r23456: Update Samba4 to current lorikeet-heimdal.
authorAndrew Bartlett <abartlet@samba.org>
Wed, 13 Jun 2007 05:44:24 +0000 (05:44 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:53:18 +0000 (14:53 -0500)
Andrew Bartlett

454 files changed:
source/heimdal/kdc/524.c
source/heimdal/kdc/default_config.c
source/heimdal/kdc/digest.c
source/heimdal/kdc/headers.h
source/heimdal/kdc/kaserver.c
source/heimdal/kdc/kdc-private.h
source/heimdal/kdc/kdc-protos.h
source/heimdal/kdc/kdc.h
source/heimdal/kdc/kdc_locl.h
source/heimdal/kdc/kerberos4.c
source/heimdal/kdc/kerberos5.c
source/heimdal/kdc/krb5tgs.c
source/heimdal/kdc/kx509.c
source/heimdal/kdc/log.c
source/heimdal/kdc/misc.c
source/heimdal/kdc/pkinit.c
source/heimdal/kdc/process.c
source/heimdal/kdc/rx.h
source/heimdal/kdc/windc.c
source/heimdal/kdc/windc_plugin.h
source/heimdal/kuser/kinit.c
source/heimdal/kuser/kuser_locl.h
source/heimdal/lib/asn1/CMS.asn1
source/heimdal/lib/asn1/asn1-common.h
source/heimdal/lib/asn1/asn1_err.et
source/heimdal/lib/asn1/asn1_gen.c
source/heimdal/lib/asn1/asn1_queue.h
source/heimdal/lib/asn1/canthandle.asn1
source/heimdal/lib/asn1/der.c
source/heimdal/lib/asn1/der.h
source/heimdal/lib/asn1/der_copy.c
source/heimdal/lib/asn1/der_format.c
source/heimdal/lib/asn1/der_free.c
source/heimdal/lib/asn1/der_get.c
source/heimdal/lib/asn1/der_length.c
source/heimdal/lib/asn1/der_locl.h
source/heimdal/lib/asn1/der_put.c
source/heimdal/lib/asn1/digest.asn1
source/heimdal/lib/asn1/extra.c
source/heimdal/lib/asn1/gen.c
source/heimdal/lib/asn1/gen_copy.c
source/heimdal/lib/asn1/gen_decode.c
source/heimdal/lib/asn1/gen_encode.c
source/heimdal/lib/asn1/gen_free.c
source/heimdal/lib/asn1/gen_glue.c
source/heimdal/lib/asn1/gen_length.c
source/heimdal/lib/asn1/gen_locl.h
source/heimdal/lib/asn1/gen_seq.c
source/heimdal/lib/asn1/hash.c
source/heimdal/lib/asn1/hash.h
source/heimdal/lib/asn1/k5.asn1
source/heimdal/lib/asn1/kx509.asn1
source/heimdal/lib/asn1/lex.c
source/heimdal/lib/asn1/lex.h
source/heimdal/lib/asn1/libasn1.h
source/heimdal/lib/asn1/main.c
source/heimdal/lib/asn1/parse.c
source/heimdal/lib/asn1/parse.h
source/heimdal/lib/asn1/pkcs12.asn1
source/heimdal/lib/asn1/pkcs8.asn1
source/heimdal/lib/asn1/pkcs9.asn1
source/heimdal/lib/asn1/pkinit.asn1
source/heimdal/lib/asn1/rfc2459.asn1
source/heimdal/lib/asn1/symbol.c
source/heimdal/lib/asn1/symbol.h
source/heimdal/lib/asn1/test.asn1
source/heimdal/lib/asn1/timegm.c
source/heimdal/lib/com_err/com_err.c
source/heimdal/lib/com_err/com_err.h
source/heimdal/lib/com_err/com_right.h
source/heimdal/lib/com_err/compile_et.c
source/heimdal/lib/com_err/compile_et.h
source/heimdal/lib/com_err/error.c
source/heimdal/lib/com_err/lex.c
source/heimdal/lib/com_err/lex.h
source/heimdal/lib/com_err/parse.c
source/heimdal/lib/com_err/parse.h
source/heimdal/lib/gssapi/gssapi/gssapi.h
source/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
source/heimdal/lib/gssapi/gssapi/gssapi_spnego.h
source/heimdal/lib/gssapi/gssapi_mech.h
source/heimdal/lib/gssapi/krb5/8003.c
source/heimdal/lib/gssapi/krb5/accept_sec_context.c
source/heimdal/lib/gssapi/krb5/acquire_cred.c
source/heimdal/lib/gssapi/krb5/add_cred.c
source/heimdal/lib/gssapi/krb5/add_oid_set_member.c [deleted file]
source/heimdal/lib/gssapi/krb5/arcfour.c
source/heimdal/lib/gssapi/krb5/canonicalize_name.c
source/heimdal/lib/gssapi/krb5/cfx.c
source/heimdal/lib/gssapi/krb5/cfx.h
source/heimdal/lib/gssapi/krb5/compare_name.c
source/heimdal/lib/gssapi/krb5/compat.c
source/heimdal/lib/gssapi/krb5/context_time.c
source/heimdal/lib/gssapi/krb5/copy_ccache.c
source/heimdal/lib/gssapi/krb5/create_emtpy_oid_set.c [deleted file]
source/heimdal/lib/gssapi/krb5/decapsulate.c
source/heimdal/lib/gssapi/krb5/delete_sec_context.c
source/heimdal/lib/gssapi/krb5/display_name.c
source/heimdal/lib/gssapi/krb5/display_status.c
source/heimdal/lib/gssapi/krb5/duplicate_name.c
source/heimdal/lib/gssapi/krb5/encapsulate.c
source/heimdal/lib/gssapi/krb5/export_name.c
source/heimdal/lib/gssapi/krb5/export_sec_context.c
source/heimdal/lib/gssapi/krb5/external.c
source/heimdal/lib/gssapi/krb5/get_mic.c
source/heimdal/lib/gssapi/krb5/gkrb5_err.et
source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
source/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
source/heimdal/lib/gssapi/krb5/import_name.c
source/heimdal/lib/gssapi/krb5/import_sec_context.c
source/heimdal/lib/gssapi/krb5/indicate_mechs.c
source/heimdal/lib/gssapi/krb5/init.c
source/heimdal/lib/gssapi/krb5/init_sec_context.c
source/heimdal/lib/gssapi/krb5/inquire_context.c
source/heimdal/lib/gssapi/krb5/inquire_cred.c
source/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
source/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
source/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
source/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
source/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
source/heimdal/lib/gssapi/krb5/prf.c [new file with mode: 0644]
source/heimdal/lib/gssapi/krb5/process_context_token.c
source/heimdal/lib/gssapi/krb5/release_buffer.c
source/heimdal/lib/gssapi/krb5/release_cred.c
source/heimdal/lib/gssapi/krb5/release_name.c
source/heimdal/lib/gssapi/krb5/release_oid_set.c [deleted file]
source/heimdal/lib/gssapi/krb5/sequence.c
source/heimdal/lib/gssapi/krb5/set_cred_option.c
source/heimdal/lib/gssapi/krb5/set_sec_context_option.c
source/heimdal/lib/gssapi/krb5/unwrap.c
source/heimdal/lib/gssapi/krb5/verify_mic.c
source/heimdal/lib/gssapi/krb5/wrap.c
source/heimdal/lib/gssapi/mech/context.c [new file with mode: 0644]
source/heimdal/lib/gssapi/mech/context.h
source/heimdal/lib/gssapi/mech/cred.h
source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
source/heimdal/lib/gssapi/mech/gss_acquire_cred.c
source/heimdal/lib/gssapi/mech/gss_add_cred.c
source/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
source/heimdal/lib/gssapi/mech/gss_buffer_set.c
source/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
source/heimdal/lib/gssapi/mech/gss_compare_name.c
source/heimdal/lib/gssapi/mech/gss_context_time.c
source/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c
source/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
source/heimdal/lib/gssapi/mech/gss_delete_sec_context.c
source/heimdal/lib/gssapi/mech/gss_display_name.c
source/heimdal/lib/gssapi/mech/gss_display_status.c
source/heimdal/lib/gssapi/mech/gss_duplicate_name.c
source/heimdal/lib/gssapi/mech/gss_duplicate_oid.c
source/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
source/heimdal/lib/gssapi/mech/gss_export_name.c
source/heimdal/lib/gssapi/mech/gss_export_sec_context.c
source/heimdal/lib/gssapi/mech/gss_get_mic.c
source/heimdal/lib/gssapi/mech/gss_import_name.c
source/heimdal/lib/gssapi/mech/gss_import_sec_context.c
source/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
source/heimdal/lib/gssapi/mech/gss_init_sec_context.c
source/heimdal/lib/gssapi/mech/gss_inquire_context.c
source/heimdal/lib/gssapi/mech/gss_inquire_cred.c
source/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c
source/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
source/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c
source/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c
source/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
source/heimdal/lib/gssapi/mech/gss_krb5.c
source/heimdal/lib/gssapi/mech/gss_mech_switch.c
source/heimdal/lib/gssapi/mech/gss_names.c
source/heimdal/lib/gssapi/mech/gss_oid_equal.c
source/heimdal/lib/gssapi/mech/gss_oid_to_str.c [moved from source/heimdal/lib/gssapi/krb5/test_oid_set_member.c with 72% similarity]
source/heimdal/lib/gssapi/mech/gss_process_context_token.c
source/heimdal/lib/gssapi/mech/gss_release_buffer.c
source/heimdal/lib/gssapi/mech/gss_release_cred.c
source/heimdal/lib/gssapi/mech/gss_release_name.c
source/heimdal/lib/gssapi/mech/gss_release_oid.c
source/heimdal/lib/gssapi/mech/gss_release_oid_set.c
source/heimdal/lib/gssapi/mech/gss_seal.c
source/heimdal/lib/gssapi/mech/gss_set_cred_option.c
source/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c
source/heimdal/lib/gssapi/mech/gss_sign.c
source/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
source/heimdal/lib/gssapi/mech/gss_unseal.c
source/heimdal/lib/gssapi/mech/gss_unwrap.c
source/heimdal/lib/gssapi/mech/gss_utils.c
source/heimdal/lib/gssapi/mech/gss_verify.c
source/heimdal/lib/gssapi/mech/gss_verify_mic.c
source/heimdal/lib/gssapi/mech/gss_wrap.c
source/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
source/heimdal/lib/gssapi/mech/gssapi.asn1
source/heimdal/lib/gssapi/mech/mech_locl.h
source/heimdal/lib/gssapi/mech/mech_switch.h
source/heimdal/lib/gssapi/mech/name.h
source/heimdal/lib/gssapi/mech/utils.h
source/heimdal/lib/gssapi/spnego/accept_sec_context.c
source/heimdal/lib/gssapi/spnego/compat.c
source/heimdal/lib/gssapi/spnego/context_stubs.c
source/heimdal/lib/gssapi/spnego/cred_stubs.c
source/heimdal/lib/gssapi/spnego/external.c
source/heimdal/lib/gssapi/spnego/init_sec_context.c
source/heimdal/lib/gssapi/spnego/spnego.asn1
source/heimdal/lib/gssapi/spnego/spnego_locl.h
source/heimdal/lib/hcrypto/aes.c [moved from source/heimdal/lib/des/aes.c with 98% similarity]
source/heimdal/lib/hcrypto/aes.h [moved from source/heimdal/lib/des/aes.h with 97% similarity]
source/heimdal/lib/hcrypto/bn.c [moved from source/heimdal/lib/des/bn.c with 99% similarity]
source/heimdal/lib/hcrypto/bn.h [moved from source/heimdal/lib/des/bn.h with 98% similarity]
source/heimdal/lib/hcrypto/des-tables.h [moved from source/heimdal/lib/des/des-tables.h with 100% similarity]
source/heimdal/lib/hcrypto/des.c [moved from source/heimdal/lib/des/des.c with 99% similarity]
source/heimdal/lib/hcrypto/des.h [moved from source/heimdal/lib/des/des.h with 98% similarity]
source/heimdal/lib/hcrypto/dh-imath.c [moved from source/heimdal/lib/des/dh-imath.c with 98% similarity]
source/heimdal/lib/hcrypto/dh.c [moved from source/heimdal/lib/des/dh.c with 98% similarity]
source/heimdal/lib/hcrypto/dh.h [moved from source/heimdal/lib/des/dh.h with 98% similarity]
source/heimdal/lib/hcrypto/dsa.c [moved from source/heimdal/lib/des/dsa.c with 98% similarity]
source/heimdal/lib/hcrypto/dsa.h [moved from source/heimdal/lib/des/dsa.h with 98% similarity]
source/heimdal/lib/hcrypto/engine.c [moved from source/heimdal/lib/des/engine.c with 93% similarity]
source/heimdal/lib/hcrypto/engine.h [moved from source/heimdal/lib/des/engine.h with 98% similarity]
source/heimdal/lib/hcrypto/evp.c [moved from source/heimdal/lib/des/evp.c with 100% similarity]
source/heimdal/lib/hcrypto/evp.h [moved from source/heimdal/lib/des/evp.h with 99% similarity]
source/heimdal/lib/hcrypto/hash.h [moved from source/heimdal/lib/des/hash.h with 97% similarity]
source/heimdal/lib/hcrypto/hmac.c [moved from source/heimdal/lib/des/hmac.c with 100% similarity]
source/heimdal/lib/hcrypto/hmac.h [moved from source/heimdal/lib/des/hmac.h with 98% similarity]
source/heimdal/lib/hcrypto/imath/LICENSE [moved from source/heimdal/lib/des/imath/LICENSE with 100% similarity]
source/heimdal/lib/hcrypto/imath/imath.c [moved from source/heimdal/lib/des/imath/imath.c with 96% similarity]
source/heimdal/lib/hcrypto/imath/imath.h [moved from source/heimdal/lib/des/imath/imath.h with 98% similarity]
source/heimdal/lib/hcrypto/imath/iprime.c [moved from source/heimdal/lib/des/imath/iprime.c with 99% similarity]
source/heimdal/lib/hcrypto/imath/iprime.h [moved from source/heimdal/lib/des/imath/iprime.h with 96% similarity]
source/heimdal/lib/hcrypto/md2.c [moved from source/heimdal/lib/des/md2.c with 98% similarity]
source/heimdal/lib/hcrypto/md2.h [moved from source/heimdal/lib/des/md2.h with 97% similarity]
source/heimdal/lib/hcrypto/md4.c [moved from source/heimdal/lib/des/md4.c with 99% similarity]
source/heimdal/lib/hcrypto/md4.h [moved from source/heimdal/lib/des/md4.h with 97% similarity]
source/heimdal/lib/hcrypto/md5.c [moved from source/heimdal/lib/des/md5.c with 99% similarity]
source/heimdal/lib/hcrypto/md5.h [moved from source/heimdal/lib/des/md5.h with 97% similarity]
source/heimdal/lib/hcrypto/pkcs12.c [moved from source/heimdal/lib/des/pkcs12.c with 93% similarity]
source/heimdal/lib/hcrypto/pkcs12.h [moved from source/heimdal/lib/des/pkcs12.h with 97% similarity]
source/heimdal/lib/hcrypto/pkcs5.c [moved from source/heimdal/lib/des/pkcs5.c with 98% similarity]
source/heimdal/lib/hcrypto/rand-egd.c [new file with mode: 0644]
source/heimdal/lib/hcrypto/rand-fortuna.c [new file with mode: 0644]
source/heimdal/lib/hcrypto/rand-unix.c [moved from source/heimdal/lib/des/rand-unix.c with 95% similarity]
source/heimdal/lib/hcrypto/rand.c [moved from source/heimdal/lib/des/rand.c with 58% similarity]
source/heimdal/lib/hcrypto/rand.h [moved from source/heimdal/lib/des/rand.h with 86% similarity]
source/heimdal/lib/hcrypto/randi.h [moved from source/heimdal/lib/gssapi/gssapi.h with 83% similarity]
source/heimdal/lib/hcrypto/rc2.c [moved from source/heimdal/lib/des/rc2.c with 99% similarity]
source/heimdal/lib/hcrypto/rc2.h [moved from source/heimdal/lib/des/rc2.h with 97% similarity]
source/heimdal/lib/hcrypto/rc4.c [moved from source/heimdal/lib/des/rc4.c with 97% similarity]
source/heimdal/lib/hcrypto/rc4.h [moved from source/heimdal/lib/des/rc4.h with 97% similarity]
source/heimdal/lib/hcrypto/resource.h [moved from source/heimdal/lib/des/resource.h with 100% similarity]
source/heimdal/lib/hcrypto/rijndael-alg-fst.c [moved from source/heimdal/lib/des/rijndael-alg-fst.c with 99% similarity]
source/heimdal/lib/hcrypto/rijndael-alg-fst.h [moved from source/heimdal/lib/des/rijndael-alg-fst.h with 100% similarity]
source/heimdal/lib/hcrypto/rnd_keys.c [moved from source/heimdal/lib/des/rnd_keys.c with 99% similarity]
source/heimdal/lib/hcrypto/rsa-imath.c [moved from source/heimdal/lib/des/rsa-imath.c with 99% similarity]
source/heimdal/lib/hcrypto/rsa.c [moved from source/heimdal/lib/des/rsa.c with 97% similarity]
source/heimdal/lib/hcrypto/rsa.h [moved from source/heimdal/lib/des/rsa.h with 99% similarity]
source/heimdal/lib/hcrypto/sha.c [moved from source/heimdal/lib/des/sha.c with 99% similarity]
source/heimdal/lib/hcrypto/sha.h [moved from source/heimdal/lib/des/sha.h with 97% similarity]
source/heimdal/lib/hcrypto/sha256.c [moved from source/heimdal/lib/des/sha256.c with 99% similarity]
source/heimdal/lib/hcrypto/ui.c [moved from source/heimdal/lib/des/ui.c with 98% similarity]
source/heimdal/lib/hcrypto/ui.h [moved from source/heimdal/lib/des/ui.h with 97% similarity]
source/heimdal/lib/hdb/db.c
source/heimdal/lib/hdb/ext.c
source/heimdal/lib/hdb/hdb-protos.h
source/heimdal/lib/hdb/hdb.asn1
source/heimdal/lib/hdb/hdb.c
source/heimdal/lib/hdb/hdb.h
source/heimdal/lib/hdb/hdb_err.et
source/heimdal/lib/hdb/hdb_locl.h
source/heimdal/lib/hdb/keys.c
source/heimdal/lib/hdb/keytab.c
source/heimdal/lib/hdb/mkey.c
source/heimdal/lib/hdb/ndbm.c
source/heimdal/lib/hx509/ca.c
source/heimdal/lib/hx509/cert.c
source/heimdal/lib/hx509/cms.c
source/heimdal/lib/hx509/collector.c
source/heimdal/lib/hx509/crmf.asn1
source/heimdal/lib/hx509/crypto.c
source/heimdal/lib/hx509/env.c [new file with mode: 0644]
source/heimdal/lib/hx509/error.c
source/heimdal/lib/hx509/file.c
source/heimdal/lib/hx509/hx509-private.h
source/heimdal/lib/hx509/hx509-protos.h
source/heimdal/lib/hx509/hx509.h
source/heimdal/lib/hx509/hx509_err.et
source/heimdal/lib/hx509/hx_locl.h
source/heimdal/lib/hx509/keyset.c
source/heimdal/lib/hx509/ks_dir.c
source/heimdal/lib/hx509/ks_file.c
source/heimdal/lib/hx509/ks_keychain.c [new file with mode: 0644]
source/heimdal/lib/hx509/ks_mem.c
source/heimdal/lib/hx509/ks_null.c
source/heimdal/lib/hx509/ks_p11.c
source/heimdal/lib/hx509/ks_p12.c
source/heimdal/lib/hx509/lock.c
source/heimdal/lib/hx509/name.c
source/heimdal/lib/hx509/ocsp.asn1
source/heimdal/lib/hx509/peer.c
source/heimdal/lib/hx509/pkcs10.asn1
source/heimdal/lib/hx509/print.c
source/heimdal/lib/hx509/req.c
source/heimdal/lib/hx509/revoke.c
source/heimdal/lib/hx509/test_name.c
source/heimdal/lib/krb5/acache.c
source/heimdal/lib/krb5/add_et_list.c
source/heimdal/lib/krb5/addr_families.c
source/heimdal/lib/krb5/appdefault.c
source/heimdal/lib/krb5/asn1_glue.c
source/heimdal/lib/krb5/auth_context.c
source/heimdal/lib/krb5/build_ap_req.c
source/heimdal/lib/krb5/build_auth.c
source/heimdal/lib/krb5/cache.c
source/heimdal/lib/krb5/changepw.c
source/heimdal/lib/krb5/codec.c
source/heimdal/lib/krb5/config_file.c
source/heimdal/lib/krb5/config_file_netinfo.c
source/heimdal/lib/krb5/constants.c
source/heimdal/lib/krb5/context.c
source/heimdal/lib/krb5/convert_creds.c
source/heimdal/lib/krb5/copy_host_realm.c
source/heimdal/lib/krb5/crc.c
source/heimdal/lib/krb5/creds.c
source/heimdal/lib/krb5/crypto.c
source/heimdal/lib/krb5/data.c
source/heimdal/lib/krb5/eai_to_heim_errno.c
source/heimdal/lib/krb5/error_string.c
source/heimdal/lib/krb5/expand_hostname.c
source/heimdal/lib/krb5/fcache.c
source/heimdal/lib/krb5/free.c
source/heimdal/lib/krb5/free_host_realm.c
source/heimdal/lib/krb5/generate_seq_number.c
source/heimdal/lib/krb5/generate_subkey.c
source/heimdal/lib/krb5/get_cred.c
source/heimdal/lib/krb5/get_default_principal.c
source/heimdal/lib/krb5/get_default_realm.c
source/heimdal/lib/krb5/get_for_creds.c
source/heimdal/lib/krb5/get_host_realm.c
source/heimdal/lib/krb5/get_in_tkt.c
source/heimdal/lib/krb5/get_in_tkt_with_keytab.c
source/heimdal/lib/krb5/get_port.c
source/heimdal/lib/krb5/heim_err.et
source/heimdal/lib/krb5/heim_threads.h
source/heimdal/lib/krb5/init_creds.c
source/heimdal/lib/krb5/init_creds_pw.c
source/heimdal/lib/krb5/k524_err.et
source/heimdal/lib/krb5/kcm.c
source/heimdal/lib/krb5/keyblock.c
source/heimdal/lib/krb5/keytab.c
source/heimdal/lib/krb5/keytab_any.c
source/heimdal/lib/krb5/keytab_file.c
source/heimdal/lib/krb5/keytab_keyfile.c
source/heimdal/lib/krb5/keytab_krb4.c
source/heimdal/lib/krb5/keytab_memory.c
source/heimdal/lib/krb5/krb5-private.h
source/heimdal/lib/krb5/krb5-protos.h
source/heimdal/lib/krb5/krb5-v4compat.h
source/heimdal/lib/krb5/krb5.h
source/heimdal/lib/krb5/krb5_ccapi.h
source/heimdal/lib/krb5/krb5_err.et
source/heimdal/lib/krb5/krb5_locl.h
source/heimdal/lib/krb5/krbhst.c
source/heimdal/lib/krb5/locate_plugin.h
source/heimdal/lib/krb5/log.c
source/heimdal/lib/krb5/mcache.c
source/heimdal/lib/krb5/misc.c
source/heimdal/lib/krb5/mit_glue.c
source/heimdal/lib/krb5/mk_error.c
source/heimdal/lib/krb5/mk_priv.c
source/heimdal/lib/krb5/mk_rep.c
source/heimdal/lib/krb5/mk_req.c
source/heimdal/lib/krb5/mk_req_ext.c
source/heimdal/lib/krb5/n-fold.c
source/heimdal/lib/krb5/pac.c
source/heimdal/lib/krb5/padata.c
source/heimdal/lib/krb5/pkinit.c
source/heimdal/lib/krb5/plugin.c
source/heimdal/lib/krb5/principal.c
source/heimdal/lib/krb5/prompter_posix.c
source/heimdal/lib/krb5/rd_cred.c
source/heimdal/lib/krb5/rd_error.c
source/heimdal/lib/krb5/rd_priv.c
source/heimdal/lib/krb5/rd_rep.c
source/heimdal/lib/krb5/rd_req.c
source/heimdal/lib/krb5/replay.c
source/heimdal/lib/krb5/send_to_kdc.c
source/heimdal/lib/krb5/set_default_realm.c
source/heimdal/lib/krb5/store.c
source/heimdal/lib/krb5/store_emem.c
source/heimdal/lib/krb5/store_fd.c
source/heimdal/lib/krb5/store_mem.c
source/heimdal/lib/krb5/ticket.c
source/heimdal/lib/krb5/time.c
source/heimdal/lib/krb5/transited.c
source/heimdal/lib/krb5/v4_glue.c
source/heimdal/lib/krb5/version.c
source/heimdal/lib/krb5/warn.c
source/heimdal/lib/ntlm/heimntlm-protos.h
source/heimdal/lib/ntlm/heimntlm.h
source/heimdal/lib/ntlm/ntlm.c
source/heimdal/lib/roken/base64.c
source/heimdal/lib/roken/base64.h
source/heimdal/lib/roken/bswap.c
source/heimdal/lib/roken/closefrom.c
source/heimdal/lib/roken/copyhostent.c
source/heimdal/lib/roken/dumpdata.c
source/heimdal/lib/roken/ecalloc.c
source/heimdal/lib/roken/emalloc.c
source/heimdal/lib/roken/erealloc.c
source/heimdal/lib/roken/estrdup.c
source/heimdal/lib/roken/freeaddrinfo.c
source/heimdal/lib/roken/freehostent.c
source/heimdal/lib/roken/gai_strerror.c
source/heimdal/lib/roken/get_window_size.c
source/heimdal/lib/roken/getaddrinfo.c
source/heimdal/lib/roken/getarg.c
source/heimdal/lib/roken/getarg.h
source/heimdal/lib/roken/getipnodebyaddr.c
source/heimdal/lib/roken/getipnodebyname.c
source/heimdal/lib/roken/getnameinfo.c
source/heimdal/lib/roken/getprogname.c
source/heimdal/lib/roken/h_errno.c
source/heimdal/lib/roken/hex.c
source/heimdal/lib/roken/hex.h
source/heimdal/lib/roken/hostent_find_fqdn.c
source/heimdal/lib/roken/inet_aton.c
source/heimdal/lib/roken/inet_ntop.c
source/heimdal/lib/roken/inet_pton.c
source/heimdal/lib/roken/issuid.c
source/heimdal/lib/roken/net_read.c
source/heimdal/lib/roken/net_write.c
source/heimdal/lib/roken/parse_bytes.h
source/heimdal/lib/roken/parse_time.c
source/heimdal/lib/roken/parse_time.h
source/heimdal/lib/roken/parse_units.c
source/heimdal/lib/roken/parse_units.h
source/heimdal/lib/roken/resolve.c
source/heimdal/lib/roken/resolve.h
source/heimdal/lib/roken/roken-common.h
source/heimdal/lib/roken/roken_gethostby.c
source/heimdal/lib/roken/rtbl.c [new file with mode: 0644]
source/heimdal/lib/roken/rtbl.h [new file with mode: 0644]
source/heimdal/lib/roken/setprogname.c
source/heimdal/lib/roken/signal.c
source/heimdal/lib/roken/simple_exec.c
source/heimdal/lib/roken/socket.c
source/heimdal/lib/roken/strcollect.c
source/heimdal/lib/roken/strlwr.c
source/heimdal/lib/roken/strpool.c
source/heimdal/lib/roken/strsep.c
source/heimdal/lib/roken/strsep_copy.c
source/heimdal/lib/roken/strupr.c
source/heimdal/lib/roken/vis.c
source/heimdal/lib/vers/print_version.c
source/heimdal_build/asn1_deps.pl
source/heimdal_build/config.mk
source/heimdal_build/hcrypto-deps.pl
source/kdc/kdc.c
source/static_deps.mk

index 56c12efd6003641f06548da559169c27673e0cc6..3e4ad292537b4622577bd61f11e9c21940fdbde0 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: 524.c,v 1.40 2006/10/06 17:06:30 lha Exp $");
+RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $");
 
 #include <krb5-v4compat.h>
 
index 2352020d86c06a56bc23b252169cd7b774c80850..c28bd424ead197893793630326674b54791922b1 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  *
  * All rights reserved. 
  */
 
 #include "kdc_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
 
-int require_preauth = -1; /* 1 == require preauth for all principals */
+RCSID("$Id: default_config.c 20532 2007-04-23 07:46:57Z lha $");
 
-const char *trpolicy_str;
 
-int disable_des = -1;
-int enable_v4 = -1;
-int enable_kaserver = -1;
-int enable_524 = -1;
-int enable_v4_cross_realm = -1;
-int detach_from_console = -1;
-
-char *v4_realm;
-
-/* 
- * Setup some of the defaults for the KDC configuration.
- * 
- * Note: Caller must also fill in:
- * - db
- * - num_db
- * - logf
- *
-*/
-
-void
-krb5_kdc_default_config(krb5_kdc_configuration *config)
-{
-    memset(config, 0, sizeof(*config));
-    config->require_preauth = TRUE;
-    config->kdc_warn_pwexpire = 0;
-    config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */
-    config->check_ticket_addresses = TRUE;
-    config->allow_null_ticket_addresses = TRUE;
-    config->allow_anonymous = FALSE;
-    config->trpolicy = TRPOLICY_ALWAYS_CHECK;
-    config->enable_v4 = FALSE;
-    config->enable_kaserver = FALSE;
-    config->enable_524 = FALSE; /* overriden by enable_v4 in configure()) */
-    config->enable_v4_cross_realm = FALSE;
-    config->enable_pkinit = FALSE;
-    config->enable_pkinit_princ_in_cert = TRUE;
-    config->db = NULL;
-    config->num_db = 0;
-    config->logf = NULL;
-}
-
-
-/* 
- * Setup some valudes for the KDC configuration, from the config file
- * 
- * Note: Caller must also fill in:
- * - db
- * - num_db
- * - logf
- *
-*/
-
-void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
+int
+krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 {
-    const char *p;
-    if(require_preauth == -1) {
-       config->require_preauth = krb5_config_get_bool_default(context, NULL, 
-                                                              config->require_preauth,
-                                                              "kdc", 
-                                                              "require-preauth", NULL);
-    } else {
-       config->require_preauth = require_preauth;
-    }
+    krb5_kdc_configuration *c;
 
-    if(enable_v4 == -1) {
-       config->enable_v4 = krb5_config_get_bool_default(context, NULL, 
-                                                        config->enable_v4, 
-                                                        "kdc", 
-                                                        "enable-kerberos4", 
-                                                        NULL);
-    } else {
-       config->enable_v4 = enable_v4;
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+       krb5_set_error_string(context, "malloc: out of memory");
+       return ENOMEM;
     }
 
-    if(enable_v4_cross_realm == -1) {
-       config->enable_v4_cross_realm =
-           krb5_config_get_bool_default(context, NULL,
-                                        config->enable_v4_cross_realm, 
-                                        "kdc", 
-                                        "enable-kerberos4-cross-realm",
-                                        NULL);
-    } else {
-       config->enable_v4_cross_realm = enable_v4_cross_realm;
-    }
-
-    if(enable_524 == -1) {
-       config->enable_524 = krb5_config_get_bool_default(context, NULL, 
-                                                         config->enable_v4, 
-                                                         "kdc", "enable-524", 
-                                                         NULL);
-    } else {
-       config->enable_524 = enable_524;
-    }
-
-    config->enable_digest = 
+    c->require_preauth = TRUE;
+    c->kdc_warn_pwexpire = 0;
+    c->encode_as_rep_as_tgs_rep = FALSE;
+    c->check_ticket_addresses = TRUE;
+    c->allow_null_ticket_addresses = TRUE;
+    c->allow_anonymous = FALSE;
+    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    c->enable_v4 = FALSE;
+    c->enable_kaserver = FALSE;
+    c->enable_524 = FALSE;
+    c->enable_v4_cross_realm = FALSE;
+    c->enable_pkinit = FALSE;
+    c->enable_pkinit_princ_in_cert = TRUE;
+    c->db = NULL;
+    c->num_db = 0;
+    c->logf = NULL;
+
+    c->require_preauth =
        krb5_config_get_bool_default(context, NULL, 
-                                    FALSE, 
-                                    "kdc", 
-                                    "enable-digest", NULL);
+                                    c->require_preauth,
+                                    "kdc", "require-preauth", NULL);
+    c->enable_v4 = 
+       krb5_config_get_bool_default(context, NULL, 
+                                    c->enable_v4, 
+                                    "kdc", "enable-kerberos4", NULL);
+    c->enable_v4_cross_realm =
+       krb5_config_get_bool_default(context, NULL,
+                                    c->enable_v4_cross_realm, 
+                                    "kdc",
+                                    "enable-kerberos4-cross-realm", NULL);
+    c->enable_524 =
+       krb5_config_get_bool_default(context, NULL, 
+                                    c->enable_v4, 
+                                    "kdc", "enable-524", NULL);
+    c->enable_digest = 
+       krb5_config_get_bool_default(context, NULL, 
+                                    FALSE,
+                                    "kdc", "enable-digest", NULL);
 
     {
        const char *digests;
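Review bot: At the `enable-524` lookup, `c->enable_524` takes `c->enable_v4` as its default, so the earlier `c->enable_524 = FALSE;` is dead and the effective default is "on whenever enable-kerberos4 is on"; the old code carried a comment on exactly this (`/* overriden by enable_v4 in configure()) */`) and the rewrite drops it. Restore it next to the lookup, e.g. `/* enable-524 defaults to the enable-kerberos4 setting, so krb4 implies 524 unless explicitly turned off */`. The FALSE/0/NULL assignments right after `calloc` are redundant but harmless; a one-line `/* calloc already zeroed c; the explicit assignments below document the defaults */` would make that intent clear rather than leaving a reader to wonder whether `calloc` was meant to be `malloc`. krb5_kdc_get_config's body continues past the end of this hunk, so whether `*config = c` is set and `c` is freed on a later failure cannot be checked here.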
@@ -146,46 +97,57 @@ void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
                                         "digests_allowed", NULL);
        if (digests == NULL)
            digests = "ntlm-v2";
-       config->digests_allowed = parse_flags(digests,
-                                             _kdc_digestunits,
-                                             0);
-       if (config->digests_allowed == -1) {
-           kdc_log(context, config, 0,
+       c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
+       if (c->digests_allowed == -1) {
+           kdc_log(context, c, 0,
                    "unparsable digest units (%s), turning off digest",
                    digests);
-           config->enable_digest = 0;
-       } else if (config->digests_allowed == 0) {
-           kdc_log(context, config, 0,
+           c->enable_digest = 0;
+       } else if (c->digests_allowed == 0) {
+           kdc_log(context, c, 0,
                    "no digest enable, turning digest off",
                    digests);
-           config->enable_digest = 0;
+           c->enable_digest = 0;
        }
     }
 
-    config->enable_kx509 = 
+    c->enable_kx509 = 
        krb5_config_get_bool_default(context, NULL, 
                                     FALSE, 
-                                    "kdc", 
-                                    "enable-kx509", NULL);
+                                    "kdc", "enable-kx509", NULL);
+
+    if (c->enable_kx509) {
+       c->kx509_template =
+           krb5_config_get_string(context, NULL, 
+                                  "kdc", "kx509_template", NULL);
+       c->kx509_ca =
+           krb5_config_get_string(context, NULL, 
+                                  "kdc", "kx509_ca", NULL);
+       if (c->kx509_ca == NULL || c->kx509_template == NULL) {
+           kdc_log(context, c, 0,
+                   "missing kx509 configuration, turning off");
+           c->enable_kx509 = FALSE;
+       }
+    }
 
-    config->check_ticket_addresses = 
+    c->check_ticket_addresses = 
        krb5_config_get_bool_default(context, NULL, 
-                                    config->check_ticket_addresses, 
+                                    c->check_ticket_addresses, 
                                     "kdc", 
                                     "check-ticket-addresses", NULL);
-    config->allow_null_ticket_addresses = 
+    c->allow_null_ticket_addresses = 
        krb5_config_get_bool_default(context, NULL, 
-                                    config->allow_null_ticket_addresses, 
+                                    c->allow_null_ticket_addresses, 
                                     "kdc", 
                                     "allow-null-ticket-addresses", NULL);
 
-    config->allow_anonymous = 
+    c->allow_anonymous = 
        krb5_config_get_bool_default(context, NULL, 
-                                    config->allow_anonymous,
+                                    c->allow_anonymous,
                                     "kdc", 
                                     "allow-anonymous", NULL);
 
-    config->max_datagram_reply_length =
+    c->max_datagram_reply_length =
        krb5_config_get_int_default(context, 
                                    NULL, 
                                    1400,
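Review bot: The `kdc_log(context, c, 0, "no digest enable, turning digest off", digests);` call in the digests block still passes `digests` although the format has no conversion for it; the surplus argument is ignored by printf-style formatting but reads as a lost `%s`. Either drop the argument or make the message use it: `"no digest enabled (%s), turning digest off", digests);`. In the new kx509 block, `kx509_template` and `kx509_ca` are the pointers returned by `krb5_config_get_string`; presumably they point into the context's parsed configuration rather than being copies, so a short comment recording that the configuration object must not outlive `context` (and that these fields are not to be freed) would help the next maintainer. The enclosing function starts in the previous hunk and ends in a later one.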
@@ -193,178 +155,124 @@ void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
                                    "max-kdc-datagram-reply-length",
                                    NULL);
 
-    trpolicy_str = 
-       krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 
-                                      "transited-policy", NULL);
-    if(strcasecmp(trpolicy_str, "always-check") == 0) {
-       config->trpolicy = TRPOLICY_ALWAYS_CHECK;
-    } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
-       config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
-    } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
-       config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
-    } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 
-       /* default */
-    } else {
-       kdc_log(context, config, 
-               0, "unknown transited-policy: %s, reverting to default (always-check)", 
-               trpolicy_str);
+    {
+       const char *trpolicy_str;
+
+       trpolicy_str = 
+           krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 
+                                          "transited-policy", NULL);
+       if(strcasecmp(trpolicy_str, "always-check") == 0) {
+           c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+       } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+           c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+       } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+           c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+       } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 
+           /* default */
+       } else {
+           kdc_log(context, c, 0,
+                   "unknown transited-policy: %s, "
+                   "reverting to default (always-check)", 
+                   trpolicy_str);
+       }
     }
-       
-    if (krb5_config_get_string(context, NULL, "kdc", 
-                              "enforce-transited-policy", NULL))
-       krb5_errx(context, 1, "enforce-transited-policy deprecated, "
-                 "use [kdc]transited-policy instead");
 
-    if(v4_realm == NULL){
+    {
+       const char *p;
        p = krb5_config_get_string (context, NULL, 
                                    "kdc",
                                    "v4-realm",
                                    NULL);
        if(p != NULL) {
-           config->v4_realm = strdup(p);
-           if (config->v4_realm == NULL)
+           c->v4_realm = strdup(p);
+           if (c->v4_realm == NULL)
                krb5_errx(context, 1, "out of memory");
        } else {
-           config->v4_realm = NULL;
+           c->v4_realm = NULL;
        }
-    } else {
-       config->v4_realm = v4_realm;
     }
 
-    if (enable_kaserver == -1) {
-       config->enable_kaserver = 
-           krb5_config_get_bool_default(context, 
-                                        NULL, 
-                                        config->enable_kaserver,
-                                        "kdc",
-                                        "enable-kaserver",
-                                        NULL);
-    } else {
-       config->enable_kaserver = enable_kaserver;
-    }
+    c->enable_kaserver = 
+       krb5_config_get_bool_default(context, 
+                                    NULL, 
+                                    c->enable_kaserver,
+                                    "kdc", "enable-kaserver", NULL);
 
-    config->encode_as_rep_as_tgs_rep =
+
+    c->encode_as_rep_as_tgs_rep =
        krb5_config_get_bool_default(context, NULL, 
-                                    config->encode_as_rep_as_tgs_rep, 
+                                    c->encode_as_rep_as_tgs_rep, 
                                     "kdc", 
-                                    "encode_as_rep_as_tgs_rep", 
-                                    NULL);
-
-    config->kdc_warn_pwexpire =
+                                    "encode_as_rep_as_tgs_rep", NULL);
+    
+    c->kdc_warn_pwexpire =
        krb5_config_get_time_default (context, NULL,
-                                     config->kdc_warn_pwexpire,
-                                     "kdc",
-                                     "kdc_warn_pwexpire",
-                                     NULL);
+                                     c->kdc_warn_pwexpire,
+                                     "kdc", "kdc_warn_pwexpire", NULL);
 
-    if(detach_from_console == -1) 
-       detach_from_console = krb5_config_get_bool_default(context, NULL, 
-                                                          DETACH_IS_DEFAULT,
-                                                          "kdc",
-                                                          "detach", NULL);
 
 #ifdef PKINIT
-    config->enable_pkinit = 
+    c->enable_pkinit = 
        krb5_config_get_bool_default(context, 
                                     NULL, 
-                                    config->enable_pkinit,
+                                    c->enable_pkinit,
                                     "kdc",
                                     "enable-pkinit",
                                     NULL);
-    if (config->enable_pkinit) {
+    if (c->enable_pkinit) {
        const char *user_id, *anchors, *ocsp_file;
        char **pool_list, **revoke_list;
 
-       user_id = krb5_config_get_string(context, NULL,
-                                        "kdc",
-                                        "pkinit_identity",
-                                        NULL);
+       user_id = 
+           krb5_config_get_string(context, NULL,
+                                  "kdc", "pkinit_identity", NULL);
        if (user_id == NULL)
            krb5_errx(context, 1, "pkinit enabled but no identity");
 
        anchors = krb5_config_get_string(context, NULL,
-                                        "kdc",
-                                        "pkinit_anchors",
-                                        NULL);
+                                        "kdc", "pkinit_anchors", NULL);
        if (anchors == NULL)
            krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 
-       pool_list = krb5_config_get_strings(context, NULL,
-                                           "kdc",
-                                           "pkinit_pool",
-                                           NULL);
+       pool_list =
+           krb5_config_get_strings(context, NULL,
+                                   "kdc", "pkinit_pool", NULL);
 
-       revoke_list = krb5_config_get_strings(context, NULL,
-                                             "kdc",
-                                             "pkinit_revoke",
-                                             NULL);
+       revoke_list =
+           krb5_config_get_strings(context, NULL,
+                                   "kdc", "pkinit_revoke", NULL);
 
        ocsp_file = 
            krb5_config_get_string(context, NULL,
-                                  "kdc",
-                                  "pkinit_kdc_ocsp",
-                                  NULL);
+                                  "kdc", "pkinit_kdc_ocsp", NULL);
        if (ocsp_file) {
-           config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
-           if (config->pkinit_kdc_ocsp_file == NULL)
+           c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
+           if (c->pkinit_kdc_ocsp_file == NULL)
                krb5_errx(context, 1, "out of memory");
        }
-       _kdc_pk_initialize(context, config, user_id, anchors, 
+
+       _kdc_pk_initialize(context, c, user_id, anchors, 
                           pool_list, revoke_list);
 
        krb5_config_free_strings(pool_list);
        krb5_config_free_strings(revoke_list);
 
-       config->enable_pkinit_princ_in_cert = 
-           krb5_config_get_bool_default(context, 
-                                        NULL,
-                                        config->enable_pkinit_princ_in_cert,
+       c->enable_pkinit_princ_in_cert = 
+           krb5_config_get_bool_default(context, NULL,
+                                        c->enable_pkinit_princ_in_cert,
                                         "kdc",
                                         "pkinit_principal_in_certificate",
                                         NULL);
     }
 
-    config->pkinit_dh_min_bits =
-       krb5_config_get_int_default(context, 
-                                   NULL, 
+    c->pkinit_dh_min_bits =
+       krb5_config_get_int_default(context, NULL, 
                                    0,
-                                   "kdc",
-                                   "pkinit_dh_min_bits",
-                                   NULL);
+                                   "kdc", "pkinit_dh_min_bits", NULL);
 
 #endif
 
-    if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
-#ifdef KRB4
-       config->v4_realm = malloc(40); /* REALM_SZ */
-       if (config->v4_realm == NULL)
-           krb5_errx(context, 1, "out of memory");
-       krb_get_lrealm(config->v4_realm, 1);
-#else
-       krb5_errx(context, 1, "No Kerberos 4 realm configured");
-#endif
-    }
-    if(disable_des == -1)
-       disable_des = krb5_config_get_bool_default(context, NULL, 
-                                                  FALSE,
-                                                  "kdc",
-                                                  "disable-des", NULL);
-    if(disable_des) {
-       krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
-       krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
-       krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
-       krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
-       krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
-       krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
-
-       kdc_log(context, config, 
-               0, "DES was disabled, turned off Kerberos V4, 524 "
-               "and kaserver");
-       config->enable_v4 = 0;
-       config->enable_524 = 0;
-       config->enable_kaserver = 0;
-    }
+    *config = c;
 
-    _kdc_windc_init(context);
+    return 0;
 }
-
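Review bot: The function now reports status through `*config = c; return 0;`, yet every failure inside the hunk still goes through `krb5_errx(context, 1, ...)` — the `strdup` failure for `v4_realm`, the `pkinit enabled but no identity` / `no X509 anchors` checks and the `ocsp_file` strdup — which terminates the process instead of letting the caller of the new int-returning `krb5_kdc_get_config` decide. Returning `ENOMEM` for the allocation failures and a configuration error for the missing pkinit settings, after releasing whatever `c` already owns, would match the new interface; how `c` is allocated is outside the hunk, so the exact cleanup is inferred. The `_kdc_pk_initialize(context, c, user_id, anchors, pool_list, revoke_list);` call also has its return value ignored, so a broken pkinit setup is neither reported nor turns `enable_pkinit` off the way the kx509 block does for its missing settings. The enclosing function begins before this hunk.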
index 2c012a2ead53c1f43ef0d448a88f539f5f3db869..811ab639f1c2da78552a33511fb8a316631d9d13 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,8 +34,9 @@
 #include "kdc_locl.h"
 #include <hex.h>
 
-RCSID("$Id: digest.c,v 1.19 2006/12/28 17:03:51 lha Exp $");
+RCSID("$Id: digest.c 20877 2007-06-04 04:07:26Z lha $");
 
+#define MS_CHAP_V2     0x20
 #define CHAP_MD5       0x10
 #define DIGEST_MD5     0x08
 #define NTLM_V2                0x04
@@ -43,6 +44,7 @@ RCSID("$Id: digest.c,v 1.19 2006/12/28 17:03:51 lha Exp $");
 #define NTLM_V1                0x01
 
 const struct units _kdc_digestunits[] = {
+       {"ms-chap-v2",          1U << 5},
        {"chap-md5",            1U << 4},
        {"digest-md5",          1U << 3},
        {"ntlm-v2",             1U << 2},
@@ -135,6 +137,25 @@ fill_targetinfo(krb5_context context,
 }
 
 
+static const unsigned char ms_chap_v2_magic1[39] = {
+    0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+    0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+    0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+    0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
+};
+static const unsigned char ms_chap_v2_magic2[41] = {
+    0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+    0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+    0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+    0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+    0x6E
+};
+static const unsigned char ms_rfc3079_magic1[27] = {
+    0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+    0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+    0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
+};
+
 /*
  *
  */
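Review bot: The three byte tables carry no comment saying what they encode: `ms_chap_v2_magic1` and `ms_chap_v2_magic2` are the ASCII strings "Magic server to client signing constant" and "Pad to make it do more than one iteration" that RFC 2759 section 8.7 (GenerateAuthenticatorResponse) defines as Magic1 and Magic2, and `ms_rfc3079_magic1` is "This is the MPPE Master Key" from RFC 3079 section 3.4 (GetMasterKey). A one-line comment above each array, e.g. `/* RFC 2759 8.7 Magic1: "Magic server to client signing constant" (39 bytes) */`, lets a reader check the bytes against the specification instead of decoding the hex by hand. Writing them as string literals would also work but would require `sizeof(x) - 1` at every use site, so the comment is the smaller change.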
@@ -382,11 +403,6 @@ _kdc_do_digest(krb5_context context,
                goto out;
            }
 
-           ret = krb5_store_stringz(sp, *r.u.initReply.identifier);
-           if (ret) {
-               krb5_clear_error_string(context);
-               goto out;
-           }
        } else
            r.u.initReply.identifier = NULL;
 
@@ -461,13 +477,7 @@ _kdc_do_digest(krb5_context context,
        }
 
        krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
-       if (ireq.u.digestRequest.identifier) {
-           ret = krb5_store_stringz(sp, *ireq.u.digestRequest.identifier);
-           if (ret) {
-               krb5_clear_error_string(context);
-               goto out;
-           }
-       }
+
        if (ireq.u.digestRequest.hostname) {
            ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
            if (ret) {
@@ -587,6 +597,7 @@ _kdc_do_digest(krb5_context context,
        if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
            MD5_CTX ctx;
            unsigned char md[MD5_DIGEST_LENGTH];
+           char *mdx;
            char id;
 
            if ((config->digests_allowed & CHAP_MD5) == 0) {
@@ -613,16 +624,30 @@ _kdc_do_digest(krb5_context context,
            MD5_Update(&ctx, serverNonce.data, serverNonce.length);
            MD5_Final(md, &ctx);
 
-           r.element = choice_DigestRepInner_response;
-           hex_encode(md, sizeof(md), &r.u.response.responseData);
-           if (r.u.response.responseData == NULL) {
+           hex_encode(md, sizeof(md), &mdx);
+           if (mdx == NULL) {
                krb5_clear_error_string(context);
                ret = ENOMEM;
                goto out;
            }
+
+           r.element = choice_DigestRepInner_response;
+
+           ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+           free(mdx);
+           if (ret == 0) {
+               r.u.response.success = TRUE;
+           } else {
+               kdc_log(context, config, 0, 
+                       "CHAP reply mismatch for %s",
+                       ireq.u.digestRequest.username);
+               r.u.response.success = FALSE;
+           }
+
        } else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
            MD5_CTX ctx;
            unsigned char md[MD5_DIGEST_LENGTH];
+           char *mdx;
            char *A1, *A2;
 
            if ((config->digests_allowed & DIGEST_MD5) == 0) {
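Review bot: `ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);` overloads the function's error variable with a string-difference value: on a mismatch the `else` branch sets `r.u.response.success = FALSE` but leaves `ret` non-zero with a value that is not a krb5 error code, so whatever the common tail of the function does with `ret` (outside this hunk) sees a bogus status. Keep the comparison in its own local, e.g. `int match = strcasecmp(mdx, ireq.u.digestRequest.responseData) == 0;`, and reserve `ret` for error codes; the same pattern is repeated in the DIGEST-MD5 and MS-CHAP-V2 branches of the next hunk. Separately, `responseData` is the authenticator the client must prove, and comparing the hex strings with `strcasecmp` takes time proportional to the matching prefix; decoding both sides to fixed-length digests and comparing them in constant time would remove that signal. `_kdc_do_digest` begins before this hunk.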
@@ -709,21 +734,212 @@ _kdc_do_digest(krb5_context context,
 
            MD5_Final(md, &ctx);
 
-           r.element = choice_DigestRepInner_response;
-           hex_encode(md, sizeof(md), &r.u.response.responseData);
-
            free(A1);
            free(A2);
 
-           if (r.u.response.responseData == NULL) {
-               krb5_set_error_string(context, "out of memory");
+           hex_encode(md, sizeof(md), &mdx);
+           if (mdx == NULL) {
+               krb5_clear_error_string(context);
+               ret = ENOMEM;
+               goto out;
+           }
+
+           r.element = choice_DigestRepInner_response;
+           ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+           free(mdx);
+           if (ret == 0) {
+               r.u.response.success = TRUE;
+           } else {
+               kdc_log(context, config, 0, 
+                       "DIGEST-MD5 reply mismatch for %s",
+                       ireq.u.digestRequest.username);
+               r.u.response.success = FALSE;
+           }
+
+       } else if (strcasecmp(ireq.u.digestRequest.type, "MS-CHAP-V2") == 0) {
+           unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
+           char *mdx;
+           const char *username;
+           struct ntlm_buf answer;
+           Key *key = NULL;
+           SHA_CTX ctx;
+
+           if ((config->digests_allowed & MS_CHAP_V2) == 0) {
+               kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
+               goto out;
+           }
+
+           if (ireq.u.digestRequest.clientNonce == NULL)  {
+               krb5_set_error_string(context, 
+                                     "MS-CHAP-V2 clientNonce missing");
+               ret = EINVAL;
+               goto out;
+           }       
+           if (serverNonce.length != 16) {
+               krb5_set_error_string(context, 
+                                     "MS-CHAP-V2 serverNonce wrong length");
+               ret = EINVAL;
+               goto out;
+           }
+
+           /* strip of the domain component */
+           username = strchr(ireq.u.digestRequest.username, '\\');
+           if (username == NULL)
+               username = ireq.u.digestRequest.username;
+           else
+               username++;
+
+           /* ChallangeHash */
+           SHA1_Init(&ctx);
+           {
+               ssize_t ssize;
+               krb5_data clientNonce;
+               
+               clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
+               clientNonce.data = malloc(clientNonce.length);
+               if (clientNonce.data == NULL) {
+                   ret = ENOMEM;
+                   krb5_set_error_string(context, "out of memory");
+                   goto out;
+               }
+
+               ssize = hex_decode(*ireq.u.digestRequest.clientNonce, 
+                                  clientNonce.data, clientNonce.length);
+               if (ssize != 16) {
+                   krb5_set_error_string(context, 
+                                         "Failed to decode clientNonce");
+                   ret = ENOMEM;
+                   goto out;
+               }
+               SHA1_Update(&ctx, clientNonce.data, ssize);
+               free(clientNonce.data);
+           }
+           SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
+           SHA1_Update(&ctx, username, strlen(username));
+           SHA1_Final(challange, &ctx);
+
+           /* NtPasswordHash */
+           ret = krb5_parse_name(context, username, &clientprincipal);
+           if (ret)
+               goto out;
+           
+           ret = _kdc_db_fetch(context, config, clientprincipal,
+                               HDB_F_GET_CLIENT, NULL, &user);
+           krb5_free_principal(context, clientprincipal);
+           if (ret) {
+               krb5_set_error_string(context, 
+                                     "MS-CHAP-V2 user %s not in database",
+                                     username);
+               goto out;
+           }
+
+           ret = hdb_enctype2key(context, &user->entry, 
+                                 ETYPE_ARCFOUR_HMAC_MD5, &key);
+           if (ret) {
+               krb5_set_error_string(context, 
+                                     "MS-CHAP-V2 missing arcfour key %s",
+                                     username);
+               goto out;
+           }
+
+           /* ChallengeResponse */
+           ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
+                                           key->key.keyvalue.length,
+                                           challange, &answer);
+           if (ret) {
+               krb5_set_error_string(context, "NTLM missing arcfour key");
+               goto out;
+           }
+           
+           hex_encode(answer.data, answer.length, &mdx);
+           if (mdx == NULL) {
+               free(answer.data);
+               krb5_clear_error_string(context);
                ret = ENOMEM;
                goto out;
            }
 
+           r.element = choice_DigestRepInner_response;
+           ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+           free(mdx);
+           if (ret == 0) {
+               r.u.response.success = TRUE;
+           } else {
+               kdc_log(context, config, 0, 
+                       "MS-CHAP-V2 reply mismatch for %s",
+                       ireq.u.digestRequest.username);
+               r.u.response.success = FALSE;
+           }
+
+           if (r.u.response.success) {
+               unsigned char hashhash[MD4_DIGEST_LENGTH];
+
+               /* hashhash */
+               {
+                   MD4_CTX hctx;
+
+                   MD4_Init(&hctx);
+                   MD4_Update(&hctx, key->key.keyvalue.data, 
+                              key->key.keyvalue.length);
+                   MD4_Final(hashhash, &hctx);
+               }
+
+               /* GenerateAuthenticatorResponse */
+               SHA1_Init(&ctx);
+               SHA1_Update(&ctx, hashhash, sizeof(hashhash));
+               SHA1_Update(&ctx, answer.data, answer.length);
+               SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
+               SHA1_Final(md, &ctx);
+
+               SHA1_Init(&ctx);
+               SHA1_Update(&ctx, md, sizeof(md));
+               SHA1_Update(&ctx, challange, 8);
+               SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
+               SHA1_Final(md, &ctx);
+
+               r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
+               if (r.u.response.rsp == NULL) {
+                   free(answer.data);
+                   krb5_clear_error_string(context);
+                   ret = ENOMEM;
+                   goto out;
+               }
+
+               hex_encode(md, sizeof(md), r.u.response.rsp);
+               if (r.u.response.rsp == NULL) {
+                   free(answer.data);
+                   krb5_clear_error_string(context);
+                   ret = ENOMEM;
+                   goto out;
+               }
+
+               /* get_master, rfc 3079 3.4 */
+               SHA1_Init(&ctx);
+               SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
+               SHA1_Update(&ctx, answer.data, answer.length);
+               SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
+               SHA1_Final(md, &ctx);
+
+               free(answer.data);
+
+               r.u.response.session_key = 
+                   calloc(1, sizeof(*r.u.response.session_key));
+               if (r.u.response.session_key == NULL) {
+                   krb5_clear_error_string(context);
+                   ret = ENOMEM;
+                   goto out;
+               }
+
+               ret = krb5_data_copy(r.u.response.session_key, md, 16);
+               if (ret) {
+                   krb5_clear_error_string(context);
+                   goto out;
+               }
+           }
+
        } else {
            r.element = choice_DigestRepInner_error;
-           asprintf(&r.u.error.reason, "unsupported digest type %s", 
+           asprintf(&r.u.error.reason, "Unsupported digest type %s", 
                     ireq.u.digestRequest.type);
            if (r.u.error.reason == NULL) {
                krb5_set_error_string(context, "out of memory");
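Review bot: `hex_encode(md, sizeof(md), r.u.response.rsp); if (r.u.response.rsp == NULL)` tests the wrong pointer: `rsp` was just `calloc`ed and is non-NULL, while `hex_encode` stores the new string into `*rsp`, so an allocation failure there is never detected; the check should read `if (*r.u.response.rsp == NULL)`. `answer.data` is freed only inside `if (r.u.response.success)`, so the mismatch path (`success = FALSE`) leaks it — free it unconditionally right after the `strcasecmp` comparison instead. In the ChallengeHash block, a `hex_decode` result other than 16 reports `ENOMEM` for what is a malformed request and jumps to `out` without releasing `clientNonce.data`; `EINVAL` together with a `free(clientNonce.data);` before the `goto` is what that path needs. The `MS-CHAP-V2 not allowed` branch also does `goto out` without assigning `ret`, unlike the `ret = EINVAL;` this same commit adds to the NTLM checks further down. `_kdc_do_digest` begins before this hunk.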
@@ -745,7 +961,6 @@ _kdc_do_digest(krb5_context context,
            goto out;
        }
 
-
        r.element = choice_DigestRepInner_ntlmInitReply;
 
        r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
@@ -766,12 +981,12 @@ _kdc_do_digest(krb5_context context,
            NTLM_NEG_TARGET_DOMAIN |
            NTLM_ENC_128;
 
-#define ALL \
-       NTLM_NEG_SIGN| \
-       NTLM_NEG_SEAL| \
-       NTLM_NEG_ALWAYS_SIGN| \
-       NTLM_NEG_NTLM2_SESSION| \
-       NTLM_NEG_KEYEX
+#define ALL                                    \
+       NTLM_NEG_SIGN|                          \
+           NTLM_NEG_SEAL|                      \
+           NTLM_NEG_ALWAYS_SIGN|               \
+           NTLM_NEG_NTLM2_SESSION|             \
+           NTLM_NEG_KEYEX
 
        r.u.ntlmInitReply.flags |= (ireq.u.ntlmInit.flags & (ALL));
 
@@ -989,6 +1204,7 @@ _kdc_do_digest(krb5_context context,
                
                if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
                    kdc_log(context, config, 0, "NTLM v1-session not allowed");
+                   ret = EINVAL;
                    goto out;
                }
 
@@ -1048,6 +1264,7 @@ _kdc_do_digest(krb5_context context,
                krb5_set_error_string(context,
                                      "NTLM client failed to neg key "
                                      "exchange but still sent key");
+               ret = EINVAL;
                goto out;
            }
            
index 56ddc8090b64b1a7b6a3e94b67158fcf017f3f89..64f6b6e438cb60e3555df677b8ada4042249ea0c 100644 (file)
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: headers.h,v 1.22 2007/01/04 00:15:34 lha Exp $ 
+ * $Id: headers.h 19658 2007-01-04 00:15:34Z lha $ 
  */
 
 #ifndef __HEADERS_H__
index ac282717ed0c3988e0da5010abb9a6a2ffb4b884..deb32e1019954daff756f1cad50ad2cb9b31a7b4 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c,v 1.36 2006/08/23 11:43:44 lha Exp $");
+RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $");
 
 #include <krb5-v4compat.h>
 #include <rx.h>
index d896bd10e9988be4c3800a9657aadf2d8c632943..030be9ae58baeabc2717d43acb642d99c58d1e01 100644 (file)
@@ -149,9 +149,9 @@ _kdc_find_etype (
        Key **/*ret_key*/,
        krb5_enctype */*ret_etype*/);
 
-PA_DATA*
+const PA_DATA*
 _kdc_find_padata (
-       KDC_REQ */*req*/,
+       const KDC_REQ */*req*/,
        int */*start*/,
        int /*type*/);
 
@@ -249,8 +249,8 @@ krb5_error_code
 _kdc_pk_rd_padata (
        krb5_context /*context*/,
        krb5_kdc_configuration */*config*/,
-       KDC_REQ */*req*/,
-       PA_DATA */*pa*/,
+       const KDC_REQ */*req*/,
+       const PA_DATA */*pa*/,
        pk_client_params **/*ret_params*/);
 
 krb5_error_code
@@ -283,7 +283,4 @@ _kdc_windc_client_access (
        struct hdb_entry_ex */*client*/,
        KDC_REQ */*req*/);
 
-krb5_error_code
-_kdc_windc_init (krb5_context /*context*/);
-
 #endif /* __kdc_private_h__ */
index 69bc871b01dd30ebacdd5443edfeb340a6f1d290..f7df365eb2aa9503f2178da17cc56723a3050010 100644 (file)
@@ -37,8 +37,10 @@ kdc_openlog (
        krb5_context /*context*/,
        krb5_kdc_configuration */*config*/);
 
-void
-krb5_kdc_default_config (krb5_kdc_configuration */*config*/);
+int
+krb5_kdc_get_config (
+       krb5_context /*context*/,
+       krb5_kdc_configuration **/*config*/);
 
 int
 krb5_kdc_process_krb5_request (
@@ -63,6 +65,21 @@ krb5_kdc_process_request (
        struct sockaddr */*addr*/,
        int /*datagram_reply*/);
 
+int
+krb5_kdc_save_request (
+       krb5_context /*context*/,
+       const char */*fn*/,
+       const unsigned char */*buf*/,
+       size_t /*len*/,
+       const krb5_data */*reply*/,
+       const struct sockaddr */*sa*/);
+
+void
+krb5_kdc_update_time (struct timeval */*tv*/);
+
+krb5_error_code
+krb5_kdc_windc_init (krb5_context /*context*/);
+
 #ifdef __cplusplus
 }
 #endif
index ea9eb7125e504d86b02463082f2afb5723c53429..eb24b4ee97012dad0ef50f801763d1d7c7cf1df4 100644 (file)
@@ -35,7 +35,7 @@
  */
 
 /* 
- * $Id: kdc.h,v 1.11 2006/12/28 21:06:56 lha Exp $ 
+ * $Id: kdc.h 19907 2007-01-14 23:10:24Z lha $ 
  */
 
 #ifndef __KDC_H__
@@ -86,6 +86,8 @@ typedef struct krb5_kdc_configuration {
     size_t max_datagram_reply_length;
 
     int enable_kx509;
+    const char *kx509_template;
+    const char *kx509_ca;
 
 } krb5_kdc_configuration;
 
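Review bot: `kx509_template` and `kx509_ca` are added as `const char *` with no note on who owns the memory; in the configuration code of this commit they appear to be assigned directly from `krb5_config_get_string` (no `strdup`, unlike `v4_realm` and `pkinit_kdc_ocsp_file`), so they alias strings owned by the krb5_context's parsed configuration and must not be freed with the structure. A comment on the two fields, e.g. `/* borrowed from the context's configuration; not owned by this struct */`, would stop a later cleanup routine from freeing them.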
index ae3b6584a570b91ff015cfcdfeb91dacd81330c8..fdbdf271defa233a161caf75256e03828517a977 100644 (file)
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: kdc_locl.h,v 1.76 2006/12/26 17:18:14 lha Exp $ 
+ * $Id: kdc_locl.h 20954 2007-06-07 03:30:15Z lha $ 
  */
 
 #ifndef __KDC_LOCL_H__
@@ -46,6 +46,7 @@ typedef struct pk_client_params pk_client_params;
 
 extern sig_atomic_t exit_flag;
 extern size_t max_request;
+extern const char *request_log;
 extern const char *port_str;
 extern krb5_addresses explicit_addresses;
 
@@ -55,18 +56,6 @@ extern int enable_http;
 
 extern int detach_from_console;
 
-extern int require_preauth; /* 1 == require preauth for all principals */
-
-extern const char *trpolicy_str;
-
-extern int disable_des;
-extern int enable_v4;
-extern int enable_kaserver;
-extern int enable_524;
-extern int enable_v4_cross_realm;
-
-extern char *v4_realm;
-
 extern const struct units _kdc_digestunits[];
 
 #define _PATH_KDC_CONF         HDB_DB_DIR "/kdc.conf"
@@ -81,6 +70,4 @@ loop(krb5_context context, krb5_kdc_configuration *config);
 krb5_kdc_configuration *
 configure(krb5_context context, int argc, char **argv);
 
-void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config);
-
 #endif /* __KDC_LOCL_H__ */
index 97e98d86ad3ae931b7a4da7f56e66e05a4618a3a..3c76bb99b22a24fb6bdeede9ca77fde3af14f4c2 100644 (file)
@@ -35,7 +35,7 @@
 
 #include <krb5-v4compat.h>
 
-RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $");
+RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $");
 
 #ifndef swap32
 static uint32_t
index bb0fda89e7693b5b9672faa38327529d8df82566..e34938447a263eb2479d01cbed4916a85186d647 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.231 2007/01/04 13:27:27 lha Exp $");
+RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -70,9 +70,12 @@ set_salt_padata (METHOD_DATA *md, Salt *salt)
     }
 }
 
-PA_DATA*
-_kdc_find_padata(KDC_REQ *req, int *start, int type)
+const PA_DATA*
+_kdc_find_padata(const KDC_REQ *req, int *start, int type)
 {
+    if (req->padata == NULL)
+       return NULL;
+
     while(*start < req->padata->len){
        (*start)++;
        if(req->padata->val[*start - 1].padata_type == type)
@@ -431,7 +434,8 @@ get_pa_etype_info(krb5_context context,
        ret = krb5_unparse_name(context, client->principal, &name);
        if (ret)
            name = rk_UNCONST("<unparse_name failed>");
-       kdc_log(context, config, 0, "internal error in get_pa_etype_info(%s): %d != %d", 
+       kdc_log(context, config, 0, 
+               "internal error in get_pa_etype_info(%s): %d != %d", 
                name, n, pa.len);
        if (ret == 0)
            free(name);
@@ -689,11 +693,11 @@ log_as_req(krb5_context context,
     }
     
     {
-       char _str[128];
+       char fixedstr[128];
        unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(), 
-                     _str, sizeof(_str));
-       if(*_str)
-           kdc_log(context, config, 2, "Requested flags: %s", _str);
+                     fixedstr, sizeof(fixedstr));
+       if(*fixedstr)
+           kdc_log(context, config, 2, "Requested flags: %s", fixedstr);
     }
 }
 
@@ -870,7 +874,7 @@ send_pac_p(krb5_context context, KDC_REQ *req)
 {
     krb5_error_code ret;
     PA_PAC_REQUEST pacreq;
-    PA_DATA *pa;
+    const PA_DATA *pa;
     int i = 0;
     
     pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
@@ -909,32 +913,37 @@ _kdc_as_rep(krb5_context context,
     KDCOptions f = b->kdc_options;
     hdb_entry_ex *client = NULL, *server = NULL;
     krb5_enctype cetype, setype, sessionetype;
+    krb5_data e_data;
     EncTicketPart et;
     EncKDCRepPart ek;
     krb5_principal client_princ = NULL, server_princ = NULL;
     char *client_name = NULL, *server_name = NULL;
     krb5_error_code ret = 0;
     const char *e_text = NULL;
-    krb5_data e_data;
     krb5_crypto crypto;
     Key *ckey, *skey;
     EncryptionKey *reply_key;
+    int flags = 0;
 #ifdef PKINIT
     pk_client_params *pkp = NULL;
 #endif
 
     memset(&rep, 0, sizeof(rep));
-    memset(&e_data, 0, sizeof(e_data));
+    krb5_data_zero(&e_data);
+
+    if (f.canonicalize)
+       flags |= HDB_F_CANON;
 
     if(b->sname == NULL){
        ret = KRB5KRB_ERR_GENERIC;
        e_text = "No server in request";
     } else{
-       _krb5_principalname2krb5_principal (context,
-                                           &server_princ,
-                                           *(b->sname),
-                                           b->realm);
-       ret = krb5_unparse_name(context, server_princ, &server_name);
+       ret = _krb5_principalname2krb5_principal (context,
+                                                 &server_princ,
+                                                 *(b->sname),
+                                                 b->realm);
+       if (ret == 0)
+           ret = krb5_unparse_name(context, server_princ, &server_name);
     }
     if (ret) {
        kdc_log(context, config, 0, 
@@ -946,10 +955,26 @@ _kdc_as_rep(krb5_context context,
        ret = KRB5KRB_ERR_GENERIC;
        e_text = "No client in request";
     } else {
-       _krb5_principalname2krb5_principal (context,
-                                           &client_princ,
-                                           *(b->cname),
-                                           b->realm);
+
+       if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+           if (b->cname->name_string.len != 1) {
+               kdc_log(context, config, 0,
+                       "AS-REQ malformed canon request from %s", from);
+               ret = KRB5_PARSE_MALFORMED;
+               goto out;
+           }
+           ret = krb5_parse_name(context, b->cname->name_string.val[0],
+                                 &client_princ);
+           if (ret)
+               goto out;
+       } else {
+           ret = _krb5_principalname2krb5_principal (context,
+                                                     &client_princ,
+                                                     *(b->cname),
+                                                     b->realm);
+           if (ret)
+               goto out;
+       }
        ret = krb5_unparse_name(context, client_princ, &client_name);
     }
     if (ret) {
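Review bot: In the new KRB5_NT_ENTERPRISE_PRINCIPAL branch the realm of client_princ is whatever krb5_parse_name() extracts from name_string.val[0] (or the default realm when the string carries no '@'), not b->realm as in the else branch, and nothing compares it with the realm the request was sent to. If that is intended because the HDB_F_CANON lookup that follows is expected to resolve it, say so in a comment above the krb5_parse_name() call; otherwise an explicit check against b->realm before the lookup is the place for it. The malformed-request branch also leaves e_text unset, so the client presumably sees only the bare error code. The rest of _kdc_as_rep lies outside the hunk.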
@@ -962,7 +987,7 @@ _kdc_as_rep(krb5_context context,
            client_name, from, server_name);
 
     ret = _kdc_db_fetch(context, config, client_princ, 
-                       HDB_F_GET_CLIENT, NULL, &client);
+                       HDB_F_GET_CLIENT | flags, NULL, &client);
     if(ret){
        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
                krb5_get_err_text(context, ret));
@@ -996,7 +1021,7 @@ _kdc_as_rep(krb5_context context,
 
     if(req->padata){
        int i;
-       PA_DATA *pa;
+       const PA_DATA *pa;
        int found_pa = 0;
 
        log_patypes(context, config, req->padata);
@@ -1041,7 +1066,7 @@ _kdc_as_rep(krb5_context context,
 
                kdc_log(context, config, 0, "%s", e_text);
                pkp = NULL;
-               goto ts_enc;
+               goto out;
            }
            found_pa = 1;
            et.flags.pre_authent = 1;
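Review bot: Replacing `goto ts_enc` with `goto out` makes a PK-AS-REQ that fails verification terminal instead of falling back to encrypted-timestamp preauth, a behaviour change that nothing in the surrounding code explains. State it next to the jump, e.g. `/* a failed PK-AS-REQ is fatal; do not fall back to PA-ENC-TIMESTAMP */`. Whether ret holds the PKINIT error at this point is decided before the hunk and should be confirmed, since out now returns it to the client.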
@@ -1169,6 +1194,8 @@ _kdc_as_rep(krb5_context context,
                        (unsigned)abs(kdc_time - p.patimestamp), 
                        context->max_skew,
                        client_name);
+#if 1
+               /* This code is from samba, needs testing */
                /* 
                 * the following is needed to make windows clients
                 * to retry using the timestamp in the error message
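Review bot: The `#if 1` / `#else` / `#endif` wrapped around the e_text assignment here (closed in the next hunk) leaves a permanently dead `e_text = "Too large time skew";` branch behind a comment saying the code needs testing, which a reader cannot act on. Keep the single live path and give its rationale in the existing comment, e.g. `/* e_text is deliberately NULL: Windows clients only retry with the KDC time when the skew error carries no e_text */`, and drop the preprocessor switch. If the alternative must stay selectable, make it a config option rather than a literal 1.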
@@ -1177,6 +1204,9 @@ _kdc_as_rep(krb5_context context,
                 * is present...
                 */
                e_text = NULL;
+#else
+               e_text = "Too large time skew";
+#endif
                goto out;
            }
            et.flags.pre_authent = 1;
@@ -1227,6 +1257,12 @@ _kdc_as_rep(krb5_context context,
        pa->padata_type         = KRB5_PADATA_PK_AS_REQ;
        pa->padata_value.length = 0;
        pa->padata_value.data   = NULL;
+
+       ret = realloc_method_data(&method_data);
+       pa = &method_data.val[method_data.len-1];
+       pa->padata_type         = KRB5_PADATA_PK_AS_REQ_WIN;
+       pa->padata_value.length = 0;
+       pa->padata_value.data   = NULL;
 #endif
 
        /* 
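Review bot: The return value of the added `ret = realloc_method_data(&method_data);` is never tested before `method_data.val[method_data.len-1]` is written, so an allocation failure writes into the old array (or past it, depending on what realloc_method_data leaves in len). Add `if (ret) goto out;` directly after the realloc, as the other error paths in this function do. The preceding block for KRB5_PADATA_PK_AS_REQ has the same shape, but its realloc is outside the hunk.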
@@ -1253,12 +1289,12 @@ _kdc_as_rep(krb5_context context,
        e_data.data   = buf;
        e_data.length = len;
        e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
+
        ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
 
        kdc_log(context, config, 0,
                "No preauth found, returning PREAUTH-REQUIRED -- %s",
                client_name);
-
        goto out;
     }
     
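Review bot: The line `e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",` ends in a comma rather than a semicolon, and this hunk inserts a blank line after it, so the comma operator now silently joins two statements across a blank line. It still assigns both e_text and ret (assignment binds tighter than the comma), but any statement added between them would change what the comma applies to. Change it to `e_text = "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ";` while touching these lines; the rest of the hunk is whitespace only.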
@@ -1283,45 +1319,57 @@ _kdc_as_rep(krb5_context context,
     if(ret)
        goto out;
 
+    /* 
+     * Select a session enctype from the list of the crypto systems
+     * supported enctype, is supported by the client and is one of the
+     * enctype of the enctype of the krbtgt.
+     *
+     * The later is used as a hint what enctype all KDC are supporting
+     * to make sure a newer version of KDC wont generate a session
+     * enctype that and older version of a KDC in the same realm can't
+     * decrypt.
+     *
+     * But if the KDC admin is paranoid and doesn't want to have "no
+     * the best" enctypes on the krbtgt, lets save the best pick from
+     * the client list and hope that that will work for any other
+     * KDCs.
+     */
     {
        const krb5_enctype *p;
-       int i, j, y;
+       krb5_enctype clientbest = ETYPE_NULL;
+       int i, j;
 
        p = krb5_kerberos_enctypes(context);
 
        sessionetype = ETYPE_NULL;
 
        for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
-           /* check it's valid */
            if (krb5_enctype_valid(context, p[i]) != 0)
                continue;
 
-           /* check if the client supports it */
            for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
-               if (p[i] == b->etype.val[j]) {
-                   /*
-                    * if the server (krbtgt) has explicit etypes,
-                    * check if it also supports it
-                    */
-                   if (server->entry.etypes) {
-                       for (y = 0; y < server->entry.etypes->len; y++) {
-                           if (p[i] == server->entry.etypes->val[y]) {
-                               sessionetype = p[i];
-                               break;
-                           }
-                       }
-                   } else {
-                       sessionetype = p[i];
-                       break;
-                   }
-               }
+               Key *dummy;
+               /* check with client */
+               if (p[i] != b->etype.val[j])
+                   continue; 
+               /* save best of union of { client, crypto system } */
+               if (clientbest == ETYPE_NULL)
+                   clientbest = p[i];
+               /* check with krbtgt */
+               ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
+               if (ret) 
+                   continue;
+               sessionetype = p[i];
            }
        }
-       if (sessionetype == ETYPE_NULL) {
-           kdc_log(context, config, 0, 
+       /* if krbtgt had no shared keys with client, pick clients best */
+       if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
+           sessionetype = clientbest;
+       } else if (sessionetype == ETYPE_NULL) {
+           kdc_log(context, config, 0,
                    "Client (%s) from %s has no common enctypes with KDC"
-                   "to use for the session key",
-                   client_name, from);
+                   "to use for the session key", 
+                   client_name, from); 
            goto out;
        }
     }
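Review bot: When the new clientbest fallback is taken, `ret` still holds the error of the last failed hdb_enctype2key() call from the loop, and execution continues past the block with that stale non-zero value; whether the next statement reassigns ret before anything tests it is outside the hunk. Set `ret = 0;` next to `sessionetype = clientbest;`. The no-common-enctypes branch has the opposite problem: hdb_enctype2key() is only called once clientbest is set, so that branch is reached with ret still 0 from the check above the block and goes to out without an error; give it `ret = KRB5KDC_ERR_ETYPE_NOSUPP;` before the goto. A one-line comment at the fallback assignment noting that the chosen enctype may be one the krbtgt has no key for would also help, since the long comment above is far from it.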
@@ -1534,6 +1582,58 @@ _kdc_as_rep(krb5_context context,
 
     set_salt_padata (rep.padata, ckey->salt);
 
+    /* Add signing of alias referral */
+    if (f.canonicalize) {
+       PA_ClientCanonicalized canon;
+       krb5_data data;
+       PA_DATA pa;
+       krb5_crypto crypto;
+       size_t len;
+
+       memset(&canon, 0, sizeof(canon));
+
+       canon.names.requested_name = *b->cname;
+       canon.names.real_name = client->entry.principal->name;
+
+       ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
+                          &canon.names, &len, ret);
+       if (ret) 
+           goto out;
+       if (data.length != len)
+           krb5_abortx(context, "internal asn.1 error");
+
+       /* sign using "returned session key" */
+       ret = krb5_crypto_init(context, &et.key, 0, &crypto);
+       if (ret) {
+           free(data.data);
+           goto out;
+       }
+
+       ret = krb5_create_checksum(context, crypto, 
+                                  KRB5_KU_CANONICALIZED_NAMES, 0,
+                                  data.data, data.length,
+                                  &canon.canon_checksum);
+       free(data.data);
+       krb5_crypto_destroy(context, crypto);
+       if (ret)
+           goto out;
+         
+       ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
+                          &canon, &len, ret);
+       free_Checksum(&canon.canon_checksum);
+       if (ret) 
+           goto out;
+       if (data.length != len)
+           krb5_abortx(context, "internal asn.1 error");
+
+       pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
+       pa.padata_value = data;
+       ret = add_METHOD_DATA(rep.padata, &pa);
+       free(data.data);
+       if (ret)
+           goto out;
+    }
+
     if (rep.padata->len == 0) {
        free(rep.padata);
        rep.padata = NULL;
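Review bot: The new canonicalization block declares a local `krb5_crypto crypto;` that shadows the function-level `crypto` declared near the top of _kdc_as_rep, which -Wshadow flags and which makes it easy to confuse the two handles in later edits; rename it, e.g. `krb5_crypto canon_crypto;`. The block also deserves a header comment on what it produces: `/* PA-CLIENT-CANONICALIZED: requested and real client names, checksummed with the reply session key under KRB5_KU_CANONICALIZED_NAMES so the client can verify the referral */`. canon.names holds shallow copies of b->cname and the HDB principal name, so only canon.canon_checksum must be freed; the code gets this right, but a comment on the two assignments would keep it that way.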
index a056839e5f3751a5a7034b429b34e89389b422cd..02cd92de2e3cb17f059ba31bc271ebf946d1b14c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: krb5tgs.c,v 1.25 2007/01/04 12:49:45 lha Exp $");
+RCSID("$Id: krb5tgs.c 21041 2007-06-10 06:21:12Z lha $");
 
 /*
  * return the realm of a krbtgt-ticket or NULL
@@ -656,7 +656,7 @@ tgs_make_reply(krb5_context context,
               KDC_REQ_BODY *b, 
               krb5_const_principal tgt_name,
               const EncTicketPart *tgt, 
-              const EncryptionKey *ekey,
+              const EncryptionKey *serverkey,
               const krb5_keyblock *sessionkey,
               krb5_kvno kvno,
               AuthorizationData *auth_data,
@@ -883,7 +883,7 @@ tgs_make_reply(krb5_context context,
     ret = _kdc_encode_reply(context, config, 
                            &rep, &et, &ek, et.key.keytype,
                            kvno, 
-                           ekey, 0, &tgt->key, e_text, reply);
+                           serverkey, 0, &tgt->key, e_text, reply);
 out:
     free_TGS_REP(&rep);
     free_TransitedEncoding(&et.transited);
@@ -1010,7 +1010,7 @@ static krb5_error_code
 tgs_parse_request(krb5_context context, 
                  krb5_kdc_configuration *config,
                  KDC_REQ_BODY *b,
-                 PA_DATA *tgs_req,
+                 const PA_DATA *tgs_req,
                  hdb_entry_ex **krbtgt,
                  krb5_enctype *krbtgt_etype,
                  krb5_ticket **ticket,
@@ -1258,6 +1258,7 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
+    int cross_realm = 0;
 
     PrincipalName *s;
     Realm r;
@@ -1421,6 +1422,8 @@ server_lookup:
        
        kdc_log(context, config, 1, "Client not found in database: %s: %s",
                cpn, krb5_get_err_text(context, ret));
+
+       cross_realm = 1;
     }
     
     /*
@@ -1707,21 +1710,25 @@ server_lookup:
     /* check PAC if there is one */
     {
        Key *tkey;
+       krb5_keyblock *tgtkey = NULL;
 
-       ret = hdb_enctype2key(context, &krbtgt->entry, 
-                             krbtgt_etype, &tkey);
-       if(ret) {
-           kdc_log(context, config, 0,
-                   "Failed to find key for krbtgt PAC check");
-           goto out;
+       if (!cross_realm) {
+           ret = hdb_enctype2key(context, &krbtgt->entry, 
+                                 krbtgt_etype, &tkey);
+           if(ret) {
+               kdc_log(context, config, 0,
+                       "Failed to find key for krbtgt PAC check");
+               goto out;
+           }
+           tgtkey = &tkey->key;
        }
 
        ret = check_PAC(context, config, client_principal, 
-                       client, server, ekey, &tkey->key, 
+                       client, server, ekey, tgtkey,
                        tgt, &rspac, &require_signedpath);
        if (ret) {
            kdc_log(context, config, 0,
-                   "check_PAC check failed for %s (%s) from %s with %s",
+                   "Verify PAC failed for %s (%s) from %s with %s",
                    spn, cpn, from, krb5_get_err_text(context, ret));
            goto out;
        }
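Review bot: check_PAC() is now called with `tgtkey == NULL` whenever cross_realm is set, and cross_realm is set on the "Client not found in database" path in the previous hunk, which also covers a same-realm client that is simply missing from the HDB if nothing before that log line rules that case out. Whether check_PAC treats a NULL key as "skip the KDC signature check" is outside the hunk, but if it does, the PAC in such a ticket is verified against the server key only. Either derive cross_realm from a realm comparison rather than from the lookup failure, or document the contract at the declaration: `/* NULL for cross-realm clients: the local krbtgt key cannot verify a foreign KDC's PAC signature */`.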
@@ -1804,7 +1811,7 @@ _kdc_tgs_rep(krb5_context context,
     AuthorizationData *auth_data = NULL;
     krb5_error_code ret;
     int i = 0;
-    PA_DATA *tgs_req = NULL;
+    const PA_DATA *tgs_req;
 
     hdb_entry_ex *krbtgt = NULL;
     krb5_ticket *ticket = NULL;
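Review bot: `const PA_DATA *tgs_req;` drops the `= NULL` initializer the old declaration had; if any path to the out label reads tgs_req before _kdc_find_padata() assigns it (the function body is outside the hunk), that is now an uninitialized read. Keep the initializer, `const PA_DATA *tgs_req = NULL;`, which costs nothing and matches the `= NULL` style of the declarations around it.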
index d817338f731decafb2afe3d7e5ababddc30b46b6..8414ecb4b2a2b5abf7c2fa9d895b47719268230d 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
 
 #include "kdc_locl.h"
 #include <hex.h>
+#include <rfc2459_asn1.h>
+#include <hx509.h>
 
-RCSID("$Id: kx509.c,v 1.1 2006/12/28 21:03:53 lha Exp $");
+RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $");
 
 /*
  *
@@ -140,72 +142,146 @@ build_certificate(krb5_context context,
                  krb5_principal principal,
                  krb5_data *certificate)
 {
-    /* XXX write code here to generate certificates */
-    FILE *in, *out;
-    krb5_error_code ret;
-    const char *program;
-    char *str, *strkey;
-    char tstr[64];
-    pid_t pid;
+    hx509_context hxctx = NULL;
+    hx509_ca_tbs tbs = NULL;
+    hx509_env env = NULL;
+    hx509_cert cert = NULL;
+    hx509_cert signer = NULL;
+    int ret;
+
+    if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
+       kdc_log(context, config, 0, "Principal is not a user");
+       return EINVAL;
+    }
 
-    snprintf(tstr, sizeof(tstr), "%lu", (unsigned long)endtime);
+    ret = hx509_context_init(&hxctx);
+    if (ret)
+       goto out;
 
-    ret = base64_encode(key->data, key->length, &strkey);
-    if (ret < 0) {
-       krb5_set_error_string(context, "failed to base64 encode key");
-       return ENOMEM;
-    }
+    ret = hx509_env_init(hxctx, &env);
+    if (ret)
+       goto out;
 
-    program = krb5_config_get_string(context,
-                                    NULL,
-                                    "kdc",
-                                    "kx509_cert_program",
-                                    NULL);
-    if (program == NULL) {
-       free(strkey);
-       krb5_set_error_string(context, "no certificate program configured");
-       return ENOENT;
-    }
+    ret = hx509_env_add(hxctx, env, "principal-name", 
+                       krb5_principal_get_comp_string(context, principal, 0));
+    if (ret)
+       goto out;
 
-    ret = krb5_unparse_name(context, principal, &str);
-    if (ret) {
-       free(strkey);
-       return ret;
+    {
+       hx509_certs certs;
+       hx509_query *q;
+
+       ret = hx509_certs_init(hxctx, config->kx509_ca, 0,
+                              NULL, &certs);
+       if (ret) {
+           kdc_log(context, config, 0, "Failed to load CA %s",
+                   config->kx509_ca);
+           goto out;
+       }
+       ret = hx509_query_alloc(hxctx, &q);
+       if (ret) {
+           hx509_certs_free(&certs);
+           goto out;
+       }
+
+       hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+       hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
+
+       ret = hx509_certs_find(hxctx, certs, q, &signer);
+       hx509_query_free(hxctx, q);
+       hx509_certs_free(&certs);
+       if (ret) {
+           kdc_log(context, config, 0, "Failed to find a CA in %s",
+                   config->kx509_ca);
+           goto out;
+       }
     }
 
-    pid = pipe_execv(&in, &out, NULL, program, str, tstr, NULL);
-    free(str);
-    if (pid <= 0) {
-       free(strkey);
-       krb5_set_error_string(context, 
-                             "Failed to run the cert program %s",
-                             program);
-       return ret;
+    ret = hx509_ca_tbs_init(hxctx, &tbs);
+    if (ret)
+       goto out;
+
+    {
+       SubjectPublicKeyInfo spki;
+       heim_any any;
+
+       memset(&spki, 0, sizeof(spki));
+
+       spki.subjectPublicKey.data = key->data;
+       spki.subjectPublicKey.length = key->length * 8;
+
+       ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(), 
+                          &spki.algorithm.algorithm);
+
+       any.data = "\x05\x00";
+       any.length = 2;
+       spki.algorithm.parameters = &any;
+
+       ret = hx509_ca_tbs_set_spki(hxctx, tbs, &spki);
+       der_free_oid(&spki.algorithm.algorithm);
+       if (ret)
+           goto out;
     }
-    fprintf(in, "%s\n", strkey);
-    fclose(in);
-    free(strkey);
 
     {
-       unsigned buf[1024 * 10];
-       size_t len;
+       hx509_certs certs;
+       hx509_cert template;
 
-       len = fread(buf, 1, sizeof(buf), out);
-       fclose(out);
-       if(len == 0) {
-           krb5_set_error_string(context, 
-                                 "Certificate program returned no data");
-           return KRB5KDC_ERR_PREAUTH_FAILED;
+       ret = hx509_certs_init(hxctx, config->kx509_template, 0,
+                              NULL, &certs);
+       if (ret) {
+           kdc_log(context, config, 0, "Failed to load template %s",
+                   config->kx509_template);
+           goto out;
        }
-       ret = krb5_data_copy(certificate, buf, len);
+       ret = hx509_get_one_cert(hxctx, certs, &template);
+       hx509_certs_free(&certs);
        if (ret) {
-           krb5_set_error_string(context, "Failed To copy certificate");
-           return ret;
+           kdc_log(context, config, 0, "Failed to find template in %s",
+                   config->kx509_template);
+           goto out;
        }
+       ret = hx509_ca_tbs_set_template(hxctx, tbs, 
+                                       HX509_CA_TEMPLATE_SUBJECT|
+                                       HX509_CA_TEMPLATE_KU|
+                                       HX509_CA_TEMPLATE_EKU,
+                                       template);
+       hx509_cert_free(template);
+       if (ret)
+           goto out;
     }
-    kill(pid, SIGKILL);
-    waitpid(pid, NULL, 0);
+
+    hx509_ca_tbs_set_notAfter(hxctx, tbs, endtime);
+
+    hx509_ca_tbs_subject_expand(hxctx, tbs, env);
+    hx509_env_free(&env);
+
+    ret = hx509_ca_sign(hxctx, tbs, signer, &cert);
+    hx509_cert_free(signer);
+    if (ret)
+       goto out;
+
+    hx509_ca_tbs_free(&tbs);
+
+    ret = hx509_cert_binary(hxctx, cert, certificate);
+    hx509_cert_free(cert);
+    if (ret)
+       goto out;
+                     
+    hx509_context_free(&hxctx);
+
     return 0;
+out:
+    if (env)
+       hx509_env_free(&env);
+    if (tbs)
+       hx509_ca_tbs_free(&tbs);
+    if (signer)
+       hx509_cert_free(signer);
+    if (hxctx)
+       hx509_context_free(&hxctx);
+    krb5_set_error_string(context, "cert creation failed");
+    return ret;
 }
 
 /*
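Review bot: `signer` is released with hx509_cert_free(signer) right after hx509_ca_sign() but not reset, so both failure paths that follow (hx509_ca_sign failing, and hx509_cert_binary failing) reach the out label where `if (signer) hx509_cert_free(signer);` frees it a second time; add `signer = NULL;` after that free. The result of `der_copy_oid(oid_id_pkcs1_rsaEncryption(), &spki.algorithm.algorithm)` is stored in ret but overwritten by hx509_ca_tbs_set_spki() before being tested, so insert `if (ret) goto out;` after it. The return values of hx509_ca_tbs_set_notAfter() and hx509_ca_tbs_subject_expand() are discarded as well, and the generic "cert creation failed" error string at out replaces whatever more specific message the failing hx509 call left. The signature of build_certificate begins before the hunk.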
@@ -299,6 +375,20 @@ _kdc_do_kx509(krb5_context context,
     if (ret)
        goto out;
 
+    /* Verify that the key is encoded RSA key */
+    {
+       RSAPublicKey key;
+       size_t size;
+
+       ret = decode_RSAPublicKey(req->pk_key.data, req->pk_key.length,
+                                 &key, &size);
+       if (ret)
+           goto out;
+       free_RSAPublicKey(&key);
+       if (size != req->pk_key.length)
+           ;
+    }
+
     ALLOC(rep.certificate);
     if (rep.certificate == NULL)
        goto out;
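Review bot: `if (size != req->pk_key.length) ;` is an empty statement, so the trailing-data check the comment promises never rejects anything, and bytes after the RSAPublicKey presumably end up verbatim in the SubjectPublicKeyInfo that build_certificate assembles from the key data. Reject the mismatch: `if (size != req->pk_key.length) { ret = KRB5KDC_ERR_PREAUTH_FAILED; goto out; }` (or whichever error the out path expects). A kdc_log() line when decode_RSAPublicKey() fails would also help diagnosis, since that path currently jumps to out silently. The rest of _kdc_do_kx509 is outside the hunk.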
index c316b0c5f88b0856827b547135d8b7efb47f9b74..977b1c9476015f3bd41a557cf57b74ef546eebc7 100644 (file)
@@ -32,7 +32,7 @@
  */
 
 #include "kdc_locl.h"
-RCSID("$Id: log.c,v 1.16 2005/06/30 01:52:48 lha Exp $");
+RCSID("$Id: log.c 15532 2005-06-30 01:54:49Z lha $");
 
 void
 kdc_openlog(krb5_context context, 
index b511e1a7a8d39a575ff8abec7ebad541bb0ae14a..ebf28735996a08c782af748133a62a09fa29fde3 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: misc.c,v 1.32 2006/08/28 14:41:49 lha Exp $");
+RCSID("$Id: misc.c 17951 2006-08-28 14:41:49Z lha $");
 
 struct timeval _kdc_now;
 
index 418a38d0307ab2b3969332c0cdf3b5725e20e9eb..bf62f879db7719eb18132d6a7cf0055bc3076a75 100755 (executable)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c,v 1.86 2007/01/04 12:54:09 lha Exp $");
+RCSID("$Id: pkinit.c 21039 2007-06-10 06:20:31Z lha $");
 
 #ifdef PKINIT
 
@@ -97,7 +97,7 @@ static struct {
 static krb5_error_code
 pk_check_pkauthenticator_win2k(krb5_context context,
                               PKAuthenticator_Win2k *a,
-                              KDC_REQ *req)
+                              const KDC_REQ *req)
 {
     krb5_timestamp now;
 
@@ -114,7 +114,7 @@ pk_check_pkauthenticator_win2k(krb5_context context,
 static krb5_error_code
 pk_check_pkauthenticator(krb5_context context,
                         PKAuthenticator *a,
-                        KDC_REQ *req)
+                        const KDC_REQ *req)
 {
     u_char *buf = NULL;
     size_t buf_size;
@@ -365,8 +365,8 @@ get_dh_param(krb5_context context,
 krb5_error_code
 _kdc_pk_rd_padata(krb5_context context,
                  krb5_kdc_configuration *config,
-                 KDC_REQ *req,
-                 PA_DATA *pa,
+                 const KDC_REQ *req,
+                 const PA_DATA *pa,
                  pk_client_params **ret_params)
 {
     pk_client_params *client_params;
@@ -375,7 +375,6 @@ _kdc_pk_rd_padata(krb5_context context,
     krb5_data eContent = { 0, NULL };
     krb5_data signed_content = { 0, NULL };
     const char *type = "unknown type";
-    const heim_oid *pa_contentType;
     int have_data = 0;
 
     *ret_params = NULL;
@@ -385,6 +384,8 @@ _kdc_pk_rd_padata(krb5_context context,
        return 0;
     }
 
+    hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
+
     client_params = calloc(1, sizeof(*client_params));
     if (client_params == NULL) {
        krb5_clear_error_string(context);
@@ -396,7 +397,6 @@ _kdc_pk_rd_padata(krb5_context context,
        PA_PK_AS_REQ_Win2k r;
 
        type = "PK-INIT-Win2k";
-       pa_contentType = oid_id_pkcs7_data();
 
        ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
                                        pa->padata_value.length,
@@ -422,7 +422,6 @@ _kdc_pk_rd_padata(krb5_context context,
        PA_PK_AS_REQ r;
 
        type = "PK-INIT-IETF";
-       pa_contentType = oid_id_pkauthdata();
 
        ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
                                  pa->padata_value.length,
@@ -467,7 +466,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                                   edi->val[i].issuerAndSerialNumber->length,
                                                   &iasn,
                                                   &size);
-               if (ret || size != 0) {
+               if (ret) {
                    hx509_query_free(kdc_identity->hx509ctx, q);
                    continue;
                }
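Review bot: Replacing `if (ret || size != 0)` with `if (ret)` removes the length check instead of correcting it. If, as for the other decode_* functions in Heimdal, size is the number of bytes consumed, the old `size != 0` test rejected every successful decode, but the right test is against the encoded length: `if (ret || size != edi->val[i].issuerAndSerialNumber->length) {`, so that an IssuerAndSerialNumber with trailing bytes is not used to select a KDC certificate. The enclosing loop starts before the hunk.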
@@ -527,6 +526,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                      kdc_identity->verify_ctx,
                                      signed_content.data,
                                      signed_content.length,
+                                     NULL,
                                      kdc_identity->certpool,
                                      &eContentType,
                                      &eContent,
@@ -547,7 +547,9 @@ _kdc_pk_rd_padata(krb5_context context,
     }
 
     /* Signature is correct, now verify the signed message */
-    if (der_heim_oid_cmp(&eContentType, pa_contentType)) {
+    if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
+       der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
+    {
        krb5_set_error_string(context, "got wrong oid for pkauthdata");
        ret = KRB5_BADMSGTYPE;
        goto out;
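Review bot: The eContentType test now accepts either id-pkcs7-data or id-pkauthdata for both request flavours, where the removed code tied pkcs7-data to PK-INIT-Win2k and pkauthdata to PK-INIT-IETF, and the commit does not say why the binding was dropped. If this is for interoperability, record it in the comment above the test, e.g. `/* Either eContentType is accepted regardless of request flavour: <reason> */`; otherwise keep the per-type expectation by comparing only against the OID that matches `type`.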
@@ -639,6 +641,8 @@ _kdc_pk_rd_padata(krb5_context context,
     kdc_log(context, config, 0, "PK-INIT request of type %s", type);
 
 out:
+    if (ret)
+       krb5_warn(context, ret, "PKINIT");
 
     if (signed_content.data)
        free(signed_content.data);
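Review bot: The new `if (ret) krb5_warn(context, ret, "PKINIT");` at the out label reports every failed PK-INIT request through krb5_warn(), which by default writes to the warn destination (stderr) rather than the KDC log, and it fires for client-triggered failures (decode errors, bad signatures) as well as internal ones. Use the file's existing logging instead, `if (ret) kdc_log(context, config, 0, "PK-INIT failed: %s", krb5_get_err_text(context, ret));`, so the message lands with the other KDC log lines and honours the configured level.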
@@ -678,18 +682,41 @@ pk_mk_pa_reply_enckey(krb5_context context,
                      krb5_keyblock *reply_key,
                      ContentInfo *content_info)
 {
+    const heim_oid *envelopedAlg = NULL, *sdAlg = NULL;
     krb5_error_code ret;
     krb5_data buf, signed_data;
     size_t size;
+    int do_win2k = 0;
 
     krb5_data_zero(&buf);
     krb5_data_zero(&signed_data);
 
+    /*
+     * If the message client is a win2k-type but it send pa data
+     * 09-binding it expects a IETF (checksum) reply so there can be
+     * no replay attacks.
+     */
+
     switch (client_params->type) {
     case PKINIT_COMPAT_WIN2K: {
+       int i = 0;
+       if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL)
+           do_win2k = 1;
+       break;
+    }
+    case PKINIT_COMPAT_27:
+       break;
+    default:
+       krb5_abortx(context, "internal pkinit error");
+    }      
+
+    if (do_win2k) {
        ReplyKeyPack_Win2k kp;
        memset(&kp, 0, sizeof(kp));
 
+       envelopedAlg = oid_id_rsadsi_des_ede3_cbc();
+       sdAlg = oid_id_pkcs7_data();
+
        ret = copy_EncryptionKey(reply_key, &kp.replyKey);
        if (ret) {
            krb5_clear_error_string(context);
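Review bot: The comment introducing the do_win2k selection is hard to parse ("If the message client is a win2k-type but it send pa data 09-binding it expects a IETF (checksum) reply so there can be no replay attacks"); since it decides which reply format gets signed, it deserves a clear statement, e.g. `/* A Win2k-style client that also sent PA-PK-AS-09-BINDING expects the IETF ReplyKeyPack, whose checksum binds the reply to the request; use the Win2k format only when that padata is absent. */`. A short comment on the two `envelopedAlg`/`sdAlg` assignments, saying that the Win2k path forces 3DES-CBC for the envelope and pkcs7-data for the signed content while the IETF path leaves envelopedAlg NULL (presumably for the library default), would also help. The function continues past the hunk.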
@@ -701,13 +728,13 @@ pk_mk_pa_reply_enckey(krb5_context context,
                           buf.data, buf.length,
                           &kp, &size,ret);
        free_ReplyKeyPack_Win2k(&kp);
-       break;
-    }
-    case PKINIT_COMPAT_27: {
+    } else {
        krb5_crypto ascrypto;
        ReplyKeyPack kp;
        memset(&kp, 0, sizeof(kp));
 
+       sdAlg = oid_id_pkrkeydata();
+
        ret = copy_EncryptionKey(reply_key, &kp.replyKey);
        if (ret) {
            krb5_clear_error_string(context);
@@ -735,10 +762,6 @@ pk_mk_pa_reply_enckey(krb5_context context,
        }
        ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
        free_ReplyKeyPack(&kp);
-       break;
-    }
-    default:
-       krb5_abortx(context, "internal pkinit error");
     }
     if (ret) {
        krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
@@ -768,7 +791,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
            goto out;
        
        ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
-                                       oid_id_pkrkeydata(),
+                                       0,
+                                       sdAlg,
                                        buf.data,
                                        buf.length,
                                        NULL,
@@ -784,9 +808,21 @@ pk_mk_pa_reply_enckey(krb5_context context,
     if (ret) 
        goto out;
 
+    if (client_params->type == PKINIT_COMPAT_WIN2K) {
+       ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
+                                        &signed_data,
+                                        &buf);
+       if (ret)
+           goto out;
+       krb5_data_free(&signed_data);
+       signed_data = buf;
+    }
+
     ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
+                              0,
                               client_params->cert,
-                              signed_data.data, signed_data.length, NULL,
+                              signed_data.data, signed_data.length, 
+                              envelopedAlg,
                               oid_id_pkcs7_signedData(), &buf);
     if (ret)
        goto out;
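Review bot: After `signed_data = buf;` in the new Win2k wrapping block, `buf` and `signed_data` refer to the same allocation until hx509_cms_envelope_1() overwrites buf; if that call fails, `goto out` runs cleanup with both still pointing at it, which is a double free if out releases both (out is outside the hunk, but both are zeroed at function entry, which suggests it does). Add `krb5_data_zero(&buf);` right after `signed_data = buf;` so ownership is unambiguous.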
@@ -881,6 +917,7 @@ pk_mk_pa_reply_dh(krb5_context context,
            goto out;
        
        ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+                                       0,
                                        oid_id_pkdhkeydata(),
                                        buf.data,
                                        buf.length,
@@ -1125,6 +1162,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
            krb5_data_free(&ocsp.data);
 
            ocsp.expire = 0;
+           ocsp.next_update = kdc_time + 60 * 5;
 
            fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
            if (fd < 0) {
@@ -1168,11 +1206,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                        "PK-INIT failed to verify ocsp data %d", ret);
                krb5_data_free(&ocsp.data);
                ocsp.expire = 0;
-           } else if (ocsp.expire > 180)
+           } else if (ocsp.expire > 180) {
                ocsp.expire -= 180; /* refetch the ocsp before it expire */
-           
+               ocsp.next_update = ocsp.expire;
+           } else {
+               ocsp.next_update = kdc_time;
+           }
        out_ocsp:
-           ocsp.next_update = kdc_time + 3600;
            ret = 0;
        }
 
@@ -1199,10 +1239,10 @@ out:
 }
 
 static int
-pk_principal_from_X509(krb5_context context, 
-                      krb5_kdc_configuration *config,
-                      hx509_cert client_cert, 
-                      krb5_const_principal match)
+match_rfc_san(krb5_context context, 
+             krb5_kdc_configuration *config,
+             hx509_cert client_cert, 
+             krb5_const_principal match)
 {
     hx509_octet_string_list list;
     int ret, i, found = 0;
@@ -1254,6 +1294,68 @@ out:
     return 0;
 }
 
+static int
+match_ms_upn_san(krb5_context context, 
+                krb5_kdc_configuration *config,
+                hx509_cert client_cert, 
+                krb5_const_principal match)
+{
+    hx509_octet_string_list list;
+    krb5_principal principal = NULL;
+    int ret, found = 0;
+    MS_UPN_SAN upn;
+    size_t size;
+
+    memset(&list, 0 , sizeof(list));
+
+    ret = hx509_cert_find_subjectAltName_otherName(client_cert,
+                                                  oid_id_pkinit_ms_san(),
+                                                  &list);
+    if (ret)
+       goto out;
+
+    if (list.len != 1) {
+       kdc_log(context, config, 0,
+               "More then one PK-INIT MS UPN SAN");
+       goto out;
+    }
+
+    ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
+    if (ret) {
+       kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
+       goto out;
+    }
+
+    kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
+
+    ret = krb5_parse_name(context, upn, &principal);
+    free_MS_UPN_SAN(&upn);
+    if (ret) {
+       kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
+       goto out;
+    }
+
+    /* 
+     * This is very wrong, but will do for now, should really and a
+     * plugin to the windc layer to very this ACL.
+    */
+    strupr(principal->realm);
+
+    if (krb5_principal_compare(context, principal, match) == TRUE)
+       found = 1;
+
+out:
+    if (principal)
+       krb5_free_principal(context, principal);
+    hx509_free_octet_string_list(&list);    
+    if (ret)
+       return ret;
+
+    if (!found)
+       return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+
+    return 0;
+}
 
 krb5_error_code
 _kdc_pk_check_client(krb5_context context,
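Review bot: match_ms_upn_san() parses the UPN with krb5_parse_name(), which supplies the default realm when the string has no '@', and then uppercases whatever realm results before comparing; the comment already calls the uppercasing "very wrong", but the defaulting is the bigger gap, since it decides which realm a bare UPN is matched against. Reject a UPN without a realm separator before parsing, `if (strchr(upn, '@') == NULL) { free_MS_UPN_SAN(&upn); ret = KRB5_PARSE_MALFORMED; goto out; }` (KRB5_PARSE_MALFORMED is already used in this commit), and replace the current comment with the intended policy. Two smaller points: the `list.len != 1` branch logs "More then one" although it also fires for zero SANs, and `size` from decode_MS_UPN_SAN() is never compared with list.val[0].length.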
@@ -1283,14 +1385,22 @@ _kdc_pk_check_client(krb5_context context,
            *subject_name);
 
     if (config->enable_pkinit_princ_in_cert) {
-       ret = pk_principal_from_X509(context, config, 
-                                    client_params->cert,
-                                    client->entry.principal);
+       ret = match_rfc_san(context, config,
+                           client_params->cert,
+                           client->entry.principal);
        if (ret == 0) {
            kdc_log(context, config, 5,
                    "Found matching PK-INIT SAN in certificate");
            return 0;
        }
+       ret = match_ms_upn_san(context, config,
+                              client_params->cert,
+                              client->entry.principal);
+       if (ret == 0) {
+           kdc_log(context, config, 5,
+                   "Found matching MS UPN SAN in certificate");
+           return 0;
+       }
     }
 
     ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
@@ -1330,10 +1440,17 @@ _kdc_pk_check_client(krb5_context context,
        return 0;
     }
 
+    krb5_set_error_string(context,
+                         "PKINIT no matching principals for %s",
+                         *subject_name);
+
+    kdc_log(context, config, 5,
+           "PKINIT no matching principals for %s",
+           *subject_name);
+
     free(*subject_name);
     *subject_name = NULL;
 
-    krb5_set_error_string(context, "PKINIT no matching principals");
     return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 }
 
@@ -1396,7 +1513,56 @@ _kdc_add_inital_verified_cas(krb5_context context,
     return ret;
 }
 
+/*
+ *
+ */
 
+static void
+load_mappings(krb5_context context, const char *fn)
+{
+    krb5_error_code ret;
+    char buf[1024];
+    unsigned long lineno = 0;
+    FILE *f;
+
+    f = fopen(fn, "r");
+    if (f == NULL)
+       return;
+
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+       char *subject_name, *p;
+    
+       buf[strcspn(buf, "\n")] = '\0';
+       lineno++;
+
+       p = buf + strspn(buf, " \t");
+
+       if (*p == '#' || *p == '\0')
+           continue;
+
+       subject_name = strchr(p, ':');
+       if (subject_name == NULL) {
+           krb5_warnx(context, "pkinit mapping file line %lu "
+                      "missing \":\" :%s",
+                      lineno, buf);
+           continue;
+       }
+       *subject_name++ = '\0';
+
+       ret = add_principal_mapping(context, p, subject_name);
+       if (ret) {
+           krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
+                     lineno, buf);
+           continue;
+       }
+    } 
+
+    fclose(f);
+}
+                  
+/*
+ *
+ */
 
 krb5_error_code
 _kdc_pk_initialize(krb5_context context,
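Review bot: load_mappings returns silently when fopen fails, whereas the code it replaces in _kdc_pk_initialize (the last hunk of this file) warned with `krb5_warnx(context, "PKINIT: failed to load mappings file %s", file);`, so a mistyped pkinit_mappings_file path now leaves the KDC with no mappings and no diagnostic. Restore the warning in the `f == NULL` branch: `krb5_warnx(context, "PKINIT: failed to load mappings file %s", fn);`. The empty `/* * */` header above the function should also state the file format, e.g. `/* Load "principal:subject" pairs from fn, one per line; leading blanks are skipped and blank or #-prefixed lines are ignored. */`. fopen(NULL) is undefined behaviour, so if krb5_config_get_string can return NULL for an unset key the caller needs to guard fn first; that cannot be confirmed from this hunk.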
@@ -1408,9 +1574,6 @@ _kdc_pk_initialize(krb5_context context,
 {
     const char *file; 
     krb5_error_code ret;
-    char buf[1024];
-    unsigned long lineno = 0;
-    FILE *f;
 
     file = krb5_config_get_string(context, NULL,
                                  "libdefaults", "moduli", NULL);
@@ -1481,41 +1644,8 @@ _kdc_pk_initialize(krb5_context context,
                                          "kdc",
                                          "pkinit_mappings_file",
                                          NULL);
-    f = fopen(file, "r");
-    if (f == NULL) {
-       krb5_warnx(context, "PKINIT: failed to load mappings file %s", file);
-       return 0;
-    }
-
-    while (fgets(buf, sizeof(buf), f) != NULL) {
-       char *subject_name, *p;
-    
-       buf[strcspn(buf, "\n")] = '\0';
-       lineno++;
-
-       p = buf + strspn(buf, " \t");
-
-       if (*p == '#' || *p == '\0')
-           continue;
 
-       subject_name = strchr(p, ':');
-       if (subject_name == NULL) {
-           krb5_warnx(context, "pkinit mapping file line %lu "
-                      "missing \":\" :%s",
-                      lineno, buf);
-           continue;
-       }
-       *subject_name++ = '\0';
-
-       ret = add_principal_mapping(context, p, subject_name);
-       if (ret) {
-           krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
-                     lineno, buf);
-           continue;
-       }
-    } 
-
-    fclose(f);
+    load_mappings(context, file);
 
     return 0;
 }
index a64efaa05ddd216d7898fa7170ff0fa8b265dbe7..1d0a01a215d10caa162ca62a6e1a4b4c55d6368e 100644 (file)
 
 #include "kdc_locl.h"
 
-RCSID("$Id: process.c,v 1.7 2006/12/28 21:09:35 lha Exp $");
+RCSID("$Id: process.c 20959 2007-06-07 04:46:06Z lha $");
+
+/*
+ *
+ */
+
+void
+krb5_kdc_update_time(struct timeval *tv)
+{
+    if (tv == NULL)
+       gettimeofday(&_kdc_now, NULL);
+    else
+       _kdc_now = *tv;
+}
 
 /*
  * handle the request in `buf, len', from `addr' (or `from' as a string),
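Review bot: The empty comment block above krb5_kdc_update_time should document the contract this commit creates: the gettimeofday calls removed from krb5_kdc_process_request and krb5_kdc_process_krb5_request (the next two hunks) mean the embedding server must now call krb5_kdc_update_time before every request, otherwise every timestamp derived from _kdc_now is stale, or zero at start-up. Suggested text: `/* Set the KDC's notion of "now" for the request that follows. Must be called before each krb5_kdc_process_*request call; pass NULL to sample the wall clock, or a caller-supplied tv. */`. The gettimeofday return value is unchecked; a failure leaves _kdc_now unchanged, which the comment could state.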
@@ -59,7 +72,6 @@ krb5_kdc_process_request(krb5_context context,
     krb5_error_code ret;
     size_t i;
 
-    gettimeofday(&_kdc_now, NULL);
     if(decode_AS_REQ(buf, len, &req, &i) == 0){
        krb5_data req_buffer;
 
@@ -121,7 +133,6 @@ krb5_kdc_process_krb5_request(krb5_context context,
     krb5_error_code ret;
     size_t i;
 
-    gettimeofday(&_kdc_now, NULL);
     if(decode_AS_REQ(buf, len, &req, &i) == 0){
        krb5_data req_buffer;
 
@@ -139,3 +150,70 @@ krb5_kdc_process_krb5_request(krb5_context context,
     }
     return -1;
 }
+
+/*
+ *
+ */
+
+int
+krb5_kdc_save_request(krb5_context context, 
+                     const char *fn,
+                     const unsigned char *buf,
+                     size_t len,
+                     const krb5_data *reply,
+                     const struct sockaddr *sa)
+{
+    krb5_storage *sp;
+    krb5_address a;
+    int fd, ret;
+    uint32_t t;
+    krb5_data d;
+
+    memset(&a, 0, sizeof(a));
+
+    d.data = rk_UNCONST(buf);
+    d.length = len;
+    t = _kdc_now.tv_sec;
+
+    fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
+    if (fd < 0) {
+       krb5_set_error_string(context, "Failed to open: %s", fn);
+       return errno;
+    }
+    
+    sp = krb5_storage_from_fd(fd);
+    close(fd);
+    if (sp == NULL) {
+       krb5_set_error_string(context, "Storage failed to open fd");
+       return ENOMEM;
+    }
+
+    ret = krb5_sockaddr2address(context, sa, &a);
+    if (ret)
+       goto out;
+
+    krb5_store_uint32(sp, 1);
+    krb5_store_uint32(sp, t);
+    krb5_store_address(sp, a);
+    krb5_store_data(sp, d);
+    {
+       Der_class cl;
+       Der_type ty;
+       unsigned int tag;
+       ret = der_get_tag (reply->data, reply->length,
+                          &cl, &ty, &tag, NULL);
+       if (ret) {
+           krb5_store_uint32(sp, 0xffffffff);
+           krb5_store_uint32(sp, 0xffffffff);
+       } else {
+           krb5_store_uint32(sp, MAKE_TAG(cl, ty, 0));
+           krb5_store_uint32(sp, tag);
+       }
+    }
+
+    krb5_free_address(context, &a);
+out:
+    krb5_storage_free(sp);
+
+    return 0;
+}
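Review bot: The `out:` label returns 0 unconditionally, so a failure of krb5_sockaddr2address is reported to the caller as success, and the errno returned when open() fails is read only after krb5_set_error_string has run, which formats and allocates and so can clobber it. Save errno before building the error string, and return ret from the cleanup path, resetting it to 0 once the record has been written (ret otherwise still holds der_get_tag's result, which the code deliberately tolerates). The krb5_store_* return values are also ignored, so a short write to the request log passes unnoticed; whether that matters depends on what the log is used for. fd is closed immediately after krb5_storage_from_fd, which is only correct if that function dups the descriptor; a comment saying so would help the next reader.
```c
    fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
    if (fd < 0) {
	int save_errno = errno;
	krb5_set_error_string(context, "Failed to open: %s", fn);
	return save_errno;
    }
    /* … unchanged: storage setup, address conversion, record stores, reply tag probe … */
    krb5_free_address(context, &a);
    ret = 0;
out:
    krb5_storage_free(sp);
    return ret;
```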
index 370e33732f4acc98090a8a1db8ae37cb768fa680..18806d79dae694a4371b899a78743440e7ba6d70 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */
+/* $Id: rx.h 17447 2006-05-05 10:52:01Z lha $ */
 
 #ifndef __RX_H__
 #define __RX_H__
index 41e4ad1bbc8f967ebbf82acc33a33654e3ce8de7..395ab7343284667ab7119def32d9cf1ff5e38dae 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: windc.c,v 1.3 2007/01/04 11:10:06 lha Exp $");
+RCSID("$Id: windc.c 20559 2007-04-24 16:00:07Z lha $");
 
 static krb5plugin_windc_ftable *windcft;
 static void *windcctx;
@@ -43,7 +43,7 @@ static void *windcctx;
  */
 
 krb5_error_code
-_kdc_windc_init(krb5_context context)
+krb5_kdc_windc_init(krb5_context context)
 {
     struct krb5_plugin *list = NULL, *e;
     krb5_error_code ret;
@@ -91,10 +91,11 @@ _kdc_pac_verify(krb5_context context,
                krb5_pac *pac)
 {
     if (windcft == NULL) {
-       krb5_set_error_string(context, "Can't verify WINDC, no function");
+       krb5_set_error_string(context, "Can't verify PAC, no function");
        return EINVAL;
     }
-    return (windcft->pac_verify)(windcctx, context, client_principal, client, server, pac);
+    return (windcft->pac_verify)(windcctx, context, 
+                                client_principal, client, server, pac);
 }
 
 krb5_error_code
index a3b7534480a649d0a93f58d620614bcedd708c1c..ec480cf950c667414e0e392da0e5607a530c2b59 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: windc_plugin.h,v 1.2 2007/01/04 11:13:51 lha Exp $ */
+/* $Id: windc_plugin.h 19798 2007-01-10 15:24:51Z lha $ */
 
 #ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
 #define HEIMDAL_KRB5_PAC_PLUGIN_H 1
@@ -58,7 +58,9 @@ typedef krb5_error_code
 typedef krb5_error_code 
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
                               const krb5_principal,
-                              struct hdb_entry_ex *,  struct hdb_entry_ex *, krb5_pac *);
+                              struct hdb_entry_ex *, 
+                              struct hdb_entry_ex *,
+                              krb5_pac *);
 
 typedef krb5_error_code 
 (*krb5plugin_windc_client_access)(
index 667e0963b012cf841c7b99382bfad2db60d3129a..29a9bdd5c725742753f41085a4a943b28a8f4e18 100644 (file)
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c,v 1.141 2006/12/12 16:35:41 lha Exp $");
+RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $");
 
-#ifndef KRB4
 #include "krb5-v4compat.h"
-#endif
 
 struct krb5_pk_identity;
 struct krb5_pk_cert;
@@ -46,6 +44,7 @@ struct krb5_dh_moduli;
 struct krb5_plugin;
 enum plugin_type;
 #include "krb5-private.h"
+#include "heimntlm.h"
 
 int forwardable_flag   = -1;
 int proxiable_flag     = -1;
@@ -74,6 +73,8 @@ char *password_file   = NULL;
 char *pk_user_id       = NULL;
 char *pk_x509_anchors  = NULL;
 int pk_use_enckey      = 0;
+static int canonicalize_flag = 0;
+static char *ntlm_domain;
 
 static char *krb4_cc_name;
 
@@ -153,18 +154,21 @@ static struct getargs args[] = {
     { "password-file", 0,   arg_string, &password_file,
       "read the password from a file" },
 
+    { "canonicalize",0,   arg_flag, &canonicalize_flag,
+      "canonicalize client principal" },
 #ifdef PKINIT
-    {  "pk-user",      'C',    arg_string,     &pk_user_id,
-       "principal's public/private/certificate identifier",
-       "id" },
-
-    {  "x509-anchors", 'D',  arg_string, &pk_x509_anchors,
-       "directory with CA certificates", "directory" },
+    { "pk-user",       'C',    arg_string,     &pk_user_id,
+      "principal's public/private/certificate identifier", "id" },
 
-    {  "pk-use-enckey",        0,  arg_flag, &pk_use_enckey,
-       "Use RSA encrypted reply (instead of DH)" },
+    { "x509-anchors",  'D',  arg_string, &pk_x509_anchors,
+      "directory with CA certificates", "directory" },
 
+    { "pk-use-enckey", 0,  arg_flag, &pk_use_enckey,
+      "Use RSA encrypted reply (instead of DH)" },
 #endif
+    { "ntlm-domain",   0,  arg_string, &ntlm_domain,
+      "NTLM domain", "domain" },
+
     { "version",       0,   arg_flag, &version_flag },
     { "help",          0,   arg_flag, &help_flag }
 };
@@ -179,130 +183,6 @@ usage (int ret)
     exit (ret);
 }
 
-#ifdef KRB4
-/* for when the KDC tells us it's a v4 one, we try to talk that */
-
-static int
-key_to_key(const char *user,
-          char *instance,
-          const char *realm,
-          const void *arg,
-          des_cblock *key)
-{
-    memcpy(key, arg, sizeof(des_cblock));
-    return 0;
-}
-
-static int
-do_v4_fallback (krb5_context context,
-               const krb5_principal principal,
-               int lifetime,
-               int use_srvtab, const char *srvtab_str,
-               const char *passwd)
-{
-    int ret;
-    krb_principal princ;
-    des_cblock key;
-    krb5_error_code kret;
-
-    if (lifetime == 0)
-       lifetime = DEFAULT_TKT_LIFE;
-    else
-       lifetime = krb_time_to_life (0, lifetime);
-
-    kret = krb5_524_conv_principal (context, principal,
-                                   princ.name,
-                                   princ.instance,
-                                   princ.realm);
-    if (kret) {
-       krb5_warn (context, kret, "krb5_524_conv_principal");
-       return 1;
-    }
-
-    if (use_srvtab || srvtab_str) {
-       if (srvtab_str == NULL)
-           srvtab_str = KEYFILE;
-
-       ret = read_service_key (princ.name, princ.instance, princ.realm,
-                               0, srvtab_str, (char *)&key);
-       if (ret) {
-           warnx ("read_service_key %s: %s", srvtab_str,
-                  krb_get_err_text (ret));
-           return 1;
-       }
-       ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
-                             KRB_TICKET_GRANTING_TICKET, princ.realm,
-                             lifetime, key_to_key, NULL, key);
-    } else {
-       ret = krb_get_pw_in_tkt(princ.name, princ.instance, princ.realm, 
-                               KRB_TICKET_GRANTING_TICKET, princ.realm, 
-                               lifetime, passwd);
-    }
-    memset (key, 0, sizeof(key));
-    if (ret) {
-       warnx ("%s", krb_get_err_text(ret));
-       return 1;
-    }
-    if (do_afslog && k_hasafs()) {
-       if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
-           if(ret > 0)
-               warnx ("%s", krb_get_err_text(ret));
-           else
-               warnx ("failed to store AFS token");
-       }
-    }
-    return 0;
-}
-
-
-/*
- * the special version of get_default_principal that takes v4 into account
- */
-
-static krb5_error_code
-kinit_get_default_principal (krb5_context context,
-                            krb5_principal *princ)
-{
-    krb5_error_code ret;
-    krb5_ccache id;
-    krb_principal v4_princ;
-    int kret;
-
-    ret = krb5_cc_default (context, &id);
-    if (ret == 0) {
-       ret = krb5_cc_get_principal (context, id, princ);
-       krb5_cc_close (context, id);
-       if (ret == 0)
-           return 0;
-    }
-
-    kret = krb_get_tf_fullname (tkt_string(),
-                               v4_princ.name,
-                               v4_princ.instance,
-                               v4_princ.realm);
-    if (kret == KSUCCESS) {
-       ret = krb5_425_conv_principal (context,
-                                      v4_princ.name,
-                                      v4_princ.instance,
-                                      v4_princ.realm,
-                                      princ);
-       if (ret == 0)
-           return 0;
-    }
-    return krb5_get_default_principal (context, princ);
-}
-
-#else /* !KRB4 */
-
-static krb5_error_code
-kinit_get_default_principal (krb5_context context,
-                            krb5_principal *princ)
-{
-    return krb5_get_default_principal (context, princ);
-}
-
-#endif /* !KRB4 */
-
 static krb5_error_code
 get_server(krb5_context context,
           krb5_principal client,
@@ -456,6 +336,39 @@ out:
     return ret;
 }
 
+static krb5_error_code
+store_ntlmkey(krb5_context context, krb5_ccache id, 
+             const char *domain, krb5_const_principal client,
+             struct ntlm_buf *buf)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+    
+    memset(&cred, 0, sizeof(cred));
+
+    ret = krb5_make_principal(context, &cred.server,
+                             krb5_principal_get_realm(context, client),
+                             "@ntlm-key", domain, NULL);
+    if (ret)
+       goto out;
+    ret = krb5_copy_principal(context, client, &cred.client);
+    if (ret)
+       goto out;
+    
+    cred.times.authtime = time(NULL);
+    cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
+    cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
+    ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
+    if (ret)
+       goto out;
+
+    ret = krb5_cc_store_cred(context, id, &cred);
+
+out:
+    krb5_free_cred_contents (context, &cred);
+    return 0;
+}
+
 static krb5_error_code
 get_new_tickets(krb5_context context, 
                krb5_principal principal,
@@ -471,7 +384,9 @@ get_new_tickets(krb5_context context,
     krb5_deltat renew = 0;
     char *renewstr = NULL;
     krb5_enctype *enctype = NULL;
+    struct ntlm_buf ntlmkey;
 
+    memset(&ntlmkey, 0, sizeof(ntlmkey));
     passwd[0] = '\0';
 
     if (password_file) {
@@ -500,8 +415,8 @@ get_new_tickets(krb5_context context,
     if (ret)
        krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
     
-    krb5_get_init_creds_opt_set_default_flags(context, "kinit", 
-                                             /* XXX */principal->realm, opt);
+    krb5_get_init_creds_opt_set_default_flags(context, "kinit",
+       krb5_principal_get_realm(context, principal), opt);
 
     if(forwardable_flag != -1)
        krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
@@ -512,6 +427,8 @@ get_new_tickets(krb5_context context,
     if (pac_flag != -1)
        krb5_get_init_creds_opt_set_pac_request(context, opt, 
                                                pac_flag ? TRUE : FALSE);
+    if (canonicalize_flag)
+       krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
     if (pk_user_id) {
        ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
                                                 principal,
@@ -629,19 +546,8 @@ get_new_tickets(krb5_context context,
                                            opt);
     }
     krb5_get_init_creds_opt_free(context, opt);
-#ifdef KRB4
-    if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
-       int exit_val;
-
-       exit_val = do_v4_fallback (context, principal, ticket_life,
-                                  use_keytab, keytab_str, passwd);
-       get_v4_tgt = 0;
-       do_afslog  = 0;
-       memset(passwd, 0, sizeof(passwd));
-       if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY)
-           return exit_val;
-    }
-#endif
+    if (ntlm_domain && passwd[0])
+       heim_ntlm_nt_key(passwd, &ntlmkey);
     memset(passwd, 0, sizeof(passwd));
 
     switch(ret){
@@ -651,8 +557,12 @@ get_new_tickets(krb5_context context,
        exit(1);
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
     case KRB5KRB_AP_ERR_MODIFIED:
+    case KRB5KDC_ERR_PREAUTH_FAILED:
        krb5_errx(context, 1, "Password incorrect");
        break;
+    case KRB5KRB_AP_ERR_V4_REPLY:
+       krb5_errx(context, 1, "Looks like a Kerberos 4 reply");
+       break;
     default:
        krb5_err(context, 1, ret, "krb5_get_init_creds");
     }
@@ -685,6 +595,9 @@ get_new_tickets(krb5_context context,
 
     krb5_free_cred_contents (context, &cred);
 
+    if (ntlm_domain && ntlmkey.data)
+       store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
+
     if (enctype)
        free(enctype);
 
@@ -774,6 +687,7 @@ main (int argc, char **argv)
     krb5_principal principal;
     int optidx = 0;
     krb5_deltat ticket_life = 0;
+    int parseflags = 0;
 
     setprogname (argv[0]);
     
@@ -797,12 +711,15 @@ main (int argc, char **argv)
     argc -= optidx;
     argv += optidx;
 
+    if (canonicalize_flag)
+       parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+
     if (argv[0]) {
-       ret = krb5_parse_name (context, argv[0], &principal);
+       ret = krb5_parse_name_flags (context, argv[0], parseflags, &principal);
        if (ret)
            krb5_err (context, 1, ret, "krb5_parse_name");
     } else {
-       ret = kinit_get_default_principal (context, &principal);
+       ret = krb5_get_default_principal (context, &principal);
        if (ret)
            krb5_err (context, 1, ret, "krb5_get_default_principal");
     }
index 06403cbe67e03f9aaa6c6cb65478d941b577ce6e..36ea01a9a59f391e30596eff2025c0ef787ba52d 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kuser_locl.h,v 1.13 2003/01/21 14:13:51 nectar Exp $ */
+/* $Id: kuser_locl.h 20458 2007-04-19 20:41:27Z lha $ */
 
 #ifndef __KUSER_LOCL_H__
 #define __KUSER_LOCL_H__
@@ -75,9 +75,6 @@
 #include <err.h>
 #include <krb5.h>
 
-#ifdef KRB4
-#include <krb.h>
-#endif
 #if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
 #include <sys/ioctl.h>
 #endif
index ce43c2cd02f944f1941c93e4f4a2c2f5c303276e..685f0b1898313f9d03399a949590c499468058d7 100644 (file)
@@ -1,5 +1,5 @@
 -- From RFC 3369 --
--- $Id: CMS.asn1,v 1.5 2006/09/07 12:20:42 lha Exp $ --
+-- $Id: CMS.asn1 18054 2006-09-07 12:20:42Z lha $ --
 
 CMS DEFINITIONS ::= BEGIN
 
index 5f09cd6794650750cdc658c03c07e4de4e659365..15c4a09cd0d0725492c3ab9f155508a363dfe1ab 100644 (file)
@@ -1,4 +1,4 @@
-/* $Id: asn1-common.h,v 1.7 2006/12/28 17:14:10 lha Exp $ */
+/* $Id: asn1-common.h 19539 2006-12-28 17:15:05Z lha $ */
 
 #include <stddef.h>
 #include <time.h>
index 938b8eb988d98f496a638bcbdd8bbe289c09e646..67af1a44fc3b9977d418ae8817913187867a0096 100644 (file)
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: asn1_err.et,v 1.6 2006/10/24 14:11:20 lha Exp $"
+id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $"
 
 error_table asn1
 prefix ASN1
@@ -18,4 +18,5 @@ error_code BAD_LENGTH,                "ASN.1 length doesn't match expected value"
 error_code BAD_FORMAT,         "ASN.1 badly-formatted encoding"
 error_code PARSE_ERROR,                "ASN.1 parse error"
 error_code EXTRA_DATA,         "ASN.1 extra data past end of end structure"
+error_code BAD_CHARACTER,      "ASN.1 invalid character in string"
 end
index 5dc0ba2e2d399e8a54a29ad128878a5738b3bce1..65b382e6daf0bf3eabcaf50c8bf942cde819246f 100644 (file)
@@ -40,7 +40,7 @@
 #include <hex.h>
 #include <err.h>
 
-RCSID("$Id: asn1_gen.c,v 1.4 2006/01/30 15:06:03 lha Exp $");
+RCSID("$Id: asn1_gen.c 16666 2006-01-30 15:06:03Z lha $");
 
 static int
 doit(const char *fn)
index 2874b35f6a31ce8ff506652092f655a05e97ad6d..3659b3859d0d0a77c60b79e37587140cfdf13f1b 100644 (file)
@@ -1,5 +1,5 @@
 /*     $NetBSD: queue.h,v 1.38 2004/04/18 14:12:05 lukem Exp $ */
-/*     $Id: asn1_queue.h,v 1.2 2005/07/12 06:27:15 lha Exp $ */
+/*     $Id: asn1_queue.h 15617 2005-07-12 06:27:42Z lha $ */
 
 /*
  * Copyright (c) 1991, 1993
index 057f571bac7191c899f798ea30e912031020f762..edb8375ee35c38b20d967ad87c0096976250639c 100644 (file)
@@ -1,4 +1,4 @@
--- $Id: canthandle.asn1,v 1.6 2006/01/18 19:12:33 lha Exp $ --
+-- $Id: canthandle.asn1 16593 2006-01-18 19:12:33Z lha $ --
 
 CANTHANDLE DEFINITIONS ::= BEGIN
 
index 687b38112145623951b02331aaa751a7d3b49404..c7b911b8d6c82cc8601c187c0df32436d20bf804 100644 (file)
@@ -38,7 +38,7 @@
 #include <getarg.h>
 #include <err.h>
 
-RCSID("$Id: der.c,v 1.2 2005/07/12 06:27:19 lha Exp $");
+RCSID("$Id: der.c 15617 2005-07-12 06:27:42Z lha $");
 
 
 static const char *class_names[] = {
index b0170e35fe534bc1a5f76ae48c41deb81216e299..13e39320d4ecdcb910eacd604a110b175579c385 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der.h,v 1.36 2006/10/14 05:16:08 lha Exp $ */
+/* $Id: der.h 18437 2006-10-14 05:16:08Z lha $ */
 
 #ifndef __DER_H__
 #define __DER_H__
index 15e7b817a04ba4d9ef0eb47f283371548303ce41..04c4531ca5782224b2a25d638ebe13d1745b0aa9 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_copy.c,v 1.17 2006/12/28 17:14:17 lha Exp $");
+RCSID("$Id: der_copy.c 19539 2006-12-28 17:15:05Z lha $");
 
 int
 der_copy_general_string (const heim_general_string *from, 
index 32cf23cb39b665e98e4e7805e7b588389dcd2d0b..6908bddcc26ea7e40101130bb9bea3efdca7b64b 100644 (file)
@@ -34,7 +34,7 @@
 #include "der_locl.h"
 #include <hex.h>
 
-RCSID("$Id: der_format.c,v 1.8 2006/11/27 10:32:21 lha Exp $");
+RCSID("$Id: der_format.c 20861 2007-06-03 20:18:29Z lha $");
 
 int
 der_parse_hex_heim_integer (const char *p, heim_integer *data)
@@ -51,7 +51,7 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data)
     }
 
     len = strlen(p);
-    if (len < 0) {
+    if (len <= 0) {
        data->data = NULL;
        data->length = 0;
        return EINVAL;
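Review bot: `len <= 0` is only meaningful if len is signed; len comes from strlen, and if it is declared size_t (the declaration is outside this hunk) the `< 0` half was dead before and the `<= 0` form now reads as `== 0`, which is what the check means and what it should say: `if (len == 0) {`. If len is an int, the strlen result is narrowed first and a comment should note that. der_parse_hex_heim_integer starts and ends outside this hunk.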
@@ -74,7 +74,7 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data)
 
     {
        unsigned char *q = data->data;
-       while(*q == 0 && len > 0) {
+       while(len > 0 && *q == 0) {
            q++;
            len--;
        }
index 6827486d9f7720d44b5955d889e83760982746f7..851cb1d40775f8b5ad9218cb1f5e195815f021dd 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_free.c,v 1.14 2006/12/28 17:14:21 lha Exp $");
+RCSID("$Id: der_free.c 19539 2006-12-28 17:15:05Z lha $");
 
 void
 der_free_general_string (heim_general_string *str)
index a1ed23f10bce13f4300ef8f237dbf8c9a0566b9e..3022435b336497b9e4a414f8aa6978cb14ca6d69 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_get.c,v 1.51 2006/12/28 17:14:25 lha Exp $");
+RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $");
 
 #include <version.h>
 
@@ -135,8 +135,21 @@ int
 der_get_general_string (const unsigned char *p, size_t len, 
                        heim_general_string *str, size_t *size)
 {
+    const unsigned char *p1;
     char *s;
 
+    p1 = memchr(p, 0, len);
+    if (p1 != NULL) {
+       /* 
+        * Allow trailing NULs. We allow this since MIT Kerberos sends
+        * an strings in the NEED_PREAUTH case that includes a
+        * trailing NUL.
+        */
+       while (p1 - p < len && *p1 == '\0')
+           p1++;
+       if (p1 - p != len)
+           return ASN1_BAD_CHARACTER;
+    }
     if (len > len + 1)
        return ASN1_BAD_LENGTH;
 
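Review bot: `p1 - p < len` compares a ptrdiff_t with a size_t, so the signed side is converted to unsigned; it is correct here because p1 >= p, but it trips -Wsign-compare and reads as fragile — `while ((size_t)(p1 - p) < len && *p1 == '\0')` and `if ((size_t)(p1 - p) != len)` make the intent explicit. The added comment has a typo: `an strings` should read `strings`. memchr with a null p and len == 0 is technically undefined; whether any caller reaches this function that way is not visible here. der_get_general_string continues past the end of this hunk.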
@@ -180,6 +193,8 @@ der_get_bmp_string (const unsigned char *p, size_t len,
     if (len & 1)
        return ASN1_BAD_FORMAT;
     data->length = len / 2;
+    if (data->length > UINT_MAX/sizeof(data->data[0]))
+       return ERANGE;
     data->data = malloc(data->length * sizeof(data->data[0]));
     if (data->data == NULL && data->length != 0)
        return ENOMEM;
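Review bot: The overflow guard bounds data->length by UINT_MAX although the product it protects is computed in size_t for malloc; this is safe only because UINT_MAX <= SIZE_MAX everywhere, and on 64-bit hosts it rejects lengths between the two — harmless for BMP strings, but the bound should name the type it guards: `if (data->length > SIZE_MAX / sizeof(data->data[0]))` (SIZE_MAX from <stdint.h>). The same pattern appears in der_get_universal_string and der_get_oid below; in der_get_oid `len + 1` cannot wrap because of the preceding `len > len + 1` test, which deserves a one-line comment. data->length's declared type is not visible here, so if it is unsigned int rather than size_t the UINT_MAX bound is the right one.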
@@ -202,6 +217,8 @@ der_get_universal_string (const unsigned char *p, size_t len,
     if (len & 3)
        return ASN1_BAD_FORMAT;
     data->length = len / 4;
+    if (data->length > UINT_MAX/sizeof(data->data[0]))
+       return ERANGE;
     data->data = malloc(data->length * sizeof(data->data[0]));
     if (data->data == NULL && data->length != 0)
        return ENOMEM;
@@ -366,7 +383,7 @@ int
 der_get_oid (const unsigned char *p, size_t len,
             heim_oid *data, size_t *size)
 {
-    int n;
+    size_t n;
     size_t oldlen = len;
 
     if (len < 1)
@@ -375,7 +392,10 @@ der_get_oid (const unsigned char *p, size_t len,
     if (len > len + 1)
        return ASN1_BAD_LENGTH;
 
-    data->components = malloc((len + 1) * sizeof(*data->components));
+    if (len + 1 > UINT_MAX/sizeof(data->components[0]))
+       return ERANGE;
+
+    data->components = malloc((len + 1) * sizeof(data->components[0]));
     if (data->components == NULL)
        return ENOMEM;
     data->components[0] = (*p) / 40;
index 93cabe466c1e6cc05883feb050b15f6bfc0dc60e..a7f8f593a20e115aa692376af9eca8665838fb9a 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_length.c,v 1.20 2006/12/28 17:14:28 lha Exp $");
+RCSID("$Id: der_length.c 19539 2006-12-28 17:15:05Z lha $");
 
 size_t
 _heim_len_unsigned (unsigned val)
index 1a87aaaee996e1b61fa259858fca54b3d3e07c0e..5b97557d74a3c5cced0691ef87613c70324975c4 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der_locl.h,v 1.8 2006/10/19 16:24:02 lha Exp $ */
+/* $Id: der_locl.h 18608 2006-10-19 16:24:02Z lha $ */
 
 #ifndef __DER_LOCL_H__
 #define __DER_LOCL_H__
index 9ed8f21906e76f1987ca8be10ebff7de850ebddd..1fdbfe1305d6df8562e62cdd50d0142bba21c482 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_put.c,v 1.34 2006/12/28 17:14:33 lha Exp $");
+RCSID("$Id: der_put.c 19539 2006-12-28 17:15:05Z lha $");
 
 /*
  * All encoding functions take a pointer `p' to first position in
index 92bfb232343a5162bc39a3a2f75669582ba7cd16..17341863c66b080ad49301dd73d939733604fd3e 100644 (file)
@@ -1,4 +1,4 @@
--- $Id: digest.asn1,v 1.10 2006/12/15 19:13:39 lha Exp $
+-- $Id: digest.asn1 20138 2007-02-02 21:08:24Z lha $
 
 DIGEST DEFINITIONS ::=
 BEGIN
@@ -25,6 +25,7 @@ DigestRequest ::= SEQUENCE  {
     type               UTF8String, -- http, sasl-md5, chap, cram-md5 --
     digest             UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
     username           UTF8String, -- username user used
+    responseData       UTF8String, -- client response
     authid             [0] UTF8String OPTIONAL,
     authentication-user        [1] Principal OPTIONAL, -- principal to get key from
     realm              [2] UTF8String OPTIONAL,
@@ -48,14 +49,14 @@ DigestError ::= SEQUENCE {
 }
 
 DigestResponse ::= SEQUENCE  {
-    responseData       UTF8String,
+    success            BOOLEAN,
     rsp                        [0] UTF8String OPTIONAL,
     tickets            [1] SEQUENCE OF OCTET STRING OPTIONAL,
     channel            [2] SEQUENCE {
        cb-type         UTF8String,
        cb-binding      UTF8String
     } OPTIONAL,
-    hash-a1            [3] OCTET STRING OPTIONAL
+    session-key                [3] OCTET STRING OPTIONAL
 }
 
 NTLMInit ::= SEQUENCE {
index 4f70f191df23de21b5c9ae96140948e39dde064a..e29a4378785132242736841d1790e4169cb2813c 100644 (file)
@@ -34,7 +34,7 @@
 #include "der_locl.h"
 #include "heim_asn1.h"
 
-RCSID("$Id: extra.c,v 1.6 2006/01/31 09:44:54 lha Exp $");
+RCSID("$Id: extra.c 16672 2006-01-31 09:44:54Z lha $");
 
 int
 encode_heim_any(unsigned char *p, size_t len, 
index 3bb9022be85db9338c7eab7f832394df861512b3..cc1a3056def8a56e370aae83495b053e1234e267 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c,v 1.70 2006/12/28 17:14:37 lha Exp $");
+RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $");
 
 FILE *headerfile, *codefile, *logfile;
 
@@ -167,6 +167,7 @@ init_generate (const char *filename, const char *base)
          "    }                                                          \\\n"
          "  } while (0)\n\n",
          headerfile);
+    fprintf (headerfile, "struct units;\n\n");
     fprintf (headerfile, "#endif\n\n");
     asprintf(&fn, "%s_files", base);
     if (fn == NULL)
index 95646d0a3c8f70e8819e63dd0107dde4557593e0..abf11859d5f495cd75dbdb50208fc8871af26bc6 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_copy.c,v 1.19 2006/12/28 17:14:42 lha Exp $");
+RCSID("$Id: gen_copy.c 19539 2006-12-28 17:15:05Z lha $");
 
 static int used_fail;
 
index 19ddbb46db67f1fc46cfbd7087873c685b4d5ffc..7ebef6cdceb75d274cf6d5d37ee454550e8bb068 100644 (file)
@@ -34,7 +34,7 @@
 #include "gen_locl.h"
 #include "lex.h"
 
-RCSID("$Id: gen_decode.c,v 1.32 2006/12/29 17:30:32 lha Exp $");
+RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $");
 
 static void
 decode_primitive (const char *typename, const char *name, const char *forwstr)
index bc2aff86e5dd085c4ce9da8aa43b1cdb05645d77..b5337b1c430104e3e71b2b103ed86a5a351d2f18 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_encode.c,v 1.22 2006/12/29 17:30:03 lha Exp $");
+RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $");
 
 static void
 encode_primitive (const char *typename, const char *name)
index 26e02e39dd4937ff73880649d8f9e4f3e070eadd..d667c5d31aad674111eb02c3018c4438e84e9863 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_free.c,v 1.17 2006/12/28 17:14:54 lha Exp $");
+RCSID("$Id: gen_free.c 19539 2006-12-28 17:15:05Z lha $");
 
 static void
 free_primitive (const char *typename, const char *name)
index 2f3e283ad63c0f64821b61c2a963decb2e588d04..8d8bd152a3b70f3fbd685dc33ae5ee4700727d86 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_glue.c,v 1.9 2005/07/12 06:27:29 lha Exp $");
+RCSID("$Id: gen_glue.c 15617 2005-07-12 06:27:42Z lha $");
 
 static void
 generate_2int (const Type *t, const char *gen_name)
index 7f9dc7257b98f9f2efcf3073271ef0b9e6916600..a1f7cc66444e84dd99378ba5872e018803a820ce 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_length.c,v 1.22 2006/12/28 17:14:57 lha Exp $");
+RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $");
 
 static void
 length_primitive (const char *typename,
index c9ea714c5f7f0a3f8e4213869891c2b1ad5c0d27..8cd4dbad5a84a2727188d0534a508f166f1d6d73 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gen_locl.h,v 1.14 2006/09/05 12:29:18 lha Exp $ */
+/* $Id: gen_locl.h 18008 2006-09-05 12:29:18Z lha $ */
 
 #ifndef __GEN_LOCL_H__
 #define __GEN_LOCL_H__
index fa3813fd61158248d5894bba219e01ed28289964..54776752c2e3eaa0ac412658f8731ee087cfe489 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_seq.c,v 1.4 2006/10/04 10:18:10 lha Exp $");
+RCSID("$Id: gen_seq.c 20561 2007-04-24 16:14:30Z lha $");
 
 void
 generate_type_seq (const Symbol *s)
@@ -111,7 +111,7 @@ generate_type_seq (const Symbol *s)
             "\t\tsizeof(data->val[0]) * data->len);\n"
             /* resize but don't care about failures since it doesn't matter */
             "ptr = realloc(data->val, data->len * sizeof(data->val[0]));\n"
-            "if (ptr) data->val = ptr;\n"
+            "if (ptr != NULL || data->len == 0) data->val = ptr;\n"
             "return 0;\n",
             subname);
 
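Review bot: The emitted `if (ptr != NULL || data->len == 0) data->val = ptr;` relies on `realloc(data->val, 0)` having freed the old block whenever it returns NULL, but the C standard leaves a zero-size realloc implementation-defined: some allocators return NULL without freeing, and then this line unconditionally overwrites `data->val` and leaks the block, while others hand back a live pointer that is kept. Handling the empty case before the realloc removes the ambiguity: `if (data->len == 0) { free(data->val); data->val = NULL; return 0; }`, leaving the realloc path for `len > 0`, where a NULL return really can be ignored as the comment says. Both the generated function and `generate_type_seq` start before and end after this hunk.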
index f03d6b856bbad486ad7a112d895e40ce98cd67e5..eeb6b6d63dc9eef3829412c52dbb68a03eaee8f0 100644 (file)
@@ -37,7 +37,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: hash.c,v 1.11 2006/04/07 22:16:00 lha Exp $");
+RCSID("$Id: hash.c 17016 2006-04-07 22:16:00Z lha $");
 
 static Hashentry *_search(Hashtab * htab,      /* The hash table */
                          void *ptr);   /* And key */
index b54e10234a74d79012434a1096c3ee125ac8bf74..10d8ce99b0b5b983465f2698fdeda34496a94e4a 100644 (file)
@@ -35,7 +35,7 @@
  * hash.h. Header file for hash table functions
  */
 
-/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: hash.h 7464 1999-12-02 17:05:13Z joda $ */
 
 struct hashentry {             /* Entry in bucket */
      struct hashentry **prev;
index a86df38a999175a06c88bfdfcf37d0586ff5db10..0c7021f87f42e469276debac220d808e6b4b8fed 100644 (file)
@@ -1,4 +1,4 @@
--- $Id: k5.asn1,v 1.51 2006/11/21 05:17:47 lha Exp $
+-- $Id: k5.asn1 21004 2007-06-08 01:53:10Z lha $
 
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@@ -59,6 +59,7 @@ PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
        KRB5-PADATA-ETYPE-INFO2(19),
        KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+       KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
        KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
        KRB5-PADATA-GET-FROM-TYPED-DATA(22),
        KRB5-PADATA-SAM-ETYPE-INFO(23),
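Review bot: `KRB5-PADATA-SVR-REFERRAL-INFO(20)` gives a second name to the value already used by `KRB5-PADATA-USE-SPECIFIED-KVNO(20)` on the line above, so anything that dispatches on the pa-type alone cannot tell the two apart (a `switch` listing both would not even compile in the generated C); the payload has to be decoded as `PA-SvrReferralData` to find out which was sent. The trailing comment should say that rather than only `--- old ms referral number`, e.g. `-- same value as USE-SPECIFIED-KVNO; disambiguate by decoding the payload`. Whether any code in this tree actually consumes value 20 as a referral is not visible from this hunk.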
@@ -71,10 +72,11 @@ PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-TD-REQ-SEQ(108),            -- INTEGER
        KRB5-PADATA-PA-PAC-REQUEST(128),        -- jbrezak@exchange.microsoft.com
        KRB5-PADATA-S4U2SELF(129),
-       KRB5-PADATA-PK-AS-09-BINDING(132)       -- client send this to 
+       KRB5-PADATA-PK-AS-09-BINDING(132),      -- client send this to 
                                                -- tell KDC that is supports 
                                                -- the asCheckSum in the
                                                --  PK-AS-REP
+       KRB5-PADATA-CLIENT-CANONICALIZED(133)   -- 
 }
 
 AUTHDATA-TYPE ::= INTEGER {
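Review bot: `KRB5-PADATA-CLIENT-CANONICALIZED(133)` carries an empty trailing comment (`-- `), unlike its neighbours, which name the sender or the structure carried. Naming the payload type makes the link explicit for readers of the generated enum: `-- PA-ClientCanonicalized`. The start of this enumeration is outside the hunk, so I cannot confirm that 133 is otherwise unused.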
@@ -229,6 +231,7 @@ KDCOptions ::= BIT STRING {
        unused11(11),
        request-anonymous(14),
        canonicalize(15),
+       constrained-delegation(16), -- ms extension
        disable-transited-check(26),
        renewable-ok(27),
        enc-tkt-in-skey(28),
@@ -409,7 +412,8 @@ EncKDCRepPart ::= SEQUENCE {
        renew-till[8]           KerberosTime OPTIONAL,
        srealm[9]               Realm,
        sname[10]               PrincipalName,
-       caddr[11]               HostAddresses OPTIONAL
+       caddr[11]               HostAddresses OPTIONAL,
+       encrypted-pa-data[12]   METHOD-DATA OPTIONAL
 }
 
 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
@@ -624,6 +628,27 @@ KRB5SignedPath ::= SEQUENCE {
        delegated[2]    KRB5SignedPathPrincipals OPTIONAL
 }
 
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+       requested-name [0] PrincipalName,
+       real-name      [1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+       names          [0] PA-ClientCanonicalizedNames,
+       canon-checksum [1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+       login-alias  [0] PrincipalName,
+       checksum     [1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+       referred-name   [1] PrincipalName OPTIONAL,
+       referred-realm  [0] Realm
+}
+
 END
 
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
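Review bot: In `PA-SvrReferralData` the components are declared as `referred-name [1] ... OPTIONAL` before `referred-realm [0]`, i.e. tag order reversed relative to declaration order; that is legal and DER encodes them in declaration order, but it reads like a transposition and the next person may "fix" it and break interop with the old MS encoding the comment refers to. If the order is deliberate, say so: `-- component order is the MS wire order; do not reorder`. Separately, `PA-ClientCanonicalized` adds a `canon-checksum`, but nothing here records which key and key-usage number it is computed under, which is what binds `real-name` to `requested-name`; a one-line comment pointing at the keying rule would let implementers verify it rather than merely decode it. `AD-LoginAlias` is marked `ad-type number TBD`, so no AUTHDATA-TYPE value exists for it yet and it cannot be dispatched from authorization data.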
index 9706b061c37f7ac9fadc95dbc771d74b634d4015..fc6a696dab3a8c242cd81102196431d28bf2289b 100644 (file)
@@ -1,4 +1,4 @@
--- $Id: kx509.asn1,v 1.1 2006/12/28 21:05:23 lha Exp $
+-- $Id: kx509.asn1 19546 2006-12-28 21:05:23Z lha $
 
 KX509 DEFINITIONS ::=
 BEGIN
index 10b4d65a7e3655b965847af870d53696ad86200a..d628e4696f5d7caf68d2fcc4aa105bc6d2d122fe 100644 (file)
@@ -1,31 +1,92 @@
-/* A lexical scanner generated by flex*/
 
-/* Scanner skeleton version:
- * $Header: /home/daffy/u0/vern/flex/RCS/flex.skl,v 2.91 96/09/10 16:58:48 vern Exp $
- */
+#line 3 "lex.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
 
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 33
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
 
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
 #include <stdio.h>
-#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
 
+/* end standard C headers. */
 
-/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
-#ifdef c_plusplus
-#ifndef __cplusplus
-#define __cplusplus
-#endif
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if __STDC_VERSION__ >= 199901L
+
+/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
+ * if you want the limit (max/min) macros for int types. 
+ */
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS 1
 #endif
 
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
 
-#ifdef __cplusplus
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
 
-#include <stdlib.h>
+#endif /* ! FLEXINT_H */
 
-/* Use prototypes in function declarations. */
-#define YY_USE_PROTOS
+#ifdef __cplusplus
 
 /* The "const" storage-class-modifier is valid. */
 #define YY_USE_CONST
 
 #if __STDC__
 
-#define YY_USE_PROTOS
 #define YY_USE_CONST
 
 #endif /* __STDC__ */
 #endif /* ! __cplusplus */
 
-#ifdef __TURBOC__
- #pragma warn -rch
- #pragma warn -use
-#include <io.h>
-#include <stdlib.h>
-#define YY_USE_CONST
-#define YY_USE_PROTOS
-#endif
-
 #ifdef YY_USE_CONST
 #define yyconst const
 #else
 #define yyconst
 #endif
 
-
-#ifdef YY_USE_PROTOS
-#define YY_PROTO(proto) proto
-#else
-#define YY_PROTO(proto) ()
-#endif
-
 /* Returned upon end-of-file. */
 #define YY_NULL 0
 
  * but we do it the disgusting crufty way forced on us by the ()-less
  * definition of BEGIN.
  */
-#define BEGIN yy_start = 1 + 2 *
+#define BEGIN (yy_start) = 1 + 2 *
 
 /* Translate the current start state into a value that can be later handed
  * to BEGIN to return to the state.  The YYSTATE alias is for lex
  * compatibility.
  */
-#define YY_START ((yy_start - 1) / 2)
+#define YY_START (((yy_start) - 1) / 2)
 #define YYSTATE YY_START
 
 /* Action number for EOF rule of a given start state. */
 #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
 
 /* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
+#define YY_NEW_FILE yyrestart(yyin  )
 
 #define YY_END_OF_BUFFER_CHAR 0
 
 /* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
 #define YY_BUF_SIZE 16384
+#endif
 
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
 typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
 
 extern int yyleng;
+
 extern FILE *yyin, *yyout;
 
 #define EOB_ACT_CONTINUE_SCAN 0
 #define EOB_ACT_END_OF_FILE 1
 #define EOB_ACT_LAST_MATCH 2
 
-/* The funky do-while in the following #define is used to turn the definition
- * int a single C statement (which needs a semi-colon terminator).  This
- * avoids problems with code like:
- *
- *     if ( condition_holds )
- *             yyless( 5 );
- *     else
- *             do_something_else();
- *
- * Prior to using the do-while the compiler would get upset at the
- * "else" because it interpreted the "if" statement as being all
- * done when it reached the ';' after the yyless() call.
- */
-
-/* Return all but the first 'n' matched characters back to the input stream. */
-
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
 #define yyless(n) \
        do \
                { \
                /* Undo effects of setting up yytext. */ \
-               *yy_cp = yy_hold_char; \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+               *yy_cp = (yy_hold_char); \
                YY_RESTORE_YY_MORE_OFFSET \
-               yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
+               (yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
                YY_DO_BEFORE_ACTION; /* set up yytext again */ \
                } \
        while ( 0 )
 
-#define unput(c) yyunput( c, yytext_ptr )
-
-/* Some routines like yy_flex_realloc() are emitted as static but are
-   not called by all lexers. This generates warnings in some compilers,
-   notably GCC. Arrange to suppress these. */
-#ifdef __GNUC__
-#define YY_MAY_BE_UNUSED __attribute__((unused))
-#else
-#define YY_MAY_BE_UNUSED
-#endif
+#define unput(c) yyunput( c, (yytext_ptr)  )
 
 /* The following is because we cannot portably get our hands on size_t
  * (without autoconf's help, which isn't available because we want
  * flex-generated scanners to compile on their own).
  */
-typedef unsigned int yy_size_t;
 
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
 
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
 struct yy_buffer_state
        {
        FILE *yy_input_file;
@@ -186,12 +225,16 @@ struct yy_buffer_state
         */
        int yy_at_bol;
 
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
        /* Whether to try to fill the input buffer when we reach the
         * end of it.
         */
        int yy_fill_buffer;
 
        int yy_buffer_status;
+
 #define YY_BUFFER_NEW 0
 #define YY_BUFFER_NORMAL 1
        /* When an EOF's been seen but there's still some text to process
@@ -205,28 +248,38 @@ struct yy_buffer_state
         * just pointing yyin at a new input file.
         */
 #define YY_BUFFER_EOF_PENDING 2
+
        };
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
 
-static YY_BUFFER_STATE yy_current_buffer = 0;
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
 
 /* We provide macros for accessing buffer states in case in the
  * future we want to put the buffer states in a more general
  * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
  */
-#define YY_CURRENT_BUFFER yy_current_buffer
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
 
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
 
 /* yy_hold_char holds the character lost when yytext is formed. */
 static char yy_hold_char;
-
 static int yy_n_chars;         /* number of characters read into yy_ch_buf */
-
-
 int yyleng;
 
 /* Points to current character in buffer. */
 static char *yy_c_buf_p = (char *) 0;
-static int yy_init = 1;                /* whether we need to initialize */
+static int yy_init = 0;                /* whether we need to initialize */
 static int yy_start = 0;       /* start state number */
 
 /* Flag which is used to allow yywrap()'s to do buffer switches
@@ -234,66 +287,92 @@ static int yy_start = 0;  /* start state number */
  */
 static int yy_did_buffer_switch_on_eof;
 
-void yyrestart YY_PROTO(( FILE *input_file ));
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
 
-void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
-void yy_load_buffer_state YY_PROTO(( void ));
-YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
-void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
-void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
 
-YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
-YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
-YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
 
-static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
-static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t )) YY_MAY_BE_UNUSED;
-static void yy_flex_free YY_PROTO(( void * ));
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
 
 #define yy_new_buffer yy_create_buffer
 
 #define yy_set_interactive(is_interactive) \
        { \
-       if ( ! yy_current_buffer ) \
-               yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-       yy_current_buffer->yy_is_interactive = is_interactive; \
+       if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+               YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+       } \
+       YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
        }
 
 #define yy_set_bol(at_bol) \
        { \
-       if ( ! yy_current_buffer ) \
-               yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-       yy_current_buffer->yy_at_bol = at_bol; \
+       if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+               YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+       } \
+       YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
        }
 
-#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
 
 typedef unsigned char YY_CHAR;
+
 FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
 typedef int yy_state_type;
+
+extern int yylineno;
+
+int yylineno = 1;
+
 extern char *yytext;
 #define yytext_ptr yytext
 
-static yy_state_type yy_get_previous_state YY_PROTO(( void ));
-static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
-static int yy_get_next_buffer YY_PROTO(( void ));
-static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
 
 /* Done after the current pattern has been matched and before the
  * corresponding action - sets up yytext.
  */
 #define YY_DO_BEFORE_ACTION \
-       yytext_ptr = yy_bp; \
-       yyleng = (int) (yy_cp - yy_bp); \
-       yy_hold_char = *yy_cp; \
+       (yytext_ptr) = yy_bp; \
+       yyleng = (size_t) (yy_cp - yy_bp); \
+       (yy_hold_char) = *yy_cp; \
        *yy_cp = '\0'; \
-       yy_c_buf_p = yy_cp;
+       (yy_c_buf_p) = yy_cp;
 
 #define YY_NUM_RULES 95
 #define YY_END_OF_BUFFER 96
-static yyconst short int yy_accept[568] =
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+       {
+       flex_int32_t yy_verify;
+       flex_int32_t yy_nxt;
+       };
+static yyconst flex_int16_t yy_accept[568] =
     {   0,
         0,    0,   96,   94,   90,   91,   87,   81,   81,   94,
        94,   88,   88,   94,   89,   89,   89,   89,   89,   89,
@@ -359,7 +438,7 @@ static yyconst short int yy_accept[568] =
        32,   89,   59,   70,   77,   53,    0
     } ;
 
-static yyconst int yy_ec[256] =
+static yyconst flex_int32_t yy_ec[256] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -391,7 +470,7 @@ static yyconst int yy_ec[256] =
         1,    1,    1,    1,    1
     } ;
 
-static yyconst int yy_meta[70] =
+static yyconst flex_int32_t yy_meta[70] =
     {   0,
         1,    1,    1,    1,    1,    1,    2,    1,    1,    3,
         3,    3,    3,    3,    3,    3,    1,    1,    3,    3,
@@ -402,7 +481,7 @@ static yyconst int yy_meta[70] =
         2,    2,    2,    2,    2,    2,    2,    2,    2
     } ;
 
-static yyconst short int yy_base[570] =
+static yyconst flex_int16_t yy_base[570] =
     {   0,
         0,    0,  636,  637,  637,  637,  637,  637,   63,  627,
       628,   70,   77,  616,   74,   72,   76,  609,   65,   81,
@@ -468,7 +547,7 @@ static yyconst short int yy_base[570] =
         0,  101,    0,    0,    0,    0,  637,  223,   69
     } ;
 
-static yyconst short int yy_def[570] =
+static yyconst flex_int16_t yy_def[570] =
     {   0,
       567,    1,  567,  567,  567,  567,  567,  567,  567,  567,
       567,  567,  567,  567,  568,  568,  568,  568,  568,  568,
@@ -534,7 +613,7 @@ static yyconst short int yy_def[570] =
       568,  568,  568,  568,  568,  568,    0,  567,  567
     } ;
 
-static yyconst short int yy_nxt[707] =
+static yyconst flex_int16_t yy_nxt[707] =
     {   0,
         4,    5,    6,    7,    8,    4,    9,   10,   11,   12,
        13,   13,   13,   13,   13,   13,   14,    4,   15,   16,
@@ -616,7 +695,7 @@ static yyconst short int yy_nxt[707] =
       567,  567,  567,  567,  567,  567
     } ;
 
-static yyconst short int yy_chk[707] =
+static yyconst flex_int16_t yy_chk[707] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -701,6 +780,9 @@ static yyconst short int yy_chk[707] =
 static yy_state_type yy_last_accepting_state;
 static char *yy_last_accepting_cpos;
 
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
 /* The intent behind this definition is that it'll catch
  * any uses of REJECT which flex missed.
  */
@@ -710,7 +792,6 @@ static char *yy_last_accepting_cpos;
 #define YY_RESTORE_YY_MORE_OFFSET
 char *yytext;
 #line 1 "lex.l"
-#define INITIAL 0
 #line 2 "lex.l"
 /*
  * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
@@ -745,7 +826,7 @@ char *yytext;
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -770,7 +851,23 @@ static unsigned lineno = 1;
 static void unterminated(const char *, unsigned);
 
 /* This is for broken old lexes (solaris 10 and hpux) */
-#line 774 "lex.c"
+#line 855 "lex.c"
+
+#define INITIAL 0
+
+#ifndef YY_NO_UNISTD_H
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+#endif
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+static int yy_init_globals (void );
 
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
@@ -778,65 +875,30 @@ static void unterminated(const char *, unsigned);
 
 #ifndef YY_SKIP_YYWRAP
 #ifdef __cplusplus
-extern "C" int yywrap YY_PROTO(( void ));
+extern "C" int yywrap (void );
 #else
-extern int yywrap YY_PROTO(( void ));
+extern int yywrap (void );
 #endif
 #endif
 
-#ifndef YY_NO_UNPUT
-static void yyunput YY_PROTO(( int c, char *buf_ptr ));
-#endif
-
+    static void yyunput (int c,char *buf_ptr  );
+    
 #ifndef yytext_ptr
-static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
+static void yy_flex_strncpy (char *,yyconst char *,int );
 #endif
 
 #ifdef YY_NEED_STRLEN
-static int yy_flex_strlen YY_PROTO(( yyconst char * ));
+static int yy_flex_strlen (yyconst char * );
 #endif
 
 #ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput YY_PROTO(( void ));
-#else
-static int input YY_PROTO(( void ));
-#endif
-#endif
-
-#if YY_STACK_USED
-static int yy_start_stack_ptr = 0;
-static int yy_start_stack_depth = 0;
-static int *yy_start_stack = 0;
-#ifndef YY_NO_PUSH_STATE
-static void yy_push_state YY_PROTO(( int new_state ));
-#endif
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state YY_PROTO(( void ));
-#endif
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state YY_PROTO(( void ));
-#endif
 
+#ifdef __cplusplus
+static int yyinput (void );
 #else
-#define YY_NO_PUSH_STATE 1
-#define YY_NO_POP_STATE 1
-#define YY_NO_TOP_STATE 1
+static int input (void );
 #endif
 
-#ifdef YY_MALLOC_DECL
-YY_MALLOC_DECL
-#else
-#if __STDC__
-#ifndef __cplusplus
-#include <stdlib.h>
-#endif
-#else
-/* Just try to get by without declaring the routines.  This will fail
- * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
- * or sizeof(void*) != sizeof(int).
- */
-#endif
 #endif
 
 /* Amount of stuff to slurp up with each read. */
@@ -845,7 +907,6 @@ YY_MALLOC_DECL
 #endif
 
 /* Copy whatever the last rule matched to the standard output. */
-
 #ifndef ECHO
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
@@ -858,9 +919,10 @@ YY_MALLOC_DECL
  */
 #ifndef YY_INPUT
 #define YY_INPUT(buf,result,max_size) \
-       if ( yy_current_buffer->yy_is_interactive ) \
+       if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
                { \
-               int c = '*', n; \
+               int c = '*'; \
+               size_t n; \
                for ( n = 0; n < max_size && \
                             (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
                        buf[n] = (char) c; \
@@ -870,9 +932,22 @@ YY_MALLOC_DECL
                        YY_FATAL_ERROR( "input in flex scanner failed" ); \
                result = n; \
                } \
-       else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
-                 && ferror( yyin ) ) \
-               YY_FATAL_ERROR( "input in flex scanner failed" );
+       else \
+               { \
+               errno=0; \
+               while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+                       { \
+                       if( errno != EINTR) \
+                               { \
+                               YY_FATAL_ERROR( "input in flex scanner failed" ); \
+                               break; \
+                               } \
+                       errno=0; \
+                       clearerr(yyin); \
+                       } \
+               }\
+\
+
 #endif
 
 /* No semi-colon after return; correct usage is to write "yyterminate();" -
@@ -893,12 +968,18 @@ YY_MALLOC_DECL
 #define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
 #endif
 
+/* end tables serialization structures and prototypes */
+
 /* Default declaration of generated scanner - a define so the user can
  * easily add parameters.
  */
 #ifndef YY_DECL
-#define YY_DECL int yylex YY_PROTO(( void ))
-#endif
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
 
 /* Code executed at the beginning of each rule, after yytext and yyleng
  * have been set up.
@@ -915,26 +996,28 @@ YY_MALLOC_DECL
 #define YY_RULE_SETUP \
        YY_USER_ACTION
 
+/** The main scanner function which does all the work.
+ */
 YY_DECL
-       {
+{
        register yy_state_type yy_current_state;
-       register char *yy_cp = NULL, *yy_bp = NULL;
+       register char *yy_cp, *yy_bp;
        register int yy_act;
-
+    
 #line 68 "lex.l"
 
-#line 927 "lex.c"
+#line 1010 "lex.c"
 
-       if ( yy_init )
+       if ( !(yy_init) )
                {
-               yy_init = 0;
+               (yy_init) = 1;
 
 #ifdef YY_USER_INIT
                YY_USER_INIT;
 #endif
 
-               if ( ! yy_start )
-                       yy_start = 1;   /* first start state */
+               if ( ! (yy_start) )
+                       (yy_start) = 1; /* first start state */
 
                if ( ! yyin )
                        yyin = stdin;
@@ -942,34 +1025,36 @@ YY_DECL
                if ( ! yyout )
                        yyout = stdout;
 
-               if ( ! yy_current_buffer )
-                       yy_current_buffer =
-                               yy_create_buffer( yyin, YY_BUF_SIZE );
+               if ( ! YY_CURRENT_BUFFER ) {
+                       yyensure_buffer_stack ();
+                       YY_CURRENT_BUFFER_LVALUE =
+                               yy_create_buffer(yyin,YY_BUF_SIZE );
+               }
 
-               yy_load_buffer_state();
+               yy_load_buffer_state( );
                }
 
        while ( 1 )             /* loops until end-of-file is reached */
                {
-               yy_cp = yy_c_buf_p;
+               yy_cp = (yy_c_buf_p);
 
                /* Support of yytext. */
-               *yy_cp = yy_hold_char;
+               *yy_cp = (yy_hold_char);
 
                /* yy_bp points to the position in yy_ch_buf of the start of
                 * the current run.
                 */
                yy_bp = yy_cp;
 
-               yy_current_state = yy_start;
+               yy_current_state = (yy_start);
 yy_match:
                do
                        {
                        register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
                        if ( yy_accept[yy_current_state] )
                                {
-                               yy_last_accepting_state = yy_current_state;
-                               yy_last_accepting_cpos = yy_cp;
+                               (yy_last_accepting_state) = yy_current_state;
+                               (yy_last_accepting_cpos) = yy_cp;
                                }
                        while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                                {
@@ -986,24 +1071,22 @@ yy_find_action:
                yy_act = yy_accept[yy_current_state];
                if ( yy_act == 0 )
                        { /* have to back up */
-                       yy_cp = yy_last_accepting_cpos;
-                       yy_current_state = yy_last_accepting_state;
+                       yy_cp = (yy_last_accepting_cpos);
+                       yy_current_state = (yy_last_accepting_state);
                        yy_act = yy_accept[yy_current_state];
                        }
 
                YY_DO_BEFORE_ACTION;
 
-
 do_action:     /* This label is used only to access EOF actions. */
 
-
                switch ( yy_act )
        { /* beginning of action switch */
                        case 0: /* must back up */
                        /* undo the effects of YY_DO_BEFORE_ACTION */
-                       *yy_cp = yy_hold_char;
-                       yy_cp = yy_last_accepting_cpos;
-                       yy_current_state = yy_last_accepting_state;
+                       *yy_cp = (yy_hold_char);
+                       yy_cp = (yy_last_accepting_cpos);
+                       yy_current_state = (yy_last_accepting_state);
                        goto yy_find_action;
 
 case 1:
@@ -1567,6 +1650,7 @@ YY_RULE_SETUP
 ;
        YY_BREAK
 case 91:
+/* rule 91 can match eol */
 YY_RULE_SETUP
 #line 270 "lex.l"
 { ++lineno; }
@@ -1591,33 +1675,33 @@ YY_RULE_SETUP
 #line 274 "lex.l"
 ECHO;
        YY_BREAK
-#line 1595 "lex.c"
+#line 1679 "lex.c"
 case YY_STATE_EOF(INITIAL):
        yyterminate();
 
        case YY_END_OF_BUFFER:
                {
                /* Amount of text matched not including the EOB char. */
-               int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
+               int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
 
                /* Undo the effects of YY_DO_BEFORE_ACTION. */
-               *yy_cp = yy_hold_char;
+               *yy_cp = (yy_hold_char);
                YY_RESTORE_YY_MORE_OFFSET
 
-               if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
+               if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
                        {
                        /* We're scanning a new file or input source.  It's
                         * possible that this happened because the user
                         * just pointed yyin at a new source and called
                         * yylex().  If so, then we have to assure
-                        * consistency between yy_current_buffer and our
+                        * consistency between YY_CURRENT_BUFFER and our
                         * globals.  Here is the right place to do so, because
                         * this is the first action (other than possibly a
                         * back-up) that will match for the new input source.
                         */
-                       yy_n_chars = yy_current_buffer->yy_n_chars;
-                       yy_current_buffer->yy_input_file = yyin;
-                       yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
+                       (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+                       YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+                       YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
                        }
 
                /* Note that here we test for yy_c_buf_p "<=" to the position
@@ -1627,13 +1711,13 @@ case YY_STATE_EOF(INITIAL):
                 * end-of-buffer state).  Contrast this with the test
                 * in input().
                 */
-               if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+               if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
                        { /* This was really a NUL. */
                        yy_state_type yy_next_state;
 
-                       yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
+                       (yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
 
-                       yy_current_state = yy_get_previous_state();
+                       yy_current_state = yy_get_previous_state(  );
 
                        /* Okay, we're now positioned to make the NUL
                         * transition.  We couldn't have
@@ -1646,30 +1730,30 @@ case YY_STATE_EOF(INITIAL):
 
                        yy_next_state = yy_try_NUL_trans( yy_current_state );
 
-                       yy_bp = yytext_ptr + YY_MORE_ADJ;
+                       yy_bp = (yytext_ptr) + YY_MORE_ADJ;
 
                        if ( yy_next_state )
                                {
                                /* Consume the NUL. */
-                               yy_cp = ++yy_c_buf_p;
+                               yy_cp = ++(yy_c_buf_p);
                                yy_current_state = yy_next_state;
                                goto yy_match;
                                }
 
                        else
                                {
-                               yy_cp = yy_c_buf_p;
+                               yy_cp = (yy_c_buf_p);
                                goto yy_find_action;
                                }
                        }
 
-               else switch ( yy_get_next_buffer() )
+               else switch ( yy_get_next_buffer(  ) )
                        {
                        case EOB_ACT_END_OF_FILE:
                                {
-                               yy_did_buffer_switch_on_eof = 0;
+                               (yy_did_buffer_switch_on_eof) = 0;
 
-                               if ( yywrap() )
+                               if ( yywrap( ) )
                                        {
                                        /* Note: because we've taken care in
                                         * yy_get_next_buffer() to have set up
@@ -1680,7 +1764,7 @@ case YY_STATE_EOF(INITIAL):
                                         * YY_NULL, it'll still work - another
                                         * YY_NULL will get returned.
                                         */
-                                       yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
+                                       (yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
 
                                        yy_act = YY_STATE_EOF(YY_START);
                                        goto do_action;
@@ -1688,30 +1772,30 @@ case YY_STATE_EOF(INITIAL):
 
                                else
                                        {
-                                       if ( ! yy_did_buffer_switch_on_eof )
+                                       if ( ! (yy_did_buffer_switch_on_eof) )
                                                YY_NEW_FILE;
                                        }
                                break;
                                }
 
                        case EOB_ACT_CONTINUE_SCAN:
-                               yy_c_buf_p =
-                                       yytext_ptr + yy_amount_of_matched_text;
+                               (yy_c_buf_p) =
+                                       (yytext_ptr) + yy_amount_of_matched_text;
 
-                               yy_current_state = yy_get_previous_state();
+                               yy_current_state = yy_get_previous_state(  );
 
-                               yy_cp = yy_c_buf_p;
-                               yy_bp = yytext_ptr + YY_MORE_ADJ;
+                               yy_cp = (yy_c_buf_p);
+                               yy_bp = (yytext_ptr) + YY_MORE_ADJ;
                                goto yy_match;
 
                        case EOB_ACT_LAST_MATCH:
-                               yy_c_buf_p =
-                               &yy_current_buffer->yy_ch_buf[yy_n_chars];
+                               (yy_c_buf_p) =
+                               &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
 
-                               yy_current_state = yy_get_previous_state();
+                               yy_current_state = yy_get_previous_state(  );
 
-                               yy_cp = yy_c_buf_p;
-                               yy_bp = yytext_ptr + YY_MORE_ADJ;
+                               yy_cp = (yy_c_buf_p);
+                               yy_bp = (yytext_ptr) + YY_MORE_ADJ;
                                goto yy_find_action;
                        }
                break;
@@ -1722,8 +1806,7 @@ case YY_STATE_EOF(INITIAL):
                        "fatal flex scanner internal error--no action found" );
        } /* end of action switch */
                } /* end of scanning one token */
-       } /* end of yylex */
-
+} /* end of yylex */
 
 /* yy_get_next_buffer - try to read in a new buffer
  *
@@ -1732,21 +1815,20 @@ case YY_STATE_EOF(INITIAL):
  *     EOB_ACT_CONTINUE_SCAN - continue scanning from current position
  *     EOB_ACT_END_OF_FILE - end of file
  */
-
-static int yy_get_next_buffer()
-       {
-       register char *dest = yy_current_buffer->yy_ch_buf;
-       register char *source = yytext_ptr;
+static int yy_get_next_buffer (void)
+{
+       register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+       register char *source = (yytext_ptr);
        register int number_to_move, i;
        int ret_val;
 
-       if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
+       if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
                YY_FATAL_ERROR(
                "fatal flex scanner internal error--end of buffer missed" );
 
-       if ( yy_current_buffer->yy_fill_buffer == 0 )
+       if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
                { /* Don't try to fill the buffer, so this is an EOF. */
-               if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
+               if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
                        {
                        /* We matched a single character, the EOB, so
                         * treat this as a final EOF.
@@ -1766,34 +1848,30 @@ static int yy_get_next_buffer()
        /* Try to read more data. */
 
        /* First move last chars to start of buffer. */
-       number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
+       number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
 
        for ( i = 0; i < number_to_move; ++i )
                *(dest++) = *(source++);
 
-       if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+       if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
                /* don't do the read, it's not guaranteed to return an EOF,
                 * just force an EOF
                 */
-               yy_current_buffer->yy_n_chars = yy_n_chars = 0;
+               YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
 
        else
                {
-               int num_to_read =
-                       yy_current_buffer->yy_buf_size - number_to_move - 1;
+                       int num_to_read =
+                       YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
                while ( num_to_read <= 0 )
                        { /* Not enough room in the buffer - grow it. */
-#ifdef YY_USES_REJECT
-                       YY_FATAL_ERROR(
-"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
-#else
 
                        /* just a shorter name for the current buffer */
-                       YY_BUFFER_STATE b = yy_current_buffer;
+                       YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
 
                        int yy_c_buf_p_offset =
-                               (int) (yy_c_buf_p - b->yy_ch_buf);
+                               (int) ((yy_c_buf_p) - b->yy_ch_buf);
 
                        if ( b->yy_is_our_buffer )
                                {
@@ -1806,8 +1884,7 @@ static int yy_get_next_buffer()
 
                                b->yy_ch_buf = (char *)
                                        /* Include room in for 2 EOB chars. */
-                                       yy_flex_realloc( (void *) b->yy_ch_buf,
-                                                        b->yy_buf_size + 2 );
+                                       yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
                                }
                        else
                                /* Can't grow it, we don't own it. */
@@ -1817,35 +1894,35 @@ static int yy_get_next_buffer()
                                YY_FATAL_ERROR(
                                "fatal error - scanner input buffer overflow" );
 
-                       yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
+                       (yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
 
-                       num_to_read = yy_current_buffer->yy_buf_size -
+                       num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
                                                number_to_move - 1;
-#endif
+
                        }
 
                if ( num_to_read > YY_READ_BUF_SIZE )
                        num_to_read = YY_READ_BUF_SIZE;
 
                /* Read in more data. */
-               YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
-                       yy_n_chars, num_to_read );
+               YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+                       (yy_n_chars), num_to_read );
 
-               yy_current_buffer->yy_n_chars = yy_n_chars;
+               YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
                }
 
-       if ( yy_n_chars == 0 )
+       if ( (yy_n_chars) == 0 )
                {
                if ( number_to_move == YY_MORE_ADJ )
                        {
                        ret_val = EOB_ACT_END_OF_FILE;
-                       yyrestart( yyin );
+                       yyrestart(yyin  );
                        }
 
                else
                        {
                        ret_val = EOB_ACT_LAST_MATCH;
-                       yy_current_buffer->yy_buffer_status =
+                       YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
                                YY_BUFFER_EOF_PENDING;
                        }
                }
@@ -1853,32 +1930,31 @@ static int yy_get_next_buffer()
        else
                ret_val = EOB_ACT_CONTINUE_SCAN;
 
-       yy_n_chars += number_to_move;
-       yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
-       yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
+       (yy_n_chars) += number_to_move;
+       YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+       YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
 
-       yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
+       (yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
 
        return ret_val;
-       }
-
+}
 
 /* yy_get_previous_state - get the state just before the EOB char was reached */
 
-static yy_state_type yy_get_previous_state()
-       {
+    static yy_state_type yy_get_previous_state (void)
+{
        register yy_state_type yy_current_state;
        register char *yy_cp;
+    
+       yy_current_state = (yy_start);
 
-       yy_current_state = yy_start;
-
-       for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
+       for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
                {
                register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
                if ( yy_accept[yy_current_state] )
                        {
-                       yy_last_accepting_state = yy_current_state;
-                       yy_last_accepting_cpos = yy_cp;
+                       (yy_last_accepting_state) = yy_current_state;
+                       (yy_last_accepting_cpos) = yy_cp;
                        }
                while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                        {
@@ -1890,30 +1966,23 @@ static yy_state_type yy_get_previous_state()
                }
 
        return yy_current_state;
-       }
-
+}
 
 /* yy_try_NUL_trans - try to make a transition on the NUL character
  *
  * synopsis
  *     next_state = yy_try_NUL_trans( current_state );
  */
-
-#ifdef YY_USE_PROTOS
-static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
-#else
-static yy_state_type yy_try_NUL_trans( yy_current_state )
-yy_state_type yy_current_state;
-#endif
-       {
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
        register int yy_is_jam;
-       register char *yy_cp = yy_c_buf_p;
+       register char *yy_cp = (yy_c_buf_p);
 
        register YY_CHAR yy_c = 1;
        if ( yy_accept[yy_current_state] )
                {
-               yy_last_accepting_state = yy_current_state;
-               yy_last_accepting_cpos = yy_cp;
+               (yy_last_accepting_state) = yy_current_state;
+               (yy_last_accepting_cpos) = yy_cp;
                }
        while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                {
@@ -1925,81 +1994,73 @@ yy_state_type yy_current_state;
        yy_is_jam = (yy_current_state == 567);
 
        return yy_is_jam ? 0 : yy_current_state;
-       }
-
+}
 
-#ifndef YY_NO_UNPUT
-#ifdef YY_USE_PROTOS
-static void yyunput( int c, register char *yy_bp )
-#else
-static void yyunput( c, yy_bp )
-int c;
-register char *yy_bp;
-#endif
-       {
-       register char *yy_cp = yy_c_buf_p;
+    static void yyunput (int c, register char * yy_bp )
+{
+       register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
 
        /* undo effects of setting up yytext */
-       *yy_cp = yy_hold_char;
+       *yy_cp = (yy_hold_char);
 
-       if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+       if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
                { /* need to shift things up to make room */
                /* +2 for EOB chars. */
-               register int number_to_move = yy_n_chars + 2;
-               register char *dest = &yy_current_buffer->yy_ch_buf[
-                                       yy_current_buffer->yy_buf_size + 2];
+               register int number_to_move = (yy_n_chars) + 2;
+               register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+                                       YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
                register char *source =
-                               &yy_current_buffer->yy_ch_buf[number_to_move];
+                               &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
 
-               while ( source > yy_current_buffer->yy_ch_buf )
+               while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
                        *--dest = *--source;
 
                yy_cp += (int) (dest - source);
                yy_bp += (int) (dest - source);
-               yy_current_buffer->yy_n_chars =
-                       yy_n_chars = yy_current_buffer->yy_buf_size;
+               YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+                       (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
 
-               if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+               if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
                        YY_FATAL_ERROR( "flex scanner push-back overflow" );
                }
 
        *--yy_cp = (char) c;
 
-
-       yytext_ptr = yy_bp;
-       yy_hold_char = *yy_cp;
-       yy_c_buf_p = yy_cp;
-       }
-#endif /* ifndef YY_NO_UNPUT */
-
+       (yytext_ptr) = yy_bp;
+       (yy_hold_char) = *yy_cp;
+       (yy_c_buf_p) = yy_cp;
+}
 
 #ifndef YY_NO_INPUT
 #ifdef __cplusplus
-static int yyinput()
+    static int yyinput (void)
 #else
-static int input()
+    static int input  (void)
 #endif
-       {
-       int c;
 
-       *yy_c_buf_p = yy_hold_char;
+{
+       int c;
+    
+       *(yy_c_buf_p) = (yy_hold_char);
 
-       if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
+       if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
                {
                /* yy_c_buf_p now points to the character we want to return.
                 * If this occurs *before* the EOB characters, then it's a
                 * valid NUL; if not, then we've hit the end of the buffer.
                 */
-               if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+               if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
                        /* This wa