
- if (tmp == NULL)
- return NULL;
- tmp->encrypting = 0;
- tmp->read_fd = read_fd;
- tmp->write_fd = write_fd;
- return tmp;
-}
-
-
-/* always set to 0 here anyway */
-#define kstream_set_buffer_mode(x,y)
-
-static int kstream_read(krem, buf, len)
- kstream krem;
- char *buf;
- unsigned int len;
-{
- if(krem->encrypting) {
- /* when we get a length, we have to read the whole block. However,
- we have to hand it to the user in the chunks they want, which
- may be smaller if BUFSIZ doesn't match. [the caller can deal if
- the incoming blocks are smaller...] */
- if (krem->returned) {
- int remaining = krem->retlen - krem->returned;
- int returning;
-
- if (remaining <= len) {
- returning = remaining;
- } else {
- returning = len;
- }
- memcpy(buf, krem->retbuf+krem->returned, returning);
- krem->returned += returning;
- if (krem->returned == krem->retlen) krem->returned = 0;
-
- return returning;
- }
-
- /* we need 4 bytes to get a length, and once we have that we know how
- much to get to fill the buffer. Then we can hand back bits, or loop. */
- {
- int cc;
- unsigned char clen[4];
- unsigned int x = 0;
- unsigned int sz, off;
-
- cc = read(krem->read_fd, clen, 4);
- if (cc != 4) return cc;
- x <<= 8; x += clen[0] & 0xff;
- x <<= 8; x += clen[1] & 0xff;
- x <<= 8; x += clen[2] & 0xff;
- x <<= 8; x += clen[3] & 0xff;
- sz = (x + 7) & (~7U);
-
- if (krem->retbuflen < sz) {
- if (krem->retbuflen == 0)
- krem->retbuf = (char*)malloc(sz>(BUFSIZ)?sz:(BUFSIZ));
- else
- krem->retbuf = (char*)realloc(krem->retbuf, sz);
- if(!krem->retbuf) { errno = ENOMEM; return -1; }
- krem->retbuflen = sz>(BUFSIZ)?sz:(BUFSIZ);
- }
-
- /* get all of it */
- off = 0;
- do {
- cc = read(krem->read_fd, krem->retbuf+off, sz-off);
- if (cc <= 0) return cc;
- off += cc;
- } while (off < sz);
-
- /* decrypt it */
- des_pcbc_encrypt ((des_cblock *)krem->retbuf,
- (des_cblock *)krem->retbuf,
- (int) sz, *krem->sched, krem->ivec,
- DECRYPT);
-
- /* now retbuf has sz bytes, return len or x of them to the user */
- if (x <= len) {
- memcpy(buf, krem->retbuf, x);
- return x;
- } else {
- memcpy(buf, krem->retbuf, len);
- /* defer the rest */
- krem->returned = len;
- krem->retlen = x;
- return len;
- }
- }
- } else {
- return read(krem->read_fd, buf, len);
- }
-}
-
-static int kstream_write(krem, buf, len)
- kstream krem;
- char *buf;
- unsigned int len;
-{
- if (krem->encrypting) {
- unsigned long x;
- int st;
- unsigned int outlen = (len + 7) & (~7U);
-
- if (krem->writelen < outlen || krem->outbuf == 0) {
- krem->inbuf = (char*)realloc(krem->inbuf, outlen ? outlen : 1);
- krem->outbuf = (char*)realloc(krem->outbuf, outlen+8);
- if(!krem->inbuf || !krem->outbuf) { errno = ENOMEM; return -1; }
- krem->writelen = outlen;
- }
-
- outlen = (len + 7) & (~7U);
-
- memcpy(krem->inbuf, buf, len);
- krb5_random_confounder(outlen-len, krem->inbuf+len);
- buf = krem->inbuf;
-
- x = len;
- krem->outbuf[3+4] = x & 0xff; x >>= 8;
- krem->outbuf[2+4] = x & 0xff; x >>= 8;
- krem->outbuf[1+4] = x & 0xff; x >>= 8;
- krem->outbuf[0+4] = x & 0xff; x >>= 8;
- if (x)
- abort ();
- /* memset(outbuf+4+4, 0x42, BUFSIZ); */
- st = des_pcbc_encrypt ((des_cblock *)buf, (des_cblock *)(krem->outbuf+4+4),
- (int) outlen,
- *krem->sched, krem->ivec, ENCRYPT);
-
- if (st) abort();
- return write(krem->write_fd, krem->outbuf+4, 4+outlen);
- } else {
- return write(krem->write_fd, buf, len);
- }
-}
-
-/* 0 = stdin, read; 1 = stdout, write */
-#define rem 0,1
-
-#endif
-
-
-#ifdef _AUX_SOURCE
-#define vfork fork
-#endif
-#ifdef NOVFORK
-#define vfork fork
-#endif
-
-#ifndef roundup
-#define roundup(x,y) ((((x)+(y)-1)/(y))*(y))
-#endif
-
-int sock;
-CREDENTIALS cred;
-MSG_DAT msg_data;
-struct sockaddr_in foreign, local;
-Key_schedule schedule;
-
-KTEXT_ST ticket;
-AUTH_DAT kdata;
-static des_cblock crypt_session_key;
-char krb_realm[REALM_SZ];
-char **save_argv(int, char **), *krb_realmofhost();
-#ifndef HAVE_STRSAVE
-static char *strsave(char *);
-#endif
-#ifdef NOENCRYPTION
-#define des_read read
-#define des_write write
-#else /* !NOENCRYPTION */
-void answer_auth(void);
-int encryptflag = 0;
-#endif /* NOENCRYPTION */
-#include "rpaths.h"
-#else /* !KERBEROS */
-#define des_read read
-#define des_write write
-#endif /* KERBEROS */
-
-kstream krem;
-int errs;
-krb5_sigtype lostconn(int);
-int iamremote, targetshouldbedirectory;
-int iamrecursive;
-int pflag;
-int force_net;
-struct passwd *pwd;
-int userid;
-int port;
-
-char *getenv();
-
-struct buffer {
- int cnt;
- char *buf;
-} *allocbuf(struct buffer *, int, int);
-
-#define NULLBUF (struct buffer *) 0
-
-#define ga() (void) kstream_write (krem, "", 1)
-
-int main(argc, argv)
- int argc;
- char **argv;
-{
- char portarg[20], rcpportarg[20];
-#ifdef ATHENA
- static char curhost[256];
-#endif /* ATHENA */
-#ifdef KERBEROS
- char realmarg[REALM_SZ + 5];
-#endif /* KERBEROS */
-
- portarg[0] = '\0';
- rcpportarg[0] = '\0';
- realmarg[0] = '\0';
-
- pwd = getpwuid(userid = getuid());
- if (pwd == 0) {
- fprintf(stderr, "who are you?\n");
- exit(1);
- }
-
-#ifdef KERBEROS
- krb_realm[0] = '\0'; /* Initially no kerberos realm set */
-#endif /* KERBEROS */
- for (argc--, argv++; argc > 0 && **argv == '-'; argc--, argv++) {
- (*argv)++;
- while (**argv) switch (*(*argv)++) {
-
- case 'r':
- iamrecursive++;
- break;
-
- case 'p': /* preserve mtimes and atimes */
- pflag++;
- break;
-
- case 'P': /* Set port to use. */
- port = atoi(*argv);
- sprintf(portarg, " -p%d", port);
- sprintf(rcpportarg, " -P%d", port);
- port = htons(port);
- goto next_arg;
-
- case 'N':
- /* Force use of network even on local machine. */
- force_net++;
- break;
-
-#ifdef KERBEROS
-#ifndef NOENCRYPTION
- case 'x':
- encryptflag++;
- break;
-#endif
- case 'k': /* Change kerberos realm */
- argc--, argv++;
- if (argc == 0)
- usage();
- strncpy(krb_realm,*argv,REALM_SZ);
- krb_realm[REALM_SZ-1] = 0;
- sprintf(realmarg, " -k %s", krb_realm);
- goto next_arg;
-#endif /* KERBEROS */
- /* The rest of these are not for users. */
- case 'd':
- targetshouldbedirectory = 1;
- break;
-
- case 'f': /* "from" */
- iamremote = 1;
-#if defined(KERBEROS) && !defined(NOENCRYPTION)
- if (encryptflag) {
- answer_auth();
- krem = kstream_create_rcp_from_fd (rem,
- &schedule,
- &crypt_session_key);
- } else
- krem = kstream_create_from_fd (rem, 0, 0);
- if (krem == NULL) {
- error("rcp: out of memory\n");
- exit(1);
- }
- kstream_set_buffer_mode (krem, 0);
-#endif /* KERBEROS && !NOENCRYPTION */
- (void) response();
- if (setuid(userid)) {
- error("rcp: can't setuid(user)\n");
- exit(1);
- }
- source(--argc, ++argv);
- exit(errs);
-
- case 't': /* "to" */
- iamremote = 1;
-#if defined(KERBEROS) && !defined(NOENCRYPTION)
- if (encryptflag) {
- answer_auth();
- krem = kstream_create_rcp_from_fd (rem,
- &schedule,
- &crypt_session_key);
- } else
- krem = kstream_create_from_fd (rem, 0, 0);
- if (krem == NULL) {
- error("rcp: out of memory\n");
- exit(1);
- }
- kstream_set_buffer_mode (krem, 0);
-#endif /* KERBEROS && !NOENCRYPTION */
- if (setuid(userid)) {
- error("rcp: can't setuid(user)\n");
- exit(1);
- }
- sink(--argc, ++argv);
- exit(errs);
-
- default:
- usage();
- }
-#ifdef KERBEROS
- next_arg: ;
-#endif /* KERBEROS */
- }
- usage();
- return 1;
-}
-
-static void verifydir(cp)
- char *cp;
-{
- struct stat stb;
-
- if (stat(cp, &stb) >= 0) {
- if ((stb.st_mode & S_IFMT) == S_IFDIR)
- return;
- errno = ENOTDIR;
- }
- error("rcp: %s: %s.\n", cp, error_message(errno));
- exit(1);
-}
-
-void source(argc, argv)
- int argc;
- char **argv;
-{
- char *last, *name;
- struct stat stb;
- static struct buffer buffer;
- struct buffer *bp;
- int x, readerr, f;
- unsigned int amt;
- off_t i;
- char buf[BUFSIZ];
-
- for (x = 0; x < argc; x++) {
- name = argv[x];
- if ((f = open(name, 0)) < 0) {
- error("rcp: %s: %s\n", name, error_message(errno));
- continue;
- }
- if (fstat(f, &stb) < 0)
- goto notreg;
- switch (stb.st_mode&S_IFMT) {
-
- case S_IFREG:
- break;
-
- case S_IFDIR:
- if (iamrecursive) {
- (void) close(f);
- rsource(name, &stb);
- continue;
- }
- /* fall into ... */
- default:
-notreg:
- (void) close(f);
- error("rcp: %s: not a plain file\n", name);
- continue;
- }
- last = strrchr(name, '/');
- if (last == 0)
- last = name;
- else
- last++;
- if (pflag) {
- /*
- * Make it compatible with possible future
- * versions expecting microseconds.
- */
- (void) sprintf(buf, "T%ld 0 %ld 0\n",
- stb.st_mtime, stb.st_atime);
- kstream_write (krem, buf, strlen (buf));
- if (response() < 0) {
- (void) close(f);
- continue;
- }
- }
- (void) sprintf(buf, "C%04o %ld %s\n",
- (unsigned int) stb.st_mode&07777, (long) stb.st_size, last);
- kstream_write (krem, buf, strlen (buf));
- if (response() < 0) {
- (void) close(f);
- continue;
- }
- if ((bp = allocbuf(&buffer, f, BUFSIZ)) == NULLBUF) {
- (void) close(f);
- continue;
- }
- readerr = 0;
- for (i = 0; i < stb.st_size; i += bp->cnt) {
- amt = bp->cnt;
- if (i + amt > stb.st_size)
- amt = stb.st_size - i;
- if (readerr == 0 && read(f, bp->buf, amt) != amt)
- readerr = errno;
- kstream_write (krem, bp->buf, amt);
- }
- (void) close(f);
- if (readerr == 0)
- ga();
- else
- error("rcp: %s: %s\n", name, error_message(readerr));
- (void) response();
- }
-}
-
-#ifndef USE_DIRENT_H
-#include <sys/dir.h>
-#else
-#include <dirent.h>
-#endif
-
-void rsource(name, statp)
- char *name;
- struct stat *statp;
-{
- DIR *d = opendir(name);
- char *last;
- char buf[BUFSIZ];
- char *bufv[1];
-#ifdef USE_DIRENT_H
- struct dirent *dp;
-#else
- struct direct *dp;
-#endif
-
- if (d == 0) {
- error("rcp: %s: %s\n", name, error_message(errno));
- return;
- }
- last = strrchr(name, '/');
- if (last == 0)
- last = name;
- else
- last++;
- if (pflag) {
- (void) sprintf(buf, "T%ld 0 %ld 0\n",
- statp->st_mtime, statp->st_atime);
- kstream_write (krem, buf, strlen (buf));
- if (response() < 0) {
- closedir(d);
- return;
- }
- }
- (void) sprintf(buf, "D%04o %d %s\n",
- (unsigned int) statp->st_mode&07777, 0, last);
- kstream_write (krem, buf, strlen (buf));
- if (response() < 0) {
- closedir(d);
- return;
- }
- while ((dp = readdir(d))) {
- if (dp->d_ino == 0)
- continue;
- if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
- continue;
- if (strlen(name) + 1 + strlen(dp->d_name) >= BUFSIZ - 1) {
- error("%s/%s: Name too long.\n", name, dp->d_name);
- continue;
- }
- (void) sprintf(buf, "%s/%s", name, dp->d_name);
- bufv[0] = buf;
- source(1, bufv);
- }
- closedir(d);
- kstream_write (krem, "E\n", 2);
- (void) response();
-}
-
-int response()
-{
- char resp, c, rbuf[BUFSIZ], *cp = rbuf;
-
- if (kstream_read (krem, &resp, 1) != 1)
- lostconn(0);
- switch (resp) {
-
- case 0: /* ok */
- return (0);
-
- default:
- *cp++ = resp;
- /* fall into... */
- case 1: /* error, followed by err msg */
- case 2: /* fatal error, "" */
- do {
- if (kstream_read (krem, &c, 1) != 1)
- lostconn(0);
- *cp++ = c;
- } while (cp < &rbuf[BUFSIZ] && c != '\n');
- if (iamremote == 0)
- (void) write(2, rbuf, (unsigned) (cp - rbuf));
- errs++;
- if (resp == 1)
- return (-1);
- exit(1);
- }
- /*NOTREACHED*/
- return -1;
-}
-
-krb5_sigtype lostconn(signum)
- int signum;
-{
-
- if (iamremote == 0)
- fprintf(stderr, "rcp: lost connection\n");
- exit(1);
-}
-
-#if !defined(HAVE_UTIMES)
-#include <utime.h>
-#include <sys/time.h>
-
-/*
- * We emulate utimes() instead of utime() as necessary because
- * utimes() is more powerful than utime(), and rcp actually tries to
- * set the microsecond values; we don't want to take away
- * functionality unnecessarily.
- */
-int utimes(file, tvp)
-const char *file;
-struct timeval *tvp;
-{
- struct utimbuf times;
-
- times.actime = tvp[0].tv_sec;
- times.modtime = tvp[1].tv_sec;
- return(utime(file, ×));
-}
-#endif
-
-void sink(argc, argv)
- int argc;
- char **argv;
-{
- off_t i, j;
- char *targ, *whopp, *cp;
- int of, wrerr, exists, first, amt;
- mode_t mode;
- unsigned int count;
- off_t size;
- struct buffer *bp;
- static struct buffer buffer;
- struct stat stb;
- int targisdir = 0;
- mode_t mask = umask(0);
- char *myargv[1];
- char cmdbuf[BUFSIZ], nambuf[BUFSIZ];
- int setimes = 0;
- struct timeval tv[2];
-#define atime tv[0]
-#define mtime tv[1]
-#define SCREWUP(str) { whopp = str; goto screwup; }
-
- if (!pflag)
- (void) umask(mask);
- if (argc != 1) {
- error("rcp: ambiguous target\n");
- exit(1);
- }
- targ = *argv;
- if (targetshouldbedirectory)
- verifydir(targ);
- ga();
- if (stat(targ, &stb) == 0 && (stb.st_mode & S_IFMT) == S_IFDIR)
- targisdir = 1;
- for (first = 1; ; first = 0) {
- cp = cmdbuf;
- if (kstream_read (krem, cp, 1) <= 0)
- return;
- if (*cp++ == '\n')
- SCREWUP("unexpected '\\n'");
- do {
- if (kstream_read(krem, cp, 1) != 1)
- SCREWUP("lost connection");
- } while (*cp++ != '\n');
- *cp = 0;
- if (cmdbuf[0] == '\01' || cmdbuf[0] == '\02') {
- if (iamremote == 0)
- (void) write(2, cmdbuf+1, strlen(cmdbuf+1));
- if (cmdbuf[0] == '\02')
- exit(1);
- errs++;
- continue;
- }
- *--cp = 0;
- cp = cmdbuf;
- if (*cp == 'E') {
- ga();
- return;
- }
-
-#define getnum(t) (t) = 0; while (isdigit((int) *cp)) (t) = (t) * 10 + (*cp++ - '0');
- if (*cp == 'T') {
- setimes++;
- cp++;
- getnum(mtime.tv_sec);
- if (*cp++ != ' ')
- SCREWUP("mtime.sec not delimited");
- getnum(mtime.tv_usec);
- if (*cp++ != ' ')
- SCREWUP("mtime.usec not delimited");
- getnum(atime.tv_sec);
- if (*cp++ != ' ')
- SCREWUP("atime.sec not delimited");
- getnum(atime.tv_usec);
- if (*cp++ != '\0')
- SCREWUP("atime.usec not delimited");
- ga();
- continue;
- }
- if (*cp != 'C' && *cp != 'D') {
- /*
- * Check for the case "rcp remote:foo\* local:bar".
- * In this case, the line "No match." can be returned
- * by the shell before the rcp command on the remote is
- * executed so the ^Aerror_message convention isn't
- * followed.
- */
- if (first) {
- error("%s\n", cp);
- exit(1);
- }
- SCREWUP("expected control record");
- }
- cp++;
- mode = 0;
- for (; cp < cmdbuf+5; cp++) {
- if (*cp < '0' || *cp > '7')
- SCREWUP("bad mode");
- mode = (mode << 3) | (*cp - '0');
- }
- if (*cp++ != ' ')
- SCREWUP("mode not delimited");
- size = 0;
- while (isdigit((int) *cp))
- size = size * 10 + (*cp++ - '0');
- if (*cp++ != ' ')
- SCREWUP("size not delimited");
- if (targisdir) {
- if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
- (void) snprintf(nambuf, sizeof(nambuf),
- "%s%s%s", targ,
- *targ ? "/" : "", cp);
- } else {
- SCREWUP("target directory name too long");
- }
- } else {
- if (strlen(targ) + 1 < sizeof(nambuf))
- (void) strncpy(nambuf, targ, sizeof(nambuf)-1);
- else
- SCREWUP("target pathname too long");
- }
- nambuf[sizeof(nambuf)-1] = '\0';
- exists = stat(nambuf, &stb) == 0;
- if (cmdbuf[0] == 'D') {
- if (exists) {
- if ((stb.st_mode&S_IFMT) != S_IFDIR) {
- errno = ENOTDIR;
- goto bad;
- }
- if (pflag)
- (void) chmod(nambuf, mode);
- } else if (mkdir(nambuf, mode) < 0)
- goto bad;
- myargv[0] = nambuf;
- sink(1, myargv);
- if (setimes) {
- setimes = 0;
- if (utimes(nambuf, tv) < 0)
- error("rcp: can't set times on %s: %s\n",
- nambuf, error_message(errno));
- }
- continue;
- }
- if ((of = open(nambuf, O_WRONLY|O_CREAT|O_TRUNC, mode)) < 0) {
- bad:
- error("rcp: %s: %s\n", nambuf, error_message(errno));
- continue;
- }
-#ifdef NO_FCHMOD
- if (exists && pflag)
- (void) chmod(nambuf, mode);
-#else
- if (exists && pflag)
- (void) fchmod(of, mode);
-#endif
- ga();
- if ((bp = allocbuf(&buffer, of, BUFSIZ)) == NULLBUF) {
- (void) close(of);
- continue;
- }
- cp = bp->buf;
- count = 0;
- wrerr = 0;
- for (i = 0; i < size; i += BUFSIZ) {
- amt = BUFSIZ;
- if (i + amt > size)
- amt = size - i;
- count += amt;
- do {
- j = kstream_read(krem, cp, amt);
- if (j <= 0) {
- if (j == 0)
- error("rcp: dropped connection");
- else
- error("rcp: %s\n",
- error_message(errno));
- exit(1);
- }
- amt -= j;
- cp += j;
- } while (amt > 0);
- if (count == bp->cnt) {
- if (wrerr == 0 &&
- write(of, bp->buf, count) != count)
- wrerr++;
- count = 0;
- cp = bp->buf;
- }
- }
- if (count != 0 && wrerr == 0 &&
- write(of, bp->buf, count) != count)
- wrerr++;
-#ifndef __SCO__
- if (ftruncate(of, size))
- error("rcp: can't truncate %s: %s\n",
- nambuf, error_message(errno));
-#endif
- (void) close(of);
- (void) response();
- if (setimes) {
- setimes = 0;
- if (utimes(nambuf, tv) < 0)
- error("rcp: can't set times on %s: %s\n",
- nambuf, error_message(errno));
- }
- if (wrerr)
- error("rcp: %s: %s\n", nambuf, error_message(errno));
- else
- ga();
- }
-screwup:
- error("rcp: protocol screwup: %s\n", whopp);
- exit(1);
-}
-
-struct buffer *
-allocbuf(bp, fd, blksize)
- struct buffer *bp;
- int fd, blksize;
-{
- int size;
-#ifndef NOSTBLKSIZE
- struct stat stb;
-
- if (fstat(fd, &stb) < 0) {
- error("rcp: fstat: %s\n", error_message(errno));
- return (NULLBUF);
- }
- size = roundup(stb.st_blksize, blksize);
- if (size == 0)
-#endif
- size = blksize;
- if (bp->cnt < size) {
- if (bp->buf != 0)
- free(bp->buf);
- bp->buf = (char *)malloc((unsigned) size);
- if (bp->buf == 0) {
- error("rcp: malloc: out of memory\n");
- return (NULLBUF);
- }
- }
- bp->cnt = size;
- return (bp);
-}
-
-void
-error(char *fmt, ...)
-{
- va_list ap;
- char buf[BUFSIZ], *cp = buf;
-
- va_start(ap, fmt);
-
- errs++;
- *cp++ = 1;
- (void) vsnprintf(cp, sizeof(buf) - (cp-buf), fmt, ap);
- va_end(ap);
-
- if (krem)
- (void) kstream_write(krem, buf, strlen(buf));
- if (iamremote == 0)
- (void) write(2, buf+1, strlen(buf+1));
-}
-
-void usage()
-{
- fprintf(stderr,
-"v4rcp: this program only acts as a server, and is not for user function.\n");
- exit(1);
-}
-
-#ifdef KERBEROS
-
-char **
-save_argv(argc, argv)
-int argc;
-char **argv;
-{
- register int i;
-
- char **local_argv = (char **)calloc((unsigned) argc+1,
- (unsigned) sizeof(char *));
- /* allocate an extra pointer, so that it is initialized to NULL
- and execv() will work */
- for (i = 0; i < argc; i++)
- local_argv[i] = strsave(argv[i]);
- return(local_argv);
-}
-
-#ifndef HAVE_STRSAVE
-static char *
-strsave(sp)
-char *sp;
-{
- register char *ret;
-
- ret = strdup(sp);
- if (ret == NULL) {
- fprintf(stderr, "rcp: no memory for saving args\n");
- exit(1);
- }
- return ret;
-}
-#endif
-
-#ifndef NOENCRYPTION
-#undef rem
-#define rem 0
-
-void
-answer_auth()
-{
- int status;
- long authopts = KOPT_DO_MUTUAL;
- char instance[INST_SZ];
- char version[9];
- char *srvtab;
- char *envaddr;
-
-#if 0
- int sin_len;
-
- sin_len = sizeof (struct sockaddr_in);
- if (getpeername(rem, &foreign, &sin_len) < 0) {
- perror("getpeername");
- exit(1);
- }
-
- sin_len = sizeof (struct sockaddr_in);
- if (getsockname(rem, &local, &sin_len) < 0) {
- perror("getsockname");
- exit(1);
- }
-#else
- if ((envaddr = getenv("KRB5LOCALADDR"))) {
-#ifdef HAVE_INET_ATON
- inet_aton(envaddr, &local.sin_addr);
-#else
- local.sin_addr.s_addr = inet_addr(envaddr);
-#endif
- local.sin_family = AF_INET;
- envaddr = getenv("KRB5LOCALPORT");
- if (envaddr)
- local.sin_port = htons(atoi(envaddr));
- else
- local.sin_port = 0;
- } else {
- fprintf(stderr, "v4rcp: couldn't get local address (KRB5LOCALADDR)\n");
- exit(1);
- }
- if ((envaddr = getenv("KRB5REMOTEADDR"))) {
-#ifdef HAVE_INET_ATON
- inet_aton(envaddr, &foreign.sin_addr);
-#else
- foreign.sin_addr.s_addr = inet_addr(envaddr);
-#endif
- foreign.sin_family = AF_INET;
- envaddr = getenv("KRB5REMOTEPORT");
- if (envaddr)
- foreign.sin_port = htons(atoi(envaddr));
- else
- foreign.sin_port = 0;
- } else {
- fprintf(stderr, "v4rcp: couldn't get remote address (KRB5REMOTEADDR)\n");
- exit(1);
- }
-
-#endif
- strcpy(instance, "*");
-
- /* If rshd was invoked with the -s argument, it will set the
- environment variable KRB_SRVTAB. We use that to get the
- srvtab file to use. If we do use the environment variable,
- we reset to our real user ID (which will already have been
- set up by rsh). Since rcp is setuid root, we would
- otherwise have a security hole. If we are using the normal
- srvtab (KEYFILE in krb.h, normally set to /etc/krb-srvtab),
- we must keep our effective uid of root, because that file
- can only be read by root. */
- srvtab = (char *) getenv("KRB_SRVTAB");
- if (srvtab == NULL)
- srvtab = "";
- if (*srvtab != '\0')
- (void) setuid (userid);
-
- if ((status = krb_recvauth(authopts, rem, &ticket, "rcmd", instance,
- &foreign,
- &local,
- &kdata,
- srvtab,
- schedule,
- version)) != KSUCCESS) {
- fprintf(stderr, "krb_recvauth mutual fail: %s\n",
- krb_get_err_text(status));
- exit(1);
- }
- memcpy(&crypt_session_key, &kdata.session, sizeof (crypt_session_key));
- return;
-}
-#endif /* !NOENCRYPTION */
-
-#endif /* KERBEROS */
Copied: branches/mkey_migrate/src/appl/deps (from rev 21721, trunk/src/appl/deps)
Modified: branches/mkey_migrate/src/appl/gss-sample/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/gss-sample/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gss-sample/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -49,17 +49,3 @@
install-unix::
$(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client
$(INSTALL_PROGRAM) gss-server $(DESTDIR)$(SERVER_BINDIR)/gss-server
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)gss-client.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h gss-client.c \
- gss-misc.h
-$(OUTPRE)gss-misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- gss-misc.c gss-misc.h
-$(OUTPRE)gss-server.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(SRCTOP)/include/port-sockets.h gss-misc.h gss-server.c
Copied: branches/mkey_migrate/src/appl/gss-sample/deps (from rev 21721, trunk/src/appl/gss-sample/deps)
Modified: branches/mkey_migrate/src/appl/gss-sample/gss-client.c
===================================================================
--- branches/mkey_migrate/src/appl/gss-sample/gss-client.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gss-sample/gss-client.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -567,20 +567,24 @@
static void
parse_oid(char *mechanism, gss_OID * oid)
{
- char *mechstr = 0, *cp;
+ char *mechstr = 0;
gss_buffer_desc tok;
OM_uint32 maj_stat, min_stat;
+ size_t i, mechlen = strlen(mechanism);
if (isdigit((int) mechanism[0])) {
- mechstr = malloc(strlen(mechanism) + 5);
+ mechstr = malloc(mechlen + 5);
if (!mechstr) {
fprintf(stderr, "Couldn't allocate mechanism scratch!\n");
return;
}
- sprintf(mechstr, "{ %s }", mechanism);
- for (cp = mechstr; *cp; cp++)
- if (*cp == '.')
- *cp = ' ';
+ mechstr[0] = '{';
+ mechstr[1] = ' ';
+ for (i = 0; i < mechlen; i++)
+ mechstr[i + 2] = (mechanism[i] == '.') ? ' ' : mechanism[i];
+ mechstr[mechlen + 2] = ' ';
+ mechstr[mechlen + 3] = ' ';
+ mechstr[mechlen + 4] = '\0';
tok.value = mechstr;
} else
tok.value = mechanism;
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -21,20 +21,13 @@
$(OUTPRE)main.$(OBJEXT) $(OUTPRE)radix.$(OBJEXT) \
$(OUTPRE)ruserpass.$(OBJEXT) $(OUTPRE)secure.$(OBJEXT)
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
-#
-# We cannot have @KRB4_INCLUDES@ under Windows, since we do not use
-# configure, so we redefine LOCALINCLUDES not to have that.
-#
-
-##WIN32##LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
-
all-unix:: ftp
all-windows:: $(OUTPRE)ftp.exe
ftp: $(OBJS) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB4COMPAT_LIBS)
+ $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB5_BASE_LIBS)
$(OUTPRE)ftp.exe: $(OBJS) $(GLIB) $(KLIB)
link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib advapi32.lib $(SCLIB)
@@ -70,35 +63,3 @@
secure.o: $(srcdir)/secure.c
# NOPOSTFIX
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)cmds.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(srcdir)/../arpa/ftp.h \
- cmds.c ftp_var.h pathnames.h
-$(OUTPRE)cmdtab.$(OBJEXT): cmdtab.c ftp_var.h
-$(OUTPRE)domacro.$(OBJEXT): domacro.c ftp_var.h
-$(OUTPRE)ftp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/port-sockets.h $(srcdir)/../arpa/ftp.h \
- $(srcdir)/../arpa/telnet.h ftp.c ftp_var.h secure.h
-$(OUTPRE)getpass.$(OBJEXT): ftp_var.h getpass.c
-$(OUTPRE)glob.$(OBJEXT): ftp_var.h glob.c
-$(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/port-sockets.h $(srcdir)/../arpa/ftp.h \
- ftp_var.h main.c
-$(OUTPRE)radix.$(OBJEXT): ftp_var.h radix.c
-$(OUTPRE)ruserpass.$(OBJEXT): ftp_var.h ruserpass.c
-$(OUTPRE)secure.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(srcdir)/../arpa/ftp.h secure.c secure.h
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/cmds.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/cmds.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/cmds.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,6 +66,8 @@
#include <ctype.h>
#include <time.h>
+#include <k5-platform.h>
+
#ifdef HAVE_GETCWD
#define getwd(x) getcwd(x,MAXPATHLEN)
#endif
@@ -182,7 +184,7 @@
form = FORM_N;
mode = MODE_S;
stru = STRU_F;
- (void) strcpy(bytename, "8"), bytesize = 8;
+ (void) strlcpy(bytename, "8", sizeof(bytename)), bytesize = 8;
if (autoauth) {
if (do_auth() && autoencrypt) {
clevel = PROT_P;
@@ -1615,9 +1617,7 @@
namep = strrchr(shellprog,'/');
if (namep == NULL)
namep = shellprog;
- (void) strcpy(shellnam,"-");
- (void) strncat(shellnam, ++namep, sizeof(shellnam) - 1 - strlen(shellnam));
- shellnam[sizeof(shellnam) - 1] = '\0';
+ (void) snprintf(shellnam, sizeof(shellnam), "-%s", ++namep);
if (strcmp(namep, "sh") != 0)
shellnam[0] = '+';
if (debug) {
Copied: branches/mkey_migrate/src/appl/gssftp/ftp/deps (from rev 21721, trunk/src/appl/gssftp/ftp/deps)
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/ftp.M
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/ftp.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/ftp.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -94,10 +94,6 @@
.B \-g
Disables file name globbing.
.TP
-\fB\-k\fP \fIrealm\fP
-When using Kerberos v4 authentication, gets tickets in
-.IR realm .
-.TP
.B \-f
Causes credentials to be forwarded to the remote host.
.TP
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/ftp.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/ftp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/ftp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -88,11 +88,8 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
#include <netdb.h>
-#endif
#include <sys/time.h>
#include <sys/file.h>
#ifdef HAVE_SYS_SELECT_H
@@ -124,14 +121,8 @@
#define L_INCR 1
#endif
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
+#include <k5-platform.h>
-KTEXT_ST ticket;
-CREDENTIALS cred;
-Key_schedule schedule;
-MSG_DAT msg_data;
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
#include <gssapi/gssapi.h>
/* need to include the krb5 file, because we're doing manual fallback
@@ -411,7 +402,7 @@
return(1);
for (n = 0; n < macnum; ++n) {
if (!strcmp("init", macros[n].mac_name)) {
- (void) strcpy(line, "$init");
+ (void) strlcpy(line, "$init", sizeof(line));
makeargv();
domacro(margc, margv);
break;
@@ -436,20 +427,6 @@
int length;
if (auth_type && clevel != PROT_C) {
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0)
- if ((length = clevel == PROT_P ?
- krb_mk_priv((unsigned char *)cmd, (unsigned char *)out,
- strlen(cmd), schedule,
- &cred.session, &myctladdr, &hisctladdr)
- : krb_mk_safe((unsigned char *)cmd, (unsigned char *)out,
- strlen(cmd), &cred.session,
- &myctladdr, &hisctladdr)) == -1) {
- fprintf(stderr, "krb_mk_%s failed for KERBEROS_V4\n",
- clevel == PROT_P ? "priv" : "safe");
- return(0);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* secure_command (based on level) */
if (strcmp(auth_type, "GSSAPI") == 0) {
@@ -528,7 +505,7 @@
}
oldintr = signal(SIGINT, cmdabort);
va_start(ap, fmt);
- vsprintf(in, fmt, ap);
+ vsnprintf(in, FTP_BUFSIZ, fmt, ap);
va_end(ap);
again: if (secure_command(in) == 0)
return(0);
@@ -692,39 +669,6 @@
code, radix_error(kerror), obuf);
n = '5';
}
-#ifdef KRB5_KRB4_COMPAT
- else if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if (safe)
- kerror = krb_rd_safe((unsigned char *)ibuf,
- (unsigned int) len,
- &cred.session,
- &hisctladdr,
- &myctladdr, &msg_data);
- else
- kerror = krb_rd_priv((unsigned char *)ibuf,
- (unsigned int) len,
- schedule, &cred.session,
- &hisctladdr, &myctladdr,
- &msg_data);
- if (kerror != KSUCCESS) {
- printf("%d reply %s! (krb_rd_%s: %s)\n", code,
- safe ? "modified" : "garbled",
- safe ? "safe" : "priv",
- krb_get_err_text(kerror));
- n = '5';
- } else {
- if (debug) printf("%c:", safe ? 'S' : 'P');
- if(msg_data.app_length < sizeof(ibuf) - 2) {
- memmove(ibuf, msg_data.app_data,
- msg_data.app_length);
- strcpy(&ibuf[msg_data.app_length], "\r\n");
- } else {
- printf("Message too long!");
- }
- continue;
- }
- }
-#endif
#ifdef GSSAPI
else if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc xmit_buf, msg_buf;
@@ -745,7 +689,7 @@
if(msg_buf.length < sizeof(ibuf) - 2 - 1) {
memcpy(ibuf, msg_buf.value,
msg_buf.length);
- strcpy(&ibuf[msg_buf.length], "\r\n");
+ memcpy(&ibuf[msg_buf.length], "\r\n", 3);
} else {
user_gss_error(maj_stat, min_stat,
"reply was too long");
@@ -1661,10 +1605,6 @@
char *authtype;
int clvl;
int dlvl;
-#ifdef KRB5_KRB4_COMPAT
- C_Block session;
- Key_schedule schedule;
-#endif /* KRB5_KRB4_COMPAT */
} proxstruct, tmpstruct;
struct comvars *ip, *op;
@@ -1742,12 +1682,6 @@
clevel = PROT_C;
if (!dlevel)
dlevel = PROT_C;
-#ifdef KRB5_KRB4_COMPAT
- memcpy(ip->session, cred.session, sizeof(cred.session));
- memcpy(cred.session, op->session, sizeof(cred.session));
- memcpy(ip->schedule, schedule, sizeof(schedule));
- memcpy(schedule, op->schedule, sizeof(schedule));
-#endif /* KRB5_KRB4_COMPAT */
(void) signal(SIGINT, oldintr);
if (abrtflag) {
abrtflag = 0;
@@ -1953,10 +1887,6 @@
return(new);
}
-#ifdef KRB5_KRB4_COMPAT
-char realm[REALM_SZ + 1];
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef GSSAPI
static const struct {
gss_OID mech_type;
@@ -1971,14 +1901,10 @@
int do_auth()
{
int oldverbose = verbose;
-#ifdef KRB5_KRB4_COMPAT
- char *service, inst[INST_SZ];
- KRB4_32 cksum, checksum = getpid();
-#endif /* KRB5_KRB4_COMPAT */
-#if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI)
+#ifdef GSSAPI
u_char out_buf[FTP_BUFSIZ];
int i;
-#endif /* KRB5_KRB4_COMPAT */
+#endif /* GSSAPI */
if (auth_type) return(1); /* auth already succeeded */
@@ -2009,7 +1935,8 @@
for (trial = 0; trial < n_gss_trials; trial++) {
/* ftp at hostname first, the host at hostname */
/* the V5 GSSAPI binding canonicalizes this for us... */
- sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, hostname);
+ snprintf(stbuf, sizeof(stbuf), "%s@%s",
+ gss_trials[trial].service_name, hostname);
if (debug)
fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);
@@ -2128,69 +2055,7 @@
}
}
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- if (command("AUTH %s", "KERBEROS_V4") == CONTINUE) {
- if (verbose)
- printf("%s accepted as authentication type\n", "KERBEROS_V4");
- strncpy(inst, (char *) krb_get_phost(hostname), sizeof(inst) - 1);
- inst[sizeof(inst) - 1] = '\0';
- if (realm[0] == '\0')
- strncpy(realm, (char *) krb_realmofhost(hostname), sizeof(realm) - 1);
- realm[sizeof(realm) - 1] = '\0';
- if ((kerror = krb_mk_req(&ticket, service = "ftp",
- inst, realm, checksum))
- && (kerror != KDC_PR_UNKNOWN ||
- (kerror = krb_mk_req(&ticket, service = "rcmd",
- inst, realm, checksum))))
- fprintf(stderr, "Kerberos V4 krb_mk_req failed: %s\n",
- krb_get_err_text(kerror));
- else if ((kerror = krb_get_cred(service, inst, realm, &cred)))
- fprintf(stderr, "Kerberos V4 krb_get_cred failed: %s\n",
- krb_get_err_text(kerror));
- else {
- key_sched(cred.session, schedule);
- reply_parse = "ADAT=";
- oldverbose = verbose;
- verbose = 0;
- i = ticket.length;
- if ((kerror = radix_encode(ticket.dat, out_buf, &i, 0)))
- fprintf(stderr, "Base 64 encoding failed: %s\n",
- radix_error(kerror));
- else if (command("ADAT %s", out_buf) != COMPLETE)
- fprintf(stderr, "Kerberos V4 authentication failed\n");
- else if (!reply_parse)
- fprintf(stderr,
- "No authentication data received from server\n");
- else if ((kerror = radix_encode((unsigned char *)reply_parse, out_buf, &i, 1)))
- fprintf(stderr, "Base 64 decoding failed: %s\n",
- radix_error(kerror));
- else if ((kerror = krb_rd_safe(out_buf, (unsigned )i,
- &cred.session,
- &hisctladdr, &myctladdr,
- &msg_data)))
- fprintf(stderr, "Kerberos V4 krb_rd_safe failed: %s\n",
- krb_get_err_text(kerror));
- else {
- /* fetch the (modified) checksum */
- (void) memcpy(&cksum, msg_data.app_data, sizeof(cksum));
- if (ntohl(cksum) == checksum + 1) {
- verbose = oldverbose;
- if (verbose)
- printf("Kerberos V4 authentication succeeded\n");
- reply_parse = NULL;
- auth_type = "KERBEROS_V4";
- return(1);
- } else fprintf(stderr,
- "Kerberos V4 mutual authentication failed\n");
- }
- verbose = oldverbose;
- reply_parse = NULL;
- }
- } else fprintf(stderr, "%s rejected as an authentication type\n",
- "KERBEROS_V4");
-#endif /* KRB5_KRB4_COMPAT */
-
/* Other auth types go here ... */
return(0);
@@ -2233,7 +2098,7 @@
* send IAC in urgent mode instead of DM because 4.3BSD places oob mark
* after urgent byte rather than before as is protocol now
*/
- sprintf(buf, "%c%c%c", IAC, IP, IAC);
+ snprintf(buf, sizeof(buf), "%c%c%c", IAC, IP, IAC);
if (send(SOCKETNO(fileno(cout)), buf, 3, MSG_OOB) != 3)
PERROR_SOCKET("abort");
putc(DM, cout);
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/glob.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/glob.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/glob.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -57,6 +57,8 @@
#include <limits.h>
#endif
+#include <k5-platform.h>
+
#include "ftp_var.h"
#ifdef ARG_MAX
@@ -211,7 +213,8 @@
*gpathp = 0;
if (gethdir(gpath + 1))
globerr = "Unknown user name after ~";
- (void) strcpy(gpath, gpath + 1);
+ (void) memmove(gpath, gpath + 1,
+ strlen(gpath));
} else
(void) strncpy(gpath, home, FTP_BUFSIZ - 1);
gpath[FTP_BUFSIZ - 1] = '\0';
@@ -258,10 +261,7 @@
char *base = *gpath ? gpath : ".";
char *buffer = 0;
- buffer = malloc(strlen(base) + strlen("\\*") + 1);
- if (!buffer) return;
- strcpy(buffer, base);
- strcat(buffer, "\\*");
+ if (asprintf(&buffer, "%s\\*", base) < 0) return;
hFile = FindFirstFile(buffer, &file_data);
if (hFile == INVALID_HANDLE_VALUE) {
if (!globbed)
@@ -732,12 +732,10 @@
strspl(cp, dp)
register char *cp, *dp;
{
- register char *ep = malloc((unsigned)(strlen(cp) + strlen(dp) + 1));
+ char *ep;
- if (ep == (char *)0)
+ if (asprintf(&ep, "%s%s", cp, dp) < 0)
fatal("Out of memory");
- (void) strcpy(ep, cp);
- (void) strcat(ep, dp);
return (ep);
}
@@ -775,10 +773,12 @@
char *mhome;
{
register struct passwd *pp = getpwnam(mhome);
+ size_t bufsize = lastgpathp - mhome;
- if (!pp || ((mhome + strlen(pp->pw_dir)) >= lastgpathp))
+ if (!pp)
return (1);
- (void) strcpy(mhome, pp->pw_dir);
+ if (strlcpy(mhome, pp->pw_dir, bufsize) >= bufsize)
+ return (1);
return (0);
}
#endif
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/main.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -55,11 +55,8 @@
#include <signal.h>
#include "ftp_var.h"
#ifndef _WIN32
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
#include <netdb.h>
-#endif
#include <sys/ioctl.h>
#include <sys/types.h>
#include <pwd.h>
@@ -90,11 +87,6 @@
sigtype intr (int), lostpeer (int);
extern char *home;
char *getlogin();
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
-struct servent staticsp;
-extern char realm[];
-#endif /* KRB5_KRB4_COMPAT */
static void cmdscanner (int);
static char *slurpstring (void);
@@ -126,12 +118,6 @@
fprintf(stderr, "ftp: ftp/tcp: unknown service\n");
exit(1);
}
-#ifdef KRB5_KRB4_COMPAT
-/* GDM need to static sp so that the information is not lost
- when kerberos calls getservbyname */
- memcpy(&staticsp,sp,sizeof(struct servent));
- sp = &staticsp;
-#endif /* KRB5_KRB4_COMPAT */
doglob = 1;
interactive = 1;
autoauth = 1;
@@ -148,19 +134,6 @@
debug++;
break;
-#ifdef KRB5_KRB4_COMPAT
- case 'k':
- if (*++cp != '\0')
- strncpy(realm, ++cp, REALM_SZ);
- else if (argc > 1) {
- argc--, argv++;
- strncpy(realm, *argv, REALM_SZ);
- }
- else
- fprintf(stderr, "ftp: -k expects arguments\n");
- goto nextopt;
-#endif
-
case 'v':
verbose++;
break;
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/ruserpass.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/ruserpass.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/ruserpass.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -136,7 +136,7 @@
hdir = getenv("HOME");
if (hdir == NULL)
hdir = ".";
- (void) sprintf(buf, "%s/.netrc", hdir);
+ (void) snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
cfile = fopen(buf, "r");
if (cfile == NULL) {
if (errno != ENOENT)
@@ -187,8 +187,7 @@
case LOGIN:
if (token()) {
if (*aname == 0) {
- *aname = malloc((unsigned) strlen(tokval) + 1);
- (void) strcpy(*aname, tokval);
+ *aname = strdup(tokval);
} else {
if (strcmp(*aname, tokval))
goto next;
@@ -204,8 +203,7 @@
goto bad;
}
if (token() && *apass == 0) {
- *apass = malloc((unsigned) strlen(tokval) + 1);
- (void) strcpy(*apass, tokval);
+ *apass = strdup(tokval);
}
break;
case ACCOUNT:
@@ -216,8 +214,7 @@
goto bad;
}
if (token() && *aacct == 0) {
- *aacct = malloc((unsigned) strlen(tokval) + 1);
- (void) strcpy(*aacct, tokval);
+ *aacct = strdup(tokval);
}
break;
case MACDEF:
Modified: branches/mkey_migrate/src/appl/gssftp/ftp/secure.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftp/secure.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftp/secure.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -13,15 +13,6 @@
#include <secure.h> /* stuff which is specific to client or server */
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
-
-CRED_DECL
-extern KTEXT_ST ticket;
-extern MSG_DAT msg_data;
-extern Key_schedule schedule;
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef _WIN32
#undef ERROR
#endif
@@ -82,21 +73,6 @@
static unsigned int smaxqueue; /* Maximum allowed to queue before
flush buffer. < smaxbuf by fudgefactor */
-#ifdef KRB5_KRB4_COMPAT
-#define KRB4_FUDGE_FACTOR 32 /* Amount of growth
- * from cleartext to ciphertext.
- * krb_mk_priv adds this # bytes.
- * Must be defined for each auth type.
- */
-#endif /* KRB5_KRB4_COMPAT */
-
-#ifdef KRB5_KRB4_COMPAT
-/* XXX - The following must be redefined if KERBEROS_V4 is not used
- * but some other auth type is. They must have the same properties. */
-#define looping_write krb_net_write
-#define looping_read krb_net_read
-#endif
-
/* perhaps use these in general, certainly use them for GSSAPI */
#ifndef looping_write
@@ -167,12 +143,6 @@
smaxbuf = maxbuf;
smaxqueue = maxbuf;
-#ifdef KRB5_KRB4_COMPAT
- /* For KRB4 - we know the fudge factor to be 32 */
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- smaxqueue = smaxbuf - KRB4_FUDGE_FACTOR;
- }
-#endif
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
OM_uint32 maj_stat, min_stat, mlen;
@@ -289,31 +259,6 @@
buffer lengths required */
/* Other auth types go here ... */
-#ifdef KRB5_KRB4_COMPAT
- if (bufsize < nbyte + fudge) {
- if (outbuf?
- (outbuf = realloc(outbuf, (unsigned) (nbyte + fudge))):
- (outbuf = malloc((unsigned) (nbyte + fudge)))) {
- bufsize = nbyte + fudge;
- } else {
- bufsize = 0;
- secure_error("%s (in malloc of PROT buffer)",
- strerror(errno));
- return(ERR);
- }
- }
-
- if (strcmp(auth_type, "KERBEROS_V4") == 0)
- if ((length = dlevel == PROT_P ?
- krb_mk_priv(buf, (unsigned char *) outbuf, nbyte, schedule,
- SESSION, &myaddr, &hisaddr)
- : krb_mk_safe(buf, (unsigned char *) outbuf, nbyte, SESSION,
- &myaddr, &hisaddr)) == -1) {
- secure_error("krb_mk_%s failed for KERBEROS_V4",
- dlevel == PROT_P ? "priv" : "safe");
- return(ERR);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc in_buf, out_buf;
@@ -392,22 +337,6 @@
return(ERR);
}
/* Other auth types go here ... */
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if ((kerror = dlevel == PROT_P ?
- krb_rd_priv(ucbuf, length, schedule, SESSION,
- &hisaddr, &myaddr, &msg_data)
- : krb_rd_safe(ucbuf, length, SESSION,
- &hisaddr, &myaddr, &msg_data))) {
- secure_error("krb_rd_%s failed for KERBEROS_V4 (%s)",
- dlevel == PROT_P ? "priv" : "safe",
- krb_get_err_text(kerror));
- return(ERR);
- }
- memmove(ucbuf, msg_data.app_data, msg_data.app_length);
- nin = bufp = msg_data.app_length;
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc xmit_buf, msg_buf;
Modified: branches/mkey_migrate/src/appl/gssftp/ftpd/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftpd/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftpd/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,12 +25,12 @@
OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \
secure.o $(LIBOBJS) $(SETENVOBJ)
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
all:: ftpd
-ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB4COMPAT_LIBS)
+ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS)
generate-files-mac: ftpcmd.c
@@ -76,36 +76,3 @@
vers.o: $(srcdir)/vers.c
# NOPOSTFIX
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)ftpd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-util.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(srcdir)/../arpa/ftp.h $(srcdir)/../arpa/telnet.h \
- ftpd.c ftpd_var.h pathnames.h secure.h
-$(OUTPRE)ftpcmd.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(srcdir)/../arpa/ftp.h \
- $(srcdir)/../arpa/telnet.h ftpcmd.c ftpd_var.h
-$(OUTPRE)popen.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h ftpd_var.h \
- popen.c
-$(OUTPRE)vers.$(OBJEXT): vers.c
-$(OUTPRE)glob.$(OBJEXT): $(srcdir)/../ftp/ftp_var.h \
- $(srcdir)/../ftp/glob.c
-$(OUTPRE)radix.$(OBJEXT): $(srcdir)/../ftp/ftp_var.h \
- $(srcdir)/../ftp/radix.c
-$(OUTPRE)secure.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(srcdir)/../arpa/ftp.h $(srcdir)/../ftp/secure.c secure.h
-$(OUTPRE)getdtablesize.$(OBJEXT): $(srcdir)/../../bsd/getdtablesize.c
Copied: branches/mkey_migrate/src/appl/gssftp/ftpd/deps (from rev 21721, trunk/src/appl/gssftp/ftpd/deps)
Modified: branches/mkey_migrate/src/appl/gssftp/ftpd/ftpcmd.y
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftpd/ftpcmd.y 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftpd/ftpcmd.y 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,6 +66,7 @@
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
+#include <k5-buf.h>
#include "ftpd_var.h"
@@ -75,13 +76,6 @@
unsigned char *ucbuf;
static int kerror; /* XXX needed for all auth types */
-#ifdef KRB5_KRB4_COMPAT
-extern struct sockaddr_in his_addr, ctrl_addr;
-#include <krb.h>
-extern AUTH_DAT kdata;
-extern Key_schedule schedule;
-extern MSG_DAT msg_data;
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
@@ -1089,27 +1083,6 @@
if (debug) syslog(LOG_DEBUG, "getline got %d from %s <%s>\n",
len, cs, mic?"MIC":"ENC");
clevel = mic ? PROT_S : PROT_P;
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if ((kerror = mic ?
- krb_rd_safe((unsigned char *)out, len, &kdata.session,
- &his_addr, &ctrl_addr, &msg_data)
- : krb_rd_priv((unsigned char *)out, len, schedule,
- &kdata.session, &his_addr, &ctrl_addr, &msg_data))
- != KSUCCESS) {
- reply(535, "%s! (%s)",
- mic ? "MIC command modified" : "ENC command garbled",
- krb_get_err_text(kerror));
- syslog(LOG_ERR,"%s failed: %s",
- mic ? "MIC krb_rd_safe" : "ENC krb_rd_priv",
- krb_get_err_text(kerror));
- *s = '\0';
- return(s);
- }
- (void) memcpy(s, msg_data.app_data, msg_data.app_length);
- (void) strcpy(s+msg_data.app_length, "\r\n");
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* we know this is a MIC or ENC already, and out/len already has the bits */
if (strcmp(auth_type, "GSSAPI") == 0) {
@@ -1139,7 +1112,7 @@
}
memcpy(s, msg_buf.value, msg_buf.length);
- strcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n");
+ memcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n", 3);
gss_release_buffer(&min_stat, &msg_buf);
}
#endif /* GSSAPI */
@@ -1157,7 +1130,7 @@
}
}
-#if defined KRB5_KRB4_COMPAT || defined GSSAPI /* or other auth types */
+#ifdef GSSAPI /* or other auth types */
else { /* !auth_type */
if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3)))
#ifndef NOCONFIDENTIAL
@@ -1169,7 +1142,7 @@
return(s);
}
}
-#endif /* KRB5_KRB4_COMPAT || GSSAPI */
+#endif GSSAPI
if (debug) {
if (!strncmp(s, "PASS ", 5) && !guest)
@@ -1438,10 +1411,9 @@
{
char *p;
- p = malloc((unsigned) strlen(s) + 1);
+ p = strdup(s);
if (p == NULL)
fatal("Ran out of memory.");
- (void) strcpy(p, s);
return (p);
}
@@ -1471,6 +1443,7 @@
if (s == 0) {
register int i, j, w;
int columns, lines;
+ struct k5buf buf;
lreply(214, "The following %scommands are recognized %s.",
ftype, "(* =>'s unimplemented)");
@@ -1479,16 +1452,18 @@
columns = 1;
lines = (NCMDS + columns - 1) / columns;
for (i = 0; i < lines; i++) {
- strcpy(str, " ");
+ krb5int_buf_init_fixed(&buf, str, sizeof(str));
+ krb5int_buf_add(&buf, " ");
for (j = 0; j < columns; j++) {
c = ctab + j * lines + i;
- sprintf(&str[strlen(str)], "%s%c", c->name,
- c->implemented ? ' ' : '*');
+ krb5int_buf_add_fmt(&buf, "%s%c", c->name,
+ c->implemented ? ' '
+ : '*');
if (c + lines >= &ctab[NCMDS])
break;
w = strlen(c->name) + 1;
while (w < width) {
- strcat(str, " ");
+ krb5int_buf_add(&buf, " ");
w++;
}
}
Modified: branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.M
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -128,12 +128,6 @@
file to use. The default value is normally set by
.IR /etc/krb5.conf .
.TP
-\fB\-s\fP \fIsrvtab\fP
-Sets the name of the
-.I srvtab
-file to use for Kerberos V4 authentication. The default value is normally
-.IR /etc/srvtab .
-.TP
\fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}
Controls the form of the remote hostname passed to login(1).
Specifying \fBip\fP results in the numeric IP address always being
Modified: branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.c
===================================================================
--- branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/gssftp/ftpd/ftpd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -47,10 +47,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
-#endif
#include <sys/wait.h>
#include <sys/file.h>
#include <netinet/in.h>
@@ -80,10 +77,7 @@
#define sigsetjmp(j,s) setjmp(j)
#define siglongjmp longjmp
#endif
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <netdb.h>
-#endif
#include <errno.h>
#include <syslog.h>
#include <unistd.h>
@@ -102,6 +96,8 @@
#include "pathnames.h"
#include <libpty.h>
+#include <k5-platform.h>
+
#ifdef NEED_SETENV
extern int setenv(char *, char *, int);
#endif
@@ -127,18 +123,6 @@
#include <k5-util.h>
#include "port-sockets.h"
-#ifdef KRB5_KRB4_COMPAT
-#include <krb5.h>
-#include <krb.h>
-
-AUTH_DAT kdata;
-KTEXT_ST ticket;
-MSG_DAT msg_data;
-Key_schedule schedule;
-char *keyfile;
-static char *krb4_services[] = { "ftp", "rcmd", NULL };
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
@@ -160,7 +144,7 @@
char *auth_type; /* Authentication succeeded? If so, what type? */
static char *temp_auth_type;
-int authorized; /* Auth succeeded and was accepted by krb4 or gssapi */
+int authorized; /* Auth succeeded and was accepted by gssapi */
int have_creds; /* User has credentials on disk */
/*
@@ -292,16 +276,9 @@
int addrlen, c, on = 1, tos, port = -1;
extern char *optarg;
extern int optopt;
-#ifdef KRB5_KRB4_COMPAT
- char *option_string = "AaCcdElp:r:s:T:t:U:u:vw:";
-#else /* !KRB5_KRB4_COMPAT */
char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
-#endif /* KRB5_KRB4_COMPAT */
ftpusers = _PATH_FTPUSERS_DEFAULT;
-#ifdef KRB5_KRB4_COMPAT
- keyfile = KEYFILE;
-#endif /* KRB5_KRB4_COMPAT */
debug = 0;
#ifdef SETPROCTITLE
/*
@@ -361,12 +338,6 @@
setenv("KRB_CONF", optarg, 1);
break;
-#ifdef KRB5_KRB4_COMPAT
- case 's':
- keyfile = optarg;
- break;
-#endif /* KRB5_KRB4_COMPAT */
-
case 't':
timeout = atoi(optarg);
if (maxtimeout < timeout)
@@ -572,14 +543,13 @@
sgetsave(s)
char *s;
{
- char *new = malloc((unsigned) strlen(s) + 1);
+ char *new = strdup(s);
if (new == NULL) {
perror_reply(421, "Local resource failure: malloc");
dologout(1);
/* NOTREACHED */
}
- (void) strcpy(new, s);
return (new);
}
@@ -772,37 +742,14 @@
syslog(LOG_ERR, "user: username too long");
name = "[username too long]";
}
- sprintf(buf, "GSSAPI user %s is%s authorized as %s",
+ snprintf(buf, sizeof(buf),
+ "GSSAPI user %s is%s authorized as %s",
(char *) client_name.value,
authorized ? "" : " not",
name);
}
-#ifdef KRB5_KRB4_COMPAT
- else
-#endif /* KRB5_KRB4_COMPAT */
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) {
- int len;
- authorized = kuserok(&kdata,name) == 0;
- len = sizeof("Kerberos user .@ is not authorized as "
- "; Password required.")
- + strlen(kdata.pname)
- + strlen(kdata.pinst)
- + strlen(kdata.prealm)
- + strlen(name);
- if (len >= sizeof(buf)) {
- syslog(LOG_ERR, "user: username too long");
- name = "[username too long]";
- }
- sprintf(buf, "Kerberos user %s%s%s@%s is%s authorized as %s",
- kdata.pname, *kdata.pinst ? "." : "",
- kdata.pinst, kdata.prealm,
- authorized ? "" : " not", name);
- }
-#endif /* KRB5_KRB4_COMPAT */
-
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
sizeof(buf) - strlen(buf) - 1);
@@ -907,9 +854,6 @@
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
#endif
-#ifdef KRB5_KRB4_COMPAT
- dest_tkt();
-#endif
have_creds = 0;
}
pw = NULL;
@@ -926,18 +870,6 @@
krb5_creds my_creds;
krb5_timestamp now;
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- char realm[REALM_SZ];
-#ifndef GSSAPI
- char **service;
- KTEXT_ST ticket;
- AUTH_DAT authdata;
- des_cblock key;
- char instance[INST_SZ];
- unsigned long faddr;
- struct hostent *hp;
-#endif /* GSSAPI */
-#endif /* KRB5_KRB4_COMPAT */
char ccname[MAXPATHLEN];
#ifdef GSSAPI
@@ -946,7 +878,8 @@
return 0;
my_creds.client = me;
- sprintf(ccname, "FILE:/tmp/krb5cc_ftpd%ld", (long) getpid());
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_ftpd%ld",
+ (long) getpid());
if (krb5_cc_resolve(kcontext, ccname, &ccache))
return(0);
if (krb5_cc_initialize(kcontext, ccache, me))
@@ -979,58 +912,10 @@
krb5_cc_destroy(kcontext, ccache);
return(1);
}
-#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- goto nuke_ccache;
-
- sprintf(ccname, "%s_ftpd%ld", TKT_ROOT, (long) getpid());
- krb_set_tkt_string(ccname);
-
- if (krb_get_pw_in_tkt(name, "", realm, "krbtgt", realm, 1, passwd))
- goto nuke_ccache;
-
-#ifndef GSSAPI
- /* Verify the ticket since we didn't verify the krb5 one. */
- strncpy(instance, krb_get_phost(hostname), sizeof(instance));
-
- if ((hp = gethostbyname(instance)) == NULL)
- goto nuke_ccache;
- memcpy((char *) &faddr, (char *)hp->h_addr, sizeof(faddr));
-
- for (service = krb4_services; *service; service++) {
- if (!read_service_key(*service, instance,
- realm, 0, keyfile, key)) {
- (void) memset(key, 0, sizeof(key));
- if (krb_mk_req(&ticket, *service,
- instance, realm, 33) ||
- krb_rd_req(&ticket, *service, instance,
- faddr, &authdata,keyfile) ||
- kuserok(&authdata, name)) {
- dest_tkt();
- goto nuke_ccache;
- } else
- break;
- }
- }
-
- if (!*service) {
- dest_tkt();
- goto nuke_ccache;
- }
-
- if (!want_creds) {
- dest_tkt();
- return(1);
- }
-#endif /* GSSAPI */
-#endif /* KRB5_KRB4_COMPAT */
-
-#if defined(GSSAPI) || defined(KRB5_KRB4_COMPAT)
have_creds = 1;
return(1);
-#endif /* GSSAPI || KRB5_KRB4_COMPAT */
+#endif /* GSSAPI */
nuke_ccache:
#ifdef GSSAPI
@@ -1106,16 +991,13 @@
const char *ccname = krb5_cc_get_name(kcontext, ccache);
chown(ccname, pw->pw_uid, pw->pw_gid);
#endif
-#ifdef KRB5_KRB4_COMPAT
- chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-#endif
}
(void) krb5_setegid((gid_t)pw->pw_gid);
(void) initgroups(pw->pw_name, pw->pw_gid);
/* open wtmp before chroot */
- (void) sprintf(ttyline, "ftp%ld", (long) getpid());
+ (void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
pty_logwtmp(ttyline, pw->pw_name, rhost_sane);
logged_in = 1;
@@ -1167,9 +1049,8 @@
if (guest) {
reply(230, "Guest login ok, access restrictions apply.");
#ifdef SETPROCTITLE
- sprintf(proctitle, "%s: anonymous/%.*s", rhost_sane,
- sizeof(proctitle) - strlen(rhost_sane) -
- sizeof(": anonymous/"), passwd);
+ snprintf(proctitle, sizeof(proctitle), "%s: anonymous/%.*s",
+ rhost_sane, passwd);
setproctitle(proctitle);
#endif /* SETPROCTITLE */
if (logging)
@@ -1182,7 +1063,8 @@
reply(230, "User %s logged in.", pw->pw_name);
}
#ifdef SETPROCTITLE
- sprintf(proctitle, "%s: %s", rhost_sane, pw->pw_name);
+ snprintf(proctitle, sizeof(proctitle), "%s: %s",
+ rhost_sane, pw->pw_name);
setproctitle(proctitle);
#endif /* SETPROCTITLE */
if (logging)
@@ -1218,7 +1100,7 @@
reply(501, "filename too long");
return;
}
- (void) sprintf(line, cmd, name), name = line;
+ (void) snprintf(line, sizeof(line), cmd, name), name = line;
fin = ftpd_popen(line, "r"), closefunc = ftpd_pclose;
st.st_size = -1;
#ifndef NOSTBLKSIZE
@@ -1400,9 +1282,10 @@
byte_count = 0;
if (size != (off_t) -1)
/* cast size to long in case sizeof(off_t) > sizeof(long) */
- (void) sprintf (sizebuf, " (%ld bytes)", (long)size);
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
+ (long)size);
else
- (void) strcpy(sizebuf, "");
+ sizebuf[0] = '\0';
if (pdata >= 0) {
int s, fromlen = sizeof(data_dest);
@@ -1664,7 +1547,7 @@
reply(501, "filename too long");
return;
}
- (void) sprintf(line, "/bin/ls -lgA %s", filename);
+ (void) snprintf(line, sizeof(line), "/bin/ls -lgA %s", filename);
fin = ftpd_popen(line, "r");
lreply(211, "status of %s:", filename);
p = str;
@@ -1713,8 +1596,8 @@
lreply(211, "%s FTP server status:", hostname);
reply(0, " %s", version);
- sprintf(str, " Connected to %s", remotehost[0] ? remotehost : "");
- sprintf(&str[strlen(str)], " (%s)", rhost_addra);
+ snprintf(str, sizeof(str), " Connected to %s (%s)",
+ remotehost[0] ? remotehost : "", rhost_addra);
reply(0, "%s", str);
if (auth_type) reply(0, " Authentication type: %s", auth_type);
if (logged_in) {
@@ -1729,41 +1612,35 @@
else
reply(0, " Waiting for user name");
reply(0, " Protection level: %s", levelnames[dlevel]);
- sprintf(str, " TYPE: %s", typenames[type]);
- if (type == TYPE_A || type == TYPE_E)
- sprintf(&str[strlen(str)], ", FORM: %s", formnames[form]);
+ snprintf(str, sizeof(str), " TYPE: %s", typenames[type]);
+ if (type == TYPE_A || type == TYPE_E) {
+ snprintf(&str[strlen(str)], sizeof(str) - strlen(str),
+ ", FORM: %s", formnames[form]);
+ }
if (type == TYPE_L)
-#if 1
strncat(str, " 8", sizeof (str) - strlen(str) - 1);
-#else
-/* this is silly. -- eichin at cygnus.com */
-#if NBBY == 8
- sprintf(&str[strlen(str)], " %d", NBBY);
-#else
- sprintf(&str[strlen(str)], " %d", bytesize); /* need definition! */
-#endif
-#endif
- sprintf(&str[strlen(str)], "; STRUcture: %s; transfer MODE: %s",
- strunames[stru], modenames[mode]);
+ snprintf(&str[strlen(str)], sizeof(str) - strlen(str),
+ "; STRUcture: %s; transfer MODE: %s",
+ strunames[stru], modenames[mode]);
reply(0, "%s", str);
if (data != -1)
- strcpy(str, " Data connection open");
+ strlcpy(str, " Data connection open", sizeof(str));
else if (pdata != -1) {
- strcpy(str, " in Passive mode");
+ strlcpy(str, " in Passive mode", sizeof(str));
sin4 = &pasv_addr;
goto printaddr;
} else if (usedefault == 0) {
- strcpy(str, " PORT");
sin4 = &data_dest;
printaddr:
a = (u_char *) &sin4->sin_addr;
p = (u_char *) &sin4->sin_port;
#define UC(b) (((int) b) & 0xff)
- sprintf(&str[strlen(str)], " (%d,%d,%d,%d,%d,%d)", UC(a[0]),
- UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+ snprintf(str, sizeof(str), " PORT (%d,%d,%d,%d,%d,%d)",
+ UC(a[0]), UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]),
+ UC(p[1]));
#undef UC
} else
- strcpy(str, " No data connection");
+ strlcpy(str, " No data connection", sizeof(str));
reply(0, "%s", str);
reply(211, "End of status");
}
@@ -1800,10 +1677,10 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(buf, fmt, ap);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
#else
- sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
+ snprintf(buf, sizeof(buf), fmt, p0, p1, p2, p3, p4, p5);
#endif
if (auth_type) {
@@ -1813,33 +1690,9 @@
*/
char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2];
int length = 0, kerror;
- if (n) sprintf(in, "%d%c", n, cont_char);
+ if (n) snprintf(in, sizeof(in), "%d%c", n, cont_char);
else in[0] = '\0';
strncat(in, buf, sizeof (in) - strlen(in) - 1);
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if (clevel == PROT_P)
- length = krb_mk_priv((unsigned char *)in,
- (unsigned char *)out,
- strlen(in),
- schedule, &kdata.session,
- &ctrl_addr,
- &his_addr);
- else
- length = krb_mk_safe((unsigned char *)in,
- (unsigned char *)out,
- strlen(in),
- &kdata.session,
- &ctrl_addr,
- &his_addr);
- if (length == -1) {
- syslog(LOG_ERR,
- "krb_mk_%s failed for KERBEROS_V4",
- clevel == PROT_P ? "priv" : "safe");
- fputs(in,stdout);
- }
- } else
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* reply (based on level) */
if (strcmp(auth_type, "GSSAPI") == 0) {
@@ -1918,10 +1771,10 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(buf, fmt, ap);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
#else
- sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
+ snprintf(buf, sizeof(buf), fmt, p0, p1, p2, p3, p4, p5);
#endif
cont_char = '-';
reply(n, "%s", buf);
@@ -2083,7 +1936,7 @@
exit(1);
}
#ifdef SETPROCTITLE
- sprintf(proctitle, "%s: connected", rhost_sane);
+ snprintf(proctitle, sizeof(proctitle), "%s: connected", rhost_sane);
setproctitle(proctitle);
#endif /* SETPROCTITLE */
@@ -2110,9 +1963,6 @@
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
#endif
-#ifdef KRB5_KRB4_COMPAT
- dest_tkt();
-#endif
}
/* beware of flushing buffers after a SIGPIPE */
_exit(status);
@@ -2230,7 +2080,7 @@
cp = new + strlen(new);
*cp++ = '.';
for (count = 1; count < 100; count++) {
- (void) sprintf(cp, "%d", count);
+ (void) snprintf(cp, sizeof(new) - (cp - new), "%d", count);
if (stat(new, &st) < 0)
return(new);
}
@@ -2272,12 +2122,6 @@
if (auth_type)
reply(534, "Authentication type already set to %s", auth_type);
else
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(atype, "KERBEROS_V4") == 0)
- reply(334, "Using authentication type %s; ADAT must follow",
- temp_auth_type = atype);
- else
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(atype, "GSSAPI") == 0)
reply(334, "Using authentication type %s; ADAT must follow",
@@ -2293,13 +2137,6 @@
char *adata;
{
int kerror, length;
-#ifdef KRB5_KRB4_COMPAT
- static char **service=NULL;
- char instance[INST_SZ];
- KRB4_32 cksum;
- char buf[FTP_BUFSIZ];
- u_char out_buf[sizeof(buf)];
-#endif /* KRB5_KRB4_COMPAT */
if (auth_type) {
reply(503, "Authentication already established");
@@ -2309,61 +2146,6 @@
reply(503, "Must identify AUTH type before ADAT");
return(0);
}
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(temp_auth_type, "KERBEROS_V4") == 0) {
- kerror = radix_encode(adata, out_buf, &length, 1);
- if (kerror) {
- reply(501, "Couldn't decode ADAT (%s)",
- radix_error(kerror));
- syslog(LOG_ERR, "Couldn't decode ADAT (%s)",
- radix_error(kerror));
- return(0);
- }
- (void) memcpy((char *)ticket.dat, (char *)out_buf, ticket.length = length);
- strcpy(instance, "*");
-
- kerror = 255;
- for (service = krb4_services; *service; service++) {
- kerror = krb_rd_req(&ticket, *service, instance,
- his_addr.sin_addr.s_addr,
- &kdata, keyfile);
- /* Success */
- if(!kerror) break;
- }
- /* rd_req failed.... */
- if(kerror) {
- secure_error("ADAT: Kerberos V4 krb_rd_req: %s",
- krb_get_err_text(kerror));
- return(0);
- }
-
- /* add one to the (formerly) sealed checksum, and re-seal it */
- cksum = kdata.checksum + 1;
- cksum = htonl(cksum);
- key_sched(kdata.session,schedule);
- if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
- &kdata.session,&ctrl_addr, &his_addr)) == -1) {
- secure_error("ADAT: krb_mk_safe failed");
- return(0);
- }
- if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
- secure_error("ADAT: reply too long");
- return(0);
- }
-
- kerror = radix_encode(out_buf, buf, &length, 0);
- if (kerror) {
- secure_error("Couldn't encode ADAT reply (%s)",
- radix_error(kerror));
- return(0);
- }
- reply(235, "ADAT=%s", buf);
- /* Kerberos V4 authentication succeeded */
- auth_type = temp_auth_type;
- temp_auth_type = NULL;
- return(1);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(temp_auth_type, "GSSAPI") == 0) {
int replied = 0;
@@ -2413,7 +2195,8 @@
localname[sizeof(localname) - 1] = '\0';
for (gservice = gss_services; *gservice; gservice++) {
- sprintf(service_name, "%s@%s", *gservice, localname);
+ snprintf(service_name, sizeof(service_name),
+ "%s@%s", *gservice, localname);
name_buf.value = service_name;
name_buf.length = strlen(name_buf.value) + 1;
if (debug)
@@ -2722,7 +2505,8 @@
ret = -2; /* XXX */
goto data_err;
}
- sprintf(nbuf, "%s/%s", dirname, dir->d_name);
+ snprintf(nbuf, sizeof(nbuf), "%s/%s",
+ dirname, dir->d_name);
/*
* We have to do a stat to insure it's
@@ -2918,17 +2702,13 @@
OM_uint32 major_status, minor_status;
krb5_principal me;
char ccname[MAXPATHLEN];
-#ifdef KRB5_KRB4_COMPAT
- krb5_principal kpcserver;
- krb5_creds increds, *v5creds;
- CREDENTIALS v4creds;
-#endif
/* Set up ccache */
if (krb5_parse_name(kcontext, name, &me))
return;
- sprintf(ccname, "FILE:/tmp/krb5cc_ftpd%ld", (long) getpid());
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_ftpd%ld",
+ (long) getpid());
if (krb5_cc_resolve(kcontext, ccname, &ccache))
return;
if (krb5_cc_initialize(kcontext, ccache, me))
@@ -2939,47 +2719,9 @@
if (major_status != GSS_S_COMPLETE)
goto cleanup;
-#ifdef KRB5_KRB4_COMPAT
- /* Convert krb5 creds to krb4 */
-
- if (krb5_build_principal_ext(kcontext, &kpcserver,
- krb5_princ_realm(kcontext, me)->length,
- krb5_princ_realm(kcontext, me)->data,
- 6, "krbtgt",
- krb5_princ_realm(kcontext, me)->length,
- krb5_princ_realm(kcontext, me)->data,
- 0))
- goto cleanup;
-
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = me;
- increds.server = kpcserver;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- if (krb5_get_credentials(kcontext, 0, ccache, &increds, &v5creds))
- goto cleanup;
- if (krb524_convert_creds_kdc(kcontext, v5creds, &v4creds))
- goto cleanup;
-
- sprintf(ccname, "%s_ftpd%ld", TKT_ROOT, (long) getpid());
- krb_set_tkt_string(ccname);
-
- if (in_tkt(v4creds.pname, v4creds.pinst) != KSUCCESS)
- goto cleanup;
-
- if (krb_save_credentials(v4creds.service, v4creds.instance,
- v4creds.realm, v4creds.session,
- v4creds.lifetime, v4creds.kvno,
- &(v4creds.ticket_st), v4creds.issue_date))
- goto cleanup_v4;
-#endif /* KRB5_KRB4_COMPAT */
have_creds = 1;
return;
-#ifdef KRB5_KRB4_COMPAT
-cleanup_v4:
- dest_tkt();
-#endif
cleanup:
krb5_cc_destroy(kcontext, ccache);
}
Modified: branches/mkey_migrate/src/appl/libpty/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/libpty/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/libpty/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -110,48 +110,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-pty_err.so pty_err.po $(OUTPRE)pty_err.$(OBJEXT): $(COM_ERR_DEPS) \
- pty_err.c
-cleanup.so cleanup.po $(OUTPRE)cleanup.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h cleanup.c \
- libpty.h pty-int.h pty_err.h
-getpty.so getpty.po $(OUTPRE)getpty.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h getpty.c \
- libpty.h pty-int.h pty_err.h
-init_slave.so init_slave.po $(OUTPRE)init_slave.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- init_slave.c libpty.h pty-int.h pty_err.h
-open_ctty.so open_ctty.po $(OUTPRE)open_ctty.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- libpty.h open_ctty.c pty-int.h pty_err.h
-open_slave.so open_slave.po $(OUTPRE)open_slave.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- libpty.h open_slave.c pty-int.h pty_err.h
-update_utmp.so update_utmp.po $(OUTPRE)update_utmp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- libpty.h pty-int.h pty_err.h update_utmp.c
-update_wtmp.so update_wtmp.po $(OUTPRE)update_wtmp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- libpty.h pty-int.h pty_err.h update_wtmp.c
-vhangup.so vhangup.po $(OUTPRE)vhangup.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h libpty.h \
- pty-int.h pty_err.h vhangup.c
-void_assoc.so void_assoc.po $(OUTPRE)void_assoc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- libpty.h pty-int.h pty_err.h void_assoc.c
-logwtmp.so logwtmp.po $(OUTPRE)logwtmp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h libpty.h \
- logwtmp.c pty-int.h pty_err.h
-init.so init.po $(OUTPRE)init.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h init.c \
- libpty.h pty-int.h pty_err.h
-sane_hostname.so sane_hostname.po $(OUTPRE)sane_hostname.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- libpty.h pty-int.h pty_err.h sane_hostname.c
Copied: branches/mkey_migrate/src/appl/libpty/deps (from rev 21721, trunk/src/appl/libpty/deps)
Modified: branches/mkey_migrate/src/appl/libpty/getpty.c
===================================================================
--- branches/mkey_migrate/src/appl/libpty/getpty.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/libpty/getpty.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,6 +23,7 @@
#include "com_err.h"
#include "libpty.h"
#include "pty-int.h"
+#include "k5-platform.h"
long
ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
@@ -59,12 +60,11 @@
*fd = -1;
return PTY_GETPTY_NOPTY;
}
- if (strlen(slaveret) > slavelength - 1) {
+ if (strlcpy(slave, slaveret, slavelength) >= slavelength) {
close(*fd);
*fd = -1;
return PTY_GETPTY_SLAVE_TOOLONG;
}
- else strcpy(slave, slaveret);
return 0;
#else /*HAVE__GETPTY*/
@@ -92,12 +92,11 @@
#endif
#endif
if (p) {
- if (strlen(p) > slavelength - 1) {
+ if (strlcpy(slave, p, slavelength) >= slavelength) {
close (*fd);
*fd = -1;
return PTY_GETPTY_SLAVE_TOOLONG;
}
- strcpy(slave, p);
return 0;
}
@@ -106,7 +105,7 @@
return PTY_GETPTY_FSTAT;
}
ptynum = (int)(stb.st_rdev&0xFF);
- sprintf(slavebuf, "/dev/ttyp%x", ptynum);
+ snprintf(slavebuf, sizeof(slavebuf), "/dev/ttyp%x", ptynum);
if (strlen(slavebuf) > slavelength - 1) {
close(*fd);
*fd = -1;
@@ -116,7 +115,7 @@
return 0;
} else {
for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
- sprintf(slavebuf,"/dev/ptyXX");
+ snprintf(slavebuf,sizeof(slavebuf),"/dev/ptyXX");
slavebuf[sizeof("/dev/pty") - 1] = *cp;
slavebuf[sizeof("/dev/ptyp") - 1] = '0';
if (stat(slavebuf, &stb) < 0)
Modified: branches/mkey_migrate/src/appl/libpty/logwtmp.c
===================================================================
--- branches/mkey_migrate/src/appl/libpty/logwtmp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/libpty/logwtmp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -73,7 +73,7 @@
cp = tty + len - 2;
else
cp = tty;
- sprintf(utmp_id, "kr%s", cp);
+ snprintf(utmp_id, sizeof(utmp_id), "kr%s", cp);
strncpy(utx.ut_id, utmp_id, sizeof(utx.ut_id));
#ifdef HAVE_SETUTXENT
Modified: branches/mkey_migrate/src/appl/libpty/update_utmp.c
===================================================================
--- branches/mkey_migrate/src/appl/libpty/update_utmp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/libpty/update_utmp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -319,6 +319,7 @@
#include "com_err.h"
#include "libpty.h"
#include "pty-int.h"
+#include "k5-platform.h"
#if !defined(UTMP_FILE) && defined(_PATH_UTMP)
#define UTMP_FILE _PATH_UTMP
@@ -547,7 +548,7 @@
* pain, and would eit cross-compiling.
*/
#ifdef __hpux
- strcpy(utmp_id, cp);
+ strlcpy(utmp_id, cp, sizeof(utmp_id));
#else
if (len > 2 && *(cp - 1) != '/')
snprintf(utmp_id, sizeof(utmp_id), "k%s", cp - 1);
Copied: branches/mkey_migrate/src/appl/sample/deps (from rev 21721, trunk/src/appl/sample/deps)
Copied: branches/mkey_migrate/src/appl/sample/sclient/deps (from rev 21721, trunk/src/appl/sample/sclient/deps)
Modified: branches/mkey_migrate/src/appl/sample/sclient/sclient.c
===================================================================
--- branches/mkey_migrate/src/appl/sample/sclient/sclient.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/sample/sclient/sclient.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -159,11 +159,16 @@
if (getnameinfo(ap->ai_addr, ap->ai_addrlen, abuf, sizeof(abuf),
pbuf, sizeof(pbuf), NI_NUMERICHOST | NI_NUMERICSERV)) {
memset(abuf, 0, sizeof(abuf));
+ memset(pbuf, 0, sizeof(pbuf));
strncpy(abuf, "[error, cannot print address?]",
sizeof(abuf)-1);
- strcpy(pbuf, "[?]");
+ strncpy(pbuf, "[?]", sizeof(pbuf)-1);
}
- sprintf(mbuf, "error contacting %s port %s", abuf, pbuf);
+ memset(mbuf, 0, sizeof(mbuf));
+ strncpy(mbuf, "error contacting ", sizeof(mbuf)-1);
+ strncat(mbuf, abuf, sizeof(mbuf) - strlen(mbuf) - 1);
+ strncat(mbuf, " port ", sizeof(mbuf) - strlen(mbuf) - 1);
+ strncat(mbuf, pbuf, sizeof(mbuf) - strlen(mbuf) - 1);
sock = socket(ap->ai_family, SOCK_STREAM, 0);
if (sock < 0) {
fprintf(stderr, "%s: socket: %s\n", mbuf, strerror(errno));
Copied: branches/mkey_migrate/src/appl/sample/sserver/deps (from rev 21721, trunk/src/appl/sample/sserver/deps)
Modified: branches/mkey_migrate/src/appl/sample/sserver/sserver.c
===================================================================
--- branches/mkey_migrate/src/appl/sample/sserver/sserver.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/sample/sserver/sserver.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -210,12 +210,15 @@
}
/* Get client name */
+ repbuf[sizeof(repbuf) - 1] = '\0';
retval = krb5_unparse_name(context, ticket->enc_part2->client, &cname);
if (retval){
syslog(LOG_ERR, "unparse failed: %s", error_message(retval));
- sprintf(repbuf, "You are <unparse error>\n");
+ strncpy(repbuf, "You are <unparse error>\n", sizeof(repbuf) - 1);
} else {
- sprintf(repbuf, "You are %s\n", cname);
+ strncpy(repbuf, "You are ", sizeof(repbuf) - 1);
+ strncat(repbuf, cname, sizeof(repbuf) - 1 - strlen(repbuf));
+ strncat(repbuf, "\n", sizeof(repbuf) - 1 - strlen(repbuf));
free(cname);
}
xmitlen = htons(strlen(repbuf));
Copied: branches/mkey_migrate/src/appl/simple/client/deps (from rev 21721, trunk/src/appl/simple/client/deps)
Modified: branches/mkey_migrate/src/appl/simple/client/sim_client.c
===================================================================
--- branches/mkey_migrate/src/appl/simple/client/sim_client.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/simple/client/sim_client.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -325,6 +325,12 @@
printf("Sent encrypted message: %d bytes\n", i);
krb5_free_data_contents(context, &packet);
+ retval = krb5_rc_destroy(context, rcache);
+ if (retval) {
+ com_err(progname, retval, "while deleting replay cache");
+ exit(1);
+ }
+ krb5_auth_con_setrcache(context, auth_context, NULL);
krb5_auth_con_free(context, auth_context);
krb5_free_context(context);
Copied: branches/mkey_migrate/src/appl/simple/deps (from rev 21721, trunk/src/appl/simple/deps)
Copied: branches/mkey_migrate/src/appl/simple/server/deps (from rev 21721, trunk/src/appl/simple/server/deps)
Modified: branches/mkey_migrate/src/appl/telnet/configure.in
===================================================================
--- branches/mkey_migrate/src/appl/telnet/configure.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/configure.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -18,12 +18,6 @@
dnl
KRB5_NEED_PROTO([#include <stdlib.h>],setenv)
AC_C_CONST
-if test "$KRB4_LIB" = ''; then
- AC_MSG_RESULT(No Kerberos 4 authentication)
-else
- AC_MSG_RESULT(Kerberos 4 authentication enabled)
- AC_DEFINE(KRB4,1,[Define if krb4 authentication is enabled])
-fi
KRB5_BUILD_LIBRARY
KRB5_BUILD_LIBOBJS
dnl
@@ -81,12 +75,6 @@
#include <netdb.h>],herror,1)
dnl
CHECK_SIGNALS
-if test "$KRB4_LIB" = ''; then
- AC_MSG_RESULT(No Kerberos 4 authentication)
-else
- AC_MSG_RESULT(Kerberos 4 authentication enabled)
- AC_DEFINE(KRB4)
-fi
dnl
KRB5_BUILD_PROGRAM
dnl
Copied: branches/mkey_migrate/src/appl/telnet/deps (from rev 21721, trunk/src/appl/telnet/deps)
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,7 +25,7 @@
#
AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION -DKRB5 -DFORWARD \
-UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
-LOCALINCLUDES=-I.. -I$(srcdir)/.. @KRB4_INCLUDES@
+LOCALINCLUDES=-I.. -I$(srcdir)/..
DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF)
LIBOBJS=@LIBOBJS@
@@ -42,7 +42,6 @@
$(srcdir)/encrypt.c \
$(srcdir)/genget.c \
$(srcdir)/misc.c \
- $(srcdir)/kerberos.c \
$(srcdir)/kerberos5.c \
$(srcdir)/forward.c \
$(srcdir)/enc_des.c \
@@ -57,7 +56,7 @@
$(srcdir)/strerror.c
STLIBOBJS= auth.o encrypt.o genget.o \
- misc.o kerberos.o kerberos5.o forward.o enc_des.o \
+ misc.o kerberos5.o forward.o enc_des.o \
$(LIBOBJS) getent.o $(SETENVOBJ)
TELNET_H= $(srcdir)/../arpa/telnet.h
@@ -73,10 +72,6 @@
encrypt.o: $(TELNET_H)
encrypt.o: encrypt.h
encrypt.o: misc.h
-kerberos.o: $(TELNET_H)
-kerberos.o: encrypt.h
-kerberos.o: auth.h
-kerberos.o: misc.h
kerberos5.o: $(TELNET_H)
kerberos5.o: encrypt.h
kerberos5.o: auth.h
@@ -92,47 +87,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-auth.so auth.po $(OUTPRE)auth.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- auth-proto.h auth.c auth.h enc-proto.h encrypt.h misc-proto.h
-encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- enc-proto.h encrypt.c encrypt.h misc-proto.h misc.h
-genget.so genget.po $(OUTPRE)genget.$(OBJEXT): genget.c \
- misc-proto.h misc.h
-misc.so misc.po $(OUTPRE)misc.$(OBJEXT): auth-proto.h \
- auth.h enc-proto.h encrypt.h misc-proto.h misc.c misc.h
-kerberos.so kerberos.po $(OUTPRE)kerberos.$(OBJEXT): \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(srcdir)/../arpa/telnet.h auth-proto.h auth.h enc-proto.h \
- encrypt.h kerberos.c misc-proto.h misc.h
-kerberos5.so kerberos5.po $(OUTPRE)kerberos5.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- $(srcdir)/../arpa/telnet.h auth-proto.h auth.h enc-proto.h \
- encrypt.h kerberos5.c krb5forw.h misc-proto.h misc.h
-forward.so forward.po $(OUTPRE)forward.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h forward.c \
- krb5forw.h
-enc_des.so enc_des.po $(OUTPRE)enc_des.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h $(srcdir)/../arpa/telnet.h \
- enc-proto.h enc_des.c encrypt.h key-proto.h misc-proto.h
-setenv.so setenv.po $(OUTPRE)setenv.$(OBJEXT): misc-proto.h \
- setenv.c
-getent.so getent.po $(OUTPRE)getent.$(OBJEXT): getent.c \
- gettytab.h
-parsetos.so parsetos.po $(OUTPRE)parsetos.$(OBJEXT): \
- misc-proto.h parsetos.c
-strdup.so strdup.po $(OUTPRE)strdup.$(OBJEXT): strdup.c
-strcasecmp.so strcasecmp.po $(OUTPRE)strcasecmp.$(OBJEXT): \
- strcasecmp.c
-strchr.so strchr.po $(OUTPRE)strchr.$(OBJEXT): strchr.c
-strrchr.so strrchr.po $(OUTPRE)strrchr.$(OBJEXT): strrchr.c
-strftime.so strftime.po $(OUTPRE)strftime.$(OBJEXT): \
- strftime.c
-strerror.so strerror.po $(OUTPRE)strerror.$(OBJEXT): \
- strerror.c
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/auth-proto.h
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/auth-proto.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/auth-proto.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -86,15 +86,6 @@
void auth_printsub (unsigned char *, int, unsigned char *, unsigned int);
-#ifdef KRB4
-int kerberos4_init (Authenticator *, int);
-int kerberos4_send (Authenticator *);
-void kerberos4_is (Authenticator *, unsigned char *, int);
-void kerberos4_reply (Authenticator *, unsigned char *, int);
-int kerberos4_status (Authenticator *, char *, int);
-void kerberos4_printsub (unsigned char *, int, unsigned char *, unsigned int);
-#endif
-
#ifdef KRB5
int kerberos5_init (Authenticator *, int);
int kerberos5_send (Authenticator *);
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/auth.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/auth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/auth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -142,24 +142,6 @@
kerberos5_status,
kerberos5_printsub },
#endif
-#ifdef KRB4
-# ifdef ENCRYPTION
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- kerberos4_init,
- kerberos4_send,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
-# endif /* ENCRYPTION */
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- kerberos4_init,
- kerberos4_send,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
-#endif
{ 0, },
};
@@ -658,7 +640,7 @@
buf[buflen-2] = '*';
buflen -= 2;
for (; cnt > 0; cnt--, data++) {
- sprintf((char *)tbuf, " %d", *data);
+ snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
for (cp = tbuf; *cp && buflen > 0; --buflen)
*buf++ = *cp++;
if (buflen <= 0)
Copied: branches/mkey_migrate/src/appl/telnet/libtelnet/deps (from rev 21721, trunk/src/appl/telnet/libtelnet/deps)
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/enc_des.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/enc_des.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/enc_des.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -550,28 +550,28 @@
switch(data[2]) {
case FB64_IV:
- sprintf(lbuf, "%s_IV", type);
+ snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
cp = lbuf;
goto common;
case FB64_IV_OK:
- sprintf(lbuf, "%s_IV_OK", type);
+ snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
cp = lbuf;
goto common;
case FB64_IV_BAD:
- sprintf(lbuf, "%s_IV_BAD", type);
+ snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
cp = lbuf;
goto common;
default:
- sprintf(lbuf, " %d (unknown)", data[2]);
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
cp = lbuf;
common:
for (; (buflen > 0) && (*buf = *cp++); buf++)
buflen--;
for (i = 3; i < cnt; i++) {
- sprintf(lbuf, " %d", data[i]);
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
buflen--;
}
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/encrypt.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/encrypt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/encrypt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -984,7 +984,7 @@
buf[buflen-2] = '*';
buflen -= 2;;
for (; cnt > 0; cnt--, data++) {
- sprintf(tbuf, " %d", *data);
+ snprintf(tbuf, sizeof(tbuf), " %d", *data);
for (cp = tbuf; *cp && buflen > 0; --buflen)
*buf++ = *cp++;
if (buflen <= 0)
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/forward.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/forward.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/forward.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -57,7 +57,7 @@
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
- sprintf(ccname, "FILE:/tmp/krb5cc_p%ld", (long) getpid());
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_p%ld", (long) getpid());
setenv("KRB5CCNAME", ccname, 1);
if ((retval = krb5_cc_resolve(context, ccname, &ccache)))
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/gettytab.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/gettytab.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/gettytab.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -117,7 +117,7 @@
write(2, "Gettytab entry too long\n", 24);
q[TABBUFSIZ - (p-tbuf)] = 0;
}
- strcpy(p, q+1);
+ strlcpy(p, q+1, TABBUFSIZ - (p-tbuf));
tbuf = holdtbuf;
return(1);
}
Deleted: branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,744 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* based on @(#)kerberos.c 8.1 (Berkeley) 6/4/93 */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifdef KRB4
-/* this code must be compiled in the krb5 tree. disgustingly, there
- is code in here which declares structures which happen to mirror
- the krb4 des structures. I didn't want to rototill this *completely*
- so this is how it's going to work. --marc */
-#include <krb5.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <arpa/telnet.h>
-#include <stdio.h>
-#include <des.h> /* BSD wont include this in krb.h, so we do it here */
-#include <krb.h>
-#ifdef __STDC__
-#include <stdlib.h>
-#endif
-#ifdef HAVE_STRING_H
-#include <string.h>
-#else
-#include <strings.h>
-#endif
-
-#include "encrypt.h"
-#include "auth.h"
-#include "misc.h"
-
-extern int auth_debug_mode;
-extern krb5_context telnet_context;
-
-int kerberos4_cksum (unsigned char *, int);
-
-static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
- AUTHTYPE_KERBEROS_V4, };
-#if 0
-static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
- TELQUAL_NAME, };
-#endif
-
-#define KRB_AUTH 0 /* Authentication data follows */
-#define KRB_REJECT 1 /* Rejected (reason might follow) */
-#define KRB_ACCEPT 2 /* Accepted */
-#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */
-#define KRB_RESPONSE 4 /* Response for mutual auth. */
-
-#define KRB_SERVICE_NAME "rcmd"
-
-static KTEXT_ST auth;
-static char name[ANAME_SZ];
-static AUTH_DAT adat = { 0 };
-#ifdef ENCRYPTION
-static Block session_key = { 0 };
-static krb5_keyblock krbkey;
-static Block challenge = { 0 };
-#endif /* ENCRYPTION */
-
- static int
-Data(ap, type, d, c)
- Authenticator *ap;
- int type;
- const void *d;
- int c;
-{
- unsigned char *p = str_data + 4;
- const unsigned char *cd = (const unsigned char *)d;
- size_t spaceleft = sizeof(str_data) - 4;
- if (c == -1)
- c = strlen((const char *)cd);
-
- if (auth_debug_mode) {
- printf("%s:%d: [%d] (%d)",
- str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
- str_data[3],
- type, c);
- printd(d, c);
- printf("\r\n");
- }
- *p++ = ap->type;
- *p++ = ap->way;
- *p++ = type;
- spaceleft -= 3;
- while (c-- > 0) {
- if ((*p++ = *cd++) == IAC) {
- *p++ = IAC;
- spaceleft--;
- }
- if ((--spaceleft < 4) && c) {
- errno = ENOMEM;
- return -1;
- }
- }
- *p++ = IAC;
- *p++ = SE;
- if (str_data[3] == TELQUAL_IS)
- printsub('>', &str_data[2], p - (&str_data[2]));
- return(net_write(str_data, p - str_data));
-}
-
- int
-kerberos4_init(ap, server)
- Authenticator *ap;
- int server;
-{
- FILE *fp;
-
- if (server) {
- str_data[3] = TELQUAL_REPLY;
- if ((fp = fopen(KEYFILE, "r")) == NULL)
- return(0);
- fclose(fp);
- } else {
- str_data[3] = TELQUAL_IS;
- }
-
- kerberos5_init(NULL, server);
-
- return(1);
-}
-
-char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
-unsigned int dst_realm_sz = REALM_SZ;
-
- int
-kerberos4_send(ap)
- Authenticator *ap;
-{
- KTEXT_ST kauth;
- char instance[INST_SZ];
- char *realm;
- char *krb_realmofhost();
- char *krb_get_phost();
- CREDENTIALS cred;
- int r;
-#ifdef ENCRYPTION
- krb5_data data;
- krb5_enc_data encdata;
- krb5_error_code code;
- krb5_keyblock rand_key;
-#endif
-
- printf("[ Trying KERBEROS4 ... ]\r\n");
- if (!UserNameRequested) {
- if (auth_debug_mode) {
- printf("Kerberos V4: no user name supplied\r\n");
- }
- return(0);
- }
-
- memset(instance, 0, sizeof(instance));
-
- if ((realm = krb_get_phost(RemoteHostName)))
- strncpy(instance, realm, sizeof(instance));
-
- instance[sizeof(instance)-1] = '\0';
-
- realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
-
- if (!realm) {
- printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
- return(0);
- }
- if ((r = krb_mk_req(&kauth, KRB_SERVICE_NAME, instance, realm, 0))) {
- printf("mk_req failed: %s\r\n", krb_get_err_text(r));
- return(0);
- }
- if ((r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred))) {
- printf("get_cred failed: %s\r\n", krb_get_err_text(r));
- return(0);
- }
- if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
- if (auth_debug_mode)
- printf("Not enough room for user name\r\n");
- return(0);
- }
- if (auth_debug_mode)
- printf("Sent %d bytes of authentication data\r\n", kauth.length);
- if (!Data(ap, KRB_AUTH, (void *)kauth.dat, kauth.length)) {
- if (auth_debug_mode)
- printf("Not enough room for authentication data\r\n");
- return(0);
- }
-#ifdef ENCRYPTION
- /*
- * If we are doing mutual authentication, get set up to send
- * the challenge, and verify it when the response comes back.
- */
- if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
- register int i;
-
- data.data = cred.session;
- data.length = 8; /* sizeof(cred.session) */;
-
- if ((code = krb5_c_random_seed(telnet_context, &data))) {
- com_err("libtelnet", code,
- "while seeding random number generator");
- return(0);
- }
-
- if ((code = krb5_c_make_random_key(telnet_context,
- ENCTYPE_DES_CBC_RAW,
- &rand_key))) {
- com_err("libtelnet", code,
- "while creating random session key");
- return(0);
- }
-
- /* the krb4 code uses ecb mode, but on a single block
- with a zero ivec, ecb and cbc are the same */
- krbkey.enctype = ENCTYPE_DES_CBC_RAW;
- krbkey.length = 8;
- krbkey.contents = cred.session;
-
- encdata.ciphertext.data = rand_key.contents;
- encdata.ciphertext.length = rand_key.length;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- data.data = session_key;
- data.length = 8;
-
- code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &data);
-
- krb5_free_keyblock_contents(telnet_context, &rand_key);
-
- if (code) {
- com_err("libtelnet", code, "while encrypting random key");
- return(0);
- }
-
- encdata.ciphertext.data = session_key;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- data.data = challenge;
- data.length = 8;
-
- code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &data);
-
- /*
- * Increment the challenge by 1, and encrypt it for
- * later comparison.
- */
- for (i = 7; i >= 0; --i) {
- register int x;
- x = (unsigned int)challenge[i] + 1;
- challenge[i] = x; /* ignore overflow */
- if (x < 256) /* if no overflow, all done */
- break;
- }
-
- data.data = challenge;
- data.length = 8;
-
- encdata.ciphertext.data = challenge;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &data, &encdata))) {
- com_err("libtelnet", code, "while encrypting random key");
- return(0);
- }
- }
-#endif /* ENCRYPTION */
-
- if (auth_debug_mode) {
- printf("CK: %d:", kerberos4_cksum(kauth.dat, kauth.length));
- printd(kauth.dat, kauth.length);
- printf("\r\n");
- printf("Sent Kerberos V4 credentials to server\r\n");
- }
- return(1);
-}
-
- void
-kerberos4_is(ap, data, cnt)
- Authenticator *ap;
- unsigned char *data;
- int cnt;
-{
-#ifdef ENCRYPTION
- Session_Key skey;
- Block datablock, tmpkey;
- krb5_data kdata;
- krb5_enc_data encdata;
- krb5_error_code code;
-#endif /* ENCRYPTION */
- char realm[REALM_SZ];
- char instance[INST_SZ];
- int r;
-
- if (cnt-- < 1)
- return;
- switch (*data++) {
- case KRB_AUTH:
- if (krb_get_lrealm(realm, 1) != KSUCCESS) {
- Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
- auth_finished(ap, AUTH_REJECT);
- if (auth_debug_mode)
- printf("No local realm\r\n");
- return;
- }
- memcpy((void *)auth.dat, (void *)data, auth.length = cnt);
- if (auth_debug_mode) {
- printf("Got %d bytes of authentication data\r\n", cnt);
- printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
- printd(auth.dat, auth.length);
- printf("\r\n");
- }
- instance[0] = '*'; instance[1] = 0;
- if ((r = krb_rd_req(&auth, KRB_SERVICE_NAME,
- instance, 0, &adat, ""))) {
- if (auth_debug_mode)
- printf("Kerberos failed him as %s\r\n", name);
- Data(ap, KRB_REJECT, (const void *)krb_get_err_text(r), -1);
- auth_finished(ap, AUTH_REJECT);
- return;
- }
-#ifdef ENCRYPTION
- memcpy((void *)session_key, (void *)adat.session, sizeof(Block));
-#endif /* ENCRYPTION */
- krb_kntoln(&adat, name);
-
- if (UserNameRequested && !kuserok(&adat, UserNameRequested))
- Data(ap, KRB_ACCEPT, (void *)0, 0);
- else
- Data(ap, KRB_REJECT,
- (void *)"user is not authorized", -1);
- auth_finished(ap, AUTH_USER);
- break;
-
- case KRB_CHALLENGE:
-#ifndef ENCRYPTION
- Data(ap, KRB_RESPONSE, (void *)0, 0);
-#else /* ENCRYPTION */
- if (!VALIDKEY(session_key)) {
- /*
- * We don't have a valid session key, so just
- * send back a response with an empty session
- * key.
- */
- Data(ap, KRB_RESPONSE, (void *)0, 0);
- break;
- }
-
- /*
- * Initialize the random number generator since it's
- * used later on by the encryption routine.
- */
-
- kdata.data = session_key;
- kdata.length = 8;
-
- if ((code = krb5_c_random_seed(telnet_context, &kdata))) {
- com_err("libtelnet", code,
- "while seeding random number generator");
- return;
- }
-
- memcpy((void *)datablock, (void *)data, sizeof(Block));
- /*
- * Take the received encrypted challenge, and encrypt
- * it again to get a unique session_key for the
- * ENCRYPT option.
- */
- krbkey.enctype = ENCTYPE_DES_CBC_RAW;
- krbkey.length = 8;
- krbkey.contents = session_key;
-
- kdata.data = datablock;
- kdata.length = 8;
-
- encdata.ciphertext.data = tmpkey;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &kdata, &encdata))) {
- com_err("libtelnet", code, "while encrypting random key");
- return;
- }
-
- skey.type = SK_DES;
- skey.length = 8;
- skey.data = tmpkey;
- encrypt_session_key(&skey, 1);
- /*
- * Now decrypt the received encrypted challenge,
- * increment by one, re-encrypt it and send it back.
- */
- encdata.ciphertext.data = datablock;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- kdata.data = challenge;
- kdata.length = 8;
-
- if ((code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &kdata))) {
- com_err("libtelnet", code, "while decrypting challenge");
- return;
- }
-
- for (r = 7; r >= 0; r--) {
- register int t;
- t = (unsigned int)challenge[r] + 1;
- challenge[r] = t; /* ignore overflow */
- if (t < 256) /* if no overflow, all done */
- break;
- }
-
- kdata.data = challenge;
- kdata.length = 8;
-
- encdata.ciphertext.data = challenge;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &kdata, &encdata))) {
- com_err("libtelnet", code, "while decrypting challenge");
- return;
- }
-
- Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
-#endif /* ENCRYPTION */
- break;
-
- default:
- if (auth_debug_mode)
- printf("Unknown Kerberos option %d\r\n", data[-1]);
- Data(ap, KRB_REJECT, 0, 0);
- break;
- }
-}
-
- void
-kerberos4_reply(ap, data, cnt)
- Authenticator *ap;
- unsigned char *data;
- int cnt;
-{
-#ifdef ENCRYPTION
- Session_Key skey;
- krb5_data kdata;
- krb5_enc_data encdata;
- krb5_error_code code;
-
-#endif /* ENCRYPTION */
-
- if (cnt-- < 1)
- return;
- switch (*data++) {
- case KRB_REJECT:
- if (cnt > 0) {
- printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n",
- cnt, data);
- } else
- printf("[ Kerberos V4 refuses authentication ]\r\n");
- auth_send_retry();
- return;
- case KRB_ACCEPT:
- printf("[ Kerberos V4 accepts you ]\r\n");
- if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
- /*
- * Send over the encrypted challenge.
- */
-#ifndef ENCRYPTION
- Data(ap, KRB_CHALLENGE, (void *)0, 0);
-#else /* ENCRYPTION */
- Data(ap, KRB_CHALLENGE, (void *)session_key,
- sizeof(session_key));
-
- kdata.data = session_key;
- kdata.length = 8;
-
- encdata.ciphertext.data = session_key;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey,
- 0, 0, &kdata, &encdata))) {
- com_err("libtelnet", code,
- "while encrypting session_key");
- return;
- }
-
- skey.type = SK_DES;
- skey.length = 8;
- skey.data = session_key;
- encrypt_session_key(&skey, 0);
-#endif /* ENCRYPTION */
- return;
- }
- auth_finished(ap, AUTH_USER);
- return;
- case KRB_RESPONSE:
-#ifdef ENCRYPTION
- /*
- * Verify that the response to the challenge is correct.
- */
- if ((cnt != sizeof(Block)) ||
- (0 != memcmp((void *)data, (void *)challenge,
- sizeof(challenge))))
- {
-#endif /* ENCRYPTION */
- printf("[ Kerberos V4 challenge failed!!! ]\r\n");
- auth_send_retry();
- return;
-#ifdef ENCRYPTION
- }
- printf("[ Kerberos V4 challenge successful ]\r\n");
- auth_finished(ap, AUTH_USER);
-#endif /* ENCRYPTION */
- break;
- default:
- if (auth_debug_mode)
- printf("Unknown Kerberos option %d\r\n", data[-1]);
- return;
- }
-}
-
- int
-kerberos4_status(ap, kname, level)
- Authenticator *ap;
- char *kname;
- int level;
-{
- if (level < AUTH_USER)
- return(level);
-
- /*
- * Always copy in UserNameRequested if the authentication
- * is valid, because the higher level routines need it.
- */
- if (UserNameRequested) {
- /* the name buffer comes from telnetd/telnetd{-ktd}.c */
- strncpy(kname, UserNameRequested, 255);
- kname[255] = '\0';
- }
-
- if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
- return(AUTH_VALID);
- } else
- return(AUTH_USER);
-}
-
-#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
-#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
-
- void
-kerberos4_printsub(data, cnt, buf, buflen)
- unsigned char *data, *buf;
- int cnt;
- unsigned int buflen;
-{
- char lbuf[32];
- register int i;
-
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
- buflen -= 1;
-
- switch(data[3]) {
- case KRB_REJECT: /* Rejected (reason might follow) */
- strncpy((char *)buf, " REJECT ", buflen);
- goto common;
-
- case KRB_ACCEPT: /* Accepted (name might follow) */
- strncpy((char *)buf, " ACCEPT ", buflen);
- common:
- BUMP(buf, buflen);
- if (cnt <= 4)
- break;
- ADDC(buf, buflen, '"');
- for (i = 4; i < cnt; i++)
- ADDC(buf, buflen, data[i]);
- ADDC(buf, buflen, '"');
- ADDC(buf, buflen, '\0');
- break;
-
- case KRB_AUTH: /* Authentication data follows */
- strncpy((char *)buf, " AUTH", buflen);
- goto common2;
-
- case KRB_CHALLENGE:
- strncpy((char *)buf, " CHALLENGE", buflen);
- goto common2;
-
- case KRB_RESPONSE:
- strncpy((char *)buf, " RESPONSE", buflen);
- goto common2;
-
- default:
- sprintf(lbuf, " %d (unknown)", data[3]);
- strncpy((char *)buf, lbuf, buflen);
- common2:
- BUMP(buf, buflen);
- for (i = 4; i < cnt; i++) {
- sprintf(lbuf, " %d", data[i]);
- strncpy((char *)buf, lbuf, buflen);
- BUMP(buf, buflen);
- }
- break;
- }
-}
-
- int
-kerberos4_cksum(d, n)
- unsigned char *d;
- int n;
-{
- int ck = 0;
-
- /*
- * A comment is probably needed here for those not
- * well versed in the "C" language. Yes, this is
- * supposed to be a "switch" with the body of the
- * "switch" being a "while" statement. The whole
- * purpose of the switch is to allow us to jump into
- * the middle of the while() loop, and then not have
- * to do any more switch()s.
- *
- * Some compilers will spit out a warning message
- * about the loop not being entered at the top.
- */
- switch (n&03)
- while (n > 0) {
- case 0:
- ck ^= (int)*d++ << 24;
- --n;
- case 3:
- ck ^= (int)*d++ << 16;
- --n;
- case 2:
- ck ^= (int)*d++ << 8;
- --n;
- case 1:
- ck ^= (int)*d++;
- --n;
- }
- return(ck);
-}
-#else
-#include <krb5.h>
-#include <errno.h>
-
-#endif
-
-#ifdef notdef
-
-prkey(msg, key)
- char *msg;
- unsigned char *key;
-{
- register int i;
- printf("%s:", msg);
- for (i = 0; i < 8; i++)
- printf(" %3d", key[i]);
- printf("\r\n");
-}
-#endif
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos5.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos5.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/kerberos5.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,6 +66,7 @@
#include <errno.h>
#include <stdio.h>
#include "krb5.h"
+#include "k5-platform.h"
#include "com_err.h"
#include <netdb.h>
@@ -266,12 +267,11 @@
rdata.magic = 0;
rdata.length = strlen(telnet_krb5_realm);
- rdata.data = (char *) malloc(rdata.length + 1);
+ rdata.data = strdup(telnet_krb5_realm);
if (rdata.data == NULL) {
fprintf(stderr, "malloc failed\n");
return(0);
}
- strcpy(rdata.data, telnet_krb5_realm);
krb5_princ_set_realm(telnet_context, creds.server, &rdata);
}
@@ -440,9 +440,9 @@
r = krb5_rd_req(telnet_context, &auth_context, &auth,
NULL, keytabid, NULL, &ticket);
if (r) {
- (void) strcpy(errbuf, "krb5_rd_req failed: ");
- errbuf[sizeof(errbuf) - 1] = '\0';
- (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
+ (void) snprintf(errbuf, sizeof(errbuf),
+ "krb5_rd_req failed: %s",
+ error_message(r));
goto errout;
}
@@ -452,7 +452,8 @@
* the default is of length 4.
*/
if (krb5_princ_size(telnet_context,ticket->server) < 1) {
- (void) strcpy(errbuf, "malformed service name");
+ (void) strlcpy(errbuf, "malformed service name",
+ sizeof(errbuf));
goto errout;
}
if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) {
@@ -464,15 +465,16 @@
ticket->server,0)->length] = '\0';
if (strcmp("host", princ)) {
if(strlen(princ) < sizeof(errbuf) - 39) {
- (void) sprintf(errbuf, "incorrect service name: \"%s\" != \"host\"",
+ (void) snprintf(errbuf, sizeof(errbuf), "incorrect service name: \"%s\" != \"host\"",
princ);
} else {
- (void) sprintf(errbuf, "incorrect service name: principal != \"host\"");
+ (void) snprintf(errbuf, sizeof(errbuf), "incorrect service name: principal != \"host\"");
}
goto errout;
}
} else {
- (void) strcpy(errbuf, "service name too long");
+ (void) strlcpy(errbuf, "service name too long",
+ sizeof(errbuf));
goto errout;
}
@@ -480,16 +482,16 @@
auth_context,
&authenticator);
if (r) {
- (void) strcpy(errbuf,
- "krb5_auth_con_getauthenticator failed: ");
- errbuf[sizeof(errbuf) - 1] = '\0';
- (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
- goto errout;
+ (void) snprintf(errbuf, sizeof(errbuf),
+ "krb5_auth_con_getauthenticator failed: %s",
+ error_message(r));
+ goto errout;
}
if ((ap->way & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON &&
!authenticator->checksum) {
- (void) strcpy(errbuf,
- "authenticator is missing required checksum");
+ (void) strlcpy(errbuf,
+ "authenticator is missing required checksum",
+ sizeof(errbuf));
goto errout;
}
if (authenticator->checksum) {
@@ -503,9 +505,9 @@
r = krb5_auth_con_getkey(telnet_context, auth_context,
&key);
if (r) {
- (void) strcpy(errbuf, "krb5_auth_con_getkey failed: ");
- errbuf[sizeof(errbuf) - 1] = '\0';
- (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
+ (void) snprintf(errbuf, sizeof(errbuf),
+ "krb5_auth_con_getkey failed: %s",
+ error_message(r));
goto errout;
}
r = krb5_verify_checksum(telnet_context,
@@ -522,10 +524,9 @@
* present at this time.
*/
if (r) {
- (void) strcpy(errbuf,
- "checksum verification failed: ");
- errbuf[sizeof(errbuf) - 1] = '\0';
- (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
+ (void) snprintf(errbuf, sizeof(errbuf),
+ "checksum verification failed: %s",
+ error_message(r));
goto errout;
}
krb5_free_keyblock(telnet_context, key);
@@ -535,9 +536,9 @@
/* do ap_rep stuff here */
if ((r = krb5_mk_rep(telnet_context, auth_context,
&outbuf))) {
- (void) strcpy(errbuf, "Make reply failed: ");
- errbuf[sizeof(errbuf) - 1] = '\0';
- (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
+ (void) snprintf(errbuf, sizeof(errbuf),
+ "Make reply failed: %s",
+ error_message(r));
goto errout;
}
@@ -589,11 +590,10 @@
&inbuf, ticket))) {
char kerrbuf[128];
-
- (void) strcpy(kerrbuf, "Read forwarded creds failed: ");
- kerrbuf[sizeof(kerrbuf) - 1] = '\0';
- (void) strncat(kerrbuf, error_message(r),
- sizeof(kerrbuf) - 1 - strlen(kerrbuf));
+
+ (void) snprintf(kerrbuf, sizeof(kerrbuf),
+ "Read forwarded creds failed: %s",
+ error_message(r));
Data(ap, KRB_FORWARD_REJECT, kerrbuf, -1);
if (auth_debug_mode)
printf(
@@ -618,9 +618,7 @@
{
char eerrbuf[329];
- strcpy(eerrbuf, "telnetd: ");
- eerrbuf[sizeof(eerrbuf) - 1] = '\0';
- strncat(eerrbuf, errbuf, sizeof(eerrbuf) - 1 - strlen(eerrbuf));
+ snprintf(eerrbuf, sizeof(eerrbuf), "telnetd: %s", errbuf);
Data(ap, KRB_REJECT, eerrbuf, -1);
}
if (auth_debug_mode)
@@ -813,12 +811,12 @@
#endif /* FORWARD */
default:
- sprintf(lbuf, " %d (unknown)", data[3]);
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
strncpy((char *)buf, lbuf, buflen);
common2:
BUMP(buf, buflen);
for (i = 4; i < cnt; i++) {
- sprintf(lbuf, " %d", data[i]);
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
strncpy((char *)buf, lbuf, buflen);
BUMP(buf, buflen);
}
Modified: branches/mkey_migrate/src/appl/telnet/libtelnet/spx.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/libtelnet/spx.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/libtelnet/spx.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -71,6 +71,7 @@
#include <arpa/telnet.h>
#include <stdio.h>
#include "gssapi_defs.h"
+#include "k5-platform.h"
#ifdef __STDC__
#include <stdlib.h>
#endif
@@ -172,9 +173,8 @@
if (server) {
str_data[3] = TELQUAL_REPLY;
gethostname(lhostname, sizeof(lhostname));
- strcpy(targ_printable, "SERVICE:rcmd@");
- strncat(targ_printable, lhostname, sizeof(targ_printable) - 1 - 13);
- targ_printable[sizeof(targ_printable) - 1] = '\0';
+ snprintf(targ_printable, sizeof(targ_printable),
+ "SERVICE:rcmd@%s", lhostname);
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
major_status = gss_import_name(&status,
@@ -216,9 +216,8 @@
char *address;
printf("[ Trying SPX ... ]\n");
- strcpy(targ_printable, "SERVICE:rcmd@");
- strncat(targ_printable, RemoteHostName, sizeof(targ_printable) - 1 - 13);
- targ_printable[sizeof(targ_printable) - 1] = '\0';
+ snprintf(targ_printable, sizeof(targ_printable), "SERVICE:rcmd@%s",
+ RemoteHostName);
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
@@ -325,9 +324,8 @@
gethostname(lhostname, sizeof(lhostname));
- strcpy(targ_printable, "SERVICE:rcmd@");
- strncat(targ_printable, lhostname, sizeof(targ_printable) - 1 - 13);
- targ_printable[sizeof(targ_printable) - 1] = '\0';
+ snprintf(targ_printable, sizeof(targ_printable),
+ "SERVICE:rcmd@%s", lhostname);
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
@@ -563,12 +561,12 @@
goto common2;
default:
- sprintf(lbuf, " %d (unknown)", data[3]);
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
strncpy((char *)buf, lbuf, buflen);
common2:
BUMP(buf, buflen);
for (i = 4; i < cnt; i++) {
- sprintf(lbuf, " %d", data[i]);
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
strncpy((char *)buf, lbuf, buflen);
BUMP(buf, buflen);
}
Modified: branches/mkey_migrate/src/appl/telnet/telnet/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnet/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnet/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -47,8 +47,8 @@
all:: telnet
-telnet: $(OBJS) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a
- $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB4COMPAT_LIBS)
+telnet: $(OBJS) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a
+ $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB5_BASE_LIBS)
clean::
$(RM) telnet
@@ -72,41 +72,3 @@
terminal.o: externs.h ring.h types.h $(ARPA_TELNET)
tn3270.o: defines.h externs.h fdset.h general.h ring.h $(ARPA_TELNET)
utilities.o: defines.h externs.h fdset.h general.h ring.h $(ARPA_TELNET)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)authenc.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- $(srcdir)/../libtelnet/enc-proto.h $(srcdir)/../libtelnet/encrypt.h \
- $(srcdir)/../libtelnet/misc-proto.h $(srcdir)/../libtelnet/misc.h \
- authenc.c defines.h externs.h general.h ring.h types.h
-$(OUTPRE)commands.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../arpa/telnet.h \
- $(srcdir)/../libtelnet/auth-proto.h $(srcdir)/../libtelnet/auth.h \
- $(srcdir)/../libtelnet/enc-proto.h $(srcdir)/../libtelnet/encrypt.h \
- $(srcdir)/../libtelnet/misc-proto.h commands.c defines.h \
- externs.h general.h ring.h types.h
-$(OUTPRE)main.$(OBJEXT): $(srcdir)/../libtelnet/auth-proto.h \
- $(srcdir)/../libtelnet/auth.h $(srcdir)/../libtelnet/enc-proto.h \
- $(srcdir)/../libtelnet/encrypt.h defines.h externs.h \
- main.c ring.h
-$(OUTPRE)network.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- defines.h externs.h fdset.h network.c ring.h
-$(OUTPRE)ring.$(OBJEXT): general.h ring.c ring.h
-$(OUTPRE)sys_bsd.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- defines.h externs.h fdset.h ring.h sys_bsd.c types.h
-$(OUTPRE)telnet.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- $(srcdir)/../libtelnet/auth-proto.h $(srcdir)/../libtelnet/auth.h \
- $(srcdir)/../libtelnet/enc-proto.h $(srcdir)/../libtelnet/encrypt.h \
- $(srcdir)/../libtelnet/misc-proto.h defines.h externs.h \
- general.h ring.h telnet.c types.h
-$(OUTPRE)terminal.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- $(srcdir)/../libtelnet/enc-proto.h $(srcdir)/../libtelnet/encrypt.h \
- externs.h ring.h terminal.c types.h
-$(OUTPRE)utilities.$(OBJEXT): $(srcdir)/../arpa/telnet.h \
- $(srcdir)/../libtelnet/auth-proto.h $(srcdir)/../libtelnet/auth.h \
- $(srcdir)/../libtelnet/enc-proto.h $(srcdir)/../libtelnet/encrypt.h \
- defines.h externs.h fdset.h general.h ring.h utilities.c
Modified: branches/mkey_migrate/src/appl/telnet/telnet/commands.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnet/commands.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnet/commands.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -117,6 +117,8 @@
#include "fake-addrinfo.h"
+#include <k5-platform.h>
+
char *hostname;
static char _hostname[MAXDNAME];
static char hostaddrstring[NI_MAXHOST];
@@ -1745,8 +1747,8 @@
env_init()
{
extern char **environ;
- register char **epp, *cp;
- register struct env_lst *ep;
+ char **epp, *cp;
+ struct env_lst *ep;
for (epp = environ; *epp; epp++) {
if ((cp = strchr(*epp, '='))) {
@@ -1770,8 +1772,7 @@
gethostname(hbuf, 256);
hbuf[256] = '\0';
- cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
- sprintf((char *)cp, "%s%s", hbuf, cp2);
+ asprintf(&cp, "%s%s", hbuf, cp2);
free(ep->value);
ep->value = (unsigned char *)cp;
}
@@ -2431,7 +2432,7 @@
return 0;
}
if (argc < 2) {
- (void) strcpy(line, "open ");
+ (void) strlcpy(line, "open ", sizeof(line));
printf("(to) ");
(void) fgets(&line[strlen(line)], (int) (sizeof(line) - strlen(line)),
stdin);
@@ -2580,7 +2581,8 @@
if (error) {
fprintf (stderr, "getnameinfo() error printing address: %s\n",
gai_strerror (error));
- strcpy (hostaddrstring, "[address unprintable]");
+ strlcpy (hostaddrstring, "[address unprintable]",
+ sizeof(hostaddrstring));
}
printf("Trying %s...\r\n", hostaddrstring);
#if defined(IP_OPTIONS) && defined(IPPROTO_IP)
Copied: branches/mkey_migrate/src/appl/telnet/telnet/deps (from rev 21721, trunk/src/appl/telnet/telnet/deps)
Modified: branches/mkey_migrate/src/appl/telnet/telnet/main.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnet/main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnet/main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -235,14 +235,6 @@
#endif
break;
case 'k':
-#if defined(AUTHENTICATION) && defined(KRB4)
- {
- extern char *dest_realm, dst_realm_buf[];
- extern unsigned int dst_realm_sz;
- dest_realm = dst_realm_buf;
- (void)strncpy(dest_realm, optarg, dst_realm_sz);
- }
-#endif
#if defined(AUTHENTICATION) && defined(KRB5)
{
extern char *telnet_krb5_realm;
@@ -250,8 +242,7 @@
telnet_krb5_realm = optarg;
break;
}
-#endif
-#if !defined(AUTHENTICATION) || (!defined(KRB4) && !defined(KRB5))
+#else
fprintf(stderr,
"%s: Warning: -k ignored, no Kerberos V4 support.\n",
prompt);
Modified: branches/mkey_migrate/src/appl/telnet/telnet/telnet.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnet/telnet.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnet/telnet.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -79,6 +79,8 @@
#include <libtelnet/misc-proto.h>
#endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */
+#include <k5-platform.h>
+
static int is_unique (char *, char **, char **);
@@ -867,8 +869,8 @@
name = gettermname();
len = strlen(name) + 4 + 2;
if (len < NETROOM()) {
- sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
- TELQUAL_IS, name, IAC, SE);
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c",
+ IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE);
ring_supply_data(&netoring, temp, len);
printsub('>', &temp[2], len-2);
} else {
@@ -889,8 +891,8 @@
TerminalSpeeds(&ispeed, &o_speed);
- sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
- TELQUAL_IS, o_speed, ispeed, IAC, SE);
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC,
+ SB, TELOPT_TSPEED, TELQUAL_IS, o_speed, ispeed, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
@@ -995,8 +997,8 @@
send_wont(TELOPT_XDISPLOC, 1);
break;
}
- sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
- TELQUAL_IS, dp, IAC, SE);
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c",
+ IAC, SB, TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
Modified: branches/mkey_migrate/src/appl/telnet/telnet/utilities.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnet/utilities.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnet/utilities.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -61,6 +61,8 @@
#include <libtelnet/encrypt.h>
#endif
+#include <k5-platform.h>
+
FILE *NetTrace = 0; /* Not in bss, since needs to stay */
int prettydump;
@@ -646,7 +648,7 @@
}
{
char tbuf[64];
- sprintf(tbuf, "%s%s%s%s%s",
+ snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
pointer[2]&MODE_EDIT ? "|EDIT" : "",
pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
Modified: branches/mkey_migrate/src/appl/telnet/telnetd/Makefile.in
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnetd/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnetd/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,7 +30,7 @@
DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF) $(OTHERDEFS)
ARPA_TELNET= $(srcdir)/../arpa/telnet.h
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
+PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
LIBS= @TELNETD_LIBS@
@@ -60,8 +60,8 @@
all:: telnetd
-telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a
- $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS)
+telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a
+ $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS)
clean::
$(RM) telnetd
@@ -82,63 +82,3 @@
telnetd.o: telnetd.h defs.h ext.h $(ARPA_TELNET)
termstat.o: telnetd.h defs.h ext.h $(ARPA_TELNET)
utility.o: telnetd.h defs.h ext.h $(ARPA_TELNET)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)telnetd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/auth-proto.h \
- $(srcdir)/../libtelnet/auth.h $(srcdir)/../libtelnet/enc-proto.h \
- $(srcdir)/../libtelnet/encrypt.h $(srcdir)/../libtelnet/misc-proto.h \
- defs.h ext.h pathnames.h telnetd.c telnetd.h
-$(OUTPRE)termio-tn.$(OBJEXT): termio-tn.c
-$(OUTPRE)termios-tn.$(OBJEXT): termios-tn.c
-$(OUTPRE)state.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/auth-proto.h \
- $(srcdir)/../libtelnet/auth.h $(srcdir)/../libtelnet/enc-proto.h \
- $(srcdir)/../libtelnet/encrypt.h defs.h ext.h state.c \
- telnetd.h
-$(OUTPRE)termstat.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h defs.h ext.h telnetd.h termstat.c
-$(OUTPRE)slc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h defs.h ext.h slc.c telnetd.h
-$(OUTPRE)sys_term.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/auth-proto.h \
- $(srcdir)/../libtelnet/auth.h defs.h ext.h pathnames.h \
- sys_term.c telnetd.h
-$(OUTPRE)utility.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/auth-proto.h \
- $(srcdir)/../libtelnet/auth.h $(srcdir)/../libtelnet/enc-proto.h \
- $(srcdir)/../libtelnet/encrypt.h defs.h ext.h telnetd.h \
- utility.c
-$(OUTPRE)global.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h defs.h ext.h global.c
-$(OUTPRE)authenc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/misc-proto.h \
- $(srcdir)/../libtelnet/misc.h authenc.c defs.h ext.h \
- telnetd.h
Copied: branches/mkey_migrate/src/appl/telnet/telnetd/deps (from rev 21721, trunk/src/appl/telnet/telnetd/deps)
Modified: branches/mkey_migrate/src/appl/telnet/telnetd/slc.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnetd/slc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnetd/slc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -154,8 +154,8 @@
slcchange = 0;
if (getit)
init_termbuf();
- (void) sprintf((char *)slcbuf, "%c%c%c%c",
- IAC, SB, TELOPT_LINEMODE, LM_SLC);
+ (void) snprintf((char *)slcbuf, sizeof(slcbuf), "%c%c%c%c",
+ IAC, SB, TELOPT_LINEMODE, LM_SLC);
slcptr = slcbuf + 4;
} /* end of start_slc */
@@ -195,8 +195,9 @@
*bufp = &slcbuf[4];
return(slcptr - slcbuf - 4);
} else {
- (void) sprintf((char *)slcptr, "%c%c", IAC, SE);
- slcptr += 2;
+ *slcptr++ = IAC;
+ *slcptr++ = SE;
+ *slcptr = 0;
len = slcptr - slcbuf;
netwrite(slcbuf, len);
netflush(); /* force it out immediately */
Modified: branches/mkey_migrate/src/appl/telnet/telnetd/sys_term.c
===================================================================
--- branches/mkey_migrate/src/appl/telnet/telnetd/sys_term.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/appl/telnet/telnetd/sys_term.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1133,7 +1133,8 @@
*/
if ((i = open(INIT_FIFO, O_WRONLY)) < 0) {
char tbuf[128];
- (void) sprintf(tbuf, "Can't open %s\n", INIT_FIFO);
+ (void) snprintf(tbuf, sizeof(tbuf), "Can't open %s\n",
+ INIT_FIFO);
fatalperror(net, tbuf);
}
memset((char *)&request, 0, sizeof(request));
@@ -1156,7 +1157,8 @@
#endif /* BFTPDAEMON */
if (write(i, (char *)&request, sizeof(request)) < 0) {
char tbuf[128];
- (void) sprintf(tbuf, "Can't write to %s\n", INIT_FIFO);
+ (void) snprintf(tbuf, sizeof(tbuf), "Can't write to %s\n",
+ INIT_FIFO);
fatalperror(net, tbuf);
}
(void) close(i);
@@ -1168,7 +1170,7 @@
if (i == 3 || n >= 0 || !gotalarm)
break;
gotalarm = 0;
- sprintf(tbuf, "telnetd: waiting for /etc/init to start login process on %s\r\n", line);
+ snprintf(tbuf, sizeof(tbuf), "telnetd: waiting for /etc/init to start login process on %s\r\n", line);
(void) write(net, tbuf, strlen(tbuf));
}
if (n < 0 && gotalarm)
@@ -1255,9 +1257,7 @@
if (term == NULL || term[0] == 0) {
term = "-";
} else {
- strcpy(termbuf, "TERM=");
- strncat(termbuf, term, sizeof(termbuf) - 6);
- termbuf[sizeof(termbuf) - 1] = '\0';
+ snprintf(termbuf, sizeof(termbuf), "TERM=%s", term);
term = termbuf;
}
argv = addarg(argv, term);
@@ -1357,13 +1357,9 @@
write(xpty, name, len);
write(xpty, name, len);
memset(speed, 0, sizeof(speed));
- strncpy(speed,
- (cp = getenv("TERM")) ? cp : "",
- sizeof(speed)-1-(10*sizeof(def_rspeed)/4)-1);
- /* 1 for /, () for the number, 1 for trailing 0. */
- sprintf(speed + strlen(speed),
- "/%d",
- (def_rspeed > 0) ? def_rspeed : 9600);
+ snprintf(speed, sizeof(speed), "%s/%d",
+ (cp = getenv("TERM")) ? cp : "",
+ (def_rspeed > 0) ? def_rspeed : 9600);
len = strlen(speed)+1;
write(xpty, speed, len);
Copied: branches/mkey_migrate/src/appl/user_user/deps (from rev 21721, trunk/src/appl/user_user/deps)
Modified: branches/mkey_migrate/src/ccapi/common/cci_types.h
===================================================================
--- branches/mkey_migrate/src/ccapi/common/cci_types.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/ccapi/common/cci_types.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,7 +39,7 @@
/* cc_context_t */
cci_context_first_msg_id,
- cci_context_release_msg_id,
+ cci_context_unused_release_msg_id, /* Unused. Handle for old clients. */
cci_context_sync_msg_id,
cci_context_get_change_time_msg_id,
cci_context_wait_for_change_msg_id,
Modified: branches/mkey_migrate/src/ccapi/lib/ccapi_context.c
===================================================================
--- branches/mkey_migrate/src/ccapi/lib/ccapi_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/ccapi/lib/ccapi_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -198,6 +198,16 @@
#endif
/* ------------------------------------------------------------------------ */
+/*
+ * Currently does not need to talk to the server since the server must
+ * handle cleaning up resources from crashed clients anyway.
+ *
+ * NOTE: if server communication is ever added here, make sure that
+ * krb5_stdcc_shutdown calls an internal function which does not talk to the
+ * server. krb5_stdcc_shutdown is called from thread fini functions and may
+ * crash talking to the server depending on what order the OS calls the fini
+ * functions (ie: if the ipc layer fini function is called first).
+ */
cc_int32 ccapi_context_release (cc_context_t in_context)
{
@@ -207,17 +217,6 @@
if (!in_context) { err = ccErrBadParam; }
if (!err) {
- err = cci_context_sync (context, 0);
- }
-
- if (!err) {
- err = cci_ipc_send_no_launch (cci_context_release_msg_id,
- context->identifier,
- NULL,
- NULL);
- }
-
- if (!err) {
cci_identifier_release (context->identifier);
free (context->functions);
free (context);
Modified: branches/mkey_migrate/src/ccapi/lib/ccapi_context.h
===================================================================
--- branches/mkey_migrate/src/ccapi/lib/ccapi_context.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/ccapi/lib/ccapi_context.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,6 +29,10 @@
#include "cci_common.h"
+/* Used for freeing ccapi context in thread fini calls
+ * Does not tell the server you are exiting. */
+cc_int32 cci_context_destroy (cc_context_t in_context);
+
cc_int32 ccapi_context_release (cc_context_t in_context);
cc_int32 ccapi_context_get_change_time (cc_context_t in_context,
Modified: branches/mkey_migrate/src/ccapi/lib/ccapi_string.c
===================================================================
--- branches/mkey_migrate/src/ccapi/lib/ccapi_string.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/ccapi/lib/ccapi_string.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -67,10 +67,8 @@
}
if (!err) {
- string->data = malloc (strlen (in_cstring) + 1);
- if (string->data) {
- strcpy ((char *)string->data, in_cstring);
- } else {
+ string->data = strdup (in_cstring);
+ if (!string->data) {
err = cci_check_error (ccErrNoMem);
}
Modified: branches/mkey_migrate/src/ccapi/server/ccs_cache_collection.c
===================================================================
--- branches/mkey_migrate/src/ccapi/server/ccs_cache_collection.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/ccapi/server/ccs_cache_collection.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -571,25 +571,6 @@
/* ------------------------------------------------------------------------ */
-static cc_int32 ccs_cache_collection_context_release (ccs_cache_collection_t io_cache_collection,
- k5_ipc_stream in_request_data,
- k5_ipc_stream io_reply_data)
-{
- cc_int32 err = ccNoError;
-
- if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); }
- if (!in_request_data ) { err = cci_check_error (ccErrBadParam); }
- if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); }
-
- if (!err) {
- /* Currently does nothing */
- }
-
- return cci_check_error (err);
-}
-
-/* ------------------------------------------------------------------------ */
-
static cc_int32 ccs_cache_collection_sync (ccs_cache_collection_t io_cache_collection,
k5_ipc_stream in_request_data,
k5_ipc_stream io_reply_data)
@@ -1051,9 +1032,8 @@
}
if (!err) {
- if (in_request_name == cci_context_release_msg_id) {
- err = ccs_cache_collection_context_release (io_cache_collection,
- in_request_data, reply_data);
+ if (in_request_name == cci_context_unused_release_msg_id) {
+ /* Old release message. Do nothing. */
} else if (in_request_name == cci_context_sync_msg_id) {
err = ccs_cache_collection_sync (io_cache_collection,
Copied: branches/mkey_migrate/src/clients/deps (from rev 21721, trunk/src/clients/deps)
Modified: branches/mkey_migrate/src/clients/kcpytkt/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kcpytkt/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kcpytkt/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -20,8 +20,8 @@
##WIN32##all-windows:: $(KCPYTKT)
all-mac::
-kcpytkt: kcpytkt.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kcpytkt.o $(KRB4COMPAT_LIBS)
+kcpytkt: kcpytkt.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ kcpytkt.o $(KRB5_BASE_LIBS)
##WIN32##$(KCPYTKT): $(OUTPRE)kcpytkt.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) /out:$@ $**
Modified: branches/mkey_migrate/src/clients/kdeltkt/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kdeltkt/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kdeltkt/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -20,8 +20,8 @@
##WIN32##all-windows:: $(KDELTKT)
all-mac::
-kdeltkt: kdeltkt.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kdeltkt.o $(KRB4COMPAT_LIBS)
+kdeltkt: kdeltkt.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ kdeltkt.o $(KRB5_BASE_LIBS)
##WIN32##$(KDELTKT): $(OUTPRE)kdeltkt.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) /out:$@ $**
Modified: branches/mkey_migrate/src/clients/kdestroy/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kdestroy/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kdestroy/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -22,8 +22,8 @@
all-unix:: kdestroy
##WIN32##all-windows:: $(KDESTROY)
-kdestroy: kdestroy.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kdestroy.o $(KRB4COMPAT_LIBS)
+kdestroy: kdestroy.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS)
##WIN32##$(KDESTROY): $(OUTPRE)kdestroy.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) -out:$@ $**
@@ -39,13 +39,3 @@
$(INSTALL_DATA) $(srcdir)/$$f.M \
$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdestroy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- kdestroy.c
Copied: branches/mkey_migrate/src/clients/kdestroy/deps (from rev 21721, trunk/src/clients/kdestroy/deps)
Modified: branches/mkey_migrate/src/clients/kdestroy/kdestroy.M
===================================================================
--- branches/mkey_migrate/src/clients/kdestroy/kdestroy.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kdestroy/kdestroy.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,7 +26,7 @@
kdestroy \- destroy Kerberos tickets
.SH SYNOPSIS
.B kdestroy
-[\fB\-5\fP] [\fB\-4\fP] [\fB\-q\fP] [\fB\-c\fP \fIcache_name]
+[\fB\-q\fP] [\fB\-c\fP \fIcache_name]
.br
.SH DESCRIPTION
The
@@ -35,24 +35,8 @@
writing zeros to the specified credentials cache that contains them. If
the credentials cache is not specified, the default credentials cache is
destroyed.
-If kdestroy was built with Kerberos 4 support, the default behavior is to
-destroy both Kerberos 5 and Kerberos 4 credentials. Otherwise, kdestroy
-will default to destroying only Kerberos 5 credentials.
.SH OPTIONS
.TP
-.B \-5
-destroy Kerberos 5 credentials. This overrides whatever the default built-in
-behavior may be. This option may be used with
-.B \-4
-.
-.TP
-.B \-4
-destroy Kerberos 4 credentials. This overrides whatever the default built-in
-behavior may be. This option is only available if kinit was built
-with Kerberos 4 compatibility. This option may be used with
-.B \-5
-.
-.TP
.B \-q
Run quietly. Normally
.B kdestroy
@@ -82,18 +66,11 @@
.TP "\w'.SM KRB5CCNAME\ \ 'u"
.SM KRB5CCNAME
Location of the Kerberos 5 credentials (ticket) cache.
-.TP "\w'.SM KRBTKFILE\ \ 'u"
-.SM KRBTKFILE
-Filename of the Kerberos 4 credentials (ticket) cache.
.SH FILES
.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
/tmp/krb5cc_[uid]
default location of Kerberos 5 credentials cache
([uid] is the decimal UID of the user).
-.TP "\w'/tmp/tkt[uid]\ \ 'u"
-/tmp/tkt[uid]
-default location of Kerberos 4 credentials cache
-([uid] is the decimal UID of the user).
.SH SEE ALSO
kinit(1), klist(1), krb5(3)
.SH BUGS
Modified: branches/mkey_migrate/src/clients/kdestroy/kdestroy.c
===================================================================
--- branches/mkey_migrate/src/clients/kdestroy/kdestroy.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kdestroy/kdestroy.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,10 +36,6 @@
#include <unistd.h>
#endif
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
-
#ifdef __STDC__
#define BELL_CHAR '\a'
#else
@@ -57,29 +53,12 @@
char *progname;
-int got_k5 = 0;
-int got_k4 = 0;
-int default_k5 = 1;
-#ifdef KRB5_KRB4_COMPAT
-int default_k4 = 1;
-#else
-int default_k4 = 0;
-#endif
-
-
static void usage()
{
#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
- fprintf(stderr, "Usage: %s [-5] [-4] [-q] [-c cache_name]\n", progname);
- fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
- fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
- fprintf(stderr, "\t (Default is %s%s%s%s)\n",
- default_k5?"Kerberos 5":"",
- (default_k5 && default_k4)?" and ":"",
- default_k4?"Kerberos 4":"",
- (!default_k5 && !default_k4)?"neither":"");
+ fprintf(stderr, "Usage: %s [-q] [-c cache_name]\n", progname);
fprintf(stderr, "\t-q quiet mode\n");
fprintf(stderr, "\t-c specify name of credentials cache\n");
exit(2);
@@ -96,23 +75,11 @@
krb5_ccache cache = NULL;
char *cache_name = NULL;
int code = 0;
-#ifdef KRB5_KRB4_COMPAT
- int v4code = 0;
- int v4 = 1;
-#endif
int errflg = 0;
int quiet = 0;
- int use_k5 = 0;
- int use_k4 = 0;
-
progname = GET_PROGNAME(argv[0]);
- got_k5 = 1;
-#ifdef KRB5_KRB4_COMPAT
- got_k4 = 1;
-#endif
-
while ((c = getopt(argc, argv, "54qc:")) != -1) {
switch (c) {
case 'q':
@@ -127,24 +94,10 @@
}
break;
case '4':
- if (!got_k4)
- {
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Kerberos 4 support could not be loaded\n");
-#else
- fprintf(stderr, "This was not built with Kerberos 4 support\n");
-#endif
- exit(3);
- }
- use_k4 = 1;
+ fprintf(stderr, "Kerberos 4 is no longer supported\n");
+ exit(3);
break;
case '5':
- if (!got_k5)
- {
- fprintf(stderr, "Kerberos 5 support could not be loaded\n");
- exit(3);
- }
- use_k5 = 1;
break;
case '?':
default:
@@ -160,69 +113,38 @@
usage();
}
- if (!use_k5 && !use_k4)
- {
- use_k5 = default_k5;
- use_k4 = default_k4;
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
+ com_err(progname, retval, "while initializing krb5");
+ exit(1);
}
- if (!use_k5)
- got_k5 = 0;
- if (!use_k4)
- got_k4 = 0;
-
- if (got_k5) {
- retval = krb5_init_context(&kcontext);
- if (retval) {
- com_err(progname, retval, "while initializing krb5");
+ if (cache_name) {
+ code = krb5_cc_resolve (kcontext, cache_name, &cache);
+ if (code != 0) {
+ com_err (progname, code, "while resolving %s", cache_name);
exit(1);
}
-
- if (cache_name) {
-#ifdef KRB5_KRB4_COMPAT
- v4 = 0; /* Don't do v4 if doing v5 and cache name given. */
-#endif
- code = krb5_cc_resolve (kcontext, cache_name, &cache);
- if (code != 0) {
- com_err (progname, code, "while resolving %s", cache_name);
- exit(1);
- }
- } else {
- code = krb5_cc_default(kcontext, &cache);
- if (code) {
- com_err(progname, code, "while getting default ccache");
- exit(1);
- }
+ } else {
+ code = krb5_cc_default(kcontext, &cache);
+ if (code) {
+ com_err(progname, code, "while getting default ccache");
+ exit(1);
}
-
- code = krb5_cc_destroy (kcontext, cache);
- if (code != 0) {
- com_err (progname, code, "while destroying cache");
- if (code != KRB5_FCC_NOFILE) {
- if (quiet)
- fprintf(stderr, "Ticket cache NOT destroyed!\n");
- else {
- fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n",
- BELL_CHAR, BELL_CHAR);
- }
- errflg = 1;
- }
- }
}
-#ifdef KRB5_KRB4_COMPAT
- if (got_k4 && v4) {
- v4code = dest_tkt();
- if (v4code == KSUCCESS && code != 0)
- fprintf(stderr, "Kerberos 4 ticket cache destroyed.\n");
- if (v4code != KSUCCESS && v4code != RET_TKFIL) {
+
+ code = krb5_cc_destroy (kcontext, cache);
+ if (code != 0) {
+ com_err (progname, code, "while destroying cache");
+ if (code != KRB5_FCC_NOFILE) {
if (quiet)
- fprintf(stderr, "Kerberos 4 ticket cache NOT destroyed!\n");
- else
- fprintf(stderr, "Kerberos 4 ticket cache %cNOT%c destroyed!\n",
+ fprintf(stderr, "Ticket cache NOT destroyed!\n");
+ else {
+ fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n",
BELL_CHAR, BELL_CHAR);
+ }
errflg = 1;
}
}
-#endif
return errflg;
}
Modified: branches/mkey_migrate/src/clients/kinit/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kinit/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kinit/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,8 +25,8 @@
all-unix:: kinit
##WIN32##all-windows:: $(KINIT)
-kinit: kinit.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kinit.o $(KRB4COMPAT_LIBS)
+kinit: kinit.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ kinit.o $(KRB5_BASE_LIBS)
##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib
@@ -42,13 +42,3 @@
$(INSTALL_DATA) $(srcdir)/$$f.M \
$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kinit.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h kinit.c
Copied: branches/mkey_migrate/src/clients/kinit/deps (from rev 21721, trunk/src/clients/kinit/deps)
Modified: branches/mkey_migrate/src/clients/kinit/kinit.M
===================================================================
--- branches/mkey_migrate/src/clients/kinit/kinit.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kinit/kinit.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,8 +28,6 @@
.TP
.B kinit
.ad l
-[\fB\-5\fP]
-[\fB\-4\fP]
[\fB\-V\fP]
[\fB\-l\fP \fIlifetime\fP] [\fB\-s\fP \fIstart_time\fP]
[\fB\-r\fP \fIrenewable_life\fP]
@@ -48,28 +46,8 @@
.I kinit
obtains and caches an initial ticket-granting ticket for
.IR principal .
-The typical default behavior is to acquire only
-Kerberos 5 tickets. However, if kinit was built with both
-Kerberos 4 support and with the default behavior of acquiring both
-types of tickets, it will try to acquire both Kerberos 5 and Kerberos 4
-by default.
-Any documentation particular to Kerberos 4 does not apply if Kerberos 4
-support was not built into kinit.
.SH OPTIONS
.TP
-.B \-5
-get Kerberos 5 tickets. This overrides whatever the default built-in
-behavior may be. This option may be used with
-.B \-4
-.
-.TP
-.B \-4
-get Kerberos 4 tickets. This overrides whatever the default built-in
-behavior may be. This option is only available if kinit was built
-with Kerberos 4 compatibility. This option may be used with
-.B \-5
-.
-.TP
.B \-V
display verbose output.
.TP
@@ -105,45 +83,43 @@
Postdated tickets are issued with the
.I invalid
flag set, and need to be fed back to the kdc before use.
-(Not applicable to Kerberos 4.)
.TP
\fB\-r\fP \fIrenewable_life\fP
requests renewable tickets, with a total lifetime of
.IR renewable_life .
The duration is in the same format as the
.B \-l
-option, with the same delimiters. (Not applicable to Kerberos 4.)
+option, with the same delimiters.
.TP
.B \-f
-request forwardable tickets. (Not applicable to Kerberos 4.)
+request forwardable tickets.
.TP
.B \-F
-do not request forwardable tickets. (Not applicable to Kerberos 4.)
+do not request forwardable tickets.
.TP
.B \-p
-request proxiable tickets. (Not applicable to Kerberos 4.)
+request proxiable tickets.
.TP
.B \-P
-do not request proxiable tickets. (Not applicable to Kerberos 4.)
+do not request proxiable tickets.
.TP
.B \-a
-request tickets with the local address[es]. (Not applicable to Kerberos 4.)
+request tickets with the local address[es].
.TP
.B \-A
-request address-less tickets. (Not applicable to Kerberos 4.)
+request address-less tickets.
.TP
.B \-v
requests that the ticket granting ticket in the cache (with the
.I invalid
flag set) be passed to the kdc for validation. If the ticket is within
its requested time range, the cache is replaced with the validated
-ticket. (Not applicable to Kerberos 4.)
+ticket.
.TP
.B \-R
requests renewal of the ticket-granting ticket. Note that an expired
ticket cannot be renewed, even if the ticket is still within its
-renewable life. When using this option with Kerberos 4, the kdc must
-support Kerberos 5 to Kerberos 4 ticket conversion.
+renewable life.
.TP
\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
requests a host ticket, obtained from a key in the local host's
@@ -152,9 +128,7 @@
the
.B \-t
.I keytab_file
-option; otherwise the default name and location will be used. When using
-this option with Kerberos 4, the kdc must support Kerberos 5 to Kerberos 4
-ticket conversion.
+option; otherwise the default name and location will be used.
.TP
\fB\-c\fP \fIcache_name\fP
use
@@ -167,15 +141,10 @@
environment variable is set, its value is used to name the default
ticket cache. Any existing contents of the cache are destroyed by
.IR kinit .
-(Note: The default name for Kerberos 4 comes from the
-.B KRBTKFILE
-environment variable. This option does not apply to Kerberos 4.)
.TP
\fB\-S\fP \fIservice_name\fP
specify an alternate service name to use when
-getting initial tickets. (Applicable to Kerberos 5 or if using both
-Kerberos 5 and Kerberos 4 with a kdc that supports Kerberos 5 to Kerberos 4
-ticket conversion.)
+getting initial tickets.
.TP
\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
specify a pre\-authentication attribute and value to be passed to
@@ -204,18 +173,11 @@
.TP "\w'.SM KRB5CCNAME\ \ 'u"
.SM KRB5CCNAME
Location of the Kerberos 5 credentials (ticket) cache.
-.TP "\w'.SM KRBTKFILE\ \ 'u"
-.SM KRBTKFILE
-Filename of the Kerberos 4 credentials (ticket) cache.
.SH FILES
.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
/tmp/krb5cc_[uid]
default location of Kerberos 5 credentials cache
([uid] is the decimal UID of the user).
-.TP "\w'/tmp/tkt[uid]\ \ 'u"
-/tmp/tkt[uid]
-default location of Kerberos 4 credentials cache
-([uid] is the decimal UID of the user).
.TP
/etc/krb5.keytab
default location for the local host's
Modified: branches/mkey_migrate/src/clients/kinit/kinit.c
===================================================================
--- branches/mkey_migrate/src/clients/kinit/kinit.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kinit/kinit.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,12 +30,6 @@
#include "autoconf.h"
#include "k5-platform.h" /* for asprintf */
#include <krb5.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#define HAVE_KRB524
-#else
-#undef HAVE_KRB524
-#endif
#include <string.h>
#include <stdio.h>
#include <time.h>
@@ -98,27 +92,8 @@
#endif /* _WIN32 */
#endif /* HAVE_PWD_H */
-static char* progname_v5 = 0;
-#ifdef KRB5_KRB4_COMPAT
-static char* progname_v4 = 0;
-static char* progname_v524 = 0;
-#endif
+static char *progname;
-static int got_k5 = 0;
-static int got_k4 = 0;
-
-static int default_k5 = 1;
-#if defined(KRB5_KRB4_COMPAT) && defined(KINIT_DEFAULT_BOTH)
-static int default_k4 = 1;
-#else
-static int default_k4 = 0;
-#endif
-
-static int authed_k5 = 0;
-static int authed_k4 = 0;
-
-#define KRB4_BACKUP_DEFAULT_LIFE_SECS 24*60*60 /* 1 day */
-
typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
struct k_opts
@@ -142,12 +117,14 @@
char* service_name;
char* keytab_name;
char* k5_cache_name;
- char* k4_cache_name;
action_type action;
int num_pa_opts;
krb5_gic_opt_pa_data *pa_opts;
+
+ int canonicalize;
+ int enterprise;
};
struct k5_data
@@ -158,17 +135,6 @@
char* name;
};
-struct k4_data
-{
- krb5_deltat lifetime;
-#ifdef KRB5_KRB4_COMPAT
- char aname[ANAME_SZ + 1];
- char inst[INST_SZ + 1];
- char realm[REALM_SZ + 1];
- char name[ANAME_SZ + 1 + INST_SZ + 1 + REALM_SZ + 1];
-#endif
-};
-
#ifdef GETOPT_LONG
/* if struct[2] == NULL, then long_getopt acts as if the short flag
struct[3] was specified. If struct[2] != NULL, then struct[3] is
@@ -182,6 +148,8 @@
{ "forwardable", 0, NULL, 'f' },
{ "proxiable", 0, NULL, 'p' },
{ "noaddresses", 0, NULL, 'A' },
+ { "canonicalize", 0, NULL, 'C' },
+ { "enterprise", 0, NULL, 'E' },
{ NULL, 0, NULL, 0 }
};
@@ -191,24 +159,27 @@
#endif
static void
-usage(progname)
- char *progname;
+usage()
{
#define USAGE_BREAK "\n\t"
#ifdef GETOPT_LONG
-#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
-#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
-#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
+#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
+#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_LONG_CANONICALIZE " | --canonicalize"
+#define USAGE_LONG_ENTERPRISE " | --enterprise"
#define USAGE_BREAK_LONG USAGE_BREAK
#else
-#define USAGE_LONG_FORWARDABLE ""
-#define USAGE_LONG_PROXIABLE ""
-#define USAGE_LONG_ADDRESSES ""
-#define USAGE_BREAK_LONG ""
+#define USAGE_LONG_FORWARDABLE ""
+#define USAGE_LONG_PROXIABLE ""
+#define USAGE_LONG_ADDRESSES ""
+#define USAGE_LONG_CANONICALIZE ""
+#define USAGE_LONG_ENTERPRISE ""
+#define USAGE_BREAK_LONG ""
#endif
- fprintf(stderr, "Usage: %s [-5] [-4] [-V] "
+ fprintf(stderr, "Usage: %s [-V] "
"[-l lifetime] [-s start_time] "
USAGE_BREAK
"[-r renewable_life] "
@@ -217,7 +188,11 @@
"[-p | -P" USAGE_LONG_PROXIABLE "] "
USAGE_BREAK_LONG
"[-a | -A" USAGE_LONG_ADDRESSES "] "
+ USAGE_BREAK_LONG
+ "[-C" USAGE_LONG_CANONICALIZE "] "
USAGE_BREAK
+ "[-E" USAGE_LONG_ENTERPRISE "] "
+ USAGE_BREAK
"[-v] [-R] "
"[-k [-t keytab_file]] "
"[-c cachename] "
@@ -227,54 +202,26 @@
"\n\n",
progname);
-#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
-
-#define OPTTYPE_KRB5 "5"
-#define OPTTYPE_KRB4 "4"
-#define OPTTYPE_EITHER "Either 4 or 5"
-#ifdef HAVE_KRB524
-#define OPTTYPE_BOTH "5, or both 5 and 4"
-#else
-#define OPTTYPE_BOTH "5"
-#endif
-
-#ifdef KRB5_KRB4_COMPAT
-#define USAGE_OPT_FMT "%s%-50s%s\n"
-#define ULINE(indent, col1, col2) \
-fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
-#else
-#define USAGE_OPT_FMT "%s%s\n"
-#define ULINE(indent, col1, col2) \
-fprintf(stderr, USAGE_OPT_FMT, indent, col1)
-#endif
-
- ULINE(" ", "options:", "valid with Kerberos:");
- fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
- fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
- fprintf(stderr, "\t (Default behavior is to try %s%s%s%s)\n",
- default_k5?"Kerberos 5":"",
- (default_k5 && default_k4)?" and ":"",
- default_k4?"Kerberos 4":"",
- (!default_k5 && !default_k4)?"neither":"");
- ULINE("\t", "-V verbose", OPTTYPE_EITHER);
- ULINE("\t", "-l lifetime", OPTTYPE_EITHER);
- ULINE("\t", "-s start time", OPTTYPE_KRB5);
- ULINE("\t", "-r renewable lifetime", OPTTYPE_KRB5);
- ULINE("\t", "-f forwardable", OPTTYPE_KRB5);
- ULINE("\t", "-F not forwardable", OPTTYPE_KRB5);
- ULINE("\t", "-p proxiable", OPTTYPE_KRB5);
- ULINE("\t", "-P not proxiable", OPTTYPE_KRB5);
- ULINE("\t", "-a include addresses", OPTTYPE_KRB5);
- ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5);
- ULINE("\t", "-v validate", OPTTYPE_KRB5);
- ULINE("\t", "-R renew", OPTTYPE_BOTH);
- ULINE("\t", "-k use keytab", OPTTYPE_BOTH);
- ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH);
- ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5);
- /* This options is not yet available: */
- /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */
- ULINE("\t", "-S service", OPTTYPE_BOTH);
- ULINE("\t", "-X <attribute>[=<value>]", OPTTYPE_KRB5);
+ fprintf(stderr, " options:");
+ fprintf(stderr, "\t-V verbose\n");
+ fprintf(stderr, "\t-l lifetime\n");
+ fprintf(stderr, "\t-s start time\n");
+ fprintf(stderr, "\t-r renewable lifetime\n");
+ fprintf(stderr, "\t-f forwardable\n");
+ fprintf(stderr, "\t-F not forwardable\n");
+ fprintf(stderr, "\t-p proxiable\n");
+ fprintf(stderr, "\t-P not proxiable\n");
+ fprintf(stderr, "\t-a include addresses\n");
+ fprintf(stderr, "\t-A do not include addresses\n");
+ fprintf(stderr, "\t-v validate\n");
+ fprintf(stderr, "\t-R renew\n");
+ fprintf(stderr, "\t-C canonicalize\n");
+ fprintf(stderr, "\t-E client is enterprise principal name\n");
+ fprintf(stderr, "\t-k use keytab\n");
+ fprintf(stderr, "\t-t filename of keytab to use\n");
+ fprintf(stderr, "\t-c Kerberos 5 cache name\n");
+ fprintf(stderr, "\t-S service\n");
+ fprintf(stderr, "\t-X <attribute>[=<value>]\n");
exit(2);
}
@@ -322,19 +269,16 @@
}
static char *
-parse_options(argc, argv, opts, progname)
+parse_options(argc, argv, opts)
int argc;
char **argv;
struct k_opts* opts;
- char *progname;
{
krb5_error_code code;
int errflg = 0;
- int use_k4 = 0;
- int use_k5 = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE"))
!= -1) {
switch (i) {
case 'V':
@@ -426,40 +370,17 @@
errflg++;
}
break;
-#if 0
- /*
- A little more work is needed before we can enable this
- option.
- */
case 'C':
- if (opts->k4_cache_name)
- {
- fprintf(stderr, "Only one -C option allowed\n");
- errflg++;
- } else {
- opts->k4_cache_name = optarg;
- }
+ opts->canonicalize = 1;
break;
-#endif
+ case 'E':
+ opts->enterprise = 1;
+ break;
case '4':
- if (!got_k4)
- {
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Kerberos 4 support could not be loaded\n");
-#else
- fprintf(stderr, "This was not built with Kerberos 4 support\n");
-#endif
- exit(3);
- }
- use_k4 = 1;
+ fprintf(stderr, "Kerberos 4 is no longer supported\n");
+ exit(3);
break;
case '5':
- if (!got_k5)
- {
- fprintf(stderr, "Kerberos 5 support could not be loaded\n");
- exit(3);
- }
- use_k5 = 1;
break;
default:
errflg++;
@@ -489,66 +410,22 @@
errflg++;
}
- /* At this point, if errorless, we know we only have one option
- selection */
- if (!use_k5 && !use_k4) {
- use_k5 = default_k5;
- use_k4 = default_k4;
- }
-
- /* Now, we encode the OPTTYPE stuff here... */
- if (!use_k5 &&
- (opts->starttime || opts->rlife || opts->forwardable ||
- opts->proxiable || opts->addresses || opts->not_forwardable ||
- opts->not_proxiable || opts->no_addresses ||
- (opts->action == VALIDATE) || opts->k5_cache_name))
- {
- fprintf(stderr, "Specified option that requires Kerberos 5\n");
- errflg++;
- }
- if (!use_k4 &&
- opts->k4_cache_name)
- {
- fprintf(stderr, "Specified option that require Kerberos 4\n");
- errflg++;
- }
- if (
-#ifdef HAVE_KRB524
- !use_k5
-#else
- use_k4
-#endif
- && (opts->service_name || opts->keytab_name ||
- (opts->action == INIT_KT) || (opts->action == RENEW))
- )
- {
- fprintf(stderr, "Specified option that requires Kerberos 5\n");
- errflg++;
- }
-
if (errflg) {
- usage(progname);
+ usage();
}
- got_k5 = got_k5 && use_k5;
- got_k4 = got_k4 && use_k4;
-
opts->principal_name = (optind == argc-1) ? argv[optind] : 0;
return opts->principal_name;
}
static int
-k5_begin(opts, k5, k4)
+k5_begin(opts, k5)
struct k_opts* opts;
-struct k5_data* k5;
-struct k4_data* k4;
+ struct k5_data* k5;
{
- char* progname = progname_v5;
krb5_error_code code = 0;
+ int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
- if (!got_k5)
- return 0;
-
code = krb5_init_context(&k5->ctx);
if (code) {
com_err(progname, code, "while initializing Kerberos 5 library");
@@ -575,8 +452,8 @@
if (opts->principal_name)
{
/* Use specified name */
- if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
- &k5->me))) {
+ if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name,
+ flags, &k5->me))) {
com_err(progname, code, "when parsing name %s",
opts->principal_name);
return 0;
@@ -606,8 +483,8 @@
fprintf(stderr, "Unable to identify user\n");
return 0;
}
- if ((code = krb5_parse_name(k5->ctx, name,
- &k5->me)))
+ if ((code = krb5_parse_name_flags(k5->ctx, name,
+ flags, &k5->me)))
{
com_err(progname, code, "when parsing name %s",
name);
@@ -624,19 +501,6 @@
}
opts->principal_name = k5->name;
-#ifdef KRB5_KRB4_COMPAT
- if (got_k4)
- {
- /* Translate to a Kerberos 4 principal */
- code = krb5_524_conv_principal(k5->ctx, k5->me,
- k4->aname, k4->inst, k4->realm);
- if (code) {
- k4->aname[0] = 0;
- k4->inst[0] = 0;
- k4->realm[0] = 0;
- }
- }
-#endif
return 1;
}
@@ -656,110 +520,6 @@
memset(k5, 0, sizeof(*k5));
}
-static int
-k4_begin(opts, k4)
- struct k_opts* opts;
- struct k4_data* k4;
-{
-#ifdef KRB5_KRB4_COMPAT
- char* progname = progname_v4;
- int k_errno = 0;
-#endif
-
- if (!got_k4)
- return 0;
-
-#ifdef KRB5_KRB4_COMPAT
- if (k4->aname[0])
- goto skip;
-
- if (opts->principal_name)
- {
- /* Use specified name */
- k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- opts->principal_name);
- if (k_errno)
- {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- return 0;
- }
- } else {
- /* No principal name specified */
- if (opts->action == INIT_KT) {
- /* Use the default host/service name */
- /* XXX - need to add this functionality */
- fprintf(stderr, "%s: Kerberos 4 srvtab support is not "
- "implemented\n", progname);
- return 0;
- } else {
- /* Get default principal from cache if one exists */
- k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
- k4->inst, k4->realm);
- if (k_errno)
- {
- char *name = get_name_from_os();
- if (!name)
- {
- fprintf(stderr, "Unable to identify user\n");
- return 0;
- }
- k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- name);
- if (k_errno)
- {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- return 0;
- }
- }
- }
- }
-
- if (!k4->realm[0])
- krb_get_lrealm(k4->realm, 1);
-
- if (k4->inst[0])
- snprintf(k4->name, sizeof(k4->name), "%s.%s@%s",
- k4->aname, k4->inst, k4->realm);
- else
- snprintf(k4->name, sizeof(k4->name), "%s@%s", k4->aname, k4->realm);
- opts->principal_name = k4->name;
-
- skip:
- if (k4->aname[0] && !k_isname(k4->aname))
- {
- fprintf(stderr, "%s: bad Kerberos 4 name format\n", progname);
- return 0;
- }
-
- if (k4->inst[0] && !k_isinst(k4->inst))
- {
- fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname);
- return 0;
- }
-
- if (k4->realm[0] && !k_isrealm(k4->realm))
- {
- fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname);
- return 0;
- }
-#endif /* KRB5_KRB4_COMPAT */
- return 1;
-}
-
-static void
-k4_end(k4)
- struct k4_data* k4;
-{
- memset(k4, 0, sizeof(*k4));
-}
-
-#ifdef KRB5_KRB4_COMPAT
-static char stash_password[1024];
-static int got_password = 0;
-#endif /* KRB5_KRB4_COMPAT */
-
static krb5_error_code
KRB5_CALLCONV
kinit_prompter(
@@ -771,21 +531,8 @@
krb5_prompt prompts[]
)
{
- int i;
- krb5_prompt_type *types;
krb5_error_code rc =
krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- if (!rc && (types = krb5_get_prompt_types(ctx)))
- for (i = 0; i < num_prompts; i++)
- if ((types[i] == KRB5_PROMPT_TYPE_PASSWORD) ||
- (types[i] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN))
- {
-#ifdef KRB5_KRB4_COMPAT
- strncpy(stash_password, prompts[i].reply->data,
- sizeof(stash_password));
- got_password = 1;
-#endif
- }
return rc;
}
@@ -794,7 +541,6 @@
struct k_opts* opts;
struct k5_data* k5;
{
- char* progname = progname_v5;
int notix = 1;
krb5_keytab keytab = 0;
krb5_creds my_creds;
@@ -802,9 +548,6 @@
krb5_get_init_creds_opt *options = NULL;
int i;
- if (!got_k5)
- return 0;
-
memset(&my_creds, 0, sizeof(my_creds));
code = krb5_get_init_creds_opt_alloc(k5->ctx, &options);
@@ -828,6 +571,8 @@
krb5_get_init_creds_opt_set_proxiable(options, 1);
if (opts->not_proxiable)
krb5_get_init_creds_opt_set_proxiable(options, 0);
+ if (opts->canonicalize)
+ krb5_get_init_creds_opt_set_canonicalize(options, 1);
if (opts->addresses)
{
krb5_address **addresses = NULL;
@@ -902,14 +647,7 @@
break;
}
- /* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should
- let the user know that maybe he/she wants -4. */
- if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4)
- com_err(progname, code, "while %s\n"
- "The KDC doesn't support v5. "
- "You may want the -4 option in the future",
- doing);
- else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
fprintf(stderr, "%s: Password incorrect while %s\n", progname,
doing);
else
@@ -917,12 +655,8 @@
goto cleanup;
}
- if (!opts->lifetime) {
- /* We need to figure out what lifetime to use for Kerberos 4. */
- opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
- }
-
- code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+ code = krb5_cc_initialize(k5->ctx, k5->cc,
+ opts->canonicalize ? my_creds.client : k5->me);
if (code) {
com_err(progname, code, "when initializing cache %s",
opts->k5_cache_name?opts->k5_cache_name:"");
@@ -954,194 +688,6 @@
return notix?0:1;
}
-static int
-k4_kinit(opts, k4, ctx)
- struct k_opts* opts;
- struct k4_data* k4;
- krb5_context ctx;
-{
-#ifdef KRB5_KRB4_COMPAT
- char* progname = progname_v4;
- int k_errno = 0;
-#endif
-
- if (!got_k4)
- return 0;
-
- if (opts->starttime)
- return 0;
-
-#ifdef KRB5_KRB4_COMPAT
- if (!k4->lifetime)
- k4->lifetime = opts->lifetime;
- if (!k4->lifetime)
- k4->lifetime = KRB4_BACKUP_DEFAULT_LIFE_SECS;
-
- k4->lifetime = krb_time_to_life(0, k4->lifetime);
-
- switch (opts->action)
- {
- case INIT_PW:
- if (!got_password) {
- unsigned int pwsize = sizeof(stash_password);
- krb5_error_code code;
- char prompt[1024];
-
- snprintf(prompt, sizeof(prompt),
- "Password for %s", opts->principal_name);
- stash_password[0] = 0;
- /*
- Note: krb5_read_password does not actually look at the
- context, so we're ok even if we don't have a context. If
- we cannot dynamically load krb5, we can substitute any
- decent read password function instead of the krb5 one.
- */
- code = krb5_read_password(ctx, prompt, 0, stash_password, &pwsize);
- if (code || pwsize == 0)
- {
- fprintf(stderr, "Error while reading password for '%s'\n",
- opts->principal_name);
- memset(stash_password, 0, sizeof(stash_password));
- return 0;
- }
- got_password = 1;
- }
- k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt",
- k4->realm, k4->lifetime, stash_password);
-
- if (k_errno) {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- if (authed_k5)
- fprintf(stderr, "Maybe your KDC does not support v4. "
- "Try the -5 option next time.\n");
- return 0;
- }
- return 1;
-#ifndef HAVE_KRB524
- case INIT_KT:
- fprintf(stderr, "%s: srvtabs are not supported\n", progname);
- return 0;
- case RENEW:
- fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n",
- progname);
- return 0;
-#else
- /* These cases are handled by the 524 code - this prevents the compiler
- warnings of not using all the enumerated types.
- */
- case INIT_KT:
- case RENEW:
- case VALIDATE:
- return 0;
-#endif
- }
-#endif
- return 0;
-}
-
-static char*
-getvprogname(v, progname)
- char *v, *progname;
-{
- char *ret;
-
- if (asprintf(&ret, "%s(v%s)", progname, v) < 0)
- return progname;
- else
- return ret;
-}
-
-#ifdef HAVE_KRB524
-/* Convert krb5 tickets to krb4. */
-static int try_convert524(k5)
- struct k5_data* k5;
-{
- char * progname = progname_v524;
- krb5_error_code code = 0;
- int icode = 0;
- krb5_principal kpcserver = 0;
- krb5_creds *v5creds = 0;
- krb5_creds increds;
- CREDENTIALS v4creds;
-
- if (!got_k4 || !got_k5)
- return 0;
-
- memset((char *) &increds, 0, sizeof(increds));
- /*
- From this point on, we can goto cleanup because increds is
- initialized.
- */
-
- if ((code = krb5_build_principal(k5->ctx,
- &kpcserver,
- krb5_princ_realm(k5->ctx, k5->me)->length,
- krb5_princ_realm(k5->ctx, k5->me)->data,
- "krbtgt",
- krb5_princ_realm(k5->ctx, k5->me)->data,
- NULL))) {
- com_err(progname, code,
- "while creating service principal name");
- goto cleanup;
- }
-
- increds.client = k5->me;
- increds.server = kpcserver;
- /* Prevent duplicate free calls. */
- kpcserver = 0;
-
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- if ((code = krb5_get_credentials(k5->ctx, 0,
- k5->cc,
- &increds,
- &v5creds))) {
- com_err(progname, code,
- "getting V5 credentials");
- goto cleanup;
- }
- if ((icode = krb524_convert_creds_kdc(k5->ctx,
- v5creds,
- &v4creds))) {
- com_err(progname, icode,
- "converting to V4 credentials");
- goto cleanup;
- }
- /* this is stolen from the v4 kinit */
- /* initialize ticket cache */
- if ((icode = in_tkt(v4creds.pname, v4creds.pinst)
- != KSUCCESS)) {
- com_err(progname, icode,
- "trying to create the V4 ticket file");
- goto cleanup;
- }
- /* stash ticket, session key, etc. for future use */
- if ((icode = krb_save_credentials(v4creds.service,
- v4creds.instance,
- v4creds.realm,
- v4creds.session,
- v4creds.lifetime,
- v4creds.kvno,
- &(v4creds.ticket_st),
- v4creds.issue_date))) {
- com_err(progname, icode,
- "trying to save the V4 ticket");
- goto cleanup;
- }
-
- cleanup:
- memset(&v4creds, 0, sizeof(v4creds));
- if (v5creds)
- krb5_free_creds(k5->ctx, v5creds);
- increds.client = 0;
- krb5_free_cred_contents(k5->ctx, &increds);
- if (kpcserver)
- krb5_free_principal(k5->ctx, kpcserver);
- return !(code || icode);
-}
-#endif /* HAVE_KRB524 */
-
int
main(argc, argv)
int argc;
@@ -1149,16 +695,9 @@
{
struct k_opts opts;
struct k5_data k5;
- struct k4_data k4;
- char *progname;
+ int authed_k5 = 0;
-
progname = GET_PROGNAME(argv[0]);
- progname_v5 = getvprogname("5", progname);
-#ifdef KRB5_KRB4_COMPAT
- progname_v4 = getvprogname("4", progname);
- progname_v524 = getvprogname("524", progname);
-#endif
/* Ensure we can be driven from a pipe */
if(!isatty(fileno(stdin)))
@@ -1168,49 +707,24 @@
if(!isatty(fileno(stderr)))
setvbuf(stderr, 0, _IONBF, 0);
- /*
- This is where we would put in code to dynamically load Kerberos
- libraries. Currenlty, we just get them implicitly.
- */
- got_k5 = 1;
-#ifdef KRB5_KRB4_COMPAT
- got_k4 = 1;
-#endif
-
memset(&opts, 0, sizeof(opts));
opts.action = INIT_PW;
memset(&k5, 0, sizeof(k5));
- memset(&k4, 0, sizeof(k4));
set_com_err_hook (extended_com_err_fn);
- parse_options(argc, argv, &opts, progname);
+ parse_options(argc, argv, &opts);
- got_k5 = k5_begin(&opts, &k5, &k4);
- got_k4 = k4_begin(&opts, &k4);
+ if (k5_begin(&opts, &k5))
+ authed_k5 = k5_kinit(&opts, &k5);
- authed_k5 = k5_kinit(&opts, &k5);
-#ifdef HAVE_KRB524
- if (authed_k5)
- authed_k4 = try_convert524(&k5);
-#endif
- if (!authed_k4)
- authed_k4 = k4_kinit(&opts, &k4, k5.ctx);
-#ifdef KRB5_KRB4_COMPAT
- memset(stash_password, 0, sizeof(stash_password));
-#endif
-
if (authed_k5 && opts.verbose)
fprintf(stderr, "Authenticated to Kerberos v5\n");
- if (authed_k4 && opts.verbose)
- fprintf(stderr, "Authenticated to Kerberos v4\n");
k5_end(&k5);
- k4_end(&k4);
- if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4) ||
- (!got_k5 && !got_k4))
+ if (!authed_k5)
exit(1);
return 0;
}
Modified: branches/mkey_migrate/src/clients/klist/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/klist/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/klist/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -22,8 +22,8 @@
all-unix:: klist
##WIN32##all-windows:: $(KLIST)
-klist: klist.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ klist.o $(KRB4COMPAT_LIBS)
+klist: klist.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ klist.o $(KRB5_BASE_LIBS)
##WIN32##$(KLIST): $(OUTPRE)klist.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(SLIB) $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(SCLIB)
@@ -40,15 +40,3 @@
$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)klist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- klist.c
Copied: branches/mkey_migrate/src/clients/klist/deps (from rev 21721, trunk/src/clients/klist/deps)
Modified: branches/mkey_migrate/src/clients/klist/klist.M
===================================================================
--- branches/mkey_migrate/src/clients/klist/klist.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/klist/klist.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,7 +25,7 @@
.SH NAME
klist \- list cached Kerberos tickets
.SH SYNOPSIS
-\fBklist\fP [\fB\-5\fP] [\fB\-4\fP] [\fB\-e\fP] [[\fB\-c\fP] [\fB\-f\fP]
+\fBklist\fP [\fB\-e\fP] [[\fB\-c\fP] [\fB\-f\fP]
[\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
[\fIcache_name\fP | \fIkeytab_name\fP]
@@ -36,24 +36,8 @@
cache, or the keys held in a
.B keytab
file.
-If klist was built with Kerberos 4 support, the default behavior is to list
-both Kerberos 5 and Kerberos 4 credentials. Otherwise, klist will default
-to listing only Kerberos 5 credentials.
.SH OPTIONS
.TP
-.B \-5
-list Kerberos 5 credentials. This overrides whatever the default built-in
-behavior may be. This option may be used with
-.B \-4
-.
-.TP
-.B \-4
-list Kerberos 4 credentials. This overrides whatever the default built-in
-behavior may be. This option is only available if kinit was built
-with Kerberos 4 compatibility. This option may be used with
-.B \-5
-.
-.TP
.B \-e
displays the encryption types of the session key and the ticket for each
credential in the credential cache, or each key in the keytab file.
@@ -133,18 +117,11 @@
.TP "\w'.SM KRB5CCNAME\ \ 'u"
.SM KRB5CCNAME
Location of the Kerberos 5 credentials (ticket) cache.
-.TP "\w'.SM KRBTKFILE\ \ 'u"
-.SM KRBTKFILE
-Filename of the Kerberos 4 credentials (ticket) cache.
.SH FILES
.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
/tmp/krb5cc_[uid]
default location of Kerberos 5 credentials cache
([uid] is the decimal UID of the user).
-.TP "\w'/tmp/tkt[uid]\ \ 'u"
-/tmp/tkt[uid]
-default location of Kerberos 4 credentials cache
-([uid] is the decimal UID of the user).
.TP
/etc/krb5.keytab
default location for the local host's
Modified: branches/mkey_migrate/src/clients/klist/klist.c
===================================================================
--- branches/mkey_migrate/src/clients/klist/klist.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/klist/klist.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,9 +29,6 @@
#include "autoconf.h"
#include <krb5.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
#include <com_err.h>
#include <stdlib.h>
#ifdef HAVE_UNISTD_H
@@ -76,43 +73,16 @@
void one_addr (krb5_address *);
void fillit (FILE *, unsigned int, int);
-#ifdef KRB5_KRB4_COMPAT
-void do_v4_ccache (char *);
-#endif /* KRB5_KRB4_COMPAT */
-
#define DEFAULT 0
#define CCACHE 1
#define KEYTAB 2
-/*
- * The reason we start out with got_k4 and got_k5 as zero (false) is
- * so that we can easily add dynamic loading support for determining
- * whether Kerberos 4 and Keberos 5 libraries are available
- */
-
-static int got_k5 = 0;
-static int got_k4 = 0;
-
-static int default_k5 = 1;
-#ifdef KRB5_KRB4_COMPAT
-static int default_k4 = 1;
-#else
-static int default_k4 = 0;
-#endif
-
static void usage()
{
#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
- fprintf(stderr, "Usage: %s [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] %s",
+ fprintf(stderr, "Usage: %s [-e] [[-c] [-f] [-s] [-a [-n]]] %s",
progname, "[-k [-t] [-K]] [name]\n");
- fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
- fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
- fprintf(stderr, "\t (Default is %s%s%s%s)\n",
- default_k5?"Kerberos 5":"",
- (default_k5 && default_k4)?" and ":"",
- default_k4?"Kerberos 4":"",
- (!default_k5 && !default_k4)?"neither":"");
fprintf(stderr, "\t-c specifies credentials cache\n");
fprintf(stderr, "\t-k specifies keytab\n");
fprintf(stderr, "\t (Default is credentials cache)\n");
@@ -136,13 +106,7 @@
int c;
char *name;
int mode;
- int use_k5 = 0, use_k4 = 0;
- got_k5 = 1;
-#ifdef KRB5_KRB4_COMPAT
- got_k4 = 1;
-#endif
-
progname = GET_PROGNAME(argv[0]);
name = NULL;
@@ -179,24 +143,10 @@
mode = KEYTAB;
break;
case '4':
- if (!got_k4)
- {
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr, "Kerberos 4 support could not be loaded\n");
-#else
- fprintf(stderr, "This was not built with Kerberos 4 support\n");
-#endif
- exit(3);
- }
- use_k4 = 1;
+ fprintf(stderr, "Kerberos 4 is no longer supported\n");
+ exit(3);
break;
case '5':
- if (!got_k5)
- {
- fprintf(stderr, "Kerberos 5 support could not be loaded\n");
- exit(3);
- }
- use_k5 = 1;
break;
default:
usage();
@@ -224,17 +174,6 @@
name = (optind == argc-1) ? argv[optind] : 0;
- if (!use_k5 && !use_k4)
- {
- use_k5 = default_k5;
- use_k4 = default_k4;
- }
-
- if (!use_k5)
- got_k5 = 0;
- if (!use_k4)
- got_k4 = 0;
-
now = time(0);
{
char tmp[BUFSIZ];
@@ -247,7 +186,6 @@
timestamp_width = 15;
}
- if (got_k5)
{
krb5_error_code retval;
retval = krb5_init_context(&kcontext);
@@ -260,18 +198,6 @@
do_ccache(name);
else
do_keytab(name);
- } else {
-#ifdef KRB5_KRB4_COMPAT
- if (mode == DEFAULT || mode == CCACHE)
- do_v4_ccache(name);
- else {
- /* We may want to add v4 srvtab support */
- fprintf(stderr,
- "%s: srvtab option not supported for Kerberos 4\n",
- progname);
- exit(1);
- }
-#endif /* KRB4_KRB5_COMPAT */
}
return 0;
@@ -733,105 +659,3 @@
for (i=0; i<num; i++)
fputc(c, f);
}
-
-#ifdef KRB5_KRB4_COMPAT
-void
-do_v4_ccache(name)
- char * name;
-{
- char pname[ANAME_SZ];
- char pinst[INST_SZ];
- char prealm[REALM_SZ];
- char *file;
- int k_errno;
- CREDENTIALS c;
- int header = 1;
-
- if (!got_k4)
- return;
-
- file = name?name:tkt_string();
-
- if (status_only) {
- fprintf(stderr,
- "%s: exit status option not supported for Kerberos 4\n",
- progname);
- exit(1);
- }
-
- if (got_k5)
- printf("\n\n");
-
- printf("Kerberos 4 ticket cache: %s\n", file);
-
- /*
- * Since krb_get_tf_realm will return a ticket_file error,
- * we will call tf_init and tf_close first to filter out
- * things like no ticket file. Otherwise, the error that
- * the user would see would be
- * klist: can't find realm of ticket file: No ticket file (tf_util)
- * instead of
- * klist: No ticket file (tf_util)
- */
-
- /* Open ticket file */
- k_errno = tf_init(file, R_TKT_FIL);
- if (k_errno) {
- fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
- exit(1);
- }
- /* Close ticket file */
- (void) tf_close();
-
- /*
- * We must find the realm of the ticket file here before calling
- * tf_init because since the realm of the ticket file is not
- * really stored in the principal section of the file, the
- * routine we use must itself call tf_init and tf_close.
- */
- if ((k_errno = krb_get_tf_realm(file, prealm)) != KSUCCESS) {
- fprintf(stderr, "%s: can't find realm of ticket file: %s\n",
- progname, krb_get_err_text (k_errno));
- exit(1);
- }
-
- /* Open ticket file */
- if ((k_errno = tf_init(file, R_TKT_FIL))) {
- fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
- exit(1);
- }
- /* Get principal name and instance */
- if ((k_errno = tf_get_pname(pname)) ||
- (k_errno = tf_get_pinst(pinst))) {
- fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
- exit(1);
- }
-
- /*
- * You may think that this is the obvious place to get the
- * realm of the ticket file, but it can't be done here as the
- * routine to do this must open the ticket file. This is why
- * it was done before tf_init.
- */
-
- printf("Principal: %s%s%s%s%s\n\n", pname,
- (pinst[0] ? "." : ""), pinst,
- (prealm[0] ? "@" : ""), prealm);
- while ((k_errno = tf_get_cred(&c)) == KSUCCESS) {
- if (header) {
- printf("%-18s %-18s %s\n",
- " Issued", " Expires", " Principal");
- header = 0;
- }
- printtime(c.issue_date);
- fputs(" ", stdout);
- printtime(krb_life_to_time(c.issue_date, c.lifetime));
- printf(" %s%s%s%s%s\n",
- c.service, (c.instance[0] ? "." : ""), c.instance,
- (c.realm[0] ? "@" : ""), c.realm);
- }
- if (header && k_errno == EOF) {
- printf("No tickets in file.\n");
- }
-}
-#endif /* KRB4_KRB5_COMPAT */
Modified: branches/mkey_migrate/src/clients/kpasswd/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kpasswd/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kpasswd/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -42,13 +42,3 @@
##WIN32## link $(EXE_LINKOPTS) -out:$@ $** $(SCLIB)
##WIN32## $(_VC_MANIFEST_EMBED_EXE)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kpasswd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- kpasswd.c
-$(OUTPRE)ksetpwd.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h ksetpwd.c
Copied: branches/mkey_migrate/src/clients/kpasswd/deps (from rev 21721, trunk/src/clients/kpasswd/deps)
Modified: branches/mkey_migrate/src/clients/kpasswd/ksetpwd.c
===================================================================
--- branches/mkey_migrate/src/clients/kpasswd/ksetpwd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kpasswd/ksetpwd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3,6 +3,7 @@
#include <unistd.h>
#include <stdio.h>
#include <time.h>
+#include <k5-platform.h>
#define TKTTIMELEFT 60*10 /* ten minutes */
@@ -69,14 +70,11 @@
krb5_unparse_name( kcontext, kme, &pName );
if( cachename )
{
- pCacheName = malloc( strlen( pName ) + strlen( cachename ) + 1 );
- if( pCacheName == NULL )
+ if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0)
{
kres = KRB5_CC_NOMEM;
goto fail;
}
- strcpy( pCacheName, cachename );
- strcat( pCacheName, pName );
kres = krb5_cc_resolve( kcontext, pCacheName, &kcache );
if( kres )
{
Modified: branches/mkey_migrate/src/clients/ksu/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/ksu/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/ksu/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -41,70 +41,3 @@
$(INSTALL_DATA) $(srcdir)/$$f.M \
${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)krb_auth_su.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- krb_auth_su.c ksu.h
-$(OUTPRE)ccache.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ccache.c ksu.h
-$(OUTPRE)authorization.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- authorization.c ksu.h
-$(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ksu.h main.c
-$(OUTPRE)heuristic.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- heuristic.c ksu.h
-$(OUTPRE)xmalloc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ksu.h xmalloc.c
-$(OUTPRE)setenv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- setenv.c
Modified: branches/mkey_migrate/src/clients/ksu/authorization.c
===================================================================
--- branches/mkey_migrate/src/clients/ksu/authorization.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/ksu/authorization.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -365,15 +365,13 @@
}else{
/* must be either full path or just the cmd name */
if (strchr(fcmd, '/')){
- err = (char *) xcalloc((strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
+ asprintf(&err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
*out_err = err;
return FALSE;
}
#ifndef CMD_PATH
- err = (char *) xcalloc(2*(strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
+ asprintf(&err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
*out_err = err;
return FALSE;
#else
@@ -386,8 +384,7 @@
tc = get_first_token (path_ptr, &lp);
if (! tc){
- err = (char *) xcalloc((strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME);
+ asprintf(&err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME);
*out_err = err;
return FALSE;
}
@@ -395,8 +392,7 @@
i=0;
do{
if (*tc != '/'){ /* must be full path */
- err = (char *) xcalloc((strlen(tc) +200) ,sizeof(char));
- sprintf(err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
+ asprintf(&err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
*out_err = err;
return FALSE;
}
@@ -498,13 +494,9 @@
int i = 0;
krb5_boolean retbool= FALSE;
int j =0;
- char * err;
- unsigned int max_ln=0;
- unsigned int tln=0;
+ struct k5buf buf;
while(fcmd_arr[i]){
- tln = strlen(fcmd_arr[i]);
- if ( tln > max_ln) max_ln = tln;
if (!stat (fcmd_arr[i], &st_temp )){
*cmd_out = xstrdup(fcmd_arr[i]);
retbool = TRUE;
@@ -514,15 +506,16 @@
}
if (retbool == FALSE ){
- err = (char *) xcalloc((80 + (max_ln+2)*i) ,sizeof(char));
- strcpy(err,"Error: not found -> ");
- for(j= 0; j < i; j ++){
- strcat(err, " ");
- strcat(err, fcmd_arr[j]);
- strcat(err, " ");
+ krb5int_buf_init_dynamic(&buf);
+ krb5int_buf_add(&buf, "Error: not found -> ");
+ for(j= 0; j < i; j ++)
+ krb5int_buf_add_fmt(&buf, " %s ", fcmd_arr[j]);
+ krb5int_buf_add(&buf, "\n");
+ *err_out = krb5int_buf_data(&buf);
+ if (*err_out == NULL) {
+ perror(prog_name);
+ exit(1);
}
- strcat(err, "\n");
- *err_out = err;
}
@@ -710,17 +703,19 @@
void init_auth_names(pw_dir)
char *pw_dir;
{
- if (strlen (k5login_path) + 2 + strlen (KRB5_LOGIN_NAME) >= MAXPATHLEN) {
+ const char *sep;
+ int r1, r2;
+
+ sep = ((strlen(pw_dir) == 1) && (*pw_dir == '/')) ? "" : "/";
+ r1 = snprintf(k5login_path, sizeof(k5login_path), "%s%s%s",
+ pw_dir, sep, KRB5_LOGIN_NAME);
+ r2 = snprintf(k5users_path, sizeof(k5users_path), "%s%s%s",
+ pw_dir, sep, KRB5_USERS_NAME);
+ if (SNPRINTF_OVERFLOW(r1, sizeof(k5login_path)) ||
+ SNPRINTF_OVERFLOW(r2, sizeof(k5users_path))) {
fprintf (stderr,
"home directory name `%s' too long, can't search for .k5login\n",
pw_dir);
exit (1);
}
- if ((strlen(pw_dir) == 1) && (*pw_dir == '/')){
- sprintf(k5login_path,"%s%s", pw_dir, KRB5_LOGIN_NAME);
- sprintf(k5users_path,"%s%s", pw_dir, KRB5_USERS_NAME);
- } else {
- sprintf(k5login_path,"%s/%s", pw_dir, KRB5_LOGIN_NAME);
- sprintf(k5users_path,"%s/%s", pw_dir, KRB5_USERS_NAME);
- }
}
Modified: branches/mkey_migrate/src/clients/ksu/ccache.c
===================================================================
--- branches/mkey_migrate/src/clients/ksu/ccache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/ksu/ccache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -373,7 +373,7 @@
FILE *fp;
char * linebuf;
char *newline;
- int gobble;
+ int gobble, result;
char ** buf_out;
struct stat st_temp;
int count = 0, chunk_count = 1;
@@ -383,12 +383,11 @@
if ((pwd = getpwnam(luser)) == NULL) {
return 0;
}
- if (strlen(pwd->pw_dir) + sizeof("/.k5login") > MAXPATHLEN) {
+ result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir);
+ if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) {
fprintf (stderr, "home directory path for %s too long\n", luser);
exit (1);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.k5login");
if (stat(pbuf, &st_temp)) { /* not accessible */
return 0;
Copied: branches/mkey_migrate/src/clients/ksu/deps (from rev 21721, trunk/src/clients/ksu/deps)
Modified: branches/mkey_migrate/src/clients/ksu/krb_auth_su.c
===================================================================
--- branches/mkey_migrate/src/clients/ksu/krb_auth_su.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/ksu/krb_auth_su.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,13 +27,6 @@
#include "ksu.h"
-static krb5_error_code krb5_verify_tkt_def
- (krb5_context,
- krb5_principal,
- krb5_principal,
- krb5_keyblock *,
- krb5_data *,
- krb5_ticket **);
void plain_dump_principal ();
@@ -56,6 +49,7 @@
int *path_passwd;
{
krb5_principal client, server;
+ krb5_verify_init_creds_opt vfy_opts;
krb5_creds tgt, tgtq, in_creds, * out_creds;
krb5_creds **tgts = NULL; /* list of ticket granting tickets */
@@ -213,9 +207,11 @@
krb5_free_tgt_creds(context, tgts);
}
- retval = krb5_verify_tkt_def(context, client, server,
- &out_creds->keyblock, &out_creds->ticket,
- &target_tkt);
+ krb5_verify_init_creds_opt_init(&vfy_opts);
+ krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1);
+ retval = krb5_verify_init_creds(context, out_creds, server, NULL /*keytab*/,
+ NULL /*output ccache*/,
+ &vfy_opts);
if (retval) {
com_err(prog_name, retval, "while verifying ticket for server");
return (FALSE);
@@ -242,7 +238,7 @@
{
krb5_creds tgt, tgtq;
- krb5_ticket * target_tkt;
+ krb5_verify_init_creds_opt vfy_opts;
krb5_error_code retval;
memset((char *) &tgtq, 0, sizeof(tgtq));
@@ -266,9 +262,12 @@
return (FALSE) ;
}
-
- if ((retval = krb5_verify_tkt_def(context, client, server, &tgt.keyblock,
- &tgt.ticket, &target_tkt))){
+ krb5_verify_init_creds_opt_init(&vfy_opts);
+ krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1);
+ retval = krb5_verify_init_creds(context, &tgt, server, NULL /*keytab*/,
+ NULL /*output ccache*/,
+ &vfy_opts);
+ if (retval){
com_err(prog_name, retval, "while verifing ticket for server");
return (FALSE);
}
@@ -276,123 +275,8 @@
return TRUE;
}
-static krb5_error_code
-krb5_verify_tkt_def(context, client, server, cred_ses_key,
- scr_ticket, clear_ticket)
- /* IN */
- krb5_context context;
- krb5_principal client;
- krb5_principal server;
- krb5_keyblock *cred_ses_key;
- krb5_data *scr_ticket;
- /* OUT */
- krb5_ticket **clear_ticket;
-{
- krb5_keytab keytabid;
- krb5_enctype enctype;
- krb5_keytab_entry ktentry;
- krb5_keyblock *tkt_key = NULL;
- krb5_ticket * tkt = NULL;
- krb5_error_code retval =0;
- krb5_keyblock * tkt_ses_key;
-
- if ((retval = decode_krb5_ticket(scr_ticket, &tkt))){
- return retval;
- }
-
- if (auth_debug){
- fprintf(stderr,"krb5_verify_tkt_def: verifying target server\n");
- dump_principal(context, "server", server);
- dump_principal(context, "tkt->server", tkt->server);
- }
-
- if (server && !krb5_principal_compare(context, server, tkt->server)){
- return KRB5KRB_AP_WRONG_PRINC;
- }
-
- /* get the default keytab */
- if ((retval = krb5_kt_default(context, &keytabid))){
- krb5_free_ticket(context, tkt);
- return retval;
- }
- enctype = tkt->enc_part.enctype;
-
- if ((retval = krb5_kt_get_entry(context, keytabid, server,
- tkt->enc_part.kvno, enctype, &ktentry))){
- krb5_free_ticket(context, tkt);
- return retval;
- }
-
- krb5_kt_close(context, keytabid);
-
- if ((retval = krb5_copy_keyblock(context, &ktentry.key, &tkt_key))){
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- return retval;
- }
-
- /* decrypt the ticket */
- if ((retval = krb5_decrypt_tkt_part(context, tkt_key, tkt))) {
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return(retval);
- }
- /* Check to make sure ticket hasn't expired */
- retval = krb5_check_exp(context, tkt->enc_part2->times);
- if (retval) {
- if (auth_debug && (retval == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
- fprintf(stderr,
- "krb5_verify_tkt_def: ticket has expired");
- }
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- }
-
- if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_BADMATCH;
- }
-
- if (auth_debug){
- fprintf(stderr,
- "krb5_verify_tkt_def: verified client's identity\n");
- dump_principal(context, "client", client);
- dump_principal(context, "tkt->enc_part2->client",tkt->enc_part2->client);
- }
-
- tkt_ses_key = tkt->enc_part2->session;
-
- if (cred_ses_key->enctype != tkt_ses_key->enctype ||
- cred_ses_key->length != tkt_ses_key->length ||
- memcmp((char *)cred_ses_key->contents,
- (char *)tkt_ses_key->contents, cred_ses_key->length)) {
-
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- if (auth_debug){
- fprintf(stderr,
- "krb5_verify_tkt_def: session keys match \n");
- }
-
- *clear_ticket = tkt;
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return 0;
-
-}
-
-
krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server,
options, zero_password)
krb5_context context;
@@ -407,8 +291,8 @@
krb5_timestamp now;
unsigned int pwsize;
char password[255], *client_name, prompt[255];
+ int result;
-
*zero_password = FALSE;
if ((code = krb5_unparse_name(context, client, &client_name))) {
@@ -442,13 +326,14 @@
} else
my_creds.times.renew_till = 0;
- if (strlen (client_name) + 80 > sizeof (prompt)) {
+ result = snprintf(prompt, sizeof(prompt), "Kerberos password for %s: ",
+ client_name);
+ if (SNPRINTF_OVERFLOW(result, sizeof(prompt))) {
fprintf (stderr,
"principal name %s too long for internal buffer space\n",
client_name);
return FALSE;
}
- (void) sprintf(prompt,"Kerberos password for %s: ", client_name);
pwsize = sizeof(password);
Modified: branches/mkey_migrate/src/clients/ksu/main.c
===================================================================
--- branches/mkey_migrate/src/clients/ksu/main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/ksu/main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -425,9 +425,9 @@
cache will be created.*/
do {
- sprintf(cc_target_tag, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+ KRB5_SECONDARY_CACHE,
+ (long) target_uid, gen_sym());
cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
}while ( !stat ( cc_target_tag_tmp, &st_temp));
@@ -855,15 +855,16 @@
static char * ontty()
{
char *p, *ttyname();
- static char buf[MAXPATHLEN + 4];
+ static char buf[MAXPATHLEN + 5];
+ int result;
buf[0] = 0;
if ((p = ttyname(STDERR_FILENO))) {
- if (strlen (p) > MAXPATHLEN) {
+ result = snprintf(buf, sizeof(buf), " on %s", p);
+ if (SNPRINTF_OVERFLOW(result, sizeof(buf))) {
fprintf (stderr, "terminal name %s too long\n", p);
exit (1);
}
- sprintf(buf, " on %s", p);
}
return (buf);
}
@@ -875,11 +876,7 @@
{
char * env_var_buf;
- /* allocate extra two spaces, one for the = and one for the \0 */
- env_var_buf = (char *) xcalloc(2 + strlen(name) + strlen(value),
- sizeof(char));
-
- sprintf(env_var_buf,"%s=%s",name, value);
+ asprintf(&env_var_buf,"%s=%s",name, value);
return putenv(env_var_buf);
}
Modified: branches/mkey_migrate/src/clients/kvno/Makefile.in
===================================================================
--- branches/mkey_migrate/src/clients/kvno/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kvno/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,8 +23,8 @@
##WIN32##all-windows:: $(KVNO)
-kvno: kvno.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kvno.o $(KRB4COMPAT_LIBS)
+kvno: kvno.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ kvno.o $(KRB5_BASE_LIBS)
##WIN32##$(KVNO): $(OUTPRE)kvno.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) /out:$@ $**
@@ -40,13 +40,3 @@
$(INSTALL_DATA) $(srcdir)/$$f.M \
$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kvno.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- kvno.c
Copied: branches/mkey_migrate/src/clients/kvno/deps (from rev 21721, trunk/src/clients/kvno/deps)
Modified: branches/mkey_migrate/src/clients/kvno/kvno.M
===================================================================
--- branches/mkey_migrate/src/clients/kvno/kvno.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kvno/kvno.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,7 +28,7 @@
.SH NAME
kvno \- print key version numbers of Kerberos principals
.SH SYNOPSIS
-\fBkvno\fP [\fB\-q\fP] [\fB\-h\fP] [\fB\-4\fP\ |\ [\fB-c ccache\fP]\ [\fB\-e etype\fP]]
+\fBkvno\fP [\fB\-q\fP] [\fB\-h\fP] [\fB-c ccache\fP]\ [\fB\-e etype\fP]
\fBservice1\fP \fBservice2\fP \fB...\fP
.br
.SH DESCRIPTION
@@ -51,11 +51,6 @@
.B \-h
prints a usage statement and exits
.TP
-.B \-4
-specifies that Kerberos version 4 tickets should be acquired and
-described. This option is only available if Kerberos 4 support was
-enabled at compilation time.
-.TP
.B \-S sname
specifies that krb5_sname_to_principal() will be used to build
principal names. If this flag is specified, the
@@ -70,16 +65,10 @@
.TP "\w'.SM KRB5CCNAME\ \ 'u"
.SM KRB5CCNAME
Location of the credentials (ticket) cache.
-.TP
-.SM KRBTKFILE
-Location of the v4 ticket file.
.SH FILES
.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
/tmp/krb5cc_[uid]
default location of the credentials cache ([uid] is the decimal UID of
the user).
-.TP
-/tmp/tkt[uid]
-default location of the v4 ticket file.
.SH SEE ALSO
kinit(1), kdestroy(1), krb5(3)
Modified: branches/mkey_migrate/src/clients/kvno/kvno.c
===================================================================
--- branches/mkey_migrate/src/clients/kvno/kvno.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/clients/kvno/kvno.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,23 +39,16 @@
static void xusage()
{
-#ifdef KRB5_KRB4_COMPAT
- fprintf(stderr,
- "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab] [-S sname]] service1 service2 ...\n",
+ fprintf(stderr, "usage: %s [-C] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
prog);
-#else
- fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
- prog);
-#endif
exit(1);
}
int quiet = 0;
-static void do_v4_kvno (int argc, char *argv[]);
static void do_v5_kvno (int argc, char *argv[],
char *ccachestr, char *etypestr, char *keytab_name,
- char *sname);
+ char *sname, int canon);
#include <com_err.h>
static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -66,15 +59,19 @@
int option;
char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
char *sname = NULL;
- int v4 = 0;
+ int canon = 0;
+
set_com_err_hook (extended_com_err_fn);
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
- while ((option = getopt(argc, argv, "c:e:hk:q4S:")) != -1) {
+ while ((option = getopt(argc, argv, "Cc:e:hk:qS:")) != -1) {
switch (option) {
+ case 'C':
+ canon = 1;
+ break;
case 'c':
ccachestr = optarg;
break;
@@ -90,9 +87,6 @@
case 'q':
quiet = 1;
break;
- case '4':
- v4 = 1;
- break;
case 'S':
sname = optarg;
break;
@@ -105,68 +99,11 @@
if ((argc - optind) < 1)
xusage();
- if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4)
- xusage();
-
- if (sname != NULL && v4)
- xusage();
-
- if (v4)
- do_v4_kvno(argc - optind, argv + optind);
- else
do_v5_kvno(argc - optind, argv + optind,
- ccachestr, etypestr, keytab_name, sname);
+ ccachestr, etypestr, keytab_name, sname, canon);
return 0;
}
-#ifdef KRB5_KRB4_COMPAT
-#include <kerberosIV/krb.h>
-#endif
-static void do_v4_kvno (int count, char *names[])
-{
-#ifdef KRB5_KRB4_COMPAT
- int i;
-
- for (i = 0; i < count; i++) {
- int err;
- char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
- KTEXT_ST req;
- CREDENTIALS creds;
- *name = *inst = *realm = '\0';
- err = kname_parse (name, inst, realm, names[i]);
- if (err) {
- fprintf(stderr, "%s: error parsing name '%s': %s\n",
- prog, names[i], krb_get_err_text(err));
- exit(1);
- }
- if (realm[0] == 0) {
- err = krb_get_lrealm(realm, 1);
- if (err) {
- fprintf(stderr, "%s: error looking up local realm: %s\n",
- prog, krb_get_err_text(err));
- exit(1);
- }
- }
- err = krb_mk_req(&req, name, inst, realm, 0);
- if (err) {
- fprintf(stderr, "%s: krb_mk_req error: %s\n", prog,
- krb_get_err_text(err));
- exit(1);
- }
- err = krb_get_cred(name, inst, realm, &creds);
- if (err) {
- fprintf(stderr, "%s: krb_get_cred error: %s\n", prog,
- krb_get_err_text(err));
- exit(1);
- }
- if (!quiet)
- printf("%s: kvno = %d\n", names[i], creds.kvno);
- }
-#else
- xusage();
-#endif
-}
-
#include <krb5.h>
static krb5_context context;
static void extended_com_err_fn (const char *myprog, errcode_t code,
@@ -182,7 +119,7 @@
static void do_v5_kvno (int count, char *names[],
char * ccachestr, char *etypestr, char *keytab_name,
- char *sname)
+ char *sname, int canon)
{
krb5_error_code ret;
int i, errors;
@@ -265,7 +202,8 @@
in_creds.keyblock.enctype = etype;
- ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
+ ret = krb5_get_credentials(context, canon ? KRB5_GC_CANONICALIZE : 0,
+ ccache, &in_creds, &out_creds);
krb5_free_principal(context, in_creds.server);
Modified: branches/mkey_migrate/src/config/post.in
===================================================================
--- branches/mkey_migrate/src/config/post.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/config/post.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -88,13 +88,19 @@
'$(SRCTOP)' '$(myfulldir)' '$(srcdir)' '$(BUILDTOP)' "$$x" '$(STLIBOBJS)' \
< .d > .depend
+# Temporarily keep the rule for removing the dependency line eater
+# until we're sure we've gotten everything converted and excised the
+# old stuff from Makefile.in files.
depend-update-makefile: .depend depend-recurse
if test -n "$(SRCS)" ; then \
- sed -e '/^# +++ Dependency line eater +++/,$$d' \
- < $(srcdir)/Makefile.in | cat - .depend \
- > $(srcdir)/Makefile.in.new; \
- $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in ; \
- else :; fi
+ $(CP) .depend $(srcdir)/deps.new ; \
+ else \
+ echo "# No dependencies here." > $(srcdir)/deps.new ; \
+ fi
+ $(SRCTOP)/config/move-if-changed $(srcdir)/deps.new $(srcdir)/deps
+ sed -e '/^# +++ Dependency line eater +++/,$$d' \
+ < $(srcdir)/Makefile.in > $(srcdir)/Makefile.in.new
+ $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in
DEPTARGETS = .depend .d .dtmp $(DEP_VERIFY)
DEPTARGETS_CLEAN = .depend .d .dtmp $(DEPTARGETS_ at srcdir@_ at CONFIG_RELTOPDIR@)
@@ -141,7 +147,7 @@
# thisconfigdir = relative path from this Makefile to config.status
# mydir = relative path from config.status to this Makefile
-Makefile: $(srcdir)/Makefile.in $(thisconfigdir)/config.status \
+Makefile: $(srcdir)/Makefile.in $(srcdir)/deps $(thisconfigdir)/config.status \
$(SRCTOP)/config/pre.in $(SRCTOP)/config/post.in
cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/Makefile
$(thisconfigdir)/config.status: $(srcdir)/$(thisconfigdir)/configure
Modified: branches/mkey_migrate/src/config/pre.in
===================================================================
--- branches/mkey_migrate/src/config/pre.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/config/pre.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -152,17 +152,20 @@
# LOCALINCLUDES set by local Makefile.in
# CPPFLAGS user override
# CFLAGS user override but starts off set by configure
+# WARN_CFLAGS user override but starts off set by configure
# PTHREAD_CFLAGS set by configure, not included in CFLAGS so that we
# don't pull the pthreads library into shared libraries
ALL_CFLAGS = $(DEFS) $(DEFINES) $(KRB_INCLUDES) $(LOCALINCLUDES) \
-DKRB5_DEPRECATED=1 \
- $(CPPFLAGS) $(CFLAGS) $(PTHREAD_CFLAGS)
+ $(CPPFLAGS) $(CFLAGS) $(WARN_CFLAGS) $(PTHREAD_CFLAGS)
ALL_CXXFLAGS = $(DEFS) $(DEFINES) $(KRB_INCLUDES) $(LOCALINCLUDES) \
-DKRB5_DEPRECATED=1 \
- $(CPPFLAGS) $(CXXFLAGS) $(PTHREAD_CFLAGS)
+ $(CPPFLAGS) $(CXXFLAGS) $(WARN_CXXFLAGS) $(PTHREAD_CFLAGS)
CFLAGS = @CFLAGS@
CXXFLAGS = @CXXFLAGS@
+WARN_CFLAGS = @WARN_CFLAGS@
+WARN_CXXFLAGS = @WARN_CXXFLAGS@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
THREAD_LINKOPTS = $(PTHREAD_CFLAGS) $(PTHREAD_LIBS)
@@ -178,10 +181,6 @@
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
-SRVLIBS = @SRVLIBS@
-SRVDEPLIBS = @SRVDEPLIBS@
-CLNTLIBS = @CLNTLIBS@
-CLNTDEPLIBS = @CLNTDEPLIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -218,10 +217,10 @@
KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth
KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata
KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5
+GSS_MODULE_DIR = @libdir@/gss
KRB5_INCSUBDIRS = \
$(KRB5_INCDIR)/krb5 \
$(KRB5_INCDIR)/gssapi \
- $(KRB5_INCDIR)/kerberosIV \
$(KRB5_INCDIR)/gssrpc
#
@@ -279,7 +278,6 @@
AUTOHEADERFLAGS =
MOVEIFCHANGED = $(SRCTOP)/config/move-if-changed
-HOST_TYPE = @HOST_TYPE@
SHEXT = @SHEXT@
STEXT=@STEXT@
VEXT=@VEXT@
@@ -312,6 +310,9 @@
# prefix (with no spaces after) for rpath flag to cc
RPATH_FLAG=@RPATH_FLAG@
+# link flags to add PROG_RPATH to the rpath
+PROG_RPATH_FLAGS=@PROG_RPATH_FLAGS@
+
# this gets set by configure to either $(STLIBEXT) or $(SHLIBEXT),
# depending on whether we're building with shared libraries.
DEPLIBEXT=@DEPLIBEXT@
@@ -321,8 +322,6 @@
KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT)
GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT)
GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT)
-KRB4_DEPLIB = @KRB4_DEPLIB@ # $(TOPLIBD)/libkrb4$(DEPLIBEXT)
-DES425_DEPLIB = @DES425_DEPLIB@ # $(TOPLIBD)/libdes425$(DEPLIBEXT)
KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT)
CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT)
COM_ERR_DEPLIB = $(COM_ERR_DEPLIB- at COM_ERR_VERSION@)
@@ -340,7 +339,6 @@
APPUTILS_DEPLIB = $(TOPLIBD)/libapputils.a
KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
-KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS)
KDB5_DEPLIBS = $(KDB5_DEPLIB)
GSS_DEPLIBS = $(GSS_DEPLIB)
GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS)
@@ -361,11 +359,6 @@
SS_DEPS-sys =
SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h
-# Header file dependencies that might depend on whether krb4 support
-# is compiled.
-
-KRB_ERR_H_DEP = @KRB_ERR_H_DEP@
-
# LIBS gets substituted in... e.g. -lnsl -lsocket
# GEN_LIB is -lgen if needed for regexp
@@ -384,19 +377,10 @@
GSS_KRB5_LIB = -lgssapi_krb5
SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
-# KRB4_LIB is -lkrb4 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB4_LIB = @KRB4_LIB@
-
-# DES425_LIB is -ldes425 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-DES425_LIB = @DES425_LIB@
-
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
-KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
@@ -417,11 +401,6 @@
APPUTILS_LIB = -lapputils
#
-# some more stuff for --with-krb4
-KRB4_LIBPATH = @KRB4_LIBPATH@
-KRB4_INCLUDES = @KRB4_INCLUDES@
-
-#
# variables for --with-tcl=
TCL_LIBS = @TCL_LIBS@
TCL_LIBPATH = @TCL_LIBPATH@
@@ -547,8 +526,12 @@
# to change to rearrange where the various parameters fit in.
MAKE_SHLIB_COMMAND=@MAKE_SHLIB_COMMAND@
+# run path flags for explicit libraries depending on this one,
+# e.g. "-R$(SHLIB_RPATH)"
+SHLIB_RPATH_FLAGS=@SHLIB_RPATH_FLAGS@
+
# flags for explicit libraries depending on this one,
-# e.g. "-R$(SHLIB_RPATH) $(SHLIB_SHLIB_DIRFLAGS) $(SHLIB_EXPLIBS)"
+# e.g. "$(SHLIB_RPATH_FLAGS) $(SHLIB_SHLIB_DIRFLAGS) $(SHLIB_EXPLIBS)"
SHLIB_EXPFLAGS=@SHLIB_EXPFLAGS@
## Parameters to be set by configure for use in libobj.in:
@@ -565,10 +548,6 @@
# "$(CC) -G", "$(LD) -Bshareable", etc.
LDCOMBINE=@LDCOMBINE@
-# "-h $@", "-h lib$(LIBNAME).$(LIBMAJOR)", etc.
-SONAME=@SONAME@
-
-
#
# rules to make various types of object files
#
Modified: branches/mkey_migrate/src/config/shlib.conf
===================================================================
--- branches/mkey_migrate/src/config/shlib.conf 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/config/shlib.conf 2009-01-10 01:06:45 UTC (rev 21722)
@@ -65,11 +65,13 @@
use_linker_init_option=yes
use_linker_fini_option=yes
EXTRA_FILES="$EXTRA_FILES export"
- SHLIB_EXPFLAGS='-rpath $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-rpath $(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(PTHREAD_CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(PTHREAD_CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(PTHREAD_CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(PTHREAD_CFLAGS) $(LDFLAGS)'
if test "$ac_cv_c_compiler_gnu" = yes \
&& test "$krb5_cv_prog_gnu_ld" = yes; then
# Really should check for gnu ld vs system ld, too.
@@ -124,16 +126,19 @@
RPATH_FLAG='-Wl,+b,'
if test "$ac_cv_c_compiler_gnu" = yes; then
PICFLAGS=-fPIC
- SHLIB_EXPFLAGS='-Wl,+s -Wl,+b,$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-Wl,+b,$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='-Wl,+s $(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
LDCOMBINE='gcc -fPIC -shared -Wl,+h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) -Wl,-c,hpux10.exports'
else
PICFLAGS=+z
- SHLIB_EXPFLAGS='+s +b $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='+b $(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='+s $(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
LDCOMBINE='ld -b +h $(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) -c hpux10.exports'
fi
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,+s $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,+s $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) -Wl,+s $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) -Wl,+s $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='SHLIB_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export SHLIB_PATH;'
SHLIB_EXPORT_FILE_DEP=hpux10.exports
@@ -159,13 +164,15 @@
else
LDCOMBINE='ld -shared -ignore_unresolved -update_registry $(BUILDTOP)/so_locations -soname $(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT)'
fi
- SHLIB_EXPFLAGS='-rpath $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-rpath $(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
# no gprof for Irix...
PROFFLAGS=-p
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
# This grossness is necessary due to the presence of *three*
# supported ABIs on Irix, and the precedence of the rpath over
@@ -205,13 +212,15 @@
opts=''
fi
LDCOMBINE='$(CC) -shared '$opts' -Wl,-soname -Wl,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $$initfini'
- SHLIB_EXPFLAGS='-rpath $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-rpath $(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
# no gprof for Irix...
PROFFLAGS=-p
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
# This grossness is necessary due to the presence of *three*
# supported ABIs on Irix, and the precedence of the rpath over
@@ -239,14 +248,16 @@
PICFLAGS=-Kpic
LDCOMBINE='$(CC) -G -h $(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT)'
fi
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
SHLIBEXT=.so
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBSEXT='.so.$(LIBMAJOR)'
RPATH_FLAG=-R
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
PROFFLAGS=-pg
@@ -258,11 +269,13 @@
SHLIBSEXT='.so.$(LIBMAJOR)'
SHLIBEXT=.so
LDCOMBINE='ld -shared -soname $(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT)'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
PROFFLAGS=-pg
@@ -273,11 +286,13 @@
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBEXT=.so
LDCOMBINE='$(CC) -shared $(LDFLAGS)'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
RPATH_FLAG=-R
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
PROFFLAGS=-pg
@@ -297,11 +312,13 @@
RPATH_FLAG=-R
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
fi
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
SHLIBEXT=.so
LDCOMBINE='ld -Bshareable'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
@@ -313,11 +330,13 @@
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBEXT=.so
LDCOMBINE='ld -Bshareable'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
RPATH_FLAG=-R
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
PROFFLAGS=-pg
@@ -371,12 +390,14 @@
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBSEXT='.so.$(LIBMAJOR)'
SHLIBEXT=.so
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
RPATH_FLAG=-R
- CC_LINK_SHARED='$(PURE) $(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(PURE) $(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(PURE) $(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(PURE) $(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(PURE) $(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(PURE) $(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
;;
@@ -394,12 +415,14 @@
SHLIB_EXPORT_FILE_DEP=binutils.versions
# For cases where we do have dependencies on other libraries
# built in this tree...
- SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_RPATH_FLAGS='-Wl,-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; '
@@ -420,10 +443,12 @@
SHLIBVEXT='.so.$(LIBMAJOR)'
SHLIBEXT=.so
LDCOMBINE='ld -Bshareable'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath,$(PROG_RPATH)'
+ SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ PROG_RPATH_FLAGS='-Wl,-rpath,$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) -Wl,-rpath,$(PROG_RPATH)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/
/:/g"`; export LD_LIBRARY_PATH;'
@@ -451,9 +476,10 @@
use_linker_fini_option=yes
MAKE_SHLIB_COMMAND="${INIT_FINI_PREP} && ${LDCOMBINE}"
RPATH_TAIL=:/usr/lib:/lib
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"' $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"' $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
# $(PROG_RPATH) is here to handle things like a shared tcl library
RUN_ENV='LIBPATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`:$(PROG_RPATH):/usr/lib:/usr/local/lib; export LIBPATH; '
@@ -487,9 +513,10 @@
MAKE_SHLIB_COMMAND="${INIT_FINI_PREP} && ${LDCOMBINE}"' && ar cq $@ shr.o.$(LIBMAJOR).$(LIBMINOR) && chmod +x $@ && rm -f shr.o.$(LIBMAJOR).$(LIBMINOR)'
MAKE_DYNOBJ_COMMAND="${INIT_FINI_PREP} && ${LDCOMBINE_DYN}"
RPATH_TAIL=:/usr/lib:/lib
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"' $(CFLAGS) $(LDFLAGS)'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH):'"$RPATH_TAIL"' $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
# $(PROG_RPATH) is here to handle things like a shared tcl library
RUN_ENV='LIBPATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`:$(PROG_RPATH):/usr/lib:/usr/local/lib; export LIBPATH; '
Modified: branches/mkey_migrate/src/config/winexclude.sed
===================================================================
--- branches/mkey_migrate/src/config/winexclude.sed 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/config/winexclude.sed 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,4 +1,3 @@
-/krb5\.saber/d
/autoconf.h$/d
/t_mddriver$/d
/test_parse$/d
Copied: branches/mkey_migrate/src/config-files/deps (from rev 21721, trunk/src/config-files/deps)
Modified: branches/mkey_migrate/src/config-files/krb5.conf.M
===================================================================
--- branches/mkey_migrate/src/config-files/krb5.conf.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/config-files/krb5.conf.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -201,6 +201,16 @@
General flag controlling the use of DNS for Kerberos information. If both
of the preceding options are specified, this option has no effect.
+.IP realm_try_domains
+Indicate whether a host's domain components should be used to
+determine the Kerberos realm of the host. The value of this variable
+is an integer: -1 means not to search, 0 means to try the host's
+domain itself, 1 means to also try the domain's immediate parent, and
+so forth. The library's usual mechanism for locating Kerberos realms
+is used to determine whether a domain is a valid realm--which may
+involve consulting DNS if dns_lookup_kdc is set. The default is not
+to search domain components.
+
.IP extra_addresses
This allows a computer to use multiple local addresses, in order to
allow Kerberos to work in a network that uses NATs. The addresses should
Copied: branches/mkey_migrate/src/config-files/mech (from rev 21721, trunk/src/config-files/mech)
Modified: branches/mkey_migrate/src/configure.in
===================================================================
--- branches/mkey_migrate/src/configure.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/configure.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -55,20 +55,6 @@
AC_ARG_ENABLE([athena],
[ --enable-athena build with MIT Project Athena configuration],,)
dnl
-if test -z "$KRB4_LIB"; then
-kadminv4=""
-krb524=""
-libkrb4=""
-KRB4=""
-else
-kadminv4=kadmin.v4
-krb524=krb524
-libkrb4=lib/krb4
-KRB4=krb4
-fi
-AC_SUBST(KRB4)
-AC_SUBST(krb524)
-dnl
dnl Begin autoconf tests for the Makefiles generated out of the top-level
dnl configure.in...
dnl
@@ -90,6 +76,19 @@
dnl for kdc
AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h)
AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf)
+AC_CHECK_FUNCS(strlcpy)
+EXTRA_SUPPORT_SYMS=
+AC_CHECK_FUNC(strlcpy, [STRLCPY_ST_OBJ= STRLCPY_OBJ=], [STRLCPY_ST_OBJ=strlcpy.o STRLCPY_OBJ='$(OUTPRE)strlcpy.$(OBJEXT)' EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_strlcpy krb5int_strlcat"])
+AC_SUBST(STRLCPY_OBJ)
+AC_SUBST(STRLCPY_ST_OBJ)
+AC_CHECK_FUNC(vasprintf,
+[PRINTF_ST_OBJ=
+PRINTF_OBJ=],
+[PRINTF_ST_OBJ=printf.o
+PRINTF_OBJ='$(OUTPRE)printf.$(OBJEXT)'
+EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_asprintf krb5int_vasprintf"])
+AC_SUBST(PRINTF_OBJ)
+AC_SUBST(PRINTF_ST_OBJ)
KRB5_NEED_PROTO([#include <stdarg.h>
#include <stdio.h>
],vasprintf)
@@ -100,6 +99,7 @@
/* Solaris 8 declares swab in stdlib.h. */
#include <stdlib.h>
],swab,1)
+KRB5_NEED_PROTO([#include <ctype.h>],isblank,1)
dnl
AC_PROG_AWK
KRB5_AC_INET6
@@ -144,17 +144,8 @@
else
AC_DEFINE(NOCACHE,1,[Define if the KDC should use no replay cache])
fi
-AC_ARG_ENABLE([fakeka],
-AC_HELP_STRING([--enable-fakeka],[build the Fake KA server (emulates an AFS kaserver) @<:@default: don't build@:>@]), , enableval=no)dnl
-if test "$enableval" = yes; then
- FAKEKA=fakeka
-else
- FAKEKA=
-fi
-AC_SUBST(FAKEKA)
KRB5_RUN_FLAGS
dnl
-dnl for krb524
AC_TYPE_SIGNAL
dnl
dnl from old include/configure.in
@@ -169,7 +160,6 @@
AC_HEADER_DIRENT
AC_CHECK_FUNCS(strdup setvbuf inet_ntoa inet_aton seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strftime strptime geteuid setenv unsetenv getenv gethostbyname2 getifaddrs gmtime_r localtime_r pthread_mutex_lock sched_yield bswap16 bswap64 mkstemp getusershell lstat access ftime getcwd srand48 srand srandom stat strchr strerror strerror_r strstr timezone umask waitpid sem_init sem_trywait daemon)
dnl
-EXTRA_SUPPORT_SYMS=
AC_CHECK_FUNC(mkstemp,
[MKSTEMP_ST_OBJ=
MKSTEMP_OBJ=],
@@ -573,15 +563,6 @@
[ --enable-athena build with MIT Project Athena configuration],
AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),)
-if test "$KRB4_LIB" = ''; then
- AC_MSG_NOTICE(No Kerberos 4 compatibility)
- maybe_kerberosIV=
-else
- AC_MSG_NOTICE(Kerberos 4 compatibility enabled)
- maybe_kerberosIV=kerberosIV
- AC_DEFINE(KRB5_KRB4_COMPAT,1,[Define if Kerberos V4 backwards compatibility should be supported])
-fi
-AC_SUBST(maybe_kerberosIV)
dnl
AC_C_INLINE
AH_TOP([
@@ -687,11 +668,6 @@
fi
AC_SUBST(DO_TEST)
dnl
-DO_V4_TEST=
-if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != "" -a "$ath_compat" != ""; then
- DO_V4_TEST=ok
-fi
-AC_SUBST(DO_V4_TEST)
dnl The following are substituted into kadmin/testing/scripts/env-setup.sh
RBUILD=`pwd`
AC_SUBST(RBUILD)
@@ -713,25 +689,6 @@
AC_CHECK_PROG(RUNTEST,runtest,runtest)
AC_CHECK_PROG(PERL,perl,perl)
dnl
-dnl
-dnl for lib/krb4
-case $krb5_cv_host in
- *-apple-darwin*)
- KRB_ERR_TXT=
- KRB_ERR=
- KRB_ERR_C=krb_err.c
- ;;
- *)
- KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)'
- KRB_ERR_TXT=krb_err_txt.c
- KRB_ERR_C=
- ;;
-esac
-AC_SUBST([KRB_ERR_TXT])
-AC_SUBST([KRB_ERR])
-AC_SUBST([KRB_ERR_C])
-dnl
-dnl
dnl lib/gssapi
AC_CHECK_HEADER(stdint.h,[
include_stdint='awk '\''END{printf("%cinclude <stdint.h>\n", 35);}'\'' < /dev/null'],
@@ -957,13 +914,6 @@
HAVE_RUNTEST=no
fi
AC_SUBST(HAVE_RUNTEST)
-if test "$KRB4_LIB" = ''; then
- KRB4_DEJAGNU_TEST="KRBIV=0"
-else
- AC_MSG_RESULT(Kerberos 4 testing enabled)
- KRB4_DEJAGNU_TEST="KRBIV=1"
-fi
-AC_SUBST(KRB4_DEJAGNU_TEST)
dnl for plugins/kdb/db2
dnl
@@ -1011,9 +961,6 @@
fi # tsmissing not empty
fi # enable_thread_support
dnl
-HOST_TYPE=$krb5_cv_host
-AC_SUBST(HOST_TYPE)
-dnl
dnl Sadly, we seem to have accidentally committed ourselves in 1.4 to
dnl an ABI that includes the existence of libkrb5support.0 even
dnl though random apps should never use anything from it. And on
@@ -1039,9 +986,6 @@
if test "$SS_VERSION" = k5 ; then
K5_GEN_MAKEFILE(util/ss)
fi
-if test -n "$KRB4_LIB"; then
- K5_GEN_MAKEFILE(lib/krb4)
-fi
dnl
dnl
ldap_plugin_dir=""
@@ -1073,10 +1017,19 @@
K5_GEN_MAKEFILE(plugins/kdb/ldap/ldap_util)
K5_GEN_MAKEFILE(plugins/kdb/ldap/libkdb_ldap)
ldap_plugin_dir=plugins/kdb/ldap
+ LDAP=yes
+else
+ LDAP=no
fi
AC_SUBST(ldap_plugin_dir)
+AC_SUBST(LDAP)
-AC_CHECK_HEADERS(Python.h python2.3/Python.h)
+dnl We really should look for and use python-config.
+PYTHON_LIB=
+AC_CHECK_HEADERS(Python.h python2.3/Python.h python2.5/Python.h)
+AC_CHECK_LIB(python2.3,main,[PYTHON_LIB=-lpython2.3],
+ AC_CHECK_LIB(python2.5,main,[PYTHON_LIB=-lpython2.5]))
+AC_SUBST(PYTHON_LIB)
dnl
dnl Kludge for simple server --- FIXME is this the best way to do this?
@@ -1092,7 +1045,7 @@
util util/support util/profile util/send-pr
- lib lib/des425 lib/kdb
+ lib lib/kdb
lib/crypto lib/crypto/crc32 lib/crypto/des lib/crypto/dk
lib/crypto/enc_provider lib/crypto/hash_provider
@@ -1102,9 +1055,10 @@
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
lib/krb5/keytab lib/krb5/krb lib/krb5/rcache lib/krb5/os
+ lib/krb5/unicode
- lib/gssapi lib/gssapi/generic lib/gssapi/krb5
- lib/gssapi/mechglue lib/gssapi/spnego
+ lib/gssapi lib/gssapi/generic lib/gssapi/krb5 lib/gssapi/spnego
+ lib/gssapi/mechglue
lib/rpc lib/rpc/unit-test
@@ -1112,8 +1066,7 @@
lib/apputils
- kdc slave krb524 config-files gen-manpages include
- include/kerberosIV
+ kdc slave config-files gen-manpages include
plugins/locate/python
plugins/kdb/db2
Copied: branches/mkey_migrate/src/deps (from rev 21721, trunk/src/deps)
Copied: branches/mkey_migrate/src/gen-manpages/deps (from rev 21721, trunk/src/gen-manpages/deps)
Modified: branches/mkey_migrate/src/include/Makefile.in
===================================================================
--- branches/mkey_migrate/src/include/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,6 @@
thisconfigdir=..
myfulldir=include
mydir=include
-SUBDIRS=@maybe_kerberosIV@
BUILDTOP=$(REL)..
KRB5RCTMPDIR= @KRB5_RCTMPDIR@
##DOSBUILDTOP = ..
@@ -66,6 +65,7 @@
-e "s+ at LIBDIR+$(LIBDIR)+" \
-e "s+ at SBINDIR+$(SBINDIR)+" \
-e "s+ at MODULEDIR+$(MODULE_DIR)+" \
+ -e "s+ at GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+ at LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+ at SYSCONFDIR+$(SYSCONFDIR)+'
Copied: branches/mkey_migrate/src/include/deps (from rev 21721, trunk/src/include/deps)
Copied: branches/mkey_migrate/src/include/k5-buf.h (from rev 21721, trunk/src/include/k5-buf.h)
Modified: branches/mkey_migrate/src/include/k5-int.h
===================================================================
--- branches/mkey_migrate/src/include/k5-int.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/k5-int.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -176,6 +176,9 @@
/* Get error info support. */
#include "k5-err.h"
+/* Get string buffer support. */
+#include "k5-buf.h"
+
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
(which allows non-ambiguous error codes between subsystems) */
@@ -210,6 +213,10 @@
/* required */
#define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
/* ticket don't match*/
+#define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
+ /* user2user only */
+#define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
+ /* path */
#define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
* available that is
* required to process the
@@ -248,13 +255,19 @@
/* PKINIT server-reported errors */
#define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
+#define KDC_ERR_KDC_NOT_TRUSTED 63
#define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
#define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
+#define KDC_ERR_CERTIFICATE_MISMATCH 66
+#define KRB_AP_ERR_NO_TGT 67
+#define KDC_ERR_WRONG_REALM 68
+#define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
#define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
/* trusted root cert */
#define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
#define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
#define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
+#define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
#define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
/* principal name */
#define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
@@ -300,6 +313,12 @@
typedef krb5_etype_info_entry ** krb5_etype_info;
+/* RFC 4537 */
+typedef struct _krb5_etype_list {
+ int length;
+ krb5_enctype *etypes;
+} krb5_etype_list;
+
/*
* a sam_challenge is returned for alternate preauth
*/
@@ -559,7 +578,19 @@
krb5_error_code (*init_state) (const krb5_keyblock *key,
krb5_keyusage keyusage, krb5_data *out_state);
krb5_error_code (*free_state) (krb5_data *state);
-
+
+ /* In-place encryption/decryption of multiple buffers */
+ krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
+
+ krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
};
struct krb5_hash_provider {
@@ -585,8 +616,47 @@
const krb5_data *input,
const krb5_data *hash,
krb5_boolean *valid);
+
+ krb5_error_code (*hash_iov) (const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *output);
+
+ krb5_error_code (*verify_iov) (const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ const krb5_data *hash,
+ krb5_boolean *valid);
};
+struct krb5_aead_provider {
+ krb5_error_code (*crypto_length) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ unsigned int *length);
+ krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
+ krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
+};
+
typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
size_t inputlen, size_t *length);
@@ -612,13 +682,14 @@
char *out_string;
const struct krb5_enc_provider *enc;
const struct krb5_hash_provider *hash;
- size_t prf_length;
+ size_t prf_length;
krb5_encrypt_length_func encrypt_len;
krb5_crypt_func encrypt;
krb5_crypt_func decrypt;
krb5_str2key_func str2key;
- krb5_prf_func prf;
+ krb5_prf_func prf;
krb5_cksumtype required_ctype;
+ const struct krb5_aead_provider *aead;
};
struct krb5_cksumtypes {
@@ -662,6 +733,12 @@
const krb5_keyblock *key, unsigned int icount,
const krb5_data *input, krb5_data *output);
+krb5_error_code krb5int_hmac_iov
+(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
const krb5_data *,
const krb5_data *);
@@ -862,6 +939,12 @@
krb5_int32 pausec;
} krb5_pa_enc_ts;
+typedef struct _krb5_pa_for_user {
+ krb5_principal user;
+ krb5_checksum cksum;
+ krb5_data auth_package;
+} krb5_pa_for_user;
+
typedef krb5_error_code (*krb5_preauth_obtain_proc)
(krb5_context,
krb5_pa_data *,
@@ -1139,6 +1222,16 @@
void KRB5_CALLCONV krb5_free_pa_enc_ts
(krb5_context, krb5_pa_enc_ts *);
+void KRB5_CALLCONV krb5_free_pa_for_user
+ (krb5_context, krb5_pa_for_user * );
+void KRB5_CALLCONV krb5_free_pa_svr_referral_data
+ (krb5_context, krb5_pa_svr_referral_data * );
+void KRB5_CALLCONV krb5_free_pa_server_referral_data
+ (krb5_context, krb5_pa_server_referral_data * );
+void KRB5_CALLCONV krb5_free_pa_pac_req
+ (krb5_context, krb5_pa_pac_req * );
+void KRB5_CALLCONV krb5_free_etype_list
+ (krb5_context, krb5_etype_list * );
#include "kdb.h"
@@ -1381,8 +1474,12 @@
krb5_error_code encode_krb5_safe
(const krb5_safe *rep, krb5_data **code);
+struct krb5_safe_with_body {
+ krb5_safe *safe;
+ krb5_data *body;
+};
krb5_error_code encode_krb5_safe_with_body
- (const krb5_safe *rep, const krb5_data *body, krb5_data **code);
+ (const struct krb5_safe_with_body *rep, krb5_data **code);
krb5_error_code encode_krb5_priv
(const krb5_priv *rep, krb5_data **code);
@@ -1400,7 +1497,7 @@
(const krb5_error *rep, krb5_data **code);
krb5_error_code encode_krb5_authdata
- (const krb5_authdata **rep, krb5_data **code);
+ (krb5_authdata *const *rep, krb5_data **code);
krb5_error_code encode_krb5_authdata_elt
(const krb5_authdata *rep, krb5_data **code);
@@ -1412,15 +1509,15 @@
(const krb5_pwd_data *rep, krb5_data **code);
krb5_error_code encode_krb5_padata_sequence
- (const krb5_pa_data ** rep, krb5_data **code);
+ (krb5_pa_data *const *rep, krb5_data **code);
krb5_error_code encode_krb5_alt_method
(const krb5_alt_method *, krb5_data **code);
krb5_error_code encode_krb5_etype_info
- (const krb5_etype_info_entry **, krb5_data **code);
+ (krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code encode_krb5_etype_info2
- (const krb5_etype_info_entry **, krb5_data **code);
+ (krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code encode_krb5_enc_data
(const krb5_enc_data *, krb5_data **);
@@ -1440,11 +1537,13 @@
krb5_error_code encode_krb5_sam_response
(const krb5_sam_response * , krb5_data **);
+#if 0 /* currently not compiled because we never use them */
krb5_error_code encode_krb5_sam_challenge_2
(const krb5_sam_challenge_2 * , krb5_data **);
krb5_error_code encode_krb5_sam_challenge_2_body
(const krb5_sam_challenge_2_body * , krb5_data **);
+#endif
krb5_error_code encode_krb5_enc_sam_response_enc_2
(const krb5_enc_sam_response_enc_2 * , krb5_data **);
@@ -1455,9 +1554,28 @@
krb5_error_code encode_krb5_predicted_sam_response
(const krb5_predicted_sam_response * , krb5_data **);
+struct krb5_setpw_req {
+ krb5_principal target;
+ krb5_data password;
+};
krb5_error_code encode_krb5_setpw_req
-(const krb5_principal target, char *password, krb5_data **code);
+ (const struct krb5_setpw_req *rep, krb5_data **code);
+krb5_error_code encode_krb5_pa_for_user
+ (const krb5_pa_for_user * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_svr_referral_data
+ (const krb5_pa_svr_referral_data * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_server_referral_data
+ (const krb5_pa_server_referral_data * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_pac_req
+ (const krb5_pa_pac_req * , krb5_data **);
+
+krb5_error_code encode_krb5_etype_list
+ (const krb5_etype_list * , krb5_data **);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
@@ -1599,18 +1717,40 @@
krb5_error_code decode_krb5_sam_key
(const krb5_data *, krb5_sam_key **);
+krb5_error_code decode_krb5_setpw_req
+ (const krb5_data *, krb5_data **, krb5_principal *);
+
+krb5_error_code decode_krb5_pa_for_user
+ (const krb5_data *, krb5_pa_for_user **);
+
+krb5_error_code decode_krb5_pa_svr_referral_data
+ (const krb5_data *, krb5_pa_svr_referral_data **);
+
+krb5_error_code decode_krb5_pa_server_referral_data
+ (const krb5_data *, krb5_pa_server_referral_data **);
+
+krb5_error_code decode_krb5_pa_pac_req
+ (const krb5_data *, krb5_pa_pac_req **);
+
+krb5_error_code decode_krb5_etype_list
+ (const krb5_data *, krb5_etype_list **);
+
struct _krb5_key_data; /* kdb.h */
+
+struct ldap_seqof_key_data {
+ krb5_int32 mkvno; /* Master key version number */
+ struct _krb5_key_data *key_data;
+ krb5_int16 n_key_data;
+};
+typedef struct ldap_seqof_key_data ldap_seqof_key_data;
+
krb5_error_code
-krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
- krb5_int16 n_key_data,
- krb5_int32 mkvno,
+krb5int_ldap_encode_sequence_of_keys (const ldap_seqof_key_data *val,
krb5_data **code);
krb5_error_code
krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
- struct _krb5_key_data **out,
- krb5_int16 *n_key_data,
- int *mkvno);
+ ldap_seqof_key_data **rep);
/*************************************************************************
* End of prototypes for krb5_decode.c
@@ -1765,7 +1905,8 @@
krb5_error_code
krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
- krb5_keyblock * /* Old keyblock, not new! */);
+ krb5_keyblock * /* Old keyblock, not new! */,
+ krb5_enctype);
/* set and change password helpers */
@@ -1855,6 +1996,7 @@
struct srv_dns_entry **answers);
void (*free_srv_dns_data)(struct srv_dns_entry *);
int (*use_dns_kdc)(krb5_context);
+ krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
/* krb4 compatibility stuff -- may be null if not enabled */
krb5_int32 (*krb_life_to_time)(krb5_int32, int);
@@ -1869,16 +2011,12 @@
/* Used for KDB LDAP back end. */
krb5_error_code
- (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
- krb5_int16 n_key_data,
- krb5_int32 mkvno,
+ (*asn1_ldap_encode_sequence_of_keys) (const ldap_seqof_key_data *val,
krb5_data **code);
krb5_error_code
(*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
- struct _krb5_key_data **out,
- krb5_int16 *n_key_data,
- int *mkvno);
+ ldap_seqof_key_data **);
/*
* pkinit asn.1 encode/decode functions
@@ -1946,6 +2084,12 @@
krb5_error_code (*encode_krb5_authdata_elt)
(const krb5_authdata *rep, krb5_data **code);
+ /* Exported for testing only! */
+ krb5_error_code (*encode_krb5_sam_response_2)
+ (const krb5_sam_response_2 *rep, krb5_data **code);
+ krb5_error_code (*encode_krb5_enc_sam_response_enc_2)
+ (const krb5_enc_sam_response_enc_2 *rep, krb5_data **code);
+
} krb5int_access;
#define KRB5INT_ACCESS_VERSION \
@@ -1964,20 +2108,6 @@
#define KRB524_SERVICE "krb524"
#define KRB524_PORT 4444
-/* v4lifetime.c */
-extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
-extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
-
-/* conv_creds.c */
-int krb5int_encode_v4tkt
- (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
-
-/* send524.c */
-int krb5int_524_sendto_kdc
- (krb5_context context, const krb5_data * message,
- const krb5_data * realm, krb5_data * reply,
- struct sockaddr *, socklen_t *);
-
/* temporary -- this should be under lib/krb5/ccache somewhere */
struct _krb5_ccache {
@@ -2047,37 +2177,6 @@
krb5_error_code
krb5int_cc_os_default_name(krb5_context context, char **name);
-/* reentrant mutex used by krb5_cc_* functions */
-typedef struct _k5_cc_mutex {
- k5_mutex_t lock;
- krb5_context owner;
- krb5_int32 refcount;
-} k5_cc_mutex;
-
-#define K5_CC_MUTEX_PARTIAL_INITIALIZER \
- { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 }
-
-krb5_error_code
-k5_cc_mutex_init(k5_cc_mutex *m);
-
-krb5_error_code
-k5_cc_mutex_finish_init(k5_cc_mutex *m);
-
-#define k5_cc_mutex_destroy(M) \
-k5_mutex_destroy(&(M)->lock);
-
-void
-k5_cc_mutex_assert_locked(krb5_context context, k5_cc_mutex *m);
-
-void
-k5_cc_mutex_assert_unlocked(krb5_context context, k5_cc_mutex *m);
-
-krb5_error_code
-k5_cc_mutex_lock(krb5_context context, k5_cc_mutex *m);
-
-krb5_error_code
-k5_cc_mutex_unlock(krb5_context context, k5_cc_mutex *m);
-
typedef struct _krb5_donot_replay {
krb5_magic magic;
krb5_ui_4 hash;
@@ -2197,7 +2296,7 @@
/*
* Referral definitions, debugging hooks, and subfunctions.
*/
-#define KRB5_REFERRAL_MAXHOPS 5
+#define KRB5_REFERRAL_MAXHOPS 10
/* #define DEBUG_REFERRALS */
#ifdef DEBUG_REFERRALS
@@ -2241,7 +2340,6 @@
krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
-struct _krb5_kt_ops;
struct _krb5_kt { /* should move into k5-int.h */
krb5_magic magic;
const struct _krb5_kt_ops *ops;
@@ -2270,6 +2368,16 @@
krb5_boolean krb5_is_permitted_enctype
(krb5_context, krb5_enctype);
+typedef struct
+{
+ krb5_enctype *etype;
+ krb5_boolean *etype_ok;
+ krb5_int32 etype_count;
+} krb5_etypes_permitted;
+
+krb5_boolean krb5_is_permitted_enctype_ext
+ ( krb5_context, krb5_etypes_permitted *);
+
krb5_error_code krb5_kdc_rep_decrypt_proc
(krb5_context,
const krb5_keyblock *,
@@ -2321,6 +2429,11 @@
krb5_error_code krb5_generate_subkey
(krb5_context,
const krb5_keyblock *, krb5_keyblock **);
+krb5_error_code krb5_generate_subkey_extended
+ (krb5_context,
+ const krb5_keyblock *,
+ krb5_enctype,
+ krb5_keyblock **);
krb5_error_code krb5_generate_seq_number
(krb5_context,
const krb5_keyblock *, krb5_ui_4 *);
@@ -2523,6 +2636,15 @@
void KRB5_CALLCONV krb5_free_realm_string
(krb5_context context, char *str);
+/* Internal principal function used by KIM to avoid code duplication */
+krb5_error_code KRB5_CALLCONV
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
+ const char *first,
+ va_list ap);
+
/* Some data comparison and conversion functions. */
#if 0
static inline int data_cmp(krb5_data d1, krb5_data d2)
@@ -2560,4 +2682,14 @@
&& a1.length == a2.length
&& !memcmp(a1.contents, a2.contents, a1.length));
}
+
+krb5_error_code KRB5_CALLCONV
+krb5int_pac_sign(krb5_context context,
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key,
+ krb5_data *data);
+
#endif /* _KRB5_INT_H */
Modified: branches/mkey_migrate/src/include/k5-platform.h
===================================================================
--- branches/mkey_migrate/src/include/k5-platform.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/k5-platform.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -860,6 +860,14 @@
#define va_copy(dest, src) memcmp(dest, src, sizeof(va_list))
#endif
+/* Provide strlcpy/strlcat interfaces. */
+#ifndef HAVE_STRLCPY
+#define strlcpy krb5int_strlcpy
+#define strlcat krb5int_strlcat
+extern size_t krb5int_strlcpy(char *dst, const char *src, size_t siz);
+extern size_t krb5int_strlcat(char *dst, const char *src, size_t siz);
+#endif
+
/* Provide [v]asprintf interfaces. */
#ifndef HAVE_VSNPRINTF
#ifdef _WIN32
@@ -892,88 +900,19 @@
#endif /* win32? */
#endif /* no vsnprintf */
-#ifndef HAVE_VASPRINTF
-
#if !defined(__cplusplus) && (__GNUC__ > 2)
-static inline int k5_vasprintf(char **, const char *, va_list)
+extern int krb5int_vasprintf(char **, const char *, va_list)
__attribute__((__format__(__printf__, 2, 0)));
-static inline int k5_asprintf(char **, const char *, ...)
+extern int krb5int_asprintf(char **, const char *, ...)
__attribute__((__format__(__printf__, 2, 3)));
#endif
-#define vasprintf k5_vasprintf
-/* On error: BSD: Set *ret to NULL. GNU: *ret is undefined.
+#ifndef HAVE_VASPRINTF
- Since we want to be able to use the GNU version directly, we need
- provide only the weaker guarantee in this version. */
-static inline int
-vasprintf(char **ret, const char *format, va_list ap)
-{
- va_list ap2;
- char *str = NULL, *nstr;
- size_t len = 80;
- int len2;
-
- while (1) {
- if (len >= INT_MAX || len == 0)
- goto fail;
- nstr = realloc(str, len);
- if (nstr == NULL)
- goto fail;
- str = nstr;
- va_copy(ap2, ap);
- len2 = vsnprintf(str, len, format, ap2);
- va_end(ap2);
- /* ISO C vsnprintf returns the needed length. Some old
- vsnprintf implementations return -1 on truncation. */
- if (len2 < 0) {
- /* Don't know how much space we need, just that we didn't
- supply enough; get a bigger buffer and try again. */
- if (len <= SIZE_MAX/2)
- len *= 2;
- else if (len < SIZE_MAX)
- len = SIZE_MAX;
- else
- goto fail;
- } else if ((unsigned int) len2 >= SIZE_MAX) {
- /* Need more space than we can request. */
- goto fail;
- } else if ((size_t) len2 >= len) {
- /* Need more space, but we know how much. */
- len = (size_t) len2 + 1;
- } else {
- /* Success! */
- break;
- }
- }
- /* We might've allocated more than we need, if we're still using
- the initial guess, or we got here by doubling. */
- if ((size_t) len2 < len - 1) {
- nstr = realloc(str, (size_t) len2 + 1);
- if (nstr)
- str = nstr;
- }
- *ret = str;
- return len2;
-
-fail:
- free(str);
- return -1;
-}
+#define vasprintf krb5int_vasprintf
/* Assume HAVE_ASPRINTF iff HAVE_VASPRINTF. */
-#define asprintf k5_asprintf
-static inline int
-k5_asprintf(char **ret, const char *format, ...)
-{
- va_list ap;
- int n;
+#define asprintf krb5int_asprintf
- va_start(ap, format);
- n = vasprintf(ret, format, ap);
- va_end(ap);
- return n;
-}
-
#elif defined(NEED_VASPRINTF_PROTO)
extern int vasprintf(char **, const char *, va_list)
@@ -989,6 +928,22 @@
#endif /* have vasprintf and prototype? */
+/* Return true if the snprintf return value RESULT reflects a buffer
+ overflow for the buffer size SIZE.
+
+ We cast the result to unsigned int for two reasons. First, old
+ implementations of snprintf (such as the one in Solaris 9 and
+ prior) return -1 on a buffer overflow. Casting the result to -1
+ will convert that value to UINT_MAX, which should compare larger
+ than any reasonable buffer size. Second, comparing signed and
+ unsigned integers will generate warnings with some compilers, and
+ can have unpredictable results, particularly when the relative
+ widths of the types is not known (size_t may be the same width as
+ int or larger).
+*/
+#define SNPRINTF_OVERFLOW(result, size) \
+ ((unsigned int)(result) >= (size_t)(size))
+
#ifndef HAVE_MKSTEMP
extern int krb5int_mkstemp(char *);
#define mkstemp krb5int_mkstemp
Modified: branches/mkey_migrate/src/include/k5-plugin.h
===================================================================
--- branches/mkey_migrate/src/include/k5-plugin.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/k5-plugin.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -45,6 +45,9 @@
So, no krb5 types. */
+#ifndef K5_PLUGIN_H
+#define K5_PLUGIN_H
+
#if defined(_MSDOS) || defined(_WIN32)
#include "win-mac.h"
#endif
@@ -102,3 +105,5 @@
void (***)(void), struct errinfo *);
void KRB5_CALLCONV
krb5int_free_plugin_dir_func (void (**)(void));
+
+#endif /* K5_PLUGIN_H */
Modified: branches/mkey_migrate/src/include/k5-thread.h
===================================================================
--- branches/mkey_migrate/src/include/k5-thread.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/k5-thread.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -411,12 +411,7 @@
K5_KEY_GSS_KRB5_ERROR_MESSAGE,
K5_KEY_KIM_ERROR_MESSAGE,
#if defined(__MACH__) && defined(__APPLE__)
- K5_KEY_CCAPI_REQUEST_PORT,
- K5_KEY_CCAPI_REPLY_STREAM,
- K5_KEY_CCAPI_SERVER_DIED,
- K5_KEY_IPC_REQUEST_PORTS,
- K5_KEY_IPC_REPLY_STREAM,
- K5_KEY_IPC_SERVER_DIED,
+ K5_KEY_IPC_CONNECTION_INFO,
K5_KEY_COM_ERR_REENTER,
#endif
K5_KEY_MAX
Copied: branches/mkey_migrate/src/include/k5-unicode.h (from rev 21721, trunk/src/include/k5-unicode.h)
Copied: branches/mkey_migrate/src/include/k5-utf8.h (from rev 21721, trunk/src/include/k5-utf8.h)
Modified: branches/mkey_migrate/src/include/kdb.h
===================================================================
--- branches/mkey_migrate/src/include/kdb.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/kdb.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -85,6 +85,8 @@
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002
+#if !defined(_WIN32)
+
/*
* Note --- these structures cannot be modified without changing the
* database version number in libkdb.a, but should be expandable by
@@ -233,6 +235,7 @@
*
* Data encoding is little-endian.
*/
+#ifdef _KRB5_INT_H
#include "k5-platform.h"
#define krb5_kdb_decode_int16(cp, i16) \
*((krb5_int16 *) &(i16)) = load_16_le(cp)
@@ -240,6 +243,7 @@
*((krb5_int32 *) &(i32)) = load_32_le(cp)
#define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp)
#define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp)
+#endif /* _KRB5_INT_H */
#define KRB5_KDB_OPEN_RW 0
#define KRB5_KDB_OPEN_RO 1
@@ -311,6 +315,13 @@
krb5_keyblock *key);
krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
krb5_keyblock **key );
+
+krb5_error_code krb5_db_set_mkey_list( krb5_context context,
+ krb5_keyblock_node * keylist);
+
+krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext,
+ krb5_keyblock_node ** keylist);
+
krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
krb5_keyblock *key );
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
@@ -587,6 +598,36 @@
krb5_error_code
krb5_def_promote_db(krb5_context, char *, char **);
+krb5_error_code
+krb5_dbekd_def_decrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt);
+
+krb5_error_code
+krb5_dbekd_def_encrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data);
+
+krb5_error_code
+krb5_dbekd_def_decrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt);
+
+krb5_error_code
+krb5_dbekd_def_encrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data);
+
krb5_error_code
krb5_db_create_policy( krb5_context kcontext,
osa_policy_ent_t policy);
@@ -615,6 +656,219 @@
krb5_db_free_policy( krb5_context kcontext,
osa_policy_ent_t policy);
+
+
+krb5_error_code
+krb5_db_set_context
+ (krb5_context, void *db_context);
+
+krb5_error_code
+krb5_db_get_context
+ (krb5_context, void **db_context);
+
#define KRB5_KDB_DEF_FLAGS 0
+#define KDB_MAX_DB_NAME 128
+#define KDB_REALM_SECTION "realms"
+#define KDB_MODULE_POINTER "database_module"
+#define KDB_MODULE_DEF_SECTION "dbdefaults"
+#define KDB_MODULE_SECTION "dbmodules"
+#define KDB_LIB_POINTER "db_library"
+#define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH
+#define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV
+
+#define KRB5_KDB_OPEN_RW 0
+#define KRB5_KDB_OPEN_RO 1
+
+#define KRB5_KDB_OPT_SET_DB_NAME 0
+#define KRB5_KDB_OPT_SET_LOCK_MODE 1
+
+typedef struct _kdb_vftabl {
+ short int maj_ver;
+ short int min_ver;
+
+ krb5_error_code (*init_library)();
+ krb5_error_code (*fini_library)();
+ krb5_error_code (*init_module) ( krb5_context kcontext,
+ char * conf_section,
+ char ** db_args,
+ int mode );
+
+ krb5_error_code (*fini_module) ( krb5_context kcontext );
+
+ krb5_error_code (*db_create) ( krb5_context kcontext,
+ char * conf_section,
+ char ** db_args );
+
+ krb5_error_code (*db_destroy) ( krb5_context kcontext,
+ char *conf_section,
+ char ** db_args );
+
+ krb5_error_code (*db_get_age) ( krb5_context kcontext,
+ char *db_name,
+ time_t *age );
+
+ krb5_error_code (*db_set_option) ( krb5_context kcontext,
+ int option,
+ void *value );
+
+ krb5_error_code (*db_lock) ( krb5_context kcontext,
+ int mode );
+
+ krb5_error_code (*db_unlock) ( krb5_context kcontext);
+
+ krb5_error_code (*db_get_principal) ( krb5_context kcontext,
+ krb5_const_principal search_for,
+ unsigned int flags,
+ krb5_db_entry *entries,
+ int *nentries,
+ krb5_boolean *more );
+
+ krb5_error_code (*db_free_principal) ( krb5_context kcontext,
+ krb5_db_entry *entry,
+ int count );
+
+ krb5_error_code (*db_put_principal) ( krb5_context kcontext,
+ krb5_db_entry *entries,
+ int *nentries,
+ char **db_args);
+
+ krb5_error_code (*db_delete_principal) ( krb5_context kcontext,
+ krb5_const_principal search_for,
+ int *nentries );
+
+ krb5_error_code (*db_iterate) ( krb5_context kcontext,
+ char *match_entry,
+ int (*func) (krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg );
+
+ krb5_error_code (*db_create_policy) ( krb5_context kcontext,
+ osa_policy_ent_t policy );
+
+ krb5_error_code (*db_get_policy) ( krb5_context kcontext,
+ char *name,
+ osa_policy_ent_t *policy,
+ int *cnt);
+
+ krb5_error_code (*db_put_policy) ( krb5_context kcontext,
+ osa_policy_ent_t policy );
+
+ krb5_error_code (*db_iter_policy) ( krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data );
+
+
+ krb5_error_code (*db_delete_policy) ( krb5_context kcontext,
+ char *policy );
+
+ void (*db_free_policy) ( krb5_context kcontext,
+ osa_policy_ent_t val );
+
+ krb5_error_code (*db_supported_realms) ( krb5_context kcontext,
+ char **realms );
+
+ krb5_error_code (*db_free_supported_realms) ( krb5_context kcontext,
+ char **realms );
+
+
+ const char * (*errcode_2_string) ( krb5_context kcontext,
+ long err_code );
+
+ void (*release_errcode_string) (krb5_context kcontext, const char *msg);
+
+ void * (*db_alloc) (krb5_context kcontext, void *ptr, size_t size);
+ void (*db_free) (krb5_context kcontext, void *ptr);
+
+
+
+ /* optional functions */
+ krb5_error_code (*set_master_key) ( krb5_context kcontext,
+ char *pwd,
+ krb5_keyblock *key);
+
+ krb5_error_code (*get_master_key) ( krb5_context kcontext,
+ krb5_keyblock **key);
+
+ krb5_error_code (*set_master_key_list) ( krb5_context kcontext,
+ krb5_keyblock_node *keylist);
+
+ krb5_error_code (*get_master_key_list) ( krb5_context kcontext,
+ krb5_keyblock_node **keylist);
+
+ krb5_error_code (*setup_master_key_name) ( krb5_context kcontext,
+ char *keyname,
+ char *realm,
+ char **fullname,
+ krb5_principal *principal);
+
+ krb5_error_code (*store_master_key) ( krb5_context kcontext,
+ char *db_arg,
+ krb5_principal mname,
+ krb5_kvno kvno,
+ krb5_keyblock *key,
+ char *master_pwd);
+
+ krb5_error_code (*fetch_master_key) ( krb5_context kcontext,
+ krb5_principal mname,
+ krb5_keyblock *key,
+ krb5_kvno *kvno,
+ char *db_args);
+
+ krb5_error_code (*verify_master_key) ( krb5_context kcontext,
+ krb5_principal mprinc,
+ krb5_kvno kvno,
+ krb5_keyblock *mkey );
+
+ krb5_error_code (*fetch_master_key_list) (krb5_context kcontext,
+ krb5_principal mname,
+ const krb5_keyblock *key,
+ krb5_kvno kvno,
+ krb5_keyblock_node **mkeys_list);
+
+ krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext,
+ krb5_db_entry *dbentp,
+ krb5_int32 *start,
+ krb5_int32 ktype,
+ krb5_int32 stype,
+ krb5_int32 kvno,
+ krb5_key_data **kdatap);
+
+
+ krb5_error_code
+ (*db_change_pwd) ( krb5_context context,
+ krb5_keyblock * master_key,
+ krb5_key_salt_tuple * ks_tuple,
+ int ks_tuple_count,
+ char * passwd,
+ int new_kvno,
+ krb5_boolean keepold,
+ krb5_db_entry * db_entry);
+
+ /* Promote a temporary database to be the live one. */
+ krb5_error_code (*promote_db) (krb5_context context,
+ char *conf_section,
+ char **db_args);
+
+ krb5_error_code (*dbekd_decrypt_key_data) ( krb5_context kcontext,
+ const krb5_keyblock *mkey,
+ const krb5_key_data *key_data,
+ krb5_keyblock *dbkey,
+ krb5_keysalt *keysalt );
+
+ krb5_error_code (*dbekd_encrypt_key_data) ( krb5_context kcontext,
+ const krb5_keyblock *mkey,
+ const krb5_keyblock *dbkey,
+ const krb5_keysalt *keyselt,
+ int keyver,
+ krb5_key_data *key_data );
+
+ krb5_error_code
+ (*db_invoke) ( krb5_context context,
+ unsigned int method,
+ const krb5_data *req,
+ krb5_data *rep );
+} kdb_vftabl;
+#endif /* !defined(_WIN32) */
+
#endif /* KRB5_KDB5__ */
Copied: branches/mkey_migrate/src/include/kdb_ext.h (from rev 21721, trunk/src/include/kdb_ext.h)
Modified: branches/mkey_migrate/src/include/kim/kim_ccache.h
===================================================================
--- branches/mkey_migrate/src/include/kim/kim_ccache.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/kim/kim_ccache.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -114,6 +114,12 @@
* It can be trivially implemented using
* #kim_ccache_create_from_client_identity() and #kim_ccache_create_new().
*
+ * For legacy password-based Kerberos environments KIM also provides
+ * #kim_ccache_create_new_with_password() and
+ * #kim_ccache_create_new_if_needed_with_password(). You should not use these
+ * functions unless you know that they will only be used in environments using
+ * passwords. Otherwise users without passwords may be prompted for them.
+ *
* KIM provides the #kim_ccache_create_from_keytab() to create credentials
* using a keytab and store them in the cache collection. A keytab is an
* on-disk copy of a client identity's secret key. Typically sites use
@@ -301,39 +307,83 @@
* \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to
* allow the user to choose.
* \param in_options options to control credential acquisition.
- * \note Depending on the kim_options specified, #kim_ccache_create_new() may
+ * \note #kim_ccache_create_new() may
* present a GUI or command line prompt to obtain information from the user.
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Acquire a new initial credential and store it in a ccache.
*/
kim_error kim_ccache_create_new (kim_ccache *out_ccache,
- kim_identity in_client_identity,
- kim_options in_options);
+ kim_identity in_client_identity,
+ kim_options in_options);
/*!
+ * \param out_ccache on exit, a new cache object for a ccache containing a newly acquired
+ * initial credential. Must be freed with kim_ccache_free().
+ * \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to
+ * allow the user to choose.
+ * \param in_options options to control credential acquisition.
+ * \param in_password a password to be used while obtaining credentials.
+ * \note #kim_ccache_create_new_with_password() exists to support
+ * legacy password-based Kerberos environments. You should not use this
+ * function unless you know that it will only be used in environments using passwords.
+ * This function may also present a GUI or command line prompt to obtain
+ * additional information needed to obtain credentials (eg: SecurID pin).
+ * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
+ * \brief Acquire a new initial credential and store it in a ccache
+ * using the provided password..
+ */
+kim_error kim_ccache_create_new_with_password (kim_ccache *out_ccache,
+ kim_identity in_client_identity,
+ kim_options in_options,
+ kim_string in_password);
+
+/*!
* \param out_ccache on exit, a ccache object for a ccache containing a newly acquired
* initial credential. Must be freed with kim_ccache_free().
* \param in_client_identity a client identity to obtain a credential for.
* \param in_options options to control credential acquisition (if a credential is acquired).
- * \note Depending on the kim_options specified, #kim_ccache_create_new_if_needed() may
+ * \note #kim_ccache_create_new_if_needed() may
* present a GUI or command line prompt to obtain information from the user.
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Find a ccache containing a valid initial credential in the cache collection, or if
* unavailable, acquire and store a new initial credential.
*/
kim_error kim_ccache_create_new_if_needed (kim_ccache *out_ccache,
- kim_identity in_client_identity,
- kim_options in_options);
+ kim_identity in_client_identity,
+ kim_options in_options);
/*!
+ * \param out_ccache on exit, a ccache object for a ccache containing a newly acquired
+ * initial credential. Must be freed with kim_ccache_free().
+ * \param in_client_identity a client identity to obtain a credential for.
+ * \param in_options options to control credential acquisition (if a credential is acquired).
+ * \param in_password a password to be used while obtaining credentials.
+ * \note #kim_ccache_create_new_if_needed_with_password() exists to support
+ * legacy password-based Kerberos environments. You should not use this
+ * function unless you know that it will only be used in environments using passwords.
+ * This function may also present a GUI or command line prompt to obtain
+ * additional information needed to obtain credentials (eg: SecurID pin).
+ * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
+ * \brief Find a ccache containing a valid initial credential in the cache collection, or if
+ * unavailable, acquire and store a new initial credential using the provided password.
+ */
+kim_error kim_ccache_create_new_if_needed_with_password (kim_ccache *out_ccache,
+ kim_identity in_client_identity,
+ kim_options in_options,
+ kim_string in_password);
+
+/*!
* \param out_ccache on exit, a ccache object for a ccache containing a TGT
* credential. Must be freed with kim_ccache_free().
- * \param in_client_identity a client identity to obtain a credential for.
+ * \param in_client_identity a client identity to find a ccache for. If
+ * \a in_client_identity is #KIM_IDENTITY_ANY, this
+ * function returns the default ccache
+ * (ie: is equivalent to #kim_ccache_create_from_default()).
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Find a ccache for a client identity in the cache collection.
*/
kim_error kim_ccache_create_from_client_identity (kim_ccache *out_ccache,
- kim_identity in_client_identity);
+ kim_identity in_client_identity);
/*!
* \param out_ccache on exit, a new ccache object containing an initial credential
@@ -347,9 +397,9 @@
* \brief Acquire a new initial credential from a keytab and store it in a ccache.
*/
kim_error kim_ccache_create_from_keytab (kim_ccache *out_ccache,
- kim_identity in_identity,
- kim_options in_options,
- kim_string in_keytab);
+ kim_identity in_identity,
+ kim_options in_options,
+ kim_string in_keytab);
/*!
* \param out_ccache on exit, a ccache object for the default ccache.
@@ -381,8 +431,8 @@
* \brief Get a ccache for a ccache type and name.
*/
kim_error kim_ccache_create_from_type_and_name (kim_ccache *out_ccache,
- kim_string in_type,
- kim_string in_name);
+ kim_string in_type,
+ kim_string in_name);
/*!
* \param out_ccache on exit, a new ccache object which is a copy of in_krb5_ccache.
@@ -393,8 +443,8 @@
* \brief Get a ccache for a krb5 ccache.
*/
kim_error kim_ccache_create_from_krb5_ccache (kim_ccache *out_ccache,
- krb5_context in_krb5_context,
- krb5_ccache in_krb5_ccache);
+ krb5_context in_krb5_context,
+ krb5_ccache in_krb5_ccache);
/*!
* \param out_ccache on exit, the new ccache object which is a copy of in_ccache.
@@ -404,7 +454,7 @@
* \brief Copy a ccache.
*/
kim_error kim_ccache_copy (kim_ccache *out_ccache,
- kim_ccache in_ccache);
+ kim_ccache in_ccache);
/*!
* \param in_ccache a ccache object.
@@ -438,7 +488,7 @@
* \brief Get the name of a ccache.
*/
kim_error kim_ccache_get_name (kim_ccache in_ccache,
- kim_string *out_name);
+ kim_string *out_name);
/*!
* \param in_ccache a ccache object.
@@ -447,7 +497,7 @@
* \brief Get the type of a ccache.
*/
kim_error kim_ccache_get_type (kim_ccache in_ccache,
- kim_string *out_type);
+ kim_string *out_type);
/*!
* \param in_ccache a ccache object.
@@ -563,9 +613,9 @@
* \brief Verify the TGT in a ccache.
*/
kim_error kim_ccache_verify (kim_ccache in_ccache,
- kim_identity in_service_identity,
- kim_string in_keytab,
- kim_boolean in_fail_if_no_service_key);
+ kim_identity in_service_identity,
+ kim_string in_keytab,
+ kim_boolean in_fail_if_no_service_key);
/*!
* \param in_ccache a ccache object containing a TGT to be renewed.
@@ -574,7 +624,7 @@
* \brief Renew the TGT in a ccache.
*/
kim_error kim_ccache_renew (kim_ccache in_ccache,
- kim_options in_options);
+ kim_options in_options);
/*!
* \param in_ccache a ccache object containing a TGT to be validated.
@@ -583,7 +633,7 @@
* \brief Validate the TGT in a ccache.
*/
kim_error kim_ccache_validate (kim_ccache in_ccache,
- kim_options in_options);
+ kim_options in_options);
/*!
* \param io_ccache a ccache object to be destroyed. Set to NULL on exit.
Modified: branches/mkey_migrate/src/include/kim/kim_credential.h
===================================================================
--- branches/mkey_migrate/src/include/kim/kim_credential.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/kim/kim_credential.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -101,6 +101,11 @@
* kim_options specified, #kim_credential_create_new() may present a
* GUI or command line prompt to obtain information from the user.
*
+ * For legacy password-based Kerberos environments KIM also provides
+ * #kim_credential_create_new_with_password(). You should not use this
+ * function unless you know that it will only be used in environments using
+ * passwords. Otherwise users without passwords may be prompted for them.
+ *
* KIM provides the #kim_credential_create_from_keytab() to create credentials
* using a keytab. A keytab is an on-disk copy of a client identity's secret
* key. Typically sites use keytabs for client identities that identify a
@@ -324,7 +329,7 @@
* \param in_client_identity a client identity to obtain a credential for. Specify NULL to
* allow the user to choose the identity
* \param in_options options to control credential acquisition.
- * \note Depending on the kim_options specified, #kim_credential_create_new() may
+ * \note #kim_credential_create_new() may
* present a GUI or command line prompt to obtain information from the user.
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Acquire a new initial credential.
@@ -335,6 +340,27 @@
kim_options in_options);
/*!
+ * \param out_credential on exit, a new credential object containing a newly acquired
+ * initial credential. Must be freed with kim_credential_free().
+ * \param in_client_identity a client identity to obtain a credential for. Specify NULL to
+ * allow the user to choose the identity
+ * \param in_options options to control credential acquisition.
+ * \param in_password a password to be used while obtaining the credential.
+ * \note #kim_credential_create_new_with_password() exists to support
+ * legacy password-based Kerberos environments. You should not use this
+ * function unless you know that it will only be used in environments using passwords.
+ * This function may also present a GUI or command line prompt to obtain
+ * additional information needed to obtain credentials (eg: SecurID pin).
+ * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
+ * \brief Acquire a new initial credential using the provided password.
+ * \sa kim_ccache_create_new
+ */
+kim_error kim_credential_create_new_with_password (kim_credential *out_credential,
+ kim_identity in_client_identity,
+ kim_options in_options,
+ kim_string in_password);
+
+/*!
* \param out_credential on exit, a new credential object containing an initial credential
* for \a in_identity obtained using \a in_keytab.
* Must be freed with kim_credential_free().
Modified: branches/mkey_migrate/src/include/kim/kim_options.h
===================================================================
--- branches/mkey_migrate/src/include/kim/kim_options.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/kim/kim_options.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -185,7 +185,8 @@
/*!
* \param out_options on exit, a new options object which is a copy of \a in_options.
- * Must be freed with kim_options_free().
+ * Must be freed with kim_options_free(). If passed KIM_OPTIONS_DEFAULT
+ * will set \a out_options to KIM_OPTIONS_DEFAULT.
* \param in_options a options object.
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Copy options.
Modified: branches/mkey_migrate/src/include/kim/kim_preferences.h
===================================================================
--- branches/mkey_migrate/src/include/kim/kim_preferences.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/kim/kim_preferences.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -177,7 +177,8 @@
/*!
* \param in_preferences a preferences object.
* \param out_options on exit, the options specified in \a in_preferences.
- * Must be freed with kim_options_free().
+ * May be KIM_OPTIONS_DEFAULT.
+ * If not, must be freed with kim_options_free().
* \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure.
* \brief Get the user's preferred options.
* \sa kim_preferences_set_options()
Modified: branches/mkey_migrate/src/include/krb5/authdata_plugin.h
===================================================================
--- branches/mkey_migrate/src/include/krb5/authdata_plugin.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/krb5/authdata_plugin.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -108,4 +108,53 @@
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply);
} krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_ftable_v1 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /*
+ * Per-plugin initialization/cleanup. The init function is called
+ * by the KDC when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional.
+ */
+ krb5_error_code (*init_proc)(krb5_context, void **);
+ void (*fini_proc)(krb5_context, void *);
+ /*
+ * Actual authorization data handling function. If this field
+ * holds a null pointer, this mechanism will be skipped, and the
+ * init/fini functions will not be run.
+ *
+ * This function should only modify the field
+ * enc_tkt_reply->authorization_data. All other values should be
+ * considered inputs only. And, it should *modify* the field, not
+ * overwrite it and assume that there are no other authdata
+ * plugins in use.
+ *
+ * Memory management: authorization_data is a malloc-allocated,
+ * null-terminated sequence of malloc-allocated pointers to
+ * authorization data structures. This plugin code currently
+ * assumes the libraries, KDC, and plugin all use the same malloc
+ * pool, which may be a problem if/when we get the KDC code
+ * running on Windows.
+ *
+ * If this function returns a non-zero error code, a message
+ * is logged, but no other action is taken. Other authdata
+ * plugins will be called, and a response will be sent to the
+ * client (barring other problems).
+ */
+ krb5_error_code (*authdata_proc)(krb5_context,
+ unsigned int flags,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ struct _krb5_db_entry_new *tgs,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+} krb5plugin_authdata_ftable_v1;
+
#endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */
Modified: branches/mkey_migrate/src/include/krb5/krb5.hin
===================================================================
--- branches/mkey_migrate/src/include/krb5/krb5.hin 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/krb5/krb5.hin 2009-01-10 01:06:45 UTC (rev 21722)
@@ -195,6 +195,7 @@
typedef krb5_int32 krb5_cksumtype;
typedef krb5_int32 krb5_authdatatype;
typedef krb5_int32 krb5_keyusage;
+typedef krb5_int32 krb5_cryptotype;
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
typedef krb5_int32 krb5_flags;
@@ -243,17 +244,29 @@
*/
/* Name type not known */
-#define KRB5_NT_UNKNOWN 0
+#define KRB5_NT_UNKNOWN 0
/* Just the name of the principal as in DCE, or for users */
-#define KRB5_NT_PRINCIPAL 1
+#define KRB5_NT_PRINCIPAL 1
/* Service and other unique instance (krbtgt) */
-#define KRB5_NT_SRV_INST 2
+#define KRB5_NT_SRV_INST 2
/* Service with host name as instance (telnet, rcommands) */
-#define KRB5_NT_SRV_HST 3
+#define KRB5_NT_SRV_HST 3
/* Service with host as remaining components */
-#define KRB5_NT_SRV_XHST 4
+#define KRB5_NT_SRV_XHST 4
/* Unique ID */
-#define KRB5_NT_UID 5
+#define KRB5_NT_UID 5
+/* PKINIT */
+#define KRB5_NT_X500_PRINCIPAL 6
+/* Name in form of SMTP email name */
+#define KRB5_NT_SMTP_NAME 7
+/* Windows 2000 UPN */
+#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
+/* Windows 2000 UPN and SID */
+#define KRB5_NT_MS_PRINCIPAL -128
+/* NT 4 style name */
+#define KRB5_NT_MS_PRINCIPAL_AND_ID -129
+/* NT 4 style name and SID */
+#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130
/* constant version thereof: */
typedef const krb5_principal_data *krb5_const_principal;
@@ -302,6 +315,7 @@
#define ADDRTYPE_XNS 0x0006
#define ADDRTYPE_ISO 0x0007
#define ADDRTYPE_DDP 0x0010
+#define ADDRTYPE_NETBIOS 0x0014
#define ADDRTYPE_INET6 0x0018
/* not yet in the spec... */
#define ADDRTYPE_ADDRPORT 0x0100
@@ -364,6 +378,11 @@
krb5_data ciphertext;
} krb5_enc_data;
+typedef struct _krb5_crypto_iov {
+ krb5_cryptotype flags;
+ krb5_data data;
+} krb5_crypto_iov;
+
/* per Kerberos v5 protocol spec */
#define ENCTYPE_NULL 0x0000
#define ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */
@@ -402,6 +421,7 @@
#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
#define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
+#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /*Microsoft netlogon cksumtype*/
#define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
/* The following are entropy source designations. Whenever
@@ -612,6 +632,57 @@
krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum
(krb5_cksumtype ctype);
+/* AEAD APIs */
+#define KRB5_CRYPTO_TYPE_EMPTY 0 /* [in] ignored */
+#define KRB5_CRYPTO_TYPE_HEADER 1 /* [out] header */
+#define KRB5_CRYPTO_TYPE_DATA 2 /* [in, out] plaintext */
+#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /* [in] associated data */
+#define KRB5_CRYPTO_TYPE_PADDING 4 /* [out] padding */
+#define KRB5_CRYPTO_TYPE_TRAILER 5 /* [out] checksum for encrypt */
+#define KRB5_CRYPTO_TYPE_CHECKSUM 6 /* [out] checksum for MIC */
+#define KRB5_CRYPTO_TYPE_STREAM 7 /* [in] entire message */
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_make_checksum_iov
+ (krb5_context context, krb5_cksumtype cksumtype,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_verify_checksum_iov
+ (krb5_context context,
+ krb5_cksumtype cksumtype,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_boolean *valid);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_encrypt_iov
+ (krb5_context context, const krb5_keyblock *key,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_decrypt_iov
+ (krb5_context context, const krb5_keyblock *key,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_crypto_length
+ (krb5_context context, krb5_enctype enctype,
+ krb5_cryptotype type, unsigned int *size);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_crypto_length_iov
+ (krb5_context context, krb5_enctype enctype,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_padding_length
+ (krb5_context context, krb5_enctype enctype,
+ size_t data_length, unsigned int *size);
+
#ifdef KRB5_OLD_CRYPTO
/*
* old cryptosystem routine prototypes. These are now layered
@@ -712,6 +783,7 @@
/* #define KDC_OPT_RESERVED 0x00080000 */
/* #define KDC_OPT_RESERVED 0x00040000 */
#define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
+#define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000
#define KDC_OPT_CANONICALIZE 0x00010000
/* #define KDC_OPT_RESERVED 0x00008000 */
/* #define KDC_OPT_RESERVED 0x00004000 */
@@ -772,10 +844,10 @@
/* #define AP_OPTS_RESERVED 0x00000010 */
/* #define AP_OPTS_RESERVED 0x00000008 */
/* #define AP_OPTS_RESERVED 0x00000004 */
-/* #define AP_OPTS_RESERVED 0x00000002 */
-#define AP_OPTS_USE_SUBKEY 0x00000001
+#define AP_OPTS_ETYPE_NEGOTIATION 0x00000002
+#define AP_OPTS_USE_SUBKEY 0x00000001
-#define AP_OPTS_WIRE_MASK 0xfffffff0
+#define AP_OPTS_WIRE_MASK 0xfffffff0
/* definitions for ad_type fields. */
#define AD_TYPE_RESERVED 0x8000
@@ -825,13 +897,6 @@
#define LR_TYPE_INTERPRETATION_MASK 0x7fff
-/* definitions for ad_type fields. */
-#define AD_TYPE_EXTERNAL 0x4000
-#define AD_TYPE_REGISTERED 0x2000
-
-#define AD_TYPE_FIELD_TYPE_MASK 0x1fff
-#define AD_TYPE_INTERNAL_MASK 0x3fff
-
/* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */
#define MSEC_DIRBIT 0x8000
#define MSEC_VAL_MASK 0x7fff
@@ -899,12 +964,15 @@
#define KRB5_PADATA_PK_AS_REP 17 /* PKINIT */
#define KRB5_PADATA_ETYPE_INFO2 19
#define KRB5_PADATA_USE_SPECIFIED_KVNO 20
+#define KRB5_PADATA_SVR_REFERRAL_INFO 20 /* Windows 2000 referrals */
#define KRB5_PADATA_SAM_REDIRECT 21
#define KRB5_PADATA_GET_FROM_TYPED_DATA 22
#define KRB5_PADATA_REFERRAL 25 /* draft referral system */
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */
-
+#define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */
+#define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */
+#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */
@@ -926,6 +994,8 @@
#define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9
#define KRB5_AUTHDATA_OSF_DCE 64
#define KRB5_AUTHDATA_SESAME 65
+#define KRB5_AUTHDATA_WIN2K_PAC 128
+#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
/* password change constants */
@@ -1078,6 +1148,7 @@
krb5_principal server; /* server's principal identifier */
krb5_address **caddrs; /* array of ptrs to addresses,
optional */
+ krb5_pa_data **enc_padata; /* Windows 2000 compat */
} krb5_enc_kdc_rep_part;
typedef struct _krb5_kdc_rep {
@@ -1179,7 +1250,28 @@
} krb5_pwd_data;
/* these need to be here so the typedefs are available for the prototypes */
+/*
+ * Note for Windows 2000 compatibility this is encoded
+ * in the enc_padata field of the krb5_enc_kdc_rep_part.
+ */
+typedef struct _krb5_pa_svr_referral_data {
+ /* Referred name, only realm is required */
+ krb5_principal principal;
+} krb5_pa_svr_referral_data;
+typedef struct _krb5_pa_server_referral_data {
+ krb5_data *referred_realm;
+ krb5_principal true_principal_name;
+ krb5_principal requested_principal_name;
+ krb5_timestamp referral_valid_until;
+ krb5_checksum rep_cksum;
+} krb5_pa_server_referral_data;
+
+typedef struct _krb5_pa_pac_req {
+ /* TRUE if a PAC should be included in TGS-REP */
+ krb5_boolean include_pac;
+} krb5_pa_pac_req;
+
/*
* begin "safepriv.h"
*/
@@ -1444,6 +1536,7 @@
#define KRB5_GC_USER_USER 1 /* want user-user ticket */
#define KRB5_GC_CACHED 2 /* want cached ticket only */
+#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
krb5_error_code KRB5_CALLCONV krb5_get_credentials
(krb5_context,
@@ -1483,11 +1576,20 @@
(krb5_context,
krb5_auth_context,
krb5_data *);
+krb5_error_code KRB5_CALLCONV krb5_mk_rep_dce
+ (krb5_context,
+ krb5_auth_context,
+ krb5_data *);
krb5_error_code KRB5_CALLCONV krb5_rd_rep
(krb5_context,
krb5_auth_context,
const krb5_data *,
krb5_ap_rep_enc_part **);
+krb5_error_code KRB5_CALLCONV krb5_rd_rep_dce
+ (krb5_context,
+ krb5_auth_context,
+ const krb5_data *,
+ krb5_ui_4 *);
krb5_error_code KRB5_CALLCONV krb5_mk_error
(krb5_context,
const krb5_error *,
@@ -1512,6 +1614,14 @@
(krb5_context,
const char *,
krb5_principal * );
+#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1
+#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2
+#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4
+krb5_error_code KRB5_CALLCONV krb5_parse_name_flags
+ (krb5_context,
+ const char *,
+ int,
+ krb5_principal * );
krb5_error_code KRB5_CALLCONV krb5_unparse_name
(krb5_context,
krb5_const_principal,
@@ -1521,6 +1631,20 @@
krb5_const_principal,
char **,
unsigned int *);
+#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1
+#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2
+#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4
+krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags
+ (krb5_context,
+ krb5_const_principal,
+ int,
+ char **);
+krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags_ext
+ (krb5_context,
+ krb5_const_principal,
+ int,
+ char **,
+ unsigned int *);
krb5_error_code KRB5_CALLCONV krb5_set_principal_realm
(krb5_context, krb5_principal, const char *);
@@ -1545,6 +1669,20 @@
(krb5_context,
krb5_const_principal,
krb5_const_principal);
+krb5_boolean KRB5_CALLCONV krb5_principal_compare_any_realm
+ (krb5_context,
+ krb5_const_principal,
+ krb5_const_principal);
+#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1
+#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /* compare UPNs as real principals */
+#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /* case-insensitive comparison */
+#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /* treat principals as UTF-8 */
+
+krb5_boolean KRB5_CALLCONV krb5_principal_compare_flags
+ (krb5_context,
+ krb5_const_principal,
+ krb5_const_principal,
+ int);
krb5_error_code KRB5_CALLCONV krb5_init_keyblock
(krb5_context, krb5_enctype enctype,
size_t length, krb5_keyblock **out);
@@ -1605,10 +1743,16 @@
__attribute__ ((sentinel))
#endif
;
-krb5_error_code KRB5_CALLCONV krb5_build_principal_va
+#if KRB5_DEPRECATED
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV krb5_build_principal_va
(krb5_context,
krb5_principal, unsigned int, const char *, va_list);
+#endif
+/* Version of krb5_build_principal_va which allocates krb5_principal_data */
+krb5_error_code KRB5_CALLCONV krb5_build_principal_alloc_va
+ (krb5_context, krb5_principal *, unsigned int, const char *, va_list);
+
krb5_error_code KRB5_CALLCONV krb5_425_conv_principal
(krb5_context,
const char *name,
@@ -2142,6 +2286,7 @@
#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
+#define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200
krb5_error_code KRB5_CALLCONV
@@ -2179,6 +2324,11 @@
int proxiable);
void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_canonicalize
+(krb5_get_init_creds_opt *opt,
+ int canonicalize);
+
+void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list
(krb5_get_init_creds_opt *opt,
krb5_enctype *etype_list,
@@ -2355,7 +2505,70 @@
void KRB5_CALLCONV
krb5_clear_error_message (krb5_context);
+krb5_error_code KRB5_CALLCONV
+krb5_decode_authdata_container(krb5_context context,
+ krb5_authdatatype type,
+ const krb5_authdata *container,
+ krb5_authdata ***authdata);
+krb5_error_code KRB5_CALLCONV
+krb5_encode_authdata_container(krb5_context context,
+ krb5_authdatatype type,
+ krb5_authdata * const*authdata,
+ krb5_authdata ***container);
+/*
+ * Windows PAC
+ */
+struct krb5_pac_data;
+typedef struct krb5_pac_data *krb5_pac;
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_add_buffer
+(krb5_context context,
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_data *data);
+
+void KRB5_CALLCONV
+krb5_pac_free
+(krb5_context context,
+ krb5_pac pac);
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_buffer
+(krb5_context context,
+ krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_types
+(krb5_context context,
+ krb5_pac pac,
+ size_t *len,
+ krb5_ui_4 **types);
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_init
+(krb5_context context,
+ krb5_pac *pac);
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_parse
+(krb5_context context,
+ const void *ptr,
+ size_t len,
+ krb5_pac *pac);
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_verify
+(krb5_context context,
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server,
+ const krb5_keyblock *privsvr);
+
#if TARGET_OS_MAC
# pragma pack(pop)
#endif
Modified: branches/mkey_migrate/src/include/osconf.hin
===================================================================
--- branches/mkey_migrate/src/include/osconf.hin 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/include/osconf.hin 2009-01-10 01:06:45 UTC (rev 21722)
@@ -115,18 +115,6 @@
#define KRB5_ENV_CCNAME "KRB5CCNAME"
/*
- * krb4 kadmin stuff follows
- */
-
-/* the default syslog file */
-#define KADM_SYSLOG "@LOCALSTATEDIR/krb5kdc/admin_server.syslog"
-
-/* where to find the bad password table */
-#define PW_CHECK_FILE "@LOCALSTATEDIR/krb5kdc/bad_passwd"
-
-#define DEFAULT_ACL_DIR "@LOCALSTATEDIR/krb5kdc"
-
-/*
* krb5 slave support follows
*/
@@ -138,4 +126,10 @@
#define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
+/*
+ * GSS mechglue
+ */
+#define MECH_CONF "@SYSCONFDIR/gss/mech"
+#define MECH_LIB_PREFIX "@GSSMODULEDIR/"
+
#endif /* KRB5_OSCONF__ */
Modified: branches/mkey_migrate/src/kadmin/cli/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/cli/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/cli/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,45 +44,3 @@
# for testing getdate.y
datetest: getdate.c
$(CC) -o datetest $(ALL_CFLAGS) $(LDFLAGS) $(LDARGS) -DTEST getdate.c
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kadmin.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h kadmin.c kadmin.h
-$(OUTPRE)kadmin_ct.$(OBJEXT): $(COM_ERR_DEPS) $(SS_DEPS) \
- kadmin_ct.c
-$(OUTPRE)ss_wrapper.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- $(SS_DEPS) kadmin.h ss_wrapper.c
-$(OUTPRE)getdate.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- getdate.c kadmin.h
-$(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c
Copied: branches/mkey_migrate/src/kadmin/cli/deps (from rev 21721, trunk/src/kadmin/cli/deps)
Modified: branches/mkey_migrate/src/kadmin/cli/kadmin.c
===================================================================
--- branches/mkey_migrate/src/kadmin/cli/kadmin.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/cli/kadmin.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -134,9 +134,9 @@
minutes = duration / 60;
duration %= 60;
seconds = duration;
- sprintf(out, "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days",
- hours, minutes, seconds);
+ snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+ days, days == 1 ? "day" : "days",
+ hours, minutes, seconds);
return out;
}
@@ -161,23 +161,22 @@
{
char *cp, *fullname;
krb5_error_code retval;
+ int result;
/* assumes def_realm is initialized! */
- fullname = (char *)malloc(strlen(name) + 1 + strlen(def_realm) + 1);
- if (fullname == NULL)
- return ENOMEM;
- strcpy(fullname, name);
- cp = strchr(fullname, '@');
+ cp = strchr(name, '@');
while (cp) {
- if (cp - fullname && *(cp - 1) != '\\')
+ if (cp - name && *(cp - 1) != '\\')
break;
else
cp = strchr(cp + 1, '@');
}
- if (cp == NULL) {
- strcat(fullname, "@");
- strcat(fullname, def_realm);
- }
+ if (cp == NULL)
+ result = asprintf(&fullname, "%s@%s", name, def_realm);
+ else
+ result = asprintf(&fullname, "%s", name);
+ if (result < 0)
+ return ENOMEM;
retval = krb5_parse_name(context, fullname, principal);
free(fullname);
return retval;
@@ -279,15 +278,10 @@
break;
case 'd':
/* now db_name is not a seperate argument. It has to be passed as part of the db_args */
- if (!db_name) {
- db_name = malloc(strlen(optarg) + sizeof("dbname="));
- } else {
- db_name = realloc(db_name, strlen(optarg) + sizeof("dbname="));
- }
+ if (db_name)
+ free(db_name);
+ asprintf(&db_name, "dbname=%s", optarg);
- strcpy(db_name, "dbname=");
- strcat(db_name, optarg);
-
db_args_size++;
{
char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
@@ -437,43 +431,27 @@
}
if (cp != NULL)
*cp = '\0';
- princstr = (char*)malloc(strlen(canon) + 6 /* "/admin" */ +
- (realm ? 1 + strlen(realm) : 0) + 1);
- if (princstr == NULL) {
+ if (asprintf(&princstr, "%s/admin%s%s", canon,
+ (realm) ? "@" : "",
+ (realm) ? realm : "") < 0) {
fprintf(stderr, "%s: out of memory\n", whoami);
exit(1);
}
- strcpy(princstr, canon);
- strcat(princstr, "/admin");
- if (realm) {
- strcat(princstr, "@");
- strcat(princstr, realm);
- }
free(canon);
krb5_free_principal(context, princ);
freeprinc++;
} else if ((luser = getenv("USER"))) {
- princstr = (char *) malloc(strlen(luser) + 7 /* "/admin@" */
- + strlen(def_realm) + 1);
- if (princstr == NULL) {
+ if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) {
fprintf(stderr, "%s: out of memory\n", whoami);
exit(1);
}
- strcpy(princstr, luser);
- strcat(princstr, "/admin");
- strcat(princstr, "@");
- strcat(princstr, def_realm);
freeprinc++;
} else if ((pw = getpwuid(getuid()))) {
- princstr = (char *) malloc(strlen(pw->pw_name) + 7 /* "/admin@" */
- + strlen(def_realm) + 1);
- if (princstr == NULL) {
+ if (asprintf(&princstr, "%s/admin@%s", pw->pw_name,
+ def_realm) < 0) {
fprintf(stderr, "%s: out of memory\n", whoami);
exit(1);
}
- strcpy(princstr, pw->pw_name);
- strcat(princstr, "/admin@");
- strcat(princstr, def_realm);
freeprinc++;
} else {
fprintf(stderr, "%s: unable to figure out a principal name\n",
@@ -558,7 +536,7 @@
krb5_defkeyname = DEFAULT_KEYTAB;
}
- if ((retval = kadm5_init_iprop(handle)) != 0) {
+ if ((retval = kadm5_init_iprop(handle, 0)) != 0) {
com_err(whoami, retval, _("while mapping update log"));
exit(1);
}
@@ -816,11 +794,12 @@
} else if (argc == 1) {
unsigned int i = sizeof (newpw) - 1;
- sprintf(prompt1, "Enter password for principal \"%.900s\"",
- *argv);
- sprintf(prompt2,
- "Re-enter password for principal \"%.900s\"",
- *argv);
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%.900s\"",
+ *argv);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%.900s\"",
+ *argv);
retval = krb5_read_password(context, prompt1, prompt2,
newpw, &i);
if (retval) {
@@ -1250,11 +1229,12 @@
} else if (pass == NULL) {
unsigned int sz = sizeof (newpw) - 1;
- sprintf(prompt1, "Enter password for principal \"%.900s\"",
- canon);
- sprintf(prompt2,
- "Re-enter password for principal \"%.900s\"",
- canon);
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%.900s\"",
+ canon);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%.900s\"",
+ canon);
retval = krb5_read_password(context, prompt1, prompt2,
newpw, &sz);
if (retval) {
@@ -1501,6 +1481,14 @@
free(canon);
return;
}
+ free(canon);
+ canon = NULL;
+ retval = krb5_unparse_name(context, dprinc.principal, &canon);
+ if (retval) {
+ com_err("get_principal", retval, "while canonicalizing principal");
+ krb5_free_principal(context, princ);
+ return;
+ }
retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
if (retval) {
com_err("get_principal", retval, "while unparsing modname");
@@ -1535,14 +1523,14 @@
if (krb5_enctype_to_string(key_data->key_data_type[0],
enctype, sizeof(enctype)))
- sprintf(enctype, "<Encryption type 0x%x>",
- key_data->key_data_type[0]);
+ snprintf(enctype, sizeof(enctype), "<Encryption type 0x%x>",
+ key_data->key_data_type[0]);
printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
if (key_data->key_data_ver > 1) {
if (krb5_salttype_to_string(key_data->key_data_type[1],
salttype, sizeof(salttype)))
- sprintf(salttype, "<Salt type 0x%x>",
- key_data->key_data_type[1]);
+ snprintf(salttype, sizeof(salttype), "<Salt type 0x%x>",
+ key_data->key_data_type[1]);
printf("%s\n", salttype);
} else
printf("no salt\n");
Modified: branches/mkey_migrate/src/kadmin/dbutil/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,18 +2,13 @@
myfulldir=kadmin/dbutil
mydir=kadmin/dbutil
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DKDB4_DISABLE
DEFS=
-LOCALINCLUDES = -I. @KRB4_INCLUDES@
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
+LOCALINCLUDES = -I.
+PROG_LIBPATH=-L$(TOPLIBD) $(KRB5_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
PROG = kdb5_util
-###OBJS = kdb5_util.o dump.o dumpv4.o loadv4.o \
-### kdb5_create.o kadm5_create.o string_table.o kdb5_stash.o \
-### kdb5_destroy.o ovload.o import_err.o strtok.o
-###
SRCS = kdb5_util.c kdb5_create.c kadm5_create.c string_table.c kdb5_destroy.c \
kdb5_stash.c import_err.c strtok.c dump.c ovload.c kdb5_mkey.c
@@ -25,8 +20,8 @@
all:: $(PROG)
-$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(GETDATE)
- $(CC_LINK) -o $(PROG) $(OBJS) $(GETDATE) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS)
+$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(GETDATE)
+ $(CC_LINK) -o $(PROG) $(OBJS) $(GETDATE) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS)
import_err.c import_err.h: $(srcdir)/import_err.et
@@ -39,148 +34,3 @@
clean::
$(RM) $(PROG) $(OBJS) import_err.c import_err.h
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdb5_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb5_util.c kdb5_util.h
-$(OUTPRE)kdb5_create.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb5_create.c kdb5_util.h
-$(OUTPRE)kadm5_create.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kadm5_create.c kdb5_util.h string_table.h
-$(OUTPRE)string_table.$(OBJEXT): string_table.c
-$(OUTPRE)kdb5_destroy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kdb5_destroy.c kdb5_util.h
-$(OUTPRE)kdb5_stash.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kdb5_stash.c kdb5_util.h
-$(OUTPRE)import_err.$(OBJEXT): $(COM_ERR_DEPS) import_err.c
-$(OUTPRE)strtok.$(OBJEXT): nstrtok.h strtok.c
-$(OUTPRE)dump.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- dump.c kdb5_util.h
-$(OUTPRE)ovload.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- import_err.h kdb5_util.h nstrtok.h ovload.c
Copied: branches/mkey_migrate/src/kadmin/dbutil/deps (from rev 21721, trunk/src/kadmin/dbutil/deps)
Modified: branches/mkey_migrate/src/kadmin/dbutil/dump.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -331,15 +331,12 @@
int fd;
static char ok[]=".dump_ok";
- if ((file_ok = (char *)malloc(strlen(file_name) + strlen(ok) + 1))
- == NULL) {
+ if (asprintf(&file_ok, "%s%s", file_name, ok) < 0) {
com_err(progname, ENOMEM,
"while allocating filename for update_ok_file");
exit_status++;
return;
}
- strcpy(file_ok, file_name);
- strcat(file_ok, ok);
if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno, "while creating 'ok' file, '%s'",
file_ok);
@@ -2283,14 +2280,11 @@
}
dumpfile = argv[aindex];
- if (!(dbname_tmp = (char *) malloc(strlen(dbname)+
- strlen(dump_tmptrail)+1))) {
+ if (asprintf(&dbname_tmp, "%s%s", dbname, dump_tmptrail) < 0) {
fprintf(stderr, no_name_mem_fmt, progname);
exit_status++;
return;
}
- strcpy(dbname_tmp, dbname);
- strcat(dbname_tmp, dump_tmptrail);
/*
* Initialize the Kerberos context and error tables.
Deleted: branches/mkey_migrate/src/kadmin/dbutil/dumpv4.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/dumpv4.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/dumpv4.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,462 +0,0 @@
-/*
- * admin/edit/dumpv4.c
- *
- * Copyright 1990,1991, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Dump a KDC database into a V4 slave dump.
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifdef KRB5_KRB4_COMPAT
-
-#include "k5-int.h"
-#include "com_err.h"
-
-#include <des.h>
-#include <krb.h>
-#ifdef HAVE_KRB_DB_H
-#include <krb_db.h>
-#endif /*HAVE_KRB_DB_H*/
-#ifdef HAVE_KDC_H
-;/* MKEYFILE is now defined in kdc.h */
-#include <kdc.h>
-#endif /*HAVE_KDC_H*/
-#include <stdio.h>
-#include <kadm5/admin.h>
-#include "kdb5_util.h"
-
-struct dump_record {
- char *comerr_name;
- FILE *f;
- krb5_keyblock *v5mkey;
- C_Block v4_master_key;
- Key_schedule v4_master_key_schedule;
- long master_key_version;
- char *realm;
-};
-
-
-void update_ok_file();
-
-#define ANAME_SZ 40
-#define INST_SZ 40
-
-static char *v4_mkeyfile = "/.k";
-static int shortlife;
-static krb5_error_code handle_one_key(struct dump_record *arg,
- krb5_keyblock *v5mkey,
- krb5_key_data *v5key,
- des_cblock v4key);
-static int handle_keys(struct dump_record *arg);
-
-static int
-v4init(arg, manual)
- struct dump_record *arg;
- int manual;
-{
- int fd;
- int ok = 0;
-
- if (!manual) {
- fd = open(v4_mkeyfile, O_RDONLY, 0600);
- if (fd >= 0) {
- if (read(fd,arg->v4_master_key,sizeof(C_Block)) == sizeof(C_Block))
- ok = 1;
- close(fd);
- }
- }
- if (!ok) {
- des_read_password(&arg->v4_master_key, "V4 Kerberos master key", 1);
- printf("\n");
- }
- arg->master_key_version = 1;
- key_sched(arg->v4_master_key, arg->v4_master_key_schedule);
-
- return 0;
-}
-
-static void
-v4_print_time(file, timeval)
- FILE *file;
- unsigned long timeval;
-{
- struct tm *tm;
- struct tm *gmtime();
- tm = gmtime((time_t *)&timeval);
- fprintf(file, " %04d%02d%02d%02d%02d",
- tm->tm_year < 1900 ? tm->tm_year + 1900: tm->tm_year,
- tm->tm_mon + 1,
- tm->tm_mday,
- tm->tm_hour,
- tm->tm_min);
-}
-
-
-
-static krb5_error_code
-dump_v4_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
-{
- struct dump_record *arg = (struct dump_record *) ptr;
- krb5_principal mod_princ;
- krb5_timestamp mod_time;
- krb5_error_code retval;
- int i, max_kvno, ok_key;
-
- struct v4princ {
- char name[ANAME_SZ+1];
- char instance[INST_SZ+1];
- char realm[REALM_SZ+1];
- int max_life;
- int kdc_key_ver, key_version, attributes;
- char mod_name[ANAME_SZ+1];
- char mod_instance[INST_SZ+1];
- char mod_realm[REALM_SZ+1];
- } v4princ, *principal;
- des_cblock v4key;
-
- principal = &v4princ;
-
- if (strcmp(krb5_princ_realm(util_context, entry->princ)->data, arg->realm))
- /* skip this because it's a key for a different realm, probably
- * a paired krbtgt key */
- return 0;
-
- retval = krb5_524_conv_principal(util_context, entry->princ,
- principal->name, principal->instance,
- principal->realm);
- if (retval)
- /* Skip invalid V4 principals */
- return 0;
-
- if (!strcmp(principal->name, "K") && !strcmp(principal->instance, "M"))
- /* The V4 master key is handled specially */
- return 0;
-
- if (! principal->name[0])
- return 0;
- if (! principal->instance[0])
- strcpy(principal->instance, "*");
-
- /* Now move to mod princ */
- if ((retval = krb5_dbe_lookup_mod_princ_data(util_context,entry,
- &mod_time, &mod_princ))){
- com_err(arg->comerr_name, retval, "while unparsing db entry");
- exit_status++;
- return retval;
- }
- retval = krb5_524_conv_principal(util_context, mod_princ,
- principal->mod_name, principal->mod_instance,
- principal->mod_realm);
- if (retval) {
- /* Invalid V4 mod principal */
- principal->mod_name[0] = '\0';
- principal->mod_instance[0] = '\0';
- }
-
- if (! principal->mod_name[0])
- strcpy(principal->mod_name, "*");
- if (! principal->mod_instance[0])
- strcpy(principal->mod_instance, "*");
-
- /* OK deal with the key now. */
- for (max_kvno = i = 0; i < entry->n_key_data; i++) {
- if (max_kvno < entry->key_data[i].key_data_kvno) {
- max_kvno = entry->key_data[i].key_data_kvno;
- ok_key = i;
- }
- }
-
- i = ok_key;
- while (ok_key < entry->n_key_data) {
- if (max_kvno == entry->key_data[ok_key].key_data_kvno) {
- if (entry->key_data[ok_key].key_data_type[1]
- == KRB5_KDB_SALTTYPE_V4) {
- goto found_one;
- }
- }
- ok_key++;
- }
-
- /* See if there are any DES keys that may be suitable */
- ok_key = i;
- while (ok_key < entry->n_key_data) {
- if (max_kvno == entry->key_data[ok_key].key_data_kvno) {
- krb5_enctype enctype = entry->key_data[ok_key].key_data_type[0];
- if ((enctype == ENCTYPE_DES_CBC_CRC) ||
- (enctype == ENCTYPE_DES_CBC_MD5) ||
- (enctype == ENCTYPE_DES_CBC_RAW))
- goto found_one;
- }
- ok_key++;
- }
- /* skip this because it's a new style key and we can't help it */
- return 0;
-
-found_one:;
- principal->key_version = max_kvno;
- if (!shortlife)
- principal->max_life = krb_time_to_life(0, entry->max_life);
- else {
- principal->max_life = entry->max_life / (60 * 5);
- if (principal->max_life > 255)
- principal->max_life = 255;
- }
-
- principal->kdc_key_ver = arg->master_key_version;
- principal->attributes = 0; /* ??? not preserved either */
-
- fprintf(arg->f, "%s %s %d %d %d %d ",
- principal->name,
- principal->instance,
- principal->max_life,
- principal->kdc_key_ver,
- principal->key_version,
- principal->attributes);
-
- handle_one_key(arg, arg->v5mkey, &entry->key_data[ok_key], v4key);
-
- for (i = 0; i < 8; i++) {
- fprintf(arg->f, "%02x", ((unsigned char*)v4key)[i]);
- if (i == 3) fputc(' ', arg->f);
- }
-
- if (entry->expiration == 0) {
- /* 0 means "never" expire. V4 didn't support that, so rather than
- having everything appear to have expired in 1970, we nail in the
- Cygnus 96q1 default value. The value quoted here is directly
- from src/admin/kdb_init.c in Cygnus CNS V4 96q1, and is
- roughly 12/31/2009. */
- v4_print_time(arg->f, 946702799+((365*10+3)*24*60*60));
- } else {
- v4_print_time(arg->f, entry->expiration);
- }
- v4_print_time(arg->f, mod_time);
-
- fprintf(arg->f, " %s %s\n", principal->mod_name, principal->mod_instance);
- return 0;
-}
-
-/*ARGSUSED*/
-void dump_v4db(argc, argv)
- int argc;
- char **argv;
-{
- int i;
- char *outname = NULL;
- FILE *f;
- struct dump_record arg;
-
- for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-S")) {
- shortlife++;
- continue;
- }
- break;
- }
- if (argc - i > 1) {
- com_err(argv[0], 0, "Usage: %s [-S] filename", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (argc - i == 1) {
- outname = argv[i];
- /*
- * Make sure that we don't open and truncate on the fopen,
- * since that may hose an on-going kprop process.
- *
- * We could also control this by opening for read and
- * write, doing an flock with LOCK_EX, and then
- * truncating the file once we have gotten the lock,
- * but that would involve more OS dependancies than I
- * want to get into.
- */
- unlink(outname);
- if (!(f = fopen(outname, "w"))) {
- com_err(argv[0], errno,
- "While opening file %s for writing", outname);
- exit_status++;
- return;
- }
- } else {
- f = stdout;
- }
-
- arg.comerr_name = argv[0];
- arg.f = f;
- v4init(&arg, 0);
- handle_keys(&arg);
-
- /* special handling for K.M since it isn't preserved */
- {
- des_cblock v4key;
- int i2;
-
- /* assume:
- max lifetime (255)
- key version == 1 (actually, should be whatever the v5 one is)
- master key version == key version
- args == 0 (none are preserved)
- expiration date is the default 2000
- last mod time is near zero (arbitrarily.)
- creator is db_creation *
- */
-
- fprintf(f,"K M 255 1 1 0 ");
-
-#ifndef KDB4_DISABLE
- kdb_encrypt_key (arg.v4_master_key, v4key,
- arg.v4_master_key, arg.v4_master_key_schedule,
- ENCRYPT);
-#else /* KDB4_DISABLE */
- pcbc_encrypt((C_Block *) arg.v4_master_key,
- (C_Block *) v4key,
- (long) sizeof(C_Block),
- arg.v4_master_key_schedule,
- (C_Block *) arg.v4_master_key,
- ENCRYPT);
-#endif /* KDB4_DISABLE */
-
- for (i2=0; i2<8; i2++) {
- fprintf(f, "%02x", ((unsigned char*)v4key)[i2]);
- if (i2 == 3) fputc(' ', f);
- }
- fprintf(f," 200001010459 197001020000 db_creation *\n");
- }
-
- (void) krb5_db_iterate(util_context, dump_v4_iterator,
- (krb5_pointer) &arg);
- if (argc == 2)
- fclose(f);
- if (outname)
- update_ok_file(outname);
-}
-
-static int handle_keys(arg)
- struct dump_record *arg;
-{
- krb5_error_code retval;
- char *defrealm;
- char *mkey_name = 0;
- char *mkey_fullname;
- krb5_principal l_master_princ;
-
- if ((retval = krb5_get_default_realm(util_context, &defrealm))) {
- com_err(arg->comerr_name, retval,
- "while retrieving default realm name");
- exit(1);
- }
- arg->realm = defrealm;
-
- /* assemble & parse the master key name */
-
- if ((retval = krb5_db_setup_mkey_name(util_context, mkey_name, arg->realm,
- &mkey_fullname, &l_master_princ))) {
- com_err(arg->comerr_name, retval, "while setting up master key name");
- exit(1);
- }
-
- if ((retval = krb5_db_fetch_mkey(util_context, l_master_princ,
- master_keyblock.enctype, 0,
- 0, global_params.stash_file, 0,
- &master_keyblock))) {
- com_err(arg->comerr_name, retval, "while reading master key");
- exit(1);
- }
- arg->v5mkey = &master_keyblock;
- return(0);
-}
-
-static krb5_error_code
-handle_one_key(arg, v5mkey, v5key, v4key)
- struct dump_record *arg;
- krb5_keyblock *v5mkey;
- krb5_key_data *v5key;
- des_cblock v4key;
-{
- krb5_error_code retval;
-
- krb5_keyblock v5plainkey;
- /* v4key is the actual v4 key from the file. */
-
- retval = krb5_dbekd_decrypt_key_data(util_context, v5mkey, v5key,
- &v5plainkey, NULL);
- if (retval)
- return retval;
-
- memcpy(v4key, v5plainkey.contents, sizeof(des_cblock));
-#ifndef KDB4_DISABLE
- kdb_encrypt_key (v4key, v4key,
- arg->v4_master_key, arg->v4_master_key_schedule,
- ENCRYPT);
-#else /* KDB4_DISABLE */
- pcbc_encrypt((C_Block *) v4key,
- (C_Block *) v4key,
- (long) sizeof(C_Block),
- arg->v4_master_key_schedule,
- (C_Block *) arg->v4_master_key,
- ENCRYPT);
-#endif /* KDB4_DISABLE */
- return 0;
-}
-
-#else /* KRB5_KRB4_COMPAT */
-void dump_v4db(argc, argv)
- int argc;
- char **argv;
-{
- printf("This version of krb5_edit does not support the V4 dump command.\n");
-}
-#endif /* KRB5_KRB4_COMPAT */
Modified: branches/mkey_migrate/src/kadmin/dbutil/kadm5_create.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kadm5_create.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/kadm5_create.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -145,8 +145,7 @@
{
char *n;
- n = (char *) malloc(strlen(name) + strlen(realm) + 2);
- sprintf(n, "%s@%s", name, realm);
+ asprintf(&n, "%s@%s", name, realm);
return n;
}
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -285,9 +285,9 @@
/* } */
if (log_ctx && log_ctx->iproprole) {
- if (retval = ulog_map(util_context, global_params.iprop_logfile,
- global_params.iprop_ulogsize, FKCOMMAND,
- db5util_db_args)) {
+ if ((retval = ulog_map(util_context, global_params.iprop_logfile,
+ global_params.iprop_ulogsize, FKCOMMAND,
+ db5util_db_args))) {
com_err(argv[0], retval,
_("while creating update log"));
exit_status++;
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.M
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -213,59 +213,6 @@
default.
.RE
.TP
-\fBdump_v4\fP [\fB\-S\fP] [\fIfilename\fP]
-Dumps the current database into the Kerberos 4 database dump format.
-The \-S option specifies the short lifetime algorithm.
-.TP
-\fBload_v4\fP [\fB\-T\fP] [\fB\-v\fP] [\fB\-h\fP] [\fB\-S\fP]
-[\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB\-s\fP\ \fIstashfile\fP]
-\fIinputfile\fP
-.br
-Loads a Kerberos 4 database dump file. Options:
-.RS
-.TP
-.B \-K
-prompts for the V5 master key instead of using the stashed version.
-.TP
-.B \-n
-prompts for the V4 master key, instead of reading from the stash file.
-.TP
-.B \-s \fIstashfile
-gets the V4 master key out of \fIstashfile\fP instead of /.k
-.TP
-.B \-T
-creates a new \fIkrbtgt\fP instead of converting the V4 one. The V5 server
-will thus not recognize outstanding tickets, so this should be used
-with caution.
-.TP
-.B \-v
-lists each principal as it is converted or ignored.
-.TP
-.B \-t
-uses a temporary database, then moves that into place, instead of adding
-the keys to the current database.
-.TP
-.B \-S
-Uses the short lifetime algorithm for conversion.
-.TP
-.B \-h
-Stores the database as a hash instead of a btree. This option is
-not recommended, as databases stored in hash format are known to
-corrupt data and lose principals.
-.PP
-Note: if the Kerberos 4 database had a default expiration date of 12/31/1999
-or 12/31/2009 (the compiled in defaults for older or newer Kerberos
-releases) then any entries which have the same expiration date will be
-converted to "never" expire in the version 5 database. If the default
-did not match either value, all expiration dates will be preserved.
-.PP
-Also, Kerberos 4 stored a single modification time for any change to a
-record; Version 5 stores a seperate modification time and last
-password change time. In practice, Version 4 "modifications" were
-always password changes. \fIload_v4\fP copies the value into both
-fields.
-.RE
-.TP
\fBark\fP
Adds a random key.
.SH SEE ALSO
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -121,8 +121,6 @@
{"stash", kdb5_stash, 1},
{"dump", dump_db, 1},
{"load", load_db, 0},
-/* {"dump_v4", dump_v4db, 1}, */
-/* {"load_v4", load_v4db, 0}, */
{"ark", add_random_key, 1},
{"add_mkey", kdb5_add_mkey, 1}, /* 1 is opendb */
{"use_mkey", kdb5_use_mkey, 1}, /* 1 is opendb */
@@ -218,16 +216,12 @@
global_params.dbname = koptarg;
global_params.mask |= KADM5_CONFIG_DBNAME;
- db_name_tmp = malloc( strlen(global_params.dbname) + sizeof("dbname="));
- if( db_name_tmp == NULL )
+ if (asprintf(&db_name_tmp, "dbname=%s", global_params.dbname) < 0)
{
com_err(progname, ENOMEM, "while parsing command arguments");
exit(1);
}
- strcpy( db_name_tmp, "dbname=");
- strcat( db_name_tmp, global_params.dbname );
-
if (!add_db_arg(db_name_tmp)) {
com_err(progname, ENOMEM, "while parsing command arguments\n");
exit(1);
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -77,8 +77,6 @@
extern void load_db (int argc, char **argv);
extern void dump_db (int argc, char **argv);
-extern void load_v4db (int argc, char **argv);
-extern void dump_v4db (int argc, char **argv);
extern void kdb5_create (int argc, char **argv);
extern void kdb5_destroy (int argc, char **argv);
extern void kdb5_stash (int argc, char **argv);
Deleted: branches/mkey_migrate/src/kadmin/dbutil/loadv4.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/loadv4.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/loadv4.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,982 +0,0 @@
-/*
- * kadmin/dbutil/loadv4.c
- *
- * Copyright 1996 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Generate (from scratch) a Kerberos V5 KDC database, filling it in with the
- * entries from a V4 database.
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include <stdio.h>
-
-#ifdef KRB5_KRB4_COMPAT
-
-#include "k5-int.h"
-#include "com_err.h"
-
-#include <des.h>
-#include <krb.h>
-#include <krb_db.h>
-/* MKEYFILE is now defined in kdc.h */
-#include <kdc.h>
-
-static C_Block master_key;
-static Key_schedule master_key_schedule;
-
-static char *v4_mkeyfile = "/.k";
-
-#include <kadm5/admin.h>
-/* Define to make certain blocks private */
-#define V4_DECLARES_STATIC
-#include "kdb5_util.h"
-#include "kadm5/adb.h" /* osa_adb_create_policy_db */
-#include <netinet/in.h> /* ntohl */
-
-#define PROGNAME argv[0]
-
-enum ap_op {
- NULL_KEY, /* setup null keys */
- MASTER_KEY, /* use master key as new key */
- RANDOM_KEY /* choose a random key */
-};
-
-struct realm_info {
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_keyblock *key;
-};
-
-static struct realm_info rblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- 0
-};
-
-static int verbose = 0;
-
-static int shortlife = 0;
-
-static krb5_error_code add_principal
- (krb5_context,
- krb5_principal,
- enum ap_op,
- struct realm_info *);
-
-static int v4init (char *, int, char *);
-static krb5_error_code enter_in_v5_db (krb5_context,
- char *, Principal *);
-static krb5_error_code process_v4_dump (krb5_context, char *,
- char *, long);
-static krb5_error_code v4_dump_find_default (krb5_context, char *,
- char *, long *);
-static krb5_error_code fixup_database (krb5_context, char *);
-
-static int create_local_tgt = 0;
-
-static krb5_keyblock master_keyblock;
-static krb5_principal master_princ;
-
-static krb5_data tgt_princ_entries[] = {
- {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
- {0, 0, 0} };
-
-static krb5_data db_creator_entries[] = {
- {0, sizeof("db_creation")-1, "db_creation"} };
-
-/* XXX knows about contents of krb5_principal, and that tgt names
- are of form TGT/REALM at REALM */
-static krb5_principal_data tgt_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- tgt_princ_entries, /* krb5_data *data */
- 2, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-static krb5_principal_data db_create_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- db_creator_entries, /* krb5_data *data */
- 1, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-
-void
-load_v4db(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_error_code retval;
- /* The kdb library will default to this, but it is convenient to
- make it explicit (error reporting and temporary filename generation
- use it). */
- char *dbname = DEFAULT_KDB_FILE;
- char *v4dumpfile = 0;
- char *realm = 0;
- char *mkey_name = 0;
- char *mkey_fullname;
- char *defrealm;
- int v4manual = 0;
- krb5_boolean read_mkey = 0;
- int tempdb = 0;
- char *tempdbname;
- krb5_context context;
- char *stash_file = (char *) NULL;
- int persist, op_ind;
- kadm5_config_params newparams;
- extern kadm5_config_params global_params;
- long exp_time = 0;
- krb5_int32 crflags = KRB5_KDB_CREATE_BTREE;
- krb5_data seed;
-
- retval = kadm5_init_krb5_context(&context);
- if (retval) {
- fprintf(stderr, "%s: Could not initialize krb5 context.\n", PROGNAME);
- return;
- }
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- persist = 1;
- op_ind = 1;
- while (persist && (op_ind < argc)) {
- if (!strcmp(argv[op_ind], "-T")) {
- create_local_tgt = 1;
- }
- else if (!strcmp(argv[op_ind], "-t")) {
- tempdb = 1;
- }
- else if (!strcmp(argv[op_ind], "-K")) {
- read_mkey = 1;
- }
- else if (!strcmp(argv[op_ind], "-v")) {
- verbose = 1;
- }
- else if (!strcmp(argv[op_ind], "-n")) {
- v4manual++;
- }
- else if (!strcmp(argv[op_ind], "-S")) {
- shortlife++;
- }
- else if (!strcmp(argv[op_ind], "-s")) {
- if ((argc - op_ind) >= 1) {
- v4_mkeyfile = argv[op_ind+1];
- op_ind++;
- } else {
- usage();
- }
- }
- else if (!strcmp(argv[op_ind], "-h")) {
- crflags = KRB5_KDB_CREATE_HASH;
- }
- else if ((argc - op_ind) >= 1) {
- v4dumpfile = argv[op_ind];
- op_ind++;
- }
- else
- usage();
- op_ind++;
- }
-
- realm = global_params.realm;
- dbname = global_params.dbname;
- mkey_name = global_params.mkey_name;
- master_keyblock.enctype = global_params.enctype;
- if (global_params.stash_file)
- stash_file = strdup(global_params.stash_file);
- rblock.max_life = global_params.max_life;
- rblock.max_rlife = global_params.max_rlife;
- rblock.expiration = global_params.expiration;
- rblock.flags = global_params.flags;
-
- if (!v4dumpfile) {
- usage();
- krb5_free_context(context);
- return;
- }
-
- if (!krb5_c_valid_enctype(master_keyblock.enctype)) {
- com_err(PROGNAME, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- krb5_free_context(context);
- return;
- }
-
- /* If the user has not requested locking, don't modify an existing database. */
- if (! tempdb) {
- retval = krb5_db_set_name(context, dbname);
- if (retval != ENOENT) {
- fprintf(stderr,
- "%s: The v5 database appears to already exist.\n",
- PROGNAME);
- krb5_free_context(context);
- return;
- }
- tempdbname = dbname;
- } else {
- size_t dbnamelen = strlen(dbname);
- tempdbname = malloc(dbnamelen + 2);
- if (tempdbname == 0) {
- com_err(PROGNAME, ENOMEM, "allocating temporary filename");
- krb5_free_context(context);
- return;
- }
- strcpy(tempdbname, dbname);
- tempdbname[dbnamelen] = '~';
- tempdbname[dbnamelen+1] = 0;
- (void) krb5_db_destroy(context, tempdbname);
- }
-
-
- if (!realm) {
- retval = krb5_get_default_realm(context, &defrealm);
- if (retval) {
- com_err(PROGNAME, retval, "while retrieving default realm name");
- krb5_free_context(context);
- return;
- }
- realm = defrealm;
- }
-
- /* assemble & parse the master key name */
-
- retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
- &mkey_fullname, &master_princ);
- if (retval) {
- com_err(PROGNAME, retval, "while setting up master key name");
- krb5_free_context(context);
- return;
- }
-
- krb5_princ_set_realm_data(context, &db_create_princ, realm);
- krb5_princ_set_realm_length(context, &db_create_princ, strlen(realm));
- krb5_princ_set_realm_data(context, &tgt_princ, realm);
- krb5_princ_set_realm_length(context, &tgt_princ, strlen(realm));
- krb5_princ_component(context, &tgt_princ,1)->data = realm;
- krb5_princ_component(context, &tgt_princ,1)->length = strlen(realm);
-
- printf("Initializing database '%s' for realm '%s',\n\
-master key name '%s'\n",
- dbname, realm, mkey_fullname);
-
- if (read_mkey) {
- puts("You will be prompted for the version 5 database Master Password.");
- puts("It is important that you NOT FORGET this password.");
- fflush(stdout);
- }
-
-
- retval = krb5_db_fetch_mkey(context, master_princ,
- master_keyblock.enctype,
- read_mkey, read_mkey, stash_file, 0,
- &master_keyblock);
- if (retval) {
- com_err(PROGNAME, retval, "while reading master key");
- krb5_free_context(context);
- return;
- }
-
- rblock.key = &master_keyblock;
-
- seed.length = master_keyblock.length;
- seed.data = master_keyblock.contents;
-
- retval = krb5_c_random_seed(context, &seed);
- if (retval) {
- com_err(PROGNAME, retval, "while initializing random key generator");
- krb5_free_context(context);
- return;
- }
-
- retval = krb5_db_create(context, tempdbname, crflags);
- if (retval) {
- com_err(PROGNAME, retval, "while creating %sdatabase '%s'",
- tempdb ? "temporary " : "", tempdbname);
- krb5_free_context(context);
- return;
- }
-
- retval = krb5_db_set_name(context, tempdbname);
- if (retval) {
- (void) krb5_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while setting active database to '%s'",
- tempdbname);
- krb5_free_context(context);
- return;
- }
- if (v4init(PROGNAME, v4manual, v4dumpfile)) {
- (void) krb5_db_destroy(context, tempdbname);
- krb5_free_context(context);
- return;
- }
- if ((retval = krb5_db_init(context)) ||
- (retval = krb5_db_open_database(context))) {
- (void) krb5_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while initializing the database '%s'",
- tempdbname);
- krb5_free_context(context);
- return;
- }
-
- retval = add_principal(context, master_princ, MASTER_KEY, &rblock);
- if (retval) {
- (void) krb5_db_fini(context);
- (void) krb5_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while adding K/M to the database");
- krb5_free_context(context);
- return;
- }
-
- if (create_local_tgt &&
- (retval = add_principal(context, &tgt_princ, RANDOM_KEY, &rblock))) {
- (void) krb5_db_fini(context);
- (void) krb5_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while adding TGT service to the database");
- krb5_free_context(context);
- return;
- }
-
- retval = v4_dump_find_default(context, v4dumpfile, realm, &exp_time);
- if (retval) {
- com_err(PROGNAME, retval, "warning: default entry not found");
- }
-
- retval = process_v4_dump(context, v4dumpfile, realm, exp_time);
- putchar('\n');
- if (retval)
- com_err(PROGNAME, retval, "while translating entries to the database");
- else {
- retval = fixup_database(context, realm);
- }
-
- /* clean up; rename temporary database if there were no errors */
- if (retval == 0) {
- retval = krb5_db_fini (context);
- if (retval)
- com_err(PROGNAME, retval, "while shutting down database");
- else if (tempdb && (retval = krb5_db_rename(context, tempdbname,
- dbname)))
- com_err(PROGNAME, retval, "while renaming temporary database");
- } else {
- (void) krb5_db_fini (context);
- if (tempdb)
- (void) krb5_db_destroy (context, tempdbname);
- }
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
-
- /*
- * Cons up config params for new database; using the global_params
- * is just fine.
- */
- newparams = global_params;
-
- /*
- * Always create the policy db, even if we are not loading a dump
- * file with policy info.
- */
- if (!tempdb && (retval = osa_adb_create_policy_db(&newparams))) {
- com_err(PROGNAME, retval, "while creating policy database");
- kadm5_free_config_params(context, &newparams);
- krb5_free_context(context);
- return;
- }
- /*
- * Create the magic principals in the database.
- */
- retval = kadm5_create_magic_princs(&newparams, context);
- if (retval) {
- com_err(PROGNAME, retval, "while creating KADM5 principals");
- krb5_free_context(context);
- return;
- }
-
- krb5_free_context(context);
- return;
-}
-
-static int
-v4init(pname, manual, dumpfile)
-char *pname;
-int manual;
-char *dumpfile;
-{
- int fd;
- int ok = 0;
-
- if (!manual) {
- fd = open(v4_mkeyfile, O_RDONLY, 0600);
- if (fd >= 0) {
- if (read(fd, master_key, sizeof(master_key)) == sizeof(master_key))
- ok = 1;
- close(fd);
- }
- }
- if (!ok) {
- des_read_password(&master_key, "V4 Kerberos master key", 0);
- printf("\n");
- }
- key_sched(master_key, master_key_schedule);
- return 0;
-}
-
-static krb5_error_code
-enter_in_v5_db(context, realm, princ)
-krb5_context context;
-char *realm;
-Principal *princ;
-{
- krb5_db_entry entry;
- krb5_error_code retval;
- krb5_keyblock v4v5key;
- int nentries = 1;
- des_cblock v4key;
- char *name;
- krb5_timestamp mod_time;
- krb5_principal mod_princ;
- krb5_keysalt keysalt;
-
- /* don't convert local TGT if we created a TGT already.... */
- if (create_local_tgt && !strcmp(princ->name, "krbtgt") &&
- !strcmp(princ->instance, realm)) {
- if (verbose)
- printf("\nignoring local TGT: '%s.%s' ...",
- princ->name, princ->instance);
- return 0;
- }
- if (!strcmp(princ->name, KERB_M_NAME) &&
- !strcmp(princ->instance, KERB_M_INST)) {
- des_cblock key_from_db;
- int val;
-
- /* here's our chance to verify the master key */
- /*
- * use the master key to decrypt the key in the db, had better
- * be the same!
- */
- memcpy(key_from_db, (char *)&princ->key_low, 4);
- memcpy(((char *) key_from_db) + 4, (char *)&princ->key_high, 4);
- pcbc_encrypt((C_Block *) &key_from_db,
- (C_Block *) &key_from_db,
- (long) sizeof(C_Block),
- master_key_schedule,
- (C_Block *) master_key,
- DECRYPT);
- val = memcmp((char *) master_key, (char *) key_from_db,
- sizeof(master_key));
- memset((char *)key_from_db, 0, sizeof(key_from_db));
- if (val) {
- return KRB5_KDB_BADMASTERKEY;
- }
- if (verbose)
- printf("\nignoring '%s.%s' ...", princ->name, princ->instance);
- return 0;
- }
- memset((char *) &entry, 0, sizeof(entry));
- retval = krb5_425_conv_principal(context, princ->name, princ->instance,
- realm, &entry.princ);
- if (retval)
- return retval;
- if (verbose) {
- retval = krb5_unparse_name(context, entry.princ, &name);
- if (retval)
- name = strdup("<not unparsable name!>");
- if (verbose)
- printf("\ntranslating %s...", name);
- free(name);
- }
-
- retval = krb5_build_principal(context, &mod_princ,
- strlen(realm), realm, princ->mod_name,
- princ->mod_instance[0] ?
- princ->mod_instance : NULL,
- NULL);
- if (retval) {
- krb5_free_principal(context, entry.princ);
- return retval;
- }
- mod_time = princ->mod_date;
-
- if (!shortlife)
- entry.max_life = krb_life_to_time(0, princ->max_life);
- else
- entry.max_life = princ->max_life * 60 * 5;
- entry.max_renewable_life = rblock.max_rlife;
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.expiration = princ->exp_date;
- entry.attributes = rblock.flags; /* XXX is there a way to convert
- the old attrs? */
-
- memcpy((char *)v4key, (char *)&(princ->key_low), 4);
- memcpy((char *) (((char *) v4key) + 4), (char *)&(princ->key_high), 4);
- pcbc_encrypt((C_Block *) &v4key,
- (C_Block *) &v4key,
- (long) sizeof(C_Block),
- master_key_schedule,
- (C_Block *) master_key,
- DECRYPT);
-
- v4v5key.magic = KV5M_KEYBLOCK;
- v4v5key.contents = (krb5_octet *)v4key;
- v4v5key.enctype = ENCTYPE_DES_CBC_CRC;
- v4v5key.length = sizeof(v4key);
-
- retval = krb5_dbe_create_key_data(context, &entry);
- if (retval) {
- krb5_free_principal(context, entry.princ);
- krb5_free_principal(context, mod_princ);
- return retval;
- }
-
- keysalt.type = KRB5_KDB_SALTTYPE_V4;
- keysalt.data.length = 0;
- keysalt.data.data = (char *) NULL;
- retval = krb5_dbekd_encrypt_key_data(context, rblock.key,
- &v4v5key, &keysalt,
- princ->key_version,
- &entry.key_data[0]);
- if (!retval)
- retval = krb5_dbe_update_mod_princ_data(context, &entry,
- mod_time, mod_princ);
- if (!retval)
- retval = krb5_dbe_update_last_pwd_change(context, &entry, mod_time);
-
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- krb5_free_principal(context, mod_princ);
- return retval;
- }
- memset((char *)v4key, 0, sizeof(v4key));
-
- retval = krb5_db_put_principal(context, &entry, &nentries);
-
- if (!retval && !strcmp(princ->name, "krbtgt") &&
- strcmp(princ->instance, realm) && princ->instance[0]) {
- krb5_free_principal(context, entry.princ);
- retval = krb5_build_principal(context, &entry.princ,
- strlen(princ->instance),
- princ->instance,
- "krbtgt", realm, NULL);
- if (retval)
- return retval;
- retval = krb5_db_put_principal(context, &entry, &nentries);
- }
-
- krb5_db_free_principal(context, &entry, 1);
- krb5_free_principal(context, mod_princ);
-
- return retval;
-}
-
-static krb5_error_code
-add_principal(context, princ, op, pblock)
-krb5_context context;
-krb5_principal princ;
-enum ap_op op;
-struct realm_info *pblock;
-{
- krb5_db_entry entry;
- krb5_error_code retval;
- krb5_keyblock rkey;
- int nentries = 1;
- krb5_timestamp mod_time;
-
- memset((char *) &entry, 0, sizeof(entry));
- retval = krb5_copy_principal(context, princ, &entry.princ);
- if (retval)
- return(retval);
- entry.max_life = pblock->max_life;
- entry.max_renewable_life = pblock->max_rlife;
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.expiration = pblock->expiration;
-
- retval = krb5_timeofday(context, &mod_time);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- entry.attributes = pblock->flags;
-
- retval = krb5_dbe_create_key_data(context, &entry);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- return(retval);
- }
-
- switch (op) {
- case MASTER_KEY:
- entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- &master_keyblock,
- (krb5_keysalt *) NULL, 1,
- &entry.key_data[0]);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- break;
- case RANDOM_KEY:
- retval = krb5_c_make_random_key(context, pblock->key->enctype,
- &rkey);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- &rkey, (krb5_keysalt *) NULL,
- 1, &entry.key_data[0]);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &rkey);
- break;
- case NULL_KEY:
- return EOPNOTSUPP;
- default:
- break;
- }
-
- retval = krb5_dbe_update_mod_princ_data(context, &entry,
- mod_time, &db_create_princ);
- if (!retval)
- retval = krb5_db_put_principal(context, &entry, &nentries);
- krb5_db_free_principal(context, &entry, 1);
- return retval;
-}
-
-/*
- * Convert a struct tm * to a UNIX time.
- */
-
-
-#define daysinyear(y) (((y) % 4) ? 365 : (((y) % 100) ? 366 : (((y) % 400) ? 365 : 366)))
-
-#define SECSPERDAY 24*60*60
-#define SECSPERHOUR 60*60
-#define SECSPERMIN 60
-
-static int cumdays[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334,
- 365};
-
-static int leapyear[] = {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-static int nonleapyear[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-
-static long
-maketime(tp, local)
-register struct tm *tp;
-int local;
-{
- register long retval;
- int foo;
- int *marray;
-
- if (tp->tm_mon < 0 || tp->tm_mon > 11 ||
- tp->tm_hour < 0 || tp->tm_hour > 23 ||
- tp->tm_min < 0 || tp->tm_min > 59 ||
- tp->tm_sec < 0 || tp->tm_sec > 59) /* out of range */
- return 0;
-
- retval = 0;
- if (tp->tm_year < 1900)
- foo = tp->tm_year + 1900;
- else
- foo = tp->tm_year;
-
- if (foo < 1901 || foo > 2038) /* year is too small/large */
- return 0;
-
- if (daysinyear(foo) == 366) {
- if (tp->tm_mon > 1)
- retval+= SECSPERDAY; /* add leap day */
- marray = leapyear;
- } else
- marray = nonleapyear;
-
- if (tp->tm_mday < 0 || tp->tm_mday > marray[tp->tm_mon])
- return 0; /* out of range */
-
- while (--foo >= 1970)
- retval += daysinyear(foo) * SECSPERDAY;
-
- retval += cumdays[tp->tm_mon] * SECSPERDAY;
- retval += (tp->tm_mday-1) * SECSPERDAY;
- retval += tp->tm_hour * SECSPERHOUR + tp->tm_min * SECSPERMIN + tp->tm_sec;
-
- if (local) {
- /* need to use local time, so we retrieve timezone info */
- struct timezone tz;
- struct timeval tv;
- if (gettimeofday(&tv, &tz) < 0) {
- /* some error--give up? */
- return(retval);
- }
- retval += tz.tz_minuteswest * SECSPERMIN;
- }
- return(retval);
-}
-
-static long
-time_explode(cp)
-register char *cp;
-{
- char wbuf[5];
- struct tm tp;
- int local;
-
- memset((char *)&tp, 0, sizeof(tp));
-
- if (strlen(cp) > 10) { /* new format */
- (void) strncpy(wbuf, cp, 4);
- wbuf[4] = 0;
- tp.tm_year = atoi(wbuf);
- cp += 4; /* step over the year */
- local = 0; /* GMT */
- } else { /* old format: local time,
- year is 2 digits, assuming 19xx */
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = 0;
- tp.tm_year = 1900 + atoi(wbuf);
- local = 1; /* local */
- }
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = 0;
- tp.tm_mon = atoi(wbuf)-1;
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_mday = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_hour = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_min = atoi(wbuf);
-
-
- return(maketime(&tp, local));
-}
-
-static krb5_error_code
-process_v4_dump(context, dumpfile, realm, default_exp_time)
-krb5_context context;
-char *dumpfile;
-char *realm;
-long default_exp_time;
-{
- krb5_error_code retval;
- FILE *input_file;
- Principal aprinc;
- char exp_date_str[50];
- char mod_date_str[50];
- int temp1, temp2, temp3;
-
- input_file = fopen(dumpfile, "r");
- if (!input_file)
- return errno;
-
- for (;;) { /* explicit break on eof from fscanf */
- int nread;
-
- memset((char *)&aprinc, 0, sizeof(aprinc));
- nread = fscanf(input_file,
- "%s %s %d %d %d %hd %lx %lx %s %s %s %s\n",
- aprinc.name,
- aprinc.instance,
- &temp1,
- &temp2,
- &temp3,
- &aprinc.attributes,
- &aprinc.key_low,
- &aprinc.key_high,
- exp_date_str,
- mod_date_str,
- aprinc.mod_name,
- aprinc.mod_instance);
- if (nread != 12) {
- retval = nread == EOF ? 0 : KRB5_KDB_DB_CORRUPT;
- break;
- }
- aprinc.key_low = ntohl (aprinc.key_low);
- aprinc.key_high = ntohl (aprinc.key_high);
- aprinc.max_life = (unsigned char) temp1;
- aprinc.kdc_key_ver = (unsigned char) temp2;
- aprinc.key_version = (unsigned char) temp3;
- aprinc.exp_date = time_explode(exp_date_str);
- if (aprinc.exp_date == default_exp_time)
- aprinc.exp_date = 0;
- aprinc.mod_date = time_explode(mod_date_str);
- if (aprinc.instance[0] == '*')
- aprinc.instance[0] = '\0';
- if (aprinc.mod_name[0] == '*')
- aprinc.mod_name[0] = '\0';
- if (aprinc.mod_instance[0] == '*')
- aprinc.mod_instance[0] = '\0';
- retval = enter_in_v5_db(context, realm, &aprinc);
- if (retval)
- break;
- }
- (void) fclose(input_file);
- return retval;
-}
-
-static krb5_error_code
-v4_dump_find_default(context, dumpfile, realm, exptime)
-krb5_context context;
-char *dumpfile;
-char *realm;
-long *exptime;
-{
- krb5_error_code retval = 0;
- FILE *input_file;
- Principal aprinc;
- char exp_date_str[50];
- char mod_date_str[50];
- int temp1, temp2, temp3;
- long foundtime, guess1, guess2;
-
- /* kdb_init is usually the only thing to touch the time in the
- default entry, and everything else just copies that time. If
- the site hasn't changed it, we can assume that "never" is an
- appropriate value for V5. There have been two values compiled
- in, typically:
-
- MIT V4 had the code
- principal.exp_date = 946702799;
- strncpy(principal.exp_date_txt, "12/31/99", DATE_SZ);
-
- Cygnus CNS V4 had the code
- principal.exp_date = 946702799+((365*10+3)*24*60*60);
- strncpy(principal.exp_date_txt, "12/31/2009", DATE_SZ);
-
- However, the dump files only store minutes -- so these values
- are 59 seconds high.
-
- Other values could be added later, but in practice these are
- likely to be the only ones. */
-
- guess1 = 946702799-59;
- guess2 = 946702799+((365*10+3)*24*60*60);
-
- input_file = fopen(dumpfile, "r");
- if (!input_file)
- return errno;
-
- for (;;) { /* explicit break on eof from fscanf */
- int nread;
-
- memset((char *)&aprinc, 0, sizeof(aprinc));
- nread = fscanf(input_file,
- "%s %s %d %d %d %hd %lx %lx %s %s %s %s\n",
- aprinc.name,
- aprinc.instance,
- &temp1,
- &temp2,
- &temp3,
- &aprinc.attributes,
- &aprinc.key_low,
- &aprinc.key_high,
- exp_date_str,
- mod_date_str,
- aprinc.mod_name,
- aprinc.mod_instance);
- if (nread != 12) {
- retval = nread == EOF ? 0 : KRB5_KDB_DB_CORRUPT;
- break;
- }
- if (!strcmp(aprinc.name, "default")
- && !strcmp(aprinc.instance, "*")) {
- foundtime = time_explode(exp_date_str);
- if (foundtime == guess1 || foundtime == guess2)
- *exptime = foundtime;
- if (verbose) {
- printf("\ndefault expiration found: ");
- if (foundtime == guess1) {
- printf("MIT or pre96q1 value (1999)");
- } else if (foundtime == guess2) {
- printf("Cygnus CNS post 96q1 value (2009)");
- } else {
- printf("non-default start time (%ld,%s)",
- foundtime, exp_date_str);
- }
- }
- break;
- }
- }
- (void) fclose(input_file);
- return retval;
-}
-
-static krb5_error_code fixup_database(context, realm)
- krb5_context context;
- char * realm;
-{
- return 0;
-}
-
-#else /* KRB5_KRB4_COMPAT */
-void
-load_v4db(argc, argv)
- int argc;
- char *argv[];
-{
- printf("This version of kdb5_util does not support the V4 load command.\n");
-}
-#endif /* KRB5_KRB4_COMPAT */
Modified: branches/mkey_migrate/src/kadmin/dbutil/ovload.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/ovload.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/dbutil/ovload.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -131,11 +131,10 @@
goto done;
} else {
if(strcmp(cp, "")) {
- if((rec->policy = (char *) malloc(strlen(cp)+1)) == NULL) {
+ if((rec->policy = strdup(cp)) == NULL) {
ret = ENOMEM;
goto done;
}
- strcpy(rec->policy, cp);
} else rec->policy = NULL;
}
if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
Copied: branches/mkey_migrate/src/kadmin/deps (from rev 21721, trunk/src/kadmin/deps)
Modified: branches/mkey_migrate/src/kadmin/ktutil/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/ktutil/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/ktutil/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,8 +2,7 @@
myfulldir=kadmin/ktutil
mydir=kadmin/ktutil
BUILDTOP=$(REL)..$(S)..
-LOCALINCLUDES = $(KRB4_INCLUDES)
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
+PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
@@ -38,30 +37,3 @@
clean::
$(RM) ktutil
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)ktutil.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SS_DEPS) ktutil.c ktutil.h
-$(OUTPRE)ktutil_ct.$(OBJEXT): $(COM_ERR_DEPS) $(SS_DEPS) \
- ktutil_ct.c
-$(OUTPRE)ktutil_funcs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ktutil.h ktutil_funcs.c
Copied: branches/mkey_migrate/src/kadmin/ktutil/deps (from rev 21721, trunk/src/kadmin/ktutil/deps)
Modified: branches/mkey_migrate/src/kadmin/ktutil/ktutil.c
===================================================================
--- branches/mkey_migrate/src/kadmin/ktutil/ktutil.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/ktutil/ktutil.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -98,7 +98,6 @@
int argc;
char *argv[];
{
-#ifdef KRB5_KRB4_COMPAT
krb5_error_code retval;
if (argc != 2) {
@@ -108,9 +107,6 @@
retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist);
if (retval)
com_err(argv[0], retval, "while reading srvtab \"%s\"", argv[1]);
-#else
- fprintf(stderr, "%s: krb4 support not configured\n", argv[0]);
-#endif
}
void ktutil_write_v5(argc, argv)
@@ -132,19 +128,7 @@
int argc;
char *argv[];
{
-#ifdef KRB5_KRB4_COMPAT
- krb5_error_code retval;
-
- if (argc != 2) {
- fprintf(stderr, "%s: must specify srvtab to write\n", argv[0]);
- return;
- }
- retval = ktutil_write_srvtab(kcontext, ktlist, argv[1]);
- if (retval)
- com_err(argv[0], retval, "while writing srvtab \"%s\"", argv[1]);
-#else
- fprintf(stderr, "%s: krb4 support not configured\n", argv[0]);
-#endif
+ fprintf(stderr, "%s: writing srvtabs is no longer supported\n", argv[0]);
}
void ktutil_add_entry(argc, argv)
Modified: branches/mkey_migrate/src/kadmin/ktutil/ktutil.h
===================================================================
--- branches/mkey_migrate/src/kadmin/ktutil/ktutil.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/ktutil/ktutil.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -49,14 +49,9 @@
krb5_kt_list,
char *);
-#ifdef KRB5_KRB4_COMPAT
krb5_error_code ktutil_read_srvtab (krb5_context,
char *,
krb5_kt_list *);
-krb5_error_code ktutil_write_srvtab (krb5_context,
- krb5_kt_list,
- char *);
-#endif
void ktutil_add_entry (int, char *[]);
Modified: branches/mkey_migrate/src/kadmin/ktutil/ktutil_funcs.c
===================================================================
--- branches/mkey_migrate/src/kadmin/ktutil/ktutil_funcs.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/ktutil/ktutil_funcs.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,10 +28,6 @@
#include "k5-int.h"
#include "ktutil.h"
-#ifdef KRB5_KRB4_COMPAT
-#include "kerberosIV/krb.h"
-#include <stdio.h>
-#endif
#include <string.h>
#include <ctype.h>
@@ -161,7 +157,8 @@
goto cleanup;
}
- sprintf(promptstr, "Password for %.1000s", princ_str);
+ snprintf(promptstr, sizeof(promptstr), "Password for %.1000s",
+ princ_str);
retval = krb5_read_password(context, promptstr, NULL, password.data,
&password.length);
if (retval)
@@ -317,11 +314,11 @@
krb5_keytab kt;
char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];
krb5_error_code retval = 0;
+ int result;
- strcpy(ktname, "WRFILE:");
- if (strlen (name) >= MAXPATHLEN)
+ result = snprintf(ktname, sizeof(ktname), "WRFILE:%s", name);
+ if (SNPRINTF_OVERFLOW(result, sizeof(ktname)))
return ENAMETOOLONG;
- strncat (ktname, name, MAXPATHLEN);
retval = krb5_kt_resolve(context, ktname, &kt);
if (retval)
return retval;
@@ -334,31 +331,7 @@
return retval;
}
-#ifdef KRB5_KRB4_COMPAT
/*
- * getstr() takes a file pointer, a string and a count. It reads from
- * the file until either it has read "count" characters, or until it
- * reads a null byte. When finished, what has been read exists in the
- * given string "s". If "count" characters were actually read, the
- * last is changed to a null, so the returned string is always null-
- * terminated. getstr() returns the number of characters read,
- * including the null terminator.
- */
-
-static int getstr(fp, s, n)
- FILE *fp;
- register char *s;
- int n;
-{
- register int count = n;
- while (fread(s, 1, 1, fp) > 0 && --count)
- if (*s++ == '\0')
- return (n - count);
- *s = '\0';
- return (n - count);
-}
-
-/*
* Read in a named krb4 srvtab and append to list. Allocate new list
* if needed.
*/
@@ -367,190 +340,12 @@
char *name;
krb5_kt_list *list;
{
- krb5_kt_list lp = NULL, tail = NULL, back = NULL;
- krb5_keytab_entry *entry;
- krb5_error_code retval = 0;
- char sname[SNAME_SZ]; /* name of service */
- char sinst[INST_SZ]; /* instance of service */
- char srealm[REALM_SZ]; /* realm of service */
- unsigned char kvno; /* key version number */
- des_cblock key;
- FILE *fp;
+ char *ktname;
+ krb5_error_code result;
- if (*list) {
- /* point lp at the tail of the list */
- for (lp = *list; lp->next; lp = lp->next);
- back = lp;
- }
- fp = fopen(name, "r");
- if (!fp)
- return EIO;
- for (;;) {
- entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
- if (!entry) {
- retval = ENOMEM;
- break;
- }
- memset((char *)entry, 0, sizeof (*entry));
- memset(sname, 0, sizeof (sname));
- memset(sinst, 0, sizeof (sinst));
- memset(srealm, 0, sizeof (srealm));
- if (!(getstr(fp, sname, SNAME_SZ) > 0 &&
- getstr(fp, sinst, INST_SZ) > 0 &&
- getstr(fp, srealm, REALM_SZ) > 0 &&
- fread(&kvno, 1, 1, fp) > 0 &&
- fread((char *)key, sizeof (key), 1, fp) > 0))
- break;
- entry->magic = KV5M_KEYTAB_ENTRY;
- entry->timestamp = 0; /* XXX */
- entry->vno = kvno;
- retval = krb5_425_conv_principal(context,
- sname, sinst, srealm,
- &entry->principal);
- if (retval)
- break;
- entry->key.magic = KV5M_KEYBLOCK;
- entry->key.enctype = ENCTYPE_DES_CBC_CRC;
- entry->key.length = sizeof (key);
- entry->key.contents = (krb5_octet *)malloc(sizeof (key));
- if (!entry->key.contents) {
- retval = ENOMEM;
- break;
- }
- memcpy((char *)entry->key.contents, (char *)key, sizeof (key));
- if (!lp) { /* if list is empty, start one */
- lp = (krb5_kt_list)malloc(sizeof (*lp));
- if (!lp) {
- retval = ENOMEM;
- break;
- }
- } else {
- lp->next = (krb5_kt_list)malloc(sizeof (*lp));
- if (!lp->next) {
- retval = ENOMEM;
- break;
- }
- lp = lp->next;
- }
- lp->next = NULL;
- lp->entry = entry;
- if (!tail)
- tail = lp;
- }
- if (entry) {
- if (entry->magic == KV5M_KEYTAB_ENTRY)
- krb5_kt_free_entry(context, entry);
- free((char *)entry);
- }
- if (retval) {
- ktutil_free_kt_list(context, tail);
- tail = NULL;
- if (back)
- back->next = NULL;
- }
- if (!*list)
- *list = tail;
- fclose(fp);
- return retval;
+ if (asprintf(&ktname, "SRVTAB:%s", name) < 0)
+ return ENOMEM;
+ result = ktutil_read_keytab(context, ktname, list);
+ free(ktname);
+ return result;
}
-
-/*
- * Writes a kt_list out to a krb4 srvtab file. Note that it first
- * prunes the kt_list so that it won't contain any keys that are not
- * the most recent, and ignores keys that are not ENCTYPE_DES.
- */
-krb5_error_code ktutil_write_srvtab(context, list, name)
- krb5_context context;
- krb5_kt_list list;
- char *name;
-{
- krb5_kt_list lp, lp1, prev, pruned = NULL;
- krb5_error_code retval = 0;
- FILE *fp;
- char sname[SNAME_SZ];
- char sinst[INST_SZ];
- char srealm[REALM_SZ];
-
- /* First do heinous stuff to prune the list. */
- for (lp = list; lp; lp = lp->next) {
- if ((lp->entry->key.enctype != ENCTYPE_DES_CBC_CRC) &&
- (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD5) &&
- (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD4) &&
- (lp->entry->key.enctype != ENCTYPE_DES_CBC_RAW))
- continue;
-
- for (lp1 = pruned; lp1; prev = lp1, lp1 = lp1->next) {
- /* Hunt for the current principal in the pruned list */
- if (krb5_principal_compare(context,
- lp->entry->principal,
- lp1->entry->principal))
- break;
- }
- if (!lp1) { /* need to add entry to tail of pruned list */
- if (!pruned) {
- pruned = (krb5_kt_list) malloc(sizeof (*pruned));
- if (!pruned)
- return ENOMEM;
- memset((char *) pruned, 0, sizeof(*pruned));
- lp1 = pruned;
- } else {
- prev->next
- = (krb5_kt_list) malloc(sizeof (*pruned));
- if (!prev->next) {
- retval = ENOMEM;
- goto free_pruned;
- }
- memset((char *) prev->next, 0, sizeof(*pruned));
- lp1 = prev->next;
- }
- lp1->entry = lp->entry;
- } else {
- /* This heuristic should be roughly the same as in the
- keytab-reading code in libkrb5. */
- int offset = 0;
- if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
- offset = 128;
- }
-#define M(X) (((X) + offset) % 256)
- if (M(lp1->entry->vno) < M(lp->entry->vno))
- /* Check if lp->entry is newer kvno; if so, update */
- lp1->entry = lp->entry;
- }
- }
- umask(0077); /*Changing umask for all of ktutil is OK
- * We don't ever write out anything that should use
- * default umask.*/
- fp = fopen(name, "w");
- if (!fp) {
- retval = EIO;
- goto free_pruned;
- }
- for (lp = pruned; lp; lp = lp->next) {
- unsigned char kvno;
- kvno = (unsigned char) lp->entry->vno;
- retval = krb5_524_conv_principal(context,
- lp->entry->principal,
- sname, sinst, srealm);
- if (retval)
- break;
- fwrite(sname, strlen(sname) + 1, 1, fp);
- fwrite(sinst, strlen(sinst) + 1, 1, fp);
- fwrite(srealm, strlen(srealm) + 1, 1, fp);
- fwrite((char *)&kvno, 1, 1, fp);
- fwrite((char *)lp->entry->key.contents,
- sizeof (des_cblock), 1, fp);
- }
- fclose(fp);
- free_pruned:
- /*
- * Loop over and free the pruned list; don't use free_kt_list
- * because that kills the entries.
- */
- for (lp = pruned; lp;) {
- prev = lp;
- lp = lp->next;
- free((char *)prev);
- }
- return retval;
-}
-#endif /* KRB5_KRB4_COMPAT */
Modified: branches/mkey_migrate/src/kadmin/passwd/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/passwd/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/passwd/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,34 +24,3 @@
clean::
$(RM) kpasswd_strings.c kpasswd_strings.h $(PROG) $(OBJS)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)tty_kpasswd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h kpasswd.h \
- kpasswd_strings.h tty_kpasswd.c
-$(OUTPRE)kpasswd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h kpasswd.c \
- kpasswd.h kpasswd_strings.h
-$(OUTPRE)kpasswd_strings.$(OBJEXT): $(COM_ERR_DEPS) \
- kpasswd_strings.c
Copied: branches/mkey_migrate/src/kadmin/passwd/deps (from rev 21721, trunk/src/kadmin/passwd/deps)
Modified: branches/mkey_migrate/src/kadmin/passwd/xm_kpasswd.c
===================================================================
--- branches/mkey_migrate/src/kadmin/passwd/xm_kpasswd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/passwd/xm_kpasswd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -116,7 +116,7 @@
}
if (fmt)
{
- vsprintf(buf + strlen(buf), fmt, args);
+ vsnprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), fmt, args);
}
XtVaSetValues(scroll_text, XmNvalue, buf, NULL);
@@ -321,7 +321,7 @@
XmString xmstr;
char buf[1024];
- sprintf(buf, fmt_string, arg_string);
+ snprintf(buf, sizeof(buf), fmt_string, arg_string);
xmstr = XmStringCreateLtoR(buf, XmSTRING_DEFAULT_CHARSET);
XtVaSetValues(main_lbl, XmNlabelString, xmstr, NULL);
Modified: branches/mkey_migrate/src/kadmin/server/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/server/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -13,8 +13,8 @@
PROG_RPATH=$(KRB5_LIBDIR)
PROG = kadmind
-OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o server_glue_v1.o ipropd_svc.o
-SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c server_glue_v1.c ipropd_svc.c
+OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o server_glue_v1.o ipropd_svc.o network.o
+SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c server_glue_v1.c ipropd_svc.c network.c
all:: $(PROG)
@@ -27,127 +27,3 @@
clean::
$(RM) $(PROG) $(OBJS)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kadm_rpc_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h kadm_rpc_svc.c misc.h
-$(OUTPRE)server_stubs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/kadm5/server_acl.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h misc.h \
- server_stubs.c
-$(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_acl.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \
- $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_gssapi.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_kt.h $(SRCTOP)/include/kdb_log.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/gssapi/generic/gssapiP_generic.h \
- $(SRCTOP)/lib/gssapi/generic/gssapi_generic.h $(SRCTOP)/lib/gssapi/krb5/gssapiP_krb5.h \
- misc.h ovsec_kadmd.c
-$(OUTPRE)schpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h misc.h schpw.c
-$(OUTPRE)misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h misc.c misc.h
-$(OUTPRE)server_glue_v1.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h misc.h \
- server_glue_v1.c
-$(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/lib/kadm5/srv/server_acl.h ipropd_svc.c misc.h
Deleted: branches/mkey_migrate/src/kadmin/server/acls.l
===================================================================
--- branches/mkey_migrate/src/kadmin/server/acls.l 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/acls.l 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,190 +0,0 @@
-%{
-/*
- * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Id$
- * $Source$
- *
- * $Log$
- * Revision 1.3 1996/07/22 20:28:49 marc
- * this commit includes all the changes on the OV_9510_INTEGRATION and
- * OV_MERGE branches. This includes, but is not limited to, the new openvision
- * admin system, and major changes to gssapi to add functionality, and bring
- * the implementation in line with rfc1964. before committing, the
- * code was built and tested for netbsd and solaris.
- *
- * Revision 1.2.4.1 1996/07/18 03:03:31 marc
- * merged in changes from OV_9510_BP to OV_9510_FINAL1
- *
- * Revision 1.2.2.1 1996/06/20 21:56:31 marc
- * File added to the repository on a branch
- *
- * Revision 1.2 1993/11/05 07:47:46 bjaspan
- * add and use cmp_gss_names, fix regexp bug
- *
- * Revision 1.1 1993/11/05 07:08:48 bjaspan
- * Initial revision
- *
- */
-
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header$";
-#endif
-
-enum tokens {
- NEWLINE = 257,
- COMMA,
- SEMI,
-
- GET = 300,
- ADD,
- MODIFY,
- DELETE,
-
- ID = 350,
-};
-
-typedef union {
- char *s;
-} toktype;
-
-toktype tokval;
-int acl_lineno = 0;
-
-%}
-
-%%
-
-\n acl_lineno++;
-[ \t]* ;
-[ ]*#.* ;
-"," return (COMMA);
-";" return (SEMI);
-"get" return (GET);
-"add" return (ADD);
-"modify" return (MODIFY);
-"delete" return (DELETE);
-^[^ \t\n]+ { tokval.s = yytext; return (ID); }
-
-%%
-
-#include <string.h>
-#include <syslog.h>
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_krb5.h>
-#include <ovsec_admin/admin.h>
-
-typedef struct _entry {
- gss_name_t gss_name;
- char *name;
- u_int privs;
- struct _entry *next;
-} acl_entry;
-
-static acl_entry *acl_head = NULL;
-
-static void error(char *msg);
-
-int parse_aclfile(FILE *acl_file)
-{
- OM_uint32 gssstat, minor_stat;
- gss_buffer_desc in_buf;
- acl_entry *entry;
- enum tokens tok;
-
- yyin = acl_file;
-
- acl_lineno = 1;
- while ((tok = yylex()) != 0) {
- if (tok != ID) {
- error("expected identifier");
- goto error;
- }
-
- entry = (acl_entry *) malloc(sizeof(acl_entry));
- if (entry == NULL) {
- error("out of memory");
- goto error;
- }
- entry->name = strdup(tokval.s);
- entry->privs = 0;
- while (1) {
- switch (tok = yylex()) {
- case GET:
- entry->privs |= OVSEC_KADM_PRIV_GET;
- break;
- case ADD:
- entry->privs |= OVSEC_KADM_PRIV_ADD;
- break;
- case MODIFY:
- entry->privs |= OVSEC_KADM_PRIV_MODIFY;
- break;
- case DELETE:
- entry->privs |= OVSEC_KADM_PRIV_DELETE;
- break;
- default:
- error("expected privilege");
- goto error;
- }
- tok = yylex();
- if (tok == COMMA)
- continue;
- else if (tok == SEMI)
- break;
- else {
- error("expected comma or semicolon");
- goto error;
- }
- }
-
- in_buf.value = entry->name;
- in_buf.length = strlen(entry->name) + 1;
- gssstat = gss_import_name(&minor_stat, &in_buf,
- gss_nt_krb5_name, &entry->gss_name);
- if (gssstat != GSS_S_COMPLETE) {
- error("invalid name");
- goto error;
- }
-
- if (acl_head == NULL) {
- entry->next = NULL;
- acl_head = entry;
- } else {
- entry->next = acl_head;
- acl_head = entry;
- }
- }
- return 0;
-
-error:
- return 1;
-}
-
-int acl_check(gss_name_t caller, int priv)
-{
- acl_entry *entry;
-
- entry = acl_head;
- while (entry) {
- if (cmp_gss_names(entry->gss_name, caller) && entry->privs & priv)
- return 1;
- entry = entry->next;
- }
- return 0;
-}
-
-int cmp_gss_names(gss_name_t name1, gss_name_t name2)
-{
- OM_uint32 minor_stat;
- int eq;
- (void) gss_compare_name(&minor_stat, name1, name2, &eq);
- return eq;
-}
-
-static void error(char *msg)
-{
- syslog(LOG_ERR, "Error while parsing acl file, line %d: %s\n",
- acl_lineno, msg);
-}
-
-yywrap() { return(1); }
Copied: branches/mkey_migrate/src/kadmin/server/deps (from rev 21721, trunk/src/kadmin/server/deps)
Modified: branches/mkey_migrate/src/kadmin/server/ipropd_svc.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/ipropd_svc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/ipropd_svc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -31,16 +31,15 @@
extern gss_name_t rqst2name(struct svc_req *rqstp);
-extern int setup_gss_names(struct svc_req *, gss_buffer_desc *,
- gss_buffer_desc *);
-extern char *client_addr(struct svc_req *, char *);
extern void *global_server_handle;
extern int nofork;
extern short l_port;
static char abuf[33];
-char *client_addr(struct svc_req *svc, char *buf) {
- return strcpy(buf, inet_ntoa(svc->rq_xprt->xp_raddr.sin_addr));
+/* Result is stored in a static buffer and is invalidated by the next call. */
+static const char *client_addr(struct svc_req *svc) {
+ strlcpy(abuf, inet_ntoa(svc->rq_xprt->xp_raddr.sin_addr), sizeof(abuf));
+ return abuf;
}
static char *reply_ok_str = "UPDATE_OK";
@@ -51,10 +50,8 @@
static char *reply_perm_str = "UPDATE_PERM_DENIED";
static char *reply_unknown_str = "<UNKNOWN_CODE>";
-#define LOG_UNAUTH _("Unauthorized request: %s, %s, " \
- "client=%s, service=%s, addr=%s")
-#define LOG_DONE _("Request: %s, %s, %s, client=%s, " \
- "service=%s, addr=%s")
+#define LOG_UNAUTH _("Unauthorized request: %s, client=%s, service=%s, addr=%s")
+#define LOG_DONE _("Request: %s, %s, %s, client=%s, service=%s, addr=%s")
#ifdef DPRINT
#undef DPRINT
@@ -182,8 +179,8 @@
ret.ret = UPDATE_PERM_DENIED;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,
- "<null>", client_name, service_name,
- client_addr(rqstp, abuf));
+ client_name, service_name,
+ client_addr(rqstp));
goto out;
}
@@ -202,11 +199,13 @@
(unsigned long)arg->last_sno);
}
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, whoami,
+ krb5_klog_syslog(LOG_NOTICE,
+ _("Request: %s, %s, %s, client=%s, service=%s, addr=%s"),
+ whoami,
obuf,
((kret == 0) ? "success" : error_message(kret)),
client_name, service_name,
- client_addr(rqstp, abuf));
+ client_addr(rqstp));
out:
if (nofork)
@@ -222,16 +221,15 @@
* Return arg cl str ptr on success, else NULL.
*/
static char *
-getclhoststr(char *clprinc, char *cl, int len)
+getclhoststr(char *clprinc, char *cl, size_t len)
{
char *s;
if ((s = strchr(clprinc, '/')) != NULL) {
/* XXX "!++s"? */
if (!++s)
return NULL;
- if (strlen(s) >= len)
+ if (strlcpy(cl, s, len) >= len)
return NULL;
- strcpy(cl, s);
/* XXX Copy with @REALM first, with bounds check, then
chop off the realm?? */
if ((s = strchr(cl, '@')) != NULL) {
@@ -301,8 +299,8 @@
ret.ret = UPDATE_PERM_DENIED;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,
- "<null>", client_name, service_name,
- client_addr(rqstp, abuf));
+ client_name, service_name,
+ client_addr(rqstp));
goto out;
}
@@ -327,8 +325,8 @@
* note the -i; modified version of kdb5_util dump format
* to include sno (serial number)
*/
- if (asprintf(&ubuf, "%s dump -i %s", KPROPD_DEFAULT_KDB5_UTIL,
- tmpf) < 0) {
+ if (asprintf(&ubuf, "%s dump -i %s </dev/null 2>&1",
+ KPROPD_DEFAULT_KDB5_UTIL, tmpf) < 0) {
krb5_klog_syslog(LOG_ERR,
_("%s: cannot construct kdb5 util dump string too long; out of memory"),
whoami);
@@ -403,11 +401,11 @@
ret.lastentry.last_time.seconds = 0;
ret.lastentry.last_time.useconds = 0;
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, whoami,
- "<null>",
- "success",
+ krb5_klog_syslog(LOG_NOTICE,
+ _("Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"),
+ whoami, fret,
client_name, service_name,
- client_addr(rqstp, abuf));
+ client_addr(rqstp));
goto out;
}
@@ -601,12 +599,10 @@
if (ret = kadm5_get_master(context, realm, &host))
return (ret);
- name = malloc(strlen(KIPROP_SVC_NAME)+ strlen(host) + 2);
- if (name == NULL) {
+ if (asprintf(&name, "%s@%s", KIPROP_SVC_NAME, host) < 0) {
free(host);
return (ENOMEM);
}
- (void) sprintf(name, "%s@%s", KIPROP_SVC_NAME, host);
free(host);
*host_service_name = name;
Modified: branches/mkey_migrate/src/kadmin/server/kadm_rpc_svc.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/kadm_rpc_svc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/kadm_rpc_svc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,8 +25,6 @@
static int check_rpcsec_auth(struct svc_req *);
-void log_badauth(OM_uint32 major, OM_uint32 minor,
- struct sockaddr_in *addr, char *data);
/*
* Function: kadm_1
*
Modified: branches/mkey_migrate/src/kadmin/server/misc.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/misc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/misc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -6,6 +6,7 @@
#include <k5-int.h>
#include <kdb.h>
#include <kadm5/server_internal.h>
+#include <kadm5/server_acl.h>
#include "misc.h"
/*
@@ -95,19 +96,61 @@
}
kadm5_ret_t
-schpw_util_wrapper(void *server_handle, krb5_principal princ,
+schpw_util_wrapper(void *server_handle,
+ krb5_principal client,
+ krb5_principal target,
+ krb5_boolean initial_flag,
char *new_pw, char **ret_pw,
char *msg_ret, unsigned int msg_len)
{
- kadm5_ret_t ret;
+ kadm5_ret_t ret;
+ kadm5_server_handle_t handle = server_handle;
+ krb5_boolean access_granted;
+ krb5_boolean self;
- ret = check_min_life(server_handle, princ, msg_ret, msg_len);
- if (ret)
- return ret;
+ /*
+ * If no target is explicitly provided, then the target principal
+ * is the client principal.
+ */
+ if (target == NULL)
+ target = client;
- return kadm5_chpass_principal_util(server_handle, princ,
- new_pw, ret_pw,
- msg_ret, msg_len);
+ /*
+ * A principal can always change its own password, as long as it
+ * has an initial ticket and meets the minimum password lifetime
+ * requirement.
+ */
+ self = krb5_principal_compare(handle->context, client, target);
+ if (self) {
+ ret = check_min_life(server_handle, target, msg_ret, msg_len);
+ if (ret != 0)
+ return ret;
+
+ access_granted = initial_flag;
+ } else
+ access_granted = FALSE;
+
+ if (!access_granted &&
+ kadm5int_acl_check_krb(handle->context, client,
+ ACL_CHANGEPW, target, NULL)) {
+ /*
+ * Otherwise, principals with appropriate privileges can change
+ * any password
+ */
+ access_granted = TRUE;
+ }
+
+ if (access_granted) {
+ ret = kadm5_chpass_principal_util(server_handle,
+ target,
+ new_pw, ret_pw,
+ msg_ret, msg_len);
+ } else {
+ ret = KADM5_AUTH_CHANGEPW;
+ strlcpy(msg_ret, "Unauthorized request", msg_len);
+ }
+
+ return ret;
}
kadm5_ret_t
Modified: branches/mkey_migrate/src/kadmin/server/misc.h
===================================================================
--- branches/mkey_migrate/src/kadmin/server/misc.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/misc.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3,6 +3,23 @@
*
*/
+#ifndef _MISC_H
+#define _MISC_H 1
+
+typedef struct _krb5_fulladdr {
+ krb5_address * address;
+ krb5_ui_4 port;
+} krb5_fulladdr;
+
+void
+log_badauth(OM_uint32 major, OM_uint32 minor,
+ struct sockaddr_in *addr, char *data);
+
+int
+setup_gss_names(struct svc_req *, gss_buffer_desc *,
+ gss_buffer_desc *);
+
+
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
krb5_principal principal,
@@ -20,7 +37,8 @@
krb5_keyblock **keys, int *n_keys);
kadm5_ret_t
-schpw_util_wrapper(void *server_handle, krb5_principal princ,
+schpw_util_wrapper(void *server_handle, krb5_principal client,
+ krb5_principal target, krb5_boolean initial_flag,
char *new_pw, char **ret_pw,
char *msg_ret, unsigned int msg_len);
@@ -37,17 +55,43 @@
krb5_error_code process_chpw_request(krb5_context context,
void *server_handle,
- char *realm, int s,
+ char *realm,
krb5_keytab keytab,
- struct sockaddr_in *sockin,
+ krb5_fulladdr *local_faddr,
+ krb5_fulladdr *remote_faddr,
krb5_data *req, krb5_data *rep);
-#ifdef SVC_GETARGS
-void kadm_1(struct svc_req *, SVCXPRT *);
-#endif
+void kadm_1(struct svc_req *, SVCXPRT *);
+void krb5_iprop_prog_1(struct svc_req *, SVCXPRT *);
void trunc_name(size_t *len, char **dots);
int
gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name,
krb5_principal *princ, gss_buffer_t gss_str);
+
+
+extern volatile int signal_request_exit;
+extern volatile int signal_request_hup;
+
+void reset_db(void);
+
+void log_badauth(OM_uint32 major, OM_uint32 minor,
+ struct sockaddr_in *addr, char *data);
+
+/* network.c */
+krb5_error_code setup_network(void *handle, const char *prog);
+krb5_error_code listen_and_process(void *handle, const char *prog);
+krb5_error_code closedown_network(void *handle, const char *prog);
+
+
+void
+krb5_iprop_prog_1(struct svc_req *rqstp, SVCXPRT *transp);
+
+kadm5_ret_t
+kiprop_get_adm_host_srv_name(krb5_context,
+ const char *,
+ char **);
+
+
+#endif /* _MISC_H */
Copied: branches/mkey_migrate/src/kadmin/server/network.c (from rev 21721, trunk/src/kadmin/server/network.c)
Modified: branches/mkey_migrate/src/kadmin/server/ovsec_kadmd.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/ovsec_kadmd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/ovsec_kadmd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -77,7 +77,6 @@
void request_hup(int);
void reset_db(void);
void sig_pipe(int);
-void kadm_svc_run(kadm5_config_params *params);
#ifdef POSIX_SIGNALS
static struct sigaction s_action;
@@ -124,12 +123,6 @@
void kadm5_set_use_password_server (void);
#endif
-extern void krb5_iprop_prog_1();
-extern kadm5_ret_t kiprop_get_adm_host_srv_name(
- krb5_context,
- const char *,
- char **);
-
/*
* Function: usage
*
@@ -215,15 +208,12 @@
int main(int argc, char *argv[])
{
- register SVCXPRT *transp, *iproptransp;
extern char *optarg;
extern int optind, opterr;
int ret, oldnames = 0;
OM_uint32 OMret, major_status, minor_status;
char *whoami;
gss_buffer_desc in_buf;
- struct sockaddr_in addr;
- int s;
auth_gssapi_name names[4];
gss_buffer_desc gssbuf;
gss_OID nt_krb5_name_oid;
@@ -231,8 +221,8 @@
char **db_args = NULL;
int db_args_size = 0;
char *errmsg;
+ int i;
- char *kiprop_name = NULL; /* iprop svc name */
kdb_log_context *log_ctx;
setvbuf(stderr, NULL, _IONBF, 0);
@@ -359,238 +349,17 @@
exit(1);
}
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = INADDR_ANY;
- addr.sin_port = htons(params.kadmind_port);
-
- if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- const char *e_txt;
- ret = SOCKET_ERRNO;
- e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "Cannot create TCP socket: %s",
- e_txt);
- fprintf(stderr, "Cannot create TCP socket: %s",
- e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- set_cloexec_fd(s);
-
- if ((schpw = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- const char *e_txt;
- ret = SOCKET_ERRNO;
- e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR,
- "cannot create simple chpw socket: %s",
- e_txt);
- fprintf(stderr, "Cannot create simple chpw socket: %s",
- e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- set_cloexec_fd(schpw);
-
-#ifndef DISABLE_IPROP
- if ((ipropfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- const char *e_txt;
- ret = SOCKET_ERRNO;
- e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR,
- "cannot create iprop listening socket: %s",
- e_txt);
- fprintf(stderr, "cannot create iprop listening socket: %s",
- e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- set_cloexec_fd(ipropfd);
-#endif
-
-#ifdef SO_REUSEADDR
- /* the old admin server turned on SO_REUSEADDR for non-default
- port numbers. this was necessary, on solaris, for the tests
- to work. jhawk argues that the debug and production modes
- should be the same. I think I agree, so I'm always going to set
- SO_REUSEADDR. The other option is to have the unit tests wait
- until the port is useable, or use a different port each time.
- --marc */
-
- {
- int allowed;
-
- allowed = 1;
- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
- (char *) &allowed, sizeof(allowed)) < 0 ||
- setsockopt(schpw, SOL_SOCKET, SO_REUSEADDR,
- (char *) &allowed, sizeof(allowed)) < 0
-#ifndef DISABLE_IPROP
- || setsockopt(ipropfd, SOL_SOCKET, SO_REUSEADDR,
- (char *) &allowed, sizeof(allowed)) < 0
-#endif
- ) {
- const char *e_txt;
- ret = SOCKET_ERRNO;
- e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "Cannot set SO_REUSEADDR: %s",
- e_txt);
- fprintf(stderr, "Cannot set SO_REUSEADDR: %s", e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- }
-#endif /* SO_REUSEADDR */
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = INADDR_ANY;
- addr.sin_port = htons(params.kadmind_port);
-
- if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
- int oerrno = errno;
- const char *e_txt = krb5_get_error_message (context, errno);
- fprintf(stderr, "%s: Cannot bind socket.\n", whoami);
- fprintf(stderr, "bind: %s\n", e_txt);
- errno = oerrno;
- krb5_klog_syslog(LOG_ERR, "Cannot bind socket: %s", e_txt);
- if(oerrno == EADDRINUSE) {
- char *w = strrchr(whoami, '/');
- if (w) {
- w++;
- }
- else {
- w = whoami;
- }
- fprintf(stderr,
-"This probably means that another %s process is already\n"
-"running, or that another program is using the server port (number %d)\n"
-"after being assigned it by the RPC portmap daemon. If another\n"
-"%s is already running, you should kill it before\n"
-"restarting the server. If, on the other hand, another program is\n"
-"using the server port, you should kill it before running\n"
-"%s, and ensure that the conflict does not occur in the\n"
-"future by making sure that %s is started on reboot\n"
- "before portmap.\n", w, ntohs(addr.sin_port), w, w, w);
- krb5_klog_syslog(LOG_ERR, "Check for already-running %s or for "
- "another process using port %d", w,
- htons(addr.sin_port));
- }
+ if ((ret = setup_network(global_server_handle, whoami))) {
+ const char *e_txt = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network, aborting",
+ whoami, e_txt);
+ fprintf(stderr, "%s: %s while initializing network, aborting\n",
+ whoami, e_txt);
kadm5_destroy(global_server_handle);
krb5_klog_close(context);
exit(1);
}
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = INADDR_ANY;
- /* XXX */
- addr.sin_port = htons(params.kpasswd_port);
-
- if (bind(schpw, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
- char portbuf[32];
- int oerrno = errno;
- const char *e_txt = krb5_get_error_message (context, errno);
- fprintf(stderr, "%s: Cannot bind socket.\n", whoami);
- fprintf(stderr, "bind: %s\n", e_txt);
- errno = oerrno;
- snprintf(portbuf, sizeof(portbuf), "%d", ntohs(addr.sin_port));
- krb5_klog_syslog(LOG_ERR, "cannot bind simple chpw socket: %s",
- e_txt);
- if(oerrno == EADDRINUSE) {
- char *w = strrchr(whoami, '/');
- if (w) {
- w++;
- }
- else {
- w = whoami;
- }
- fprintf(stderr,
-"This probably means that another %s process is already\n"
-"running, or that another program is using the server port (number %d).\n"
-"If another %s is already running, you should kill it before\n"
-"restarting the server.\n",
- w, ntohs(addr.sin_port), w);
- }
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
-#ifndef DISABLE_IPROP
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = INADDR_ANY;
- addr.sin_port = htons(params.iprop_port);
- if (bind(ipropfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
- char portbuf[32];
- int oerrno = errno;
- const char *e_txt = krb5_get_error_message (context, errno);
- fprintf(stderr, "%s: Cannot bind socket.\n", whoami);
- fprintf(stderr, "bind: %s\n", e_txt);
- errno = oerrno;
- snprintf(portbuf, sizeof(portbuf), "%d", ntohs(addr.sin_port));
- krb5_klog_syslog(LOG_ERR, "cannot bind iprop socket: %s",
- e_txt);
- if(oerrno == EADDRINUSE) {
- char *w = strrchr(whoami, '/');
- if (w) {
- w++;
- }
- else {
- w = whoami;
- }
- fprintf(stderr,
-"This probably means that another %s process is already\n"
-"running, or that another program is using the server port (number %d).\n"
-"If another %s is already running, you should kill it before\n"
-"restarting the server.\n",
- w, ntohs(addr.sin_port), w);
- }
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-#endif
-
- transp = svctcp_create(s, 0, 0);
- if(transp == NULL) {
- fprintf(stderr, "%s: Cannot create RPC service.\n", whoami);
- krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %m");
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- if(!svc_register(transp, KADM, KADMVERS, kadm_1, 0)) {
- fprintf(stderr, "%s: Cannot register RPC service.\n", whoami);
- krb5_klog_syslog(LOG_ERR, "Cannot register RPC service, failing.");
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
-#ifndef DISABLE_IPROP
- iproptransp = svctcp_create(ipropfd, 0, 0);
- if (iproptransp == NULL) {
- fprintf(stderr, "%s: Cannot create RPC service.\n", whoami);
- krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %m");
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- if (!svc_register(iproptransp, KRB5_IPROP_PROG, KRB5_IPROP_VERS, krb5_iprop_prog_1, IPPROTO_TCP)) {
- fprintf(stderr, "%s: Cannot register RPC service.\n", whoami);
- krb5_klog_syslog(LOG_ERR, "Cannot register RPC service, continuing.");
-#if 0
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
-#endif
- }
-#endif
-
names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
names[2].name = build_princ_name(OVSEC_KADM_ADMIN_SERVICE, params.realm);
@@ -833,13 +602,13 @@
if (nofork)
fprintf(stderr, "%s: starting...\n", whoami);
- kadm_svc_run(¶ms);
+ listen_and_process(global_server_handle, whoami);
krb5_klog_syslog(LOG_INFO, "finished, exiting");
/* Clean up memory, etc */
svcauth_gssapi_unset_names();
kadm5_destroy(global_server_handle);
- close(s);
+ closedown_network(global_server_handle, whoami);
kadm5int_acl_finish(context, 0);
if(gss_changepw_name) {
(void) gss_release_name(&OMret, &gss_changepw_name);
@@ -847,9 +616,9 @@
if(gss_oldchangepw_name) {
(void) gss_release_name(&OMret, &gss_oldchangepw_name);
}
- for(s = 0 ; s < 4; s++) {
- if (names[s].name) {
- free(names[s].name);
+ for(i = 0 ; i < 4; i++) {
+ if (names[i].name) {
+ free(names[i].name);
}
}
@@ -911,69 +680,7 @@
#endif /* POSIX_SIGNALS */
}
-/*
- * Function: kadm_svc_run
- *
- * Purpose: modified version of sunrpc svc_run.
- * which closes the database every TIMEOUT seconds.
- *
- * Arguments:
- * Requires:
- * Effects:
- * Modifies:
- */
-
-void kadm_svc_run(params)
-kadm5_config_params *params;
-{
- fd_set rfd;
- struct timeval timeout;
-
- while(signal_request_exit == 0) {
- if (signal_request_hup) {
- reset_db();
- krb5_klog_reopen(context);
- signal_request_hup = 0;
- }
#ifdef PURIFY
- if (signal_pure_report) /* check to see if a report */
- /* should be dumped... */
- {
- purify_new_reports();
- signal_pure_report = 0;
- }
- if (signal_pure_clear) /* ...before checking whether */
- /* the info should be cleared. */
- {
- purify_clear_new_reports();
- signal_pure_clear = 0;
- }
-#endif /* PURIFY */
- timeout.tv_sec = TIMEOUT;
- timeout.tv_usec = 0;
- rfd = svc_fdset;
- FD_SET(schpw, &rfd);
-#define max(a, b) (((a) > (b)) ? (a) : (b))
- switch(select(max(schpw, svc_maxfd) + 1,
- (fd_set *) &rfd, NULL, NULL, &timeout)) {
- case -1:
- if(errno == EINTR)
- continue;
- perror("select");
- return;
- case 0:
- reset_db();
- break;
- default:
- if (FD_ISSET(schpw, &rfd))
- do_schpw(schpw, params);
- else
- svc_getreqset(&rfd);
- }
- }
-}
-
-#ifdef PURIFY
/*
* Function: request_pure_report
*
@@ -1344,99 +1051,3 @@
}
}
-void do_schpw(int s1, kadm5_config_params *params)
-{
- krb5_error_code ret;
- /* XXX buffer = ethernet mtu */
- char req[1500];
- int len;
- struct sockaddr_in from;
- socklen_t fromlen;
- krb5_keytab kt;
- krb5_data reqdata, repdata;
- int s2;
-
- fromlen = sizeof(from);
- if ((len = recvfrom(s1, req, sizeof(req), 0, (struct sockaddr *)&from,
- &fromlen)) < 0) {
- krb5_klog_syslog(LOG_ERR, "chpw: Couldn't receive request: %s",
- krb5_get_error_message (context, errno));
- return;
- }
-
- if ((ret = krb5_kt_resolve(context, "KDB:", &kt))) {
- krb5_klog_syslog(LOG_ERR, "chpw: Couldn't open admin keytab %s",
- krb5_get_error_message (context, ret));
- return;
- }
-
- reqdata.length = len;
- reqdata.data = req;
-
- /* this is really obscure. s1 is used for all communications. it
- is left unconnected in case the server is multihomed and routes
- are asymmetric. s2 is connected to resolve routes and get
- addresses. this is the *only* way to get proper addresses for
- multihomed hosts if routing is asymmetric.
-
- A related problem in the server, but not the client, is that
- many os's have no way to disconnect a connected udp socket, so
- the s2 socket needs to be closed and recreated for each
- request. The s1 socket must not be closed, or else queued
- requests will be lost.
-
- A "naive" client implementation (one socket, no connect,
- hostname resolution to get the local ip addr) will work and
- interoperate if the client is single-homed. */
-
- if ((s2 = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- const char *errmsg = krb5_get_error_message (context, errno);
- krb5_klog_syslog(LOG_ERR, "cannot create connecting socket: %s",
- errmsg);
- fprintf(stderr, "Cannot create connecting socket: %s",
- errmsg);
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
- set_cloexec_fd(s2);
-
- if (connect(s2, (struct sockaddr *) &from, sizeof(from)) < 0) {
- krb5_klog_syslog(LOG_ERR, "chpw: Couldn't connect to client: %s",
- krb5_get_error_message (context, errno));
- goto cleanup;
- }
-
- if ((ret = process_chpw_request(context, global_server_handle,
- params->realm, s2, kt, &from,
- &reqdata, &repdata))) {
- krb5_klog_syslog(LOG_ERR, "chpw: Error processing request: %s",
- krb5_get_error_message (context, ret));
- }
-
- close(s2);
-
- if (repdata.length == 0) {
- /* just return. This means something really bad happened */
- goto cleanup;
- }
-
- len = sendto(s1, repdata.data, (int) repdata.length, 0,
- (struct sockaddr *) &from, sizeof(from));
-
- if (len < (int) repdata.length) {
- krb5_xfree(repdata.data);
-
- krb5_klog_syslog(LOG_ERR, "chpw: Error sending reply: %s",
- krb5_get_error_message (context, errno));
- goto cleanup;
- }
-
- krb5_xfree(repdata.data);
-
-cleanup:
- krb5_kt_close(context, kt);
-
- return;
-}
Modified: branches/mkey_migrate/src/kadmin/server/schpw.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/schpw.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/schpw.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -11,37 +11,40 @@
#define GETSOCKNAME_ARG3_TYPE int
#endif
+#define RFC3244_VERSION 0xff80
+
krb5_error_code
-process_chpw_request(context, server_handle, realm, s, keytab, sockin,
- req, rep)
+process_chpw_request(context, server_handle, realm, keytab,
+ local_faddr, remote_faddr, req, rep)
krb5_context context;
void *server_handle;
char *realm;
- int s;
krb5_keytab keytab;
- struct sockaddr_in *sockin;
+ krb5_fulladdr *local_faddr;
+ krb5_fulladdr *remote_faddr;
krb5_data *req;
krb5_data *rep;
{
krb5_error_code ret;
char *ptr;
int plen, vno;
- krb5_address local_kaddr, remote_kaddr;
- int allocated_mem = 0;
krb5_data ap_req, ap_rep;
krb5_auth_context auth_context;
krb5_principal changepw;
+ krb5_principal client, target = NULL;
krb5_ticket *ticket;
krb5_data cipher, clear;
- struct sockaddr local_addr, remote_addr;
- GETSOCKNAME_ARG3_TYPE addrlen;
krb5_replay_data replay;
krb5_error krberror;
int numresult;
char strresult[1024];
- char *clientstr;
+ char *clientstr = NULL, *targetstr = NULL;
size_t clen;
char *cdots;
+ struct sockaddr_storage ss;
+ socklen_t salen;
+ char addrbuf[100];
+ krb5_address *addr = remote_faddr->address;
ret = 0;
rep->length = 0;
@@ -58,7 +61,7 @@
or the caller passed in garbage */
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
- strcpy(strresult, "Request was truncated");
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
goto chpwfail;
}
@@ -77,7 +80,7 @@
vno = (*ptr++ & 0xff) ;
vno = (vno<<8) | (*ptr++ & 0xff);
- if (vno != 1) {
+ if (vno != 1 && vno != RFC3244_VERSION) {
ret = KRB5KDC_ERR_BAD_PVNO;
numresult = KRB5_KPASSWD_BAD_VERSION;
snprintf(strresult, sizeof(strresult),
@@ -93,7 +96,8 @@
if (ptr + ap_req.length >= req->data + req->length) {
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
- strcpy(strresult, "Request was truncated in AP-REQ");
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
goto chpwfail;
}
@@ -105,7 +109,8 @@
ret = krb5_auth_con_init(context, &auth_context);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed initializing auth context");
+ strlcpy(strresult, "Failed initializing auth context",
+ sizeof(strresult));
goto chpwfail;
}
@@ -113,7 +118,8 @@
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed initializing auth context");
+ strlcpy(strresult, "Failed initializing auth context",
+ sizeof(strresult));
goto chpwfail;
}
@@ -121,7 +127,8 @@
"kadmin", "changepw", NULL);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed building kadmin/changepw principal");
+ strlcpy(strresult, "Failed building kadmin/changepw principal",
+ sizeof(strresult));
goto chpwfail;
}
@@ -130,63 +137,11 @@
if (ret) {
numresult = KRB5_KPASSWD_AUTHERROR;
- strcpy(strresult, "Failed reading application request");
+ strlcpy(strresult, "Failed reading application request",
+ sizeof(strresult));
goto chpwfail;
}
- /* set up address info */
-
- addrlen = sizeof(local_addr);
-
- if (getsockname(s, &local_addr, &addrlen) < 0) {
- ret = errno;
- numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed getting server internet address");
- goto chpwfail;
- }
-
- /* some brain-dead OS's don't return useful information from
- * the getsockname call. Namely, windows and solaris. */
-
- if (((struct sockaddr_in *)&local_addr)->sin_addr.s_addr != 0) {
- local_kaddr.addrtype = ADDRTYPE_INET;
- local_kaddr.length =
- sizeof(((struct sockaddr_in *) &local_addr)->sin_addr);
- local_kaddr.contents =
- (krb5_octet *) &(((struct sockaddr_in *) &local_addr)->sin_addr);
- } else {
- krb5_address **addrs;
-
- krb5_os_localaddr(context, &addrs);
- local_kaddr.magic = addrs[0]->magic;
- local_kaddr.addrtype = addrs[0]->addrtype;
- local_kaddr.length = addrs[0]->length;
- local_kaddr.contents = malloc(addrs[0]->length);
- memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
- allocated_mem++;
-
- krb5_free_addresses(context, addrs);
- }
-
- addrlen = sizeof(remote_addr);
-
- if (getpeername(s, &remote_addr, &addrlen) < 0) {
- ret = errno;
- numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed getting client internet address");
- goto chpwfail;
- }
-
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length =
- sizeof(((struct sockaddr_in *) &remote_addr)->sin_addr);
- remote_kaddr.contents =
- (krb5_octet *) &(((struct sockaddr_in *) &remote_addr)->sin_addr);
-
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(sockin->sin_addr);
- remote_kaddr.contents = (krb5_octet *) &sockin->sin_addr;
-
/* mk_priv requires that the local address be set.
getsockname is used for this. rd_priv requires that the
remote address be set. recvfrom is used for this. If
@@ -202,31 +157,25 @@
is specified. Are we having fun yet? */
ret = krb5_auth_con_setaddrs(context, auth_context, NULL,
- &remote_kaddr);
+ remote_faddr->address);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed storing client internet address");
+ strlcpy(strresult, "Failed storing client internet address",
+ sizeof(strresult));
goto chpwfail;
}
- /* verify that this is an AS_REQ ticket */
-
- if (!(ticket->enc_part2->flags & TKT_FLG_INITIAL)) {
- numresult = KRB5_KPASSWD_AUTHERROR;
- strcpy(strresult, "Ticket must be derived from a password");
- goto chpwfail;
- }
-
/* construct the ap-rep */
ret = krb5_mk_rep(context, auth_context, &ap_rep);
if (ret) {
numresult = KRB5_KPASSWD_AUTHERROR;
- strcpy(strresult, "Failed replying to application request");
+ strlcpy(strresult, "Failed replying to application request",
+ sizeof(strresult));
goto chpwfail;
}
- /* decrypt the new password */
+ /* decrypt the ChangePasswdData */
cipher.length = (req->data + req->length) - ptr;
cipher.data = ptr;
@@ -234,23 +183,66 @@
ret = krb5_rd_priv(context, auth_context, &cipher, &clear, &replay);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed decrypting request");
+ strlcpy(strresult, "Failed decrypting request", sizeof(strresult));
goto chpwfail;
}
- ret = krb5_unparse_name(context, ticket->enc_part2->client, &clientstr);
+ client = ticket->enc_part2->client;
+
+ /* decode ChangePasswdData for setpw requests */
+ if (vno == RFC3244_VERSION) {
+ krb5_data *clear_data;
+
+ ret = decode_krb5_setpw_req(&clear, &clear_data, &target);
+ if (ret != 0) {
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Failed decoding ChangePasswdData",
+ sizeof(strresult));
+ goto chpwfail;
+ }
+
+ memset(clear.data, 0, clear.length);
+ free(clear.data);
+
+ clear = *clear_data;
+ free(clear_data);
+
+ if (target != NULL) {
+ ret = krb5_unparse_name(context, target, &targetstr);
+ if (ret != 0) {
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed unparsing target name for log",
+ sizeof(strresult));
+ goto chpwfail;
+ }
+ }
+ }
+
+ ret = krb5_unparse_name(context, client, &clientstr);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed unparsing client name for log");
+ strlcpy(strresult, "Failed unparsing client name for log",
+ sizeof(strresult));
goto chpwfail;
}
+
+ /* for cpw, verify that this is an AS_REQ ticket */
+ if (vno == 1 &&
+ (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
+ numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ strlcpy(strresult, "Ticket must be derived from a password",
+ sizeof(strresult));
+ goto chpwfail;
+ }
+
/* change the password */
ptr = (char *) malloc(clear.length+1);
memcpy(ptr, clear.data, clear.length);
ptr[clear.length] = '\0';
- ret = schpw_util_wrapper(server_handle, ticket->enc_part2->client,
+ ret = schpw_util_wrapper(server_handle, client, target,
+ (ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0,
ptr, NULL, strresult, sizeof(strresult));
/* zap the password */
@@ -262,28 +254,86 @@
clen = strlen(clientstr);
trunc_name(&clen, &cdots);
- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
- inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
- (int) clen, clientstr, cdots,
- ret ? krb5_get_error_message (context, ret) : "success");
- krb5_free_unparsed_name(context, clientstr);
- if (ret) {
- if ((ret != KADM5_PASS_Q_TOOSHORT) &&
- (ret != KADM5_PASS_REUSE) && (ret != KADM5_PASS_Q_CLASS) &&
- (ret != KADM5_PASS_Q_DICT) && (ret != KADM5_PASS_TOOSOON))
- numresult = KRB5_KPASSWD_HARDERROR;
- else
- numresult = KRB5_KPASSWD_SOFTERROR;
- /* strresult set by kadb5_chpass_principal_util() */
- goto chpwfail;
+ switch (addr->addrtype) {
+ case ADDRTYPE_INET: {
+ struct sockaddr_in *sin = ss2sin(&ss);
+
+ sin->sin_family = AF_INET;
+ memcpy(&sin->sin_addr, addr->contents, addr->length);
+ sin->sin_port = htons(remote_faddr->port);
+ salen = sizeof(*sin);
+ break;
}
+ case ADDRTYPE_INET6: {
+ struct sockaddr_in6 *sin6 = ss2sin6(&ss);
- /* success! */
+ sin6->sin6_family = AF_INET6;
+ memcpy(&sin6->sin6_addr, addr->contents, addr->length);
+ sin6->sin6_port = htons(remote_faddr->port);
+ salen = sizeof(*sin6);
+ break;
+ }
+ default: {
+ struct sockaddr *sa = ss2sa(&ss);
- numresult = KRB5_KPASSWD_SUCCESS;
- strcpy(strresult, "");
+ sa->sa_family = AF_UNSPEC;
+ salen = sizeof(*sa);
+ break;
+ }
+ }
+ if (getnameinfo(ss2sa(&ss), salen,
+ addrbuf, sizeof(addrbuf), NULL, 0,
+ NI_NUMERICHOST | NI_NUMERICSERV) != 0)
+ strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
+
+ if (vno == RFC3244_VERSION) {
+ size_t tlen;
+ char *tdots;
+ const char *targetp;
+
+ if (target == NULL) {
+ tlen = clen;
+ tdots = cdots;
+ targetp = targetstr;
+ } else {
+ tlen = strlen(targetstr);
+ trunc_name(&tlen, &tdots);
+ targetp = clientstr;
+ }
+
+ krb5_klog_syslog(LOG_NOTICE, "setpw request from %s by %.*s%s for %.*s%s: %s",
+ addrbuf,
+ (int) clen, clientstr, cdots,
+ (int) tlen, targetp, tdots,
+ ret ? krb5_get_error_message (context, ret) : "success");
+ } else {
+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ addrbuf,
+ (int) clen, clientstr, cdots,
+ ret ? krb5_get_error_message (context, ret) : "success");
+ }
+ switch (ret) {
+ case KADM5_AUTH_CHANGEPW:
+ numresult = KRB5_KPASSWD_ACCESSDENIED;
+ break;
+ case KADM5_PASS_Q_TOOSHORT:
+ case KADM5_PASS_REUSE:
+ case KADM5_PASS_Q_CLASS:
+ case KADM5_PASS_Q_DICT:
+ case KADM5_PASS_TOOSOON:
+ numresult = KRB5_KPASSWD_HARDERROR;
+ break;
+ case 0:
+ numresult = KRB5_KPASSWD_SUCCESS;
+ strlcpy(strresult, "", sizeof(strresult));
+ break;
+ default:
+ numresult = KRB5_KPASSWD_SOFTERROR;
+ break;
+ }
+
chpwfail:
clear.length = 2 + strlen(strresult);
@@ -299,18 +349,20 @@
cipher.length = 0;
if (ap_rep.length) {
- ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr,
- NULL);
+ ret = krb5_auth_con_setaddrs(context, auth_context,
+ local_faddr->address, NULL);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult,
- "Failed storing client and server internet addresses");
+ strlcpy(strresult,
+ "Failed storing client and server internet addresses",
+ sizeof(strresult));
} else {
ret = krb5_mk_priv(context, auth_context, &clear, &cipher,
&replay);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
- strcpy(strresult, "Failed encrypting reply");
+ strlcpy(strresult, "Failed encrypting reply",
+ sizeof(strresult));
}
}
}
@@ -409,8 +461,12 @@
krb5_xfree(clear.data);
if (cipher.length)
krb5_xfree(cipher.data);
- if (allocated_mem)
- krb5_xfree(local_kaddr.contents);
+ if (target)
+ krb5_free_principal(context, target);
+ if (targetstr)
+ krb5_free_unparsed_name(context, targetstr);
+ if (clientstr)
+ krb5_free_unparsed_name(context, clientstr);
return(ret);
}
Modified: branches/mkey_migrate/src/kadmin/server/server_stubs.c
===================================================================
--- branches/mkey_migrate/src/kadmin/server/server_stubs.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/server/server_stubs.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -110,6 +110,8 @@
{
kadm5_server_handle_t handle;
+ *out_handle = NULL;
+
if (! (handle = (kadm5_server_handle_t)
malloc(sizeof(*handle))))
return ENOMEM;
@@ -137,6 +139,8 @@
*/
static void free_server_handle(kadm5_server_handle_t handle)
{
+ if (!handle)
+ return;
krb5_free_principal(handle->context, handle->current_caller);
free(handle);
}
@@ -303,17 +307,15 @@
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -338,22 +340,23 @@
ret.code = kadm5_create_principal((void *)handle,
&arg->rec, arg->mask,
arg->passwd);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
- log_done("kadm5_create_principal", prime_arg, errmsg,
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_create_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -366,17 +369,15 @@
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -403,21 +404,22 @@
arg->n_ks_tuple,
arg->ks_tuple,
arg->passwd);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_create_principal", prime_arg, errmsg,
+ log_done("kadm5_create_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
+
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -430,17 +432,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -461,22 +461,23 @@
&client_name, &service_name, rqstp);
} else {
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_delete_principal", prime_arg, errmsg,
+ log_done("kadm5_delete_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
}
free(prime_arg);
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
- exit_func:
+exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -490,17 +491,15 @@
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -522,21 +521,21 @@
} else {
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
arg->mask);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_modify_principal", prime_arg, errmsg,
+ log_done("kadm5_modify_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -551,7 +550,7 @@
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
- const char *errmsg;
+ const char *errmsg = NULL;
size_t tlen1, tlen2, clen, slen;
char *tdots1, *tdots2, *cdots, *sdots;
@@ -560,10 +559,8 @@
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -612,10 +609,8 @@
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
/* okay to cast lengths to int because trunc_name limits max value */
krb5_klog_syslog(LOG_NOTICE,
@@ -623,17 +618,22 @@
"%.*s%s to %.*s%s, %s, "
"client=%.*s%s, service=%.*s%s, addr=%s",
(int)tlen1, prime_arg1, tdots1,
- (int)tlen2, prime_arg2, tdots2, errmsg,
+ (int)tlen2, prime_arg2, tdots2,
+ errmsg ? errmsg : "success",
(int)clen, (char *)client_name.value, cdots,
(int)slen, (char *)service_name.value, sdots,
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
}
- free_server_handle(handle);
free(prime_arg1);
free(prime_arg2);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -647,17 +647,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_gprinc_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -696,20 +694,20 @@
arg->mask);
}
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done(funcname, prime_arg, errmsg,
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -722,17 +720,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_gprincs_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -756,19 +752,21 @@
ret.code = kadm5_get_principals((void *)handle,
arg->exp, &ret.princs,
&ret.count);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_get_principals", prime_arg, errmsg,
+ log_done("kadm5_get_principals", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -781,17 +779,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -818,21 +814,23 @@
ret.code = KADM5_AUTH_CHANGEPW;
}
- if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if (ret.code != KADM5_AUTH_CHANGEPW) {
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_chpass_principal", prime_arg, errmsg,
+ log_done("kadm5_chpass_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -845,17 +843,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -889,20 +885,22 @@
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_chpass_principal", prime_arg, errmsg,
+ log_done("kadm5_chpass_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -915,17 +913,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -950,20 +946,22 @@
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setv4key_principal", prime_arg, errmsg,
+ log_done("kadm5_setv4key_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -976,17 +974,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1011,20 +1007,22 @@
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setkey_principal", prime_arg, errmsg,
+ log_done("kadm5_setkey_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1037,17 +1035,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1075,20 +1071,22 @@
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setkey_principal", prime_arg, errmsg,
+ log_done("kadm5_setkey_principal", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1103,7 +1101,7 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_chrand_ret, &ret);
@@ -1111,10 +1109,8 @@
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1123,7 +1119,6 @@
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
- free_server_handle(handle);
goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
@@ -1156,19 +1151,20 @@
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done(funcname, prime_arg, errmsg,
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1183,17 +1179,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_chrand_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1202,7 +1196,6 @@
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
- free_server_handle(handle);
goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
@@ -1241,19 +1234,20 @@
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done(funcname, prime_arg, errmsg,
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1266,17 +1260,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1296,19 +1288,21 @@
} else {
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
arg->mask);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
log_done("kadm5_create_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1321,17 +1315,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1349,19 +1341,21 @@
ret.code = KADM5_AUTH_DELETE;
} else {
ret.code = kadm5_delete_policy((void *)handle, arg->name);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
log_done("kadm5_delete_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1374,17 +1368,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1403,19 +1395,21 @@
} else {
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
arg->mask);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
log_done("kadm5_modify_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1431,17 +1425,15 @@
kadm5_policy_ent_t e;
kadm5_principal_ent_rec caller_ent;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_gpol_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1487,22 +1479,24 @@
&ret.rec);
}
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
log_done(funcname,
- ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
} else {
log_unauth(funcname, prime_arg,
&client_name, &service_name, rqstp);
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1516,17 +1510,15 @@
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_gpols_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1548,18 +1540,20 @@
ret.code = kadm5_get_policies((void *)handle,
arg->exp, &ret.pols,
&ret.count);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_get_policies", prime_arg, errmsg,
+ log_done("kadm5_get_policies", prime_arg,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
- free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1569,17 +1563,15 @@
gss_buffer_desc client_name, service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
- const char *errmsg;
+ const char *errmsg = NULL;
xdr_free(xdr_getprivs_ret, &ret);
if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
goto exit_func;
- if ((ret.code = check_handle((void *)handle))) {
- free_server_handle(handle);
+ if ((ret.code = check_handle((void *)handle)))
goto exit_func;
- }
ret.api_version = handle->api_version;
@@ -1589,18 +1581,20 @@
}
ret.code = kadm5_get_privs((void *)handle, &ret.privs);
- if( ret.code == 0 )
- errmsg = "success";
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_get_privs", client_name.value, errmsg,
+ log_done("kadm5_get_privs", client_name.value,
+ errmsg ? errmsg : "success",
&client_name, &service_name, rqstp);
- free_server_handle(handle);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ free_server_handle(handle);
return &ret;
}
@@ -1611,7 +1605,7 @@
service_name;
kadm5_server_handle_t handle;
OM_uint32 minor_stat;
- const char *errmsg = NULL;
+ const char *errmsg = NULL;
size_t clen, slen;
char *cdots, *sdots;
@@ -1632,8 +1626,6 @@
if (ret.code != 0)
errmsg = krb5_get_error_message(NULL, ret.code);
- else
- errmsg = "success";
clen = client_name.length;
trunc_name(&clen, &cdots);
@@ -1644,11 +1636,14 @@
"client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
(ret.api_version == KADM5_API_VERSION_1 ?
"kadm5_init (V1)" : "kadm5_init"),
- (int)clen, (char *)client_name.value, cdots, errmsg,
(int)clen, (char *)client_name.value, cdots,
+ errmsg ? errmsg : "success",
+ (int)clen, (char *)client_name.value, cdots,
(int)slen, (char *)service_name.value, sdots,
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
rqstp->rq_cred.oa_flavor);
+ if (errmsg != NULL)
+ krb5_free_error_message(NULL, errmsg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
Modified: branches/mkey_migrate/src/kadmin/testing/util/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kadmin/testing/util/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/testing/util/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -42,34 +42,3 @@
clean::
$(RM) $(CLNTPROG) $(SRVPROG)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)tcl_ovsec_kadm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/lib/kdb/adb_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h tcl_kadm5.h tcl_ovsec_kadm.c
-$(OUTPRE)tcl_kadm5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/lib/kdb/adb_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h tcl_kadm5.c tcl_kadm5.h
-$(OUTPRE)test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- tcl_kadm5.h test.c
Copied: branches/mkey_migrate/src/kadmin/testing/util/deps (from rev 21721, trunk/src/kadmin/testing/util/deps)
Modified: branches/mkey_migrate/src/kadmin/testing/util/tcl_kadm5.c
===================================================================
--- branches/mkey_migrate/src/kadmin/testing/util/tcl_kadm5.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kadmin/testing/util/tcl_kadm5.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -961,8 +961,7 @@
retcode = TCL_ERROR;
goto finished;
}
- tl->tl_data_contents = (krb5_octet *) malloc(tmp+1);
- strcpy((char *) tl->tl_data_contents, argv1[2]);
+ tl->tl_data_contents = (krb5_octet *) strdup(argv1[2]);
Tcl_Free((char *) argv1);
argv1 = NULL;
Deleted: branches/mkey_migrate/src/kdc/.saberinit
===================================================================
--- branches/mkey_migrate/src/kdc/.saberinit 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/.saberinit 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,35 +0,0 @@
-suppress 223
-suppress 285
-suppress 33 on v4_klog
-suppress 34 on v4_klog
-suppress 36 on sendto
-suppress 35
-suppress 287 on usage
-suppress 287 on sin
-suppress 349 on krb_err_txt
-suppress 349 on krbONE
-suppress 349 on _ctype_
-suppress 340
-suppress 341
-suppress 346
-suppress 226 on error
-load -G main.o kdc5_err.o kdc_util.o network.o policy.o -I../include
-load -G do_as_req.o do_tgs_req.o extern.o -I../include
-make SRCS=dispatch.c saber
-load -G kerberos_v4.c -DBACKWARD_COMPAT -DVARARGS -I../include/kerberosIV -I../include -I../include/stdc-incl
-cd /site/Don/krb5/kdc
-load -G ../lib/kdb/libkdb.a ../lib/libkrb5.a
-load -G ../lib/des/libdes.a ../lib/os-4.3/libos.a ../lib/crc-32/libcrc32.a
-load -G /mit/isode/isode-6.0/@sys/lib/libisode.a
-load -G -lkrb -ldes -lcom_err
-setopt load_flags -I/mit/krb5/vax-cc/include
-link
-unload /site/Don/krb5/lib/kdb/libkdb.a(decrypt_key.o)
-cd /site/Don/krb5/lib/kdb
-make SRCS=decrypt_key.c saber
-unload /site/Don/krb5/lib/des/libdes.a(enc_dec.o)
-unload /site/Don/krb5/lib/des/libdes.a(new_rn_key.o)
-cd /site/Don/krb5/lib/des
-make SRCS=enc_dec.c saber
-make SRCS=new_rn_key.c saber
-run
Modified: branches/mkey_migrate/src/kdc/Makefile.in
===================================================================
--- branches/mkey_migrate/src/kdc/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -12,15 +12,13 @@
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
KDB5_LIB_DEPS=$(DL_LIB) $(THREAD_LINKOPTS)
PROG_RPATH=$(KRB5_LIBDIR)
-FAKEKA=@FAKEKA@
DEFS=-DLIBDIR=\"$(KRB5_LIBDIR)\"
-EXTRADEPSRCS= fakeka.c
-all:: krb5kdc rtest $(FAKEKA)
+all:: krb5kdc rtest
# DEFINES = -DBACKWARD_COMPAT $(KRB4DEF)
-LOCALINCLUDES = @KRB4_INCLUDES@ -I.
+LOCALINCLUDES = -I.
SRCS= \
kdc5_err.c \
$(srcdir)/dispatch.c \
@@ -33,8 +31,7 @@
$(srcdir)/policy.c \
$(srcdir)/extern.c \
$(srcdir)/replay.c \
- $(srcdir)/kdc_authdata.c \
- $(srcdir)/kerberos_v4.c
+ $(srcdir)/kdc_authdata.c
OBJS= \
kdc5_err.o \
@@ -48,8 +45,7 @@
policy.o \
extern.o \
replay.o \
- kdc_authdata.o \
- kerberos_v4.o
+ kdc_authdata.o
RT_OBJS= rtest.o \
kdc_util.o \
@@ -64,15 +60,12 @@
kdc5_err.o: kdc5_err.h
-krb5kdc: $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o krb5kdc $(OBJS) $(KADMSRV_LIBS) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
+krb5kdc: $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
+ $(CC_LINK) -o krb5kdc $(OBJS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
rtest: $(RT_OBJS) $(KDB5_DEPLIBS) $(KADM_COMM_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o rtest $(RT_OBJS) $(KDB5_LIBS) $(KADM_COMM_LIBS) $(KRB5_BASE_LIBS)
-fakeka: fakeka.o $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o fakeka fakeka.o $(KADMSRV_LIBS) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
-
check-unix:: rtest
KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) $(srcdir)/rtscript > test.out
@@ -82,163 +75,7 @@
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
$(INSTALL_DATA) $(srcdir)/krb5kdc.M ${DESTDIR}$(SERVER_MANDIR)/krb5kdc.8
- f=$(FAKEKA); \
- if test -n "$$f" ; then \
- $(INSTALL_PROGRAM) $$f ${DESTDIR}$(SERVER_BINDIR)/$$f; \
- $(INSTALL_DATA) $(srcdir)/fakeka.M ${DESTDIR}$(SERVER_MANDIR)/fakeka.8; \
- fi
clean::
- $(RM) kdc5_err.h kdc5_err.c krb5kdc rtest.o rtest fakeka.o fakeka
+ $(RM) kdc5_err.h kdc5_err.c krb5kdc rtest.o rtest
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdc5_err.$(OBJEXT): $(COM_ERR_DEPS) kdc5_err.c
-$(OUTPRE)dispatch.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dispatch.c extern.h \
- kdc_util.h
-$(OUTPRE)do_as_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
- $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h do_as_req.c extern.h \
- kdc_util.h policy.h
-$(OUTPRE)do_tgs_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h do_tgs_req.c extern.h \
- kdc_util.h policy.h
-$(OUTPRE)kdc_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
- $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h extern.h kdc_util.c \
- kdc_util.h
-$(OUTPRE)kdc_preauth.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h extern.h kdc_preauth.c \
- kdc_util.h
-$(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
- $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_kt.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- extern.h kdc5_err.h kdc_util.h main.c
-$(OUTPRE)network.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/cm.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/foreachaddr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h extern.h kdc5_err.h \
- kdc_util.h network.c
-$(OUTPRE)policy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdc_util.h policy.c
-$(OUTPRE)extern.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h extern.c extern.h
-$(OUTPRE)replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h extern.h kdc_util.h \
- replay.c
-$(OUTPRE)kdc_authdata.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- extern.h kdc_authdata.c kdc_util.h
-$(OUTPRE)kerberos_v4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/krb_db.h \
- $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- extern.h kdc_util.h kerberos_v4.c
-$(OUTPRE)fakeka.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- fakeka.c
Copied: branches/mkey_migrate/src/kdc/deps (from rev 21721, trunk/src/kdc/deps)
Modified: branches/mkey_migrate/src/kdc/dispatch.c
===================================================================
--- branches/mkey_migrate/src/kdc/dispatch.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/dispatch.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -99,10 +99,6 @@
krb5_free_kdc_req(kdc_context, as_req);
}
}
-#ifdef KRB5_KRB4_COMPAT
- else if (pkt->data[0] == 4) /* old version */
- retval = process_v4(pkt, from, response);
-#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef NOCACHE
Modified: branches/mkey_migrate/src/kdc/do_as_req.c
===================================================================
--- branches/mkey_migrate/src/kdc/do_as_req.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/do_as_req.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
* kdc/do_as_req.c
*
* Portions Copyright (C) 2007 Apple Inc.
- * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -27,6 +27,33 @@
*
* KDC Routines to deal with AS_REQ's
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "com_err.h"
@@ -56,7 +83,8 @@
#endif /* APPLE_PKINIT */
static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *,
- krb5_data **, const char *);
+ krb5_principal, krb5_data **,
+ const char *);
/*ARGSUSED*/
krb5_error_code
@@ -73,23 +101,21 @@
krb5_boolean more;
krb5_timestamp kdc_time, authtime;
krb5_keyblock session_key;
- krb5_keyblock encrypting_key;
const char *status;
- krb5_key_data *server_key, *client_key;
+ krb5_key_data *server_key, *client_key;
+ krb5_keyblock server_keyblock, client_keyblock;
krb5_keyblock *tmp_mkey;
krb5_enctype useenctype;
-#ifdef KRBCONF_KDC_MODIFIES_KDB
krb5_boolean update_client = 0;
-#endif /* KRBCONF_KDC_MODIFIES_KDB */
krb5_data e_data;
register int i;
krb5_timestamp until, rtime;
char *cname = 0, *sname = 0;
- const char *fromstring = 0;
- char ktypestr[128];
- char rep_etypestr[128];
- char fromstringbuf[70];
+ unsigned int c_flags = 0, s_flags = 0;
+ krb5_principal_data client_princ;
void *pa_context = NULL;
+ int did_log = 0;
+ const char *emsg = 0;
#if APPLE_PKINIT
asReqDebug("process_as_req top realm %s name %s\n",
@@ -98,20 +124,14 @@
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
- encrypting_key.contents = 0;
+ server_keyblock.contents = NULL;
+ client_keyblock.contents = NULL;
reply.padata = 0;
+ memset(&reply, 0, sizeof(reply));
+
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
- ktypes2str(ktypestr, sizeof(ktypestr),
- request->nktypes, request->ktype);
-
- fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
- from->address->contents,
- fromstringbuf, sizeof(fromstringbuf));
- if (!fromstring)
- fromstring = "<unknown>";
-
if (!request->client) {
status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -133,13 +153,33 @@
}
limit_string(sname);
+ /*
+ * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
+ * to the backend to return naming information in lieu
+ * of cross realm TGS entries.
+ */
+ setflag(c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
+ /*
+ * Note that according to the referrals draft we should
+ * always canonicalize enterprise principal names.
+ */
+ if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) ||
+ krb5_princ_type(kdc_context,
+ request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
+ if (include_pac_p(kdc_context, request)) {
+ setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
+ }
c_nprincs = 1;
- if ((errcode = get_principal(kdc_context, request->client,
- &client, &c_nprincs, &more))) {
+ if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client,
+ c_flags, &client, &c_nprincs,
+ &more))) {
status = "LOOKING_UP_CLIENT";
c_nprincs = 0;
goto errout;
}
+
if (more) {
status = "NON-UNIQUE_CLIENT";
errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
@@ -153,12 +193,40 @@
#endif
goto errout;
}
-
+
+ /*
+ * If the backend returned a principal that is not in the local
+ * realm, then we need to refer the client to that realm.
+ */
+ if (!is_local_principal(client.princ)) {
+ /* Entry is a referral to another realm */
+ status = "REFERRAL";
+ errcode = KRB5KDC_ERR_WRONG_REALM;
+ goto errout;
+ }
+
+#if 0
+ /*
+ * Turn off canonicalization if client is marked DES only
+ * (unless enterprise principal name was requested)
+ */
+ if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
+ krb5_princ_type(kdc_context,
+ request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
+#endif
+
+ s_flags = 0;
+ if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
+ setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
s_nprincs = 1;
- if ((errcode = get_principal(kdc_context, request->server, &server,
- &s_nprincs, &more))) {
- status = "LOOKING_UP_SERVER";
- goto errout;
+ if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server,
+ s_flags, &server,
+ &s_nprincs, &more))) {
+ status = "LOOKING_UP_SERVER";
+ goto errout;
}
if (more) {
status = "NON-UNIQUE_SERVER";
@@ -174,9 +242,10 @@
status = "TIMEOFDAY";
goto errout;
}
+ authtime = kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(request, client, server,
- kdc_time, &status))) {
+ kdc_time, &status))) {
if (!status)
status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
@@ -201,9 +270,22 @@
goto errout;
}
- ticket_reply.server = request->server;
+ /*
+ * Canonicalization is only effective if we are issuing a TGT
+ * (the intention is to allow support for Windows "short" realm
+ * aliases, nothing more).
+ */
+ if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
+ krb5_is_tgs_principal(request->server) &&
+ krb5_is_tgs_principal(server.princ)) {
+ ticket_reply.server = server.princ;
+ } else {
+ ticket_reply.server = request->server;
+ }
enc_tkt_reply.flags = 0;
+ enc_tkt_reply.times.authtime = authtime;
+
setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
/* It should be noted that local policy may affect the */
@@ -220,12 +302,17 @@
setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
enc_tkt_reply.session = &session_key;
- enc_tkt_reply.client = request->client;
+ if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+ client_princ = *(client.princ);
+ } else {
+ client_princ = *(request->client);
+ /* The realm is always canonicalized */
+ client_princ.realm = *(krb5_princ_realm(context, client.princ));
+ }
+ enc_tkt_reply.client = &client_princ;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
- enc_tkt_reply.times.authtime = kdc_time;
-
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
@@ -281,6 +368,9 @@
errcode = check_padata(kdc_context, &client, req_pkt, request,
&enc_tkt_reply, &pa_context, &e_data);
if (errcode) {
+ if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
+ get_preauth_hint_list(request, &client, &server, &e_data);
+
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
* Note: this doesn't work if you're using slave servers!!!
@@ -294,8 +384,8 @@
}
}
client.last_failed = kdc_time;
+#endif
update_client = 1;
-#endif
status = "PREAUTH_FAILED";
#ifdef KRBCONF_VAGUE_ERRORS
errcode = KRB5KRB_ERR_GENERIC;
@@ -316,9 +406,10 @@
goto errout;
}
- errcode = handle_authdata(kdc_context, &client, req_pkt, request, &enc_tkt_reply);
- if (errcode) {
- krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode);
+ if ((errcode = validate_forwardable(request, client, server,
+ kdc_time, &status))) {
+ errcode += ERROR_TABLE_BASE_krb5;
+ goto errout;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
@@ -343,21 +434,13 @@
/* convert server.key into a real key (it may be encrypted
in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
- server_key, &encrypting_key,
+ /* server_keyblock is later used to generate auth data signatures */
+ server_key, &server_keyblock,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto errout;
}
- errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
- encrypting_key.contents = 0;
- if (errcode) {
- status = "ENCRYPTING_TICKET";
- goto errout;
- }
- ticket_reply.enc_part.kvno = server_key->key_data_kvno;
-
/*
* Find the appropriate client key. We search in the order specified
* by request keytype list.
@@ -386,16 +469,16 @@
/* convert client.key_data into a real key */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
- client_key, &encrypting_key,
+ client_key, &client_keyblock,
NULL))) {
status = "DECRYPT_CLIENT_KEY";
goto errout;
}
- encrypting_key.enctype = useenctype;
+ client_keyblock.enctype = useenctype;
/* Start assembling the response */
reply.msg_type = KRB5_AS_REP;
- reply.client = request->client;
+ reply.client = enc_tkt_reply.client; /* post canonicalization */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
@@ -413,10 +496,12 @@
reply_encpart.times.authtime = authtime = kdc_time;
reply_encpart.caddrs = enc_tkt_reply.caddrs;
+ reply_encpart.enc_padata = NULL;
- /* Fetch the padata info to be returned */
+ /* Fetch the padata info to be returned (do this before
+ authdata to handle possible replacement of reply key */
errcode = return_padata(kdc_context, &client, req_pkt, request,
- &reply, client_key, &encrypting_key, &pa_context);
+ &reply, client_key, &client_keyblock, &pa_context);
if (errcode) {
status = "KDC_RETURN_PADATA";
goto errout;
@@ -427,16 +512,45 @@
reply.client->realm.data, reply.client->data->data);
#endif /* APPLE_PKINIT */
+ errcode = return_svr_referral_data(kdc_context,
+ &server, &reply_encpart);
+ if (errcode) {
+ status = "KDC_RETURN_ENC_PADATA";
+ goto errout;
+ }
+
+ errcode = handle_authdata(kdc_context,
+ c_flags,
+ &client,
+ &server,
+ &server,
+ &client_keyblock,
+ &server_keyblock,
+ req_pkt,
+ request,
+ NULL, /* for_user_princ */
+ NULL, /* enc_tkt_request */
+ &enc_tkt_reply);
+ if (errcode) {
+ krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode);
+ status = "HANDLE_AUTHDATA";
+ goto errout;
+ }
+
+ errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply);
+ if (errcode) {
+ status = "ENCRYPTING_TICKET";
+ goto errout;
+ }
+ ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+
/* now encode/encrypt the response */
- reply.enc_part.enctype = encrypting_key.enctype;
+ reply.enc_part.enctype = client_keyblock.enctype;
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
- 0, &encrypting_key, &reply, response);
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
- encrypting_key.contents = 0;
+ 0, &client_keyblock, &reply, response);
reply.enc_part.kvno = client_key->key_data_kvno;
-
if (errcode) {
status = "ENCODE_KDC_REP";
goto errout;
@@ -447,14 +561,8 @@
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
- krb5_klog_syslog(LOG_INFO,
- "AS_REQ (%s) %s: ISSUE: authtime %d, "
- "%s, %s for %s",
- ktypestr,
- fromstring, authtime,
- rep_etypestr,
- cname, sname);
+ log_as_req(from, request, &reply, cname, sname, authtime, 0, 0, 0);
+ did_log = 1;
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
@@ -462,56 +570,59 @@
*/
client.last_success = kdc_time;
client.fail_auth_count = 0;
+#endif /* KRBCONF_KDC_MODIFIES_KDB */
update_client = 1;
-#endif /* KRBCONF_KDC_MODIFIES_KDB */
+ goto egress;
+
errout:
+ assert (status != 0);
+ /* fall through */
+
+egress:
+ if (update_client) {
+ audit_as_request(request, &client, &server, authtime, errcode);
+ }
+
if (pa_context)
free_padata_context(kdc_context, &pa_context);
+ if (errcode)
+ emsg = krb5_get_error_message(kdc_context, errcode);
+
if (status) {
- const char * emsg = 0;
- if (errcode)
- emsg = krb5_get_error_message (kdc_context, errcode);
-
- krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s",
- ktypestr,
- fromstring, status,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- errcode ? ", " : "",
- errcode ? emsg : "");
- if (errcode)
- krb5_free_error_message (kdc_context, emsg);
+ log_as_req(from, request, &reply, cname, sname, 0,
+ status, errcode, emsg);
+ did_log = 1;
}
if (errcode) {
- int got_err = 0;
if (status == 0) {
- status = krb5_get_error_message (kdc_context, errcode);
- got_err = 1;
+ status = emsg;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
- errcode = prepare_error_as(request, errcode, &e_data, response,
- status);
- if (got_err) {
- krb5_free_error_message (kdc_context, status);
- status = 0;
- }
+ errcode = prepare_error_as(request, errcode, &e_data,
+ c_nprincs ? client.princ : NULL,
+ response, status);
+ status = 0;
}
+ if (emsg)
+ krb5_free_error_message(kdc_context, emsg);
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
- if (encrypting_key.contents)
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
- if (reply.padata)
+ if (server_keyblock.contents != NULL)
+ krb5_free_keyblock_contents(kdc_context, &server_keyblock);
+ if (client_keyblock.contents != NULL)
+ krb5_free_keyblock_contents(kdc_context, &client_keyblock);
+ if (reply.padata != NULL)
krb5_free_pa_data(kdc_context, reply.padata);
- if (cname)
+ if (cname != NULL)
free(cname);
- if (sname)
+ if (sname != NULL)
free(sname);
if (c_nprincs) {
#ifdef KRBCONF_KDC_MODIFIES_KDB
@@ -533,22 +644,23 @@
}
if (s_nprincs)
krb5_db_free_principal(kdc_context, &server, s_nprincs);
- if (session_key.contents)
+ if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
- if (ticket_reply.enc_part.ciphertext.data) {
+ if (ticket_reply.enc_part.ciphertext.data != NULL) {
memset(ticket_reply.enc_part.ciphertext.data , 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
}
krb5_free_data_contents(kdc_context, &e_data);
-
+ assert(did_log != 0);
return errcode;
}
static krb5_error_code
prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
- krb5_data **response, const char *status)
+ krb5_principal canon_client, krb5_data **response,
+ const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
@@ -562,21 +674,24 @@
return(retval);
errpkt.error = error;
errpkt.server = request->server;
- errpkt.client = request->client;
- errpkt.text.length = strlen(status)+1;
- if (!(errpkt.text.data = malloc(errpkt.text.length)))
+
+ if (error == KRB5KDC_ERR_WRONG_REALM)
+ errpkt.client = canon_client;
+ else
+ errpkt.client = request->client;
+ errpkt.text.length = strlen(status) + 1;
+ if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
- (void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
- if (e_data && e_data->data) {
+ if (e_data != NULL&& e_data->data != NULL) {
errpkt.e_data = *e_data;
} else {
errpkt.e_data.length = 0;
- errpkt.e_data.data = 0;
+ errpkt.e_data.data = NULL;
}
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
Modified: branches/mkey_migrate/src/kdc/do_tgs_req.c
===================================================================
--- branches/mkey_migrate/src/kdc/do_tgs_req.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/do_tgs_req.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
* kdc/do_tgs_req.c
*
- * Copyright 1990,1991,2001,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001,2007,2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -26,6 +26,33 @@
*
* KDC Routines to deal with TGS_REQ's
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "com_err.h"
@@ -49,8 +76,8 @@
krb5_boolean *, int *);
static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
- int, const char *, krb5_data **,
- const char *);
+ int, krb5_principal,
+ krb5_data **, const char *);
/*ARGSUSED*/
krb5_error_code
@@ -75,8 +102,7 @@
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
krb5_key_data *server_key;
- char *cname = 0, *sname = 0, *tmp = 0;
- const char *fromstring = 0;
+ char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
/* krb5_address *noaddrarray[1]; */
krb5_enctype useenctype;
@@ -84,18 +110,22 @@
register int i;
int firstpass = 1;
const char *status = 0;
- char ktypestr[128];
- char rep_etypestr[128];
- char fromstringbuf[70];
+ krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
+ krb5_db_entry client, krbtgt;
+ int c_nprincs = 0, k_nprincs = 0;
+ krb5_pa_for_user *for_user = NULL; /* protocol transition request */
+ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
+ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
+ char *s4u_name = NULL;
+ krb5_boolean is_referral;
+ const char *emsg = NULL;
- session_key.contents = 0;
+ session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
- ktypes2str(ktypestr, sizeof(ktypestr),
- request->nktypes, request->ktype);
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
@@ -104,12 +134,6 @@
return retval;
}
- fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
- from->address->contents,
- fromstringbuf, sizeof(fromstringbuf));
- if (!fromstring)
- fromstring = "<unknown>";
-
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
@@ -117,8 +141,8 @@
limit_string(sname);
/* errcode = kdc_process_tgs_req(request, from, pkt, &req_authdat); */
- errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, &subkey);
-
+ errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
+ &krbtgt, &k_nprincs, &subkey);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
@@ -139,6 +163,14 @@
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
+
+ /*
+ * Pointer to the encrypted part of the header ticket, which may be
+ * replaced to point to the encrypted part of the evidence ticket
+ * if constrained delegation is used. This simplifies the number of
+ * special cases for constrained delegation.
+ */
+ header_enc_tkt = header_ticket->enc_part2;
/*
* We've already dealt with the AP_REQ authentication, so we can
@@ -146,14 +178,22 @@
* decrypted with the session key.
*/
- authtime = header_ticket->enc_part2->times.authtime;
-
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
nprincs = 1;
- if ((errcode = get_principal(kdc_context, request->server, &server,
- &nprincs, &more))) {
+ if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
+ setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
+
+ errcode = krb5_db_get_principal_ext(kdc_context,
+ request->server,
+ s_flags,
+ &server,
+ &nprincs,
+ &more);
+ if (errcode) {
status = "LOOKING_UP_SERVER";
nprincs = 0;
goto cleanup;
@@ -195,13 +235,28 @@
}
if ((retval = validate_tgs_request(request, server, header_ticket,
- kdc_time, &status))) {
+ kdc_time, &status))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
+ if (!is_local_principal(header_enc_tkt->client))
+ setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
+
+ is_referral = krb5_is_tgs_principal(server.princ) &&
+ !krb5_principal_compare(kdc_context, tgs_server, server.princ);
+
+ /* Check for protocol transition */
+ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
+ &server, header_enc_tkt->session, kdc_time,
+ &for_user, &client, &c_nprincs, &status);
+ if (errcode)
+ goto cleanup;
+ if (for_user != NULL)
+ setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
+
/*
* We pick the session keytype here....
*
@@ -214,17 +269,23 @@
* to anything else.
*/
useenctype = 0;
- if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
+ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
+ KDC_OPT_CNAME_IN_ADDL_TKT)) {
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
+ krb5_db_entry st_client;
+ int st_nprincs = 0;
/*
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
- &st_sealing_key,
- &st_srv_kvno))) {
+ c_flags,
+ &st_client,
+ &st_nprincs,
+ &st_sealing_key,
+ &st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
@@ -233,6 +294,7 @@
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
+ krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
goto cleanup;
}
@@ -240,6 +302,7 @@
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
goto cleanup;
}
@@ -249,6 +312,34 @@
break;
}
}
+
+ if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ /* Do constrained delegation protocol and authorization checks */
+ errcode = kdc_process_s4u2proxy_req(kdc_context,
+ request,
+ request->second_ticket[st_idx]->enc_part2,
+ &st_client,
+ header_ticket->enc_part2->client,
+ request->server,
+ &status);
+ if (errcode)
+ goto cleanup;
+
+ setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
+
+ assert(krb5_is_tgs_principal(header_ticket->server));
+
+ /* From now on, use evidence ticket as header ticket */
+ header_enc_tkt = request->second_ticket[st_idx]->enc_part2;
+
+ assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
+
+ client = st_client;
+ c_nprincs = st_nprincs;
+ } else {
+ /* "client" is not used for user2user */
+ krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+ }
}
/*
@@ -272,24 +363,35 @@
goto cleanup;
}
- ticket_reply.server = request->server; /* XXX careful for realm... */
+ authtime = header_enc_tkt->times.authtime;
+ if (is_referral)
+ ticket_reply.server = server.princ;
+ else
+ ticket_reply.server = request->server; /* XXX careful for realm... */
+
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
+ !is_referral) {
+ /* Ensure that we are not returning a referral */
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Fix header_ticket's starttime; if it's zero, fill in the
* authtime's value.
*/
- if (!(header_ticket->enc_part2->times.starttime))
- header_ticket->enc_part2->times.starttime =
- header_ticket->enc_part2->times.authtime;
+ if (!(header_enc_tkt->times.starttime))
+ header_enc_tkt->times.starttime = header_enc_tkt->times.authtime;
/* don't use new addresses unless forwarded, see below */
- enc_tkt_reply.caddrs = header_ticket->enc_part2->caddrs;
+ enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0; /* optional...don't put it in */
+ reply_encpart.enc_padata = NULL;
/* It should be noted that local policy may affect the */
/* processing of any of these flags. For example, some */
@@ -297,7 +399,17 @@
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
-
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ if (!krb5_is_tgs_principal(server.princ) &&
+ is_local_principal(server.princ)) {
+ if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ else
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ }
+ if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ }
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
@@ -306,7 +418,7 @@
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
- if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_FORWARDED))
+ if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
@@ -332,6 +444,7 @@
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
+ assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
@@ -342,6 +455,7 @@
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_deltat old_life;
+ assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
@@ -360,15 +474,13 @@
enc_tkt_reply.times.endtime =
min(until, min(enc_tkt_reply.times.starttime + server.max_life,
min(enc_tkt_reply.times.starttime + max_life_for_realm,
- header_ticket->enc_part2->times.endtime)));
+ header_enc_tkt->times.endtime)));
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
- isflagset(header_ticket->enc_part2->flags,
- TKT_FLG_RENEWABLE)) {
+ isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
- min(request->till,
- header_ticket->enc_part2->times.renew_till);
+ min(request->till, header_enc_tkt->times.renew_till);
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
@@ -379,7 +491,7 @@
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
enc_tkt_reply.times.renew_till =
min(rtime,
- min(header_ticket->enc_part2->times.renew_till,
+ min(header_enc_tkt->times.renew_till,
enc_tkt_reply.times.starttime +
min(server.max_renewable_life,
max_renewable_life_for_realm)));
@@ -390,15 +502,15 @@
/*
* Set authtime to be the same as header_ticket's
*/
- enc_tkt_reply.times.authtime = header_ticket->enc_part2->times.authtime;
+ enc_tkt_reply.times.authtime = header_enc_tkt->times.authtime;
/*
* Propagate the preauthentication flags through to the returned ticket.
*/
- if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_PRE_AUTH))
+ if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
- if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_HW_AUTH))
+ if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
/* starttime is optional, and treated as authtime if not present.
@@ -406,49 +518,130 @@
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
- /* assemble any authorization data */
- if (request->authorization_data.ciphertext.data) {
- krb5_data scratch;
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name);
+ } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
+ errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
+ } else {
+ errcode = 0;
+ }
+ if (errcode) {
+ status = "UNPARSING S4U CLIENT";
+ goto cleanup;
+ }
- scratch.length = request->authorization_data.ciphertext.length;
- if (!(scratch.data =
- malloc(request->authorization_data.ciphertext.length))) {
- status = "AUTH_NOMEM";
- errcode = ENOMEM;
+ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
+ krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+ encrypting_key = *(t2enc->session);
+ } else {
+ /*
+ * Find the server key
+ */
+ if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+ -1, /* ignore keytype */
+ -1, /* Ignore salttype */
+ 0, /* Get highest kvno */
+ &server_key))) {
+ status = "FINDING_SERVER_KEY";
goto cleanup;
}
-
- if ((errcode = krb5_c_decrypt(kdc_context,
- header_ticket->enc_part2->session,
- KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
- 0, &request->authorization_data,
- &scratch))) {
- status = "AUTH_ENCRYPT_FAIL";
- free(scratch.data);
+ /* convert server.key into a real key (it may be encrypted
+ * in the database) */
+ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
+ &master_keyblock,
+ server_key, &encrypting_key,
+ NULL))) {
+ status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
+ }
- /* scratch now has the authorization data, so we decode it */
- errcode = decode_krb5_authdata(&scratch, &(request->unenc_authdata));
- free(scratch.data);
- if (errcode) {
- status = "AUTH_DECODE";
- goto cleanup;
+ if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
+ /*
+ * Don't allow authorization data to be disabled if constrained
+ * delegation is requested. We don't want to deny the server
+ * the ability to validate that delegation was used.
+ */
+ clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
+ }
+ if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
+ /*
+ * If we are not doing protocol transition/constrained delegation
+ * and there was no authorization data included, try to lookup
+ * the client principal as it may be mapped to a local account.
+ *
+ * Always validate authorization data for constrained delegation
+ * because we must validate the KDC signatures.
+ */
+ if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) &&
+ header_enc_tkt->authorization_data == NULL) {
+
+ /* Generate authorization data so we can include it in ticket */
+ setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
+ /* Map principals from foreign (possibly non-AD) realms */
+ setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
+
+ assert(c_nprincs == 0); /* should not have been looked up already */
+
+ c_nprincs = 1;
+ errcode = krb5_db_get_principal_ext(kdc_context,
+ header_enc_tkt->client,
+ c_flags,
+ &client,
+ &c_nprincs,
+ &more);
+ /*
+ * We can ignore errors because the principal may be a
+ * valid cross-realm principal for which we have no local
+ * mapping. But we do want to check that at most one entry
+ * was returned.
+ */
+ if (errcode == 0 && (more || c_nprincs > 1)) {
+ errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+ goto cleanup;
+ } else if (errcode) {
+ c_nprincs = 0;
+ }
}
+ }
- if ((errcode =
- concat_authorization_data(request->unenc_authdata,
- header_ticket->enc_part2->authorization_data,
- &enc_tkt_reply.authorization_data))) {
- status = "CONCAT_AUTH";
+ enc_tkt_reply.authorization_data = NULL;
+
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ is_local_principal(header_enc_tkt->client))
+ enc_tkt_reply.client = for_user->user;
+ else
+ enc_tkt_reply.client = header_enc_tkt->client;
+
+ errcode = handle_authdata(kdc_context,
+ c_flags,
+ (c_nprincs != 0) ? &client : NULL,
+ &server,
+ (k_nprincs != 0) ? &krbtgt : NULL,
+ subkey != NULL ? subkey :
+ header_ticket->enc_part2->session,
+ &encrypting_key, /* U2U or server key */
+ pkt,
+ request,
+ for_user ? for_user->user : NULL,
+ header_enc_tkt,
+ &enc_tkt_reply);
+ if (errcode) {
+ krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
+ status = "HANDLE_AUTHDATA";
+ goto cleanup;
+ }
+
+ if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+ errcode = return_svr_referral_data(kdc_context,
+ &server, &reply_encpart);
+ if (errcode) {
+ status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
}
- } else
- enc_tkt_reply.authorization_data =
- header_ticket->enc_part2->authorization_data;
+ }
enc_tkt_reply.session = &session_key;
- enc_tkt_reply.client = header_ticket->enc_part2->client;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
@@ -464,11 +657,11 @@
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
- enc_tkt_reply.transited = header_ticket->enc_part2->transited;
+ enc_tkt_reply.transited = header_enc_tkt->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
- if (header_ticket->enc_part2->transited.tr_type !=
+ if (header_enc_tkt->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "BAD_TRTYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
@@ -481,7 +674,7 @@
enc_tkt_transited.tr_contents.length = 0;
enc_tkt_reply.transited = enc_tkt_transited;
if ((errcode =
- add_to_transited(&header_ticket->enc_part2->transited.tr_contents,
+ add_to_transited(&header_enc_tkt->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
@@ -491,14 +684,23 @@
}
newtransited = 1;
}
+ if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
+ errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
+ &server,
+ (k_nprincs != 0) ? &krbtgt : NULL);
+ if (errcode) {
+ status = "NON_TRANSITIVE";
+ goto cleanup;
+ }
+ }
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
unsigned int tlen;
char *tdots;
- errcode = krb5_check_transited_list (kdc_context,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
- krb5_princ_realm (kdc_context, request->server));
+ errcode = kdc_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_enc_tkt->client),
+ krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
@@ -515,7 +717,7 @@
enc_tkt_reply.transited.tr_contents.data,
tdots);
else {
- const char *emsg = krb5_get_error_message(kdc_context, errcode);
+ emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
"unexpected error checking transit from "
"'%s' to '%s' via '%.*s%s': %s",
@@ -525,6 +727,7 @@
enc_tkt_reply.transited.tr_contents.data,
tdots, emsg);
krb5_free_error_message(kdc_context, emsg);
+ emsg = NULL;
}
} else
krb5_klog_syslog (LOG_INFO, "not checking transit path");
@@ -551,71 +754,36 @@
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
- if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
- tmp = 0;
- if (tmp != NULL)
- limit_string(tmp);
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
+ altcname = 0;
+ if (altcname != NULL)
+ limit_string(altcname);
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ %s: 2ND_TKT_MISMATCH: "
- "authtime %d, %s for %s, 2nd tkt client %s",
- fromstring, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
+ status = "2ND_TKT_MISMATCH";
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
- if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
- &ticket_reply))) {
- status = "2ND_TKT_ENCRYPT";
- goto cleanup;
- }
st_idx++;
} else {
- /*
- * Find the server key
- */
- if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
- -1, /* ignore keytype */
- -1, /* Ignore salttype */
- 0, /* Get highest kvno */
- &server_key))) {
- status = "FINDING_SERVER_KEY";
- goto cleanup;
- }
+ ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+ }
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
- }
-
- /* convert server.key into a real key (it may be encrypted
- * in the database) */
- if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
- tmp_mkey,
- server_key, &encrypting_key,
- NULL))) {
- status = "DECRYPT_SERVER_KEY";
- goto cleanup;
- }
- errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
- &ticket_reply);
+ errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
+ &ticket_reply);
+ if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
- if (errcode) {
- status = "TKT_ENCRYPT";
- goto cleanup;
- }
- ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+ if (errcode) {
+ status = "TKT_ENCRYPT";
+ goto cleanup;
}
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
reply.padata = 0; /* always */
- reply.client = header_ticket->enc_part2->client;
+ reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0; /* We are using the session key */
reply.ticket = &ticket_reply;
@@ -625,7 +793,7 @@
/* copy the time fields EXCEPT for authtime; its location
is used for ktime */
reply_encpart.times = enc_tkt_reply.times;
- reply_encpart.times.authtime = header_ticket->enc_part2->times.authtime;
+ reply_encpart.times.authtime = header_enc_tkt->times.authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
@@ -667,27 +835,16 @@
free(reply.enc_part.ciphertext.data);
cleanup:
- if (status) {
- const char * emsg = NULL;
- if (!errcode)
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
- if (errcode)
- emsg = krb5_get_error_message (kdc_context, errcode);
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ (%s) %s: %s: authtime %d, "
- "%s%s %s for %s%s%s",
- ktypestr,
- fromstring, status, authtime,
- !errcode ? rep_etypestr : "",
- !errcode ? "," : "",
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- errcode ? ", " : "",
- errcode ? emsg : "");
- if (errcode)
- krb5_free_error_message (kdc_context, emsg);
+ assert(status != NULL);
+ if (errcode)
+ emsg = krb5_get_error_message (kdc_context, errcode);
+ log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
+ status, errcode, emsg);
+ if (errcode) {
+ krb5_free_error_message (kdc_context, emsg);
+ emsg = NULL;
}
-
+
if (errcode) {
int got_err = 0;
if (status == 0) {
@@ -699,28 +856,39 @@
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(request, header_ticket, errcode,
- fromstring, response, status);
+ nprincs ? server.princ : NULL,
+ response, status);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
- if (header_ticket)
+ if (header_ticket != NULL)
krb5_free_ticket(kdc_context, header_ticket);
- if (request)
+ if (request != NULL)
krb5_free_kdc_req(kdc_context, request);
- if (cname)
+ if (cname != NULL)
free(cname);
- if (sname)
+ if (sname != NULL)
free(sname);
- if (nprincs)
+ if (nprincs != 0)
krb5_db_free_principal(kdc_context, &server, 1);
- if (session_key.contents)
+ if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
- if (subkey)
+ if (k_nprincs)
+ krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
+ if (c_nprincs)
+ krb5_db_free_principal(kdc_context, &client, c_nprincs);
+ if (for_user != NULL)
+ krb5_free_pa_for_user(kdc_context, for_user);
+ if (kdc_issued_auth_data != NULL)
+ krb5_free_authdata(kdc_context, kdc_issued_auth_data);
+ if (s4u_name != NULL)
+ free(s4u_name);
+ if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
return retval;
@@ -728,7 +896,8 @@
static krb5_error_code
prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
- const char *ident, krb5_data **response, const char *status)
+ krb5_principal canon_server,
+ krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
@@ -745,18 +914,17 @@
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
- errpkt.client = 0;
+ errpkt.client = NULL;
errpkt.text.length = strlen(status) + 1;
- if (!(errpkt.text.data = malloc(errpkt.text.length)))
+ if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
- (void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
- errpkt.e_data.data = 0;
+ errpkt.e_data.data = NULL;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
@@ -820,7 +988,6 @@
} else if (*nprincs == 1) {
/* Found it! */
krb5_principal tmpprinc;
- char *sname;
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
@@ -834,15 +1001,7 @@
krb5_free_principal(kdc_context, request->server);
request->server = tmpprinc;
- if (krb5_unparse_name(kdc_context, request->server, &sname)) {
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ: issuing alternate <un-unparseable> TGT");
- } else {
- limit_string(sname);
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ: issuing TGT %s", sname);
- free(sname);
- }
+ log_tgs_alt_tgt(request->server);
krb5_free_realm_tree(kdc_context, plist);
return;
}
Modified: branches/mkey_migrate/src/kdc/extern.c
===================================================================
--- branches/mkey_migrate/src/kdc/extern.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/extern.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -37,6 +37,7 @@
krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
krb5_rcache kdc_rcache = (krb5_rcache) NULL;
krb5_keyblock psr_key;
+krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
volatile int signal_requests_exit = 0; /* gets set when signal hits */
volatile int signal_requests_hup = 0; /* ditto */
Modified: branches/mkey_migrate/src/kdc/extern.h
===================================================================
--- branches/mkey_migrate/src/kdc/extern.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/extern.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -98,6 +98,7 @@
extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */
extern krb5_rcache kdc_rcache; /* replay cache */
extern krb5_keyblock psr_key; /* key for predicted sam response */
+extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */
extern volatile int signal_requests_exit;
extern volatile int signal_requests_hup;
Deleted: branches/mkey_migrate/src/kdc/fakeka.M
===================================================================
--- branches/mkey_migrate/src/kdc/fakeka.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/fakeka.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,111 +0,0 @@
-.\" kdc/fakeka.M
-.\"
-.\" Copyright 2005 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH FAKEKA 8
-.SH NAME
-fakeka \- Fake kaserver for AFS clients
-.SH SYNOPSIS
-\fBfakeka\fP [\fB\-dm\fP] [\fB\-c\fP \fIcell\fP] [\fB\-f\fP \fIforwarder\fP]
-[\fB\-l\fP \fBfacility\fP] [\fB\-p\fP \fBport\fP] [\fB\-r\fP \fIrealm\fP]
-.br
-.SH DESCRIPTION
-.I fakeka
-is a fake kaserver that speaks just enough of the AFS RX protocol to make
-klog work. It is used in conjunction with a Kerberos V5 KDC to support
-existing AFS clients, and is usually used with ka-forwarder.
-.I fakeka
-must run on the same host as your Kerberos V5 KDC, since it needs access
-to the KDC database. ka-forwarder should run on each of your AFS database
-servers, pointing to your Kerberos V5 KDCs.
-.I fakeka
-should then be running on each of the KDCs, with the AFS database servers
-listed as arguments to the
-.B -f
-option.
-.PP
-Note that principals you wish to use
-.I fakeka
-with must have either a V4-style key (des:v4) or an AFS-style key
-(des:afs3). V5 enctypes won't work.
-.SH OPTIONS
-.TP
-\fB\-c\fP \fIcell\fP
-The AFS cell for which
-.I fakeka
-will be handling requests. If not given, this defaults to the same as the
-Kerberos V5 realm (see
-.B \-r
-below).
-.TP
-.B \-d
-Enables debugging. When this flag is given,
-.I fakeka
-will run in the foreground and print debugging information to standard
-error. Overrides
-.BR \-m .
-.TP
-\fB\-f\fP \fIforwarder\fP
-Allows forwarded requests from
-.IR forwarder ,
-which is generally an AFS database server running ka-forwarder. This
-option can be given multiple times (up to 10). Each system running
-ka-forwarder should be specified with the
-.B \-f
-flag or forwarded requests from that host will not be answered. (The
-forwarders append their own address to the packet.
-.TP
-\fB\-l\fP \fIfacility\fP
-Log actions via syslog with the given
-.I facility
-rather than the default of LOG_DAEMON.
-.I facility
-must be one of KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON,
-LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, or LOCAL7. This
-option is case-sensitive. Not all of these facilities may be available,
-depending on what pre-defined syslog facilities your system provides.
-.TP
-.B \-m
-Fork and background when starting. You will usually always want to give
-this flag.
-.TP
-\fB\-p\fP \fIport\fP
-Listen on the specified port rather than the default of 7004 (which is
-what klog expects).
-.I port
-may be a number or a service name from
-.IR /etc/services .
-.TP
-\fB\-r\fP \fIrealm\fP
-The Kerberos V5 realm to which the requests are being translated. The
-default is the local default realm.
-.SH EXAMPLES
-Handle requests for a local cell whose name matches the local realm,
-accepting forwarded queries from afs1.example.com and afs2.example.com:
-.IP "" 4
-fakeka -m -f afs1.example.com -f afs2.example.com
-.PP
-If the cell name doesn't match the realm name,
-.B \-c
-would need to be added, specifying the cell name.
-.SH SEE ALSO
-ka-forwarder(8)
Deleted: branches/mkey_migrate/src/kdc/fakeka.c
===================================================================
--- branches/mkey_migrate/src/kdc/fakeka.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/fakeka.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,1396 +0,0 @@
-/*
- * COPYRIGHT NOTICE
- * Copyright (c) 1994 Carnegie Mellon University
- * All Rights Reserved.
- *
- * Permission to use, copy, modify and distribute this software and its
- * documentation is hereby granted, provided that both the copyright
- * notice and this permission notice appear in all copies of the
- * software, derivative works or modified versions, and any portions
- * thereof, and that both notices appear in supporting documentation.
- *
- * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
- * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
- * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
- *
- * Carnegie Mellon requests users of this software to return to
- *
- * Software Distribution Coordinator or Software_Distribution at CS.CMU.EDU
- * School of Computer Science
- * Carnegie Mellon University
- * Pittsburgh PA 15213-3890
- *
- * any improvements or extensions that they make and grant Carnegie Mellon
- * the rights to redistribute these changes.
- *
- * Converted to Kerberos 5 by Ken Hornstein <kenh at cmf.nrl.navy.mil>
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <string.h>
-#include <syslog.h>
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
-#ifdef HAVE_MEMORY_H
-#include <memory.h>
-#endif
-
-#include <krb5.h>
-#include <kadm5/admin.h>
-#include <com_err.h>
-#include <kerberosIV/krb.h>
-#include <kerberosIV/des.h>
-
-#ifndef LINT
-static char rcsid[]=
- "$Id$";
-#endif
-
-/*
- * Misc macros
- */
-
-#define PAD_TO(x, a) (((u_long)(x) + (a) - 1) & ~((a) - 1))
-#define min(a, b) ((a) < (b) ? (a) : (b))
-#define MAXFORWARDERS 10
-#define HEADER_LEN 8
-
-/*
- * Error values from kautils.h
- *
- * The security errors are:
- * KABADTICKET, KABADSERVER, KABADUSER, and KACLOCKSKEW
- */
-
-#define KADATABASEINCONSISTENT (180480L)
-#define KANOENT (180484L)
-#define KABADREQUEST (180490L)
-#define KABADTICKET (180504L)
-#define KABADSERVER (180507L)
-#define KABADUSER (180508L)
-#define KACLOCKSKEW (180514L)
-#define KAINTERNALERROR (180518L)
-
-
-/*
- * Type definitions
- */
-
-typedef struct packet {
- char *base;
- int len;
- char data[1024];
-} *packet_t;
-
-typedef struct rx_header {
- u_int rx_epoch;
- u_int rx_cid;
- u_int rx_callnum;
- u_int rx_seq;
- u_int rx_serial;
- u_char rx_type;
- u_char rx_flags;
- u_char rx_userstatus;
- u_char rx_securityindex;
- u_short rx_spare;
- u_short rx_service;
- u_int rx_request;
-} *rx_t;
-
-
-/*
- * Global vars
- */
-
-char *progname = "fakeka"; /* needed by libkdb.a */
-char *localrealm = NULL;
-char *localcell = NULL;
-krb5_timestamp req_time;
-kadm5_config_params realm_params;
-int debug = 0;
-
-
-/*
- * This is a table for the "infamous" CMU ticket lifetime conversion. If
- * the lifetime is greater than 128, use this table
- */
-#define MAX_TICKET_LIFETIME 2592000
-static long cmu_seconds[] =
-{
- 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318,
- 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684,
- 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720,
- 191077, 204289, 218415, 233517, 249663, 266926, 285383, 305116,
- 326213, 348769, 372885, 398668, 426233, 455705, 487215, 520903,
- 556921, 595430, 636600, 680618, 727679, 777995, 831789, 889303,
- 950794, 1016536, 1086825, 1161973, 1242317, 1328217, 1420057, 1518246,
- 1623225, 1735463, 1855462, 1983757, 2120924, 2267575, 2424366, 2591999,
- 0
-};
-
-#if __STDC__
-/*
- * Prototypes for all the functions we define
- */
-
-void perrorexit(char *);
-void pexit(char *);
-char *kaerror(int);
-int get_princ_key(krb5_context, void *, kadm5_principal_ent_t, des_cblock,
- des_key_schedule);
-int check_princ(krb5_context, void *, char *, char *, kadm5_principal_ent_t);
-
-int make_reply_packet(krb5_context, void *, packet_t, int, int, int,
- char *, char *, char *, char *,
- des_cblock, des_key_schedule, char *);
-
-int Authenticate(krb5_context, void *, char *, packet_t, packet_t);
-int GetTicket(krb5_context, void *, char *, packet_t, packet_t);
-void process(krb5_context, void *, char *, packet_t, packet_t);
-#endif
-
-
-/*
- * Helpers for exiting with errors
- */
-
-void perrorexit(str)
-char *str;
-{
- perror(str);
- exit(1);
-}
-
-void pexit(str)
-char *str;
-{
- printf("%s\n", str);
- exit(1);
-}
-
-
-/*
- * Translate error codes into strings.
- */
-
-char *kaerror(e)
-int e;
-{
- static char buf[1024];
-
- switch (e) {
- case KADATABASEINCONSISTENT:
- return "database is inconsistent";
- case KANOENT:
- return "principal does not exist";
- case KABADREQUEST:
- return "request was malformed (bad password)";
- case KABADTICKET:
- return "ticket was malformed, invalid, or expired";
- case KABADSERVER:
- return "cannot issue tickets for this service";
- case KABADUSER:
- return "principal expired";
- case KACLOCKSKEW:
- return "client time is too far skewed";
- case KAINTERNALERROR:
- return "internal error in fakeka, help!";
- default:
- sprintf(buf, "impossible error code %d, help!", e);
- return buf;
- }
- /*NOTREACHED*/
-}
-
-/*
- * Syslog facilities
- */
-typedef struct {
- int num;
- char *string;
-} facility_mapping;
-
-static facility_mapping mappings[] = {
-#ifdef LOG_KERN
- { LOG_KERN, "KERN" },
-#endif
-#ifdef LOG_USER
- { LOG_USER, "USER" },
-#endif
-#ifdef LOG_MAIL
- { LOG_MAIL, "MAIL" },
-#endif
-#ifdef LOG_DAEMON
- { LOG_DAEMON, "DAEMON" },
-#endif
-#ifdef LOG_AUTH
- { LOG_AUTH, "AUTH" },
-#endif
-#ifdef LOG_LPR
- { LOG_LPR, "LPR" },
-#endif
-#ifdef LOG_NEWS
- { LOG_NEWS, "NEWS" },
-#endif
-#ifdef LOG_UUCP
- { LOG_UUCP, "UUCP" },
-#endif
-#ifdef LOG_CRON
- { LOG_CRON, "CRON" },
-#endif
-#ifdef LOG_LOCAL0
- { LOG_LOCAL0, "LOCAL0" },
-#endif
-#ifdef LOG_LOCAL1
- { LOG_LOCAL1, "LOCAL1" },
-#endif
-#ifdef LOG_LOCAL2
- { LOG_LOCAL2, "LOCAL2" },
-#endif
-#ifdef LOG_LOCAL3
- { LOG_LOCAL3, "LOCAL3" },
-#endif
-#ifdef LOG_LOCAL4
- { LOG_LOCAL4, "LOCAL4" },
-#endif
-#ifdef LOG_LOCAL5
- { LOG_LOCAL5, "LOCAL5" },
-#endif
-#ifdef LOG_LOCAL6
- { LOG_LOCAL6, "LOCAL6" },
-#endif
-#ifdef LOG_LOCAL7
- { LOG_LOCAL7, "LOCAL7" },
-#endif
- { 0, NULL }
-};
-
-
-/*
- * Get the principal's key and key schedule from the db record.
- *
- * Life is more complicated in the V5 world. Since we can have different
- * encryption types, we have to make sure that we get back a DES key.
- * Also, we have to try to get back a AFS3 or V4 salted key, since AFS
- * doesn't know about a V5 style salt.
- */
-
-int get_princ_key(context, handle, p, k, s)
-krb5_context context;
-void *handle;
-kadm5_principal_ent_t p;
-des_cblock k;
-des_key_schedule s;
-{
- int rv;
- krb5_keyblock kb;
- kadm5_ret_t retval;
-
- /*
- * We need to call kadm5_decrypt_key to decrypt the key data
- * from the principal record. We _must_ have a encryption type
- * of DES_CBC_CRC, and we prefer having a salt type of AFS 3 (but
- * a V4 salt will work as well). If that fails, then return any
- * type of key we can find.
- *
- * Note that since this uses kadm5_decrypt_key, it means it has to
- * be compiled with the kadm5srv library.
- */
-
- if ((retval = kadm5_decrypt_key(handle, p, ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_AFS3, 0, &kb,
- NULL, NULL)))
- if ((retval = kadm5_decrypt_key(handle, p, ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4, 0, &kb,
- NULL, NULL)))
- if ((retval = kadm5_decrypt_key(handle, p, ENCTYPE_DES_CBC_CRC,
- -1, 0, &kb, NULL, NULL))) {
- syslog(LOG_ERR, "Couldn't find any matching key: %s",
- error_message(retval));
- return KAINTERNALERROR;
- }
-
- /*
- * Copy the data from our krb5_keyblock to the des_cblock. Make sure
- * the size of our key matches the V4/AFS des_cblock.
- */
-
- if (kb.length != sizeof(des_cblock)) {
- krb5_free_keyblock_contents(context, &kb);
- syslog(LOG_ERR, "Principal key size of %d didn't match C_Block size"
- " %d", kb.length, sizeof(des_cblock));
- return KAINTERNALERROR;
- }
-
- memcpy((char *) k, (char *) kb.contents, sizeof(des_cblock));
-
- krb5_free_keyblock_contents(context, &kb);
-
- /*
- * Calculate the des key schedule
- */
-
- rv = des_key_sched(k, s);
- if (rv) {
- memset((void *) k, 0, sizeof(k));
- memset((void *)s, 0, sizeof(s));
- return KAINTERNALERROR;
- }
- return 0;
-}
-
-
-/*
- * Fetch principal from db and validate it.
- *
- * Note that this always fetches the key data from the principal (but it
- * doesn't decrypt it).
- */
-
-int check_princ(context, handle, name, inst, p)
-krb5_context context;
-void *handle;
-char *name, *inst;
-kadm5_principal_ent_t p;
-{
- krb5_principal princ;
- krb5_error_code code;
- kadm5_ret_t retcode;
-
- /*
- * Screen out null principals. They are causing crashes here
- * under HPUX-10.20. - vwelch at ncsa.uiuc.edu 1/6/98
- */
- if (!name || (name[0] == '\0')) {
- syslog(LOG_ERR, "screening out null principal");
- return KANOENT;
- }
-
- /*
- * Build a principal from the name and instance (the realm is always
- * the same).
- */
-
- if ((code = krb5_build_principal_ext(context, &princ, strlen(localrealm),
- localrealm, strlen(name), name,
- strlen(inst), inst, 0))) {
- syslog(LOG_ERR, "could not build principal: %s", error_message(code));
- return KAINTERNALERROR;
- }
-
- /*
- * Fetch the principal from the database -- also fetch the key data.
- * Note that since this retrieves the key data, it has to be linked with
- * the kadm5srv library.
- */
-
- if ((retcode = kadm5_get_principal(handle, princ, p,
- KADM5_PRINCIPAL_NORMAL_MASK |
- KADM5_KEY_DATA))) {
- if (retcode == KADM5_UNK_PRINC) {
- krb5_free_principal(context, princ);
- syslog(LOG_INFO, "principal %s.%s does not exist", name, inst);
- return KANOENT;
- } else {
- krb5_free_principal(context, princ);
- syslog(LOG_ERR, "kadm5_get_principal failed: %s",
- error_message(retcode));
- return KAINTERNALERROR;
- }
- }
-
- krb5_free_principal(context, princ);
-
- /*
- * Check various things - taken from the KDC code.
- *
- * Since we're essentially bypassing the KDC, we need to make sure
- * that we don't give out a ticket that we shouldn't.
- */
-
- /*
- * Has the principal expired?
- */
-
- if (p->princ_expire_time && p->princ_expire_time < req_time) {
- kadm5_free_principal_ent(handle, p);
- return KABADUSER;
- }
-
- /*
- * Has the principal's password expired? Note that we don't
- * check for the PWCHANGE_SERVICE flag here, since we don't
- * support password changing. We do support the REQUIRES_PWCHANGE
- * flag, though.
- */
-
- if ((p->pw_expiration && p->pw_expiration < req_time) ||
- (p->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- kadm5_free_principal_ent(handle, p);
- return KABADUSER;
- }
-
- /*
- * See if the principal is locked out
- */
-
- if (p->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
- kadm5_free_principal_ent(handle, p);
- return KABADUSER;
- }
-
- /*
- * There's no way we can handle hardware preauth, so
- * disallow tickets with this flag set.
- */
-
- if (p->attributes & KRB5_KDB_REQUIRES_HW_AUTH) {
- kadm5_free_principal_ent(handle, p);
- return KABADUSER;
- }
-
- /*
- * Must be okay, then
- */
-
- return 0;
-}
-
-
-/*
- * Create an rx reply packet in "packet" using the provided data.
- * The caller is responsible for zeroing key and sched.
- */
-
-int make_reply_packet(context, handle, reply, challenge_response, start_time,
- end_time, cname, cinst, sname, sinst, key, sched, label)
-krb5_context context;
-void *handle;
-packet_t reply;
-int challenge_response, start_time, end_time;
-char *cname, *cinst, *sname, *sinst;
-des_cblock key;
-des_key_schedule sched;
-char *label;
-{
- int rv, n, maxn, v4life, *enclenp, *ticklenp;
- u_char *p, *enc, *ticket;
- kadm5_principal_ent_rec cprinc, sprinc;
- des_cblock skey, new_session_key;
- des_key_schedule ssched;
- krb5_deltat lifetime;
-
- rv = 0;
-
- rv = check_princ(context, handle, cname, cinst, &cprinc);
- if (rv)
- return rv;
-
- rv = check_princ(context, handle, sname, sinst, &sprinc);
- if (rv) {
- kadm5_free_principal_ent(handle, &cprinc);
- return rv;
- }
-
- /*
- * Bound ticket lifetime by max lifetimes of user and service.
- *
- * Since V5 already stores everything in Unix epoch timestamps like
- * AFS, these calculations are much simpler.
- */
-
- lifetime = end_time - start_time;
- lifetime = min(lifetime, cprinc.max_life);
- lifetime = min(lifetime, sprinc.max_life);
- lifetime = min(lifetime, realm_params.max_life);
-
- end_time = start_time + lifetime;
-
- /*
- * But we have to convert back to V4-style lifetimes
- */
-
- v4life = lifetime / 300;
- if (v4life > 127) {
- /*
- * Use the CMU algorithm instead
- */
- long *clist = cmu_seconds;
- while (*clist && *clist < lifetime) clist++;
- v4life = 128 + (clist - cmu_seconds);
- }
-
- /*
- * If this is for afs and the instance is the local cell name
- * then we assume we added the instance in GetTickets to
- * identify the afs key in the kerberos database. This is for
- * cases where the afs cell name is different from the kerberos
- * realm name. We now want to remove the instance so it doesn't
- * cause klog to barf.
- */
- if (!strcmp(sname, "afs") && (strcasecmp(sinst, localcell) == 0))
- sinst[0] = '\0';
-
- /*
- * All the data needed to construct the ticket is ready, so do it.
- */
-
- p = (unsigned char *) reply->base;
- maxn = reply->len;
- n = 0;
-
-#define ERR(x) do { rv = x ; goto error; } while (0)
-#define ADVANCE(x) { if ((n += x) > maxn) ERR(KAINTERNALERROR); else p += x;}
-#define PUT_CHAR(x) { *p = (x); ADVANCE(1); }
-#define PUT_INT(x) { int q = ntohl(x); memcpy(p, (char *)&q, 4); ADVANCE(4); }
-#define PUT_STR(x) { strcpy((char *) p, x); ADVANCE(strlen(x) + 1); }
-
- ADVANCE(28);
- PUT_INT(0x2bc);
-
- enclenp = (int *)p;
- PUT_INT(0); /* filled in later */
-
- enc = p;
- PUT_INT(0);
- PUT_INT(challenge_response);
-
- /*
- * new_session_key is created here, and remains in the clear
- * until just before we return.
- */
- des_new_random_key(new_session_key);
- memcpy(p, new_session_key, 8);
-
- ADVANCE(8);
- PUT_INT(start_time);
- PUT_INT(end_time);
- PUT_INT(sprinc.kvno);
-
- ticklenp = (int *)p;
- PUT_INT(0); /* filled in later */
-
- PUT_STR(cname);
- PUT_STR(cinst);
- PUT_STR("");
- PUT_STR(sname);
- PUT_STR(sinst);
-
- ticket = p;
- PUT_CHAR(0); /* flags, always 0 */
- PUT_STR(cname);
- PUT_STR(cinst);
- PUT_STR("");
- PUT_INT(0); /* would be ip address */
-
- memcpy(p, new_session_key, 8);
-
- ADVANCE(8);
-
- PUT_CHAR(v4life);
- PUT_INT(start_time);
- PUT_STR(sname);
- PUT_STR(sinst);
-
- ADVANCE(PAD_TO(p - ticket, 8) - (p - ticket));
-
- *ticklenp = ntohl(p - ticket);
-
- rv = get_princ_key(context, handle, &sprinc, skey, ssched);
- if (rv)
- return rv;
- des_pcbc_encrypt((C_Block *) ticket, (C_Block *) ticket, p - ticket,
- ssched, (C_Block *) skey, ENCRYPT);
- memset(skey, 0, sizeof(skey));
- memset(ssched, 0, sizeof(ssched));
-
- PUT_STR(label); /* "tgsT" or "gtkt" */
- ADVANCE(-1); /* back up over string terminator */
-
- ADVANCE(PAD_TO(p - enc, 8) - (p - enc));
-#undef ERR
-#undef ADVANCE
-#undef PUT_CHAR
-#undef PUT_INT
-#undef PUT_STR
-
- *enclenp = ntohl(p - enc);
- des_pcbc_encrypt((C_Block *) enc, (C_Block *) enc, p - enc, sched,
- (C_Block *) key, ENCRYPT);
- reply->len = n;
-
- error:
- memset(new_session_key, 0, sizeof(new_session_key));
- kadm5_free_principal_ent(handle, &cprinc);
- kadm5_free_principal_ent(handle, &sprinc);
-
- return rv;
-}
-
-#define ERR(x) do { rv = x; goto error; } while (0)
-#define ADVANCE(x) { if ((n += x) > maxn) ERR(KABADREQUEST); else p += x; }
-#define GET_INT(x) { int q; memcpy((char *)&q, p, 4); x = ntohl(q); ADVANCE(4); }
-#define GET_CHAR(x) { x = *p; ADVANCE(1); }
-#define GET_PSTR(x) \
- { \
- GET_INT(len); \
- if (len > sizeof(x) - 1) ERR(KABADREQUEST); \
- memcpy(x, p, len); \
- x[len] = 0; \
- ADVANCE(PAD_TO(len, 4)); \
- }
-
-#define GET_STR(x) \
- { \
- len = strlen(p); \
- if (len > sizeof(x) - 1) ERR(KABADREQUEST); \
- strcpy(x, p); \
- ADVANCE(len + 1); \
- }
-
-
-/*
- * Process an Authenticate request.
- */
-
-int Authenticate(context, handle, from, req, reply)
-krb5_context context;
-void *handle;
-char *from;
-packet_t req, reply;
-{
- int rv, n, maxn;
- int len, start_time, end_time, challenge;
- char name[ANAME_SZ+1], inst[INST_SZ+1], *p;
- kadm5_principal_ent_rec cprinc;
- des_cblock ckey;
- des_key_schedule csched;
- int free_princ_ent = 0;
-
- rv = 0;
-
- p = req->base;
- maxn = req->len;
- n = 0;
-
- ADVANCE(32);
-
- GET_PSTR(name);
- GET_PSTR(inst);
-
- if (debug)
- fprintf(stderr, "Authenticating %s.%s\n", name, inst);
-
- rv = check_princ(context, handle, name, inst, &cprinc);
- if (rv)
- ERR(rv);
-
- free_princ_ent = 1;
-
- GET_INT(start_time);
- GET_INT(end_time);
-
- GET_INT(len);
- if (len != 8)
- ERR(KABADREQUEST);
-
- /*
- * ckey and csched are set here and remain in the clear
- * until just before we return.
- */
-
- rv = get_princ_key(context, handle, &cprinc, ckey, csched);
- if (rv)
- ERR(rv);
- des_pcbc_encrypt((C_Block *) p, (C_Block *) p, 8, csched,
- (C_Block *) ckey, DECRYPT);
-
- GET_INT(challenge);
-
- rv = memcmp(p, "gTGS", 4);
- if (rv)
- ERR(KABADREQUEST);
- ADVANCE(4);
-
- /* ignore the rest */
- ADVANCE(8);
-
- /*
- * We have all the data from the request, now generate the reply.
- */
-
- rv = make_reply_packet(context, handle, reply, challenge + 1, start_time,
- end_time, name, inst, "krbtgt", localcell,
- ckey, csched, "tgsT");
- error:
- memset(ckey, 0, sizeof(ckey));
- memset(csched, 0, sizeof(csched));
-
- syslog(LOG_INFO, "authenticate: %s.%s from %s", name, inst, from);
- if (rv) {
- syslog(LOG_INFO, "... failed due to %s", kaerror(rv));
- }
- if (free_princ_ent)
- kadm5_free_principal_ent(handle, &cprinc);
- return rv;
-}
-
-
-/*
- * Process a GetTicket rpc.
- */
-
-int GetTicket(context, handle, from, req, reply)
-krb5_context context;
-void *handle;
-char *from;
-packet_t req, reply;
-{
- int rv, n, maxn, len, ticketlen;
- char *p;
- u_int kvno, start_time, end_time, times[2], flags, ipaddr;
- u_int tgt_start_time, tgt_end_time, lifetime;
- char rname[ANAME_SZ+1], rinst[INST_SZ+1]; /* requested principal */
- char sname[ANAME_SZ+1], sinst[INST_SZ+1]; /* service principal (TGT) */
- char cname[ANAME_SZ+1], cinst[INST_SZ+1]; /* client principal */
- char cell[REALM_SZ+1], realm[REALM_SZ+1];
- char enctimes[8 + 1], ticket[1024];
- u_char tgt_lifetime;
- kadm5_principal_ent_rec cprinc;
- des_cblock ckey, session_key;
- des_key_schedule csched, session_sched;
- int free_princ_ent = 0;
-
- rv = 0;
-
- /*
- * Initialize these so we don't crash trying to print them in
- * case they don't get filled in.
- */
- strcpy(rname, "Unknown");
- strcpy(rinst, "Unknown");
- strcpy(sname, "Unknown");
- strcpy(sinst, "Unknown");
- strcpy(cname, "Unknown");
- strcpy(cinst, "Unknown");
- strcpy(cell, "Unknown");
- strcpy(realm, "Unknown");
-
- p = req->base;
- maxn = req->len;
- n = 0;
-
- ADVANCE(32);
-
- GET_INT(kvno);
-
- GET_PSTR(cell);
- if (!cell[0])
- strcpy(cell, localcell);
-
- if (debug)
- fprintf(stderr, "Cell is %s\n", cell);
-
- memset(ticket, 0, sizeof(ticket));
- GET_PSTR(ticket);
- ticketlen = len; /* hacky hack hack */
- GET_PSTR(rname);
- GET_PSTR(rinst);
-
- if (debug)
- fprintf(stderr, "Request for %s/%s\n", rname, rinst);
-
- GET_PSTR(enctimes); /* still encrypted */
- if (len != 8) /* hack and hack again */
- ERR(KABADREQUEST);
-
- /* ignore the rest */
- ADVANCE(8);
-
- /*
- * That's it for the packet, now decode the embedded ticket.
- */
-
- rv = check_princ(context, handle, "krbtgt", cell, &cprinc);
- if (rv)
- ERR(rv);
-
- free_princ_ent = 1;
-
- rv = get_princ_key(context, handle, &cprinc, ckey, csched);
- if (rv)
- ERR(rv);
- des_pcbc_encrypt((C_Block *) ticket, (C_Block *) ticket, ticketlen, csched,
- (C_Block *) ckey, DECRYPT);
- memset(ckey, 0, sizeof(ckey));
- memset(csched, 0, sizeof(csched));
-
- /*
- * The ticket's session key is now in the clear in the ticket buffer.
- * We zero it just before returning.
- */
-
- p = ticket;
- maxn = ticketlen;
- n = 0;
-
- GET_CHAR(flags);
- GET_STR(cname);
- GET_STR(cinst);
- GET_STR(realm);
- GET_INT(ipaddr);
- memcpy(session_key, p, 8);
- ADVANCE(8);
-
- GET_CHAR(tgt_lifetime);
- GET_INT(tgt_start_time);
- GET_STR(sname);
- GET_STR(sinst);
-
- if (debug)
- fprintf(stderr,
- "ticket: %s.%s@%s for %s.%s\n",
- cname, cinst, realm, sname, sinst);
-
- /*
- * ok, we've got the ticket unpacked.
- * now decrypt the start and end times.
- */
-
- rv = des_key_sched(session_key, session_sched);
- if (rv)
- ERR(KABADTICKET);
-
- des_ecb_encrypt((C_Block *) enctimes, (C_Block *) times, session_sched,
- DECRYPT);
- start_time = ntohl(times[0]);
- end_time = ntohl(times[1]);
-
- /*
- * All the info we need is now available.
- * Now validate the request.
- */
-
- /*
- * This translator requires that the flags and IP address
- * in the ticket be zero, because we always set them that way,
- * and we want to accept only tickets that we generated.
- *
- * Are the flags and IP address fields 0?
- */
- if (flags || ipaddr) {
- if (debug)
- fprintf(stderr, "ERROR: flags or ipaddr field non-zero\n");
- ERR(KABADTICKET);
- }
- /*
- * Is the supplied ticket a tgt?
- */
- if (strcmp(sname, "krbtgt")) {
- if (debug)
- fprintf(stderr, "ERROR: not for krbtgt service\n");
- ERR(KABADTICKET);
- }
-
- /*
- * This translator does not allow MIT-style cross-realm access.
- * Is this a cross-realm ticket?
- */
- if (strcasecmp(sinst, localcell)) {
- if (debug)
- fprintf(stderr,
- "ERROR: Service instance (%s) differs from local cell\n",
- sinst);
- ERR(KABADTICKET);
- }
-
- /*
- * This translator does not issue cross-realm tickets,
- * since klog doesn't use this feature.
- * Is the request for a cross-realm ticket?
- */
- if (strcasecmp(cell, localcell)) {
- if (debug)
- fprintf(stderr, "ERROR: Cell %s != local cell", cell);
- ERR(KABADTICKET);
- }
-
- /*
- * Even if we later decide to issue cross-realm tickets,
- * we should not permit "realm hopping".
- * This means that the client's realm should match
- * the realm of the tgt with whose key we are supposed
- * to decrypt the ticket. I think.
- */
- if (*realm && strcasecmp(realm, cell)) {
- if (debug)
- fprintf(stderr, "ERROR: Realm %s != cell %s\n", realm, cell);
- ERR(KABADTICKET);
- }
-
- /*
- * This translator issues service tickets only for afs,
- * since klog is the only client that should be using it.
- * Is the requested service afs?
- *
- * Note: to make EMT work, we're allowing tickets for emt/admin and
- * adm/admin.
- */
- if (! ((strcmp(rname, "afs") == 0 && ! *rinst) ||
- (strcmp(rname, "emt") == 0 && strcmp(rinst, "admin") == 0) ||
- (strcmp(rname, "adm") == 0 && strcmp(rinst, "admin") == 0)))
- ERR(KABADSERVER);
-
- /*
- * If the local realm name and cell name differ and the user
- * is in the local cell and has requested a ticket of afs. (no
- * instance, then we actually want to get a ticket for
- * afs/<cell name>@<realm name>
- */
- if ((strcmp(rname, "afs") == 0) && !*rinst &&
- strcmp(localrealm, localcell) &&
- (strcasecmp(cell, localcell) == 0)) {
- char *c;
-
- strcpy(rinst, localcell);
-
- for (c = rinst; *c != NULL; c++)
- *c = (char) tolower( (int) *c);
-
- if (debug)
- fprintf(stderr, "Getting ticket for afs/%s\n", localcell);
- }
-
- /*
- * Even if we later decide to issue service tickets for
- * services other than afs, we should still disallow
- * the "changepw" and "krbtgt" services.
- */
- if (!strcmp(rname, "changepw") || !strcmp(rname, "krbtgt"))
- ERR(KABADSERVER);
-
- /*
- * Is the tgt valid yet? (ie. is the start time in the future)
- */
- if (req_time < tgt_start_time - CLOCK_SKEW) {
- if (debug)
- fprintf(stderr, "ERROR: Ticket not yet valid\n");
- ERR(KABADTICKET);
- }
-
- /*
- * Has the tgt expired? (ie. is the end time in the past)
- *
- * Sigh, convert from V4 lifetimes back to Unix epoch times.
- */
-
- if (tgt_lifetime < 128)
- tgt_end_time = tgt_start_time + tgt_lifetime * 300;
- else if (tgt_lifetime < 192)
- tgt_end_time = tgt_start_time + cmu_seconds[tgt_lifetime - 128];
- else
- tgt_end_time = tgt_start_time + MAX_TICKET_LIFETIME;
-
- if (tgt_end_time < req_time) {
- if (debug)
- fprintf(stderr, "ERROR: Ticket expired\n");
- ERR(KABADTICKET);
- }
-
- /*
- * This translator uses the requested start time as a cheesy
- * authenticator, since the KA protocol does not have an
- * explicit authenticator. We can do this since klog always
- * requests a start time equal to the current time.
- *
- * Is the requested start time approximately now?
- */
- if (abs(req_time - start_time) > CLOCK_SKEW)
- ERR(KACLOCKSKEW);
-
- /*
- * The new ticket's lifetime is the minimum of:
- * 1. remainder of tgt's lifetime
- * 2. requested lifetime
- *
- * This is further limited by the client and service's max lifetime
- * in make_reply_packet().
- */
-
- lifetime = tgt_end_time - req_time;
- lifetime = min(lifetime, end_time - start_time);
- end_time = req_time + lifetime;
-
- /*
- * We have all the data from the request, now generate the reply.
- */
-
- rv = make_reply_packet(context, handle, reply, 0, start_time, end_time,
- cname, cinst, rname, rinst,
- session_key, session_sched, "gtkt");
- error:
- memset(ticket, 0, sizeof(ticket));
- memset(session_key, 0, sizeof(session_key));
- memset(session_sched, 0, sizeof(session_sched));
-
- if (free_princ_ent)
- kadm5_free_principal_ent(handle, &cprinc);
-
- syslog(LOG_INFO, "getticket: %s.%s from %s for %s.%s",
- cname, cinst, from, rname, rinst);
- if (rv) {
- syslog(LOG_INFO, "... failed due to %s", kaerror(rv));
- }
- return rv;
-}
-
-
-#undef ERR
-#undef ADVANCE
-#undef GET_INT
-#undef GET_PSTR
-#undef GET_STR
-
-/*
- * Convert the request into a reply.
- * Returns 0 on success.
- */
-
-void process(context, handle, from, req, reply)
-krb5_context context;
-void *handle;
-char *from;
-packet_t req, reply;
-{
- int rv;
- rx_t req_rx = (rx_t)req->base;
- rx_t reply_rx = (rx_t)reply->base;
- int service, request;
-
- service = ntohs(req_rx->rx_service);
- request = ntohl(req_rx->rx_request);
-
- /* ignore everything but type 1 */
- if (req_rx->rx_type != 1) {
- reply->len = 0;
- return;
- }
-
- /* copy the rx header and change the flags */
- *reply_rx = *req_rx;
- reply_rx->rx_flags = 4;
-
- rv = -1;
-
- if (service == 0x2db && (request == 0x15 || request == 0x16)) {
- if (debug)
- fprintf(stderr, "Handling Authenticate request\n");
- rv = Authenticate(context, handle, from, req, reply);
- }
- if (service == 0x2dc && request == 0x17) {
- if (debug)
- fprintf(stderr, "Handling GetTicket request\n");
- rv = GetTicket(context, handle, from, req, reply);
- }
-/*
- if (service == 0x2db && request == 0x1) {
- rv = Authenticate_old(from, req, reply);
- }
- if (service == 0x2dc && request == 0x3) {
- rv = GetTicket_old(from, req, reply);
- }
- */
- if (rv == -1) {
- syslog(LOG_INFO, "bogus request %d/%d", service, request);
- rv = KABADREQUEST;
- }
-
- if (rv) {
- /* send the error back to rx */
- reply->len = sizeof (*reply_rx);
-
- reply_rx->rx_type = 4;
- reply_rx->rx_flags = 0;
- reply_rx->rx_request = ntohl(rv);
- }
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- int s, rv, ch, mflag = 0;
- u_short port;
- struct sockaddr_in sin;
- int forwarders[MAXFORWARDERS], num_forwarders;
- krb5_context context;
- krb5_error_code code;
- krb5_keyblock mkey;
- krb5_principal master_princ;
- kadm5_principal_ent_rec master_princ_rec;
- void *handle;
- facility_mapping *mapping;
- int facility = LOG_DAEMON;
-
- extern char *optarg;
-
- port = 7004;
- num_forwarders = 0;
-
- /*
- * Parse args.
- */
- while ((ch = getopt(argc, argv, "c:df:l:mp:r:")) != -1) {
- switch (ch) {
- case 'c':
- localcell = optarg;
- break;
- case 'd':
- debug++;
- break;
- case 'f': {
- struct hostent *hp;
-
- if (num_forwarders++ >= MAXFORWARDERS)
- pexit("too many forwarders\n");
-
- hp = gethostbyname(optarg);
- if (!hp) {
- printf("unknown host %s\n", optarg);
- exit(1);
- }
- forwarders[num_forwarders - 1] = *(int *)hp->h_addr;
-
- break;
- }
- case 'l':
- for (mapping = mappings; mapping->string != NULL; mapping++)
- if (strcmp(mapping->string, optarg) == 0)
- break;
-
- if (mapping->string == NULL) {
- printf("Unknown facility \"%s\"\n", optarg);
- exit(1);
- }
-
- facility = mapping->num;
- break;
- case 'm':
- mflag = 1;
- break;
- case 'p':
- if (isdigit(*optarg)) {
- port = atoi(optarg);
- }
- else {
- struct servent *sp;
-
- sp = getservbyname(optarg, "udp");
- if (!sp) {
- printf("unknown service %s\n", optarg);
- exit(1);
- }
- port = sp->s_port;
- }
- break;
- case 'r':
- localrealm = optarg;
- break;
- default:
- printf("usage: %s [-c cell] [-d] [-f forwarder-host] [-l facility ] [-p port] [-r realm]\n",
- argv[0]);
- exit(1);
- }
- }
-
- openlog("fakeka", LOG_PID, facility);
-
- port = htons(port);
-
- /*
- * Set up the socket.
- */
-
- s = socket(AF_INET, SOCK_DGRAM, 0);
- if (s < 0)
- perrorexit("Couldn't create socket");
- set_cloexec_fd(s);
-
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = 0;
- sin.sin_port = port;
-
- rv = bind(s, (struct sockaddr *)&sin, sizeof(sin));
- if (rv < 0)
- perrorexit("Couldn't bind socket");
-
- /*
- * Initialize kerberos stuff and kadm5 stuff.
- */
-
- if ((code = krb5int_init_context_kdc(&context))) {
- com_err(argv[0], code, "while initializing Kerberos");
- exit(1);
- }
-
- if (!localrealm && (code = krb5_get_default_realm(context, &localrealm))) {
- com_err(argv[0], code, "while getting local realm");
- exit(1);
- }
-
- if (!localcell)
- localcell = localrealm;
-
- if ((code = kadm5_init_with_password(progname, NULL, KADM5_ADMIN_SERVICE,
- NULL, KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- (char **) NULL, /* db_args */
- &handle))) {
- com_err(argv[0], code, "while initializing Kadm5");
- exit(1);
- }
-
- if ((code = kadm5_get_config_params(context, 1, NULL,
- &realm_params))) {
- com_err(argv[0], code, "while getting realm parameters");
- exit(1);
- }
-
- if (! (realm_params.mask & KADM5_CONFIG_MAX_LIFE)) {
- fprintf(stderr, "Cannot determine maximum ticket lifetime\n");
- exit(1);
- }
-
- /*
- * We need to initialize the random number generator for DES. Use
- * the master key to do this.
- */
-
- if ((code = krb5_parse_name(context, realm_params.mask &
- KADM5_CONFIG_MKEY_NAME ?
- realm_params.mkey_name : "K/M",
- &master_princ))) {
- com_err(argv[0], code, "while parsing master key name");
- exit(1);
- }
-
- if ((code = kadm5_get_principal(handle, master_princ, &master_princ_rec,
- KADM5_KEY_DATA))) {
- com_err(argv[0], code, "while getting master key data");
- exit(1);
- }
-
- if ((code = kadm5_decrypt_key(handle, &master_princ_rec,
- ENCTYPE_DES_CBC_CRC, -1, 0, &mkey, NULL,
- NULL))) {
- com_err(argv[0], code, "while decrypting the master key");
- exit(1);
- }
-
- des_init_random_number_generator(mkey.contents);
-
- krb5_free_keyblock_contents(context, &mkey);
-
- kadm5_free_principal_ent(handle, &master_princ_rec);
-
- krb5_free_principal(context, master_princ);
-
- /*
- * Fork and go into the background, if requested
- */
-
- if (!debug && mflag && daemon(0, 0)) {
- com_err(argv[0], errno, "while detaching from tty");
- }
-
- /*
- * rpc server loop.
- */
-
- for (;;) {
- struct packet req, reply;
- int sinlen, packetlen, i, forwarded;
- char *from;
-
- sinlen = sizeof(sin);
- forwarded = 0;
-
- memset(req.data, 0, sizeof(req.data));
- rv = recvfrom(s, req.data, sizeof(req.data),
- 0, (struct sockaddr *)&sin, &sinlen);
-
- if (rv < 0) {
- syslog(LOG_ERR, "recvfrom failed: %m");
- sleep(1);
- continue;
- }
- packetlen = rv;
-
- for (i = 0; i < num_forwarders; i++) {
- if (sin.sin_addr.s_addr == forwarders[i]) {
- forwarded = 1;
- break;
- }
- }
-
- if ((code = krb5_timeofday(context, &req_time))) {
- syslog(LOG_ERR, "krb5_timeofday failed: %s",
- error_message(code));
- continue;
- }
-
- memset(reply.data, 0, sizeof(reply.data));
- req.len = packetlen;
- req.base = req.data;
- reply.base = reply.data;
- reply.len = sizeof(reply.data);
-
- if (forwarded) {
- struct in_addr ia;
-
- memcpy(&ia.s_addr, req.data, 4);
- from = inet_ntoa(ia);
- /*
- * copy the forwarder header and adjust the bases and lengths.
- */
- memcpy(reply.data, req.data, HEADER_LEN);
- req.base += HEADER_LEN;
- req.len -= HEADER_LEN;
- reply.base += HEADER_LEN;
- reply.len -= HEADER_LEN;
- }
- else {
- from = inet_ntoa(sin.sin_addr);
- }
-
- process(context, handle, from, &req, &reply);
-
- if (reply.len == 0)
- continue;
-
- if (forwarded) {
- /* re-adjust the length to account for the forwarder header */
- reply.len += HEADER_LEN;
- }
-
- rv = sendto(s, reply.data, reply.len,
- 0, (struct sockaddr *)&sin, sinlen);
- if (rv < 0) {
- syslog(LOG_ERR, "sendto failed: %m");
- sleep(1);
- }
- }
- /*NOTREACHED*/
-}
Modified: branches/mkey_migrate/src/kdc/kdc_authdata.c
===================================================================
--- branches/mkey_migrate/src/kdc/kdc_authdata.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/kdc_authdata.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,6 +2,7 @@
* kdc/kdc_authdata.c
*
* Copyright (C) 2007 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -42,157 +43,156 @@
static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL };
#endif
-typedef krb5_error_code (*authdata_proc)
+/* MIT Kerberos 1.6 (V0) authdata plugin callback */
+typedef krb5_error_code (*authdata_proc_0)
(krb5_context, krb5_db_entry *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part * enc_tkt_reply);
-
+/* MIT Kerberos 1.7 (V1) authdata plugin callback */
+typedef krb5_error_code (*authdata_proc_1)
+ (krb5_context, unsigned int flags,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
typedef krb5_error_code (*init_proc)
(krb5_context, void **);
typedef void (*fini_proc)
(krb5_context, void *);
+/* Internal authdata system for copying TGS-REQ authdata to ticket */
+static krb5_error_code handle_request_authdata
+ (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+
+/* Internal authdata system for handling KDC-issued authdata */
+static krb5_error_code handle_tgt_authdata
+ (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+
typedef struct _krb5_authdata_systems {
const char *name;
+#define AUTHDATA_SYSTEM_UNKNOWN -1
+#define AUTHDATA_SYSTEM_V0 0
+#define AUTHDATA_SYSTEM_V1 1
int type;
+#define AUTHDATA_FLAG_CRITICAL 0x1
int flags;
void *plugin_context;
init_proc init;
fini_proc fini;
- authdata_proc handle_authdata;
+ union {
+ authdata_proc_1 v1;
+ authdata_proc_0 v0;
+ } handle_authdata;
} krb5_authdata_systems;
-#undef GREET_PREAUTH
-
-#ifdef GREET_PREAUTH
-static krb5_error_code
-greet_init(krb5_context ctx, void **blob)
-{
- *blob = "hello";
- return 0;
-}
-
-static void
-greet_fini(krb5_context ctx, void *blob)
-{
-}
-
-static krb5_error_code
-greet_authdata(krb5_context ctx, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply)
-{
-#define GREET_SIZE (20)
-
- char *p;
- krb5_authdata *a;
- size_t count;
- krb5_authdata **new_ad;
-
- krb5_klog_syslog (LOG_DEBUG, "in greet_authdata");
-
- p = calloc(1, GREET_SIZE);
- a = calloc(1, sizeof(*a));
-
- if (p == NULL || a == NULL) {
- free(p);
- free(a);
- return ENOMEM;
- }
- strcpy(p, "hello");
- a->magic = KV5M_AUTHDATA;
- a->ad_type = -42;
- a->length = GREET_SIZE;
- a->contents = p;
- if (enc_tkt_reply->authorization_data == 0) {
- count = 0;
- } else {
- for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++)
- ;
- }
- new_ad = realloc(enc_tkt_reply->authorization_data,
- (count+2) * sizeof(krb5_authdata *));
- if (new_ad == NULL) {
- free(p);
- free(a);
- return ENOMEM;
- }
- enc_tkt_reply->authorization_data = new_ad;
- new_ad[count] = a;
- new_ad[count+1] = NULL;
- return 0;
-}
-#endif
-
static krb5_authdata_systems static_authdata_systems[] = {
-#ifdef GREET_PREAUTH
- { "greeting", 0, 0, 0, greet_init, greet_fini, greet_authdata },
-#endif
- { "[end]", -1,}
+ { "tgs_req", AUTHDATA_SYSTEM_V1, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_request_authdata } },
+ { "tgt", AUTHDATA_SYSTEM_V1, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_tgt_authdata } },
};
static krb5_authdata_systems *authdata_systems;
static int n_authdata_systems;
static struct plugin_dir_handle authdata_plugins;
+/* Load both v0 and v1 authdata plugins */
krb5_error_code
load_authdata_plugins(krb5_context context)
{
- struct errinfo err;
- void **authdata_plugins_ftables = NULL;
- struct krb5plugin_authdata_ftable_v0 *ftable = NULL;
+ void **authdata_plugins_ftables_v0 = NULL;
+ void **authdata_plugins_ftables_v1 = NULL;
size_t module_count;
- int i, k;
+ size_t i, k;
init_proc server_init_proc = NULL;
+ krb5_error_code code;
- memset(&err, 0, sizeof(err));
-
/* Attempt to load all of the authdata plugins we can find. */
PLUGIN_DIR_INIT(&authdata_plugins);
if (PLUGIN_DIR_OPEN(&authdata_plugins) == 0) {
if (krb5int_open_plugin_dirs(objdirs, NULL,
- &authdata_plugins, &err) != 0) {
+ &authdata_plugins, &context->err) != 0) {
return KRB5_PLUGIN_NO_HANDLE;
}
}
/* Get the method tables provided by the loaded plugins. */
- authdata_plugins_ftables = NULL;
+ authdata_plugins_ftables_v0 = NULL;
+ authdata_plugins_ftables_v1 = NULL;
n_authdata_systems = 0;
+
if (krb5int_get_plugin_dir_data(&authdata_plugins,
+ "authdata_server_1",
+ &authdata_plugins_ftables_v1, &context->err) != 0 ||
+ krb5int_get_plugin_dir_data(&authdata_plugins,
"authdata_server_0",
- &authdata_plugins_ftables, &err) != 0) {
- return KRB5_PLUGIN_NO_HANDLE;
+ &authdata_plugins_ftables_v0, &context->err) != 0) {
+ code = KRB5_PLUGIN_NO_HANDLE;
+ goto cleanup;
}
/* Count the valid modules. */
module_count = sizeof(static_authdata_systems)
/ sizeof(static_authdata_systems[0]);
- if (authdata_plugins_ftables != NULL) {
- for (i = 0; authdata_plugins_ftables[i] != NULL; i++) {
- ftable = authdata_plugins_ftables[i];
- if ((ftable->authdata_proc != NULL)) {
+
+ if (authdata_plugins_ftables_v1 != NULL) {
+ struct krb5plugin_authdata_ftable_v1 *ftable;
+
+ for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
+ ftable = authdata_plugins_ftables_v1[i];
+ if (ftable->authdata_proc != NULL)
module_count++;
- }
}
}
+
+ if (authdata_plugins_ftables_v0 != NULL) {
+ struct krb5plugin_authdata_ftable_v0 *ftable;
+ for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
+ ftable = authdata_plugins_ftables_v0[i];
+ if (ftable->authdata_proc != NULL)
+ module_count++;
+ }
+ }
+
/* Build the complete list of supported authdata options, and
* leave room for a terminator entry. */
authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems));
if (authdata_systems == NULL) {
- krb5int_free_plugin_dir_data(authdata_plugins_ftables);
- return ENOMEM;
+ code = ENOMEM;
+ goto cleanup;
}
/* Add the locally-supplied mechanisms to the dynamic list first. */
for (i = 0, k = 0;
i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
i++) {
- if (static_authdata_systems[i].type == -1)
- break;
authdata_systems[k] = static_authdata_systems[i];
/* Try to initialize the authdata system. If it fails, we'll remove it
* from the list of systems we'll be using. */
@@ -205,13 +205,15 @@
k++;
}
- /* Now add the dynamically-loaded mechanisms to the list. */
- if (authdata_plugins_ftables != NULL) {
- for (i = 0; authdata_plugins_ftables[i] != NULL; i++) {
+ /* Add dynamically loaded V1 plugins */
+ if (authdata_plugins_ftables_v1 != NULL) {
+ struct krb5plugin_authdata_ftable_v1 *ftable;
+
+ for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
krb5_error_code initerr;
void *pctx = NULL;
- ftable = authdata_plugins_ftables[i];
+ ftable = authdata_plugins_ftables_v1[i];
if ((ftable->authdata_proc == NULL)) {
continue;
}
@@ -232,19 +234,66 @@
}
authdata_systems[k].name = ftable->name;
+ authdata_systems[k].type = AUTHDATA_SYSTEM_V1;
authdata_systems[k].init = server_init_proc;
authdata_systems[k].fini = ftable->fini_proc;
- authdata_systems[k].handle_authdata = ftable->authdata_proc;
+ authdata_systems[k].handle_authdata.v1 = ftable->authdata_proc;
authdata_systems[k].plugin_context = pctx;
k++;
}
- krb5int_free_plugin_dir_data(authdata_plugins_ftables);
}
+
+ /* Add dynamically loaded V0 plugins */
+ if (authdata_plugins_ftables_v0 != NULL) {
+ struct krb5plugin_authdata_ftable_v0 *ftable;
+
+ for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
+ krb5_error_code initerr;
+ void *pctx = NULL;
+
+ ftable = authdata_plugins_ftables_v0[i];
+ if ((ftable->authdata_proc == NULL)) {
+ continue;
+ }
+ server_init_proc = ftable->init_proc;
+ if ((server_init_proc != NULL) &&
+ ((initerr = (*server_init_proc)(context, &pctx)) != 0)) {
+ const char *emsg;
+ emsg = krb5_get_error_message(context, initerr);
+ if (emsg) {
+ krb5_klog_syslog(LOG_ERR,
+ "authdata %s failed to initialize: %s",
+ ftable->name, emsg);
+ krb5_free_error_message(context, emsg);
+ }
+ memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
+
+ continue;
+ }
+
+ authdata_systems[k].name = ftable->name;
+ authdata_systems[k].type = AUTHDATA_SYSTEM_V0;
+ authdata_systems[k].init = server_init_proc;
+ authdata_systems[k].fini = ftable->fini_proc;
+ authdata_systems[k].handle_authdata.v0 = ftable->authdata_proc;
+ authdata_systems[k].plugin_context = pctx;
+ k++;
+ }
+ }
+
n_authdata_systems = k;
/* Add the end-of-list marker. */
authdata_systems[k].name = "[end]";
- authdata_systems[k].type = -1;
- return 0;
+ authdata_systems[k].type = AUTHDATA_SYSTEM_UNKNOWN;
+ code = 0;
+
+cleanup:
+ if (authdata_plugins_ftables_v1 != NULL)
+ krb5int_free_plugin_dir_data(authdata_plugins_ftables_v1);
+ if (authdata_plugins_ftables_v0 != NULL)
+ krb5int_free_plugin_dir_data(authdata_plugins_ftables_v0);
+
+ return code;
}
krb5_error_code
@@ -267,33 +316,296 @@
return 0;
}
+/* Merge authdata. If copy == 0, in_authdata is invalid on return */
+static krb5_error_code
+merge_authdata (krb5_context context,
+ krb5_authdata **in_authdata,
+ krb5_authdata ***out_authdata,
+ krb5_boolean copy)
+{
+ size_t i, nadata = 0;
+ krb5_authdata **authdata = *out_authdata;
+
+ if (in_authdata == NULL || in_authdata[0] == NULL)
+ return 0;
+
+ if (authdata != NULL) {
+ for (nadata = 0; authdata[nadata] != NULL; nadata++)
+ ;
+ }
+
+ for (i = 0; in_authdata[i] != NULL; i++)
+ ;
+
+ if (authdata == NULL) {
+ authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *));
+ } else {
+ authdata = (krb5_authdata **)realloc(authdata,
+ ((nadata + i + 1) * sizeof(krb5_authdata *)));
+ }
+ if (authdata == NULL)
+ return ENOMEM;
+
+ if (copy) {
+ krb5_error_code code;
+ krb5_authdata **tmp;
+
+ code = krb5_copy_authdata(context, in_authdata, &tmp);
+ if (code != 0)
+ return code;
+
+ in_authdata = tmp;
+ }
+
+ for (i = 0; in_authdata[i] != NULL; i++)
+ authdata[nadata + i] = in_authdata[i];
+
+ authdata[nadata + i] = NULL;
+
+ free(in_authdata);
+
+ *out_authdata = authdata;
+
+ return 0;
+}
+
+/* Handle copying TGS-REQ authorization data into reply */
+static krb5_error_code
+handle_request_authdata (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply)
+{
+ krb5_error_code code;
+ krb5_data scratch;
+
+ if (request->msg_type != KRB5_TGS_REQ ||
+ request->authorization_data.ciphertext.data == NULL)
+ return 0;
+
+ assert(enc_tkt_request != NULL);
+
+ scratch.length = request->authorization_data.ciphertext.length;
+ scratch.data = malloc(scratch.length);
+ if (scratch.data == NULL)
+ return ENOMEM;
+
+ code = krb5_c_decrypt(context,
+ enc_tkt_request->session,
+ KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
+ 0, &request->authorization_data,
+ &scratch);
+ if (code != 0) {
+ free(scratch.data);
+ return code;
+ }
+
+ /* scratch now has the authorization data, so we decode it, and make
+ * it available to subsequent authdata plugins */
+ code = decode_krb5_authdata(&scratch, &request->unenc_authdata);
+ if (code != 0) {
+ free(scratch.data);
+ return code;
+ }
+
+ free(scratch.data);
+
+ code = merge_authdata(context, request->unenc_authdata,
+ &enc_tkt_reply->authorization_data, TRUE /* copy */);
+
+ return code;
+}
+
+/* Handle backend-managed authorization data */
+static krb5_error_code
+handle_tgt_authdata (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply)
+{
+ krb5_error_code code;
+ krb5_authdata **db_authdata = NULL;
+ krb5_db_entry ad_entry;
+ int ad_nprincs = 0;
+ krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
+ krb5_const_principal actual_client;
+
+ /*
+ * Check whether KDC issued authorization data should be included.
+ * A server can explicitly disable the inclusion of authorization
+ * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its
+ * principal entry. Otherwise authorization data will be included
+ * if it was present in the TGT, the client is from another realm
+ * or protocol transition/constrained delegation was used, or, in
+ * the AS-REQ case, if the pre-auth data indicated the PAC should
+ * be present.
+ *
+ * We permit sign_authorization_data() to return a krb5_db_entry
+ * representing the principal associated with the authorization
+ * data, in case that principal is not local to our realm and we
+ * need to perform additional checks (such as disabling delegation
+ * for cross-realm protocol transition below).
+ */
+ if (tgs_req) {
+ assert(enc_tkt_request != NULL);
+
+ if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED))
+ return 0;
+
+ if (enc_tkt_request->authorization_data == NULL &&
+ !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U))
+ return 0;
+
+ assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime);
+ } else {
+ if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC))
+ return 0;
+ }
+
+ /*
+ * We have this special case for protocol transition, because for
+ * cross-realm protocol transition the ticket reply client will
+ * not be changed until the final hop.
+ */
+ if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
+ actual_client = for_user_princ;
+ else
+ actual_client = enc_tkt_reply->client;
+
+ /*
+ * If the backend does not implement the sign authdata method, then
+ * just copy the TGT authorization data into the reply, except for
+ * the constrained delegation case (which requires special handling
+ * because it will promote untrusted auth data to KDC issued auth
+ * data; this requires backend-specific code)
+ *
+ * Presently this interface does not support using request auth data
+ * to influence (eg. possibly restrict) the reply auth data.
+ */
+ code = sign_db_authdata(context,
+ flags,
+ actual_client,
+ client,
+ server,
+ krbtgt,
+ client_key,
+ server_key, /* U2U or server key */
+ enc_tkt_reply->times.authtime,
+ tgs_req ? enc_tkt_request->authorization_data : NULL,
+ &db_authdata,
+ &ad_entry,
+ &ad_nprincs);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ assert(ad_nprincs == 0);
+ assert(db_authdata == NULL);
+
+ if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
+ return KRB5KDC_ERR_POLICY;
+
+ if (tgs_req)
+ return merge_authdata(context, enc_tkt_request->authorization_data,
+ &enc_tkt_reply->authorization_data, TRUE);
+ else
+ return 0;
+ }
+
+ if (ad_nprincs != 0) {
+ if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+ clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE);
+
+ krb5_db_free_principal(context, &ad_entry, ad_nprincs);
+
+ if (ad_nprincs != 1) {
+ if (db_authdata != NULL)
+ krb5_free_authdata(context, db_authdata);
+ return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+ }
+ }
+
+ if (db_authdata != NULL) {
+ code = merge_authdata(context, db_authdata,
+ &enc_tkt_reply->authorization_data,
+ FALSE);
+ if (code != 0)
+ krb5_free_authdata(context, db_authdata);
+ }
+
+ return code;
+}
+
krb5_error_code
-handle_authdata (krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
+handle_authdata (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
- krb5_error_code retval = 0;
+ krb5_error_code code = 0;
int i;
- const char *emsg;
- krb5_klog_syslog (LOG_DEBUG, "handling authdata");
-
+ assert(enc_tkt_reply->authorization_data == NULL);
for (i = 0; i < n_authdata_systems; i++) {
const krb5_authdata_systems *asys = &authdata_systems[i];
- if (asys->handle_authdata && asys->type != -1) {
- retval = asys->handle_authdata(context, client, req_pkt,
- request, enc_tkt_reply);
- if (retval) {
- emsg = krb5_get_error_message (context, retval);
- krb5_klog_syslog (LOG_INFO,
- "authdata (%s) handling failure: %s",
- asys->name, emsg);
- krb5_free_error_message (context, emsg);
- } else {
- krb5_klog_syslog (LOG_DEBUG, ".. .. ok");
- }
+
+ switch (asys->type) {
+ case AUTHDATA_SYSTEM_V0:
+ /* V0 was only in AS-REQ code path */
+ if (request->msg_type != KRB5_AS_REQ)
+ continue;
+
+ code = (*asys->handle_authdata.v0)(context, client, req_pkt,
+ request, enc_tkt_reply);
+ break;
+ case AUTHDATA_SYSTEM_V1:
+ code = (*asys->handle_authdata.v1)(context, flags,
+ client, server, krbtgt,
+ client_key, server_key,
+ req_pkt, request, for_user_princ,
+ enc_tkt_request,
+ enc_tkt_reply);
+ break;
+ default:
+ code = 0;
+ break;
}
+ if (code != 0) {
+ const char *emsg;
+
+ emsg = krb5_get_error_message (context, code);
+ krb5_klog_syslog (LOG_INFO,
+ "authdata (%s) handling failure: %s",
+ asys->name, emsg);
+ krb5_free_error_message (context, emsg);
+
+ if (asys->flags & AUTHDATA_FLAG_CRITICAL)
+ break;
+ }
}
- return 0;
+ return code;
}
+
Modified: branches/mkey_migrate/src/kdc/kdc_preauth.c
===================================================================
--- branches/mkey_migrate/src/kdc/kdc_preauth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/kdc_preauth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,6 +51,33 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "kdc_util.h"
@@ -236,13 +263,13 @@
"pkinit",
KRB5_PADATA_PK_AS_REQ,
PA_SUFFICIENT,
- NULL, // pa_sys_context
- NULL, // init
- NULL, // fini
+ NULL, /* pa_sys_context */
+ NULL, /* init */
+ NULL, /* fini */
get_pkinit_edata,
verify_pkinit_request,
return_pkinit_response,
- NULL // free_pa_request_context
+ NULL /* free_pa_request_context */
},
#endif /* APPLE_PKINIT */
{
@@ -311,6 +338,27 @@
0,
0
},
+ {
+ "pac-request",
+ KRB5_PADATA_PAC_REQUEST,
+ PA_PSEUDO,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ },
+#if 0
+ {
+ "server-referral",
+ KRB5_PADATA_SERVER_REFERRAL,
+ PA_PSEUDO,
+ 0,
+ 0,
+ return_server_referral
+ },
+#endif
{ "[end]", -1,}
};
@@ -321,21 +369,18 @@
krb5_error_code
load_preauth_plugins(krb5_context context)
{
- struct errinfo err;
void **preauth_plugins_ftables;
struct krb5plugin_preauth_server_ftable_v1 *ftable;
- int module_count, i, j, k;
+ size_t module_count, i, j, k;
void *plugin_context;
preauth_server_init_proc server_init_proc = NULL;
char **kdc_realm_names = NULL;
- memset(&err, 0, sizeof(err));
-
/* Attempt to load all of the preauth plugins we can find. */
PLUGIN_DIR_INIT(&preauth_plugins);
if (PLUGIN_DIR_OPEN(&preauth_plugins) == 0) {
if (krb5int_open_plugin_dirs(objdirs, NULL,
- &preauth_plugins, &err) != 0) {
+ &preauth_plugins, &context->err) != 0) {
return KRB5_PLUGIN_NO_HANDLE;
}
}
@@ -344,7 +389,7 @@
preauth_plugins_ftables = NULL;
if (krb5int_get_plugin_dir_data(&preauth_plugins,
"preauthentication_server_1",
- &preauth_plugins_ftables, &err) != 0) {
+ &preauth_plugins_ftables, &context->err) != 0) {
return KRB5_PLUGIN_NO_HANDLE;
}
@@ -384,7 +429,7 @@
krb5int_free_plugin_dir_data(preauth_plugins_ftables);
return ENOMEM;
}
- for (i = 0; i < kdc_numrealms; i++) {
+ for (i = 0; i < (size_t)kdc_numrealms; i++) {
kdc_realm_names[i] = kdc_realmlist[i]->realm_name;
}
kdc_realm_names[i] = NULL;
@@ -901,8 +946,7 @@
"%spreauth required but hint list is empty",
hw_only ? "hw" : "");
}
- retval = encode_krb5_padata_sequence((const krb5_pa_data **) pa_data,
- &edat);
+ retval = encode_krb5_padata_sequence(pa_data, &edat);
if (retval)
goto errout;
*e_data = *edat;
@@ -1108,11 +1152,12 @@
krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
krb5_free_error_message(context, emsg);
}
+
/* The following switch statement allows us
* to return some preauth system errors back to the client.
*/
switch(retval) {
- case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ case 0: /* in case of PA-PAC-REQUEST with no PA-ENC-TIMESTAMP */
case KRB5KRB_AP_ERR_SKEW:
case KRB5KDC_ERR_ETYPE_NOSUPP:
/* rfc 4556 */
@@ -1136,6 +1181,7 @@
/* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */
/* case KRB5KDC_ERR_KEY_TOO_WEAK: */
return retval;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
default:
return KRB5KDC_ERR_PREAUTH_FAILED;
}
@@ -1299,7 +1345,7 @@
krb5_timestamp timenow;
krb5_error_code decrypt_err = 0;
- scratch.data = pa->contents;
+ scratch.data = (char *)pa->contents;
scratch.length = pa->length;
enc_ts_data.data = 0;
@@ -1508,10 +1554,9 @@
}
}
if (etype_info2)
- retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
- &scratch);
- else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
- &scratch);
+ retval = encode_krb5_etype_info2(entry, &scratch);
+ else
+ retval = encode_krb5_etype_info(entry, &scratch);
if (retval)
goto cleanup;
pa_data->contents = (unsigned char *)scratch->data;
@@ -1603,13 +1648,13 @@
goto cleanup;
if (etype_info2)
- retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
+ retval = encode_krb5_etype_info2(entry, &scratch);
else
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry, &scratch);
+ retval = encode_krb5_etype_info(entry, &scratch);
if (retval)
goto cleanup;
- tmp_padata->contents = scratch->data;
+ tmp_padata->contents = (krb5_octet *)scratch->data;
tmp_padata->length = scratch->length;
*send_pa = tmp_padata;
@@ -1779,7 +1824,7 @@
* all this once.
*/
- scratch.data = in_padata->contents;
+ scratch.data = (char *)in_padata->contents;
scratch.length = in_padata->length;
if ((retval = decode_krb5_sam_response(&scratch, &sr))) {
@@ -2092,7 +2137,7 @@
if (retval) goto cleanup;
pa_data->magic = KV5M_PA_DATA;
pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE;
- pa_data->contents = scratch->data;
+ pa_data->contents = (krb5_octet *)scratch->data;
pa_data->length = scratch->length;
retval = 0;
@@ -2260,7 +2305,7 @@
if (retval) goto cleanup;
pa_data->magic = KV5M_PA_DATA;
pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE;
- pa_data->contents = scratch->data;
+ pa_data->contents = (krb5_octet *)scratch->data;
pa_data->length = scratch->length;
retval = 0;
@@ -2291,7 +2336,7 @@
krb5_timestamp timenow;
char *princ_req = 0, *princ_psr = 0;
- scratch.data = pa->contents;
+ scratch.data = (char *)pa->contents;
scratch.length = pa->length;
if ((retval = decode_krb5_sam_response(&scratch, &sr))) {
@@ -2862,3 +2907,146 @@
}
#endif /* APPLE_PKINIT */
+
+/*
+ * Returns TRUE if the PAC should be included
+ */
+krb5_boolean
+include_pac_p(krb5_context context, krb5_kdc_req *request)
+{
+ krb5_error_code code;
+ krb5_pa_data **padata;
+ krb5_boolean retval = TRUE; /* default is to return PAC */
+ krb5_data data;
+ krb5_pa_pac_req *req = NULL;
+
+ if (request->padata == NULL) {
+ return retval;
+ }
+
+ for (padata = request->padata; *padata != NULL; padata++) {
+ if ((*padata)->pa_type == KRB5_PADATA_PAC_REQUEST) {
+ data.data = (char *)(*padata)->contents;
+ data.length = (*padata)->length;
+
+ code = decode_krb5_pa_pac_req(&data, &req);
+ if (code == 0) {
+ retval = req->include_pac;
+ krb5_free_pa_pac_req(context, req);
+ req = NULL;
+ }
+ break;
+ }
+ }
+
+ return retval;
+}
+
+krb5_error_code
+return_svr_referral_data(krb5_context context,
+ krb5_db_entry *server,
+ krb5_enc_kdc_rep_part *reply_encpart)
+{
+ krb5_error_code code;
+ krb5_tl_data tl_data;
+ krb5_pa_data *pa_data;
+
+ /* This should be initialized and only used for Win2K compat */
+ assert(reply_encpart->enc_padata == NULL);
+
+ tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA;
+
+ code = krb5_dbe_lookup_tl_data(context, server, &tl_data);
+ if (code || tl_data.tl_data_length == 0)
+ return 0; /* no server referrals to return */
+
+ pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data));
+ if (pa_data == NULL)
+ return ENOMEM;
+
+ pa_data->magic = KV5M_PA_DATA;
+ pa_data->pa_type = KRB5_PADATA_SVR_REFERRAL_INFO;
+ pa_data->length = tl_data.tl_data_length;
+ pa_data->contents = malloc(pa_data->length);
+ if (pa_data->contents == NULL) {
+ free(pa_data);
+ return ENOMEM;
+ }
+ memcpy(pa_data->contents, tl_data.tl_data_contents, tl_data.tl_data_length);
+
+ reply_encpart->enc_padata = (krb5_pa_data **)calloc(2, sizeof(krb5_pa_data *));
+ if (reply_encpart->enc_padata == NULL) {
+ free(pa_data->contents);
+ free(pa_data);
+ return ENOMEM;
+ }
+
+ reply_encpart->enc_padata[0] = pa_data;
+ reply_encpart->enc_padata[1] = NULL;
+
+ return 0;
+}
+
+#if 0
+static krb5_error_code return_server_referral(krb5_context context,
+ krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa)
+{
+ krb5_error_code code;
+ krb5_tl_data tl_data;
+ krb5_pa_data *pa_data;
+ krb5_enc_data enc_data;
+ krb5_data plain;
+ krb5_data *enc_pa_data;
+
+ *send_pa = NULL;
+
+ tl_data.tl_data_type = KRB5_TL_SERVER_REFERRAL;
+
+ code = krb5_dbe_lookup_tl_data(context, server, &tl_data);
+ if (code || tl_data.tl_data_length == 0)
+ return 0; /* no server referrals to return */
+
+ plain.length = tl_data.tl_data_length;
+ plain.data = tl_data.tl_data_contents;
+
+ /* Encrypt ServerReferralData */
+ code = krb5_encrypt_helper(context, encrypting_key,
+ KRB5_KEYUSAGE_PA_SERVER_REFERRAL_DATA,
+ &plain, &enc_data);
+ if (code)
+ return code;
+
+ /* Encode ServerReferralData into PA-SERVER-REFERRAL-DATA */
+ code = encode_krb5_enc_data(&enc_data, &enc_pa_data);
+ if (code) {
+ krb5_free_data_contents(context, &enc_data.ciphertext);
+ return code;
+ }
+
+ krb5_free_data_contents(context, &enc_data.ciphertext);
+
+ /* Return PA-SERVER-REFERRAL-DATA */
+ pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data));
+ if (pa_data == NULL) {
+ krb5_free_data(context, enc_pa_data);
+ return ENOMEM;
+ }
+
+ pa_data->magic = KV5M_PA_DATA;
+ pa_data->pa_type = KRB5_PADATA_SVR_REFERRAL_INFO;
+ pa_data->length = enc_pa_data->length;
+ pa_data->contents = enc_pa_data->data;
+
+ free(enc_pa_data); /* don't free contents */
+
+ *send_pa = pa_data;
+
+ return 0;
+}
+#endif
Modified: branches/mkey_migrate/src/kdc/kdc_util.c
===================================================================
--- branches/mkey_migrate/src/kdc/kdc_util.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/kdc_util.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,33 @@
*
* Utility functions for the KDC implementation.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "kdc_util.h"
@@ -135,19 +162,22 @@
}
krb5_boolean
-realm_compare(krb5_principal princ1, krb5_principal princ2)
+realm_compare(krb5_const_principal princ1, krb5_const_principal princ2)
{
- krb5_data *realm1 = krb5_princ_realm(kdc_context, princ1);
- krb5_data *realm2 = krb5_princ_realm(kdc_context, princ2);
+ return krb5_realm_compare(kdc_context, princ1, princ2);
+}
- return data_eq(*realm1, *realm2);
+krb5_boolean
+is_local_principal(krb5_const_principal princ1)
+{
+ return krb5_realm_compare(kdc_context, princ1, tgs_server);
}
/*
* Returns TRUE if the kerberos principal is the name of a Kerberos ticket
* service.
*/
-krb5_boolean krb5_is_tgs_principal(krb5_principal principal)
+krb5_boolean krb5_is_tgs_principal(krb5_const_principal principal)
{
if ((krb5_princ_size(kdc_context, principal) > 0) &&
data_eq_string (*krb5_princ_component(kdc_context, principal, 0),
@@ -186,12 +216,29 @@
return(0);
}
+krb5_pa_data *
+find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type)
+{
+ krb5_pa_data **tmppa;
+
+ if (padata == NULL)
+ return NULL;
+
+ for (tmppa = padata; *tmppa != NULL; tmppa++) {
+ if ((*tmppa)->pa_type == pa_type)
+ break;
+ }
+
+ return *tmppa;
+}
+
krb5_error_code
kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
krb5_data *pkt, krb5_ticket **ticket,
+ krb5_db_entry *krbtgt, int *nprincs,
krb5_keyblock **subkey)
{
- krb5_pa_data ** tmppa;
+ krb5_pa_data * tmppa;
krb5_ap_req * apreq;
krb5_error_code retval;
krb5_data scratch1;
@@ -200,23 +247,20 @@
krb5_auth_context auth_context = NULL;
krb5_authenticator * authenticator = NULL;
krb5_checksum * his_cksum = NULL;
-/* krb5_keyblock * key = NULL;*/
-/* krb5_kvno kvno = 0;*/
+ krb5_keyblock * key = NULL;
+ krb5_kvno kvno = 0;
- if (!request->padata)
+ *nprincs = 0;
+
+ tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ);
+ if (!tmppa)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
- for (tmppa = request->padata; *tmppa; tmppa++) {
- if ((*tmppa)->pa_type == KRB5_PADATA_AP_REQ)
- break;
- }
- if (!*tmppa) /* cannot find any AP_REQ */
- return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
- scratch1.length = (*tmppa)->length;
- scratch1.data = (char *)(*tmppa)->contents;
+ scratch1.length = tmppa->length;
+ scratch1.data = (char *)tmppa->contents;
if ((retval = decode_krb5_ap_req(&scratch1, &apreq)))
return retval;
-
+
if (isflagset(apreq->ap_options, AP_OPTS_USE_SESSION_KEY) ||
isflagset(apreq->ap_options, AP_OPTS_MUTUAL_REQUIRED)) {
krb5_klog_syslog(LOG_INFO, "TGS_REQ: SESSION KEY or MUTUAL");
@@ -234,9 +278,7 @@
we set a flag here for checking below.
*/
- if (!data_eq(*krb5_princ_realm(kdc_context, apreq->ticket->server),
- *krb5_princ_realm(kdc_context, tgs_server)))
- foreign_server = TRUE;
+ foreign_server = !is_local_principal(apreq->ticket->server);
if ((retval = krb5_auth_con_init(kdc_context, &auth_context)))
goto cleanup;
@@ -250,21 +292,15 @@
goto cleanup_auth_context;
#endif
-/*
- if ((retval = kdc_get_server_key(apreq->ticket, &key, &kvno)))
+ if ((retval = kdc_get_server_key(apreq->ticket, 0, krbtgt, nprincs, &key, &kvno)))
goto cleanup_auth_context;
-*/
-
/*
- * XXX This is currently wrong but to fix it will require making a
- * new keytab for groveling over the kdb.
+ * We do not use the KDB keytab because other parts of the TGS need the TGT key.
*/
-/*
retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, key);
krb5_free_keyblock(kdc_context, key);
if (retval)
goto cleanup_auth_context;
-*/
if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq,
apreq->ticket->server,
@@ -322,11 +358,8 @@
}
/* make sure the client is of proper lineage (see above) */
- if (foreign_server) {
- krb5_data *tkt_realm = krb5_princ_realm(kdc_context,
- (*ticket)->enc_part2->client);
- krb5_data *tgs_realm = krb5_princ_realm(kdc_context, tgs_server);
- if (data_eq(*tkt_realm, *tgs_realm)) {
+ if (foreign_server && !find_pa_data(request->padata, KRB5_PADATA_FOR_USER)) {
+ if (is_local_principal((*ticket)->enc_part2->client)) {
/* someone in a foreign realm claiming to be local */
krb5_klog_syslog(LOG_INFO, "PROCESS_TGS: failed lineage check");
retval = KRB5KDC_ERR_POLICY;
@@ -374,31 +407,32 @@
* much else. -- tlyu
*/
krb5_error_code
-kdc_get_server_key(krb5_ticket *ticket, krb5_keyblock **key, krb5_kvno *kvno)
+kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
+ krb5_db_entry *server,
+ int *nprincs, krb5_keyblock **key, krb5_kvno *kvno)
{
krb5_error_code retval;
- krb5_db_entry server;
krb5_boolean more;
- int nprincs;
krb5_key_data * server_key;
krb5_keyblock * tmp_mkey;
- nprincs = 1;
+ *nprincs = 1;
- if ((retval = get_principal(kdc_context, ticket->server,
- &server, &nprincs,
- &more))) {
+ retval = krb5_db_get_principal_ext(kdc_context,
+ ticket->server,
+ flags,
+ server,
+ nprincs,
+ &more);
+ if (retval) {
return(retval);
}
if (more) {
- krb5_db_free_principal(kdc_context, &server, nprincs);
return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- } else if (nprincs != 1) {
+ } else if (*nprincs != 1) {
char *sname;
- krb5_db_free_principal(kdc_context, &server, nprincs);
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
- limit_string(sname);
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);
@@ -412,7 +446,7 @@
retval = krb5_dbe_find_enctype(kdc_context, &server,
ticket->enc_part.enctype, -1,
- ticket->enc_part.kvno, &server_key);
+ (krb5_int32)ticket->enc_part.kvno, &server_key);
if (retval)
goto errout;
if (!server_key) {
@@ -424,14 +458,9 @@
retval = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
server_key,
*key, NULL);
- if (retval) {
- free(*key);
- *key = NULL;
- }
} else
retval = ENOMEM;
errout:
- krb5_db_free_principal(kdc_context, &server, nprincs);
return retval;
}
@@ -573,6 +602,7 @@
char *realm;
char *trans;
char *otrans, *otrans_ptr;
+ size_t bufsize;
/* The following are for stepping through the transited field */
@@ -601,7 +631,10 @@
/* +1 for null,
+1 for extra comma which may be added between
+1 for potential space when leading slash in realm */
- if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 3))) {
+ bufsize = strlen(realm) + strlen(otrans) + 3;
+ if (bufsize > MAX_REALM_LN)
+ bufsize = MAX_REALM_LN;
+ if (!(trans = (char *) malloc(bufsize))) {
retval = ENOMEM;
goto fail;
}
@@ -713,7 +746,7 @@
/* Note that the second test here is an unsigned comparison,
so the first half (or a cast) is also required. */
- assert(nlst < 0 || nlst < sizeof(next));
+ assert(nlst < 0 || nlst < (int)sizeof(next));
if ((nlst < 0 || next[nlst] != '.') &&
(next[0] != '/') &&
(pl = subrealm(exp, realm))) {
@@ -789,17 +822,15 @@
}
if (new_trans->length != 0) {
- if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ if (strlcat(trans, ",", bufsize) >= bufsize) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(trans, ",");
}
- if (strlen(trans) + strlen(current) + 1 >= MAX_REALM_LN) {
+ if (strlcat(trans, current, bufsize) >= bufsize) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(trans, current);
new_trans->length = strlen(trans);
strncpy(prev, exp, sizeof(prev) - 1);
@@ -810,24 +841,21 @@
if (!added) {
if (new_trans->length != 0) {
- if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ if (strlcat(trans, ",", bufsize) >= bufsize) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(trans, ",");
}
if((realm[0] == '/') && trans[0]) {
- if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ if (strlcat(trans, " ", bufsize) >= bufsize) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(trans, " ");
}
- if (strlen(trans) + strlen(realm) + 1 >= MAX_REALM_LN) {
+ if (strlcat(trans, realm, bufsize) >= bufsize) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(trans, realm);
new_trans->length = strlen(trans);
}
@@ -907,7 +935,21 @@
*status = "POSTDATE NOT ALLOWED";
return(KDC_ERR_CANNOT_POSTDATE);
}
-
+
+ /*
+ * A Windows KDC will return KDC_ERR_PREAUTH_REQUIRED instead of
+ * KDC_ERR_POLICY in the following case:
+ *
+ * - KDC_OPT_FORWARDABLE is set in KDCOptions but local
+ * policy has KRB5_KDB_DISALLOW_FORWARDABLE set for the
+ * client, and;
+ * - KRB5_KDB_REQUIRES_PRE_AUTH is set for the client but
+ * preauthentication data is absent in the request.
+ *
+ * Hence, this check most be done after the check for preauth
+ * data, and is now performed by validate_forwardable().
+ */
+#if 0
/* Client and server must allow forwardable tickets */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) &&
(isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
@@ -915,6 +957,7 @@
*status = "FORWARDABLE NOT ALLOWED";
return(KDC_ERR_POLICY);
}
+#endif
/* Client and server must allow renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) &&
@@ -935,7 +978,7 @@
/* Check to see if client is locked out */
if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
*status = "CLIENT LOCKED OUT";
- return(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+ return(KDC_ERR_CLIENT_REVOKED);
}
/* Check to see if server is locked out */
@@ -947,13 +990,13 @@
/* Check to see if server is allowed to be a service */
if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
*status = "SERVICE NOT ALLOWED";
- return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ return(KDC_ERR_MUST_USE_USER2USER);
}
/*
* Check against local policy
*/
- errcode = against_local_policy_as(request, server, client,
+ errcode = against_local_policy_as(request, client, server,
kdc_time, status);
if (errcode)
return errcode;
@@ -961,6 +1004,21 @@
return 0;
}
+int
+validate_forwardable(krb5_kdc_req *request, krb5_db_entry client,
+ krb5_db_entry server, krb5_timestamp kdc_time,
+ const char **status)
+{
+ *status = NULL;
+ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) &&
+ (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
+ isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) {
+ *status = "FORWARDABLE NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ } else
+ return 0;
+}
+
#define ASN1_ID_CLASS (0xc0)
#define ASN1_ID_TYPE (0x20)
#define ASN1_ID_TAG (0x1f)
@@ -1068,7 +1126,7 @@
lastlevel = tag;
if (levels == level) {
/* in our context-dependent class, is this the one we're looking for ? */
- if (tag == field) {
+ if (tag == (int)field) {
/* return length and data */
astream++;
savelen = *astream;
@@ -1115,8 +1173,7 @@
KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK | \
KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \
- KDC_OPT_VALIDATE)
-
+ KDC_OPT_VALIDATE | KDC_OPT_CANONICALIZE | KDC_OPT_CNAME_IN_ADDL_TKT)
#define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \
KDC_OPT_VALIDATE)
@@ -1284,7 +1341,7 @@
/* Server must be allowed to be a service */
if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
*status = "SERVER NOT ALLOWED";
- return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ return(KDC_ERR_MUST_USE_USER2USER);
}
/* Check the hot list */
@@ -1330,6 +1387,14 @@
}
st_idx++;
}
+ if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ if (!request->second_ticket ||
+ !request->second_ticket[st_idx]) {
+ *status = "NO_2ND_TKT";
+ return(KDC_ERR_BADOPTION);
+ }
+ st_idx++;
+ }
/* Check for hardware preauthentication */
if (isflagset(server.attributes, KRB5_KDB_REQUIRES_HW_AUTH) &&
@@ -1538,7 +1603,7 @@
snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]);
if (strlen(s) + strlen(stmp) + sizeof("}") > len)
break;
- strcat(s, stmp);
+ strlcat(s, stmp, len);
}
if (i < nktypes) {
/*
@@ -1553,9 +1618,9 @@
continue;
}
}
- strcat(s, "...");
+ strlcat(s, "...", len);
}
- strcat(s, "}");
+ strlcat(s, "}", len);
return;
}
@@ -1575,7 +1640,7 @@
if (rep->ticket != NULL) {
snprintf(stmp, sizeof(stmp),
" tkt=%ld", (long)rep->ticket->enc_part.enctype);
- strcat(s, stmp);
+ strlcat(s, stmp, len);
}
if (rep->ticket != NULL
@@ -1583,9 +1648,9 @@
&& rep->ticket->enc_part2->session != NULL) {
snprintf(stmp, sizeof(stmp), " ses=%ld",
(long)rep->ticket->enc_part2->session->enctype);
- strcat(s, stmp);
+ strlcat(s, stmp, len);
}
- strcat(s, "}");
+ strlcat(s, "}", len);
return;
}
@@ -1609,3 +1674,652 @@
return get_principal_locked (kcontext, search_for, entries, nentries,
more);
}
+
+
+krb5_error_code
+sign_db_authdata (krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgs_authdata,
+ krb5_authdata ***ret_authdata,
+ krb5_db_entry *ad_entry,
+ int *ad_nprincs)
+{
+ krb5_error_code code;
+ kdb_sign_auth_data_req req;
+ kdb_sign_auth_data_rep rep;
+ krb5_data req_data;
+ krb5_data rep_data;
+
+ *ret_authdata = NULL;
+ if (ad_entry != NULL) {
+ assert(ad_nprincs != NULL);
+ memset(ad_entry, 0, sizeof(*ad_entry));
+ *ad_nprincs = 0;
+ }
+
+ memset(&req, 0, sizeof(req));
+ memset(&rep, 0, sizeof(rep));
+
+ req.flags = flags;
+ req.client_princ = client_princ;
+ req.client = client;
+ req.server = server;
+ req.krbtgt = krbtgt;
+ req.client_key = client_key;
+ req.server_key = server_key;
+ req.authtime = authtime;
+ req.auth_data = tgs_authdata;
+
+ rep.entry = ad_entry;
+ rep.nprincs = 0;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = (void *)&rep;
+ rep_data.length = sizeof(rep);
+
+ code = krb5_db_invoke(context,
+ KRB5_KDB_METHOD_SIGN_AUTH_DATA,
+ &req_data,
+ &rep_data);
+
+ *ret_authdata = rep.auth_data;
+ *ad_nprincs = rep.nprincs;
+
+ return code;
+}
+
+static krb5_error_code
+verify_s4u2self_checksum(krb5_context context,
+ krb5_keyblock *key,
+ krb5_pa_for_user *req)
+{
+ krb5_error_code code;
+ int i;
+ krb5_int32 name_type;
+ char *p;
+ krb5_data data;
+ krb5_boolean valid = FALSE;
+
+ if (!krb5_c_is_keyed_cksum(req->cksum.checksum_type)) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
+ /*
+ * Checksum is over name type and string components of
+ * client principal name and auth_package.
+ */
+ data.length = 4;
+ for (i = 0; i < krb5_princ_size(context, req->user); i++) {
+ data.length += krb5_princ_component(context, req->user, i)->length;
+ }
+ data.length += krb5_princ_realm(context, req->user)->length;
+ data.length += req->auth_package.length;
+
+ p = data.data = malloc(data.length);
+ if (data.data == NULL) {
+ return ENOMEM;
+ }
+
+ name_type = krb5_princ_type(context, req->user);
+ p[0] = (name_type >> 0 ) & 0xFF;
+ p[1] = (name_type >> 8 ) & 0xFF;
+ p[2] = (name_type >> 16) & 0xFF;
+ p[3] = (name_type >> 24) & 0xFF;
+ p += 4;
+
+ for (i = 0; i < krb5_princ_size(context, req->user); i++) {
+ memcpy(p, krb5_princ_component(context, req->user, i)->data,
+ krb5_princ_component(context, req->user, i)->length);
+ p += krb5_princ_component(context, req->user, i)->length;
+ }
+
+ memcpy(p, krb5_princ_realm(context, req->user)->data,
+ krb5_princ_realm(context, req->user)->length);
+ p += krb5_princ_realm(context, req->user)->length;
+
+ memcpy(p, req->auth_package.data, req->auth_package.length);
+ p += req->auth_package.length;
+
+ code = krb5_c_verify_checksum(context,
+ key,
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &data,
+ &req->cksum,
+ &valid);
+
+ if (code == 0 && valid == FALSE)
+ code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
+ free(data.data);
+
+ return code;
+}
+
+/*
+ * Protocol transition validation code based on AS-REQ
+ * validation code
+ */
+static int
+validate_s4u2self_request(krb5_kdc_req *request,
+ const krb5_db_entry *client,
+ krb5_timestamp kdc_time,
+ const char **status)
+{
+ int errcode;
+ krb5_db_entry server = { 0 };
+
+ /* The client's password must not be expired, unless the server is
+ a KRB5_KDC_PWCHANGE_SERVICE. */
+ if (client->pw_expiration && client->pw_expiration < kdc_time) {
+ *status = "CLIENT KEY EXPIRED";
+ return KDC_ERR_KEY_EXP;
+ }
+
+ /* The client must not be expired */
+ if (client->expiration && client->expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
+ return KDC_ERR_NAME_EXP;
+ }
+
+ /*
+ * If the client requires password changing, then return an
+ * error; S4U2Self cannot be used to change a password.
+ */
+ if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
+ *status = "REQUIRED PWCHANGE";
+ return KDC_ERR_KEY_EXP;
+ }
+
+ /* Check to see if client is locked out */
+ if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
+ *status = "CLIENT LOCKED OUT";
+ return KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
+ /*
+ * Check against local policy
+ */
+ errcode = against_local_policy_as(request, *client, server,
+ kdc_time, status);
+ if (errcode)
+ return errcode;
+
+ return 0;
+}
+
+/*
+ * Protocol transition (S4U2Self)
+ */
+krb5_error_code
+kdc_process_s4u2self_req(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_const_principal client_princ,
+ const krb5_db_entry *server,
+ krb5_keyblock *subkey,
+ krb5_timestamp kdc_time,
+ krb5_pa_for_user **for_user,
+ krb5_db_entry *princ,
+ int *nprincs,
+ const char **status)
+{
+ krb5_error_code code;
+ krb5_pa_data **pa_data;
+ krb5_data req_data;
+ krb5_boolean more;
+
+ *nprincs = 0;
+ memset(princ, 0, sizeof(*princ));
+
+ if (request->padata == NULL) {
+ return 0;
+ }
+
+ for (pa_data = request->padata; *pa_data != NULL; pa_data++) {
+ if ((*pa_data)->pa_type == KRB5_PADATA_FOR_USER)
+ break;
+ }
+ if (*pa_data == NULL) {
+ return 0;
+ }
+
+#if 0
+ /*
+ * Ignore request if the server principal is a TGS, not so much
+ * to avoid unconstrained tickets being issued (as that would
+ * require knowing the TGS key anyway) but so that we do not
+ * block the server referral path.
+ */
+ if (krb5_is_tgs_principal(server->princ)) {
+ return 0;
+ }
+#endif
+
+ *status = "PROCESS_S4U2SELF_REQUEST";
+
+ req_data.length = (*pa_data)->length;
+ req_data.data = (char *)(*pa_data)->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, for_user);
+ if (code) {
+ return code;
+ }
+
+ if (krb5_princ_type(context, (*for_user)->user) !=
+ KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ *status = "INVALID_S4U2SELF_REQUEST";
+ return KRB5KDC_ERR_POLICY;
+ }
+
+ code = verify_s4u2self_checksum(context, subkey, *for_user);
+ if (code) {
+ *status = "INVALID_S4U2SELF_CHECKSUM";
+ krb5_free_pa_for_user(kdc_context, *for_user);
+ *for_user = NULL;
+ return code;
+ }
+ if (!krb5_principal_compare_flags(context, request->server, client_princ,
+ KRB5_PRINCIPAL_COMPARE_ENTERPRISE)) {
+ *status = "INVALID_S4U2SELF_REQUEST";
+ return KRB5KDC_ERR_POLICY;
+ }
+
+ /*
+ * Protocol transition is mutually exclusive with renew/forward/etc
+ * as well as user-to-user and constrained delegation.
+ *
+ * We can assert from this check that the header ticket was a TGT, as
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NO_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+ /*
+ * Do not attempt to lookup principals in foreign realms.
+ */
+ if (is_local_principal((*for_user)->user)) {
+ *nprincs = 1;
+ code = krb5_db_get_principal_ext(kdc_context,
+ (*for_user)->user,
+ KRB5_KDB_FLAG_INCLUDE_PAC,
+ princ, nprincs, &more);
+ if (code) {
+ *status = "LOOKING_UP_S4U2SELF_PRINCIPAL";
+ *nprincs = 0;
+ return code; /* caller can free for_user */
+ }
+
+ if (more) {
+ *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL";
+ return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+ } else if (*nprincs != 1) {
+ *status = "UNKNOWN_S4U2SELF_PRINCIPAL";
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
+ code = validate_s4u2self_request(request, princ, kdc_time, status);
+ if (code) {
+ return code;
+ }
+ }
+
+ *status = NULL;
+
+ return 0;
+}
+
+static krb5_error_code
+check_allowed_to_delegate_to(krb5_context context,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
+{
+ kdb_check_allowed_to_delegate_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+ krb5_error_code code;
+
+ /* Can't get a TGT (otherwise it would be unconstrained delegation) */
+ if (krb5_is_tgs_principal(proxy)) {
+ return KRB5KDC_ERR_POLICY;
+ }
+
+ /* Must be in same realm */
+ if (!krb5_realm_compare(context, server->princ, proxy)) {
+ return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */
+ }
+
+ req.server = server;
+ req.proxy = proxy;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ code = krb5_db_invoke(context,
+ KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ code = KRB5KDC_ERR_POLICY;
+ }
+
+ assert(rep_data.length == 0);
+
+ return code;
+}
+
+krb5_error_code
+kdc_process_s4u2proxy_req(krb5_context context,
+ krb5_kdc_req *request,
+ const krb5_enc_tkt_part *t2enc,
+ const krb5_db_entry *server,
+ krb5_const_principal server_princ,
+ krb5_const_principal proxy_princ,
+ const char **status)
+{
+ krb5_error_code errcode;
+
+ /*
+ * Constrained delegation is mutually exclusive with renew/forward/etc.
+ * We can assert from this check that the header ticket was a TGT, as
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NO_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+ /* Ensure that evidence ticket server matches TGT client */
+ if (!krb5_principal_compare(kdc_context,
+ server->princ, /* after canon */
+ server_princ)) {
+ return KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+
+ if (!isflagset(t2enc->flags, TKT_FLG_FORWARDABLE)) {
+ *status = "EVIDENCE_TKT_NOT_FORWARDABLE";
+ return KRB5_TKT_NOT_FORWARDABLE;
+ }
+
+ /* Backend policy check */
+ errcode = check_allowed_to_delegate_to(kdc_context,
+ server, proxy_princ);
+ if (errcode) {
+ *status = "NOT_ALLOWED_TO_DELEGATE";
+ return errcode;
+ }
+
+ return 0;
+}
+
+krb5_error_code
+kdc_check_transited_list(krb5_context context,
+ const krb5_data *trans,
+ const krb5_data *realm1,
+ const krb5_data *realm2)
+{
+ krb5_error_code code;
+ kdb_check_transited_realms_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+
+ /* First check using krb5.conf */
+ code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+ if (code)
+ return code;
+
+ memset(&req, 0, sizeof(req));
+
+ req.tr_contents = trans;
+ req.client_realm = realm1;
+ req.server_realm = realm2;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ code = krb5_db_invoke(context,
+ KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ code = 0;
+ }
+
+ assert(rep_data.length == 0);
+
+ return code;
+}
+
+krb5_error_code
+audit_as_request(krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code errcode)
+{
+ krb5_error_code code;
+ kdb_audit_as_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+
+ memset(&req, 0, sizeof(req));
+
+ req.request = request;
+ req.client = client;
+ req.server = server;
+ req.authtime = authtime;
+ req.error_code = errcode;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_AUDIT_AS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ return 0;
+ }
+
+ assert(rep_data.length == 0);
+
+ return code;
+}
+
+krb5_error_code
+audit_tgs_request(krb5_kdc_req *request,
+ krb5_const_principal client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code errcode)
+{
+ krb5_error_code code;
+ kdb_audit_tgs_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+
+ memset(&req, 0, sizeof(req));
+
+ req.request = request;
+ req.client = client;
+ req.server = server;
+ req.authtime = authtime;
+ req.error_code = errcode;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_AUDIT_TGS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ return 0;
+ }
+
+ assert(rep_data.length == 0);
+
+ return code;
+}
+
+krb5_error_code
+validate_transit_path(krb5_context context,
+ krb5_const_principal client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt)
+{
+ /* Incoming */
+ if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
+ return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+ }
+
+ /* Outgoing */
+ if (isflagset(krbtgt->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
+ (!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
+ !krb5_realm_compare(context, client, krbtgt->princ))) {
+ return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+ }
+
+ return 0;
+}
+
+
+/* Main logging routines for ticket requests.
+
+ There are a few simple cases -- unparseable requests mainly --
+ where messages are logged otherwise, but once a ticket request can
+ be decoded in some basic way, these routines are used for logging
+ the details. */
+
+/* "status" is null to indicate success. */
+/* Someday, pass local address/port as well. */
+void
+log_as_req(const krb5_fulladdr *from,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ const char *cname, const char *sname,
+ krb5_timestamp authtime,
+ const char *status, krb5_error_code errcode, const char *emsg)
+{
+ const char *fromstring = 0;
+ char fromstringbuf[70];
+ char ktypestr[128];
+ const char *cname2 = cname ? cname : "<unknown client>";
+ const char *sname2 = sname ? sname : "<unknown server>";
+
+ fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
+ from->address->contents,
+ fromstringbuf, sizeof(fromstringbuf));
+ if (!fromstring)
+ fromstring = "<unknown>";
+ ktypes2str(ktypestr, sizeof(ktypestr),
+ request->nktypes, request->ktype);
+
+ if (status == NULL) {
+ /* success */
+ char rep_etypestr[128];
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
+ krb5_klog_syslog(LOG_INFO,
+ "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s",
+ ktypestr, fromstring, authtime,
+ rep_etypestr, cname2, sname2);
+ } else {
+ /* fail */
+ krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s",
+ ktypestr, fromstring, status,
+ cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
+ }
+#if 0
+ /* Sun (OpenSolaris) version would probably something like this.
+ The client and server names passed can be null, unlike in the
+ logging routines used above. Note that a struct in_addr is
+ used, but the real address could be an IPv6 address. */
+ audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
+ cname, sname, errcode);
+#endif
+}
+
+/* Here "status" must be non-null. Error code
+ KRB5KDC_ERR_SERVER_NOMATCH is handled specially. */
+void
+log_tgs_req(const krb5_fulladdr *from,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ const char *cname, const char *sname, const char *altcname,
+ krb5_timestamp authtime,
+ const char *status, krb5_error_code errcode, const char *emsg)
+{
+ char ktypestr[128];
+ const char *fromstring = 0;
+ char fromstringbuf[70];
+ char rep_etypestr[128];
+
+ fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
+ from->address->contents,
+ fromstringbuf, sizeof(fromstringbuf));
+ if (!fromstring)
+ fromstring = "<unknown>";
+ ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype);
+ if (!errcode)
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
+ else
+ rep_etypestr[0] = 0;
+
+ /* Differences: server-nomatch message logs 2nd ticket's client
+ name (useful), and doesn't log ktypestr (probably not
+ important). */
+ if (errcode != KRB5KDC_ERR_SERVER_NOMATCH)
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s",
+ ktypestr,
+ fromstring, status, authtime,
+ rep_etypestr,
+ !errcode ? "," : "",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ errcode ? ", " : "",
+ errcode ? emsg : "");
+ else
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s",
+ fromstring, status, authtime,
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ altcname ? altcname : "<unknown>");
+
+ /* OpenSolaris: audit_krb5kdc_tgs_req(...) or
+ audit_krb5kdc_tgs_req_2ndtktmm(...) */
+}
+
+void
+log_tgs_alt_tgt(krb5_principal p)
+{
+ char *sname;
+ if (krb5_unparse_name(kdc_context, p, &sname)) {
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing alternate <un-unparseable> TGT");
+ } else {
+ limit_string(sname);
+ krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname);
+ free(sname);
+ }
+ /* OpenSolaris: audit_krb5kdc_tgs_req_alt_tgt(...) */
+}
+
Modified: branches/mkey_migrate/src/kdc/kdc_util.h
===================================================================
--- branches/mkey_migrate/src/kdc/kdc_util.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/kdc_util.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -31,6 +31,7 @@
#define __KRB5_KDC_UTIL__
#include "kdb.h"
+#include "kdb_ext.h"
typedef struct _krb5_fulladdr {
krb5_address * address;
@@ -38,8 +39,9 @@
} krb5_fulladdr;
krb5_error_code check_hot_list (krb5_ticket *);
-krb5_boolean realm_compare (krb5_principal, krb5_principal);
-krb5_boolean krb5_is_tgs_principal (krb5_principal);
+krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
+krb5_boolean is_local_principal(krb5_const_principal princ1);
+krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
krb5_error_code add_to_transited (krb5_data *,
krb5_data *,
krb5_principal,
@@ -62,16 +64,22 @@
const krb5_fulladdr *,
krb5_data *,
krb5_ticket **,
+ krb5_db_entry *krbtgt,
+ int *nprincs,
krb5_keyblock **);
-krb5_error_code kdc_get_server_key (krb5_ticket *,
- krb5_keyblock **,
- krb5_kvno *);
+krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
+ krb5_db_entry *, int *,
+ krb5_keyblock **, krb5_kvno *);
int validate_as_request (krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
const char **);
+int validate_forwardable(krb5_kdc_req *, krb5_db_entry,
+ krb5_db_entry, krb5_timestamp,
+ const char **);
+
int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, krb5_timestamp,
const char **);
@@ -164,13 +172,26 @@
krb5_error_code free_padata_context
(krb5_context context, void **padata_context);
+krb5_pa_data *find_pa_data
+ (krb5_pa_data **padata, krb5_preauthtype pa_type);
+
/* kdc_authdata.c */
krb5_error_code load_authdata_plugins(krb5_context context);
krb5_error_code unload_authdata_plugins(krb5_context context);
-krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply);
+krb5_error_code
+handle_authdata (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
/* replay.c */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
@@ -188,20 +209,97 @@
krb5_const_principal search_for,
krb5_db_entry *entries, int *nentries, krb5_boolean *more);
+krb5_boolean
+include_pac_p(krb5_context context, krb5_kdc_req *request);
+
+krb5_error_code return_svr_referral_data
+ (krb5_context context,
+ krb5_db_entry *server,
+ krb5_enc_kdc_rep_part *reply_encpart);
+
+krb5_error_code sign_db_authdata
+ (krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgs_authdata,
+ krb5_authdata ***ret_authdata,
+ krb5_db_entry *ad_entry,
+ int *ad_nprincs);
+
+krb5_error_code kdc_process_s4u2self_req
+ (krb5_context context,
+ krb5_kdc_req *request,
+ krb5_const_principal client_princ,
+ const krb5_db_entry *server,
+ krb5_keyblock *subkey,
+ krb5_timestamp kdc_time,
+ krb5_pa_for_user **s4u2_req,
+ krb5_db_entry *princ,
+ int *nprincs,
+ const char **status);
+
+krb5_error_code kdc_process_s4u2proxy_req
+ (krb5_context context,
+ krb5_kdc_req *request,
+ const krb5_enc_tkt_part *t2enc,
+ const krb5_db_entry *server,
+ krb5_const_principal server_princ,
+ krb5_const_principal proxy_princ,
+ const char **status);
+
+krb5_error_code kdc_check_transited_list
+ (krb5_context context,
+ const krb5_data *trans,
+ const krb5_data *realm1,
+ const krb5_data *realm2);
+
+krb5_error_code audit_as_request
+ (krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code errcode);
+
+krb5_error_code audit_tgs_request
+ (krb5_kdc_req *request,
+ krb5_const_principal client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code errcode);
+
+krb5_error_code
+validate_transit_path(krb5_context context,
+ krb5_const_principal client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt);
+
+
+void
+log_as_req(const krb5_fulladdr *from,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ const char *cname, const char *sname,
+ krb5_timestamp authtime,
+ const char *status, krb5_error_code errcode, const char *emsg);
+void
+log_tgs_req(const krb5_fulladdr *from,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ const char *cname, const char *sname, const char *altcname,
+ krb5_timestamp authtime,
+ const char *status, krb5_error_code errcode, const char *emsg);
+void log_tgs_alt_tgt(krb5_principal p);
+
+
+
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
#define clear(flagfield, flag) (flagfield &= ~(flag))
-#ifdef KRB5_KRB4_COMPAT
-krb5_error_code process_v4 (const krb5_data *,
- const krb5_fulladdr *,
- krb5_data **);
-void process_v4_mode (const char *, const char *);
-void enable_v4_crossrealm(char *);
-#else
-#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION
-#endif
-
#ifndef min
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
Deleted: branches/mkey_migrate/src/kdc/kerberos_v4.c
===================================================================
--- branches/mkey_migrate/src/kdc/kerberos_v4.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/kerberos_v4.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,1189 +0,0 @@
-/*
- * kdc/kerberos_v4.c
- *
- * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "autoconf.h"
-#ifdef KRB5_KRB4_COMPAT
-#define BACKWARD_COMPAT
-
-#include "k5-int.h"
-#include "kdc_util.h"
-#include "adm_proto.h"
-
-#include <stdarg.h>
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <signal.h>
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#ifdef TIME_WITH_SYS_TIME
-#include <time.h>
-#endif
-#else
-#include <time.h>
-#endif
-#include <sys/file.h>
-#include <ctype.h>
-#include <syslog.h>
-#include <string.h>
-#include <errno.h>
-
-/* v4 include files:
- */
-#include <krb.h>
-#include <des.h>
-#include <klog.h>
-#include <prot.h>
-#include <krb_db.h>
-
-#ifdef NEED_SWAB_PROTO
-extern void swab(const void *, void *, size_t );
-#endif
-
-static int compat_decrypt_key (krb5_key_data *, C_Block,
- krb5_keyblock *, int);
-static int kerb_get_principal (char *, char *, Principal *,
- int *, krb5_keyblock *, krb5_kvno,
- int, krb5_deltat *);
-static int check_princ (char *, char *, int, Principal *,
- krb5_keyblock *, int, krb5_deltat *);
-
-static char * v4_klog (int, const char *, ...)
-#if !defined(__cplusplus) && (__GNUC__ > 2)
- __attribute__((__format__(__printf__, 2, 3)))
-#endif
- ;
-#define klog v4_klog
-
-/* Byte ordering */
-/*#define MSB_FIRST 0 / * 68000, IBM RT/PC */
-/*#define LSB_FIRST 1 / * Vax, PC8086 */
-#if defined K5_LE
-# define HOST_BYTE_ORDER 1
-#elif defined K5_BE
-# define HOST_BYTE_ORDER 0
-#else
-static int krbONE = 1;
-# define HOST_BYTE_ORDER (* (char *) &krbONE)
-#endif
-
-#ifndef BACKWARD_COMPAT
-static Key_schedule master_key_schedule;
-static C_Block master_key;
-#endif
-
-static struct timeval kerb_time;
-static Principal a_name_data; /* for requesting user */
-static Principal s_name_data; /* for services requested */
-static C_Block session_key;
-
-static char log_text[512];
-static char *lt;
-
-/* fields within the received request packet */
-static u_char req_msg_type;
-static u_char req_version;
-static char *req_name_ptr;
-static char *req_inst_ptr;
-static char *req_realm_ptr;
-
-static krb5_ui_4 req_time_ws;
-
-static char local_realm[REALM_SZ];
-
-static long n_auth_req;
-static long n_appl_req;
-
-static long pause_int = -1;
-
-static void hang(void);
-
-
-/* v4/v5 backwards-compatibility stub routines,
- * which allow the v5 server to handle v4 packets
- * by invoking substantially-unaltered v4 server code.
- * this is only necessary during the installation's conversion to v5.
- * process_v4() is invoked by v5's dispatch() routine;
- * when the v4 server needs to access the v5 database,
- * it calls the other stubs.
- *
- * until all kerberized application-programs are updated,
- * this approach inflates the v5 server's code size,
- * but it's easier to debug than a concurrent, subordinate v4 server would be.
- */
-
-/*
- * v5 include files:
- */
-#include "com_err.h"
-#include "extern.h" /* to pick up master_princ */
-
-static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);
-static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
-static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
-
-/* Attributes converted from V5 to V4 - internal representation */
-#define V4_KDB_REQUIRES_PREAUTH 0x1
-#define V4_KDB_DISALLOW_ALL_TIX 0x2
-#define V4_KDB_REQUIRES_PWCHANGE 0x4
-#define V4_KDB_DISALLOW_SVR 0x8
-
-/* v4 compatibitly mode switch */
-#define KDC_V4_NONE 0 /* Don't even respond to packets */
-#define KDC_V4_DISABLE 1 /* V4 requests return an error */
-#define KDC_V4_FULL 2 /* Preauth required go through */
-#define KDC_V4_NOPREAUTH 3 /* Preauth required disallowed */
-
-#define KDC_V4_DEFAULT_MODE KDC_V4_NONE
-/* Flag on how to handle v4 */
-static int kdc_v4;
-
-struct v4mode_lookup_entry {
- int mode; /* Mode setting */
- const char * v4_specifier; /* How to recognize it */
-};
-
-static const struct v4mode_lookup_entry v4mode_table[] = {
-/* mode input specifier */
-{ KDC_V4_NONE, "none" },
-{ KDC_V4_DISABLE, "disable" },
-{ KDC_V4_FULL, "full" },
-{ KDC_V4_NOPREAUTH, "nopreauth" }
-};
-
-static const int v4mode_table_nents = sizeof(v4mode_table)/
- sizeof(v4mode_table[0]);
-
-static int allow_v4_crossrealm = 0;
-
-void process_v4_mode(const char *program_name, const char *string)
-{
- int i, found;
-
- found = 0;
- kdc_v4 = KDC_V4_DEFAULT_MODE;
-
- if(!string) return; /* Set to default mode */
-
- for (i=0; i<v4mode_table_nents; i++) {
- if (!strcasecmp(string, v4mode_table[i].v4_specifier)) {
- found = 1;
- kdc_v4 = v4mode_table[i].mode;
- break;
- }
- }
-
- if(!found) {
- /* It is considered fatal if we request a mode that is not found */
- com_err(program_name, 0, "invalid v4_mode %s", string);
- exit(1);
- }
- return;
-}
-
-void enable_v4_crossrealm ( char *programname) {
- allow_v4_crossrealm = 1;
- krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole");
-}
-
-krb5_error_code
-process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr,
- krb5_data **resp)
-{
- struct sockaddr_in client_sockaddr;
- krb5_address *addr = client_fulladdr->address;
- krb5_error_code retval;
- krb5_timestamp now;
- KTEXT_ST v4_pkt;
- char *lrealm;
-
- /* Check if disabled completely */
- if (kdc_v4 == KDC_V4_NONE) {
- (void) klog(L_KRB_PERR, "Disabled KRB V4 request");
- return KRB5KDC_ERR_BAD_PVNO;
- }
-
-
- if ((retval = krb5_timeofday(kdc_context, &now)))
- return(retval);
- kerb_time.tv_sec = now;
-
- if (!*local_realm) { /* local-realm name already set up */
- lrealm = master_princ->realm.data;
- if (master_princ->realm.length < sizeof(local_realm)) {
- memcpy(local_realm, lrealm, master_princ->realm.length);
- local_realm[master_princ->realm.length] = '\0';
- } else
- retval = KRB5_CONFIG_NOTENUFSPACE;
- }
- /* convert client_fulladdr to client_sockaddr:
- */
- client_sockaddr.sin_family = AF_INET;
- client_sockaddr.sin_port = client_fulladdr->port;
- if (client_fulladdr->address->addrtype != ADDRTYPE_INET) {
- klog(L_KRB_PERR, "got krb4 request from non-ipv4 address");
- client_sockaddr.sin_addr.s_addr = 0;
- } else
- memcpy(&client_sockaddr.sin_addr, addr->contents,
- sizeof client_sockaddr.sin_addr);
- memset( client_sockaddr.sin_zero, 0, sizeof client_sockaddr.sin_zero);
-
- /* convert v5 packet structure to v4's.
- * this copy is gross, but necessary:
- */
- if (pkt->length > MAX_KTXT_LEN) {
- (void) klog(L_KRB_PERR, "V4 request too long.");
- return KRB5KRB_ERR_FIELD_TOOLONG;
- }
- memset( &v4_pkt, 0, sizeof(v4_pkt));
- v4_pkt.length = pkt->length;
- v4_pkt.mbz = 0;
- memcpy( v4_pkt.dat, pkt->data, pkt->length);
-
- *resp = kerberos_v4( &client_sockaddr, &v4_pkt);
- return(retval);
-}
-
-static char * v4_klog( int type, const char *format, ...)
-{
- int logpri = LOG_INFO;
- va_list pvar;
- va_start(pvar, format);
-
- switch (type) {
- case L_ERR_SEXP:
- case L_ERR_NKY:
- case L_ERR_NUN:
- case L_ERR_UNK:
- case L_KRB_PERR:
- logpri = LOG_ERR;
- case L_INI_REQ:
- case L_NTGT_INTK:
- case L_TKT_REQ:
- case L_APPL_REQ:
- strcpy(log_text, "PROCESS_V4:");
- vsnprintf(log_text+strlen(log_text),
- sizeof(log_text) - strlen(log_text),
- format, pvar);
- krb5_klog_syslog(logpri, "%s", log_text);
- default:
- /* ignore the other types... */
- ;
- }
- va_end(pvar);
- return(log_text);
-}
-
-static
-krb5_data *make_response(const char *msg, int len)
-{
- krb5_data *response;
-
- if ( !(response = (krb5_data *) malloc( sizeof *response))) {
- return 0;
- }
- if ( !(response->data = (char *) malloc( len))) {
- krb5_free_data(kdc_context, response);
- return 0;
- }
- response->length = len;
- memcpy( response->data, msg, len);
- return response;
-}
-static void
-hang(void)
-{
- if (pause_int == -1) {
- klog(L_KRB_PERR, "Kerberos will pause so as not to loop init");
- /* for (;;)
- pause(); */
- } else {
- char buf[256];
- snprintf(buf, sizeof(buf),
- "Kerberos will wait %d seconds before dying so as not to loop init",
- (int) pause_int);
- klog(L_KRB_PERR, buf);
- sleep((unsigned) pause_int);
- klog(L_KRB_PERR, "Do svedania....\n");
- /* exit(1); */
- }
-}
-#define kdb_encrypt_key( in, out, mk, mks, e_d_flag)
-#define LONGLEN 4
-#define K4KDC_ENCTYPE_OK(e) \
-((e) == ENCTYPE_DES_CBC_CRC \
- || (e) == ENCTYPE_DES_CBC_MD4 \
- || (e) == ENCTYPE_DES_CBC_MD5 \
- || (e) == ENCTYPE_DES_CBC_RAW)
-
-/* take a v5 keyblock, masquerading as a v4 key,
- * decrypt it, and convert the resulting v5 keyblock
- * to a real v4 key.
- * this is ugly, but it saves changing more v4 code.
- *
- * Also, keep old krb5_keyblock around in case we want to use it later.
- */
-static int
-compat_decrypt_key (krb5_key_data *in5, unsigned char *out4,
- krb5_keyblock *out5, int issrv)
-{
- krb5_error_code retval;
-
- out5->contents = NULL;
- memset(out4, 0, sizeof(out4));
- retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock,
- in5, out5, NULL);
- if (retval) {
- lt = klog(L_DEATH_REQ, "KDC can't decrypt principal's key.");
- out5->contents = NULL;
- return(retval);
- }
- if (K4KDC_ENCTYPE_OK(out5->enctype)) {
- if (out5->length == KRB5_MIT_DES_KEYSIZE)
- memcpy(out4, out5->contents, out5->length);
- else {
- lt = klog(L_DEATH_REQ, "internal keysize error in kdc");
- krb5_free_keyblock_contents(kdc_context, out5);
- out5->contents = NULL;
- retval = -1;
- }
- } else {
- if (!issrv) {
- lt = klog(L_DEATH_REQ, "incompatible principal key type.");
- krb5_free_keyblock_contents(kdc_context, out5);
- out5->contents = NULL;
- retval = -1;
- } else {
- /* KLUDGE! If it's a non-raw des3 key, bash its enctype */
- if (out5->enctype == ENCTYPE_DES3_CBC_SHA1 )
- out5->enctype = ENCTYPE_DES3_CBC_RAW;
- }
- }
- return(retval);
-}
-
-/* array of name-components + NULL ptr
- */
-
-/*
- * Previously this code returned either a v4 key or a v5 key and you
- * could tell from the enctype of the v5 key whether the v4 key was
- * useful. Now we return both keys so the code can try both des3 and
- * des decryption. We fail if the ticket doesn't have a v4 key.
- * Also, note as a side effect, the v5 key is basically useless in
- * the client case. It is still returned so the caller can free it.
- */
-static int
-kerb_get_principal(char *name, char *inst, /* could have wild cards */
- Principal *principal,
- int *more, /* more tuples than room for */
- krb5_keyblock *k5key, krb5_kvno kvno,
- int issrv, /* true if retrieving a service key */
- krb5_deltat *k5life)
-{
- /* Note that this structure should not be passed to the
- krb5_free* functions, because the pointers within it point
- to data with other references. */
- krb5_principal search;
-
- krb5_db_entry entries; /* filled in by krb5_db_get_principal() */
- int nprinc; /* how many found */
- krb5_boolean more5; /* are there more? */
- C_Block k;
- short toggle = 0;
- unsigned long *date;
- char* text;
- struct tm *tp;
- krb5_key_data *pkey;
- krb5_error_code retval;
-
- *more = 0;
- /* begin setting up the principal structure
- * with the first info we have:
- */
- memcpy( principal->name, name, 1 + strlen( name));
- memcpy( principal->instance, inst, 1 + strlen( inst));
-
- /* the principal-name format changed between v4 & v5:
- * v4: name.instance at realm
- * v5: realm/name/instance
- * in v5, null instance means the null-component doesn't exist.
- */
-
- if ((retval = krb5_425_conv_principal(kdc_context, name, inst,
- local_realm, &search)))
- return(0);
-
- /* The krb4 support in the KDC is not thread-safe yet, so maintain
- the global lock until that gets fixed. */
- if ((retval = get_principal_locked(kdc_context, search, &entries,
- &nprinc, &more5))) {
- krb5_free_principal(kdc_context, search);
- return(0);
- }
- principal->key_low = principal->key_high = 0;
- krb5_free_principal(kdc_context, search);
-
- if (nprinc < 1) {
- *more = (int)more5 || (nprinc > 1);
- return(nprinc);
- }
-
- if (!issrv) {
- if (krb5_dbe_find_enctype(kdc_context,
- &entries,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4,
- kvno,
- &pkey) &&
- krb5_dbe_find_enctype(kdc_context,
- &entries,
- ENCTYPE_DES_CBC_CRC,
- -1,
- kvno,
- &pkey)) {
- lt = klog(L_KRB_PERR,
- "KDC V4: principal %s.%s isn't V4 compatible",
- name, inst);
- krb5_db_free_principal(kdc_context, &entries, nprinc);
- return(0);
- }
- } else {
- if ( krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
- krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES_CBC_CRC,
- -1, kvno, &pkey)) {
- lt = klog(L_KRB_PERR,
- "KDC V4: failed to find key for %s.%s #%d",
- name, inst, kvno);
- krb5_db_free_principal(kdc_context, &entries, nprinc);
- return(0);
- }
- }
-
- if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
- memcpy( &principal->key_low, k, LONGLEN);
- memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
- }
- memset(k, 0, sizeof k);
- if (issrv) {
- krb5_free_keyblock_contents (kdc_context, k5key);
- if (krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES3_CBC_RAW,
- -1, kvno, &pkey) &&
- krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES3_CBC_SHA1,
- -1, kvno, &pkey) &&
- krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
- krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_DES_CBC_CRC,
- -1, kvno, &pkey)) {
- lt = klog(L_KRB_PERR,
- "KDC V4: failed to find key for %s.%s #%d (after having found it once)",
- name, inst, kvno);
- krb5_db_free_principal(kdc_context, &entries, nprinc);
- return(0);
- }
- compat_decrypt_key(pkey, k, k5key, issrv);
- memset (k, 0, sizeof k);
- }
-
-
- /*
- * Convert v5's entries struct to v4's Principal struct:
- * v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes,
- * and gets weirder above (128 * 300) seconds.
- */
- principal->max_life = krb_time_to_life(0, entries.max_life);
- if (k5life != NULL)
- *k5life = entries.max_life;
- /*
- * This is weird, but the intent is that the expiration is the minimum
- * of the principal expiration and key expiration
- */
- principal->exp_date = (unsigned long)
- entries.expiration && entries.pw_expiration ?
- min(entries.expiration, entries.pw_expiration) :
- (entries.pw_expiration ? entries.pw_expiration :
- entries.expiration);
-/* principal->mod_date = (unsigned long) entries.mod_date; */
-/* Set the master key version to 1. It's not really useful because all keys
- * will be encrypted in the same master key version, and digging out the
- * actual key version will be harder than it's worth --proven */
-/* principal->kdc_key_ver = entries.mkvno; */
- principal->kdc_key_ver = 1;
- principal->key_version = pkey->key_data_kvno;
- /* We overload the attributes with the relevant v5 ones */
- principal->attributes = 0;
- if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_HW_AUTH) ||
- isflagset(entries.attributes, KRB5_KDB_REQUIRES_PRE_AUTH)) {
- principal->attributes |= V4_KDB_REQUIRES_PREAUTH;
- }
- if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
- principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
- }
- if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
- principal->attributes |= V4_KDB_DISALLOW_SVR;
- }
- if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
- principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
- }
-
- /* set up v4 format of each date's text: */
- for ( date = &principal->exp_date, text = principal->exp_date_txt;
- toggle ^= 1;
- date = &principal->mod_date, text = principal->mod_date_txt) {
- tp = localtime( (time_t *) date);
- snprintf(text, sizeof(principal->mod_date_txt), "%4d-%02d-%02d",
- tp->tm_year > 1900 ? tp->tm_year : tp->tm_year + 1900,
- tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */
- }
- /*
- * free the storage held by the v5 entry struct,
- * which was allocated by krb5_db_get_principal().
- * this routine clears the keyblock's contents for us.
- */
- krb5_db_free_principal(kdc_context, &entries, nprinc);
- *more = (int) more5 || (nprinc > 1);
- return( nprinc);
-}
-
-static void str_length_check(char *str, int max_size)
-{
- int i;
- char *cp;
-
- for (i=0, cp = str; i < max_size-1; i++, cp++) {
- if (*cp == 0)
- return;
- }
- *cp = 0;
-}
-
-static krb5_data *
-kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
-{
- static KTEXT_ST rpkt_st;
- KTEXT rpkt = &rpkt_st;
- static KTEXT_ST ciph_st;
- KTEXT ciph = &ciph_st;
- static KTEXT_ST tk_st;
- KTEXT tk = &tk_st;
- static KTEXT_ST auth_st;
- KTEXT auth = &auth_st;
- AUTH_DAT ad_st;
- AUTH_DAT *ad = &ad_st;
- krb5_data *response = 0;
-
- static struct in_addr client_host;
- static int msg_byte_order;
- static int swap_bytes;
- static u_char k_flags;
- /* char *p_name, *instance; */
- int lifetime = 0;
- int i;
- C_Block key;
- Key_schedule key_s;
- char *ptr;
-
- krb5_keyblock k5key;
- krb5_kvno kvno;
- krb5_deltat sk5life, ck5life;
- KRB4_32 v4endtime, v4req_end;
-
- k5key.contents = NULL; /* in case we have to free it */
-
- ciph->length = 0;
-
- client_host = client->sin_addr;
-
- /* eval macros and correct the byte order and alignment as needed */
- req_version = pkt_version(pkt); /* 1 byte, version */
- req_msg_type = pkt_msg_type(pkt); /* 1 byte, Kerberos msg type */
-
- /* set these to point to something safe */
- req_name_ptr = req_inst_ptr = req_realm_ptr = "";
-
- /* check if disabled, but we tell client */
- if (kdc_v4 == KDC_V4_DISABLE) {
- lt = klog(L_KRB_PERR,
- "KRB will not handle v4 request from %s",
- inet_ntoa(client_host));
- /* send an error reply */
- req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- }
-
- /* check packet version */
- if (req_version != KRB_PROT_VERSION) {
- lt = klog(L_KRB_PERR,
- "KRB prot version mismatch: KRB =%d request = %d",
- KRB_PROT_VERSION, req_version);
- /* send an error reply */
- req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- }
- msg_byte_order = req_msg_type & 1;
-
- swap_bytes = 0;
- if (msg_byte_order != HOST_BYTE_ORDER) {
- swap_bytes++;
- }
- klog(L_KRB_PINFO,
- "Prot version: %d, Byte order: %d, Message type: %d",
- (int) req_version, msg_byte_order, req_msg_type);
-
- switch (req_msg_type & ~1) {
-
- case AUTH_MSG_KDC_REQUEST:
- {
- int req_life; /* Requested liftime */
- unsigned int request_backdate = 0; /*How far to backdate
- in seconds.*/
- char *service; /* Service name */
- char *instance; /* Service instance */
-#ifdef notdef
- int kerno; /* Kerberos error number */
-#endif
- n_auth_req++;
- tk->length = 0;
- k_flags = 0; /* various kerberos flags */
-
-
- /* set up and correct for byte order and alignment */
- req_name_ptr = (char *) pkt_a_name(pkt);
- str_length_check(req_name_ptr, ANAME_SZ);
- req_inst_ptr = (char *) pkt_a_inst(pkt);
- str_length_check(req_inst_ptr, INST_SZ);
- req_realm_ptr = (char *) pkt_a_realm(pkt);
- str_length_check(req_realm_ptr, REALM_SZ);
- memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws));
- /* time has to be diddled */
- if (swap_bytes) {
- swap_u_long(req_time_ws);
- }
- ptr = (char *) pkt_time_ws(pkt) + 4;
-
- req_life = (*ptr++) & 0xff;
-
- service = ptr;
- str_length_check(service, SNAME_SZ);
- instance = ptr + strlen(service) + 1;
- str_length_check(instance, INST_SZ);
-
- rpkt = &rpkt_st;
-
- klog(L_INI_REQ,
- "Initial ticket request Host: %s User: \"%s\" \"%s\"",
- inet_ntoa(client_host), req_name_ptr, req_inst_ptr);
-
- if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
- &a_name_data, &k5key, 0, &ck5life))) {
- response = kerb_err_reply(client, pkt, i, "check_princ failed");
- a_name_data.key_low = a_name_data.key_high = 0;
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return response;
- }
- /* don't use k5key for client */
- krb5_free_keyblock_contents(kdc_context, &k5key);
- tk->length = 0; /* init */
- if (strcmp(service, "krbtgt"))
- klog(L_NTGT_INTK,
- "INITIAL request from %s.%s for %s.%s", req_name_ptr,
- req_inst_ptr, service, instance);
- /* this does all the checking */
- if ((i = check_princ(service, instance, lifetime,
- &s_name_data, &k5key, 1, &sk5life))) {
- response = kerb_err_reply(client, pkt, i, "check_princ failed");
- a_name_data.key_high = a_name_data.key_low = 0;
- s_name_data.key_high = s_name_data.key_low = 0;
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return response;
- }
- /* Bound requested lifetime with service and user */
- v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
- v4req_end = min(v4req_end, kerb_time.tv_sec + ck5life);
- v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
- lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
- v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
- /*
- * Adjust issue time backwards if necessary, due to
- * roundup in krb_time_to_life().
- */
- if (v4endtime > v4req_end)
- request_backdate = v4endtime - v4req_end;
-
-#ifdef NOENCRYPTION
- memset(session_key, 0, sizeof(C_Block));
-#else
- /* random session key */
- des_new_random_key(session_key);
-#endif
-
- /* unseal server's key from master key */
- memcpy( key, &s_name_data.key_low, 4);
- memcpy( ((krb5_ui_4 *) key) + 1, &s_name_data.key_high, 4);
-
- s_name_data.key_low = s_name_data.key_high = 0;
- kdb_encrypt_key(key, key, master_key,
- master_key_schedule, DECRYPT);
- /* construct and seal the ticket */
- /* We always issue des tickets; the 3des tickets are a broken hack*/
- krb_create_ticket(tk, k_flags, a_name_data.name,
- a_name_data.instance, local_realm,
- client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec - request_backdate,
- s_name_data.name, s_name_data.instance,
- key);
-
- krb5_free_keyblock_contents(kdc_context, &k5key);
- memset(key, 0, sizeof(key));
- memset(key_s, 0, sizeof(key_s));
-
- /*
- * get the user's key, unseal it from the server's key, and
- * use it to seal the cipher
- */
-
- /* a_name_data.key_low a_name_data.key_high */
- memcpy( key, &a_name_data.key_low, 4);
- memcpy( ((krb5_ui_4 *) key) + 1, &a_name_data.key_high, 4);
- a_name_data.key_low= a_name_data.key_high = 0;
-
- /* unseal the a_name key from the master key */
- kdb_encrypt_key(key, key, master_key,
- master_key_schedule, DECRYPT);
-
- create_ciph(ciph, session_key, s_name_data.name,
- s_name_data.instance, local_realm, lifetime,
- s_name_data.key_version, tk, kerb_time.tv_sec, key);
-
- /* clear session key */
- memset(session_key, 0, sizeof(session_key));
-
- memset(key, 0, sizeof(key));
-
-
-
- /* always send a reply packet */
- rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
- req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
- a_name_data.key_version, ciph);
- response = make_response((char *) rpkt->dat, rpkt->length);
- memset(&a_name_data, 0, sizeof(a_name_data));
- memset(&s_name_data, 0, sizeof(s_name_data));
- break;
- }
- case AUTH_MSG_APPL_REQUEST:
- {
- krb5_ui_4 time_ws; /* Workstation time */
- int req_life; /* Requested liftime */
- char *service; /* Service name */
- char *instance; /* Service instance */
- int kerno = 0; /* Kerberos error number */
- unsigned int request_backdate = 0; /*How far to backdate
- in seconds.*/
- char tktrlm[REALM_SZ];
-
- n_appl_req++;
- tk->length = 0;
- k_flags = 0; /* various kerberos flags */
-
- auth->mbz = 0; /* pkt->mbz already zeroed */
- auth->length = 4 + strlen((char *)pkt->dat + 3);
- if (auth->length + 1 >= MAX_KTXT_LEN) {
- lt = klog(L_KRB_PERR,
- "APPL request with realm length too long from %s",
- inet_ntoa(client_host));
- return kerb_err_reply(client, pkt, RD_AP_INCON,
- "realm length too long");
- }
-
- auth->length += (int) *(pkt->dat + auth->length) +
- (int) *(pkt->dat + auth->length + 1) + 2;
- if (auth->length > MAX_KTXT_LEN) {
- lt = klog(L_KRB_PERR,
- "APPL request with funky tkt or req_id length from %s",
- inet_ntoa(client_host));
- return kerb_err_reply(client, pkt, RD_AP_INCON,
- "funky tkt or req_id length");
- }
-
- memcpy(auth->dat, pkt->dat, auth->length);
-
- strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ);
- tktrlm[REALM_SZ-1] = '\0';
- kvno = (krb5_kvno)auth->dat[2];
- if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
- lt = klog(L_ERR_UNK,
- "Cross realm ticket from %s denied by policy,", tktrlm);
- return kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- }
- if (set_tgtkey(tktrlm, kvno, 0)) {
- lt = klog(L_ERR_UNK,
- "FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
- tktrlm, kvno, inet_ntoa(client_host));
- /* no better error code */
- return kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- }
- kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
- ad, 0);
- if (kerno) {
- if (set_tgtkey(tktrlm, kvno, 1)) {
- lt = klog(L_ERR_UNK,
- "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
- tktrlm, kvno, inet_ntoa(client_host));
- /* no better error code */
- return kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- }
- kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
- ad, 0);
- }
-
- if (kerno) {
- klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
- inet_ntoa(client_host), krb_get_err_text(kerno));
- req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
- }
- ptr = (char *) pkt->dat + auth->length;
-
- memcpy(&time_ws, ptr, 4);
- ptr += 4;
-
- req_life = (*ptr++) & 0xff;
-
- service = ptr;
- str_length_check(service, SNAME_SZ);
- instance = ptr + strlen(service) + 1;
- str_length_check(instance, INST_SZ);
-
- klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s",
- ad->pname, ad->pinst, ad->prealm,
- inet_ntoa(client_host), service, instance);
- req_name_ptr = ad->pname;
- req_inst_ptr = ad->pinst;
- req_realm_ptr = ad->prealm;
-
- if (strcmp(ad->prealm, tktrlm)) {
- return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't hop realms");
- }
- if (!strcmp(service, "changepw")) {
- return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't authorize password changed based on TGT");
- }
- kerno = check_princ(service, instance, req_life,
- &s_name_data, &k5key, 1, &sk5life);
- if (kerno) {
- response = kerb_err_reply(client, pkt, kerno,
- "check_princ failed");
- s_name_data.key_high = s_name_data.key_low = 0;
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return response;
- }
- /* Bound requested lifetime with service and user */
- v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
- v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
- v4req_end = min(v4endtime, v4req_end);
- v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
-
- lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
- v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
- /*
- * Adjust issue time backwards if necessary, due to
- * roundup in krb_time_to_life().
- */
- if (v4endtime > v4req_end)
- request_backdate = v4endtime - v4req_end;
-
- /* unseal server's key from master key */
- memcpy(key, &s_name_data.key_low, 4);
- memcpy(((krb5_ui_4 *) key) + 1, &s_name_data.key_high, 4);
- s_name_data.key_low = s_name_data.key_high = 0;
- kdb_encrypt_key(key, key, master_key,
- master_key_schedule, DECRYPT);
- /* construct and seal the ticket */
-
-#ifdef NOENCRYPTION
- memset(session_key, 0, sizeof(C_Block));
-#else
- /* random session key */
- des_new_random_key(session_key);
-#endif
-
- /* ALways issue des tickets*/
- krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
- ad->prealm, client_host.s_addr,
- (char *) session_key, lifetime,
- kerb_time.tv_sec - request_backdate,
- s_name_data.name, s_name_data.instance,
- key);
- krb5_free_keyblock_contents(kdc_context, &k5key);
- memset(key, 0, sizeof(key));
- memset(key_s, 0, sizeof(key_s));
-
- create_ciph(ciph, session_key, service, instance,
- local_realm,
- lifetime, s_name_data.key_version, tk,
- kerb_time.tv_sec, ad->session);
-
- /* clear session key */
- memset(session_key, 0, sizeof(session_key));
-
- memset(ad->session, 0, sizeof(ad->session));
-
- rpkt = create_auth_reply(ad->pname, ad->pinst,
- ad->prealm, time_ws,
- 0, 0, 0, ciph);
- response = make_response((char *) rpkt->dat, rpkt->length);
- memset(&s_name_data, 0, sizeof(s_name_data));
- break;
- }
-
-
-#ifdef notdef_DIE
- case AUTH_MSG_DIE:
- {
- lt = klog(L_DEATH_REQ,
- "Host: %s User: \"%s\" \"%s\" Kerberos killed",
- inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0);
- exit(0);
- }
-#endif /* notdef_DIE */
-
- default:
- {
- lt = klog(L_KRB_PERR,
- "Unknown message type: %d from %s port %u",
- req_msg_type, inet_ntoa(client_host),
- ntohs(client->sin_port));
- break;
- }
- }
- return response;
-}
-
-
-
-/*
- * kerb_er_reply creates an error reply packet and sends it to the
- * client.
- */
-
-static krb5_data *
-kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)
-{
- static KTEXT_ST e_pkt_st;
- KTEXT e_pkt = &e_pkt_st;
- static char e_msg[128];
-
- strcpy(e_msg, "\nKerberos error -- ");
- strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
- cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
- req_time_ws, err, e_msg);
- return make_response((char *) e_pkt->dat, e_pkt->length);
-}
-
-static int
-check_princ(char *p_name, char *instance, int lifetime, Principal *p,
- krb5_keyblock *k5key, int issrv, krb5_deltat *k5life)
-{
- static int n;
- static int more;
- /* long trans; */
-
- n = kerb_get_principal(p_name, instance, p, &more, k5key, 0,
- issrv, k5life);
- klog(L_ALL_REQ,
- "Principal: \"%s\", Instance: \"%s\" Lifetime = %d n = %d",
- p_name, instance, lifetime, n);
-
- if (n < 0) {
- lt = klog(L_KRB_PERR, "Database unavailable!");
- p->key_high = p->key_low = 0;
- hang();
- }
-
- /*
- * if more than one p_name, pick one, randomly create a session key,
- * compute maximum lifetime, lookup authorizations if applicable,
- * and stuff into cipher.
- */
- if (n == 0) {
- /* service unknown, log error, skip to next request */
- lt = klog(L_ERR_UNK, "UNKNOWN \"%s\" \"%s\"", p_name, instance);
- return KERB_ERR_PRINCIPAL_UNKNOWN;
- }
- if (more) {
- /* not unique, log error */
- lt = klog(L_ERR_NUN, "Principal NOT UNIQUE \"%s\" \"%s\"",
- p_name, instance);
- return KERB_ERR_PRINCIPAL_NOT_UNIQUE;
- }
-
- /*
- * Check our V5 stuff first.
- */
-
- /*
- * Does the principal have REQUIRES_PWCHANGE set?
- */
- if (isflagset(p->attributes, V4_KDB_REQUIRES_PWCHANGE)) {
- lt = klog(L_ERR_SEXP, "V5 REQUIRES_PWCHANGE set "
- "\"%s\" \"%s\"", p_name, instance);
- return KERB_ERR_NAME_EXP;
- }
-
- /*
- * Does the principal have DISALLOW_ALL_TIX set?
- */
- if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
- lt = klog(L_ERR_SEXP, "V5 DISALLOW_ALL_TIX set: "
- "\"%s\" \"%s\"", p_name, instance);
- /* Not sure of a better error to return */
- return KERB_ERR_NAME_EXP;
- }
-
- if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
- lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
- "\"%s\" \"%s\"", p_name, instance);
- /* Not sure of a better error to return */
- return KERB_ERR_NAME_EXP;
- }
-
- /*
- * Does the principal require preauthentication?
- */
- if ((kdc_v4 == KDC_V4_NOPREAUTH) &&
- isflagset(p->attributes, V4_KDB_REQUIRES_PREAUTH)) {
- lt = klog(L_ERR_SEXP, "V5 REQUIRES_PREAUTH set: "
- "\"%s\" \"%s\"", p_name, instance);
- /* Not sure of a better error to return */
- return KERB_ERR_AUTH_EXP;
-/* return KERB_ERR_NAME_EXP;*/
- }
-
- /* If the user's key is null, we want to return an error */
- if (k5key->contents != NULL && K4KDC_ENCTYPE_OK(k5key->enctype)) {
- if ((p->key_low == 0) && (p->key_high == 0)) {
- /* User has a null key */
- lt = klog(L_ERR_NKY, "Null key \"%s\" \"%s\"", p_name, instance);
- return KERB_ERR_NULL_KEY;
- }
- }
- /* make sure the service hasn't expired */
- if (((u_long) p->exp_date != 0)&&
- ((u_long) p->exp_date <(u_long) kerb_time.tv_sec)) {
- /* service did expire, log it */
- char timestr[40];
- struct tm *tm;
- time_t t = p->exp_date;
-
- tm = localtime(&t);
- if (!strftime(timestr, sizeof(timestr), "%Y-%m-%d %H:%M:%S", tm))
- timestr[0] = '\0';
- lt = klog(L_ERR_SEXP,
- "EXPIRED \"%s\" \"%s\" %s", p->name, p->instance, timestr);
- return KERB_ERR_NAME_EXP;
- }
- /* ok is zero */
- return 0;
-}
-
-
-/* Set the key for krb_rd_req so we can check tgt */
-static int
-set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des)
-{
- int n;
- static char lastrealm[REALM_SZ] = "";
- static int last_kvno = 0;
- static krb5_boolean last_use_3des = 0;
- static int more;
- Principal p_st;
- Principal *p = &p_st;
- C_Block key;
- krb5_keyblock k5key;
-
- k5key.contents = NULL;
- if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des)
- return (KSUCCESS);
-
-/* log("Getting key for %s", r); */
-
- n = kerb_get_principal("krbtgt", r, p, &more, &k5key, kvno, 1, NULL);
- if (n == 0)
- return (KFAILURE);
-
- if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
- lt = klog(L_ERR_SEXP,
- "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return KFAILURE;
- }
-
- if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
- lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return KFAILURE;
- }
-
- if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) {
- krb_set_key_krb5(kdc_context, &k5key);
- strncpy(lastrealm, r, sizeof(lastrealm) - 1);
- lastrealm[sizeof(lastrealm) - 1] = '\0';
- last_kvno = kvno;
- last_use_3des = use_3des;
- } else {
- /* unseal tgt key from master key */
- memcpy(key, &p->key_low, 4);
- memcpy(((krb5_ui_4 *) key) + 1, &p->key_high, 4);
- kdb_encrypt_key(key, key, master_key,
- master_key_schedule, DECRYPT);
- krb_set_key((char *) key, 0);
- strncpy(lastrealm, r, sizeof(lastrealm) - 1);
- lastrealm[sizeof(lastrealm) - 1] = '\0';
- last_kvno = kvno;
- }
- krb5_free_keyblock_contents(kdc_context, &k5key);
- return (KSUCCESS);
-}
-
-#else /* KRB5_KRB4_COMPAT */
-#include "k5-int.h"
-#endif /* KRB5_KRB4_COMPAT */
Modified: branches/mkey_migrate/src/kdc/krb5kdc.M
===================================================================
--- branches/mkey_migrate/src/kdc/krb5kdc.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/krb5kdc.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -47,9 +47,6 @@
.B \-r
.I realm
] [
-.B \-4
-.I v4mode
-] [
.B \-n
]
.br
@@ -131,23 +128,6 @@
from the keyboard rather than from a file on disk.
.PP
The
-.B \-4
-option specifies how the KDC responds to kerberos IV requests for
-tickets. The command line option overrides the value in the KDC
-profile. The possible values are
-.I none,
-.I disable,
-.I full
-or
-.I nopreauth.
-These instruct the KDC to not respond to V4 packets, to
-respond with a version skew error, to issue tickets for all database
-entries, and to issue tickets for all but preauthentication required
-database entries respectively. The default behaviour is as if
-.I none
-was specified.
-.PP
-The
.B \-n
option specifies that the KDC does not put itself in the background
and does not disassociate itself from the terminal. In normal
Modified: branches/mkey_migrate/src/kdc/main.c
===================================================================
--- branches/mkey_migrate/src/kdc/main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,6 @@
/*
* kdc/main.c
*
- * Portions Copyright (C) 2007 Apple Inc.
* Copyright 1990,2001,2008 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
@@ -26,6 +25,33 @@
*
* Main procedure body for the KDC server process.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include <stdio.h>
#include <syslog.h>
@@ -45,10 +71,6 @@
#include <netinet/in.h>
#endif
-#ifdef KRB5_KRB4_COMPAT
-#include <des.h>
-#endif
-
#if defined(NEED_DAEMON_PROTO)
extern int daemon(int, int);
#endif
@@ -326,32 +348,18 @@
if (!rkey_init_done) {
krb5_data seed;
-#ifdef KRB5_KRB4_COMPAT
- krb5_keyblock temp_key;
-#endif
/*
* If all that worked, then initialize the random key
* generators.
*/
seed.length = rdp->realm_mkey.length;
- seed.data = rdp->realm_mkey.contents;
+ seed.data = (char *)rdp->realm_mkey.contents;
if ((kret = krb5_c_random_add_entropy(rdp->realm_context,
KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
goto whoops;
-#ifdef KRB5_KRB4_COMPAT
- if ((kret = krb5_c_make_random_key(rdp->realm_context,
- ENCTYPE_DES_CBC_CRC, &temp_key))) {
- com_err(progname, kret,
- "while initializing V4 random key generator");
- goto whoops;
- }
-
- (void) des_init_random_number_generator(temp_key.contents);
- krb5_free_keyblock_contents(rdp->realm_context, &temp_key);
-#endif
rkey_init_done = 1;
}
whoops:
@@ -421,7 +429,7 @@
void
usage(char *name)
{
- fprintf(stderr, "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n\t\t[-R replaycachename] [-m] [-k masterenctype] [-M masterkeyname]\n\t\t[-p port] [-4 v4mode] [-X] [-n]\n"
+ fprintf(stderr, "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n\t\t[-R replaycachename] [-m] [-k masterenctype] [-M masterkeyname]\n\t\t[-p port] [-n]\n"
"\nwhere,\n\t[-x db_args]* - Any number of database specific arguments. Look at\n"
"\t\t\teach database module documentation for supported\n\t\t\targuments\n",
name);
@@ -447,9 +455,6 @@
char **db_args = NULL;
int db_args_size = 0;
-#ifdef KRB5_KRB4_COMPAT
- char *v4mode = 0;
-#endif
extern char *optarg;
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
@@ -461,11 +466,10 @@
hierarchy[1] = "kdc_tcp_ports";
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
default_tcp_ports = 0;
-#ifdef KRB5_KRB4_COMPAT
- hierarchy[1] = "v4_mode";
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
- v4mode = 0;
-#endif
+ hierarchy[1] = "kdc_max_dgram_reply_size";
+ if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
+ max_dgram_reply_size = MAX_DGRAM_SIZE;
+
/* aprof_init can return 0 with aprof == NULL */
if (aprof)
krb5_aprof_finish(aprof);
@@ -575,17 +579,9 @@
#endif
break;
case '4':
-#ifdef KRB5_KRB4_COMPAT
- if (v4mode)
- free(v4mode);
- v4mode = strdup(optarg);
-#endif
break;
case 'X':
-#ifdef KRB5_KRB4_COMPAT
- enable_v4_crossrealm(argv[0]);
-#endif
- break;
+ break;
case '?':
default:
usage(argv[0]);
@@ -593,15 +589,7 @@
}
}
-#ifdef KRB5_KRB4_COMPAT
/*
- * Setup the v4 mode
- */
- process_v4_mode(argv[0], v4mode);
- free(v4mode);
-#endif
-
- /*
* Check to see if we processed any realms.
*/
if (kdc_numrealms == 0) {
Modified: branches/mkey_migrate/src/kdc/network.c
===================================================================
--- branches/mkey_migrate/src/kdc/network.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/network.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -160,7 +160,7 @@
if (getnameinfo(sa, socklen(sa),
buf, sizeof(buf), portbuf, sizeof(portbuf),
NI_NUMERICHOST|NI_NUMERICSERV))
- strcpy(buf, "<unprintable>");
+ strlcpy(buf, "<unprintable>", sizeof(buf));
else {
unsigned int len = sizeof(buf) - strlen(buf);
char *p = buf + strlen(buf);
@@ -527,26 +527,28 @@
/* Sockets are created, prepare to listen on them. */
if (s4 >= 0) {
- FD_SET(s4, &sstate.rfds);
- if (s4 >= sstate.max)
- sstate.max = s4 + 1;
if (add_tcp_listener_fd(data, s4) == 0)
close(s4);
- else
+ else {
+ FD_SET(s4, &sstate.rfds);
+ if (s4 >= sstate.max)
+ sstate.max = s4 + 1;
krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
s4, paddr((struct sockaddr *)&sin4));
+ }
}
#ifdef KRB5_USE_INET6
if (s6 >= 0) {
- FD_SET(s6, &sstate.rfds);
- if (s6 >= sstate.max)
- sstate.max = s6 + 1;
if (add_tcp_listener_fd(data, s6) == 0) {
close(s6);
s6 = -1;
- } else
+ } else {
+ FD_SET(s6, &sstate.rfds);
+ if (s6 >= sstate.max)
+ sstate.max = s6 + 1;
krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
s6, paddr((struct sockaddr *)&sin6));
+ }
if (s4 < 0)
krb5_klog_syslog(LOG_INFO,
"assuming IPv6 socket accepts IPv4");
@@ -665,9 +667,6 @@
return 1;
}
}
- FD_SET (sock, &sstate.rfds);
- if (sock >= sstate.max)
- sstate.max = sock + 1;
krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock,
paddr((struct sockaddr *)addr),
pktinfo ? " (pktinfo)" : "");
@@ -675,6 +674,9 @@
close(sock);
return 1;
}
+ FD_SET (sock, &sstate.rfds);
+ if (sock >= sstate.max)
+ sstate.max = sock + 1;
}
return 0;
}
@@ -695,7 +697,7 @@
err = getnameinfo(addr, socklen(addr), haddrbuf, sizeof(haddrbuf),
0, 0, NI_NUMERICHOST);
if (err)
- strcpy(haddrbuf, "<unprintable>");
+ strlcpy(haddrbuf, "<unprintable>", sizeof(haddrbuf));
switch (addr->sa_family) {
case AF_INET:
@@ -1154,6 +1156,38 @@
#endif
}
+static krb5_error_code
+make_too_big_error (krb5_data **out)
+{
+ krb5_error errpkt;
+ krb5_error_code retval;
+ krb5_data *scratch;
+
+ memset(&errpkt, 0, sizeof(errpkt));
+
+ retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
+ if (retval)
+ return retval;
+ errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
+ errpkt.server = tgs_server;
+ errpkt.client = NULL;
+ errpkt.text.length = 0;
+ errpkt.text.data = 0;
+ errpkt.e_data.length = 0;
+ errpkt.e_data.data = 0;
+ scratch = malloc(sizeof(*scratch));
+ if (scratch == NULL)
+ return ENOMEM;
+ retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ if (retval) {
+ free(scratch);
+ return retval;
+ }
+
+ *out = scratch;
+ return 0;
+}
+
static void process_packet(struct connection *conn, const char *prog,
int selflags)
{
@@ -1192,7 +1226,7 @@
char addrbuf[100];
if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf),
0, 0, NI_NUMERICHOST))
- strcpy(addrbuf, "?");
+ strlcpy(addrbuf, "?", sizeof(addrbuf));
com_err(prog, 0, "pktinfo says local addr is %s", addrbuf);
}
#endif
@@ -1208,6 +1242,16 @@
}
if (response == NULL)
return;
+ if (response->length > max_dgram_reply_size) {
+ krb5_free_data(kdc_context, response);
+ retval = make_too_big_error(&response);
+ if (retval) {
+ krb5_klog_syslog(LOG_ERR,
+ "error constructing KRB_ERR_RESPONSE_TOO_BIG error: %s",
+ error_message(retval));
+ return;
+ }
+ }
cc = send_to_from(port_fd, response->data, (socklen_t) response->length, 0,
(struct sockaddr *)&saddr, saddr_len,
(struct sockaddr *)&daddr, daddr_len);
@@ -1216,7 +1260,7 @@
krb5_free_data(kdc_context, response);
if (inet_ntop(((struct sockaddr *)&saddr)->sa_family,
addr.contents, addrbuf, sizeof(addrbuf)) == 0) {
- strcpy(addrbuf, "?");
+ strlcpy(addrbuf, "?", sizeof(addrbuf));
}
com_err(prog, errno, "while sending reply to %s/%d",
addrbuf, faddr.port);
@@ -1269,7 +1313,7 @@
newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf),
tmpbuf, sizeof(tmpbuf),
NI_NUMERICHOST | NI_NUMERICSERV))
- strcpy(newconn->u.tcp.addrbuf, "???");
+ strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf));
else {
char *p, *end;
p = newconn->u.tcp.addrbuf;
@@ -1277,7 +1321,7 @@
p += strlen(p);
if (end - p > 2 + strlen(tmpbuf)) {
*p++ = '.';
- strcpy(p, tmpbuf);
+ strlcpy(p, tmpbuf, end - p);
}
}
#if 0
@@ -1554,7 +1598,13 @@
while (!signal_requests_exit) {
if (signal_requests_hup) {
+ int k;
+
krb5_klog_reopen(kdc_context);
+ for (k = 0; k < kdc_numrealms; k++)
+ krb5_db_invoke(kdc_realmlist[k]->realm_context,
+ KRB5_KDB_METHOD_REFRESH_POLICY,
+ NULL, NULL);
signal_requests_hup = 0;
}
Modified: branches/mkey_migrate/src/kdc/policy.c
===================================================================
--- branches/mkey_migrate/src/kdc/policy.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kdc/policy.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,15 +25,49 @@
*
* Policy decision routines for KDC.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "kdc_util.h"
+#include "extern.h"
int
against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
const char **status)
{
+ krb5_error_code code;
+ kdb_check_policy_as_req req;
+ kdb_check_policy_as_rep rep;
+ krb5_data req_data;
+ krb5_data rep_data;
+
#if 0
/* An AS request must include the addresses field */
if (request->addresses == 0) {
@@ -41,8 +75,37 @@
return KRB5KDC_ERR_POLICY;
}
#endif
-
- return 0; /* not against policy */
+
+ memset(&req, 0, sizeof(req));
+ memset(&rep, 0, sizeof(rep));
+
+ req.request = request;
+ req.client = &client;
+ req.server = &server;
+ req.kdc_time = kdc_time;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = (void *)&rep;
+ rep_data.length = sizeof(rep);
+
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_CHECK_POLICY_AS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP)
+ return 0;
+
+ *status = rep.status;
+
+ if (code != 0) {
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = KRB_ERR_GENERIC;
+ }
+
+ return code;
}
/*
@@ -52,6 +115,12 @@
against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
krb5_ticket *ticket, const char **status)
{
+ krb5_error_code code;
+ kdb_check_policy_tgs_req req;
+ kdb_check_policy_tgs_rep rep;
+ krb5_data req_data;
+ krb5_data rep_data;
+
#if 0
/*
* For example, if your site wants to disallow ticket forwarding,
@@ -63,13 +132,35 @@
return KRB5KDC_ERR_POLICY;
}
#endif
-
- return 0; /* not against policy */
-}
+ memset(&req, 0, sizeof(req));
+ memset(&rep, 0, sizeof(rep));
+ req.request = request;
+ req.server = &server;
+ req.ticket = ticket;
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+ rep_data.data = (void *)&rep;
+ rep_data.length = sizeof(rep);
+ code = krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_CHECK_POLICY_TGS,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP)
+ return 0;
+ *status = rep.status;
+ if (code != 0) {
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = KRB_ERR_GENERIC;
+ }
+
+ return code;
+}
+
Modified: branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.h
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -65,6 +65,7 @@
IBOutlet NSWindow *ticketOptionsSheet;
IBOutlet NSObjectController *ticketOptionsController;
+ BOOL visibleAsSheet;
IBOutlet NSSlider *validLifetimeSlider;
IBOutlet NSSlider *renewableLifetimeSlider;
@@ -79,12 +80,12 @@
- (void) setContent: (NSMutableDictionary *) newContent;
-- (void) showEnterIdentity;
-- (void) showAuthPrompt;
-- (void) showEnterPassword;
-- (void) showSAM;
-- (void) showChangePassword;
-- (void) showError;
+- (void) showEnterIdentity: (NSWindow *) parentWindow;
+- (void) showAuthPrompt: (NSWindow *) parentWindow;
+- (void) showEnterPassword: (NSWindow *) parentWindow;
+- (void) showSAM: (NSWindow *) parentWindow;
+- (void) showChangePassword: (NSWindow *) parentWindow;
+- (void) showError: (NSWindow *) parentWindow;
- (IBAction) cancel: (id) sender;
- (IBAction) enterIdentity: (id) sender;
@@ -92,18 +93,28 @@
- (IBAction) changePassword: (id) sender;
- (IBAction) showedError: (id) sender;
+- (IBAction) checkboxDidChange: (id) sender;
- (IBAction) sliderDidChange: (id) sender;
- (IBAction) showTicketOptions: (id) sender;
- (IBAction) cancelTicketOptions: (id) sender;
- (IBAction) saveTicketOptions: (id) sender;
-- (void) sheetDidEnd: (NSWindow *) sheet
+- (IBAction) cancelAuthSheet: (id) sender;
+
+- (void) authSheetDidEnd: (NSWindow *) sheet
+ returnCode: (int) returnCode
+ contextInfo: (void *) contextInfo;
+- (void) ticketOptionsSheetDidEnd: (NSWindow *) sheet
returnCode: (int) returnCode
contextInfo: (void *) contextInfo;
- (IBAction) changePasswordGearAction: (id) sender;
- (void) swapView: (NSView *) aView;
+- (void) showSpinny;
+- (void) hideSpinny;
+- (void) clearSensitiveInputs;
+- (void) clearAllInputs;
@end
Modified: branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/AuthenticationController.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -75,7 +75,9 @@
{
[[self window] center];
// We need to float over the loginwindow and SecurityAgent so use its hardcoded level.
- [[self window] setLevel:NSScreenSaverWindowLevel];
+ [[self window] setLevel:NSModalPanelWindowLevel];
+
+ visibleAsSheet = NO;
lifetimeFormatter.displaySeconds = NO;
lifetimeFormatter.displayShortFormat = NO;
@@ -136,6 +138,9 @@
[glueController setValue:[NSNumber numberWithBool:valid]
forKeyPath:change_password_ok_keypath];
}
+ else {
+ [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
+ }
}
else {
[super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
@@ -148,14 +153,98 @@
[super showWindow:sender];
}
+- (void) showWithParent: (NSWindow *) parentWindow
+{
+ // attach as sheet if given a parentWindow
+ if (parentWindow && !visibleAsSheet) {
+ [NSApp beginSheet:[self window]
+ modalForWindow:parentWindow
+ modalDelegate:self
+ didEndSelector:@selector(authSheetDidEnd:returnCode:contextInfo:)
+ contextInfo:NULL];
+ }
+ // else, display as normal
+ else {
+ [self showWindow:nil];
+ }
+}
+
+- (void) windowWillBeginSheet: (NSNotification *) notification
+{
+ visibleAsSheet = YES;
+}
+
+- (void) windowDidEndSheet: (NSNotification *) notification
+{
+ visibleAsSheet = NO;
+}
+
- (void) setContent: (NSMutableDictionary *) newContent
{
[self window]; // wake up the nib connections
[glueController setContent:newContent];
}
-- (void) showEnterIdentity
+- (void) swapView: (NSView *) aView
{
+ NSWindow *theWindow = [self window];
+ NSRect windowFrame;
+ NSRect viewFrame;
+
+ [[containerView subviews] makeObjectsPerformSelector:@selector(removeFromSuperview)];
+
+ windowFrame = [theWindow frame];
+ viewFrame = [theWindow frameRectForContentRect:[aView frame]];
+ windowFrame.origin.y -= viewFrame.size.height - windowFrame.size.height;
+
+ windowFrame.size.width = viewFrame.size.width;
+ windowFrame.size.height = viewFrame.size.height;
+
+ [theWindow setFrame:windowFrame display:YES animate:YES];
+
+ [containerView addSubview:aView];
+
+}
+
+- (void) showSpinny
+{
+ [enterSpinny startAnimation: nil];
+ [passwordSpinny startAnimation: nil];
+ [samSpinny startAnimation: nil];
+ [changePasswordSpinny startAnimation: nil];
+ [glueController setValue:[NSNumber numberWithBool:NO]
+ forKeyPath:accepting_input_keypath];
+}
+
+- (void) hideSpinny
+{
+ [enterSpinny stopAnimation: nil];
+ [passwordSpinny stopAnimation: nil];
+ [samSpinny stopAnimation: nil];
+ [changePasswordSpinny stopAnimation: nil];
+ [glueController setValue:[NSNumber numberWithBool:YES]
+ forKeyPath:accepting_input_keypath];
+}
+
+- (void) clearSensitiveInputs
+{
+ [glueController setValue:@""
+ forKeyPath:prompt_response_keypath];
+}
+
+- (void) clearAllInputs
+{
+ [glueController setValue:@""
+ forKeyPath:old_password_keypath];
+ [glueController setValue:@""
+ forKeyPath:new_password_keypath];
+ [glueController setValue:@""
+ forKeyPath:verify_password_keypath];
+ [self clearSensitiveInputs];
+}
+
+- (void) showEnterIdentity: (NSWindow *) parentWindow
+{
kim_error err = KIM_NO_ERROR;
NSWindow *theWindow = [self window];
NSString *key = (associatedClient.name) ? ACAppPrincReqKey : ACPrincReqKey;
@@ -218,32 +307,34 @@
[glueController setValue:message
forKeyPath:message_keypath];
- [enterSpinny stopAnimation:nil];
+ [self hideSpinny];
+ [self clearAllInputs];
[self swapView:identityView];
[theWindow makeFirstResponder:identityField];
- [[self window] makeKeyAndOrderFront:nil];
+ [self showWithParent: parentWindow];
}
-- (void) showAuthPrompt
+- (void) showAuthPrompt: (NSWindow *) parentWindow
{
uint32_t type = [[glueController valueForKeyPath:@"content.prompt_type"] unsignedIntegerValue];
- [passwordSpinny stopAnimation:nil];
- [samSpinny stopAnimation:nil];
+ [self hideSpinny];
+ [self clearSensitiveInputs];
+
switch (type) {
case kim_prompt_type_password :
- [self showEnterPassword]; break;
+ [self showEnterPassword: parentWindow]; break;
case kim_prompt_type_preauth :
default :
- [self showSAM]; break;
+ [self showSAM: parentWindow]; break;
}
}
-- (void) showEnterPassword
+- (void) showEnterPassword: (NSWindow *) parentWindow
{
CGFloat shrinkBy;
NSRect frame;
@@ -283,32 +374,11 @@
[self swapView:passwordView];
[theWindow makeFirstResponder:passwordField];
- [self showWindow:nil];
+ [self showWithParent:parentWindow];
}
-- (void) swapView: (NSView *) aView
+- (void) showSAM: (NSWindow *) parentWindow
{
- NSWindow *theWindow = [self window];
- NSRect windowFrame;
- NSRect viewFrame;
-
- [[containerView subviews] makeObjectsPerformSelector:@selector(removeFromSuperview)];
-
- windowFrame = [theWindow frame];
- viewFrame = [theWindow frameRectForContentRect:[aView frame]];
- windowFrame.origin.y -= viewFrame.size.height - windowFrame.size.height;
-
- windowFrame.size.width = viewFrame.size.width;
- windowFrame.size.height = viewFrame.size.height;
-
- [theWindow setFrame:windowFrame display:YES animate:YES];
-
- [containerView addSubview:aView];
-
-}
-
-- (void) showSAM
-{
// set badge
[samBadge setBadgePath:associatedClient.path];
@@ -317,11 +387,11 @@
[self swapView:samView];
- [self showWindow:nil];
[[self window] makeFirstResponder:samPromptField];
+ [self showWithParent:parentWindow];
}
-- (void) showChangePassword
+- (void) showChangePassword: (NSWindow *) parentWindow
{
NSString *key = ([glueController valueForKeyPath:password_expired_keypath]) ? ACAppPrincReqKey : ACPrincReqKey;
NSString *message = [NSString stringWithFormat:
@@ -358,26 +428,45 @@
// set badge
[changePasswordBadge setBadgePath:associatedClient.path];
- [changePasswordSpinny stopAnimation:nil];
+ [self hideSpinny];
+ if (![[self window] isVisible]) {
+ [self clearAllInputs];
+ }
+
[self swapView:changePasswordView];
-
- [self showWindow:nil];
+
+ [self showWithParent:parentWindow];
+
[theWindow makeFirstResponder:oldPasswordField];
}
-- (void) showError
+- (void) showError: (NSWindow *) parentWindow
{
// wake up the nib connections and adjust window size
[self window];
// set badge
[errorBadge setBadgePath:associatedClient.path];
+ [self hideSpinny];
[self swapView:errorView];
- [self showWindow:nil];
+ [self showWithParent:parentWindow];
}
+- (IBAction) checkboxDidChange: (id) sender
+{
+ if ([[ticketOptionsController valueForKeyPath:uses_default_options_keypath] boolValue]) {
+ // merge defaults onto current options
+ NSMutableDictionary *currentOptions = [ticketOptionsController content];
+ NSDictionary *defaultOptions = [KIMUtilities dictionaryForKimOptions:NULL];
+ [currentOptions addEntriesFromDictionary:defaultOptions];
+ // update the sliders, since their values aren't bound
+ [validLifetimeSlider setDoubleValue:[[ticketOptionsController valueForKeyPath:valid_lifetime_keypath] doubleValue]];
+ [renewableLifetimeSlider setDoubleValue:[[ticketOptionsController valueForKeyPath:renewal_lifetime_keypath] doubleValue]];
+ }
+}
+
- (IBAction) sliderDidChange: (id) sender
{
NSInteger increment = 0;
@@ -412,13 +501,12 @@
options = [favoriteOptions objectForKey:expandedString];
}
- // else fallback to options passed from client
- // use a copy of the current options
+ // else, it's not a favorite identity. use default options
if (!options) {
- options = [[[glueController valueForKeyPath:options_keypath] mutableCopy] autorelease];
+ options = [KIMUtilities dictionaryForKimOptions:KIM_OPTIONS_DEFAULT];
}
- [ticketOptionsController setContent:options];
+ [ticketOptionsController setContent:[[options mutableCopy] autorelease]];
[ticketOptionsController setValue:[NSNumber numberWithInteger:[KIMUtilities minValidLifetime]]
forKeyPath:min_valid_keypath];
@@ -439,7 +527,7 @@
[NSApp beginSheet:ticketOptionsSheet
modalForWindow:[self window]
modalDelegate:self
- didEndSelector:@selector(sheetDidEnd:returnCode:contextInfo:)
+ didEndSelector:@selector(ticketOptionsSheetDidEnd:returnCode:contextInfo:)
contextInfo:NULL];
}
@@ -453,10 +541,23 @@
[NSApp endSheet:ticketOptionsSheet];
}
-- (void) sheetDidEnd: (NSWindow *) sheet
- returnCode: (int) returnCode
- contextInfo: (void *) contextInfo
+- (IBAction) cancelAuthSheet: (id) sender
{
+ [NSApp endSheet:[self window]];
+}
+
+- (void) authSheetDidEnd: (NSWindow *) sheet
+ returnCode: (int) returnCode
+ contextInfo: (void *) contextInfo
+{
+ [sheet orderOut:nil];
+}
+
+
+- (void) ticketOptionsSheetDidEnd: (NSWindow *) sheet
+ returnCode: (int) returnCode
+ contextInfo: (void *) contextInfo
+{
if (returnCode == NSUserCancelledError) {
// discard new options
[ticketOptionsController setContent:nil];
@@ -487,12 +588,11 @@
}
if (!identity) { err = KIM_BAD_PRINCIPAL_STRING_ERR; }
- if (!options) { err = KIM_BAD_OPTIONS_ERR; }
- if (!err && identity) {
+ if (!err) {
err = kim_preferences_remove_favorite_identity(prefs, identity);
}
- if (!err && identity && options) {
+ if (!err) {
err = kim_preferences_add_favorite_identity(prefs, identity, options);
}
if (!err) {
@@ -515,7 +615,7 @@
options = [glueController valueForKeyPath:options_keypath];
}
- [enterSpinny startAnimation:nil];
+ [self showSpinny];
// the principal must already be valid to get this far
[associatedClient didEnterIdentity:expandedString options:options wantsChangePassword:YES];
@@ -523,6 +623,7 @@
- (IBAction) cancel: (id) sender
{
+ [NSApp endSheet:[self window]];
[associatedClient didCancel];
}
@@ -535,7 +636,7 @@
options = [glueController valueForKeyPath:options_keypath];
}
- [enterSpinny startAnimation:nil];
+ [self showSpinny];
// the principal must already be valid to get this far
[associatedClient didEnterIdentity:expandedString options:options wantsChangePassword:NO];
@@ -549,8 +650,8 @@
if (!saveResponse) {
saveResponse = [NSNumber numberWithBool:NO];
}
- [passwordSpinny startAnimation:nil];
- [samSpinny startAnimation:nil];
+
+ [self showSpinny];
[associatedClient didPromptForAuth:responseString
saveResponse:saveResponse];
}
@@ -561,11 +662,12 @@
NSString *newString = [glueController valueForKeyPath:new_password_keypath];
NSString *verifyString = [glueController valueForKeyPath:verify_password_keypath];
- [changePasswordSpinny startAnimation:nil];
+ [self showSpinny];
[associatedClient didChangePassword:oldString
newPassword:newString
verifyPassword:verifyString];
+ [NSApp endSheet:[self window]];
}
- (IBAction) showedError: (id) sender
Modified: branches/mkey_migrate/src/kim/agent/mac/IPCClient.h
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/IPCClient.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/IPCClient.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,6 +28,7 @@
@class SelectIdentityController;
@class AuthenticationController;
+ at class Identities;
@interface IPCClient : NSObject {
mach_port_t port;
@@ -49,6 +50,7 @@
@property (readonly, retain) AuthenticationController *authController;
- (void) cleanup;
+- (void) saveIdentityToFavoritesIfSuccessful;
- (kim_error) selectIdentity: (NSDictionary *) info;
- (kim_error) enterIdentity: (NSDictionary *) info;
Modified: branches/mkey_migrate/src/kim/agent/mac/IPCClient.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/IPCClient.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/IPCClient.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,6 +27,7 @@
#import "SelectIdentityController.h"
#import "AuthenticationController.h"
#import "KerberosAgentListener.h"
+#import "Identities.h"
enum krb_agent_client_state {
ipc_client_state_idle,
@@ -71,21 +72,69 @@
{
self = [super init];
if (self != nil) {
+ kim_error err = KIM_NO_ERROR;
+ kim_preferences prefs = NULL;
+ kim_identity identity = NULL;
+ kim_string identity_string = NULL;
+
self.state = ipc_client_state_init;
self.selectController = [[[SelectIdentityController alloc] init] autorelease];
self.authController = [[[AuthenticationController alloc] init] autorelease];
self.selectController.associatedClient = self;
self.authController.associatedClient = self;
+ self.currentInfo = [NSMutableDictionary dictionary];
+
+ // pre-populate the identity_string if there's a default identity
+ err = kim_preferences_create(&prefs);
+ if (!err && prefs) {
+ err = kim_preferences_get_client_identity(prefs, &identity);
+ }
+ if (!err && identity) {
+ err = kim_identity_get_display_string(identity, &identity_string);
+ }
+ if (!err && identity_string) {
+ [self.currentInfo setObject:[NSString stringWithUTF8String:identity_string]
+ forKey:@"identity_string"];
+ }
+
+ kim_string_free(&identity_string);
+ kim_identity_free(&identity);
+ kim_preferences_free(&prefs);
}
return self;
}
- (void) cleanup
{
+ if (![[self.selectController window] isVisible]) {
+ [self saveIdentityToFavoritesIfSuccessful];
+ }
[self.selectController close];
[self.authController close];
+ self.selectController = nil;
+ self.authController = nil;
+ self.currentInfo = nil;
}
+- (void) saveIdentityToFavoritesIfSuccessful
+{
+ NSString *identityString = [self.currentInfo valueForKeyPath:@"identity_string"];
+ NSDictionary *options = [self.currentInfo valueForKeyPath:@"options"];
+
+ Identities *identities = [[Identities alloc] init];
+ Identity *theIdentity = [[Identity alloc] initWithIdentity:identityString
+ options:options];
+ for (Identity *anIdentity in [identities identities]) {
+ if ([anIdentity isEqual:theIdentity]) {
+ if (!anIdentity.favorite) {
+ anIdentity.favorite = YES;
+ [identities synchronizePreferences];
+ }
+ break;
+ }
+ }
+}
+
- (void) didCancel
{
kim_error err = KIM_USER_CANCELED_ERR;
@@ -104,14 +153,24 @@
else if (self.state == ipc_client_state_change_password) {
[KerberosAgentListener didChangePassword:self.currentInfo error:err];
}
- self.state = ipc_client_state_idle;
+
+ if ([[self.selectController window] isVisible]) {
+ self.state = ipc_client_state_select;
+ }
+ else {
+ self.state = ipc_client_state_idle;
+ }
}
- (kim_error) selectIdentity: (NSDictionary *) info
{
- self.currentInfo = [[info mutableCopy] autorelease];
+ [self.currentInfo addEntriesFromDictionary:info];
self.state = ipc_client_state_select;
+ if ([[self.authController window] isVisible]) {
+ [self.authController cancelAuthSheet:nil];
+ }
+
[self.selectController setContent:self.currentInfo];
[self.selectController showWindow:nil];
@@ -137,17 +196,25 @@
[KerberosAgentListener didSelectIdentity:self.currentInfo error:0];
// clean up state
- self.currentInfo = nil;
- self.state = ipc_client_state_idle;
+ if (!wantsChangePassword) {
+ self.state = ipc_client_state_idle;
+ }
}
- (kim_error) enterIdentity: (NSDictionary *) info
{
- self.currentInfo = [[info mutableCopy] autorelease];
+ NSWindow *parentWindow = nil;
+
+ [self.currentInfo addEntriesFromDictionary:info];
+
+ if ([[self.selectController window] isVisible]) {
+ parentWindow = [selectController window];
+ }
+
self.state = ipc_client_state_enter;
[self.authController setContent:self.currentInfo];
- [self.authController showEnterIdentity];
+ [self.authController showEnterIdentity:parentWindow];
return 0;
}
@@ -160,15 +227,29 @@
[self.currentInfo setObject:options forKey:@"options"];
[self.currentInfo setObject:[NSNumber numberWithBool:wantsChangePassword] forKey:@"wants_change_password"];
[KerberosAgentListener didEnterIdentity:self.currentInfo error:0];
+
+ if ([[self.selectController window] isVisible]) {
+ self.state = ipc_client_state_select;
+ }
+ else {
+ self.state = ipc_client_state_idle;
+ }
}
- (kim_error) promptForAuth: (NSDictionary *) info
{
- self.currentInfo = [[info mutableCopy] autorelease];
+ NSWindow *parentWindow = nil;
+
+ [self.currentInfo addEntriesFromDictionary:info];
+
+ if ([[self.selectController window] isVisible]) {
+ parentWindow = [selectController window];
+ }
+
self.state = ipc_client_state_auth_prompt;
[self.authController setContent:self.currentInfo];
- [self.authController showAuthPrompt];
+ [self.authController showAuthPrompt:parentWindow];
return 0;
}
@@ -178,15 +259,29 @@
[self.currentInfo setObject:responseString forKey:@"prompt_response"];
[self.currentInfo setObject:saveResponse forKey:@"save_response"];
[KerberosAgentListener didPromptForAuth:self.currentInfo error:0];
+
+ if ([[self.selectController window] isVisible]) {
+ self.state = ipc_client_state_select;
+ }
+ else {
+ self.state = ipc_client_state_idle;
+ }
}
- (kim_error) changePassword: (NSDictionary *) info
{
- self.currentInfo = [[info mutableCopy] autorelease];
+ NSWindow *parentWindow = nil;
+
+ [self.currentInfo addEntriesFromDictionary:info];
+
+ if ([[self.selectController window] isVisible]) {
+ parentWindow = [selectController window];
+ }
+
self.state = ipc_client_state_change_password;
[self.authController setContent:self.currentInfo];
- [self.authController showChangePassword];
+ [self.authController showChangePassword:parentWindow];
return 0;
}
@@ -198,23 +293,45 @@
[self.currentInfo setObject:oldPassword forKey:@"old_password"];
[self.currentInfo setObject:newPassword forKey:@"new_password"];
[self.currentInfo setObject:verifyPassword forKey:@"verify_password"];
+
+ if ([[self.selectController window] isVisible]) {
+ self.state = ipc_client_state_select;
+ }
+ else {
+ self.state = ipc_client_state_idle;
+ }
+
[KerberosAgentListener didChangePassword:self.currentInfo error:0];
}
- (kim_error) handleError: (NSDictionary *) info
{
- self.currentInfo = [[info mutableCopy] autorelease];
+ NSWindow *parentWindow = nil;
+
+ [self.currentInfo addEntriesFromDictionary:info];
+
+ if ([[self.selectController window] isVisible]) {
+ parentWindow = [selectController window];
+ }
+
self.state = ipc_client_state_handle_error;
[self.authController setContent:self.currentInfo];
- [self.authController showError];
+ [self.authController showError:parentWindow];
return 0;
}
- (void) didHandleError
{
+ if ([[self.selectController window] isVisible]) {
+ self.state = ipc_client_state_select;
+ }
+ else {
+ self.state = ipc_client_state_idle;
+ }
+
[KerberosAgentListener didHandleError:self.currentInfo error:0];
}
Modified: branches/mkey_migrate/src/kim/agent/mac/Identities.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/Identities.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/Identities.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -48,41 +48,7 @@
{
NSMutableSet *result = [[super keyPathsForValuesAffectingValueForKey:key] mutableCopy];
NSSet *otherKeys = nil;
-
-// if ([key isEqualToString:@"principalString"]) {
-// otherKeys = [NSSet setWithObjects:@"kimIdentity", nil];
-// }
-// else if ([key isEqualToString:@"expirationDate"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", @"state", @"expirationTime", nil];
-// }
-// else if ([key isEqualToString:@"expirationString"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", @"state", @"expirationTime", nil];
-// }
-// else if ([key isEqualToString:@"isProxiable"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"isForwardable"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"isAddressless"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"isRenewable"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"validLifetime"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"renewableLifetime"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", nil];
-// }
-// else if ([key isEqualToString:@"validLifetimeString"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", @"validLifetime", nil];
-// }
-// else if ([key isEqualToString:@"renewableLifetimeString"]) {
-// otherKeys = [NSSet setWithObjects:@"kimOptions", @"renewableLifetime", nil];
-// }
-
+
[result unionSet:otherKeys];
return [result autorelease];
@@ -511,7 +477,7 @@
}
//NSLog(@"waited %@", [[NSThread currentThread] description]);
- [(Identities *) [connection rootProxy] update];
+ [(Identities *) [connection rootProxy] reload];
sleep (1);
}
Modified: branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.h
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -53,6 +53,7 @@
#define options_keypath @"content.options"
+#define uses_default_options_keypath @"content.usesDefaultTicketOptions"
#define valid_lifetime_keypath @"content.valid_lifetime"
#define renewal_lifetime_keypath @"content.renewal_lifetime"
#define renewable_keypath @"content.renewable"
@@ -65,6 +66,7 @@
#define max_renewable_keypath @"content.maxRenewableLifetime"
#define wants_change_password_keypath @"content.wants_change_password"
+#define accepting_input_keypath @"content.acceptingInput"
#define ACKVOContext @"authenticationController"
Modified: branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/KIMUtilities.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -109,6 +109,7 @@
+ (NSDictionary *) dictionaryForKimOptions: (kim_options) options
{
kim_error err = KIM_NO_ERROR;
+ kim_preferences prefs = NULL;
NSMutableDictionary *newDict = [NSMutableDictionary dictionaryWithCapacity:8];
kim_boolean addressless = FALSE;
kim_boolean forwardable = FALSE;
@@ -119,6 +120,15 @@
kim_string service_name = NULL;
kim_time start_time = 0;
+ if (options == KIM_OPTIONS_DEFAULT) {
+ [newDict setObject:[NSNumber numberWithBool:YES]
+ forKey:@"usesDefaultTicketOptions"];
+ err = kim_preferences_create(&prefs);
+ if (!err) {
+ err = kim_preferences_get_options(prefs, &options);
+ }
+ }
+
if (!err) {
err = kim_options_get_addressless(options, &addressless);
}
@@ -177,6 +187,12 @@
forKey:@"start_time"];
}
+ // only free options if it was allocated by this method
+ if (prefs) {
+ kim_options_free(&options);
+ kim_preferences_free(&prefs);
+ }
+
return newDict;
}
@@ -184,16 +200,29 @@
{
kim_error err = KIM_NO_ERROR;
kim_options options = NULL;
- kim_boolean addressless = [[aDict valueForKey:@"addressless"] boolValue];
- kim_boolean forwardable = [[aDict valueForKey:@"forwardable"] boolValue];
- kim_boolean proxiable = [[aDict valueForKey:@"proxiable"] boolValue];
- kim_boolean renewable = [[aDict valueForKey:@"renewable"] boolValue];
- kim_lifetime valid_lifetime = [[aDict valueForKey:@"valid_lifetime"] integerValue];
- kim_lifetime renewal_lifetime = [[aDict valueForKey:@"renewal_lifetime"] integerValue];
- kim_string service_name = ([[aDict valueForKey:@"service_name"] length] > 0) ?
- [[aDict valueForKey:@"service_name"] UTF8String] : NULL;
- kim_time start_time = [[aDict valueForKey:@"start_time"] integerValue];
+ kim_boolean addressless;
+ kim_boolean forwardable;
+ kim_boolean proxiable;
+ kim_boolean renewable;
+ kim_lifetime valid_lifetime;
+ kim_lifetime renewal_lifetime;
+ kim_string service_name;
+ kim_time start_time;
+
+ if (!aDict || [[aDict objectForKey:@"usesDefaultTicketOptions"] boolValue]) {
+ return KIM_OPTIONS_DEFAULT;
+ }
+ addressless = [[aDict valueForKey:@"addressless"] boolValue];
+ forwardable = [[aDict valueForKey:@"forwardable"] boolValue];
+ proxiable = [[aDict valueForKey:@"proxiable"] boolValue];
+ renewable = [[aDict valueForKey:@"renewable"] boolValue];
+ valid_lifetime = [[aDict valueForKey:@"valid_lifetime"] integerValue];
+ renewal_lifetime = [[aDict valueForKey:@"renewal_lifetime"] integerValue];
+ service_name = ([[aDict valueForKey:@"service_name"] length] > 0) ?
+ [[aDict valueForKey:@"service_name"] UTF8String] : NULL;
+ start_time = [[aDict valueForKey:@"start_time"] integerValue];
+
if (!err) {
err = kim_options_create (&options);
}
Modified: branches/mkey_migrate/src/kim/agent/mac/KerberosAgent-Info.plist
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/KerberosAgent-Info.plist 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/KerberosAgent-Info.plist 2009-01-10 01:06:45 UTC (rev 21722)
@@ -12,10 +12,14 @@
<string>edu.mit.Kerberos.KerberosAgent</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
+ <key>CFBundleName</key>
+ <string>KerberosAgent</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>KrbA</string>
+ <key>CFBundleShortVersionString</key>
+ <string>1.0</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>NSMainNibFile</key>
Modified: branches/mkey_migrate/src/kim/agent/mac/KerberosAgentController.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/KerberosAgentController.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/KerberosAgentController.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,7 +64,6 @@
- (void) quitIfIdle: (NSTimer *) timer
{
if ([self.clients count] == 0) {
- NSLog(@"No active clients. Terminating.");
[NSApp terminate:nil];
}
autoQuitTimer = nil;
@@ -120,6 +119,7 @@
}
[autoQuitTimer invalidate];
+ autoQuitTimer = nil;
[KerberosAgentListener didAddClient:info error:err];
[info release];
@@ -213,6 +213,7 @@
if ([self.clients count] == 0) {
// the client removes itself after select identity,
// but might come back shortly afterward in need of an auth prompt
+ [autoQuitTimer invalidate];
autoQuitTimer = [NSTimer scheduledTimerWithTimeInterval:SECONDS_BEFORE_AUTO_QUIT_ON_NO_CLIENTS
target:self
selector:@selector(quitIfIdle:)
Modified: branches/mkey_migrate/src/kim/agent/mac/KerberosAgentPrefix.pch
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/KerberosAgentPrefix.pch 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/KerberosAgentPrefix.pch 2009-01-10 01:06:45 UTC (rev 21722)
@@ -4,8 +4,6 @@
#define CacheCollectionDidChangeNotification @"CacheCollectionDidChange"
#endif
-#define BIND_8_COMPAT
-
#include <Kerberos/Kerberos.h>
#include <Kerberos/KerberosLoginPrivate.h>
#include <Kerberos/kim.h>
Modified: branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.h
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -42,6 +42,7 @@
IBOutlet NSTextField *headerTextField;
IBOutlet NSTextField *explanationTextField;
+ IBOutlet NSScrollView *identityTableScrollView;
IBOutlet NSTableView *identityTableView;
IBOutlet NSButton *addIdentityButton;
IBOutlet NSPopUpButton *actionPopupButton;
@@ -53,7 +54,7 @@
IBOutlet NSObjectController *glueController;
- IBOutlet NSWindow *identityOptionsWindow;
+ IBOutlet NSWindow *ticketOptionsWindow;
IBOutlet NSObjectController *identityOptionsController;
IBOutlet NSTextField *identityField;
IBOutlet NSTextField *staticIdentityField;
@@ -61,7 +62,10 @@
IBOutlet NSSlider *validLifetimeSlider;
IBOutlet NSSlider *renewableLifetimeSlider;
+ IBOutlet NSBox *ticketOptionsBox;
IBOutlet NSButton *ticketOptionsOkButton;
+ IBOutlet NSButton *ticketOptionsToggleButton;
+ CGFloat optionsBoxHeight;
}
@property (readwrite, retain) IPCClient *associatedClient;
@@ -73,7 +77,6 @@
- (IBAction) removeFromFavorites: (id) sender;
- (IBAction) editOptions: (id) sender;
-- (IBAction) resetOptions: (id) sender;
- (IBAction) cancelOptions: (id) sender;
- (IBAction) doneOptions: (id) sender;
@@ -82,11 +85,13 @@
- (IBAction) select: (id) sender;
- (IBAction) cancel: (id) sender;
+- (IBAction) checkboxDidChange: (id) sender;
- (IBAction) sliderDidChange: (id) sender;
- (void) showOptions: (NSString *) contextInfo;
- (void) didEndSheet: (NSWindow *) sheet returnCode: (int) returnCode contextInfo: (void *) contextInfo;
- (void) saveOptions;
+- (IBAction) toggleOptionsVisibility: (id) sender;
- (void) timedRefresh:(NSTimer *)timer;
Modified: branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.m
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.m 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/SelectIdentityController.m 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,8 +26,6 @@
#import "IPCClient.h"
#import "KerberosFormatters.h"
-#define identities_key_path @"identities"
-
@implementation SelectIdentityController
@synthesize associatedClient;
@@ -55,14 +53,13 @@
{
NSString *key = nil;
NSString *message = nil;
-
- // We need to float over the loginwindow and SecurityAgent so use its hardcoded level.
+
[[self window] center];
- [[self window] setLevel:NSScreenSaverWindowLevel];
+ [[self window] setLevel:NSModalPanelWindowLevel];
longTimeFormatter.displaySeconds = NO;
longTimeFormatter.displayShortFormat = NO;
-
+
[identityTableView setDoubleAction:@selector(select:)];
identities = [[Identities alloc] init];
[identitiesController setContent:identities];
@@ -82,6 +79,9 @@
}
[headerTextField setStringValue:message];
+ optionsBoxHeight = [ticketOptionsBox frame].size.height + [ticketOptionsBox frame].origin.y - [ticketOptionsToggleButton frame].origin.y - [ticketOptionsToggleButton frame].size.height;
+ [self toggleOptionsVisibility:nil];
+
[identityOptionsController addObserver:self
forKeyPath:identity_string_keypath
options:NSKeyValueObservingOptionNew
@@ -90,15 +90,34 @@
- (void) observeValueForKeyPath:(NSString *) keyPath ofObject: (id) object change: (NSDictionary *) change context:(void *) context
{
- if ([keyPath isEqualToString:identity_string_keypath]) {
+ if (object == identityOptionsController && [keyPath isEqualToString:identity_string_keypath]) {
BOOL enabled = [KIMUtilities validateIdentity:[identityOptionsController valueForKeyPath:identity_string_keypath]];
[identityOptionsController setValue:[NSNumber numberWithBool:enabled]
forKeyPath:@"content.canClickOK"];
}
+ else {
+ [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
+ }
}
// ---------------------------------------------------------------------------
+- (NSRect) windowWillUseStandardFrame: (NSWindow *) window defaultFrame: (NSRect) defaultFrame
+{
+ NSRect newFrame = [window frame];
+ CGFloat oldHeight = [[identityTableScrollView contentView] frame].size.height;
+ CGFloat newHeight = [identityTableView numberOfRows] *
+ ([identityTableView rowHeight] + [identityTableView intercellSpacing].height);
+ CGFloat yDelta = newHeight - oldHeight;
+
+ newFrame.origin.y -= yDelta;
+ newFrame.size.height += yDelta;
+
+ return newFrame;
+}
+
+// ---------------------------------------------------------------------------
+
- (void) setContent: (NSMutableDictionary *) newContent
{
[self window]; // wake up the nib connections
@@ -169,7 +188,7 @@
selectedIdentity = [[identityArrayController selectedObjects] lastObject];
[associatedClient didSelectIdentity: selectedIdentity.identity
- options: [identityOptionsController valueForKeyPath:@"content.options"]
+ options: [identityOptionsController content]
wantsChangePassword: NO];
}
@@ -194,18 +213,10 @@
// ---------------------------------------------------------------------------
-- (IBAction) resetOptions: (id) sender
-{
- Identity *anIdentity = [identityArrayController.selectedObjects lastObject];
- [identityOptionsController setContent:anIdentity.options];
-}
-
-// ---------------------------------------------------------------------------
-
- (IBAction) cancelOptions: (id) sender
{
identityOptionsController.content = nil;
- [NSApp endSheet:identityOptionsWindow returnCode:NSUserCancelledError];
+ [NSApp endSheet:ticketOptionsWindow returnCode:NSUserCancelledError];
// dump changed settings
[identities reload];
@@ -218,11 +229,27 @@
// Identity *anIdentity = identityOptionsController.content;
- [NSApp endSheet: identityOptionsWindow];
+ [NSApp endSheet: ticketOptionsWindow];
}
// ---------------------------------------------------------------------------
+- (IBAction) checkboxDidChange: (id) sender
+{
+ if ([[identityOptionsController valueForKeyPath:uses_default_options_keypath] boolValue]) {
+ // merge defaults onto current options
+ NSMutableDictionary *currentOptions = [identityOptionsController content];
+ NSDictionary *defaultOptions = [KIMUtilities dictionaryForKimOptions:NULL];
+ NSLog(@"using default ticket options");
+ [currentOptions addEntriesFromDictionary:defaultOptions];
+ // update the sliders, since their values aren't bound
+ [validLifetimeSlider setDoubleValue:[[identityOptionsController valueForKeyPath:valid_lifetime_keypath] doubleValue]];
+ [renewableLifetimeSlider setDoubleValue:[[identityOptionsController valueForKeyPath:renewal_lifetime_keypath] doubleValue]];
+ }
+}
+
+// ---------------------------------------------------------------------------
+
- (IBAction) sliderDidChange: (id) sender
{
NSInteger increment = 0;
@@ -272,7 +299,7 @@
[self sliderDidChange:validLifetimeSlider];
[self sliderDidChange:renewableLifetimeSlider];
- [NSApp beginSheet: identityOptionsWindow
+ [NSApp beginSheet: ticketOptionsWindow
modalForWindow: [self window]
modalDelegate: self
didEndSelector: @selector(didEndSheet:returnCode:contextInfo:)
@@ -343,6 +370,37 @@
// ---------------------------------------------------------------------------
+- (IBAction) toggleOptionsVisibility: (id) sender
+{
+ NSRect newFrame = [NSWindow contentRectForFrameRect:[ticketOptionsWindow frame] styleMask:[ticketOptionsWindow styleMask]];
+ CGFloat newHeight;
+
+ if ([ticketOptionsBox isHidden]) {
+ newHeight = newFrame.size.height + optionsBoxHeight;
+ newFrame.origin.y += newFrame.size.height;
+ newFrame.origin.y -= newHeight;
+ newFrame.size.height = newHeight;
+ newFrame = [NSWindow frameRectForContentRect:newFrame styleMask:[ticketOptionsWindow styleMask]];
+
+ [ticketOptionsWindow setFrame:newFrame display:YES animate:YES];
+ [ticketOptionsBox setHidden:NO];
+ [sender setTitle:NSLocalizedStringFromTable(@"SelectIdentityHideOptions", @"SelectIdentity", NULL)];
+ }
+ else {
+ newHeight = newFrame.size.height - optionsBoxHeight;
+ newFrame.origin.y += newFrame.size.height;
+ newFrame.origin.y -= newHeight;
+ newFrame.size.height = newHeight;
+ newFrame = [NSWindow frameRectForContentRect:newFrame styleMask:[ticketOptionsWindow styleMask]];
+
+ [ticketOptionsBox setHidden:YES];
+ [ticketOptionsWindow setFrame:newFrame display:YES animate:YES];
+ [sender setTitle:NSLocalizedStringFromTable(@"SelectIdentityShowOptions", @"SelectIdentity", NULL)];
+ }
+}
+
+// ---------------------------------------------------------------------------
+
- (void) timedRefresh:(NSTimer *)timer
{
// refetch data to update expiration times
Modified: branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/Authentication.xib
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/Authentication.xib 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/Authentication.xib 2009-01-10 01:06:45 UTC (rev 21722)
@@ -8,10 +8,7 @@
<string key="IBDocument.HIToolboxVersion">352.00</string>
<object class="NSMutableArray" key="IBDocument.EditedObjectIDs">
<bool key="EncodedWithXMLCoder">YES</bool>
- <integer value="300288"/>
<integer value="19"/>
- <integer value="300175"/>
- <integer value="300420"/>
</object>
<object class="NSArray" key="IBDocument.PluginDependencies">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -60,6 +57,7 @@
<string>identity_string</string>
<string>favorite_identity_strings</string>
<string>isBusy</string>
+ <string>acceptingInput</string>
</object>
<bool key="NSEditable">YES</bool>
<object class="_NSManagedProxy" key="_NSManagedProxy"/>
@@ -75,6 +73,7 @@
<string>maxRenewableLifetime</string>
<string>renewa</string>
<string>renewal_lifetime</string>
+ <string>usesDefaultTicketOptions</string>
</object>
<bool key="NSEditable">YES</bool>
<object class="_NSManagedProxy" key="_NSManagedProxy"/>
@@ -376,7 +375,7 @@
<string key="NSClassName">NSView</string>
</object>
<object class="NSCustomView" id="866582848">
- <reference key="NSNextResponder"/>
+ <nil key="NSNextResponder"/>
<int key="NSvFlags">274</int>
<object class="NSMutableArray" key="NSSubviews">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -522,7 +521,6 @@
</object>
</object>
<string key="NSFrameSize">{500, 208}</string>
- <reference key="NSSuperview"/>
<string key="NSClassName">NSView</string>
</object>
<object class="NSCustomView" id="898191415">
@@ -667,7 +665,7 @@
<string key="NSClassName">NSView</string>
</object>
<object class="NSCustomView" id="60326189">
- <reference key="NSNextResponder"/>
+ <nil key="NSNextResponder"/>
<int key="NSvFlags">286</int>
<object class="NSMutableArray" key="NSSubviews">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -847,7 +845,6 @@
</object>
</object>
<string key="NSFrameSize">{500, 230}</string>
- <reference key="NSSuperview"/>
<string key="NSClassName">NSView</string>
</object>
<object class="NSCustomView" id="861423802">
@@ -950,7 +947,7 @@
<object class="NSWindowTemplate" id="102029948">
<int key="NSWindowStyleMask">1</int>
<int key="NSWindowBacking">2</int>
- <string key="NSWindowRect">{{21, 50}, {430, 283}}</string>
+ <string key="NSWindowRect">{{21, 28}, {430, 305}}</string>
<int key="NSWTFlags">1886912512</int>
<string key="NSWindowTitle">Kerberos Ticket Options</string>
<string key="NSWindowClass">NSWindow</string>
@@ -960,7 +957,7 @@
<string key="NSWindowContentMaxSize">{3.40282e+38, 3.40282e+38}</string>
<string key="NSWindowContentMinSize">{430, 283}</string>
<object class="NSView" key="NSWindowView" id="389112266">
- <reference key="NSNextResponder"/>
+ <nil key="NSNextResponder"/>
<int key="NSvFlags">256</int>
<object class="NSMutableArray" key="NSSubviews">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -1172,9 +1169,30 @@
<int key="NSPeriodicInterval">25</int>
</object>
</object>
+ <object class="NSButton" id="453888690">
+ <reference key="NSNextResponder" ref="389112266"/>
+ <int key="NSvFlags">268</int>
+ <string key="NSFrame">{{18, 269}, {184, 18}}</string>
+ <reference key="NSSuperview" ref="389112266"/>
+ <bool key="NSEnabled">YES</bool>
+ <object class="NSButtonCell" key="NSCell" id="505343782">
+ <int key="NSCellFlags">-2080244224</int>
+ <int key="NSCellFlags2">0</int>
+ <string key="NSContents">Use default ticket options</string>
+ <reference key="NSSupport" ref="604532625"/>
+ <reference key="NSControlView" ref="453888690"/>
+ <int key="NSButtonFlags">1211912703</int>
+ <int key="NSButtonFlags2">130</int>
+ <reference key="NSNormalImage" ref="375544883"/>
+ <reference key="NSAlternateImage" ref="875913500"/>
+ <string key="NSAlternateContents"/>
+ <string key="NSKeyEquivalent"/>
+ <int key="NSPeriodicDelay">200</int>
+ <int key="NSPeriodicInterval">25</int>
+ </object>
+ </object>
</object>
- <string key="NSFrameSize">{430, 283}</string>
- <reference key="NSSuperview"/>
+ <string key="NSFrameSize">{430, 305}</string>
</object>
<string key="NSScreenRect">{{0, 0}, {1440, 878}}</string>
<string key="NSMinSize">{430, 305}</string>
@@ -1320,7 +1338,7 @@
<string key="label">enabled: selection.isPrincipalValid</string>
<reference key="source" ref="207178735"/>
<reference key="destination" ref="57033499"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="243297891">
<reference key="NSSource" ref="207178735"/>
<reference key="NSDestination" ref="57033499"/>
<string key="NSLabel">enabled: selection.isPrincipalValid</string>
@@ -1384,7 +1402,7 @@
<string key="label">enabled: selection.isPromptValid</string>
<reference key="source" ref="133507311"/>
<reference key="destination" ref="57033499"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="6001298">
<reference key="NSSource" ref="133507311"/>
<reference key="NSDestination" ref="57033499"/>
<string key="NSLabel">enabled: selection.isPromptValid</string>
@@ -1472,7 +1490,7 @@
<string key="label">enabled: selection.isPromptValid</string>
<reference key="source" ref="499090485"/>
<reference key="destination" ref="57033499"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="723183973">
<reference key="NSSource" ref="499090485"/>
<reference key="NSDestination" ref="57033499"/>
<string key="NSLabel">enabled: selection.isPromptValid</string>
@@ -1592,7 +1610,7 @@
<string key="label">enabled: selection.isChangePasswordValid</string>
<reference key="source" ref="105446308"/>
<reference key="destination" ref="57033499"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="145342680">
<reference key="NSSource" ref="105446308"/>
<reference key="NSDestination" ref="57033499"/>
<string key="NSLabel">enabled: selection.isChangePasswordValid</string>
@@ -1822,7 +1840,7 @@
<string key="label">enabled: selection.renewable</string>
<reference key="source" ref="594182616"/>
<reference key="destination" ref="633725892"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="252907861">
<reference key="NSSource" ref="594182616"/>
<reference key="NSDestination" ref="633725892"/>
<string key="NSLabel">enabled: selection.renewable</string>
@@ -2106,6 +2124,474 @@
</object>
<int key="connectionID">300540</int>
</object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">value: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="453888690"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="453888690"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">value: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">value</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300545</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="486016405"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="486016405"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300547</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="964499406"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="964499406"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300549</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="198913348"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="198913348"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300551</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="368169141"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="368169141"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300553</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="594182616"/>
+ <reference key="destination" ref="633725892"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="594182616"/>
+ <reference key="NSDestination" ref="633725892"/>
+ <string key="NSLabel">enabled2: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ <string>NSValueTransformerName</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <integer value="-1" id="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <string>NSNegateBoolean</string>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="252907861"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300555</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBActionConnection" key="connection">
+ <string key="label">checkboxDidChange:</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="453888690"/>
+ </object>
+ <int key="connectionID">300556</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="441176528"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="441176528"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300560</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="158061"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="158061"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300561</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="576133689"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="576133689"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300562</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.acceptingInput</string>
+ <reference key="source" ref="105446308"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="105446308"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled2: selection.acceptingInput</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="145342680"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300563</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="288995352"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="288995352"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300564</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="225475172"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="225475172"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300565</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="645528597"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="645528597"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300566</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="494687042"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="494687042"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300567</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.acceptingInput</string>
+ <reference key="source" ref="133507311"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="133507311"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled2: selection.acceptingInput</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="6001298"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300568</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="529434335"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="529434335"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300569</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="523041784"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="523041784"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300570</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.acceptingInput</string>
+ <reference key="source" ref="207178735"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="207178735"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled2: selection.acceptingInput</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="243297891"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300571</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="1016187493"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="1016187493"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300572</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="270897371"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="270897371"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300573</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.acceptingInput</string>
+ <reference key="source" ref="907069022"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="907069022"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled: selection.acceptingInput</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300574</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.acceptingInput</string>
+ <reference key="source" ref="499090485"/>
+ <reference key="destination" ref="57033499"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="499090485"/>
+ <reference key="NSDestination" ref="57033499"/>
+ <string key="NSLabel">enabled2: selection.acceptingInput</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.acceptingInput</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="723183973"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300575</int>
+ </object>
</object>
<object class="IBMutableOrderedSet" key="objectRecords">
<object class="NSArray" key="orderedObjects">
@@ -2710,16 +3196,17 @@
<reference key="object" ref="389112266"/>
<object class="NSMutableArray" key="children">
<bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="284195308"/>
- <reference ref="681646907"/>
- <reference ref="332956369"/>
- <reference ref="368169141"/>
- <reference ref="964499406"/>
- <reference ref="198913348"/>
- <reference ref="594182616"/>
+ <reference ref="486016405"/>
<reference ref="318596865"/>
- <reference ref="486016405"/>
<reference ref="523287828"/>
+ <reference ref="594182616"/>
+ <reference ref="198913348"/>
+ <reference ref="964499406"/>
+ <reference ref="368169141"/>
+ <reference ref="332956369"/>
+ <reference ref="681646907"/>
+ <reference ref="284195308"/>
+ <reference ref="453888690"/>
</object>
<reference key="parent" ref="102029948"/>
</object>
@@ -2918,6 +3405,20 @@
<reference key="object" ref="314932147"/>
<reference key="parent" ref="60326189"/>
</object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300543</int>
+ <reference key="object" ref="453888690"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="505343782"/>
+ </object>
+ <reference key="parent" ref="389112266"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300544</int>
+ <reference key="object" ref="505343782"/>
+ <reference key="parent" ref="453888690"/>
+ </object>
</object>
</object>
<object class="NSMutableDictionary" key="flattenedProperties">
@@ -3060,6 +3561,8 @@
<string>300533.IBPluginDependency</string>
<string>300534.IBPluginDependency</string>
<string>300536.IBPluginDependency</string>
+ <string>300543.IBPluginDependency</string>
+ <string>300544.IBPluginDependency</string>
</object>
<object class="NSMutableArray" key="dict.values">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -3069,7 +3572,7 @@
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>{{628, 646}, {500, 210}}</string>
<reference ref="9"/>
- <integer value="0"/>
+ <reference ref="8"/>
<string>{{932, 664}, {484, 199}}</string>
<reference ref="9"/>
<reference ref="9"/>
@@ -3159,9 +3662,9 @@
<reference ref="9"/>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<reference ref="9"/>
- <string>{{647, 412}, {430, 283}}</string>
+ <string>{{647, 390}, {430, 305}}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
- <string>{{647, 412}, {430, 283}}</string>
+ <string>{{647, 390}, {430, 305}}</string>
<reference ref="9"/>
<reference ref="8"/>
<reference ref="9"/>
@@ -3199,6 +3702,8 @@
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
+ <string>com.apple.InterfaceBuilder.CocoaPlugin</string>
+ <string>com.apple.InterfaceBuilder.CocoaPlugin</string>
</object>
</object>
<object class="NSMutableDictionary" key="unlocalizedProperties">
@@ -3221,7 +3726,7 @@
</object>
</object>
<nil key="sourceID"/>
- <int key="maxID">300540</int>
+ <int key="maxID">300575</int>
</object>
<object class="IBClassDescriber" key="IBDocument.Classes">
<object class="NSMutableArray" key="referencedPartialClassDescriptions">
@@ -3238,6 +3743,7 @@
<string>cancelTicketOptions:</string>
<string>changePassword:</string>
<string>changePasswordGearAction:</string>
+ <string>checkboxDidChange:</string>
<string>enterIdentity:</string>
<string>saveTicketOptions:</string>
<string>showTicketOptions:</string>
@@ -3256,6 +3762,7 @@
<string>id</string>
<string>id</string>
<string>id</string>
+ <string>id</string>
</object>
</object>
<object class="NSMutableDictionary" key="outlets">
Modified: branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.strings
===================================================================
(Binary files differ)
Modified: branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.xib
===================================================================
--- branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.xib 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/agent/mac/resources/English.lproj/SelectIdentity.xib 2009-01-10 01:06:45 UTC (rev 21722)
@@ -8,7 +8,7 @@
<string key="IBDocument.HIToolboxVersion">352.00</string>
<object class="NSMutableArray" key="IBDocument.EditedObjectIDs">
<bool key="EncodedWithXMLCoder">YES</bool>
- <integer value="6"/>
+ <integer value="300295"/>
</object>
<object class="NSArray" key="IBDocument.PluginDependencies">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -40,7 +40,7 @@
<string key="NSWindowContentMaxSize">{800, 800}</string>
<string key="NSWindowContentMinSize">{400, 273}</string>
<object class="NSView" key="NSWindowView" id="928852707">
- <reference key="NSNextResponder"/>
+ <nil key="NSNextResponder"/>
<int key="NSvFlags">256</int>
<object class="NSMutableArray" key="NSSubviews">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -472,7 +472,6 @@
</object>
</object>
</object>
- <int key="NSSelectedIndex">3</int>
<bool key="NSPullDown">YES</bool>
<int key="NSPreferredEdge">2</int>
<bool key="NSUsesItemFromMenu">YES</bool>
@@ -482,7 +481,6 @@
</object>
</object>
<string key="NSFrameSize">{500, 273}</string>
- <reference key="NSSuperview"/>
</object>
<string key="NSScreenRect">{{0, 0}, {1440, 878}}</string>
<string key="NSMinSize">{400, 295}</string>
@@ -515,7 +513,7 @@
<object class="NSWindowTemplate" id="370461416">
<int key="NSWindowStyleMask">7</int>
<int key="NSWindowBacking">2</int>
- <string key="NSWindowRect">{{196, 162}, {427, 348}}</string>
+ <string key="NSWindowRect">{{196, 142}, {427, 368}}</string>
<int key="NSWTFlags">603979776</int>
<string key="NSWindowTitle">Window</string>
<string key="NSWindowClass">NSWindow</string>
@@ -529,9 +527,8 @@
<object class="NSTextField" id="485004197">
<reference key="NSNextResponder" ref="1019868804"/>
<int key="NSvFlags">266</int>
- <string key="NSFrame">{{78, 306}, {329, 22}}</string>
+ <string key="NSFrame">{{78, 326}, {329, 22}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="1047482753">
<int key="NSCellFlags">-1804468671</int>
@@ -558,14 +555,13 @@
<object class="NSTextField" id="404880622">
<reference key="NSNextResponder" ref="1019868804"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{17, 308}, {60, 17}}</string>
+ <string key="NSFrame">{{17, 328}, {56, 17}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="775341038">
<int key="NSCellFlags">68288064</int>
- <int key="NSCellFlags2">71304192</int>
- <string key="NSContents">Identity: </string>
+ <int key="NSCellFlags2">4195328</int>
+ <string key="NSContents">Identity:</string>
<reference key="NSSupport" ref="604532625"/>
<reference key="NSControlView" ref="404880622"/>
<reference key="NSBackgroundColor" ref="876444531"/>
@@ -585,9 +581,8 @@
<object class="NSSlider" id="552234083">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">266</int>
- <string key="NSFrame">{{24, 179}, {337, 25}}</string>
+ <string key="NSFrame">{{22, 181}, {347, 25}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSSliderCell" key="NSCell" id="629844970">
<int key="NSCellFlags">67501824</int>
@@ -610,9 +605,8 @@
<object class="NSTextField" id="576071402">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{13, 211}, {185, 17}}</string>
+ <string key="NSFrame">{{11, 213}, {185, 17}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="380679549">
<int key="NSCellFlags">67239424</int>
@@ -627,9 +621,8 @@
<object class="NSTextField" id="54325332">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">266</int>
- <string key="NSFrame">{{23, 157}, {339, 14}}</string>
+ <string key="NSFrame">{{21, 159}, {349, 14}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="584202005">
<int key="NSCellFlags">67239424</int>
@@ -644,9 +637,8 @@
<object class="NSTextField" id="240805237">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{13, 132}, {133, 17}}</string>
+ <string key="NSFrame">{{11, 134}, {133, 17}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="638526338">
<int key="NSCellFlags">67239424</int>
@@ -661,9 +653,8 @@
<object class="NSSlider" id="373804676">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">266</int>
- <string key="NSFrame">{{42, 34}, {301, 25}}</string>
+ <string key="NSFrame">{{40, 36}, {311, 25}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSSliderCell" key="NSCell" id="84127609">
<int key="NSCellFlags">67501824</int>
@@ -690,9 +681,8 @@
<object class="NSButton" id="910622795">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{24, 86}, {303, 18}}</string>
+ <string key="NSFrame">{{22, 88}, {303, 18}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSButtonCell" key="NSCell" id="878349972">
<int key="NSCellFlags">67239424</int>
@@ -714,9 +704,8 @@
<object class="NSButton" id="415869872">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{24, 108}, {351, 18}}</string>
+ <string key="NSFrame">{{22, 110}, {351, 18}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSButtonCell" key="NSCell" id="77611886">
<int key="NSCellFlags">67239424</int>
@@ -736,9 +725,8 @@
<object class="NSButton" id="606962746">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">268</int>
- <string key="NSFrame">{{24, 64}, {248, 18}}</string>
+ <string key="NSFrame">{{22, 66}, {248, 18}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSButtonCell" key="NSCell" id="583273626">
<int key="NSCellFlags">67239424</int>
@@ -758,9 +746,8 @@
<object class="NSTextField" id="956800130">
<reference key="NSNextResponder" ref="929379"/>
<int key="NSvFlags">266</int>
- <string key="NSFrame">{{41, 12}, {303, 14}}</string>
+ <string key="NSFrame">{{39, 14}, {313, 14}}</string>
<reference key="NSSuperview" ref="929379"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSTextFieldCell" key="NSCell" id="596249502">
<int key="NSCellFlags">67239424</int>
@@ -773,14 +760,12 @@
</object>
</object>
</object>
- <string key="NSFrame">{{3, 3}, {387, 238}}</string>
+ <string key="NSFrame">{{1, 1}, {391, 242}}</string>
<reference key="NSSuperview" ref="282101470"/>
- <reference key="NSWindow"/>
</object>
</object>
- <string key="NSFrame">{{17, 56}, {393, 244}}</string>
+ <string key="NSFrame">{{17, 48}, {393, 244}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<string key="NSOffsets">{0, 0}</string>
<object class="NSTextFieldCell" key="NSTitleCell">
<int key="NSCellFlags">67239424</int>
@@ -794,7 +779,7 @@
</object>
</object>
<reference key="NSContentView" ref="929379"/>
- <int key="NSBorderType">2</int>
+ <int key="NSBorderType">1</int>
<int key="NSBoxType">1</int>
<int key="NSTitlePosition">0</int>
<bool key="NSTransparent">NO</bool>
@@ -804,7 +789,6 @@
<int key="NSvFlags">289</int>
<string key="NSFrame">{{331, 12}, {82, 32}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSButtonCell" key="NSCell" id="870649207">
<int key="NSCellFlags">67239424</int>
@@ -825,7 +809,6 @@
<int key="NSvFlags">289</int>
<string key="NSFrame">{{249, 12}, {82, 32}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
<object class="NSButtonCell" key="NSCell" id="754483226">
<int key="NSCellFlags">67239424</int>
@@ -841,48 +824,70 @@
<int key="NSPeriodicInterval">25</int>
</object>
</object>
- <object class="NSButton" id="669516699">
+ <object class="NSTextField" id="958176038">
<reference key="NSNextResponder" ref="1019868804"/>
- <int key="NSvFlags">289</int>
- <string key="NSFrame">{{129, 12}, {120, 32}}</string>
+ <int key="NSvFlags">-2147483382</int>
+ <string key="NSFrame">{{73, 328}, {337, 17}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
- <object class="NSButtonCell" key="NSCell" id="362266618">
- <int key="NSCellFlags">67239424</int>
- <int key="NSCellFlags2">134217728</int>
- <string key="NSContents">Use Defaults</string>
+ <object class="NSTextFieldCell" key="NSCell" id="196100637">
+ <int key="NSCellFlags">68288064</int>
+ <int key="NSCellFlags2">272630784</int>
+ <string key="NSContents">Label</string>
<reference key="NSSupport" ref="604532625"/>
- <reference key="NSControlView" ref="669516699"/>
- <int key="NSButtonFlags">-2038284033</int>
- <int key="NSButtonFlags2">129</int>
+ <reference key="NSControlView" ref="958176038"/>
+ <reference key="NSBackgroundColor" ref="876444531"/>
+ <reference key="NSTextColor" ref="883746258"/>
+ </object>
+ </object>
+ <object class="NSButton" id="46228658">
+ <reference key="NSNextResponder" ref="1019868804"/>
+ <int key="NSvFlags">268</int>
+ <string key="NSFrame">{{18, 300}, {184, 18}}</string>
+ <reference key="NSSuperview" ref="1019868804"/>
+ <bool key="NSEnabled">YES</bool>
+ <object class="NSButtonCell" key="NSCell" id="830149940">
+ <int key="NSCellFlags">-2080244224</int>
+ <int key="NSCellFlags2">0</int>
+ <string key="NSContents">Use default ticket options</string>
+ <reference key="NSSupport" ref="604532625"/>
+ <reference key="NSControlView" ref="46228658"/>
+ <int key="NSButtonFlags">1211912703</int>
+ <int key="NSButtonFlags2">130</int>
+ <object class="NSCustomResource" key="NSNormalImage">
+ <string key="NSClassName">NSImage</string>
+ <string key="NSResourceName">NSSwitch</string>
+ </object>
+ <reference key="NSAlternateImage" ref="565361234"/>
<string key="NSAlternateContents"/>
<string key="NSKeyEquivalent"/>
<int key="NSPeriodicDelay">200</int>
<int key="NSPeriodicInterval">25</int>
</object>
</object>
- <object class="NSTextField" id="958176038">
+ <object class="NSButton" id="58047674">
<reference key="NSNextResponder" ref="1019868804"/>
- <int key="NSvFlags">-2147483380</int>
- <string key="NSFrame">{{75, 308}, {335, 17}}</string>
+ <int key="NSvFlags">292</int>
+ <string key="NSFrame">{{14, 12}, {127, 32}}</string>
<reference key="NSSuperview" ref="1019868804"/>
- <reference key="NSWindow"/>
<bool key="NSEnabled">YES</bool>
- <object class="NSTextFieldCell" key="NSCell" id="196100637">
- <int key="NSCellFlags">68288064</int>
- <int key="NSCellFlags2">272630784</int>
- <string key="NSContents">Label</string>
+ <object class="NSButtonCell" key="NSCell" id="167351998">
+ <int key="NSCellFlags">67239424</int>
+ <int key="NSCellFlags2">134217728</int>
+ <string key="NSContents">Show Options</string>
<reference key="NSSupport" ref="604532625"/>
- <reference key="NSControlView" ref="958176038"/>
- <reference key="NSBackgroundColor" ref="876444531"/>
- <reference key="NSTextColor" ref="883746258"/>
+ <reference key="NSControlView" ref="58047674"/>
+ <int key="NSButtonFlags">-2038284033</int>
+ <int key="NSButtonFlags2">129</int>
+ <string key="NSAlternateContents"/>
+ <string type="base64-UTF8" key="NSKeyEquivalent">Gw</string>
+ <int key="NSPeriodicDelay">200</int>
+ <int key="NSPeriodicInterval">25</int>
</object>
</object>
</object>
- <string key="NSFrameSize">{427, 348}</string>
+ <string key="NSFrameSize">{427, 368}</string>
<reference key="NSSuperview"/>
- <reference key="NSWindow"/>
</object>
<string key="NSScreenRect">{{0, 0}, {1280, 778}}</string>
<string key="NSMaxSize">{3.40282e+38, 3.40282e+38}</string>
@@ -909,8 +914,10 @@
<string>renewal_lifetime</string>
<string>identity_string</string>
<string>canClickOK</string>
+ <string>usesDefaultTicketOptions</string>
</object>
<bool key="NSEditable">YES</bool>
+ <bool key="NSAutomaticallyPreparesContent">YES</bool>
<object class="_NSManagedProxy" key="_NSManagedProxy"/>
</object>
<object class="NSObjectController" id="252123121">
@@ -931,6 +938,7 @@
<string>favorite</string>
<string>identities</string>
<string>minRenewableLifetime</string>
+ <string>content.identities</string>
</object>
<string key="NSObjectClassName">Identities</string>
<object class="_NSManagedProxy" key="_NSManagedProxy"/>
@@ -1285,22 +1293,6 @@
<int key="connectionID">300442</int>
</object>
<object class="IBConnectionRecord">
- <object class="IBBindingConnection" key="connection">
- <string key="label">contentArray: selection.identities</string>
- <reference key="source" ref="333357907"/>
- <reference key="destination" ref="1031761104"/>
- <object class="NSNibBindingConnector" key="connector">
- <reference key="NSSource" ref="333357907"/>
- <reference key="NSDestination" ref="1031761104"/>
- <string key="NSLabel">contentArray: selection.identities</string>
- <string key="NSBinding">contentArray</string>
- <string key="NSKeyPath">selection.identities</string>
- <int key="NSNibBindingConnectorVersion">2</int>
- </object>
- </object>
- <int key="connectionID">300444</int>
- </object>
- <object class="IBConnectionRecord">
<object class="IBActionConnection" key="connection">
<string key="label">newIdentity:</string>
<reference key="source" ref="262677138"/>
@@ -1309,14 +1301,6 @@
<int key="connectionID">300450</int>
</object>
<object class="IBConnectionRecord">
- <object class="IBOutletConnection" key="connection">
- <string key="label">identityOptionsWindow</string>
- <reference key="source" ref="262677138"/>
- <reference key="destination" ref="370461416"/>
- </object>
- <int key="connectionID">300451</int>
- </object>
- <object class="IBConnectionRecord">
<object class="IBActionConnection" key="connection">
<string key="label">editOptions:</string>
<reference key="source" ref="262677138"/>
@@ -1334,14 +1318,6 @@
</object>
<object class="IBConnectionRecord">
<object class="IBActionConnection" key="connection">
- <string key="label">resetOptions:</string>
- <reference key="source" ref="262677138"/>
- <reference key="destination" ref="669516699"/>
- </object>
- <int key="connectionID">300454</int>
- </object>
- <object class="IBConnectionRecord">
- <object class="IBActionConnection" key="connection">
<string key="label">doneOptions:</string>
<reference key="source" ref="262677138"/>
<reference key="destination" ref="932240937"/>
@@ -1599,7 +1575,7 @@
<string key="label">enabled: selection.renewable</string>
<reference key="source" ref="373804676"/>
<reference key="destination" ref="196152721"/>
- <object class="NSNibBindingConnector" key="connector">
+ <object class="NSNibBindingConnector" key="connector" id="331780751">
<reference key="NSSource" ref="373804676"/>
<reference key="NSDestination" ref="196152721"/>
<string key="NSLabel">enabled: selection.renewable</string>
@@ -1671,7 +1647,7 @@
<string key="NSKeyPath">arrangedObjects.identity</string>
<object class="NSDictionary" key="NSOptions">
<string key="NS.key.0">NSConditionallySetsEditable</string>
- <integer value="1" key="NS.object.0" id="5"/>
+ <reference key="NS.object.0" ref="9"/>
</object>
<int key="NSNibBindingConnectorVersion">2</int>
</object>
@@ -1707,7 +1683,7 @@
<string key="NSKeyPath">selection.identity_string</string>
<object class="NSDictionary" key="NSOptions">
<string key="NS.key.0">NSContinuouslyUpdatesValue</string>
- <reference key="NS.object.0" ref="5"/>
+ <reference key="NS.object.0" ref="9"/>
</object>
<int key="NSNibBindingConnectorVersion">2</int>
</object>
@@ -1715,7 +1691,203 @@
<int key="connectionID">300509</int>
</object>
<object class="IBConnectionRecord">
+ <object class="IBOutletConnection" key="connection">
+ <string key="label">identityTableScrollView</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="616284695"/>
+ </object>
+ <int key="connectionID">300511</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBOutletConnection" key="connection">
+ <string key="label">ticketOptionsBox</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="282101470"/>
+ </object>
+ <int key="connectionID">300520</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBActionConnection" key="connection">
+ <string key="label">toggleOptionsVisibility:</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="58047674"/>
+ </object>
+ <int key="connectionID">300521</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBOutletConnection" key="connection">
+ <string key="label">ticketOptionsWindow</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="370461416"/>
+ </object>
+ <int key="connectionID">300522</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBOutletConnection" key="connection">
+ <string key="label">ticketOptionsToggleButton</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="58047674"/>
+ </object>
+ <int key="connectionID">300523</int>
+ </object>
+ <object class="IBConnectionRecord">
<object class="IBBindingConnection" key="connection">
+ <string key="label">value: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="46228658"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="46228658"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">value: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">value</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300525</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="552234083"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="552234083"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300527</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="415869872"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="415869872"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300529</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="910622795"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="910622795"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300531</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="606962746"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="606962746"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">enabled: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <string key="NS.key.0">NSValueTransformerName</string>
+ <string key="NS.object.0">NSNegateBoolean</string>
+ </object>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300533</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">enabled2: selection.usesDefaultTicketOptions</string>
+ <reference key="source" ref="373804676"/>
+ <reference key="destination" ref="196152721"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="373804676"/>
+ <reference key="NSDestination" ref="196152721"/>
+ <string key="NSLabel">enabled2: selection.usesDefaultTicketOptions</string>
+ <string key="NSBinding">enabled2</string>
+ <string key="NSKeyPath">selection.usesDefaultTicketOptions</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ <string>NSValueTransformerName</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <integer value="-1" id="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <reference ref="7"/>
+ <string>NSNegateBoolean</string>
+ </object>
+ </object>
+ <reference key="NSPreviousConnector" ref="331780751"/>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300535</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBActionConnection" key="connection">
+ <string key="label">checkboxDidChange:</string>
+ <reference key="source" ref="262677138"/>
+ <reference key="destination" ref="46228658"/>
+ </object>
+ <int key="connectionID">300536</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
+ <string key="label">contentArray: content.identities</string>
+ <reference key="source" ref="333357907"/>
+ <reference key="destination" ref="1031761104"/>
+ <object class="NSNibBindingConnector" key="connector">
+ <reference key="NSSource" ref="333357907"/>
+ <reference key="NSDestination" ref="1031761104"/>
+ <string key="NSLabel">contentArray: content.identities</string>
+ <string key="NSBinding">contentArray</string>
+ <string key="NSKeyPath">content.identities</string>
+ <int key="NSNibBindingConnectorVersion">2</int>
+ </object>
+ </object>
+ <int key="connectionID">300539</int>
+ </object>
+ <object class="IBConnectionRecord">
+ <object class="IBBindingConnection" key="connection">
<string key="label">enabled: selection.canClickOK</string>
<reference key="source" ref="932240937"/>
<reference key="destination" ref="196152721"/>
@@ -1725,10 +1897,29 @@
<string key="NSLabel">enabled: selection.canClickOK</string>
<string key="NSBinding">enabled</string>
<string key="NSKeyPath">selection.canClickOK</string>
+ <object class="NSDictionary" key="NSOptions">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <object class="NSMutableArray" key="dict.sortedKeys">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <string>NSMultipleValuesPlaceholder</string>
+ <string>NSNoSelectionPlaceholder</string>
+ <string>NSNotApplicablePlaceholder</string>
+ <string>NSNullPlaceholder</string>
+ <string>NSRaisesForNotApplicableKeys</string>
+ </object>
+ <object class="NSMutableArray" key="dict.values">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <integer value="0" id="8"/>
+ <reference ref="8"/>
+ <reference ref="8"/>
+ <reference ref="8"/>
+ <integer value="0"/>
+ </object>
+ </object>
<int key="NSNibBindingConnectorVersion">2</int>
</object>
</object>
- <int key="connectionID">300510</int>
+ <int key="connectionID">300546</int>
</object>
</object>
<object class="IBMutableOrderedSet" key="objectRecords">
@@ -1976,11 +2167,12 @@
<bool key="EncodedWithXMLCoder">YES</bool>
<reference ref="932240937"/>
<reference ref="871834199"/>
- <reference ref="282101470"/>
- <reference ref="669516699"/>
<reference ref="958176038"/>
<reference ref="485004197"/>
<reference ref="404880622"/>
+ <reference ref="46228658"/>
+ <reference ref="282101470"/>
+ <reference ref="58047674"/>
</object>
<reference key="parent" ref="370461416"/>
</object>
@@ -1989,15 +2181,15 @@
<reference key="object" ref="282101470"/>
<object class="NSMutableArray" key="children">
<bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="373804676"/>
+ <reference ref="956800130"/>
<reference ref="606962746"/>
<reference ref="415869872"/>
<reference ref="910622795"/>
- <reference ref="552234083"/>
- <reference ref="576071402"/>
+ <reference ref="373804676"/>
<reference ref="240805237"/>
- <reference ref="956800130"/>
<reference ref="54325332"/>
+ <reference ref="576071402"/>
+ <reference ref="552234083"/>
</object>
<reference key="parent" ref="1019868804"/>
</object>
@@ -2030,132 +2222,6 @@
<reference key="parent" ref="404880622"/>
</object>
<object class="IBObjectRecord">
- <int key="objectID">300307</int>
- <reference key="object" ref="373804676"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="84127609"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300308</int>
- <reference key="object" ref="956800130"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="596249502"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300309</int>
- <reference key="object" ref="606962746"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="583273626"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300310</int>
- <reference key="object" ref="415869872"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="77611886"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300311</int>
- <reference key="object" ref="910622795"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="878349972"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300312</int>
- <reference key="object" ref="54325332"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="584202005"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300313</int>
- <reference key="object" ref="552234083"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="629844970"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300314</int>
- <reference key="object" ref="576071402"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="380679549"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300315</int>
- <reference key="object" ref="240805237"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="638526338"/>
- </object>
- <reference key="parent" ref="282101470"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300316</int>
- <reference key="object" ref="638526338"/>
- <reference key="parent" ref="240805237"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300317</int>
- <reference key="object" ref="380679549"/>
- <reference key="parent" ref="576071402"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300318</int>
- <reference key="object" ref="629844970"/>
- <reference key="parent" ref="552234083"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300319</int>
- <reference key="object" ref="584202005"/>
- <reference key="parent" ref="54325332"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300320</int>
- <reference key="object" ref="878349972"/>
- <reference key="parent" ref="910622795"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300321</int>
- <reference key="object" ref="77611886"/>
- <reference key="parent" ref="415869872"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300322</int>
- <reference key="object" ref="583273626"/>
- <reference key="parent" ref="606962746"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300323</int>
- <reference key="object" ref="596249502"/>
- <reference key="parent" ref="956800130"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300324</int>
- <reference key="object" ref="84127609"/>
- <reference key="parent" ref="373804676"/>
- </object>
- <object class="IBObjectRecord">
<int key="objectID">300329</int>
<reference key="object" ref="932240937"/>
<object class="NSMutableArray" key="children">
@@ -2190,20 +2256,6 @@
<reference key="parent" ref="871834199"/>
</object>
<object class="IBObjectRecord">
- <int key="objectID">300358</int>
- <reference key="object" ref="669516699"/>
- <object class="NSMutableArray" key="children">
- <bool key="EncodedWithXMLCoder">YES</bool>
- <reference ref="362266618"/>
- </object>
- <reference key="parent" ref="1019868804"/>
- </object>
- <object class="IBObjectRecord">
- <int key="objectID">300359</int>
- <reference key="object" ref="362266618"/>
- <reference key="parent" ref="669516699"/>
- </object>
- <object class="IBObjectRecord">
<int key="objectID">300370</int>
<reference key="object" ref="1031761104"/>
<reference key="parent" ref="0"/>
@@ -2291,6 +2343,160 @@
<reference key="parent" ref="0"/>
<string key="objectName">Long Time Formatter</string>
</object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300308</int>
+ <reference key="object" ref="956800130"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="596249502"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300323</int>
+ <reference key="object" ref="596249502"/>
+ <reference key="parent" ref="956800130"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300309</int>
+ <reference key="object" ref="606962746"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="583273626"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300322</int>
+ <reference key="object" ref="583273626"/>
+ <reference key="parent" ref="606962746"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300310</int>
+ <reference key="object" ref="415869872"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="77611886"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300321</int>
+ <reference key="object" ref="77611886"/>
+ <reference key="parent" ref="415869872"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300311</int>
+ <reference key="object" ref="910622795"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="878349972"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300320</int>
+ <reference key="object" ref="878349972"/>
+ <reference key="parent" ref="910622795"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300307</int>
+ <reference key="object" ref="373804676"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="84127609"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300324</int>
+ <reference key="object" ref="84127609"/>
+ <reference key="parent" ref="373804676"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300315</int>
+ <reference key="object" ref="240805237"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="638526338"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300316</int>
+ <reference key="object" ref="638526338"/>
+ <reference key="parent" ref="240805237"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300312</int>
+ <reference key="object" ref="54325332"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="584202005"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300319</int>
+ <reference key="object" ref="584202005"/>
+ <reference key="parent" ref="54325332"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300314</int>
+ <reference key="object" ref="576071402"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="380679549"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300317</int>
+ <reference key="object" ref="380679549"/>
+ <reference key="parent" ref="576071402"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300313</int>
+ <reference key="object" ref="552234083"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="629844970"/>
+ </object>
+ <reference key="parent" ref="282101470"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300318</int>
+ <reference key="object" ref="629844970"/>
+ <reference key="parent" ref="552234083"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300514</int>
+ <reference key="object" ref="46228658"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="830149940"/>
+ </object>
+ <reference key="parent" ref="1019868804"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300515</int>
+ <reference key="object" ref="830149940"/>
+ <reference key="parent" ref="46228658"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300518</int>
+ <reference key="object" ref="58047674"/>
+ <object class="NSMutableArray" key="children">
+ <bool key="EncodedWithXMLCoder">YES</bool>
+ <reference ref="167351998"/>
+ </object>
+ <reference key="parent" ref="1019868804"/>
+ </object>
+ <object class="IBObjectRecord">
+ <int key="objectID">300519</int>
+ <reference key="object" ref="167351998"/>
+ <reference key="parent" ref="58047674"/>
+ </object>
</object>
</object>
<object class="NSMutableDictionary" key="flattenedProperties">
@@ -2360,8 +2566,6 @@
<string>300331.IBPluginDependency</string>
<string>300334.IBPluginDependency</string>
<string>300335.IBPluginDependency</string>
- <string>300358.IBPluginDependency</string>
- <string>300359.IBPluginDependency</string>
<string>300370.IBPluginDependency</string>
<string>300402.IBPluginDependency</string>
<string>300403.IBPluginDependency</string>
@@ -2376,6 +2580,10 @@
<string>300462.IBPluginDependency</string>
<string>300485.IBPluginDependency</string>
<string>300498.IBPluginDependency</string>
+ <string>300514.IBPluginDependency</string>
+ <string>300515.IBPluginDependency</string>
+ <string>300518.IBPluginDependency</string>
+ <string>300519.IBPluginDependency</string>
<string>5.IBEditorWindowLastContentRect</string>
<string>5.IBPluginDependency</string>
<string>5.IBWindowTemplateEditedContentRect</string>
@@ -2420,9 +2628,9 @@
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
- <string>{{553, 335}, {427, 348}}</string>
+ <string>{{704, 346}, {427, 368}}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
- <string>{{553, 335}, {427, 348}}</string>
+ <string>{{704, 346}, {427, 368}}</string>
<reference ref="75542549"/>
<reference ref="75542549"/>
<string>{10000, 354}</string>
@@ -2461,9 +2669,9 @@
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
+ <string>{{610, 271}, {203, 103}}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
- <string>{{610, 271}, {203, 103}}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
@@ -2472,14 +2680,16 @@
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
+ <string>com.apple.InterfaceBuilder.CocoaPlugin</string>
+ <string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>{{495, 457}, {500, 273}}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
<string>{{495, 457}, {500, 273}}</string>
<reference ref="9"/>
- <reference ref="9"/>
+ <reference ref="75542549"/>
<string>{{503, 256}, {419, 465}}</string>
<reference ref="9"/>
- <reference ref="5"/>
+ <reference ref="9"/>
<string>{800, 800}</string>
<string>{400, 273}</string>
<string>com.apple.InterfaceBuilder.CocoaPlugin</string>
@@ -2508,7 +2718,7 @@
</object>
</object>
<nil key="sourceID"/>
- <int key="maxID">300510</int>
+ <int key="maxID">300546</int>
</object>
<object class="IBClassDescriber" key="IBDocument.Classes">
<object class="NSMutableArray" key="referencedPartialClassDescriptions">
@@ -2553,13 +2763,14 @@
<string>cancel:</string>
<string>cancelOptions:</string>
<string>changePassword:</string>
+ <string>checkboxDidChange:</string>
<string>doneOptions:</string>
<string>editOptions:</string>
<string>newIdentity:</string>
<string>removeFromFavorites:</string>
- <string>resetOptions:</string>
<string>select:</string>
<string>sliderDidChange:</string>
+ <string>toggleOptionsVisibility:</string>
</object>
<object class="NSMutableArray" key="dict.values">
<bool key="EncodedWithXMLCoder">YES</bool>
@@ -2574,6 +2785,7 @@
<string>id</string>
<string>id</string>
<string>id</string>
+ <string>id</string>
</object>
</object>
<object class="NSMutableDictionary" key="outlets">
@@ -2590,7 +2802,7 @@
<string>identityArrayController</string>
<string>identityField</string>
<string>identityOptionsController</string>
- <string>identityOptionsWindow</string>
+ <string>identityTableScrollView</string>
<string>identityTableView</string>
<string>kerberosIconImageView</string>
<string>longTimeFormatter</string>
@@ -2598,7 +2810,10 @@
<string>selectIdentityButton</string>
<string>shortTimeFormatter</string>
<string>staticIdentityField</string>
+ <string>ticketOptionsBox</string>
<string>ticketOptionsOkButton</string>
+ <string>ticketOptionsToggleButton</string>
+ <string>ticketOptionsWindow</string>
<string>validLifetimeSlider</string>
</object>
<object class="NSMutableArray" key="dict.values">
@@ -2613,7 +2828,7 @@
<string>NSArrayController</string>
<string>NSTextField</string>
<string>NSObjectController</string>
- <string>NSWindow</string>
+ <string>NSScrollView</string>
<string>NSTableView</string>
<string>BadgedImageView</string>
<string>KerberosTimeFormatter</string>
@@ -2621,7 +2836,10 @@
<string>NSButton</string>
<string>KerberosTimeFormatter</string>
<string>NSTextField</string>
+ <string>NSBox</string>
<string>NSButton</string>
+ <string>NSButton</string>
+ <string>NSWindow</string>
<string>NSSlider</string>
</object>
</object>
Modified: branches/mkey_migrate/src/kim/lib/kim.exports
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -93,6 +93,7 @@
kim_credential_iterator_free
kim_credential_create_new
+kim_credential_create_new_with_password
kim_credential_create_from_keytab
kim_credential_create_from_krb5_creds
kim_credential_copy
@@ -116,7 +117,9 @@
kim_ccache_iterator_free
kim_ccache_create_new
+kim_ccache_create_new_with_password
kim_ccache_create_new_if_needed
+kim_ccache_create_new_if_needed_with_password
kim_ccache_create_from_client_identity
kim_ccache_create_from_keytab
kim_ccache_create_from_default
Modified: branches/mkey_migrate/src/kim/lib/kim_ccache.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ccache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ccache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -108,6 +108,9 @@
ccache = NULL;
err = KIM_NO_ERROR;
}
+
+ if (principal) { krb5_free_principal (in_ccache_iterator->context,
+ principal); }
}
if (!err) {
@@ -254,6 +257,19 @@
kim_identity in_client_identity,
kim_options in_options)
{
+ return check_error (kim_ccache_create_new_if_needed_with_password (out_ccache,
+ in_client_identity,
+ in_options,
+ NULL));
+}
+
+/* ------------------------------------------------------------------------ */
+
+kim_error kim_ccache_create_new_if_needed_with_password (kim_ccache *out_ccache,
+ kim_identity in_client_identity,
+ kim_options in_options,
+ kim_string in_password)
+{
kim_error err = KIM_NO_ERROR;
kim_ccache ccache = NULL;
@@ -263,7 +279,8 @@
if (!err) {
kim_credential_state state;
- err = kim_ccache_create_from_client_identity (&ccache, in_client_identity);
+ err = kim_ccache_create_from_client_identity (&ccache,
+ in_client_identity);
if (!err) {
err = kim_ccache_get_state (ccache, &state);
@@ -280,7 +297,10 @@
if (!ccache) {
/* ccache does not already exist, create a new one */
- err = kim_ccache_create_new (&ccache, in_client_identity, in_options);
+ err = kim_ccache_create_new_with_password (&ccache,
+ in_client_identity,
+ in_options,
+ in_password);
}
}
@@ -300,56 +320,62 @@
kim_identity in_client_identity)
{
kim_error err = KIM_NO_ERROR;
- kim_ccache_iterator iterator = NULL;
- kim_boolean found = FALSE;
- if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- if (!err && !in_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); }
+ if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- if (!err) {
+ if (!err && in_client_identity) {
+ kim_ccache_iterator iterator = NULL;
+ kim_boolean found = FALSE;
+
err = kim_ccache_iterator_create (&iterator);
- }
-
- while (!err && !found) {
- kim_ccache ccache = NULL;
- kim_identity identity = NULL;
- kim_comparison comparison;
- err = kim_ccache_iterator_next (iterator, &ccache);
-
- if (!err && !ccache) {
- kim_string string = NULL;
+ while (!err && !found) {
+ kim_ccache ccache = NULL;
+ kim_identity identity = NULL;
+ kim_comparison comparison;
- err = kim_identity_get_display_string (in_client_identity, &string);
+ err = kim_ccache_iterator_next (iterator, &ccache);
+ if (!err && !ccache) {
+ kim_string string = NULL;
+
+ err = kim_identity_get_display_string (in_client_identity,
+ &string);
+
+ if (!err) {
+ err = kim_error_set_message_for_code (KIM_NO_SUCH_PRINCIPAL_ERR,
+ string);
+ }
+
+ kim_string_free (&string);
+ }
+
if (!err) {
- err = kim_error_set_message_for_code (KIM_NO_SUCH_PRINCIPAL_ERR,
- string);
+ err = kim_ccache_get_client_identity (ccache, &identity);
}
- kim_string_free (&string);
+ if (!err) {
+ err = kim_identity_compare (in_client_identity, identity,
+ &comparison);
+ }
+
+ if (!err && kim_comparison_is_equal_to (comparison)) {
+ found = 1;
+ *out_ccache = ccache;
+ ccache = NULL;
+ }
+
+ kim_identity_free (&identity);
+ kim_ccache_free (&ccache);
}
- if (!err) {
- err = kim_ccache_get_client_identity (ccache, &identity);
- }
+ kim_ccache_iterator_free (&iterator);
- if (!err) {
- err = kim_identity_compare (in_client_identity, identity, &comparison);
- }
-
- if (!err && kim_comparison_is_equal_to (comparison)) {
- found = 1;
- *out_ccache = ccache;
- ccache = NULL;
- }
-
- kim_identity_free (&identity);
- kim_ccache_free (&ccache);
+ } else if (!err) {
+ /* in_client_identity is NULL, get default ccache */
+ err = kim_ccache_create_from_default (out_ccache);
}
- kim_ccache_iterator_free (&iterator);
-
return check_error (err);
}
Deleted: branches/mkey_migrate/src/kim/lib/kim_ccache_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ccache_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ccache_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,37 +0,0 @@
-/*
- * $Header$
- *
- * Copyright 2006 Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef KIM_CCACHE_PRIVATE_H
-#define KIM_CCACHE_PRIVATE_H
-
-#include <kim/kim.h>
-
-kim_error kim_ccache_create_new_with_password (kim_ccache *out_ccache,
- kim_identity in_client_identity,
- kim_options in_options,
- kim_string in_password);
-
-#endif /* KIM_CCACHE_PRIVATE_H */
Modified: branches/mkey_migrate/src/kim/lib/kim_credential.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_credential.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_credential.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -213,6 +213,46 @@
/* ------------------------------------------------------------------------ */
+static void kim_credential_remember_prefs (kim_identity in_identity,
+ kim_options in_options)
+{
+ kim_error err = KIM_NO_ERROR;
+ kim_preferences prefs = NULL;
+ kim_boolean remember_identity = 0;
+ kim_boolean remember_options = 0;
+
+ err = kim_preferences_create (&prefs);
+
+ if (!err && in_options) {
+ err = kim_preferences_get_remember_options (prefs,
+ &remember_options);
+ }
+
+ if (!err && in_identity) {
+ err = kim_preferences_get_remember_client_identity (prefs,
+ &remember_identity);
+ }
+
+ if (!err && remember_options) {
+ err = kim_preferences_set_options (prefs, in_options);
+ }
+
+ if (!err && remember_identity) {
+ err = kim_preferences_set_client_identity (prefs, in_identity);
+
+ }
+
+ if (!err && (remember_options || remember_identity)) {
+ err = kim_preferences_synchronize (prefs);
+ }
+
+ kim_preferences_free (&prefs);
+
+ check_error (err);
+}
+
+/* ------------------------------------------------------------------------ */
+
kim_error kim_credential_create_new_with_password (kim_credential *out_credential,
kim_identity in_identity,
kim_options in_options,
@@ -269,7 +309,11 @@
/* reenter enter_identity so just forget this identity
* even if we got an error */
- if (err == KIM_USER_CANCELED_ERR) { err = KIM_NO_ERROR; }
+ if (err == KIM_USER_CANCELED_ERR ||
+ err == KIM_DUPLICATE_UI_REQUEST_ERR) {
+ err = KIM_NO_ERROR;
+ }
+
kim_identity_free (&identity);
}
@@ -290,6 +334,7 @@
/* set counter to zero so we can tell if we got prompted */
context.prompt_count = 0;
+ context.password_to_save = NULL;
err = krb5_error (credential->context,
krb5_get_init_creds_password (credential->context,
@@ -356,23 +401,49 @@
kim_string_free (&new_password);
}
- if (!err || err == KIM_USER_CANCELED_ERR) {
+ if (!err || err == KIM_USER_CANCELED_ERR ||
+ err == KIM_DUPLICATE_UI_REQUEST_ERR) {
/* new creds obtained or the user gave up */
done_with_credentials = 1;
- } else {
- /* new creds failed, report error to user */
- kim_error terr = kim_ui_handle_kim_error (&context, identity,
- kim_ui_error_type_authentication,
- err);
+ if (!err) {
+ /* remember identity and options if the user wanted to */
+ kim_credential_remember_prefs (identity, options);
+ }
- if (prompt_count) {
- /* User was prompted and might have entered bad info
- * so let them try again. */
- err = terr;
- }
+ if (err == KIM_DUPLICATE_UI_REQUEST_ERR) {
+ kim_ccache ccache = NULL;
+ /* credential for this identity was obtained, but via a different
+ * dialog. Find it. */
+
+ err = kim_ccache_create_from_client_identity (&ccache,
+ identity);
+
+ if (!err) {
+ err = kim_ccache_get_valid_credential (ccache,
+ &credential);
+ }
+
+ kim_ccache_free (&ccache);
+ }
+
+ } else if (prompt_count) {
+ /* User was prompted and might have entered bad info
+ * so report error and try again. */
+
+ err = kim_ui_handle_kim_error (&context, identity,
+ kim_ui_error_type_authentication,
+ err);
}
+ if (err == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ err == KRB5KDC_ERR_PREAUTH_FAILED ||
+ err == KIM_BAD_PASSWORD_ERR || err == KIM_PREAUTH_FAILED_ERR) {
+ /* if the password could have failed, remove any saved ones
+ * or the user will get stuck. */
+ kim_os_identity_remove_saved_password (identity);
+ }
+
if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
}
@@ -380,16 +451,11 @@
/* identity obtained or the user gave up */
done_with_identity = 1;
- } else {
- /* new creds failed, report error to user */
- kim_error terr = kim_ui_handle_kim_error (&context, identity,
- kim_ui_error_type_authentication,
- err);
-
- if (!in_identity) {
- /* User entered an identity so let them try again */
- err = terr;
- }
+ } else if (!in_identity) {
+ /* User entered an identity so report error and try again */
+ err = kim_ui_handle_kim_error (&context, identity,
+ kim_ui_error_type_authentication,
+ err);
}
if (identity != in_identity) { kim_identity_free (&identity); }
@@ -399,13 +465,13 @@
kim_error fini_err = kim_ui_fini (&context);
if (!err) { err = check_error (fini_err); }
}
-
+
if (!err) {
*out_credential = credential;
credential = NULL;
}
- if (options != in_options ) { kim_options_free (&options); }
+ if (options != in_options) { kim_options_free (&options); }
kim_credential_free (&credential);
return check_error (err);
@@ -513,6 +579,7 @@
}
if (principal ) { krb5_free_principal (credential->context, principal); }
+ if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
if (!err) {
*out_credential = credential;
@@ -520,7 +587,6 @@
}
if (options != in_options) { kim_options_free (&options); }
- if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
kim_credential_free (&credential);
return check_error (err);
@@ -614,6 +680,7 @@
/* set counter to zero so we can tell if we got prompted */
in_ui_context->prompt_count = 0;
+ in_ui_context->identity = in_identity;
err = krb5_error (credential->context,
krb5_get_init_creds_password (credential->context,
Modified: branches/mkey_migrate/src/kim/lib/kim_credential_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_credential_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_credential_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,9 +36,4 @@
kim_ui_context *in_ui_context,
kim_boolean *out_user_was_prompted);
-kim_error kim_credential_create_new_with_password (kim_credential *out_credential,
- kim_identity in_identity,
- kim_options in_options,
- kim_string in_password);
-
#endif /* KIM_CREDENTIAL_PRIVATE_H */
Modified: branches/mkey_migrate/src/kim/lib/kim_error_message.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_error_message.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_error_message.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -38,7 +38,7 @@
typedef struct kim_last_error {
kim_error code;
- char message[1024];
+ char message[2048];
} *kim_last_error;
/* ------------------------------------------------------------------------ */
@@ -91,8 +91,38 @@
}
}
+#pragma mark -
+
/* ------------------------------------------------------------------------ */
+static kim_boolean kim_error_is_builtin (kim_error in_error)
+{
+ return (in_error == KIM_NO_ERROR ||
+ in_error == KIM_OUT_OF_MEMORY_ERR);
+}
+
+/* ------------------------------------------------------------------------ */
+/* Warning: only remap to error strings with the same format! */
+
+static kim_error kim_error_remap (kim_error in_error)
+{
+ /* some krb5 errors are confusing. remap to better ones */
+ switch (in_error) {
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ return KIM_BAD_PASSWORD_ERR;
+
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ return KIM_PREAUTH_FAILED_ERR;
+
+ case KRB5KRB_AP_ERR_SKEW:
+ return KIM_CLOCK_SKEW_ERR;
+ }
+
+ return in_error;
+}
+
+/* ------------------------------------------------------------------------ */
+
kim_string kim_error_message (kim_error in_error)
{
int lock_err = 0;
@@ -110,17 +140,9 @@
if (!lock_err) { k5_mutex_unlock (&kim_error_lock); }
- return message ? message : error_message (in_error);
+ return message ? message : error_message (kim_error_remap (in_error));
}
-/* ------------------------------------------------------------------------ */
-
-static kim_boolean kim_error_is_builtin (kim_error in_error)
-{
- return (in_error == KIM_NO_ERROR ||
- in_error == KIM_OUT_OF_MEMORY_ERR);
-}
-
#pragma mark -- Generic Functions --
/* ------------------------------------------------------------------------ */
@@ -140,26 +162,27 @@
/* ------------------------------------------------------------------------ */
-kim_error kim_error_set_message_for_code_va (kim_error in_error,
+kim_error kim_error_set_message_for_code_va (kim_error in_code,
va_list in_args)
{
kim_error err = KIM_NO_ERROR;
-
- if (!err && !kim_error_is_builtin (in_error)) {
+ kim_error code = kim_error_remap (in_code);
+
+ if (!kim_error_is_builtin (code)) {
kim_string message = NULL;
-
+
err = kim_string_create_from_format_va_retcode (&message,
- error_message (in_error),
+ error_message (code),
in_args);
if (!err) {
- err = kim_error_set_message (in_error, message);
+ err = kim_error_set_message (code, message);
}
kim_string_free (&message);
}
- return err ? err : in_error;
+ return err ? err : code;
}
@@ -169,14 +192,23 @@
krb5_error_code in_code)
{
kim_error err = KIM_NO_ERROR;
+ krb5_error_code code = kim_error_remap (in_code);
- if (!err && !kim_error_is_builtin (in_code)) {
- const char *message = krb5_get_error_message (in_context, in_code);
+ if (code != in_code) {
+ /* error was remapped to a KIM error */
+ err = kim_error_set_message (code, error_message (code));
+
+ } else if (!kim_error_is_builtin (code)) {
+ const char *message = krb5_get_error_message (in_context, code);
- err = kim_error_set_message (in_code, message);
+ if (message) {
+ err = kim_error_set_message (code, message);
+
+ krb5_free_error_message (in_context, message);
+ }
}
- return err ? err : in_code;
+ return err ? err : code;
}
#pragma mark -- Debugging Functions --
Modified: branches/mkey_migrate/src/kim/lib/kim_errors.et
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_errors.et 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_errors.et 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,6 +29,7 @@
error_code KIM_NO_REALMS_ERR, "There are no Kerberos realms configured"
error_code KIM_NO_SUCH_REALM_ERR, "The realm '%s' is not in your configuration file or does not exist"
error_code KIM_UNSUPPORTED_HINT_ERR, "The hint '%s' is not supported by this version of KIM"
+error_code KIM_CLOCK_SKEW_ERR, "Clock skew too big: please check your time, time zone and daylight savings settings"
index 25
# Principal Errors
@@ -37,6 +38,8 @@
error_code KIM_PASSWORD_MISMATCH_ERR, "New and verify passwords do not match"
error_code KIM_INSECURE_PASSWORD_ERR, "Your new password for '%s' is insecure; please pick another one"
error_code KIM_PASSWORD_CHANGE_FAILED_ERR, "Unable to change password for %s"
+error_code KIM_BAD_PASSWORD_ERR, "Password incorrect"
+error_code KIM_PREAUTH_FAILED_ERR, "Password incorrect or preauthentication failed"
index 50
# Options Errors
@@ -49,6 +52,7 @@
error_code KIM_USER_CANCELED_ERR, "The user cancelled the operation"
error_code KIM_NO_SERVER_ERR, "KerberosAgent is not responding"
error_code KIM_NO_UI_ERR, "Unable to display a user interface from this environment"
+error_code KIM_DUPLICATE_UI_REQUEST_ERR, "UI just handled this request"
index 100
# Preferences Errors
Modified: branches/mkey_migrate/src/kim/lib/kim_identity.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_identity.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_identity.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,8 +24,8 @@
* or implied warranty.
*/
+#include "k5-int.h"
#include <krb5.h>
-#include <gssapi/gssapi.h>
#include "kim_private.h"
/* ------------------------------------------------------------------------ */
@@ -110,7 +110,6 @@
{
kim_error err = KIM_NO_ERROR;
kim_identity identity = NULL;
- krb5_principal_data principal_data; /* allocated by KIM so can't be returned */
if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_realm ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -126,64 +125,23 @@
if (!err) {
va_list args;
- kim_count component_count = 1;
-
+
va_start (args, in_1st_component);
- while (va_arg (args, kim_string)) { component_count++; }
+ err = krb5_error (identity->context,
+ krb5int_build_principal_alloc_va (identity->context,
+ &identity->principal,
+ strlen(in_realm),
+ in_realm,
+ in_1st_component,
+ args));
va_end (args);
-
- principal_data.length = component_count;
- principal_data.data = (krb5_data *) malloc (component_count * sizeof (krb5_data));
- if (!principal_data.data) { err = KIM_OUT_OF_MEMORY_ERR; }
}
-
+
if (!err) {
- va_list args;
- krb5_int32 i;
-
- krb5_princ_set_realm_length (context, &principal_data, strlen (in_realm));
- krb5_princ_set_realm_data (context, &principal_data, (char *) in_realm);
-
- va_start (args, in_1st_component);
- for (i = 0; !err && (i < principal_data.length); i++) {
- kim_string component = NULL;
- if (i == 0) {
- err = kim_string_copy (&component, in_1st_component);
- } else {
- err = kim_string_copy (&component, va_arg (args, kim_string));
- }
-
- if (!err) {
- principal_data.data[i].data = (char *) component;
- principal_data.data[i].length = strlen (component);
- }
- }
- va_end (args);
- }
-
- if (!err) {
- /* make a copy that has actually been allocated by the krb5
- * library so krb5_free_principal can be called on it */
- err = krb5_error (identity->context,
- krb5_copy_principal (identity->context,
- &principal_data,
- &identity->principal));
- }
-
- if (!err) {
*out_identity = identity;
identity = NULL;
}
- if (principal_data.data) {
- krb5_int32 i;
-
- for (i = 0; i < principal_data.length; i++) {
- kim_string component = principal_data.data[i].data;
- kim_string_free (&component);
- }
- free (principal_data.data);
- }
kim_identity_free (&identity);
return check_error (err);
@@ -569,6 +527,7 @@
krb5_data message_data;
krb5_data description_data;
+ if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_ui_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -666,6 +625,8 @@
*out_rejected_err = rejected_err;
}
+ if (creds) { krb5_free_creds (in_identity->context, creds); }
+
return check_error (err);
}
@@ -689,7 +650,7 @@
kim_error rejected_err = KIM_NO_ERROR;
kim_string rejected_message = NULL;
kim_string rejected_description = NULL;
- kim_boolean was_prompted = 0;
+ kim_boolean was_prompted = 0; /* ignore because we always prompt */
err = kim_ui_change_password (in_ui_context,
in_identity,
@@ -746,19 +707,15 @@
rejected_message,
rejected_description);
- } else if (err && err != KIM_USER_CANCELED_ERR) {
- /* new creds failed, report error to user */
- kim_error terr = KIM_NO_ERROR;
+ } else if (err && err != KIM_USER_CANCELED_ERR &&
+ err != KIM_DUPLICATE_UI_REQUEST_ERR) {
+ /* New creds failed, report error to user.
+ * Overwrite error so we loop and let the user try again.
+ * The user always gets prompted so we always loop. */
+ err = kim_ui_handle_kim_error (in_ui_context, in_identity,
+ kim_ui_error_type_change_password,
+ err);
- terr = kim_ui_handle_kim_error (in_ui_context, in_identity,
- kim_ui_error_type_change_password,
- err);
-
- if (was_prompted || err == KIM_PASSWORD_MISMATCH_ERR) {
- /* User could have entered bad info so let them try again. */
- err = terr;
- }
-
} else {
/* password change succeeded or the user gave up */
done = 1;
@@ -782,10 +739,13 @@
kim_string_free (&saved_password);
}
+
+ if (err == KIM_DUPLICATE_UI_REQUEST_ERR) { err = KIM_NO_ERROR; }
}
kim_string_free (&rejected_message);
kim_string_free (&rejected_description);
+
kim_ui_free_string (in_ui_context, &old_password);
kim_ui_free_string (in_ui_context, &new_password);
kim_ui_free_string (in_ui_context, &verify_password);
Modified: branches/mkey_migrate/src/kim/lib/kim_library.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_library.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_library.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,6 +34,9 @@
#include "kim_private.h"
#include "kim_os_private.h"
+#if KIM_TO_KLL_SHIM
+#include "KerberosLoginErrors.h"
+#endif
MAKE_INIT_FUNCTION(kim_error_init);
MAKE_FINI_FUNCTION(kim_error_fini);
@@ -42,7 +45,10 @@
static int kim_error_init (void)
{
- add_error_table (&et_KIM_error_table);
+ add_error_table (&et_KIM_error_table);
+#if KIM_TO_KLL_SHIM
+ add_error_table (&et_KLL_error_table);
+#endif
return 0;
}
@@ -55,6 +61,9 @@
}
remove_error_table (&et_KIM_error_table);
+#if KIM_TO_KLL_SHIM
+ remove_error_table (&et_KLL_error_table);
+#endif
}
/* ------------------------------------------------------------------------ */
@@ -235,6 +244,11 @@
kim_debug_printf ("KIM_NEVER_PROMPT is set.");
allow_automatic_prompting = FALSE;
}
+
+ if (allow_automatic_prompting && !kim_os_library_caller_uses_gui ()) {
+ kim_debug_printf ("Caller is not using gui.");
+ allow_automatic_prompting = FALSE;
+ }
if (allow_automatic_prompting) {
/* Make sure there is at least 1 config file. We don't support DNS
Modified: branches/mkey_migrate/src/kim/lib/kim_library_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_library_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_library_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -32,6 +32,8 @@
kim_error kim_library_init (void);
+kim_boolean kim_os_library_caller_uses_gui (void);
+
kim_ui_environment kim_os_library_get_ui_environment (void);
kim_ui_environment kim_library_ui_environment (void);
Modified: branches/mkey_migrate/src/kim/lib/kim_options.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_options.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_options.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -91,6 +91,7 @@
{
kim_error err = KIM_NO_ERROR;
kim_preferences preferences = NULL;
+ kim_options options = KIM_OPTIONS_DEFAULT;
if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -99,9 +100,19 @@
}
if (!err) {
- err = kim_preferences_get_options (preferences, out_options);
+ err = kim_preferences_get_options (preferences, &options);
}
+ if (!err && !options) {
+ err = kim_options_allocate (&options);
+ }
+
+ if (!err) {
+ *out_options = options;
+ options = NULL; /* caller takes ownership */
+ }
+
+ kim_options_free (&options);
kim_preferences_free (&preferences);
return check_error (err);
@@ -116,7 +127,6 @@
kim_options options = KIM_OPTIONS_DEFAULT;
if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && in_options != KIM_OPTIONS_DEFAULT) {
err = kim_options_allocate (&options);
Modified: branches/mkey_migrate/src/kim/lib/kim_preferences.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_preferences.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_preferences.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -230,7 +230,7 @@
{
kim_error err = KIM_NO_ERROR;
kim_identity identity = NULL;
- kim_options options = NULL;
+ kim_options options = KIM_OPTIONS_DEFAULT;
kim_count insert_at = 0;
if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -437,16 +437,24 @@
if (!err) {
kim_identity default_identity = kim_default_client_identity;
+ kim_identity identity = NULL;
err = kim_os_identity_create_for_username (&default_identity);
if (!err) {
err = kim_os_preferences_get_identity_for_key (kim_preference_key_client_identity,
default_identity,
- &in_preferences->client_identity);
+ &identity);
}
+ if (!err) {
+ kim_identity_free (&in_preferences->client_identity);
+ in_preferences->client_identity = identity;
+ identity = NULL;
+ }
+
kim_identity_free (&default_identity);
+ kim_identity_free (&identity);
}
if (!err) {
@@ -502,7 +510,7 @@
if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- if (!err && in_preferences->remember_options && in_preferences->options_changed) {
+ if (!err && in_preferences->options_changed) {
err = kim_os_preferences_set_options_for_key (kim_preference_key_options,
in_preferences->options);
}
@@ -512,7 +520,7 @@
in_preferences->remember_options);
}
- if (!err && in_preferences->remember_client_identity && in_preferences->client_identity_changed) {
+ if (!err && in_preferences->client_identity_changed) {
kim_identity default_identity = kim_default_client_identity;
err = kim_os_identity_create_for_username (&default_identity);
Modified: branches/mkey_migrate/src/kim/lib/kim_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,7 +39,6 @@
#include "kim_debug_private.h"
#include "kim_error_private.h"
#include "kim_identity_private.h"
-#include "kim_ccache_private.h"
#include "kim_credential_private.h"
#include "kim_options_private.h"
#include "kim_preferences_private.h"
Modified: branches/mkey_migrate/src/kim/lib/kim_selection_hints.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_selection_hints.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_selection_hints.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -372,11 +372,7 @@
if (!err && !out_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
- if (in_selection_hints->options) {
- err = kim_options_copy (out_options, in_selection_hints->options);
- } else {
- *out_options = KIM_OPTIONS_DEFAULT;
- }
+ err = kim_options_copy (out_options, in_selection_hints->options);
}
return check_error (err);
@@ -484,7 +480,8 @@
/* reenter select_identity so just forget this identity
* even if we got an error */
- if (err == KIM_USER_CANCELED_ERR) { err = KIM_NO_ERROR; }
+ if (err == KIM_USER_CANCELED_ERR ||
+ err == KIM_DUPLICATE_UI_REQUEST_ERR) { err = KIM_NO_ERROR; }
kim_identity_free (&identity);
}
Modified: branches/mkey_migrate/src/kim/lib/kim_ui.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ui.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ui.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,15 +51,15 @@
if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !io_context->initialized) {
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
kim_ui_environment environment = kim_library_ui_environment ();
if (environment == KIM_UI_ENVIRONMENT_GUI) {
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
io_context->type = kim_ui_type_gui_plugin;
err = kim_ui_plugin_init (io_context);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
if (err) {
io_context->type = kim_ui_type_gui_builtin;
@@ -76,7 +76,7 @@
err = check_error (KIM_NO_UI_ERR);
}
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
if (!err) {
io_context->initialized = 1;
@@ -133,7 +133,7 @@
out_identity,
out_change_password);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (in_context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_enter_identity (in_context,
io_options,
@@ -146,7 +146,7 @@
out_identity,
out_change_password);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
@@ -181,7 +181,7 @@
out_identity,
out_change_password);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (in_context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_select_identity (in_context,
io_hints,
@@ -194,7 +194,7 @@
out_identity,
out_change_password);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
@@ -263,7 +263,7 @@
&reply,
&save_reply);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_auth_prompt (context,
context->identity,
@@ -287,7 +287,7 @@
in_prompts[i].prompt,
&reply,
&save_reply);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
@@ -319,9 +319,9 @@
/* Clean up reply buffer. Saved passwords are allocated by KIM. */
if (reply) {
- memset (reply, '\0', strlen (reply));
- if (got_saved_password) {
- kim_string_free ((kim_string *) &reply);
+ if (got_saved_password) {
+ memset (reply, '\0', strlen (reply));
+ kim_string_free ((kim_string *) &reply);
} else {
kim_ui_free_string (context, &reply);
}
@@ -361,7 +361,7 @@
out_new_password,
out_verify_password);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (in_context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_change_password (in_context,
in_identity,
@@ -377,7 +377,7 @@
out_old_password,
out_new_password,
out_verify_password);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
@@ -413,7 +413,7 @@
in_error_message,
in_error_description);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (in_context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_handle_error (in_context,
in_identity,
@@ -427,7 +427,7 @@
in_error,
in_error_message,
in_error_description);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
@@ -445,11 +445,14 @@
kim_error err = kim_ui_init_lazy (in_context);
if (!err && in_context && io_string && *io_string) {
+ /* most ui strings are auth information so zero before freeing */
+ memset (*io_string, '\0', strlen (*io_string));
+
if (in_context->type == kim_ui_type_gui_plugin) {
kim_ui_plugin_free_string (in_context,
io_string);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (in_context->type == kim_ui_type_gui_builtin) {
kim_os_ui_gui_free_string (in_context,
io_string);
@@ -457,7 +460,7 @@
} else if (in_context->type == kim_ui_type_cli) {
kim_ui_cli_free_string (in_context,
io_string);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
}
}
}
@@ -474,13 +477,13 @@
if (io_context->type == kim_ui_type_gui_plugin) {
err = kim_ui_plugin_fini (io_context);
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
} else if (io_context->type == kim_ui_type_gui_builtin) {
err = kim_os_ui_gui_fini (io_context);
} else if (io_context->type == kim_ui_type_cli) {
err = kim_ui_cli_fini (io_context);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
} else {
err = check_error (KIM_NO_UI_ERR);
Modified: branches/mkey_migrate/src/kim/lib/kim_ui_cli.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ui_cli.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ui_cli.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,7 +24,7 @@
* or implied warranty.
*/
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
#include "kim_private.h"
@@ -73,7 +73,9 @@
prompts[0].reply->length = sizeof (reply_string);
err = krb5_prompter_posix (k5context, NULL, NULL, NULL, 1, prompts);
- if (err == KRB5_LIBOS_PWDINTR) { err = check_error (KIM_USER_CANCELED_ERR); }
+ if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) {
+ err = check_error (KIM_USER_CANCELED_ERR);
+ }
}
if (!err) {
@@ -228,7 +230,9 @@
if (!err) {
err = krb5_prompter_posix (k5context, in_context, in_title,
in_message, 1, prompts);
- if (err == KRB5_LIBOS_PWDINTR) { err = check_error (KIM_USER_CANCELED_ERR); }
+ if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) {
+ err = check_error (KIM_USER_CANCELED_ERR);
+ }
}
if (!err) {
@@ -255,7 +259,6 @@
{
kim_error err = KIM_NO_ERROR;
kim_string ask_change_password = NULL;
- kim_string answer_options = NULL;
kim_string yes = NULL;
kim_string no = NULL;
kim_string unknown_response = NULL;
@@ -314,7 +317,6 @@
}
kim_string_free (&ask_change_password);
- kim_string_free (&answer_options);
kim_string_free (&yes);
kim_string_free (&no);
kim_string_free (&unknown_response);
@@ -378,6 +380,11 @@
1, enter_old_password_format,
identity_string);
+ if (!err && strlen (old_password) < 1) {
+ /* Empty password: Synthesize bad password err */
+ err = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
if (!err) {
err = kim_credential_create_for_change_password ((kim_credential *) &in_context->tcontext,
in_identity,
@@ -389,7 +396,7 @@
if (err && err != KIM_USER_CANCELED_ERR) {
/* new creds failed, report error to user */
err = kim_ui_handle_kim_error (in_context, in_identity,
- kim_ui_error_type_authentication,
+ kim_ui_error_type_change_password,
err);
} else {
@@ -468,4 +475,4 @@
return KIM_NO_ERROR;
}
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
Modified: branches/mkey_migrate/src/kim/lib/kim_ui_cli_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ui_cli_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ui_cli_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,7 +27,7 @@
#ifndef KIM_UI_CLI_PRIVATE_H
#define KIM_UI_CLI_PRIVATE_H
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
#include <kim/kim.h>
@@ -75,6 +75,6 @@
kim_error kim_ui_cli_fini (kim_ui_context *in_context);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
#endif /* KIM_UI_CLI_PRIVATE_H */
Modified: branches/mkey_migrate/src/kim/lib/kim_ui_gui_private.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ui_gui_private.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ui_gui_private.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,7 +27,7 @@
#ifndef KIM_UI_GUI_PRIVATE_H
#define KIM_UI_GUI_PRIVATE_H
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
#include <kim/kim.h>
@@ -75,6 +75,6 @@
kim_error kim_os_ui_gui_fini (kim_ui_context *in_context);
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
#endif /* KIM_UI_GUI_PRIVATE_H */
Modified: branches/mkey_migrate/src/kim/lib/kim_ui_plugin.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/kim_ui_plugin.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/kim_ui_plugin.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,16 +29,16 @@
#include "kim_private.h"
+const char * const *kim_ui_plugin_files = NULL;
#if TARGET_OS_MAC
-const char * const kim_ui_plugin_files[] = { "KerberosUI", NULL };
static const char *kim_ui_plugin_dirs[] = { KRB5_KIM_UI_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/kimui", NULL };
#else
-const char * const *kim_ui_plugin_files = NULL;
static const char *kim_ui_plugin_dirs[] = { LIBDIR "/krb5/plugins/kimui", NULL };
#endif
struct kim_ui_plugin_context {
+ krb5_context kcontext;
struct plugin_dir_handle plugins;
struct kim_ui_plugin_ftable_v0 *ftable;
void **ftables;
@@ -57,6 +57,9 @@
if (PLUGIN_DIR_OPEN (&(*io_context)->plugins)) {
krb5int_close_plugin_dirs (&(*io_context)->plugins);
}
+ if ((*io_context)->kcontext) {
+ krb5_free_context ((*io_context)->kcontext);
+ }
free (*io_context);
*io_context = NULL;
}
@@ -77,6 +80,10 @@
}
if (!err) {
+ err = krb5_error (NULL, krb5_init_context (&context->kcontext));
+ }
+
+ if (!err) {
PLUGIN_DIR_INIT(&context->plugins);
context->ftable = NULL;
context->ftables = NULL;
@@ -99,7 +106,6 @@
{
kim_error err = KIM_NO_ERROR;
kim_ui_plugin_context context = NULL;
- struct errinfo einfo;
if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -110,16 +116,19 @@
if (!err) {
PLUGIN_DIR_INIT(&context->plugins);
- err = krb5int_open_plugin_dirs (kim_ui_plugin_dirs,
- kim_ui_plugin_files,
- &context->plugins, &einfo);
+ err = krb5_error (context->kcontext,
+ krb5int_open_plugin_dirs (kim_ui_plugin_dirs,
+ kim_ui_plugin_files,
+ &context->plugins,
+ &context->kcontext->err));
}
if (!err) {
- err = krb5int_get_plugin_dir_data (&context->plugins,
- "kim_ui_0",
- &context->ftables,
- &einfo);
+ err = krb5_error (context->kcontext,
+ krb5int_get_plugin_dir_data (&context->plugins,
+ "kim_ui_0",
+ &context->ftables,
+ &context->kcontext->err));
}
if (!err && context->ftables) {
@@ -332,7 +341,7 @@
kim_ui_plugin_context context = (kim_ui_plugin_context) io_context->tcontext;
if (context) {
- err = context->ftable->fini (&context->plugin_context);
+ err = context->ftable->fini (context->plugin_context);
}
if (!err) {
Modified: branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,20 +24,34 @@
* or implied warranty.
*/
-#ifndef LEAN_CLIENT
+#ifdef KIM_TO_KLL_SHIM
-#define KERBEROSLOGIN_DEPRECATED
-
#include "CredentialsCache.h"
#include "KerberosLogin.h"
#include "KerberosLoginPrivate.h"
#include <kim/kim.h>
#include "kim_private.h"
+#include "k5-thread.h"
+#include <time.h>
+/*
+ * Deprecated Error codes
+ */
+enum {
+ /* Carbon Dialog errors */
+ klDialogDoesNotExistErr = 19676,
+ klDialogAlreadyExistsErr,
+ klNotInForegroundErr,
+ klNoAppearanceErr,
+ klFatalDialogErr,
+ klCarbonUnavailableErr
+};
+
krb5_get_init_creds_opt *__KLLoginOptionsGetKerberos5Options (KLLoginOptions ioOptions);
KLTime __KLLoginOptionsGetStartTime (KLLoginOptions ioOptions);
char *__KLLoginOptionsGetServiceName (KLLoginOptions ioOptions);
+
/* ------------------------------------------------------------------------ */
static KLStatus kl_check_error_ (kim_error inError, const char *function, const char *file, int line)
@@ -158,7 +172,7 @@
/* ------------------------------------------------------------------------ */
-KLStatus KLSetApplicationOptions (const KLApplicationOptions *inAppOptions)
+KLStatus KLSetApplicationOptions (const void *inAppOptions)
{
/* Deprecated */
return kl_check_error (klNoErr);
@@ -166,10 +180,14 @@
/* ------------------------------------------------------------------------ */
-KLStatus KLGetApplicationOptions (KLApplicationOptions *outAppOptions)
+KLStatus KLGetApplicationOptions (void *outAppOptions)
{
- /* Deprecated */
- return kl_check_error (klNoErr);
+ /* Deprecated -- this function took a struct declared on the caller's
+ * stack. It used to fill in the struct with information about the
+ * Mac OS 9 dialog used for automatic prompting. Since there is no
+ * way for us provide valid values, just leave the struct untouched
+ * and return a reasonable error. */
+ return kl_check_error (klDialogDoesNotExistErr);
}
/* ------------------------------------------------------------------------ */
@@ -185,13 +203,9 @@
kim_identity identity = NULL;
if (!err) {
- err = kim_ccache_create_from_client_identity (&ccache,
- inPrincipal);
-
- if (err) {
- /* ccache does not already exist, create a new one */
- err = kim_ccache_create_new (&ccache, inPrincipal, inLoginOptions);
- }
+ err = kim_ccache_create_new_if_needed (&ccache,
+ inPrincipal,
+ inLoginOptions);
}
if (!err && outPrincipal) {
@@ -267,7 +281,9 @@
kim_error err = KIM_NO_ERROR;
kim_ccache ccache = NULL;
- err = kim_ccache_create_from_client_identity (&ccache, inPrincipal);
+ if (!err) {
+ err = kim_ccache_create_from_client_identity (&ccache, inPrincipal);
+ }
if (!err) {
err = kim_ccache_destroy (&ccache);
@@ -285,9 +301,6 @@
/* ------------------------------------------------------------------------ */
-
-/* Kerberos Login dialog low level functions */
-
KLStatus KLAcquireInitialTicketsWithPassword (KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
const char *inPassword,
@@ -297,16 +310,10 @@
kim_ccache ccache = NULL;
if (!err) {
- err = kim_ccache_create_from_client_identity (&ccache,
- inPrincipal);
-
- if (err) {
- /* ccache does not already exist, create a new one */
- err = kim_ccache_create_new_with_password (&ccache,
- inPrincipal,
- inLoginOptions,
- inPassword);
- }
+ err = kim_ccache_create_new_if_needed_with_password (&ccache,
+ inPrincipal,
+ inLoginOptions,
+ inPassword);
}
if (!err && outCredCacheName) {
@@ -567,18 +574,50 @@
return kl_check_error (err);
}
+static cc_time_t g_cc_change_time = 0;
+static KLTime g_kl_change_time = 0;
+static k5_mutex_t g_change_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+MAKE_INIT_FUNCTION(kim_change_time_init);
+MAKE_FINI_FUNCTION(kim_change_time_fini);
+
/* ------------------------------------------------------------------------ */
+static int kim_change_time_init (void)
+{
+ g_kl_change_time = time (NULL);
+
+ return k5_mutex_finish_init(&g_change_time_mutex);
+}
+
+/* ------------------------------------------------------------------------ */
+
+static void kim_change_time_fini (void)
+{
+ if (!INITIALIZER_RAN (kim_change_time_init) || PROGRAM_EXITING ()) {
+ return;
+ }
+
+ k5_mutex_destroy(&g_change_time_mutex);
+}
+
+/* ------------------------------------------------------------------------ */
+
KLStatus KLLastChangedTime (KLTime *outLastChangedTime)
{
- KLStatus err = klNoErr;
+ KLStatus err = CALL_INIT_FUNCTION (kim_change_time_init);
+ kim_error mutex_err = KIM_NO_ERROR;
cc_context_t context = NULL;
cc_time_t ccChangeTime = 0;
- if (!outLastChangedTime) { err = kl_check_error (klParameterErr); }
-
+ if (!err && !outLastChangedTime) { err = kl_check_error (klParameterErr); }
+
if (!err) {
+ mutex_err = k5_mutex_lock (&g_change_time_mutex);
+ if (mutex_err) { err = mutex_err; }
+ }
+
+ if (!err) {
err = cc_initialize (&context, ccapi_version_4, NULL, NULL);
}
@@ -587,10 +626,24 @@
}
if (!err) {
- *outLastChangedTime = ccChangeTime;
+ /* cc_context_get_change_time returns 0 if there are no tickets
+ * but KLLastChangedTime always returned the current time. So
+ * fake the current time if cc_context_get_change_time returns 0. */
+ if (ccChangeTime > g_cc_change_time) {
+ /* changed, make sure g_kl_change_time increases in value */
+ if (ccChangeTime > g_kl_change_time) {
+ g_kl_change_time = ccChangeTime;
+ } else {
+ g_kl_change_time++; /* we got ahead of the ccapi, just increment */
+ }
+ g_cc_change_time = ccChangeTime;
+ }
+
+ *outLastChangedTime = g_kl_change_time;
}
- if (context) { cc_context_release (context); }
+ if (context ) { cc_context_release (context); }
+ if (!mutex_err) { k5_mutex_unlock (&g_change_time_mutex); }
return kl_check_error (err);
}
@@ -612,11 +665,7 @@
if (!outFoundValidTickets) { err = kl_check_error (klParameterErr); }
if (!err) {
- if (inPrincipal) {
- err = kim_ccache_create_from_client_identity (&ccache, inPrincipal);
- } else {
- err = kim_ccache_create_from_default (&ccache);
- }
+ err = kim_ccache_create_from_client_identity (&ccache, inPrincipal);
}
if (!err) {
@@ -625,6 +674,10 @@
if (!err && outPrincipal) {
err = kim_ccache_get_client_identity (ccache, &identity);
+ if (err) {
+ err = KIM_NO_ERROR;
+ identity = NULL;
+ }
}
if (!err && outCredCacheName) {
@@ -886,6 +939,8 @@
};
+/* ------------------------------------------------------------------------ */
+
KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption,
void *ioBuffer,
KLSize *ioBufferSize)
@@ -927,11 +982,11 @@
} else if (!err && inOption == loginOption_LoginInstance) {
targetSize = 0; /* Deprecated */
- } else if (!err && (inOption == loginOption_ShowOptions &&
- inOption == loginOption_RememberShowOptions &&
- inOption == loginOption_LongTicketLifetimeDisplay &&
- inOption == loginOption_RememberPrincipal &&
- inOption == loginOption_RememberExtras &&
+ } else if (!err && (inOption == loginOption_ShowOptions ||
+ inOption == loginOption_RememberShowOptions ||
+ inOption == loginOption_LongTicketLifetimeDisplay ||
+ inOption == loginOption_RememberPrincipal ||
+ inOption == loginOption_RememberExtras ||
inOption == loginOption_RememberPassword)) {
targetSize = sizeof(KLBoolean);
@@ -962,11 +1017,10 @@
}
}
- } else if (!err && (inOption == loginOption_MinimalTicketLifetime &&
- inOption == loginOption_MaximalTicketLifetime &&
- inOption == loginOption_LongTicketLifetimeDisplay &&
- inOption == loginOption_RememberPrincipal &&
- inOption == loginOption_RememberExtras)) {
+ } else if (!err && (inOption == loginOption_MinimalTicketLifetime ||
+ inOption == loginOption_MaximalTicketLifetime ||
+ inOption == loginOption_MinimalRenewableLifetime ||
+ inOption == loginOption_MaximalRenewableLifetime)) {
targetSize = sizeof(KLLifetime);
if (!returnSizeOnly) {
@@ -994,9 +1048,9 @@
}
}
- } else if (!err && (inOption == loginOption_DefaultRenewableTicket &&
- inOption == loginOption_DefaultForwardableTicket &&
- inOption == loginOption_DefaultProxiableTicket &&
+ } else if (!err && (inOption == loginOption_DefaultRenewableTicket ||
+ inOption == loginOption_DefaultForwardableTicket ||
+ inOption == loginOption_DefaultProxiableTicket ||
inOption == loginOption_DefaultAddresslessTicket)) {
targetSize = sizeof(KLBoolean);
@@ -1031,7 +1085,7 @@
}
- } else if (!err && (inOption == loginOption_DefaultTicketLifetime &&
+ } else if (!err && (inOption == loginOption_DefaultTicketLifetime ||
inOption == loginOption_DefaultRenewableLifetime)) {
targetSize = sizeof(KLLifetime);
@@ -1128,11 +1182,11 @@
} else if (!err && inOption == loginOption_LoginInstance) {
/* Ignored */
- } else if (!err && (inOption == loginOption_ShowOptions &&
- inOption == loginOption_RememberShowOptions &&
- inOption == loginOption_LongTicketLifetimeDisplay &&
- inOption == loginOption_RememberPrincipal &&
- inOption == loginOption_RememberExtras &&
+ } else if (!err && (inOption == loginOption_ShowOptions ||
+ inOption == loginOption_RememberShowOptions ||
+ inOption == loginOption_LongTicketLifetimeDisplay ||
+ inOption == loginOption_RememberPrincipal ||
+ inOption == loginOption_RememberExtras ||
inOption == loginOption_RememberPassword)) {
if (inBufferSize > sizeof (KLBoolean)) {
err = kl_check_error (klBufferTooLargeErr);
@@ -1141,17 +1195,16 @@
}
if (!err && inOption == loginOption_RememberPrincipal) {
- err = kim_preferences_set_remember_client_identity (prefs, *(kim_boolean *)inBuffer);
+ err = kim_preferences_set_remember_client_identity (prefs, *(KLBoolean *)inBuffer);
} else if (!err && inOption == loginOption_RememberExtras) {
- err = kim_preferences_set_remember_options (prefs, *(kim_boolean *)inBuffer);
+ err = kim_preferences_set_remember_options (prefs, *(KLBoolean *)inBuffer);
}
- } else if (!err && (inOption == loginOption_MinimalTicketLifetime &&
- inOption == loginOption_MaximalTicketLifetime &&
- inOption == loginOption_LongTicketLifetimeDisplay &&
- inOption == loginOption_RememberPrincipal &&
- inOption == loginOption_RememberExtras)) {
+ } else if (!err && (inOption == loginOption_MinimalTicketLifetime ||
+ inOption == loginOption_MaximalTicketLifetime ||
+ inOption == loginOption_MinimalRenewableLifetime ||
+ inOption == loginOption_MaximalRenewableLifetime)) {
if (inBufferSize > sizeof (KLLifetime)) {
err = kl_check_error (klBufferTooLargeErr);
} else if (inBufferSize < sizeof (KLLifetime)) {
@@ -1159,21 +1212,21 @@
}
if (!err && inOption == loginOption_MinimalTicketLifetime) {
- err = kim_preferences_set_minimum_lifetime (prefs, *(kim_lifetime *)inBuffer);
+ err = kim_preferences_set_minimum_lifetime (prefs, *(KLLifetime *)inBuffer);
} else if (!err && inOption == loginOption_MaximalTicketLifetime) {
- err = kim_preferences_set_maximum_lifetime (prefs, *(kim_lifetime *)inBuffer);
+ err = kim_preferences_set_maximum_lifetime (prefs, *(KLLifetime *)inBuffer);
} else if (!err && inOption == loginOption_MinimalRenewableLifetime) {
- err = kim_preferences_set_minimum_renewal_lifetime (prefs, *(kim_lifetime *)inBuffer);
+ err = kim_preferences_set_minimum_renewal_lifetime (prefs, *(KLLifetime *)inBuffer);
} else if (!err && inOption == loginOption_MaximalRenewableLifetime) {
- err = kim_preferences_set_maximum_renewal_lifetime (prefs, *(kim_lifetime *)inBuffer);
+ err = kim_preferences_set_maximum_renewal_lifetime (prefs, *(KLLifetime *)inBuffer);
}
- } else if (!err && (inOption == loginOption_DefaultRenewableTicket &&
- inOption == loginOption_DefaultForwardableTicket &&
- inOption == loginOption_DefaultProxiableTicket &&
+ } else if (!err && (inOption == loginOption_DefaultRenewableTicket ||
+ inOption == loginOption_DefaultForwardableTicket ||
+ inOption == loginOption_DefaultProxiableTicket ||
inOption == loginOption_DefaultAddresslessTicket)) {
kim_options options = NULL;
@@ -1188,16 +1241,16 @@
}
if (!err && inOption == loginOption_DefaultRenewableTicket) {
- err = kim_options_set_renewable (options, *(kim_boolean *)inBuffer);
+ err = kim_options_set_renewable (options, *(KLBoolean *)inBuffer);
} else if (!err && inOption == loginOption_DefaultForwardableTicket) {
- err = kim_options_set_forwardable (options, *(kim_boolean *)inBuffer);
+ err = kim_options_set_forwardable (options, *(KLBoolean *)inBuffer);
} else if (!err && inOption == loginOption_DefaultProxiableTicket) {
- err = kim_options_set_proxiable (options, *(kim_boolean *)inBuffer);
+ err = kim_options_set_proxiable (options, *(KLBoolean *)inBuffer);
} else if (!err && inOption == loginOption_DefaultAddresslessTicket) {
- err = kim_options_set_addressless (options, *(kim_boolean *)inBuffer);
+ err = kim_options_set_addressless (options, *(KLBoolean *)inBuffer);
}
if (!err) {
@@ -1206,7 +1259,7 @@
kim_options_free (&options);
- } else if (!err && (inOption == loginOption_DefaultTicketLifetime &&
+ } else if (!err && (inOption == loginOption_DefaultTicketLifetime ||
inOption == loginOption_DefaultRenewableLifetime)) {
kim_options options = NULL;
@@ -1221,10 +1274,10 @@
}
if (!err && inOption == loginOption_DefaultTicketLifetime) {
- err = kim_options_set_lifetime (options, *(kim_lifetime *)inBuffer);
+ err = kim_options_set_lifetime (options, *(KLLifetime *)inBuffer);
} else if (!err && inOption == loginOption_DefaultRenewableLifetime) {
- err = kim_options_set_renewal_lifetime (options, *(kim_lifetime *)inBuffer);
+ err = kim_options_set_renewal_lifetime (options, *(KLLifetime *)inBuffer);
}
if (!err) {
@@ -1393,11 +1446,18 @@
const char *inRealm,
KLPrincipal *outPrincipal)
{
- return kl_check_error (kim_identity_create_from_components (outPrincipal,
- inRealm,
- inName,
- inInstance,
- NULL));
+ if (inInstance && strlen (inInstance) > 0) {
+ return kl_check_error (kim_identity_create_from_components (outPrincipal,
+ inRealm,
+ inName,
+ inInstance,
+ NULL));
+ } else {
+ return kl_check_error (kim_identity_create_from_components (outPrincipal,
+ inRealm,
+ inName,
+ NULL));
+ }
}
/* ------------------------------------------------------------------------ */
@@ -1797,4 +1857,4 @@
-#endif /* LEAN_CLIENT */
+#endif /* KIM_TO_KLL_SHIM */
Modified: branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.h
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/KerberosLogin.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,6 +34,12 @@
# endif
#endif
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203
+# define KERBEROSLOGIN_DEPRECATED __attribute__((deprecated))
+#else
+# define KERBEROSLOGIN_DEPRECATED
+#endif
+
#include <sys/types.h>
#include <krb5.h>
@@ -152,16 +158,6 @@
klInsecurePasswordErr,
klPasswordChangeFailedErr,
-#ifdef KERBEROSLOGIN_DEPRECATED
- /* Dialog errors -- deprecated */
- klDialogDoesNotExistErr = 19676,
- klDialogAlreadyExistsErr,
- klNotInForegroundErr,
- klNoAppearanceErr,
- klFatalDialogErr,
- klCarbonUnavailableErr,
-#endif
-
/* Login IPC errors */
klCantContactServerErr = 19776,
klCantDisplayUIErr,
@@ -191,18 +187,6 @@
typedef void (*KLIdleCallback) (KLRefCon appData);
#define CallKLIdleCallback(userRoutine, appData) ((userRoutine) (appData))
-#ifdef KERBEROSLOGIN_DEPRECATED
-
-/* Application options */
-typedef struct {
- void * deprecatedEventFilter;
- KLRefCon deprecatedEventFilterAppData;
- KLSInt16 deprecatedRealmsPopupMenuID;
- KLSInt16 deprecatedLoginModeMenuID;
-} KLApplicationOptions;
-
-#endif
-
/* Principal information */
typedef kim_identity KLPrincipal;
@@ -216,31 +200,35 @@
*/
/* Deprecated functions -- provided for compatibility with KfM 4.0 */
-#ifdef KERBEROSLOGIN_DEPRECATED
KLStatus KLAcquireTickets (KLPrincipal inPrincipal,
KLPrincipal *outPrincipal,
- char **outCredCacheName);
+ char **outCredCacheName)
+ KERBEROSLOGIN_DEPRECATED;
KLStatus KLAcquireNewTickets (KLPrincipal inPrincipal,
KLPrincipal *outPrincipal,
- char **outCredCacheName);
+ char **outCredCacheName)
+ KERBEROSLOGIN_DEPRECATED;
KLStatus KLAcquireTicketsWithPassword (KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
const char *inPassword,
- char **outCredCacheName);
+ char **outCredCacheName)
+ KERBEROSLOGIN_DEPRECATED;
KLStatus KLAcquireNewTicketsWithPassword (KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
const char *inPassword,
- char **outCredCacheName);
+ char **outCredCacheName)
+ KERBEROSLOGIN_DEPRECATED;
-KLStatus KLSetApplicationOptions (const KLApplicationOptions *inAppOptions);
+KLStatus KLSetApplicationOptions (const void *inAppOptions)
+ KERBEROSLOGIN_DEPRECATED;
-KLStatus KLGetApplicationOptions (KLApplicationOptions *outAppOptions);
+KLStatus KLGetApplicationOptions (void *outAppOptions)
+ KERBEROSLOGIN_DEPRECATED;
-#endif
/* Kerberos Login high-level API */
KLStatus KLAcquireInitialTickets (KLPrincipal inPrincipal,
Copied: branches/mkey_migrate/src/kim/lib/mac/KerberosLoginErrors.et (from rev 21721, trunk/src/kim/lib/mac/KerberosLoginErrors.et)
Modified: branches/mkey_migrate/src/kim/lib/mac/kim_os_identity.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/kim_os_identity.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/kim_os_identity.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -85,12 +85,14 @@
if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !out_password) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- /* Short circuit if password saving is disabled */
+ if (!err && !kim_library_allow_home_directory_access ()) {
+ err = check_error (ENOENT); /* simulate no password found */
+ }
+
if (!err && !kim_os_identity_allow_save_password ()) {
err = kim_os_identity_remove_saved_password (in_identity);
if (!err) {
- /* simulate no password found */
- err = check_error (ENOENT);
+ err = check_error (ENOENT); /* simulate no password found */
}
}
@@ -116,8 +118,8 @@
err = kim_string_create_from_buffer (out_password, buffer, length);
}
- if (name ) { kim_string_free (&name); }
- if (realm ) { kim_string_free (&realm); }
+ kim_string_free (&name);
+ kim_string_free (&realm);
if (buffer) { SecKeychainItemFreeContent (NULL, buffer); }
return check_error (err);
@@ -135,7 +137,10 @@
if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_password) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- /* Short circuit if password saving is disabled */
+ if (!err && !kim_library_allow_home_directory_access ()) {
+ return KIM_NO_ERROR; /* simulate no error */
+ }
+
if (!err && !kim_os_identity_allow_save_password ()) {
return kim_os_identity_remove_saved_password (in_identity);
}
@@ -153,7 +158,7 @@
UInt32 namelen = strlen (name);
UInt32 realmlen = strlen (realm);
- // Add the password to the keychain
+ /* Add the password to the keychain */
err = SecKeychainAddGenericPassword (nil,
realmlen, realm,
namelen, name,
@@ -161,8 +166,8 @@
&itemRef);
if (err == errSecDuplicateItem) {
- // We've already stored a password for this principal
- // but it might have changed so update it
+ /* We've already stored a password for this principal
+ * but it might have changed so update it */
void *buffer = NULL;
UInt32 length = 0;
@@ -186,7 +191,7 @@
}
} else if (!err) {
- // We added a new entry, add a descriptive label
+ /* We added a new entry, add a descriptive label */
SecKeychainAttributeList *copiedAttrs = NULL;
SecKeychainAttributeInfo attrInfo;
UInt32 tag = 7;
@@ -231,8 +236,8 @@
if (itemRef) { CFRelease (itemRef); }
}
- if (name ) { kim_string_free (&name); }
- if (realm) { kim_string_free (&realm); }
+ kim_string_free (&name);
+ kim_string_free (&realm);
return check_error (err);
}
@@ -247,6 +252,10 @@
if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); }
+ if (!err && !kim_library_allow_home_directory_access ()) {
+ return KIM_NO_ERROR; /* simulate no error */
+ }
+
if (!err) {
err = kim_identity_get_components_string (in_identity, &name);
}
@@ -278,8 +287,8 @@
if (itemRef) { CFRelease (itemRef); }
}
- if (name ) { kim_string_free (&name); }
- if (realm) { kim_string_free (&realm); }
+ kim_string_free (&name);
+ kim_string_free (&realm);
return check_error (err);
}
Modified: branches/mkey_migrate/src/kim/lib/mac/kim_os_library.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/kim_os_library.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/kim_os_library.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,9 +25,8 @@
*/
#include <CoreFoundation/CoreFoundation.h>
-#include <ApplicationServices/ApplicationServices.h>
+#include <Security/AuthSession.h>
#include <mach-o/dyld.h>
-#include <Kerberos/kipc_session.h>
#include "k5-int.h"
#include "k5-thread.h"
#include <krb5/krb5.h>
@@ -95,16 +94,56 @@
/* ------------------------------------------------------------------------ */
+kim_boolean kim_os_library_caller_uses_gui (void)
+{
+ kim_boolean caller_uses_gui = 0;
+
+ /* Check for the HIToolbox (Carbon) or AppKit (Cocoa).
+ * If either is loaded, we are a GUI app! */
+ CFBundleRef appKitBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.AppKit"));
+ CFBundleRef hiToolBoxBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.HIToolbox"));
+
+ if (hiToolBoxBundle && CFBundleIsExecutableLoaded (hiToolBoxBundle)) {
+ caller_uses_gui = 1; /* Using Carbon */
+ }
+
+ if (appKitBundle && CFBundleIsExecutableLoaded (appKitBundle)) {
+ caller_uses_gui = 1; /* Using Cocoa */
+ }
+
+ return caller_uses_gui;
+}
+
+/* ------------------------------------------------------------------------ */
+
kim_ui_environment kim_os_library_get_ui_environment (void)
{
-#ifndef LEAN_CLIENT
- kipc_session_attributes_t attributes = kipc_session_get_attributes ();
+#ifdef KIM_BUILTIN_UI
+ kim_boolean has_gui_access = 0;
+ SessionAttributeBits sattrs = 0L;
- if (attributes & kkipc_session_caller_uses_gui) {
+ has_gui_access = ((SessionGetInfo (callerSecuritySession,
+ NULL, &sattrs) == noErr) &&
+ (sattrs & sessionHasGraphicAccess));
+
+ if (has_gui_access && kim_os_library_caller_uses_gui ()) {
return KIM_UI_ENVIRONMENT_GUI;
- } else if (attributes & kkipc_session_has_cli_access) {
- return KIM_UI_ENVIRONMENT_CLI;
- } else if (attributes & kkipc_session_has_gui_access) {
+ }
+
+ {
+ int fd_stdin = fileno (stdin);
+ int fd_stdout = fileno (stdout);
+ char *fd_stdin_name = ttyname (fd_stdin);
+
+ /* Session info isn't reliable for remote sessions.
+ * Check manually for terminal access with file descriptors */
+ if (isatty (fd_stdin) && isatty (fd_stdout) && fd_stdin_name) {
+ return KIM_UI_ENVIRONMENT_CLI;
+ }
+ }
+
+ /* If we don't have a CLI but can talk to the GUI, use that */
+ if (has_gui_access) {
return KIM_UI_ENVIRONMENT_GUI;
}
@@ -169,7 +208,7 @@
}
if (cfpath ) { CFRelease (cfpath); }
- if (absolute_url ) { CFRelease (bundle_url); }
+ if (absolute_url ) { CFRelease (absolute_url); }
if (bundle_url ) { CFRelease (bundle_url); }
if (resources_url ) { CFRelease (resources_url); }
if (executable_url) { CFRelease (executable_url); }
@@ -233,14 +272,17 @@
if (!err && !out_application_name) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && bundle) {
- CFURLRef bundle_url = CFBundleCopyBundleURL (bundle);
+ cfname = CFBundleGetValueForInfoDictionaryKey (bundle,
+ kCFBundleNameKey);
- if (bundle_url) {
- err = LSCopyDisplayNameForURL (bundle_url, &cfname);
- check_error (err);
+ if (!cfname || CFGetTypeID (cfname) != CFStringGetTypeID ()) {
+ cfname = CFBundleGetValueForInfoDictionaryKey (bundle,
+ kCFBundleExecutableKey);
}
- if (bundle_url) { CFRelease (bundle_url); }
+ if (cfname) {
+ cfname = CFStringCreateCopy (kCFAllocatorDefault, cfname);
+ }
}
if (!err && !cfname) {
@@ -270,6 +312,7 @@
if (cfpathnoext) { CFRelease (cfpathnoext); }
if (cfpath ) { CFRelease (cfpath); }
+ kim_string_free (&path);
}
if (!err && cfname) {
Modified: branches/mkey_migrate/src/kim/lib/mac/kim_os_preferences.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/kim_os_preferences.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/kim_os_preferences.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -226,7 +226,7 @@
kim_error err = KIM_NO_ERROR;
CFStringRef key = NULL;
- if (!err && !in_value) { err = check_error (KIM_NULL_PARAMETER_ERR); }
+ /* in_value may be NULL if removing the key */
if (!err) {
key = kim_os_preferences_cfstring_for_key (in_key);
@@ -888,20 +888,21 @@
kim_error err = KIM_NO_ERROR;
CFMutableDictionaryRef dictionary = NULL;
- if (!err && !in_options) { err = check_error (KIM_NULL_PARAMETER_ERR); }
+ /* in_options may be KIM_OPTIONS_DEFAULT, in which case we empty the dict */
- if (!err) {
+ if (!err && in_options) {
dictionary = CFDictionaryCreateMutable (kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (!dictionary) { err = check_error (KIM_OUT_OF_MEMORY_ERR); }
+
+ if (!err) {
+ err = kim_os_preferences_options_to_dictionary (in_options, dictionary);
+ }
}
if (!err) {
- err = kim_os_preferences_options_to_dictionary (in_options, dictionary);
- }
-
- if (!err) {
+ /* NULL dictioray will remove any entry for this key */
err = kim_os_preferences_set_value (in_key, dictionary);
}
@@ -937,7 +938,6 @@
for (i = 0; !err && i < count; i++) {
CFDictionaryRef dictionary = NULL;
- kim_options options = KIM_OPTIONS_DEFAULT;
CFStringRef cfstring = NULL;
dictionary = (CFDictionaryRef) CFArrayGetValueAtIndex (value, i);
@@ -955,6 +955,7 @@
if (!err && cfstring) {
kim_string string = NULL;
kim_identity identity = NULL;
+ kim_options options = KIM_OPTIONS_DEFAULT;
err = kim_os_string_create_from_cfstring (&string, cfstring);
Modified: branches/mkey_migrate/src/kim/lib/mac/kim_os_string.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/kim_os_string.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/kim_os_string.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -67,6 +67,8 @@
if (!err && cfstring) {
err = kim_os_string_create_from_cfstring (&string, cfstring);
}
+
+ if (cfstring) { CFRelease (cfstring); }
}
if (!err && !string) {
@@ -99,21 +101,34 @@
if (!err && !in_cfstring) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
- length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (in_cfstring),
- kCFStringEncodingUTF8) + 1;
+ char *ptr = NULL;
- string = (char *) calloc (length, sizeof (char));
- if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); }
+ /* check if in_cfstring is a C string internally so we can
+ * avoid using CFStringGetMaximumSizeForEncoding which is wasteful */
+ ptr = (char *) CFStringGetCStringPtr(in_cfstring,
+ kCFStringEncodingUTF8);
+ if (ptr) {
+ string = strdup (ptr);
+ if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); }
+
+ } else {
+ length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (in_cfstring),
+ kCFStringEncodingUTF8) + 1;
+
+ string = (char *) calloc (length, sizeof (char));
+ if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); }
+
+ if (!err) {
+ if (!CFStringGetCString (in_cfstring,
+ (char *) string,
+ length,
+ kCFStringEncodingUTF8)) {
+ err = KIM_OUT_OF_MEMORY_ERR;
+ }
+ }
+ }
}
- if (!err) {
- if (!CFStringGetCString (in_cfstring,
- (char *) string,
- length,
- kCFStringEncodingUTF8)) {
- err = KIM_OUT_OF_MEMORY_ERR;
- }
- }
if (!err) {
*out_string = string;
Modified: branches/mkey_migrate/src/kim/lib/mac/kim_os_ui_gui.c
===================================================================
--- branches/mkey_migrate/src/kim/lib/mac/kim_os_ui_gui.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/lib/mac/kim_os_ui_gui.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,13 +24,12 @@
* or implied warranty.
*/
-#ifndef LEAN_CLIENT
+#ifdef KIM_BUILTIN_UI
#include "kim_os_private.h"
#include "k5_mig_client.h"
-#include <Kerberos/kipc_client.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <unistd.h>
@@ -561,4 +560,4 @@
return check_error (err);
}
-#endif /* LEAN_CLIENT */
+#endif /* KIM_BUILTIN_UI */
Modified: branches/mkey_migrate/src/kim/test/main.c
===================================================================
--- branches/mkey_migrate/src/kim/test/main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/test/main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -40,6 +40,8 @@
test_kim_identity_create_from_string (state);
+ test_kim_identity_create_from_components (state);
+
test_kim_identity_copy (state);
test_kim_identity_compare (state);
Modified: branches/mkey_migrate/src/kim/test/test_kim_common.c
===================================================================
--- branches/mkey_migrate/src/kim/test/test_kim_common.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/test/test_kim_common.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -100,7 +100,7 @@
va_list args;
kim_string message = NULL;
- kim_error err = kim_string_create_for_last_error (&message, err);
+ kim_error err = kim_string_create_for_last_error (&message, in_err);
printf ("\tFAILURE: ");
printf ("%s() got %d (%s) ",
Modified: branches/mkey_migrate/src/kim/test/test_kim_identity.c
===================================================================
--- branches/mkey_migrate/src/kim/test/test_kim_identity.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/test/test_kim_identity.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -161,6 +161,56 @@
/* ------------------------------------------------------------------------ */
+void test_kim_identity_create_from_components (kim_test_state_t state)
+{
+ kim_count i = 0;
+
+ start_test (state, "kim_identity_create_from_components");
+
+ for (i = 0; test_identities[i].string; i++) {
+ kim_error err = KIM_NO_ERROR;
+ kim_identity identity = NULL;
+ kim_string string = NULL;
+
+ printf (".");
+
+ if (!err) {
+ err = kim_identity_create_from_components (&identity,
+ test_identities[i].realm,
+ test_identities[i].components[0],
+ test_identities[i].components[1],
+ test_identities[i].components[2],
+ test_identities[i].components[3],
+ test_identities[i].components[4],
+ NULL);
+ fail_if_error (state, "kim_identity_create_from_components", err,
+ "while creating the identity for %s",
+ test_identities[i].string);
+ }
+
+ if (!err) {
+ err = kim_identity_get_string (identity, &string);
+ fail_if_error (state, "kim_identity_get_string", err,
+ "while getting the string for %s",
+ test_identities[i].string);
+ }
+
+ if (!err && strcmp (string, test_identities[i].string)) {
+ log_failure (state, "Unexpected string (got '%s', expected '%s')",
+ string, test_identities[i].string);
+ }
+
+ kim_string_free (&string);
+ kim_identity_free (&identity);
+ }
+
+ printf ("\n");
+
+ end_test (state);
+}
+
+/* ------------------------------------------------------------------------ */
+
void test_kim_identity_copy (kim_test_state_t state)
{
kim_count i = 0;
Modified: branches/mkey_migrate/src/kim/test/test_kim_identity.h
===================================================================
--- branches/mkey_migrate/src/kim/test/test_kim_identity.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/test/test_kim_identity.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -33,6 +33,8 @@
void test_kim_identity_create_from_string (kim_test_state_t state);
+void test_kim_identity_create_from_components (kim_test_state_t state);
+
void test_kim_identity_copy (kim_test_state_t state);
void test_kim_identity_compare (kim_test_state_t state);
Modified: branches/mkey_migrate/src/kim/test/test_kim_preferences.c
===================================================================
--- branches/mkey_migrate/src/kim/test/test_kim_preferences.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/kim/test/test_kim_preferences.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -658,6 +658,8 @@
log_failure (state, "Favorite identity %s not found in favorite identities list",
fids[i].identity);
}
+
+ kim_identity_free (&identity);
}
if (!err && i != count) {
@@ -841,6 +843,8 @@
log_failure (state, "Favorite identity %s not found in favorite identities list",
fids[i].identity);
}
+
+ kim_identity_free (&identity);
}
if (!err && i != count) {
@@ -855,7 +859,6 @@
if (!err) {
kim_preferences prefs = NULL;
kim_count count, j;
- kim_string string;
err = kim_preferences_create (&prefs);
fail_if_error (state, "kim_preferences_create", err,
@@ -870,6 +873,7 @@
for (j = 0; j < count; j++) {
kim_identity compare_identity = NULL;
kim_options compare_options = NULL;
+ kim_string string = NULL;
err = kim_preferences_get_favorite_identity_at_index (prefs, 0,
&compare_identity,
@@ -878,7 +882,12 @@
"while getting favorite identity %d", (int) j);
if (!err) {
- kim_identity_get_display_string(compare_identity, &string);
+ err = kim_identity_get_display_string(compare_identity, &string);
+ fail_if_error (state, "kim_identity_get_display_string", err,
+ "while getting the display string for identity %d", (int) j);
+ }
+
+ if (!err) {
err = kim_preferences_remove_favorite_identity(prefs, compare_identity);
fail_if_error (state, "kim_preferences_remove_favorite_identity", err,
"while removing favorite identity %d \"%s\"", (int) j, string);
@@ -897,6 +906,7 @@
display_string);
}
+ kim_string_free (&string);
kim_identity_free (&compare_identity);
kim_options_free (&compare_options);
}
Copied: branches/mkey_migrate/src/kim/test/test_kll.c (from rev 21721, trunk/src/kim/test/test_kll.c)
Copied: branches/mkey_migrate/src/kim/test/test_kll_terminal.c (from rev 21721, trunk/src/kim/test/test_kll_terminal.c)
Copied: branches/mkey_migrate/src/kim/test/test_ui_plugin.c (from rev 21721, trunk/src/kim/test/test_ui_plugin.c)
Modified: branches/mkey_migrate/src/krb5-config.M
===================================================================
--- branches/mkey_migrate/src/krb5-config.M 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/krb5-config.M 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,7 +64,6 @@
.in +.5i
krb5 Kerberos 5 application
gssapi GSSAPI application with Kerberos 5 bindings
-krb4 Kerberos 4 application
kadm-client Kadmin client
kadm-server Kadmin server
kdb Application that accesses the kerberos database
Modified: branches/mkey_migrate/src/krb5-config.in
===================================================================
--- branches/mkey_migrate/src/krb5-config.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/krb5-config.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -32,11 +32,10 @@
includedir=@includedir@
libdir=@libdir@
CC_LINK='@CC_LINK@'
-KRB4_LIB=@KRB4_LIB@
-DES425_LIB=@DES425_LIB@
KDB5_DB_LIB=@KDB5_DB_LIB@
LDFLAGS='@LDFLAGS@'
RPATH_FLAG='@RPATH_FLAG@'
+PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
@@ -86,9 +85,6 @@
gssapi)
library=gssapi
;;
- krb4)
- library=krb4
- ;;
kadm-client)
library=kadm_client
;;
@@ -125,7 +121,6 @@
echo "Libraries:"
echo " krb5 Kerberos 5 application"
echo " gssapi GSSAPI application with Kerberos 5 bindings"
- echo " krb4 Kerberos 4 application"
echo " kadm-client Kadmin client"
echo " kadm-server Kadmin server"
echo " kdb Application that accesses the kerberos database"
@@ -185,6 +180,7 @@
# Ugly gross hack for our build tree
lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
-e 's/\$(PURE)//' \
+ -e 's#\$(PROG_RPATH_FLAGS)#'"$PROG_RPATH_FLAGS"'#' \
-e 's#\$(PROG_RPATH)#'$libdir'#' \
-e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
@@ -217,11 +213,6 @@
library=krb5
fi
- if test $library = 'krb4'; then
- lib_flags="$lib_flags $KRB4_LIB $DES425_LIB"
- library=krb5
- fi
-
if test $library = 'krb5'; then
lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
fi
Modified: branches/mkey_migrate/src/lib/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,15 +1,14 @@
thisconfigdir=./..
myfulldir=lib
mydir=lib
-SUBDIRS=crypto krb5 des425 @KRB4@ gssapi rpc kdb kadm5 apputils
+SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils
BUILDTOP=$(REL)..
all-unix::
-CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libdes425.a \
- libkrb425.a libkadm.a libkrb4.a libcom_err.a libpty.a \
- libss.a libgssapi.a libapputils.a \
- libkrb5.so libcrypto.so libkrb4.so libdes425.so
+CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libkadm.a \
+ libcom_err.a libpty.a ibss.a libgssapi.a libapputils.a libkrb5.so \
+ libcrypto.so
clean-unix::
Modified: branches/mkey_migrate/src/lib/apputils/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/apputils/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/apputils/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,18 +36,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-daemon.so daemon.po $(OUTPRE)daemon.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h daemon.c
-dummy.so dummy.po $(OUTPRE)dummy.$(OBJEXT): dummy.c
Copied: branches/mkey_migrate/src/lib/apputils/deps (from rev 21721, trunk/src/lib/apputils/deps)
Modified: branches/mkey_migrate/src/lib/crypto/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -8,7 +8,7 @@
-I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider \
-I$(srcdir)/aes \
-I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/dk -I$(srcdir)/arcfour \
- -I$(srcdir)/yarrow -I$(srcdir)/sha1
+ -I$(srcdir)/yarrow -I$(srcdir)/sha1 -I$(srcdir)/md5
RUN_SETUP = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
@@ -34,16 +34,20 @@
PROG_RPATH=$(KRB5_LIBDIR)
STLIBOBJS=\
+ aead.o \
block_size.o \
checksum_length.o \
cksumtype_to_string.o \
cksumtypes.o \
coll_proof_cksum.o \
combine_keys.o \
+ crypto_length.o \
crypto_libinit.o \
default_state.o \
decrypt.o \
+ decrypt_iov.o \
encrypt.o \
+ encrypt_iov.o \
encrypt_length.o \
enctype_compare.o \
enctype_to_string.o \
@@ -54,6 +58,7 @@
keyed_checksum_types.o \
keylengths.o \
make_checksum.o \
+ make_checksum_iov.o \
make_random_key.o \
mandatory_sumtype.o \
nfold.o \
@@ -68,19 +73,24 @@
string_to_key.o \
valid_cksumtype.o \
valid_enctype.o \
- verify_checksum.o
+ verify_checksum.o \
+ verify_checksum_iov.o
OBJS=\
+ $(OUTPRE)aead.$(OBJEXT) \
$(OUTPRE)block_size.$(OBJEXT) \
$(OUTPRE)checksum_length.$(OBJEXT) \
$(OUTPRE)cksumtype_to_string.$(OBJEXT) \
$(OUTPRE)cksumtypes.$(OBJEXT) \
$(OUTPRE)coll_proof_cksum.$(OBJEXT) \
$(OUTPRE)combine_keys.$(OBJEXT) \
+ $(OUTPRE)crypto_length.$(OBJEXT) \
$(OUTPRE)crypto_libinit.$(OBJEXT) \
$(OUTPRE)default_state.$(OBJEXT) \
$(OUTPRE)decrypt.$(OBJEXT) \
+ $(OUTPRE)decrypt_iov.$(OBJEXT) \
$(OUTPRE)encrypt.$(OBJEXT) \
+ $(OUTPRE)encrypt_iov.$(OBJEXT) \
$(OUTPRE)encrypt_length.$(OBJEXT) \
$(OUTPRE)enctype_compare.$(OBJEXT) \
$(OUTPRE)enctype_to_string.$(OBJEXT) \
@@ -91,6 +101,7 @@
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)keylengths.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
+ $(OUTPRE)make_checksum_iov.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
$(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
@@ -105,19 +116,24 @@
$(OUTPRE)string_to_key.$(OBJEXT) \
$(OUTPRE)valid_cksumtype.$(OBJEXT) \
$(OUTPRE)valid_enctype.$(OBJEXT) \
- $(OUTPRE)verify_checksum.$(OBJEXT)
+ $(OUTPRE)verify_checksum.$(OBJEXT) \
+ $(OUTPRE)verify_checksum_iov.$(OBJEXT)
SRCS=\
+ $(srcdir)/aead.c \
$(srcdir)/block_size.c \
$(srcdir)/checksum_length.c \
$(srcdir)/cksumtype_to_string.c \
$(srcdir)/cksumtypes.c \
$(srcdir)/coll_proof_cksum.c \
$(srcdir)/combine_keys.c \
+ $(srcdir)/crypto_length.c \
$(srcdir)/crypto_libinit.c \
$(srcdir)/default_state.c \
$(srcdir)/decrypt.c \
+ $(srcdir)/decrypt_iov.c \
$(srcdir)/encrypt.c \
+ $(srcdir)/encrypt_iov.c \
$(srcdir)/encrypt_length.c \
$(srcdir)/enctype_compare.c \
$(srcdir)/enctype_to_string.c \
@@ -128,6 +144,7 @@
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/keylengths.c \
$(srcdir)/make_checksum.c \
+ $(srcdir)/make_checksum_iov.c \
$(srcdir)/make_random_key.c \
$(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
@@ -142,7 +159,8 @@
$(srcdir)/string_to_key.c \
$(srcdir)/valid_cksumtype.c \
$(srcdir)/valid_enctype.c \
- $(srcdir)/verify_checksum.c
+ $(srcdir)/verify_checksum.c \
+ $(srcdir)/verify_checksum_iov.c
LIBBASE=k5crypto
@@ -363,433 +381,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- block_size.c etypes.h
-checksum_length.so checksum_length.po $(OUTPRE)checksum_length.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- checksum_length.c cksumtypes.h
-cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtype_to_string.c cksumtypes.h
-cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/hash_provider/hash_provider.h $(srcdir)/keyhash_provider/keyhash_provider.h \
- cksumtypes.c cksumtypes.h
-coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h coll_proof_cksum.c
-combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/dk/dk.h combine_keys.c etypes.h
-crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- crypto_libinit.c
-default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- default_state.c
-decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h decrypt.c etypes.h
-encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h encrypt.c etypes.h
-encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- encrypt_length.c etypes.h
-enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- enctype_compare.c etypes.h
-enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- enctype_to_string.c etypes.h
-etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/aes/aes_s2k.h \
- $(srcdir)/arcfour/arcfour.h $(srcdir)/dk/dk.h $(srcdir)/enc_provider/enc_provider.h \
- $(srcdir)/hash_provider/hash_provider.h $(srcdir)/old/old.h \
- $(srcdir)/raw/raw.h etypes.c etypes.h
-hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h hmac.c
-keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- keyblocks.c
-keyed_cksum.so keyed_cksum.po $(OUTPRE)keyed_cksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h keyed_cksum.c
-keyed_checksum_types.so keyed_checksum_types.po $(OUTPRE)keyed_checksum_types.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h etypes.h keyed_checksum_types.c
-keylengths.so keylengths.po $(OUTPRE)keylengths.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h keylengths.c
-make_checksum.so make_checksum.po $(OUTPRE)make_checksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/dk/dk.h cksumtypes.h etypes.h make_checksum.c
-make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h make_random_key.c
-mandatory_sumtype.so mandatory_sumtype.po $(OUTPRE)mandatory_sumtype.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h mandatory_sumtype.c
-nfold.so nfold.po $(OUTPRE)nfold.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h nfold.c
-old_api_glue.so old_api_glue.po $(OUTPRE)old_api_glue.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- old_api_glue.c
-pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
- pbkdf2.c
-prf.so prf.po $(OUTPRE)prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h etypes.h prf.c
-prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/enc_provider/enc_provider.h \
- $(srcdir)/sha1/shs.h $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \
- $(srcdir)/yarrow/yhash.h $(srcdir)/yarrow/ytypes.h \
- prng.c
-random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h random_to_key.c
-state.so state.po $(OUTPRE)state.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h etypes.h state.c
-string_to_cksumtype.so string_to_cksumtype.po $(OUTPRE)string_to_cksumtype.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h string_to_cksumtype.c
-string_to_enctype.so string_to_enctype.po $(OUTPRE)string_to_enctype.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h string_to_enctype.c
-string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h string_to_key.c
-valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h valid_cksumtype.c
-valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h valid_enctype.c
-verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cksumtypes.h verify_checksum.c
-t_nfold.so t_nfold.po $(OUTPRE)t_nfold.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h t_nfold.c
-t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- etypes.h t_encrypt.c
-t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h t_prf.c
-t_prng.so t_prng.po $(OUTPRE)t_prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h t_prng.c
-t_hmac.so t_hmac.po $(OUTPRE)t_hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
- t_hmac.c
-t_pkcs5.so t_pkcs5.po $(OUTPRE)t_pkcs5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h t_pkcs5.c
-t_cts.so t_cts.po $(OUTPRE)t_cts.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
- t_cts.c
-vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
- vectors.c
Copied: branches/mkey_migrate/src/lib/crypto/aead.c (from rev 21721, trunk/src/lib/crypto/aead.c)
Copied: branches/mkey_migrate/src/lib/crypto/aead.h (from rev 21721, trunk/src/lib/crypto/aead.h)
Modified: branches/mkey_migrate/src/lib/crypto/aes/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/aes/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/aes/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -70,25 +70,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-aescrypt.so aescrypt.po $(OUTPRE)aescrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h aes.h aescrypt.c aesopt.h \
- uitypes.h
-aestab.so aestab.po $(OUTPRE)aestab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- aes.h aesopt.h aestab.c uitypes.h
-aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- aes.h aeskey.c aesopt.h uitypes.h
-aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../dk/dk.h \
- aes_s2k.c aes_s2k.h
Copied: branches/mkey_migrate/src/lib/crypto/aes/deps (from rev 21721, trunk/src/lib/crypto/aes/deps)
Modified: branches/mkey_migrate/src/lib/crypto/arcfour/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/arcfour/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/arcfour/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,14 +16,17 @@
STLIBOBJS=\
arcfour.o \
+ arcfour_aead.o \
arcfour_s2k.o
OBJS=\
$(OUTPRE)arcfour.$(OBJEXT) \
+ $(OUTPRE)arcfour_aead.$(OBJEXT) \
$(OUTPRE)arcfour_s2k.$(OBJEXT)
SRCS=\
$(srcdir)/arcfour.c \
+ $(srcdir)/arcfour_aead.c\
$(srcdir)/arcfour_s2k.c
##DOS##LIBOBJS = $(OBJS)
@@ -38,29 +41,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h arcfour-int.h arcfour.c \
- arcfour.h
-arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../md4/rsa-md4.h arcfour-int.h arcfour.h \
- arcfour_s2k.c
Modified: branches/mkey_migrate/src/lib/crypto/arcfour/arcfour-int.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/arcfour/arcfour-int.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/arcfour/arcfour-int.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,5 +27,6 @@
krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
+extern const char *const krb5int_arcfour_l40;
#endif /* ARCFOUR_INT_H */
Modified: branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -8,7 +8,7 @@
*/
#include "k5-int.h"
#include "arcfour-int.h"
-static const char *const l40 = "fortybits";
+const char *const krb5int_arcfour_l40 = "fortybits";
void
krb5_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
@@ -139,7 +139,7 @@
/* begin the encryption, computer K1 */
ms_usage=krb5int_arcfour_translate_usage(usage);
if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
- strncpy(salt.data, l40, salt.length);
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, salt.data+10);
} else {
salt.length=4;
@@ -253,7 +253,7 @@
/* compute the salt */
ms_usage=krb5int_arcfour_translate_usage(usage);
if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
- strncpy(salt.data, l40, salt.length);
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
salt.data[10]=ms_usage & 0xff;
salt.data[11]=(ms_usage>>8) & 0xff;
salt.data[12]=(ms_usage>>16) & 0xff;
Modified: branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/arcfour/arcfour.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -33,4 +33,6 @@
krb5_keyblock *);
extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_aead_provider krb5int_aead_arcfour;
+
#endif /* ARCFOUR_H */
Copied: branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_aead.c (from rev 21721, trunk/src/lib/crypto/arcfour/arcfour_aead.c)
Modified: branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_s2k.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_s2k.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/arcfour/arcfour_s2k.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,4 +1,5 @@
#include "k5-int.h"
+#include "k5-utf8.h"
#include "rsa-md4.h"
#include "arcfour-int.h"
@@ -6,58 +7,15 @@
#include <CoreFoundation/CFString.h>
#endif
-static krb5_error_code
-utf8to16(unsigned char *utf16_buf, const char *utf8_str, size_t *len)
-{
- krb5_error_code err = 0;
-
-#if TARGET_OS_MAC && !defined(DEPEND)
- CFStringRef string = NULL;
- CFIndex length = *len;
-
- string = CFStringCreateWithCString (kCFAllocatorDefault,
- utf8_str, kCFStringEncodingUTF8);
- if (!string) { err = ENOMEM; }
-
- if (!err) {
- CFIndex copied = 0;
- CFRange range = CFRangeMake (0, CFStringGetLength (string));
-
- copied = CFStringGetBytes (string, range, kCFStringEncodingUTF16LE,
- 0, false, utf16_buf, length, &length);
- if (copied != range.length) { err = ENOMEM; }
- }
-
- if (!err) {
- *len = length;
- }
-
- if (string) { CFRelease (string); }
-
-#else
- /*
- * This should be re-evaluated in the future, it makes the assumption that
- * the user's password is in ascii, not utf-8. Use iconv?
- */
- size_t counter;
- for (counter=0;counter<*len;counter++) {
- utf16_buf[2*counter]=utf8_str[counter];
- utf16_buf[2*counter + 1]=0x00;
- }
-#endif
-
- return err;
-}
-
krb5_error_code
krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
const krb5_data *string, const krb5_data *salt,
const krb5_data *params, krb5_keyblock *key)
{
krb5_error_code err = 0;
- size_t len;
- unsigned char *copystr;
krb5_MD4_CTX md4_context;
+ unsigned char *copystr;
+ size_t copystrlen;
if (params != NULL)
return KRB5_ERR_BAD_S2K_PARAMS;
@@ -71,22 +29,14 @@
Since the password must be stored in unicode, we need to increase
that number by 2x.
*/
- if (string->length > (SIZE_MAX/2))
- return (KRB5_BAD_MSIZE);
- len= string->length * 2;
+ err = krb5int_utf8cs_to_ucs2les(string->data, string->length, ©str, ©strlen);
+ if (err)
+ return err;
- copystr = malloc(len);
- if (copystr == NULL)
- return ENOMEM;
-
- /* make the string. start by creating the unicode version of the password*/
- err = utf8to16(copystr, string->data, &len);
- if (err) goto cleanup;
-
/* the actual MD4 hash of the data */
krb5_MD4Init(&md4_context);
- krb5_MD4Update(&md4_context, (unsigned char *)copystr, len);
+ krb5_MD4Update(&md4_context, copystr, copystrlen);
krb5_MD4Final(&md4_context);
memcpy(key->contents, md4_context.digest, 16);
@@ -101,9 +51,8 @@
}
#endif /* 0 */
-cleanup:
/* Zero out the data behind us */
- memset (copystr, 0, len);
+ memset(copystr, 0, copystrlen);
memset(&md4_context, 0, sizeof(md4_context));
free(copystr);
return err;
Copied: branches/mkey_migrate/src/lib/crypto/arcfour/deps (from rev 21721, trunk/src/lib/crypto/arcfour/deps)
Modified: branches/mkey_migrate/src/lib/crypto/cksumtype_to_string.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/cksumtype_to_string.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/cksumtype_to_string.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,10 +34,9 @@
for (i=0; i<krb5_cksumtypes_length; i++) {
if (krb5_cksumtypes_list[i].ctype == cksumtype) {
- if ((strlen(krb5_cksumtypes_list[i].out_string)+1) > buflen)
+ if (strlcpy(buffer, krb5_cksumtypes_list[i].out_string,
+ buflen) >= buflen)
return(ENOMEM);
-
- strcpy(buffer, krb5_cksumtypes_list[i].out_string);
return(0);
}
}
Modified: branches/mkey_migrate/src/lib/crypto/cksumtypes.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/cksumtypes.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/cksumtypes.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -92,6 +92,10 @@
"hmac-sha1-96-aes256", "HMAC-SHA1 AES256 key",
0, NULL,
&krb5int_hash_sha1, 12 },
+ { CKSUMTYPE_MD5_HMAC_ARCFOUR, 0,
+ "md5-hmac-rc4", "Microsoft MD5 HMAC (RC4 key)",
+ ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_md5_hmac,
+ NULL }
};
const unsigned int krb5_cksumtypes_length =
Modified: branches/mkey_migrate/src/lib/crypto/crc32/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/crc32/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/crc32/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,17 +39,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-crc32.so crc32.po $(OUTPRE)crc32.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h crc-32.h crc32.c
Copied: branches/mkey_migrate/src/lib/crypto/crc32/deps (from rev 21721, trunk/src/lib/crypto/crc32/deps)
Copied: branches/mkey_migrate/src/lib/crypto/crypto_length.c (from rev 21721, trunk/src/lib/crypto/crypto_length.c)
Modified: branches/mkey_migrate/src/lib/crypto/decrypt.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/decrypt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/decrypt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "etypes.h"
+#include "aead.h"
krb5_error_code KRB5_CALLCONV
krb5_c_decrypt(krb5_context context, const krb5_keyblock *key,
@@ -50,6 +51,16 @@
(krb5_enctypes_list[i].etype != input->enctype))
return(KRB5_BAD_ENCTYPE);
+ if (krb5_enctypes_list[i].decrypt == NULL) {
+ assert(krb5_enctypes_list[i].aead != NULL);
+
+ return krb5int_c_decrypt_aead_compat(krb5_enctypes_list[i].aead,
+ krb5_enctypes_list[i].enc,
+ krb5_enctypes_list[i].hash,
+ key, usage, ivec,
+ &input->ciphertext, output);
+ }
+
return((*(krb5_enctypes_list[i].decrypt))
(krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
key, usage, ivec, &input->ciphertext, output));
Copied: branches/mkey_migrate/src/lib/crypto/decrypt_iov.c (from rev 21721, trunk/src/lib/crypto/decrypt_iov.c)
Copied: branches/mkey_migrate/src/lib/crypto/deps (from rev 21721, trunk/src/lib/crypto/deps)
Modified: branches/mkey_migrate/src/lib/crypto/des/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/des/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/des/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,7 +16,9 @@
STLIBOBJS=\
afsstring2key.o \
d3_cbc.o \
+ d3_aead.o \
d3_kysched.o \
+ f_aead.o \
f_cbc.o \
f_cksum.o \
f_parity.o \
@@ -28,7 +30,9 @@
OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \
$(OUTPRE)d3_cbc.$(OBJEXT) \
+ $(OUTPRE)d3_aead.$(OBJEXT) \
$(OUTPRE)d3_kysched.$(OBJEXT) \
+ $(OUTPRE)f_aead.$(OBJEXT) \
$(OUTPRE)f_cbc.$(OBJEXT) \
$(OUTPRE)f_cksum.$(OBJEXT) \
$(OUTPRE)f_parity.$(OBJEXT) \
@@ -40,7 +44,9 @@
SRCS= $(srcdir)/afsstring2key.c \
$(srcdir)/d3_cbc.c \
+ $(srcdir)/d3_aead.c \
$(srcdir)/d3_kysched.c \
+ $(srcdir)/f_aead.c \
$(srcdir)/f_cbc.c \
$(srcdir)/f_cksum.c \
$(srcdir)/f_parity.c \
@@ -93,119 +99,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h
-d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- d3_cbc.c des_int.h f_tables.h
-d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h
-f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_cbc.c f_tables.h
-f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_cksum.c f_tables.h
-f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c
-f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_sched.c
-f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \
- f_tables.h
-key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c
-weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c
-string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h string2key.c
Copied: branches/mkey_migrate/src/lib/crypto/des/d3_aead.c (from rev 21721, trunk/src/lib/crypto/des/d3_aead.c)
Copied: branches/mkey_migrate/src/lib/crypto/des/deps (from rev 21721, trunk/src/lib/crypto/des/deps)
Modified: branches/mkey_migrate/src/lib/crypto/des/des_int.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/des/des_int.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/des/des_int.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,10 +64,57 @@
#ifndef KRB5_MIT_DES__
#define KRB5_MIT_DES__
-#define KRB5INT_CRYPTO_DES_INT /* skip krb4-specific DES stuff */
-#include "kerberosIV/des.h" /* for des_key_schedule, etc. */
-#undef KRB5INT_CRYPTO_DES_INT /* don't screw other inclusions of des.h */
+#if defined(__MACH__) && defined(__APPLE__)
+#include <TargetConditionals.h>
+#include <AvailabilityMacros.h>
+#if TARGET_RT_MAC_CFM
+#error "Use KfM 4.0 SDK headers for CFM compilation."
+#endif
+#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+#endif
+#endif /* defined(__MACH__) && defined(__APPLE__) */
+/* Macro to add deprecated attribute to DES types and functions */
+/* Currently only defined on Mac OS X 10.5 and later. */
+#ifndef KRB5INT_DES_DEPRECATED
+#define KRB5INT_DES_DEPRECATED
+#endif
+
+#include <limits.h>
+
+#if UINT_MAX >= 0xFFFFFFFFUL
+#define DES_INT32 int
+#define DES_UINT32 unsigned int
+#else
+#define DES_INT32 long
+#define DES_UINT32 unsigned long
+#endif
+
+typedef unsigned char des_cblock[8] /* crypto-block size */
+KRB5INT_DES_DEPRECATED;
+
+/*
+ * Key schedule.
+ *
+ * This used to be
+ *
+ * typedef struct des_ks_struct {
+ * union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
+ *
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes. The reason is that all the encryption functions cast it to
+ * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
+ * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+ * caller-allocated des_key_schedule will be overflowed by the key
+ * scheduling functions. We can't assume that every platform will
+ * have an exact 32-bit int, and nothing should be looking inside a
+ * des_key_schedule anyway.
+ */
+typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
+KRB5INT_DES_DEPRECATED;
+
typedef des_cblock mit_des_cblock;
typedef des_key_schedule mit_des_key_schedule;
@@ -240,7 +287,22 @@
const mit_des_key_schedule ks3,
const mit_des_cblock ivec);
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
+
#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
(in, out, length, ks1, ks2, ks3, ivec), 0)
@@ -262,7 +324,18 @@
((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \
(in, out, length, schedule, ivec), 0)
+void
+krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec);
+void
+krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec);
+
/* d3_procky.c */
extern krb5_error_code mit_des3_process_key
(krb5_encrypt_block * eblock,
Copied: branches/mkey_migrate/src/lib/crypto/des/f_aead.c (from rev 21721, trunk/src/lib/crypto/des/f_aead.c)
Modified: branches/mkey_migrate/src/lib/crypto/dk/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/dk/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/dk/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,6 +16,7 @@
STLIBOBJS=\
checksum.o \
+ dk_aead.o \
dk_decrypt.o \
dk_encrypt.o \
derive.o \
@@ -24,6 +25,7 @@
OBJS=\
$(OUTPRE)checksum.$(OBJEXT) \
+ $(OUTPRE)dk_aead.$(OBJEXT) \
$(OUTPRE)dk_decrypt.$(OBJEXT) \
$(OUTPRE)dk_encrypt.$(OBJEXT) \
$(OUTPRE)derive.$(OBJEXT) \
@@ -32,6 +34,7 @@
SRCS=\
$(srcdir)/checksum.c \
+ $(srcdir)/dk_aead.c \
$(srcdir)/dk_decrypt.c \
$(srcdir)/dk_encrypt.c \
$(srcdir)/dk_prf.c \
@@ -50,66 +53,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../etypes.h checksum.c dk.h
-dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- dk.h dk_decrypt.c
-dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- dk.h dk_encrypt.c
-dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dk.h dk_prf.c
-derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h derive.c dk.h
-stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- dk.h stringtokey.c
Modified: branches/mkey_migrate/src/lib/crypto/dk/checksum.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/dk/checksum.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/dk/checksum.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,6 +27,7 @@
#include "k5-int.h"
#include "etypes.h"
#include "dk.h"
+#include "aead.h"
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
@@ -101,3 +102,73 @@
return(ret);
}
+krb5_error_code
+krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ int i;
+ const struct krb5_enc_provider *enc;
+ size_t blocksize, keybytes, keylength;
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data datain;
+ unsigned char *kcdata;
+ krb5_keyblock kc;
+
+ for (i=0; i<krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == key->enctype)
+ break;
+ }
+
+ if (i == krb5_enctypes_length)
+ return(KRB5_BAD_ENCTYPE);
+
+ enc = krb5_enctypes_list[i].enc;
+
+ /* allocate and set to-be-derived keys */
+
+ blocksize = enc->block_size;
+ keybytes = enc->keybytes;
+ keylength = enc->keylength;
+
+ /* key->length will be tested in enc->encrypt
+ output->length will be tested in krb5_hmac */
+
+ if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
+ return(ENOMEM);
+
+ kc.contents = kcdata;
+ kc.length = keylength;
+
+ /* derive the key */
+
+ datain.data = (char *) constantdata;
+ datain.length = K5CLENGTH;
+
+ datain.data[0] = (usage>>24)&0xff;
+ datain.data[1] = (usage>>16)&0xff;
+ datain.data[2] = (usage>>8)&0xff;
+ datain.data[3] = usage&0xff;
+
+ datain.data[4] = (char) 0x99;
+
+ if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+ goto cleanup;
+
+ /* hash the data */
+
+ if ((ret = krb5int_hmac_iov(hash, &kc, data, num_data, output)) != 0)
+ memset(output->data, 0, output->length);
+
+ /* ret is set correctly by the prior call */
+
+cleanup:
+ memset(kcdata, 0, keylength);
+
+ free(kcdata);
+
+ return(ret);
+}
+
Copied: branches/mkey_migrate/src/lib/crypto/dk/deps (from rev 21721, trunk/src/lib/crypto/dk/deps)
Modified: branches/mkey_migrate/src/lib/crypto/dk/dk.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/dk/dk.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/dk/dk.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -85,6 +85,40 @@
const krb5_data *input, krb5_data *output);
krb5_error_code
+krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
+krb5_error_code
krb5_derive_random(const struct krb5_enc_provider *enc,
const krb5_keyblock *inkey, krb5_data *outrnd,
const krb5_data *in_constant);
+
+/* AEAD */
+
+extern const struct krb5_aead_provider krb5int_aead_dk;
+extern const struct krb5_aead_provider krb5int_aead_aes;
+
+/* CCM */
+
+void
+krb5int_ccm_encrypt_length(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ size_t inputlen, size_t *length);
+
+extern const struct krb5_aead_provider krb5int_aead_ccm;
+
+krb5_error_code krb5int_ccm_encrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *arg_output);
+
+krb5_error_code krb5int_ccm_decrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *arg_output);
Copied: branches/mkey_migrate/src/lib/crypto/dk/dk_aead.c (from rev 21721, trunk/src/lib/crypto/dk/dk_aead.c)
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
myfulldir=lib/crypto/enc_provider
mydir=lib/crypto/enc_provider
BUILDTOP=$(REL)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../arcfour -I$(srcdir)/../aes
+LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../arcfour -I$(srcdir)/../aes -I$(srcdir)/..
DEFS=
##DOS##BUILDTOP = ..\..\..
@@ -14,7 +14,7 @@
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf
-STLIBOBJS= des.o des3.o rc4.o aes.o
+STLIBOBJS= des.o des3.o rc4.o aes.o
OBJS= \
$(OUTPRE)des.$(OBJEXT) \
@@ -40,48 +40,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h des.c enc_provider.h
-des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h des3.c
-aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../aes/aes.h \
- $(srcdir)/../aes/uitypes.h aes.c enc_provider.h
-rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../arcfour/arcfour-int.h \
- $(srcdir)/../arcfour/arcfour.h enc_provider.h rc4.c
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/aes.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/aes.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/aes.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
- * lib/crypto/enc_provider/aes.h
+ * lib/crypto/enc_provider/aes.c
*
- * Copyright (C) 2003, 2007 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2003, 2007, 2008 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Export of this software from the United States of America may
@@ -27,6 +27,7 @@
#include "k5-int.h"
#include "enc_provider.h"
#include "aes.h"
+#include "../aead.h"
#if 0
aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
@@ -198,6 +199,170 @@
}
static krb5_error_code
+krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ size_t input_length, i;
+
+ if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ xorblock(tmp, blockN);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+
+ /* Set up for next block. */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+ }
+
+ /* Do final CTS step for last two blocks (the second of which
+ may or may not be incomplete). */
+
+ /* First, get the last two blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Encrypt second last block */
+ xorblock(tmp, blockN2);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+
+ /* Encrypt last block */
+ xorblock(tmp, blockN1);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN1, tmp2, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec (reverse order) */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno, i;
+ size_t input_length;
+
+ CHECK_SIZES;
+
+ if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ dec(tmp2, blockN, &ctx);
+ xorblock(tmp2, tmp);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+ memcpy(tmp, blockN, BLOCK_SIZE);
+ }
+
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+
+ /* First, get the last two encrypted blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Decrypt second last block */
+ dec(tmp2, blockN2, &ctx);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, blockN1);
+ memcpy(blockN2, tmp2, BLOCK_SIZE);
+
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ input_length %= BLOCK_SIZE;
+ memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE);
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ /* Copy out ivec first before we clobber blockN1 with plaintext */
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ memcpy(blockN1, tmp3, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key)
{
if (key->length != 16 && key->length != 32)
@@ -230,7 +395,9 @@
krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
};
const struct krb5_enc_provider krb5int_enc_aes256 = {
@@ -240,5 +407,8 @@
krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
};
+
Copied: branches/mkey_migrate/src/lib/crypto/enc_provider/deps (from rev 21721, trunk/src/lib/crypto/enc_provider/deps)
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/des.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/des.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/des.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,6 +27,7 @@
#include "k5-int.h"
#include "des_int.h"
#include "enc_provider.h"
+#include "aead.h"
static krb5_error_code
k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
@@ -106,6 +107,67 @@
return(0);
}
+static krb5_error_code
+k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data, int enc)
+{
+ mit_des_key_schedule schedule;
+ size_t input_length = 0;
+ int i;
+
+ /* key->enctype was checked by the caller */
+
+ if (key->length != 8)
+ return(KRB5_BAD_KEYSIZE);
+
+ for (i = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_DATA_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if ((input_length % 8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des_key_sched(key->contents, schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+
+ /* this has a return value, but the code always returns zero */
+ if (enc)
+ krb5int_des_cbc_encrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+ else
+ krb5int_des_cbc_decrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+
+ memset(schedule, 0, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ return k5_des_docrypt_iov(key, ivec, data, num_data, 1);
+}
+
+static krb5_error_code
+k5_des_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ return k5_des_docrypt_iov(key, ivec, data, num_data, 0);
+}
+
const struct krb5_enc_provider krb5int_enc_des = {
8,
7, 8,
@@ -113,5 +175,7 @@
k5_des_decrypt,
k5_des_make_key,
krb5int_des_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ k5_des_encrypt_iov,
+ k5_des_decrypt_iov
};
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/des3.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/des3.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/des3.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "des_int.h"
+#include "../aead.h"
static krb5_error_code
validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
@@ -54,6 +55,37 @@
}
static krb5_error_code
+validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data,
+ mit_des3_key_schedule *schedule)
+{
+ size_t i, input_length;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ *schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
@@ -129,6 +161,52 @@
return(0);
}
+static krb5_error_code
+k5_des3_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_encrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (const unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_decrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (const unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
const struct krb5_enc_provider krb5int_enc_des3 = {
8,
21, 24,
@@ -136,5 +214,8 @@
k5_des3_decrypt,
k5_des3_make_key,
krb5int_des_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov
};
+
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/enc_provider.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/enc_provider.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/enc_provider.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -31,3 +31,6 @@
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_enc_provider krb5int_enc_aes128;
extern const struct krb5_enc_provider krb5int_enc_aes256;
+extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
+extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
+
Modified: branches/mkey_migrate/src/lib/crypto/enc_provider/rc4.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enc_provider/rc4.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enc_provider/rc4.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -9,6 +9,7 @@
#include "k5-int.h"
#include "arcfour-int.h"
#include "enc_provider.h"
+#include "../aead.h"
/* gets the next byte from the PRNG */
#if ((__GNUC__ >= 2) )
static __inline__ unsigned int k5_arcfour_byte(ArcfourContext *);
@@ -156,7 +157,62 @@
return 0;
}
+/* In-place encryption */
static krb5_error_code
+k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ ArcfourContext *arcfour_ctx = NULL;
+ ArcFourCipherState *cipher_state = NULL;
+ krb5_error_code ret;
+ size_t i;
+
+ if (key->length != 16)
+ return KRB5_BAD_KEYSIZE;
+ if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
+ return KRB5_BAD_MSIZE;
+
+ if (state != NULL) {
+ cipher_state = (ArcFourCipherState *)state->data;
+ arcfour_ctx = &cipher_state->ctx;
+ if (cipher_state->initialized == 0) {
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0)
+ return ret;
+
+ cipher_state->initialized = 1;
+ }
+ } else {
+ arcfour_ctx = (ArcfourContext *)malloc(sizeof(ArcfourContext));
+ if (arcfour_ctx == NULL)
+ return ENOMEM;
+
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0) {
+ free(arcfour_ctx);
+ return ret;
+ }
+ }
+
+ for (i = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ k5_arcfour_crypt(arcfour_ctx, (unsigned char *)iov->data.data,
+ (const unsigned char *)iov->data.data, iov->data.length);
+ }
+
+ if (state == NULL) {
+ memset(arcfour_ctx, 0, sizeof(ArcfourContext));
+ free(arcfour_ctx);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
{
if (key->length != 16)
@@ -208,5 +264,8 @@
k5_arcfour_docrypt,
k5_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented yet*/
- krb5int_default_free_state
+ krb5int_default_free_state,
+ k5_arcfour_docrypt_iov,
+ k5_arcfour_docrypt_iov
};
+
Modified: branches/mkey_migrate/src/lib/crypto/encrypt.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/encrypt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/encrypt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "etypes.h"
+#include "aead.h"
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
@@ -46,6 +47,16 @@
output->kvno = 0;
output->enctype = key->enctype;
+ if (krb5_enctypes_list[i].encrypt == NULL) {
+ assert(krb5_enctypes_list[i].aead != NULL);
+
+ return krb5int_c_encrypt_aead_compat(krb5_enctypes_list[i].aead,
+ krb5_enctypes_list[i].enc,
+ krb5_enctypes_list[i].hash,
+ key, usage, ivec,
+ input, &output->ciphertext);
+ }
+
return((*(krb5_enctypes_list[i].encrypt))
(krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
key, usage, ivec, input, &output->ciphertext));
Copied: branches/mkey_migrate/src/lib/crypto/encrypt_iov.c (from rev 21721, trunk/src/lib/crypto/encrypt_iov.c)
Modified: branches/mkey_migrate/src/lib/crypto/encrypt_length.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/encrypt_length.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/encrypt_length.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "etypes.h"
+#include "aead.h"
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
@@ -41,9 +42,18 @@
if (i == krb5_enctypes_length)
return(KRB5_BAD_ENCTYPE);
- (*(krb5_enctypes_list[i].encrypt_len))
- (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
- inputlen, length);
+ if (krb5_enctypes_list[i].encrypt_len == NULL) {
+ assert(krb5_enctypes_list[i].aead != NULL);
+ krb5int_c_encrypt_length_aead_compat(krb5_enctypes_list[i].aead,
+ krb5_enctypes_list[i].enc,
+ krb5_enctypes_list[i].hash,
+ inputlen, length);
+ } else {
+ (*(krb5_enctypes_list[i].encrypt_len))
+ (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
+ inputlen, length);
+ }
+
return(0);
}
Modified: branches/mkey_migrate/src/lib/crypto/enctype_to_string.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/enctype_to_string.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/enctype_to_string.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,10 +34,9 @@
for (i=0; i<krb5_enctypes_length; i++) {
if (krb5_enctypes_list[i].etype == enctype) {
- if ((strlen(krb5_enctypes_list[i].out_string)+1) > buflen)
+ if (strlcpy(buffer, krb5_enctypes_list[i].out_string,
+ buflen) >= buflen)
return(ENOMEM);
-
- strcpy(buffer, krb5_enctypes_list[i].out_string);
return(0);
}
}
Modified: branches/mkey_migrate/src/lib/crypto/etypes.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/etypes.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/etypes.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -48,7 +48,8 @@
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
@@ -56,7 +57,8 @@
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD4 },
+ CKSUMTYPE_RSA_MD4,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
@@ -64,7 +66,8 @@
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
-CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
@@ -72,7 +75,8 @@
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
@@ -81,7 +85,8 @@
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ &krb5int_aead_raw },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
@@ -89,7 +94,8 @@
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ &krb5int_aead_raw },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
@@ -98,7 +104,8 @@
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
@@ -106,7 +113,8 @@
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
@@ -114,7 +122,8 @@
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
@@ -123,7 +132,8 @@
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ NULL },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
@@ -131,7 +141,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
@@ -139,7 +150,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
@@ -147,7 +159,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
@@ -156,7 +169,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
@@ -165,7 +179,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
@@ -174,7 +189,8 @@
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
@@ -183,7 +199,8 @@
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128 },
+ CKSUMTYPE_HMAC_SHA1_96_AES128,
+ &krb5int_aead_aes },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
"aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
@@ -191,7 +208,8 @@
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128 },
+ CKSUMTYPE_HMAC_SHA1_96_AES128,
+ &krb5int_aead_aes },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
@@ -199,7 +217,8 @@
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256 },
+ CKSUMTYPE_HMAC_SHA1_96_AES256,
+ &krb5int_aead_aes },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
"aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
@@ -207,7 +226,8 @@
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256 },
+ CKSUMTYPE_HMAC_SHA1_96_AES256,
+ &krb5int_aead_aes },
};
const int krb5_enctypes_length =
Modified: branches/mkey_migrate/src/lib/crypto/hash_provider/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/hash_provider/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/hash_provider/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -35,48 +35,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../crc32/crc-32.h hash_crc32.c hash_provider.h
-hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../md4/rsa-md4.h hash_md4.c hash_provider.h
-hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../md5/rsa-md5.h hash_md5.c hash_provider.h
-hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../sha1/shs.h hash_provider.h hash_sha1.c
Copied: branches/mkey_migrate/src/lib/crypto/hash_provider/deps (from rev 21721, trunk/src/lib/crypto/hash_provider/deps)
Modified: branches/mkey_migrate/src/lib/crypto/hmac.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/hmac.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/hmac.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,6 +25,7 @@
*/
#include "k5-int.h"
+#include "aead.h"
/*
* the HMAC transform looks like:
@@ -125,3 +126,41 @@
return(ret);
}
+
+krb5_error_code
+krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ krb5_data *sign_data;
+ size_t num_sign_data;
+ krb5_error_code ret;
+ size_t i, j;
+
+ /* Create a checksum over all the data to be signed */
+ for (i = 0, num_sign_data = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ num_sign_data++;
+ }
+
+ /* XXX cleanup to avoid alloc */
+ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+ if (sign_data == NULL)
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ sign_data[j++] = iov->data;
+ }
+
+ /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */
+ ret = krb5_hmac(hash, key, num_sign_data, sign_data, output);
+
+ free(sign_data);
+
+ return ret;
+}
+
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,11 +16,11 @@
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf
-STLIBOBJS= descbc.o k5_md4des.o k5_md5des.o hmac_md5.o
+STLIBOBJS= descbc.o k5_md4des.o k5_md5des.o hmac_md5.o md5_hmac.o
-OBJS= $(OUTPRE)descbc.$(OBJEXT) $(OUTPRE)k5_md4des.$(OBJEXT) $(OUTPRE)k5_md5des.$(OBJEXT) $(OUTPRE)hmac_md5.$(OBJEXT)
+OBJS= $(OUTPRE)descbc.$(OBJEXT) $(OUTPRE)k5_md4des.$(OBJEXT) $(OUTPRE)k5_md5des.$(OBJEXT) $(OUTPRE)hmac_md5.$(OBJEXT) $(OUTPRE)md5_hmac.$(OBJEXT)
-SRCS= $(srcdir)/descbc.c $(srcdir)/k5_md4des.c $(srcdir)/k5_md5des.c $(srcdir)/hmac_md5.c
+SRCS= $(srcdir)/descbc.c $(srcdir)/k5_md4des.c $(srcdir)/k5_md5des.c $(srcdir)/hmac_md5.c $(srcdir)/md5_hmac.c
##DOS##LIBOBJS = $(OBJS)
@@ -54,52 +54,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h descbc.c keyhash_provider.h
-k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
- $(srcdir)/../md4/rsa-md4.h k5_md4des.c keyhash_provider.h
-k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
- $(srcdir)/../md5/rsa-md5.h k5_md5des.c keyhash_provider.h
-hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \
- $(srcdir)/../hash_provider/hash_provider.h $(srcdir)/../md5/rsa-md5.h \
- hmac_md5.c keyhash_provider.h
Copied: branches/mkey_migrate/src/lib/crypto/keyhash_provider/deps (from rev 21721, trunk/src/lib/crypto/keyhash_provider/deps)
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/descbc.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/descbc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/descbc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,5 +66,7 @@
const struct krb5_keyhash_provider krb5int_keyhash_descbc = {
8,
k5_descbc_hash,
+ NULL,
+ NULL,
NULL
};
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/hmac_md5.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/hmac_md5.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/hmac_md5.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,9 +1,7 @@
/*
* lib/crypto/keyhash_provider/hmac_md5.c
*
-(I don't know)
-.
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -26,8 +24,8 @@
* or implied warranty.
*
*
-* Implementation of the Microsoft hmac-md5 checksum type.
-* Implemented based on draft-brezak-win2k-krb-rc4-hmac-03
+ * Implementation of the Microsoft hmac-md5 checksum type.
+ * Implemented based on draft-brezak-win2k-krb-rc4-hmac-03
*/
#include "k5-int.h"
@@ -35,6 +33,7 @@
#include "arcfour-int.h"
#include "rsa-md5.h"
#include "hash_provider.h"
+#include "../aead.h"
static krb5_error_code
k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage,
@@ -86,11 +85,67 @@
return ret;
}
-
+static krb5_error_code
+k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *iv,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ krb5_keyusage ms_usage;
+ krb5_error_code ret;
+ krb5_keyblock ks;
+ krb5_data ds, ks_constant, md5tmp;
+ krb5_MD5_CTX ctx;
+ char t[4];
+ size_t i;
+ ds.length = key->length;
+ ks.length = key->length;
+ ds.data = malloc(ds.length);
+ if (ds.data == NULL)
+ return ENOMEM;
+ ks.contents = (void *) ds.data;
+
+ ks_constant.data = "signaturekey";
+ ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
+
+ ret = krb5_hmac( &krb5int_hash_md5, key, 1,
+ &ks_constant, &ds);
+ if (ret)
+ goto cleanup;
+
+ krb5_MD5Init (&ctx);
+ ms_usage = krb5int_arcfour_translate_usage (usage);
+ t[0] = (ms_usage) & 0xff;
+ t[1] = (ms_usage>>8) & 0xff;
+ t[2] = (ms_usage >>16) & 0xff;
+ t[3] = (ms_usage>>24) & 0XFF;
+ krb5_MD5Update (&ctx, (unsigned char * ) &t, 4);
+ for (i = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ krb5_MD5Update (&ctx, (unsigned char *)iov->data.data,
+ (unsigned int)iov->data.length);
+ }
+ krb5_MD5Final(&ctx);
+ md5tmp.data = (void *) ctx.digest;
+ md5tmp.length = 16;
+ ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+ output);
+
+ cleanup:
+ memset(&ctx, 0, sizeof(ctx));
+ memset (ks.contents, 0, ks.length);
+ free (ks.contents);
+ return ret;
+}
+
const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = {
16,
k5_hmac_md5_hash,
- NULL /*checksum again*/
+ NULL, /*checksum again*/
+ k5_hmac_md5_hash_iov,
+ NULL /*checksum again */
};
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md4des.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md4des.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md4des.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -188,5 +188,7 @@
const struct krb5_keyhash_provider krb5int_keyhash_md4des = {
CONFLENGTH+RSA_MD4_CKSUM_LENGTH,
k5_md4des_hash,
- k5_md4des_verify
+ k5_md4des_verify,
+ NULL,
+ NULL
};
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md5des.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md5des.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/k5_md5des.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -185,5 +185,7 @@
const struct krb5_keyhash_provider krb5int_keyhash_md5des = {
CONFLENGTH+RSA_MD5_CKSUM_LENGTH,
k5_md5des_hash,
- k5_md5des_verify
+ k5_md5des_verify,
+ NULL,
+ NULL
};
Modified: branches/mkey_migrate/src/lib/crypto/keyhash_provider/keyhash_provider.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/keyhash_provider/keyhash_provider.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/keyhash_provider/keyhash_provider.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,3 +30,6 @@
extern const struct krb5_keyhash_provider krb5int_keyhash_md4des;
extern const struct krb5_keyhash_provider krb5int_keyhash_md5des;
extern const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5;
+extern const struct krb5_keyhash_provider krb5int_keyhash_md5_hmac;
+extern const struct krb5_keyhash_provider krb5int_keyhash_aescbc_128;
+extern const struct krb5_keyhash_provider krb5int_keyhash_aescbc_256;
Copied: branches/mkey_migrate/src/lib/crypto/keyhash_provider/md5_hmac.c (from rev 21721, trunk/src/lib/crypto/keyhash_provider/md5_hmac.c)
Modified: branches/mkey_migrate/src/lib/crypto/libk5crypto.exports
===================================================================
--- branches/mkey_migrate/src/lib/crypto/libk5crypto.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/libk5crypto.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,8 +14,12 @@
krb5_arcfour_encrypt_length
krb5_c_block_size
krb5_c_checksum_length
+krb5_c_crypto_length
+krb5_c_crypto_length_iov
krb5_c_decrypt
+krb5_c_decrypt_iov
krb5_c_encrypt
+krb5_c_encrypt_iov
krb5_c_encrypt_length
krb5_c_enctype_compare
krb5_c_free_state
@@ -25,7 +29,9 @@
krb5_c_keyed_checksum_types
krb5_c_keylengths
krb5_c_make_checksum
+krb5_c_make_checksum_iov
krb5_c_make_random_key
+krb5_c_padding_length
krb5_c_prf
krb5_c_prf_length
krb5_c_random_add_entropy
@@ -38,6 +44,7 @@
krb5_c_valid_cksumtype
krb5_c_valid_enctype
krb5_c_verify_checksum
+krb5_c_verify_checksum_iov
krb5_calculate_checksum
krb5_checksum_size
krb5_cksumtype_to_string
Modified: branches/mkey_migrate/src/lib/crypto/make_checksum.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/make_checksum.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/make_checksum.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -63,7 +63,10 @@
if (krb5_cksumtypes_list[i].keyhash) {
/* check if key is compatible */
+ const struct krb5_keyhash_provider *keyhash;
+ keyhash = krb5_cksumtypes_list[i].keyhash;
+
if (krb5_cksumtypes_list[i].keyed_etype) {
for (e1=0; e1<krb5_enctypes_length; e1++)
if (krb5_enctypes_list[e1].etype ==
@@ -82,7 +85,18 @@
}
}
- ret = (*(krb5_cksumtypes_list[i].keyhash->hash))(key, usage, 0, input, &data);
+ if (keyhash->hash == NULL) {
+ krb5_crypto_iov iov[1];
+
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[0].data = *input;
+
+ assert(keyhash->hash_iov != NULL);
+
+ ret = (*keyhash->hash_iov)(key, usage, 0, iov, 1, &data);
+ } else {
+ ret = (*keyhash->hash)(key, usage, 0, input, &data);
+ }
} else if (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE) {
ret = krb5_dk_make_checksum(krb5_cksumtypes_list[i].hash,
key, usage, input, &data);
Copied: branches/mkey_migrate/src/lib/crypto/make_checksum_iov.c (from rev 21721, trunk/src/lib/crypto/make_checksum_iov.c)
Modified: branches/mkey_migrate/src/lib/crypto/md4/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/md4/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/md4/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -56,17 +56,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h md4.c rsa-md4.h
Copied: branches/mkey_migrate/src/lib/crypto/md4/deps (from rev 21721, trunk/src/lib/crypto/md4/deps)
Modified: branches/mkey_migrate/src/lib/crypto/md5/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/md5/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/md5/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -46,17 +46,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-md5.so md5.po $(OUTPRE)md5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h md5.c rsa-md5.h
Copied: branches/mkey_migrate/src/lib/crypto/md5/deps (from rev 21721, trunk/src/lib/crypto/md5/deps)
Modified: branches/mkey_migrate/src/lib/crypto/old/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/old/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/old/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -33,39 +33,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
- des_stringtokey.c old.h
-old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- old.h old_decrypt.c
-old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- old.h old_encrypt.c
Copied: branches/mkey_migrate/src/lib/crypto/old/deps (from rev 21721, trunk/src/lib/crypto/old/deps)
Modified: branches/mkey_migrate/src/lib/crypto/raw/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/raw/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/raw/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,6 +2,7 @@
myfulldir=lib/crypto/raw
mydir=lib/crypto/raw
BUILDTOP=$(REL)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/..
DEFS=
##DOS##BUILDTOP = ..\..\..
@@ -13,11 +14,11 @@
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf
-STLIBOBJS= raw_decrypt.o raw_encrypt.o
+STLIBOBJS= raw_decrypt.o raw_encrypt.o raw_aead.o
-OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT)
+OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT) $(OUTPRE)raw_aead.$(OBJEXT)
-SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c
+SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c $(srcdir)/raw_aead.c
##DOS##LIBOBJS = $(OBJS)
@@ -31,28 +32,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- raw.h raw_decrypt.c
-raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- raw.h raw_encrypt.c
Copied: branches/mkey_migrate/src/lib/crypto/raw/deps (from rev 21721, trunk/src/lib/crypto/raw/deps)
Modified: branches/mkey_migrate/src/lib/crypto/raw/raw.h
===================================================================
--- branches/mkey_migrate/src/lib/crypto/raw/raw.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/raw/raw.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,3 +44,6 @@
const krb5_keyblock *key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
+
+extern const struct krb5_aead_provider krb5int_aead_raw;
+
Copied: branches/mkey_migrate/src/lib/crypto/raw/raw_aead.c (from rev 21721, trunk/src/lib/crypto/raw/raw_aead.c)
Modified: branches/mkey_migrate/src/lib/crypto/sha1/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/sha1/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/sha1/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,17 +51,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-shs.so shs.po $(OUTPRE)shs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h shs.c shs.h
Copied: branches/mkey_migrate/src/lib/crypto/sha1/deps (from rev 21721, trunk/src/lib/crypto/sha1/deps)
Modified: branches/mkey_migrate/src/lib/crypto/string_to_key.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/string_to_key.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/string_to_key.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -93,6 +93,8 @@
if (ret) {
memset(key->contents, 0, keylength);
free(key->contents);
+ key->length = 0;
+ key->contents = NULL;
}
return(ret);
Modified: branches/mkey_migrate/src/lib/crypto/t_encrypt.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/t_encrypt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/t_encrypt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
-main * lib/crypto/t_encrypt.c
+ * lib/crypto/t_encrypt.c
*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -76,12 +76,15 @@
{
krb5_context context = 0;
krb5_data in, in2, out, out2, check, check2, state;
+ krb5_crypto_iov iov[5];
int i;
size_t len;
krb5_enc_data enc_out, enc_out2;
krb5_error_code retval;
krb5_keyblock *key;
+ memset(iov, 0, sizeof(iov));
+
in.data = "This is a test.\n";
in.length = strlen (in.data);
in2.data = "This is another test.\n";
@@ -118,6 +121,46 @@
test ("Decrypting",
krb5_c_decrypt (context, key, 7, 0, &enc_out, &check));
test ("Comparing", compare_results (&in, &check));
+ if ( krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &len) == 0 ){
+ /* We support iov/aead*/
+ int j, pos;
+ krb5_data signdata;
+ signdata.data = (char *) "This should be signed";
+ signdata.length = strlen(signdata.data);
+ iov[0].flags= KRB5_CRYPTO_TYPE_STREAM;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[0].data = enc_out.ciphertext;
+ iov[1].data = out;
+ test("IOV stream decrypting",
+ krb5_c_decrypt_iov( context, key, 7, 0, iov, 2));
+ test("Comparing results",
+ compare_results(&in, &iov[1].data));
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data = in; /*We'll need to copy memory before encrypt*/
+ iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ iov[2].data = signdata;
+ iov[3].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[4].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ test("Setting up iov lengths",
+ krb5_c_crypto_length_iov(context, key->enctype, iov, 5));
+ for (j=0,pos=0; j <= 4; j++ ){
+ if (iov[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ iov[j].data.data = &out.data[pos];
+ pos += iov[j].data.length;
+ }
+ assert (iov[1].data.length == in.length);
+ memcpy(iov[1].data.data, in.data, in.length);
+ test("iov encrypting",
+ krb5_c_encrypt_iov(context, key, 7, 0, iov, 5));
+ assert(iov[1].data.length == in.length);
+ test("iov decrypting",
+ krb5_c_decrypt_iov(context, key, 7, 0, iov, 5));
+ test("Comparing results",
+ compare_results(&in, &iov[1].data));
+
+ }
enc_out.ciphertext.length = out.length;
check.length = 2048;
test ("init_state",
Modified: branches/mkey_migrate/src/lib/crypto/t_hmac.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/t_hmac.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/t_hmac.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -135,6 +135,7 @@
krb5_error_code err;
int i, j;
int lose = 0;
+ struct k5buf buf;
/* RFC 2202 test vector. */
static const struct hmac_test md5tests[] = {
@@ -240,11 +241,12 @@
exit(1);
}
- if (sizeof(stroutbuf) - 3 < 2 * out.length)
+ krb5int_buf_init_fixed(&buf, stroutbuf, sizeof(stroutbuf));
+ krb5int_buf_add(&buf, "0x");
+ for (j = 0; j < out.length; j++)
+ krb5int_buf_add_fmt(&buf, "%02x", 0xff & outbuf[j]);
+ if (krb5int_buf_data(&buf) == NULL)
abort();
- strcpy(stroutbuf, "0x");
- for (j = 0; j < out.length; j++)
- sprintf(stroutbuf + strlen(stroutbuf), "%02x", 0xff & outbuf[j]);
if (strcmp(stroutbuf, md5tests[i].hexdigest)) {
printf("*** CHECK FAILED!\n"
"\tReturned: %s.\n"
Modified: branches/mkey_migrate/src/lib/crypto/vectors.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/vectors.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/vectors.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -129,10 +129,10 @@
sd.data = (char *) s;
assert (strlen (s) + 4 < sizeof (buf));
- sprintf (buf, "\"%s\"", s);
+ snprintf (buf, sizeof (buf), "\"%s\"", s);
printf ( "salt: %-25s", buf);
printhex (strlen(s), s);
- sprintf (buf, "\"%s\"", p);
+ snprintf (buf, sizeof (buf), "\"%s\"", p);
printf ("\npassword: %-25s", buf);
printhex (strlen(p), p);
printf ("\n");
@@ -174,10 +174,10 @@
key.contents = key_contents;
assert (strlen (s) + 4 < sizeof (buf));
- sprintf (buf, "\"%s\"", s);
+ snprintf (buf, sizeof(buf), "\"%s\"", s);
printf ( "salt:\t%s\n\t", buf);
printhex (strlen(s), s);
- sprintf (buf, "\"%s\"", p);
+ snprintf (buf, sizeof(buf), "\"%s\"", p);
printf ("\npasswd:\t%s\n\t", buf);
printhex (strlen(p), p);
printf ("\n");
Modified: branches/mkey_migrate/src/lib/crypto/verify_checksum.c
===================================================================
--- branches/mkey_migrate/src/lib/crypto/verify_checksum.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/verify_checksum.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,11 +51,23 @@
indata.length = cksum->length;
indata.data = (char *) cksum->contents;
- if (krb5_cksumtypes_list[i].keyhash &&
- krb5_cksumtypes_list[i].keyhash->verify)
- return((*(krb5_cksumtypes_list[i].keyhash->verify))(key, usage, 0, data,
- &indata, valid));
+ if (krb5_cksumtypes_list[i].keyhash) {
+ const struct krb5_keyhash_provider *keyhash;
+ keyhash = krb5_cksumtypes_list[i].keyhash;
+
+ if (keyhash->verify == NULL && keyhash->verify_iov != NULL) {
+ krb5_crypto_iov iov[1];
+
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[0].data = *data;
+
+ return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid);
+ } else if (keyhash->verify != NULL) {
+ return (*keyhash->verify)(key, usage, 0, data, &indata, valid);
+ }
+ }
+
/* otherwise, make the checksum again, and compare */
if ((ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize)))
Copied: branches/mkey_migrate/src/lib/crypto/verify_checksum_iov.c (from rev 21721, trunk/src/lib/crypto/verify_checksum_iov.c)
Modified: branches/mkey_migrate/src/lib/crypto/yarrow/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/crypto/yarrow/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/crypto/yarrow/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -37,30 +37,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-yarrow.so yarrow.po $(OUTPRE)yarrow.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../sha1/shs.h \
- yarrow.c yarrow.h ycipher.h yexcep.h yhash.h ylock.h \
- ystate.h ytypes.h
-ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../enc_provider/enc_provider.h \
- $(srcdir)/../sha1/shs.h yarrow.h ycipher.c ycipher.h \
- yhash.h ytypes.h
Copied: branches/mkey_migrate/src/lib/crypto/yarrow/deps (from rev 21721, trunk/src/lib/crypto/yarrow/deps)
Copied: branches/mkey_migrate/src/lib/deps (from rev 21721, trunk/src/lib/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,8 +2,8 @@
myfulldir=lib/gssapi
mydir=lib/gssapi
BUILDTOP=$(REL)..$(S)..
-SUBDIRS= generic mechglue krb5 spnego
-DEFS=
+SUBDIRS= generic krb5 spnego mechglue
+DEFS=-D_GSS_STATIC_LINK=1
##DOSLIBNAME=$(OUTPRE)gssapi.lib
##DOSOBJFILELIST=@$(OUTPRE)mechglue.lst @$(OUTPRE)spnego.lst @$(OUTPRE)generic.lst @$(OUTPRE)krb5.lst @$(OUTPRE)gssapi.lst
@@ -15,20 +15,16 @@
##DOS##DLL_EXP_TYPE=GSS
LOCALINCLUDES = -Igeneric -I$(srcdir)/generic -Ikrb5 -I$(srcdir)/krb5 -I$(srcdir)/mechglue
-STLIBOBJS=\
- gss_libinit.o
+STLIBOBJS=
-OBJS=\
- $(OUTPRE)gss_libinit.$(OBJEXT)
+OBJS=
+SRCS=
-SRCS=\
- $(srcdir)/gss_libinit.c
-
LIBBASE=gssapi_krb5
LIBMAJOR=2
LIBMINOR=2
-LIBINITFUNC=gssint_lib_init
-LIBFINIFUNC=gssint_lib_fini
+#LIBINITFUNC=gssint_lib_init
+#LIBFINIFUNC=gssint_lib_fini
STOBJLISTS=OBJS.ST generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST
SUBDIROBJLISTS=generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST
SHLIB_EXPDEPS=\
@@ -139,23 +135,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-gss_libinit.so gss_libinit.po $(OUTPRE)gss_libinit.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/generic/gssapiP_generic.h $(srcdir)/generic/gssapi_generic.h \
- $(srcdir)/krb5/gssapiP_krb5.h $(srcdir)/mechglue/mechglue.h \
- $(srcdir)/mechglue/mglueP.h generic/gssapi_err_generic.h \
- gss_libinit.c gss_libinit.h krb5/gssapi_err_krb5.h \
- krb5/gssapi_krb5.h
Copied: branches/mkey_migrate/src/lib/gssapi/deps (from rev 21721, trunk/src/lib/gssapi/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -18,7 +18,8 @@
EHDRDIR= $(BUILDTOP)$(S)include$(S)gssapi
HDRS= $(EHDRDIR)$(S)gssapi.h \
- $(EHDRDIR)$(S)gssapi_generic.h
+ $(EHDRDIR)$(S)gssapi_generic.h \
+ $(EHDRDIR)$(S)gssapi_ext.h
MK_EHDRDIR=if test -d $(EHDRDIR); then :; else (set -x; mkdir $(EHDRDIR)); fi
##DOS##MK_EHDRDIR=rem
@@ -29,6 +30,8 @@
$(CP) gssapi.h $@
$(EHDRDIR)$(S)gssapi_generic.h: $(EHDRDIR)$(S)timestamp $(srcdir)$(S)gssapi_generic.h
$(CP) $(srcdir)$(S)gssapi_generic.h $@
+$(EHDRDIR)$(S)gssapi_ext.h: $(EHDRDIR)$(S)timestamp $(srcdir)$(S)gssapi_ext.h
+ $(CP) $(srcdir)$(S)gssapi_ext.h $@
$(EHDRDIR)$(S)timestamp:
$(MK_EHDRDIR)
@@ -67,9 +70,11 @@
$(srcdir)/disp_com_err_status.c \
$(srcdir)/disp_major_status.c \
$(srcdir)/gssapi_generic.c \
+ $(srcdir)/oid_ops.c \
$(srcdir)/rel_buffer.c \
$(srcdir)/rel_oid_set.c \
$(srcdir)/util_buffer.c \
+ $(srcdir)/util_buffer_set.c \
$(srcdir)/util_errmap.c \
$(srcdir)/util_ordering.c \
$(srcdir)/util_set.c \
@@ -81,9 +86,11 @@
$(OUTPRE)disp_com_err_status.$(OBJEXT) \
$(OUTPRE)disp_major_status.$(OBJEXT) \
$(OUTPRE)gssapi_generic.$(OBJEXT) \
+ $(OUTPRE)oid_ops.$(OBJEXT) \
$(OUTPRE)rel_buffer.$(OBJEXT) \
$(OUTPRE)rel_oid_set.$(OBJEXT) \
$(OUTPRE)util_buffer.$(OBJEXT) \
+ $(OUTPRE)util_buffer_set.$(OBJEXT) \
$(OUTPRE)util_errmap.$(OBJEXT) \
$(OUTPRE)util_ordering.$(OBJEXT) \
$(OUTPRE)util_set.$(OBJEXT) \
@@ -95,9 +102,11 @@
disp_com_err_status.o \
disp_major_status.o \
gssapi_generic.o \
+ oid_ops.o \
rel_buffer.o \
rel_oid_set.o \
util_buffer.o \
+ util_buffer_set.o \
util_errmap.o \
util_ordering.o \
util_set.o \
@@ -105,7 +114,7 @@
util_validate.o \
gssapi_err_generic.o
-EXPORTED_HEADERS= gssapi_generic.h
+EXPORTED_HEADERS= gssapi_generic.h gssapi_ext.h
EXPORTED_BUILT_HEADERS= gssapi.h
$(OBJS): $(EXPORTED_HEADERS) $(ETHDRS)
@@ -162,68 +171,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-disp_com_err_status.so disp_com_err_status.po $(OUTPRE)disp_com_err_status.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(srcdir)/../gss_libinit.h \
- disp_com_err_status.c gssapiP_generic.h gssapi_err_generic.h \
- gssapi_generic.h
-disp_major_status.so disp_major_status.po $(OUTPRE)disp_major_status.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- disp_major_status.c gssapiP_generic.h gssapi_err_generic.h \
- gssapi_generic.h
-gssapi_generic.so gssapi_generic.po $(OUTPRE)gssapi_generic.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.c \
- gssapi_generic.h
-rel_buffer.so rel_buffer.po $(OUTPRE)rel_buffer.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- rel_buffer.c
-rel_oid_set.so rel_oid_set.po $(OUTPRE)rel_oid_set.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- rel_oid_set.c
-util_buffer.so util_buffer.po $(OUTPRE)util_buffer.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_buffer.c
-util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_errmap.c
-util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_ordering.c
-util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_set.c
-util_token.so util_token.po $(OUTPRE)util_token.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_token.c
-util_validate.so util_validate.po $(OUTPRE)util_validate.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(srcdir)/../gss_libinit.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- util_validate.c
-gssapi_err_generic.so gssapi_err_generic.po $(OUTPRE)gssapi_err_generic.$(OBJEXT): \
- $(COM_ERR_DEPS) gssapi_err_generic.c
Copied: branches/mkey_migrate/src/lib/gssapi/generic/deps (from rev 21721, trunk/src/lib/gssapi/generic/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/disp_com_err_status.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/disp_com_err_status.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -25,7 +26,6 @@
*/
#include "gssapiP_generic.h"
-#include "gss_libinit.h"
#include "com_err.h"
/* XXXX internationalization!! */
@@ -37,30 +37,28 @@
/**/
/* if status_type == GSS_C_GSS_CODE, return up to three error messages,
- for routine errors, call error, and status, in that order.
- message_context == 0 : print the routine error
- message_context == 1 : print the calling error
- message_context > 2 : print supplementary info bit (message_context-2)
+ for routine errors, call error, and status, in that order.
+ message_context == 0 : print the routine error
+ message_context == 1 : print the calling error
+ message_context > 2 : print supplementary info bit (message_context-2)
if status_type == GSS_C_MECH_CODE, return the output from error_message()
- */
+*/
OM_uint32
g_display_com_err_status(minor_status, status_value, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ gss_buffer_t status_string;
{
- status_string->length = 0;
- status_string->value = NULL;
+ status_string->length = 0;
+ status_string->value = NULL;
- (void) gssint_initialize_library();
-
- if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ if (! g_make_string_buffer(((status_value == 0)?no_error:
+ error_message(status_value)),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/disp_major_status.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/disp_major_status.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/disp_major_status.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -38,57 +39,57 @@
/**/
static const char * const calling_error_string[] = {
- NULL,
- "A required input parameter could not be read",
- "A required input parameter could not be written",
- "A parameter was malformed",
+ NULL,
+ "A required input parameter could not be read",
+ "A required input parameter could not be written",
+ "A parameter was malformed",
};
-
+
static const char * const calling_error = "calling error";
#define GSS_CALLING_ERROR_STR(x) \
GSS_ERROR_STR((x), calling_error_string, GSS_CALLING_ERROR, \
- GSS_S_CALL_INACCESSIBLE_READ, GSS_S_CALL_BAD_STRUCTURE, \
- GSS_CALLING_ERROR_FIELD)
+ GSS_S_CALL_INACCESSIBLE_READ, GSS_S_CALL_BAD_STRUCTURE, \
+ GSS_CALLING_ERROR_FIELD)
/**/
static const char * const routine_error_string[] = {
- NULL,
- "An unsupported mechanism was requested",
- "An invalid name was supplied",
- "A supplied name was of an unsupported type",
- "Incorrect channel bindings were supplied",
- "An invalid status code was supplied",
- "A token had an invalid signature",
- "No credentials were supplied",
- "No context has been established",
- "A token was invalid",
- "A credential was invalid",
- "The referenced credentials have expired",
- "The context has expired",
- "Miscellaneous failure",
- "The quality-of-protection requested could not be provided",
- "The operation is forbidden by the local security policy",
- "The operation or option is not available",
-};
+ NULL,
+ "An unsupported mechanism was requested",
+ "An invalid name was supplied",
+ "A supplied name was of an unsupported type",
+ "Incorrect channel bindings were supplied",
+ "An invalid status code was supplied",
+ "A token had an invalid signature",
+ "No credentials were supplied",
+ "No context has been established",
+ "A token was invalid",
+ "A credential was invalid",
+ "The referenced credentials have expired",
+ "The context has expired",
+ "Miscellaneous failure",
+ "The quality-of-protection requested could not be provided",
+ "The operation is forbidden by the local security policy",
+ "The operation or option is not available",
+};
static const char * const routine_error = "routine error";
#define GSS_ROUTINE_ERROR_STR(x) \
GSS_ERROR_STR((x), routine_error_string, GSS_ROUTINE_ERROR, \
- GSS_S_BAD_MECH, GSS_S_FAILURE, \
- GSS_ROUTINE_ERROR_FIELD)
+ GSS_S_BAD_MECH, GSS_S_FAILURE, \
+ GSS_ROUTINE_ERROR_FIELD)
/**/
/* this becomes overly gross after about 4 strings */
static const char * const sinfo_string[] = {
- "The routine must be called again to complete its function",
- "The token was a duplicate of an earlier token",
- "The token's validity period has expired",
- "A later token has already been processed",
+ "The routine must be called again to complete its function",
+ "The token was a duplicate of an earlier token",
+ "The token's validity period has expired",
+ "A later token has already been processed",
};
static const char * const sinfo_code = "supplementary info code";
@@ -107,203 +108,203 @@
/**/
-static int
+static int
display_unknown(kind, value, buffer)
- const char *kind;
- OM_uint32 value;
- gss_buffer_t buffer;
+ const char *kind;
+ OM_uint32 value;
+ gss_buffer_t buffer;
{
- char *str;
+ char *str;
- if (asprintf(&str, unknown_error, kind, value) < 0)
- return(0);
+ if (asprintf(&str, unknown_error, kind, value) < 0)
+ return(0);
- buffer->length = strlen(str);
- buffer->value = str;
+ buffer->length = strlen(str);
+ buffer->value = str;
- return(1);
+ return(1);
}
/* code should be set to the calling error field */
static OM_uint32 display_calling(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
+ const char *str;
- if ((str = GSS_CALLING_ERROR_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(calling_error, GSS_CALLING_ERROR_FIELD(code),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ if ((str = GSS_CALLING_ERROR_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(calling_error, GSS_CALLING_ERROR_FIELD(code),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/* code should be set to the routine error field */
static OM_uint32 display_routine(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
+ const char *str;
- if ((str = GSS_ROUTINE_ERROR_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(routine_error, GSS_ROUTINE_ERROR_FIELD(code),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ if ((str = GSS_ROUTINE_ERROR_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(routine_error, GSS_ROUTINE_ERROR_FIELD(code),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/* code should be set to the bit offset (log_2) of a supplementary info bit */
static OM_uint32 display_bit(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
+ const char *str;
- if ((str = GSS_SINFO_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(sinfo_code, 1<<code, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ if ((str = GSS_SINFO_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(sinfo_code, 1<<code, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/**/
/* return error messages, for routine errors, call error, and status,
in that order.
- message_context == 0 : print the routine error
- message_context == 1 : print the calling error
- message_context > 2 : print supplementary info bit (message_context-2)
- */
+ message_context == 0 : print the routine error
+ message_context == 1 : print the calling error
+ message_context > 2 : print supplementary info bit (message_context-2)
+*/
-OM_uint32 g_display_major_status(minor_status, status_value,
- message_context, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
+OM_uint32 g_display_major_status(minor_status, status_value,
+ message_context, status_string)
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ OM_uint32 *message_context;
+ gss_buffer_t status_string;
{
- OM_uint32 ret, tmp;
- int bit;
+ OM_uint32 ret, tmp;
+ int bit;
- /*** deal with no error at all specially */
+ /*** deal with no error at all specially */
- if (status_value == 0) {
- if (! g_make_string_buffer(no_error, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- *message_context = 0;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
+ if (status_value == 0) {
+ if (! g_make_string_buffer(no_error, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ *message_context = 0;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
- /*** do routine error */
+ /*** do routine error */
- if (*message_context == 0) {
- if ((tmp = GSS_ROUTINE_ERROR(status_value))) {
- status_value -= tmp;
- if ((ret = display_routine(minor_status, tmp, status_string)))
- return(ret);
- *minor_status = 0;
- if (status_value) {
- (*message_context)++;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
- } else {
- (*message_context)++;
- }
- } else {
- status_value -= GSS_ROUTINE_ERROR(status_value);
- }
+ if (*message_context == 0) {
+ if ((tmp = GSS_ROUTINE_ERROR(status_value))) {
+ status_value -= tmp;
+ if ((ret = display_routine(minor_status, tmp, status_string)))
+ return(ret);
+ *minor_status = 0;
+ if (status_value) {
+ (*message_context)++;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
+ } else {
+ (*message_context)++;
+ }
+ } else {
+ status_value -= GSS_ROUTINE_ERROR(status_value);
+ }
- /*** do calling error */
+ /*** do calling error */
- if (*message_context == 1) {
- if ((tmp = GSS_CALLING_ERROR(status_value))) {
- status_value -= tmp;
- if ((ret = display_calling(minor_status, tmp, status_string)))
- return(ret);
- *minor_status = 0;
- if (status_value) {
- (*message_context)++;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
- } else {
- (*message_context)++;
- }
- } else {
- status_value -= GSS_CALLING_ERROR(status_value);
- }
+ if (*message_context == 1) {
+ if ((tmp = GSS_CALLING_ERROR(status_value))) {
+ status_value -= tmp;
+ if ((ret = display_calling(minor_status, tmp, status_string)))
+ return(ret);
+ *minor_status = 0;
+ if (status_value) {
+ (*message_context)++;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
+ } else {
+ (*message_context)++;
+ }
+ } else {
+ status_value -= GSS_CALLING_ERROR(status_value);
+ }
- /*** do sinfo bits (*message_context == 2 + number of bits done) */
+ /*** do sinfo bits (*message_context == 2 + number of bits done) */
- tmp = GSS_SUPPLEMENTARY_INFO_FIELD(status_value);
- /* mask off the bits which have been done */
- if (*message_context > 2) {
- tmp &= ~LSBMASK(*message_context-3);
- status_value &= ~LSBMASK(*message_context-3);
- }
+ tmp = GSS_SUPPLEMENTARY_INFO_FIELD(status_value);
+ /* mask off the bits which have been done */
+ if (*message_context > 2) {
+ tmp &= ~LSBMASK(*message_context-3);
+ status_value &= ~LSBMASK(*message_context-3);
+ }
- if (!tmp) {
- /* bogon input - there should be something left */
- *minor_status = (OM_uint32) G_BAD_MSG_CTX;
- return(GSS_S_FAILURE);
- }
+ if (!tmp) {
+ /* bogon input - there should be something left */
+ *minor_status = (OM_uint32) G_BAD_MSG_CTX;
+ return(GSS_S_FAILURE);
+ }
- /* compute the bit offset */
- /*SUPPRESS 570*/
- for (bit=0; (((OM_uint32) 1)<<bit) != LSBGET(tmp); bit++) ;
+ /* compute the bit offset */
+ /*SUPPRESS 570*/
+ for (bit=0; (((OM_uint32) 1)<<bit) != LSBGET(tmp); bit++) ;
- /* print it */
- if ((ret = display_bit(minor_status, bit, status_string)))
- return(ret);
+ /* print it */
+ if ((ret = display_bit(minor_status, bit, status_string)))
+ return(ret);
- /* compute the new status_value/message_context */
- status_value -= ((OM_uint32) 1)<<bit;
+ /* compute the new status_value/message_context */
+ status_value -= ((OM_uint32) 1)<<bit;
- if (status_value) {
- *message_context = bit+3;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
+ if (status_value) {
+ *message_context = bit+3;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/gssapi.hin
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/gssapi.hin 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/gssapi.hin 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -28,10 +29,10 @@
*/
#if defined(__MACH__) && defined(__APPLE__)
-# include <TargetConditionals.h>
-# if TARGET_RT_MAC_CFM
-# error "Use KfM 4.0 SDK headers for CFM compilation."
-# endif
+# include <TargetConditionals.h>
+# if TARGET_RT_MAC_CFM
+# error "Use KfM 4.0 SDK headers for CFM compilation."
+# endif
#endif
#ifdef __cplusplus
@@ -85,73 +86,73 @@
typedef uint32_t gss_uint32;
typedef int32_t gss_int32;
-#ifdef OM_STRING
+#ifdef OM_STRING
/*
* We have included the xom.h header file. Use the definition for
* OM_object identifier.
*/
-typedef OM_object_identifier gss_OID_desc, *gss_OID;
-#else /* OM_STRING */
+typedef OM_object_identifier gss_OID_desc, *gss_OID;
+#else /* OM_STRING */
/*
* We can't use X/Open definitions, so roll our own.
*/
-typedef gss_uint32 OM_uint32;
+typedef gss_uint32 OM_uint32;
typedef struct gss_OID_desc_struct {
- OM_uint32 length;
- void *elements;
+ OM_uint32 length;
+ void *elements;
} gss_OID_desc, *gss_OID;
-#endif /* OM_STRING */
+#endif /* OM_STRING */
typedef struct gss_OID_set_desc_struct {
- size_t count;
- gss_OID elements;
+ size_t count;
+ gss_OID elements;
} gss_OID_set_desc, *gss_OID_set;
typedef struct gss_buffer_desc_struct {
- size_t length;
- void *value;
+ size_t length;
+ void *value;
} gss_buffer_desc, *gss_buffer_t;
typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
+ OM_uint32 initiator_addrtype;
+ gss_buffer_desc initiator_address;
+ OM_uint32 acceptor_addrtype;
+ gss_buffer_desc acceptor_address;
+ gss_buffer_desc application_data;
} *gss_channel_bindings_t;
/*
* For now, define a QOP-type as an OM_uint32 (pending resolution of ongoing
* discussions).
*/
-typedef OM_uint32 gss_qop_t;
-typedef int gss_cred_usage_t;
+typedef OM_uint32 gss_qop_t;
+typedef int gss_cred_usage_t;
/*
* Flag bits for context-level services.
*/
-#define GSS_C_DELEG_FLAG 1
-#define GSS_C_MUTUAL_FLAG 2
-#define GSS_C_REPLAY_FLAG 4
-#define GSS_C_SEQUENCE_FLAG 8
-#define GSS_C_CONF_FLAG 16
-#define GSS_C_INTEG_FLAG 32
-#define GSS_C_ANON_FLAG 64
-#define GSS_C_PROT_READY_FLAG 128
-#define GSS_C_TRANS_FLAG 256
+#define GSS_C_DELEG_FLAG 1
+#define GSS_C_MUTUAL_FLAG 2
+#define GSS_C_REPLAY_FLAG 4
+#define GSS_C_SEQUENCE_FLAG 8
+#define GSS_C_CONF_FLAG 16
+#define GSS_C_INTEG_FLAG 32
+#define GSS_C_ANON_FLAG 64
+#define GSS_C_PROT_READY_FLAG 128
+#define GSS_C_TRANS_FLAG 256
/*
* Credential usage options
*/
-#define GSS_C_BOTH 0
-#define GSS_C_INITIATE 1
-#define GSS_C_ACCEPT 2
+#define GSS_C_BOTH 0
+#define GSS_C_INITIATE 1
+#define GSS_C_ACCEPT 2
/*
* Status code types for gss_display_status
*/
-#define GSS_C_GSS_CODE 1
+#define GSS_C_GSS_CODE 1
#define GSS_C_MECH_CODE 2
/*
@@ -177,6 +178,7 @@
#define GSS_C_AF_BSC 17
#define GSS_C_AF_DSS 18
#define GSS_C_AF_OSI 19
+#define GSS_C_AF_NETBIOS 20
#define GSS_C_AF_X25 21
#define GSS_C_AF_NULLADDR 255
@@ -197,8 +199,8 @@
* Some alternate names for a couple of the above values. These are defined
* for V1 compatibility.
*/
-#define GSS_C_NULL_OID GSS_C_NO_OID
-#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
/*
* Define the default Quality of Protection for per-message services. Note
@@ -244,7 +246,7 @@
((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
- (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+ (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
@@ -407,301 +409,311 @@
/* Function Prototypes */
-OM_uint32 KRB5_CALLCONV gss_acquire_cred
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 * /* time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_acquire_cred(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *); /* time_rec */
-OM_uint32 KRB5_CALLCONV gss_release_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t * /* cred_handle */
- );
+OM_uint32 KRB5_CALLCONV
+gss_release_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t *); /* cred_handle */
-OM_uint32 KRB5_CALLCONV gss_init_sec_context
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t *, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type (used to be const) */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t, /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID *, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 * /* time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_init_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t *, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID *, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *); /* time_rec */
-OM_uint32 KRB5_CALLCONV gss_accept_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_cred_id_t, /* acceptor_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t, /* input_chan_bindings */
- gss_name_t *, /* src_name */
- gss_OID *, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 *, /* time_rec */
- gss_cred_id_t * /* delegated_cred_handle */
- );
+OM_uint32 KRB5_CALLCONV
+gss_accept_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_cred_id_t, /* acceptor_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_name_t *, /* src_name */
+ gss_OID *, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *, /* time_rec */
+ gss_cred_id_t *); /* delegated_cred_handle */
-OM_uint32 KRB5_CALLCONV gss_process_context_token
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
+OM_uint32 KRB5_CALLCONV
+gss_process_context_token(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t); /* token_buffer */
-OM_uint32 KRB5_CALLCONV gss_delete_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* output_token */
- );
-OM_uint32 KRB5_CALLCONV gss_context_time
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32 * /* time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_delete_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t); /* output_token */
+
+OM_uint32 KRB5_CALLCONV
+gss_context_time(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32 *); /* time_rec */
+
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_get_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+OM_uint32 KRB5_CALLCONV
+gss_get_mic(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t); /* message_token */
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_verify_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_verify_mic(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+);
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_wrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+OM_uint32 KRB5_CALLCONV
+gss_wrap(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t); /* output_message_buffer */
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_unwrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_unwrap(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t *); /* qop_state */
-OM_uint32 KRB5_CALLCONV gss_display_status
-(OM_uint32 *, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type (used to be const) */
- OM_uint32 *, /* message_context */
- gss_buffer_t /* status_string */
- );
-OM_uint32 KRB5_CALLCONV gss_indicate_mechs
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* mech_set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_display_status(
+ OM_uint32 *, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32 *, /* message_context */
+ gss_buffer_t); /* status_string */
-OM_uint32 KRB5_CALLCONV gss_compare_name
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int * /* name_equal */
- );
-OM_uint32 KRB5_CALLCONV gss_display_name
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID * /* output_name_type */
- );
+OM_uint32 KRB5_CALLCONV
+gss_indicate_mechs(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* mech_set */
-OM_uint32 KRB5_CALLCONV gss_import_name
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type(used to be const) */
- gss_name_t * /* output_name */
- );
-OM_uint32 KRB5_CALLCONV gss_release_name
-(OM_uint32 *, /* minor_status */
- gss_name_t * /* input_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_compare_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int *); /* name_equal */
-OM_uint32 KRB5_CALLCONV gss_release_buffer
-(OM_uint32 *, /* minor_status */
- gss_buffer_t /* buffer */
- );
-OM_uint32 KRB5_CALLCONV gss_release_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_display_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID *); /* output_name_type */
-OM_uint32 KRB5_CALLCONV gss_inquire_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t *, /* cred_usage */
- gss_OID_set * /* mechanisms */
- );
+OM_uint32 KRB5_CALLCONV
+gss_import_name(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type(used to be const) */
+ gss_name_t *); /* output_name */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t *); /* input_name */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_buffer(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t); /* buffer */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* set */
+
+OM_uint32 KRB5_CALLCONV
+gss_inquire_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t *, /* cred_usage */
+ gss_OID_set *); /* mechanisms */
+
/* Last argument new for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t *, /* src_name */
- gss_name_t *, /* targ_name */
- OM_uint32 *, /* lifetime_rec */
- gss_OID *, /* mech_type */
- OM_uint32 *, /* ctx_flags */
- int *, /* locally_initiated */
- int * /* open */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t *, /* src_name */
+ gss_name_t *, /* targ_name */
+ OM_uint32 *, /* lifetime_rec */
+ gss_OID *, /* mech_type */
+ OM_uint32 *, /* ctx_flags */
+ int *, /* locally_initiated */
+ int *); /* open */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_wrap_size_limit
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
+OM_uint32 KRB5_CALLCONV
+gss_wrap_size_limit(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 *); /* max_input_size */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_import_name_object
-(OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_import_name_object(
+ OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t *); /* output_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_name_object
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void ** /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_name_object(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void **); /* output_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_add_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_add_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 *); /* acceptor_time_rec */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_cred_by_mech
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_cred_by_mech(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t *); /* cred_usage */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t); /* interprocess_token */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_import_sec_context
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
+OM_uint32 KRB5_CALLCONV
+gss_import_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t *); /* context_handle */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+OM_uint32 KRB5_CALLCONV
+gss_release_oid(
+ OM_uint32 *, /* minor_status */
+ gss_OID *); /* oid */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_create_empty_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_create_empty_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* oid_set */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_add_oid_set_member
-(OM_uint32 *, /* minor_status */
- gss_OID, /* member_oid */
- gss_OID_set * /* oid_set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_add_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* member_oid */
+ gss_OID_set *); /* oid_set */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_test_oid_set_member
-(OM_uint32 *, /* minor_status */
- gss_OID, /* member */
- gss_OID_set, /* set */
- int * /* present */
- );
+OM_uint32 KRB5_CALLCONV
+gss_test_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* member */
+ gss_OID_set, /* set */
+ int *); /* present */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_str_to_oid
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* oid_str */
- gss_OID * /* oid */
- );
+OM_uint32 KRB5_CALLCONV
+gss_str_to_oid(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID *); /* oid */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_oid_to_str
-(OM_uint32 *, /* minor_status */
- gss_OID, /* oid */
- gss_buffer_t /* oid_str */
- );
+OM_uint32 KRB5_CALLCONV
+gss_oid_to_str(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* oid */
+ gss_buffer_t); /* oid_str */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_names_for_mech
-(OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_names_for_mech(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set *); /* name_types */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_mechs_for_name(
- OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_OID_set * /* mech_types */
-);
+OM_uint32 KRB5_CALLCONV
+gss_inquire_mechs_for_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_OID_set *); /* mech_types */
/*
* The following routines are obsolete variants of gss_get_mic, gss_wrap,
@@ -710,62 +722,62 @@
* entrypoints (as opposed to #defines) should be provided, to allow GSSAPI
* V1 applications to link against GSSAPI V2 implementations.
*/
-OM_uint32 KRB5_CALLCONV gss_sign
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+OM_uint32 KRB5_CALLCONV
+gss_sign(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t); /* message_token */
-OM_uint32 KRB5_CALLCONV gss_verify
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_verify(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* token_buffer */
+ int *); /* qop_state */
-OM_uint32 KRB5_CALLCONV gss_seal
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+OM_uint32 KRB5_CALLCONV
+gss_seal(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ int, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t); /* output_message_buffer */
-OM_uint32 KRB5_CALLCONV gss_unseal
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- int * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_unseal(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ int *); /* qop_state */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t); /* exported_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_duplicate_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_duplicate_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_name_t *); /* dest_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_canonicalize_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_canonicalize_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t *); /* output_name */
#if TARGET_OS_MAC
# pragma pack(pop)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/gssapiP_generic.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/gssapiP_generic.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/gssapiP_generic.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -39,57 +40,58 @@
#include "k5-thread.h"
#include "gssapi_generic.h"
-
+#include "gssapi_ext.h"
#include "gssapi_err_generic.h"
#include <errno.h>
#include "k5-platform.h"
+#include "k5-buf.h"
typedef UINT64_TYPE gssint_uint64;
/** helper macros **/
-#define g_OID_equal(o1, o2) \
- (((o1)->length == (o2)->length) && \
- (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
+#define g_OID_equal(o1, o2) \
+ (((o1)->length == (o2)->length) && \
+ (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
/* this code knows that an int on the wire is 32 bits. The type of
num should be at least this big, or the extra shifts may do weird
things */
-#define TWRITE_INT(ptr, num, bigend) \
- (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
- (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
- (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff)); \
- (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24)); \
+#define TWRITE_INT(ptr, num, bigend) \
+ (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
+ (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
+ (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff)); \
+ (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24)); \
(ptr) += 4;
-#define TWRITE_INT16(ptr, num, bigend) \
- (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
- (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
+#define TWRITE_INT16(ptr, num, bigend) \
+ (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
+ (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
(ptr) += 2;
-#define TREAD_INT(ptr, num, bigend) \
- (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
- ((ptr)[1]<<((bigend)?16: 8)) | \
- ((ptr)[2]<<((bigend)? 8:16)) | \
- ((ptr)[3]<<((bigend)? 0:24))); \
+#define TREAD_INT(ptr, num, bigend) \
+ (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
+ ((ptr)[1]<<((bigend)?16: 8)) | \
+ ((ptr)[2]<<((bigend)? 8:16)) | \
+ ((ptr)[3]<<((bigend)? 0:24))); \
(ptr) += 4;
-#define TREAD_INT16(ptr, num, bigend) \
- (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
- ((ptr)[1]<<((bigend)?16: 8))); \
+#define TREAD_INT16(ptr, num, bigend) \
+ (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
+ ((ptr)[1]<<((bigend)?16: 8))); \
(ptr) += 2;
-#define TWRITE_STR(ptr, str, len) \
- memcpy((ptr), (char *) (str), (len)); \
+#define TWRITE_STR(ptr, str, len) \
+ memcpy((ptr), (char *) (str), (len)); \
(ptr) += (len);
-#define TREAD_STR(ptr, str, len) \
- (str) = (ptr); \
+#define TREAD_STR(ptr, str, len) \
+ (str) = (ptr); \
(ptr) += (len);
-#define TWRITE_BUF(ptr, buf, bigend) \
- TWRITE_INT((ptr), (buf).length, (bigend)); \
+#define TWRITE_BUF(ptr, buf, bigend) \
+ TWRITE_INT((ptr), (buf).length, (bigend)); \
TWRITE_STR((ptr), (buf).value, (buf).length);
/** malloc wrappers; these may actually do something later */
@@ -104,38 +106,38 @@
/** helper functions **/
/* hide names from applications, especially glib applications */
-#define g_set_init gssint_g_set_init
-#define g_set_destroy gssint_g_set_destroy
-#define g_set_entry_add gssint_g_set_entry_add
-#define g_set_entry_delete gssint_g_set_entry_delete
-#define g_set_entry_get gssint_g_set_entry_get
-#define g_save_name gssint_g_save_name
-#define g_save_cred_id gssint_g_save_cred_id
-#define g_save_ctx_id gssint_g_save_ctx_id
-#define g_save_lucidctx_id gssint_g_save_lucidctx_id
-#define g_validate_name gssint_g_validate_name
-#define g_validate_cred_id gssint_g_validate_cred_id
-#define g_validate_ctx_id gssint_g_validate_ctx_id
-#define g_validate_lucidctx_id gssint_g_validate_lucidctx_id
-#define g_delete_name gssint_g_delete_name
-#define g_delete_cred_id gssint_g_delete_cred_id
-#define g_delete_ctx_id gssint_g_delete_ctx_id
-#define g_delete_lucidctx_id gssint_g_delete_lucidctx_id
-#define g_make_string_buffer gssint_g_make_string_buffer
-#define g_token_size gssint_g_token_size
-#define g_make_token_header gssint_g_make_token_header
-#define g_verify_token_header gssint_g_verify_token_header
-#define g_display_major_status gssint_g_display_major_status
-#define g_display_com_err_status gssint_g_display_com_err_status
-#define g_order_init gssint_g_order_init
-#define g_order_check gssint_g_order_check
-#define g_order_free gssint_g_order_free
-#define g_queue_size gssint_g_queue_size
-#define g_queue_externalize gssint_g_queue_externalize
-#define g_queue_internalize gssint_g_queue_internalize
-#define g_canonicalize_host gssint_g_canonicalize_host
-#define g_local_host_name gssint_g_local_host_name
-#define g_strdup gssint_g_strdup
+#define g_set_init gssint_g_set_init
+#define g_set_destroy gssint_g_set_destroy
+#define g_set_entry_add gssint_g_set_entry_add
+#define g_set_entry_delete gssint_g_set_entry_delete
+#define g_set_entry_get gssint_g_set_entry_get
+#define g_save_name gssint_g_save_name
+#define g_save_cred_id gssint_g_save_cred_id
+#define g_save_ctx_id gssint_g_save_ctx_id
+#define g_save_lucidctx_id gssint_g_save_lucidctx_id
+#define g_validate_name gssint_g_validate_name
+#define g_validate_cred_id gssint_g_validate_cred_id
+#define g_validate_ctx_id gssint_g_validate_ctx_id
+#define g_validate_lucidctx_id gssint_g_validate_lucidctx_id
+#define g_delete_name gssint_g_delete_name
+#define g_delete_cred_id gssint_g_delete_cred_id
+#define g_delete_ctx_id gssint_g_delete_ctx_id
+#define g_delete_lucidctx_id gssint_g_delete_lucidctx_id
+#define g_make_string_buffer gssint_g_make_string_buffer
+#define g_token_size gssint_g_token_size
+#define g_make_token_header gssint_g_make_token_header
+#define g_verify_token_header gssint_g_verify_token_header
+#define g_display_major_status gssint_g_display_major_status
+#define g_display_com_err_status gssint_g_display_com_err_status
+#define g_order_init gssint_g_order_init
+#define g_order_check gssint_g_order_check
+#define g_order_free gssint_g_order_free
+#define g_queue_size gssint_g_queue_size
+#define g_queue_externalize gssint_g_queue_externalize
+#define g_queue_internalize gssint_g_queue_internalize
+#define g_canonicalize_host gssint_g_canonicalize_host
+#define g_local_host_name gssint_g_local_host_name
+#define g_strdup gssint_g_strdup
typedef struct _g_set_elt *g_set_elt;
typedef struct {
@@ -170,25 +172,29 @@
unsigned int g_token_size (const gss_OID_desc * mech, unsigned int body_size);
void g_make_token_header (const gss_OID_desc * mech, unsigned int body_size,
- unsigned char **buf, int tok_type);
+ unsigned char **buf, int tok_type);
-gss_int32 g_verify_token_header (const gss_OID_desc * mech,
- unsigned int *body_size,
- unsigned char **buf, int tok_type,
- unsigned int toksize_in,
- int wrapper_required);
+/* flags for g_verify_token_header() */
+#define G_VFY_TOKEN_HDR_WRAPPER_REQUIRED 0x01
+#define G_VFY_TOKEN_HDR_IGNORE_SEQ_SIZE 0x02
+gss_int32 g_verify_token_header (const gss_OID_desc * mech,
+ unsigned int *body_size,
+ unsigned char **buf, int tok_type,
+ unsigned int toksize_in,
+ int flags);
+
OM_uint32 g_display_major_status (OM_uint32 *minor_status,
- OM_uint32 status_value,
- OM_uint32 *message_context,
- gss_buffer_t status_string);
+ OM_uint32 status_value,
+ OM_uint32 *message_context,
+ gss_buffer_t status_string);
OM_uint32 g_display_com_err_status (OM_uint32 *minor_status,
- OM_uint32 status_value,
- gss_buffer_t status_string);
+ OM_uint32 status_value,
+ gss_buffer_t status_string);
gss_int32 g_order_init (void **queue, gssint_uint64 seqnum,
- int do_replay, int do_sequence, int wide);
+ int do_replay, int do_sequence, int wide);
gss_int32 g_order_check (void **queue, gssint_uint64 seqnum);
@@ -196,70 +202,104 @@
gss_uint32 g_queue_size(void *vqueue, size_t *sizep);
gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf,
- size_t *lenremain);
+ size_t *lenremain);
gss_uint32 g_queue_internalize(void **vqueue, unsigned char **buf,
- size_t *lenremain);
+ size_t *lenremain);
char *g_strdup (char *str);
/** declarations of internal name mechanism functions **/
-OM_uint32 generic_gss_release_buffer
-(OM_uint32*, /* minor_status */
- gss_buffer_t /* buffer */
- );
+OM_uint32
+generic_gss_release_buffer(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t); /* buffer */
-OM_uint32 generic_gss_release_oid_set
-(OM_uint32*, /* minor_status */
- gss_OID_set* /* set */
- );
+OM_uint32
+generic_gss_release_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* set */
-OM_uint32 generic_gss_release_oid
-(OM_uint32*, /* minor_status */
- gss_OID* /* set */
- );
+OM_uint32
+generic_gss_release_oid(
+ OM_uint32 *, /* minor_status */
+ gss_OID *); /* set */
-OM_uint32 generic_gss_copy_oid
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* oid */
- gss_OID * /* new_oid */
- );
+OM_uint32
+generic_gss_copy_oid(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* oid */
+ gss_OID *); /* new_oid */
-OM_uint32 generic_gss_create_empty_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
- );
+OM_uint32
+generic_gss_create_empty_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* oid_set */
-OM_uint32 generic_gss_add_oid_set_member
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* member_oid */
- gss_OID_set * /* oid_set */
- );
+OM_uint32
+generic_gss_add_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* member_oid */
+ gss_OID_set *); /* oid_set */
-OM_uint32 generic_gss_test_oid_set_member
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* member */
- gss_OID_set, /* set */
- int * /* present */
- );
+OM_uint32
+generic_gss_test_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* member */
+ gss_OID_set, /* set */
+ int *); /* present */
-OM_uint32 generic_gss_oid_to_str
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* oid */
- gss_buffer_t /* oid_str */
- );
+OM_uint32
+generic_gss_oid_to_str(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* oid */
+ gss_buffer_t); /* oid_str */
-OM_uint32 generic_gss_str_to_oid
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* oid_str */
- gss_OID * /* oid */
- );
+OM_uint32
+generic_gss_str_to_oid(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID *); /* oid */
+OM_uint32
+generic_gss_oid_compose(
+ OM_uint32 *, /* minor_status */
+ const char *, /* prefix */
+ size_t, /* prefix_len */
+ int, /* suffix */
+ gss_OID_desc *); /* oid */
+
+OM_uint32
+generic_gss_oid_decompose(
+ OM_uint32 *, /* minor_status */
+ const char *, /*prefix */
+ size_t, /* prefix_len */
+ gss_OID_desc *, /* oid */
+ int *); /* suffix */
+
int gssint_mecherrmap_init(void);
void gssint_mecherrmap_destroy(void);
OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc *oid);
int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
- OM_uint32 *mech_minor);
+ OM_uint32 *mech_minor);
OM_uint32 gssint_mecherrmap_map_errcode(OM_uint32 errcode);
+OM_uint32 generic_gss_create_empty_buffer_set
+(OM_uint32 * /*minor_status*/,
+ gss_buffer_set_t * /*buffer_set*/);
+
+OM_uint32 generic_gss_add_buffer_set_member
+(OM_uint32 * /*minor_status*/,
+ const gss_buffer_t /*member_buffer*/,
+ gss_buffer_set_t * /*buffer_set*/);
+
+OM_uint32 generic_gss_release_buffer_set
+(OM_uint32 * /*minor_status*/,
+ gss_buffer_set_t * /*buffer_set*/);
+
+OM_uint32 generic_gss_copy_oid_set
+(OM_uint32 *, /* minor_status */
+ const gss_OID_set_desc *, /* const oidset*/
+ gss_OID_set * /*new_oidset*/);
+
#endif /* _GSSAPIP_GENERIC_H_ */
Copied: branches/mkey_migrate/src/lib/gssapi/generic/gssapi_ext.h (from rev 21721, trunk/src/lib/gssapi/generic/gssapi_ext.h)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -37,37 +38,37 @@
static const gss_OID_desc const_oids[] = {
/*
* The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
@@ -85,15 +86,15 @@
* parameter, but should not be emitted by GSS-API
* implementations
*/
-
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
- {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"},
- /* corresponding to an object-identifier value of
- * {iso(1) member-body(2) Unites States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) service_name(4)}.
- * The constant GSS_C_NT_HOSTBASED_SERVICE should be
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) Unites States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) service_name(4)}.
+ * The constant GSS_C_NT_HOSTBASED_SERVICE should be
* initialized to point to that gss_OID_desc.
*/
@@ -107,7 +108,7 @@
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
-
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
@@ -118,14 +119,17 @@
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
+
+ /* GSS_C_INQ_SSPI_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */
+ {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"},
};
/* Here are the constants which point to the static structure above.
*
* Constants of the form GSS_C_NT_* are specified by rfc 2744.
*
- * Constants of the form gss_nt_* are the original MIT krb5 names
- * found in gssapi_generic.h. They are provided for compatibility. */
+ * Constants of the form gss_nt_* are the original MIT krb5 names
+ * found in gssapi_generic.h. They are provided for compatibility. */
GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = oids+0;
GSS_DLLIMP gss_OID gss_nt_user_name = oids+0;
@@ -137,7 +141,7 @@
GSS_DLLIMP gss_OID gss_nt_string_uid_name = oids+2;
GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = oids+3;
-gss_OID gss_nt_service_name_v2 = oids+3;
+gss_OID gss_nt_service_name_v2 = oids+3;
GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE = oids+4;
GSS_DLLIMP gss_OID gss_nt_service_name = oids+4;
@@ -145,4 +149,7 @@
GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS = oids+5;
GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6;
-gss_OID gss_nt_exported_name = oids+6;
+gss_OID gss_nt_exported_name = oids+6;
+
+GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+7;
+
Modified: branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/gssapi_generic.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -30,17 +31,20 @@
#include <gssapi/gssapi.h>
#if defined(__cplusplus) && !defined(GSSAPIGENERIC_BEGIN_DECLS)
-#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
-#define GSSAPIGENERIC_END_DECLS }
+#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
+#define GSSAPIGENERIC_END_DECLS }
#else
#define GSSAPIGENERIC_BEGIN_DECLS
#define GSSAPIGENERIC_END_DECLS
#endif
+#define GSS_EMPTY_BUFFER(buf) ((buf) == NULL ||\
+ (buf)->value == NULL || (buf)->length == 0)
+
GSSAPIGENERIC_BEGIN_DECLS
/* Deprecated MIT krb5 oid names provided for compatibility.
- * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744
+ * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744
* are defined in gssapi.h. */
GSS_DLLIMP extern gss_OID gss_nt_user_name;
Modified: branches/mkey_migrate/src/lib/gssapi/generic/maptest.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/maptest.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/maptest.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#include <stdio.h>
#include <stdarg.h>
#include <assert.h>
@@ -11,13 +12,13 @@
static int eltcmp(elt left, elt right)
{
if (left.a < right.a)
- return -1;
+ return -1;
if (left.a > right.a)
- return 1;
+ return 1;
if (left.b < right.b)
- return -1;
+ return -1;
if (left.b > right.b)
- return 1;
+ return 1;
return 0;
}
static void eltprt(elt v, FILE *f)
@@ -27,9 +28,9 @@
static int intcmp(int left, int right)
{
if (left < right)
- return -1;
+ return -1;
if (left > right)
- return 1;
+ return 1;
return 0;
}
static void intprt(int v, FILE *f)
Copied: branches/mkey_migrate/src/lib/gssapi/generic/oid_ops.c (from rev 21721, trunk/src/lib/gssapi/generic/oid_ops.c)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/rel_buffer.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/rel_buffer.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/rel_buffer.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/* #ident "@(#)g_rel_buffer.c 1.2 96/02/06 SMI" */
/*
@@ -2,3 +3,3 @@
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
@@ -12,7 +13,7 @@
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -34,23 +35,22 @@
#endif
OM_uint32
-generic_gss_release_buffer (minor_status,
- buffer)
- OM_uint32 * minor_status;
- gss_buffer_t buffer;
+generic_gss_release_buffer(
+ OM_uint32 *minor_status,
+ gss_buffer_t buffer)
{
if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
/* if buffer is NULL, return */
if (buffer == GSS_C_NO_BUFFER)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
if (buffer->value) {
- free(buffer->value);
- buffer->length = 0;
- buffer->value = NULL;
+ free(buffer->value);
+ buffer->length = 0;
+ buffer->value = NULL;
}
return (GSS_S_COMPLETE);
Modified: branches/mkey_migrate/src/lib/gssapi/generic/rel_oid_set.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/rel_oid_set.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/rel_oid_set.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/* #ident "@(#)gss_release_oid_set.c 1.12 95/08/23 SMI" */
/*
@@ -2,3 +3,3 @@
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
@@ -12,7 +13,7 @@
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -34,28 +35,27 @@
#endif
OM_uint32
-generic_gss_release_oid_set (minor_status,
- set)
- OM_uint32 * minor_status;
- gss_OID_set * set;
+generic_gss_release_oid_set(
+ OM_uint32 *minor_status,
+ gss_OID_set *set)
{
size_t i;
if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
if (set == NULL)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
if (*set == GSS_C_NULL_OID_SET)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
for (i=0; i<(*set)->count; i++)
- free((*set)->elements[i].elements);
+ free((*set)->elements[i].elements);
free((*set)->elements);
free(*set);
*set = GSS_C_NULL_OID_SET;
-
+
return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_buffer.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_buffer.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_buffer.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -33,12 +34,12 @@
int g_make_string_buffer(const char *str, gss_buffer_t buffer)
{
- buffer->length = strlen(str);
+ buffer->length = strlen(str);
- if ((buffer->value = strdup(str)) == NULL) {
- buffer->length = 0;
- return(0);
- }
+ if ((buffer->value = strdup(str)) == NULL) {
+ buffer->length = 0;
+ return(0);
+ }
- return(1);
+ return(1);
}
Copied: branches/mkey_migrate/src/lib/gssapi/generic/util_buffer_set.c (from rev 21721, trunk/src/lib/gssapi/generic/util_buffer_set.c)
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_canonhost.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_canonhost.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_canonhost.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -37,35 +38,32 @@
#include <string.h>
char *
-g_canonicalize_host(hostname)
- char *hostname;
+g_canonicalize_host(char *hostname)
{
- struct hostent *hent;
- char *haddr;
- char *canon, *str;
+ struct hostent *hent;
+ char *haddr;
+ char *canon, *str;
- if ((hent = gethostbyname(hostname)) == NULL)
- return(NULL);
+ if ((hent = gethostbyname(hostname)) == NULL)
+ return(NULL);
- if (! (haddr = (char *) xmalloc(hent->h_length))) {
+ if (! (haddr = (char *) xmalloc(hent->h_length))) {
return(NULL);
- }
+ }
- memcpy(haddr, hent->h_addr_list[0], hent->h_length);
+ memcpy(haddr, hent->h_addr_list[0], hent->h_length);
- if (! (hent = gethostbyaddr(haddr, hent->h_length, hent->h_addrtype))) {
+ if (! (hent = gethostbyaddr(haddr, hent->h_length, hent->h_addrtype))) {
return(NULL);
- }
+ }
- xfree(haddr);
+ xfree(haddr);
- if ((canon = (char *) xmalloc(strlen(hent->h_name)+1)) == NULL)
- return(NULL);
+ if ((canon = (char *) strdup(hent->h_name)) == NULL)
+ return(NULL);
- strcpy(canon, hent->h_name);
+ for (str = canon; *str; str++)
+ if (isupper(*str)) *str = tolower(*str);
- for (str = canon; *str; str++)
- if (isupper(*str)) *str = tolower(*str);
-
- return(canon);
+ return(canon);
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_errmap.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_errmap.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_errmap.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,7 +21,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "gssapiP_generic.h"
@@ -45,26 +46,26 @@
cmp_OM_uint32(OM_uint32 m1, OM_uint32 m2)
{
if (m1 < m2)
- return -1;
+ return -1;
else if (m1 > m2)
- return 1;
+ return 1;
else
- return 0;
+ return 0;
}
static inline int
mecherror_cmp(struct mecherror m1, struct mecherror m2)
{
if (m1.code < m2.code)
- return -1;
+ return -1;
if (m1.code > m2.code)
- return 1;
+ return 1;
if (m1.mech.length < m2.mech.length)
- return -1;
+ return -1;
if (m1.mech.length > m2.mech.length)
- return 1;
+ return 1;
if (m1.mech.length == 0)
- return 0;
+ return 0;
return memcmp(m1.mech.elements, m2.mech.elements, m1.mech.length);
}
@@ -80,10 +81,10 @@
*dest = src;
dest->mech.elements = malloc(src.mech.length);
if (dest->mech.elements == NULL) {
- if (src.mech.length)
- return ENOMEM;
- else
- return 0;
+ if (src.mech.length)
+ return ENOMEM;
+ else
+ return 0;
}
memcpy(dest->mech.elements, src.mech.elements, src.mech.length);
return 0;
@@ -95,40 +96,40 @@
OM_uint32 minor;
gss_buffer_desc str;
static const struct {
- const char *oidstr, *name;
+ const char *oidstr, *name;
} mechnames[] = {
- { "{ 1 2 840 113554 1 2 2 }", "krb5-new" },
- { "{ 1 3 5 1 5 2 }", "krb5-old" },
- { "{ 1 2 840 48018 1 2 2 }", "krb5-microsoft" },
- { "{ 1 3 6 1 5 5 2 }", "spnego" },
+ { "{ 1 2 840 113554 1 2 2 }", "krb5-new" },
+ { "{ 1 3 5 1 5 2 }", "krb5-old" },
+ { "{ 1 2 840 48018 1 2 2 }", "krb5-microsoft" },
+ { "{ 1 3 6 1 5 5 2 }", "spnego" },
};
unsigned int i;
fprintf(f, "%lu@", (unsigned long) value.code);
if (value.mech.length == 0) {
- fprintf(f, "(com_err)");
- return;
+ fprintf(f, "(com_err)");
+ return;
}
fprintf(f, "%p=", value.mech.elements);
if (generic_gss_oid_to_str(&minor, &value.mech, &str)) {
- fprintf(f, "(error in conversion)");
- return;
+ fprintf(f, "(error in conversion)");
+ return;
}
/* Note: generic_gss_oid_to_str returns a null-terminated string. */
for (i = 0; i < sizeof(mechnames)/sizeof(mechnames[0]); i++) {
- if (!strcmp(str.value, mechnames[i].oidstr) && mechnames[i].name != 0) {
- fprintf(f, "%s", mechnames[i].name);
- break;
- }
+ if (!strcmp(str.value, mechnames[i].oidstr) && mechnames[i].name != 0) {
+ fprintf(f, "%s", mechnames[i].name);
+ break;
+ }
}
if (i == sizeof(mechnames)/sizeof(mechnames[0]))
- fprintf(f, "%s", (char *) str.value);
+ fprintf(f, "%s", (char *) str.value);
generic_gss_release_buffer(&minor, &str);
}
#include "errmap.h"
-#include "krb5.h" /* for KRB5KRB_AP_WRONG_PRINC */
+#include "krb5.h" /* for KRB5KRB_AP_WRONG_PRINC */
static mecherrmap m;
static k5_mutex_t mutex = K5_MUTEX_PARTIAL_INITIALIZER;
@@ -140,11 +141,11 @@
err = mecherrmap_init(&m);
if (err)
- return err;
+ return err;
err = k5_mutex_finish_init(&mutex);
if (err) {
- mecherrmap_destroy(&m);
- return err;
+ mecherrmap_destroy(&m);
+ return err;
}
return 0;
@@ -155,7 +156,7 @@
static int free_one(OM_uint32 i, struct mecherror value, void *p)
{
if (value.mech.length && value.mech.elements)
- free(value.mech.elements);
+ free(value.mech.elements);
return 0;
}
@@ -178,7 +179,7 @@
FILE *f;
f = fopen("/dev/pts/9", "w+");
if (f == NULL)
- f = stderr;
+ f = stderr;
#endif
me.code = minor;
@@ -186,51 +187,51 @@
err = k5_mutex_lock(&mutex);
if (err) {
#ifdef DEBUG
- if (f != stderr) fclose(f);
+ if (f != stderr) fclose(f);
#endif
- return 0;
+ return 0;
}
/* Is this status+oid already mapped? */
p = mecherrmap_findright(&m, me);
if (p != NULL) {
- k5_mutex_unlock(&mutex);
+ k5_mutex_unlock(&mutex);
#ifdef DEBUG
- fprintf(f, "%s: found ", __func__);
- mecherror_print(me, f);
- fprintf(f, " in map as %lu\n", (unsigned long) *p);
- if (f != stderr) fclose(f);
+ fprintf(f, "%s: found ", __func__);
+ mecherror_print(me, f);
+ fprintf(f, " in map as %lu\n", (unsigned long) *p);
+ if (f != stderr) fclose(f);
#endif
- return *p;
+ return *p;
}
/* Is this status code already mapped to something else
mech-specific? */
mep = mecherrmap_findleft(&m, minor);
if (mep == NULL) {
- /* Map it to itself plus this mech-oid. */
- new_status = minor;
+ /* Map it to itself plus this mech-oid. */
+ new_status = minor;
} else {
- /* Already assigned. Pick a fake new value and map it. */
- /* There's a theoretical infinite loop risk here, if we fill
- in 2**32 values. Also, returning 0 has a special
- meaning. */
- do {
- next_fake++;
- new_status = next_fake;
- if (new_status == 0)
- /* ??? */;
- } while (mecherrmap_findleft(&m, new_status) != NULL);
+ /* Already assigned. Pick a fake new value and map it. */
+ /* There's a theoretical infinite loop risk here, if we fill
+ in 2**32 values. Also, returning 0 has a special
+ meaning. */
+ do {
+ next_fake++;
+ new_status = next_fake;
+ if (new_status == 0)
+ /* ??? */;
+ } while (mecherrmap_findleft(&m, new_status) != NULL);
}
err = mecherror_copy(&me_copy, me);
if (err) {
- k5_mutex_unlock(&mutex);
- return err;
+ k5_mutex_unlock(&mutex);
+ return err;
}
err = mecherrmap_add(&m, new_status, me_copy);
k5_mutex_unlock(&mutex);
if (err) {
- if (me_copy.mech.length)
- free(me_copy.mech.elements);
+ if (me_copy.mech.length)
+ free(me_copy.mech.elements);
}
#ifdef DEBUG
fprintf(f, "%s: mapping ", __func__);
@@ -241,9 +242,9 @@
if (f != stderr) fclose(f);
#endif
if (err)
- return 0;
+ return 0;
else
- return new_status;
+ return new_status;
}
static gss_OID_desc no_oid = { 0, 0 };
@@ -253,21 +254,21 @@
}
int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
- OM_uint32 *mech_minor)
+ OM_uint32 *mech_minor)
{
const struct mecherror *p;
int err;
if (minor == 0) {
- return EINVAL;
+ return EINVAL;
}
err = k5_mutex_lock(&mutex);
if (err)
- return err;
+ return err;
p = mecherrmap_findleft(&m, minor);
k5_mutex_unlock(&mutex);
if (!p) {
- return EINVAL;
+ return EINVAL;
}
*mech_oid = p->mech;
*mech_minor = p->code;
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_localhost.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_localhost.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_localhost.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -34,17 +35,15 @@
#define MAXHOSTNAMELEN 64
#endif
-char *g_local_host_name()
+char *
+g_local_host_name(void)
{
- char buf[MAXHOSTNAMELEN+1], *ptr;
+ char buf[MAXHOSTNAMELEN+1], *ptr;
- if (gethostname(buf, sizeof(buf)) < 0)
- return 0;
+ if (gethostname(buf, sizeof(buf)) < 0)
+ return 0;
- buf[sizeof(buf)-1] = '\0';
+ buf[sizeof(buf)-1] = '\0';
- if (! (ptr = xmalloc(strlen(buf) + 1)))
- return 0;
-
- return strcpy(ptr, buf);
+ return strdup(buf);
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_ordering.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_ordering.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_ordering.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -34,18 +35,18 @@
#define QUEUE_LENGTH 20
typedef struct _queue {
- int do_replay;
- int do_sequence;
- int start;
- int length;
- gssint_uint64 firstnum;
- /* Stored as deltas from firstnum. This way, the high bit won't
- overflow unless we've actually gone through 2**n messages, or
- gotten something *way* out of sequence. */
- gssint_uint64 elem[QUEUE_LENGTH];
- /* All ones for 64-bit sequence numbers; 32 ones for 32-bit
- sequence numbers. */
- gssint_uint64 mask;
+ int do_replay;
+ int do_sequence;
+ int start;
+ int length;
+ gssint_uint64 firstnum;
+ /* Stored as deltas from firstnum. This way, the high bit won't
+ overflow unless we've actually gone through 2**n messages, or
+ gotten something *way* out of sequence. */
+ gssint_uint64 elem[QUEUE_LENGTH];
+ /* All ones for 64-bit sequence numbers; 32 ones for 32-bit
+ sequence numbers. */
+ gssint_uint64 mask;
} queue;
/* rep invariant:
@@ -59,157 +60,157 @@
static void
queue_insert(queue *q, int after, gssint_uint64 seqnum)
{
- /* insert. this is not the fastest way, but it's easy, and it's
- optimized for insert at end, which is the common case */
- int i;
+ /* insert. this is not the fastest way, but it's easy, and it's
+ optimized for insert at end, which is the common case */
+ int i;
- /* common case: at end, after == q->start+q->length-1 */
+ /* common case: at end, after == q->start+q->length-1 */
- /* move all the elements (after,last] up one slot */
+ /* move all the elements (after,last] up one slot */
- for (i=q->start+q->length-1; i>after; i--)
- QELEM(q,i+1) = QELEM(q,i);
+ for (i=q->start+q->length-1; i>after; i--)
+ QELEM(q,i+1) = QELEM(q,i);
- /* fill in slot after+1 */
+ /* fill in slot after+1 */
- QELEM(q,after+1) = seqnum;
+ QELEM(q,after+1) = seqnum;
- /* Either increase the length by one, or move the starting point up
- one (deleting the first element, which got bashed above), as
- appropriate. */
+ /* Either increase the length by one, or move the starting point up
+ one (deleting the first element, which got bashed above), as
+ appropriate. */
- if (q->length == QSIZE(q)) {
- q->start++;
- if (q->start == QSIZE(q))
- q->start = 0;
- } else {
- q->length++;
- }
+ if (q->length == QSIZE(q)) {
+ q->start++;
+ if (q->start == QSIZE(q))
+ q->start = 0;
+ } else {
+ q->length++;
+ }
}
gss_int32
g_order_init(void **vqueue, gssint_uint64 seqnum,
- int do_replay, int do_sequence, int wide_nums)
+ int do_replay, int do_sequence, int wide_nums)
{
- queue *q;
+ queue *q;
- if ((q = (queue *) malloc(sizeof(queue))) == NULL)
- return(ENOMEM);
+ if ((q = (queue *) malloc(sizeof(queue))) == NULL)
+ return(ENOMEM);
- /* This stops valgrind from complaining about writing uninitialized
- data if the caller exports the context and writes it to a file.
- We don't actually use those bytes at all, but valgrind still
- complains. */
- memset(q, 0xfe, sizeof(*q));
+ /* This stops valgrind from complaining about writing uninitialized
+ data if the caller exports the context and writes it to a file.
+ We don't actually use those bytes at all, but valgrind still
+ complains. */
+ memset(q, 0xfe, sizeof(*q));
- q->do_replay = do_replay;
- q->do_sequence = do_sequence;
- q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL;
+ q->do_replay = do_replay;
+ q->do_sequence = do_sequence;
+ q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL;
- q->start = 0;
- q->length = 1;
- q->firstnum = seqnum;
- q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask;
+ q->start = 0;
+ q->length = 1;
+ q->firstnum = seqnum;
+ q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask;
- *vqueue = (void *) q;
- return(0);
+ *vqueue = (void *) q;
+ return(0);
}
gss_int32
g_order_check(void **vqueue, gssint_uint64 seqnum)
{
- queue *q;
- int i;
- gssint_uint64 expected;
+ queue *q;
+ int i;
+ gssint_uint64 expected;
- q = (queue *) (*vqueue);
+ q = (queue *) (*vqueue);
- if (!q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
+ if (!q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
- /* All checks are done relative to the initial sequence number, to
- avoid (or at least put off) the pain of wrapping. */
- seqnum -= q->firstnum;
- /* If we're only doing 32-bit values, adjust for that again.
+ /* All checks are done relative to the initial sequence number, to
+ avoid (or at least put off) the pain of wrapping. */
+ seqnum -= q->firstnum;
+ /* If we're only doing 32-bit values, adjust for that again.
- Note that this will probably be the wrong thing to if we get
- 2**32 messages sent with 32-bit sequence numbers. */
- seqnum &= q->mask;
+ Note that this will probably be the wrong thing to if we get
+ 2**32 messages sent with 32-bit sequence numbers. */
+ seqnum &= q->mask;
- /* rule 1: expected sequence number */
+ /* rule 1: expected sequence number */
- expected = (QELEM(q,q->start+q->length-1)+1) & q->mask;
- if (seqnum == expected) {
- queue_insert(q, q->start+q->length-1, seqnum);
- return(GSS_S_COMPLETE);
- }
+ expected = (QELEM(q,q->start+q->length-1)+1) & q->mask;
+ if (seqnum == expected) {
+ queue_insert(q, q->start+q->length-1, seqnum);
+ return(GSS_S_COMPLETE);
+ }
- /* rule 2: > expected sequence number */
+ /* rule 2: > expected sequence number */
- if ((seqnum > expected)) {
- queue_insert(q, q->start+q->length-1, seqnum);
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
- else
- return(GSS_S_GAP_TOKEN);
- }
+ if ((seqnum > expected)) {
+ queue_insert(q, q->start+q->length-1, seqnum);
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
+ else
+ return(GSS_S_GAP_TOKEN);
+ }
- /* rule 3: seqnum < seqnum(first) */
+ /* rule 3: seqnum < seqnum(first) */
- if ((seqnum < QELEM(q,q->start)) &&
- /* Is top bit of whatever width we're using set?
+ if ((seqnum < QELEM(q,q->start)) &&
+ /* Is top bit of whatever width we're using set?
- We used to check for greater than or equal to firstnum, but
- (1) we've since switched to compute values relative to
- firstnum, so the lowest we can have is 0, and (2) the effect
- of the original scheme was highly dependent on whether
- firstnum was close to either side of 0. (Consider
- firstnum==0xFFFFFFFE and we miss three packets; the next
- packet is *new* but would look old.)
+ We used to check for greater than or equal to firstnum, but
+ (1) we've since switched to compute values relative to
+ firstnum, so the lowest we can have is 0, and (2) the effect
+ of the original scheme was highly dependent on whether
+ firstnum was close to either side of 0. (Consider
+ firstnum==0xFFFFFFFE and we miss three packets; the next
+ packet is *new* but would look old.)
- This check should give us 2**31 or 2**63 messages "new", and
- just as many "old". That's not quite right either. */
- (seqnum & (1 + (q->mask >> 1)))
- ) {
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_OLD_TOKEN);
- else
- return(GSS_S_UNSEQ_TOKEN);
- }
+ This check should give us 2**31 or 2**63 messages "new", and
+ just as many "old". That's not quite right either. */
+ (seqnum & (1 + (q->mask >> 1)))
+ ) {
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_OLD_TOKEN);
+ else
+ return(GSS_S_UNSEQ_TOKEN);
+ }
- /* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */
+ /* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */
- else {
- if (seqnum == QELEM(q,q->start+q->length-1))
- return(GSS_S_DUPLICATE_TOKEN);
+ else {
+ if (seqnum == QELEM(q,q->start+q->length-1))
+ return(GSS_S_DUPLICATE_TOKEN);
- for (i=q->start; i<q->start+q->length-1; i++) {
- if (seqnum == QELEM(q,i))
- return(GSS_S_DUPLICATE_TOKEN);
- if ((seqnum > QELEM(q,i)) && (seqnum < QELEM(q,i+1))) {
- queue_insert(q, i, seqnum);
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
- else
- return(GSS_S_UNSEQ_TOKEN);
- }
- }
- }
+ for (i=q->start; i<q->start+q->length-1; i++) {
+ if (seqnum == QELEM(q,i))
+ return(GSS_S_DUPLICATE_TOKEN);
+ if ((seqnum > QELEM(q,i)) && (seqnum < QELEM(q,i+1))) {
+ queue_insert(q, i, seqnum);
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
+ else
+ return(GSS_S_UNSEQ_TOKEN);
+ }
+ }
+ }
- /* this should never happen */
- return(GSS_S_FAILURE);
+ /* this should never happen */
+ return(GSS_S_FAILURE);
}
void
g_order_free(void **vqueue)
{
- queue *q;
-
- q = (queue *) (*vqueue);
+ queue *q;
- free(q);
+ q = (queue *) (*vqueue);
- *vqueue = NULL;
+ free(q);
+
+ *vqueue = NULL;
}
/*
@@ -226,11 +227,11 @@
g_queue_externalize(void *vqueue, unsigned char **buf, size_t *lenremain)
{
if (*lenremain < sizeof(queue))
- return ENOMEM;
+ return ENOMEM;
memcpy(*buf, vqueue, sizeof(queue));
*buf += sizeof(queue);
*lenremain -= sizeof(queue);
-
+
return 0;
}
@@ -240,9 +241,9 @@
void *q;
if (*lenremain < sizeof(queue))
- return EINVAL;
+ return EINVAL;
if ((q = malloc(sizeof(queue))) == 0)
- return ENOMEM;
+ return ENOMEM;
memcpy(q, *buf, sizeof(queue));
*buf += sizeof(queue);
*lenremain -= sizeof(queue);
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_set.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_set.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_set.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1995 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -27,79 +28,79 @@
#include "gssapiP_generic.h"
struct _g_set_elt {
- void *key;
- void *value;
- struct _g_set_elt *next;
+ void *key;
+ void *value;
+ struct _g_set_elt *next;
};
int g_set_init(g_set_elt *s)
{
- *s = NULL;
+ *s = NULL;
- return(0);
+ return(0);
}
#if 0
int g_set_destroy(g_set_elt *s)
{
- g_set next;
+ g_set next;
- while (*s) {
- next = (*s)->next;
- free(*s);
- *s = next;
- }
+ while (*s) {
+ next = (*s)->next;
+ free(*s);
+ *s = next;
+ }
- return(0);
+ return(0);
}
#endif
int g_set_entry_add(g_set_elt *s, void *key, void *value)
{
- g_set_elt first;
+ g_set_elt first;
- if ((first = (struct _g_set_elt *) malloc(sizeof(struct _g_set_elt))) == NULL)
- return(ENOMEM);
+ if ((first = (struct _g_set_elt *) malloc(sizeof(struct _g_set_elt))) == NULL)
+ return(ENOMEM);
- first->key = key;
- first->value = value;
- first->next = *s;
+ first->key = key;
+ first->value = value;
+ first->next = *s;
- *s = first;
+ *s = first;
- return(0);
+ return(0);
}
int g_set_entry_delete(g_set_elt *s, void *key)
{
- g_set_elt *p;
+ g_set_elt *p;
- for (p=s; *p; p = &((*p)->next)) {
- if ((*p)->key == key) {
- g_set_elt next = (*p)->next;
- free(*p);
- *p = next;
+ for (p=s; *p; p = &((*p)->next)) {
+ if ((*p)->key == key) {
+ g_set_elt next = (*p)->next;
+ free(*p);
+ *p = next;
- return(0);
- }
- }
+ return(0);
+ }
+ }
- return(-1);
+ return(-1);
}
int g_set_entry_get(g_set_elt *s, void *key, void **value)
{
- g_set_elt p;
+ g_set_elt p;
- for (p = *s; p; p = p->next) {
- if (p->key == key) {
- *value = p->value;
+ for (p = *s; p; p = p->next) {
+ if (p->key == key) {
+ *value = p->value;
- return(0);
- }
- }
+ return(0);
+ }
+ }
- *value = NULL;
+ *value = NULL;
- return(-1);
+ return(-1);
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_token.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_token.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_token.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -35,130 +36,126 @@
the interfaces, so the code can be fixed if the OSI namespace
balloons unexpectedly. */
-/* Each token looks like this:
-
-0x60 tag for APPLICATION 0, SEQUENCE
- (constructed, definite-length)
- <length> possible multiple bytes, need to parse/generate
- 0x06 tag for OBJECT IDENTIFIER
- <moid_length> compile-time constant string (assume 1 byte)
- <moid_bytes> compile-time constant string
- <inner_bytes> the ANY containing the application token
- bytes 0,1 are the token type
- bytes 2,n are the token data
-
-Note that the token type field is a feature of RFC 1964 mechanisms and
-is not used by other GSSAPI mechanisms. As such, a token type of -1
-is interpreted to mean that no token type should be expected or
-generated.
-
-For the purposes of this abstraction, the token "header" consists of
-the sequence tag and length octets, the mech OID DER encoding, and the
-first two inner bytes, which indicate the token type. The token
-"body" consists of everything else.
-
-*/
-
-static unsigned int der_length_size(length)
- int length;
+/*
+ * Each token looks like this:
+ * 0x60 tag for APPLICATION 0, SEQUENCE
+ * (constructed, definite-length)
+ * <length> possible multiple bytes, need to parse/generate
+ * 0x06 tag for OBJECT IDENTIFIER
+ * <moid_length> compile-time constant string (assume 1 byte)
+ * <moid_bytes> compile-time constant string
+ * <inner_bytes> the ANY containing the application token
+ * bytes 0,1 are the token type
+ * bytes 2,n are the token data
+ *
+ * Note that the token type field is a feature of RFC 1964 mechanisms and
+ * is not used by other GSSAPI mechanisms. As such, a token type of -1
+ * is interpreted to mean that no token type should be expected or
+ * generated.
+ *
+ * For the purposes of this abstraction, the token "header" consists of
+ * the sequence tag and length octets, the mech OID DER encoding, and the
+ * first two inner bytes, which indicate the token type. The token
+ * "body" consists of everything else.
+ */
+static unsigned int
+der_length_size(int length)
{
- if (length < (1<<7))
- return(1);
- else if (length < (1<<8))
- return(2);
+ if (length < (1<<7))
+ return(1);
+ else if (length < (1<<8))
+ return(2);
#if INT_MAX == 0x7fff
- else
- return(3);
+ else
+ return(3);
#else
- else if (length < (1<<16))
- return(3);
- else if (length < (1<<24))
- return(4);
- else
- return(5);
+ else if (length < (1<<16))
+ return(3);
+ else if (length < (1<<24))
+ return(4);
+ else
+ return(5);
#endif
}
-static void der_write_length(buf, length)
- unsigned char **buf;
- int length;
+static void
+der_write_length(unsigned char **buf, int length)
{
- if (length < (1<<7)) {
- *(*buf)++ = (unsigned char) length;
- } else {
- *(*buf)++ = (unsigned char) (der_length_size(length)+127);
+ if (length < (1<<7)) {
+ *(*buf)++ = (unsigned char) length;
+ } else {
+ *(*buf)++ = (unsigned char) (der_length_size(length)+127);
#if INT_MAX > 0x7fff
- if (length >= (1<<24))
- *(*buf)++ = (unsigned char) (length>>24);
- if (length >= (1<<16))
- *(*buf)++ = (unsigned char) ((length>>16)&0xff);
+ if (length >= (1<<24))
+ *(*buf)++ = (unsigned char) (length>>24);
+ if (length >= (1<<16))
+ *(*buf)++ = (unsigned char) ((length>>16)&0xff);
#endif
- if (length >= (1<<8))
- *(*buf)++ = (unsigned char) ((length>>8)&0xff);
- *(*buf)++ = (unsigned char) (length&0xff);
- }
+ if (length >= (1<<8))
+ *(*buf)++ = (unsigned char) ((length>>8)&0xff);
+ *(*buf)++ = (unsigned char) (length&0xff);
+ }
}
/* returns decoded length, or < 0 on failure. Advances buf and
decrements bufsize */
-static int der_read_length(buf, bufsize)
- unsigned char **buf;
- int *bufsize;
+static int
+der_read_length(unsigned char **buf, int *bufsize)
{
- unsigned char sf;
- int ret;
+ unsigned char sf;
+ int ret;
- if (*bufsize < 1)
- return(-1);
- sf = *(*buf)++;
- (*bufsize)--;
- if (sf & 0x80) {
- if ((sf &= 0x7f) > ((*bufsize)-1))
- return(-1);
- if (sf > sizeof(int))
- return (-1);
- ret = 0;
- for (; sf; sf--) {
- ret = (ret<<8) + (*(*buf)++);
- (*bufsize)--;
- }
- } else {
- ret = sf;
- }
+ if (*bufsize < 1)
+ return(-1);
+ sf = *(*buf)++;
+ (*bufsize)--;
+ if (sf & 0x80) {
+ if ((sf &= 0x7f) > ((*bufsize)-1))
+ return(-1);
+ if (sf > sizeof(int))
+ return (-1);
+ ret = 0;
+ for (; sf; sf--) {
+ ret = (ret<<8) + (*(*buf)++);
+ (*bufsize)--;
+ }
+ } else {
+ ret = sf;
+ }
- return(ret);
+ return(ret);
}
/* returns the length of a token, given the mech oid and the body size */
-unsigned int g_token_size(mech, body_size)
- const gss_OID_desc * mech;
- unsigned int body_size;
+unsigned int
+g_token_size(const gss_OID_desc * mech, unsigned int body_size)
{
- /* set body_size to sequence contents size */
- body_size += 4 + (int) mech->length; /* NEED overflow check */
- return(1 + der_length_size(body_size) + body_size);
+ /* set body_size to sequence contents size */
+ body_size += 4 + (int) mech->length; /* NEED overflow check */
+ return(1 + der_length_size(body_size) + body_size);
}
/* fills in a buffer with the token header. The buffer is assumed to
be the right size. buf is advanced past the token header */
-void g_make_token_header(mech, body_size, buf, tok_type)
- const gss_OID_desc * mech;
- unsigned int body_size;
- unsigned char **buf;
- int tok_type;
+void
+g_make_token_header(
+ const gss_OID_desc * mech,
+ unsigned int body_size,
+ unsigned char **buf,
+ int tok_type)
{
- *(*buf)++ = 0x60;
- der_write_length(buf, (tok_type == -1) ?2:4 + mech->length + body_size);
- *(*buf)++ = 0x06;
- *(*buf)++ = (unsigned char) mech->length;
- TWRITE_STR(*buf, mech->elements, mech->length);
- if (tok_type != -1) {
- *(*buf)++ = (unsigned char) ((tok_type>>8)&0xff);
- *(*buf)++ = (unsigned char) (tok_type&0xff);
- }
+ *(*buf)++ = 0x60;
+ der_write_length(buf, (tok_type == -1) ?2:4 + mech->length + body_size);
+ *(*buf)++ = 0x06;
+ *(*buf)++ = (unsigned char) mech->length;
+ TWRITE_STR(*buf, mech->elements, mech->length);
+ if (tok_type != -1) {
+ *(*buf)++ = (unsigned char) ((tok_type>>8)&0xff);
+ *(*buf)++ = (unsigned char) (tok_type&0xff);
+ }
}
/*
@@ -170,63 +167,64 @@
* *body_size are left unmodified on error.
*/
-gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in,
- wrapper_required)
- const gss_OID_desc * mech;
- unsigned int *body_size;
- unsigned char **buf_in;
- int tok_type;
- unsigned int toksize_in;
- int wrapper_required;
+gss_int32
+g_verify_token_header(
+ const gss_OID_desc * mech,
+ unsigned int *body_size,
+ unsigned char **buf_in,
+ int tok_type,
+ unsigned int toksize_in,
+ int flags)
{
- unsigned char *buf = *buf_in;
- int seqsize;
- gss_OID_desc toid;
- int toksize = toksize_in;
+ unsigned char *buf = *buf_in;
+ int seqsize;
+ gss_OID_desc toid;
+ int toksize = toksize_in;
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- if (*buf++ != 0x60) {
- if (wrapper_required)
- return(G_BAD_TOK_HEADER);
- buf--;
- toksize++;
- goto skip_wrapper;
- }
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ if (*buf++ != 0x60) {
+ if (flags & G_VFY_TOKEN_HDR_WRAPPER_REQUIRED)
+ return(G_BAD_TOK_HEADER);
+ buf--;
+ toksize++;
+ goto skip_wrapper;
+ }
- if ((seqsize = der_read_length(&buf, &toksize)) < 0)
- return(G_BAD_TOK_HEADER);
+ if ((seqsize = der_read_length(&buf, &toksize)) < 0)
+ return(G_BAD_TOK_HEADER);
- if (seqsize != toksize)
- return(G_BAD_TOK_HEADER);
+ if ((flags & G_VFY_TOKEN_HDR_IGNORE_SEQ_SIZE) == 0 &&
+ seqsize != toksize)
+ return(G_BAD_TOK_HEADER);
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- if (*buf++ != 0x06)
- return(G_BAD_TOK_HEADER);
-
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- toid.length = *buf++;
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ if (*buf++ != 0x06)
+ return(G_BAD_TOK_HEADER);
- if ((toksize-=toid.length) < 0)
- return(G_BAD_TOK_HEADER);
- toid.elements = buf;
- buf+=toid.length;
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ toid.length = *buf++;
- if (! g_OID_equal(&toid, mech))
- return G_WRONG_MECH;
+ if ((toksize-=toid.length) < 0)
+ return(G_BAD_TOK_HEADER);
+ toid.elements = buf;
+ buf+=toid.length;
+
+ if (! g_OID_equal(&toid, mech))
+ return G_WRONG_MECH;
skip_wrapper:
- if (tok_type != -1) {
- if ((toksize-=2) < 0)
- return(G_BAD_TOK_HEADER);
+ if (tok_type != -1) {
+ if ((toksize-=2) < 0)
+ return(G_BAD_TOK_HEADER);
- if ((*buf++ != ((tok_type>>8)&0xff)) ||
- (*buf++ != (tok_type&0xff)))
- return(G_WRONG_TOKID);
- }
- *buf_in = buf;
- *body_size = toksize;
+ if ((*buf++ != ((tok_type>>8)&0xff)) ||
+ (*buf++ != (tok_type&0xff)))
+ return(G_WRONG_TOKID);
+ }
+ *buf_in = buf;
+ *body_size = toksize;
- return 0;
+ return 0;
}
Modified: branches/mkey_migrate/src/lib/gssapi/generic/util_validate.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/util_validate.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/util_validate.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -29,7 +30,6 @@
*/
#include "gssapiP_generic.h"
-#include "gss_libinit.h"
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
@@ -45,193 +45,187 @@
static const DBT dbtone = { (void *) &one, sizeof(one) };
typedef struct _vkey {
- int type;
- void *ptr;
+ int type;
+ void *ptr;
} vkey;
#endif
-#define V_NAME 1
-#define V_CRED_ID 2
-#define V_CTX_ID 3
-#define V_LCTX_ID 4
+#define V_NAME 1
+#define V_CRED_ID 2
+#define V_CTX_ID 3
+#define V_LCTX_ID 4
/* All these functions return 0 on failure, and non-zero on success */
static int g_save(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key;
+ DB **vdb;
+ vkey vk;
+ DBT key;
- ret = gssint_initialize_library();
- if (ret)
- return 0;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- vdb = (DB **) &db->data;
+ vdb = (DB **) &db->data;
- if (!*vdb)
- *vdb = dbopen(NULL, O_CREAT|O_RDWR, O_CREAT|O_RDWR, DB_HASH, NULL);
+ if (!*vdb)
+ *vdb = dbopen(NULL, O_CREAT|O_RDWR, O_CREAT|O_RDWR, DB_HASH, NULL);
- vk.type = type;
- vk.ptr = ptr;
+ vk.type = type;
+ vk.ptr = ptr;
- key.data = &vk;
- key.size = sizeof(vk);
+ key.data = &vk;
+ key.size = sizeof(vk);
- ret = ((*((*vdb)->put))(*vdb, &key, &dbtone, 0) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ ret = ((*((*vdb)->put))(*vdb, &key, &dbtone, 0) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#else
- g_set_elt *gs;
+ g_set_elt *gs;
- ret = gssint_initialize_library();
- if (ret)
- return 0;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- gs = (g_set_elt *) &db->data;
+ gs = (g_set_elt *) &db->data;
- if (!*gs)
- if (g_set_init(gs)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ if (!*gs)
+ if (g_set_init(gs)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- ret = (g_set_entry_add(gs, ptr, type) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ ret = (g_set_entry_add(gs, ptr, type) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#endif
}
static int g_validate(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key, value;
+ DB **vdb;
+ vkey vk;
+ DBT key, value;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- vdb = (DB **) &db->data;
- if (!*vdb) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ vdb = (DB **) &db->data;
+ if (!*vdb) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- vk.type = type;
- vk.ptr = ptr;
+ vk.type = type;
+ vk.ptr = ptr;
- key.data = &vk;
- key.size = sizeof(vk);
+ key.data = &vk;
+ key.size = sizeof(vk);
- if ((*((*vdb)->get))(*vdb, &key, &value, 0)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ if ((*((*vdb)->get))(*vdb, &key, &value, 0)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- k5_mutex_unlock(&db->mutex);
- return((value.size == sizeof(one)) &&
- (*((int *) value.data) == one));
+ k5_mutex_unlock(&db->mutex);
+ return((value.size == sizeof(one)) &&
+ (*((int *) value.data) == one));
#else
- g_set_elt *gs;
- void *value;
+ g_set_elt *gs;
+ void *value;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- gs = (g_set_elt *) &db->data;
- if (!*gs) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ gs = (g_set_elt *) &db->data;
+ if (!*gs) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- if (g_set_entry_get(gs, ptr, (void **) &value)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
- k5_mutex_unlock(&db->mutex);
- return(value == type);
+ if (g_set_entry_get(gs, ptr, (void **) &value)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+ k5_mutex_unlock(&db->mutex);
+ return(value == type);
#endif
}
static int g_delete(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key;
+ DB **vdb;
+ vkey vk;
+ DBT key;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- vdb = (DB **) &db->data;
- if (!*vdb) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ vdb = (DB **) &db->data;
+ if (!*vdb) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- vk.type = type;
- vk.ptr = ptr;
+ vk.type = type;
+ vk.ptr = ptr;
- key.data = &vk;
- key.size = sizeof(vk);
+ key.data = &vk;
+ key.size = sizeof(vk);
- ret = ((*((*vdb)->del))(*vdb, &key, 0) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ ret = ((*((*vdb)->del))(*vdb, &key, 0) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#else
- g_set_elt *gs;
+ g_set_elt *gs;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- gs = (g_set_elt *) &db->data;
- if (!*gs) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ gs = (g_set_elt *) &db->data;
+ if (!*gs) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- if (g_set_entry_delete(gs, ptr)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
- k5_mutex_unlock(&db->mutex);
- return(1);
+ if (g_set_entry_delete(gs, ptr)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+ k5_mutex_unlock(&db->mutex);
+ return(1);
#endif
}
@@ -240,82 +234,81 @@
/* save */
int g_save_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_save(vdb, V_NAME, (void *) name));
+ return(g_save(vdb, V_NAME, (void *) name));
}
int g_save_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_save(vdb, V_CRED_ID, (void *) cred));
+ return(g_save(vdb, V_CRED_ID, (void *) cred));
}
int g_save_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_save(vdb, V_CTX_ID, (void *) ctx));
+ return(g_save(vdb, V_CTX_ID, (void *) ctx));
}
int g_save_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_save(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_save(vdb, V_LCTX_ID, (void *) lctx));
}
/* validate */
int g_validate_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_validate(vdb, V_NAME, (void *) name));
+ return(g_validate(vdb, V_NAME, (void *) name));
}
int g_validate_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_validate(vdb, V_CRED_ID, (void *) cred));
+ return(g_validate(vdb, V_CRED_ID, (void *) cred));
}
int g_validate_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_validate(vdb, V_CTX_ID, (void *) ctx));
+ return(g_validate(vdb, V_CTX_ID, (void *) ctx));
}
int g_validate_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_validate(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_validate(vdb, V_LCTX_ID, (void *) lctx));
}
/* delete */
int g_delete_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_delete(vdb, V_NAME, (void *) name));
+ return(g_delete(vdb, V_NAME, (void *) name));
}
int g_delete_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_delete(vdb, V_CRED_ID, (void *) cred));
+ return(g_delete(vdb, V_CRED_ID, (void *) cred));
}
int g_delete_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_delete(vdb, V_CTX_ID, (void *) ctx));
+ return(g_delete(vdb, V_CTX_ID, (void *) ctx));
}
int g_delete_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_delete(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_delete(vdb, V_LCTX_ID, (void *) lctx));
}
-
Modified: branches/mkey_migrate/src/lib/gssapi/generic/utl_nohash_validate.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/generic/utl_nohash_validate.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/generic/utl_nohash_validate.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,8 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1990,1994 by the Massachusetts Institute of Technology.
* All Rights Reserved.
- *
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
@@ -20,7 +21,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
@@ -41,81 +42,80 @@
/* save */
int g_save_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_save_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_save_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_save_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
/* validate */
int g_validate_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_validate_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_validate_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_validate_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
/* delete */
int g_delete_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_delete_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_delete_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_delete_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
-
Deleted: branches/mkey_migrate/src/lib/gssapi/gss_libinit.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/gss_libinit.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/gss_libinit.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,90 +0,0 @@
-#include <assert.h>
-
-#include "gssapi_err_generic.h"
-#include "gssapi_err_krb5.h"
-#include "gssapiP_krb5.h"
-#include "gssapiP_generic.h"
-
-#include "gss_libinit.h"
-#include "k5-platform.h"
-
-#include "mglueP.h"
-
-/*
- * Initialize the GSSAPI library.
- */
-
-MAKE_INIT_FUNCTION(gssint_lib_init);
-MAKE_FINI_FUNCTION(gssint_lib_fini);
-
-int gssint_lib_init(void)
-{
- int err;
-
-#ifdef SHOW_INITFINI_FUNCS
- printf("gssint_lib_init\n");
-#endif
-
- add_error_table(&et_k5g_error_table);
- add_error_table(&et_ggss_error_table);
-
- err = gssint_mechglue_init();
- if (err)
- return err;
-#ifndef LEAN_CLIENT
- err = k5_mutex_finish_init(&gssint_krb5_keytab_lock);
- if (err)
- return err;
-#endif /* LEAN_CLIENT */
- err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free);
- if (err)
- return err;
- err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free);
- if (err)
- return err;
- err = k5_key_register(K5_KEY_GSS_KRB5_ERROR_MESSAGE,
- krb5_gss_delete_error_info);
- if (err)
- return err;
- err = gssint_mecherrmap_init();
- if (err)
- return err;
-#ifndef _WIN32
- err = k5_mutex_finish_init(&kg_kdc_flag_mutex);
- if (err)
- return err;
-#endif
- return k5_mutex_finish_init(&kg_vdb.mutex);
-}
-
-void gssint_lib_fini(void)
-{
- if (!INITIALIZER_RAN(gssint_lib_init) || PROGRAM_EXITING()) {
-#ifdef SHOW_INITFINI_FUNCS
- printf("gssint_lib_fini: skipping\n");
-#endif
- return;
- }
-#ifdef SHOW_INITFINI_FUNCS
- printf("gssint_lib_fini\n");
-#endif
- remove_error_table(&et_k5g_error_table);
- remove_error_table(&et_ggss_error_table);
-
- k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME);
- k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME);
- k5_mutex_destroy(&kg_vdb.mutex);
-#ifndef _WIN32
- k5_mutex_destroy(&kg_kdc_flag_mutex);
-#endif
-#ifndef LEAN_CLIENT
- k5_mutex_destroy(&gssint_krb5_keytab_lock);
-#endif /* LEAN_CLIENT */
- gssint_mecherrmap_destroy();
- gssint_mechglue_fini();
-}
-
-OM_uint32 gssint_initialize_library (void)
-{
- return CALL_INIT_FUNCTION(gssint_lib_init);
-}
Deleted: branches/mkey_migrate/src/lib/gssapi/gss_libinit.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/gss_libinit.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/gss_libinit.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,9 +0,0 @@
-#ifndef GSSAPI_LIBINIT_H
-#define GSSAPI_LIBINIT_H
-
-#include "gssapi.h"
-
-OM_uint32 gssint_initialize_library (void);
-void gssint_cleanup_library (void);
-
-#endif /* GSSAPI_LIBINIT_H */
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3,8 +3,25 @@
mydir=lib/gssapi/krb5
BUILDTOP=$(REL)..$(S)..$(S)..
LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/.. -I../generic -I$(srcdir)/../generic -I../mechglue -I$(srcdir)/../mechglue
-DEFS=
+DEFS=-D_GSS_STATIC_LINK=1
+#PROG_LIBPATH=-L$(TOPLIBD)
+#PROG_RPATH=$(KRB5_LIBDIR)
+#MODULE_INSTALL_DIR = $(GSS_MODULE_DIR)
+#LIBBASE=mech_krb5
+#LIBMAJOR=0
+#LIBMINOR=0
+#SO_EXT=.so
+#LIBINITFUNC=gss_krb5int_init
+#LIBFINIFUNC=gss_krb5int_fini
+#STOBJLISTS=../generic/OBJS.ST OBJS.ST
+#SUBDIROBJLISTS=../generic/OBJS.ST
+#SHLIB_EXPDEPS=$(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) $(COM_ERR_DEPLIB)
+#SHLIB_EXPLIBS=-lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS)
+#SHLIB_DIRS=-L$(TOPLIBD)
+#SHLIB_RDIRS=$(KRB5_LIBDIR)
+#RELDIR=gssapi/krb5
+
##DOS##BUILDTOP = ..\..\..
##DOS##PREFIXDIR=krb5
##DOS##OBJFILE = ..\$(OUTPRE)krb5.lst
@@ -45,8 +62,11 @@
$(srcdir)/inq_cred.c \
$(srcdir)/inq_names.c \
$(srcdir)/k5seal.c \
+ $(srcdir)/k5sealiov.c \
$(srcdir)/k5sealv3.c \
+ $(srcdir)/k5sealv3iov.c \
$(srcdir)/k5unseal.c \
+ $(srcdir)/k5unsealiov.c \
$(srcdir)/krb5_gss_glue.c \
$(srcdir)/lucid_context.c \
$(srcdir)/process_context_token.c \
@@ -65,11 +85,8 @@
$(srcdir)/util_seqnum.c \
$(srcdir)/val_cred.c \
$(srcdir)/verify.c \
- $(srcdir)/wrap_size_limit.c \
- gssapi_err_krb5.c
+ $(srcdir)/wrap_size_limit.c
-# $(srcdir)/pname_to_uid.c \
-# $(srcdir)/k5mech.c
OBJS = \
$(OUTPRE)accept_sec_context.$(OBJEXT) \
@@ -95,8 +112,11 @@
$(OUTPRE)inq_cred.$(OBJEXT) \
$(OUTPRE)inq_names.$(OBJEXT) \
$(OUTPRE)k5seal.$(OBJEXT) \
+ $(OUTPRE)k5sealiov.$(OBJEXT) \
$(OUTPRE)k5sealv3.$(OBJEXT) \
+ $(OUTPRE)k5sealv3iov.$(OBJEXT) \
$(OUTPRE)k5unseal.$(OBJEXT) \
+ $(OUTPRE)k5unsealiov.$(OBJEXT) \
$(OUTPRE)krb5_gss_glue.$(OBJEXT) \
$(OUTPRE)lucid_context.$(OBJEXT) \
$(OUTPRE)process_context_token.$(OBJEXT) \
@@ -145,8 +165,11 @@
inq_cred.o \
inq_names.o \
k5seal.o \
+ k5sealiov.o \
k5sealv3.o \
+ k5sealv3iov.o \
k5unseal.o \
+ k5unsealiov.o \
krb5_gss_glue.o \
lucid_context.o \
process_context_token.o \
@@ -248,549 +271,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-accept_sec_context.so accept_sec_context.po $(OUTPRE)accept_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- accept_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h
-acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- $(srcdir)/../gss_libinit.h ../generic/gssapi_err_generic.h \
- acquire_cred.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-add_cred.so add_cred.po $(OUTPRE)add_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- add_cred.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-canon_name.so canon_name.po $(OUTPRE)canon_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- canon_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-compare_name.so compare_name.po $(OUTPRE)compare_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- compare_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-context_time.so context_time.po $(OUTPRE)context_time.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- context_time.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-copy_ccache.so copy_ccache.po $(OUTPRE)copy_ccache.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- copy_ccache.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-delete_sec_context.so delete_sec_context.po $(OUTPRE)delete_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- delete_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h
-disp_name.so disp_name.po $(OUTPRE)disp_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- disp_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-disp_status.so disp_status.po $(OUTPRE)disp_status.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- $(srcdir)/../gss_libinit.h ../generic/gssapi_err_generic.h \
- disp_status.c error_map.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h
-duplicate_name.so duplicate_name.po $(OUTPRE)duplicate_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- duplicate_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-export_name.so export_name.po $(OUTPRE)export_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- export_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-export_sec_context.so export_sec_context.po $(OUTPRE)export_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- export_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h
-get_tkt_flags.so get_tkt_flags.po $(OUTPRE)get_tkt_flags.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- get_tkt_flags.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
-gssapi_krb5.so gssapi_krb5.po $(OUTPRE)gssapi_krb5.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.c gssapi_krb5.h
-import_name.so import_name.po $(OUTPRE)import_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h import_name.c
-import_sec_context.so import_sec_context.po $(OUTPRE)import_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h import_sec_context.c
-indicate_mechs.so indicate_mechs.po $(OUTPRE)indicate_mechs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../mechglue/mechglue.h \
- $(srcdir)/../mechglue/mglueP.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h indicate_mechs.c
-init_sec_context.so init_sec_context.po $(OUTPRE)init_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- $(srcdir)/../gss_libinit.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h init_sec_context.c
-inq_context.so inq_context.po $(OUTPRE)inq_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_context.c
-inq_cred.so inq_cred.po $(OUTPRE)inq_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_cred.c
-inq_names.so inq_names.po $(OUTPRE)inq_names.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_names.c
-k5seal.so k5seal.po $(OUTPRE)k5seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h k5seal.c
-k5sealv3.so k5sealv3.po $(OUTPRE)k5sealv3.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5sealv3.c
-k5unseal.so k5unseal.po $(OUTPRE)k5unseal.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5unseal.c
-krb5_gss_glue.so krb5_gss_glue.po $(OUTPRE)krb5_gss_glue.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../mechglue/mechglue.h \
- $(srcdir)/../mechglue/mglueP.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h krb5_gss_glue.c
-lucid_context.so lucid_context.po $(OUTPRE)lucid_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h lucid_context.c
-process_context_token.so process_context_token.po $(OUTPRE)process_context_token.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h process_context_token.c
-rel_cred.so rel_cred.po $(OUTPRE)rel_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h rel_cred.c
-rel_oid.so rel_oid.po $(OUTPRE)rel_oid.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h rel_oid.c
-rel_name.so rel_name.po $(OUTPRE)rel_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h rel_name.c
-seal.so seal.po $(OUTPRE)seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h seal.c
-set_allowable_enctypes.so set_allowable_enctypes.po \
- $(OUTPRE)set_allowable_enctypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h set_allowable_enctypes.c
-ser_sctx.so ser_sctx.po $(OUTPRE)ser_sctx.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h ser_sctx.c
-set_ccache.so set_ccache.po $(OUTPRE)set_ccache.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- $(srcdir)/../gss_libinit.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h set_ccache.c
-sign.so sign.po $(OUTPRE)sign.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h sign.c
-unseal.so unseal.po $(OUTPRE)unseal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h unseal.c
-util_cksum.so util_cksum.po $(OUTPRE)util_cksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h util_cksum.c
-util_crypt.so util_crypt.po $(OUTPRE)util_crypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h util_crypt.c
-util_seed.so util_seed.po $(OUTPRE)util_seed.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h util_seed.c
-util_seqnum.so util_seqnum.po $(OUTPRE)util_seqnum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h util_seqnum.c
-val_cred.so val_cred.po $(OUTPRE)val_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h val_cred.c
-verify.so verify.po $(OUTPRE)verify.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
- gssapi_krb5.h verify.c
-wrap_size_limit.so wrap_size_limit.po $(OUTPRE)wrap_size_limit.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
- gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h wrap_size_limit.c
-gssapi_err_krb5.so gssapi_err_krb5.po $(OUTPRE)gssapi_err_krb5.$(OBJEXT): \
- $(COM_ERR_DEPS) gssapi_err_krb5.c
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/accept_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/accept_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2004, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -46,14 +47,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -64,11 +65,38 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "gssapiP_krb5.h"
@@ -84,7 +112,7 @@
#define CFX_ACCEPTOR_SUBKEY 1
#endif
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
@@ -99,91 +127,91 @@
krb5_ccache ccache = NULL;
krb5_gss_cred_id_t cred = NULL;
krb5_auth_context new_auth_ctx = NULL;
- krb5_int32 flags_org;
+ krb5_int32 flags_org;
- if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org)))
- return retval;
- krb5_auth_con_setflags(context, auth_context,
- 0);
+ if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org)))
+ return retval;
+ krb5_auth_con_setflags(context, auth_context,
+ 0);
- /*
- * By the time krb5_rd_cred is called here (after krb5_rd_req has been
- * called in krb5_gss_accept_sec_context), the "keyblock" field of
- * auth_context contains a pointer to the session key, and the
- * "recv_subkey" field might contain a session subkey. Either of
- * these (the "recv_subkey" if it isn't NULL, otherwise the
- * "keyblock") might have been used to encrypt the encrypted part of
- * the KRB_CRED message that contains the forwarded credentials. (The
- * Java Crypto and Security Implementation from the DSTC in Australia
- * always uses the session key. But apparently it never negotiates a
- * subkey, so this code works fine against a JCSI client.) Up to the
- * present, though, GSSAPI clients linked against the MIT code (which
- * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
- * all -- at this level. So if the first call to krb5_rd_cred fails,
- * we should call it a second time with another auth context freshly
- * created by krb5_auth_con_init. All of its keyblock fields will be
- * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
- * unencrypted. (The MIT code doesn't actually send the KRB_CRED
- * message in the clear -- the "authenticator" whose "checksum" ends up
- * containing the KRB_CRED message does get encrypted.)
- */
- if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) {
- if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
- goto cleanup;
- krb5_auth_con_setflags(context, new_auth_ctx, 0);
- if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
- &creds, NULL)))
- goto cleanup;
- }
+ /*
+ * By the time krb5_rd_cred is called here (after krb5_rd_req has been
+ * called in krb5_gss_accept_sec_context), the "keyblock" field of
+ * auth_context contains a pointer to the session key, and the
+ * "recv_subkey" field might contain a session subkey. Either of
+ * these (the "recv_subkey" if it isn't NULL, otherwise the
+ * "keyblock") might have been used to encrypt the encrypted part of
+ * the KRB_CRED message that contains the forwarded credentials. (The
+ * Java Crypto and Security Implementation from the DSTC in Australia
+ * always uses the session key. But apparently it never negotiates a
+ * subkey, so this code works fine against a JCSI client.) Up to the
+ * present, though, GSSAPI clients linked against the MIT code (which
+ * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
+ * all -- at this level. So if the first call to krb5_rd_cred fails,
+ * we should call it a second time with another auth context freshly
+ * created by krb5_auth_con_init. All of its keyblock fields will be
+ * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
+ * unencrypted. (The MIT code doesn't actually send the KRB_CRED
+ * message in the clear -- the "authenticator" whose "checksum" ends up
+ * containing the KRB_CRED message does get encrypted.)
+ */
+ if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) {
+ if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
+ goto cleanup;
+ krb5_auth_con_setflags(context, new_auth_ctx, 0);
+ if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
+ &creds, NULL)))
+ goto cleanup;
+ }
if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
- ccache = NULL;
+ ccache = NULL;
goto cleanup;
}
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
- goto cleanup;
+ goto cleanup;
if ((retval = krb5_cc_store_cred(context, ccache, creds[0])))
- goto cleanup;
+ goto cleanup;
/* generate a delegated credential handle */
if (out_cred) {
- /* allocate memory for a cred_t... */
- if (!(cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) {
- retval = ENOMEM; /* out of memory? */
- goto cleanup;
- }
+ /* allocate memory for a cred_t... */
+ if (!(cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) {
+ retval = ENOMEM; /* out of memory? */
+ goto cleanup;
+ }
- /* zero it out... */
- memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
+ /* zero it out... */
+ memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
- retval = k5_mutex_init(&cred->lock);
- if (retval) {
- xfree(cred);
- cred = NULL;
- goto cleanup;
- }
+ retval = k5_mutex_init(&cred->lock);
+ if (retval) {
+ xfree(cred);
+ cred = NULL;
+ goto cleanup;
+ }
- /* copy the client principle into it... */
- if ((retval =
- krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
- k5_mutex_destroy(&cred->lock);
- retval = ENOMEM; /* out of memory? */
- xfree(cred); /* clean up memory on failure */
- cred = NULL;
- goto cleanup;
- }
+ /* copy the client principle into it... */
+ if ((retval =
+ krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
+ k5_mutex_destroy(&cred->lock);
+ retval = ENOMEM; /* out of memory? */
+ xfree(cred); /* clean up memory on failure */
+ cred = NULL;
+ goto cleanup;
+ }
- cred->usage = GSS_C_INITIATE; /* we can't accept with this */
- /* cred->princ already set */
- cred->prerfc_mech = 1; /* this cred will work with all three mechs */
- cred->rfc_mech = 1;
- cred->keytab = NULL; /* no keytab associated with this... */
- cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
- cred->ccache = ccache; /* the ccache containing the credential */
- ccache = NULL; /* cred takes ownership so don't destroy */
+ cred->usage = GSS_C_INITIATE; /* we can't accept with this */
+ /* cred->princ already set */
+ cred->prerfc_mech = 1; /* this cred will work with all three mechs */
+ cred->rfc_mech = 1;
+ cred->keytab = NULL; /* no keytab associated with this... */
+ cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
+ cred->ccache = ccache; /* the ccache containing the credential */
+ ccache = NULL; /* cred takes ownership so don't destroy */
}
/* If there were errors, there might have been a memory leak
@@ -193,16 +221,16 @@
*/
cleanup:
if (creds)
- krb5_free_tgt_creds(context, creds);
+ krb5_free_tgt_creds(context, creds);
if (ccache)
- (void)krb5_cc_destroy(context, ccache);
+ (void)krb5_cc_destroy(context, ccache);
if (out_cred)
- *out_cred = cred; /* return credential */
+ *out_cred = cred; /* return credential */
if (new_auth_ctx)
- krb5_auth_con_free(context, new_auth_ctx);
+ krb5_auth_con_free(context, new_auth_ctx);
krb5_auth_con_setflags(context, auth_context, flags_org);
@@ -210,12 +238,13 @@
}
-OM_uint32
-krb5_gss_accept_sec_context(minor_status, context_handle,
- verifier_cred_handle, input_token,
- input_chan_bindings, src_name, mech_type,
- output_token, ret_flags, time_rec,
- delegated_cred_handle)
+/*
+ * Performs third leg of DCE authentication
+ */
+static OM_uint32
+kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
+ input_token, input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec, delegated_cred_handle)
OM_uint32 *minor_status;
gss_ctx_id_t *context_handle;
gss_cred_id_t verifier_cred_handle;
@@ -228,269 +257,400 @@
OM_uint32 *time_rec;
gss_cred_id_t *delegated_cred_handle;
{
- krb5_context context;
- unsigned char *ptr, *ptr2;
- char *sptr;
- long tmp;
- size_t md5len;
- int bigend;
- krb5_gss_cred_id_t cred = 0;
- krb5_data ap_rep, ap_req;
- unsigned int i;
krb5_error_code code;
- krb5_address addr, *paddr;
- krb5_authenticator *authdat = 0;
- krb5_checksum reqcksum;
- krb5_principal name = NULL;
- krb5_ui_4 gss_flags = 0;
- int decode_req_message = 0;
krb5_gss_ctx_id_rec *ctx = 0;
krb5_timestamp now;
- gss_buffer_desc token;
- krb5_auth_context auth_context = NULL;
- krb5_ticket * ticket = NULL;
- int option_id;
- krb5_data option;
- const gss_OID_desc *mech_used = NULL;
+ krb5_principal name = NULL;
+ krb5_ui_4 nonce = 0;
+ krb5_data ap_rep;
OM_uint32 major_status = GSS_S_FAILURE;
- OM_uint32 tmp_minor_status;
- krb5_error krb_error_data;
- krb5_data scratch;
- gss_cred_id_t cred_handle = NULL;
- krb5_gss_cred_id_t deleg_cred = NULL;
- krb5int_access kaccess;
- int cred_rcache = 0;
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- /* set up returns to be freeable */
-
- if (src_name)
- *src_name = (gss_name_t) NULL;
output_token->length = 0;
output_token->value = NULL;
- token.value = 0;
- reqcksum.contents = 0;
- ap_req.data = 0;
- ap_rep.data = 0;
-
+
if (mech_type)
*mech_type = GSS_C_NULL_OID;
/* return a bogus cred handle */
if (delegated_cred_handle)
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
- /*
- * Context handle must be unspecified. Actually, it must be
- * non-established, but currently, accept_sec_context never returns
- * a non-established context handle.
- */
- /*SUPPRESS 29*/
- if (*context_handle != GSS_C_NO_CONTEXT) {
- *minor_status = EINVAL;
- save_error_string(EINVAL, "accept_sec_context called with existing context handle");
- krb5_free_context(context);
- return(GSS_S_FAILURE);
+ ctx = (krb5_gss_ctx_id_rec *)*context_handle;
+
+ code = krb5_timeofday(ctx->k5_context, &now);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
}
- /* handle default cred handle */
- if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
- major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME,
- GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
- GSS_C_ACCEPT, &cred_handle,
- NULL, NULL);
- if (major_status != GSS_S_COMPLETE) {
- code = *minor_status;
+ if (ctx->krb_times.endtime < now) {
+ code = 0;
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
+
+ ap_rep.data = input_token->value;
+ ap_rep.length = input_token->length;
+
+ code = krb5_rd_rep_dce(ctx->k5_context,
+ ctx->auth_context,
+ &ap_rep,
+ &nonce);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ ctx->established = 1;
+
+ if (src_name) {
+ if ((code = krb5_copy_principal(ctx->k5_context, ctx->there, &name))) {
+ major_status = GSS_S_FAILURE;
goto fail;
}
- } else {
- major_status = krb5_gss_validate_cred(minor_status,
- verifier_cred_handle);
- if (GSS_ERROR(major_status)) {
- code = *minor_status;
+ /* intern the src_name */
+ if (! kg_save_name((gss_name_t) name)) {
+ code = G_VALIDATE_FAILED;
+ major_status = GSS_S_FAILURE;
goto fail;
}
- cred_handle = verifier_cred_handle;
+ *src_name = (gss_name_t) name;
}
- cred = (krb5_gss_cred_id_t) cred_handle;
+ if (mech_type)
+ *mech_type = ctx->mech_used;
- /* make sure the supplied credentials are valid for accept */
+ if (time_rec)
+ *time_rec = ctx->krb_times.endtime - now;
- if ((cred->usage != GSS_C_ACCEPT) &&
- (cred->usage != GSS_C_BOTH)) {
- code = 0;
- major_status = GSS_S_NO_CRED;
- goto fail;
- }
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
- /* verify the token's integrity, and leave the token in ap_req.
- figure out which mech oid was used, and save it */
+ /* XXX no support for delegated credentials yet */
- ptr = (unsigned char *) input_token->value;
+ *minor_status = 0;
- if (!(code = g_verify_token_header(gss_mech_krb5,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- mech_used = gss_mech_krb5;
- } else if ((code == G_WRONG_MECH)
- &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- mech_used = gss_mech_krb5_wrong;
- } else if ((code == G_WRONG_MECH) &&
- !(code = g_verify_token_header(gss_mech_krb5_old,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- /*
- * Previous versions of this library used the old mech_id
- * and some broken behavior (wrong IV on checksum
- * encryption). We support the old mech_id for
- * compatibility, and use it to decide when to use the
- * old behavior.
- */
- mech_used = gss_mech_krb5_old;
- } else if (code == G_WRONG_TOKID) {
- major_status = GSS_S_CONTINUE_NEEDED;
- code = KRB5KRB_AP_ERR_MSG_TYPE;
- mech_used = gss_mech_krb5;
- goto fail;
- } else {
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
+ return GSS_S_COMPLETE;
- sptr = (char *) ptr;
- TREAD_STR(sptr, ap_req.data, ap_req.length);
- decode_req_message = 1;
+ fail:
+ /* real failure code follows */
- /* construct the sender_addr */
+ if (ctx)
+ (void) krb5_gss_delete_sec_context(minor_status,
+ (gss_ctx_id_t *) &ctx, NULL);
+ *context_handle = GSS_C_NO_CONTEXT;
+ *minor_status = code;
- if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) &&
- (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) {
- /* XXX is this right? */
- addr.addrtype = ADDRTYPE_INET;
- addr.length = input_chan_bindings->initiator_address.length;
- addr.contents = input_chan_bindings->initiator_address.value;
+ return major_status;
+}
- paddr = &addr;
- } else {
- paddr = NULL;
- }
+static OM_uint32
+kg_accept_krb5(minor_status, context_handle,
+ verifier_cred_handle, input_token,
+ input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec,
+ delegated_cred_handle)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_cred_id_t verifier_cred_handle;
+ gss_buffer_t input_token;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_name_t *src_name;
+ gss_OID *mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
+ gss_cred_id_t *delegated_cred_handle;
+{
+ krb5_context context;
+ unsigned char *ptr, *ptr2;
+ char *sptr;
+ OM_uint32 tmp;
+ size_t md5len;
+ int bigend;
+ krb5_gss_cred_id_t cred = 0;
+ krb5_data ap_rep, ap_req;
+ unsigned int i;
+ krb5_error_code code;
+ krb5_address addr, *paddr;
+ krb5_authenticator *authdat = 0;
+ krb5_checksum reqcksum;
+ krb5_principal name = NULL;
+ krb5_ui_4 gss_flags = 0;
+ int decode_req_message = 0;
+ krb5_gss_ctx_id_rec *ctx = NULL;
+ krb5_timestamp now;
+ gss_buffer_desc token;
+ krb5_auth_context auth_context = NULL;
+ krb5_ticket * ticket = NULL;
+ int option_id;
+ krb5_data option;
+ const gss_OID_desc *mech_used = NULL;
+ OM_uint32 major_status = GSS_S_FAILURE;
+ OM_uint32 tmp_minor_status;
+ krb5_error krb_error_data;
+ krb5_data scratch;
+ gss_cred_id_t cred_handle = NULL;
+ krb5_gss_cred_id_t deleg_cred = NULL;
+ krb5int_access kaccess;
+ int cred_rcache = 0;
+ int no_encap = 0;
+ krb5_flags ap_req_options = 0;
- /* decode the AP_REQ message */
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- /* decode the message */
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if ((code = krb5_auth_con_init(context, &auth_context))) {
- major_status = GSS_S_FAILURE;
- save_error_info(code, context);
- goto fail;
- }
- if (cred->rcache) {
- cred_rcache = 1;
- if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
- if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* set up returns to be freeable */
- if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
- cred->keytab, NULL, &ticket))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ if (src_name)
+ *src_name = (gss_name_t) NULL;
+ output_token->length = 0;
+ output_token->value = NULL;
+ token.value = 0;
+ reqcksum.contents = 0;
+ ap_req.data = 0;
+ ap_rep.data = 0;
- krb5_auth_con_getauthenticator(context, auth_context, &authdat);
+ if (mech_type)
+ *mech_type = GSS_C_NULL_OID;
+ /* return a bogus cred handle */
+ if (delegated_cred_handle)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ /* handle default cred handle */
+ if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME,
+ GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+ GSS_C_ACCEPT, &cred_handle,
+ NULL, NULL);
+ if (major_status != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ } else {
+ major_status = krb5_gss_validate_cred(minor_status,
+ verifier_cred_handle);
+ if (GSS_ERROR(major_status)) {
+ code = *minor_status;
+ goto fail;
+ }
+ cred_handle = verifier_cred_handle;
+ }
+
+ cred = (krb5_gss_cred_id_t) cred_handle;
+
+ /* make sure the supplied credentials are valid for accept */
+
+ if ((cred->usage != GSS_C_ACCEPT) &&
+ (cred->usage != GSS_C_BOTH)) {
+ code = 0;
+ major_status = GSS_S_NO_CRED;
+ goto fail;
+ }
+
+ /* verify the token's integrity, and leave the token in ap_req.
+ figure out which mech oid was used, and save it */
+
+ ptr = (unsigned char *) input_token->value;
+
+ if (!(code = g_verify_token_header(gss_mech_krb5,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ mech_used = gss_mech_krb5;
+ } else if ((code == G_WRONG_MECH)
+ &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ mech_used = gss_mech_krb5_wrong;
+ } else if ((code == G_WRONG_MECH) &&
+ !(code = g_verify_token_header(gss_mech_krb5_old,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ /*
+ * Previous versions of this library used the old mech_id
+ * and some broken behavior (wrong IV on checksum
+ * encryption). We support the old mech_id for
+ * compatibility, and use it to decide when to use the
+ * old behavior.
+ */
+ mech_used = gss_mech_krb5_old;
+ } else if (code == G_WRONG_TOKID) {
+ major_status = GSS_S_CONTINUE_NEEDED;
+ code = KRB5KRB_AP_ERR_MSG_TYPE;
+ mech_used = gss_mech_krb5;
+ goto fail;
+ } else if (code == G_BAD_TOK_HEADER) {
+ /* DCE style not encapsulated */
+ ap_req.length = input_token->length;
+ ap_req.data = input_token->value;
+ mech_used = gss_mech_krb5;
+ no_encap = 1;
+ } else {
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
+
+ sptr = (char *) ptr;
+ TREAD_STR(sptr, ap_req.data, ap_req.length);
+ decode_req_message = 1;
+
+ /* construct the sender_addr */
+
+ if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) &&
+ (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) {
+ /* XXX is this right? */
+ addr.addrtype = ADDRTYPE_INET;
+ addr.length = input_chan_bindings->initiator_address.length;
+ addr.contents = input_chan_bindings->initiator_address.value;
+
+ paddr = &addr;
+ } else {
+ paddr = NULL;
+ }
+
+ /* decode the AP_REQ message */
+
+ /* decode the message */
+
+ if ((code = krb5_auth_con_init(context, &auth_context))) {
+ major_status = GSS_S_FAILURE;
+ save_error_info((OM_uint32)code, context);
+ goto fail;
+ }
+ if (cred->rcache) {
+ cred_rcache = 1;
+ if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
+ cred->keytab, &ap_req_options, &ticket))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ krb5_auth_con_getauthenticator(context, auth_context, &authdat);
+
#if 0
- /* make sure the necessary parts of the authdat are present */
+ /* make sure the necessary parts of the authdat are present */
- if ((authdat->authenticator->subkey == NULL) ||
- (authdat->ticket->enc_part2 == NULL)) {
- code = KG_NO_SUBKEY;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if ((authdat->authenticator->subkey == NULL) ||
+ (authdat->ticket->enc_part2 == NULL)) {
+ code = KG_NO_SUBKEY;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
#endif
- {
- /* gss krb5 v1 */
+ if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+ /* Samba does not send 0x8003 GSS-API checksums */
+ krb5_boolean valid;
+ krb5_keyblock *subkey;
+ krb5_data zero;
- /* stash this now, for later. */
- code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ code = krb5_auth_con_getkey(context, auth_context, &subkey);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* verify that the checksum is correct */
+ zero.length = 0;
+ zero.data = "";
- /*
- The checksum may be either exactly 24 bytes, in which case
- no options are specified, or greater than 24 bytes, in which case
- one or more options are specified. Currently, the only valid
- option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ).
- */
+ code = krb5_c_verify_checksum(context,
+ subkey,
+ KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
+ &zero,
+ authdat->checksum,
+ &valid);
+ if (code || !valid) {
+ major_status = GSS_S_BAD_SIG;
+ krb5_free_keyblock(context, subkey);
+ goto fail;
+ }
- if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) ||
- (authdat->checksum->length < 24)) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
+ gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ bigend = 0;
+ decode_req_message = 0;
- /*
- "Be liberal in what you accept, and
- conservative in what you send"
- -- rfc1123
+ krb5_free_keyblock(context, subkey);
+ } else {
+ /* gss krb5 v1 */
- This code will let this acceptor interoperate with an initiator
- using little-endian or big-endian integer encoding.
- */
+ /* stash this now, for later. */
+ code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 0;
+ /* verify that the checksum is correct */
- TREAD_INT(ptr, tmp, bigend);
+ /*
+ The checksum may be either exactly 24 bytes, in which case
+ no options are specified, or greater than 24 bytes, in which case
+ one or more options are specified. Currently, the only valid
+ option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ).
+ */
- if (tmp != md5len) {
- ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 1;
+ if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) ||
+ (authdat->checksum->length < 24)) {
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
- TREAD_INT(ptr, tmp, bigend);
+ /*
+ "Be liberal in what you accept, and
+ conservative in what you send"
+ -- rfc1123
- if (tmp != md5len) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
+ This code will let this acceptor interoperate with an initiator
+ using little-endian or big-endian integer encoding.
+ */
- /* at this point, bigend is set according to the initiator's
- byte order */
+ ptr = (unsigned char *) authdat->checksum->contents;
+ bigend = 0;
+ TREAD_INT(ptr, tmp, bigend);
- /*
+ if (tmp != md5len) {
+ ptr = (unsigned char *) authdat->checksum->contents;
+ bigend = 1;
+
+ TREAD_INT(ptr, tmp, bigend);
+
+ if (tmp != md5len) {
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
+ /* at this point, bigend is set according to the initiator's
+ byte order */
+
+
+ /*
The following section of code attempts to implement the
optional channel binding facility as described in RFC2743.
@@ -503,507 +663,542 @@
a checksum and compare against those provided by the
client. */
- if ((code = kg_checksum_channel_bindings(context,
- input_chan_bindings,
- &reqcksum, bigend))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
+ if ((code = kg_checksum_channel_bindings(context,
+ input_chan_bindings,
+ &reqcksum, bigend))) {
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
- /* Always read the clients bindings - eventhough we might ignore them */
- TREAD_STR(ptr, ptr2, reqcksum.length);
+ /* Always read the clients bindings - eventhough we might ignore them */
+ TREAD_STR(ptr, ptr2, reqcksum.length);
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- }
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
+ if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
+ }
- TREAD_INT(ptr, gss_flags, bigend);
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+
+ TREAD_INT(ptr, gss_flags, bigend);
#if 0
- gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
- there's a delegation, we'll set
- it below */
+ gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
+ there's a delegation, we'll set
+ it below */
#endif
- decode_req_message = 0;
+ decode_req_message = 0;
- /* if the checksum length > 24, there are options to process */
+ /* if the checksum length > 24, there are options to process */
- if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
+ if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
- i = authdat->checksum->length - 24;
+ i = authdat->checksum->length - 24;
- if (i >= 4) {
+ if (i >= 4) {
- TREAD_INT16(ptr, option_id, bigend);
+ TREAD_INT16(ptr, option_id, bigend);
- TREAD_INT16(ptr, option.length, bigend);
+ TREAD_INT16(ptr, option.length, bigend);
- i -= 4;
+ i -= 4;
- if (i < option.length || option.length < 0) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (i < option.length || option.length < 0) {
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
+ /* have to use ptr2, since option.data is wrong type and
+ macro uses ptr as both lvalue and rvalue */
- TREAD_STR(ptr, ptr2, option.length);
- option.data = (char *) ptr2;
+ TREAD_STR(ptr, ptr2, option.length);
+ option.data = (char *) ptr2;
- i -= option.length;
+ i -= option.length;
- if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* store the delegated credential */
+ /* store the delegated credential */
- code = rd_and_store_for_creds(context, auth_context, &option,
- (delegated_cred_handle) ?
- &deleg_cred : NULL);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ code = rd_and_store_for_creds(context, auth_context, &option,
+ (delegated_cred_handle) ?
+ &deleg_cred : NULL);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- } /* if i >= 4 */
- /* ignore any additional trailing data, for now */
+ } /* if i >= 4 */
+ /* ignore any additional trailing data, for now */
#ifdef CFX_EXERCISE
- {
- FILE *f = fopen("/tmp/gsslog", "a");
- if (f) {
- fprintf(f,
- "initial context token with delegation, %d extra bytes\n",
- i);
- fclose(f);
- }
- }
+ {
+ FILE *f = fopen("/tmp/gsslog", "a");
+ if (f) {
+ fprintf(f,
+ "initial context token with delegation, %d extra bytes\n",
+ i);
+ fclose(f);
+ }
+ }
#endif
- } else {
+ } else {
#ifdef CFX_EXERCISE
- {
- FILE *f = fopen("/tmp/gsslog", "a");
- if (f) {
- if (gss_flags & GSS_C_DELEG_FLAG)
- fprintf(f,
- "initial context token, delegation flag but too small\n");
- else
- /* no deleg flag, length might still be too big */
- fprintf(f,
- "initial context token, %d extra bytes\n",
- authdat->checksum->length - 24);
- fclose(f);
- }
- }
+ {
+ FILE *f = fopen("/tmp/gsslog", "a");
+ if (f) {
+ if (gss_flags & GSS_C_DELEG_FLAG)
+ fprintf(f,
+ "initial context token, delegation flag but too small\n");
+ else
+ /* no deleg flag, length might still be too big */
+ fprintf(f,
+ "initial context token, %d extra bytes\n",
+ authdat->checksum->length - 24);
+ fclose(f);
+ }
+ }
#endif
- }
- }
+ }
+ }
- /* create the ctx struct and start filling it in */
+ /* only DCE_STYLE clients are allowed to send raw AP-REQs */
+ if (no_encap != ((gss_flags & GSS_C_DCE_STYLE) != 0)) {
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- code = ENOMEM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* create the ctx struct and start filling it in */
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx->mech_used = (gss_OID) mech_used;
- ctx->auth_context = auth_context;
- ctx->initiate = 0;
- ctx->gss_flags = (GSS_C_TRANS_FLAG |
- ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
- ctx->seed_init = 0;
- ctx->big_endian = bigend;
- ctx->cred_rcache = cred_rcache;
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ code = ENOMEM;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* Intern the ctx pointer so that delete_sec_context works */
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- xfree(ctx);
- ctx = 0;
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx->mech_used = (gss_OID) mech_used;
+ ctx->auth_context = auth_context;
+ ctx->initiate = 0;
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
+ ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |
+ GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
+ GSS_C_EXTENDED_ERROR_FLAG)));
+ ctx->seed_init = 0;
+ ctx->big_endian = bigend;
+ ctx->cred_rcache = cred_rcache;
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* Intern the ctx pointer so that delete_sec_context works */
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ xfree(ctx);
+ ctx = 0;
- if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ code = G_VALIDATE_FAILED;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* XXX move this into gss_name_t */
+ if (ticket->enc_part2->authorization_data != NULL &&
+ (code = krb5_copy_authdata(context,
+ ticket->enc_part2->authorization_data,
+ &ctx->authdata))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
- &ctx->subkey))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* use the session key if the subkey isn't present */
+ if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
+ &ctx->subkey))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- if (ctx->subkey == NULL) {
- if ((code = krb5_auth_con_getkey(context, auth_context,
- &ctx->subkey))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
+ /* use the session key if the subkey isn't present */
- if (ctx->subkey == NULL) {
- /* this isn't a very good error, but it's not clear to me this
- can actually happen */
- major_status = GSS_S_FAILURE;
- code = KRB5KDC_ERR_NULL_KEY;
- goto fail;
- }
+ if (ctx->subkey == NULL) {
+ if ((code = krb5_auth_con_getkey(context, auth_context,
+ &ctx->subkey))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- ctx->proto = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
+ if (ctx->subkey == NULL) {
+ /* this isn't a very good error, but it's not clear to me this
+ can actually happen */
+ major_status = GSS_S_FAILURE;
+ code = KRB5KDC_ERR_NULL_KEY;
+ goto fail;
+ }
- /* fill in the encryption descriptors */
+ ctx->enc = NULL;
+ ctx->seq = NULL;
+ ctx->have_acceptor_subkey = 0;
+ /* DCE_STYLE implies acceptor_subkey */
+ if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) {
+ code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ ctx->krb_times = ticket->enc_part2->times; /* struct copy */
+ ctx->krb_flags = ticket->enc_part2->flags;
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ krb5_free_ticket(context, ticket); /* Done with ticket */
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
+ {
+ krb5_int32 seq_temp;
+ krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_recv = seq_temp;
+ }
- goto copy_subkey_to_seq;
+ if ((code = krb5_timeofday(context, &now))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- case ENCTYPE_DES3_CBC_SHA1:
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
+ if (ctx->krb_times.endtime < now) {
+ code = 0;
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
- /* fill in the encryption descriptors */
- copy_subkey:
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- copy_subkey_to_seq:
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- break;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
- goto copy_subkey;
+ /* DCE_STYLE implies mutual authentication */
+ if (ctx->gss_flags & GSS_C_DCE_STYLE)
+ ctx->gss_flags |= GSS_C_MUTUAL_FLAG;
- default:
- ctx->signalg = -1;
- ctx->sealalg = -1;
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code)
- goto fail;
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code)
- goto fail;
- ctx->have_acceptor_subkey = 0;
- goto copy_subkey;
- }
+ /* at this point, the entire context structure is filled in,
+ so it can be released. */
- ctx->endtime = ticket->enc_part2->times.endtime;
- ctx->krb_flags = ticket->enc_part2->flags;
+ /* generate an AP_REP if necessary */
- krb5_free_ticket(context, ticket); /* Done with ticket */
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ unsigned char * ptr3;
+ krb5_int32 seq_temp;
+ int cfx_generate_subkey;
- {
- krb5_ui_4 seq_temp;
- krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
- ctx->seq_recv = seq_temp;
- }
+ if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
+ (ap_req_options & AP_OPTS_USE_SUBKEY))
+ cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
+ else
+ cfx_generate_subkey = 0;
- if ((code = krb5_timeofday(context, &now))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (cfx_generate_subkey) {
+ krb5_int32 acflags;
+ code = krb5_auth_con_getflags(context, auth_context, &acflags);
+ if (code == 0) {
+ acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY;
+ code = krb5_auth_con_setflags(context, auth_context, acflags);
+ }
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- if (ctx->endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
+ if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
+ krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_send = seq_temp & 0xffffffffL;
- /* at this point, the entire context structure is filled in,
- so it can be released. */
+ if (cfx_generate_subkey) {
+ /* Get the new acceptor subkey. With the code above, there
+ should always be one if we make it to this point. */
+ code = krb5_auth_con_getsendsubkey(context, auth_context,
+ &ctx->acceptor_subkey);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ ctx->have_acceptor_subkey = 1;
- /* generate an AP_REP if necessary */
+ code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- unsigned char * ptr3;
- krb5_ui_4 seq_temp;
- int cfx_generate_subkey;
+ /* the reply token hasn't been sent yet, but that's ok. */
+ if (ctx->gss_flags & GSS_C_DCE_STYLE) {
+ assert(ctx->have_acceptor_subkey);
- if (ctx->proto == 1)
- cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
- else
- cfx_generate_subkey = 0;
+ /* in order to force acceptor subkey to be used, don't set PROT_READY */
- if (cfx_generate_subkey) {
- krb5_int32 acflags;
- code = krb5_auth_con_getflags(context, auth_context, &acflags);
- if (code == 0) {
- acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY;
- code = krb5_auth_con_setflags(context, auth_context, acflags);
- }
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
+ /* Raw AP-REP is returned */
+ output_token->length = ap_rep.length;
+ output_token->value = ap_rep.data;
+ ap_rep.data = NULL; /* don't double free */
- if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ ctx->established = 0;
- krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
- ctx->seq_send = seq_temp & 0xffffffffL;
+ *context_handle = (gss_ctx_id_t)ctx;
+ *minor_status = 0;
+ major_status = GSS_S_CONTINUE_NEEDED;
- if (cfx_generate_subkey) {
- /* Get the new acceptor subkey. With the code above, there
- should always be one if we make it to this point. */
- code = krb5_auth_con_getsendsubkey(context, auth_context,
- &ctx->acceptor_subkey);
- if (code != 0) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- ctx->have_acceptor_subkey = 1;
- }
+ /* Only last leg should set return arguments */
+ goto fail;
+ } else
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
- /* the reply token hasn't been sent yet, but that's ok. */
- ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
- ctx->established = 1;
+ ctx->established = 1;
- token.length = g_token_size(mech_used, ap_rep.length);
+ token.length = g_token_size(mech_used, ap_rep.length);
- if ((token.value = (unsigned char *) xmalloc(token.length))
- == NULL) {
- major_status = GSS_S_FAILURE;
- code = ENOMEM;
- goto fail;
- }
- ptr3 = token.value;
- g_make_token_header(mech_used, ap_rep.length,
- &ptr3, KG_TOK_CTX_AP_REP);
+ if ((token.value = (unsigned char *) xmalloc(token.length))
+ == NULL) {
+ major_status = GSS_S_FAILURE;
+ code = ENOMEM;
+ goto fail;
+ }
+ ptr3 = token.value;
+ g_make_token_header(mech_used, ap_rep.length,
+ &ptr3, KG_TOK_CTX_AP_REP);
- TWRITE_STR(ptr3, ap_rep.data, ap_rep.length);
+ TWRITE_STR(ptr3, ap_rep.data, ap_rep.length);
- ctx->established = 1;
+ ctx->established = 1;
- } else {
- token.length = 0;
- token.value = NULL;
- ctx->seq_send = ctx->seq_recv;
+ } else {
+ token.length = 0;
+ token.value = NULL;
+ ctx->seq_send = ctx->seq_recv;
- ctx->established = 1;
- }
+ ctx->established = 1;
+ }
- /* set the return arguments */
+ /* set the return arguments */
- if (src_name) {
- if ((code = krb5_copy_principal(context, ctx->there, &name))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- /* intern the src_name */
- if (! kg_save_name((gss_name_t) name)) {
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
+ if (src_name) {
+ if ((code = krb5_copy_principal(context, ctx->there, &name))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ /* intern the src_name */
+ if (! kg_save_name((gss_name_t) name)) {
+ code = G_VALIDATE_FAILED;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- if (mech_type)
- *mech_type = (gss_OID) mech_used;
+ if (mech_type)
+ *mech_type = (gss_OID) mech_used;
- if (time_rec)
- *time_rec = ctx->endtime - now;
+ if (time_rec)
+ *time_rec = ctx->krb_times.endtime - now;
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
- *context_handle = (gss_ctx_id_t)ctx;
- *output_token = token;
+ *context_handle = (gss_ctx_id_t)ctx;
+ *output_token = token;
- if (src_name)
- *src_name = (gss_name_t) name;
+ if (src_name)
+ *src_name = (gss_name_t) name;
- if (delegated_cred_handle && deleg_cred) {
- if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
- major_status = GSS_S_FAILURE;
- code = G_VALIDATE_FAILED;
- goto fail;
- }
+ if (delegated_cred_handle && deleg_cred) {
+ if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
+ major_status = GSS_S_FAILURE;
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
- *delegated_cred_handle = (gss_cred_id_t) deleg_cred;
- }
+ *delegated_cred_handle = (gss_cred_id_t) deleg_cred;
+ }
- /* finally! */
+ /* finally! */
- *minor_status = 0;
- major_status = GSS_S_COMPLETE;
+ *minor_status = 0;
+ major_status = GSS_S_COMPLETE;
- fail:
- if (authdat)
- krb5_free_authenticator(context, authdat);
- /* The ctx structure has the handle of the auth_context */
- if (auth_context && !ctx) {
- if (cred_rcache)
- (void)krb5_auth_con_setrcache(context, auth_context, NULL);
+fail:
+ if (authdat)
+ krb5_free_authenticator(context, authdat);
+ /* The ctx structure has the handle of the auth_context */
+ if (auth_context && !ctx) {
+ if (cred_rcache)
+ (void)krb5_auth_con_setrcache(context, auth_context, NULL);
- krb5_auth_con_free(context, auth_context);
- }
- if (reqcksum.contents)
- xfree(reqcksum.contents);
- if (ap_rep.data)
- krb5_free_data_contents(context, &ap_rep);
+ krb5_auth_con_free(context, auth_context);
+ }
+ if (reqcksum.contents)
+ xfree(reqcksum.contents);
+ if (ap_rep.data)
+ krb5_free_data_contents(context, &ap_rep);
+ if (major_status == GSS_S_COMPLETE ||
+ (major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) {
+ ctx->k5_context = context;
+ context = NULL;
+ goto done;
+ }
- if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) {
- ctx->k5_context = context;
- context = NULL;
- goto done;
- }
+ /* from here on is the real "fail" code */
- /* from here on is the real "fail" code */
+ if (ctx)
+ (void) krb5_gss_delete_sec_context(&tmp_minor_status,
+ (gss_ctx_id_t *) &ctx, NULL);
+ if (deleg_cred) { /* free memory associated with the deleg credential */
+ if (deleg_cred->ccache)
+ (void)krb5_cc_close(context, deleg_cred->ccache);
+ if (deleg_cred->princ)
+ krb5_free_principal(context, deleg_cred->princ);
+ xfree(deleg_cred);
+ }
+ if (token.value)
+ xfree(token.value);
+ if (name) {
+ (void) kg_delete_name((gss_name_t) name);
+ krb5_free_principal(context, name);
+ }
- if (ctx)
- (void) krb5_gss_delete_sec_context(&tmp_minor_status,
- (gss_ctx_id_t *) &ctx, NULL);
- if (deleg_cred) { /* free memory associated with the deleg credential */
- if (deleg_cred->ccache)
- (void)krb5_cc_close(context, deleg_cred->ccache);
- if (deleg_cred->princ)
- krb5_free_principal(context, deleg_cred->princ);
- xfree(deleg_cred);
- }
- if (token.value)
- xfree(token.value);
- if (name) {
- (void) kg_delete_name((gss_name_t) name);
- krb5_free_principal(context, name);
- }
+ *minor_status = code;
- *minor_status = code;
+ /*
+ * If decode_req_message is set, then we need to decode the ap_req
+ * message to determine whether or not to send a response token.
+ * We need to do this because for some errors we won't be able to
+ * decode the authenticator to read out the gss_flags field.
+ */
+ if (decode_req_message) {
+ krb5_ap_req * request;
- /*
- * If decode_req_message is set, then we need to decode the ap_req
- * message to determine whether or not to send a response token.
- * We need to do this because for some errors we won't be able to
- * decode the authenticator to read out the gss_flags field.
- */
- if (decode_req_message) {
- krb5_ap_req * request;
-
- if (decode_krb5_ap_req(&ap_req, &request))
- goto done;
+ if (decode_krb5_ap_req(&ap_req, &request))
+ goto done;
- if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED)
- gss_flags |= GSS_C_MUTUAL_FLAG;
- krb5_free_ap_req(context, request);
- }
+ if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
+ krb5_free_ap_req(context, request);
+ }
- if (cred
- && ((gss_flags & GSS_C_MUTUAL_FLAG)
- || (major_status == GSS_S_CONTINUE_NEEDED))) {
- unsigned int tmsglen;
- int toktype;
+ if (cred
+ && ((gss_flags & GSS_C_MUTUAL_FLAG)
+ || (major_status == GSS_S_CONTINUE_NEEDED))) {
+ unsigned int tmsglen;
+ int toktype;
- /*
- * The client is expecting a response, so we can send an
- * error token back
- */
- memset(&krb_error_data, 0, sizeof(krb_error_data));
+ /*
+ * The client is expecting a response, so we can send an
+ * error token back
+ */
+ memset(&krb_error_data, 0, sizeof(krb_error_data));
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = 60 /* KRB_ERR_GENERIC */;
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = 60 /* KRB_ERR_GENERIC */;
- krb_error_data.error = code;
- (void) krb5_us_timeofday(context, &krb_error_data.stime,
- &krb_error_data.susec);
- krb_error_data.server = cred->princ;
+ krb_error_data.error = code;
+ (void) krb5_us_timeofday(context, &krb_error_data.stime,
+ &krb_error_data.susec);
+ krb_error_data.server = cred->princ;
- code = krb5_mk_error(context, &krb_error_data, &scratch);
- if (code)
- goto done;
+ code = krb5_mk_error(context, &krb_error_data, &scratch);
+ if (code)
+ goto done;
- tmsglen = scratch.length;
- toktype = KG_TOK_CTX_ERROR;
+ tmsglen = scratch.length;
+ toktype = KG_TOK_CTX_ERROR;
- token.length = g_token_size(mech_used, tmsglen);
- token.value = (unsigned char *) xmalloc(token.length);
- if (!token.value)
- goto done;
+ token.length = g_token_size(mech_used, tmsglen);
+ token.value = (unsigned char *) xmalloc(token.length);
+ if (!token.value)
+ goto done;
- ptr = token.value;
- g_make_token_header(mech_used, tmsglen, &ptr, toktype);
+ ptr = token.value;
+ g_make_token_header(mech_used, tmsglen, &ptr, toktype);
- TWRITE_STR(ptr, scratch.data, scratch.length);
- krb5_free_data_contents(context, &scratch);
+ TWRITE_STR(ptr, scratch.data, scratch.length);
+ krb5_free_data_contents(context, &scratch);
- *output_token = token;
- }
+ *output_token = token;
+ }
- done:
- if (!verifier_cred_handle && cred_handle) {
- krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
- }
- if (context) {
- if (major_status && *minor_status)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- }
- return (major_status);
+done:
+ if (!verifier_cred_handle && cred_handle) {
+ krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
+ }
+ if (context) {
+ if (major_status && *minor_status)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ }
+ return (major_status);
}
#endif /* LEAN_CLIENT */
+OM_uint32
+krb5_gss_accept_sec_context(minor_status, context_handle,
+ verifier_cred_handle, input_token,
+ input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec,
+ delegated_cred_handle)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_cred_id_t verifier_cred_handle;
+ gss_buffer_t input_token;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_name_t *src_name;
+ gss_OID *mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
+ gss_cred_id_t *delegated_cred_handle;
+{
+ krb5_gss_ctx_id_rec *ctx = (krb5_gss_ctx_id_rec *)*context_handle;
+
+ /*
+ * Context handle must be unspecified. Actually, it must be
+ * non-established, but currently, accept_sec_context never returns
+ * a non-established context handle.
+ */
+ /*SUPPRESS 29*/
+ if (ctx != NULL) {
+ if (ctx->established == 0 && (ctx->gss_flags & GSS_C_DCE_STYLE)) {
+ return kg_accept_dce(minor_status, context_handle,
+ verifier_cred_handle, input_token,
+ input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec,
+ delegated_cred_handle);
+ } else {
+ *minor_status = EINVAL;
+ save_error_string(EINVAL, "accept_sec_context called with existing context handle");
+ return GSS_S_FAILURE;
+ }
+ }
+
+ return kg_accept_krb5(minor_status, context_handle,
+ verifier_cred_handle, input_token,
+ input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec,
+ delegated_cred_handle);
+}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/acquire_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/acquire_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -46,14 +47,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -64,14 +65,13 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include "k5-int.h"
-#include "gss_libinit.h"
#include "gssapiP_krb5.h"
#ifdef HAVE_STRING_H
#include <string.h>
@@ -81,6 +81,7 @@
#if defined(USE_KIM)
#include <kim/kim.h>
+#include "kim_library_private.h"
#elif defined(USE_LEASH)
#ifdef _WIN64
#define LEASH_DLL "leashw64.dll"
@@ -96,598 +97,665 @@
static char *krb5_gss_keytab = NULL;
/* Heimdal calls this gsskrb5_register_acceptor_identity. */
-OM_uint32 KRB5_CALLCONV
-krb5_gss_register_acceptor_identity(const char *keytab)
+OM_uint32
+gss_krb5int_register_acceptor_identity(OM_uint32 *minor_status,
+ const gss_OID desired_mech,
+ const gss_OID desired_object,
+ gss_buffer_t value)
{
char *new, *old;
int err;
- err = gssint_initialize_library();
+ err = gss_krb5int_initialize_library();
if (err != 0)
- return GSS_S_FAILURE;
+ return GSS_S_FAILURE;
- if (keytab == NULL)
- return GSS_S_FAILURE;
+ if (value->value == NULL)
+ return GSS_S_FAILURE;
- new = strdup(keytab);
+ new = strdup((char *)value->value);
if (new == NULL)
- return GSS_S_FAILURE;
+ return GSS_S_FAILURE;
err = k5_mutex_lock(&gssint_krb5_keytab_lock);
if (err) {
- free(new);
- return GSS_S_FAILURE;
+ free(new);
+ return GSS_S_FAILURE;
}
old = krb5_gss_keytab;
krb5_gss_keytab = new;
k5_mutex_unlock(&gssint_krb5_keytab_lock);
if (old != NULL)
- free(old);
+ free(old);
return GSS_S_COMPLETE;
}
/* get credentials corresponding to a key in the krb5 keytab.
If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
- of the return value.
+ If output_princ is non-NULL, the caller will use or free it, regardless
+ of the return value.
If successful, set the keytab-specific fields in cred
- */
+*/
-static OM_uint32
+static OM_uint32
acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
- krb5_gss_cred_id_rec *cred;
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ krb5_principal *output_princ;
+ krb5_gss_cred_id_rec *cred;
{
- krb5_error_code code;
- krb5_principal princ;
- krb5_keytab kt;
- krb5_keytab_entry entry;
+ krb5_error_code code;
+ krb5_principal princ;
+ krb5_keytab kt;
+ krb5_keytab_entry entry;
- *output_princ = NULL;
- cred->keytab = NULL;
+ *output_princ = NULL;
+ cred->keytab = NULL;
- /* open the default keytab */
+ /* open the default keytab */
- code = gssint_initialize_library();
- if (code != 0) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- code = k5_mutex_lock(&gssint_krb5_keytab_lock);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- if (krb5_gss_keytab != NULL) {
- code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
- } else {
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
- code = krb5_kt_default(context, &kt);
- }
+ code = gss_krb5int_initialize_library();
+ if (code != 0) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ code = k5_mutex_lock(&gssint_krb5_keytab_lock);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (krb5_gss_keytab != NULL) {
+ code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ } else {
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ code = krb5_kt_default(context, &kt);
+ }
- if (code) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
- if (desired_name != GSS_C_NO_NAME) {
- princ = (krb5_principal) desired_name;
- if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
- (void) krb5_kt_close(context, kt);
- if (code == KRB5_KT_NOTFOUND) {
- char *errstr = krb5_get_error_message(context, code);
- krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
- krb5_free_error_message(context, errstr);
- *minor_status = KG_KEYTAB_NOMATCH;
- } else
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- krb5_kt_free_entry(context, &entry);
+ if (desired_name != GSS_C_NO_NAME) {
+ princ = (krb5_principal) desired_name;
+ if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
+ (void) krb5_kt_close(context, kt);
+ if (code == KRB5_KT_NOTFOUND) {
+ char *errstr = (char *)krb5_get_error_message(context, code);
+ krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
+ krb5_free_error_message(context, errstr);
+ *minor_status = KG_KEYTAB_NOMATCH;
+ } else
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ krb5_kt_free_entry(context, &entry);
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- }
+ }
/* hooray. we made it */
- cred->keytab = kt;
+ cred->keytab = kt;
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
#endif /* LEAN_CLIENT */
/* get credentials corresponding to the default credential cache.
If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
- of the return value.
+ If output_princ is non-NULL, the caller will use or free it, regardless
+ of the return value.
If successful, set the ccache-specific fields in cred.
- */
+*/
-static OM_uint32
+static OM_uint32
acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
- krb5_gss_cred_id_rec *cred;
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ krb5_principal *output_princ;
+ krb5_gss_cred_id_rec *cred;
{
- krb5_error_code code;
- krb5_ccache ccache;
- krb5_principal princ, tmp_princ;
- krb5_flags flags;
- krb5_cc_cursor cur;
- krb5_creds creds;
- int got_endtime;
- int caller_provided_ccache_name = 0;
+ krb5_error_code code;
+ krb5_ccache ccache;
+ krb5_principal princ, tmp_princ;
+ krb5_flags flags;
+ krb5_cc_cursor cur;
+ krb5_creds creds;
+ int got_endtime;
+ int caller_provided_ccache_name = 0;
- cred->ccache = NULL;
+ cred->ccache = NULL;
- /* load the GSS ccache name into the kg_context */
-
- if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
- return(GSS_S_FAILURE);
+ /* load the GSS ccache name into the kg_context */
- /* check to see if the caller provided a ccache name if so
- * we will just use that and not search the cache collection */
- if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
- return(GSS_S_FAILURE);
- }
+ if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
+ return(GSS_S_FAILURE);
+ /* check to see if the caller provided a ccache name if so
+ * we will just use that and not search the cache collection */
+ if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
+ return(GSS_S_FAILURE);
+ }
+
#if defined(USE_KIM) || defined(USE_LEASH)
- if (desired_name && !caller_provided_ccache_name) {
+ if (desired_name && !caller_provided_ccache_name) {
#if defined(USE_KIM)
- kim_error err = KIM_NO_ERROR;
- kim_ccache kimccache = NULL;
- kim_identity identity = NULL;
+ kim_error err = KIM_NO_ERROR;
+ kim_ccache kimccache = NULL;
+ kim_identity identity = NULL;
+ kim_credential_state state;
+ krb5_principal desired_princ = (krb5_principal) desired_name;
- err = kim_identity_create_from_krb5_principal (&identity,
- context,
- (krb5_principal) desired_name);
-
- if (!err) {
- err = kim_ccache_create_new_if_needed (&kimccache,
- identity,
- KIM_OPTIONS_DEFAULT);
- }
-
- if (!err) {
- err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache);
- }
-
- kim_ccache_free (&kimccache);
- kim_identity_free (&identity);
-
- if (err) {
- *minor_status = err;
- return(GSS_S_CRED_UNAVAIL);
- }
-
+ err = kim_identity_create_from_krb5_principal (&identity,
+ context,
+ desired_princ);
+
+ if (!err) {
+ err = kim_ccache_create_from_client_identity (&kimccache, identity);
+ }
+
+ if (!err) {
+ err = kim_ccache_get_state (kimccache, &state);
+ }
+
+ if (!err && state != kim_credentials_state_valid) {
+ if (state == kim_credentials_state_needs_validation) {
+ err = kim_ccache_validate (kimccache, KIM_OPTIONS_DEFAULT);
+ } else {
+ kim_ccache_free (&kimccache);
+ ccache = NULL;
+ }
+ }
+
+ if (!kimccache && kim_library_allow_automatic_prompting ()) {
+ /* ccache does not already exist, create a new one */
+ err = kim_ccache_create_new (&kimccache, identity,
+ KIM_OPTIONS_DEFAULT);
+ }
+
+ if (!err) {
+ err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache);
+ }
+
+ kim_ccache_free (&kimccache);
+ kim_identity_free (&identity);
+
+ if (err) {
+ *minor_status = err;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
#elif defined(USE_LEASH)
- if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
- hLeashDLL = LoadLibrary(LEASH_DLL);
- if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
- (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
- GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
- }
- }
-
- if ( pLeash_AcquireInitialTicketsIfNeeded ) {
- char ccname[256]="";
- pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
- if (!ccname[0]) {
- *minor_status = KRB5_CC_NOTFOUND;
- return(GSS_S_CRED_UNAVAIL);
- }
+ if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
+ hLeashDLL = LoadLibrary(LEASH_DLL);
+ if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
+ (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
+ GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
+ }
+ }
- if ((code = krb5_cc_resolve (context, ccname, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- } else {
- /* leash dll not available, open the default credential cache */
-
- if ((code = krb5int_cc_default(context, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- }
+ if ( pLeash_AcquireInitialTicketsIfNeeded ) {
+ char ccname[256]="";
+ pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
+ if (!ccname[0]) {
+ *minor_status = KRB5_CC_NOTFOUND;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
+ if ((code = krb5_cc_resolve (context, ccname, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ } else {
+ /* leash dll not available, open the default credential cache */
+
+ if ((code = krb5int_cc_default(context, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ }
#endif /* USE_LEASH */
- } else
+ } else
#endif /* USE_KIM || USE_LEASH */
- {
- /* open the default credential cache */
-
- if ((code = krb5int_cc_default(context, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- }
+ {
+ /* open the default credential cache */
- /* turn off OPENCLOSE mode while extensive frobbing is going on */
+ if ((code = krb5int_cc_default(context, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ }
- flags = 0; /* turns off OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, ccache, flags))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
+ /* turn off OPENCLOSE mode while extensive frobbing is going on */
- /* get out the principal name and see if it matches */
+ flags = 0; /* turns off OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
- if ((code = krb5_cc_get_principal(context, ccache, &princ))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ /* get out the principal name and see if it matches */
- if (desired_name != (gss_name_t) NULL) {
- if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
- (void)krb5_free_principal(context, princ);
- (void)krb5_cc_close(context, ccache);
- *minor_status = KG_CCACHE_NOMATCH;
- return(GSS_S_CRED_UNAVAIL);
- }
- (void)krb5_free_principal(context, princ);
- princ = (krb5_principal) desired_name;
- } else {
- *output_princ = princ;
- }
+ if ((code = krb5_cc_get_principal(context, ccache, &princ))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- /* iterate over the ccache, find the tgt */
+ if (desired_name != (gss_name_t) NULL) {
+ if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
+ (void)krb5_free_principal(context, princ);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ (void)krb5_free_principal(context, princ);
+ princ = (krb5_principal) desired_name;
+ } else {
+ *output_princ = princ;
+ }
- if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ /* iterate over the ccache, find the tgt */
- /* this is hairy. If there's a tgt for the principal's local realm
- in here, that's what we want for the expire time. But if
- there's not, then we want to use the first key. */
+ if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- got_endtime = 0;
+ /* this is hairy. If there's a tgt for the principal's local realm
+ in here, that's what we want for the expire time. But if
+ there's not, then we want to use the first key. */
- code = krb5_build_principal_ext(context, &tmp_princ,
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
- 6, "krbtgt",
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
- 0);
- if (code) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) {
- if (krb5_principal_compare(context, tmp_princ, creds.server)) {
- cred->tgt_expire = creds.times.endtime;
- got_endtime = 1;
- *minor_status = 0;
- code = 0;
- krb5_free_cred_contents(context, &creds);
- break;
- }
- if (got_endtime == 0) {
- cred->tgt_expire = creds.times.endtime;
- got_endtime = 1;
- }
- krb5_free_cred_contents(context, &creds);
- }
- krb5_free_principal(context, tmp_princ);
+ got_endtime = 0;
- if (code && code != KRB5_CC_END) {
- /* this means some error occurred reading the ccache */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- } else if (! got_endtime) {
- /* this means the ccache was entirely empty */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
- *minor_status = KG_EMPTY_CCACHE;
- return(GSS_S_FAILURE);
- } else {
- /* this means that we found an endtime to use. */
- if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, ccache, flags))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- }
+ code = krb5_build_principal_ext(context, &tmp_princ,
+ krb5_princ_realm(context, princ)->length,
+ krb5_princ_realm(context, princ)->data,
+ 6, "krbtgt",
+ krb5_princ_realm(context, princ)->length,
+ krb5_princ_realm(context, princ)->data,
+ 0);
+ if (code) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) {
+ if (krb5_principal_compare(context, tmp_princ, creds.server)) {
+ cred->tgt_expire = creds.times.endtime;
+ got_endtime = 1;
+ *minor_status = 0;
+ code = 0;
+ krb5_free_cred_contents(context, &creds);
+ break;
+ }
+ if (got_endtime == 0) {
+ cred->tgt_expire = creds.times.endtime;
+ got_endtime = 1;
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ krb5_free_principal(context, tmp_princ);
- /* the credentials match and are valid */
+ if (code && code != KRB5_CC_END) {
+ /* this means some error occurred reading the ccache */
+ (void)krb5_cc_end_seq_get(context, ccache, &cur);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ } else if (! got_endtime) {
+ /* this means the ccache was entirely empty */
+ (void)krb5_cc_end_seq_get(context, ccache, &cur);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = KG_EMPTY_CCACHE;
+ return(GSS_S_FAILURE);
+ } else {
+ /* this means that we found an endtime to use. */
+ if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ }
- cred->ccache = ccache;
- /* minor_status is set while we are iterating over the ccache */
- return(GSS_S_COMPLETE);
+ /* the credentials match and are valid */
+
+ cred->ccache = ccache;
+ /* minor_status is set while we are iterating over the ccache */
+ return(GSS_S_COMPLETE);
}
-
+
/*ARGSUSED*/
OM_uint32
krb5_gss_acquire_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, output_cred_handle,
- actual_mechs, time_rec)
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- OM_uint32 time_req;
- gss_OID_set desired_mechs;
- gss_cred_usage_t cred_usage;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *time_rec;
+ desired_mechs, cred_usage, output_cred_handle,
+ actual_mechs, time_rec)
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ OM_uint32 time_req;
+ gss_OID_set desired_mechs;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *time_rec;
{
- krb5_context context;
- size_t i;
- krb5_gss_cred_id_t cred;
- gss_OID_set ret_mechs;
- int req_old, req_new;
- OM_uint32 ret;
- krb5_error_code code;
+ krb5_context context;
+ size_t i;
+ krb5_gss_cred_id_t cred;
+ gss_OID_set ret_mechs;
+ int req_old, req_new;
+ OM_uint32 ret;
+ krb5_error_code code;
- code = gssint_initialize_library();
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = gss_krb5int_initialize_library();
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- /* make sure all outputs are valid */
+ /* make sure all outputs are valid */
- *output_cred_handle = NULL;
- if (actual_mechs)
- *actual_mechs = NULL;
- if (time_rec)
- *time_rec = 0;
+ *output_cred_handle = NULL;
+ if (actual_mechs)
+ *actual_mechs = NULL;
+ if (time_rec)
+ *time_rec = 0;
- /* validate the name */
+ /* validate the name */
- /*SUPPRESS 29*/
- if ((desired_name != (gss_name_t) NULL) &&
- (! kg_validate_name(desired_name))) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ /*SUPPRESS 29*/
+ if ((desired_name != (gss_name_t) NULL) &&
+ (! kg_validate_name(desired_name))) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- /* verify that the requested mechanism set is the default, or
- contains krb5 */
+ /* verify that the requested mechanism set is the default, or
+ contains krb5 */
- if (desired_mechs == GSS_C_NULL_OID_SET) {
- req_old = 1;
- req_new = 1;
- } else {
- req_old = 0;
- req_new = 0;
+ if (desired_mechs == GSS_C_NULL_OID_SET) {
+ req_old = 1;
+ req_new = 1;
+ } else {
+ req_old = 0;
+ req_new = 0;
- for (i=0; i<desired_mechs->count; i++) {
- if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
- req_old++;
- if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
- req_new++;
- }
+ for (i=0; i<desired_mechs->count; i++) {
+ if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
+ req_old++;
+ if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
+ req_new++;
+ }
- if (!req_old && !req_new) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_BAD_MECH);
- }
- }
+ if (!req_old && !req_new) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_BAD_MECH);
+ }
+ }
- /* create the gss cred structure */
+ /* create the gss cred structure */
- if ((cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
+ if ((cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
- cred->usage = cred_usage;
- cred->princ = NULL;
- cred->prerfc_mech = req_old;
- cred->rfc_mech = req_new;
+ cred->usage = cred_usage;
+ cred->princ = NULL;
+ cred->prerfc_mech = req_old;
+ cred->rfc_mech = req_new;
#ifndef LEAN_CLIENT
- cred->keytab = NULL;
+ cred->keytab = NULL;
#endif /* LEAN_CLIENT */
- cred->ccache = NULL;
+ cred->ccache = NULL;
- code = k5_mutex_init(&cred->lock);
- if (code) {
- *minor_status = code;
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- /* Note that we don't need to lock this GSSAPI credential record
- here, because no other thread can gain access to it until we
- return it. */
+ code = k5_mutex_init(&cred->lock);
+ if (code) {
+ *minor_status = code;
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ /* Note that we don't need to lock this GSSAPI credential record
+ here, because no other thread can gain access to it until we
+ return it. */
- if ((cred_usage != GSS_C_INITIATE) &&
- (cred_usage != GSS_C_ACCEPT) &&
- (cred_usage != GSS_C_BOTH)) {
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if ((cred_usage != GSS_C_INITIATE) &&
+ (cred_usage != GSS_C_ACCEPT) &&
+ (cred_usage != GSS_C_BOTH)) {
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- /* if requested, acquire credentials for accepting */
- /* this will fill in cred->princ if the desired_name is not specified */
+ /* if requested, acquire credentials for accepting */
+ /* this will fill in cred->princ if the desired_name is not specified */
#ifndef LEAN_CLIENT
- if ((cred_usage == GSS_C_ACCEPT) ||
- (cred_usage == GSS_C_BOTH))
- if ((ret = acquire_accept_cred(context, minor_status, desired_name,
- &(cred->princ), cred))
- != GSS_S_COMPLETE) {
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* minor_status set by acquire_accept_cred() */
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(ret);
- }
+ if ((cred_usage == GSS_C_ACCEPT) ||
+ (cred_usage == GSS_C_BOTH))
+ if ((ret = acquire_accept_cred(context, minor_status, desired_name,
+ &(cred->princ), cred))
+ != GSS_S_COMPLETE) {
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* minor_status set by acquire_accept_cred() */
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(ret);
+ }
#endif /* LEAN_CLIENT */
- /* if requested, acquire credentials for initiation */
- /* this will fill in cred->princ if it wasn't set above, and
- the desired_name is not specified */
+ /* if requested, acquire credentials for initiation */
+ /* this will fill in cred->princ if it wasn't set above, and
+ the desired_name is not specified */
- if ((cred_usage == GSS_C_INITIATE) ||
- (cred_usage == GSS_C_BOTH))
- if ((ret =
- acquire_init_cred(context, minor_status,
- cred->princ?(gss_name_t)cred->princ:desired_name,
- &(cred->princ), cred))
- != GSS_S_COMPLETE) {
+ if ((cred_usage == GSS_C_INITIATE) ||
+ (cred_usage == GSS_C_BOTH))
+ if ((ret =
+ acquire_init_cred(context, minor_status,
+ cred->princ?(gss_name_t)cred->princ:desired_name,
+ &(cred->princ), cred))
+ != GSS_S_COMPLETE) {
#ifndef LEAN_CLIENT
- if (cred->keytab)
- krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* minor_status set by acquire_init_cred() */
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(ret);
- }
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* minor_status set by acquire_init_cred() */
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(ret);
+ }
- /* if the princ wasn't filled in already, fill it in now */
+ /* if the princ wasn't filled in already, fill it in now */
- if (!cred->princ && (desired_name != GSS_C_NO_NAME))
- if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
- &(cred->princ)))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (!cred->princ && (desired_name != GSS_C_NO_NAME))
+ if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
+ &(cred->princ)))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- /*** at this point, the cred structure has been completely created */
+ /*** at this point, the cred structure has been completely created */
- /* compute time_rec */
+ /* compute time_rec */
- if (cred_usage == GSS_C_ACCEPT) {
- if (time_rec)
- *time_rec = GSS_C_INDEFINITE;
- } else {
- krb5_timestamp now;
+ if (cred_usage == GSS_C_ACCEPT) {
+ if (time_rec)
+ *time_rec = GSS_C_INDEFINITE;
+ } else {
+ krb5_timestamp now;
- if ((code = krb5_timeofday(context, &now))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if ((code = krb5_timeofday(context, &now))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- if (time_rec)
- *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
- }
+ if (time_rec)
+ *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
+ }
- /* create mechs */
+ /* create mechs */
- if (actual_mechs) {
- if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
- &ret_mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &ret_mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &ret_mechs)))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (actual_mechs) {
+ if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
+ &ret_mechs)) ||
+ (cred->prerfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_old,
+ &ret_mechs))) ||
+ (cred->rfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5,
+ &ret_mechs)))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* *minor_status set above */
- krb5_free_context(context);
- return(ret);
- }
- }
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* *minor_status set above */
+ krb5_free_context(context);
+ return(ret);
+ }
+ }
- /* intern the credential handle */
+ /* intern the credential handle */
- if (! kg_save_cred_id((gss_cred_id_t) cred)) {
- free(ret_mechs->elements);
- free(ret_mechs);
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (! kg_save_cred_id((gss_cred_id_t) cred)) {
+ free(ret_mechs->elements);
+ free(ret_mechs);
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- save_error_string(*minor_status, "error saving credentials");
- krb5_free_context(context);
- return(GSS_S_FAILURE);
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ save_error_string(*minor_status, "error saving credentials");
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ /* return success */
+
+ *minor_status = 0;
+ *output_cred_handle = (gss_cred_id_t) cred;
+ if (actual_mechs)
+ *actual_mechs = ret_mechs;
+
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_krb5int_set_cred_rcache(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_oid,
+ const gss_buffer_t value)
+{
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
+ krb5_context context;
+ krb5_rcache rcache;
+
+ assert(value->length == sizeof(rcache));
+
+ if (value->length != sizeof(rcache))
+ return GSS_S_FAILURE;
+
+ rcache = (krb5_rcache)value->value;
+
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ return GSS_S_NO_CRED;
+
+ cred = (krb5_gss_cred_id_t)cred_handle;
+
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
+ if (cred->rcache != NULL) {
+ code = krb5_rc_close(context, cred->rcache);
+ if (code) {
+ *minor_status = code;
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ }
- /* return success */
+ cred->rcache = rcache;
+ krb5_free_context(context);
+
*minor_status = 0;
- *output_cred_handle = (gss_cred_id_t) cred;
- if (actual_mechs)
- *actual_mechs = ret_mechs;
-
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
+ return GSS_S_COMPLETE;
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/add_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/add_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/add_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,18 +21,18 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -42,7 +43,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -62,26 +63,26 @@
/* V2 interface */
OM_uint32
krb5_gss_add_cred(minor_status, input_cred_handle,
- desired_name, desired_mech, cred_usage,
- initiator_time_req, acceptor_time_req,
- output_cred_handle, actual_mechs,
- initiator_time_rec, acceptor_time_rec)
- OM_uint32 *minor_status;
- gss_cred_id_t input_cred_handle;
- gss_name_t desired_name;
- gss_OID desired_mech;
- gss_cred_usage_t cred_usage;
- OM_uint32 initiator_time_req;
- OM_uint32 acceptor_time_req;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *initiator_time_rec;
- OM_uint32 *acceptor_time_rec;
+ desired_name, desired_mech, cred_usage,
+ initiator_time_req, acceptor_time_req,
+ output_cred_handle, actual_mechs,
+ initiator_time_rec, acceptor_time_rec)
+ OM_uint32 *minor_status;
+ gss_cred_id_t input_cred_handle;
+ gss_name_t desired_name;
+ gss_OID desired_mech;
+ gss_cred_usage_t cred_usage;
+ OM_uint32 initiator_time_req;
+ OM_uint32 acceptor_time_req;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *initiator_time_rec;
+ OM_uint32 *acceptor_time_rec;
{
- krb5_context context;
- OM_uint32 major_status, lifetime;
- krb5_gss_cred_id_t cred;
- krb5_error_code code;
+ krb5_context context;
+ OM_uint32 major_status, lifetime;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
/* this is pretty simple, since there's not really any difference
between the underlying mechanisms. The main hair is in copying
@@ -90,18 +91,18 @@
/* check if the desired_mech is bogus */
if (!g_OID_equal(desired_mech, gss_mech_krb5) &&
- !g_OID_equal(desired_mech, gss_mech_krb5_old)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(desired_mech, gss_mech_krb5_old)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
/* check if the desired_mech is bogus */
if ((cred_usage != GSS_C_INITIATE) &&
- (cred_usage != GSS_C_ACCEPT) &&
- (cred_usage != GSS_C_BOTH)) {
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
+ (cred_usage != GSS_C_ACCEPT) &&
+ (cred_usage != GSS_C_BOTH)) {
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ return(GSS_S_FAILURE);
}
/* since the default credential includes all the mechanisms,
@@ -109,22 +110,22 @@
/*SUPPRESS 29*/
if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return(GSS_S_DUPLICATE_ELEMENT);
+ *minor_status = 0;
+ return(GSS_S_DUPLICATE_ELEMENT);
}
code = krb5_gss_init_context(&context);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle,
- context);
+ context);
if (GSS_ERROR(major_status)) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return major_status;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return major_status;
}
cred = (krb5_gss_cred_id_t) input_cred_handle;
@@ -134,252 +135,252 @@
if copying */
if (!((cred->usage == cred_usage) ||
- ((cred->usage == GSS_C_BOTH) &&
- (output_cred_handle != NULL)))) {
- *minor_status = (OM_uint32) G_BAD_USAGE;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
+ ((cred->usage == GSS_C_BOTH) &&
+ (output_cred_handle != NULL)))) {
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
}
/* check that desired_mech isn't already in the credential */
if ((g_OID_equal(desired_mech, gss_mech_krb5_old) && cred->prerfc_mech) ||
- (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_DUPLICATE_ELEMENT);
+ (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_DUPLICATE_ELEMENT);
}
if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
}
/* verify the desired_name */
/*SUPPRESS 29*/
if ((desired_name != (gss_name_t) NULL) &&
- (! kg_validate_name(desired_name))) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ (! kg_validate_name(desired_name))) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
/* make sure the desired_name is the same as the existing one */
if (desired_name &&
- !krb5_principal_compare(context, (krb5_principal) desired_name,
- cred->princ)) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
+ !krb5_principal_compare(context, (krb5_principal) desired_name,
+ cred->princ)) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
}
/* copy the cred if necessary */
if (output_cred_handle) {
- /* make a copy */
- krb5_gss_cred_id_t new_cred;
- char ktboth[1024];
- const char *kttype, *cctype, *ccname;
- char ccboth[1024];
+ /* make a copy */
+ krb5_gss_cred_id_t new_cred;
+ char ktboth[1024];
+ const char *kttype, *cctype, *ccname;
+ char ccboth[1024];
- if ((new_cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec));
-
- new_cred->usage = cred_usage;
- new_cred->prerfc_mech = cred->prerfc_mech;
- new_cred->rfc_mech = cred->rfc_mech;
- new_cred->tgt_expire = cred->tgt_expire;
+ if ((new_cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec));
- if (cred->princ)
- code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
- if (code) {
- xfree(new_cred);
+ new_cred->usage = cred_usage;
+ new_cred->prerfc_mech = cred->prerfc_mech;
+ new_cred->rfc_mech = cred->rfc_mech;
+ new_cred->tgt_expire = cred->tgt_expire;
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-#ifndef LEAN_CLIENT
- if (cred->keytab) {
- kttype = krb5_kt_get_type(context, cred->keytab);
- if ((strlen(kttype)+2) > sizeof(ktboth)) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ if (cred->princ)
+ code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+ if (code) {
+ xfree(new_cred);
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+#ifndef LEAN_CLIENT
+ if (cred->keytab) {
+ kttype = krb5_kt_get_type(context, cred->keytab);
+ if ((strlen(kttype)+2) > sizeof(ktboth)) {
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
- strncpy(ktboth, kttype, sizeof(ktboth) - 1);
- ktboth[sizeof(ktboth) - 1] = '\0';
- strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth));
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- code = krb5_kt_get_name(context, cred->keytab,
- ktboth+strlen(ktboth),
- sizeof(ktboth)-strlen(ktboth));
- if (code) {
- if(new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ strncpy(ktboth, kttype, sizeof(ktboth) - 1);
+ ktboth[sizeof(ktboth) - 1] = '\0';
+ strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth));
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ code = krb5_kt_get_name(context, cred->keytab,
+ ktboth+strlen(ktboth),
+ sizeof(ktboth)-strlen(ktboth));
+ if (code) {
+ if(new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
- code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
- if (code) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
+ code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
+ if (code) {
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
#endif /* LEAN_CLIENT */
- new_cred->keytab = NULL;
-#ifndef LEAN_CLIENT
- }
+ new_cred->keytab = NULL;
+#ifndef LEAN_CLIENT
+ }
#endif /* LEAN_CLIENT */
-
- if (cred->rcache) {
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, cred->princ, 0),
- &new_cred->rcache))) {
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+
+ if (cred->rcache) {
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, cred->princ, 0),
+ &new_cred->rcache))) {
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
- new_cred->rcache = NULL;
- }
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ new_cred->rcache = NULL;
+ }
- if (cred->ccache) {
- cctype = krb5_cc_get_type(context, cred->ccache);
- ccname = krb5_cc_get_name(context, cred->ccache);
+ if (cred->ccache) {
+ cctype = krb5_cc_get_type(context, cred->ccache);
+ ccname = krb5_cc_get_name(context, cred->ccache);
- if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) {
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) {
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
- krb5_free_context(context);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ krb5_free_context(context);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- strncpy(ccboth, cctype, sizeof(ccboth) - 1);
- ccboth[sizeof(ccboth) - 1] = '\0';
- strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth));
- strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth));
+ strncpy(ccboth, cctype, sizeof(ccboth) - 1);
+ ccboth[sizeof(ccboth) - 1] = '\0';
+ strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth));
+ strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth));
- code = krb5_cc_resolve(context, ccboth, &new_cred->ccache);
- if (code) {
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ code = krb5_cc_resolve(context, ccboth, &new_cred->ccache);
+ if (code) {
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
- new_cred->ccache = NULL;
- }
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ new_cred->ccache = NULL;
+ }
- /* intern the credential handle */
+ /* intern the credential handle */
- if (! kg_save_cred_id((gss_cred_id_t) new_cred)) {
- if (new_cred->ccache)
- krb5_cc_close(context, new_cred->ccache);
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ if (! kg_save_cred_id((gss_cred_id_t) new_cred)) {
+ if (new_cred->ccache)
+ krb5_cc_close(context, new_cred->ccache);
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
- krb5_free_context(context);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+ krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
- /* modify new_cred */
+ /* modify new_cred */
- cred = new_cred;
+ cred = new_cred;
}
-
+
/* set the flag for the new mechanism */
if (g_OID_equal(desired_mech, gss_mech_krb5_old))
- cred->prerfc_mech = 1;
+ cred->prerfc_mech = 1;
else if (g_OID_equal(desired_mech, gss_mech_krb5))
- cred->rfc_mech = 1;
+ cred->rfc_mech = 1;
/* set the outputs */
- if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status,
- (gss_cred_id_t)cred,
- NULL, &lifetime,
- NULL, actual_mechs))) {
- OM_uint32 dummy;
-
- if (output_cred_handle)
- (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred);
- krb5_free_context(context);
+ if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status,
+ (gss_cred_id_t)cred,
+ NULL, &lifetime,
+ NULL, actual_mechs))) {
+ OM_uint32 dummy;
- return(major_status);
+ if (output_cred_handle)
+ (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred);
+ krb5_free_context(context);
+
+ return(major_status);
}
if (initiator_time_rec)
- *initiator_time_rec = lifetime;
+ *initiator_time_rec = lifetime;
if (acceptor_time_rec)
- *acceptor_time_rec = lifetime;
+ *acceptor_time_rec = lifetime;
if (output_cred_handle)
- *output_cred_handle = (gss_cred_id_t)cred;
+ *output_cred_handle = (gss_cred_id_t)cred;
krb5_free_context(context);
*minor_status = 0;
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/canon_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/canon_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/canon_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/canon_name.c
*
@@ -30,16 +31,16 @@
/* This is trivial since we're a single mechanism implementation */
OM_uint32 krb5_gss_canonicalize_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t *output_name)
+ const gss_name_t input_name,
+ const gss_OID mech_type,
+ gss_name_t *output_name)
{
if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(gss_mech_krb5, mech_type) &&
+ !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
- return(gss_duplicate_name(minor_status, input_name, output_name));
+ return(krb5_gss_duplicate_name(minor_status, input_name, output_name));
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/compare_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/compare_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/compare_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -28,33 +29,33 @@
OM_uint32
krb5_gss_compare_name(minor_status, name1, name2, name_equal)
- OM_uint32 *minor_status;
- gss_name_t name1;
- gss_name_t name2;
- int *name_equal;
-{
- krb5_context context;
- krb5_error_code code;
+ OM_uint32 *minor_status;
+ gss_name_t name1;
+ gss_name_t name2;
+ int *name_equal;
+{
+ krb5_context context;
+ krb5_error_code code;
- if (! kg_validate_name(name1)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(name1)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- if (! kg_validate_name(name2)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(name2)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- *minor_status = 0;
- *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
- (krb5_principal) name2);
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
+ (krb5_principal) name2);
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/context_time.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/context_time.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/context_time.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -28,41 +29,41 @@
OM_uint32
krb5_gss_context_time(minor_status, context_handle, time_rec)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- OM_uint32 *time_rec;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ OM_uint32 *time_rec;
{
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx;
- krb5_timestamp now;
- krb5_deltat lifetime;
+ krb5_error_code code;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- if ((code = krb5_timeofday(ctx->k5_context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, ctx->k5_context);
- return(GSS_S_FAILURE);
- }
+ if ((code = krb5_timeofday(ctx->k5_context, &now))) {
+ *minor_status = code;
+ save_error_info(*minor_status, ctx->k5_context);
+ return(GSS_S_FAILURE);
+ }
- if ((lifetime = ctx->endtime - now) <= 0) {
- *time_rec = 0;
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- } else {
- *time_rec = lifetime;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
+ if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
+ *time_rec = 0;
+ *minor_status = 0;
+ return(GSS_S_CONTEXT_EXPIRED);
+ } else {
+ *time_rec = lifetime;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/copy_ccache.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/copy_ccache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/copy_ccache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,57 +1,62 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#include "gssapiP_krb5.h"
-OM_uint32 KRB5_CALLCONV
-gss_krb5int_copy_ccache(minor_status, cred_handle, out_ccache)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- krb5_ccache out_ccache;
+OM_uint32 KRB5_CALLCONV
+gss_krb5int_copy_ccache(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
{
- OM_uint32 major_status;
- krb5_gss_cred_id_t k5creds;
- krb5_cc_cursor cursor;
- krb5_creds creds;
- krb5_error_code code;
- krb5_context context;
+ krb5_gss_cred_id_t k5creds;
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ krb5_error_code code;
+ krb5_context context;
+ krb5_ccache out_ccache;
+
+ assert(value->length == sizeof(out_ccache));
- /* validate the cred handle */
- major_status = krb5_gss_validate_cred(minor_status, cred_handle);
- if (major_status)
- return(major_status);
-
- k5creds = (krb5_gss_cred_id_t) cred_handle;
- code = k5_mutex_lock(&k5creds->lock);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- if (k5creds->usage == GSS_C_ACCEPT) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
- }
+ if (value->length != sizeof(out_ccache))
+ return GSS_S_FAILURE;
- code = krb5_gss_init_context(&context);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ out_ccache = (krb5_ccache)value->value;
- code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds))
- code = krb5_cc_store_cred(context, out_ccache, &creds);
- krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- if (code)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
+ /* cred handle will have been validated by gssspi_set_cred_option() */
+
+ k5creds = (krb5_gss_cred_id_t) cred_handle;
+ code = k5_mutex_lock(&k5creds->lock);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (k5creds->usage == GSS_C_ACCEPT) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ return(GSS_S_FAILURE);
+ }
+
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
+ if (code) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds))
+ code = krb5_cc_store_cred(context, out_ccache, &creds);
+ krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ if (code)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/delete_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/delete_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/delete_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -28,94 +29,97 @@
OM_uint32
krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t output_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t output_token;
{
- krb5_context context;
- krb5_gss_ctx_id_rec *ctx;
+ krb5_context context;
+ krb5_gss_ctx_id_rec *ctx;
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
+ if (output_token) {
+ output_token->length = 0;
+ output_token->value = NULL;
+ }
- /*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
+ /*SUPPRESS 29*/
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
- /*SUPPRESS 29*/
- /* validate the context handle */
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /*SUPPRESS 29*/
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_t) *context_handle;
- context = ctx->k5_context;
+ ctx = (krb5_gss_ctx_id_t) *context_handle;
+ context = ctx->k5_context;
- /* construct a delete context token if necessary */
+ /* construct a delete context token if necessary */
- if (output_token) {
- OM_uint32 major;
- gss_buffer_desc empty;
- empty.length = 0; empty.value = NULL;
+ if (output_token) {
+ OM_uint32 major;
+ gss_buffer_desc empty;
+ empty.length = 0; empty.value = NULL;
- if ((major = kg_seal(minor_status, *context_handle, 0,
- GSS_C_QOP_DEFAULT,
- &empty, NULL, output_token, KG_TOK_DEL_CTX))) {
- save_error_info(*minor_status, context);
- return(major);
- }
- }
+ if ((major = kg_seal(minor_status, *context_handle, 0,
+ GSS_C_QOP_DEFAULT,
+ &empty, NULL, output_token, KG_TOK_DEL_CTX))) {
+ save_error_info(*minor_status, context);
+ return(major);
+ }
+ }
- /* invalidate the context handle */
+ /* invalidate the context handle */
- (void)kg_delete_ctx_id(*context_handle);
+ (void)kg_delete_ctx_id(*context_handle);
- /* free all the context state */
+ /* free all the context state */
- if (ctx->seqstate)
- g_order_free(&(ctx->seqstate));
+ if (ctx->seqstate)
+ g_order_free(&(ctx->seqstate));
- if (ctx->enc)
- krb5_free_keyblock(context, ctx->enc);
+ if (ctx->enc)
+ krb5_free_keyblock(context, ctx->enc);
- if (ctx->seq)
- krb5_free_keyblock(context, ctx->seq);
+ if (ctx->seq)
+ krb5_free_keyblock(context, ctx->seq);
- if (ctx->here)
- krb5_free_principal(context, ctx->here);
- if (ctx->there)
- krb5_free_principal(context, ctx->there);
- if (ctx->subkey)
- krb5_free_keyblock(context, ctx->subkey);
- if (ctx->acceptor_subkey)
- krb5_free_keyblock(context, ctx->acceptor_subkey);
+ if (ctx->here)
+ krb5_free_principal(context, ctx->here);
+ if (ctx->there)
+ krb5_free_principal(context, ctx->there);
+ if (ctx->subkey)
+ krb5_free_keyblock(context, ctx->subkey);
+ if (ctx->acceptor_subkey)
+ krb5_free_keyblock(context, ctx->acceptor_subkey);
- if (ctx->auth_context) {
- if (ctx->cred_rcache)
- (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+ if (ctx->auth_context) {
+ if (ctx->cred_rcache)
+ (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
- krb5_auth_con_free(context, ctx->auth_context);
- }
+ krb5_auth_con_free(context, ctx->auth_context);
+ }
- if (ctx->mech_used)
- gss_release_oid(minor_status, &ctx->mech_used);
-
- if (ctx->k5_context)
- krb5_free_context(ctx->k5_context);
+ if (ctx->mech_used)
+ krb5_gss_release_oid(minor_status, &ctx->mech_used);
- /* Zero out context */
- memset(ctx, 0, sizeof(*ctx));
- xfree(ctx);
+ if (ctx->authdata)
+ krb5_free_authdata(context, ctx->authdata);
- /* zero the handle itself */
+ if (ctx->k5_context)
+ krb5_free_context(ctx->k5_context);
- *context_handle = GSS_C_NO_CONTEXT;
+ /* Zero out context */
+ memset(ctx, 0, sizeof(*ctx));
+ xfree(ctx);
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ /* zero the handle itself */
+
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
Copied: branches/mkey_migrate/src/lib/gssapi/krb5/deps (from rev 21721, trunk/src/lib/gssapi/krb5/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/disp_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/disp_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/disp_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -23,53 +24,53 @@
#include "gssapiP_krb5.h"
OM_uint32
-krb5_gss_display_name(minor_status, input_name, output_name_buffer,
- output_name_type)
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
+krb5_gss_display_name(minor_status, input_name, output_name_buffer,
+ output_name_type)
+ OM_uint32 *minor_status;
+ gss_name_t input_name;
+ gss_buffer_t output_name_buffer;
+ gss_OID *output_name_type;
{
- krb5_context context;
- krb5_error_code code;
- char *str;
+ krb5_context context;
+ krb5_error_code code;
+ char *str;
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- output_name_buffer->length = 0;
- output_name_buffer->value = NULL;
+ output_name_buffer->length = 0;
+ output_name_buffer->value = NULL;
- if (! kg_validate_name(input_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(input_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- if ((code = krb5_unparse_name(context,
- (krb5_principal) input_name, &str))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if ((code = krb5_unparse_name(context,
+ (krb5_principal) input_name, &str))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- if (! g_make_string_buffer(str, output_name_buffer)) {
- krb5_free_unparsed_name(context, str);
- krb5_free_context(context);
+ if (! g_make_string_buffer(str, output_name_buffer)) {
+ krb5_free_unparsed_name(context, str);
+ krb5_free_context(context);
- *minor_status = (OM_uint32) G_BUFFER_ALLOC;
- return(GSS_S_FAILURE);
- }
+ *minor_status = (OM_uint32) G_BUFFER_ALLOC;
+ return(GSS_S_FAILURE);
+ }
- krb5_free_unparsed_name(context, str);
- krb5_free_context(context);
+ krb5_free_unparsed_name(context, str);
+ krb5_free_context(context);
- *minor_status = 0;
- if (output_name_type)
- *output_name_type = (gss_OID) gss_nt_krb5_name;
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ if (output_name_type)
+ *output_name_type = (gss_OID) gss_nt_krb5_name;
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/disp_status.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/disp_status.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/disp_status.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -21,7 +22,6 @@
*/
#include "gssapiP_krb5.h"
-#include "gss_libinit.h"
#include "com_err.h"
/* XXXX internationalization!! */
@@ -30,11 +30,11 @@
compare_OM_uint32 (OM_uint32 a, OM_uint32 b)
{
if (a < b)
- return -1;
+ return -1;
else if (a == b)
- return 0;
+ return 0;
else
- return 1;
+ return 1;
}
static inline void
free_string (char *s)
@@ -46,22 +46,22 @@
char *get_error_message(OM_uint32 minor_code)
{
gsserrmap *p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE);
- char *msg = 0;
+ char *msg = NULL;
#ifdef DEBUG
fprintf(stderr, "%s(%lu, p=%p)", __func__, (unsigned long) minor_code,
- (void *) p);
+ (void *) p);
#endif
if (p) {
- char **v = gsserrmap_find(p, minor_code);
- if (v) {
- msg = *v;
+ char **v = gsserrmap_find(p, minor_code);
+ if (v) {
+ msg = *v;
#ifdef DEBUG
- fprintf(stderr, " FOUND!");
+ fprintf(stderr, " FOUND!");
#endif
- }
+ }
}
if (msg == 0)
- msg = error_message(minor_code);
+ msg = (char *)error_message((krb5_error_code)minor_code);
#ifdef DEBUG
fprintf(stderr, " -> %p/%s\n", (void *) msg, msg);
#endif
@@ -78,24 +78,24 @@
#endif
p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE);
if (!p) {
- p = malloc(sizeof(*p));
- if (p == NULL) {
- ret = 1;
- goto fail;
- }
- if (gsserrmap_init(p) != 0) {
- free(p);
- p = NULL;
- ret = 1;
- goto fail;
- }
- if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) {
- gsserrmap_destroy(p);
- free(p);
- p = NULL;
- ret = 1;
- goto fail;
- }
+ p = malloc(sizeof(*p));
+ if (p == NULL) {
+ ret = 1;
+ goto fail;
+ }
+ if (gsserrmap_init(p) != 0) {
+ free(p);
+ p = NULL;
+ ret = 1;
+ goto fail;
+ }
+ if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) {
+ gsserrmap_destroy(p);
+ free(p);
+ p = NULL;
+ ret = 1;
+ goto fail;
+ }
}
ret = gsserrmap_replace_or_insert(p, minor_code, msg);
fail:
@@ -108,8 +108,8 @@
{
char *s = strdup(msg);
if (s) {
- if (save_error_string_nocopy(minor_code, s) != 0)
- free(s);
+ if (save_error_string_nocopy(minor_code, s) != 0)
+ free(s);
}
}
void save_error_message(OM_uint32 minor_code, const char *format, ...)
@@ -122,8 +122,8 @@
n = vasprintf(&s, format, ap);
va_end(ap);
if (n >= 0) {
- if (save_error_string_nocopy(minor_code, s) != 0)
- free(s);
+ if (save_error_string_nocopy(minor_code, s) != 0)
+ free(s);
}
}
void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx)
@@ -132,17 +132,17 @@
#ifdef DEBUG
fprintf(stderr, "%s(%lu, ctx=%p)\n", __func__,
- (unsigned long) minor_code, (void *)ctx);
+ (unsigned long) minor_code, (void *)ctx);
#endif
- s = krb5_get_error_message(ctx, minor_code);
+ s = (char *)krb5_get_error_message(ctx, (krb5_error_code)minor_code);
#ifdef DEBUG
fprintf(stderr, "%s(%lu, ctx=%p) saving: %s\n", __func__,
- (unsigned long) minor_code, (void *)ctx, s);
+ (unsigned long) minor_code, (void *)ctx, s);
#endif
save_error_string(minor_code, s);
/* The get_error_message call above resets the error message in
ctx. Put it back, in case we make this call again *sigh*. */
- krb5_set_error_message(ctx, minor_code, "%s", s);
+ krb5_set_error_message(ctx, (krb5_error_code)minor_code, "%s", s);
krb5_free_error_message(ctx, s);
}
void krb5_gss_delete_error_info(void *p)
@@ -154,44 +154,44 @@
OM_uint32
krb5_gss_display_status(minor_status, status_value, status_type,
- mech_type, message_context, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- int status_type;
- gss_OID mech_type;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
+ mech_type, message_context, status_string)
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ int status_type;
+ gss_OID mech_type;
+ OM_uint32 *message_context;
+ gss_buffer_t status_string;
{
- status_string->length = 0;
- status_string->value = NULL;
+ status_string->length = 0;
+ status_string->value = NULL;
- if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ if ((mech_type != GSS_C_NULL_OID) &&
+ !g_OID_equal(gss_mech_krb5, mech_type) &&
+ !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
- if (status_type == GSS_C_GSS_CODE) {
- return(g_display_major_status(minor_status, status_value,
- message_context, status_string));
- } else if (status_type == GSS_C_MECH_CODE) {
- (void) gssint_initialize_library();
+ if (status_type == GSS_C_GSS_CODE) {
+ return(g_display_major_status(minor_status, status_value,
+ message_context, status_string));
+ } else if (status_type == GSS_C_MECH_CODE) {
+ (void) gss_krb5int_initialize_library();
- if (*message_context) {
- *minor_status = (OM_uint32) G_BAD_MSG_CTX;
- return(GSS_S_FAILURE);
- }
+ if (*message_context) {
+ *minor_status = (OM_uint32) G_BAD_MSG_CTX;
+ return(GSS_S_FAILURE);
+ }
- /* If this fails, there's not much we can do... */
- if (g_make_string_buffer(krb5_gss_get_error_message(status_value),
- status_string) != 0)
- *minor_status = ENOMEM;
- else
- *minor_status = 0;
- return 0;
- } else {
- *minor_status = 0;
- return(GSS_S_BAD_STATUS);
- }
+ /* If this fails, there's not much we can do... */
+ if (g_make_string_buffer(krb5_gss_get_error_message(status_value),
+ status_string) != 0)
+ *minor_status = ENOMEM;
+ else
+ *minor_status = 0;
+ return 0;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_BAD_STATUS);
+ }
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/duplicate_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/duplicate_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/duplicate_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/duplicate_name.c
*
@@ -28,53 +29,47 @@
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_duplicate_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- gss_name_t *dest_name)
+ const gss_name_t input_name,
+ gss_name_t *dest_name)
{
- krb5_context context;
- krb5_error_code code;
- krb5_principal princ, outprinc;
+ krb5_context context;
+ krb5_error_code code;
+ krb5_principal princ, outprinc;
- if (minor_status)
- *minor_status = 0;
+ if (minor_status)
+ *minor_status = 0;
- code = krb5_gss_init_context(&context);
- if (code) {
- if (minor_status)
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ if (minor_status)
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (! kg_validate_name(input_name)) {
- if (minor_status)
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(input_name)) {
+ if (minor_status)
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- princ = (krb5_principal)input_name;
- if ((code = krb5_copy_principal(context, princ, &outprinc))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ princ = (krb5_principal)input_name;
+ if ((code = krb5_copy_principal(context, princ, &outprinc))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- if (! kg_save_name((gss_name_t) outprinc)) {
- krb5_free_principal(context, outprinc);
- krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
-
- krb5_free_context(context);
- *dest_name = (gss_name_t) outprinc;
- return(GSS_S_COMPLETE);
-
-}
+ if (! kg_save_name((gss_name_t) outprinc)) {
+ krb5_free_principal(context, outprinc);
+ krb5_free_context(context);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ krb5_free_context(context);
+ *dest_name = (gss_name_t) outprinc;
+ return(GSS_S_COMPLETE);
-
-
-
-
+}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/export_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/export_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/export_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/export_name.c
*
@@ -28,68 +29,69 @@
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_export_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name)
+ const gss_name_t input_name,
+ gss_buffer_t exported_name)
{
- krb5_context context;
- krb5_error_code code;
- size_t length;
- char *str, *cp;
+ krb5_context context;
+ krb5_error_code code;
+ size_t length;
+ char *str;
+ unsigned char *cp;
- if (minor_status)
- *minor_status = 0;
+ if (minor_status)
+ *minor_status = 0;
- code = krb5_gss_init_context(&context);
- if (code) {
- if (minor_status)
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ if (minor_status)
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- exported_name->length = 0;
- exported_name->value = NULL;
-
- if (! kg_validate_name(input_name)) {
- if (minor_status)
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ exported_name->length = 0;
+ exported_name->value = NULL;
- if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
- &str))) {
- if (minor_status)
- *minor_status = code;
- save_error_info(code, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if (! kg_validate_name(input_name)) {
+ if (minor_status)
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- krb5_free_context(context);
- length = strlen(str);
- exported_name->length = 10 + length + gss_mech_krb5->length;
- exported_name->value = malloc(exported_name->length);
- if (!exported_name->value) {
- free(str);
- if (minor_status)
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- cp = exported_name->value;
+ if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
+ &str))) {
+ if (minor_status)
+ *minor_status = code;
+ save_error_info((OM_uint32)code, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- /* Note: we assume the OID will be less than 128 bytes... */
- *cp++ = 0x04; *cp++ = 0x01;
- store_16_be(gss_mech_krb5->length+2, cp);
- cp += 2;
- *cp++ = 0x06;
- *cp++ = (gss_mech_krb5->length) & 0xFF;
- memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length);
- cp += gss_mech_krb5->length;
- store_32_be(length, cp);
- cp += 4;
- memcpy(cp, str, length);
+ krb5_free_context(context);
+ length = strlen(str);
+ exported_name->length = 10 + length + gss_mech_krb5->length;
+ exported_name->value = malloc(exported_name->length);
+ if (!exported_name->value) {
+ free(str);
+ if (minor_status)
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ cp = exported_name->value;
- free(str);
+ /* Note: we assume the OID will be less than 128 bytes... */
+ *cp++ = 0x04; *cp++ = 0x01;
+ store_16_be(gss_mech_krb5->length+2, cp);
+ cp += 2;
+ *cp++ = 0x06;
+ *cp++ = (gss_mech_krb5->length) & 0xFF;
+ memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length);
+ cp += gss_mech_krb5->length;
+ store_32_be(length, cp);
+ cp += 4;
+ memcpy(cp, str, length);
- return(GSS_S_COMPLETE);
+ free(str);
+
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/export_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/export_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/export_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/export_sec_context.c
*
@@ -26,22 +27,22 @@
*/
/*
- * export_sec_context.c - Externalize the security context.
+ * export_sec_context.c - Externalize the security context.
*/
#include "gssapiP_krb5.h"
#ifndef LEAN_CLIENT
OM_uint32
krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t interprocess_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t interprocess_token;
{
- krb5_context context = NULL;
- krb5_error_code kret;
- OM_uint32 retval;
- size_t bufsize, blen;
- krb5_gss_ctx_id_t ctx;
- krb5_octet *obuffer, *obp;
+ krb5_context context = NULL;
+ krb5_error_code kret;
+ OM_uint32 retval;
+ size_t bufsize, blen;
+ krb5_gss_ctx_id_t ctx;
+ krb5_octet *obuffer, *obp;
/* Assume a tragic failure */
obuffer = (krb5_octet *) NULL;
@@ -49,35 +50,35 @@
*minor_status = 0;
if (!kg_validate_ctx_id(*context_handle)) {
- kret = (OM_uint32) G_VALIDATE_FAILED;
- retval = GSS_S_NO_CONTEXT;
- goto error_out;
+ kret = (OM_uint32) G_VALIDATE_FAILED;
+ retval = GSS_S_NO_CONTEXT;
+ goto error_out;
}
ctx = (krb5_gss_ctx_id_t) *context_handle;
context = ctx->k5_context;
kret = krb5_gss_ser_init(context);
if (kret)
- goto error_out;
+ goto error_out;
/* Determine size needed for externalization of context */
bufsize = 0;
if ((kret = kg_ctx_size(context, (krb5_pointer) ctx,
- &bufsize)))
- goto error_out;
+ &bufsize)))
+ goto error_out;
/* Allocate the buffer */
if ((obuffer = (krb5_octet *) xmalloc(bufsize)) == NULL) {
- kret = ENOMEM;
- goto error_out;
+ kret = ENOMEM;
+ goto error_out;
}
obp = obuffer;
blen = bufsize;
/* Externalize the context */
if ((kret = kg_ctx_externalize(context,
- (krb5_pointer) ctx, &obp, &blen)))
- goto error_out;
+ (krb5_pointer) ctx, &obp, &blen)))
+ goto error_out;
/* Success! Return the buffer */
interprocess_token->length = bufsize - blen;
@@ -93,14 +94,14 @@
error_out:
if (retval != GSS_S_COMPLETE)
- if (kret != 0 && context != 0)
- save_error_info(kret, context);
+ if (kret != 0 && context != 0)
+ save_error_info((OM_uint32)kret, context);
if (obuffer && bufsize) {
- memset(obuffer, 0, bufsize);
- xfree(obuffer);
+ memset(obuffer, 0, bufsize);
+ xfree(obuffer);
}
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
#endif /* LEAN_CLIENT */
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/get_tkt_flags.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/get_tkt_flags.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/get_tkt_flags.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -26,30 +27,19 @@
* $Id$
*/
-OM_uint32 KRB5_CALLCONV
-gss_krb5int_get_tkt_flags(minor_status, context_handle, ticket_flags)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- krb5_flags *ticket_flags;
+OM_uint32 KRB5_CALLCONV
+gss_krb5int_get_tkt_flags(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
{
- krb5_gss_ctx_id_rec *ctx;
+ krb5_gss_ctx_id_rec *ctx;
+ gss_buffer_desc rep;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ rep.value = &ctx->krb_flags;
+ rep.length = sizeof(ctx->krb_flags);
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
-
- if (ticket_flags)
- *ticket_flags = ctx->krb_flags;
-
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -68,6 +69,7 @@
*/
#include "gssapi_krb5.h"
#include "gssapi_err_krb5.h"
+#include "gssapi_ext.h"
/* for debugging */
#undef CFX_EXERCISE
@@ -85,44 +87,46 @@
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"
-#define CKSUMTYPE_KG_CB 0x8003
+#define CKSUMTYPE_KG_CB 0x8003
-#define KG_TOK_CTX_AP_REQ 0x0100
-#define KG_TOK_CTX_AP_REP 0x0200
-#define KG_TOK_CTX_ERROR 0x0300
-#define KG_TOK_SIGN_MSG 0x0101
-#define KG_TOK_SEAL_MSG 0x0201
-#define KG_TOK_MIC_MSG 0x0101
-#define KG_TOK_WRAP_MSG 0x0201
-#define KG_TOK_DEL_CTX 0x0102
+#define KG_TOK_CTX_AP_REQ 0x0100
+#define KG_TOK_CTX_AP_REP 0x0200
+#define KG_TOK_CTX_ERROR 0x0300
+#define KG_TOK_SIGN_MSG 0x0101
+#define KG_TOK_SEAL_MSG 0x0201
+#define KG_TOK_MIC_MSG 0x0101
+#define KG_TOK_WRAP_MSG 0x0201
+#define KG_TOK_DEL_CTX 0x0102
+#define KG2_TOK_MIC_MSG 0x0404
+#define KG2_TOK_WRAP_MSG 0x0504
+#define KG2_TOK_DEL_CTX 0x0405
-#define KG2_TOK_INITIAL 0x0101
-#define KG2_TOK_RESPONSE 0x0202
-#define KG2_TOK_MIC 0x0303
-#define KG2_TOK_WRAP_INTEG 0x0404
-#define KG2_TOK_WRAP_PRIV 0x0505
-
#define KRB5_GSS_FOR_CREDS_OPTION 1
-#define KG2_RESP_FLAG_ERROR 0x0001
-#define KG2_RESP_FLAG_DELEG_OK 0x0002
+#define KG2_RESP_FLAG_ERROR 0x0001
+#define KG2_RESP_FLAG_DELEG_OK 0x0002
+/** CFX flags **/
+#define FLAG_SENDER_IS_ACCEPTOR 0x01
+#define FLAG_WRAP_CONFIDENTIAL 0x02
+#define FLAG_ACCEPTOR_SUBKEY 0x04
+
/* These are to be stored in little-endian order, i.e., des-mac is
stored as 02 00. */
enum sgn_alg {
- SGN_ALG_DES_MAC_MD5 = 0x0000,
- SGN_ALG_MD2_5 = 0x0001,
- SGN_ALG_DES_MAC = 0x0002,
- SGN_ALG_3 = 0x0003, /* not published */
- SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
- SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
+ SGN_ALG_DES_MAC_MD5 = 0x0000,
+ SGN_ALG_MD2_5 = 0x0001,
+ SGN_ALG_DES_MAC = 0x0002,
+ SGN_ALG_3 = 0x0003, /* not published */
+ SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
+ SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
};
enum seal_alg {
- SEAL_ALG_NONE = 0xffff,
- SEAL_ALG_DES = 0x0000,
- SEAL_ALG_1 = 0x0001, /* not published */
- SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
- SEAL_ALG_DES3KD = 0x0002
+ SEAL_ALG_NONE = 0xffff,
+ SEAL_ALG_DES = 0x0000,
+ SEAL_ALG_1 = 0x0001, /* not published */
+ SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
+ SEAL_ALG_DES3KD = 0x0002
};
/* for 3DES */
@@ -131,20 +135,20 @@
#define KG_USAGE_SEQ 24
/* for draft-ietf-krb-wg-gssapi-cfx-01 */
-#define KG_USAGE_ACCEPTOR_SEAL 22
-#define KG_USAGE_ACCEPTOR_SIGN 23
-#define KG_USAGE_INITIATOR_SEAL 24
-#define KG_USAGE_INITIATOR_SIGN 25
+#define KG_USAGE_ACCEPTOR_SEAL 22
+#define KG_USAGE_ACCEPTOR_SIGN 23
+#define KG_USAGE_INITIATOR_SEAL 24
+#define KG_USAGE_INITIATOR_SIGN 25
enum qop {
- GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
- GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
- GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
- GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
- GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
- GSS_KRB5_CONF_C_QOP_DES = 0x0100,
- GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
- GSS_KRB5_CONF_C_QOP_MASK = 0xff00
+ GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
+ GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
+ GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
+ GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
+ GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
+ GSS_KRB5_CONF_C_QOP_DES = 0x0100,
+ GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
+ GSS_KRB5_CONF_C_QOP_MASK = 0xff00
};
/** internal types **/
@@ -152,61 +156,62 @@
typedef krb5_principal krb5_gss_name_t;
typedef struct _krb5_gss_cred_id_rec {
- /* protect against simultaneous accesses */
- k5_mutex_t lock;
+ /* protect against simultaneous accesses */
+ k5_mutex_t lock;
- /* name/type of credential */
- gss_cred_usage_t usage;
- krb5_principal princ; /* this is not interned as a gss_name_t */
- int prerfc_mech;
- int rfc_mech;
+ /* name/type of credential */
+ gss_cred_usage_t usage;
+ krb5_principal princ; /* this is not interned as a gss_name_t */
+ int prerfc_mech;
+ int rfc_mech;
- /* keytab (accept) data */
- krb5_keytab keytab;
- krb5_rcache rcache;
+ /* keytab (accept) data */
+ krb5_keytab keytab;
+ krb5_rcache rcache;
- /* ccache (init) data */
- krb5_ccache ccache;
- krb5_timestamp tgt_expire;
- krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */
-} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
+ /* ccache (init) data */
+ krb5_ccache ccache;
+ krb5_timestamp tgt_expire;
+ krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */
+} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
typedef struct _krb5_gss_ctx_id_rec {
- unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
- unsigned int established : 1;
- unsigned int big_endian : 1;
- unsigned int have_acceptor_subkey : 1;
- unsigned int seed_init : 1; /* XXX tested but never actually set */
- OM_uint32 gss_flags;
- unsigned char seed[16];
- krb5_principal here;
- krb5_principal there;
- krb5_keyblock *subkey;
- int signalg;
- size_t cksum_size;
- int sealalg;
- krb5_keyblock *enc;
- krb5_keyblock *seq;
- krb5_timestamp endtime;
- krb5_flags krb_flags;
- /* XXX these used to be signed. the old spec is inspecific, and
- the new spec specifies unsigned. I don't believe that the change
- affects the wire encoding. */
- gssint_uint64 seq_send;
- gssint_uint64 seq_recv;
- void *seqstate;
- krb5_context k5_context;
- krb5_auth_context auth_context;
- gss_OID_desc *mech_used;
+ unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
+ unsigned int established : 1;
+ unsigned int big_endian : 1;
+ unsigned int have_acceptor_subkey : 1;
+ unsigned int seed_init : 1; /* XXX tested but never actually set */
+ OM_uint32 gss_flags;
+ unsigned char seed[16];
+ krb5_principal here;
+ krb5_principal there;
+ krb5_keyblock *subkey;
+ int signalg;
+ size_t cksum_size;
+ int sealalg;
+ krb5_keyblock *enc;
+ krb5_keyblock *seq;
+ krb5_ticket_times krb_times;
+ krb5_flags krb_flags;
+ /* XXX these used to be signed. the old spec is inspecific, and
+ the new spec specifies unsigned. I don't believe that the change
+ affects the wire encoding. */
+ gssint_uint64 seq_send;
+ gssint_uint64 seq_recv;
+ void *seqstate;
+ krb5_context k5_context;
+ krb5_auth_context auth_context;
+ gss_OID_desc *mech_used;
/* Protocol spec revision
0 => RFC 1964 with 3DES and RC4 enhancements
1 => draft-ietf-krb-wg-gssapi-cfx-01
No others defined so far. */
- int proto;
- krb5_cksumtype cksumtype; /* for "main" subkey */
- krb5_keyblock *acceptor_subkey; /* CFX only */
- krb5_cksumtype acceptor_subkey_cksumtype;
- int cred_rcache; /* did we get rcache from creds? */
+ int proto;
+ krb5_cksumtype cksumtype; /* for "main" subkey */
+ krb5_keyblock *acceptor_subkey; /* CFX only */
+ krb5_cksumtype acceptor_subkey_cksumtype;
+ int cred_rcache; /* did we get rcache from creds? */
+ krb5_authdata **authdata;
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern g_set kg_vdb;
@@ -217,478 +222,690 @@
/* helper macros */
-#define kg_save_name(name) g_save_name(&kg_vdb,name)
-#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
-#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
-#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx)
+#define kg_save_name(name) g_save_name(&kg_vdb,name)
+#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
+#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
+#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx)
-#define kg_validate_name(name) g_validate_name(&kg_vdb,name)
-#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
-#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
-#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx)
+#define kg_validate_name(name) g_validate_name(&kg_vdb,name)
+#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
+#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
+#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx)
-#define kg_delete_name(name) g_delete_name(&kg_vdb,name)
-#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
-#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
-#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx)
+#define kg_delete_name(name) g_delete_name(&kg_vdb,name)
+#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
+#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
+#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx)
/** helper functions **/
-OM_uint32 kg_get_defcred
- (OM_uint32 *minor_status,
- gss_cred_id_t *cred);
+OM_uint32 kg_get_defcred
+(OM_uint32 *minor_status,
+ gss_cred_id_t *cred);
krb5_error_code kg_checksum_channel_bindings
- (krb5_context context, gss_channel_bindings_t cb,
- krb5_checksum *cksum,
- int bigend);
+(krb5_context context, gss_channel_bindings_t cb,
+ krb5_checksum *cksum,
+ int bigend);
krb5_error_code kg_make_seq_num (krb5_context context,
- krb5_keyblock *key,
- int direction, krb5_ui_4 seqnum, unsigned char *cksum,
- unsigned char *buf);
+ krb5_keyblock *key,
+ int direction, krb5_ui_4 seqnum, unsigned char *cksum,
+ unsigned char *buf);
krb5_error_code kg_get_seq_num (krb5_context context,
- krb5_keyblock *key,
- unsigned char *cksum, unsigned char *buf, int *direction,
- krb5_ui_4 *seqnum);
+ krb5_keyblock *key,
+ unsigned char *cksum, unsigned char *buf, int *direction,
+ krb5_ui_4 *seqnum);
krb5_error_code kg_make_seed (krb5_context context,
- krb5_keyblock *key,
- unsigned char *seed);
+ krb5_keyblock *key,
+ unsigned char *seed);
+krb5_error_code
+kg_setup_keys(krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_keyblock *subkey,
+ krb5_cksumtype *cksumtype);
+
int kg_confounder_size (krb5_context context, krb5_keyblock *key);
-krb5_error_code kg_make_confounder (krb5_context context,
- krb5_keyblock *key, unsigned char *buf);
+krb5_error_code kg_make_confounder (krb5_context context,
+ krb5_keyblock *key, unsigned char *buf);
-krb5_error_code kg_encrypt (krb5_context context,
- krb5_keyblock *key, int usage,
- krb5_pointer iv,
- krb5_const_pointer in,
- krb5_pointer out,
- unsigned int length);
+krb5_error_code kg_encrypt (krb5_context context,
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_const_pointer in,
+ krb5_pointer out,
+ unsigned int length);
+
+krb5_error_code kg_encrypt_iov (krb5_context context,
+ int proto, int dce_style,
+ size_t ec, size_t rrc,
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
- const unsigned char *kd_data, size_t kd_data_len,
- const unsigned char *input_buf, size_t input_len,
- unsigned char *output_buf);
+ const unsigned char *kd_data, size_t kd_data_len,
+ const unsigned char *input_buf, size_t input_len,
+ unsigned char *output_buf);
+krb5_error_code
+kg_arcfour_docrypt_iov (krb5_context context,
+ const krb5_keyblock *longterm_key , int ms_usage,
+ const unsigned char *kd_data, size_t kd_data_len,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
krb5_error_code kg_decrypt (krb5_context context,
- krb5_keyblock *key, int usage,
- krb5_pointer iv,
- krb5_const_pointer in,
- krb5_pointer out,
- unsigned int length);
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_const_pointer in,
+ krb5_pointer out,
+ unsigned int length);
+krb5_error_code kg_decrypt_iov (krb5_context context,
+ int proto, int dce_style,
+ size_t ec, size_t rrc,
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
OM_uint32 kg_seal (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer,
- int toktype);
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer,
+ int toktype);
OM_uint32 kg_unseal (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_token_buffer,
- gss_buffer_t message_buffer,
- int *conf_state,
- int *qop_state,
- int toktype);
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_token_buffer,
+ gss_buffer_t message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ int toktype);
OM_uint32 kg_seal_size (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- OM_uint32 output_size,
- OM_uint32 *input_size);
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 output_size,
+ OM_uint32 *input_size);
krb5_error_code kg_ctx_size (krb5_context kcontext,
- krb5_pointer arg,
- size_t *sizep);
+ krb5_pointer arg,
+ size_t *sizep);
krb5_error_code kg_ctx_externalize (krb5_context kcontext,
- krb5_pointer arg,
- krb5_octet **buffer,
- size_t *lenremain);
+ krb5_pointer arg,
+ krb5_octet **buffer,
+ size_t *lenremain);
krb5_error_code kg_ctx_internalize (krb5_context kcontext,
- krb5_pointer *argp,
- krb5_octet **buffer,
- size_t *lenremain);
+ krb5_pointer *argp,
+ krb5_octet **buffer,
+ size_t *lenremain);
OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);
-OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
int *out_caller_provided_name);
-OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
const char **out_name);
-OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
const char *name);
+/* AEAD */
+
+krb5_error_code gss_krb5int_make_seal_token_v3_iov(krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ int conf_req_flag,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int toktype);
+
+OM_uint32 gss_krb5int_unseal_v3_iov(krb5_context context,
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ int toktype);
+
+gss_iov_buffer_t kg_locate_iov (gss_iov_buffer_desc *iov,
+ int iov_count,
+ OM_uint32 type);
+
+void kg_iov_msglen(gss_iov_buffer_desc *iov,
+ int iov_count,
+ size_t *data_length,
+ size_t *assoc_data_length);
+
+void kg_release_iov(gss_iov_buffer_desc *iov,
+ int iov_count);
+
+krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
+ krb5_cksumtype type,
+ size_t token_cksum_len,
+ krb5_keyblock *seq,
+ krb5_keyblock *enc, /* for conf len */
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int toktype,
+ krb5_checksum *checksum);
+
+krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
+ krb5_cksumtype type,
+ size_t rrc,
+ krb5_keyblock *key,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+krb5_error_code kg_verify_checksum_iov_v3(krb5_context context,
+ krb5_cksumtype type,
+ size_t rrc,
+ krb5_keyblock *key,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ krb5_boolean *valid);
+
+OM_uint32 kg_seal_iov (OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int toktype);
+
+OM_uint32 kg_unseal_iov (OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int toktype);
+
+OM_uint32 kg_seal_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+krb5_cryptotype kg_translate_flag_iov(OM_uint32 type);
+
+OM_uint32 kg_fixup_padding_iov(OM_uint32 *minor_status,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+
+int kg_map_toktype(int proto, int toktype);
+
+krb5_boolean kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count);
+
+krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size);
+
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
(OM_uint32*, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t*, /* output_cred_handle */
- gss_OID_set*, /* actual_mechs */
- OM_uint32* /* time_rec */
- );
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t*, /* output_cred_handle */
+ gss_OID_set*, /* actual_mechs */
+ OM_uint32* /* time_rec */
+);
OM_uint32 krb5_gss_release_cred
(OM_uint32*, /* minor_status */
- gss_cred_id_t* /* cred_handle */
- );
+ gss_cred_id_t* /* cred_handle */
+);
OM_uint32 krb5_gss_init_sec_context
(OM_uint32*, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t*, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID*, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32* /* time_rec */
- );
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t*, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID*, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32* /* time_rec */
+);
#ifndef LEAN_CLIENT
OM_uint32 krb5_gss_accept_sec_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_cred_id_t, /* verifier_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t*, /* src_name */
- gss_OID*, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32*, /* time_rec */
- gss_cred_id_t* /* delegated_cred_handle */
- );
+ gss_ctx_id_t*, /* context_handle */
+ gss_cred_id_t, /* verifier_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_name_t*, /* src_name */
+ gss_OID*, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32*, /* time_rec */
+ gss_cred_id_t* /* delegated_cred_handle */
+);
#endif /* LEAN_CLIENT */
OM_uint32 krb5_gss_process_context_token
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t /* token_buffer */
+);
OM_uint32 krb5_gss_delete_sec_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_buffer_t /* output_token */
- );
+ gss_ctx_id_t*, /* context_handle */
+ gss_buffer_t /* output_token */
+);
OM_uint32 krb5_gss_context_time
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32* /* time_rec */
- );
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32* /* time_rec */
+);
-OM_uint32 krb5_gss_sign
-(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
-
-OM_uint32 krb5_gss_verify
-(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int* /* qop_state */
- );
-
-OM_uint32 krb5_gss_seal
-(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int*, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
-
-OM_uint32 krb5_gss_unseal
-(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int*, /* conf_state */
- int* /* qop_state */
- );
-
OM_uint32 krb5_gss_display_status
(OM_uint32*, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type */
- OM_uint32*, /* message_context */
- gss_buffer_t /* status_string */
- );
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type */
+ OM_uint32*, /* message_context */
+ gss_buffer_t /* status_string */
+);
OM_uint32 krb5_gss_indicate_mechs
(OM_uint32*, /* minor_status */
- gss_OID_set* /* mech_set */
- );
+ gss_OID_set* /* mech_set */
+);
OM_uint32 krb5_gss_compare_name
(OM_uint32*, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int* /* name_equal */
- );
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int* /* name_equal */
+);
OM_uint32 krb5_gss_display_name
(OM_uint32*, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID* /* output_name_type */
- );
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID* /* output_name_type */
+);
OM_uint32 krb5_gss_import_name
(OM_uint32*, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type */
- gss_name_t* /* output_name */
- );
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type */
+ gss_name_t* /* output_name */
+);
OM_uint32 krb5_gss_release_name
(OM_uint32*, /* minor_status */
- gss_name_t* /* input_name */
- );
+ gss_name_t* /* input_name */
+);
OM_uint32 krb5_gss_inquire_cred
(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t*,/* cred_usage */
- gss_OID_set * /* mechanisms */
- );
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t*,/* cred_usage */
+ gss_OID_set * /* mechanisms */
+);
OM_uint32 krb5_gss_inquire_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t*, /* initiator_name */
- gss_name_t*, /* acceptor_name */
- OM_uint32*, /* lifetime_rec */
- gss_OID*, /* mech_type */
- OM_uint32*, /* ret_flags */
- int*, /* locally_initiated */
- int* /* open */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t*, /* initiator_name */
+ gss_name_t*, /* acceptor_name */
+ OM_uint32*, /* lifetime_rec */
+ gss_OID*, /* mech_type */
+ OM_uint32*, /* ret_flags */
+ int*, /* locally_initiated */
+ int* /* open */
+);
/* New V2 entry points */
OM_uint32 krb5_gss_get_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+);
OM_uint32 krb5_gss_verify_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+);
OM_uint32 krb5_gss_wrap
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+);
+
+OM_uint32 krb5_gss_wrap_iov
(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ int *, /* conf_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+);
+OM_uint32
+krb5_gss_wrap_iov_length
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ int *, /* conf_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+);
+
OM_uint32 krb5_gss_unwrap
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+);
+
+OM_uint32 krb5_gss_unwrap_iov
(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
+ gss_ctx_id_t, /* context_handle */
+ int *, /* conf_state */
+ gss_qop_t *, /* qop_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+);
OM_uint32 krb5_gss_wrap_size_limit
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
+);
OM_uint32 krb5_gss_import_name_object
-(OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
+(OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+);
OM_uint32 krb5_gss_export_name_object
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void * * /* output_name */
- );
+(OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void * * /* output_name */
+);
OM_uint32 krb5_gss_add_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+);
OM_uint32 krb5_gss_inquire_cred_by_mech
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t * /* cred_usage */
+);
#ifndef LEAN_CLIENT
OM_uint32 krb5_gss_export_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
+);
OM_uint32 krb5_gss_import_sec_context
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
+(OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t * /* context_handle */
+);
#endif /* LEAN_CLIENT */
krb5_error_code krb5_gss_ser_init(krb5_context);
OM_uint32 krb5_gss_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+);
OM_uint32 krb5_gss_internal_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+);
OM_uint32 krb5_gss_inquire_names_for_mech
-(OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set * /* name_types */
+);
OM_uint32 krb5_gss_canonicalize_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
-
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t * /* output_name */
+);
+
OM_uint32 krb5_gss_export_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t /* exported_name */
+);
OM_uint32 krb5_gss_duplicate_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_name_t * /* dest_name */
+);
OM_uint32 krb5_gss_validate_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t /* cred */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t /* cred */
+);
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
- gss_cred_id_t /* cred_handle */,
- krb5_context /* context */);
+ gss_cred_id_t /* cred_handle */,
+ krb5_context /* context */);
gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);
-
+
krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
- krb5_gss_ctx_id_rec *,
- const gss_buffer_desc *,
- gss_buffer_t,
- int, int);
+ krb5_gss_ctx_id_rec *,
+ const gss_buffer_desc *,
+ gss_buffer_t,
+ int, int);
OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- unsigned char *ptr,
- unsigned int bodysize,
- gss_buffer_t message_buffer,
- int *conf_state, int *qop_state,
- int toktype);
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ unsigned char *ptr,
+ unsigned int bodysize,
+ gss_buffer_t message_buffer,
+ int *conf_state, gss_qop_t *qop_state,
+ int toktype);
+int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
+
/*
* These take unglued krb5-mech-specific contexts.
*/
-OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
- (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags);
+#define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
+#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"
+OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
+(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set);
+
+#define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11
+#define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02"
+
OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache
- (OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache);
+(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_oid,
+ const gss_buffer_t value);
+#define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11
+#define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03"
+
+struct krb5_gss_ccache_name_req {
+ const char *name;
+ const char **out_name;
+};
+
+OM_uint32 KRB5_CALLCONV gss_krb5int_ccache_name
+ (OM_uint32 *minor_status,
+ const gss_OID,
+ const gss_OID,
+ const gss_buffer_t);
+
+#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
+#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
+
+struct krb5_gss_set_allowable_enctypes_req {
+ OM_uint32 num_ktypes;
+ krb5_enctype *ktypes;
+};
+
+#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
+#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
+
+OM_uint32
+gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
+
OM_uint32 KRB5_CALLCONV
-gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes);
+gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ const gss_OID desired_oid,
+ const gss_buffer_t value);
-OM_uint32 KRB5_CALLCONV
+#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
+#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"
+
+OM_uint32
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx);
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set);
+#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
+#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"
+OM_uint32
+gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
+ const gss_OID, gss_buffer_t);
+
extern k5_mutex_t kg_kdc_flag_mutex;
krb5_error_code krb5_gss_init_context (krb5_context *ctxp);
+#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
+#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"
+
+OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
+ const gss_OID, gss_buffer_t);
+
krb5_error_code krb5_gss_use_kdc_context(void);
+#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
+#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"
+
+OM_uint32
+gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
+
+#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
+#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"
+
+OM_uint32
+gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *ad_data);
+
+#define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
+#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"
+
+OM_uint32
+gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);
+
+#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
+#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
+
+OM_uint32
+gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
+ const gss_ctx_id_t,
+ const gss_OID,
+ gss_buffer_set_t *);
+
+#ifdef _GSS_STATIC_LINK
+int gss_krb5int_lib_init(void);
+void gss_krb5int_lib_fini(void);
+#endif /* _GSS_STATIC_LINK */
+
+OM_uint32 gss_krb5int_initialize_library(void);
+void gss_krb5int_cleanup_library(void);
+
/* For error message handling. */
/* Returns a shared string, not a private copy! */
extern char *
@@ -701,12 +918,16 @@
__attribute__((__format__(__printf__, 2, 3)))
#endif
;
-extern void
-krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
+ extern void
+ krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
#define get_error_message krb5_gss_get_error_message
#define save_error_string krb5_gss_save_error_string
#define save_error_message krb5_gss_save_error_message
#define save_error_info krb5_gss_save_error_info
extern void krb5_gss_delete_error_info(void *p);
+/* Prefix concatenated with Kerberos encryption type */
+#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
+#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
+
#endif /* _GSSAPIP_KRB5_H_ */
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -22,14 +23,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -40,11 +41,38 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
/*
* $Id$
@@ -54,6 +82,7 @@
/* For declaration of krb5_ser_context_init */
#include "k5-int.h"
#include "gssapiP_krb5.h"
+#include "mglueP.h"
/** exported constants defined in gssapi_krb5{,_nx}.h **/
@@ -61,21 +90,27 @@
/*
* The OID of the draft krb5 mechanism, assigned by IETF, is:
- * iso(1) org(3) dod(5) internet(1) security(5)
- * kerberosv5(2) = 1.3.5.1.5.2
+ * iso(1) org(3) dod(5) internet(1) security(5)
+ * kerberosv5(2) = 1.3.5.1.5.2
* The OID of the krb5_name type is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1
* The OID of the krb5_principal type is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2
* The OID of the proposed standard krb5 mechanism is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) = 1.2.840.113554.1.2.2
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) = 1.2.840.113554.1.2.2
* The OID of the proposed standard krb5 v2 mechanism is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5v2(3) = 1.2.840.113554.1.2.3
- *
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5v2(3) = 1.2.840.113554.1.2.3
+ * Provisionally reserved for Kerberos session key algorithm
+ * identifiers is:
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_enctype(4) = 1.2.840.113554.1.2.2.4
+ * Provisionally reserved for Kerberos mechanism-specific APIs:
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_gssapi_ext(5) = 1.2.840.113554.1.2.2.5
*/
/*
@@ -86,26 +121,26 @@
*/
const gss_OID_desc krb5_gss_oid_array[] = {
- /* this is the official, rfc-specified OID */
- {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
- /* this pre-RFC mech OID */
- {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
- /* this is the unofficial, incorrect mech OID emitted by MS */
- {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
- /* this is the v2 assigned OID */
- {9, "\052\206\110\206\367\022\001\002\003"},
- /* these two are name type OID's */
+ /* this is the official, rfc-specified OID */
+ {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
+ /* this pre-RFC mech OID */
+ {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
+ /* this is the unofficial, incorrect mech OID emitted by MS */
+ {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
+ /* this is the v2 assigned OID */
+ {9, "\052\206\110\206\367\022\001\002\003"},
+ /* these two are name type OID's */
/* 2.1.1. Kerberos Principal Name Form: (rfc 1964)
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* krb5(2) krb5_name(1)}. The recommended symbolic name for this type
* is "GSS_KRB5_NT_PRINCIPAL_NAME". */
- {10, "\052\206\110\206\367\022\001\002\002\001"},
+ {10, "\052\206\110\206\367\022\001\002\002\001"},
- /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
- {10, "\052\206\110\206\367\022\001\002\002\002"},
- { 0, 0 }
+ /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
+ {10, "\052\206\110\206\367\022\001\002\002\002"},
+ { 0, 0 }
};
const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
@@ -116,11 +151,11 @@
const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4;
static const gss_OID_set_desc oidsets[] = {
- {1, (gss_OID) krb5_gss_oid_array+0},
- {1, (gss_OID) krb5_gss_oid_array+1},
- {3, (gss_OID) krb5_gss_oid_array+0},
- {1, (gss_OID) krb5_gss_oid_array+2},
- {3, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+1},
+ {3, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+2},
+ {3, (gss_OID) krb5_gss_oid_array+0},
};
const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0;
@@ -137,54 +172,54 @@
*/
OM_uint32
kg_get_defcred(minor_status, cred)
- OM_uint32 *minor_status;
- gss_cred_id_t *cred;
+ OM_uint32 *minor_status;
+ gss_cred_id_t *cred;
{
OM_uint32 major;
-
- if ((major = krb5_gss_acquire_cred(minor_status,
- (gss_name_t) NULL, GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- cred, NULL, NULL)) && GSS_ERROR(major)) {
- return(major);
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+
+ if ((major = krb5_gss_acquire_cred(minor_status,
+ (gss_name_t) NULL, GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET, GSS_C_INITIATE,
+ cred, NULL, NULL)) && GSS_ERROR(major)) {
+ return(major);
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
OM_uint32
kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status)
{
OM_uint32 err = 0;
-
- /*
+
+ /*
* Sync up the context ccache name with the GSSAPI ccache name.
- * If kg_ccache_name is NULL -- normal unless someone has called
- * gss_krb5_ccache_name() -- then the system default ccache will
+ * If kg_ccache_name is NULL -- normal unless someone has called
+ * gss_krb5_ccache_name() -- then the system default ccache will
* be picked up and used by resetting the context default ccache.
* This is needed for platforms which support multiple ccaches.
*/
-
+
if (!err) {
/* if NULL, resets the context default ccache */
err = krb5_cc_set_default_name(context,
- (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME));
+ (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME));
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
/* This function returns whether or not the caller set a cccache name. Used by
- * gss_acquire_cred to figure out if the caller wants to only look at this
+ * gss_acquire_cred to figure out if the caller wants to only look at this
* ccache or search the cache collection for the desired name */
OM_uint32
-kg_caller_provided_ccache_name (OM_uint32 *minor_status,
-int *out_caller_provided_name)
+kg_caller_provided_ccache_name (OM_uint32 *minor_status,
+ int *out_caller_provided_name)
{
if (out_caller_provided_name) {
- *out_caller_provided_name =
- (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL);
+ *out_caller_provided_name =
+ (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL);
}
*minor_status = 0;
@@ -199,31 +234,31 @@
char *kg_ccache_name;
kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME);
-
+
if (kg_ccache_name != NULL) {
- name = strdup(kg_ccache_name);
- if (name == NULL)
- err = ENOMEM;
+ name = strdup(kg_ccache_name);
+ if (name == NULL)
+ err = ENOMEM;
} else {
- krb5_context context = NULL;
+ krb5_context context = NULL;
- /* Reset the context default ccache (see text above), and then
- retrieve it. */
- err = krb5_gss_init_context(&context);
- if (!err)
- err = krb5_cc_set_default_name (context, NULL);
- if (!err) {
- name = krb5_cc_default_name(context);
- if (name) {
- name = strdup(name);
- if (name == NULL)
- err = ENOMEM;
- }
- }
- if (err && context)
- save_error_info(err, context);
- if (context)
- krb5_free_context(context);
+ /* Reset the context default ccache (see text above), and then
+ retrieve it. */
+ err = krb5_gss_init_context(&context);
+ if (!err)
+ err = krb5_cc_set_default_name (context, NULL);
+ if (!err) {
+ name = krb5_cc_default_name(context);
+ if (name) {
+ name = strdup(name);
+ if (name == NULL)
+ err = ENOMEM;
+ }
+ }
+ if (err && context)
+ save_error_info(err, context);
+ if (context)
+ krb5_free_context(context);
}
if (!err) {
@@ -231,7 +266,7 @@
*out_name = name;
}
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
@@ -245,12 +280,11 @@
krb5_error_code kerr;
if (name) {
- new_name = malloc(strlen(name) + 1);
- if (new_name == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- strcpy(new_name, name);
+ new_name = strdup(name);
+ if (new_name == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
}
kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME);
@@ -259,14 +293,502 @@
new_name = swap;
kerr = k5_setspecific(K5_KEY_GSS_KRB5_CCACHE_NAME, kg_ccache_name);
if (kerr != 0) {
- /* Can't store, so free up the storage. */
- free(kg_ccache_name);
- /* ??? free(new_name); */
- *minor_status = kerr;
- return GSS_S_FAILURE;
+ /* Can't store, so free up the storage. */
+ free(kg_ccache_name);
+ /* ??? free(new_name); */
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
}
free (new_name);
*minor_status = 0;
return GSS_S_COMPLETE;
}
+
+#define g_OID_prefix_equal(o1, o2) \
+ (((o1)->length >= (o2)->length) && \
+ (memcmp((o1)->elements, (o2)->elements, (o2)->length) == 0))
+
+/*
+ * gss_inquire_sec_context_by_oid() methods
+ */
+static struct {
+ gss_OID_desc oid;
+ OM_uint32 (*func)(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
+} krb5_gss_inquire_sec_context_by_oid_ops[] = {
+ {
+ {GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH, GSS_KRB5_GET_TKT_FLAGS_OID},
+ gss_krb5int_get_tkt_flags
+ },
+ {
+ {GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID},
+ gss_krb5int_extract_authz_data_from_sec_context
+ },
+ {
+ {GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SSPI_SESSION_KEY_OID},
+ gss_krb5int_inq_session_key
+ },
+ {
+ {GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID},
+ gss_krb5int_export_lucid_sec_context
+ },
+ {
+ {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID},
+ gss_krb5int_extract_authtime_from_sec_context
+ }
+};
+
+static OM_uint32
+krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ krb5_gss_ctx_id_rec *ctx;
+ size_t i;
+
+ if (minor_status == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *minor_status = 0;
+
+ if (desired_object == GSS_C_NO_OID)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ if (data_set == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *data_set = GSS_C_NO_BUFFER_SET;
+
+ if (!kg_validate_ctx_id(context_handle))
+ return GSS_S_NO_CONTEXT;
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+
+ if (!ctx->established)
+ return GSS_S_NO_CONTEXT;
+
+ for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/
+ sizeof(krb5_gss_inquire_sec_context_by_oid_ops[0]); i++) {
+ if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_sec_context_by_oid_ops[i].oid)) {
+ return (*krb5_gss_inquire_sec_context_by_oid_ops[i].func)(minor_status,
+ context_handle,
+ desired_object,
+ data_set);
+ }
+ }
+
+ *minor_status = EINVAL;
+
+ return GSS_S_UNAVAILABLE;
+}
+
+/*
+ * gss_inquire_cred_by_oid() methods
+ */
+static struct {
+ gss_OID_desc oid;
+ OM_uint32 (*func)(OM_uint32 *, const gss_cred_id_t, const gss_OID, gss_buffer_set_t *);
+} krb5_gss_inquire_cred_by_oid_ops[] = {
+};
+
+static OM_uint32
+krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 major_status = GSS_S_FAILURE;
+ krb5_gss_cred_id_t cred;
+ size_t i;
+
+ if (minor_status == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *minor_status = 0;
+
+ if (desired_object == GSS_C_NO_OID)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ if (data_set == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *data_set = GSS_C_NO_BUFFER_SET;
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED;
+ return GSS_S_NO_CRED;
+ }
+
+ major_status = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major_status))
+ return major_status;
+
+ cred = (krb5_gss_cred_id_t) cred_handle;
+
+ for (i = 0; i < sizeof(krb5_gss_inquire_cred_by_oid_ops)/
+ sizeof(krb5_gss_inquire_cred_by_oid_ops[0]); i++) {
+ if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_cred_by_oid_ops[i].oid)) {
+ return (*krb5_gss_inquire_cred_by_oid_ops[i].func)(minor_status,
+ cred_handle,
+ desired_object,
+ data_set);
+ }
+ }
+
+ *minor_status = EINVAL;
+
+ return GSS_S_UNAVAILABLE;
+}
+
+/*
+ * gss_set_sec_context_option() methods
+ */
+static struct {
+ gss_OID_desc oid;
+ OM_uint32 (*func)(OM_uint32 *, gss_ctx_id_t *, const gss_OID, const gss_buffer_t);
+} krb5_gss_set_sec_context_option_ops[] = {
+};
+
+static OM_uint32
+krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ size_t i;
+
+ if (minor_status == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *minor_status = 0;
+
+ if (context_handle == NULL)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ if (desired_object == GSS_C_NO_OID)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ if (*context_handle != GSS_C_NO_CONTEXT) {
+ krb5_gss_ctx_id_rec *ctx;
+
+ if (!kg_validate_ctx_id(*context_handle))
+ return GSS_S_NO_CONTEXT;
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+
+ if (!ctx->established)
+ return GSS_S_NO_CONTEXT;
+ }
+
+ for (i = 0; i < sizeof(krb5_gss_set_sec_context_option_ops)/
+ sizeof(krb5_gss_set_sec_context_option_ops[0]); i++) {
+ if (g_OID_prefix_equal(desired_object, &krb5_gss_set_sec_context_option_ops[i].oid)) {
+ return (*krb5_gss_set_sec_context_option_ops[i].func)(minor_status,
+ context_handle,
+ desired_object,
+ value);
+ }
+ }
+
+ *minor_status = EINVAL;
+
+ return GSS_S_UNAVAILABLE;
+}
+
+/*
+ * gssspi_set_cred_option() methods
+ */
+static struct {
+ gss_OID_desc oid;
+ OM_uint32 (*func)(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);
+} krb5_gssspi_set_cred_option_ops[] = {
+ {
+ {GSS_KRB5_COPY_CCACHE_OID_LENGTH, GSS_KRB5_COPY_CCACHE_OID},
+ gss_krb5int_copy_ccache
+ },
+ {
+ {GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID},
+ gss_krb5int_set_allowable_enctypes
+ },
+ {
+ {GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH, GSS_KRB5_SET_CRED_RCACHE_OID},
+ gss_krb5int_set_cred_rcache
+ }
+};
+
+static OM_uint32
+krb5_gssspi_set_cred_option(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ OM_uint32 major_status = GSS_S_FAILURE;
+ size_t i;
+
+ if (minor_status == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *minor_status = 0;
+
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED;
+ return GSS_S_NO_CRED;
+ }
+
+ if (desired_object == GSS_C_NO_OID)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ major_status = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major_status))
+ return major_status;
+
+ for (i = 0; i < sizeof(krb5_gssspi_set_cred_option_ops)/
+ sizeof(krb5_gssspi_set_cred_option_ops[0]); i++) {
+ if (g_OID_prefix_equal(desired_object, &krb5_gssspi_set_cred_option_ops[i].oid)) {
+ return (*krb5_gssspi_set_cred_option_ops[i].func)(minor_status,
+ cred_handle,
+ desired_object,
+ value);
+ }
+ }
+
+ *minor_status = EINVAL;
+
+ return GSS_S_UNAVAILABLE;
+}
+
+/*
+ * gssspi_mech_invoke() methods
+ */
+static struct {
+ gss_OID_desc oid;
+ OM_uint32 (*func)(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
+} krb5_gssspi_mech_invoke_ops[] = {
+ {
+ {GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID},
+ gss_krb5int_register_acceptor_identity
+ },
+ {
+ {GSS_KRB5_CCACHE_NAME_OID_LENGTH, GSS_KRB5_CCACHE_NAME_OID},
+ gss_krb5int_ccache_name
+ },
+ {
+ {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID},
+ gss_krb5int_free_lucid_sec_context
+ },
+ {
+ {GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID},
+ krb5int_gss_use_kdc_context
+ }
+};
+
+static OM_uint32
+krb5_gssspi_mech_invoke (OM_uint32 *minor_status,
+ const gss_OID desired_mech,
+ const gss_OID desired_object,
+ gss_buffer_t value)
+{
+ size_t i;
+
+ if (minor_status == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *minor_status = 0;
+
+ if (desired_mech == GSS_C_NO_OID)
+ return GSS_S_BAD_MECH;
+
+ if (desired_object == GSS_C_NO_OID)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+
+ for (i = 0; i < sizeof(krb5_gssspi_mech_invoke_ops)/
+ sizeof(krb5_gssspi_mech_invoke_ops[0]); i++) {
+ if (g_OID_prefix_equal(desired_object, &krb5_gssspi_mech_invoke_ops[i].oid)) {
+ return (*krb5_gssspi_mech_invoke_ops[i].func)(minor_status,
+ desired_mech,
+ desired_object,
+ value);
+ }
+ }
+
+ *minor_status = EINVAL;
+
+ return GSS_S_UNAVAILABLE;
+}
+
+static struct gss_config krb5_mechanism = {
+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
+ NULL,
+ krb5_gss_acquire_cred,
+ krb5_gss_release_cred,
+ krb5_gss_init_sec_context,
+#ifdef LEAN_CLIENT
+ NULL,
+#else
+ krb5_gss_accept_sec_context,
+#endif
+ krb5_gss_process_context_token,
+ krb5_gss_delete_sec_context,
+ krb5_gss_context_time,
+ krb5_gss_get_mic,
+ krb5_gss_verify_mic,
+#ifdef IOV_SHIM_EXERCISE
+ NULL,
+ NULL,
+#else
+ krb5_gss_wrap,
+ krb5_gss_unwrap,
+#endif
+ krb5_gss_display_status,
+ krb5_gss_indicate_mechs,
+ krb5_gss_compare_name,
+ krb5_gss_display_name,
+ krb5_gss_import_name,
+ krb5_gss_release_name,
+ krb5_gss_inquire_cred,
+ krb5_gss_add_cred,
+#ifdef LEAN_CLIENT
+ NULL,
+ NULL,
+#else
+ krb5_gss_export_sec_context,
+ krb5_gss_import_sec_context,
+#endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+ krb5_gss_inquire_context,
+ krb5_gss_internal_release_oid,
+ krb5_gss_wrap_size_limit,
+ krb5_gss_export_name,
+ NULL, /* store_cred */
+ NULL, /* import_name_object */
+ NULL, /* export_name_object */
+ krb5_gss_inquire_sec_context_by_oid,
+ krb5_gss_inquire_cred_by_oid,
+ krb5_gss_set_sec_context_option,
+ krb5_gssspi_set_cred_option,
+ krb5_gssspi_mech_invoke,
+ NULL, /* wrap_aead */
+ NULL, /* unwrap_aead */
+ krb5_gss_wrap_iov,
+ krb5_gss_unwrap_iov,
+ krb5_gss_wrap_iov_length,
+ NULL, /* complete_auth_token */
+};
+
+
+#ifdef _GSS_STATIC_LINK
+#include "mglueP.h"
+static int gss_krb5mechglue_init(void)
+{
+ struct gss_mech_config mech_krb5;
+
+ memset(&mech_krb5, 0, sizeof(mech_krb5));
+ mech_krb5.mech = &krb5_mechanism;
+ mech_krb5.mechNameStr = "kerberos_v5";
+ mech_krb5.mech_type = (gss_OID)gss_mech_krb5;
+
+ gssint_register_mechinfo(&mech_krb5);
+
+ mech_krb5.mechNameStr = "kerberos_v5_old";
+ mech_krb5.mech_type = (gss_OID)gss_mech_krb5_old;
+ gssint_register_mechinfo(&mech_krb5);
+
+ mech_krb5.mechNameStr = "mskrb";
+ mech_krb5.mech_type = (gss_OID)gss_mech_krb5_wrong;
+ gssint_register_mechinfo(&mech_krb5);
+
+ return 0;
+}
+#else
+MAKE_INIT_FUNCTION(gss_krb5int_lib_init);
+MAKE_FINI_FUNCTION(gss_krb5int_lib_fini);
+
+gss_mechanism KRB5_CALLCONV
+gss_mech_initialize(void)
+{
+ return &krb5_mechanism;
+}
+#endif /* _GSS_STATIC_LINK */
+
+int gss_krb5int_lib_init(void)
+{
+ int err;
+
+#ifdef SHOW_INITFINI_FUNCS
+ printf("gss_krb5int_lib_init\n");
+#endif
+
+ add_error_table(&et_ggss_error_table);
+
+#ifndef LEAN_CLIENT
+ err = k5_mutex_finish_init(&gssint_krb5_keytab_lock);
+ if (err)
+ return err;
+#endif /* LEAN_CLIENT */
+ err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free);
+ if (err)
+ return err;
+ err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free);
+ if (err)
+ return err;
+ err = k5_key_register(K5_KEY_GSS_KRB5_ERROR_MESSAGE,
+ krb5_gss_delete_error_info);
+ if (err)
+ return err;
+#ifndef _WIN32
+ err = k5_mutex_finish_init(&kg_kdc_flag_mutex);
+ if (err)
+ return err;
+ err = k5_mutex_finish_init(&kg_vdb.mutex);
+ if (err)
+ return err;
+#endif
+#ifdef _GSS_STATIC_LINK
+ err = gss_krb5mechglue_init();
+ if (err)
+ return err;
+#endif
+
+ return 0;
+}
+
+void gss_krb5int_lib_fini(void)
+{
+#ifndef _GSS_STATIC_LINK
+ if (!INITIALIZER_RAN(gss_krb5int_lib_init) || PROGRAM_EXITING()) {
+# ifdef SHOW_INITFINI_FUNCS
+ printf("gss_krb5int_lib_fini: skipping\n");
+# endif
+ return;
+ }
+#endif
+#ifdef SHOW_INITFINI_FUNCS
+ printf("gss_krb5int_lib_fini\n");
+#endif
+ remove_error_table(&et_k5g_error_table);
+
+ k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME);
+ k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME);
+ k5_mutex_destroy(&kg_vdb.mutex);
+#ifndef _WIN32
+ k5_mutex_destroy(&kg_kdc_flag_mutex);
+#endif
+#ifndef LEAN_CLIENT
+ k5_mutex_destroy(&gssint_krb5_keytab_lock);
+#endif /* LEAN_CLIENT */
+}
+
+#ifdef _GSS_STATIC_LINK
+extern OM_uint32 gssint_lib_init(void);
+#endif
+
+OM_uint32 gss_krb5int_initialize_library (void)
+{
+#ifdef _GSS_STATIC_LINK
+ return gssint_mechglue_initialize_library();
+#else
+ return CALL_INIT_FUNCTION(gss_krb5int_lib_init);
+#endif
+}
+
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.hin
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.hin 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/gssapi_krb5.hin 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
-/* -*- c -*-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -24,6 +25,7 @@
#define _GSSAPI_KRB5_H_
#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_ext.h>
#include <krb5.h>
/* C++ friendlyness */
@@ -50,7 +52,7 @@
* "GSS_C_NT_HOSTBASED_SERVICE". */
/* 2.2.1. User Name Form */
-#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
+#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) user_name(1)}. The recommended symbolic name for this
@@ -68,7 +70,7 @@
/* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) string_uid_name(3)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
@@ -82,12 +84,12 @@
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
-#define gss_krb5_nt_general_name gss_nt_krb5_name
-#define gss_krb5_nt_principal gss_nt_krb5_principal
-#define gss_krb5_nt_service_name gss_nt_service_name
-#define gss_krb5_nt_user_name gss_nt_user_name
-#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
-#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
+#define gss_krb5_nt_general_name gss_nt_krb5_name
+#define gss_krb5_nt_principal gss_nt_krb5_principal
+#define gss_krb5_nt_service_name gss_nt_service_name
+#define gss_krb5_nt_user_name gss_nt_user_name
+#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
+#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
#if defined(_WIN32)
@@ -99,48 +101,48 @@
typedef struct gss_krb5_lucid_key {
- OM_uint32 type; /* key encryption type */
- OM_uint32 length; /* length of key data */
- void * data; /* actual key data */
+ OM_uint32 type; /* key encryption type */
+ OM_uint32 length; /* length of key data */
+ void * data; /* actual key data */
} gss_krb5_lucid_key_t;
typedef struct gss_krb5_rfc1964_keydata {
- OM_uint32 sign_alg; /* signing algorthm */
- OM_uint32 seal_alg; /* seal/encrypt algorthm */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
+ OM_uint32 sign_alg; /* signing algorthm */
+ OM_uint32 seal_alg; /* seal/encrypt algorthm */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
typedef struct gss_krb5_cfx_keydata {
- OM_uint32 have_acceptor_subkey;
- /* 1 if there is an acceptor_subkey
- present, 0 otherwise */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
- gss_krb5_lucid_key_t acceptor_subkey;
- /* acceptor-asserted subkey or
- 0's if no acceptor subkey */
+ OM_uint32 have_acceptor_subkey;
+ /* 1 if there is an acceptor_subkey
+ present, 0 otherwise */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
+ gss_krb5_lucid_key_t acceptor_subkey;
+ /* acceptor-asserted subkey or
+ 0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;
typedef struct gss_krb5_lucid_context_v1 {
- OM_uint32 version; /* Structure version number (1)
- MUST be at beginning of struct! */
- OM_uint32 initiate; /* Are we the initiator? */
- OM_uint32 endtime; /* expiration time of context */
- gss_uint64 send_seq; /* sender sequence number */
- gss_uint64 recv_seq; /* receive sequence number */
- OM_uint32 protocol; /* 0: rfc1964,
- 1: draft-ietf-krb-wg-gssapi-cfx-07 */
- /*
- * if (protocol == 0) rfc1964_kd should be used
- * and cfx_kd contents are invalid and should be zero
- * if (protocol == 1) cfx_kd should be used
- * and rfc1964_kd contents are invalid and should be zero
- */
- gss_krb5_rfc1964_keydata_t rfc1964_kd;
- gss_krb5_cfx_keydata_t cfx_kd;
+ OM_uint32 version; /* Structure version number (1)
+ MUST be at beginning of struct! */
+ OM_uint32 initiate; /* Are we the initiator? */
+ OM_uint32 endtime; /* expiration time of context */
+ gss_uint64 send_seq; /* sender sequence number */
+ gss_uint64 recv_seq; /* receive sequence number */
+ OM_uint32 protocol; /* 0: rfc1964,
+ 1: draft-ietf-krb-wg-gssapi-cfx-07 */
+ /*
+ * if (protocol == 0) rfc1964_kd should be used
+ * and cfx_kd contents are invalid and should be zero
+ * if (protocol == 1) cfx_kd should be used
+ * and rfc1964_kd contents are invalid and should be zero
+ */
+ gss_krb5_rfc1964_keydata_t rfc1964_kd;
+ gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;
/*
@@ -148,7 +150,7 @@
* See example below for usage.
*/
typedef struct gss_krb5_lucid_context_version {
- OM_uint32 version; /* Structure version number */
+ OM_uint32 version; /* Structure version number */
} gss_krb5_lucid_context_version_t;
@@ -159,19 +161,19 @@
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
-OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags
- (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags);
+OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_flags *ticket_flags);
-OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
- (OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache);
+OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache);
-OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
- (OM_uint32 *minor_status, const char *name,
- const char **out_name);
+OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
+ OM_uint32 *minor_status, const char *name,
+ const char **out_name);
/*
* gss_krb5_set_allowable_enctypes
@@ -197,14 +199,14 @@
*
*/
OM_uint32 KRB5_CALLCONV
-gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes);
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes);
/*
* Returns a non-opaque (lucid) version of the internal context
- * information.
+ * information.
*
* Note that context_handle must not be used again by the caller
* after this call. The GSS implementation is free to release any
@@ -212,7 +214,7 @@
* GSS implementation whether it returns pointers to existing data,
* or copies of the data. The caller should treat the returned
* lucid context as read-only.
- *
+ *
* The caller must call gss_krb5_free_lucid_context() to free
* the context and allocated resources when it is finished with it.
*
@@ -228,33 +230,33 @@
* (XXX Need error definition(s))
*
* For example:
- * void *return_ctx;
- * gss_krb5_lucid_context_v1_t *ctx;
- * OM_uint32 min_stat, maj_stat;
- * OM_uint32 vers;
- * gss_ctx_id_t *ctx_handle;
+ * void *return_ctx;
+ * gss_krb5_lucid_context_v1_t *ctx;
+ * OM_uint32 min_stat, maj_stat;
+ * OM_uint32 vers;
+ * gss_ctx_id_t *ctx_handle;
*
- * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
- * ctx_handle, 1, &return_ctx);
- * // Verify success
+ * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+ * ctx_handle, 1, &return_ctx);
+ * // Verify success
*
- * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
- * switch (vers) {
- * case 1:
- * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
- * break;
- * default:
- * // Error, unknown version returned
- * break;
- * }
+ * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
+ * switch (vers) {
+ * case 1:
+ * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
+ * break;
+ * default:
+ * // Error, unknown version returned
+ * break;
+ * }
*
*/
OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx);
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);
/*
* Frees the allocated storage associated with an
@@ -262,9 +264,23 @@
*/
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
- void *kctx);
+ void *kctx);
+OM_uint32 KRB5_CALLCONV
+gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int ad_type,
+ gss_buffer_t ad_data);
+
+OM_uint32 KRB5_CALLCONV
+gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ krb5_rcache rcache);
+
+OM_uint32 KRB5_CALLCONV
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
+
#ifdef __cplusplus
}
#endif /* __cplusplus */
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/import_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/import_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/import_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -39,201 +40,201 @@
/*
* errors:
- * GSS_S_BAD_NAMETYPE if the type is bogus
- * GSS_S_BAD_NAME if the type is good but the name is bogus
- * GSS_S_FAILURE if memory allocation fails
+ * GSS_S_BAD_NAMETYPE if the type is bogus
+ * GSS_S_BAD_NAME if the type is good but the name is bogus
+ * GSS_S_FAILURE if memory allocation fails
*/
OM_uint32
-krb5_gss_import_name(minor_status, input_name_buffer,
- input_name_type, output_name)
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_OID input_name_type;
- gss_name_t *output_name;
+krb5_gss_import_name(minor_status, input_name_buffer,
+ input_name_type, output_name)
+ OM_uint32 *minor_status;
+ gss_buffer_t input_name_buffer;
+ gss_OID input_name_type;
+ gss_name_t *output_name;
{
- krb5_context context;
- krb5_principal princ;
- krb5_error_code code;
- char *stringrep, *tmp, *tmp2, *cp;
- OM_uint32 length;
+ krb5_context context;
+ krb5_principal princ;
+ krb5_error_code code;
+ char *stringrep, *tmp, *tmp2, *cp;
+ OM_uint32 length;
#ifndef NO_PASSWORD
- struct passwd *pw;
+ struct passwd *pw;
#endif
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- /* set up default returns */
+ /* set up default returns */
- *output_name = NULL;
- *minor_status = 0;
+ *output_name = NULL;
+ *minor_status = 0;
- /* Go find the appropriate string rep to pass into parse_name */
+ /* Go find the appropriate string rep to pass into parse_name */
- if ((input_name_type != GSS_C_NULL_OID) &&
- (g_OID_equal(input_name_type, gss_nt_service_name) ||
- g_OID_equal(input_name_type, gss_nt_service_name_v2))) {
- char *service, *host;
+ if ((input_name_type != GSS_C_NULL_OID) &&
+ (g_OID_equal(input_name_type, gss_nt_service_name) ||
+ g_OID_equal(input_name_type, gss_nt_service_name_v2))) {
+ char *service, *host;
- if ((tmp =
- (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if ((tmp =
+ (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
- tmp[input_name_buffer->length] = 0;
+ memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
+ tmp[input_name_buffer->length] = 0;
- service = tmp;
- if ((host = strchr(tmp, '@'))) {
- *host = '\0';
- host++;
- }
+ service = tmp;
+ if ((host = strchr(tmp, '@'))) {
+ *host = '\0';
+ host++;
+ }
- code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST,
- &princ);
+ code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST,
+ &princ);
- xfree(tmp);
- } else if ((input_name_type != GSS_C_NULL_OID) &&
- (g_OID_equal(input_name_type, gss_nt_krb5_principal))) {
- krb5_principal input;
+ xfree(tmp);
+ } else if ((input_name_type != GSS_C_NULL_OID) &&
+ (g_OID_equal(input_name_type, gss_nt_krb5_principal))) {
+ krb5_principal input;
- if (input_name_buffer->length != sizeof(krb5_principal)) {
- *minor_status = (OM_uint32) G_WRONG_SIZE;
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
+ if (input_name_buffer->length != sizeof(krb5_principal)) {
+ *minor_status = (OM_uint32) G_WRONG_SIZE;
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
- input = *((krb5_principal *) input_name_buffer->value);
+ input = *((krb5_principal *) input_name_buffer->value);
- if ((code = krb5_copy_principal(context, input, &princ))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
+ if ((code = krb5_copy_principal(context, input, &princ))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
#ifndef NO_PASSWORD
- uid_t uid;
- struct passwd pwx;
- char pwbuf[BUFSIZ];
+ uid_t uid;
+ struct passwd pwx;
+ char pwbuf[BUFSIZ];
#endif
- stringrep = NULL;
+ stringrep = NULL;
- if ((tmp =
- (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- tmp2 = 0;
+ if ((tmp =
+ (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ tmp2 = 0;
- memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
- tmp[input_name_buffer->length] = 0;
+ memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
+ tmp[input_name_buffer->length] = 0;
- if ((input_name_type == GSS_C_NULL_OID) ||
- g_OID_equal(input_name_type, gss_nt_krb5_name) ||
- g_OID_equal(input_name_type, gss_nt_user_name)) {
- stringrep = (char *) tmp;
+ if ((input_name_type == GSS_C_NULL_OID) ||
+ g_OID_equal(input_name_type, gss_nt_krb5_name) ||
+ g_OID_equal(input_name_type, gss_nt_user_name)) {
+ stringrep = (char *) tmp;
#ifndef NO_PASSWORD
- } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) {
- uid = *(uid_t *) input_name_buffer->value;
- do_getpwuid:
- if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0)
- stringrep = pw->pw_name;
- else
- *minor_status = (OM_uint32) G_NOUSER;
- } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) {
- uid = atoi(tmp);
- goto do_getpwuid;
+ } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) {
+ uid = *(uid_t *) input_name_buffer->value;
+ do_getpwuid:
+ if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0)
+ stringrep = pw->pw_name;
+ else
+ *minor_status = (OM_uint32) G_NOUSER;
+ } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) {
+ uid = atoi(tmp);
+ goto do_getpwuid;
#endif
- } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
- cp = tmp;
- if (*cp++ != 0x04)
- goto fail_name;
- if (*cp++ != 0x01)
- goto fail_name;
- if (*cp++ != 0x00)
- goto fail_name;
- length = *cp++;
- if (length != gss_mech_krb5->length+2)
- goto fail_name;
- if (*cp++ != 0x06)
- goto fail_name;
- length = *cp++;
- if (length != gss_mech_krb5->length)
- goto fail_name;
- if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
- goto fail_name;
- cp += length;
- length = *cp++;
- length = (length << 8) | *cp++;
- length = (length << 8) | *cp++;
- length = (length << 8) | *cp++;
- tmp2 = malloc(length+1);
- if (tmp2 == NULL) {
- xfree(tmp);
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- strncpy(tmp2, cp, length);
- tmp2[length] = 0;
-
- stringrep = tmp2;
- } else {
- xfree(tmp);
- krb5_free_context(context);
- return(GSS_S_BAD_NAMETYPE);
- }
+ } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
+ cp = tmp;
+ if (*cp++ != 0x04)
+ goto fail_name;
+ if (*cp++ != 0x01)
+ goto fail_name;
+ if (*cp++ != 0x00)
+ goto fail_name;
+ length = *cp++;
+ if (length != gss_mech_krb5->length+2)
+ goto fail_name;
+ if (*cp++ != 0x06)
+ goto fail_name;
+ length = *cp++;
+ if (length != gss_mech_krb5->length)
+ goto fail_name;
+ if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
+ goto fail_name;
+ cp += length;
+ length = *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+ tmp2 = malloc(length+1);
+ if (tmp2 == NULL) {
+ xfree(tmp);
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ strncpy(tmp2, cp, length);
+ tmp2[length] = 0;
- /* at this point, stringrep is set, or if not, *minor_status is. */
+ stringrep = tmp2;
+ } else {
+ xfree(tmp);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAMETYPE);
+ }
- if (stringrep)
- code = krb5_parse_name(context, (char *) stringrep, &princ);
- else {
- fail_name:
- xfree(tmp);
- if (tmp2)
- xfree(tmp2);
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
-
- if (tmp2)
- xfree(tmp2);
- xfree(tmp);
- }
+ /* at this point, stringrep is set, or if not, *minor_status is. */
- /* at this point, a krb5 function has been called to set princ. code
- contains the return status */
+ if (stringrep)
+ code = krb5_parse_name(context, (char *) stringrep, &princ);
+ else {
+ fail_name:
+ xfree(tmp);
+ if (tmp2)
+ xfree(tmp2);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
- if (code) {
- *minor_status = (OM_uint32) code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
+ if (tmp2)
+ xfree(tmp2);
+ xfree(tmp);
+ }
- /* save the name in the validation database */
+ /* at this point, a krb5 function has been called to set princ. code
+ contains the return status */
- if (! kg_save_name((gss_name_t) princ)) {
- krb5_free_principal(context, princ);
- krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
+ if (code) {
+ *minor_status = (OM_uint32) code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
- krb5_free_context(context);
+ /* save the name in the validation database */
- /* return it */
+ if (! kg_save_name((gss_name_t) princ)) {
+ krb5_free_principal(context, princ);
+ krb5_free_context(context);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
- *output_name = (gss_name_t) princ;
- return(GSS_S_COMPLETE);
+ krb5_free_context(context);
+
+ /* return it */
+
+ *output_name = (gss_name_t) princ;
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/import_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/import_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/import_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/import_sec_context.c
*
@@ -26,7 +27,7 @@
*/
/*
- * import_sec_context.c - Internalize the security context.
+ * import_sec_context.c - Internalize the security context.
*/
#include "gssapiP_krb5.h"
/* for serialization initialization functions */
@@ -37,19 +38,19 @@
* the OID if possible.
*/
gss_OID krb5_gss_convert_static_mech_oid(oid)
- gss_OID oid;
+ gss_OID oid;
{
- const gss_OID_desc *p;
- OM_uint32 minor_status;
-
- for (p = krb5_gss_oid_array; p->length; p++) {
- if ((oid->length == p->length) &&
- (memcmp(oid->elements, p->elements, p->length) == 0)) {
- gss_release_oid(&minor_status, &oid);
- return (gss_OID) p;
- }
- }
- return oid;
+ const gss_OID_desc *p;
+ OM_uint32 minor_status;
+
+ for (p = krb5_gss_oid_array; p->length; p++) {
+ if ((oid->length == p->length) &&
+ (memcmp(oid->elements, p->elements, p->length) == 0)) {
+ generic_gss_release_oid(&minor_status, &oid);
+ return (gss_OID) p;
+ }
+ }
+ return oid;
}
krb5_error_code
@@ -57,28 +58,28 @@
{
krb5_error_code code;
static krb5_error_code (KRB5_CALLCONV *const fns[])(krb5_context) = {
- krb5_ser_context_init, krb5_ser_auth_context_init,
- krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init,
+ krb5_ser_context_init, krb5_ser_auth_context_init,
+ krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init,
};
unsigned int i;
for (i = 0; i < sizeof(fns)/sizeof(fns[0]); i++)
- if ((code = (fns[i])(context)) != 0)
- return code;
+ if ((code = (fns[i])(context)) != 0)
+ return code;
return 0;
}
OM_uint32
krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle)
- OM_uint32 *minor_status;
- gss_buffer_t interprocess_token;
- gss_ctx_id_t *context_handle;
+ OM_uint32 *minor_status;
+ gss_buffer_t interprocess_token;
+ gss_ctx_id_t *context_handle;
{
- krb5_context context;
- krb5_error_code kret = 0;
- size_t blen;
- krb5_gss_ctx_id_t ctx;
- krb5_octet *ibp;
+ krb5_context context;
+ krb5_error_code kret = 0;
+ size_t blen;
+ krb5_gss_ctx_id_t ctx;
+ krb5_octet *ibp;
/* This is a bit screwy. We create a krb5 context because we need
one when calling the serialization code. However, one of the
@@ -86,15 +87,15 @@
we can throw this one away. */
kret = krb5_gss_init_context(&context);
if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
+ *minor_status = kret;
+ return GSS_S_FAILURE;
}
kret = krb5_gss_ser_init(context);
if (kret) {
- *minor_status = kret;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
+ *minor_status = kret;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
}
/* Assume a tragic failure */
@@ -107,20 +108,20 @@
kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen);
krb5_free_context(context);
if (kret) {
- *minor_status = (OM_uint32) kret;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = (OM_uint32) kret;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
/* intern the context handle */
if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- (gss_ctx_id_t *) &ctx, NULL);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
+ (void)krb5_gss_delete_sec_context(minor_status,
+ (gss_ctx_id_t *) &ctx, NULL);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
}
ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
-
+
*context_handle = (gss_ctx_id_t) ctx;
*minor_status = 0;
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/indicate_mechs.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/indicate_mechs.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/indicate_mechs.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -29,16 +30,8 @@
OM_uint32
krb5_gss_indicate_mechs(minor_status, mech_set)
- OM_uint32 *minor_status;
- gss_OID_set *mech_set;
+ OM_uint32 *minor_status;
+ gss_OID_set *mech_set;
{
- *minor_status = 0;
-
- if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
- *mech_set = GSS_C_NO_OID_SET;
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- return(GSS_S_COMPLETE);
+ return generic_gss_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/init_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/init_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,12 +1,13 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
- * Copyright 2000,2002, 2003, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2002, 2003, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -46,14 +47,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -64,14 +65,40 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
-#include "gss_libinit.h"
#include "gssapiP_krb5.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
@@ -92,7 +119,7 @@
* ccache.
*/
static krb5_error_code get_credentials(context, cred, server, now,
- endtime, out_creds)
+ endtime, out_creds)
krb5_context context;
krb5_gss_cred_id_t cred;
krb5_principal server;
@@ -100,24 +127,24 @@
krb5_timestamp endtime;
krb5_creds **out_creds;
{
- krb5_error_code code;
- krb5_creds in_creds;
+ krb5_error_code code;
+ krb5_creds in_creds;
k5_mutex_assert_locked(&cred->lock);
memset((char *) &in_creds, 0, sizeof(krb5_creds));
if ((code = krb5_copy_principal(context, cred->princ, &in_creds.client)))
- goto cleanup;
+ goto cleanup;
if ((code = krb5_copy_principal(context, server, &in_creds.server)))
- goto cleanup;
+ goto cleanup;
in_creds.times.endtime = endtime;
in_creds.keyblock.enctype = 0;
code = krb5_get_credentials(context, 0, cred->ccache,
- &in_creds, out_creds);
+ &in_creds, out_creds);
if (code)
- goto cleanup;
+ goto cleanup;
/*
* Enforce a stricter limit (without timeskew forgiveness at the
@@ -125,16 +152,16 @@
* non-forgiving.
*/
if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
- (*out_creds)->times.endtime < now) {
- code = KRB5KRB_AP_ERR_TKT_EXPIRED;
- goto cleanup;
+ (*out_creds)->times.endtime < now) {
+ code = KRB5KRB_AP_ERR_TKT_EXPIRED;
+ goto cleanup;
}
-
+
cleanup:
if (in_creds.client)
- krb5_free_principal(context, in_creds.client);
+ krb5_free_principal(context, in_creds.client);
if (in_creds.server)
- krb5_free_principal(context, in_creds.server);
+ krb5_free_principal(context, in_creds.server);
return code;
}
struct gss_checksum_data {
@@ -149,7 +176,7 @@
#endif
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
- void *cksum_data, krb5_data **out)
+ void *cksum_data, krb5_data **out)
{
krb5_error_code code;
krb5_int32 con_flags;
@@ -163,48 +190,48 @@
/* build the checksum field */
if (data->ctx->gss_flags & GSS_C_DELEG_FLAG) {
- /* first get KRB_CRED message, so we know its length */
+ /* first get KRB_CRED message, so we know its length */
- /* clear the time check flag that was set in krb5_auth_con_init() */
- krb5_auth_con_getflags(context, auth_context, &con_flags);
- krb5_auth_con_setflags(context, auth_context,
- con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
+ /* clear the time check flag that was set in krb5_auth_con_init() */
+ krb5_auth_con_getflags(context, auth_context, &con_flags);
+ krb5_auth_con_setflags(context, auth_context,
+ con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
- code = krb5_fwd_tgt_creds(context, auth_context, 0,
- data->cred->princ, data->ctx->there,
- data->cred->ccache, 1,
- &credmsg);
+ code = krb5_fwd_tgt_creds(context, auth_context, 0,
+ data->cred->princ, data->ctx->there,
+ data->cred->ccache, 1,
+ &credmsg);
- /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
- krb5_auth_con_setflags(context, auth_context, con_flags);
+ /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+ krb5_auth_con_setflags(context, auth_context, con_flags);
- if (code) {
- /* don't fail here; just don't accept/do the delegation
+ if (code) {
+ /* don't fail here; just don't accept/do the delegation
request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
- data->checksum_data.length = 24;
- } else {
- if (credmsg.length+28 > KRB5_INT16_MAX) {
- krb5_free_data_contents(context, &credmsg);
- return(KRB5KRB_ERR_FIELD_TOOLONG);
- }
+ data->checksum_data.length = 24;
+ } else {
+ if (credmsg.length+28 > KRB5_INT16_MAX) {
+ krb5_free_data_contents(context, &credmsg);
+ return(KRB5KRB_ERR_FIELD_TOOLONG);
+ }
- data->checksum_data.length = 28+credmsg.length;
- }
+ data->checksum_data.length = 28+credmsg.length;
+ }
} else {
- data->checksum_data.length = 24;
+ data->checksum_data.length = 24;
}
#ifdef CFX_EXERCISE
if (data->ctx->auth_context->keyblock != NULL
- && data->ctx->auth_context->keyblock->enctype == 18) {
- srand(time(0) ^ getpid());
- /* Our ftp client code stupidly assumes a base64-encoded
- version of the token will fit in 10K, so don't make this
- too big. */
- junk = rand() & 0xff;
+ && data->ctx->auth_context->keyblock->enctype == 18) {
+ srand(time(0) ^ getpid());
+ /* Our ftp client code stupidly assumes a base64-encoded
+ version of the token will fit in 10K, so don't make this
+ too big. */
+ junk = rand() & 0xff;
} else
- junk = 0;
+ junk = 0;
#else
junk = 0;
#endif
@@ -215,13 +242,13 @@
(maybe) KRB_CRED msg */
if ((data->checksum_data.data =
- (char *) xmalloc(data->checksum_data.length)) == NULL) {
- if (credmsg.data)
- krb5_free_data_contents(context, &credmsg);
- return(ENOMEM);
+ (char *) xmalloc(data->checksum_data.length)) == NULL) {
+ if (credmsg.data)
+ krb5_free_data_contents(context, &credmsg);
+ return(ENOMEM);
}
- ptr = data->checksum_data.data;
+ ptr = (unsigned char *)data->checksum_data.data;
TWRITE_INT(ptr, data->md5.length, 0);
TWRITE_STR(ptr, (unsigned char *) data->md5.contents, data->md5.length);
@@ -231,19 +258,19 @@
xfree(data->md5.contents);
if (credmsg.data) {
- TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
- TWRITE_INT16(ptr, credmsg.length, 0);
- TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length);
+ TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
+ TWRITE_INT16(ptr, credmsg.length, 0);
+ TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length);
- /* free credmsg data */
- krb5_free_data_contents(context, &credmsg);
+ /* free credmsg data */
+ krb5_free_data_contents(context, &credmsg);
}
if (junk)
- memset(ptr, 'i', junk);
+ memset(ptr, 'i', junk);
*out = &data->checksum_data;
return 0;
}
-
+
static krb5_error_code
make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
krb5_context context;
@@ -273,7 +300,7 @@
return(code);
krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
- CKSUMTYPE_KG_CB);
+ CKSUMTYPE_KG_CB);
cksum_struct.md5 = md5;
cksum_struct.ctx = ctx;
cksum_struct.cred = cred;
@@ -283,15 +310,15 @@
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES3_CBC_SHA1:
- code = make_gss_checksum(context, ctx->auth_context, &cksum_struct,
- &checksum_data);
- if (code)
- goto cleanup;
- break;
+ code = make_gss_checksum(context, ctx->auth_context, &cksum_struct,
+ &checksum_data);
+ if (code)
+ goto cleanup;
+ break;
default:
- krb5_auth_con_set_checksum_func(context, ctx->auth_context,
- make_gss_checksum, &cksum_struct);
- break;
+ krb5_auth_con_set_checksum_func(context, ctx->auth_context,
+ make_gss_checksum, &cksum_struct);
+ break;
}
@@ -300,348 +327,278 @@
mk_req_flags = AP_OPTS_USE_SUBKEY;
if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
- mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
+ mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION;
code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
- checksum_data, k_cred, &ap_req);
+ checksum_data, k_cred, &ap_req);
krb5_free_data_contents(context, &cksum_struct.checksum_data);
if (code)
- goto cleanup;
+ goto cleanup;
- /* store the interesting stuff from creds and authent */
- ctx->endtime = k_cred->times.endtime;
- ctx->krb_flags = k_cred->ticket_flags;
+ /* store the interesting stuff from creds and authent */
+ ctx->krb_times = k_cred->times;
+ ctx->krb_flags = k_cred->ticket_flags;
- /* build up the token */
+ /* build up the token */
+ if (ctx->gss_flags & GSS_C_DCE_STYLE) {
+ /*
+ * For DCE RPC, do not encapsulate the AP-REQ in the
+ * typical GSS wrapping.
+ */
+ token->length = ap_req.length;
+ token->value = ap_req.data;
- /* allocate space for the token */
- tlen = g_token_size((gss_OID) mech_type, ap_req.length);
+ ap_req.data = NULL; /* don't double free */
+ } else {
+ /* allocate space for the token */
+ tlen = g_token_size((gss_OID) mech_type, ap_req.length);
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
+ if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
- /* fill in the buffer */
+ /* fill in the buffer */
+ ptr = t;
- ptr = t;
+ g_make_token_header(mech_type, ap_req.length,
+ &ptr, KG_TOK_CTX_AP_REQ);
- g_make_token_header(mech_type, ap_req.length,
- &ptr, KG_TOK_CTX_AP_REQ);
+ TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length);
- TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length);
+ /* pass it back */
- /* pass it back */
+ token->length = tlen;
+ token->value = (void *) t;
+ }
- token->length = tlen;
- token->value = (void *) t;
+ code = 0;
- code = 0;
-
- cleanup:
- if (checksum_data && checksum_data->data)
- krb5_free_data_contents(context, checksum_data);
- if (ap_req.data)
- krb5_free_data_contents(context, &ap_req);
+cleanup:
+ if (checksum_data && checksum_data->data)
+ krb5_free_data_contents(context, checksum_data);
+ if (ap_req.data)
+ krb5_free_data_contents(context, &ap_req);
- return (code);
+ return (code);
}
/*
- * setup_enc
- *
- * Fill in the encryption descriptors. Called after AP-REQ is made.
- */
-static OM_uint32
-setup_enc(
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- krb5_context context)
-{
- krb5_error_code code;
- unsigned int i;
- krb5int_access kaccess;
-
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto fail;
-
- ctx->have_acceptor_subkey = 0;
- ctx->proto = 0;
- ctx->cksumtype = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- ctx->enc->contents[i] ^= 0xf0;
-
- goto copy_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- /* MIT extension */
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- copy_subkey:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- copy_subkey_to_seq:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-
- case ENCTYPE_ARCFOUR_HMAC:
- /* Microsoft extension */
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- goto copy_subkey;
-
- default:
- /* Fill some fields we shouldn't be using on this path
- with garbage. */
- ctx->signalg = -10;
- ctx->sealalg = -10;
-
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code)
- goto fail;
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code)
- goto fail;
- goto copy_subkey;
- }
-fail:
- *minor_status = code;
- return GSS_S_FAILURE;
-}
-
-/*
* new_connection
*
* Do the grunt work of setting up a new context.
*/
static OM_uint32
new_connection(
- OM_uint32 *minor_status,
- krb5_gss_cred_id_t cred,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- krb5_context context,
- int default_mech)
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context,
+ int default_mech)
{
- OM_uint32 major_status;
- krb5_error_code code;
- krb5_creds *k_cred;
- krb5_gss_ctx_id_rec *ctx, *ctx_free;
- krb5_timestamp now;
- gss_buffer_desc token;
+ OM_uint32 major_status;
+ krb5_error_code code;
+ krb5_creds *k_cred;
+ krb5_gss_ctx_id_rec *ctx, *ctx_free;
+ krb5_timestamp now;
+ gss_buffer_desc token;
- k5_mutex_assert_locked(&cred->lock);
- major_status = GSS_S_FAILURE;
- token.length = 0;
- token.value = NULL;
+ k5_mutex_assert_locked(&cred->lock);
+ major_status = GSS_S_FAILURE;
+ token.length = 0;
+ token.value = NULL;
- /* make sure the cred is usable for init */
+ /* make sure the cred is usable for init */
- if ((cred->usage != GSS_C_INITIATE) &&
- (cred->usage != GSS_C_BOTH)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
- }
+ if ((cred->usage != GSS_C_INITIATE) &&
+ (cred->usage != GSS_C_BOTH)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
+ }
- /* complain if the input token is non-null */
+ /* complain if the input token is non-null */
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
- /* create the ctx */
+ /* create the ctx */
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- /* fill in the ctx */
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx_free = ctx;
- if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
- goto fail;
- krb5_auth_con_setflags(context, ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ /* fill in the ctx */
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx_free = ctx;
+ if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
+ goto fail;
+ krb5_auth_con_setflags(context, ctx->auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- /* limit the encryption types negotiated (if requested) */
- if (cred->req_enctypes) {
- if ((code = krb5_set_default_tgs_enctypes(context,
- cred->req_enctypes))) {
- goto fail;
- }
- }
+ /* limit the encryption types negotiated (if requested) */
+ if (cred->req_enctypes) {
+ if ((code = krb5_set_default_tgs_enctypes(context,
+ cred->req_enctypes))) {
+ goto fail;
+ }
+ }
- ctx->initiate = 1;
- ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_TRANS_FLAG |
- ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
- ctx->seed_init = 0;
- ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
- ctx->seqstate = 0;
+ ctx->initiate = 1;
+ ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_TRANS_FLAG |
+ ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |
+ GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
+ GSS_C_EXTENDED_ERROR_FLAG)));
+ ctx->seed_init = 0;
+ ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
+ ctx->seqstate = 0;
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
+ if (req_flags & GSS_C_DCE_STYLE)
+ ctx->gss_flags |= GSS_C_MUTUAL_FLAG;
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->endtime = 0;
- } else {
- ctx->endtime = now + time_req;
- }
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
- goto fail;
-
- if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
- &ctx->there)))
- goto fail;
+ if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
+ ctx->krb_times.endtime = 0;
+ } else {
+ ctx->krb_times.endtime = now + time_req;
+ }
- code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, &k_cred);
- if (code)
- goto fail;
+ if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+ goto fail;
- if (default_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- }
+ if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
+ &ctx->there)))
+ goto fail;
- if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
- != GSS_S_COMPLETE) {
- code = *minor_status;
- goto fail;
- }
- /*
- * Now try to make it static if at all possible....
- */
- ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
+ code = get_credentials(context, cred, ctx->there, now,
+ ctx->krb_times.endtime, &k_cred);
+ if (code)
+ goto fail;
- {
- /* gsskrb5 v1 */
- krb5_ui_4 seq_temp;
- if ((code = make_ap_req_v1(context, ctx,
- cred, k_cred, input_chan_bindings,
- mech_type, &token))) {
- if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
- (code == KG_EMPTY_CCACHE))
- major_status = GSS_S_NO_CRED;
- if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
+ ctx->krb_times = k_cred->times;
- krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
- ctx->seq_send = seq_temp;
- krb5_auth_con_getsendsubkey(context, ctx->auth_context,
- &ctx->subkey);
- }
+ if (default_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ }
- major_status = setup_enc(minor_status, ctx, context);
+ if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
+ != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ /*
+ * Now try to make it static if at all possible....
+ */
+ ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
- if (k_cred) {
- krb5_free_creds(context, k_cred);
- k_cred = 0;
- }
-
- /* at this point, the context is constructed and valid,
- hence, releaseable */
+ {
+ /* gsskrb5 v1 */
+ krb5_int32 seq_temp;
+ if ((code = make_ap_req_v1(context, ctx,
+ cred, k_cred, input_chan_bindings,
+ mech_type, &token))) {
+ if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
+ (code == KG_EMPTY_CCACHE))
+ major_status = GSS_S_NO_CRED;
+ if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
- /* intern the context handle */
+ krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
+ ctx->seq_send = seq_temp;
+ krb5_auth_con_getsendsubkey(context, ctx->auth_context,
+ &ctx->subkey);
+ }
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- code = G_VALIDATE_FAILED;
- goto fail;
- }
- *context_handle = (gss_ctx_id_t) ctx;
- ctx_free = 0;
+ if (k_cred) {
+ krb5_free_creds(context, k_cred);
+ k_cred = NULL;
+ }
+ ctx->enc = NULL;
+ ctx->seq = NULL;
+ ctx->have_acceptor_subkey = 0;
+ code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype);
+ if (code != 0)
+ goto fail;
- /* compute time_rec */
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
+ /* at this point, the context is constructed and valid,
+ hence, releaseable */
- /* set the other returns */
- *output_token = token;
+ /* intern the context handle */
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
+ *context_handle = (gss_ctx_id_t) ctx;
+ ctx_free = 0;
- if (actual_mech_type)
- *actual_mech_type = mech_type;
+ /* compute time_rec */
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->krb_times.endtime - now;
+ }
- /* return successfully */
+ /* set the other returns */
+ *output_token = token;
- *minor_status = 0;
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- ctx->established = 0;
- return(GSS_S_CONTINUE_NEEDED);
- } else {
- ctx->seq_recv = ctx->seq_send;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
- ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
- ctx->established = 1;
- return(GSS_S_COMPLETE);
- }
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* return successfully */
+
+ *minor_status = 0;
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ ctx->established = 0;
+ return(GSS_S_CONTINUE_NEEDED);
+ } else {
+ ctx->seq_recv = ctx->seq_send;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
+ ctx->established = 1;
+ return(GSS_S_COMPLETE);
+ }
+
fail:
- if (ctx_free) {
- if (ctx_free->auth_context)
- krb5_auth_con_free(context, ctx_free->auth_context);
- if (ctx_free->here)
- krb5_free_principal(context, ctx_free->here);
- if (ctx_free->there)
- krb5_free_principal(context, ctx_free->there);
- if (ctx_free->subkey)
- krb5_free_keyblock(context, ctx_free->subkey);
- xfree(ctx_free);
- } else
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ if (ctx_free) {
+ if (ctx_free->auth_context)
+ krb5_auth_con_free(context, ctx_free->auth_context);
+ if (ctx_free->here)
+ krb5_free_principal(context, ctx_free->here);
+ if (ctx_free->there)
+ krb5_free_principal(context, ctx_free->there);
+ if (ctx_free->subkey)
+ krb5_free_keyblock(context, ctx_free->subkey);
+ xfree(ctx_free);
+ } else
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- *minor_status = code;
- return (major_status);
+ *minor_status = code;
+ return (major_status);
}
/*
@@ -651,180 +608,199 @@
*/
static OM_uint32
mutual_auth(
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- krb5_context context)
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context)
{
- OM_uint32 major_status;
- unsigned char *ptr;
- char *sptr;
- krb5_data ap_rep;
- krb5_ap_rep_enc_part *ap_rep_data;
- krb5_timestamp now;
- krb5_gss_ctx_id_rec *ctx;
- krb5_error *krb_error;
- krb5_error_code code;
- krb5int_access kaccess;
+ OM_uint32 major_status;
+ unsigned char *ptr;
+ char *sptr;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_data;
+ krb5_timestamp now;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error *krb_error;
+ krb5_error_code code;
+ krb5int_access kaccess;
- major_status = GSS_S_FAILURE;
+ major_status = GSS_S_FAILURE;
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto fail;
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto fail;
- /* validate the context handle */
- /*SUPPRESS 29*/
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ /*SUPPRESS 29*/
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_t) *context_handle;
+ ctx = (krb5_gss_ctx_id_t) *context_handle;
- /* make sure the context is non-established, and that certain
- arguments are unchanged */
+ /* make sure the context is non-established, and that certain
+ arguments are unchanged */
- if ((ctx->established) ||
- ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
- code = KG_CONTEXT_ESTABLISHED;
- goto fail;
- }
+ if ((ctx->established) ||
+ ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
+ code = KG_CONTEXT_ESTABLISHED;
+ goto fail;
+ }
- if (! krb5_principal_compare(context, ctx->there,
- (krb5_principal) target_name)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_BAD_NAME;
- goto fail;
- }
+ if (! krb5_principal_compare(context, ctx->there,
+ (krb5_principal) target_name)) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_BAD_NAME;
+ goto fail;
+ }
- /* verify the token and leave the AP_REP message in ap_rep */
+ /* verify the token and leave the AP_REP message in ap_rep */
- if (input_token == GSS_C_NO_BUFFER) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
+ if (input_token == GSS_C_NO_BUFFER) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
- ptr = (unsigned char *) input_token->value;
+ ptr = (unsigned char *) input_token->value;
- if (g_verify_token_header(ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_AP_REP,
- input_token->length, 1)) {
- if (g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_ERROR,
- input_token->length, 1) == 0) {
+ if (ctx->gss_flags & GSS_C_DCE_STYLE) {
+ /* Raw AP-REP */
+ ap_rep.length = input_token->length;
+ ap_rep.data = (char *)input_token->value;
+ } else if (g_verify_token_header(ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_AP_REP,
+ input_token->length, 1)) {
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_ERROR,
+ input_token->length, 1) == 0) {
- /* Handle a KRB_ERROR message from the server */
+ /* Handle a KRB_ERROR message from the server */
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- code = krb5_rd_error(context, &ap_rep, &krb_error);
- if (code)
- goto fail;
- if (krb_error->error)
- code = krb_error->error + ERROR_TABLE_BASE_krb5;
- else
- code = 0;
- krb5_free_error(context, krb_error);
- goto fail;
- } else {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
- }
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+ code = krb5_rd_error(context, &ap_rep, &krb_error);
+ if (code)
+ goto fail;
+ if (krb_error->error)
+ code = (krb5_error_code)krb_error->error + ERROR_TABLE_BASE_krb5;
+ else
+ code = 0;
+ krb5_free_error(context, krb_error);
+ goto fail;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ }
- /* decode the ap_rep */
- if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data))) {
- /*
- * XXX A hack for backwards compatiblity.
- * To be removed in 1999 -- proven
- */
- krb5_auth_con_setuseruserkey(context, ctx->auth_context,
- ctx->subkey);
- if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data)))
- goto fail;
- }
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
- /* store away the sequence number */
- ctx->seq_recv = ap_rep_data->seq_number;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
+ /* decode the ap_rep */
+ if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data))) {
+ /*
+ * XXX A hack for backwards compatiblity.
+ * To be removed in 1999 -- proven
+ */
+ krb5_auth_con_setuseruserkey(context, ctx->auth_context,
+ ctx->subkey);
+ if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data)))
+ goto fail;
+ }
- if (ctx->proto == 1 && ap_rep_data->subkey) {
- /* Keep acceptor's subkey. */
- ctx->have_acceptor_subkey = 1;
- code = krb5_copy_keyblock(context, ap_rep_data->subkey,
- &ctx->acceptor_subkey);
- if (code)
- goto fail;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code)
- goto fail;
- }
+ /* store away the sequence number */
+ ctx->seq_recv = ap_rep_data->seq_number;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
- /* free the ap_rep_data */
- krb5_free_ap_rep_enc_part(context, ap_rep_data);
+ if (ap_rep_data->subkey != NULL &&
+ (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
+ ap_rep_data->subkey->enctype != ctx->subkey->enctype)) {
+ /* Keep acceptor's subkey. */
+ ctx->have_acceptor_subkey = 1;
+ code = krb5_copy_keyblock(context, ap_rep_data->subkey,
+ &ctx->acceptor_subkey);
+ if (code) {
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
+ goto fail;
+ }
+ code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code) {
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
+ goto fail;
+ }
+ }
+ /* free the ap_rep_data */
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
- /* set established */
- ctx->established = 1;
+ if (ctx->gss_flags & GSS_C_DCE_STYLE) {
+ krb5_data outbuf;
- /* set returns */
+ code = krb5_mk_rep_dce(context, ctx->auth_context, &outbuf);
+ if (code)
+ goto fail;
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
+ output_token->value = outbuf.data;
+ output_token->length = outbuf.length;
+ }
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ /* set established */
+ ctx->established = 1;
- if (actual_mech_type)
- *actual_mech_type = mech_type;
+ /* set returns */
- /* success */
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->krb_times.endtime - now;
+ }
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* success */
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+
fail:
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- *minor_status = code;
- return (major_status);
+ *minor_status = code;
+ return (major_status);
}
OM_uint32
krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
- context_handle, target_name, mech_type,
- req_flags, time_req, input_chan_bindings,
- input_token, actual_mech_type, output_token,
- ret_flags, time_rec)
+ context_handle, target_name, mech_type,
+ req_flags, time_req, input_chan_bindings,
+ input_token, actual_mech_type, output_token,
+ ret_flags, time_rec)
OM_uint32 *minor_status;
gss_cred_id_t claimant_cred_handle;
gss_ctx_id_t *context_handle;
@@ -839,142 +815,144 @@
OM_uint32 *ret_flags;
OM_uint32 *time_rec;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- int err;
- krb5_error_code kerr;
- int default_mech = 0;
- OM_uint32 major_status;
- OM_uint32 tmp_min_stat;
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ int err;
+ krb5_error_code kerr;
+ int default_mech = 0;
+ OM_uint32 major_status;
+ OM_uint32 tmp_min_stat;
- if (*context_handle == GSS_C_NO_CONTEXT) {
- kerr = krb5_gss_init_context(&context);
- if (kerr) {
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
- if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- } else {
- context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context;
- }
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ kerr = krb5_gss_init_context(&context);
+ if (kerr) {
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
+ }
+ if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ } else {
+ context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context;
+ }
- /* set up return values so they can be "freed" successfully */
+ /* set up return values so they can be "freed" successfully */
- major_status = GSS_S_FAILURE; /* Default major code */
- output_token->length = 0;
- output_token->value = NULL;
- if (actual_mech_type)
- *actual_mech_type = NULL;
+ major_status = GSS_S_FAILURE; /* Default major code */
+ output_token->length = 0;
+ output_token->value = NULL;
+ if (actual_mech_type)
+ *actual_mech_type = NULL;
- /* verify that the target_name is valid and usable */
+ /* verify that the target_name is valid and usable */
- if (! kg_validate_name(target_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- save_error_info(*minor_status, context);
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(target_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ save_error_info(*minor_status, context);
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- /* verify the credential, or use the default */
- /*SUPPRESS 29*/
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);
- if (major_status && GSS_ERROR(major_status)) {
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(major_status);
- }
- } else {
- major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
- if (GSS_ERROR(major_status)) {
- save_error_info(*minor_status, context);
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(major_status);
- }
- cred = (krb5_gss_cred_id_t) claimant_cred_handle;
- }
- kerr = k5_mutex_lock(&cred->lock);
- if (kerr) {
- krb5_free_context(context);
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
+ /* verify the credential, or use the default */
+ /*SUPPRESS 29*/
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);
+ if (major_status && GSS_ERROR(major_status)) {
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(major_status);
+ }
+ } else {
+ major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
+ if (GSS_ERROR(major_status)) {
+ save_error_info(*minor_status, context);
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(major_status);
+ }
+ cred = (krb5_gss_cred_id_t) claimant_cred_handle;
+ }
+ kerr = k5_mutex_lock(&cred->lock);
+ if (kerr) {
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ krb5_free_context(context);
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
+ }
- /* verify the mech_type */
+ /* verify the mech_type */
- err = 0;
- if (mech_type == GSS_C_NULL_OID) {
- default_mech = 1;
- if (cred->rfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- } else if (cred->prerfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5_old;
- } else {
- err = 1;
- }
- } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
- if (!cred->rfc_mech)
- err = 1;
- } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
- if (!cred->prerfc_mech)
- err = 1;
- } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
- if (!cred->rfc_mech)
- err = 1;
- } else {
- err = 1;
- }
-
- if (err) {
- k5_mutex_unlock(&cred->lock);
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
- *minor_status = 0;
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(GSS_S_BAD_MECH);
- }
+ err = 0;
+ if (mech_type == GSS_C_NULL_OID) {
+ default_mech = 1;
+ if (cred->rfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ } else if (cred->prerfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5_old;
+ } else {
+ err = 1;
+ }
+ } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ if (!cred->rfc_mech)
+ err = 1;
+ } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+ if (!cred->prerfc_mech)
+ err = 1;
+ } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
+ if (!cred->rfc_mech)
+ err = 1;
+ } else {
+ err = 1;
+ }
- /* is this a new connection or not? */
+ if (err) {
+ k5_mutex_unlock(&cred->lock);
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ *minor_status = 0;
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(GSS_S_BAD_MECH);
+ }
- /*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- major_status = new_connection(minor_status, cred, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings,
- input_token, actual_mech_type,
- output_token, ret_flags, time_rec,
- context, default_mech);
- k5_mutex_unlock(&cred->lock);
- if (*context_handle == GSS_C_NO_CONTEXT) {
- save_error_info (*minor_status, context);
- krb5_free_context(context);
- } else
- ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context;
- } else {
- /* mutual_auth doesn't care about the credentials */
- k5_mutex_unlock(&cred->lock);
- major_status = mutual_auth(minor_status, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings,
- input_token, actual_mech_type,
- output_token, ret_flags, time_rec,
- context);
- /* If context_handle is now NO_CONTEXT, mutual_auth called
- delete_sec_context, which would've zapped the krb5 context
- too. */
- }
+ /* is this a new connection or not? */
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+ /*SUPPRESS 29*/
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ major_status = new_connection(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context, default_mech);
+ k5_mutex_unlock(&cred->lock);
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ save_error_info (*minor_status, context);
+ krb5_free_context(context);
+ } else
+ ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context;
+ } else {
+ /* mutual_auth doesn't care about the credentials */
+ k5_mutex_unlock(&cred->lock);
+ major_status = mutual_auth(minor_status, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context);
+ /* If context_handle is now NO_CONTEXT, mutual_auth called
+ delete_sec_context, which would've zapped the krb5 context
+ too. */
+ }
- return(major_status);
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+
+ return(major_status);
}
#ifndef _WIN32
@@ -990,38 +968,43 @@
int is_kdc;
#endif
- err = gssint_initialize_library();
+ err = gss_krb5int_initialize_library();
if (err)
- return err;
+ return err;
#ifndef _WIN32
err = k5_mutex_lock(&kg_kdc_flag_mutex);
if (err)
- return err;
+ return err;
is_kdc = kdc_flag;
k5_mutex_unlock(&kg_kdc_flag_mutex);
if (is_kdc)
- return krb5int_init_context_kdc(ctxp);
+ return krb5int_init_context_kdc(ctxp);
#endif
return krb5_init_context(ctxp);
}
#ifndef _WIN32
-krb5_error_code
-krb5_gss_use_kdc_context()
+OM_uint32
+krb5int_gss_use_kdc_context(OM_uint32 *minor_status,
+ const gss_OID desired_mech,
+ const gss_OID desired_object,
+ gss_buffer_t value)
{
- krb5_error_code err;
+ OM_uint32 err;
- err = gssint_initialize_library();
+ *minor_status = 0;
+
+ err = gss_krb5int_initialize_library();
if (err)
- return err;
- err = k5_mutex_lock(&kg_kdc_flag_mutex);
- if (err)
- return err;
+ return err;
+ *minor_status = k5_mutex_lock(&kg_kdc_flag_mutex);
+ if (*minor_status) {
+ return GSS_S_FAILURE;
+ }
kdc_flag = 1;
k5_mutex_unlock(&kg_kdc_flag_mutex);
- return 0;
+ return GSS_S_COMPLETE;
}
#endif
-
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/inq_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/inq_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/inq_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -19,117 +20,294 @@
* OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "gssapiP_krb5.h"
OM_uint32
-krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
- acceptor_name, lifetime_rec, mech_type, ret_flags,
- locally_initiated, opened)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_name_t *initiator_name;
- gss_name_t *acceptor_name;
- OM_uint32 *lifetime_rec;
- gss_OID *mech_type;
- OM_uint32 *ret_flags;
- int *locally_initiated;
- int *opened;
+krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
+ acceptor_name, lifetime_rec, mech_type, ret_flags,
+ locally_initiated, opened)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_name_t *initiator_name;
+ gss_name_t *acceptor_name;
+ OM_uint32 *lifetime_rec;
+ gss_OID *mech_type;
+ OM_uint32 *ret_flags;
+ int *locally_initiated;
+ int *opened;
{
- krb5_context context;
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx;
- krb5_principal initiator, acceptor;
- krb5_timestamp now;
- krb5_deltat lifetime;
+ krb5_context context;
+ krb5_error_code code;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_principal initiator, acceptor;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
- if (initiator_name)
- *initiator_name = (gss_name_t) NULL;
- if (acceptor_name)
- *acceptor_name = (gss_name_t) NULL;
+ if (initiator_name)
+ *initiator_name = (gss_name_t) NULL;
+ if (acceptor_name)
+ *acceptor_name = (gss_name_t) NULL;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- initiator = NULL;
- acceptor = NULL;
- context = ctx->k5_context;
+ initiator = NULL;
+ acceptor = NULL;
+ context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
- if ((lifetime = ctx->endtime - now) < 0)
- lifetime = 0;
+ if ((lifetime = ctx->krb_times.endtime - now) < 0)
+ lifetime = 0;
- if (initiator_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->here:ctx->there,
- &initiator))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
- if (! kg_save_name((gss_name_t) initiator)) {
- krb5_free_principal(context, initiator);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
- }
+ if (initiator_name) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->here:ctx->there,
+ &initiator))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+ if (! kg_save_name((gss_name_t) initiator)) {
+ krb5_free_principal(context, initiator);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ }
- if (acceptor_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->there:ctx->here,
- &acceptor))) {
- if (initiator) krb5_free_principal(context, initiator);
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
- if (! kg_save_name((gss_name_t) acceptor)) {
- krb5_free_principal(context, acceptor);
- if (initiator) {
- kg_delete_name((gss_name_t) initiator);
- krb5_free_principal(context, initiator);
- }
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
- }
+ if (acceptor_name) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->there:ctx->here,
+ &acceptor))) {
+ if (initiator) krb5_free_principal(context, initiator);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+ if (! kg_save_name((gss_name_t) acceptor)) {
+ krb5_free_principal(context, acceptor);
+ if (initiator) {
+ kg_delete_name((gss_name_t) initiator);
+ krb5_free_principal(context, initiator);
+ }
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ }
- if (initiator_name)
- *initiator_name = (gss_name_t) initiator;
+ if (initiator_name)
+ *initiator_name = (gss_name_t) initiator;
- if (acceptor_name)
- *acceptor_name = (gss_name_t) acceptor;
+ if (acceptor_name)
+ *acceptor_name = (gss_name_t) acceptor;
- if (lifetime_rec)
- *lifetime_rec = lifetime;
+ if (lifetime_rec)
+ *lifetime_rec = lifetime;
- if (mech_type)
- *mech_type = (gss_OID) ctx->mech_used;
+ if (mech_type)
+ *mech_type = (gss_OID) ctx->mech_used;
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
- if (locally_initiated)
- *locally_initiated = ctx->initiate;
+ if (locally_initiated)
+ *locally_initiated = ctx->initiate;
- if (opened)
- *opened = ctx->established;
+ if (opened)
+ *opened = ctx->established;
- *minor_status = 0;
- return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ *minor_status = 0;
+ return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
}
+
+OM_uint32
+gss_krb5int_inq_session_key(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_keyblock *key;
+ gss_buffer_desc keyvalue, keyinfo;
+ OM_uint32 major_status, minor;
+ unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6];
+ gss_OID_desc oid;
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
+
+ keyvalue.value = key->contents;
+ keyvalue.length = key->length;
+
+ major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+
+ oid.elements = oid_buf;
+ oid.length = sizeof(oid_buf);
+
+ major_status = generic_gss_oid_compose(minor_status,
+ GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
+ GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
+ key->enctype,
+ &oid);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+
+ keyinfo.value = oid.elements;
+ keyinfo.length = oid.length;
+
+ major_status = generic_gss_add_buffer_set_member(minor_status, &keyinfo, data_set);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+
+ return GSS_S_COMPLETE;
+
+cleanup:
+ if (*data_set != GSS_C_NO_BUFFER_SET) {
+ if ((*data_set)->count != 0)
+ memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length);
+ gss_release_buffer_set(&minor, data_set);
+ }
+
+ return major_status;
+}
+
+OM_uint32
+gss_krb5int_extract_authz_data_from_sec_context(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 major_status;
+ krb5_gss_ctx_id_rec *ctx;
+ int ad_type = 0;
+ size_t i;
+
+ *data_set = GSS_C_NO_BUFFER_SET;
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+
+ major_status = generic_gss_oid_decompose(minor_status,
+ GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID,
+ GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
+ desired_object,
+ &ad_type);
+ if (major_status != GSS_S_COMPLETE || ad_type == 0) {
+ *minor_status = ENOENT;
+ return GSS_S_FAILURE;
+ }
+
+ if (ctx->authdata != NULL) {
+ for (i = 0; ctx->authdata[i] != NULL; i++) {
+ if (ctx->authdata[i]->ad_type == ad_type) {
+ gss_buffer_desc ad_data;
+
+ ad_data.length = ctx->authdata[i]->length;
+ ad_data.value = ctx->authdata[i]->contents;
+
+ major_status = generic_gss_add_buffer_set_member(minor_status,
+ &ad_data, data_set);
+ if (GSS_ERROR(major_status))
+ break;
+ }
+ }
+ }
+
+ if (GSS_ERROR(major_status)) {
+ OM_uint32 tmp;
+
+ generic_gss_release_buffer_set(&tmp, data_set);
+ }
+
+ return major_status;
+}
+
+OM_uint32
+gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_oid,
+ gss_buffer_set_t *data_set)
+{
+ krb5_gss_ctx_id_rec *ctx;
+ gss_buffer_desc rep;
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+
+ rep.value = &ctx->krb_times.authtime;
+ rep.length = sizeof(ctx->krb_times.authtime);
+
+ return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
+}
+
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/inq_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/inq_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/inq_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -46,14 +47,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -64,7 +65,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -74,195 +75,194 @@
OM_uint32
krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
- cred_usage, mechanisms)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_name_t *name;
- OM_uint32 *lifetime_ret;
- gss_cred_usage_t *cred_usage;
- gss_OID_set *mechanisms;
+ cred_usage, mechanisms)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_name_t *name;
+ OM_uint32 *lifetime_ret;
+ gss_cred_usage_t *cred_usage;
+ gss_OID_set *mechanisms;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- krb5_error_code code;
- krb5_timestamp now;
- krb5_deltat lifetime;
- krb5_principal ret_name;
- gss_OID_set mechs;
- OM_uint32 ret;
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
+ krb5_principal ret_name;
+ gss_OID_set mechs;
+ OM_uint32 ret;
- ret = GSS_S_FAILURE;
- ret_name = NULL;
+ ret = GSS_S_FAILURE;
+ ret_name = NULL;
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (name) *name = NULL;
- if (mechanisms) *mechanisms = NULL;
+ if (name) *name = NULL;
+ if (mechanisms) *mechanisms = NULL;
- /* check for default credential */
- /*SUPPRESS 29*/
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
+ /* check for default credential */
+ /*SUPPRESS 29*/
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 major;
- if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
- GSS_ERROR(major)) {
- krb5_free_context(context);
- return(major);
- }
- } else {
- OM_uint32 major;
-
- major = krb5_gss_validate_cred(minor_status, cred_handle);
- if (GSS_ERROR(major)) {
- krb5_free_context(context);
- return(major);
- }
- cred = (krb5_gss_cred_id_t) cred_handle;
- }
+ if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
+ GSS_ERROR(major)) {
+ krb5_free_context(context);
+ return(major);
+ }
+ } else {
+ OM_uint32 major;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
- }
+ major = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major)) {
+ krb5_free_context(context);
+ return(major);
+ }
+ cred = (krb5_gss_cred_id_t) cred_handle;
+ }
- code = k5_mutex_lock(&cred->lock);
- if (code != 0) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
- }
- if (cred->tgt_expire > 0) {
- if ((lifetime = cred->tgt_expire - now) < 0)
- lifetime = 0;
- }
- else
- lifetime = GSS_C_INDEFINITE;
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
- if (name) {
- if (cred->princ &&
- (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- ret = GSS_S_FAILURE;
- goto fail;
- }
- }
+ code = k5_mutex_lock(&cred->lock);
+ if (code != 0) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
+ if (cred->tgt_expire > 0) {
+ if ((lifetime = cred->tgt_expire - now) < 0)
+ lifetime = 0;
+ }
+ else
+ lifetime = GSS_C_INDEFINITE;
- if (mechanisms) {
- if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
- &mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &mechs)))) {
- k5_mutex_unlock(&cred->lock);
- if (ret_name)
- krb5_free_principal(context, ret_name);
- /* *minor_status set above */
- goto fail;
- }
- }
+ if (name) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- if (name) {
- if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
- k5_mutex_unlock(&cred->lock);
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ if (mechanisms) {
+ if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
+ &mechs)) ||
+ (cred->prerfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_old,
+ &mechs))) ||
+ (cred->rfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5,
+ &mechs)))) {
+ k5_mutex_unlock(&cred->lock);
+ if (ret_name)
+ krb5_free_principal(context, ret_name);
+ /* *minor_status set above */
+ goto fail;
+ }
+ }
- (void) gss_release_oid_set(minor_status, &mechs);
- krb5_free_principal(context, ret_name);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- if (ret_name != NULL)
- *name = (gss_name_t) ret_name;
- else
- *name = GSS_C_NO_NAME;
- }
+ if (name) {
+ if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
+ k5_mutex_unlock(&cred->lock);
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
- if (lifetime_ret)
- *lifetime_ret = lifetime;
+ (void) generic_gss_release_oid_set(minor_status, &mechs);
+ krb5_free_principal(context, ret_name);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ if (ret_name != NULL)
+ *name = (gss_name_t) ret_name;
+ else
+ *name = GSS_C_NO_NAME;
+ }
- if (cred_usage)
- *cred_usage = cred->usage;
- k5_mutex_unlock(&cred->lock);
+ if (lifetime_ret)
+ *lifetime_ret = lifetime;
- if (mechanisms)
- *mechanisms = mechs;
+ if (cred_usage)
+ *cred_usage = cred->usage;
+ k5_mutex_unlock(&cred->lock);
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ if (mechanisms)
+ *mechanisms = mechs;
- krb5_free_context(context);
- *minor_status = 0;
- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+
+ krb5_free_context(context);
+ *minor_status = 0;
+ return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
fail:
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 tmp_min_stat;
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 tmp_min_stat;
- krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
- }
- krb5_free_context(context);
- return ret;
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+ }
+ krb5_free_context(context);
+ return ret;
}
/* V2 interface */
OM_uint32
krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
- mech_type, name, initiator_lifetime,
- acceptor_lifetime, cred_usage)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_OID mech_type;
- gss_name_t *name;
- OM_uint32 *initiator_lifetime;
- OM_uint32 *acceptor_lifetime;
+ mech_type, name, initiator_lifetime,
+ acceptor_lifetime, cred_usage)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_OID mech_type;
+ gss_name_t *name;
+ OM_uint32 *initiator_lifetime;
+ OM_uint32 *acceptor_lifetime;
gss_cred_usage_t *cred_usage;
{
- krb5_gss_cred_id_t cred;
- OM_uint32 lifetime;
- OM_uint32 mstat;
+ krb5_gss_cred_id_t cred;
+ OM_uint32 lifetime;
+ OM_uint32 mstat;
/*
* We only know how to handle our own creds.
*/
if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type) &&
- !g_OID_equal(gss_mech_krb5, mech_type)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
+ !g_OID_equal(gss_mech_krb5, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
}
cred = (krb5_gss_cred_id_t) cred_handle;
mstat = krb5_gss_inquire_cred(minor_status,
- cred_handle,
- name,
- &lifetime,
- cred_usage,
- (gss_OID_set *) NULL);
+ cred_handle,
+ name,
+ &lifetime,
+ cred_usage,
+ (gss_OID_set *) NULL);
if (mstat == GSS_S_COMPLETE) {
- if (cred &&
- ((cred->usage == GSS_C_INITIATE) ||
- (cred->usage == GSS_C_BOTH)) &&
- initiator_lifetime)
- *initiator_lifetime = lifetime;
- if (cred &&
- ((cred->usage == GSS_C_ACCEPT) ||
- (cred->usage == GSS_C_BOTH)) &&
- acceptor_lifetime)
- *acceptor_lifetime = lifetime;
+ if (cred &&
+ ((cred->usage == GSS_C_INITIATE) ||
+ (cred->usage == GSS_C_BOTH)) &&
+ initiator_lifetime)
+ *initiator_lifetime = lifetime;
+ if (cred &&
+ ((cred->usage == GSS_C_ACCEPT) ||
+ (cred->usage == GSS_C_BOTH)) &&
+ acceptor_lifetime)
+ *acceptor_lifetime = lifetime;
}
return(mstat);
}
-
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/inq_names.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/inq_names.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/inq_names.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/inq_names.c
*
@@ -32,68 +33,67 @@
OM_uint32
krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
- OM_uint32 *minor_status;
- gss_OID mechanism;
- gss_OID_set *name_types;
+ OM_uint32 *minor_status;
+ gss_OID mechanism;
+ gss_OID_set *name_types;
{
- OM_uint32 major, minor;
+ OM_uint32 major, minor;
/*
* We only know how to handle our own mechanism.
*/
if ((mechanism != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mechanism) &&
- !g_OID_equal(gss_mech_krb5_old, mechanism)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(gss_mech_krb5, mechanism) &&
+ !g_OID_equal(gss_mech_krb5_old, mechanism)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
/* We're okay. Create an empty OID set */
- major = gss_create_empty_oid_set(minor_status, name_types);
+ major = generic_gss_create_empty_oid_set(minor_status, name_types);
if (major == GSS_S_COMPLETE) {
- /* Now add our members. */
- if (
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_user_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_machine_uid_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_string_uid_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_service_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_service_name_v2,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_exported_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_krb5_name,
- name_types)
- ) == GSS_S_COMPLETE)
- ) {
- major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_krb5_principal,
- name_types);
- }
+ /* Now add our members. */
+ if (
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_user_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_machine_uid_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_string_uid_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_service_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_service_name_v2,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_exported_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_krb5_name,
+ name_types)
+ ) == GSS_S_COMPLETE)
+ ) {
+ major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_krb5_principal,
+ name_types);
+ }
- /*
- * If we choked, then release the set, but don't overwrite the minor
- * status with the release call.
- */
- if (major != GSS_S_COMPLETE)
- (void) gss_release_oid_set(&minor,
- name_types);
+ /*
+ * If we choked, then release the set, but don't overwrite the minor
+ * status with the release call.
+ */
+ if (major != GSS_S_COMPLETE)
+ (void) generic_gss_release_oid_set(&minor, name_types);
}
return(major);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/k5seal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/k5seal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/k5seal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
@@ -52,19 +53,19 @@
static krb5_error_code
make_seal_token_v1 (krb5_context context,
- krb5_keyblock *enc,
- krb5_keyblock *seq,
- gssint_uint64 *seqnum,
- int direction,
- gss_buffer_t text,
- gss_buffer_t token,
- int signalg,
- size_t cksum_size,
- int sealalg,
- int do_encrypt,
- int toktype,
- int bigend,
- gss_OID oid)
+ krb5_keyblock *enc,
+ krb5_keyblock *seq,
+ gssint_uint64 *seqnum,
+ int direction,
+ gss_buffer_t text,
+ gss_buffer_t token,
+ int signalg,
+ size_t cksum_size,
+ int sealalg,
+ int do_encrypt,
+ int toktype,
+ int bigend,
+ gss_OID oid)
{
krb5_error_code code;
size_t sumlen;
@@ -72,13 +73,13 @@
krb5_data plaind;
krb5_checksum md5cksum;
krb5_checksum cksum;
- /* msglen contains the message length
- * we are signing/encrypting. tmsglen
- * contains the length of the message
- * we plan to write out to the token.
- * tlen is the length of the token
- * including header. */
- unsigned conflen=0, tmsglen, tlen, msglen;
+ /* msglen contains the message length
+ * we are signing/encrypting. tmsglen
+ * contains the length of the message
+ * we plan to write out to the token.
+ * tlen is the length of the token
+ * including header. */
+ unsigned int conflen=0, tmsglen, tlen, msglen;
unsigned char *t, *ptr;
unsigned char *plain;
unsigned char pad;
@@ -89,30 +90,30 @@
/* create the token buffer */
/* Do we need confounder? */
if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
- conflen = kg_confounder_size(context, enc);
+ conflen = kg_confounder_size(context, enc);
else conflen = 0;
if (toktype == KG_TOK_SEAL_MSG) {
- switch (sealalg) {
- case SEAL_ALG_MICROSOFT_RC4:
- msglen = conflen + text->length+1;
- pad = 1;
- break;
- default:
- /* XXX knows that des block size is 8 */
- msglen = (conflen+text->length+8)&(~7);
- pad = 8-(text->length%8);
- }
- tmsglen = msglen;
+ switch (sealalg) {
+ case SEAL_ALG_MICROSOFT_RC4:
+ msglen = conflen + text->length+1;
+ pad = 1;
+ break;
+ default:
+ /* XXX knows that des block size is 8 */
+ msglen = (conflen+text->length+8)&(~7);
+ pad = 8-(text->length%8);
+ }
+ tmsglen = msglen;
} else {
- tmsglen = 0;
- msglen = text->length;
- pad = 0;
+ tmsglen = 0;
+ msglen = text->length;
+ pad = 0;
}
tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
/*** fill in the token */
@@ -125,12 +126,12 @@
/* 2..3 SEAL_ALG or Filler */
if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
- ptr[2] = sealalg & 0xff;
- ptr[3] = (sealalg >> 8) & 0xff;
+ ptr[2] = sealalg & 0xff;
+ ptr[3] = (sealalg >> 8) & 0xff;
} else {
- /* No seal */
- ptr[2] = 0xff;
- ptr[3] = 0xff;
+ /* No seal */
+ ptr[2] = 0xff;
+ ptr[3] = 0xff;
}
/* 4..5 Filler */
@@ -143,40 +144,40 @@
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
case SGN_ALG_HMAC_MD5:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
- if (toktype != KG_TOK_SEAL_MSG)
- sign_usage = 15;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+ if (toktype != KG_TOK_SEAL_MSG)
+ sign_usage = 15;
+ break;
default:
case SGN_ALG_DES_MAC:
- abort ();
+ abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code) {
- xfree(t);
- return(code);
+ xfree(t);
+ return(code);
}
md5cksum.length = sumlen;
if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) {
- xfree(t);
- return(ENOMEM);
+ xfree(t);
+ return(ENOMEM);
}
if (conflen) {
- if ((code = kg_make_confounder(context, enc, plain))) {
- xfree(plain);
- xfree(t);
- return(code);
- }
+ if ((code = kg_make_confounder(context, enc, plain))) {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
}
memcpy(plain+conflen, text->value, text->length);
@@ -186,121 +187,121 @@
/* 8 = head of token body as specified by mech spec */
if (! (data_ptr =
- (char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
- xfree(plain);
- xfree(t);
- return(ENOMEM);
+ (char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
+ xfree(plain);
+ xfree(t);
+ return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
if (bigend)
- (void) memcpy(data_ptr+8, text->value, text->length);
+ (void) memcpy(data_ptr+8, text->value, text->length);
else
- (void) memcpy(data_ptr+8, plain, msglen);
+ (void) memcpy(data_ptr+8, plain, msglen);
plaind.length = 8 + (bigend ? text->length : msglen);
plaind.data = data_ptr;
code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
- sign_usage, &plaind, &md5cksum);
+ sign_usage, &plaind, &md5cksum);
xfree(data_ptr);
if (code) {
- xfree(plain);
- xfree(t);
- return(code);
+ xfree(plain);
+ xfree(t);
+ return(code);
}
switch(signalg) {
case SGN_ALG_DES_MAC_MD5:
case 3:
- if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
- (g_OID_equal(oid, gss_mech_krb5_old) ?
- seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- krb5_free_checksum_contents(context, &md5cksum);
- xfree (plain);
- xfree(t);
- return code;
- }
+ if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
+ (g_OID_equal(oid, gss_mech_krb5_old) ?
+ seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ xfree (plain);
+ xfree(t);
+ return code;
+ }
- cksum.length = cksum_size;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
+ cksum.length = cksum_size;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
- memcpy(ptr+14, cksum.contents, cksum.length);
- break;
+ memcpy(ptr+14, cksum.contents, cksum.length);
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- /*
- * Using key derivation, the call to krb5_c_make_checksum
- * already dealt with encrypting.
- */
- if (md5cksum.length != cksum_size)
- abort ();
- memcpy (ptr+14, md5cksum.contents, md5cksum.length);
- break;
+ /*
+ * Using key derivation, the call to krb5_c_make_checksum
+ * already dealt with encrypting.
+ */
+ if (md5cksum.length != cksum_size)
+ abort ();
+ memcpy (ptr+14, md5cksum.contents, md5cksum.length);
+ break;
case SGN_ALG_HMAC_MD5:
- memcpy (ptr+14, md5cksum.contents, cksum_size);
- break;
+ memcpy (ptr+14, md5cksum.contents, cksum_size);
+ break;
}
krb5_free_checksum_contents(context, &md5cksum);
/* create the seq_num */
- if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum,
- ptr+14, ptr+6))) {
- xfree (plain);
- xfree(t);
- return(code);
+ if ((code = kg_make_seq_num(context, seq, direction?0:0xff,
+ (krb5_ui_4)*seqnum, ptr+14, ptr+6))) {
+ xfree (plain);
+ xfree(t);
+ return(code);
}
if (do_encrypt) {
- switch(sealalg) {
- case SEAL_ALG_MICROSOFT_RC4:
- {
- unsigned char bigend_seqnum[4];
- krb5_keyblock *enc_key;
- int i;
- bigend_seqnum[0] = (*seqnum>>24) & 0xff;
- bigend_seqnum[1] = (*seqnum>>16) & 0xff;
- bigend_seqnum[2] = (*seqnum>>8) & 0xff;
- bigend_seqnum[3] = *seqnum & 0xff;
- code = krb5_copy_keyblock (context, enc, &enc_key);
- if (code)
- {
- xfree(plain);
- xfree(t);
- return(code);
- }
- assert (enc_key->length == 16);
- for (i = 0; i <= 15; i++)
- ((char *) enc_key->contents)[i] ^=0xf0;
- code = kg_arcfour_docrypt (enc_key, 0,
- bigend_seqnum, 4,
- plain, tmsglen,
- ptr+14+cksum_size);
- krb5_free_keyblock (context, enc_key);
- if (code)
- {
- xfree(plain);
- xfree(t);
- return(code);
- }
- }
- break;
- default:
- if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
- (krb5_pointer) plain,
- (krb5_pointer) (ptr+cksum_size+14),
- tmsglen))) {
- xfree(plain);
- xfree(t);
- return(code);
- }
- }
+ switch(sealalg) {
+ case SEAL_ALG_MICROSOFT_RC4:
+ {
+ unsigned char bigend_seqnum[4];
+ krb5_keyblock *enc_key;
+ int i;
+ bigend_seqnum[0] = (*seqnum>>24) & 0xff;
+ bigend_seqnum[1] = (*seqnum>>16) & 0xff;
+ bigend_seqnum[2] = (*seqnum>>8) & 0xff;
+ bigend_seqnum[3] = *seqnum & 0xff;
+ code = krb5_copy_keyblock (context, enc, &enc_key);
+ if (code)
+ {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ assert (enc_key->length == 16);
+ for (i = 0; i <= 15; i++)
+ ((char *) enc_key->contents)[i] ^=0xf0;
+ code = kg_arcfour_docrypt (enc_key, 0,
+ bigend_seqnum, 4,
+ plain, tmsglen,
+ ptr+14+cksum_size);
+ krb5_free_keyblock (context, enc_key);
+ if (code)
+ {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ }
+ break;
+ default:
+ if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
+ (krb5_pointer) plain,
+ (krb5_pointer) (ptr+cksum_size+14),
+ tmsglen))) {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ }
}else {
- if (tmsglen)
- memcpy(ptr+14+cksum_size, plain, tmsglen);
+ if (tmsglen)
+ memcpy(ptr+14+cksum_size, plain, tmsglen);
}
- xfree(plain);
+ xfree(plain);
/* that's it. return the token */
@@ -319,11 +320,11 @@
OM_uint32
kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer, toktype)
+ input_message_buffer, conf_state, output_message_buffer, toktype)
OM_uint32 *minor_status;
gss_ctx_id_t context_handle;
int conf_req_flag;
- int qop_req;
+ gss_qop_t qop_req;
gss_buffer_t input_message_buffer;
int *conf_state;
gss_buffer_t output_message_buffer;
@@ -339,65 +340,65 @@
/* Only default qop or matching established cryptosystem is allowed.
- There are NO EXTENSIONS to this set for AES and friends! The
- new spec says "just use 0". The old spec plus extensions would
- actually allow for certain non-zero values. Fix this to handle
- them later. */
+ There are NO EXTENSIONS to this set for AES and friends! The
+ new spec says "just use 0". The old spec plus extensions would
+ actually allow for certain non-zero values. Fix this to handle
+ them later. */
if (qop_req != 0) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return GSS_S_FAILURE;
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return GSS_S_FAILURE;
}
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
context = ctx->k5_context;
if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
switch (ctx->proto)
{
case 0:
- code = make_seal_token_v1(context, ctx->enc, ctx->seq,
- &ctx->seq_send, ctx->initiate,
- input_message_buffer, output_message_buffer,
- ctx->signalg, ctx->cksum_size, ctx->sealalg,
- conf_req_flag, toktype, ctx->big_endian,
- ctx->mech_used);
- break;
+ code = make_seal_token_v1(context, ctx->enc, ctx->seq,
+ &ctx->seq_send, ctx->initiate,
+ input_message_buffer, output_message_buffer,
+ ctx->signalg, ctx->cksum_size, ctx->sealalg,
+ conf_req_flag, toktype, ctx->big_endian,
+ ctx->mech_used);
+ break;
case 1:
- code = gss_krb5int_make_seal_token_v3(context, ctx,
- input_message_buffer,
- output_message_buffer,
- conf_req_flag, toktype);
- break;
+ code = gss_krb5int_make_seal_token_v3(context, ctx,
+ input_message_buffer,
+ output_message_buffer,
+ conf_req_flag, toktype);
+ break;
default:
- code = G_UNKNOWN_QOP; /* XXX */
- break;
+ code = G_UNKNOWN_QOP; /* XXX */
+ break;
}
if (code) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
if (conf_state)
- *conf_state = conf_req_flag;
+ *conf_state = conf_req_flag;
*minor_status = 0;
- return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
}
Copied: branches/mkey_migrate/src/lib/gssapi/krb5/k5sealiov.c (from rev 21721, trunk/src/lib/gssapi/krb5/k5sealiov.c)
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/k5sealv3.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,19 +23,19 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
+ *
*/
/* draft-ietf-krb-wg-gssapi-cfx-05 */
#include <assert.h>
-#include "k5-platform.h" /* for 64-bit support */
-#include "k5-int.h" /* for zap() */
+#include "k5-platform.h" /* for 64-bit support */
+#include "k5-int.h" /* for zap() */
#include "gssapiP_krb5.h"
#include <stdarg.h>
-static int
-rotate_left (void *ptr, size_t bufsiz, size_t rc)
+int
+gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc)
{
/* Optimize for receiving. After some debugging is done, the MIT
implementation won't do any rotates on sending, and while
@@ -44,14 +45,14 @@
void *tbuf;
if (bufsiz == 0)
- return 1;
+ return 1;
rc = rc % bufsiz;
if (rc == 0)
- return 1;
+ return 1;
tbuf = malloc(rc);
if (tbuf == 0)
- return 0;
+ return 0;
memcpy(tbuf, ptr, rc);
memmove(ptr, (char *)ptr + rc, bufsiz - rc);
memcpy((char *)ptr + bufsiz - rc, tbuf, rc);
@@ -61,16 +62,12 @@
static const gss_buffer_desc empty_message = { 0, 0 };
-#define FLAG_SENDER_IS_ACCEPTOR 0x01
-#define FLAG_WRAP_CONFIDENTIAL 0x02
-#define FLAG_ACCEPTOR_SUBKEY 0x04
-
krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
- krb5_gss_ctx_id_rec *ctx,
- const gss_buffer_desc * message,
- gss_buffer_t token,
- int conf_req_flag, int toktype)
+ krb5_gss_ctx_id_rec *ctx,
+ const gss_buffer_desc * message,
+ gss_buffer_t token,
+ int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
@@ -85,202 +82,209 @@
unsigned short tok_id;
krb5_checksum sum;
krb5_keyblock *key;
+ krb5_cksumtype cksumtype;
- assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
assert(ctx->big_endian == 0);
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
- ? (ctx->initiate
- ? KG_USAGE_INITIATOR_SEAL
- : KG_USAGE_ACCEPTOR_SEAL)
- : (ctx->initiate
- ? KG_USAGE_INITIATOR_SIGN
- : KG_USAGE_ACCEPTOR_SIGN));
+ ? (ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
- key = ctx->acceptor_subkey;
+ key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
- key = ctx->enc;
+ key = ctx->subkey;
+ cksumtype = ctx->cksumtype;
}
+ assert(key != NULL);
#ifdef CFX_EXERCISE
{
- static int initialized = 0;
- if (!initialized) {
- srand(time(0));
- initialized = 1;
- }
+ static int initialized = 0;
+ if (!initialized) {
+ srand(time(0));
+ initialized = 1;
+ }
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
- krb5_enc_data cipher;
- size_t ec_max;
+ krb5_data plain;
+ krb5_enc_data cipher;
+ size_t ec_max;
- /* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
- ec_max = SIZE_MAX - message->length - 300;
- if (ec_max > 0xffff)
- ec_max = 0xffff;
+ /* 300: Adds some slop. */
+ if (SIZE_MAX - 300 < message->length)
+ return ENOMEM;
+ ec_max = SIZE_MAX - message->length - 300;
+ if (ec_max > 0xffff)
+ ec_max = 0xffff;
#ifdef CFX_EXERCISE
- /* For testing only. For performance, always set ec = 0. */
- ec = ec_max & rand();
+ /* For testing only. For performance, always set ec = 0. */
+ ec = ec_max & rand();
#else
- ec = 0;
+ ec = 0;
#endif
- plain.length = message->length + 16 + ec;
- plain.data = malloc(message->length + 16 + ec);
- if (plain.data == NULL)
- return ENOMEM;
+ plain.length = message->length + 16 + ec;
+ plain.data = malloc(message->length + 16 + ec);
+ if (plain.data == NULL)
+ return ENOMEM;
- /* Get size of ciphertext. */
- bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype);
- /* Allocate space for header plus encrypted data. */
- outbuf = malloc(bufsize);
- if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
- }
+ /* Get size of ciphertext. */
+ bufsize = 16 + krb5_encrypt_size (plain.length, key->enctype);
+ /* Allocate space for header plus encrypted data. */
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ return ENOMEM;
+ }
- /* TOK_ID */
- store_16_be(0x0504, outbuf);
- /* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
- /* filler */
- outbuf[3] = 0xff;
- /* EC */
- store_16_be(ec, outbuf+4);
- /* RRC */
- store_16_be(0, outbuf+6);
- store_64_be(ctx->seq_send, outbuf+8);
+ /* TOK_ID */
+ store_16_be(KG2_TOK_WRAP_MSG, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ /* EC */
+ store_16_be(ec, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ store_64_be(ctx->seq_send, outbuf+8);
- memcpy(plain.data, message->value, message->length);
- memset(plain.data + message->length, 'x', ec);
- memcpy(plain.data + message->length + ec, outbuf, 16);
+ memcpy(plain.data, message->value, message->length);
+ memset(plain.data + message->length, 'x', ec);
+ memcpy(plain.data + message->length + ec, outbuf, 16);
- cipher.ciphertext.data = outbuf + 16;
- cipher.ciphertext.length = bufsize - 16;
- cipher.enctype = key->enctype;
- err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
- if (err)
- goto error;
+ cipher.ciphertext.data = (char *)outbuf + 16;
+ cipher.ciphertext.length = bufsize - 16;
+ cipher.enctype = key->enctype;
+ err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err)
+ goto error;
- /* Now that we know we're returning a valid token.... */
- ctx->seq_send++;
+ /* Now that we know we're returning a valid token.... */
+ ctx->seq_send++;
#ifdef CFX_EXERCISE
- rrc = rand() & 0xffff;
- if (rotate_left(outbuf+16, bufsize-16,
- (bufsize-16) - (rrc % (bufsize - 16))))
- store_16_be(rrc, outbuf+6);
- /* If the rotate fails, don't worry about it. */
+ rrc = rand() & 0xffff;
+ if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
+ /* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
+ krb5_data plain;
+ size_t cksumsize;
- /* Here, message is the application-supplied data; message2 is
- what goes into the output token. They may be the same, or
- message2 may be empty (for MIC). */
+ /* Here, message is the application-supplied data; message2 is
+ what goes into the output token. They may be the same, or
+ message2 may be empty (for MIC). */
- tok_id = 0x0504;
+ tok_id = KG2_TOK_WRAP_MSG;
wrap_with_checksum:
- plain.length = message->length + 16;
- plain.data = malloc(message->length + 16);
- if (plain.data == NULL)
- return ENOMEM;
+ plain.length = message->length + 16;
+ plain.data = malloc(message->length + 16);
+ if (plain.data == NULL)
+ return ENOMEM;
- if (ctx->cksum_size > 0xffff)
- abort();
-
- bufsize = 16 + message2->length + ctx->cksum_size;
- outbuf = malloc(bufsize);
- if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
- err = ENOMEM;
+ err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
+ if (err)
goto error;
- }
- /* TOK_ID */
- store_16_be(tok_id, outbuf);
- /* flags */
- outbuf[2] = (acceptor_flag
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
- /* filler */
- outbuf[3] = 0xff;
- if (toktype == KG_TOK_WRAP_MSG) {
- /* Use 0 for checksum calculation, substitute
- checksum length later. */
- /* EC */
- store_16_be(0, outbuf+4);
- /* RRC */
- store_16_be(0, outbuf+6);
- } else {
- /* MIC and DEL store 0xFF in EC and RRC. */
- store_16_be(0xffff, outbuf+4);
- store_16_be(0xffff, outbuf+6);
- }
- store_64_be(ctx->seq_send, outbuf+8);
+ assert(cksumsize <= 0xffff);
- memcpy(plain.data, message->value, message->length);
- memcpy(plain.data + message->length, outbuf, 16);
+ bufsize = 16 + message2->length + cksumsize;
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ plain.data = 0;
+ err = ENOMEM;
+ goto error;
+ }
- /* Fill in the output token -- data contents, if any, and
- space for the checksum. */
- if (message2->length)
- memcpy(outbuf + 16, message2->value, message2->length);
+ /* TOK_ID */
+ store_16_be(tok_id, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ if (toktype == KG_TOK_WRAP_MSG) {
+ /* Use 0 for checksum calculation, substitute
+ checksum length later. */
+ /* EC */
+ store_16_be(0, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ } else {
+ /* MIC and DEL store 0xFF in EC and RRC. */
+ store_16_be(0xffff, outbuf+4);
+ store_16_be(0xffff, outbuf+6);
+ }
+ store_64_be(ctx->seq_send, outbuf+8);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = ctx->cksum_size;
+ memcpy(plain.data, message->value, message->length);
+ memcpy(plain.data + message->length, outbuf, 16);
- err = krb5_c_make_checksum(context, ctx->cksumtype, key,
- key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
- if (err) {
- zap(outbuf,bufsize);
- goto error;
- }
- if (sum.length != ctx->cksum_size)
- abort();
- memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
- /* Now that we know we're actually generating the token... */
- ctx->seq_send++;
+ /* Fill in the output token -- data contents, if any, and
+ space for the checksum. */
+ if (message2->length)
+ memcpy(outbuf + 16, message2->value, message2->length);
- if (toktype == KG_TOK_WRAP_MSG) {
+ sum.contents = outbuf + 16 + message2->length;
+ sum.length = cksumsize;
+
+ err = krb5_c_make_checksum(context, cksumtype, key,
+ key_usage, &plain, &sum);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err) {
+ zap(outbuf,bufsize);
+ goto error;
+ }
+ if (sum.length != cksumsize)
+ abort();
+ memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
+ krb5_free_checksum_contents(context, &sum);
+ sum.contents = 0;
+ /* Now that we know we're actually generating the token... */
+ ctx->seq_send++;
+
+ if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
- rrc = rand() & 0xffff;
- /* If the rotate fails, don't worry about it. */
- if (rotate_left(outbuf+16, bufsize-16,
- (bufsize-16) - (rrc % (bufsize - 16))))
- store_16_be(rrc, outbuf+6);
+ rrc = rand() & 0xffff;
+ /* If the rotate fails, don't worry about it. */
+ if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
#endif
- /* Fix up EC field. */
- store_16_be(ctx->cksum_size, outbuf+4);
- } else {
- store_16_be(0xffff, outbuf+6);
- }
+ /* Fix up EC field. */
+ store_16_be(cksumsize, outbuf+4);
+ } else {
+ store_16_be(0xffff, outbuf+6);
+ }
} else if (toktype == KG_TOK_MIC_MSG) {
- tok_id = 0x0404;
- message2 = &empty_message;
- goto wrap_with_checksum;
+ tok_id = KG2_TOK_MIC_MSG;
+ message2 = &empty_message;
+ goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
- tok_id = 0x0405;
- message = message2 = &empty_message;
- goto wrap_with_checksum;
+ tok_id = KG2_TOK_DEL_CTX;
+ message = message2 = &empty_message;
+ goto wrap_with_checksum;
} else
- abort();
+ abort();
token->value = outbuf;
token->length = bufsize;
@@ -298,11 +302,11 @@
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- unsigned char *ptr, unsigned int bodysize,
- gss_buffer_t message_buffer,
- int *conf_state, int *qop_state, int toktype)
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ unsigned char *ptr, unsigned int bodysize,
+ gss_buffer_t message_buffer,
+ int *conf_state, gss_qop_t *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
@@ -314,22 +318,22 @@
krb5_error_code err;
krb5_boolean valid;
krb5_keyblock *key;
+ krb5_cksumtype cksumtype;
- assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
assert(ctx->big_endian == 0);
assert(ctx->proto == 1);
if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ *qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
- ? (!ctx->initiate
- ? KG_USAGE_INITIATOR_SEAL
- : KG_USAGE_ACCEPTOR_SEAL)
- : (!ctx->initiate
- ? KG_USAGE_INITIATOR_SIGN
- : KG_USAGE_ACCEPTOR_SIGN));
+ ? (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
@@ -338,174 +342,183 @@
if (bodysize < 16) {
defective:
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
- *minor_status = G_BAD_DIRECTION;
- return GSS_S_BAD_SIG;
+ *minor_status = (OM_uint32)G_BAD_DIRECTION;
+ return GSS_S_BAD_SIG;
}
/* Two things to note here.
- First, we can't really enforce the use of the acceptor's subkey,
- if we're the acceptor; the initiator may have sent messages
- before getting the subkey. We could probably enforce it if
- we're the initiator.
+ First, we can't really enforce the use of the acceptor's subkey,
+ if we're the acceptor; the initiator may have sent messages
+ before getting the subkey. We could probably enforce it if
+ we're the initiator.
- Second, if someone tweaks the code to not set the flag telling
- the krb5 library to generate a new subkey in the AP-REP
- message, the MIT library may include a subkey anyways --
- namely, a copy of the AP-REQ subkey, if it was provided. So
- the initiator may think we wanted a subkey, and set the flag,
- even though we weren't trying to set the subkey. The "other"
- key, the one not asserted by the acceptor, will have the same
- value in that case, though, so we can just ignore the flag. */
+ Second, if someone tweaks the code to not set the flag telling
+ the krb5 library to generate a new subkey in the AP-REP
+ message, the MIT library may include a subkey anyways --
+ namely, a copy of the AP-REQ subkey, if it was provided. So
+ the initiator may think we wanted a subkey, and set the flag,
+ even though we weren't trying to set the subkey. The "other"
+ key, the one not asserted by the acceptor, will have the same
+ value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
- key = ctx->acceptor_subkey;
+ key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
- key = ctx->enc;
+ key = ctx->subkey;
+ cksumtype = ctx->cksumtype;
}
+ assert(key != NULL);
if (toktype == KG_TOK_WRAP_MSG) {
- if (load_16_be(ptr) != 0x0504)
- goto defective;
- if (ptr[3] != 0xff)
- goto defective;
- ec = load_16_be(ptr+4);
- rrc = load_16_be(ptr+6);
- seqnum = load_64_be(ptr+8);
- if (!rotate_left(ptr+16, bodysize-16, rrc)) {
- no_mem:
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
- /* confidentiality */
- krb5_enc_data cipher;
- unsigned char *althdr;
+ if (load_16_be(ptr) != KG2_TOK_WRAP_MSG)
+ goto defective;
+ if (ptr[3] != 0xff)
+ goto defective;
+ ec = load_16_be(ptr+4);
+ rrc = load_16_be(ptr+6);
+ seqnum = load_64_be(ptr+8);
+ if (!gss_krb5int_rotate_left(ptr+16, bodysize-16, rrc)) {
+ no_mem:
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
+ /* confidentiality */
+ krb5_enc_data cipher;
+ unsigned char *althdr;
- if (conf_state)
- *conf_state = 1;
- /* Do we have no decrypt_size function?
+ if (conf_state)
+ *conf_state = 1;
+ /* Do we have no decrypt_size function?
- For all current cryptosystems, the ciphertext size will
- be larger than the plaintext size. */
- cipher.enctype = key->enctype;
- cipher.ciphertext.length = bodysize - 16;
- cipher.ciphertext.data = ptr + 16;
- plain.length = bodysize - 16;
- plain.data = malloc(plain.length);
- if (plain.data == NULL)
- goto no_mem;
- err = krb5_c_decrypt(context, key, key_usage, 0,
- &cipher, &plain);
- if (err) {
- free(plain.data);
- goto error;
- }
- /* Don't use bodysize here! Use the fact that
- cipher.ciphertext.length has been adjusted to the
- correct length. */
- althdr = plain.data + plain.length - 16;
- if (load_16_be(althdr) != 0x0504
- || althdr[2] != ptr[2]
- || althdr[3] != ptr[3]
- || memcmp(althdr+8, ptr+8, 8)) {
- free(plain.data);
- goto defective;
- }
- message_buffer->value = plain.data;
- message_buffer->length = plain.length - ec - 16;
- if(message_buffer->length == 0) {
- free(message_buffer->value);
- message_buffer->value = NULL;
- }
- } else {
- /* no confidentiality */
- if (conf_state)
- *conf_state = 0;
- if (ec + 16 < ec)
- /* overflow check */
- goto defective;
- if (ec + 16 > bodysize)
- goto defective;
- /* We have: header | msg | cksum.
- We need cksum(msg | header).
- Rotate the first two. */
- store_16_be(0, ptr+4);
- store_16_be(0, ptr+6);
- plain.length = bodysize-ec;
- plain.data = ptr;
- if (!rotate_left(ptr, bodysize-ec, 16))
- goto no_mem;
- sum.length = ec;
- if (sum.length != ctx->cksum_size) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- sum.contents = ptr+bodysize-ec;
- sum.checksum_type = ctx->cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
- &plain, &sum, &valid);
+ For all current cryptosystems, the ciphertext size will
+ be larger than the plaintext size. */
+ cipher.enctype = key->enctype;
+ cipher.ciphertext.length = bodysize - 16;
+ cipher.ciphertext.data = (char *)ptr + 16;
+ plain.length = bodysize - 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ err = krb5_c_decrypt(context, key, key_usage, 0,
+ &cipher, &plain);
+ if (err) {
+ free(plain.data);
+ goto error;
+ }
+ /* Don't use bodysize here! Use the fact that
+ cipher.ciphertext.length has been adjusted to the
+ correct length. */
+ althdr = (unsigned char *)plain.data + plain.length - 16;
+ if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
+ || althdr[2] != ptr[2]
+ || althdr[3] != ptr[3]
+ || memcmp(althdr+8, ptr+8, 8)) {
+ free(plain.data);
+ goto defective;
+ }
+ message_buffer->value = plain.data;
+ message_buffer->length = plain.length - ec - 16;
+ if(message_buffer->length == 0) {
+ free(message_buffer->value);
+ message_buffer->value = NULL;
+ }
+ } else {
+ size_t cksumsize;
+
+ err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
- if (!valid) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- message_buffer->length = plain.length - 16;
- message_buffer->value = malloc(message_buffer->length);
- if (message_buffer->value == NULL)
- goto no_mem;
- memcpy(message_buffer->value, plain.data, message_buffer->length);
- }
- err = g_order_check(&ctx->seqstate, seqnum);
- *minor_status = 0;
- return err;
+
+ /* no confidentiality */
+ if (conf_state)
+ *conf_state = 0;
+ if (ec + 16 < ec)
+ /* overflow check */
+ goto defective;
+ if (ec + 16 > bodysize)
+ goto defective;
+ /* We have: header | msg | cksum.
+ We need cksum(msg | header).
+ Rotate the first two. */
+ store_16_be(0, ptr+4);
+ store_16_be(0, ptr+6);
+ plain.length = bodysize-ec;
+ plain.data = (char *)ptr;
+ if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16))
+ goto no_mem;
+ sum.length = ec;
+ if (sum.length != cksumsize) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ sum.contents = ptr+bodysize-ec;
+ sum.checksum_type = cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ if (err)
+ goto error;
+ if (!valid) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ message_buffer->length = plain.length - 16;
+ message_buffer->value = malloc(message_buffer->length);
+ if (message_buffer->value == NULL)
+ goto no_mem;
+ memcpy(message_buffer->value, plain.data, message_buffer->length);
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
} else if (toktype == KG_TOK_MIC_MSG) {
- /* wrap token, no confidentiality */
- if (load_16_be(ptr) != 0x0404)
- goto defective;
+ /* wrap token, no confidentiality */
+ if (load_16_be(ptr) != KG2_TOK_MIC_MSG)
+ goto defective;
verify_mic_1:
- if (ptr[3] != 0xff)
- goto defective;
- if (load_32_be(ptr+4) != 0xffffffffL)
- goto defective;
- seqnum = load_64_be(ptr+8);
- plain.length = message_buffer->length + 16;
- plain.data = malloc(plain.length);
- if (plain.data == NULL)
- goto no_mem;
- if (message_buffer->length)
- memcpy(plain.data, message_buffer->value, message_buffer->length);
- memcpy(plain.data + message_buffer->length, ptr, 16);
- sum.length = bodysize - 16;
- sum.contents = ptr + 16;
- sum.checksum_type = ctx->cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
- &plain, &sum, &valid);
- free(plain.data);
- plain.data = NULL;
- if (err) {
- error:
- *minor_status = err;
- save_error_info(*minor_status, context);
- return GSS_S_BAD_SIG; /* XXX */
- }
- if (!valid) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- err = g_order_check(&ctx->seqstate, seqnum);
- *minor_status = 0;
- return err;
+ if (ptr[3] != 0xff)
+ goto defective;
+ if (load_32_be(ptr+4) != 0xffffffffL)
+ goto defective;
+ seqnum = load_64_be(ptr+8);
+ plain.length = message_buffer->length + 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ if (message_buffer->length)
+ memcpy(plain.data, message_buffer->value, message_buffer->length);
+ memcpy(plain.data + message_buffer->length, ptr, 16);
+ sum.length = bodysize - 16;
+ sum.contents = ptr + 16;
+ sum.checksum_type = cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ free(plain.data);
+ plain.data = NULL;
+ if (err) {
+ error:
+ *minor_status = err;
+ save_error_info(*minor_status, context);
+ return GSS_S_BAD_SIG; /* XXX */
+ }
+ if (!valid) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
} else if (toktype == KG_TOK_DEL_CTX) {
- if (load_16_be(ptr) != 0x0405)
- goto defective;
- message_buffer = &empty_message;
- goto verify_mic_1;
+ if (load_16_be(ptr) != KG2_TOK_DEL_CTX)
+ goto defective;
+ message_buffer = (gss_buffer_t)&empty_message;
+ goto verify_mic_1;
} else {
- goto defective;
+ goto defective;
}
}
Copied: branches/mkey_migrate/src/lib/gssapi/krb5/k5sealv3iov.c (from rev 21721, trunk/src/lib/gssapi/krb5/k5sealv3iov.c)
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/k5unseal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/k5unseal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/k5unseal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2001, 2007 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
@@ -58,7 +59,7 @@
static OM_uint32
kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
- conf_state, qop_state, toktype)
+ conf_state, qop_state, toktype)
krb5_context context;
OM_uint32 *minor_status;
krb5_gss_ctx_id_rec *ctx;
@@ -89,8 +90,8 @@
krb5_keyusage sign_usage = KG_USAGE_SIGN;
if (toktype == KG_TOK_SEAL_MSG) {
- message_buffer->length = 0;
- message_buffer->value = NULL;
+ message_buffer->length = 0;
+ message_buffer->value = NULL;
}
/* get the sign and seal algorithms */
@@ -101,141 +102,141 @@
/* Sanity checks */
if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if ((toktype != KG_TOK_SEAL_MSG) &&
- (sealalg != 0xffff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* in the current spec, there is only one valid seal algorithm per
key type, so a simple comparison is ok */
if ((toktype == KG_TOK_SEAL_MSG) &&
- !((sealalg == 0xffff) ||
- (sealalg == ctx->sealalg))) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ !((sealalg == 0xffff) ||
+ (sealalg == ctx->sealalg))) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* there are several mappings of seal algorithms to sign algorithms,
but few enough that we can try them all. */
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
- (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
- (ctx->sealalg == SEAL_ALG_DES3KD &&
- signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
- (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
- signalg != SGN_ALG_HMAC_MD5)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
+ (ctx->sealalg == SEAL_ALG_DES3KD &&
+ signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
+ (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
+ signalg != SGN_ALG_HMAC_MD5)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_HMAC_MD5:
- cksum_len = 8;
- if (toktype != KG_TOK_SEAL_MSG)
- sign_usage = 15;
- break;
+ cksum_len = 8;
+ if (toktype != KG_TOK_SEAL_MSG)
+ sign_usage = 15;
+ break;
case SGN_ALG_3:
- cksum_len = 16;
- break;
+ cksum_len = 16;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- cksum_len = 20;
- break;
+ cksum_len = 20;
+ break;
default:
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* get the token parameters */
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
- &seqnum))) {
- *minor_status = code;
- return(GSS_S_BAD_SIG);
+ &seqnum))) {
+ *minor_status = code;
+ return(GSS_S_BAD_SIG);
}
/* decode the message, if SEAL */
if (toktype == KG_TOK_SEAL_MSG) {
- int tmsglen = bodysize-(14+cksum_len);
- if (sealalg != 0xffff) {
- if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) {
- unsigned char bigend_seqnum[4];
- krb5_keyblock *enc_key;
- int i;
- bigend_seqnum[0] = (seqnum>>24) & 0xff;
- bigend_seqnum[1] = (seqnum>>16) & 0xff;
- bigend_seqnum[2] = (seqnum>>8) & 0xff;
- bigend_seqnum[3] = seqnum & 0xff;
- code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
- if (code)
- {
- xfree(plain);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ size_t tmsglen = bodysize-(14+cksum_len);
+ if (sealalg != 0xffff) {
+ if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) {
+ unsigned char bigend_seqnum[4];
+ krb5_keyblock *enc_key;
+ int i;
+ bigend_seqnum[0] = (seqnum>>24) & 0xff;
+ bigend_seqnum[1] = (seqnum>>16) & 0xff;
+ bigend_seqnum[2] = (seqnum>>8) & 0xff;
+ bigend_seqnum[3] = seqnum & 0xff;
+ code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
+ if (code)
+ {
+ xfree(plain);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- assert (enc_key->length == 16);
- for (i = 0; i <= 15; i++)
- ((char *) enc_key->contents)[i] ^=0xf0;
- code = kg_arcfour_docrypt (enc_key, 0,
- &bigend_seqnum[0], 4,
- ptr+14+cksum_len, tmsglen,
- plain);
- krb5_free_keyblock (context, enc_key);
- } else {
- code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL,
- ptr+14+cksum_len, plain, tmsglen);
- }
- if (code) {
- xfree(plain);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- } else {
- plain = ptr+14+cksum_len;
- }
+ assert (enc_key->length == 16);
+ for (i = 0; i <= 15; i++)
+ ((char *) enc_key->contents)[i] ^=0xf0;
+ code = kg_arcfour_docrypt (enc_key, 0,
+ &bigend_seqnum[0], 4,
+ ptr+14+cksum_len, tmsglen,
+ plain);
+ krb5_free_keyblock (context, enc_key);
+ } else {
+ code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL,
+ ptr+14+cksum_len, plain, tmsglen);
+ }
+ if (code) {
+ xfree(plain);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ plain = ptr+14+cksum_len;
+ }
- plainlen = tmsglen;
+ plainlen = tmsglen;
- if ((sealalg == 0xffff) && ctx->big_endian) {
- token.length = tmsglen;
- } else {
- conflen = kg_confounder_size(context, ctx->enc);
- token.length = tmsglen - conflen - plain[tmsglen-1];
- }
+ if ((sealalg == 0xffff) && ctx->big_endian) {
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc);
+ token.length = tmsglen - conflen - plain[tmsglen-1];
+ }
- if (token.length) {
- if ((token.value = (void *) xmalloc(token.length)) == NULL) {
- if (sealalg != 0xffff)
- xfree(plain);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(token.value, plain+conflen, token.length);
- } else {
- token.value = NULL;
- }
+ if (token.length) {
+ if ((token.value = (void *) xmalloc(token.length)) == NULL) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ memcpy(token.value, plain+conflen, token.length);
+ } else {
+ token.value = NULL;
+ }
} else if (toktype == KG_TOK_SIGN_MSG) {
- token = *message_buffer;
- plain = token.value;
- plainlen = token.length;
+ token = *message_buffer;
+ plain = token.value;
+ plainlen = token.length;
} else {
- token.length = 0;
- token.value = NULL;
- plain = token.value;
- plainlen = token.length;
+ token.length = 0;
+ token.value = NULL;
+ plain = token.value;
+ plainlen = token.length;
}
/* compute the checksum of the message */
@@ -246,227 +247,227 @@
case SGN_ALG_MD2_5:
case SGN_ALG_DES_MAC:
case SGN_ALG_3:
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
case SGN_ALG_HMAC_MD5:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
default:
- abort ();
+ abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code)
- return(code);
+ return(code);
md5cksum.length = sumlen;
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
- /* compute the checksum of the message */
+ /* compute the checksum of the message */
- /* 8 = bytes of token body to be checksummed according to spec */
+ /* 8 = bytes of token body to be checksummed according to spec */
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr, ptr-2, 8);
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
- (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
+ (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
+ ctx->seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (signalg == 0)
- cksum.length = 8;
- else
- cksum.length = 16;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
+ if (signalg == 0)
+ cksum.length = 8;
+ else
+ cksum.length = 16;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
- code = memcmp(cksum.contents, ptr+14, cksum.length);
- break;
+ code = memcmp(cksum.contents, ptr+14, cksum.length);
+ break;
case SGN_ALG_MD2_5:
- if (!ctx->seed_init &&
- (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ if (!ctx->seed_init &&
+ (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (! (data_ptr = (void *)
- xmalloc(sizeof(ctx->seed) + 8 +
- (ctx->big_endian ? token.length : plainlen)))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- (void) memcpy(data_ptr, ptr-2, 8);
- (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- token.value, token.length);
- else
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- plain, plainlen);
- plaind.length = 8 + sizeof(ctx->seed) +
- (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- krb5_free_checksum_contents(context, &md5cksum);
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
+ if (! (data_ptr = (void *)
+ xmalloc(sizeof(ctx->seed) + 8 +
+ (ctx->big_endian ? token.length : plainlen)))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ plain, plainlen);
+ plaind.length = 8 + sizeof(ctx->seed) +
+ (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ krb5_free_checksum_contents(context, &md5cksum);
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
- if (code) {
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ if (code) {
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- code = memcmp(md5cksum.contents, ptr+14, 8);
- /* Falls through to defective-token?? */
+ code = memcmp(md5cksum.contents, ptr+14, 8);
+ /* Falls through to defective-token?? */
default:
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
case SGN_ALG_HMAC_SHA1_DES3_KD:
case SGN_ALG_HMAC_MD5:
- /* compute the checksum of the message */
+ /* compute the checksum of the message */
- /* 8 = bytes of token body to be checksummed according to spec */
+ /* 8 = bytes of token body to be checksummed according to spec */
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr, ptr-2, 8);
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- code = memcmp(md5cksum.contents, ptr+14, cksum_len);
- break;
+ code = memcmp(md5cksum.contents, ptr+14, cksum_len);
+ break;
}
krb5_free_checksum_contents(context, &md5cksum);
if (sealalg != 0xffff)
- xfree(plain);
+ xfree(plain);
/* compare the computed checksum against the transmitted checksum */
if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = 0;
- return(GSS_S_BAD_SIG);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = 0;
+ return(GSS_S_BAD_SIG);
}
/* it got through unscathed. Make sure the context is unexpired */
if (toktype == KG_TOK_SEAL_MSG)
- *message_buffer = token;
+ *message_buffer = token;
if (conf_state)
- *conf_state = (sealalg != 0xffff);
+ *conf_state = (sealalg != 0xffff);
if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ *qop_state = GSS_C_QOP_DEFAULT;
if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
}
- if (now > ctx->endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
+ if (now > ctx->krb_times.endtime) {
+ *minor_status = 0;
+ return(GSS_S_CONTEXT_EXPIRED);
}
/* do sequencing checks */
if ((ctx->initiate && direction != 0xff) ||
- (!ctx->initiate && direction != 0)) {
- if (toktype == KG_TOK_SEAL_MSG) {
- xfree(token.value);
- message_buffer->value = NULL;
- message_buffer->length = 0;
- }
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
+ (!ctx->initiate && direction != 0)) {
+ if (toktype == KG_TOK_SEAL_MSG) {
+ xfree(token.value);
+ message_buffer->value = NULL;
+ message_buffer->length = 0;
+ }
+ *minor_status = (OM_uint32)G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
}
- retval = g_order_check(&(ctx->seqstate), seqnum);
+ retval = g_order_check(&(ctx->seqstate), (gssint_uint64)seqnum);
/* success or ordering violation */
@@ -479,13 +480,13 @@
OM_uint32
kg_unseal(minor_status, context_handle, input_token_buffer,
- message_buffer, conf_state, qop_state, toktype)
+ message_buffer, conf_state, qop_state, toktype)
OM_uint32 *minor_status;
gss_ctx_id_t context_handle;
gss_buffer_t input_token_buffer;
gss_buffer_t message_buffer;
int *conf_state;
- int *qop_state;
+ gss_qop_t *qop_state;
int toktype;
{
krb5_gss_ctx_id_rec *ctx;
@@ -497,15 +498,15 @@
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
/* parse the token, leave the data in message_buffer, setting conf_state */
@@ -514,41 +515,26 @@
ptr = (unsigned char *) input_token_buffer->value;
- if (ctx->proto)
- switch (toktype) {
- case KG_TOK_SIGN_MSG:
- toktype2 = 0x0404;
- break;
- case KG_TOK_SEAL_MSG:
- toktype2 = 0x0504;
- break;
- case KG_TOK_DEL_CTX:
- toktype2 = 0x0405;
- break;
- default:
- toktype2 = toktype;
- break;
- }
- else
- toktype2 = toktype;
+ toktype2 = kg_map_toktype(ctx->proto, toktype);
+
err = g_verify_token_header(ctx->mech_used,
- &bodysize, &ptr, toktype2,
- input_token_buffer->length,
- !ctx->proto);
+ &bodysize, &ptr, toktype2,
+ input_token_buffer->length,
+ !ctx->proto);
if (err) {
- *minor_status = err;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = err;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if (ctx->proto == 0)
- ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize,
- message_buffer, conf_state, qop_state,
- toktype);
+ ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize,
+ message_buffer, conf_state, qop_state,
+ toktype);
else
- ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx,
- ptr, bodysize, message_buffer,
- conf_state, qop_state, toktype);
+ ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx,
+ ptr, bodysize, message_buffer,
+ conf_state, qop_state, toktype);
if (ret != 0)
- save_error_info (*minor_status, ctx->k5_context);
+ save_error_info (*minor_status, ctx->k5_context);
return ret;
}
Copied: branches/mkey_migrate/src/lib/gssapi/krb5/k5unsealiov.c (from rev 21721, trunk/src/lib/gssapi/krb5/k5unsealiov.c)
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/krb5_gss_glue.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -19,1131 +20,391 @@
* OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
/*
* $Id$
*/
#include "gssapiP_krb5.h"
-#include "mglueP.h"
+OM_uint32 KRB5_CALLCONV
+gss_krb5_get_tkt_flags(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_flags *ticket_flags)
+{
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH,
+ GSS_KRB5_GET_TKT_FLAGS_OID };
+ OM_uint32 major_status;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
-/** mechglue wrappers **/
+ if (ticket_flags == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
-static OM_uint32 k5glue_acquire_cred
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t*, /* output_cred_handle */
- gss_OID_set*, /* actual_mechs */
- OM_uint32* /* time_rec */
- );
+ major_status = gss_inquire_sec_context_by_oid(minor_status,
+ context_handle,
+ (const gss_OID)&req_oid,
+ &data_set);
+ if (major_status != GSS_S_COMPLETE)
+ return major_status;
-static OM_uint32 k5glue_release_cred
-(void *, OM_uint32*, /* minor_status */
- gss_cred_id_t* /* cred_handle */
- );
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1 ||
+ data_set->elements[0].length != sizeof(*ticket_flags)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
-static OM_uint32 k5glue_init_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t*, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID*, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32* /* time_rec */
- );
-
-#ifndef LEAN_CLIENT
-static OM_uint32 k5glue_accept_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_cred_id_t, /* verifier_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t*, /* src_name */
- gss_OID*, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32*, /* time_rec */
- gss_cred_id_t* /* delegated_cred_handle */
- );
-#endif /* LEAN_CLIENT */
+ *ticket_flags = *((krb5_flags *)data_set->elements[0].value);
-static OM_uint32 k5glue_process_context_token
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
+ gss_release_buffer_set(minor_status, &data_set);
-static OM_uint32 k5glue_delete_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_buffer_t /* output_token */
- );
+ *minor_status = 0;
-static OM_uint32 k5glue_context_time
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32* /* time_rec */
- );
-
-static OM_uint32 k5glue_sign
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+ return GSS_S_COMPLETE;
+}
-static OM_uint32 k5glue_verify
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int* /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_krb5_copy_ccache(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache)
+{
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_COPY_CCACHE_OID_LENGTH,
+ GSS_KRB5_COPY_CCACHE_OID };
+ OM_uint32 major_status;
+ gss_buffer_desc req_buffer;
-static OM_uint32 k5glue_seal
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int*, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+ if (out_ccache == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
-static OM_uint32 k5glue_unseal
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int*, /* conf_state */
- int* /* qop_state */
- );
+ req_buffer.value = out_ccache;
+ req_buffer.length = sizeof(out_ccache);
-static OM_uint32 k5glue_display_status
-(void *, OM_uint32*, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type */
- OM_uint32*, /* message_context */
- gss_buffer_t /* status_string */
- );
+ major_status = gssspi_set_cred_option(minor_status,
+ cred_handle,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-static OM_uint32 k5glue_indicate_mechs
-(void *, OM_uint32*, /* minor_status */
- gss_OID_set* /* mech_set */
- );
+ return major_status;
+}
-static OM_uint32 k5glue_compare_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int* /* name_equal */
- );
+OM_uint32 KRB5_CALLCONV
+gss_krb5_export_lucid_sec_context(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx)
+{
+ unsigned char oid_buf[GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH + 6];
+ gss_OID_desc req_oid;
+ OM_uint32 major_status, minor;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
-static OM_uint32 k5glue_display_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID* /* output_name_type */
- );
+ if (kctx == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
-static OM_uint32 k5glue_import_name
-(void *, OM_uint32*, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type */
- gss_name_t* /* output_name */
- );
+ *kctx = NULL;
-static OM_uint32 k5glue_release_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t* /* input_name */
- );
+ req_oid.elements = oid_buf;
+ req_oid.length = sizeof(oid_buf);
-static OM_uint32 k5glue_inquire_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t*,/* cred_usage */
- gss_OID_set * /* mechanisms */
- );
+ major_status = generic_gss_oid_compose(minor_status,
+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
+ (int)version,
+ &req_oid);
+ if (GSS_ERROR(major_status))
+ return major_status;
-static OM_uint32 k5glue_inquire_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t*, /* initiator_name */
- gss_name_t*, /* acceptor_name */
- OM_uint32*, /* lifetime_rec */
- gss_OID*, /* mech_type */
- OM_uint32*, /* ret_flags */
- int*, /* locally_initiated */
- int* /* open */
- );
+ major_status = gss_inquire_sec_context_by_oid(minor_status,
+ *context_handle,
+ &req_oid,
+ &data_set);
+ if (GSS_ERROR(major_status))
+ return major_status;
-#if 0
-/* New V2 entry points */
-static OM_uint32 k5glue_get_mic
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
-
-static OM_uint32 k5glue_verify_mic
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
-
-static OM_uint32 k5glue_wrap
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
-
-static OM_uint32 k5glue_unwrap
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
-#endif
-
-static OM_uint32 k5glue_wrap_size_limit
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
-
-#if 0
-static OM_uint32 k5glue_import_name_object
-(void *, OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
-
-static OM_uint32 k5glue_export_name_object
-(void *, OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void * * /* output_name */
- );
-#endif
-
-static OM_uint32 k5glue_add_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
-
-static OM_uint32 k5glue_inquire_cred_by_mech
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
-
-#ifndef LEAN_CLIENT
-static OM_uint32 k5glue_export_sec_context
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
-
-static OM_uint32 k5glue_import_sec_context
-(void *, OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
-#endif /* LEAN_CLIENT */
-
-krb5_error_code k5glue_ser_init(krb5_context);
-
-static OM_uint32 k5glue_internal_release_oid
-(void *, OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
-
-static OM_uint32 k5glue_inquire_names_for_mech
-(void *, OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
-
-#if 0
-static OM_uint32 k5glue_canonicalize_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
-#endif
-
-static OM_uint32 k5glue_export_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
-
-#if 0
-static OM_uint32 k5glue_duplicate_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
-#endif
-
-#if 0
-static OM_uint32 k5glue_validate_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t /* cred */
- );
-#endif
-
-/*
- * The krb5 mechanism provides two mech OIDs; use this initializer to
- * ensure that both dispatch tables contain identical function
- * pointers.
- */
-#ifndef LEAN_CLIENT
-#define KRB5_GSS_CONFIG_INIT \
- NULL, \
- k5glue_acquire_cred, \
- k5glue_release_cred, \
- k5glue_init_sec_context, \
- k5glue_accept_sec_context, \
- k5glue_process_context_token, \
- k5glue_delete_sec_context, \
- k5glue_context_time, \
- k5glue_sign, \
- k5glue_verify, \
- k5glue_seal, \
- k5glue_unseal, \
- k5glue_display_status, \
- k5glue_indicate_mechs, \
- k5glue_compare_name, \
- k5glue_display_name, \
- k5glue_import_name, \
- k5glue_release_name, \
- k5glue_inquire_cred, \
- k5glue_add_cred, \
- k5glue_export_sec_context, \
- k5glue_import_sec_context, \
- k5glue_inquire_cred_by_mech, \
- k5glue_inquire_names_for_mech, \
- k5glue_inquire_context, \
- k5glue_internal_release_oid, \
- k5glue_wrap_size_limit, \
- k5glue_export_name, \
- NULL /* store_cred */
-
-#else /* LEAN_CLIENT */
-
-#define KRB5_GSS_CONFIG_INIT \
- NULL, \
- k5glue_acquire_cred, \
- k5glue_release_cred, \
- k5glue_init_sec_context, \
- NULL, \
- k5glue_process_context_token, \
- k5glue_delete_sec_context, \
- k5glue_context_time, \
- k5glue_sign, \
- k5glue_verify, \
- k5glue_seal, \
- k5glue_unseal, \
- k5glue_display_status, \
- k5glue_indicate_mechs, \
- k5glue_compare_name, \
- k5glue_display_name, \
- k5glue_import_name, \
- k5glue_release_name, \
- k5glue_inquire_cred, \
- k5glue_add_cred, \
- NULL, \
- NULL, \
- k5glue_inquire_cred_by_mech, \
- k5glue_inquire_names_for_mech, \
- k5glue_inquire_context, \
- k5glue_internal_release_oid, \
- k5glue_wrap_size_limit, \
- k5glue_export_name, \
- NULL /* store_cred */
-
-#endif /* LEAN_CLIENT */
-
-
-static struct gss_config krb5_mechanism = {
- 100, "kerberos_v5",
- { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
- KRB5_GSS_CONFIG_INIT
-};
-
-static struct gss_config krb5_mechanism_old = {
- 200, "kerberos_v5 (pre-RFC OID)",
- { GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID },
- KRB5_GSS_CONFIG_INIT
-};
-
-static struct gss_config krb5_mechanism_wrong = {
- 300, "kerberos_v5 (wrong OID)",
- { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID },
- KRB5_GSS_CONFIG_INIT
-};
-
-static gss_mechanism krb5_mech_configs[] = {
- &krb5_mechanism, &krb5_mechanism_old, &krb5_mechanism_wrong, NULL
-};
-
-#ifdef MS_BUG_TEST
-static gss_mechanism krb5_mech_configs_hack[] = {
- &krb5_mechanism, &krb5_mechanism_old, NULL
-};
-#endif
-
-#define gssint_get_mech_configs krb5_gss_get_mech_configs
-
-gss_mechanism *
-gssint_get_mech_configs(void)
-{
-#ifdef MS_BUG_TEST
- char *envstr = getenv("MS_FORCE_NO_MSOID");
-
- if (envstr != NULL && strcmp(envstr, "1") == 0) {
- return krb5_mech_configs_hack;
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1 ||
+ data_set->elements[0].length != sizeof(void *)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
}
-#endif
- return krb5_mech_configs;
-}
-#ifndef LEAN_CLIENT
-static OM_uint32
-k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle,
- input_token, input_chan_bindings, src_name, mech_type,
- output_token, ret_flags, time_rec, delegated_cred_handle)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_cred_id_t verifier_cred_handle;
- gss_buffer_t input_token;
- gss_channel_bindings_t input_chan_bindings;
- gss_name_t *src_name;
- gss_OID *mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
- gss_cred_id_t *delegated_cred_handle;
-{
- return(krb5_gss_accept_sec_context(minor_status,
- context_handle,
- verifier_cred_handle,
- input_token,
- input_chan_bindings,
- src_name,
- mech_type,
- output_token,
- ret_flags,
- time_rec,
- delegated_cred_handle));
-}
-#endif /* LEAN_CLIENT */
+ *kctx = *((void **)data_set->elements[0].value);
-static OM_uint32
-k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs, time_rec)
- void *ctx;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- OM_uint32 time_req;
- gss_OID_set desired_mechs;
- gss_cred_usage_t cred_usage;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *time_rec;
-{
- return(krb5_gss_acquire_cred(minor_status,
- desired_name,
- time_req,
- desired_mechs,
- cred_usage,
- output_cred_handle,
- actual_mechs,
- time_rec));
-}
+ /* Clean up the context state (it is an error for
+ * someone to attempt to use this context again)
+ */
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ *context_handle = GSS_C_NO_CONTEXT;
-/* V2 */
-static OM_uint32
-k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech,
- cred_usage, initiator_time_req, acceptor_time_req,
- output_cred_handle, actual_mechs, initiator_time_rec,
- acceptor_time_rec)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t input_cred_handle;
- gss_name_t desired_name;
- gss_OID desired_mech;
- gss_cred_usage_t cred_usage;
- OM_uint32 initiator_time_req;
- OM_uint32 acceptor_time_req;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *initiator_time_rec;
- OM_uint32 *acceptor_time_rec;
-{
- return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name,
- desired_mech, cred_usage, initiator_time_req,
- acceptor_time_req, output_cred_handle,
- actual_mechs, initiator_time_rec,
- acceptor_time_rec));
-}
+ generic_gss_release_buffer_set(&minor, &data_set);
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID member_oid;
- gss_OID_set *oid_set;
-{
- return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set));
+ return GSS_S_COMPLETE;
}
-#endif
-static OM_uint32
-k5glue_compare_name(ctx, minor_status, name1, name2, name_equal)
- void *ctx;
- OM_uint32 *minor_status;
- gss_name_t name1;
- gss_name_t name2;
- int *name_equal;
+OM_uint32 KRB5_CALLCONV
+gss_krb5_set_allowable_enctypes(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes)
{
- return(krb5_gss_compare_name(minor_status, name1,
- name2, name_equal));
-}
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH,
+ GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID };
+ OM_uint32 major_status;
+ struct krb5_gss_set_allowable_enctypes_req req;
+ gss_buffer_desc req_buffer;
+
+ req.num_ktypes = num_ktypes;
+ req.ktypes = ktypes;
-static OM_uint32
-k5glue_context_time(ctx, minor_status, context_handle, time_rec)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- OM_uint32 *time_rec;
-{
- return(krb5_gss_context_time(minor_status, context_handle,
- time_rec));
-}
+ req_buffer.length = sizeof(req);
+ req_buffer.value = &req;
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_create_empty_oid_set(ctx, minor_status, oid_set)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID_set *oid_set;
-{
- return(generic_gss_create_empty_oid_set(minor_status, oid_set));
-}
-#endif
+ major_status = gssspi_set_cred_option(minor_status,
+ cred,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-static OM_uint32
-k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t output_token;
-{
- return(krb5_gss_delete_sec_context(minor_status,
- context_handle, output_token));
+ return major_status;
}
-static OM_uint32
-k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type)
- void *ctx;
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
+OM_uint32 KRB5_CALLCONV
+gss_krb5_ccache_name(
+ OM_uint32 *minor_status,
+ const char *name,
+ const char **out_name)
{
- return(krb5_gss_display_name(minor_status, input_name,
- output_name_buffer, output_name_type));
-}
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_CCACHE_NAME_OID_LENGTH,
+ GSS_KRB5_CCACHE_NAME_OID };
+ OM_uint32 major_status;
+ struct krb5_gss_ccache_name_req req;
+ gss_buffer_desc req_buffer;
-static OM_uint32
-k5glue_display_status(ctx, minor_status, status_value, status_type,
- mech_type, message_context, status_string)
- void *ctx;
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- int status_type;
- gss_OID mech_type;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
-{
- return(krb5_gss_display_status(minor_status, status_value,
- status_type, mech_type, message_context,
- status_string));
-}
-#ifndef LEAN_CLIENT
-/* V2 */
-static OM_uint32
-k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t interprocess_token;
-{
- return(krb5_gss_export_sec_context(minor_status,
- context_handle,
- interprocess_token));
-}
-#endif /* LEAN_CLIENT */
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_get_mic(ctx, minor_status, context_handle, qop_req,
- message_buffer, message_token)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_qop_t qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
-{
- return(krb5_gss_get_mic(minor_status, context_handle,
- qop_req, message_buffer, message_token));
-}
-#endif
+ req.name = name;
+ req.out_name = out_name;
-static OM_uint32
-k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name)
- void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_OID input_name_type;
- gss_name_t *output_name;
-{
-#if 0
- OM_uint32 err;
- err = gssint_initialize_library();
- if (err) {
- *minor_status = err;
- return GSS_S_FAILURE;
- }
-#endif
- return(krb5_gss_import_name(minor_status, input_name_buffer,
- input_name_type, output_name));
-}
+ req_buffer.length = sizeof(req);
+ req_buffer.value = &req;
-#ifndef LEAN_CLIENT
-/* V2 */
-static OM_uint32
-k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
- void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t interprocess_token;
- gss_ctx_id_t *context_handle;
-{
- return(krb5_gss_import_sec_context(minor_status,
- interprocess_token,
- context_handle));
-}
-#endif /* LEAN_CLIENT */
+ major_status = gssspi_mech_invoke(minor_status,
+ (const gss_OID)gss_mech_krb5,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-static OM_uint32
-k5glue_indicate_mechs(ctx, minor_status, mech_set)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID_set *mech_set;
-{
- return(krb5_gss_indicate_mechs(minor_status, mech_set));
+ return major_status;
}
-static OM_uint32
-k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle,
- target_name, mech_type, req_flags, time_req,
- input_chan_bindings, input_token, actual_mech_type,
- output_token, ret_flags, time_rec)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t claimant_cred_handle;
- gss_ctx_id_t *context_handle;
- gss_name_t target_name;
- gss_OID mech_type;
- OM_uint32 req_flags;
- OM_uint32 time_req;
- gss_channel_bindings_t input_chan_bindings;
- gss_buffer_t input_token;
- gss_OID *actual_mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
+OM_uint32 KRB5_CALLCONV
+gss_krb5_free_lucid_sec_context(
+ OM_uint32 *minor_status,
+ void *kctx)
{
- return(krb5_gss_init_sec_context(minor_status,
- claimant_cred_handle, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings, input_token,
- actual_mech_type, output_token, ret_flags,
- time_rec));
-}
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH,
+ GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID };
+ OM_uint32 major_status;
+ gss_buffer_desc req_buffer;
-static OM_uint32
-k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name,
- lifetime_rec, mech_type, ret_flags,
- locally_initiated, opened)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_name_t *initiator_name;
- gss_name_t *acceptor_name;
- OM_uint32 *lifetime_rec;
- gss_OID *mech_type;
- OM_uint32 *ret_flags;
- int *locally_initiated;
- int *opened;
-{
- return(krb5_gss_inquire_context(minor_status, context_handle,
- initiator_name, acceptor_name, lifetime_rec,
- mech_type, ret_flags, locally_initiated,
- opened));
-}
+ req_buffer.length = sizeof(kctx);
+ req_buffer.value = kctx;
-static OM_uint32
-k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret,
- cred_usage, mechanisms)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_name_t *name;
- OM_uint32 *lifetime_ret;
- gss_cred_usage_t *cred_usage;
- gss_OID_set *mechanisms;
-{
- return(krb5_gss_inquire_cred(minor_status, cred_handle,
- name, lifetime_ret, cred_usage, mechanisms));
-}
+ major_status = gssspi_mech_invoke(minor_status,
+ (const gss_OID)gss_mech_krb5,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-/* V2 */
-static OM_uint32
-k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name,
- initiator_lifetime, acceptor_lifetime, cred_usage)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_OID mech_type;
- gss_name_t *name;
- OM_uint32 *initiator_lifetime;
- OM_uint32 *acceptor_lifetime;
- gss_cred_usage_t *cred_usage;
-{
- return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
- mech_type, name, initiator_lifetime,
- acceptor_lifetime, cred_usage));
+ return major_status;
}
-/* V2 */
-static OM_uint32
-k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID mechanism;
- gss_OID_set *name_types;
+OM_uint32 KRB5_CALLCONV
+krb5_gss_register_acceptor_identity(const char *keytab)
{
- return(krb5_gss_inquire_names_for_mech(minor_status,
- mechanism,
- name_types));
-}
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH,
+ GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID };
+ OM_uint32 major_status;
+ OM_uint32 minor_status;
+ gss_buffer_desc req_buffer;
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_oid_to_str(ctx, minor_status, oid, oid_str)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID oid;
- gss_buffer_t oid_str;
-{
- return(generic_gss_oid_to_str(minor_status, oid, oid_str));
-}
-#endif
+ req_buffer.length = strlen(keytab);
+ req_buffer.value = (char *)keytab;
-static OM_uint32
-k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t token_buffer;
-{
- return(krb5_gss_process_context_token(minor_status,
- context_handle, token_buffer));
-}
+ major_status = gssspi_mech_invoke(&minor_status,
+ (const gss_OID)gss_mech_krb5,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-static OM_uint32
-k5glue_release_cred(ctx, minor_status, cred_handle)
- void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t *cred_handle;
-{
- return(krb5_gss_release_cred(minor_status, cred_handle));
+ return major_status;
}
-static OM_uint32
-k5glue_release_name(ctx, minor_status, input_name)
- void *ctx;
- OM_uint32 *minor_status;
- gss_name_t *input_name;
+krb5_error_code
+krb5_gss_use_kdc_context(void)
{
- return(krb5_gss_release_name(minor_status, input_name));
-}
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH,
+ GSS_KRB5_USE_KDC_CONTEXT_OID };
+ OM_uint32 major_status;
+ OM_uint32 minor_status;
+ gss_buffer_desc req_buffer;
-#if 0
-static OM_uint32
-k5glue_release_buffer(ctx, minor_status, buffer)
- void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t buffer;
-{
- return(generic_gss_release_buffer(minor_status,
- buffer));
-}
-#endif
+ req_buffer.length = 0;
+ req_buffer.value = NULL;
-/* V2 */
-static OM_uint32
-k5glue_internal_release_oid(ctx, minor_status, oid)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID *oid;
-{
- return(krb5_gss_internal_release_oid(minor_status, oid));
-}
+ major_status = gssspi_mech_invoke(&minor_status,
+ (const gss_OID)gss_mech_krb5,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-#if 0
-static OM_uint32
-k5glue_release_oid_set(ctx, minor_status, set)
- void *ctx;
- OM_uint32 * minor_status;
- gss_OID_set *set;
-{
- return(generic_gss_release_oid_set(minor_status, set));
+ return major_status;
}
-#endif
-/* V1 only */
-static OM_uint32
-k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+/*
+ * This API should go away and be replaced with an accessor
+ * into a gss_name_t.
+ */
+OM_uint32 KRB5_CALLCONV
+gsskrb5_extract_authz_data_from_sec_context(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int ad_type,
+ gss_buffer_t ad_data)
{
- return(krb5_gss_seal(minor_status, context_handle,
- conf_req_flag, qop_req, input_message_buffer,
- conf_state, output_message_buffer));
-}
+ gss_OID_desc req_oid;
+ unsigned char oid_buf[GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + 6];
+ OM_uint32 major_status;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
-static OM_uint32
-k5glue_sign(ctx, minor_status, context_handle,
- qop_req, message_buffer,
- message_token)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
-{
- return(krb5_gss_sign(minor_status, context_handle,
- qop_req, message_buffer, message_token));
-}
+ if (ad_data == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_verify_mic(ctx, minor_status, context_handle,
- message_buffer, token_buffer, qop_state)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- gss_qop_t *qop_state;
-{
- return(krb5_gss_verify_mic(minor_status, context_handle,
- message_buffer, token_buffer, qop_state));
-}
+ req_oid.elements = oid_buf;
+ req_oid.length = sizeof(oid_buf);
-/* V2 */
-static OM_uint32
-k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
-{
- return(krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state,
- output_message_buffer));
-}
+ major_status = generic_gss_oid_compose(minor_status,
+ GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID,
+ GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
+ ad_type,
+ &req_oid);
+ if (GSS_ERROR(major_status))
+ return major_status;
-/* V2 */
-static OM_uint32
-k5glue_str_to_oid(ctx, minor_status, oid_str, oid)
- void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t oid_str;
- gss_OID *oid;
-{
- return(generic_gss_str_to_oid(minor_status, oid_str, oid));
-}
+ major_status = gss_inquire_sec_context_by_oid(minor_status,
+ context_handle,
+ (const gss_OID)&req_oid,
+ &data_set);
+ if (major_status != GSS_S_COMPLETE) {
+ return major_status;
+ }
-/* V2 */
-static OM_uint32
-k5glue_test_oid_set_member(ctx, minor_status, member, set, present)
- void *ctx;
- OM_uint32 *minor_status;
- gss_OID member;
- gss_OID_set set;
- int *present;
-{
- return(generic_gss_test_oid_set_member(minor_status, member, set,
- present));
-}
-#endif
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1) {
+ return GSS_S_FAILURE;
+ }
-/* V1 only */
-static OM_uint32
-k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
-{
- return(krb5_gss_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state));
-}
+ ad_data->length = data_set->elements[0].length;
+ ad_data->value = data_set->elements[0].value;
-#if 0
-/* V2 */
-static OM_uint32
-k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- gss_qop_t *qop_state;
-{
- return(krb5_gss_unwrap(minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state));
-}
-#endif
+ data_set->elements[0].length = 0;
+ data_set->elements[0].value = NULL;
-/* V1 only */
-static OM_uint32
-k5glue_verify(ctx, minor_status, context_handle, message_buffer,
- token_buffer, qop_state)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- return(krb5_gss_verify(minor_status,
- context_handle,
- message_buffer,
- token_buffer,
- qop_state));
-}
+ data_set->count = 0;
-/* V2 interface */
-static OM_uint32
-k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag,
- qop_req, req_output_size, max_input_size)
- void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- OM_uint32 req_output_size;
- OM_uint32 *max_input_size;
-{
- return(krb5_gss_wrap_size_limit(minor_status, context_handle,
- conf_req_flag, qop_req,
- req_output_size, max_input_size));
-}
+ gss_release_buffer_set(minor_status, &data_set);
-#if 0
-/* V2 interface */
-static OM_uint32
-k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name)
- void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- const gss_OID mech_type;
- gss_name_t *output_name;
-{
- return krb5_gss_canonicalize_name(minor_status, input_name,
- mech_type, output_name);
+ return GSS_S_COMPLETE;
}
-#endif
-/* V2 interface */
-static OM_uint32
-k5glue_export_name(ctx, minor_status, input_name, exported_name)
- void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- gss_buffer_t exported_name;
-{
- return krb5_gss_export_name(minor_status, input_name, exported_name);
-}
-
-#if 0
-/* V2 interface */
-static OM_uint32
-k5glue_duplicate_name(ctx, minor_status, input_name, dest_name)
- void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- gss_name_t *dest_name;
-{
- return krb5_gss_duplicate_name(minor_status, input_name, dest_name);
-}
-#endif
-
OM_uint32 KRB5_CALLCONV
-gss_krb5_get_tkt_flags(
+gss_krb5_set_cred_rcache(
OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags)
+ gss_cred_id_t cred,
+ krb5_rcache rcache)
{
- gss_union_ctx_id_t uctx;
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH,
+ GSS_KRB5_SET_CRED_RCACHE_OID };
+ OM_uint32 major_status;
+ gss_buffer_desc req_buffer;
+
+ req_buffer.length = sizeof(rcache);
+ req_buffer.value = rcache;
- uctx = (gss_union_ctx_id_t)context_handle;
- if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
- return gss_krb5int_get_tkt_flags(minor_status, uctx->internal_ctx_id,
- ticket_flags);
-}
+ major_status = gssspi_set_cred_option(minor_status,
+ cred,
+ (const gss_OID)&req_oid,
+ &req_buffer);
-OM_uint32 KRB5_CALLCONV
-gss_krb5_copy_ccache(
- OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache)
-{
- gss_union_cred_t ucred;
- gss_cred_id_t mcred;
-
- ucred = (gss_union_cred_t)cred_handle;
-
- mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
- if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
-
- mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
- if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
-
- return GSS_S_DEFECTIVE_CREDENTIAL;
+ return major_status;
}
-/* XXX need to delete mechglue ctx too */
OM_uint32 KRB5_CALLCONV
-gss_krb5_export_lucid_sec_context(
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx)
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_timestamp *authtime)
{
- gss_union_ctx_id_t uctx;
+ static const gss_OID_desc const req_oid = {
+ GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
+ GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID };
+ OM_uint32 major_status;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
- uctx = (gss_union_ctx_id_t)*context_handle;
- if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
- return gss_krb5int_export_lucid_sec_context(minor_status,
- &uctx->internal_ctx_id,
- version, kctx);
-}
+ if (authtime == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
-OM_uint32 KRB5_CALLCONV
-gss_krb5_set_allowable_enctypes(
- OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes)
-{
- gss_union_cred_t ucred;
- gss_cred_id_t mcred;
+ major_status = gss_inquire_sec_context_by_oid(minor_status,
+ context_handle,
+ (const gss_OID)&req_oid,
+ &data_set);
+ if (major_status != GSS_S_COMPLETE)
+ return major_status;
- ucred = (gss_union_cred_t)cred;
- mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
- if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
- num_ktypes, ktypes);
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1 ||
+ data_set->elements[0].length != sizeof(*authtime)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
- mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
- if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
- num_ktypes, ktypes);
+ *authtime = *((krb5_timestamp *)data_set->elements[0].value);
- return GSS_S_DEFECTIVE_CREDENTIAL;
+ gss_release_buffer_set(minor_status, &data_set);
+
+ *minor_status = 0;
+
+ return GSS_S_COMPLETE;
}
+
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/lucid_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/lucid_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/lucid_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/lucid_context.c
*
@@ -51,7 +52,7 @@
static krb5_error_code
make_external_lucid_ctx_v1(
krb5_gss_ctx_id_rec * gctx,
- unsigned int version,
+ int version,
void **out_ptr);
@@ -61,70 +62,61 @@
OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx)
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
{
- krb5_error_code kret = 0;
- OM_uint32 retval;
- krb5_gss_ctx_id_t ctx;
- void *lctx = NULL;
+ krb5_error_code kret = 0;
+ OM_uint32 retval;
+ krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
+ void *lctx = NULL;
+ int version = 0;
+ gss_buffer_desc rep;
/* Assume failure */
retval = GSS_S_FAILURE;
*minor_status = 0;
+ *data_set = GSS_C_NO_BUFFER_SET;
- if (kctx)
- *kctx = NULL;
- else {
- kret = EINVAL;
- goto error_out;
- }
+ retval = generic_gss_oid_decompose(minor_status,
+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
+ desired_object,
+ &version);
+ if (GSS_ERROR(retval))
+ return retval;
- if (!kg_validate_ctx_id(*context_handle)) {
- kret = (OM_uint32) G_VALIDATE_FAILED;
- retval = GSS_S_NO_CONTEXT;
- goto error_out;
- }
-
- ctx = (krb5_gss_ctx_id_t) *context_handle;
-
/* Externalize a structure of the right version */
switch (version) {
case 1:
- kret = make_external_lucid_ctx_v1((krb5_pointer)ctx,
- version, &lctx);
+ kret = make_external_lucid_ctx_v1((krb5_pointer)ctx,
+ version, &lctx);
break;
default:
- kret = (OM_uint32) KG_LUCID_VERSION;
- break;
+ kret = (OM_uint32) KG_LUCID_VERSION;
+ break;
}
if (kret)
- goto error_out;
+ goto error_out;
/* Success! Record the context and return the buffer */
if (! kg_save_lucidctx_id((void *)lctx)) {
- kret = G_VALIDATE_FAILED;
- goto error_out;
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
}
- *kctx = lctx;
- *minor_status = 0;
- retval = GSS_S_COMPLETE;
+ rep.value = lctx;
+ rep.length = sizeof(lctx);
- /* Clean up the context state (it is an error for
- * someone to attempt to use this context again)
- */
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- *context_handle = GSS_C_NO_CONTEXT;
+ retval = generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
+ if (GSS_ERROR(retval))
+ goto error_out;
- return (retval);
-
error_out:
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
@@ -132,44 +124,48 @@
* Frees the storage associated with an
* exported lucid context structure.
*/
-OM_uint32 KRB5_CALLCONV
-gss_krb5_free_lucid_sec_context(
+OM_uint32
+gss_krb5int_free_lucid_sec_context(
OM_uint32 *minor_status,
- void *kctx)
+ const gss_OID desired_mech,
+ const gss_OID desired_object,
+ gss_buffer_t value)
{
- OM_uint32 retval;
- krb5_error_code kret = 0;
- int version;
+ OM_uint32 retval;
+ krb5_error_code kret = 0;
+ int version;
+ void *kctx;
/* Assume failure */
retval = GSS_S_FAILURE;
*minor_status = 0;
+ kctx = value->value;
if (!kctx) {
- kret = EINVAL;
- goto error_out;
+ kret = EINVAL;
+ goto error_out;
}
/* Verify pointer is valid lucid context */
if (! kg_validate_lucidctx_id(kctx)) {
- kret = G_VALIDATE_FAILED;
- goto error_out;
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
}
/* Determine version and call correct free routine */
version = ((gss_krb5_lucid_context_version_t *)kctx)->version;
switch (version) {
case 1:
- (void)kg_delete_lucidctx_id(kctx);
- free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx);
- break;
+ (void)kg_delete_lucidctx_id(kctx);
+ free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx);
+ break;
default:
- kret = EINVAL;
- break;
+ kret = EINVAL;
+ break;
}
if (kret)
- goto error_out;
+ goto error_out;
/* Success! */
*minor_status = 0;
@@ -178,8 +174,8 @@
return (retval);
error_out:
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
@@ -190,7 +186,7 @@
static krb5_error_code
make_external_lucid_ctx_v1(
krb5_gss_ctx_id_rec * gctx,
- unsigned int version,
+ int version,
void **out_ptr)
{
gss_krb5_lucid_context_v1_t *lctx = NULL;
@@ -199,44 +195,44 @@
/* Allocate the structure */
if ((lctx = xmalloc(bufsize)) == NULL) {
- retval = ENOMEM;
- goto error_out;
+ retval = ENOMEM;
+ goto error_out;
}
memset(lctx, 0, bufsize);
lctx->version = 1;
lctx->initiate = gctx->initiate ? 1 : 0;
- lctx->endtime = gctx->endtime;
+ lctx->endtime = gctx->krb_times.endtime;
lctx->send_seq = gctx->seq_send;
lctx->recv_seq = gctx->seq_recv;
lctx->protocol = gctx->proto;
/* gctx->proto == 0 ==> rfc1964-style key information
gctx->proto == 1 ==> cfx-style (draft-ietf-krb-wg-gssapi-cfx-07) keys */
if (gctx->proto == 0) {
- lctx->rfc1964_kd.sign_alg = gctx->signalg;
- lctx->rfc1964_kd.seal_alg = gctx->sealalg;
- /* Copy key */
- if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
- &lctx->rfc1964_kd.ctx_key)))
- goto error_out;
+ lctx->rfc1964_kd.sign_alg = gctx->signalg;
+ lctx->rfc1964_kd.seal_alg = gctx->sealalg;
+ /* Copy key */
+ if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
+ &lctx->rfc1964_kd.ctx_key)))
+ goto error_out;
}
else if (gctx->proto == 1) {
- /* Copy keys */
- /* (subkey is always present, either a copy of the kerberos
- session key or a subkey) */
- if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
- &lctx->cfx_kd.ctx_key)))
- goto error_out;
- if (gctx->have_acceptor_subkey) {
- if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
- &lctx->cfx_kd.acceptor_subkey)))
- goto error_out;
- lctx->cfx_kd.have_acceptor_subkey = 1;
- }
+ /* Copy keys */
+ /* (subkey is always present, either a copy of the kerberos
+ session key or a subkey) */
+ if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
+ &lctx->cfx_kd.ctx_key)))
+ goto error_out;
+ if (gctx->have_acceptor_subkey) {
+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
+ &lctx->cfx_kd.acceptor_subkey)))
+ goto error_out;
+ lctx->cfx_kd.have_acceptor_subkey = 1;
+ }
}
else {
- return EINVAL; /* XXX better error code? */
+ return EINVAL; /* XXX better error code? */
}
/* Success! */
@@ -245,7 +241,7 @@
error_out:
if (lctx) {
- free_external_lucid_ctx_v1(lctx);
+ free_external_lucid_ctx_v1(lctx);
}
return retval;
@@ -258,13 +254,13 @@
gss_krb5_lucid_key_t *lkey)
{
if (!k5key || !k5key->contents || k5key->length == 0)
- return EINVAL;
+ return EINVAL;
memset(lkey, 0, sizeof(gss_krb5_lucid_key_t));
/* Allocate storage for the key data */
if ((lkey->data = xmalloc(k5key->length)) == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
memcpy(lkey->data, k5key->contents, k5key->length);
lkey->length = k5key->length;
@@ -280,11 +276,11 @@
gss_krb5_lucid_key_t *key)
{
if (key) {
- if (key->data && key->length) {
- memset(key->data, 0, key->length);
- xfree(key->data);
- memset(key, 0, sizeof(gss_krb5_lucid_key_t));
- }
+ if (key->data && key->length) {
+ memset(key->data, 0, key->length);
+ xfree(key->data);
+ memset(key, 0, sizeof(gss_krb5_lucid_key_t));
+ }
}
}
/* Free any storage associated with a gss_krb5_lucid_context_v1 structure */
@@ -293,15 +289,15 @@
gss_krb5_lucid_context_v1_t *ctx)
{
if (ctx) {
- if (ctx->protocol == 0) {
- free_lucid_key_data(&ctx->rfc1964_kd.ctx_key);
- }
- if (ctx->protocol == 1) {
- free_lucid_key_data(&ctx->cfx_kd.ctx_key);
- if (ctx->cfx_kd.have_acceptor_subkey)
- free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey);
- }
- xfree(ctx);
- ctx = NULL;
+ if (ctx->protocol == 0) {
+ free_lucid_key_data(&ctx->rfc1964_kd.ctx_key);
+ }
+ if (ctx->protocol == 1) {
+ free_lucid_key_data(&ctx->cfx_kd.ctx_key);
+ if (ctx->cfx_kd.have_acceptor_subkey)
+ free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey);
+ }
+ xfree(ctx);
+ ctx = NULL;
}
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/process_context_token.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/process_context_token.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/process_context_token.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -27,38 +28,38 @@
*/
OM_uint32
-krb5_gss_process_context_token(minor_status, context_handle,
- token_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t token_buffer;
+krb5_gss_process_context_token(minor_status, context_handle,
+ token_buffer)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t token_buffer;
{
- krb5_gss_ctx_id_rec *ctx;
- OM_uint32 majerr;
+ krb5_gss_ctx_id_rec *ctx;
+ OM_uint32 majerr;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_t) context_handle;
+ ctx = (krb5_gss_ctx_id_t) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- /* "unseal" the token */
+ /* "unseal" the token */
- if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
- token_buffer,
- GSS_C_NO_BUFFER, NULL, NULL,
- KG_TOK_DEL_CTX)))
- return(majerr);
+ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
+ token_buffer,
+ GSS_C_NO_BUFFER, NULL, NULL,
+ KG_TOK_DEL_CTX)))
+ return(majerr);
- /* that's it. delete the context */
+ /* that's it. delete the context */
- return(krb5_gss_delete_sec_context(minor_status, &context_handle,
- GSS_C_NO_BUFFER));
+ return(krb5_gss_delete_sec_context(minor_status, &context_handle,
+ GSS_C_NO_BUFFER));
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/rel_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/rel_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/rel_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -22,74 +23,74 @@
#include "gssapiP_krb5.h"
-OM_uint32
+OM_uint32
krb5_gss_release_cred(minor_status, cred_handle)
- OM_uint32 *minor_status;
- gss_cred_id_t *cred_handle;
+ OM_uint32 *minor_status;
+ gss_cred_id_t *cred_handle;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- krb5_error_code code1, code2, code3;
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code1, code2, code3;
- code1 = krb5_gss_init_context(&context);
- if (code1) {
- *minor_status = code1;
- return GSS_S_FAILURE;
- }
+ code1 = krb5_gss_init_context(&context);
+ if (code1) {
+ *minor_status = code1;
+ return GSS_S_FAILURE;
+ }
- if (*cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
- }
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
+ }
- if (! kg_delete_cred_id(*cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED);
- }
+ if (! kg_delete_cred_id(*cred_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED);
+ }
- cred = (krb5_gss_cred_id_t)*cred_handle;
+ cred = (krb5_gss_cred_id_t)*cred_handle;
- k5_mutex_destroy(&cred->lock);
- /* ignore error destroying mutex */
+ k5_mutex_destroy(&cred->lock);
+ /* ignore error destroying mutex */
- if (cred->ccache)
- code1 = krb5_cc_close(context, cred->ccache);
- else
- code1 = 0;
+ if (cred->ccache)
+ code1 = krb5_cc_close(context, cred->ccache);
+ else
+ code1 = 0;
-#ifndef LEAN_CLIENT
- if (cred->keytab)
- code2 = krb5_kt_close(context, cred->keytab);
- else
+#ifndef LEAN_CLIENT
+ if (cred->keytab)
+ code2 = krb5_kt_close(context, cred->keytab);
+ else
#endif /* LEAN_CLIENT */
- code2 = 0;
+ code2 = 0;
- if (cred->rcache)
- code3 = krb5_rc_close(context, cred->rcache);
- else
- code3 = 0;
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->rcache)
+ code3 = krb5_rc_close(context, cred->rcache);
+ else
+ code3 = 0;
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
- if (cred->req_enctypes)
- free(cred->req_enctypes);
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
- xfree(cred);
+ xfree(cred);
- *cred_handle = NULL;
+ *cred_handle = NULL;
- *minor_status = 0;
- if (code1)
- *minor_status = code1;
- if (code2)
- *minor_status = code2;
- if (code3)
- *minor_status = code3;
+ *minor_status = 0;
+ if (code1)
+ *minor_status = code1;
+ if (code2)
+ *minor_status = code2;
+ if (code3)
+ *minor_status = code3;
- if (*minor_status)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
+ if (*minor_status)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/rel_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/rel_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/rel_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -24,31 +25,31 @@
OM_uint32
krb5_gss_release_name(minor_status, input_name)
- OM_uint32 *minor_status;
- gss_name_t *input_name;
+ OM_uint32 *minor_status;
+ gss_name_t *input_name;
{
- krb5_context context;
- krb5_error_code code;
+ krb5_context context;
+ krb5_error_code code;
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (! kg_validate_name(*input_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(*input_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- (void)kg_delete_name(*input_name);
+ (void)kg_delete_name(*input_name);
- krb5_free_principal(context, (krb5_principal) *input_name);
- krb5_free_context(context);
+ krb5_free_principal(context, (krb5_principal) *input_name);
+ krb5_free_context(context);
- *input_name = (gss_name_t) NULL;
+ *input_name = (gss_name_t) NULL;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/rel_oid.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/rel_oid.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/rel_oid.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/rel_oid.c
*
@@ -31,13 +32,13 @@
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_internal_release_oid (OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+ gss_OID * /* oid */
+);
OM_uint32
krb5_gss_release_oid(minor_status, oid)
- OM_uint32 *minor_status;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_OID *oid;
{
/*
* The V2 API says the following!
@@ -49,38 +50,37 @@
* allocated OID values with OIDs returned by GSS-API.
*/
if (krb5_gss_internal_release_oid(minor_status, oid) != GSS_S_COMPLETE) {
- /* Pawn it off on the generic routine */
- return(generic_gss_release_oid(minor_status, oid));
+ /* Pawn it off on the generic routine */
+ return(generic_gss_release_oid(minor_status, oid));
}
else {
- *oid = GSS_C_NO_OID;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *oid = GSS_C_NO_OID;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
}
OM_uint32
krb5_gss_internal_release_oid(minor_status, oid)
- OM_uint32 *minor_status;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_OID *oid;
{
/*
* This function only knows how to release internal OIDs. It will
* return GSS_S_CONTINUE_NEEDED for any OIDs it does not recognize.
*/
-
+
*minor_status = 0;
if ((*oid != gss_mech_krb5) &&
- (*oid != gss_mech_krb5_old) &&
- (*oid != gss_mech_krb5_wrong) &&
- (*oid != gss_nt_krb5_name) &&
- (*oid != gss_nt_krb5_principal)) {
- /* We don't know about this OID */
- return(GSS_S_CONTINUE_NEEDED);
+ (*oid != gss_mech_krb5_old) &&
+ (*oid != gss_mech_krb5_wrong) &&
+ (*oid != gss_nt_krb5_name) &&
+ (*oid != gss_nt_krb5_principal)) {
+ /* We don't know about this OID */
+ return(GSS_S_CONTINUE_NEEDED);
}
else {
- *oid = GSS_C_NO_OID;
- return(GSS_S_COMPLETE);
+ *oid = GSS_C_NO_OID;
+ return(GSS_S_COMPLETE);
}
}
-
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/seal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/seal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/seal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -26,38 +27,56 @@
* $Id$
*/
+/* V2 interface */
OM_uint32
-krb5_gss_seal(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+krb5_gss_wrap(minor_status, context_handle, conf_req_flag,
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
{
- return(kg_seal(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, KG_TOK_SEAL_MSG));
+ return(kg_seal(minor_status, context_handle, conf_req_flag,
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer, KG_TOK_WRAP_MSG));
}
-/* V2 interface */
+/* AEAD interfaces */
OM_uint32
-krb5_gss_wrap(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+krb5_gss_wrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
{
- return(kg_seal(minor_status, context_handle, conf_req_flag,
- (int) qop_req, input_message_buffer, conf_state,
- output_message_buffer, KG_TOK_WRAP_MSG));
+ OM_uint32 major_status;
+
+ major_status = kg_seal_iov(minor_status, context_handle, conf_req_flag,
+ qop_req, conf_state,
+ iov, iov_count, KG_TOK_WRAP_MSG);
+
+ return major_status;
}
+OM_uint32
+krb5_gss_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 major_status;
+
+ major_status = kg_seal_iov_length(minor_status, context_handle, conf_req_flag,
+ qop_req, conf_state, iov, iov_count);
+ return major_status;
+}
+
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/ser_sctx.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/ser_sctx.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/ser_sctx.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/ser_sctx.c
*
@@ -32,8 +33,8 @@
#include "gssapiP_krb5.h"
/*
- * This module contains routines to [de]serialize
- * krb5_gss_enc_desc and krb5_gss_ctx_id_t.
+ * This module contains routines to [de]serialize
+ * krb5_gss_enc_desc and krb5_gss_ctx_id_t.
* XXX This whole serialization abstraction is unnecessary in a
* non-messaging environment, which krb5 is. Someday, this should
* all get redone without the extra level of indirection. I've done
@@ -45,190 +46,190 @@
static krb5_error_code
kg_oid_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- gss_OID oid = (gss_OID) arg;
- krb5_error_code err;
-
- err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_int32((krb5_int32) oid->length,
- buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_bytes((krb5_octet *) oid->elements,
- oid->length, buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
- return err;
+ gss_OID oid = (gss_OID) arg;
+ krb5_error_code err;
+
+ err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_int32((krb5_int32) oid->length,
+ buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_bytes((krb5_octet *) oid->elements,
+ oid->length, buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
+ return err;
}
static krb5_error_code
kg_oid_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- gss_OID oid;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ gss_OID oid;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
- bp = *buffer;
- remain = *lenremain;
+ bp = *buffer;
+ remain = *lenremain;
- /* Read in and check our magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- return (EINVAL);
+ /* Read in and check our magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
+ return (EINVAL);
- if (ibuf != KV5M_GSS_OID)
- return (EINVAL);
+ if (ibuf != KV5M_GSS_OID)
+ return (EINVAL);
- oid = (gss_OID) malloc(sizeof(gss_OID_desc));
- if (oid == NULL)
- return ENOMEM;
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- free(oid);
- return EINVAL;
- }
- oid->length = ibuf;
- oid->elements = malloc(ibuf);
- if (oid->elements == 0) {
- free(oid);
- return ENOMEM;
- }
- if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements,
- oid->length, &bp, &remain)) {
- free(oid->elements);
- free(oid);
- return EINVAL;
- }
-
- /* Read in and check our trailing magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- free(oid->elements);
- free(oid);
- return (EINVAL);
- }
+ oid = (gss_OID) malloc(sizeof(gss_OID_desc));
+ if (oid == NULL)
+ return ENOMEM;
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ free(oid);
+ return EINVAL;
+ }
+ oid->length = ibuf;
+ oid->elements = malloc((size_t)ibuf);
+ if (oid->elements == 0) {
+ free(oid);
+ return ENOMEM;
+ }
+ if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements,
+ oid->length, &bp, &remain)) {
+ free(oid->elements);
+ free(oid);
+ return EINVAL;
+ }
- if (ibuf != KV5M_GSS_OID) {
- free(oid->elements);
- free(oid);
- return (EINVAL);
- }
+ /* Read in and check our trailing magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ free(oid->elements);
+ free(oid);
+ return (EINVAL);
+ }
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) oid;
- return 0;
+ if (ibuf != KV5M_GSS_OID) {
+ free(oid->elements);
+ free(oid);
+ return (EINVAL);
+ }
+
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) oid;
+ return 0;
}
static krb5_error_code
kg_oid_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- gss_OID oid;
- size_t required;
+ krb5_error_code kret;
+ gss_OID oid;
+ size_t required;
- kret = EINVAL;
- if ((oid = (gss_OID) arg)) {
- required = 2*sizeof(krb5_int32); /* For the header and trailer */
- required += sizeof(krb5_int32);
- required += oid->length;
+ kret = EINVAL;
+ if ((oid = (gss_OID) arg)) {
+ required = 2*sizeof(krb5_int32); /* For the header and trailer */
+ required += sizeof(krb5_int32);
+ required += oid->length;
- kret = 0;
+ kret = 0;
- *sizep += required;
- }
+ *sizep += required;
+ }
- return(kret);
+ return(kret);
}
static krb5_error_code
kg_queue_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
krb5_error_code err;
err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
if (err == 0)
- err = g_queue_externalize(arg, buffer, lenremain);
+ err = g_queue_externalize(arg, buffer, lenremain);
if (err == 0)
- err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
+ err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
return err;
}
static krb5_error_code
kg_queue_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- krb5_error_code err;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_error_code err;
- bp = *buffer;
- remain = *lenremain;
+ bp = *buffer;
+ remain = *lenremain;
- /* Read in and check our magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- return (EINVAL);
+ /* Read in and check our magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
+ return (EINVAL);
- if (ibuf != KV5M_GSS_QUEUE)
- return (EINVAL);
+ if (ibuf != KV5M_GSS_QUEUE)
+ return (EINVAL);
- err = g_queue_internalize(argp, &bp, &remain);
- if (err)
- return err;
+ err = g_queue_internalize(argp, &bp, &remain);
+ if (err)
+ return err;
- /* Read in and check our trailing magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- g_order_free(argp);
- return (EINVAL);
- }
+ /* Read in and check our trailing magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ g_order_free(argp);
+ return (EINVAL);
+ }
- if (ibuf != KV5M_GSS_QUEUE) {
- g_order_free(argp);
- return (EINVAL);
- }
+ if (ibuf != KV5M_GSS_QUEUE) {
+ g_order_free(argp);
+ return (EINVAL);
+ }
- *buffer = bp;
- *lenremain = remain;
- return 0;
+ *buffer = bp;
+ *lenremain = remain;
+ return 0;
}
static krb5_error_code
kg_queue_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- size_t required;
+ krb5_error_code kret;
+ size_t required;
- kret = EINVAL;
- if (arg) {
- required = 2*sizeof(krb5_int32); /* For the header and trailer */
- g_queue_size(arg, &required);
+ kret = EINVAL;
+ if (arg) {
+ required = 2*sizeof(krb5_int32); /* For the header and trailer */
+ g_queue_size(arg, &required);
- kret = 0;
- *sizep += required;
- }
- return(kret);
+ kret = 0;
+ *sizep += required;
+ }
+ return(kret);
}
/*
@@ -236,108 +237,123 @@
*/
krb5_error_code
kg_ctx_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- size_t required;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ size_t required;
/*
* krb5_gss_ctx_id_rec requires:
- * krb5_int32 for KG_CONTEXT
- * krb5_int32 for initiate.
- * krb5_int32 for established.
- * krb5_int32 for big_endian.
- * krb5_int32 for have_acceptor_subkey.
- * krb5_int32 for seed_init.
- * krb5_int32 for gss_flags.
- * sizeof(seed) for seed
- * ... for here
- * ... for there
- * ... for subkey
- * krb5_int32 for signalg.
- * krb5_int32 for cksum_size.
- * krb5_int32 for sealalg.
- * ... for enc
- * ... for seq
- * krb5_int32 for endtime.
- * krb5_int32 for flags.
- * krb5_int64 for seq_send.
- * krb5_int64 for seq_recv.
- * ... for seqstate
- * ... for auth_context
- * ... for mech_used
- * krb5_int32 for proto
- * krb5_int32 for cksumtype
- * ... for acceptor_subkey
- * krb5_int32 for acceptor_key_cksumtype
- * krb5_int32 for cred_rcache
- * krb5_int32 for trailer.
+ * krb5_int32 for KG_CONTEXT
+ * krb5_int32 for initiate.
+ * krb5_int32 for established.
+ * krb5_int32 for big_endian.
+ * krb5_int32 for have_acceptor_subkey.
+ * krb5_int32 for seed_init.
+ * krb5_int32 for gss_flags.
+ * sizeof(seed) for seed
+ * ... for here
+ * ... for there
+ * ... for subkey
+ * krb5_int32 for signalg.
+ * krb5_int32 for cksum_size.
+ * krb5_int32 for sealalg.
+ * ... for enc
+ * ... for seq
+ * krb5_int32 for authtime.
+ * krb5_int32 for starttime.
+ * krb5_int32 for endtime.
+ * krb5_int32 for renew_till.
+ * krb5_int32 for flags.
+ * krb5_int64 for seq_send.
+ * krb5_int64 for seq_recv.
+ * ... for seqstate
+ * ... for auth_context
+ * ... for mech_used
+ * krb5_int32 for proto
+ * krb5_int32 for cksumtype
+ * ... for acceptor_subkey
+ * krb5_int32 for acceptor_key_cksumtype
+ * krb5_int32 for cred_rcache
+ * krb5_int32 for number of elements in authdata array
+ * ... for authdata array
+ * krb5_int32 for trailer.
*/
kret = EINVAL;
if ((ctx = (krb5_gss_ctx_id_rec *) arg)) {
- required = 17*sizeof(krb5_int32);
- required += 2*sizeof(krb5_int64);
- required += sizeof(ctx->seed);
+ required = 21*sizeof(krb5_int32);
+ required += 2*sizeof(krb5_int64);
+ required += sizeof(ctx->seed);
- kret = 0;
- if (!kret && ctx->here)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
- &required);
+ kret = 0;
+ if (!kret && ctx->here)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->here,
+ &required);
- if (!kret && ctx->there)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
- &required);
+ if (!kret && ctx->there)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->there,
+ &required);
- if (!kret && ctx->subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
- &required);
+ if (!kret && ctx->subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->subkey,
+ &required);
- if (!kret && ctx->enc)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
- &required);
+ if (!kret && ctx->enc)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->enc,
+ &required);
- if (!kret && ctx->seq)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
- &required);
+ if (!kret && ctx->seq)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->seq,
+ &required);
- if (!kret)
- kret = kg_oid_size(kcontext,
- (krb5_pointer) ctx->mech_used,
- &required);
+ if (!kret)
+ kret = kg_oid_size(kcontext,
+ (krb5_pointer) ctx->mech_used,
+ &required);
- if (!kret && ctx->seqstate)
- kret = kg_queue_size(kcontext, ctx->seqstate, &required);
+ if (!kret && ctx->seqstate)
+ kret = kg_queue_size(kcontext, ctx->seqstate, &required);
- if (!kret)
- kret = krb5_size_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer) ctx->k5_context,
- &required);
- if (!kret)
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer) ctx->auth_context,
- &required);
- if (!kret && ctx->acceptor_subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
- &required);
- if (!kret)
- *sizep += required;
+ if (!kret)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer) ctx->k5_context,
+ &required);
+ if (!kret)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer) ctx->auth_context,
+ &required);
+ if (!kret && ctx->acceptor_subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->acceptor_subkey,
+ &required);
+ if (!kret && ctx->authdata) {
+ krb5_int32 i;
+
+ for (i = 0; !kret && ctx->authdata[i]; i++) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer)ctx->authdata[i],
+ &required);
+ }
+ }
+ if (!kret)
+ *sizep += required;
}
return(kret);
}
@@ -347,20 +363,20 @@
*/
krb5_error_code
kg_ctx_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
krb5int_access kaccess;
kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (kret)
+ if (kret)
return(kret);
required = 0;
@@ -368,122 +384,147 @@
remain = *lenremain;
kret = EINVAL;
if ((ctx = (krb5_gss_ctx_id_rec *) arg)) {
- kret = ENOMEM;
- if (!kg_ctx_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
+ kret = ENOMEM;
+ if (!kg_ctx_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
- /* Now static data */
- (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->established,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags,
- &bp, &remain);
- (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed,
- sizeof(ctx->seed),
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
- &bp, &remain);
- (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send,
- &bp, &remain);
- (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv,
- &bp, &remain);
+ /* Now static data */
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->established,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags,
+ &bp, &remain);
+ (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed,
+ sizeof(ctx->seed),
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_times.authtime,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_times.starttime,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_times.endtime,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_times.renew_till,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
+ &bp, &remain);
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send,
+ &bp, &remain);
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv,
+ &bp, &remain);
- /* Now dynamic data */
- kret = 0;
+ /* Now dynamic data */
+ kret = 0;
- if (!kret && ctx->mech_used)
- kret = kg_oid_externalize(kcontext, ctx->mech_used,
- &bp, &remain);
-
- if (!kret && ctx->here)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
- &bp, &remain);
+ if (!kret && ctx->mech_used)
+ kret = kg_oid_externalize(kcontext, ctx->mech_used,
+ &bp, &remain);
- if (!kret && ctx->there)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
- &bp, &remain);
+ if (!kret && ctx->here)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->here,
+ &bp, &remain);
- if (!kret && ctx->subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
- &bp, &remain);
+ if (!kret && ctx->there)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->there,
+ &bp, &remain);
- if (!kret && ctx->enc)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
- &bp, &remain);
+ if (!kret && ctx->subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->subkey,
+ &bp, &remain);
- if (!kret && ctx->seq)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
- &bp, &remain);
+ if (!kret && ctx->enc)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->enc,
+ &bp, &remain);
- if (!kret && ctx->seqstate)
- kret = kg_queue_externalize(kcontext,
- ctx->seqstate, &bp, &remain);
+ if (!kret && ctx->seq)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->seq,
+ &bp, &remain);
- if (!kret)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer) ctx->k5_context,
- &bp, &remain);
+ if (!kret && ctx->seqstate)
+ kret = kg_queue_externalize(kcontext,
+ ctx->seqstate, &bp, &remain);
- if (!kret)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer) ctx->auth_context,
- &bp, &remain);
+ if (!kret)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer) ctx->k5_context,
+ &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->proto,
- &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype,
- &bp, &remain);
- if (!kret && ctx->acceptor_subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
- &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype,
- &bp, &remain);
+ if (!kret)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer) ctx->auth_context,
+ &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache,
- &bp, &remain);
- /* trailer */
- if (!kret)
- kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->proto,
+ &bp, &remain);
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype,
+ &bp, &remain);
+ if (!kret && ctx->acceptor_subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->acceptor_subkey,
+ &bp, &remain);
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache,
+ &bp, &remain);
if (!kret) {
- *buffer = bp;
- *lenremain = remain;
+ krb5_int32 i = 0;
+
+ if (ctx->authdata) {
+ for (; ctx->authdata[i]; i++)
+ ;
+ }
+ /* authdata count */
+ kret = krb5_ser_pack_int32(i, &bp, &remain);
+ if (!kret && ctx->authdata) {
+ /* authdata */
+ for (i = 0; !kret && ctx->authdata[i]; i++)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ ctx->authdata[i],
+ &bp,
+ &remain);
+ }
}
- }
+ /* trailer */
+ if (!kret)
+ kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
@@ -493,16 +534,16 @@
*/
krb5_error_code
kg_ctx_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
krb5int_access kaccess;
kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
@@ -514,167 +555,193 @@
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KG_CONTEXT) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a context */
- if ((remain >= (17*sizeof(krb5_int32)
- + 2*sizeof(krb5_int64)
- + sizeof(ctx->seed))) &&
- (ctx = (krb5_gss_ctx_id_rec *)
- xmalloc(sizeof(krb5_gss_ctx_id_rec)))) {
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ /* Get a context */
+ if ((remain >= (17*sizeof(krb5_int32)
+ + 2*sizeof(krb5_int64)
+ + sizeof(ctx->seed))) &&
+ (ctx = (krb5_gss_ctx_id_rec *)
+ xmalloc(sizeof(krb5_gss_ctx_id_rec)))) {
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx->k5_context = kcontext;
+ ctx->k5_context = kcontext;
- /* Get static data */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->initiate = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->established = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->big_endian = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->have_acceptor_subkey = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->seed_init = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->gss_flags = (int) ibuf;
- (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed,
- sizeof(ctx->seed),
- &bp, &remain);
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->signalg = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cksum_size = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->sealalg = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->endtime = (krb5_timestamp) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->krb_flags = (krb5_flags) ibuf;
- (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain);
- kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain);
- if (kret) {
- free(ctx);
- return kret;
- }
+ /* Get static data */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->initiate = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->established = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->big_endian = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->have_acceptor_subkey = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->seed_init = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->gss_flags = (int) ibuf;
+ (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed,
+ sizeof(ctx->seed),
+ &bp, &remain);
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->signalg = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cksum_size = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->sealalg = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_times.authtime = (krb5_timestamp) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_times.starttime = (krb5_timestamp) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_times.endtime = (krb5_timestamp) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_times.renew_till = (krb5_timestamp) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_flags = (krb5_flags) ibuf;
+ (void) (*kaccess.krb5_ser_unpack_int64)((krb5_int64 *)&ctx->seq_send, &bp, &remain);
+ kret = (*kaccess.krb5_ser_unpack_int64)((krb5_int64 *)&ctx->seq_recv, &bp, &remain);
+ if (kret) {
+ free(ctx);
+ return kret;
+ }
- {
- krb5_pointer tmp;
- kret = kg_oid_internalize(kcontext, &tmp, &bp,
- &remain);
- if (kret == 0)
- ctx->mech_used = tmp;
- else if (kret == EINVAL)
- kret = 0;
- }
- /* Now get substructure data */
- if ((kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->here,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->there,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->subkey,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->enc,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->seq,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
+ {
+ krb5_pointer tmp;
+ kret = kg_oid_internalize(kcontext, &tmp, &bp,
+ &remain);
+ if (kret == 0)
+ ctx->mech_used = tmp;
+ else if (kret == EINVAL)
+ kret = 0;
+ }
+ /* Now get substructure data */
+ if ((kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &ctx->here,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &ctx->there,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->subkey,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->enc,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->seq,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
- if (!kret) {
- kret = kg_queue_internalize(kcontext, &ctx->seqstate,
- &bp, &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- if (!kret)
- kret = krb5_internalize_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer *) &ctx->k5_context,
- &bp, &remain);
+ if (!kret) {
+ kret = kg_queue_internalize(kcontext, &ctx->seqstate,
+ &bp, &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
- if (!kret)
- kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer *) &ctx->auth_context,
- &bp, &remain);
+ if (!kret)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer *) &ctx->k5_context,
+ &bp, &remain);
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->proto = ibuf;
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cksumtype = ibuf;
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->acceptor_subkey,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cred_rcache = ibuf;
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->acceptor_subkey_cksumtype = ibuf;
+ if (!kret)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer *) &ctx->auth_context,
+ &bp, &remain);
- /* Get trailer */
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && ibuf != KG_CONTEXT)
- kret = EINVAL;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->proto = ibuf;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cksumtype = ibuf;
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->acceptor_subkey,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->acceptor_subkey_cksumtype = ibuf;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cred_rcache = ibuf;
+ /* authdata */
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret) {
+ krb5_int32 nadata = ibuf, i;
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) ctx;
- } else {
- if (ctx->seq)
- krb5_free_keyblock(kcontext, ctx->seq);
- if (ctx->enc)
- krb5_free_keyblock(kcontext, ctx->enc);
- if (ctx->subkey)
- krb5_free_keyblock(kcontext, ctx->subkey);
- if (ctx->there)
- krb5_free_principal(kcontext, ctx->there);
- if (ctx->here)
- krb5_free_principal(kcontext, ctx->here);
- xfree(ctx);
+ if (nadata > 0) {
+ ctx->authdata = (krb5_authdata **)calloc((size_t)nadata + 1,
+ sizeof(krb5_authdata *));
+ if (ctx->authdata == NULL) {
+ kret = ENOMEM;
+ } else {
+ for (i = 0; !kret && i < nadata; i++)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer *)&ctx->authdata[i],
+ &bp,
+ &remain);
+ }
+ }
}
- }
+ /* Get trailer */
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && ibuf != KG_CONTEXT)
+ kret = EINVAL;
+
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) ctx;
+ } else {
+ if (ctx->seq)
+ krb5_free_keyblock(kcontext, ctx->seq);
+ if (ctx->enc)
+ krb5_free_keyblock(kcontext, ctx->enc);
+ if (ctx->subkey)
+ krb5_free_keyblock(kcontext, ctx->subkey);
+ if (ctx->there)
+ krb5_free_principal(kcontext, ctx->there);
+ if (ctx->here)
+ krb5_free_principal(kcontext, ctx->here);
+ xfree(ctx);
+ }
+ }
}
return(kret);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/set_allowable_enctypes.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/set_allowable_enctypes.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/set_allowable_enctypes.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/set_allowable_enctypes.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -59,10 +60,10 @@
#include "gssapi_krb5.h"
OM_uint32 KRB5_CALLCONV
-gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes)
+gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_oid,
+ const gss_buffer_t value)
{
unsigned int i;
krb5_enctype * new_ktypes;
@@ -70,57 +71,61 @@
krb5_gss_cred_id_t cred;
krb5_error_code kerr = 0;
OM_uint32 temp_status;
+ struct krb5_gss_set_allowable_enctypes_req *req;
/* Assume a failure */
*minor_status = 0;
major_status = GSS_S_FAILURE;
+ assert(value->length == sizeof(*req));
+ req = (struct krb5_gss_set_allowable_enctypes_req *)value->value;
+
/* verify and valildate cred handle */
if (cred_handle == GSS_C_NO_CREDENTIAL) {
- kerr = KRB5_NOCREDS_SUPPLIED;
- goto error_out;
+ kerr = KRB5_NOCREDS_SUPPLIED;
+ goto error_out;
}
major_status = krb5_gss_validate_cred(&temp_status, cred_handle);
if (GSS_ERROR(major_status)) {
- kerr = temp_status;
- goto error_out;
+ kerr = temp_status;
+ goto error_out;
}
cred = (krb5_gss_cred_id_t) cred_handle;
- if (ktypes) {
- for (i = 0; i < num_ktypes && ktypes[i]; i++) {
- if (!krb5_c_valid_enctype(ktypes[i])) {
- kerr = KRB5_PROG_ETYPE_NOSUPP;
- goto error_out;
- }
- }
+ if (req->ktypes) {
+ for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
+ if (!krb5_c_valid_enctype(req->ktypes[i])) {
+ kerr = KRB5_PROG_ETYPE_NOSUPP;
+ goto error_out;
+ }
+ }
} else {
- kerr = k5_mutex_lock(&cred->lock);
- if (kerr)
- goto error_out;
- if (cred->req_enctypes)
- free(cred->req_enctypes);
- cred->req_enctypes = NULL;
- k5_mutex_unlock(&cred->lock);
- return GSS_S_COMPLETE;
+ kerr = k5_mutex_lock(&cred->lock);
+ if (kerr)
+ goto error_out;
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
+ cred->req_enctypes = NULL;
+ k5_mutex_unlock(&cred->lock);
+ return GSS_S_COMPLETE;
}
/* Copy the requested ktypes into the cred structure */
if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) {
- memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i);
- new_ktypes[i] = 0; /* "null-terminate" the list */
+ memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i);
+ new_ktypes[i] = 0; /* "null-terminate" the list */
}
else {
- kerr = ENOMEM;
- goto error_out;
+ kerr = ENOMEM;
+ goto error_out;
}
kerr = k5_mutex_lock(&cred->lock);
if (kerr) {
- free(new_ktypes);
- goto error_out;
+ free(new_ktypes);
+ goto error_out;
}
if (cred->req_enctypes)
- free(cred->req_enctypes);
+ free(cred->req_enctypes);
cred->req_enctypes = new_ktypes;
k5_mutex_unlock(&cred->lock);
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/set_ccache.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/set_ccache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/set_ccache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/set_ccache.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -29,28 +30,35 @@
#include <string.h>
#include "gssapiP_krb5.h"
-#include "gss_libinit.h"
-OM_uint32 KRB5_CALLCONV
-gss_krb5_ccache_name(minor_status, name, out_name)
- OM_uint32 *minor_status;
- const char *name;
- const char **out_name;
+OM_uint32 KRB5_CALLCONV
+gss_krb5int_ccache_name(OM_uint32 *minor_status,
+ const gss_OID desired_mech,
+ const gss_OID desired_object,
+ gss_buffer_t value)
{
char *old_name = NULL;
OM_uint32 err = 0;
OM_uint32 minor = 0;
char *gss_out_name;
+ struct krb5_gss_ccache_name_req *req;
- err = gssint_initialize_library();
+ err = gss_krb5int_initialize_library();
if (err) {
- *minor_status = err;
- return GSS_S_FAILURE;
+ *minor_status = err;
+ return GSS_S_FAILURE;
}
+ assert(value->length == sizeof(*req));
+
+ if (value->length != sizeof(*req))
+ return GSS_S_FAILURE;
+
+ req = (struct krb5_gss_ccache_name_req *)value->value;
+
gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME);
- if (out_name) {
+ if (req->out_name) {
const char *tmp_name = NULL;
if (!err) {
@@ -58,35 +66,35 @@
}
if (!err) {
old_name = gss_out_name;
- gss_out_name = tmp_name;
- }
+ gss_out_name = (char *)tmp_name;
+ }
}
/* If out_name was NULL, we keep the same gss_out_name value, and
don't free up any storage (leave old_name NULL). */
if (!err)
- kg_set_ccache_name (&err, name);
+ kg_set_ccache_name (&err, req->name);
minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name);
if (minor) {
- /* Um. Now what? */
- if (err == 0) {
- err = minor;
- }
- free(gss_out_name);
- gss_out_name = NULL;
+ /* Um. Now what? */
+ if (err == 0) {
+ err = minor;
+ }
+ free(gss_out_name);
+ gss_out_name = NULL;
}
if (!err) {
- if (out_name) {
- *out_name = gss_out_name;
+ if (req->out_name) {
+ *(req->out_name) = gss_out_name;
}
}
-
+
if (old_name != NULL) {
free (old_name);
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/sign.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/sign.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/sign.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -26,32 +27,51 @@
* $Id$
*/
+/* V2 interface */
OM_uint32
-krb5_gss_sign(minor_status, context_handle,
- qop_req, message_buffer,
- message_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+krb5_gss_get_mic(minor_status, context_handle, qop_req,
+ message_buffer, message_token)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_qop_t qop_req;
+ gss_buffer_t message_buffer;
+ gss_buffer_t message_token;
{
- return(kg_seal(minor_status, context_handle, 0,
- qop_req, message_buffer, NULL,
- message_token, KG_TOK_SIGN_MSG));
+ return(kg_seal(minor_status, context_handle, 0,
+ qop_req, message_buffer, NULL,
+ message_token, KG_TOK_MIC_MSG));
}
-/* V2 interface */
+#if 0
OM_uint32
-krb5_gss_get_mic(minor_status, context_handle, qop_req,
- message_buffer, message_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_qop_t qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+krb5_gss_get_mic_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
{
- return(kg_seal(minor_status, context_handle, 0,
- (int) qop_req, message_buffer, NULL,
- message_token, KG_TOK_MIC_MSG));
+ OM_uint32 major_status;
+
+ major_status = kg_seal_iov(minor_status, context_handle, FALSE,
+ qop_req, NULL,
+ iov, iov_count, KG_TOK_MIC_MSG);
+
+ return major_status;
}
+
+OM_uint32
+krb5_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 major_status;
+
+ major_status = kg_seal_iov_length(minor_status, context_handle, conf_req_flag,
+ qop_req, conf_state, iov, iov_count);
+ return major_status;
+}
+#endif
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/unseal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/unseal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/unseal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -26,41 +27,41 @@
* $Id$
*/
-OM_uint32
-krb5_gss_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
-{
- return(kg_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state, KG_TOK_SEAL_MSG));
-}
-
/* V2 interface */
OM_uint32
krb5_gss_unwrap(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- gss_qop_t *qop_state;
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_message_buffer;
+ gss_buffer_t output_message_buffer;
+ int *conf_state;
+ gss_qop_t *qop_state;
{
- OM_uint32 rstat;
- int qstate;
+ OM_uint32 rstat;
rstat = kg_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, &qstate, KG_TOK_WRAP_MSG);
- if (!rstat && qop_state)
- *qop_state = (gss_qop_t) qstate;
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state, KG_TOK_WRAP_MSG);
return(rstat);
}
+
+/* AEAD interface */
+OM_uint32
+krb5_gss_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 major_status;
+
+ major_status = kg_unseal_iov(minor_status, context_handle,
+ conf_state, qop_state,
+ iov, iov_count, KG_TOK_WRAP_MSG);
+
+ return major_status;
+}
+
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/util_cksum.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/util_cksum.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/util_cksum.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -28,81 +29,267 @@
/* Checksumming the channel bindings always uses plain MD5. */
krb5_error_code
kg_checksum_channel_bindings(context, cb, cksum, bigend)
- krb5_context context;
- gss_channel_bindings_t cb;
- krb5_checksum *cksum;
- int bigend;
+ krb5_context context;
+ gss_channel_bindings_t cb;
+ krb5_checksum *cksum;
+ int bigend;
{
- size_t len;
- char *buf = 0;
- char *ptr;
- size_t sumlen;
- krb5_data plaind;
- krb5_error_code code;
- void *temp;
+ size_t len;
+ char *buf = 0;
+ char *ptr;
+ size_t sumlen;
+ krb5_data plaind;
+ krb5_error_code code;
+ void *temp;
- /* initialize the the cksum */
- code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen);
- if (code)
- return(code);
+ /* initialize the the cksum */
+ code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen);
+ if (code)
+ return(code);
- cksum->checksum_type = CKSUMTYPE_RSA_MD5;
- cksum->length = sumlen;
-
- /* generate a buffer full of zeros if no cb specified */
+ cksum->checksum_type = CKSUMTYPE_RSA_MD5;
+ cksum->length = sumlen;
- if (cb == GSS_C_NO_CHANNEL_BINDINGS) {
- if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) {
- return(ENOMEM);
- }
- memset(cksum->contents, '\0', cksum->length);
- return(0);
- }
+ /* generate a buffer full of zeros if no cb specified */
- /* create the buffer to checksum into */
+ if (cb == GSS_C_NO_CHANNEL_BINDINGS) {
+ if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) {
+ return(ENOMEM);
+ }
+ memset(cksum->contents, '\0', cksum->length);
+ return(0);
+ }
- len = (sizeof(krb5_int32)*5+
- cb->initiator_address.length+
- cb->acceptor_address.length+
- cb->application_data.length);
+ /* create the buffer to checksum into */
- if ((buf = (char *) xmalloc(len)) == NULL)
- return(ENOMEM);
+ len = (sizeof(krb5_int32)*5+
+ cb->initiator_address.length+
+ cb->acceptor_address.length+
+ cb->application_data.length);
- /* helper macros. This code currently depends on a long being 32
- bits, and htonl dtrt. */
+ if ((buf = (char *) xmalloc(len)) == NULL)
+ return(ENOMEM);
- ptr = buf;
+ /* helper macros. This code currently depends on a long being 32
+ bits, and htonl dtrt. */
- TWRITE_INT(ptr, cb->initiator_addrtype, bigend);
- TWRITE_BUF(ptr, cb->initiator_address, bigend);
- TWRITE_INT(ptr, cb->acceptor_addrtype, bigend);
- TWRITE_BUF(ptr, cb->acceptor_address, bigend);
- TWRITE_BUF(ptr, cb->application_data, bigend);
+ ptr = buf;
- /* checksum the data */
+ TWRITE_INT(ptr, cb->initiator_addrtype, bigend);
+ TWRITE_BUF(ptr, cb->initiator_address, bigend);
+ TWRITE_INT(ptr, cb->acceptor_addrtype, bigend);
+ TWRITE_BUF(ptr, cb->acceptor_address, bigend);
+ TWRITE_BUF(ptr, cb->application_data, bigend);
- plaind.length = len;
- plaind.data = buf;
+ /* checksum the data */
- code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
- &plaind, cksum);
- if (code)
- goto cleanup;
+ plaind.length = len;
+ plaind.data = buf;
- if ((temp = xmalloc(cksum->length)) == NULL) {
- krb5_free_checksum_contents(context, cksum);
- code = ENOMEM;
- goto cleanup;
- }
+ code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
+ &plaind, cksum);
+ if (code)
+ goto cleanup;
- memcpy(temp, cksum->contents, cksum->length);
- krb5_free_checksum_contents(context, cksum);
- cksum->contents = (krb5_octet *)temp;
+ if ((temp = xmalloc(cksum->length)) == NULL) {
+ krb5_free_checksum_contents(context, cksum);
+ code = ENOMEM;
+ goto cleanup;
+ }
- /* success */
- cleanup:
- if (buf)
- xfree(buf);
- return code;
+ memcpy(temp, cksum->contents, cksum->length);
+ krb5_free_checksum_contents(context, cksum);
+ cksum->contents = (krb5_octet *)temp;
+
+ /* success */
+cleanup:
+ if (buf)
+ xfree(buf);
+ return code;
}
+
+krb5_error_code
+kg_make_checksum_iov_v1(krb5_context context,
+ krb5_cksumtype type,
+ size_t cksum_len,
+ krb5_keyblock *seq,
+ krb5_keyblock *enc,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int toktype,
+ krb5_checksum *checksum)
+{
+ krb5_error_code code;
+ gss_iov_buffer_desc *header;
+ krb5_crypto_iov *kiov;
+ size_t kiov_count;
+ int i = 0, j;
+ size_t conf_len = 0, token_header_len;
+
+ header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ assert(header != NULL);
+
+ kiov_count = 3 + iov_count;
+ kiov = (krb5_crypto_iov *)xmalloc(kiov_count * sizeof(krb5_crypto_iov));
+ if (kiov == NULL)
+ return ENOMEM;
+
+ /* Checksum over ( Header | Confounder | Data | Pad ) */
+ if (toktype == KG_TOK_WRAP_MSG)
+ conf_len = kg_confounder_size(context, (krb5_keyblock *)enc);
+
+ /* Checksum output */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
+ kiov[i].data.length = checksum->length;
+ kiov[i].data.data = xmalloc(checksum->length);
+ if (kiov[i].data.data == NULL) {
+ xfree(kiov);
+ return ENOMEM;
+ }
+ i++;
+
+ /* Header | SND_SEQ | SGN_CKSUM | Confounder */
+ token_header_len = 16 + cksum_len + conf_len;
+
+ /* Header (calculate from end because of variable length ASN.1 header) */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ kiov[i].data.length = 8;
+ kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - token_header_len;
+ i++;
+
+ /* Confounder */
+ if (toktype == KG_TOK_WRAP_MSG) {
+ kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
+ kiov[i].data.length = conf_len;
+ kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
+ i++;
+ }
+
+ for (j = 0; j < iov_count; j++) {
+ kiov[i].flags = kg_translate_flag_iov(iov[j].type);
+ kiov[i].data.length = iov[j].buffer.length;
+ kiov[i].data.data = (char *)iov[j].buffer.value;
+ i++;
+ }
+
+ code = krb5_c_make_checksum_iov(context, type, seq, sign_usage, kiov, kiov_count);
+ if (code == 0) {
+ checksum->length = kiov[0].data.length;
+ checksum->contents = (unsigned char *)kiov[0].data.data;
+ } else
+ free(kiov[0].data.data);
+
+ xfree(kiov);
+
+ return code;
+}
+
+static krb5_error_code
+checksum_iov_v3(krb5_context context,
+ krb5_cksumtype type,
+ size_t rrc,
+ krb5_keyblock *key,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ krb5_boolean verify,
+ krb5_boolean *valid)
+{
+ krb5_error_code code;
+ gss_iov_buffer_desc *header;
+ gss_iov_buffer_desc *trailer;
+ krb5_crypto_iov *kiov;
+ size_t kiov_count;
+ int i = 0, j;
+ unsigned int k5_checksumlen;
+
+ if (verify)
+ *valid = FALSE;
+
+ code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen);
+ if (code != 0)
+ return code;
+
+ header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ assert(header != NULL);
+
+ trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+ assert(rrc != 0 || trailer != NULL);
+
+ if (trailer == NULL) {
+ if (rrc != k5_checksumlen)
+ return KRB5_BAD_MSIZE;
+ if (header->buffer.length != 16 + k5_checksumlen)
+ return KRB5_BAD_MSIZE;
+ } else if (trailer->buffer.length != k5_checksumlen)
+ return KRB5_BAD_MSIZE;
+
+ kiov_count = 2 + iov_count;
+ kiov = (krb5_crypto_iov *)xmalloc(kiov_count * sizeof(krb5_crypto_iov));
+ if (kiov == NULL)
+ return ENOMEM;
+
+ /* Checksum over ( Data | Header ) */
+
+ /* Data */
+ for (j = 0; j < iov_count; j++) {
+ kiov[i].flags = kg_translate_flag_iov(iov[j].type);
+ kiov[i].data.length = iov[j].buffer.length;
+ kiov[i].data.data = (char *)iov[j].buffer.value;
+ i++;
+ }
+
+ /* Header */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ kiov[i].data.length = 16;
+ kiov[i].data.data = (char *)header->buffer.value;
+ i++;
+
+ /* Checksum */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
+ if (trailer == NULL) {
+ kiov[i].data.length = header->buffer.length - 16;
+ kiov[i].data.data = (char *)header->buffer.value + 16;
+ } else {
+ kiov[i].data.length = trailer->buffer.length;
+ kiov[i].data.data = (char *)trailer->buffer.value;
+ }
+ i++;
+
+ if (verify)
+ code = krb5_c_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid);
+ else
+ code = krb5_c_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count);
+
+ xfree(kiov);
+
+ return code;
+}
+
+krb5_error_code
+kg_make_checksum_iov_v3(krb5_context context,
+ krb5_cksumtype type,
+ size_t rrc,
+ krb5_keyblock *key,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ return checksum_iov_v3(context, type, rrc, key,
+ sign_usage, iov, iov_count, 0, NULL);
+}
+
+krb5_error_code
+kg_verify_checksum_iov_v3(krb5_context context,
+ krb5_cksumtype type,
+ size_t rrc,
+ krb5_keyblock *key,
+ krb5_keyusage sign_usage,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ krb5_boolean *valid)
+{
+ return checksum_iov_v3(context, type, rrc, key,
+ sign_usage, iov, iov_count, 1, valid);
+}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/util_crypt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/util_crypt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,8 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2008 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -11,7 +12,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -23,14 +24,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -41,7 +42,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -53,188 +54,866 @@
#include <memory.h>
#endif
+const char const kg_arcfour_l40[] = "fortybits";
+
+krb5_error_code
+kg_setup_keys(krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_keyblock *subkey,
+ krb5_cksumtype *cksumtype)
+{
+ krb5_error_code code;
+ unsigned int i;
+ krb5int_access kaccess;
+
+ assert(ctx != NULL);
+ assert(subkey != NULL);
+
+ *cksumtype = 0;
+ ctx->proto = 0;
+
+ code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code != 0)
+ return code;
+
+ if (ctx->enc != NULL) {
+ krb5_free_keyblock(context, ctx->enc);
+ ctx->enc = NULL;
+ }
+ code = krb5_copy_keyblock(context, subkey, &ctx->enc);
+ if (code != 0)
+ return code;
+
+ if (ctx->seq != NULL) {
+ krb5_free_keyblock(context, ctx->seq);
+ ctx->seq = NULL;
+ }
+ code = krb5_copy_keyblock(context, subkey, &ctx->seq);
+ if (code != 0)
+ return code;
+
+ switch (subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->enc->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->seq->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ for (i = 0; i < ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xF0;
+ break;
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->enc->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->seq->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+ break;
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP:
+ ctx->signalg = SGN_ALG_HMAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4;
+ break;
+ default:
+ ctx->signalg = -1;
+ ctx->sealalg = -1;
+ ctx->proto = 1;
+
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, subkey->enctype,
+ cksumtype);
+ if (code != 0)
+ return code;
+ }
+
+ return 0;
+}
+
int
kg_confounder_size(context, key)
- krb5_context context;
- krb5_keyblock *key;
+ krb5_context context;
+ krb5_keyblock *key;
{
- krb5_error_code code;
- size_t blocksize;
- /* We special case rc4*/
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC)
- return 8;
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(-1); /* XXX */
+ krb5_error_code code;
+ size_t blocksize;
+ /* We special case rc4*/
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ return 8;
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(-1); /* XXX */
- return(blocksize);
+ return(blocksize);
}
krb5_error_code
kg_make_confounder(context, key, buf)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *buf;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *buf;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data lrandom;
+ int confsize;
+ krb5_data lrandom;
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
+ confsize = kg_confounder_size(context, key);
+ if (confsize < 0)
+ return KRB5_BAD_MSIZE;
- lrandom.length = blocksize;
- lrandom.data = buf;
+ lrandom.length = confsize;
+ lrandom.data = (char *)buf;
- return(krb5_c_random_make_octets(context, &lrandom));
+ return(krb5_c_random_make_octets(context, &lrandom));
}
krb5_error_code
kg_encrypt(context, key, usage, iv, in, out, length)
- krb5_context context;
- krb5_keyblock *key;
- int usage;
- krb5_pointer iv;
- krb5_const_pointer in;
- krb5_pointer out;
- unsigned int length;
+ krb5_context context;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ krb5_const_pointer in;
+ krb5_pointer out;
+ unsigned int length;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data ivd, *pivd, inputd;
- krb5_enc_data outputd;
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd, inputd;
+ krb5_enc_data outputd;
- if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
- ivd.length = blocksize;
- ivd.data = malloc(ivd.length);
- if (ivd.data == NULL)
- return ENOMEM;
- memcpy(ivd.data, iv, ivd.length);
- pivd = &ivd;
- } else {
- pivd = NULL;
- }
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
- inputd.length = length;
- inputd.data = in;
+ inputd.length = length;
+ inputd.data = (char *)in;
- outputd.ciphertext.length = length;
- outputd.ciphertext.data = out;
+ outputd.ciphertext.length = length;
+ outputd.ciphertext.data = out;
- code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
- if (pivd != NULL)
- free(pivd->data);
- return code;
+ code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ free(pivd->data);
+ return code;
}
/* length is the length of the cleartext. */
krb5_error_code
kg_decrypt(context, key, usage, iv, in, out, length)
- krb5_context context;
- krb5_keyblock *key;
- int usage;
- krb5_pointer iv;
- krb5_const_pointer in;
- krb5_pointer out;
- unsigned int length;
+ krb5_context context;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ krb5_const_pointer in;
+ krb5_pointer out;
+ unsigned int length;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data ivd, *pivd, outputd;
- krb5_enc_data inputd;
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd, outputd;
+ krb5_enc_data inputd;
- if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
- ivd.length = blocksize;
- ivd.data = malloc(ivd.length);
- if (ivd.data == NULL)
- return ENOMEM;
- memcpy(ivd.data, iv, ivd.length);
- pivd = &ivd;
- } else {
- pivd = NULL;
- }
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
- inputd.enctype = ENCTYPE_UNKNOWN;
- inputd.ciphertext.length = length;
- inputd.ciphertext.data = in;
+ inputd.enctype = ENCTYPE_UNKNOWN;
+ inputd.ciphertext.length = length;
+ inputd.ciphertext.data = (char *)in;
- outputd.length = length;
- outputd.data = out;
+ outputd.length = length;
+ outputd.data = out;
- code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
- if (pivd != NULL)
- free(pivd->data);
- return code;
+ code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ free(pivd->data);
+ return code;
}
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
- const unsigned char *kd_data, size_t kd_data_len,
- const unsigned char *input_buf, size_t input_len,
- unsigned char *output_buf)
+ const unsigned char *kd_data, size_t kd_data_len,
+ const unsigned char *input_buf, size_t input_len,
+ unsigned char *output_buf)
{
- krb5_error_code code;
- krb5_data input, output;
- krb5int_access kaccess;
- krb5_keyblock seq_enc_key, usage_key;
- unsigned char t[4];
+ krb5_error_code code;
+ krb5_data input, output;
+ krb5int_access kaccess;
+ krb5_keyblock seq_enc_key, usage_key;
+ unsigned char t[14];
+ size_t i = 0;
+ int exportable = (longterm_key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP);
- usage_key.length = longterm_key->length;
- usage_key.contents = malloc(usage_key.length);
- if (usage_key.contents == NULL)
- return (ENOMEM);
- seq_enc_key.length = longterm_key->length;
- seq_enc_key.contents = malloc(seq_enc_key.length);
- if (seq_enc_key.contents == NULL) {
+ usage_key.length = longterm_key->length;
+ usage_key.contents = malloc(usage_key.length);
+ if (usage_key.contents == NULL)
+ return (ENOMEM);
+ seq_enc_key.length = longterm_key->length;
+ seq_enc_key.contents = malloc(seq_enc_key.length);
+ if (seq_enc_key.contents == NULL) {
+ free ((void *) usage_key.contents);
+ return (ENOMEM);
+ }
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto cleanup_arcfour;
+
+ if (exportable) {
+ memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40));
+ i += sizeof(kg_arcfour_l40);
+ }
+ t[i++] = ms_usage &0xff;
+ t[i++] = (ms_usage>>8) & 0xff;
+ t[i++] = (ms_usage>>16) & 0xff;
+ t[i++] = (ms_usage>>24) & 0xff;
+ input.data = (void *) &t;
+ input.length = i;
+ output.data = (void *) usage_key.contents;
+ output.length = usage_key.length;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ longterm_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+ if (exportable)
+ memset(usage_key.contents + 7, 0xab, 9);
+
+ input.data = ( void *) kd_data;
+ input.length = kd_data_len;
+ output.data = (void *) seq_enc_key.contents;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ &usage_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+ input.data = ( void * ) input_buf;
+ input.length = input_len;
+ output.data = (void * ) output_buf;
+ output.length = input_len;
+ code = ((*kaccess.arcfour_enc_provider->encrypt)(
+ &seq_enc_key, 0,
+ &input, &output));
+cleanup_arcfour:
+ memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length);
+ memset ((void *) usage_key.contents, 0, usage_key.length);
free ((void *) usage_key.contents);
- return (ENOMEM);
- }
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto cleanup_arcfour;
+ free ((void *) seq_enc_key.contents);
+ return (code);
+}
- t[0] = ms_usage &0xff;
- t[1] = (ms_usage>>8) & 0xff;
- t[2] = (ms_usage>>16) & 0xff;
- t[3] = (ms_usage>>24) & 0xff;
- input.data = (void *) &t;
- input.length = 4;
- output.data = (void *) usage_key.contents;
- output.length = usage_key.length;
- code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
- longterm_key, 1, &input, &output);
- if (code)
- goto cleanup_arcfour;
-
- input.data = ( void *) kd_data;
- input.length = kd_data_len;
- output.data = (void *) seq_enc_key.contents;
- code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
- &usage_key, 1, &input, &output);
- if (code)
- goto cleanup_arcfour;
- input.data = ( void * ) input_buf;
- input.length = input_len;
- output.data = (void * ) output_buf;
- output.length = input_len;
- code = ((*kaccess.arcfour_enc_provider->encrypt)(
- &seq_enc_key, 0,
- &input, &output));
- cleanup_arcfour:
- memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length);
- memset ((void *) usage_key.contents, 0, usage_key.length);
- free ((void *) usage_key.contents);
- free ((void *) seq_enc_key.contents);
- return (code);
+/* AEAD */
+static krb5_error_code
+kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
+ krb5_context context;
+ const krb5_keyblock *key;
+ gss_iov_buffer_desc *iov;
+ int iov_count;
+ krb5_crypto_iov **pkiov;
+ size_t *pkiov_count;
+{
+ gss_iov_buffer_desc *header;
+ gss_iov_buffer_desc *trailer;
+ int i = 0, j;
+ size_t kiov_count;
+ krb5_crypto_iov *kiov;
+ size_t conf_len;
+
+ *pkiov = NULL;
+ *pkiov_count = 0;
+
+ conf_len = kg_confounder_size(context, (krb5_keyblock *)key);
+
+ header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ assert(header != NULL);
+
+ if (header->buffer.length < conf_len)
+ return KRB5_BAD_MSIZE;
+
+ trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+ assert(trailer == NULL || trailer->buffer.length == 0);
+
+ kiov_count = 3 + iov_count;
+ kiov = (krb5_crypto_iov *)malloc(kiov_count * sizeof(krb5_crypto_iov));
+ if (kiov == NULL)
+ return ENOMEM;
+
+ /* For pre-CFX (raw enctypes) there is no krb5 header */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_HEADER;
+ kiov[i].data.length = 0;
+ kiov[i].data.data = NULL;
+ i++;
+
+ /* For pre-CFX, the confounder is at the end of the GSS header */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
+ kiov[i].data.length = conf_len;
+ kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
+ i++;
+
+ for (j = 0; j < iov_count; j++) {
+ kiov[i].flags = kg_translate_flag_iov(iov[j].type);
+ if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY)
+ continue;
+
+ kiov[i].data.length = iov[j].buffer.length;
+ kiov[i].data.data = (char *)iov[j].buffer.value;
+ i++;
+ }
+
+ kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ kiov[i].data.length = 0;
+ kiov[i].data.data = NULL;
+ i++;
+
+ *pkiov = kiov;
+ *pkiov_count = i;
+
+ return 0;
}
-
+
+static krb5_error_code
+kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+ krb5_context context;
+ int dce_style; /* DCE_STYLE indicates actual RRC is EC + RRC */
+ size_t ec; /* Extra rotate count for DCE_STYLE, pad length otherwise */
+ size_t rrc; /* Rotate count */
+ const krb5_keyblock *key;
+ gss_iov_buffer_desc *iov;
+ int iov_count;
+ krb5_crypto_iov **pkiov;
+ size_t *pkiov_count;
+{
+ gss_iov_buffer_t header;
+ gss_iov_buffer_t trailer;
+ int i = 0, j;
+ size_t kiov_count;
+ krb5_crypto_iov *kiov;
+ unsigned int k5_headerlen = 0, k5_trailerlen = 0;
+ size_t gss_headerlen, gss_trailerlen;
+ krb5_error_code code;
+
+ *pkiov = NULL;
+ *pkiov_count = 0;
+
+ header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ assert(header != NULL);
+
+ trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+ assert(trailer == NULL || rrc == 0);
+
+ code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+ if (code != 0)
+ return code;
+
+ code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+ if (code != 0)
+ return code;
+
+ /* Check header and trailer sizes */
+ gss_headerlen = 16 /* GSS-Header */ + k5_headerlen; /* Kerb-Header */
+ gss_trailerlen = ec + 16 /* E(GSS-Header) */ + k5_trailerlen; /* Kerb-Trailer */
+
+ /* If we're caller without a trailer, we must rotate by trailer length */
+ if (trailer == NULL) {
+ size_t actual_rrc = rrc;
+
+ if (dce_style)
+ actual_rrc += ec; /* compensate for Windows bug */
+
+ if (actual_rrc != gss_trailerlen)
+ return KRB5_BAD_MSIZE;
+
+ gss_headerlen += gss_trailerlen;
+ gss_trailerlen = 0;
+ } else {
+ if (trailer->buffer.length != gss_trailerlen)
+ return KRB5_BAD_MSIZE;
+ }
+
+ if (header->buffer.length != gss_headerlen)
+ return KRB5_BAD_MSIZE;
+
+ kiov_count = 3 + iov_count;
+ kiov = (krb5_crypto_iov *)malloc(kiov_count * sizeof(krb5_crypto_iov));
+ if (kiov == NULL)
+ return ENOMEM;
+
+ /*
+ * The krb5 header is located at the end of the GSS header.
+ */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_HEADER;
+ kiov[i].data.length = k5_headerlen;
+ kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - k5_headerlen;
+ i++;
+
+ for (j = 0; j < iov_count; j++) {
+ kiov[i].flags = kg_translate_flag_iov(iov[j].type);
+ if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY)
+ continue;
+
+ kiov[i].data.length = iov[j].buffer.length;
+ kiov[i].data.data = (char *)iov[j].buffer.value;
+ i++;
+ }
+
+ /*
+ * The EC and encrypted GSS header are placed in the trailer, which may
+ * be rotated directly after the plaintext header if no trailer buffer
+ * is provided.
+ */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
+ kiov[i].data.length = ec + 16; /* E(Header) */
+ if (trailer == NULL)
+ kiov[i].data.data = (char *)header->buffer.value + 16;
+ else
+ kiov[i].data.data = (char *)trailer->buffer.value;
+ i++;
+
+ /*
+ * The krb5 trailer is placed after the encrypted copy of the
+ * krb5 header (which may be in the GSS header or trailer).
+ */
+ kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ kiov[i].data.length = k5_trailerlen;
+ kiov[i].data.data = kiov[i - 1].data.data + ec + 16; /* E(Header) */
+ i++;
+
+ *pkiov = kiov;
+ *pkiov_count = i;
+
+ return 0;
+}
+
+static krb5_error_code
+kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+ krb5_context context;
+ int proto; /* 1 if CFX, 0 for pre-CFX */
+ int dce_style;
+ size_t ec;
+ size_t rrc;
+ const krb5_keyblock *key;
+ gss_iov_buffer_desc *iov;
+ int iov_count;
+ krb5_crypto_iov **pkiov;
+ size_t *pkiov_count;
+{
+ return proto ?
+ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count) :
+ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count);
+}
+
+krb5_error_code
+kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_count)
+ krb5_context context;
+ int proto;
+ int dce_style;
+ size_t ec;
+ size_t rrc;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ gss_iov_buffer_desc *iov;
+ int iov_count;
+{
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd;
+ size_t kiov_count;
+ krb5_crypto_iov *kiov;
+
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
+
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
+
+ code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
+ iov, iov_count, &kiov, &kiov_count);
+ if (code == 0) {
+ code = krb5_c_encrypt_iov(context, key, usage, pivd, kiov, kiov_count);
+ free(kiov);
+ }
+
+ if (pivd != NULL)
+ free(pivd->data);
+
+ return code;
+}
+
+/* length is the length of the cleartext. */
+
+krb5_error_code
+kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_count)
+ krb5_context context;
+ int proto;
+ int dce_style;
+ size_t ec;
+ size_t rrc;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ gss_iov_buffer_desc *iov;
+ int iov_count;
+{
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd;
+ size_t kiov_count;
+ krb5_crypto_iov *kiov;
+
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
+
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
+
+ code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
+ iov, iov_count, &kiov, &kiov_count);
+ if (code == 0) {
+ code = krb5_c_decrypt_iov(context, key, usage, pivd, kiov, kiov_count);
+ free(kiov);
+ }
+
+ if (pivd != NULL)
+ free(pivd->data);
+
+ return code;
+}
+
+krb5_error_code
+kg_arcfour_docrypt_iov (krb5_context context,
+ const krb5_keyblock *longterm_key , int ms_usage,
+ const unsigned char *kd_data, size_t kd_data_len,
+ gss_iov_buffer_desc *iov, int iov_count)
+{
+ krb5_error_code code;
+ krb5_data input, output;
+ krb5int_access kaccess;
+ krb5_keyblock seq_enc_key, usage_key;
+ unsigned char t[14];
+ size_t i = 0;
+ int exportable = (longterm_key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP);
+ krb5_crypto_iov *kiov = NULL;
+ size_t kiov_count = 0;
+
+ usage_key.length = longterm_key->length;
+ usage_key.contents = malloc(usage_key.length);
+ if (usage_key.contents == NULL)
+ return (ENOMEM);
+ seq_enc_key.length = longterm_key->length;
+ seq_enc_key.contents = malloc(seq_enc_key.length);
+ if (seq_enc_key.contents == NULL) {
+ free ((void *) usage_key.contents);
+ return (ENOMEM);
+ }
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto cleanup_arcfour;
+
+ if (exportable) {
+ memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40));
+ i += sizeof(kg_arcfour_l40);
+ }
+ t[i++] = ms_usage &0xff;
+ t[i++] = (ms_usage>>8) & 0xff;
+ t[i++] = (ms_usage>>16) & 0xff;
+ t[i++] = (ms_usage>>24) & 0xff;
+ input.data = (void *) &t;
+ input.length = i;
+ output.data = (void *) usage_key.contents;
+ output.length = usage_key.length;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ longterm_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+ if (exportable)
+ memset(usage_key.contents + 7, 0xab, 9);
+
+ input.data = ( void *) kd_data;
+ input.length = kd_data_len;
+ output.data = (void *) seq_enc_key.contents;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ &usage_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+
+ code = kg_translate_iov(context, 0 /* proto */, 0 /* dce_style */,
+ 0 /* ec */, 0 /* rrc */, longterm_key,
+ iov, iov_count, &kiov, &kiov_count);
+ if (code)
+ goto cleanup_arcfour;
+
+ code = ((*kaccess.arcfour_enc_provider->encrypt_iov)(
+ &seq_enc_key, 0,
+ kiov, kiov_count));
+cleanup_arcfour:
+ memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length);
+ memset ((void *) usage_key.contents, 0, usage_key.length);
+ free ((void *) usage_key.contents);
+ free ((void *) seq_enc_key.contents);
+ if (kiov != NULL)
+ free(kiov);
+ return (code);
+}
+
+krb5_cryptotype
+kg_translate_flag_iov(OM_uint32 type)
+{
+ krb5_cryptotype ktype;
+
+ switch (GSS_IOV_BUFFER_TYPE(type)) {
+ case GSS_IOV_BUFFER_TYPE_DATA:
+ case GSS_IOV_BUFFER_TYPE_PADDING:
+ ktype = KRB5_CRYPTO_TYPE_DATA;
+ break;
+ case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+ ktype = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ break;
+ default:
+ ktype = KRB5_CRYPTO_TYPE_EMPTY;
+ break;
+ }
+
+ return ktype;
+}
+
+gss_iov_buffer_t
+kg_locate_iov(gss_iov_buffer_desc *iov,
+ int iov_count,
+ OM_uint32 type)
+{
+ int i;
+ gss_iov_buffer_t p = GSS_C_NO_IOV_BUFFER;
+
+ if (iov == GSS_C_NO_IOV_BUFFER)
+ return GSS_C_NO_IOV_BUFFER;
+
+ for (i = iov_count - 1; i >= 0; i--) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == type) {
+ if (p == GSS_C_NO_IOV_BUFFER)
+ p = &iov[i];
+ else
+ return GSS_C_NO_IOV_BUFFER;
+ }
+ }
+
+ return p;
+}
+
+void
+kg_iov_msglen(gss_iov_buffer_desc *iov,
+ int iov_count,
+ size_t *data_length_p,
+ size_t *assoc_data_length_p)
+{
+ int i;
+ size_t data_length = 0, assoc_data_length = 0;
+
+ assert(iov != GSS_C_NO_IOV_BUFFER);
+
+ *data_length_p = *assoc_data_length_p = 0;
+
+ for (i = 0; i < iov_count; i++) {
+ OM_uint32 type = GSS_IOV_BUFFER_TYPE(iov[i].type);
+
+ if (type == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ assoc_data_length += iov[i].buffer.length;
+
+ if (type == GSS_IOV_BUFFER_TYPE_DATA ||
+ type == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ data_length += iov[i].buffer.length;
+ }
+
+ *data_length_p = data_length;
+ *assoc_data_length_p = assoc_data_length;
+}
+
+void
+kg_release_iov(gss_iov_buffer_desc *iov, int iov_count)
+{
+ int i;
+ OM_uint32 min_stat;
+
+ assert(iov != GSS_C_NO_IOV_BUFFER);
+
+ for (i = 0; i < iov_count; i++) {
+ if (iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
+ gss_release_buffer(&min_stat, &iov[i].buffer);
+ iov[i].type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);
+ }
+ }
+}
+
+OM_uint32
+kg_fixup_padding_iov(OM_uint32 *minor_status,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ gss_iov_buffer_t padding = NULL;
+ gss_iov_buffer_t data = NULL;
+ size_t padlength, relative_padlength;
+ unsigned char *p;
+ OM_uint32 minor;
+
+ data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA);
+ padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
+
+ if (data == NULL) {
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+ }
+
+ if (padding == NULL || padding->buffer.length == 0) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ p = (unsigned char *)padding->buffer.value;
+ padlength = p[padding->buffer.length - 1];
+
+ if (data->buffer.length + padding->buffer.length < padlength ||
+ padlength == 0) {
+ *minor_status = (OM_uint32)KRB5_BAD_MSIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ /*
+ * kg_unseal_stream_iov() will place one byte of padding in the
+ * padding buffer; its true value is unknown until after decryption.
+ *
+ * relative_padlength contains the number of bytes to compensate the
+ * padding and data buffers by; it will be zero if the caller manages
+ * the padding length.
+ *
+ * If the caller manages the padding length, then relative_padlength
+ * wil be zero.
+ *
+ * eg. if the buffers are structured as follows:
+ *
+ * +---DATA---+-PAD-+
+ * | ABCDE444 | 4 |
+ * +----------+-----+
+ *
+ * after compensation they would look like:
+ *
+ * +-DATA--+-PAD--+
+ * | ABCDE | NULL |
+ * +-------+------+
+ */
+ relative_padlength = padlength - padding->buffer.length;
+
+ assert(data->buffer.length >= relative_padlength);
+
+ data->buffer.length -= relative_padlength;
+
+ if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
+ gss_release_buffer(&minor, &padding->buffer);
+ padding->type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);
+ }
+
+ padding->buffer.length = 0;
+ padding->buffer.value = NULL;
+
+ return GSS_S_COMPLETE;
+}
+
+int kg_map_toktype(int proto, int toktype)
+{
+ int toktype2;
+
+ if (proto)
+ switch (toktype) {
+ case KG_TOK_SIGN_MSG:
+ toktype2 = KG2_TOK_MIC_MSG;
+ break;
+ case KG_TOK_WRAP_MSG:
+ toktype2 = KG2_TOK_WRAP_MSG;
+ break;
+ case KG_TOK_DEL_CTX:
+ toktype2 = KG2_TOK_DEL_CTX;
+ break;
+ default:
+ toktype2 = toktype;
+ break;
+ }
+ else
+ toktype2 = toktype;
+
+ return toktype2;
+}
+
+krb5_boolean kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count)
+{
+ int i;
+ krb5_boolean has_conf_data = FALSE;
+
+ assert(iov != GSS_C_NO_IOV_BUFFER);
+
+ for (i = 0; i < iov_count; i++) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA) {
+ has_conf_data = TRUE;
+ break;
+ }
+ }
+
+ return (has_conf_data == FALSE);
+}
+
+krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size)
+{
+ assert(iov != GSS_C_NO_IOV_BUFFER);
+ assert(iov->type & GSS_IOV_BUFFER_FLAG_ALLOCATE);
+
+ iov->buffer.length = size;
+ iov->buffer.value = xmalloc(size);
+ if (iov->buffer.value == NULL) {
+ iov->buffer.length = 0;
+ return ENOMEM;
+ }
+
+ iov->type |= GSS_IOV_BUFFER_FLAG_ALLOCATED;
+
+ return 0;
+}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/util_seed.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/util_seed.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/util_seed.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -29,26 +30,26 @@
krb5_error_code
kg_make_seed(context, key, seed)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *seed;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *seed;
{
- krb5_error_code code;
- krb5_keyblock *tmpkey;
- unsigned int i;
+ krb5_error_code code;
+ krb5_keyblock *tmpkey;
+ unsigned int i;
- code = krb5_copy_keyblock(context, key, &tmpkey);
- if (code)
- return(code);
+ code = krb5_copy_keyblock(context, key, &tmpkey);
+ if (code)
+ return(code);
- /* reverse the key bytes, as per spec */
+ /* reverse the key bytes, as per spec */
- for (i=0; i<tmpkey->length; i++)
- tmpkey->contents[i] = key->contents[key->length - 1 - i];
+ for (i=0; i<tmpkey->length; i++)
+ tmpkey->contents[i] = key->contents[key->length - 1 - i];
- code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
+ code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
- krb5_free_keyblock(context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
- return(code);
+ return(code);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/util_seqnum.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/util_seqnum.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/util_seqnum.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,8 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright2001 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -11,7 +12,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -30,76 +31,79 @@
krb5_error_code
kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
- krb5_context context;
- krb5_keyblock *key;
- int direction;
- krb5_ui_4 seqnum;
- unsigned char *cksum;
- unsigned char *buf;
+ krb5_context context;
+ krb5_keyblock *key;
+ int direction;
+ krb5_ui_4 seqnum;
+ unsigned char *cksum;
+ unsigned char *buf;
{
- unsigned char plain[8];
+ unsigned char plain[8];
- plain[4] = direction;
- plain[5] = direction;
- plain[6] = direction;
- plain[7] = direction;
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) {
- /* Yes, Microsoft used big-endian sequence number.*/
- plain[0] = (seqnum>>24) & 0xff;
- plain[1] = (seqnum>>16) & 0xff;
- plain[2] = (seqnum>>8) & 0xff;
- plain[3] = seqnum & 0xff;
- return kg_arcfour_docrypt (key, 0,
- cksum, 8,
- &plain[0], 8,
- buf);
-
- }
-
- plain[0] = (unsigned char) (seqnum&0xff);
- plain[1] = (unsigned char) ((seqnum>>8)&0xff);
- plain[2] = (unsigned char) ((seqnum>>16)&0xff);
- plain[3] = (unsigned char) ((seqnum>>24)&0xff);
+ plain[4] = direction;
+ plain[5] = direction;
+ plain[6] = direction;
+ plain[7] = direction;
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ /* Yes, Microsoft used big-endian sequence number.*/
+ plain[0] = (seqnum>>24) & 0xff;
+ plain[1] = (seqnum>>16) & 0xff;
+ plain[2] = (seqnum>>8) & 0xff;
+ plain[3] = seqnum & 0xff;
+ return kg_arcfour_docrypt (key, 0,
+ cksum, 8,
+ &plain[0], 8,
+ buf);
- return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
+ }
+
+ plain[0] = (unsigned char) (seqnum&0xff);
+ plain[1] = (unsigned char) ((seqnum>>8)&0xff);
+ plain[2] = (unsigned char) ((seqnum>>16)&0xff);
+ plain[3] = (unsigned char) ((seqnum>>24)&0xff);
+
+ return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
}
krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *cksum;
- unsigned char *buf;
- int *direction;
- krb5_ui_4 *seqnum;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *cksum;
+ unsigned char *buf;
+ int *direction;
+ krb5_ui_4 *seqnum;
{
- krb5_error_code code;
- unsigned char plain[8];
+ krb5_error_code code;
+ unsigned char plain[8];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
- code = kg_arcfour_docrypt (key, 0,
- cksum, 8,
- buf, 8,
- plain);
- } else {
- code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8);
- }
- if (code)
- return(code);
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ code = kg_arcfour_docrypt (key, 0,
+ cksum, 8,
+ buf, 8,
+ plain);
+ } else {
+ code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8);
+ }
+ if (code)
+ return(code);
- if ((plain[4] != plain[5]) ||
- (plain[4] != plain[6]) ||
- (plain[4] != plain[7]))
- return((krb5_error_code) KG_BAD_SEQ);
+ if ((plain[4] != plain[5]) ||
+ (plain[4] != plain[6]) ||
+ (plain[4] != plain[7]))
+ return((krb5_error_code) KG_BAD_SEQ);
- *direction = plain[4];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
- *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24));
- } else {
- *seqnum = ((plain[0]) |
- (plain[1]<<8) |
- (plain[2]<<16) |
- (plain[3]<<24));
- }
+ *direction = plain[4];
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24));
+ } else {
+ *seqnum = ((plain[0]) |
+ (plain[1]<<8) |
+ (plain[2]<<16) |
+ (plain[3]<<24));
+ }
- return(0);
+ return(0);
}
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/val_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/val_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/val_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1997, 2007 by Massachusetts Institute of Technology
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,7 +21,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "gssapiP_krb5.h"
@@ -32,37 +33,37 @@
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
- krb5_context context)
+ krb5_context context)
{
krb5_gss_cred_id_t cred;
krb5_error_code code;
krb5_principal princ;
if (!kg_validate_cred_id(cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
}
cred = (krb5_gss_cred_id_t) cred_handle;
code = k5_mutex_lock(&cred->lock);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
if (cred->ccache) {
- if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = code;
- return(GSS_S_DEFECTIVE_CREDENTIAL);
- }
- if (!krb5_principal_compare(context, princ, cred->princ)) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = KG_CCACHE_NOMATCH;
- return(GSS_S_DEFECTIVE_CREDENTIAL);
- }
- (void)krb5_free_principal(context, princ);
+ if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = code;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ if (!krb5_principal_compare(context, princ, cred->princ)) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ (void)krb5_free_principal(context, princ);
}
*minor_status = 0;
return GSS_S_COMPLETE;
@@ -70,8 +71,8 @@
OM_uint32
krb5_gss_validate_cred(minor_status, cred_handle)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
{
krb5_context context;
krb5_error_code code;
@@ -79,21 +80,17 @@
code = krb5_gss_init_context(&context);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
maj = krb5_gss_validate_cred_1(minor_status, cred_handle, context);
if (maj == 0) {
- krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle;
- k5_mutex_assert_locked(&cred->lock);
- k5_mutex_unlock(&cred->lock);
+ krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle;
+ k5_mutex_assert_locked(&cred->lock);
+ k5_mutex_unlock(&cred->lock);
}
save_error_info(*minor_status, context);
krb5_free_context(context);
return maj;
}
-
-
-
-
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/verify.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/verify.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/verify.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -26,39 +27,39 @@
* $Id$
*/
-OM_uint32
-krb5_gss_verify(minor_status, context_handle,
- message_buffer, token_buffer,
- qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- return(kg_unseal(minor_status, context_handle,
- token_buffer, message_buffer,
- NULL, qop_state, KG_TOK_SIGN_MSG));
-}
-
/* V2 interface */
OM_uint32
krb5_gss_verify_mic(minor_status, context_handle,
- message_buffer, token_buffer,
- qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- gss_qop_t *qop_state;
+ message_buffer, token_buffer,
+ qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t message_buffer;
+ gss_buffer_t token_buffer;
+ gss_qop_t *qop_state;
{
- OM_uint32 rstat;
- int qstate;
+ OM_uint32 rstat;
rstat = kg_unseal(minor_status, context_handle,
- token_buffer, message_buffer,
- NULL, &qstate, KG_TOK_MIC_MSG);
- if (!rstat && qop_state)
- *qop_state = (gss_qop_t) qstate;
+ token_buffer, message_buffer,
+ NULL, qop_state, KG_TOK_MIC_MSG);
return(rstat);
}
+
+#if 0
+OM_uint32
+krb5_gss_verify_mic_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 major_status;
+
+ major_status = kg_unseal_iov(minor_status, context_handle,
+ NULL, qop_state,
+ iov, iov_count, KG_TOK_WRAP_MSG);
+
+ return major_status;
+}
+#endif
Modified: branches/mkey_migrate/src/lib/gssapi/krb5/wrap_size_limit.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/krb5/wrap_size_limit.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/krb5/wrap_size_limit.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -6,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -34,7 +35,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -46,14 +47,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -64,7 +65,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -75,69 +76,88 @@
/* V2 interface */
OM_uint32
krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
- qop_req, req_output_size, max_input_size)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- OM_uint32 req_output_size;
- OM_uint32 *max_input_size;
+ qop_req, req_output_size, max_input_size)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ OM_uint32 req_output_size;
+ OM_uint32 *max_input_size;
{
- krb5_gss_ctx_id_rec *ctx;
- OM_uint32 data_size, conflen;
- OM_uint32 ohlen;
- int overhead;
+ krb5_gss_ctx_id_rec *ctx;
+ OM_uint32 data_size, conflen;
+ OM_uint32 ohlen;
+ int overhead;
/* only default qop is allowed */
if (qop_req != GSS_C_QOP_DEFAULT) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return(GSS_S_FAILURE);
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return(GSS_S_FAILURE);
}
-
+
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
-
+
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
if (ctx->proto == 1) {
- /* No pseudo-ASN.1 wrapper overhead, so no sequence length and
- OID. */
- OM_uint32 sz = req_output_size;
- /* Token header: 16 octets. */
- if (conf_req_flag) {
- while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size)
- sz--;
- /* Allow for encrypted copy of header. */
- if (sz > 16)
- sz -= 16;
- else
- sz = 0;
+ /* No pseudo-ASN.1 wrapper overhead, so no sequence length and
+ OID. */
+ OM_uint32 sz = req_output_size;
+
+ /* Token header: 16 octets. */
+ if (conf_req_flag) {
+ krb5_enctype enctype;
+
+ enctype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey->enctype
+ : ctx->subkey->enctype;
+
+ while (sz > 0 && krb5_encrypt_size(sz, enctype) + 16 > req_output_size)
+ sz--;
+ /* Allow for encrypted copy of header. */
+ if (sz > 16)
+ sz -= 16;
+ else
+ sz = 0;
#ifdef CFX_EXERCISE
- /* Allow for EC padding. In the MIT implementation, only
- added while testing. */
- if (sz > 65535)
- sz -= 65535;
- else
- sz = 0;
+ /* Allow for EC padding. In the MIT implementation, only
+ added while testing. */
+ if (sz > 65535)
+ sz -= 65535;
+ else
+ sz = 0;
#endif
- } else {
- /* Allow for token header and checksum. */
- if (sz < 16 + ctx->cksum_size)
- sz = 0;
- else
- sz -= (16 + ctx->cksum_size);
- }
+ } else {
+ krb5_cksumtype cksumtype;
+ krb5_error_code err;
+ size_t cksumsize;
- *max_input_size = sz;
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ cksumtype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey_cksumtype
+ : ctx->cksumtype;
+
+ err = krb5_c_checksum_length(ctx->k5_context, cksumtype, &cksumsize);
+ if (err) {
+ *minor_status = err;
+ return GSS_S_FAILURE;
+ }
+
+ /* Allow for token header and checksum. */
+ if (sz < 16 + cksumsize)
+ sz = 0;
+ else
+ sz -= (16 + cksumsize);
+ }
+
+ *max_input_size = sz;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
/* Calculate the token size and subtract that from the output size */
@@ -146,17 +166,17 @@
conflen = kg_confounder_size(ctx->k5_context, ctx->enc);
data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
ohlen = g_token_size(ctx->mech_used,
- (unsigned int) (data_size + ctx->cksum_size + 14))
- - req_output_size;
+ (unsigned int) (data_size + ctx->cksum_size + 14))
+ - req_output_size;
if (ohlen+overhead < req_output_size)
- /*
- * Cannot have trailer length that will cause us to pad over our
- * length.
- */
- *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
+ /*
+ * Cannot have trailer length that will cause us to pad over our
+ * length.
+ */
+ *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
else
- *max_input_size = 0;
+ *max_input_size = 0;
*minor_status = 0;
return(GSS_S_COMPLETE);
Modified: branches/mkey_migrate/src/lib/gssapi/libgssapi_krb5.exports
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/libgssapi_krb5.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/libgssapi_krb5.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+GSS_C_INQ_SSPI_SESSION_KEY
GSS_C_NT_ANONYMOUS
GSS_C_NT_EXPORT_NAME
GSS_C_NT_HOSTBASED_SERVICE
@@ -8,36 +9,46 @@
GSS_KRB5_NT_PRINCIPAL_NAME
gss_accept_sec_context
gss_acquire_cred
+gss_add_buffer_set_member
gss_add_cred
gss_add_oid_set_member
gss_canonicalize_name
gss_compare_name
+gss_complete_auth_token
gss_context_time
+gss_create_empty_buffer_set
gss_create_empty_oid_set
gss_delete_sec_context
gss_display_name
gss_display_status
gss_duplicate_name
gss_export_name
+gss_export_name_object
gss_export_sec_context
gss_get_mic
gss_import_name
+gss_import_name_object
gss_import_sec_context
gss_indicate_mechs
gss_init_sec_context
gss_inquire_context
gss_inquire_cred
gss_inquire_cred_by_mech
+gss_inquire_cred_by_oid
gss_inquire_mechs_for_name
gss_inquire_names_for_mech
+gss_inquire_sec_context_by_oid
gss_krb5_ccache_name
gss_krb5_copy_ccache
gss_krb5_export_lucid_sec_context
gss_krb5_get_tkt_flags
gss_krb5_free_lucid_sec_context
gss_krb5_set_allowable_enctypes
+gss_krb5_set_cred_rcache
gss_krb5int_make_seal_token_v3
gss_krb5int_unseal_token_v3
+gsskrb5_extract_authtime_from_sec_context
+gsskrb5_extract_authz_data_from_sec_context
gss_mech_krb5
gss_mech_krb5_old
gss_mech_set_krb5
@@ -53,21 +64,31 @@
gss_nt_user_name
gss_oid_to_str
gss_process_context_token
+gss_release_buffer_set
gss_release_buffer
gss_release_cred
+gss_release_iov_buffer
gss_release_name
gss_release_oid
gss_release_oid_set
gss_seal
+gss_set_sec_context_option
gss_sign
gss_str_to_oid
gss_test_oid_set_member
gss_unseal
gss_unwrap
+gss_unwrap_aead
+gss_unwrap_iov
gss_verify
gss_verify_mic
gss_wrap
+gss_wrap_aead
+gss_wrap_iov
+gss_wrap_iov_length
gss_wrap_size_limit
+gssspi_set_cred_option
+gssspi_mech_invoke
krb5_gss_dbg_client_expcreds
krb5_gss_register_acceptor_identity
krb5_gss_use_kdc_context
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,8 +2,8 @@
myfulldir=lib/gssapi/mechglue
mydir=lib/gssapi/mechglue
BUILDTOP=$(REL)..$(S)..$(S)..
-LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/.. -I../generic -I$(srcdir)/../generic
-DEFS=
+LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/.. -I../generic -I$(srcdir)/../generic -I../krb5 -I$(srcdir)/../krb5 -I../spnego -I$(srcdir)/../spnego
+DEFS=-D_GSS_STATIC_LINK=1
##DOSBUILDTOP = ..\..\..
##DOS##PREFIXDIR=mechglue
@@ -14,8 +14,10 @@
SRCS = \
$(srcdir)/g_accept_sec_context.c \
$(srcdir)/g_acquire_cred.c \
+ $(srcdir)/g_buffer_set.c \
$(srcdir)/g_canon_name.c \
$(srcdir)/g_compare_name.c \
+ $(srcdir)/g_complete_auth_token.c \
$(srcdir)/g_context_time.c \
$(srcdir)/g_delete_sec_context.c \
$(srcdir)/g_dsp_name.c \
@@ -23,14 +25,19 @@
$(srcdir)/g_dup_name.c \
$(srcdir)/g_exp_sec_context.c \
$(srcdir)/g_export_name.c \
+ $(srcdir)/g_export_name_object.c \
$(srcdir)/g_glue.c \
$(srcdir)/g_imp_name.c \
+ $(srcdir)/g_imp_name_object.c \
$(srcdir)/g_imp_sec_context.c \
$(srcdir)/g_init_sec_context.c \
$(srcdir)/g_initialize.c \
$(srcdir)/g_inq_context.c \
+ $(srcdir)/g_inq_context_oid.c \
$(srcdir)/g_inq_cred.c \
+ $(srcdir)/g_inq_cred_oid.c \
$(srcdir)/g_inq_names.c \
+ $(srcdir)/g_mech_invoke.c \
$(srcdir)/g_mechname.c \
$(srcdir)/g_oid_ops.c \
$(srcdir)/g_process_context.c \
@@ -39,17 +46,24 @@
$(srcdir)/g_rel_name.c \
$(srcdir)/g_rel_oid_set.c \
$(srcdir)/g_seal.c \
+ $(srcdir)/g_set_context_option.c \
+ $(srcdir)/g_set_cred_option.c \
$(srcdir)/g_sign.c \
$(srcdir)/g_store_cred.c \
$(srcdir)/g_unseal.c \
+ $(srcdir)/g_unwrap_aead.c \
+ $(srcdir)/g_unwrap_iov.c \
$(srcdir)/g_verify.c \
- $(srcdir)/oid_ops.c
+ $(srcdir)/g_wrap_aead.c \
+ $(srcdir)/g_wrap_iov.c
OBJS = \
$(OUTPRE)g_accept_sec_context.$(OBJEXT) \
$(OUTPRE)g_acquire_cred.$(OBJEXT) \
+ $(OUTPRE)g_buffer_set.$(OBJEXT) \
$(OUTPRE)g_canon_name.$(OBJEXT) \
$(OUTPRE)g_compare_name.$(OBJEXT) \
+ $(OUTPRE)g_complete_auth_token.$(OBJEXT) \
$(OUTPRE)g_context_time.$(OBJEXT) \
$(OUTPRE)g_delete_sec_context.$(OBJEXT) \
$(OUTPRE)g_dsp_name.$(OBJEXT) \
@@ -57,14 +71,19 @@
$(OUTPRE)g_dup_name.$(OBJEXT) \
$(OUTPRE)g_exp_sec_context.$(OBJEXT) \
$(OUTPRE)g_export_name.$(OBJEXT) \
+ $(OUTPRE)g_export_name_object.$(OBJEXT) \
$(OUTPRE)g_glue.$(OBJEXT) \
$(OUTPRE)g_imp_name.$(OBJEXT) \
+ $(OUTPRE)g_imp_name_object.$(OBJEXT) \
$(OUTPRE)g_imp_sec_context.$(OBJEXT) \
$(OUTPRE)g_init_sec_context.$(OBJEXT) \
$(OUTPRE)g_initialize.$(OBJEXT) \
$(OUTPRE)g_inq_context.$(OBJEXT) \
+ $(OUTPRE)g_inq_context_oid.$(OBJEXT) \
$(OUTPRE)g_inq_cred.$(OBJEXT) \
+ $(OUTPRE)g_inq_cred_oid.$(OBJEXT) \
$(OUTPRE)g_inq_names.$(OBJEXT) \
+ $(OUTPRE)g_mech_invoke.$(OBJEXT) \
$(OUTPRE)g_mechname.$(OBJEXT) \
$(OUTPRE)g_oid_ops.$(OBJEXT) \
$(OUTPRE)g_process_context.$(OBJEXT) \
@@ -73,17 +92,24 @@
$(OUTPRE)g_rel_name.$(OBJEXT) \
$(OUTPRE)g_rel_oid_set.$(OBJEXT) \
$(OUTPRE)g_seal.$(OBJEXT) \
+ $(OUTPRE)g_set_context_option.$(OBJEXT) \
+ $(OUTPRE)g_set_cred_option.$(OBJEXT) \
$(OUTPRE)g_sign.$(OBJEXT) \
$(OUTPRE)g_store_cred.$(OBJEXT) \
$(OUTPRE)g_unseal.$(OBJEXT) \
+ $(OUTPRE)g_unwrap_aead.$(OBJEXT) \
+ $(OUTPRE)g_unwrap_iov.$(OBJEXT) \
$(OUTPRE)g_verify.$(OBJEXT) \
- $(OUTPRE)oid_ops.$(OBJEXT)
+ $(OUTPRE)g_wrap_aead.$(OBJEXT) \
+ $(OUTPRE)g_wrap_iov.$(OBJEXT)
STLIBOBJS = \
g_accept_sec_context.o \
g_acquire_cred.o \
+ g_buffer_set.o \
g_canon_name.o \
g_compare_name.o \
+ g_complete_auth_token.o \
g_context_time.o \
g_delete_sec_context.o \
g_dsp_name.o \
@@ -91,14 +117,19 @@
g_dup_name.o \
g_exp_sec_context.o \
g_export_name.o \
+ g_export_name_object.o \
g_glue.o \
g_imp_name.o \
+ g_imp_name_object.o \
g_imp_sec_context.o \
g_init_sec_context.o \
g_initialize.o \
g_inq_context.o \
+ g_inq_context_oid.o \
g_inq_cred.o \
+ g_inq_cred_oid.o \
g_inq_names.o \
+ g_mech_invoke.o \
g_mechname.o \
g_oid_ops.o \
g_process_context.o \
@@ -107,11 +138,16 @@
g_rel_name.o \
g_rel_oid_set.o \
g_seal.o \
+ g_set_context_option.o \
+ g_set_cred_option.o \
g_sign.o \
g_store_cred.o \
g_unseal.o \
+ g_unwrap_aead.o \
+ g_unwrap_iov.o \
g_verify.o \
- oid_ops.o
+ g_wrap_aead.o \
+ g_wrap_iov.o
EHDRDIR= $(BUILDTOP)$(S)include$(S)gssapi
EXPORTED_HEADERS = mechglue.h
@@ -134,201 +170,3 @@
includes::
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-g_accept_sec_context.so g_accept_sec_context.po $(OUTPRE)g_accept_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_accept_sec_context.c \
- mechglue.h mglueP.h
-g_acquire_cred.so g_acquire_cred.po $(OUTPRE)g_acquire_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_acquire_cred.c mechglue.h \
- mglueP.h
-g_canon_name.so g_canon_name.po $(OUTPRE)g_canon_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_canon_name.c mechglue.h \
- mglueP.h
-g_compare_name.so g_compare_name.po $(OUTPRE)g_compare_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_compare_name.c mechglue.h \
- mglueP.h
-g_context_time.so g_context_time.po $(OUTPRE)g_context_time.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_context_time.c mechglue.h \
- mglueP.h
-g_delete_sec_context.so g_delete_sec_context.po $(OUTPRE)g_delete_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_delete_sec_context.c \
- mechglue.h mglueP.h
-g_dsp_name.so g_dsp_name.po $(OUTPRE)g_dsp_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_dsp_name.c mechglue.h \
- mglueP.h
-g_dsp_status.so g_dsp_status.po $(OUTPRE)g_dsp_status.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_dsp_status.c mechglue.h \
- mglueP.h
-g_dup_name.so g_dup_name.po $(OUTPRE)g_dup_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_dup_name.c mechglue.h \
- mglueP.h
-g_exp_sec_context.so g_exp_sec_context.po $(OUTPRE)g_exp_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_exp_sec_context.c \
- mechglue.h mglueP.h
-g_export_name.so g_export_name.po $(OUTPRE)g_export_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_export_name.c mechglue.h \
- mglueP.h
-g_glue.so g_glue.po $(OUTPRE)g_glue.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_glue.c mechglue.h \
- mglueP.h
-g_imp_name.so g_imp_name.po $(OUTPRE)g_imp_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_imp_name.c mechglue.h \
- mglueP.h
-g_imp_sec_context.so g_imp_sec_context.po $(OUTPRE)g_imp_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_imp_sec_context.c \
- mechglue.h mglueP.h
-g_init_sec_context.so g_init_sec_context.po $(OUTPRE)g_init_sec_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_init_sec_context.c \
- mechglue.h mglueP.h
-g_initialize.so g_initialize.po $(OUTPRE)g_initialize.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssapi.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../gss_libinit.h \
- ../generic/gssapi_err_generic.h g_initialize.c mechglue.h \
- mglueP.h
-g_inq_context.so g_inq_context.po $(OUTPRE)g_inq_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_inq_context.c mechglue.h \
- mglueP.h
-g_inq_cred.so g_inq_cred.po $(OUTPRE)g_inq_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_inq_cred.c mechglue.h \
- mglueP.h
-g_inq_names.so g_inq_names.po $(OUTPRE)g_inq_names.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_inq_names.c mechglue.h \
- mglueP.h
-g_mechname.so g_mechname.po $(OUTPRE)g_mechname.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_mechname.c mechglue.h \
- mglueP.h
-g_oid_ops.so g_oid_ops.po $(OUTPRE)g_oid_ops.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_oid_ops.c mechglue.h \
- mglueP.h
-g_process_context.so g_process_context.po $(OUTPRE)g_process_context.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_process_context.c \
- mechglue.h mglueP.h
-g_rel_buffer.so g_rel_buffer.po $(OUTPRE)g_rel_buffer.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_rel_buffer.c mechglue.h \
- mglueP.h
-g_rel_cred.so g_rel_cred.po $(OUTPRE)g_rel_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_rel_cred.c mechglue.h \
- mglueP.h
-g_rel_name.so g_rel_name.po $(OUTPRE)g_rel_name.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_rel_name.c mechglue.h \
- mglueP.h
-g_rel_oid_set.so g_rel_oid_set.po $(OUTPRE)g_rel_oid_set.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_rel_oid_set.c mechglue.h \
- mglueP.h
-g_seal.so g_seal.po $(OUTPRE)g_seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_seal.c mechglue.h \
- mglueP.h
-g_sign.so g_sign.po $(OUTPRE)g_sign.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(COM_ERR_DEPS) \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_sign.c mechglue.h \
- mglueP.h
-g_store_cred.so g_store_cred.po $(OUTPRE)g_store_cred.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_store_cred.c mechglue.h \
- mglueP.h
-g_unseal.so g_unseal.po $(OUTPRE)g_unseal.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_unseal.c mechglue.h \
- mglueP.h
-g_verify.so g_verify.po $(OUTPRE)g_verify.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h g_verify.c mechglue.h \
- mglueP.h
-oid_ops.so oid_ops.po $(OUTPRE)oid_ops.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- ../generic/gssapi_err_generic.h mechglue.h mglueP.h \
- oid_ops.c
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/deps (from rev 21721, trunk/src/lib/gssapi/mechglue/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_accept_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_accept_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -146,7 +146,7 @@
if(*context_handle == GSS_C_NO_CONTEXT) {
- if (GSS_EMPTY_BUFFER(input_token_buffer))
+ if (input_token_buffer == GSS_C_NO_BUFFER)
return (GSS_S_CALL_INACCESSIBLE_READ);
/* Get the token mech type */
@@ -193,9 +193,7 @@
mech = gssint_get_mechanism (token_mech_type);
if (mech && mech->gss_accept_sec_context) {
- status = mech->gss_accept_sec_context(
- mech->context,
- minor_status,
+ status = mech->gss_accept_sec_context(minor_status,
&union_ctx_id->internal_ctx_id,
input_cred_handle,
input_token_buffer,
@@ -236,7 +234,6 @@
output_token);
if (internal_name != GSS_C_NO_NAME)
mech->gss_release_name(
- mech->context,
&temp_minor_status,
&internal_name);
return (temp_status);
@@ -288,8 +285,7 @@
d_u_cred->loopback = d_u_cred;
if (mech->gss_inquire_cred) {
- status = mech->gss_inquire_cred(mech->context,
- minor_status,
+ status = mech->gss_inquire_cred(minor_status,
tmp_d_cred,
&internal_name,
&d_u_cred->auxinfo.time_rec,
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_acquire_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_acquire_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_acquire_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -381,8 +381,8 @@
internal_name = union_name->mech_name;
else {
if (gssint_import_internal_name(minor_status,
- &mech->mech_type, union_name,
- &allocated_name) != GSS_S_COMPLETE)
+ &mech->mech_type, union_name,
+ &allocated_name) != GSS_S_COMPLETE)
return (GSS_S_BAD_NAME);
internal_name = allocated_name;
}
@@ -397,8 +397,10 @@
else if (cred_usage == GSS_C_BOTH)
time_req = (acceptor_time_req > initiator_time_req) ?
acceptor_time_req : initiator_time_req;
+ else
+ time_req = 0;
- status = mech->gss_acquire_cred(mech->context, minor_status,
+ status = mech->gss_acquire_cred(minor_status,
internal_name, time_req,
GSS_C_NULL_OID_SET, cred_usage,
&cred, NULL, &time_rec);
@@ -421,7 +423,6 @@
if (internal_name == NULL) {
if (mech->gss_inquire_cred == NULL ||
((status = mech->gss_inquire_cred(
- mech->context,
&temp_minor_status, cred,
&allocated_name, NULL, NULL,
NULL)) != GSS_S_COMPLETE))
@@ -430,8 +431,7 @@
}
if (internal_name != GSS_C_NO_NAME) {
- status = mech->gss_display_name(mech->context,
- &temp_minor_status, internal_name,
+ status = mech->gss_display_name(&temp_minor_status, internal_name,
&union_cred->auxinfo.name,
&union_cred->auxinfo.name_type);
@@ -519,8 +519,7 @@
free(new_cred_array);
if (cred != NULL && mech->gss_release_cred)
- mech->gss_release_cred(mech->context,
- &temp_minor_status, &cred);
+ mech->gss_release_cred(&temp_minor_status, &cred);
if (allocated_name)
(void) gssint_release_internal_name(&temp_minor_status,
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_buffer_set.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_buffer_set.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_compare_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_compare_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_compare_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -72,7 +72,7 @@
{
OM_uint32 major_status, temp_minor;
gss_union_name_t union_name1, union_name2;
- gss_mechanism mech;
+ gss_mechanism mech = NULL;
gss_name_t internal_name;
major_status = val_comp_name_args(minor_status,
@@ -114,7 +114,11 @@
if ((union_name1->mech_name == 0) || (union_name2->mech_name == 0))
/* should never happen */
return (GSS_S_BAD_NAME);
- major_status = mech->gss_compare_name(mech->context, minor_status,
+ if (!mech)
+ return (GSS_S_BAD_MECH);
+ if (!mech->gss_compare_name)
+ return (GSS_S_UNAVAILABLE);
+ major_status = mech->gss_compare_name(minor_status,
union_name1->mech_name,
union_name2->mech_name,
name_equal);
@@ -190,7 +194,11 @@
if (major_status != GSS_S_COMPLETE)
return (GSS_S_COMPLETE); /* return complete, but not equal */
- major_status = mech->gss_compare_name(mech->context, minor_status,
+ if (!mech)
+ return (GSS_S_BAD_MECH);
+ if (!mech->gss_compare_name)
+ return (GSS_S_UNAVAILABLE);
+ major_status = mech->gss_compare_name(minor_status,
union_name1->mech_name,
internal_name, name_equal);
if (major_status != GSS_S_COMPLETE)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_complete_auth_token.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_complete_auth_token.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_context_time.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_context_time.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_context_time.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,7 +64,6 @@
if (mech->gss_context_time) {
status = mech->gss_context_time(
- mech->context,
minor_status,
ctx->internal_ctx_id,
time_rec);
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_delete_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_delete_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_delete_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -73,7 +73,6 @@
{
OM_uint32 status;
gss_union_ctx_id_t ctx;
- gss_mechanism mech;
status = val_del_sec_ctx_args(minor_status, context_handle, output_token);
if (status != GSS_S_COMPLETE)
@@ -87,29 +86,19 @@
ctx = (gss_union_ctx_id_t) *context_handle;
if (GSSINT_CHK_LOOP(ctx))
return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
+
+ status = gssint_delete_internal_sec_context(minor_status,
+ ctx->mech_type,
+ &ctx->internal_ctx_id,
+ output_token);
+ if (status)
+ return status;
- if (mech->gss_delete_sec_context) {
- status = mech->gss_delete_sec_context(
- mech->context,
- minor_status,
- &ctx->internal_ctx_id,
- output_token);
- if (status != GSS_S_COMPLETE)
- map_error(minor_status, mech);
- } else
- status = GSS_S_UNAVAILABLE;
+ /* now free up the space for the union context structure */
+ free(ctx->mech_type->elements);
+ free(ctx->mech_type);
+ free(*context_handle);
+ *context_handle = GSS_C_NO_CONTEXT;
- /* now free up the space for the union context structure */
- free(ctx->mech_type->elements);
- free(ctx->mech_type);
- free(*context_handle);
- *context_handle = NULL;
-
- return(status);
- }
-
- return (GSS_S_BAD_MECH);
+ return (GSS_S_COMPLETE);
}
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_dsp_status.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_dsp_status.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_dsp_status.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -121,7 +121,7 @@
if (mech && mech->gss_display_status) {
OM_uint32 r;
- r = mech->gss_display_status(mech->context, minor_status,
+ r = mech->gss_display_status(minor_status,
status_value, status_type, mech_type,
message_context, status_string);
/* How's this for weird? If we get an error returning the
@@ -358,12 +358,11 @@
/* now copy the status code and return to caller */
outStr->length = strlen(errStr);
- outStr->value = malloc((size_t)outStr->length+1);
+ outStr->value = strdup(errStr);
if (outStr->value == NULL) {
outStr->length = 0;
return (GSS_S_FAILURE);
}
- (void) strcpy((char *)outStr->value, errStr);
return (GSS_S_COMPLETE);
} /* displayMajor */
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_exp_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_exp_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_exp_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -101,7 +101,7 @@
if (!mech->gss_export_sec_context)
return (GSS_S_UNAVAILABLE);
- status = mech->gss_export_sec_context(mech->context, minor_status,
+ status = mech->gss_export_sec_context(minor_status,
&ctx->internal_ctx_id, &token);
if (status != GSS_S_COMPLETE) {
map_error(minor_status, mech);
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -56,3 +56,4 @@
return gssint_export_internal_name(minor_status, union_name->mech_type,
union_name->mech_name, exported_name);
}
+
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_export_name_object.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_export_name_object.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_glue.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_glue.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,7 +51,7 @@
/* p points to the beginning of the buffer */
unsigned char *p = *buf;
int length, new_length;
- int octets;
+ unsigned int octets;
if (buf_len < 1)
return (-1);
@@ -184,7 +184,7 @@
*
*/
-OM_uint32 gssint_get_mech_type(OID, token)
+OM_uint32 gssint_get_mech_type_oid(OID, token)
gss_OID OID;
gss_buffer_t token;
{
@@ -246,7 +246,44 @@
return (GSS_S_COMPLETE);
}
+/*
+ * The following mechanisms do not always identify themselves
+ * per the GSS-API specification, when interoperating with MS
+ * peers. We include the OIDs here so we do not have to ilnk
+ * with the mechanism.
+ */
+static gss_OID_desc gss_ntlm_mechanism_oid_desc =
+ {10, (void *)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"};
+static gss_OID_desc gss_spnego_mechanism_oid_desc =
+ {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+ {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+#define NTLMSSP_SIGNATURE "NTLMSSP"
+
+OM_uint32 gssint_get_mech_type(OID, token)
+ gss_OID OID;
+ gss_buffer_t token;
+{
+ /* Check for interoperability exceptions */
+ if (token->length >= sizeof(NTLMSSP_SIGNATURE) &&
+ memcmp(token->value, NTLMSSP_SIGNATURE,
+ sizeof(NTLMSSP_SIGNATURE)) == 0) {
+ *OID = gss_ntlm_mechanism_oid_desc;
+ } else if (token->length != 0 &&
+ ((char *)token->value)[0] == 0x6E) {
+ /* Could be a raw AP-REQ (check for APPLICATION tag) */
+ *OID = gss_krb5_mechanism_oid_desc;
+ } else if (token->length == 0) {
+ *OID = gss_spnego_mechanism_oid_desc;
+ } else {
+ return gssint_get_mech_type_oid(OID, token);
+ }
+
+ return (GSS_S_COMPLETE);
+}
+
+
/*
* Internal routines to get and release an internal mechanism name
*/
@@ -267,7 +304,6 @@
if (mech) {
if (mech->gss_import_name) {
status = mech->gss_import_name (
- mech->context,
minor_status,
union_name->external_name,
union_name->name_type,
@@ -306,8 +342,7 @@
return (GSS_S_BAD_MECH);
if (mech->gss_export_name) {
- status = mech->gss_export_name(mech->context,
- minor_status,
+ status = mech->gss_export_name(minor_status,
internal_name,
name_buf);
if (status != GSS_S_COMPLETE)
@@ -342,8 +377,7 @@
* mechanisms also, so that factoring name export/import out of
* the mech and into libgss pays off.
*/
- if ((status = mech->gss_display_name(mech->context,
- minor_status,
+ if ((status = mech->gss_display_name(minor_status,
internal_name,
&dispName,
&nameOid))
@@ -421,7 +455,6 @@
if (mech) {
if (mech->gss_display_name) {
status = mech->gss_display_name (
- mech->context,
minor_status,
internal_name,
external_name,
@@ -449,7 +482,6 @@
if (mech) {
if (mech->gss_release_name) {
status = mech->gss_release_name (
- mech->context,
minor_status,
internal_name);
if (status != GSS_S_COMPLETE)
@@ -463,7 +495,33 @@
return (GSS_S_BAD_MECH);
}
+OM_uint32 gssint_delete_internal_sec_context (minor_status,
+ mech_type,
+ internal_ctx,
+ output_token)
+OM_uint32 *minor_status;
+gss_OID mech_type;
+gss_ctx_id_t *internal_ctx;
+gss_buffer_t output_token;
+{
+ OM_uint32 status;
+ gss_mechanism mech;
+ mech = gssint_get_mechanism (mech_type);
+ if (mech) {
+ if (mech->gss_delete_sec_context)
+ status = mech->gss_delete_sec_context (minor_status,
+ internal_ctx,
+ output_token);
+ else
+ status = GSS_S_UNAVAILABLE;
+
+ return (status);
+ }
+
+ return (GSS_S_BAD_MECH);
+}
+
/*
* This function converts an internal gssapi name to a union gssapi
* name. Note that internal_name should be considered "consumed" by
@@ -501,10 +559,11 @@
union_name->external_name =
(gss_buffer_t) malloc(sizeof(gss_buffer_desc));
if (!union_name->external_name) {
+ major_status = GSS_S_FAILURE;
goto allocation_failure;
}
- major_status = mech->gss_display_name(mech->context, minor_status,
+ major_status = mech->gss_display_name(minor_status,
internal_name,
union_name->external_name,
&union_name->name_type);
@@ -550,13 +609,29 @@
gss_OID mech_type;
{
int i;
-
+
if (union_cred == GSS_C_NO_CREDENTIAL)
return GSS_C_NO_CREDENTIAL;
-
+
+ /* SPNEGO mechanism will again call into GSSAPI */
+ if (g_OID_equal(&gss_spnego_mechanism_oid_desc, mech_type))
+ return (gss_cred_id_t)union_cred;
+
for (i=0; i < union_cred->count; i++) {
if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
return union_cred->cred_array[i];
+
+ /* for SPNEGO, check the next-lower set of creds */
+ if (g_OID_equal(&gss_spnego_mechanism_oid_desc, &union_cred->mechs_array[i])) {
+ gss_union_cred_t candidate_cred;
+ gss_cred_id_t sub_cred;
+
+ candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
+ sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
+
+ if(sub_cred != GSS_C_NO_CREDENTIAL)
+ return sub_cred;
+ }
}
return GSS_C_NO_CREDENTIAL;
}
@@ -604,3 +679,4 @@
return (GSS_S_COMPLETE);
} /* ****** gssint_create_copy_buffer ****** */
+
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -252,7 +252,7 @@
* have created it.
*/
if (mech->gss_export_name) {
- major = mech->gss_import_name(mech->context, minor,
+ major = mech->gss_import_name(minor,
&expName, (gss_OID)GSS_C_NT_EXPORT_NAME,
&unionName->mech_name);
if (major != GSS_S_COMPLETE)
@@ -350,7 +350,7 @@
*/
expName.length = nameLen;
expName.value = nameLen ? (void *)buf : NULL;
- major = mech->gss_import_name(mech->context, minor, &expName,
+ major = mech->gss_import_name(minor, &expName,
GSS_C_NULL_OID, &unionName->mech_name);
if (major != GSS_S_COMPLETE) {
map_error(minor, mech);
@@ -363,3 +363,4 @@
}
return major;
} /* importExportName */
+
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_name_object.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_imp_name_object.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_imp_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -143,7 +143,7 @@
goto error_out;
}
- status = mech->gss_import_sec_context(mech->context, minor_status,
+ status = mech->gss_import_sec_context(minor_status,
&token, &ctx->internal_ctx_id);
if (status == GSS_S_COMPLETE) {
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_init_sec_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_init_sec_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_init_sec_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -209,7 +209,6 @@
*/
status = mech->gss_init_sec_context(
- mech->context,
minor_status,
input_cred_handle,
&union_ctx_id->internal_ctx_id,
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_initialize.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_initialize.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,10 +27,15 @@
*/
#include "mglueP.h"
-#include "gss_libinit.h"
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
#include <stdio.h>
#include <string.h>
@@ -40,16 +45,27 @@
#define M_DEFAULT "default"
#include "k5-thread.h"
+#include "k5-plugin.h"
+#include "osconf.h"
+#ifdef _GSS_STATIC_LINK
+#include "gssapiP_krb5.h"
+#include "gssapiP_spnego.h"
+#endif
+#define MECH_SYM "gss_mech_initialize"
+
+#ifndef MECH_CONF
+#define MECH_CONF "/etc/gss/mech"
+#endif
+
/* Local functions */
static gss_mech_info searchMechList(const gss_OID);
+static void loadConfigFile(const char *);
static void updateMechList(void);
static void freeMechList(void);
-static void register_mech(gss_mechanism, const char *, void *);
static OM_uint32 build_mechSet(void);
static void free_mechSet(void);
-static void init_hardcoded(void);
/*
* list of mechanism libraries and their entry points.
@@ -58,28 +74,67 @@
static gss_mech_info g_mechList = NULL;
static gss_mech_info g_mechListTail = NULL;
static k5_mutex_t g_mechListLock = K5_MUTEX_PARTIAL_INITIALIZER;
+static time_t g_confFileModTime = (time_t)0;
+static time_t g_mechSetTime = (time_t)0;
static gss_OID_set_desc g_mechSet = { 0, NULL };
static k5_mutex_t g_mechSetLock = K5_MUTEX_PARTIAL_INITIALIZER;
+MAKE_INIT_FUNCTION(gssint_mechglue_init);
+MAKE_FINI_FUNCTION(gssint_mechglue_fini);
+
int
gssint_mechglue_init(void)
{
int err;
+#ifdef SHOW_INITFINI_FUNCS
+ printf("gssint_mechglue_init\n");
+#endif
+
+ add_error_table(&et_ggss_error_table);
+
err = k5_mutex_finish_init(&g_mechSetLock);
- return k5_mutex_finish_init(&g_mechListLock);
+ err = k5_mutex_finish_init(&g_mechListLock);
+
+#ifdef _GSS_STATIC_LINK
+ err = gss_krb5int_lib_init();
+ err = gss_spnegoint_lib_init();
+#endif
+
+ return err;
}
void
gssint_mechglue_fini(void)
{
+ if (!INITIALIZER_RAN(gssint_mechglue_init) || PROGRAM_EXITING()) {
+#ifdef SHOW_INITFINI_FUNCS
+ printf("gssint_mechglue_fini: skipping\n");
+#endif
+ return;
+ }
+
+#ifdef SHOW_INITFINI_FUNCS
+ printf("gssint_mechglue_fini\n");
+#endif
+#ifdef _GSS_STATIC_LINK
+ gss_spnegoint_lib_fini();
+ gss_krb5int_lib_fini();
+#endif
k5_mutex_destroy(&g_mechSetLock);
k5_mutex_destroy(&g_mechListLock);
free_mechSet();
freeMechList();
+ remove_error_table(&et_ggss_error_table);
+ gssint_mecherrmap_destroy();
}
+int
+gssint_mechglue_initialize_library(void)
+{
+ return CALL_INIT_FUNCTION(gssint_mechglue_init);
+}
/*
* function used to reclaim the memory used by a gss_OID structure.
@@ -93,13 +148,12 @@
OM_uint32 major;
gss_mech_info aMech;
- if (gssint_initialize_library())
- return GSS_S_FAILURE;
-
if (minor_status == NULL)
return (GSS_S_CALL_INACCESSIBLE_WRITE);
- *minor_status = 0;
+ *minor_status = gssint_mechglue_initialize_library();
+ if (*minor_status != 0)
+ return (GSS_S_FAILURE);
*minor_status = k5_mutex_lock(&g_mechListLock);
if (*minor_status)
@@ -116,7 +170,6 @@
*/
if (aMech->mech && aMech->mech->gss_internal_release_oid) {
major = aMech->mech->gss_internal_release_oid(
- aMech->mech->context,
minor_status, oid);
if (major == GSS_S_COMPLETE) {
k5_mutex_unlock(&g_mechListLock);
@@ -146,6 +199,8 @@
OM_uint32 *minorStatus;
gss_OID_set *mechSet;
{
+ char *fileName;
+ struct stat fileInfo;
unsigned int i, j;
gss_OID curItem;
@@ -161,9 +216,20 @@
if (minorStatus == NULL || mechSet == NULL)
return (GSS_S_CALL_INACCESSIBLE_WRITE);
- if (gssint_initialize_library())
- return GSS_S_FAILURE;
+ *minorStatus = gssint_mechglue_initialize_library();
+ if (*minorStatus != 0)
+ return (GSS_S_FAILURE);
+ fileName = MECH_CONF;
+
+ /*
+ * If we have already computed the mechanisms supported and if it
+ * is still valid; make a copy and return to caller,
+ * otherwise build it first.
+ */
+ if ((stat(fileName, &fileInfo) == 0 &&
+ fileInfo.st_mtime > g_mechSetTime)) {
+ } /* if g_mechSet is out of date or not initialized */
if (build_mechSet())
return GSS_S_FAILURE;
@@ -247,7 +313,8 @@
build_mechSet(void)
{
gss_mech_info mList;
- int i, count;
+ size_t i;
+ size_t count;
gss_OID curItem;
/*
@@ -260,6 +327,20 @@
if (k5_mutex_lock(&g_mechListLock) != 0)
return GSS_S_FAILURE;
+#if 0
+ /*
+ * this checks for the case when we need to re-construct the
+ * g_mechSet structure, but the mechanism list is upto date
+ * (because it has been read by someone calling
+ * gssint_get_mechanism)
+ */
+ if (fileInfo.st_mtime > g_confFileModTime)
+ {
+ g_confFileModTime = fileInfo.st_mtime;
+ loadConfigFile(fileName);
+ }
+#endif
+
updateMechList();
/*
@@ -323,6 +404,9 @@
}
}
+#if 0
+ g_mechSetTime = fileInfo.st_mtime;
+#endif
(void) k5_mutex_unlock(&g_mechSetLock);
(void) k5_mutex_unlock(&g_mechListLock);
@@ -344,6 +428,9 @@
gss_mech_info aMech;
char *modOptions = NULL;
+ if (gssint_mechglue_initialize_library() != 0)
+ return (NULL);
+
/* make sure we have fresh data */
if (k5_mutex_lock(&g_mechListLock) != 0)
return NULL;
@@ -375,6 +462,9 @@
*oid = GSS_C_NULL_OID;
+ if (gssint_mechglue_initialize_library() != 0)
+ return (GSS_S_FAILURE);
+
if ((mechStr == NULL) || (strlen(mechStr) == 0) ||
(strcasecmp(mechStr, M_DEFAULT) == 0))
return (GSS_S_COMPLETE);
@@ -413,6 +503,9 @@
if (oid == GSS_C_NULL_OID)
return (M_DEFAULT);
+ if (gssint_mechglue_initialize_library() != 0)
+ return (NULL);
+
/* ensure we have fresh data */
if (k5_mutex_lock(&g_mechListLock) != 0)
return NULL;
@@ -437,11 +530,12 @@
gss_mech_info aMech;
int i;
- if (gssint_initialize_library())
- return GSS_S_FAILURE;
if (mechArray == NULL || arrayLen < 1)
return (GSS_S_CALL_INACCESSIBLE_WRITE);
+ if (gssint_mechglue_initialize_library() != 0)
+ return (GSS_S_FAILURE);
+
/* ensure we have fresh data */
if (k5_mutex_lock(&g_mechListLock) != 0)
return GSS_S_FAILURE;
@@ -463,7 +557,6 @@
return (GSS_S_COMPLETE);
} /* gss_get_mechanisms */
-
/*
* determines if the mechList needs to be updated from file
* and performs the update.
@@ -472,56 +565,128 @@
static void
updateMechList(void)
{
-
+ char *fileName;
+ struct stat fileInfo;
+
+ fileName = MECH_CONF;
+
+ /* check if mechList needs updating */
+ if (stat(fileName, &fileInfo) == 0 &&
+ (fileInfo.st_mtime > g_confFileModTime)) {
+ loadConfigFile(fileName);
+ g_confFileModTime = fileInfo.st_mtime;
+ }
+#if 0
init_hardcoded();
-
+#endif
} /* updateMechList */
+#ifdef _GSS_STATIC_LINK
static void
-freeMechList(void)
+releaseMechInfo(gss_mech_info *pCf)
{
- gss_mech_info cf, next_cf;
+ gss_mech_info cf;
+ OM_uint32 minor_status;
- for (cf = g_mechList; cf != NULL; cf = next_cf) {
- next_cf = cf->next;
+ if (*pCf == NULL) {
+ return;
+ }
+
+ cf = *pCf;
+
+ if (cf->kmodName != NULL)
+ free(cf->kmodName);
+ if (cf->uLibName != NULL)
free(cf->uLibName);
+ if (cf->mechNameStr != NULL)
free(cf->mechNameStr);
- free(cf);
+ if (cf->optionStr != NULL)
+ free(cf->optionStr);
+ if (cf->mech_type != GSS_C_NO_OID &&
+ cf->mech_type != &cf->mech->mech_type)
+ generic_gss_release_oid(&minor_status, &cf->mech_type);
+ if (cf->mech != NULL) {
+ memset(cf->mech, 0, sizeof(*cf->mech));
+ free(cf->mech);
}
+ if (cf->dl_handle != NULL)
+ krb5int_close_plugin(cf->dl_handle);
+
+ memset(cf, 0, sizeof(*cf));
+ free(cf);
+
+ *pCf = NULL;
}
/*
* Register a mechanism. Called with g_mechListLock held.
*/
-static void
-register_mech(gss_mechanism mech, const char *namestr, void *dl_handle)
+int
+gssint_register_mechinfo(gss_mech_info template)
{
gss_mech_info cf, new_cf;
- new_cf = malloc(sizeof(*new_cf));
- if (new_cf == NULL)
- return;
+ new_cf = calloc(1, sizeof(*new_cf));
+ if (new_cf == NULL) {
+ return ENOMEM;
+ }
- memset(new_cf, 0, sizeof(*new_cf));
- new_cf->kmodName = NULL;
- new_cf->uLibName = strdup(namestr);
- new_cf->mechNameStr = strdup(mech->mechNameStr);
- new_cf->mech_type = &mech->mech_type;
- new_cf->mech = mech;
+ new_cf->dl_handle = template->dl_handle;
+ /* copy mech so we can rewrite canonical mechanism OID */
+ new_cf->mech = (gss_mechanism)calloc(1, sizeof(struct gss_config));
+ if (new_cf->mech == NULL) {
+ releaseMechInfo(&new_cf);
+ return ENOMEM;
+ }
+ memcpy(new_cf->mech, template->mech, sizeof(struct gss_config));
+ if (template->mech_type != NULL)
+ new_cf->mech->mech_type = *(template->mech_type);
+ new_cf->mech_type = &new_cf->mech->mech_type;
+ new_cf->priority = template->priority;
+ new_cf->freeMech = 1;
new_cf->next = NULL;
+ if (template->kmodName != NULL) {
+ new_cf->kmodName = strdup(template->kmodName);
+ if (new_cf->kmodName == NULL) {
+ releaseMechInfo(&new_cf);
+ return ENOMEM;
+ }
+ }
+ if (template->uLibName != NULL) {
+ new_cf->uLibName = strdup(template->uLibName);
+ if (new_cf->uLibName == NULL) {
+ releaseMechInfo(&new_cf);
+ return ENOMEM;
+ }
+ }
+ if (template->mechNameStr != NULL) {
+ new_cf->mechNameStr = strdup(template->mechNameStr);
+ if (new_cf->mechNameStr == NULL) {
+ releaseMechInfo(&new_cf);
+ return ENOMEM;
+ }
+ }
+ if (template->optionStr != NULL) {
+ new_cf->optionStr = strdup(template->optionStr);
+ if (new_cf->optionStr == NULL) {
+ releaseMechInfo(&new_cf);
+ return ENOMEM;
+ }
+ }
if (g_mechList == NULL) {
g_mechList = new_cf;
g_mechListTail = new_cf;
- return;
- } else if (mech->priority < g_mechList->mech->priority) {
+ return 0;
+ } else if (new_cf->priority < g_mechList->priority) {
new_cf->next = g_mechList;
g_mechList = new_cf;
- return;
+ return 0;
}
+
for (cf = g_mechList; cf != NULL; cf = cf->next) {
if (cf->next == NULL ||
- mech->priority < cf->next->mech->priority) {
+ new_cf->priority < cf->next->priority) {
new_cf->next = cf->next;
cf->next = new_cf;
if (g_mechListTail == cf) {
@@ -530,36 +695,113 @@
break;
}
}
+
+ return 0;
}
+#endif /* _GSS_STATIC_LINK */
-/*
- * Initialize the hardcoded mechanisms. This function is called with
- * g_mechListLock held.
- */
+#define GSS_ADD_DYNAMIC_METHOD(_dl, _mech, _symbol) \
+ do { \
+ struct errinfo errinfo; \
+ \
+ memset(&errinfo, 0, sizeof(errinfo)); \
+ if (krb5int_get_plugin_func(_dl, \
+ #_symbol, \
+ (void (**)())&(_mech)->_symbol, \
+ &errinfo) || errinfo.code) \
+ (_mech)->_symbol = NULL; \
+ } while (0)
+
+static gss_mechanism
+build_dynamicMech(void *dl, const gss_OID mech_type)
+{
+ gss_mechanism mech;
+
+ mech = (gss_mechanism)calloc(1, sizeof(*mech));
+ if (mech == NULL) {
+ return NULL;
+ }
+
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_acquire_cred);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_release_cred);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_init_sec_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_accept_sec_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_process_context_token);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_delete_sec_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_context_time);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_get_mic);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_verify_mic);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_display_status);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_indicate_mechs);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_compare_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_display_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_import_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_release_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_cred);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_add_cred);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_sec_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_import_sec_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_cred_by_mech);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_names_for_mech);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_context);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_internal_release_oid);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_size_limit);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_store_cred);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_import_name_object);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_name_object);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_sec_context_by_oid);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_cred_by_oid);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_set_sec_context_option);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_set_cred_option);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_mech_invoke);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_aead);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap_aead);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap_iov);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov_length);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_complete_auth_token);
+
+ assert(mech_type != GSS_C_NO_OID);
+
+ mech->mech_type = *(mech_type);
+
+ return mech;
+}
+
static void
-init_hardcoded(void)
+freeMechList(void)
{
- gss_mechanism *cflist;
- static int inited;
+ gss_mech_info cf, next_cf;
+ OM_uint32 minor;
- if (inited)
- return;
-
- cflist = krb5_gss_get_mech_configs();
- if (cflist == NULL)
- return;
- for ( ; *cflist != NULL; cflist++) {
- register_mech(*cflist, "<builtin krb5>", NULL);
+ for (cf = g_mechList; cf != NULL; cf = next_cf) {
+ next_cf = cf->next;
+ if (cf->kmodName != NULL)
+ free(cf->kmodName);
+ if (cf->uLibName != NULL)
+ free(cf->uLibName);
+ if (cf->mechNameStr != NULL)
+ free(cf->mechNameStr);
+ if (cf->optionStr != NULL)
+ free(cf->optionStr);
+ if (cf->mech_type != &cf->mech->mech_type)
+ generic_gss_release_oid(&minor, &cf->mech_type);
+ if (cf->mech != NULL && cf->freeMech)
+ free(cf->mech);
+ if (cf->mech_ext != NULL && cf->freeMech)
+ free(cf->mech_ext);
+ if (cf->dl_handle != NULL)
+ (void) krb5int_close_plugin(cf->dl_handle);
+ free(cf);
}
- cflist = spnego_gss_get_mech_configs();
- if (cflist == NULL)
- return;
- for ( ; *cflist != NULL; cflist++) {
- register_mech(*cflist, "<builtin spnego>", NULL);
- }
- inited = 1;
}
+/*
+ * Register a mechanism. Called with g_mechListLock held.
+ */
/*
* given the mechanism type, return the mechanism structure
@@ -569,12 +811,16 @@
* module if it has not been already loaded.
*/
gss_mechanism
-gssint_get_mechanism(gss_OID oid)
+gssint_get_mechanism(oid)
+const gss_OID oid;
{
gss_mech_info aMech;
+ gss_mechanism (*sym)(const gss_OID);
+ struct plugin_file_handle *dl;
+ struct errinfo errinfo;
- if (gssint_initialize_library())
- return NULL;
+ if (gssint_mechglue_initialize_library() != 0)
+ return (NULL);
if (k5_mutex_lock(&g_mechListLock) != 0)
return NULL;
@@ -602,12 +848,103 @@
if (aMech->mech) {
(void) k5_mutex_unlock(&g_mechListLock);
return (aMech->mech);
+ }
+
+ memset(&errinfo, 0, sizeof(errinfo));
+
+ if (krb5int_open_plugin(aMech->uLibName, &dl, &errinfo) != 0 ||
+ errinfo.code != 0) {
+#if 0
+ (void) syslog(LOG_INFO, "libgss dlopen(%s): %s\n",
+ aMech->uLibName, dlerror());
+#endif
+ (void) k5_mutex_unlock(&g_mechListLock);
+ return ((gss_mechanism)NULL);
+ }
+
+ if (krb5int_get_plugin_func(dl, MECH_SYM, (void (**)())&sym,
+ &errinfo) == 0) {
+ /* Call the symbol to get the mechanism table */
+ aMech->mech = (*sym)(aMech->mech_type);
} else {
- return NULL;
+ /* Try dynamic dispatch table */
+ aMech->mech = build_dynamicMech(dl, aMech->mech_type);
+ aMech->freeMech = 1;
}
+ if (aMech->mech == NULL) {
+ (void) krb5int_close_plugin(dl);
+#if 0
+ (void) syslog(LOG_INFO, "unable to initialize mechanism"
+ " library [%s]\n", aMech->uLibName);
+#endif
+ (void) k5_mutex_unlock(&g_mechListLock);
+ return ((gss_mechanism)NULL);
+ }
+
+ aMech->dl_handle = dl;
+
+ (void) k5_mutex_unlock(&g_mechListLock);
+ return (aMech->mech);
} /* gssint_get_mechanism */
+gss_mechanism_ext
+gssint_get_mechanism_ext(oid)
+const gss_OID oid;
+{
+ gss_mech_info aMech;
+ gss_mechanism_ext mech_ext;
+ if (gssint_mechglue_initialize_library() != 0)
+ return (NULL);
+
+ /* check if the mechanism is already loaded */
+ if ((aMech = searchMechList(oid)) != NULL && aMech->mech_ext != NULL)
+ return (aMech->mech_ext);
+
+ if (gssint_get_mechanism(oid) == NULL)
+ return (NULL);
+
+ if (aMech->dl_handle == NULL)
+ return (NULL);
+
+ /* Load the gss_config_ext struct for this mech */
+
+ mech_ext = (gss_mechanism_ext)malloc(sizeof (struct gss_config_ext));
+
+ if (mech_ext == NULL)
+ return (NULL);
+
+#if 0
+ /*
+ * dlsym() the mech's 'method' functions for the extended APIs
+ *
+ * NOTE: Until the void *context argument is removed from the
+ * SPI method functions' signatures it will be necessary to have
+ * different function pointer typedefs and function names for
+ * the SPI methods than for the API. When this argument is
+ * removed it will be possible to rename gss_*_sfct to gss_*_fct
+ * and and gssspi_* to gss_*.
+ */
+ mech_ext->gss_acquire_cred_with_password =
+ (gss_acquire_cred_with_password_sfct)dlsym(aMech->dl_handle,
+ "gssspi_acquire_cred_with_password");
+#endif
+
+ /* Set aMech->mech_ext */
+ (void) k5_mutex_lock(&g_mechListLock);
+
+ if (aMech->mech_ext == NULL)
+ aMech->mech_ext = mech_ext;
+ else
+ free(mech_ext); /* we raced and lost; don't leak */
+
+ (void) k5_mutex_unlock(&g_mechListLock);
+
+ return (aMech->mech_ext);
+
+} /* gssint_get_mechanism_ext */
+
+
/*
* this routine is used for searching the list of mechanism data.
*
@@ -631,3 +968,235 @@
/* none found */
return ((gss_mech_info) NULL);
} /* searchMechList */
+
+
+/*
+ * loads the configuration file
+ * this is called while having a mutex lock on the mechanism list
+ * entries for libraries that have been loaded can't be modified
+ * mechNameStr and mech_type fields are not updated during updates
+ */
+static void loadConfigFile(fileName)
+const char *fileName;
+{
+ char buffer[BUFSIZ], *oidStr, *oid, *sharedLib, *kernMod, *endp;
+ char *modOptions;
+ char sharedPath[sizeof (MECH_LIB_PREFIX) + BUFSIZ];
+ char *tmpStr;
+ FILE *confFile;
+ gss_OID mechOid;
+ gss_mech_info aMech, tmp;
+ OM_uint32 minor;
+ gss_buffer_desc oidBuf;
+
+ if ((confFile = fopen(fileName, "r")) == NULL) {
+ return;
+ }
+
+ (void) memset(buffer, 0, sizeof (buffer));
+ while (fgets(buffer, BUFSIZ, confFile) != NULL) {
+
+ /* ignore lines beginning with # */
+ if (*buffer == '#')
+ continue;
+
+ /*
+ * find the first white-space character after
+ * the mechanism name
+ */
+ oidStr = buffer;
+ for (oid = buffer; *oid && !isspace(*oid); oid++);
+
+ /* Now find the first non-white-space character */
+ if (*oid) {
+ *oid = '\0';
+ oid++;
+ while (*oid && isspace(*oid))
+ oid++;
+ }
+
+ /*
+ * If that's all, then this is a corrupt entry. Skip it.
+ */
+ if (! *oid)
+ continue;
+
+ /* Find the end of the oid and make sure it is NULL-ended */
+ for (endp = oid; *endp && !isspace(*endp); endp++)
+ ;
+
+ if (*endp) {
+ *endp = '\0';
+ }
+
+ /*
+ * check if an entry for this oid already exists
+ * if it does, and the library is already loaded then
+ * we can't modify it, so skip it
+ */
+ oidBuf.value = (void *)oid;
+ oidBuf.length = strlen(oid);
+ if (generic_gss_str_to_oid(&minor, &oidBuf, &mechOid)
+ != GSS_S_COMPLETE) {
+#if 0
+ (void) syslog(LOG_INFO, "invalid mechanism oid"
+ " [%s] in configuration file", oid);
+#endif
+ continue;
+ }
+
+ aMech = searchMechList(mechOid);
+ if (aMech && aMech->mech) {
+ generic_gss_release_oid(&minor, &mechOid);
+ continue;
+ }
+
+ /* Find the start of the shared lib name */
+ for (sharedLib = endp+1; *sharedLib && isspace(*sharedLib);
+ sharedLib++)
+ ;
+
+ /*
+ * If that's all, then this is a corrupt entry. Skip it.
+ */
+ if (! *sharedLib) {
+ generic_gss_release_oid(&minor, &mechOid);
+ continue;
+ }
+
+ /*
+ * Find the end of the shared lib name and make sure it is
+ * NULL-terminated.
+ */
+ for (endp = sharedLib; *endp && !isspace(*endp); endp++)
+ ;
+
+ if (*endp) {
+ *endp = '\0';
+ }
+
+ /* Find the start of the optional kernel module lib name */
+ for (kernMod = endp+1; *kernMod && isspace(*kernMod);
+ kernMod++)
+ ;
+
+ /*
+ * If this item starts with a bracket "[", then
+ * it is not a kernel module, but is a list of
+ * options for the user module to parse later.
+ */
+ if (*kernMod && *kernMod != '[') {
+ /*
+ * Find the end of the shared lib name and make sure
+ * it is NULL-terminated.
+ */
+ for (endp = kernMod; *endp && !isspace(*endp); endp++)
+ ;
+
+ if (*endp) {
+ *endp = '\0';
+ }
+ } else
+ kernMod = NULL;
+
+ /* Find the start of the optional module options list */
+ for (modOptions = endp+1; *modOptions && isspace(*modOptions);
+ modOptions++);
+
+ if (*modOptions == '[') {
+ /* move past the opening bracket */
+ for (modOptions = modOptions+1;
+ *modOptions && isspace(*modOptions);
+ modOptions++);
+
+ /* Find the closing bracket */
+ for (endp = modOptions;
+ *endp && *endp != ']'; endp++);
+
+ if (endp)
+ *endp = '\0';
+
+ } else {
+ modOptions = NULL;
+ }
+
+ snprintf(sharedPath, sizeof(sharedPath), "%s%s", MECH_LIB_PREFIX, sharedLib);
+
+ /*
+ * are we creating a new mechanism entry or
+ * just modifying existing (non loaded) mechanism entry
+ */
+ if (aMech) {
+ /*
+ * delete any old values and set new
+ * mechNameStr and mech_type are not modified
+ */
+ if (aMech->kmodName) {
+ free(aMech->kmodName);
+ aMech->kmodName = NULL;
+ }
+
+ if (aMech->optionStr) {
+ free(aMech->optionStr);
+ aMech->optionStr = NULL;
+ }
+
+ if ((tmpStr = strdup(sharedPath)) != NULL) {
+ if (aMech->uLibName)
+ free(aMech->uLibName);
+ aMech->uLibName = tmpStr;
+ }
+
+ if (kernMod) /* this is an optional parameter */
+ aMech->kmodName = strdup(kernMod);
+
+ if (modOptions) /* optional module options */
+ aMech->optionStr = strdup(modOptions);
+
+ /* the oid is already set */
+ generic_gss_release_oid(&minor, &mechOid);
+ continue;
+ }
+
+ /* adding a new entry */
+ aMech = calloc(1, sizeof (struct gss_mech_config));
+ if (aMech == NULL) {
+ generic_gss_release_oid(&minor, &mechOid);
+ continue;
+ }
+ aMech->mech_type = mechOid;
+ aMech->uLibName = strdup(sharedPath);
+ aMech->mechNameStr = strdup(oidStr);
+ aMech->freeMech = 0;
+
+ /* check if any memory allocations failed - bad news */
+ if (aMech->uLibName == NULL || aMech->mechNameStr == NULL) {
+ if (aMech->uLibName)
+ free(aMech->uLibName);
+ if (aMech->mechNameStr)
+ free(aMech->mechNameStr);
+ generic_gss_release_oid(&minor, &mechOid);
+ free(aMech);
+ continue;
+ }
+ if (kernMod) /* this is an optional parameter */
+ aMech->kmodName = strdup(kernMod);
+
+ if (modOptions)
+ aMech->optionStr = strdup(modOptions);
+ /*
+ * add the new entry to the end of the list - make sure
+ * that only complete entries are added because other
+ * threads might currently be searching the list.
+ */
+ tmp = g_mechListTail;
+ g_mechListTail = aMech;
+
+ if (tmp != NULL)
+ tmp->next = aMech;
+
+ if (g_mechList == NULL)
+ g_mechList = aMech;
+ } /* while */
+ (void) fclose(confFile);
+} /* loadConfigFile */
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -111,7 +111,6 @@
}
status = mech->gss_inquire_context(
- mech->context,
minor_status,
ctx->internal_ctx_id,
(src_name ? &localSourceName : NULL),
@@ -135,8 +134,7 @@
if (status != GSS_S_COMPLETE) {
if (localTargName)
- mech->gss_release_name(mech->context,
- &temp_minor, &localTargName);
+ mech->gss_release_name(&temp_minor, &localTargName);
return (status);
}
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_context_oid.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -86,7 +86,7 @@
if (!mech->gss_inquire_cred)
return (GSS_S_UNAVAILABLE);
- status = mech->gss_inquire_cred(mech->context, minor_status,
+ status = mech->gss_inquire_cred(minor_status,
GSS_C_NO_CREDENTIAL,
name ? &internal_name : NULL,
lifetime, cred_usage, mechanisms);
@@ -143,7 +143,9 @@
*/
if(name != NULL) {
- if ((gss_import_name(&temp_minor_status,
+ if (union_cred->auxinfo.name.length == 0) {
+ *name = GSS_C_NO_NAME;
+ } else if ((gss_import_name(&temp_minor_status,
&union_cred->auxinfo.name,
union_cred->auxinfo.name_type,
name) != GSS_S_COMPLETE) ||
@@ -246,7 +248,7 @@
return (GSS_S_DEFECTIVE_CREDENTIAL);
#endif
- status = mech->gss_inquire_cred_by_mech(mech->context, minor_status,
+ status = mech->gss_inquire_cred_by_mech(minor_status,
mech_cred, mech_type,
name ? &internal_name : NULL,
initiator_lifetime,
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_cred_oid.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_names.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_names.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_inq_names.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -69,7 +69,6 @@
if (mech->gss_inquire_names_for_mech) {
status = mech->gss_inquire_names_for_mech(
- mech->context,
minor_status,
mechanism,
name_types);
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_mech_invoke.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_mech_invoke.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_oid_ops.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_oid_ops.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_oid_ops.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -100,3 +100,12 @@
return status;
}
+OM_uint32 KRB5_CALLCONV
+gssint_copy_oid_set(
+ OM_uint32 *minor_status,
+ const gss_OID_set_desc * const oidset,
+ gss_OID_set *new_oidset)
+{
+ return generic_gss_copy_oid_set(minor_status, oidset, new_oidset);
+}
+
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_process_context.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_process_context.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_process_context.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -67,7 +67,6 @@
if (mech->gss_process_context_token) {
status = mech->gss_process_context_token(
- mech->context,
minor_status,
ctx->internal_ctx_id,
token_buffer);
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -78,7 +78,7 @@
if (mech) {
if (mech->gss_release_cred) {
temp_status = mech->gss_release_cred
- (mech->context,
+ (
minor_status,
&union_cred->cred_array[j]);
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_name.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_name.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_name.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -48,7 +48,7 @@
*minor_status = 0;
/* if input_name is NULL, return error */
- if (input_name == 0)
+ if (input_name == NULL)
return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME);
if (*input_name == GSS_C_NO_NAME)
@@ -65,16 +65,19 @@
*input_name = 0;
*minor_status = 0;
- if (union_name->name_type)
- gss_release_oid(minor_status, &union_name->name_type);
-
- free(union_name->external_name->value);
- free(union_name->external_name);
+ if (union_name->name_type != GSS_C_NO_OID)
+ gss_release_oid(minor_status, &union_name->name_type);
+ if (union_name->external_name != GSS_C_NO_BUFFER) {
+ if (union_name->external_name->value != NULL)
+ free(union_name->external_name->value);
+ free(union_name->external_name);
+ }
+
if (union_name->mech_type) {
- gssint_release_internal_name(minor_status, union_name->mech_type,
- &union_name->mech_name);
- gss_release_oid(minor_status, &union_name->mech_type);
+ gssint_release_internal_name(minor_status, union_name->mech_type,
+ &union_name->mech_name);
+ gss_release_oid(minor_status, &union_name->mech_type);
}
free(union_name);
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_oid_set.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_oid_set.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_rel_oid_set.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,25 +39,5 @@
OM_uint32 * minor_status;
gss_OID_set * set;
{
- OM_uint32 i;
- gss_OID oid;
- if (minor_status)
- *minor_status = 0;
-
- if (set == NULL)
- return GSS_S_COMPLETE;
-
- if (*set == GSS_C_NULL_OID_SET)
- return(GSS_S_COMPLETE);
-
- for (i=0; i<(*set)->count; i++) {
- oid = &(*set)->elements[i];
- free(oid->elements);
- }
- free((*set)->elements);
- free(*set);
-
- *set = GSS_C_NULL_OID_SET;
-
- return(GSS_S_COMPLETE);
+ return generic_gss_release_oid_set(minor_status, set);
}
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_seal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_seal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_seal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,17 +23,17 @@
*/
/*
- * glue routine for gss_seal
+ * glue routine for gss_wrap
*/
#include "mglueP.h"
static OM_uint32
-val_seal_args(
+val_wrap_args(
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
- int qop_req,
+ gss_qop_t qop_req,
gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer)
@@ -66,9 +66,8 @@
return (GSS_S_COMPLETE);
}
-
OM_uint32 KRB5_CALLCONV
-gss_seal (minor_status,
+gss_wrap (minor_status,
context_handle,
conf_req_flag,
qop_req,
@@ -79,7 +78,7 @@
OM_uint32 * minor_status;
gss_ctx_id_t context_handle;
int conf_req_flag;
-int qop_req;
+gss_qop_t qop_req;
gss_buffer_t input_message_buffer;
int * conf_state;
gss_buffer_t output_message_buffer;
@@ -90,7 +89,7 @@
gss_union_ctx_id_t ctx;
gss_mechanism mech;
- status = val_seal_args(minor_status, context_handle,
+ status = val_wrap_args(minor_status, context_handle,
conf_req_flag, qop_req,
input_message_buffer, conf_state,
output_message_buffer);
@@ -106,9 +105,8 @@
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
- if (mech->gss_seal) {
- status = mech->gss_seal(
- mech->context,
+ if (mech->gss_wrap) {
+ status = mech->gss_wrap(
minor_status,
ctx->internal_ctx_id,
conf_req_flag,
@@ -118,9 +116,20 @@
output_message_buffer);
if (status != GSS_S_COMPLETE)
map_error(minor_status, mech);
+ } else if (mech->gss_wrap_aead ||
+ (mech->gss_wrap_iov && mech->gss_wrap_iov_length)) {
+ status = gssint_wrap_aead(mech,
+ minor_status,
+ ctx,
+ conf_req_flag,
+ (gss_qop_t)qop_req,
+ GSS_C_NO_BUFFER,
+ input_message_buffer,
+ conf_state,
+ output_message_buffer);
} else
status = GSS_S_UNAVAILABLE;
-
+
return(status);
}
/* EXPORT DELETE END */
@@ -129,7 +138,7 @@
}
OM_uint32 KRB5_CALLCONV
-gss_wrap (minor_status,
+gss_seal (minor_status,
context_handle,
conf_req_flag,
qop_req,
@@ -140,19 +149,74 @@
OM_uint32 * minor_status;
gss_ctx_id_t context_handle;
int conf_req_flag;
-gss_qop_t qop_req;
+int qop_req;
gss_buffer_t input_message_buffer;
int * conf_state;
gss_buffer_t output_message_buffer;
{
- return gss_seal(minor_status, (gss_ctx_id_t)context_handle,
- conf_req_flag, (int) qop_req,
- (gss_buffer_t)input_message_buffer, conf_state,
+ return gss_wrap(minor_status, context_handle,
+ conf_req_flag, (gss_qop_t) qop_req,
+ input_message_buffer, conf_state,
output_message_buffer);
}
/*
+ * It is only possible to implement gss_wrap_size_limit() on top
+ * of gss_wrap_iov_length() for mechanisms that do not use any
+ * padding and have fixed length headers/trailers.
+ */
+static OM_uint32
+gssint_wrap_size_limit_iov_shim(gss_mechanism mech,
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ gss_iov_buffer_desc iov[4];
+ OM_uint32 status;
+ OM_uint32 ohlen;
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[0].buffer.value = NULL;
+ iov[0].buffer.length = 0;
+
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.length = req_output_size;
+ iov[1].buffer.value = NULL;
+
+ iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING;
+ iov[2].buffer.value = NULL;
+ iov[2].buffer.length = 0;
+
+ iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER;
+ iov[3].buffer.value = NULL;
+ iov[3].buffer.length = 0;
+
+ assert(mech->gss_wrap_iov_length);
+
+ status = mech->gss_wrap_iov_length(minor_status, context_handle,
+ conf_req_flag, qop_req,
+ NULL, iov,
+ sizeof(iov)/sizeof(iov[0]));
+ if (status != GSS_S_COMPLETE) {
+ map_error(minor_status, mech);
+ return status;
+ }
+
+ ohlen = iov[0].buffer.length + iov[3].buffer.length;
+
+ if (iov[2].buffer.length == 0 && ohlen < req_output_size)
+ *max_input_size = req_output_size - ohlen;
+ else
+ *max_input_size = 0;
+
+ return GSS_S_COMPLETE;
+}
+
+/*
* New for V2
*/
OM_uint32 KRB5_CALLCONV
@@ -190,13 +254,18 @@
if (!mech)
return (GSS_S_BAD_MECH);
- if (!mech->gss_wrap_size_limit)
- return (GSS_S_UNAVAILABLE);
-
- major_status = mech->gss_wrap_size_limit(mech->context, minor_status,
- ctx->internal_ctx_id,
- conf_req_flag, qop_req,
- req_output_size, max_input_size);
+ if (mech->gss_wrap_size_limit)
+ major_status = mech->gss_wrap_size_limit(minor_status,
+ ctx->internal_ctx_id,
+ conf_req_flag, qop_req,
+ req_output_size, max_input_size);
+ else if (mech->gss_wrap_iov_length)
+ major_status = gssint_wrap_size_limit_iov_shim(mech, minor_status,
+ ctx->internal_ctx_id,
+ conf_req_flag, qop_req,
+ req_output_size, max_input_size);
+ else
+ major_status = GSS_S_UNAVAILABLE;
if (major_status != GSS_S_COMPLETE)
map_error(minor_status, mech);
return major_status;
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_set_context_option.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_set_context_option.c)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_set_cred_option.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_set_cred_option.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_sign.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_sign.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_sign.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,16 +23,16 @@
*/
/*
- * glue routine gss_sign
+ * glue routine gss_get_mic
*/
#include "mglueP.h"
static OM_uint32
-val_sign_args(
+val_get_mic_args(
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
- int qop_req,
+ gss_qop_t qop_req,
gss_buffer_t message_buffer,
gss_buffer_t msg_token)
{
@@ -66,15 +66,15 @@
OM_uint32 KRB5_CALLCONV
-gss_sign (minor_status,
- context_handle,
- qop_req,
- message_buffer,
- msg_token)
+gss_get_mic (minor_status,
+ context_handle,
+ qop_req,
+ message_buffer,
+ msg_token)
OM_uint32 * minor_status;
gss_ctx_id_t context_handle;
-int qop_req;
+gss_qop_t qop_req;
gss_buffer_t message_buffer;
gss_buffer_t msg_token;
@@ -83,8 +83,8 @@
gss_union_ctx_id_t ctx;
gss_mechanism mech;
- status = val_sign_args(minor_status, context_handle,
- qop_req, message_buffer, msg_token);
+ status = val_get_mic_args(minor_status, context_handle,
+ qop_req, message_buffer, msg_token);
if (status != GSS_S_COMPLETE)
return (status);
@@ -97,9 +97,8 @@
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
- if (mech->gss_sign) {
- status = mech->gss_sign(
- mech->context,
+ if (mech->gss_get_mic) {
+ status = mech->gss_get_mic(
minor_status,
ctx->internal_ctx_id,
qop_req,
@@ -117,7 +116,7 @@
}
OM_uint32 KRB5_CALLCONV
-gss_get_mic (minor_status,
+gss_sign (minor_status,
context_handle,
qop_req,
message_buffer,
@@ -125,12 +124,12 @@
OM_uint32 * minor_status;
gss_ctx_id_t context_handle;
-gss_qop_t qop_req;
+int qop_req;
gss_buffer_t message_buffer;
gss_buffer_t msg_token;
{
- return (gss_sign(minor_status, context_handle, (int) qop_req,
- message_buffer, msg_token));
+ return (gss_get_mic(minor_status, context_handle, (gss_qop_t) qop_req,
+ message_buffer, msg_token));
}
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_store_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_store_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_store_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -111,7 +111,7 @@
if (mech_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_NO_CRED);
- major_status = mech->gss_store_cred(mech->context,
+ major_status = mech->gss_store_cred(
minor_status,
(gss_cred_id_t)mech_cred,
cred_usage,
@@ -143,7 +143,7 @@
if (mech_cred == GSS_C_NO_CREDENTIAL)
continue; /* can't happen, but safe to ignore */
- major_status = mech->gss_store_cred(mech->context,
+ major_status = mech->gss_store_cred(
minor_status,
(gss_cred_id_t)mech_cred,
cred_usage,
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_unseal.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_unseal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_unseal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,13 +23,13 @@
*/
/*
- * glue routine gss_unseal
+ * glue routine gss_unwrap
*/
#include "mglueP.h"
OM_uint32 KRB5_CALLCONV
-gss_unseal (minor_status,
+gss_unwrap (minor_status,
context_handle,
input_message_buffer,
output_message_buffer,
@@ -41,7 +41,7 @@
gss_buffer_t input_message_buffer;
gss_buffer_t output_message_buffer;
int * conf_state;
-int * qop_state;
+gss_qop_t * qop_state;
{
/* EXPORT DELETE START */
@@ -75,15 +75,12 @@
* select the approprate underlying mechanism routine and
* call it.
*/
-
ctx = (gss_union_ctx_id_t) context_handle;
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
- if (mech->gss_unseal) {
- status = mech->gss_unseal(
- mech->context,
- minor_status,
+ if (mech->gss_unwrap) {
+ status = mech->gss_unwrap(minor_status,
ctx->internal_ctx_id,
input_message_buffer,
output_message_buffer,
@@ -91,6 +88,15 @@
qop_state);
if (status != GSS_S_COMPLETE)
map_error(minor_status, mech);
+ } else if (mech->gss_unwrap_aead || mech->gss_unwrap_iov) {
+ status = gssint_unwrap_aead(mech,
+ minor_status,
+ ctx,
+ input_message_buffer,
+ GSS_C_NO_BUFFER,
+ output_message_buffer,
+ conf_state,
+ (gss_qop_t *)qop_state);
} else
status = GSS_S_UNAVAILABLE;
@@ -103,7 +109,7 @@
}
OM_uint32 KRB5_CALLCONV
-gss_unwrap (minor_status,
+gss_unseal (minor_status,
context_handle,
input_message_buffer,
output_message_buffer,
@@ -115,10 +121,10 @@
gss_buffer_t input_message_buffer;
gss_buffer_t output_message_buffer;
int * conf_state;
-gss_qop_t * qop_state;
+int * qop_state;
{
- return (gss_unseal(minor_status, (gss_ctx_id_t)context_handle,
- (gss_buffer_t)input_message_buffer,
- output_message_buffer, conf_state, (int *) qop_state));
+ return (gss_unwrap(minor_status, context_handle,
+ input_message_buffer,
+ output_message_buffer, conf_state, (gss_qop_t *) qop_state));
}
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_unwrap_aead.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_unwrap_aead.c)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_unwrap_iov.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_unwrap_iov.c)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_userok.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_userok.c)
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/g_verify.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/g_verify.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/g_verify.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -23,23 +23,23 @@
*/
/*
- * glue routine for gss_verify
+ * glue routine for gss_verify_mic
*/
#include "mglueP.h"
OM_uint32 KRB5_CALLCONV
-gss_verify (minor_status,
- context_handle,
- message_buffer,
- token_buffer,
- qop_state)
+gss_verify_mic (minor_status,
+ context_handle,
+ message_buffer,
+ token_buffer,
+ qop_state)
OM_uint32 * minor_status;
gss_ctx_id_t context_handle;
gss_buffer_t message_buffer;
gss_buffer_t token_buffer;
-int * qop_state;
+gss_qop_t * qop_state;
{
OM_uint32 status;
@@ -68,14 +68,13 @@
mech = gssint_get_mechanism (ctx->mech_type);
if (mech) {
- if (mech->gss_verify) {
- status = mech->gss_verify(
- mech->context,
- minor_status,
- ctx->internal_ctx_id,
- message_buffer,
- token_buffer,
- qop_state);
+ if (mech->gss_verify_mic) {
+ status = mech->gss_verify_mic(
+ minor_status,
+ ctx->internal_ctx_id,
+ message_buffer,
+ token_buffer,
+ qop_state);
if (status != GSS_S_COMPLETE)
map_error(minor_status, mech);
} else
@@ -88,7 +87,7 @@
}
OM_uint32 KRB5_CALLCONV
-gss_verify_mic (minor_status,
+gss_verify (minor_status,
context_handle,
message_buffer,
token_buffer,
@@ -98,9 +97,10 @@
gss_ctx_id_t context_handle;
gss_buffer_t message_buffer;
gss_buffer_t token_buffer;
-gss_qop_t * qop_state;
+int * qop_state;
{
- return (gss_verify(minor_status, context_handle,
- message_buffer, token_buffer, (int *) qop_state));
+ return (gss_verify_mic(minor_status, context_handle,
+ message_buffer, token_buffer,
+ (gss_qop_t *) qop_state));
}
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_wrap_aead.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_wrap_aead.c)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/g_wrap_iov.c (from rev 21721, trunk/src/lib/gssapi/mechglue/g_wrap_iov.c)
Copied: branches/mkey_migrate/src/lib/gssapi/mechglue/gssd_pname_to_uid.c (from rev 21721, trunk/src/lib/gssapi/mechglue/gssd_pname_to_uid.c)
Deleted: branches/mkey_migrate/src/lib/gssapi/mechglue/mech.conf
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/mech.conf 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/mech.conf 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +0,0 @@
-#
-#
-# GSSAPI Mechanism Definitions
-#
-# library function
-/opt/SUNWgss/lib/mech_krb5.so krb5_gss_initialize
-#mech_krb5.so krb5_gss_initialize
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/mechglue.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/mechglue.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/mechglue.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -35,4 +35,8 @@
/* GSSAPI Extension functions -- these functions aren't */
/* in the GSSAPI, but they are provided in this library */
+#include <gssapi/gssapi_ext.h>
+
+void KRB5_CALLCONV gss_initialize(void);
+
#endif /* _GSS_MECHGLUE_H */
Modified: branches/mkey_migrate/src/lib/gssapi/mechglue/mglueP.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/mglueP.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/mglueP.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -20,9 +20,6 @@
(o1)->length = (o2)->length; \
} while (0)
-#define GSS_EMPTY_BUFFER(buf) ((buf) == NULL ||\
- (buf)->value == NULL || (buf)->length == 0)
-
/*
* Array of context IDs typed by mechanism OID
*/
@@ -78,7 +75,20 @@
gss_cred_id_t *cred_array;
gss_union_cred_auxinfo auxinfo;
} gss_union_cred_desc, *gss_union_cred_t;
-
+
+typedef OM_uint32 (*gss_acquire_cred_with_password_sfct)(
+ void *, /* context */
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* desired_name */
+ const gss_buffer_t, /* password */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ int, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 * /* time_rec */
+ /* */);
+
/*
* Rudimentary pointer validation macro to check whether the
* "loopback" field of an opaque struct points back to itself. This
@@ -91,8 +101,11 @@
/********************************************************/
/* The Mechanism Dispatch Table -- a mechanism needs to */
/* define one of these and provide a function to return */
-/* it to initialize the GSSAPI library */
+/* it to initialize the GSSAPI library */
+int gssint_mechglue_initialize_library(void);
+OM_uint32 gssint_get_mech_type_oid(gss_OID OID, gss_buffer_t token);
+
/*
* This is the definition of the mechs_array struct, which is used to
* define the mechs array table. This table is used to indirectly
@@ -105,13 +118,10 @@
*/
typedef struct gss_config {
- OM_uint32 priority;
- char * mechNameStr;
gss_OID_desc mech_type;
void * context;
OM_uint32 (*gss_acquire_cred)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_name_t, /* desired_name */
OM_uint32, /* time_req */
@@ -123,13 +133,11 @@
);
OM_uint32 (*gss_release_cred)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_cred_id_t* /* cred_handle */
);
OM_uint32 (*gss_init_sec_context)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_cred_id_t, /* claimant_cred_handle */
gss_ctx_id_t*, /* context_handle */
@@ -146,7 +154,6 @@
);
OM_uint32 (*gss_accept_sec_context)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t*, /* context_handle */
gss_cred_id_t, /* verifier_cred_handle */
@@ -161,67 +168,59 @@
);
OM_uint32 (*gss_process_context_token)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
gss_buffer_t /* token_buffer */
);
OM_uint32 (*gss_delete_sec_context)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t*, /* context_handle */
gss_buffer_t /* output_token */
);
OM_uint32 (*gss_context_time)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
OM_uint32* /* time_rec */
);
- OM_uint32 (*gss_sign)
+ OM_uint32 (*gss_get_mic)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
+ gss_qop_t, /* qop_req */
gss_buffer_t, /* message_buffer */
gss_buffer_t /* message_token */
);
- OM_uint32 (*gss_verify)
+ OM_uint32 (*gss_verify_mic)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
gss_buffer_t, /* message_buffer */
gss_buffer_t, /* token_buffer */
- int* /* qop_state */
+ gss_qop_t* /* qop_state */
);
- OM_uint32 (*gss_seal)
+ OM_uint32 (*gss_wrap)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
- int, /* qop_req */
+ gss_qop_t, /* qop_req */
gss_buffer_t, /* input_message_buffer */
int*, /* conf_state */
gss_buffer_t /* output_message_buffer */
);
- OM_uint32 (*gss_unseal)
+ OM_uint32 (*gss_unwrap)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
gss_buffer_t, /* input_message_buffer */
gss_buffer_t, /* output_message_buffer */
int*, /* conf_state */
- int* /* qop_state */
+ gss_qop_t* /* qop_state */
);
OM_uint32 (*gss_display_status)
(
- void*, /* context */
OM_uint32*, /* minor_status */
OM_uint32, /* status_value */
int, /* status_type */
@@ -231,13 +230,11 @@
);
OM_uint32 (*gss_indicate_mechs)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_OID_set* /* mech_set */
);
OM_uint32 (*gss_compare_name)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_name_t, /* name1 */
gss_name_t, /* name2 */
@@ -245,7 +242,6 @@
);
OM_uint32 (*gss_display_name)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_name_t, /* input_name */
gss_buffer_t, /* output_name_buffer */
@@ -253,7 +249,6 @@
);
OM_uint32 (*gss_import_name)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_buffer_t, /* input_name_buffer */
gss_OID, /* input_name_type */
@@ -261,13 +256,11 @@
);
OM_uint32 (*gss_release_name)
(
- void*, /* context */
OM_uint32*, /* minor_status */
gss_name_t* /* input_name */
);
OM_uint32 (*gss_inquire_cred)
(
- void*, /* context */
OM_uint32 *, /* minor_status */
gss_cred_id_t, /* cred_handle */
gss_name_t *, /* name */
@@ -277,7 +270,6 @@
);
OM_uint32 (*gss_add_cred)
(
- void*, /* context */
OM_uint32 *, /* minor_status */
gss_cred_id_t, /* input_cred_handle */
gss_name_t, /* desired_name */
@@ -292,21 +284,18 @@
);
OM_uint32 (*gss_export_sec_context)
(
- void*, /* context */
OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_buffer_t /* interprocess_token */
);
OM_uint32 (*gss_import_sec_context)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_buffer_t, /* interprocess_token */
gss_ctx_id_t * /* context_handle */
);
OM_uint32 (*gss_inquire_cred_by_mech)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_cred_id_t, /* cred_handle */
gss_OID, /* mech_type */
@@ -317,14 +306,12 @@
);
OM_uint32 (*gss_inquire_names_for_mech)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_OID, /* mechanism */
gss_OID_set * /* name_types */
);
OM_uint32 (*gss_inquire_context)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_ctx_id_t, /* context_handle */
gss_name_t *, /* src_name */
@@ -332,18 +319,16 @@
OM_uint32 *, /* lifetime_rec */
gss_OID *, /* mech_type */
OM_uint32 *, /* ctx_flags */
- int *, /* locally_initiated */
+ int *, /* locally_initiated */
int * /* open */
);
OM_uint32 (*gss_internal_release_oid)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_OID * /* OID */
);
OM_uint32 (*gss_wrap_size_limit)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
@@ -351,16 +336,30 @@
OM_uint32, /* req_output_size */
OM_uint32 * /* max_input_size */
);
+#if 0
+ int (*pname_to_uid)
+ (
+ char *, /* pname */
+ gss_OID, /* name type */
+ gss_OID, /* mech type */
+ uid_t * /* uid */
+ );
+ OM_uint32 (*gssint_userok)
+ (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* pname */
+ const char *, /* local user */
+ int * /* user ok? */
+ /* */);
+#endif
OM_uint32 (*gss_export_name)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_buffer_t /* exported_name */
/* */);
OM_uint32 (*gss_store_cred)
(
- void *, /* context */
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* input_cred */
gss_cred_usage_t, /* cred_usage */
@@ -370,8 +369,132 @@
gss_OID_set *, /* elements_stored */
gss_cred_usage_t * /* cred_usage_stored */
/* */);
+
+ OM_uint32 (*gss_import_name_object)
+ (
+ OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+ /* */);
+
+ OM_uint32 (*gss_export_name_object)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void ** /* output_name */
+ /* */);
+
+ /* GGF extensions */
+
+ OM_uint32 (*gss_inquire_sec_context_by_oid)
+ (
+ OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_OID, /* OID */
+ gss_buffer_set_t * /* data_set */
+ );
+ OM_uint32 (*gss_inquire_cred_by_oid)
+ (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* cred_handle */
+ const gss_OID, /* OID */
+ gss_buffer_set_t * /* data_set */
+ );
+ OM_uint32 (*gss_set_sec_context_option)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ const gss_OID, /* OID */
+ const gss_buffer_t /* value */
+ );
+ OM_uint32 (*gssspi_set_cred_option)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ const gss_OID, /* OID */
+ const gss_buffer_t /* value */
+ );
+ OM_uint32 (*gssspi_mech_invoke)
+ (
+ OM_uint32*, /* minor_status */
+ const gss_OID, /* mech OID */
+ const gss_OID, /* OID */
+ gss_buffer_t /* value */
+ );
+
+ /* AEAD extensions */
+ OM_uint32 (*gss_wrap_aead)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_assoc_buffer */
+ gss_buffer_t, /* input_payload_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+ /* */);
+
+ OM_uint32 (*gss_unwrap_aead)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* input_assoc_buffer */
+ gss_buffer_t, /* output_payload_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+ /* */);
+
+ /* SSPI extensions */
+ OM_uint32 (*gss_wrap_iov)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ int *, /* conf_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+ /* */);
+
+ OM_uint32 (*gss_unwrap_iov)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int *, /* conf_state */
+ gss_qop_t *, /* qop_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+ /* */);
+
+ OM_uint32 (*gss_wrap_iov_length)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag*/
+ gss_qop_t, /* qop_req */
+ int *, /* conf_state */
+ gss_iov_buffer_desc *, /* iov */
+ int /* iov_count */
+ /* */);
+
+ OM_uint32 (*gss_complete_auth_token)
+ (
+ OM_uint32*, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ gss_buffer_t /* input_message_buffer */
+ );
+
} *gss_mechanism;
+/* This structure MUST NOT be used by any code outside libgss */
+typedef struct gss_config_ext {
+ gss_acquire_cred_with_password_sfct gss_acquire_cred_with_password;
+} *gss_mechanism_ext;
+
/*
* In the user space we use a wrapper structure to encompass the
* mechanism entry points. The wrapper contain the mechanism
@@ -387,21 +510,22 @@
void *dl_handle; /* RTLD object handle for the mech */
gss_OID mech_type; /* mechanism oid */
gss_mechanism mech; /* mechanism initialization struct */
+ gss_mechanism_ext mech_ext; /* extensions */
+ int priority; /* mechanism preference order */
+ int freeMech; /* free mech table */
struct gss_mech_config *next; /* next element in the list */
} *gss_mech_info;
-/* Mechanisms defined within our library */
-
-extern gss_mechanism *krb5_gss_get_mech_configs(void);
-extern gss_mechanism *spnego_gss_get_mech_configs(void);
-
/********************************************************/
/* Internal mechglue routines */
+#if 0
int gssint_mechglue_init(void);
void gssint_mechglue_fini(void);
+#endif
gss_mechanism gssint_get_mechanism (gss_OID);
+gss_mechanism_ext gssint_get_mechanism_ext(const gss_OID);
OM_uint32 gssint_get_mech_type (gss_OID, gss_buffer_t);
char *gssint_get_kmodName(const gss_OID);
char *gssint_get_modOptions(const gss_OID);
@@ -412,6 +536,11 @@
OM_uint32 gssint_display_internal_name (OM_uint32 *, gss_OID, gss_name_t,
gss_buffer_t, gss_OID *);
OM_uint32 gssint_release_internal_name (OM_uint32 *, gss_OID, gss_name_t *);
+OM_uint32 gssint_delete_internal_sec_context (OM_uint32 *, gss_OID,
+ gss_ctx_id_t *, gss_buffer_t);
+#ifdef _GSS_STATIC_LINK
+int gssint_register_mechinfo(gss_mech_info template);
+#endif
OM_uint32 gssint_convert_name_to_union_name
(OM_uint32 *, /* minor_status */
@@ -466,6 +595,14 @@
);
OM_uint32
+gssint_userok(
+ OM_uint32 *, /* minor */
+ const gss_name_t, /* name */
+ const char *, /* user */
+ int * /* user_ok */
+);
+
+OM_uint32
gss_store_cred(
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* input_cred_handle */
@@ -494,6 +631,27 @@
unsigned int /* max_len */
);
+OM_uint32
+gssint_wrap_aead (gss_mechanism, /* mech */
+ OM_uint32 *, /* minor_status */
+ gss_union_ctx_id_t, /* ctx */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req_flag */
+ gss_buffer_t, /* input_assoc_buffer */
+ gss_buffer_t, /* input_payload_buffer */
+ int *, /* conf_state */
+ gss_buffer_t); /* output_message_buffer */
+OM_uint32
+gssint_unwrap_aead (gss_mechanism, /* mech */
+ OM_uint32 *, /* minor_status */
+ gss_union_ctx_id_t, /* ctx */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* input_assoc_buffer */
+ gss_buffer_t, /* output_payload_buffer */
+ int *, /* conf_state */
+ gss_qop_t *); /* qop_state */
+
+
/* Use this to map an error code that was returned from a mech
operation; the mech will be asked to produce the associated error
messages.
Deleted: branches/mkey_migrate/src/lib/gssapi/mechglue/oid_ops.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/mechglue/oid_ops.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/mechglue/oid_ops.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,514 +0,0 @@
-/* #pragma ident "@(#)oid_ops.c 1.19 04/02/23 SMI" */
-/*
- * lib/gssapi/generic/oid_ops.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * oid_ops.c - GSS-API V2 interfaces to manipulate OIDs
- */
-
-#include "mglueP.h"
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <gssapi/gssapi_generic.h>
-#include <errno.h>
-#include <ctype.h>
-
-OM_uint32
-generic_gss_release_oid(minor_status, oid)
- OM_uint32 *minor_status;
- gss_OID *oid;
-{
- if (minor_status)
- *minor_status = 0;
-
- if (oid == NULL || *oid == GSS_C_NO_OID)
- return(GSS_S_COMPLETE);
-
- /*
- * The V2 API says the following!
- *
- * gss_release_oid[()] will recognize any of the GSSAPI's own OID values,
- * and will silently ignore attempts to free these OIDs; for other OIDs
- * it will call the C free() routine for both the OID data and the
- * descriptor. This allows applications to freely mix their own heap-
- * allocated OID values with OIDs returned by GSS-API.
- */
-
- /*
- * We use the official OID definitions instead of the unofficial OID
- * defintions. But we continue to support the unofficial OID
- * gss_nt_service_name just in case if some gss applications use
- * the old OID.
- */
-
- if ((*oid != GSS_C_NT_USER_NAME) &&
- (*oid != GSS_C_NT_MACHINE_UID_NAME) &&
- (*oid != GSS_C_NT_STRING_UID_NAME) &&
- (*oid != GSS_C_NT_HOSTBASED_SERVICE) &&
- (*oid != GSS_C_NT_ANONYMOUS) &&
- (*oid != GSS_C_NT_EXPORT_NAME) &&
- (*oid != gss_nt_service_name)) {
- free((*oid)->elements);
- free(*oid);
- }
- *oid = GSS_C_NO_OID;
- return(GSS_S_COMPLETE);
-}
-
-OM_uint32
-generic_gss_copy_oid(minor_status, oid, new_oid)
- OM_uint32 *minor_status;
- const gss_OID_desc * const oid;
- gss_OID *new_oid;
-{
- gss_OID p;
-
- *minor_status = 0;
-
- p = (gss_OID) malloc(sizeof(gss_OID_desc));
- if (!p) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- p->length = oid->length;
- p->elements = malloc(p->length);
- if (!p->elements) {
- free(p);
- return GSS_S_FAILURE;
- }
- memcpy(p->elements, oid->elements, p->length);
- *new_oid = p;
- return(GSS_S_COMPLETE);
-}
-
-
-OM_uint32
-generic_gss_create_empty_oid_set(minor_status, oid_set)
- OM_uint32 *minor_status;
- gss_OID_set *oid_set;
-{
- *minor_status = 0;
-
- if ((*oid_set = (gss_OID_set) malloc(sizeof(gss_OID_set_desc)))) {
- memset(*oid_set, 0, sizeof(gss_OID_set_desc));
- return(GSS_S_COMPLETE);
- }
- else {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-}
-
-OM_uint32
-generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)
- OM_uint32 *minor_status;
- const gss_OID_desc * const member_oid;
- gss_OID_set *oid_set;
-{
- gss_OID elist;
- gss_OID lastel;
-
- *minor_status = 0;
-
- if (member_oid == NULL || member_oid->length == 0 ||
- member_oid->elements == NULL)
- return (GSS_S_CALL_INACCESSIBLE_READ);
-
- elist = (*oid_set)->elements;
- /* Get an enlarged copy of the array */
- if (((*oid_set)->elements = (gss_OID) malloc(((*oid_set)->count+1) *
- sizeof(gss_OID_desc)))) {
- /* Copy in the old junk */
- if (elist)
- memcpy((*oid_set)->elements,
- elist,
- ((*oid_set)->count * sizeof(gss_OID_desc)));
-
- /* Duplicate the input element */
- lastel = &(*oid_set)->elements[(*oid_set)->count];
- if ((lastel->elements =
- (void *) malloc((size_t) member_oid->length))) {
- /* Success - copy elements */
- memcpy(lastel->elements, member_oid->elements,
- (size_t) member_oid->length);
- /* Set length */
- lastel->length = member_oid->length;
-
- /* Update count */
- (*oid_set)->count++;
- if (elist)
- free(elist);
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
- else
- free((*oid_set)->elements);
- }
- /* Failure - restore old contents of list */
- (*oid_set)->elements = elist;
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
-}
-
-OM_uint32
-generic_gss_test_oid_set_member(minor_status, member, set, present)
- OM_uint32 *minor_status;
- const gss_OID_desc * const member;
- gss_OID_set set;
- int *present;
-{
- OM_uint32 i;
- int result;
-
- *minor_status = 0;
-
- if (member == NULL || set == NULL)
- return (GSS_S_CALL_INACCESSIBLE_READ);
-
- if (present == NULL)
- return (GSS_S_CALL_INACCESSIBLE_WRITE);
-
- result = 0;
- for (i=0; i<set->count; i++) {
- if ((set->elements[i].length == member->length) &&
- !memcmp(set->elements[i].elements,
- member->elements,
- (size_t) member->length)) {
- result = 1;
- break;
- }
- }
- *present = result;
- return(GSS_S_COMPLETE);
-}
-
-/*
- * OID<->string routines. These are uuuuugly.
- */
-OM_uint32
-generic_gss_oid_to_str(minor_status, oid, oid_str)
- OM_uint32 *minor_status;
- const gss_OID_desc * const oid;
- gss_buffer_t oid_str;
-{
- char numstr[128];
- OM_uint32 number;
- int numshift;
- OM_uint32 string_length;
- OM_uint32 i;
- unsigned char *cp;
- char *bp;
-
- if (minor_status != NULL)
- *minor_status = 0;
-
- if (oid_str != GSS_C_NO_BUFFER) {
- oid_str->length = 0;
- oid_str->value = NULL;
- }
-
- if (oid == NULL || oid->length == 0 || oid->elements == NULL)
- return (GSS_S_CALL_INACCESSIBLE_READ);
-
- if (oid_str == GSS_C_NO_BUFFER)
- return (GSS_S_CALL_INACCESSIBLE_WRITE);
-
- /* Decoded according to krb5/gssapi_krb5.c */
-
- /* First determine the size of the string */
- string_length = 0;
- number = 0;
- numshift = 0;
- cp = (unsigned char *) oid->elements;
- number = (unsigned long) cp[0];
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number/40);
- string_length += strlen(numstr);
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number%40);
- string_length += strlen(numstr);
- for (i=1; i<oid->length; i++) {
- if ((OM_uint32) (numshift+7) < (sizeof (OM_uint32)*8)) {/* XXX */
- number = (number << 7) | (cp[i] & 0x7f);
- numshift += 7;
- }
- else {
- return(GSS_S_FAILURE);
- }
- if ((cp[i] & 0x80) == 0) {
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number);
- string_length += strlen(numstr);
- number = 0;
- numshift = 0;
- }
- }
- /*
- * If we get here, we've calculated the length of "n n n ... n ". Add 4
- * here for "{ " and "}\0".
- */
- string_length += 4;
- if ((bp = (char *) malloc(string_length))) {
- strcpy(bp, "{ ");
- number = (OM_uint32) cp[0];
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number/40);
- strcat(bp, numstr);
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number%40);
- strcat(bp, numstr);
- number = 0;
- cp = (unsigned char *) oid->elements;
- for (i=1; i<oid->length; i++) {
- number = (number << 7) | (cp[i] & 0x7f);
- if ((cp[i] & 0x80) == 0) {
- snprintf(numstr, sizeof(numstr), "%lu ", (unsigned long)number);
- strcat(bp, numstr);
- number = 0;
- }
- }
- strcat(bp, "}");
- oid_str->length = strlen(bp)+1;
- oid_str->value = (void *) bp;
- return(GSS_S_COMPLETE);
- }
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
-}
-
-OM_uint32
-generic_gss_str_to_oid(minor_status, oid_str, oid)
- OM_uint32 *minor_status;
- gss_buffer_t oid_str;
- gss_OID *oid;
-{
- unsigned char *cp, *bp, *startp;
- int brace;
- long numbuf;
- long onumbuf;
- OM_uint32 nbytes;
- int i;
- unsigned char *op;
-
- if (minor_status != NULL)
- *minor_status = 0;
-
- if (oid != NULL)
- *oid = GSS_C_NO_OID;
-
- if (GSS_EMPTY_BUFFER(oid_str))
- return (GSS_S_CALL_INACCESSIBLE_READ);
-
- if (oid == NULL)
- return (GSS_S_CALL_INACCESSIBLE_WRITE);
-
- brace = 0;
- bp = oid_str->value;
- cp = bp;
- /* Skip over leading space */
- while ((bp < &cp[oid_str->length]) && isspace(*bp))
- bp++;
- if (*bp == '{') {
- brace = 1;
- bp++;
- }
- while ((bp < &cp[oid_str->length]) && isspace(*bp))
- bp++;
- startp = bp;
- nbytes = 0;
-
- /*
- * The first two numbers are chewed up by the first octet.
- */
- if (sscanf((char *)bp, "%ld", &numbuf) != 1) {
- *minor_status = EINVAL;
- return(GSS_S_FAILURE);
- }
- while ((bp < &cp[oid_str->length]) && isdigit(*bp))
- bp++;
- while ((bp < &cp[oid_str->length]) && isspace(*bp))
- bp++;
- if (sscanf((char *)bp, "%ld", &numbuf) != 1) {
- *minor_status = EINVAL;
- return(GSS_S_FAILURE);
- }
- while ((bp < &cp[oid_str->length]) && isdigit(*bp))
- bp++;
- while ((bp < &cp[oid_str->length]) &&
- (isspace(*bp) || *bp == '.'))
- bp++;
- nbytes++;
- while (isdigit(*bp)) {
- if (sscanf((char *)bp, "%ld", &numbuf) != 1) {
- return(GSS_S_FAILURE);
- }
- while (numbuf) {
- nbytes++;
- numbuf >>= 7;
- }
- while ((bp < &cp[oid_str->length]) && isdigit(*bp))
- bp++;
- while ((bp < &cp[oid_str->length]) &&
- (isspace(*bp) || *bp == '.'))
- bp++;
- }
- if (brace && (*bp != '}')) {
- return(GSS_S_FAILURE);
- }
-
- /*
- * Phew! We've come this far, so the syntax is good.
- */
- if ((*oid = (gss_OID) malloc(sizeof(gss_OID_desc)))) {
- if (((*oid)->elements = (void *) malloc(nbytes))) {
- (*oid)->length = nbytes;
- op = (unsigned char *) (*oid)->elements;
- bp = startp;
- (void) sscanf((char *)bp, "%ld", &numbuf);
- while (isdigit(*bp))
- bp++;
- while (isspace(*bp) || *bp == '.')
- bp++;
- onumbuf = 40*numbuf;
- (void) sscanf((char *)bp, "%ld", &numbuf);
- onumbuf += numbuf;
- *op = (unsigned char) onumbuf;
- op++;
- while (isdigit(*bp))
- bp++;
- while (isspace(*bp) || *bp == '.')
- bp++;
- while (isdigit(*bp)) {
- (void) sscanf((char *)bp, "%ld", &numbuf);
- nbytes = 0;
- /* Have to fill in the bytes msb-first */
- onumbuf = numbuf;
- while (numbuf) {
- nbytes++;
- numbuf >>= 7;
- }
- numbuf = onumbuf;
- op += nbytes;
- i = -1;
- while (numbuf) {
- op[i] = (unsigned char) numbuf & 0x7f;
- if (i != -1)
- op[i] |= 0x80;
- i--;
- numbuf >>= 7;
- }
- while (isdigit(*bp))
- bp++;
- while (isspace(*bp) || *bp == '.')
- bp++;
- }
- return(GSS_S_COMPLETE);
- }
- else {
- free(*oid);
- *oid = GSS_C_NO_OID;
- }
- }
- return(GSS_S_FAILURE);
-}
-
-/*
- * Copyright 1993 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-OM_uint32
-gssint_copy_oid_set(
- OM_uint32 *minor_status,
- const gss_OID_set_desc * const oidset,
- gss_OID_set *new_oidset
- )
-{
- gss_OID_set_desc *copy;
- OM_uint32 minor = 0;
- OM_uint32 major = GSS_S_COMPLETE;
- OM_uint32 i;
-
- if (minor_status != NULL)
- *minor_status = 0;
-
- if (new_oidset != NULL)
- *new_oidset = GSS_C_NO_OID_SET;
-
- if (oidset == GSS_C_NO_OID_SET)
- return (GSS_S_CALL_INACCESSIBLE_READ);
-
- if (new_oidset == NULL)
- return (GSS_S_CALL_INACCESSIBLE_WRITE);
-
- if ((copy = (gss_OID_set_desc *) calloc(1, sizeof (*copy))) == NULL) {
- major = GSS_S_FAILURE;
- goto done;
- }
-
- if ((copy->elements = (gss_OID_desc *)
- calloc(oidset->count, sizeof (*copy->elements))) == NULL) {
- major = GSS_S_FAILURE;
- goto done;
- }
- copy->count = oidset->count;
-
- for (i = 0; i < copy->count; i++) {
- gss_OID_desc *out = ©->elements[i];
- gss_OID_desc *in = &oidset->elements[i];
-
- if ((out->elements = (void *) malloc(in->length)) == NULL) {
- major = GSS_S_FAILURE;
- goto done;
- }
- (void) memcpy(out->elements, in->elements, in->length);
- out->length = in->length;
- }
-
- *new_oidset = copy;
-done:
- if (major != GSS_S_COMPLETE) {
- (void) gss_release_oid_set(&minor, ©);
- }
-
- return (major);
-}
Modified: branches/mkey_migrate/src/lib/gssapi/spnego/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/spnego/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/spnego/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3,6 +3,7 @@
mydir=lib/gssapi/spnego
BUILDTOP=$(REL)..$(S)..$(S)..
LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/.. -I../generic -I$(srcdir)/../generic -I../mechglue -I$(srcdir)/../mechglue
+DEFS=-D_GSS_STATIC_LINK=1
##DOS##BUILDTOP = ..\..\..
##DOS##PREFIXDIR=spnego
@@ -23,21 +24,3 @@
clean-unix:: clean-libobjs
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-spnego_mech.so spnego_mech.po $(OUTPRE)spnego_mech.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
- $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../mechglue/mechglue.h \
- $(srcdir)/../mechglue/mglueP.h ../generic/gssapi_err_generic.h \
- gssapiP_spnego.h spnego_mech.c
Copied: branches/mkey_migrate/src/lib/gssapi/spnego/deps (from rev 21721, trunk/src/lib/gssapi/spnego/deps)
Modified: branches/mkey_migrate/src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,6 +39,7 @@
#define ENUMERATED 0x0a
#define ENUMERATION_LENGTH 1
#define HEADER_ID 0x60
+#define GENERAL_STRING 0x1b
/*
* SPNEGO specific error codes (minor status codes)
@@ -106,17 +107,10 @@
*/
#define SPNEGO_MAGIC_ID 0x00000fed
-/* SPNEGO oid structure */
-static const gss_OID_desc spnego_oids[] = {
- {SPNEGO_OID_LENGTH, SPNEGO_OID},
-};
+/* SPNEGO oid declarations */
+extern const gss_OID_desc * const gss_mech_spnego;
+extern const gss_OID_set_desc * const gss_mech_set_spnego;
-const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
-static const gss_OID_set_desc spnego_oidsets[] = {
- {1, (gss_OID) spnego_oids+0},
-};
-const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
-
#ifdef DEBUG
#define dsyslog(a) syslog(LOG_DEBUG, a)
#else
@@ -130,7 +124,6 @@
OM_uint32 spnego_gss_acquire_cred
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
gss_name_t, /* desired_name */
OM_uint32, /* time_req */
@@ -143,7 +136,6 @@
OM_uint32 spnego_gss_release_cred
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
/* CSTYLED */
gss_cred_id_t * /* cred_handle */
@@ -151,7 +143,6 @@
OM_uint32 spnego_gss_init_sec_context
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
gss_cred_id_t, /* claimant_cred_handle */
gss_ctx_id_t *, /* context_handle */
@@ -170,7 +161,6 @@
#ifndef LEAN_CLIENT
OM_uint32 spnego_gss_accept_sec_context
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_cred_id_t, /* verifier_cred_handle */
@@ -186,9 +176,16 @@
);
#endif /* LEAN_CLIENT */
+OM_uint32 spnego_gss_compare_name
+(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name1 */
+ const gss_name_t, /* name2 */
+ int * /* name_equal */
+);
+
OM_uint32 spnego_gss_display_name
(
- void *,
OM_uint32 *, /* minor_status */
gss_name_t, /* input_name */
gss_buffer_t, /* output_name_buffer */
@@ -197,7 +194,6 @@
OM_uint32 spnego_gss_display_status
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
OM_uint32, /* status_value */
int, /* status_type */
@@ -208,7 +204,6 @@
OM_uint32 spnego_gss_import_name
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
gss_buffer_t, /* input_name_buffer */
gss_OID, /* input_name_type */
@@ -218,7 +213,6 @@
OM_uint32 spnego_gss_release_name
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
/* CSTYLED */
gss_name_t * /* input_name */
@@ -226,30 +220,27 @@
OM_uint32 spnego_gss_inquire_names_for_mech
(
- void *, /* spnego context */
OM_uint32 *, /* minor_status */
gss_OID, /* mechanism */
gss_OID_set * /* name_types */
);
-OM_uint32 spnego_gss_unseal
+OM_uint32 spnego_gss_unwrap
(
- void *context,
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
- int *qop_state
+ gss_qop_t *qop_state
);
-OM_uint32 spnego_gss_seal
+OM_uint32 spnego_gss_wrap
(
- void *context,
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
- int qop_req,
+ gss_qop_t qop_req,
gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer
@@ -257,7 +248,6 @@
OM_uint32 spnego_gss_process_context_token
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer
@@ -265,7 +255,6 @@
OM_uint32 spnego_gss_delete_sec_context
(
- void *context,
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token
@@ -273,7 +262,6 @@
OM_uint32 spnego_gss_context_time
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec
@@ -281,7 +269,6 @@
#ifndef LEAN_CLIENT
OM_uint32 spnego_gss_export_sec_context
(
- void *context,
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token
@@ -289,7 +276,6 @@
OM_uint32 spnego_gss_import_sec_context
(
- void *context,
OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle
@@ -298,7 +284,6 @@
OM_uint32 spnego_gss_inquire_context
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_name_t *src_name,
@@ -312,7 +297,6 @@
OM_uint32 spnego_gss_wrap_size_limit
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -321,26 +305,112 @@
OM_uint32 *max_input_size
);
-OM_uint32 spnego_gss_sign
+OM_uint32 spnego_gss_get_mic
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
- int qop_req,
+ gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token
);
-OM_uint32 spnego_gss_verify
+OM_uint32 spnego_gss_verify_mic
(
- void *context,
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t msg_buffer,
const gss_buffer_t token_buffer,
- int *qop_state
+ gss_qop_t *qop_state
);
+OM_uint32
+spnego_gss_inquire_sec_context_by_oid
+(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set
+);
+
+OM_uint32
+spnego_gss_set_sec_context_option
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value
+);
+
+#ifdef _GSS_STATIC_LINK
+int gss_spnegoint_lib_init(void);
+void gss_spnegoint_lib_fini(void);
+#else
+gss_mechanism KRB5_CALLCONV gss_mech_initialize(void);
+#endif /* _GSS_STATIC_LINK */
+
+OM_uint32 spnego_gss_wrap_aead
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t input_payload_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer
+);
+
+OM_uint32 spnego_gss_unwrap_aead
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t output_payload_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state
+);
+
+OM_uint32 spnego_gss_wrap_iov
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count
+);
+
+OM_uint32 spnego_gss_unwrap_iov
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count
+);
+
+OM_uint32 spnego_gss_wrap_iov_length
+(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count
+);
+
+OM_uint32
+spnego_gss_complete_auth_token
+(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer
+);
+
#ifdef __cplusplus
}
#endif
Copied: branches/mkey_migrate/src/lib/gssapi/spnego/mech_spnego.exports (from rev 21721, trunk/src/lib/gssapi/spnego/mech_spnego.exports)
Modified: branches/mkey_migrate/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- branches/mkey_migrate/src/lib/gssapi/spnego/spnego_mech.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/gssapi/spnego/spnego_mech.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -32,9 +32,37 @@
* peers using the GSS-API.
*
*/
-
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
/* #pragma ident "@(#)spnego_mech.c 1.7 04/09/28 SMI" */
+#include <sys/param.h>
+#include <unistd.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
@@ -78,7 +106,6 @@
static void release_spnego_ctx(spnego_gss_ctx_id_t *);
static void check_spnego_options(spnego_gss_ctx_id_t);
static spnego_gss_ctx_id_t create_spnego_ctx(void);
-static int put_req_flags(unsigned char **, OM_uint32, unsigned int);
static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
@@ -136,7 +163,9 @@
g_get_tag_and_length(unsigned char **, int, unsigned int, unsigned int *);
static int
-make_spnego_tokenInit_msg(spnego_gss_ctx_id_t, gss_buffer_t,
+make_spnego_tokenInit_msg(spnego_gss_ctx_id_t,
+ int,
+ gss_buffer_t,
OM_uint32, gss_buffer_t, send_token_flag,
gss_buffer_t);
static int
@@ -152,6 +181,26 @@
get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
OM_uint32 *, gss_OID *, gss_buffer_t *, gss_buffer_t *);
+static int
+is_kerb_mech(gss_OID oid);
+
+/* SPNEGO oid structure */
+static const gss_OID_desc spnego_oids[] = {
+ {SPNEGO_OID_LENGTH, SPNEGO_OID},
+};
+
+const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
+static const gss_OID_set_desc spnego_oidsets[] = {
+ {1, (gss_OID) spnego_oids+0},
+};
+const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+
+static int make_NegHints(OM_uint32 *, gss_cred_id_t, gss_buffer_t *);
+static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int);
+static OM_uint32
+acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, gss_cred_id_t,
+ gss_buffer_t *, OM_uint32 *, send_token_flag *);
+
/*
* The Mech OID for SPNEGO:
* { iso(1) org(3) dod(6) internet(1) security(5)
@@ -159,7 +208,6 @@
*/
static struct gss_config spnego_mechanism =
{
- 400, "spnego",
{SPNEGO_OID_LENGTH, SPNEGO_OID},
NULL,
spnego_gss_acquire_cred,
@@ -173,13 +221,13 @@
NULL, /* gss_process_context_token */
spnego_gss_delete_sec_context, /* gss_delete_sec_context */
spnego_gss_context_time, /* gss_context_time */
- spnego_gss_sign, /* gss_sign */
- spnego_gss_verify, /* gss_verify */
- spnego_gss_seal, /* gss_seal */
- spnego_gss_unseal, /* gss_unseal */
+ spnego_gss_get_mic, /* gss_get_mic */
+ spnego_gss_verify_mic, /* gss_verify_mic */
+ spnego_gss_wrap, /* gss_wrap */
+ spnego_gss_unwrap, /* gss_unwrap */
spnego_gss_display_status,
NULL, /* gss_indicate_mechs */
- NULL, /* gss_compare_name */
+ spnego_gss_compare_name,
spnego_gss_display_name,
spnego_gss_import_name,
spnego_gss_release_name,
@@ -199,24 +247,63 @@
spnego_gss_wrap_size_limit, /* gss_wrap_size_limit */
NULL, /* gss_export_name */
NULL, /* gss_store_cred */
+ NULL, /* gss_import_name_object */
+ NULL, /* gss_export_name_object */
+ spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
+ NULL, /* gss_inquire_cred_by_oid */
+ spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
+ NULL, /* gssspi_set_cred_option */
+ NULL, /* gssspi_mech_invoke */
+ spnego_gss_wrap_aead,
+ spnego_gss_unwrap_aead,
+ spnego_gss_wrap_iov,
+ spnego_gss_unwrap_iov,
+ spnego_gss_wrap_iov_length,
+ spnego_gss_complete_auth_token
};
-static gss_mechanism spnego_mech_configs[] = {
- &spnego_mechanism, NULL
-};
+#ifdef _GSS_STATIC_LINK
+#include "mglueP.h"
-#define gssint_get_mech_configs spnego_gss_get_mech_configs
+static int gss_spnegomechglue_init(void)
+{
+ struct gss_mech_config mech_spnego;
-gss_mechanism *
-gssint_get_mech_configs(void)
+ memset(&mech_spnego, 0, sizeof(mech_spnego));
+ mech_spnego.mech = &spnego_mechanism;
+ mech_spnego.mechNameStr = "spnego";
+ mech_spnego.mech_type = GSS_C_NO_OID;
+
+ return gssint_register_mechinfo(&mech_spnego);
+}
+#else
+gss_mechanism KRB5_CALLCONV
+gss_mech_initialize(void)
{
- return spnego_mech_configs;
+ return (&spnego_mechanism);
}
+MAKE_INIT_FUNCTION(gss_krb5int_lib_init);
+MAKE_FINI_FUNCTION(gss_krb5int_lib_fini);
+int gss_krb5int_lib_init(void)
+#endif /* _GSS_STATIC_LINK */
+
+int gss_spnegoint_lib_init(void)
+{
+#ifdef _GSS_STATIC_LINK
+ return gss_spnegomechglue_init();
+#else
+ return 0;
+#endif
+}
+
+void gss_spnegoint_lib_fini(void)
+{
+}
+
/*ARGSUSED*/
OM_uint32
-spnego_gss_acquire_cred(void *ctx,
- OM_uint32 *minor_status,
+spnego_gss_acquire_cred(OM_uint32 *minor_status,
gss_name_t desired_name,
OM_uint32 time_req,
gss_OID_set desired_mechs,
@@ -269,8 +356,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_release_cred(void *ctx,
- OM_uint32 *minor_status,
+spnego_gss_release_cred(OM_uint32 *minor_status,
gss_cred_id_t *cred_handle)
{
OM_uint32 status;
@@ -557,10 +643,15 @@
* mech not finished and mech token missing
*/
ret = GSS_S_DEFECTIVE_TOKEN;
- } else {
+ } else if (sc->mic_reqd &&
+ (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
*negState = ACCEPT_INCOMPLETE;
*tokflag = CONT_TOKEN_SEND;
ret = GSS_S_CONTINUE_NEEDED;
+ } else {
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
}
cleanup:
if (supportedMech != GSS_C_NO_OID)
@@ -598,7 +689,17 @@
map_errcode(minor_status);
return GSS_S_DEFECTIVE_TOKEN;
}
- if (!g_OID_equal(supportedMech, sc->internal_mech)) {
+
+ /*
+ * If the mechanism we sent is not the mechanism returned from
+ * the server, we need to handle the server's counter
+ * proposal. There is a bug in SAMBA servers that always send
+ * the old Kerberos mech OID, even though we sent the new one.
+ * So we will treat all the Kerberos mech OIDS as the same.
+ */
+ if (!(is_kerb_mech(supportedMech) &&
+ is_kerb_mech(sc->internal_mech)) &&
+ !g_OID_equal(supportedMech, sc->internal_mech)) {
ret = init_ctx_reselect(minor_status, sc,
acc_negState, supportedMech,
responseToken, mechListMIC,
@@ -722,6 +823,7 @@
* generated/handled.
*/
if (*send_token == CONT_TOKEN_SEND &&
+ mechtok_out->length == 0 &&
(!sc->mic_reqd ||
!(sc->ctx_flags & GSS_C_INTEG_FLAG))) {
@@ -748,7 +850,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_init_sec_context(void *ct,
+spnego_gss_init_sec_context(
OM_uint32 *minor_status,
gss_cred_id_t claimant_cred_handle,
gss_ctx_id_t *context_handle,
@@ -835,11 +937,11 @@
cleanup:
if (send_token == INIT_TOKEN_SEND) {
if (make_spnego_tokenInit_msg(spnego_ctx,
+ 0,
mechListMIC_out,
req_flags,
&mechtok_out, send_token,
output_token) < 0) {
-
ret = GSS_S_FAILURE;
}
} else if (send_token != NO_TOKEN_SEND) {
@@ -859,6 +961,8 @@
*context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
if (actual_mech != NULL)
*actual_mech = spnego_ctx->actual_mech;
+ if (ret_flags != NULL)
+ *ret_flags = spnego_ctx->ctx_flags;
release_spnego_ctx(&spnego_ctx);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
if (spnego_ctx != NULL) {
@@ -887,7 +991,266 @@
return ret;
} /* init_sec_context */
+/* We don't want to import KRB5 headers here */
+static const gss_OID_desc gss_mech_krb5_oid =
+ { 9, "\052\206\110\206\367\022\001\002\002" };
+static const gss_OID_desc gss_mech_krb5_wrong_oid =
+ { 9, "\052\206\110\202\367\022\001\002\002" };
+
/*
+ * verify that the input token length is not 0. If it is, just return.
+ * If the token length is greater than 0, der encode as a sequence
+ * and place in buf_out, advancing buf_out.
+ */
+
+static int
+put_neg_hints(unsigned char **buf_out, gss_buffer_t input_token,
+ unsigned int buflen)
+{
+ int ret;
+
+ /* if token length is 0, we do not want to send */
+ if (input_token->length == 0)
+ return (0);
+
+ if (input_token->length > buflen)
+ return (-1);
+
+ *(*buf_out)++ = SEQUENCE;
+ if ((ret = gssint_put_der_length(input_token->length, buf_out,
+ input_token->length)))
+ return (ret);
+ TWRITE_STR(*buf_out, input_token->value, input_token->length);
+ return (0);
+}
+
+/*
+ * NegHints ::= SEQUENCE {
+ * hintName [0] GeneralString OPTIONAL,
+ * hintAddress [1] OCTET STRING OPTIONAL
+ * }
+ */
+
+#define HOST_PREFIX "host@"
+#define HOST_PREFIX_LEN (sizeof(HOST_PREFIX) - 1)
+
+static int
+make_NegHints(OM_uint32 *minor_status,
+ gss_cred_id_t cred, gss_buffer_t *outbuf)
+{
+ gss_buffer_desc hintNameBuf;
+ gss_name_t hintName = GSS_C_NO_NAME;
+ gss_name_t hintKerberosName;
+ gss_OID hintNameType;
+ OM_uint32 major_status;
+ OM_uint32 minor;
+ unsigned int tlen = 0;
+ unsigned int hintNameSize = 0;
+ unsigned int negHintsSize = 0;
+ unsigned char *ptr;
+ unsigned char *t;
+
+ *outbuf = GSS_C_NO_BUFFER;
+
+ if (cred != GSS_C_NO_CREDENTIAL) {
+ major_status = gss_inquire_cred(minor_status,
+ cred,
+ &hintName,
+ NULL,
+ NULL,
+ NULL);
+ if (major_status != GSS_S_COMPLETE)
+ return (major_status);
+ }
+
+ if (hintName == GSS_C_NO_NAME) {
+ krb5_error_code code;
+ krb5int_access kaccess;
+ char hostname[HOST_PREFIX_LEN + MAXHOSTNAMELEN + 1] = HOST_PREFIX;
+
+ code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code != 0) {
+ *minor_status = code;
+ return (GSS_S_FAILURE);
+ }
+
+ /* this breaks mutual authentication but Samba relies on it */
+ code = (*kaccess.clean_hostname)(NULL, NULL,
+ &hostname[HOST_PREFIX_LEN],
+ MAXHOSTNAMELEN);
+ if (code != 0) {
+ *minor_status = code;
+ return (GSS_S_FAILURE);
+ }
+
+ hintNameBuf.value = hostname;
+ hintNameBuf.length = strlen(hostname);
+
+ major_status = gss_import_name(minor_status,
+ &hintNameBuf,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &hintName);
+ if (major_status != GSS_S_COMPLETE) {
+ return (major_status);
+ }
+ }
+
+ hintNameBuf.value = NULL;
+ hintNameBuf.length = 0;
+
+ major_status = gss_canonicalize_name(minor_status,
+ hintName,
+ (gss_OID)&gss_mech_krb5_oid,
+ &hintKerberosName);
+ if (major_status != GSS_S_COMPLETE) {
+ gss_release_name(&minor, &hintName);
+ return (major_status);
+ }
+ gss_release_name(&minor, &hintName);
+
+ major_status = gss_display_name(minor_status,
+ hintKerberosName,
+ &hintNameBuf,
+ &hintNameType);
+ if (major_status != GSS_S_COMPLETE) {
+ gss_release_name(&minor, &hintName);
+ return (major_status);
+ }
+ gss_release_name(&minor, &hintKerberosName);
+
+ /*
+ * Now encode the name hint into a NegHints ASN.1 type
+ */
+ major_status = GSS_S_FAILURE;
+
+ /* Length of DER encoded GeneralString */
+ tlen = 1 + gssint_der_length_size(hintNameBuf.length) +
+ hintNameBuf.length;
+ hintNameSize = tlen;
+
+ /* Length of DER encoded hintName */
+ tlen += 1 + gssint_der_length_size(hintNameSize);
+ negHintsSize = tlen;
+
+ t = (unsigned char *)malloc(tlen);
+ if (t == NULL) {
+ *minor_status = ENOMEM;
+ goto errout;
+ }
+
+ ptr = t;
+
+ *ptr++ = CONTEXT | 0x00; /* hintName identifier */
+ if (gssint_put_der_length(hintNameSize,
+ &ptr, tlen - (int)(ptr-t)))
+ goto errout;
+
+ *ptr++ = GENERAL_STRING;
+ if (gssint_put_der_length(hintNameBuf.length,
+ &ptr, tlen - (int)(ptr-t)))
+ goto errout;
+
+ memcpy(ptr, hintNameBuf.value, hintNameBuf.length);
+ ptr += hintNameBuf.length;
+
+ *outbuf = (gss_buffer_t)malloc(sizeof(gss_buffer_desc));
+ if (*outbuf == NULL) {
+ *minor_status = ENOMEM;
+ goto errout;
+ }
+ (*outbuf)->value = (void *)t;
+ (*outbuf)->length = ptr - t;
+
+ t = NULL; /* don't free */
+
+ *minor_status = 0;
+ major_status = GSS_S_COMPLETE;
+
+errout:
+ if (t != NULL) {
+ free(t);
+ }
+
+ gss_release_buffer(&minor, &hintNameBuf);
+
+ return (major_status);
+}
+
+static OM_uint32
+acc_ctx_hints(OM_uint32 *minor_status,
+ gss_ctx_id_t *ctx,
+ gss_cred_id_t cred,
+ gss_buffer_t *mechListMIC,
+ OM_uint32 *negState,
+ send_token_flag *return_token)
+{
+ OM_uint32 tmpmin, ret;
+ gss_OID_set supported_mechSet;
+ spnego_gss_ctx_id_t sc = NULL;
+
+ *mechListMIC = GSS_C_NO_BUFFER;
+ supported_mechSet = GSS_C_NO_OID_SET;
+ *return_token = ERROR_TOKEN_SEND;
+ *negState = REJECT;
+ *minor_status = 0;
+
+ *ctx = GSS_C_NO_CONTEXT;
+ ret = GSS_S_DEFECTIVE_TOKEN;
+
+ if (cred != GSS_C_NO_CREDENTIAL) {
+ ret = gss_inquire_cred(minor_status, cred, NULL, NULL,
+ NULL, &supported_mechSet);
+ if (ret != GSS_S_COMPLETE) {
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+ } else {
+ ret = get_available_mechs(minor_status, GSS_C_NO_NAME,
+ GSS_C_ACCEPT, NULL,
+ &supported_mechSet);
+ if (ret != GSS_S_COMPLETE) {
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+ }
+
+ ret = make_NegHints(minor_status, cred, mechListMIC);
+ if (ret != GSS_S_COMPLETE) {
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+
+ /*
+ * Select the best match between the list of mechs
+ * that the initiator requested and the list that
+ * the acceptor will support.
+ */
+ sc = create_spnego_ctx();
+ if (sc == NULL) {
+ ret = GSS_S_FAILURE;
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+ if (put_mech_set(supported_mechSet, &sc->DER_mechTypes) < 0) {
+ ret = GSS_S_FAILURE;
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+ sc->internal_mech = GSS_C_NO_OID;
+
+ *negState = ACCEPT_INCOMPLETE;
+ *return_token = INIT_TOKEN_SEND;
+ sc->firstpass = 1;
+ *ctx = (gss_ctx_id_t)sc;
+ ret = GSS_S_COMPLETE;
+
+cleanup:
+ gss_release_oid_set(&tmpmin, &supported_mechSet);
+
+ return ret;
+}
+
+/*
* Set negState to REJECT if the token is defective, else
* ACCEPT_INCOMPLETE or REQUEST_MIC, depending on whether initiator's
* preferred mechanism is supported.
@@ -909,6 +1272,7 @@
spnego_gss_ctx_id_t sc = NULL;
*ctx = GSS_C_NO_CONTEXT;
+
ret = GSS_S_DEFECTIVE_TOKEN;
der_mechTypes.length = 0;
der_mechTypes.value = NULL;
@@ -953,7 +1317,12 @@
ret = GSS_S_BAD_MECH;
goto cleanup;
}
- sc = create_spnego_ctx();
+ sc = (spnego_gss_ctx_id_t)*ctx;
+ if (sc != NULL) {
+ gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
+ assert(mech_wanted != GSS_C_NO_OID);
+ } else
+ sc = create_spnego_ctx();
if (sc == NULL) {
ret = GSS_S_FAILURE;
*return_token = NO_TOKEN_SEND;
@@ -1078,7 +1447,7 @@
*tokflag = ERROR_TOKEN_SEND;
return GSS_S_BAD_MECH;
}
- ret = mech->gss_indicate_mechs(NULL, minor_status, &mech_set);
+ ret = mech->gss_indicate_mechs(minor_status, &mech_set);
if (ret != GSS_S_COMPLETE) {
*tokflag = NO_TOKEN_SEND;
map_error(minor_status, mech);
@@ -1115,18 +1484,20 @@
OM_uint32 ret;
gss_OID_desc mechoid;
- /*
- * mechoid is an alias; don't free it.
- */
- ret = gssint_get_mech_type(&mechoid, mechtok_in);
- if (ret != GSS_S_COMPLETE) {
- *tokflag = NO_TOKEN_SEND;
- return ret;
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
+ /*
+ * mechoid is an alias; don't free it.
+ */
+ ret = gssint_get_mech_type(&mechoid, mechtok_in);
+ if (ret != GSS_S_COMPLETE) {
+ *tokflag = NO_TOKEN_SEND;
+ return ret;
+ }
+ ret = acc_ctx_vfy_oid(minor_status, sc, &mechoid,
+ negState, tokflag);
+ if (ret != GSS_S_COMPLETE)
+ return ret;
}
- ret = acc_ctx_vfy_oid(minor_status, sc, &mechoid,
- negState, tokflag);
- if (ret != GSS_S_COMPLETE)
- return ret;
ret = gss_accept_sec_context(minor_status,
&sc->ctx_handle,
@@ -1173,7 +1544,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_accept_sec_context(void *ct,
+spnego_gss_accept_sec_context(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_cred_id_t verifier_cred_handle,
@@ -1186,12 +1557,13 @@
OM_uint32 *time_rec,
gss_cred_id_t *delegated_cred_handle)
{
- OM_uint32 ret, tmpret, tmpmin, negState;
+ OM_uint32 ret, tmpmin, negState;
send_token_flag return_token;
gss_buffer_t mechtok_in, mic_in, mic_out;
gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER;
spnego_gss_ctx_id_t sc = NULL;
OM_uint32 mechstat = GSS_S_FAILURE;
+ int sendTokenInit = 0;
mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
@@ -1210,7 +1582,8 @@
if (input_token == GSS_C_NO_BUFFER)
return GSS_S_CALL_INACCESSIBLE_READ;
- if (*context_handle == GSS_C_NO_CONTEXT) {
+ sc = (spnego_gss_ctx_id_t)*context_handle;
+ if (sc == NULL || sc->internal_mech == GSS_C_NO_OID) {
if (src_name != NULL)
*src_name = GSS_C_NO_NAME;
if (mech_type != NULL)
@@ -1221,14 +1594,27 @@
*ret_flags = 0;
if (delegated_cred_handle != NULL)
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
- /* Can set negState to REQUEST_MIC */
- ret = acc_ctx_new(minor_status, input_token,
- context_handle, verifier_cred_handle,
- &mechtok_in, &mic_in,
- &negState, &return_token);
- if (ret != GSS_S_COMPLETE)
- goto cleanup;
- ret = GSS_S_CONTINUE_NEEDED;
+ if (input_token->length == 0) {
+ sendTokenInit = 1;
+ ret = acc_ctx_hints(minor_status,
+ context_handle,
+ verifier_cred_handle,
+ &mic_out,
+ &negState,
+ &return_token);
+ if (ret != GSS_S_COMPLETE)
+ goto cleanup;
+ ret = GSS_S_CONTINUE_NEEDED;
+ } else {
+ /* Can set negState to REQUEST_MIC */
+ ret = acc_ctx_new(minor_status, input_token,
+ context_handle, verifier_cred_handle,
+ &mechtok_in, &mic_in,
+ &negState, &return_token);
+ if (ret != GSS_S_COMPLETE)
+ goto cleanup;
+ ret = GSS_S_CONTINUE_NEEDED;
+ }
} else {
/* Can set negState to ACCEPT_INCOMPLETE */
ret = acc_ctx_cont(minor_status, input_token,
@@ -1267,13 +1653,27 @@
}
cleanup:
if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
- &mechtok_out, mic_out,
- return_token,
- output_token);
- if (tmpret != GSS_S_COMPLETE) {
- ret = tmpret;
+ /* For acceptor-sends-first send a tokenInit */
+ int tmpret;
+
+ assert(sc != NULL);
+
+ if (sendTokenInit) {
+ tmpret = make_spnego_tokenInit_msg(sc,
+ 1,
+ mic_out,
+ 0,
+ GSS_C_NO_BUFFER,
+ return_token,
+ output_token);
+ } else {
+ tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
+ &mechtok_out, mic_out,
+ return_token,
+ output_token);
}
+ if (tmpret < 0)
+ ret = GSS_S_FAILURE;
}
if (ret == GSS_S_COMPLETE) {
*context_handle = (gss_ctx_id_t)sc->ctx_handle;
@@ -1303,7 +1703,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_display_status(void *ctx,
+spnego_gss_display_status(
OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
@@ -1348,7 +1748,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_import_name(void *ctx,
+spnego_gss_import_name(
OM_uint32 *minor_status,
gss_buffer_t input_name_buffer,
gss_OID input_name_type,
@@ -1367,7 +1767,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_release_name(void *ctx,
+spnego_gss_release_name(
OM_uint32 *minor_status,
gss_name_t *input_name)
{
@@ -1383,8 +1783,26 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_display_name(void *ctx,
+spnego_gss_compare_name(
OM_uint32 *minor_status,
+ const gss_name_t name1,
+ const gss_name_t name2,
+ int *name_equal)
+{
+ OM_uint32 status = GSS_S_COMPLETE;
+ dsyslog("Entering compare_name\n");
+
+ status = gss_compare_name(minor_status, name1, name2, name_equal);
+
+ dsyslog("Leaving compare_name\n");
+ return (status);
+}
+
+/*ARGSUSED*/
+/*ARGSUSED*/
+OM_uint32
+spnego_gss_display_name(
+ OM_uint32 *minor_status,
gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID *output_name_type)
@@ -1402,7 +1820,7 @@
/*ARGSUSED*/
OM_uint32
-spnego_gss_inquire_names_for_mech(void *ctx,
+spnego_gss_inquire_names_for_mech(
OM_uint32 *minor_status,
gss_OID mechanism,
gss_OID_set *name_types)
@@ -1445,16 +1863,16 @@
}
OM_uint32
-spnego_gss_unseal(void *context,
+spnego_gss_unwrap(
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
- int *qop_state)
+ gss_qop_t *qop_state)
{
OM_uint32 ret;
- ret = gss_unseal(minor_status,
+ ret = gss_unwrap(minor_status,
context_handle,
input_message_buffer,
output_message_buffer,
@@ -1465,17 +1883,17 @@
}
OM_uint32
-spnego_gss_seal(void *context,
+spnego_gss_wrap(
OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
- int qop_req,
+ gss_qop_t qop_req,
gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer)
{
OM_uint32 ret;
- ret = gss_seal(minor_status,
+ ret = gss_wrap(minor_status,
context_handle,
conf_req_flag,
qop_req,
@@ -1487,7 +1905,7 @@
}
OM_uint32
-spnego_gss_process_context_token(void *context,
+spnego_gss_process_context_token(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer)
@@ -1501,7 +1919,7 @@
}
OM_uint32
-spnego_gss_delete_sec_context(void *context,
+spnego_gss_delete_sec_context(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
@@ -1529,7 +1947,7 @@
}
OM_uint32
-spnego_gss_context_time(void *context,
+spnego_gss_context_time(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec)
@@ -1542,7 +1960,7 @@
}
#ifndef LEAN_CLIENT
OM_uint32
-spnego_gss_export_sec_context(void *context,
+spnego_gss_export_sec_context(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)
@@ -1555,7 +1973,7 @@
}
OM_uint32
-spnego_gss_import_sec_context(void *context,
+spnego_gss_import_sec_context(
OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
@@ -1569,7 +1987,7 @@
#endif /* LEAN_CLIENT */
OM_uint32
-spnego_gss_inquire_context(void *context,
+spnego_gss_inquire_context(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_name_t *src_name,
@@ -1596,7 +2014,7 @@
}
OM_uint32
-spnego_gss_wrap_size_limit(void *context,
+spnego_gss_wrap_size_limit(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
@@ -1615,15 +2033,15 @@
}
OM_uint32
-spnego_gss_sign(void *context,
+spnego_gss_get_mic(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
- int qop_req,
+ gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token)
{
OM_uint32 ret;
- ret = gss_sign(minor_status,
+ ret = gss_get_mic(minor_status,
context_handle,
qop_req,
message_buffer,
@@ -1632,22 +2050,167 @@
}
OM_uint32
-spnego_gss_verify(void *context,
+spnego_gss_verify_mic(
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t msg_buffer,
const gss_buffer_t token_buffer,
- int *qop_state)
+ gss_qop_t *qop_state)
{
OM_uint32 ret;
ret = gss_verify_mic(minor_status,
context_handle,
msg_buffer,
token_buffer,
- (gss_qop_t *)qop_state); /* XXX */
+ qop_state);
return (ret);
}
+OM_uint32
+spnego_gss_inquire_sec_context_by_oid(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 ret;
+ ret = gss_inquire_sec_context_by_oid(minor_status,
+ context_handle,
+ desired_object,
+ data_set);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_set_sec_context_option(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ OM_uint32 ret;
+ ret = gss_set_sec_context_option(minor_status,
+ context_handle,
+ desired_object,
+ value);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_wrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t input_payload_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ OM_uint32 ret;
+ ret = gss_wrap_aead(minor_status,
+ context_handle,
+ conf_req_flag,
+ qop_req,
+ input_assoc_buffer,
+ input_payload_buffer,
+ conf_state,
+ output_message_buffer);
+
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_unwrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t output_payload_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ OM_uint32 ret;
+ ret = gss_unwrap_aead(minor_status,
+ context_handle,
+ input_message_buffer,
+ input_assoc_buffer,
+ output_payload_buffer,
+ conf_state,
+ qop_state);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_wrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ ret = gss_wrap_iov(minor_status,
+ context_handle,
+ conf_req_flag,
+ qop_req,
+ conf_state,
+ iov,
+ iov_count);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ ret = gss_unwrap_iov(minor_status,
+ context_handle,
+ conf_state,
+ qop_state,
+ iov,
+ iov_count);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ ret = gss_wrap_iov_length(minor_status,
+ context_handle,
+ conf_req_flag,
+ qop_req,
+ conf_state,
+ iov,
+ iov_count);
+ return (ret);
+}
+
+
+OM_uint32
+spnego_gss_complete_auth_token(
+ OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer)
+{
+ OM_uint32 ret;
+ ret = gss_complete_auth_token(minor_status,
+ context_handle,
+ input_message_buffer);
+ return (ret);
+}
+
/*
* We will release everything but the ctx_handle so that it
* can be passed back to init/accept context. This routine should
@@ -2005,30 +2568,6 @@
return (0);
}
-/*
- * der encode the passed req_flags into buf_out, advancing
- * the buffer pointer.
- */
-
-static int
-put_req_flags(unsigned char **buf_out, OM_uint32 req_flags,
- unsigned int buflen)
-{
- int ret = 0;
- if (buflen < 6)
- return (-1);
-
- *(*buf_out)++ = CONTEXT | 0x01;
- if ((ret = gssint_put_der_length(4, buf_out, buflen-1)) != 0)
- return (ret);
-
- *(*buf_out)++ = BIT_STRING;
- *(*buf_out)++ = BIT_STRING_LENGTH;
- *(*buf_out)++ = BIT_STRING_PADDING;
- *(*buf_out)++ = (unsigned char) (req_flags << 1);
- return (ret);
-}
-
static OM_uint32
get_negTokenInit(OM_uint32 *minor_status,
gss_buffer_t buf,
@@ -2238,8 +2777,14 @@
unsigned int i;
for (i = 0; i < mechset->count; i++) {
- gss_test_oid_set_member(minor_status, &mechset->elements[i],
- supported_mechSet, &present);
+ gss_OID mech_oid = &mechset->elements[i];
+
+ /* Accept wrong mechanism OID from MS clients */
+ if (mech_oid->length == gss_mech_krb5_wrong_oid.length &&
+ memcmp(mech_oid->elements, gss_mech_krb5_wrong_oid.elements, mech_oid->length) == 0)
+ mech_oid = (gss_OID)&gss_mech_krb5_oid;;
+
+ gss_test_oid_set_member(minor_status, mech_oid, supported_mechSet, &present);
if (!present)
continue;
@@ -2272,14 +2817,7 @@
static spnego_token_t
make_spnego_token(char *name)
{
- spnego_token_t token;
-
- token = (spnego_token_t)malloc(strlen(name)+1);
-
- if (token == NULL)
- return (NULL);
- strcpy(token, name);
- return (token);
+ return (spnego_token_t)strdup(name);
}
static gss_buffer_desc
@@ -2306,6 +2844,7 @@
*/
static int
make_spnego_tokenInit_msg(spnego_gss_ctx_id_t spnego_ctx,
+ int negHintsCompat,
gss_buffer_t mechListMIC, OM_uint32 req_flags,
gss_buffer_t data, send_token_flag sendtoken,
gss_buffer_t outbuf)
@@ -2336,13 +2875,6 @@
gssint_der_length_size(spnego_ctx->DER_mechTypes.length) +
spnego_ctx->DER_mechTypes.length;
dataLen += mechListTokenSize;
- /*
- * 4 bytes for ret_flags:
- * ASN.1 token + ASN.1 Length + Padding + Flags
- * 0xa1 LENGTH BIT_STRING BIT_STRING_LEN PAD DATA
- */
- if (req_flags != 0)
- dataLen += 6;
/*
* If a token from gss_init_sec_context exists,
@@ -2420,7 +2952,7 @@
tlen - (int)(ptr-t))))
goto errout;
- *ptr++ = CONTEXT; /* MechTypeList identifier */
+ *ptr++ = CONTEXT | 0x00; /* MechTypeList identifier */
if ((ret = gssint_put_der_length(spnego_ctx->DER_mechTypes.length,
&ptr, tlen - (int)(ptr-t))))
goto errout;
@@ -2431,12 +2963,6 @@
ptr += spnego_ctx->DER_mechTypes.length;
- if (req_flags != 0) {
- if ((ret = put_req_flags(&ptr, req_flags,
- tlen - (int)(ptr-t))))
- goto errout;
- }
-
if (data != NULL) {
*ptr++ = CONTEXT | 0x02;
if ((ret = gssint_put_der_length(rspTokenSize,
@@ -2454,7 +2980,12 @@
&ptr, tlen - (int)(ptr - t))))
goto errout;
- if ((ret = put_input_token(&ptr, mechListMIC,
+ if (negHintsCompat) {
+ ret = put_neg_hints(&ptr, mechListMIC,
+ tlen - (int)(ptr - t));
+ if (ret)
+ goto errout;
+ } else if ((ret = put_input_token(&ptr, mechListMIC,
tlen - (int)(ptr - t))))
goto errout;
}
@@ -2737,7 +3268,7 @@
unsigned char *ptr = *buf;
int ret = -1; /* pessimists, assume failure ! */
unsigned int encoded_len;
- int tmplen = 0;
+ unsigned int tmplen = 0;
*outlen = 0;
if (buflen > 1 && *ptr == tag) {
@@ -2883,3 +3414,26 @@
return (ret);
}
+
+/*
+ * Return non-zero if the oid is one of the kerberos mech oids,
+ * otherwise return zero.
+ *
+ * N.B. There are 3 oids that represent the kerberos mech:
+ * RFC-specified GSS_MECH_KRB5_OID,
+ * Old pre-RFC GSS_MECH_KRB5_OLD_OID,
+ * Incorrect MS GSS_MECH_KRB5_WRONG_OID
+ */
+
+static int
+is_kerb_mech(gss_OID oid)
+{
+ int answer = 0;
+ OM_uint32 minor;
+ extern const gss_OID_set_desc * const gss_mech_set_krb5_both;
+
+ (void) gss_test_oid_set_member(&minor,
+ oid, (gss_OID_set)gss_mech_set_krb5_both, &answer);
+
+ return (answer);
+}
Modified: branches/mkey_migrate/src/lib/kadm5/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -100,111 +100,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-kadm_err.so kadm_err.po $(OUTPRE)kadm_err.$(OBJEXT): \
- $(COM_ERR_DEPS) kadm_err.c
-chpass_util_strings.so chpass_util_strings.po $(OUTPRE)chpass_util_strings.$(OBJEXT): \
- $(COM_ERR_DEPS) chpass_util_strings.c
-ovsec_glue.so ovsec_glue.po $(OUTPRE)ovsec_glue.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h ovsec_glue.c
-misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h admin_internal.h misc_free.c \
- server_internal.h
-kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/admin_xdr.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h kadm_rpc_xdr.c
-chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h admin_internal.h chpass_util.c
-alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- alt_prof.c
-str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h admin_internal.h str_conv.c
-logger.so logger.po $(OUTPRE)logger.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- logger.c
Modified: branches/mkey_migrate/src/lib/kadm5/admin.h
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/admin.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/admin.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -516,6 +516,8 @@
krb5_error_code kadm5_init_krb5_context (krb5_context *);
+krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args);
+
/*
* kadm5_get_principal_keys is used only by kadmin.local to extract existing
* keys from the database without changing them. It should never be exposed
Modified: branches/mkey_migrate/src/lib/kadm5/alt_prof.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/alt_prof.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/alt_prof.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -73,42 +73,28 @@
krb5_error_code kret;
profile_t profile;
const char *kdc_config;
- size_t krb5_config_len, kdc_config_len;
char *profile_path;
char **filenames;
int i;
+ struct k5buf buf;
kret = krb5_get_default_config_files (&filenames);
if (kret)
return kret;
- krb5_config_len = 0;
- for (i = 0; filenames[i] != NULL; i++)
- krb5_config_len += strlen(filenames[i]) + 1;
- if (i > 0)
- krb5_config_len--;
- if (envname == NULL
- || (kdc_config = getenv(envname)) == NULL)
+ if (envname == NULL || (kdc_config = getenv(envname)) == NULL)
kdc_config = fname;
- if (kdc_config == NULL)
- kdc_config_len = 0;
- else
- kdc_config_len = strlen(kdc_config);
- profile_path = malloc(2 + krb5_config_len + kdc_config_len);
- if (profile_path == NULL) {
- krb5_free_config_files(filenames);
- return ENOMEM;
+ krb5int_buf_init_dynamic(&buf);
+ if (kdc_config)
+ krb5int_buf_add(&buf, kdc_config);
+ for (i = 0; filenames[i] != NULL; i++) {
+ if (krb5int_buf_len(&buf) > 0)
+ krb5int_buf_add(&buf, ":");
+ krb5int_buf_add(&buf, filenames[i]);
}
- if (kdc_config_len)
- strcpy(profile_path, kdc_config);
- else
- profile_path[0] = 0;
- if (krb5_config_len)
- for (i = 0; filenames[i] != NULL; i++) {
- if (kdc_config_len || i)
- strcat(profile_path, ":");
- strcat(profile_path, filenames[i]);
- }
krb5_free_config_files(filenames);
+ profile_path = krb5int_buf_data(&buf);
+ if (profile_path == NULL)
+ return ENOMEM;
profile = (profile_t) NULL;
kret = profile_init_path(profile_path, &profile);
free(profile_path);
@@ -156,7 +142,7 @@
{
static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
- int i;
+ unsigned int i;
for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
if (!strcasecmp(string, yes[i])) {
@@ -192,6 +178,7 @@
}
valp = values[idx];
kret = string_to_boolean (valp, &val);
+ profile_free_list(values);
if (kret)
return kret;
*retdata = val;
@@ -235,9 +222,7 @@
kret = krb5_string_to_deltat(valp, deltatp);
/* Free the string storage */
- for (idx=0; values[idx]; idx++)
- krb5_xfree(values[idx]);
- krb5_xfree(values);
+ profile_free_list(values);
}
return(kret);
}
@@ -265,22 +250,25 @@
{
krb5_error_code kret;
char **values;
- int idx, i;
+ int lastidx;
if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
- idx = 0;
+ for (lastidx=0; values[lastidx]; lastidx++);
+ lastidx--;
+
+ /* Excise the entry we want from the null-terminated list,
+ and free up the rest. */
if (uselast) {
- for (idx=0; values[idx]; idx++);
- idx--;
+ *stringp = values[lastidx];
+ values[lastidx] = NULL;
+ } else {
+ *stringp = values[0];
+ values[0] = values[lastidx];
+ values[lastidx] = NULL;
}
- *stringp = values[idx];
-
/* Free the string storage */
- for (i=0; values[i]; i++)
- if (i != idx)
- krb5_xfree(values[i]);
- krb5_xfree(values);
+ profile_free_list(values);
}
return(kret);
}
@@ -322,9 +310,7 @@
kret = EINVAL;
/* Free the string storage */
- for (idx=0; values[idx]; idx++)
- krb5_xfree(values[idx]);
- krb5_xfree(values);
+ profile_free_list(values);
}
return(kret);
}
@@ -798,15 +784,16 @@
kadm5_config_params *params;
{
if (params) {
- krb5_xfree(params->dbname);
- krb5_xfree(params->mkey_name);
- krb5_xfree(params->stash_file);
- krb5_xfree(params->keysalts);
+ free(params->dbname);
+ free(params->mkey_name);
+ free(params->stash_file);
+ free(params->keysalts);
free(params->admin_server);
free(params->admin_keytab);
free(params->dict_file);
free(params->acl_file);
free(params->realm);
+ free(params->iprop_logfile);
}
return(0);
}
Modified: branches/mkey_migrate/src/lib/kadm5/clnt/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/clnt/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/clnt/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,8 +14,8 @@
$(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(COM_ERR_DEPLIB)
-SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
+ $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP)
+SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
RELDIR=kadm5/clnt
@@ -75,92 +75,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-clnt_policy.so clnt_policy.po $(OUTPRE)clnt_policy.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h client_internal.h clnt_policy.c
-client_rpc.so client_rpc.po $(OUTPRE)client_rpc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h client_rpc.c
-client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h client_internal.h client_principal.c
-client_init.so client_init.po $(OUTPRE)client_init.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_gssapi.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h client_init.c client_internal.h
-clnt_privs.so clnt_privs.po $(OUTPRE)clnt_privs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h client_internal.h clnt_privs.c
-clnt_chpass_util.so clnt_chpass_util.po $(OUTPRE)clnt_chpass_util.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h client_internal.h \
- clnt_chpass_util.c
Modified: branches/mkey_migrate/src/lib/kadm5/clnt/client_init.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/clnt/client_init.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/clnt/client_init.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -839,7 +839,7 @@
* libkdb's ulog functions. The srv equivalent makes the actual calls.
*/
krb5_error_code
-kadm5_init_iprop(void *handle)
+kadm5_init_iprop(void *handle, char **db_args)
{
return (0);
}
Modified: branches/mkey_migrate/src/lib/kadm5/clnt/client_principal.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/clnt/client_principal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/clnt/client_principal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,6 +14,7 @@
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
+#include <string.h>
#include <errno.h>
#include "client_internal.h"
Modified: branches/mkey_migrate/src/lib/kadm5/clnt/client_rpc.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/clnt/client_rpc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/clnt/client_rpc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,6 +2,8 @@
#include <kadm5/kadm_rpc.h>
#include <krb5.h>
#include <kadm5/admin.h>
+#include <string.h> /* for memset prototype */
+
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
Copied: branches/mkey_migrate/src/lib/kadm5/clnt/deps (from rev 21721, trunk/src/lib/kadm5/clnt/deps)
Copied: branches/mkey_migrate/src/lib/kadm5/deps (from rev 21721, trunk/src/lib/kadm5/deps)
Modified: branches/mkey_migrate/src/lib/kadm5/logger.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/logger.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/logger.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -569,7 +569,7 @@
{ "LOCAL7", LOG_LOCAL7 },
#endif /* LOG_LOCAL7 */
};
- int j;
+ unsigned int j;
for (j = 0; j < sizeof(facilities)/sizeof(facilities[0]); j++)
if (!strcasecmp(cp2, facilities[j].name)) {
@@ -664,10 +664,7 @@
log_control.log_nentries = 1;
}
if (log_control.log_nentries) {
- log_control.log_whoami = (char *) malloc(strlen(whoami)+1);
- if (log_control.log_whoami)
- strcpy(log_control.log_whoami, whoami);
-
+ log_control.log_whoami = strdup(whoami);
log_control.log_hostname = (char *) malloc(MAXHOSTNAMELEN + 1);
if (log_control.log_hostname) {
gethostname(log_control.log_hostname, MAXHOSTNAMELEN);
Modified: branches/mkey_migrate/src/lib/kadm5/srv/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -22,9 +22,9 @@
$(TOPLIBD)/libkdb5$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(COM_ERR_DEPLIB)
+ $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP)
SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
- -lkrb5 -lk5crypto -lcom_err @GEN_LIB@
+ -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err @GEN_LIB@
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
RELDIR=kadm5/srv
@@ -92,164 +92,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-svr_policy.so svr_policy.po $(OUTPRE)svr_policy.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h svr_policy.c
-svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h svr_principal.c
-server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h server_acl.c server_acl.h
-server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h server_kdb.c
-server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h server_misc.c
-server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \
- $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../gssapi/generic/gssapiP_generic.h $(srcdir)/../../gssapi/generic/gssapi_generic.h \
- $(srcdir)/../../gssapi/krb5/gssapiP_krb5.h server_init.c
-server_dict.so server_dict.po $(OUTPRE)server_dict.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h server_dict.c
-svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h svr_iters.c
-svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h svr_chpass_util.c
-adb_xdr.so adb_xdr.po $(OUTPRE)adb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/admin_xdr.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h adb_xdr.c
Copied: branches/mkey_migrate/src/lib/kadm5/srv/deps (from rev 21721, trunk/src/lib/kadm5/srv/deps)
Modified: branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,7 @@
_kadm5_check_handle
_kadm5_chpass_principal_util
kadm5int_acl_check
+kadm5int_acl_check_krb
kadm5int_acl_finish
kadm5int_acl_impose_restrictions
kadm5int_acl_init
Modified: branches/mkey_migrate/src/lib/kadm5/srv/server_acl.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/server_acl.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/server_acl.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -217,9 +217,8 @@
}
}
if (opok) {
- acle->ae_name = (char *) malloc(strlen(acle_principal)+1);
+ acle->ae_name = strdup(acle_principal);
if (acle->ae_name) {
- strcpy(acle->ae_name, acle_principal);
acle->ae_principal = (krb5_principal) NULL;
acle->ae_name_bad = 0;
DPRINT(DEBUG_ACL, acl_debug_level,
@@ -737,6 +736,42 @@
}
/*
+ * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
+ */
+krb5_boolean
+kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
+ krb5_context kcontext;
+ krb5_const_principal caller_princ;
+ krb5_int32 opmask;
+ krb5_const_principal principal;
+ restriction_t **restrictions;
+{
+ krb5_boolean retval;
+ aent_t *aentry;
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
+
+ retval = FALSE;
+
+ aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
+ if (aentry) {
+ if ((aentry->ae_op_allowed & opmask) == opmask) {
+ retval = TRUE;
+ if (restrictions) {
+ *restrictions =
+ (aentry->ae_restrictions && aentry->ae_restrictions->mask)
+ ? aentry->ae_restrictions
+ : (restriction_t *) NULL;
+ }
+ }
+ }
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
+ retval));
+ return retval;
+}
+
+/*
* kadm5int_acl_check() - Is this operation permitted for this principal?
* this code used not to be based on gssapi. In order
* to minimize porting hassles, I've put all the
@@ -753,47 +788,30 @@
restriction_t **restrictions;
{
krb5_boolean retval;
- aent_t *aentry;
gss_buffer_desc caller_buf;
gss_OID caller_oid;
OM_uint32 emaj, emin;
krb5_error_code code;
krb5_principal caller_princ;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
-
if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf,
&caller_oid)))
- return(0);
+ return FALSE;
code = krb5_parse_name(kcontext, (char *) caller_buf.value,
&caller_princ);
gss_release_buffer(&emin, &caller_buf);
- if (code)
- return(code);
+ if (code != 0)
+ return FALSE;
- retval = 0;
+ retval = kadm5int_acl_check_krb(kcontext, caller_princ,
+ opmask, principal, restrictions);
- aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
- if (aentry) {
- if ((aentry->ae_op_allowed & opmask) == opmask) {
- retval = 1;
- if (restrictions) {
- *restrictions =
- (aentry->ae_restrictions && aentry->ae_restrictions->mask)
- ? aentry->ae_restrictions
- : (restriction_t *) NULL;
- }
- }
- }
-
krb5_free_principal(kcontext, caller_princ);
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
- retval));
- return(retval);
+ return retval;
}
kadm5_ret_t
Modified: branches/mkey_migrate/src/lib/kadm5/srv/server_acl.h
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/server_acl.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/server_acl.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -95,6 +95,12 @@
krb5_int32,
krb5_principal,
restriction_t **);
+krb5_boolean kadm5int_acl_check_krb
+ (krb5_context,
+ krb5_const_principal,
+ krb5_int32,
+ krb5_const_principal,
+ restriction_t **);
krb5_error_code kadm5int_acl_impose_restrictions
(krb5_context,
kadm5_principal_ent_rec *,
Modified: branches/mkey_migrate/src/lib/kadm5/srv/server_dict.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/server_dict.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/server_dict.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,6 +24,7 @@
#include "adm_proto.h"
#include <syslog.h>
#include "server_internal.h"
+#include "k5-platform.h"
static char **word_list = NULL; /* list of word pointers */
static char *word_block = NULL; /* actual word data */
Modified: branches/mkey_migrate/src/lib/kadm5/srv/svr_iters.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/svr_iters.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/svr_iters.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -86,7 +86,7 @@
/* and trailing null. If glob has no @, also allocate space for */
/* the realm. */
append_realm = (realm != NULL) && (strchr(glob, '@') == NULL);
- p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 2 : 0));
+ p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0));
if (p == NULL)
return ENOMEM;
*regexp = p;
@@ -120,6 +120,7 @@
if (append_realm) {
*p++ = '@';
+ *p++ = '.';
*p++ = '*';
}
Modified: branches/mkey_migrate/src/lib/kadm5/srv/svr_policy.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/svr_policy.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/svr_policy.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -12,6 +12,7 @@
#include <kadm5/admin.h>
#include "server_internal.h"
#include <stdlib.h>
+#include <string.h>
#include <errno.h>
#define MAX_PW_HISTORY 10
@@ -289,11 +290,10 @@
if( cnt != 1 )
return KADM5_UNK_POLICY;
- if ((entry->policy = (char *) malloc(strlen(t->name) + 1)) == NULL) {
+ if ((entry->policy = strdup(t->name)) == NULL) {
krb5_db_free_policy(handle->context, t);
return ENOMEM;
}
- strcpy(entry->policy, t->name);
entry->pw_min_life = t->pw_min_life;
entry->pw_max_life = t->pw_max_life;
entry->pw_min_length = t->pw_min_length;
Modified: branches/mkey_migrate/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/svr_principal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/srv/svr_principal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -763,18 +763,17 @@
if ((mask & KADM5_POLICY) &&
adb.policy && (adb.aux_attributes & KADM5_POLICY)) {
- if ((entry->policy = (char *) malloc(strlen(adb.policy) + 1)) == NULL) {
+ if ((entry->policy = strdup(adb.policy)) == NULL) {
ret = ENOMEM;
goto done;
}
- strcpy(entry->policy, adb.policy);
}
if (mask & KADM5_AUX_ATTRIBUTES)
entry->aux_attributes = adb.aux_attributes;
if ((mask & KADM5_PRINCIPAL) &&
- (ret = krb5_copy_principal(handle->context, principal,
+ (ret = krb5_copy_principal(handle->context, kdb.princ,
&entry->principal))) {
goto done;
}
Modified: branches/mkey_migrate/src/lib/kadm5/str_conv.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/str_conv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/str_conv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -173,45 +173,29 @@
int i;
krb5_flags pflags;
const char *sepstring;
- char *op;
- int initial;
- krb5_error_code retval;
+ struct k5buf buf;
- retval = 0;
- op = buffer;
pflags = 0;
- initial = 1;
sepstring = (sep) ? sep : flags_default_sep;
+ krb5int_buf_init_fixed(&buf, buffer, buflen);
/* Blast through the table matching all we can */
for (i=0; i<flags_table_nents; i++) {
if (flags & flags_table[i].fl_flags) {
- /* Found a match, see if it'll fit into the output buffer */
- if ((op+strlen(flags_table[i].fl_output)+strlen(sepstring)) <
- (buffer + buflen)) {
- if (!initial) {
- strcpy(op, sep);
- op += strlen(sep);
- }
- initial = 0;
- strcpy(op, flags_table[i].fl_output);
- op += strlen(flags_table[i].fl_output);
- }
- else {
- retval = ENOMEM;
- break;
- }
+ if (krb5int_buf_len(&buf) > 0)
+ krb5int_buf_add(&buf, sepstring);
+ krb5int_buf_add(&buf, flags_table[i].fl_output);
/* Keep track of what we matched */
pflags |= flags_table[i].fl_flags;
}
}
- if (!retval) {
- /* See if there's any leftovers */
- if (flags & ~pflags)
- retval = EINVAL;
- else if (initial)
- *buffer = '\0';
- }
- return(retval);
+ if (krb5int_buf_data(&buf) == NULL)
+ return(ENOMEM);
+
+ /* See if there's any leftovers */
+ if (flags & ~pflags)
+ return(EINVAL);
+
+ return(0);
}
krb5_error_code
@@ -221,8 +205,8 @@
size_t buflen;
{
if(flag < 0 || flag >= flags_table_nents) return ENOENT; /* End of list */
- if(strlen(flags_table[flag].fl_specifier) > buflen) return ENOMEM;
- strcpy(buffer, flags_table[flag].fl_specifier);
+ if(strlcpy(buffer, flags_table[flag].fl_specifier, buflen) >= buflen)
+ return ENOMEM;
return 0;
}
Modified: branches/mkey_migrate/src/lib/kadm5/unit-test/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/unit-test/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kadm5/unit-test/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -141,93 +141,3 @@
$(RM) server-iter-test iter-test.o
$(RM) server-setkey-test client-setkey-test setkey-test.o
$(RM) *.log *.plog *.sum *.psum unit-test-log.*
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)init-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h init-test.c
-$(OUTPRE)destroy-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/client_internal.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h destroy-test.c
-$(OUTPRE)handle-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/client_internal.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h handle-test.c
-$(OUTPRE)iter-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h iter-test.c
-$(OUTPRE)setkey-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h setkey-test.c
-$(OUTPRE)randkey-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h randkey-test.c
-$(OUTPRE)lock-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h lock-test.c
Copied: branches/mkey_migrate/src/lib/kadm5/unit-test/deps (from rev 21721, trunk/src/lib/kadm5/unit-test/deps)
Modified: branches/mkey_migrate/src/lib/kdb/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/kdb/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,119 +64,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-kdb5.so kdb5.po $(OUTPRE)kdb5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h adb_err.h kdb5.c kdb5.h
-encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h encrypt_key.c
-decrypt_key.so decrypt_key.po $(OUTPRE)decrypt_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h decrypt_key.c
-kdb_default.so kdb_default.po $(OUTPRE)kdb_default.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb_default.c
-kdb_cpw.so kdb_cpw.po $(OUTPRE)kdb_cpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb_cpw.c
-adb_err.so adb_err.po $(OUTPRE)adb_err.$(OBJEXT): $(COM_ERR_DEPS) \
- adb_err.c
-iprop_xdr.so iprop_xdr.po $(OUTPRE)iprop_xdr.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h iprop_xdr.c
-kdb_convert.so kdb_convert.po $(OUTPRE)kdb_convert.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kdb_convert.c
-kdb_log.so kdb_log.po $(OUTPRE)kdb_log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- $(SRCTOP)/include/iprop_hdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb5.h kdb_log.c
-keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_kt.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h keytab.c
Modified: branches/mkey_migrate/src/lib/kdb/decrypt_key.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/decrypt_key.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/decrypt_key.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -63,11 +63,11 @@
*/
krb5_error_code
-krb5_dbekd_decrypt_key_data( krb5_context context,
- const krb5_keyblock * mkey,
- const krb5_key_data * key_data,
- krb5_keyblock * dbkey,
- krb5_keysalt * keysalt)
+krb5_dbekd_def_decrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt)
{
krb5_error_code retval = 0;
krb5_int16 tmplen;
Copied: branches/mkey_migrate/src/lib/kdb/deps (from rev 21721, trunk/src/lib/kdb/deps)
Modified: branches/mkey_migrate/src/lib/kdb/encrypt_key.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/encrypt_key.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/encrypt_key.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -63,12 +63,12 @@
*/
krb5_error_code
-krb5_dbekd_encrypt_key_data( krb5_context context,
- const krb5_keyblock * mkey,
- const krb5_keyblock * dbkey,
- const krb5_keysalt * keysalt,
- int keyver,
- krb5_key_data * key_data)
+krb5_dbekd_def_encrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data)
{
krb5_error_code retval;
krb5_octet * ptr;
Modified: branches/mkey_migrate/src/lib/kdb/kdb5.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb5.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/kdb5.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -38,6 +38,7 @@
#include "kdb5.h"
#include <assert.h>
#include "kdb_log.h"
+#include "kdb5int.h"
/* Currently DB2 policy related errors are exported from DAL. But
other databases should set_err function to return string. */
@@ -259,6 +260,14 @@
if (lib->vftabl.promote_db == NULL) {
lib->vftabl.promote_db = krb5_def_promote_db;
}
+
+ if (lib->vftabl.dbekd_decrypt_key_data == NULL) {
+ lib->vftabl.dbekd_decrypt_key_data = krb5_dbekd_def_decrypt_key_data;
+ }
+
+ if (lib->vftabl.dbekd_encrypt_key_data == NULL) {
+ lib->vftabl.dbekd_encrypt_key_data = krb5_dbekd_def_encrypt_key_data;
+ }
}
static int kdb_db2_pol_err_loaded = 0;
@@ -288,7 +297,7 @@
goto clean_n_exit;
}
- strcpy((*lib)->name, lib_name);
+ strlcpy((*lib)->name, lib_name, sizeof((*lib)->name));
#if !defined(KDB5_USE_LIB_KDB_DB2) && !defined(KDB5_USE_LIB_TEST)
#error No database module defined
@@ -378,7 +387,7 @@
goto clean_n_exit;
}
- strcpy((*lib)->name, lib_name);
+ strlcpy((*lib)->name, lib_name, sizeof((*lib)->name));
/* Fetch the list of directories specified in the config
file(s) first. */
@@ -934,7 +943,7 @@
}
status =
- dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for,
+ dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for, 0,
entries, nentries,
more);
get_errmsg(kcontext, status);
@@ -945,6 +954,40 @@
}
krb5_error_code
+krb5_db_get_principal_ext(krb5_context kcontext,
+ krb5_const_principal search_for,
+ unsigned int flags,
+ krb5_db_entry * entries,
+ int *nentries, krb5_boolean * more)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for,
+ flags,
+ entries, nentries,
+ more);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count)
{
krb5_error_code status = 0;
@@ -1146,7 +1189,7 @@
upd->kdb_princ_name.utf8str_t_val = princ_name;
upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
- if ((status = ulog_add_update(kcontext, upd)))
+ if ((status = ulog_add_update(kcontext, upd)) != 0)
goto err_lock;
upd++;
}
@@ -1397,9 +1440,32 @@
}
krb5_error_code
-krb5_db_set_mkey_list(krb5_context context, krb5_keyblock_node * keylist)
+krb5_db_set_mkey_list(krb5_context kcontext,
+ krb5_keyblock_node * keylist)
{
- return krb5_db_set_master_key_ext(context, NULL, keylist);
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status = dal_handle->lib_handle->vftabl.set_master_key_list(kcontext, keylist);
+ get_errmsg(kcontext, status);
+
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
}
krb5_error_code
@@ -2054,23 +2120,14 @@
char **fullname, krb5_principal * principal)
{
krb5_error_code retval;
- size_t keylen;
- size_t rlen = strlen(realm);
char *fname;
if (!keyname)
keyname = KRB5_KDB_M_NAME; /* XXX external? */
- keylen = strlen(keyname);
-
- fname = malloc(keylen + rlen + strlen(REALM_SEP_STRING) + 1);
- if (!fname)
+ if (asprintf(&fname, "%s%s%s", keyname, REALM_SEP_STRING, realm) < 0)
return ENOMEM;
- strcpy(fname, keyname);
- strcat(fname, REALM_SEP_STRING);
- strcat(fname, realm);
-
if ((retval = krb5_parse_name(context, fname, principal)))
return retval;
if (fullname)
@@ -2832,3 +2889,125 @@
return status;
}
+krb5_error_code
+krb5_dbekd_decrypt_key_data( krb5_context kcontext,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.dbekd_decrypt_key_data(kcontext,
+ mkey, key_data, dbkey, keysalt);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
+krb5_dbekd_encrypt_key_data( krb5_context kcontext,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.dbekd_encrypt_key_data(kcontext,
+ mkey, dbkey, keysalt, keyver, key_data);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
+krb5_db_get_context(krb5_context context, void **db_context)
+{
+ *db_context = KRB5_DB_GET_DB_CONTEXT(context);
+ if (*db_context == NULL) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ return 0;
+}
+
+krb5_error_code
+krb5_db_set_context(krb5_context context, void *db_context)
+{
+ KRB5_DB_GET_DB_CONTEXT(context) = db_context;
+
+ return 0;
+}
+
+krb5_error_code
+krb5_db_invoke(krb5_context kcontext,
+ unsigned int method,
+ const krb5_data *req,
+ krb5_data *rep)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ if (dal_handle->lib_handle->vftabl.db_invoke == NULL) {
+ status = KRB5_KDB_DBTYPE_NOSUP;
+ goto clean_n_exit;
+ }
+
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.db_invoke(kcontext,
+ method,
+ req,
+ rep);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
Modified: branches/mkey_migrate/src/lib/kdb/kdb5.h
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb5.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/kdb5.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -10,189 +10,12 @@
#include <utime.h>
#include <k5-int.h>
#include "kdb.h"
+#include "kdb_ext.h"
-#define KDB_MAX_DB_NAME 128
-#define KDB_REALM_SECTION "realms"
-#define KDB_MODULE_POINTER "database_module"
-#define KDB_MODULE_DEF_SECTION "dbdefaults"
-#define KDB_MODULE_SECTION "dbmodules"
-#define KDB_LIB_POINTER "db_library"
-#define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH
-#define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV
-
-#define KRB5_DB_GET_DB_CONTEXT(kcontext) (((kdb5_dal_handle*) (kcontext)->db_context)->db_context)
+#define KRB5_DB_GET_DB_CONTEXT(kcontext) (((kdb5_dal_handle*) (kcontext)->dal_handle)->db_context)
#define KRB5_DB_GET_PROFILE(kcontext) ((kcontext)->profile)
#define KRB5_DB_GET_REALM(kcontext) ((kcontext)->default_realm)
-typedef struct _kdb_vftabl{
- short int maj_ver;
- short int min_ver;
-
- krb5_error_code (*init_library)();
- krb5_error_code (*fini_library)();
- krb5_error_code (*init_module) (krb5_context kcontext,
- char * conf_section,
- char ** db_args,
- int mode);
-
- krb5_error_code (*fini_module) (krb5_context kcontext);
-
- krb5_error_code (*db_create) (krb5_context kcontext,
- char * conf_section,
- char ** db_args);
-
- krb5_error_code (*db_destroy) (krb5_context kcontext,
- char *conf_section,
- char ** db_args);
-
- krb5_error_code (*db_get_age) (krb5_context kcontext,
- char *db_name,
- time_t *age);
-
- krb5_error_code (*db_set_option) (krb5_context kcontext,
- int option,
- void *value);
-
- krb5_error_code (*db_lock) (krb5_context kcontext,
- int mode);
-
- krb5_error_code (*db_unlock) (krb5_context kcontext);
-
- krb5_error_code (*db_get_principal) (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries,
- int *nentries,
- krb5_boolean *more);
-
- krb5_error_code (*db_free_principal) (krb5_context kcontext,
- krb5_db_entry *entry,
- int count);
-
- krb5_error_code (*db_put_principal) (krb5_context kcontext,
- krb5_db_entry *entries,
- int *nentries,
- char **db_args);
-
- krb5_error_code (*db_delete_principal) (krb5_context kcontext,
- krb5_const_principal search_for,
- int *nentries);
-
- krb5_error_code (*db_iterate) (krb5_context kcontext,
- char *match_entry,
- int (*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg);
-
- krb5_error_code (*db_create_policy) (krb5_context kcontext,
- osa_policy_ent_t policy);
-
- krb5_error_code (*db_get_policy) (krb5_context kcontext,
- char *name,
- osa_policy_ent_t *policy,
- int *cnt);
-
- krb5_error_code (*db_put_policy) (krb5_context kcontext,
- osa_policy_ent_t policy);
-
- krb5_error_code (*db_iter_policy) (krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data);
-
-
- krb5_error_code (*db_delete_policy) (krb5_context kcontext,
- char *policy);
-
- void (*db_free_policy) (krb5_context kcontext,
- osa_policy_ent_t val);
-
- krb5_error_code (*db_supported_realms) (krb5_context kcontext,
- char **realms);
-
- krb5_error_code (*db_free_supported_realms) (krb5_context kcontext,
- char **realms);
-
-
- const char * (*errcode_2_string) (krb5_context kcontext,
- long err_code);
- void (*release_errcode_string) (krb5_context kcontext, const char *msg);
-
- void * (*db_alloc) (krb5_context kcontext, void *ptr, size_t size);
- void (*db_free) (krb5_context kcontext, void *ptr);
-
-
-
- /* optional functions */
- krb5_error_code (*set_master_key) (krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key);
-
- krb5_error_code (*get_master_key) (krb5_context kcontext,
- krb5_keyblock **key);
-
- krb5_error_code (*set_master_key_list) (krb5_context kcontext,
- krb5_keyblock_node *keylist);
-
- krb5_error_code (*get_master_key_list) (krb5_context kcontext,
- krb5_keyblock_node **keylist);
-
-
- krb5_error_code (*setup_master_key_name) (krb5_context kcontext,
- char *keyname,
- char *realm,
- char **fullname,
- krb5_principal *principal);
-
- krb5_error_code (*store_master_key) (krb5_context kcontext,
- char *db_arg,
- krb5_principal mname,
- krb5_kvno kvno,
- krb5_keyblock *key,
- char *master_pwd);
-
- krb5_error_code (*fetch_master_key) (krb5_context kcontext,
- krb5_principal mname,
- krb5_keyblock *key,
- krb5_kvno *kvno,
- char *db_args);
-
- krb5_error_code (*verify_master_key) (krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey);
-
- krb5_error_code (*fetch_master_key_list) (krb5_context kcontext,
- krb5_principal mname,
- const krb5_keyblock *key,
- krb5_kvno kvno,
- krb5_keyblock_node **mkeys_list);
-
-
- krb5_error_code (*dbe_search_enctype) (krb5_context kcontext,
- krb5_db_entry *dbentp,
- krb5_int32 *start,
- krb5_int32 ktype,
- krb5_int32 stype,
- krb5_int32 kvno,
- krb5_key_data **kdatap);
-
-
- krb5_error_code
- (*db_change_pwd) (krb5_context context,
- krb5_keyblock * master_key,
- krb5_key_salt_tuple * ks_tuple,
- int ks_tuple_count,
- char * passwd,
- int new_kvno,
- krb5_boolean keepold,
- krb5_db_entry * db_entry);
-
- /* Promote a temporary database to be the live one. */
- krb5_error_code (*promote_db) (krb5_context context,
- char *conf_section,
- char **db_args);
-
-} kdb_vftabl;
-
typedef struct _db_library {
char name[KDB_MAX_DB_NAME];
int reference_cnt;
Copied: branches/mkey_migrate/src/lib/kdb/kdb5int.h (from rev 21721, trunk/src/lib/kdb/kdb5int.h)
Modified: branches/mkey_migrate/src/lib/kdb/kdb_convert.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_convert.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/kdb_convert.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -149,10 +149,10 @@
{
u->utf8str_t_len = d.length;
if (d.data) {
- /* XXX Is the data always a nul-terminated string? */
- u->utf8str_t_val = strdup(d.data);
+ u->utf8str_t_val = malloc(d.length);
if (u->utf8str_t_val == NULL)
return -1;
+ memcpy(u->utf8str_t_val, d.data, d.length);
} else
u->utf8str_t_val = NULL;
return 0;
@@ -225,100 +225,65 @@
* Maybe a return value should indicate success/failure?
*/
static void
-replace_with_utf8str(krb5_data *d, utf8str_t u)
+set_from_utf8str(krb5_data *d, utf8str_t u)
{
+ if (u.utf8str_t_len > INT_MAX-1 || u.utf8str_t_len >= SIZE_MAX-1) {
+ d->data = NULL;
+ return;
+ }
d->length = u.utf8str_t_len;
- /* XXX Memory leak: old d->data if realloc failed. */
- /* XXX Overflow check? d->length + 1. */
- d->data = realloc(d->data, d->length + 1);
+ d->data = malloc(d->length + 1);
if (d->data == NULL)
return;
- if (u.utf8str_t_val) /* May be null if length = 0. */
- strncpy(d->data, u.utf8str_t_val, d->length + 1);
+ if (d->length) /* Pointer may be null if length = 0. */
+ strncpy(d->data, u.utf8str_t_val, d->length);
d->data[d->length] = 0;
}
/*
* Converts the krb5_principal struct from ulog to db2 format.
*/
-static krb5_error_code
-conv_princ_2db(krb5_context context, krb5_principal *dbprinc,
- kdb_incr_update_t *upd,
- int cnt, princ_type tp,
- int princ_exists)
+static krb5_principal
+conv_princ_2db(krb5_context context, kdbe_princ_t *kdbe_princ)
{
int i;
krb5_principal princ;
- kdbe_princ_t *kdbe_princ;
kdbe_data_t *components;
- if (upd == NULL)
- return (KRB5KRB_ERR_GENERIC);
-
- if (princ_exists == 0) {
- princ = NULL;
- princ = (krb5_principal)malloc(sizeof (krb5_principal_data));
- if (princ == NULL) {
- return (ENOMEM);
- }
- } else {
- princ = *dbprinc;
+ princ = calloc(1, sizeof (krb5_principal_data));
+ if (princ == NULL) {
+ return NULL;
}
+ princ->length = 0;
+ princ->data = NULL;
- switch (tp) {
- case REG_PRINC:
- case MOD_PRINC:
- kdbe_princ = &ULOG_ENTRY(upd, cnt).av_princ; /* or av_mod_princ */
- components = kdbe_princ->k_components.k_components_val;
+ components = kdbe_princ->k_components.k_components_val;
- princ->type = (krb5_int32)
- kdbe_princ->k_nametype;
- if (princ_exists == 0)
- princ->realm.data = NULL;
- replace_with_utf8str(&princ->realm, kdbe_princ->k_realm);
- if (princ->realm.data == NULL)
- goto error;
+ princ->type = (krb5_int32) kdbe_princ->k_nametype;
+ princ->realm.data = NULL;
+ set_from_utf8str(&princ->realm, kdbe_princ->k_realm);
+ if (princ->realm.data == NULL)
+ goto error;
- /* Free up old entries we're about to release. */
- if (princ_exists) {
- for (i = kdbe_princ->k_components.k_components_len; i < princ->length; i++) {
- free(princ->data[i].data);
- princ->data[i].data = NULL;
- }
- } else
- princ->data = NULL;
- princ->data = (krb5_data *)realloc(princ->data,
- (princ->length * sizeof (krb5_data)));
- if (princ->data == NULL)
- /* XXX Memory leak: old storage not freed. */
- goto error;
- /* Initialize pointers in added component slots. */
- for (i = princ->length; i < kdbe_princ->k_components.k_components_len; i++) {
- princ->data[i].data = NULL;
- }
- princ->length = (krb5_int32)kdbe_princ->k_components.k_components_len;
+ princ->data = calloc(kdbe_princ->k_components.k_components_len,
+ sizeof (krb5_data));
+ if (princ->data == NULL)
+ goto error;
+ for (i = 0; i < kdbe_princ->k_components.k_components_len; i++)
+ princ->data[i].data = NULL;
+ princ->length = (krb5_int32)kdbe_princ->k_components.k_components_len;
- for (i = 0; i < princ->length; i++) {
- princ->data[i].magic =
- components[i].k_magic;
- if (princ_exists == 0)
- princ->data[i].data = NULL;
- replace_with_utf8str(&princ->data[i],
- components[i].k_data);
- if (princ->data[i].data == NULL)
- goto error;
- }
- break;
-
- default:
- break;
+ for (i = 0; i < princ->length; i++) {
+ princ->data[i].magic = components[i].k_magic;
+ set_from_utf8str(&princ->data[i], components[i].k_data);
+ if (princ->data[i].data == NULL)
+ goto error;
}
- *dbprinc = princ;
- return (0);
+ return princ;
error:
krb5_free_principal(context, princ);
- return (ENOMEM);
+ return NULL;
}
@@ -681,7 +646,7 @@
if (dbprincstr == NULL)
return (ENOMEM);
strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val,
- (upd->kdb_princ_name.utf8str_t_len + 1));
+ upd->kdb_princ_name.utf8str_t_len);
dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0;
ret = krb5_parse_name(context, dbprincstr, &dbprinc);
@@ -702,66 +667,63 @@
ent->n_tl_data = 0;
for (i = 0; i < nattrs; i++) {
+ krb5_principal tmpprinc = NULL;
+
+#define u (ULOG_ENTRY(upd, i))
switch (ULOG_ENTRY_TYPE(upd, i).av_type) {
case AT_ATTRFLAGS:
- ent->attributes = (krb5_flags)
- ULOG_ENTRY(upd, i).av_attrflags;
+ ent->attributes = (krb5_flags) u.av_attrflags;
break;
case AT_MAX_LIFE:
- ent->max_life = (krb5_deltat)
- ULOG_ENTRY(upd, i).av_max_life;
+ ent->max_life = (krb5_deltat) u.av_max_life;
break;
case AT_MAX_RENEW_LIFE:
- ent->max_renewable_life = (krb5_deltat)
- ULOG_ENTRY(upd, i).av_max_renew_life;
+ ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life;
break;
case AT_EXP:
- ent->expiration = (krb5_timestamp)
- ULOG_ENTRY(upd, i).av_exp;
+ ent->expiration = (krb5_timestamp) u.av_exp;
break;
case AT_PW_EXP:
- ent->pw_expiration = (krb5_timestamp)
- ULOG_ENTRY(upd, i).av_pw_exp;
+ ent->pw_expiration = (krb5_timestamp) u.av_pw_exp;
break;
case AT_LAST_SUCCESS:
- ent->last_success = (krb5_timestamp)
- ULOG_ENTRY(upd, i).av_last_success;
+ ent->last_success = (krb5_timestamp) u.av_last_success;
break;
case AT_LAST_FAILED:
- ent->last_failed = (krb5_timestamp)
- ULOG_ENTRY(upd, i).av_last_failed;
+ ent->last_failed = (krb5_timestamp) u.av_last_failed;
break;
case AT_FAIL_AUTH_COUNT:
- ent->fail_auth_count = (krb5_kvno)
- ULOG_ENTRY(upd, i).av_fail_auth_count;
+ ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
break;
case AT_PRINC:
- if ((ret = conv_princ_2db(context,
- &(ent->princ), upd,
- i, REG_PRINC, nprincs)))
- return (ret);
+ tmpprinc = conv_princ_2db(context, &u.av_princ);
+ if (tmpprinc == NULL)
+ return ENOMEM;
+ if (nprincs)
+ krb5_free_principal(context, ent->princ);
+ ent->princ = tmpprinc;
break;
case AT_KEYDATA:
if (nprincs != 0)
prev_n_keys = ent->n_key_data;
- ent->n_key_data = (krb5_int16)ULOG_ENTRY(upd,
- i).av_keydata.av_keydata_len;
+ else
+ prev_n_keys = 0;
+ ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len;
if (nprincs == 0)
ent->key_data = NULL;
- ent->key_data = (krb5_key_data *)realloc(
- ent->key_data,
- (ent->n_key_data *
- sizeof (krb5_key_data)));
+ ent->key_data = (krb5_key_data *)realloc(ent->key_data,
+ (ent->n_key_data *
+ sizeof (krb5_key_data)));
/* XXX Memory leak: Old key data in
records eliminated by resizing to
smaller size. */
@@ -770,37 +732,49 @@
return (ENOMEM);
/* BEGIN CSTYLED */
+ for (j = prev_n_keys; j < ent->n_key_data; j++) {
+ for (cnt = 0; cnt < 2; cnt++) {
+ ent->key_data[j].key_data_contents[cnt] = NULL;
+ }
+ }
for (j = 0; j < ent->n_key_data; j++) {
- ent->key_data[j].key_data_ver = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_ver;
- ent->key_data[j].key_data_kvno = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_kvno;
+ krb5_key_data *kp = &ent->key_data[j];
+ kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j);
+ kp->key_data_ver = (krb5_int16)kv->k_ver;
+ kp->key_data_kvno = (krb5_int16)kv->k_kvno;
+ if (kp->key_data_ver > 2) {
+ return EINVAL; /* XXX ? */
+ }
- for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) {
- ent->key_data[j].key_data_type[cnt] = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val[cnt];
- ent->key_data[j].key_data_length[cnt] = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[cnt].utf8str_t_len;
- if ((nprincs == 0) || (j >= prev_n_keys))
- ent->key_data[j].key_data_contents[cnt] = NULL;
+ for (cnt = 0; cnt < kp->key_data_ver; cnt++) {
+ void *newptr;
+ kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt];
+ kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len;
+ newptr = realloc(kp->key_data_contents[cnt],
+ kp->key_data_length[cnt]);
+ if (newptr == NULL)
+ return ENOMEM;
+ kp->key_data_contents[cnt] = newptr;
- ent->key_data[j].key_data_contents[cnt] = (krb5_octet *)realloc(ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]);
- if (ent->key_data[j].key_data_contents[cnt] == NULL)
- /* XXX Memory leak: old storage. */
- return (ENOMEM);
-
- (void) memset(ent->key_data[j].key_data_contents[cnt], 0, (ent->key_data[j].key_data_length[cnt] * sizeof (krb5_octet)));
- (void) memcpy(ent->key_data[j].key_data_contents[cnt], ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_length[cnt]);
+ (void) memset(kp->key_data_contents[cnt], 0,
+ kp->key_data_length[cnt]);
+ (void) memcpy(kp->key_data_contents[cnt],
+ kv->k_contents.k_contents_val[cnt].utf8str_t_val,
+ kp->key_data_length[cnt]);
}
}
break;
case AT_TL_DATA:
- cnt = ULOG_ENTRY(upd, i).av_tldata.av_tldata_len;
+ cnt = u.av_tldata.av_tldata_len;
newtl = malloc(cnt * sizeof (krb5_tl_data));
(void) memset(newtl, 0, (cnt * sizeof (krb5_tl_data)));
if (newtl == NULL)
return (ENOMEM);
- for (j = 0; j < cnt; j++){
- newtl[j].tl_data_type = (krb5_int16)ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_type;
- newtl[j].tl_data_length = (krb5_int16)ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_len;
+ for (j = 0; j < cnt; j++) {
+ newtl[j].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
+ newtl[j].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
newtl[j].tl_data_contents = NULL;
newtl[j].tl_data_contents = malloc(newtl[j].tl_data_length * sizeof (krb5_octet));
if (newtl[j].tl_data_contents == NULL)
@@ -810,15 +784,13 @@
return (ENOMEM);
(void) memset(newtl[j].tl_data_contents, 0, (newtl[j].tl_data_length * sizeof (krb5_octet)));
- (void) memcpy(newtl[j].tl_data_contents, ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val, newtl[j].tl_data_length);
+ (void) memcpy(newtl[j].tl_data_contents, u.av_tldata.av_tldata_val[j].tl_data.tl_data_val, newtl[j].tl_data_length);
newtl[j].tl_data_next = NULL;
if (j > 0)
- newtl[j - 1].tl_data_next =
- &newtl[j];
+ newtl[j - 1].tl_data_next = &newtl[j];
}
- if ((ret = krb5_dbe_update_tl_data(context,
- ent, newtl)))
+ if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
return (ret);
for (j = 0; j < cnt; j++)
if (newtl[j].tl_data_contents) {
@@ -833,32 +805,30 @@
/* END CSTYLED */
case AT_PW_LAST_CHANGE:
- if ((ret = krb5_dbe_update_last_pwd_change(
- context, ent,
- ULOG_ENTRY(upd, i).av_pw_last_change)))
+ if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
+ u.av_pw_last_change)))
return (ret);
break;
case AT_MOD_PRINC:
- if ((ret = conv_princ_2db(context,
- &mod_princ, upd,
- i, MOD_PRINC, 0)))
- return (ret);
+ tmpprinc = conv_princ_2db(context, &u.av_mod_princ);
+ if (tmpprinc == NULL)
+ return ENOMEM;
+ mod_princ = tmpprinc;
break;
case AT_MOD_TIME:
- mod_time = ULOG_ENTRY(upd, i).av_mod_time;
+ mod_time = u.av_mod_time;
break;
case AT_LEN:
- ent->len = (krb5_int16)
- ULOG_ENTRY(upd, i).av_len;
+ ent->len = (krb5_int16) u.av_len;
break;
default:
break;
}
-
+#undef u
}
/*
Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -144,19 +144,14 @@
char defkeyfile[MAXPATHLEN+1];
char *tmp_ktname = NULL, *tmp_ktpath;
krb5_data *realm = krb5_princ_realm(context, mname);
-#ifndef LEAN_CLIENT
- krb5_keytab kt;
+ krb5_keytab kt = NULL;
krb5_keytab_entry new_entry;
-#endif /* LEAN_CLIENT */
struct stat stb;
int statrc;
if (!keyfile) {
- (void) strcpy(defkeyfile, DEFAULT_KEYFILE_STUB);
- (void) strncat(defkeyfile, realm->data,
- min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
- realm->length));
- defkeyfile[sizeof(defkeyfile) - 1] = '\0';
+ (void) snprintf(defkeyfile, sizeof(defkeyfile), "%s%s",
+ DEFAULT_KEYFILE_STUB, realm->data);
keyfile = defkeyfile;
}
@@ -184,7 +179,14 @@
goto out;
}
- if (mktemp(tmp_ktname) == NULL) {
+ /*
+ * Set tmp_ktpath to point to the keyfile path (skip WRFILE:). Subtracting
+ * 1 to account for NULL terminator in sizeof calculation of a string
+ * constant. Used further down.
+ */
+ tmp_ktpath = tmp_ktname + (sizeof("WRFILE:") - 1);
+
+ if (mktemp(tmp_ktpath) == NULL) {
retval = errno;
krb5_set_error_message (context, retval,
"Could not create temp stash file: %s",
@@ -192,7 +194,6 @@
goto out;
}
-#ifndef LEAN_CLIENT
/* create new stash keytab using temp file name */
retval = krb5_kt_resolve(context, tmp_ktname, &kt);
if (retval != 0)
@@ -202,15 +203,7 @@
new_entry.principal = mname;
new_entry.key = *key;
new_entry.vno = kvno;
-#endif /* LEAN_CLIENT */
- /*
- * Set tmp_ktpath to point to the keyfile path (skip WRFILE:). Subtracting
- * 1 to account for NULL terminator in sizeof calculation of a string
- * constant. Used further down.
- */
- tmp_ktpath = tmp_ktname + (sizeof("WRFILE:") - 1);
-#ifndef LEAN_CLIENT
retval = krb5_kt_add_entry(context, kt, &new_entry);
if (retval != 0) {
/* delete tmp keyfile if it exists and an error occurrs */
@@ -225,11 +218,12 @@
tmp_ktpath, keyfile, error_message(errno));
}
}
-#endif /* LEAN_CLIENT */
out:
if (tmp_ktname != NULL)
free(tmp_ktname);
+ if (kt)
+ krb5_kt_close(context, kt);
return retval;
}
@@ -314,7 +308,6 @@
return retval;
}
-#ifndef LEAN_CLIENT
static krb5_error_code
krb5_db_def_fetch_mkey_keytab(krb5_context context,
const char *keyfile,
@@ -323,7 +316,7 @@
krb5_kvno *kvno)
{
krb5_error_code retval = 0;
- krb5_keytab kt;
+ krb5_keytab kt = NULL;
krb5_keytab_entry kt_ent;
krb5_enctype enctype = IGNORE_ENCTYPE;
@@ -373,9 +366,11 @@
}
errout:
+ if (kt)
+ krb5_kt_close(context, kt);
+
return retval;
}
-#endif /* LEAN_CLIENT */
/* XXX WAF: I'm now thinking this fucntion should check to see if the fetched
* key matches the latest mkey in the master princ. If it doesn't then the
@@ -397,27 +392,21 @@
if (db_args != NULL) {
(void) strncpy(keyfile, db_args, sizeof(keyfile));
} else {
- (void) strcpy(keyfile, DEFAULT_KEYFILE_STUB);
- (void) strncat(keyfile, realm->data,
- min(sizeof(keyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
- realm->length));
+ (void) snprintf(keyfile, sizeof(keyfile), "%s%s",
+ DEFAULT_KEYFILE_STUB, realm->data);
}
/* null terminate no matter what */
keyfile[sizeof(keyfile) - 1] = '\0';
-#ifndef LEAN_CLIENT
/* assume the master key is in a keytab */
retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
if (retval_kt != 0) {
-#endif /* LEAN_CLIENT */
/*
* If it's not in a keytab, fall back and try getting the mkey from the
* older stash file format.
*/
retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
-#ifndef LEAN_CLIENT
}
-#endif /* LEAN_CLIENT */
if (retval_kt != 0 && retval_ofs != 0) {
/*
Modified: branches/mkey_migrate/src/lib/kdb/kdb_log.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_log.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/kdb_log.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,6 +16,7 @@
#include <syslog.h>
#include "kdb5.h"
#include "kdb_log.h"
+#include "kdb5int.h"
/*
* This modules includes all the necessary functions that create and
@@ -73,7 +74,7 @@
(pagesize-1)) & (~(pagesize-1));
size = end - start;
- if (retval = msync((caddr_t)start, size, MS_SYNC)) {
+ if ((retval = msync((caddr_t)start, size, MS_SYNC))) {
return (retval);
}
@@ -186,10 +187,10 @@
recsize = sizeof (kdb_ent_header_t) + upd_size;
if (recsize > ulog->kdb_block) {
- if (retval = ulog_resize(ulog, ulogentries, ulogfd, recsize)) {
- /* Resize element array failed */
- return (retval);
- }
+ if ((retval = ulog_resize(ulog, ulogentries, ulogfd, recsize))) {
+ /* Resize element array failed */
+ return (retval);
+ }
}
cur_sno = ulog->kdb_last_sno;
@@ -227,7 +228,7 @@
if (!xdr_kdb_incr_update_t(&xdrs, upd))
return (KRB5_LOG_CONV);
- if (retval = ulog_sync_update(ulog, indx_log))
+ if ((retval = ulog_sync_update(ulog, indx_log)))
return (retval);
if (ulog->kdb_num < ulogentries)
@@ -280,7 +281,7 @@
ulog->kdb_state = KDB_STABLE;
- if (retval = ulog_sync_update(ulog, indx_log))
+ if ((retval = ulog_sync_update(ulog, indx_log)))
return (retval);
ulog_sync_header(ulog);
@@ -370,8 +371,8 @@
(upd->kdb_princ_name.utf8str_t_len + 1));
dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0;
- if (retval = krb5_parse_name(context, dbprincstr,
- &dbprinc)) {
+ if ((retval = krb5_parse_name(context, dbprincstr,
+ &dbprinc))) {
goto cleanup;
}
@@ -398,7 +399,7 @@
(void) memset(entry, 0, sizeof (krb5_db_entry));
- if (retval = ulog_conv_2dbentry(context, entry, upd, 1))
+ if ((retval = ulog_conv_2dbentry(context, entry, upd, 1)))
goto cleanup;
retval = krb5int_put_principal_no_log(context, entry,
@@ -441,7 +442,7 @@
{
XDR xdrs;
krb5_error_code retval = 0;
- int i;
+ unsigned int i;
kdb_ent_header_t *indx_log;
kdb_incr_update_t *upd = NULL;
kdb_incr_result_t *incr_ret = NULL;
Modified: branches/mkey_migrate/src/lib/kdb/keytab.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/keytab.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/keytab.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -41,9 +41,8 @@
krb5_ktkdb_get_name(krb5_context context, krb5_keytab keytab,
char *name, unsigned int namelen)
{
- if (namelen < sizeof("KDB:"))
+ if (strlcpy(name, "KDB:", namelen) >= namelen);
return KRB5_KT_NAME_TOOLONG;
- strcpy(name, "KDB:");
return 0;
}
@@ -179,6 +178,8 @@
kerror = krb5_dbe_find_enctype(context, &db_entry,
xrealm_tgt?enctype:-1,
-1, kvno, &key_data);
+ if (kerror == KRB5_KDB_NO_MATCHING_KEY)
+ kerror = KRB5_KT_KVNONOTFOUND;
if (kerror)
goto error;
Modified: branches/mkey_migrate/src/lib/kdb/libkdb5.exports
===================================================================
--- branches/mkey_migrate/src/lib/kdb/libkdb5.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/kdb/libkdb5.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,10 +14,14 @@
krb5_db_free_principal
krb5_db_get_age
krb5_db_get_mkey
+krb5_db_get_context
krb5_db_get_principal
+krb5_db_get_principal_ext
+krb5_db_invoke
krb5_db_iterate
krb5_db_lock
krb5_db_put_principal
+krb5_db_set_context
krb5_db_set_mkey
krb5_db_setup_mkey_name
krb5_db_unlock
Modified: branches/mkey_migrate/src/lib/krb5/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,8 +2,8 @@
myfulldir=lib/krb5
mydir=lib/krb5
BUILDTOP=$(REL)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/ccache -I$(srcdir)/keytab -I$(srcdir)/rcache -I$(srcdir)/os
-SUBDIRS= error_tables asn.1 ccache keytab krb os rcache
+LOCALINCLUDES = -I$(srcdir)/ccache -I$(srcdir)/keytab -I$(srcdir)/rcache -I$(srcdir)/os -I$(srcdir)/unicode
+SUBDIRS= error_tables asn.1 ccache keytab krb os rcache unicode
DEFS=
##DOSBUILDTOP = ..\..
@@ -32,6 +32,7 @@
keytab/OBJS.ST \
krb/OBJS.ST \
rcache/OBJS.ST \
+ unicode/OBJS.ST \
os/OBJS.ST \
$(BUILDTOP)/util/profile/OBJS.ST
@@ -42,6 +43,7 @@
keytab/OBJS.ST \
krb/OBJS.ST \
rcache/OBJS.ST \
+ unicode/OBJS.ST \
os/OBJS.ST \
$(BUILDTOP)/util/profile/OBJS.ST
@@ -93,6 +95,9 @@
cd ..\rcache
@echo Making in krb5\rcache
$(MAKE) -$(MFLAGS)
+ cd ..\unicode
+ @echo Making in krb5\unicode
+ $(MAKE) -$(MFLAGS)
cd ..
clean-windows::
@@ -120,6 +125,9 @@
cd ..\rcache
@echo Making clean in krb5\rcache
$(MAKE) -$(MFLAGS) clean
+ cd ..\unicode
+ @echo Making clean in krb5\unicode
+ $(MAKE) -$(MFLAGS) clean
cd ..
@echo Making clean locally
@@ -128,20 +136,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/ccache/cc-int.h $(srcdir)/keytab/kt-int.h \
- $(srcdir)/os/os-proto.h $(srcdir)/rcache/rc-int.h krb5_libinit.c \
- krb5_libinit.h
Deleted: branches/mkey_migrate/src/lib/krb5/asn.1/.saberinit
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/.saberinit 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/.saberinit 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,4 +0,0 @@
-alias hex print (unsigned)
-setopt load_flags -I../include
-load -lisode
-alias reload load
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -57,123 +57,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-asn1_decode.so asn1_decode.po $(OUTPRE)asn1_decode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_decode.c asn1_decode.h asn1_get.h asn1buf.h krbasn1.h
-asn1_k_decode.so asn1_k_decode.po $(OUTPRE)asn1_k_decode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_decode.h asn1_get.h asn1_k_decode.c asn1_k_decode.h \
- asn1_misc.h asn1buf.h krbasn1.h
-asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_encode.c asn1_encode.h asn1_make.h asn1buf.h krbasn1.h
-asn1_get.so asn1_get.po $(OUTPRE)asn1_get.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_get.c asn1_get.h asn1buf.h krbasn1.h
-asn1_make.so asn1_make.po $(OUTPRE)asn1_make.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_make.c asn1_make.h asn1buf.h krbasn1.h
-asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h asn1_get.h asn1buf.c \
- asn1buf.h krbasn1.h
-krb5_decode.so krb5_decode.po $(OUTPRE)krb5_decode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_decode.h asn1_get.h asn1_k_decode.h asn1buf.h \
- krb5_decode.c krbasn1.h
-krb5_encode.so krb5_encode.po $(OUTPRE)krb5_encode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_encode.h asn1_k_encode.h asn1_make.h asn1buf.h \
- krb5_encode.c krbasn1.h
-asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_encode.h asn1_k_encode.c asn1_k_encode.h asn1_make.h \
- asn1buf.h krbasn1.h
-ldap_key_seq.so ldap_key_seq.po $(OUTPRE)ldap_key_seq.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h asn1_decode.h asn1_encode.h \
- asn1_get.h asn1_make.h asn1buf.h krbasn1.h ldap_key_seq.c
-asn1_misc.so asn1_misc.po $(OUTPRE)asn1_misc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- asn1_misc.c asn1_misc.h krbasn1.h
Copied: branches/mkey_migrate/src/lib/krb5/asn.1/TODO.asn1 (from rev 21721, trunk/src/lib/krb5/asn.1/TODO.asn1)
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -259,3 +259,19 @@
*val = t;
cleanup();
}
+
+asn1_error_code asn1_decode_boolean(asn1buf *buf, unsigned *val)
+{
+ setup();
+ asn1_octet bval;
+
+ tag(ASN1_BOOLEAN);
+
+ retval = asn1buf_remove_octet(buf, &bval);
+ if (retval) return retval;
+
+ *val = (bval != 0x00);
+
+ cleanup();
+}
+
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_decode.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -59,6 +59,9 @@
Returns ENOMEM if memory is exhausted.
Returns asn1 errors. */
+
+asn1_error_code asn1_decode_boolean
+ (asn1buf *buf, unsigned int *val);
asn1_error_code asn1_decode_integer
(asn1buf *buf, long *val);
asn1_error_code asn1_decode_unsigned_integer
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
/*
* src/lib/krb5/asn.1/asn1_encode.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -30,7 +30,30 @@
#include "asn1_encode.h"
#include "asn1_make.h"
-static asn1_error_code asn1_encode_integer_internal(asn1buf *buf, long val,
+asn1_error_code asn1_encode_boolean(asn1buf *buf, asn1_intmax val,
+ unsigned int *retlen)
+{
+ asn1_error_code retval;
+ unsigned int length = 0;
+ unsigned int partlen = 1;
+ asn1_octet bval;
+
+ bval = val ? 0xFF : 0x00;
+
+ retval = asn1buf_insert_octet(buf, bval);
+ if (retval) return retval;
+
+ length = partlen;
+ retval = asn1_make_tag(buf, UNIVERSAL, PRIMITIVE, ASN1_BOOLEAN, length, &partlen);
+ if (retval) return retval;
+ length += partlen;
+
+ *retlen = length;
+ return 0;
+}
+
+static asn1_error_code asn1_encode_integer_internal(asn1buf *buf,
+ asn1_intmax val,
unsigned int *retlen)
{
asn1_error_code retval;
@@ -62,7 +85,7 @@
return 0;
}
-asn1_error_code asn1_encode_integer(asn1buf * buf, long val,
+asn1_error_code asn1_encode_integer(asn1buf * buf, asn1_intmax val,
unsigned int *retlen)
{
asn1_error_code retval;
@@ -80,6 +103,7 @@
return 0;
}
+#if 0
asn1_error_code
asn1_encode_enumerated(asn1buf * buf, long val,
unsigned int *retlen)
@@ -98,8 +122,9 @@
*retlen = length;
return 0;
}
+#endif
-asn1_error_code asn1_encode_unsigned_integer(asn1buf *buf, unsigned long val,
+asn1_error_code asn1_encode_unsigned_integer(asn1buf *buf, asn1_uintmax val,
unsigned int *retlen)
{
asn1_error_code retval;
@@ -115,7 +140,7 @@
if (retval) return retval;
length++;
valcopy = valcopy >> 8;
- } while (valcopy != 0 && valcopy != ~0);
+ } while (valcopy != 0);
if (digit&0x80) { /* make sure the high bit is */
retval = asn1buf_insert_octet(buf,0); /* of the proper signed-ness */
@@ -131,16 +156,18 @@
return 0;
}
-asn1_error_code asn1_encode_oid(asn1buf *buf, unsigned int len,
- const asn1_octet *val,
- unsigned int *retlen)
+static asn1_error_code
+encode_bytestring_with_tag(asn1buf *buf, unsigned int len,
+ const void *val, int tag,
+ unsigned int *retlen)
{
asn1_error_code retval;
unsigned int length;
+ if (len > 0 && val == 0) return ASN1_MISSING_FIELD;
retval = asn1buf_insert_octetstring(buf, len, val);
if (retval) return retval;
- retval = asn1_make_tag(buf, UNIVERSAL, PRIMITIVE, ASN1_OBJECTIDENTIFIER,
+ retval = asn1_make_tag(buf, UNIVERSAL, PRIMITIVE, tag,
len, &length);
if (retval) return retval;
@@ -148,37 +175,23 @@
return 0;
}
-asn1_error_code asn1_encode_octetstring(asn1buf *buf, unsigned int len,
- const asn1_octet *val,
- unsigned int *retlen)
+asn1_error_code asn1_encode_oid(asn1buf *buf, unsigned int len,
+ const asn1_octet *val,
+ unsigned int *retlen)
{
- asn1_error_code retval;
- unsigned int length;
-
- retval = asn1buf_insert_octetstring(buf,len,val);
- if (retval) return retval;
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_OCTETSTRING,len,&length);
- if (retval) return retval;
-
- *retlen = len + length;
- return 0;
+ return encode_bytestring_with_tag(buf, len, val, ASN1_OBJECTIDENTIFIER,
+ retlen);
}
-asn1_error_code asn1_encode_charstring(asn1buf *buf, unsigned int len,
- const char *val, unsigned int *retlen)
+asn1_error_code asn1_encode_octetstring(asn1buf *buf, unsigned int len,
+ const void *val,
+ unsigned int *retlen)
{
- asn1_error_code retval;
- unsigned int length;
-
- retval = asn1buf_insert_charstring(buf,len,val);
- if (retval) return retval;
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_OCTETSTRING,len,&length);
- if (retval) return retval;
-
- *retlen = len + length;
- return 0;
+ return encode_bytestring_with_tag(buf, len, val, ASN1_OCTETSTRING,
+ retlen);
}
+#if 0
asn1_error_code asn1_encode_null(asn1buf *buf, int *retlen)
{
asn1_error_code retval;
@@ -195,40 +208,23 @@
asn1_error_code asn1_encode_printablestring(asn1buf *buf, unsigned int len,
const char *val, int *retlen)
{
- asn1_error_code retval;
- unsigned int length;
-
- retval = asn1buf_insert_charstring(buf,len,val);
- if (retval) return retval;
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_PRINTABLESTRING,len, &length);
- if (retval) return retval;
-
- *retlen = len + length;
- return 0;
+ return encode_bytestring_with_tag(buf, len, val, ASN1_PRINTABLESTRING,
+ retlen);
}
asn1_error_code asn1_encode_ia5string(asn1buf *buf, unsigned int len,
const char *val, int *retlen)
{
- asn1_error_code retval;
- unsigned int length;
-
- retval = asn1buf_insert_charstring(buf,len,val);
- if (retval) return retval;
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_IA5STRING,len, &length);
- if (retval) return retval;
-
- *retlen = len + length;
- return 0;
+ return encode_bytestring_with_tag(buf, len, val, ASN1_IA5STRING,
+ retlen);
}
+#endif
asn1_error_code asn1_encode_generaltime(asn1buf *buf, time_t val,
unsigned int *retlen)
{
- asn1_error_code retval;
struct tm *gtime, gtimebuf;
char s[16], *sp;
- unsigned int length, sum=0;
time_t gmt_time = val;
/*
@@ -237,6 +233,7 @@
if (gmt_time == 0) {
sp = "19700101000000Z";
} else {
+ int len;
/*
* Sanity check this just to be paranoid, as gmtime can return NULL,
@@ -262,40 +259,436 @@
gtime->tm_mday > 31 || gtime->tm_hour > 23 ||
gtime->tm_min > 59 || gtime->tm_sec > 59)
return ASN1_BAD_GMTIME;
- if (snprintf(s, sizeof(s), "%04d%02d%02d%02d%02d%02dZ",
- 1900+gtime->tm_year, gtime->tm_mon+1, gtime->tm_mday,
- gtime->tm_hour, gtime->tm_min, gtime->tm_sec)
- >= sizeof(s))
+ len = snprintf(s, sizeof(s), "%04d%02d%02d%02d%02d%02dZ",
+ 1900+gtime->tm_year, gtime->tm_mon+1,
+ gtime->tm_mday, gtime->tm_hour,
+ gtime->tm_min, gtime->tm_sec);
+ if (SNPRINTF_OVERFLOW(len, sizeof(s)))
/* Shouldn't be possible given above tests. */
return ASN1_BAD_GMTIME;
sp = s;
}
- retval = asn1buf_insert_charstring(buf,15,sp);
+ return encode_bytestring_with_tag(buf, 15, sp, ASN1_GENERALTIME,
+ retlen);
+}
+
+asn1_error_code asn1_encode_generalstring(asn1buf *buf, unsigned int len,
+ const void *val,
+ unsigned int *retlen)
+{
+ return encode_bytestring_with_tag(buf, len, val, ASN1_GENERALSTRING,
+ retlen);
+}
+
+asn1_error_code asn1_encode_bitstring(asn1buf *buf, unsigned int len,
+ const void *val,
+ unsigned int *retlen)
+{
+ asn1_error_code retval;
+ unsigned int length;
+
+ retval = asn1buf_insert_octetstring(buf, len, val);
if (retval) return retval;
- sum = 15;
+ retval = asn1buf_insert_octet(buf, 0);
+ if (retval) return retval;
+ retval = asn1_make_tag(buf, UNIVERSAL, PRIMITIVE, ASN1_BITSTRING,
+ len+1, &length);
+ if (retval) return retval;
+ *retlen = len + 1 + length;
+ return 0;
+}
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_GENERALTIME,sum,&length);
+asn1_error_code asn1_encode_opaque(asn1buf *buf, unsigned int len,
+ const void *val, unsigned int *retlen)
+{
+ asn1_error_code retval;
+
+ retval = asn1buf_insert_octetstring(buf, len, val);
if (retval) return retval;
- sum += length;
+ *retlen = len;
+ return 0;
+}
+/* ASN.1 constructed type encoder engine
+
+ Two entry points here:
+
+ krb5int_asn1_encode_a_thing: Incrementally adds the partial
+ encoding of an object to an already-initialized asn1buf.
+
+ krb5int_asn1_do_full_encode: Returns a completed encoding, in the
+ correct byte order, in an allocated krb5_data. */
+
+#ifdef POINTERS_ARE_ALL_THE_SAME
+#define LOADPTR(PTR,TYPE) \
+ (assert((TYPE)->loadptr != NULL), (TYPE)->loadptr(PTR))
+#else
+#define LOADPTR(PTR,TYPE) \
+ (*(const void *const *)(PTR))
+#endif
+
+static int
+get_nullterm_sequence_len(const void *valp, const struct atype_info *seq)
+{
+ int i;
+ const struct atype_info *a;
+ const void *elt, *eltptr;
+
+ a = seq;
+ i = 0;
+ assert(a->type == atype_ptr);
+ assert(seq->size != 0);
+
+ while (1) {
+ eltptr = (const char *) valp + i * seq->size;
+ elt = LOADPTR(eltptr, a);
+ if (elt == NULL)
+ break;
+ i++;
+ }
+ return i;
+}
+static asn1_error_code
+encode_sequence_of(asn1buf *buf, int seqlen, const void *val,
+ const struct atype_info *eltinfo,
+ unsigned int *retlen);
+
+static asn1_error_code
+encode_nullterm_sequence_of(asn1buf *buf, const void *val,
+ const struct atype_info *type,
+ int can_be_empty,
+ unsigned int *retlen)
+{
+ int length = get_nullterm_sequence_len(val, type);
+ if (!can_be_empty && length == 0) return ASN1_MISSING_FIELD;
+ return encode_sequence_of(buf, length, val, type, retlen);
+}
+
+static asn1_error_code
+just_encode_sequence(asn1buf *buf, const void *val,
+ const struct seq_info *seq,
+ unsigned int *retlen);
+static asn1_error_code
+encode_a_field(asn1buf *buf, const void *val,
+ const struct field_info *field,
+ unsigned int *retlen);
+
+asn1_error_code
+krb5int_asn1_encode_a_thing(asn1buf *buf, const void *val,
+ const struct atype_info *a, unsigned int *retlen)
+{
+ switch (a->type) {
+ case atype_fn:
+ assert(a->enc != NULL);
+ return a->enc(buf, val, retlen);
+ case atype_sequence:
+ assert(a->seq != NULL);
+ return just_encode_sequence(buf, val, a->seq, retlen);
+ case atype_ptr:
+ assert(a->basetype != NULL);
+ return krb5int_asn1_encode_a_thing(buf, LOADPTR(val, a),
+ a->basetype, retlen);
+ case atype_field:
+ assert(a->field != NULL);
+ return encode_a_field(buf, val, a->field, retlen);
+ case atype_nullterm_sequence_of:
+ case atype_nonempty_nullterm_sequence_of:
+ assert(a->basetype != NULL);
+ return encode_nullterm_sequence_of(buf, val, a->basetype,
+ a->type == atype_nullterm_sequence_of,
+ retlen);
+ case atype_tagged_thing:
+ {
+ asn1_error_code retval;
+ unsigned int length, sum = 0;
+ retval = krb5int_asn1_encode_a_thing(buf, val, a->basetype, &length);
+ if (retval) return retval;
+ sum = length;
+ retval = asn1_make_etag(buf, a->tagtype, a->tagval, sum, &length);
+ if (retval) return retval;
+ sum += length;
+ *retlen = sum;
+ return 0;
+ }
+ case atype_int:
+ assert(a->loadint != NULL);
+ return asn1_encode_integer(buf, a->loadint(val), retlen);
+ case atype_uint:
+ assert(a->loaduint != NULL);
+ return asn1_encode_unsigned_integer(buf, a->loaduint(val), retlen);
+ case atype_min:
+ case atype_max:
+ case atype_fn_len:
+ default:
+ assert(a->type > atype_min);
+ assert(a->type < atype_max);
+ assert(a->type != atype_fn_len);
+ abort();
+ }
+}
+
+static asn1_error_code
+encode_a_field(asn1buf *buf, const void *val,
+ const struct field_info *field,
+ unsigned int *retlen)
+{
+ asn1_error_code retval;
+ unsigned int sum = 0;
+
+ if (val == NULL) return ASN1_MISSING_FIELD;
+
+ switch (field->ftype) {
+ case field_immediate:
+ {
+ unsigned int length;
+
+ retval = asn1_encode_integer(buf, (asn1_intmax) field->dataoff,
+ &length);
+ if (retval) return retval;
+ sum += length;
+ break;
+ }
+ case field_sequenceof_len:
+ {
+ const void *dataptr, *lenptr;
+ int slen;
+ unsigned int length;
+ const struct atype_info *a;
+
+ /* The field holds a pointer to the array of objects. So the
+ address we compute is a pointer-to-pointer, and that's what
+ field->atype must help us dereference. */
+ dataptr = (const char *)val + field->dataoff;
+ lenptr = (const char *)val + field->lenoff;
+ assert(field->atype->type == atype_ptr);
+ dataptr = LOADPTR(dataptr, field->atype);
+ a = field->atype->basetype;
+ assert(field->lentype != 0);
+ assert(field->lentype->type == atype_int || field->lentype->type == atype_uint);
+ assert(sizeof(int) <= sizeof(asn1_intmax));
+ assert(sizeof(unsigned int) <= sizeof(asn1_uintmax));
+ if (field->lentype->type == atype_int) {
+ asn1_intmax xlen = field->lentype->loadint(lenptr);
+ if (xlen < 0)
+ return EINVAL;
+ if ((unsigned int) xlen != (asn1_uintmax) xlen)
+ return EINVAL;
+ if ((unsigned int) xlen > INT_MAX)
+ return EINVAL;
+ slen = (int) xlen;
+ } else {
+ asn1_uintmax xlen = field->lentype->loaduint(lenptr);
+ if ((unsigned int) xlen != xlen)
+ return EINVAL;
+ if (xlen > INT_MAX)
+ return EINVAL;
+ slen = (int) xlen;
+ }
+ if (slen != 0 && dataptr == NULL)
+ return ASN1_MISSING_FIELD;
+ retval = encode_sequence_of(buf, slen, dataptr, a, &length);
+ if (retval) return retval;
+ sum += length;
+ break;
+ }
+ case field_normal:
+ {
+ const void *dataptr;
+ const struct atype_info *a;
+ unsigned int length;
+
+ dataptr = (const char *)val + field->dataoff;
+
+ a = field->atype;
+ assert(a->type != atype_fn_len);
+ retval = krb5int_asn1_encode_a_thing(buf, dataptr, a, &length);
+ if (retval) {
+ return retval;
+ }
+ sum += length;
+ break;
+ }
+ case field_string:
+ {
+ const void *dataptr, *lenptr;
+ const struct atype_info *a;
+ size_t slen;
+ unsigned int length;
+
+ dataptr = (const char *)val + field->dataoff;
+ lenptr = (const char *)val + field->lenoff;
+
+ a = field->atype;
+ assert(a->type == atype_fn_len);
+ assert(field->lentype != 0);
+ assert(field->lentype->type == atype_int || field->lentype->type == atype_uint);
+ assert(sizeof(int) <= sizeof(asn1_intmax));
+ assert(sizeof(unsigned int) <= sizeof(asn1_uintmax));
+ if (field->lentype->type == atype_int) {
+ asn1_intmax xlen = field->lentype->loadint(lenptr);
+ if (xlen < 0)
+ return EINVAL;
+ if ((size_t) xlen != (asn1_uintmax) xlen)
+ return EINVAL;
+ slen = (size_t) xlen;
+ } else {
+ asn1_uintmax xlen = field->lentype->loaduint(lenptr);
+ if ((size_t) xlen != xlen)
+ return EINVAL;
+ slen = (size_t) xlen;
+ }
+
+ dataptr = LOADPTR(dataptr, a);
+ if (slen == SIZE_MAX)
+ /* Error - negative or out of size_t range. */
+ return EINVAL;
+ if (dataptr == NULL && slen != 0)
+ return ASN1_MISSING_FIELD;
+ /* Currently our string encoders want "unsigned int" for
+ lengths. */
+ if (slen != (unsigned int) slen)
+ return EINVAL;
+ assert(a->enclen != NULL);
+ retval = a->enclen(buf, (unsigned int) slen, dataptr, &length);
+ if (retval) {
+ return retval;
+ }
+ sum += length;
+ break;
+ }
+ default:
+ assert(field->ftype > field_min);
+ assert(field->ftype < field_max);
+ assert(__LINE__ == 0);
+ abort();
+ }
+ if (field->tag >= 0) {
+ unsigned int length;
+ retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, field->tag, sum,
+ &length);
+ if (retval) {
+ return retval;
+ }
+ sum += length;
+ }
*retlen = sum;
return 0;
}
-asn1_error_code asn1_encode_generalstring(asn1buf *buf, unsigned int len,
- const char *val,
- unsigned int *retlen)
+static asn1_error_code
+encode_fields(asn1buf *buf, const void *val,
+ const struct field_info *fields, size_t nfields,
+ unsigned int optional,
+ unsigned int *retlen)
{
+ size_t i;
+ unsigned int sum = 0;
+ for (i = nfields; i > 0; i--) {
+ const struct field_info *f = fields+i-1;
+ unsigned int length;
+ asn1_error_code retval;
+ int present;
+
+ if (f->opt == -1)
+ present = 1;
+ else if ((1u << f->opt) & optional)
+ present = 1;
+ else
+ present = 0;
+ if (present) {
+ retval = encode_a_field(buf, val, f, &length);
+ if (retval) return retval;
+ sum += length;
+ }
+ }
+ *retlen = sum;
+ return 0;
+}
+
+static asn1_error_code
+just_encode_sequence(asn1buf *buf, const void *val,
+ const struct seq_info *seq,
+ unsigned int *retlen)
+{
+ const struct field_info *fields = seq->fields;
+ size_t nfields = seq->n_fields;
+ unsigned int optional;
asn1_error_code retval;
- unsigned int length;
+ unsigned int sum = 0;
- retval = asn1buf_insert_charstring(buf,len,val);
- if (retval) return retval;
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_GENERALSTRING,len,
- &length);
- if (retval) return retval;
+ if (seq->optional)
+ optional = seq->optional(val);
+ else
+ /* In this case, none of the field descriptors should indicate
+ that we examine any bits of this value. */
+ optional = 0;
+ {
+ unsigned int length;
+ retval = encode_fields(buf, val, fields, nfields, optional, &length);
+ if (retval) return retval;
+ sum += length;
+ }
+ {
+ unsigned int length;
+ retval = asn1_make_sequence(buf, sum, &length);
+ if (retval) return retval;
+ sum += length;
+ }
+ *retlen = sum;
+ return 0;
+}
- *retlen = len + length;
+static asn1_error_code
+encode_sequence_of(asn1buf *buf, int seqlen, const void *val,
+ const struct atype_info *eltinfo,
+ unsigned int *retlen)
+{
+ asn1_error_code retval;
+ unsigned int sum = 0;
+ int i;
+
+ for (i = seqlen-1; i >= 0; i--) {
+ const void *eltptr;
+ unsigned int length;
+ const struct atype_info *a = eltinfo;
+
+ assert(eltinfo->size != 0);
+ eltptr = (const char *)val + i * eltinfo->size;
+ retval = krb5int_asn1_encode_a_thing(buf, eltptr, a, &length);
+ if (retval) return retval;
+ sum += length;
+ }
+ {
+ unsigned int length;
+ retval = asn1_make_sequence(buf, sum, &length);
+ if (retval) return retval;
+ sum += length;
+ }
+ *retlen = sum;
return 0;
}
+
+krb5_error_code
+krb5int_asn1_do_full_encode(const void *rep, krb5_data **code,
+ const struct atype_info *a)
+{
+ unsigned int length;
+ asn1_error_code retval;
+ unsigned int sum = 0;
+ asn1buf *buf = NULL;
+
+ if (rep == NULL) return ASN1_MISSING_FIELD;
+
+ retval = asn1buf_create(&buf);
+ if (retval)
+ return retval;
+
+ retval = krb5int_asn1_encode_a_thing(buf, rep, a, &length);
+ if (retval)
+ return retval;
+ sum += length;
+ retval = asn12krb5_buf(buf, code);
+ asn1buf_destroy(&buf);
+ return retval;
+}
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_encode.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
/*
* src/lib/krb5/asn.1/asn1_encode.h
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -41,17 +41,20 @@
Operations
+ asn1_encode_boolean
asn1_encode_integer
+ asn1_encode_unsigned_integer
asn1_encode_octetstring
- asn1_encode_null
- asn1_encode_printablestring
- asn1_encode_ia5string
asn1_encode_generaltime
asn1_encode_generalstring
+ asn1_encode_bitstring
+ asn1_encode_oid
*/
+asn1_error_code asn1_encode_boolean
+ (asn1buf *buf, asn1_intmax val, unsigned int *retlen);
asn1_error_code asn1_encode_integer
- (asn1buf *buf, long val, unsigned int *retlen);
+ (asn1buf *buf, asn1_intmax val, unsigned int *retlen);
/* requires *buf is allocated
modifies *buf, *retlen
effects Inserts the encoding of val into *buf and returns
@@ -63,7 +66,7 @@
(asn1buf *buf, long val, unsigned int *retlen);
asn1_error_code asn1_encode_unsigned_integer
- (asn1buf *buf, unsigned long val,
+ (asn1buf *buf, asn1_uintmax val,
unsigned int *retlen);
/* requires *buf is allocated
modifies *buf, *retlen
@@ -74,7 +77,7 @@
asn1_error_code asn1_encode_octetstring
(asn1buf *buf,
- unsigned int len, const asn1_octet *val,
+ unsigned int len, const void *val,
unsigned int *retlen);
/* requires *buf is allocated
modifies *buf, *retlen
@@ -82,6 +85,7 @@
the length of the encoding in *retlen.
Returns ENOMEM to signal an unsuccesful attempt
to expand the buffer. */
+#define asn1_encode_charstring asn1_encode_octetstring
asn1_error_code asn1_encode_oid
(asn1buf *buf,
@@ -94,17 +98,6 @@
Returns ENOMEM to signal an unsuccesful attempt
to expand the buffer. */
-asn1_error_code asn1_encode_charstring
- (asn1buf *buf,
- unsigned int len, const char *val,
- unsigned int *retlen);
-/* requires *buf is allocated
- modifies *buf, *retlen
- effects Inserts the encoding of val into *buf and returns
- the length of the encoding in *retlen.
- Returns ENOMEM to signal an unsuccesful attempt
- to expand the buffer. */
-
asn1_error_code asn1_encode_null
(asn1buf *buf, int *retlen);
/* requires *buf is allocated
@@ -148,7 +141,7 @@
asn1_error_code asn1_encode_generalstring
(asn1buf *buf,
- unsigned int len, const char *val,
+ unsigned int len, const void *val,
unsigned int *retlen);
/* requires *buf is allocated, val has a length of len characters
modifies *buf, *retlen
@@ -157,4 +150,515 @@
Returns ENOMEM to signal an unsuccesful attempt
to expand the buffer. */
+asn1_error_code asn1_encode_bitstring(asn1buf *buf, unsigned int len,
+ const void *val,
+ unsigned int *retlen);
+/* requires *buf is allocated, val has a length of len characters
+ modifies *buf, *retlen
+ effects Inserts the encoding of val into *buf and returns
+ the length of the encoding in *retlen.
+ Returns ENOMEM to signal an unsuccesful attempt
+ to expand the buffer. */
+
+asn1_error_code asn1_encode_opaque(asn1buf *buf, unsigned int len,
+ const void *val,
+ unsigned int *retlen);
+/* requires *buf is allocated, val has a length of len characters
+ modifies *buf, *retlen
+ effects Inserts the encoding of val into *buf and returns
+ the length of the encoding in *retlen.
+ Returns ENOMEM to signal an unsuccesful attempt
+ to expand the buffer. */
+
+/* Type descriptor info.
+
+ In this context, a "type" is a combination of a C data type
+ and an ASN.1 encoding scheme for it. So we would have to define
+ different "types" for:
+
+ * unsigned char* encoded as octet string
+ * char* encoded as octet string
+ * char* encoded as generalstring
+ * krb5_data encoded as octet string
+ * krb5_data encoded as generalstring
+ * int32_t encoded as integer
+ * unsigned char encoded as integer
+
+ Perhaps someday some kind of flags could be defined so that minor
+ variations on the C types could be handled via common routines.
+
+ The handling of strings is pretty messy. Currently, we have a
+ separate kind of encoder function that takes an extra length
+ parameter. Perhaps we should just give up on that, always deal
+ with just a single location, and handle strings by via encoder
+ functions for krb5_data, keyblock, etc.
+
+ We wind up with a lot of load-time relocations being done, which is
+ a bit annoying. Be careful about "fixing" that at the cost of too
+ much run-time performance. It might work to have a master "module"
+ descriptor with pointers to various arrays (type descriptors,
+ strings, field descriptors, functions) most of which don't need
+ relocation themselves, and replace most of the pointers with table
+ indices.
+
+ It's a work in progress. */
+
+enum atype_type {
+ /* For bounds checking only. By starting with values above 1, we
+ guarantee that zero-initialized storage will be recognized as
+ invalid. */
+ atype_min = 1,
+ /* Encoder function to be called with address of <thing>. */
+ atype_fn,
+ /* Encoder function to be called with address of <thing> and a
+ length (unsigned int). */
+ atype_fn_len,
+ /* Pointer to actual thing to be encoded.
+
+ Most of the fields are related only to the C type -- size, how
+ to fetch a pointer in a type-safe fashion -- but since the base
+ type descriptor encapsulates the encoding as well, different
+ encodings for the same C type may require different pointer-to
+ types as well.
+
+ Must not refer to atype_fn_len. */
+ atype_ptr,
+ /* Sequence, with pointer to sequence descriptor header. */
+ atype_sequence,
+ /* Sequence-of, with pointer to base type descriptor, represented
+ as a null-terminated array of pointers (and thus the "base"
+ type descriptor is actually an atype_ptr node). */
+ atype_nullterm_sequence_of,
+ atype_nonempty_nullterm_sequence_of,
+ /* Encode this object using a single field descriptor. This may
+ mean the atype/field breakdown needs revision....
+
+ Main expected uses: Encode realm component of principal as a
+ GENERALSTRING. Pluck data and length fields out of a structure
+ and encode a counted SEQUENCE OF. */
+ atype_field,
+ /* Tagged version of another type. */
+ atype_tagged_thing,
+ /* Integer types. */
+ atype_int,
+ atype_uint,
+ /* Unused except for bounds checking. */
+ atype_max
+};
+
+/* Initialized structures could be a lot smaller if we could use C99
+ designated initializers, and a union for all the type-specific
+ stuff. Maybe use the hack we use for krb5int_access, where we use
+ a run-time initialize if the compiler doesn't support designated
+ initializers? That's a lot of work here, though, with so many
+ little structures. Maybe if/when these get auto-generated. */
+struct atype_info {
+ enum atype_type type;
+ /* used for sequence-of processing */
+ unsigned int size;
+ /* atype_fn */
+ asn1_error_code (*enc)(asn1buf *, const void *, unsigned int *);
+ /* atype_fn_len */
+ asn1_error_code (*enclen)(asn1buf *, unsigned int, const void *,
+ unsigned int *);
+ /* atype_ptr, atype_fn_len */
+ const void *(*loadptr)(const void *);
+ /* atype_ptr, atype_nullterm_sequence_of */
+ const struct atype_info *basetype;
+ /* atype_sequence */
+ const struct seq_info *seq;
+ /* atype_field */
+ const struct field_info *field;
+ /* atype_tagged_thing */
+ unsigned int tagval : 8, tagtype : 8;
+ /* atype_[u]int */
+ asn1_intmax (*loadint)(const void *);
+ asn1_uintmax (*loaduint)(const void *);
+};
+
+/* The various DEF*TYPE macros must:
+
+ + Define a type named aux_typedefname_##DESCNAME, for use in any
+ types derived from the type being defined.
+
+ + Define an atype_info struct named krb5int_asn1type_##DESCNAME.
+
+ + Define any extra stuff needed in the type descriptor, like
+ pointer-load functions.
+
+ + Accept a following semicolon syntactically, to keep Emacs parsing
+ (and indentation calculating) code happy.
+
+ Nothing else should directly define the atype_info structures. */
+
+/* Define a type for which we must use an explicit encoder function.
+ The DEFFNTYPE variant uses a function taking a void*, the
+ DEFFNXTYPE form wants a function taking a pointer to the actual C
+ type to be encoded; you should use the latter unless you've already
+ got the void* function supplied elsewhere.
+
+ Of course, we need a single, consistent type for the descriptor
+ structure field, so we use the function pointer type that uses
+ void*, and create a wrapper function in DEFFNXTYPE. However, in
+ all our cases so far, the supplied function is static and not used
+ otherwise, so the compiler can merge it with the wrapper function
+ if the optimizer is good enough. */
+#define DEFFNTYPE(DESCNAME, CTYPENAME, ENCFN) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_fn, sizeof(CTYPENAME), ENCFN, \
+ }
+#define DEFFNXTYPE(DESCNAME, CTYPENAME, ENCFN) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static asn1_error_code \
+ aux_encfn_##DESCNAME(asn1buf *buf, const void *val, \
+ unsigned int *retlen) \
+ { \
+ return ENCFN(buf, \
+ (const aux_typedefname_##DESCNAME *)val, \
+ retlen); \
+ } \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_fn, sizeof(CTYPENAME), aux_encfn_##DESCNAME, \
+ }
+/* XXX The handling of data+length fields really needs reworking.
+ A type descriptor probably isn't the right way.
+
+ Also, the C type is likely to be one of char*, unsigned char*,
+ or (maybe) void*. An enumerator or reference to an external
+ function would be more compact.
+
+ The supplied encoder function takes as an argument the data pointer
+ loaded from the indicated location, not the address of the field.
+ This isn't consistent with DEFFN[X]TYPE above, but all of the uses
+ of DEFFNLENTYPE are for string encodings, and that's how our
+ string-encoding primitives work. So be it. */
+#ifdef POINTERS_ARE_ALL_THE_SAME
+#define DEFFNLENTYPE(DESCNAME, CTYPENAME, ENCFN) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_fn_len, 0, 0, ENCFN, \
+ }
+#else
+#define DEFFNLENTYPE(DESCNAME, CTYPENAME, ENCFN) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static const void *loadptr_for_##DESCNAME(const void *pv) \
+ { \
+ const aux_typedefname_##DESCNAME *p = pv; \
+ return *p; \
+ } \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_fn_len, 0, 0, ENCFN, \
+ loadptr_for_##DESCNAME \
+ }
#endif
+/* A sequence, defined by the indicated series of fields, and an
+ optional function indicating which fields are present. */
+#define DEFSEQTYPE(DESCNAME, CTYPENAME, FIELDS, OPT) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static const struct seq_info aux_seqinfo_##DESCNAME = { \
+ OPT, FIELDS, sizeof(FIELDS)/sizeof(FIELDS[0]) \
+ }; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_sequence, sizeof(CTYPENAME), 0,0,0,0, \
+ &aux_seqinfo_##DESCNAME, \
+ }
+/* Integer types. */
+#define DEFINTTYPE(DESCNAME, CTYPENAME) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static asn1_intmax loadint_##DESCNAME(const void *p) \
+ { \
+ assert(sizeof(CTYPENAME) <= sizeof(asn1_intmax)); \
+ return *(const aux_typedefname_##DESCNAME *)p; \
+ } \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_int, sizeof(CTYPENAME), 0, 0, 0, 0, 0, 0, 0, 0, \
+ loadint_##DESCNAME, 0, \
+ }
+#define DEFUINTTYPE(DESCNAME, CTYPENAME) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static asn1_uintmax loaduint_##DESCNAME(const void *p) \
+ { \
+ assert(sizeof(CTYPENAME) <= sizeof(asn1_uintmax)); \
+ return *(const aux_typedefname_##DESCNAME *)p; \
+ } \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_uint, sizeof(CTYPENAME), 0, 0, 0, 0, 0, 0, 0, 0, \
+ 0, loaduint_##DESCNAME, \
+ }
+/* Pointers to other types, to be encoded as those other types. */
+#ifdef POINTERS_ARE_ALL_THE_SAME
+#define DEFPTRTYPE(DESCNAME,BASEDESCNAME) \
+ typedef aux_typedefname_##BASEDESCNAME * aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_ptr, sizeof(aux_typedefname_##DESCNAME), 0, 0, 0, \
+ &krb5int_asn1type_##BASEDESCNAME, 0 \
+ }
+#else
+#define DEFPTRTYPE(DESCNAME,BASEDESCNAME) \
+ typedef aux_typedefname_##BASEDESCNAME * aux_typedefname_##DESCNAME; \
+ static const void * \
+ loadptr_for_##BASEDESCNAME##_from_##DESCNAME(const void *p) \
+ { \
+ const aux_typedefname_##DESCNAME *inptr = p; \
+ const aux_typedefname_##BASEDESCNAME *retptr; \
+ retptr = *inptr; \
+ return retptr; \
+ } \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_ptr, sizeof(aux_typedefname_##DESCNAME), 0, 0, \
+ loadptr_for_##BASEDESCNAME##_from_##DESCNAME, \
+ &krb5int_asn1type_##BASEDESCNAME, 0 \
+ }
+#endif
+/* This encodes a pointer-to-pointer-to-thing where the passed-in
+ value points to a null-terminated list of pointers to objects to be
+ encoded, and encodes a (possibly empty) SEQUENCE OF these objects.
+
+ BASEDESCNAME is a descriptor name for the pointer-to-thing
+ type.
+
+ When dealing with a structure containing a
+ pointer-to-pointer-to-thing field, make a DEFPTRTYPE of this type,
+ and use that type for the structure field. */
+#define DEFNULLTERMSEQOFTYPE(DESCNAME,BASEDESCNAME) \
+ typedef aux_typedefname_##BASEDESCNAME aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_nullterm_sequence_of, sizeof(aux_typedefname_##DESCNAME), \
+ 0, 0, \
+ 0 /* loadptr */, \
+ &krb5int_asn1type_##BASEDESCNAME, 0 \
+ }
+#define DEFNONEMPTYNULLTERMSEQOFTYPE(DESCNAME,BASEDESCNAME) \
+ typedef aux_typedefname_##BASEDESCNAME aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_nonempty_nullterm_sequence_of, \
+ sizeof(aux_typedefname_##DESCNAME), \
+ 0, 0, \
+ 0 /* loadptr */, \
+ &krb5int_asn1type_##BASEDESCNAME, 0 \
+ }
+/* Encode a thing (probably sub-fields within the structure) as a
+ single object. */
+#define DEFFIELDTYPE(DESCNAME, CTYPENAME, FIELDINFO) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ static const struct field_info aux_fieldinfo_##DESCNAME = FIELDINFO; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_field, sizeof(CTYPENAME), 0, 0, 0, 0, 0, \
+ &aux_fieldinfo_##DESCNAME \
+ }
+/* Objects with an APPLICATION tag added. */
+#define DEFAPPTAGGEDTYPE(DESCNAME, TAG, BASEDESC) \
+ typedef aux_typedefname_##BASEDESC aux_typedefname_##DESCNAME; \
+ const struct atype_info krb5int_asn1type_##DESCNAME = { \
+ atype_tagged_thing, sizeof(aux_typedefname_##DESCNAME), \
+ 0, 0, 0, &krb5int_asn1type_##BASEDESC, 0, 0, TAG, APPLICATION \
+ }
+
+/* Declare an externally-defined type. This is a hack we should do
+ away with once we move to generating code from a script. For now,
+ this macro is unfortunately not compatible with the defining macros
+ above, since you can't do the typedefs twice and we need the
+ declarations to produce typedefs. (We could eliminate the typedefs
+ from the DEF* macros, but then every DEF* macro use, even the ones
+ for internal type nodes we only use to build other types, would
+ need an accompanying declaration which explicitly lists the
+ type.) */
+#define IMPORT_TYPE(DESCNAME, CTYPENAME) \
+ typedef CTYPENAME aux_typedefname_##DESCNAME; \
+ extern const struct atype_info krb5int_asn1type_##DESCNAME
+
+/* Create a partial-encoding function by the indicated name, for the
+ indicated type. Should only be needed until we've converted all of
+ the encoders, then everything should use descriptor tables. */
+extern asn1_error_code
+krb5int_asn1_encode_a_thing(asn1buf *buf, const void *val,
+ const struct atype_info *a, unsigned int *retlen);
+#define MAKE_ENCFN(FNAME,DESC) \
+ static asn1_error_code FNAME (asn1buf *buf, \
+ const aux_typedefname_##DESC *val, \
+ unsigned int *retlen) \
+ { \
+ return krb5int_asn1_encode_a_thing(buf, val, \
+ &krb5int_asn1type_##DESC, \
+ retlen); \
+ } \
+ extern int dummy /* gobble semicolon */
+
+/* Sequence field descriptor.
+
+ Currently we assume everything is a single object with a type
+ descriptor, and then we bolt on some ugliness on the side for
+ handling strings with length fields.
+
+ Anything with "interesting" encoding handling, like a sequence-of
+ or a pointer to the actual value to encode, is handled via opaque
+ types with their own encoder functions. Most of that should
+ eventually change. */
+
+enum field_type {
+ /* Unused except for range checking. */
+ field_min = 1,
+ /* Field ATYPE describes processing of field at DATAOFF. */
+ field_normal,
+ /* Encode an "immediate" integer value stored in DATAOFF, with no
+ reference to the data structure. */
+ field_immediate,
+ /* Encode some kind of string field encoded with pointer and
+ length. (A GENERALSTRING represented as a null-terminated C
+ string would be handled as field_normal.) */
+ field_string,
+ /* LENOFF indicates a value describing the length of the array at
+ DATAOFF, encoded as a sequence-of with the element type
+ described by ATYPE. */
+ field_sequenceof_len,
+ /* Unused except for range checking. */
+ field_max
+};
+/* To do: Consider using bitfields. */
+struct field_info {
+ /* Type of the field. */
+ unsigned int /* enum field_type */ ftype : 3;
+
+ /* Use of DATAOFF and LENOFF are described by the value in FTYPE.
+ Generally DATAOFF will be the offset from the supplied pointer
+ at which we find the object to be encoded. */
+ unsigned int dataoff : 9, lenoff : 9;
+
+ /* If TAG is non-negative, a context tag with that value is added
+ to the encoding of the thing. (XXX This would encode more
+ compactly as an unsigned bitfield value tagnum+1, with 0=no
+ tag.) The tag is omitted for optional fields that are not
+ present.
+
+ It's a bit illogical to combine the tag and other field info,
+ since really a sequence field could have zero or several
+ context tags, and of course a tag could be used elsewhere. But
+ the normal mode in the Kerberos ASN.1 description is to use one
+ context tag on each sequence field, so for now let's address
+ that case primarily and work around the other cases (thus tag<0
+ means skip tagging). */
+ signed int tag : 5;
+
+ /* If OPT is non-negative and the sequence header structure has a
+ function pointer describing which fields are present, OPT is
+ the bit position indicating whether the currently-described
+ element is present. (XXX Similar encoding issue.)
+
+ Note: Most of the time, I'm using the same number here as for
+ the context tag. This is just because it's easier for me to
+ keep track while working on the code by hand. The *only*
+ meaningful correlation is of this value and the bits set by the
+ "optional" function when examining the data structure. */
+ signed int opt : 5;
+
+ /* For some values of FTYPE, this describes the type of the
+ object(s) to be encoded. */
+ const struct atype_info *atype;
+
+ /* We use different types for "length" fields in different places.
+ So we need a good way to retrieve the various kinds of lengths
+ in a compatible way. This may be a string length, or the
+ length of an array of objects to encode in a SEQUENCE OF.
+
+ In case the field is signed and negative, or larger than
+ size_t, return SIZE_MAX as an error indication. We'll assume
+ for now that we'll never have 4G-1 (or 2**64-1, or on tiny
+ systems, 65535) sized values. On most if not all systems we
+ care about, SIZE_MAX is equivalent to "all of addressable
+ memory" minus one byte. That wouldn't leave enough extra room
+ for the structure we're encoding, so it's pretty safe to assume
+ SIZE_MAX won't legitimately come up on those systems.
+
+ If this code gets ported to a segmented architecture or other
+ system where it might be possible... figure it out then. */
+ const struct atype_info *lentype;
+};
+
+/* Normal or optional sequence fields at a particular offset, encoded
+ as indicated by the listed DESCRiptor. */
+#define FIELDOF_OPT(TYPE,DESCR,FIELDNAME,TAG,OPT) \
+ { \
+ field_normal, OFFOF(TYPE, FIELDNAME, aux_typedefname_##DESCR), \
+ 0, TAG, OPT, &krb5int_asn1type_##DESCR \
+ }
+#define FIELDOF_NORM(TYPE,DESCR,FIELDNAME,TAG) \
+ FIELDOF_OPT(TYPE,DESCR,FIELDNAME,TAG,-1)
+/* If encoding a subset of the fields of the current structure (for
+ example, a flat structure describing data that gets encoded as a
+ sequence containing one or more sequences), use ENCODEAS, no struct
+ field name(s), and the indicated type descriptor must support the
+ current struct type. */
+#define FIELDOF_ENCODEAS(TYPE,DESCR,TAG) \
+ FIELDOF_ENCODEAS_OPT(TYPE,DESCR,TAG,-1)
+#define FIELDOF_ENCODEAS_OPT(TYPE,DESCR,TAG,OPT) \
+ { \
+ field_normal, \
+ 0 * sizeof(0 ? (TYPE *)0 : (aux_typedefname_##DESCR *) 0), \
+ 0, TAG, OPT, &krb5int_asn1type_##DESCR \
+ }
+
+/* Reinterpret some subset of the structure itself as something
+ else. */
+#define FIELD_SELF(DESCR, TAG) \
+ { field_normal, 0, 0, TAG, -1, &krb5int_asn1type_##DESCR }
+
+#define FIELDOF_OPTSTRINGL(STYPE,DESC,PTRFIELD,LENDESC,LENFIELD,TAG,OPT) \
+ { \
+ field_string, \
+ OFFOF(STYPE, PTRFIELD, aux_typedefname_##DESC), \
+ OFFOF(STYPE, LENFIELD, aux_typedefname_##LENDESC), \
+ TAG, OPT, &krb5int_asn1type_##DESC, &krb5int_asn1type_##LENDESC \
+ }
+#define FIELDOF_OPTSTRING(STYPE,DESC,PTRFIELD,LENFIELD,TAG,OPT) \
+ FIELDOF_OPTSTRINGL(STYPE,DESC,PTRFIELD,uint,LENFIELD,TAG,OPT)
+#define FIELDOF_STRINGL(STYPE,DESC,PTRFIELD,LENDESC,LENFIELD,TAG) \
+ FIELDOF_OPTSTRINGL(STYPE,DESC,PTRFIELD,LENDESC,LENFIELD,TAG,-1)
+#define FIELDOF_STRING(STYPE,DESC,PTRFIELD,LENFIELD,TAG) \
+ FIELDOF_OPTSTRING(STYPE,DESC,PTRFIELD,LENFIELD,TAG,-1)
+#define FIELD_INT_IMM(VALUE,TAG) \
+ { field_immediate, VALUE, 0, TAG, -1, 0, }
+
+#define FIELDOF_SEQOF_LEN(STYPE,DESC,PTRFIELD,LENFIELD,LENTYPE,TAG) \
+ { \
+ field_sequenceof_len, \
+ OFFOF(STYPE, PTRFIELD, aux_typedefname_##DESC), \
+ OFFOF(STYPE, LENFIELD, aux_typedefname_##LENTYPE), \
+ TAG, -1, &krb5int_asn1type_##DESC, &krb5int_asn1type_##LENTYPE \
+ }
+#define FIELDOF_SEQOF_INT32(STYPE,DESC,PTRFIELD,LENFIELD,TAG) \
+ FIELDOF_SEQOF_LEN(STYPE,DESC,PTRFIELD,LENFIELD,int32,TAG)
+
+struct seq_info {
+ /* If present, returns a bitmask indicating which fields are
+ present. See the "opt" field in struct field_info. */
+ unsigned int (*optional)(const void *);
+ /* Indicates an array of sequence field descriptors. */
+ const struct field_info *fields;
+ size_t n_fields;
+ /* Missing: Extensibility handling. (New field type?) */
+};
+
+extern krb5_error_code
+krb5int_asn1_do_full_encode(const void *rep, krb5_data **code,
+ const struct atype_info *a);
+
+#define MAKE_FULL_ENCODER(FNAME, DESC) \
+ krb5_error_code FNAME(const aux_typedefname_##DESC *rep, \
+ krb5_data **code) \
+ { \
+ return krb5int_asn1_do_full_encode(rep, code, \
+ &krb5int_asn1type_##DESC); \
+ } \
+ extern int dummy /* gobble semicolon */
+
+#include <stddef.h>
+/* Ugly hack!
+ Like "offsetof", but with type checking. */
+#define WARN_IF_TYPE_MISMATCH(LVALUE, TYPE) \
+ (sizeof(0 ? (TYPE *) 0 : &(LVALUE)))
+#define OFFOF(TYPE,FIELD,FTYPE) \
+ (offsetof(TYPE, FIELD) \
+ + 0 * WARN_IF_TYPE_MISMATCH(((TYPE*)0)->FIELD, FTYPE))
+
+#endif
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -579,6 +579,7 @@
get_field(val->server,9,asn1_decode_realm);
get_field(val->server,10,asn1_decode_principal_name);
opt_field(val->caddrs,11,asn1_decode_host_addresses,NULL);
+ opt_field(val->enc_padata,12,asn1_decode_sequence_of_pa_data,NULL);
end_structure();
val->magic = KV5M_ENC_KDC_REP_PART;
}
@@ -741,12 +742,12 @@
if (n_elts <= 0)
return NULL;
- if (n_elts > SIZE_MAX / elt_size)
+ if ((unsigned int) n_elts > SIZE_MAX / elt_size)
return NULL;
new_size = n_elts * elt_size;
if (new_size == 0)
return NULL;
- if (new_size / elt_size != n_elts)
+ if (new_size / elt_size != (unsigned int) n_elts)
return NULL;
new_array = realloc(array, new_size);
return new_array;
@@ -1186,6 +1187,46 @@
cleanup();
}
+asn1_error_code asn1_decode_setpw_req(asn1buf *buf, krb5_data *newpasswd, krb5_principal *principal)
+{
+ setup();
+ *principal = NULL;
+
+ { begin_structure();
+ get_lenfield(newpasswd->length, newpasswd->data, 0, asn1_decode_charstring);
+ if (tagnum == 1) {
+ alloc_field(*principal, krb5_principal_data);
+ opt_field(*principal, 1, asn1_decode_principal_name, 0);
+ opt_field(*principal, 2, asn1_decode_realm, 0);
+ }
+ end_structure();
+ }
+ cleanup();
+}
+
+asn1_error_code asn1_decode_pa_for_user(asn1buf *buf, krb5_pa_for_user *val)
+{
+ setup();
+ { begin_structure();
+ get_field(val->user,0,asn1_decode_principal_name);
+ get_field(val->user,1,asn1_decode_realm);
+ get_field(val->cksum,2,asn1_decode_checksum);
+ get_lenfield(val->auth_package.length,val->auth_package.data,3,asn1_decode_generalstring);
+ end_structure();
+ }
+ cleanup();
+}
+
+asn1_error_code asn1_decode_pa_pac_req(asn1buf *buf, krb5_pa_pac_req *val)
+{
+ setup();
+ { begin_structure();
+ get_field(val->include_pac,0,asn1_decode_boolean);
+ end_structure();
+ }
+ cleanup();
+}
+
#ifndef DISABLE_PKINIT
/* PKINIT */
@@ -1374,7 +1415,8 @@
val->parameters.length = 0;
val->parameters.data = NULL;
- if (length > subbuf.next - subbuf.base) {
+ assert(subbuf.next >= subbuf.base);
+ if (length > (size_t)(subbuf.next - subbuf.base)) {
unsigned int size = length - (subbuf.next - subbuf.base);
retval = asn1buf_remove_octetstring(&subbuf, size,
&val->parameters.data);
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_decode.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -233,4 +233,11 @@
asn1_error_code asn1_decode_sequence_of_algorithm_identifier
(asn1buf *buf, krb5_algorithm_identifier ***val);
+asn1_error_code asn1_decode_setpw_req
+ (asn1buf *buf, krb5_data *rep, krb5_principal *principal);
+asn1_error_code asn1_decode_pa_for_user
+ (asn1buf *buf, krb5_pa_for_user *val);
+asn1_error_code asn1_decode_pa_pac_req
+ (asn1buf *buf, krb5_pa_pac_req *val);
+
#endif
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,988 +30,1344 @@
#include "asn1_encode.h"
#include <assert.h>
-/**** asn1 macros ****/
-#if 0
- How to write an asn1 encoder function using these macros:
+/* helper macros
- asn1_error_code asn1_encode_krb5_substructure(asn1buf *buf,
- const krb5_type *val,
- int *retlen)
- {
- asn1_setup();
+ These are mostly only needed for PKINIT, but there are three
+ basic-krb5 encoders not converted yet. */
- asn1_addfield(val->last_field, n, asn1_type);
- asn1_addfield(rep->next_to_last_field, n-1, asn1_type);
- ...
-
- /* for OPTIONAL fields */
- if (rep->field_i == should_not_be_omitted)
- asn1_addfield(rep->field_i, i, asn1_type);
-
- /* for string fields (these encoders take an additional argument,
- the length of the string) */
- addlenfield(rep->field_length, rep->field, i-1, asn1_type);
-
- /* if you really have to do things yourself... */
- retval = asn1_encode_asn1_type(buf,rep->field,&length);
- if (retval) return retval;
- sum += length;
- retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, tag_number, length,
- &length);
- if (retval) return retval;
- sum += length;
-
- ...
- asn1_addfield(rep->second_field, 1, asn1_type);
- asn1_addfield(rep->first_field, 0, asn1_type);
- asn1_makeseq();
-
- asn1_cleanup();
- }
-#endif
-
/* setup() -- create and initialize bookkeeping variables
retval: stores error codes returned from subroutines
length: length of the most-recently produced encoding
sum: cumulative length of the entire encoding */
#define asn1_setup()\
asn1_error_code retval;\
- unsigned int length, sum=0
+ unsigned int sum=0
-/* asn1_addfield -- add a field, or component, to the encoding */
-#define asn1_addfield(value,tag,encoder)\
-{ retval = encoder(buf,value,&length);\
+/* form a sequence (by adding a sequence header to the current encoding) */
+#define asn1_makeseq()\
+{ unsigned int length;\
+ retval = asn1_make_sequence(buf,sum,&length);\
if (retval) {\
- asn1buf_destroy(&buf);\
return retval; }\
- sum += length;\
- retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
sum += length; }
-/* asn1_addlenfield -- add a field whose length must be separately specified */
-#define asn1_addlenfield(len,value,tag,encoder)\
-{ retval = encoder(buf,len,value,&length);\
+/* produce the final output and clean up the workspace */
+#define asn1_cleanup()\
+ *retlen = sum;\
+ return 0
+
+/* asn1_addfield -- add a field, or component, to the encoding */
+#define asn1_addfield(value,tag,encoder)\
+{ unsigned int length; \
+ retval = encoder(buf,value,&length); \
if (retval) {\
- asn1buf_destroy(&buf);\
return retval; }\
sum += length;\
retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
if (retval) {\
- asn1buf_destroy(&buf);\
return retval; }\
sum += length; }
-/* asn1_addfield_implicit -- add an implicitly tagged field, or component, to the encoding */
-#define asn1_addfield_implicit(value,tag,encoder)\
-{ retval = encoder(buf,value,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length;\
- retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,length,&length); \
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length; }
+DEFINTTYPE(int32, krb5_int32);
+DEFPTRTYPE(int32_ptr, int32);
-/* asn1_insert_implicit_octetstring -- add an octet string with implicit tagging */
-#define asn1_insert_implicit_octetstring(len,value,tag)\
-{ retval = asn1buf_insert_octetstring(buf,len,value);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += len;\
- retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,len,&length); \
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length; }
+DEFUINTTYPE(uint, unsigned int);
+DEFUINTTYPE(octet, krb5_octet);
+DEFUINTTYPE(ui_4, krb5_ui_4);
-/* asn1_insert_implicit_bitstring -- add a bitstring with implicit tagging */
-#define asn1_insert_implicit_bitstring(len,value,tag)\
-{ retval = asn1buf_insert_octetstring(buf,len,value);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += len;\
- retval = asn1buf_insert_octet(buf, 0);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum++;\
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,tag,len+1,&length); \
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length; }
+DEFFNLENTYPE(octetstring, unsigned char *, asn1_encode_octetstring);
+DEFFNLENTYPE(s_octetstring, char *, asn1_encode_octetstring);
+DEFFNLENTYPE(charstring, char *, asn1_encode_charstring);
+DEFFNLENTYPE(generalstring, char *, asn1_encode_generalstring);
+DEFFNLENTYPE(u_generalstring, unsigned char *, asn1_encode_generalstring);
+DEFFNLENTYPE(opaque, char *, asn1_encode_opaque);
-/* form a sequence (by adding a sequence header to the current encoding) */
-#define asn1_makeseq()\
- retval = asn1_make_sequence(buf,sum,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length
+DEFFIELDTYPE(gstring_data, krb5_data,
+ FIELDOF_STRING(krb5_data, generalstring, data, length, -1));
+DEFPTRTYPE(gstring_data_ptr,gstring_data);
-/* add an APPLICATION class tag to the current encoding */
-#define asn1_apptag(num)\
- retval = asn1_make_etag(buf,APPLICATION,num,sum,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length
+DEFFIELDTYPE(ostring_data, krb5_data,
+ FIELDOF_STRING(krb5_data, s_octetstring, data, length, -1));
+DEFPTRTYPE(ostring_data_ptr,ostring_data);
-/* produce the final output and clean up the workspace */
-#define asn1_cleanup()\
- *retlen = sum;\
- return 0
+DEFFIELDTYPE(opaque_data, krb5_data,
+ FIELDOF_STRING(krb5_data, opaque, data, length, -1));
-asn1_error_code asn1_encode_ui_4(asn1buf *buf, const krb5_ui_4 val, unsigned int *retlen)
-{
- return asn1_encode_unsigned_integer(buf,val,retlen);
-}
+DEFFIELDTYPE(realm_of_principal_data, krb5_principal_data,
+ FIELDOF_NORM(krb5_principal_data, gstring_data, realm, -1));
+DEFPTRTYPE(realm_of_principal, realm_of_principal_data);
-asn1_error_code asn1_encode_realm(asn1buf *buf, const krb5_principal val, unsigned int *retlen)
+static const struct field_info princname_fields[] = {
+ FIELDOF_NORM(krb5_principal_data, int32, type, 0),
+ FIELDOF_SEQOF_INT32(krb5_principal_data, gstring_data_ptr, data, length, 1),
+};
+/* krb5_principal is a typedef for krb5_principal_data*, so this is
+ effectively "encode_principal_data_at" with an address arg. */
+DEFSEQTYPE(principal_data, krb5_principal_data, princname_fields, 0);
+DEFPTRTYPE(principal, principal_data);
+
+static asn1_error_code
+asn1_encode_kerberos_time_at(asn1buf *buf, const krb5_timestamp *val,
+ unsigned int *retlen)
{
- if (val == NULL ||
- (val->realm.length && val->realm.data == NULL))
- return ASN1_MISSING_FIELD;
- return asn1_encode_generalstring(buf,val->realm.length,val->realm.data,
- retlen);
+ /* Range checking for time_t vs krb5_timestamp? */
+ time_t tval = *val;
+ return asn1_encode_generaltime(buf, tval, retlen);
}
+DEFFNXTYPE(kerberos_time, krb5_timestamp, asn1_encode_kerberos_time_at);
-asn1_error_code asn1_encode_principal_name(asn1buf *buf, const krb5_principal val, unsigned int *retlen)
-{
- asn1_setup();
- int n;
+const static struct field_info address_fields[] = {
+ FIELDOF_NORM(krb5_address, int32, addrtype, 0),
+ FIELDOF_STRING(krb5_address, octetstring, contents, length, 1),
+};
+DEFSEQTYPE(address, krb5_address, address_fields, 0);
+DEFPTRTYPE(address_ptr, address);
- if (val == NULL || val->data == NULL) return ASN1_MISSING_FIELD;
+DEFNULLTERMSEQOFTYPE(seq_of_host_addresses, address_ptr);
+DEFPTRTYPE(ptr_seqof_host_addresses, seq_of_host_addresses);
- for (n = (int) ((val->length)-1); n >= 0; n--) {
- if (val->data[n].length &&
- val->data[n].data == NULL)
- return ASN1_MISSING_FIELD;
- retval = asn1_encode_generalstring(buf,
- (val->data)[n].length,
- (val->data)[n].data,
- &length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
- retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,1,sum,&length);
- if (retval) return retval;
- sum += length;
+static unsigned int
+optional_encrypted_data (const void *vptr)
+{
+ const krb5_enc_data *val = vptr;
+ unsigned int optional = 0;
- asn1_addfield(val->type,0,asn1_encode_integer);
+ if (val->kvno != 0)
+ optional |= (1u << 1);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
-asn1_error_code asn1_encode_kerberos_time(asn1buf *buf, const krb5_timestamp val, unsigned int *retlen)
+static const struct field_info encrypted_data_fields[] = {
+ FIELDOF_NORM(krb5_enc_data, int32, enctype, 0),
+ FIELDOF_OPT(krb5_enc_data, uint, kvno, 1, 1),
+ FIELDOF_NORM(krb5_enc_data, ostring_data, ciphertext, 2),
+};
+DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields,
+ optional_encrypted_data);
+
+/* The encode_bitstring function wants an array of bytes (since PKINIT
+ may provide something that isn't 32 bits), but krb5_flags is stored
+ as a 32-bit integer in host order. */
+static asn1_error_code
+asn1_encode_krb5_flags_at(asn1buf *buf, const krb5_flags *val,
+ unsigned int *retlen)
{
- return asn1_encode_generaltime(buf,val,retlen);
+ unsigned char cbuf[4];
+ store_32_be((krb5_ui_4) *val, cbuf);
+ return asn1_encode_bitstring(buf, 4, cbuf, retlen);
}
+DEFFNXTYPE(krb5_flags, krb5_flags, asn1_encode_krb5_flags_at);
-asn1_error_code asn1_encode_host_address(asn1buf *buf, const krb5_address *val, unsigned int *retlen)
-{
- asn1_setup();
+const static struct field_info authdata_elt_fields[] = {
+ /* ad-type[0] INTEGER */
+ FIELDOF_NORM(krb5_authdata, int32, ad_type, 0),
+ /* ad-data[1] OCTET STRING */
+ FIELDOF_STRING(krb5_authdata, octetstring, contents, length, 1),
+};
+DEFSEQTYPE(authdata_elt, krb5_authdata, authdata_elt_fields, 0);
+DEFPTRTYPE(authdata_elt_ptr, authdata_elt);
+DEFNONEMPTYNULLTERMSEQOFTYPE(auth_data, authdata_elt_ptr);
+DEFPTRTYPE(auth_data_ptr, auth_data);
- if (val == NULL || val->contents == NULL) return ASN1_MISSING_FIELD;
+static const struct field_info encryption_key_fields[] = {
+ FIELDOF_NORM(krb5_keyblock, int32, enctype, 0),
+ FIELDOF_STRING(krb5_keyblock, octetstring, contents, length, 1),
+};
+DEFSEQTYPE(encryption_key, krb5_keyblock, encryption_key_fields, 0);
+DEFPTRTYPE(ptr_encryption_key, encryption_key);
- asn1_addlenfield(val->length,val->contents,1,asn1_encode_octetstring);
- asn1_addfield(val->addrtype,0,asn1_encode_integer);
- asn1_makeseq();
+static const struct field_info checksum_fields[] = {
+ FIELDOF_NORM(krb5_checksum, int32, checksum_type, 0),
+ FIELDOF_STRING(krb5_checksum, octetstring, contents, length, 1),
+};
+DEFSEQTYPE(checksum, krb5_checksum, checksum_fields, 0);
+DEFPTRTYPE(checksum_ptr, checksum);
+DEFNULLTERMSEQOFTYPE(seq_of_checksum, checksum_ptr);
+DEFPTRTYPE(ptr_seqof_checksum, seq_of_checksum);
- asn1_cleanup();
-}
+static const struct field_info lr_fields[] = {
+ FIELDOF_NORM(krb5_last_req_entry, int32, lr_type, 0),
+ FIELDOF_NORM(krb5_last_req_entry, kerberos_time, value, 1),
+};
+DEFSEQTYPE(last_req_ent, krb5_last_req_entry, lr_fields, 0);
-asn1_error_code asn1_encode_host_addresses(asn1buf *buf, const krb5_address **val, unsigned int *retlen)
-{
- asn1_setup();
- int i;
+DEFPTRTYPE(last_req_ent_ptr, last_req_ent);
+DEFNONEMPTYNULLTERMSEQOFTYPE(last_req, last_req_ent_ptr);
+DEFPTRTYPE(last_req_ptr, last_req);
- if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;
+static const struct field_info ticket_fields[] = {
+ FIELD_INT_IMM(KVNO, 0),
+ FIELDOF_NORM(krb5_ticket, realm_of_principal, server, 1),
+ FIELDOF_NORM(krb5_ticket, principal, server, 2),
+ FIELDOF_NORM(krb5_ticket, encrypted_data, enc_part, 3),
+};
+DEFSEQTYPE(untagged_ticket, krb5_ticket, ticket_fields, 0);
+DEFAPPTAGGEDTYPE(ticket, 1, untagged_ticket);
- for (i=0; val[i] != NULL; i++); /* go to end of array */
- for (i--; i>=0; i--) {
- retval = asn1_encode_host_address(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
+static const struct field_info pa_data_fields[] = {
+ FIELDOF_NORM(krb5_pa_data, int32, pa_type, 1),
+ FIELDOF_STRING(krb5_pa_data, octetstring, contents, length, 2),
+};
+DEFSEQTYPE(pa_data, krb5_pa_data, pa_data_fields, 0);
+DEFPTRTYPE(pa_data_ptr, pa_data);
- asn1_cleanup();
-}
+DEFNULLTERMSEQOFTYPE(seq_of_pa_data, pa_data_ptr);
+DEFPTRTYPE(ptr_seqof_pa_data, seq_of_pa_data);
-asn1_error_code asn1_encode_encrypted_data(asn1buf *buf, const krb5_enc_data *val, unsigned int *retlen)
+DEFPTRTYPE(ticket_ptr, ticket);
+DEFNONEMPTYNULLTERMSEQOFTYPE(seq_of_ticket,ticket_ptr);
+DEFPTRTYPE(ptr_seqof_ticket, seq_of_ticket);
+
+/* EncKDCRepPart ::= SEQUENCE */
+static const struct field_info enc_kdc_rep_part_fields[] = {
+ /* key[0] EncryptionKey */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, ptr_encryption_key, session, 0),
+ /* last-req[1] LastReq */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, last_req_ptr, last_req, 1),
+ /* nonce[2] INTEGER */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, int32, nonce, 2),
+ /* key-expiration[3] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, key_exp, 3, 3),
+ /* flags[4] TicketFlags */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, krb5_flags, flags, 4),
+ /* authtime[5] KerberosTime */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, kerberos_time, times.authtime, 5),
+ /* starttime[6] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, times.starttime, 6, 6),
+ /* endtime[7] KerberosTime */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, kerberos_time, times.endtime, 7),
+ /* renew-till[8] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, times.renew_till, 8, 8),
+ /* srealm[9] Realm */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, realm_of_principal, server, 9),
+ /* sname[10] PrincipalName */
+ FIELDOF_NORM(krb5_enc_kdc_rep_part, principal, server, 10),
+ /* caddr[11] HostAddresses OPTIONAL */
+ FIELDOF_OPT(krb5_enc_kdc_rep_part, ptr_seqof_host_addresses, caddrs,
+ 11, 11),
+ /* encrypted-pa-data[12] SEQUENCE OF PA-DATA OPTIONAL */
+ FIELDOF_OPT(krb5_enc_kdc_rep_part, ptr_seqof_pa_data, enc_padata, 12, 12),
+};
+static unsigned int optional_enc_kdc_rep_part(const void *p)
{
- asn1_setup();
+ const krb5_enc_kdc_rep_part *val = p;
+ unsigned int optional = 0;
- if (val == NULL ||
- (val->ciphertext.length && val->ciphertext.data == NULL))
- return ASN1_MISSING_FIELD;
+ if (val->key_exp)
+ optional |= (1u << 3);
+ if (val->times.starttime)
+ optional |= (1u << 6);
+ if (val->flags & TKT_FLG_RENEWABLE)
+ optional |= (1u << 8);
+ if (val->caddrs != NULL && val->caddrs[0] != NULL)
+ optional |= (1u << 11);
- asn1_addlenfield(val->ciphertext.length,val->ciphertext.data,2,asn1_encode_charstring);
- /* krb5_kvno should be int */
- if (val->kvno)
- asn1_addfield((int) val->kvno,1,asn1_encode_integer);
- asn1_addfield(val->enctype,0,asn1_encode_integer);
-
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(enc_kdc_rep_part, krb5_enc_kdc_rep_part, enc_kdc_rep_part_fields,
+ optional_enc_kdc_rep_part);
-asn1_error_code asn1_encode_krb5_flags(asn1buf *buf, const krb5_flags val, unsigned int *retlen)
+/* Yuck! Eventually push this *up* above the encoder API and make the
+ rest of the library put the realm name in one consistent place. At
+ the same time, might as well add the msg-type field and encode both
+ AS-REQ and TGS-REQ through the same descriptor. */
+struct kdc_req_hack {
+ krb5_kdc_req v;
+ krb5_data *server_realm;
+};
+static const struct field_info kdc_req_hack_fields[] = {
+ FIELDOF_NORM(struct kdc_req_hack, krb5_flags, v.kdc_options, 0),
+ FIELDOF_OPT(struct kdc_req_hack, principal, v.client, 1, 1),
+ FIELDOF_NORM(struct kdc_req_hack, gstring_data_ptr, server_realm, 2),
+ FIELDOF_OPT(struct kdc_req_hack, principal, v.server, 3, 3),
+ FIELDOF_OPT(struct kdc_req_hack, kerberos_time, v.from, 4, 4),
+ FIELDOF_NORM(struct kdc_req_hack, kerberos_time, v.till, 5),
+ FIELDOF_OPT(struct kdc_req_hack, kerberos_time, v.rtime, 6, 6),
+ FIELDOF_NORM(struct kdc_req_hack, int32, v.nonce, 7),
+ FIELDOF_SEQOF_INT32(struct kdc_req_hack, int32_ptr, v.ktype, v.nktypes, 8),
+ FIELDOF_OPT(struct kdc_req_hack, ptr_seqof_host_addresses, v.addresses, 9, 9),
+ FIELDOF_OPT(struct kdc_req_hack, encrypted_data, v.authorization_data, 10, 10),
+ FIELDOF_OPT(struct kdc_req_hack, ptr_seqof_ticket, v.second_ticket, 11, 11),
+};
+static unsigned int optional_kdc_req_hack(const void *p)
{
- asn1_setup();
- krb5_flags valcopy = val;
- int i;
+ const struct kdc_req_hack *val2 = p;
+ const krb5_kdc_req *val = &val2->v;
+ unsigned int optional = 0;
- for (i=0; i<4; i++) {
- retval = asn1buf_insert_octet(buf,(asn1_octet) (valcopy&0xFF));
- if (retval) return retval;
- valcopy >>= 8;
- }
- retval = asn1buf_insert_octet(buf,0); /* 0 padding bits */
- if (retval) return retval;
- sum = 5;
+ if (val->second_ticket != NULL && val->second_ticket[0] != NULL)
+ optional |= (1u << 11);
+ if (val->authorization_data.ciphertext.data != NULL)
+ optional |= (1u << 10);
+ if (val->addresses != NULL && val->addresses[0] != NULL)
+ optional |= (1u << 9);
+ if (val->rtime)
+ optional |= (1u << 6);
+ if (val->from)
+ optional |= (1u << 4);
+ if (val->server != NULL)
+ optional |= (1u << 3);
+ if (val->client != NULL)
+ optional |= (1u << 1);
- retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_BITSTRING,sum,
- &length);
- if (retval) return retval;
- sum += length;
-
- *retlen = sum;
- return 0;
+ return optional;
}
-
-asn1_error_code asn1_encode_ap_options(asn1buf *buf, const krb5_flags val, unsigned int *retlen)
+DEFSEQTYPE(kdc_req_body_hack, struct kdc_req_hack, kdc_req_hack_fields,
+ optional_kdc_req_hack);
+static asn1_error_code
+asn1_encode_kdc_req_hack(asn1buf *, const struct kdc_req_hack *,
+ unsigned int *);
+MAKE_ENCFN(asn1_encode_kdc_req_hack, kdc_req_body_hack);
+static asn1_error_code
+asn1_encode_kdc_req_body(asn1buf *buf, const krb5_kdc_req *val,
+ unsigned int *retlen)
{
- return asn1_encode_krb5_flags(buf,val,retlen);
+ struct kdc_req_hack val2;
+ val2.v = *val;
+ if (val->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
+ if (val->second_ticket != NULL && val->second_ticket[0] != NULL) {
+ val2.server_realm = &val->second_ticket[0]->server->realm;
+ } else return ASN1_MISSING_FIELD;
+ } else if (val->server != NULL) {
+ val2.server_realm = &val->server->realm;
+ } else return ASN1_MISSING_FIELD;
+ return asn1_encode_kdc_req_hack(buf, &val2, retlen);
}
+DEFFNXTYPE(kdc_req_body, krb5_kdc_req, asn1_encode_kdc_req_body);
+/* end ugly hack */
-asn1_error_code asn1_encode_ticket_flags(asn1buf *buf, const krb5_flags val, unsigned int *retlen)
+static const struct field_info transited_fields[] = {
+ FIELDOF_NORM(krb5_transited, octet, tr_type, 0),
+ FIELDOF_NORM(krb5_transited, ostring_data, tr_contents, 1),
+};
+DEFSEQTYPE(transited, krb5_transited, transited_fields, 0);
+
+static const struct field_info krb_safe_body_fields[] = {
+ FIELDOF_NORM(krb5_safe, ostring_data, user_data, 0),
+ FIELDOF_OPT(krb5_safe, kerberos_time, timestamp, 1, 1),
+ FIELDOF_OPT(krb5_safe, int32, usec, 2, 2),
+ FIELDOF_OPT(krb5_safe, uint, seq_number, 3, 3),
+ FIELDOF_NORM(krb5_safe, address_ptr, s_address, 4),
+ FIELDOF_OPT(krb5_safe, address_ptr, r_address, 5, 5),
+};
+static unsigned int optional_krb_safe_body(const void *p)
{
- return asn1_encode_krb5_flags(buf,val,retlen);
-}
+ const krb5_safe *val = p;
+ unsigned int optional = 0;
-asn1_error_code asn1_encode_kdc_options(asn1buf *buf, const krb5_flags val, unsigned int *retlen)
-{
- return asn1_encode_krb5_flags(buf,val,retlen);
+ if (val->timestamp) {
+ optional |= (1u << 1);
+ optional |= (1u << 2);
+ }
+ if (val->seq_number)
+ optional |= (1u << 3);
+ if (val->r_address != NULL)
+ optional |= (1u << 5);
+
+ return optional;
}
+DEFSEQTYPE(krb_safe_body, krb5_safe, krb_safe_body_fields,
+ optional_krb_safe_body);
-asn1_error_code asn1_encode_authorization_data(asn1buf *buf, const krb5_authdata **val, unsigned int *retlen)
+static const struct field_info krb_cred_info_fields[] = {
+ FIELDOF_NORM(krb5_cred_info, ptr_encryption_key, session, 0),
+ FIELDOF_OPT(krb5_cred_info, realm_of_principal, client, 1, 1),
+ FIELDOF_OPT(krb5_cred_info, principal, client, 2, 2),
+ FIELDOF_OPT(krb5_cred_info, krb5_flags, flags, 3, 3),
+ FIELDOF_OPT(krb5_cred_info, kerberos_time, times.authtime, 4, 4),
+ FIELDOF_OPT(krb5_cred_info, kerberos_time, times.starttime, 5, 5),
+ FIELDOF_OPT(krb5_cred_info, kerberos_time, times.endtime, 6, 6),
+ FIELDOF_OPT(krb5_cred_info, kerberos_time, times.renew_till, 7, 7),
+ FIELDOF_OPT(krb5_cred_info, realm_of_principal, server, 8, 8),
+ FIELDOF_OPT(krb5_cred_info, principal, server, 9, 9),
+ FIELDOF_OPT(krb5_cred_info, ptr_seqof_host_addresses, caddrs, 10, 10),
+};
+static unsigned int optional_krb_cred_info(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_cred_info *val = p;
+ unsigned int optional = 0;
- if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;
-
- for (i=0; val[i] != NULL; i++); /* get to the end of the array */
- for (i--; i>=0; i--) {
- retval = asn1_encode_krb5_authdata_elt(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
+ if (val->caddrs != NULL && val->caddrs[0] != NULL)
+ optional |= (1u << 10);
+ if (val->server != NULL) {
+ optional |= (1u << 9);
+ optional |= (1u << 8);
}
- asn1_makeseq();
+ if (val->times.renew_till)
+ optional |= (1u << 7);
+ if (val->times.endtime)
+ optional |= (1u << 6);
+ if (val->times.starttime)
+ optional |= (1u << 5);
+ if (val->times.authtime)
+ optional |= (1u << 4);
+ if (val->flags)
+ optional |= (1u << 3);
+ if (val->client != NULL) {
+ optional |= (1u << 2);
+ optional |= (1u << 1);
+ }
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(cred_info, krb5_cred_info, krb_cred_info_fields,
+ optional_krb_cred_info);
+DEFPTRTYPE(cred_info_ptr, cred_info);
+DEFNULLTERMSEQOFTYPE(seq_of_cred_info, cred_info_ptr);
-asn1_error_code asn1_encode_krb5_authdata_elt(asn1buf *buf, const krb5_authdata *val, unsigned int *retlen)
-{
- asn1_setup();
+DEFPTRTYPE(ptrseqof_cred_info, seq_of_cred_info);
- if (val == NULL ||
- (val->length && val->contents == NULL))
- return ASN1_MISSING_FIELD;
- /* ad-data[1] OCTET STRING */
- asn1_addlenfield(val->length,val->contents,1,asn1_encode_octetstring);
- /* ad-type[0] INTEGER */
- asn1_addfield(val->ad_type,0,asn1_encode_integer);
- /* SEQUENCE */
- asn1_makeseq();
- asn1_cleanup();
-}
-
-asn1_error_code asn1_encode_kdc_rep(int msg_type, asn1buf *buf, const krb5_kdc_rep *val, unsigned int *retlen)
+static unsigned int
+optional_etype_info_entry(const void *vptr)
{
- asn1_setup();
+ const krb5_etype_info_entry *val = vptr;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
+ optional |= (1u << 1);
- asn1_addfield(&(val->enc_part),6,asn1_encode_encrypted_data);
- asn1_addfield(val->ticket,5,asn1_encode_ticket);
- asn1_addfield(val->client,4,asn1_encode_principal_name);
- asn1_addfield(val->client,3,asn1_encode_realm);
- if (val->padata != NULL && val->padata[0] != NULL)
- asn1_addfield((const krb5_pa_data**)val->padata,2,asn1_encode_sequence_of_pa_data);
- if (msg_type != KRB5_AS_REP && msg_type != KRB5_TGS_REP)
- return KRB5_BADMSGTYPE;
- asn1_addfield(msg_type,1,asn1_encode_integer);
- asn1_addfield(KVNO,0,asn1_encode_integer);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+static const struct field_info etype_info_entry_fields[] = {
+ FIELDOF_NORM(krb5_etype_info_entry, int32, etype, 0),
+ FIELDOF_OPTSTRING(krb5_etype_info_entry, octetstring, salt, length, 1, 1),
+};
+DEFSEQTYPE(etype_info_entry, krb5_etype_info_entry, etype_info_entry_fields,
+ optional_etype_info_entry);
-asn1_error_code asn1_encode_enc_kdc_rep_part(asn1buf *buf, const krb5_enc_kdc_rep_part *val, unsigned int *retlen)
+static unsigned int
+optional_etype_info2_entry(const void *vptr)
{
- asn1_setup();
+ const krb5_etype_info_entry *val = vptr;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
+ optional |= (1u << 1);
+ if (val->s2kparams.data)
+ optional |= (1u << 2);
- /* caddr[11] HostAddresses OPTIONAL */
- if (val->caddrs != NULL && val->caddrs[0] != NULL)
- asn1_addfield((const krb5_address**)(val->caddrs),11,asn1_encode_host_addresses);
+ return optional;
+}
- /* sname[10] PrincipalName */
- asn1_addfield(val->server,10,asn1_encode_principal_name);
+static const struct field_info etype_info2_entry_fields[] = {
+ FIELDOF_NORM(krb5_etype_info_entry, int32, etype, 0),
+ FIELDOF_OPTSTRING(krb5_etype_info_entry, u_generalstring, salt, length,
+ 1, 1),
+ FIELDOF_OPT(krb5_etype_info_entry, ostring_data, s2kparams, 2, 2),
+};
+DEFSEQTYPE(etype_info2_entry, krb5_etype_info_entry, etype_info2_entry_fields,
+ optional_etype_info2_entry);
- /* srealm[9] Realm */
- asn1_addfield(val->server,9,asn1_encode_realm);
+DEFPTRTYPE(etype_info_entry_ptr, etype_info_entry);
+DEFNULLTERMSEQOFTYPE(etype_info, etype_info_entry_ptr);
- /* renew-till[8] KerberosTime OPTIONAL */
- if (val->flags & TKT_FLG_RENEWABLE)
- asn1_addfield(val->times.renew_till,8,asn1_encode_kerberos_time);
+DEFPTRTYPE(etype_info2_entry_ptr, etype_info2_entry);
+DEFNULLTERMSEQOFTYPE(etype_info2, etype_info2_entry_ptr);
- /* endtime[7] KerberosTime */
- asn1_addfield(val->times.endtime,7,asn1_encode_kerberos_time);
+static const struct field_info passwdsequence_fields[] = {
+ FIELDOF_NORM(passwd_phrase_element, ostring_data_ptr, passwd, 0),
+ FIELDOF_NORM(passwd_phrase_element, ostring_data_ptr, phrase, 1),
+};
+DEFSEQTYPE(passwdsequence, passwd_phrase_element, passwdsequence_fields, 0);
- /* starttime[6] KerberosTime OPTIONAL */
- if (val->times.starttime)
- asn1_addfield(val->times.starttime,6,asn1_encode_kerberos_time);
+DEFPTRTYPE(passwdsequence_ptr, passwdsequence);
+DEFNONEMPTYNULLTERMSEQOFTYPE(seqof_passwdsequence, passwdsequence_ptr);
+DEFPTRTYPE(ptr_seqof_passwdsequence, seqof_passwdsequence);
- /* authtime[5] KerberosTime */
- asn1_addfield(val->times.authtime,5,asn1_encode_kerberos_time);
- /* flags[4] TicketFlags */
- asn1_addfield(val->flags,4,asn1_encode_ticket_flags);
+static const struct field_info sam_challenge_fields[] = {
+ FIELDOF_NORM(krb5_sam_challenge, int32, sam_type, 0),
+ FIELDOF_NORM(krb5_sam_challenge, krb5_flags, sam_flags, 1),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_type_name, 2, 2),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_track_id,3, 3),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_challenge_label,4, 4),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_challenge,5, 5),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_response_prompt,6, 6),
+ FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_pk_for_sad,7, 7),
+ FIELDOF_OPT(krb5_sam_challenge, int32, sam_nonce, 8, 8),
+ FIELDOF_OPT(krb5_sam_challenge, checksum, sam_cksum, 9, 9),
+};
+static unsigned int optional_sam_challenge(const void *p)
+{
+ const krb5_sam_challenge *val = p;
+ unsigned int optional = 0;
- /* key-expiration[3] KerberosTime OPTIONAL */
- if (val->key_exp)
- asn1_addfield(val->key_exp,3,asn1_encode_kerberos_time);
+ if (val->sam_cksum.length)
+ optional |= (1u << 9);
- /* nonce[2] INTEGER */
- asn1_addfield(val->nonce,2,asn1_encode_integer);
+ if (val->sam_nonce)
+ optional |= (1u << 8);
- /* last-req[1] LastReq */
- asn1_addfield((const krb5_last_req_entry**)val->last_req,1,asn1_encode_last_req);
+ if (val->sam_pk_for_sad.length > 0) optional |= (1u << 7);
+ if (val->sam_response_prompt.length > 0) optional |= (1u << 6);
+ if (val->sam_challenge.length > 0) optional |= (1u << 5);
+ if (val->sam_challenge_label.length > 0) optional |= (1u << 4);
+ if (val->sam_track_id.length > 0) optional |= (1u << 3);
+ if (val->sam_type_name.length > 0) optional |= (1u << 2);
- /* key[0] EncryptionKey */
- asn1_addfield(val->session,0,asn1_encode_encryption_key);
-
- /* EncKDCRepPart ::= SEQUENCE */
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(sam_challenge,krb5_sam_challenge,sam_challenge_fields,
+ optional_sam_challenge);
-asn1_error_code asn1_encode_sequence_of_checksum(asn1buf *buf, const krb5_checksum ** val, unsigned int *retlen)
+#if 0 /* encoders not used! */
+MAKE_ENCFN(asn1_encode_sequence_of_checksum, seq_of_checksum);
+static asn1_error_code
+asn1_encode_sam_challenge_2(asn1buf *buf, const krb5_sam_challenge_2 *val,
+ unsigned int *retlen)
{
asn1_setup();
- int i;
+ if ( (!val) || (!val->sam_cksum) || (!val->sam_cksum[0]))
+ return ASN1_MISSING_FIELD;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ asn1_addfield(val->sam_cksum, 1, asn1_encode_sequence_of_checksum);
- for (i=0; val[i] != NULL; i++);
- for (i--; i>=0; i--) {
- retval = asn1_encode_checksum(buf,val[i],&length);
- if (retval) return retval;
+ {
+ unsigned int length;
+
+ retval = asn1buf_insert_octetstring(buf, val->sam_challenge_2_body.length,
+ (unsigned char *)val->sam_challenge_2_body.data);
+ if (retval) {
+ return retval;
+ }
+ sum += val->sam_challenge_2_body.length;
+ retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
+ val->sam_challenge_2_body.length, &length);
+ if (retval) {
+ return retval;
+ }
sum += length;
}
+
asn1_makeseq();
-
asn1_cleanup();
}
+DEFFNXTYPE(sam_challenge_2, krb5_sam_challenge_2, asn1_encode_sam_challenge_2);
-asn1_error_code asn1_encode_kdc_req_body(asn1buf *buf, const krb5_kdc_req *rep, unsigned int *retlen)
+static const struct field_info sam_challenge_2_body_fields[] = {
+ FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_type, 0),
+ FIELDOF_NORM(krb5_sam_challenge_2_body, krb5_flags, sam_flags, 1),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_type_name, 2, 2),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_track_id,3, 3),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_challenge_label,4, 4),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_challenge,5, 5),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_response_prompt,6, 6),
+ FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_pk_for_sad,7, 7),
+ FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_nonce, 8),
+ FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_etype, 9),
+};
+static unsigned int optional_sam_challenge_2_body(const void *p)
{
- asn1_setup();
+ const krb5_sam_challenge_2_body *val = p;
+ unsigned int optional = 0;
- if (rep == NULL) return ASN1_MISSING_FIELD;
+ if (val->sam_pk_for_sad.length > 0) optional |= (1u << 7);
+ if (val->sam_response_prompt.length > 0) optional |= (1u << 6);
+ if (val->sam_challenge.length > 0) optional |= (1u << 5);
+ if (val->sam_challenge_label.length > 0) optional |= (1u << 4);
+ if (val->sam_track_id.length > 0) optional |= (1u << 3);
+ if (val->sam_type_name.length > 0) optional |= (1u << 2);
- /* additional-tickets[11] SEQUENCE OF Ticket OPTIONAL */
- if (rep->second_ticket != NULL && rep->second_ticket[0] != NULL)
- asn1_addfield((const krb5_ticket**)rep->second_ticket,
- 11,asn1_encode_sequence_of_ticket);
+ return optional;
+}
+DEFSEQTYPE(sam_challenge_2_body,krb5_sam_challenge_2_body,sam_challenge_2_body_fields,
+ optional_sam_challenge_2_body);
+#endif
- /* enc-authorization-data[10] EncryptedData OPTIONAL, */
- /* -- Encrypted AuthorizationData encoding */
- if (rep->authorization_data.ciphertext.data != NULL)
- asn1_addfield(&(rep->authorization_data),10,asn1_encode_encrypted_data);
+static const struct field_info sam_key_fields[] = {
+ FIELDOF_NORM(krb5_sam_key, encryption_key, sam_key, 0),
+};
+DEFSEQTYPE(sam_key, krb5_sam_key, sam_key_fields, 0);
- /* addresses[9] HostAddresses OPTIONAL, */
- if (rep->addresses != NULL && rep->addresses[0] != NULL)
- asn1_addfield((const krb5_address**)rep->addresses,9,asn1_encode_host_addresses);
+static const struct field_info enc_sam_response_enc_fields[] = {
+ FIELDOF_NORM(krb5_enc_sam_response_enc, int32, sam_nonce, 0),
+ FIELDOF_NORM(krb5_enc_sam_response_enc, kerberos_time, sam_timestamp, 1),
+ FIELDOF_NORM(krb5_enc_sam_response_enc, int32, sam_usec, 2),
+ FIELDOF_OPT(krb5_enc_sam_response_enc, ostring_data, sam_sad, 3, 3),
+};
+static unsigned int optional_enc_sam_response_enc(const void *p)
+{
+ const krb5_enc_sam_response_enc *val = p;
+ unsigned int optional = 0;
- /* etype[8] SEQUENCE OF INTEGER, -- EncryptionType, */
- /* -- in preference order */
- asn1_addlenfield(rep->nktypes,rep->ktype,8,asn1_encode_sequence_of_enctype);
+ if (val->sam_sad.length > 0) optional |= (1u << 3);
- /* nonce[7] INTEGER, */
- asn1_addfield(rep->nonce,7,asn1_encode_integer);
+ return optional;
+}
+DEFSEQTYPE(enc_sam_response_enc, krb5_enc_sam_response_enc,
+ enc_sam_response_enc_fields, optional_enc_sam_response_enc);
- /* rtime[6] KerberosTime OPTIONAL, */
- if (rep->rtime)
- asn1_addfield(rep->rtime,6,asn1_encode_kerberos_time);
+static const struct field_info enc_sam_response_enc_2_fields[] = {
+ FIELDOF_NORM(krb5_enc_sam_response_enc_2, int32, sam_nonce, 0),
+ FIELDOF_OPT(krb5_enc_sam_response_enc_2, ostring_data, sam_sad, 1, 1),
+};
+static unsigned int optional_enc_sam_response_enc_2(const void *p)
+{
+ const krb5_enc_sam_response_enc_2 *val = p;
+ unsigned int optional = 0;
- /* till[5] KerberosTime, */
- asn1_addfield(rep->till,5,asn1_encode_kerberos_time);
+ if (val->sam_sad.length > 0) optional |= (1u << 1);
- /* from[4] KerberosTime OPTIONAL, */
- if (rep->from)
- asn1_addfield(rep->from,4,asn1_encode_kerberos_time);
+ return optional;
+}
+DEFSEQTYPE(enc_sam_response_enc_2, krb5_enc_sam_response_enc_2,
+ enc_sam_response_enc_2_fields, optional_enc_sam_response_enc_2);
- /* sname[3] PrincipalName OPTIONAL, */
- if (rep->server != NULL)
- asn1_addfield(rep->server,3,asn1_encode_principal_name);
+static const struct field_info sam_response_fields[] = {
+ FIELDOF_NORM(krb5_sam_response, int32, sam_type, 0),
+ FIELDOF_NORM(krb5_sam_response, krb5_flags, sam_flags, 1),
+ FIELDOF_OPT(krb5_sam_response, ostring_data, sam_track_id, 2, 2),
+ FIELDOF_OPT(krb5_sam_response, encrypted_data, sam_enc_key, 3, 3),
+ FIELDOF_NORM(krb5_sam_response, encrypted_data, sam_enc_nonce_or_ts, 4),
+ FIELDOF_OPT(krb5_sam_response, int32, sam_nonce, 5, 5),
+ FIELDOF_OPT(krb5_sam_response, kerberos_time, sam_patimestamp, 6, 6),
+};
+static unsigned int optional_sam_response(const void *p)
+{
+ const krb5_sam_response *val = p;
+ unsigned int optional = 0;
- /* realm[2] Realm, -- Server's realm */
- /* -- Also client's in AS-REQ */
- if (rep->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
- if (rep->second_ticket != NULL && rep->second_ticket[0] != NULL) {
- asn1_addfield(rep->second_ticket[0]->server,2,asn1_encode_realm)
- } else return ASN1_MISSING_FIELD;
- } else if (rep->server != NULL) {
- asn1_addfield(rep->server,2,asn1_encode_realm);
- } else return ASN1_MISSING_FIELD;
+ if (val->sam_patimestamp)
+ optional |= (1u << 6);
+ if (val->sam_nonce)
+ optional |= (1u << 5);
+ if (val->sam_enc_key.ciphertext.length)
+ optional |= (1u << 3);
+ if (val->sam_track_id.length > 0) optional |= (1u << 2);
- /* cname[1] PrincipalName OPTIONAL, */
- /* -- Used only in AS-REQ */
- if (rep->client != NULL)
- asn1_addfield(rep->client,1,asn1_encode_principal_name);
-
- /* kdc-options[0] KDCOptions, */
- asn1_addfield(rep->kdc_options,0,asn1_encode_kdc_options);
-
- /* KDC-REQ-BODY ::= SEQUENCE */
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(sam_response, krb5_sam_response, sam_response_fields,
+ optional_sam_response);
-asn1_error_code asn1_encode_encryption_key(asn1buf *buf, const krb5_keyblock *val, unsigned int *retlen)
+static const struct field_info sam_response_2_fields[] = {
+ FIELDOF_NORM(krb5_sam_response_2, int32, sam_type, 0),
+ FIELDOF_NORM(krb5_sam_response_2, krb5_flags, sam_flags, 1),
+ FIELDOF_OPT(krb5_sam_response_2, ostring_data, sam_track_id, 2, 2),
+ FIELDOF_NORM(krb5_sam_response_2, encrypted_data, sam_enc_nonce_or_sad, 3),
+ FIELDOF_NORM(krb5_sam_response_2, int32, sam_nonce, 4),
+};
+static unsigned int optional_sam_response_2(const void *p)
{
- asn1_setup();
+ const krb5_sam_response_2 *val = p;
+ unsigned int optional = 0;
- if (val == NULL ||
- (val->length && val->contents == NULL))
- return ASN1_MISSING_FIELD;
+ if (val->sam_track_id.length > 0) optional |= (1u << 2);
- asn1_addlenfield(val->length,val->contents,1,asn1_encode_octetstring);
- asn1_addfield(val->enctype,0,asn1_encode_integer);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(sam_response_2, krb5_sam_response_2, sam_response_2_fields,
+ optional_sam_response_2);
-asn1_error_code asn1_encode_checksum(asn1buf *buf, const krb5_checksum *val, unsigned int *retlen)
+static const struct field_info predicted_sam_response_fields[] = {
+ FIELDOF_NORM(krb5_predicted_sam_response, encryption_key, sam_key, 0),
+ FIELDOF_NORM(krb5_predicted_sam_response, krb5_flags, sam_flags, 1),
+ FIELDOF_NORM(krb5_predicted_sam_response, kerberos_time, stime, 2),
+ FIELDOF_NORM(krb5_predicted_sam_response, int32, susec, 3),
+ FIELDOF_NORM(krb5_predicted_sam_response, realm_of_principal, client, 4),
+ FIELDOF_NORM(krb5_predicted_sam_response, principal, client, 5),
+ FIELDOF_OPT(krb5_predicted_sam_response, ostring_data, msd, 6, 6),
+};
+static unsigned int optional_predicted_sam_response(const void *p)
{
- asn1_setup();
+ const krb5_predicted_sam_response *val = p;
+ unsigned int optional = 0;
- if (val == NULL ||
- (val->length && val->contents == NULL))
- return ASN1_MISSING_FIELD;
+ if (val->msd.length > 0) optional |= (1u << 6);
- asn1_addlenfield(val->length,val->contents,1,asn1_encode_octetstring);
- asn1_addfield(val->checksum_type,0,asn1_encode_integer);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(predicted_sam_response, krb5_predicted_sam_response,
+ predicted_sam_response_fields,
+ optional_predicted_sam_response);
-asn1_error_code asn1_encode_transited_encoding(asn1buf *buf, const krb5_transited *val, unsigned int *retlen)
+static const struct field_info krb5_authenticator_fields[] = {
+ /* Authenticator ::= [APPLICATION 2] SEQUENCE */
+ /* authenticator-vno[0] INTEGER */
+ FIELD_INT_IMM(KVNO, 0),
+ /* crealm[1] Realm */
+ FIELDOF_NORM(krb5_authenticator, realm_of_principal, client, 1),
+ /* cname[2] PrincipalName */
+ FIELDOF_NORM(krb5_authenticator, principal, client, 2),
+ /* cksum[3] Checksum OPTIONAL */
+ FIELDOF_OPT(krb5_authenticator, checksum_ptr, checksum, 3, 3),
+ /* cusec[4] INTEGER */
+ FIELDOF_NORM(krb5_authenticator, int32, cusec, 4),
+ /* ctime[5] KerberosTime */
+ FIELDOF_NORM(krb5_authenticator, kerberos_time, ctime, 5),
+ /* subkey[6] EncryptionKey OPTIONAL */
+ FIELDOF_OPT(krb5_authenticator, ptr_encryption_key, subkey, 6, 6),
+ /* seq-number[7] INTEGER OPTIONAL */
+ FIELDOF_OPT(krb5_authenticator, uint, seq_number, 7, 7),
+ /* authorization-data[8] AuthorizationData OPTIONAL */
+ FIELDOF_OPT(krb5_authenticator, auth_data_ptr, authorization_data, 8, 8),
+};
+static unsigned int optional_krb5_authenticator(const void *p)
{
- asn1_setup();
+ const krb5_authenticator *val = p;
+ unsigned int optional = 0;
- if (val == NULL ||
- (val->tr_contents.length != 0 && val->tr_contents.data == NULL))
- return ASN1_MISSING_FIELD;
+ if (val->authorization_data != NULL && val->authorization_data[0] != NULL)
+ optional |= (1u << 8);
- asn1_addlenfield(val->tr_contents.length,val->tr_contents.data,
- 1,asn1_encode_charstring);
- asn1_addfield(val->tr_type,0,asn1_encode_integer);
- asn1_makeseq();
+ if (val->seq_number != 0)
+ optional |= (1u << 7);
- asn1_cleanup();
-}
+ if (val->subkey != NULL)
+ optional |= (1u << 6);
-asn1_error_code asn1_encode_last_req(asn1buf *buf, const krb5_last_req_entry **val, unsigned int *retlen)
-{
- asn1_setup();
- int i;
+ if (val->checksum != NULL)
+ optional |= (1u << 3);
- if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;
-
- for (i=0; val[i] != NULL; i++); /* go to end of array */
- for (i--; i>=0; i--) {
- retval = asn1_encode_last_req_entry(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_krb5_authenticator, krb5_authenticator, krb5_authenticator_fields,
+ optional_krb5_authenticator);
+DEFAPPTAGGEDTYPE(krb5_authenticator, 2, untagged_krb5_authenticator);
-asn1_error_code asn1_encode_last_req_entry(asn1buf *buf, const krb5_last_req_entry *val, unsigned int *retlen)
+static const struct field_info enc_tkt_part_fields[] = {
+ /* EncTicketPart ::= [APPLICATION 3] SEQUENCE */
+ /* flags[0] TicketFlags */
+ FIELDOF_NORM(krb5_enc_tkt_part, krb5_flags, flags, 0),
+ /* key[1] EncryptionKey */
+ FIELDOF_NORM(krb5_enc_tkt_part, ptr_encryption_key, session, 1),
+ /* crealm[2] Realm */
+ FIELDOF_NORM(krb5_enc_tkt_part, realm_of_principal, client, 2),
+ /* cname[3] PrincipalName */
+ FIELDOF_NORM(krb5_enc_tkt_part, principal, client, 3),
+ /* transited[4] TransitedEncoding */
+ FIELDOF_NORM(krb5_enc_tkt_part, transited, transited, 4),
+ /* authtime[5] KerberosTime */
+ FIELDOF_NORM(krb5_enc_tkt_part, kerberos_time, times.authtime, 5),
+ /* starttime[6] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_enc_tkt_part, kerberos_time, times.starttime, 6, 6),
+ /* endtime[7] KerberosTime */
+ FIELDOF_NORM(krb5_enc_tkt_part, kerberos_time, times.endtime, 7),
+ /* renew-till[8] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_enc_tkt_part, kerberos_time, times.renew_till, 8, 8),
+ /* caddr[9] HostAddresses OPTIONAL */
+ FIELDOF_OPT(krb5_enc_tkt_part, ptr_seqof_host_addresses, caddrs, 9, 9),
+ /* authorization-data[10] AuthorizationData OPTIONAL */
+ FIELDOF_OPT(krb5_enc_tkt_part, auth_data_ptr, authorization_data, 10, 10),
+};
+static unsigned int optional_enc_tkt_part(const void *p)
{
- asn1_setup();
+ const krb5_enc_tkt_part *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->authorization_data != NULL && val->authorization_data[0] != NULL)
+ optional |= (1u << 10);
+ if (val->caddrs != NULL && val->caddrs[0] != NULL)
+ optional |= (1u << 9);
+ if (val->times.renew_till)
+ optional |= (1u << 8);
+ if (val->times.starttime)
+ optional |= (1u << 6);
- asn1_addfield(val->value,1,asn1_encode_kerberos_time);
- asn1_addfield(val->lr_type,0,asn1_encode_integer);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_enc_tkt_part, krb5_enc_tkt_part, enc_tkt_part_fields,
+ optional_enc_tkt_part);
+DEFAPPTAGGEDTYPE(enc_tkt_part, 3, untagged_enc_tkt_part);
-asn1_error_code asn1_encode_sequence_of_pa_data(asn1buf *buf, const krb5_pa_data **val, unsigned int *retlen)
+DEFAPPTAGGEDTYPE(enc_tgs_rep_part, 26, enc_kdc_rep_part);
+
+static const struct field_info as_rep_fields[] = {
+ /* AS-REP ::= [APPLICATION 11] KDC-REP */
+ /* But KDC-REP needs to know what type it's being encapsulated
+ in, so expand each version. */
+ FIELD_INT_IMM(KVNO, 0),
+ FIELD_INT_IMM(KRB5_AS_REP, 1),
+ FIELDOF_OPT(krb5_kdc_rep, ptr_seqof_pa_data, padata, 2, 2),
+ FIELDOF_NORM(krb5_kdc_rep, realm_of_principal, client, 3),
+ FIELDOF_NORM(krb5_kdc_rep, principal, client, 4),
+ FIELDOF_NORM(krb5_kdc_rep, ticket_ptr, ticket, 5),
+ FIELDOF_NORM(krb5_kdc_rep, encrypted_data, enc_part, 6),
+};
+static unsigned int optional_as_rep(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_kdc_rep *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->padata != NULL && val->padata[0] != NULL)
+ optional |= (1u << 2);
- for (i=0; val[i] != NULL; i++);
- for (i--; i>=0; i--) {
- retval = asn1_encode_pa_data(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_as_rep, krb5_kdc_rep, as_rep_fields, optional_as_rep);
+DEFAPPTAGGEDTYPE(as_rep, 11, untagged_as_rep);
-asn1_error_code asn1_encode_pa_data(asn1buf *buf, const krb5_pa_data *val, unsigned int *retlen)
+static const struct field_info tgs_rep_fields[] = {
+ /* TGS-REP ::= [APPLICATION 13] KDC-REP */
+ /* But KDC-REP needs to know what type it's being encapsulated
+ in, so expand each version. */
+ FIELD_INT_IMM(KVNO, 0),
+ FIELD_INT_IMM(KRB5_TGS_REP, 1),
+ FIELDOF_OPT(krb5_kdc_rep, ptr_seqof_pa_data, padata, 2, 2),
+ FIELDOF_NORM(krb5_kdc_rep, realm_of_principal, client, 3),
+ FIELDOF_NORM(krb5_kdc_rep, principal, client, 4),
+ FIELDOF_NORM(krb5_kdc_rep, ticket_ptr, ticket, 5),
+ FIELDOF_NORM(krb5_kdc_rep, encrypted_data, enc_part, 6),
+};
+static unsigned int optional_tgs_rep(const void *p)
{
- asn1_setup();
+ const krb5_kdc_rep *val = p;
+ unsigned int optional = 0;
- if (val == NULL || (val->length != 0 && val->contents == NULL))
- return ASN1_MISSING_FIELD;
+ if (val->padata != NULL && val->padata[0] != NULL)
+ optional |= (1u << 2);
- asn1_addlenfield(val->length,val->contents,2,asn1_encode_octetstring);
- asn1_addfield(val->pa_type,1,asn1_encode_integer);
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_tgs_rep, krb5_kdc_rep, tgs_rep_fields, optional_tgs_rep);
+DEFAPPTAGGEDTYPE(tgs_rep, 13, untagged_tgs_rep);
-asn1_error_code asn1_encode_sequence_of_ticket(asn1buf *buf, const krb5_ticket **val, unsigned int *retlen)
-{
- asn1_setup();
- int i;
+static const struct field_info ap_req_fields[] = {
+ /* AP-REQ ::= [APPLICATION 14] SEQUENCE */
+ /* pvno[0] INTEGER */
+ FIELD_INT_IMM(KVNO, 0),
+ /* msg-type[1] INTEGER */
+ FIELD_INT_IMM(ASN1_KRB_AP_REQ, 1),
+ /* ap-options[2] APOptions */
+ FIELDOF_NORM(krb5_ap_req, krb5_flags, ap_options, 2),
+ /* ticket[3] Ticket */
+ FIELDOF_NORM(krb5_ap_req, ticket_ptr, ticket, 3),
+ /* authenticator[4] EncryptedData */
+ FIELDOF_NORM(krb5_ap_req, encrypted_data, authenticator, 4),
+};
+DEFSEQTYPE(untagged_ap_req, krb5_ap_req, ap_req_fields, 0);
+DEFAPPTAGGEDTYPE(ap_req, 14, untagged_ap_req);
- if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;
+static const struct field_info ap_rep_fields[] = {
+ /* AP-REP ::= [APPLICATION 15] SEQUENCE */
+ /* pvno[0] INTEGER */
+ FIELD_INT_IMM(KVNO, 0),
+ /* msg-type[1] INTEGER */
+ FIELD_INT_IMM(ASN1_KRB_AP_REP, 1),
+ /* enc-part[2] EncryptedData */
+ FIELDOF_NORM(krb5_ap_rep, encrypted_data, enc_part, 2),
+};
+DEFSEQTYPE(untagged_ap_rep, krb5_ap_rep, ap_rep_fields, 0);
+DEFAPPTAGGEDTYPE(ap_rep, 15, untagged_ap_rep);
- for (i=0; val[i] != NULL; i++);
- for (i--; i>=0; i--) {
- retval = asn1_encode_ticket(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
-
- asn1_cleanup();
-}
-
-asn1_error_code asn1_encode_ticket(asn1buf *buf, const krb5_ticket *val, unsigned int *retlen)
+static const struct field_info ap_rep_enc_part_fields[] = {
+ /* EncAPRepPart ::= [APPLICATION 27] SEQUENCE */
+ /* ctime[0] KerberosTime */
+ FIELDOF_NORM(krb5_ap_rep_enc_part, kerberos_time, ctime, 0),
+ /* cusec[1] INTEGER */
+ FIELDOF_NORM(krb5_ap_rep_enc_part, int32, cusec, 1),
+ /* subkey[2] EncryptionKey OPTIONAL */
+ FIELDOF_OPT(krb5_ap_rep_enc_part, ptr_encryption_key, subkey, 2, 2),
+ /* seq-number[3] INTEGER OPTIONAL */
+ FIELDOF_OPT(krb5_ap_rep_enc_part, uint, seq_number, 3, 3),
+};
+static unsigned int optional_ap_rep_enc_part(const void *p)
{
- asn1_setup();
+ const krb5_ap_rep_enc_part *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->seq_number)
+ optional |= (1u << 3);
+ if (val->subkey != NULL)
+ optional |= (1u << 2);
- asn1_addfield(&(val->enc_part),3,asn1_encode_encrypted_data);
- asn1_addfield(val->server,2,asn1_encode_principal_name);
- asn1_addfield(val->server,1,asn1_encode_realm);
- asn1_addfield(KVNO,0,asn1_encode_integer);
- asn1_makeseq();
- asn1_apptag(1);
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_ap_rep_enc_part, krb5_ap_rep_enc_part,
+ ap_rep_enc_part_fields, optional_ap_rep_enc_part);
+DEFAPPTAGGEDTYPE(ap_rep_enc_part, 27, untagged_ap_rep_enc_part);
-asn1_error_code asn1_encode_sequence_of_enctype(asn1buf *buf, const int len, const krb5_enctype *val, unsigned int *retlen)
+static const struct field_info as_req_fields[] = {
+ /* AS-REQ ::= [APPLICATION 10] KDC-REQ */
+ FIELD_INT_IMM(KVNO, 1),
+ FIELD_INT_IMM(KRB5_AS_REQ, 2),
+ FIELDOF_OPT(krb5_kdc_req, ptr_seqof_pa_data, padata, 3, 3),
+ FIELDOF_ENCODEAS(krb5_kdc_req, kdc_req_body, 4),
+};
+static unsigned int optional_as_req(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_kdc_req *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->padata != NULL && val->padata[0] != NULL)
+ optional |= (1u << 3);
- for (i=len-1; i>=0; i--) {
- retval = asn1_encode_integer(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
-
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_as_req, krb5_kdc_req, as_req_fields, optional_as_req);
+DEFAPPTAGGEDTYPE(as_req, 10, untagged_as_req);
-asn1_error_code asn1_encode_kdc_req(int msg_type, asn1buf *buf, const krb5_kdc_req *val, unsigned int *retlen)
+static const struct field_info tgs_req_fields[] = {
+ /* TGS-REQ ::= [APPLICATION 12] KDC-REQ */
+ FIELD_INT_IMM(KVNO, 1),
+ FIELD_INT_IMM(KRB5_TGS_REQ, 2),
+ FIELDOF_OPT(krb5_kdc_req, ptr_seqof_pa_data, padata, 3, 3),
+ FIELDOF_ENCODEAS(krb5_kdc_req, kdc_req_body, 4),
+};
+static unsigned int optional_tgs_req(const void *p)
{
- asn1_setup();
+ const krb5_kdc_req *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
-
- asn1_addfield(val,4,asn1_encode_kdc_req_body);
if (val->padata != NULL && val->padata[0] != NULL)
- asn1_addfield((const krb5_pa_data**)val->padata,3,asn1_encode_sequence_of_pa_data);
- if (msg_type != KRB5_AS_REQ && msg_type != KRB5_TGS_REQ)
- return KRB5_BADMSGTYPE;
- asn1_addfield(msg_type,2,asn1_encode_integer);
- asn1_addfield(KVNO,1,asn1_encode_integer);
- asn1_makeseq();
+ optional |= (1u << 3);
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_tgs_req, krb5_kdc_req, tgs_req_fields,
+ optional_tgs_req);
+DEFAPPTAGGEDTYPE(tgs_req, 12, untagged_tgs_req);
-asn1_error_code asn1_encode_krb_safe_body(asn1buf *buf, const krb5_safe *val, unsigned int *retlen)
-{
- asn1_setup();
+static const struct field_info krb5_safe_fields[] = {
+ FIELD_INT_IMM(KVNO, 0),
+ FIELD_INT_IMM(ASN1_KRB_SAFE,1),
+ FIELD_SELF(krb_safe_body, 2),
+ FIELDOF_NORM(krb5_safe, checksum_ptr, checksum, 3),
+};
+DEFSEQTYPE(untagged_krb5_safe, krb5_safe, krb5_safe_fields, 0);
+DEFAPPTAGGEDTYPE(krb5_safe, 20, untagged_krb5_safe);
- if (val == NULL) return ASN1_MISSING_FIELD;
+DEFPTRTYPE(krb_saved_safe_body_ptr, opaque_data);
+DEFFIELDTYPE(krb5_safe_checksum_only, krb5_safe,
+ FIELDOF_NORM(krb5_safe, checksum_ptr, checksum, -1));
+DEFPTRTYPE(krb5_safe_checksum_only_ptr, krb5_safe_checksum_only);
+static const struct field_info krb5_safe_with_body_fields[] = {
+ FIELD_INT_IMM(KVNO, 0),
+ FIELD_INT_IMM(ASN1_KRB_SAFE,1),
+ FIELDOF_NORM(struct krb5_safe_with_body, krb_saved_safe_body_ptr, body, 2),
+ FIELDOF_NORM(struct krb5_safe_with_body, krb5_safe_checksum_only_ptr, safe, 3),
+};
+DEFSEQTYPE(untagged_krb5_safe_with_body, struct krb5_safe_with_body,
+ krb5_safe_with_body_fields, 0);
+DEFAPPTAGGEDTYPE(krb5_safe_with_body, 20, untagged_krb5_safe_with_body);
- if (val->r_address != NULL)
- asn1_addfield(val->r_address,5,asn1_encode_host_address);
- asn1_addfield(val->s_address,4,asn1_encode_host_address);
- if (val->seq_number)
- asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);
- if (val->timestamp) {
- asn1_addfield(val->usec,2,asn1_encode_integer);
- asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);
- }
- if (val->user_data.length && val->user_data.data == NULL)
- return ASN1_MISSING_FIELD;
- asn1_addlenfield(val->user_data.length,val->user_data.data,0,asn1_encode_charstring)
- ;
+static const struct field_info priv_fields[] = {
+ FIELD_INT_IMM(KVNO, 0),
+ FIELD_INT_IMM(ASN1_KRB_PRIV, 1),
+ FIELDOF_NORM(krb5_priv, encrypted_data, enc_part, 3),
+};
+DEFSEQTYPE(untagged_priv, krb5_priv, priv_fields, 0);
+DEFAPPTAGGEDTYPE(krb5_priv, 21, untagged_priv);
- asn1_makeseq();
- asn1_cleanup();
-}
-
-asn1_error_code asn1_encode_sequence_of_krb_cred_info(asn1buf *buf, const krb5_cred_info **val, unsigned int *retlen)
+static const struct field_info priv_enc_part_fields[] = {
+ FIELDOF_NORM(krb5_priv_enc_part, ostring_data, user_data, 0),
+ FIELDOF_OPT(krb5_priv_enc_part, kerberos_time, timestamp, 1, 1),
+ FIELDOF_OPT(krb5_priv_enc_part, int32, usec, 2, 2),
+ FIELDOF_OPT(krb5_priv_enc_part, uint, seq_number, 3, 3),
+ FIELDOF_NORM(krb5_priv_enc_part, address_ptr, s_address, 4),
+ FIELDOF_OPT(krb5_priv_enc_part, address_ptr, r_address, 5, 5),
+};
+static unsigned int optional_priv_enc_part(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_priv_enc_part *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
-
- for (i=0; val[i] != NULL; i++);
- for (i--; i>=0; i--) {
- retval = asn1_encode_krb_cred_info(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
+ if (val->timestamp) {
+ optional |= (1u << 2);
+ optional |= (1u << 1);
}
- asn1_makeseq();
+ if (val->seq_number)
+ optional |= (1u << 3);
+ if (val->r_address)
+ optional |= (1u << 5);
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_priv_enc_part, krb5_priv_enc_part, priv_enc_part_fields,
+ optional_priv_enc_part);
+DEFAPPTAGGEDTYPE(priv_enc_part, 28, untagged_priv_enc_part);
-asn1_error_code asn1_encode_krb_cred_info(asn1buf *buf, const krb5_cred_info *val, unsigned int *retlen)
+static const struct field_info cred_fields[] = {
+ /* KRB-CRED ::= [APPLICATION 22] SEQUENCE */
+ /* pvno[0] INTEGER */
+ FIELD_INT_IMM(KVNO, 0),
+ /* msg-type[1] INTEGER, -- KRB_CRED */
+ FIELD_INT_IMM(ASN1_KRB_CRED, 1),
+ /* tickets[2] SEQUENCE OF Ticket */
+ FIELDOF_NORM(krb5_cred, ptr_seqof_ticket, tickets, 2),
+ /* enc-part[3] EncryptedData */
+ FIELDOF_NORM(krb5_cred, encrypted_data, enc_part, 3),
+};
+DEFSEQTYPE(untagged_cred, krb5_cred, cred_fields, 0);
+DEFAPPTAGGEDTYPE(krb5_cred, 22, untagged_cred);
+
+static const struct field_info enc_cred_part_fields[] = {
+ /* EncKrbCredPart ::= [APPLICATION 29] SEQUENCE */
+ /* ticket-info[0] SEQUENCE OF KrbCredInfo */
+ FIELDOF_NORM(krb5_cred_enc_part, ptrseqof_cred_info, ticket_info, 0),
+ /* nonce[1] INTEGER OPTIONAL */
+ FIELDOF_OPT(krb5_cred_enc_part, int32, nonce, 1, 1),
+ /* timestamp[2] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_cred_enc_part, kerberos_time, timestamp, 2, 2),
+ /* usec[3] INTEGER OPTIONAL */
+ FIELDOF_OPT(krb5_cred_enc_part, int32, usec, 3, 3),
+ /* s-address[4] HostAddress OPTIONAL */
+ FIELDOF_OPT(krb5_cred_enc_part, address_ptr, s_address, 4, 4),
+ /* r-address[5] HostAddress OPTIONAL */
+ FIELDOF_OPT(krb5_cred_enc_part, address_ptr, r_address, 5, 5),
+};
+static unsigned int optional_enc_cred_part(const void *p)
{
- asn1_setup();
+ const krb5_cred_enc_part *val = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (val->r_address != NULL)
+ optional |= (1u << 5);
- if (val->caddrs != NULL && val->caddrs[0] != NULL)
- asn1_addfield((const krb5_address**)val->caddrs,10,asn1_encode_host_addresses);
- if (val->server != NULL) {
- asn1_addfield(val->server,9,asn1_encode_principal_name);
- asn1_addfield(val->server,8,asn1_encode_realm);
+ if (val->s_address != NULL)
+ optional |= (1u << 4);
+
+ if (val->timestamp) {
+ optional |= (1u << 2);
+ optional |= (1u << 3);
}
- if (val->times.renew_till)
- asn1_addfield(val->times.renew_till,7,asn1_encode_kerberos_time);
- if (val->times.endtime)
- asn1_addfield(val->times.endtime,6,asn1_encode_kerberos_time);
- if (val->times.starttime)
- asn1_addfield(val->times.starttime,5,asn1_encode_kerberos_time);
- if (val->times.authtime)
- asn1_addfield(val->times.authtime,4,asn1_encode_kerberos_time);
- if (val->flags)
- asn1_addfield(val->flags,3,asn1_encode_ticket_flags);
- if (val->client != NULL) {
- asn1_addfield(val->client,2,asn1_encode_principal_name);
- asn1_addfield(val->client,1,asn1_encode_realm);
- }
- asn1_addfield(val->session,0,asn1_encode_encryption_key);
- asn1_makeseq();
+ if (val->nonce)
+ optional |= (1u << 1);
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_enc_cred_part, krb5_cred_enc_part, enc_cred_part_fields,
+ optional_enc_cred_part);
+DEFAPPTAGGEDTYPE(enc_cred_part, 29, untagged_enc_cred_part);
-asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val,
- unsigned int *retlen, int etype_info2)
+static const struct field_info error_fields[] = {
+ /* KRB-ERROR ::= [APPLICATION 30] SEQUENCE */
+ /* pvno[0] INTEGER */
+ FIELD_INT_IMM(KVNO, 0),
+ /* msg-type[1] INTEGER */
+ FIELD_INT_IMM(ASN1_KRB_ERROR, 1),
+ /* ctime[2] KerberosTime OPTIONAL */
+ FIELDOF_OPT(krb5_error, kerberos_time, ctime, 2, 2),
+ /* cusec[3] INTEGER OPTIONAL */
+ FIELDOF_OPT(krb5_error, int32, cusec, 3, 3),
+ /* stime[4] KerberosTime */
+ FIELDOF_NORM(krb5_error, kerberos_time, stime, 4),
+ /* susec[5] INTEGER */
+ FIELDOF_NORM(krb5_error, int32, susec, 5),
+ /* error-code[6] INTEGER */
+ FIELDOF_NORM(krb5_error, ui_4, error, 6),
+ /* crealm[7] Realm OPTIONAL */
+ FIELDOF_OPT(krb5_error, realm_of_principal, client, 7, 7),
+ /* cname[8] PrincipalName OPTIONAL */
+ FIELDOF_OPT(krb5_error, principal, client, 8, 8),
+ /* realm[9] Realm -- Correct realm */
+ FIELDOF_NORM(krb5_error, realm_of_principal, server, 9),
+ /* sname[10] PrincipalName -- Correct name */
+ FIELDOF_NORM(krb5_error, principal, server, 10),
+ /* e-text[11] GeneralString OPTIONAL */
+ FIELDOF_OPT(krb5_error, gstring_data, text, 11, 11),
+ /* e-data[12] OCTET STRING OPTIONAL */
+ FIELDOF_OPT(krb5_error, ostring_data, e_data, 12, 12),
+};
+static unsigned int optional_error(const void *p)
{
- asn1_setup();
+ const krb5_error *val = p;
+ unsigned int optional = 0;
- assert(val->s2kparams.data == NULL || etype_info2);
- if (val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT &&
- val->salt == NULL))
- return ASN1_MISSING_FIELD;
- if (val->s2kparams.data != NULL)
- asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2,
- asn1_encode_octetstring);
- if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT) {
- if (etype_info2) {
- asn1_addlenfield(val->length,val->salt,1,
- asn1_encode_generalstring);
- } else {
- asn1_addlenfield(val->length,val->salt,1,
- asn1_encode_octetstring);
- }
+ if (val->ctime)
+ optional |= (1u << 2);
+ if (val->cusec)
+ optional |= (1u << 3);
+ if (val->client) {
+ optional |= (1u << 7);
+ optional |= (1u << 8);
}
- asn1_addfield(val->etype,0,asn1_encode_integer);
- asn1_makeseq();
+ if (val->text.data != NULL && val->text.length > 0)
+ optional |= (1u << 11);
+ if (val->e_data.data != NULL && val->e_data.length > 0)
+ optional |= (1u << 12);
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(untagged_krb5_error, krb5_error, error_fields, optional_error);
+DEFAPPTAGGEDTYPE(krb5_error, 30, untagged_krb5_error);
-asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val,
- unsigned int *retlen, int etype_info2)
+static const struct field_info alt_method_fields[] = {
+ FIELDOF_NORM(krb5_alt_method, int32, method, 0),
+ FIELDOF_OPTSTRING(krb5_alt_method, octetstring, data, length, 1, 1),
+};
+static unsigned int
+optional_alt_method(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_alt_method *a = p;
+ unsigned int optional = 0;
- if (val == NULL) return ASN1_MISSING_FIELD;
+ if (a->data != NULL && a->length > 0)
+ optional |= (1u << 1);
- for (i=0; val[i] != NULL; i++); /* get to the end of the array */
- for (i--; i>=0; i--) {
- retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(alt_method, krb5_alt_method, alt_method_fields, optional_alt_method);
-asn1_error_code asn1_encode_sequence_of_passwdsequence(asn1buf *buf, const passwd_phrase_element **val, unsigned int *retlen)
+static const struct field_info pa_enc_ts_fields[] = {
+ FIELDOF_NORM(krb5_pa_enc_ts, kerberos_time, patimestamp, 0),
+ FIELDOF_OPT(krb5_pa_enc_ts, int32, pausec, 1, 1),
+};
+static unsigned int
+optional_pa_enc_ts(const void *p)
{
- asn1_setup();
- int i;
+ const krb5_pa_enc_ts *val = p;
+ unsigned int optional = 0;
- if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;
+ if (val->pausec)
+ optional |= (1u << 1);
- for (i=0; val[i] != NULL; i++); /* get to the end of the array */
- for (i--; i>=0; i--) {
- retval = asn1_encode_passwdsequence(buf,val[i],&length);
- if (retval) return retval;
- sum += length;
- }
- asn1_makeseq();
- asn1_cleanup();
+ return optional;
}
+DEFSEQTYPE(pa_enc_ts, krb5_pa_enc_ts, pa_enc_ts_fields, optional_pa_enc_ts);
-asn1_error_code asn1_encode_passwdsequence(asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen)
-{
- asn1_setup();
- asn1_addlenfield(val->phrase->length,val->phrase->data,1,asn1_encode_charstring);
- asn1_addlenfield(val->passwd->length,val->passwd->data,0,asn1_encode_charstring);
- asn1_makeseq();
- asn1_cleanup();
-}
+static const struct field_info pwd_data_fields[] = {
+ FIELDOF_NORM(krb5_pwd_data, int32, sequence_count, 0),
+ FIELDOF_NORM(krb5_pwd_data, ptr_seqof_passwdsequence, element, 1),
+};
+DEFSEQTYPE(pwd_data, krb5_pwd_data, pwd_data_fields, 0);
-asn1_error_code asn1_encode_sam_flags(asn1buf *buf, const krb5_flags val, unsigned int *retlen)
-{
- return asn1_encode_krb5_flags(buf,val,retlen);
-}
+static const struct field_info setpw_req_fields[] = {
+ FIELDOF_NORM(struct krb5_setpw_req, ostring_data, password, 0),
+ FIELDOF_NORM(struct krb5_setpw_req, principal, target, 1),
+ FIELDOF_NORM(struct krb5_setpw_req, realm_of_principal, target, 2),
+};
-#define add_optstring(val,n,fn) \
- if ((val).length > 0) {asn1_addlenfield((val).length,(val).data,n,fn);}
+DEFSEQTYPE(setpw_req, struct krb5_setpw_req, setpw_req_fields, 0);
-asn1_error_code asn1_encode_sam_challenge(asn1buf *buf, const krb5_sam_challenge *val, unsigned int *retlen)
-{
- asn1_setup();
- /* possibly wrong */
- if (val->sam_cksum.length)
- asn1_addfield(&(val->sam_cksum),9,asn1_encode_checksum);
+/* [MS-SFU] Section 2.2.1. */
+static const struct field_info pa_for_user_fields[] = {
+ FIELDOF_NORM(krb5_pa_for_user, principal, user, 0),
+ FIELDOF_NORM(krb5_pa_for_user, realm_of_principal, user, 1),
+ FIELDOF_NORM(krb5_pa_for_user, checksum, cksum, 2),
+ FIELDOF_NORM(krb5_pa_for_user, gstring_data, auth_package, 3),
+};
- if (val->sam_nonce)
- asn1_addfield(val->sam_nonce,8,asn1_encode_integer);
+DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields, 0);
- add_optstring(val->sam_pk_for_sad,7,asn1_encode_charstring);
- add_optstring(val->sam_response_prompt,6,asn1_encode_charstring);
- add_optstring(val->sam_challenge,5,asn1_encode_charstring);
- add_optstring(val->sam_challenge_label,4,asn1_encode_charstring);
- add_optstring(val->sam_track_id,3,asn1_encode_charstring);
- add_optstring(val->sam_type_name,2,asn1_encode_charstring);
+/* draft-ietf-krb-wg-kerberos-referrals Appendix A. */
+static const struct field_info pa_svr_referral_data_fields[] = {
+ FIELDOF_NORM(krb5_pa_svr_referral_data, realm_of_principal, principal, 0),
+ FIELDOF_OPT(krb5_pa_svr_referral_data, principal, principal, 1, 1),
+};
- asn1_addfield(val->sam_flags,1,asn1_encode_sam_flags);
- asn1_addfield(val->sam_type,0,asn1_encode_integer);
+DEFSEQTYPE(pa_svr_referral_data, krb5_pa_svr_referral_data, pa_svr_referral_data_fields, 0);
- asn1_makeseq();
- asn1_cleanup();
-}
+/* draft-ietf-krb-wg-kerberos-referrals Section 8. */
+static const struct field_info pa_server_referral_data_fields[] = {
+ FIELDOF_OPT(krb5_pa_server_referral_data, gstring_data_ptr, referred_realm, 0, 0),
+ FIELDOF_OPT(krb5_pa_server_referral_data, principal, true_principal_name, 1, 1),
+ FIELDOF_OPT(krb5_pa_server_referral_data, principal, requested_principal_name, 2, 2),
+ FIELDOF_OPT(krb5_pa_server_referral_data, kerberos_time, referral_valid_until, 3, 3),
+ FIELDOF_NORM(krb5_pa_server_referral_data, checksum, rep_cksum, 4),
+};
-asn1_error_code asn1_encode_sam_challenge_2(asn1buf *buf, const krb5_sam_challenge_2 *val, unsigned int *retlen)
-{
- asn1_setup();
- if ( (!val) || (!val->sam_cksum) || (!val->sam_cksum[0]))
- return ASN1_MISSING_FIELD;
+DEFSEQTYPE(pa_server_referral_data, krb5_pa_server_referral_data, pa_server_referral_data_fields, 0);
- asn1_addfield((const krb5_checksum **) val->sam_cksum, 1, asn1_encode_sequence_of_checksum);
- retval = asn1buf_insert_octetstring(buf, val->sam_challenge_2_body.length,
- (unsigned char *)val->sam_challenge_2_body.data);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
- }
- sum += val->sam_challenge_2_body.length;
- retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
- val->sam_challenge_2_body.length, &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
- }
- sum += length;
+#if 0
+/* draft-brezak-win2k-krb-authz Section 6. */
+static const struct field_info pa_pac_request_fields[] = {
+ FIELDOF_NORM(krb5_pa_pac_req, boolean, include_pac, 0),
+};
- asn1_makeseq();
- asn1_cleanup();
-}
+DEFSEQTYPE(pa_pac_request, krb5_pa_pac_req, pa_pac_request_fields, 0);
+#endif
-asn1_error_code asn1_encode_sam_challenge_2_body(asn1buf *buf, const krb5_sam_challenge_2_body *val, unsigned int *retlen)
-{
- asn1_setup();
+/* RFC 4537 */
+DEFFIELDTYPE(etype_list, krb5_etype_list,
+ FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1));
- asn1_addfield(val->sam_etype, 9, asn1_encode_integer);
- asn1_addfield(val->sam_nonce,8,asn1_encode_integer);
- add_optstring(val->sam_pk_for_sad,7,asn1_encode_charstring);
- add_optstring(val->sam_response_prompt,6,asn1_encode_charstring);
- add_optstring(val->sam_challenge,5,asn1_encode_charstring);
- add_optstring(val->sam_challenge_label,4,asn1_encode_charstring);
- add_optstring(val->sam_track_id,3,asn1_encode_charstring);
- add_optstring(val->sam_type_name,2,asn1_encode_charstring);
+/* Exported complete encoders -- these produce a krb5_data with
+ the encoding in the correct byte order. */
- asn1_addfield(val->sam_flags,1,asn1_encode_sam_flags);
- asn1_addfield(val->sam_type,0,asn1_encode_integer);
+MAKE_FULL_ENCODER(encode_krb5_authenticator, krb5_authenticator);
+MAKE_FULL_ENCODER(encode_krb5_ticket, ticket);
+MAKE_FULL_ENCODER(encode_krb5_encryption_key, encryption_key);
+MAKE_FULL_ENCODER(encode_krb5_enc_tkt_part, enc_tkt_part);
+/* XXX We currently (for backwards compatibility) encode both
+ EncASRepPart and EncTGSRepPart with application tag 26. */
+MAKE_FULL_ENCODER(encode_krb5_enc_kdc_rep_part, enc_tgs_rep_part);
+MAKE_FULL_ENCODER(encode_krb5_as_rep, as_rep);
+MAKE_FULL_ENCODER(encode_krb5_tgs_rep, tgs_rep);
+MAKE_FULL_ENCODER(encode_krb5_ap_req, ap_req);
+MAKE_FULL_ENCODER(encode_krb5_ap_rep, ap_rep);
+MAKE_FULL_ENCODER(encode_krb5_ap_rep_enc_part, ap_rep_enc_part);
+MAKE_FULL_ENCODER(encode_krb5_as_req, as_req);
+MAKE_FULL_ENCODER(encode_krb5_tgs_req, tgs_req);
+MAKE_FULL_ENCODER(encode_krb5_kdc_req_body, kdc_req_body);
+MAKE_FULL_ENCODER(encode_krb5_safe, krb5_safe);
- asn1_makeseq();
- asn1_cleanup();
-}
+/*
+ * encode_krb5_safe_with_body
+ *
+ * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY
+ * encoding to avoid problems with re-encoding.
+ */
+MAKE_FULL_ENCODER(encode_krb5_safe_with_body, krb5_safe_with_body);
-asn1_error_code asn1_encode_sam_key(asn1buf *buf, const krb5_sam_key *val, unsigned int *retlen)
-{
- asn1_setup();
- asn1_addfield(&(val->sam_key),0,asn1_encode_encryption_key);
+MAKE_FULL_ENCODER(encode_krb5_priv, krb5_priv);
+MAKE_FULL_ENCODER(encode_krb5_enc_priv_part, priv_enc_part);
+MAKE_FULL_ENCODER(encode_krb5_cred, krb5_cred);
+MAKE_FULL_ENCODER(encode_krb5_enc_cred_part, enc_cred_part);
+MAKE_FULL_ENCODER(encode_krb5_error, krb5_error);
+MAKE_FULL_ENCODER(encode_krb5_authdata, auth_data);
+MAKE_FULL_ENCODER(encode_krb5_authdata_elt, authdata_elt);
+MAKE_FULL_ENCODER(encode_krb5_alt_method, alt_method);
+MAKE_FULL_ENCODER(encode_krb5_etype_info, etype_info);
+MAKE_FULL_ENCODER(encode_krb5_etype_info2, etype_info2);
+MAKE_FULL_ENCODER(encode_krb5_enc_data, encrypted_data);
+MAKE_FULL_ENCODER(encode_krb5_pa_enc_ts, pa_enc_ts);
+/* Sandia Additions */
+MAKE_FULL_ENCODER(encode_krb5_pwd_sequence, passwdsequence);
+MAKE_FULL_ENCODER(encode_krb5_pwd_data, pwd_data);
+MAKE_FULL_ENCODER(encode_krb5_padata_sequence, seq_of_pa_data);
+/* sam preauth additions */
+MAKE_FULL_ENCODER(encode_krb5_sam_challenge, sam_challenge);
+#if 0 /* encoders not used! */
+MAKE_FULL_ENCODER(encode_krb5_sam_challenge_2, sam_challenge_2);
+MAKE_FULL_ENCODER(encode_krb5_sam_challenge_2_body,
+ sam_challenge_2_body);
+#endif
+MAKE_FULL_ENCODER(encode_krb5_sam_key, sam_key);
+MAKE_FULL_ENCODER(encode_krb5_enc_sam_response_enc,
+ enc_sam_response_enc);
+MAKE_FULL_ENCODER(encode_krb5_enc_sam_response_enc_2,
+ enc_sam_response_enc_2);
+MAKE_FULL_ENCODER(encode_krb5_sam_response, sam_response);
+MAKE_FULL_ENCODER(encode_krb5_sam_response_2, sam_response_2);
+MAKE_FULL_ENCODER(encode_krb5_predicted_sam_response,
+ predicted_sam_response);
+MAKE_FULL_ENCODER(encode_krb5_setpw_req, setpw_req);
+MAKE_FULL_ENCODER(encode_krb5_pa_for_user, pa_for_user);
+MAKE_FULL_ENCODER(encode_krb5_pa_svr_referral_data, pa_svr_referral_data);
+MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data);
+MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list);
- asn1_makeseq();
- asn1_cleanup();
-}
-asn1_error_code asn1_encode_enc_sam_response_enc(asn1buf *buf, const krb5_enc_sam_response_enc *val, unsigned int *retlen)
-{
- asn1_setup();
- add_optstring(val->sam_sad,3,asn1_encode_charstring);
- asn1_addfield(val->sam_usec,2,asn1_encode_integer);
- asn1_addfield(val->sam_timestamp,1,asn1_encode_kerberos_time);
- asn1_addfield(val->sam_nonce,0,asn1_encode_integer);
- asn1_makeseq();
- asn1_cleanup();
-}
-asn1_error_code asn1_encode_enc_sam_response_enc_2(asn1buf *buf, const krb5_enc_sam_response_enc_2 *val, unsigned int *retlen)
-{
- asn1_setup();
- add_optstring(val->sam_sad,1,asn1_encode_charstring);
- asn1_addfield(val->sam_nonce,0,asn1_encode_integer);
+#ifndef DISABLE_PKINIT
+/*
+ * PKINIT
+ */
- asn1_makeseq();
+/* This code hasn't been converted to use the above framework yet,
+ because we currently have no test cases to validate the new
+ version. It *also* appears that some of the encodings may disagree
+ with the specifications, but that's a separate problem. */
- asn1_cleanup();
-}
+/**** asn1 macros ****/
+#if 0
+ How to write an asn1 encoder function using these macros:
-asn1_error_code asn1_encode_sam_response(asn1buf *buf, const krb5_sam_response *val, unsigned int *retlen)
-{
- asn1_setup();
+ asn1_error_code asn1_encode_krb5_substructure(asn1buf *buf,
+ const krb5_type *val,
+ int *retlen)
+ {
+ asn1_setup();
- if (val->sam_patimestamp)
- asn1_addfield(val->sam_patimestamp,6,asn1_encode_kerberos_time);
- if (val->sam_nonce)
- asn1_addfield(val->sam_nonce,5,asn1_encode_integer);
- asn1_addfield(&(val->sam_enc_nonce_or_ts),4,asn1_encode_encrypted_data);
- if (val->sam_enc_key.ciphertext.length)
- asn1_addfield(&(val->sam_enc_key),3,asn1_encode_encrypted_data);
- add_optstring(val->sam_track_id,2,asn1_encode_charstring);
- asn1_addfield(val->sam_flags,1,asn1_encode_sam_flags);
- asn1_addfield(val->sam_type,0,asn1_encode_integer);
+ asn1_addfield(val->last_field, n, asn1_type);
+ asn1_addfield(rep->next_to_last_field, n-1, asn1_type);
+ ...
- asn1_makeseq();
+ /* for OPTIONAL fields */
+ if (rep->field_i == should_not_be_omitted)
+ asn1_addfield(rep->field_i, i, asn1_type);
- asn1_cleanup();
-}
+ /* for string fields (these encoders take an additional argument,
+ the length of the string) */
+ addlenfield(rep->field_length, rep->field, i-1, asn1_type);
-asn1_error_code asn1_encode_sam_response_2(asn1buf *buf, const krb5_sam_response_2 *val, unsigned int *retlen)
-{
- asn1_setup();
+ /* if you really have to do things yourself... */
+ retval = asn1_encode_asn1_type(buf,rep->field,&length);
+ if (retval) return retval;
+ sum += length;
+ retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, tag_number, length,
+ &length);
+ if (retval) return retval;
+ sum += length;
- asn1_addfield(val->sam_nonce,4,asn1_encode_integer);
- asn1_addfield(&(val->sam_enc_nonce_or_sad),3,asn1_encode_encrypted_data);
- add_optstring(val->sam_track_id,2,asn1_encode_charstring);
- asn1_addfield(val->sam_flags,1,asn1_encode_sam_flags);
- asn1_addfield(val->sam_type,0,asn1_encode_integer);
+ ...
+ asn1_addfield(rep->second_field, 1, asn1_type);
+ asn1_addfield(rep->first_field, 0, asn1_type);
+ asn1_makeseq();
- asn1_makeseq();
+ asn1_cleanup();
+ }
+#endif
- asn1_cleanup();
-}
+/* asn1_addlenfield -- add a field whose length must be separately specified */
+#define asn1_addlenfield(len,value,tag,encoder)\
+{ unsigned int length; \
+ retval = encoder(buf,len,value,&length); \
+ if (retval) {\
+ asn1buf_destroy(&buf);\
+ return retval; }\
+ sum += length;\
+ retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
+ if (retval) {\
+ asn1buf_destroy(&buf);\
+ return retval; }\
+ sum += length; }
-asn1_error_code asn1_encode_predicted_sam_response(asn1buf *buf, const krb5_predicted_sam_response *val, unsigned int *retlen)
-{
- asn1_setup();
+/* asn1_addfield_implicit -- add an implicitly tagged field, or component, to the encoding */
+#define asn1_addfield_implicit(value,tag,encoder)\
+{ unsigned int length;\
+ retval = encoder(buf,value,&length);\
+ if (retval) {\
+ return retval; }\
+ sum += length;\
+ retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,length,&length); \
+ if (retval) {\
+ return retval; }\
+ sum += length; }
- add_optstring(val->msd,6,asn1_encode_charstring);
- asn1_addfield(val->client,5,asn1_encode_principal_name);
- asn1_addfield(val->client,4,asn1_encode_realm);
- asn1_addfield(val->susec,3,asn1_encode_integer);
- asn1_addfield(val->stime,2,asn1_encode_kerberos_time);
- asn1_addfield(val->sam_flags,1,asn1_encode_sam_flags);
- asn1_addfield(&(val->sam_key),0,asn1_encode_encryption_key);
+/* asn1_insert_implicit_octetstring -- add an octet string with implicit tagging */
+#define asn1_insert_implicit_octetstring(len,value,tag)\
+{ unsigned int length;\
+ retval = asn1buf_insert_octetstring(buf,len,value);\
+ if (retval) {\
+ return retval; }\
+ sum += len;\
+ retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,len,&length); \
+ if (retval) {\
+ return retval; }\
+ sum += length; }
- asn1_makeseq();
+/* asn1_insert_implicit_bitstring -- add a bitstring with implicit tagging */
+/* needs "length" declared in enclosing context */
+#define asn1_insert_implicit_bitstring(len,value,tag)\
+{ retval = asn1buf_insert_octetstring(buf,len,value); \
+ if (retval) {\
+ return retval; }\
+ sum += len;\
+ retval = asn1buf_insert_octet(buf, 0);\
+ if (retval) {\
+ return retval; }\
+ sum++;\
+ retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,tag,len+1,&length); \
+ if (retval) {\
+ return retval; }\
+ sum += length; }
- asn1_cleanup();
-}
+/* Callable encoders for the types defined above, until the PKINIT
+ encoders get converted. */
+MAKE_ENCFN(asn1_encode_realm, realm_of_principal_data);
+MAKE_ENCFN(asn1_encode_principal_name, principal_data);
+MAKE_ENCFN(asn1_encode_encryption_key, encryption_key);
+MAKE_ENCFN(asn1_encode_checksum, checksum);
-/*
- * Do some ugliness to insert a raw pre-encoded KRB-SAFE-BODY.
- */
-asn1_error_code asn1_encode_krb_saved_safe_body(asn1buf *buf, const krb5_data *body, unsigned int *retlen)
+static asn1_error_code
+asn1_encode_kerberos_time(asn1buf *buf, const krb5_timestamp val,
+ unsigned int *retlen)
{
- asn1_error_code retval;
-
- retval = asn1buf_insert_octetstring(buf, body->length,
- (krb5_octet *)body->data);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
- }
- *retlen = body->length;
- return 0;
+ return asn1_encode_kerberos_time_at(buf,&val,retlen);
}
-#ifndef DISABLE_PKINIT
-/*
- * PKINIT
- */
-
+/* Now the real PKINIT encoder functions. */
asn1_error_code asn1_encode_pk_authenticator(asn1buf *buf, const krb5_pk_authenticator *val, unsigned int *retlen)
{
asn1_setup();
@@ -1053,15 +1409,18 @@
sum += val->parameters.length;
}
- retval = asn1_encode_oid(buf, val->algorithm.length,
- val->algorithm.data,
- &length);
+ {
+ unsigned int length;
+ retval = asn1_encode_oid(buf, val->algorithm.length,
+ val->algorithm.data,
+ &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
+ if (retval) {
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ sum += length;
}
- sum += length;
asn1_makeseq();
asn1_cleanup();
@@ -1071,9 +1430,14 @@
{
asn1_setup();
- asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,ASN1_BITSTRING);
+ {
+ unsigned int length;
+ asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,ASN1_BITSTRING);
+ }
if (val->algorithm.parameters.length != 0) {
+ unsigned int length;
+
retval = asn1buf_insert_octetstring(buf, val->algorithm.parameters.length,
val->algorithm.parameters.data);
if (retval) {
@@ -1081,27 +1445,28 @@
return retval;
}
sum += val->algorithm.parameters.length;
- }
- retval = asn1_encode_oid(buf, val->algorithm.algorithm.length,
- val->algorithm.algorithm.data,
- &length);
+ retval = asn1_encode_oid(buf, val->algorithm.algorithm.length,
+ val->algorithm.algorithm.data,
+ &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
- }
- sum += length;
+ if (retval) {
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ sum += length;
- retval = asn1_make_etag(buf, UNIVERSAL, ASN1_SEQUENCE,
- val->algorithm.parameters.length + length,
- &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
+ retval = asn1_make_etag(buf, UNIVERSAL, ASN1_SEQUENCE,
+ val->algorithm.parameters.length + length,
+ &length);
+
+ if (retval) {
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ sum += length;
}
- sum += length;
asn1_makeseq();
asn1_cleanup();
@@ -1116,6 +1481,7 @@
for (i=0; val[i] != NULL; i++);
for (i--; i>=0; i--) {
+ unsigned int length;
retval = asn1_encode_algorithm_identifier(buf,val[i],&length);
if (retval) return retval;
sum += length;
@@ -1183,6 +1549,7 @@
for (i=0; val[i] != NULL; i++);
for (i--; i>=0; i--) {
+ unsigned int length;
retval = asn1_encode_external_principal_identifier(buf,val[i],&length);
if (retval) return retval;
sum += length;
@@ -1238,6 +1605,7 @@
for (i=0; val[i] != NULL; i++);
for (i--; i>=0; i--) {
+ unsigned int length;
retval = asn1_encode_trusted_ca(buf,val[i],&length);
if (retval) return retval;
sum += length;
@@ -1286,15 +1654,19 @@
asn1_addfield(val->dhKeyExpiration, 2, asn1_encode_kerberos_time);
asn1_addfield(val->nonce, 1, asn1_encode_integer);
- asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,3);
- retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
- val->subjectPublicKey.length + 1 + length,
- &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
+ {
+ unsigned int length;
+
+ asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,3);
+ retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
+ val->subjectPublicKey.length + 1 + length,
+ &length);
+ if (retval) {
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ sum += length;
}
- sum += length;
asn1_makeseq();
asn1_cleanup();
@@ -1363,10 +1735,14 @@
asn1_error_code asn1_encode_td_trusted_certifiers(asn1buf *buf, const krb5_external_principal_identifier **val, unsigned int *retlen)
{
asn1_setup();
- retval = asn1_encode_sequence_of_external_principal_identifier(buf, val, &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval;
+ {
+ unsigned int length;
+ retval = asn1_encode_sequence_of_external_principal_identifier(buf, val, &length);
+ if (retval) {
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ /* length set but ignored? sum not updated? */
}
asn1_cleanup();
}
@@ -1380,6 +1756,8 @@
for (i=0; val[i] != NULL; i++);
for (i--; i>=0; i--) {
+ unsigned int length;
+
retval = asn1_encode_typed_data(buf,val[i],&length);
if (retval) return retval;
sum += length;
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1_k_encode.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
/*
* src/lib/krb5/asn.1/asn1_k_encode.h
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -33,48 +33,6 @@
#include "asn1buf.h"
/*
- Overview
-
- Encoding routines for various ASN.1 "substructures" as defined in
- the krb5 protocol.
-
- Operations
-
- asn1_encode_krb5_flags
- asn1_encode_ap_options
- asn1_encode_ticket_flags
- asn1_encode_kdc_options
- asn1_encode_kerberos_time
-
- asn1_encode_realm
- asn1_encode_principal_name
- asn1_encode_encrypted_data
- asn1_encode_authorization_data
- asn1_encode_krb5_authdata_elt
- asn1_encode_kdc_rep
- asn1_encode_ticket
- asn1_encode_encryption_key
- asn1_encode_checksum
- asn1_encode_host_address
- asn1_encode_transited_encoding
- asn1_encode_enc_kdc_rep_part
- asn1_encode_kdc_req
- asn1_encode_kdc_req_body
- asn1_encode_krb_safe_body
- asn1_encode_krb_cred_info
- asn1_encode_last_req_entry
- asn1_encode_pa_data
-
- asn1_encode_host_addresses
- asn1_encode_last_req
- asn1_encode_sequence_of_pa_data
- asn1_encode_sequence_of_ticket
- asn1_encode_sequence_of_enctype
- asn1_encode_sequence_of_checksum
- asn1_encode_sequence_of_krb_cred_info
-*/
-
-/*
**** for simple val's ****
asn1_error_code asn1_encode_asn1_type(asn1buf *buf,
const krb5_type val,
@@ -107,169 +65,6 @@
Returns ENOMEM if memory runs out.
*/
-asn1_error_code asn1_encode_ui_4 (asn1buf *buf,
- const krb5_ui_4 val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_msgtype (asn1buf *buf,
- const /*krb5_msgtype*/int val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_realm
- (asn1buf *buf, const krb5_principal val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_principal_name
- (asn1buf *buf, const krb5_principal val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_encrypted_data
- (asn1buf *buf, const krb5_enc_data *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_krb5_flags
- (asn1buf *buf, const krb5_flags val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_ap_options
- (asn1buf *buf, const krb5_flags val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_ticket_flags
- (asn1buf *buf, const krb5_flags val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_kdc_options
- (asn1buf *buf, const krb5_flags val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_authorization_data
- (asn1buf *buf, const krb5_authdata **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_krb5_authdata_elt
- (asn1buf *buf, const krb5_authdata *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_kdc_rep
- (int msg_type, asn1buf *buf, const krb5_kdc_rep *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_enc_kdc_rep_part
- (asn1buf *buf, const krb5_enc_kdc_rep_part *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_ticket
- (asn1buf *buf, const krb5_ticket *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_encryption_key
- (asn1buf *buf, const krb5_keyblock *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_kerberos_time
- (asn1buf *buf, const krb5_timestamp val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_checksum
- (asn1buf *buf, const krb5_checksum *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_host_address
- (asn1buf *buf, const krb5_address *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_host_addresses
- (asn1buf *buf, const krb5_address **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_transited_encoding
- (asn1buf *buf, const krb5_transited *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_last_req
- (asn1buf *buf, const krb5_last_req_entry **val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_pa_data
- (asn1buf *buf, const krb5_pa_data **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_ticket
- (asn1buf *buf, const krb5_ticket **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_enctype
- (asn1buf *buf,
- const int len, const krb5_enctype *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_checksum
- (asn1buf *buf, const krb5_checksum **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_kdc_req
- (int msg_type,
- asn1buf *buf,
- const krb5_kdc_req *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_kdc_req_body
- (asn1buf *buf, const krb5_kdc_req *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_krb_safe_body
- (asn1buf *buf, const krb5_safe *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_krb_cred_info
- (asn1buf *buf, const krb5_cred_info **val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_krb_cred_info
- (asn1buf *buf, const krb5_cred_info *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_last_req_entry
- (asn1buf *buf, const krb5_last_req_entry *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_pa_data
- (asn1buf *buf, const krb5_pa_data *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_alt_method
- (asn1buf *buf, const krb5_alt_method *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_etype_info_entry
- (asn1buf *buf, const krb5_etype_info_entry *val,
- unsigned int *retlen, int etype_info2);
-
-asn1_error_code asn1_encode_etype_info
- (asn1buf *buf, const krb5_etype_info_entry **val,
- unsigned int *retlen, int etype_info2);
-
-asn1_error_code asn1_encode_passwdsequence
- (asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sequence_of_passwdsequence
- (asn1buf *buf, const passwd_phrase_element **val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_flags
- (asn1buf * buf, const krb5_flags val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_challenge
- (asn1buf *buf, const krb5_sam_challenge * val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_challenge_2
- (asn1buf *buf, const krb5_sam_challenge_2 * val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_challenge_2_body
- (asn1buf *buf, const krb5_sam_challenge_2_body * val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_key
- (asn1buf *buf, const krb5_sam_key *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_enc_sam_response_enc
- (asn1buf *buf, const krb5_enc_sam_response_enc *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_enc_sam_response_enc_2
- (asn1buf *buf, const krb5_enc_sam_response_enc_2 *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_response
- (asn1buf *buf, const krb5_sam_response *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_sam_response_2
- (asn1buf *buf, const krb5_sam_response_2 *val, unsigned int *retlen);
-
-asn1_error_code asn1_encode_predicted_sam_response
- (asn1buf *buf, const krb5_predicted_sam_response *val,
- unsigned int *retlen);
-
-asn1_error_code asn1_encode_krb_saved_safe_body
- (asn1buf *buf, const krb5_data *body, unsigned int *retlen);
-
/* PKINIT */
asn1_error_code asn1_encode_pk_authenticator
@@ -337,4 +132,5 @@
asn1_error_code asn1_encode_sequence_of_typed_data
(asn1buf *buf, const krb5_typed_data **val, unsigned int *retlen);
+
#endif
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -52,10 +52,17 @@
#define ASN1BUF_OMIT_INLINE_FUNCS
#include "asn1buf.h"
-#undef ASN1BUF_OMIT_INLINE_FUNCS
#include <stdio.h>
#include "asn1_get.h"
+#if !defined(__GNUC__) || defined(CONFIG_SMALL)
+/* Declare private procedures as static if they're not used for inline
+ expansion of other stuff elsewhere. */
+static unsigned int asn1buf_free(const asn1buf *);
+static asn1_error_code asn1buf_ensure_space(asn1buf *, unsigned int);
+static asn1_error_code asn1buf_expand(asn1buf *, unsigned int);
+#endif
+
#define asn1_is_eoc(class, num, indef) \
((class) == UNIVERSAL && !(num) && !(indef))
@@ -117,7 +124,7 @@
nestlevel = 1 + indef;
if (!indef) {
- if (length <= buf->bound - buf->next + 1)
+ if (length <= (size_t)(buf->bound - buf->next + 1))
buf->next += length;
else
return ASN1_OVERRUN;
@@ -128,7 +135,7 @@
retval = asn1_get_tag_2(buf, &t);
if (retval) return retval;
if (!t.indef) {
- if (t.length <= buf->bound - buf->next + 1)
+ if (t.length <= (size_t)(buf->bound - buf->next + 1))
buf->next += t.length;
else
return ASN1_OVERRUN;
@@ -165,30 +172,21 @@
return 0;
}
-asn1_error_code asn1buf_insert_octetstring(asn1buf *buf, const unsigned int len, const krb5_octet *s)
+asn1_error_code
+asn1buf_insert_bytestring(asn1buf *buf, const unsigned int len, const void *sv)
{
asn1_error_code retval;
unsigned int length;
+ const char *s = sv;
retval = asn1buf_ensure_space(buf,len);
if (retval) return retval;
for (length=1; length<=len; length++,(buf->next)++)
- *(buf->next) = (char)(s[len-length]);
+ *(buf->next) = (s[len-length]);
return 0;
}
-asn1_error_code asn1buf_insert_charstring(asn1buf *buf, const unsigned int len, const char *s)
-{
- asn1_error_code retval;
- unsigned int length;
- retval = asn1buf_ensure_space(buf,len);
- if (retval) return retval;
- for (length=1; length<=len; length++,(buf->next)++)
- *(buf->next) = (char)(s[len-length]);
- return 0;
-}
-
#undef asn1buf_remove_octet
asn1_error_code asn1buf_remove_octet(asn1buf *buf, asn1_octet *o)
{
@@ -201,7 +199,7 @@
{
unsigned int i;
- if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
return 0;
@@ -219,7 +217,7 @@
{
unsigned int i;
- if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
return 0;
@@ -276,13 +274,11 @@
{
free(*s);
if (buf == NULL) {
- *s = malloc(sizeof("<NULL>"));
+ *s = strdup("<NULL>");
if (*s == NULL) return ENOMEM;
- strcpy(*s,"<NULL>");
} else if (buf->base == NULL) {
- *s = malloc(sizeof("<EMPTY>"));
+ *s = strdup("<EMPTY>");
if (*s == NULL) return ENOMEM;
- strcpy(*s,"<EMPTY>");
} else {
unsigned int length = asn1buf_len(buf);
unsigned int i;
@@ -305,13 +301,11 @@
free(*s);
if (buf == NULL) {
- *s = malloc(sizeof("<NULL>"));
+ *s = strdup("<NULL>");
if (*s == NULL) return ENOMEM;
- strcpy(*s,"<NULL>");
} else if (buf->base == NULL) {
- *s = malloc(sizeof("<EMPTY>"));
+ *s = strdup("<EMPTY>");
if (*s == NULL) return ENOMEM;
- strcpy(*s,"<EMPTY>");
} else {
unsigned int length = asn1buf_len(buf);
int i;
@@ -331,8 +325,7 @@
/****************************************************************/
/* Private Procedures */
-#undef asn1buf_size
-int asn1buf_size(const asn1buf *buf)
+static int asn1buf_size(const asn1buf *buf)
{
if (buf == NULL || buf->base == NULL) return 0;
return buf->bound - buf->base + 1;
@@ -348,12 +341,10 @@
#undef asn1buf_ensure_space
asn1_error_code asn1buf_ensure_space(asn1buf *buf, const unsigned int amount)
{
- int avail = asn1buf_free(buf);
- if (avail < amount) {
- asn1_error_code retval = asn1buf_expand(buf, amount-avail);
- if (retval) return retval;
- }
- return 0;
+ unsigned int avail = asn1buf_free(buf);
+ if (avail >= amount)
+ return 0;
+ return asn1buf_expand(buf, amount-avail);
}
asn1_error_code asn1buf_expand(asn1buf *buf, unsigned int inc)
@@ -367,12 +358,9 @@
if (inc < STANDARD_INCREMENT)
inc = STANDARD_INCREMENT;
- if (buf->base == NULL)
- buf->base = malloc((asn1buf_size(buf)+inc) * sizeof(asn1_octet));
- else
- buf->base = realloc(buf->base,
- (asn1buf_size(buf)+inc) * sizeof(asn1_octet));
- if (buf->base == NULL) return ENOMEM;
+ buf->base = realloc(buf->base,
+ (asn1buf_size(buf)+inc) * sizeof(asn1_octet));
+ if (buf->base == NULL) return ENOMEM; /* XXX leak */
buf->bound = (buf->base) + bound_offset + inc;
buf->next = (buf->base) + next_offset;
return 0;
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/asn1buf.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -13,16 +13,7 @@
/**************** Private Procedures ****************/
-int asn1buf_size
- (const asn1buf *buf);
-/* requires *buf has been created and not destroyed
- effects Returns the total size
- (in octets) of buf's octet buffer. */
-#define asn1buf_size(buf) \
- (((buf) == NULL || (buf)->base == NULL) \
- ? 0 \
- : ((buf)->bound - (buf)->base + 1))
-
+#if (__GNUC__ >= 2) && !defined(CONFIG_SMALL)
unsigned int asn1buf_free
(const asn1buf *buf);
/* requires *buf is allocated
@@ -40,20 +31,18 @@
effects If buf has less than amount octets of free space, then it is
expanded to have at least amount octets of free space.
Returns ENOMEM memory is exhausted. */
-#ifndef CONFIG_SMALL
#define asn1buf_ensure_space(buf,amount) \
((asn1buf_free(buf) < (amount)) \
? (asn1buf_expand((buf), (amount)-asn1buf_free(buf))) \
: 0)
-#endif
-
asn1_error_code asn1buf_expand
(asn1buf *buf, unsigned int inc);
/* requires *buf is allocated
modifies *buf
effects Expands *buf by allocating space for inc more octets.
Returns ENOMEM if memory is exhausted. */
+#endif
int asn1buf_len
(const asn1buf *buf);
@@ -162,21 +151,16 @@
}
#endif
-asn1_error_code asn1buf_insert_octetstring
- (asn1buf *buf, const unsigned int len, const asn1_octet *s);
+asn1_error_code asn1buf_insert_bytestring
+ (asn1buf *buf, const unsigned int len, const void *s);
/* requires *buf is allocated
modifies *buf
- effects Inserts the contents of s (an octet array of length len)
+ effects Inserts the contents of s (an array of length len)
into the buffer *buf, expanding the buffer if necessary.
Returns ENOMEM if memory is exhausted. */
-asn1_error_code asn1buf_insert_charstring
- (asn1buf *buf, const unsigned int len, const char *s);
-/* requires *buf is allocated
- modifies *buf
- effects Inserts the contents of s (a character array of length len)
- into the buffer *buf, expanding the buffer if necessary.
- Returns ENOMEM if memory is exhausted. */
+#define asn1buf_insert_octetstring asn1buf_insert_bytestring
+#define asn1buf_insert_charstring asn1buf_insert_bytestring
asn1_error_code asn1buf_remove_octet
(asn1buf *buf, asn1_octet *o);
Copied: branches/mkey_migrate/src/lib/krb5/asn.1/deps (from rev 21721, trunk/src/lib/krb5/asn.1/deps)
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/krb5_decode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/krb5_decode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/krb5_decode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -215,6 +215,7 @@
#define free_field(rep,f) free((rep)->f)
#define clear_field(rep,f) (*(rep))->f = 0
+#ifndef LEAN_CLIENT
krb5_error_code decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep)
{
setup();
@@ -254,6 +255,7 @@
}
return retval;
}
+#endif
krb5_error_code
KRB5_CALLCONV
@@ -949,6 +951,53 @@
cleanup(free);
}
+krb5_error_code decode_krb5_setpw_req(const krb5_data *code,
+ krb5_data **rep,
+ krb5_principal *principal)
+{
+ setup_buf_only();
+ alloc_field(*rep, krb5_data);
+ *principal = NULL;
+
+ retval = asn1_decode_setpw_req(&buf, *rep, principal);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
+krb5_error_code decode_krb5_pa_for_user(const krb5_data *code, krb5_pa_for_user **rep)
+{
+ setup_buf_only();
+ alloc_field(*rep, krb5_pa_for_user);
+
+ retval = asn1_decode_pa_for_user(&buf, *rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
+krb5_error_code decode_krb5_pa_pac_req(const krb5_data *code, krb5_pa_pac_req **rep)
+{
+ setup_buf_only();
+ alloc_field(*rep, krb5_pa_pac_req);
+
+ retval = asn1_decode_pa_pac_req(&buf, *rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
+krb5_error_code decode_krb5_etype_list(const krb5_data *code, krb5_etype_list **rep)
+{
+ setup_buf_only();
+ alloc_field(*rep, krb5_etype_list);
+
+ retval = asn1_decode_sequence_of_enctype(&buf, &(*rep)->length, &(*rep)->etypes);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
#ifndef DISABLE_PKINIT
krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **rep)
{
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/krb5_encode.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/krb5_encode.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/krb5_encode.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,47 +34,7 @@
/**************** Macros (these save a lot of typing) ****************/
-/**** krb5 macros ****/
-#if 0
- How to write a krb5 encoder function using these macros:
-
- asn1_error_code encode_krb5_structure(const krb5_type *rep,
- krb5_data **code)
- {
- krb5_setup();
-
- krb5_addfield(rep->last_field, n, asn1_type);
- krb5_addfield(rep->next_to_last_field, n-1, asn1_type);
- ...
-
- /* for OPTIONAL fields */
- if (rep->field_i == should_not_be_omitted)
- krb5_addfield(rep->field_i, i, asn1_type);
-
- /* for string fields (these encoders take an additional argument,
- the length of the string) */
- addlenfield(rep->field_length, rep->field, i-1, asn1_type);
-
- /* if you really have to do things yourself... */
- retval = asn1_encode_asn1_type(buf,rep->field,&length);
- if (retval) return retval;
- sum += length;
- retval = asn1_make_etag(buf,
- [UNIVERSAL/APPLICATION/CONTEXT_SPECIFIC/PRIVATE],
- tag_number, length, &length);
- if (retval) return retval;
- sum += length;
-
- ...
- krb5_addfield(rep->second_field, 1, asn1_type);
- krb5_addfield(rep->first_field, 0, asn1_type);
- krb5_makeseq();
- krb5_apptag(tag_number);
-
- krb5_cleanup();
- }
-#endif
-
+#ifndef DISABLE_PKINIT
/* setup() -- create and initialize bookkeeping variables
retval: stores error codes returned from subroutines
buf: the coding buffer
@@ -82,56 +42,14 @@
sum: cumulative length of the entire encoding */
#define krb5_setup()\
asn1_error_code retval;\
+ unsigned int length, sum = 0;\
asn1buf *buf=NULL;\
- unsigned int length, sum=0;\
\
if (rep == NULL) return ASN1_MISSING_FIELD;\
\
retval = asn1buf_create(&buf);\
if (retval) return retval
-/* krb5_addfield -- add a field, or component, to the encoding */
-#define krb5_addfield(value,tag,encoder)\
-{ retval = encoder(buf,value,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length;\
- retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length; }
-
-/* krb5_addlenfield -- add a field whose length must be separately specified */
-#define krb5_addlenfield(len,value,tag,encoder)\
-{ retval = encoder(buf,len,value,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length;\
- retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length; }
-
-/* form a sequence (by adding a sequence header to the current encoding) */
-#define krb5_makeseq()\
- retval = asn1_make_sequence(buf,sum,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length
-
-/* add an APPLICATION class tag to the current encoding */
-#define krb5_apptag(num)\
- retval = asn1_make_etag(buf,APPLICATION,num,sum,&length);\
- if (retval) {\
- asn1buf_destroy(&buf);\
- return retval; }\
- sum += length
-
/* produce the final output and clean up the workspace */
#define krb5_cleanup()\
retval = asn12krb5_buf(buf,code);\
@@ -144,769 +62,6 @@
\
return 0
-krb5_error_code encode_krb5_authenticator(const krb5_authenticator *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* authorization-data[8] AuthorizationData OPTIONAL */
- if (rep->authorization_data != NULL &&
- rep->authorization_data[0] != NULL) {
- retval = asn1_encode_authorization_data(buf, (const krb5_authdata **)
- rep->authorization_data,
- &length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval; }
- sum += length;
- retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,8,length,&length);
- if (retval) {
- asn1buf_destroy(&buf);
- return retval; }
- sum += length;
- }
-
- /* seq-number[7] INTEGER OPTIONAL */
- if (rep->seq_number != 0)
- krb5_addfield(rep->seq_number,7,asn1_encode_unsigned_integer);
-
- /* subkey[6] EncryptionKey OPTIONAL */
- if (rep->subkey != NULL)
- krb5_addfield(rep->subkey,6,asn1_encode_encryption_key);
-
- /* ctime[5] KerberosTime */
- krb5_addfield(rep->ctime,5,asn1_encode_kerberos_time);
-
- /* cusec[4] INTEGER */
- krb5_addfield(rep->cusec,4,asn1_encode_integer);
-
- /* cksum[3] Checksum OPTIONAL */
- if (rep->checksum != NULL)
- krb5_addfield(rep->checksum,3,asn1_encode_checksum);
-
- /* cname[2] PrincipalName */
- krb5_addfield(rep->client,2,asn1_encode_principal_name);
-
- /* crealm[1] Realm */
- krb5_addfield(rep->client,1,asn1_encode_realm);
-
- /* authenticator-vno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* Authenticator ::= [APPLICATION 2] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(2);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* enc-part[3] EncryptedData */
- krb5_addfield(&(rep->enc_part),3,asn1_encode_encrypted_data);
-
- /* sname [2] PrincipalName */
- krb5_addfield(rep->server,2,asn1_encode_principal_name);
-
- /* realm [1] Realm */
- krb5_addfield(rep->server,1,asn1_encode_realm);
-
- /* tkt-vno [0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* Ticket ::= [APPLICATION 1] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(1);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* keyvalue[1] OCTET STRING */
- krb5_addlenfield(rep->length,rep->contents,1,asn1_encode_octetstring);
-
- /* enctype[0] INTEGER */
- krb5_addfield(rep->enctype,0,asn1_encode_integer);
-
- /* EncryptionKey ::= SEQUENCE */
- krb5_makeseq();
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* authorization-data[10] AuthorizationData OPTIONAL */
- if (rep->authorization_data != NULL &&
- rep->authorization_data[0] != NULL)
- krb5_addfield((const krb5_authdata**)rep->authorization_data,
- 10,asn1_encode_authorization_data);
-
- /* caddr[9] HostAddresses OPTIONAL */
- if (rep->caddrs != NULL && rep->caddrs[0] != NULL)
- krb5_addfield((const krb5_address**)rep->caddrs,9,asn1_encode_host_addresses);
-
- /* renew-till[8] KerberosTime OPTIONAL */
- if (rep->times.renew_till)
- krb5_addfield(rep->times.renew_till,8,asn1_encode_kerberos_time);
-
- /* endtime[7] KerberosTime */
- krb5_addfield(rep->times.endtime,7,asn1_encode_kerberos_time);
-
- /* starttime[6] KerberosTime OPTIONAL */
- if (rep->times.starttime)
- krb5_addfield(rep->times.starttime,6,asn1_encode_kerberos_time);
-
- /* authtime[5] KerberosTime */
- krb5_addfield(rep->times.authtime,5,asn1_encode_kerberos_time);
-
- /* transited[4] TransitedEncoding */
- krb5_addfield(&(rep->transited),4,asn1_encode_transited_encoding);
-
- /* cname[3] PrincipalName */
- krb5_addfield(rep->client,3,asn1_encode_principal_name);
-
- /* crealm[2] Realm */
- krb5_addfield(rep->client,2,asn1_encode_realm);
-
- /* key[1] EncryptionKey */
- krb5_addfield(rep->session,1,asn1_encode_encryption_key);
-
- /* flags[0] TicketFlags */
- krb5_addfield(rep->flags,0,asn1_encode_ticket_flags);
-
- /* EncTicketPart ::= [APPLICATION 3] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(3);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep, krb5_data **code)
-{
- asn1_error_code retval;
- asn1buf *buf=NULL;
- unsigned int length, sum=0;
-
- if (rep == NULL) return ASN1_MISSING_FIELD;
-
- retval = asn1buf_create(&buf);
- if (retval) return retval;
-
- retval = asn1_encode_enc_kdc_rep_part(buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
-#ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
- krb5_apptag(26);
-#else
- /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
- if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
- else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
- else return KRB5_BADMSGTYPE;
-#endif
- krb5_cleanup();
-}
-
-/* yes, the translation is identical to that used for KDC__REP */
-krb5_error_code encode_krb5_as_rep(const krb5_kdc_rep *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* AS-REP ::= [APPLICATION 11] KDC-REP */
- retval = asn1_encode_kdc_rep(KRB5_AS_REP,buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_apptag(11);
-
- krb5_cleanup();
-}
-
-/* yes, the translation is identical to that used for KDC__REP */
-krb5_error_code encode_krb5_tgs_rep(const krb5_kdc_rep *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* TGS-REP ::= [APPLICATION 13] KDC-REP */
- retval = asn1_encode_kdc_rep(KRB5_TGS_REP,buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_apptag(13);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_ap_req(const krb5_ap_req *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* authenticator[4] EncryptedData */
- krb5_addfield(&(rep->authenticator),4,asn1_encode_encrypted_data);
-
- /* ticket[3] Ticket */
- krb5_addfield(rep->ticket,3,asn1_encode_ticket);
-
- /* ap-options[2] APOptions */
- krb5_addfield(rep->ap_options,2,asn1_encode_ap_options);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_AP_REQ,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* AP-REQ ::= [APPLICATION 14] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(14);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_ap_rep(const krb5_ap_rep *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* enc-part[2] EncryptedData */
- krb5_addfield(&(rep->enc_part),2,asn1_encode_encrypted_data);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_AP_REP,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* AP-REP ::= [APPLICATION 15] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(15);
-
- krb5_cleanup();
-}
-
-
-krb5_error_code encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* seq-number[3] INTEGER OPTIONAL */
- if (rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
-
- /* subkey[2] EncryptionKey OPTIONAL */
- if (rep->subkey != NULL)
- krb5_addfield(rep->subkey,2,asn1_encode_encryption_key);
-
- /* cusec[1] INTEGER */
- krb5_addfield(rep->cusec,1,asn1_encode_integer);
-
- /* ctime[0] KerberosTime */
- krb5_addfield(rep->ctime,0,asn1_encode_kerberos_time);
-
- /* EncAPRepPart ::= [APPLICATION 27] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(27);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_as_req(const krb5_kdc_req *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* AS-REQ ::= [APPLICATION 10] KDC-REQ */
- retval = asn1_encode_kdc_req(KRB5_AS_REQ,buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_apptag(10);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_tgs_req(const krb5_kdc_req *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* TGS-REQ ::= [APPLICATION 12] KDC-REQ */
- retval = asn1_encode_kdc_req(KRB5_TGS_REQ,buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_apptag(12);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_kdc_req_body(const krb5_kdc_req *rep, krb5_data **code)
-{
- krb5_setup();
-
- retval = asn1_encode_kdc_req_body(buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_cleanup();
-}
-
-
-krb5_error_code encode_krb5_safe(const krb5_safe *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* cksum[3] Checksum */
- krb5_addfield(rep->checksum,3,asn1_encode_checksum);
-
- /* safe-body[2] KRB-SAFE-BODY */
- krb5_addfield(rep,2,asn1_encode_krb_safe_body);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_SAFE,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* KRB-SAFE ::= [APPLICATION 20] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(20);
-
- krb5_cleanup();
-}
-
-/*
- * encode_krb5_safe_with_body
- *
- * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY
- * encoding to avoid problems with re-encoding.
- */
-krb5_error_code encode_krb5_safe_with_body(
- const krb5_safe *rep,
- const krb5_data *body,
- krb5_data **code)
-{
- krb5_setup();
-
- if (body == NULL) {
- asn1buf_destroy(&buf);
- return ASN1_MISSING_FIELD;
- }
-
- /* cksum[3] Checksum */
- krb5_addfield(rep->checksum,3,asn1_encode_checksum);
-
- /* safe-body[2] KRB-SAFE-BODY */
- krb5_addfield(body,2,asn1_encode_krb_saved_safe_body);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_SAFE,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* KRB-SAFE ::= [APPLICATION 20] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(20);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_priv(const krb5_priv *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* enc-part[3] EncryptedData */
- krb5_addfield(&(rep->enc_part),3,asn1_encode_encrypted_data);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_PRIV,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* KRB-PRIV ::= [APPLICATION 21] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(21);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* r-address[5] HostAddress OPTIONAL -- recip's addr */
- if (rep->r_address)
- krb5_addfield(rep->r_address,5,asn1_encode_host_address);
-
- /* s-address[4] HostAddress -- sender's addr */
- krb5_addfield(rep->s_address,4,asn1_encode_host_address);
-
- /* seq-number[3] INTEGER OPTIONAL */
- if (rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
-
- /* usec[2] INTEGER OPTIONAL */
- if (rep->timestamp) {
- krb5_addfield(rep->usec,2,asn1_encode_integer);
- /* timestamp[1] KerberosTime OPTIONAL */
- krb5_addfield(rep->timestamp,1,asn1_encode_kerberos_time);
- }
-
- /* user-data[0] OCTET STRING */
- krb5_addlenfield(rep->user_data.length,rep->user_data.data,0,asn1_encode_charstring);
-
- /* EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(28);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_cred(const krb5_cred *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* enc-part[3] EncryptedData */
- krb5_addfield(&(rep->enc_part),3,asn1_encode_encrypted_data);
-
- /* tickets[2] SEQUENCE OF Ticket */
- krb5_addfield((const krb5_ticket**)rep->tickets,2,asn1_encode_sequence_of_ticket);
-
- /* msg-type[1] INTEGER, -- KRB_CRED */
- krb5_addfield(ASN1_KRB_CRED,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* KRB-CRED ::= [APPLICATION 22] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(22);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* r-address[5] HostAddress OPTIONAL */
- if (rep->r_address != NULL)
- krb5_addfield(rep->r_address,5,asn1_encode_host_address);
-
- /* s-address[4] HostAddress OPTIONAL */
- if (rep->s_address != NULL)
- krb5_addfield(rep->s_address,4,asn1_encode_host_address);
-
- /* usec[3] INTEGER OPTIONAL */
- if (rep->timestamp) {
- krb5_addfield(rep->usec,3,asn1_encode_integer);
- /* timestamp[2] KerberosTime OPTIONAL */
- krb5_addfield(rep->timestamp,2,asn1_encode_kerberos_time);
- }
-
- /* nonce[1] INTEGER OPTIONAL */
- if (rep->nonce)
- krb5_addfield(rep->nonce,1,asn1_encode_integer);
-
- /* ticket-info[0] SEQUENCE OF KrbCredInfo */
- krb5_addfield((const krb5_cred_info**)rep->ticket_info,
- 0,asn1_encode_sequence_of_krb_cred_info);
-
- /* EncKrbCredPart ::= [APPLICATION 29] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(29);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_error(const krb5_error *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* e-data[12] OCTET STRING OPTIONAL */
- if (rep->e_data.data != NULL && rep->e_data.length > 0)
- krb5_addlenfield(rep->e_data.length,rep->e_data.data,12,asn1_encode_charstring);
-
- /* e-text[11] GeneralString OPTIONAL */
- if (rep->text.data != NULL && rep->text.length > 0)
- krb5_addlenfield(rep->text.length,rep->text.data,11,asn1_encode_generalstring);
-
- /* sname[10] PrincipalName -- Correct name */
- krb5_addfield(rep->server,10,asn1_encode_principal_name);
-
- /* realm[9] Realm -- Correct realm */
- krb5_addfield(rep->server,9,asn1_encode_realm);
-
- /* cname[8] PrincipalName OPTIONAL */
- if (rep->client != NULL) {
- krb5_addfield(rep->client,8,asn1_encode_principal_name);
- /* crealm[7] Realm OPTIONAL */
- krb5_addfield(rep->client,7,asn1_encode_realm);
- }
-
- /* error-code[6] INTEGER */
- krb5_addfield(rep->error,6,asn1_encode_ui_4);
-
- /* susec[5] INTEGER */
- krb5_addfield(rep->susec,5,asn1_encode_integer);
-
- /* stime[4] KerberosTime */
- krb5_addfield(rep->stime,4,asn1_encode_kerberos_time);
-
- /* cusec[3] INTEGER OPTIONAL */
- if (rep->cusec)
- krb5_addfield(rep->cusec,3,asn1_encode_integer);
-
- /* ctime[2] KerberosTime OPTIONAL */
- if (rep->ctime)
- krb5_addfield(rep->ctime,2,asn1_encode_kerberos_time);
-
- /* msg-type[1] INTEGER */
- krb5_addfield(ASN1_KRB_ERROR,1,asn1_encode_integer);
-
- /* pvno[0] INTEGER */
- krb5_addfield(KVNO,0,asn1_encode_integer);
-
- /* KRB-ERROR ::= [APPLICATION 30] SEQUENCE */
- krb5_makeseq();
- krb5_apptag(30);
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_authdata(const krb5_authdata **rep, krb5_data **code)
-{
- asn1_error_code retval;
- asn1buf *buf=NULL;
- unsigned int length;
-
- if (rep == NULL) return ASN1_MISSING_FIELD;
-
- retval = asn1buf_create(&buf);
- if (retval) return retval;
-
- retval = asn1_encode_authorization_data(buf,(const krb5_authdata**)rep,
- &length);
- if (retval) return retval;
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_authdata_elt(const krb5_authdata *rep, krb5_data **code)
-{
- asn1_error_code retval;
- asn1buf *buf=NULL;
- unsigned int length;
-
- if (rep == NULL) return ASN1_MISSING_FIELD;
-
- retval = asn1buf_create(&buf);
- if (retval) return retval;
-
- retval = asn1_encode_krb5_authdata_elt(buf,rep, &length);
- if (retval) return retval;
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_alt_method(const krb5_alt_method *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* method-data[1] OctetString OPTIONAL */
- if (rep->data != NULL && rep->length > 0)
- krb5_addlenfield(rep->length,rep->data,1,asn1_encode_octetstring);
-
- /* method-type[0] Integer */
- krb5_addfield(rep->method,0,asn1_encode_integer);
-
- krb5_makeseq();
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_etype_info(buf,rep,&length, 0);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_etype_info(buf,rep,&length, 1);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-
-krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code)
-{
- krb5_setup();
-
- retval = asn1_encode_encrypted_data(buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *rep, krb5_data **code)
-{
- krb5_setup();
-
- /* pausec[1] INTEGER OPTIONAL */
- if (rep->pausec)
- krb5_addfield(rep->pausec,1,asn1_encode_integer);
-
- /* patimestamp[0] KerberosTime, -- client's time */
- krb5_addfield(rep->patimestamp,0,asn1_encode_kerberos_time);
-
- krb5_makeseq();
-
- krb5_cleanup();
-}
-
-/* Sandia Additions */
-krb5_error_code encode_krb5_pwd_sequence(const passwd_phrase_element *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_passwdsequence(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_pwd_data(const krb5_pwd_data *rep, krb5_data **code)
-{
- krb5_setup();
- krb5_addfield((const passwd_phrase_element**)rep->element,1,asn1_encode_sequence_of_passwdsequence);
- krb5_addfield(rep->sequence_count,0,asn1_encode_integer);
- krb5_makeseq();
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_padata_sequence(const krb5_pa_data **rep, krb5_data **code)
-{
- krb5_setup();
-
- retval = asn1_encode_sequence_of_pa_data(buf,rep,&length);
- if (retval) return retval;
- sum += length;
-
- krb5_cleanup();
-}
-
-/* sam preauth additions */
-krb5_error_code encode_krb5_sam_challenge(const krb5_sam_challenge *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_challenge(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_challenge_2(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_sam_challenge_2_body(const krb5_sam_challenge_2_body *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_challenge_2_body(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_sam_key(const krb5_sam_key *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_key(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_sam_response_enc(const krb5_enc_sam_response_enc *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_enc_sam_response_enc(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_enc_sam_response_enc_2(const krb5_enc_sam_response_enc_2 *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_enc_sam_response_enc_2(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_sam_response(const krb5_sam_response *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_response(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_sam_response_2(const krb5_sam_response_2 *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_sam_response_2(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_predicted_sam_response(const krb5_predicted_sam_response *rep, krb5_data **code)
-{
- krb5_setup();
- retval = asn1_encode_predicted_sam_response(buf,rep,&length);
- if (retval) return retval;
- sum += length;
- krb5_cleanup();
-}
-
-krb5_error_code encode_krb5_setpw_req(const krb5_principal target,
- char *password, krb5_data **code)
-{
- /* Macros really want us to have a variable called rep which we do not need*/
- const char *rep = "dummy string";
-
- krb5_setup();
-
- krb5_addfield(target,2,asn1_encode_realm);
- krb5_addfield(target,1,asn1_encode_principal_name);
- krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring);
- krb5_makeseq();
-
-
- krb5_cleanup();
-}
-
-#ifndef DISABLE_PKINIT
krb5_error_code encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code)
{
krb5_setup();
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/krbasn1.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/krbasn1.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/krbasn1.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -9,16 +9,6 @@
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
-/*
- * Older versions of the Kerberos are always sending the
- * enc_kdc_rep_part structure with an application tag of #26, instead
- * of using the application tag of #25 (AS REP) or #26 (AS REP) as
- * necessary. Worse yet, they will only accept a tag of #26, so we
- * need to follow this for backwards compatibility. #defining
- * KRB5_ENCKRB5KDCREPPART_COMPAT will preserve this wrong (but
- * compatible) behavior.
- */
-#define KRB5_ENCKRB5KDCREPPART_COMPAT
/*
* If KRB5_MSGTYPE_STRICT is defined, then be strict about checking
@@ -45,6 +35,9 @@
typedef enum { UNIVERSAL = 0x00, APPLICATION = 0x40,
CONTEXT_SPECIFIC = 0x80, PRIVATE = 0xC0 } asn1_class;
+typedef INT64_TYPE asn1_intmax;
+typedef UINT64_TYPE asn1_uintmax;
+
typedef int asn1_tagnum;
#define ASN1_TAGNUM_CEILING INT_MAX
#define ASN1_TAGNUM_MAX (ASN1_TAGNUM_CEILING-1)
@@ -53,12 +46,13 @@
#define KVNO 5
/* Universal Tag Numbers */
+#define ASN1_BOOLEAN 1
#define ASN1_INTEGER 2
#define ASN1_BITSTRING 3
#define ASN1_OCTETSTRING 4
#define ASN1_NULL 5
#define ASN1_OBJECTIDENTIFIER 6
-#define ASN1_ENUMERATED 10
+#define ASN1_ENUMERATED 10
#define ASN1_SEQUENCE 16
#define ASN1_SET 17
#define ASN1_PRINTABLESTRING 19
Modified: branches/mkey_migrate/src/lib/krb5/asn.1/ldap_key_seq.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/asn.1/ldap_key_seq.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/asn.1/ldap_key_seq.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,187 +39,86 @@
#include "asn1_decode.h"
#include "asn1_make.h"
#include "asn1_get.h"
+#include "asn1_k_encode.h"
#ifdef ENABLE_LDAP
-#define asn1_encode_sequence_of_keys krb5int_ldap_encode_sequence_of_keys
-#define asn1_decode_sequence_of_keys krb5int_ldap_decode_sequence_of_keys
-
-#define cleanup(err) \
- { \
- ret = err; \
- goto last; \
- }
-
-#define checkerr \
- if (ret != 0) \
- goto last
-
/************************************************************************/
/* Encode the Principal's keys */
/************************************************************************/
-static asn1_error_code
-asn1_encode_key(asn1buf *buf,
- krb5_key_data key_data,
- unsigned int *retlen)
-{
- asn1_error_code ret = 0;
- unsigned int length, sum = 0;
+/* Imports from asn1_k_encode.c.
+ XXX Must be manually synchronized for now. */
+IMPORT_TYPE(octetstring, unsigned char *);
+IMPORT_TYPE(int32, krb5_int32);
- /* Encode the key type and value. */
- {
- unsigned int key_len = 0;
- /* key value */
- ret = asn1_encode_octetstring (buf,
- key_data.key_data_length[0],
- key_data.key_data_contents[0],
- &length); checkerr;
- key_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 1, length, &length); checkerr;
- key_len += length;
- /* key type */
- ret = asn1_encode_integer (buf, key_data.key_data_type[0], &length);
- checkerr;
- key_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0, length, &length); checkerr;
- key_len += length;
+DEFINTTYPE(int16, krb5_int16);
+DEFINTTYPE(ui_2, krb5_ui_2);
- ret = asn1_make_sequence(buf, key_len, &length); checkerr;
- key_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 1, key_len, &length); checkerr;
- key_len += length;
+static const struct field_info krbsalt_fields[] = {
+ FIELDOF_NORM(krb5_key_data, int16, key_data_type[1], 0),
+ FIELDOF_OPTSTRINGL(krb5_key_data, octetstring, key_data_contents[1],
+ ui_2, key_data_length[1], 1, 1),
+};
+static unsigned int optional_krbsalt (const void *p)
+{
+ const krb5_key_data *k = p;
+ unsigned int optional = 0;
- sum += key_len;
- }
- /* Encode the salt type and value (optional) */
- if (key_data.key_data_ver > 1) {
- unsigned int salt_len = 0;
- /* salt value (optional) */
- if (key_data.key_data_length[1] > 0) {
- ret = asn1_encode_octetstring (buf,
- key_data.key_data_length[1],
- key_data.key_data_contents[1],
- &length); checkerr;
- salt_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 1, length, &length);
- checkerr;
- salt_len += length;
- }
- /* salt type */
- ret = asn1_encode_integer (buf, key_data.key_data_type[1], &length);
- checkerr;
- salt_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0, length, &length); checkerr;
- salt_len += length;
+ if (k->key_data_length[1] > 0)
+ optional |= (1u << 1);
- ret = asn1_make_sequence(buf, salt_len, &length); checkerr;
- salt_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0, salt_len, &length); checkerr;
- salt_len += length;
-
- sum += salt_len;
- }
-
- ret = asn1_make_sequence(buf, sum, &length); checkerr;
- sum += length;
-
- *retlen = sum;
-
-last:
- return ret;
+ return optional;
}
+DEFSEQTYPE(krbsalt, krb5_key_data, krbsalt_fields, optional_krbsalt);
+static const struct field_info encryptionkey_fields[] = {
+ FIELDOF_NORM(krb5_key_data, int16, key_data_type[0], 0),
+ FIELDOF_STRINGL(krb5_key_data, octetstring, key_data_contents[0],
+ ui_2, key_data_length[0], 1),
+};
+DEFSEQTYPE(encryptionkey, krb5_key_data, encryptionkey_fields, 0);
-/* Major version and minor version are both '1' - first version */
-/* asn1_error_code asn1_encode_sequence_of_keys (krb5_key_data *key_data, */
-krb5_error_code
-asn1_encode_sequence_of_keys (krb5_key_data *key_data,
- krb5_int16 n_key_data,
- krb5_int32 mkvno, /* Master key version number */
- krb5_data **code)
-{
- asn1_error_code ret = 0;
- asn1buf *buf = NULL;
- unsigned int length, sum = 0;
- unsigned long tmp_ul;
+static const struct field_info key_data_fields[] = {
+ FIELDOF_ENCODEAS(krb5_key_data, krbsalt, 0),
+ FIELDOF_ENCODEAS(krb5_key_data, encryptionkey, 1),
+#if 0 /* We don't support this field currently. */
+ FIELDOF_blah(krb5_key_data, s2kparams, ...),
+#endif
+};
+DEFSEQTYPE(key_data, krb5_key_data, key_data_fields, 0);
+DEFPTRTYPE(ptr_key_data, key_data);
- *code = NULL;
+DEFFIELDTYPE(key_data_kvno, krb5_key_data,
+ FIELDOF_NORM(krb5_key_data, int16, key_data_kvno, -1));
+DEFPTRTYPE(ptr_key_data_kvno, key_data_kvno);
- if (n_key_data == 0) cleanup (ASN1_MISSING_FIELD);
+static const struct field_info ldap_key_seq_fields[] = {
+ FIELD_INT_IMM(1, 0),
+ FIELD_INT_IMM(1, 1),
+ FIELDOF_NORM(ldap_seqof_key_data, ptr_key_data_kvno, key_data, 2),
+ FIELDOF_NORM(ldap_seqof_key_data, int32, mkvno, 3), /* mkvno */
+ FIELDOF_SEQOF_LEN(ldap_seqof_key_data, ptr_key_data, key_data, n_key_data,
+ int16, 4),
+};
+DEFSEQTYPE(ldap_key_seq, ldap_seqof_key_data, ldap_key_seq_fields, 0);
- /* Allocate the buffer */
- ret = asn1buf_create(&buf);
- checkerr;
+/* Export a function to do the whole encoding. */
+MAKE_FULL_ENCODER(krb5int_ldap_encode_sequence_of_keys, ldap_key_seq);
- /* Sequence of keys */
- {
- int i;
- unsigned int seq_len = 0;
-
- for (i = n_key_data - 1; i >= 0; i--) {
- ret = asn1_encode_key (buf, key_data[i], &length); checkerr;
- seq_len += length;
- }
- ret = asn1_make_sequence(buf, seq_len, &length); checkerr;
- seq_len += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 4, seq_len, &length); checkerr;
- seq_len += length;
-
- sum += seq_len;
- }
-
- /* mkvno */
- if (mkvno < 0)
- cleanup (ASN1_BAD_FORMAT);
- tmp_ul = (unsigned long)mkvno;
- ret = asn1_encode_unsigned_integer (buf, tmp_ul, &length); checkerr;
- sum += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 3, length, &length); checkerr;
- sum += length;
-
- /* kvno (assuming all keys in array have same version) */
- if (key_data[0].key_data_kvno < 0)
- cleanup (ASN1_BAD_FORMAT);
- tmp_ul = (unsigned long)key_data[0].key_data_kvno;
- ret = asn1_encode_unsigned_integer (buf, tmp_ul, &length);
- checkerr;
- sum += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 2, length, &length); checkerr;
- sum += length;
-
- /* attribute-minor-vno == 1 */
- ret = asn1_encode_unsigned_integer (buf, 1, &length); checkerr;
- sum += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 1, length, &length); checkerr;
- sum += length;
-
- /* attribute-major-vno == 1 */
- ret = asn1_encode_unsigned_integer (buf, 1, &length); checkerr;
- sum += length;
- ret = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0, length, &length); checkerr;
- sum += length;
-
- ret = asn1_make_sequence(buf, sum, &length); checkerr;
- sum += length;
-
- /* The reverse encoding is straightened out here */
- ret = asn12krb5_buf (buf, code); checkerr;
-
-last:
- asn1buf_destroy (&buf);
-
- if (ret != 0 && *code != NULL) {
- free ((*code)->data);
- free (*code);
- }
-
- return ret;
-}
-
/************************************************************************/
/* Decode the Principal's keys */
/************************************************************************/
+#define cleanup(err) \
+ { \
+ ret = err; \
+ goto last; \
+ }
+
+#define checkerr \
+ if (ret != 0) \
+ goto last
+
#define safe_syncbuf(outer,inner,buflen) \
if (! ((inner)->next == (inner)->bound + 1 && \
(inner)->next == (outer)->next + buflen)) \
@@ -279,7 +178,8 @@
#endif
static asn1_error_code
-decode_tagged_octetstring (asn1buf *buf, asn1_tagnum expectedtag, int *len,
+decode_tagged_octetstring (asn1buf *buf, asn1_tagnum expectedtag,
+ unsigned int *len,
asn1_octet **val)
{
int buflen;
@@ -328,8 +228,8 @@
if (t.tagnum == 0) {
int salt_buflen;
asn1buf slt;
- unsigned long keytype;
- int keylen;
+ long keytype;
+ unsigned int keylen;
key->key_data_ver = 2;
asn1_get_sequence(&subbuf, &length, &seqindef);
@@ -358,7 +258,7 @@
int key_buflen;
asn1buf kbuf;
long lval;
- int ival;
+ unsigned int ival;
if (t.tagnum != 1)
cleanup (ASN1_MISSING_FIELD);
@@ -390,12 +290,14 @@
return ret;
}
-/* asn1_error_code asn1_decode_sequence_of_keys (krb5_data *in, */
-krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in,
- krb5_key_data **out,
- krb5_int16 *n_key_data,
- int *mkvno)
+krb5_error_code krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
+ ldap_seqof_key_data **rep)
{
+ ldap_seqof_key_data *repval;
+ krb5_key_data **out;
+ krb5_int16 *n_key_data;
+ int *mkvno;
+
asn1_error_code ret;
asn1buf buf, subbuf;
int seqindef;
@@ -404,6 +306,12 @@
int kvno, maj, min;
long lval;
+ repval = calloc(1,sizeof(ldap_seqof_key_data));
+ *rep = repval;
+ out = &repval->key_data;
+ n_key_data = &repval->n_key_data;
+ mkvno = &repval->mkvno;
+
*n_key_data = 0;
*out = NULL;
Modified: branches/mkey_migrate/src/lib/krb5/ccache/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -113,125 +113,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-ccbase.so ccbase.po $(OUTPRE)ccbase.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cc-int.h ccbase.c \
- fcc.h
-cccopy.so cccopy.po $(OUTPRE)cccopy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cccopy.c
-cccursor.so cccursor.po $(OUTPRE)cccursor.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cc-int.h cccursor.c
-ccdefault.so ccdefault.po $(OUTPRE)ccdefault.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ccdefault.c
-ccdefops.so ccdefops.po $(OUTPRE)ccdefops.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ccdefops.c fcc.h
-cc_retr.so cc_retr.po $(OUTPRE)cc_retr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cc-int.h cc_retr.c
-cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cc_file.c
-cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cc-int.h cc_memory.c
-cc_keyring.so cc_keyring.po $(OUTPRE)cc_keyring.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cc-int.h cc_keyring.c
-ccfns.so ccfns.po $(OUTPRE)ccfns.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ccfns.c
-ser_cc.so ser_cc.po $(OUTPRE)ser_cc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ser_cc.c
-t_cc.so t_cc.po $(OUTPRE)t_cc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h t_cc.c
-t_cccursor.so t_cccursor.po $(OUTPRE)t_cccursor.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h t_cccursor.c
Modified: branches/mkey_migrate/src/lib/krb5/ccache/cc-int.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/cc-int.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/cc-int.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,7 +64,37 @@
krb5_context context,
krb5_cc_typecursor *cursor);
+/* reentrant mutex used by krb5_cc_* functions */
+typedef struct _k5_cc_mutex {
+ k5_mutex_t lock;
+ krb5_context owner;
+ krb5_int32 refcount;
+} k5_cc_mutex;
+#define K5_CC_MUTEX_PARTIAL_INITIALIZER \
+ { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 }
+
+krb5_error_code
+k5_cc_mutex_init(k5_cc_mutex *m);
+
+krb5_error_code
+k5_cc_mutex_finish_init(k5_cc_mutex *m);
+
+#define k5_cc_mutex_destroy(M) \
+k5_mutex_destroy(&(M)->lock);
+
+void
+k5_cc_mutex_assert_locked(krb5_context context, k5_cc_mutex *m);
+
+void
+k5_cc_mutex_assert_unlocked(krb5_context context, k5_cc_mutex *m);
+
+krb5_error_code
+k5_cc_mutex_lock(krb5_context context, k5_cc_mutex *m);
+
+krb5_error_code
+k5_cc_mutex_unlock(krb5_context context, k5_cc_mutex *m);
+
extern k5_cc_mutex krb5int_mcc_mutex;
extern k5_cc_mutex krb5int_krcc_mutex;
extern k5_cc_mutex krb5int_cc_file_mutex;
Modified: branches/mkey_migrate/src/lib/krb5/ccache/cc_file.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/cc_file.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/cc_file.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -76,8 +76,8 @@
fcc_nseq.c and fcc_read don't check return values a lot.
*/
#include "k5-int.h"
+#include "cc-int.h"
-
#include <stdio.h>
#include <errno.h>
@@ -1997,8 +1997,7 @@
if (kret)
return kret;
- (void) strcpy(scratch, TKT_ROOT);
- (void) strcat(scratch, "XXXXXX");
+ (void) snprintf(scratch, sizeof(scratch), "%sXXXXXX", TKT_ROOT);
ret = mkstemp(scratch);
if (ret == -1) {
k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
Modified: branches/mkey_migrate/src/lib/krb5/ccache/cc_memory.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/cc_memory.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/cc_memory.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -415,7 +415,7 @@
return err;
}
- d->name = malloc(strlen(name) + 1);
+ d->name = strdup(name);
if (d->name == NULL) {
k5_cc_mutex_destroy(&d->lock);
krb5_xfree(d);
@@ -426,9 +426,6 @@
d->changetime = 0;
update_mcc_change_time(d);
- /* Set up the filename */
- strcpy(d->name, name);
-
n = malloc(sizeof(krb5_mcc_list_node));
if (n == NULL) {
free(d->name);
Modified: branches/mkey_migrate/src/lib/krb5/ccache/ccapi/stdcc.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/ccapi/stdcc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/ccapi/stdcc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,7 +5,7 @@
* Written by Frank Dabek July 1998
* Updated by Jeffrey Altman June 2006
*
- * Copyright 1998, 1999, 2006 by the Massachusetts Institute of Technology.
+ * Copyright 1998, 1999, 2006, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -347,12 +347,11 @@
}
if (!err) {
- name = (char *) malloc (sizeof (*name) * (strlen (ccstring->data) + 1));
+ name = strdup (ccstring->data);
if (!name) { err = KRB5_CC_NOMEM; }
}
if (!err) {
- strcpy (name, ccstring->data);
ccapi_data->cache_name = name;
name = NULL; /* take ownership */
@@ -407,7 +406,7 @@
}
if (!err) {
- name = malloc (strlen(residual) + 1);
+ name = strdup (residual);
if (!name) { err = KRB5_CC_NOMEM; }
}
@@ -421,7 +420,6 @@
}
if (!err) {
- strcpy(name, residual);
ccapi_data->cache_name = name;
name = NULL; /* take ownership */
@@ -850,6 +848,10 @@
}
if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; }
+ if (iterator) {
+ err = cc_credentials_iterator_release(iterator);
+ }
+
if (!err) {
cache_changed ();
}
@@ -936,12 +938,11 @@
}
if (!err) {
- name = (char *) malloc (sizeof (*name) * (strlen (ccstring->data) + 1));
+ name = strdup (ccstring->data);
if (!name) { err = KRB5_CC_NOMEM; }
}
if (!err) {
- strcpy (name, ccstring->data);
ccapi_data->cache_name = name;
name = NULL; /* take ownership */
@@ -1198,15 +1199,13 @@
if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData))))
goto errout;
- if (!(cName = malloc(strlen(residual)+1)))
+ if (!(cName = strdup(residual)))
goto errout;
newCache->ops = &krb5_cc_stdcc_ops;
newCache->data = ccapi_data;
ccapi_data->cache_name = cName;
- strcpy(cName, residual);
-
err = cc_open(gCntrlBlock, cName, CC_CRED_V5, 0L,
&ccapi_data->NamedCache);
if (err != CC_NOERROR) {
Modified: branches/mkey_migrate/src/lib/krb5/ccache/ccdefault.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/ccdefault.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/ccdefault.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -31,6 +31,7 @@
#if defined(USE_KIM)
#include <kim/kim.h>
+#include "kim_library_private.h"
#elif defined(USE_LEASH)
static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal,char*,int) = NULL;
static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
@@ -78,7 +79,7 @@
}
#ifdef USE_KIM
- {
+ if (kim_library_allow_automatic_prompting ()) {
kim_error err = KIM_NO_ERROR;
kim_ccache kimccache = NULL;
kim_identity identity = KIM_IDENTITY_ANY;
@@ -111,7 +112,8 @@
if (!err) {
krb5_cc_set_default_name (context, name);
}
-
+
+ kim_identity_free (&identity);
kim_string_free (&name);
kim_ccache_free (&kimccache);
}
Modified: branches/mkey_migrate/src/lib/krb5/ccache/ccfns.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/ccache/ccfns.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/ccache/ccfns.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
* lib/krb5/ccache/ccfns.c
*
- * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -69,6 +69,9 @@
krb5_ticket *tkt;
krb5_principal s1, s2;
+ /* remove any dups */
+ krb5_cc_remove_cred(context, cache, 0, creds);
+
ret = cache->ops->store(context, cache, creds);
if (ret) return ret;
@@ -82,9 +85,11 @@
if (ret) return 0;
s2 = tkt->server;
if (!krb5_principal_compare(context, s1, s2)) {
- creds->server = s2;
- ret = cache->ops->store(context, cache, creds);
- creds->server = s1;
+ creds->server = s2;
+ /* remove any dups */
+ krb5_cc_remove_cred(context, cache, 0, creds);
+ ret = cache->ops->store(context, cache, creds);
+ creds->server = s1;
}
krb5_free_ticket(context, tkt);
return ret;
Copied: branches/mkey_migrate/src/lib/krb5/ccache/deps (from rev 21721, trunk/src/lib/krb5/ccache/deps)
Copied: branches/mkey_migrate/src/lib/krb5/deps (from rev 21721, trunk/src/lib/krb5/deps)
Modified: branches/mkey_migrate/src/lib/krb5/error_tables/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/error_tables/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/error_tables/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -58,18 +58,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-asn1_err.so asn1_err.po $(OUTPRE)asn1_err.$(OBJEXT): \
- $(COM_ERR_DEPS) asn1_err.c
-kdb5_err.so kdb5_err.po $(OUTPRE)kdb5_err.$(OBJEXT): \
- $(COM_ERR_DEPS) kdb5_err.c
-krb5_err.so krb5_err.po $(OUTPRE)krb5_err.$(OBJEXT): \
- $(COM_ERR_DEPS) krb5_err.c
-kv5m_err.so kv5m_err.po $(OUTPRE)kv5m_err.$(OBJEXT): \
- $(COM_ERR_DEPS) kv5m_err.c
-krb524_err.so krb524_err.po $(OUTPRE)krb524_err.$(OBJEXT): \
- $(COM_ERR_DEPS) krb524_err.c
Copied: branches/mkey_migrate/src/lib/krb5/error_tables/deps (from rev 21721, trunk/src/lib/krb5/error_tables/deps)
Modified: branches/mkey_migrate/src/lib/krb5/error_tables/krb5_err.et
===================================================================
--- branches/mkey_migrate/src/lib/krb5/error_tables/krb5_err.et 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/error_tables/krb5_err.et 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,8 +66,8 @@
# ^^ 24
error_code KRB5KDC_ERR_PREAUTH_REQUIRED, "Additional pre-authentication required"
error_code KRB5KDC_ERR_SERVER_NOMATCH, "Requested server and ticket don't match"
-error_code KRB5PLACEHOLD_27, "KRB5 error code 27"
-error_code KRB5PLACEHOLD_28, "KRB5 error code 28"
+error_code KRB5KDC_ERR_MUST_USE_USER2USER, "Server principal valid for user2user only"
+error_code KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KDC policy rejects transited path"
error_code KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is required to process the request"
error_code KRB5PLACEHOLD_30, "KRB5 error code 30"
# vv 31
@@ -108,9 +108,9 @@
error_code KRB5KDC_ERR_INVALID_SIG, "Invalid signature"
error_code KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, "Key parameters not accepted"
error_code KRB5KDC_ERR_CERTIFICATE_MISMATCH, "Certificate mismatch"
-error_code KRB5PLACEHOLD_67, "KRB5 error code 67"
-error_code KRB5PLACEHOLD_68, "KRB5 error code 68"
-error_code KRB5PLACEHOLD_69, "KRB5 error code 69"
+error_code KRB5KRB_AP_ERR_NO_TGT, "No ticket granting ticket"
+error_code KRB5KDC_ERR_WRONG_REALM, "Realm not local to KDC"
+error_code KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED, "User to user required"
error_code KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE, "Can't verify certificate"
error_code KRB5KDC_ERR_INVALID_CERTIFICATE, "Invalid certificate"
error_code KRB5KDC_ERR_REVOKED_CERTIFICATE, "Revoked certificate"
Modified: branches/mkey_migrate/src/lib/krb5/keytab/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/keytab/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/keytab/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -78,114 +78,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-ktadd.so ktadd.po $(OUTPRE)ktadd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ktadd.c
-ktbase.so ktbase.po $(OUTPRE)ktbase.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kt-int.h ktbase.c
-ktdefault.so ktdefault.po $(OUTPRE)ktdefault.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ktdefault.c
-ktfr_entry.so ktfr_entry.po $(OUTPRE)ktfr_entry.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ktfr_entry.c
-ktremove.so ktremove.po $(OUTPRE)ktremove.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ktremove.c
-ktfns.so ktfns.po $(OUTPRE)ktfns.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ktfns.c
-kt_file.so kt_file.po $(OUTPRE)kt_file.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kt_file.c
-kt_memory.so kt_memory.po $(OUTPRE)kt_memory.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kt-int.h kt_memory.c
-kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kt_srvtab.c
-read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- read_servi.c
-t_keytab.so t_keytab.po $(OUTPRE)t_keytab.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- t_keytab.c
Copied: branches/mkey_migrate/src/lib/krb5/keytab/deps (from rev 21721, trunk/src/lib/krb5/keytab/deps)
Modified: branches/mkey_migrate/src/lib/krb5/keytab/kt_file.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/keytab/kt_file.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/keytab/kt_file.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -221,14 +221,13 @@
return err;
}
- if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) {
+ if ((data->name = strdup(name)) == NULL) {
k5_mutex_destroy(&data->lock);
krb5_xfree(data);
krb5_xfree(*id);
return(ENOMEM);
}
- (void) strcpy(data->name, name);
data->openf = 0;
data->version = 0;
data->iter_count = 0;
@@ -441,21 +440,12 @@
* trt will happen if the name is passed back to resolve.
*/
{
- memset(name, 0, len);
+ int result;
- if (len < strlen(id->ops->prefix)+2)
+ memset(name, 0, len);
+ result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id));
+ if (SNPRINTF_OVERFLOW(result, len))
return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, id->ops->prefix);
- name += strlen(id->ops->prefix);
- name[0] = ':';
- name++;
- len -= strlen(id->ops->prefix)+1;
-
- if (len < strlen(KTFILENAME(id))+1)
- return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, KTFILENAME(id));
- /* strcpy will NUL-terminate the destination */
-
return(0);
}
Modified: branches/mkey_migrate/src/lib/krb5/keytab/kt_memory.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/keytab/kt_memory.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/keytab/kt_memory.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -252,7 +252,7 @@
goto done;
}
- if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) {
+ if ((data->name = strdup(name)) == NULL) {
k5_mutex_destroy(&data->lock);
krb5_xfree(data);
krb5_xfree(list->keytab);
@@ -261,8 +261,6 @@
goto done;
}
- (void) strcpy(data->name, name);
-
data->link = NULL;
data->refcount = 0;
list->keytab->data = (krb5_pointer)data;
@@ -474,21 +472,12 @@
krb5_error_code KRB5_CALLCONV
krb5_mkt_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len)
{
- memset(name, 0, len);
+ int result;
- if (len < strlen(id->ops->prefix)+2)
+ memset(name, 0, len);
+ result = snprintf(name, len, "%s:%s", id->ops->prefix, KTNAME(id));
+ if (SNPRINTF_OVERFLOW(result, len))
return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, id->ops->prefix);
- name += strlen(id->ops->prefix);
- name[0] = ':';
- name++;
- len -= strlen(id->ops->prefix)+1;
-
- if (len < strlen(KTNAME(id))+1)
- return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, KTNAME(id));
- /* strcpy will NUL-terminate the destination */
-
return(0);
}
Modified: branches/mkey_migrate/src/lib/krb5/keytab/kt_srvtab.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/keytab/kt_srvtab.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/keytab/kt_srvtab.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -127,14 +127,13 @@
return(ENOMEM);
}
- data->name = (char *)malloc(strlen(name) + 1);
+ data->name = strdup(name);
if (data->name == NULL) {
krb5_xfree(data);
krb5_xfree(*id);
return(ENOMEM);
}
- (void) strcpy(data->name, name);
data->openf = 0;
(*id)->data = (krb5_pointer)data;
@@ -249,21 +248,12 @@
* trt will happen if the name is passed back to resolve.
*/
{
- memset(name, 0, len);
+ int result;
- if (len < strlen(id->ops->prefix)+2)
+ memset(name, 0, len);
+ result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id));
+ if (SNPRINTF_OVERFLOW(result, len))
return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, id->ops->prefix);
- name += strlen(id->ops->prefix);
- name[0] = ':';
- name++;
- len -= strlen(id->ops->prefix)+1;
-
- if (len < strlen(KTFILENAME(id))+1)
- return(KRB5_KT_NAME_TOOLONG);
- strcpy(name, KTFILENAME(id));
- /* strcpy will NUL-terminate the destination */
-
return(0);
}
Modified: branches/mkey_migrate/src/lib/krb5/keytab/ktbase.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/keytab/ktbase.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/keytab/ktbase.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -181,6 +181,11 @@
return ENOMEM;
resid = name;
+ } else if (name[0] == '/') {
+ pfx = strdup("FILE");
+ if (!pfx)
+ return ENOMEM;
+ resid = name;
} else {
resid = name + pfxlen + 1;
Modified: branches/mkey_migrate/src/lib/krb5/krb/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,6 +64,7 @@
mk_req.o \
mk_req_ext.o \
mk_safe.o \
+ pac.o \
parse.o \
pr_to_salt.o \
preauth.o \
@@ -94,7 +95,6 @@
str_conv.o \
tgtname.o \
unparse.o \
- v4lifetime.o \
valid_times.o \
vfy_increds.o \
vic_opt.o \
@@ -151,7 +151,8 @@
$(OUTPRE)mk_req.$(OBJEXT) \
$(OUTPRE)mk_req_ext.$(OBJEXT) \
$(OUTPRE)mk_safe.$(OBJEXT) \
- $(OUTPRE)parse.$(OBJEXT) \
+ $(OUTPRE)pac.$(OBJEXT) \
+ $(OUTPRE)parse.$(OBJEXT) \
$(OUTPRE)pr_to_salt.$(OBJEXT) \
$(OUTPRE)preauth.$(OBJEXT) \
$(OUTPRE)preauth2.$(OBJEXT) \
@@ -181,7 +182,6 @@
$(OUTPRE)str_conv.$(OBJEXT) \
$(OUTPRE)tgtname.$(OBJEXT) \
$(OUTPRE)unparse.$(OBJEXT) \
- $(OUTPRE)v4lifetime.$(OBJEXT) \
$(OUTPRE)valid_times.$(OBJEXT) \
$(OUTPRE)vfy_increds.$(OBJEXT) \
$(OUTPRE)vic_opt.$(OBJEXT) \
@@ -239,6 +239,7 @@
$(srcdir)/mk_req.c \
$(srcdir)/mk_req_ext.c \
$(srcdir)/mk_safe.c \
+ $(srcdir)/pac.c \
$(srcdir)/parse.c \
$(srcdir)/pr_to_salt.c \
$(srcdir)/preauth.c \
@@ -269,7 +270,6 @@
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
- $(srcdir)/v4lifetime.c \
$(srcdir)/valid_times.c \
$(srcdir)/vfy_increds.c \
$(srcdir)/vic_opt.c \
@@ -297,7 +297,7 @@
COMERRLIB=$(TOPLIBD)/libcom_err.a
T_WALK_RTREE_OBJS= t_walk_rtree.o walk_rtree.o tgtname.o unparse.o \
- free_rtree.o bld_pr_ext.o
+ free_rtree.o bld_pr_ext.o copy_data.o
T_KERB_OBJS= t_kerb.o conv_princ.o unparse.o set_realm.o str_conv.o
@@ -354,8 +354,8 @@
$(RUN_SETUP) $(VALGRIND) ./t_ser
$(RUN_SETUP) $(VALGRIND) ./t_deltat
$(RUN_SETUP) $(VALGRIND) sh $(srcdir)/transit-tests
- : known to fail "http://krbdev.mit.edu/rt/Ticket/Display.html?id=5947"
- -$(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests
clean::
$(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \
@@ -366,898 +366,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-addr_comp.so addr_comp.po $(OUTPRE)addr_comp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- addr_comp.c
-addr_order.so addr_order.po $(OUTPRE)addr_order.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- addr_order.c
-addr_srch.so addr_srch.po $(OUTPRE)addr_srch.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- addr_srch.c
-appdefault.so appdefault.po $(OUTPRE)appdefault.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- appdefault.c
-auth_con.so auth_con.po $(OUTPRE)auth_con.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.c auth_con.h
-bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- bld_pr_ext.c
-bld_princ.so bld_princ.po $(OUTPRE)bld_princ.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- bld_princ.c
-brand.so brand.po $(OUTPRE)brand.$(OBJEXT): $(SRCTOP)/patchlevel.h \
- brand.c
-chk_trans.so chk_trans.po $(OUTPRE)chk_trans.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- chk_trans.c
-chpw.so chpw.po $(OUTPRE)chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h chpw.c
-conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- conv_creds.c
-conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- conv_princ.c
-copy_addrs.so copy_addrs.po $(OUTPRE)copy_addrs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_addrs.c
-copy_auth.so copy_auth.po $(OUTPRE)copy_auth.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_auth.c
-copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_athctr.c
-copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_cksum.c
-copy_creds.so copy_creds.po $(OUTPRE)copy_creds.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_creds.c
-copy_data.so copy_data.po $(OUTPRE)copy_data.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_data.c
-copy_key.so copy_key.po $(OUTPRE)copy_key.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_key.c
-copy_princ.so copy_princ.po $(OUTPRE)copy_princ.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_princ.c
-copy_tick.so copy_tick.po $(OUTPRE)copy_tick.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- copy_tick.c
-cp_key_cnt.so cp_key_cnt.po $(OUTPRE)cp_key_cnt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cp_key_cnt.c
-decode_kdc.so decode_kdc.po $(OUTPRE)decode_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- decode_kdc.c
-decrypt_tk.so decrypt_tk.po $(OUTPRE)decrypt_tk.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- decrypt_tk.c
-deltat.so deltat.po $(OUTPRE)deltat.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h deltat.c
-enc_helper.so enc_helper.po $(OUTPRE)enc_helper.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- enc_helper.c
-encode_kdc.so encode_kdc.po $(OUTPRE)encode_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- encode_kdc.c
-encrypt_tk.so encrypt_tk.po $(OUTPRE)encrypt_tk.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- encrypt_tk.c
-free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- free_rtree.c
-fwd_tgt.so fwd_tgt.po $(OUTPRE)fwd_tgt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h fwd_tgt.c
-gc_frm_kdc.so gc_frm_kdc.po $(OUTPRE)gc_frm_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gc_frm_kdc.c int-proto.h
-gc_via_tkt.so gc_via_tkt.po $(OUTPRE)gc_via_tkt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gc_via_tkt.c int-proto.h
-gen_seqnum.so gen_seqnum.po $(OUTPRE)gen_seqnum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gen_seqnum.c
-gen_subkey.so gen_subkey.po $(OUTPRE)gen_subkey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gen_subkey.c
-get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- get_creds.c
-get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../os/os-proto.h get_in_tkt.c int-proto.h
-gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gic_keytab.c
-gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h gic_opt.c int-proto.h
-gic_pwd.so gic_pwd.po $(OUTPRE)gic_pwd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h gic_pwd.c
-in_tkt_sky.so in_tkt_sky.po $(OUTPRE)in_tkt_sky.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- in_tkt_sky.c
-init_ctx.so init_ctx.po $(OUTPRE)init_ctx.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/patchlevel.h $(srcdir)/../krb5_libinit.h \
- brand.c init_ctx.c
-init_keyblock.so init_keyblock.po $(OUTPRE)init_keyblock.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- init_keyblock.c
-kdc_rep_dc.so kdc_rep_dc.po $(OUTPRE)kdc_rep_dc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kdc_rep_dc.c
-kerrs.so kerrs.po $(OUTPRE)kerrs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kerrs.c
-kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kfree.c
-mk_cred.so mk_cred.po $(OUTPRE)mk_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- mk_cred.c
-mk_error.so mk_error.po $(OUTPRE)mk_error.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- mk_error.c
-mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- mk_priv.c
-mk_rep.so mk_rep.po $(OUTPRE)mk_rep.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h mk_rep.c
-mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h mk_req.c
-mk_req_ext.so mk_req_ext.po $(OUTPRE)mk_req_ext.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.h mk_req_ext.c
-mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- mk_safe.c
-parse.so parse.po $(OUTPRE)parse.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h parse.c
-pr_to_salt.so pr_to_salt.po $(OUTPRE)pr_to_salt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- pr_to_salt.c
-preauth.so preauth.po $(OUTPRE)preauth.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h preauth.c
-preauth2.so preauth2.po $(OUTPRE)preauth2.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h preauth2.c
-princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- princ_comp.c
-rd_cred.so rd_cred.po $(OUTPRE)rd_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- rd_cred.c
-rd_error.so rd_error.po $(OUTPRE)rd_error.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- rd_error.c
-rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- rd_priv.c
-rd_rep.so rd_rep.po $(OUTPRE)rd_rep.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h rd_rep.c
-rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h rd_req.c
-rd_req_dec.so rd_req_dec.po $(OUTPRE)rd_req_dec.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.h rd_req_dec.c
-rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h cleanup.h \
- rd_safe.c
-recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.h recvauth.c
-sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.h sendauth.c
-send_tgs.so send_tgs.po $(OUTPRE)send_tgs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- send_tgs.c
-ser_actx.so ser_actx.po $(OUTPRE)ser_actx.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- auth_con.h int-proto.h ser_actx.c
-ser_adata.so ser_adata.po $(OUTPRE)ser_adata.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h ser_adata.c
-ser_addr.so ser_addr.po $(OUTPRE)ser_addr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h ser_addr.c
-ser_auth.so ser_auth.po $(OUTPRE)ser_auth.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h ser_auth.c
-ser_cksum.so ser_cksum.po $(OUTPRE)ser_cksum.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h ser_cksum.c
-ser_ctx.so ser_ctx.po $(OUTPRE)ser_ctx.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ser_ctx.c
-ser_key.so ser_key.po $(OUTPRE)ser_key.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h int-proto.h ser_key.c
-ser_princ.so ser_princ.po $(OUTPRE)ser_princ.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h ser_princ.c
-serialize.so serialize.po $(OUTPRE)serialize.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- serialize.c
-set_realm.so set_realm.po $(OUTPRE)set_realm.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- set_realm.c
-srv_dec_tkt.so srv_dec_tkt.po $(OUTPRE)srv_dec_tkt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- srv_dec_tkt.c
-srv_rcache.so srv_rcache.po $(OUTPRE)srv_rcache.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- srv_rcache.c
-str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h str_conv.c
-tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h int-proto.h tgtname.c
-unparse.so unparse.po $(OUTPRE)unparse.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h unparse.c
-v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- v4lifetime.c
-valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- valid_times.c
-vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h vfy_increds.c
-vic_opt.so vic_opt.po $(OUTPRE)vic_opt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h vic_opt.c
-walk_rtree.so walk_rtree.po $(OUTPRE)walk_rtree.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- int-proto.h walk_rtree.c
-t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- t_walk_rtree.c
-t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \
- t_kerb.c
-t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h auth_con.h t_ser.c
-t_deltat.so t_deltat.po $(OUTPRE)t_deltat.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- t_deltat.c
-t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- chk_trans.c t_expand.c
Modified: branches/mkey_migrate/src/lib/krb5/krb/addr_srch.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/addr_srch.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/addr_srch.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,6 +29,20 @@
#include "k5-int.h"
+static unsigned int
+address_count(krb5_address *const *addrlist)
+{
+ unsigned int i;
+
+ if (addrlist == NULL)
+ return 0;
+
+ for (i = 0; addrlist[i]; i++)
+ ;
+
+ return i;
+}
+
/*
* if addr is listed in addrlist, or addrlist is null, return TRUE.
* if not listed, return FALSE
@@ -36,6 +50,14 @@
krb5_boolean
krb5_address_search(krb5_context context, const krb5_address *addr, krb5_address *const *addrlist)
{
+ /*
+ * Treat an address list containing only a NetBIOS address
+ * as empty, because we presently have no way of associating
+ * a client with its NetBIOS address.
+ */
+ if (address_count(addrlist) == 1 &&
+ addrlist[0]->addrtype == ADDRTYPE_NETBIOS)
+ return TRUE;
if (!addrlist)
return TRUE;
for (; *addrlist; addrlist++) {
Modified: branches/mkey_migrate/src/lib/krb5/krb/auth_con.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/auth_con.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/auth_con.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,8 +34,9 @@
(*auth_context)->req_cksumtype = context->default_ap_req_sumtype;
(*auth_context)->safe_cksumtype = context->default_safe_sumtype;
- (*auth_context) -> checksum_func = NULL;
+ (*auth_context)->checksum_func = NULL;
(*auth_context)->checksum_func_data = NULL;
+ (*auth_context)->negotiated_etype = ENCTYPE_NULL;
(*auth_context)->magic = KV5M_AUTH_CONTEXT;
return 0;
}
@@ -243,13 +244,14 @@
*seqnumber = auth_context->local_seq_number;
return 0;
}
-
+#ifndef LEAN_CLIENT
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator **authenticator)
{
return (krb5_copy_authenticator(context, auth_context->authentp,
authenticator));
}
+#endif
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 *seqnumber)
Modified: branches/mkey_migrate/src/lib/krb5/krb/auth_con.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/auth_con.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/auth_con.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -21,8 +21,9 @@
krb5_pointer i_vector; /* mk_priv, rd_priv only */
krb5_rcache rcache;
krb5_enctype * permitted_etypes; /* rd_req */
- krb5_mk_req_checksum_func checksum_func;
- void *checksum_func_data;
+ krb5_mk_req_checksum_func checksum_func;
+ void *checksum_func_data;
+ krb5_enctype negotiated_etype;
};
Modified: branches/mkey_migrate/src/lib/krb5/krb/bld_pr_ext.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/bld_pr_ext.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/bld_pr_ext.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -93,7 +93,7 @@
return 0;
free_out:
- while (i-- >= 0)
+ while (--i >= 0)
krb5_xfree(princ_data[i].data);
krb5_xfree(princ_data);
krb5_xfree(princ_ret);
Modified: branches/mkey_migrate/src/lib/krb5/krb/bld_princ.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/bld_princ.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/bld_princ.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,84 +30,159 @@
#include <stdarg.h>
#include "k5-int.h"
-krb5_error_code
-KRB5_CALLCONV
-krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char *realm, va_list ap)
+/* Takes first component as argument for KIM API,
+ * which does not allow realms with zero components */
+static krb5_error_code
+krb5int_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
+ const char *first,
+ va_list ap)
{
- register int i, count = 0;
- register char *next;
- char *tmpdata;
- krb5_data *data;
+ krb5_error_code retval = 0;
+ char *r = NULL;
+ krb5_data *data = NULL;
+ krb5_int32 count = 0;
+ krb5_int32 size = 2; /* initial guess at needed space */
+ char *component = NULL;
+
+ data = malloc(size * sizeof(krb5_data));
+ if (!data) { retval = ENOMEM; }
+
+ if (!retval) {
+ r = strdup(realm);
+ if (!r) { retval = ENOMEM; }
+ }
+
+ if (!retval && first) {
+ data[0].length = strlen(first);
+ data[0].data = strdup(first);
+ if (!data[0].data) { retval = ENOMEM; }
+ count++;
+
+ /* ap is only valid if first is non-NULL */
+ while (!retval && (component = va_arg(ap, char *))) {
+ if (count == size) {
+ krb5_data *new_data = NULL;
+
+ size *= 2;
+ new_data = realloc ((char *) data, sizeof(krb5_data) * size);
+ if (new_data) {
+ data = new_data;
+ } else {
+ retval = ENOMEM;
+ }
+ }
+
+ if (!retval) {
+ data[count].length = strlen(component);
+ data[count].data = strdup(component);
+ if (!data[count].data) { retval = ENOMEM; }
+ count++;
+ }
+ }
+ }
+
+ if (!retval) {
+ princ->type = KRB5_NT_UNKNOWN;
+ princ->magic = KV5M_PRINCIPAL;
+ krb5_princ_set_realm_data(context, princ, r);
+ krb5_princ_set_realm_length(context, princ, rlen);
+ princ->data = data;
+ princ->length = count;
+ r = NULL; /* take ownership */
+ data = NULL; /* take ownership */
+ }
+
+ if (data) {
+ while (--count >= 0) {
+ krb5_xfree(data[count].data);
+ }
+ krb5_xfree(data);
+ }
+ krb5_xfree(r);
+
+ return retval;
+}
- /* guess at an initial sufficent count of 2 pieces */
- count = 2;
+krb5_error_code KRB5_CALLCONV
+krb5_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
+ va_list ap)
+{
+ char *first = va_arg(ap, char *);
+
+ return krb5int_build_principal_va(context, princ, rlen, realm, first, ap);
+}
- /* get space for array and realm, and insert realm */
- data = (krb5_data *) malloc(sizeof(krb5_data) * count);
- if (data == 0)
- return ENOMEM;
- krb5_princ_set_realm_length(context, princ, rlen);
- tmpdata = malloc(rlen);
- if (!tmpdata) {
- free (data);
- return ENOMEM;
+/* Takes first component as argument for KIM API,
+ * which does not allow realms with zero components */
+krb5_error_code KRB5_CALLCONV
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
+ const char *first,
+ va_list ap)
+{
+ krb5_error_code retval = 0;
+
+ krb5_principal p = malloc(sizeof(krb5_principal_data));
+ if (!p) { retval = ENOMEM; }
+
+ if (!retval) {
+ retval = krb5int_build_principal_va(context, p, rlen, realm, first, ap);
}
- krb5_princ_set_realm_data(context, princ, tmpdata);
- memcpy(tmpdata, realm, rlen);
+
+ if (!retval) {
+ *princ = p;
+ } else {
+ krb5_xfree(p);
+ }
+
+ return retval;
+}
- /* process rest of components */
+krb5_error_code KRB5_CALLCONV
+krb5_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
+ va_list ap)
+{
+ krb5_error_code retval = 0;
+
+ krb5_principal p = malloc(sizeof(krb5_principal_data));
+ if (!p) { retval = ENOMEM; }
+
+ if (!retval) {
+ retval = krb5_build_principal_va(context, p, rlen, realm, ap);
+ }
+
+ if (!retval) {
+ *princ = p;
+ } else {
+ krb5_xfree(p);
+ }
- for (i = 0, next = va_arg(ap, char *);
- next;
- next = va_arg(ap, char *), i++) {
- if (i == count) {
- /* not big enough. realloc the array */
- krb5_data *p_tmp;
- p_tmp = (krb5_data *) realloc((char *)data,
- sizeof(krb5_data)*(count*2));
- if (!p_tmp) {
- free_out:
- while (--i >= 0)
- krb5_xfree(data[i].data);
- krb5_xfree(data);
- krb5_xfree(tmpdata);
- return (ENOMEM);
- }
- count *= 2;
- data = p_tmp;
- }
-
- data[i].length = strlen(next);
- data[i].data = strdup(next);
- if (!data[i].data)
- goto free_out;
- }
- princ->data = data;
- princ->length = i;
- princ->type = KRB5_NT_UNKNOWN;
- princ->magic = KV5M_PRINCIPAL;
- return 0;
+ return retval;
}
krb5_error_code KRB5_CALLCONV_C
-krb5_build_principal(krb5_context context, krb5_principal * princ,
+krb5_build_principal(krb5_context context,
+ krb5_principal * princ,
unsigned int rlen,
const char * realm, ...)
{
+ krb5_error_code retval = 0;
va_list ap;
- krb5_error_code retval;
- krb5_principal pr_ret = (krb5_principal)malloc(sizeof(krb5_principal_data));
-
- if (!pr_ret)
- return ENOMEM;
-
+
va_start(ap, realm);
- retval = krb5_build_principal_va(context, pr_ret, rlen, realm, ap);
+ retval = krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
va_end(ap);
- if (retval == 0)
- *princ = pr_ret;
- else
- krb5_xfree(pr_ret);
-
+
return retval;
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/chk_trans.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/chk_trans.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/chk_trans.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -137,7 +137,7 @@
}
static krb5_error_code
-maybe_join (krb5_data *last, krb5_data *buf, int bufsiz)
+maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz)
{
if (buf->length == 0)
return 0;
Modified: branches/mkey_migrate/src/lib/krb5/krb/chpw.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/chpw.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/chpw.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -269,6 +269,7 @@
krb5_error_code ret;
krb5_data cipherpw;
krb5_data *encoded_setpw;
+ struct krb5_setpw_req req;
char *ptr;
@@ -279,7 +280,10 @@
KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
return(ret);
- ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
+ req.target = targprinc;
+ req.password.data = passwd;
+ req.password.length = strlen(passwd);
+ ret = encode_krb5_setpw_req(&req, &encoded_setpw);
if (ret) {
return ret;
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/conv_creds.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/conv_creds.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/conv_creds.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,247 +27,13 @@
#include "port-sockets.h"
#include "socket-utils.h"
-#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */
-#include "kerberosIV/krb.h"
-
-#ifdef USE_CCAPI
-#include <CredentialsCache.h>
-#endif
-
-#define krb524_debug krb5int_krb524_debug
-int krb524_debug = 0;
-
-static krb5_error_code krb524_convert_creds_plain
-(krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds);
-
-static int decode_v4tkt
- (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
-
krb5_error_code KRB5_CALLCONV
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds)
-{
- krb5_error_code ret;
- krb5_data reply;
- char *p;
- struct sockaddr_storage ss;
- socklen_t slen = sizeof(ss);
-
- ret = krb524_convert_creds_plain(context, v5creds, v4creds);
- if (ret)
- return ret;
-
- reply.data = NULL;
- ret = krb5int_524_sendto_kdc(context, &v5creds->ticket,
- &v5creds->server->realm, &reply,
- ss2sa(&ss), &slen);
- if (ret)
- return ret;
-
-#if TARGET_OS_MAC
-#ifdef USE_CCAPI
- v4creds->stk_type = cc_v4_stk_des;
-#endif
- if (slen == sizeof(struct sockaddr_in)
- && ss2sa(&ss)->sa_family == AF_INET) {
- v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
- }
- /* Otherwise, leave it set to all-zero. */
-#endif
-
- p = reply.data;
- ret = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- if (ret)
- goto fail;
-
- v4creds->kvno = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
-
-fail:
- if (reply.data)
- free(reply.data);
- reply.data = NULL;
- return ret;
-}
-
-static krb5_error_code
-krb524_convert_creds_plain(context, v5creds, v4creds)
- krb5_context context;
- krb5_creds *v5creds;
- CREDENTIALS *v4creds;
-{
- int ret;
- krb5_timestamp endtime;
- char dummy[REALM_SZ];
- memset((char *) v4creds, 0, sizeof(CREDENTIALS));
-
- if ((ret = krb5_524_conv_principal(context, v5creds->client,
- v4creds->pname, v4creds->pinst,
- dummy)))
- return ret;
- if ((ret = krb5_524_conv_principal(context, v5creds->server,
- v4creds->service, v4creds->instance,
- v4creds->realm)))
- return ret;
-
- /* Check enctype too */
- if (v5creds->keyblock.length != sizeof(C_Block)) {
- if (krb524_debug)
- fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
- v5creds->keyblock.length,
- (int) sizeof(C_Block));
- return KRB524_BADKEY;
- } else
- memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
- sizeof(C_Block));
-
- /* V4 has no concept of authtime or renew_till, so ignore them */
- v4creds->issue_date = v5creds->times.starttime;
- v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
- v5creds->times.endtime);
- endtime = krb5int_krb_life_to_time(v4creds->issue_date,
- v4creds->lifetime);
- /*
- * Adjust start time backwards to deal with rounding up in
- * krb_time_to_life(), to match code on server side.
- */
- if (endtime > v5creds->times.endtime)
- v4creds->issue_date -= endtime - v5creds->times.endtime;
-
- return 0;
-}
-
-/* this used to be krb524/encode.c, under same copyright as above */
-/*
- * I'm sure that this is reinventing the wheel, but I don't know where
- * the wheel is hidden.
- */
-
-int encode_v4tkt (KTEXT_ST *, char *, unsigned int *);
-static int encode_bytes (char **, int *, char *, unsigned int),
- encode_int32 (char **, int *, krb5_int32 *);
-
-static int decode_bytes (char **, int *, char *, unsigned int),
- decode_int32 (char **, int *, krb5_int32 *);
-
-static int encode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_ENCFULL;
- memcpy(*out, in, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-static int encode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- krb5_int32 nv; /* Must be 4 bytes */
-
- nv = htonl(*v);
- return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
-}
-
-int krb5int_encode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
- krb5_int32 temp;
-
- buflen = *encoded_len;
-
- if (v4tkt->length < MAX_KTXT_LEN)
- memset(v4tkt->dat + v4tkt->length, 0,
- (unsigned int) (MAX_KTXT_LEN - v4tkt->length));
- temp = v4tkt->length;
- if ((ret = encode_int32(&buf, &buflen, &temp)))
- return ret;
- if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- temp = v4tkt->mbz;
- if ((ret = encode_int32(&buf, &buflen, &temp)))
- return ret;
-
- *encoded_len -= buflen;
- return 0;
-}
-
-/* decode functions */
-
-static int decode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_DECEMPTY;
- memcpy(in, *out, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-static int decode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- int ret;
- krb5_int32 nv; /* Must be four bytes */
-
- if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
- return ret;
- *v = ntohl(nv);
- return 0;
-}
-
-static int decode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
- krb5_int32 temp;
-
- buflen = *encoded_len;
- if ((ret = decode_int32(&buf, &buflen, &temp)))
- return ret;
- v4tkt->length = temp;
- if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- if ((ret = decode_int32(&buf, &buflen, &temp)))
- return ret;
- v4tkt->mbz = temp;
- *encoded_len -= buflen;
- return 0;
-}
-
-#else /* no krb4 compat */
-
-krb5_error_code KRB5_CALLCONV
-krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
struct credentials *v4creds)
{
return KRB524_KRB4_DISABLED;
}
-#endif
-
/* These may be needed for object-level backwards compatibility on Mac
OS and UNIX, but Windows should be okay. */
#ifndef _WIN32
@@ -285,7 +51,7 @@
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
struct credentials *v4creds)
{
- return krb5_524_convert_creds(context, v5creds, v4creds);
+ return KRB524_KRB4_DISABLED;
}
void KRB5_CALLCONV krb524_init_ets ()
Modified: branches/mkey_migrate/src/lib/krb5/krb/conv_princ.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/conv_princ.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/conv_princ.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -169,9 +169,8 @@
* It is, so set the new name now, and chop off
* instance's domain name if requested.
*/
- if (strlen (p->v4_str) > ANAME_SZ - 1)
+ if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
return KRB5_INVALID_PRINCIPAL;
- strcpy(name, p->v4_str);
if (p->flags & DO_REALM_CONVERSION) {
compo = krb5_princ_component(context, princ, 1);
c = strnchr(compo->data, '.', compo->length);
Modified: branches/mkey_migrate/src/lib/krb5/krb/copy_athctr.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/copy_athctr.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/copy_athctr.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,7 +28,7 @@
*/
#include "k5-int.h"
-
+#ifndef LEAN_CLIENT
krb5_error_code KRB5_CALLCONV
krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto)
{
@@ -79,3 +79,5 @@
*authto = tempto;
return 0;
}
+#endif
+
Modified: branches/mkey_migrate/src/lib/krb5/krb/copy_auth.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/copy_auth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/copy_auth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,33 @@
*
* krb5_copy_authdata()
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
@@ -80,3 +107,58 @@
*outauthdat = tempauthdat;
return 0;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_decode_authdata_container(krb5_context context,
+ krb5_authdatatype type,
+ const krb5_authdata *container,
+ krb5_authdata ***authdata)
+{
+ krb5_error_code code;
+ krb5_data data;
+
+ *authdata = NULL;
+
+ if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != type)
+ return EINVAL;
+
+ data.length = container->length;
+ data.data = (char *)container->contents;
+
+ code = decode_krb5_authdata(&data, authdata);
+ if (code)
+ return code;
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_encode_authdata_container(krb5_context context,
+ krb5_authdatatype type,
+ krb5_authdata *const*authdata,
+ krb5_authdata ***container)
+{
+ krb5_error_code code;
+ krb5_data *data;
+ krb5_authdata ad_datum;
+ krb5_authdata *ad_data[2];
+
+ *container = NULL;
+
+ code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data);
+ if (code)
+ return code;
+
+ ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;
+ ad_datum.length = data->length;
+ ad_datum.contents = (unsigned char *)data->data;
+
+ ad_data[0] = &ad_datum;
+ ad_data[1] = NULL;
+
+ code = krb5_copy_authdata(context, ad_data, container);
+
+ krb5_free_data(context, data);
+
+ return code;
+}
Copied: branches/mkey_migrate/src/lib/krb5/krb/deps (from rev 21721, trunk/src/lib/krb5/krb/deps)
Modified: branches/mkey_migrate/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/gc_frm_kdc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/gc_frm_kdc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -92,6 +92,7 @@
krb5_creds *cur_cc_tgt;
krb5_creds *nxt_cc_tgt;
unsigned int ntgts;
+ krb5_creds *offpath_tgt;
};
/*
@@ -139,10 +140,6 @@
#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \
(r) != KRB5_CC_NOT_KTYPE)
-#define IS_TGS_PRINC(c, p) \
- (krb5_princ_size((c), (p)) == 2 && \
- data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
-
/*
* Flags for ccache lookups of cross-realm TGTs.
*
@@ -168,9 +165,11 @@
static krb5_error_code do_traversal(krb5_context ctx, krb5_ccache,
krb5_principal client, krb5_principal server,
krb5_creds *out_cc_tgt, krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts);
-static krb5_error_code krb5_get_cred_from_kdc_opt(krb5_context, krb5_ccache,
- krb5_creds *, krb5_creds **, krb5_creds ***, int);
+ krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath);
+static krb5_error_code chase_offpath(struct tr_state *, krb5_principal,
+ krb5_principal);
+static krb5_error_code offpath_loopchk(struct tr_state *ts,
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount);
/*
* init_cc_tgts()
@@ -434,6 +433,7 @@
krb5_principal *kdcptr;
TR_DBG(ts, "find_nxt_kdc");
+ assert(ts->ntgts > 0);
assert(ts->nxt_tgt == ts->kdc_tgts[ts->ntgts-1]);
if (krb5_princ_size(ts->ctx, ts->nxt_tgt->server) != 2)
return KRB5_KDCREP_MODIFIED;
@@ -448,21 +448,39 @@
break;
}
}
- if (*kdcptr == NULL) {
+ if (*kdcptr != NULL) {
+ ts->nxt_kdc = kdcptr;
+ TR_DBG_RET(ts, "find_nxt_kdc", 0);
+ return 0;
+ }
+
+ r2 = krb5_princ_component(ts->ctx, ts->kdc_list[0], 1);
+ if (r1 != NULL && r2 != NULL &&
+ r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length)) {
+ TR_DBG_RET(ts, "find_nxt_kdc: looped back to local",
+ KRB5_KDCREP_MODIFIED);
+ return KRB5_KDCREP_MODIFIED;
+ }
+
+ /*
+ * Realm is not in our list; we probably got an unexpected realm
+ * referral.
+ */
+ ts->offpath_tgt = ts->nxt_tgt;
+ if (ts->cur_kdc == ts->kdc_list) {
/*
- * Not found; we probably got an unexpected realm referral.
- * Don't touch NXT_KDC, thus allowing next_closest_tgt() to
- * continue looping backwards.
+ * Local KDC referred us off path; trust it for caching
+ * purposes.
*/
- if (ts->ntgts > 0) {
- /* Punt NXT_TGT from KDC_TGTS if bogus. */
- krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]);
- ts->kdc_tgts[ts->ntgts] = NULL;
- }
- TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED);
- return KRB5_KDCREP_MODIFIED;
+ return 0;
}
- ts->nxt_kdc = kdcptr;
+ /*
+ * Unlink the off-path TGT from KDC_TGTS but don't free it,
+ * because we should return it.
+ */
+ ts->kdc_tgts[--ts->ntgts] = NULL;
+ ts->nxt_tgt = ts->cur_tgt;
TR_DBG_RET(ts, "find_nxt_kdc", 0);
return 0;
}
@@ -577,10 +595,8 @@
break;
}
/*
- * Because try_kdc() validates referral TGTs, it can return an
- * error indicating a bogus referral. The loop continues when
- * it gets a bogus referral, which is arguably the right
- * thing. (Previous implementation unconditionally failed.)
+ * In case of errors in try_kdc() or find_nxt_kdc(), continue
+ * looping through the KDC list.
*/
}
/*
@@ -689,7 +705,8 @@
krb5_principal server,
krb5_creds *out_cc_tgt,
krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts)
+ krb5_creds ***out_kdc_tgts,
+ int *tgtptr_isoffpath)
{
krb5_error_code retval;
struct tr_state state, *ts;
@@ -717,13 +734,23 @@
retval = next_closest_tgt(ts, client);
if (retval)
goto cleanup;
+
+ if (ts->offpath_tgt != NULL) {
+ retval = chase_offpath(ts, client, server);
+ if (retval)
+ goto cleanup;
+ break;
+ }
assert(ts->cur_kdc != ts->nxt_kdc);
}
if (NXT_TGT_IS_CACHED(ts)) {
+ assert(ts->offpath_tgt = NULL);
*out_cc_tgt = *ts->cur_cc_tgt;
*out_tgt = out_cc_tgt;
MARK_CUR_CC_TGT_CLEAN(ts);
+ } else if (ts->offpath_tgt != NULL){
+ *out_tgt = ts->offpath_tgt;
} else {
/* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */
*out_tgt = ts->nxt_tgt;
@@ -739,10 +766,126 @@
free(ts->kdc_tgts);
} else
*out_kdc_tgts = ts->kdc_tgts;
+ *tgtptr_isoffpath = (ts->offpath_tgt != NULL);
return retval;
}
/*
+ * chase_offpath()
+ *
+ * Chase off-path TGT referrals.
+ *
+ * If we are traversing a trusted path (either hierarchically derived
+ * or explicit capath) and get a TGT pointing to a realm off this
+ * path, query the realm referenced by that off-path TGT. Repeat
+ * until we get to the destination realm or encounter an error.
+ *
+ * CUR_TGT is always either pointing into REFTGTS or is an alias for
+ * TS->OFFPATH_TGT.
+ */
+static krb5_error_code
+chase_offpath(struct tr_state *ts,
+ krb5_principal client, krb5_principal server)
+{
+ krb5_error_code retval;
+ krb5_creds mcred;
+ krb5_creds *cur_tgt, *nxt_tgt, *reftgts[KRB5_REFERRAL_MAXHOPS];
+ krb5_data *rsrc, *rdst, *r1;
+ unsigned int rcount, i;
+
+ rdst = krb5_princ_realm(ts->ctx, server);
+ cur_tgt = ts->offpath_tgt;
+
+ for (rcount = 0; rcount < KRB5_REFERRAL_MAXHOPS; rcount++) {
+ nxt_tgt = NULL;
+ memset(&mcred, 0, sizeof(mcred));
+ rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1);
+ retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server);
+ if (retval)
+ goto cleanup;
+ mcred.client = client;
+ retval = krb5_get_cred_via_tkt(ts->ctx, cur_tgt,
+ FLAGS2OPTS(cur_tgt->ticket_flags),
+ cur_tgt->addresses, &mcred, &nxt_tgt);
+ mcred.client = NULL;
+ krb5_free_principal(ts->ctx, mcred.server);
+ mcred.server = NULL;
+ if (retval)
+ goto cleanup;
+ if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) {
+ retval = KRB5_KDCREP_MODIFIED;
+ goto cleanup;
+ }
+ r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1);
+ if (rdst->length == r1->length &&
+ !memcmp(rdst->data, r1->data, rdst->length)) {
+ retval = 0;
+ goto cleanup;
+ }
+ retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount);
+ if (retval)
+ goto cleanup;
+ reftgts[rcount] = nxt_tgt;
+ cur_tgt = nxt_tgt;
+ nxt_tgt = NULL;
+ }
+ /* Max hop count exceeded. */
+ retval = KRB5_KDCREP_MODIFIED;
+
+cleanup:
+ if (mcred.server != NULL) {
+ krb5_free_principal(ts->ctx, mcred.server);
+ }
+ /*
+ * Don't free TS->OFFPATH_TGT if it's in the list of cacheable
+ * TGTs to be returned by do_traversal().
+ */
+ if (ts->offpath_tgt != ts->nxt_tgt) {
+ krb5_free_creds(ts->ctx, ts->offpath_tgt);
+ }
+ ts->offpath_tgt = NULL;
+ if (nxt_tgt != NULL) {
+ if (retval)
+ krb5_free_creds(ts->ctx, nxt_tgt);
+ else
+ ts->offpath_tgt = nxt_tgt;
+ }
+ for (i = 0; i < rcount; i++) {
+ krb5_free_creds(ts->ctx, reftgts[i]);
+ }
+ return retval;
+}
+
+/*
+ * offpath_loopchk()
+ *
+ * Check for loop back to previously-visited realms, both off-path and
+ * on-path.
+ */
+static krb5_error_code
+offpath_loopchk(struct tr_state *ts,
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount)
+{
+ krb5_data *r1, *r2;
+ unsigned int i;
+
+ r1 = krb5_princ_component(ts->ctx, tgt->server, 1);
+ for (i = 0; i < rcount; i++) {
+ r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
+ }
+ for (i = 0; i < ts->ntgts; i++) {
+ r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
+ }
+ return 0;
+}
+
+/*
* krb5_get_cred_from_kdc_opt()
* krb5_get_cred_from_kdc()
* krb5_get_cred_from_kdc_validate()
@@ -778,7 +921,7 @@
* Returns errors, system errors.
*/
-static krb5_error_code
+krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
krb5_creds *in_cred, krb5_creds **out_cred,
krb5_creds ***tgts, int kdcopt)
@@ -786,6 +929,8 @@
krb5_error_code retval, subretval;
krb5_principal client, server, supplied_server, out_supplied_server;
krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS];
+ krb5_creds *otgtptr = NULL;
+ int tgtptr_isoffpath = 0;
krb5_boolean old_use_conf_ktypes;
char **hrealms;
unsigned int referral_count, i;
@@ -847,8 +992,10 @@
} else if (!HARD_CC_ERR(retval)) {
DPRINTF(("gc_from_kdc: starting do_traversal to find "
"initial TGT for referral\n"));
+ tgtptr_isoffpath = 0;
+ otgtptr = NULL;
retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts);
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval) {
DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n"));
@@ -863,6 +1010,11 @@
* path, otherwise fall back to old-style assumptions.
*/
+ /*
+ * Save TGTPTR because we rewrite it in the referral loop, and
+ * we might need to explicitly free it later.
+ */
+ otgtptr = tgtptr;
for (referral_count = 0;
referral_count < KRB5_REFERRAL_MAXHOPS;
referral_count++) {
@@ -987,6 +1139,7 @@
tgtptr=*out_cred;
/* Save pointer to tgt in referral_tgts. */
referral_tgts[referral_count]=*out_cred;
+ *out_cred = NULL;
/* Copy krbtgt realm to server principal. */
krb5_free_data_contents(context, &server->realm);
retval = krb5int_copy_data_contents(context,
@@ -1061,6 +1214,11 @@
/* Free tgtptr data if reused from above. */
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
+ tgtptr = NULL;
+ /* Free saved TGT in OTGTPTR if it was off-path. */
+ if (tgtptr_isoffpath)
+ krb5_free_creds(context, otgtptr);
+ otgtptr = NULL;
/* Free TGTS if previously filled by do_traversal() */
if (*tgts != NULL) {
for (i = 0; (*tgts)[i] != NULL; i++) {
@@ -1075,11 +1233,13 @@
if (!retval) {
tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
+ tgtptr_isoffpath = 0;
retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts);
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval)
goto cleanup;
+ otgtptr = tgtptr;
/*
* Finally have TGT for target realm! Try using it to get creds.
@@ -1102,6 +1262,8 @@
krb5_free_cred_contents(context, &tgtq);
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
+ if (tgtptr_isoffpath)
+ krb5_free_creds(context, otgtptr);
context->use_conf_ktypes = old_use_conf_ktypes;
/* Drop the original principal back into in_cred so that it's cached
in the expected format. */
Modified: branches/mkey_migrate/src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/gc_via_tkt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/gc_via_tkt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -31,12 +31,6 @@
#include "k5-int.h"
#include "int-proto.h"
-#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
-
-#define IS_TGS_PRINC(c, p) \
- (krb5_princ_size((c), (p)) == 2 && \
- data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
-
static krb5_error_code
krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, krb5_data *psectkt, krb5_creds **ppcreds)
{
Modified: branches/mkey_migrate/src/lib/krb5/krb/gen_subkey.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/gen_subkey.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/gen_subkey.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -40,7 +40,10 @@
}
krb5_error_code
-krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey)
+krb5_generate_subkey_extended(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_enctype enctype,
+ krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_data seed;
@@ -52,10 +55,16 @@
if ((*subkey = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))) == NULL)
return(ENOMEM);
- if ((retval = krb5_c_make_random_key(context, key->enctype, *subkey))) {
+ if ((retval = krb5_c_make_random_key(context, enctype, *subkey))) {
krb5_xfree(*subkey);
return(retval);
}
return(0);
}
+
+krb5_error_code
+krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey)
+{
+ return krb5_generate_subkey_extended(context, key, key->enctype, subkey);
+}
Modified: branches/mkey_migrate/src/lib/krb5/krb/get_creds.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/get_creds.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/get_creds.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,6 +44,7 @@
*/
#include "k5-int.h"
+#include "int-proto.h"
static krb5_error_code
krb5_get_credentials_core(krb5_context context, krb5_flags options,
@@ -110,6 +111,7 @@
krb5_creds **tgts;
krb5_flags fields;
int not_ktype;
+ int kdcopt = 0;
retval = krb5_get_credentials_core(context, options,
in_creds,
@@ -141,7 +143,11 @@
else
not_ktype = 0;
- retval = krb5_get_cred_from_kdc(context, ccache, ncreds, out_creds, &tgts);
+ if (options & KRB5_GC_CANONICALIZE)
+ kdcopt |= KDC_OPT_CANONICALIZE;
+
+ retval = krb5_get_cred_from_kdc_opt(context, ccache, ncreds,
+ out_creds, &tgts, kdcopt);
if (tgts) {
register int i = 0;
krb5_error_code rv2;
Modified: branches/mkey_migrate/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/get_in_tkt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/get_in_tkt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -293,15 +293,31 @@
krb5_kdc_rep *as_reply)
{
krb5_error_code retval;
-
+ int canon_req;
+ int canon_ok;
+
/* check the contents for sanity: */
if (!as_reply->enc_part2->times.starttime)
as_reply->enc_part2->times.starttime =
as_reply->enc_part2->times.authtime;
-
- if (!krb5_principal_compare(context, as_reply->client, request->client)
- || !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)
- || !krb5_principal_compare(context, as_reply->ticket->server, request->server)
+
+ /*
+ * We only allow the AS-REP server name to be changed if the
+ * caller set the canonicalize flag (or requested an enterprise
+ * principal) and we requested (and received) a TGT.
+ */
+ canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
+ (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL);
+ if (canon_req) {
+ canon_ok = IS_TGS_PRINC(context, request->server) &&
+ IS_TGS_PRINC(context, as_reply->enc_part2->server);
+ } else
+ canon_ok = 0;
+
+ if ((!canon_ok &&
+ (!krb5_principal_compare(context, as_reply->client, request->client) ||
+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+ || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
|| (request->nonce != as_reply->enc_part2->nonce)
/* XXX check for extraneous flags */
/* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */
@@ -507,7 +523,10 @@
krb5_pa_data ** preauth_to_use = 0;
int loopcount = 0;
krb5_int32 do_more = 0;
+ int canon_flag;
int use_master = 0;
+ int referral_count = 0;
+ krb5_principal_data referred_client;
#if APPLE_PKINIT
inTktDebug("krb5_get_in_tkt top\n");
@@ -518,7 +537,15 @@
if (ret_as_reply)
*ret_as_reply = 0;
-
+
+ referred_client = *(creds->client);
+ referred_client.realm.data = NULL;
+ referred_client.realm.length = 0;
+
+ /* per referrals draft, enterprise principals imply canonicalization */
+ canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) ||
+ creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+
/*
* Set up the basic request structure
*/
@@ -641,6 +668,27 @@
if (retval)
goto cleanup;
continue;
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
+ err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ retval = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ retval = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ if (retval)
+ goto cleanup;
+ request.client = &referred_client;
+ continue;
} else {
retval = (krb5_error_code) err_reply->error
+ ERROR_TABLE_BASE_krb5;
@@ -692,6 +740,8 @@
else
krb5_free_kdc_rep(context, as_reply);
}
+ if (referred_client.realm.data)
+ krb5_free_data_contents(context, &referred_client.realm);
return (retval);
}
@@ -788,11 +838,9 @@
if (!nameval[0]) {
retval = ENOENT;
} else {
- *ret_value = malloc(strlen(nameval[0]) + 1);
+ *ret_value = strdup(nameval[0]);
if (!*ret_value)
retval = ENOMEM;
- else
- strcpy(*ret_value, nameval[0]);
}
profile_free_list(nameval);
@@ -925,6 +973,8 @@
krb5_timestamp time_now;
krb5_enctype etype = 0;
krb5_preauth_client_rock get_data_rock;
+ int canon_flag = 0;
+ krb5_principal_data referred_client;
/* initialize everything which will be freed at cleanup */
@@ -949,6 +999,11 @@
err_reply = NULL;
+ /* referred_client is used to rewrite the client realm for referrals */
+ referred_client = *client;
+ referred_client.realm.data = NULL;
+ referred_client.realm.length = 0;
+
/*
* Set up the basic request structure
*/
@@ -986,6 +1041,17 @@
if (tempint)
request.kdc_options |= KDC_OPT_PROXIABLE;
+ /* canonicalize */
+ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE))
+ tempint = 1;
+ else if ((ret = krb5_libdefault_boolean(context, &client->realm,
+ "canonicalize", &tempint)) == 0)
+ ;
+ else
+ tempint = 0;
+ if (tempint)
+ request.kdc_options |= KDC_OPT_CANONICALIZE;
+
/* allow_postdate */
if (start_time > 0)
@@ -1047,6 +1113,10 @@
request.client = client;
+ /* per referrals draft, enterprise principals imply canonicalization */
+ canon_flag = ((request.kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
+ client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+
/* service */
if (in_tkt_service) {
@@ -1153,7 +1223,7 @@
krb5_data random_data;
random_data.length = 4;
- random_data.data = random_buf;
+ random_data.data = (char *)random_buf;
if (krb5_c_random_make_octets(context, &random_data) == 0)
/* See RT ticket 3196 at MIT. If we set the high bit, we
may have compatibility problems with Heimdal, because
@@ -1255,6 +1325,25 @@
if (ret)
goto cleanup;
/* continue to next iteration */
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ ret = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ ret = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ if (ret)
+ goto cleanup;
+ request.client = &referred_client;
} else {
if (err_reply->e_data.length > 0) {
/* continue to next iteration */
@@ -1405,6 +1494,8 @@
*as_reply = local_as_reply;
else if (local_as_reply)
krb5_free_kdc_rep(context, local_as_reply);
+ if (referred_client.realm.data)
+ krb5_free_data_contents(context, &referred_client.realm);
return(ret);
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/gic_opt.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/gic_opt.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/gic_opt.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -43,6 +43,15 @@
}
void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize)
+{
+ if (canonicalize)
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE;
+ else
+ opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE);
+}
+
+void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length)
{
opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
Modified: branches/mkey_migrate/src/lib/krb5/krb/gic_pwd.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/gic_pwd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/gic_pwd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -45,10 +45,7 @@
if ((ret = krb5_unparse_name(context, client, &clientstr)))
return(ret);
- strcpy(promptstr, "Password for ");
- strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1);
- promptstr[sizeof(promptstr)-1] = '\0';
-
+ snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr);
free(clientstr);
prompt.prompt = promptstr;
@@ -115,11 +112,11 @@
pw0.data = pw0array;
if (password && password[0]) {
- if ((pw0.length = strlen(password)) > sizeof(pw0array)) {
- ret = EINVAL;
- goto cleanup;
+ if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
+ ret = EINVAL;
+ goto cleanup;
}
- strcpy(pw0.data, password);
+ pw0.length = strlen(password);
} else {
pw0.data[0] = '\0';
pw0.length = sizeof(pw0array);
@@ -241,7 +238,8 @@
prompt[1].reply = &pw1;
prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
- strcpy(banner, "Password expired. You must change it now.");
+ strlcpy(banner, "Password expired. You must change it now.",
+ sizeof(banner));
for (tries = 3; tries; tries--) {
pw0.length = sizeof(pw0array);
Modified: branches/mkey_migrate/src/lib/krb5/krb/init_ctx.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/init_ctx.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/init_ctx.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -488,6 +488,38 @@
return(ret);
}
+/* The same as krb5_is_permitted_enctype, but verifies multiple etype's
+ * Returns 0 is either the list of the permitted enc types is not available
+ * or all requested etypes are not permitted. Otherwise returns 1.
+ */
+
+krb5_boolean
+krb5_is_permitted_enctype_ext ( krb5_context context,
+ krb5_etypes_permitted *etypes)
+{
+ krb5_enctype *list, *ptr;
+ krb5_boolean ret = 0;
+ int i = 0;
+
+ if (krb5_get_permitted_enctypes(context, &list))
+ return(0);
+
+ for ( i=0; i< etypes->etype_count; i++ )
+ {
+ for (ptr = list; *ptr; ptr++)
+ {
+ if (*ptr == etypes->etype[i])
+ {
+ etypes->etype_ok[i] = TRUE;
+ ret = 1;
+ }
+ }
+ }
+ krb5_free_ktypes (context, list);
+
+ return(ret);
+}
+
static krb5_error_code
copy_ktypes(krb5_context ctx,
unsigned int nktypes,
Modified: branches/mkey_migrate/src/lib/krb5/krb/int-proto.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/int-proto.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/int-proto.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -54,5 +54,16 @@
const char *attr,
const char *value);
+krb5_error_code
+krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts, int kdcopt);
+
+#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
+
+#define IS_TGS_PRINC(c, p) \
+ (krb5_princ_size((c), (p)) == 2 && \
+ data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
+
#endif /* KRB5_INT_FUNC_PROTO__ */
Modified: branches/mkey_migrate/src/lib/krb5/krb/kfree.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/kfree.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/kfree.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,6 +25,33 @@
*
* krb5_free_address()
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include <kdb.h>
@@ -716,6 +743,75 @@
}
void KRB5_CALLCONV
+krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req)
+{
+ if (req == NULL)
+ return;
+ if (req->user != NULL) {
+ krb5_free_principal(context, req->user);
+ req->user = NULL;
+ }
+ krb5_free_checksum_contents(context, &req->cksum);
+ krb5_free_data_contents(context, &req->auth_package);
+ krb5_xfree(req);
+}
+
+void KRB5_CALLCONV
+krb5_free_pa_server_referral_data(krb5_context context,
+ krb5_pa_server_referral_data *ref)
+{
+ if (ref == NULL)
+ return;
+ if (ref->referred_realm) {
+ krb5_free_data(context, ref->referred_realm);
+ ref->referred_realm = NULL;
+ }
+ if (ref->true_principal_name != NULL) {
+ krb5_free_principal(context, ref->true_principal_name);
+ ref->true_principal_name = NULL;
+ }
+ if (ref->requested_principal_name != NULL) {
+ krb5_free_principal(context, ref->requested_principal_name);
+ ref->requested_principal_name = NULL;
+ }
+ krb5_free_checksum_contents(context, &ref->rep_cksum);
+ krb5_xfree(ref);
+}
+
+void KRB5_CALLCONV
+krb5_free_pa_svr_referral_data(krb5_context context,
+ krb5_pa_svr_referral_data *ref)
+{
+ if (ref == NULL)
+ return;
+ if (ref->principal != NULL) {
+ krb5_free_principal(context, ref->principal);
+ ref->principal = NULL;
+ }
+ krb5_xfree(ref);
+}
+
+void KRB5_CALLCONV
+krb5_free_pa_pac_req(krb5_context context,
+ krb5_pa_pac_req *req)
+{
+ if (req == NULL)
+ return;
+ krb5_xfree(req);
+}
+
+void KRB5_CALLCONV
+krb5_free_etype_list(krb5_context context,
+ krb5_etype_list *etypes)
+{
+ if (etypes != NULL) {
+ if (etypes->etypes != NULL)
+ krb5_xfree(etypes->etypes);
+ krb5_xfree(etypes);
+ }
+}
+
+void KRB5_CALLCONV
krb5_free_key_data_contents(krb5_context context,
krb5_key_data *key)
{
Modified: branches/mkey_migrate/src/lib/krb5/krb/mk_cred.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/mk_cred.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/mk_cred.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -174,13 +174,15 @@
/*
* Allocate memory for a NULL terminated list of tickets.
*/
- for (ncred = 0; ppcreds[ncred]; ncred++);
+ for (ncred = 0; ppcreds[ncred]; ncred++)
+ ;
if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
return ENOMEM;
if ((pcred->tickets
- = (krb5_ticket **)calloc(ncred+1, sizeof(krb5_ticket *))) == NULL) {
+ = (krb5_ticket **)calloc((size_t)ncred+1,
+ sizeof(krb5_ticket *))) == NULL) {
free(pcred);
return ENOMEM;
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/mk_rep.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/mk_rep.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/mk_rep.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,33 @@
*
* krb5_mk_rep()
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "auth_con.h"
@@ -39,9 +66,9 @@
returns system errors
*/
-krb5_error_code KRB5_CALLCONV
-krb5_mk_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *outbuf)
+static krb5_error_code
+k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
+ krb5_data *outbuf, int dce_style)
{
krb5_error_code retval;
krb5_ap_rep_enc_part repl;
@@ -58,18 +85,32 @@
return(retval);
}
- repl.ctime = auth_context->authentp->ctime;
- repl.cusec = auth_context->authentp->cusec;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ if (dce_style) {
+ krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
+ } else {
+ repl.ctime = auth_context->authentp->ctime;
+ repl.cusec = auth_context->authentp->cusec;
+ }
+
+ if (dce_style)
+ repl.subkey = NULL;
+ else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ assert(auth_context->negotiated_etype != ENCTYPE_NULL);
+
retval = krb5int_generate_and_save_subkey (context, auth_context,
- auth_context->keyblock);
+ auth_context->keyblock,
+ auth_context->negotiated_etype);
if (retval)
return retval;
repl.subkey = auth_context->send_subkey;
} else
repl.subkey = auth_context->authentp->subkey;
- repl.seq_number = auth_context->local_seq_number;
+ if (dce_style)
+ repl.seq_number = auth_context->remote_seq_number;
+ else
+ repl.seq_number = auth_context->local_seq_number;
+
/* encode it before encrypting */
if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
return retval;
@@ -95,3 +136,15 @@
return retval;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf)
+{
+ return k5_mk_rep(context, auth_context, outbuf, 0);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf)
+{
+ return k5_mk_rep(context, auth_context, outbuf, 1);
+}
Modified: branches/mkey_migrate/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/mk_req_ext.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/mk_req_ext.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -64,16 +64,25 @@
returns system errors
*/
+static krb5_error_code
+make_etype_list(krb5_context context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata);
+
static krb5_error_code
krb5_generate_authenticator (krb5_context,
krb5_authenticator *, krb5_principal,
krb5_checksum *, krb5_keyblock *,
- krb5_ui_4, krb5_authdata ** );
+ krb5_ui_4, krb5_authdata **,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype);
krb5_error_code
krb5int_generate_and_save_subkey (krb5_context context,
krb5_auth_context auth_context,
- krb5_keyblock *keyblock)
+ krb5_keyblock *keyblock,
+ krb5_enctype enctype)
{
/* Provide some more fodder for random number code.
This isn't strong cryptographically; the point here is not
@@ -92,7 +101,8 @@
if (auth_context->send_subkey)
krb5_free_keyblock(context, auth_context->send_subkey);
- if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype,
+ &auth_context->send_subkey)))
return retval;
if (auth_context->recv_subkey)
@@ -116,18 +126,23 @@
krb5_checksum checksum;
krb5_checksum *checksump = 0;
krb5_auth_context new_auth_context;
+ krb5_enctype *desired_etypes = NULL;
krb5_ap_req request;
krb5_data *scratch = 0;
krb5_data *toutbuf;
request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK;
- request.authenticator.ciphertext.data = 0;
+ request.authenticator.ciphertext.data = NULL;
request.ticket = 0;
if (!in_creds->ticket.length)
return(KRB5_NO_TKT_SUPPLIED);
+ if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) &&
+ !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
+ return(EINVAL);
+
/* we need a native ticket */
if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket)))
return(retval);
@@ -174,7 +189,8 @@
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
retval = krb5int_generate_and_save_subkey (context, *auth_context,
- &in_creds->keyblock);
+ &in_creds->keyblock,
+ in_creds->keyblock.enctype);
if (retval)
goto cleanup;
}
@@ -205,12 +221,23 @@
goto cleanup_cksum;
}
+ if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) {
+ if ((*auth_context)->permitted_etypes == NULL) {
+ retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
+ if (retval)
+ goto cleanup_cksum;
+ } else
+ desired_etypes = (*auth_context)->permitted_etypes;
+ }
+
if ((retval = krb5_generate_authenticator(context,
(*auth_context)->authentp,
- (in_creds)->client, checksump,
+ in_creds->client, checksump,
(*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
- (in_creds)->authdata)))
+ in_creds->authdata,
+ desired_etypes,
+ in_creds->keyblock.enctype)))
goto cleanup_cksum;
/* encode the authenticator */
@@ -223,7 +250,6 @@
*/
(*auth_context)->authentp->client = NULL;
(*auth_context)->authentp->checksum = NULL;
- (*auth_context)->authentp->authorization_data = NULL;
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
@@ -242,6 +268,9 @@
free(checksump->contents);
cleanup:
+ if (desired_etypes &&
+ desired_etypes != (*auth_context)->permitted_etypes)
+ krb5_xfree(desired_etypes);
if (request.ticket)
krb5_free_ticket(context, request.ticket);
if (request.authenticator.ciphertext.data) {
@@ -261,7 +290,9 @@
krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
krb5_principal client, krb5_checksum *cksum,
krb5_keyblock *key, krb5_ui_4 seq_number,
- krb5_authdata **authorization)
+ krb5_authdata **authorization,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype)
{
krb5_error_code retval;
@@ -274,7 +305,116 @@
} else
authent->subkey = 0;
authent->seq_number = seq_number;
- authent->authorization_data = authorization;
+ authent->authorization_data = NULL;
+ if (authorization != NULL) {
+ retval = krb5_copy_authdata(context, authorization,
+ &authent->authorization_data);
+ if (retval)
+ return retval;
+ }
+ /* Only send EtypeList if we prefer another enctype to tkt_enctype */
+ if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
+ retval = make_etype_list(context, desired_etypes, tkt_enctype,
+ &authent->authorization_data);
+ if (retval)
+ return retval;
+ }
+
return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
}
+
+/* RFC 4537 */
+static krb5_error_code
+make_etype_list(krb5_context context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata)
+{
+ krb5_error_code code;
+ krb5_etype_list etypes;
+ krb5_data *enc_etype_list;
+ krb5_data *ad_if_relevant;
+ krb5_authdata *etype_adata[2], etype_adatum, **adata;
+ int i;
+
+ etypes.etypes = desired_etypes;
+
+ for (etypes.length = 0;
+ etypes.etypes[etypes.length] != ENCTYPE_NULL;
+ etypes.length++)
+ ;
+
+ /*
+ * RFC 4537:
+ *
+ * If the enctype of the ticket session key is included in the enctype
+ * list sent by the client, it SHOULD be the last on the list;
+ */
+ for (i = 0; i < etypes.length; i++) {
+ if (etypes.etypes[i] == tkt_enctype) {
+ krb5_enctype etype;
+
+ etype = etypes.etypes[etypes.length - 1];
+ etypes.etypes[etypes.length - 1] = tkt_enctype;
+ etypes.etypes[i] = etype;
+ break;
+ }
+ }
+
+ code = encode_krb5_etype_list(&etypes, &enc_etype_list);
+ if (code) {
+ return code;
+ }
+
+ etype_adatum.magic = KV5M_AUTHDATA;
+ etype_adatum.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION;
+ etype_adatum.length = enc_etype_list->length;
+ etype_adatum.contents = (krb5_octet *)enc_etype_list->data;
+
+ etype_adata[0] = &etype_adatum;
+ etype_adata[1] = NULL;
+
+ /* Wrap in AD-IF-RELEVANT container */
+ code = encode_krb5_authdata(etype_adata, &ad_if_relevant);
+ if (code) {
+ krb5_free_data(context, enc_etype_list);
+ return code;
+ }
+
+ krb5_free_data(context, enc_etype_list);
+
+ adata = *authdata;
+ if (adata == NULL) {
+ adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
+ i = 0;
+ } else {
+ for (i = 0; adata[i] != NULL; i++)
+ ;
+
+ adata = (krb5_authdata **)realloc(*authdata,
+ (i + 2) * sizeof(krb5_authdata *));
+ }
+ if (adata == NULL) {
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
+ }
+
+ adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata));
+ if (adata[i] == NULL) {
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
+ }
+ adata[i]->magic = KV5M_AUTHDATA;
+ adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+ adata[i]->length = ad_if_relevant->length;
+ adata[i]->contents = (krb5_octet *)ad_if_relevant->data;
+ krb5_xfree(ad_if_relevant); /* contents owned by adata[i] */
+
+ adata[i + 1] = NULL;
+
+ *authdata = adata;
+
+ return 0;
+}
+
Copied: branches/mkey_migrate/src/lib/krb5/krb/pac.c (from rev 21721, trunk/src/lib/krb5/krb/pac.c)
Modified: branches/mkey_migrate/src/lib/krb5/krb/parse.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/parse.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/parse.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/parse.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -59,17 +59,17 @@
#define FCOMPNUM 10
-
/*
* May the fleas of a thousand camels infest the ISO, they who think
* that arbitrarily large multi-component names are a Good Thing.....
*/
-krb5_error_code KRB5_CALLCONV
-krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal)
+static krb5_error_code
+k5_parse_name(krb5_context context, const char *name,
+ int flags, krb5_principal *nprincipal)
{
register const char *cp;
register char *q;
- register int i,c,size;
+ register int i,c,size;
int components = 0;
const char *parsed_realm = NULL;
int fcompsize[FCOMPNUM];
@@ -79,24 +79,28 @@
char *tmpdata;
krb5_principal principal;
krb5_error_code retval;
-
+ unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
+ int first_at;
+
/*
* Pass 1. Find out how many components there are to the name,
- * and get string sizes for the first FCOMPNUM components.
+ * and get string sizes for the first FCOMPNUM components. For
+ * enterprise principal names (UPNs), there is only a single
+ * component.
*/
size = 0;
- for (i=0,cp = name; (c = *cp); cp++) {
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
if (c == QUOTECHAR) {
cp++;
if (!(c = *cp))
/*
- * QUOTECHAR can't be at the last
- * character of the name!
- */
+ * QUOTECHAR can't be at the last
+ * character of the name!
+ */
return(KRB5_PARSE_MALFORMED);
size++;
continue;
- } else if (c == COMPONENT_SEP) {
+ } else if (c == COMPONENT_SEP && !enterprise) {
if (parsed_realm)
/*
* Shouldn't see a component separator
@@ -108,22 +112,26 @@
}
size = 0;
i++;
- } else if (c == REALM_SEP) {
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
if (parsed_realm)
/*
* Multiple realm separaters
* not allowed; zero-length realms are.
*/
return(KRB5_PARSE_MALFORMED);
- parsed_realm = cp+1;
+ parsed_realm = cp + 1;
if (i < FCOMPNUM) {
fcompsize[i] = size;
}
size = 0;
- } else
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
+
size++;
+ }
}
- if (parsed_realm)
+ if (parsed_realm != NULL)
realmsize = size;
else if (i < FCOMPNUM)
fcompsize[i] = size;
@@ -133,20 +141,30 @@
* component pieces
*/
principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
- if (!principal) {
- return(ENOMEM);
+ if (principal == NULL) {
+ return(ENOMEM);
}
principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
- if (!principal->data) {
- free((char *)principal);
+ if (principal->data == NULL) {
+ krb5_xfree((char *)principal);
return ENOMEM;
}
principal->length = components;
+
/*
- * If a realm was not found, then use the defualt realm....
+ * If a realm was not found, then use the default realm, unless
+ * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
+ * realm will be empty.
*/
if (!parsed_realm) {
- if (!default_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s is missing required realm", name);
+ krb5_xfree(principal->data);
+ krb5_xfree(principal);
+ return KRB5_PARSE_MALFORMED;
+ }
+ if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
retval = krb5_get_default_realm(context, &default_realm);
if (retval) {
krb5_xfree(principal->data);
@@ -156,7 +174,14 @@
default_realm_size = strlen(default_realm);
}
realmsize = default_realm_size;
+ } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s has realm present", name);
+ krb5_xfree(principal->data);
+ krb5_xfree(principal);
+ return KRB5_PARSE_MALFORMED;
}
+
/*
* Pass 2. Happens only if there were more than FCOMPNUM
* component; if this happens, someone should be shot
@@ -208,7 +233,7 @@
/*
* Now, we need to allocate the space for the strings themselves.....
*/
- tmpdata = malloc(realmsize+1);
+ tmpdata = malloc(realmsize + 1);
if (tmpdata == 0) {
krb5_xfree(principal->data);
krb5_xfree(principal);
@@ -220,7 +245,7 @@
for (i=0; i < components; i++) {
char *tmpdata2 =
malloc(krb5_princ_component(context, principal, i)->length + 1);
- if (!tmpdata2) {
+ if (tmpdata2 == NULL) {
for (i--; i >= 0; i--)
krb5_xfree(krb5_princ_component(context, principal, i)->data);
krb5_xfree(krb5_princ_realm(context, principal)->data);
@@ -239,7 +264,7 @@
* allocated.
*/
q = krb5_princ_component(context, principal, 0)->data;
- for (i=0,cp = name; (c = *cp); cp++) {
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
if (c == QUOTECHAR) {
cp++;
switch (c = *cp) {
@@ -257,29 +282,57 @@
break;
default:
*q++ = c;
+ break;
}
- } else if ((c == COMPONENT_SEP) || (c == REALM_SEP)) {
+ } else if (c == COMPONENT_SEP && !enterprise) {
i++;
*q++ = '\0';
- if (c == COMPONENT_SEP)
- q = krb5_princ_component(context, principal, i)->data;
- else
- q = krb5_princ_realm(context, principal)->data;
- } else
+ q = krb5_princ_component(context, principal, i)->data;
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
+ i++;
+ *q++ = '\0';
+ q = krb5_princ_realm(context, principal)->data;
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
+
*q++ = c;
+ }
}
*q++ = '\0';
- if (!parsed_realm)
- strcpy(krb5_princ_realm(context, principal)->data, default_realm);
+ if (!parsed_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM)
+ (krb5_princ_realm(context, principal)->data)[0] = '\0';
+ else
+ strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1);
+ }
/*
* Alright, we're done. Now stuff a pointer to this monstrosity
* into the return variable, and let's get out of here.
*/
- krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
+ if (enterprise)
+ krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL;
+ else
+ krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
principal->magic = KV5M_PRINCIPAL;
principal->realm.magic = KV5M_DATA;
*nprincipal = principal;
- krb5_xfree(default_realm);
+ if (default_realm != NULL)
+ krb5_xfree(default_realm);
+
return(0);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal)
+{
+ return k5_parse_name(context, name, 0, nprincipal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_parse_name_flags(krb5_context context, const char *name,
+ int flags, krb5_principal *nprincipal)
+{
+ return k5_parse_name(context, name, flags, nprincipal);
+}
Modified: branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_cert_store.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_cert_store.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_cert_store.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -594,7 +594,7 @@
}
cpOut = outstr;
for(dex=0; dex<CC_SHA1_DIGEST_LENGTH; dex++) {
- sprintf(cpOut, "%02X", (unsigned)(digest[dex]));
+ snprintf(cpOut, 3, "%02X", (unsigned)(digest[dex]));
cpOut += 2;
}
*cpOut = '\0';
Modified: branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_utils.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_utils.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/pkinit_apple_utils.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -301,13 +301,11 @@
utc->tm_min > 59 || utc->tm_sec > 59) {
return ASN1_BAD_GMTIME;
}
- outStr = (char *)malloc(16);
- if(outStr == NULL) {
+ if (asprintf(&outStr, "%04d%02d%02d%02d%02d%02dZ",
+ utc->tm_year + 1900, utc->tm_mon + 1,
+ utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) {
return ENOMEM;
}
- sprintf(outStr, "%04d%02d%02d%02d%02d%02dZ",
- utc->tm_year + 1900, utc->tm_mon + 1,
- utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec);
*str = outStr;
return 0;
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/preauth.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/preauth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/preauth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -397,10 +397,7 @@
unsigned int prompt_len = sc->sam_response_prompt.length;
char *challenge = sc->sam_challenge.data;
unsigned int challenge_len = sc->sam_challenge.length;
- char *prompt1, *p;
- char *sep1 = ": [";
- char *sep2 = "]\n";
- char *sep3 = ": ";
+ struct k5buf buf;
if (sc->sam_cksum.length == 0) {
/* or invalid -- but lets just handle presence now XXX */
@@ -438,20 +435,16 @@
Challenge for Digital Pathways mechanism: [134591]
Passcode:
*/
- p = prompt1 = malloc(label_len + strlen(sep1) +
- challenge_len + strlen(sep2) +
- prompt_len+ strlen(sep3) + 1);
- if (p == NULL)
- return NULL;
+ krb5int_buf_init_dynamic(&buf);
if (challenge_len) {
- strncpy(p, label, label_len); p += label_len;
- strcpy(p, sep1); p += strlen(sep1);
- strncpy(p, challenge, challenge_len); p += challenge_len;
- strcpy(p, sep2); p += strlen(sep2);
+ krb5int_buf_add_len(&buf, label, label_len);
+ krb5int_buf_add(&buf, ": [");
+ krb5int_buf_add_len(&buf, challenge, challenge_len);
+ krb5int_buf_add(&buf, "]\n");
}
- strncpy(p, prompt, prompt_len); p += prompt_len;
- strcpy(p, sep3); /* p += strlen(sep3); */
- return prompt1;
+ krb5int_buf_add_len(&buf, prompt, prompt_len);
+ krb5int_buf_add(&buf, ": ");
+ return krb5int_buf_data(&buf);
}
/*
Modified: branches/mkey_migrate/src/lib/krb5/krb/preauth2.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/preauth2.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/preauth2.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -792,7 +792,7 @@
return(ret);
if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
return(KRB5_SAM_UNSUPPORTED);
}
@@ -842,7 +842,7 @@
krb5int_set_prompt_types(context, &prompt_type);
if ((ret = ((*prompter)(context, prompter_data, name,
banner, 1, &kprompt)))) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
krb5int_set_prompt_types(context, 0);
return(ret);
}
@@ -853,8 +853,8 @@
if ((ret = krb5_us_timeofday(context,
&enc_sam_response_enc.sam_timestamp,
&enc_sam_response_enc.sam_usec))) {
- krb5_xfree(sam_challenge);
- return(ret);
+ krb5_free_sam_challenge(context,sam_challenge);
+ return(ret);
}
sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
@@ -878,7 +878,7 @@
if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
if ((ret = krb5_principal2salt(context, request->client,
&defsalt))) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
return(ret);
}
@@ -896,7 +896,7 @@
krb5_xfree(defsalt.data);
if (ret) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
return(ret);
}
@@ -916,7 +916,7 @@
if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
if (ret = krb5_principal2salt(context, request->client,
&defsalt)) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
return(ret);
}
@@ -940,7 +940,7 @@
krb5_xfree(defsalt.data);
if (ret) {
- krb5_xfree(sam_challenge);
+ krb5_free_sam_challenge(context, sam_challenge);
return(ret);
}
@@ -991,6 +991,8 @@
*out_padata = pa;
+ krb5_xfree(scratch);
+
return(0);
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/princ_comp.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/princ_comp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/princ_comp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,37 +29,116 @@
*/
#include "k5-int.h"
+#include "k5-unicode.h"
+static krb5_boolean
+realm_compare_flags(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
+{
+ const krb5_data *realm1 = krb5_princ_realm(context, princ1);
+ const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+
+ if (realm1->length != realm2->length)
+ return FALSE;
+
+ return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ?
+ (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
+ (memcmp(realm1->data, realm2->data, realm2->length) == 0);
+}
+
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
{
- if (!data_eq(*krb5_princ_realm(context, princ1),
- *krb5_princ_realm(context, princ2)))
- return FALSE;
+ return realm_compare_flags(context, princ1, princ2, 0);
+}
- return TRUE;
+static krb5_error_code
+upn_to_principal(krb5_context context,
+ krb5_const_principal princ,
+ krb5_principal *upn)
+{
+ char *unparsed_name;
+ krb5_error_code code;
+
+ code = krb5_unparse_name_flags(context, princ,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &unparsed_name);
+ if (code) {
+ *upn = NULL;
+ return code;
+ }
+
+ code = krb5_parse_name(context, unparsed_name, upn);
+
+ free(unparsed_name);
+
+ return code;
}
krb5_boolean KRB5_CALLCONV
-krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
+krb5_principal_compare_flags(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
{
register int i;
krb5_int32 nelem;
+ unsigned int utf8 = (flags & KRB5_PRINCIPAL_COMPARE_UTF8) != 0;
+ unsigned int casefold = (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) != 0;
+ krb5_principal upn1 = NULL;
+ krb5_principal upn2 = NULL;
+ krb5_boolean ret = FALSE;
+ if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+ /* Treat UPNs as if they were real principals */
+ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ1, &upn1) == 0)
+ princ1 = upn1;
+ }
+ if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ2, &upn2) == 0)
+ princ2 = upn2;
+ }
+ }
+
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
- return FALSE;
+ goto out;
- if (! krb5_realm_compare(context, princ1, princ2))
- return FALSE;
+ if ((flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) == 0 &&
+ !realm_compare_flags(context, princ1, princ2, flags))
+ goto out;
for (i = 0; i < (int) nelem; i++) {
register const krb5_data *p1 = krb5_princ_component(context, princ1, i);
register const krb5_data *p2 = krb5_princ_component(context, princ2, i);
- if (!data_eq(*p1, *p2))
- return FALSE;
+ int cmp;
+
+ if (casefold) {
+ if (utf8)
+ cmp = krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD);
+ else
+ cmp = p1->length == p2->length ?
+ strncasecmp(p1->data, p2->data, p2->length) :
+ p1->length - p2->length;
+ } else
+ cmp = !data_eq(*p1, *p2);
+
+ if (cmp != 0)
+ goto out;
}
- return TRUE;
+
+ ret = TRUE;
+
+out:
+ if (upn1 != NULL)
+ krb5_free_principal(context, upn1);
+ if (upn2 != NULL)
+ krb5_free_principal(context, upn2);
+
+ return ret;
}
krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
@@ -81,3 +160,20 @@
else
return FALSE;
}
+
+krb5_boolean KRB5_CALLCONV
+krb5_principal_compare(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
+{
+ return krb5_principal_compare_flags(context, princ1, princ2, 0);
+}
+
+krb5_boolean KRB5_CALLCONV
+krb5_principal_compare_any_realm(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
+{
+ return krb5_principal_compare_flags(context, princ1, princ2, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
+}
+
Modified: branches/mkey_migrate/src/lib/krb5/krb/rd_priv.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/rd_priv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/rd_priv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -265,7 +265,9 @@
error:;
krb5_xfree(outbuf->data);
+ outbuf->length = 0;
+ outbuf->data = NULL;
+
return retval;
-
}
Modified: branches/mkey_migrate/src/lib/krb5/krb/rd_rep.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/rd_rep.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/rd_rep.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -26,6 +26,33 @@
*
* krb5_rd_rep()
*/
+/*
+ * Copyright (c) 2006-2008, Novell, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * The copyright holder's name is not used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include "k5-int.h"
#include "auth_con.h"
@@ -102,6 +129,8 @@
krb5_free_keyblock(context, auth_context->send_subkey);
auth_context->send_subkey = NULL;
}
+ /* not used for anything yet */
+ auth_context->negotiated_etype = (*repl)->subkey->enctype;
}
/* Get remote sequence number */
@@ -114,3 +143,60 @@
free(scratch.data);
return retval;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
+ const krb5_data *inbuf, krb5_ui_4 *nonce)
+{
+ krb5_error_code retval;
+ krb5_ap_rep * reply;
+ krb5_data scratch;
+ krb5_ap_rep_enc_part *repl;
+
+ if (!krb5_is_ap_rep(inbuf))
+ return KRB5KRB_AP_ERR_MSG_TYPE;
+
+ /* decode it */
+
+ if ((retval = decode_krb5_ap_rep(inbuf, &reply)))
+ return retval;
+
+ /* put together an eblock for this encryption */
+
+ scratch.length = reply->enc_part.ciphertext.length;
+ if (!(scratch.data = malloc(scratch.length))) {
+ krb5_free_ap_rep(context, reply);
+ return(ENOMEM);
+ }
+
+ if ((retval = krb5_c_decrypt(context, auth_context->keyblock,
+ KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
+ &reply->enc_part, &scratch)))
+ goto clean_scratch;
+
+ /* now decode the decrypted stuff */
+ retval = decode_krb5_ap_rep_enc_part(&scratch, &repl);
+ if (retval)
+ goto clean_scratch;
+
+ *nonce = repl->seq_number;
+ if (*nonce != auth_context->local_seq_number) {
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
+ }
+
+ /* Must be NULL to prevent echoing for client AP-REP */
+ if (repl->subkey != NULL) {
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
+ }
+
+clean_scratch:
+ memset(scratch.data, 0, scratch.length);
+
+ if (repl != NULL)
+ krb5_free_ap_rep_enc_part(context, repl);
+ krb5_free_ap_rep(context, reply);
+ free(scratch.data);
+ return retval;
+}
Modified: branches/mkey_migrate/src/lib/krb5/krb/rd_req.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/rd_req.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/rd_req.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -77,19 +77,6 @@
*auth_context = new_auth_context;
}
- if (!server) {
- server = request->ticket->server;
- }
- /* Get an rcache if necessary. */
- if (((*auth_context)->rcache == NULL)
- && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
- && server) {
- if ((retval = krb5_get_server_rcache(context,
- krb5_princ_component(context,
- server,0),
- &(*auth_context)->rcache)))
- goto cleanup_auth_context;
- }
#ifndef LEAN_CLIENT
/* Get a keytab if necessary. */
Modified: branches/mkey_migrate/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/rd_req_dec.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/rd_req_dec.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,7 +2,7 @@
* lib/krb5/krb/rd_req_dec.c
*
* Copyright (c) 1994 CyberSAFE Corporation.
- * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -62,6 +62,19 @@
static krb5_error_code decrypt_authenticator
(krb5_context, const krb5_ap_req *, krb5_authenticator **,
int);
+static krb5_error_code
+decode_etype_list(krb5_context context,
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len);
+static krb5_error_code
+negotiate_etype(krb5_context context,
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype);
krb5_error_code
krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
@@ -79,27 +92,83 @@
static krb5_error_code
krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
- krb5_keytab keytab)
+ krb5_const_principal server, krb5_keytab keytab)
{
krb5_error_code retval;
- krb5_enctype enctype;
krb5_keytab_entry ktent;
- enctype = req->ticket->enc_part.enctype;
+ retval = KRB5_KT_NOTFOUND;
#ifndef LEAN_CLIENT
- if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server,
- req->ticket->enc_part.kvno,
- enctype, &ktent)))
- return retval;
+ if (server != NULL || keytab->ops->start_seq_get == NULL) {
+ retval = krb5_kt_get_entry(context, keytab,
+ server != NULL ? server : req->ticket->server,
+ req->ticket->enc_part.kvno,
+ req->ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+ } else {
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
+
+ retval = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (retval != 0)
+ goto map_error;
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != req->ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5_decrypt_tkt_part(context, &ktent.key,
+ req->ticket);
+
+ if (retval == 0) {
+ krb5_principal tmp;
+
+ /*
+ * We overwrite ticket->server to be the principal
+ * that we match in the keytab. The reason for doing
+ * this is that GSS-API and other consumers look at
+ * that principal to make authorization decisions
+ * about whether the appropriate server is contacted.
+ * It might be cleaner to create a new API and store
+ * the server in the auth_context, but doing so would
+ * probably miss existing uses of the server. Instead,
+ * perhaps an API should be created to retrieve the
+ * server as it appeared in the ticket.
+ */
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0) {
+ krb5_free_principal(context, req->ticket->server);
+ req->ticket->server = tmp;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
+ }
#endif /* LEAN_CLIENT */
- retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
- /* Upon error, Free keytab entry first, then return */
+map_error:
+ switch (retval) {
+ case KRB5_KT_KVNONOTFOUND:
+ case KRB5_KT_NOTFOUND:
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
+ default:
+ break;
+ }
-#ifndef LEAN_CLIENT
- (void) krb5_kt_free_entry(context, &ktent);
-#endif /* LEAN_CLIENT */
return retval;
}
@@ -134,8 +203,13 @@
krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
- krb5_principal_data princ_data;
-
+ krb5_principal_data princ_data;
+ krb5_enctype *desired_etypes = NULL;
+ int desired_etypes_len = 0;
+ int rfc4537_etypes_len = 0;
+ krb5_enctype *permitted_etypes = NULL;
+ int permitted_etypes_len = 0;
+
req->ticket->enc_part2 = NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
char *realm;
@@ -147,19 +221,8 @@
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
- if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
- char *found_name = 0, *wanted_name = 0;
- if (krb5_unparse_name(context, server, &wanted_name) == 0
- && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
- krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
- "Wrong principal in request (found %s, wanted %s)",
- found_name, wanted_name);
- krb5_free_unparsed_name(context, wanted_name);
- krb5_free_unparsed_name(context, found_name);
- retval = KRB5KRB_AP_WRONG_PRINC;
- goto cleanup;
- }
+
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
@@ -171,18 +234,19 @@
krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
- if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
+ if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
goto cleanup;
}
/* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
+#ifndef LEAN_CLIENT
if ((retval = decrypt_authenticator(context, req,
&((*auth_context)->authentp),
check_valid_flag)))
goto cleanup;
-
+#endif
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
req->ticket->enc_part2->client)) {
retval = KRB5KRB_AP_ERR_BADMATCH;
@@ -196,6 +260,19 @@
goto cleanup;
}
+ if (!server) {
+ server = req->ticket->server;
+ }
+ /* Get an rcache if necessary. */
+ if (((*auth_context)->rcache == NULL)
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+ && server) {
+ if ((retval = krb5_get_server_rcache(context,
+ krb5_princ_component(context,
+ server,0),
+ &(*auth_context)->rcache)))
+ goto cleanup;
+ }
/* okay, now check cross-realm policy */
#if defined(_SINGLE_HOP_ONLY)
@@ -295,81 +372,86 @@
}
}
- /* check if the various etypes are permitted */
+ /* read RFC 4537 etype list from sender */
+ retval = decode_etype_list(context,
+ (*auth_context)->authentp,
+ &desired_etypes,
+ &rfc4537_etypes_len);
+ if (retval != 0)
+ goto cleanup;
- if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
- /* no etype check needed */;
- } else if ((*auth_context)->permitted_etypes == NULL) {
- int etype;
- /* check against the default set */
- if ((!krb5_is_permitted_enctype(context,
- etype = req->ticket->enc_part.enctype)) ||
- (!krb5_is_permitted_enctype(context,
- etype = req->ticket->enc_part2->session->enctype)) ||
- (((*auth_context)->authentp->subkey) &&
- !krb5_is_permitted_enctype(context,
- etype = (*auth_context)->authentp->subkey->enctype))) {
- char enctype_name[30];
- retval = KRB5_NOPERM_ETYPE;
- if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, retval,
- "Encryption type %s not permitted",
- enctype_name);
- goto cleanup;
- }
- } else {
- /* check against the set in the auth_context */
- int i;
+ if (desired_etypes == NULL)
+ desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
+ else
+ desired_etypes = (krb5_enctype *)realloc(desired_etypes,
+ (rfc4537_etypes_len + 4) *
+ sizeof(krb5_enctype));
+ if (desired_etypes == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
- for (i=0; (*auth_context)->permitted_etypes[i]; i++)
- if ((*auth_context)->permitted_etypes[i] ==
- req->ticket->enc_part.enctype)
- break;
- if (!(*auth_context)->permitted_etypes[i]) {
- char enctype_name[30];
- retval = KRB5_NOPERM_ETYPE;
- if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
- enctype_name, sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, retval,
- "Encryption type %s not permitted",
- enctype_name);
- goto cleanup;
- }
-
- for (i=0; (*auth_context)->permitted_etypes[i]; i++)
- if ((*auth_context)->permitted_etypes[i] ==
- req->ticket->enc_part2->session->enctype)
- break;
- if (!(*auth_context)->permitted_etypes[i]) {
- char enctype_name[30];
- retval = KRB5_NOPERM_ETYPE;
- if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
- enctype_name, sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, retval,
- "Encryption type %s not permitted",
- enctype_name);
- goto cleanup;
- }
-
- if ((*auth_context)->authentp->subkey) {
- for (i=0; (*auth_context)->permitted_etypes[i]; i++)
- if ((*auth_context)->permitted_etypes[i] ==
- (*auth_context)->authentp->subkey->enctype)
- break;
- if (!(*auth_context)->permitted_etypes[i]) {
- char enctype_name[30];
- retval = KRB5_NOPERM_ETYPE;
- if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
- enctype_name,
- sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, retval,
- "Encryption type %s not permitted",
- enctype_name);
+ desired_etypes_len = rfc4537_etypes_len;
+
+ /*
+ * RFC 4537:
+ *
+ * If the EtypeList is present and the server prefers an enctype from
+ * the client's enctype list over that of the AP-REQ authenticator
+ * subkey (if that is present) or the service ticket session key, the
+ * server MUST create a subkey using that enctype. This negotiated
+ * subkey is sent in the subkey field of AP-REP message, and it is then
+ * used as the protocol key or base key [RFC3961] for subsequent
+ * communication.
+ *
+ * If the enctype of the ticket session key is included in the enctype
+ * list sent by the client, it SHOULD be the last on the list;
+ * otherwise, this enctype MUST NOT be negotiated if it was not included
+ * in the list.
+ *
+ * The second paragraph does appear to contradict the first with respect
+ * to whether it is legal to negotiate the ticket session key type if it
+ * is absent in the EtypeList. A literal reading suggests that we can use
+ * the AP-REQ subkey enctype. Also a client has no way of distinguishing
+ * a server that does not RFC 4537 from one that has chosen the same
+ * enctype as the ticket session key for the acceptor subkey, surely.
+ */
+
+ if ((*auth_context)->authentp->subkey != NULL) {
+ desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype;
+ }
+ desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype;
+ desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype;
+ desired_etypes[desired_etypes_len] = ENCTYPE_NULL;
+
+ if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) {
+ if ((*auth_context)->permitted_etypes != NULL) {
+ permitted_etypes = (*auth_context)->permitted_etypes;
+ } else {
+ retval = krb5_get_permitted_enctypes(context, &permitted_etypes);
+ if (retval != 0)
goto cleanup;
- }
}
+ for (permitted_etypes_len = 0;
+ permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL;
+ permitted_etypes_len++)
+ ;
+ } else {
+ permitted_etypes = NULL;
+ permitted_etypes_len = 0;
}
+ /* check if the various etypes are permitted */
+ retval = negotiate_etype(context,
+ desired_etypes, desired_etypes_len,
+ rfc4537_etypes_len,
+ permitted_etypes, permitted_etypes_len,
+ &(*auth_context)->negotiated_etype);
+ if (retval != 0)
+ goto cleanup;
+
+ assert((*auth_context)->negotiated_etype != ENCTYPE_NULL);
+
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
@@ -408,11 +490,22 @@
if (ticket)
if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
goto cleanup;
- if (ap_req_options)
- *ap_req_options = req->ap_options;
+ if (ap_req_options) {
+ *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
+ if (rfc4537_etypes_len != 0)
+ *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
+ if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype)
+ *ap_req_options |= AP_OPTS_USE_SUBKEY;
+ }
+
retval = 0;
cleanup:
+ if (desired_etypes != NULL)
+ krb5_xfree(desired_etypes);
+ if (permitted_etypes != NULL &&
+ permitted_etypes != (*auth_context)->permitted_etypes)
+ krb5_xfree(permitted_etypes);
if (server == &princ_data)
krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
@@ -454,6 +547,7 @@
return retval;
}
+#ifndef LEAN_CLIENT
static krb5_error_code
decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
krb5_authenticator **authpp, int is_ap_req)
@@ -488,3 +582,131 @@
clean_scratch();
return retval;
}
+#endif
+
+static krb5_error_code
+negotiate_etype(krb5_context context,
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype)
+{
+ int i, j;
+
+ *negotiated_etype = ENCTYPE_NULL;
+
+ /* mandatory segment of desired_etypes must be permitted */
+ for (i = mandatory_etypes_index; i < desired_etypes_len; i++) {
+ krb5_boolean permitted = FALSE;
+
+ for (j = 0; j < permitted_etypes_len; j++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ permitted = TRUE;
+ break;
+ }
+ }
+
+ if (permitted == FALSE) {
+ char enctype_name[30];
+
+ if (krb5_enctype_to_string(desired_etypes[i],
+ enctype_name,
+ sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
+ "Encryption type %s not permitted",
+ enctype_name);
+ return KRB5_NOPERM_ETYPE;
+ }
+ }
+
+ /*
+ * permitted_etypes is ordered from most to least preferred;
+ * find first desired_etype that matches.
+ */
+ for (j = 0; j < permitted_etypes_len; j++) {
+ for (i = 0; i < desired_etypes_len; i++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ *negotiated_etype = permitted_etypes[j];
+ return 0;
+ }
+ }
+ }
+
+ /*NOTREACHED*/
+ return KRB5_NOPERM_ETYPE;
+}
+
+static krb5_error_code
+decode_etype_list(krb5_context context,
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len)
+{
+ krb5_error_code code;
+ krb5_authdata **ad_if_relevant = NULL;
+ krb5_authdata *etype_adata = NULL;
+ krb5_etype_list *etype_list = NULL;
+ int i, j;
+ krb5_data data;
+
+ *desired_etypes = NULL;
+
+ if (authp->authorization_data == NULL)
+ return 0;
+
+ /*
+ * RFC 4537 says that ETYPE_NEGOTIATION auth data should be wrapped
+ * in AD_IF_RELEVANT, but we handle the case where it is mandatory.
+ */
+ for (i = 0; authp->authorization_data[i] != NULL; i++) {
+ switch (authp->authorization_data[i]->ad_type) {
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ code = krb5_decode_authdata_container(context,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ authp->authorization_data[i],
+ &ad_if_relevant);
+ if (code != 0)
+ continue;
+
+ for (j = 0; ad_if_relevant[j] != NULL; j++) {
+ if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) {
+ etype_adata = ad_if_relevant[j];
+ break;
+ }
+ }
+ if (etype_adata == NULL) {
+ krb5_free_authdata(context, ad_if_relevant);
+ ad_if_relevant = NULL;
+ }
+ break;
+ case KRB5_AUTHDATA_ETYPE_NEGOTIATION:
+ etype_adata = authp->authorization_data[i];
+ break;
+ default:
+ break;
+ }
+ if (etype_adata != NULL)
+ break;
+ }
+
+ if (etype_adata == NULL)
+ return 0;
+
+ data.data = (char *)etype_adata->contents;
+ data.length = etype_adata->length;
+
+ code = decode_krb5_etype_list(&data, &etype_list);
+ if (code == 0) {
+ *desired_etypes = etype_list->etypes;
+ *desired_etypes_len = etype_list->length;
+ krb5_xfree(etype_list);
+ }
+
+ if (ad_if_relevant != NULL)
+ krb5_free_authdata(context, ad_if_relevant);
+
+ return code;
+}
+
Modified: branches/mkey_migrate/src/lib/krb5/krb/rd_safe.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/rd_safe.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/rd_safe.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -58,6 +58,7 @@
krb5_octet zero_octet = 0;
krb5_data *scratch;
krb5_boolean valid;
+ struct krb5_safe_with_body swb;
if (!krb5_is_krb_safe(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -116,7 +117,9 @@
message->checksum = &our_cksum;
- retval = encode_krb5_safe_with_body(message, &safe_body, &scratch);
+ swb.body = &safe_body;
+ swb.safe = message;
+ retval = encode_krb5_safe_with_body(&swb, &scratch);
message->checksum = his_cksum;
if (retval)
goto cleanup;
Modified: branches/mkey_migrate/src/lib/krb5/krb/send_tgs.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/send_tgs.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/send_tgs.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -167,8 +167,7 @@
if (authorization_data) {
/* need to encrypt it in the request */
- if ((retval = encode_krb5_authdata((const krb5_authdata**)authorization_data,
- &scratch)))
+ if ((retval = encode_krb5_authdata(authorization_data, &scratch)))
return(retval);
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
Modified: branches/mkey_migrate/src/lib/krb5/krb/ser_actx.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/ser_actx.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/ser_actx.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -550,8 +550,10 @@
kret = krb5_ser_authdata_init(kcontext);
if (!kret)
kret = krb5_ser_address_init(kcontext);
+#ifndef LEAN_CLIENT
if (!kret)
kret = krb5_ser_authenticator_init(kcontext);
+#endif
if (!kret)
kret = krb5_ser_checksum_init(kcontext);
if (!kret)
Modified: branches/mkey_migrate/src/lib/krb5/krb/ser_auth.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/ser_auth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/ser_auth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,6 +28,9 @@
/*
* ser_auth.c - Serialize krb5_authenticator structure.
*/
+
+#ifndef LEAN_CLIENT
+
#include "k5-int.h"
#include "int-proto.h"
@@ -335,7 +338,6 @@
}
return(kret);
}
-
/*
* Register the authenticator serializer.
*/
@@ -344,3 +346,4 @@
{
return(krb5_register_serializer(kcontext, &krb5_authenticator_ser_entry));
}
+#endif
Modified: branches/mkey_migrate/src/lib/krb5/krb/serialize.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/serialize.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/serialize.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -62,7 +62,8 @@
kret = 0;
/* See if it's already there, if so, we're good to go. */
- if (!(stable = krb5_find_serializer(kcontext, entry->odtype))) {
+ if (!(stable = (krb5_ser_entry *)krb5_find_serializer(kcontext,
+ entry->odtype))) {
/*
* Can't find our type. Create a new entry.
*/
Modified: branches/mkey_migrate/src/lib/krb5/krb/set_realm.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/set_realm.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/set_realm.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,10 +36,9 @@
return -EINVAL;
length = strlen(realm);
- newrealm = malloc(length+1); /* Include room for the null */
+ newrealm = strdup(realm);
if (!newrealm)
return -ENOMEM;
- strcpy(newrealm, realm);
(void) krb5_xfree(krb5_princ_realm(context,principal)->data);
Modified: branches/mkey_migrate/src/lib/krb5/krb/srv_rcache.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/srv_rcache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/srv_rcache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,13 +39,10 @@
{
krb5_rcache rcache = 0;
char *cachename = 0, *cachetype;
- char tmp[4];
krb5_error_code retval;
- unsigned int p, i;
- unsigned int len;
-
+ unsigned int i;
+ struct k5buf buf;
#ifdef HAVE_GETEUID
- unsigned long tens;
unsigned long uid = geteuid();
#endif
@@ -54,56 +51,25 @@
cachetype = krb5_rc_default_type(context);
- len = piece->length + 3 + 1;
+ krb5int_buf_init_dynamic(&buf);
+ krb5int_buf_add(&buf, cachetype);
+ krb5int_buf_add(&buf, ":");
for (i = 0; i < piece->length; i++) {
if (piece->data[i] == '-')
- len++;
+ krb5int_buf_add(&buf, "--");
else if (!isvalidrcname((int) piece->data[i]))
- len += 3;
+ krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]);
+ else
+ krb5int_buf_add_len(&buf, &piece->data[i], 1);
}
-
#ifdef HAVE_GETEUID
- len += 2; /* _<uid> */
- for (tens = 1; (uid / tens) > 9 ; tens *= 10)
- len++;
+ krb5int_buf_add_fmt(&buf, "_%lu", uid);
#endif
-
- cachename = malloc(strlen(cachetype) + 5 + len);
- if (!cachename) {
- retval = ENOMEM;
- goto cleanup;
- }
- strcpy(cachename, cachetype);
- p = strlen(cachename);
- cachename[p++] = ':';
- for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '-') {
- cachename[p++] = '-';
- cachename[p++] = '-';
- continue;
- }
- if (!isvalidrcname((int) piece->data[i])) {
- snprintf(tmp, sizeof(tmp), "%03o", piece->data[i]);
- cachename[p++] = '-';
- cachename[p++] = tmp[0];
- cachename[p++] = tmp[1];
- cachename[p++] = tmp[2];
- continue;
- }
- cachename[p++] = piece->data[i];
- }
+ cachename = krb5int_buf_data(&buf);
+ if (cachename == NULL)
+ return ENOMEM;
-#ifdef HAVE_GETEUID
- cachename[p++] = '_';
- while (tens) {
- cachename[p++] = '0' + ((uid / tens) % 10);
- tens /= 10;
- }
-#endif
-
- cachename[p++] = '\0';
-
retval = krb5_rc_resolve_full(context, &rcache, cachename);
if (retval) {
rcache = 0;
Modified: branches/mkey_migrate/src/lib/krb5/krb/str_conv.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/str_conv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/str_conv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -118,11 +118,9 @@
}
}
if (out) {
- if (buflen > strlen(out))
- strcpy(buffer, out);
- else
- out = (char *) NULL;
- return((out) ? 0 : ENOMEM);
+ if (strlcpy(buffer, out, buflen) >= buflen)
+ return(ENOMEM);
+ return(0);
}
else
return(EINVAL);
Modified: branches/mkey_migrate/src/lib/krb5/krb/t_kerb.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/t_kerb.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/t_kerb.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,9 +5,6 @@
#include "krb5.h"
#include "autoconf.h"
-#ifdef KRB5_KRB4_COMPAT
-#include "kerberosIV/krb.h"
-#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -68,11 +65,9 @@
{
krb5_principal princ = 0;
krb5_error_code retval;
-#ifndef KRB5_KRB4_COMPAT
#define ANAME_SZ 40
#define INST_SZ 40
#define REALM_SZ 40
-#endif
char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1];
aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
Modified: branches/mkey_migrate/src/lib/krb5/krb/t_ser.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/t_ser.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/t_ser.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -418,7 +418,7 @@
!(kret = ser_data(verbose, "> Resolved default keytab",
(krb5_pointer) keytab, KV5M_KEYTAB)) &&
!(kret = krb5_kt_close(kcontext, keytab))) {
- sprintf(ccname, "FILE:temp_kt_%d", (int) getpid());
+ snprintf(ccname, sizeof(ccname), "FILE:temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
!(kret = ser_data(verbose, "> Resolved FILE keytab",
(krb5_pointer) keytab, KV5M_KEYTAB)) &&
Modified: branches/mkey_migrate/src/lib/krb5/krb/unparse.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/unparse.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/unparse.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/unparse.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -58,33 +58,52 @@
#define COMPONENT_SEP '/'
static int
-component_length_quoted(const krb5_data *src)
+component_length_quoted(const krb5_data *src, int flags)
{
const char *cp = src->data;
int length = src->length;
int j;
int size = length;
- for (j = 0; j < length; j++,cp++)
- if (*cp == REALM_SEP || *cp == COMPONENT_SEP ||
- *cp == '\0' || *cp == '\\' || *cp == '\t' ||
- *cp == '\n' || *cp == '\b')
- size++;
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) == 0) {
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
+ for (j = 0; j < length; j++,cp++)
+ if ((!no_realm && *cp == REALM_SEP) ||
+ *cp == COMPONENT_SEP ||
+ *cp == '\0' || *cp == '\\' || *cp == '\t' ||
+ *cp == '\n' || *cp == '\b')
+ size++;
+ }
+
return size;
}
static int
-copy_component_quoting(char *dest, const krb5_data *src)
+copy_component_quoting(char *dest, const krb5_data *src, int flags)
{
int j;
const char *cp = src->data;
char *q = dest;
int length = src->length;
+ if (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) {
+ memcpy(dest, src->data, src->length);
+ return src->length;
+ }
+
for (j=0; j < length; j++,cp++) {
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
switch (*cp) {
+ case REALM_SEP:
+ if (no_realm) {
+ *q++ = *cp;
+ break;
+ }
case COMPONENT_SEP:
- case REALM_SEP:
case '\\':
*q++ = '\\';
*q++ = *cp;
@@ -101,6 +120,13 @@
*q++ = '\\';
*q++ = 'b';
break;
+#if 0
+ /* Heimdal escapes spaces in principal names upon unparsing */
+ case ' ':
+ *q++ = '\\';
+ *q++ = ' ';
+ break;
+#endif
case '\0':
*q++ = '\\';
*q++ = '0';
@@ -112,27 +138,47 @@
return q - dest;
}
-krb5_error_code KRB5_CALLCONV
-krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
- char **name, unsigned int *size)
+static krb5_error_code
+k5_unparse_name(krb5_context context, krb5_const_principal principal,
+ int flags, char **name, unsigned int *size)
{
char *cp, *q;
int i;
int length;
krb5_int32 nelem;
unsigned int totalsize = 0;
+ char *default_realm = NULL;
+ krb5_error_code ret = 0;
if (!principal || !name)
return KRB5_PARSE_MALFORMED;
- totalsize += component_length_quoted(krb5_princ_realm(context,
- principal));
- totalsize++; /* This is for the separator */
+ if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
+ /* omit realm if local realm */
+ krb5_principal_data p;
+ ret = krb5_get_default_realm(context, &default_realm);
+ if (ret != 0)
+ goto cleanup;
+
+ krb5_princ_realm(context, &p)->length = strlen(default_realm);
+ krb5_princ_realm(context, &p)->data = default_realm;
+
+ if (krb5_realm_compare(context, &p, principal))
+ flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
+ }
+
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ totalsize += component_length_quoted(krb5_princ_realm(context,
+ principal),
+ flags);
+ totalsize++; /* This is for the separator */
+ }
+
nelem = krb5_princ_size(context, principal);
for (i = 0; i < (int) nelem; i++) {
cp = krb5_princ_component(context, principal, i)->data;
- totalsize += component_length_quoted(krb5_princ_component(context, principal, i));
+ totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
totalsize++; /* This is for the separator */
}
if (nelem == 0)
@@ -143,7 +189,7 @@
* provided, use it, realloc'ing it if necessary.
*
* We need only n-1 seperators for n components, but we need
- * an extra byte for the NULL at the end.
+ * an extra byte for the NUL at the end.
*/
if (size) {
if (*name && (*size < totalsize)) {
@@ -156,8 +202,10 @@
*name = malloc(totalsize);
}
- if (!*name)
- return ENOMEM;
+ if (!*name) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
q = *name;
@@ -167,24 +215,55 @@
q += copy_component_quoting(q,
krb5_princ_component(context,
principal,
- i));
+ i),
+ flags);
*q++ = COMPONENT_SEP;
}
if (i > 0)
q--; /* Back up last component separator */
- *q++ = REALM_SEP;
- q += copy_component_quoting(q, krb5_princ_realm(context, principal));
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ *q++ = REALM_SEP;
+ q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
+ }
*q++ = '\0';
-
- return 0;
+
+cleanup:
+ if (default_realm != NULL)
+ krb5_free_default_realm(context, default_realm);
+
+ return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char **name)
{
- if (name) /* name == NULL will return error from _ext */
- *name = NULL;
- return(krb5_unparse_name_ext(context, principal, name, NULL));
+ if (name != NULL) /* name == NULL will return error from _ext */
+ *name = NULL;
+
+ return k5_unparse_name(context, principal, 0, name, NULL);
}
+krb5_error_code KRB5_CALLCONV
+krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
+ char **name, unsigned int *size)
+{
+ return k5_unparse_name(context, principal, 0, name, size);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
+ int flags, char **name)
+{
+ if (name != NULL)
+ *name = NULL;
+ return k5_unparse_name(context, principal, flags, name, NULL);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
+ int flags, char **name, unsigned int *size)
+{
+ return k5_unparse_name(context, principal, flags, name, size);
+}
+
Deleted: branches/mkey_migrate/src/lib/krb5/krb/v4lifetime.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/v4lifetime.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/v4lifetime.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,149 +0,0 @@
-/*
- * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "k5-int.h"
-
-/*
- * Only lifetime bytes values less than 128 are on a linear scale.
- * The following table contains an exponential scale that covers the
- * lifetime values 128 to 191 inclusive (a total of 64 values).
- * Values greater than 191 get interpreted the same as 191, but they
- * will never be generated by the functions in this file.
- *
- * The ratio is approximately 1.069144898 (actually exactly
- * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
- * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
- * 191 to correspond to a ticket life of exactly 30 days and a
- * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
- * the other values spread on an exponential curve fit in between
- * them. This table should correspond exactly to the set of extended
- * ticket lifetime values used by AFS and CMU.
- *
- * The following awk script is sufficient to reproduce the table:
- * BEGIN {
- * r = exp(log(2592000/38400)/63);
- * x = 38400;
- * for (i=0;i<64;i++) {
- * printf("%d\n",x+0.5);
- * x *= r;
- * }
- * }
- */
-#ifndef SHORT_LIFETIME
-#define NLIFETIMES 64
-static const krb5_int32 lifetimes[NLIFETIMES] = {
- 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
- 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
- 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
- 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
- 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
- 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
- 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
- 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
- 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
- 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
- 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
- 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
- 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
- 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
- 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
- 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
- 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
- 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
- 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
- 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
- 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
- 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
- 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
- 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
- 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
- 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
- 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
- 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
- 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
- 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
- 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
- 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
-};
-#define MINFIXED 0x80
-#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
-#endif /* !SHORT_LIFETIME */
-
-/*
- * krb_life_to_time
- *
- * Given a start date and a lifetime byte, compute the expiration
- * date.
- */
-krb5_int32
-krb5int_krb_life_to_time(krb5_int32 start, int life)
-{
- if (life < 0 || life > 255) /* possibly sign botch in caller */
- return start;
-#ifndef SHORT_LIFETIME
- if (life < MINFIXED)
- return start + life * 5 * 60;
- if (life > MAXFIXED)
- return start + lifetimes[NLIFETIMES - 1];
- return start + lifetimes[life - MINFIXED];
-#else /* SHORT_LIFETIME */
- return start + life * 5 * 60;
-#endif /* SHORT_LIFETIME */
-}
-
-/*
- * krb_time_to_life
- *
- * Given the start date and the end date, compute the lifetime byte.
- * Round up, since we can adjust the start date backwards if we are
- * issuing the ticket to cause it to expire at the correct time.
- */
-int
-krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end)
-{
- krb5_int32 dt;
-#ifndef SHORT_LIFETIME
- int i;
-#endif
-
- dt = end - start;
- if (dt <= 0)
- return 0;
-#ifndef SHORT_LIFETIME
- if (dt < lifetimes[0])
- return (dt + 5 * 60 - 1) / (5 * 60);
- /* This depends on the array being ordered. */
- for (i = 0; i < NLIFETIMES; i++) {
- if (lifetimes[i] >= dt)
- return i + MINFIXED;
- }
- return MAXFIXED;
-#else /* SHORT_LIFETIME */
- if (dt > 5 * 60 * 255)
- return 255;
- else
- return (dt + 5 * 60 - 1) / (5 * 60);
-#endif /* SHORT_LIFETIME */
-}
Modified: branches/mkey_migrate/src/lib/krb5/krb/valid_times.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/valid_times.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/valid_times.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,8 +29,6 @@
#include "k5-int.h"
-#define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew)
-
/*
* This is an internal routine which validates the krb5_timestamps
* field in a krb5_ticket.
Modified: branches/mkey_migrate/src/lib/krb5/krb/vfy_increds.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/vfy_increds.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/vfy_increds.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -76,7 +76,9 @@
ap_req.data = NULL;
if (server_arg) {
- server = server_arg;
+ ret = krb5_copy_principal(context, server_arg, &server);
+ if (ret)
+ goto cleanup;
} else {
if ((ret = krb5_sname_to_principal(context, NULL, NULL,
KRB5_NT_SRV_HST, &server)))
@@ -94,6 +96,12 @@
if ((ret = krb5_kt_default(context, &keytab)))
goto cleanup;
}
+ if (krb5_is_referral_realm(&server->realm)) {
+ krb5_free_data_contents(context, &server->realm);
+ ret = krb5_get_default_realm(context, &server->realm.data);
+ if (ret) goto cleanup;
+ server->realm.length = strlen(server->realm.data);
+ }
if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
/* this means there is no keying material. This is ok, as long as
@@ -207,7 +215,7 @@
accordingly. either that, or it's zero, which is fine, too */
cleanup:
- if (!server_arg && server)
+ if ( server)
krb5_free_principal(context, server);
if (!keytab_arg && keytab)
krb5_kt_close(context, keytab);
Modified: branches/mkey_migrate/src/lib/krb5/krb/walk_rtree.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/walk_rtree.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/walk_rtree.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,14 +1,14 @@
/*
* lib/krb5/krb/walk_rtree.c
*
- * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008,2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,11 +22,104 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
* krb5_walk_realm_tree()
+ *
+ * internal function, used by krb5_get_cred_from_kdc()
*/
+#include "k5-int.h"
+#include "int-proto.h"
+
+/*
+ * Structure to help with finding the common suffix between client and
+ * server realm during hierarchical traversal.
+ */
+struct hstate {
+ char *str;
+ size_t len;
+ char *tail;
+ char *dot;
+};
+
+static krb5_error_code
+rtree_capath_tree(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ char **vals,
+ krb5_principal **tree);
+
+static krb5_error_code
+rtree_capath_vals(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ char ***vals);
+
+static krb5_error_code
+rtree_hier_tree(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ krb5_principal **rettree,
+ int sep);
+
+static krb5_error_code
+rtree_hier_realms(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ krb5_data **realms,
+ size_t *nrealms,
+ int sep);
+
+static krb5_error_code
+rtree_hier_tweens(
+ krb5_context context,
+ struct hstate *realm,
+ krb5_data **tweens,
+ size_t *ntweens,
+ int dotail,
+ int sep);
+
+static void
+adjtail(struct hstate *c, struct hstate *s, int sep);
+
+static void
+comtail(struct hstate *c, struct hstate *s, int sep);
+
+krb5_error_code
+krb5_walk_realm_tree(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ krb5_principal **tree,
+ int realm_sep)
+{
+ krb5_error_code retval = 0;
+ char **capvals;
+
+ if (client->data == NULL || server->data == NULL)
+ return KRB5_NO_TKT_IN_RLM;
+
+ if (client->length == server->length &&
+ memcmp(client->data, server->data, server->length) == 0) {
+ return KRB5_NO_TKT_IN_RLM;
+ }
+ retval = rtree_capath_vals(context, client, server, &capvals);
+ if (retval)
+ return retval;
+
+ if (capvals != NULL) {
+ retval = rtree_capath_tree(context, client, server, capvals, tree);
+ return retval;
+ }
+
+ retval = rtree_hier_tree(context, client, server, tree, realm_sep);
+ return retval;
+}
+
/* ANL - Modified to allow Configurable Authentication Paths.
* This modification removes the restriction on the choice of realm
* names, i.e. they nolonger have to be hierarchical. This
@@ -52,8 +145,8 @@
* NERSC.GOV = ES.NET
* PNL.GOV = ES.NET
* ES.NET = .
- * HAL.COM = K5.MOON
- * HAL.COM = K5.JUPITER
+ * HAL.COM = K5.MOON
+ * HAL.COM = K5.JUPITER
* }
* NERSC.GOV = {
* ANL.GOV = ES.NET
@@ -62,7 +155,7 @@
* ANL.GOV = ES.NET
* }
* ES.NET = {
- * ANL.GOV = .
+ * ANL.GOV = .
* }
* HAL.COM = {
* ANL.GOV = K5.JUPITER
@@ -82,326 +175,384 @@
* will work together.
* DEE - 5/23/95
*/
-#include "k5-int.h"
-#include "int-proto.h"
-/* internal function, used by krb5_get_cred_from_kdc() */
+/*
+ * Build a tree given a set of profile values retrieved by
+ * walk_rtree_capath_vals().
+ */
+static krb5_error_code
+rtree_capath_tree(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ char **vals,
+ krb5_principal **rettree)
+{
+ krb5_error_code retval = 0;
+ unsigned int nvals, nlinks, nprincs, i;
+ krb5_data srcrealm, dstrealm;
+ krb5_principal *tree, *pprinc;
-#ifndef min
-#define min(x,y) ((x) < (y) ? (x) : (y))
-#define max(x,y) ((x) > (y) ? (x) : (y))
-#endif
+ *rettree = NULL;
+ tree = pprinc = NULL;
+ for (nvals = 0; vals[nvals] != NULL; nvals++)
+ ;
+ if (vals[0] != NULL && *vals[0] == '.') {
+ nlinks = 0;
+ } else {
+ nlinks = nvals;
+ }
+ nprincs = nlinks + 2;
+ tree = calloc(nprincs + 1, sizeof(krb5_principal));
+ if (tree == NULL) {
+ retval = ENOMEM;
+ goto error;
+ }
+ for (i = 0; i < nprincs + 1; i++)
+ tree[i] = NULL;
+ /* Invariant: PPRINC points one past end of list. */
+ pprinc = &tree[0];
+ /* Local TGS name */
+ retval = krb5_tgtname(context, client, client, pprinc++);
+ if (retval) goto error;
+ srcrealm = *client;
+ for (i = 0; i < nlinks; i++) {
+ dstrealm.data = vals[i];
+ dstrealm.length = strcspn(vals[i], "\t ");
+ retval = krb5_tgtname(context, &dstrealm, &srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
+ }
+ retval = krb5_tgtname(context, server, &srcrealm, pprinc++);
+ if (retval) goto error;
+ *rettree = tree;
+error:
+ profile_free_list(vals);
+ if (retval) {
+ while (pprinc != NULL && pprinc > &tree[0]) {
+ /* krb5_free_principal() correctly handles null input */
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
+ }
+ free(tree);
+ }
+ return retval;
+}
+
/*
- * xxx The following function is very confusing to read and probably
- * is buggy. It should be documented better. Here is what I've
- * learned about it doing a quick bug fixing walk through. The
- * function takes a client and server realm name and returns the set
- * of realms (in a field called tree) that you need to get tickets in
- * in order to get from the source realm to the destination realm. It
- * takes a realm separater character (normally ., but presumably there
- * for all those X.500 realms) . There are two modes it runs in: the
- * ANL krb5.conf mode and the hierarchy mode. The ANL mode is
- * fairly obvious. The hierarchy mode looks for common components in
- * both the client and server realms. In general, the pointer scp and
- * ccp are used to walk through the client and server realms. The
- * com_sdot and com_cdot pointers point to (I think) the beginning of
- * the common part of the realm names. I.E. strcmp(com_cdot,
- * com_sdot) ==0 is roughly an invarient. However, there are cases
- * where com_sdot and com_cdot are set to point before the start of
- * the client or server strings. I think this only happens when there
- * are no common components. --hartmans 2002/03/14
+ * Get realm list from "capaths" section of the profile. Deliberately
+ * returns success but leaves VALS null if profile_get_values() fails
+ * by not finding anything.
*/
-
-krb5_error_code
-krb5_walk_realm_tree(krb5_context context, const krb5_data *client, const krb5_data *server, krb5_principal **tree, int realm_branch_char)
+static krb5_error_code
+rtree_capath_vals(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ char ***vals)
{
- krb5_error_code retval;
- krb5_principal *rettree;
- register char *ccp, *scp;
- register char *prevccp = 0, *prevscp = 0;
- char *com_sdot = 0, *com_cdot = 0;
- register int i, links = 0;
- int clen, slen = -1;
- krb5_data tmpcrealm, tmpsrealm;
- int nocommon = 1;
+ krb5_error_code retval = 0;
+ /* null-terminated realm names */
+ char *clientz = NULL, *serverz = NULL;
+ const char *key[4];
- const char *cap_names[4];
- char *cap_client, *cap_server;
- char **cap_nodes;
- krb5_error_code cap_code;
+ *vals = NULL;
-#ifdef DEBUG_REFERRALS
- printf("krb5_walk_realm_tree starting\n");
- printf(" client is %s\n",client->data);
- printf(" server is %s\n",server->data);
-#endif
+ clientz = calloc(client->length + 1, 1);
+ if (clientz == NULL) {
+ retval = ENOMEM;
+ goto error;
+ }
+ memcpy(clientz, client->data, client->length);
- if (!(client->data &&server->data))
- return KRB5_NO_TKT_IN_RLM;
- if ((cap_client = (char *)malloc(client->length + 1)) == NULL)
- return ENOMEM;
- strncpy(cap_client, client->data, client->length);
- cap_client[client->length] = '\0';
- if ((cap_server = (char *)malloc(server->length + 1)) == NULL) {
- krb5_xfree(cap_client);
- return ENOMEM;
+ serverz = calloc(server->length + 1, 1);
+ if (clientz == NULL) {
+ retval = ENOMEM;
+ goto error;
}
- strncpy(cap_server, server->data, server->length);
- cap_server[server->length] = '\0';
- cap_names[0] = "capaths";
- cap_names[1] = cap_client;
- cap_names[2] = cap_server;
- cap_names[3] = 0;
- cap_code = profile_get_values(context->profile, cap_names, &cap_nodes);
- krb5_xfree(cap_client); /* done with client string */
- cap_names[1] = 0;
- if (cap_code == 0) { /* found a path, so lets use it */
- links = 0;
- if (*cap_nodes[0] != '.') { /* a link of . means direct */
- while(cap_nodes[links]) {
- links++;
- }
- }
- if (cap_nodes[links] != NULL)
- krb5_xfree(cap_nodes[links]);
+ memcpy(serverz, server->data, server->length);
- cap_nodes[links] = cap_server; /* put server on end of list */
- /* this simplifies the code later and make */
- /* cleanup eaiser as well */
- links++; /* count the null entry at end */
- } else { /* no path use hierarchical method */
- krb5_xfree(cap_server); /* failed, don't need server string */
- cap_names[2] = 0;
+ key[0] = "capaths";
+ key[1] = clientz;
+ key[2] = serverz;
+ key[3] = NULL;
+ retval = profile_get_values(context->profile, key, vals);
+ switch (retval) {
+ case PROF_NO_SECTION:
+ case PROF_NO_RELATION:
+ /*
+ * Not found; don't return an error.
+ */
+ retval = 0;
+ break;
+ default:
+ break;
+ }
+error:
+ free(clientz);
+ free(serverz);
+ return retval;
+}
- clen = client->length;
- slen = server->length;
+/*
+ * Build tree by hierarchical traversal.
+ */
+static krb5_error_code
+rtree_hier_tree(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ krb5_principal **rettree,
+ int sep)
+{
+ krb5_error_code retval;
+ krb5_data *realms;
+ const krb5_data *dstrealm, *srcrealm;
+ krb5_principal *tree, *pprinc;
+ size_t nrealms, nprincs, i;
- for (com_cdot = ccp = client->data + clen - 1,
- com_sdot = scp = server->data + slen - 1;
- clen && slen && *ccp == *scp ;
- ccp--, scp--, clen--, slen--) {
- if (*ccp == realm_branch_char) {
- com_cdot = ccp;
- com_sdot = scp;
- nocommon = 0;
- }
- }
+ *rettree = NULL;
+ retval = rtree_hier_realms(context, client, server,
+ &realms, &nrealms, sep);
+ if (retval)
+ return retval;
+ nprincs = nrealms;
+ pprinc = tree = calloc(nprincs + 1, sizeof(krb5_principal));
+ if (tree == NULL) {
+ retval = ENOMEM;
+ goto error;
+ }
+ for (i = 0; i < nrealms; i++)
+ tree[i] = NULL;
+ srcrealm = client;
+ for (i = 0; i < nrealms; i++) {
+ dstrealm = &realms[i];
+ retval = krb5_tgtname(context, dstrealm, srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
+ }
+ *rettree = tree;
+ return 0;
+error:
+ while (pprinc != NULL && pprinc > tree) {
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
+ }
+ free(tree);
+ return retval;
+}
- /* ccp, scp point to common root.
- com_cdot, com_sdot point to common components. */
- /* handle case of one ran out */
- if (!clen) {
- /* construct path from client to server, down the tree */
- if (!slen)
- /* in the same realm--this means there is no ticket
- in this realm. */
- return KRB5_NO_TKT_IN_RLM;
- if (*scp == realm_branch_char) {
- /* one is a subdomain of the other */
- com_cdot = client->data;
- com_sdot = scp;
- nocommon = 0;
- } /* else normal case of two sharing parents */
- }
- if (!slen) {
- /* construct path from client to server, up the tree */
- if (*ccp == realm_branch_char) {
- /* one is a subdomain of the other */
- com_sdot = server->data;
- com_cdot = ccp;
- nocommon = 0;
- } /* else normal case of two sharing parents */
- }
- /* determine #links to/from common ancestor */
- if (nocommon)
- links = 1;
- else
- links = 2;
- /* if no common ancestor, artificially set up common root at the last
- component, then join with special code */
- for (ccp = client->data; ccp < com_cdot; ccp++) {
- if (*ccp == realm_branch_char) {
- links++;
- if (nocommon)
- prevccp = ccp;
- }
- }
+/*
+ * Construct list of realms between client and server.
+ */
+static krb5_error_code
+rtree_hier_realms(
+ krb5_context context,
+ const krb5_data *client,
+ const krb5_data *server,
+ krb5_data **realms,
+ size_t *nrealms,
+ int sep)
+{
+ krb5_error_code retval;
+ struct hstate c, s;
+ krb5_data *ctweens, *stweens, *twp, *r, *rp;
+ size_t nctween, nstween;
- for (scp = server->data; scp < com_sdot; scp++) {
- if (*scp == realm_branch_char) {
- links++;
- if (nocommon)
- prevscp = scp;
- }
- }
- if (nocommon) {
- if (prevccp)
- com_cdot = prevccp;
- if (prevscp)
- com_sdot = prevscp;
+ r = rp = NULL;
+ c.str = client->data;
+ c.len = client->length;
+ c.dot = c.tail = NULL;
+ s.str = server->data;
+ s.len = server->length;
+ s.dot = s.tail = NULL;
- if(com_cdot == client->data + client->length -1)
- com_cdot = client->data - 1 ;
- if(com_sdot == server->data + server->length -1)
- com_sdot = server->data - 1 ;
- }
- } /* end of if use hierarchical method */
+ comtail(&c, &s, sep);
+ adjtail(&c, &s, sep);
- if (!(rettree = (krb5_principal *)calloc(links+2,
- sizeof(krb5_principal)))) {
- return ENOMEM;
+ retval = rtree_hier_tweens(context, &c, &ctweens, &nctween, 1, sep);
+ if (retval) goto error;
+ retval = rtree_hier_tweens(context, &s, &stweens, &nstween, 0, sep);
+ if (retval) goto error;
+
+ *nrealms = nctween + nstween;
+ rp = r = calloc(*nrealms, sizeof(krb5_data));
+ if (r == NULL) {
+ retval = ENOMEM;
+ goto error;
}
- i = 1;
- if ((retval = krb5_tgtname(context, client, client, &rettree[0]))) {
- krb5_xfree(rettree);
- return retval;
+ /* Copy client realm "tweens" forward. */
+ for (twp = ctweens; twp < &ctweens[nctween]; twp++) {
+ retval = krb5int_copy_data_contents(context, twp, rp++);
+ if (retval) goto error;
}
- links--; /* dont count the null entry on end */
- if (cap_code == 0) { /* found a path above */
- tmpcrealm.data = client->data;
- tmpcrealm.length = client->length;
- while( i-1 <= links) {
-
- tmpsrealm.data = cap_nodes[i-1];
- /* don't count trailing whitespace from profile_get */
- tmpsrealm.length = strcspn(cap_nodes[i-1],"\t ");
- if ((retval = krb5_tgtname(context,
- &tmpsrealm,
- &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- /* cleanup the cap_nodes from profile_get */
- for (i = 0; i<=links; i++) {
- krb5_xfree(cap_nodes[i]);
- }
- krb5_xfree((char *)cap_nodes);
- return retval;
- }
- tmpcrealm.data = tmpsrealm.data;
- tmpcrealm.length = tmpsrealm.length;
- i++;
+ /* Copy server realm "tweens" backward. */
+ for (twp = &stweens[nstween]; twp-- > stweens;) {
+ krb5int_copy_data_contents(context, twp, rp++);
+ if (retval) goto error;
+ }
+error:
+ if (retval) {
+ *nrealms = 0;
+ while (rp > r) {
+ krb5_free_data_contents(context, --rp);
}
- /* cleanup the cap_nodes from profile_get last one has server */
- for (i = 0; i<=links; i++) {
- krb5_xfree(cap_nodes[i]);
- }
- krb5_xfree((char *)cap_nodes);
- } else { /* if not cap then use hierarchical method */
- for (prevccp = ccp = client->data;
- ccp <= com_cdot;
- ccp++) {
- if (*ccp != realm_branch_char)
- continue;
- ++ccp; /* advance past dot */
- tmpcrealm.data = prevccp;
- tmpcrealm.length = client->length -
- (prevccp - client->data);
- tmpsrealm.data = ccp;
- tmpsrealm.length = client->length -
- (ccp - client->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- return retval;
- }
- prevccp = ccp;
- i++;
- }
- if (nocommon) {
- tmpcrealm.data = com_cdot + 1;
- tmpcrealm.length = client->length -
- (com_cdot + 1 - client->data);
- tmpsrealm.data = com_sdot + 1;
- tmpsrealm.length = server->length -
- (com_sdot + 1 - server->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- return retval;
- }
- i++;
- }
+ free(r);
+ r = NULL;
+ }
+ free(ctweens);
+ free(stweens);
+ *realms = r;
+ return retval;
+}
- for (prevscp = com_sdot + 1, scp = com_sdot - 1;
- scp > server->data;
- scp--) {
- if (*scp != realm_branch_char)
- continue;
- if (scp - 1 < server->data)
- break; /* XXX only if . starts realm? */
- tmpcrealm.data = prevscp;
- tmpcrealm.length = server->length -
- (prevscp - server->data);
- tmpsrealm.data = scp + 1;
- tmpsrealm.length = server->length -
- (scp + 1 - server->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- return retval;
- }
- prevscp = scp + 1;
- i++;
+/*
+ * Build a list of realms between a given realm and the common
+ * suffix. The original realm is included, but the "tail" is only
+ * included if DOTAIL is true.
+ *
+ * Warning: This function intentionally aliases memory. Caller must
+ * make copies as needed and not call krb5_free_data_contents, etc.
+ */
+static krb5_error_code
+rtree_hier_tweens(
+ krb5_context context,
+ struct hstate *realm,
+ krb5_data **tweens,
+ size_t *ntweens,
+ int dotail,
+ int sep)
+{
+ char *p, *r, *rtail, *lp;
+ size_t rlen, n;
+ krb5_data *tws, *ntws;
+
+ r = realm->str;
+ rlen = realm->len;
+ rtail = realm->tail;
+ *tweens = ntws = tws = NULL;
+ *ntweens = n = 0;
+
+ for (lp = p = r; p < &r[rlen]; p++) {
+ if (*p != sep && &p[1] != &r[rlen])
+ continue;
+ if (lp == rtail && !dotail)
+ break;
+ ntws = realloc(tws, (n + 1) * sizeof(krb5_data));
+ if (ntws == NULL) {
+ free(tws);
+ return ENOMEM;
}
- if (slen && com_sdot >= server->data) {
- /* only necessary if building down tree from ancestor or client */
- /* however, we can get here if we have only one component
- in the server realm name, hence we make sure we found a component
- separator there... */
- tmpcrealm.data = prevscp;
- tmpcrealm.length = server->length -
- (prevscp - server->data);
- if ((retval = krb5_tgtname(context, server, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- return retval;
- }
- }
+ tws = ntws;
+ tws[n].data = lp;
+ tws[n].length = &r[rlen] - lp;
+ n++;
+ if (lp == rtail)
+ break;
+ lp = &p[1];
}
- *tree = rettree;
+ *tweens = tws;
+ *ntweens = n;
+ return 0;
+}
-#ifdef DEBUG_REFERRALS
- printf("krb5_walk_realm_tree ending; tree (length %d) is:\n",links);
- for(i=0;i<links+2;i++) {
- if ((*tree)[i])
- krb5int_dbgref_dump_principal("krb5_walk_realm_tree tree",(*tree)[i]);
- else
- printf("tree element %i null\n");
+/*
+ * Adjust suffixes that each starts at the beginning of a component,
+ * to avoid the problem where "BC.EXAMPLE.COM" is erroneously reported
+ * as a parent of "ABC.EXAMPLE.COM".
+ */
+static void
+adjtail(struct hstate *c, struct hstate *s, int sep)
+{
+ int cfull, sfull;
+ char *cp, *sp;
+
+ cp = c->tail;
+ sp = s->tail;
+ if (cp == NULL || sp == NULL)
+ return;
+ /*
+ * Is it a full component? Yes, if it's the beginning of the
+ * string or there's a separator to the left.
+ *
+ * The index of -1 is valid because it only gets evaluated if the
+ * pointer is not at the beginning of the string.
+ */
+ cfull = (cp == c->str || cp[-1] == sep);
+ sfull = (sp == s->str || sp[-1] == sep);
+ /*
+ * If they're both full components, we're done.
+ */
+ if (cfull && sfull) {
+ return;
+ } else if (c->dot != NULL && s->dot != NULL) {
+ cp = c->dot + 1;
+ sp = s->dot + 1;
+ /*
+ * Out of bounds? Can only happen if there are trailing dots.
+ */
+ if (cp >= &c->str[c->len] || sp >= &s->str[s->len]) {
+ cp = sp = NULL;
+ }
+ } else {
+ cp = sp = NULL;
}
-#endif
- return 0;
+ c->tail = cp;
+ s->tail = sp;
}
-#ifdef DEBUG_REFERRALS
-void krb5int_dbgref_dump_principal(char *d, krb5_principal p)
+/*
+ * Find common suffix of C and S.
+ *
+ * C->TAIL and S->TAIL will point to the respective suffixes. C->DOT
+ * and S->DOT will point to the nearest instances of SEP to the right
+ * of the start of each suffix. Caller must initialize TAIL and DOT
+ * pointers to null.
+ */
+static void
+comtail(struct hstate *c, struct hstate *s, int sep)
{
- int n;
-
- printf(" **%s: ",d);
- for (n=0;n<p->length;n++)
- printf("%s<%.*s>",(n>0)?"/":"",p->data[n].length,p->data[n].data);
- printf("@<%.*s> (length %d, type %d)\n",p->realm.length,p->realm.data,
- p->length, p->type);
+ char *cp, *sp, *cdot, *sdot;
+
+ if (c->len == 0 || s->len == 0)
+ return;
+
+ cdot = sdot = NULL;
+ /*
+ * ANSI/ISO C allows a pointer one past the end but not one
+ * before the beginning of an array.
+ */
+ cp = &c->str[c->len];
+ sp = &s->str[s->len];
+ /*
+ * Set CP and SP to point to the common suffix of each string.
+ * When we run into separators (dots, unless someone has a X.500
+ * style realm), keep pointers to the latest pair.
+ */
+ while (cp > c->str && sp > s->str) {
+ if (*--cp != *--sp) {
+ /*
+ * Didn't match, so most recent match is one byte to the
+ * right (or not at all).
+ */
+ cp++;
+ sp++;
+ break;
+ }
+ /*
+ * Keep track of matching dots.
+ */
+ if (*cp == sep) {
+ cdot = cp;
+ sdot = sp;
+ }
+ }
+ /* No match found at all. */
+ if (cp == &c->str[c->len])
+ return;
+ c->tail = cp;
+ s->tail = sp;
+ c->dot = cdot;
+ s->dot = sdot;
}
-#endif
Modified: branches/mkey_migrate/src/lib/krb5/krb/walktree-tests
===================================================================
--- branches/mkey_migrate/src/lib/krb5/krb/walktree-tests 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/krb/walktree-tests 2009-01-10 01:06:45 UTC (rev 21722)
@@ -68,4 +68,12 @@
set A.EXAMPLE.COM EXAMPLE.COM "A.EXAMPLE.COM at A.EXAMPLE.COM EXAMPLE.COM at A.EXAMPLE.COM"
eval $check
+echo CAPATH test
+set ATHENA.MIT.EDU KERBEROS.COM "ATHENA.MIT.EDU at ATHENA.MIT.EDU KERBEROS.COM at ATHENA.MIT.EDU"
+eval $check
+
+echo CAPATH test
+set LCS.MIT.EDU KABLOOEY.KERBEROS.COM "LCS.MIT.EDU at LCS.MIT.EDU ATHENA.MIT.EDU at LCS.MIT.EDU KERBEROS.COM at ATHENA.MIT.EDU KABLOOEY.KERBEROS.COM at KERBEROS.COM"
+eval $check
+
exit $err
Modified: branches/mkey_migrate/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/mkey_migrate/src/lib/krb5/libkrb5.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/libkrb5.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -19,6 +19,8 @@
decode_krb5_etype_info
decode_krb5_kdc_req_body
decode_krb5_pa_enc_ts
+decode_krb5_pa_for_user
+decode_krb5_pa_pac_req
decode_krb5_padata_sequence
decode_krb5_predicted_sam_response
decode_krb5_priv
@@ -27,6 +29,7 @@
decode_krb5_safe
decode_krb5_sam_challenge
decode_krb5_sam_response
+decode_krb5_setpw_req
decode_krb5_tgs_rep
decode_krb5_tgs_req
decode_krb5_ticket
@@ -51,6 +54,9 @@
encode_krb5_etype_info2
encode_krb5_kdc_req_body
encode_krb5_pa_enc_ts
+encode_krb5_pa_for_user
+encode_krb5_pa_server_referral_data
+encode_krb5_pa_svr_referral_data
encode_krb5_padata_sequence
encode_krb5_predicted_sam_response
encode_krb5_priv
@@ -120,6 +126,7 @@
krb5_build_principal
krb5_build_principal_ext
krb5_build_principal_va
+krb5_build_principal_alloc_va
krb5_cc_close
krb5_cc_copy_creds
krb5_cc_default
@@ -166,6 +173,7 @@
krb5_copy_ticket
krb5_create_secure_file
krb5_crypto_us_timeofday
+krb5_decode_authdata_container
krb5_decode_kdc_rep
krb5_decode_ticket
krb5_decrypt_tkt_part
@@ -174,6 +182,7 @@
krb5_defkeyname
krb5_deltat_to_string
krb5_do_preauth
+krb5_encode_authdata_container
krb5_encode_kdc_rep
krb5_encrypt_helper
krb5_encrypt_tkt_part
@@ -220,6 +229,10 @@
krb5_free_last_req
krb5_free_pa_data
krb5_free_pa_enc_ts
+krb5_free_pa_pac_req
+krb5_free_pa_for_user
+krb5_free_pa_server_referral_data
+krb5_free_pa_svr_referral_data
krb5_free_predicted_sam_response
krb5_free_predicted_sam_response_contents
krb5_free_principal
@@ -261,6 +274,7 @@
krb5_get_default_in_tkt_ktypes
krb5_get_default_realm
krb5_get_error_message
+krb5_get_fallback_host_realm
krb5_get_host_realm
krb5_get_in_tkt
krb5_get_in_tkt_with_keytab
@@ -274,6 +288,7 @@
krb5_get_init_creds_opt_get_pa
krb5_get_init_creds_opt_init
krb5_get_init_creds_opt_set_address_list
+krb5_get_init_creds_opt_set_canonicalize
krb5_get_init_creds_opt_set_change_password_prompt
krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_forwardable
@@ -336,6 +351,7 @@
krb5_mk_ncred
krb5_mk_priv
krb5_mk_rep
+krb5_mk_rep_dce
krb5_mk_req
krb5_mk_req_extended
krb5_mk_safe
@@ -347,10 +363,20 @@
krb5_os_init_context
krb5_os_localaddr
krb5_overridekeyname
+krb5_pac_add_buffer
+krb5_pac_free
+krb5_pac_get_buffer
+krb5_pac_get_types
+krb5_pac_init
+krb5_pac_parse
+krb5_pac_verify
krb5_parse_name
+krb5_parse_name_flags
krb5_principal2salt
krb5_principal2salt_norealm
krb5_principal_compare
+krb5_principal_compare_any_realm
+krb5_principal_compare_flags
krb5_process_padata
krb5_prompter_posix
krb5_rc_close
@@ -396,6 +422,7 @@
krb5_rd_error
krb5_rd_priv
krb5_rd_rep
+krb5_rd_rep_dce
krb5_rd_req
krb5_rd_req_decoded
krb5_rd_req_decoded_anyflag
@@ -461,6 +488,8 @@
krb5_unpack_full_ipaddr
krb5_unparse_name
krb5_unparse_name_ext
+krb5_unparse_name_flags
+krb5_unparse_name_flags_ext
krb5_us_timeofday
krb5_use_natural_time
krb5_validate_times
@@ -478,6 +507,7 @@
krb5int_free_addrlist
krb5int_init_context_kdc
krb5int_initialize_library
+krb5int_pac_sign
krb5int_sendtokdc_debug_handler
profile_abandon
profile_add_node
Modified: branches/mkey_migrate/src/lib/krb5/os/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -48,7 +48,6 @@
read_pwd.o \
realm_dom.o \
realm_iter.o \
- send524.o \
sendto_kdc.o \
sn2princ.o \
thread_safe.o \
@@ -93,7 +92,6 @@
$(OUTPRE)read_pwd.$(OBJEXT) \
$(OUTPRE)realm_dom.$(OBJEXT) \
$(OUTPRE)realm_iter.$(OBJEXT) \
- $(OUTPRE)send524.$(OBJEXT) \
$(OUTPRE)sendto_kdc.$(OBJEXT) \
$(OUTPRE)sn2princ.$(OBJEXT) \
$(OUTPRE)thread_safe.$(OBJEXT) \
@@ -138,7 +136,6 @@
$(srcdir)/realm_dom.c \
$(srcdir)/realm_iter.c \
$(srcdir)/port2ip.c \
- $(srcdir)/send524.c \
$(srcdir)/sendto_kdc.c \
$(srcdir)/sn2princ.c \
$(srcdir)/thread_safe.c \
@@ -241,466 +238,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-accessor.so accessor.po $(OUTPRE)accessor.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- accessor.c os-proto.h
-an_to_ln.so an_to_ln.po $(OUTPRE)an_to_ln.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- an_to_ln.c
-c_ustime.so c_ustime.po $(OUTPRE)c_ustime.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- c_ustime.c
-def_realm.so def_realm.po $(OUTPRE)def_realm.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- def_realm.c os-proto.h
-ccdefname.so ccdefname.po $(OUTPRE)ccdefname.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ccdefname.c
-changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/cm.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- changepw.c os-proto.h
-dnsglue.so dnsglue.po $(OUTPRE)dnsglue.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dnsglue.c dnsglue.h \
- os-proto.h
-dnssrv.so dnssrv.po $(OUTPRE)dnssrv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dnsglue.h dnssrv.c \
- os-proto.h
-free_krbhs.so free_krbhs.po $(OUTPRE)free_krbhs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- free_krbhs.c
-free_hstrl.so free_hstrl.po $(OUTPRE)free_hstrl.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- free_hstrl.c
-full_ipadr.so full_ipadr.po $(OUTPRE)full_ipadr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- full_ipadr.c os-proto.h
-get_krbhst.so get_krbhst.po $(OUTPRE)get_krbhst.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- get_krbhst.c
-gen_port.so gen_port.po $(OUTPRE)gen_port.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gen_port.c os-proto.h
-genaddrs.so genaddrs.po $(OUTPRE)genaddrs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- genaddrs.c os-proto.h
-gen_rname.so gen_rname.po $(OUTPRE)gen_rname.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- gen_rname.c os-proto.h
-hostaddr.so hostaddr.po $(OUTPRE)hostaddr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h hostaddr.c
-hst_realm.so hst_realm.po $(OUTPRE)hst_realm.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dnsglue.h hst_realm.c \
- os-proto.h
-init_os_ctx.so init_os_ctx.po $(OUTPRE)init_os_ctx.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/util/profile/prof_int.h init_os_ctx.c os-proto.h
-krbfileio.so krbfileio.po $(OUTPRE)krbfileio.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- krbfileio.c
-ktdefname.so ktdefname.po $(OUTPRE)ktdefname.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- ktdefname.c
-kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kuserok.c
-mk_faddr.so mk_faddr.po $(OUTPRE)mk_faddr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- mk_faddr.c os-proto.h
-localaddr.so localaddr.po $(OUTPRE)localaddr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/foreachaddr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h localaddr.c
-locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h locate_kdc.c os-proto.h
-lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- lock_file.c
-net_read.so net_read.po $(OUTPRE)net_read.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- net_read.c
-net_write.so net_write.po $(OUTPRE)net_write.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- net_write.c
-osconfig.so osconfig.po $(OUTPRE)osconfig.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- osconfig.c
-prompter.so prompter.po $(OUTPRE)prompter.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- prompter.c
-read_msg.so read_msg.po $(OUTPRE)read_msg.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- read_msg.c
-read_pwd.so read_pwd.po $(OUTPRE)read_pwd.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- read_pwd.c
-realm_dom.so realm_dom.po $(OUTPRE)realm_dom.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- realm_dom.c
-realm_iter.so realm_iter.po $(OUTPRE)realm_iter.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- realm_iter.c
-port2ip.so port2ip.po $(OUTPRE)port2ip.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h os-proto.h port2ip.c
-send524.so send524.po $(OUTPRE)send524.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- os-proto.h send524.c
-sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/cm.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- os-proto.h sendto_kdc.c
-sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h os-proto.h sn2princ.c
-thread_safe.so thread_safe.po $(OUTPRE)thread_safe.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- thread_safe.c
-timeofday.so timeofday.po $(OUTPRE)timeofday.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- timeofday.c
-toffset.so toffset.po $(OUTPRE)toffset.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h toffset.c
-unlck_file.so unlck_file.po $(OUTPRE)unlck_file.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- unlck_file.c
-ustime.so ustime.po $(OUTPRE)ustime.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ustime.c
-write_msg.so write_msg.po $(OUTPRE)write_msg.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- write_msg.c
-t_an_to_ln.so t_an_to_ln.po $(OUTPRE)t_an_to_ln.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- t_an_to_ln.c
-t_gifconf.so t_gifconf.po $(OUTPRE)t_gifconf.$(OBJEXT): \
- t_gifconf.c
-t_locate_kdc.so t_locate_kdc.po $(OUTPRE)t_locate_kdc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h dnsglue.c dnsglue.h \
- dnssrv.c locate_kdc.c os-proto.h t_locate_kdc.c
-t_realm_iter.so t_realm_iter.po $(OUTPRE)t_realm_iter.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- t_realm_iter.c
-t_std_conf.so t_std_conf.po $(OUTPRE)t_std_conf.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h os-proto.h t_std_conf.c
Modified: branches/mkey_migrate/src/lib/krb5/os/accessor.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/accessor.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/accessor.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -67,16 +67,11 @@
SC (free_srv_dns_data, krb5int_free_srv_dns_data),
SC (use_dns_kdc, _krb5_use_dns_kdc),
#undef SC
+ S (clean_hostname, krb5int_clean_hostname),
-#ifdef KRB5_KRB4_COMPAT
-#define SC(FIELD, VAL) S(FIELD, VAL)
-#else /* disable */
-#define SC(FIELD, VAL) S(FIELD, 0)
-#endif
- SC (krb_life_to_time, krb5int_krb_life_to_time),
- SC (krb_time_to_life, krb5int_krb_time_to_life),
- SC (krb524_encode_v4tkt, krb5int_encode_v4tkt),
-#undef SC
+ S (krb_life_to_time, 0),
+ S (krb_time_to_life, 0),
+ S (krb524_encode_v4tkt, 0),
S (krb5int_c_mandatory_cksumtype, krb5int_c_mandatory_cksumtype),
#ifndef LEAN_CLIENT
@@ -134,6 +129,9 @@
SC (encode_krb5_authdata_elt, encode_krb5_authdata_elt),
#undef SC
+ S (encode_krb5_sam_response_2, encode_krb5_sam_response_2),
+ S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2),
+
#if DESIGNATED_INITIALIZERS
};
#else
Modified: branches/mkey_migrate/src/lib/krb5/os/an_to_ln.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/an_to_ln.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/an_to_ln.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -600,9 +600,7 @@
kret = aname_replacer(selstring, ¤t, &outstring);
if (outstring) {
/* Copy out the value if there's enough room */
- if (strlen(outstring)+1 <= (size_t) lnsize)
- strcpy(lname, outstring);
- else
+ if (strlcpy(lname, outstring, lnsize) >= lnsize)
kret = KRB5_CONFIG_NOTENUFSPACE;
free(outstring);
}
@@ -728,9 +726,8 @@
}
/* Copy out the value if there's enough room */
- if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)
- strcpy(lname, mapping_values[nvalid-1]);
- else
+ if (strlcpy(lname, mapping_values[nvalid-1],
+ lnsize) >= lnsize)
kret = KRB5_CONFIG_NOTENUFSPACE;
/* Free residue */
Modified: branches/mkey_migrate/src/lib/krb5/os/ccdefname.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/ccdefname.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/ccdefname.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -251,13 +251,9 @@
if (name != NULL) {
if (!err) {
/* If the name isn't NULL, make a copy of it */
- new_ccname = malloc (strlen (name) + 1);
+ new_ccname = strdup (name);
if (new_ccname == NULL) { err = ENOMEM; }
}
-
- if (!err) {
- strcpy (new_ccname, name);
- }
}
if (!err) {
Modified: branches/mkey_migrate/src/lib/krb5/os/changepw.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/changepw.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/changepw.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -34,6 +34,7 @@
#include "k5-int.h"
#include "os-proto.h"
#include "cm.h"
+#include "../krb/auth_con.h"
#include <stdio.h>
#include <errno.h>
@@ -48,6 +49,7 @@
krb5_principal set_password_for;
char *newpw;
krb5_data ap_req;
+ krb5_ui_4 remote_seq_num, local_seq_num;
};
/*
@@ -62,11 +64,12 @@
int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kpasswd, sockType, 0);
+ locate_service_kpasswd, sockType, AF_INET);
if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kadmin, SOCK_STREAM, 0);
+ locate_service_kadmin, SOCK_STREAM,
+ AF_INET);
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the socktype. */
@@ -159,6 +162,9 @@
&local_kaddr, NULL)))
goto cleanup;
+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+ ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
if (ctx->set_password_for)
code = krb5int_mk_setpw_req(ctx->context,
ctx->auth_context,
@@ -208,6 +214,7 @@
struct sockaddr_storage remote_addr;
struct addrlist al = ADDRLIST_INIT;
+ memset(&chpw_rep, 0, sizeof(krb5_data));
memset( &callback_ctx, 0, sizeof(struct sendto_callback_context));
callback_ctx.context = context;
callback_ctx.newpw = newpw;
@@ -225,6 +232,9 @@
&callback_ctx.ap_req)))
goto cleanup;
+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
do {
if ((code = krb5_locate_kpasswd(callback_ctx.context,
krb5_princ_realm(callback_ctx.context,
@@ -330,6 +340,7 @@
krb5int_free_addrlist (&al);
krb5_free_data_contents(callback_ctx.context, &callback_ctx.ap_req);
+ krb5_free_data_contents(callback_ctx.context, &chpw_rep);
return(code);
}
Modified: branches/mkey_migrate/src/lib/krb5/os/def_realm.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/def_realm.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/def_realm.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -72,7 +72,6 @@
krb5_get_default_realm(krb5_context context, char **lrealm)
{
char *realm = 0;
- char *cp;
krb5_error_code retval;
if (!context || (context->magic != KV5M_CONTEXT))
@@ -90,12 +89,11 @@
&realm);
if (!retval && realm) {
- context->default_realm = malloc(strlen(realm) + 1);
+ context->default_realm = strdup(realm);
if (!context->default_realm) {
profile_release_string(realm);
return ENOMEM;
}
- strcpy(context->default_realm, realm);
profile_release_string(realm);
}
}
@@ -155,9 +153,8 @@
realm = context->default_realm;
- if (!(*lrealm = cp = malloc((unsigned int) strlen(realm) + 1)))
+ if (!(*lrealm = strdup(realm)))
return ENOMEM;
- strcpy(cp, realm);
return(0);
}
@@ -176,12 +173,11 @@
NULL */
if (!lrealm) return 0;
- context->default_realm = malloc(strlen (lrealm) + 1);
+ context->default_realm = strdup(lrealm);
if (!context->default_realm)
return ENOMEM;
- strcpy(context->default_realm, lrealm);
return(0);
}
Copied: branches/mkey_migrate/src/lib/krb5/os/deps (from rev 21721, trunk/src/lib/krb5/os/deps)
Modified: branches/mkey_migrate/src/lib/krb5/os/dnssrv.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/dnssrv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/dnssrv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -60,10 +60,11 @@
struct srv_dns_entry **answers)
{
const unsigned char *p = NULL, *base = NULL;
- char host[MAXDNAME], *h;
- int size, ret, rdlen, nlen;
+ char host[MAXDNAME];
+ int size, ret, rdlen, nlen, len;
unsigned short priority, weight, port;
struct krb5int_dns_state *ds = NULL;
+ struct k5buf buf;
struct srv_dns_entry *head = NULL;
struct srv_dns_entry *srv = NULL, *entry = NULL;
@@ -81,13 +82,9 @@
if (memchr(realm->data, 0, realm->length))
return 0;
- if ( strlen(service) + strlen(protocol) + realm->length + 6
- > MAXDNAME )
- return 0;
- if (snprintf(host, sizeof(host), "%s.%s.%.*s",
- service, protocol, (int) realm->length,
- realm->data) >= sizeof(host))
- return 0;
+ krb5int_buf_init_fixed(&buf, host, sizeof(host));
+ krb5int_buf_add_fmt(&buf, "%s.%s.", service, protocol);
+ krb5int_buf_add_len(&buf, realm->data, realm->length);
/* Realm names don't (normally) end with ".", but if the query
doesn't end with "." and doesn't get an answer as is, the
@@ -98,10 +95,13 @@
a search on the prefix alone then the intention is to allow
the local domain or domain search lists to be expanded. */
- h = host + strlen (host);
- if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
- strcpy (h, ".");
+ len = krb5int_buf_len(&buf);
+ if (len > 0 && host[len - 1] != '.')
+ krb5int_buf_add(&buf, ".");
+ if (krb5int_buf_data(&buf) == NULL)
+ return 0;
+
#ifdef TEST
fprintf (stderr, "sending DNS SRV query for %s\n", host);
#endif
@@ -144,10 +144,7 @@
srv->port = port;
/* The returned names are fully qualified. Don't let the
local resolver code do domain search path stuff. */
- if (strlen(host) + 2 < sizeof(host))
- strcat(host, ".");
- srv->host = strdup(host);
- if (srv->host == NULL) {
+ if (asprintf(&srv->host, "%s.", host) < 0) {
free(srv);
goto out;
}
Modified: branches/mkey_migrate/src/lib/krb5/os/hst_realm.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/hst_realm.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/hst_realm.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -78,6 +78,10 @@
#include "fake-addrinfo.h"
+static krb5_error_code
+domain_heuristic(krb5_context context, const char *domain,
+ char **realm, int limit);
+
#ifdef KRB5_DNS_LOOKUP
#include "dnsglue.h"
@@ -90,23 +94,20 @@
{
krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
const unsigned char *p, *base;
- char host[MAXDNAME], *h;
+ char host[MAXDNAME];
int ret, rdlen, len;
struct krb5int_dns_state *ds = NULL;
+ struct k5buf buf;
/*
* Form our query, and send it via DNS
*/
+ krb5int_buf_init_fixed(&buf, host, sizeof(host));
if (name == NULL || name[0] == '\0') {
- if (strlen (prefix) >= sizeof(host)-1)
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- strcpy(host,prefix);
+ krb5int_buf_add(&buf, prefix);
} else {
- if ( strlen(prefix) + strlen(name) + 3 > MAXDNAME )
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- if (snprintf(host, sizeof(host), "%s.%s", prefix, name) >= sizeof(host))
- return KRB5_ERR_HOST_REALM_UNKNOWN;
+ krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
/* Realm names don't (normally) end with ".", but if the query
doesn't end with "." and doesn't get an answer as is, the
@@ -118,10 +119,12 @@
the local domain or domain search lists to be expanded.
*/
- h = host + strlen (host);
- if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
- strcpy (h, ".");
+ len = krb5int_buf_len(&buf);
+ if (len > 0 && host[len - 1] != '.')
+ krb5int_buf_add(&buf, ".");
}
+ if (krb5int_buf_data(&buf) == NULL)
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
if (ret < 0)
goto errout;
@@ -250,19 +253,17 @@
#ifdef DEBUG_REFERRALS
printf(" temp_realm is %s\n",temp_realm);
#endif
- realm = malloc(strlen(temp_realm) + 1);
+ realm = strdup(temp_realm);
if (!realm) {
profile_release_string(temp_realm);
return ENOMEM;
}
- strcpy(realm, temp_realm);
profile_release_string(temp_realm);
}
if (realm == (char *)NULL) {
- if (!(cp = (char *)malloc(strlen(KRB5_REFERRAL_REALM)+1)))
+ if (!(cp = strdup(KRB5_REFERRAL_REALM)))
return ENOMEM;
- strcpy(cp, KRB5_REFERRAL_REALM);
realm = cp;
}
@@ -337,7 +338,7 @@
krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***realmsp)
{
char **retrealms;
- char *default_realm, *realm, *cp, *temp_realm;
+ char *realm, *cp;
krb5_error_code retval;
char local_host[MAXDNAME+1], host[MAXDNAME+1];
@@ -351,72 +352,71 @@
krb5int_clean_hostname(context, host, local_host, sizeof local_host);
- /* Scan hostname for DNS realm, and save as last-ditch realm
- assumption. */
- cp = local_host;
-#ifdef DEBUG_REFERRALS
- printf(" local_host: %s\n",local_host);
-#endif
- realm = default_realm = (char *)NULL;
- temp_realm = 0;
- while (cp && !default_realm) {
- if (*cp == '.') {
- cp++;
- if (default_realm == (char *)NULL) {
- /* If nothing else works, use the host's domain */
- default_realm = cp;
- }
- } else {
- cp = strchr(cp, '.');
- }
+ /*
+ * Try looking up a _kerberos.<hostname> TXT record in DNS. This
+ * heuristic is turned off by default since, in the absence of
+ * secure DNS, it can allow an attacker to control the realm used
+ * for a host.
+ */
+ realm = (char *)NULL;
+#ifdef KRB5_DNS_LOOKUP
+ if (_krb5_use_dns_realm(context)) {
+ cp = local_host;
+ do {
+ retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
+ cp = strchr(cp,'.');
+ if (cp)
+ cp++;
+ } while (retval && cp && cp[0]);
}
-#ifdef DEBUG_REFERRALS
- printf(" done finding DNS-based default realm: >%s<\n",default_realm);
-#endif
+#endif /* KRB5_DNS_LOOKUP */
-#ifdef KRB5_DNS_LOOKUP
+ /*
+ * Next try searching the domain components as realms. This
+ * heuristic is also turned off by default. If DNS lookups for
+ * KDCs are enabled (as they are by default), an attacker could
+ * control which domain component is used as the realm for a host.
+ */
if (realm == (char *)NULL) {
- int use_dns = _krb5_use_dns_realm(context);
- if ( use_dns ) {
- /*
- * Since this didn't appear in our config file, try looking
- * it up via DNS. Look for a TXT records of the form:
- *
- * _kerberos.<hostname>
- *
- */
- cp = local_host;
- do {
- retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
- cp = strchr(cp,'.');
- if (cp)
- cp++;
- } while (retval && cp && cp[0]);
- }
+ int limit;
+ errcode_t code;
+
+ code = profile_get_integer(context->profile, "libdefaults",
+ "realm_try_domains", 0, -1, &limit);
+ if (code == 0) {
+ retval = domain_heuristic(context, local_host, &realm, limit);
+ if (retval)
+ return retval;
+ }
}
-#endif /* KRB5_DNS_LOOKUP */
-
+ /*
+ * The next fallback--and the first one to apply with default
+ * configuration--is to use the upper-cased parent domain of the
+ * hostname, regardless of whether we can actually look it up as a
+ * realm.
+ */
if (realm == (char *)NULL) {
- if (default_realm != (char *)NULL) {
- /* We are defaulting to the realm of the host */
- if (!(cp = (char *)malloc(strlen(default_realm)+1)))
- return ENOMEM;
- strcpy(cp, default_realm);
- realm = cp;
-
- /* Assume the realm name is upper case */
+ cp = strchr(local_host, '.');
+ if (cp) {
+ if (!(realm = strdup(cp + 1)))
+ return ENOMEM;
for (cp = realm; *cp; cp++)
if (islower((int) (*cp)))
*cp = toupper((int) *cp);
- } else {
- /* We are defaulting to the local realm */
- retval = krb5_get_default_realm(context, &realm);
- if (retval) {
- return retval;
- }
- }
+ }
}
+
+ /*
+ * The final fallback--used when the fully-qualified hostname has
+ * only one component--is to use the local default realm.
+ */
+ if (realm == (char *)NULL) {
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
+ }
+
if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) {
if (realm != (char *)NULL)
free(realm);
@@ -492,3 +492,70 @@
#endif
return 0;
}
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * Walk through the components of a domain. At each stage determine
+ * if a KDC can be located for that domain. Return a realm
+ * corresponding to the upper-cased domain name for which a KDC was
+ * found or NULL if no KDC was found. Stop searching after limit
+ * labels have been removed from the domain (-1 means don't search at
+ * all, 0 means try only the full domain itself, 1 means also try the
+ * parent domain, etc.) or when we reach a parent with only one label.
+ */
+static krb5_error_code
+domain_heuristic(krb5_context context, const char *domain,
+ char **realm, int limit)
+{
+ krb5_error_code retval = 0, r;
+ struct addrlist alist;
+ krb5_data drealm;
+ char *cp = NULL;
+ char *fqdn = NULL;
+
+ *realm = NULL;
+ if (limit < 0)
+ return 0;
+
+ memset(&drealm, 0, sizeof (drealm));
+ if (!(fqdn = strdup(domain))) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ /* Upper case the domain (for use as a realm) */
+ for (cp = fqdn; *cp; cp++)
+ if (islower((int)(*cp)))
+ *cp = toupper((int)*cp);
+
+ /* Search up to limit parents, as long as we have multiple labels. */
+ cp = fqdn;
+ while (limit-- >= 0 && strchr(cp, '.') != NULL) {
+
+ drealm.length = strlen(cp);
+ drealm.data = cp;
+
+ /* Find a kdc based on this part of the domain name. */
+ r = krb5_locate_kdc(context, &drealm, &alist, 0, SOCK_DGRAM, 0);
+ if (!r) { /* Found a KDC! */
+ krb5int_free_addrlist(&alist);
+ if (!(*realm = strdup(cp))) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ break;
+ }
+
+ cp = strchr(cp, '.');
+ cp++;
+ }
+
+cleanup:
+ if (fqdn)
+ free(fqdn);
+ return retval;
+}
Modified: branches/mkey_migrate/src/lib/krb5/os/init_os_ctx.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/init_os_ctx.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/init_os_ctx.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -198,9 +198,8 @@
char *env = getenv("KRB5_CONFIG");
if (env)
{
- name = malloc(strlen(env) + 1);
+ name = strdup(env);
if (!name) return ENOMEM;
- strcpy(name, env);
}
}
if (!name && !secure)
@@ -420,7 +419,6 @@
return profile_copy (ctx->profile, profile);
}
-
krb5_error_code
krb5_set_config_files(krb5_context ctx, const char **filenames)
{
Modified: branches/mkey_migrate/src/lib/krb5/os/ktdefname.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/ktdefname.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/ktdefname.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,22 +44,19 @@
unsigned int namesize = (name_size < 0 ? 0 : name_size);
if (krb5_overridekeyname) {
- if (namesize < (strlen(krb5_overridekeyname)+1))
+ if (strlcpy(name, krb5_overridekeyname, namesize) >= namesize)
return KRB5_CONFIG_NOTENUFSPACE;
- strcpy(name, krb5_overridekeyname);
} else if ((context->profile_secure == FALSE) &&
(cp = getenv("KRB5_KTNAME"))) {
- if (namesize < (strlen(cp)+1))
+ if (strlcpy(name, cp, namesize) >= namesize)
return KRB5_CONFIG_NOTENUFSPACE;
- strcpy(name, cp);
} else if ((profile_get_string(context->profile,
"libdefaults",
"default_keytab_name", NULL,
NULL, &retval) == 0) &&
retval) {
- if (namesize < (strlen(retval)+1))
+ if (strlcpy(name, retval, namesize) >= namesize)
return KRB5_CONFIG_NOTENUFSPACE;
- strcpy(name, retval);
profile_release_string(retval);
} else {
#if defined(_WIN32)
@@ -74,9 +71,8 @@
snprintf(name, namesize, krb5_defkeyname, defname);
}
#else
- if (namesize < (strlen(krb5_defkeyname)+1))
+ if (strlcpy(name, krb5_defkeyname, namesize) >= namesize)
return KRB5_CONFIG_NOTENUFSPACE;
- strcpy(name, krb5_defkeyname);
#endif
}
return 0;
Modified: branches/mkey_migrate/src/lib/krb5/os/promptusr.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/promptusr.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/promptusr.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -90,11 +90,10 @@
} while (ch != EOF && ch != '\n');
read_string[sizeof(read_string)-1] = 0;
- if ((p->response = malloc(strlen(read_string)+1)) == NULL) {
+ if ((p->response = strdup(read_string)) == NULL) {
errno = ENOMEM;
goto cleanup;
}
- strcpy(p->response, read_string);
if ((p->flags & KRB5_UIO_ECHORESPONSE) == 0) {
(void) putchar('\n');
Modified: branches/mkey_migrate/src/lib/krb5/os/realm_dom.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/realm_dom.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/realm_dom.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -55,11 +55,9 @@
"default_domain", realm, &temp_domain);
if (!retval && temp_domain)
{
- *domain = malloc(strlen(temp_domain) + 1);
+ *domain = strdup(temp_domain);
if (!*domain) {
retval = ENOMEM;
- } else {
- strcpy(*domain, temp_domain);
}
profile_release_string(temp_domain);
}
Deleted: branches/mkey_migrate/src/lib/krb5/os/send524.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/send524.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/send524.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,107 +0,0 @@
-/*
- * Copyright 1990,1991,1997 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Send a packet to a service and await a reply, using an exponential
- * backoff retry algorithm. This is based on krb5_sendto_kdc.
- */
-
-/* Grab socket stuff. This might want to go away later. */
-#include "fake-addrinfo.h" /* for custom addrinfo if needed */
-#include "k5-int.h"
-
-#ifndef _WIN32
-#include <unistd.h>
-#include <sys/time.h>
-#endif
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "os-proto.h"
-
-/*
- * krb524_sendto_kdc:
- *
- * A slightly modified version of krb5_sendto_kdc.
- *
- * send the formatted request 'message' to a KDC for realm 'realm' and
- * return the response (if any) in 'reply'.
- *
- * If the message is sent and a response is received, 0 is returned,
- * otherwise an error code is returned.
- *
- * The storage for 'reply' is allocated and should be freed by the caller
- * when finished.
- */
-
-krb5_error_code
-krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen)
- krb5_context context;
- const krb5_data * message;
- const krb5_data * realm;
- krb5_data * reply;
- struct sockaddr *addr;
- socklen_t *addrlen;
-{
-#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */
- int i;
- struct addrlist al = ADDRLIST_INIT;
- struct servent *serv;
- krb5_error_code retval;
- int port;
-
- /*
- * find KDC location(s) for realm
- */
-
- serv = getservbyname(KRB524_SERVICE, "udp");
- port = serv ? serv->s_port : htons (KRB524_PORT);
-
- retval = krb5int_locate_server(context, realm, &al, locate_service_krb524,
- SOCK_DGRAM, PF_INET);
- if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) {
- /* Fallback heuristic: Assume krb524 port on every KDC might
- work. */
- retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET);
- /*
- * Bash the ports numbers.
- */
- if (retval == 0)
- for (i = 0; i < al.naddrs; i++) {
- al.addrs[i].ai->ai_socktype = SOCK_DGRAM;
- if (al.addrs[i].ai->ai_family == AF_INET)
- sa2sin (al.addrs[i].ai->ai_addr)->sin_port = port;
- }
- }
- if (retval)
- return retval;
- if (al.naddrs == 0)
- return KRB5_REALM_UNKNOWN;
-
- retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL, NULL, NULL);
- krb5int_free_addrlist (&al);
- return retval;
-#else
- return KRB524_KRB4_DISABLED;
-#endif
-}
Modified: branches/mkey_migrate/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/sendto_kdc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/sendto_kdc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -116,6 +116,7 @@
#define max(a,b) ((a) > (b) ? (a) : (b))
#endif
char tmpbuf[max(NI_MAXHOST + NI_MAXSERV + 30, 200)];
+ struct k5buf buf;
if (!krb5int_debug_sendto_kdc)
return;
@@ -221,26 +222,27 @@
case 'A':
/* %A => addrinfo */
ai = va_arg(args, struct addrinfo *);
+ krb5int_buf_init_dynamic(&buf);
if (ai->ai_socktype == SOCK_DGRAM)
- strcpy(tmpbuf, "dgram");
+ krb5int_buf_add(&buf, "dgram");
else if (ai->ai_socktype == SOCK_STREAM)
- strcpy(tmpbuf, "stream");
+ krb5int_buf_add(&buf, "stream");
else
- snprintf(tmpbuf, sizeof(tmpbuf), "socktype%d", ai->ai_socktype);
+ krb5int_buf_add_fmt(&buf, "socktype%d", ai->ai_socktype);
+
if (0 != getnameinfo (ai->ai_addr, ai->ai_addrlen,
addrbuf, sizeof (addrbuf),
portbuf, sizeof (portbuf),
NI_NUMERICHOST | NI_NUMERICSERV)) {
if (ai->ai_addr->sa_family == AF_UNSPEC)
- strcpy(tmpbuf + strlen(tmpbuf), " AF_UNSPEC");
+ krb5int_buf_add(&buf, " AF_UNSPEC");
else
- snprintf(tmpbuf + strlen(tmpbuf),
- sizeof(tmpbuf)-strlen(tmpbuf),
- " af%d", ai->ai_addr->sa_family);
+ krb5int_buf_add_fmt(&buf, " af%d", ai->ai_addr->sa_family);
} else
- snprintf(tmpbuf + strlen(tmpbuf), sizeof(tmpbuf)-strlen(tmpbuf),
- " %s.%s", addrbuf, portbuf);
- putstr(tmpbuf);
+ krb5int_buf_add_fmt(&buf, " %s.%s", addrbuf, portbuf);
+ if (krb5int_buf_data(&buf))
+ putstr(krb5int_buf_data(&buf));
+ krb5int_free_buf(&buf);
break;
case 'D':
/* %D => krb5_data * */
Modified: branches/mkey_migrate/src/lib/krb5/os/sn2princ.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/sn2princ.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/sn2princ.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -107,6 +107,7 @@
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
+ hints.ai_flags = AI_CANONNAME;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
@@ -147,7 +148,8 @@
if (!remote_host)
return ENOMEM;
}
- }
+ } else
+ freeaddrinfo(ai);
} else /* type == KRB5_NT_UNKNOWN */ {
remote_host = strdup(hostname);
}
Modified: branches/mkey_migrate/src/lib/krb5/os/t_gifconf.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/t_gifconf.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/t_gifconf.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -97,7 +97,7 @@
/* Solaris returns "Invalid argument" if the buffer is too
small. AIX and Linux return no error indication. */
int e = errno;
- sprintf (buffer, "SIOCGIFCONF(%d)", t);
+ snprintf (buffer, sizeof(buffer), "SIOCGIFCONF(%d)", t);
errno = e;
perror (buffer);
if (e == EINVAL)
Modified: branches/mkey_migrate/src/lib/krb5/os/t_locate_kdc.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/t_locate_kdc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/t_locate_kdc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -37,7 +37,7 @@
case SOCK_RAW:
return "raw";
default:
- sprintf(buf, "?%d", stype);
+ snprintf(buf, sizeof(buf), "?%d", stype);
return buf;
}
}
Modified: branches/mkey_migrate/src/lib/krb5/os/timeofday.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/os/timeofday.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/os/timeofday.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -35,9 +35,13 @@
krb5_error_code KRB5_CALLCONV
krb5_timeofday(krb5_context context, register krb5_timestamp *timeret)
{
- krb5_os_context os_ctx = &context->os_context;
+ krb5_os_context os_ctx;
time_t tval;
+ if (context == NULL)
+ return EINVAL;
+
+ os_ctx = &context->os_context;
if (os_ctx->os_flags & KRB5_OS_TOFFSET_TIME) {
*timeret = os_ctx->time_offset;
return 0;
Modified: branches/mkey_migrate/src/lib/krb5/rcache/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -45,84 +45,3 @@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-rc_base.so rc_base.po $(OUTPRE)rc_base.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h rc_base.c \
- rc_base.h
-rc_dfl.so rc_dfl.po $(OUTPRE)rc_dfl.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h rc_base.h \
- rc_dfl.c rc_dfl.h rc_io.h
-rc_io.so rc_io.po $(OUTPRE)rc_io.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc_base.h rc_dfl.h \
- rc_io.c rc_io.h
-rcdef.so rcdef.po $(OUTPRE)rcdef.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h rc_dfl.h \
- rcdef.c
-rc_none.so rc_none.po $(OUTPRE)rc_none.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h rc_none.c
-rc_conv.so rc_conv.po $(OUTPRE)rc_conv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc_base.h rc_conv.c
-ser_rc.so ser_rc.po $(OUTPRE)ser_rc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h ser_rc.c
-rcfns.so rcfns.po $(OUTPRE)rcfns.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h rc-int.h rcfns.c
Copied: branches/mkey_migrate/src/lib/krb5/rcache/deps (from rev 21721, trunk/src/lib/krb5/rcache/deps)
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc-int.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc-int.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc-int.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/rc-int.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
+ *
* This file contains constant and function declarations used in the
* file-based replay cache routines.
*/
@@ -46,25 +47,25 @@
krb5_magic magic;
char *type;
krb5_error_code (KRB5_CALLCONV *init)
- (krb5_context, krb5_rcache,krb5_deltat); /* create */
+ (krb5_context, krb5_rcache,krb5_deltat); /* create */
krb5_error_code (KRB5_CALLCONV *recover)
- (krb5_context, krb5_rcache); /* open */
+ (krb5_context, krb5_rcache); /* open */
krb5_error_code (KRB5_CALLCONV *recover_or_init)
- (krb5_context, krb5_rcache,krb5_deltat);
+ (krb5_context, krb5_rcache,krb5_deltat);
krb5_error_code (KRB5_CALLCONV *destroy)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *close)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *store)
- (krb5_context, krb5_rcache,krb5_donot_replay *);
+ (krb5_context, krb5_rcache,krb5_donot_replay *);
krb5_error_code (KRB5_CALLCONV *expunge)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *get_span)
- (krb5_context, krb5_rcache,krb5_deltat *);
+ (krb5_context, krb5_rcache,krb5_deltat *);
char *(KRB5_CALLCONV *get_name)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *resolve)
- (krb5_context, krb5_rcache, char *);
+ (krb5_context, krb5_rcache, char *);
};
typedef struct _krb5_rc_ops krb5_rc_ops;
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_base.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_base.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_base.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_base.c
*
@@ -6,7 +7,6 @@
*
*/
-
/*
* Base "glue" functions for the replay cache.
*/
@@ -35,29 +35,29 @@
struct krb5_rc_typelist *t, *t_next;
k5_mutex_destroy(&rc_typelist_lock);
for (t = typehead; t != &krb5_rc_typelist_dfl; t = t_next) {
- t_next = t->next;
- free(t);
+ t_next = t->next;
+ free(t);
}
}
krb5_error_code krb5_rc_register_type(krb5_context context,
- const krb5_rc_ops *ops)
+ const krb5_rc_ops *ops)
{
struct krb5_rc_typelist *t;
krb5_error_code err;
err = k5_mutex_lock(&rc_typelist_lock);
if (err)
- return err;
+ return err;
for (t = typehead;t && strcmp(t->ops->type,ops->type);t = t->next)
- ;
+ ;
if (t) {
- k5_mutex_unlock(&rc_typelist_lock);
- return KRB5_RC_TYPE_EXISTS;
+ k5_mutex_unlock(&rc_typelist_lock);
+ return KRB5_RC_TYPE_EXISTS;
}
t = (struct krb5_rc_typelist *) malloc(sizeof(struct krb5_rc_typelist));
if (t == NULL) {
- k5_mutex_unlock(&rc_typelist_lock);
- return KRB5_RC_MALLOC;
+ k5_mutex_unlock(&rc_typelist_lock);
+ return KRB5_RC_MALLOC;
}
t->next = typehead;
t->ops = ops;
@@ -67,18 +67,18 @@
}
krb5_error_code krb5_rc_resolve_type(krb5_context context, krb5_rcache *id,
- char *type)
+ char *type)
{
struct krb5_rc_typelist *t;
krb5_error_code err;
err = k5_mutex_lock(&rc_typelist_lock);
if (err)
- return err;
+ return err;
for (t = typehead;t && strcmp(t->ops->type,type);t = t->next)
- ;
+ ;
if (!t) {
- k5_mutex_unlock(&rc_typelist_lock);
- return KRB5_RC_TYPE_NOTFOUND;
+ k5_mutex_unlock(&rc_typelist_lock);
+ return KRB5_RC_TYPE_NOTFOUND;
}
/* allocate *id? nah */
(*id)->ops = t->ops;
@@ -95,18 +95,18 @@
{
char *s;
if ((s = getenv("KRB5RCACHETYPE")))
- return s;
+ return s;
else
- return "dfl";
+ return "dfl";
}
char * krb5_rc_default_name(krb5_context context)
{
char *s;
if ((s = getenv("KRB5RCACHENAME")))
- return s;
+ return s;
else
- return (char *) 0;
+ return (char *) 0;
}
krb5_error_code
@@ -115,18 +115,18 @@
krb5_error_code retval;
if (!(*id = (krb5_rcache )malloc(sizeof(**id))))
- return KRB5_RC_MALLOC;
+ return KRB5_RC_MALLOC;
- if ((retval = krb5_rc_resolve_type(context, id,
- krb5_rc_default_type(context)))) {
- FREE(*id);
- return retval;
+ if ((retval = krb5_rc_resolve_type(context, id,
+ krb5_rc_default_type(context)))) {
+ FREE(*id);
+ return retval;
}
- if ((retval = krb5_rc_resolve(context, *id,
- krb5_rc_default_name(context)))) {
- k5_mutex_destroy(&(*id)->lock);
- FREE(*id);
- return retval;
+ if ((retval = krb5_rc_resolve(context, *id,
+ krb5_rc_default_name(context)))) {
+ k5_mutex_destroy(&(*id)->lock);
+ FREE(*id);
+ return retval;
}
(*id)->magic = KV5M_RCACHE;
return retval;
@@ -141,31 +141,30 @@
unsigned int diff;
if (!(residual = strchr(string_name,':')))
- return KRB5_RC_PARSE;
-
+ return KRB5_RC_PARSE;
+
diff = residual - string_name;
if (!(type = malloc(diff + 1)))
- return KRB5_RC_MALLOC;
+ return KRB5_RC_MALLOC;
(void) strncpy(type, string_name, diff);
type[residual - string_name] = '\0';
if (!(*id = (krb5_rcache) malloc(sizeof(**id)))) {
- FREE(type);
- return KRB5_RC_MALLOC;
+ FREE(type);
+ return KRB5_RC_MALLOC;
}
if ((retval = krb5_rc_resolve_type(context, id,type))) {
- FREE(type);
- FREE(*id);
- return retval;
+ FREE(type);
+ FREE(*id);
+ return retval;
}
FREE(type);
if ((retval = krb5_rc_resolve(context, *id,residual + 1))) {
- k5_mutex_destroy(&(*id)->lock);
- FREE(*id);
- return retval;
+ k5_mutex_destroy(&(*id)->lock);
+ FREE(*id);
+ return retval;
}
(*id)->magic = KV5M_RCACHE;
return retval;
}
-
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_base.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_base.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_base.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_base.h
*
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_conv.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_conv.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_conv.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_conv.c
*
@@ -6,7 +7,6 @@
*
*/
-
/*
* An implementation for the default replay cache type.
*/
@@ -16,23 +16,23 @@
#include "rc_base.h"
/*
-Local stuff:
- krb5_auth_to_replay(context, krb5_tkt_authent *auth,krb5_donot_replay *rep)
+ Local stuff:
+ krb5_auth_to_replay(context, krb5_tkt_authent *auth,krb5_donot_replay *rep)
given auth, take important information and make rep; return -1 if failed
*/
krb5_error_code
krb5_auth_to_rep(krb5_context context, krb5_tkt_authent *auth, krb5_donot_replay *rep)
{
- krb5_error_code retval;
- rep->cusec = auth->authenticator->cusec;
- rep->ctime = auth->authenticator->ctime;
- if ((retval = krb5_unparse_name(context, auth->ticket->server, &rep->server)))
- return retval; /* shouldn't happen */
- if ((retval = krb5_unparse_name(context, auth->authenticator->client,
- &rep->client))) {
- FREE(rep->server);
- return retval; /* shouldn't happen. */
- }
- return 0;
+ krb5_error_code retval;
+ rep->cusec = auth->authenticator->cusec;
+ rep->ctime = auth->authenticator->ctime;
+ if ((retval = krb5_unparse_name(context, auth->ticket->server, &rep->server)))
+ return retval; /* shouldn't happen */
+ if ((retval = krb5_unparse_name(context, auth->authenticator->client,
+ &rep->client))) {
+ FREE(rep->server);
+ return retval; /* shouldn't happen. */
+ }
+ return 0;
}
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_dfl.c
*
@@ -6,7 +7,6 @@
*
*/
-
/*
* An implementation for the default replay cache type.
*/
@@ -22,23 +22,23 @@
*/
/*
-Local stuff:
+ Local stuff:
-static int hash(krb5_donot_replay *rep, int hsize)
+ static int hash(krb5_donot_replay *rep, int hsize)
returns hash value of *rep, between 0 and hsize - 1
-HASHSIZE
+ HASHSIZE
size of hash table (constant), can be preset
-static int cmp(krb5_donot_replay *old, krb5_donot_replay *new, krb5_deltat t)
+ static int cmp(krb5_donot_replay *old, krb5_donot_replay *new, krb5_deltat t)
compare old and new; return CMP_REPLAY or CMP_HOHUM
-static int alive(krb5_context, krb5_donot_replay *new, krb5_deltat t)
+ static int alive(krb5_context, krb5_donot_replay *new, krb5_deltat t)
see if new is still alive; return CMP_EXPIRED or CMP_HOHUM
-CMP_MALLOC, CMP_EXPIRED, CMP_REPLAY, CMP_HOHUM
+ CMP_MALLOC, CMP_EXPIRED, CMP_REPLAY, CMP_HOHUM
return codes from cmp(), alive(), and store()
-struct dfl_data
+ struct dfl_data
data stored in this cache type, namely "dfl"
-struct authlist
+ struct authlist
multilinked list of reps
-static int rc_store(context, krb5_rcache id, krb5_donot_replay *rep)
+ static int rc_store(context, krb5_rcache id, krb5_donot_replay *rep)
store rep in cache id; return CMP_REPLAY if replay, else CMP_MALLOC/CMP_HOHUM
*/
@@ -83,10 +83,10 @@
cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t)
{
if ((old->cusec == new1->cusec) && /* most likely to distinguish */
- (old->ctime == new1->ctime) &&
- (strcmp(old->client, new1->client) == 0) &&
- (strcmp(old->server, new1->server) == 0)) /* always true */
- return CMP_REPLAY;
+ (old->ctime == new1->ctime) &&
+ (strcmp(old->client, new1->client) == 0) &&
+ (strcmp(old->server, new1->server) == 0)) /* always true */
+ return CMP_REPLAY;
return CMP_HOHUM;
}
@@ -94,10 +94,10 @@
alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
{
if (mytime == 0)
- return CMP_HOHUM; /* who cares? */
+ return CMP_HOHUM; /* who cares? */
/* I hope we don't have to worry about overflow */
if (new1->ctime + t < mytime)
- return CMP_EXPIRED;
+ return CMP_EXPIRED;
return CMP_HOHUM;
}
@@ -128,7 +128,7 @@
static int
rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep,
- krb5_int32 now)
+ krb5_int32 now)
{
struct dfl_data *t = (struct dfl_data *)id->data;
unsigned int rephash;
@@ -137,34 +137,34 @@
rephash = hash(rep, t->hsize);
for (ta = t->h[rephash]; ta; ta = ta->nh) {
- switch(cmp(&ta->rep, rep, t->lifespan))
- {
- case CMP_REPLAY:
- return CMP_REPLAY;
- case CMP_HOHUM:
- if (alive(now, &ta->rep, t->lifespan) == CMP_EXPIRED)
- t->nummisses++;
- else
- t->numhits++;
- break;
- default:
- ; /* wtf? */
- }
+ switch(cmp(&ta->rep, rep, t->lifespan))
+ {
+ case CMP_REPLAY:
+ return CMP_REPLAY;
+ case CMP_HOHUM:
+ if (alive(now, &ta->rep, t->lifespan) == CMP_EXPIRED)
+ t->nummisses++;
+ else
+ t->numhits++;
+ break;
+ default:
+ ; /* wtf? */
+ }
}
if (!(ta = (struct authlist *) malloc(sizeof(struct authlist))))
- return CMP_MALLOC;
+ return CMP_MALLOC;
ta->na = t->a; t->a = ta;
ta->nh = t->h[rephash]; t->h[rephash] = ta;
ta->rep = *rep;
if (!(ta->rep.client = strdup(rep->client))) {
- FREE(ta);
- return CMP_MALLOC;
+ FREE(ta);
+ return CMP_MALLOC;
}
if (!(ta->rep.server = strdup(rep->server))) {
- FREE(ta->rep.client);
- FREE(ta);
- return CMP_MALLOC;
+ FREE(ta->rep.client);
+ FREE(ta);
+ return CMP_MALLOC;
}
return CMP_HOHUM;
@@ -178,14 +178,14 @@
krb5_error_code KRB5_CALLCONV
krb5_rc_dfl_get_span(krb5_context context, krb5_rcache id,
- krb5_deltat *lifespan)
+ krb5_deltat *lifespan)
{
krb5_error_code err;
struct dfl_data *t;
err = k5_mutex_lock(&id->lock);
if (err)
- return err;
+ return err;
t = (struct dfl_data *) id->data;
*lifespan = t->lifespan;
k5_mutex_unlock(&id->lock);
@@ -202,12 +202,12 @@
/* default to clockskew from the context */
#ifndef NOIOSTUFF
if ((retval = krb5_rc_io_creat(context, &t->d, &t->name))) {
- return retval;
+ return retval;
}
if ((krb5_rc_io_write(context, &t->d,
- (krb5_pointer) &t->lifespan, sizeof(t->lifespan))
- || krb5_rc_io_sync(context, &t->d))) {
- return KRB5_RC_IO;
+ (krb5_pointer) &t->lifespan, sizeof(t->lifespan))
+ || krb5_rc_io_sync(context, &t->d))) {
+ return KRB5_RC_IO;
}
#endif
return 0;
@@ -220,7 +220,7 @@
retval = k5_mutex_lock(&id->lock);
if (retval)
- return retval;
+ return retval;
retval = krb5_rc_dfl_init_locked(context, id, lifespan);
k5_mutex_unlock(&id->lock);
return retval;
@@ -235,13 +235,13 @@
FREE(t->h);
if (t->name)
- FREE(t->name);
+ FREE(t->name);
while ((q = t->a))
{
- t->a = q->na;
- FREE(q->rep.client);
- FREE(q->rep.server);
- FREE(q);
+ t->a = q->na;
+ FREE(q->rep.client);
+ FREE(q->rep.server);
+ FREE(q);
}
#ifndef NOIOSTUFF
(void) krb5_rc_io_close(context, &t->d);
@@ -256,7 +256,7 @@
krb5_error_code retval;
retval = k5_mutex_lock(&id->lock);
if (retval)
- return retval;
+ return retval;
krb5_rc_dfl_close_no_free(context, id);
k5_mutex_unlock(&id->lock);
k5_mutex_destroy(&id->lock);
@@ -269,7 +269,7 @@
{
#ifndef NOIOSTUFF
if (krb5_rc_io_destroy(context, &((struct dfl_data *) (id->data))->d))
- return KRB5_RC_IO;
+ return KRB5_RC_IO;
#endif
return krb5_rc_dfl_close(context, id);
}
@@ -282,23 +282,22 @@
/* allocate id? no */
if (!(t = (struct dfl_data *) calloc(1, sizeof(struct dfl_data))))
- return KRB5_RC_MALLOC;
+ return KRB5_RC_MALLOC;
id->data = (krb5_pointer) t;
if (name) {
- t->name = malloc(strlen(name)+1);
- if (!t->name) {
- retval = KRB5_RC_MALLOC;
- goto cleanup;
- }
- strcpy(t->name, name);
+ t->name = strdup(name);
+ if (!t->name) {
+ retval = KRB5_RC_MALLOC;
+ goto cleanup;
+ }
} else
- t->name = 0;
+ t->name = 0;
t->numhits = t->nummisses = 0;
t->hsize = HASHSIZE; /* no need to store---it's memory-only */
t->h = (struct authlist **) malloc(t->hsize*sizeof(struct authlist *));
if (!t->h) {
- retval = KRB5_RC_MALLOC;
- goto cleanup;
+ retval = KRB5_RC_MALLOC;
+ goto cleanup;
}
memset(t->h, 0, t->hsize*sizeof(struct authlist *));
t->a = (struct authlist *) 0;
@@ -310,11 +309,11 @@
cleanup:
if (t) {
- if (t->name)
- krb5_xfree(t->name);
- if (t->h)
- krb5_xfree(t->h);
- krb5_xfree(t);
+ if (t->name)
+ krb5_xfree(t->name);
+ if (t->h)
+ krb5_xfree(t->h);
+ krb5_xfree(t);
}
return retval;
}
@@ -327,20 +326,20 @@
*rep = NULL;
if (rp)
{
- if (rp->client)
- free(rp->client);
+ if (rp->client)
+ free(rp->client);
- if (rp->server)
- free(rp->server);
- rp->client = NULL;
- rp->server = NULL;
- free(rp);
+ if (rp->server)
+ free(rp->server);
+ rp->client = NULL;
+ rp->server = NULL;
+ free(rp);
}
}
static krb5_error_code
krb5_rc_io_fetch(krb5_context context, struct dfl_data *t,
- krb5_donot_replay *rep, int maxlen)
+ krb5_donot_replay *rep, int maxlen)
{
int len2;
unsigned int len;
@@ -349,60 +348,60 @@
rep->client = rep->server = 0;
retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2,
- sizeof(len2));
+ sizeof(len2));
if (retval)
- return retval;
+ return retval;
if ((len2 <= 0) || (len2 >= maxlen))
- return KRB5_RC_IO_EOF;
+ return KRB5_RC_IO_EOF;
len = len2;
rep->client = malloc (len);
if (!rep->client)
- return KRB5_RC_MALLOC;
+ return KRB5_RC_MALLOC;
retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) rep->client, len);
if (retval)
- goto errout;
+ goto errout;
- retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2,
- sizeof(len2));
+ retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2,
+ sizeof(len2));
if (retval)
- goto errout;
+ goto errout;
if ((len2 <= 0) || (len2 >= maxlen)) {
- retval = KRB5_RC_IO_EOF;
- goto errout;
+ retval = KRB5_RC_IO_EOF;
+ goto errout;
}
len = len2;
rep->server = malloc (len);
if (!rep->server) {
- retval = KRB5_RC_MALLOC;
- goto errout;
+ retval = KRB5_RC_MALLOC;
+ goto errout;
}
retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) rep->server, len);
if (retval)
- goto errout;
+ goto errout;
retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &rep->cusec,
- sizeof(rep->cusec));
+ sizeof(rep->cusec));
if (retval)
- goto errout;
+ goto errout;
retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &rep->ctime,
- sizeof(rep->ctime));
+ sizeof(rep->ctime));
if (retval)
- goto errout;
+ goto errout;
return 0;
errout:
if (rep->client)
- krb5_xfree(rep->client);
+ krb5_xfree(rep->client);
if (rep->server)
- krb5_xfree(rep->server);
+ krb5_xfree(rep->server);
rep->client = rep->server = 0;
return retval;
}
@@ -426,7 +425,7 @@
krb5_int32 now;
if ((retval = krb5_rc_io_open(context, &t->d, t->name))) {
- return retval;
+ return retval;
}
t->recovering = 1;
@@ -435,50 +434,50 @@
rep = NULL;
if (krb5_rc_io_read(context, &t->d, (krb5_pointer) &t->lifespan,
- sizeof(t->lifespan))) {
- retval = KRB5_RC_IO;
- goto io_fail;
+ sizeof(t->lifespan))) {
+ retval = KRB5_RC_IO;
+ goto io_fail;
}
if (!(rep = (krb5_donot_replay *) malloc(sizeof(krb5_donot_replay)))) {
- retval = KRB5_RC_MALLOC;
- goto io_fail;
+ retval = KRB5_RC_MALLOC;
+ goto io_fail;
}
rep->client = NULL;
rep->server = NULL;
if (krb5_timeofday(context, &now))
- now = 0;
+ now = 0;
/* now read in each auth_replay and insert into table */
for (;;) {
- if (krb5_rc_io_mark(context, &t->d)) {
- retval = KRB5_RC_IO;
- goto io_fail;
- }
+ if (krb5_rc_io_mark(context, &t->d)) {
+ retval = KRB5_RC_IO;
+ goto io_fail;
+ }
- retval = krb5_rc_io_fetch(context, t, rep, (int) max_size);
+ retval = krb5_rc_io_fetch(context, t, rep, (int) max_size);
- if (retval == KRB5_RC_IO_EOF)
- break;
- else if (retval != 0)
- goto io_fail;
+ if (retval == KRB5_RC_IO_EOF)
+ break;
+ else if (retval != 0)
+ goto io_fail;
- if (alive(now, rep, t->lifespan) != CMP_EXPIRED) {
- if (rc_store(context, id, rep, now) == CMP_MALLOC) {
- retval = KRB5_RC_MALLOC; goto io_fail;
- }
- } else {
- expired_entries++;
- }
- /*
- * free fields allocated by rc_io_fetch
- */
- FREE(rep->server);
- FREE(rep->client);
- rep->server = 0;
- rep->client = 0;
+ if (alive(now, rep, t->lifespan) != CMP_EXPIRED) {
+ if (rc_store(context, id, rep, now) == CMP_MALLOC) {
+ retval = KRB5_RC_MALLOC; goto io_fail;
+ }
+ } else {
+ expired_entries++;
+ }
+ /*
+ * free fields allocated by rc_io_fetch
+ */
+ FREE(rep->server);
+ FREE(rep->client);
+ rep->server = 0;
+ rep->client = 0;
}
retval = 0;
krb5_rc_io_unmark(context, &t->d);
@@ -489,9 +488,9 @@
io_fail:
krb5_rc_free_entry(context, &rep);
if (retval)
- krb5_rc_io_close(context, &t->d);
+ krb5_rc_io_close(context, &t->d);
else if (expired_entries > EXCESSREPS)
- retval = krb5_rc_dfl_expunge_locked(context, id);
+ retval = krb5_rc_dfl_expunge_locked(context, id);
t->recovering = 0;
return retval;
@@ -504,7 +503,7 @@
krb5_error_code ret;
ret = k5_mutex_lock(&id->lock);
if (ret)
- return ret;
+ return ret;
ret = krb5_rc_dfl_recover_locked(context, id);
k5_mutex_unlock(&id->lock);
return ret;
@@ -512,23 +511,23 @@
krb5_error_code KRB5_CALLCONV
krb5_rc_dfl_recover_or_init(krb5_context context, krb5_rcache id,
- krb5_deltat lifespan)
+ krb5_deltat lifespan)
{
krb5_error_code retval;
retval = k5_mutex_lock(&id->lock);
if (retval)
- return retval;
+ return retval;
retval = krb5_rc_dfl_recover_locked(context, id);
if (retval)
- retval = krb5_rc_dfl_init_locked(context, id, lifespan);
+ retval = krb5_rc_dfl_init_locked(context, id, lifespan);
k5_mutex_unlock(&id->lock);
return retval;
}
static krb5_error_code
krb5_rc_io_store(krb5_context context, struct dfl_data *t,
- krb5_donot_replay *rep)
+ krb5_donot_replay *rep)
{
unsigned int clientlen, serverlen, len;
char *buf, *ptr;
@@ -537,10 +536,10 @@
clientlen = strlen(rep->client) + 1;
serverlen = strlen(rep->server) + 1;
len = sizeof(clientlen) + clientlen + sizeof(serverlen) + serverlen +
- sizeof(rep->cusec) + sizeof(rep->ctime);
+ sizeof(rep->cusec) + sizeof(rep->ctime);
buf = malloc(len);
if (buf == 0)
- return KRB5_RC_MALLOC;
+ return KRB5_RC_MALLOC;
ptr = buf;
memcpy(ptr, &clientlen, sizeof(clientlen)); ptr += sizeof(clientlen);
memcpy(ptr, rep->client, clientlen); ptr += clientlen;
@@ -565,19 +564,19 @@
ret = krb5_timeofday(context, &now);
if (ret)
- return ret;
+ return ret;
ret = k5_mutex_lock(&id->lock);
if (ret)
- return ret;
+ return ret;
switch(rc_store(context, id, rep, now)) {
case CMP_MALLOC:
- k5_mutex_unlock(&id->lock);
- return KRB5_RC_MALLOC;
+ k5_mutex_unlock(&id->lock);
+ return KRB5_RC_MALLOC;
case CMP_REPLAY:
- k5_mutex_unlock(&id->lock);
- return KRB5KRB_AP_ERR_REPEAT;
+ k5_mutex_unlock(&id->lock);
+ return KRB5KRB_AP_ERR_REPEAT;
case 0: break;
default: /* wtf? */ ;
}
@@ -585,24 +584,24 @@
#ifndef NOIOSTUFF
ret = krb5_rc_io_store(context, t, rep);
if (ret) {
- k5_mutex_unlock(&id->lock);
- return ret;
+ k5_mutex_unlock(&id->lock);
+ return ret;
}
#endif
/* Shall we automatically expunge? */
if (t->nummisses > t->numhits + EXCESSREPS)
{
- ret = krb5_rc_dfl_expunge_locked(context, id);
- k5_mutex_unlock(&id->lock);
- return ret;
+ ret = krb5_rc_dfl_expunge_locked(context, id);
+ k5_mutex_unlock(&id->lock);
+ return ret;
}
#ifndef NOIOSTUFF
else
{
- if (krb5_rc_io_sync(context, &t->d)) {
- k5_mutex_unlock(&id->lock);
- return KRB5_RC_IO;
- }
+ if (krb5_rc_io_sync(context, &t->d)) {
+ k5_mutex_unlock(&id->lock);
+ return KRB5_RC_IO;
+ }
}
#endif
k5_mutex_unlock(&id->lock);
@@ -622,24 +621,24 @@
krb5_int32 now;
if (krb5_timestamp(context, &now))
- now = 0;
+ now = 0;
for (q = &t->a; *q; q = qt) {
- qt = &(*q)->na;
- if (alive(now, &(*q)->rep, t->lifespan) == CMP_EXPIRED) {
- FREE((*q)->rep.client);
- FREE((*q)->rep.server);
- FREE(*q);
- *q = *qt; /* why doesn't this feel right? */
- }
+ qt = &(*q)->na;
+ if (alive(now, &(*q)->rep, t->lifespan) == CMP_EXPIRED) {
+ FREE((*q)->rep.client);
+ FREE((*q)->rep.server);
+ FREE(*q);
+ *q = *qt; /* why doesn't this feel right? */
+ }
}
for (i = 0; i < t->hsize; i++)
- t->h[i] = (struct authlist *) 0;
+ t->h[i] = (struct authlist *) 0;
for (r = t->a; r; r = r->na) {
- i = hash(&r->rep, t->hsize);
- rt = t->h[i];
- t->h[i] = r;
- r->nh = rt;
+ i = hash(&r->rep, t->hsize);
+ rt = t->h[i];
+ t->h[i] = r;
+ r->nh = rt;
}
return 0;
#else
@@ -650,22 +649,22 @@
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
if (! t->recovering) {
- name = t->name;
- t->name = 0; /* Clear name so it isn't freed */
- (void) krb5_rc_dfl_close_no_free(context, id);
- retval = krb5_rc_dfl_resolve(context, id, name);
- free(name);
- if (retval)
- return retval;
- retval = krb5_rc_dfl_recover_locked(context, id);
- if (retval)
- return retval;
- t = (struct dfl_data *)id->data; /* point to recovered cache */
+ name = t->name;
+ t->name = 0; /* Clear name so it isn't freed */
+ (void) krb5_rc_dfl_close_no_free(context, id);
+ retval = krb5_rc_dfl_resolve(context, id, name);
+ free(name);
+ if (retval)
+ return retval;
+ retval = krb5_rc_dfl_recover_locked(context, id);
+ if (retval)
+ return retval;
+ t = (struct dfl_data *)id->data; /* point to recovered cache */
}
tmp = (krb5_rcache) malloc(sizeof(*tmp));
if (!tmp)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_rc_resolve_type(context, &tmp, "dfl");
if (retval) {
free(tmp);
@@ -678,7 +677,7 @@
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
- if (krb5_rc_io_store(context, (struct dfl_data *)tmp->data, &q->rep)) {
+ if (krb5_rc_io_store(context, (struct dfl_data *)tmp->data, &q->rep)) {
retval = KRB5_RC_IO;
goto cleanup;
}
@@ -692,7 +691,7 @@
if (krb5_rc_io_move(context, &t->d, &((struct dfl_data *)tmp->data)->d))
goto cleanup;
retval = 0;
- cleanup:
+cleanup:
(void) krb5_rc_dfl_close(context, tmp);
return retval;
#endif
@@ -704,7 +703,7 @@
krb5_error_code ret;
ret = k5_mutex_lock(&id->lock);
if (ret)
- return ret;
+ return ret;
ret = krb5_rc_dfl_expunge_locked(context, id);
k5_mutex_unlock(&id->lock);
return ret;
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_dfl.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_dfl.h
*
@@ -13,44 +14,43 @@
#ifndef KRB5_RC_DFL_H
#define KRB5_RC_DFL_H
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_init
- (krb5_context,
- krb5_rcache,
- krb5_deltat);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover
- (krb5_context,
- krb5_rcache);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_init
+ (krb5_context,
+ krb5_rcache,
+ krb5_deltat);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover
+ (krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover_or_init
- (krb5_context, krb5_rcache, krb5_deltat);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_destroy
- (krb5_context,
- krb5_rcache);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_close
- (krb5_context,
- krb5_rcache);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_store
- (krb5_context,
- krb5_rcache,
- krb5_donot_replay *);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_expunge
- (krb5_context,
- krb5_rcache);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span
- (krb5_context,
- krb5_rcache,
- krb5_deltat *);
-char * KRB5_CALLCONV krb5_rc_dfl_get_name
- (krb5_context,
- krb5_rcache);
-krb5_error_code KRB5_CALLCONV krb5_rc_dfl_resolve
- (krb5_context,
- krb5_rcache,
- char *);
+ (krb5_context, krb5_rcache, krb5_deltat);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_destroy
+ (krb5_context,
+ krb5_rcache);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_close
+ (krb5_context,
+ krb5_rcache);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_store
+ (krb5_context,
+ krb5_rcache,
+ krb5_donot_replay *);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_expunge
+ (krb5_context,
+ krb5_rcache);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span
+ (krb5_context,
+ krb5_rcache,
+ krb5_deltat *);
+char * KRB5_CALLCONV krb5_rc_dfl_get_name
+ (krb5_context,
+ krb5_rcache);
+krb5_error_code KRB5_CALLCONV krb5_rc_dfl_resolve
+ (krb5_context,
+ krb5_rcache,
+ char *);
krb5_error_code krb5_rc_dfl_close_no_free
- (krb5_context,
- krb5_rcache);
-void krb5_rc_free_entry
- (krb5_context,
- krb5_donot_replay **);
+ (krb5_context,
+ krb5_rcache);
+void krb5_rc_free_entry
+ (krb5_context,
+ krb5_donot_replay **);
#endif
-
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_io.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_io.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_io.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_io.c
*
@@ -6,7 +7,6 @@
*
*/
-
/*
* I/O functions for the replay cache default implementation.
*/
@@ -17,7 +17,7 @@
# define PATH_SEPARATOR "/"
#endif
-#define KRB5_RC_VNO 0x0501 /* krb5, rcache v 1 */
+#define KRB5_RC_VNO 0x0501 /* krb5, rcache v 1 */
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
@@ -52,17 +52,17 @@
if (!(dir = getenv("KRB5RCACHEDIR"))) {
#if defined(_WIN32)
- if (!(dir = getenv("TEMP")))
- if (!(dir = getenv("TMP")))
- dir = "C:";
+ if (!(dir = getenv("TEMP")))
+ if (!(dir = getenv("TMP")))
+ dir = "C:";
#else
- if (!(dir = getenv("TMPDIR"))) {
+ if (!(dir = getenv("TMPDIR"))) {
#ifdef RCTMPDIR
- dir = RCTMPDIR;
+ dir = RCTMPDIR;
#else
- dir = "/tmp";
+ dir = "/tmp";
#endif
- }
+ }
#endif
}
return dir;
@@ -85,17 +85,17 @@
memset(&stbuf, 0, sizeof(stbuf));
if (asprintf(&d->fn, "%s%skrb5_RCXXXXXX",
- dir, PATH_SEPARATOR) < 0) {
- d->fn = NULL;
- return KRB5_RC_IO_MALLOC;
+ dir, PATH_SEPARATOR) < 0) {
+ d->fn = NULL;
+ return KRB5_RC_IO_MALLOC;
}
d->fd = mkstemp(d->fn);
if (d->fd == -1) {
- /*
- * This return value is deliberate because d->fd == -1 causes
- * caller to go into errno interpretation code.
- */
- return 0;
+ /*
+ * This return value is deliberate because d->fd == -1 causes
+ * caller to go into errno interpretation code.
+ */
+ return 0;
}
#if HAVE_SYS_STAT_H
/*
@@ -104,18 +104,18 @@
*/
retval = fstat(d->fd, &stbuf);
if (retval) {
- krb5_set_error_message(context, retval,
- "Cannot fstat replay cache file %s: %s",
- d->fn, strerror(errno));
- return KRB5_RC_IO_UNKNOWN;
+ krb5_set_error_message(context, retval,
+ "Cannot fstat replay cache file %s: %s",
+ d->fn, strerror(errno));
+ return KRB5_RC_IO_UNKNOWN;
}
if (stbuf.st_mode & 077) {
- krb5_set_error_message(context, retval,
- "Insecure mkstemp() file mode "
- "for replay cache file %s; "
- "try running this program "
- "with umask 077 ", d->fn);
- return KRB5_RC_IO_UNKNOWN;
+ krb5_set_error_message(context, retval,
+ "Insecure mkstemp() file mode "
+ "for replay cache file %s; "
+ "try running this program "
+ "with umask 077 ", d->fn);
+ return KRB5_RC_IO_UNKNOWN;
}
#endif
return 0;
@@ -127,7 +127,7 @@
static krb5_error_code
rc_map_errno (krb5_context context, int e, const char *fn,
- const char *operation)
+ const char *operation)
{
switch (e) {
case EFBIG:
@@ -135,25 +135,25 @@
case EDQUOT:
#endif
case ENOSPC:
- return KRB5_RC_IO_SPACE;
+ return KRB5_RC_IO_SPACE;
case EIO:
- return KRB5_RC_IO_IO;
+ return KRB5_RC_IO_IO;
case EPERM:
case EACCES:
case EROFS:
case EEXIST:
- krb5_set_error_message(context, KRB5_RC_IO_PERM,
- "Cannot %s replay cache file %s: %s",
- operation, fn, strerror(e));
- return KRB5_RC_IO_PERM;
+ krb5_set_error_message(context, KRB5_RC_IO_PERM,
+ "Cannot %s replay cache file %s: %s",
+ operation, fn, strerror(e));
+ return KRB5_RC_IO_PERM;
default:
- krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
- "Cannot %s replay cache: %s",
- operation, strerror(e));
- return KRB5_RC_IO_UNKNOWN;
+ krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+ "Cannot %s replay cache: %s",
+ operation, strerror(e));
+ return KRB5_RC_IO_UNKNOWN;
}
}
@@ -169,58 +169,55 @@
GETDIR;
if (fn && *fn) {
- if (!(d->fn = malloc(strlen(*fn) + dirlen + 1)))
- return KRB5_RC_IO_MALLOC;
- (void) strcpy(d->fn, dir);
- (void) strcat(d->fn, PATH_SEPARATOR);
- (void) strcat(d->fn, *fn);
- unlink(d->fn);
- d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL |
- O_BINARY, 0600);
+ if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0)
+ return KRB5_RC_IO_MALLOC;
+ unlink(d->fn);
+ d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL |
+ O_BINARY, 0600);
} else {
- retval = krb5_rc_io_mkstemp(context, d, dir);
- if (retval)
- goto cleanup;
- if (d->fd != -1 && fn) {
- *fn = strdup(d->fn + dirlen);
- if (*fn == NULL) {
- free(d->fn);
- return KRB5_RC_IO_MALLOC;
- }
- }
+ retval = krb5_rc_io_mkstemp(context, d, dir);
+ if (retval)
+ goto cleanup;
+ if (d->fd != -1 && fn) {
+ *fn = strdup(d->fn + dirlen);
+ if (*fn == NULL) {
+ free(d->fn);
+ return KRB5_RC_IO_MALLOC;
+ }
+ }
}
if (d->fd == -1) {
- retval = rc_map_errno(context, errno, d->fn, "create");
- if (retval == KRB5_RC_IO_PERM)
- do_not_unlink = 1;
- goto cleanup;
+ retval = rc_map_errno(context, errno, d->fn, "create");
+ if (retval == KRB5_RC_IO_PERM)
+ do_not_unlink = 1;
+ goto cleanup;
}
set_cloexec_fd(d->fd);
retval = krb5_rc_io_write(context, d, (krb5_pointer)&rc_vno,
- sizeof(rc_vno));
+ sizeof(rc_vno));
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_rc_io_sync(context, d);
- cleanup:
+cleanup:
if (retval) {
- if (d->fn) {
- if (!do_not_unlink)
- (void) unlink(d->fn);
- FREE(d->fn);
- d->fn = NULL;
- }
- if (d->fd != -1) {
- (void) close(d->fd);
- }
+ if (d->fn) {
+ if (!do_not_unlink)
+ (void) unlink(d->fn);
+ FREE(d->fn);
+ d->fn = NULL;
+ }
+ if (d->fd != -1) {
+ (void) close(d->fd);
+ }
}
return retval;
}
static krb5_error_code
krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn,
- char* full_pathname)
+ char* full_pathname)
{
krb5_int16 rc_vno;
krb5_error_code retval = 0;
@@ -233,58 +230,54 @@
GETDIR;
if (full_pathname) {
- if (!(d->fn = malloc(strlen(full_pathname) + 1)))
- return KRB5_RC_IO_MALLOC;
- (void) strcpy(d->fn, full_pathname);
+ if (!(d->fn = strdup(full_pathname)))
+ return KRB5_RC_IO_MALLOC;
} else {
- if (!(d->fn = malloc(strlen(fn) + dirlen + 1)))
- return KRB5_RC_IO_MALLOC;
- (void) strcpy(d->fn, dir);
- (void) strcat(d->fn, PATH_SEPARATOR);
- (void) strcat(d->fn, fn);
+ if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, fn) < 0)
+ return KRB5_RC_IO_MALLOC;
}
#ifdef NO_USERID
d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
#else
if ((d->fd = stat(d->fn, &statb)) != -1) {
- uid_t me;
+ uid_t me;
- me = geteuid();
- /* must be owned by this user, to prevent some security problems with
- * other users modifying replay cache stufff */
- if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
- FREE(d->fn);
- return KRB5_RC_IO_PERM;
- }
- d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
+ me = geteuid();
+ /* must be owned by this user, to prevent some security problems with
+ * other users modifying replay cache stufff */
+ if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
+ FREE(d->fn);
+ return KRB5_RC_IO_PERM;
+ }
+ d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
}
#endif
if (d->fd == -1) {
- retval = rc_map_errno(context, errno, d->fn, "open");
- goto cleanup;
+ retval = rc_map_errno(context, errno, d->fn, "open");
+ goto cleanup;
}
set_cloexec_fd(d->fd);
do_not_unlink = 0;
retval = krb5_rc_io_read(context, d, (krb5_pointer) &rc_vno,
- sizeof(rc_vno));
+ sizeof(rc_vno));
if (retval)
- goto cleanup;
+ goto cleanup;
if (ntohs(rc_vno) != KRB5_RC_VNO)
- retval = KRB5_RCACHE_BADVNO;
+ retval = KRB5_RCACHE_BADVNO;
- cleanup:
+cleanup:
if (retval) {
- if (d->fn) {
- if (!do_not_unlink)
- (void) unlink(d->fn);
- FREE(d->fn);
- d->fn = NULL;
- }
- if (d->fd >= 0)
- (void) close(d->fd);
+ if (d->fn) {
+ if (!do_not_unlink)
+ (void) unlink(d->fn);
+ FREE(d->fn);
+ d->fn = NULL;
+ }
+ if (d->fd >= 0)
+ (void) close(d->fd);
}
return retval;
}
@@ -297,7 +290,7 @@
krb5_error_code
krb5_rc_io_move(krb5_context context, krb5_rc_iostuff *new1,
- krb5_rc_iostuff *old)
+ krb5_rc_iostuff *old)
{
#if defined(_WIN32) || defined(__CYGWIN__)
char *new_fn = NULL;
@@ -341,29 +334,29 @@
old->fd = -1;
if (rename(old_fn, new_fn) == -1) { /* MUST be atomic! */
- retval = KRB5_RC_IO_UNKNOWN;
- goto cleanup;
+ retval = KRB5_RC_IO_UNKNOWN;
+ goto cleanup;
}
retval = krb5_rc_io_open_internal(context, new1, 0, new_fn);
if (retval)
- goto cleanup;
+ goto cleanup;
if (lseek(new1->fd, offset, SEEK_SET) == -1) {
- retval = KRB5_RC_IO_UNKNOWN;
- goto cleanup;
+ retval = KRB5_RC_IO_UNKNOWN;
+ goto cleanup;
}
- cleanup:
+cleanup:
free(new_fn);
free(old_fn);
return retval;
#else
char *fn = NULL;
if (rename(old->fn, new1->fn) == -1) /* MUST be atomic! */
- return KRB5_RC_IO_UNKNOWN;
+ return KRB5_RC_IO_UNKNOWN;
fn = new1->fn;
- new1->fn = NULL; /* avoid clobbering */
+ new1->fn = NULL; /* avoid clobbering */
(void) krb5_rc_io_close(context, new1);
new1->fn = fn;
new1->fd = dup(old->fd);
@@ -374,32 +367,32 @@
krb5_error_code
krb5_rc_io_write(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf,
- unsigned int num)
+ unsigned int num)
{
if (write(d->fd, (char *) buf, num) == -1)
- switch(errno)
- {
+ switch(errno)
+ {
#ifdef EDQUOT
- case EDQUOT:
+ case EDQUOT:
#endif
- case EFBIG:
- case ENOSPC:
- krb5_set_error_message (context, KRB5_RC_IO_SPACE,
- "Can't write to replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_SPACE;
- case EIO:
- krb5_set_error_message (context, KRB5_RC_IO_IO,
- "Can't write to replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_IO;
- case EBADF:
- default:
- krb5_set_error_message (context, KRB5_RC_IO_UNKNOWN,
- "Can't write to replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_UNKNOWN;
- }
+ case EFBIG:
+ case ENOSPC:
+ krb5_set_error_message (context, KRB5_RC_IO_SPACE,
+ "Can't write to replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_SPACE;
+ case EIO:
+ krb5_set_error_message (context, KRB5_RC_IO_IO,
+ "Can't write to replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_IO;
+ case EBADF:
+ default:
+ krb5_set_error_message (context, KRB5_RC_IO_UNKNOWN,
+ "Can't write to replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_UNKNOWN;
+ }
return 0;
}
@@ -412,38 +405,38 @@
#endif
#endif
if (fsync(d->fd) == -1) {
- switch(errno)
- {
- case EBADF: return KRB5_RC_IO_UNKNOWN;
- case EIO: return KRB5_RC_IO_IO;
- default:
- krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
- "Cannot sync replay cache file: %s",
- strerror(errno));
- return KRB5_RC_IO_UNKNOWN;
- }
+ switch(errno)
+ {
+ case EBADF: return KRB5_RC_IO_UNKNOWN;
+ case EIO: return KRB5_RC_IO_IO;
+ default:
+ krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+ "Cannot sync replay cache file: %s",
+ strerror(errno));
+ return KRB5_RC_IO_UNKNOWN;
+ }
}
return 0;
}
krb5_error_code
krb5_rc_io_read(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf,
- unsigned int num)
+ unsigned int num)
{
int count;
if ((count = read(d->fd, (char *) buf, num)) == -1)
- switch(errno)
- {
- case EIO: return KRB5_RC_IO_IO;
- case EBADF:
- default:
- krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
- "Can't read from replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_UNKNOWN;
- }
+ switch(errno)
+ {
+ case EIO: return KRB5_RC_IO_IO;
+ case EBADF:
+ default:
+ krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+ "Can't read from replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_UNKNOWN;
+ }
if (count < 0 || (unsigned int)count != num)
- return KRB5_RC_IO_EOF;
+ return KRB5_RC_IO_EOF;
return 0;
}
@@ -451,13 +444,13 @@
krb5_rc_io_close(krb5_context context, krb5_rc_iostuff *d)
{
if (d->fn != NULL) {
- FREE(d->fn);
- d->fn = NULL;
+ FREE(d->fn);
+ d->fn = NULL;
}
if (d->fd != -1) {
- if (close(d->fd) == -1) /* can't happen */
- return KRB5_RC_IO_UNKNOWN;
- d->fd = -1;
+ if (close(d->fd) == -1) /* can't happen */
+ return KRB5_RC_IO_UNKNOWN;
+ d->fd = -1;
}
return 0;
}
@@ -466,27 +459,27 @@
krb5_rc_io_destroy(krb5_context context, krb5_rc_iostuff *d)
{
if (unlink(d->fn) == -1)
- switch(errno)
- {
- case EIO:
- krb5_set_error_message(context, KRB5_RC_IO_IO,
- "Can't destroy replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_IO;
- case EPERM:
- case EBUSY:
- case EROFS:
- krb5_set_error_message(context, KRB5_RC_IO_PERM,
- "Can't destroy replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_PERM;
- case EBADF:
- default:
- krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
- "Can't destroy replay cache: %s",
- strerror(errno));
- return KRB5_RC_IO_UNKNOWN;
- }
+ switch(errno)
+ {
+ case EIO:
+ krb5_set_error_message(context, KRB5_RC_IO_IO,
+ "Can't destroy replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_IO;
+ case EPERM:
+ case EBUSY:
+ case EROFS:
+ krb5_set_error_message(context, KRB5_RC_IO_PERM,
+ "Can't destroy replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_PERM;
+ case EBADF:
+ default:
+ krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+ "Can't destroy replay cache: %s",
+ strerror(errno));
+ return KRB5_RC_IO_UNKNOWN;
+ }
return 0;
}
@@ -510,7 +503,7 @@
struct stat statb;
if (fstat(d->fd, &statb) == 0)
- return statb.st_size;
+ return statb.st_size;
else
- return 0;
+ return 0;
}
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_io.h
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_io.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_io.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_io.h
*
@@ -27,44 +28,44 @@
/* first argument is always iostuff for result file */
-krb5_error_code krb5_rc_io_creat
- (krb5_context,
- krb5_rc_iostuff *,
- char **);
-krb5_error_code krb5_rc_io_open
- (krb5_context,
- krb5_rc_iostuff *,
- char *);
-krb5_error_code krb5_rc_io_move
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_rc_iostuff *);
-krb5_error_code krb5_rc_io_write
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_pointer,
- unsigned int);
-krb5_error_code krb5_rc_io_read
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_pointer,
- unsigned int);
-krb5_error_code krb5_rc_io_close
- (krb5_context,
- krb5_rc_iostuff *);
-krb5_error_code krb5_rc_io_destroy
- (krb5_context,
- krb5_rc_iostuff *);
-krb5_error_code krb5_rc_io_mark
- (krb5_context,
- krb5_rc_iostuff *);
-krb5_error_code krb5_rc_io_unmark
- (krb5_context,
- krb5_rc_iostuff *);
+krb5_error_code krb5_rc_io_creat
+ (krb5_context,
+ krb5_rc_iostuff *,
+ char **);
+krb5_error_code krb5_rc_io_open
+ (krb5_context,
+ krb5_rc_iostuff *,
+ char *);
+krb5_error_code krb5_rc_io_move
+ (krb5_context,
+ krb5_rc_iostuff *,
+ krb5_rc_iostuff *);
+krb5_error_code krb5_rc_io_write
+ (krb5_context,
+ krb5_rc_iostuff *,
+ krb5_pointer,
+ unsigned int);
+krb5_error_code krb5_rc_io_read
+ (krb5_context,
+ krb5_rc_iostuff *,
+ krb5_pointer,
+ unsigned int);
+krb5_error_code krb5_rc_io_close
+ (krb5_context,
+ krb5_rc_iostuff *);
+krb5_error_code krb5_rc_io_destroy
+ (krb5_context,
+ krb5_rc_iostuff *);
+krb5_error_code krb5_rc_io_mark
+ (krb5_context,
+ krb5_rc_iostuff *);
+krb5_error_code krb5_rc_io_unmark
+ (krb5_context,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_sync
- (krb5_context,
- krb5_rc_iostuff *);
+ (krb5_context,
+ krb5_rc_iostuff *);
long krb5_rc_io_size
- (krb5_context,
- krb5_rc_iostuff *);
+ (krb5_context,
+ krb5_rc_iostuff *);
#endif
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rc_none.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rc_none.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rc_none.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_none.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
+ *
* replay cache no-op implementation
*/
@@ -42,10 +43,10 @@
{
return 0;
}
-#define krb5_rc_none_recover krb5_rc_none_noargs
-#define krb5_rc_none_destroy krb5_rc_none_noargs
-#define krb5_rc_none_close krb5_rc_none_noargs
-#define krb5_rc_none_expunge krb5_rc_none_noargs
+#define krb5_rc_none_recover krb5_rc_none_noargs
+#define krb5_rc_none_destroy krb5_rc_none_noargs
+#define krb5_rc_none_close krb5_rc_none_noargs
+#define krb5_rc_none_expunge krb5_rc_none_noargs
static krb5_error_code KRB5_CALLCONV
krb5_rc_none_store(krb5_context ctx, krb5_rcache rc, krb5_donot_replay *r)
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rcdef.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rcdef.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rcdef.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rcdef.c
*
@@ -32,18 +33,17 @@
#include "rc_dfl.h"
const krb5_rc_ops krb5_rc_dfl_ops =
- {
- 0,
- "dfl",
- krb5_rc_dfl_init,
- krb5_rc_dfl_recover,
- krb5_rc_dfl_recover_or_init,
- krb5_rc_dfl_destroy,
- krb5_rc_dfl_close,
- krb5_rc_dfl_store,
- krb5_rc_dfl_expunge,
- krb5_rc_dfl_get_span,
- krb5_rc_dfl_get_name,
- krb5_rc_dfl_resolve
- }
-;
+{
+ 0,
+ "dfl",
+ krb5_rc_dfl_init,
+ krb5_rc_dfl_recover,
+ krb5_rc_dfl_recover_or_init,
+ krb5_rc_dfl_destroy,
+ krb5_rc_dfl_close,
+ krb5_rc_dfl_store,
+ krb5_rc_dfl_expunge,
+ krb5_rc_dfl_get_span,
+ krb5_rc_dfl_get_name,
+ krb5_rc_dfl_resolve
+};
Modified: branches/mkey_migrate/src/lib/krb5/rcache/rcfns.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/rcfns.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/rcfns.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rcfns.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -39,7 +40,7 @@
krb5_error_code KRB5_CALLCONV
krb5_rc_recover_or_initialize (krb5_context context, krb5_rcache id,
- krb5_deltat span)
+ krb5_deltat span)
{
return krb5_x(id->ops->recover_or_init,(context, id, span));
}
@@ -64,7 +65,7 @@
krb5_error_code KRB5_CALLCONV
krb5_rc_store (krb5_context context, krb5_rcache id,
- krb5_donot_replay *dontreplay)
+ krb5_donot_replay *dontreplay)
{
return krb5_x((id)->ops->store,(context, id, dontreplay));
}
@@ -77,7 +78,7 @@
krb5_error_code KRB5_CALLCONV
krb5_rc_get_lifespan (krb5_context context, krb5_rcache id,
- krb5_deltat *spanp)
+ krb5_deltat *spanp)
{
return krb5_x((id)->ops->get_span,(context, id, spanp));
}
Modified: branches/mkey_migrate/src/lib/krb5/rcache/ser_rc.c
===================================================================
--- branches/mkey_migrate/src/lib/krb5/rcache/ser_rc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/krb5/rcache/ser_rc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/ser_rc.c
*
@@ -33,167 +34,167 @@
/*
* Routines to deal with externalizing krb5_rcache.
- * krb5_rcache_size();
- * krb5_rcache_externalize();
- * krb5_rcache_internalize();
+ * krb5_rcache_size();
+ * krb5_rcache_externalize();
+ * krb5_rcache_internalize();
*/
static krb5_error_code krb5_rcache_size
- (krb5_context, krb5_pointer, size_t *);
+ (krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_rcache_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+ (krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_rcache_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+ (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Serialization entry for this type.
*/
static const krb5_ser_entry krb5_rcache_ser_entry = {
- KV5M_RCACHE, /* Type */
- krb5_rcache_size, /* Sizer routine */
- krb5_rcache_externalize, /* Externalize routine */
- krb5_rcache_internalize /* Internalize routine */
+ KV5M_RCACHE, /* Type */
+ krb5_rcache_size, /* Sizer routine */
+ krb5_rcache_externalize, /* Externalize routine */
+ krb5_rcache_internalize /* Internalize routine */
};
/*
- * krb5_rcache_size() - Determine the size required to externalize
- * this krb5_rcache variant.
+ * krb5_rcache_size() - Determine the size required to externalize
+ * this krb5_rcache variant.
*/
static krb5_error_code
krb5_rcache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_rcache rcache;
- size_t required;
+ krb5_error_code kret;
+ krb5_rcache rcache;
+ size_t required;
kret = EINVAL;
if ((rcache = (krb5_rcache) arg)) {
- /*
- * Saving FILE: variants of krb5_rcache requires at minimum:
- * krb5_int32 for KV5M_RCACHE
- * krb5_int32 for length of rcache name.
- * krb5_int32 for KV5M_RCACHE
- */
- required = sizeof(krb5_int32) * 3;
- if (rcache->ops && rcache->ops->type)
- required += (strlen(rcache->ops->type)+1);
+ /*
+ * Saving FILE: variants of krb5_rcache requires at minimum:
+ * krb5_int32 for KV5M_RCACHE
+ * krb5_int32 for length of rcache name.
+ * krb5_int32 for KV5M_RCACHE
+ */
+ required = sizeof(krb5_int32) * 3;
+ if (rcache->ops && rcache->ops->type)
+ required += (strlen(rcache->ops->type)+1);
- /*
- * The rcache name is formed as follows:
- * <type>:<name>
- */
- required += strlen(krb5_rc_get_name(kcontext, rcache));
+ /*
+ * The rcache name is formed as follows:
+ * <type>:<name>
+ */
+ required += strlen(krb5_rc_get_name(kcontext, rcache));
- kret = 0;
- *sizep += required;
+ kret = 0;
+ *sizep += required;
}
return(kret);
}
/*
- * krb5_rcache_externalize() - Externalize the krb5_rcache.
+ * krb5_rcache_externalize() - Externalize the krb5_rcache.
*/
static krb5_error_code
krb5_rcache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_rcache rcache;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- char *rcname;
- size_t namelen;
- char *fnamep;
+ krb5_error_code kret;
+ krb5_rcache rcache;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ char *rcname;
+ size_t namelen;
+ char *fnamep;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((rcache = (krb5_rcache) arg)) {
- kret = ENOMEM;
- if (!krb5_rcache_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_rcache_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain);
- /* Calculate the length of the name */
- namelen = (rcache->ops && rcache->ops->type) ?
- strlen(rcache->ops->type)+1 : 0;
- fnamep = krb5_rc_get_name(kcontext, rcache);
- namelen += (strlen(fnamep)+1);
+ /* Calculate the length of the name */
+ namelen = (rcache->ops && rcache->ops->type) ?
+ strlen(rcache->ops->type)+1 : 0;
+ fnamep = krb5_rc_get_name(kcontext, rcache);
+ namelen += (strlen(fnamep)+1);
- if (rcache->ops && rcache->ops->type) {
- if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0)
- rcname = NULL;
- } else
- rcname = strdup(fnamep);
+ if (rcache->ops && rcache->ops->type) {
+ if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0)
+ rcname = NULL;
+ } else
+ rcname = strdup(fnamep);
- if (rcname) {
- /* Put the length of the file name */
- (void) krb5_ser_pack_int32((krb5_int32) strlen(rcname),
- &bp, &remain);
-
- /* Put the name */
- (void) krb5_ser_pack_bytes((krb5_octet *) rcname,
- strlen(rcname),
- &bp, &remain);
+ if (rcname) {
+ /* Put the length of the file name */
+ (void) krb5_ser_pack_int32((krb5_int32) strlen(rcname),
+ &bp, &remain);
- /* Put the trailer */
- (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- free(rcname);
- }
- }
+ /* Put the name */
+ (void) krb5_ser_pack_bytes((krb5_octet *) rcname,
+ strlen(rcname),
+ &bp, &remain);
+
+ /* Put the trailer */
+ (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain);
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ free(rcname);
+ }
+ }
}
return(kret);
}
/*
- * krb5_rcache_internalize() - Internalize the krb5_rcache.
+ * krb5_rcache_internalize() - Internalize the krb5_rcache.
*/
static krb5_error_code
krb5_rcache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_rcache rcache;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- char *rcname;
+ krb5_error_code kret;
+ krb5_rcache rcache;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ char *rcname;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_RCACHE) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get the length of the rcache name */
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ /* Get the length of the rcache name */
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret &&
- (rcname = (char *) malloc((size_t) (ibuf+1))) &&
- !(kret = krb5_ser_unpack_bytes((krb5_octet *) rcname,
- (size_t) ibuf,
- &bp, &remain))) {
- rcname[ibuf] = '\0';
- if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname))) {
- (void) krb5_rc_recover(kcontext, rcache);
- if (!kret &&
- !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) &&
- (ibuf == KV5M_RCACHE)) {
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) rcache;
- }
- else
- krb5_rc_close(kcontext, rcache);
- }
- free(rcname);
- }
+ if (!kret &&
+ (rcname = (char *) malloc((size_t) (ibuf+1))) &&
+ !(kret = krb5_ser_unpack_bytes((krb5_octet *) rcname,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ rcname[ibuf] = '\0';
+ if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname))) {
+ (void) krb5_rc_recover(kcontext, rcache);
+ if (!kret &&
+ !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) &&
+ (ibuf == KV5M_RCACHE)) {
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) rcache;
+ }
+ else
+ krb5_rc_close(kcontext, rcache);
+ }
+ free(rcname);
+ }
}
return(kret);
}
Copied: branches/mkey_migrate/src/lib/krb5/unicode (from rev 21721, trunk/src/lib/krb5/unicode)
Modified: branches/mkey_migrate/src/lib/rpc/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/rpc/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -239,326 +239,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-auth_none.so auth_none.po $(OUTPRE)auth_none.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- auth_none.c
-auth_unix.so auth_unix.po $(OUTPRE)auth_unix.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- auth_unix.c
-authgss_prot.so authgss_prot.po $(OUTPRE)authgss_prot.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- authgss_prot.c
-authunix_prot.so authunix_prot.po $(OUTPRE)authunix_prot.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h authunix_prot.c
-auth_gss.so auth_gss.po $(OUTPRE)auth_gss.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h auth_gss.c
-auth_gssapi.so auth_gssapi.po $(OUTPRE)auth_gssapi.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_gssapi.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/krb5.h auth_gssapi.c
-auth_gssapi_misc.so auth_gssapi_misc.po $(OUTPRE)auth_gssapi_misc.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_gssapi.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h auth_gssapi_misc.c
-bindresvport.so bindresvport.po $(OUTPRE)bindresvport.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- bindresvport.c
-clnt_generic.so clnt_generic.po $(OUTPRE)clnt_generic.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h clnt_generic.c
-clnt_perror.so clnt_perror.po $(OUTPRE)clnt_perror.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- clnt_perror.c
-clnt_raw.so clnt_raw.po $(OUTPRE)clnt_raw.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- clnt_raw.c
-clnt_simple.so clnt_simple.po $(OUTPRE)clnt_simple.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/port-sockets.h \
- clnt_simple.c
-clnt_tcp.so clnt_tcp.po $(OUTPRE)clnt_tcp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/pmap_clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/port-sockets.h clnt_tcp.c
-clnt_udp.so clnt_udp.po $(OUTPRE)clnt_udp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/pmap_clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/port-sockets.h clnt_udp.c
-dyn.so dyn.po $(OUTPRE)dyn.$(OBJEXT): dyn.c dyn.h dynP.h
-rpc_dtablesize.so rpc_dtablesize.po $(OUTPRE)rpc_dtablesize.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- rpc_dtablesize.c
-get_myaddress.so get_myaddress.po $(OUTPRE)get_myaddress.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/krb5.h get_myaddress.c
-getrpcport.so getrpcport.po $(OUTPRE)getrpcport.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/pmap_clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- getrpcport.c
-pmap_clnt.so pmap_clnt.po $(OUTPRE)pmap_clnt.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- pmap_clnt.c
-pmap_getmaps.so pmap_getmaps.po $(OUTPRE)pmap_getmaps.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- pmap_getmaps.c
-pmap_getport.so pmap_getport.po $(OUTPRE)pmap_getport.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- pmap_getport.c
-pmap_prot.so pmap_prot.po $(OUTPRE)pmap_prot.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- pmap_prot.c
-pmap_prot2.so pmap_prot2.po $(OUTPRE)pmap_prot2.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/pmap_prot.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- pmap_prot2.c
-pmap_rmt.so pmap_rmt.po $(OUTPRE)pmap_rmt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/pmap_clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_prot.h $(SRCTOP)/include/gssrpc/pmap_rmt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h pmap_rmt.c
-rpc_prot.so rpc_prot.po $(OUTPRE)rpc_prot.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- rpc_prot.c
-rpc_commondata.so rpc_commondata.po $(OUTPRE)rpc_commondata.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- rpc_commondata.c
-rpc_callmsg.so rpc_callmsg.po $(OUTPRE)rpc_callmsg.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- rpc_callmsg.c
-svc.so svc.po $(OUTPRE)svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h svc.c
-svc_auth.so svc_auth.po $(OUTPRE)svc_auth.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- svc_auth.c
-svc_auth_gss.so svc_auth_gss.po $(OUTPRE)svc_auth_gss.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_gssapi.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- svc_auth_gss.c
-svc_auth_none.so svc_auth_none.po $(OUTPRE)svc_auth_none.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- svc_auth_none.c
-svc_auth_unix.so svc_auth_unix.po $(OUTPRE)svc_auth_unix.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- svc_auth_unix.c
-svc_auth_gssapi.so svc_auth_gssapi.po $(OUTPRE)svc_auth_gssapi.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_gssapi.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/krb5.h \
- svc_auth_gssapi.c
-svc_raw.so svc_raw.po $(OUTPRE)svc_raw.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h svc_raw.c
-svc_run.so svc_run.po $(OUTPRE)svc_run.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h svc_run.c
-svc_simple.so svc_simple.po $(OUTPRE)svc_simple.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h svc_simple.c
-svc_tcp.so svc_tcp.po $(OUTPRE)svc_tcp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h svc_tcp.c
-svc_udp.so svc_udp.po $(OUTPRE)svc_udp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h svc_udp.c
-xdr.so xdr.po $(OUTPRE)xdr.$(OBJEXT): $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- xdr.c
-xdr_array.so xdr_array.po $(OUTPRE)xdr_array.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h xdr_array.c
-xdr_float.so xdr_float.po $(OUTPRE)xdr_float.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h xdr_float.c
-xdr_mem.so xdr_mem.po $(OUTPRE)xdr_mem.$(OBJEXT): $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- xdr_mem.c
-xdr_rec.so xdr_rec.po $(OUTPRE)xdr_rec.$(OBJEXT): $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- xdr_rec.c
-xdr_reference.so xdr_reference.po $(OUTPRE)xdr_reference.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h xdr_reference.c
-xdr_stdio.so xdr_stdio.po $(OUTPRE)xdr_stdio.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h xdr_stdio.c
-xdr_sizeof.so xdr_sizeof.po $(OUTPRE)xdr_sizeof.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h xdr_sizeof.c
-xdr_alloc.so xdr_alloc.po $(OUTPRE)xdr_alloc.$(OBJEXT): \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h dyn.h xdr_alloc.c
Modified: branches/mkey_migrate/src/lib/rpc/auth_gssapi.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/auth_gssapi.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/auth_gssapi.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,6 +16,8 @@
#include <gssrpc/rpc.h>
#include <gssrpc/auth_gssapi.h>
+#include "gssrpcint.h"
+
#ifdef __CODECENTER__
#define DEBUG_GSSAPI 1
#endif
Modified: branches/mkey_migrate/src/lib/rpc/auth_gssapi_misc.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/auth_gssapi_misc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/auth_gssapi_misc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -9,6 +9,8 @@
#include <gssapi/gssapi.h>
#include <gssrpc/auth_gssapi.h>
+#include "gssrpcint.h"
+
#ifdef __CODECENTER__
#define DEBUG_GSSAPI 1
#endif
@@ -181,7 +183,7 @@
putc ('\n', stderr);
if (misc_debug_gssapi)
gssrpcint_printf("GSS-API authentication error %s: %*s\n",
- m, msg.length, msg.value);
+ m, msg.length, (char *) msg.value);
(void) gss_release_buffer(&minor_stat, &msg);
if (!msg_ctx)
Modified: branches/mkey_migrate/src/lib/rpc/clnt_perror.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/clnt_perror.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/clnt_perror.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -233,7 +233,7 @@
char *
clnt_sperrno(enum clnt_stat stat)
{
- int i;
+ unsigned int i;
for (i = 0; i < sizeof(rpc_errlist)/sizeof(struct rpc_errtab); i++) {
if (rpc_errlist[i].status == stat) {
@@ -339,7 +339,7 @@
static char *
auth_errmsg(enum auth_stat stat)
{
- int i;
+ unsigned int i;
for (i = 0; i < sizeof(auth_errlist)/sizeof(struct auth_errtab); i++) {
if (auth_errlist[i].status == stat) {
Modified: branches/mkey_migrate/src/lib/rpc/clnt_simple.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/clnt_simple.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/clnt_simple.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,7 +51,9 @@
static struct callrpc_private {
CLIENT *client;
SOCKET socket;
- int oldprognum, oldversnum, valid;
+ rpcprog_t oldprognum;
+ rpcvers_t oldversnum;
+ int valid;
char *oldhost;
} *callrpc_private;
Copied: branches/mkey_migrate/src/lib/rpc/deps (from rev 21721, trunk/src/lib/rpc/deps)
Copied: branches/mkey_migrate/src/lib/rpc/gssrpcint.h (from rev 21721, trunk/src/lib/rpc/gssrpcint.h)
Modified: branches/mkey_migrate/src/lib/rpc/svc_auth_gss.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/svc_auth_gss.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/svc_auth_gss.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -47,6 +47,7 @@
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
#endif
+#include "k5-platform.h" /* SIZE_MAX */
#ifdef DEBUG_GSSAPI
int svc_debug_gss = DEBUG_GSSAPI;
Modified: branches/mkey_migrate/src/lib/rpc/svc_auth_gssapi.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/svc_auth_gssapi.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/svc_auth_gssapi.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -24,6 +24,8 @@
#include <gssapi/gssapi_krb5.h>
#endif
+#include "gssrpcint.h"
+
#ifdef GSSAPI_KRB5
/* This is here for the krb5_error_code typedef and the
KRB5KRB_AP_WRONG_PRINC #define.*/
@@ -403,7 +405,7 @@
break;
PRINTF(("accept_sec_context returned 0x%x 0x%x wrong-princ=%#x\n",
- call_res.gss_major, call_res.gss_minor, KRB5KRB_AP_WRONG_PRINC));
+ call_res.gss_major, call_res.gss_minor, (int) KRB5KRB_AP_WRONG_PRINC));
if (call_res.gss_major == GSS_S_COMPLETE ||
call_res.gss_major == GSS_S_CONTINUE_NEEDED) {
/* server_creds was right, set it! */
@@ -950,7 +952,7 @@
in_buf.value = names[i].name;
in_buf.length = strlen(in_buf.value) + 1;
- PRINTF(("svcauth_gssapi_set_names: importing %s\n", in_buf.value));
+ PRINTF(("svcauth_gssapi_set_names: importing %s\n", names[i].name));
gssstat = gss_import_name(&minor_stat, &in_buf, names[i].type,
&server_name_list[i]);
Modified: branches/mkey_migrate/src/lib/rpc/unit-test/Makefile.in
===================================================================
--- branches/mkey_migrate/src/lib/rpc/unit-test/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/unit-test/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -69,39 +69,3 @@
$(RM) server client
$(RM) dbg.log rpc_test.log rpc_test.sum
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)client.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_gssapi.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h client.c rpc_test.h
-$(OUTPRE)rpc_test_clnt.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h rpc_test.h rpc_test_clnt.c
-$(OUTPRE)rpc_test_svc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h rpc_test.h rpc_test_svc.c
-$(OUTPRE)server.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_gssapi.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/pmap_clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h rpc_test.h server.c
Modified: branches/mkey_migrate/src/lib/rpc/unit-test/client.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/unit-test/client.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/unit-test/client.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -139,7 +139,7 @@
*/
echo_arg = buf;
for (i = 0; i < 3; i++) {
- sprintf(buf, "testing %d\n", i);
+ snprintf(buf, sizeof(buf), "testing %d\n", i);
echo_resp = rpc_test_echo_1(&echo_arg, clnt);
if (echo_resp == NULL) {
Copied: branches/mkey_migrate/src/lib/rpc/unit-test/deps (from rev 21721, trunk/src/lib/rpc/unit-test/deps)
Modified: branches/mkey_migrate/src/lib/rpc/unit-test/server.c
===================================================================
--- branches/mkey_migrate/src/lib/rpc/unit-test/server.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/lib/rpc/unit-test/server.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -9,6 +9,8 @@
static char *rcsid = "$Header$";
#endif
+#include "k5-platform.h"
+
#include <stdio.h>
#include <stdlib.h>
#include "autoconf.h"
@@ -158,8 +160,7 @@
if (res)
free(res);
- res = (char *) malloc(strlen(*arg) + strlen("Echo: ") + 1);
- sprintf(res, "Echo: %s", *arg);
+ asprintf(&res, "Echo: %s", *arg);
return &res;
}
Modified: branches/mkey_migrate/src/plugins/authdata/greet/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/authdata/greet/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/authdata/greet/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -37,11 +37,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-greet_auth.so greet_auth.po $(OUTPRE)greet_auth.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/authdata_plugin.h \
- greet_auth.c
Copied: branches/mkey_migrate/src/plugins/authdata/greet/deps (from rev 21721, trunk/src/plugins/authdata/greet/deps)
Modified: branches/mkey_migrate/src/plugins/authdata/greet/greet_auth.c
===================================================================
--- branches/mkey_migrate/src/plugins/authdata/greet/greet_auth.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/authdata/greet/greet_auth.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -65,11 +65,11 @@
free(a);
return ENOMEM;
}
- strcpy(p, "hello there");
+ strncpy(p, "hello there", GREET_SIZE-1);
a->magic = KV5M_AUTHDATA;
a->ad_type = -42;
a->length = GREET_SIZE;
- a->contents = p;
+ a->contents = (unsigned char *)p;
if (enc_tkt_reply->authorization_data == 0) {
count = 0;
} else {
Modified: branches/mkey_migrate/src/plugins/kdb/db2/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -93,73 +93,3 @@
.d: .depend-verify-db
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb_xdr.c kdb_xdr.h
-adb_openclose.so adb_openclose.po $(OUTPRE)adb_openclose.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/kdb/adb_err.h \
- $(COM_ERR_DEPS) $(DB_DEPS) $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h adb_openclose.c policy_db.h
-adb_policy.so adb_policy.po $(OUTPRE)adb_policy.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/lib/kdb/adb_err.h \
- $(COM_ERR_DEPS) $(DB_DEPS) $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h adb_policy.c policy_db.h
-kdb_db2.so kdb_db2.po $(OUTPRE)kdb_db2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/lib/kdb/adb_err.h $(COM_ERR_DEPS) $(DB_DEPS) \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_db2.c kdb_db2.h kdb_xdr.h policy_db.h
-pol_xdr.so pol_xdr.po $(OUTPRE)pol_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/lib/kdb/adb_err.h \
- $(COM_ERR_DEPS) $(DB_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h pol_xdr.c policy_db.h
-db2_exp.so db2_exp.po $(OUTPRE)db2_exp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/lib/kdb/adb_err.h $(COM_ERR_DEPS) $(DB_DEPS) \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- db2_exp.c kdb_db2.h kdb_xdr.h policy_db.h
Modified: branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -124,6 +124,7 @@
WRAP_K (krb5_db2_db_get_principal,
(krb5_context ctx,
krb5_const_principal p,
+ unsigned int flags,
krb5_db_entry *d,
int * i,
krb5_boolean *b),
@@ -264,4 +265,5 @@
/* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
/* blah blah blah */ 0,0,0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
+ 0,0,0,
};
Copied: branches/mkey_migrate/src/plugins/kdb/db2/deps (from rev 21721, trunk/src/plugins/kdb/db2/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/kdb_db2.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/kdb_db2.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -219,11 +219,8 @@
if (sfx == NULL)
return ((char *) NULL);
- dbsuffix = malloc(strlen(db_name) + strlen(sfx) + 1);
- if (!dbsuffix)
+ if (asprintf(&dbsuffix, "%s%s", db_name, sfx) < 0)
return (0);
- (void) strcpy(dbsuffix, db_name);
- (void) strcat(dbsuffix, sfx);
return dbsuffix;
}
@@ -1769,7 +1766,7 @@
retval = errno;
goto errout;
}
- strcat(new_policy, ".lock");
+ strlcat(new_policy, ".lock",sizeof(new_policy));
(void) unlink(new_policy);
}
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -15,74 +15,3 @@
clean-unix:: clean-libobjs
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-bt_close.so bt_close.po $(OUTPRE)bt_close.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_close.c btree.h extern.h
-bt_conv.so bt_conv.po $(OUTPRE)bt_conv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_conv.c btree.h extern.h
-bt_debug.so bt_debug.po $(OUTPRE)bt_debug.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_debug.c btree.h extern.h
-bt_delete.so bt_delete.po $(OUTPRE)bt_delete.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_delete.c btree.h extern.h
-bt_get.so bt_get.po $(OUTPRE)bt_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_get.c btree.h extern.h
-bt_open.so bt_open.po $(OUTPRE)bt_open.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_open.c btree.h extern.h
-bt_overflow.so bt_overflow.po $(OUTPRE)bt_overflow.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_overflow.c btree.h extern.h
-bt_page.so bt_page.po $(OUTPRE)bt_page.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_page.c btree.h extern.h
-bt_put.so bt_put.po $(OUTPRE)bt_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_put.c btree.h extern.h
-bt_search.so bt_search.po $(OUTPRE)bt_search.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_search.c btree.h extern.h
-bt_seq.so bt_seq.po $(OUTPRE)bt_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_seq.c btree.h extern.h
-bt_split.so bt_split.po $(OUTPRE)bt_split.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_split.c btree.h extern.h
-bt_utils.so bt_utils.po $(OUTPRE)bt_utils.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_utils.c btree.h extern.h
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/btree/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/btree/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -12,12 +12,3 @@
SRCS= $(STLIBOBJS:.o=.c)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-db.so db.po $(OUTPRE)db.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db.h \
- db.c
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/db/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/db/deps)
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,49 +14,3 @@
SRCS= $(STLIBOBJS:.o=.c)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-hash.so hash.po $(OUTPRE)hash.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h hash.c hash.h page.h
-hash_bigkey.so hash_bigkey.po $(OUTPRE)hash_bigkey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h hash.h hash_bigkey.c \
- page.h
-hash_debug.so hash_debug.po $(OUTPRE)hash_debug.$(OBJEXT): \
- hash_debug.c
-hash_func.so hash_func.po $(OUTPRE)hash_func.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h hash.h hash_func.c \
- page.h
-hash_log2.so hash_log2.po $(OUTPRE)hash_log2.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h hash.h hash_log2.c \
- page.h
-hash_page.so hash_page.po $(OUTPRE)hash_page.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h hash.h hash_page.c \
- page.h
-hsearch.so hsearch.po $(OUTPRE)hsearch.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db.h \
- hsearch.c search.h
-dbm.so dbm.po $(OUTPRE)dbm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-ndbm.h $(BUILDTOP)/include/db.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-dbm.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h dbm.c hash.h
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/hash/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/hash/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -12,12 +12,3 @@
SRCS= $(STLIBOBJS:.o=.c)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-mpool.so mpool.po $(OUTPRE)mpool.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h mpool.c mpool.h
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/mpool/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/mpool/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -14,56 +14,3 @@
SRCS= $(STLIBOBJS:.o=.c)
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-rec_close.so rec_close.po $(OUTPRE)rec_close.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_close.c recno.h
-rec_delete.so rec_delete.po $(OUTPRE)rec_delete.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_delete.c recno.h
-rec_get.so rec_get.po $(OUTPRE)rec_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_get.c recno.h
-rec_open.so rec_open.po $(OUTPRE)rec_open.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_open.c recno.h
-rec_put.so rec_put.po $(OUTPRE)rec_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_put.c recno.h
-rec_search.so rec_search.po $(OUTPRE)rec_search.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_search.c recno.h
-rec_seq.so rec_seq.po $(OUTPRE)rec_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_seq.c recno.h
-rec_utils.so rec_utils.po $(OUTPRE)rec_utils.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_utils.c recno.h
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/recno/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/recno/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/dbtest.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/dbtest.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/dbtest.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -163,7 +163,7 @@
p = getenv("TMPDIR");
if (p == NULL)
p = "/var/tmp";
- (void)sprintf(buf, "%s/__dbtest", p);
+ (void)snprintf(buf, sizeof(buf), "%s/__dbtest", p);
fname = buf;
(void)unlink(buf);
} else if (!sflag)
Copied: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/deps (from rev 21721, trunk/src/plugins/kdb/db2/libdb2/test/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -82,7 +82,7 @@
#endif
info.lorder = 0;
if (!(db = dbopen("bigtest", O_RDWR | O_CREAT | O_BINARY, 0644, DB_HASH, &info))) {
- sprintf(buf, "dbopen: failed on file bigtest");
+ snprintf(buf, sizeof(buf), "dbopen: failed on file bigtest");
perror(buf);
exit(1);
}
@@ -96,10 +96,10 @@
content.size = 128 + (rand()&1023);
/* printf("%d: Key size %d, data size %d\n", i, key.size,
content.size); */
- sprintf(keybuf, "Key #%d", i);
- sprintf(contentbuf, "Contents #%d", i);
+ snprintf(keybuf, sizeof(keybuf), "Key #%d", i);
+ snprintf(contentbuf, sizeof(contentbuf), "Contents #%d", i);
if ((db->put)(db, &key, &content, R_NOOVERWRITE)) {
- sprintf(buf, "dbm_store #%d", i);
+ snprintf(buf, sizeof(buf), "dbm_store #%d", i);
perror(buf);
}
}
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -45,21 +45,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-ldap_exp.so ldap_exp.po $(OUTPRE)ldap_exp.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- $(srcdir)/libkdb_ldap/kdb_ldap.h $(srcdir)/libkdb_ldap/ldap_krbcontainer.h \
- $(srcdir)/libkdb_ldap/ldap_principal.h $(srcdir)/libkdb_ldap/ldap_pwd_policy.h \
- $(srcdir)/libkdb_ldap/ldap_realm.h $(srcdir)/libkdb_ldap/ldap_tkt_policy.h \
- ldap_exp.c
Copied: branches/mkey_migrate/src/plugins/kdb/ldap/deps (from rev 21721, trunk/src/plugins/kdb/ldap/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -4,7 +4,7 @@
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
DEFINES = -DKDB4_DISABLE
DEFS=
-LOCALINCLUDES = -I. @KRB4_INCLUDES@ -I$(srcdir)/../libkdb_ldap -I$(SRCTOP)/lib/kdb
+LOCALINCLUDES = -I. -I$(srcdir)/../libkdb_ldap -I$(SRCTOP)/lib/kdb
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
#KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
@@ -17,9 +17,9 @@
all:: $(PROG)
-$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(GETDATE)
+$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
$(CC_LINK) -o $(PROG) $(OBJS) $(GETDATE) \
- $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS)
+ $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS)
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
Copied: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/deps (from rev 21721, trunk/src/plugins/kdb/ldap/ldap_util/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -874,8 +874,7 @@
minutes = duration / 60;
duration %= 60;
seconds = duration;
- sprintf(out, "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days",
- hours, minutes, seconds);
+ snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+ days, days == 1 ? "day" : "days", hours, minutes, seconds);
return out;
}
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -87,6 +87,7 @@
#include <stdio.h>
#include <k5-int.h>
#include <kadm5/admin.h>
+#include <adm_proto.h>
#include "kdb5_ldap_util.h"
#include "kdb5_ldap_list.h"
#include <ldap_principal.h>
@@ -1991,7 +1992,7 @@
minutes = duration / 60;
duration %= 60;
seconds = duration;
- sprintf(out, "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+ snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
days, days == 1 ? "day" : "days",
hours, minutes, seconds);
return out;
@@ -2004,7 +2005,7 @@
static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
{
char **slist = NULL;
- int num_entry_printed = 0, i = 0;
+ unsigned int num_entry_printed = 0, i = 0;
/* Print the Realm Attributes on the standard output */
printf("%25s: %-50s\n", "Realm Name", global_params.realm);
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -85,9 +85,11 @@
/* Parse for the protocol string and translate to number */
strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN);
if (!strcmp(proto_str, "udp"))
- sprintf (proto_str, "%d", PROTOCOL_NUM_UDP);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_NUM_UDP);
else if (!strcmp(proto_str, "tcp"))
- sprintf (proto_str, "%d", PROTOCOL_NUM_TCP);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_NUM_TCP);
else
proto_str[0] = '\0'; /* Make the string null if invalid */
@@ -109,27 +111,32 @@
and port values if they are absent or not matching */
if (servicetype == LDAP_KDC_SERVICE) {
if (proto_str[0] == '\0')
- sprintf (proto_str, "%d", PROTOCOL_DEFAULT_KDC);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_KDC);
if (port_str[0] == '\0')
- sprintf (port_str, "%d", PORT_DEFAULT_KDC);
+ snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC);
} else if (servicetype == LDAP_ADMIN_SERVICE) {
if (proto_str[0] == '\0')
- sprintf (proto_str, "%d", PROTOCOL_DEFAULT_ADM);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_ADM);
else if (strcmp(proto_str, "1")) {
- sprintf (proto_str, "%d", PROTOCOL_DEFAULT_ADM);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_ADM);
/* Print warning message */
printf ("Admin Server supports only TCP protocol, hence setting that\n");
}
if (port_str[0] == '\0')
- sprintf (port_str, "%d", PORT_DEFAULT_ADM);
+ snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM);
} else if (servicetype == LDAP_PASSWD_SERVICE) {
if (proto_str[0] == '\0')
- sprintf (proto_str, "%d", PROTOCOL_DEFAULT_PWD);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_PWD);
else if (strcmp(proto_str, "0")) {
- sprintf (proto_str, "%d", PROTOCOL_DEFAULT_PWD);
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_PWD);
/* Print warning message */
printf ("Password Server supports only UDP protocol, hence setting that\n");
@@ -1538,7 +1545,6 @@
unsigned int passwd_len = 0;
krb5_error_code errcode = -1;
int retval = 0, i = 0;
- unsigned int len = 0;
krb5_boolean print_usage = FALSE;
FILE *pfile = NULL;
char *str = NULL;
@@ -1667,23 +1673,17 @@
memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1);
passwd_len = MAX_SERVICE_PASSWD_LEN;
- len = strlen(service_object);
- /* size of allocation=strlen of servicedn + strlen("Password for \" \"")=20 */
- prompt1 = (char *)malloc(len + 20);
- if (prompt1 == NULL) {
+ if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) {
com_err(me, ENOMEM, "while setting service object password");
goto cleanup;
}
- sprintf(prompt1, "Password for \"%s\"", service_object);
- /* size of allocation=strlen of servicedn + strlen("Re-enter Password for \" \"")=30 */
- prompt2 = (char *)malloc(len + 30);
- if (prompt2 == NULL) {
+ if (asprintf(&prompt2, "Re-enter password for \"%s\"",
+ service_object) < 0) {
com_err(me, ENOMEM, "while setting service object password");
free(prompt1);
goto cleanup;
}
- sprintf(prompt2, "Re-enter password for \"%s\"", service_object);
retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
free(prompt1);
@@ -1718,19 +1718,15 @@
goto cleanup;
}
/* Password = {HEX}<encrypted password>:<encrypted key> */
- encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) +
- 1 + 5 + hex.length + 2);
- if (encrypted_passwd.value == NULL) {
+ if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) {
com_err(me, ENOMEM, "while setting service object password");
memset(passwd, 0, passwd_len);
memset(hex.data, 0, hex.length);
free(hex.data);
goto cleanup;
}
- encrypted_passwd.value[strlen(service_object) +
- 1 + 5 + hex.length + 1] = '\0';
- sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
- encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
+ encrypted_passwd.data = (unsigned char *)str;
+ encrypted_passwd.len = strlen(str);
memset(hex.data, 0, hex.length);
free(hex.data);
}
@@ -1806,12 +1802,10 @@
mode_t omask;
/* Create a new file with the extension .tmp */
- tmp_file = (char *) malloc(sizeof(char) * (strlen(file_name) + 4 + 1));
- if (tmp_file == NULL) {
+ if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
com_err(me, ENOMEM, "while setting service object password");
goto cleanup;
}
- sprintf(tmp_file,"%s.%s",file_name,"tmp");
omask = umask(077);
newfile = fopen(tmp_file, "w+");
@@ -1832,7 +1826,6 @@
goto cleanup;
}
} else {
- len = strlen(line);
if (fprintf(newfile, "%s", line) < 0) {
com_err(me, errno, "Failed to write service object password to file");
fclose(newfile);
@@ -1998,12 +1991,12 @@
/* size of prompt = strlen of servicedn + strlen("Password for \" \"") */
assert (sizeof (prompt1) > (strlen (service_object)
+ sizeof ("Password for \" \"")));
- sprintf(prompt1, "Password for \"%s\"", service_object);
+ snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object);
/* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */
assert (sizeof (prompt2) > (strlen (service_object)
+ sizeof ("Re-enter Password for \" \"")));
- sprintf(prompt2, "Re-enter password for \"%s\"", service_object);
+ snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object);
ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
if (ret != 0) {
@@ -2082,13 +2075,11 @@
mode_t omask;
/* Create a new file with the extension .tmp */
- tmp_file = (char *) malloc(sizeof(char) * (strlen(file_name) + 4 + 1));
- if (tmp_file == NULL) {
+ if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
com_err(me, ENOMEM, "while setting service object password");
fclose(pfile);
goto cleanup;
}
- sprintf(tmp_file,"%s.%s",file_name,"tmp");
omask = umask(077);
newfile = fopen(tmp_file, "w");
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -104,7 +104,7 @@
* This function prints the usage of kdb5_ldap_util, which is
* the LDAP configuration utility.
*/
-void usage()
+void usage(void)
{
fprintf(stderr, "Usage: "
"kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
@@ -420,7 +420,6 @@
* we will print the help corresponding to the sub-command.
*/
if (print_help_message) {
- char *cmd_name = cmd_argv[0];
free(cmd_argv);
cmd_argv = NULL;
usage();
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -63,10 +63,10 @@
extern int exit_status;
extern krb5_context util_context;
-extern void usage();
+extern void usage(void);
extern void db_usage(int);
-#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(MAIN_HELP), NULL))
+#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(db_usage(MAIN_HELP), NULL))
/* Following are the bitmaps that indicate which of the options among -D, -w, -h, -p & -t
* were specified on the command line.
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -84,245 +84,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-kdb_ldap.so kdb_ldap.po $(OUTPRE)kdb_ldap.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.c kdb_ldap.h ldap_err.h ldap_krbcontainer.h \
- ldap_misc.h ldap_realm.h ldap_services.h
-kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h kdb_ldap_conn.c ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_service_stash.h \
- ldap_services.h
-ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_principal.h ldap_pwd_policy.h \
- ldap_realm.c ldap_realm.h ldap_services.h ldap_tkt_policy.h
-ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_create.c ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_principal.h ldap_realm.h \
- ldap_services.h ldap_tkt_policy.h
-ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.c \
- ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h \
- ldap_services.h
-ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_principal.c ldap_principal.h \
- ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
-ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_principal.h ldap_principal2.c \
- ldap_pwd_policy.h ldap_realm.h ldap_services.h ldap_tkt_policy.h \
- princ_xdr.h
-ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_pwd_policy.c ldap_pwd_policy.h \
- ldap_realm.h ldap_services.h
-ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_misc.c ldap_misc.h ldap_principal.h ldap_pwd_policy.h \
- ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
-ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_handle.c ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h
-ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h \
- ldap_tkt_policy.c ldap_tkt_policy.h
-ldap_services.so ldap_services.po $(OUTPRE)ldap_services.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_services.c \
- ldap_services.h
-ldap_service_rights.so ldap_service_rights.po $(OUTPRE)ldap_service_rights.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_service_rights.c \
- ldap_services.h
-princ_xdr.so princ_xdr.po $(OUTPRE)princ_xdr.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_krbcontainer.h ldap_principal.h ldap_realm.h \
- ldap_tkt_policy.h princ_xdr.c princ_xdr.h
-ldap_fetch_mkey.so ldap_fetch_mkey.po $(OUTPRE)ldap_fetch_mkey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_fetch_mkey.c ldap_handle.h ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h
-ldap_service_stash.so ldap_service_stash.po $(OUTPRE)ldap_service_stash.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/kdb/kdb5.h \
- kdb_ldap.h ldap_handle.h ldap_krbcontainer.h ldap_main.h \
- ldap_misc.h ldap_realm.h ldap_service_stash.c ldap_service_stash.h \
- ldap_services.h
-kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdb_xdr.c kdb_xdr.h
-ldap_err.so ldap_err.po $(OUTPRE)ldap_err.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- ldap_err.c ldap_err.h
Copied: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/deps (from rev 21721, trunk/src/plugins/kdb/ldap/libkdb_ldap/deps)
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,6 +39,10 @@
#include <kdb5.h>
#include <kadm5/admin.h>
+#if defined(NEED_ISBLANK_PROTO) && !defined(isblank)
+extern int isblank();
+#endif
+
krb5_error_code
krb5_ldap_get_db_opt(char *input, char **opt, char **val)
{
@@ -389,32 +393,17 @@
goto clean_n_exit;
}
} else {
- void *tmp=NULL;
- char *oldstr = NULL;
- unsigned int len=0;
+ char *newstr;
- oldstr = strdup(ldap_context->root_certificate_file);
- if (oldstr == NULL) {
+ if (asprintf(&newstr, "%s %s",
+ ldap_context->root_certificate_file, val) < 0) {
free (opt);
free (val);
status = ENOMEM;
goto clean_n_exit;
}
-
- tmp = ldap_context->root_certificate_file;
- len = strlen(ldap_context->root_certificate_file) + 2 + strlen(val);
- ldap_context->root_certificate_file = realloc(ldap_context->root_certificate_file,
- len);
- if (ldap_context->root_certificate_file == NULL) {
- free (tmp);
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- memset(ldap_context->root_certificate_file, 0, len);
- sprintf(ldap_context->root_certificate_file,"%s %s", oldstr, val);
- free (oldstr);
+ free(ldap_context->root_certificate_file);
+ ldap_context->root_certificate_file = newstr;
}
#endif
} else {
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -285,6 +285,10 @@
int
has_sasl_external_mech(krb5_context, char *);
+krb5_error_code
+krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context);
+
+
/* DAL functions */
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -212,7 +212,7 @@
server_info = ldap_context->server_info_list[cnt];
if (server_info->server_status == NOTSET) {
- int conns=0;
+ unsigned int conns=0;
/*
* Check if the server has to perform certificate-based authentication
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -198,32 +198,16 @@
goto cleanup;
}
} else {
- void *tmp=NULL;
- char *oldstr = NULL;
- unsigned int len=0;
+ char *newstr;
- oldstr = strdup(ldap_context->root_certificate_file);
- if (oldstr == NULL) {
+ if (asprintf(&newstr, "%s %s",
+ ldap_context->root_certificate_file, val) < 0) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
-
- tmp = ldap_context->root_certificate_file;
- len = strlen(ldap_context->root_certificate_file) + 2 + strlen(val);
- ldap_context->root_certificate_file = realloc(ldap_context->root_certificate_file,
- len);
- if (ldap_context->root_certificate_file == NULL) {
- free (tmp);
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- memset(ldap_context->root_certificate_file, 0, len);
- sprintf(ldap_context->root_certificate_file,"%s %s", oldstr, val);
- free (oldstr);
+ ldap_context->root_certificate_file = newstr;
}
#endif
} else {
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1499,7 +1499,7 @@
format_d (int val)
{
char tmpbuf[2+3*sizeof(val)];
- sprintf(tmpbuf, "%d", val);
+ snprintf(tmpbuf, sizeof(tmpbuf), "%d", val);
return strdup(tmpbuf);
}
@@ -1655,14 +1655,12 @@
goto cleanup;
}
- filter = (char *) malloc (strlen (refattr) + strlen (ptr) + 2);
- if (filter == NULL) {
+ if (asprintf (&filter, "%s=%s", refattr, ptr) < 0) {
+ filter = NULL;
st = ENOMEM;
goto cleanup;
}
- sprintf (filter, "%s=%s", refattr, ptr);
-
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -150,4 +150,6 @@
krb5_const_principal princ,
krb5_db_entry *entry);
+int kldap_ensure_initialized (void);
+
#endif
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -143,7 +143,7 @@
krb5_db_entry entry;
krb5_principal principal;
char **subtree=NULL, *princ_name=NULL, *realm=NULL, **values=NULL, *filter=NULL;
- unsigned int filterlen=0, tree=0, ntree=1, i=0;
+ unsigned int tree=0, ntree=1, i=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
@@ -174,11 +174,9 @@
if (match_expr == NULL)
match_expr = default_match_expr;
- filterlen = strlen(FILTER) + strlen(match_expr) + 2 + 1; /* 2 for closing brackets */
- filter = malloc (filterlen);
+ if (asprintf(&filter, FILTER"%s))", match_expr) < 0)
+ filter = NULL;
CHECK_NULL(filter);
- memset(filter, 0, filterlen);
- sprintf(filter, FILTER"%s))", match_expr);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0)
goto cleanup;
@@ -256,7 +254,7 @@
SETUP_CONTEXT();
/* get the principal info */
- if ((st=krb5_ldap_get_principal(context, searchfor, &entries, nentries, &more)) != 0 || *nentries == 0)
+ if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0)
goto cleanup;
if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
@@ -385,52 +383,17 @@
krb5_error_code
krb5_ldap_unparse_principal_name(char *user_name)
{
- char *tmp_princ_name=NULL, *princ_name=NULL, *tmp=NULL;
- int l=0;
- krb5_error_code st=0;
+ char *in, *out;
- if (strstr(user_name, "\\@")) {
-
- tmp_princ_name = strdup(user_name);
- if (!tmp_princ_name) {
- st = ENOMEM;
- goto cleanup;
- }
- tmp = tmp_princ_name;
-
- princ_name = (char *) malloc (strlen(user_name));
- if (!princ_name) {
- st = ENOMEM;
- goto cleanup;
- }
- memset(princ_name, 0, strlen(user_name));
-
- l = 0;
- while (*tmp_princ_name) {
- if ((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) {
- tmp_princ_name += 1;
- } else {
- *(princ_name + l) = *tmp_princ_name++;
- l++;
- }
- }
-
- memset(user_name, 0, strlen(user_name));
- sprintf(user_name, "%s", princ_name);
+ out = user_name;
+ for (in = user_name; *in; in++) {
+ if (*in == '\\' && *(in + 1) == '@')
+ continue;
+ *out++ = *in;
}
+ *out = '\0';
-cleanup:
- if (tmp) {
- free(tmp);
- tmp = NULL;
- }
-
- if (princ_name) {
- free(princ_name);
- princ_name = NULL;
- }
-
- return st;
+ return 0;
}
@@ -452,62 +415,25 @@
char *i_princ_name;
char **o_princ_name;
{
- char *tmp_princ_name = NULL, *princ_name = NULL, *at_rlm_name = NULL;
- int l = 0, m = 0, tmp_princ_name_len = 0, princ_name_len = 0, at_count = 0;
- krb5_error_code st = 0;
+ const char *at_rlm_name, *p;
+ struct k5buf buf;
at_rlm_name = strrchr(i_princ_name, '@');
-
if (!at_rlm_name) {
*o_princ_name = strdup(i_princ_name);
- if (!o_princ_name) {
- st = ENOMEM;
- goto cleanup;
- }
+ if (!o_princ_name)
+ return ENOMEM;
} else {
- tmp_princ_name_len = at_rlm_name - i_princ_name;
-
- tmp_princ_name = (char *) malloc ((unsigned) tmp_princ_name_len + 1);
- if (!tmp_princ_name) {
- st = ENOMEM;
- goto cleanup;
+ krb5int_buf_init_dynamic(&buf);
+ for (p = i_princ_name; p < at_rlm_name; p++) {
+ if (*p == '@')
+ krb5int_buf_add(&buf, "\\");
+ krb5int_buf_add_len(&buf, p, 1);
}
- memset(tmp_princ_name, 0, (unsigned) tmp_princ_name_len + 1);
- memcpy(tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len);
-
- l = 0;
- while (tmp_princ_name[l]) {
- if (tmp_princ_name[l++] == '@')
- at_count++;
- }
-
- princ_name_len = strlen(i_princ_name) + at_count + 1;
- princ_name = (char *) malloc ((unsigned) princ_name_len);
- if (!princ_name) {
- st = ENOMEM;
- goto cleanup;
- }
- memset(princ_name, 0, (unsigned) princ_name_len);
-
- l = 0;
- m = 0;
- while (tmp_princ_name[l]) {
- if (tmp_princ_name[l] == '@') {
- princ_name[m++]='\\';
- }
- princ_name[m++]=tmp_princ_name[l++];
- }
- strcat(princ_name, at_rlm_name);
-
- *o_princ_name = princ_name;
+ krb5int_buf_add(&buf, at_rlm_name);
+ *o_princ_name = krb5int_buf_data(&buf);
+ if (!*o_princ_name)
+ return ENOMEM;
}
-
-cleanup:
-
- if (tmp_princ_name) {
- free(tmp_princ_name);
- tmp_princ_name = NULL;
- }
-
- return st;
+ return 0;
}
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -89,7 +89,7 @@
krb5_error_code
krb5_ldap_get_principal(krb5_context , krb5_const_principal ,
- krb5_db_entry *,int *, krb5_boolean *);
+ unsigned int, krb5_db_entry *,int *, krb5_boolean *);
krb5_error_code
krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -74,9 +74,10 @@
*/
krb5_error_code
-krb5_ldap_get_principal(context, searchfor, entries, nentries, more)
+krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more)
krb5_context context;
krb5_const_principal searchfor;
+ unsigned int flags;
krb5_db_entry *entries; /* filled in */
int *nentries; /* how much room/how many found */
krb5_boolean *more; /* are there more? */
@@ -319,13 +320,13 @@
}
krb5int_access accessor;
-extern int kldap_ensure_initialized (void);
static krb5_error_code
asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data,
krb5_int32 mkvno, krb5_data **code)
{
krb5_error_code err;
+ ldap_seqof_key_data val;
/*
* This should be pushed back into other library initialization
@@ -335,8 +336,11 @@
if (err)
return err;
- return accessor.asn1_ldap_encode_sequence_of_keys(key_data, n_key_data,
- mkvno, code);
+ val.key_data = key_data;
+ val.n_key_data = n_key_data;
+ val.mkvno = mkvno;
+
+ return accessor.asn1_ldap_encode_sequence_of_keys(&val, code);
}
static krb5_error_code
@@ -344,6 +348,7 @@
krb5_int16 *n_key_data, int *mkvno)
{
krb5_error_code err;
+ ldap_seqof_key_data *p;
/*
* This should be pushed back into other library initialization
@@ -353,8 +358,14 @@
if (err)
return err;
- return accessor.asn1_ldap_decode_sequence_of_keys(in, out, n_key_data,
- mkvno);
+ err = accessor.asn1_ldap_decode_sequence_of_keys(in, &p);
+ if (err)
+ return err;
+ *out = p->key_data;
+ *n_key_data = p->n_key_data;
+ *mkvno = p->mkvno;
+ free(p);
+ return 0;
}
@@ -614,7 +625,8 @@
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
- sprintf(errbuf, "'%s' not found: ", xargs.containerdn);
+ snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
+ xargs.containerdn);
prepend_err_str(context, errbuf, st, ost);
}
goto cleanup;
@@ -631,10 +643,10 @@
}
CHECK_NULL(subtree);
- standalone_principal_dn = malloc(strlen("krbprincipalname=") + strlen(user) + strlen(",") +
- strlen(subtree) + 1);
+ if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
+ user, subtree) < 0)
+ standalone_principal_dn = NULL;
CHECK_NULL(standalone_principal_dn);
- sprintf(standalone_principal_dn, "krbprincipalname=%s,%s", user, subtree);
/*
* free subtree when you are done using the subtree
* set the boolean create_standalone_prinicipal to TRUE
@@ -1062,7 +1074,7 @@
/* a load operation must replace an existing entry */
st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "Principal delete failed (trying to replace entry): %s",
+ snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
@@ -1072,7 +1084,7 @@
}
}
if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
+ snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
@@ -1109,7 +1121,7 @@
st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "User modification failed: %s", ldap_err2string(st));
+ snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -179,7 +179,7 @@
return(st);
}
-krb5_error_code
+static krb5_error_code
populate_policy(krb5_context context,
LDAP *ld,
LDAPMessage *ent,
@@ -209,7 +209,7 @@
return st;
}
-krb5_error_code
+static krb5_error_code
krb5_ldap_get_password_policy_from_dn (krb5_context context,
char *pol_name,
char *pol_dn,
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -203,7 +203,7 @@
goto cleanup;
}
- *realms = calloc(count+1, sizeof (char *));
+ *realms = calloc((unsigned int) count+1, sizeof (char *));
CHECK_NULL(*realms);
for (ent = ldap_first_entry(ld, result), count = 0; ent != NULL;
@@ -288,7 +288,7 @@
assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") +
strlen (realm) + 2 /* "*@" */ + 1);
- sprintf (filter, "(krbprincipalname=*@%s)", realm);
+ snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
free (realm);
/* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
@@ -297,7 +297,8 @@
if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
goto cleanup;
- result_arr = (LDAPMessage **) calloc(ntree+1, sizeof(LDAPMessage *));
+ result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1,
+ sizeof(LDAPMessage *));
if (result_arr == NULL) {
st = ENOMEM;
goto cleanup;
@@ -642,8 +643,8 @@
for (i=0; oldkdcservers[i]; ++i)
if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf (errbuf, "Error removing 'krbRealmReferences' from %s: ",
- oldkdcservers[i]);
+ snprintf (errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from %s: ",
+ oldkdcservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -653,8 +654,8 @@
for (i=0; newkdcservers[i]; ++i)
if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ",
- newkdcservers[i]);
+ snprintf (errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newkdcservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -679,8 +680,8 @@
for (i=0; oldadminservers[i]; ++i)
if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf(errbuf, "Error removing 'krbRealmReferences' from "
- "%s: ", oldadminservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
+ "%s: ", oldadminservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -690,8 +691,8 @@
for (i=0; newadminservers[i]; ++i)
if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- newadminservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newadminservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -715,8 +716,8 @@
for (i=0; oldpasswdservers[i]; ++i)
if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf(errbuf, "Error removing 'krbRealmReferences' from "
- "%s: ", oldpasswdservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
+ "%s: ", oldpasswdservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -726,8 +727,8 @@
for (i=0; newpasswdservers[i]; ++i)
if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
rparams->realmdn)) != 0) {
- sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- newpasswdservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newpasswdservers[i]);
prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
@@ -994,9 +995,10 @@
realm_name = rparams->realm_name;
- dn = malloc(strlen("cn=") + strlen(realm_name) + strlen(ldap_context->krbcontainer->DN) + 2);
+ if (asprintf(&dn, "cn=%s,%s", realm_name,
+ ldap_context->krbcontainer->DN) < 0)
+ dn = NULL;
CHECK_NULL(dn);
- sprintf(dn, "cn=%s,%s", realm_name, ldap_context->krbcontainer->DN);
strval[0] = realm_name;
strval[1] = NULL;
@@ -1135,8 +1137,8 @@
if (mask & LDAP_REALM_KDCSERVERS)
for (i=0; rparams->kdcservers[i]; ++i)
if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
- sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->kdcservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->kdcservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_ext_s(ld, dn, NULL, NULL);
@@ -1146,8 +1148,8 @@
if (mask & LDAP_REALM_ADMINSERVERS)
for (i=0; rparams->adminservers[i]; ++i)
if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
- sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->adminservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->adminservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_ext_s(ld, dn, NULL, NULL);
@@ -1157,8 +1159,8 @@
if (mask & LDAP_REALM_PASSWDSERVERS)
for (i=0; rparams->passwdservers[i]; ++i)
if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
- sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->passwdservers[i]);
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->passwdservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_ext_s(ld, dn, NULL, NULL);
@@ -1241,12 +1243,11 @@
krbcontDN = ldap_context->krbcontainer->DN;
- rlparams->realmdn = (char *) malloc(strlen("cn=") + strlen(lrealm) + strlen(krbcontDN) + 2);
- if (rlparams->realmdn == NULL) {
+ if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) {
+ rlparams->realmdn = NULL;
st = ENOMEM;
goto cleanup;
}
- sprintf(rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN);
/* populate the realm name in the structure */
rlparams->realm_name = strdup(lrealm);
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -322,12 +322,8 @@
for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
- seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
- strlen(serviceobjdn) +
- strlen(security_container[i][1]) + 1);
-
- sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
- security_container[i][1]);
+ asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
+ security_container[i][1]);
seccontclass.mod_values = seccontacls;
seccontarr[0] = &seccontclass;
@@ -351,10 +347,8 @@
krbcontclass.mod_type = "ACL";
for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
- krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
- + strlen(kerberos_container[i][1]) + 1);
- sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
- kerberos_container[i][1]);
+ asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
+ kerberos_container[i][1]);
krbcontclass.mod_values = krbcontacls;
krbcontarr[0] = &krbcontclass;
@@ -373,20 +367,15 @@
}
/* Construct the realm dn from realm name */
- realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
- strlen(ldap_context->krbcontainer->DN) + 2);
- sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
+ asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op = LDAP_MOD_ADD;
realmclass.mod_type = "ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
- + strlen(serviceobjdn) +
- strlen(kdcrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ kdcrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
@@ -405,11 +394,8 @@
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(adminrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ adminrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
@@ -428,11 +414,8 @@
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
- realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(pwdrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
@@ -462,11 +445,8 @@
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
- strlen(serviceobjdn) +
- strlen(kdcrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
@@ -488,11 +468,8 @@
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(adminrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ adminrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
@@ -514,11 +491,8 @@
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(pwdrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ pwdrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
@@ -632,21 +606,15 @@
/* Set the rights for the realm */
if (mask & LDAP_REALM_RIGHTS) {
- /* Construct the realm dn from realm name */
- realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
- strlen(ldap_context->krbcontainer->DN) + 2);
- sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
+ asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op=LDAP_MOD_DELETE;
realmclass.mod_type="ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
- + strlen(serviceobjdn) +
- strlen(kdcrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ kdcrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
@@ -665,11 +633,8 @@
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(adminrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ adminrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
@@ -688,11 +653,8 @@
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
- + strlen(serviceobjdn)
- + strlen(pwdrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
+ asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
@@ -723,11 +685,8 @@
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(kdcrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
@@ -748,11 +707,8 @@
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(adminrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ adminrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
@@ -773,11 +729,8 @@
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(pwdrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
+ asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ pwdrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -125,16 +125,16 @@
/* Check if the entry has the path of a certificate */
if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
/* Set *password = {FILE}<path to cert>\0<cert password> */
- /*ptr = strchr(start, ':');
- if (ptr == NULL) { */
- *password = (unsigned char *)malloc(strlen(start) + 2);
+ size_t len = strlen(start);
+
+ *password = (unsigned char *)malloc(len + 2);
if (*password == NULL) {
st = ENOMEM;
goto rp_exit;
}
- (*password)[strlen(start) + 1] = '\0';
- (*password)[strlen(start)] = '\0';
- strcpy((char *)(*password), start);
+ memcpy((char *)(*password), start, len);
+ (*password)[len] = '\0';
+ (*password)[len + 1] = '\0';
goto got_password;
} else {
CT.value = (unsigned char *)start;
@@ -198,7 +198,7 @@
ret->data[ret->length] = 0;
for (i = 0; i < in.length; i++)
- sprintf(ret->data + 2 * i, "%02x", in.data[i] & 0xff);
+ snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff);
cleanup:
Modified: branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -148,8 +148,9 @@
for (i=0; service->krbrealmreferences[i]; ++i) {
if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
service->servicedn)) != 0) {
- sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ",
- service->krbrealmreferences[i]);
+ snprintf (errbuf, sizeof(errbuf),
+ "Error adding 'krbRealmReferences' to %s: ",
+ service->krbrealmreferences[i]);
prepend_err_str (context, errbuf, st, st);
/* delete service object, status ignored intentionally */
ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
Modified: branches/mkey_migrate/src/plugins/locate/python/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/locate/python/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/locate/python/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -11,7 +11,7 @@
MODULE_INSTALL_DIR = $(KRB5_LIBKRB5_MODULE_DIR)
SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS= -lpython2.3 $(KRB5_LIB) $(SUPPORT_LIB)
+SHLIB_EXPLIBS= @PYTHON_LIB@ $(KRB5_LIB) $(SUPPORT_LIB)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
@@ -28,14 +28,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-py-locate.so py-locate.po $(OUTPRE)py-locate.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- py-locate.c
Copied: branches/mkey_migrate/src/plugins/locate/python/deps (from rev 21721, trunk/src/plugins/locate/python/deps)
Modified: branches/mkey_migrate/src/plugins/locate/python/py-locate.c
===================================================================
--- branches/mkey_migrate/src/plugins/locate/python/py-locate.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/locate/python/py-locate.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,6 +66,8 @@
#include <Python.h>
#elif HAVE_PYTHON2_3_PYTHON_H
#include <python2.3/Python.h>
+#elif HAVE_PYTHON2_5_PYTHON_H
+#include <python2.5/Python.h>
#else
#error "Where's the Python header file?"
#endif
@@ -261,7 +263,7 @@
if (PyString_Check (field)) {
portstr = PyString_AsString (field);
} else if (PyInt_Check (field)) {
- sprintf(portbuf, "%ld", PyInt_AsLong (field));
+ snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field));
portstr = portbuf;
} else {
krb5_set_error_message(blob, -1,
Modified: branches/mkey_migrate/src/plugins/preauth/cksum_body/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/cksum_body/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/cksum_body/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,12 +39,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-cksum_body_main.so cksum_body_main.po $(OUTPRE)cksum_body_main.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/preauth_plugin.h \
- cksum_body_main.c
Modified: branches/mkey_migrate/src/plugins/preauth/cksum_body/cksum_body_main.c
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/cksum_body/cksum_body_main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/cksum_body/cksum_body_main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -535,8 +535,9 @@
my_authz_data[0]->ad_type = 1;
my_authz_data[0]->length = AD_ALLOC_SIZE;
memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
- sprintf(my_authz_data[0]->contents + sizeof(ad_header),
- "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
+ snprintf(my_authz_data[0]->contents + sizeof(ad_header),
+ AD_ALLOC_SIZE - sizeof(ad_header),
+ "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
*authz_data = my_authz_data;
#ifdef DEBUG
fprintf(stderr, "Returning %d bytes of authorization data\n",
Copied: branches/mkey_migrate/src/plugins/preauth/cksum_body/deps (from rev 21721, trunk/src/plugins/preauth/cksum_body/deps)
Modified: branches/mkey_migrate/src/plugins/preauth/pkinit/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/pkinit/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/pkinit/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -56,54 +56,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h pkinit_accessor.c \
- pkinit_accessor.h
-pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_srv.c
-pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_lib.c
-pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h
-pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h pkinit.h pkinit_accessor.h \
- pkinit_crypto.h pkinit_profile.c
-pkinit_identity.so pkinit_identity.po $(OUTPRE)pkinit_identity.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_identity.c
-pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h pkinit.h pkinit_accessor.h \
- pkinit_crypto.h pkinit_matching.c
-pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_crypto_openssl.c \
- pkinit_crypto_openssl.h
Copied: branches/mkey_migrate/src/plugins/preauth/pkinit/deps (from rev 21721, trunk/src/plugins/preauth/pkinit/deps)
Modified: branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3200,6 +3200,7 @@
{
krb5_data rdat;
char *prompt;
+ const char *warning;
krb5_prompt kprompt;
krb5_prompt_type prompt_type;
int r = 0;
@@ -3208,15 +3209,17 @@
rdat.data = NULL;
rdat.length = 0;
} else {
- if ((prompt = (char *) malloc(sizeof (tip->label) + 32)) == NULL)
- return ENOMEM;
- sprintf(prompt, "%.*s PIN", sizeof (tip->label), tip->label);
if (tip->flags & CKF_USER_PIN_LOCKED)
- strcat(prompt, " (Warning: PIN locked)");
+ warning = " (Warning: PIN locked)";
else if (tip->flags & CKF_USER_PIN_FINAL_TRY)
- strcat(prompt, " (Warning: PIN final try)");
+ warning = " (Warning: PIN final try)";
else if (tip->flags & CKF_USER_PIN_COUNT_LOW)
- strcat(prompt, " (Warning: PIN count low)");
+ warning = " (Warning: PIN count low)";
+ else
+ warning = "";
+ if (asprintf(&prompt, "%.*s PIN%s", (int) sizeof (tip->label),
+ tip->label, warning) < 0)
+ return ENOMEM;
rdat.data = (char *)malloc(tip->ulMaxPinLen + 2);
rdat.length = tip->ulMaxPinLen + 1;
@@ -5610,6 +5613,6 @@
break;
if (pkcs11_errstrings[i].text != NULL)
return (pkcs11_errstrings[i].text);
- sprintf(uc, "unknown code 0x%x", err);
+ snprintf(uc, sizeof(uc), "unknown code 0x%x", err);
return (uc);
}
Modified: branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_profile.c
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_profile.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/pkinit/pkinit_profile.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -161,11 +161,9 @@
if (values[0] == NULL) {
retval = ENOENT;
} else {
- *ret_value = malloc(strlen(values[0]) + 1);
+ *ret_value = strdup(values[0]);
if (*ret_value == NULL)
retval = ENOMEM;
- else
- strcpy(*ret_value, values[0]);
}
profile_free_list(values);
@@ -321,11 +319,9 @@
if (values[0] == NULL) {
retval = ENOENT;
} else {
- *ret_value = malloc(strlen(values[0]) + 1);
+ *ret_value = strdup(values[0]);
if (*ret_value == NULL)
retval = ENOMEM;
- else
- strcpy(*ret_value, values[0]);
}
profile_free_list(values);
Modified: branches/mkey_migrate/src/plugins/preauth/wpse/Makefile.in
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/wpse/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/wpse/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -39,12 +39,3 @@
@libnover_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-wpse_main.so wpse_main.po $(OUTPRE)wpse_main.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/preauth_plugin.h \
- wpse_main.c
Copied: branches/mkey_migrate/src/plugins/preauth/wpse/deps (from rev 21721, trunk/src/plugins/preauth/wpse/deps)
Modified: branches/mkey_migrate/src/plugins/preauth/wpse/wpse_main.c
===================================================================
--- branches/mkey_migrate/src/plugins/preauth/wpse/wpse_main.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/plugins/preauth/wpse/wpse_main.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -333,8 +333,9 @@
my_authz_data[0]->ad_type = 1;
my_authz_data[0]->length = AD_ALLOC_SIZE;
memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
- sprintf(my_authz_data[0]->contents + sizeof(ad_header),
- "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
+ snprintf(my_authz_data[0]->contents + sizeof(ad_header),
+ AD_ALLOC_SIZE - sizeof(ad_header),
+ "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
*authz_data = my_authz_data;
#ifdef DEBUG
fprintf(stderr, "Returning %d bytes of authorization data\n",
Modified: branches/mkey_migrate/src/slave/Makefile.in
===================================================================
--- branches/mkey_migrate/src/slave/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/slave/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -38,68 +38,8 @@
done
clean::
- $(RM) $(CLIENTOBJS) $(SERVEROBJS)
+ $(RM) $(CLIENTOBJS) $(SERVEROBJS) $(LOGOBJS)
clean::
- $(RM) kprop kpropd
+ $(RM) kprop kpropd kproplog
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kprop.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kprop.c kprop.h
-$(OUTPRE)kpropd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kprop.h kpropd.c
-$(OUTPRE)kpropd_rpc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/iprop.h \
- kpropd_rpc.c
-$(OUTPRE)kproplog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/iprop.h $(SRCTOP)/include/iprop_hdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kproplog.c
Copied: branches/mkey_migrate/src/slave/deps (from rev 21721, trunk/src/slave/deps)
Modified: branches/mkey_migrate/src/slave/kprop.c
===================================================================
--- branches/mkey_migrate/src/slave/kprop.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/slave/kprop.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -241,7 +241,7 @@
* Initialize cache file which we're going to be using
*/
(void) mktemp(tkstring);
- sprintf(buf, "FILE:%s", tkstring);
+ snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
@@ -337,7 +337,7 @@
hp = gethostbyname(host);
if (hp == NULL) {
- (void) sprintf(Errmsg, "%s: unknown host", host);
+ (void) snprintf(Errmsg, ErrmsgSz, "%s: unknown host", host);
*fd = -1;
return(0);
}
@@ -355,13 +355,13 @@
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0) {
- (void) sprintf(Errmsg, "in call to socket");
+ (void) snprintf(Errmsg, ErrmsgSz, "in call to socket");
return(errno);
}
if (connect(s, (struct sockaddr *)&my_sin, sizeof my_sin) < 0) {
retval = errno;
close(s);
- (void) sprintf(Errmsg, "in call to connect");
+ (void) snprintf(Errmsg, ErrmsgSz, "in call to connect");
return(retval);
}
*fd = s;
@@ -379,7 +379,7 @@
if (getsockname(s, (struct sockaddr *)&my_sin, &socket_length) < 0) {
retval = errno;
close(s);
- (void) sprintf(Errmsg, "in call to getsockname");
+ (void) snprintf(Errmsg, ErrmsgSz, "in call to getsockname");
return(retval);
}
sender_addr.addrtype = ADDRTYPE_INET;
@@ -492,13 +492,10 @@
data_fn);
exit(1);
}
- if ((data_ok_fn = (char *) malloc(strlen(data_fn)+strlen(ok)+1))
- == NULL) {
+ if (asprintf(&data_ok_fn, "%s%s", data_fn, ok) < 0) {
com_err(progname, ENOMEM, "while trying to malloc data_ok_fn");
exit(1);
}
- strcpy(data_ok_fn, data_fn);
- strcat(data_ok_fn, ok);
if (stat(data_ok_fn, &stbuf_ok)) {
com_err(progname, errno, "while trying to stat %s",
data_ok_fn);
@@ -600,7 +597,7 @@
retval = krb5_mk_priv(context, auth_context, &inbuf,
&outbuf, NULL);
if (retval) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"while encoding database block starting at %d",
sent_size);
com_err(progname, retval, buf);
@@ -711,9 +708,8 @@
else
text = error_message(err_code);
error.text.length = strlen(text) + 1;
- error.text.data = malloc((unsigned int) error.text.length);
+ error.text.data = strdup(text);
if (error.text.data) {
- strcpy(error.text.data, text);
if (!krb5_mk_error(context, &error, &outbuf)) {
(void) krb5_write_message(context, (void *)&fd,&outbuf);
krb5_free_data_contents(context, &outbuf);
@@ -731,17 +727,12 @@
int fd;
static char last_prop[]=".last_prop";
- if ((file_last_prop = (char *)malloc(strlen(file_name) +
- strlen(hostname) + 1 +
- strlen(last_prop) + 1)) == NULL) {
+ if (asprintf(&file_last_prop, "%s.%s%s", file_name, hostname,
+ last_prop) < 0) {
com_err(progname, ENOMEM,
"while allocating filename for update_last_prop_file");
return;
}
- strcpy(file_last_prop, file_name);
- strcat(file_last_prop, ".");
- strcat(file_last_prop, hostname);
- strcat(file_last_prop, last_prop);
if ((fd = THREEPARAMOPEN(file_last_prop, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno,
"while creating 'last_prop' file, '%s'",
Modified: branches/mkey_migrate/src/slave/kpropd.c
===================================================================
--- branches/mkey_migrate/src/slave/kpropd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/slave/kpropd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -98,11 +98,17 @@
#endif
#define SYSLOG_CLASS LOG_DAEMON
+#define INITIAL_TIMER 10
char *def_realm = NULL;
int runonce = 0;
/*
+ * Global fd to close upon alarm time-out.
+ */
+volatile int gfd = -1;
+
+/*
* This struct simulates the use of _kadm5_server_handle_t
*
* This is a COPY of kadm5_server_handle_t from
@@ -243,6 +249,14 @@
exit(ret);
}
+static void resync_alarm(int sn)
+{
+ close (gfd);
+ if (debug)
+ fprintf(stderr, _("resync_alarm: closing fd: %d\n"), gfd);
+ gfd = -1;
+}
+
int do_standalone(iprop_role iproprole)
{
struct sockaddr_in my_sin, frominet;
@@ -250,7 +264,13 @@
int finet, s;
GETPEERNAME_ARG3_TYPE fromlen;
int ret;
+ /*
+ * Timer for accept/read calls, in case of network type errors.
+ */
+ int backoff_timer = INITIAL_TIMER;
+retry:
+
finet = socket(AF_INET, SOCK_STREAM, 0);
if (finet < 0) {
com_err(progname, errno, "while obtaining socket");
@@ -281,13 +301,30 @@
if (setsockopt(finet, SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on)) < 0)
com_err(progname, errno,
- _("in setsockopt(SO_REUSEADDR)"));
+ _("while setting socket option (SO_REUSEADDR)"));
linger.l_onoff = 1;
linger.l_linger = 2;
if (setsockopt(finet, SOL_SOCKET, SO_LINGER,
(void *)&linger, sizeof(linger)) < 0)
com_err(progname, errno,
- _("in setsockopt(SO_LINGER)"));
+ _("while setting socket option (SO_LINGER)"));
+ /*
+ * We also want to set a timer so that the slave is not waiting
+ * until infinity for an update from the master.
+ */
+ gfd = finet;
+ signal(SIGALRM, resync_alarm);
+ if (debug) {
+ fprintf(stderr, "do_standalone: setting resync alarm to %d\n",
+ backoff_timer);
+ }
+ if (alarm(backoff_timer) != 0) {
+ if (debug) {
+ fprintf(stderr,
+ _("%s: alarm already set\n"), progname);
+ }
+ }
+ backoff_timer *= 2;
}
if ((ret = bind(finet, (struct sockaddr *) &my_sin, sizeof(my_sin))) < 0) {
if (debug) {
@@ -331,11 +368,30 @@
s = accept(finet, (struct sockaddr *) &frominet, &fromlen);
if (s < 0) {
- if (errno != EINTR)
- com_err(progname, errno,
- "from accept system call");
- continue;
+ int e = errno;
+ if (e != EINTR) {
+ com_err(progname, e,
+ _("while accepting connection"));
+ if (e != EBADF)
+ backoff_timer = INITIAL_TIMER;
+ }
+ /*
+ * If we got EBADF, an alarm signal handler closed
+ * the file descriptor on us.
+ */
+ if (e != EBADF)
+ close(finet);
+ /*
+ * An alarm could have been set and the fd closed, we
+ * should retry in case of transient network error for
+ * up to a couple of minutes.
+ */
+ if (backoff_timer > 120)
+ return EINTR;
+ goto retry;
}
+ alarm(0);
+ gfd = -1;
if (debug && iproprole != IPROP_SLAVE)
child_pid = 0;
else
@@ -351,10 +407,18 @@
close(s);
_exit(0);
default:
+ /*
+ * Errors should not be considered fatal in the
+ * iprop case as we could have transient type
+ * errors, such as network outage, etc. Sleeping
+ * 3s for 2s linger interval.
+ */
if (wait(&status) < 0) {
com_err(progname, errno,
_("while waiting to receive database"));
- exit(1);
+ if (iproprole != IPROP_SLAVE)
+ exit(1);
+ sleep(3);
}
close(s);
@@ -384,6 +448,23 @@
krb5_enctype etype;
int database_fd;
+ if (kpropd_context->kdblog_context &&
+ kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
+ /*
+ * We also want to set a timer so that the slave is not waiting
+ * until infinity for an update from the master.
+ */
+ if (debug)
+ fprintf(stderr, "doit: setting resync alarm to 5s\n");
+ signal(SIGALRM, resync_alarm);
+ gfd = fd;
+ if (alarm(INITIAL_TIMER) != 0) {
+ if (debug) {
+ fprintf(stderr,
+ _("%s: alarm already set\n"), progname);
+ }
+ }
+ }
fromlen = sizeof (from);
if (getpeername(fd, (struct sockaddr *) &from, &fromlen) < 0) {
#ifdef ENOTSOCK
@@ -423,6 +504,12 @@
*/
kerberos_authenticate(kpropd_context, fd, &client, &etype, from);
+ /*
+ * Turn off alarm upon successful authentication from master.
+ */
+ alarm(0);
+ gfd = -1;
+
if (!authorized_principal(kpropd_context, client, etype)) {
char *name;
@@ -512,7 +599,6 @@
void *server_handle = NULL;
char *iprop_svc_princstr = NULL;
char *master_svc_princstr = NULL;
- char *keytab_name = NULL;
unsigned int pollin, backoff_time;
int backoff_cnt = 0;
int reinit_cnt = 0;
@@ -553,8 +639,9 @@
params.realm = def_realm;
if (master_svc_princstr == NULL) {
- if (retval = kadm5_get_kiprop_host_srv_name(kpropd_context,
- def_realm, &master_svc_princstr)) {
+ if ((retval = kadm5_get_kiprop_host_srv_name(kpropd_context,
+ def_realm,
+ &master_svc_princstr))) {
com_err(progname, retval,
_("%s: unable to get kiprop host based "
"service name for realm %s\n"),
@@ -566,7 +653,7 @@
/*
* Set cc to the default credentials cache
*/
- if (retval = krb5_cc_default(kpropd_context, &cc)) {
+ if ((retval = krb5_cc_default(kpropd_context, &cc))) {
com_err(progname, retval,
_("while opening default "
"credentials cache"));
@@ -596,8 +683,8 @@
}
/* XXX Memory leak: Old r->data value. */
}
- if (retval = krb5_unparse_name(kpropd_context, iprop_svc_principal,
- &iprop_svc_princstr)) {
+ if ((retval = krb5_unparse_name(kpropd_context, iprop_svc_principal,
+ &iprop_svc_princstr))) {
com_err(progname, retval,
_("while canonicalizing principal name"));
krb5_free_principal(kpropd_context, iprop_svc_principal);
@@ -609,7 +696,7 @@
/*
* Authentication, initialize rpcsec_gss handle etc.
*/
- retval = kadm5_init_with_skey(iprop_svc_princstr, keytab_name,
+ retval = kadm5_init_with_skey(iprop_svc_princstr, srvtab,
master_svc_princstr,
¶ms,
KADM5_STRUCT_VERSION,
@@ -725,10 +812,6 @@
* the full dump
*/
ret = do_standalone(log_ctx->iproprole);
- if (ret)
- syslog(LOG_WARNING,
- _("kpropd: Full resync, "
- "invalid return."));
if (debug) {
if (ret)
fprintf(stderr,
@@ -739,7 +822,13 @@
_("Full resync "
"was successful\n"));
}
- frdone = 1;
+ if (ret) {
+ syslog(LOG_WARNING,
+ _("kpropd: Full resync, invalid return."));
+ frdone = 0;
+ backoff_cnt++;
+ } else
+ frdone = 1;
break;
case UPDATE_BUSY:
@@ -783,9 +872,12 @@
db_args);
if (retval) {
- syslog(LOG_ERR, _("kpropd: ulog_replay"
- " failed, updates not registered."));
- break;
+ char *msg = krb5_get_error_message(kpropd_context,
+ retval);
+ syslog(LOG_ERR,
+ _("kpropd: ulog_replay failed (%s), updates not registered."), msg);
+ krb5_free_error_message(kpropd_context, msg);
+ break;
}
if (debug)
@@ -860,7 +952,7 @@
free(iprop_svc_princstr);
if (master_svc_princstr)
free(master_svc_princstr);
- if (retval = krb5_cc_close(kpropd_context, cc)) {
+ if ((retval = krb5_cc_close(kpropd_context, cc))) {
com_err(progname, retval,
_("while closing default ccache"));
exit(1);
@@ -894,23 +986,21 @@
return (btime);
}
+static void
+kpropd_com_err_proc(const char *whoami,
+ long code,
+ const char *fmt,
+ va_list args)
+#if !defined(__cplusplus) && (__GNUC__ > 2)
+ __attribute__((__format__(__printf__, 3, 0)))
+#endif
+ ;
-static char *
-copy_leading_substring(char *src, size_t len)
-{
- char *result;
- result = malloc((len + 1) * sizeof(char));
- (void) strncpy(result, src, len+1);
- result[len] = 0;
- return result;
-}
-
static void
-kpropd_com_err_proc(whoami, code, fmt, args)
- const char *whoami;
- long code;
- const char *fmt;
- va_list args;
+kpropd_com_err_proc(const char *whoami,
+ long code,
+ const char *fmt,
+ va_list args)
{
char error_buf[8096];
@@ -1082,14 +1172,11 @@
/*
* Construct the name of the temporary file.
*/
- if ((temp_file_name = (char *) malloc(strlen(file) +
- strlen(tmp) + 1)) == NULL) {
+ if (asprintf(&temp_file_name, "%s%s", file, tmp) < 0) {
com_err(progname, ENOMEM,
"while allocating filename for temp file");
exit(1);
}
- strcpy(temp_file_name, file);
- strcat(temp_file_name, tmp);
retval = kadm5_get_config_params(kpropd_context, 1, ¶ms, ¶ms);
if (retval) {
@@ -1346,7 +1433,7 @@
while (received_size < database_size) {
retval = krb5_read_message(context, (void *) &fd, &inbuf);
if (retval) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"while reading database block starting at offset %d",
received_size);
com_err(progname, retval, buf);
@@ -1358,7 +1445,7 @@
retval = krb5_rd_priv(context, auth_context, &inbuf,
&outbuf, NULL);
if (retval) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"while decoding database block starting at offset %d",
received_size);
com_err(progname, retval, buf);
@@ -1370,12 +1457,12 @@
krb5_free_data_contents(context, &inbuf);
krb5_free_data_contents(context, &outbuf);
if (n < 0) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"while writing database block starting at offset %d",
received_size);
send_error(context, fd, errno, buf);
} else if (n != outbuf.length) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"incomplete write while writing database block starting at \noffset %d (%d written, %d expected)",
received_size, n, outbuf.length);
send_error(context, fd, KRB5KRB_ERR_GENERIC, buf);
@@ -1386,7 +1473,7 @@
* OK, we've seen the entire file. Did we get too many bytes?
*/
if (received_size > database_size) {
- sprintf(buf,
+ snprintf(buf, sizeof(buf),
"Received %d bytes, expected %d bytes for database file",
received_size, database_size);
send_error(context, fd, KRB5KRB_ERR_GENERIC, buf);
@@ -1435,15 +1522,14 @@
if (error.error > 127) {
error.error = KRB_ERR_GENERIC;
if (err_text) {
- sprintf(buf, "%s %s", error_message(err_code),
- err_text);
+ snprintf(buf, sizeof(buf), "%s %s",
+ error_message(err_code), err_text);
text = buf;
}
}
error.text.length = strlen(text) + 1;
- error.text.data = malloc(error.text.length);
+ error.text.data = strdup(text);
if (error.text.data) {
- strcpy(error.text.data, text);
if (!krb5_mk_error(context, &error, &outbuf)) {
(void) krb5_write_message(context, (void *)&fd,&outbuf);
krb5_free_data_contents(context, &outbuf);
@@ -1474,7 +1560,7 @@
} else if (error->error) {
com_err(progname,
(krb5_error_code) error->error + ERROR_TABLE_BASE_krb5,
- "signalled from server");
+ "signaled from server");
if (error->text.data)
fprintf(stderr,
"Error text from client: %s\n",
@@ -1583,18 +1669,15 @@
const char *realm,
char **host_service_name)
{
- kadm5_ret_t ret;
char *name;
char *host;
host = params.admin_server; /* XXX */
- name = malloc(strlen(KADM5_KIPROP_HOST_SERVICE) + strlen(host) + 2);
- if (name == NULL) {
+ if (asprintf(&name, "%s/%s", KADM5_KIPROP_HOST_SERVICE, host) < 0) {
free(host);
return (ENOMEM);
}
- sprintf(name, "%s/%s", KADM5_KIPROP_HOST_SERVICE, host);
*host_service_name = name;
return (KADM5_OK);
Modified: branches/mkey_migrate/src/slave/kproplog.c
===================================================================
--- branches/mkey_migrate/src/slave/kproplog.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/slave/kproplog.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -28,77 +28,340 @@
static void
usage()
{
- (void) fprintf(stderr, _("\nUsage: %s [-h] [-v] [-e num]\n\n"),
+ (void) fprintf(stderr, _("\nUsage: %s [-h] [-v] [-v] [-e num]\n\n"),
progname);
exit(1);
}
/*
+ * Print the attribute flags of principal in human readable form.
+ */
+static void
+print_flags(unsigned int flags)
+{
+ unsigned int i;
+ static char *prflags[] = {
+ "DISALLOW_POSTDATED", /* 0x00000001 */
+ "DISALLOW_FORWARDABLE", /* 0x00000002 */
+ "DISALLOW_TGT_BASED", /* 0x00000004 */
+ "DISALLOW_RENEWABLE", /* 0x00000008 */
+ "DISALLOW_PROXIABLE", /* 0x00000010 */
+ "DISALLOW_DUP_SKEY", /* 0x00000020 */
+ "DISALLOW_ALL_TIX", /* 0x00000040 */
+ "REQUIRES_PRE_AUTH", /* 0x00000080 */
+ "REQUIRES_HW_AUTH", /* 0x00000100 */
+ "REQUIRES_PWCHANGE", /* 0x00000200 */
+ "UNKNOWN_0x00000400", /* 0x00000400 */
+ "UNKNOWN_0x00000800", /* 0x00000800 */
+ "DISALLOW_SVR", /* 0x00001000 */
+ "PWCHANGE_SERVICE", /* 0x00002000 */
+ "SUPPORT_DESMD5", /* 0x00004000 */
+ "NEW_PRINC", /* 0x00008000 */
+ };
+
+ for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) {
+ if (flags & (krb5_flags) 1 << i)
+ printf("\t\t\t%s\n", prflags[i]);
+ }
+}
+
+/*
+ * Display time information.
+ */
+static void
+print_time(unsigned int *timep)
+{
+ if (*timep == 0L)
+ printf("\t\t\tNone\n");
+ else {
+ time_t ltime = *timep;
+ printf("\t\t\t%s", ctime(<ime));
+ }
+}
+
+/*
+ * Display string in hex primitive.
+ */
+static void
+print_hex(const char *tag, utf8str_t *str)
+{
+ unsigned int i;
+ unsigned int len;
+
+ len = str->utf8str_t_len;
+
+ (void) printf("\t\t\t%s(%d): 0x", tag, len);
+ for (i = 0; i < len; i++) {
+ printf("%02x", (krb5_octet) str->utf8str_t_val[i]);
+ }
+ (void) printf("\n");
+}
+
+/*
+ * Display string primitive.
+ */
+static void
+print_str(const char *tag, utf8str_t *str)
+{
+ char *dis;
+ unsigned int len;
+
+ /* + 1 for null byte */
+ len = str->utf8str_t_len + 1;
+ dis = (char *) malloc(len);
+
+ if (!dis) {
+ (void) fprintf(stderr, _("\nCouldn't allocate memory"));
+ exit(1);
+ }
+
+ (void) snprintf(dis, len, "%s", str->utf8str_t_val);
+
+ (void) printf("\t\t\t%s(%d): %s\n", tag, len - 1, dis);
+
+ free(dis);
+}
+
+/*
+ * Display data components.
+ */
+static void
+print_data(const char *tag, kdbe_data_t *data)
+{
+
+ (void) printf("\t\t\tmagic: 0x%x\n", data->k_magic);
+
+ (void) print_str(tag, &data->k_data);
+}
+
+/*
+ * Display the principal components.
+ */
+static void
+print_princ(kdbe_princ_t *princ)
+{
+ int i, len;
+ kdbe_data_t *data;
+
+ print_str("realm", &princ->k_realm);
+
+ len = princ->k_components.k_components_len;
+ data = princ->k_components.k_components_val;
+
+ for (i = 0; i < len; i++, data++) {
+
+ print_data("princ", data);
+ }
+}
+
+/*
+ * Display individual key.
+ */
+static void
+print_key(kdbe_key_t *k)
+{
+ unsigned int i;
+ utf8str_t *str;
+
+ printf("\t\t\tver: %d\n", k->k_ver);
+
+ printf("\t\t\tkvno: %d\n", k->k_kvno);
+
+ for (i = 0; i < k->k_enctype.k_enctype_len; i++) {
+ printf("\t\t\tenc type: 0x%x\n",
+ k->k_enctype.k_enctype_val[i]);
+ }
+
+ str = k->k_contents.k_contents_val;
+ for (i = 0; i < k->k_contents.k_contents_len; i++, str++) {
+ print_hex("key", str);
+ }
+}
+
+/*
+ * Display all key data.
+ */
+static void
+print_keydata(kdbe_key_t *keys, unsigned int len)
+{
+ unsigned int i;
+
+ for (i = 0; i < len; i++, keys++) {
+ print_key(keys);
+ }
+}
+
+/*
+ * Display TL item.
+ */
+static void
+print_tl(kdbe_tl_t *tl)
+{
+ int i, len;
+
+ printf("\t\t\ttype: 0x%x\n", tl->tl_type);
+
+ len = tl->tl_data.tl_data_len;
+
+ printf("\t\t\tvalue(%d): 0x", len);
+ for (i = 0; i < len; i++) {
+ printf("%02x", (krb5_octet) tl->tl_data.tl_data_val[i]);
+ }
+ printf("\n");
+}
+
+/*
+ * Display TL data items.
+ */
+static void
+print_tldata(kdbe_tl_t *tldata, int len)
+{
+ int i;
+
+ printf("\t\t\titems: %d\n", len);
+
+ for (i = 0; i < len; i++, tldata++) {
+ print_tl(tldata);
+ }
+}
+
+/*
* Print the individual types if verbose mode was specified.
+ * If verbose-verbose then print types along with respective values.
*/
static void
-print_attr(kdbe_attr_type_t type)
+print_attr(kdbe_val_t *val, int vverbose)
{
- switch (type) {
+ switch (val->av_type) {
case AT_ATTRFLAGS:
(void) printf(_("\t\tAttribute flags\n"));
+ if (vverbose) {
+ print_flags(val->kdbe_val_t_u.av_attrflags);
+ }
break;
case AT_MAX_LIFE:
(void) printf(_("\t\tMaximum ticket life\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_max_life);
+ }
break;
case AT_MAX_RENEW_LIFE:
(void) printf(_("\t\tMaximum renewable life\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_max_renew_life);
+ }
break;
case AT_EXP:
(void) printf(_("\t\tPrincipal expiration\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_exp);
+ }
break;
case AT_PW_EXP:
(void) printf(_("\t\tPassword expiration\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_pw_exp);
+ }
break;
case AT_LAST_SUCCESS:
(void) printf(_("\t\tLast successful auth\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_last_success);
+ }
break;
case AT_LAST_FAILED:
(void) printf(_("\t\tLast failed auth\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_last_failed);
+ }
break;
case AT_FAIL_AUTH_COUNT:
(void) printf(_("\t\tFailed passwd attempt\n"));
+ if (vverbose) {
+ (void) printf("\t\t\t%d\n",
+ val->kdbe_val_t_u.av_fail_auth_count);
+ }
break;
case AT_PRINC:
(void) printf(_("\t\tPrincipal\n"));
+ if (vverbose) {
+ print_princ(&val->kdbe_val_t_u.av_princ);
+ }
break;
case AT_KEYDATA:
(void) printf(_("\t\tKey data\n"));
+ if (vverbose) {
+ print_keydata(
+ val->kdbe_val_t_u.av_keydata.av_keydata_val,
+ val->kdbe_val_t_u.av_keydata.av_keydata_len);
+ }
break;
case AT_TL_DATA:
(void) printf(_("\t\tTL data\n"));
+ if (vverbose) {
+ print_tldata(
+ val->kdbe_val_t_u.av_tldata.av_tldata_val,
+ val->kdbe_val_t_u.av_tldata.av_tldata_len);
+ }
break;
case AT_LEN:
(void) printf(_("\t\tLength\n"));
+ if (vverbose) {
+ (void) printf("\t\t\t%d\n",
+ val->kdbe_val_t_u.av_len);
+ }
break;
+ case AT_PW_LAST_CHANGE:
+ (void) printf(_("\t\tPassword last changed\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_pw_last_change);
+ }
+ break;
case AT_MOD_PRINC:
(void) printf(_("\t\tModifying principal\n"));
+ if (vverbose) {
+ print_princ(&val->kdbe_val_t_u.av_mod_princ);
+ }
break;
case AT_MOD_TIME:
(void) printf(_("\t\tModification time\n"));
+ if (vverbose) {
+ print_time(&val->kdbe_val_t_u.av_mod_time);
+ }
break;
case AT_MOD_WHERE:
(void) printf(_("\t\tModified where\n"));
+ if (vverbose) {
+ print_str("where",
+ &val->kdbe_val_t_u.av_mod_where);
+ }
break;
- case AT_PW_LAST_CHANGE:
- (void) printf(_("\t\tPassword last changed\n"));
- break;
case AT_PW_POLICY:
(void) printf(_("\t\tPassword policy\n"));
+ if (vverbose) {
+ print_str("policy",
+ &val->kdbe_val_t_u.av_pw_policy);
+ }
break;
case AT_PW_POLICY_SWITCH:
(void) printf(_("\t\tPassword policy switch\n"));
+ if (vverbose) {
+ (void) printf("\t\t\t%d\n",
+ val->kdbe_val_t_u.av_pw_policy_switch);
+ }
break;
case AT_PW_HIST_KVNO:
(void) printf(_("\t\tPassword history KVNO\n"));
+ if (vverbose) {
+ (void) printf("\t\t\t%d\n",
+ val->kdbe_val_t_u.av_pw_hist_kvno);
+ }
break;
case AT_PW_HIST:
(void) printf(_("\t\tPassword history\n"));
+ if (vverbose) {
+ (void) printf("\t\t\tPW history elided\n");
+ }
break;
} /* switch */
@@ -107,7 +370,7 @@
* Print the update entry information
*/
static void
-print_update(kdb_hlog_t *ulog, uint32_t entry, bool_t verbose)
+print_update(kdb_hlog_t *ulog, uint32_t entry, unsigned int verbose)
{
XDR xdrs;
uint32_t start_sno, i, j, indx;
@@ -161,7 +424,7 @@
exit(1);
}
(void) strncpy(dbprinc, upd.kdb_princ_name.utf8str_t_val,
- (upd.kdb_princ_name.utf8str_t_len + 1));
+ upd.kdb_princ_name.utf8str_t_len);
dbprinc[upd.kdb_princ_name.utf8str_t_len] = 0;
(void) printf(_("\tUpdate principal : %s\n"), dbprinc);
@@ -182,8 +445,8 @@
if (verbose)
for (j = 0; j < upd.kdb_update.kdbe_t_len; j++)
- print_attr(
- upd.kdb_update.kdbe_t_val[j].av_type);
+ print_attr(&upd.kdb_update.kdbe_t_val[j],
+ verbose > 1 ? 1 : 0);
xdr_free(xdr_kdb_incr_update_t, (char *)&upd);
free(dbprinc);
@@ -194,7 +457,7 @@
main(int argc, char **argv)
{
int c;
- bool_t verbose = FALSE;
+ unsigned int verbose = 0;
bool_t headeronly = FALSE;
uint32_t entry = 0;
krb5_context context;
@@ -222,7 +485,7 @@
entry = atoi(optarg);
break;
case 'v':
- verbose = TRUE;
+ verbose++;
break;
default:
usage();
@@ -243,12 +506,12 @@
exit(1);
}
- (void) printf(_("\nKerberos update log (%s.ulog)\n"),
- params.dbname);
+ (void) printf(_("\nKerberos update log (%s)\n"),
+ params.iprop_logfile);
if (ulog_map(context, params.iprop_logfile, 0, FKPROPLOG, db_args)) {
- (void) fprintf(stderr, _("Unable to map log file "
- "%s.ulog\n\n"), params.dbname);
+ (void) fprintf(stderr, _("Unable to map log file %s\n\n"),
+ params.iprop_logfile);
exit(1);
}
@@ -256,8 +519,8 @@
if (log_ctx)
ulog = log_ctx->ulog;
else {
- (void) fprintf(stderr, _("Unable to map log file "
- "%s.ulog\n\n"), params.dbname);
+ (void) fprintf(stderr, _("Unable to map log file %s\n\n"),
+ params.iprop_logfile);
exit(1);
}
Modified: branches/mkey_migrate/src/tests/asn.1/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -4,6 +4,7 @@
BUILDTOP=$(REL)..$(S)..
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
+LDAP=@LDAP@
RUN_SETUP = @KRB5_RUN_ENV@
@@ -28,25 +29,43 @@
t_trval: t_trval.o
$(CC) -o t_trval $(ALL_CFLAGS) t_trval.o
-check:: krb5_decode_test krb5_encode_test
+check:: check-encode check-encode-trval check-decode
+
+check-decode: krb5_decode_test
KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; \
export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) ./krb5_decode_test
- $(RM) test.out
+
+expected_encode.out: reference_encode.out ldap_encode.out
+ if test "$(LDAP)" = yes; then \
+ cat $(srcdir)/reference_encode.out $(srcdir)/ldap_encode.out > expected_encode.out; \
+ else \
+ cat $(srcdir)/reference_encode.out > expected_encode.out; \
+ fi
+
+expected_trval.out: trval_reference.out ldap_trval.out
+ if test "$(LDAP)" = yes; then \
+ cat $(srcdir)/trval_reference.out $(srcdir)/ldap_trval.out > expected_trval.out; \
+ else \
+ cat $(srcdir)/trval_reference.out > expected_trval.out; \
+ fi
+
+check-encode: krb5_encode_test expected_encode.out
KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; \
export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) ./krb5_encode_test > test.out
- cmp test.out $(srcdir)/reference_encode.out
+ cmp test.out expected_encode.out
+
+check-encode-trval: krb5_encode_test expected_trval.out
KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; \
export KRB5_CONFIG ;\
- $(RUN_SETUP) $(VALGRIND) ./krb5_encode_test -t > test.out
- cmp test.out $(srcdir)/trval_reference.out
- $(RM) test.out
+ $(RUN_SETUP) $(VALGRIND) ./krb5_encode_test -t > trval.out
+ cmp trval.out expected_trval.out
install::
clean::
- rm -f *~ *.o krb5_encode_test krb5_decode_test test.out trval t_trval
+ rm -f *~ *.o krb5_encode_test krb5_decode_test test.out trval t_trval expected_encode.out expected_trval.out trval.out
################ Dependencies ################
@@ -59,51 +78,3 @@
#utility.h: krbasn1.h asn1buf.h
##############################################
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)krb5_encode_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h \
- $(SRCTOP)/lib/krb5/asn.1/krbasn1.h debug.h krb5_encode_test.c \
- ktest.h utility.h
-$(OUTPRE)ktest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h \
- $(SRCTOP)/lib/krb5/asn.1/krbasn1.h ktest.c ktest.h \
- utility.h
-$(OUTPRE)ktest_equal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h ktest_equal.c ktest_equal.h
-$(OUTPRE)utility.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h \
- $(SRCTOP)/lib/krb5/asn.1/krbasn1.h utility.c utility.h
-$(OUTPRE)trval.$(OBJEXT): trval.c
-$(OUTPRE)t_trval.$(OBJEXT): t_trval.c trval.c
Copied: branches/mkey_migrate/src/tests/asn.1/deps (from rev 21721, trunk/src/tests/asn.1/deps)
Modified: branches/mkey_migrate/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/krb5_decode_test.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/krb5_decode_test.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,237 +16,238 @@
void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val);
int main(argc, argv)
- int argc;
- char **argv;
+ int argc;
+ char **argv;
{
- krb5_data code;
- krb5_error_code retval;
+ krb5_data code;
+ krb5_error_code retval;
- retval = krb5_init_context(&test_context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
+ retval = krb5_init_context(&test_context);
+ if (retval) {
+ com_err(argv[0], retval, "while initializing krb5");
+ exit(1);
+ }
+ init_access(argv[0]);
-#define setup(type,typestring,constructor)\
- type ref, *var;\
- retval = constructor(&ref);\
- if(retval){\
- com_err("krb5_decode_test", retval, "while making sample %s", typestring);\
- exit(1);\
- }
+#define setup(type,typestring,constructor) \
+ type ref, *var; \
+ retval = constructor(&ref); \
+ if (retval) { \
+ com_err("krb5_decode_test", retval, "while making sample %s", typestring); \
+ exit(1); \
+ }
-#define decode_run(typestring,description,encoding,decoder,comparator,cleanup)\
- retval = krb5_data_hex_parse(&code,encoding);\
- if(retval){\
- com_err("krb5_decode_test", retval, "while parsing %s", typestring);\
- exit(1);\
- }\
- retval = decoder(&code,&var);\
- if(retval){\
- com_err("krb5_decode_test", retval, "while decoding %s", typestring);\
- error_count++;\
- }\
- test(comparator(&ref,var),typestring);\
- printf("%s\n",description);\
- krb5_free_data_contents(test_context, &code);\
+#define decode_run(typestring,description,encoding,decoder,comparator,cleanup) \
+ retval = krb5_data_hex_parse(&code,encoding); \
+ if (retval) { \
+ com_err("krb5_decode_test", retval, "while parsing %s", typestring); \
+ exit(1); \
+ } \
+ retval = decoder(&code,&var); \
+ if (retval) { \
+ com_err("krb5_decode_test", retval, "while decoding %s", typestring); \
+ error_count++; \
+ } \
+ test(comparator(&ref,var),typestring); \
+ printf("%s\n",description); \
+ krb5_free_data_contents(test_context, &code); \
cleanup(test_context, var);
- /****************************************************************/
- /* decode_krb5_authenticator */
- {
- setup(krb5_authenticator,"krb5_authenticator",ktest_make_sample_authenticator);
+ /****************************************************************/
+ /* decode_krb5_authenticator */
+ {
+ setup(krb5_authenticator,"krb5_authenticator",ktest_make_sample_authenticator);
- decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0xffffff80;
- decode_run("authenticator","(80 -> seq-number 0xffffff80)",
- "62 81 A1 30 81 9E"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 03 02 01 80"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0xffffff80;
+ decode_run("authenticator","(80 -> seq-number 0xffffff80)",
+ "62 81 A1 30 81 9E"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 03 02 01 80"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0xffffffff;
- decode_run("authenticator","(FF -> seq-number 0xffffffff)",
- "62 81 A1 30 81 9E"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 03 02 01 FF"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(FF -> seq-number 0xffffffff)",
+ "62 81 A1 30 81 9E"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 03 02 01 FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0xff;
- decode_run("authenticator","(00FF -> seq-number 0xff)",
- "62 81 A2 30 81 9F"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 04 02 02 00 FF"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0xff;
+ decode_run("authenticator","(00FF -> seq-number 0xff)",
+ "62 81 A2 30 81 9F"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 04 02 02 00 FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0xffffffff;
- decode_run("authenticator","(00FFFFFFFF -> seq-number 0xffffffff)",
- "62 81 A5 30 81 A2"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 07 02 05 00 FF FF FF FF"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(00FFFFFFFF -> seq-number 0xffffffff)",
+ "62 81 A5 30 81 A2"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 07 02 05 00 FF FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0x7fffffff;
- decode_run("authenticator","(7FFFFFFF -> seq-number 0x7fffffff)",
- "62 81 A4 30 81 A1"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 06 02 04 7F FF FF FF"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0x7fffffff;
+ decode_run("authenticator","(7FFFFFFF -> seq-number 0x7fffffff)",
+ "62 81 A4 30 81 A1"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 06 02 04 7F FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ref.seq_number = 0xffffffff;
- decode_run("authenticator","(FFFFFFFF -> seq-number 0xffffffff)",
- "62 81 A4 30 81 A1"
- " A0 03 02 01 05"
- " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
- " A2 1A 30 18"
- " A0 03 02 01 01"
- " A1 11 30 0F"
- " 1B 06 68 66 74 73 61 69"
- " 1B 05 65 78 74 72 61"
- " A3 0F 30 0D"
- " A0 03 02 01 01"
- " A1 06 04 04 31 32 33 34"
- " A4 05 02 03 01 E2 40"
- " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
- " A6 13 30 11"
- " A0 03 02 01 01"
- " A1 0A 04 08 31 32 33 34 35 36 37 38"
- " A7 06 02 04 FF FF FF FF"
- " A8 24 30 22"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- " 30 0F"
- " A0 03 02 01 01"
- " A1 08 04 06 66 6F 6F 62 61 72"
- ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(FFFFFFFF -> seq-number 0xffffffff)",
+ "62 81 A4 30 81 A1"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 06 02 04 FF FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ktest_destroy_checksum(&(ref.checksum));
- ktest_destroy_keyblock(&(ref.subkey));
- ref.seq_number = 0;
- ktest_empty_authorization_data(ref.authorization_data);
- decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ ktest_destroy_checksum(&(ref.checksum));
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ ktest_empty_authorization_data(ref.authorization_data);
+ decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ktest_destroy_authorization_data(&(ref.authorization_data));
+ ktest_destroy_authorization_data(&(ref.authorization_data));
- decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+ decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ktest_empty_authenticator(&ref);
- }
+ ktest_empty_authenticator(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_ticket */
- {
- setup(krb5_ticket,"krb5_ticket",ktest_make_sample_ticket);
- decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
- decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+ /****************************************************************/
+ /* decode_krb5_ticket */
+ {
+ setup(krb5_ticket,"krb5_ticket",ktest_make_sample_ticket);
+ decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+ decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
/*
"61 80 30 80 "
@@ -267,7 +268,7 @@
" 00 00 00 00"
"00 00 00 00"
*/
- decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+ decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
/*
"61 80 30 80 "
" A0 03 02 01 05 "
@@ -288,617 +289,628 @@
" A4 03 02 01 01 "
"00 00 00 00"
*/
- decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+ decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
- ktest_empty_ticket(&ref);
+ ktest_empty_ticket(&ref);
- }
+ }
- /****************************************************************/
- /* decode_krb5_encryption_key */
- {
- setup(krb5_keyblock,"krb5_keyblock",ktest_make_sample_keyblock);
+ /****************************************************************/
+ /* decode_krb5_encryption_key */
+ {
+ setup(krb5_keyblock,"krb5_keyblock",ktest_make_sample_keyblock);
- decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ref.enctype = -1;
- decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ref.enctype = -255;
- decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ref.enctype = 255;
- decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ref.enctype = -2147483648U;
- decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ref.enctype = 2147483647;
- decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ ref.enctype = -1;
+ decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ ref.enctype = -255;
+ decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ ref.enctype = 255;
+ decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ ref.enctype = -2147483648U;
+ decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ ref.enctype = 2147483647;
+ decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
- ktest_empty_keyblock(&ref);
- }
+ ktest_empty_keyblock(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_enc_tkt_part */
- {
- setup(krb5_enc_tkt_part,"krb5_enc_tkt_part",ktest_make_sample_enc_tkt_part);
- decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+ /****************************************************************/
+ /* decode_krb5_enc_tkt_part */
+ {
+ setup(krb5_enc_tkt_part,"krb5_enc_tkt_part",ktest_make_sample_enc_tkt_part);
+ decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- /* ref.times.starttime = 0; */
- ref.times.starttime = ref.times.authtime;
- ref.times.renew_till = 0;
- ktest_destroy_address(&(ref.caddrs[1]));
- ktest_destroy_address(&(ref.caddrs[0]));
- ktest_destroy_authdata(&(ref.authorization_data[1]));
- ktest_destroy_authdata(&(ref.authorization_data[0]));
- /* ISODE version fails on the empty caddrs field */
- ktest_destroy_addresses(&(ref.caddrs));
- ktest_destroy_authorization_data(&(ref.authorization_data));
+ /* ref.times.starttime = 0; */
+ ref.times.starttime = ref.times.authtime;
+ ref.times.renew_till = 0;
+ ktest_destroy_address(&(ref.caddrs[1]));
+ ktest_destroy_address(&(ref.caddrs[0]));
+ ktest_destroy_authdata(&(ref.authorization_data[1]));
+ ktest_destroy_authdata(&(ref.authorization_data[0]));
+ /* ISODE version fails on the empty caddrs field */
+ ktest_destroy_addresses(&(ref.caddrs));
+ ktest_destroy_authorization_data(&(ref.authorization_data));
- decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part, krb5_free_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part, krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- ref.flags &= 0xFFFFFF00;
+ ref.flags &= 0xFFFFFF00;
- decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- ktest_empty_enc_tkt_part(&ref);
- }
+ ktest_empty_enc_tkt_part(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_enc_kdc_rep_part */
- {
- setup(krb5_enc_kdc_rep_part,"krb5_enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part);
+ /****************************************************************/
+ /* decode_krb5_enc_kdc_rep_part */
+ {
+ setup(krb5_enc_kdc_rep_part,"krb5_enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part);
#ifdef KRB5_GENEROUS_LR_TYPE
- decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
#endif
- decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
- ref.key_exp = 0;
- /* ref.times.starttime = 0;*/
- ref.times.starttime = ref.times.authtime;
- ref.times.renew_till = 0;
- ref.flags &= ~TKT_FLG_RENEWABLE;
- ktest_destroy_addresses(&(ref.caddrs));
+ ref.key_exp = 0;
+ /* ref.times.starttime = 0;*/
+ ref.times.starttime = ref.times.authtime;
+ ref.times.renew_till = 0;
+ ref.flags &= ~TKT_FLG_RENEWABLE;
+ ktest_destroy_addresses(&(ref.caddrs));
#ifdef KRB5_GENEROUS_LR_TYPE
- decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
#endif
- decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
- ktest_empty_enc_kdc_rep_part(&ref);
- }
+ ktest_empty_enc_kdc_rep_part(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_as_rep */
- {
- setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
- ref.msg_type = KRB5_AS_REP;
+ /****************************************************************/
+ /* decode_krb5_as_rep */
+ {
+ setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
+ ref.msg_type = KRB5_AS_REP;
- decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
+ decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
/*
6B 80 30 80
- A0 03 02 01 05
- A1 03 02 01 0B
- A2 80 30 80
- 30 80
- A1 03 02 01 0D
- A2 09 04 07 70 61 2D 64 61 74 61
- 00 00
- 30 80
- A1 03 02 01 0D
- A2 09 04 07 70 61 2D 64 61 74 61
- 00 00
- 00 00 00 00
- A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
- A4 80 30 80
- A0 03 02 01 01
- A1 80 30 80
- 1B 06 68 66 74 73 61 69
- 1B 05 65 78 74 72 61
- 00 00 00 00
- 00 00 00 00
- A5 80 61 80 30 80
- A0 03 02 01 05
- A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
- A2 80 30 80
- A0 03 02 01 01
- A1 80 30 80
- 1B 06 68 66 74 73 61 69
- 1B 05 65 78 74 72 61
- 00 00 00 00
- 00 00 00 00
- A3 80 30 80
- A0 03 02 01 00
- A1 03 02 01 05
- A2 17 04 15 6B 72 62 41 53 4E 2E 31
- 20 74 65 73 74 20 6D 65
- 73 73 61 67 65
- 00 00 00 00
- 00 00 00 00 00 00
- A6 80 30 80
- A0 03 02 01 00
- A1 03 02 01 05
- A2 17 04 15 6B 72 62 41 53 4E 2E 31
- 20 74 65 73 74 20 6D 65
- 73 73 61 67 65
- 00 00 00 00
+ A0 03 02 01 05
+ A1 03 02 01 0B
+ A2 80 30 80
+ 30 80
+ A1 03 02 01 0D
+ A2 09 04 07 70 61 2D 64 61 74 61
+ 00 00
+ 30 80
+ A1 03 02 01 0D
+ A2 09 04 07 70 61 2D 64 61 74 61
+ 00 00
00 00 00 00
+ A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
+ A4 80 30 80
+ A0 03 02 01 01
+ A1 80 30 80
+ 1B 06 68 66 74 73 61 69
+ 1B 05 65 78 74 72 61
+ 00 00 00 00
+ 00 00 00 00
+ A5 80 61 80 30 80
+ A0 03 02 01 05
+ A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
+ A2 80 30 80
+ A0 03 02 01 01
+ A1 80 30 80
+ 1B 06 68 66 74 73 61 69
+ 1B 05 65 78 74 72 61
+ 00 00 00 00
+ 00 00 00 00
+ A3 80 30 80
+ A0 03 02 01 00
+ A1 03 02 01 05
+ A2 17 04 15 6B 72 62 41 53 4E 2E 31
+ 20 74 65 73 74 20 6D 65
+ 73 73 61 67 65
+ 00 00 00 00
+ 00 00 00 00 00 00
+ A6 80 30 80
+ A0 03 02 01 00
+ A1 03 02 01 05
+ A2 17 04 15 6B 72 62 41 53 4E 2E 31
+ 20 74 65 73 74 20 6D 65
+ 73 73 61 67 65
+ 00 00 00 00
+ 00 00 00 00
*/
- decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
- ktest_destroy_pa_data_array(&(ref.padata));
- decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
+ decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
+ ktest_destroy_pa_data_array(&(ref.padata));
+ decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
- ktest_empty_kdc_rep(&ref);
- }
+ ktest_empty_kdc_rep(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_tgs_rep */
- {
- setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
- ref.msg_type = KRB5_TGS_REP;
+ /****************************************************************/
+ /* decode_krb5_tgs_rep */
+ {
+ setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
+ ref.msg_type = KRB5_TGS_REP;
- decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
+ decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
- ktest_destroy_pa_data_array(&(ref.padata));
- decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
+ ktest_destroy_pa_data_array(&(ref.padata));
+ decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
- ktest_empty_kdc_rep(&ref);
- }
+ ktest_empty_kdc_rep(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_ap_req */
- {
- setup(krb5_ap_req,"krb5_ap_req",ktest_make_sample_ap_req);
- decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req,krb5_free_ap_req);
- ktest_empty_ap_req(&ref);
+ /****************************************************************/
+ /* decode_krb5_ap_req */
+ {
+ setup(krb5_ap_req,"krb5_ap_req",ktest_make_sample_ap_req);
+ decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req,krb5_free_ap_req);
+ ktest_empty_ap_req(&ref);
- }
+ }
- /****************************************************************/
- /* decode_krb5_ap_rep */
- {
- setup(krb5_ap_rep,"krb5_ap_rep",ktest_make_sample_ap_rep);
- decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep,krb5_free_ap_rep);
- ktest_empty_ap_rep(&ref);
- }
+ /****************************************************************/
+ /* decode_krb5_ap_rep */
+ {
+ setup(krb5_ap_rep,"krb5_ap_rep",ktest_make_sample_ap_rep);
+ decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep,krb5_free_ap_rep);
+ ktest_empty_ap_rep(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_ap_rep_enc_part */
- {
- setup(krb5_ap_rep_enc_part,"krb5_ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part);
+ /****************************************************************/
+ /* decode_krb5_ap_rep_enc_part */
+ {
+ setup(krb5_ap_rep_enc_part,"krb5_ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part);
- decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+ decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
- ktest_destroy_keyblock(&(ref.subkey));
- ref.seq_number = 0;
- decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
- ktest_empty_ap_rep_enc_part(&ref);
- }
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_as_req */
- {
- setup(krb5_kdc_req,"krb5_kdc_req",ktest_make_sample_kdc_req);
- ref.msg_type = KRB5_AS_REQ;
+ /****************************************************************/
+ /* decode_krb5_as_req */
+ {
+ setup(krb5_kdc_req,"krb5_kdc_req",ktest_make_sample_kdc_req);
+ ref.msg_type = KRB5_AS_REQ;
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4
D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 4
9 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
- ktest_destroy_pa_data_array(&(ref.padata));
- ktest_destroy_principal(&(ref.client));
+ ktest_destroy_pa_data_array(&(ref.padata));
+ ktest_destroy_principal(&(ref.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(ref.server));
+ ktest_destroy_principal(&(ref.server));
#endif
- ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- ref.from = 0;
- ref.rtime = 0;
- ktest_destroy_addresses(&(ref.addresses));
- ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
- ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
+ ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ ref.from = 0;
+ ref.rtime = 0;
+ ktest_destroy_addresses(&(ref.addresses));
+ ktest_destroy_enc_data(&(ref.authorization_data));
+ decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
+ ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(ref.server));
+ ktest_make_sample_principal(&(ref.server));
#endif
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
- ktest_empty_kdc_req(&ref);
+ ktest_empty_kdc_req(&ref);
- }
+ }
- /****************************************************************/
- /* decode_krb5_tgs_req */
- {
- setup(krb5_kdc_req,"krb5_kdc_req",ktest_make_sample_kdc_req);
- ref.msg_type = KRB5_TGS_REQ;
+ /****************************************************************/
+ /* decode_krb5_tgs_req */
+ {
+ setup(krb5_kdc_req,"krb5_kdc_req",ktest_make_sample_kdc_req);
+ ref.msg_type = KRB5_TGS_REQ;
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E
4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D
49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
- ktest_destroy_pa_data_array(&(ref.padata));
- ktest_destroy_principal(&(ref.client));
+ ktest_destroy_pa_data_array(&(ref.padata));
+ ktest_destroy_principal(&(ref.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(ref.server));
+ ktest_destroy_principal(&(ref.server));
#endif
- ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- ref.from = 0;
- ref.rtime = 0;
- ktest_destroy_addresses(&(ref.addresses));
- ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
+ ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ ref.from = 0;
+ ref.rtime = 0;
+ ktest_destroy_addresses(&(ref.addresses));
+ ktest_destroy_enc_data(&(ref.authorization_data));
+ decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
- ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
+ ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(ref.server));
+ ktest_make_sample_principal(&(ref.server));
#endif
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
- ktest_empty_kdc_req(&ref);
- }
+ ktest_empty_kdc_req(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_kdc_req_body */
- {
- krb5_kdc_req ref, *var;
- memset(&ref, 0, sizeof(krb5_kdc_req));
- retval = ktest_make_sample_kdc_req_body(&ref);
- if(retval){
- com_err("making sample kdc_req_body",retval,"");
- exit(1);
- }
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 3
1 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
+ /****************************************************************/
+ /* decode_krb5_kdc_req_body */
+ {
+ krb5_kdc_req ref, *var;
+ memset(&ref, 0, sizeof(krb5_kdc_req));
+ retval = ktest_make_sample_kdc_req_body(&ref);
+ if (retval) {
+ com_err("making sample kdc_req_body",retval,"");
+ exit(1);
+ }
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 2
0 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
- ktest_destroy_principal(&(ref.client));
+ ktest_destroy_principal(&(ref.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(ref.server));
+ ktest_destroy_principal(&(ref.server));
#endif
- ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- ref.from = 0;
- ref.rtime = 0;
- ktest_destroy_addresses(&(ref.addresses));
- ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
+ ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ ref.from = 0;
+ ref.rtime = 0;
+ ktest_destroy_addresses(&(ref.addresses));
+ ktest_destroy_enc_data(&(ref.authorization_data));
+ decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
- ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
+ ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(ref.server));
+ ktest_make_sample_principal(&(ref.server));
#endif
- ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
- ref.nktypes = 0;
- free(ref.ktype);
- ref.ktype = NULL;
- decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
+ ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
+ ref.nktypes = 0;
+ free(ref.ktype);
+ ref.ktype = NULL;
+ decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
- ktest_empty_kdc_req(&ref);
- }
+ ktest_empty_kdc_req(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_safe */
- {
- setup(krb5_safe,"krb5_safe",ktest_make_sample_safe);
- decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
+ /****************************************************************/
+ /* decode_krb5_safe */
+ {
+ setup(krb5_safe,"krb5_safe",ktest_make_sample_safe);
+ decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
- ref.timestamp = 0;
- ref.usec = 0;
- ref.seq_number = 0;
- ktest_destroy_address(&(ref.r_address));
- decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
+ ref.timestamp = 0;
+ ref.usec = 0;
+ ref.seq_number = 0;
+ ktest_destroy_address(&(ref.r_address));
+ decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
- ktest_empty_safe(&ref);
- }
+ ktest_empty_safe(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_priv */
- {
- setup(krb5_priv,"krb5_priv",ktest_make_sample_priv);
- decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv,krb5_free_priv);
- ktest_empty_priv(&ref);
- }
+ /****************************************************************/
+ /* decode_krb5_priv */
+ {
+ setup(krb5_priv,"krb5_priv",ktest_make_sample_priv);
+ decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv,krb5_free_priv);
+ ktest_empty_priv(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_enc_priv_part */
- {
- setup(krb5_priv_enc_part,"krb5_priv_enc_part",ktest_make_sample_priv_enc_part);
- decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
+ /****************************************************************/
+ /* decode_krb5_enc_priv_part */
+ {
+ setup(krb5_priv_enc_part,"krb5_priv_enc_part",ktest_make_sample_priv_enc_part);
+ decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
- ref.timestamp = 0;
- ref.usec = 0;
- ref.seq_number = 0;
- ktest_destroy_address(&(ref.r_address));
- decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
- ktest_empty_priv_enc_part(&ref);
- }
+ ref.timestamp = 0;
+ ref.usec = 0;
+ ref.seq_number = 0;
+ ktest_destroy_address(&(ref.r_address));
+ decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
+ ktest_empty_priv_enc_part(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_cred */
- {
- setup(krb5_cred,"krb5_cred",ktest_make_sample_cred);
- decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred,krb5_free_cred);
- ktest_empty_cred(&ref);
- }
+ /****************************************************************/
+ /* decode_krb5_cred */
+ {
+ setup(krb5_cred,"krb5_cred",ktest_make_sample_cred);
+ decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred,krb5_free_cred);
+ ktest_empty_cred(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_enc_cred_part */
- {
- setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part);
- decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78
74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
- /* free_cred_enc_part does not free the pointer */
- krb5_xfree(var);
- ktest_destroy_principal(&(ref.ticket_info[0]->client));
- ktest_destroy_principal(&(ref.ticket_info[0]->server));
- ref.ticket_info[0]->flags = 0;
- ref.ticket_info[0]->times.authtime = 0;
- ref.ticket_info[0]->times.starttime = 0;
- ref.ticket_info[0]->times.endtime = 0;
- ref.ticket_info[0]->times.renew_till = 0;
- ktest_destroy_addresses(&(ref.ticket_info[0]->caddrs));
- ref.nonce = 0;
- ref.timestamp = 0;
- ref.usec = 0;
- ktest_destroy_address(&(ref.s_address));
- ktest_destroy_address(&(ref.r_address));
- decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
- /* free_cred_enc_part does not free the pointer */
- krb5_xfree(var);
+ /****************************************************************/
+ /* decode_krb5_enc_cred_part */
+ {
+ setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part);
+ decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74
72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
+ /* free_cred_enc_part does not free the pointer */
+ krb5_xfree(var);
+ ktest_destroy_principal(&(ref.ticket_info[0]->client));
+ ktest_destroy_principal(&(ref.ticket_info[0]->server));
+ ref.ticket_info[0]->flags = 0;
+ ref.ticket_info[0]->times.authtime = 0;
+ ref.ticket_info[0]->times.starttime = 0;
+ ref.ticket_info[0]->times.endtime = 0;
+ ref.ticket_info[0]->times.renew_till = 0;
+ ktest_destroy_addresses(&(ref.ticket_info[0]->caddrs));
+ ref.nonce = 0;
+ ref.timestamp = 0;
+ ref.usec = 0;
+ ktest_destroy_address(&(ref.s_address));
+ ktest_destroy_address(&(ref.r_address));
+ decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
+ /* free_cred_enc_part does not free the pointer */
+ krb5_xfree(var);
- ktest_empty_cred_enc_part(&ref);
- }
+ ktest_empty_cred_enc_part(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_error */
- {
- setup(krb5_error,"krb5_error",ktest_make_sample_error);
- decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
+ /****************************************************************/
+ /* decode_krb5_error */
+ {
+ setup(krb5_error,"krb5_error",ktest_make_sample_error);
+ decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
- ref.ctime = 0;
- ktest_destroy_principal(&(ref.client));
- ktest_empty_data(&(ref.text));
- ktest_empty_data(&(ref.e_data));
- decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
+ ref.ctime = 0;
+ ktest_destroy_principal(&(ref.client));
+ ktest_empty_data(&(ref.text));
+ ktest_empty_data(&(ref.e_data));
+ decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
- ktest_empty_error(&ref);
- }
+ ktest_empty_error(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_authdata */
- {
- krb5_authdata **ref, **var;
- retval = ktest_make_sample_authorization_data(&ref);
- if(retval){
- com_err("making sample authorization_data",retval,"");
- exit(1);
+ /****************************************************************/
+ /* decode_krb5_authdata */
+ {
+ krb5_authdata **ref, **var;
+ retval = ktest_make_sample_authorization_data(&ref);
+ if (retval) {
+ com_err("making sample authorization_data",retval,"");
+ exit(1);
+ }
+ retval = krb5_data_hex_parse(&code,"30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72");
+ if (retval) {
+ com_err("parsing authorization_data",retval,"");
+ exit(1);
+ }
+ retval = decode_krb5_authdata(&code,&var);
+ if (retval) com_err("decoding authorization_data",retval,"");
+ test(ktest_equal_authorization_data(ref,var),"authorization_data\n")
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_authdata(test_context, var);
+ ktest_destroy_authorization_data(&ref);
}
- retval = krb5_data_hex_parse(&code,"30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72");
- if(retval){
- com_err("parsing authorization_data",retval,"");
- exit(1);
+
+ /****************************************************************/
+ /* decode_pwd_sequence */
+ {
+ setup(passwd_phrase_element,"passwd_phrase_element",ktest_make_sample_passwd_phrase_element);
+ decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element,krb5_ktest_free_pwd_sequence);
+ ktest_empty_passwd_phrase_element(&ref);
}
- retval = decode_krb5_authdata(&code,&var);
- if(retval) com_err("decoding authorization_data",retval,"");
- test(ktest_equal_authorization_data(ref,var),"authorization_data\n")
- krb5_free_data_contents(test_context, &code);
- krb5_free_authdata(test_context, var);
- ktest_destroy_authorization_data(&ref);
- }
-
- /****************************************************************/
- /* decode_pwd_sequence */
- {
- setup(passwd_phrase_element,"passwd_phrase_element",ktest_make_sample_passwd_phrase_element);
- decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element,krb5_ktest_free_pwd_sequence);
- ktest_empty_passwd_phrase_element(&ref);
- }
- /****************************************************************/
- /* decode_passwd_data */
- {
- setup(krb5_pwd_data,"krb5_pwd_data",ktest_make_sample_krb5_pwd_data);
- decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data,krb5_free_pwd_data);
- ktest_empty_pwd_data(&ref);
- }
+ /****************************************************************/
+ /* decode_passwd_data */
+ {
+ setup(krb5_pwd_data,"krb5_pwd_data",ktest_make_sample_krb5_pwd_data);
+ decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data,krb5_free_pwd_data);
+ ktest_empty_pwd_data(&ref);
+ }
- /****************************************************************/
- /* decode_krb5_padata_sequence */
- {
- krb5_pa_data **ref, **var;
- retval = ktest_make_sample_pa_data_array(&ref);
- if(retval){
- com_err("making sample pa_data array",retval,"");
- exit(1);
+ /****************************************************************/
+ /* decode_krb5_padata_sequence */
+ {
+ krb5_pa_data **ref, **var;
+ retval = ktest_make_sample_pa_data_array(&ref);
+ if (retval) {
+ com_err("making sample pa_data array",retval,"");
+ exit(1);
+ }
+ retval = krb5_data_hex_parse(&code,"30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61");
+ if (retval) {
+ com_err("parsing padata_sequence",retval,"");
+ exit(1);
+ }
+ retval = decode_krb5_padata_sequence(&code,&var);
+ if (retval) com_err("decoding padata_sequence",retval,"");
+ test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n");
+ krb5_free_pa_data(test_context, var);
+ krb5_free_data_contents(test_context, &code);
+ ktest_destroy_pa_data_array(&ref);
}
- retval = krb5_data_hex_parse(&code,"30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61");
- if(retval){
- com_err("parsing padata_sequence",retval,"");
- exit(1);
+
+ /****************************************************************/
+ /* decode_krb5_padata_sequence (empty) */
+ {
+ krb5_pa_data **ref, **var;
+ retval = ktest_make_sample_empty_pa_data_array(&ref);
+ if (retval) {
+ com_err("making sample empty pa_data array",retval,"");
+ exit(1);
+ }
+ retval = krb5_data_hex_parse(&code,"30 00");
+ if (retval) {
+ com_err("parsing padata_sequence (empty)",retval,"");
+ exit(1);
+ }
+ retval = decode_krb5_padata_sequence(&code,&var);
+ if (retval) com_err("decoding padata_sequence (empty)",retval,"");
+ test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n");
+ krb5_free_pa_data(test_context, var);
+ krb5_free_data_contents(test_context, &code);
+ ktest_destroy_pa_data_array(&ref);
}
- retval = decode_krb5_padata_sequence(&code,&var);
- if(retval) com_err("decoding padata_sequence",retval,"");
- test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n");
- krb5_free_pa_data(test_context, var);
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_pa_data_array(&ref);
- }
- /****************************************************************/
- /* decode_krb5_padata_sequence (empty) */
- {
- krb5_pa_data **ref, **var;
- retval = ktest_make_sample_empty_pa_data_array(&ref);
- if(retval){
- com_err("making sample empty pa_data array",retval,"");
- exit(1);
+ /****************************************************************/
+ /* decode_pwd_sequence */
+ {
+ setup(krb5_alt_method,"krb5_alt_method",ktest_make_sample_alt_method);
+ decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
+ ref.length = 0;
+ decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
+ ktest_empty_alt_method(&ref);
}
- retval = krb5_data_hex_parse(&code,"30 00");
- if(retval){
- com_err("parsing padata_sequence (empty)",retval,"");
- exit(1);
- }
- retval = decode_krb5_padata_sequence(&code,&var);
- if(retval) com_err("decoding padata_sequence (empty)",retval,"");
- test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n");
- krb5_free_pa_data(test_context, var);
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_pa_data_array(&ref);
- }
-
- /****************************************************************/
- /* decode_pwd_sequence */
- {
- setup(krb5_alt_method,"krb5_alt_method",ktest_make_sample_alt_method);
- decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
- ref.length = 0;
- decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
- ktest_empty_alt_method(&ref);
- }
- /****************************************************************/
- /* decode_etype_info */
- {
- krb5_etype_info ref, var;
+ /****************************************************************/
+ /* decode_etype_info */
+ {
+ krb5_etype_info ref, var;
- retval = ktest_make_sample_etype_info(&ref);
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while making sample etype info");
- exit(1);
- }
- retval = krb5_data_hex_parse(&code,"30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32");
- if(retval){
- com_err("krb5_decode_test", retval, "while parsing etype_info");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if(retval){
- com_err("krb5_decode_test", retval, "while decoding etype_info");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info\n");
+ retval = ktest_make_sample_etype_info(&ref);
+ if (retval) {
+ com_err("krb5_decode_test", retval,
+ "while making sample etype info");
+ exit(1);
+ }
+ retval = krb5_data_hex_parse(&code,"30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing etype_info");
+ exit(1);
+ }
+ retval = decode_krb5_etype_info(&code,&var);
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while decoding etype_info");
+ }
+ test(ktest_equal_etype_info(ref,var),"etype_info\n");
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0;
- ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0;
- krb5_free_data_contents(test_context, &code);
+ ktest_destroy_etype_info(var);
+ ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0;
+ ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0;
+ krb5_free_data_contents(test_context, &code);
- retval = krb5_data_hex_parse(&code,"30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30");
- if(retval){
- com_err("krb5_decode_test", retval,
- "while parsing etype_info (only one)");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if(retval){
- com_err("krb5_decode_test", retval,
- "while decoding etype_info (only one)");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info (only one)\n");
+ retval = krb5_data_hex_parse(&code,"30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30");
+ if (retval) {
+ com_err("krb5_decode_test", retval,
+ "while parsing etype_info (only one)");
+ exit(1);
+ }
+ retval = decode_krb5_etype_info(&code,&var);
+ if (retval) {
+ com_err("krb5_decode_test", retval,
+ "while decoding etype_info (only one)");
+ }
+ test(ktest_equal_etype_info(ref,var),"etype_info (only one)\n");
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info_entry(ref[0]); ref[0] = 0;
- krb5_free_data_contents(test_context, &code);
+ ktest_destroy_etype_info(var);
+ ktest_destroy_etype_info_entry(ref[0]); ref[0] = 0;
+ krb5_free_data_contents(test_context, &code);
- retval = krb5_data_hex_parse(&code,"30 00");
- if(retval){
- com_err("krb5_decode_test", retval,
- "while parsing etype_info (no info)");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if(retval){
- com_err("krb5_decode_test", retval,
- "while decoding etype_info (no info)");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info (no info)\n");
+ retval = krb5_data_hex_parse(&code,"30 00");
+ if (retval) {
+ com_err("krb5_decode_test", retval,
+ "while parsing etype_info (no info)");
+ exit(1);
+ }
+ retval = decode_krb5_etype_info(&code,&var);
+ if (retval) {
+ com_err("krb5_decode_test", retval,
+ "while decoding etype_info (no info)");
+ }
+ test(ktest_equal_etype_info(ref,var),"etype_info (no info)\n");
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info(ref);
- }
+ krb5_free_data_contents(test_context, &code);
+ ktest_destroy_etype_info(var);
+ ktest_destroy_etype_info(ref);
+ }
- /****************************************************************/
- /* decode_pa_enc_ts */
- {
- setup(krb5_pa_enc_ts,"krb5_pa_enc_ts",ktest_make_sample_pa_enc_ts);
- decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
- ref.pausec = 0;
- decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
- }
+ /****************************************************************/
+ /* decode_pa_enc_ts */
+ {
+ setup(krb5_pa_enc_ts,"krb5_pa_enc_ts",ktest_make_sample_pa_enc_ts);
+ decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
+ ref.pausec = 0;
+ decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
+ }
- /****************************************************************/
- /* decode_enc_data */
- {
- setup(krb5_enc_data,"krb5_enc_data",ktest_make_sample_enc_data);
- decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
- ktest_destroy_enc_data(&ref);
- }
+ /****************************************************************/
+ /* decode_enc_data */
+ {
+ setup(krb5_enc_data,"krb5_enc_data",ktest_make_sample_enc_data);
+ decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
+ ktest_destroy_enc_data(&ref);
+ }
- /****************************************************************/
- /* decode_sam_challenge */
- {
- setup(krb5_sam_challenge,"krb5_sam_challenge",ktest_make_sample_sam_challenge);
- decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
- ktest_empty_sam_challenge(&ref);
+ /****************************************************************/
+ /* decode_sam_challenge */
+ {
+ setup(krb5_sam_challenge,"krb5_sam_challenge",ktest_make_sample_sam_challenge);
+ decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
+ ktest_empty_sam_challenge(&ref);
- }
+ }
- /****************************************************************/
- /* decode_sam_challenge */
- {
- setup(krb5_sam_challenge,"krb5_sam_challenge - no optionals",ktest_make_sample_sam_challenge);
- decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
- ktest_empty_sam_challenge(&ref);
- }
+ /****************************************************************/
+ /* decode_sam_challenge */
+ {
+ setup(krb5_sam_challenge,"krb5_sam_challenge - no optionals",ktest_make_sample_sam_challenge);
+ decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
+ ktest_empty_sam_challenge(&ref);
+ }
- /****************************************************************/
- /* decode_sam_response */
- {
- setup(krb5_sam_response,"krb5_sam_response",ktest_make_sample_sam_response);
- decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response,krb5_free_sam_response);
+ /****************************************************************/
+ /* decode_sam_response */
+ {
+ setup(krb5_sam_response,"krb5_sam_response",ktest_make_sample_sam_response);
+ decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response,krb5_free_sam_response);
- ktest_empty_sam_response(&ref);
- }
+ ktest_empty_sam_response(&ref);
+ }
- krb5_free_context(test_context);
- exit(error_count);
- return(error_count);
+#ifdef ENABLE_LDAP
+ /* ldap sequence_of_keys */
+ {
+ setup(ldap_seqof_key_data,"ldap_seqof_key_data",
+ ktest_make_sample_ldap_seqof_key_data);
+ decode_run("ldap_seqof_key_data","","30 81 87 A0 03 02 01 01 A1 03 02 01 01 A2 03 02 01 2A A3 03 02 01 0E A4 71 30 6F 30 23 A0 10 30 0E A0 03 02 01 00 A1 07 04 05 73 61 6C 74 30 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 30 30 23 A0 10 30 0E A0 03 02 01 01 A1 07 04 05 73 61 6C 74 31 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 31 30 23 A0 10 30 0E A0 03 02 01 02 A1 07 04 05 73 61 6C 74 32 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 32",acc.asn1_ldap_decode_sequence_of_keys,ktest_equal_ldap_sequence_of_keys,ktest_empty_ldap_seqof_key_data);
+ ktest_empty_ldap_seqof_key_data(test_context, &ref);
+ }
+
+#endif
+
+ krb5_free_context(test_context);
+ exit(error_count);
+ return(error_count);
}
void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val)
{
- if (val->data)
- krb5_xfree(val->data);
- krb5_xfree(val);
+ if (val->data)
+ krb5_xfree(val->data);
+ krb5_xfree(val);
}
void krb5_ktest_free_pwd_sequence(krb5_context context,
passwd_phrase_element *val)
{
- krb5_free_data(context, val->passwd);
- krb5_free_data(context, val->phrase);
- krb5_xfree(val);
+ krb5_free_data(context, val->passwd);
+ krb5_free_data(context, val->phrase);
+ krb5_xfree(val);
}
void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val)
{
- if(val) {
- krb5_free_data_contents(context, &(val->ciphertext));
- free(val);
- }
+ if (val) {
+ krb5_free_data_contents(context, &(val->ciphertext));
+ free(val);
+ }
}
Modified: branches/mkey_migrate/src/tests/asn.1/krb5_encode_test.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/krb5_encode_test.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/krb5_encode_test.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,666 +16,698 @@
int trval2();
static void encoder_print_results(code, typestring, description)
- krb5_data *code;
- char *typestring;
- char *description;
+ krb5_data *code;
+ char *typestring;
+ char *description;
{
- char *code_string = NULL;
- krb5_error_code retval;
- int r, rlen;
+ char *code_string = NULL;
+ krb5_error_code retval;
+ int r, rlen;
- if (do_trval) {
- printf("encode_krb5_%s%s:\n", typestring, description);
- r = trval2(stdout, code->data, code->length, 0, &rlen);
- printf("\n\n");
- if (rlen != code->length) {
- printf("Error: length mismatch: was %d, parsed %d\n",
- code->length, rlen);
- exit(1);
- }
- if (r != 0) {
- printf("Error: Return from trval2 is %d.\n", r);
- exit(1);
- }
- current_appl_type = -1; /* Reset type */
- } else {
- retval = asn1_krb5_data_unparse(code,&(code_string));
- if(retval) {
- com_err("krb5_encode_test", retval ,
- "while unparsing %s", typestring);
- exit(1);
- }
- printf("encode_krb5_%s%s: %s\n", typestring, description,
- code_string);
- free(code_string);
+ if (do_trval) {
+ printf("encode_krb5_%s%s:\n", typestring, description);
+ r = trval2(stdout, code->data, code->length, 0, &rlen);
+ printf("\n\n");
+ if (rlen < 0 || (unsigned int) rlen != code->length) {
+ printf("Error: length mismatch: was %d, parsed %d\n",
+ code->length, rlen);
+ exit(1);
}
- ktest_destroy_data(&code);
+ if (r != 0) {
+ printf("Error: Return from trval2 is %d.\n", r);
+ exit(1);
+ }
+ current_appl_type = -1; /* Reset type */
+ } else {
+ retval = asn1_krb5_data_unparse(code,&(code_string));
+ if (retval) {
+ com_err("krb5_encode_test", retval ,
+ "while unparsing %s", typestring);
+ exit(1);
+ }
+ printf("encode_krb5_%s%s: %s\n", typestring, description,
+ code_string);
+ free(code_string);
+ }
+ ktest_destroy_data(&code);
}
static void PRS(argc, argv)
- int argc;
- char **argv;
+ int argc;
+ char **argv;
{
- extern char *optarg;
- int optchar;
- extern int print_types, print_krb5_types, print_id_and_len,
- print_constructed_length, print_skip_context,
- print_skip_tagnum, print_context_shortcut;
+ extern char *optarg;
+ int optchar;
+ extern int print_types, print_krb5_types, print_id_and_len,
+ print_constructed_length, print_skip_context,
+ print_skip_tagnum, print_context_shortcut;
- while ((optchar = getopt(argc, argv, "tp:")) != -1) {
- switch(optchar) {
- case 't':
- do_trval = 1;
- break;
- case 'p':
- sample_principal_name = optarg;
- break;
- case '?':
- default:
- fprintf(stderr, "Usage: %s [-t] [-p principal]\n",
- argv[0]);
- exit(1);
- }
+ while ((optchar = getopt(argc, argv, "tp:")) != -1) {
+ switch(optchar) {
+ case 't':
+ do_trval = 1;
+ break;
+ case 'p':
+ sample_principal_name = optarg;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Usage: %s [-t] [-p principal]\n",
+ argv[0]);
+ exit(1);
}
- print_types = 1;
- print_krb5_types = 1;
- print_id_and_len = 0;
- print_constructed_length = 0;
- print_skip_context = 1;
- print_skip_tagnum = 1;
- print_context_shortcut = 1;
+ }
+ print_types = 1;
+ print_krb5_types = 1;
+ print_id_and_len = 0;
+ print_constructed_length = 0;
+ print_skip_context = 1;
+ print_skip_tagnum = 1;
+ print_context_shortcut = 1;
}
int
main(argc, argv)
- int argc;
- char **argv;
+ int argc;
+ char **argv;
{
- krb5_data *code;
- krb5_error_code retval;
+ krb5_data *code;
+ krb5_error_code retval;
- PRS(argc, argv);
+ PRS(argc, argv);
- retval = krb5_init_context(&test_context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
+ retval = krb5_init_context(&test_context);
+ if (retval) {
+ com_err(argv[0], retval, "while initializing krb5");
+ exit(1);
+ }
+ init_access(argv[0]);
-#define setup(value,type,typestring,constructor)\
- retval = constructor(&(value));\
- if(retval){\
- com_err("krb5_encode_test", retval, "while making sample %s", typestring);\
- exit(1);\
- }
+#define setup(value,type,typestring,constructor) \
+ retval = constructor(&(value)); \
+ if (retval) { \
+ com_err("krb5_encode_test", retval, "while making sample %s", typestring); \
+ exit(1); \
+ }
-#define encode_run(value,type,typestring,description,encoder)\
- retval = encoder(&(value),&(code));\
- if(retval){\
- com_err("krb5_encode_test", retval,"while encoding %s", typestring);\
- exit(1);\
- }\
- encoder_print_results(code, typestring, description);
+#define encode_run(value,type,typestring,description,encoder) \
+ retval = encoder(&(value),&(code)); \
+ if (retval) { \
+ com_err("krb5_encode_test", retval,"while encoding %s", typestring); \
+ exit(1); \
+ } \
+ encoder_print_results(code, typestring, description);
- /****************************************************************/
- /* encode_krb5_authenticator */
- {
- krb5_authenticator authent;
- setup(authent,authenticator,"authenticator",ktest_make_sample_authenticator);
+ /****************************************************************/
+ /* encode_krb5_authenticator */
+ {
+ krb5_authenticator authent;
+ setup(authent,authenticator,"authenticator",ktest_make_sample_authenticator);
- encode_run(authent,authenticator,"authenticator","",encode_krb5_authenticator);
+ encode_run(authent,authenticator,"authenticator","",encode_krb5_authenticator);
- ktest_destroy_checksum(&(authent.checksum));
- ktest_destroy_keyblock(&(authent.subkey));
- authent.seq_number = 0;
- ktest_empty_authorization_data(authent.authorization_data);
- encode_run(authent,authenticator,"authenticator","(optionals empty)",encode_krb5_authenticator);
+ ktest_destroy_checksum(&(authent.checksum));
+ ktest_destroy_keyblock(&(authent.subkey));
+ authent.seq_number = 0;
+ ktest_empty_authorization_data(authent.authorization_data);
+ encode_run(authent,authenticator,"authenticator","(optionals empty)",encode_krb5_authenticator);
- ktest_destroy_authorization_data(&(authent.authorization_data));
- encode_run(authent,authenticator,"authenticator","(optionals NULL)",encode_krb5_authenticator);
- ktest_empty_authenticator(&authent);
- }
+ ktest_destroy_authorization_data(&(authent.authorization_data));
+ encode_run(authent,authenticator,"authenticator","(optionals NULL)",encode_krb5_authenticator);
+ ktest_empty_authenticator(&authent);
+ }
- /****************************************************************/
- /* encode_krb5_ticket */
- {
- krb5_ticket tkt;
- setup(tkt,ticket,"ticket",ktest_make_sample_ticket);
- encode_run(tkt,ticket,"ticket","",encode_krb5_ticket);
- ktest_empty_ticket(&tkt);
- }
+ /****************************************************************/
+ /* encode_krb5_ticket */
+ {
+ krb5_ticket tkt;
+ setup(tkt,ticket,"ticket",ktest_make_sample_ticket);
+ encode_run(tkt,ticket,"ticket","",encode_krb5_ticket);
+ ktest_empty_ticket(&tkt);
+ }
- /****************************************************************/
- /* encode_krb5_encryption_key */
- {
- krb5_keyblock keyblk;
- setup(keyblk,keyblock,"keyblock",ktest_make_sample_keyblock);
- current_appl_type = 1005;
- encode_run(keyblk,keyblock,"keyblock","",encode_krb5_encryption_key);
- ktest_empty_keyblock(&keyblk);
- }
+ /****************************************************************/
+ /* encode_krb5_encryption_key */
+ {
+ krb5_keyblock keyblk;
+ setup(keyblk,keyblock,"keyblock",ktest_make_sample_keyblock);
+ current_appl_type = 1005;
+ encode_run(keyblk,keyblock,"keyblock","",encode_krb5_encryption_key);
+ ktest_empty_keyblock(&keyblk);
+ }
- /****************************************************************/
- /* encode_krb5_enc_tkt_part */
- {
- krb5_ticket tkt;
- memset(&tkt, 0, sizeof(krb5_ticket));
- tkt.enc_part2 = (krb5_enc_tkt_part*)calloc(1,sizeof(krb5_enc_tkt_part));
- if(tkt.enc_part2 == NULL) com_err("allocating enc_tkt_part",errno,"");
- setup(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part",ktest_make_sample_enc_tkt_part);
+ /****************************************************************/
+ /* encode_krb5_enc_tkt_part */
+ {
+ krb5_ticket tkt;
+ memset(&tkt, 0, sizeof(krb5_ticket));
+ tkt.enc_part2 = (krb5_enc_tkt_part*)calloc(1,sizeof(krb5_enc_tkt_part));
+ if (tkt.enc_part2 == NULL) com_err("allocating enc_tkt_part",errno,"");
+ setup(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part",ktest_make_sample_enc_tkt_part);
- encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","",encode_krb5_enc_tkt_part);
+ encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","",encode_krb5_enc_tkt_part);
- tkt.enc_part2->times.starttime = 0;
- tkt.enc_part2->times.renew_till = 0;
- ktest_destroy_address(&(tkt.enc_part2->caddrs[1]));
- ktest_destroy_address(&(tkt.enc_part2->caddrs[0]));
- ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[1]));
- ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[0]));
+ tkt.enc_part2->times.starttime = 0;
+ tkt.enc_part2->times.renew_till = 0;
+ ktest_destroy_address(&(tkt.enc_part2->caddrs[1]));
+ ktest_destroy_address(&(tkt.enc_part2->caddrs[0]));
+ ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[1]));
+ ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[0]));
- /* ISODE version fails on the empty caddrs field */
- ktest_destroy_addresses(&(tkt.enc_part2->caddrs));
- ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data));
+ /* ISODE version fails on the empty caddrs field */
+ ktest_destroy_addresses(&(tkt.enc_part2->caddrs));
+ ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data));
- encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","(optionals NULL)",encode_krb5_enc_tkt_part);
- ktest_empty_ticket(&tkt);
- }
+ encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","(optionals NULL)",encode_krb5_enc_tkt_part);
+ ktest_empty_ticket(&tkt);
+ }
- /****************************************************************/
- /* encode_krb5_enc_kdc_rep_part */
- {
- krb5_kdc_rep kdcr;
+ /****************************************************************/
+ /* encode_krb5_enc_kdc_rep_part */
+ {
+ krb5_kdc_rep kdcr;
- memset(&kdcr, 0, sizeof(kdcr));
+ memset(&kdcr, 0, sizeof(kdcr));
- kdcr.enc_part2 = (krb5_enc_kdc_rep_part*)
- calloc(1,sizeof(krb5_enc_kdc_rep_part));
- if(kdcr.enc_part2 == NULL) com_err("allocating enc_kdc_rep_part",errno,"");
- setup(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part);
+ kdcr.enc_part2 = (krb5_enc_kdc_rep_part*)
+ calloc(1,sizeof(krb5_enc_kdc_rep_part));
+ if (kdcr.enc_part2 == NULL) com_err("allocating enc_kdc_rep_part",errno,"");
+ setup(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part);
- encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","",encode_krb5_enc_kdc_rep_part);
+ encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","",encode_krb5_enc_kdc_rep_part);
- kdcr.enc_part2->key_exp = 0;
- kdcr.enc_part2->times.starttime = 0;
- kdcr.enc_part2->flags &= ~TKT_FLG_RENEWABLE;
- ktest_destroy_addresses(&(kdcr.enc_part2->caddrs));
+ kdcr.enc_part2->key_exp = 0;
+ kdcr.enc_part2->times.starttime = 0;
+ kdcr.enc_part2->flags &= ~TKT_FLG_RENEWABLE;
+ ktest_destroy_addresses(&(kdcr.enc_part2->caddrs));
- encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","(optionals NULL)",encode_krb5_enc_kdc_rep_part);
+ encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","(optionals NULL)",encode_krb5_enc_kdc_rep_part);
- ktest_empty_kdc_rep(&kdcr);
- }
+ ktest_empty_kdc_rep(&kdcr);
+ }
- /****************************************************************/
- /* encode_krb5_as_rep */
- {
- krb5_kdc_rep kdcr;
- setup(kdcr,kdc_rep,"kdc_rep",ktest_make_sample_kdc_rep);
+ /****************************************************************/
+ /* encode_krb5_as_rep */
+ {
+ krb5_kdc_rep kdcr;
+ setup(kdcr,kdc_rep,"kdc_rep",ktest_make_sample_kdc_rep);
/* kdcr.msg_type = KRB5_TGS_REP;
- test(encode_krb5_as_rep(&kdcr,&code) == KRB5_BADMSGTYPE,
- "encode_krb5_as_rep type check\n");
- ktest_destroy_data(&code);*/
+ test(encode_krb5_as_rep(&kdcr,&code) == KRB5_BADMSGTYPE,
+ "encode_krb5_as_rep type check\n");
+ ktest_destroy_data(&code);*/
- kdcr.msg_type = KRB5_AS_REP;
- encode_run(kdcr,as_rep,"as_rep","",encode_krb5_as_rep);
+ kdcr.msg_type = KRB5_AS_REP;
+ encode_run(kdcr,as_rep,"as_rep","",encode_krb5_as_rep);
- ktest_destroy_pa_data_array(&(kdcr.padata));
- encode_run(kdcr,as_rep,"as_rep","(optionals NULL)",encode_krb5_as_rep);
+ ktest_destroy_pa_data_array(&(kdcr.padata));
+ encode_run(kdcr,as_rep,"as_rep","(optionals NULL)",encode_krb5_as_rep);
- ktest_empty_kdc_rep(&kdcr);
+ ktest_empty_kdc_rep(&kdcr);
- }
+ }
- /****************************************************************/
- /* encode_krb5_tgs_rep */
- {
- krb5_kdc_rep kdcr;
- setup(kdcr,kdc_rep,"kdc_rep",ktest_make_sample_kdc_rep);
+ /****************************************************************/
+ /* encode_krb5_tgs_rep */
+ {
+ krb5_kdc_rep kdcr;
+ setup(kdcr,kdc_rep,"kdc_rep",ktest_make_sample_kdc_rep);
/* kdcr.msg_type = KRB5_AS_REP;
- test(encode_krb5_tgs_rep(&kdcr,&code) == KRB5_BADMSGTYPE,
- "encode_krb5_tgs_rep type check\n");*/
+ test(encode_krb5_tgs_rep(&kdcr,&code) == KRB5_BADMSGTYPE,
+ "encode_krb5_tgs_rep type check\n");*/
- kdcr.msg_type = KRB5_TGS_REP;
- encode_run(kdcr,tgs_rep,"tgs_rep","",encode_krb5_tgs_rep);
+ kdcr.msg_type = KRB5_TGS_REP;
+ encode_run(kdcr,tgs_rep,"tgs_rep","",encode_krb5_tgs_rep);
- ktest_destroy_pa_data_array(&(kdcr.padata));
- encode_run(kdcr,tgs_rep,"tgs_rep","(optionals NULL)",encode_krb5_tgs_rep);
+ ktest_destroy_pa_data_array(&(kdcr.padata));
+ encode_run(kdcr,tgs_rep,"tgs_rep","(optionals NULL)",encode_krb5_tgs_rep);
- ktest_empty_kdc_rep(&kdcr);
+ ktest_empty_kdc_rep(&kdcr);
- }
+ }
- /****************************************************************/
- /* encode_krb5_ap_req */
- {
- krb5_ap_req apreq;
- setup(apreq,ap_req,"ap_req",ktest_make_sample_ap_req);
- encode_run(apreq,ap_req,"ap_req","",encode_krb5_ap_req);
- ktest_empty_ap_req(&apreq);
- }
+ /****************************************************************/
+ /* encode_krb5_ap_req */
+ {
+ krb5_ap_req apreq;
+ setup(apreq,ap_req,"ap_req",ktest_make_sample_ap_req);
+ encode_run(apreq,ap_req,"ap_req","",encode_krb5_ap_req);
+ ktest_empty_ap_req(&apreq);
+ }
- /****************************************************************/
- /* encode_krb5_ap_rep */
- {
- krb5_ap_rep aprep;
- setup(aprep,ap_rep,"ap_rep",ktest_make_sample_ap_rep);
- encode_run(aprep,ap_rep,"ap_rep","",encode_krb5_ap_rep);
- ktest_empty_ap_rep(&aprep);
- }
+ /****************************************************************/
+ /* encode_krb5_ap_rep */
+ {
+ krb5_ap_rep aprep;
+ setup(aprep,ap_rep,"ap_rep",ktest_make_sample_ap_rep);
+ encode_run(aprep,ap_rep,"ap_rep","",encode_krb5_ap_rep);
+ ktest_empty_ap_rep(&aprep);
+ }
- /****************************************************************/
- /* encode_krb5_ap_rep_enc_part */
- {
- krb5_ap_rep_enc_part apenc;
- setup(apenc,ap_rep_enc_part,"ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part);
- encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","",encode_krb5_ap_rep_enc_part);
+ /****************************************************************/
+ /* encode_krb5_ap_rep_enc_part */
+ {
+ krb5_ap_rep_enc_part apenc;
+ setup(apenc,ap_rep_enc_part,"ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part);
+ encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","",encode_krb5_ap_rep_enc_part);
- ktest_destroy_keyblock(&(apenc.subkey));
- apenc.seq_number = 0;
- encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","(optionals NULL)",encode_krb5_ap_rep_enc_part);
- ktest_empty_ap_rep_enc_part(&apenc);
- }
+ ktest_destroy_keyblock(&(apenc.subkey));
+ apenc.seq_number = 0;
+ encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","(optionals NULL)",encode_krb5_ap_rep_enc_part);
+ ktest_empty_ap_rep_enc_part(&apenc);
+ }
- /****************************************************************/
- /* encode_krb5_as_req */
- {
- krb5_kdc_req asreq;
- setup(asreq,kdc_req,"kdc_req",ktest_make_sample_kdc_req);
- asreq.msg_type = KRB5_AS_REQ;
- asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- encode_run(asreq,as_req,"as_req","",encode_krb5_as_req);
+ /****************************************************************/
+ /* encode_krb5_as_req */
+ {
+ krb5_kdc_req asreq;
+ setup(asreq,kdc_req,"kdc_req",ktest_make_sample_kdc_req);
+ asreq.msg_type = KRB5_AS_REQ;
+ asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ encode_run(asreq,as_req,"as_req","",encode_krb5_as_req);
- ktest_destroy_pa_data_array(&(asreq.padata));
- ktest_destroy_principal(&(asreq.client));
+ ktest_destroy_pa_data_array(&(asreq.padata));
+ ktest_destroy_principal(&(asreq.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(asreq.server));
+ ktest_destroy_principal(&(asreq.server));
#endif
- asreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- asreq.from = 0;
- asreq.rtime = 0;
- ktest_destroy_addresses(&(asreq.addresses));
- ktest_destroy_enc_data(&(asreq.authorization_data));
- encode_run(asreq,as_req,"as_req","(optionals NULL except second_ticket)",encode_krb5_as_req);
- ktest_destroy_sequence_of_ticket(&(asreq.second_ticket));
+ asreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ asreq.from = 0;
+ asreq.rtime = 0;
+ ktest_destroy_addresses(&(asreq.addresses));
+ ktest_destroy_enc_data(&(asreq.authorization_data));
+ encode_run(asreq,as_req,"as_req","(optionals NULL except second_ticket)",encode_krb5_as_req);
+ ktest_destroy_sequence_of_ticket(&(asreq.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(asreq.server));
+ ktest_make_sample_principal(&(asreq.server));
#endif
- asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- encode_run(asreq,as_req,"as_req","(optionals NULL except server)",encode_krb5_as_req);
- ktest_empty_kdc_req(&asreq);
- }
+ asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ encode_run(asreq,as_req,"as_req","(optionals NULL except server)",encode_krb5_as_req);
+ ktest_empty_kdc_req(&asreq);
+ }
- /****************************************************************/
- /* encode_krb5_tgs_req */
- {
- krb5_kdc_req tgsreq;
- setup(tgsreq,kdc_req,"kdc_req",ktest_make_sample_kdc_req);
- tgsreq.msg_type = KRB5_TGS_REQ;
- tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- encode_run(tgsreq,tgs_req,"tgs_req","",encode_krb5_tgs_req);
+ /****************************************************************/
+ /* encode_krb5_tgs_req */
+ {
+ krb5_kdc_req tgsreq;
+ setup(tgsreq,kdc_req,"kdc_req",ktest_make_sample_kdc_req);
+ tgsreq.msg_type = KRB5_TGS_REQ;
+ tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ encode_run(tgsreq,tgs_req,"tgs_req","",encode_krb5_tgs_req);
- ktest_destroy_pa_data_array(&(tgsreq.padata));
- ktest_destroy_principal(&(tgsreq.client));
+ ktest_destroy_pa_data_array(&(tgsreq.padata));
+ ktest_destroy_principal(&(tgsreq.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(tgsreq.server));
+ ktest_destroy_principal(&(tgsreq.server));
#endif
- tgsreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- tgsreq.from = 0;
- tgsreq.rtime = 0;
- ktest_destroy_addresses(&(tgsreq.addresses));
- ktest_destroy_enc_data(&(tgsreq.authorization_data));
- encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except second_ticket)",encode_krb5_tgs_req);
+ tgsreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ tgsreq.from = 0;
+ tgsreq.rtime = 0;
+ ktest_destroy_addresses(&(tgsreq.addresses));
+ ktest_destroy_enc_data(&(tgsreq.authorization_data));
+ encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except second_ticket)",encode_krb5_tgs_req);
- ktest_destroy_sequence_of_ticket(&(tgsreq.second_ticket));
+ ktest_destroy_sequence_of_ticket(&(tgsreq.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(tgsreq.server));
+ ktest_make_sample_principal(&(tgsreq.server));
#endif
- tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except server)",encode_krb5_tgs_req);
+ tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except server)",encode_krb5_tgs_req);
- ktest_empty_kdc_req(&tgsreq);
- }
+ ktest_empty_kdc_req(&tgsreq);
+ }
- /****************************************************************/
- /* encode_krb5_kdc_req_body */
- {
- krb5_kdc_req kdcrb;
- memset(&kdcrb, 0, sizeof(kdcrb));
- setup(kdcrb,kdc_req_body,"kdc_req_body",ktest_make_sample_kdc_req_body);
- kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- current_appl_type = 1007; /* Force interpretation as kdc-req-body */
- encode_run(kdcrb,kdc_req_body,"kdc_req_body","",encode_krb5_kdc_req_body);
+ /****************************************************************/
+ /* encode_krb5_kdc_req_body */
+ {
+ krb5_kdc_req kdcrb;
+ memset(&kdcrb, 0, sizeof(kdcrb));
+ setup(kdcrb,kdc_req_body,"kdc_req_body",ktest_make_sample_kdc_req_body);
+ kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ current_appl_type = 1007; /* Force interpretation as kdc-req-body */
+ encode_run(kdcrb,kdc_req_body,"kdc_req_body","",encode_krb5_kdc_req_body);
- ktest_destroy_principal(&(kdcrb.client));
+ ktest_destroy_principal(&(kdcrb.client));
#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(kdcrb.server));
+ ktest_destroy_principal(&(kdcrb.server));
#endif
- kdcrb.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- kdcrb.from = 0;
- kdcrb.rtime = 0;
- ktest_destroy_addresses(&(kdcrb.addresses));
- ktest_destroy_enc_data(&(kdcrb.authorization_data));
- current_appl_type = 1007; /* Force interpretation as kdc-req-body */
- encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except second_ticket)",encode_krb5_kdc_req_body);
+ kdcrb.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
+ kdcrb.from = 0;
+ kdcrb.rtime = 0;
+ ktest_destroy_addresses(&(kdcrb.addresses));
+ ktest_destroy_enc_data(&(kdcrb.authorization_data));
+ current_appl_type = 1007; /* Force interpretation as kdc-req-body */
+ encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except second_ticket)",encode_krb5_kdc_req_body);
- ktest_destroy_sequence_of_ticket(&(kdcrb.second_ticket));
+ ktest_destroy_sequence_of_ticket(&(kdcrb.second_ticket));
#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(kdcrb.server));
+ ktest_make_sample_principal(&(kdcrb.server));
#endif
- kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- current_appl_type = 1007; /* Force interpretation as kdc-req-body */
- encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except server)",encode_krb5_kdc_req_body);
+ kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
+ current_appl_type = 1007; /* Force interpretation as kdc-req-body */
+ encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except server)",encode_krb5_kdc_req_body);
- ktest_empty_kdc_req(&kdcrb);
- }
+ ktest_empty_kdc_req(&kdcrb);
+ }
- /****************************************************************/
- /* encode_krb5_safe */
- {
- krb5_safe s;
- setup(s,safe,"safe",ktest_make_sample_safe);
- encode_run(s,safe,"safe","",encode_krb5_safe);
+ /****************************************************************/
+ /* encode_krb5_safe */
+ {
+ krb5_safe s;
+ setup(s,safe,"safe",ktest_make_sample_safe);
+ encode_run(s,safe,"safe","",encode_krb5_safe);
- s.timestamp = 0;
- /* s.usec should be opted out by the timestamp */
- s.seq_number = 0;
- ktest_destroy_address(&(s.r_address));
- encode_run(s,safe,"safe","(optionals NULL)",encode_krb5_safe);
+ s.timestamp = 0;
+ /* s.usec should be opted out by the timestamp */
+ s.seq_number = 0;
+ ktest_destroy_address(&(s.r_address));
+ encode_run(s,safe,"safe","(optionals NULL)",encode_krb5_safe);
- ktest_empty_safe(&s);
- }
+ ktest_empty_safe(&s);
+ }
- /****************************************************************/
- /* encode_krb5_priv */
- {
- krb5_priv p;
- setup(p,priv,"priv",ktest_make_sample_priv);
- encode_run(p,priv,"priv","",encode_krb5_priv);
- ktest_empty_priv(&p);
- }
+ /****************************************************************/
+ /* encode_krb5_priv */
+ {
+ krb5_priv p;
+ setup(p,priv,"priv",ktest_make_sample_priv);
+ encode_run(p,priv,"priv","",encode_krb5_priv);
+ ktest_empty_priv(&p);
+ }
- /****************************************************************/
- /* encode_krb5_enc_priv_part */
- {
- krb5_priv_enc_part ep;
- setup(ep,priv_enc_part,"priv_enc_part",ktest_make_sample_priv_enc_part);
- encode_run(ep,enc_priv_part,"enc_priv_part","",encode_krb5_enc_priv_part);
+ /****************************************************************/
+ /* encode_krb5_enc_priv_part */
+ {
+ krb5_priv_enc_part ep;
+ setup(ep,priv_enc_part,"priv_enc_part",ktest_make_sample_priv_enc_part);
+ encode_run(ep,enc_priv_part,"enc_priv_part","",encode_krb5_enc_priv_part);
- ep.timestamp = 0;
- /* ep.usec should be opted out along with timestamp */
- ep.seq_number = 0;
- ktest_destroy_address(&(ep.r_address));
- encode_run(ep,enc_priv_part,"enc_priv_part","(optionals NULL)",encode_krb5_enc_priv_part);
+ ep.timestamp = 0;
+ /* ep.usec should be opted out along with timestamp */
+ ep.seq_number = 0;
+ ktest_destroy_address(&(ep.r_address));
+ encode_run(ep,enc_priv_part,"enc_priv_part","(optionals NULL)",encode_krb5_enc_priv_part);
- ktest_empty_priv_enc_part(&ep);
- }
+ ktest_empty_priv_enc_part(&ep);
+ }
- /****************************************************************/
- /* encode_krb5_cred */
- {
- krb5_cred c;
- setup(c,cred,"cred",ktest_make_sample_cred);
- encode_run(c,cred,"cred","",encode_krb5_cred);
- ktest_empty_cred(&c);
- }
+ /****************************************************************/
+ /* encode_krb5_cred */
+ {
+ krb5_cred c;
+ setup(c,cred,"cred",ktest_make_sample_cred);
+ encode_run(c,cred,"cred","",encode_krb5_cred);
+ ktest_empty_cred(&c);
+ }
- /****************************************************************/
- /* encode_krb5_enc_cred_part */
- {
- krb5_cred_enc_part cep;
- setup(cep,cred_enc_part,"cred_enc_part",ktest_make_sample_cred_enc_part);
- encode_run(cep,enc_cred_part,"enc_cred_part","",encode_krb5_enc_cred_part);
+ /****************************************************************/
+ /* encode_krb5_enc_cred_part */
+ {
+ krb5_cred_enc_part cep;
+ setup(cep,cred_enc_part,"cred_enc_part",ktest_make_sample_cred_enc_part);
+ encode_run(cep,enc_cred_part,"enc_cred_part","",encode_krb5_enc_cred_part);
- ktest_destroy_principal(&(cep.ticket_info[0]->client));
- ktest_destroy_principal(&(cep.ticket_info[0]->server));
- cep.ticket_info[0]->flags = 0;
- cep.ticket_info[0]->times.authtime = 0;
- cep.ticket_info[0]->times.starttime = 0;
- cep.ticket_info[0]->times.endtime = 0;
- cep.ticket_info[0]->times.renew_till = 0;
- ktest_destroy_addresses(&(cep.ticket_info[0]->caddrs));
- cep.nonce = 0;
- cep.timestamp = 0;
- ktest_destroy_address(&(cep.s_address));
- ktest_destroy_address(&(cep.r_address));
- encode_run(cep,enc_cred_part,"enc_cred_part","(optionals NULL)",encode_krb5_enc_cred_part);
+ ktest_destroy_principal(&(cep.ticket_info[0]->client));
+ ktest_destroy_principal(&(cep.ticket_info[0]->server));
+ cep.ticket_info[0]->flags = 0;
+ cep.ticket_info[0]->times.authtime = 0;
+ cep.ticket_info[0]->times.starttime = 0;
+ cep.ticket_info[0]->times.endtime = 0;
+ cep.ticket_info[0]->times.renew_till = 0;
+ ktest_destroy_addresses(&(cep.ticket_info[0]->caddrs));
+ cep.nonce = 0;
+ cep.timestamp = 0;
+ ktest_destroy_address(&(cep.s_address));
+ ktest_destroy_address(&(cep.r_address));
+ encode_run(cep,enc_cred_part,"enc_cred_part","(optionals NULL)",encode_krb5_enc_cred_part);
- ktest_empty_cred_enc_part(&cep);
- }
+ ktest_empty_cred_enc_part(&cep);
+ }
- /****************************************************************/
- /* encode_krb5_error */
- {
- krb5_error kerr;
- setup(kerr,error,"error",ktest_make_sample_error);
- encode_run(kerr,error,"error","",encode_krb5_error);
+ /****************************************************************/
+ /* encode_krb5_error */
+ {
+ krb5_error kerr;
+ setup(kerr,error,"error",ktest_make_sample_error);
+ encode_run(kerr,error,"error","",encode_krb5_error);
- kerr.ctime = 0;
- ktest_destroy_principal(&(kerr.client));
- ktest_empty_data(&(kerr.text));
- ktest_empty_data(&(kerr.e_data));
- encode_run(kerr,error,"error","(optionals NULL)",encode_krb5_error);
+ kerr.ctime = 0;
+ ktest_destroy_principal(&(kerr.client));
+ ktest_empty_data(&(kerr.text));
+ ktest_empty_data(&(kerr.e_data));
+ encode_run(kerr,error,"error","(optionals NULL)",encode_krb5_error);
- ktest_empty_error(&kerr);
- }
+ ktest_empty_error(&kerr);
+ }
- /****************************************************************/
- /* encode_krb5_authdata */
- {
- krb5_authdata **ad;
- setup(ad,authorization_data,"authorization_data",ktest_make_sample_authorization_data);
+ /****************************************************************/
+ /* encode_krb5_authdata */
+ {
+ krb5_authdata **ad;
+ setup(ad,authorization_data,"authorization_data",ktest_make_sample_authorization_data);
- retval = encode_krb5_authdata((const krb5_authdata**)ad,&(code));
- if(retval) {
- com_err("encoding authorization_data",retval,"");
- exit(1);
+ retval = encode_krb5_authdata(ad,&(code));
+ if (retval) {
+ com_err("encoding authorization_data",retval,"");
+ exit(1);
+ }
+ current_appl_type = 1004; /* Force type to be authdata */
+ encoder_print_results(code, "authorization_data", "");
+
+ ktest_destroy_authorization_data(&ad);
}
- current_appl_type = 1004; /* Force type to be authdata */
- encoder_print_results(code, "authorization_data", "");
-
- ktest_destroy_authorization_data(&ad);
- }
- /****************************************************************/
- /* encode_pwd_sequence */
- {
- passwd_phrase_element ppe;
- setup(ppe,passwd_phrase_element,"PasswdSequence",ktest_make_sample_passwd_phrase_element);
- encode_run(ppe,passwd_phrase_element,"pwd_sequence","",encode_krb5_pwd_sequence);
- ktest_empty_passwd_phrase_element(&ppe);
- }
+ /****************************************************************/
+ /* encode_pwd_sequence */
+ {
+ passwd_phrase_element ppe;
+ setup(ppe,passwd_phrase_element,"PasswdSequence",ktest_make_sample_passwd_phrase_element);
+ encode_run(ppe,passwd_phrase_element,"pwd_sequence","",encode_krb5_pwd_sequence);
+ ktest_empty_passwd_phrase_element(&ppe);
+ }
- /****************************************************************/
- /* encode_passwd_data */
- {
- krb5_pwd_data pd;
- setup(pd,krb5_pwd_data,"PasswdData",ktest_make_sample_krb5_pwd_data);
- encode_run(pd,krb5_pwd_data,"pwd_data","",encode_krb5_pwd_data);
- ktest_empty_pwd_data(&pd);
- }
+ /****************************************************************/
+ /* encode_passwd_data */
+ {
+ krb5_pwd_data pd;
+ setup(pd,krb5_pwd_data,"PasswdData",ktest_make_sample_krb5_pwd_data);
+ encode_run(pd,krb5_pwd_data,"pwd_data","",encode_krb5_pwd_data);
+ ktest_empty_pwd_data(&pd);
+ }
- /****************************************************************/
- /* encode_padata_sequence */
- {
- krb5_pa_data **pa;
+ /****************************************************************/
+ /* encode_padata_sequence */
+ {
+ krb5_pa_data **pa;
- setup(pa,krb5_pa_data,"PreauthData",ktest_make_sample_pa_data_array);
- retval = encode_krb5_padata_sequence((const krb5_pa_data**)pa,&(code));
- if(retval) {
- com_err("encoding padata_sequence",retval,"");
- exit(1);
+ setup(pa,krb5_pa_data,"PreauthData",ktest_make_sample_pa_data_array);
+ retval = encode_krb5_padata_sequence(pa,&(code));
+ if (retval) {
+ com_err("encoding padata_sequence",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "padata_sequence", "");
+
+ ktest_destroy_pa_data_array(&pa);
}
- encoder_print_results(code, "padata_sequence", "");
+
+ /****************************************************************/
+ /* encode_padata_sequence (empty) */
+ {
+ krb5_pa_data **pa;
- ktest_destroy_pa_data_array(&pa);
- }
+ setup(pa,krb5_pa_data,"EmptyPreauthData",ktest_make_sample_empty_pa_data_array);
+ retval = encode_krb5_padata_sequence(pa,&(code));
+ if (retval) {
+ com_err("encoding padata_sequence(empty)",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "padata_sequence(empty)", "");
- /****************************************************************/
- /* encode_padata_sequence (empty) */
- {
- krb5_pa_data **pa;
-
- setup(pa,krb5_pa_data,"EmptyPreauthData",ktest_make_sample_empty_pa_data_array);
- retval = encode_krb5_padata_sequence((const krb5_pa_data**)pa,&(code));
- if(retval) {
- com_err("encoding padata_sequence(empty)",retval,"");
- exit(1);
+ ktest_destroy_pa_data_array(&pa);
}
- encoder_print_results(code, "padata_sequence(empty)", "");
- ktest_destroy_pa_data_array(&pa);
- }
+ /****************************************************************/
+ /* encode_alt_method */
+ {
+ krb5_alt_method am;
+ setup(am,krb5_alt_method,"AltMethod",ktest_make_sample_alt_method);
+ encode_run(am,krb5_alt_method,"alt_method","",encode_krb5_alt_method);
+ am.length = 0;
+ if (am.data)
+ free(am.data);
+ am.data = 0;
+ encode_run(am,krb5_alt_method,"alt_method (no data)","",
+ encode_krb5_alt_method);
+ ktest_empty_alt_method(&am);
+ }
- /****************************************************************/
- /* encode_alt_method */
- {
- krb5_alt_method am;
- setup(am,krb5_alt_method,"AltMethod",ktest_make_sample_alt_method);
- encode_run(am,krb5_alt_method,"alt_method","",encode_krb5_alt_method);
- am.length = 0;
- if (am.data)
- free(am.data);
- am.data = 0;
- encode_run(am,krb5_alt_method,"alt_method (no data)","",
- encode_krb5_alt_method);
- ktest_empty_alt_method(&am);
- }
+ /****************************************************************/
+ /* encode_etype_info */
+ {
+ krb5_etype_info_entry **info;
+
+ setup(info,krb5_etype_info_entry **,"etype_info",
+ ktest_make_sample_etype_info);
+ retval = encode_krb5_etype_info(info,&(code));
+ if (retval) {
+ com_err("encoding etype_info",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info", "");
+ ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
+ ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
- /****************************************************************/
- /* encode_etype_info */
- {
- krb5_etype_info_entry **info;
+ retval = encode_krb5_etype_info(info,&(code));
+ if (retval) {
+ com_err("encoding etype_info (only 1)",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info (only 1)", "");
+
+ ktest_destroy_etype_info_entry(info[0]); info[0] = 0;
- setup(info,krb5_etype_info_entry **,"etype_info",
- ktest_make_sample_etype_info);
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **)info,&(code));
- if(retval) {
- com_err("encoding etype_info",retval,"");
- exit(1);
- }
- encoder_print_results(code, "etype_info", "");
- ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
- ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
+ retval = encode_krb5_etype_info(info,&(code));
+ if (retval) {
+ com_err("encoding etype_info (no info)",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info (no info)", "");
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **)info,&(code));
- if(retval) {
- com_err("encoding etype_info (only 1)",retval,"");
- exit(1);
+ ktest_destroy_etype_info(info);
}
- encoder_print_results(code, "etype_info (only 1)", "");
- ktest_destroy_etype_info_entry(info[0]); info[0] = 0;
+ /* encode_etype_info 2*/
+ {
+ krb5_etype_info_entry **info;
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **)info,&(code));
- if(retval) {
- com_err("encoding etype_info (no info)",retval,"");
- exit(1);
- }
- encoder_print_results(code, "etype_info (no info)", "");
+ setup(info,krb5_etype_info_entry **,"etype_info2",
+ ktest_make_sample_etype_info2);
+ retval = encode_krb5_etype_info2(info,&(code));
+ if (retval) {
+ com_err("encoding etype_info",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info2", "");
+ ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
+ ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
- ktest_destroy_etype_info(info);
- }
+ retval = encode_krb5_etype_info2(info,&(code));
+ if (retval) {
+ com_err("encoding etype_info (only 1)",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info2 (only 1)", "");
- /* encode_etype_info 2*/
- {
- krb5_etype_info_entry **info;
+ ktest_destroy_etype_info(info);
+/* ktest_destroy_etype_info_entry(info[0]); info[0] = 0;*/
- setup(info,krb5_etype_info_entry **,"etype_info2",
- ktest_make_sample_etype_info2);
- retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code));
- if(retval) {
- com_err("encoding etype_info",retval,"");
- exit(1);
}
- encoder_print_results(code, "etype_info2", "");
- ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
- ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
- retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code));
- if(retval) {
- com_err("encoding etype_info (only 1)",retval,"");
- exit(1);
+ /****************************************************************/
+ /* encode_pa_enc_ts */
+ {
+ krb5_pa_enc_ts pa_enc;
+ setup(pa_enc,krb5_pa_enc_ts,"pa_enc_ts",ktest_make_sample_pa_enc_ts);
+ encode_run(pa_enc,krb5_pa_enc_ts,"pa_enc_ts","",encode_krb5_pa_enc_ts);
+ pa_enc.pausec = 0;
+ encode_run(pa_enc,krb5_pa_enc_ts,"pa_enc_ts (no usec)","",encode_krb5_pa_enc_ts);
}
- encoder_print_results(code, "etype_info2 (only 1)", "");
- ktest_destroy_etype_info(info);
-/* ktest_destroy_etype_info_entry(info[0]); info[0] = 0;*/
-
- }
-
+ /****************************************************************/
+ /* encode_enc_data */
+ {
+ krb5_enc_data enc_data;
+ setup(enc_data,krb5_enc_data,"enc_data",ktest_make_sample_enc_data);
+ current_appl_type = 1001;
+ encode_run(enc_data,krb5_enc_data,"enc_data","",encode_krb5_enc_data);
+ ktest_destroy_enc_data(&enc_data);
+ }
+ /****************************************************************/
+ /* encode_krb5_sam_challenge */
+ {
+ krb5_sam_challenge sam_ch;
+ setup(sam_ch,krb5_sam_challenge,"sam_challenge",
+ ktest_make_sample_sam_challenge);
+ encode_run(sam_ch,krb5_sam_challenge,"sam_challenge","",
+ encode_krb5_sam_challenge);
+ ktest_empty_sam_challenge(&sam_ch);
+ }
+ /****************************************************************/
+ /* encode_krb5_sam_response */
+ {
+ krb5_sam_response sam_ch;
+ setup(sam_ch,krb5_sam_response,"sam_response",
+ ktest_make_sample_sam_response);
+ encode_run(sam_ch,krb5_sam_response,"sam_response","",
+ encode_krb5_sam_response);
+ ktest_empty_sam_response(&sam_ch);
+ }
+ /****************************************************************/
+ /* encode_krb5_sam_key */
+ {
+ krb5_sam_key sam_ch;
+ setup(sam_ch,krb5_sam_key,"sam_key",
+ ktest_make_sample_sam_key);
+ encode_run(sam_ch,krb5_sam_key,"sam_key","",
+ encode_krb5_sam_key);
+ ktest_empty_sam_key(&sam_ch);
+ }
+ /****************************************************************/
+ /* encode_krb5_enc_sam_response_enc */
+ {
+ krb5_enc_sam_response_enc sam_ch;
+ setup(sam_ch,krb5_enc_sam_response_enc,"enc_sam_response_enc",
+ ktest_make_sample_enc_sam_response_enc);
+ encode_run(sam_ch,krb5_enc_sam_response_enc,"enc_sam_response_enc","",
+ encode_krb5_enc_sam_response_enc);
+ ktest_empty_enc_sam_response_enc(&sam_ch);
+ }
+ /****************************************************************/
+ /* encode_krb5_predicted_sam_response */
+ {
+ krb5_predicted_sam_response sam_ch;
+ setup(sam_ch,krb5_predicted_sam_response,"predicted_sam_response",
+ ktest_make_sample_predicted_sam_response);
+ encode_run(sam_ch,krb5_predicted_sam_response,"predicted_sam_response","",
+ encode_krb5_predicted_sam_response);
+ ktest_empty_predicted_sam_response(&sam_ch);
+ }
/****************************************************************/
- /* encode_pa_enc_ts */
- {
- krb5_pa_enc_ts pa_enc;
- setup(pa_enc,krb5_pa_enc_ts,"pa_enc_ts",ktest_make_sample_pa_enc_ts);
- encode_run(pa_enc,krb5_pa_enc_ts,"pa_enc_ts","",encode_krb5_pa_enc_ts);
- pa_enc.pausec = 0;
- encode_run(pa_enc,krb5_pa_enc_ts,"pa_enc_ts (no usec)","",encode_krb5_pa_enc_ts);
- }
+ /* encode_krb5_sam_response_2 */
+ {
+ krb5_sam_response_2 sam_ch2;
+ setup(sam_ch2,krb5_sam_response_2,"sam_response_2",
+ ktest_make_sample_sam_response_2);
+ encode_run(sam_ch2,krb5_sam_response_2,"sam_response_2","",
+ acc.encode_krb5_sam_response_2);
+ ktest_empty_sam_response_2(&sam_ch2);
+ }
+ /****************************************************************/
+ /* encode_krb5_sam_response_enc_2 */
+ {
+ krb5_enc_sam_response_enc_2 sam_ch2;
+ setup(sam_ch2,krb5_enc_sam_response_enc_2,"enc_sam_response_enc_2",
+ ktest_make_sample_enc_sam_response_enc_2);
+ encode_run(sam_ch2,krb5_enc_sam_response_enc_2,
+ "enc_sam_response_enc_2","",
+ acc.encode_krb5_enc_sam_response_enc_2);
+ ktest_empty_enc_sam_response_enc_2(&sam_ch2);
+ }
+#ifdef ENABLE_LDAP
+ {
+ ldap_seqof_key_data skd;
- /****************************************************************/
- /* encode_enc_data */
- {
- krb5_enc_data enc_data;
- setup(enc_data,krb5_enc_data,"enc_data",ktest_make_sample_enc_data);
- current_appl_type = 1001;
- encode_run(enc_data,krb5_enc_data,"enc_data","",encode_krb5_enc_data);
- ktest_destroy_enc_data(&enc_data);
- }
- /****************************************************************/
- /* encode_krb5_sam_challenge */
- {
- krb5_sam_challenge sam_ch;
- setup(sam_ch,krb5_sam_challenge,"sam_challenge",
- ktest_make_sample_sam_challenge);
- encode_run(sam_ch,krb5_sam_challenge,"sam_challenge","",
- encode_krb5_sam_challenge);
- ktest_empty_sam_challenge(&sam_ch);
- }
- /****************************************************************/
- /* encode_krb5_sam_response */
- {
- krb5_sam_response sam_ch;
- setup(sam_ch,krb5_sam_response,"sam_response",
- ktest_make_sample_sam_response);
- encode_run(sam_ch,krb5_sam_response,"sam_response","",
- encode_krb5_sam_response);
- ktest_empty_sam_response(&sam_ch);
- }
-#if 0
- /****************************************************************/
- /* encode_krb5_sam_key */
- {
- krb5_sam_key sam_ch;
- setup(sam_ch,krb5_sam_key,"sam_key",
- ktest_make_sample_sam_key);
- encode_run(sam_ch,krb5_sam_key,"sam_key","",
- encode_krb5_sam_key);
- }
- /****************************************************************/
- /* encode_krb5_enc_sam_response_enc */
- {
- krb5_enc_sam_response_enc sam_ch;
- setup(sam_ch,krb5_enc_sam_response_enc,"enc_sam_response_enc",
- ktest_make_sample_enc_sam_response_enc);
- encode_run(sam_ch,krb5_enc_sam_response_enc,"enc_sam_response_enc","",
- encode_krb5_enc_sam_response_enc);
- }
- /****************************************************************/
- /* encode_krb5_predicted_sam_response */
- {
- krb5_predicted_sam_response sam_ch;
- setup(sam_ch,krb5_predicted_sam_response,"predicted_sam_response",
- ktest_make_sample_predicted_sam_response);
- encode_run(sam_ch,krb5_predicted_sam_response,"predicted_sam_response","",
- encode_krb5_predicted_sam_response);
- }
+ setup(skd, ldap_seqof_key_data, "ldap_seqof_key_data",
+ ktest_make_sample_ldap_seqof_key_data);
+ encode_run(skd, ldap_seqof_key_data, "ldap_seqof_key_data", "",
+ acc.asn1_ldap_encode_sequence_of_keys);
+ ktest_empty_ldap_seqof_key_data(test_context, &skd);
+ }
#endif
- krb5_free_context(test_context);
- exit(error_count);
- return(error_count);
+ krb5_free_context(test_context);
+ exit(error_count);
+ return(error_count);
}
-
-
Modified: branches/mkey_migrate/src/tests/asn.1/ktest.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/ktest.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/ktest.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,640 +5,640 @@
char *sample_principal_name = "hftsai/extra at ATHENA.MIT.EDU";
krb5_error_code ktest_make_sample_authenticator(a)
- krb5_authenticator * a;
+ krb5_authenticator * a;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- retval = ktest_make_sample_principal(&(a->client));
- if(retval) return retval;
- a->checksum = (krb5_checksum*)calloc(1,sizeof(krb5_checksum));
- if(a->checksum == NULL) return ENOMEM;
- retval = ktest_make_sample_checksum(a->checksum);
- if(retval) return retval;
- a->cusec = SAMPLE_USEC;
- a->ctime = SAMPLE_TIME;
- a->subkey = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
- if(a->subkey == NULL) return ENOMEM;
- retval = ktest_make_sample_keyblock(a->subkey);
- if(retval) return retval;
- a->seq_number = SAMPLE_SEQ_NUMBER;
- retval = ktest_make_sample_authorization_data(&(a->authorization_data));
- if(retval) return retval;
+ retval = ktest_make_sample_principal(&(a->client));
+ if (retval) return retval;
+ a->checksum = (krb5_checksum*)calloc(1,sizeof(krb5_checksum));
+ if (a->checksum == NULL) return ENOMEM;
+ retval = ktest_make_sample_checksum(a->checksum);
+ if (retval) return retval;
+ a->cusec = SAMPLE_USEC;
+ a->ctime = SAMPLE_TIME;
+ a->subkey = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
+ if (a->subkey == NULL) return ENOMEM;
+ retval = ktest_make_sample_keyblock(a->subkey);
+ if (retval) return retval;
+ a->seq_number = SAMPLE_SEQ_NUMBER;
+ retval = ktest_make_sample_authorization_data(&(a->authorization_data));
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_principal(p)
- krb5_principal * p;
+ krb5_principal * p;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- retval = krb5_parse_name(test_context, sample_principal_name, p);
- return retval;
+ retval = krb5_parse_name(test_context, sample_principal_name, p);
+ return retval;
}
krb5_error_code ktest_make_sample_checksum(cs)
- krb5_checksum * cs;
+ krb5_checksum * cs;
{
- cs->checksum_type = 1;
- cs->length = 4;
- cs->contents = (krb5_octet*)calloc(4,sizeof(krb5_octet));
- if(cs->contents == NULL) return ENOMEM;
- memcpy(cs->contents,"1234",4);
+ cs->checksum_type = 1;
+ cs->length = 4;
+ cs->contents = (krb5_octet*)calloc(4,sizeof(krb5_octet));
+ if (cs->contents == NULL) return ENOMEM;
+ memcpy(cs->contents,"1234",4);
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_keyblock(kb)
- krb5_keyblock * kb;
+ krb5_keyblock * kb;
{
- kb->magic = KV5M_KEYBLOCK;
- kb->enctype = 1;
- kb->length = 8;
- kb->contents = (krb5_octet*)calloc(8,sizeof(krb5_octet));
- if(kb->contents == NULL) return ENOMEM;
- memcpy(kb->contents,"12345678",8);
+ kb->magic = KV5M_KEYBLOCK;
+ kb->enctype = 1;
+ kb->length = 8;
+ kb->contents = (krb5_octet*)calloc(8,sizeof(krb5_octet));
+ if (kb->contents == NULL) return ENOMEM;
+ memcpy(kb->contents,"12345678",8);
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_ticket(tkt)
- krb5_ticket * tkt;
+ krb5_ticket * tkt;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- retval = ktest_make_sample_principal(&(tkt->server));
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(tkt->enc_part));
- if(retval) return retval;
- tkt->enc_part2 = NULL;
+ retval = ktest_make_sample_principal(&(tkt->server));
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(tkt->enc_part));
+ if (retval) return retval;
+ tkt->enc_part2 = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_enc_data(ed)
- krb5_enc_data * ed;
+ krb5_enc_data * ed;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- ed->kvno = 5;
- ed->enctype = 0;
- retval = krb5_data_parse(&(ed->ciphertext),"krbASN.1 test message");
- if(retval) return retval;
+ ed->kvno = 5;
+ ed->enctype = 0;
+ retval = krb5_data_parse(&(ed->ciphertext),"krbASN.1 test message");
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_enc_tkt_part(etp)
- krb5_enc_tkt_part * etp;
+ krb5_enc_tkt_part * etp;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- etp->flags = SAMPLE_FLAGS;
- etp->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
- if(etp->session == NULL) return ENOMEM;
- retval = ktest_make_sample_keyblock(etp->session);
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(etp->client));
- if(retval) return retval;
- retval = ktest_make_sample_transited(&(etp->transited));
- if(retval) return retval;
- retval = ktest_make_sample_ticket_times(&(etp->times));
- if(retval) return retval;
- retval = ktest_make_sample_addresses(&(etp->caddrs));
- if(retval) return retval;
- retval = ktest_make_sample_authorization_data(&(etp->authorization_data));
- if(retval) return retval;
- return 0;
+ etp->flags = SAMPLE_FLAGS;
+ etp->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
+ if (etp->session == NULL) return ENOMEM;
+ retval = ktest_make_sample_keyblock(etp->session);
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(etp->client));
+ if (retval) return retval;
+ retval = ktest_make_sample_transited(&(etp->transited));
+ if (retval) return retval;
+ retval = ktest_make_sample_ticket_times(&(etp->times));
+ if (retval) return retval;
+ retval = ktest_make_sample_addresses(&(etp->caddrs));
+ if (retval) return retval;
+ retval = ktest_make_sample_authorization_data(&(etp->authorization_data));
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_addresses(caddrs)
- krb5_address *** caddrs;
+ krb5_address *** caddrs;
{
- asn1_error_code retval;
- int i;
+ asn1_error_code retval;
+ int i;
- *caddrs = (krb5_address**)calloc(3,sizeof(krb5_address*));
- if(*caddrs == NULL) return ENOMEM;
- for(i=0; i<2; i++){
- (*caddrs)[i] = (krb5_address*)calloc(1,sizeof(krb5_address));
- if((*caddrs)[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_address((*caddrs)[i]);
- if(retval) return retval;
- }
- (*caddrs)[2] = NULL;
- return 0;
+ *caddrs = (krb5_address**)calloc(3,sizeof(krb5_address*));
+ if (*caddrs == NULL) return ENOMEM;
+ for (i=0; i<2; i++) {
+ (*caddrs)[i] = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if ((*caddrs)[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_address((*caddrs)[i]);
+ if (retval) return retval;
+ }
+ (*caddrs)[2] = NULL;
+ return 0;
}
krb5_error_code ktest_make_sample_authorization_data(ad)
- krb5_authdata *** ad;
+ krb5_authdata *** ad;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- *ad = (krb5_authdata**)calloc(3,sizeof(krb5_authdata*));
- if(*ad == NULL) return ENOMEM;
+ *ad = (krb5_authdata**)calloc(3,sizeof(krb5_authdata*));
+ if (*ad == NULL) return ENOMEM;
- for(i=0; i<=1; i++){
- (*ad)[i] = (krb5_authdata*)calloc(1,sizeof(krb5_authdata));
- if((*ad)[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_authdata((*ad)[i]);
- if(retval) return retval;
- }
- (*ad)[2] = NULL;
+ for (i=0; i<=1; i++) {
+ (*ad)[i] = (krb5_authdata*)calloc(1,sizeof(krb5_authdata));
+ if ((*ad)[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_authdata((*ad)[i]);
+ if (retval) return retval;
+ }
+ (*ad)[2] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_transited(t)
- krb5_transited * t;
+ krb5_transited * t;
{
- t->tr_type = 1;
- return krb5_data_parse(&(t->tr_contents),
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.");
+ t->tr_type = 1;
+ return krb5_data_parse(&(t->tr_contents),
+ "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.");
}
krb5_error_code ktest_make_sample_ticket_times(tt)
- krb5_ticket_times * tt;
+ krb5_ticket_times * tt;
{
- tt->authtime = SAMPLE_TIME;
- tt->starttime = SAMPLE_TIME;
- tt->endtime = SAMPLE_TIME;
- tt->renew_till = SAMPLE_TIME;
- return 0;
+ tt->authtime = SAMPLE_TIME;
+ tt->starttime = SAMPLE_TIME;
+ tt->endtime = SAMPLE_TIME;
+ tt->renew_till = SAMPLE_TIME;
+ return 0;
}
krb5_error_code ktest_make_sample_address(a)
- krb5_address * a;
+ krb5_address * a;
{
- a->addrtype = ADDRTYPE_INET;
- a->length = 4;
- a->contents = (krb5_octet*)calloc(4,sizeof(krb5_octet));
- if(a->contents == NULL) return ENOMEM;
- a->contents[0] = 18;
- a->contents[1] = 208;
- a->contents[2] = 0;
- a->contents[3] = 35;
+ a->addrtype = ADDRTYPE_INET;
+ a->length = 4;
+ a->contents = (krb5_octet*)calloc(4,sizeof(krb5_octet));
+ if (a->contents == NULL) return ENOMEM;
+ a->contents[0] = 18;
+ a->contents[1] = 208;
+ a->contents[2] = 0;
+ a->contents[3] = 35;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_authdata(ad)
- krb5_authdata * ad;
+ krb5_authdata * ad;
{
- ad->ad_type = 1;
- ad->length = 6;
- ad->contents = (krb5_octet*)calloc(6,sizeof(krb5_octet));
- if(ad->contents == NULL) return ENOMEM;
- memcpy(ad->contents,"foobar",6);
- return 0;
+ ad->ad_type = 1;
+ ad->length = 6;
+ ad->contents = (krb5_octet*)calloc(6,sizeof(krb5_octet));
+ if (ad->contents == NULL) return ENOMEM;
+ memcpy(ad->contents,"foobar",6);
+ return 0;
}
krb5_error_code ktest_make_sample_enc_kdc_rep_part(ekr)
- krb5_enc_kdc_rep_part * ekr;
+ krb5_enc_kdc_rep_part * ekr;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- ekr->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
- if(ekr->session == NULL) return ENOMEM;
- retval = ktest_make_sample_keyblock(ekr->session);
- if(retval) return retval;
- retval = ktest_make_sample_last_req(&(ekr->last_req));
- if(retval) return retval;
- ekr->nonce = SAMPLE_NONCE;
- ekr->key_exp = SAMPLE_TIME;
- ekr->flags = SAMPLE_FLAGS;
- ekr->times.authtime = SAMPLE_TIME;
- ekr->times.starttime = SAMPLE_TIME;
- ekr->times.endtime = SAMPLE_TIME;
- ekr->times.renew_till = SAMPLE_TIME;
- retval = ktest_make_sample_principal(&(ekr->server));
- if(retval) return retval;
- retval = ktest_make_sample_addresses(&(ekr->caddrs));
- if(retval) return retval;
+ ekr->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
+ if (ekr->session == NULL) return ENOMEM;
+ retval = ktest_make_sample_keyblock(ekr->session);
+ if (retval) return retval;
+ retval = ktest_make_sample_last_req(&(ekr->last_req));
+ if (retval) return retval;
+ ekr->nonce = SAMPLE_NONCE;
+ ekr->key_exp = SAMPLE_TIME;
+ ekr->flags = SAMPLE_FLAGS;
+ ekr->times.authtime = SAMPLE_TIME;
+ ekr->times.starttime = SAMPLE_TIME;
+ ekr->times.endtime = SAMPLE_TIME;
+ ekr->times.renew_till = SAMPLE_TIME;
+ retval = ktest_make_sample_principal(&(ekr->server));
+ if (retval) return retval;
+ retval = ktest_make_sample_addresses(&(ekr->caddrs));
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_last_req(lr)
- krb5_last_req_entry *** lr;
+ krb5_last_req_entry *** lr;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- *lr = (krb5_last_req_entry**)calloc(3,sizeof(krb5_last_req_entry*));
- if(*lr == NULL) return ENOMEM;
- for(i=0; i<=1; i++){
- retval = ktest_make_sample_last_req_entry(&((*lr)[i]));
- if(retval) return retval;
- }
- (*lr)[2] = NULL;
- return 0;
+ *lr = (krb5_last_req_entry**)calloc(3,sizeof(krb5_last_req_entry*));
+ if (*lr == NULL) return ENOMEM;
+ for (i=0; i<=1; i++) {
+ retval = ktest_make_sample_last_req_entry(&((*lr)[i]));
+ if (retval) return retval;
+ }
+ (*lr)[2] = NULL;
+ return 0;
}
krb5_error_code ktest_make_sample_last_req_entry(lre)
- krb5_last_req_entry ** lre;
+ krb5_last_req_entry ** lre;
{
- *lre = (krb5_last_req_entry*)calloc(1,sizeof(krb5_last_req_entry));
- if(*lre == NULL) return ENOMEM;
- (*lre)->lr_type = -5;
- (*lre)->value = SAMPLE_TIME;
- return 0;
+ *lre = (krb5_last_req_entry*)calloc(1,sizeof(krb5_last_req_entry));
+ if (*lre == NULL) return ENOMEM;
+ (*lre)->lr_type = -5;
+ (*lre)->value = SAMPLE_TIME;
+ return 0;
}
krb5_error_code ktest_make_sample_kdc_rep(kdcr)
- krb5_kdc_rep * kdcr;
+ krb5_kdc_rep * kdcr;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- retval = ktest_make_sample_pa_data_array(&(kdcr->padata));
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(kdcr->client));
- if(retval) return retval;
- kdcr->ticket = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
- if(kdcr->ticket == NULL) return ENOMEM;
- retval = ktest_make_sample_ticket(kdcr->ticket);
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(kdcr->enc_part));
- if(retval) return retval;
- kdcr->enc_part2 = NULL;
+ retval = ktest_make_sample_pa_data_array(&(kdcr->padata));
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(kdcr->client));
+ if (retval) return retval;
+ kdcr->ticket = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
+ if (kdcr->ticket == NULL) return ENOMEM;
+ retval = ktest_make_sample_ticket(kdcr->ticket);
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(kdcr->enc_part));
+ if (retval) return retval;
+ kdcr->enc_part2 = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_pa_data_array(pad)
- krb5_pa_data *** pad;
+ krb5_pa_data *** pad;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- *pad = (krb5_pa_data**)calloc(3,sizeof(krb5_pa_data*));
- if(*pad == NULL) return ENOMEM;
+ *pad = (krb5_pa_data**)calloc(3,sizeof(krb5_pa_data*));
+ if (*pad == NULL) return ENOMEM;
- for(i=0; i<=1; i++){
- (*pad)[i] = (krb5_pa_data*)calloc(1,sizeof(krb5_pa_data));
- if((*pad)[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_pa_data((*pad)[i]);
- if(retval) return retval;
- }
- (*pad)[2] = NULL;
+ for (i=0; i<=1; i++) {
+ (*pad)[i] = (krb5_pa_data*)calloc(1,sizeof(krb5_pa_data));
+ if ((*pad)[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_pa_data((*pad)[i]);
+ if (retval) return retval;
+ }
+ (*pad)[2] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_empty_pa_data_array(pad)
- krb5_pa_data *** pad;
+ krb5_pa_data *** pad;
{
- *pad = (krb5_pa_data**)calloc(1,sizeof(krb5_pa_data*));
- if(*pad == NULL) return ENOMEM;
+ *pad = (krb5_pa_data**)calloc(1,sizeof(krb5_pa_data*));
+ if (*pad == NULL) return ENOMEM;
- (*pad)[0] = NULL;
+ (*pad)[0] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_pa_data(pad)
- krb5_pa_data * pad;
+ krb5_pa_data * pad;
{
- pad->pa_type = 13;
- pad->length = 7;
- pad->contents = (krb5_octet*)calloc(7,sizeof(krb5_octet));
- if(pad->contents == NULL) return ENOMEM;
- memcpy(pad->contents,"pa-data",7);
- return 0;
+ pad->pa_type = 13;
+ pad->length = 7;
+ pad->contents = (krb5_octet*)calloc(7,sizeof(krb5_octet));
+ if (pad->contents == NULL) return ENOMEM;
+ memcpy(pad->contents,"pa-data",7);
+ return 0;
}
krb5_error_code ktest_make_sample_ap_req(ar)
- krb5_ap_req * ar;
+ krb5_ap_req * ar;
{
- krb5_error_code retval;
- ar->ap_options = SAMPLE_FLAGS;
- ar->ticket = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
- if(ar->ticket == NULL) return ENOMEM;
- retval = ktest_make_sample_ticket(ar->ticket);
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(ar->authenticator));
- if(retval) return retval;
- return 0;
+ krb5_error_code retval;
+ ar->ap_options = SAMPLE_FLAGS;
+ ar->ticket = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
+ if (ar->ticket == NULL) return ENOMEM;
+ retval = ktest_make_sample_ticket(ar->ticket);
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(ar->authenticator));
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_ap_rep(ar)
- krb5_ap_rep * ar;
+ krb5_ap_rep * ar;
{
- return ktest_make_sample_enc_data(&(ar->enc_part));
+ return ktest_make_sample_enc_data(&(ar->enc_part));
}
krb5_error_code ktest_make_sample_ap_rep_enc_part(arep)
- krb5_ap_rep_enc_part * arep;
+ krb5_ap_rep_enc_part * arep;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- arep->ctime = SAMPLE_TIME;
- arep->cusec = SAMPLE_USEC;
- arep->subkey = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
- if(arep->subkey == NULL) return ENOMEM;
- retval = ktest_make_sample_keyblock(arep->subkey);
- if(retval) return retval;
- arep->seq_number = SAMPLE_SEQ_NUMBER;
+ arep->ctime = SAMPLE_TIME;
+ arep->cusec = SAMPLE_USEC;
+ arep->subkey = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
+ if (arep->subkey == NULL) return ENOMEM;
+ retval = ktest_make_sample_keyblock(arep->subkey);
+ if (retval) return retval;
+ arep->seq_number = SAMPLE_SEQ_NUMBER;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_kdc_req(kr)
- krb5_kdc_req * kr;
+ krb5_kdc_req * kr;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- /* msg_type is left up to the calling procedure */
- retval = ktest_make_sample_pa_data_array(&(kr->padata));
- if(retval) return retval;
- kr->kdc_options = SAMPLE_FLAGS;
- retval = ktest_make_sample_principal(&(kr->client));
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(kr->server));
- if(retval) return retval;
- kr->from = SAMPLE_TIME;
- kr->till = SAMPLE_TIME;
- kr->rtime = SAMPLE_TIME;
- kr->nonce = SAMPLE_NONCE;
- kr->nktypes = 2;
- kr->ktype = (krb5_enctype*)calloc(2,sizeof(krb5_enctype));
- kr->ktype[0] = 0;
- kr->ktype[1] = 1;
- retval = ktest_make_sample_addresses(&(kr->addresses));
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(kr->authorization_data));
- if(retval) return retval;
- retval = ktest_make_sample_authorization_data(&(kr->unenc_authdata));
- if(retval) return retval;
- retval = ktest_make_sample_sequence_of_ticket(&(kr->second_ticket));
- if(retval) return retval;
- return 0;
+ /* msg_type is left up to the calling procedure */
+ retval = ktest_make_sample_pa_data_array(&(kr->padata));
+ if (retval) return retval;
+ kr->kdc_options = SAMPLE_FLAGS;
+ retval = ktest_make_sample_principal(&(kr->client));
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(kr->server));
+ if (retval) return retval;
+ kr->from = SAMPLE_TIME;
+ kr->till = SAMPLE_TIME;
+ kr->rtime = SAMPLE_TIME;
+ kr->nonce = SAMPLE_NONCE;
+ kr->nktypes = 2;
+ kr->ktype = (krb5_enctype*)calloc(2,sizeof(krb5_enctype));
+ kr->ktype[0] = 0;
+ kr->ktype[1] = 1;
+ retval = ktest_make_sample_addresses(&(kr->addresses));
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(kr->authorization_data));
+ if (retval) return retval;
+ retval = ktest_make_sample_authorization_data(&(kr->unenc_authdata));
+ if (retval) return retval;
+ retval = ktest_make_sample_sequence_of_ticket(&(kr->second_ticket));
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_kdc_req_body(krb)
- krb5_kdc_req * krb;
+ krb5_kdc_req * krb;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- krb->kdc_options = SAMPLE_FLAGS;
- retval = ktest_make_sample_principal(&(krb->client));
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(krb->server));
- if(retval) return retval;
- krb->from = SAMPLE_TIME;
- krb->till = SAMPLE_TIME;
- krb->rtime = SAMPLE_TIME;
- krb->nonce = SAMPLE_NONCE;
- krb->nktypes = 2;
- krb->ktype = (krb5_enctype*)calloc(2,sizeof(krb5_enctype));
- krb->ktype[0] = 0;
- krb->ktype[1] = 1;
- retval = ktest_make_sample_addresses(&(krb->addresses));
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(krb->authorization_data));
- if(retval) return retval;
- retval = ktest_make_sample_authorization_data(&(krb->unenc_authdata));
- if(retval) return retval;
- retval = ktest_make_sample_sequence_of_ticket(&(krb->second_ticket));
- if(retval) return retval;
- return 0;
+ krb->kdc_options = SAMPLE_FLAGS;
+ retval = ktest_make_sample_principal(&(krb->client));
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(krb->server));
+ if (retval) return retval;
+ krb->from = SAMPLE_TIME;
+ krb->till = SAMPLE_TIME;
+ krb->rtime = SAMPLE_TIME;
+ krb->nonce = SAMPLE_NONCE;
+ krb->nktypes = 2;
+ krb->ktype = (krb5_enctype*)calloc(2,sizeof(krb5_enctype));
+ krb->ktype[0] = 0;
+ krb->ktype[1] = 1;
+ retval = ktest_make_sample_addresses(&(krb->addresses));
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(krb->authorization_data));
+ if (retval) return retval;
+ retval = ktest_make_sample_authorization_data(&(krb->unenc_authdata));
+ if (retval) return retval;
+ retval = ktest_make_sample_sequence_of_ticket(&(krb->second_ticket));
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_safe(s)
- krb5_safe * s;
+ krb5_safe * s;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- retval = ktest_make_sample_data(&(s->user_data));
- if(retval) return retval;
- s->timestamp = SAMPLE_TIME;
- s->usec = SAMPLE_USEC;
- s->seq_number = SAMPLE_SEQ_NUMBER;
- s->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(s->s_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(s->s_address);
- if(retval) return retval;
- s->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(s->r_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(s->r_address);
- if(retval) return retval;
- s->checksum = (krb5_checksum*)calloc(1,sizeof(krb5_checksum));
- if(s->checksum == NULL) return ENOMEM;
- retval = ktest_make_sample_checksum(s->checksum);
- if(retval) return retval;
+ retval = ktest_make_sample_data(&(s->user_data));
+ if (retval) return retval;
+ s->timestamp = SAMPLE_TIME;
+ s->usec = SAMPLE_USEC;
+ s->seq_number = SAMPLE_SEQ_NUMBER;
+ s->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (s->s_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(s->s_address);
+ if (retval) return retval;
+ s->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (s->r_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(s->r_address);
+ if (retval) return retval;
+ s->checksum = (krb5_checksum*)calloc(1,sizeof(krb5_checksum));
+ if (s->checksum == NULL) return ENOMEM;
+ retval = ktest_make_sample_checksum(s->checksum);
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_priv(p)
- krb5_priv * p;
+ krb5_priv * p;
{
- return ktest_make_sample_enc_data(&(p->enc_part));
+ return ktest_make_sample_enc_data(&(p->enc_part));
}
krb5_error_code ktest_make_sample_priv_enc_part(pep)
- krb5_priv_enc_part * pep;
+ krb5_priv_enc_part * pep;
{
- krb5_error_code retval;
- retval = ktest_make_sample_data(&(pep->user_data));
- if(retval) return retval;
- pep->timestamp = SAMPLE_TIME;
- pep->usec = SAMPLE_USEC;
- pep->seq_number = SAMPLE_SEQ_NUMBER;
- pep->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(pep->s_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(pep->s_address);
- if(retval) return retval;
- pep->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(pep->r_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(pep->r_address);
- if(retval) return retval;
- return 0;
+ krb5_error_code retval;
+ retval = ktest_make_sample_data(&(pep->user_data));
+ if (retval) return retval;
+ pep->timestamp = SAMPLE_TIME;
+ pep->usec = SAMPLE_USEC;
+ pep->seq_number = SAMPLE_SEQ_NUMBER;
+ pep->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (pep->s_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(pep->s_address);
+ if (retval) return retval;
+ pep->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (pep->r_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(pep->r_address);
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_cred(c)
- krb5_cred * c;
+ krb5_cred * c;
{
- krb5_error_code retval;
- retval = ktest_make_sample_sequence_of_ticket(&(c->tickets));
- if(retval) return retval;
- retval = ktest_make_sample_enc_data(&(c->enc_part));
- if(retval) return retval;
- return 0;
+ krb5_error_code retval;
+ retval = ktest_make_sample_sequence_of_ticket(&(c->tickets));
+ if (retval) return retval;
+ retval = ktest_make_sample_enc_data(&(c->enc_part));
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_sequence_of_ticket(sot)
- krb5_ticket *** sot;
+ krb5_ticket *** sot;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- *sot = (krb5_ticket**)calloc(3,sizeof(krb5_ticket*));
- if(*sot == NULL) return ENOMEM;
- for(i=0; i<2; i++){
- (*sot)[i] = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
- if((*sot)[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_ticket((*sot)[i]);
- if(retval) return retval;
- }
- (*sot)[2] = NULL;
+ *sot = (krb5_ticket**)calloc(3,sizeof(krb5_ticket*));
+ if (*sot == NULL) return ENOMEM;
+ for (i=0; i<2; i++) {
+ (*sot)[i] = (krb5_ticket*)calloc(1,sizeof(krb5_ticket));
+ if ((*sot)[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_ticket((*sot)[i]);
+ if (retval) return retval;
+ }
+ (*sot)[2] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_cred_enc_part(cep)
- krb5_cred_enc_part * cep;
+ krb5_cred_enc_part * cep;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- cep->nonce = SAMPLE_NONCE;
- cep->timestamp = SAMPLE_TIME;
- cep->usec = SAMPLE_USEC;
- cep->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(cep->s_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(cep->s_address);
- if(retval) return retval;
- cep->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
- if(cep->r_address == NULL) return ENOMEM;
- retval = ktest_make_sample_address(cep->r_address);
- if(retval) return retval;
- retval = ktest_make_sequence_of_cred_info(&(cep->ticket_info));
- if(retval) return retval;
+ cep->nonce = SAMPLE_NONCE;
+ cep->timestamp = SAMPLE_TIME;
+ cep->usec = SAMPLE_USEC;
+ cep->s_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (cep->s_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(cep->s_address);
+ if (retval) return retval;
+ cep->r_address = (krb5_address*)calloc(1,sizeof(krb5_address));
+ if (cep->r_address == NULL) return ENOMEM;
+ retval = ktest_make_sample_address(cep->r_address);
+ if (retval) return retval;
+ retval = ktest_make_sequence_of_cred_info(&(cep->ticket_info));
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sequence_of_cred_info(soci)
- krb5_cred_info *** soci;
+ krb5_cred_info *** soci;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- *soci = (krb5_cred_info**)calloc(3,sizeof(krb5_cred_info*));
- if(*soci == NULL) return ENOMEM;
- for(i=0; i<2; i++){
- (*soci)[i] = (krb5_cred_info*)calloc(1,sizeof(krb5_cred_info));
- if((*soci)[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_cred_info((*soci)[i]);
- if(retval) return retval;
- }
- (*soci)[2] = NULL;
+ *soci = (krb5_cred_info**)calloc(3,sizeof(krb5_cred_info*));
+ if (*soci == NULL) return ENOMEM;
+ for (i=0; i<2; i++) {
+ (*soci)[i] = (krb5_cred_info*)calloc(1,sizeof(krb5_cred_info));
+ if ((*soci)[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_cred_info((*soci)[i]);
+ if (retval) return retval;
+ }
+ (*soci)[2] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_cred_info(ci)
- krb5_cred_info * ci;
+ krb5_cred_info * ci;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- ci->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
- if(ci->session == NULL) return ENOMEM;
- retval = ktest_make_sample_keyblock(ci->session);
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(ci->client));
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(ci->server));
- if(retval) return retval;
- ci->flags = SAMPLE_FLAGS;
- ci->times.authtime = SAMPLE_TIME;
- ci->times.starttime = SAMPLE_TIME;
- ci->times.endtime = SAMPLE_TIME;
- ci->times.renew_till = SAMPLE_TIME;
- retval = ktest_make_sample_addresses(&(ci->caddrs));
- if(retval) return retval;
+ ci->session = (krb5_keyblock*)calloc(1,sizeof(krb5_keyblock));
+ if (ci->session == NULL) return ENOMEM;
+ retval = ktest_make_sample_keyblock(ci->session);
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(ci->client));
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(ci->server));
+ if (retval) return retval;
+ ci->flags = SAMPLE_FLAGS;
+ ci->times.authtime = SAMPLE_TIME;
+ ci->times.starttime = SAMPLE_TIME;
+ ci->times.endtime = SAMPLE_TIME;
+ ci->times.renew_till = SAMPLE_TIME;
+ retval = ktest_make_sample_addresses(&(ci->caddrs));
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_error(kerr)
- krb5_error * kerr;
+ krb5_error * kerr;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- kerr->ctime = SAMPLE_TIME;
- kerr->cusec = SAMPLE_USEC;
- kerr->susec = SAMPLE_USEC;
- kerr->stime = SAMPLE_TIME;
- kerr->error = SAMPLE_ERROR;
- retval = ktest_make_sample_principal(&(kerr->client));
- if(retval) return retval;
- retval = ktest_make_sample_principal(&(kerr->server));
- if(retval) return retval;
- retval = ktest_make_sample_data(&(kerr->text));
- if(retval) return retval;
- retval = ktest_make_sample_data(&(kerr->e_data));
- if(retval) return retval;
+ kerr->ctime = SAMPLE_TIME;
+ kerr->cusec = SAMPLE_USEC;
+ kerr->susec = SAMPLE_USEC;
+ kerr->stime = SAMPLE_TIME;
+ kerr->error = SAMPLE_ERROR;
+ retval = ktest_make_sample_principal(&(kerr->client));
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&(kerr->server));
+ if (retval) return retval;
+ retval = ktest_make_sample_data(&(kerr->text));
+ if (retval) return retval;
+ retval = ktest_make_sample_data(&(kerr->e_data));
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_data(d)
- krb5_data * d;
+ krb5_data * d;
{
- d->data = (char*)calloc(8,sizeof(char));
- if(d->data == NULL) return ENOMEM;
- d->length = 8;
- memcpy(d->data,"krb5data",8);
+ d->data = (char*)calloc(8,sizeof(char));
+ if (d->data == NULL) return ENOMEM;
+ d->length = 8;
+ memcpy(d->data,"krb5data",8);
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_passwd_phrase_element(ppe)
- passwd_phrase_element * ppe;
+ passwd_phrase_element * ppe;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- ppe->passwd = (krb5_data*)calloc(1,sizeof(krb5_data));
- if(ppe->passwd == NULL) return ENOMEM;
- retval = ktest_make_sample_data(ppe->passwd);
- if(retval) return retval;
- ppe->phrase = (krb5_data*)calloc(1,sizeof(krb5_data));
- if(ppe->phrase == NULL) return ENOMEM;
- retval = ktest_make_sample_data(ppe->phrase);
- if(retval) return retval;
- return 0;
+ ppe->passwd = (krb5_data*)calloc(1,sizeof(krb5_data));
+ if (ppe->passwd == NULL) return ENOMEM;
+ retval = ktest_make_sample_data(ppe->passwd);
+ if (retval) return retval;
+ ppe->phrase = (krb5_data*)calloc(1,sizeof(krb5_data));
+ if (ppe->phrase == NULL) return ENOMEM;
+ retval = ktest_make_sample_data(ppe->phrase);
+ if (retval) return retval;
+ return 0;
}
krb5_error_code ktest_make_sample_krb5_pwd_data(pd)
- krb5_pwd_data * pd;
+ krb5_pwd_data * pd;
{
- krb5_error_code retval;
- int i;
+ krb5_error_code retval;
+ int i;
- pd->sequence_count = 2;
+ pd->sequence_count = 2;
- pd->element = (passwd_phrase_element**)calloc(3,sizeof(passwd_phrase_element*));
- if(pd->element == NULL) return ENOMEM;
+ pd->element = (passwd_phrase_element**)calloc(3,sizeof(passwd_phrase_element*));
+ if (pd->element == NULL) return ENOMEM;
- for(i=0; i<=1; i++){
- pd->element[i] = (passwd_phrase_element*)calloc(1,sizeof(passwd_phrase_element));
- if(pd->element[i] == NULL) return ENOMEM;
- retval = ktest_make_sample_passwd_phrase_element(pd->element[i]);
- if(retval) return retval;
- }
- pd->element[2] = NULL;
+ for (i=0; i<=1; i++) {
+ pd->element[i] = (passwd_phrase_element*)calloc(1,sizeof(passwd_phrase_element));
+ if (pd->element[i] == NULL) return ENOMEM;
+ retval = ktest_make_sample_passwd_phrase_element(pd->element[i]);
+ if (retval) return retval;
+ }
+ pd->element[2] = NULL;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_alt_method(p)
- krb5_alt_method * p;
+ krb5_alt_method * p;
{
p->method = 42;
p->data = (krb5_octet *) strdup("secret");
- if(p->data == NULL) return ENOMEM;
+ if (p->data == NULL) return ENOMEM;
p->length = strlen((char *) p->data);
return 0;
}
krb5_error_code ktest_make_sample_etype_info(p)
- krb5_etype_info_entry *** p;
+ krb5_etype_info_entry *** p;
{
krb5_etype_info_entry **info;
- int i;
- char buf[80];
+ int i, len;
+ char *str;
info = malloc(sizeof(krb5_etype_info_entry *) * 4);
if (!info)
@@ -650,12 +650,11 @@
if (info[i] == 0)
goto memfail;
info[i]->etype = i;
- sprintf(buf, "Morton's #%d", i);
- info[i]->length = strlen(buf);
- info[i]->salt = malloc((size_t) (info[i]->length+1));
- if (info[i]->salt == 0)
+ len = asprintf(&str, "Morton's #%d", i);
+ if (len < 0)
goto memfail;
- strcpy((char *) info[i]->salt, buf);
+ info[i]->salt = (krb5_octet *) str;
+ info[i]->length = len;
info[i]->s2kparams.data = NULL;
info[i]->s2kparams.length = 0;
info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
@@ -672,11 +671,11 @@
krb5_error_code ktest_make_sample_etype_info2(p)
- krb5_etype_info_entry *** p;
+ krb5_etype_info_entry *** p;
{
krb5_etype_info_entry **info;
- int i;
- char buf[80];
+ int i, len;
+ char *str;
info = malloc(sizeof(krb5_etype_info_entry *) * 4);
if (!info)
@@ -688,18 +687,15 @@
if (info[i] == 0)
goto memfail;
info[i]->etype = i;
- sprintf(buf, "Morton's #%d", i);
- info[i]->length = strlen(buf);
- info[i]->salt = malloc((size_t) (info[i]->length+1));
- if (info[i]->salt == 0)
+ len = asprintf(&str, "Morton's #%d", i);
+ if (len < 0)
goto memfail;
- strcpy((char *) info[i]->salt, buf);
- sprintf(buf, "s2k: %d", i);
- info[i]->s2kparams.data = malloc(strlen(buf)+1);
- if (info[i]->s2kparams.data == NULL)
+ info[i]->salt = (krb5_octet *) str;
+ info[i]->length = (unsigned int) len;
+ len = asprintf(&info[i]->s2kparams.data, "s2k: %d", i);
+ if (len < 0)
goto memfail;
- strcpy( info[i]->s2kparams.data, buf);
- info[i]->s2kparams.length = strlen(buf);
+ info[i]->s2kparams.length = (unsigned int) len;
info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
}
free(info[1]->salt);
@@ -714,279 +710,380 @@
krb5_error_code ktest_make_sample_pa_enc_ts(pa_enc)
- krb5_pa_enc_ts * pa_enc;
+ krb5_pa_enc_ts * pa_enc;
{
- pa_enc->patimestamp = SAMPLE_TIME;
- pa_enc->pausec = SAMPLE_USEC;
+ pa_enc->patimestamp = SAMPLE_TIME;
+ pa_enc->pausec = SAMPLE_USEC;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_sam_challenge(p)
- krb5_sam_challenge * p;
+ krb5_sam_challenge * p;
{
- krb5_error_code retval;
+ krb5_error_code retval;
- p->magic = KV5M_SAM_CHALLENGE;
- p->sam_type = 42; /* information */
- p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
- p->sam_type_name.data = strdup("type name");
- if (p->sam_type_name.data == NULL) return ENOMEM;
- p->sam_type_name.length = strlen(p->sam_type_name.data);
- p->sam_track_id.data = 0;
- p->sam_track_id.length = 0;
- p->sam_challenge_label.data = strdup("challenge label");
- if (p->sam_challenge_label.data == NULL) return ENOMEM;
- p->sam_challenge_label.length = strlen(p->sam_challenge_label.data);
- p->sam_challenge.data = strdup("challenge ipse");
- if (p->sam_challenge.data == NULL) return ENOMEM;
- p->sam_challenge.length = strlen(p->sam_challenge.data);
- p->sam_response_prompt.data = strdup("response_prompt ipse");
- if (p->sam_response_prompt.data == NULL) return ENOMEM;
- p->sam_response_prompt.length = strlen(p->sam_response_prompt.data);
- p->sam_pk_for_sad.data = 0;
- p->sam_pk_for_sad.length = 0;
- p->sam_nonce = 0x543210;
- retval = ktest_make_sample_checksum(&p->sam_cksum);
- if(retval) return retval;
+ p->magic = KV5M_SAM_CHALLENGE;
+ p->sam_type = 42; /* information */
+ p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
+ p->sam_type_name.data = strdup("type name");
+ if (p->sam_type_name.data == NULL) return ENOMEM;
+ p->sam_type_name.length = strlen(p->sam_type_name.data);
+ p->sam_track_id.data = 0;
+ p->sam_track_id.length = 0;
+ p->sam_challenge_label.data = strdup("challenge label");
+ if (p->sam_challenge_label.data == NULL) return ENOMEM;
+ p->sam_challenge_label.length = strlen(p->sam_challenge_label.data);
+ p->sam_challenge.data = strdup("challenge ipse");
+ if (p->sam_challenge.data == NULL) return ENOMEM;
+ p->sam_challenge.length = strlen(p->sam_challenge.data);
+ p->sam_response_prompt.data = strdup("response_prompt ipse");
+ if (p->sam_response_prompt.data == NULL) return ENOMEM;
+ p->sam_response_prompt.length = strlen(p->sam_response_prompt.data);
+ p->sam_pk_for_sad.data = 0;
+ p->sam_pk_for_sad.length = 0;
+ p->sam_nonce = 0x543210;
+ retval = ktest_make_sample_checksum(&p->sam_cksum);
+ if (retval) return retval;
- return 0;
+ return 0;
}
krb5_error_code ktest_make_sample_sam_response(p)
- krb5_sam_response * p;
+ krb5_sam_response * p;
{
- p->magic = KV5M_SAM_RESPONSE;
- p->sam_type = 42; /* information */
- p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
- p->sam_track_id.data = strdup("track data");
- if (p->sam_track_id.data == NULL) return ENOMEM;
- p->sam_track_id.length = strlen(p->sam_track_id.data);
- p->sam_enc_key.ciphertext.data = strdup("key");
- if (p->sam_enc_key.ciphertext.data == NULL) return ENOMEM;
- p->sam_enc_key.ciphertext.length = strlen(p->sam_enc_key.ciphertext.data);
- p->sam_enc_key.enctype = ENCTYPE_DES_CBC_CRC;
- p->sam_enc_key.kvno = 1942;
- p->sam_enc_nonce_or_ts.ciphertext.data = strdup("nonce or ts");
- if (p->sam_enc_nonce_or_ts.ciphertext.data == NULL) return ENOMEM;
- p->sam_enc_nonce_or_ts.ciphertext.length =
- strlen(p->sam_enc_nonce_or_ts.ciphertext.data);
- p->sam_enc_nonce_or_ts.enctype = ENCTYPE_DES_CBC_CRC;
- p->sam_enc_nonce_or_ts.kvno = 3382;
- p->sam_nonce = 0x543210;
- p->sam_patimestamp = SAMPLE_TIME;
+ p->magic = KV5M_SAM_RESPONSE;
+ p->sam_type = 42; /* information */
+ p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
+ p->sam_track_id.data = strdup("track data");
+ if (p->sam_track_id.data == NULL) return ENOMEM;
+ p->sam_track_id.length = strlen(p->sam_track_id.data);
+ p->sam_enc_key.ciphertext.data = strdup("key");
+ if (p->sam_enc_key.ciphertext.data == NULL) return ENOMEM;
+ p->sam_enc_key.ciphertext.length = strlen(p->sam_enc_key.ciphertext.data);
+ p->sam_enc_key.enctype = ENCTYPE_DES_CBC_CRC;
+ p->sam_enc_key.kvno = 1942;
+ p->sam_enc_nonce_or_ts.ciphertext.data = strdup("nonce or ts");
+ if (p->sam_enc_nonce_or_ts.ciphertext.data == NULL) return ENOMEM;
+ p->sam_enc_nonce_or_ts.ciphertext.length =
+ strlen(p->sam_enc_nonce_or_ts.ciphertext.data);
+ p->sam_enc_nonce_or_ts.enctype = ENCTYPE_DES_CBC_CRC;
+ p->sam_enc_nonce_or_ts.kvno = 3382;
+ p->sam_nonce = 0x543210;
+ p->sam_patimestamp = SAMPLE_TIME;
- return 0;
+ return 0;
}
+krb5_error_code ktest_make_sample_sam_response_2(p)
+ krb5_sam_response_2 * p;
+{
+ p->magic = KV5M_SAM_RESPONSE;
+ p->sam_type = 43; /* information */
+ p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
+ p->sam_track_id.data = strdup("track data");
+ if (p->sam_track_id.data == NULL) return ENOMEM;
+ p->sam_track_id.length = strlen(p->sam_track_id.data);
+ p->sam_enc_nonce_or_sad.ciphertext.data = strdup("nonce or sad");
+ if (p->sam_enc_nonce_or_sad.ciphertext.data == NULL) return ENOMEM;
+ p->sam_enc_nonce_or_sad.ciphertext.length =
+ strlen(p->sam_enc_nonce_or_sad.ciphertext.data);
+ p->sam_enc_nonce_or_sad.enctype = ENCTYPE_DES_CBC_CRC;
+ p->sam_enc_nonce_or_sad.kvno = 3382;
+ p->sam_nonce = 0x543210;
+ return 0;
+}
+krb5_error_code ktest_make_sample_sam_key(p)
+ krb5_sam_key *p;
+{
+ p->magic = 99;
+ return ktest_make_sample_keyblock(&p->sam_key);
+}
+krb5_error_code ktest_make_sample_enc_sam_response_enc(p)
+ krb5_enc_sam_response_enc *p;
+{
+ p->magic = 78;
+ p->sam_nonce = 78634;
+ p->sam_timestamp = 99999;
+ p->sam_usec = 399;
+ p->sam_sad.data = strdup("enc_sam_response_enc");
+ if (p->sam_sad.data == NULL) return ENOMEM;
+ p->sam_sad.length = strlen(p->sam_sad.data);
+ return 0;
+}
+krb5_error_code ktest_make_sample_enc_sam_response_enc_2(p)
+ krb5_enc_sam_response_enc_2 *p;
+{
+ p->magic = 83;
+ p->sam_nonce = 88;
+ p->sam_sad.data = strdup("enc_sam_response_enc_2");
+ if (p->sam_sad.data == NULL) return ENOMEM;
+ p->sam_sad.length = strlen(p->sam_sad.data);
+ return 0;
+}
+#ifdef ENABLE_LDAP
+static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
+{
+ char *str;
+ int len;
+ p->key_data_ver = 2;
+ p->key_data_kvno = 42;
+ len = asprintf(&str, "key%d", i);
+ p->key_data_type[0] = 2;
+ p->key_data_length[0] = (unsigned int) len;
+ p->key_data_contents[0] = (krb5_octet *) str;
+ len = asprintf(&str, "salt%d", i);
+ p->key_data_type[1] = i;
+ p->key_data_length[1] = (unsigned int) len;
+ p->key_data_contents[1] = (krb5_octet *) str;
+ if (p->key_data_contents[0] == NULL || p->key_data_contents[1] == NULL)
+ return ENOMEM;
+ return 0;
+}
+
+krb5_error_code ktest_make_sample_ldap_seqof_key_data(p)
+ ldap_seqof_key_data *p;
+{
+ int i;
+ p->mkvno = 14;
+ p->n_key_data = 3;
+ p->key_data = calloc(3,sizeof(krb5_key_data));
+ for (i = 0; i < 3; i++) {
+ krb5_error_code ret;
+ ret = ktest_make_sample_key_data(&p->key_data[i], i);
+ if (ret) return ret;
+ }
+ return 0;
+}
+#endif
+
+krb5_error_code ktest_make_sample_predicted_sam_response(p)
+ krb5_predicted_sam_response *p;
+{
+ krb5_error_code retval;
+
+ p->magic = 79;
+ retval = ktest_make_sample_keyblock(&p->sam_key);
+ if (retval) return retval;
+ p->sam_flags = 9;
+ p->stime = 17;
+ p->susec = 18;
+ retval = ktest_make_sample_principal(&p->client);
+ if (retval) return retval;
+ retval = krb5_data_parse(&p->msd, "hello");
+ if (retval) return retval;
+ return 0;
+}
+
+
/****************************************************************/
/* destructors */
void ktest_destroy_data(d)
- krb5_data ** d;
+ krb5_data ** d;
{
- if(*d != NULL){
- if((*d)->data != NULL) free((*d)->data);
- free(*d);
- *d = NULL;
- }
+ if (*d != NULL) {
+ if ((*d)->data != NULL) free((*d)->data);
+ free(*d);
+ *d = NULL;
+ }
}
void ktest_empty_data(d)
- krb5_data * d;
+ krb5_data * d;
{
- if(d->data != NULL){
- free(d->data);
- d->data = NULL;
- d->length = 0;
- }
+ if (d->data != NULL) {
+ free(d->data);
+ d->data = NULL;
+ d->length = 0;
+ }
}
void ktest_destroy_checksum(cs)
- krb5_checksum ** cs;
+ krb5_checksum ** cs;
{
- if(*cs != NULL){
- if((*cs)->contents != NULL) free((*cs)->contents);
- free(*cs);
- *cs = NULL;
- }
+ if (*cs != NULL) {
+ if ((*cs)->contents != NULL) free((*cs)->contents);
+ free(*cs);
+ *cs = NULL;
+ }
}
void ktest_empty_keyblock(kb)
- krb5_keyblock * kb;
+ krb5_keyblock * kb;
{
- if (kb != NULL) {
- if (kb->contents) {
- free (kb->contents);
- kb->contents = NULL;
+ if (kb != NULL) {
+ if (kb->contents) {
+ free (kb->contents);
+ kb->contents = NULL;
+ }
}
- }
}
void ktest_destroy_keyblock(kb)
- krb5_keyblock ** kb;
+ krb5_keyblock ** kb;
{
- if(*kb != NULL){
- if((*kb)->contents != NULL) free((*kb)->contents);
- free(*kb);
- *kb = NULL;
- }
+ if (*kb != NULL) {
+ if ((*kb)->contents != NULL) free((*kb)->contents);
+ free(*kb);
+ *kb = NULL;
+ }
}
void ktest_empty_authorization_data(ad)
- krb5_authdata ** ad;
+ krb5_authdata ** ad;
{
- int i;
+ int i;
- if(*ad != NULL) {
- for(i=0; ad[i] != NULL; i++)
- ktest_destroy_authdata(&(ad[i]));
- }
+ if (*ad != NULL) {
+ for (i=0; ad[i] != NULL; i++)
+ ktest_destroy_authdata(&(ad[i]));
+ }
}
void ktest_destroy_authorization_data(ad)
- krb5_authdata *** ad;
+ krb5_authdata *** ad;
{
- ktest_empty_authorization_data(*ad);
- free(*ad);
- *ad = NULL;
+ ktest_empty_authorization_data(*ad);
+ free(*ad);
+ *ad = NULL;
}
void ktest_destroy_authdata(ad)
- krb5_authdata ** ad;
+ krb5_authdata ** ad;
{
- if(*ad != NULL){
- if((*ad)->contents != NULL) free((*ad)->contents);
- free(*ad);
- *ad = NULL;
- }
+ if (*ad != NULL) {
+ if ((*ad)->contents != NULL) free((*ad)->contents);
+ free(*ad);
+ *ad = NULL;
+ }
}
void ktest_empty_pa_data_array(pad)
- krb5_pa_data ** pad;
+ krb5_pa_data ** pad;
{
- int i;
+ int i;
- for(i=0; pad[i] != NULL; i++)
- ktest_destroy_pa_data(&(pad[i]));
+ for (i=0; pad[i] != NULL; i++)
+ ktest_destroy_pa_data(&(pad[i]));
}
void ktest_destroy_pa_data_array(pad)
- krb5_pa_data *** pad;
+ krb5_pa_data *** pad;
{
- ktest_empty_pa_data_array(*pad);
- free(*pad);
- *pad = NULL;
+ ktest_empty_pa_data_array(*pad);
+ free(*pad);
+ *pad = NULL;
}
void ktest_destroy_pa_data(pad)
- krb5_pa_data ** pad;
+ krb5_pa_data ** pad;
{
- if(*pad != NULL){
- if((*pad)->contents != NULL) free((*pad)->contents);
- free(*pad);
- *pad = NULL;
- }
+ if (*pad != NULL) {
+ if ((*pad)->contents != NULL) free((*pad)->contents);
+ free(*pad);
+ *pad = NULL;
+ }
}
void ktest_destroy_address(a)
- krb5_address ** a;
+ krb5_address ** a;
{
- if(*a != NULL){
- if((*a)->contents != NULL) free((*a)->contents);
- free(*a);
- *a = NULL;
- }
+ if (*a != NULL) {
+ if ((*a)->contents != NULL) free((*a)->contents);
+ free(*a);
+ *a = NULL;
+ }
}
void ktest_empty_addresses(a)
- krb5_address ** a;
+ krb5_address ** a;
{
- int i;
+ int i;
- for(i=0; a[i] != NULL; i++)
- ktest_destroy_address(&(a[i]));
+ for (i=0; a[i] != NULL; i++)
+ ktest_destroy_address(&(a[i]));
}
void ktest_destroy_addresses(a)
- krb5_address *** a;
+ krb5_address *** a;
{
- ktest_empty_addresses(*a);
- free(*a);
- *a = NULL;
+ ktest_empty_addresses(*a);
+ free(*a);
+ *a = NULL;
}
void ktest_destroy_principal(p)
- krb5_principal * p;
+ krb5_principal * p;
{
- int i;
+ int i;
- for(i=0; i<(*p)->length; i++)
- ktest_empty_data(&(((*p)->data)[i]));
- ktest_empty_data(&((*p)->realm));
- free((*p)->data);
- free(*p);
- *p = NULL;
+ for (i=0; i<(*p)->length; i++)
+ ktest_empty_data(&(((*p)->data)[i]));
+ ktest_empty_data(&((*p)->realm));
+ free((*p)->data);
+ free(*p);
+ *p = NULL;
}
void ktest_destroy_sequence_of_integer(soi)
- long ** soi;
+ long ** soi;
{
- free(*soi);
- *soi = NULL;
+ free(*soi);
+ *soi = NULL;
}
#if 0
void ktest_destroy_sequence_of_enctype(soi)
- krb5_enctype ** soi;
+ krb5_enctype ** soi;
{
- free(*soi);
- *soi = NULL;
+ free(*soi);
+ *soi = NULL;
}
#endif
void ktest_destroy_sequence_of_ticket(sot)
- krb5_ticket *** sot;
+ krb5_ticket *** sot;
{
- int i;
+ int i;
- for(i=0; (*sot)[i] != NULL; i++)
- ktest_destroy_ticket(&((*sot)[i]));
- free(*sot);
- *sot = NULL;
+ for (i=0; (*sot)[i] != NULL; i++)
+ ktest_destroy_ticket(&((*sot)[i]));
+ free(*sot);
+ *sot = NULL;
}
void ktest_destroy_ticket(tkt)
- krb5_ticket ** tkt;
+ krb5_ticket ** tkt;
{
- ktest_destroy_principal(&((*tkt)->server));
- ktest_destroy_enc_data(&((*tkt)->enc_part));
- /* ktest_empty_enc_tkt_part(((*tkt)->enc_part2));*/
- free(*tkt);
- *tkt = NULL;
+ ktest_destroy_principal(&((*tkt)->server));
+ ktest_destroy_enc_data(&((*tkt)->enc_part));
+ /* ktest_empty_enc_tkt_part(((*tkt)->enc_part2));*/
+ free(*tkt);
+ *tkt = NULL;
}
void ktest_empty_ticket(tkt)
- krb5_ticket * tkt;
+ krb5_ticket * tkt;
{
- if(tkt->server)
- ktest_destroy_principal(&((tkt)->server));
- ktest_destroy_enc_data(&((tkt)->enc_part));
- if (tkt->enc_part2) {
- ktest_destroy_enc_tkt_part(&(tkt->enc_part2));
- }
+ if (tkt->server)
+ ktest_destroy_principal(&((tkt)->server));
+ ktest_destroy_enc_data(&((tkt)->enc_part));
+ if (tkt->enc_part2) {
+ ktest_destroy_enc_tkt_part(&(tkt->enc_part2));
+ }
}
void ktest_destroy_enc_data(ed)
- krb5_enc_data * ed;
+ krb5_enc_data * ed;
{
- ktest_empty_data(&(ed->ciphertext));
- ed->kvno = 0;
+ ktest_empty_data(&(ed->ciphertext));
+ ed->kvno = 0;
}
void ktest_destroy_etype_info_entry(i)
@@ -1001,291 +1098,338 @@
void ktest_destroy_etype_info(info)
krb5_etype_info_entry **info;
{
- int i;
+ int i;
- for(i=0; info[i] != NULL; i++)
- ktest_destroy_etype_info_entry(info[i]);
- free(info);
+ for (i=0; info[i] != NULL; i++)
+ ktest_destroy_etype_info_entry(info[i]);
+ free(info);
}
void ktest_empty_kdc_req(kr)
- krb5_kdc_req *kr;
+ krb5_kdc_req *kr;
{
- if (kr->padata)
- ktest_destroy_pa_data_array(&(kr->padata));
+ if (kr->padata)
+ ktest_destroy_pa_data_array(&(kr->padata));
- if (kr->client)
- ktest_destroy_principal(&(kr->client));
+ if (kr->client)
+ ktest_destroy_principal(&(kr->client));
- if (kr->server)
- ktest_destroy_principal(&(kr->server));
- if (kr->ktype)
- free(kr->ktype);
- if (kr->addresses)
- ktest_destroy_addresses(&(kr->addresses));
- ktest_destroy_enc_data(&(kr->authorization_data));
- if (kr->unenc_authdata)
- ktest_destroy_authorization_data(&(kr->unenc_authdata));
- if (kr->second_ticket)
- ktest_destroy_sequence_of_ticket(&(kr->second_ticket));
+ if (kr->server)
+ ktest_destroy_principal(&(kr->server));
+ if (kr->ktype)
+ free(kr->ktype);
+ if (kr->addresses)
+ ktest_destroy_addresses(&(kr->addresses));
+ ktest_destroy_enc_data(&(kr->authorization_data));
+ if (kr->unenc_authdata)
+ ktest_destroy_authorization_data(&(kr->unenc_authdata));
+ if (kr->second_ticket)
+ ktest_destroy_sequence_of_ticket(&(kr->second_ticket));
}
void ktest_empty_kdc_rep(kr)
- krb5_kdc_rep *kr;
+ krb5_kdc_rep *kr;
{
- if (kr->padata)
- ktest_destroy_pa_data_array(&(kr->padata));
+ if (kr->padata)
+ ktest_destroy_pa_data_array(&(kr->padata));
- if (kr->client)
- ktest_destroy_principal(&(kr->client));
+ if (kr->client)
+ ktest_destroy_principal(&(kr->client));
- if (kr->ticket)
- ktest_destroy_ticket(&(kr->ticket));
+ if (kr->ticket)
+ ktest_destroy_ticket(&(kr->ticket));
- ktest_destroy_enc_data(&kr->enc_part);
+ ktest_destroy_enc_data(&kr->enc_part);
- if (kr->enc_part2) {
- ktest_empty_enc_kdc_rep_part(kr->enc_part2);
- free(kr->enc_part2);
- kr->enc_part2 = NULL;
- }
+ if (kr->enc_part2) {
+ ktest_empty_enc_kdc_rep_part(kr->enc_part2);
+ free(kr->enc_part2);
+ kr->enc_part2 = NULL;
+ }
}
void ktest_empty_authenticator(a)
- krb5_authenticator * a;
+ krb5_authenticator * a;
{
- if(a->client)
- ktest_destroy_principal(&(a->client));
- if(a->checksum)
- ktest_destroy_checksum(&(a->checksum));
- if(a->subkey)
- ktest_destroy_keyblock(&(a->subkey));
- if(a->authorization_data)
- ktest_destroy_authorization_data(&(a->authorization_data));
+ if (a->client)
+ ktest_destroy_principal(&(a->client));
+ if (a->checksum)
+ ktest_destroy_checksum(&(a->checksum));
+ if (a->subkey)
+ ktest_destroy_keyblock(&(a->subkey));
+ if (a->authorization_data)
+ ktest_destroy_authorization_data(&(a->authorization_data));
}
void ktest_empty_enc_tkt_part(etp)
- krb5_enc_tkt_part * etp;
+ krb5_enc_tkt_part * etp;
{
- if(etp->session)
- ktest_destroy_keyblock(&(etp->session));
- if(etp->client)
- ktest_destroy_principal(&(etp->client));
- if (etp->caddrs)
- ktest_destroy_addresses(&(etp->caddrs));
- if(etp->authorization_data)
- ktest_destroy_authorization_data(&(etp->authorization_data));
- ktest_destroy_transited(&(etp->transited));
+ if (etp->session)
+ ktest_destroy_keyblock(&(etp->session));
+ if (etp->client)
+ ktest_destroy_principal(&(etp->client));
+ if (etp->caddrs)
+ ktest_destroy_addresses(&(etp->caddrs));
+ if (etp->authorization_data)
+ ktest_destroy_authorization_data(&(etp->authorization_data));
+ ktest_destroy_transited(&(etp->transited));
}
void ktest_destroy_enc_tkt_part(etp)
- krb5_enc_tkt_part ** etp;
+ krb5_enc_tkt_part ** etp;
{
- if(*etp) {
- ktest_empty_enc_tkt_part(*etp);
- free(*etp);
- *etp = NULL;
- }
+ if (*etp) {
+ ktest_empty_enc_tkt_part(*etp);
+ free(*etp);
+ *etp = NULL;
+ }
}
void ktest_empty_enc_kdc_rep_part(ekr)
- krb5_enc_kdc_rep_part * ekr;
+ krb5_enc_kdc_rep_part * ekr;
{
- if(ekr->session)
- ktest_destroy_keyblock(&(ekr->session));
+ if (ekr->session)
+ ktest_destroy_keyblock(&(ekr->session));
- if(ekr->server)
- ktest_destroy_principal(&(ekr->server));
+ if (ekr->server)
+ ktest_destroy_principal(&(ekr->server));
- if (ekr->caddrs)
- ktest_destroy_addresses(&(ekr->caddrs));
- ktest_destroy_last_req(&(ekr->last_req));
+ if (ekr->caddrs)
+ ktest_destroy_addresses(&(ekr->caddrs));
+ ktest_destroy_last_req(&(ekr->last_req));
}
void ktest_destroy_transited(t)
- krb5_transited * t;
+ krb5_transited * t;
{
- if(t->tr_contents.data)
- ktest_empty_data(&(t->tr_contents));
+ if (t->tr_contents.data)
+ ktest_empty_data(&(t->tr_contents));
}
void ktest_empty_ap_rep(ar)
- krb5_ap_rep * ar;
+ krb5_ap_rep * ar;
{
- ktest_destroy_enc_data(&ar->enc_part);
+ ktest_destroy_enc_data(&ar->enc_part);
}
void ktest_empty_ap_req(ar)
- krb5_ap_req * ar;
+ krb5_ap_req * ar;
{
- if(ar->ticket)
- ktest_destroy_ticket(&(ar->ticket));
- ktest_destroy_enc_data(&(ar->authenticator));
+ if (ar->ticket)
+ ktest_destroy_ticket(&(ar->ticket));
+ ktest_destroy_enc_data(&(ar->authenticator));
}
void ktest_empty_cred_enc_part(cep)
- krb5_cred_enc_part * cep;
+ krb5_cred_enc_part * cep;
{
- if (cep->s_address)
- ktest_destroy_address(&(cep->s_address));
- if (cep->r_address)
- ktest_destroy_address(&(cep->r_address));
- if (cep->ticket_info)
- ktest_destroy_sequence_of_cred_info(&(cep->ticket_info));
+ if (cep->s_address)
+ ktest_destroy_address(&(cep->s_address));
+ if (cep->r_address)
+ ktest_destroy_address(&(cep->r_address));
+ if (cep->ticket_info)
+ ktest_destroy_sequence_of_cred_info(&(cep->ticket_info));
}
void ktest_destroy_cred_info(ci)
- krb5_cred_info ** ci;
+ krb5_cred_info ** ci;
{
- if((*ci)->session)
- ktest_destroy_keyblock(&((*ci)->session));
- if((*ci)->client)
- ktest_destroy_principal(&((*ci)->client));
- if((*ci)->server)
- ktest_destroy_principal(&((*ci)->server));
- if ((*ci)->caddrs)
- ktest_destroy_addresses(&((*ci)->caddrs));
- free(*ci);
- *ci = NULL;
+ if ((*ci)->session)
+ ktest_destroy_keyblock(&((*ci)->session));
+ if ((*ci)->client)
+ ktest_destroy_principal(&((*ci)->client));
+ if ((*ci)->server)
+ ktest_destroy_principal(&((*ci)->server));
+ if ((*ci)->caddrs)
+ ktest_destroy_addresses(&((*ci)->caddrs));
+ free(*ci);
+ *ci = NULL;
}
void ktest_destroy_sequence_of_cred_info(soci)
- krb5_cred_info *** soci;
+ krb5_cred_info *** soci;
{
- int i;
+ int i;
- for(i=0; (*soci)[i] != NULL; i++)
- ktest_destroy_cred_info(&((*soci)[i]));
- free(*soci);
- *soci = NULL;
+ for (i=0; (*soci)[i] != NULL; i++)
+ ktest_destroy_cred_info(&((*soci)[i]));
+ free(*soci);
+ *soci = NULL;
}
void ktest_empty_safe(s)
- krb5_safe * s;
+ krb5_safe * s;
{
- ktest_empty_data(&(s->user_data));
- ktest_destroy_address(&(s->s_address));
- ktest_destroy_address(&(s->r_address));
- ktest_destroy_checksum(&(s->checksum));
+ ktest_empty_data(&(s->user_data));
+ ktest_destroy_address(&(s->s_address));
+ ktest_destroy_address(&(s->r_address));
+ ktest_destroy_checksum(&(s->checksum));
}
void ktest_empty_priv_enc_part(pep)
- krb5_priv_enc_part * pep;
+ krb5_priv_enc_part * pep;
{
- ktest_empty_data(&(pep->user_data));
- ktest_destroy_address(&(pep->s_address));
- ktest_destroy_address(&(pep->r_address));
+ ktest_empty_data(&(pep->user_data));
+ ktest_destroy_address(&(pep->s_address));
+ ktest_destroy_address(&(pep->r_address));
}
void ktest_empty_priv(p)
- krb5_priv * p;
+ krb5_priv * p;
{
- ktest_destroy_enc_data(&(p->enc_part));
+ ktest_destroy_enc_data(&(p->enc_part));
}
void ktest_empty_cred(c)
- krb5_cred * c;
+ krb5_cred * c;
{
- ktest_destroy_sequence_of_ticket(&(c->tickets));
- ktest_destroy_enc_data(&(c->enc_part));
- /* enc_part2 */
+ ktest_destroy_sequence_of_ticket(&(c->tickets));
+ ktest_destroy_enc_data(&(c->enc_part));
+ /* enc_part2 */
}
void ktest_destroy_last_req(lr)
- krb5_last_req_entry *** lr;
+ krb5_last_req_entry *** lr;
{
- int i;
+ int i;
- if(*lr) {
- for(i=0; (*lr)[i] != NULL; i++) {
- free((*lr)[i]);
+ if (*lr) {
+ for (i=0; (*lr)[i] != NULL; i++) {
+ free((*lr)[i]);
+ }
+ free(*lr);
}
- free(*lr);
- }
}
void ktest_empty_error(kerr)
- krb5_error * kerr;
+ krb5_error * kerr;
{
- if(kerr->client)
- ktest_destroy_principal(&(kerr->client));
- if(kerr->server)
- ktest_destroy_principal(&(kerr->server));
- ktest_empty_data(&(kerr->text));
- ktest_empty_data(&(kerr->e_data));
+ if (kerr->client)
+ ktest_destroy_principal(&(kerr->client));
+ if (kerr->server)
+ ktest_destroy_principal(&(kerr->server));
+ ktest_empty_data(&(kerr->text));
+ ktest_empty_data(&(kerr->e_data));
}
void ktest_empty_ap_rep_enc_part(arep)
- krb5_ap_rep_enc_part * arep;
+ krb5_ap_rep_enc_part * arep;
{
- ktest_destroy_keyblock(&((arep)->subkey));
+ ktest_destroy_keyblock(&((arep)->subkey));
}
void ktest_empty_passwd_phrase_element(ppe)
- passwd_phrase_element * ppe;
+ passwd_phrase_element * ppe;
{
- ktest_destroy_data(&(ppe->passwd));
- ktest_destroy_data(&(ppe->phrase));
+ ktest_destroy_data(&(ppe->passwd));
+ ktest_destroy_data(&(ppe->phrase));
}
void ktest_empty_pwd_data(pd)
- krb5_pwd_data * pd;
+ krb5_pwd_data * pd;
{
- int i;
+ int i;
- for(i=0; i <= pd->sequence_count; i++){
- if(pd->element[i]) {
- ktest_empty_passwd_phrase_element(pd->element[i]);
- free(pd->element[i]);
- pd->element[i] = NULL;
+ for (i=0; i <= pd->sequence_count; i++) {
+ if (pd->element[i]) {
+ ktest_empty_passwd_phrase_element(pd->element[i]);
+ free(pd->element[i]);
+ pd->element[i] = NULL;
+ }
}
- }
- free(pd->element);
+ free(pd->element);
}
void ktest_empty_alt_method(am)
- krb5_alt_method *am;
+ krb5_alt_method *am;
{
- if (am->data) {
- free(am->data);
- am->data = NULL;
- }
+ if (am->data) {
+ free(am->data);
+ am->data = NULL;
+ }
}
void ktest_empty_sam_challenge(p)
- krb5_sam_challenge * p;
+ krb5_sam_challenge * p;
{
- ktest_empty_data(&(p->sam_type_name));
- ktest_empty_data(&(p->sam_track_id));
- ktest_empty_data(&(p->sam_challenge_label));
- ktest_empty_data(&(p->sam_challenge));
- ktest_empty_data(&(p->sam_response_prompt));
- ktest_empty_data(&(p->sam_pk_for_sad));
+ ktest_empty_data(&(p->sam_type_name));
+ ktest_empty_data(&(p->sam_track_id));
+ ktest_empty_data(&(p->sam_challenge_label));
+ ktest_empty_data(&(p->sam_challenge));
+ ktest_empty_data(&(p->sam_response_prompt));
+ ktest_empty_data(&(p->sam_pk_for_sad));
- if(p->sam_cksum.contents != NULL) {
- free(p->sam_cksum.contents);
- p->sam_cksum.contents = NULL;
- }
+ if (p->sam_cksum.contents != NULL) {
+ free(p->sam_cksum.contents);
+ p->sam_cksum.contents = NULL;
+ }
}
void ktest_empty_sam_response(p)
- krb5_sam_response * p;
+ krb5_sam_response * p;
{
- ktest_empty_data(&(p->sam_track_id));
- ktest_empty_data(&(p->sam_enc_key.ciphertext));
- ktest_empty_data(&(p->sam_enc_nonce_or_ts.ciphertext));
+ ktest_empty_data(&(p->sam_track_id));
+ ktest_empty_data(&(p->sam_enc_key.ciphertext));
+ ktest_empty_data(&(p->sam_enc_nonce_or_ts.ciphertext));
}
+
+void ktest_empty_sam_key(p)
+ krb5_sam_key *p;
+{
+ if (p->sam_key.contents)
+ free(p->sam_key.contents);
+}
+
+void ktest_empty_predicted_sam_response(p)
+ krb5_predicted_sam_response *p;
+{
+ ktest_empty_keyblock(&p->sam_key);
+ ktest_destroy_principal(&p->client);
+ ktest_empty_data(&p->msd);
+}
+
+void ktest_empty_enc_sam_response_enc(p)
+ krb5_enc_sam_response_enc *p;
+{
+ ktest_empty_data(&p->sam_sad);
+}
+
+void ktest_empty_sam_response_2(p)
+ krb5_sam_response_2 *p;
+{
+ ktest_empty_data(&p->sam_track_id);
+ ktest_empty_data(&p->sam_enc_nonce_or_sad.ciphertext);
+}
+void ktest_empty_enc_sam_response_enc_2(p)
+ krb5_enc_sam_response_enc_2 *p;
+{
+ ktest_empty_data(&p->sam_sad);
+}
+
+#ifdef ENABLE_LDAP
+void ktest_empty_ldap_seqof_key_data(ctx, p)
+ krb5_context ctx;
+ ldap_seqof_key_data *p;
+{
+ int i;
+ for (i = 0; i < p->n_key_data; i++) {
+ free(p->key_data[i].key_data_contents[0]);
+ free(p->key_data[i].key_data_contents[1]);
+ }
+ free(p->key_data);
+}
+#endif
Modified: branches/mkey_migrate/src/tests/asn.1/ktest.h
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/ktest.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/ktest.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,6 +2,7 @@
#define __KTEST_H__
#include "k5-int.h"
+#include "kdb.h"
#define SAMPLE_USEC 123456
#define SAMPLE_TIME 771228197 /* Fri Jun 10 6:03:17 GMT 1994 */
@@ -97,7 +98,18 @@
(krb5_sam_challenge * p);
krb5_error_code ktest_make_sample_sam_response
(krb5_sam_response * p);
+krb5_error_code ktest_make_sample_sam_response_2
+ (krb5_sam_response_2 * p);
+krb5_error_code ktest_make_sample_sam_key(krb5_sam_key *p);
+krb5_error_code ktest_make_sample_enc_sam_response_enc
+ (krb5_enc_sam_response_enc *p);
+krb5_error_code ktest_make_sample_predicted_sam_response(krb5_predicted_sam_response *p);
+krb5_error_code ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
+
+#ifdef ENABLE_LDAP
+krb5_error_code ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data * p);
+#endif
/*----------------------------------------------------------------------*/
void ktest_empty_authorization_data
@@ -197,7 +209,16 @@
(krb5_sam_challenge * p);
void ktest_empty_sam_response
(krb5_sam_response * p);
+void ktest_empty_sam_key(krb5_sam_key *p);
+void ktest_empty_enc_sam_response_enc(krb5_enc_sam_response_enc *p);
+void ktest_empty_predicted_sam_response(krb5_predicted_sam_response *p);
+void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
+void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
+#ifdef ENABLE_LDAP
+void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
+#endif
+
extern krb5_context test_context;
extern char *sample_principal_name;
Modified: branches/mkey_migrate/src/tests/asn.1/ktest_equal.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/ktest_equal.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/ktest_equal.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,464 +5,464 @@
#define FALSE 0
#define TRUE 1
-#define struct_equal(field,comparator)\
-comparator(&(ref->field),&(var->field))
+#define struct_equal(field,comparator) \
+ comparator(&(ref->field),&(var->field))
-#define ptr_equal(field,comparator)\
-comparator(ref->field,var->field)
+#define ptr_equal(field,comparator) \
+ comparator(ref->field,var->field)
-#define scalar_equal(field)\
-((ref->field) == (var->field))
+#define scalar_equal(field) \
+ ((ref->field) == (var->field))
-#define len_equal(length,field,comparator)\
-((ref->length == var->length) && \
- comparator(ref->length,ref->field,var->field))
+#define len_equal(length,field,comparator) \
+ ((ref->length == var->length) && \
+ comparator(ref->length,ref->field,var->field))
int ktest_equal_authenticator(ref, var)
- krb5_authenticator * ref;
- krb5_authenticator * var;
+ krb5_authenticator * ref;
+ krb5_authenticator * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && ptr_equal(client,ktest_equal_principal_data);
- p = p && ptr_equal(checksum,ktest_equal_checksum);
- p = p && scalar_equal(cusec);
- p = p && scalar_equal(ctime);
- p = p && ptr_equal(subkey,ktest_equal_keyblock);
- p = p && scalar_equal(seq_number);
- p = p && ptr_equal(authorization_data,ktest_equal_authorization_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && ptr_equal(client,ktest_equal_principal_data);
+ p = p && ptr_equal(checksum,ktest_equal_checksum);
+ p = p && scalar_equal(cusec);
+ p = p && scalar_equal(ctime);
+ p = p && ptr_equal(subkey,ktest_equal_keyblock);
+ p = p && scalar_equal(seq_number);
+ p = p && ptr_equal(authorization_data,ktest_equal_authorization_data);
+ return p;
}
int ktest_equal_principal_data(ref, var)
- krb5_principal_data * ref;
- krb5_principal_data * var;
+ krb5_principal_data * ref;
+ krb5_principal_data * var;
{
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- return(struct_equal(realm,ktest_equal_data) &&
- len_equal(length,data,ktest_equal_array_of_data) &&
- scalar_equal(type));
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ return(struct_equal(realm,ktest_equal_data) &&
+ len_equal(length,data,ktest_equal_array_of_data) &&
+ scalar_equal(type));
}
int ktest_equal_authdata(ref, var)
- krb5_authdata * ref;
- krb5_authdata * var;
+ krb5_authdata * ref;
+ krb5_authdata * var;
{
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- return(scalar_equal(ad_type) &&
- len_equal(length,contents,ktest_equal_array_of_octet));
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ return(scalar_equal(ad_type) &&
+ len_equal(length,contents,ktest_equal_array_of_octet));
}
int ktest_equal_checksum(ref, var)
- krb5_checksum * ref;
- krb5_checksum * var;
+ krb5_checksum * ref;
+ krb5_checksum * var;
{
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- return(scalar_equal(checksum_type) && len_equal(length,contents,ktest_equal_array_of_octet));
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ return(scalar_equal(checksum_type) && len_equal(length,contents,ktest_equal_array_of_octet));
}
int ktest_equal_keyblock(ref, var)
- krb5_keyblock * ref;
- krb5_keyblock * var;
+ krb5_keyblock * ref;
+ krb5_keyblock * var;
{
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- return(scalar_equal(enctype) && len_equal(length,contents,ktest_equal_array_of_octet));
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ return(scalar_equal(enctype) && len_equal(length,contents,ktest_equal_array_of_octet));
}
int ktest_equal_data(ref, var)
- krb5_data * ref;
- krb5_data * var;
+ krb5_data * ref;
+ krb5_data * var;
{
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- return(len_equal(length,data,ktest_equal_array_of_char));
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ return(len_equal(length,data,ktest_equal_array_of_char));
}
int ktest_equal_ticket(ref, var)
- krb5_ticket * ref;
- krb5_ticket * var;
+ krb5_ticket * ref;
+ krb5_ticket * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && ptr_equal(server,ktest_equal_principal_data);
- p = p && struct_equal(enc_part,ktest_equal_enc_data);
- /* enc_part2 is irrelevant, as far as the ASN.1 code is concerned */
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && ptr_equal(server,ktest_equal_principal_data);
+ p = p && struct_equal(enc_part,ktest_equal_enc_data);
+ /* enc_part2 is irrelevant, as far as the ASN.1 code is concerned */
+ return p;
}
int ktest_equal_enc_data(ref, var)
- krb5_enc_data * ref;
- krb5_enc_data * var;
+ krb5_enc_data * ref;
+ krb5_enc_data * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(enctype);
- p=p&&scalar_equal(kvno);
- p=p&&struct_equal(ciphertext,ktest_equal_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(enctype);
+ p=p&&scalar_equal(kvno);
+ p=p&&struct_equal(ciphertext,ktest_equal_data);
+ return p;
}
int ktest_equal_encryption_key(ref, var)
- krb5_keyblock * ref;
- krb5_keyblock * var;
+ krb5_keyblock * ref;
+ krb5_keyblock * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && scalar_equal(enctype);
- p = p && len_equal(length,contents,ktest_equal_array_of_octet);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(enctype);
+ p = p && len_equal(length,contents,ktest_equal_array_of_octet);
+ return p;
}
int ktest_equal_enc_tkt_part(ref, var)
- krb5_enc_tkt_part * ref;
- krb5_enc_tkt_part * var;
+ krb5_enc_tkt_part * ref;
+ krb5_enc_tkt_part * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && scalar_equal(flags);
- p = p && ptr_equal(session,ktest_equal_encryption_key);
- p = p && ptr_equal(client,ktest_equal_principal_data);
- p = p && struct_equal(transited,ktest_equal_transited);
- p = p && struct_equal(times,ktest_equal_ticket_times);
- p = p && ptr_equal(caddrs,ktest_equal_addresses);
- p = p && ptr_equal(authorization_data,ktest_equal_authorization_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(flags);
+ p = p && ptr_equal(session,ktest_equal_encryption_key);
+ p = p && ptr_equal(client,ktest_equal_principal_data);
+ p = p && struct_equal(transited,ktest_equal_transited);
+ p = p && struct_equal(times,ktest_equal_ticket_times);
+ p = p && ptr_equal(caddrs,ktest_equal_addresses);
+ p = p && ptr_equal(authorization_data,ktest_equal_authorization_data);
+ return p;
}
int ktest_equal_transited(ref, var)
- krb5_transited * ref;
- krb5_transited * var;
+ krb5_transited * ref;
+ krb5_transited * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && scalar_equal(tr_type);
- p = p && struct_equal(tr_contents,ktest_equal_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(tr_type);
+ p = p && struct_equal(tr_contents,ktest_equal_data);
+ return p;
}
int ktest_equal_ticket_times(ref, var)
- krb5_ticket_times * ref;
- krb5_ticket_times * var;
+ krb5_ticket_times * ref;
+ krb5_ticket_times * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p = p && scalar_equal(authtime);
- p = p && scalar_equal(starttime);
- p = p && scalar_equal(endtime);
- p = p && scalar_equal(renew_till);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(authtime);
+ p = p && scalar_equal(starttime);
+ p = p && scalar_equal(endtime);
+ p = p && scalar_equal(renew_till);
+ return p;
}
int ktest_equal_address(ref, var)
- krb5_address * ref;
- krb5_address * var;
+ krb5_address * ref;
+ krb5_address * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(addrtype);
- p=p&&len_equal(length,contents,ktest_equal_array_of_octet);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(addrtype);
+ p=p&&len_equal(length,contents,ktest_equal_array_of_octet);
+ return p;
}
int ktest_equal_enc_kdc_rep_part(ref, var)
- krb5_enc_kdc_rep_part * ref;
- krb5_enc_kdc_rep_part * var;
+ krb5_enc_kdc_rep_part * ref;
+ krb5_enc_kdc_rep_part * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&ptr_equal(session,ktest_equal_keyblock);
- p=p&&ptr_equal(last_req,ktest_equal_last_req);
- p=p&&scalar_equal(nonce);
- p=p&&scalar_equal(key_exp);
- p=p&&scalar_equal(flags);
- p=p&&struct_equal(times,ktest_equal_ticket_times);
- p=p&&ptr_equal(server,ktest_equal_principal_data);
- p=p&&ptr_equal(caddrs,ktest_equal_addresses);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&ptr_equal(session,ktest_equal_keyblock);
+ p=p&&ptr_equal(last_req,ktest_equal_last_req);
+ p=p&&scalar_equal(nonce);
+ p=p&&scalar_equal(key_exp);
+ p=p&&scalar_equal(flags);
+ p=p&&struct_equal(times,ktest_equal_ticket_times);
+ p=p&&ptr_equal(server,ktest_equal_principal_data);
+ p=p&&ptr_equal(caddrs,ktest_equal_addresses);
+ return p;
}
int ktest_equal_priv(ref, var)
- krb5_priv * ref;
- krb5_priv * var;
+ krb5_priv * ref;
+ krb5_priv * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&struct_equal(enc_part,ktest_equal_enc_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&struct_equal(enc_part,ktest_equal_enc_data);
+ return p;
}
int ktest_equal_cred(ref, var)
- krb5_cred * ref;
- krb5_cred * var;
+ krb5_cred * ref;
+ krb5_cred * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&ptr_equal(tickets,ktest_equal_sequence_of_ticket);
- p=p&&struct_equal(enc_part,ktest_equal_enc_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&ptr_equal(tickets,ktest_equal_sequence_of_ticket);
+ p=p&&struct_equal(enc_part,ktest_equal_enc_data);
+ return p;
}
int ktest_equal_error(ref, var)
- krb5_error * ref;
- krb5_error * var;
+ krb5_error * ref;
+ krb5_error * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(ctime);
- p=p&&scalar_equal(cusec);
- p=p&&scalar_equal(susec);
- p=p&&scalar_equal(stime);
- p=p&&scalar_equal(error);
- p=p&&ptr_equal(client,ktest_equal_principal_data);
- p=p&&ptr_equal(server,ktest_equal_principal_data);
- p=p&&struct_equal(text,ktest_equal_data);
- p=p&&struct_equal(e_data,ktest_equal_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(ctime);
+ p=p&&scalar_equal(cusec);
+ p=p&&scalar_equal(susec);
+ p=p&&scalar_equal(stime);
+ p=p&&scalar_equal(error);
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&ptr_equal(server,ktest_equal_principal_data);
+ p=p&&struct_equal(text,ktest_equal_data);
+ p=p&&struct_equal(e_data,ktest_equal_data);
+ return p;
}
int ktest_equal_ap_req(ref, var)
- krb5_ap_req * ref;
- krb5_ap_req * var;
+ krb5_ap_req * ref;
+ krb5_ap_req * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(ap_options);
- p=p&&ptr_equal(ticket,ktest_equal_ticket);
- p=p&&struct_equal(authenticator,ktest_equal_enc_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(ap_options);
+ p=p&&ptr_equal(ticket,ktest_equal_ticket);
+ p=p&&struct_equal(authenticator,ktest_equal_enc_data);
+ return p;
}
int ktest_equal_ap_rep(ref, var)
- krb5_ap_rep * ref;
- krb5_ap_rep * var;
+ krb5_ap_rep * ref;
+ krb5_ap_rep * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&struct_equal(enc_part,ktest_equal_enc_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&struct_equal(enc_part,ktest_equal_enc_data);
+ return p;
}
int ktest_equal_ap_rep_enc_part(ref, var)
- krb5_ap_rep_enc_part * ref;
- krb5_ap_rep_enc_part * var;
+ krb5_ap_rep_enc_part * ref;
+ krb5_ap_rep_enc_part * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(ctime);
- p=p&&scalar_equal(cusec);
- p=p&&ptr_equal(subkey,ktest_equal_encryption_key);
- p=p&&scalar_equal(seq_number);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(ctime);
+ p=p&&scalar_equal(cusec);
+ p=p&&ptr_equal(subkey,ktest_equal_encryption_key);
+ p=p&&scalar_equal(seq_number);
+ return p;
}
int ktest_equal_safe(ref, var)
- krb5_safe * ref;
- krb5_safe * var;
+ krb5_safe * ref;
+ krb5_safe * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&struct_equal(user_data,ktest_equal_data);
- p=p&&scalar_equal(timestamp);
- p=p&&scalar_equal(usec);
- p=p&&scalar_equal(seq_number);
- p=p&&ptr_equal(s_address,ktest_equal_address);
- p=p&&ptr_equal(r_address,ktest_equal_address);
- p=p&&ptr_equal(checksum,ktest_equal_checksum);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&struct_equal(user_data,ktest_equal_data);
+ p=p&&scalar_equal(timestamp);
+ p=p&&scalar_equal(usec);
+ p=p&&scalar_equal(seq_number);
+ p=p&&ptr_equal(s_address,ktest_equal_address);
+ p=p&&ptr_equal(r_address,ktest_equal_address);
+ p=p&&ptr_equal(checksum,ktest_equal_checksum);
+ return p;
}
int ktest_equal_enc_cred_part(ref, var)
- krb5_cred_enc_part * ref;
- krb5_cred_enc_part * var;
+ krb5_cred_enc_part * ref;
+ krb5_cred_enc_part * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(nonce);
- p=p&&scalar_equal(timestamp);
- p=p&&scalar_equal(usec);
- p=p&&ptr_equal(s_address,ktest_equal_address);
- p=p&&ptr_equal(r_address,ktest_equal_address);
- p=p&&ptr_equal(ticket_info,ktest_equal_sequence_of_cred_info);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(nonce);
+ p=p&&scalar_equal(timestamp);
+ p=p&&scalar_equal(usec);
+ p=p&&ptr_equal(s_address,ktest_equal_address);
+ p=p&&ptr_equal(r_address,ktest_equal_address);
+ p=p&&ptr_equal(ticket_info,ktest_equal_sequence_of_cred_info);
+ return p;
}
int ktest_equal_enc_priv_part(ref, var)
- krb5_priv_enc_part * ref;
- krb5_priv_enc_part * var;
+ krb5_priv_enc_part * ref;
+ krb5_priv_enc_part * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&struct_equal(user_data,ktest_equal_data);
- p=p&&scalar_equal(timestamp);
- p=p&&scalar_equal(usec);
- p=p&&scalar_equal(seq_number);
- p=p&&ptr_equal(s_address,ktest_equal_address);
- p=p&&ptr_equal(r_address,ktest_equal_address);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&struct_equal(user_data,ktest_equal_data);
+ p=p&&scalar_equal(timestamp);
+ p=p&&scalar_equal(usec);
+ p=p&&scalar_equal(seq_number);
+ p=p&&ptr_equal(s_address,ktest_equal_address);
+ p=p&&ptr_equal(r_address,ktest_equal_address);
+ return p;
}
int ktest_equal_as_rep(ref, var)
- krb5_kdc_rep * ref;
- krb5_kdc_rep * var;
+ krb5_kdc_rep * ref;
+ krb5_kdc_rep * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(msg_type);
- p=p&&ptr_equal(padata,ktest_equal_sequence_of_pa_data);
- p=p&&ptr_equal(client,ktest_equal_principal_data);
- p=p&&ptr_equal(ticket,ktest_equal_ticket);
- p=p&&struct_equal(enc_part,ktest_equal_enc_data);
- p=p&&ptr_equal(enc_part2,ktest_equal_enc_kdc_rep_part);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(msg_type);
+ p=p&&ptr_equal(padata,ktest_equal_sequence_of_pa_data);
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&ptr_equal(ticket,ktest_equal_ticket);
+ p=p&&struct_equal(enc_part,ktest_equal_enc_data);
+ p=p&&ptr_equal(enc_part2,ktest_equal_enc_kdc_rep_part);
+ return p;
}
int ktest_equal_tgs_rep(ref, var)
- krb5_kdc_rep * ref;
- krb5_kdc_rep * var;
+ krb5_kdc_rep * ref;
+ krb5_kdc_rep * var;
{
- return ktest_equal_as_rep(ref,var);
+ return ktest_equal_as_rep(ref,var);
}
int ktest_equal_as_req(ref, var)
- krb5_kdc_req * ref;
- krb5_kdc_req * var;
+ krb5_kdc_req * ref;
+ krb5_kdc_req * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(msg_type);
- p=p&&ptr_equal(padata,ktest_equal_sequence_of_pa_data);
- p=p&&scalar_equal(kdc_options);
- p=p&&ptr_equal(client,ktest_equal_principal_data);
- p=p&&ptr_equal(server,ktest_equal_principal_data);
- p=p&&scalar_equal(from);
- p=p&&scalar_equal(till);
- p=p&&scalar_equal(rtime);
- p=p&&scalar_equal(nonce);
- p=p&&len_equal(nktypes,ktype,ktest_equal_array_of_enctype);
- p=p&&ptr_equal(addresses,ktest_equal_addresses);
- p=p&&struct_equal(authorization_data,ktest_equal_enc_data);
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(msg_type);
+ p=p&&ptr_equal(padata,ktest_equal_sequence_of_pa_data);
+ p=p&&scalar_equal(kdc_options);
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&ptr_equal(server,ktest_equal_principal_data);
+ p=p&&scalar_equal(from);
+ p=p&&scalar_equal(till);
+ p=p&&scalar_equal(rtime);
+ p=p&&scalar_equal(nonce);
+ p=p&&len_equal(nktypes,ktype,ktest_equal_array_of_enctype);
+ p=p&&ptr_equal(addresses,ktest_equal_addresses);
+ p=p&&struct_equal(authorization_data,ktest_equal_enc_data);
/* This field isn't actually in the ASN.1 encoding. */
/* p=p&&ptr_equal(unenc_authdata,ktest_equal_authorization_data); */
- return p;
+ return p;
}
int ktest_equal_tgs_req(ref, var)
- krb5_kdc_req * ref;
- krb5_kdc_req * var;
+ krb5_kdc_req * ref;
+ krb5_kdc_req * var;
{
- return ktest_equal_as_req(ref,var);
+ return ktest_equal_as_req(ref,var);
}
int ktest_equal_kdc_req_body(ref, var)
- krb5_kdc_req * ref;
- krb5_kdc_req * var;
+ krb5_kdc_req * ref;
+ krb5_kdc_req * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(kdc_options);
- p=p&&ptr_equal(client,ktest_equal_principal_data);
- p=p&&ptr_equal(server,ktest_equal_principal_data);
- p=p&&scalar_equal(from);
- p=p&&scalar_equal(till);
- p=p&&scalar_equal(rtime);
- p=p&&scalar_equal(nonce);
- p=p&&len_equal(nktypes,ktype,ktest_equal_array_of_enctype);
- p=p&&ptr_equal(addresses,ktest_equal_addresses);
- p=p&&struct_equal(authorization_data,ktest_equal_enc_data);
- /* This isn't part of the ASN.1 encoding. */
- /* p=p&&ptr_equal(unenc_authdata,ktest_equal_authorization_data); */
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(kdc_options);
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&ptr_equal(server,ktest_equal_principal_data);
+ p=p&&scalar_equal(from);
+ p=p&&scalar_equal(till);
+ p=p&&scalar_equal(rtime);
+ p=p&&scalar_equal(nonce);
+ p=p&&len_equal(nktypes,ktype,ktest_equal_array_of_enctype);
+ p=p&&ptr_equal(addresses,ktest_equal_addresses);
+ p=p&&struct_equal(authorization_data,ktest_equal_enc_data);
+ /* This isn't part of the ASN.1 encoding. */
+ /* p=p&&ptr_equal(unenc_authdata,ktest_equal_authorization_data); */
+ return p;
}
int ktest_equal_last_req_entry(ref, var)
- krb5_last_req_entry * ref;
- krb5_last_req_entry * var;
+ krb5_last_req_entry * ref;
+ krb5_last_req_entry * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(lr_type);
- p=p&&scalar_equal(value);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(lr_type);
+ p=p&&scalar_equal(value);
+ return p;
}
int ktest_equal_pa_data(ref, var)
- krb5_pa_data * ref;
- krb5_pa_data * var;
+ krb5_pa_data * ref;
+ krb5_pa_data * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(pa_type);
- p=p&&len_equal(length,contents,ktest_equal_array_of_octet);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(pa_type);
+ p=p&&len_equal(length,contents,ktest_equal_array_of_octet);
+ return p;
}
int ktest_equal_cred_info(ref, var)
- krb5_cred_info * ref;
- krb5_cred_info * var;
+ krb5_cred_info * ref;
+ krb5_cred_info * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&ptr_equal(session,ktest_equal_keyblock);
- p=p&&ptr_equal(client,ktest_equal_principal_data);
- p=p&&ptr_equal(server,ktest_equal_principal_data);
- p=p&&scalar_equal(flags);
- p=p&&struct_equal(times,ktest_equal_ticket_times);
- p=p&&ptr_equal(caddrs,ktest_equal_addresses);
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&ptr_equal(session,ktest_equal_keyblock);
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&ptr_equal(server,ktest_equal_principal_data);
+ p=p&&scalar_equal(flags);
+ p=p&&struct_equal(times,ktest_equal_ticket_times);
+ p=p&&ptr_equal(caddrs,ktest_equal_addresses);
- return p;
+ return p;
}
int ktest_equal_passwd_phrase_element(ref, var)
- passwd_phrase_element * ref;
- passwd_phrase_element * var;
+ passwd_phrase_element * ref;
+ passwd_phrase_element * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&ptr_equal(passwd,ktest_equal_data);
- p=p&&ptr_equal(phrase,ktest_equal_data);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&ptr_equal(passwd,ktest_equal_data);
+ p=p&&ptr_equal(phrase,ktest_equal_data);
+ return p;
}
int ktest_equal_krb5_pwd_data(ref, var)
- krb5_pwd_data * ref;
- krb5_pwd_data * var;
+ krb5_pwd_data * ref;
+ krb5_pwd_data * var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(sequence_count);
- p=p&&ptr_equal(element,ktest_equal_array_of_passwd_phrase_element);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(sequence_count);
+ p=p&&ptr_equal(element,ktest_equal_array_of_passwd_phrase_element);
+ return p;
}
int ktest_equal_krb5_alt_method(ref, var)
@@ -496,174 +496,213 @@
krb5_pa_enc_ts *ref;
krb5_pa_enc_ts *var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(patimestamp);
- p=p&&scalar_equal(pausec);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(patimestamp);
+ p=p&&scalar_equal(pausec);
+ return p;
}
#define equal_str(f) struct_equal(f,ktest_equal_data)
int ktest_equal_sam_challenge(ref, var)
- krb5_sam_challenge *ref;
- krb5_sam_challenge *var;
+ krb5_sam_challenge *ref;
+ krb5_sam_challenge *var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(sam_type);
- p=p&&scalar_equal(sam_flags);
- p=p&&scalar_equal(sam_nonce);
- p=p&&ktest_equal_checksum(&ref->sam_cksum,&var->sam_cksum);
- p=p&&equal_str(sam_track_id);
- p=p&&equal_str(sam_challenge_label);
- p=p&&equal_str(sam_challenge);
- p=p&&equal_str(sam_response_prompt);
- p=p&&equal_str(sam_pk_for_sad);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(sam_type);
+ p=p&&scalar_equal(sam_flags);
+ p=p&&scalar_equal(sam_nonce);
+ p=p&&ktest_equal_checksum(&ref->sam_cksum,&var->sam_cksum);
+ p=p&&equal_str(sam_track_id);
+ p=p&&equal_str(sam_challenge_label);
+ p=p&&equal_str(sam_challenge);
+ p=p&&equal_str(sam_response_prompt);
+ p=p&&equal_str(sam_pk_for_sad);
+ return p;
}
int ktest_equal_sam_response(ref, var)
- krb5_sam_response *ref;
- krb5_sam_response *var;
+ krb5_sam_response *ref;
+ krb5_sam_response *var;
{
- int p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- p=p&&scalar_equal(sam_type);
- p=p&&scalar_equal(sam_flags);
- p=p&&equal_str(sam_track_id);
- p=p&&struct_equal(sam_enc_key,ktest_equal_enc_data);
- p=p&&struct_equal(sam_enc_nonce_or_ts,ktest_equal_enc_data);
- p=p&&scalar_equal(sam_nonce);
- p=p&&scalar_equal(sam_patimestamp);
- return p;
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(sam_type);
+ p=p&&scalar_equal(sam_flags);
+ p=p&&equal_str(sam_track_id);
+ p=p&&struct_equal(sam_enc_key,ktest_equal_enc_data);
+ p=p&&struct_equal(sam_enc_nonce_or_ts,ktest_equal_enc_data);
+ p=p&&scalar_equal(sam_nonce);
+ p=p&&scalar_equal(sam_patimestamp);
+ return p;
}
+#ifdef ENABLE_LDAP
+static int equal_key_data(ref, var)
+ krb5_key_data *ref;
+ krb5_key_data *var;
+{
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(key_data_ver);
+ p=p&&scalar_equal(key_data_kvno);
+ p=p&&scalar_equal(key_data_type[0]);
+ p=p&&scalar_equal(key_data_type[1]);
+ p=p&&len_equal(key_data_length[0],key_data_contents[0],
+ ktest_equal_array_of_octet);
+ p=p&&len_equal(key_data_length[1],key_data_contents[1],
+ ktest_equal_array_of_octet);
+ return p;
+}
+static int equal_key_data_array(int n, krb5_key_data *ref, krb5_key_data *val)
+{
+ int i, p=TRUE;
+ for (i = 0; i < n; i++) {
+ p=p&&equal_key_data(ref+i, val+i);
+ }
+ return p;
+}
+int ktest_equal_ldap_sequence_of_keys(ref, var)
+ ldap_seqof_key_data *ref;
+ ldap_seqof_key_data *var;
+{
+ int p=TRUE;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(mkvno);
+ p=p&&len_equal(n_key_data,key_data,equal_key_data_array);
+ return p;
+}
+#endif
+
/**** arrays ****************************************************************/
int ktest_equal_array_of_data(length, ref, var)
- const int length;
- krb5_data * ref;
- krb5_data * var;
+ const int length;
+ krb5_data * ref;
+ krb5_data * var;
{
- int i,p=TRUE;
+ int i,p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- for(i=0; i<(length); i++){
- p = p && ktest_equal_data(&(ref[i]),&(var[i]));
- }
- return p;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ for (i=0; i<(length); i++) {
+ p = p && ktest_equal_data(&(ref[i]),&(var[i]));
+ }
+ return p;
}
int ktest_equal_array_of_octet(length, ref, var)
- const unsigned int length;
- krb5_octet * ref;
- krb5_octet * var;
+ const unsigned int length;
+ krb5_octet * ref;
+ krb5_octet * var;
{
- int i, p=TRUE;
+ unsigned int i, p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- for(i=0; i<length; i++)
- p = p && (ref[i] == var[i]);
- return p;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ for (i=0; i<length; i++)
+ p = p && (ref[i] == var[i]);
+ return p;
}
int ktest_equal_array_of_char(length, ref, var)
- const unsigned int length;
- char * ref;
- char * var;
+ const unsigned int length;
+ char * ref;
+ char * var;
{
- int i, p=TRUE;
+ unsigned int i, p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- for(i=0; i<length; i++)
- p = p && (ref[i] == var[i]);
- return p;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ for (i=0; i<length; i++)
+ p = p && (ref[i] == var[i]);
+ return p;
}
int ktest_equal_array_of_enctype(length, ref, var)
- const int length;
- krb5_enctype * ref;
- krb5_enctype * var;
+ const int length;
+ krb5_enctype * ref;
+ krb5_enctype * var;
{
- int i, p=TRUE;
+ int i, p=TRUE;
- if(ref==var) return TRUE;
- else if(ref == NULL || var == NULL) return FALSE;
- for(i=0; i<length; i++)
- p = p && (ref[i] == var[i]);
- return p;
+ if (ref==var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ for (i=0; i<length; i++)
+ p = p && (ref[i] == var[i]);
+ return p;
}
-#define array_compare(comparator)\
-int i,p=TRUE;\
-if(ref==var) return TRUE;\
-if(!ref || !ref[0])\
- return (!var || !var[0]);\
-if(!var || !var[0]) return FALSE;\
-for(i=0; ref[i] != NULL && var[i] != NULL; i++)\
- p = p && comparator(ref[i],var[i]);\
-if(ref[i] == NULL && var[i] == NULL) return p;\
-else return FALSE
+#define array_compare(comparator) \
+ int i,p=TRUE; \
+ if (ref==var) return TRUE; \
+ if (!ref || !ref[0]) \
+ return (!var || !var[0]); \
+ if (!var || !var[0]) return FALSE; \
+ for (i=0; ref[i] != NULL && var[i] != NULL; i++) \
+ p = p && comparator(ref[i],var[i]); \
+ if (ref[i] == NULL && var[i] == NULL) return p; \
+ else return FALSE
int ktest_equal_authorization_data(ref, var)
- krb5_authdata ** ref;
- krb5_authdata ** var;
+ krb5_authdata ** ref;
+ krb5_authdata ** var;
{
- array_compare(ktest_equal_authdata);
+ array_compare(ktest_equal_authdata);
}
int ktest_equal_addresses(ref, var)
- krb5_address ** ref;
- krb5_address ** var;
+ krb5_address ** ref;
+ krb5_address ** var;
{
- array_compare(ktest_equal_address);
+ array_compare(ktest_equal_address);
}
int ktest_equal_last_req(ref, var)
- krb5_last_req_entry ** ref;
- krb5_last_req_entry ** var;
+ krb5_last_req_entry ** ref;
+ krb5_last_req_entry ** var;
{
- array_compare(ktest_equal_last_req_entry);
+ array_compare(ktest_equal_last_req_entry);
}
int ktest_equal_sequence_of_ticket(ref, var)
- krb5_ticket ** ref;
- krb5_ticket ** var;
+ krb5_ticket ** ref;
+ krb5_ticket ** var;
{
- array_compare(ktest_equal_ticket);
+ array_compare(ktest_equal_ticket);
}
int ktest_equal_sequence_of_pa_data(ref, var)
- krb5_pa_data ** ref;
- krb5_pa_data ** var;
+ krb5_pa_data ** ref;
+ krb5_pa_data ** var;
{
- array_compare(ktest_equal_pa_data);
+ array_compare(ktest_equal_pa_data);
}
int ktest_equal_sequence_of_cred_info(ref, var)
- krb5_cred_info ** ref;
- krb5_cred_info ** var;
+ krb5_cred_info ** ref;
+ krb5_cred_info ** var;
{
- array_compare(ktest_equal_cred_info);
+ array_compare(ktest_equal_cred_info);
}
int ktest_equal_array_of_passwd_phrase_element(ref, var)
- passwd_phrase_element ** ref;
- passwd_phrase_element ** var;
+ passwd_phrase_element ** ref;
+ passwd_phrase_element ** var;
{
- array_compare(ktest_equal_passwd_phrase_element);
+ array_compare(ktest_equal_passwd_phrase_element);
}
int ktest_equal_etype_info(ref, var)
- krb5_etype_info_entry ** ref;
- krb5_etype_info_entry ** var;
+ krb5_etype_info_entry ** ref;
+ krb5_etype_info_entry ** var;
{
- array_compare(ktest_equal_krb5_etype_info_entry);
+ array_compare(ktest_equal_krb5_etype_info_entry);
}
Modified: branches/mkey_migrate/src/tests/asn.1/ktest_equal.h
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/ktest_equal.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/ktest_equal.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,6 +2,7 @@
#define __KTEST_EQUAL_H__
#include "k5-int.h"
+#include "kdb.h"
/* int ktest_equal_structure(krb5_structure *ref, *var) */
/* effects Returns true (non-zero) if ref and var are
@@ -90,4 +91,6 @@
(krb5_etype_info_entry * ref,
krb5_etype_info_entry * var);
+int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
+ ldap_seqof_key_data *var);
#endif
Copied: branches/mkey_migrate/src/tests/asn.1/ldap_encode.out (from rev 21721, trunk/src/tests/asn.1/ldap_encode.out)
Copied: branches/mkey_migrate/src/tests/asn.1/ldap_trval.out (from rev 21721, trunk/src/tests/asn.1/ldap_trval.out)
Modified: branches/mkey_migrate/src/tests/asn.1/reference_encode.out
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/reference_encode.out 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/reference_encode.out 2009-01-10 01:06:45 UTC (rev 21722)
@@ -51,3 +51,8 @@
encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
encode_krb5_sam_challenge: 30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
encode_krb5_sam_response: 30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
+encode_krb5_sam_key: 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38
+encode_krb5_enc_sam_response_enc: 30 38 A0 05 02 03 01 33 2A A1 11 18 0F 31 39 37 30 30 31 30 32 30 33 34 36 33 39 5A A2 04 02 02 01 8F A3 16 04 14 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63
+encode_krb5_predicted_sam_response: 30 6D A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 07 03 05 00 00 00 00 09 A2 11 18 0F 31 39 37 30 30 31 30 31 30 30 30 30 31 37 5A A3 03 02 01 12 A4 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A6 07 04 05 68 65 6C 6C 6F
+encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
+encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
Modified: branches/mkey_migrate/src/tests/asn.1/t_trval.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/t_trval.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/t_trval.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -38,8 +38,8 @@
static void usage()
{
- fprintf(stderr, "Usage: trval [--types] [--krb5] [--krb5decode] [--hex] [-notypebytes] [file]\n");
- exit(1);
+ fprintf(stderr, "Usage: trval [--types] [--krb5] [--krb5decode] [--hex] [-notypebytes] [file]\n");
+ exit(1);
}
/*
@@ -48,60 +48,60 @@
*/
static
int check_option(word, option)
- char *word;
- char *option;
+ char *word;
+ char *option;
{
- if (word[0] != '-')
- return 0;
- if (word[1] == '-')
- word++;
- if (strcmp(word+1, option))
- return 0;
- return 1;
+ if (word[0] != '-')
+ return 0;
+ if (word[1] == '-')
+ word++;
+ if (strcmp(word+1, option))
+ return 0;
+ return 1;
}
int main(argc, argv)
- int argc;
- char **argv;
+ int argc;
+ char **argv;
{
- int optflg = 1;
- FILE *fp;
- int r = 0;
+ int optflg = 1;
+ FILE *fp;
+ int r = 0;
- while (--argc > 0) {
- argv++;
- if (optflg && *(argv)[0] == '-') {
- if (check_option(*argv, "help"))
- usage();
- else if (check_option(*argv, "types"))
- print_types = 1;
- else if (check_option(*argv, "notypes"))
- print_types = 0;
- else if (check_option(*argv, "krb5"))
- print_krb5_types = 1;
- else if (check_option(*argv, "hex"))
- do_hex = 1;
- else if (check_option(*argv, "notypebytes"))
- print_id_and_len = 0;
- else if (check_option(*argv, "krb5decode")) {
- print_id_and_len = 0;
- print_krb5_types = 1;
- print_types = 1;
- } else {
- fprintf(stderr,"trval: unknown option: %s\n", *argv);
- usage();
- }
- } else {
- optflg = 0;
- if ((fp = fopen(*argv,"r")) == NULL) {
- fprintf(stderr,"trval: unable to open %s\n", *argv);
- continue;
- }
- r = trval(fp, stdout);
- fclose(fp);
- }
+ while (--argc > 0) {
+ argv++;
+ if (optflg && *(argv)[0] == '-') {
+ if (check_option(*argv, "help"))
+ usage();
+ else if (check_option(*argv, "types"))
+ print_types = 1;
+ else if (check_option(*argv, "notypes"))
+ print_types = 0;
+ else if (check_option(*argv, "krb5"))
+ print_krb5_types = 1;
+ else if (check_option(*argv, "hex"))
+ do_hex = 1;
+ else if (check_option(*argv, "notypebytes"))
+ print_id_and_len = 0;
+ else if (check_option(*argv, "krb5decode")) {
+ print_id_and_len = 0;
+ print_krb5_types = 1;
+ print_types = 1;
+ } else {
+ fprintf(stderr,"trval: unknown option: %s\n", *argv);
+ usage();
+ }
+ } else {
+ optflg = 0;
+ if ((fp = fopen(*argv,"r")) == NULL) {
+ fprintf(stderr,"trval: unable to open %s\n", *argv);
+ continue;
+ }
+ r = trval(fp, stdout);
+ fclose(fp);
}
- if (optflg) r = trval(stdin, stdout);
+ }
+ if (optflg) r = trval(stdin, stdout);
- exit(r);
+ exit(r);
}
Modified: branches/mkey_migrate/src/tests/asn.1/trval.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/trval.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/trval.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,21 +44,21 @@
#define OK 0
#define NOTOK (-1)
- /* IDENTIFIER OCTET = TAG CLASS | FORM OF ENCODING | TAG NUMBER */
+/* IDENTIFIER OCTET = TAG CLASS | FORM OF ENCODING | TAG NUMBER */
- /* TAG CLASSES */
+/* TAG CLASSES */
#define ID_CLASS 0xc0 /* bits 8 and 7 */
#define CLASS_UNIV 0x00 /* 0 = universal */
#define CLASS_APPL 0x40 /* 1 = application */
#define CLASS_CONT 0x80 /* 2 = context-specific */
#define CLASS_PRIV 0xc0 /* 3 = private */
- /* FORM OF ENCODING */
+/* FORM OF ENCODING */
#define ID_FORM 0x20 /* bit 6 */
#define FORM_PRIM 0x00 /* 0 = primitive */
#define FORM_CONS 0x20 /* 1 = constructed */
- /* TAG NUMBERS */
+/* TAG NUMBERS */
#define ID_TAG 0x1f /* bits 5-1 */
#define PRIM_BOOL 0x01 /* Boolean */
#define PRIM_INT 0x02 /* Integer */
@@ -131,192 +131,192 @@
}
int trval(fin, fout)
- FILE *fin;
- FILE *fout;
+ FILE *fin;
+ FILE *fout;
{
- unsigned char *p;
- unsigned int maxlen;
- int len;
- int cc, cc2, n1, n2;
- int r;
- int rlen;
+ unsigned char *p;
+ unsigned int maxlen;
+ int len;
+ int cc, cc2, n1, n2;
+ int r;
+ int rlen;
- maxlen = BUFSIZ;
- p = (unsigned char *)malloc(maxlen);
- len = 0;
- while ((cc = fgetc(fin)) != EOF) {
- if (len == maxlen) {
- maxlen += BUFSIZ;
- p = (unsigned char *)realloc(p, maxlen);
- }
- if (do_hex) {
- if (cc == ' ' || cc == '\n' || cc == '\t')
- continue;
- cc2 = fgetc(fin);
- if (cc2 == EOF)
- break;
- n1 = convert_nibble(cc);
- n2 = convert_nibble(cc2);
- cc = (n1 << 4) + n2;
- }
- p[len++] = cc;
+ maxlen = BUFSIZ;
+ p = (unsigned char *)malloc(maxlen);
+ len = 0;
+ while ((cc = fgetc(fin)) != EOF) {
+ if ((unsigned int) len == maxlen) {
+ maxlen += BUFSIZ;
+ p = (unsigned char *)realloc(p, maxlen);
}
- fprintf(fout, "<%d>", len);
- r = trval2(fout, p, len, 0, &rlen);
- fprintf(fout, "\n");
- (void) free(p);
- return(r);
+ if (do_hex) {
+ if (cc == ' ' || cc == '\n' || cc == '\t')
+ continue;
+ cc2 = fgetc(fin);
+ if (cc2 == EOF)
+ break;
+ n1 = convert_nibble(cc);
+ n2 = convert_nibble(cc2);
+ cc = (n1 << 4) + n2;
+ }
+ p[len++] = cc;
+ }
+ fprintf(fout, "<%d>", len);
+ r = trval2(fout, p, len, 0, &rlen);
+ fprintf(fout, "\n");
+ (void) free(p);
+ return(r);
}
int trval2(fp, enc, len, lev, rlen)
- FILE *fp;
- unsigned char *enc;
- int len;
- int lev;
- int *rlen;
+ FILE *fp;
+ unsigned char *enc;
+ int len;
+ int lev;
+ int *rlen;
{
- int l, eid, elen, xlen, r, rlen2;
- int rlen_ext = 0;
+ int l, eid, elen, xlen, r, rlen2;
+ int rlen_ext = 0;
- r = OK;
+ r = OK;
- if (len < 2) {
- fprintf(fp, "missing id and length octets (%d)\n", len);
- return(NOTOK);
- }
+ if (len < 2) {
+ fprintf(fp, "missing id and length octets (%d)\n", len);
+ return(NOTOK);
+ }
- fprintf(fp, "\n");
- for (l=0; l<lev; l++) fprintf(fp, ". ");
+ fprintf(fp, "\n");
+ for (l=0; l<lev; l++) fprintf(fp, ". ");
context_restart:
- eid = enc[0];
- elen = enc[1];
+ eid = enc[0];
+ elen = enc[1];
- if (print_id_and_len) {
- fprintf(fp, "%02x ", eid);
- fprintf(fp, "%02x ", elen);
- }
+ if (print_id_and_len) {
+ fprintf(fp, "%02x ", eid);
+ fprintf(fp, "%02x ", elen);
+ }
- if (elen == LEN_XTND) {
- fprintf(fp,
- "indefinite length encoding not implemented (0x%02x)\n", elen);
- return(NOTOK);
- }
+ if (elen == LEN_XTND) {
+ fprintf(fp,
+ "indefinite length encoding not implemented (0x%02x)\n", elen);
+ return(NOTOK);
+ }
- xlen = 0;
- if (elen & LEN_XTND) {
- xlen = elen & LEN_MASK;
- if (xlen > len - 2) {
- fprintf(fp, "extended length too long (%d > %d - 2)\n", xlen, len);
- return(NOTOK);
- }
- elen = decode_len(fp, enc+2, xlen);
+ xlen = 0;
+ if (elen & LEN_XTND) {
+ xlen = elen & LEN_MASK;
+ if (xlen > len - 2) {
+ fprintf(fp, "extended length too long (%d > %d - 2)\n", xlen, len);
+ return(NOTOK);
}
+ elen = decode_len(fp, enc+2, xlen);
+ }
- if (elen > len - 2 - xlen) {
- fprintf(fp, "length too long (%d > %d - 2 - %d)\n", elen, len, xlen);
- return(NOTOK);
- }
+ if (elen > len - 2 - xlen) {
+ fprintf(fp, "length too long (%d > %d - 2 - %d)\n", elen, len, xlen);
+ return(NOTOK);
+ }
- print_tag_type(fp, eid, lev);
+ print_tag_type(fp, eid, lev);
- if (print_context_shortcut &&
- ((eid & ID_CLASS) == CLASS_CONT) && (lev > 0)) {
- rlen_ext += 2 + xlen;
- enc += 2 + xlen;
- goto context_restart;
- }
+ if (print_context_shortcut &&
+ ((eid & ID_CLASS) == CLASS_CONT) && (lev > 0)) {
+ rlen_ext += 2 + xlen;
+ enc += 2 + xlen;
+ goto context_restart;
+ }
- switch(eid & ID_FORM) {
- case FORM_PRIM:
- r = do_prim(fp, eid & ID_TAG, enc+2+xlen, elen, lev+1);
- *rlen = 2 + xlen + elen + rlen_ext;
- break;
- case FORM_CONS:
- if (print_constructed_length) {
- fprintf(fp, "constr ");
- fprintf(fp, "<%d>", elen);
- }
- r = do_cons(fp, enc+2+xlen, elen, lev+1, &rlen2);
- *rlen = 2 + xlen + rlen2 + rlen_ext;
- break;
+ switch(eid & ID_FORM) {
+ case FORM_PRIM:
+ r = do_prim(fp, eid & ID_TAG, enc+2+xlen, elen, lev+1);
+ *rlen = 2 + xlen + elen + rlen_ext;
+ break;
+ case FORM_CONS:
+ if (print_constructed_length) {
+ fprintf(fp, "constr ");
+ fprintf(fp, "<%d>", elen);
}
+ r = do_cons(fp, enc+2+xlen, elen, lev+1, &rlen2);
+ *rlen = 2 + xlen + rlen2 + rlen_ext;
+ break;
+ }
- return(r);
+ return(r);
}
int decode_len(fp, enc, len)
- FILE *fp;
- unsigned char *enc;
- int len;
+ FILE *fp;
+ unsigned char *enc;
+ int len;
{
- int rlen;
- int i;
+ int rlen;
+ int i;
+ if (print_id_and_len)
+ fprintf(fp, "%02x ", enc[0]);
+ rlen = enc[0];
+ for (i=1; i<len; i++) {
if (print_id_and_len)
- fprintf(fp, "%02x ", enc[0]);
- rlen = enc[0];
- for (i=1; i<len; i++) {
- if (print_id_and_len)
- fprintf(fp, "%02x ", enc[i]);
- rlen = (rlen * 0x100) + enc[i];
- }
- return(rlen);
+ fprintf(fp, "%02x ", enc[i]);
+ rlen = (rlen * 0x100) + enc[i];
+ }
+ return(rlen);
}
/*
* This is the printing function for bit strings
*/
int do_prim_bitstring(fp, tag, enc, len, lev)
- FILE *fp;
- int tag;
- unsigned char *enc;
- int len;
- int lev;
+ FILE *fp;
+ int tag;
+ unsigned char *enc;
+ int len;
+ int lev;
{
- int i;
- long num = 0;
+ int i;
+ long num = 0;
- if (tag != PRIM_BITS || len > 5)
- return 0;
+ if (tag != PRIM_BITS || len > 5)
+ return 0;
- for (i=1; i < len; i++) {
- num = num << 8;
- num += enc[i];
- }
+ for (i=1; i < len; i++) {
+ num = num << 8;
+ num += enc[i];
+ }
- fprintf(fp, "0x%lx", num);
- if (enc[0])
- fprintf(fp, " (%d unused bits)", enc[0]);
- return 1;
+ fprintf(fp, "0x%lx", num);
+ if (enc[0])
+ fprintf(fp, " (%d unused bits)", enc[0]);
+ return 1;
}
/*
* This is the printing function for integers
*/
int do_prim_int(fp, tag, enc, len, lev)
- FILE *fp;
- int tag;
- unsigned char *enc;
- int len;
- int lev;
+ FILE *fp;
+ int tag;
+ unsigned char *enc;
+ int len;
+ int lev;
{
- int i;
- long num = 0;
+ int i;
+ long num = 0;
- if (tag != PRIM_INT || len > 4)
- return 0;
+ if (tag != PRIM_INT || len > 4)
+ return 0;
- if (enc[0] & 0x80)
- num = -1;
+ if (enc[0] & 0x80)
+ num = -1;
- for (i=0; i < len; i++) {
- num = num << 8;
- num += enc[i];
- }
+ for (i=0; i < len; i++) {
+ num = num << 8;
+ num += enc[i];
+ }
- fprintf(fp, "%ld", num);
- return 1;
+ fprintf(fp, "%ld", num);
+ return 1;
}
@@ -325,80 +325,80 @@
* other other type which is best printed as a string
*/
int do_prim_string(fp, tag, enc, len, lev)
- FILE *fp;
- int tag;
- unsigned char *enc;
- int len;
- int lev;
+ FILE *fp;
+ int tag;
+ unsigned char *enc;
+ int len;
+ int lev;
{
- int i;
+ int i;
- /*
- * Only try this printing function with "reasonable" types
- */
- if ((tag < DEFN_NUMS) && (tag != PRIM_OCTS))
- return 0;
+ /*
+ * Only try this printing function with "reasonable" types
+ */
+ if ((tag < DEFN_NUMS) && (tag != PRIM_OCTS))
+ return 0;
- for (i=0; i < len; i++)
- if (!isprint(enc[i]))
- return 0;
- fprintf(fp, "\"%.*s\"", len, enc);
- return 1;
+ for (i=0; i < len; i++)
+ if (!isprint(enc[i]))
+ return 0;
+ fprintf(fp, "\"%.*s\"", len, enc);
+ return 1;
}
int do_prim(fp, tag, enc, len, lev)
- FILE *fp;
- int tag;
- unsigned char *enc;
- int len;
- int lev;
+ FILE *fp;
+ int tag;
+ unsigned char *enc;
+ int len;
+ int lev;
{
- int n;
- int i;
- int j;
- int width;
+ int n;
+ int i;
+ int j;
+ int width;
- if (do_prim_string(fp, tag, enc, len, lev))
- return OK;
- if (do_prim_int(fp, tag, enc, len, lev))
- return OK;
- if (do_prim_bitstring(fp, tag, enc, len, lev))
- return OK;
+ if (do_prim_string(fp, tag, enc, len, lev))
+ return OK;
+ if (do_prim_int(fp, tag, enc, len, lev))
+ return OK;
+ if (do_prim_bitstring(fp, tag, enc, len, lev))
+ return OK;
- if (print_primitive_length)
- fprintf(fp, "<%d>", len);
+ if (print_primitive_length)
+ fprintf(fp, "<%d>", len);
- width = (80 - (lev * 3) - 8) / 4;
+ width = (80 - (lev * 3) - 8) / 4;
- for (n = 0; n < len; n++) {
- if ((n % width) == 0) {
- fprintf(fp, "\n");
- for (i=0; i<lev; i++) fprintf(fp, " ");
- }
- fprintf(fp, "%02x ", enc[n]);
- if ((n % width) == (width-1)) {
- fprintf(fp, " ");
- for (i=n-(width-1); i<=n; i++)
- if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
- else fprintf(fp, ".");
- }
+ for (n = 0; n < len; n++) {
+ if ((n % width) == 0) {
+ fprintf(fp, "\n");
+ for (i=0; i<lev; i++) fprintf(fp, " ");
}
- if ((j = (n % width)) != 0) {
- fprintf(fp, " ");
- for (i=0; i<width-j; i++) fprintf(fp, " ");
- for (i=n-j; i<n; i++)
- if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
- else fprintf(fp, ".");
+ fprintf(fp, "%02x ", enc[n]);
+ if ((n % width) == (width-1)) {
+ fprintf(fp, " ");
+ for (i=n-(width-1); i<=n; i++)
+ if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
+ else fprintf(fp, ".");
}
- return(OK);
+ }
+ if ((j = (n % width)) != 0) {
+ fprintf(fp, " ");
+ for (i=0; i<width-j; i++) fprintf(fp, " ");
+ for (i=n-j; i<n; i++)
+ if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
+ else fprintf(fp, ".");
+ }
+ return(OK);
}
int do_cons(fp, enc, len, lev, rlen)
-FILE *fp;
-unsigned char *enc;
-int len;
-int lev;
-int *rlen;
+ FILE *fp;
+ unsigned char *enc;
+ int len;
+ int lev;
+ int *rlen;
{
int n;
int r = 0;
@@ -414,7 +414,7 @@
}
if (rlent != len) {
fprintf(fp, "inconsistent constructed lengths (%d != %d)\n",
- rlent, len);
+ rlent, len);
return(NOTOK);
}
*rlen = rlent;
@@ -422,344 +422,344 @@
}
struct typestring_table {
- int k1, k2;
- char *str;
- int new_appl;
+ int k1, k2;
+ char *str;
+ int new_appl;
};
static char *lookup_typestring(table, key1, key2)
- struct typestring_table *table;
- int key1, key2;
+ struct typestring_table *table;
+ int key1, key2;
{
- struct typestring_table *ent;
+ struct typestring_table *ent;
- for (ent = table; ent->k1 > 0; ent++) {
- if ((ent->k1 == key1) &&
- (ent->k2 == key2)) {
- if (ent->new_appl)
- current_appl_type = ent->new_appl;
- return ent->str;
- }
+ for (ent = table; ent->k1 > 0; ent++) {
+ if ((ent->k1 == key1) &&
+ (ent->k2 == key2)) {
+ if (ent->new_appl)
+ current_appl_type = ent->new_appl;
+ return ent->str;
}
- return 0;
+ }
+ return 0;
}
struct typestring_table univ_types[] = {
- { PRIM_BOOL, -1, "Boolean"},
- { PRIM_INT, -1, "Integer"},
- { PRIM_BITS, -1, "Bit String"},
- { PRIM_OCTS, -1, "Octet String"},
- { PRIM_NULL, -1, "Null"},
- { PRIM_OID, -1, "Object Identifier"},
- { PRIM_ODE, -1, "Object Descriptor"},
- { CONS_EXTN, -1, "External"},
- { PRIM_REAL, -1, "Real"},
- { PRIM_ENUM, -1, "Enumerated type"},
- { PRIM_ENCR, -1, "Encrypted"},
- { CONS_SEQ, -1, "Sequence/Sequence Of"},
- { CONS_SET, -1, "Set/Set Of"},
- { DEFN_NUMS, -1, "Numeric String"},
- { DEFN_PRTS, -1, "Printable String"},
- { DEFN_T61S, -1, "T.61 String"},
- { DEFN_VTXS, -1, "Videotex String"},
- { DEFN_IA5S, -1, "IA5 String"},
- { DEFN_UTCT, -1, "UTCTime"},
- { DEFN_GENT, -1, "Generalized Time"},
- { DEFN_GFXS, -1, "Graphics string (ISO2375)"},
- { DEFN_VISS, -1, "Visible string"},
- { DEFN_GENS, -1, "General string"},
- { DEFN_CHRS, -1, "Character string"},
- { -1, -1, 0}
- };
+ { PRIM_BOOL, -1, "Boolean"},
+ { PRIM_INT, -1, "Integer"},
+ { PRIM_BITS, -1, "Bit String"},
+ { PRIM_OCTS, -1, "Octet String"},
+ { PRIM_NULL, -1, "Null"},
+ { PRIM_OID, -1, "Object Identifier"},
+ { PRIM_ODE, -1, "Object Descriptor"},
+ { CONS_EXTN, -1, "External"},
+ { PRIM_REAL, -1, "Real"},
+ { PRIM_ENUM, -1, "Enumerated type"},
+ { PRIM_ENCR, -1, "Encrypted"},
+ { CONS_SEQ, -1, "Sequence/Sequence Of"},
+ { CONS_SET, -1, "Set/Set Of"},
+ { DEFN_NUMS, -1, "Numeric String"},
+ { DEFN_PRTS, -1, "Printable String"},
+ { DEFN_T61S, -1, "T.61 String"},
+ { DEFN_VTXS, -1, "Videotex String"},
+ { DEFN_IA5S, -1, "IA5 String"},
+ { DEFN_UTCT, -1, "UTCTime"},
+ { DEFN_GENT, -1, "Generalized Time"},
+ { DEFN_GFXS, -1, "Graphics string (ISO2375)"},
+ { DEFN_VISS, -1, "Visible string"},
+ { DEFN_GENS, -1, "General string"},
+ { DEFN_CHRS, -1, "Character string"},
+ { -1, -1, 0}
+};
#ifdef KRB5
struct typestring_table krb5_types[] = {
- { 1, -1, "Krb5 Ticket"},
- { 2, -1, "Krb5 Autenticator"},
- { 3, -1, "Krb5 Encrypted ticket part"},
- { 10, -1, "Krb5 AS-REQ packet"},
- { 11, -1, "Krb5 AS-REP packet"},
- { 12, -1, "Krb5 TGS-REQ packet"},
- { 13, -1, "Krb5 TGS-REP packet"},
- { 14, -1, "Krb5 AP-REQ packet"},
- { 15, -1, "Krb5 AP-REP packet"},
- { 20, -1, "Krb5 SAFE packet"},
- { 21, -1, "Krb5 PRIV packet"},
- { 22, -1, "Krb5 CRED packet"},
- { 30, -1, "Krb5 ERROR packet"},
- { 25, -1, "Krb5 Encrypted AS-REP part"},
- { 26, -1, "Krb5 Encrypted TGS-REP part"},
- { 27, -1, "Krb5 Encrypted AP-REP part"},
- { 28, -1, "Krb5 Encrypted PRIV part"},
- { 29, -1, "Krb5 Encrypted CRED part"},
- { -1, -1, 0}
+ { 1, -1, "Krb5 Ticket"},
+ { 2, -1, "Krb5 Autenticator"},
+ { 3, -1, "Krb5 Encrypted ticket part"},
+ { 10, -1, "Krb5 AS-REQ packet"},
+ { 11, -1, "Krb5 AS-REP packet"},
+ { 12, -1, "Krb5 TGS-REQ packet"},
+ { 13, -1, "Krb5 TGS-REP packet"},
+ { 14, -1, "Krb5 AP-REQ packet"},
+ { 15, -1, "Krb5 AP-REP packet"},
+ { 20, -1, "Krb5 SAFE packet"},
+ { 21, -1, "Krb5 PRIV packet"},
+ { 22, -1, "Krb5 CRED packet"},
+ { 30, -1, "Krb5 ERROR packet"},
+ { 25, -1, "Krb5 Encrypted AS-REP part"},
+ { 26, -1, "Krb5 Encrypted TGS-REP part"},
+ { 27, -1, "Krb5 Encrypted AP-REP part"},
+ { 28, -1, "Krb5 Encrypted PRIV part"},
+ { 29, -1, "Krb5 Encrypted CRED part"},
+ { -1, -1, 0}
};
struct typestring_table krb5_fields[] = {
- { 1000, 0, "name-type"}, /* PrincipalName */
- { 1000, 1, "name-string"},
+ { 1000, 0, "name-type"}, /* PrincipalName */
+ { 1000, 1, "name-string"},
- { 1001, 0, "etype"}, /* Encrypted data */
- { 1001, 1, "kvno"},
- { 1001, 2, "cipher"},
+ { 1001, 0, "etype"}, /* Encrypted data */
+ { 1001, 1, "kvno"},
+ { 1001, 2, "cipher"},
- { 1002, 0, "addr-type"}, /* HostAddress */
- { 1002, 1, "address"},
+ { 1002, 0, "addr-type"}, /* HostAddress */
+ { 1002, 1, "address"},
- { 1003, 0, "addr-type"}, /* HostAddresses */
- { 1003, 1, "address"},
+ { 1003, 0, "addr-type"}, /* HostAddresses */
+ { 1003, 1, "address"},
- { 1004, 0, "ad-type"}, /* AuthorizationData */
- { 1004, 1, "ad-data"},
+ { 1004, 0, "ad-type"}, /* AuthorizationData */
+ { 1004, 1, "ad-data"},
- { 1005, 0, "keytype"}, /* EncryptionKey */
- { 1005, 1, "keyvalue"},
+ { 1005, 0, "keytype"}, /* EncryptionKey */
+ { 1005, 1, "keyvalue"},
- { 1006, 0, "cksumtype"}, /* Checksum */
- { 1006, 1, "checksum"},
+ { 1006, 0, "cksumtype"}, /* Checksum */
+ { 1006, 1, "checksum"},
- { 1007, 0, "kdc-options"}, /* KDC-REQ-BODY */
- { 1007, 1, "cname", 1000},
- { 1007, 2, "realm"},
- { 1007, 3, "sname", 1000},
- { 1007, 4, "from"},
- { 1007, 5, "till"},
- { 1007, 6, "rtime"},
- { 1007, 7, "nonce"},
- { 1007, 8, "etype"},
- { 1007, 9, "addresses", 1003},
- { 1007, 10, "enc-authorization-data", 1001},
- { 1007, 11, "additional-tickets"},
+ { 1007, 0, "kdc-options"}, /* KDC-REQ-BODY */
+ { 1007, 1, "cname", 1000},
+ { 1007, 2, "realm"},
+ { 1007, 3, "sname", 1000},
+ { 1007, 4, "from"},
+ { 1007, 5, "till"},
+ { 1007, 6, "rtime"},
+ { 1007, 7, "nonce"},
+ { 1007, 8, "etype"},
+ { 1007, 9, "addresses", 1003},
+ { 1007, 10, "enc-authorization-data", 1001},
+ { 1007, 11, "additional-tickets"},
- { 1008, 1, "padata-type"}, /* PA-DATA */
- { 1008, 2, "pa-data"},
+ { 1008, 1, "padata-type"}, /* PA-DATA */
+ { 1008, 2, "pa-data"},
- { 1009, 0, "user-data"}, /* KRB-SAFE-BODY */
- { 1009, 1, "timestamp"},
- { 1009, 2, "usec"},
- { 1009, 3, "seq-number"},
- { 1009, 4, "s-address", 1002},
- { 1009, 5, "r-address", 1002},
+ { 1009, 0, "user-data"}, /* KRB-SAFE-BODY */
+ { 1009, 1, "timestamp"},
+ { 1009, 2, "usec"},
+ { 1009, 3, "seq-number"},
+ { 1009, 4, "s-address", 1002},
+ { 1009, 5, "r-address", 1002},
- { 1010, 0, "lr-type"}, /* LastReq */
- { 1010, 1, "lr-value"},
+ { 1010, 0, "lr-type"}, /* LastReq */
+ { 1010, 1, "lr-value"},
- { 1011, 0, "key", 1005}, /* KRB-CRED-INFO */
- { 1011, 1, "prealm"},
- { 1011, 2, "pname", 1000},
- { 1011, 3, "flags"},
- { 1011, 4, "authtime"},
- { 1011, 5, "startime"},
- { 1011, 6, "endtime"},
- { 1011, 7, "renew-till"},
- { 1011, 8, "srealm"},
- { 1011, 9, "sname", 1000},
- { 1011, 10, "caddr", 1002},
+ { 1011, 0, "key", 1005}, /* KRB-CRED-INFO */
+ { 1011, 1, "prealm"},
+ { 1011, 2, "pname", 1000},
+ { 1011, 3, "flags"},
+ { 1011, 4, "authtime"},
+ { 1011, 5, "startime"},
+ { 1011, 6, "endtime"},
+ { 1011, 7, "renew-till"},
+ { 1011, 8, "srealm"},
+ { 1011, 9, "sname", 1000},
+ { 1011, 10, "caddr", 1002},
- { 1, 0, "tkt-vno"}, /* Ticket */
- { 1, 1, "realm"},
- { 1, 2, "sname", 1000},
- { 1, 3, "tkt-enc-part", 1001},
+ { 1, 0, "tkt-vno"}, /* Ticket */
+ { 1, 1, "realm"},
+ { 1, 2, "sname", 1000},
+ { 1, 3, "tkt-enc-part", 1001},
- { 2, 0, "authenticator-vno"}, /* Authenticator */
- { 2, 1, "crealm"},
- { 2, 2, "cname", 1000},
- { 2, 3, "cksum", 1006},
- { 2, 4, "cusec"},
- { 2, 5, "ctime"},
- { 2, 6, "subkey", 1005},
- { 2, 7, "seq-number"},
- { 2, 8, "authorization-data", 1004},
+ { 2, 0, "authenticator-vno"}, /* Authenticator */
+ { 2, 1, "crealm"},
+ { 2, 2, "cname", 1000},
+ { 2, 3, "cksum", 1006},
+ { 2, 4, "cusec"},
+ { 2, 5, "ctime"},
+ { 2, 6, "subkey", 1005},
+ { 2, 7, "seq-number"},
+ { 2, 8, "authorization-data", 1004},
- { 3, 0, "flags"}, /* EncTicketPart */
- { 3, 1, "key", 1005},
- { 3, 2, "crealm"},
- { 3, 3, "cname", 1000},
- { 3, 4, "transited"},
- { 3, 5, "authtime"},
- { 3, 6, "starttime"},
- { 3, 7, "endtime"},
- { 3, 8, "renew-till"},
- { 3, 9, "caddr", 1003},
- { 3, 10, "authorization-data", 1004},
+ { 3, 0, "flags"}, /* EncTicketPart */
+ { 3, 1, "key", 1005},
+ { 3, 2, "crealm"},
+ { 3, 3, "cname", 1000},
+ { 3, 4, "transited"},
+ { 3, 5, "authtime"},
+ { 3, 6, "starttime"},
+ { 3, 7, "endtime"},
+ { 3, 8, "renew-till"},
+ { 3, 9, "caddr", 1003},
+ { 3, 10, "authorization-data", 1004},
- { 10, 1, "pvno"}, /* AS-REQ */
- { 10, 2, "msg-type"},
- { 10, 3, "padata", 1008},
- { 10, 4, "req-body", 1007},
+ { 10, 1, "pvno"}, /* AS-REQ */
+ { 10, 2, "msg-type"},
+ { 10, 3, "padata", 1008},
+ { 10, 4, "req-body", 1007},
- { 11, 0, "pvno"}, /* AS-REP */
- { 11, 1, "msg-type"},
- { 11, 2, "padata", 1008},
- { 11, 3, "crealm"},
- { 11, 4, "cname", 1000},
- { 11, 5, "ticket"},
- { 11, 6, "enc-part", 1001},
+ { 11, 0, "pvno"}, /* AS-REP */
+ { 11, 1, "msg-type"},
+ { 11, 2, "padata", 1008},
+ { 11, 3, "crealm"},
+ { 11, 4, "cname", 1000},
+ { 11, 5, "ticket"},
+ { 11, 6, "enc-part", 1001},
- { 12, 1, "pvno"}, /* TGS-REQ */
- { 12, 2, "msg-type"},
- { 12, 3, "padata", 1008},
- { 12, 4, "req-body", 1007},
+ { 12, 1, "pvno"}, /* TGS-REQ */
+ { 12, 2, "msg-type"},
+ { 12, 3, "padata", 1008},
+ { 12, 4, "req-body", 1007},
- { 13, 0, "pvno"}, /* TGS-REP */
- { 13, 1, "msg-type"},
- { 13, 2, "padata", 1008},
- { 13, 3, "crealm"},
- { 13, 4, "cname", 1000},
- { 13, 5, "ticket"},
- { 13, 6, "enc-part", 1001},
+ { 13, 0, "pvno"}, /* TGS-REP */
+ { 13, 1, "msg-type"},
+ { 13, 2, "padata", 1008},
+ { 13, 3, "crealm"},
+ { 13, 4, "cname", 1000},
+ { 13, 5, "ticket"},
+ { 13, 6, "enc-part", 1001},
- { 14, 0, "pvno"}, /* AP-REQ */
- { 14, 1, "msg-type"},
- { 14, 2, "ap-options"},
- { 14, 3, "ticket"},
- { 14, 4, "authenticator", 1001},
+ { 14, 0, "pvno"}, /* AP-REQ */
+ { 14, 1, "msg-type"},
+ { 14, 2, "ap-options"},
+ { 14, 3, "ticket"},
+ { 14, 4, "authenticator", 1001},
- { 15, 0, "pvno"}, /* AP-REP */
- { 15, 1, "msg-type"},
- { 15, 2, "enc-part", 1001},
+ { 15, 0, "pvno"}, /* AP-REP */
+ { 15, 1, "msg-type"},
+ { 15, 2, "enc-part", 1001},
- { 20, 0, "pvno"}, /* KRB-SAFE */
- { 20, 1, "msg-type"},
- { 20, 2, "safe-body", 1009},
- { 20, 3, "cksum", 1006},
+ { 20, 0, "pvno"}, /* KRB-SAFE */
+ { 20, 1, "msg-type"},
+ { 20, 2, "safe-body", 1009},
+ { 20, 3, "cksum", 1006},
- { 21, 0, "pvno"}, /* KRB-PRIV */
- { 21, 1, "msg-type"},
- { 21, 2, "enc-part", 1001},
+ { 21, 0, "pvno"}, /* KRB-PRIV */
+ { 21, 1, "msg-type"},
+ { 21, 2, "enc-part", 1001},
- { 22, 0, "pvno"}, /* KRB-CRED */
- { 22, 1, "msg-type"},
- { 22, 2, "tickets"},
- { 22, 3, "enc-part", 1001},
+ { 22, 0, "pvno"}, /* KRB-CRED */
+ { 22, 1, "msg-type"},
+ { 22, 2, "tickets"},
+ { 22, 3, "enc-part", 1001},
- { 25, 0, "key", 1005}, /* EncASRepPart */
- { 25, 1, "last-req", 1010},
- { 25, 2, "nonce"},
- { 25, 3, "key-expiration"},
- { 25, 4, "flags"},
- { 25, 5, "authtime"},
- { 25, 6, "starttime"},
- { 25, 7, "enddtime"},
- { 25, 8, "renew-till"},
- { 25, 9, "srealm"},
- { 25, 10, "sname", 1000},
- { 25, 11, "caddr", 1003},
+ { 25, 0, "key", 1005}, /* EncASRepPart */
+ { 25, 1, "last-req", 1010},
+ { 25, 2, "nonce"},
+ { 25, 3, "key-expiration"},
+ { 25, 4, "flags"},
+ { 25, 5, "authtime"},
+ { 25, 6, "starttime"},
+ { 25, 7, "enddtime"},
+ { 25, 8, "renew-till"},
+ { 25, 9, "srealm"},
+ { 25, 10, "sname", 1000},
+ { 25, 11, "caddr", 1003},
- { 26, 0, "key", 1005}, /* EncTGSRepPart */
- { 26, 1, "last-req", 1010},
- { 26, 2, "nonce"},
- { 26, 3, "key-expiration"},
- { 26, 4, "flags"},
- { 26, 5, "authtime"},
- { 26, 6, "starttime"},
- { 26, 7, "enddtime"},
- { 26, 8, "renew-till"},
- { 26, 9, "srealm"},
- { 26, 10, "sname", 1000},
- { 26, 11, "caddr", 1003},
+ { 26, 0, "key", 1005}, /* EncTGSRepPart */
+ { 26, 1, "last-req", 1010},
+ { 26, 2, "nonce"},
+ { 26, 3, "key-expiration"},
+ { 26, 4, "flags"},
+ { 26, 5, "authtime"},
+ { 26, 6, "starttime"},
+ { 26, 7, "enddtime"},
+ { 26, 8, "renew-till"},
+ { 26, 9, "srealm"},
+ { 26, 10, "sname", 1000},
+ { 26, 11, "caddr", 1003},
- { 27, 0, "ctime"}, /* EncApRepPart */
- { 27, 1, "cusec"},
- { 27, 2, "subkey", 1005},
- { 27, 3, "seq-number"},
+ { 27, 0, "ctime"}, /* EncApRepPart */
+ { 27, 1, "cusec"},
+ { 27, 2, "subkey", 1005},
+ { 27, 3, "seq-number"},
- { 28, 0, "user-data"}, /* EncKrbPrivPart */
- { 28, 1, "timestamp"},
- { 28, 2, "usec"},
- { 28, 3, "seq-number"},
- { 28, 4, "s-address", 1002},
- { 28, 5, "r-address", 1002},
+ { 28, 0, "user-data"}, /* EncKrbPrivPart */
+ { 28, 1, "timestamp"},
+ { 28, 2, "usec"},
+ { 28, 3, "seq-number"},
+ { 28, 4, "s-address", 1002},
+ { 28, 5, "r-address", 1002},
- { 29, 0, "ticket-info", 1011}, /* EncKrbCredPart */
- { 29, 1, "nonce"},
- { 29, 2, "timestamp"},
- { 29, 3, "usec"},
- { 29, 4, "s-address", 1002},
- { 29, 5, "r-address", 1002},
+ { 29, 0, "ticket-info", 1011}, /* EncKrbCredPart */
+ { 29, 1, "nonce"},
+ { 29, 2, "timestamp"},
+ { 29, 3, "usec"},
+ { 29, 4, "s-address", 1002},
+ { 29, 5, "r-address", 1002},
- { 30, 0, "pvno"}, /* KRB-ERROR */
- { 30, 1, "msg-type"},
- { 30, 2, "ctime"},
- { 30, 3, "cusec"},
- { 30, 4, "stime"},
- { 30, 5, "susec"},
- { 30, 6, "error-code"},
- { 30, 7, "crealm"},
- { 30, 8, "cname", 1000},
- { 30, 9, "realm"},
- { 30, 10, "sname", 1000},
- { 30, 11, "e-text"},
- { 30, 12, "e-data"},
+ { 30, 0, "pvno"}, /* KRB-ERROR */
+ { 30, 1, "msg-type"},
+ { 30, 2, "ctime"},
+ { 30, 3, "cusec"},
+ { 30, 4, "stime"},
+ { 30, 5, "susec"},
+ { 30, 6, "error-code"},
+ { 30, 7, "crealm"},
+ { 30, 8, "cname", 1000},
+ { 30, 9, "realm"},
+ { 30, 10, "sname", 1000},
+ { 30, 11, "e-text"},
+ { 30, 12, "e-data"},
- { -1, -1, 0}
+ { -1, -1, 0}
};
#endif
void print_tag_type(fp, eid, lev)
- FILE *fp;
- int eid;
- int lev;
+ FILE *fp;
+ int eid;
+ int lev;
{
- int tag = eid & ID_TAG;
- int do_space = 1;
- char *str;
+ int tag = eid & ID_TAG;
+ int do_space = 1;
+ char *str;
- fprintf(fp, "[");
+ fprintf(fp, "[");
- switch(eid & ID_CLASS) {
- case CLASS_UNIV:
- if (print_types && print_skip_tagnum)
- do_space = 0;
- else
- fprintf(fp, "UNIV %d", tag);
+ switch(eid & ID_CLASS) {
+ case CLASS_UNIV:
+ if (print_types && print_skip_tagnum)
+ do_space = 0;
+ else
+ fprintf(fp, "UNIV %d", tag);
+ break;
+ case CLASS_APPL:
+ current_appl_type = tag;
+#ifdef KRB5
+ if (print_krb5_types) {
+ str = lookup_typestring(krb5_types, tag, -1);
+ if (str) {
+ fputs(str, fp);
break;
- case CLASS_APPL:
- current_appl_type = tag;
-#ifdef KRB5
- if (print_krb5_types) {
- str = lookup_typestring(krb5_types, tag, -1);
- if (str) {
- fputs(str, fp);
- break;
- }
- }
+ }
+ }
#endif
- fprintf(fp, "APPL %d", tag);
- break;
- case CLASS_CONT:
+ fprintf(fp, "APPL %d", tag);
+ break;
+ case CLASS_CONT:
#ifdef KRB5
- if (print_krb5_types && current_appl_type) {
- str = lookup_typestring(krb5_fields,
- current_appl_type, tag);
- if (str) {
- fputs(str, fp);
- break;
- }
- }
-#endif
- if (print_skip_context && lev)
- fprintf(fp, "%d", tag);
- else
- fprintf(fp, "CONT %d", tag);
+ if (print_krb5_types && current_appl_type) {
+ str = lookup_typestring(krb5_fields,
+ current_appl_type, tag);
+ if (str) {
+ fputs(str, fp);
break;
- case CLASS_PRIV:
- fprintf(fp, "PRIV %d", tag);
- break;
+ }
}
+#endif
+ if (print_skip_context && lev)
+ fprintf(fp, "%d", tag);
+ else
+ fprintf(fp, "CONT %d", tag);
+ break;
+ case CLASS_PRIV:
+ fprintf(fp, "PRIV %d", tag);
+ break;
+ }
- if (print_types && ((eid & ID_CLASS) == CLASS_UNIV)) {
- if (do_space)
- fputs(" ", fp);
- str = lookup_typestring(univ_types, eid & ID_TAG, -1);
- if (str)
- fputs(str, fp);
- else
- fprintf(fp, "UNIV %d???", eid & ID_TAG);
- }
+ if (print_types && ((eid & ID_CLASS) == CLASS_UNIV)) {
+ if (do_space)
+ fputs(" ", fp);
+ str = lookup_typestring(univ_types, eid & ID_TAG, -1);
+ if (str)
+ fputs(str, fp);
+ else
+ fprintf(fp, "UNIV %d???", eid & ID_TAG);
+ }
- fprintf(fp, "] ");
+ fprintf(fp, "] ");
}
Modified: branches/mkey_migrate/src/tests/asn.1/trval_reference.out
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/trval_reference.out 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/trval_reference.out 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1196,3 +1196,53 @@
. [5] [Integer] 5517840
. [6] [Generalized Time] "19940610060317Z"
+encode_krb5_sam_key:
+
+[Sequence/Sequence Of]
+. [0] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Octet String] "12345678"
+
+encode_krb5_enc_sam_response_enc:
+
+[Sequence/Sequence Of]
+. [0] [Integer] 78634
+. [1] [Generalized Time] "19700102034639Z"
+. [2] [Integer] 399
+. [3] [Octet String] "enc_sam_response_enc"
+
+encode_krb5_predicted_sam_response:
+
+[Sequence/Sequence Of]
+. [0] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Octet String] "12345678"
+. [1] [Bit String] 0x9
+. [2] [Generalized Time] "19700101000017Z"
+. [3] [Integer] 18
+. [4] [General string] "ATHENA.MIT.EDU"
+. [5] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Sequence/Sequence Of]
+. . . [General string] "hftsai"
+. . . [General string] "extra"
+. [6] [Octet String] "hello"
+
+encode_krb5_sam_response_2:
+
+[Sequence/Sequence Of]
+. [0] [Integer] 43
+. [1] [Bit String] 0x80000000
+. [2] [Octet String] "track data"
+. [3] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Integer] 3382
+. . [2] [Octet String] "nonce or sad"
+. [4] [Integer] 5517840
+
+encode_krb5_enc_sam_response_enc_2:
+
+[Sequence/Sequence Of]
+. [0] [Integer] 88
+. [1] [Octet String] "enc_sam_response_enc_2"
+
Modified: branches/mkey_migrate/src/tests/asn.1/utility.c
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/utility.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/utility.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -4,61 +4,61 @@
#include <stdio.h>
#include <ctype.h>
+krb5int_access acc;
+
char hexchar (const unsigned int digit);
asn1_error_code asn1_krb5_data_unparse(code, s)
- const krb5_data * code;
- char ** s;
+ const krb5_data * code;
+ char ** s;
{
- if(*s != NULL) free(*s);
+ if (*s != NULL) free(*s);
- if(code==NULL){
- *s = (char*)calloc(strlen("<NULL>")+1, sizeof(char));
- if(*s == NULL) return ENOMEM;
- strcpy(*s,"<NULL>");
- }else if(code->data == NULL || ((int) code->length) <= 0){
- *s = (char*)calloc(strlen("<EMPTY>")+1, sizeof(char));
- if(*s==NULL) return ENOMEM;
- strcpy(*s,"<EMPTY>");
- }else{
- int i;
+ if (code==NULL) {
+ *s = strdup("<NULL>");
+ if (*s == NULL) return ENOMEM;
+ } else if (code->data == NULL || ((int) code->length) <= 0) {
+ *s = strdup("<EMPTY>");
+ if (*s==NULL) return ENOMEM;
+ } else {
+ unsigned int i;
- *s = (char*)calloc((size_t) 3*(code->length), sizeof(char));
- if(*s == NULL) return ENOMEM;
- for(i = 0; i < code->length; i++){
- (*s)[3*i] = hexchar((unsigned char) (((code->data)[i]&0xF0)>>4));
- (*s)[3*i+1] = hexchar((unsigned char) ((code->data)[i]&0x0F));
- (*s)[3*i+2] = ' ';
+ *s = (char*)calloc((size_t) 3*(code->length), sizeof(char));
+ if (*s == NULL) return ENOMEM;
+ for (i = 0; i < code->length; i++) {
+ (*s)[3*i] = hexchar((unsigned char) (((code->data)[i]&0xF0)>>4));
+ (*s)[3*i+1] = hexchar((unsigned char) ((code->data)[i]&0x0F));
+ (*s)[3*i+2] = ' ';
+ }
+ (*s)[3*(code->length)-1] = '\0';
}
- (*s)[3*(code->length)-1] = '\0';
- }
- return 0;
+ return 0;
}
char hexchar(digit)
- const unsigned int digit;
+ const unsigned int digit;
{
- if(digit<=9)
- return '0'+digit;
- else if(digit<=15)
- return 'A'+digit-10;
- else
- return 'X';
+ if (digit<=9)
+ return '0'+digit;
+ else if (digit<=15)
+ return 'A'+digit-10;
+ else
+ return 'X';
}
krb5_error_code krb5_data_parse(d, s)
- krb5_data * d;
- const char * s;
+ krb5_data * d;
+ const char * s;
{
- /*if(d->data != NULL){
- free(d->data);
- d->length = 0;
- }*/
- d->data = (char*)calloc(strlen(s),sizeof(char));
- if(d->data == NULL) return ENOMEM;
- d->length = strlen(s);
- memcpy(d->data,s,strlen(s));
- return 0;
+ /*if (d->data != NULL) {
+ free(d->data);
+ d->length = 0;
+ }*/
+ d->data = (char*)calloc(strlen(s),sizeof(char));
+ if (d->data == NULL) return ENOMEM;
+ d->length = strlen(s);
+ memcpy(d->data,s,strlen(s));
+ return 0;
}
krb5_error_code krb5_data_hex_parse(krb5_data *d, const char *s)
@@ -99,27 +99,37 @@
#if 0
void asn1buf_print(buf)
- const asn1buf * buf;
+ const asn1buf * buf;
{
- asn1buf bufcopy;
- char *s=NULL;
- int length;
- int i;
+ asn1buf bufcopy;
+ char *s=NULL;
+ int length;
+ int i;
- bufcopy.base = bufcopy.next = buf->next;
- bufcopy.bound = buf->bound;
- length = asn1buf_len(&bufcopy);
+ bufcopy.base = bufcopy.next = buf->next;
+ bufcopy.bound = buf->bound;
+ length = asn1buf_len(&bufcopy);
- s = calloc(3*length, sizeof(char));
- if(s == NULL) return;
- for(i=0; i<length; i++){
- s[3*i] = hexchar(((bufcopy.base)[i]&0xF0)>>4);
- s[3*i+1] = hexchar((bufcopy.base)[i]&0x0F);
- s[3*i+2] = ' ';
- }
- s[3*length-1] = '\0';
+ s = calloc(3*length, sizeof(char));
+ if (s == NULL) return;
+ for (i=0; i<length; i++) {
+ s[3*i] = hexchar(((bufcopy.base)[i]&0xF0)>>4);
+ s[3*i+1] = hexchar((bufcopy.base)[i]&0x0F);
+ s[3*i+2] = ' ';
+ }
+ s[3*length-1] = '\0';
- printf("%s\n",s);
- free(s);
+ printf("%s\n",s);
+ free(s);
}
#endif
+
+void init_access(const char *progname)
+{
+ krb5_error_code ret;
+ ret = krb5int_accessor(&acc, KRB5INT_ACCESS_VERSION);
+ if (ret) {
+ com_err(progname, ret, "while initializing accessor");
+ exit(1);
+ }
+}
Modified: branches/mkey_migrate/src/tests/asn.1/utility.h
===================================================================
--- branches/mkey_migrate/src/tests/asn.1/utility.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/asn.1/utility.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -3,6 +3,7 @@
#include "krbasn1.h"
#include "asn1buf.h"
+#include "k5-int.h"
asn1_error_code asn1_krb5_data_unparse
(const krb5_data *code, char **s);
@@ -28,4 +29,7 @@
void asn1buf_print
(const asn1buf *buf);
+extern krb5int_access acc;
+extern void init_access(const char *progname);
+
#endif
Modified: branches/mkey_migrate/src/tests/create/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/create/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/create/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -19,17 +19,3 @@
clean::
$(RM) kdb5_mkdums.o kdb5_mkdums
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdb5_mkdums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SS_DEPS) kdb5_mkdums.c
Copied: branches/mkey_migrate/src/tests/create/deps (from rev 21721, trunk/src/tests/create/deps)
Modified: branches/mkey_migrate/src/tests/create/kdb5_mkdums.c
===================================================================
--- branches/mkey_migrate/src/tests/create/kdb5_mkdums.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/create/kdb5_mkdums.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -96,6 +96,7 @@
int num_to_create;
char principal_string[BUFSIZ];
char *suffix = 0;
+ size_t suffix_size;
int depth;
krb5_init_context(&test_context);
@@ -121,6 +122,8 @@
strncpy(principal_string, optarg, sizeof(principal_string) - 1);
principal_string[sizeof(principal_string) - 1] = '\0';
suffix = principal_string + strlen(principal_string);
+ suffix_size = sizeof(principal_string) -
+ (suffix - principal_string);
break;
case 'n': /* how many to create */
num_to_create = atoi(optarg);
@@ -175,14 +178,15 @@
/* build the new principal name */
/* we can't pick random names because we need to generate all the names
again given a prefix and count to test the db lib and kdb */
- (void) sprintf(suffix, "%d", n);
- (void) sprintf(tmp, "%s-DEPTH-1", principal_string);
+ (void) snprintf(suffix, suffix_size, "%d", n);
+ (void) snprintf(tmp, sizeof(tmp), "%s-DEPTH-1", principal_string);
tmp[sizeof(tmp) - 1] = '\0';
str_newprinc = tmp;
add_princ(test_context, str_newprinc);
for (i = 2; i <= depth; i++) {
- (void) sprintf(tmp2, "/%s-DEPTH-%d", principal_string, i);
+ (void) snprintf(tmp2, sizeof(tmp2), "/%s-DEPTH-%d",
+ principal_string, i);
tmp2[sizeof(tmp2) - 1] = '\0';
strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp));
str_newprinc = tmp;
@@ -215,7 +219,7 @@
char princ_name[4096];
memset((char *)&newentry, 0, sizeof(newentry));
- sprintf(princ_name, "%s@%s", str_newprinc, cur_realm);
+ snprintf(princ_name, sizeof(princ_name), "%s@%s", str_newprinc, cur_realm);
if ((retval = krb5_parse_name(context, princ_name, &newprinc))) {
com_err(progname, retval, "while parsing '%s'", princ_name);
return;
@@ -375,12 +379,10 @@
}
/* Pathname is passed to db2 via 'args' parameter. */
args[1] = NULL;
- args[0] = malloc(sizeof("dbname=") + strlen(dbname));
- if (args[0] == NULL) {
+ if (asprintf(&args[0], "dbname=%s", dbname) < 0) {
com_err(pname, errno, "while setting up db parameters");
return 1;
}
- sprintf(args[0], "dbname=%s", dbname);
if ((retval = krb5_db_open(test_context, args, KRB5_KDB_OPEN_RO))) {
com_err(pname, retval, "while initializing database");
Modified: branches/mkey_migrate/src/tests/dejagnu/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -7,7 +7,6 @@
KRB5_RUN_ENV= @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-KRB4_RUNTESTFLAGS=@KRB4_DEJAGNU_TEST@
SRCS=$(srcdir)/t_inetd.c
@@ -21,8 +20,9 @@
@echo "+++ runtest is unavailable."
@echo "+++"
+# Set VALGRIND at run time, that may be changed when running 'make'.
check-runtest-yes:: t_inetd site.exp
- $(RUNTEST) --tool krb --srcdir $(srcdir) $(KRB4_RUNTESTFLAGS) PRIOCNTL_HACK=@PRIOCNTL_HACK@ VALGRIND="$(VALGRIND)" $(RUNTESTFLAGS)
+ $(RUNTEST) --tool krb --srcdir $(srcdir) VALGRIND="$(VALGRIND)" $(RUNTESTFLAGS)
t_inetd:: t_inetd.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_inetd t_inetd.o $(KRB5_BASE_LIBS)
@@ -45,11 +45,5 @@
echo "set runvarlist [list `cat runenv.vals | tr '\n' ' '`]" | \
sed -e 's%=\.%='`pwd`'/.%g' > site.exp
echo "set KRB5_DB_MODULE_DIR {$(KRB5_DB_MODULE_DIR)}" >> site.exp
+ echo "set PRIOCNTL_HACK @PRIOCNTL_HACK@" >> site.exp
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)t_inetd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(COM_ERR_DEPS) t_inetd.c
Modified: branches/mkey_migrate/src/tests/dejagnu/config/default.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/config/default.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/config/default.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -180,18 +180,6 @@
{dummy=[verbose -log "AES + DES enctypes"]}
}
{
- aes-tcp
- mode=tcp
- des3_krbtgt=0
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
- {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal}
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
- {master_key_type=aes256-cts-hmac-sha1-96}
- {dummy=[verbose -log "AES via TCP"]}
- }
- {
aes-des3
mode=udp
des3_krbtgt=0
@@ -351,6 +339,18 @@
}
{dummy=[verbose -log "DES3 TGT, default enctypes"]}
}
+ {
+ aes-tcp
+ mode=tcp
+ des3_krbtgt=0
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+ {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
+ {master_key_type=aes256-cts-hmac-sha1-96}
+ {dummy=[verbose -log "AES via TCP"]}
+ }
}
# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
# {kdc_supported_enctypes= des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
@@ -408,8 +408,25 @@
# Clear away any files left over from a previous run.
# We can't use them now because we don't know the right KEY.
# krb5.conf might change if running tests on another host
-catch "exec rm -f $tmppwd/db.ok $tmppwd/srvtab $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/cpw_srvtab $tmppwd/krb.realms $tmppwd/krb.conf"
+file delete $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/slave.conf \
+ $tmppwd/krb.realms $tmppwd/krb.conf \
+ $tmppwd/krb5.client.conf $tmppwd/krb5.server.conf \
+ $tmppwd/krb5.kdc.conf $tmppwd/krb5.slave.conf
+proc delete_db {} {
+ global tmppwd
+ # Master and slave db files
+ file delete $tmppwd/kdc-db $tmppwd/kdc-db.ok $tmppwd/kdc-db.kadm5 \
+ $tmppwd/kdc-db.kadm5.lock \
+ $tmppwd/kdc-db.ulog \
+ $tmppwd/slave-db $tmppwd/slave-db.ok $tmppwd/slave-db.kadm5 $tmppwd/slave-db.kadm5.lock \
+ $tmppwd/slave-db~ $tmppwd/slave-db~.ok $tmppwd/slave-db~.kadm5 $tmppwd/slave-db~.kadm5.lock
+ # Creating a new database means we need a new srvtab.
+ file delete $tmppwd/srvtab $tmppwd/cpw_srvtab
+}
+
+delete_db
+
# Put the installed kerberos directories on PATH.
# This needs to be fixed for V5.
# set env(PATH) $env(PATH):/usr/kerberos/bin:/usr/kerberos/etc
@@ -450,6 +467,10 @@
{KDESTROY $objdir/../../clients/kdestroy/kdestroy}
{RESOLVE $objdir/../resolve/resolve}
{T_INETD $objdir/t_inetd}
+ {KPROPLOG $objdir/../../slave/kproplog}
+ {KPASSWD $objdir/../../clients/kpasswd/kpasswd}
+ {KPROPD $objdir/../../slave/kpropd}
+ {KPROP $objdir/../../slave/kprop}
} {
set varname [lindex $i 0]
if ![info exists $varname] {
@@ -488,6 +509,23 @@
stop_kerberos_daemons;
} [exit -onexit]]
+# run_once
+
+# Many tests are independent of the actual enctypes used, which is
+# what our passes are (currently) all about. Use this to prevent
+# multiple invocations. If a test depends on, say, the master key
+# type but nothing else, you could also use the master key type in the
+# tag name, and avoid redundant tests in additional passes using the
+# same master key type.
+
+proc run_once { tag body } {
+ global run_once_tags
+ if ![info exists run_once_tags($tag)] {
+ set run_once_tags($tag) 1
+ uplevel 1 $body
+ }
+}
+
# check_k5login
# Most of the tests won't work if the user has a .k5login file, unless
@@ -562,11 +600,11 @@
}
# check_exit_status
-# Check the exit status of a spawned program. Returns 1 if the
-# program succeeded, 0 if it failed.
+# Check the exit status of a spawned program (using the caller's value
+# of spawn_id). Returns 1 if the program succeeded, 0 if it failed.
proc check_exit_status { testname } {
- global spawn_id
+ upvar 1 spawn_id spawn_id
verbose "about to wait ($testname)"
set status_list [wait -i $spawn_id]
@@ -734,7 +772,7 @@
return 0
}
close $file
- catch "exec rm -f $tmppwd/hostname" exec_output
+ file delete $tmppwd/hostname
regexp "^(\[^.\]*)\\.(.*)$" $hostname foo localhostname domain
set hostname [string tolower $hostname]
@@ -751,7 +789,10 @@
global KADMIN_LOCAL
global REALMNAME
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
eof {
fail "modprinc (kadmin.local)"
@@ -779,14 +820,18 @@
# client tries +1 and +6
# kadmind +4
# kpasswd +5
-# krb524 +7
+# (nothing) +6
# application servers (krlogind, telnetd, krshd, ftpd, etc) +8
+# iprop +9 (if enabled)
+# kpropd +10
if [info exists PORTBASE] {
set portbase $PORTBASE
} else {
set portbase 3085
}
+set ulog 0
+
# setup_kerberos_files
# This procedure will create some Kerberos files which must be created
# manually before trying to run any Kerberos programs. Returns 1 on
@@ -804,6 +849,7 @@
global master_key_type
global mode
global portbase
+ global ulog
if ![get_hostname] {
return 0
@@ -812,6 +858,7 @@
setup_krb5_conf client
setup_krb5_conf server
setup_krb5_conf kdc
+ setup_krb5_conf slave
# Create a kdc.conf file.
if { ![file exists $tmppwd/kdc.conf] \
@@ -829,7 +876,9 @@
# puts $conffile " database_name = $tmppwd/db"
puts $conffile " admin_database_name = $tmppwd/adb"
puts $conffile " admin_database_lockfile = $tmppwd/adb.lock"
- puts $conffile " key_stash_file = $tmppwd/stash"
+ # Testing with a colon in the name exercises default handling
+ # for pathnames.
+ puts $conffile " key_stash_file = $tmppwd/stash:foo"
puts $conffile " acl_file = $tmppwd/acl"
puts $conffile " kadmind_port = [expr 4 + $portbase]"
puts $conffile " kpasswd_port = [expr 5 + $portbase]"
@@ -849,15 +898,74 @@
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
puts $conffile " dict_file = $tmppwd/dictfile"
+ if { $ulog != 0 } {
+ puts $conffile " iprop_enable = true"
+ puts $conffile " iprop_port = [expr 9 + $portbase]"
+ puts $conffile " iprop_logfile = $tmppwd/db.ulog"
+ } else {
+ puts $conffile "# no ulog"
+ }
puts $conffile " \}"
puts $conffile ""
close $conffile
}
+ # Create a config file for the slave KDC (kpropd only, no normal
+ # KDC processes).
+ if { ![file exists $tmppwd/slave.conf] \
+ || $last_passname_conf != $multipass_name } {
+ if ![info exists master_key_type] {
+ set master_key_type des-cbc-md5
+ }
+ set conffile [open $tmppwd/slave.conf w]
+ puts $conffile "\[kdcdefaults\]"
+ puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile ""
+ puts $conffile "\[realms\]"
+ puts $conffile " $REALMNAME = \{"
+# puts $conffile " database_name = $tmppwd/slave-db"
+ puts $conffile " admin_database_name = $tmppwd/slave-adb"
+ puts $conffile " admin_database_lockfile = $tmppwd/slave-adb.lock"
+ # Testing with a colon in the name exercises default handling
+ # for pathnames.
+ puts $conffile " key_stash_file = $tmppwd/slave-stash"
+ puts $conffile " acl_file = $tmppwd/slave-acl"
+ puts $conffile " kadmind_port = [expr 4 + $portbase]"
+ puts $conffile " kpasswd_port = [expr 5 + $portbase]"
+ puts $conffile " max_life = 1:00:00"
+ puts $conffile " max_renewable_life = 3:00:00"
+ puts $conffile " master_key_type = $master_key_type"
+ puts $conffile " master_key_name = master/key"
+ puts $conffile " supported_enctypes = $supported_enctypes"
+ puts $conffile " kdc_supported_enctypes = $kdc_supported_enctypes"
+ if { $mode == "tcp" } {
+ puts $conffile " kdc_ports = [expr 3 + $portbase]"
+ puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
+ } else {
+ puts $conffile " kdc_ports = [expr 1 + $portbase]"
+ puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]"
+ }
+ puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
+ puts $conffile " default_principal_flags = -postdateable forwardable"
+ puts $conffile " dict_file = $tmppwd/dictfile"
+ if { $ulog != 0 } {
+ puts $conffile " iprop_enable = true"
+ puts $conffile " iprop_port = [expr 9 + $portbase]"
+ puts $conffile " iprop_logfile = $tmppwd/slave-db.ulog"
+ } else {
+ puts $conffile "# no ulog"
+ }
+ puts $conffile " \}"
+ puts $conffile ""
+ close $conffile
+ }
+
# Create ACL file.
if ![file exists $tmppwd/acl] {
set aclfile [open $tmppwd/acl w]
puts $aclfile "krbtest/admin@$REALMNAME *"
+ puts $aclfile "kiprop/$hostname@$REALMNAME p"
close $aclfile
}
@@ -888,6 +996,13 @@
return 1
}
+proc reset_kerberos_files { } {
+ global tmppwd
+ file delete $tmppwd/kdc.conf $tmppwd/slave.conf $tmppwd/krb5.client.conf \
+ $tmppwd/krb5.server.conf $tmppwd/krb5.kdc.conf
+ setup_kerberos_files
+}
+
proc setup_krb5_conf { {type client} } {
global tmppwd
global hostname
@@ -923,7 +1038,6 @@
}
puts $conffile " krb4_config = $tmppwd/krb.conf"
puts $conffile " krb4_realms = $tmppwd/krb.realms"
- puts $conffile " krb4_srvtab = $tmppwd/v4srvtab"
if { $mode == "tcp" } {
puts $conffile " udp_preference_limit = 1"
}
@@ -942,7 +1056,6 @@
puts $conffile " admin_server = $hostname:[expr 4 + $portbase]"
puts $conffile " kpasswd_server = $hostname:[expr 5 + $portbase]"
puts $conffile " default_domain = $domain"
- puts $conffile " krb524_server = $hostname:[expr 7 + $portbase]"
puts $conffile " database_module = foo_db2"
puts $conffile " \}"
puts $conffile ""
@@ -959,7 +1072,7 @@
puts $conffile " db_module_dir = $tmppwd/../../../util/fakedest$KRB5_DB_MODULE_DIR"
puts $conffile " foo_db2 = {"
puts $conffile " db_library = db2"
- puts $conffile " database_name = $tmppwd/db"
+ puts $conffile " database_name = $tmppwd/$type-db"
puts $conffile " }"
close $conffile
}
@@ -1015,10 +1128,6 @@
set env(KRB5CCNAME) $tmppwd/tkt
verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- # Direct the Kerberos programs at a local ticket file.
- set env(KRBTKFILE) $tmppwd/tktv4
- verbose "KRBTKFILE=$env(KRBTKFILE)"
-
# Direct the Kerberos server at a cache file stored in the
# temporary directory.
set env(KRB5RCACHEDIR) $tmppwd
@@ -1031,18 +1140,30 @@
# Get the run time environment variables... (including LD_LIBRARY_PATH)
setup_runtime_env
- # Set our kdc config file.
- set env(KRB5_KDC_PROFILE) $tmppwd/kdc.conf
- verbose "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
+ # Set our kdc config file, if needed.
+ switch $type {
+ client -
+ server { catch {unset env(KRB5_KDC_PROFILE)} }
+ kdc { set env(KRB5_KDC_PROFILE) $tmppwd/kdc.conf }
+ slave { set env(KRB5_KDC_PROFILE) $tmppwd/slave.conf }
+ default { error "unknown config file type $type" }
+ }
+ if [info exists env(KRB5_KDC_PROFILE)] {
+ verbose "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
+ }
# Create an environment setup script. (For convenience)
- if ![file exists $tmppwd/env.sh] {
- set envfile [open $tmppwd/env.sh w]
+ if ![file exists $tmppwd/$type-env.sh] {
+ set envfile [open $tmppwd/$type-env.sh w]
puts $envfile "KRB5_CONFIG=$env(KRB5_CONFIG)"
puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)"
puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
puts $envfile "KERBEROS_SERVER=$env(KERBEROS_SERVER)"
- puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
+ if [info exists env(KRB5_KDC_PROFILE)] {
+ puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
+ } else {
+ puts $envfile "unset KRB5_KDC_PROFILE"
+ }
puts $envfile "export KRB5_CONFIG KRB5CCNAME KRB5RCACHEDIR"
puts $envfile "export KERBEROS_SERVER KRB5_KDC_PROFILE"
foreach i $krb5_init_vars {
@@ -1052,13 +1173,17 @@
}
close $envfile
}
- if ![file exists $tmppwd/env.csh] {
- set envfile [open $tmppwd/env.csh w]
+ if ![file exists $tmppwd/$type-env.csh] {
+ set envfile [open $tmppwd/$type-env.csh w]
puts $envfile "setenv KRB5_CONFIG $env(KRB5_CONFIG)"
puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)"
puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)"
puts $envfile "setenv KERBEROS_SERVER $env(KERBEROS_SERVER)"
- puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)"
+ if [info exists env(KRB5_KDC_PROFILE)] {
+ puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)"
+ } else {
+ puts $envfile "unsetenv KRB5_KDC_PROFILE"
+ }
foreach i $krb5_init_vars {
regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
puts $envfile "setenv $evar $env($evar)"
@@ -1109,29 +1234,21 @@
# pass at relevant points. Returns 1 on success, 0 on failure.
proc setup_kerberos_db { standalone } {
- global REALMNAME
- global KDB5_UTIL
- global KADMIN_LOCAL
- global KEY
- global tmppwd
+ global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
+ global tmppwd hostname
global spawn_id
- global des3_krbtgt
- global tgt_support_desmd5
- global multipass_name
- global last_passname_db
+ global des3_krbtgt tgt_support_desmd5
+ global multipass_name last_passname_db
set failall 0
- if {!$standalone && [file exists $tmppwd/db.ok] \
+ if {!$standalone && [file exists $tmppwd/kdc-db.ok] \
&& $last_passname_db == $multipass_name} {
return 1
}
- catch "exec rm -f [glob -nocomplain $tmppwd/db* $tmppwd/adb*]"
+ delete_db
- # Creating a new database means we need a new srvtab.
- catch "exec rm -f $tmppwd/srvtab"
-
envstack_push
if { ![setup_kerberos_files] || ![setup_kerberos_env kdc] } {
set failall 1
@@ -1219,7 +1336,7 @@
if $standalone {
fail $test
} else {
- catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ delete_db
}
} else {
if $standalone {
@@ -1228,8 +1345,6 @@
}
# Add an admin user.
-#send_user "will run: $KADMIN_LOCAL -r $REALMNAME\n"
-#exec xterm
set test "kadmin.local ank krbtest/admin"
set body {
if $failall {
@@ -1267,7 +1382,7 @@
if $standalone {
fail $test
} else {
- catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ delete_db
}
} else {
if $standalone {
@@ -1275,6 +1390,52 @@
}
}
+ # Add an incremental-propagation service.
+ set test "kadmin.local ank kiprop/$hostname"
+ set body {
+ if $failall {
+ break
+ }
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ verbose "starting $test"
+ expect_after $def_exp_after
+
+ expect "kadmin.local: "
+ send "ank kiprop/$hostname@$REALMNAME\r"
+ # It echos...
+ expect "ank kiprop/$hostname@$REALMNAME\r"
+ expect "Enter password for principal \"kiprop/$hostname@$REALMNAME\":"
+ send "kiproppass$KEY\r"
+ expect "Re-enter password for principal \"kiprop/$hostname@$REALMNAME\":"
+ send "kiproppass$KEY\r"
+ expect {
+ "Principal \"kiprop/$hostname@$REALMNAME\" created" { }
+ "Principal or policy already exists while creating*" { }
+ }
+ expect "kadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kadmin_local] {
+ break
+ }
+ }
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
+ } else {
+ delete_db
+ }
+ } else {
+ if $standalone {
+ pass $test
+ }
+ }
+
if $des3_krbtgt {
# Set the TGT key to DES3.
set test "kadmin.local TGT to DES3"
@@ -1309,7 +1470,7 @@
if $standalone {
fail $test
} else {
- catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ delete_db
}
} else {
if $standalone {
@@ -1351,7 +1512,7 @@
if $standalone {
fail $test
} else {
- catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ delete_db
}
} else {
if $standalone {
@@ -1368,6 +1529,122 @@
return 1
}
+# setup_slave_db
+# Initialize the slave Kerberos database. Returns 1 on success, 0 on
+# failure.
+
+proc setup_slave_db { } {
+ global REALMNAME
+ global KDB5_UTIL
+ global KADMIN_LOCAL
+ global KEY
+ global tmppwd
+ global spawn_id
+
+ set failall 0
+
+ envstack_push
+ if { ![setup_kerberos_files] || ![setup_kerberos_env slave] } {
+ set failall 1
+ }
+
+ # Set up a common expect_after for use in multiple places.
+ set def_exp_after {
+ timeout {
+ set test "$test (timeout)"
+ break
+ }
+ eof {
+ set test "$test (eof)"
+ break
+ }
+ }
+
+ set test "slave kdb5_util create "
+ set body {
+ if $failall {
+ break
+ }
+ #exec xterm
+ verbose "starting $test"
+ spawn $KDB5_UTIL -r $REALMNAME create
+ expect_after $def_exp_after
+
+ expect "Enter KDC database master key:"
+
+ set test "slave kdb5_util create (verify)"
+ send "masterkey$KEY\r"
+ expect "Re-enter KDC database master key to verify:"
+
+ set test "slave kdb5_util create"
+ send "masterkey$KEY\r"
+ expect {
+ -re "\[Cc\]ouldn't" {
+ expect eof
+ break
+ }
+ "Cannot find/read stored" exp_continue
+ "Warning: proceeding without master key" exp_continue
+ eof { }
+ }
+ catch expect_after
+ if ![check_exit_status kdb5_util] {
+ break
+ }
+ }
+ set ret [catch $body]
+ catch expect_after
+ if $ret {
+ set failall 1
+ }
+
+ # Stash the master key in a file.
+ set test "slave kdb5_util stash"
+ set body {
+ if $failall {
+ break
+ }
+ spawn $KDB5_UTIL -r $REALMNAME stash
+ verbose "starting $test"
+ expect_after $def_exp_after
+ expect "Enter KDC database master key:"
+ send "masterkey$KEY\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kdb5_util] {
+ break
+ }
+ }
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ delete_db
+ }
+
+ if !$failall {
+ # create the admin database lock file
+ catch "exec touch $tmppwd/slave-adb.lock"
+ }
+
+ return [expr !$failall]
+}
+
+proc start_kpropd {} {
+ global kpropd_pid kpropd_spawn_id KPROPD T_INETD KDB5_UTIL portbase tmppwd
+ global spawn_id
+
+ envstack_push
+ setup_kerberos_env slave
+ spawn $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-slave-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl
+ set kpropd_pid [exp_pid]
+ set kpropd_spawn_id $spawn_id
+# send_user [list $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-slave-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl]\n
+# spawn_shell
+ envstack_pop
+}
+
proc start_tail { fname spawnid_var pid_var which standalone } {
upvar $spawnid_var spawnid
upvar $pid_var pid
@@ -1385,12 +1662,12 @@
set p 0
set otimeout $timeout
- set timeout 1
+ set timeout 3
set ok 0
while { $ok == 0 && $p < 3 } {
expect {
-i $spawn_id
- -ex "$markstr\r\n" { set ok 1 }
+ -ex "$markstr" { set ok 1 }
-re "\[^\r\n\]*\r\n" { exp_continue }
timeout {
# Some versions of GNU tail had a race condition where
@@ -1458,9 +1735,7 @@
}
if {$standalone} {
- catch "exec rm -f $tmppwd/krb.log"
- catch "exec rm -f $tmppwd/kadmind.log"
- catch "exec rm -f $tmppwd/krb5kdc_rcache"
+ file delete $tmppwd/krb.log $tmppwd/kadmind.log $tmppwd/krb5kdc_rcache
}
# Start up the kerberos daemon
@@ -1480,7 +1755,7 @@
envstack_push
setup_kerberos_env kdc
- spawn $KRB5KDC -r $REALMNAME -n -4 full
+ spawn $KRB5KDC -r $REALMNAME -n full
envstack_pop
set kdc_pid [exp_pid]
set kdc_spawn_id $spawn_id
@@ -1829,13 +2104,13 @@
return 1
}
- catch "exec rm -f $tmppwd/srvtab $tmppwd/srvtab.old"
+ file delete $tmppwd/srvtab $tmppwd/srvtab.old
if ![get_hostname] {
return 0
}
- catch "exec rm -f $hostname-new-srvtab"
+ file delete $hostname-new-srvtab
envstack_push
setup_kerberos_env kdc
@@ -1845,7 +2120,7 @@
-re "(.*)\r\nkadmin.local: " {
fail "kadmin.local srvtab (unmatched output: $expect_out(1,string))"
if {!$standalone} {
- catch "exec rm -f $tmppwd/srvtab"
+ file delete $tmppwd/srvtab
}
catch "expect_after"
return 0
@@ -1853,7 +2128,7 @@
timeout {
fail "kadmin.local srvtab"
if {!$standalone} {
- catch "exec rm -f $tmppwd/srvtab"
+ file delete $tmppwd/srvtab
}
catch "expect_after"
return 0
@@ -1861,22 +2136,22 @@
eof {
fail "kadmin.local srvtab"
if {!$standalone} {
- catch "exec rm -f $tmppwd/srvtab"
+ file delete $tmppwd/srvtab
}
catch "expect_after"
return 0
}
}
expect "kadmin.local: "
- send "xst -k $hostname-new-srvtab $id/$hostname\r"
- expect "xst -k $hostname-new-srvtab $id/$hostname\r\n"
+ send "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r"
+ expect "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r\n"
expect {
-re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-srvtab." { }
-re "\r\nkadmin.local: " {
if {$standalone} {
fail "kadmin.local srvtab"
} else {
- catch "exec rm -f $tmppwd/srvtab"
+ file delete $tmppwd/srvtab
}
catch expect_after
return 0
@@ -1888,7 +2163,7 @@
catch expect_after
if ![check_exit_status "kadmin.local srvtab"] {
if {!$standalone} {
- catch "exec rm -f $tmppwd/srvtab"
+ file delete $tmppwd/srvtab
}
return 0
}
@@ -2157,171 +2432,6 @@
}
}
-# kinit
-# Use kinit to get a ticket. If the argument is non-zero, call pass
-# at relevant points. Returns 1 on success, 0 on failure.
-
-proc v4kinit { name pass standalone } {
- global REALMNAME
- global KINIT
- global spawn_id
- global des3_krbtgt
-
- # Use kinit to get a ticket.
- #
- # For now always get forwardable tickets. Later when we need to make
- # tests that distiguish between forwardable tickets and otherwise
- # we should but another option to this proc. --proven
- #
- spawn $KINIT -4 $name@$REALMNAME
- expect {
- "Password for $name@$REALMNAME:" {
- verbose "v4kinit started"
- }
- timeout {
- fail "v4kinit"
- return 0
- }
- eof {
- fail "v4kinit"
- return 0
- }
- }
- send "$pass\r"
- expect eof
- if {$des3_krbtgt == 0} {
- if ![check_exit_status v4kinit] {
- return 0
- }
- } else {
- # Fail if kinit is successful with a des3 TGT.
- set status_list [wait -i $spawn_id]
- set testname v4kinit
- verbose "wait -i $spawn_id returned $status_list ($testname)"
- if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
- verbose -log "exit status: $status_list"
- fail "$testname (exit status)"
- }
- }
- if {$standalone} {
- pass "v4kinit"
- }
-
- return 1
-}
-
-proc v4kinit_kt { name keytab standalone } {
- global REALMNAME
- global KINIT
- global spawn_id
-
- # Use kinit to get a ticket.
- #
- # For now always get forwardable tickets. Later when we need to make
- # tests that distiguish between forwardable tickets and otherwise
- # we should but another option to this proc. --proven
- #
- spawn $KINIT -4 -k -t $keytab $name@$REALMNAME
- expect {
- timeout {
- fail "v4kinit"
- return 0
- }
- eof { }
- }
- if ![check_exit_status kinit] {
- return 0
- }
-
- if {$standalone} {
- pass "v4kinit"
- }
-
- return 1
-}
-
-# List v4 tickets.
-# Client and server are regular expressions.
-proc v4klist { client server testname } {
- global KLIST
- global tmppwd
-
- spawn $KLIST -4
- expect {
- -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$client.*$server\r\n" {
- verbose "klist started"
- }
- timeout {
- fail $testname
- return 0
- }
- eof {
- fail $testname
- return 0
- }
- }
-
- expect eof
-
- if ![check_exit_status $testname] {
- return 0
- }
- pass $testname
- return 1
-}
-
-# Destroy tickets.
-proc v4kdestroy { testname } {
- global KDESTROY
- spawn $KDESTROY -4
- if ![check_exit_status $testname] {
- return 0
- }
- pass $testname
- return 1
-}
-
-# Try to list the krb4 tickets -- there shouldn't be any ticket file.
-proc v4klist_none { testname } {
- global KLIST
- global tmppwd
-
- # Double check that the ticket was destroyed.
- spawn $KLIST -4
- expect {
- -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" {
- verbose "v4klist started"
- pass "$testname (output)"
- }
- timeout {
- fail "$testname (output)"
- # Skip the 'wait' below, if it's taking too long.
- untested "$testname (exit status)"
- return 0
- }
- eof {
- fail "$testname (output)"
- }
- }
- # We can't use check_exit_status, because we expect an exit status
- # of 1.
- expect eof
- set status_list [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $status_list (v4klist)"
- if { [lindex $status_list 2] != 0 } {
- fail "$testname (exit status)"
- return 0
- } else {
- if { [lindex $status_list 3] != 1 } {
- fail "$testname (exit status)"
- return 0
- } else {
- pass "$testname (exit status)"
- }
- }
- return 1
-}
-
# Set up a root shell using rlogin $hostname -l root. This is used
# when testing the daemons that must be run as root, such as telnetd
# or rlogind. This sets the global variables rlogin_spawn_id and
@@ -2399,7 +2509,7 @@
set got_refused 1
exp_continue
}
- -re "word:|erberos rlogin failed|ection refused|ection reset by peer|not authorized" {
+ -re "word:|erberos rlogin failed|ection refused|ection reset by peer|not authorized|Ticket expired" {
note "$testname test requires ability to rlogin as root"
unsupported "$testname"
set timeout $old_timeout
@@ -2668,7 +2778,7 @@
global krb5_init_vars
# We will start with a BINSH script
- catch "exec rm -f $file"
+ file delete $file
set f [open $file "w" 0777]
puts $f "#!$BINSH"
@@ -2690,11 +2800,19 @@
}
# helpful sometimes for debugging the test suite
-proc spawn_xterm { } {
+proc export_debug_envvars { } {
global env
- foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST RLOGIN RLOGIND FTP FTPD KPASSWD REALMNAME GSSCLIENT} {
+ foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST RLOGIN RLOGIND FTP FTPD KPASSWD REALMNAME GSSCLIENT KPROPLOG} {
global $i
if [info exists $i] { set env($i) [set $i] }
}
+}
+proc spawn_xterm { } {
+ export_debug_envvars
exec "xterm"
}
+proc spawn_shell { } {
+ export_debug_envvars
+ spawn "sh"
+ exp_interact
+}
Copied: branches/mkey_migrate/src/tests/dejagnu/deps (from rev 21721, trunk/src/tests/dejagnu/deps)
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-root/rlogin.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-root/rlogin.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-root/rlogin.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -174,6 +174,7 @@
# prompt.
set testname "shell"
send "$BINSH\r"
+ expect "$BINSH"
expect -re "$SHELL_PROMPT"
set testname "date"
@@ -249,6 +250,7 @@
# prompt.
set testname "shell"
send "$BINSH\r"
+ expect "$BINSH"
expect -re "$SHELL_PROMPT"
# Make sure the encryption is not destroying the text.
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-root/telnet.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-root/telnet.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-root/telnet.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -25,29 +25,6 @@
return
}
-# Remove old wrapper script
- catch "exec rm -f $tmppwd/login.wrap"
-
-# Start up a root shell.
-if ![setup_root_shell telnet] {
- return
-}
-
-# Make sure .k5login is reasonable.
-if ![check_k5login rlogin] {
- stop_root_shell
- return
-}
-
-# Set up the kerberos database.
-if {![get_hostname] \
- || ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
- || ![setup_kerberos_db 0]} {
- stop_root_shell
- return
-}
-
# A procedure to start up the telnet daemon.
proc start_telnet_daemon { args } {
@@ -70,7 +47,7 @@
# we don't need to use inetd. The portbase+8 is the port to listen at.
# Note that tmppwd here is a shell variable, which is set in
# setup_root_shell, not a TCL variable.
- send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap -X KERBEROS_V4 [expr 8 + $portbase]\" &\r"
+ send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap [expr 8 + $portbase]\" &\r"
expect {
-i $rlogin_spawn_id
-re "$ROOT_PROMPT" { }
@@ -427,23 +404,48 @@
stop_telnet_daemon
}
-# Run the test. Logging in sometimes takes a while, so increase the
-# timeout.
-set oldtimeout $timeout
-set timeout 60
-set status [catch telnet_test msg]
-set timeout $oldtimeout
+run_once telnet {
+ # Remove old wrapper script
+ catch "exec rm -f $tmppwd/login.wrap"
-# Shut down the kerberos daemons, the telnet daemon, and the rlogin
-# process.
-stop_kerberos_daemons
+ # Start up a root shell.
+ if ![setup_root_shell telnet] {
+ return
+ }
-stop_telnet_daemon
+ # Make sure .k5login is reasonable.
+ if ![check_k5login rlogin] {
+ stop_root_shell
+ return
+ }
-stop_root_shell
+ # Set up the kerberos database.
+ if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ stop_root_shell
+ return
+ }
-if { $status != 0 } {
- send_error "ERROR: error in telnet.exp\n"
- send_error "$msg\n"
- exit 1
+ # Run the test. Logging in sometimes takes a while, so increase the
+ # timeout.
+ set oldtimeout $timeout
+ set timeout 60
+ set status [catch telnet_test msg]
+ set timeout $oldtimeout
+
+ # Shut down the kerberos daemons, the telnet daemon, and the rlogin
+ # process.
+ stop_kerberos_daemons
+
+ stop_telnet_daemon
+
+ stop_root_shell
+
+ if { $status != 0 } {
+ send_error "ERROR: error in telnet.exp\n"
+ send_error "$msg\n"
+ exit 1
+ }
}
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/gssftp.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/gssftp.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/gssftp.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,19 +16,6 @@
set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd]
}
-# Make sure .klogin is reasonable.
-if ![check_k5login ftp] {
- return
-}
-
-# Set up the kerberos database.
-if {![get_hostname] \
- || ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
- || ![setup_kerberos_db 0]} {
- return
-}
-
# A procedure to start up the ftp daemon.
proc start_ftp_daemon { } {
@@ -68,20 +55,6 @@
}
}
-# Create a file to use for ftp testing.
-set file [open $tmppwd/ftp-test w]
-puts $file "This file is used for ftp testing."
-close $file
-
-# Create a large file to use for ftp testing. File needs to be
-# larger that 2^20 or 1MB for PBSZ testing.
-set file [open $tmppwd/bigftp-test w]
-puts $file "This file is used for ftp testing.\n"
-seek $file 1048576 current
-puts $file "This file is used for ftp testing."
-close $file
-
-
# Test that a file was copied correctly.
proc check_file { filename {bigfile 0}} {
if ![file exists $filename] {
@@ -206,7 +179,7 @@
spawn $FTP -d -v $hostname [expr 8 + $portbase]
expect_after {
-re "--->\[^\r\n\]*\r\n" { exp_continue }
- -re "encoding \[0-9\]* bytes MIC \[a-zA-Z/+\]*" { exp_continue }
+ -re "encoding \[0-9\]* bytes MIC \[a-zA-Z0-9/+=\]*\r\n" { exp_continue }
-re "sealed \[A-Z()\]*" { exp_continue }
-re "secure_command\[A-Z()\]*" { exp_continue }
timeout {
@@ -470,37 +443,65 @@
}
}
-# The ftp client will look in $HOME/.netrc for the user name to use.
-# To avoid confusing the testsuite, point $HOME at a directory where
-# we know there is no .netrc file.
-if [info exists env(HOME)] {
- set home $env(HOME)
-} elseif [info exists home] {
- unset home
-}
-set env(HOME) $tmppwd
+run_once gssftp {
+ # Make sure .klogin is reasonable.
+ if ![check_k5login ftp] {
+ return
+ }
-# Run the test. Logging in sometimes takes a while, so increase the
-# timeout.
-set oldtimeout $timeout
-set timeout 60
-set status [catch ftp_test msg]
-set timeout $oldtimeout
+ # Set up the kerberos database.
+ if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ return
+ }
-# Shut down the kerberos daemons and the ftp daemon.
-stop_kerberos_daemons
+ # Create a file to use for ftp testing.
+ set file [open $tmppwd/ftp-test w]
+ puts $file "This file is used for ftp testing."
+ close $file
-stop_ftp_daemon
+ # Create a large file to use for ftp testing. File needs to be
+ # larger that 2^20 or 1MB for PBSZ testing.
+ set file [open $tmppwd/bigftp-test w]
+ puts $file "This file is used for ftp testing.\n"
+ seek $file 1048576 current
+ puts $file "This file is used for ftp testing."
+ close $file
-ftp_restore_env
+ # The ftp client will look in $HOME/.netrc for the user name to use.
+ # To avoid confusing the testsuite, point $HOME at a directory where
+ # we know there is no .netrc file.
+ if [info exists env(HOME)] {
+ set home $env(HOME)
+ } elseif [info exists home] {
+ unset home
+ }
+ set env(HOME) $tmppwd
-# Reset $HOME, for safety in case we are going to run more tests.
-if [info exists home] {
- set env(HOME) $home
-} else {
- unset env(HOME)
-}
+ # Run the test. Logging in sometimes takes a while, so increase the
+ # timeout.
+ set oldtimeout $timeout
+ set timeout 60
+ set status [catch ftp_test msg]
+ set timeout $oldtimeout
-if { $status != 0 } {
- perror "error in gssftp.exp: $msg"
+ # Shut down the kerberos daemons and the ftp daemon.
+ stop_kerberos_daemons
+
+ stop_ftp_daemon
+
+ ftp_restore_env
+
+ # Reset $HOME, for safety in case we are going to run more tests.
+ if [info exists home] {
+ set env(HOME) $home
+ } else {
+ unset env(HOME)
+ }
+
+ if { $status != 0 } {
+ perror "error in gssftp.exp: $msg"
+ }
}
Copied: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/iprop.exp (from rev 21721, trunk/src/tests/dejagnu/krb-standalone/iprop.exp)
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kadmin.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kadmin.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kadmin.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -2,24 +2,6 @@
# This is a DejaGnu test script.
# This script tests Kerberos kadmin5 using kadmin.local as verification.
-# Set up the kerberos database.
-if {![get_hostname] \
- || ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
- || ![setup_kerberos_db 0]} {
- return
-}
-
-# find kpasswd
-if ![info exists KPASSWD] {
- set KPASSWD [findfile $objdir/../../clients/kpasswd/kpasswd]
-}
-
-# find kdestroy
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
#++
# kadmin_add - Test add new v5 principal function of kadmin.
#
@@ -68,7 +50,10 @@
# use kadmin.local to verify that a principal was created and that its
# salt types are 0 (normal).
#
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
-i $spawn_id
timeout {
@@ -169,7 +154,10 @@
# use kadmin.local to verify that a principal was created and that its
# salt types are 0 (normal).
#
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
-i $spawn_id
timeout {
@@ -395,7 +383,9 @@
global KEY
global spawn_id
- spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principals *"
+ # "*" would match everything
+ # "*n" should match a few like kadmin/admin but see ticket 5667
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principals *n"
expect_after {
"Cannot contact any KDC" {
fail "kadmin ldb lost KDC"
@@ -568,7 +558,10 @@
#
# use kadmin.local to verify that the old principal is not present.
#
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
-i $spawn_id
timeout {
@@ -692,7 +685,10 @@
#
# use kadmin.local to verify that a policy was created
#
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
-i $spawn_id
timeout {
@@ -775,7 +771,10 @@
#
# use kadmin.local to verify that the old policy is not present.
#
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
-i $spawn_id
timeout {
@@ -1062,14 +1061,24 @@
verbose "kadmin_test succeeded"
}
-# Run the test.
-set status [catch kadmin_test msg]
+run_once kadmin {
+ # Set up the kerberos database.
+ if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ return
+ }
-# Shut down the kerberos daemons and the rsh daemon.
-stop_kerberos_daemons
+ # Run the test.
+ set status [catch kadmin_test msg]
-if { $status != 0 } {
- send_error "ERROR: error in kadmin.exp\n"
- send_error "$msg\n"
- exit 1
+ # Shut down the kerberos daemons and the rsh daemon.
+ stop_kerberos_daemons
+
+ if { $status != 0 } {
+ send_error "ERROR: error in kadmin.exp\n"
+ send_error "$msg\n"
+ exit 1
+ }
}
Copied: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/kprop.exp (from rev 21721, trunk/src/tests/dejagnu/krb-standalone/kprop.exp)
Copied: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwchange.exp (from rev 21721, trunk/src/tests/dejagnu/krb-standalone/pwchange.exp)
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwhist.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwhist.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/pwhist.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -121,95 +121,97 @@
}
}
-# Set up the kerberos database.
-if {![get_hostname] \
- || ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
- || ![setup_kerberos_db 0]} {
- return
-}
+run_once pwhist {
+ # Set up the kerberos database.
+ if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env kdc] \
+ || ![setup_kerberos_db 0]} {
+ return
+ }
-set failall 0
-wraptest "nkeys=1, nhist=3" {
- mustrun { addpol crashpol }
- mustrun { modpol crashpol "-history 3"}
- mustrun { addprinc crash 1111 }
- mustrun { modprinc crash "-policy crashpol" }
- chkpass { cpw crash 2222 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
-}
-verbose {old_keys [ 1111 ->[] ]}
+ set failall 0
+ wraptest "nkeys=1, nhist=3" {
+ mustrun { addpol crashpol }
+ mustrun { modpol crashpol "-history 3"}
+ mustrun { addprinc crash 1111 }
+ mustrun { modprinc crash "-policy crashpol" }
+ chkpass { cpw crash 2222 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ }
+ verbose {old_keys [ 1111 ->[] ]}
-# The following will result in reading/writing past array bounds if
-# add_to_history() is not patched.
-#
-# NOTE: A pass from this test does not mean the bug isn't present;
-# check with Purify, valgrind, etc.
-wraptest "array bounds ok on nkeys=1, nhist 3->2" {
- mustrun { modpol crashpol "-history 2" }
- chkpass { cpw crash 3333 }
-}
-verbose {old_keys [ ->2222 ]}
+ # The following will result in reading/writing past array bounds if
+ # add_to_history() is not patched.
+ #
+ # NOTE: A pass from this test does not mean the bug isn't present;
+ # check with Purify, valgrind, etc.
+ wraptest "array bounds ok on nkeys=1, nhist 3->2" {
+ mustrun { modpol crashpol "-history 2" }
+ chkpass { cpw crash 3333 }
+ }
+ verbose {old_keys [ ->2222 ]}
-wraptest "verify nhist=2" {
- mustrun { delprinc crash }
- mustrun { addprinc crash 1111 }
- mustrun { modprinc crash "-policy crashpol" }
- chkpass { cpw crash 2222 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
-}
-verbose {old_keys [ ->1111 ]}
+ wraptest "verify nhist=2" {
+ mustrun { delprinc crash }
+ mustrun { addprinc crash 1111 }
+ mustrun { modprinc crash "-policy crashpol" }
+ chkpass { cpw crash 2222 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ }
+ verbose {old_keys [ ->1111 ]}
-# The following will fail if growing the history array causes an extra
-# key to be lost due to failure to shift entries.
-wraptest "grow nhist 2->3" {
- mustrun { modpol crashpol "-history 3" }
- chkpass { cpw crash 3333 }
- chkfail { cpw crash 3333 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
-}
-verbose {old_keys [ 2222 ->1111 ]}
+ # The following will fail if growing the history array causes an extra
+ # key to be lost due to failure to shift entries.
+ wraptest "grow nhist 2->3" {
+ mustrun { modpol crashpol "-history 3" }
+ chkpass { cpw crash 3333 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ }
+ verbose {old_keys [ 2222 ->1111 ]}
-wraptest "grow nhist 3->4" {
- mustrun { modpol crashpol "-history 4" }
- chkfail { cpw crash 3333 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
- chkpass { cpw crash 4444 }
- chkfail { cpw crash 3333 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
-}
-verbose {old_keys [ 2222 3333 ->1111 ]}
-wraptest "shrink nhist 4->3" {
- mustrun { modpol crashpol "-history 3" }
- chkfail { cpw crash 4444 }
- chkfail { cpw crash 3333 }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 1111 }
- chkpass { cpw crash 5555 }
-}
-verbose {old_keys [ 4444 ->3333 ]}
-wraptest "verify nhist=3" {
- chkfail { cpw crash 5555 }
- chkfail { cpw crash 4444 }
- chkfail { cpw crash 3333 }
- chkpass { cpw crash 2222 }
-}
-verbose {old_keys [ ->4444 5555 ]}
-wraptest "shrink nhist 3->2" {
- mustrun { modpol crashpol "-history 2" }
- chkfail { cpw crash 2222 }
- chkfail { cpw crash 5555 }
- chkfail { cpw crash 4444 }
- chkpass { cpw crash 3333 }
-}
-verbose {old_keys [ ->2222 ]}
+ wraptest "grow nhist 3->4" {
+ mustrun { modpol crashpol "-history 4" }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ chkpass { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ }
+ verbose {old_keys [ 2222 3333 ->1111 ]}
+ wraptest "shrink nhist 4->3" {
+ mustrun { modpol crashpol "-history 3" }
+ chkfail { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ chkpass { cpw crash 5555 }
+ }
+ verbose {old_keys [ 4444 ->3333 ]}
+ wraptest "verify nhist=3" {
+ chkfail { cpw crash 5555 }
+ chkfail { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkpass { cpw crash 2222 }
+ }
+ verbose {old_keys [ ->4444 5555 ]}
+ wraptest "shrink nhist 3->2" {
+ mustrun { modpol crashpol "-history 2" }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 5555 }
+ chkfail { cpw crash 4444 }
+ chkpass { cpw crash 3333 }
+ }
+ verbose {old_keys [ ->2222 ]}
-delprinc crash
-delpol crashpol
+ delprinc crash
+ delpol crashpol
-stop_kerberos_daemons
+ stop_kerberos_daemons
+}
Copied: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/simple.exp (from rev 21721, trunk/src/tests/dejagnu/krb-standalone/simple.exp)
Modified: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/standalone.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/standalone.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/standalone.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -89,6 +89,8 @@
global portbase
global mode
+ setup_kerberos_env kdc
+
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
return
@@ -138,6 +140,7 @@
verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
catch "close -i $spawn_id"
+ setup_kerberos_env client
# Use kinit to get a ticket.
if ![kinit krbtest/admin adminpass$KEY 1] {
return
@@ -172,51 +175,11 @@
kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
do_kdestroy "kdestroy foo/bar vno $vno"
-
- if {[info exists KRBIV] && $KRBIV &&
- [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]]} {
- catch "exec rm -f $tmppwd/foosrvtab"
- spawn $KTUTIL
- expect_after {
- timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 }
- eof { fail "ktutil converting keytab to srvtab" ; set ok 0 }
- }
- expect "ktutil: "
- send "rkt $tmppwd/fookeytab\r"
- expect -ex "rkt $tmppwd/fookeytab\r"
- expect "ktutil: "
-# for debugging, just log this
-# send "list\r"
-# expect "ktutil: "
- #
- send "wst $tmppwd/foosrvtab\r"
- expect -ex "wst $tmppwd/foosrvtab\r"
- expect "ktutil: "
-# for debugging, just log this
-# send "clear\r"
-# expect "ktutil: "
-# send "rst $tmppwd/foosrvtab\r"
-# expect "ktutil: "
-# send "list\r"
-# expect "ktutil: "
- # okay, now quit and finish testing
- send "quit\r"
- expect eof
- catch expect_after
- if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] {
- pass "ktutil converting keytab to srvtab (vno $vno)"
- do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno"
- kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno"
- do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno"
- do_kdestroy "kdestroy st foo/bar vno $vno"
- }
- } else {
- verbose "skipping v5kinit/srvtab tests because of non-v4 enctype"
- }
}
catch "exec rm -f $keytab"
# Check that kadmin.local can actually read the correct kvno, even
# if we don't expect kadmin to be able to.
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
set ok 1
expect_after {
@@ -234,36 +197,6 @@
pass "kadmin.local correct high kvno"
}
}
-
- if { $mode == "tcp" } {
- set response {}
- set got_response 0
- set kdcsock ""
- catch {
- send_log "connecting to $hostname [expr 3 + $portbase]\n"
- set kdcsock [socket $hostname [expr 3 + $portbase]]
- fconfigure $kdcsock -encoding binary -blocking 0 -buffering none
- puts -nonewline $kdcsock [binary format H* ffffffff]
- # XXX
- sleep 3
- set response [read $kdcsock]
- set got_response 1
- } msg
- if [string length $kdcsock] { catch "close $kdcsock" }
- if $got_response {
-# send_log [list sent length -1, got back $response]
-# send_log "\n"
- if [string length $response]>10 {
- pass "too-long TCP request"
- } else {
- send_log "response too short\n"
- fail "too-long TCP request"
- }
- } else {
- send_log "too-long connect/exchange failure: $msg\n"
- fail "too-long TCP request"
- }
- }
}
set status [catch doit msg]
Copied: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/tcp.exp (from rev 21721, trunk/src/tests/dejagnu/krb-standalone/tcp.exp)
Deleted: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4gssftp.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4gssftp.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4gssftp.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,506 +0,0 @@
-# Kerberos ftp test.
-# This is a DejaGnu test script.
-# This script tests Kerberos ftp.
-# Originally written by Ian Lance Taylor, Cygnus Support, <ian at cygnus.com>.
-# Modified bye Ezra Peisach for GSSAPI support.
-
-# Find the programs we need. We use the binaries from the build tree
-# if they exist. If they do not, then they must be in PATH. We
-# expect $objdir to be .../kerberos/build/tests/dejagnu
-
-if ![info exists FTP] {
- set FTP [findfile $objdir/../../appl/gssftp/ftp/ftp]
-}
-
-if ![info exists FTPD] {
- set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd]
-}
-
-# If we do not have what is for a V4 test - return
-if ![v4_compatible_enctype] {
- return
-}
-
-# Make sure .klogin is reasonable.
-if ![check_k5login ftp] {
- return
-}
-
-if ![check_klogin ftp] {
- return
-}
-
-# Set up the kerberos database.
-if {![get_hostname] \
- || ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
- || ![setup_kerberos_db 0]} {
- return
-}
-
-# A procedure to start up the ftp daemon.
-
-proc start_ftp_daemon { } {
- global FTPD
- global tmppwd
- global ftpd_spawn_id
- global ftpd_pid
- global portbase
-
- # The -p argument tells it to accept a single connection, so we
- # don't need to use inetd. Portbase+8 is the port to listen at.
- # We rely on KRB5_KTNAME being set to the proper keyfile as there is
- # no way to cleanly set it with the gssapi API.
- # The -U argument tells it to use an alternate ftpusers file (using
- # /dev/null will allow root to login regardless of /etc/ftpusers).
- # The -a argument requires authorization, to mitigate any
- # vulnerability introduced by circumventing ftpusers.
- spawn $FTPD -p [expr 8 + $portbase] -a -U /dev/null -r $tmppwd/krb.conf
- set ftpd_spawn_id $spawn_id
- set ftpd_pid [exp_pid]
-
- # Give the ftp daemon a few seconds to get set up.
- sleep 2
-}
-
-# A procedure to stop the ftp daemon.
-
-proc stop_ftp_daemon { } {
- global ftpd_spawn_id
- global ftpd_pid
-
- if [info exists ftpd_pid] {
- catch "close -i $ftpd_spawn_id"
- catch "exec kill $ftpd_pid"
- catch "wait -i $ftpd_spawn_id"
- unset ftpd_pid
- }
-}
-
-# Create a file to use for ftp testing.
-set file [open $tmppwd/ftp-test w]
-puts $file "This file is used for ftp testing."
-close $file
-
-# Create a large file to use for ftp testing. File needs to be
-# larger that 2^20 or 1MB for PBSZ testing.
-set file [open $tmppwd/bigftp-test w]
-puts $file "This file is used for ftp testing.\n"
-seek $file 1048576 current
-puts $file "This file is used for ftp testing."
-close $file
-
-# Test that a file was copied correctly.
-proc check_file { filename {bigfile 0}} {
- if ![file exists $filename] {
- verbose "$filename does not exist"
- send_log "$filename does not exist\n"
- return 0
- }
-
- set file [open $filename r]
- if { [gets $file line] == -1 } {
- verbose "$filename is empty"
- send_log "$filename is empty\n"
- close $file
- return 0
- }
-
- if ![string match "This file is used for ftp testing." $line] {
- verbose "$filename contains $line"
- send_log "$filename contains $line\n"
- close $file
- return 0
- }
-
- if {$bigfile} {
- # + 1 for the newline
- seek $file 1048577 current
- if { [gets $file line] == -1 } {
- verbose "$filename is truncated"
- send_log "$filename is truncated\n"
- close $file
- return 0
- }
-
- if ![string match "This file is used for ftp testing." $line] {
- verbose "$filename contains $line"
- send_log "$filename contains $line\n"
- close $file
- return 0
- }
- }
-
- if { [gets $file line] != -1} {
- verbose "$filename is too long ($line)"
- send_log "$filename is too long ($line)\n"
- close $file
- return 0
- }
-
- close $file
-
- return 1
-}
-
-#
-# Restore environment variables possibly set.
-#
-proc ftp_restore_env { } {
- global env
- global ftp_save_ktname
- global ftp_save_ccname
-
- catch "unset env(KRB5_KTNAME)"
- if [info exists ftp_save_ktname] {
- set env(KRB5_KTNAME) $ftp_save_ktname
- unset ftp_save_ktname
- }
-
- catch "unset env(KRB5CCNAME)"
- if [info exists ftp_save_ccname] {
- set env(KRB5CCNAME) $ftp_save_ccname
- unset ftp_save_ccname
- }
-}
-
-# Wrap the tests in a procedure, so that we can kill the daemons if
-# we get some sort of error.
-
-proc v4ftp_test { } {
- global FTP
- global KEY
- global REALMNAME
- global hostname
- global localhostname
- global env
- global ftpd_spawn_id
- global ftpd_pid
- global spawn_id
- global tmppwd
- global ftp_save_ktname
- global ftp_save_ccname
- global des3_krbtgt
- global portbase
-
- if {$des3_krbtgt} {
- return
- }
- # Start up the kerberos and kadmind daemons and get a srvtab and a
- # ticket file.
- if {![start_kerberos_daemons 0] \
- || ![add_random_key ftp/$hostname 0] \
- || ![setup_srvtab 0 ftp] \
- || ![add_kerberos_key $env(USER) 0] \
- || ![v4kinit $env(USER) $env(USER)$KEY 0]} {
- return
- }
-
- #
- # Save settings of KRB5_KTNAME
- #
- if [info exists env(KRB5_KTNAME)] {
- set ftp_save_ktname $env(KRB5_KTNAME)
- }
-
- #
- # set KRB5_KTNAME
- #
- set env(KRB5_KTNAME) FILE:$tmppwd/srvtab
- verbose "KRB5_KTNAME=$env(KRB5_KTNAME)"
-
- #
- # Save settings of KRB5CCNAME
- # These tests fail if the krb5 cache happens to have a valid credential
- # which can result from running the gssftp.exp test immediately
- # preceeding these tests.
- #
- if [info exists env(KRB5CCNAME)] {
- set ftp_save_ccname $env(KRB5CCNAME)
- }
-
- #
- # set KRB5_KTNAME
- #
- set env(KRB5CCNAME) FILE:$tmppwd/non-existant-cache
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
-
- # Start the ftp daemon.
- start_ftp_daemon
-
- # Make an ftp client connection to it.
- spawn $FTP $hostname [expr 8 + $portbase]
-
- expect_after {
- timeout {
- fail "$testname (timeout)"
- catch "expect_after"
- return
- }
- eof {
- fail "$testname (eof)"
- catch "expect_after"
- return
- }
- }
-
- set testname "ftp connection(v4)"
- expect -nocase "connected to $hostname"
- expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready."
- expect -re "Using authentication type GSSAPI; ADAT must follow"
- expect "GSSAPI accepted as authentication type"
- expect -re "GSSAPI error major: (Unspecified GSS|Miscellaneous) failure"
- expect {
- "GSSAPI error minor: Unsupported credentials cache format version number" {}
- "GSSAPI error minor: No credentials cache found" {}
- -re "GSSAPI error minor: Credentials cache file '.*' not found" {}
- "GSSAPI error minor: Decrypt integrity check failed" {}
- }
- expect "GSSAPI error: initializing context"
- expect "GSSAPI authentication failed"
- expect -re "Using authentication type KERBEROS_V4; ADAT must follow"
- expect {
- "Kerberos V4 authentication succeeded" { pass "ftp authentication" }
- eof { fail "ftp authentication" ; catch "expect_after" ; return }
- -re "Kerberos V4 .* failed.*\r" {
- fail "ftp authentication";
- send "quit\r"; catch "expect_after";
- return
- }
- }
- expect -nocase "name ($hostname:$env(USER)): "
- send "$env(USER)\r"
- expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)"
- expect "Remote system type is UNIX."
- expect "Using binary mode to transfer files."
- expect "ftp> " {
- pass $testname
- }
-
- set testname "binary(v4)"
- send "binary\r"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "status(v4)"
- send "status\r"
- expect -nocase "connected to $hostname."
- expect "Authentication type: KERBEROS_V4"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "ls(v4)"
- send "ls $tmppwd/ftp-test\r"
- expect -re "Opening ASCII mode data connection for .*ls."
- expect -re ".* $tmppwd/ftp-test"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "nlist(v4)"
- send "nlist $tmppwd/ftp-test\r"
- expect -re "Opening ASCII mode data connection for file list."
- expect -re "$tmppwd/ftp-test"
- expect -re ".* Transfer complete."
- expect "ftp> " {
- pass $testname
- }
-
- set testname "ls missing(v4)"
- send "ls $tmppwd/ftp-testmiss\r"
- expect -re "Opening ASCII mode data connection for .*ls."
- expect {
- -re "$tmppwd/ftp-testmiss not found" {}
- -re "$tmppwd/ftp-testmiss: No such file or directory"
- }
- expect "ftp> " {
- pass $testname
- }
-
-
- set testname "get(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "get $tmppwd/ftp-test $tmppwd/copy\r"
- expect "Opening BINARY mode data connection for $tmppwd/ftp-test"
- expect "Transfer complete"
- expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
- expect "ftp> "
- if [check_file $tmppwd/copy] {
- pass $testname
- } else {
- fail $testname
- }
-
- set testname "put(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "put $tmppwd/ftp-test $tmppwd/copy\r"
- expect "Opening BINARY mode data connection for $tmppwd/copy"
- expect "Transfer complete"
- expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds"
- expect "ftp> "
- if [check_file $tmppwd/copy] {
- pass $testname
- } else {
- fail $testname
- }
-
- set testname "cd(v4)"
- send "cd $tmppwd\r"
- expect "CWD command successful."
- expect "ftp> " {
- pass $testname
- }
-
- set testname "lcd(v4)"
- send "lcd $tmppwd\r"
- expect "Local directory now $tmppwd"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "local get(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "get ftp-test copy\r"
- expect "Opening BINARY mode data connection for ftp-test"
- expect "Transfer complete"
- expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
- expect "ftp> "
- if [check_file $tmppwd/copy] {
- pass $testname
- } else {
- fail $testname
- }
-
- set testname "big local get(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "get bigftp-test copy\r"
- expect "Opening BINARY mode data connection for bigftp-test"
- expect "Transfer complete"
- expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
- expect "ftp> "
- if [check_file $tmppwd/copy 1] {
- pass $testname
- } else {
- fail $testname
- }
-
- set testname "start encryption(v4)"
- send "private\r"
- expect "Data channel protection level set to private"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "status(v4)"
- send "status\r"
- expect "Protection Level: private"
- expect "ftp> " {
- pass $testname
- }
-
- set testname "encrypted get(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "get ftp-test copy\r"
- expect "Opening BINARY mode data connection for ftp-test"
- expect "Transfer complete"
- expect {
- -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" {}
- -re "krb_rd_priv failed for KERBEROS_V4" {
- fail $testname
- send "quit\r"
- catch "expect_after"
- return
- }
- }
- expect "ftp> "
- if [check_file $tmppwd/copy] {
- pass $testname
- } else {
- fail $testname
- }
-
-
- # Test a large file that will overflow PBSZ size
- set testname "big encrypted get(v4)"
- catch "exec rm -f $tmppwd/copy"
- send "get bigftp-test copy\r"
- expect "Opening BINARY mode data connection for bigftp-test"
- expect "Transfer complete"
- expect {
- -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds" {}
- -re "krb_rd_priv failed for KERBEROS_V4" {
- fail $testname
- send "quit\r"
- catch "expect_after"
- return
- }
- }
- expect "ftp> "
- if [check_file $tmppwd/copy 1] {
- pass $testname
- } else {
- fail $testname
- }
-
- set testname "close(v4)"
- send "close\r"
- expect "Goodbye."
- expect "ftp> "
- set status_list [wait -i $ftpd_spawn_id]
- verbose "wait -i $ftpd_spawn_id returned $status_list ($testname)"
- catch "close -i $ftpd_spawn_id"
- if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
- send_log "exit status: $status_list\n"
- verbose "exit status: $status_list"
- fail $testname
- } else {
- pass $testname
- unset ftpd_pid
- }
-
- set testname "quit(v4)"
- send "quit\r"
- expect_after
- expect eof
- if [check_exit_status $testname] {
- pass $testname
- }
-
-}
-
-# The ftp client will look in $HOME/.netrc for the user name to use.
-# To avoid confusing the testsuite, point $HOME at a directory where
-# we know there is no .netrc file.
-if [info exists env(HOME)] {
- set home $env(HOME)
-} elseif [info exists home] {
- unset home
-}
-set env(HOME) $tmppwd
-
-# Run the test. Logging in sometimes takes a while, so increase the
-# timeout.
-set oldtimeout $timeout
-set timeout 60
-set status [catch v4ftp_test msg]
-set timeout $oldtimeout
-
-# Shut down the kerberos daemons and the ftp daemon.
-stop_kerberos_daemons
-
-stop_ftp_daemon
-
-ftp_restore_env
-
-# Reset $HOME, for safety in case we are going to run more tests.
-if [info exists home] {
- set env(HOME) $home
-} else {
- unset env(HOME)
-}
-
-if { $status != 0 } {
- perror "error in v4gssftp.exp: $msg"
-}
Deleted: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4krb524d.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4krb524d.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4krb524d.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,168 +0,0 @@
-# Standalone Kerberos test.
-# This is a DejaGnu test script.
-# This script tests that the Kerberos tools can talk to each other.
-
-# This mostly just calls procedures in testsuite/config/default.exp.
-
-if ![info exists K524INIT] {
- set K524INIT [findfile $objdir/../../krb524/k524init]
-}
-
-if ![info exists KRB524D] {
- set KRB524D [findfile $objdir/../../krb524/krb524d]
-}
-
-if ![info exists KLIST] {
- set KLIST [findfile $objdir/../../clients/klist/klist]
-}
-
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
-# Set up the Kerberos files and environment.
-if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
- return
-}
-
-# If we do not have what is for a V4 test - return
-if ![v4_compatible_enctype] {
- return
-}
-
-# Initialize the Kerberos database. The argument tells
-# setup_kerberos_db that it is being called from here.
-if ![setup_kerberos_db 1] {
- return
-}
-
-# A procedure to stop the krb524 daemon.
-proc start_k524_daemon { } {
- global KRB524D
- global k524d_spawn_id
- global k524d_pid
- global REALMNAME
- global portbase
-
- spawn $KRB524D -m -p [expr 7 + $portbase] -r $REALMNAME -nofork
- set k524d_spawn_id $spawn_id
- set k524d_pid [exp_pid]
-
- # Give the krb524d daemon a few seconds to get set up.
- sleep 2
-}
-
-# A procedure to stop the krb524 daemon.
-proc stop_k524_daemon { } {
- global k524d_spawn_id
- global k524d_pid
-
- if [info exists k524d_pid] {
- catch "close -i $k524d_spawn_id"
- catch "exec kill $k524d_pid"
- catch "wait -i $k524d_spawn_id"
- unset k524d_pid
- }
-}
-
-# We are about to start up a couple of daemon processes. We do all
-# the rest of the tests inside a proc, so that we can easily kill the
-# processes when the procedure ends.
-
-proc doit { } {
- global env
- global KEY
- global K524INIT
- # To pass spawn_id to the wait process
- global spawn_id
- global KLIST
- global KDESTROY
- global tmppwd
- global REALMNAME
- global des3_krbtgt
-
- if {$des3_krbtgt} {
- return
- }
- # Start up the kerberos and kadmind daemons.
- if ![start_kerberos_daemons 1] {
- return
- }
-
- # Add a user key and get a V5 ticket
- if {![add_kerberos_key $env(USER) 0] \
- || ![kinit $env(USER) $env(USER)$KEY 0]} {
- return
- }
-
- # Start the krb524d daemon.
- start_k524_daemon
-
- # The k524init program does not advertise anything on success -
- #only failure.
- spawn $K524INIT
- expect {
- -timeout 10
- -re "k524init: .*\r" {
- fail "k524init"
- return
- }
- eof {}
- timeout {}
- }
-
-
- if ![check_exit_status "k524init"] {
- return
- }
- pass "k524init"
-
- # Make sure that klist can see the ticket.
- spawn $KLIST -4
- expect {
- -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$env(USER)@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "v4klist"
- return
- }
- eof {
- fail "v4klist"
- return
- }
- }
-
- expect {
- "\r" { }
- eof { }
- }
-
- if ![check_exit_status "klist"] {
- return
- }
- pass "krb524d: v4klist"
-
- # Destroy the ticket.
- spawn $KDESTROY -4
- if ![check_exit_status "kdestroy"] {
- return
- }
- pass "krb524d: v4kdestroy"
-
- pass "krb524d: krb524d"
-}
-
-set status [catch doit msg]
-
-stop_kerberos_daemons
-
-stop_k524_daemon
-
-if { $status != 0 } {
- send_error "ERROR: error in v4krb524d.exp\n"
- send_error "$msg\n"
- exit 1
-}
-
-
Deleted: branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4standalone.exp
===================================================================
--- branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4standalone.exp 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/dejagnu/krb-standalone/v4standalone.exp 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,95 +0,0 @@
-# Standalone Kerberos test.
-# This is a DejaGnu test script.
-# This script tests that the Kerberos tools can talk to each other.
-
-# This mostly just calls procedures in testsuite/config/default.exp.
-
-# Set up the Kerberos files and environment.
-if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
- return
-}
-
-# If we do not have what is for a V4 test - return
-if ![v4_compatible_enctype] {
- return
-}
-
-# Initialize the Kerberos database. The argument tells
-# setup_kerberos_db that it is being called from here.
-if ![setup_kerberos_db 1] {
- return
-}
-
-# We are about to start up a couple of daemon processes. We do all
-# the rest of the tests inside a proc, so that we can easily kill the
-# processes when the procedure ends.
-
-proc check_and_destroy_v4_tix { client server } {
- global REALMNAME
- global des3_krbtgt
-
- # Skip this if we're using a des3 TGT, since that's supposed to fail.
- if {$des3_krbtgt} {
- return
- }
- # Make sure that klist can see the ticket.
- if ![v4klist "$client" "$server" "v4klist"] {
- return
- }
-
- # Destroy the ticket.
- if ![v4kdestroy "v4kdestroy"] {
- return
- }
-
- if ![v4klist_none "v4klist no tix 1"] {
- return
- }
-}
-
-proc doit { } {
- global REALMNAME
- global KLIST
- global KDESTROY
- global KEY
- global hostname
- global spawn_id
- global tmppwd
-
- # Start up the kerberos and kadmind daemons.
- if ![start_kerberos_daemons 1] {
- return
- }
-
- # Use kadmin to add an host key.
- if ![add_random_key host/$hostname 1] {
- return
- }
-
- # Use ksrvutil to create a srvtab entry.
- if ![setup_srvtab 1] {
- return
- }
-
- # Use kinit to get a ticket.
- if [v4kinit krbtest.admin adminpass$KEY 1] {
- check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
- }
-
- # Use kinit with srvtab to get a ticket.
- # XXX - Currently kinit doesn't support "-4 -k"!
-# set shorthost [string range $hostname 0 [expr [string first . $hostname] - 1]]
-# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] {
-# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
-# }
-}
-
-set status [catch doit msg]
-
-stop_kerberos_daemons
-
-if { $status != 0 } {
- send_error "ERROR: error in v4standalone.exp\n"
- send_error "$msg\n"
- exit 1
-}
Copied: branches/mkey_migrate/src/tests/deps (from rev 21721, trunk/src/tests/deps)
Modified: branches/mkey_migrate/src/tests/gss-threads/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/gss-threads/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/gss-threads/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,19 +36,3 @@
install-unix::
# $(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-tclient
# $(INSTALL_PROGRAM) gss-server $(DESTDIR)$(SERVER_BINDIR)/gss-tserver
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)gss-client.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h gss-client.c gss-misc.h
-$(OUTPRE)gss-misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- gss-misc.c gss-misc.h
-$(OUTPRE)gss-server.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \
- $(SRCTOP)/include/port-sockets.h gss-misc.h gss-server.c
Copied: branches/mkey_migrate/src/tests/gss-threads/deps (from rev 21721, trunk/src/tests/gss-threads/deps)
Modified: branches/mkey_migrate/src/tests/gss-threads/gss-client.c
===================================================================
--- branches/mkey_migrate/src/tests/gss-threads/gss-client.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/gss-threads/gss-client.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -66,6 +66,7 @@
#include "gss-misc.h"
#include "port-sockets.h"
#include "fake-addrinfo.h"
+#include "k5-platform.h"
static int verbose = 1;
@@ -606,12 +607,10 @@
OM_uint32 maj_stat, min_stat;
if (isdigit((int) mechanism[0])) {
- mechstr = malloc(strlen(mechanism)+5);
- if (!mechstr) {
+ if (asprintf(&mechstr, "{ %s }", mechanism) < 0) {
fprintf(stderr, "Couldn't allocate mechanism scratch!\n");
return;
}
- sprintf(mechstr, "{ %s }", mechanism);
for (cp = mechstr; *cp; cp++)
if (*cp == '.')
*cp = ' ';
Modified: branches/mkey_migrate/src/tests/gssapi/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/gssapi/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/gssapi/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -18,10 +18,3 @@
clean::
$(RM) t_imp_name
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)t_imp_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h t_imp_name.c
Copied: branches/mkey_migrate/src/tests/gssapi/deps (from rev 21721, trunk/src/tests/gssapi/deps)
Modified: branches/mkey_migrate/src/tests/hammer/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/hammer/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/hammer/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -17,17 +17,3 @@
clean::
$(RM) kdc5_hammer.o kdc5_hammer
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdc5_hammer.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h kdc5_hammer.c
Copied: branches/mkey_migrate/src/tests/hammer/deps (from rev 21721, trunk/src/tests/hammer/deps)
Modified: branches/mkey_migrate/src/tests/hammer/kdc5_hammer.c
===================================================================
--- branches/mkey_migrate/src/tests/hammer/kdc5_hammer.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/hammer/kdc5_hammer.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -217,12 +217,12 @@
again given a prefix and count to test the db lib and kdb */
ctmp[0] = '\0';
for (i = 1; i <= depth; i++) {
- (void) sprintf(ctmp2, "%s%s%d-DEPTH-%d", (i != 1) ? "/" : "",
- prefix, n, i);
+ (void) snprintf(ctmp2, sizeof(ctmp2), "%s%s%d-DEPTH-%d",
+ (i != 1) ? "/" : "", prefix, n, i);
ctmp2[sizeof(ctmp2) - 1] = '\0';
strncat(ctmp, ctmp2, sizeof(ctmp) - 1 - strlen(ctmp));
ctmp[sizeof(ctmp) - 1] = '\0';
- sprintf(client, "%s@%s", ctmp, cur_realm);
+ snprintf(client, sizeof(client), "%s@%s", ctmp, cur_realm);
if (get_tgt (test_context, client, &client_princ, ccache)) {
errors++;
@@ -233,12 +233,12 @@
stmp[0] = '\0';
for (j = 1; j <= depth; j++) {
- (void) sprintf(stmp2, "%s%s%d-DEPTH-%d", (j != 1) ? "/" : "",
- prefix, n, j);
+ (void) snprintf(stmp2, sizeof(stmp2), "%s%s%d-DEPTH-%d",
+ (j != 1) ? "/" : "", prefix, n, j);
stmp2[sizeof (stmp2) - 1] = '\0';
strncat(stmp, stmp2, sizeof(stmp) - 1 - strlen(stmp));
stmp[sizeof(stmp) - 1] = '\0';
- sprintf(server, "%s@%s", stmp, cur_realm);
+ snprintf(server, sizeof(server), "%s@%s", stmp, cur_realm);
if (verify_cs_pair(test_context, client, client_princ,
stmp, cur_realm, n, i, j, ccache))
errors++;
@@ -343,9 +343,7 @@
memset((char *)&creds, 0, sizeof(creds));
/* Do client side */
- sname = (char *) malloc(strlen(service)+strlen(hostname)+2);
- if (sname) {
- sprintf(sname, "%s@%s", service, hostname);
+ if (asprintf(&sname, "%s@%s", service, hostname) >= 0) {
retval = krb5_parse_name(context, sname, &creds.server);
free(sname);
}
Modified: branches/mkey_migrate/src/tests/misc/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/misc/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/misc/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,11 +29,11 @@
$(CC_LINK) $(ALL_CFLAGS) -o test_getsockname $(OUTPRE)test_getsockname.$(OBJEXT) $(LIBS)
test_cxx_krb5: $(OUTPRE)test_cxx_krb5.$(OBJEXT) $(KRB5_DEPLIB)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_krb5 $(OUTPRE)test_cxx_krb5.$(OBJEXT) $(KRB5_LIB) $(LIBS)
+ $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_krb5 $(OUTPRE)test_cxx_krb5.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT)
$(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS)
test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(LIBS)
+ $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS)
test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp
test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp
@@ -44,25 +44,3 @@
clean::
$(RM) test_getpw test_cxx_krb5 test_cxx_gss *.o
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)test_getpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- test_getpw.c
-$(OUTPRE)test_getsockname.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- test_getsockname.c
-$(OUTPRE)test_cxx_krb5.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h test_cxx_krb5.cpp
-$(OUTPRE)test_cxx_gss.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- test_cxx_gss.cpp
-$(OUTPRE)test_cxx_rpc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h test_cxx_rpc.cpp
Copied: branches/mkey_migrate/src/tests/misc/deps (from rev 21721, trunk/src/tests/misc/deps)
Modified: branches/mkey_migrate/src/tests/mkeystash_compat/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/mkeystash_compat/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/mkeystash_compat/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -32,6 +32,9 @@
krb5.conf: Makefile
cat $(SRCTOP)/config-files/krb5.conf > krb5.new
+ echo "[dbmodules]" >> krb5.new
+ echo " db_module_dir = $(BUILDTOP)/util/fakedest$(KRB5_DB_MODULE_DIR)" >> krb5.new
+ mv krb5.new krb5.conf
# Verify that the mkey stash code is backward compat with old/non-keytab stashfile format
mkeystash_check: kdc.conf krb5.conf bigendian
@@ -47,9 +50,3 @@
clean::
$(RM) kdc.conf
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)bigendian.$(OBJEXT): bigendian.c
Copied: branches/mkey_migrate/src/tests/mkeystash_compat/deps (from rev 21721, trunk/src/tests/mkeystash_compat/deps)
Modified: branches/mkey_migrate/src/tests/resolve/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/resolve/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/resolve/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,7 +16,7 @@
$(CC_LINK) -o $@ resolve.o $(LIBS)
addrinfo-test: addrinfo-test.o
- $(CC_LINK) -o $@ addrinfo-test.o $(LIBS)
+ $(CC_LINK) -o $@ addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
fake-addrinfo-test: fake-addrinfo-test.o
$(CC_LINK) -o $@ fake-addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
@@ -31,15 +31,3 @@
clean::
$(RM) resolve addrinfo-test fake-addrinfo-test
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)resolve.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- resolve.c
-$(OUTPRE)addrinfo-test.$(OBJEXT): addrinfo-test.c
-$(OUTPRE)fake-addrinfo-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h addrinfo-test.c fake-addrinfo-test.c
Modified: branches/mkey_migrate/src/tests/resolve/addrinfo-test.c
===================================================================
--- branches/mkey_migrate/src/tests/resolve/addrinfo-test.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/resolve/addrinfo-test.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,6 +44,7 @@
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h> /* needed for IPPROTO_* on NetBSD */
+#include <k5-platform.h>
#ifdef USE_FAKE_ADDRINFO
#include "fake-addrinfo.h"
#endif
@@ -70,7 +71,7 @@
X(COMP);
#endif
- sprintf(buf, " %-2d", p);
+ snprintf(buf, sizeof(buf), " %-2d", p);
return buf;
}
@@ -83,7 +84,7 @@
case SOCK_RDM: return "RDM";
case SOCK_SEQPACKET: return "SEQPACKET";
}
- sprintf(buf, " %-2d", t);
+ snprintf(buf, sizeof(buf), " %-2d", t);
return buf;
}
@@ -124,7 +125,7 @@
static char buf[30];
switch (f) {
default:
- sprintf(buf, "AF %d", f);
+ snprintf(buf, sizeof(buf), "AF %d", f);
return buf;
case AF_INET: return "AF_INET";
#ifdef AF_INET6
@@ -284,8 +285,10 @@
ap2->ai_addr->sa_family = ap2->ai_family;
}
if (getnameinfo(ap2->ai_addr, ap2->ai_addrlen, hbuf, sizeof(hbuf),
- pbuf, sizeof(pbuf), NI_NUMERICHOST | NI_NUMERICSERV))
- strcpy(hbuf, "..."), strcpy(pbuf, "...");
+ pbuf, sizeof(pbuf), NI_NUMERICHOST | NI_NUMERICSERV)) {
+ strlcpy(hbuf, "...", sizeof(hbuf));
+ strlcpy(pbuf, "...", sizeof(pbuf));
+ }
printf("%p:\n"
"\tfamily = %s\tproto = %-4s\tsocktype = %s\n",
ap2, familyname(ap2->ai_family),
Copied: branches/mkey_migrate/src/tests/resolve/deps (from rev 21721, trunk/src/tests/resolve/deps)
Modified: branches/mkey_migrate/src/tests/shlib/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/shlib/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/shlib/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,11 +27,3 @@
clean::
$(RM) t_loader.o t_loader
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)t_loader.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h t_loader.c
Copied: branches/mkey_migrate/src/tests/shlib/deps (from rev 21721, trunk/src/tests/shlib/deps)
Modified: branches/mkey_migrate/src/tests/shlib/t_loader.c
===================================================================
--- branches/mkey_migrate/src/tests/shlib/t_loader.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/shlib/t_loader.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,6 +5,7 @@
#include "autoconf.h"
#include "krb5.h"
#include "gssapi/gssapi.h"
+#include "k5-platform.h"
#define HAVE_DLOPEN 1
static int verbose = 1;
@@ -53,28 +54,20 @@
{
void *p;
char *namebuf;
- size_t sz;
+ int r;
if (verbose)
printf("from line %d: do_open(%s)...%*s", line, libname,
HORIZ-strlen(libname), "");
- sz = strlen(SHLIB_SUFFIX) + strlen(libname) + 4;
#ifdef _AIX
- sz += strlen(rev) + 8;
+ r = asprintf(&namebuf, "lib%s%s", libname, SHLIB_SUFFIX);
+#else
+ r = asprintf(&namebuf, "lib%s%s(shr.o.%s)", libname, SHLIB_SUFFIX, rev);
#endif
- namebuf = malloc(sz);
- if (namebuf == 0) {
- perror("malloc");
+ if (r < 0) {
+ perror("asprintf");
exit(1);
}
- strcpy(namebuf, "lib");
- strcat(namebuf, libname);
- strcat(namebuf, SHLIB_SUFFIX);
-#ifdef _AIX
- strcat(namebuf, "(shr.o.");
- strcat(namebuf, rev);
- strcat(namebuf, ")");
-#endif
#ifndef RTLD_MEMBER
#define RTLD_MEMBER 0
@@ -116,7 +109,7 @@
{
if (verbose) {
char pbuf[3*sizeof(libhandle)+4];
- sprintf(pbuf, "%p", libhandle);
+ snprintf(pbuf, sizeof(pbuf), "%p", libhandle);
printf("from line %d: do_close(%s)...%*s", line, pbuf,
HORIZ-1-strlen(pbuf), "");
}
Modified: branches/mkey_migrate/src/tests/threads/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/threads/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/threads/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -36,9 +36,3 @@
clean::
$(RM) t_rcache.o t_rcache
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-
Copied: branches/mkey_migrate/src/tests/threads/deps (from rev 21721, trunk/src/tests/threads/deps)
Modified: branches/mkey_migrate/src/tests/threads/t_rcache.c
===================================================================
--- branches/mkey_migrate/src/tests/threads/t_rcache.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/threads/t_rcache.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -58,12 +58,14 @@
char buf[100], buf2[100];
krb5_rcache my_rcache;
- sprintf(buf, "host/all-in-one.mit.edu/%p at ATHENA.MIT.EDU", buf);
+ snprintf(buf, sizeof(buf), "host/all-in-one.mit.edu/%p at ATHENA.MIT.EDU",
+ buf);
r.server = buf;
r.client = (t->my_cusec & 7) + "abcdefgh at ATHENA.MIT.EDU";
if (t->now != t->my_ctime) {
if (t->my_ctime != 0) {
- sprintf(buf2, "%3d: %ld %5d\n", t->idx, t->my_ctime, t->my_cusec);
+ snprintf(buf2, sizeof(buf2), "%3d: %ld %5d\n", t->idx,
+ t->my_ctime, t->my_cusec);
printf("%s", buf2);
}
t->my_ctime = t->now;
Modified: branches/mkey_migrate/src/tests/verify/Makefile.in
===================================================================
--- branches/mkey_migrate/src/tests/verify/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/verify/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -18,17 +18,3 @@
clean::
$(RM) kdb5_verify.o kdb5_verify
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)kdb5_verify.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SS_DEPS) kdb5_verify.c
Copied: branches/mkey_migrate/src/tests/verify/deps (from rev 21721, trunk/src/tests/verify/deps)
Modified: branches/mkey_migrate/src/tests/verify/kdb5_verify.c
===================================================================
--- branches/mkey_migrate/src/tests/verify/kdb5_verify.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/tests/verify/kdb5_verify.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -97,6 +97,7 @@
int num_to_check;
char principal_string[BUFSIZ];
char *suffix = 0;
+ size_t suffix_size;
int depth, errors;
krb5_init_context(&context);
@@ -122,6 +123,8 @@
strncpy(principal_string, optarg, sizeof(principal_string) - 1);
principal_string[sizeof(principal_string) - 1] = '\0';
suffix = principal_string + strlen(principal_string);
+ suffix_size = sizeof(principal_string) -
+ (suffix - principal_string);
break;
case 'n': /* how many to check */
num_to_check = atoi(optarg);
@@ -182,13 +185,14 @@
/* build the new principal name */
/* we can't pick random names because we need to generate all the names
again given a prefix and count to test the db lib and kdb */
- (void) sprintf(suffix, "%d", n);
- (void) sprintf(tmp, "%s-DEPTH-1", principal_string);
+ (void) snprintf(suffix, suffix_size, "%d", n);
+ (void) snprintf(tmp, sizeof(tmp), "%s-DEPTH-1", principal_string);
str_princ = tmp;
if (check_princ(context, str_princ)) errors++;
for (i = 2; i <= depth; i++) {
- (void) sprintf(tmp2, "/%s-DEPTH-%d", principal_string, i);
+ (void) snprintf(tmp2, sizeof(tmp2), "/%s-DEPTH-%d",
+ principal_string, i);
tmp2[sizeof(tmp2) - 1] = '\0';
strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp));
str_princ = tmp;
@@ -234,7 +238,7 @@
/* char *str_mod_name; */
char princ_name[4096];
- sprintf(princ_name, "%s@%s", str_princ, cur_realm);
+ snprintf(princ_name, sizeof(princ_name), "%s@%s", str_princ, cur_realm);
fprintf(stderr, "\t%s ...\n", princ_name);
@@ -405,12 +409,10 @@
}
/* Pathname is passed to db2 via 'args' parameter. */
args[1] = NULL;
- args[0] = malloc(sizeof("dbname=") + strlen(dbname));
- if (args[0] == NULL) {
+ if (asprintf(&args[0], "dbname=%s", dbname) < 0) {
com_err(pname, errno, "while setting up db parameters");
return 1;
}
- sprintf(args[0], "dbname=%s", dbname);
if ((retval = krb5_db_open(context, args, KRB5_KDB_OPEN_RO))) {
com_err(pname, retval, "while initializing database");
Modified: branches/mkey_migrate/src/util/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -16,14 +16,6 @@
MAYBE_ET_sys =
MAYBE_SS_sys =
-editsh = sed -e 's,@''ARADD''@,$(ARADD),g' -e 's,@''ARCHIVE''@,$(ARCHIVE),g'
-HOST_TYPE=@HOST_TYPE@
-HAVE_GCC=@HAVE_GCC@
-SLIBSH=sed -e 's|@''CC''@|$(CC)|g' -e 's,@''HOST_TYPE''@,$(HOST_TYPE),g' -e 's,@''HAVE_GCC''@,$(HAVE_GCC),g'
-
-DL_COMPILE=@DL_COMPILE@
-DL_COMPILE_TAIL=@DL_COMPILE_TAIL@
-
all-recurse:
clean-unix::
Modified: branches/mkey_migrate/src/util/collected-client-lib/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/collected-client-lib/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/collected-client-lib/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -77,8 +77,3 @@
@lib_frag@
#@#libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
Copied: branches/mkey_migrate/src/util/collected-client-lib/deps (from rev 21721, trunk/src/util/collected-client-lib/deps)
Modified: branches/mkey_migrate/src/util/depfix.pl
===================================================================
--- branches/mkey_migrate/src/util/depfix.pl 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/depfix.pl 2009-01-10 01:06:45 UTC (rev 21722)
@@ -1,6 +1,6 @@
#!env perl -w
#
-# Copyright 1995,2001,2002,2003,2004,2005 by the Massachusetts Institute of Technology.
+# Copyright 1995,2001,2002,2003,2004,2005,2009 by the Massachusetts Institute of Technology.
# All Rights Reserved.
#
# Export of this software from the United States of America may
@@ -162,10 +162,6 @@
$_ = &uniquify($_);
- # Some krb4 dependencies should only be present if building with krb4
- # enabled.
- s;\$\(BUILDTOP\)/include/kerberosIV/krb_err.h ;\$(KRB_ERR_H_DEP) ;g;
-
# Delete trailing whitespace.
s; *$;;g;
@@ -204,10 +200,8 @@
}
print <<EOH ;
-# +++ Dependency line eater +++
#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
+# Generated makefile dependencies follow.
#
EOH
my $buf = '';
Copied: branches/mkey_migrate/src/util/deps (from rev 21721, trunk/src/util/deps)
Modified: branches/mkey_migrate/src/util/et/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/et/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/et/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -248,17 +248,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-error_message.so error_message.po $(OUTPRE)error_message.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h com_err.h error_message.c \
- error_table.h
-et_name.so et_name.po $(OUTPRE)et_name.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-thread.h com_err.h error_table.h \
- et_name.c
-com_err.so com_err.po $(OUTPRE)com_err.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-thread.h com_err.c com_err.h error_table.h
Copied: branches/mkey_migrate/src/util/et/deps (from rev 21721, trunk/src/util/et/deps)
Modified: branches/mkey_migrate/src/util/et/error_message.c
===================================================================
--- branches/mkey_migrate/src/util/et/error_message.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/et/error_message.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -260,7 +260,7 @@
if (cp == NULL)
return "Unknown error code";
cp1 = cp;
- strcpy(cp, "Unknown code ");
+ strlcpy(cp, "Unknown code ", ET_EBUFSIZ);
cp += sizeof("Unknown code ") - 1;
if (table_num != 0L) {
(void) error_table_name_r(table_num, cp);
Modified: branches/mkey_migrate/src/util/et/error_table.y
===================================================================
--- branches/mkey_migrate/src/util/et/error_table.y 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/et/error_table.y 2009-01-10 01:06:45 UTC (rev 21722)
@@ -100,10 +100,7 @@
ds(string)
char const *string;
{
- char *rv;
- rv = malloc(strlen(string)+1);
- strcpy(rv, string);
- return(rv);
+ return strdup(string);
}
char *
@@ -111,10 +108,7 @@
char const *string;
{
char *rv;
- rv = malloc(strlen(string)+3);
- strcpy(rv, "\"");
- strcat(rv, string);
- strcat(rv, "\"");
+ asprintf(&rv, "\"%s\"", string);
return(rv);
}
Modified: branches/mkey_migrate/src/util/et/internal.h
===================================================================
--- branches/mkey_migrate/src/util/et/internal.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/et/internal.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -5,6 +5,8 @@
#include <errno.h>
+#include "k5-platform.h"
+
#ifndef SYS_ERRLIST_DECLARED
extern char const * const sys_errlist[];
extern const int sys_nerr;
Modified: branches/mkey_migrate/src/util/et/t_com_err.c
===================================================================
--- branches/mkey_migrate/src/util/et/t_com_err.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/et/t_com_err.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -15,14 +15,14 @@
const char *msg = error_message (code);
char buffy[1024];
- sprintf (buffy, "error table %d message %d", table, msgno);
+ snprintf (buffy, sizeof(buffy), "error table %d message %d", table, msgno);
if (0 == strcmp (buffy, msg)) {
if (!known) {
known_err++;
}
return;
}
- sprintf (buffy, "Unknown code et%d %d", table, msgno);
+ snprintf (buffy, sizeof(buffy), "Unknown code et%d %d", table, msgno);
if (!strcmp (buffy, msg)) {
if (known)
known_err++;
Modified: branches/mkey_migrate/src/util/mac/k5_mig_client.c
===================================================================
--- branches/mkey_migrate/src/util/mac/k5_mig_client.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/mac/k5_mig_client.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,24 +27,115 @@
#ifndef LEAN_CLIENT
#include "k5_mig_client.h"
-
-#include <Kerberos/kipc_client.h>
#include "k5_mig_request.h"
#include "k5_mig_replyServer.h"
#include "k5-thread.h"
-#define KIPC_SERVICE_COUNT 3
+#include <mach/mach.h>
+#include <servers/bootstrap.h>
-typedef struct k5_ipc_request_port {
- char *service_id;
- mach_port_t port;
-} k5_ipc_request_port;
-static k5_ipc_request_port k5_ipc_known_ports[KIPC_SERVICE_COUNT] = {
+
+/* Number of services available. Update if modifying the lists below */
+#define KIPC_SERVICE_COUNT 2
+
+/* ------------------------------------------------------------------------ */
+
+/* This struct exists to store the global service port shared between all
+ * threads. Note that there is one of these ports per server, whereas
+ * there is one connection port per thread. Thus this is global and mutexed,
+ * whereas the connection ports below are in TLS */
+
+typedef struct k5_ipc_service_port {
+ const char *service_id;
+ mach_port_t service_port;
+} k5_ipc_service_port;
+
+/* global service ports and mutex to protect it */
+static k5_mutex_t g_service_ports_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+static k5_ipc_service_port g_service_ports[KIPC_SERVICE_COUNT] = {
{ "edu.mit.Kerberos.CCacheServer", MACH_PORT_NULL },
-{ "edu.mit.Kerberos.KerberosAgent", MACH_PORT_NULL },
-{ "edu.mit.Kerberos.OldKerberosAgent", MACH_PORT_NULL } };
+{ "edu.mit.Kerberos.KerberosAgent", MACH_PORT_NULL } };
+/* ------------------------------------------------------------------------ */
+
+/* This struct exists to hold the per-thread connection port used for ipc
+ * messages to the server. Each thread is issued a separate connection
+ * port so that the server can distinguish between threads in the same
+ * application. */
+
+typedef struct k5_ipc_connection {
+ const char *service_id;
+ mach_port_t port;
+} *k5_ipc_connection;
+
+typedef struct k5_ipc_connection_info {
+ struct k5_ipc_connection connections[KIPC_SERVICE_COUNT];
+ boolean_t server_died;
+ k5_ipc_stream reply_stream;
+} *k5_ipc_connection_info;
+
+/* initializer for k5_ipc_request_port to fill in server names in TLS */
+static const char *k5_ipc_known_services[KIPC_SERVICE_COUNT] = {
+"edu.mit.Kerberos.CCacheServer",
+"edu.mit.Kerberos.KerberosAgent" };
+
+/* ------------------------------------------------------------------------ */
+
+static void k5_ipc_client_cinfo_free (void *io_cinfo)
+{
+ if (io_cinfo) {
+ k5_ipc_connection_info cinfo = io_cinfo;
+ int i;
+
+ for (i = 0; i < KIPC_SERVICE_COUNT; i++) {
+ if (MACH_PORT_VALID (cinfo->connections[i].port)) {
+ mach_port_mod_refs (mach_task_self(),
+ cinfo->connections[i].port,
+ MACH_PORT_RIGHT_SEND, -1 );
+ cinfo->connections[i].port = MACH_PORT_NULL;
+ }
+ }
+ /* reply_stream will always be freed by k5_ipc_send_request() */
+ free (cinfo);
+ }
+}
+
+/* ------------------------------------------------------------------------ */
+
+static int k5_ipc_client_cinfo_allocate (k5_ipc_connection_info *out_cinfo)
+{
+ int err = 0;
+ k5_ipc_connection_info cinfo = NULL;
+
+ cinfo = malloc (sizeof (*cinfo));
+ if (!cinfo) { err = ENOMEM; }
+
+ if (!err) {
+ int i;
+
+ cinfo->server_died = 0;
+ cinfo->reply_stream = NULL;
+
+ for (i = 0; i < KIPC_SERVICE_COUNT; i++) {
+ cinfo->connections[i].service_id = k5_ipc_known_services[i];
+ cinfo->connections[i].port = MACH_PORT_NULL;
+ }
+ }
+
+ if (!err) {
+ *out_cinfo = cinfo;
+ cinfo = NULL;
+ }
+
+ k5_ipc_client_cinfo_free (cinfo);
+
+ return err;
+}
+
+
+#pragma mark -
+
MAKE_INIT_FUNCTION(k5_cli_ipc_thread_init);
MAKE_FINI_FUNCTION(k5_cli_ipc_thread_fini);
@@ -53,15 +144,12 @@
static int k5_cli_ipc_thread_init (void)
{
int err = 0;
-
- err = k5_key_register (K5_KEY_IPC_REQUEST_PORTS, free);
- if (!err) {
- err = k5_key_register (K5_KEY_IPC_REPLY_STREAM, NULL);
- }
+ err = k5_key_register (K5_KEY_IPC_CONNECTION_INFO,
+ k5_ipc_client_cinfo_free);
if (!err) {
- err = k5_key_register (K5_KEY_IPC_SERVER_DIED, NULL);
+ err = k5_mutex_finish_init (&g_service_ports_mutex);
}
return err;
@@ -71,15 +159,125 @@
static void k5_cli_ipc_thread_fini (void)
{
- k5_key_delete (K5_KEY_IPC_REQUEST_PORTS);
- k5_key_delete (K5_KEY_IPC_REPLY_STREAM);
- k5_key_delete (K5_KEY_IPC_SERVER_DIED);
+ int err = 0;
+
+ err = k5_mutex_lock (&g_service_ports_mutex);
+
+ if (!err) {
+ int i;
+
+ for (i = 0; i < KIPC_SERVICE_COUNT; i++) {
+ if (MACH_PORT_VALID (g_service_ports[i].service_port)) {
+ mach_port_destroy (mach_task_self (),
+ g_service_ports[i].service_port);
+ g_service_ports[i].service_port = MACH_PORT_NULL;
+ }
+ }
+ k5_mutex_unlock (&g_service_ports_mutex);
+ }
+
+ k5_key_delete (K5_KEY_IPC_CONNECTION_INFO);
+ k5_mutex_destroy (&g_service_ports_mutex);
}
#pragma mark -
/* ------------------------------------------------------------------------ */
+static kern_return_t k5_ipc_client_lookup_server (const char *in_service_id,
+ boolean_t in_launch_if_necessary,
+ boolean_t in_use_cached_port,
+ mach_port_t *out_service_port)
+{
+ kern_return_t err = 0;
+ kern_return_t lock_err = 0;
+ mach_port_t k5_service_port = MACH_PORT_NULL;
+ boolean_t found_entry = 0;
+ int i;
+
+ if (!in_service_id ) { err = EINVAL; }
+ if (!out_service_port) { err = EINVAL; }
+
+ if (!err) {
+ lock_err = k5_mutex_lock (&g_service_ports_mutex);
+ if (lock_err) { err = lock_err; }
+ }
+
+ for (i = 0; !err && i < KIPC_SERVICE_COUNT; i++) {
+ if (!strcmp (in_service_id, g_service_ports[i].service_id)) {
+ found_entry = 1;
+ if (in_use_cached_port) {
+ k5_service_port = g_service_ports[i].service_port;
+ }
+ break;
+ }
+ }
+
+ if (!err && (!MACH_PORT_VALID (k5_service_port) || !in_use_cached_port)) {
+ mach_port_t boot_port = MACH_PORT_NULL;
+ char *service = NULL;
+
+ /* Get our bootstrap port */
+ err = task_get_bootstrap_port (mach_task_self (), &boot_port);
+
+ if (!err && !in_launch_if_necessary) {
+ char *lookup = NULL;
+ mach_port_t lookup_port = MACH_PORT_NULL;
+
+ int w = asprintf (&lookup, "%s%s",
+ in_service_id, K5_MIG_LOOKUP_SUFFIX);
+ if (w < 0) { err = ENOMEM; }
+
+ if (!err) {
+ /* Use the lookup name because the service name will return
+ * a valid port even if the server isn't running */
+ err = bootstrap_look_up (boot_port, lookup, &lookup_port);
+ }
+
+ free (lookup);
+ if (MACH_PORT_VALID (lookup_port)) {
+ mach_port_deallocate (mach_task_self (), lookup_port);
+ }
+ }
+
+ if (!err) {
+ int w = asprintf (&service, "%s%s",
+ in_service_id, K5_MIG_SERVICE_SUFFIX);
+ if (w < 0) { err = ENOMEM; }
+ }
+
+ if (!err) {
+ err = bootstrap_look_up (boot_port, service, &k5_service_port);
+
+ if (!err && found_entry) {
+ /* Free old port if it is valid */
+ if (!err && MACH_PORT_VALID (g_service_ports[i].service_port)) {
+ mach_port_deallocate (mach_task_self (),
+ g_service_ports[i].service_port);
+ }
+
+ g_service_ports[i].service_port = k5_service_port;
+ }
+ }
+
+ free (service);
+ if (MACH_PORT_VALID (boot_port)) { mach_port_deallocate (mach_task_self (),
+ boot_port); }
+ }
+
+ if (!err) {
+ *out_service_port = k5_service_port;
+ }
+
+ if (!lock_err) { k5_mutex_unlock (&g_service_ports_mutex); }
+
+ return err;
+}
+
+#pragma mark -
+
+/* ------------------------------------------------------------------------ */
+
static boolean_t k5_ipc_reply_demux (mach_msg_header_t *request,
mach_msg_header_t *reply)
{
@@ -90,9 +288,9 @@
}
if (!handled && request->msgh_id == MACH_NOTIFY_NO_SENDERS) {
- int32_t *server_died = k5_getspecific (K5_KEY_IPC_SERVER_DIED);
- if (!server_died) {
- *server_died = 1;
+ k5_ipc_connection_info cinfo = k5_getspecific (K5_KEY_IPC_CONNECTION_INFO);
+ if (cinfo) {
+ cinfo->server_died = 1;
}
handled = 1; /* server died */
@@ -114,30 +312,34 @@
mach_msg_type_number_t in_ool_replyCnt)
{
kern_return_t err = KERN_SUCCESS;
- k5_ipc_stream reply_stream = NULL;
+ k5_ipc_connection_info cinfo = NULL;
if (!err) {
err = CALL_INIT_FUNCTION (k5_cli_ipc_thread_init);
}
if (!err) {
- reply_stream = k5_getspecific (K5_KEY_IPC_REPLY_STREAM);
- if (!reply_stream) { err = EINVAL; }
+ cinfo = k5_getspecific (K5_KEY_IPC_CONNECTION_INFO);
+ if (!cinfo || !cinfo->reply_stream) { err = EINVAL; }
}
if (!err) {
if (in_inl_replyCnt) {
- err = k5_ipc_stream_write (reply_stream, in_inl_reply, in_inl_replyCnt);
+ err = k5_ipc_stream_write (cinfo->reply_stream,
+ in_inl_reply, in_inl_replyCnt);
} else if (in_ool_replyCnt) {
- err = k5_ipc_stream_write (reply_stream, in_ool_reply, in_ool_replyCnt);
+ err = k5_ipc_stream_write (cinfo->reply_stream,
+ in_ool_reply, in_ool_replyCnt);
} else {
err = EINVAL;
}
}
- if (in_ool_replyCnt) { vm_deallocate (mach_task_self (), (vm_address_t) in_ool_reply, in_ool_replyCnt); }
+ if (in_ool_replyCnt) { vm_deallocate (mach_task_self (),
+ (vm_address_t) in_ool_reply,
+ in_ool_replyCnt); }
return err;
}
@@ -154,16 +356,15 @@
int err = 0;
int32_t done = 0;
int32_t try_count = 0;
- int32_t server_died = 0;
mach_port_t server_port = MACH_PORT_NULL;
- mach_port_t *request_port = NULL;
+ k5_ipc_connection_info cinfo = NULL;
+ k5_ipc_connection connection = NULL;
mach_port_t reply_port = MACH_PORT_NULL;
const char *inl_request = NULL; /* char * so we can pass the buffer in directly */
mach_msg_type_number_t inl_request_length = 0;
k5_ipc_ool_request_t ool_request = NULL;
mach_msg_type_number_t ool_request_length = 0;
- k5_ipc_stream reply_stream = NULL;
-
+
if (!in_request_stream) { err = EINVAL; }
if (!out_reply_stream ) { err = EINVAL; }
@@ -176,16 +377,18 @@
* the slow dynamically allocated buffer */
mach_msg_type_number_t request_length = k5_ipc_stream_size (in_request_stream);
- if (request_length > K5_IPC_MAX_MSG_SIZE) {
- //dprintf ("%s choosing out of line buffer (size is %d)",
- // __FUNCTION__, request_length);
+ if (request_length > K5_IPC_MAX_INL_MSG_SIZE) {
+ /*dprintf ("%s choosing out of line buffer (size is %d)",
+ * __FUNCTION__, request_length); */
err = vm_read (mach_task_self (),
- (vm_address_t) k5_ipc_stream_data (in_request_stream), request_length,
- (vm_address_t *) &ool_request, &ool_request_length);
+ (vm_address_t) k5_ipc_stream_data (in_request_stream),
+ request_length,
+ (vm_address_t *) &ool_request,
+ &ool_request_length);
} else {
- //dprintf ("%s choosing in line buffer (size is %d)",
- // __FUNCTION__, request_length);
+ /*dprintf ("%s choosing in line buffer (size is %d)",
+ * __FUNCTION__, request_length); */
inl_request_length = request_length;
inl_request = k5_ipc_stream_data (in_request_stream);
@@ -193,25 +396,13 @@
}
if (!err) {
- k5_ipc_request_port *port_list = NULL;
-
- port_list = k5_getspecific (K5_KEY_IPC_REQUEST_PORTS);
+ cinfo = k5_getspecific (K5_KEY_IPC_CONNECTION_INFO);
- if (!port_list) {
- int size = sizeof (*port_list) * KIPC_SERVICE_COUNT;
-
- port_list = malloc (size);
- if (!port_list) { err = ENOMEM; }
-
+ if (!cinfo) {
+ err = k5_ipc_client_cinfo_allocate (&cinfo);
+
if (!err) {
- int i;
-
- for (i = 0; i < KIPC_SERVICE_COUNT; i++) {
- port_list[i].service_id = k5_ipc_known_ports[i].service_id;
- port_list[i].port = k5_ipc_known_ports[i].port;
- }
-
- err = k5_setspecific (K5_KEY_IPC_REQUEST_PORTS, port_list);
+ err = k5_setspecific (K5_KEY_IPC_CONNECTION_INFO, cinfo);
}
}
@@ -219,9 +410,9 @@
int i, found = 0;
for (i = 0; i < KIPC_SERVICE_COUNT; i++) {
- if (!strcmp (in_service_id, port_list[i].service_id)) {
+ if (!strcmp (in_service_id, cinfo->connections[i].service_id)) {
found = 1;
- request_port = &port_list[i].port;
+ connection = &cinfo->connections[i];
break;
}
}
@@ -231,21 +422,23 @@
}
if (!err) {
- err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE, &reply_port);
+ err = k5_ipc_client_lookup_server (in_service_id, in_launch_server,
+ TRUE, &server_port);
}
if (!err) {
- err = kipc_client_lookup_server (in_service_id, in_launch_server,
- TRUE, &server_port);
+ err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE,
+ &reply_port);
}
while (!err && !done) {
- if (!err && !MACH_PORT_VALID (*request_port)) {
- err = k5_ipc_client_create_client_connection (server_port, request_port);
+ if (!err && !MACH_PORT_VALID (connection->port)) {
+ err = k5_ipc_client_create_client_connection (server_port,
+ &connection->port);
}
if (!err) {
- err = k5_ipc_client_request (*request_port, reply_port,
+ err = k5_ipc_client_request (connection->port, reply_port,
inl_request, inl_request_length,
ool_request, ool_request_length);
@@ -257,15 +450,16 @@
err = 0;
}
- if (request_port && MACH_PORT_VALID (*request_port)) {
- mach_port_mod_refs (mach_task_self(), *request_port, MACH_PORT_RIGHT_SEND, -1 );
- *request_port = MACH_PORT_NULL;
+ if (MACH_PORT_VALID (connection->port)) {
+ mach_port_mod_refs (mach_task_self(), connection->port,
+ MACH_PORT_RIGHT_SEND, -1 );
+ connection->port = MACH_PORT_NULL;
}
/* Look up server name again without using the cached copy */
- err = kipc_client_lookup_server (in_service_id,
- in_launch_server,
- FALSE, &server_port);
+ err = k5_ipc_client_lookup_server (in_service_id,
+ in_launch_server,
+ FALSE, &server_port);
} else {
/* Talked to server, though we may have gotten an error */
@@ -279,23 +473,16 @@
}
if (!err) {
- err = k5_ipc_stream_new (&reply_stream);
+ err = k5_ipc_stream_new (&cinfo->reply_stream);
}
if (!err) {
- err = k5_setspecific (K5_KEY_IPC_REPLY_STREAM, reply_stream);
- }
-
- if (!err) {
- err = k5_setspecific (K5_KEY_IPC_SERVER_DIED, &server_died);
- }
-
- if (!err) {
mach_port_t old_notification_target = MACH_PORT_NULL;
- /* request no-senders notification so we can get a message when server dies */
+ /* request no-senders notification so we know when server dies */
err = mach_port_request_notification (mach_task_self (), reply_port,
- MACH_NOTIFY_NO_SENDERS, 1, reply_port,
+ MACH_NOTIFY_NO_SENDERS, 1,
+ reply_port,
MACH_MSG_TYPE_MAKE_SEND_ONCE,
&old_notification_target);
@@ -305,29 +492,37 @@
}
if (!err) {
- err = mach_msg_server_once (k5_ipc_reply_demux, kkipc_max_message_size,
+ cinfo->server_died = 0;
+
+ err = mach_msg_server_once (k5_ipc_reply_demux, K5_IPC_MAX_MSG_SIZE,
reply_port, MACH_MSG_TIMEOUT_NONE);
+
+ if (!err && cinfo->server_died) {
+ err = ENOTCONN;
+ }
}
- if (!err && server_died) {
- err = ENOTCONN;
- }
-
if (err == BOOTSTRAP_UNKNOWN_SERVICE && !in_launch_server) {
- err = 0; /* If the server is not running just return an empty stream. */
+ err = 0; /* If server is not running just return an empty stream. */
}
if (!err) {
- *out_reply_stream = reply_stream;
- reply_stream = NULL;
+ *out_reply_stream = cinfo->reply_stream;
+ cinfo->reply_stream = NULL;
}
+
+ if (reply_port != MACH_PORT_NULL) {
+ mach_port_destroy (mach_task_self (), reply_port);
+ }
+ if (ool_request_length) {
+ vm_deallocate (mach_task_self (),
+ (vm_address_t) ool_request, ool_request_length);
+ }
+ if (cinfo && cinfo->reply_stream) {
+ k5_ipc_stream_release (cinfo->reply_stream);
+ cinfo->reply_stream = NULL;
+ }
- k5_setspecific (K5_KEY_IPC_REPLY_STREAM, NULL);
- k5_setspecific (K5_KEY_IPC_SERVER_DIED, NULL);
- if (reply_port != MACH_PORT_NULL) { mach_port_destroy (mach_task_self (), reply_port); }
- if (ool_request_length ) { vm_deallocate (mach_task_self (), (vm_address_t) ool_request, ool_request_length); }
- if (reply_stream ) { k5_ipc_stream_release (reply_stream); }
-
return err;
}
Modified: branches/mkey_migrate/src/util/mac/k5_mig_server.c
===================================================================
--- branches/mkey_migrate/src/util/mac/k5_mig_server.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/mac/k5_mig_server.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,30 +27,48 @@
#include "k5_mig_server.h"
#include <syslog.h>
-#include <Kerberos/kipc_server.h>
#include "k5_mig_requestServer.h"
#include "k5_mig_reply.h"
+#include <CoreFoundation/CoreFoundation.h>
+#include <mach/mach.h>
+#include <servers/bootstrap.h>
+#include <string.h>
+/* Global variables for servers (used by k5_ipc_request_demux) */
+static mach_port_t g_service_port = MACH_PORT_NULL;
+static mach_port_t g_notify_port = MACH_PORT_NULL;
+static mach_port_t g_listen_port_set = MACH_PORT_NULL;
+static boolean_t g_ready_to_quit = 0;
+
+
/* ------------------------------------------------------------------------ */
static boolean_t k5_ipc_request_demux (mach_msg_header_t *request,
mach_msg_header_t *reply)
{
- boolean_t handled = false;
+ boolean_t handled = 0;
if (!handled) {
handled = k5_ipc_request_server (request, reply);
}
+ /* Our session has a send right. If that goes away it's time to quit. */
+ if (!handled && (request->msgh_id == MACH_NOTIFY_NO_SENDERS &&
+ request->msgh_local_port == g_notify_port)) {
+ g_ready_to_quit = 1;
+ handled = 1;
+ }
+
+ /* Check here for a client death. If so remove it */
if (!handled && request->msgh_id == MACH_NOTIFY_NO_SENDERS) {
kern_return_t err = KERN_SUCCESS;
err = k5_ipc_server_remove_client (request->msgh_local_port);
if (!err) {
- /* Check here for a client in our table and free rights associated with it */
- err = mach_port_mod_refs (mach_task_self (), request->msgh_local_port,
+ err = mach_port_mod_refs (mach_task_self (),
+ request->msgh_local_port,
MACH_PORT_RIGHT_RECEIVE, -1);
}
@@ -58,7 +76,7 @@
handled = 1; /* was a port we are tracking */
}
}
-
+
return handled;
}
@@ -72,18 +90,23 @@
mach_port_t old_notification_target = MACH_PORT_NULL;
if (!err) {
- err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE, &connection_port);
+ err = mach_port_allocate (mach_task_self (),
+ MACH_PORT_RIGHT_RECEIVE, &connection_port);
}
if (!err) {
- err = mach_port_move_member (mach_task_self (), connection_port, kipc_server_get_listen_portset ());
+ err = mach_port_move_member (mach_task_self (),
+ connection_port, g_listen_port_set);
}
if (!err) {
/* request no-senders notification so we can tell when client quits/crashes */
- err = mach_port_request_notification (mach_task_self (), connection_port,
- MACH_NOTIFY_NO_SENDERS, 1, connection_port,
- MACH_MSG_TYPE_MAKE_SEND_ONCE, &old_notification_target );
+ err = mach_port_request_notification (mach_task_self (),
+ connection_port,
+ MACH_NOTIFY_NO_SENDERS, 1,
+ connection_port,
+ MACH_MSG_TYPE_MAKE_SEND_ONCE,
+ &old_notification_target );
}
if (!err) {
@@ -138,6 +161,71 @@
return err;
}
+/* ------------------------------------------------------------------------ */
+
+static kern_return_t k5_ipc_server_get_lookup_and_service_names (char **out_lookup,
+ char **out_service)
+{
+ kern_return_t err = KERN_SUCCESS;
+ CFBundleRef bundle = NULL;
+ CFStringRef id_string = NULL;
+ CFIndex len = 0;
+ char *service_id = NULL;
+ char *lookup = NULL;
+ char *service = NULL;
+
+ if (!out_lookup ) { err = EINVAL; }
+ if (!out_service) { err = EINVAL; }
+
+ if (!err) {
+ bundle = CFBundleGetMainBundle ();
+ if (!bundle) { err = ENOENT; }
+ }
+
+ if (!err) {
+ id_string = CFBundleGetIdentifier (bundle);
+ if (!id_string) { err = ENOMEM; }
+ }
+
+ if (!err) {
+ len = CFStringGetMaximumSizeForEncoding (CFStringGetLength (id_string),
+ kCFStringEncodingUTF8) + 1;
+ }
+
+ if (!err) {
+ service_id = calloc (len, sizeof (char));
+ if (!service_id) { err = errno; }
+ }
+
+ if (!err && !CFStringGetCString (id_string, service_id, len,
+ kCFStringEncodingUTF8)) {
+ err = ENOMEM;
+ }
+
+ if (!err) {
+ int w = asprintf (&lookup, "%s%s", service_id, K5_MIG_LOOKUP_SUFFIX);
+ if (w < 0) { err = ENOMEM; }
+ }
+
+ if (!err) {
+ int w = asprintf (&service, "%s%s", service_id, K5_MIG_SERVICE_SUFFIX);
+ if (w < 0) { err = ENOMEM; }
+ }
+
+ if (!err) {
+ *out_lookup = lookup;
+ lookup = NULL;
+ *out_service = service;
+ service = NULL;
+ }
+
+ free (service);
+ free (lookup);
+ free (service_id);
+
+ return err;
+}
+
#pragma mark -
/* ------------------------------------------------------------------------ */
@@ -148,7 +236,97 @@
* This will call k5_ipc_server_create_client_connection for new clients
* and k5_ipc_server_request for existing clients */
- return kipc_server_run_server (k5_ipc_request_demux);
+ kern_return_t err = KERN_SUCCESS;
+ char *service = NULL;
+ char *lookup = NULL;
+ mach_port_t lookup_port = MACH_PORT_NULL;
+ mach_port_t boot_port = MACH_PORT_NULL;
+ mach_port_t previous_notify_port = MACH_PORT_NULL;
+
+ if (!err) {
+ err = k5_ipc_server_get_lookup_and_service_names (&lookup, &service);
+ }
+
+ if (!err) {
+ /* Get the bootstrap port */
+ err = task_get_bootstrap_port (mach_task_self (), &boot_port);
+ }
+
+ if (!err) {
+ /* We are an on-demand server so our lookup port already exists. */
+ err = bootstrap_check_in (boot_port, lookup, &lookup_port);
+ }
+
+ if (!err) {
+ /* We are an on-demand server so our service port already exists. */
+ err = bootstrap_check_in (boot_port, service, &g_service_port);
+ }
+
+ if (!err) {
+ /* Create the port set that the server will listen on */
+ err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE,
+ &g_notify_port);
+ }
+
+ if (!err) {
+ /* Ask for notification when the server port has no more senders
+ * A send-once right != a send right so our send-once right will
+ * not interfere with the notification */
+ err = mach_port_request_notification (mach_task_self (), g_service_port,
+ MACH_NOTIFY_NO_SENDERS, true,
+ g_notify_port,
+ MACH_MSG_TYPE_MAKE_SEND_ONCE,
+ &previous_notify_port);
+ }
+
+ if (!err) {
+ /* Create the port set that the server will listen on */
+ err = mach_port_allocate (mach_task_self (),
+ MACH_PORT_RIGHT_PORT_SET, &g_listen_port_set);
+ }
+
+ if (!err) {
+ /* Add the lookup port to the port set */
+ err = mach_port_move_member (mach_task_self (),
+ lookup_port, g_listen_port_set);
+ }
+
+ if (!err) {
+ /* Add the service port to the port set */
+ err = mach_port_move_member (mach_task_self (),
+ g_service_port, g_listen_port_set);
+ }
+
+ if (!err) {
+ /* Add the notify port to the port set */
+ err = mach_port_move_member (mach_task_self (),
+ g_notify_port, g_listen_port_set);
+ }
+
+ while (!err && !g_ready_to_quit) {
+ /* Handle one message at a time so we can check to see if
+ * the server wants to quit */
+ err = mach_msg_server_once (k5_ipc_request_demux, K5_IPC_MAX_MSG_SIZE,
+ g_listen_port_set, MACH_MSG_OPTION_NONE);
+ }
+
+ /* Clean up the ports and strings */
+ if (MACH_PORT_VALID (g_notify_port)) {
+ mach_port_destroy (mach_task_self (), g_notify_port);
+ g_notify_port = MACH_PORT_NULL;
+ }
+ if (MACH_PORT_VALID (g_listen_port_set)) {
+ mach_port_destroy (mach_task_self (), g_listen_port_set);
+ g_listen_port_set = MACH_PORT_NULL;
+ }
+ if (MACH_PORT_VALID (boot_port)) {
+ mach_port_deallocate (mach_task_self (), boot_port);
+ }
+
+ free (service);
+ free (lookup);
+
+ return err;
}
/* ------------------------------------------------------------------------ */
@@ -170,7 +348,7 @@
* the slow dynamically allocated buffer */
mach_msg_type_number_t reply_length = k5_ipc_stream_size (in_reply_stream);
- if (reply_length > K5_IPC_MAX_MSG_SIZE) {
+ if (reply_length > K5_IPC_MAX_INL_MSG_SIZE) {
//dprintf ("%s choosing out of line buffer (size is %d)",
// __FUNCTION__, reply_length);
@@ -203,3 +381,10 @@
return err;
}
+
+/* ------------------------------------------------------------------------ */
+
+void k5_ipc_server_quit (void)
+{
+ g_ready_to_quit = 1;
+}
Modified: branches/mkey_migrate/src/util/mac/k5_mig_server.h
===================================================================
--- branches/mkey_migrate/src/util/mac/k5_mig_server.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/mac/k5_mig_server.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -41,9 +41,12 @@
/* Server control functions */
+/* WARNING: Currently only supports running server loop on a single thread! */
int32_t k5_ipc_server_listen_loop (void);
int32_t k5_ipc_server_send_reply (mach_port_t in_reply_pipe,
k5_ipc_stream in_reply_stream);
+void k5_ipc_server_quit (void);
+
#endif /* K5_MIG_SERVER */
Modified: branches/mkey_migrate/src/util/mac/k5_mig_types.h
===================================================================
--- branches/mkey_migrate/src/util/mac/k5_mig_types.h 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/mac/k5_mig_types.h 2009-01-10 01:06:45 UTC (rev 21722)
@@ -44,12 +44,16 @@
#ifndef K5_MIG_TYPES_H
#define K5_MIG_TYPES_H
+#define K5_IPC_MAX_MSG_SIZE 2048 + MAX_TRAILER_SIZE
-#define K5_IPC_MAX_MSG_SIZE 1024
+#define K5_MIG_LOOKUP_SUFFIX ".ipcLookup"
+#define K5_MIG_SERVICE_SUFFIX ".ipcService"
-typedef const char k5_ipc_inl_request_t[K5_IPC_MAX_MSG_SIZE];
+#define K5_IPC_MAX_INL_MSG_SIZE 1024
+
+typedef const char k5_ipc_inl_request_t[K5_IPC_MAX_INL_MSG_SIZE];
typedef const char *k5_ipc_ool_request_t;
-typedef char k5_ipc_inl_reply_t[K5_IPC_MAX_MSG_SIZE];
+typedef char k5_ipc_inl_reply_t[K5_IPC_MAX_INL_MSG_SIZE];
typedef char *k5_ipc_ool_reply_t;
#endif /* K5_MIG_TYPES_H */
Modified: branches/mkey_migrate/src/util/profile/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/profile/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/profile/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -154,44 +154,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-prof_tree.so prof_tree.po $(OUTPRE)prof_tree.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_int.h prof_tree.c
-prof_file.so prof_file.po $(OUTPRE)prof_file.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_file.c prof_int.h
-prof_parse.so prof_parse.po $(OUTPRE)prof_parse.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_int.h prof_parse.c
-prof_get.so prof_get.po $(OUTPRE)prof_get.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_get.c prof_int.h
-prof_set.so prof_set.po $(OUTPRE)prof_set.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_int.h prof_set.c
-prof_err.so prof_err.po $(OUTPRE)prof_err.$(OBJEXT): \
- $(COM_ERR_DEPS) prof_err.c
-prof_init.so prof_init.po $(OUTPRE)prof_init.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_init.c prof_int.h
-test_parse.so test_parse.po $(OUTPRE)test_parse.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- prof_int.h test_parse.c
-test_profile.so test_profile.po $(OUTPRE)test_profile.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- argv_parse.h prof_int.h test_profile.c
-profile_tcl.so profile_tcl.po $(OUTPRE)profile_tcl.$(OBJEXT): \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) profile_tcl.c
Copied: branches/mkey_migrate/src/util/profile/deps (from rev 21721, trunk/src/util/profile/deps)
Modified: branches/mkey_migrate/src/util/profile/prof_file.c
===================================================================
--- branches/mkey_migrate/src/util/profile/prof_file.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/profile/prof_file.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -182,7 +182,7 @@
memset(d, 0, len);
fcopy = (char *) d + slen;
assert(fcopy == d->filespec);
- strcpy(fcopy, filename);
+ strlcpy(fcopy, filename, flen + 1);
d->refcount = 1;
d->comment = NULL;
d->magic = PROF_MAGIC_FILE_DATA;
@@ -198,7 +198,6 @@
prf_file_t prf;
errcode_t retval;
char *home_env = 0;
- unsigned int len;
prf_data_t data;
char *expanded_filename;
@@ -214,7 +213,6 @@
memset(prf, 0, sizeof(struct _prf_file_t));
prf->magic = PROF_MAGIC_FILE;
- len = strlen(filespec)+1;
if (filespec[0] == '~' && filespec[1] == '/') {
home_env = getenv("HOME");
#ifdef HAVE_PWD_H
@@ -229,19 +227,17 @@
home_env = pw->pw_dir;
}
#endif
- if (home_env)
- len += strlen(home_env);
}
- expanded_filename = malloc(len);
+ if (home_env) {
+ if (asprintf(&expanded_filename, "%s%s", home_env,
+ filespec + 1) < 0)
+ expanded_filename = 0;
+ } else
+ expanded_filename = strdup(filespec);
if (expanded_filename == 0) {
free(prf);
return ENOMEM;
}
- if (home_env) {
- strcpy(expanded_filename, home_env);
- strcat(expanded_filename, filespec+1);
- } else
- memcpy(expanded_filename, filespec, len);
retval = k5_mutex_lock(&g_shared_trees_mutex);
if (retval) {
Modified: branches/mkey_migrate/src/util/profile/prof_get.c
===================================================================
--- branches/mkey_migrate/src/util/profile/prof_get.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/profile/prof_get.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -28,8 +28,8 @@
struct profile_string_list {
char **list;
- int num;
- int max;
+ unsigned int num;
+ unsigned int max;
};
/*
@@ -75,7 +75,7 @@
static errcode_t add_to_list(struct profile_string_list *list, const char *str)
{
char *newstr, **newlist;
- int newmax;
+ unsigned int newmax;
if (list->num+1 >= list->max) {
newmax = list->max + 10;
@@ -85,10 +85,9 @@
list->max = newmax;
list->list = newlist;
}
- newstr = malloc(strlen(str)+1);
+ newstr = strdup(str);
if (newstr == 0)
return ENOMEM;
- strcpy(newstr, str);
list->list[list->num++] = newstr;
list->list[list->num] = 0;
@@ -217,10 +216,9 @@
value = def_val;
if (value) {
- *ret_string = malloc(strlen(value)+1);
+ *ret_string = strdup(value);
if (*ret_string == 0)
return ENOMEM;
- strcpy(*ret_string, value);
} else
*ret_string = 0;
return 0;
Modified: branches/mkey_migrate/src/util/profile/prof_init.c
===================================================================
--- branches/mkey_migrate/src/util/profile/prof_init.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/profile/prof_init.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -42,7 +42,7 @@
for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) {
retval = profile_open_file(*fs, &new_file);
/* if this file is missing, skip to the next */
- if (retval == ENOENT || retval == EACCES) {
+ if (retval == ENOENT || retval == EACCES || retval == EPERM) {
continue;
}
if (retval) {
@@ -71,7 +71,7 @@
#define COUNT_LINKED_LIST(COUNT, PTYPE, START, FIELD) \
{ \
- int cll_counter = 0; \
+ size_t cll_counter = 0; \
PTYPE cll_ptr = (START); \
while (cll_ptr != NULL) { \
cll_counter++; \
@@ -106,7 +106,8 @@
profile_init_path(const_profile_filespec_list_t filepath,
profile_t *ret_profile)
{
- int n_entries, i;
+ unsigned int n_entries;
+ int i;
unsigned int ent_len;
const char *s, *t;
profile_filespec_t *filenames;
@@ -125,7 +126,7 @@
/* measure, copy, and skip each one */
for(s = filepath, i=0; (t = strchr(s, ':')) || (t=s+strlen(s)); s=t+1, i++) {
- ent_len = t-s;
+ ent_len = (unsigned int) (t-s);
filenames[i] = (char*) malloc(ent_len + 1);
if (filenames[i] == 0) {
/* if malloc fails, free the ones that worked */
@@ -252,7 +253,6 @@
free(profile);
}
-#ifndef LEAN_CLIENT
/*
* Here begins the profile serialization functions.
*/
@@ -344,6 +344,7 @@
bp = *bufpp;
remain = *remainp;
+ fcount = 0;
if (remain >= 12)
(void) unpack_int32(&tmp, &bp, &remain);
@@ -358,11 +359,11 @@
(void) unpack_int32(&fcount, &bp, &remain);
retval = ENOMEM;
- flist = (profile_filespec_t *) malloc(sizeof(profile_filespec_t) * (fcount + 1));
+ flist = (profile_filespec_t *) malloc(sizeof(profile_filespec_t) * (size_t) (fcount + 1));
if (!flist)
goto cleanup;
- memset(flist, 0, sizeof(char *) * (fcount+1));
+ memset(flist, 0, sizeof(char *) * (size_t) (fcount+1));
for (i=0; i<fcount; i++) {
if (!unpack_int32(&tmp, &bp, &remain)) {
flist[i] = (char *) malloc((size_t) (tmp+1));
@@ -398,5 +399,4 @@
}
return(retval);
}
-#endif /* LEAN_CLIENT */
Modified: branches/mkey_migrate/src/util/profile/prof_tree.c
===================================================================
--- branches/mkey_migrate/src/util/profile/prof_tree.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/profile/prof_tree.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -638,11 +638,10 @@
if (!node->value)
return PROF_SET_SECTION_VALUE;
- cp = malloc(strlen(new_value)+1);
+ cp = strdup(new_value);
if (!cp)
return ENOMEM;
- strcpy(cp, new_value);
free(node->value);
node->value = cp;
@@ -667,10 +666,9 @@
/*
* Make sure we can allocate memory for the new name, first!
*/
- new_string = malloc(strlen(new_name)+1);
+ new_string = strdup(new_name);
if (!new_string)
return ENOMEM;
- strcpy(new_string, new_name);
/*
* Find the place to where the new node should go. We look
Copied: branches/mkey_migrate/src/util/send-pr/deps (from rev 21721, trunk/src/util/send-pr/deps)
Modified: branches/mkey_migrate/src/util/ss/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/ss/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/ss/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -170,73 +170,3 @@
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-invocation.so invocation.po $(OUTPRE)invocation.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- copyright.h invocation.c ss.h ss_internal.h
-help.so help.po $(OUTPRE)help.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h help.c ss.h \
- ss_internal.h
-execute_cmd.so execute_cmd.po $(OUTPRE)execute_cmd.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- copyright.h execute_cmd.c ss.h ss_internal.h
-listen.so listen.po $(OUTPRE)listen.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h listen.c \
- ss.h ss_internal.h
-parse.so parse.po $(OUTPRE)parse.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h parse.c ss.h \
- ss_internal.h
-error.so error.po $(OUTPRE)error.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h error.c ss.h \
- ss_internal.h
-prompt.so prompt.po $(OUTPRE)prompt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h prompt.c \
- ss.h ss_internal.h
-request_tbl.so request_tbl.po $(OUTPRE)request_tbl.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- copyright.h request_tbl.c ss.h ss_internal.h
-list_rqs.so list_rqs.po $(OUTPRE)list_rqs.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- copyright.h list_rqs.c ss.h ss_internal.h
-pager.so pager.po $(OUTPRE)pager.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h pager.c ss.h \
- ss_internal.h
-requests.so requests.po $(OUTPRE)requests.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- requests.c ss.h ss_internal.h
-data.so data.po $(OUTPRE)data.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h data.c ss.h \
- ss_internal.h
-mk_cmds.so mk_cmds.po $(OUTPRE)mk_cmds.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h mk_cmds.c \
- ss.h ss_internal.h
-utils.so utils.po $(OUTPRE)utils.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h copyright.h ss.h ss_internal.h \
- utils.c
-options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \
- $(COM_ERR_DEPS) copyright.h options.c ss.h
-cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h
-ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \
- ct.tab.c ss.h
-ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \
- ss_err.c
-std_rqs.so std_rqs.po $(OUTPRE)std_rqs.$(OBJEXT): $(COM_ERR_DEPS) \
- $(SS_DEPS) std_rqs.c
Copied: branches/mkey_migrate/src/util/ss/deps (from rev 21721, trunk/src/util/ss/deps)
Modified: branches/mkey_migrate/src/util/ss/execute_cmd.c
===================================================================
--- branches/mkey_migrate/src/util/ss/execute_cmd.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/ss/execute_cmd.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -27,19 +27,7 @@
* Has been replaced by a macro.
*/
-#ifdef __SABER__
-/* sigh. saber won't deal with pointer-to-const-struct */
-static struct _ss_request_entry * get_request (tbl, idx)
- ss_request_table * tbl;
- int idx;
-{
- struct _ss_request_table *tbl1 = (struct _ss_request_table *) tbl;
- struct _ss_request_entry *e = (struct _ss_request_entry *) tbl1->requests;
- return e + idx;
-}
-#else
#define get_request(tbl,idx) ((tbl) -> requests + (idx))
-#endif
/*
* check_request_table(rqtbl, argc, argv, sci_idx)
@@ -69,11 +57,7 @@
char *argv[];
int sci_idx;
{
-#ifdef __SABER__
- struct _ss_request_entry *request;
-#else
register ss_request_entry *request;
-#endif
register ss_data *info;
register char const * const * name;
char *string = argv[0];
Modified: branches/mkey_migrate/src/util/ss/help.c
===================================================================
--- branches/mkey_migrate/src/util/ss/help.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/ss/help.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -128,8 +128,7 @@
}
info->info_dirs = dirs;
dirs[n_dirs + 1] = (char *)NULL;
- dirs[n_dirs] = malloc((unsigned)strlen(info_dir)+1);
- strcpy(dirs[n_dirs], info_dir);
+ dirs[n_dirs] = strdup(info_dir);
*code_ptr = 0;
}
Modified: branches/mkey_migrate/src/util/ss/utils.c
===================================================================
--- branches/mkey_migrate/src/util/ss/utils.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/ss/utils.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -56,26 +56,11 @@
char const *cmds;
int options;
{
- int size;
- char *string, *var_name, numbuf[16];
+ char *string, *var_name;
var_name = generate_cmds_string(cmds);
generate_function_definition(func_name);
- size = 6; /* " { " */
- size += strlen(var_name)+8; /* "quux, " */
- size += strlen(func_name)+8; /* "foo, " */
- size += strlen(info_string)+8; /* "\"Info!\", " */
- sprintf(numbuf, "%d", options);
- size += strlen(numbuf)+5; /* " }," + NL + NUL */
- string = malloc(size);
- strcpy(string, " { ");
- strcat(string, var_name);
- strcat(string, ",\n ");
- strcat(string, func_name);
- strcat(string, ",\n ");
- strcat(string, info_string);
- strcat(string, ",\n ");
- strcat(string, numbuf);
- strcat(string, " },\n");
+ asprintf(&string, " { %s,\n %s,\n %s,\n %d },\n",
+ var_name, func_name, info_string, options);
return(string);
}
@@ -85,9 +70,8 @@
{
char *symbol;
- symbol = malloc((strlen(name)+6) * sizeof(char));
gensym_n++;
- sprintf(symbol, "%s%05ld", name, gensym_n);
+ asprintf(&symbol, "%s%05ld", name, gensym_n);
return(symbol);
}
@@ -96,14 +80,8 @@
register char *a, *b, *c;
{
char *result;
- int size_a = strlen(a);
- int size_b = strlen(b);
- int size_c = strlen(c);
- result = malloc((size_a + size_b + size_c + 2)*sizeof(char));
- strcpy(result, a);
- strcpy(&result[size_a], c);
- strcpy(&result[size_a+size_c], b);
+ asprintf(&result, "%s%s%s", a, c, b);
return(result);
}
@@ -112,13 +90,8 @@
register char *string;
{
register char *result;
- int len;
- len = strlen(string)+1;
- result = malloc(len+2);
- result[0] = '"';
- strncpy(&result[1], string, len-1);
- result[len] = '"';
- result[len+1] = '\0';
+
+ asprintf(&result, "\"%s\"", string);
return(result);
}
Modified: branches/mkey_migrate/src/util/support/Makefile.in
===================================================================
--- branches/mkey_migrate/src/util/support/Makefile.in 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/Makefile.in 2009-01-10 01:06:45 UTC (rev 21722)
@@ -30,13 +30,24 @@
##DOS##MKSTEMP_ST_OBJ= mkstemp.o
##DOS##MKSTEMP_OBJ= $(OUTPRE)mkstemp.$(OBJEXT)
+STRLCPY_ST_OBJ=@STRLCPY_ST_OBJ@
+STRLCPY_OBJ=@STRLCPY_OBJ@
+
+PRINTF_ST_OBJ= @PRINTF_ST_OBJ@
+PRINTF_OBJ= @PRINTF_OBJ@
+
STLIBOBJS= \
threads.o \
init-addrinfo.o \
plugins.o \
errors.o \
+ k5buf.o \
gmt_mktime.o \
fake-addrinfo.o \
+ utf8.o \
+ utf8_conv.o \
+ $(STRLCPY_ST_OBJ) \
+ $(PRINTF_ST_OBJ) \
$(MKSTEMP_ST_OBJ)
LIBOBJS= \
@@ -44,8 +55,13 @@
$(OUTPRE)init-addrinfo.$(OBJEXT) \
$(OUTPRE)plugins.$(OBJEXT) \
$(OUTPRE)errors.$(OBJEXT) \
+ $(OUTPRE)k5buf.$(OBJEXT) \
$(OUTPRE)gmt_mktime.$(OBJEXT) \
$(OUTPRE)fake-addrinfo.$(OBJEXT) \
+ $(OUTPRE)utf8.$(OBJEXT) \
+ $(OUTPRE)utf8_conv.$(OBJEXT) \
+ $(STRLCPY_OBJ) \
+ $(PRINTF_OBJ) \
$(MKSTEMP_OBJ)
STOBJLISTS=OBJS.ST
@@ -58,9 +74,15 @@
$(srcdir)/threads.c \
$(srcdir)/init-addrinfo.c \
$(srcdir)/errors.c \
+ $(srcdir)/k5buf.c \
$(srcdir)/gmt_mktime.c \
$(srcdir)/fake-addrinfo.c \
- $(srcdir)/mkstemp.c
+ $(srcdir)/utf8.c \
+ $(srcdir)/utf8_conv.c \
+ $(srcdir)/strlcpy.c \
+ $(srcdir)/printf.c \
+ $(srcdir)/mkstemp.c \
+ $(srcdir)/t_k5buf.c
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@@ -105,35 +127,19 @@
##DOS## $(RM) libkrb5support.exports
##DOS## $(MV) new-exports libkrb5support.exports
+T_K5BUF_OBJS= t_k5buf.o k5buf.o $(PRINTF_ST_OBJ)
+
+t_k5buf: $(T_K5BUF_OBJS)
+ $(CC_LINK) -o t_k5buf $(T_K5BUF_OBJS)
+
+TEST_PROGS= t_k5buf
+
+check-unix:: $(TEST_PROGS)
+ ./t_k5buf
+
+clean::
+ $(RM) t_k5buf.o t_k5buf
+
@lib_frag@
@libobj_frag@
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-threads.so threads.po $(OUTPRE)threads.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cache-addrinfo.h supp-int.h \
- threads.c
-init-addrinfo.so init-addrinfo.po $(OUTPRE)init-addrinfo.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cache-addrinfo.h init-addrinfo.c
-errors.so errors.po $(OUTPRE)errors.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h errors.c supp-int.h
-gmt_mktime.so gmt_mktime.po $(OUTPRE)gmt_mktime.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-gmt_mktime.h \
- gmt_mktime.c
-fake-addrinfo.so fake-addrinfo.po $(OUTPRE)fake-addrinfo.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- cache-addrinfo.h fake-addrinfo.c supp-int.h
-mkstemp.so mkstemp.po $(OUTPRE)mkstemp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
- mkstemp.c
Copied: branches/mkey_migrate/src/util/support/deps (from rev 21721, trunk/src/util/support/deps)
Modified: branches/mkey_migrate/src/util/support/errors.c
===================================================================
--- branches/mkey_migrate/src/util/support/errors.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/errors.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -11,6 +11,10 @@
#include "k5-platform.h"
#include "supp-int.h"
+#ifdef USE_KIM
+#include "kim_string_private.h"
+#endif
+
/* It would be nice to just use error_message() always. Pity that
it's defined in a library that depends on this one, and we're not
allowed to make circular dependencies. */
@@ -43,27 +47,45 @@
krb5int_vset_error (struct errinfo *ep, long code,
const char *fmt, va_list args)
{
- char *p;
+ va_list args2;
char *str = NULL;
- va_list args2;
-
- if (ep->msg && ep->msg != ep->scratch_buf) {
- free (ep->msg);
- ep->msg = NULL;
+ const char *loc_fmt = NULL;
+
+#ifdef USE_KIM
+ /* Try to localize the format string */
+ if (kim_os_string_create_localized(&loc_fmt, fmt) != KIM_NO_ERROR) {
+ loc_fmt = fmt;
}
- ep->code = code;
+#else
+ loc_fmt = fmt;
+#endif
+
+ /* try vasprintf first */
va_copy(args2, args);
- if (vasprintf(&str, fmt, args2) >= 0 && str != NULL) {
- va_end(args2);
- ep->msg = str;
- return;
+ if (vasprintf(&str, loc_fmt, args2) < 0) {
+ str = NULL;
}
va_end(args2);
- /* Allocation failure? */
- vsnprintf(ep->scratch_buf, sizeof(ep->scratch_buf), fmt, args);
- /* Try again, just in case. */
- p = strdup(ep->scratch_buf);
- ep->msg = p ? p : ep->scratch_buf;
+
+ /* If that failed, try using scratch_buf */
+ if (str == NULL) {
+ vsnprintf(ep->scratch_buf, sizeof(ep->scratch_buf), loc_fmt, args);
+ str = strdup(ep->scratch_buf); /* try allocating again */
+ }
+
+ /* free old string before setting new one */
+ if (ep->msg && ep->msg != ep->scratch_buf) {
+ free ((char *) ep->msg);
+ ep->msg = NULL;
+ }
+ ep->code = code;
+ ep->msg = str ? str : ep->scratch_buf;
+
+#ifdef USE_KIM
+ if (loc_fmt != fmt) { kim_string_free(&loc_fmt); }
+#else
+ if (loc_fmt != fmt) { free((char *) loc_fmt); }
+#endif
}
const char *
@@ -73,7 +95,8 @@
if (code == ep->code && ep->msg) {
r = strdup(ep->msg);
if (r == NULL) {
- strcpy(ep->scratch_buf, _("Out of memory"));
+ strlcpy(ep->scratch_buf, _("Out of memory"),
+ sizeof(ep->scratch_buf));
r = ep->scratch_buf;
}
return r;
@@ -130,7 +153,8 @@
unlock();
goto format_number;
}
- r2 = strdup (r);
+
+ r2 = strdup(r);
if (r2 == NULL) {
strncpy(ep->scratch_buf, r, sizeof(ep->scratch_buf));
unlock();
Modified: branches/mkey_migrate/src/util/support/fake-addrinfo.c
===================================================================
--- branches/mkey_migrate/src/util/support/fake-addrinfo.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/fake-addrinfo.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -102,7 +102,7 @@
#include "k5-thread.h"
#include "supp-int.h"
-#include <stdio.h> /* for sprintf */
+#include <stdio.h>
#include <errno.h>
#define IMPLEMENT_FAKE_GETADDRINFO
@@ -354,7 +354,7 @@
#if (!defined (HAVE_GETADDRINFO) || defined (WRAP_GETADDRINFO)) && defined(DEBUG_ADDRINFO)
/* Some debug routines. */
-static const char *protoname (int p, char *buf) {
+static const char *protoname (int p, char *buf, size_t bufsize) {
#define X(N) if (p == IPPROTO_ ## N) return #N
X(TCP);
@@ -373,11 +373,11 @@
X(IGMP);
#endif
- sprintf(buf, " %-2d", p);
+ snprintf(buf, bufsize, " %-2d", p);
return buf;
}
-static const char *socktypename (int t, char *buf) {
+static const char *socktypename (int t, char *buf, size_t bufsize) {
switch (t) {
case SOCK_DGRAM: return "DGRAM";
case SOCK_STREAM: return "STREAM";
@@ -385,14 +385,14 @@
case SOCK_RDM: return "RDM";
case SOCK_SEQPACKET: return "SEQPACKET";
}
- sprintf(buf, " %-2d", t);
+ snprintf(buf, bufsize, " %-2d", t);
return buf;
}
-static const char *familyname (int f, char *buf) {
+static const char *familyname (int f, char *buf, size_t bufsize) {
switch (f) {
default:
- sprintf(buf, "AF %d", f);
+ snprintf(buf, bufsize, "AF %d", f);
return buf;
case AF_INET: return "AF_INET";
case AF_INET6: return "AF_INET6";
@@ -422,11 +422,14 @@
if (sep[0] == 0)
fprintf(stderr, "no-flags");
if (hint->ai_family)
- fprintf(stderr, " %s", familyname(hint->ai_family, buf));
+ fprintf(stderr, " %s", familyname(hint->ai_family, buf,
+ sizeof(buf)));
if (hint->ai_socktype)
- fprintf(stderr, " SOCK_%s", socktypename(hint->ai_socktype, buf));
+ fprintf(stderr, " SOCK_%s", socktypename(hint->ai_socktype, buf,
+ sizeof(buf)));
if (hint->ai_protocol)
- fprintf(stderr, " IPPROTO_%s", protoname(hint->ai_protocol, buf));
+ fprintf(stderr, " IPPROTO_%s", protoname(hint->ai_protocol, buf,
+ sizeof(buf)));
} else
fprintf(stderr, "(null)");
fprintf(stderr, " }):\n");
@@ -444,11 +447,13 @@
fprintf(stderr, "addrinfos returned:\n");
while (ai) {
fprintf(stderr, "%p...", ai);
- fprintf(stderr, " socktype=%s", socktypename(ai->ai_socktype, buf));
- fprintf(stderr, " ai_family=%s", familyname(ai->ai_family, buf));
+ fprintf(stderr, " socktype=%s", socktypename(ai->ai_socktype, buf,
+ sizeof(buf)));
+ fprintf(stderr, " ai_family=%s", familyname(ai->ai_family, buf,
+ sizeof(buf)));
if (ai->ai_family != ai->ai_addr->sa_family)
fprintf(stderr, " sa_family=%s",
- familyname(ai->ai_addr->sa_family, buf));
+ familyname(ai->ai_addr->sa_family, buf, sizeof(buf)));
fprintf(stderr, "\n");
ai = ai->ai_next;
count++;
@@ -960,7 +965,8 @@
char tmpbuf[20];
numeric_host:
uc = (const unsigned char *) &sinp->sin_addr;
- sprintf(tmpbuf, "%d.%d.%d.%d", uc[0], uc[1], uc[2], uc[3]);
+ snprintf(tmpbuf, sizeof(tmpbuf), "%d.%d.%d.%d",
+ uc[0], uc[1], uc[2], uc[3]);
strncpy(host, tmpbuf, hlen);
#else
char *p;
@@ -996,7 +1002,7 @@
port = ntohs (sinp->sin_port);
if (port < 0 || port > 65535)
return EAI_FAIL;
- sprintf (numbuf, "%d", port);
+ snprintf (numbuf, sizeof(numbuf), "%d", port);
strncpy (service, numbuf, slen);
} else {
int serr;
Modified: branches/mkey_migrate/src/util/support/init-addrinfo.c
===================================================================
--- branches/mkey_migrate/src/util/support/init-addrinfo.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/init-addrinfo.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -50,7 +50,7 @@
#include "k5-platform.h"
#include "k5-thread.h"
-#include <stdio.h> /* for sprintf */
+#include <stdio.h>
#include <errno.h>
#define IMPLEMENT_FAKE_GETADDRINFO
Copied: branches/mkey_migrate/src/util/support/k5buf-int.h (from rev 21721, trunk/src/util/support/k5buf-int.h)
Copied: branches/mkey_migrate/src/util/support/k5buf.c (from rev 21721, trunk/src/util/support/k5buf.c)
Modified: branches/mkey_migrate/src/util/support/libkrb5support-fixed.exports
===================================================================
--- branches/mkey_migrate/src/util/support/libkrb5support-fixed.exports 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/libkrb5support-fixed.exports 2009-01-10 01:06:45 UTC (rev 21722)
@@ -29,3 +29,20 @@
krb5int_clear_error
krb5int_set_error_info_callout_fn
krb5int_gmt_mktime
+krb5int_buf_init_fixed
+krb5int_buf_init_dynamic
+krb5int_buf_add
+krb5int_buf_add_len
+krb5int_buf_add_fmt
+krb5int_buf_truncate
+krb5int_buf_data
+krb5int_buf_len
+krb5int_free_buf
+krb5int_utf8cs_to_ucs2les
+krb5int_utf8s_to_ucs2les
+krb5int_ucs2lecs_to_utf8s
+krb5int_ucs4_to_utf8
+krb5int_utf8_to_ucs4
+krb5int_utf8_lentab
+krb5int_utf8_mintab
+krb5int_utf8_next
Modified: branches/mkey_migrate/src/util/support/plugins.c
===================================================================
--- branches/mkey_migrate/src/util/support/plugins.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/util/support/plugins.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -453,12 +453,12 @@
}
static long
-krb5int_plugin_file_handle_array_add (struct plugin_file_handle ***harray, int *count,
+krb5int_plugin_file_handle_array_add (struct plugin_file_handle ***harray, size_t *count,
struct plugin_file_handle *p)
{
long err = 0;
struct plugin_file_handle **newharray = NULL;
- int newcount = *count + 1;
+ size_t newcount = *count + 1;
newharray = realloc (*harray, ((newcount + 1) * sizeof (**harray))); /* +1 for NULL */
if (newharray == NULL) {
@@ -528,7 +528,7 @@
}
if (!err) {
- int j;
+ size_t j;
for (i = 0; !err && filebases[i]; i++) {
for (j = 0; !err && fileexts[j]; j++) {
if (asprintf(&tempnames[(i*exts_count)+j], "%s%s",
@@ -564,7 +564,7 @@
{
long err = 0;
struct plugin_file_handle **h = NULL;
- int count = 0;
+ size_t count = 0;
char **filenames = NULL;
int i;
@@ -683,7 +683,7 @@
{
long err = 0;
void **p = NULL;
- int count = 0;
+ size_t count = 0;
/* XXX Do we need to add a leading "_" to the symbol name on any
modern platforms? */
@@ -742,7 +742,7 @@
{
long err = 0;
void (**p)() = NULL;
- int count = 0;
+ size_t count = 0;
/* XXX Do we need to add a leading "_" to the symbol name on any
modern platforms? */
Copied: branches/mkey_migrate/src/util/support/printf.c (from rev 21721, trunk/src/util/support/printf.c)
Copied: branches/mkey_migrate/src/util/support/strlcpy.c (from rev 21721, trunk/src/util/support/strlcpy.c)
Copied: branches/mkey_migrate/src/util/support/t_k5buf.c (from rev 21721, trunk/src/util/support/t_k5buf.c)
Copied: branches/mkey_migrate/src/util/support/utf8.c (from rev 21721, trunk/src/util/support/utf8.c)
Copied: branches/mkey_migrate/src/util/support/utf8_conv.c (from rev 21721, trunk/src/util/support/utf8_conv.c)
Modified: branches/mkey_migrate/src/wconfig.c
===================================================================
--- branches/mkey_migrate/src/wconfig.c 2009-01-09 20:11:57 UTC (rev 21721)
+++ branches/mkey_migrate/src/wconfig.c 2009-01-10 01:06:45 UTC (rev 21722)
@@ -57,9 +57,10 @@
{
char *ignore_str = "--ignore=";
int ignore_len;
- char *cp, tmp[80];
+ char *cp, *tmp;
char *win_flag;
char wflags[1024];
+ size_t wlen, alen;
#ifdef _WIN32
win_flag = win32_flag;
@@ -67,21 +68,22 @@
win_flag = "UNIX##";
#endif
- wflags[0] = 0;
+ wlen = 0;
ignore_len = strlen(ignore_str);
argc--; argv++;
while (*argv && *argv[0] == '-') {
- wflags[sizeof(wflags) - 1] = '\0';
- if (strlen (wflags) + 1 + strlen (*argv) > sizeof (wflags) - 1) {
+ alen = strlen(*argv);
+ if (wlen + 1 + alen > sizeof (wflags) - 1) {
fprintf (stderr,
- "wconfig: argument list too long (internal limit %d)",
- sizeof (wflags));
+ "wconfig: argument list too long (internal limit %lu)",
+ (unsigned long) sizeof (wflags));
exit (1);
}
- if (wflags[0])
- strcat(wflags, " ");
- strcat(wflags, *argv);
+ if (wlen > 0)
+ wflags[wlen++] = ' ';
+ memcpy(&wflags[wlen], *argv, alen);
+ wlen += alen;
if (!strcmp(*argv, "--mit")) {
mit_specific = 1;
@@ -99,19 +101,19 @@
continue;
}
if (!strncmp(*argv, "--enable-", 9)) {
- sprintf(tmp, "%s##", (*argv)+ignore_len);
+ tmp = malloc(alen - ignore_len + 3);
+ if (!tmp) {
+ fprintf(stderr,
+ "wconfig: malloc failed!\n");
+ exit(1);
+ }
+ memcpy(tmp, *argv + ignore_len, alen - ignore_len);
+ memcpy(tmp + alen - ignore_len, "##", 3);
for (cp = tmp; *cp; cp++) {
if (islower(*cp))
*cp = toupper(*cp);
}
- cp = malloc(strlen(tmp)+1);
- if (!cp) {
- fprintf(stderr,
- "wconfig: malloc failed!\n");
- exit(1);
- }
- strcpy(cp, tmp);
- add_ignore_list(cp);
+ add_ignore_list(tmp);
argc--; argv++;
continue;
}
@@ -123,6 +125,7 @@
fprintf(stderr, "Invalid option: %s\n", *argv);
exit(1);
}
+ wflags[wlen] = '\0';
if (win_flag)
add_ignore_list(win_flag);
@@ -175,16 +178,25 @@
FILE *fin;
char buf[1024];
char **cpp, *ptr;
- int len;
+ size_t len, plen, flen;
if (strcmp(fname, "-") == 0) {
fin = stdin;
} else {
+ plen = strlen(path);
+ flen = strlen(fname);
+ if (plen + 1 + flen > sizeof(buf) - 1) {
+ fprintf(stderr, "Name %s or %s too long", path, fname);
+ return 1;
+ }
+ memcpy(buf, path, plen);
#ifdef _WIN32
- sprintf(buf, "%s\\%s", path, fname);
+ buf[plen] = '\\';
#else
- sprintf(buf, "%s/%s", path, fname);
+ buf[plen] = '/';
#endif
+ memcpy(buf + plen + 1, fname, flen);
+ buf[plen + 1 + flen] = '\0';
fin = fopen (buf, "r"); /* File to read */
if (fin == NULL) {
fprintf(stderr, "wconfig: Can't open file %s\n", buf);
Property changes on: branches/mkey_migrate
___________________________________________________________________
Name: svk:merge
- 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:21526
304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936
dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199
dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581
f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837
+ 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22385
304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927
7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936
dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199
dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581
f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837
Property changes on: branches/mkey_migrate/src
___________________________________________________________________
Name: svn:ignore
- kerbsrc.zip
kerbsrc.mac.tar
kerbsrc-nt.zip
config.cache
krb5-config
krb5-stamp-h
configure
autom4te.cache
Makefile
config.log
config.status
+ kerbsrc.zip
kerbsrc.mac.tar
kerbsrc-nt.zip
config.cache
krb5-config
krb5-stamp-h
configure
autom4te.cache
Makefile
config.log
config.status
config.status.lineno
Property changes on: branches/mkey_migrate/src/appl/bsd
___________________________________________________________________
Name: svn:ignore
- rsh
rcp
rlogin
kshd
klogind
login.krb5
v4rcp
configure
autom4te.cache
Makefile
config.status
config.log
+ rsh
rcp
rlogin
kshd
klogind
login.krb5
v4rcp
configure
autom4te.cache
Makefile
config.status
config.status.lineno
config.log
Property changes on: branches/mkey_migrate/src/appl/gssftp
___________________________________________________________________
Name: svn:ignore
- configure
autom4te.cache
Makefile
config.status
config.log
+ configure
autom4te.cache
Makefile
config.status
config.status.lineno
config.log
Copied: branches/mkey_migrate/src/appl/gssftp/deps (from rev 21721, trunk/src/appl/gssftp/deps)
Property changes on: branches/mkey_migrate/src/appl/libpty
___________________________________________________________________
Name: svn:ignore
- pty_err.h
pty_err.c
configure
autom4te.cache
Makefile
config.status
config.log
OBJS.*
*.a
+ pty_err.h
pty_err.c
configure
autom4te.cache
Makefile
config.status
config.status.lineno
config.log
OBJS.*
*.a
Property changes on: branches/mkey_migrate/src/appl/telnet
___________________________________________________________________
Name: svn:ignore
- configure
autom4te.cache
Makefile
config.status
config.log
+ configure
autom4te.cache
Makefile
config.status
config.status.lineno
config.log
Property changes on: branches/mkey_migrate/src/kadmin/passwd/unit-test
___________________________________________________________________
Name: svn:ignore
- Makefile
+ kpasswd.sum
dbg.log
kpasswd.log
Makefile
Copied: branches/mkey_migrate/src/kadmin/passwd/unit-test/deps (from rev 21721, trunk/src/kadmin/passwd/unit-test/deps)
Property changes on: branches/mkey_migrate/src/kadmin/testing
___________________________________________________________________
Name: svn:ignore
- krb5-test-root
kdc_rcache.*
rc_kadmin_*
rc_ovsec-137adm_*
Makefile
+ admin_*
init-*
kadmin_*
krb5-test-root
kdc_rcache.*
ovsec-*
rc_kadmin_*
rc_ovsec-137adm_*
Makefile
Copied: branches/mkey_migrate/src/kadmin/testing/deps (from rev 21721, trunk/src/kadmin/testing/deps)
Copied: branches/mkey_migrate/src/kadmin/testing/scripts/deps (from rev 21721, trunk/src/kadmin/testing/scripts/deps)
Property changes on: branches/mkey_migrate/src/lib/krb5/ccache
___________________________________________________________________
Name: svn:ignore
- t_cc
Makefile
*.so
OBJS.*
+ t_cc
t_cccursor
Makefile
*.so
OBJS.*
Property changes on: branches/mkey_migrate/src/lib/krb5/keytab
___________________________________________________________________
Name: svn:ignore
- Makefile
*.so
OBJS.*
+ Makefile
*.so
OBJS.*
t_keytab
Property changes on: branches/mkey_migrate/src/plugins/authdata/greet
___________________________________________________________________
Name: svn:ignore
+ Makefile
Property changes on: branches/mkey_migrate/src/plugins/preauth/pkinit
___________________________________________________________________
Name: svn:ignore
+ *.so
binutils.versions
OBJS.SH
Makefile
Property changes on: branches/mkey_migrate/src/slave
___________________________________________________________________
Name: svn:ignore
- kprop
kpropd
Makefile
+ kprop
kpropd
kproplog
Makefile
Property changes on: branches/mkey_migrate/src/tests
___________________________________________________________________
Name: svn:ignore
- kdc.conf
configure
autom4te.cache
Makefile
config.status
config.log
+ kdc.conf
krb5.conf
configure
autom4te.cache
Makefile
config.status
config.log
Property changes on: branches/mkey_migrate/src/tests/asn.1
___________________________________________________________________
Name: svn:ignore
- krb5_encode_test
krb5_decode_test
trval
Makefile
t_trval
+ krb5_encode_test
krb5_decode_test
trval
Makefile
t_trval
expected_trval.out
expected_encode.out
test.out
trval.out
Property changes on: branches/mkey_migrate/src/tests/dejagnu
___________________________________________________________________
Name: svn:ignore
- t_inetd
runenv.vars
runenv.vals
site.exp
tmpdir
Makefile
+ t_inetd
runenv.vars
runenv.vals
site.exp
tmpdir
krb.sum
krb.log
dbg.log
Makefile
Property changes on: branches/mkey_migrate/src/tests/misc
___________________________________________________________________
Name: svn:ignore
- Makefile
test_getpw
+ Makefile
test_getpw
test_cxx_krb5
test_cxx_rpc
test_cxx_gss
Property changes on: branches/mkey_migrate/src/tests/mkeystash_compat
___________________________________________________________________
Name: svn:ignore
+ Makefile
kdc.conf
krb5.conf
bigendian
Property changes on: branches/mkey_migrate/src/util/collected-client-lib
___________________________________________________________________
Name: svn:ignore
+ Makefile
Property changes on: branches/mkey_migrate/src/util/support
___________________________________________________________________
Name: svn:ignore
- Makefile
*.so
OBJS.*
lib*.so.*
binutils.versions
libkrb5support.exports
+ Makefile
*.so
OBJS.*
lib*.so.*
binutils.versions
libkrb5support.exports
t_k5buf
More information about the cvs-krb5
mailing list