s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31...
authorStefan Metzmacher <metze@samba.org>
Fri, 15 Jul 2011 07:10:30 +0000 (09:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Fri, 15 Jul 2011 09:15:05 +0000 (11:15 +0200)
312 files changed:
source4/heimdal/base/baselocl.h
source4/heimdal/base/dict.c
source4/heimdal/base/heimbase.c
source4/heimdal/base/heimbase.h
source4/heimdal/cf/make-proto.pl
source4/heimdal/include/heim_threads.h
source4/heimdal/kdc/default_config.c
source4/heimdal/kdc/digest.c
source4/heimdal/kdc/kdc.h
source4/heimdal/kdc/kerberos5.c
source4/heimdal/kdc/krb5tgs.c
source4/heimdal/kdc/kx509.c
source4/heimdal/kdc/log.c
source4/heimdal/kdc/misc.c
source4/heimdal/kdc/pkinit.c
source4/heimdal/kdc/process.c
source4/heimdal/kdc/windc.c
source4/heimdal/kdc/windc_plugin.h
source4/heimdal/kpasswd/kpasswd.c
source4/heimdal/kuser/kinit.c
source4/heimdal/lib/asn1/asn1-common.h
source4/heimdal/lib/asn1/asn1parse.c
source4/heimdal/lib/asn1/asn1parse.y
source4/heimdal/lib/asn1/der_cmp.c
source4/heimdal/lib/asn1/der_format.c
source4/heimdal/lib/asn1/der_get.c
source4/heimdal/lib/asn1/der_length.c
source4/heimdal/lib/asn1/der_put.c
source4/heimdal/lib/asn1/extra.c
source4/heimdal/lib/asn1/gen.c
source4/heimdal/lib/asn1/gen_decode.c
source4/heimdal/lib/asn1/gen_encode.c
source4/heimdal/lib/asn1/gen_free.c
source4/heimdal/lib/asn1/gen_template.c
source4/heimdal/lib/asn1/krb5.asn1
source4/heimdal/lib/asn1/lex.c
source4/heimdal/lib/asn1/lex.l
source4/heimdal/lib/asn1/main.c
source4/heimdal/lib/asn1/test.asn1
source4/heimdal/lib/asn1/timegm.c
source4/heimdal/lib/com_err/compile_et.c
source4/heimdal/lib/com_err/error.c
source4/heimdal/lib/com_err/parse.c
source4/heimdal/lib/com_err/parse.y
source4/heimdal/lib/gssapi/gssapi/gssapi.h
source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h
source4/heimdal/lib/gssapi/gssapi_mech.h
source4/heimdal/lib/gssapi/krb5/8003.c
source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
source4/heimdal/lib/gssapi/krb5/acquire_cred.c
source4/heimdal/lib/gssapi/krb5/add_cred.c
source4/heimdal/lib/gssapi/krb5/aeap.c
source4/heimdal/lib/gssapi/krb5/arcfour.c
source4/heimdal/lib/gssapi/krb5/cfx.c
source4/heimdal/lib/gssapi/krb5/compat.c
source4/heimdal/lib/gssapi/krb5/context_time.c
source4/heimdal/lib/gssapi/krb5/copy_ccache.c
source4/heimdal/lib/gssapi/krb5/creds.c
source4/heimdal/lib/gssapi/krb5/encapsulate.c
source4/heimdal/lib/gssapi/krb5/external.c
source4/heimdal/lib/gssapi/krb5/import_name.c
source4/heimdal/lib/gssapi/krb5/init_sec_context.c
source4/heimdal/lib/gssapi/krb5/inquire_cred.c
source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
source4/heimdal/lib/gssapi/krb5/prf.c
source4/heimdal/lib/gssapi/krb5/process_context_token.c
source4/heimdal/lib/gssapi/krb5/sequence.c
source4/heimdal/lib/gssapi/krb5/set_cred_option.c
source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
source4/heimdal/lib/gssapi/krb5/store_cred.c
source4/heimdal/lib/gssapi/krb5/unwrap.c
source4/heimdal/lib/gssapi/krb5/verify_mic.c
source4/heimdal/lib/gssapi/krb5/wrap.c
source4/heimdal/lib/gssapi/mech/cred.h
source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
source4/heimdal/lib/gssapi/mech/gss_add_cred.c
source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
source4/heimdal/lib/gssapi/mech/gss_aeap.c
source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
source4/heimdal/lib/gssapi/mech/gss_cred.c
source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
source4/heimdal/lib/gssapi/mech/gss_display_status.c
source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_import_name.c
source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
source4/heimdal/lib/gssapi/mech/gss_krb5.c
source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
source4/heimdal/lib/gssapi/mech/gss_mo.c
source4/heimdal/lib/gssapi/mech/gss_names.c
source4/heimdal/lib/gssapi/mech/gss_oid.c
source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
source4/heimdal/lib/gssapi/mech/gss_release_name.c
source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
source4/heimdal/lib/gssapi/mech/mech_locl.h
source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
source4/heimdal/lib/gssapi/spnego/compat.c
source4/heimdal/lib/gssapi/spnego/context_stubs.c
source4/heimdal/lib/gssapi/spnego/cred_stubs.c
source4/heimdal/lib/gssapi/spnego/external.c
source4/heimdal/lib/gssapi/spnego/init_sec_context.c
source4/heimdal/lib/gssapi/spnego/spnego_locl.h
source4/heimdal/lib/gssapi/version-script.map
source4/heimdal/lib/hcrypto/camellia-ntt.c
source4/heimdal/lib/hcrypto/des.c
source4/heimdal/lib/hcrypto/des.h
source4/heimdal/lib/hcrypto/dh-ltm.c
source4/heimdal/lib/hcrypto/dh.c
source4/heimdal/lib/hcrypto/engine.c
source4/heimdal/lib/hcrypto/evp.c
source4/heimdal/lib/hcrypto/evp.h
source4/heimdal/lib/hcrypto/libtommath/bn_fast_mp_invmod.c
source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_digs.c
source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_high_digs.c
source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_sqr.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_div.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod_fast.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_find_prime.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_get_int.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod_slow.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_isprime.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_mul.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_sqr.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_n_root.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_divisible.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_random_ex.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_set_int.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_toom_mul.c
source4/heimdal/lib/hcrypto/libtommath/bn_mp_toradix_n.c
source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c
source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c
source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c
source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c
source4/heimdal/lib/hcrypto/libtommath/bncore.c
source4/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h
source4/heimdal/lib/hcrypto/libtommath/mtest/mpi.c
source4/heimdal/lib/hcrypto/libtommath/tommath.h
source4/heimdal/lib/hcrypto/libtommath/tommath_superclass.h
source4/heimdal/lib/hcrypto/pkcs12.c
source4/heimdal/lib/hcrypto/rand-egd.c
source4/heimdal/lib/hcrypto/rc2.c
source4/heimdal/lib/hcrypto/rsa-ltm.c
source4/heimdal/lib/hcrypto/rsa.c
source4/heimdal/lib/hcrypto/sha256.c
source4/heimdal/lib/hcrypto/sha512.c
source4/heimdal/lib/hcrypto/ui.c
source4/heimdal/lib/hcrypto/validate.c
source4/heimdal/lib/hdb/dbinfo.c
source4/heimdal/lib/hdb/ext.c
source4/heimdal/lib/hdb/hdb-keytab.c
source4/heimdal/lib/hdb/hdb.c
source4/heimdal/lib/hdb/hdb.h
source4/heimdal/lib/hdb/keys.c
source4/heimdal/lib/hdb/keytab.c
source4/heimdal/lib/hdb/mkey.c
source4/heimdal/lib/hx509/ca.c
source4/heimdal/lib/hx509/cert.c
source4/heimdal/lib/hx509/char_map.h
source4/heimdal/lib/hx509/cms.c
source4/heimdal/lib/hx509/collector.c
source4/heimdal/lib/hx509/crypto.c
source4/heimdal/lib/hx509/file.c
source4/heimdal/lib/hx509/keyset.c
source4/heimdal/lib/hx509/ks_dir.c
source4/heimdal/lib/hx509/ks_file.c
source4/heimdal/lib/hx509/ks_keychain.c
source4/heimdal/lib/hx509/ks_mem.c
source4/heimdal/lib/hx509/ks_p11.c
source4/heimdal/lib/hx509/ks_p12.c
source4/heimdal/lib/hx509/lock.c
source4/heimdal/lib/hx509/name.c
source4/heimdal/lib/hx509/print.c
source4/heimdal/lib/hx509/revoke.c
source4/heimdal/lib/hx509/sel.c
source4/heimdal/lib/hx509/sel.h
source4/heimdal/lib/hx509/test_name.c
source4/heimdal/lib/krb5/acache.c
source4/heimdal/lib/krb5/addr_families.c
source4/heimdal/lib/krb5/appdefault.c
source4/heimdal/lib/krb5/auth_context.c
source4/heimdal/lib/krb5/build_auth.c
source4/heimdal/lib/krb5/cache.c
source4/heimdal/lib/krb5/changepw.c
source4/heimdal/lib/krb5/codec.c
source4/heimdal/lib/krb5/config_file.c
source4/heimdal/lib/krb5/context.c
source4/heimdal/lib/krb5/convert_creds.c
source4/heimdal/lib/krb5/creds.c
source4/heimdal/lib/krb5/crypto-des.c
source4/heimdal/lib/krb5/crypto-des3.c
source4/heimdal/lib/krb5/crypto-evp.c
source4/heimdal/lib/krb5/crypto-pk.c
source4/heimdal/lib/krb5/crypto.c
source4/heimdal/lib/krb5/error_string.c
source4/heimdal/lib/krb5/expand_path.c
source4/heimdal/lib/krb5/fcache.c
source4/heimdal/lib/krb5/get_addrs.c
source4/heimdal/lib/krb5/get_cred.c
source4/heimdal/lib/krb5/get_default_principal.c
source4/heimdal/lib/krb5/get_for_creds.c
source4/heimdal/lib/krb5/get_host_realm.c
source4/heimdal/lib/krb5/get_in_tkt.c
source4/heimdal/lib/krb5/heim_err.et
source4/heimdal/lib/krb5/init_creds.c
source4/heimdal/lib/krb5/init_creds_pw.c
source4/heimdal/lib/krb5/kcm.c
source4/heimdal/lib/krb5/keyblock.c
source4/heimdal/lib/krb5/keytab.c
source4/heimdal/lib/krb5/keytab_file.c
source4/heimdal/lib/krb5/keytab_keyfile.c
source4/heimdal/lib/krb5/krb5.h
source4/heimdal/lib/krb5/krb5_locl.h
source4/heimdal/lib/krb5/krbhst.c
source4/heimdal/lib/krb5/log.c
source4/heimdal/lib/krb5/mcache.c
source4/heimdal/lib/krb5/misc.c
source4/heimdal/lib/krb5/mit_glue.c
source4/heimdal/lib/krb5/mk_error.c
source4/heimdal/lib/krb5/mk_priv.c
source4/heimdal/lib/krb5/mk_rep.c
source4/heimdal/lib/krb5/n-fold.c
source4/heimdal/lib/krb5/pac.c
source4/heimdal/lib/krb5/padata.c
source4/heimdal/lib/krb5/pkinit.c
source4/heimdal/lib/krb5/plugin.c
source4/heimdal/lib/krb5/principal.c
source4/heimdal/lib/krb5/rd_cred.c
source4/heimdal/lib/krb5/rd_rep.c
source4/heimdal/lib/krb5/rd_req.c
source4/heimdal/lib/krb5/replay.c
source4/heimdal/lib/krb5/salt-arcfour.c
source4/heimdal/lib/krb5/salt-des.c
source4/heimdal/lib/krb5/salt.c
source4/heimdal/lib/krb5/send_to_kdc.c
source4/heimdal/lib/krb5/store-int.c
source4/heimdal/lib/krb5/store-int.h
source4/heimdal/lib/krb5/store.c
source4/heimdal/lib/krb5/store_emem.c
source4/heimdal/lib/krb5/store_fd.c
source4/heimdal/lib/krb5/store_mem.c
source4/heimdal/lib/krb5/ticket.c
source4/heimdal/lib/krb5/transited.c
source4/heimdal/lib/krb5/version-script.map
source4/heimdal/lib/krb5/warn.c
source4/heimdal/lib/ntlm/ntlm.c
source4/heimdal/lib/roken/dumpdata.c
source4/heimdal/lib/roken/get_window_size.c
source4/heimdal/lib/roken/getarg.c
source4/heimdal/lib/roken/hex.c
source4/heimdal/lib/roken/parse_units.c
source4/heimdal/lib/roken/resolve.c
source4/heimdal/lib/roken/rkpty.c
source4/heimdal/lib/roken/roken.h.in
source4/heimdal/lib/roken/roken_gethostby.c
source4/heimdal/lib/roken/socket.c
source4/heimdal/lib/roken/strsep_copy.c
source4/heimdal/lib/roken/version-script.map
source4/heimdal/lib/vers/print_version.c
source4/heimdal/lib/wind/ldap.c
source4/heimdal/lib/wind/normalize.c
source4/heimdal/lib/wind/stringprep.c
source4/heimdal/lib/wind/utf8.c

index b3c81b9460e8261ee161c46b49b78152d232237c..901e8606fd97a47565296a9dd32710d1160ec437 100644 (file)
 
 #include "config.h"
 
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
index 7522c8c1c412a2499a193d80078b1a502400ed62..1f9d71a0f506c7912baac0c615905ce03fd25caa 100644 (file)
@@ -77,7 +77,7 @@ struct heim_type_data dict_object = {
 static size_t
 isprime(size_t p)
 {
-    int q, i;
+    size_t q, i;
 
     for(i = 2 ; i < p; i++) {
        q = p / i;
@@ -120,7 +120,7 @@ heim_dict_create(size_t size)
        heim_release(dict);
        return NULL;
     }
-    
+
     dict->tab = calloc(dict->size, sizeof(dict->tab[0]));
     if (dict->tab == NULL) {
        dict->size = 0;
index 01668716a300144ec5650c1fa9b6b329f180e1ff..7031af9e49806ad7a483d57d66053ce0c7de4515 100644 (file)
@@ -369,7 +369,7 @@ void
 heim_abortv(const char *fmt, va_list ap)
 {
     static char str[1024];
-    
+
     vsnprintf(str, sizeof(str), fmt, ap);
     syslog(LOG_ERR, "heim_abort: %s", str);
     abort();
index d1ca5aa89968e991438c61acea06e2a2fc4f50a1..ad1b3f0c48d33f1bf655856a2128ad94bd3994e3 100644 (file)
@@ -48,6 +48,22 @@ typedef heim_object_t heim_null_t;
 #define HEIM_BASE_ONCE_INIT 0
 typedef long heim_base_once_t; /* XXX arch dependant */
 
+#if !defined(__has_extension)
+#define __has_extension(x) 0
+#endif
+
+#define HEIM_REQUIRE_GNUC(m,n,p) \
+    (((__GNUC__ * 10000) + (__GNUC_MINOR__ * 100) + __GNUC_PATCHLEVEL__) >= \
+     (((m) * 10000) + ((n) * 100) + (p)))
+
+
+#if __has_extension(__builtin_expect) || HEIM_REQUIRE_GNUC(3,0,0)
+#define heim_builtin_expect(_op,_res) __builtin_expect(_op,_res)
+#else
+#define heim_builtin_expect(_op,_res) (_op)
+#endif
+
+
 void * heim_retain(heim_object_t);
 void   heim_release(heim_object_t);
 
@@ -79,7 +95,7 @@ heim_abortv(const char *fmt, va_list ap)
     HEIMDAL_PRINTF_ATTRIBUTE((printf, 1, 0));
 
 #define heim_assert(e,t) \
-    (__builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
+    (heim_builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
 
 /*
  *
index bc323b9433eb8e8c97a04d8fccf1914dd3030b5f..6894dc143e17f7b1e52bf15fd75c258475982097 100644 (file)
@@ -11,6 +11,7 @@ my $line = "";
 my $debug = 0;
 my $oproto = 1;
 my $private_func_re = "^_";
+my %depfunction = ();
 
 Getopts('x:m:o:p:dqE:R:P:') || die "foo";
 
@@ -25,7 +26,7 @@ if($opt_q) {
 if($opt_R) {
     $private_func_re = $opt_R;
 }
-%flags = (
+my %flags = (
          'multiline-proto' => 1,
          'header' => 1,
          'function-blocking' => 0,
@@ -100,16 +101,21 @@ while(<>) {
        s/^\s*//;
        s/\s*$//;
        s/\s+/ /g;
-       if($_ =~ /\)$/ or $_ =~ /DEPRECATED$/){
+       if($_ =~ /\)$/){
            if(!/^static/ && !/^PRIVATE/){
                $attr = "";
                if(m/(.*)(__attribute__\s?\(.*\))/) {
                    $attr .= " $2";
                    $_ = $1;
                }
-               if(m/(.*)\s(\w+DEPRECATED)/) {
+               if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) {
+                   $depfunction{$2} = 1;
+                   $attr .= " $2$3";
+                   $_ = "$1 $4";
+               }
+               if(m/(.*)\s(\w+DEPRECATED)(.*)/) {
                    $attr .= " $2";
-                   $_ = $1;
+                   $_ = "$1 $3";
                }
                # remove outer ()
                s/\s*\(/</;
@@ -302,17 +308,44 @@ if($flags{"gnuc-attribute"}) {
 ";
     }
 }
+
+my $depstr = "";
+my $undepstr = "";
+foreach (keys %depfunction) {
+    $depstr .= "#ifndef $_
+#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
+#define $_(X) __attribute__((__deprecated__))
+#else
+#define $_(X)
+#endif
+#endif
+
+
+";
+    $public_h_trailer .= "#undef $_
+
+";
+    $private_h_trailer .= "#undef $_
+#define $_(X)
+
+";
+}
+
+$public_h_header .= $depstr;
+$private_h_header .= $depstr;
+
+
 if($flags{"cxx"}) {
     $public_h_header .= "#ifdef __cplusplus
 extern \"C\" {
 #endif
 
 ";
-    $public_h_trailer .= "#ifdef __cplusplus
+    $public_h_trailer = "#ifdef __cplusplus
 }
 #endif
 
-";
+" . $public_h_trailer;
 
 }
 if ($opt_E) {
@@ -348,6 +381,9 @@ if ($opt_E) {
 ";
 }
     
+$public_h_trailer .= $undepstr;
+$private_h_trailer .= $undepstr;
+
 if ($public_h ne "" && $flags{"header"}) {
     $public_h = $public_h_header . $public_h . 
        $public_h_trailer . "#endif /* $block */\n";
index c4f841fb61f08fb54337ff5a83c217e8ce65c88d..8ff677f3309c3040441480fbb6447f92dd980a06 100644 (file)
 
 #define HEIMDAL_RWLOCK rwlock_t
 #define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define        HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)     
-#define        HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)       
-#define        HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)       
-#define        HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l) 
-#define        HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l) 
-#define        HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)       
-#define        HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)     
+#define        HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
+#define        HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
+#define        HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
+#define        HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
+#define        HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
+#define        HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
+#define        HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
 
 #define HEIMDAL_thread_key thread_key_t
 #define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0)
 
 #define HEIMDAL_RWLOCK rwlock_t
 #define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define        HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)     
-#define        HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)       
-#define        HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)       
-#define        HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l) 
-#define        HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l) 
-#define        HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)       
-#define        HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)     
+#define        HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
+#define        HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
+#define        HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
+#define        HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
+#define        HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
+#define        HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
+#define        HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
 
 #define HEIMDAL_thread_key pthread_key_t
 #define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0)
index 1441c3161e8306abb1947df8ffab350c432c7f82..fe977ded5a24a102cccbdbb52bc42d2c2d17121d 100644 (file)
@@ -51,14 +51,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->require_preauth = TRUE;
     c->kdc_warn_pwexpire = 0;
     c->encode_as_rep_as_tgs_rep = FALSE;
+    c->as_use_strongest_session_key = FALSE;
+    c->preauth_use_strongest_session_key = FALSE;
+    c->tgs_use_strongest_session_key = FALSE;
+    c->use_strongest_server_key = FALSE;
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
     c->allow_anonymous = FALSE;
     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
-    c->enable_v4 = FALSE;
-    c->enable_kaserver = FALSE;
-    c->enable_524 = FALSE;
-    c->enable_v4_cross_realm = FALSE;
     c->enable_pkinit = FALSE;
     c->pkinit_princ_in_cert = TRUE;
     c->pkinit_require_binding = TRUE;
@@ -70,19 +70,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
        krb5_config_get_bool_default(context, NULL,
                                     c->require_preauth,
                                     "kdc", "require-preauth", NULL);
-    c->enable_v4 =
-       krb5_config_get_bool_default(context, NULL,
-                                    c->enable_v4,
-                                    "kdc", "enable-kerberos4", NULL);
-    c->enable_v4_cross_realm =
-       krb5_config_get_bool_default(context, NULL,
-                                    c->enable_v4_cross_realm,
-                                    "kdc",
-                                    "enable-kerberos4-cross-realm", NULL);
-    c->enable_524 =
-       krb5_config_get_bool_default(context, NULL,
-                                    c->enable_v4,
-                                    "kdc", "enable-524", NULL);
 #ifdef DIGEST
     c->enable_digest =
        krb5_config_get_bool_default(context, NULL,
@@ -133,6 +120,27 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     }
 #endif
 
+    c->as_use_strongest_session_key =
+       krb5_config_get_bool_default(context, NULL,
+                                    c->as_use_strongest_session_key,
+                                    "kdc",
+                                    "as-use-strongest-session-key", NULL);
+    c->preauth_use_strongest_session_key =
+       krb5_config_get_bool_default(context, NULL,
+                                    c->preauth_use_strongest_session_key,
+                                    "kdc",
+                                    "preauth-use-strongest-session-key", NULL);
+    c->tgs_use_strongest_session_key =
+       krb5_config_get_bool_default(context, NULL,
+                                    c->tgs_use_strongest_session_key,
+                                    "kdc",
+                                    "tgs-use-strongest-session-key", NULL);
+    c->use_strongest_server_key =
+       krb5_config_get_bool_default(context, NULL,
+                                    c->use_strongest_server_key,
+                                    "kdc",
+                                    "use-strongest-server-key", NULL);
+
     c->check_ticket_addresses =
        krb5_config_get_bool_default(context, NULL,
                                     c->check_ticket_addresses,
@@ -180,28 +188,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
        }
     }
 
-    {
-       const char *p;
-       p = krb5_config_get_string (context, NULL,
-                                   "kdc",
-                                   "v4-realm",
-                                   NULL);
-       if(p != NULL) {
-           c->v4_realm = strdup(p);
-           if (c->v4_realm == NULL)
-               krb5_errx(context, 1, "out of memory");
-       } else {
-           c->v4_realm = NULL;
-       }
-    }
-
-    c->enable_kaserver =
-       krb5_config_get_bool_default(context,
-                                    NULL,
-                                    c->enable_kaserver,
-                                    "kdc", "enable-kaserver", NULL);
-
-
     c->encode_as_rep_as_tgs_rep =
        krb5_config_get_bool_default(context, NULL,
                                     c->encode_as_rep_as_tgs_rep,
@@ -223,7 +209,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
                                     NULL);
 
 
-    c->pkinit_kdc_identity = 
+    c->pkinit_kdc_identity =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_identity", NULL);
     c->pkinit_kdc_anchors =
@@ -235,7 +221,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->pkinit_kdc_revoke =
        krb5_config_get_strings(context, NULL,
                                "kdc", "pkinit_revoke", NULL);
-    c->pkinit_kdc_ocsp_file = 
+    c->pkinit_kdc_ocsp_file =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_kdc_ocsp", NULL);
     c->pkinit_kdc_friendly_name =
@@ -272,7 +258,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
 
     if (config->pkinit_kdc_identity == NULL) {
        if (config->pkinit_kdc_friendly_name == NULL)
-           config->pkinit_kdc_friendly_name = 
+           config->pkinit_kdc_friendly_name =
                strdup("O=System Identity,CN=com.apple.kerberos.kdc");
        config->pkinit_kdc_identity = strdup("KEYCHAIN:");
     }
@@ -284,7 +270,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
     if (config->enable_pkinit) {
        if (config->pkinit_kdc_identity == NULL)
            krb5_errx(context, 1, "pkinit enabled but no identity");
+
        if (config->pkinit_kdc_anchors == NULL)
            krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 
@@ -298,4 +284,4 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
 
     return 0;
 #endif /* PKINIT */
-}   
+}
index 70b45c2af6fb7b7b1db4e0de075e4c055aa72454..5f0d27441a23cbf4f56f1bb111b3296586ae121b 100644 (file)
@@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context,
     /* check the server principal in the ticket matches digest/R@R */
     {
        krb5_principal principal = NULL;
-       const char *p, *r;
+       const char *p, *rr;
 
        ret = krb5_ticket_get_server(context, ticket, &principal);
        if (ret)
@@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context,
            krb5_free_principal(context, principal);
            goto out;
        }
-       r = krb5_principal_get_realm(context, principal);
-       if (r == NULL) {
+       rr = krb5_principal_get_realm(context, principal);
+       if (rr == NULL) {
            krb5_free_principal(context, principal);
            goto out;
        }
-       if (strcmp(p, r) != 0) {
+       if (strcmp(p, rr) != 0) {
            krb5_free_principal(context, principal);
            goto out;
        }
@@ -356,7 +356,7 @@ _kdc_do_digest(krb5_context context,
     crypto = NULL;
     if (ret)
        goto out;
-       
+
     ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
     krb5_data_free(&buf);
     if (ret) {
@@ -419,7 +419,7 @@ _kdc_do_digest(krb5_context context,
            free(r.u.initReply.nonce);
            r.u.initReply.nonce = s;
        }
-       
+
        ret = krb5_store_stringz(sp, r.u.initReply.nonce);
        if (ret) {
            krb5_clear_error_message(context);
@@ -475,7 +475,7 @@ _kdc_do_digest(krb5_context context,
        krb5_data_free(&buf);
        if (ret)
            goto out;
-       
+
        ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
        free_Checksum(&res);
        if (ret) {
@@ -547,7 +547,7 @@ _kdc_do_digest(krb5_context context,
                                   "Failed to decode digest Checksum");
            goto out;
        }
-       
+
        ret = krb5_storage_to_data(sp, &buf);
        if (ret) {
            krb5_clear_error_message(context);
@@ -561,14 +561,14 @@ _kdc_do_digest(krb5_context context,
            krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
-       
+
        /*
         * CHAP does the checksum of the raw nonce, but do it for all
         * types, since we need to check the timestamp.
         */
        {
            ssize_t ssize;
-       
+
            ssize = hex_decode(ireq.u.digestRequest.serverNonce,
                               serverNonce.data, serverNonce.length);
            if (ssize <= 0) {
@@ -597,7 +597,7 @@ _kdc_do_digest(krb5_context context,
        {
            unsigned char *p = serverNonce.data;
            uint32_t t;
-       
+
            if (serverNonce.length < 4) {
                ret = EINVAL;
                krb5_set_error_message(context, ret, "server nonce too short");
@@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context,
            EVP_MD_CTX *ctx;
            unsigned char md[MD5_DIGEST_LENGTH];
            char *mdx;
-           char id;
+           char idx;
 
            if ((config->digests_allowed & CHAP_MD5) == 0) {
                kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
@@ -629,13 +629,13 @@ _kdc_do_digest(krb5_context context,
                                       "from CHAP request");
                goto out;
            }
-       
-           if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
+
+           if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
                ret = EINVAL;
                krb5_set_error_message(context, ret, "failed to decode identifier");
                goto out;
            }
-       
+
            ret = get_password_entry(context, config,
                                     ireq.u.digestRequest.username,
                                     &password);
@@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context,
            ctx = EVP_MD_CTX_create();
 
            EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
-           EVP_DigestUpdate(ctx, &id, 1);
+           EVP_DigestUpdate(ctx, &idx, 1);
            EVP_DigestUpdate(ctx, password, strlen(password));
            EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
            EVP_DigestFinal_ex(ctx, md, NULL);
@@ -691,7 +691,7 @@ _kdc_do_digest(krb5_context context,
                goto out;
            if (ireq.u.digestRequest.realm == NULL)
                goto out;
-       
+
            ret = get_password_entry(context, config,
                                     ireq.u.digestRequest.username,
                                     &password);
@@ -709,7 +709,7 @@ _kdc_do_digest(krb5_context context,
            EVP_DigestUpdate(ctx, ":", 1);
            EVP_DigestUpdate(ctx, password, strlen(password));
            EVP_DigestFinal_ex(ctx, md, NULL);
-       
+
            EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
            EVP_DigestUpdate(ctx, md, sizeof(md));
            EVP_DigestUpdate(ctx, ":", 1);
@@ -731,19 +731,19 @@ _kdc_do_digest(krb5_context context,
                EVP_MD_CTX_destroy(ctx);
                goto failed;
            }
-       
+
            EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
            EVP_DigestUpdate(ctx,
                             "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
            EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
                       strlen(*ireq.u.digestRequest.uri));
-       
+
            /* conf|int */
            if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
                static char conf_zeros[] = ":00000000000000000000000000000000";
                EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
            }
-       
+
            EVP_DigestFinal_ex(ctx, md, NULL);
 
            hex_encode(md, sizeof(md), &A2);
@@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context,
            const char *username;
            struct ntlm_buf answer;
            Key *key = NULL;
-           EVP_MD_CTX *ctx;
+           EVP_MD_CTX *ctp;
 
            if ((config->digests_allowed & MS_CHAP_V2) == 0) {
                kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -816,7 +816,7 @@ _kdc_do_digest(krb5_context context,
                krb5_set_error_message(context, ret,
                                       "MS-CHAP-V2 clientNonce missing");
                goto failed;
-           }   
+           }
            if (serverNonce.length != 16) {
                ret = EINVAL;
                krb5_set_error_message(context, ret,
@@ -831,21 +831,21 @@ _kdc_do_digest(krb5_context context,
            else
                username++;
 
-           ctx = EVP_MD_CTX_create();
+           ctp = EVP_MD_CTX_create();
 
            /* ChallangeHash */
-           EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+           EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
            {
                ssize_t ssize;
                krb5_data clientNonce;
-               
+
                clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
                clientNonce.data = malloc(clientNonce.length);
                if (clientNonce.data == NULL) {
                    ret = ENOMEM;
                    krb5_set_error_message(context, ret,
                                           "malloc: out of memory");
-                   EVP_MD_CTX_destroy(ctx);
+                   EVP_MD_CTX_destroy(ctp);
                    goto out;
                }
 
@@ -855,24 +855,24 @@ _kdc_do_digest(krb5_context context,
                    ret = ENOMEM;
                    krb5_set_error_message(context, ret,
                                           "Failed to decode clientNonce");
-                   EVP_MD_CTX_destroy(ctx);
+                   EVP_MD_CTX_destroy(ctp);
                    goto out;
                }
-               EVP_DigestUpdate(ctx, clientNonce.data, ssize);
+               EVP_DigestUpdate(ctp, clientNonce.data, ssize);
                free(clientNonce.data);
            }
-           EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
-           EVP_DigestUpdate(ctx, username, strlen(username));
+           EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
+           EVP_DigestUpdate(ctp, username, strlen(username));
 
-           EVP_DigestFinal_ex(ctx, challange, NULL);
+           EVP_DigestFinal_ex(ctp, challange, NULL);
 
-           EVP_MD_CTX_destroy(ctx);
+           EVP_MD_CTX_destroy(ctp);
 
            /* NtPasswordHash */
            ret = krb5_parse_name(context, username, &clientprincipal);
            if (ret)
                goto failed;
-       
+
            ret = _kdc_db_fetch(context, config, clientprincipal,
                                HDB_F_GET_CLIENT, NULL, NULL, &user);
            krb5_free_principal(context, clientprincipal);
@@ -900,7 +900,7 @@ _kdc_do_digest(krb5_context context,
                krb5_set_error_message(context, ret, "NTLM missing arcfour key");
                goto failed;
            }
-       
+
            hex_encode(answer.data, answer.length, &mdx);
            if (mdx == NULL) {
                free(answer.data);
@@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context,
 
            if (r.u.response.success) {
                unsigned char hashhash[MD4_DIGEST_LENGTH];
-               EVP_MD_CTX *ctx;
+               EVP_MD_CTX *ctxp;
 
-               ctx = EVP_MD_CTX_create();
+               ctxp = EVP_MD_CTX_create();
 
                /* hashhash */
                {
-                   EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
-                   EVP_DigestUpdate(ctx,
+                   EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
+                   EVP_DigestUpdate(ctxp,
                                     key->key.keyvalue.data,
                                     key->key.keyvalue.length);
-                   EVP_DigestFinal_ex(ctx, hashhash, NULL);
+                   EVP_DigestFinal_ex(ctxp, hashhash, NULL);
                }
 
                /* GenerateAuthenticatorResponse */
-               EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
-               EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
-               EVP_DigestUpdate(ctx, answer.data, answer.length);
-               EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
+               EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+               EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
+               EVP_DigestUpdate(ctxp, answer.data, answer.length);
+               EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
                                 sizeof(ms_chap_v2_magic1));
-               EVP_DigestFinal_ex(ctx, md, NULL);
+               EVP_DigestFinal_ex(ctxp, md, NULL);
 
-               EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
-               EVP_DigestUpdate(ctx, md, sizeof(md));
-               EVP_DigestUpdate(ctx, challange, 8);
-               EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
+               EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+               EVP_DigestUpdate(ctxp, md, sizeof(md));
+               EVP_DigestUpdate(ctxp, challange, 8);
+               EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
                                 sizeof(ms_chap_v2_magic2));
-               EVP_DigestFinal_ex(ctx, md, NULL);
+               EVP_DigestFinal_ex(ctxp, md, NULL);
 
                r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
                if (r.u.response.rsp == NULL) {
                    free(answer.data);
                    krb5_clear_error_message(context);
-                   EVP_MD_CTX_destroy(ctx);
+                   EVP_MD_CTX_destroy(ctxp);
                    ret = ENOMEM;
                    goto out;
                }
@@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context,
                if (r.u.response.rsp == NULL) {
                    free(answer.data);
                    krb5_clear_error_message(context);
-                   EVP_MD_CTX_destroy(ctx);
+                   EVP_MD_CTX_destroy(ctxp);
                    ret = ENOMEM;
                    goto out;
                }
 
                /* get_master, rfc 3079 3.4 */
-               EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
-               EVP_DigestUpdate(ctx, hashhash, 16);
-               EVP_DigestUpdate(ctx, answer.data, answer.length);
-               EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
+               EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+               EVP_DigestUpdate(ctxp, hashhash, 16);
+               EVP_DigestUpdate(ctxp, answer.data, answer.length);
+               EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
                                 sizeof(ms_rfc3079_magic1));
-               EVP_DigestFinal_ex(ctx, md, NULL);
+               EVP_DigestFinal_ex(ctxp, md, NULL);
 
                free(answer.data);
 
-               EVP_MD_CTX_destroy(ctx);
+               EVP_MD_CTX_destroy(ctxp);
 
                r.u.response.session_key =
                    calloc(1, sizeof(*r.u.response.session_key));
@@ -1101,7 +1101,7 @@ _kdc_do_digest(krb5_context context,
            krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
-       
+
        ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
        if (ret != 8) {
            ret = ENOMEM;
@@ -1143,7 +1143,7 @@ _kdc_do_digest(krb5_context context,
        uint32_t flags;
        Key *key = NULL;
        int version;
-       
+
        r.element = choice_DigestRepInner_ntlmResponse;
        r.u.ntlmResponse.success = 0;
        r.u.ntlmResponse.flags = 0;
@@ -1187,7 +1187,7 @@ _kdc_do_digest(krb5_context context,
            krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
-       
+
        ret = krb5_storage_read(sp, challange, sizeof(challange));
        if (ret != sizeof(challange)) {
            ret = ENOMEM;
@@ -1266,7 +1266,7 @@ _kdc_do_digest(krb5_context context,
            if (flags & NTLM_NEG_NTLM2_SESSION) {
                unsigned char sessionhash[MD5_DIGEST_LENGTH];
                EVP_MD_CTX *ctx;
-               
+
                if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
                    kdc_log(context, config, 0, "NTLM v1-session not allowed");
                    ret = EINVAL;
@@ -1279,7 +1279,7 @@ _kdc_do_digest(krb5_context context,
                                           "for NTLM session key");
                    goto failed;
                }
-               
+
                ctx = EVP_MD_CTX_create();
 
                EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
@@ -1297,7 +1297,7 @@ _kdc_do_digest(krb5_context context,
                    goto failed;
                }
            }
-       
+
            ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
                                            key->key.keyvalue.length,
                                            challange, &answer);
@@ -1305,7 +1305,7 @@ _kdc_do_digest(krb5_context context,
                krb5_set_error_message(context, ret, "NTLM missing arcfour key");
                goto failed;
            }
-       
+
            if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
                memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
                {
@@ -1335,7 +1335,7 @@ _kdc_do_digest(krb5_context context,
            unsigned char masterkey[MD4_DIGEST_LENGTH];
            EVP_CIPHER_CTX rc4;
            size_t len;
-       
+
            if ((flags & NTLM_NEG_KEYEX) == 0) {
                ret = EINVAL;
                krb5_set_error_message(context, ret,
@@ -1343,7 +1343,7 @@ _kdc_do_digest(krb5_context context,
                                       "exchange but still sent key");
                goto failed;
            }
-       
+
            len = ireq.u.ntlmRequest.sessionkey->length;
            if (len != sizeof(masterkey)){
                ret = EINVAL;
@@ -1352,7 +1352,7 @@ _kdc_do_digest(krb5_context context,
                                       (unsigned long)len);
                goto failed;
            }
-       
+
 
            EVP_CIPHER_CTX_init(&rc4);
            EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
@@ -1360,7 +1360,7 @@ _kdc_do_digest(krb5_context context,
                       masterkey, ireq.u.ntlmRequest.sessionkey->data,
                       sizeof(masterkey));
            EVP_CIPHER_CTX_cleanup(&rc4);
-       
+
            r.u.ntlmResponse.sessionkey =
                malloc(sizeof(*r.u.ntlmResponse.sessionkey));
            if (r.u.ntlmResponse.sessionkey == NULL) {
@@ -1368,7 +1368,7 @@ _kdc_do_digest(krb5_context context,
                krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
-       
+
            ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
                                 masterkey, sizeof(masterkey));
            if (ret) {
@@ -1415,7 +1415,7 @@ _kdc_do_digest(krb5_context context,
            krb5_clear_error_message(context);
            goto out;
        }
-       
+
        kdc_log(context, config, 0, "Digest failed with: %s", s);
 
        r.element = choice_DigestRepInner_error;
index 139b5e70875f416f110ac4fabbba9fb799628a2a..9d52fd4c2ec16cbde0f695e039e4b459e3d074c4 100644 (file)
@@ -58,21 +58,17 @@ typedef struct krb5_kdc_configuration {
     int num_db;
 
     krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
-       
+
+    krb5_boolean as_use_strongest_session_key;
+    krb5_boolean preauth_use_strongest_session_key;
+    krb5_boolean tgs_use_strongest_session_key;
+    krb5_boolean use_strongest_server_key;
+
     krb5_boolean check_ticket_addresses;
     krb5_boolean allow_null_ticket_addresses;
     krb5_boolean allow_anonymous;
     enum krb5_kdc_trpolicy trpolicy;
 
-    char *v4_realm;
-    krb5_boolean enable_v4;
-    krb5_boolean enable_v4_cross_realm;
-    krb5_boolean enable_v4_per_principal;
-
-    krb5_boolean enable_kaserver;
-
-    krb5_boolean enable_524;
-
     krb5_boolean enable_pkinit;
     krb5_boolean pkinit_princ_in_cert;
     const char *pkinit_kdc_identity;
index a437b9dbd91e18d60dee1ba8d8f4be6bba8b5cec..4bc1619170b04aa6cde039cd6759f3350365ba14 100644 (file)
@@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
     if (req->padata == NULL)
        return NULL;
 
-    while(*start < req->padata->len){
+    while((size_t)*start < req->padata->len){
        (*start)++;
-       if(req->padata->val[*start - 1].padata_type == type)
+       if(req->padata->val[*start - 1].padata_type == (unsigned)type)
            return &req->padata->val[*start - 1];
     }
     return NULL;
@@ -123,36 +123,103 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
  */
 
 krb5_error_code
-_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
+_kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
+               krb5_boolean is_preauth, hdb_entry_ex *princ,
                krb5_enctype *etypes, unsigned len,
-               Key **ret_key)
+               krb5_enctype *ret_enctype, Key **ret_key)
 {
-    int i;
-    krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+    krb5_error_code ret;
     krb5_salt def_salt;
+    krb5_enctype enctype = ETYPE_NULL;
+    Key *key;
+    int i;
 
-    krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
+    /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
+    ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
+    if (ret)
+       return ret;
 
-    for(i = 0; ret != 0 && i < len ; i++) {
-       Key *key = NULL;
+    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
 
-       if (krb5_enctype_valid(context, etypes[i]) != 0 &&
-           !_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
-           continue;
+    if (use_strongest_session_key) {
+       const krb5_enctype *p;
+       krb5_enctype clientbest = ETYPE_NULL;
+       int j;
 
-       while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
-           if (key->key.keyvalue.length == 0) {
-               ret = KRB5KDC_ERR_NULL_KEY;
+       /*
+        * Pick the strongest key that the KDC, target service, and
+        * client all support, using the local cryptosystem enctype
+        * list in strongest-to-weakest order to drive the search.
+        *
+        * This is not what RFC4120 says to do, but it encourages
+        * adoption of stronger enctypes.  This doesn't play well with
+        * clients that have multiple Kerberos client implementations
+        * available with different supported enctype lists.
+        */
+
+       /* drive the search with local supported enctypes list */
+       p = krb5_kerberos_enctypes(context);
+       for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
+           if (krb5_enctype_valid(context, p[i]) != 0)
                continue;
+
+           /* check that the client supports it too */
+           for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
+               if (p[i] != etypes[j])
+                   continue;
+               /* save best of union of { client, crypto system } */
+               if (clientbest == ETYPE_NULL)
+                   clientbest = p[i];
+               /* check target princ support */
+               ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
+               if (ret)
+                   continue;
+               if (is_preauth && !is_default_salt_p(&def_salt, key))
+                   continue;
+               enctype = p[i];
            }
-           *ret_key   = key;
-           ret = 0;
-           if (is_default_salt_p(&def_salt, key)) {
-               krb5_free_salt (context, def_salt);
-               return ret;
+       }
+       if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
+           enctype = clientbest;
+       else if (enctype == ETYPE_NULL)
+           ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+       if (ret == 0 && ret_enctype != NULL)
+           *ret_enctype = enctype;
+       if (ret == 0 && ret_key != NULL)
+           *ret_key = key;
+    } else {
+       /*
+        * Pick the first key from the client's enctype list that is
+        * supported by the cryptosystem and by the given principal.
+        *
+        * RFC4120 says we SHOULD pick the first _strong_ key from the
+        * client's list... not the first key...  If the admin disallows
+        * weak enctypes in krb5.conf and selects this key selection
+        * algorithm, then we get exactly what RFC4120 says.
+        */
+       for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) {
+
+           if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+               !_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
+               continue;
+
+           while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
+               if (key->key.keyvalue.length == 0) {
+                   ret = KRB5KDC_ERR_NULL_KEY;
+                   continue;
+               }
+               if (ret_key != NULL)
+                   *ret_key = key;
+               if (ret_enctype != NULL)
+                   *ret_enctype = etypes[i];
+               ret = 0;
+               if (is_preauth && is_default_salt_p(&def_salt, key))
+                   goto out;
            }
        }
     }
+
+out:
     krb5_free_salt (context, def_salt);
     return ret;
 }
@@ -211,8 +278,8 @@ log_patypes(krb5_context context,
 {
     struct rk_strpool *p = NULL;
     char *str;
-    int i;
-       
+    size_t i;
+
     for (i = 0; i < padata->len; i++) {
        switch(padata->val[i].padata_type) {
        case KRB5_PADATA_PK_AS_REQ:
@@ -240,7 +307,7 @@ log_patypes(krb5_context context,
     }
     if (p == NULL)
        p = rk_strpoolprintf(p, "none");
-       
+
     str = rk_strpoolcollect(p);
     kdc_log(context, config, 0, "Client sent patypes: %s", str);
     free(str);
@@ -264,7 +331,7 @@ _kdc_encode_reply(krb5_context context,
 {
     unsigned char *buf;
     size_t buf_size;
-    size_t len;
+    size_t len = 0;
     krb5_error_code ret;
     krb5_crypto crypto;
 
@@ -614,7 +681,7 @@ log_as_req(krb5_context context,
     krb5_error_code ret;
     struct rk_strpool *p;
     char *str;
-    int i;
+    size_t i;
 
     p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
 
@@ -694,13 +761,13 @@ kdc_check_flags(krb5_context context,
                    "Client (%s) has invalid bit set", client_name);
            return KRB5KDC_ERR_POLICY;
        }
-       
+
        if(!client->flags.client){
            kdc_log(context, config, 0,
                    "Principal may not act as client -- %s", client_name);
            return KRB5KDC_ERR_POLICY;
        }
-       
+
        if (client->valid_start && *client->valid_start > kdc_time) {
            char starttime_str[100];
            krb5_format_time(context, *client->valid_start,
@@ -710,7 +777,7 @@ kdc_check_flags(krb5_context context,
                    starttime_str, client_name);
            return KRB5KDC_ERR_CLIENT_NOTYET;
        }
-       
+
        if (client->valid_end && *client->valid_end < kdc_time) {
            char endtime_str[100];
            krb5_format_time(context, *client->valid_end,
@@ -720,7 +787,7 @@ kdc_check_flags(krb5_context context,
                    endtime_str, client_name);
            return KRB5KDC_ERR_NAME_EXP;
        }
-       
+
        if (client->pw_end && *client->pw_end < kdc_time
            && (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
            char pwend_str[100];
@@ -809,7 +876,7 @@ _kdc_check_addresses(krb5_context context,
     krb5_address addr;
     krb5_boolean result;
     krb5_boolean only_netbios = TRUE;
-    int i;
+    size_t i;
 
     if(config->check_ticket_addresses == 0)
        return TRUE;
@@ -976,7 +1043,7 @@ _kdc_as_rep(krb5_context context,
            goto out;
        }
     } else if (b->kdc_options.request_anonymous) {
-       kdc_log(context, config, 0, 
+       kdc_log(context, config, 0,
                "Request for a anonymous ticket with non "
                "anonymous client name: %s", client_name);
        ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -1018,59 +1085,31 @@ _kdc_as_rep(krb5_context context,
     memset(&ek, 0, sizeof(ek));
 
     /*
-     * Select a session enctype from the list of the crypto systems
-     * supported enctype, is supported by the client and is one of the
-     * enctype of the enctype of the krbtgt.
+     * Select a session enctype from the list of the crypto system
+     * supported enctypes that is supported by the client and is one of
+     * the enctype of the enctype of the service (likely krbtgt).
      *
-     * The later is used as a hint what enctype all KDC are supporting
-     * to make sure a newer version of KDC wont generate a session
-     * enctype that and older version of a KDC in the same realm can't
+     * The latter is used as a hint of what enctypes all KDC support,
+     * to make sure a newer version of KDC won't generate a session
+     * enctype that an older version of a KDC in the same realm can't
      * decrypt.
-     *
-     * But if the KDC admin is paranoid and doesn't want to have "no
+     */
+    ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
+                         client, b->etype.val, b->etype.len, &sessionetype,
+                         NULL);
+    if (ret) {
+       kdc_log(context, config, 0,
+               "Client (%s) from %s has no common enctypes with KDC "
+               "to use for the session key",
+               client_name, from);
+       goto out;
+    }
+    /*
+     * But if the KDC admin is paranoid and doesn't want to have "not
      * the best" enctypes on the krbtgt, lets save the best pick from
      * the client list and hope that that will work for any other
      * KDCs.
      */
-    {
-       const krb5_enctype *p;
-       krb5_enctype clientbest = ETYPE_NULL;
-       int i, j;
-
-       p = krb5_kerberos_enctypes(context);
-
-       sessionetype = ETYPE_NULL;
-
-       for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
-           if (krb5_enctype_valid(context, p[i]) != 0)
-               continue;
-
-           for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
-               Key *dummy;
-               /* check with client */
-               if (p[i] != b->etype.val[j])
-                   continue;
-               /* save best of union of { client, crypto system } */
-               if (clientbest == ETYPE_NULL)
-                   clientbest = p[i];
-               /* check with krbtgt */
-               ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
-               if (ret)
-                   continue;
-               sessionetype = p[i];
-           }
-       }
-       /* if krbtgt had no shared keys with client, pick clients best */
-       if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
-           sessionetype = clientbest;
-       } else if (sessionetype == ETYPE_NULL) {
-           kdc_log(context, config, 0,
-                   "Client (%s) from %s has no common enctypes with KDC"
-                   "to use for the session key",
-                   client_name, from);
-           goto out;
-       }
-    }
 
     /*
      * Pre-auth processing
@@ -1111,7 +1150,7 @@ _kdc_as_rep(krb5_context context,
 
            ret = _kdc_pk_check_client(context,
                                       config,
-                                      clientdb, 
+                                      clientdb,
                                       client,
                                       pkp,
                                       &client_cert);
@@ -1119,7 +1158,7 @@ _kdc_as_rep(krb5_context context,
                e_text = "PKINIT certificate not allowed to "
                    "impersonate principal";
                _kdc_pk_free_client_param(context, pkp);
-               
+
                kdc_log(context, config, 0, "%s", e_text);
                pkp = NULL;
                goto out;
@@ -1148,9 +1187,9 @@ _kdc_as_rep(krb5_context context,
            EncryptedData enc_data;
            Key *pa_key;
            char *str;
-       
+
            found_pa = 1;
-       
+
            if (b->kdc_options.request_anonymous) {
                ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
                kdc_log(context, config, 0, "ENC-TS doesn't support anon");
@@ -1167,7 +1206,7 @@ _kdc_as_rep(krb5_context context,
                        client_name);
                goto out;
            }
-       
+
            ret = hdb_enctype2key(context, &client->entry,
                                  enc_data.etype, &pa_key);
            if(ret){
@@ -1256,7 +1295,7 @@ _kdc_as_rep(krb5_context context,
            free_PA_ENC_TS_ENC(&p);
            if (abs(kdc_time - p.patimestamp) > context->max_skew) {
                char client_time[100];
-               
+
                krb5_format_time(context, p.patimestamp,
                                 client_time, sizeof(client_time), TRUE);
 
@@ -1353,8 +1392,9 @@ _kdc_as_rep(krb5_context context,
        /*
         * If there is a client key, send ETYPE_INFO{,2}
         */
-       ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
-                             &ckey);
+       ret = _kdc_find_etype(context,
+                             config->preauth_use_strongest_session_key, TRUE,
+                             client, b->etype.val, b->etype.len, NULL, &ckey);
        if (ret == 0) {
 
            /*
@@ -1384,7 +1424,7 @@ _kdc_as_rep(krb5_context context,
                goto out;
            }
        }
-       
+
        ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
        free_METHOD_DATA(&method_data);
 
@@ -1401,7 +1441,7 @@ _kdc_as_rep(krb5_context context,
     }
 
     if (clientdb->hdb_auth_status)
-       (clientdb->hdb_auth_status)(context, clientdb, client, 
+       (clientdb->hdb_auth_status)(context, clientdb, client,
                                    HDB_AUTH_SUCCESS);
 
     /*
@@ -1503,7 +1543,7 @@ _kdc_as_rep(krb5_context context,
     {
        time_t start;
        time_t t;
-       
+
        start = et.authtime = kdc_time;
 
        if(f.postdated && req->req_body.from){
@@ -1663,8 +1703,8 @@ _kdc_as_rep(krb5_context context,
        PA_ClientCanonicalized canon;
        krb5_data data;
        PA_DATA pa;
-       krb5_crypto crypto;
-       size_t len;
+       krb5_crypto cryptox;
+       size_t len = 0;
 
        memset(&canon, 0, sizeof(canon));
 
@@ -1679,21 +1719,21 @@ _kdc_as_rep(krb5_context context,
            krb5_abortx(context, "internal asn.1 error");
 
        /* sign using "returned session key" */
-       ret = krb5_crypto_init(context, &et.key, 0, &crypto);
+       ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
        if (ret) {
            free(data.data);
            goto out;
        }
 
-       ret = krb5_create_checksum(context, crypto,
+       ret = krb5_create_checksum(context, cryptox,
                                   KRB5_KU_CANONICALIZED_NAMES, 0,
                                   data.data, data.length,
                                   &canon.canon_checksum);
        free(data.data);
-       krb5_crypto_destroy(context, crypto);
+       krb5_crypto_destroy(context, cryptox);
        if (ret)
            goto out;
-       
+
        ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
                           &canon, &len, ret);
        free_Checksum(&canon.canon_checksum);
@@ -1826,7 +1866,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
                            const krb5_data *data)
 {
     krb5_error_code ret;
-    size_t size;
+    size_t size = 0;
 
     if (tkt->authorization_data == NULL) {
        tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
@@ -1835,7 +1875,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
            return ENOMEM;
        }
     }
-       
+
     /* add the entry to the last element */
     {
        AuthorizationData ad = { 0, NULL };
@@ -1863,7 +1903,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
        }
        if (ade.ad_data.length != size)
            krb5_abortx(context, "internal asn.1 encoder error");
-       
+
        ret = add_AuthorizationData(tkt->authorization_data, &ade);
        der_free_octet_string(&ade.ad_data);
        if (ret) {
index 55d5d09edec0153db9bb78a76b82f107c2c09805..92cce5759f49ed2d6d0922dce51080748f9c0c46 100644 (file)
@@ -64,7 +64,7 @@ find_KRB5SignedPath(krb5_context context,
     AuthorizationData child;
     krb5_error_code ret;
     int pos;
-       
+
     if (ad == NULL || ad->len == 0)
        return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
 
@@ -113,7 +113,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
     KRB5SignedPath sp;
     krb5_data data;
     krb5_crypto crypto = NULL;
-    size_t size;
+    size_t size = 0;
 
     if (server && principals) {
        ret = add_Principals(principals, server);
@@ -123,12 +123,12 @@ _kdc_add_KRB5SignedPath(krb5_context context,
 
     {
        KRB5SignedPathData spd;
-       
+
        spd.client = client;
        spd.authtime = tkt->authtime;
        spd.delegated = principals;
        spd.method_data = NULL;
-       
+
        ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
                           &spd, &size, ret);
        if (ret)
@@ -203,7 +203,7 @@ check_KRB5SignedPath(krb5_context context,
     if (ret == 0) {
        KRB5SignedPathData spd;
        KRB5SignedPath sp;
-       size_t size;
+       size_t size = 0;
 
        ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
        krb5_data_free(&data);
@@ -357,7 +357,7 @@ check_PAC(krb5_context context,
                                         server_sign_key, krbtgt_sign_key, rspac);
                }
                krb5_pac_free(context, pac);
-               
+
                return ret;
            }
        }
@@ -376,7 +376,7 @@ check_tgs_flags(krb5_context context,
                KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
 {
     KDCOptions f = b->kdc_options;
-       
+
     if(f.validate){
        if(!tgt->flags.invalid || tgt->starttime == NULL){
            kdc_log(context, config, 0,
@@ -415,7 +415,7 @@ check_tgs_flags(krb5_context context,
     }
     if(tgt->flags.forwarded)
        et->flags.forwarded = 1;
-       
+
     if(f.proxiable){
        if(!tgt->flags.proxiable){
            kdc_log(context, config, 0,
@@ -485,7 +485,7 @@ check_tgs_flags(krb5_context context,
        et->endtime = *et->starttime + old_life;
        if (et->renew_till != NULL)
            et->endtime = min(*et->renew_till, et->endtime);
-    }  
+    }
 
 #if 0
     /* checks for excess flags */
@@ -512,7 +512,7 @@ check_constrained_delegation(krb5_context context,
 {
     const HDB_Ext_Constrained_delegation_acl *acl;
     krb5_error_code ret;
-    int i;
+    size_t i;
 
     /*
      * constrained_delegation (S4U2Proxy) only works within
@@ -541,7 +541,7 @@ check_constrained_delegation(krb5_context context,
            krb5_clear_error_message(context);
            return ret;
        }
-       
+
        if (acl) {
            for (i = 0; i < acl->len; i++) {
                if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
@@ -623,7 +623,7 @@ fix_transited_encoding(krb5_context context,
     krb5_error_code ret = 0;
     char **realms, **tmp;
     unsigned int num_realms;
-    int i;
+    size_t i;
 
     switch (tr->tr_type) {
     case DOMAIN_X500_COMPRESS:
@@ -843,7 +843,7 @@ tgs_make_reply(krb5_context context,
            renew = min(renew, *server->entry.max_renew);
        *et.renew_till = et.authtime + renew;
     }
-       
+
     if(et.renew_till){
        *et.renew_till = min(*et.renew_till, *tgt->renew_till);
        *et.starttime = min(*et.starttime, *et.renew_till);
@@ -877,7 +877,7 @@ tgs_make_reply(krb5_context context,
        if (ret)
            goto out;
     }
-       
+
     if (auth_data) {
        unsigned int i = 0;
 
@@ -919,7 +919,7 @@ tgs_make_reply(krb5_context context,
        goto out;
     et.crealm = tgt_name->realm;
     et.cname = tgt_name->name;
-       
+
     ek.key = et.key;
     /* MIT must have at least one last_req */
     ek.last_req.len = 1;
@@ -1021,7 +1021,7 @@ tgs_check_authenticator(krb5_context context,
                        krb5_keyblock *key)
 {
     krb5_authenticator auth;
-    size_t len;
+    size_t len = 0;
     unsigned char *buf;
     size_t buf_size;
     krb5_error_code ret;
@@ -1048,7 +1048,7 @@ tgs_check_authenticator(krb5_context context,
        ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
        goto out;
     }
-               
+
     /* XXX should not re-encode this */
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
     if(ret){
@@ -1107,7 +1107,7 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
                                                   NULL);
     return new_realm;
 }
-       
+
 
 static krb5_boolean
 need_referral(krb5_context context, krb5_kdc_configuration *config,
@@ -1148,6 +1148,7 @@ tgs_parse_request(krb5_context context,
                  krb5_keyblock **replykey,
                  int *rk_is_subkey)
 {
+    static char failed[] = "<unparse_name failed>";
     krb5_ap_req ap_req;
     krb5_error_code ret;
     krb5_principal princ;
@@ -1191,7 +1192,7 @@ tgs_parse_request(krb5_context context,
        char *p;
        ret = krb5_unparse_name(context, princ, &p);
        if (ret != 0)
-           p = "<unparse_name failed>";
+           p = failed;
        krb5_free_principal(context, princ);
        kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
        if (ret == 0)
@@ -1203,7 +1204,7 @@ tgs_parse_request(krb5_context context,
        char *p;
        ret = krb5_unparse_name(context, princ, &p);
        if (ret != 0)
-           p = "<unparse_name failed>";
+           p = failed;
        krb5_free_principal(context, princ);
        kdc_log(context, config, 0,
                "Ticket-granting ticket not found in database: %s", msg);
@@ -1215,13 +1216,13 @@ tgs_parse_request(krb5_context context,
     }
 
     if(ap_req.ticket.enc_part.kvno &&
-       *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
+       (unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
        char *p;
 
        ret = krb5_unparse_name (context, princ, &p);
        krb5_free_principal(context, princ);
        if (ret != 0)
-           p = "<unparse_name failed>";
+           p = failed;
        kdc_log(context, config, 0,
                "Ticket kvno = %d, DB kvno = %d (%s)",
                *ap_req.ticket.enc_part.kvno,
@@ -1266,7 +1267,7 @@ tgs_parse_request(krb5_context context,
                              &ap_req_options,
                              ticket,
                              KRB5_KU_TGS_REQ_AUTH);
-                       
+
     krb5_free_principal(context, princ);
     if(ret) {
        const char *msg = krb5_get_error_message(context, ret);
@@ -1396,12 +1397,12 @@ build_server_referral(krb5_context context,
                      const PrincipalName *true_principal_name,
                      const PrincipalName *requested_principal,
                      krb5_data *outdata)
-{              
+{
     PA_ServerReferralData ref;
     krb5_error_code ret;
     EncryptedData ed;
     krb5_data data;
-    size_t size;
+    size_t size = 0;
 
     memset(&ref, 0, sizeof(ref));
 
@@ -1521,7 +1522,7 @@ tgs_build_reply(krb5_context context,
        hdb_entry_ex *uu;
        krb5_principal p;
        Key *uukey;
-       
+
        if(b->additional_tickets == NULL ||
           b->additional_tickets->len == 0){
            ret = KRB5KDC_ERR_BADOPTION; /* ? */
@@ -1567,7 +1568,7 @@ tgs_build_reply(krb5_context context,
     }
 
     _krb5_principalname2krb5_principal(context, &sp, *s, r);
-    ret = krb5_unparse_name(context, sp, &spn);        
+    ret = krb5_unparse_name(context, sp, &spn);
     if (ret)
        goto out;
     _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
@@ -1612,7 +1613,7 @@ server_lookup:
                    free(spn);
                    krb5_make_principal(context, &sp, r,
                                        KRB5_TGS_NAME, new_rlm, NULL);
-                   ret = krb5_unparse_name(context, sp, &spn); 
+                   ret = krb5_unparse_name(context, sp, &spn);
                    if (ret)
                        goto out;
 
@@ -1662,7 +1663,7 @@ server_lookup:
        krb5_enctype etype;
 
        if(b->kdc_options.enc_tkt_in_skey) {
-           int i;
+           size_t i;
            ekey = &adtkt.key;
            for(i = 0; i < b->etype.len; i++)
                if (b->etype.val[i] == adtkt.key.keytype)
@@ -1678,9 +1679,11 @@ server_lookup:
            kvno = 0;
        } else {
            Key *skey;
-       
-           ret = _kdc_find_etype(context, server,
-                                 b->etype.val, b->etype.len, &skey);
+
+           ret = _kdc_find_etype(context,
+                                 config->tgs_use_strongest_session_key, FALSE,
+                                 server, b->etype.val, b->etype.len, NULL,
+                                 &skey);
            if(ret) {
                kdc_log(context, config, 0,
                        "Server (%s) has no support for etypes", spn);
@@ -1690,7 +1693,7 @@ server_lookup:
            etype = skey->key.keytype;
            kvno = server->entry.kvno;
        }
-       
+
        ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
        if (ret)
            goto out;
@@ -1717,11 +1720,11 @@ server_lookup:
     /* Now refetch the primary krbtgt, and get the current kvno (the
      * sign check may have been on an old kvno, and the server may
      * have been an incoming trust) */
-    ret = krb5_make_principal(context, &krbtgt_principal, 
+    ret = krb5_make_principal(context, &krbtgt_principal,
                              krb5_principal_get_comp_string(context,
                                                             krbtgt->entry.principal,
                                                             1),
-                             KRB5_TGS_NAME, 
+                             KRB5_TGS_NAME,
                              krb5_principal_get_comp_string(context,
                                                             krbtgt->entry.principal,
                                                             1), NULL);
@@ -2052,7 +2055,7 @@ server_lookup:
            goto out;
        }
 
-       ret = check_constrained_delegation(context, config, clientdb, 
+       ret = check_constrained_delegation(context, config, clientdb,
                                           client, server, sp);
        if (ret) {
            kdc_log(context, config, 0,
@@ -2067,17 +2070,18 @@ server_lookup:
        }
 
        krb5_data_free(&rspac);
+
        /*
-        * generate the PAC for the user and pass
-        * dp for the S4U_DELEGATION_INFO blob in the PAC.
+        * generate the PAC for the user.
+        *
+        * TODO: pass in t->sname and t->realm and build
+        * a S4U_DELEGATION_INFO blob to the PAC.
         */
        ret = check_PAC(context, config, tp, dp,
                        client, server, krbtgt,
                        &clientkey->key, &tkey_check->key,
                        ekey, &tkey_sign->key,
                        &adtkt, &rspac, &ad_signedpath);
-       if (ret == 0 && !ad_signedpath)
-           ret = KRB5KDC_ERR_BADOPTION;
        if (ret) {
            const char *msg = krb5_get_error_message(context, ret);
            kdc_log(context, config, 0,
@@ -2094,12 +2098,10 @@ server_lookup:
        ret = check_KRB5SignedPath(context,
                                   config,
                                   krbtgt,
-                                  tp,
+                                  cp,
                                   &adtkt,
                                   NULL,
                                   &ad_signedpath);
-       if (ret == 0 && !ad_signedpath)
-           ret = KRB5KDC_ERR_BADOPTION;
        if (ret) {
            const char *msg = krb5_get_error_message(context, ret);
            kdc_log(context, config, 0,
@@ -2111,6 +2113,16 @@ server_lookup:
            goto out;
        }
 
+       if (!ad_signedpath) {
+           ret = KRB5KDC_ERR_BADOPTION;
+           kdc_log(context, config, 0,
+                   "Ticket not signed with PAC nor SignedPath service %s failed "
+                   "for delegation to %s for client %s (%s)"
+                   "from %s",
+                   spn, tpn, dpn, cpn, from);
+           goto out;
+       }
+
        kdc_log(context, config, 0, "constrained delegation for %s "
                "from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
@@ -2141,7 +2153,7 @@ server_lookup:
        kdc_log(context, config, 0, "Request from wrong address");
        goto out;
     }
-       
+
     /*
      * If this is an referral, add server referral data to the
      * auth_data reply .
@@ -2203,7 +2215,7 @@ server_lookup:
                         &enc_pa_data,
                         e_text,
                         reply);
-       
+
 out:
     if (tpn != cpn)
            free(tpn);
@@ -2279,7 +2291,7 @@ _kdc_tgs_rep(krb5_context context,
 
     if(tgs_req == NULL){
        ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-       
+
        kdc_log(context, config, 0,
                "TGS-REQ from %s without PA-TGS-REQ", from);
        goto out;
index f6f8f8a3bd6ee8f48c32ec8bf0dfeb00d01b78d3..8d683d50a375ddb35968f801c6b8cd7c741c6afd 100644 (file)
@@ -259,7 +259,7 @@ build_certificate(krb5_context context,
     hx509_cert_free(cert);
     if (ret)
        goto out;
-               
+
     return 0;
 out:
     if (env)
@@ -355,7 +355,7 @@ _kdc_do_kx509(krb5_context context,
                krb5_xfree(expected);
                goto out;
            }
-           
+
            ret = KRB5KDC_ERR_SERVER_NOMATCH;
            krb5_set_error_message(context, ret,
                                   "User %s used wrong Kx509 service "
index 6657aca5cb48eadba9ddd0c66d4b7ee51f3c8d3e..6d85729f514cb6cef898331ceec0f8612e5cbab5 100644 (file)
@@ -50,10 +50,12 @@ kdc_openlog(krb5_context context,
            krb5_addlog_dest(context, config->logf, *p);
        krb5_config_free_strings(s);
     }else {
-       char *s;
-       asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
-       krb5_addlog_dest(context, config->logf, s);
-       free(s);
+       char *ss;
+       if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
+           KDC_LOG_FILE) < 0)
+           err(1, NULL);
+       krb5_addlog_dest(context, config->logf, ss);
+       free(ss);
     }
     krb5_set_warn_dest(context, config->logf);
 }
index 297fa3824b72e88a7bbd418e54cfbea084178615..f9b34571a32a13930a9793111f1a8571de8dc77a 100644 (file)
@@ -62,7 +62,7 @@ _kdc_db_fetch(krb5_context context,
 
     for(i = 0; i < config->num_db; i++) {
        krb5_principal enterprise_principal = NULL;
-       if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) 
+       if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
            && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
            if (principal->name.name_string.len != 1) {
                ret = KRB5_PARSE_MALFORMED;
@@ -134,24 +134,41 @@ _kdc_get_preferred_key(krb5_context context,
                       krb5_enctype *enctype,
                       Key **key)
 {
-    const krb5_enctype *p;
     krb5_error_code ret;
     int i;
 
-    p = krb5_kerberos_enctypes(context);
-
-    for (i = 0; p[i] != ETYPE_NULL; i++) {
-       if (krb5_enctype_valid(context, p[i]) != 0)
-           continue;
-       ret = hdb_enctype2key(context, &h->entry, p[i], key);
-       if (ret == 0) {
-           *enctype = p[i];
+    if (config->use_strongest_server_key) {
+       const krb5_enctype *p = krb5_kerberos_enctypes(context);
+
+       for (i = 0; p[i] != ETYPE_NULL; i++) {
+           if (krb5_enctype_valid(context, p[i]) != 0)
+               continue;
+           ret = hdb_enctype2key(context, &h->entry, p[i], key);
+           if (ret != 0)
+               continue;
+           if (enctype != NULL)
+               *enctype = p[i];
+           return 0;
+       }
+    } else {
+       *key = NULL;
+
+       for (i = 0; i < h->entry.keys.len; i++) {
+           if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
+               != 0)
+               continue;
+           ret = hdb_enctype2key(context, &h->entry,
+               h->entry.keys.val[i].key.keytype, key);
+           if (ret != 0)
+               continue;
+           if (enctype != NULL)
+               *enctype = (*key)->key.keytype;
            return 0;
        }
     }
 
     krb5_set_error_message(context, EINVAL,
                           "No valid kerberos key found for %s", name);
-    return EINVAL;
+    return EINVAL; /* XXX */
 }
 
index 9c0be23b14c3d78d44b137af97a9a5fc7db4a7cd..a02cb816ab7e1bdc3765badaf5823111bf4b5945 100644 (file)
@@ -116,7 +116,7 @@ pk_check_pkauthenticator(krb5_context context,
     u_char *buf = NULL;
     size_t buf_size;
     krb5_error_code ret;
-    size_t len;
+    size_t len = 0;
     krb5_timestamp now;
     Checksum checksum;
 
@@ -148,7 +148,7 @@ pk_check_pkauthenticator(krb5_context context,
        krb5_clear_error_message(context);
        return ret;
     }
-       
+
     if (a->paChecksum == NULL) {
        krb5_clear_error_message(context);
        ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
@@ -222,7 +222,7 @@ generate_dh_keyblock(krb5_context context,
 
        if (!DH_generate_key(client_params->u.dh.key)) {
            ret = KRB5KRB_ERR_GENERIC;
-           krb5_set_error_message(context, ret, 
+           krb5_set_error_message(context, ret,
                                   "Can't generate Diffie-Hellman keys");
            goto out;
        }
@@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context,
        }
 
        dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
-       if (dh_gen_keylen == -1) {
+       if (dh_gen_keylen == (size_t)-1) {
            ret = KRB5KRB_ERR_GENERIC;
            krb5_set_error_message(context, ret,
                                   "Can't compute Diffie-Hellman key");
@@ -281,14 +281,14 @@ generate_dh_keyblock(krb5_context context,
            goto out;
        }
 
-       dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, 
+       dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
                                         EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
                                         client_params->u.ecdh.key, NULL);
 
 #endif /* HAVE_OPENSSL */
     } else {
        ret = KRB5KRB_ERR_GENERIC;
-       krb5_set_error_message(context, ret, 
+       krb5_set_error_message(context, ret,
                               "Diffie-Hellman not selected keys");
        goto out;
     }
@@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context,
        goto out;
     }
 
-    ret = hx509_certs_merge(context->hx509ctx, trust_anchors, 
+    ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
                            kdc_identity->anchors);
     if (ret) {
        hx509_certs_free(&trust_anchors);
@@ -538,7 +538,7 @@ _kdc_pk_rd_padata(krb5_context context,
     if (ret == 0 && pc != NULL) {
        hx509_cert cert;
        unsigned int i;
-       
+
        for (i = 0; i < pc->len; i++) {
            ret = hx509_cert_init_data(context->hx509ctx,
                                       pc->val[i].cert.data,
@@ -572,7 +572,7 @@ _kdc_pk_rd_padata(krb5_context context,
 
        if (req->req_body.kdc_options.request_anonymous) {
            ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
-           krb5_set_error_message(context, ret, 
+           krb5_set_error_message(context, ret,
                                   "Anon not supported in RSA mode");
            goto out;
        }
@@ -586,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                   "PK-AS-REQ-Win2k: %d", ret);
            goto out;
        }
-       
+
        ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
                                           &contentInfoOid,
                                           &signed_content,
@@ -612,7 +612,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                   "Can't decode PK-AS-REQ: %d", ret);
            goto out;
        }
-       
+
        /* XXX look at r.kdcPkId */
        if (r.trustedCertifiers) {
            ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
@@ -624,12 +624,12 @@ _kdc_pk_rd_padata(krb5_context context,
                                   &cp->client_anchors);
            if (ret) {
                krb5_set_error_message(context, ret,
-                                      "Can't allocate client anchors: %d", 
+                                      "Can't allocate client anchors: %d",
                                       ret);
                goto out;
 
            }
-           /* 
+           /*
             * If the client sent more then 10 EDI, don't bother
             * looking more then 10 of performance reasons.
             */
@@ -651,7 +651,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                          "Failed to allocate hx509_query");
                    goto out;
                }
-               
+
                ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
                                                   edi->val[i].issuerAndSerialNumber->length,
                                                   &iasn,
@@ -704,7 +704,7 @@ _kdc_pk_rd_padata(krb5_context context,
                               "PK-AS-REQ-Win2k invalid content type oid");
        goto out;
     }
-       
+
     if (!have_data) {
        ret = KRB5KRB_ERR_GENERIC;
        krb5_set_error_message(context, ret,
@@ -805,7 +805,7 @@ _kdc_pk_rd_padata(krb5_context context,
            ap.clientPublicValue == NULL) {
            free_AuthPack(&ap);
            ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
-           krb5_set_error_message(context, ret, 
+           krb5_set_error_message(context, ret,
                                   "Anon not supported in RSA mode");
            goto out;
        }
@@ -849,7 +849,7 @@ _kdc_pk_rd_padata(krb5_context context,
            free_AuthPack(&ap);
            goto out;
        }
-       
+
        if (ap.supportedCMSTypes) {
            ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
                                               cp->peer,
@@ -885,7 +885,7 @@ out:
     der_free_oid(&contentInfoOid);
     if (ret) {
         _kdc_pk_free_client_param(context, cp);
-    } else 
+    } else
        *ret_params = cp;
     return ret;
 }
@@ -921,7 +921,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
     const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
     krb5_error_code ret;
     krb5_data buf, signed_data;
-    size_t size;
+    size_t size = 0;
     int do_win2k = 0;
 
     krb5_data_zero(&buf);
@@ -954,7 +954,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
        break;
     default:
        krb5_abortx(context, "internal pkinit error");
-    }  
+    }
 
     if (do_win2k) {
        ReplyKeyPack_Win2k kp;
@@ -966,7 +966,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
            goto out;
        }
        kp.nonce = cp->nonce;
-       
+
        ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
                           buf.data, buf.length,
                           &kp, &size,ret);
@@ -995,7 +995,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
            krb5_clear_error_message(context);
            goto out;
        }
-                       
+
        ret = krb5_crypto_destroy(context, ascrypto);
        if (ret) {
            krb5_clear_error_message(context);
@@ -1015,15 +1015,15 @@ pk_mk_pa_reply_enckey(krb5_context context,
     {
        hx509_query *q;
        hx509_cert cert;
-       
+
        ret = hx509_query_alloc(context->hx509ctx, &q);
        if (ret)
            goto out;
-       
+
        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
        if (config->pkinit_kdc_friendly_name)
            hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-       
+
        ret = hx509_certs_find(context->hx509ctx,
                               kdc_identity->certs,
                               q,
@@ -1031,7 +1031,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
        hx509_query_free(context->hx509ctx, q);
        if (ret)
            goto out;
-       
+
        ret = hx509_cms_create_signed_1(context->hx509ctx,
                                        0,
                                        sdAlg,
@@ -1078,7 +1078,7 @@ out:
         hx509_cert_free(*kdc_cert);
        *kdc_cert = NULL;
     }
-      
+
     krb5_data_free(&buf);
     krb5_data_free(&signed_data);
     return ret;
@@ -1101,7 +1101,7 @@ pk_mk_pa_reply_dh(krb5_context context,
     krb5_error_code ret;
     hx509_cert cert;
     hx509_query *q;
-    size_t size;
+    size_t size = 0;
 
     memset(&contentinfo, 0, sizeof(contentinfo));
     memset(&dh_info, 0, sizeof(dh_info));
@@ -1117,7 +1117,7 @@ pk_mk_pa_reply_dh(krb5_context context,
        ret = BN_to_integer(context, kdc_dh->pub_key, &i);
        if (ret)
            return ret;
-       
+
        ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
        der_free_heim_integer(&i);
        if (ret) {
@@ -1127,7 +1127,7 @@ pk_mk_pa_reply_dh(krb5_context context,
        }
        if (buf.length != size)
            krb5_abortx(context, "Internal ASN.1 encoder error");
-       
+
        dh_info.subjectPublicKey.length = buf.length * 8;
        dh_info.subjectPublicKey.data = buf.data;
        krb5_data_zero(&buf);
@@ -1154,7 +1154,7 @@ pk_mk_pa_reply_dh(krb5_context context,
     } else
        krb5_abortx(context, "no keyex selected ?");
 
-       
+
     dh_info.nonce = cp->nonce;
 
     ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
@@ -1175,11 +1175,11 @@ pk_mk_pa_reply_dh(krb5_context context,
     ret = hx509_query_alloc(context->hx509ctx, &q);
     if (ret)
        goto out;
-    
+
     hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
     if (config->pkinit_kdc_friendly_name)
        hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-    
+
     ret = hx509_certs_find(context->hx509ctx,
                           kdc_identity->certs,
                           q,
@@ -1187,7 +1187,7 @@ pk_mk_pa_reply_dh(krb5_context context,
     hx509_query_free(context->hx509ctx, q);
     if (ret)
        goto out;
-    
+
     ret = hx509_cms_create_signed_1(context->hx509ctx,
                                    0,
                                    &asn1_oid_id_pkdhkeydata,
@@ -1242,12 +1242,12 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                    METHOD_DATA *md)
 {
     krb5_error_code ret;
-    void *buf;
-    size_t len, size;
+    void *buf = NULL;
+    size_t len = 0, size = 0;
     krb5_enctype enctype;
     int pa_type;
     hx509_cert kdc_cert = NULL;
-    int i;
+    size_t i;
 
     if (!config->enable_pkinit) {
        krb5_clear_error_message(context);
@@ -1263,7 +1263,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
            krb5_set_error_message(context, ret,
                                   "No valid enctype available from client");
            goto out;
-       }       
+       }
        enctype = req->req_body.etype.val[i];
     } else
        enctype = ETYPE_DES3_CBC_SHA1;
@@ -1314,7 +1314,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
            if (rep.u.encKeyPack.length != size)
                krb5_abortx(context, "Internal ASN.1 encoder error");
 
-           ret = krb5_generate_random_keyblock(context, sessionetype, 
+           ret = krb5_generate_random_keyblock(context, sessionetype,
                                                sessionkey);
            if (ret) {
                free_PA_PK_AS_REP(&rep);
@@ -1368,7 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                krb5_abortx(context, "Internal ASN.1 encoder error");
 
            /* XXX KRB-FX-CF2 */
-           ret = krb5_generate_random_keyblock(context, sessionetype, 
+           ret = krb5_generate_random_keyblock(context, sessionetype,
                                                sessionkey);
            if (ret) {
                free_PA_PK_AS_REP(&rep);
@@ -1463,7 +1463,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
        if (len != size)
            krb5_abortx(context, "Internal ASN.1 encoder error");
 
-       ret = krb5_generate_random_keyblock(context, sessionetype, 
+       ret = krb5_generate_random_keyblock(context, sessionetype,
                                            sessionkey);
        if (ret) {
            free(buf);
@@ -1507,7 +1507,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                        "PK-INIT failed to stat ocsp data %d", ret);
                goto out_ocsp;
            }
-       
+
            ret = krb5_data_alloc(&ocsp.data, sb.st_size);
            if (ret) {
                close(fd);
@@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context,
              krb5_const_principal match)
 {
     hx509_octet_string_list list;
-    int ret, i, found = 0;
+    int ret, found = 0;
+    size_t i;
 
     memset(&list, 0 , sizeof(list));
 
@@ -1679,12 +1680,12 @@ match_ms_upn_san(krb5_context context,
     if (clientdb->hdb_check_pkinit_ms_upn_match) {
        ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
     } else {
-           
+
        /*
         * This is very wrong, but will do for a fallback
         */
        strupr(principal->realm);
-           
+
        if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
            ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
     }
@@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context,
     const HDB_Ext_PKINIT_cert *pc;
     krb5_error_code ret;
     hx509_name name;
-    int i;
+    size_t i;
 
     if (cp->cert == NULL) {
 
@@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context,
     ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
     if (ret == 0 && pc) {
        hx509_cert cert;
-       unsigned int i;
-       
-       for (i = 0; i < pc->len; i++) {
+       size_t j;
+
+       for (j = 0; j < pc->len; j++) {
            ret = hx509_cert_init_data(context->hx509ctx,
-                                      pc->val[i].cert.data,
-                                      pc->val[i].cert.length,
+                                      pc->val[j].cert.data,
+                                      pc->val[j].cert.length,
                                       &cert);
            if (ret)
                continue;
@@ -1770,7 +1771,7 @@ _kdc_pk_check_client(krb5_context context,
        ret = match_ms_upn_san(context, config,
                               context->hx509ctx,
                               cp->cert,
-                              clientdb, 
+                              clientdb,
                               client);
        if (ret == 0) {
            kdc_log(context, config, 5,
@@ -1871,7 +1872,7 @@ _kdc_add_inital_verified_cas(krb5_context context,
     AD_INITIAL_VERIFIED_CAS cas;
     krb5_error_code ret;
     krb5_data data;
-    size_t size;
+    size_t size = 0;
 
     memset(&cas, 0, sizeof(cas));
 
@@ -1937,7 +1938,7 @@ load_mappings(krb5_context context, const char *fn)
 
     fclose(f);
 }
-               
+
 /*
  *
  */
@@ -1982,17 +1983,17 @@ krb5_kdc_pk_initialize(krb5_context context,
     {
        hx509_query *q;
        hx509_cert cert;
-       
+
        ret = hx509_query_alloc(context->hx509ctx, &q);
        if (ret) {
            krb5_warnx(context, "PKINIT: out of memory");
            return ENOMEM;
        }
-       
+
        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
        if (config->pkinit_kdc_friendly_name)
            hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-       
+
        ret = hx509_certs_find(context->hx509ctx,
                               kdc_identity->certs,
                               q,
index 42266003312e5d214d0d77b556bf46214af69cc8..6f36915800bb9ee3245828334c8514f14e915e94 100644 (file)
@@ -47,7 +47,7 @@ krb5_kdc_update_time(struct timeval *tv)
        _kdc_now = *tv;
 }
 
-static krb5_error_code 
+static krb5_error_code
 kdc_as_req(krb5_context context,
           krb5_kdc_configuration *config,
           krb5_data *req_buffer,
@@ -74,7 +74,7 @@ kdc_as_req(krb5_context context,
 }
 
 
-static krb5_error_code 
+static krb5_error_code
 kdc_tgs_req(krb5_context context,
            krb5_kdc_configuration *config,
            krb5_data *req_buffer,
@@ -91,10 +91,10 @@ kdc_tgs_req(krb5_context context,
     ret = decode_TGS_REQ(req_buffer->data, req_buffer->length, &req, &len);
     if (ret)
        return ret;
-    
+
     *claim = 1;
 
-    ret = _kdc_tgs_rep(context, config, &req, reply, 
+    ret = _kdc_tgs_rep(context, config, &req, reply,
                       from, addr, datagram_reply);
     free_TGS_REQ(&req);
     return ret;
@@ -102,7 +102,7 @@ kdc_tgs_req(krb5_context context,
 
 #ifdef DIGEST
 
-static krb5_error_code 
+static krb5_error_code
 kdc_digest(krb5_context context,
           krb5_kdc_configuration *config,
           krb5_data *req_buffer,
@@ -132,7 +132,7 @@ kdc_digest(krb5_context context,
 
 #ifdef KX509
 
-static krb5_error_code 
+static krb5_error_code
 kdc_kx509(krb5_context context,
          krb5_kdc_configuration *config,
          krb5_data *req_buffer,
@@ -193,7 +193,7 @@ krb5_kdc_process_request(krb5_context context,
     unsigned int i;
     krb5_data req_buffer;
     int claim = 0;
-    
+
     req_buffer.data = buf;
     req_buffer.length = len;
 
@@ -232,7 +232,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
     unsigned int i;
     krb5_data req_buffer;
     int claim = 0;
-    
+
     req_buffer.data = buf;
     req_buffer.length = len;
 
@@ -245,7 +245,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
        if (claim)
            return ret;
     }
-                       
+
     return -1;
 }
 
index a58cebb8b241a407270509f9316e07207eea0c76..ba87abb7cc0b93fd20535149571426a3735c1e33 100644 (file)
@@ -55,7 +55,7 @@ krb5_kdc_windc_init(krb5_context context)
        windcft = _krb5_plugin_get_symbol(e);
        if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR)
            continue;
-       
+
        (*windcft->init)(context, &windcctx);
        break;
     }
@@ -119,9 +119,9 @@ _kdc_check_access(krb5_context context,
                                   server_ex, server_name,
                                   req->msg_type == krb_as_req);
 
-    return (windcft->client_access)(windcctx, 
-                                   context, config, 
-                                   client_ex, client_name, 
-                                   server_ex, server_name, 
+    return (windcft->client_access)(windcctx,
+                                   context, config,
+                                   client_ex, client_name,
+                                   server_ex, server_name,
                                    req, e_data);
 }
index b328e3ffb3889124ec5add8d7e4c73df5cad6e61..fa4ba434f3edbc4c2bcaed7a56e0ef313c8d47ca 100644 (file)
@@ -66,10 +66,10 @@ typedef krb5_error_code
 
 typedef krb5_error_code
 (*krb5plugin_windc_client_access)(
-       void *, krb5_context, 
+       void *, krb5_context,
        krb5_kdc_configuration *config,
-       hdb_entry_ex *, const char *, 
-       hdb_entry_ex *, const char *, 
+       hdb_entry_ex *, const char *,
+       hdb_entry_ex *, const char *,
        KDC_REQ *, krb5_data *);
 
 
index 0258c1ac09ac6fa07cb49d88717320085f7bcbc5..e681a359d464172e39982e4972fa12e2764b354b 100644 (file)
@@ -40,10 +40,11 @@ static char *admin_principal_str;
 static char *cred_cache_str;
 
 static struct getargs args[] = {
-    { "admin-principal",       0,   arg_string, &admin_principal_str },
-    { "cache",                 'c', arg_string, &cred_cache_str },
-    { "version",               0,   arg_flag, &version_flag },
-    { "help",                  0,   arg_flag, &help_flag }
+    { "admin-principal",       0,   arg_string, &admin_principal_str, NULL,
+        NULL },
+    { "cache",                 'c', arg_string, &cred_cache_str, NULL, NULL },
+    { "version",               0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",                  0,   arg_flag, &help_flag, NULL, NULL }
 };
 
 static void
@@ -197,9 +198,9 @@ main (int argc, char **argv)
        default:
            krb5_err(context, 1, ret, "krb5_get_init_creds");
        }
-       
+
        krb5_get_init_creds_opt_free(context, opt);
-       
+
        ret = krb5_cc_initialize(context, id, admin_principal);
        krb5_free_principal(context, admin_principal);
        if (ret)
@@ -208,7 +209,7 @@ main (int argc, char **argv)
        ret = krb5_cc_store_cred(context, id, &cred);
        if (ret)
            krb5_err(context, 1, ret, "krb5_cc_store_cred");
-       
+
        krb5_free_cred_contents (context, &cred);
     }
 
index 846232a4f293c6e32c5efae790c191c9337c0ec0..e872fef9bee035ab82da930cd93c5dcab690e1fc 100644 (file)
@@ -96,31 +96,31 @@ static struct getargs args[] = {
      * 9:
      */
     { "afslog",        0  , arg_flag, &do_afslog,
-      NP_("obtain afs tokens", "")  },
+      NP_("obtain afs tokens", ""), NULL },
 
     { "cache",                 'c', arg_string, &cred_cache,
       NP_("credentials cache", ""), "cachename" },
 
     { "forwardable",   0, arg_negative_flag, &forwardable_flag,
-      NP_("get tickets not forwardable", "")},
+      NP_("get tickets not forwardable", ""), NULL },
 
     { NULL,            'f', arg_flag, &forwardable_flag,
-      NP_("get forwardable tickets", "")},
+      NP_("get forwardable tickets", ""), NULL },
 
     { "keytab",         't', arg_string, &keytab_str,
       NP_("keytab to use", ""), "keytabname" },
 
     { "lifetime",      'l', arg_string, &lifetime,
-      NP_("lifetime of tickets", ""), "time"},
+      NP_("lifetime of tickets", ""), "time" },
 
     { "proxiable",     'p', arg_flag, &proxiable_flag,
-      NP_("get proxiable tickets", "") },
+      NP_("get proxiable tickets", ""), NULL },
 
     { "renew",          'R', arg_flag, &renew_flag,
-      NP_("renew TGT", "") },
+      NP_("renew TGT", ""), NULL },
 
     { "renewable",     0,   arg_flag, &renewable_flag,
-      NP_("get renewable tickets", "") },
+      NP_("get renewable tickets", ""), NULL },
 
     { "renewable-life",        'r', arg_string, &renew_life,
       NP_("renewable lifetime of tickets", ""), "time" },
@@ -132,40 +132,40 @@ static struct getargs args[] = {
       NP_("when ticket gets valid", ""), "time" },
 
     { "use-keytab",     'k', arg_flag, &use_keytab,
-      NP_("get key from keytab", "") },
+      NP_("get key from keytab", ""), NULL },
 
     { "validate",      'v', arg_flag, &validate_flag,
-      NP_("validate TGT", "") },
+      NP_("validate TGT", ""), NULL },
 
     { "enctypes",      'e', arg_strings, &etype_str,
       NP_("encryption types to use", ""), "enctypes" },
 
     { "fcache-version", 0,   arg_integer, &fcache_version,
-      NP_("file cache version to create", "") },
+      NP_("file cache version to create", ""), NULL },
 
     { "addresses",     'A',   arg_negative_flag,       &addrs_flag,
-      NP_("request a ticket with no addresses", "") },
+      NP_("request a ticket with no addresses", ""), NULL },
 
     { "extra-addresses",'a', arg_strings,      &extra_addresses,
       NP_("include these extra addresses", ""), "addresses" },
 
     { "anonymous",     0,   arg_flag,  &anonymous_flag,
-      NP_("request an anonymous ticket", "") },
+      NP_("request an anonymous ticket", ""), NULL },
 
     { "request-pac",   0,   arg_flag,  &pac_flag,
-      NP_("request a Windows PAC", "") },
+      NP_("request a Windows PAC", ""), NULL },
 
     { "password-file", 0,   arg_string, &password_file,
-      NP_("read the password from a file", "") },
+      NP_("read the password from a file", ""), NULL },
 
     { "canonicalize",0,   arg_flag, &canonicalize_flag,
-      NP_("canonicalize client principal", "") },
+      NP_("canonicalize client principal", ""), NULL },
 
     { "enterprise",0,   arg_flag, &enterprise_flag,
-      NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
+      NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
 #ifdef PKINIT
     { "pk-enterprise", 0,      arg_flag,       &pk_enterprise_flag,
-      NP_("use enterprise name from certificate", "") },
+      NP_("use enterprise name from certificate", ""), NULL },
 
     { "pk-user",       'C',    arg_string,     &pk_user_id,
       NP_("principal's public/private/certificate identifier", ""), "id" },
@@ -174,7 +174,7 @@ static struct getargs args[] = {
       NP_("directory with CA certificates", ""), "directory" },
 
     { "pk-use-enckey", 0,  arg_flag, &pk_use_enckey,
-      NP_("Use RSA encrypted reply (instead of DH)", "") },
+      NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
 #endif
 #ifndef NO_NTLM
     { "ntlm-domain",   0,  arg_string, &ntlm_domain,
@@ -182,19 +182,19 @@ static struct getargs args[] = {
 #endif
 
     { "change-default",  0,  arg_negative_flag, &switch_cache_flags,
-      NP_("switch the default cache to the new credentials cache", "") },
+      NP_("switch the default cache to the new credentials cache", ""), NULL },
 
     { "ok-as-delegate",        0,  arg_flag, &ok_as_delegate_flag,
-      NP_("honor ok-as-delegate on tickets", "") },
+      NP_("honor ok-as-delegate on tickets", ""), NULL },
 
     { "use-referrals", 0,  arg_flag, &use_referrals_flag,
-      NP_("only use referrals, no dns canalisation", "") },
+      NP_("only use referrals, no dns canalisation", ""), NULL },
 
     { "windows",       0,  arg_flag, &windows_flag,
-      NP_("get windows behavior", "") },
+      NP_("get windows behavior", ""), NULL },
 
-    { "version",       0,   arg_flag, &version_flag },
-    { "help",          0,   arg_flag, &help_flag }
+    { "version",       0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",          0,   arg_flag, &help_flag, NULL, NULL }
 };
 
 static void
@@ -357,7 +357,7 @@ get_new_tickets(krb5_context context,
     char passwd[256];
     krb5_deltat start_time = 0;
     krb5_deltat renew = 0;
-    char *renewstr = NULL;
+    const char *renewstr = NULL;
     krb5_enctype *enctype = NULL;
     krb5_ccache tempccache;
 #ifndef NO_NTLM
@@ -466,7 +466,7 @@ get_new_tickets(krb5_context context,
        renew = parse_time (renewstr, "s");
        if (renew < 0)
            errx (1, "unparsable time: %s", renewstr);
-       
+
        krb5_get_init_creds_opt_set_renew_life (opt, renew);
     }
 
@@ -532,11 +532,11 @@ get_new_tickets(krb5_context context,
 
        if (passwd[0] == '\0') {
            char *p, *prompt;
-       
+
            krb5_unparse_name (context, principal, &p);
            asprintf (&prompt, N_("%s's Password: ", ""), p);
            free (p);
-       
+
            if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
                memset(passwd, 0, sizeof(passwd));
                exit(1);
@@ -544,7 +544,7 @@ get_new_tickets(krb5_context context,
            free (prompt);
        }
 
-       
+
        ret = krb5_get_init_creds_password (context,
                                            &cred,
                                            principal,
@@ -592,7 +592,7 @@ get_new_tickets(krb5_context context,
            char life[64];
            unparse_time_approx(cred.times.renew_till - cred.times.starttime,
                                life, sizeof(life));
-           krb5_warnx(context, 
+           krb5_warnx(context,
                       N_("NOTICE: ticket renewable lifetime is %s", ""),
                       life);
        }
@@ -773,7 +773,7 @@ main (int argc, char **argv)
     } else if (anonymous_flag) {
 
        ret = krb5_make_principal(context, &principal, argv[0],
-                                 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, 
+                                 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
                                  NULL);
        if (ret)
            krb5_err(context, 1, ret, "krb5_make_principal");
@@ -825,7 +825,7 @@ main (int argc, char **argv)
                if (ret)
                    krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
 
-               /* 
+               /*
                 * Check if the type support switching, and we do,
                 * then do that instead over overwriting the current
                 * default credential
@@ -904,7 +904,7 @@ main (int argc, char **argv)
            krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
        else if(ret == EX_NOTFOUND)
            krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
-       
+
        krb5_cc_destroy(context, ccache);
 #ifndef NO_AFS
        if(k_hasafs())
index 9c8793e0ccfcde9af6d75c01072165a2e51ce69e..4083ebc23dd65031911ac613dafa03fe95066e74 100644 (file)
@@ -75,5 +75,5 @@ typedef struct heim_octet_string heim_any_set;
 #define ASN1EXP
 #define ASN1CALL
 #endif
-         
+
 #endif
index 08d068b6a433f787a81392638f016479b8c2c206..8c64a35fca99734ee2afc24a9be597db87b25c03 100644 (file)
@@ -1905,7 +1905,7 @@ yyreduce:
 
 /* Line 1455 of yacc.c  */
 #line 368 "asn1parse.c"
-    {  
+    {
                    if((yyvsp[(2) - (5)].value)->type != integervalue)
                        lex_error_message("Non-integer in first part of range");
                    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
@@ -1918,7 +1918,7 @@ yyreduce:
 
 /* Line 1455 of yacc.c  */
 #line 376 "asn1parse.c"
-    {  
+    {
                    if((yyvsp[(4) - (5)].value)->type != integervalue)
                        lex_error_message("Non-integer in second part of range");
                    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
index a7a8f31827a653ca8d86e24a155a0e543af61b35..e3bea6ce0ac9241823606f47598c1db573799148 100644 (file)
@@ -365,7 +365,7 @@ range               : '(' Value RANGE Value ')'
                    $$->max = $4->u.integervalue;
                }
                | '(' Value RANGE kw_MAX ')'
-               {       
+               {
                    if($2->type != integervalue)
                        lex_error_message("Non-integer in first part of range");
                    $$ = ecalloc(1, sizeof(*$$));
@@ -373,7 +373,7 @@ range               : '(' Value RANGE Value ')'
                    $$->max = $2->u.integervalue - 1;
                }
                | '(' kw_MIN RANGE Value ')'
-               {       
+               {
                    if($4->type != integervalue)
                        lex_error_message("Non-integer in second part of range");
                    $$ = ecalloc(1, sizeof(*$$));
index 84aee4cce06221b629db1a6eea0d38f11f97dbd0..468ccb2d040ccc0afbc444afef88c3484a6d4013 100644 (file)
@@ -53,14 +53,14 @@ der_heim_octet_string_cmp(const heim_octet_string *p,
 }
 
 int
-der_printable_string_cmp(const heim_printable_string *p, 
+der_printable_string_cmp(const heim_printable_string *p,
                         const heim_printable_string *q)
 {
     return der_heim_octet_string_cmp(p, q);
 }
 
 int
-der_ia5_string_cmp(const heim_ia5_string *p, 
+der_ia5_string_cmp(const heim_ia5_string *p,
                   const heim_ia5_string *q)
 {
     return der_heim_octet_string_cmp(p, q);
index fc79a30b565facba2b40b033892a9efac94a538e..4f06c1b01fd996a0ebd3ee41461c28807d622075 100644 (file)
@@ -108,7 +108,7 @@ int
 der_print_heim_oid (const heim_oid *oid, char delim, char **str)
 {
     struct rk_strpool *p = NULL;
-    int i;
+    size_t i;
 
     if (oid->length == 0)
        return EINVAL;
index 3ea0d5ea1816f407a320c8e3c084b39e4910c3d3..3112da86f93b4e5169e7ae2103b81d073184eb9d 100644 (file)
@@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len,
         * an strings in the NEED_PREAUTH case that includes a
         * trailing NUL.
         */
-       while (p1 - p < len && *p1 == '\0')
+       while ((size_t)(p1 - p) < len && *p1 == '\0')
            p1++;
-       if (p1 - p != len)
+       if ((size_t)(p1 - p) != len)
            return ASN1_BAD_CHARACTER;
     }
     if (len > len + 1)
index 7a41de9d225cac8e64c2bc994d5c46fb8dfbf9fa..db82025861ea5baa18cf6755093a357cec54eb3b 100644 (file)
@@ -86,7 +86,7 @@ static size_t
 len_oid (const heim_oid *oid)
 {
     size_t ret = 1;
-    int n;
+    size_t n;
 
     for (n = 2; n < oid->length; ++n) {
        unsigned u = oid->components[n];
index b8101458ad4be9866f3e43dd9e4c08606855a67d..0b276d1ebdcec86683b2b3e68f32a9155a054298 100644 (file)
@@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
      if (s->data == NULL)
         return ENOMEM;
      s->length = len;
-     _der_gmtime(t, &tm);
+     if (_der_gmtime(t, &tm) == NULL)
+        return ASN1_BAD_TIMEFORMAT;
      if (gtimep)
         snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
                   tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
index 95780a78987f26e9e132e9705b330d4e2c353a74..a18797ec259433a013cfe58eda5573e4edf2185f 100644 (file)
@@ -71,13 +71,13 @@ decode_heim_any(const unsigned char *p, size_t len,
        if (len < length + len_len + l)
            return ASN1_OVERFLOW;
     }
-   
+
     data->data = malloc(length + len_len + l);
     if (data->data == NULL)
        return ENOMEM;
     data->length = length + len_len + l;
     memcpy(data->data, p, length + len_len + l);
-   
+
     if (size)
        *size = length + len_len + l;
 
index d59f3bfa4755de9f790c231c7518dd2660e02fd8..2194b329ce1d76c993489efd4421fcfbfdbbd0a2 100644 (file)
@@ -761,7 +761,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
            fprintf (headerfile, "struct %s {\n", newbasename);
            ASN1_TAILQ_FOREACH(m, t->members, members) {
                char *n = NULL;
-       
+
                /* pad unused */
                while (pos < m->val) {
                    if (asprintf (&n, "_unused%d:1", pos) < 0 || n == NULL)
@@ -1021,7 +1021,7 @@ generate_type (const Symbol *s)
        h = privheaderfile;
        exp = "";
     }
-   
+
     fprintf (h,
             "%sint    ASN1CALL "
             "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
@@ -1044,7 +1044,7 @@ generate_type (const Symbol *s)
             "%svoid   ASN1CALL free_%s  (%s *);\n",
             exp,
             s->gen_name, s->gen_name);
-   
+
     fprintf(h, "\n\n");
 
     if (!one_code_file) {
index 002a471e96e7dc33c8e012e0cf1b144625eb6883..9d816d5400d700965136da24f4934f3ab4aaf88d 100644 (file)
@@ -209,7 +209,8 @@ range_check(const char *name,
 
 static int
 decode_type (const char *name, const Type *t, int optional,
-            const char *forwstr, const char *tmpstr, const char *dertype)
+            const char *forwstr, const char *tmpstr, const char *dertype,
+            unsigned int depth)
 {
     switch (t->type) {
     case TType: {
@@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional,
            if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
                          name, m->gen_name) < 0 || s == NULL)
                errx(1, "malloc");
-           decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+           decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+               depth + 1);
            free (s);
        }
 
@@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional,
                        "%s = calloc(1, sizeof(*%s));\n"
                        "if (%s == NULL) { e = ENOMEM; %s; }\n",
                        s, s, s, forwstr);
-           decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
+           decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
            free (s);
 
            fprintf(codefile, "members |= (1 << %d);\n", memno);
@@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional,
            errx(1, "malloc");
        if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
            errx(1, "malloc");
-       decode_type (n, t->subtype, 0, forwstr, sname, NULL);
+       decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
        fprintf (codefile,
                 "(%s)->len++;\n"
                 "len = %s_origlen - ret;\n"
@@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional,
                tmpstr, tmpstr, typestring);
        if(support_ber)
            fprintf(codefile,
-                   "int is_indefinite;\n");
+                   "int is_indefinite%u;\n", depth);
 
        fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
                "&%s_datalen, &l);\n",
@@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional,
                 tmpstr);
        if(support_ber)
            fprintf (codefile,
-                    "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
+                    "if((is_indefinite%u = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
                     "{ e = ASN1_BAD_FORMAT; %s; }\n"
-                    "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
-                    tmpstr, forwstr, forwstr);
+                    "if (is_indefinite%u) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
+                    depth, tmpstr, forwstr, depth, forwstr);
        else
            fprintf(codefile,
                    "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
                    "len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
        if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
            errx(1, "malloc");
-       decode_type (name, t->subtype, 0, forwstr, tname, ide);
+       decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
        if(support_ber)
            fprintf(codefile,
-                   "if(is_indefinite){\n"
+                   "if(is_indefinite%u){\n"
                    "len += 2;\n"
                    "e = der_match_tag_and_length(p, len, "
                    "(Der_class)0, &%s, UT_EndOfContent, "
@@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional,
                    "p += l; len -= l; ret += l;\n"
                    "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
                    "} else \n",
+                   depth,
                    typestring,
                    tmpstr,
                    forwstr,
@@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional,
            if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
                          name, m->gen_name) < 0 || s == NULL)
                errx(1, "malloc");
-           decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+           decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+               depth + 1);
            fprintf(codefile,
                    "(%s)->element = %s;\n",
                    name, m->label);
@@ -605,7 +609,7 @@ decode_type (const char *name, const Type *t, int optional,
                    "(%s)->element = %s;\n"
                    "p += len;\n"
                    "ret += len;\n"
-                   "len -= len;\n"
+                   "len = 0;\n"
                    "}\n",
                    name, have_ellipsis->gen_name,
                    name, have_ellipsis->gen_name,
@@ -662,8 +666,8 @@ generate_type_decode (const Symbol *s)
     int preserve = preserve_type(s->name) ? TRUE : FALSE;
 
     fprintf (codefile, "int ASN1CALL\n"
-            "decode_%s(const unsigned char *p,"
-            " size_t len, %s *data, size_t *size)\n"
+            "decode_%s(const unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE,"
+            " size_t len HEIMDAL_UNUSED_ATTRIBUTE, %s *data, size_t *size)\n"
             "{\n",
             s->gen_name, s->gen_name);
 
@@ -694,15 +698,15 @@ generate_type_decode (const Symbol *s)
     case TChoice:
        fprintf (codefile,
                 "size_t ret = 0;\n"
-                "size_t l;\n"
-                "int e;\n");
+                "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
+                "int e HEIMDAL_UNUSED_ATTRIBUTE;\n");
        if (preserve)
            fprintf (codefile, "const unsigned char *begin = p;\n");
 
        fprintf (codefile, "\n");
        fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
 
-       decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
+       decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
        if (preserve)
            fprintf (codefile,
                     "data->_save.data = calloc(1, ret);\n"
index 43f29c1fe123fa7e466b057d5b3c7424815d9b1d..1bd47484d83aa5a6b36becd87dbc7f46836dea33 100644 (file)
@@ -274,7 +274,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
            else if(m->defval)
                gen_compare_defval(s + 1, m->defval);
            fprintf (codefile, "{\n");
-           fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr);
+           fprintf (codefile, "size_t %s_oldret HEIMDAL_UNUSED_ATTRIBUTE = ret;\n", tmpstr);
            fprintf (codefile, "ret = 0;\n");
            encode_type (s, m->type, m->gen_name);
            fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
@@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
                name, name);
 
        fprintf(codefile,
-               "for(i = 0; i < (%s)->len; i++) {\n",
+               "for(i = 0; i < (int)(%s)->len; i++) {\n",
                name);
 
        fprintf(codefile,
@@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 
        fprintf(codefile,
                "if (totallen > len) {\n"
-               "for (i = 0; i < (%s)->len; i++) {\n"
+               "for (i = 0; i < (int)(%s)->len; i++) {\n"
                "free(val[i].data);\n"
                "}\n"
                "free(val);\n"
@@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
                name);
 
        fprintf (codefile,
-                "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+                "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
                 "p -= val[i].length;\n"
                 "ret += val[i].length;\n"
                 "memcpy(p + 1, val[i].data, val[i].length);\n"
@@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
        char *n = NULL;
 
        fprintf (codefile,
-                "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+                "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
                 "size_t %s_for_oldret = ret;\n"
                 "ret = 0;\n",
                 name, tmpstr);
@@ -503,7 +503,7 @@ void
 generate_type_encode (const Symbol *s)
 {
     fprintf (codefile, "int ASN1CALL\n"
-            "encode_%s(unsigned char *p, size_t len,"
+            "encode_%s(unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE, size_t len HEIMDAL_UNUSED_ATTRIBUTE,"
             " const %s *data, size_t *size)\n"
             "{\n",
             s->gen_name, s->gen_name);
@@ -534,10 +534,9 @@ generate_type_encode (const Symbol *s)
     case TType:
     case TChoice:
        fprintf (codefile,
-                "size_t ret = 0;\n"
-                "size_t l;\n"
-                "int i, e;\n\n");
-       fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+                "size_t ret HEIMDAL_UNUSED_ATTRIBUTE = 0;\n"
+                "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
+                "int i HEIMDAL_UNUSED_ATTRIBUTE, e HEIMDAL_UNUSED_ATTRIBUTE;\n\n");
 
        encode_type("data", s->type, "Top");
 
index 7c88751c32b28388dc9196a87299d3d93401748c..b9cae7533b17a13c471266230d71956ebcfaf28d 100644 (file)
@@ -179,12 +179,12 @@ void
 generate_type_free (const Symbol *s)
 {
     int preserve = preserve_type(s->name) ? TRUE : FALSE;
-   
+
     fprintf (codefile, "void ASN1CALL\n"
             "free_%s(%s *data)\n"
             "{\n",
             s->gen_name, s->gen_name);
-   
+
     free_type ("data", s->type, preserve);
     fprintf (codefile, "}\n\n");
 }
index 791fb910f9a07454f7dd0666a93c0ea72dd2ac1a..edd68e12238009d796c30f2fa77667a507b4291b 100644 (file)
@@ -342,7 +342,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql)
 
     ret = strcmp(tl->header, ql->header);
     if (ret) return ret;
-       
+
     q = ASN1_TAILQ_FIRST(&ql->template);
     ASN1_TAILQ_FOREACH(t, &tl->template, members) {
        if (q == NULL) return 1;
@@ -353,7 +353,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql)
        } else {
            ret = strcmp(t->tt, q->tt);
            if (ret) return ret;
-           
+
            ret = strcmp(t->offset, q->offset);
            if (ret) return ret;
 
@@ -479,12 +479,12 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
                     optional ? "|A1_FLAG_OPTIONAL" : "",
                     poffset, t->symbol->gen_name);
        } else {
-           add_line_pointer(temp, t->symbol->gen_name, poffset, 
+           add_line_pointer(temp, t->symbol->gen_name, poffset,
                             "A1_OP_TYPE %s", optional ? "|A1_FLAG_OPTIONAL" : "");
        }
        break;
     case TInteger: {
-       char *itype;
+       char *itype = NULL;
 
        if (t->members)
            itype = "IMEMBER";
@@ -499,7 +499,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
        else
            errx(1, "%s: unsupported range %d -> %d",
                 name, t->range->min, t->range->max);
-          
+
        add_line(temp, "{ A1_PARSE_T(A1T_%s), %s, NULL }", itype, poffset);
        break;
     }
@@ -557,7 +557,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
            break;
        }
 
-       if (asprintf(&bname, "bmember_%s_%lu", name ? name : "", (unsigned long)t) < 0 || bname == NULL)
+       if (asprintf(&bname, "bmember_%s_%p", name ? name : "", t) < 0 || bname == NULL)
            errx(1, "malloc");
        output_name(bname);
 
@@ -591,7 +591,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 
        ASN1_TAILQ_FOREACH(m, t->members, members) {
            char *newbasename = NULL;
-           
+
            if (m->ellipsis)
                continue;
 
@@ -620,7 +620,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
        else
            sename = symbol_name(basetype, t->subtype);
 
-       if (asprintf(&tname, "tag_%s_%lu", name ? name : "", (unsigned long)t) < 0 || tname == NULL)
+       if (asprintf(&tname, "tag_%s_%p", name ? name : "", t) < 0 || tname == NULL)
            errx(1, "malloc");
        output_name(tname);
 
@@ -644,7 +644,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
     }
     case TSetOf:
     case TSequenceOf: {
-       const char *type, *tname, *dupname;
+       const char *type = NULL, *tname, *dupname;
        char *sename = NULL, *elname = NULL;
        int subtype_is_struct = is_struct(t->subtype, 0);
 
@@ -670,7 +670,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
        else if (t->type == TSequenceOf) type = "A1_OP_SEQOF";
        else abort();
 
-       if (asprintf(&elname, "%s_%s_%lu", basetype, tname, (unsigned long)t) < 0 || elname == NULL)
+       if (asprintf(&elname, "%s_%s_%p", basetype, tname, t) < 0 || elname == NULL)
            errx(1, "malloc");
 
        generate_template_type(elname, &dupname, NULL, sename, NULL, t->subtype,
@@ -699,7 +699,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
            char *elname = NULL;
            char *newbasename = NULL;
            int subtype_is_struct;
-           
+
            if (m->ellipsis) {
                ellipsis = 1;
                continue;
index 78cb5a3b84c4a25c5367e0b9b498fb803a76b733..02fab7a3a69a919668e8c92cc7e4bb4642988ef5 100644 (file)
@@ -221,32 +221,32 @@ CKSUMTYPE ::= INTEGER {
 
 --enctypes
 ENCTYPE ::= INTEGER {
-       ETYPE_NULL(0),
-       ETYPE_DES_CBC_CRC(1),
-       ETYPE_DES_CBC_MD4(2),
-       ETYPE_DES_CBC_MD5(3),
-       ETYPE_DES3_CBC_MD5(5),
-       ETYPE_OLD_DES3_CBC_SHA1(7),
-       ETYPE_SIGN_DSA_GENERATE(8),
-       ETYPE_ENCRYPT_RSA_PRIV(9),
-       ETYPE_ENCRYPT_RSA_PUB(10),
-       ETYPE_DES3_CBC_SHA1(16),        -- with key derivation
-       ETYPE_AES128_CTS_HMAC_SHA1_96(17),
-       ETYPE_AES256_CTS_HMAC_SHA1_96(18),
-       ETYPE_ARCFOUR_HMAC_MD5(23),
-       ETYPE_ARCFOUR_HMAC_MD5_56(24),
-       ETYPE_ENCTYPE_PK_CROSS(48),
+       KRB5_ENCTYPE_NULL(0),
+       KRB5_ENCTYPE_DES_CBC_CRC(1),
+       KRB5_ENCTYPE_DES_CBC_MD4(2),
+       KRB5_ENCTYPE_DES_CBC_MD5(3),
+       KRB5_ENCTYPE_DES3_CBC_MD5(5),
+       KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
+       KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
+       KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
+       KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
+       KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
+       KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
+       KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
+       KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
+       KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
+       KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
 -- some "old" windows types
-       ETYPE_ARCFOUR_MD4(-128),
-       ETYPE_ARCFOUR_HMAC_OLD(-133),
-       ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
+       KRB5_ENCTYPE_ARCFOUR_MD4(-128),
+       KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
+       KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
 -- these are for Heimdal internal use
-       ETYPE_DES_CBC_NONE(-0x1000),
-       ETYPE_DES3_CBC_NONE(-0x1001),
-       ETYPE_DES_CFB64_NONE(-0x1002),
-       ETYPE_DES_PCBC_NONE(-0x1003),
-       ETYPE_DIGEST_MD5_NONE(-0x1004),         -- private use, lukeh@padl.com
-       ETYPE_CRAM_MD5_NONE(-0x1005)            -- private use, lukeh@padl.com
+       KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
+       KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
+       KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
+       KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
+       KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),          -- private use, lukeh@padl.com
+       KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)             -- private use, lukeh@padl.com
 }
 
 
@@ -625,7 +625,7 @@ ChangePasswdDataMS ::= SEQUENCE {
        targrealm[2]            Realm OPTIONAL
 }
 
-EtypeList ::= SEQUENCE OF krb5int32
+EtypeList ::= SEQUENCE OF ENCTYPE
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first
 
index 12c71b7e2eca716ccc1fdb3acda1b51165d46384..e8d9f38eaa4460e9a0123291f120b07ac7992e14 100644 (file)
@@ -1626,7 +1626,7 @@ YY_RULE_SETUP
                            char *p = buf;
                            int f = 0;
                            int skip_ws = 0;
-               
+
                            while((c = input()) != EOF) {
                                if(isspace(c) && skip_ws) {
                                    if(c == '\n')
@@ -1634,7 +1634,7 @@ YY_RULE_SETUP
                                    continue;
                                }
                                skip_ws = 0;
-                       
+
                                if(c == '"') {
                                    if(f) {
                                        *p++ = '"';
index dece0961646cc79e83e0dd03f6c9d7daca11c37c..2d32020266c8bce6b6762374f5b276de61c89be3 100644 (file)
@@ -216,7 +216,7 @@ WITH                        { return kw_WITH; }
                            char *p = buf;
                            int f = 0;
                            int skip_ws = 0;
-               
+
                            while((c = input()) != EOF) {
                                if(isspace(c) && skip_ws) {
                                    if(c == '\n')
@@ -224,7 +224,7 @@ WITH                        { return kw_WITH; }
                                    continue;
                                }
                                skip_ws = 0;
-                       
+
                                if(c == '"') {
                                    if(f) {
                                        *p++ = '"';
index a99e69d0f916f9a6c39ecd775e833157eea2a37e..f22dc8792c276bd2c5c74aa8c6c800e980dc7637 100644 (file)
@@ -202,6 +202,6 @@ main(int argc, char **argv)
            free(arg[i]);
        free(arg);
     }
-   
+
     return 0;
 }
index e3c72ac76eca682a106207cfe81cd48605fb8982..89154e337c8f443b0be0cc51204b24c7fa85c40d 100644 (file)
@@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING {
              thirtyone(31)
 }
 
+TESTMechType::= OBJECT IDENTIFIER
+TESTMechTypeList ::= SEQUENCE OF TESTMechType
+
 END
index b5694784138ce12b76833c5d6a069d47d1cfde6a..d9f4adbd5591a1372b78e1a22d6aee9f72484ce9 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id$");
+#define ASN1_MAX_YEAR  2000
 
 static int
 is_leap(unsigned y)
@@ -56,13 +56,19 @@ time_t
 _der_timegm (struct tm *tm)
 {
   time_t res = 0;
-  unsigned i;
+  int i;
+
+  /*
+   * See comment in _der_gmtime
+   */
+  if (tm->tm_year > ASN1_MAX_YEAR)
+      return 0;
 
   if (tm->tm_year < 0)
       return -1;
   if (tm->tm_mon < 0 || tm->tm_mon > 11)
       return -1;
-  if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+  if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
       return -1;
   if (tm->tm_hour < 0 || tm->tm_hour > 23)
       return -1;
@@ -98,6 +104,15 @@ _der_gmtime(time_t t, struct tm *tm)
     tm->tm_min = (secday % 3600) / 60;
     tm->tm_hour = secday / 3600;
 
+    /*
+     * Refuse to calculate time ~ 2000 years into the future, this is
+     * not possible for systems where time_t is a int32_t, however,
+     * when time_t is a int64_t, that can happen, and this becomes a
+     * denial of sevice.
+     */
+    if (days > (ASN1_MAX_YEAR * 365))
+       return NULL;
+
     tm->tm_year = 70;
     while(1) {
        unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);
index 11beaeba4b840e0f18365fc5bbcaf2f6cbf33d0d..c72abdecc863033f6db48a4338c1218e9dc5a62d 100644 (file)
@@ -93,7 +93,7 @@ generate_c(void)
            fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
                    n, name, n);
            n++;
-       
+
        }
        fprintf(c_file, "\t/* %03d */ N_(\"%s\"),\n",
                ec->number, ec->string);
@@ -220,7 +220,7 @@ main(int argc, char **argv)
     yyin = fopen(filename, "r");
     if(yyin == NULL)
        err(1, "%s", filename);
-       
+
 
     p = strrchr(filename, rk_PATH_DELIM);
     if(p)
index 0e49a94104911319ec26529370e427af4ff3944e..6864e870a41e695e749e91c1d7d6b14c34f04e43 100644 (file)
@@ -101,7 +101,7 @@ initialize_error_table_r(struct et_list **list,
     et->next = NULL;
     *end = et;
 }
-                       
+
 
 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 free_error_table(struct et_list *et)
index 1c104812b79f55d58df1b33a9ac9081f82b36e4f..cb770a3a6e7f47a3f40a8059a241df9577599210 100644 (file)
@@ -1465,7 +1465,7 @@ yyreduce:
 #line 118 "parse.c"
     {
                    struct error_code *ec = malloc(sizeof(*ec));
-               
+
                    if (ec == NULL)
                        errx(1, "malloc");
 
index 194965c3495f01bbf11134b6264f5cc1385d3b8a..0c2e5084b51f4a99258b2d50035fc27548f2b60f 100644 (file)
@@ -117,7 +117,7 @@ statement   : INDEX NUMBER
                | EC STRING ',' STRING
                {
                    struct error_code *ec = malloc(sizeof(*ec));
-               
+
                    if (ec == NULL)
                        errx(1, "malloc");
 
index caa1af8b3a681f82d1eca3f93471283f7db0e2d6..fa53a29d240966e919900068c4baf7073993ddaf 100644 (file)
@@ -31,8 +31,6 @@
  * SUCH DAMAGE.
  */
 
-/* $Id$ */
-
 #ifndef GSSAPI_GSSAPI_H_
 #define GSSAPI_GSSAPI_H_
 
 #endif
 #endif
 
-#ifndef GSSAPI_DEPRECATED
+#ifndef GSSAPI_DEPRECATED_FUNCTION
 #if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define GSSAPI_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER)
-#define GSSAPI_DEPRECATED __declspec(deprecated)
+#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated))
 #else
-#define GSSAPI_DEPRECATED
+#define GSSAPI_DEPRECATED_FUNCTION(X)
 #endif
 #endif
 
@@ -375,7 +371,7 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc;
  * to that gss_OID_desc.
  */
 extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
-#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) 
+#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
 
 /* Major status codes */
 
@@ -446,6 +442,11 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
 #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
 #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
 
+/*
+ * Apparently awating spec fix.
+ */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+
 /*
  * Supplementary info bits:
  */
@@ -459,6 +460,9 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
  * Finally, function prototypes for the GSS-API routines.
  */
 
+#define GSS_C_OPTION_MASK 0xffff
+#define GSS_C_CRED_NO_UI  0x10000
+
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*desired_name*/,
@@ -827,7 +831,7 @@ typedef struct {
     size_t blocksize; /**< Specificed optimal size of messages, also
                         is the maximum padding size
                         (GSS_IOV_BUFFER_TYPE_PADDING) */
-} gss_context_stream_sizes; 
+} gss_context_stream_sizes;
 
 extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc;
 #define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc)
@@ -850,23 +854,23 @@ gss_context_query_attributes(OM_uint32 * /* minor_status */,
  * obsolete versions of these routines and their current forms.
  */
 
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*qop_req*/,
             gss_buffer_t /*message_buffer*/,
             gss_buffer_t /*message_token*/
-           );
+           ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic");
 
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*message_buffer*/,
             gss_buffer_t /*token_buffer*/,
             int * /*qop_state*/
-           );
+           ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic");
 
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -874,29 +878,29 @@ GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
             gss_buffer_t /*input_message_buffer*/,
             int * /*conf_state*/,
             gss_buffer_t /*output_message_buffer*/
-           );
+           ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap");
 
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*input_message_buffer*/,
             gss_buffer_t /*output_message_buffer*/,
             int * /*conf_state*/,
             int * /*qop_state*/
-           );
+           )  GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap");
 
 /**
  *
  */
 
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_encapsulate_token(const gss_buffer_t /* input_token */,
-                     const gss_OID /* oid */,
+gss_encapsulate_token(gss_const_buffer_t /* input_token */,
+                     gss_const_OID /* oid */,
                      gss_buffer_t /* output_token */);
 
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_decapsulate_token(const gss_buffer_t /* input_token */,
-                     const gss_OID /* oid */,
+gss_decapsulate_token(gss_const_buffer_t /* input_token */,
+                     gss_const_OID /* oid */,
                      gss_buffer_t /* output_token */);
 
 
@@ -989,6 +993,56 @@ gss_display_mech_attr(OM_uint32 * minor_status,
                      gss_buffer_t short_desc,
                      gss_buffer_t long_desc);
 
+/*
+ * Solaris compat
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*desired_name*/,
+            const gss_buffer_t /*password*/,
+            OM_uint32 /*time_req*/,
+            const gss_OID_set /*desired_mechs*/,
+            gss_cred_usage_t /*cred_usage*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*time_rec*/
+           );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password (
+            OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*input_cred_handle*/,
+            const gss_name_t /*desired_name*/,
+            const gss_OID /*desired_mech*/,
+            const gss_buffer_t /*password*/,
+            gss_cred_usage_t /*cred_usage*/,
+            OM_uint32 /*initiator_time_req*/,
+            OM_uint32 /*acceptor_time_req*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*initiator_time_rec*/,
+            OM_uint32 * /*acceptor_time_rec*/
+           );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(
+        OM_uint32 *minor,
+        const gss_name_t name,
+        const gss_OID mech_type,
+        uid_t *uidOut);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_authorize_localname(
+        OM_uint32 *minor,
+        const gss_name_t name,
+        const gss_name_t user);
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_userok(const gss_name_t name,
+           const char *user);
+
+extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+
 /*
  * Naming extensions
  */
@@ -1051,4 +1105,6 @@ gss_name_to_oid(const char *name);
 
 GSSAPI_CPP_END
 
+#undef GSSAPI_DEPRECATED_FUNCTION
+
 #endif /* GSSAPI_GSSAPI_H_ */
index e7b56dc7d43848ce8605d8adefe2cb2fb8014c77..9465efc77f44d729ebca7a86f7c75c28f7fe8089 100644 (file)
@@ -109,6 +109,13 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc;
 extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
 #define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
 
+ /* credential types */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
 /* Heimdal mechanisms - 1.2.752.43.14 */
 extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
 #define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)
index 1431dbcee6f91a332f0cfc6c41539c1152da7755..e4ccfdb0cd99fcc3c5c982a8904487f6cd618b44 100644 (file)
@@ -355,14 +355,14 @@ _gss_import_cred_t(OM_uint32 * minor_status,
 
 
 typedef OM_uint32 GSSAPI_CALLCONV
-_gss_acquire_cred_ex_t(void * /* status */,
-                      const gss_name_t /* desired_name */,
-                      OM_uint32 /* flags */,
-                      OM_uint32 /* time_req */,
-                      gss_cred_usage_t /* cred_usage */,
-                      void * /* identity */,
-                      void * /* ctx */,
-                      void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32));
+_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
+                       const gss_name_t /* desired_name */,
+                       gss_const_OID /* credential_type */,
+                       const void * /* credential_data */,
+                       OM_uint32 /* time_req */,
+                       gss_const_OID /* desired_mech */,
+                       gss_cred_usage_t /* cred_usage */,
+                       gss_cred_id_t * /* output_cred_handle */);
 
 typedef void GSSAPI_CALLCONV
 _gss_iter_creds_t(OM_uint32 /* flags */,
@@ -460,13 +460,28 @@ struct gss_mo_desc_struct {
     int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t);
 };
 
+typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t (
+              OM_uint32 *,             /* minor_status */
+              const gss_name_t,        /* name */
+              const gss_OID,           /* mech_type */
+              uid_t *                  /* uidOut */
+             );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
+              OM_uint32 *,             /* minor_status */
+              const gss_name_t,        /* name */
+              gss_const_buffer_t,      /* user */
+              gss_const_OID            /* user_name_type */
+             );
+
+/* mechglue internal */
+struct gss_mech_compat_desc_struct;
 
 #define GMI_VERSION 5
 
 /* gm_flags */
 #define GM_USE_MG_CRED         1       /* uses mech glue credentials */
 
-
 typedef struct gssapi_mech_interface_desc {
        unsigned                        gm_version;
        const char                      *gm_name;
@@ -512,7 +527,7 @@ typedef struct gssapi_mech_interface_desc {
        _gss_store_cred_t               *gm_store_cred;
        _gss_export_cred_t              *gm_export_cred;
        _gss_import_cred_t              *gm_import_cred;
-       _gss_acquire_cred_ex_t          *gm_acquire_cred_ex;
+       _gss_acquire_cred_ext_t         *gm_acquire_cred_ext;
        _gss_iter_creds_t               *gm_iter_creds;
        _gss_destroy_cred_t             *gm_destroy_cred;
        _gss_cred_hold_t                *gm_cred_hold;
@@ -521,12 +536,15 @@ typedef struct gssapi_mech_interface_desc {
        _gss_cred_label_set_t           *gm_cred_label_set;
         gss_mo_desc                    *gm_mo;
         size_t                          gm_mo_num;
+        _gss_pname_to_uid_t             *gm_pname_to_uid;
+        _gss_authorize_localname_t      *gm_authorize_localname;
         _gss_display_name_ext_t         *gm_display_name_ext;
         _gss_inquire_name_t             *gm_inquire_name;
         _gss_get_name_attribute_t       *gm_get_name_attribute;
         _gss_set_name_attribute_t       *gm_set_name_attribute;
         _gss_delete_name_attribute_t    *gm_delete_name_attribute;
         _gss_export_name_composite_t    *gm_export_name_composite;
+        struct gss_mech_compat_desc_struct  *gm_compat;
 } gssapi_mech_interface_desc, *gssapi_mech_interface;
 
 gssapi_mech_interface
@@ -552,4 +570,25 @@ struct _gss_oid_name_table {
 extern struct _gss_oid_name_table _gss_ont_mech[];
 extern struct _gss_oid_name_table _gss_ont_ma[];
 
+/*
+ * Extended credentials acqusition API, not to be exported until
+ * it or something equivalent has been standardised.
+ */
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
+OM_uint32 _gss_acquire_cred_ext
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*desired_name*/,
+            gss_const_OID /*credential_type*/,
+            const void * /*credential_data*/,
+            OM_uint32 /*time_req*/,
+            gss_const_OID /*desired_mech*/,
+            gss_cred_usage_t /*cred_usage*/,
+            gss_cred_id_t * /*output_cred_handle*/
+           );
+
 #endif /* GSSAPI_MECH_H */
index 65db343cad93aad5bb5ebba0fcddd50f24c7d5f6..d4555c51042b2795feae4118c3d87f40de325c48 100644 (file)
@@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
   _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
   EVP_DigestUpdate(ctx, num, sizeof(num));
   if (b->acceptor_address.length)
-      EVP_DigestUpdate(ctx, 
+      EVP_DigestUpdate(ctx,
                       b->acceptor_address.value,
                       b->acceptor_address.length);
   _gsskrb5_encode_om_uint32 (b->application_data.length, num);
index a5e9d054c41339a3032cbe4e6a7c97ba088ed49f..5a00e124c2cf5d606ca9ce05a3ea7882bbb16a46 100644 (file)
 HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
 krb5_keytab _gsskrb5_keytab;
 
+static krb5_error_code
+validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
+{
+    krb5_error_code ret;
+
+    ret = krb5_kt_resolve(context, name, id);
+    if (ret)
+       return ret;
+
+    ret = krb5_kt_have_content(context, *id);
+    if (ret) {
+       krb5_kt_close(context, *id);
+       *id = NULL;
+    }
+
+    return ret;
+}
+
 OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
 {
     krb5_context context;
     krb5_error_code ret;
 
+    *min_stat = 0;
+
     ret = _gsskrb5_init(&context);
     if(ret)
        return GSS_S_FAILURE;
@@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity)
     if (identity == NULL) {
        ret = krb5_kt_default(context, &_gsskrb5_keytab);
     } else {
-       char *p = NULL;
-
-       ret = asprintf(&p, "FILE:%s", identity);
-       if(ret < 0 || p == NULL) {
-           HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-           return GSS_S_FAILURE;
+       /*
+        * First check if we can the keytab as is and if it has content...
+        */
+       ret = validate_keytab(context, identity, &_gsskrb5_keytab);
+       /*
+        * if it doesn't, lets prepend FILE: and try again
+        */
+       if (ret) {
+           char *p = NULL;
+           ret = asprintf(&p, "FILE:%s", identity);
+           if(ret < 0 || p == NULL) {
+               HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+               return GSS_S_FAILURE;
+           }
+           ret = validate_keytab(context, p, &_gsskrb5_keytab);
+           free(p);
        }
-       ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
-       free(p);
     }
     HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-    if(ret)
+    if(ret) {
+       *min_stat = ret;
        return GSS_S_FAILURE;
+    }
     return GSS_S_COMPLETE;
 }
 
@@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
 
     if (key == NULL)
        return;
-       
+
     switch (key->keytype) {
     case ETYPE_DES_CBC_CRC:
     case ETYPE_DES_CBC_MD4:
@@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token
 
     if (delegated_cred_handle) {
        gsskrb5_cred handle;
-       
+
        ret = _gsskrb5_krb5_import_cred(minor_status,
                                        ccache,
                                        NULL,
@@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {
        krb5_data outbuf;
        int use_subkey = 0;
-       
+
        _gsskrb5i_is_cfx(context, ctx, 1);
        is_cfx = (ctx->more_flags & IS_CFX);
-       
+
        if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
            use_subkey = 1;
        } else {
@@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
                                   KRB5_AUTH_CONTEXT_USE_SUBKEY,
                                   NULL);
        }
-       
+
        kret = krb5_mk_rep(context,
                           ctx->auth_context,
                           &outbuf);
@@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
            *minor_status = kret;
            return GSS_S_FAILURE;
        }
-       
+
        if (IS_DCE_STYLE(ctx)) {
            output_token->length = outbuf.length;
            output_token->value = outbuf.data;
@@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     krb5_error_code kret;
     krb5_data inbuf;
     int32_t r_seq_number, l_seq_number;
-       
+
     /*
      * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
      */
@@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     {
        krb5_ap_rep_enc_part *repl;
        int32_t auth_flags;
-               
+
        krb5_auth_con_removeflags(context,
                                  ctx->auth_context,
                                  KRB5_AUTH_CONTEXT_DO_TIME,
@@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
        if (lifetime_rec == 0) {
            return GSS_S_CONTEXT_EXPIRED;
        }
-       
+
        if (time_rec) *time_rec = lifetime_rec;
     }
 
@@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     {
        kret = krb5_auth_con_setremoteseqnumber(context,
                                                ctx->auth_context,
-                                               r_seq_number);  
+                                               r_seq_number);
        if (kret) {
            *minor_status = kret;
            return GSS_S_FAILURE;
index d0042e874b53fcbd5752693952a32b015da0b6ca..0f1f5f81cffc0bee2cfc2b25070a96b8b966bea9 100644 (file)
@@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 
     memset(&in_cred, 0, sizeof(in_cred));
     in_cred.client = principal;
-       
+
     realm = krb5_principal_get_realm(context,  principal);
     if (realm == NULL) {
        _gsskrb5_clear_status ();
@@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 static krb5_error_code
 get_keytab(krb5_context context, krb5_keytab *keytab)
 {
-    char kt_name[256];
     krb5_error_code kret;
 
     HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
 
     if (_gsskrb5_keytab != NULL) {
-       kret = krb5_kt_get_name(context,
-                               _gsskrb5_keytab,
-                               kt_name, sizeof(kt_name));
-       if (kret == 0)
-           kret = krb5_kt_resolve(context, kt_name, keytab);
+       char *name = NULL;
+
+       kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
+       if (kret == 0) {
+           kret = krb5_kt_resolve(context, name, keytab);
+           krb5_xfree(name);
+       }
     } else
        kret = krb5_kt_default(context, keytab);
 
@@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
 static OM_uint32 acquire_initiator_cred
                  (OM_uint32 * minor_status,
                   krb5_context context,
+                  gss_const_OID credential_type,
+                  const void *credential_data,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
-                  const gss_OID_set desired_mechs,
+                  gss_const_OID desired_mech,
                   gss_cred_usage_t cred_usage,
-                  gsskrb5_cred handle,
-                  gss_OID_set * actual_mechs,
-                  OM_uint32 * time_rec
+                  gsskrb5_cred handle
                  )
 {
     OM_uint32 ret;
@@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred
      * errors while searching.
      */
 
+    if (credential_type != GSS_C_NO_OID &&
+       !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+       kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
+       goto end;
+    }
+
     if (handle->principal) {
        kret = krb5_cc_cache_match (context,
                                    handle->principal,
@@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred
            if (kret)
                goto end;
        }
-       kret = get_keytab(context, &keytab);
-       if (kret)
-           goto end;
        kret = krb5_get_init_creds_opt_alloc(context, &opt);
        if (kret)
            goto end;
-       kret = krb5_get_init_creds_keytab(context, &cred,
-           handle->principal, keytab, 0, NULL, opt);
+       if (credential_type != GSS_C_NO_OID &&
+           gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+           gss_buffer_t password = (gss_buffer_t)credential_data;
+
+           /* XXX are we requiring password to be NUL terminated? */
+
+           kret = krb5_get_init_creds_password(context, &cred,
+                                               handle->principal,
+                                               password->value,
+                                               NULL, NULL, 0, NULL, opt);
+       } else {
+           kret = get_keytab(context, &keytab);
+           if (kret) {
+               krb5_get_init_creds_opt_free(context, opt);
+               goto end;
+           }
+           kret = krb5_get_init_creds_keytab(context, &cred,
+                                             handle->principal, keytab,
+                                             0, NULL, opt);
+       }
        krb5_get_init_creds_opt_free(context, opt);
        if (kret)
            goto end;
@@ -233,19 +255,25 @@ end:
 static OM_uint32 acquire_acceptor_cred
                  (OM_uint32 * minor_status,
                   krb5_context context,
+                  gss_const_OID credential_type,
+                  const void *credential_data,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
-                  const gss_OID_set desired_mechs,
+                  gss_const_OID desired_mech,
                   gss_cred_usage_t cred_usage,
-                  gsskrb5_cred handle,
-                  gss_OID_set * actual_mechs,
-                  OM_uint32 * time_rec
+                  gsskrb5_cred handle
                  )
 {
     OM_uint32 ret;
     krb5_error_code kret;
 
     ret = GSS_S_FAILURE;
+
+    if (credential_type != GSS_C_NO_OID) {
+       kret = EINVAL;
+       goto end;
+    }
+
     kret = get_keytab(context, &handle->keytab);
     if (kret)
        goto end;
@@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
  OM_uint32 * time_rec
     )
 {
-    krb5_context context;
-    gsskrb5_cred handle;
     OM_uint32 ret;
 
-    if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
-       *minor_status = GSS_KRB5_S_G_BAD_USAGE;
-       return GSS_S_FAILURE;
-    }
-
-    GSSAPI_KRB5_INIT(&context);
-
-    *output_cred_handle = NULL;
-    if (time_rec)
-       *time_rec = 0;
-    if (actual_mechs)
-       *actual_mechs = GSS_C_NO_OID_SET;
-
     if (desired_mechs) {
        int present = 0;
 
@@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
        }
     }
 
+    ret = _gsskrb5_acquire_cred_ext(minor_status,
+                                   desired_name,
+                                   GSS_C_NO_OID,
+                                   NULL,
+                                   time_req,
+                                   GSS_KRB5_MECHANISM,
+                                   cred_usage,
+                                   output_cred_handle);
+    if (ret)
+       return ret;
+
+
+    ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
+                               NULL, time_rec, NULL, actual_mechs);
+    if (ret) {
+       OM_uint32 tmp;
+       _gsskrb5_release_cred(&tmp, output_cred_handle);
+    }
+
+    return ret;
+}
+
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle
+    )
+{
+    krb5_context context;
+    gsskrb5_cred handle;
+    OM_uint32 ret;
+
+    cred_usage &= GSS_C_OPTION_MASK;
+
+    if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+       *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+       return GSS_S_FAILURE;
+    }
+
+    GSSAPI_KRB5_INIT(&context);
+
+    *output_cred_handle = NULL;
+
     handle = calloc(1, sizeof(*handle));
     if (handle == NULL) {
        *minor_status = ENOMEM;
@@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
     HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
 
     if (desired_name != GSS_C_NO_NAME) {
-
        ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
                                  desired_name, &handle->principal);
        if (ret) {
@@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
     }
     if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
        ret = acquire_initiator_cred(minor_status, context,
+                                    credential_type, credential_data,
                                     desired_name, time_req,
-                                    desired_mechs, cred_usage, handle,
-                                    actual_mechs, time_rec);
+                                    desired_mech, cred_usage, handle);
        if (ret != GSS_S_COMPLETE) {
            HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
            krb5_free_principal(context, handle->principal);
@@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
     }
     if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
        ret = acquire_acceptor_cred(minor_status, context,
+                                   credential_type, credential_data,
                                    desired_name, time_req,
-                                   desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+                                   desired_mech, cred_usage, handle);
        if (ret != GSS_S_COMPLETE) {
            HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
            krb5_free_principal(context, handle->principal);
@@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
     if (ret == GSS_S_COMPLETE)
        ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
                                     &handle->mechanisms);
-    if (ret == GSS_S_COMPLETE)
-       ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
-                                   NULL, time_rec, NULL, actual_mechs);
     if (ret != GSS_S_COMPLETE) {
        if (handle->mechanisms != NULL)
            gss_release_oid_set(NULL, &handle->mechanisms);
@@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
        free(handle);
        return (ret);
     }
-    *minor_status = 0;
-    if (time_rec) {
-       ret = _gsskrb5_lifetime_left(minor_status,
-                                    context,
-                                    handle->lifetime,
-                                    time_rec);
-
-       if (ret)
-           return ret;
-    }
     handle->usage = cred_usage;
+    *minor_status = 0;
     *output_cred_handle = (gss_cred_id_t)handle;
     return (GSS_S_COMPLETE);
 }
index a326613eddf067a9755bbc3c81d8aac750ddd8a5..00cf55f62d651314a6e1a486006e5450554d60bd 100644 (file)
@@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
            return(GSS_S_FAILURE);
        }
     }
-       
+
     /* check that we have the same name */
     if (dname != NULL &&
        krb5_principal_compare(context, dname,
@@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
        handle->ccache = NULL;
        handle->mechanisms = NULL;
        HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
-       
+
        ret = GSS_S_FAILURE;
 
        kret = krb5_copy_principal(context, cred->principal,
@@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
        }
 
        if (cred->keytab) {
-           char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
-           int len;
-       
-           ret = GSS_S_FAILURE;
+           char *name = NULL;
 
-           kret = krb5_kt_get_type(context, cred->keytab,
-                                   name, KRB5_KT_PREFIX_MAX_LEN);
-           if (kret) {
-               *minor_status = kret;
-               goto failure;
-           }
-           len = strlen(name);
-           name[len++] = ':';
+           ret = GSS_S_FAILURE;
 
-           kret = krb5_kt_get_name(context, cred->keytab,
-                                   name + len,
-                                   sizeof(name) - len);
+           kret = krb5_kt_get_full_name(context, cred->keytab, &name);
            if (kret) {
                *minor_status = kret;
                goto failure;
@@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
 
            kret = krb5_kt_resolve(context, name,
                                   &handle->keytab);
+           krb5_xfree(name);
            if (kret){
                *minor_status = kret;
                goto failure;
@@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
            }
 
            if (strcmp(type, "MEMORY") == 0) {
-               ret = krb5_cc_new_unique(context, type, 
+               ret = krb5_cc_new_unique(context, type,
                                         NULL, &handle->ccache);
                if (ret) {
                    *minor_status = ret;
@@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
                    *minor_status = ENOMEM;
                    goto failure;
                }
-               
+
                kret = asprintf(&type_name, "%s:%s", type, name);
                if (kret < 0 || type_name == NULL) {
                    *minor_status = ENOMEM;
                    goto failure;
                }
-               
+
                kret = krb5_cc_resolve(context, type_name,
                                       &handle->ccache);
                free(type_name);
                if (kret) {
                    *minor_status = kret;
                    goto failure;
-               }       
+               }
            }
        }
        ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
index 040cd3ee7686bcd779b149ae93b6c3a469d50809..47913e4aec03244ef85004dde0792be290c49232 100644 (file)
@@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status,
     krb5_context context;
 
     GSSAPI_KRB5_INIT (&context);
-    
+
     if (ctx->more_flags & IS_CFX)
        return _gssapi_unwrap_cfx_iov(minor_status, ctx, context,
                                      conf_state, qop_state, iov, iov_count);
-    
+
     return GSS_S_FAILURE;
 }
 
@@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status,
 {
     const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
     krb5_context context;
-    
+
     GSSAPI_KRB5_INIT (&context);
-    
+
     if (ctx->more_flags & IS_CFX)
        return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context,
                                           conf_req_flag, qop_req, conf_state,
                                           iov, iov_count);
-    
+
     return GSS_S_FAILURE;
 }
index dc59e997bd6d40827386e19da6d6c91f24119955..0264207e4a8ceb467fdaf80c9079c3c88e74e7cb 100644 (file)
@@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
                           const gss_buffer_t token_buffer,
                           gss_qop_t * qop_state,
                           krb5_keyblock *key,
-                          char *type)
+                          const char *type)
 {
     krb5_error_code ret;
     uint32_t seq_number;
@@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
     p = token_buffer->value;
     omret = _gsskrb5_verify_header (&p,
                                       token_buffer->length,
-                                      (u_char *)type,
+                                      type,
                                       GSS_KRB5_MECHANISM);
     if (omret)
        return omret;
@@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 
     {
        EVP_CIPHER_CTX rc4_key;
-       
+
        EVP_CIPHER_CTX_init(&rc4_key);
        EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
        EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
@@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 
     if(conf_req_flag) {
        EVP_CIPHER_CTX rc4_key;
-       
+
        EVP_CIPHER_CTX_init(&rc4_key);
        EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
        EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
@@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 
     {
        EVP_CIPHER_CTX rc4_key;
-       
+
        EVP_CIPHER_CTX_init(&rc4_key);
        EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
        EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
@@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
 
     {
        EVP_CIPHER_CTX rc4_key;
-       
+
        EVP_CIPHER_CTX_init(&rc4_key);
        EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
        EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
@@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
 
     if(conf_flag) {
        EVP_CIPHER_CTX rc4_key;
-       
+
        EVP_CIPHER_CTX_init(&rc4_key);
        EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
        EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);
index 1189718adcf38b0f8156f8e9567e2e92f914fa4d..3c1536b60ea5add9b479ecc46bdfde4c8f5bcc2a 100755 (executable)
@@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
     gss_iov_buffer_desc *header, *trailer, *padding;
     size_t gsshsize, k5hsize;
     size_t gsstsize, k5tsize;
-    size_t i, rrc = 0, ec = 0;
+    size_t rrc = 0, ec = 0;
+    int i;
     gss_cfx_wrap_token token;
     krb5_error_code ret;
     int32_t seq_number;
@@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
     token->Flags     = 0;
     token->Filler    = 0xFF;
 
+    if ((ctx->more_flags & LOCAL) == 0)
+       token->Flags |= CFXSentByAcceptor;
+
     if (ctx->more_flags & ACCEPTOR_SUBKEY)
        token->Flags |= CFXAcceptorSubkey;
 
@@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
          plain packet:
 
          {data | "header" | gss-trailer (krb5 checksum)
-         
+
          don't do RRC != 0
 
         */
@@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
            GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
            GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
            len += iov[i].buffer.length;
-    
+
     p = malloc(len);
     if (p == NULL) {
        *minor_status = ENOMEM;
@@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
            q += iov[i].buffer.length;
        }
     }
-    assert((q - p) == len);
+    assert((size_t)(q - p) == len);
 
     /* unrotate first part */
     q = p + rrc;
index 221d219c69fa3739ead198f9fdc38f3fe360163e..3381dffa19eed1460d9a50c54ae10b0fd333a37b 100644 (file)
@@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status,
            *compat = match_val;
            break;
        }
-       
+
        krb5_free_principal(context, match);
        match = NULL;
     }
index 7b27906b5b12f6efb5ae5713b09ee540002b96e3..cb1550011cd7e41237d898d2a35359a0f89ef034 100644 (file)
@@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time
 
     if (*time_rec == 0)
        return GSS_S_CONTEXT_EXPIRED;
-       
+
     return GSS_S_COMPLETE;
 }
index 4e65fc1cf30448aae2c87475317327b69e024e80..e332d29c84aaf689b8d6ce921aa3ff18a23853c9 100644 (file)
@@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
            *minor_status = kret;
            return GSS_S_FAILURE;
        }
-       
+
        if (keytab_principal) {
            krb5_boolean match;
 
index d2c253e84bbedde24bd5cc4b48ccaca88faa55a1..fa45d19b9812843dbc3dbde3aea18b394cf1ab0c 100644 (file)
@@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
     char *str;
 
     GSSAPI_KRB5_INIT (&context);
-    
+
     if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
        *minor_status = GSS_KRB5_S_G_BAD_USAGE;
        return GSS_S_FAILURE;
@@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
            *minor_status = ret;
            return GSS_S_FAILURE;
        }
-       
+
        ret = krb5_cc_get_full_name(context, handle->ccache, &str);
        if (ret) {
            krb5_storage_free(sp);
            *minor_status = ret;
            return GSS_S_FAILURE;
        }
-       
+
        ret = krb5_store_string(sp, str);
        free(str);
        if (ret) {
@@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
            *minor_status = ret;
            return GSS_S_FAILURE;
        }
-       
+
        ret = krb5_cc_resolve(context, str, &id);
        krb5_xfree(str);
        if (ret) {
index 79cd9232e19dc4cc761af66e78b541d565710286..fe5dac7c60b26342039f08200c6561df978818d3 100644 (file)
@@ -114,7 +114,7 @@ _gssapi_encapsulate(
     if (output_token->value == NULL) {
        *minor_status = ENOMEM;
        return GSS_S_FAILURE;
-    }  
+    }
 
     p = _gssapi_make_mech_header (output_token->value, len, mech);
     memcpy (p, in_data->data, in_data->length);
@@ -145,7 +145,7 @@ _gsskrb5_encapsulate(
     if (output_token->value == NULL) {
        *minor_status = ENOMEM;
        return GSS_S_FAILURE;
-    }  
+    }
 
     p = _gsskrb5_make_header (output_token->value, len, type, mech);
     memcpy (p, in_data->data, in_data->length);
index d6f14a48f7c7f01a3c1e2d7dcdfc13349aa80160..26ede2487d30309cb37c80c2ca4be0c8c46f45cc 100644 (file)
@@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
        GSS_C_MA_SASL_MECH_NAME,
        GSS_MO_MA,
        "SASL mech name",
-       "GS2-KRB5",
+       rk_UNCONST("GS2-KRB5"),
        _gss_mo_get_ctx_as_string,
        NULL
     },
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
        GSS_C_MA_MECH_NAME,
        GSS_MO_MA,
        "Mechanism name",
-       "KRB5",
+       rk_UNCONST("KRB5"),
        _gss_mo_get_ctx_as_string,
        NULL
     },
@@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
        GSS_C_MA_MECH_DESCRIPTION,
        GSS_MO_MA,
        "Mechanism description",
-       "Heimdal Kerberos 5 mech",
+       rk_UNCONST("Heimdal Kerberos 5 mech"),
        _gss_mo_get_ctx_as_string,
        NULL
     },
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
 static gssapi_mech_interface_desc krb5_mech = {
     GMI_VERSION,
     "kerberos 5",
-    {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
     0,
     _gsskrb5_acquire_cred,
     _gsskrb5_release_cred,
@@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = {
     _gsskrb5_store_cred,
     _gsskrb5_export_cred,
     _gsskrb5_import_cred,
-    NULL,
+    _gsskrb5_acquire_cred_ext,
     NULL,
     NULL,
     NULL,
@@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = {
     NULL,
     NULL,
     krb5_mo,
-    sizeof(krb5_mo) / sizeof(krb5_mo[0])
+    sizeof(krb5_mo) / sizeof(krb5_mo[0]),
+    _gsskrb5_pname_to_uid,
+    _gsskrb5_authorize_localname,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL
 };
 
 gssapi_mech_interface
index 2a071a305efc8f9c88449687e577035a47c40713..5fe512672f95867a7a0eb17ba40641d7e619e9e8 100644 (file)
@@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
            return GSS_S_BAD_NAME;
        else if (p->name.name_string.len > 1)
            hostname = p->name.name_string.val[1];
-       
+
        service = p->name.name_string.val[0];
-       
+
        ret = krb5_sname_to_principal(context,
                                      hostname,
                                      service,
index 53855ca045322993ac766573ae6e39ca3401800d..5f8b01b7270712e4bdc311f7ef7cc87e3e3a2dc1 100644 (file)
@@ -41,7 +41,7 @@
 static OM_uint32
 set_addresses (krb5_context context,
               krb5_auth_context ac,
-              const gss_channel_bindings_t input_chan_bindings)        
+              const gss_channel_bindings_t input_chan_bindings)
 {
     /* Port numbers are expected to be in application_data.value,
      * initator's port first */
@@ -422,11 +422,6 @@ init_auth
        goto failure;
     }
 
-    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
-    if (ret)
-       goto failure;
-
-
     /*
      * This is hideous glue for (NFS) clients that wants to limit the
      * available enctypes to what it can support (encryption in
@@ -458,17 +453,21 @@ init_auth
      * DNS canonicalizion.
      */
     ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
-                           ctx, name, 0, time_req, 
+                           ctx, name, 0, time_req,
                            time_rec);
     if (ret && allow_dns)
        ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
-                               ctx, name, 1, time_req, 
+                               ctx, name, 1, time_req,
                                time_rec);
     if (ret)
        goto failure;
 
     ctx->lifetime = ctx->kcred->times.endtime;
 
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+       goto failure;
+
     ret = _gsskrb5_lifetime_left(minor_status,
                                 context,
                                 ctx->lifetime,
@@ -530,7 +529,7 @@ init_auth_restart
     Checksum cksum;
     krb5_enctype enctype;
     krb5_data fwd_data, timedata;
-    int32_t offset = 0, oldoffset;
+    int32_t offset = 0, oldoffset = 0;
     uint32_t flagmask;
 
     krb5_data_zero(&outbuf);
@@ -544,7 +543,7 @@ init_auth_restart
      */
     if (!ctx->kcred->flags.b.ok_as_delegate) {
        krb5_data data;
-       
+
        ret = krb5_cc_get_config(context, ctx->ccache, NULL,
                                 "realm-config", &data);
        if (ret == 0) {
@@ -676,7 +675,8 @@ init_auth_restart
        output_token->length = outbuf.length;
     } else {
         ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
-                                   (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+                                   (u_char *)(intptr_t)"\x01\x00",
+                                   GSS_KRB5_MECHANISM);
        krb5_data_free (&outbuf);
        if (ret)
            goto failure;
@@ -848,9 +848,9 @@ repl_mutual
            *minor_status = kret;
            return GSS_S_FAILURE;
        }
-       
+
        /* reset local seq number */
-       krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); 
+       krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
 
        output_token->length = outbuf.length;
        output_token->value  = outbuf.data;
@@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
        return GSS_S_BAD_MECH;
 
     if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
-       OM_uint32 ret;
+       OM_uint32 ret1;
 
        if (*context_handle != GSS_C_NO_CONTEXT) {
            *minor_status = 0;
            return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
        }
 
-       ret = _gsskrb5_create_ctx(minor_status,
+       ret1 = _gsskrb5_create_ctx(minor_status,
                                  context_handle,
                                  context,
                                  input_chan_bindings,
                                  INITIATOR_START);
-       if (ret)
-           return ret;
+       if (ret1)
+           return ret1;
     }
 
     if (*context_handle == GSS_C_NO_CONTEXT) {
@@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
                        ret_flags,
                        time_rec);
        if (ret != GSS_S_COMPLETE)
-           break;      
+           break;
        /* FALL THOUGH */
     case INITIATOR_RESTART:
        ret = init_auth_restart(minor_status,
index d3798623ff3fceaa091515983da5a1807f1a1362..f88199692cd7ad537aa7b7545156f4d94a6c6fa1 100644 (file)
@@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
     if (output_name != NULL) {
        if (icred && icred->principal != NULL) {
            gss_name_t name;
-       
+
            if (acred && acred->principal)
                name = (gss_name_t)acred->principal;
            else
                name = (gss_name_t)icred->principal;
-               
+
             ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
             if (ret)
                goto out;
index dc02b99851a31ce8da8182b8637062f6a3343822..65bd49c971ba0b2662f16e8f2bc6674272b7afca 100644 (file)
@@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech (
 
     if (ret != GSS_S_COMPLETE)
        gss_release_oid_set(NULL, name_types);
-       
+
     return GSS_S_COMPLETE;
 }
index 14816e7a056f216af969aef3340a22413a0e75c3..b57217a4e8303d24d1d8c9a11ac2147dd8a9dfbb 100644 (file)
@@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey
 
     {
        gss_buffer_desc value;
-       
+
        value.length = data.length;
        value.value = data.data;
-       
+
        maj_stat = gss_add_buffer_set_member(minor_status,
                                             &value,
                                             data_set);
@@ -179,6 +179,46 @@ out:
     return maj_stat;
 }
 
+static OM_uint32 inquire_sec_context_get_sspi_session_key
+            (OM_uint32 *minor_status,
+             const gsskrb5_ctx context_handle,
+             krb5_context context,
+             gss_buffer_set_t *data_set)
+{
+    krb5_keyblock *key;
+    OM_uint32 maj_stat = GSS_S_COMPLETE;
+    krb5_error_code ret;
+    gss_buffer_desc value;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    if (ret)
+        goto out;
+    if (key == NULL) {
+        ret = EINVAL;
+        goto out;
+    }
+
+    value.length = key->keyvalue.length;
+    value.value = key->keyvalue.data;
+
+    maj_stat = gss_add_buffer_set_member(minor_status,
+                                         &value,
+                                         data_set);
+    krb5_free_keyblock(context, key);
+
+    /* MIT also returns the enctype encoded as an OID in data_set[1] */
+
+out:
+    if (ret) {
+        *minor_status = ret;
+        maj_stat = GSS_S_FAILURE;
+    }
+    return maj_stat;
+}
+
 static OM_uint32 inquire_sec_context_authz_data
            (OM_uint32 *minor_status,
             const gsskrb5_ctx context_handle,
@@ -464,10 +504,10 @@ get_service_keyblock
 
     {
        gss_buffer_desc value;
-       
+
        value.length = data.length;
        value.value = data.data;
-       
+
        maj_stat = gss_add_buffer_set_member(minor_status,
                                             &value,
                                             data_set);
@@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
                                              context,
                                              ACCEPTOR_KEY,
                                              data_set);
+    } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
+        return inquire_sec_context_get_sspi_session_key(minor_status,
+                                                        ctx,
+                                                        context,
+                                                        data_set);
     } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
        return get_authtime(minor_status, ctx, data_set);
     } else if (oid_prefix_equal(desired_object,
index 323b4cc722962bc24fe7e15c8294981c3af313d5..162a3097099f737dad0c29a5962f3cd6eda09502 100644 (file)
@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
     krb5_crypto crypto;
     krb5_data input, output;
     uint32_t num;
+    OM_uint32 junk;
     unsigned char *p;
     krb5_keyblock *key = NULL;
+    size_t dol;
 
     if (ctx == NULL) {
        *minor_status = 0;
        return GSS_S_NO_CONTEXT;
     }
 
-    if (desired_output_len <= 0) {
+    if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
        *minor_status = 0;
        return GSS_S_FAILURE;
     }
+    dol = desired_output_len;
 
     GSSAPI_KRB5_INIT (&context);
 
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
        return GSS_S_FAILURE;
     }
 
-    prf_out->value = malloc(desired_output_len);
+    prf_out->value = malloc(dol);
     if (prf_out->value == NULL) {
        _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
        *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
        krb5_crypto_destroy(context, crypto);
        return GSS_S_FAILURE;
     }
-    prf_out->length = desired_output_len;
+    prf_out->length = dol;
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     input.length = prf_in->length + 4;
     input.data = malloc(prf_in->length + 4);
     if (input.data == NULL) {
-       OM_uint32 junk;
        _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
        *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
        gss_release_buffer(&junk, prf_out);
@@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
        HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
        return GSS_S_FAILURE;
     }
-    memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+    memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
 
     num = 0;
     p = prf_out->value;
-    while(desired_output_len > 0) {
+    while(dol > 0) {
+       size_t tsize;
+
        _gsskrb5_encode_om_uint32(num, input.data);
+
        ret = krb5_crypto_prf(context, crypto, &input, &output);
        if (ret) {
-           OM_uint32 junk;
            *minor_status = ret;
            free(input.data);
            gss_release_buffer(&junk, prf_out);
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
            HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
            return GSS_S_FAILURE;
        }
-       memcpy(p, output.data, min(desired_output_len, output.length));
+
+       tsize = min(dol, output.length);
+       memcpy(p, output.data, tsize);
        p += output.length;
-       desired_output_len -= output.length;
+       dol -= tsize;
        krb5_data_free(&output);
        num++;
     }
index 4feda0de04a4892807510c854c58c9b1a63de586..0cc1c07cfbe9d7d9bea697f84daefa4a479018b3 100644 (file)
@@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
                                       (gsskrb5_ctx)context_handle,
                                       context,
                                       token_buffer, &empty_buffer,
-                                      GSS_C_QOP_DEFAULT, "\x01\x02");
+                                      GSS_C_QOP_DEFAULT,
+                                      "\x01\x02");
 
     if (ret == GSS_S_COMPLETE)
        ret = _gsskrb5_delete_sec_context(minor_status,
index fbbc5b6c7037ca0d5d1b859b08976db0a6e632c8..2e0e7b20f922565ca6f4a4bf2b1efff2a74d56a1 100644 (file)
@@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status,
     if (*o == NULL) {
        *minor_status = ENOMEM;
        return GSS_S_FAILURE;
-    }  
+    }
 
     *minor_status = 0;
     return GSS_S_COMPLETE;
@@ -141,7 +141,7 @@ OM_uint32
 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
 {
     OM_uint32 r;
-    int i;
+    size_t i;
 
     if (o == NULL)
        return GSS_S_COMPLETE;
index 5ff6172fb92da53e1ae123ee83e2a482a1109695..bd3871675109f89da1620fd7feaffc3733e2b285 100644 (file)
@@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status,
 
     cred = (gsskrb5_cred)*cred_handle;
     cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
-       
+
     *minor_status = 0;
     return GSS_S_COMPLETE;
 
@@ -241,7 +241,7 @@ _gsskrb5_set_cred_option
     if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
        return no_ci_flags(minor_status, context, cred_handle, value);
     }
-       
+
 
     *minor_status = EINVAL;
     return GSS_S_FAILURE;
index 237af1a52c87e48f94f8494dffe4cb16f56f2e42..141ff722fb648ee96982daa7240149b8e0573f8c 100644 (file)
@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
        if (maj_stat != GSS_S_COMPLETE)
            return maj_stat;
 
-       _gsskrb5_register_acceptor_identity(str);
+       maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
        free(str);
 
-       *minor_status = 0;
-       return GSS_S_COMPLETE;
+       return maj_stat;
 
     } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
        char *str;
@@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option
            return maj_stat;
 
        t = time(NULL) + offset;
-       
+
        krb5_set_real_time(context, t, 0);
 
        *minor_status = 0;
index 21f9f6e8aba847d60aa1520b2332d0cd64953108..a3aa2fb83e7129287f011492d400d244a550d756 100644 (file)
@@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32         *minor_status,
        *minor_status = ret;
        return(GSS_S_FAILURE);
     }
-       
+
     if (default_cred)
        krb5_cc_switch(context, id);
 
index 7620d691bda6f030105bea25b7fd3e65d3934967..d6bc20477787c744b6eda069c4226cb985e59e3c 100644 (file)
@@ -54,7 +54,7 @@ unwrap_des
   DES_key_schedule schedule;
   DES_cblock deskey;
   DES_cblock zero;
-  int i;
+  size_t i;
   uint32_t seq_number;
   size_t padlength;
   OM_uint32 ret;
@@ -98,6 +98,7 @@ unwrap_des
   if(cstate) {
       /* decrypt data */
       memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+      memset (&zero, 0, sizeof(zero));
 
       for (i = 0; i < sizeof(deskey); ++i)
          deskey[i] ^= 0xf0;