#include <getarg.h>
#include <parse_bytes.h>
-RCSID("$Id$");
-
krb5_error_code
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
{
#include <windc_plugin.h>
#undef ALLOC
-#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
+#define ALLOC(X) ((X) = calloc(1, sizeof(*(X))))
#undef ALLOC_SEQ
#define ALLOC_SEQ(X, N) do { (X)->len = (N); \
(X)->val = calloc((X)->len, sizeof(*(X)->val)); } while(0)
config->v4_realm, &sname,
&sinstance, &ad);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
- "kaserver: decomp failed for %s.%s with %d",
- sname, sinstance, ret);
+ "kaserver: decomp failed for %s.%s with %s %d",
+ msg, sname, sinstance, ret);
+ krb5_free_error_message(context, msg);
make_error_reply (hdr, KABADTICKET, reply);
goto out;
}
#include "kdc_locl.h"
-RCSID("$Id$");
-
#define MAX_TIME ((time_t)((1U << 31) - 1))
void
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION;
+ e_text = "Bad KDC options";
kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
goto out;
}
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
+ e_text = "Ticket may not be forwardable";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be forwardable -- %s", client_name);
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
+ e_text = "Ticket may not be proxiable";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be proxiable -- %s", client_name);
if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
+ e_text = "Ticket may not be postdate";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be postdatable -- %s", client_name);
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
+ e_text = "Bad address list in requested";
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0,
"Bad address list requested -- %s", client_name);
&et);
if (ret)
goto out;
+
} else
#endif
{
#include "kdc_locl.h"
-RCSID("$Id$");
-
/*
* return the realm of a krbtgt-ticket or NULL
*/
*/
#include "kdc_locl.h"
-RCSID("$Id$");
void
kdc_openlog(krb5_context context,
#include "kdc_locl.h"
-RCSID("$Id$");
-
struct timeval _kdc_now;
krb5_error_code
#include "kdc_locl.h"
-RCSID("$Id$");
-
#ifdef PKINIT
#include <heim_asn1.h>
#include "kdc_locl.h"
-RCSID("$Id$");
-
static krb5plugin_windc_ftable *windcft;
static void *windcctx;
#include <Security/Security.h>
#endif
-#ifndef HEIMDAL_SMALLER
-#include "krb5-v4compat.h"
-#endif
-
struct krb5_dh_moduli;
struct AlgorithmIdentifier;
struct _krb5_krb_auth_data;
int use_keytab = 0;
char *keytab_str = NULL;
int do_afslog = -1;
-#ifndef HEIMDAL_SMALLER
-int get_v4_tgt = -1;
-int convert_524 = 0;
-static char *krb4_cc_name;
-#endif
int fcache_version;
char *password_file = NULL;
char *pk_user_id = NULL;
* P: ~p
* C: v4 cache name?
* 5:
+ *
+ * old flags
+ * 4:
+ * 9:
*/
-#ifndef HEIMDAL_SMALLER
- { "524init", '4', arg_flag, &get_v4_tgt,
- NP_("obtain version 4 TGT", "") },
-
- { "524convert", '9', arg_flag, &convert_524,
- NP_("only convert ticket to version 4", "") },
-#endif
{ "afslog", 0 , arg_flag, &do_afslog,
NP_("obtain afs tokens", "") },
KRB5_TGS_NAME, realm, NULL);
}
-#ifndef HEIMDAL_SMALLER
-
-static krb5_error_code
-do_524init(krb5_context context, krb5_ccache ccache,
- krb5_creds *creds, const char *server)
-{
- krb5_error_code ret;
-
- struct credentials c;
- krb5_creds in_creds, *real_creds;
-
- if(creds != NULL)
- real_creds = creds;
- else {
- krb5_principal client;
- ret = krb5_cc_get_principal(context, ccache, &client);
- if (ret) {
- krb5_warn(context, ret, "524init: can't get client principal");
- return ret;
- }
- memset(&in_creds, 0, sizeof(in_creds));
- ret = get_server(context, client, server, &in_creds.server);
- if(ret) {
- krb5_warn(context, ret, "524init: can't get server principal");
- krb5_free_principal(context, client);
- return ret;
- }
- in_creds.client = client;
- ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
- krb5_free_principal(context, client);
- krb5_free_principal(context, in_creds.server);
- if(ret)
- return ret;
- }
- ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c);
- if(ret)
- krb5_warn(context, ret, "converting creds");
- else {
- krb5_error_code tret = _krb5_krb_tf_setup(context, &c, NULL, 0);
- if(tret)
- krb5_warn(context, tret, "saving v4 creds");
- }
-
- if(creds == NULL)
- krb5_free_creds(context, real_creds);
- memset(&c, 0, sizeof(c));
-
- return ret;
-}
-
-#endif
-
static int
renew_validate(krb5_context context,
int renew,
if(ret == 0 && server == NULL) {
/* only do this if it's a general renew-my-tgt request */
-#ifndef HEIMDAL_SMALLER
- if(get_v4_tgt)
- do_524init(context, cache, out, NULL);
-#endif
#ifndef NO_AFS
if(do_afslog && k_hasafs())
krb5_afslog(context, cache, NULL, NULL);
get_new_tickets(ctx->context, ctx->principal,
ctx->ccache, ctx->ticket_life, 0);
-#ifndef HEIMDAL_SMALLER
- if(get_v4_tgt || convert_524)
- do_524init(ctx->context, ctx->ccache, NULL, server_str);
-#endif
#ifndef NO_AFS
if(do_afslog && k_hasafs())
krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"renewable", FALSE, &renewable_flag);
-#ifndef HEIMDAL_SMALLER
- if(get_v4_tgt == -1)
- krb5_appdefault_boolean(context, "kinit",
- krb5_principal_get_realm(context, principal),
- "krb4_get_tickets", FALSE, &get_v4_tgt);
-#endif
if(do_afslog == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
-#ifndef HEIMDAL_SMALLER
- if (get_v4_tgt) {
- int fd;
- if (asprintf(&krb4_cc_name, "%s_XXXXXX", TKT_ROOT) < 0)
- krb5_errx(context, 1, "out of memory");
- if((fd = mkstemp(krb4_cc_name)) >= 0) {
- close(fd);
- setenv("KRBTKFILE", krb4_cc_name, 1);
- } else {
- free(krb4_cc_name);
- krb4_cc_name = NULL;
- }
- }
-#endif
} else {
ret = krb5_cc_cache_match(context, principal, &ccache);
if (ret) {
exit(ret != 0);
}
-#ifndef HEIMDAL_SMALLER
- if(!convert_524)
-#endif
- get_new_tickets(context, principal, ccache, ticket_life, 1);
+ get_new_tickets(context, principal, ccache, ticket_life, 1);
-#ifndef HEIMDAL_SMALLER
- if(get_v4_tgt || convert_524)
- do_524init(context, ccache, NULL, server_str);
-#endif
#ifndef NO_AFS
if(do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
-#ifndef HEIMDAL_SMALLER
- _krb5_krb_dest_tkt(context, krb4_cc_name);
-#endif
#ifndef NO_AFS
if(k_hasafs())
k_unlog();
KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
KRB5-AUTHDATA-WIN2K-PAC(128),
KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
- KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
- KRB5-AUTHDATA-SIGNTICKET(142)
+ KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
+ KRB5-AUTHDATA-SIGNTICKET-OLD(142),
+ KRB5-AUTHDATA-SIGNTICKET(512)
}
-- checksumtypes
int * /*qop_state*/
);
-/*
+/**
*
*/
OM_uint32 GSSAPI_LIB_FUNCTION
-gss_encapsulate_token(gss_buffer_t /* input_token */,
- gss_OID /* oid */,
+gss_encapsulate_token(const gss_buffer_t /* input_token */,
+ const gss_OID /* oid */,
gss_buffer_t /* output_token */);
OM_uint32 GSSAPI_LIB_FUNCTION
-gss_decapsulate_token(gss_buffer_t /* input_token */,
- gss_OID /* oid */,
+gss_decapsulate_token(const gss_buffer_t /* input_token */,
+ const gss_OID /* oid */,
gss_buffer_t /* output_token */);
if (mech_ret_flags & GSS_C_DELEG_FLAG) {
if (!delegated_cred_handle) {
m->gm_release_cred(minor_status, &delegated_mc);
- if (ret_flags)
- *ret_flags &= ~GSS_C_DELEG_FLAG;
+ mech_ret_flags &=
+ ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
/*
* If the returned mech_type is not the same
#include "mech_locl.h"
OM_uint32 GSSAPI_LIB_FUNCTION
-gss_decapsulate_token(gss_buffer_t input_token,
- gss_OID oid,
+gss_decapsulate_token(const gss_buffer_t input_token,
+ const gss_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
#include "mech_locl.h"
OM_uint32 GSSAPI_LIB_FUNCTION
-gss_encapsulate_token(gss_buffer_t input_token,
- gss_OID oid,
+gss_encapsulate_token(const gss_buffer_t input_token,
+ const gss_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
return (GSS_S_COMPLETE);
}
+/**
+ * Import a name internal or mechanism name
+ *
+ * Type of name and their format:
+ * - GSS_C_NO_OID
+ * - GSS_C_NT_USER_NAME
+ * - GSS_C_NT_HOSTBASED_SERVICE
+ * - GSS_C_NT_EXPORT_NAME
+ * - GSS_C_NT_ANONYMOUS
+ * - GSS_KRB5_NT_PRINCIPAL_NAME
+ *
+ * For more information about @ref internalVSmechname.
+ *
+ * @param minor_status minor status code
+ * @param input_name_buffer import name buffer
+ * @param input_name_type type of the import name buffer
+ * @param output_name the resulting type, release with
+ * gss_release_name(), independent of input_name
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ * the error code.
+ *
+ * @ingroup gssapi
+ */
+
OM_uint32 GSSAPI_LIB_FUNCTION
gss_import_name(OM_uint32 *minor_status,
const gss_buffer_t input_name_buffer,
return GSS_C_NO_CREDENTIAL;
}
+/**
+ * As the initiator build a context with an acceptor.
+ *
+ * Returns in the major
+ * - GSS_S_COMPLETE - if the context if build
+ * - GSS_S_CONTINUE_NEEDED - if the caller needs to continue another
+ * round of gss_i nit_sec_context
+ * - error code - any other error code
+ *
+ * @param minor_status minor status code.
+ *
+ * @param context_handle a pointer to a context handle, will be
+ * returned as long as there is not an error.
+ *
+ * @param target_name the target name of acceptor, created using
+ * gss_import_name(). The name is can be of any name types the
+ * mechanism supports, check supported name types with
+ * gss_inquire_names_for_mech().
+ *
+ * @param input_mech_type mechanism type to use, if GSS_C_NO_OID is
+ * used, Kerberos (GSS_KRB5_MECHANISM) will be tried. Other
+ * available mechanism are listed in the @ref gssapi_mechs_intro
+ * section.
+ *
+ * @param req_flags flags using when building the context, see @ref
+ * gssapi_context_ flags
+ *
+ * @param time_req time requested this context should be valid in
+ * seconds, common used value is GSS_C_INDEFINITE
+ *
+ * @param input_chan_bindings Channel bindings used, if not exepected
+ * otherwise, used GSS_C_NO_CHANNEL_BINDINGS
+ *
+ * @param input_token input token sent from the acceptor, for the
+ * initial packet the buffer of { NULL, 0 } should be used.
+ *
+ * @param actual_mech_type the actual mech used, MUST NOT be freed
+ * since it pointing to static memory.
+ *
+ * @param output_token if there is an output token, regardless of
+ * complete, continue_needed, or error it should be sent to the
+ * acceptor
+ *
+ * @param ret_flags return what flags was negotitated, caller should
+ * check if they are accetable. For example, if
+ * GSS_C_MUTUAL_FLAG was negotiated with the acceptor or not.
+ *
+ * @param time_rec amount of time this context is valid for
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ * the error code.
+ *
+ * @ingroup gssapi
+ */
+
+
+
OM_uint32 GSSAPI_LIB_FUNCTION
gss_init_sec_context(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
#include "mech_locl.h"
+/**
+ * Free a name
+ *
+ * import_name can point to NULL or be NULL, or a pointer to a
+ * gss_name_t structure. If it was a pointer to gss_name_t, the
+ * pointer will be set to NULL on success and failure.
+ *
+ * @param minor_status minor status code
+ * @param input_name name to free
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ * the error code.
+ *
+ * @ingroup gssapi
+ */
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_name(OM_uint32 *minor_status,
gss_name_t *input_name)
ctx->buf = NULL;
}
if (ctx->opad) {
- memset(ctx->ipad, 0, ctx->key_length);
+ memset(ctx->opad, 0, EVP_MD_block_size(ctx->md));
free(ctx->opad);
ctx->opad = NULL;
}
if (ctx->ipad) {
- memset(ctx->ipad, 0, ctx->key_length);
+ memset(ctx->ipad, 0, EVP_MD_block_size(ctx->md));
free(ctx->ipad);
ctx->ipad = NULL;
}
* Unix /dev/random
*/
-static int
-get_device_fd(int flags)
+int
+_hc_unix_device_fd(int flags, char **fn)
{
static const char *rnd_devices[] = {
"/dev/urandom",
for(p = rnd_devices; *p; p++) {
int fd = open(*p, flags | O_NDELAY);
if(fd >= 0) {
+ if (fn)
+ *fn = *p;
rk_cloexec(fd);
return fd;
}
if (size <= 0)
return;
- fd = get_device_fd(O_WRONLY);
+ fd = _hc_unix_device_fd(O_WRONLY, NULL);
if (fd < 0)
return;
else if (size == 0)
return 1;
- fd = get_device_fd(O_RDONLY);
+ fd = _hc_unix_device_fd(O_RDONLY, NULL);
if (fd < 0)
return 0;
{
int fd;
- fd = get_device_fd(O_RDONLY);
+ fd = _hc_unix_device_fd(O_RDONLY, NULL);
if (fd < 0)
return 0;
close(fd);
const char *
RAND_file_name(char *filename, size_t size)
{
- const char *e = NULL;
+ char *e = NULL;
int pathp = 0, ret;
if (!issuid()) {
e = getenv("RANDFILE");
- if (e == NULL) {
+ if (e == NULL)
e = getenv("HOME");
- if (e)
- pathp = 1;
- }
+ if (e)
+ pathp = 1;
}
/*
* Here we really want to call getpwuid(getuid()) but this will
* cause recursive lookups if the nss library uses
* gssapi/krb5/hcrypto to authenticate to the ldap servers.
+ *
+ * So at least return the unix /dev/random if we have one
*/
+#ifndef _WIN32
+ if (e == NULL) {
+ int fd;
+ fd = _hc_unix_device_fd(O_RDONLY, &e);
+ if (fd >= 0)
+ close(fd);
+ }
+#endif
if (e == NULL)
return NULL;
extern const RAND_METHOD hc_rand_w32crypto_method;
const RAND_METHOD * RAND_timer_method(void);
+int _hc_unix_device_fd(int, char **);
#endif /* _HEIM_RANDI_H */
krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
/**
* Rename the data base.
+ *
+ * Assume that the database is not hdb_open'ed and not locked.
*/
krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
/**
}
static krb5_error_code
-NDBM_rename(krb5_context context, HDB *db, const char *new_name)
+open_lock_file(krb5_context context, const char *db_name, int *fd)
{
- /* XXX this function will break */
- struct ndbm_db *d = db->hdb_db;
+ char *lock_file;
+
+ /* lock old and new databases */
+ asprintf(&lock_file, "%s.lock", db_name);
+ if(lock_file == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ *fd = open(lock_file, O_RDWR | O_CREAT, 0600);
+ free(lock_file);
+ if(*fd < 0) {
+ int ret = errno;
+ krb5_set_error_message(context, ret, "open(%s): %s", lock_file,
+ strerror(ret));
+ return ret;
+ }
+ return 0;
+}
+
+static krb5_error_code
+NDBM_rename(krb5_context context, HDB *db, const char *new_name)
+{
int ret;
char *old_dir, *old_pag, *new_dir, *new_pag;
- char *new_lock;
- int lock_fd;
+ int old_lock_fd, new_lock_fd;
/* lock old and new databases */
- ret = db->hdb_lock(context, db, HDB_WLOCK);
- if(ret)
+ ret = open_lock_file(context, db->hdb_name, &old_lock_fd);
+ if (ret)
+ return ret;
+
+ ret = hdb_lock(old_lock_fd, HDB_WLOCK);
+ if(ret) {
+ close(old_lock_fd);
return ret;
- asprintf(&new_lock, "%s.lock", new_name);
- if(new_lock == NULL) {
- db->hdb_unlock(context, db);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
}
- lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600);
- if(lock_fd < 0) {
- ret = errno;
- db->hdb_unlock(context, db);
- krb5_set_error_message(context, ret, "open(%s): %s", new_lock,
- strerror(ret));
- free(new_lock);
+
+ ret = open_lock_file(context, new_name, &new_lock_fd);
+ if (ret) {
+ hdb_unlock(old_lock_fd);
+ close(old_lock_fd);
return ret;
}
- free(new_lock);
- ret = hdb_lock(lock_fd, HDB_WLOCK);
+
+ ret = hdb_lock(new_lock_fd, HDB_WLOCK);
if(ret) {
- db->hdb_unlock(context, db);
- close(lock_fd);
+ hdb_unlock(old_lock_fd);
+ close(old_lock_fd);
+ close(new_lock_fd);
return ret;
}
asprintf(&new_pag, "%s.pag", new_name);
ret = rename(old_dir, new_dir) || rename(old_pag, new_pag);
+ if (ret) {
+ ret = errno;
+ if (ret == 0)
+ ret = EPERM;
+ krb5_set_error_message(context, ret, "rename: %s", strerror(ret));
+ }
+
free(old_dir);
free(old_pag);
free(new_dir);
free(new_pag);
- hdb_unlock(lock_fd);
- db->hdb_unlock(context, db);
- if(ret) {
- ret = errno;
- close(lock_fd);
- krb5_set_error_message(context, ret, "rename: %s", strerror(ret));
- return ret;
- }
+ hdb_unlock(new_lock_fd);
+ hdb_unlock(old_lock_fd);
+ close(new_lock_fd);
+ close(old_lock_fd);
- close(d->lock_fd);
- d->lock_fd = lock_fd;
+ if(ret)
+ return ret;
free(db->hdb_name);
db->hdb_name = strdup(new_name);
{
krb5_error_code ret;
struct ndbm_db *d = malloc(sizeof(*d));
- char *lock_file;
if(d == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
- asprintf(&lock_file, "%s.lock", (char*)db->hdb_name);
- if(lock_file == NULL) {
- free(d);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
+
d->db = dbm_open((char*)db->hdb_name, flags, mode);
if(d->db == NULL){
ret = errno;
free(d);
- free(lock_file);
krb5_set_error_message(context, ret, "dbm_open(%s): %s", db->hdb_name,
strerror(ret));
return ret;
}
- d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600);
- if(d->lock_fd < 0){
+
+ ret = open_lock_file(context, db->hdb_name, &d->lock_fd);
+ if (ret) {
ret = errno;
dbm_close(d->db);
free(d);
- krb5_set_error_message(context, ret, "open(%s): %s", lock_file,
+ krb5_set_error_message(context, ret, "open(lock file): %s",
strerror(ret));
- free(lock_file);
return ret;
}
- free(lock_file);
+
db->hdb_db = d;
if((flags & O_ACCMODE) == O_RDONLY)
ret = hdb_check_db_format(context, db);
if (ret <= 0) {
ret = HX509_CMS_FAILED_CREATE_SIGATURE;
hx509_set_error_string(context, 0, ret,
- "RSA private decrypt failed: %d", ret);
+ "RSA private encrypt failed: %d", ret);
return ret;
}
if (ret > sig->length)
struct hx_expr_input _hx509_expr_input;
+#ifndef YY_NULL
+#define YY_NULL 0
+#endif
+
#define YY_NO_UNPUT 1
#undef YY_INPUT
"~/Library/Preferences/edu.mit.Kerberos:"
"/Library/Preferences/edu.mit.Kerberos:"
#endif /* __APPLE__ */
+"~/.krb5/config:"
SYSCONFDIR "/krb5.conf"
#ifndef _WIN32
":/etc/krb5.conf"
krb5_set_send_to_kdc_func(context, NULL, NULL);
#ifdef PKINIT
- hx509_context_free(&context->hx509ctx);
+ if (context->hx509ctx)
+ hx509_context_free(&context->hx509ctx);
#endif
HEIMDAL_MUTEX_destroy(context->mutex);
krb5_set_default_in_tkt_etypes(krb5_context context,
const krb5_enctype *etypes)
{
+ krb5_error_code ret;
krb5_enctype *p = NULL;
- int i;
+ unsigned int n, m;
if(etypes) {
- for (i = 0; etypes[i]; ++i) {
- krb5_error_code ret;
- ret = krb5_enctype_valid(context, etypes[i]);
- if (ret)
- return ret;
- }
- ++i;
- ALLOC(p, i);
+ for (n = 0; etypes[n]; n++)
+ ;
+ n++;
+ ALLOC(p, n);
if(!p) {
- krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+ krb5_set_error_message (context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
- memmove(p, etypes, i * sizeof(krb5_enctype));
+ for (n = 0, m = 0; etypes[n]; n++) {
+ ret = krb5_enctype_valid(context, etypes[n]);
+ if (ret)
+ continue;
+ p[m++] = etypes[n];
+ }
+ p[m] = ETYPE_NULL;
+ if (m == 0) {
+ free(p);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("no valid enctype set", ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
}
if(context->etypes)
free(context->etypes);
* @param allow allow if TRUE home directory
* @return the old value
*
+ * @ingroup krb5
*/
krb5_boolean
#define F_PSEUDO 16 /* not a real protocol type */
#define F_SPECIAL 32 /* backwards */
#define F_DISABLED 64 /* enctype/checksum disabled */
+#define F_WEAK 128 /* enctype is considered weak */
struct salt_type {
krb5_salttype type;
&keytype_des,
&checksum_crc32,
NULL,
- F_DISABLED,
+ F_DISABLED|F_WEAK,
evp_des_encrypt_key_ivec,
0,
NULL
&keytype_des,
&checksum_rsa_md4,
&checksum_rsa_md4_des,
- F_DISABLED,
+ F_DISABLED|F_WEAK,
evp_des_encrypt_null_ivec,
0,
NULL
&keytype_des,
&checksum_rsa_md5,
&checksum_rsa_md5_des,
- F_DISABLED,
+ F_DISABLED|F_WEAK,
evp_des_encrypt_null_ivec,
0,
NULL
&keytype_des,
&checksum_none,
NULL,
- F_PSEUDO|F_DISABLED,
+ F_PSEUDO|F_DISABLED|F_WEAK,
evp_des_encrypt_null_ivec,
0,
NULL
&keytype_des_old,
&checksum_none,
NULL,
- F_PSEUDO|F_DISABLED,
+ F_PSEUDO|F_DISABLED|F_WEAK,
DES_CFB64_encrypt_null_ivec,
0,
NULL
&keytype_des_old,
&checksum_none,
NULL,
- F_PSEUDO|F_DISABLED,
+ F_PSEUDO|F_DISABLED|F_WEAK,
DES_PCBC_encrypt_key_ivec,
0,
NULL
krb5_clear_error_message(context);
return KRB5_BAD_MSIZE;
}
-
checksum_sz = CHECKSUMSIZE(et->checksum);
+ if (len < checksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
+ return KRB5_BAD_MSIZE;
+ }
+
p = malloc(len);
if(len != 0 && p == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
krb5_clear_error_message(context);
return KRB5_BAD_MSIZE;
}
+ if (len < cksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
+ return KRB5_BAD_MSIZE;
+ }
p = malloc (len);
if (p == NULL) {
return 0;
}
+/**
+ * Enable or disable all weak encryption types
+ *
+ * @param context Kerberos 5 context
+ * @param enable true to enable, false to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto(krb5_context context,
+ krb5_boolean enable)
+{
+ int i;
+
+ for(i = 0; i < num_etypes; i++)
+ if(etypes[i]->flags & F_WEAK) {
+ if(enable)
+ etypes[i]->flags &= ~F_DISABLED;
+ else
+ etypes[i]->flags |= F_DISABLED;
+ }
+ return 0;
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_derived(krb5_context context,
ticket.server))
break;
- if (ticket.server->name.name_string.len != 2 &&
- strcmp(ticket.server->name.name_string.val[0], KRB5_TGS_NAME) != 0)
- {
+ if (!krb5_principal_is_krbtgt(context, ticket.server)) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
N_("Got back an non krbtgt "
"ticket referrals", ""));
free (ctx->pre_auth_types);
if (ctx->in_tkt_service)
free(ctx->in_tkt_service);
- if (ctx->password) {
- memset(ctx->password, 0, strlen(ctx->password));
- free(ctx->password);
- }
if (ctx->keytab_data)
free(ctx->keytab_data);
+ if (ctx->password) {
+ memset(ctx->password, 0, strlen(ctx->password));
+ free(ctx->password);
+ }
krb5_data_free(&ctx->req_buffer);
krb5_free_cred_contents(context, &ctx->cred);
free_METHOD_DATA(&ctx->md);
const char *password)
{
if (ctx->password) {
- memset(ctx->password, 0, strlen(ctx->password));
- free(ctx->password);
+ memset(ctx->password, 0, strlen(ctx->password));
+ free(ctx->password);
}
if (password) {
ctx->password = strdup(password);
N_("Failed to find name type %s", ""), str);
return KRB5_PARSE_MALFORMED;
}
+
+/**
+ * Check if the cname part of the principal is a krbtgt principal
+ *
+ * @ingroup krb5_principal
+ */
+
+krb5_boolean
+krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
+{
+ return p->name.name_string.len == 2 &&
+ strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
+
+}
* @param inbuf the (AP-REQ) authentication buffer
*
* @param server the server with authenticate as, if NULL the function
- * will try to find any available credential in the keytab
+ * will try to find any avaiable credentintial in the keytab
* that will verify the reply. The function will prefer the
* server the server client specified in the AP-REQ, but if
* there is no mach, it will try all keytab entries for a
return krb5_eai_to_heim_errno(ret, errno);
for (a = ai; a != NULL; a = a->ai_next) {
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol | SOCK_CLOEXEC);
+ s = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
if (s < 0)
continue;
rk_cloexec(s);
return KRB5KRB_AP_ERR_MODIFIED;
}
- if (returned->name.name_string.len == 2 &&
- strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
- {
+ if (krb5_principal_is_krbtgt(context, returned)) {
const char *realm = returned->name.name_string.val[1];
if (ref.referred_realm == NULL
return ret;
noreferral:
- if (krb5_principal_compare(context, requested, returned) == FALSE) {
+ /*
+ * Expect excact match or that we got a krbtgt
+ */
+ if (krb5_principal_compare(context, requested, returned) != TRUE &&
+ (krb5_realm_compare(context, requested, returned) != TRUE &&
+ krb5_principal_is_krbtgt(context, returned) != TRUE))
+ {
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Not same server principal returned "
"as requested", ""));
{
struct rk_dns_reply *r;
void *reply = NULL;
- int size;
- int len;
+ int size, len;
#if defined(HAVE_DNS_SEARCH)
struct sockaddr_storage from;
uint32_t fromsize = sizeof(from);
return NULL; /* is this the best we can do? */
#endif
- size = 0;
- len = 1000;
- do {
+ len = 1500;
+ while(1) {
if (reply) {
free(reply);
reply = NULL;
}
- if (size <= len)
- size = len;
if (_resolve_debug) {
#if defined(HAVE_DNS_SEARCH)
dns_set_debug(handle, 1);
state.options |= RES_DEBUG;
#endif
fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain,
- rr_class, rk_dns_type_to_string(rr_type), size);
+ rr_class, rk_dns_type_to_string(rr_type), len);
}
- reply = malloc(size);
+ reply = malloc(len);
if (reply == NULL) {
resolve_free_handle(handle);
return NULL;
}
- len = resolve_search(handle, domain, rr_class, rr_type, reply, size);
+ size = resolve_search(handle, domain, rr_class, rr_type, reply, len);
if (_resolve_debug) {
fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
- domain, rr_class, rk_dns_type_to_string(rr_type), len);
- }
- if (len <= 0) {
+ domain, rr_class, rk_dns_type_to_string(rr_type), size);
+ }
+ if (size > len) {
+ /* resolver thinks it know better, go for it */
+ len = size;
+ } else if (size > 0) {
+ /* got a good reply */
+ break;
+ } else if (size <= 0 && len < rk_DNS_MAX_PACKET_SIZE) {
+ len *= 2;
+ if (len > rk_DNS_MAX_PACKET_SIZE)
+ len = rk_DNS_MAX_PACKET_SIZE;
+ } else {
+ /* the end, leave */
resolve_free_handle(handle);
free(reply);
return NULL;
}
- } while (size < len && len < rk_DNS_MAX_PACKET_SIZE);
- resolve_free_handle(handle);
+ }
len = min(len, size);
r = parse_reply(reply, len);
ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL strerror(int);
#endif
-#if !defined(HAVE_STRERROR_R) && !defined(strerror_r) && !defined(STRERROR_R_PROTO_COMPATIBLE)
+#if (!defined(HAVE_STRERROR_R) && !defined(strerror_r)) || (!defined(STRERROR_R_PROTO_COMPATIBLE) && defined(HAVE_STRERROR_R))
int ROKEN_LIB_FUNCTION rk_strerror_r(int, char *, size_t);
#else
#define rk_strerror_r strerror_r
int rk_flock(int fd, int operation);
#endif /* HAVE_FLOCK */
-#if defined(SunOS) || defined(_AIX)
+#ifndef HAVE_DIRFD
+#ifdef HAVE_DIR_DD_FD
#define dirfd(x) ((x)->dd_fd)
+#else
+#ifndef _WIN32 /* Windows code never calls dirfd */
+#error Missing dirfd() and ->dd_fd
+#endif
+#endif
#endif
ROKEN_LIB_FUNCTION time_t ROKEN_LIB_CALL tm2time (struct tm, int);
rk_qsort(void *, size_t, size_t, int (*)(const void *, const void *));
#endif
+#if defined(__linux__) && SOCK_CLOEXEC && !defined(SOCKET_WRAPPER_REPLACE)
+#undef socket
+#define socket(_fam,_type,_prot) rk_socket(_fam,_type,_prot)
+int ROKEN_LIB_FUNCTION rk_socket(int, int, int);
+#endif
+
#ifdef SOCKET_WRAPPER_REPLACE
#include <socket_wrapper.h>
#endif
return _open_osfhandle((intptr_t) sock, flags);
#endif
}
+
+#ifndef HEIMDAL_SMALLER
+#undef socket
+
+int rk_socket(int, int, int);
+
+int
+rk_socket(int domain, int type, int protocol)
+{
+ int s;
+ s = socket (domain, type, protocol);
+#ifdef SOCK_CLOEXEC
+ if ((SOCK_CLOEXEC & type) && s < 0 && errno == EINVAL) {
+ type &= ~SOCK_CLOEXEC;
+ s = socket (domain, type, protocol);
+ }
+#endif
+ return s;
+}
+
+#endif /* HEIMDAL_SMALLER */
#include <config.h>
-#if !defined(HAVE_STRERROR_R) && !defined(STRERROR_R_PROTO_COMPATIBLE)
+#if (!defined(HAVE_STRERROR_R) && !defined(strerror_r)) || (!defined(STRERROR_R_PROTO_COMPATIBLE) && defined(HAVE_STRERROR_R))
#include <stdio.h>
#include <string.h>
#include <errno.h>
+#include "roken.h"
#ifdef _MSC_VER
#else /* _MSC_VER */
-#ifndef HAVE_STRERROR_R
-extern int sys_nerr;
-extern char *sys_errlist[];
-#endif
-
int ROKEN_LIB_FUNCTION
rk_strerror_r(int eno, char *strerrbuf, size_t buflen)
{
return 0;
#else
int ret;
- if(eno < 0 || eno >= sys_nerr) {
- snprintf(strerrbuf, buflen, "Error %d occurred.", eno);
- return EINVAL;
- }
- ret = snprintf(strerrbuf, buflen, "%s", sys_errlist[eno]);
+ ret = strlcpy(strerrbuf, buflen, strerror(eno));
if (ret > buflen)
return ERANGE;
return 0;
git.samba.org / nivanova / samba-autobuild / .git / commitdiff