heimdal: update to lorikeet-heimdal rev 801
authorStefan Metzmacher <metze@samba.org>
Fri, 1 Aug 2008 05:08:51 +0000 (07:08 +0200)
committerStefan Metzmacher <metze@samba.org>
Fri, 1 Aug 2008 14:11:00 +0000 (16:11 +0200)
metze
(This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)

233 files changed:
source4/heimdal/README
source4/heimdal/cf/check-var.m4
source4/heimdal/cf/find-func-no-libs.m4
source4/heimdal/cf/find-func-no-libs2.m4
source4/heimdal/cf/find-func.m4
source4/heimdal/cf/resolv.m4
source4/heimdal/kdc/default_config.c
source4/heimdal/kdc/digest.c
source4/heimdal/kdc/kaserver.c
source4/heimdal/kdc/kerberos5.c
source4/heimdal/kdc/krb5tgs.c
source4/heimdal/kdc/kx509.c
source4/heimdal/kdc/misc.c
source4/heimdal/kdc/pkinit.c
source4/heimdal/kdc/process.c
source4/heimdal/kdc/windc.c
source4/heimdal/kdc/windc_plugin.h
source4/heimdal/kuser/kinit.c
source4/heimdal/lib/asn1/der.h
source4/heimdal/lib/asn1/der_free.c
source4/heimdal/lib/asn1/gen.c
source4/heimdal/lib/asn1/k5.asn1
source4/heimdal/lib/asn1/lex.c
source4/heimdal/lib/asn1/lex.l
source4/heimdal/lib/asn1/pkinit.asn1
source4/heimdal/lib/asn1/test.gen
source4/heimdal/lib/com_err/lex.c
source4/heimdal/lib/com_err/lex.l
source4/heimdal/lib/gssapi/gssapi/gssapi.h
source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h
source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
source4/heimdal/lib/gssapi/krb5/display_status.c
source4/heimdal/lib/gssapi/krb5/external.c
source4/heimdal/lib/gssapi/krb5/get_mic.c
source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
source4/heimdal/lib/gssapi/krb5/import_sec_context.c
source4/heimdal/lib/gssapi/krb5/init_sec_context.c
source4/heimdal/lib/gssapi/krb5/set_cred_option.c
source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
source4/heimdal/lib/gssapi/krb5/unwrap.c
source4/heimdal/lib/gssapi/krb5/verify_mic.c
source4/heimdal/lib/gssapi/krb5/wrap.c
source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
source4/heimdal/lib/gssapi/mech/gss_add_cred.c
source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
source4/heimdal/lib/gssapi/mech/gss_compare_name.c
source4/heimdal/lib/gssapi/mech/gss_context_time.c
source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c
source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_display_name.c
source4/heimdal/lib/gssapi/mech/gss_display_status.c
source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
source4/heimdal/lib/gssapi/mech/gss_export_name.c
source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_get_mic.c
source4/heimdal/lib/gssapi/mech/gss_import_name.c
source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c
source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c
source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c
source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c
source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
source4/heimdal/lib/gssapi/mech/gss_krb5.c
source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
source4/heimdal/lib/gssapi/mech/gss_process_context_token.c
source4/heimdal/lib/gssapi/mech/gss_release_buffer.c
source4/heimdal/lib/gssapi/mech/gss_release_cred.c
source4/heimdal/lib/gssapi/mech/gss_release_name.c
source4/heimdal/lib/gssapi/mech/gss_release_oid.c
source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c
source4/heimdal/lib/gssapi/mech/gss_seal.c
source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c
source4/heimdal/lib/gssapi/mech/gss_sign.c
source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
source4/heimdal/lib/gssapi/mech/gss_unseal.c
source4/heimdal/lib/gssapi/mech/gss_unwrap.c
source4/heimdal/lib/gssapi/mech/gss_verify.c
source4/heimdal/lib/gssapi/mech/gss_verify_mic.c
source4/heimdal/lib/gssapi/mech/gss_wrap.c
source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
source4/heimdal/lib/gssapi/spnego/compat.c
source4/heimdal/lib/gssapi/spnego/context_stubs.c
source4/heimdal/lib/gssapi/spnego/cred_stubs.c
source4/heimdal/lib/gssapi/spnego/external.c
source4/heimdal/lib/gssapi/spnego/spnego-private.h
source4/heimdal/lib/gssapi/spnego/spnego_locl.h
source4/heimdal/lib/hcrypto/aes.c [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/aes.h [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/bn.c
source4/heimdal/lib/hcrypto/camellia-ntt.c
source4/heimdal/lib/hcrypto/camellia-ntt.h
source4/heimdal/lib/hcrypto/camellia.h
source4/heimdal/lib/hcrypto/des.c
source4/heimdal/lib/hcrypto/des.h
source4/heimdal/lib/hcrypto/evp.c
source4/heimdal/lib/hcrypto/evp.h
source4/heimdal/lib/hcrypto/imath/LICENSE
source4/heimdal/lib/hcrypto/pkcs12.c
source4/heimdal/lib/hcrypto/pkcs5.c
source4/heimdal/lib/hcrypto/rand-egd.c
source4/heimdal/lib/hcrypto/rand-fortuna.c
source4/heimdal/lib/hcrypto/rand-unix.c
source4/heimdal/lib/hcrypto/rand.c
source4/heimdal/lib/hcrypto/rc2.c [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/rc2.h [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/rc4.c [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/rijndael-alg-fst.c [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/rijndael-alg-fst.h [changed mode: 0755->0644]
source4/heimdal/lib/hcrypto/rnd_keys.c
source4/heimdal/lib/hcrypto/ui.c
source4/heimdal/lib/hdb/db.c
source4/heimdal/lib/hdb/dbinfo.c
source4/heimdal/lib/hdb/ext.c
source4/heimdal/lib/hdb/hdb.c
source4/heimdal/lib/hdb/keys.c
source4/heimdal/lib/hdb/keytab.c
source4/heimdal/lib/hdb/mkey.c
source4/heimdal/lib/hdb/ndbm.c
source4/heimdal/lib/hx509/ca.c
source4/heimdal/lib/hx509/cert.c
source4/heimdal/lib/hx509/cms.c
source4/heimdal/lib/hx509/crypto.c
source4/heimdal/lib/hx509/env.c
source4/heimdal/lib/hx509/file.c
source4/heimdal/lib/hx509/hx509-private.h
source4/heimdal/lib/hx509/hx509-protos.h
source4/heimdal/lib/hx509/hx509.h
source4/heimdal/lib/hx509/hx_locl.h
source4/heimdal/lib/hx509/keyset.c
source4/heimdal/lib/hx509/ks_dir.c
source4/heimdal/lib/hx509/ks_file.c
source4/heimdal/lib/hx509/ks_p11.c
source4/heimdal/lib/hx509/ks_p12.c
source4/heimdal/lib/hx509/name.c
source4/heimdal/lib/hx509/req.c
source4/heimdal/lib/hx509/revoke.c
source4/heimdal/lib/hx509/sel-gram.c [new file with mode: 0644]
source4/heimdal/lib/hx509/sel-gram.h [new file with mode: 0644]
source4/heimdal/lib/hx509/sel-gram.y [new file with mode: 0644]
source4/heimdal/lib/hx509/sel-lex.c [new file with mode: 0644]
source4/heimdal/lib/hx509/sel-lex.l [new file with mode: 0644]
source4/heimdal/lib/hx509/sel.c [new file with mode: 0644]
source4/heimdal/lib/hx509/sel.h [new file with mode: 0644]
source4/heimdal/lib/hx509/test_name.c
source4/heimdal/lib/krb5/acache.c
source4/heimdal/lib/krb5/addr_families.c
source4/heimdal/lib/krb5/auth_context.c
source4/heimdal/lib/krb5/build_auth.c
source4/heimdal/lib/krb5/cache.c
source4/heimdal/lib/krb5/changepw.c
source4/heimdal/lib/krb5/config_file.c
source4/heimdal/lib/krb5/constants.c
source4/heimdal/lib/krb5/context.c
source4/heimdal/lib/krb5/convert_creds.c
source4/heimdal/lib/krb5/copy_host_realm.c
source4/heimdal/lib/krb5/crc.c
source4/heimdal/lib/krb5/creds.c
source4/heimdal/lib/krb5/crypto.c
source4/heimdal/lib/krb5/data.c
source4/heimdal/lib/krb5/error_string.c
source4/heimdal/lib/krb5/expand_hostname.c
source4/heimdal/lib/krb5/fcache.c
source4/heimdal/lib/krb5/generate_subkey.c
source4/heimdal/lib/krb5/get_cred.c
source4/heimdal/lib/krb5/get_default_principal.c
source4/heimdal/lib/krb5/get_default_realm.c
source4/heimdal/lib/krb5/get_for_creds.c
source4/heimdal/lib/krb5/get_host_realm.c
source4/heimdal/lib/krb5/get_in_tkt.c
source4/heimdal/lib/krb5/init_creds.c
source4/heimdal/lib/krb5/init_creds_pw.c
source4/heimdal/lib/krb5/kcm.c
source4/heimdal/lib/krb5/keyblock.c
source4/heimdal/lib/krb5/keytab.c
source4/heimdal/lib/krb5/keytab_any.c
source4/heimdal/lib/krb5/keytab_file.c
source4/heimdal/lib/krb5/keytab_keyfile.c
source4/heimdal/lib/krb5/keytab_memory.c
source4/heimdal/lib/krb5/krb5-private.h
source4/heimdal/lib/krb5/krb5-protos.h
source4/heimdal/lib/krb5/krb5.h
source4/heimdal/lib/krb5/krb5_err.et
source4/heimdal/lib/krb5/krb5_locl.h
source4/heimdal/lib/krb5/krbhst.c
source4/heimdal/lib/krb5/locate_plugin.h
source4/heimdal/lib/krb5/log.c
source4/heimdal/lib/krb5/mcache.c
source4/heimdal/lib/krb5/mk_priv.c
source4/heimdal/lib/krb5/mk_rep.c
source4/heimdal/lib/krb5/n-fold.c
source4/heimdal/lib/krb5/pac.c
source4/heimdal/lib/krb5/padata.c
source4/heimdal/lib/krb5/pkinit.c
source4/heimdal/lib/krb5/plugin.c
source4/heimdal/lib/krb5/principal.c
source4/heimdal/lib/krb5/rd_cred.c
source4/heimdal/lib/krb5/rd_error.c
source4/heimdal/lib/krb5/rd_rep.c
source4/heimdal/lib/krb5/rd_req.c
source4/heimdal/lib/krb5/replay.c
source4/heimdal/lib/krb5/send_to_kdc.c
source4/heimdal/lib/krb5/send_to_kdc_plugin.h [new file with mode: 0644]
source4/heimdal/lib/krb5/set_default_realm.c
source4/heimdal/lib/krb5/ticket.c
source4/heimdal/lib/krb5/time.c
source4/heimdal/lib/krb5/transited.c
source4/heimdal/lib/krb5/v4_glue.c
source4/heimdal/lib/krb5/warn.c
source4/heimdal/lib/ntlm/ntlm.c
source4/heimdal/lib/roken/dumpdata.c
source4/heimdal/lib/roken/err.hin
source4/heimdal/lib/roken/resolve.c
source4/heimdal/lib/roken/roken-common.h
source4/heimdal/lib/roken/roken.h.in
source4/heimdal/lib/roken/vis.hin
source4/heimdal/lib/wind/stringprep.c
source4/heimdal/lib/wind/utf8.c
source4/heimdal/lib/wind/wind.h
source4/heimdal/lib/wind/wind_err.et
source4/heimdal/lib/wind/windlocl.h

index 131cc574fb7c9b03b18520356e52499fc2509841..88ab7fd12135aef1117c8534cef0c3a36d8787ef 100644 (file)
@@ -1,6 +1,19 @@
-This directory contains a copy of portions of a project known as
-'lorikeet-heimdal', a branch of the Heimdal Kerberos distribution.
+$Id: README 8839 2000-07-27 02:33:54Z assar $
 
-The purpose of these files is to provide kerberos support to Samba4 in
-a predicatable manner, without reliance on the system kerberos
-libraries.
+Heimdal is a Kerberos 5 implementation.
+
+Please see the manual in doc, by default installed in
+/usr/heimdal/info/heimdal.info for information on how to install.
+There are also briefer man pages for most of the commands.
+
+Bug reports and bugs are appreciated, see more under Bug reports in
+the manual on how we prefer them.
+
+For more information see the web-page at
+<http://www.pdc.kth.se/heimdal/> or the mailing lists:
+
+heimdal-announce@sics.se       low-volume announcement
+heimdal-discuss@sics.se                high-volume discussion
+
+send a mail to heimdal-announce-request@sics.se and
+heimdal-discuss-request@sics.se respectively to subscribe.
index 1f06b479c6cba1f35634ac0bb21e17b8c4c2403f..ffa61915e9a2f35c3ea9d5271a0881d9c13e94d3 100644 (file)
@@ -1,4 +1,4 @@
-dnl $Id: check-var.m4,v 1.12 2005/06/16 18:59:10 lha Exp $
+dnl $Id: check-var.m4 15422 2005-06-16 18:59:29Z lha $
 dnl
 dnl rk_CHECK_VAR(variable, includes)
 AC_DEFUN([rk_CHECK_VAR], [
@@ -23,4 +23,5 @@ if test "$ac_foo" = yes; then
 fi
 ])
 
+dnl AC_WARNING_ENABLE([obsolete])
 AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
index 03ff6dc02be5caf37b5fff9e617bf4ffc1d6fb7b..76965a84ee8aa7942f0c8b8fa5d81327cd6a1f8e 100644 (file)
@@ -1,4 +1,4 @@
-dnl $Id: find-func-no-libs.m4,v 1.6 2004/02/12 14:20:45 lha Exp $
+dnl $Id: find-func-no-libs.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
index 2e7c8b7d4b569018f43ebd02388667d18af9f215..617a09e8da1b8f7d10ca13d7f6570d91e4629442 100644 (file)
@@ -1,4 +1,4 @@
-dnl $Id: find-func-no-libs2.m4,v 1.9 2004/08/26 12:35:42 joda Exp $
+dnl $Id: find-func-no-libs2.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
index aa500283f29a17515abf85e9b46d7ea785723883..2354f38e5e4bb6fe95fb6c7dbb54046e7564c9c7 100644 (file)
@@ -1,4 +1,4 @@
-dnl $Id: find-func.m4,v 1.2 2004/02/12 14:20:47 lha Exp $
+dnl $Id: find-func.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl AC_FIND_FUNC(func, libraries, includes, arguments)
 AC_DEFUN([AC_FIND_FUNC], [
index 20e85a8400bb8a884fb30963477d4d512d00c397..8bb5e4ecbb0f8752b7b32be7123386d875a729b4 100644 (file)
@@ -1,6 +1,6 @@
 dnl stuff used by DNS resolv code in roken
 dnl
-dnl $Id: resolv.m4,v 1.1 2005/09/02 10:17:38 lha Exp $
+dnl $Id: resolv.m4 16009 2005-09-02 10:17:38Z lha $
 dnl
 
 AC_DEFUN([rk_RESOLV],[
index 5f336e3275db23a1efa1076cda23db6a18e61fc8..33a2c297fa11fc9891f726e54847035ae82d3a9e 100644 (file)
@@ -36,7 +36,7 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
+RCSID("$Id: default_config.c 23316 2008-06-23 04:32:32Z lha $");
 
 krb5_error_code
 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
@@ -45,7 +45,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 
     c = calloc(1, sizeof(*c));
     if (c == NULL) {
-       krb5_set_error_string(context, "malloc: out of memory");
+       krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
     }
 
index b845b0f9a894e03760881a35d009e2647cdd95e5..bf1e45b328a17e188da00f595400c212570cf616 100644 (file)
@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 #include <hex.h>
 
-RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $");
+RCSID("$Id: digest.c 23316 2008-06-23 04:32:32Z lha $");
 
 #define MS_CHAP_V2     0x20
 #define CHAP_MD5       0x10
@@ -44,13 +44,13 @@ RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $");
 #define NTLM_V1                0x01
 
 const struct units _kdc_digestunits[] = {
-       {"ms-chap-v2",          1U << 5},
-       {"chap-md5",            1U << 4},
-       {"digest-md5",          1U << 3},
-       {"ntlm-v2",             1U << 2},
-       {"ntlm-v1-session",     1U << 1},
-       {"ntlm-v1",             1U << 0},
-       {NULL,  0}
+    {"ms-chap-v2",             1U << 5},
+    {"chap-md5",               1U << 4},
+    {"digest-md5",             1U << 3},
+    {"ntlm-v2",                1U << 2},
+    {"ntlm-v1-session",        1U << 1},
+    {"ntlm-v1",                1U << 0},
+    {NULL,     0}
 };
 
 
@@ -121,10 +121,10 @@ fill_targetinfo(krb5_context context,
         strcmp("imap", str) == 0 ||
         strcmp("pop", str) == 0 ||
         strcmp("smtp", str)))
-    {
-       str = krb5_principal_get_comp_string(context, p, 1);
-       ti.dnsservername = rk_UNCONST(str);
-    }
+       {
+           str = krb5_principal_get_comp_string(context, p, 1);
+           ti.dnsservername = rk_UNCONST(str);
+       }
     
     ret = heim_ntlm_encode_targetinfo(&ti, 1, &d);
     if (ret)
@@ -186,7 +186,7 @@ get_password_entry(krb5_context context,
     if (ret || password == NULL) {
        if (ret == 0) {
            ret = EINVAL;
-           krb5_set_error_string(context, "password missing");
+           krb5_set_error_message(context, ret, "password missing");
        }
        memset(user, 0, sizeof(*user));
     }
@@ -263,7 +263,7 @@ _kdc_do_digest(krb5_context context,
            goto out;
 
        ret = EINVAL;
-       krb5_set_error_string(context, "Wrong digest server principal used");
+       krb5_set_error_message(context, ret, "Wrong digest server principal used");
        p = krb5_principal_get_comp_string(context, principal, 0);
        if (p == NULL) {
            krb5_free_principal(context, principal);
@@ -323,9 +323,9 @@ _kdc_do_digest(krb5_context context,
                    "Client %s tried to use digest "
                    "but is not allowed to", 
                    client_name);
-           krb5_set_error_string(context, 
-                                 "Client is not permitted to use digest");
            ret = KRB5KDC_ERR_POLICY;
+           krb5_set_error_message(context, ret,
+                                  "Client is not permitted to use digest");
            goto out;
        }
     }
@@ -338,8 +338,8 @@ _kdc_do_digest(krb5_context context,
        if (ret)
            goto out;
        if (key == NULL) {
-           krb5_set_error_string(context, "digest: remote subkey not found");
            ret = EINVAL;
+           krb5_set_error_message(context, ret, "digest: remote subkey not found");
            goto out;
        }
 
@@ -359,7 +359,7 @@ _kdc_do_digest(krb5_context context,
     ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
     krb5_data_free(&buf);
     if (ret) {
-       krb5_set_error_string(context, "Failed to decode digest inner request");
+       krb5_set_error_message(context, ret, "Failed to decode digest inner request");
        goto out;
     }
 
@@ -386,15 +386,15 @@ _kdc_do_digest(krb5_context context,
 
        hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
        if (r.u.initReply.nonce == NULL) {
-           krb5_set_error_string(context, "Failed to decode server nonce");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "Failed to decode server nonce");
            goto out;
        }
 
        sp = krb5_storage_emem();
        if (sp == NULL) {
            ret = ENOMEM;
-           krb5_set_error_string(context, "out of memory");
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        ret = krb5_store_stringz(sp, ireq.u.init.type);
@@ -410,9 +410,9 @@ _kdc_do_digest(krb5_context context,
                     ireq.u.init.channel->cb_type,
                     ireq.u.init.channel->cb_binding);
            if (s == NULL) {
-               krb5_set_error_string(context, "Failed to allocate "
-                                     "channel binding");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret,
+                                      "Failed to allocate channel binding");
                goto out;
            }
            free(r.u.initReply.nonce);
@@ -429,15 +429,15 @@ _kdc_do_digest(krb5_context context,
            r.u.initReply.identifier = 
                malloc(sizeof(*r.u.initReply.identifier));
            if (r.u.initReply.identifier == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
 
            asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
            if (*r.u.initReply.identifier == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
 
@@ -478,8 +478,8 @@ _kdc_do_digest(krb5_context context,
        ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
        free_Checksum(&res);
        if (ret) {
-           krb5_set_error_string(context, "Failed to encode "
-                                 "checksum in digest request");
+           krb5_set_error_message(context, ret, "Failed to encode "
+                                  "checksum in digest request");
            goto out;
        }
        if (size != buf.length)
@@ -502,7 +502,7 @@ _kdc_do_digest(krb5_context context,
        sp = krb5_storage_emem();
        if (sp == NULL) {
            ret = ENOMEM;
-           krb5_set_error_string(context, "out of memory");
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
@@ -524,15 +524,15 @@ _kdc_do_digest(krb5_context context,
        buf.length = strlen(ireq.u.digestRequest.opaque);
        buf.data = malloc(buf.length);
        if (buf.data == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
 
        ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
        if (ret <= 0) {
-           krb5_set_error_string(context, "Failed to decode opaque");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "Failed to decode opaque");
            goto out;
        }
        buf.length = ret;
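Review bot: The moved `ret = ENOMEM` after `hex_decode(ireq.u.digestRequest.opaque, ...)` reports a malformed, client-supplied `opaque` string as an out-of-memory condition; the commit reorders the two lines but keeps the wrong code, so the log and the caller cannot tell bad input from resource exhaustion. Use `ret = EINVAL;` (or a KRB5 protocol error) here, and likewise for the `serverNonce`, `clientNonce` and NTLM challenge read failures later in the function, which follow the identical pattern. The enclosing _kdc_do_digest starts and ends outside this hunk.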
@@ -540,7 +540,7 @@ _kdc_do_digest(krb5_context context,
        ret = decode_Checksum(buf.data, buf.length, &res, NULL);
        free(buf.data);
        if (ret) {
-           krb5_set_error_string(context, "Failed to decode digest Checksum");
+           krb5_set_error_message(context, ret, "Failed to decode digest Checksum");
            goto out;
        }
        
@@ -553,8 +553,8 @@ _kdc_do_digest(krb5_context context,
        serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
        serverNonce.data = malloc(serverNonce.length);
        if (serverNonce.data == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
            
@@ -568,8 +568,8 @@ _kdc_do_digest(krb5_context context,
            ssize = hex_decode(ireq.u.digestRequest.serverNonce, 
                               serverNonce.data, serverNonce.length);
            if (ssize <= 0) {
-               krb5_set_error_string(context, "Failed to decode serverNonce");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "Failed to decode serverNonce");
                goto out;
            }
            serverNonce.length = ssize;
@@ -593,15 +593,15 @@ _kdc_do_digest(krb5_context context,
            uint32_t t;
            
            if (serverNonce.length < 4) {
-               krb5_set_error_string(context, "server nonce too short");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, "server nonce too short");
                goto out;
            }
            t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
 
            if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
-               krb5_set_error_string(context, "time screw in server nonce ");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, "time screw in server nonce ");
                goto out;
            }
        }
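Review bot: The skew check `abs((kdc_time & 0xffffffff) - t) > context->max_skew` hands `abs()` an operand wider than int wherever time_t is 64-bit, so the difference is silently truncated before the comparison; the new line only re-attaches the errno and leaves the arithmetic alone. Compute the difference in a fixed 64-bit type and take the magnitude explicitly: `int64_t d = (int64_t)(kdc_time & 0xffffffff) - (int64_t)t; if (d < 0) d = -d; if (d > context->max_skew) {`. The preceding `p[3] << 24` also overflows int when the top byte has bit 7 set, which is undefined in C, if `p` is an unsigned char pointer as its declaration outside the hunk presumably makes it — write `((uint32_t)p[3] << 24)`. The message "time screw" should read "time skew". _kdc_do_digest continues outside this hunk.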
@@ -618,15 +618,15 @@ _kdc_do_digest(krb5_context context,
            }
 
            if (ireq.u.digestRequest.identifier == NULL) {
-               krb5_set_error_string(context, "Identifier missing "
-                                     "from CHAP request");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, "Identifier missing "
+                                      "from CHAP request");
                goto out;
            }
            
            if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
-               krb5_set_error_string(context, "failed to decode identifier");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, "failed to decode identifier");
                goto out;
            }
            
@@ -714,8 +714,8 @@ _kdc_do_digest(krb5_context context,
            MD5_Final(md, &ctx);
            hex_encode(md, sizeof(md), &A1);
            if (A1 == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto failed;
            }
            
@@ -733,8 +733,8 @@ _kdc_do_digest(krb5_context context,
            MD5_Final(md, &ctx);
            hex_encode(md, sizeof(md), &A2);
            if (A2 == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                free(A1);
                goto failed;
            }
@@ -795,15 +795,15 @@ _kdc_do_digest(krb5_context context,
            }
 
            if (ireq.u.digestRequest.clientNonce == NULL)  {
-               krb5_set_error_string(context, 
-                                     "MS-CHAP-V2 clientNonce missing");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, 
+                                      "MS-CHAP-V2 clientNonce missing");
                goto failed;
            }       
            if (serverNonce.length != 16) {
-               krb5_set_error_string(context, 
-                                     "MS-CHAP-V2 serverNonce wrong length");
                ret = EINVAL;
+               krb5_set_error_message(context, ret, 
+                                      "MS-CHAP-V2 serverNonce wrong length");
                goto failed;
            }
 
@@ -824,16 +824,16 @@ _kdc_do_digest(krb5_context context,
                clientNonce.data = malloc(clientNonce.length);
                if (clientNonce.data == NULL) {
                    ret = ENOMEM;
-                   krb5_set_error_string(context, "out of memory");
+                   krb5_set_error_message(context, ret, "malloc: out of memory");
                    goto out;
                }
 
                ssize = hex_decode(*ireq.u.digestRequest.clientNonce, 
                                   clientNonce.data, clientNonce.length);
                if (ssize != 16) {
-                   krb5_set_error_string(context, 
-                                         "Failed to decode clientNonce");
                    ret = ENOMEM;
+                   krb5_set_error_message(context, ret, 
+                                          "Failed to decode clientNonce");
                    goto out;
                }
                SHA1_Update(&ctx, clientNonce.data, ssize);
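Review bot: A `clientNonce` that fails `hex_decode` (`ssize != 16`) is reported as ENOMEM and jumps to `out`, while the missing-`clientNonce` check a few lines earlier in the same MS-CHAP-V2 branch uses EINVAL and `goto failed`; the commit moves the `ret = ENOMEM` line but leaves both inconsistencies. A nonce of the wrong length is a client error, so `ret = EINVAL;` and, if `failed` is the label that builds the error reply (it is outside this hunk), `goto failed;` to match its siblings. The `clientNonce.data` allocated just above is not released on either early exit inside the hunk; confirm that `out` frees it.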
@@ -852,18 +852,18 @@ _kdc_do_digest(krb5_context context,
                                HDB_F_GET_CLIENT, NULL, &user);
            krb5_free_principal(context, clientprincipal);
            if (ret) {
-               krb5_set_error_string(context, 
-                                     "MS-CHAP-V2 user %s not in database",
-                                     username);
+               krb5_set_error_message(context, ret, 
+                                      "MS-CHAP-V2 user %s not in database",
+                                      username);
                goto failed;
            }
 
            ret = hdb_enctype2key(context, &user->entry, 
                                  ETYPE_ARCFOUR_HMAC_MD5, &key);
            if (ret) {
-               krb5_set_error_string(context, 
-                                     "MS-CHAP-V2 missing arcfour key %s",
-                                     username);
+               krb5_set_error_message(context, ret, 
+                                      "MS-CHAP-V2 missing arcfour key %s",
+                                      username);
                goto failed;
            }
 
@@ -872,7 +872,7 @@ _kdc_do_digest(krb5_context context,
                                            key->key.keyvalue.length,
                                            challange, &answer);
            if (ret) {
-               krb5_set_error_string(context, "NTLM missing arcfour key");
+               krb5_set_error_message(context, ret, "NTLM missing arcfour key");
                goto failed;
            }
            
@@ -967,8 +967,8 @@ _kdc_do_digest(krb5_context context,
            asprintf(&r.u.error.reason, "Unsupported digest type %s", 
                     ireq.u.digestRequest.type);
            if (r.u.error.reason == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
            r.u.error.code = EINVAL;
@@ -1021,29 +1021,29 @@ _kdc_do_digest(krb5_context context,
        r.u.ntlmInitReply.targetname = 
            get_ntlm_targetname(context, client);
        if (r.u.ntlmInitReply.targetname == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        r.u.ntlmInitReply.challange.data = malloc(8);
        if (r.u.ntlmInitReply.challange.data == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        r.u.ntlmInitReply.challange.length = 8;
        if (RAND_bytes(r.u.ntlmInitReply.challange.data,
                       r.u.ntlmInitReply.challange.length) != 1) 
-       {
-           krb5_set_error_string(context, "out of random error");
-           ret = ENOMEM;
-           goto out;
-       }
+           {
+               ret = ENOMEM;
+               krb5_set_error_message(context, ret, "out of random error");
+               goto out;
+           }
        /* XXX fix targetinfo */
        ALLOC(r.u.ntlmInitReply.targetinfo);
        if (r.u.ntlmInitReply.targetinfo == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
 
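Review bot: The re-indented block under `if (RAND_bytes(...) != 1)` now has its braces and body one level deeper than every other `if` in this hunk, including the `ALLOC` check directly below it, which reads like an indent-tool artefact rather than a deliberate style. Put the brace on the `if` line, `if (RAND_bytes(r.u.ntlmInitReply.challange.data, r.u.ntlmInitReply.challange.length) != 1) {`, and indent the body like its neighbours. Separately, a RAND_bytes failure is reported as ENOMEM "out of random error"; there is no exact errno for it, but a comment such as `/* no usable entropy: refuse to issue a predictable NTLM challenge */` would tell a reader why the request is aborted. _kdc_do_digest continues outside this hunk.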
@@ -1052,8 +1052,8 @@ _kdc_do_digest(krb5_context context,
                              client,
                              r.u.ntlmInitReply.targetinfo);
        if (ret) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
 
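Review bot: The `fill_targetinfo` failure path overwrites the code it returned with ENOMEM and logs "malloc: out of memory" whatever went wrong, so a bad targetinfo encoding and a real allocation failure are indistinguishable to the caller and in the log; the commit reorders the two lines but keeps the overwrite. Keep the returned code and name the step: drop `ret = ENOMEM;` and use `krb5_set_error_message(context, ret, "Failed to build NTLM targetinfo");`. fill_targetinfo's definition is outside this hunk, though the fragment visible earlier in the diff passes through the result of `heim_ntlm_encode_targetinfo`, so it appears to return a krb5_error_code. _kdc_do_digest continues outside this hunk.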
@@ -1064,14 +1064,14 @@ _kdc_do_digest(krb5_context context,
        sp = krb5_storage_emem();
        if (sp == NULL) {
            ret = ENOMEM;
-           krb5_set_error_string(context, "out of memory");
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        
        ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
        if (ret != 8) {
            ret = ENOMEM;
-           krb5_set_error_string(context, "storage write challange");
+           krb5_set_error_message(context, ret, "storage write challange");
            goto out;
        }
        ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags);
@@ -1127,8 +1127,8 @@ _kdc_do_digest(krb5_context context,
                            HDB_F_GET_CLIENT, NULL, &user);
        krb5_free_principal(context, clientprincipal);
        if (ret) {
-           krb5_set_error_string(context, "NTLM user %s not in database",
-                                 ireq.u.ntlmRequest.username);
+           krb5_set_error_message(context, ret, "NTLM user %s not in database",
+                                  ireq.u.ntlmRequest.username);
            goto failed;
        }
 
@@ -1150,33 +1150,33 @@ _kdc_do_digest(krb5_context context,
        sp = krb5_storage_from_data(&buf);
        if (sp == NULL) {
            ret = ENOMEM;
-           krb5_set_error_string(context, "out of memory");
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        
        ret = krb5_storage_read(sp, challange, sizeof(challange));
        if (ret != sizeof(challange)) {
-           krb5_set_error_string(context, "NTLM storage read challange");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "NTLM storage read challange");
            goto out;
        }
        ret = krb5_ret_uint32(sp, &flags);
        if (ret) {
-           krb5_set_error_string(context, "NTLM storage read flags");
+           krb5_set_error_message(context, ret, "NTLM storage read flags");
            goto out;
        }
        krb5_data_free(&buf);
 
        if ((flags & NTLM_NEG_NTLM) == 0) {
            ret = EINVAL;
-           krb5_set_error_string(context, "NTLM not negotiated");
+           krb5_set_error_message(context, ret, "NTLM not negotiated");
            goto out;
        }
 
        ret = hdb_enctype2key(context, &user->entry, 
                              ETYPE_ARCFOUR_HMAC_MD5, &key);
        if (ret) {
-           krb5_set_error_string(context, "NTLM missing arcfour key");
+           krb5_set_error_message(context, ret, "NTLM missing arcfour key");
            goto out;
        }
 
@@ -1194,8 +1194,8 @@ _kdc_do_digest(krb5_context context,
 
            targetname = get_ntlm_targetname(context, client);
            if (targetname == NULL) {
-               krb5_set_error_string(context, "out of memory");
                ret = ENOMEM;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
 
@@ -1213,7 +1213,7 @@ _kdc_do_digest(krb5_context context,
                                         sessionkey);
            free(targetname);
            if (ret) {
-               krb5_set_error_string(context, "NTLM v2 verify failed");
+               krb5_set_error_message(context, ret, "NTLM v2 verify failed");
                goto failed;
            }
 
@@ -1238,9 +1238,9 @@ _kdc_do_digest(krb5_context context,
                }
 
                if (ireq.u.ntlmRequest.lm.length != 24) {
-                   krb5_set_error_string(context, "LM hash have wrong length "
-                                         "for NTLM session key");
                    ret = EINVAL;
+                   krb5_set_error_message(context, ret, "LM hash have wrong length "
+                                          "for NTLM session key");
                    goto failed;
                }
                
@@ -1260,18 +1260,18 @@ _kdc_do_digest(krb5_context context,
                                            key->key.keyvalue.length,
                                            challange, &answer);
            if (ret) {
-               krb5_set_error_string(context, "NTLM missing arcfour key");
+               krb5_set_error_message(context, ret, "NTLM missing arcfour key");
                goto failed;
            }
            
            if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
                memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
-           {
-               free(answer.data);
-               ret = EINVAL;
-               krb5_set_error_string(context, "NTLM hash mismatch");
-               goto failed;
-           }
+               {
+                   free(answer.data);
+                   ret = EINVAL;
+                   krb5_set_error_message(context, ret, "NTLM hash mismatch");
+                   goto failed;
+               }
            free(answer.data);
 
            {
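Review bot: The re-indented block `{ free(answer.data); ret = EINVAL; ... goto failed; }` now sits four columns deeper than the `if` it belongs to and reads as a nested block; it should be aligned with `if (ireq.u.ntlmRequest.ntlm.length != answer.length ||` as it was before the change. Separately, the `memcmp` comparing the client's NTLM response with the computed `answer` exits on the first differing byte, so the comparison time depends on how much of the response was correct; a constant-time comparison avoids that leak at no cost. `_kdc_do_digest` continues outside the hunk.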
@@ -1290,18 +1290,19 @@ _kdc_do_digest(krb5_context context,
            size_t len;
            
            if ((flags & NTLM_NEG_KEYEX) == 0) {
-               krb5_set_error_string(context,
-                                     "NTLM client failed to neg key "
-                                     "exchange but still sent key");
                ret = EINVAL;
+               krb5_set_error_message(context, ret,
+                                      "NTLM client failed to neg key "
+                                      "exchange but still sent key");
                goto failed;
            }
            
            len = ireq.u.ntlmRequest.sessionkey->length;
            if (len != sizeof(masterkey)){
-               krb5_set_error_string(context,
-                                     "NTLM master key wrong length: %lu",
-                                     (unsigned long)len);
+               ret = EINVAL;
+               krb5_set_error_message(context, ret,
+                                      "NTLM master key wrong length: %lu",
+                                      (unsigned long)len);
                goto failed;
            }
            
@@ -1315,14 +1316,15 @@ _kdc_do_digest(krb5_context context,
            r.u.ntlmResponse.sessionkey = 
                malloc(sizeof(*r.u.ntlmResponse.sessionkey));
            if (r.u.ntlmResponse.sessionkey == NULL) {
-               krb5_set_error_string(context, "out of memory");
+               ret = EINVAL;
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
            
            ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
                                 masterkey, sizeof(masterkey));
            if (ret) {
-               krb5_set_error_string(context, "out of memory");
+               krb5_set_error_message(context, ret, "malloc: out of memory");
                goto out;
            }
        }
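Review bot: The new `ret = EINVAL;` after `malloc(sizeof(*r.u.ntlmResponse.sessionkey))` fails sets the wrong code: every other allocation failure in this function uses ENOMEM, and the message on the next line says "malloc: out of memory". It should read `ret = ENOMEM;`. The `krb5_data_copy` failure just below correctly keeps the code that call returned.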
@@ -1354,11 +1356,11 @@ _kdc_do_digest(krb5_context context,
        break;
 
     default: {
-       char *s;
-       krb5_set_error_string(context, "unknown operation to digest");
+       const char *s;
        ret = EINVAL;
+       krb5_set_error_message(context, ret, "unknown operation to digest");
 
-    failed:
+       failed:
 
        s = krb5_get_error_message(context, ret);
        if (s == NULL) {
@@ -1370,10 +1372,10 @@ _kdc_do_digest(krb5_context context,
 
        r.element = choice_DigestRepInner_error;
        r.u.error.reason = strdup("unknown error");
-       krb5_free_error_string(context, s);
+       krb5_free_error_message(context, s);
        if (r.u.error.reason == NULL) {
-           krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
+           krb5_set_error_message(context, ret, "malloc: out of memory");
            goto out;
        }
        r.u.error.code = EINVAL;
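Review bot: `s` obtained from `krb5_get_error_message` is released at `krb5_free_error_message(context, s)` without being used in the visible lines; the reason sent back to the client is the literal `strdup("unknown error")`. If withholding the KDC-internal error text from the peer is intentional, a comment such as `/* deliberately do not echo the internal error text to the client */` would stop the next reader from "fixing" it; if not, the strdup should take `s`. The lines between this hunk and the previous one are not visible, so the use may be there.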
@@ -1383,7 +1385,7 @@ _kdc_do_digest(krb5_context context,
 
     ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
     if (ret) {
-       krb5_set_error_string(context, "Failed to encode inner digest reply");
+       krb5_set_error_message(context, ret, "Failed to encode inner digest reply");
        goto out;
     }
     if (size != buf.length)
@@ -1414,14 +1416,14 @@ _kdc_do_digest(krb5_context context,
     
     ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
     if (ret) {
-       krb5_set_error_string(context, "Failed to encode digest reply");
+       krb5_set_error_message(context, ret, "Failed to encode digest reply");
        goto out;
     }
     if (size != reply->length)
        krb5_abortx(context, "ASN1 internal error");
 
     
-out:
+ out:
     if (ac)
        krb5_auth_con_free(context, ac);
     if (ret)
index 27f497ea6643c5ecc485160061b5e0840e28fbec..4f257d717ee35b1162d9f3817113087e963b3feb 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c 21654 2007-07-21 17:30:18Z lha $");
+RCSID("$Id: kaserver.c 23110 2008-04-27 18:51:17Z lha $");
 
 #include <krb5-v4compat.h>
 #include <rx.h>
@@ -366,7 +366,7 @@ create_reply_ticket (krb5_context context,
        DES_cblock deskey;
        
        memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-       DES_set_key (&deskey, &schedule);
+       DES_set_key_unchecked (&deskey, &schedule);
        DES_pcbc_encrypt (enc_data.data,
                          enc_data.data,
                          enc_data.length,
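Review bot: Replacing `DES_set_key` with `DES_set_key_unchecked` here, and in the two following hunks in do_authenticate and do_getticket, drops whatever parity or weak-key validation the checked variant performed. Since the old return value was never examined this is probably a no-op in practice, but a short comment such as `/* key comes from the database; parity/weak-key checks intentionally skipped */` would record that the choice is deliberate. create_reply_ticket continues outside the hunk.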
@@ -524,7 +524,7 @@ do_authenticate (krb5_context context,
        
        /* try to decode the `request' */
        memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
-       DES_set_key (&key, &schedule);
+       DES_set_key_unchecked (&key, &schedule);
        DES_pcbc_encrypt (request.data,
                          request.data,
                          request.length,
@@ -801,7 +801,7 @@ do_getticket (krb5_context context,
 
     /* decrypt the times */
     memcpy(&session, ad.session.keyvalue.data, sizeof(session));
-    DES_set_key (&session, &schedule);
+    DES_set_key_unchecked (&session, &schedule);
     DES_ecb_encrypt (times.data,
                     times.data,
                     &schedule,
index f1dea6499df0252d71c15d4c64dcb27e7da02f65..2a2c48c233a657d3138b29b37865e2a05155e6b8 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
+RCSID("$Id: kerberos5.c 23316 2008-06-23 04:32:32Z lha $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -1648,7 +1648,7 @@ _kdc_as_rep(krb5_context context,
        memset(&canon, 0, sizeof(canon));
 
        canon.names.requested_name = *b->cname;
-       canon.names.real_name = client->entry.principal->name;
+       canon.names.mapped_name = client->entry.principal->name;
 
        ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
                           &canon.names, &len, ret);
@@ -1807,7 +1807,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
     if (tkt->authorization_data == NULL) {
        tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
        if (tkt->authorization_data == NULL) {
-           krb5_set_error_string(context, "out of memory");
+           krb5_set_error_message(context, ENOMEM, "out of memory");
            return ENOMEM;
        }
     }
@@ -1822,7 +1822,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
 
        ret = add_AuthorizationData(&ad, &ade);
        if (ret) {
-           krb5_set_error_string(context, "add AuthorizationData failed");
+           krb5_set_error_message(context, ret, "add AuthorizationData failed");
            return ret;
        }
 
@@ -1833,8 +1833,8 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
                           &ad, &size, ret);
        free_AuthorizationData(&ad);
        if (ret) {
-           krb5_set_error_string(context, "ASN.1 encode of "
-                                 "AuthorizationData failed");
+           krb5_set_error_message(context, ret, "ASN.1 encode of "
+                                  "AuthorizationData failed");
            return ret;
        }
        if (ade.ad_data.length != size)
@@ -1843,7 +1843,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
        ret = add_AuthorizationData(tkt->authorization_data, &ade);
        der_free_octet_string(&ade.ad_data);
        if (ret) {
-           krb5_set_error_string(context, "add AuthorizationData failed");
+           krb5_set_error_message(context, ret, "add AuthorizationData failed");
            return ret;
        }
     }
index 32bdee9799ca8407852b3ac2881465645839eaa2..071a30d5a78a674d1ce126683f4dc5e3185c7615 100644 (file)
@@ -1,45 +1,45 @@
 /*
- * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #include "kdc_locl.h"
 
-RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $");
+RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $");
 
 /*
  * return the realm of a krbtgt-ticket or NULL
  */
 
-static Realm 
+static Realm
 get_krbtgt_realm(const PrincipalName *p)
 {
     if(p->name_string.len == 2
@@ -80,8 +80,8 @@ find_KRB5SignedPath(krb5_context context,
                                   &child,
                                   NULL);
     if (ret) {
-       krb5_set_error_string(context, "Failed to decode "
-                             "IF_RELEVANT with %d", ret);
+       krb5_set_error_message(context, ret, "Failed to decode "
+                              "IF_RELEVANT with %d", ret);
        return ret;
     }
 
@@ -168,7 +168,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
     if (data.length != size)
        krb5_abortx(context, "internal asn.1 encoder error");
 
-    
+
     /*
      * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
      * authorization data field.
@@ -187,13 +187,14 @@ check_KRB5SignedPath(krb5_context context,
                     hdb_entry_ex *krbtgt,
                     EncTicketPart *tkt,
                     KRB5SignedPathPrincipals **delegated,
-                    int require_signedpath)
+                    int *signedpath)
 {
     krb5_error_code ret;
     krb5_data data;
     krb5_crypto crypto = NULL;
 
-    *delegated = NULL;
+    if (delegated)
+       *delegated = NULL;
 
     ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
     if (ret == 0) {
@@ -236,8 +237,8 @@ check_KRB5SignedPath(krb5_context context,
                return ret;
            }
        }
-       ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 
-                                  data.data, data.length, 
+       ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
+                                  data.data, data.length,
                                   &sp.cksum);
        krb5_crypto_destroy(context, crypto);
        free(data.data);
@@ -246,7 +247,7 @@ check_KRB5SignedPath(krb5_context context,
            return ret;
        }
 
-       if (sp.delegated) {
+       if (delegated && sp.delegated) {
 
            *delegated = malloc(sizeof(*sp.delegated));
            if (*delegated == NULL) {
@@ -263,10 +264,8 @@ check_KRB5SignedPath(krb5_context context,
            }
        }
        free_KRB5SignedPath(&sp);
-       
-    } else {
-       if (require_signedpath)
-           return KRB5KDC_ERR_BADOPTION;
+
+       *signedpath = 1;
     }
 
     return 0;
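Review bot: `*signedpath = 1;` is the only write to the new out-parameter, so check_KRB5SignedPath never clears it and the caller must initialise it to 0; unlike `delegated`, `signedpath` is also dereferenced without a NULL check. The old `KRB5KDC_ERR_BADOPTION` rejection when a signed path was required is gone from this function, so the decision to refuse a request that carries neither a verified PAC nor a verified KRB5SignedPath now rests entirely on the caller, which is outside this chunk and worth confirming. A comment above the function along the lines of `/* signedpath: set to 1 when a valid KRB5SignedPath is found, never cleared; caller initialises it */` would document the contract. The function's signature is in an earlier hunk.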
@@ -286,7 +285,7 @@ check_PAC(krb5_context context,
          const EncryptionKey *krbtgt_key,
          EncTicketPart *tkt,
          krb5_data *rspac,
-         int *require_signedpath)
+         int *signedpath)
 {
     AuthorizationData *ad = tkt->authorization_data;
     unsigned i, j;
@@ -306,8 +305,8 @@ check_PAC(krb5_context context,
                                       &child,
                                       NULL);
        if (ret) {
-           krb5_set_error_string(context, "Failed to decode "
-                                 "IF_RELEVANT with %d", ret);
+           krb5_set_error_message(context, ret, "Failed to decode "
+                                  "IF_RELEVANT with %d", ret);
            return ret;
        }
        for (j = 0; j < child.len; j++) {
@@ -324,7 +323,7 @@ check_PAC(krb5_context context,
                if (ret)
                    return ret;
 
-               ret = krb5_pac_verify(context, pac, tkt->authtime, 
+               ret = krb5_pac_verify(context, pac, tkt->authtime,
                                      client_principal,
                                      krbtgt_key, NULL);
                if (ret) {
@@ -332,13 +331,13 @@ check_PAC(krb5_context context,
                    return ret;
                }
 
-               ret = _kdc_pac_verify(context, client_principal, 
+               ret = _kdc_pac_verify(context, client_principal,
                                      client, server, &pac);
                if (ret) {
                    krb5_pac_free(context, pac);
                    return ret;
                }
-               *require_signedpath = 0;
+               *signedpath = 1;
 
                ret = _krb5_pac_sign(context, pac, tkt->authtime,
                                     client_principal,
@@ -359,7 +358,7 @@ check_PAC(krb5_context context,
  */
 
 static krb5_error_code
-check_tgs_flags(krb5_context context,        
+check_tgs_flags(krb5_context context,
                krb5_kdc_configuration *config,
                KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
 {
@@ -379,7 +378,7 @@ check_tgs_flags(krb5_context context,
        /* XXX  tkt = tgt */
        et->flags.invalid = 0;
     }else if(tgt->flags.invalid){
-       kdc_log(context, config, 0, 
+       kdc_log(context, config, 0,
                "Ticket-granting ticket has INVALID flag set");
        return KRB5KRB_AP_ERR_TKT_INVALID;
     }
@@ -473,8 +472,8 @@ check_tgs_flags(krb5_context context,
        et->endtime = *et->starttime + old_life;
        if (et->renew_till != NULL)
            et->endtime = min(*et->renew_till, et->endtime);
-    }      
-    
+    }  
+
 #if 0
     /* checks for excess flags */
     if(f.request_anonymous && !config->allow_anonymous){
@@ -491,7 +490,7 @@ check_tgs_flags(krb5_context context,
  */
 
 static krb5_error_code
-check_constrained_delegation(krb5_context context, 
+check_constrained_delegation(krb5_context context,
                             krb5_kdc_configuration *config,
                             hdb_entry_ex *client,
                             krb5_const_principal server)
@@ -522,7 +521,7 @@ check_constrained_delegation(krb5_context context,
  */
 
 static krb5_error_code
-verify_flags (krb5_context context, 
+verify_flags (krb5_context context,
              krb5_kdc_configuration *config,
              const EncTicketPart *et,
              const char *pstr)
@@ -543,18 +542,18 @@ verify_flags (krb5_context context,
  */
 
 static krb5_error_code
-fix_transited_encoding(krb5_context context, 
+fix_transited_encoding(krb5_context context,
                       krb5_kdc_configuration *config,
                       krb5_boolean check_policy,
-                      const TransitedEncoding *tr, 
-                      EncTicketPart *et, 
-                      const char *client_realm, 
-                      const char *server_realm, 
+                      const TransitedEncoding *tr,
+                      EncTicketPart *et,
+                      const char *client_realm,
+                      const char *server_realm,
                       const char *tgt_realm)
 {
     krb5_error_code ret = 0;
     char **realms, **tmp;
-    int num_realms;
+    unsigned int num_realms;
     int i;
 
     switch (tr->tr_type) {
@@ -576,9 +575,9 @@ fix_transited_encoding(krb5_context context,
        return KRB5KDC_ERR_TRTYPE_NOSUPP;
     }
 
-    ret = krb5_domain_x500_decode(context, 
+    ret = krb5_domain_x500_decode(context,
                                  tr->contents,
-                                 &realms, 
+                                 &realms,
                                  &num_realms,
                                  client_realm,
                                  server_realm);
@@ -589,7 +588,7 @@ fix_transited_encoding(krb5_context context,
     }
     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
        /* not us, so add the previous realm to transited set */
-       if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+       if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
            ret = ERANGE;
            goto free_realms;
        }
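Review bot: With `num_realms` now `unsigned int`, `num_realms + 1` wraps to 0 when it equals UINT_MAX, so the guard passes in exactly the case it is meant to catch; `if (num_realms >= UINT_MAX/sizeof(*realms)) {` avoids the addition and is exact. This is practically unreachable for a realm count decoded from a ticket, but it is free to fix. The `int i` declared earlier in fix_transited_encoding is presumably compared against this unsigned count in a loop outside the hunk, which -Wsign-compare will now flag.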
@@ -607,7 +606,7 @@ fix_transited_encoding(krb5_context context,
        num_realms++;
     }
     if(num_realms == 0) {
-       if(strcmp(client_realm, server_realm)) 
+       if(strcmp(client_realm, server_realm))
            kdc_log(context, config, 0,
                    "cross-realm %s -> %s", client_realm, server_realm);
     } else {
@@ -630,11 +629,11 @@ fix_transited_encoding(krb5_context context,
        }
     }
     if(check_policy) {
-       ret = krb5_check_transited(context, client_realm, 
-                                  server_realm, 
+       ret = krb5_check_transited(context, client_realm,
+                                  server_realm,
                                   realms, num_realms, NULL);
        if(ret) {
-           krb5_warn(context, ret, "cross-realm %s -> %s", 
+           krb5_warn(context, ret, "cross-realm %s -> %s",
                      client_realm, server_realm);
            goto free_realms;
        }
@@ -653,23 +652,24 @@ fix_transited_encoding(krb5_context context,
 
 
 static krb5_error_code
-tgs_make_reply(krb5_context context, 
+tgs_make_reply(krb5_context context,
               krb5_kdc_configuration *config,
-              KDC_REQ_BODY *b, 
+              KDC_REQ_BODY *b,
               krb5_const_principal tgt_name,
-              const EncTicketPart *tgt, 
+              const EncTicketPart *tgt,
               const EncryptionKey *serverkey,
               const krb5_keyblock *sessionkey,
               krb5_kvno kvno,
               AuthorizationData *auth_data,
-              hdb_entry_ex *server, 
-              const char *server_name, 
-              hdb_entry_ex *client, 
-              krb5_principal client_principal, 
+              hdb_entry_ex *server,
+              const char *server_name,
+              hdb_entry_ex *client,
+              krb5_principal client_principal,
               hdb_entry_ex *krbtgt,
               krb5_enctype krbtgt_etype,
               KRB5SignedPathPrincipals *spp,
               const krb5_data *rspac,
+              const METHOD_DATA *enc_pa_data,
               const char **e_text,
               krb5_data *reply)
 {
@@ -678,11 +678,11 @@ tgs_make_reply(krb5_context context,
     EncTicketPart et;
     KDCOptions f = b->kdc_options;
     krb5_error_code ret;
-    
+
     memset(&rep, 0, sizeof(rep));
     memset(&et, 0, sizeof(et));
     memset(&ek, 0, sizeof(ek));
-    
+
     rep.pvno = 5;
     rep.msg_type = krb_tgs_rep;
 
@@ -691,7 +691,7 @@ tgs_make_reply(krb5_context context,
     et.endtime = min(tgt->endtime, *b->till);
     ALLOC(et.starttime);
     *et.starttime = kdc_time;
-    
+
     ret = check_tgs_flags(context, config, b, tgt, &et);
     if(ret)
        goto out;
@@ -715,11 +715,11 @@ tgs_make_reply(krb5_context context,
 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P)             0
 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P)     0
 
-    ret = fix_transited_encoding(context, config, 
+    ret = fix_transited_encoding(context, config,
                                 !f.disable_transited_check ||
                                 GLOBAL_FORCE_TRANSITED_CHECK ||
                                 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
-                                !((GLOBAL_ALLOW_PER_PRINCIPAL && 
+                                !((GLOBAL_ALLOW_PER_PRINCIPAL &&
                                    PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
                                   GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
                                 &tgt->transited, &et,
@@ -729,7 +729,7 @@ tgs_make_reply(krb5_context context,
     if(ret)
        goto out;
 
-    copy_Realm(krb5_princ_realm(context, server->entry.principal), 
+    copy_Realm(krb5_princ_realm(context, server->entry.principal),
               &rep.ticket.realm);
     _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
     copy_Realm(&tgt_name->realm, &rep.crealm);
@@ -754,7 +754,7 @@ tgs_make_reply(krb5_context context,
            life = min(life, *server->entry.max_life);
        et.endtime = *et.starttime + life;
     }
-    if(f.renewable_ok && tgt->flags.renewable && 
+    if(f.renewable_ok && tgt->flags.renewable &&
        et.renew_till == NULL && et.endtime < *b->till){
        et.flags.renewable = 1;
        ALLOC(et.renew_till);
@@ -769,13 +769,13 @@ tgs_make_reply(krb5_context context,
            renew = min(renew, *server->entry.max_renew);
        *et.renew_till = et.authtime + renew;
     }
-           
+       
     if(et.renew_till){
        *et.renew_till = min(*et.renew_till, *tgt->renew_till);
        *et.starttime = min(*et.starttime, *et.renew_till);
        et.endtime = min(et.endtime, *et.renew_till);
     }
-    
+
     *et.starttime = min(*et.starttime, et.endtime);
 
     if(*et.starttime == et.endtime){
@@ -787,12 +787,12 @@ tgs_make_reply(krb5_context context,
        et.renew_till = NULL;
        et.flags.renewable = 0;
     }
-    
+
     et.flags.pre_authent = tgt->flags.pre_authent;
     et.flags.hw_authent  = tgt->flags.hw_authent;
     et.flags.anonymous   = tgt->flags.anonymous;
     et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
-           
+       
     if (auth_data) {
        /* XXX Check enc-authorization-data */
        et.authorization_data = calloc(1, sizeof(*et.authorization_data));
@@ -836,7 +836,7 @@ tgs_make_reply(krb5_context context,
        goto out;
     et.crealm = tgt->crealm;
     et.cname = tgt_name->name;
-           
+       
     ek.key = et.key;
     /* MIT must have at least one last_req */
     ek.last_req.len = 1;
@@ -853,8 +853,8 @@ tgs_make_reply(krb5_context context,
     ek.renew_till = et.renew_till;
     ek.srealm = rep.ticket.realm;
     ek.sname = rep.ticket.sname;
-    
-    _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, 
+
+    _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
                       et.endtime, et.renew_till);
 
     /* Don't sign cross realm tickets, they can't be checked anyway */
@@ -874,6 +874,17 @@ tgs_make_reply(krb5_context context,
        }
     }
 
+    if (enc_pa_data->len) {
+       rep.padata = calloc(1, sizeof(*rep.padata));
+       if (rep.padata == NULL) {
+           ret = ENOMEM;
+           goto out;
+       }
+       ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
+       if (ret)
+           goto out;
+    }
+
     /* It is somewhat unclear where the etype in the following
        encryption should come from. What we have is a session
        key in the passed tgt, and a list of preferred etypes
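Review bot: `enc_pa_data->len` dereferences the new parameter unconditionally, so a NULL `enc_pa_data` from any caller crashes the KDC; either document on the prototype that callers must pass a non-NULL (possibly empty) METHOD_DATA, or guard with `if (enc_pa_data && enc_pa_data->len) {`. The `rep.padata` allocation on the error paths is presumably released by `free_TGS_REP(&rep)` at `out:`, so no leak there. tgs_make_reply continues on both sides of the hunk.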
@@ -884,9 +895,9 @@ tgs_make_reply(krb5_context context,
        CAST session key. Should the DES3 etype be added to the
        etype list, even if we don't want a session key with
        DES3? */
-    ret = _kdc_encode_reply(context, config, 
+    ret = _kdc_encode_reply(context, config,
                            &rep, &et, &ek, et.key.keytype,
-                           kvno, 
+                           kvno,
                            serverkey, 0, &tgt->key, e_text, reply);
 out:
     free_TGS_REP(&rep);
@@ -906,10 +917,10 @@ out:
 }
 
 static krb5_error_code
-tgs_check_authenticator(krb5_context context, 
+tgs_check_authenticator(krb5_context context,
                        krb5_kdc_configuration *config,
                        krb5_auth_context ac,
-                       KDC_REQ_BODY *b, 
+                       KDC_REQ_BODY *b,
                        const char **e_text,
                        krb5_keyblock *key)
 {
@@ -919,7 +930,7 @@ tgs_check_authenticator(krb5_context context,
     size_t buf_size;
     krb5_error_code ret;
     krb5_crypto crypto;
-    
+
     krb5_auth_con_getauthenticator(context, ac, &auth);
     if(auth->cksum == NULL){
        kdc_log(context, config, 0, "No authenticator in request");
@@ -936,7 +947,7 @@ tgs_check_authenticator(krb5_context context,
        ||
 #endif
  !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
-       kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", 
+       kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
                auth->cksum->cksumtype);
        ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
        goto out;
@@ -945,7 +956,7 @@ tgs_check_authenticator(krb5_context context,
     /* XXX should not re-encode this */
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
     if(ret){
-       kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", 
+       kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
                krb5_get_err_text(context, ret));
        goto out;
     }
@@ -966,14 +977,14 @@ tgs_check_authenticator(krb5_context context,
     ret = krb5_verify_checksum(context,
                               crypto,
                               KRB5_KU_TGS_REQ_AUTH_CKSUM,
-                              buf, 
+                              buf,
                               len,
                               auth->cksum);
     free(buf);
     krb5_crypto_destroy(context, crypto);
     if(ret){
        kdc_log(context, config, 0,
-               "Failed to verify authenticator checksum: %s", 
+               "Failed to verify authenticator checksum: %s",
                krb5_get_err_text(context, ret));
     }
 out:
@@ -991,27 +1002,38 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
 {
     const char *new_realm = krb5_config_get_string(context,
                                                   NULL,
-                                                  "capaths", 
+                                                  "capaths",
                                                   crealm,
                                                   srealm,
                                                   NULL);
     return new_realm;
 }
-           
+       
 
 static krb5_boolean
-need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
+need_referral(krb5_context context, krb5_kdc_configuration *config,
+             const KDCOptions * const options, krb5_principal server,
+             krb5_realm **realms)
 {
-    if(server->name.name_type != KRB5_NT_SRV_INST ||
-       server->name.name_string.len != 2)
+    const char *name;
+
+    if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
+       return FALSE;
+
+    if (server->name.name_string.len == 1)
+       name = server->name.name_string.val[0];
+    if (server->name.name_string.len > 1)
+       name = server->name.name_string.val[1];
+    else
        return FALSE;
-    return _krb5_get_host_realm_int(context, server->name.name_string.val[1],
-                                   FALSE, realms) == 0;
+
+    kdc_log(context, config, 0, "Searching referral for %s", name);
+
+    return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
 }
 
 static krb5_error_code
-tgs_parse_request(krb5_context context, 
+tgs_parse_request(krb5_context context,
                  krb5_kdc_configuration *config,
                  KDC_REQ_BODY *b,
                  const PA_DATA *tgs_req,
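Review bot: The single-component case in need_referral is dead code: the trailing `else` belongs to the `len > 1` test, so when `name_string.len == 1` the function assigns `name` and then falls into that `else` and returns FALSE. The second test should be chained as `else if (server->name.name_string.len > 1)`, which also guarantees the uninitialised `name` is set on every path that reaches the kdc_log call. Separately, once `options->canonicalize` is set the KRB5_NT_SRV_INST restriction no longer applies, so a host-realm lookup is now attempted for whatever name type the client asks to canonicalize; if that is intended it deserves a one-line comment saying so. tgs_parse_request's signature continues outside this hunk.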
@@ -1041,7 +1063,7 @@ tgs_parse_request(krb5_context context,
     memset(&ap_req, 0, sizeof(ap_req));
     ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
     if(ret){
-       kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", 
+       kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
                krb5_get_err_text(context, ret));
        goto out;
     }
@@ -1052,12 +1074,12 @@ tgs_parse_request(krb5_context context,
        ret = KRB5KDC_ERR_POLICY; /* ? */
        goto out;
     }
-    
+
     _krb5_principalname2krb5_principal(context,
                                       &princ,
                                       ap_req.ticket.sname,
                                       ap_req.ticket.realm);
-    
+
     ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
 
     if(ret) {
@@ -1074,8 +1096,8 @@ tgs_parse_request(krb5_context context,
        ret = KRB5KRB_AP_ERR_NOT_US;
        goto out;
     }
-    
-    if(ap_req.ticket.enc_part.kvno && 
+
+    if(ap_req.ticket.enc_part.kvno &&
        *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
        char *p;
 
@@ -1084,7 +1106,7 @@ tgs_parse_request(krb5_context context,
        if (ret != 0)
            p = "<unparse_name failed>";
        kdc_log(context, config, 0,
-               "Ticket kvno = %d, DB kvno = %d (%s)", 
+               "Ticket kvno = %d, DB kvno = %d (%s)",
                *ap_req.ticket.enc_part.kvno,
                (*krbtgt)->entry.kvno,
                p);
@@ -1096,7 +1118,7 @@ tgs_parse_request(krb5_context context,
 
     *krbtgt_etype = ap_req.ticket.enc_part.etype;
 
-    ret = hdb_enctype2key(context, &(*krbtgt)->entry, 
+    ret = hdb_enctype2key(context, &(*krbtgt)->entry,
                          ap_req.ticket.enc_part.etype, &tkey);
     if(ret){
        char *str = NULL, *p = NULL;
@@ -1112,7 +1134,7 @@ tgs_parse_request(krb5_context context,
        ret = KRB5KRB_AP_ERR_BADKEYVER;
        goto out;
     }
-    
+
     if (b->kdc_options.validate)
        verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
     else
@@ -1127,10 +1149,10 @@ tgs_parse_request(krb5_context context,
                              &ap_req_options,
                              ticket,
                              KRB5_KU_TGS_REQ_AUTH);
-                            
+                       
     krb5_free_principal(context, princ);
     if(ret) {
-       kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", 
+       kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
                krb5_get_err_text(context, ret));
        goto out;
     }
@@ -1158,7 +1180,7 @@ tgs_parse_request(krb5_context context,
        }
     }
 
-    ret = tgs_check_authenticator(context, config, 
+    ret = tgs_check_authenticator(context, config,
                                  ac, b, e_text, &(*ticket)->ticket.key);
     if (ret) {
        krb5_auth_con_free(context, ac);
@@ -1175,7 +1197,7 @@ tgs_parse_request(krb5_context context,
                                            &subkey);
        if(ret){
            krb5_auth_con_free(context, ac);
-           kdc_log(context, config, 0, "Failed to get remote subkey: %s", 
+           kdc_log(context, config, 0, "Failed to get remote subkey: %s",
                    krb5_get_err_text(context, ret));
            goto out;
        }
@@ -1184,7 +1206,7 @@ tgs_parse_request(krb5_context context,
            ret = krb5_auth_con_getkey(context, ac, &subkey);
            if(ret) {
                krb5_auth_con_free(context, ac);
-               kdc_log(context, config, 0, "Failed to get session key: %s", 
+               kdc_log(context, config, 0, "Failed to get session key: %s",
                        krb5_get_err_text(context, ret));
                goto out;
            }
@@ -1211,7 +1233,7 @@ tgs_parse_request(krb5_context context,
        krb5_crypto_destroy(context, crypto);
        if(ret){
            krb5_auth_con_free(context, ac);
-           kdc_log(context, config, 0, 
+           kdc_log(context, config, 0,
                    "Failed to decrypt enc-authorization-data");
            ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
            goto out;
@@ -1235,17 +1257,95 @@ tgs_parse_request(krb5_context context,
     }
 
     krb5_auth_con_free(context, ac);
-    
+
 out:
     free_AP_REQ(&ap_req);
-    
+
     return ret;
 }
 
 static krb5_error_code
-tgs_build_reply(krb5_context context, 
+build_server_referral(krb5_context context,
+                     krb5_kdc_configuration *config,
+                     krb5_crypto session,
+                     krb5_const_realm referred_realm,
+                     const PrincipalName *true_principal_name,
+                     const PrincipalName *requested_principal,
+                     krb5_data *outdata)
+{              
+    PA_ServerReferralData ref;
+    krb5_error_code ret;
+    EncryptedData ed;
+    krb5_data data;
+    size_t size;
+
+    memset(&ref, 0, sizeof(ref));
+
+    if (referred_realm) {
+       ref.referred_realm = malloc(sizeof(ref.referred_realm));
+       if (ref.referred_realm == NULL)
+           goto eout;
+       *ref.referred_realm = strdup(referred_realm);
+       if (*ref.referred_realm == NULL)
+           goto eout;
+    }
+    if (true_principal_name) {
+       ref.true_principal_name =
+           malloc(sizeof(ref.true_principal_name));
+       if (ref.true_principal_name == NULL)
+           goto eout;
+       ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
+       if (ret)
+           goto eout;
+    }
+    if (requested_principal) {
+       ref.requested_principal_name =
+           malloc(sizeof(ref.requested_principal_name));
+       if (ref.requested_principal_name == NULL)
+           goto eout;
+       ret = copy_PrincipalName(requested_principal,
+                                ref.requested_principal_name);
+       if (ret)
+           goto eout;
+    }
+
+    ASN1_MALLOC_ENCODE(PA_ServerReferralData,
+                      data.data, data.length,
+                      &ref, &size, ret);
+    free_PA_ServerReferralData(&ref);
+    if (ret)
+       return ret;
+    if (data.length != size)
+       krb5_abortx(context, "internal asn.1 encoder error");
+
+    ret = krb5_encrypt_EncryptedData(context, session,
+                                    KRB5_KU_PA_SERVER_REFERRAL,
+                                    data.data, data.length,
+                                    0 /* kvno */, &ed);
+    free(data.data);
+    if (ret)
+       return ret;
+
+    ASN1_MALLOC_ENCODE(EncryptedData,
+                      outdata->data, outdata->length,
+                      &ed, &size, ret);
+    free_EncryptedData(&ed);
+    if (ret)
+       return ret;
+    if (outdata->length != size)
+       krb5_abortx(context, "internal asn.1 encoder error");
+
+    return 0;
+eout:
+    free_PA_ServerReferralData(&ref);
+    krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+    return ENOMEM;
+}
+
+static krb5_error_code
+tgs_build_reply(krb5_context context,
                krb5_kdc_configuration *config,
-               KDC_REQ *req, 
+               KDC_REQ *req,
                KDC_REQ_BODY *b,
                hdb_entry_ex *krbtgt,
                krb5_enctype krbtgt_etype,
@@ -1253,7 +1353,7 @@ tgs_build_reply(krb5_context context,
                krb5_data *reply,
                const char *from,
                const char **e_text,
-               AuthorizationData *auth_data,
+               AuthorizationData **auth_data,
                const struct sockaddr *from_addr,
                int datagram_reply)
 {
@@ -1262,6 +1362,7 @@ tgs_build_reply(krb5_context context,
     krb5_principal client_principal = NULL;
     char *spn = NULL, *cpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL;
+    krb5_realm ref_realm = NULL;
     EncTicketPart *tgt = &ticket->ticket;
     KRB5SignedPathPrincipals *spp = NULL;
     const EncryptionKey *ekey;
@@ -1270,16 +1371,19 @@ tgs_build_reply(krb5_context context,
     krb5_data rspac;
     int cross_realm = 0;
 
+    METHOD_DATA enc_pa_data;
+
     PrincipalName *s;
     Realm r;
     int nloop = 0;
     EncTicketPart adtkt;
     char opt_str[128];
-    int require_signedpath = 0;
+    int signedpath = 0;
 
     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
     krb5_data_zero(&rspac);
+    memset(&enc_pa_data, 0, sizeof(enc_pa_data));
 
     s = b->sname;
     r = b->realm;
@@ -1289,8 +1393,8 @@ tgs_build_reply(krb5_context context,
        hdb_entry_ex *uu;
        krb5_principal p;
        Key *uukey;
-           
-       if(b->additional_tickets == NULL || 
+       
+       if(b->additional_tickets == NULL ||
           b->additional_tickets->len == 0){
            ret = KRB5KDC_ERR_BADOPTION; /* ? */
            kdc_log(context, config, 0,
@@ -1305,8 +1409,8 @@ tgs_build_reply(krb5_context context,
            goto out;
        }
        _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
-       ret = _kdc_db_fetch(context, config, p, 
-                           HDB_F_GET_CLIENT|HDB_F_GET_SERVER, 
+       ret = _kdc_db_fetch(context, config, p,
+                           HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
                            NULL, &uu);
        krb5_free_principal(context, p);
        if(ret){
@@ -1314,7 +1418,7 @@ tgs_build_reply(krb5_context context,
                ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
            goto out;
        }
-       ret = hdb_enctype2key(context, &uu->entry, 
+       ret = hdb_enctype2key(context, &uu->entry,
                              t->enc_part.etype, &uukey);
        if(ret){
            _kdc_free_ent(context, uu);
@@ -1347,7 +1451,7 @@ tgs_build_reply(krb5_context context,
                   opt_str, sizeof(opt_str));
     if(*opt_str)
        kdc_log(context, config, 0,
-               "TGS-REQ %s from %s for %s [%s]", 
+               "TGS-REQ %s from %s for %s [%s]",
                cpn, from, spn, opt_str);
     else
        kdc_log(context, config, 0,
@@ -1370,20 +1474,23 @@ server_lookup:
                new_rlm = find_rpath(context, tgt->crealm, req_rlm);
                if(new_rlm) {
                    kdc_log(context, config, 5, "krbtgt for realm %s "
-                           "not found, trying %s", 
+                           "not found, trying %s",
                            req_rlm, new_rlm);
                    krb5_free_principal(context, sp);
                    free(spn);
-                   krb5_make_principal(context, &sp, r, 
+                   krb5_make_principal(context, &sp, r,
                                        KRB5_TGS_NAME, new_rlm, NULL);
                    ret = krb5_unparse_name(context, sp, &spn); 
                    if (ret)
                        goto out;
-                   auth_data = NULL; /* ms don't handle AD in referals */
+
+                   if (ref_realm)
+                       free(ref_realm);
+                   ref_realm = strdup(new_rlm);
                    goto server_lookup;
                }
            }
-       } else if(need_referral(context, sp, &realms)) {
+       } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
            if (strcmp(realms[0], sp->realm) != 0) {
                kdc_log(context, config, 5,
                        "Returning a referral to realm %s for "
@@ -1396,8 +1503,12 @@ server_lookup:
                ret = krb5_unparse_name(context, sp, &spn);
                if (ret)
                    goto out;
+
+               if (ref_realm)
+                   free(ref_realm);
+               ref_realm = strdup(realms[0]);
+
                krb5_free_host_realm(context, realms);
-               auth_data = NULL; /* ms don't handle AD in referals */
                goto server_lookup;
            }
            krb5_free_host_realm(context, realms);
@@ -1412,7 +1523,7 @@ server_lookup:
 
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
     if(ret) {
-       const char *krbtgt_realm; 
+       const char *krbtgt_realm;
 
        /*
         * If the client belongs to the same realm as our krbtgt, it
@@ -1420,8 +1531,8 @@ server_lookup:
         *
         */
 
-       krbtgt_realm = 
-           krb5_principal_get_comp_string(context, 
+       krbtgt_realm =
+           krb5_principal_get_comp_string(context,
                                           krbtgt->entry.principal, 1);
 
        if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
@@ -1437,16 +1548,60 @@ server_lookup:
 
        cross_realm = 1;
     }
-    
+
+    /*
+     * Select enctype, return key and kvno.
+     */
+
+    {
+       krb5_enctype etype;
+
+       if(b->kdc_options.enc_tkt_in_skey) {
+           int i;
+           ekey = &adtkt.key;
+           for(i = 0; i < b->etype.len; i++)
+               if (b->etype.val[i] == adtkt.key.keytype)
+                   break;
+           if(i == b->etype.len) {
+               kdc_log(context, config, 0,
+                       "Addition ticket have not matching etypes", spp);
+               krb5_clear_error_string(context);
+               return KRB5KDC_ERR_ETYPE_NOSUPP;
+           }
+           etype = b->etype.val[i];
+           kvno = 0;
+       } else {
+           Key *skey;
+       
+           ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
+                                 &skey, &etype);
+           if(ret) {
+               kdc_log(context, config, 0,
+                       "Server (%s) has no support for etypes", spn);
+               return ret;
+           }
+           ekey = &skey->key;
+           kvno = server->entry.kvno;
+       }
+       
+       ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
+       if (ret)
+           goto out;
+    }
+
+    /*
+     * Validate authoriation data
+     */
+
     /*
      * Check that service is in the same realm as the krbtgt. If it's
      * not the same, it's someone that is using a uni-directional trust
      * backward.
      */
-    
+
     if (strcmp(krb5_principal_get_realm(context, sp),
-              krb5_principal_get_comp_string(context, 
-                                             krbtgt->entry.principal, 
+              krb5_principal_get_comp_string(context,
+                                             krbtgt->entry.principal,
                                              1)) != 0) {
        char *tpn;
        ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
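Review bot: The two `return` statements inside the moved enctype-selection block leave tgs_build_reply without passing through `out:`, so `spn`, `cpn`, `server`, `client`, `cp`, `sp` and `adtkt` are all leaked on the KRB5KDC_ERR_ETYPE_NOSUPP and _kdc_find_etype failure paths; the returns predate the move (they are visible in the removed copy further down), but relocating the block is the moment to change them to `ret = KRB5KDC_ERR_ETYPE_NOSUPP; goto out;` and `goto out;`. The kdc_log call in the enc_tkt_in_skey branch passes `spp` as a trailing argument although the format string has no conversion for it; drop the argument and reword the message to `"Additional ticket has no matching etypes"`. Nit: the new comment should read `Validate authorization data`. tgs_build_reply starts and ends outside this hunk.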
@@ -1459,8 +1614,45 @@ server_lookup:
        goto out;
     }
 
+    /* check PAC if not cross realm and if there is one */
+    if (!cross_realm) {
+       Key *tkey;
+
+       ret = hdb_enctype2key(context, &krbtgt->entry,
+                             krbtgt_etype, &tkey);
+       if(ret) {
+           kdc_log(context, config, 0,
+                   "Failed to find key for krbtgt PAC check");
+           goto out;
+       }
+
+       ret = check_PAC(context, config, cp,
+                       client, server, ekey, &tkey->key,
+                       tgt, &rspac, &signedpath);
+       if (ret) {
+           kdc_log(context, config, 0,
+                   "Verify PAC failed for %s (%s) from %s with %s",
+                   spn, cpn, from, krb5_get_err_text(context, ret));
+           goto out;
+       }
+    }
+
+    /* also check the krbtgt for signature */
+    ret = check_KRB5SignedPath(context,
+                              config,
+                              krbtgt,
+                              tgt,
+                              &spp,
+                              &signedpath);
+    if (ret) {
+       kdc_log(context, config, 0,
+               "KRB5SignedPath check failed for %s (%s) from %s with %s",
+               spn, cpn, from, krb5_get_err_text(context, ret));
+       goto out;
+    }
+
     /*
-     *
+     * Process request
      */
 
     client_principal = cp;
@@ -1477,7 +1669,7 @@ server_lookup:
            char *selfcpn = NULL;
            const char *str;
 
-           ret = decode_PA_S4U2Self(sdata->padata_value.data, 
+           ret = decode_PA_S4U2Self(sdata->padata_value.data,
                                     sdata->padata_value.length,
                                     &self, NULL);
            if (ret) {
@@ -1501,14 +1693,14 @@ server_lookup:
            ret = krb5_verify_checksum(context,
                                       crypto,
                                       KRB5_KU_OTHER_CKSUM,
-                                      datack.data, 
-                                      datack.length, 
+                                      datack.data,
+                                      datack.length,
                                       &self.cksum);
            krb5_data_free(&datack);
            krb5_crypto_destroy(context, crypto);
            if (ret) {
                free_PA_S4U2Self(&self);
-               kdc_log(context, config, 0, 
+               kdc_log(context, config, 0,
                        "krb5_verify_checksum failed for S4U2Self: %s",
                        krb5_get_err_text(context, ret));
                goto out;
@@ -1566,13 +1758,26 @@ server_lookup:
        && b->additional_tickets->len != 0
        && b->kdc_options.enc_tkt_in_skey == 0)
     {
+       int ad_signedpath = 0;
        Key *clientkey;
        Ticket *t;
        char *str;
 
+       /*
+        * Require that the KDC have issued the service's krbtgt (not
+        * self-issued ticket with kimpersonate(1).
+        */
+       if (!signedpath) {
+           ret = KRB5KDC_ERR_BADOPTION;
+           kdc_log(context, config, 0,
+                   "Constrained delegation done on service ticket %s/%s",
+                   cpn, spn);
+           goto out;
+       }
+
        t = &b->additional_tickets->val[0];
 
-       ret = hdb_enctype2key(context, &client->entry, 
+       ret = hdb_enctype2key(context, &client->entry,
                              t->enc_part.etype, &clientkey);
        if(ret){
            ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
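Review bot: The new comment above the `if (!signedpath)` check has an unbalanced parenthesis and a tense slip; suggest `* Require that the KDC has issued the service's krbtgt (not a` followed by `* self-issued ticket made with kimpersonate(1)).`. The enclosing constrained-delegation `if` opens in this hunk but its body continues past it.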
@@ -1588,19 +1793,18 @@ server_lookup:
        }
 
        /* check that ticket is valid */
-
        if (adtkt.flags.forwardable == 0) {
            kdc_log(context, config, 0,
                    "Missing forwardable flag on ticket for "
                    "constrained delegation from %s to %s ", spn, cpn);
-           ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+           ret = KRB5KDC_ERR_BADOPTION;
            goto out;
        }
 
        ret = check_constrained_delegation(context, config, client, sp);
        if (ret) {
            kdc_log(context, config, 0,
-                   "constrained delegation from %s to %s not allowed", 
+                   "constrained delegation from %s to %s not allowed",
                    spn, cpn);
            goto out;
        }
@@ -1623,16 +1827,16 @@ server_lookup:
        }
 
        /*
-        * Check KRB5SignedPath in authorization data and add new entry to
-        * make sure servers can't fake a ticket to us.
+        * Check that the KDC issued the user's ticket.
         */
-
        ret = check_KRB5SignedPath(context,
                                   config,
                                   krbtgt,
                                   &adtkt,
-                                  &spp,
-                                  1);
+                                  NULL,
+                                  &ad_signedpath);
+       if (ret == 0 && !ad_signedpath)
+           ret = KRB5KDC_ERR_BADOPTION;
        if (ret) {
            kdc_log(context, config, 0,
                    "KRB5SignedPath check from service %s failed "
@@ -1646,27 +1850,21 @@ server_lookup:
        kdc_log(context, config, 0, "constrained delegation for %s "
                "from %s to %s", str, cpn, spn);
        free(str);
-
-       /* 
-        * Also require that the KDC have issue the service's krbtgt
-        * used to do the request. 
-        */
-       require_signedpath = 1;
     }
 
     /*
      * Check flags
      */
 
-    ret = _kdc_check_flags(context, config, 
+    ret = _kdc_check_flags(context, config,
                           client, cpn,
                           server, spn,
                           FALSE);
     if(ret)
        goto out;
 
-    if((b->kdc_options.validate || b->kdc_options.renew) && 
-       !krb5_principal_compare(context, 
+    if((b->kdc_options.validate || b->kdc_options.renew) &&
+       !krb5_principal_compare(context,
                               krbtgt->entry.principal,
                               server->entry.principal)){
        kdc_log(context, config, 0, "Inconsistent request.");
@@ -1682,108 +1880,68 @@ server_lookup:
     }
        
     /*
-     * Select enctype, return key and kvno.
+     * If this is an referral, add server referral data to the
+     * auth_data reply .
      */
+    if (ref_realm) {
+       PA_DATA pa;
+       krb5_crypto crypto;
 
-    {
-       krb5_enctype etype;
+       kdc_log(context, config, 0,
+               "Adding server referral to %s", ref_realm);
 
-       if(b->kdc_options.enc_tkt_in_skey) {
-           int i;
-           ekey = &adtkt.key;
-           for(i = 0; i < b->etype.len; i++)
-               if (b->etype.val[i] == adtkt.key.keytype)
-                   break;
-           if(i == b->etype.len) {
-               krb5_clear_error_string(context);
-               return KRB5KDC_ERR_ETYPE_NOSUPP;
-           }
-           etype = b->etype.val[i];
-           kvno = 0;
-       } else {
-           Key *skey;
-           
-           ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
-                                 &skey, &etype);
-           if(ret) {
-               kdc_log(context, config, 0, 
-                       "Server (%s) has no support for etypes", spp);
-               return ret;
-           }
-           ekey = &skey->key;
-           kvno = server->entry.kvno;
-       }
-       
-       ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
+       ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
        if (ret)
            goto out;
-    }
-
-    /* check PAC if not cross realm and if there is one */
-    if (!cross_realm) {
-       Key *tkey;
 
-       ret = hdb_enctype2key(context, &krbtgt->entry, 
-                             krbtgt_etype, &tkey);
-       if(ret) {
+       ret = build_server_referral(context, config, crypto, ref_realm,
+                                   NULL, s, &pa.padata_value);
+       krb5_crypto_destroy(context, crypto);
+       if (ret) {
            kdc_log(context, config, 0,
-                   "Failed to find key for krbtgt PAC check");
+                   "Failed building server referral");
            goto out;
        }
+       pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
 
-       ret = check_PAC(context, config, client_principal, 
-                       client, server, ekey, &tkey->key,
-                       tgt, &rspac, &require_signedpath);
+       ret = add_METHOD_DATA(&enc_pa_data, &pa);
+       krb5_data_free(&pa.padata_value);
        if (ret) {
            kdc_log(context, config, 0,
-                   "Verify PAC failed for %s (%s) from %s with %s",
-                   spn, cpn, from, krb5_get_err_text(context, ret));
+                   "Add server referral METHOD-DATA failed");
            goto out;
        }
     }
 
-    /* also check the krbtgt for signature */
-    ret = check_KRB5SignedPath(context,
-                              config,
-                              krbtgt,
-                              tgt,
-                              &spp,
-                              require_signedpath);
-    if (ret) {
-       kdc_log(context, config, 0,
-               "KRB5SignedPath check failed for %s (%s) from %s with %s",
-               spn, cpn, from, krb5_get_err_text(context, ret));
-       goto out;
-    }
-
     /*
      *
      */
 
     ret = tgs_make_reply(context,
-                        config, 
-                        b, 
+                        config,
+                        b,
                         client_principal,
-                        tgt, 
+                        tgt,
                         ekey,
                         &sessionkey,
                         kvno,
-                        auth_data,
-                        server, 
+                        *auth_data,
+                        server,
                         spn,
-                        client, 
-                        cp, 
-                        krbtgt, 
+                        client,
+                        cp,
+                        krbtgt,
                         krbtgt_etype,
                         spp,
                         &rspac,
+                        &enc_pa_data,
                         e_text,
                         reply);
        
 out:
     free(spn);
     free(cpn);
-           
+       
     krb5_data_free(&rspac);
     krb5_free_keyblock_contents(context, &sessionkey);
     if(server)
@@ -1797,6 +1955,9 @@ out:
        krb5_free_principal(context, cp);
     if (sp)
        krb5_free_principal(context, sp);
+    if (ref_realm)
+       free(ref_realm);
+    free_METHOD_DATA(&enc_pa_data);
 
     free_EncTicketPart(&adtkt);
 
@@ -1808,9 +1969,9 @@ out:
  */
 
 krb5_error_code
-_kdc_tgs_rep(krb5_context context, 
+_kdc_tgs_rep(krb5_context context,
             krb5_kdc_configuration *config,
-            KDC_REQ *req, 
+            KDC_REQ *req,
             krb5_data *data,
             const char *from,
             struct sockaddr *from_addr,
@@ -1835,17 +1996,17 @@ _kdc_tgs_rep(krb5_context context,
                "TGS-REQ from %s without PA-DATA", from);
        goto out;
     }
-    
+
     tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
 
     if(tgs_req == NULL){
        ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
        
-       kdc_log(context, config, 0, 
+       kdc_log(context, config, 0,
                "TGS-REQ from %s without PA-TGS-REQ", from);
        goto out;
     }
-    ret = tgs_parse_request(context, config, 
+    ret = tgs_parse_request(context, config,
                            &req->req_body, tgs_req,
                            &krbtgt,
                            &krbtgt_etype,
@@ -1855,7 +2016,7 @@ _kdc_tgs_rep(krb5_context context,
                            &csec, &cusec,
                            &auth_data);
     if (ret) {
-       kdc_log(context, config, 0, 
+       kdc_log(context, config, 0,
                "Failed parsing TGS-REQ from %s", from);
        goto out;
     }
@@ -1870,11 +2031,11 @@ _kdc_tgs_rep(krb5_context context,
                          data,
                          from,
                          &e_text,
-                         auth_data,
+                         &auth_data,
                          from_addr,
                          datagram_reply);
     if (ret) {
-       kdc_log(context, config, 0, 
+       kdc_log(context, config, 0,
                "Failed building TGS-REP to %s", from);
        goto out;
     }
index b1b861efef88efe507e624119d595669a32a1dee..8f117cebc0507b03d0b46ef07d10c1f288b5c666 100644 (file)
@@ -36,7 +36,7 @@
 #include <rfc2459_asn1.h>
 #include <hx509.h>
 
-RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
+RCSID("$Id: kx509.c 23316 2008-06-23 04:32:32Z lha $");
 
 /*
  *
@@ -67,8 +67,9 @@ verify_req_hash(krb5_context context,
     HMAC_CTX ctx;
     
     if (req->pk_hash.length != sizeof(digest)) {
-       krb5_set_error_string(context, "pk-hash have wrong length: %lu",
-                             (unsigned long)req->pk_hash.length);
+       krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+                              "pk-hash have wrong length: %lu",
+                              (unsigned long)req->pk_hash.length);
        return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 
@@ -84,7 +85,8 @@ verify_req_hash(krb5_context context,
     HMAC_CTX_cleanup(&ctx);
 
     if (memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
-       krb5_set_error_string(context, "pk-hash is not correct");
+       krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+                              "pk-hash is not correct");
        return KRB5KDC_ERR_PREAUTH_FAILED;
     }
     return 0;
@@ -106,7 +108,7 @@ calculate_reply_hash(krb5_context context,
     rep->hash->data = malloc(rep->hash->length);
     if (rep->hash->data == NULL) {
        HMAC_CTX_cleanup(&ctx);
-       krb5_set_error_string(context, "out of memory");
+       krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
     }
 
@@ -157,12 +159,8 @@ build_certificate(krb5_context context,
     ret = hx509_context_init(&hxctx);
     if (ret)
        goto out;
-
-    ret = hx509_env_init(hxctx, &env);
-    if (ret)
-       goto out;
-
-    ret = hx509_env_add(hxctx, env, "principal-name", 
+    
+    ret = hx509_env_add(hxctx, &env, "principal-name", 
                        krb5_principal_get_comp_string(context, principal, 0));
     if (ret)
        goto out;
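Review bot: With the hx509_env_init call removed, hx509_env_add is now handed `&env` and presumably needs `env` to start out NULL to create a fresh environment; the declaration is outside this hunk, so confirm it is initialised at declaration (`hx509_env env = NULL;`) rather than left indeterminate, and that the `out:` cleanup still releases it with the matching hx509_env_free. build_certificate starts and ends outside this hunk.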
@@ -280,7 +278,7 @@ out:
        hx509_cert_free(signer);
     if (hxctx)
        hx509_context_free(&hxctx);
-    krb5_set_error_string(context, "cert creation failed");
+    krb5_set_error_message(context, ret, "cert creation failed");
     return ret;
 }
 
@@ -358,16 +356,18 @@ _kdc_do_kx509(krb5_context context,
        krb5_free_principal(context, principal);
        if (ret != TRUE) {
            ret = KRB5KDC_ERR_SERVER_NOMATCH;
-           krb5_set_error_string(context, 
-                                 "User %s used wrong Kx509 service principal",
-                                 cname);
+           krb5_set_error_message(context, ret,
+                                  "User %s used wrong Kx509 service principal",
+                                  cname);
            goto out;
        }
     }
     
     ret = krb5_auth_con_getkey(context, ac, &key);
-    if (ret || key == NULL) {
-       krb5_set_error_string(context, "Kx509 can't get session key");
+    if (ret == 0 && key == NULL)
+       ret = KRB5KDC_ERR_NULL_KEY;
+    if (ret) {
+       krb5_set_error_message(context, ret, "Kx509 can't get session key");
        goto out;
     }
     
@@ -418,7 +418,7 @@ _kdc_do_kx509(krb5_context context,
        ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, &rep,
                           &size, ret);
        if (ret) {
-           krb5_set_error_string(context, "Failed to encode kx509 reply");
+           krb5_set_error_message(context, ret, "Failed to encode kx509 reply");
            goto out;
        }
        if (size != data.length)
index 072df44042979c06116d83fcfb0ec4b6fc9fac6c..528b9e6a3b674220731463f2a9fc0d13332177b6 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: misc.c 21106 2007-06-18 10:18:11Z lha $");
+RCSID("$Id: misc.c 23316 2008-06-23 04:32:32Z lha $");
 
 struct timeval _kdc_now;
 
@@ -51,7 +51,7 @@ _kdc_db_fetch(krb5_context context,
 
     ent = calloc (1, sizeof (*ent));
     if (ent == NULL) {
-       krb5_set_error_string(context, "out of memory");
+       krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
     }
 
@@ -76,8 +76,8 @@ _kdc_db_fetch(krb5_context context,
        }
     }
     free(ent);
-    krb5_set_error_string(context, "no such entry found in hdb");
-    return  HDB_ERR_NOENTRY;
+    krb5_set_error_message(context, HDB_ERR_NOENTRY, "no such entry found in hdb");
+    return HDB_ERR_NOENTRY;
 }
 
 void
@@ -116,7 +116,8 @@ _kdc_get_preferred_key(krb5_context context,
        }
     }
 
-    krb5_set_error_string(context, "No valid kerberos key found for %s", name);
+    krb5_set_error_message(context, EINVAL, 
+                          "No valid kerberos key found for %s", name);
     return EINVAL;
 }
 
index bf248af588fcbbb81d6ae7abfeabfcec81c551cc..9f6d57f588feae5661a39c3d1eaad1979e3a0e67 100755 (executable)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
+RCSID("$Id: pkinit.c 23316 2008-06-23 04:32:32Z lha $");
 
 #ifdef PKINIT
 
@@ -45,23 +45,8 @@ RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
 #include <hx509.h>
 #include "crypto-headers.h"
 
-/* XXX copied from lib/krb5/pkinit.c */
-struct krb5_pk_identity {
-    hx509_context hx509ctx;
-    hx509_verify_ctx verify_ctx;
-    hx509_certs certs;
-    hx509_certs anchors;
-    hx509_certs certpool;
-    hx509_revoke_ctx revoke;
-};
-
-enum pkinit_type {
-    PKINIT_COMPAT_WIN2K = 1,
-    PKINIT_COMPAT_27 = 3
-};
-
 struct pk_client_params {
-    enum pkinit_type type;
+    enum krb5_pk_type type;
     BIGNUM *dh_public_key;
     hx509_cert cert;
     unsigned nonce;
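Review bot: Dropping the local copy of `struct krb5_pk_identity` and `enum pkinit_type` in favour of `enum krb5_pk_type` makes this file depend on libkrb5's private PKINIT definitions, and the hunk does not show which header now supplies them; please confirm `kdc_locl.h` or the includes above pull in the libkrb5 header that declares `krb5_pk_identity` and `krb5_pk_type`, since `kdc_identity->verify_ctx` and `->hx509ctx` are dereferenced further down. Removing the duplicated struct is the right direction: a layout drift between the two copies would have silently misread the identity. A one-line comment such as `/* krb5_pk_identity and krb5_pk_type are libkrb5's private definitions */` next to the struct would record where the definition now lives.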
@@ -202,13 +187,13 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
     memset(&key, 0, sizeof(key));
 
     if (!DH_generate_key(client_params->dh)) {
-       krb5_set_error_string(context, "Can't generate Diffie-Hellman keys");
        ret = KRB5KRB_ERR_GENERIC;
+       krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys");
        goto out;
     }
     if (client_params->dh_public_key == NULL) {
-       krb5_set_error_string(context, "dh_public_key");
        ret = KRB5KRB_ERR_GENERIC;
+       krb5_set_error_message(context, ret, "dh_public_key");
        goto out;
     }
 
@@ -219,8 +204,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
 
     dh_gen_key = malloc(size);
     if (dh_gen_key == NULL) {
-       krb5_set_error_string(context, "malloc: out of memory");
        ret = ENOMEM;
+       krb5_set_error_message(context, ret, "malloc: out of memory");
        goto out;
     }
     memset(dh_gen_key, 0, size - dh_gen_keylen);
@@ -229,8 +214,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
                                   client_params->dh_public_key,
                                   client_params->dh);
     if (dh_gen_keylen == -1) {
-       krb5_set_error_string(context, "Can't compute Diffie-Hellman key");
        ret = KRB5KRB_ERR_GENERIC;
+       krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key");
        goto out;
     }
 
@@ -256,7 +241,8 @@ integer_to_BN(krb5_context context, const char *field, heim_integer *f)
 
     bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
     if (bn == NULL) {
-       krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
+       krb5_set_error_message(context, KRB5_BADMSGTYPE,
+                              "PKINIT: parsing BN failed %s", field);
        return NULL;
     }
     BN_set_negative(bn, f->negative);
@@ -276,13 +262,14 @@ get_dh_param(krb5_context context,
     memset(&dhparam, 0, sizeof(dhparam));
 
     if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
-       krb5_set_error_string(context,
-                             "PKINIT invalid oid in clientPublicValue");
+       krb5_set_error_message(context, KRB5_BADMSGTYPE,
+                              "PKINIT invalid oid in clientPublicValue");
        return KRB5_BADMSGTYPE;
     }
 
     if (dh_key_info->algorithm.parameters == NULL) {
-       krb5_set_error_string(context, "PKINIT missing algorithm parameter "
+       krb5_set_error_message(context, KRB5_BADMSGTYPE,
+                              "PKINIT missing algorithm parameter "
                              "in clientPublicValue");
        return KRB5_BADMSGTYPE;
     }
@@ -292,15 +279,16 @@ get_dh_param(krb5_context context,
                                  &dhparam,
                                  NULL);
     if (ret) {
-       krb5_set_error_string(context, "Can't decode algorithm "
-                             "parameters in clientPublicValue");
+       krb5_set_error_message(context, ret, "Can't decode algorithm "
+                              "parameters in clientPublicValue");
        goto out;
     }
 
     if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
        ret = KRB5_BADMSGTYPE;
-       krb5_set_error_string(context, "PKINIT: subjectPublicKey not aligned "
-                             "to 8 bit boundary");
+       krb5_set_error_message(context, ret,
+                              "PKINIT: subjectPublicKey not aligned "
+                              "to 8 bit boundary");
        goto out;
     }
 
@@ -315,8 +303,8 @@ get_dh_param(krb5_context context,
 
     dh = DH_new();
     if (dh == NULL) {
-       krb5_set_error_string(context, "Cannot create DH structure");
        ret = ENOMEM;
+       krb5_set_error_message(context, ret, "Cannot create DH structure");
        goto out;
     }
     ret = KRB5_BADMSGTYPE;
@@ -347,8 +335,10 @@ get_dh_param(krb5_context context,
                                                     "subjectPublicKey",
                                                     &glue);
        der_free_heim_integer(&glue);
-       if (client_params->dh_public_key == NULL)
+       if (client_params->dh_public_key == NULL) {
+           ret = KRB5_BADMSGTYPE;
            goto out;
+       }
     }
 
     client_params->dh = dh;
@@ -385,7 +375,7 @@ _kdc_pk_rd_padata(krb5_context context,
        return 0;
     }
 
-    hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
+    hx509_verify_set_time(kdc_identity->verify_ctx, kdc_time);
 
     client_params = calloc(1, sizeof(*client_params));
     if (client_params == NULL) {
@@ -404,8 +394,8 @@ _kdc_pk_rd_padata(krb5_context context,
                                        &r,
                                        NULL);
        if (ret) {
-           krb5_set_error_string(context, "Can't decode "
-                                 "PK-AS-REQ-Win2k: %d", ret);
+           krb5_set_error_message(context, ret, "Can't decode "
+                                  "PK-AS-REQ-Win2k: %d", ret);
            goto out;
        }
        
@@ -415,7 +405,8 @@ _kdc_pk_rd_padata(krb5_context context,
                                           &have_data);
        free_PA_PK_AS_REQ_Win2k(&r);
        if (ret) {
-           krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+           krb5_set_error_message(context, ret, 
+                                  "Can't decode PK-AS-REQ: %d", ret);
            goto out;
        }
 
@@ -429,7 +420,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                  &r,
                                  NULL);
        if (ret) {
-           krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+           krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret);
            goto out;
        }
        
@@ -443,7 +434,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                   0, NULL,
                                   &client_params->client_anchors);
            if (ret) {
-               krb5_set_error_string(context, "Can't allocate client anchors: %d", ret);
+               krb5_set_error_message(context, ret, "Can't allocate client anchors: %d", ret);
                goto out;
 
            }
@@ -458,7 +449,7 @@ _kdc_pk_rd_padata(krb5_context context,
 
                ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
                if (ret) {
-                   krb5_set_error_string(context, 
+                   krb5_set_error_message(context, ret,
                                          "Failed to allocate hx509_query");
                    goto out;
                }
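Review bot: The continuation argument `"Failed to allocate hx509_query"` is still aligned to the old, one-character-shorter `krb5_set_error_string(` call, so the format string no longer lines up under `context`; the same stale alignment is visible at the `"PK-AS-REQ-Win2k no signed auth pack"` line, the `"failed %d", ret);` context line under `encoding of Key ContentInfo`, the `"encode PA-PK-AS-REP-Win2k failed %d"` line and the `"PKINIT no matching principals for %s"` lines in _kdc_pk_check_client. Re-indent those continuations one column to the right to match the new call, as the other converted sites in pkinit.c already do.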
@@ -495,7 +486,8 @@ _kdc_pk_rd_padata(krb5_context context,
                                           &have_data);
        free_PA_PK_AS_REQ(&r);
        if (ret) {
-           krb5_set_error_string(context, "Can't unwrap ContentInfo: %d", ret);
+           krb5_set_error_message(context, ret, 
+                                  "Can't unwrap ContentInfo: %d", ret);
            goto out;
        }
 
@@ -507,16 +499,16 @@ _kdc_pk_rd_padata(krb5_context context,
 
     ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
     if (ret != 0) {
-       krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
-                             "type oid");
        ret = KRB5KRB_ERR_GENERIC;
+       krb5_set_error_message(context, ret, 
+                              "PK-AS-REQ-Win2k invalid content type oid");
        goto out;
     }
        
     if (!have_data) {
-       krb5_set_error_string(context,
-                             "PK-AS-REQ-Win2k no signed auth pack");
        ret = KRB5KRB_ERR_GENERIC;
+       krb5_set_error_message(context, ret,
+                             "PK-AS-REQ-Win2k no signed auth pack");
        goto out;
     }
 
@@ -551,8 +543,8 @@ _kdc_pk_rd_padata(krb5_context context,
     if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
        der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
     {
-       krb5_set_error_string(context, "got wrong oid for pkauthdata");
        ret = KRB5_BADMSGTYPE;
+       krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
        goto out;
     }
 
@@ -564,7 +556,7 @@ _kdc_pk_rd_padata(krb5_context context,
                                    &ap,
                                    NULL);
        if (ret) {
-           krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+           krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
            goto out;
        }
   
@@ -576,12 +568,12 @@ _kdc_pk_rd_padata(krb5_context context,
            goto out;
        }
 
-       client_params->type = PKINIT_COMPAT_WIN2K;
+       client_params->type = PKINIT_WIN2K;
        client_params->nonce = ap.pkAuthenticator.nonce;
 
        if (ap.clientPublicValue) {
-           krb5_set_error_string(context, "DH not supported for windows");
            ret = KRB5KRB_ERR_GENERIC;
+           krb5_set_error_message(context, ret, "DH not supported for windows");
            goto out;
        }
        free_AuthPack_Win2k(&ap);
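Review bot: The reordered `ret = KRB5KRB_ERR_GENERIC` branch for `ap.clientPublicValue` still jumps to `out` without releasing the decoded `AuthPack_Win2k`, whereas the success path frees it on the very next line; unless `out:` has access to `ap` (its declaration is outside the hunk), the decoded auth pack leaks for every Windows-style request that carries a DH value. Add `free_AuthPack_Win2k(&ap);` before that `goto out;`, as the RFC 4556 branch below already does with `free_AuthPack(&ap)` on its decode failure.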
@@ -594,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context,
                              &ap,
                              NULL);
        if (ret) {
-           krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+           krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
            free_AuthPack(&ap);
            goto out;
        }
@@ -607,7 +599,7 @@ _kdc_pk_rd_padata(krb5_context context,
            goto out;
        }
 
-       client_params->type = PKINIT_COMPAT_27;
+       client_params->type = PKINIT_27;
        client_params->nonce = ap.pkAuthenticator.nonce;
 
        if (ap.clientPublicValue) {
@@ -700,7 +692,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
      */
 
     switch (client_params->type) {
-    case PKINIT_COMPAT_WIN2K: {
+    case PKINIT_WIN2K: {
        int i = 0;
        if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
            && config->pkinit_require_binding == 0)
@@ -709,7 +701,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
        }
        break;
     }
-    case PKINIT_COMPAT_27:
+    case PKINIT_27:
        break;
     default:
        krb5_abortx(context, "internal pkinit error");
@@ -769,8 +761,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
        free_ReplyKeyPack(&kp);
     }
     if (ret) {
-       krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
-                             "failed (%d)", ret);
+       krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
+                              "failed (%d)", ret);
        goto out;
     }
     if (buf.length != size)
@@ -813,7 +805,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
     if (ret) 
        goto out;
 
-    if (client_params->type == PKINIT_COMPAT_WIN2K) {
+    if (client_params->type == PKINIT_WIN2K) {
        ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
                                         &signed_data,
                                         &buf);
@@ -874,9 +866,8 @@ pk_mk_pa_reply_dh(krb5_context context,
 
     ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
     if (ret) {
-       krb5_set_error_string(context, "ASN.1 encoding of "
-                             "DHPublicKey failed (%d)", ret);
-       krb5_clear_error_string(context);
+       krb5_set_error_message(context, ret, "ASN.1 encoding of "
+                              "DHPublicKey failed (%d)", ret);
        return ret;
     }
     if (buf.length != size)
@@ -890,8 +881,8 @@ pk_mk_pa_reply_dh(krb5_context context,
     ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, 
                       ret);
     if (ret) {
-       krb5_set_error_string(context, "ASN.1 encoding of "
-                             "KdcDHKeyInfo failed (%d)", ret);
+       krb5_set_error_message(context, ret, "ASN.1 encoding of "
+                              "KdcDHKeyInfo failed (%d)", ret);
        goto out;
     }
     if (buf.length != size)
@@ -990,15 +981,15 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                break;
        if (req->req_body.etype.len <= i) {
            ret = KRB5KRB_ERR_GENERIC;
-           krb5_set_error_string(context,
-                                 "No valid enctype available from client");
+           krb5_set_error_message(context, ret,
+                                  "No valid enctype available from client");
            goto out;
        }       
        enctype = req->req_body.etype.val[i];
     } else
        enctype = ETYPE_DES3_CBC_SHA1;
 
-    if (client_params->type == PKINIT_COMPAT_27) {
+    if (client_params->type == PKINIT_27) {
        PA_PK_AS_REP rep;
        const char *type, *other = "";
 
@@ -1035,8 +1026,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                               ret);
            free_ContentInfo(&info);
            if (ret) {
-               krb5_set_error_string(context, "encoding of Key ContentInfo "
-                                     "failed %d", ret);
+               krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
+                                      "failed %d", ret);
                free_PA_PK_AS_REP(&rep);
                goto out;
            }
@@ -1068,8 +1059,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                               ret);
            free_ContentInfo(&info);
            if (ret) {
-               krb5_set_error_string(context, "encoding of Key ContentInfo "
-                                     "failed %d", ret);
+               krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
+                                      "failed %d", ret);
                free_PA_PK_AS_REP(&rep);
                goto out;
            }
@@ -1085,8 +1076,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
        ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
        free_PA_PK_AS_REP(&rep);
        if (ret) {
-           krb5_set_error_string(context, "encode PA-PK-AS-REP failed %d",
-                                 ret);
+           krb5_set_error_message(context, ret, "encode PA-PK-AS-REP failed %d",
+                                  ret);
            goto out;
        }
        if (len != size)
@@ -1094,13 +1085,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 
        kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
 
-    } else if (client_params->type == PKINIT_COMPAT_WIN2K) {
+    } else if (client_params->type == PKINIT_WIN2K) {
        PA_PK_AS_REP_Win2k rep;
        ContentInfo info;
 
        if (client_params->dh) {
-           krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
            ret = KRB5KRB_ERR_GENERIC;
+           krb5_set_error_message(context, ret, "Windows PK-INIT doesn't support DH");
            goto out;
        }
 
@@ -1131,7 +1122,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                           ret);
        free_ContentInfo(&info);
        if (ret) {
-           krb5_set_error_string(context, "encoding of Key ContentInfo "
+           krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
                                  "failed %d", ret);
            free_PA_PK_AS_REP_Win2k(&rep);
            goto out;
@@ -1142,7 +1133,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
        ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
        free_PA_PK_AS_REP_Win2k(&rep);
        if (ret) {
-           krb5_set_error_string(context, 
+           krb5_set_error_message(context, ret,
                                  "encode PA-PK-AS-REP-Win2k failed %d", ret);
            goto out;
        }
@@ -1155,7 +1146,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 
     ret = krb5_padata_add(context, md, pa_type, buf, len);
     if (ret) {
-       krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
+       krb5_set_error_message(context, ret, "failed adding PA-PK-AS-REP %d", ret);
        free(buf);
        goto out;
     }
@@ -1229,8 +1220,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
                                  KRB5_PADATA_PA_PK_OCSP_RESPONSE,
                                  ocsp.data.data, ocsp.data.length);
            if (ret) {
-               krb5_set_error_string(context, 
-                                     "Failed adding OCSP response %d", ret);
+               krb5_set_error_message(context, ret,
+                                      "Failed adding OCSP response %d", ret);
                goto out;
            }
        }
@@ -1453,7 +1444,8 @@ _kdc_pk_check_client(krb5_context context,
        return 0;
     }
 
-    krb5_set_error_string(context,
+    ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+    krb5_set_error_message(context, ret,
                          "PKINIT no matching principals for %s",
                          *subject_name);
 
@@ -1464,7 +1456,7 @@ _kdc_pk_check_client(krb5_context context,
     free(*subject_name);
     *subject_name = NULL;
 
-    return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+    return ret;
 }
 
 static krb5_error_code
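Review bot: `return ret;` now relies on `ret` still holding `KRB5_KDC_ERR_CLIENT_NAME_MISMATCH` when control reaches it, but the lines between the assignment in the previous hunk and this return are outside both hunks; if anything there assigns `ret` (for example a cleanup call whose result is captured), the function would return that value instead of the mismatch code it returned before. Please confirm nothing in that gap writes `ret`, or move `ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;` directly before the `return`.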
index 1d0a01a215d10caa162ca62a6e1a4b4c55d6368e..550bfb04b2a15db05f3ede316cb7c3325d01de00 100644 (file)
@@ -34,7 +34,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: process.c 20959 2007-06-07 04:46:06Z lha $");
+RCSID("$Id: process.c 23316 2008-06-23 04:32:32Z lha $");
 
 /*
  *
@@ -177,14 +177,15 @@ krb5_kdc_save_request(krb5_context context,
 
     fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
     if (fd < 0) {
-       krb5_set_error_string(context, "Failed to open: %s", fn);
-       return errno;
+       int saved_errno = errno;
+       krb5_set_error_message(context, saved_errno, "Failed to open: %s", fn);
+       return saved_errno;
     }
     
     sp = krb5_storage_from_fd(fd);
     close(fd);
     if (sp == NULL) {
-       krb5_set_error_string(context, "Storage failed to open fd");
+       krb5_set_error_message(context, ENOMEM, "Storage failed to open fd");
        return ENOMEM;
     }
 
index 85e4d7f725cb415d036409b8a675d9823d0bef78..621757f6dcf972c493c6517a9c3a68ab9fe404b8 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: windc.c 20559 2007-04-24 16:00:07Z lha $");
+RCSID("$Id: windc.c 23316 2008-06-23 04:32:32Z lha $");
 
 static krb5plugin_windc_ftable *windcft;
 static void *windcctx;
@@ -63,7 +63,7 @@ krb5_kdc_windc_init(krb5_context context)
     }
     if (e == NULL) {
        _krb5_plugin_free(list);
-       krb5_set_error_string(context, "Did not find any WINDC plugin");
+       krb5_set_error_message(context, ENOENT, "Did not find any WINDC plugin");
        windcft = NULL;
        return ENOENT;
     }
@@ -91,7 +91,7 @@ _kdc_pac_verify(krb5_context context,
                krb5_pac *pac)
 {
     if (windcft == NULL) {
-       krb5_set_error_string(context, "Can't verify PAC, no function");
+       krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function");
        return EINVAL;
     }
     return (windcft->pac_verify)(windcctx, context, 
index 3ae0c94681e785cd28cdf9eaf3d2db456c361de4..44aab9e22b7ada10492764af98628350548fed9f 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: windc_plugin.h 19798 2007-01-10 15:24:51Z lha $ */
+/* $Id: windc_plugin.h 22693 2008-03-19 08:57:49Z lha $ */
 
 #ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
 #define HEIMDAL_KRB5_PAC_PLUGIN_H 1
@@ -67,7 +67,7 @@ typedef krb5_error_code
     void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *);
 
 
-#define KRB5_WINDC_PLUGING_MINOR               2
+#define KRB5_WINDC_PLUGING_MINOR               3
 
 typedef struct krb5plugin_windc_ftable {
     int                        minor_version;
index 2676309859089bda9136eeaa0d157e9c48cad707..0e03dc4d377e7588206d243fc156d01d583a2ec6 100644 (file)
@@ -32,7 +32,7 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c 22116 2007-12-03 21:22:58Z lha $");
+RCSID("$Id: kinit.c 23418 2008-07-26 18:36:48Z lha $");
 
 #include "krb5-v4compat.h"
 
@@ -66,6 +66,8 @@ char *pk_user_id      = NULL;
 char *pk_x509_anchors  = NULL;
 int pk_use_enckey      = 0;
 static int canonicalize_flag = 0;
+static int ok_as_delegate_flag = 0;
+static int windows_flag = 0;
 static char *ntlm_domain;
 
 static char *krb4_cc_name;
@@ -161,6 +163,12 @@ static struct getargs args[] = {
     { "ntlm-domain",   0,  arg_string, &ntlm_domain,
       "NTLM domain", "domain" },
 
+    { "ok-as-delegate",        0,  arg_flag, &ok_as_delegate_flag,
+      "honor ok-as-delegate on tickets" },
+
+    { "windows",       0,  arg_flag, &windows_flag,
+      "get windows behavior" },
+
     { "version",       0,   arg_flag, &version_flag },
     { "help",          0,   arg_flag, &help_flag }
 };
@@ -329,36 +337,25 @@ out:
 }
 
 static krb5_error_code
-store_ntlmkey(krb5_context context, krb5_ccache id, 
-             const char *domain, krb5_const_principal client,
-             struct ntlm_buf *buf)
+store_ntlmkey(krb5_context context, krb5_ccache id,
+             const char *domain, struct ntlm_buf *buf)
 {
     krb5_error_code ret;
-    krb5_creds cred;
-    
-    memset(&cred, 0, sizeof(cred));
+    krb5_data data;
+    char *name;
 
-    ret = krb5_make_principal(context, &cred.server,
-                             krb5_principal_get_realm(context, client),
-                             "@ntlm-key", domain, NULL);
-    if (ret)
-       goto out;
-    ret = krb5_copy_principal(context, client, &cred.client);
-    if (ret)
-       goto out;
+    asprintf(&name, "ntlm-key-%s", domain);
+    if (name == NULL) {
+       krb5_clear_error_string(context);
+       return ENOMEM;
+    }
     
-    cred.times.authtime = time(NULL);
-    cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
-    cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
-    ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
-    if (ret)
-       goto out;
-
-    ret = krb5_cc_store_cred(context, id, &cred);
+    data.length = buf->length;
+    data.data = buf->data;
 
-out:
-    krb5_free_cred_contents (context, &cred);
-    return 0;
+    ret = krb5_cc_set_config(context, id, NULL, name, &data);
+    free(name);
+    return ret;
 }
 
 static krb5_error_code
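Review bot: `asprintf(&name, "ntlm-key-%s", domain);` ignores its return value, and on failure glibc leaves `name` indeterminate rather than NULL, so the following `name == NULL` test does not reliably catch allocation failure and `krb5_cc_set_config` may be handed a garbage pointer. Test the return instead: `if (asprintf(&name, "ntlm-key-%s", domain) < 0 || name == NULL) {`. The rewritten body otherwise replaces the fabricated `@ntlm-key` credential with a cache config entry, which is cleaner; a one-line comment such as `/* stored as cache config "ntlm-key-<domain>", not as a credential */` would make the new storage location obvious to readers of the cache.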
@@ -598,7 +595,17 @@ get_new_tickets(krb5_context context,
        krb5_err (context, 1, ret, "krb5_cc_move");
 
     if (ntlm_domain && ntlmkey.data)
-       store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
+       store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
+
+    if (ok_as_delegate_flag || windows_flag) {
+       krb5_data data;
+
+       data.length = 1;
+       data.data = "\x01";
+
+       krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
+    }
+
 
     if (enctype)
        free(enctype);
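Review bot: Both `store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey)` and the new `krb5_cc_set_config(context, ccache, NULL, "realm-config", &data)` have their return values dropped, so a failed write to the cache goes unnoticed while the surrounding code aborts with `krb5_err` on `krb5_cc_move`; capture and at least report them, e.g. `ret = krb5_cc_set_config(context, ccache, NULL, "realm-config", &data); if (ret) krb5_warn(context, ret, "krb5_cc_set_config");`. The same single byte `"\x01"` is stored whether `--ok-as-delegate` or `--windows` was given, presumably because `--windows` implies the delegate behaviour; a short comment saying so, e.g. `/* windows_flag implies ok-as-delegate; realm-config is a one-byte flag */`, would help. The double blank line after the new block can be collapsed to one.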
index 13e39320d4ecdcb910eacd604a110b175579c385..0484137192c47a24e363cf062bbe083b5bb80f04 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der.h 18437 2006-10-14 05:16:08Z lha $ */
+/* $Id: der.h 23183 2008-05-22 09:56:51Z lha $ */
 
 #ifndef __DER_H__
 #define __DER_H__
index 851cb1d40775f8b5ad9218cb1f5e195815f021dd..f59ec72eb7f5c0040af819f61bbc595178fa5405 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_free.c 19539 2006-12-28 17:15:05Z lha $");
+RCSID("$Id: der_free.c 23182 2008-05-22 02:59:04Z lha $");
 
 void
 der_free_general_string (heim_general_string *str)
index 499f8eab363b56f51392a5f0977c3a894b90b795..39dba89e4e1cb847a242b6e16f2bc67c4af34600 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c 22429 2008-01-13 10:25:50Z lha $");
+RCSID("$Id: gen.c 22896 2008-04-07 18:52:24Z lha $");
 
 FILE *headerfile, *codefile, *logfile;
 
@@ -294,13 +294,18 @@ generate_constant (const Symbol *s)
        break;
     case objectidentifiervalue: {
        struct objid *o, **list;
-       int i, len;
+       unsigned int i, len;
 
        generate_header_of_codefile(s->gen_name);
 
        len = 0;
        for (o = s->value->u.objectidentifiervalue; o != NULL; o = o->next)
            len++;
+       if (len == 0) {
+           printf("s->gen_name: %s",s->gen_name);
+           fflush(stdout);
+           break;
+       }
        list = emalloc(sizeof(*list) * len);
 
        i = 0;
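Review bot: The new `len == 0` guard prints `s->gen_name: %s` to stdout with no newline and then silently skips the constant, which reads like a leftover debug trace: the generated header will simply lack the OID symbol and the build will fail later with a confusing error. Report it as a fatal error on stderr instead, e.g. `errx(1, "empty OBJECT IDENTIFIER %s", s->gen_name);` (gen.c appears to use err/errx for other fatal conditions; to be confirmed). Since `len` is now `unsigned int`, the `oid_%s_variable_num[%d]` fprintf in the later hunk should use `%u` to match; the reversed-loop rewrites themselves (`i = len; i > 0; i--` with `list[i - 1]`) are correct.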
@@ -308,8 +313,8 @@ generate_constant (const Symbol *s)
            list[i++] = o;
 
        fprintf (headerfile, "/* OBJECT IDENTIFIER %s ::= { ", s->name);
-       for (i = len - 1 ; i >= 0; i--) {
-           o = list[i];
+       for (i = len ; i > 0; i--) {
+           o = list[i - 1];
            fprintf(headerfile, "%s(%d) ",
                    o->label ? o->label : "label-less", o->value);
        }
@@ -320,8 +325,8 @@ generate_constant (const Symbol *s)
 
        fprintf (codefile, "static unsigned oid_%s_variable_num[%d] =  {",
                 s->gen_name, len);
-       for (i = len - 1 ; i >= 0; i--) {
-           fprintf(codefile, "%d%s ", list[i]->value, i > 0 ? "," : "");
+       for (i = len ; i > 0; i--) {
+           fprintf(codefile, "%d%s ", list[i - 1]->value, i > 1 ? "," : "");
        }
        fprintf(codefile, "};\n");
 
index 18f1e1541b5f6723b256ac89645abab219cc52a3..ea20eb99d24ba87ba90e12629109ef088d2d17e4 100644 (file)
@@ -1,4 +1,4 @@
--- $Id: k5.asn1 21965 2007-10-18 18:24:36Z lha $
+-- $Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
 
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@@ -634,18 +634,18 @@ KRB5SignedPath ::= SEQUENCE {
 }
 
 PA-ClientCanonicalizedNames ::= SEQUENCE{
-       requested-name [0] PrincipalName,
-       real-name      [1] PrincipalName
+       requested-name  [0] PrincipalName,
+       mapped-name     [1] PrincipalName
 }
 
 PA-ClientCanonicalized ::= SEQUENCE {
-       names          [0] PA-ClientCanonicalizedNames,
-       canon-checksum [1] Checksum
+       names           [0] PA-ClientCanonicalizedNames,
+       canon-checksum  [1] Checksum
 }
 
 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
-       login-alias  [0] PrincipalName,
-       checksum     [1] Checksum
+       login-alias     [0] PrincipalName,
+       checksum        [1] Checksum
 }
 
 -- old ms referral
@@ -654,6 +654,16 @@ PA-SvrReferralData ::= SEQUENCE {
        referred-realm  [0] Realm
 }
 
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+       referred-realm          [0] Realm OPTIONAL,
+       true-principal-name     [1] PrincipalName OPTIONAL,
+       requested-principal-name [2] PrincipalName OPTIONAL,
+       referral-valid-until     [3] KerberosTime OPTIONAL,
+       ...
+}
+
 END
 
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
index da4f729c3d6966e6026ada705541fea8c93ac16a..175760be4406d1c45cbbc790776b9d6cbe69a4e5 100644 (file)
@@ -1,5 +1,6 @@
+#include "config.h"
 
-#line 3 "lex.c"
+#line 3 "heimdal/lib/asn1/lex.c"
 
 #define  YY_INT_ALIGNED short int
 
@@ -8,7 +9,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
-#define YY_FLEX_SUBMINOR_VERSION 33
+#define YY_FLEX_SUBMINOR_VERSION 34
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -30,7 +31,7 @@
 
 /* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
 
-#if __STDC_VERSION__ >= 199901L
+#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
 
 /* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
  * if you want the limit (max/min) macros for int types. 
@@ -93,11 +94,12 @@ typedef unsigned int flex_uint32_t;
 
 #else  /* ! __cplusplus */
 
-#if __STDC__
+/* C99 requires __STDC__ to be defined as 1. */
+#if defined (__STDC__)
 
 #define YY_USE_CONST
 
-#endif /* __STDC__ */
+#endif /* defined (__STDC__) */
 #endif /* ! __cplusplus */
 
 #ifdef YY_USE_CONST
@@ -180,11 +182,13 @@ extern FILE *yyin, *yyout;
 /* The following is because we cannot portably get our hands on size_t
  * (without autoconf's help, which isn't available because we want
  * flex-generated scanners to compile on their own).
+ * Given that the standard has decreed that size_t exists since 1989,
+ * I guess we can afford to depend on it. Manoj.
  */
 
 #ifndef YY_TYPEDEF_YY_SIZE_T
 #define YY_TYPEDEF_YY_SIZE_T
-typedef unsigned int yy_size_t;
+typedef size_t yy_size_t;
 #endif
 
 #ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -851,7 +855,7 @@ static unsigned lineno = 1;
 static void unterminated(const char *, unsigned);
 
 /* This is for broken old lexes (solaris 10 and hpux) */
-#line 855 "lex.c"
+#line 858 "heimdal/lib/asn1/lex.c"
 
 #define INITIAL 0
 
@@ -869,35 +873,6 @@ static void unterminated(const char *, unsigned);
 
 static int yy_init_globals (void );
 
-/* Accessor methods to globals.
-   These are made visible to non-reentrant scanners for convenience. */
-
-int yylex_destroy (void );
-
-int yyget_debug (void );
-
-void yyset_debug (int debug_flag  );
-
-YY_EXTRA_TYPE yyget_extra (void );
-
-void yyset_extra (YY_EXTRA_TYPE user_defined  );
-
-FILE *yyget_in (void );
-
-void yyset_in  (FILE * in_str  );
-
-FILE *yyget_out (void );
-
-void yyset_out  (FILE * out_str  );
-
-int yyget_leng (void );
-
-char *yyget_text (void );
-
-int yyget_lineno (void );
-
-void yyset_lineno (int line_number  );
-
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
  */
@@ -940,7 +915,7 @@ static int input (void );
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#define ECHO fwrite( yytext, yyleng, 1, yyout )
 #endif
 
 /* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
@@ -951,7 +926,7 @@ static int input (void );
        if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
                { \
                int c = '*'; \
-               size_t n; \
+               int n; \
                for ( n = 0; n < max_size && \
                             (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
                        buf[n] = (char) c; \
@@ -1035,7 +1010,7 @@ YY_DECL
     
 #line 68 "lex.l"
 
-#line 1039 "lex.c"
+#line 1013 "heimdal/lib/asn1/lex.c"
 
        if ( !(yy_init) )
                {
@@ -1704,7 +1679,7 @@ YY_RULE_SETUP
 #line 274 "lex.l"
 ECHO;
        YY_BREAK
-#line 1708 "lex.c"
+#line 1682 "heimdal/lib/asn1/lex.c"
 case YY_STATE_EOF(INITIAL):
        yyterminate();
 
@@ -1935,7 +1910,7 @@ static int yy_get_next_buffer (void)
 
                /* Read in more data. */
                YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
-                       (yy_n_chars), num_to_read );
+                       (yy_n_chars), (size_t) num_to_read );
 
                YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
                }
@@ -1959,6 +1934,14 @@ static int yy_get_next_buffer (void)
        else
                ret_val = EOB_ACT_CONTINUE_SCAN;
 
+       if ((yy_size_t) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+               /* Extend the array by 50%, plus the number we really need. */
+               yy_size_t new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
+               YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size  );
+               if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+                       YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+       }
+
        (yy_n_chars) += number_to_move;
        YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
        YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
@@ -2374,7 +2357,9 @@ static void yyensure_buffer_stack (void)
                (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
                                                                (num_to_alloc * sizeof(struct yy_buffer_state*)
                                                                );
-               
+               if ( ! (yy_buffer_stack) )
+                       YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+                                                                 
                memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
                                
                (yy_buffer_stack_max) = num_to_alloc;
@@ -2392,6 +2377,8 @@ static void yyensure_buffer_stack (void)
                                                                ((yy_buffer_stack),
                                                                num_to_alloc * sizeof(struct yy_buffer_state*)
                                                                );
+               if ( ! (yy_buffer_stack) )
+                       YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
 
                /* zero only the new slots.*/
                memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -2436,7 +2423,7 @@ YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
 
 /** Setup the input buffer state to scan a string. The next call to yylex() will
  * scan from a @e copy of @a str.
- * @param str a NUL-terminated string to scan
+ * @param yystr a NUL-terminated string to scan
  * 
  * @return the newly allocated buffer state object.
  * @note If you want to scan bytes that may contain NUL values, then use
index 6ec7b67bb9cdd65fdd2eb2ccdd072d366ebba9a3..ec744220e9c0a353e41653156792971d54f16ed1 100644 (file)
@@ -32,7 +32,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
index 989b26581b3a1b69eea569b96e37bbef624da33a..758af6f86e8734879b75c562113762c993f4a239 100644 (file)
@@ -17,6 +17,11 @@ id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
 id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
 id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }
 
+id-pkinit-kdf OBJECT IDENTIFIER           ::= { id-pkinit 6 }
+id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER   ::= { id-pkinit-kdf 1 }
+id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
+id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
+
 id-pkinit-san  OBJECT IDENTIFIER ::=
   { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
     x509-sanan(2) }
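Review bot: The three new arcs `id-pkinit-kdf-ah-sha1`, `-sha256` and `-sha512` are bare OID assignments with nothing saying what they select, so a reader cannot tell from this module that the last arc names the hash of the SP800-56A concatenation KDF used for PKINIT algorithm agility, nor that the SHA-1 variant is the weakest of the three and is there for interoperability rather than preference. Suggest a comment above them: `-- PKINIT algorithm agility: hash for the SP800-56A concatenation KDF, one OID per hash`. Which of these the KDC picks when a client offers several is decided in the KDC code, not here, and is worth checking so that sha256/sha512 win over sha1 when both sides support them.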
@@ -171,6 +176,14 @@ ReplyKeyPack-Win2k ::= SEQUENCE {
        ...
 }
 
+PkinitSP80056AOtherInfo ::= SEQUENCE { 
+       algorithmID   AlgorithmIdentifier, 
+       partyUInfo     [0] OCTET STRING, 
+       partyVInfo     [1] OCTET STRING, 
+       suppPubInfo    [2] OCTET STRING OPTIONAL, 
+       suppPrivInfo   [3] OCTET STRING OPTIONAL 
+}
+
 PkinitSuppPubInfo ::= SEQUENCE {
        enctype           [0] INTEGER (-2147483648..2147483647),
        as-REQ            [1] OCTET STRING,
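Review bot: `PkinitSP80056AOtherInfo` types `partyUInfo`, `partyVInfo`, `suppPubInfo` and `suppPrivInfo` as opaque OCTET STRINGs without saying what they hold, although their contents are exactly what binds the derived key to the two parties and to the request; the agility specification is expected to put the DER-encoded client principal name, KDC principal name and `PkinitSuppPubInfo` in the first three, but that should be confirmed against the encoder before being written down. Suggest a comment on the type: `-- OtherInfo for the SP800-56A concatenation KDF; partyU/partyV are presumably the DER KRB5PrincipalName of client and KDC, suppPubInfo the DER PkinitSuppPubInfo -- confirm against the encoder`. The new lines also carry trailing whitespace after each field, which the rest of the module does not.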
index 9a1f3547917dd6cd4a728f6197f3e87e3d8e83ca..d0fc7d98a44b6cebe2b9a49ae18d51793fd93156 100644 (file)
@@ -1,4 +1,4 @@
-# $Id: test.gen,v 1.2 2005/07/12 06:27:41 lha Exp $
+# $Id: test.gen 15617 2005-07-12 06:27:42Z lha $
 # Sample for TESTSeq in test.asn1
 #
 
index 3c6ea3beb71dfa4a8e78a718bfcb93c0c1234d3d..b70ef4749f86ea0336b736ffcc1b65e2fb84ff54 100644 (file)
@@ -1,5 +1,6 @@
+#include "config.h"
 
-#line 3 "lex.c"
+#line 3 "heimdal/lib/com_err/lex.c"
 
 #define  YY_INT_ALIGNED short int
 
@@ -8,7 +9,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
-#define YY_FLEX_SUBMINOR_VERSION 33
+#define YY_FLEX_SUBMINOR_VERSION 34
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -30,7 +31,7 @@
 
 /* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
 
-#if __STDC_VERSION__ >= 199901L
+#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
 
 /* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
  * if you want the limit (max/min) macros for int types. 
@@ -93,11 +94,12 @@ typedef unsigned int flex_uint32_t;
 
 #else  /* ! __cplusplus */
 
-#if __STDC__
+/* C99 requires __STDC__ to be defined as 1. */
+#if defined (__STDC__)
 
 #define YY_USE_CONST
 
-#endif /* __STDC__ */
+#endif /* defined (__STDC__) */
 #endif /* ! __cplusplus */
 
 #ifdef YY_USE_CONST
@@ -180,11 +182,13 @@ extern FILE *yyin, *yyout;
 /* The following is because we cannot portably get our hands on size_t
  * (without autoconf's help, which isn't available because we want
  * flex-generated scanners to compile on their own).
+ * Given that the standard has decreed that size_t exists since 1989,
+ * I guess we can afford to depend on it. Manoj.
  */
 
 #ifndef YY_TYPEDEF_YY_SIZE_T
 #define YY_TYPEDEF_YY_SIZE_T
-typedef unsigned int yy_size_t;
+typedef size_t yy_size_t;
 #endif
 
 #ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -532,7 +536,7 @@ static int getstring(void);
 
 #undef ECHO
 
-#line 536 "lex.c"
+#line 539 "heimdal/lib/com_err/lex.c"
 
 #define INITIAL 0
 
@@ -550,35 +554,6 @@ static int getstring(void);
 
 static int yy_init_globals (void );
 
-/* Accessor methods to globals.
-   These are made visible to non-reentrant scanners for convenience. */
-
-int yylex_destroy (void );
-
-int yyget_debug (void );
-
-void yyset_debug (int debug_flag  );
-
-YY_EXTRA_TYPE yyget_extra (void );
-
-void yyset_extra (YY_EXTRA_TYPE user_defined  );
-
-FILE *yyget_in (void );
-
-void yyset_in  (FILE * in_str  );
-
-FILE *yyget_out (void );
-
-void yyset_out  (FILE * out_str  );
-
-int yyget_leng (void );
-
-char *yyget_text (void );
-
-int yyget_lineno (void );
-
-void yyset_lineno (int line_number  );
-
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
  */
@@ -621,7 +596,7 @@ static int input (void );
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#define ECHO fwrite( yytext, yyleng, 1, yyout )
 #endif
 
 /* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
@@ -632,7 +607,7 @@ static int input (void );
        if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
                { \
                int c = '*'; \
-               size_t n; \
+               int n; \
                for ( n = 0; n < max_size && \
                             (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
                        buf[n] = (char) c; \
@@ -716,7 +691,7 @@ YY_DECL
     
 #line 59 "lex.l"
 
-#line 720 "lex.c"
+#line 694 "heimdal/lib/com_err/lex.c"
 
        if ( !(yy_init) )
                {
@@ -880,7 +855,7 @@ YY_RULE_SETUP
 #line 75 "lex.l"
 ECHO;
        YY_BREAK
-#line 884 "lex.c"
+#line 858 "heimdal/lib/com_err/lex.c"
 case YY_STATE_EOF(INITIAL):
        yyterminate();
 
@@ -1111,7 +1086,7 @@ static int yy_get_next_buffer (void)
 
                /* Read in more data. */
                YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
-                       (yy_n_chars), num_to_read );
+                       (yy_n_chars), (size_t) num_to_read );
 
                YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
                }
@@ -1135,6 +1110,14 @@ static int yy_get_next_buffer (void)
        else
                ret_val = EOB_ACT_CONTINUE_SCAN;
 
+       if ((yy_size_t) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+               /* Extend the array by 50%, plus the number we really need. */
+               yy_size_t new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
+               YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size  );
+               if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+                       YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+       }
+
        (yy_n_chars) += number_to_move;
        YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
        YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
@@ -1550,7 +1533,9 @@ static void yyensure_buffer_stack (void)
                (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
                                                                (num_to_alloc * sizeof(struct yy_buffer_state*)
                                                                );
-               
+               if ( ! (yy_buffer_stack) )
+                       YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+                                                                 
                memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
                                
                (yy_buffer_stack_max) = num_to_alloc;
@@ -1568,6 +1553,8 @@ static void yyensure_buffer_stack (void)
                                                                ((yy_buffer_stack),
                                                                num_to_alloc * sizeof(struct yy_buffer_state*)
                                                                );
+               if ( ! (yy_buffer_stack) )
+                       YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
 
                /* zero only the new slots.*/
                memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -1612,7 +1599,7 @@ YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
 
 /** Setup the input buffer state to scan a string. The next call to yylex() will
  * scan from a @e copy of @a str.
- * @param str a NUL-terminated string to scan
+ * @param yystr a NUL-terminated string to scan
  * 
  * @return the newly allocated buffer state object.
  * @note If you want to scan bytes that may contain NUL values, then use
index d60e67c136e9fde6d56c1bc82e0d8df4adaf5c17..08aef516b304bce23e0de098a5125998b4cc281e 100644 (file)
@@ -44,7 +44,7 @@
 #include "parse.h"
 #include "lex.h"
 
-RCSID("$Id: lex.l,v 1.8 2005/05/16 08:52:54 lha Exp $");
+RCSID("$Id: lex.l 15143 2005-05-16 08:52:54Z lha $");
 
 static unsigned lineno = 1;
 static int getstring(void);
index fbc638c48fca41dd47fcd1de525cc875c02a0bee..63f66f73133e2ec1d8883cd46ea23f242cb756bd 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */
+/* $Id: gssapi.h 23025 2008-04-17 10:01:57Z lha $ */
 
 #ifndef GSSAPI_GSSAPI_H_
 #define GSSAPI_GSSAPI_H_
 
 #include <krb5-types.h>
 
+#ifndef BUILD_GSSAPI_LIB
+#if defined(_WIN32)
+#define GSSAPI_LIB_FUNCTION _stdcall __declspec(dllimport)
+#define GSSAPI_LIB_VARIABLE __declspec(dllimport)
+#else
+#define GSSAPI_LIB_FUNCTION
+#define GSSAPI_LIB_VARIABLE
+#endif
+#endif
+
 /*
  * Now define the three implementation-dependent types.
  */
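Review bot: When `BUILD_GSSAPI_LIB` is defined the new `#ifndef BUILD_GSSAPI_LIB` block defines neither `GSSAPI_LIB_FUNCTION` nor `GSSAPI_LIB_VARIABLE`, so every prototype below breaks unless a private header defines both before including this one; adding `#ifndef GSSAPI_LIB_FUNCTION` / `#define GSSAPI_LIB_FUNCTION` / `#endif` (and the same for `GSSAPI_LIB_VARIABLE`) after the block would keep the public header self-contained for any translation unit that includes it first. The Win32 branch also writes the calling convention as `_stdcall` and places it together with `__declspec(dllimport)` between the return type and the function name; whether MSVC accepts that exact ordering, and whether exporting the API as stdcall is a deliberate ABI change for existing Windows callers, are both worth confirming since nothing in the hunk documents the choice.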
@@ -210,7 +220,7 @@ extern "C" {
  * GSS_C_NT_USER_NAME should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_USER_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_USER_NAME;
 
 /*
  * The implementation must reserve static storage for a
@@ -223,7 +233,7 @@ extern gss_OID GSS_C_NT_USER_NAME;
  * The constant GSS_C_NT_MACHINE_UID_NAME should be
  * initialized to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_MACHINE_UID_NAME;
 
 /*
  * The implementation must reserve static storage for a
@@ -236,7 +246,7 @@ extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
  * The constant GSS_C_NT_STRING_UID_NAME should be
  * initialized to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_STRING_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_STRING_UID_NAME;
 
 /*
  * The implementation must reserve static storage for a
@@ -255,7 +265,7 @@ extern gss_OID GSS_C_NT_STRING_UID_NAME;
  * parameter, but should not be emitted by GSS-API
  * implementations
  */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
 
 /*
  * The implementation must reserve static storage for a
@@ -268,7 +278,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
  * GSS_C_NT_HOSTBASED_SERVICE should be initialized
  * to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE;
 
 /*
  * The implementation must reserve static storage for a
@@ -280,7 +290,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
  * and GSS_C_NT_ANONYMOUS should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_ANONYMOUS;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_ANONYMOUS;
 
 /*
  * The implementation must reserve static storage for a
@@ -292,19 +302,19 @@ extern gss_OID GSS_C_NT_ANONYMOUS;
  * GSS_C_NT_EXPORT_NAME should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_EXPORT_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_EXPORT_NAME;
 
 /*
  * Digest mechanism
  */
 
-extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
 
 /*
  * NTLM mechanism
  */
 
-extern gss_OID GSS_NTLM_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_NTLM_MECHANISM;
 
 /* Major status codes */
 
@@ -387,7 +397,7 @@ extern gss_OID GSS_NTLM_MECHANISM;
  * Finally, function prototypes for the GSS-API routines.
  */
 
-OM_uint32 gss_acquire_cred
+OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*desired_name*/,
             OM_uint32 /*time_req*/,
@@ -398,12 +408,12 @@ OM_uint32 gss_acquire_cred
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_release_cred
+OM_uint32 GSSAPI_LIB_FUNCTION gss_release_cred
            (OM_uint32 * /*minor_status*/,
             gss_cred_id_t * /*cred_handle*/
            );
 
-OM_uint32 gss_init_sec_context
+OM_uint32 GSSAPI_LIB_FUNCTION gss_init_sec_context
            (OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*initiator_cred_handle*/,
             gss_ctx_id_t * /*context_handle*/,
@@ -419,7 +429,7 @@ OM_uint32 gss_init_sec_context
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_accept_sec_context
+OM_uint32 GSSAPI_LIB_FUNCTION gss_accept_sec_context
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             const gss_cred_id_t /*acceptor_cred_handle*/,
@@ -433,25 +443,25 @@ OM_uint32 gss_accept_sec_context
             gss_cred_id_t * /*delegated_cred_handle*/
            );
 
-OM_uint32 gss_process_context_token
+OM_uint32 GSSAPI_LIB_FUNCTION gss_process_context_token
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*token_buffer*/
            );
 
-OM_uint32 gss_delete_sec_context
+OM_uint32 GSSAPI_LIB_FUNCTION gss_delete_sec_context
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             gss_buffer_t /*output_token*/
            );
 
-OM_uint32 gss_context_time
+OM_uint32 GSSAPI_LIB_FUNCTION gss_context_time
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_get_mic
+OM_uint32 GSSAPI_LIB_FUNCTION gss_get_mic
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             gss_qop_t /*qop_req*/,
@@ -459,7 +469,7 @@ OM_uint32 gss_get_mic
             gss_buffer_t /*message_token*/
            );
 
-OM_uint32 gss_verify_mic
+OM_uint32 GSSAPI_LIB_FUNCTION gss_verify_mic
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*message_buffer*/,
@@ -467,7 +477,7 @@ OM_uint32 gss_verify_mic
             gss_qop_t * /*qop_state*/
            );
 
-OM_uint32 gss_wrap
+OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -477,7 +487,7 @@ OM_uint32 gss_wrap
             gss_buffer_t /*output_message_buffer*/
            );
 
-OM_uint32 gss_unwrap
+OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*input_message_buffer*/,
@@ -486,7 +496,7 @@ OM_uint32 gss_unwrap
             gss_qop_t * /*qop_state*/
            );
 
-OM_uint32 gss_display_status
+OM_uint32 GSSAPI_LIB_FUNCTION gss_display_status
            (OM_uint32 * /*minor_status*/,
             OM_uint32 /*status_value*/,
             int /*status_type*/,
@@ -495,54 +505,54 @@ OM_uint32 gss_display_status
             gss_buffer_t /*status_string*/
            );
 
-OM_uint32 gss_indicate_mechs
+OM_uint32 GSSAPI_LIB_FUNCTION gss_indicate_mechs
            (OM_uint32 * /*minor_status*/,
             gss_OID_set * /*mech_set*/
            );
 
-OM_uint32 gss_compare_name
+OM_uint32 GSSAPI_LIB_FUNCTION gss_compare_name
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*name1*/,
             const gss_name_t /*name2*/,
             int * /*name_equal*/
            );
 
-OM_uint32 gss_display_name
+OM_uint32 GSSAPI_LIB_FUNCTION gss_display_name
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_buffer_t /*output_name_buffer*/,
             gss_OID * /*output_name_type*/
            );
 
-OM_uint32 gss_import_name
+OM_uint32 GSSAPI_LIB_FUNCTION gss_import_name
            (OM_uint32 * /*minor_status*/,
             const gss_buffer_t /*input_name_buffer*/,
             const gss_OID /*input_name_type*/,
             gss_name_t * /*output_name*/
            );
 
-OM_uint32 gss_export_name
+OM_uint32 GSSAPI_LIB_FUNCTION gss_export_name
            (OM_uint32  * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_buffer_t /*exported_name*/
            );
 
-OM_uint32 gss_release_name
+OM_uint32 GSSAPI_LIB_FUNCTION gss_release_name
            (OM_uint32 * /*minor_status*/,
             gss_name_t * /*input_name*/
            );
 
-OM_uint32 gss_release_buffer
+OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer
            (OM_uint32 * /*minor_status*/,
             gss_buffer_t /*buffer*/
            );
 
-OM_uint32 gss_release_oid_set
+OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid_set
            (OM_uint32 * /*minor_status*/,
             gss_OID_set * /*set*/
            );
 
-OM_uint32 gss_inquire_cred
+OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred
            (OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*cred_handle*/,
             gss_name_t * /*name*/,
@@ -551,7 +561,7 @@ OM_uint32 gss_inquire_cred
             gss_OID_set * /*mechanisms*/
            );
 
-OM_uint32 gss_inquire_context (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_context (
             OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             gss_name_t * /*src_name*/,
@@ -563,7 +573,7 @@ OM_uint32 gss_inquire_context (
             int * /*open_context*/
            );
 
-OM_uint32 gss_wrap_size_limit (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_size_limit (
             OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -572,7 +582,7 @@ OM_uint32 gss_wrap_size_limit (
             OM_uint32 * /*max_input_size*/
            );
 
-OM_uint32 gss_add_cred (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_add_cred (
             OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*input_cred_handle*/,
             const gss_name_t /*desired_name*/,
@@ -586,7 +596,7 @@ OM_uint32 gss_add_cred (
             OM_uint32 * /*acceptor_time_rec*/
            );
 
-OM_uint32 gss_inquire_cred_by_mech (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_mech (
             OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*cred_handle*/,
             const gss_OID /*mech_type*/,
@@ -596,80 +606,81 @@ OM_uint32 gss_inquire_cred_by_mech (
             gss_cred_usage_t * /*cred_usage*/
            );
 
-OM_uint32 gss_export_sec_context (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_export_sec_context (
             OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             gss_buffer_t /*interprocess_token*/
            );
 
-OM_uint32 gss_import_sec_context (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_import_sec_context (
             OM_uint32 * /*minor_status*/,
             const gss_buffer_t /*interprocess_token*/,
             gss_ctx_id_t * /*context_handle*/
            );
 
-OM_uint32 gss_create_empty_oid_set (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_oid_set (
             OM_uint32 * /*minor_status*/,
             gss_OID_set * /*oid_set*/
            );
 
-OM_uint32 gss_add_oid_set_member (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_add_oid_set_member (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*member_oid*/,
             gss_OID_set * /*oid_set*/
            );
 
-OM_uint32 gss_test_oid_set_member (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_test_oid_set_member (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*member*/,
             const gss_OID_set /*set*/,
             int * /*present*/
            );
 
-OM_uint32 gss_inquire_names_for_mech (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_names_for_mech (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*mechanism*/,
             gss_OID_set * /*name_types*/
            );
 
-OM_uint32 gss_inquire_mechs_for_name (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_mechs_for_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_OID_set * /*mech_types*/
            );
 
-OM_uint32 gss_canonicalize_name (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_canonicalize_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             const gss_OID /*mech_type*/,
             gss_name_t * /*output_name*/
            );
 
-OM_uint32 gss_duplicate_name (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*src_name*/,
             gss_name_t * /*dest_name*/
            );
 
-OM_uint32 gss_duplicate_oid (
+OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_oid (
            OM_uint32 * /* minor_status */,
            gss_OID /* src_oid */,
            gss_OID * /* dest_oid */
            );
-OM_uint32
+
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_release_oid
        (OM_uint32 * /*minor_status*/,
         gss_OID * /* oid */
        );
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_oid_to_str(
            OM_uint32 * /*minor_status*/,
            gss_OID /* oid */,
            gss_buffer_t /* str */
            );
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_inquire_sec_context_by_oid(
            OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -677,38 +688,38 @@ gss_inquire_sec_context_by_oid(
             gss_buffer_set_t *data_set
            );
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_set_sec_context_option (OM_uint32 *minor_status,
                            gss_ctx_id_t *context_handle,
                            const gss_OID desired_object,
                            const gss_buffer_t value);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_set_cred_option (OM_uint32 *minor_status,
                     gss_cred_id_t *cred_handle,
                     const gss_OID object,
                     const gss_buffer_t value);
 
-int
+int GSSAPI_LIB_FUNCTION
 gss_oid_equal(const gss_OID a, const gss_OID b);
 
-OM_uint32 
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_create_empty_buffer_set
           (OM_uint32 * minor_status,
            gss_buffer_set_t *buffer_set);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_add_buffer_set_member
           (OM_uint32 * minor_status,
            const gss_buffer_t member_buffer,
            gss_buffer_set_t *buffer_set);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_release_buffer_set
           (OM_uint32 * minor_status,
            gss_buffer_set_t *buffer_set);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
                        const gss_cred_id_t cred_handle,
                        const gss_OID desired_object,
@@ -721,7 +732,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
 #define GSS_C_PRF_KEY_FULL 0
 #define GSS_C_PRF_KEY_PARTIAL 1
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_pseudo_random
        (OM_uint32 *minor_status,
         gss_ctx_id_t context,
@@ -742,7 +753,7 @@ gss_pseudo_random
  * obsolete versions of these routines and their current forms.
  */
 
-OM_uint32 gss_sign
+OM_uint32 GSSAPI_LIB_FUNCTION gss_sign
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*qop_req*/,
@@ -750,7 +761,7 @@ OM_uint32 gss_sign
             gss_buffer_t /*message_token*/
            );
 
-OM_uint32 gss_verify
+OM_uint32 GSSAPI_LIB_FUNCTION gss_verify
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*message_buffer*/,
@@ -758,7 +769,7 @@ OM_uint32 gss_verify
             int * /*qop_state*/
            );
 
-OM_uint32 gss_seal
+OM_uint32 GSSAPI_LIB_FUNCTION gss_seal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -768,7 +779,7 @@ OM_uint32 gss_seal
             gss_buffer_t /*output_message_buffer*/
            );
 
-OM_uint32 gss_unseal
+OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*input_message_buffer*/,
@@ -781,18 +792,18 @@ OM_uint32 gss_unseal
  *
  */
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
                                const gss_ctx_id_t context_handle,
                                const gss_OID desired_object,
                                gss_buffer_set_t *data_set);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_encapsulate_token(gss_buffer_t /* input_token */,
                      gss_OID /* oid */,
                      gss_buffer_t /* output_token */);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_decapsulate_token(gss_buffer_t /* input_token */,
                      gss_OID /* oid */,
                      gss_buffer_t /* output_token */);
index 2223f4f22f778f916d6e36fb3c4ee4b761785c68..55f78866588c8c86be32929b9eee55de36a94801 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi_krb5.h 22655 2008-02-26 12:40:35Z lha $ */
+/* $Id: gssapi_krb5.h 23420 2008-07-26 18:37:48Z lha $ */
 
 #ifndef GSSAPI_KRB5_H_
 #define GSSAPI_KRB5_H_
@@ -46,12 +46,12 @@ extern "C" {
  * This is for kerberos5 names.
  */
 
-extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
-extern gss_OID GSS_KRB5_NT_USER_NAME;
-extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
-extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_USER_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_STRING_UID_NAME;
 
-extern gss_OID GSS_KRB5_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_MECHANISM;
 
 /* for compatibility with MIT api */
 
@@ -59,28 +59,30 @@ extern gss_OID GSS_KRB5_MECHANISM;
 #define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
 
 /* Extensions set contexts options */
-extern gss_OID GSS_KRB5_COPY_CCACHE_X;
-extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
-extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
-extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
-extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
-extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
-extern gss_OID GSS_KRB5_CCACHE_NAME_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COPY_CCACHE_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SEND_TO_KDC_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CCACHE_NAME_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_TIME_OFFSET_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TIME_OFFSET_X;
 /* Extensions inquire context */
-extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
-extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
-extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
-extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
-extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
-extern gss_OID GSS_KRB5_GET_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_AUTHTIME_X;
-extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SUBKEY_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_AUTHTIME_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
 /* Extensions creds */
-extern gss_OID GSS_KRB5_IMPORT_CRED_X;
-extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
-extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_IMPORT_CRED_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
 
 /*
  * kerberos mechanism specific functions
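Review bot: `GSS_KRB5_SET_TIME_OFFSET_X` and `GSS_KRB5_GET_TIME_OFFSET_X` are added without any note on the value they carry or on the fact that a settable clock offset shifts the time used for ticket-lifetime and skew checks; the neighbouring option OIDs are equally undocumented, but this is the one a caller can misuse, so it deserves at least `/* value: clock offset applied to krb5 time checks; encoding and scope (per-context or process-wide) defined by the option implementation -- confirm */`. If the offset is process-wide rather than per context, that should be stated here, since a library consumer hosting several credentials would otherwise assume it is local to one context.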
@@ -90,39 +92,42 @@ struct krb5_keytab_data;
 struct krb5_ccache_data;
 struct Principal;
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, 
                     const char * /*name */,
                     const char ** /*out_name */);
 
-OM_uint32 gsskrb5_register_acceptor_identity
+OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_register_acceptor_identity
         (const char */*identity*/);
 
-OM_uint32 gss_krb5_copy_ccache
+OM_uint32 GSSAPI_LIB_FUNCTION krb5_gss_register_acceptor_identity
+       (const char */*identity*/);
+
+OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_copy_ccache
        (OM_uint32 */*minor*/,
         gss_cred_id_t /*cred*/,
         struct krb5_ccache_data */*out*/);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_krb5_import_cred(OM_uint32 */*minor*/,
                     struct krb5_ccache_data * /*in*/,
                     struct Principal * /*keytab_principal*/,
                     struct krb5_keytab_data * /*keytab*/,
                     gss_cred_id_t */*out*/);
 
-OM_uint32 gss_krb5_get_tkt_flags
+OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_get_tkt_flags
        (OM_uint32 */*minor*/,
         gss_ctx_id_t /*context_handle*/,
         OM_uint32 */*tkt_flags*/);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_extract_authz_data_from_sec_context
        (OM_uint32 * /*minor_status*/,
         gss_ctx_id_t /*context_handle*/,
         int /*ad_type*/,
         gss_buffer_t /*ad_data*/);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_set_dns_canonicalize(int);
 
 struct gsskrb5_send_to_kdc {
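Review bot: `krb5_gss_register_acceptor_identity` is declared with a signature identical to `gsskrb5_register_acceptor_identity` immediately above it, but nothing in the header says how the two relate; it is presumably a compatibility name for callers written against another GSS-API implementation. A one-line comment would save readers a hunt through the library, e.g. `/* compatibility name for gsskrb5_register_acceptor_identity; same semantics */` — confirm against the definition before settling on that wording.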
@@ -130,30 +135,36 @@ struct gsskrb5_send_to_kdc {
     void *ptr;
 };
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_set_default_realm(const char *);
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
 
 struct EncryptionKey;
 
-OM_uint32 
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
                                 gss_ctx_id_t context_handle,
                                 struct EncryptionKey **out);
-OM_uint32 
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
                                 gss_ctx_id_t context_handle,
                                 struct EncryptionKey **out);
-OM_uint32 
+OM_uint32 GSSAPI_LIB_FUNCTION
 gsskrb5_get_subkey(OM_uint32 *minor_status,
                   gss_ctx_id_t context_handle,
                   struct EncryptionKey **out);
 
+OM_uint32 GSSAPI_LIB_FUNCTION
+gsskrb5_set_time_offset(int);
+
+OM_uint32 GSSAPI_LIB_FUNCTION
+gsskrb5_get_time_offset(int *);
+
 /*
  * Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to
  * do GSS content token handling in-kernel.
@@ -196,19 +207,19 @@ typedef struct gss_krb5_lucid_context_version {
  * Function declarations
  */
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);
 
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);
 
 
-OM_uint32
+OM_uint32 GSSAPI_LIB_FUNCTION
 gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, 
                                gss_cred_id_t cred,
                                OM_uint32 num_enctypes,
index fbb7906369be50221110eae6588a5d3cfac23f14..3358863a801613af9617b09b4e8fee509ae61cbc 100644 (file)
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */
+/* $Id: gssapi_spnego.h 23025 2008-04-17 10:01:57Z lha $ */
 
 #ifndef GSSAPI_SPNEGO_H_
 #define GSSAPI_SPNEGO_H_
@@ -48,7 +48,7 @@ extern "C" {
  *  negotiation token is identified by the Object Identifier
  *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
  */
-extern gss_OID GSS_SPNEGO_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID GSS_SPNEGO_MECHANISM;
 #define gss_mech_spnego GSS_SPNEGO_MECHANISM
 
 #ifdef __cplusplus
index 73b93ceba4c6bb472c546afd52981bcf13051173..8dbd087da62669129a0c6896630c27544c78ffac 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
+RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $");
 
 HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
 krb5_keytab _gsskrb5_keytab;
@@ -250,6 +250,62 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
     return GSS_S_COMPLETE;
 }
 
+static OM_uint32
+send_error_token(OM_uint32 *minor_status,
+                krb5_context context,
+                krb5_error_code kret,
+                krb5_principal server,
+                krb5_data *indata,
+                gss_buffer_t output_token)
+{
+    krb5_principal ap_req_server = NULL;
+    krb5_error_code ret;
+    krb5_data outbuf;
+
+    /* build server from request if the acceptor had not selected one */
+    if (server == NULL) {
+       AP_REQ ap_req;
+
+       ret = krb5_decode_ap_req(context, indata, &ap_req);
+       if (ret) {
+           *minor_status = ret;
+           return GSS_S_FAILURE;
+       }
+       ret = _krb5_principalname2krb5_principal(context,
+                                                 &ap_req_server,
+                                                 ap_req.ticket.sname,
+                                                 ap_req.ticket.realm);
+       free_AP_REQ(&ap_req);
+       if (ret) {
+           *minor_status = ret;
+           return GSS_S_FAILURE;
+       }
+       server = ap_req_server;
+    }
+    
+    ret = krb5_mk_error(context, kret, NULL, NULL, NULL,
+                       server, NULL, NULL, &outbuf);
+    if (ap_req_server)
+       krb5_free_principal(context, ap_req_server);
+    if (ret) {
+       *minor_status = ret;
+       return GSS_S_FAILURE;
+    }
+    
+    ret = _gsskrb5_encapsulate(minor_status,
+                              &outbuf,
+                              output_token,
+                              "\x03\x00",
+                              GSS_KRB5_MECHANISM);
+    krb5_data_free (&outbuf);
+    if (ret)
+       return ret;
+
+    *minor_status = 0;
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+
 static OM_uint32
 gsskrb5_acceptor_start(OM_uint32 * minor_status,
                       gsskrb5_ctx ctx,
@@ -304,6 +360,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     {
        krb5_rd_req_in_ctx in = NULL;
        krb5_rd_req_out_ctx out = NULL;
+       krb5_principal server = NULL;
+
+       if (acceptor_cred)
+           server = acceptor_cred->principal;
 
        kret = krb5_rd_req_in_ctx_alloc(context, &in);
        if (kret == 0)
@@ -319,17 +379,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
        kret = krb5_rd_req_ctx(context,
                               &ctx->auth_context,
                               &indata,
-                              (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+                              server,
                               in, &out);
        krb5_rd_req_in_ctx_free(context, in);
        if (kret) {
-           ret = GSS_S_FAILURE;
-           *minor_status = kret;
-           return ret;
+           /* 
+            * No reply in non-MUTUAL mode, but we don't know that its
+            * non-MUTUAL mode yet, thats inside the 8003 checksum.
+            */
+           return send_error_token(minor_status, context, kret,
+                                   server, &indata, output_token);
        }
 
        /*
-        * We need to remember some data on the context_handle.
+        * we need to remember some data on the context_handle.
         */
        kret = krb5_rd_req_out_get_ap_req_options(context, out,
                                                  &ap_options);
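Review bot: The error path now returns whatever `send_error_token` returns, so `gsskrb5_acceptor_start` yields GSS_S_CONTINUE_NEEDED plus an output token where it used to return GSS_S_FAILURE, and the context appears to stay in its start state so that the same `ctx->auth_context` receives the peer's next token. If `krb5_rd_req_ctx` can store anything in the auth context before failing (keys, sequence numbers, addresses), a retried AP-REQ would be verified against that partially populated state — worth confirming, or re-initialising the auth context before returning. The new comment also has two typos: `its` → `it's`, `thats` → `that's`. `gsskrb5_acceptor_start` continues outside the hunk.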
index abad98655026a2199ce208ca286868d1009608d7..9c618ac6a621b6a1b54aea21279354b505e8f3f4 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: delete_sec_context.c 23420 2008-07-26 18:37:48Z lha $");
 
 OM_uint32
 _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
@@ -61,6 +61,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     krb5_auth_con_free (context, ctx->auth_context);
+    if (ctx->kcred)
+       krb5_free_creds(context, ctx->kcred);
     if(ctx->source)
        krb5_free_principal (context, ctx->source);
     if(ctx->target)
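Review bot: The new `krb5_free_creds` call releases `ctx->kcred`, but the companion `ctx->ccache` field added to the context in this commit is not released here: init_auth sets `CLOSE_CCACHE` when it opened the default cache itself, and only `gsskrb5_initiator_ready` (and init_auth's own failure label) closes it, so a context deleted between the first token and INITIATOR_READY — peer rejects, application gives up — leaks the ccache handle. Add the same cleanup used in initiator_ready: `if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE)) krb5_cc_close(context, ctx->ccache);`. For symmetry with that function the freed pointer could also be reset, `ctx->kcred = NULL;`. `_gsskrb5_delete_sec_context` continues outside the hunk.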
index c0192522a72a42e3ae75ae0d104beec2db6b68dc..f932261ffa098b30b9c0088172993d6ce5b3d3a5 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: display_status.c 23316 2008-06-23 04:32:32Z lha $");
 
 static const char *
 calling_error(OM_uint32 v)
@@ -135,7 +135,7 @@ _gsskrb5_set_status (const char *fmt, ...)
     vasprintf(&str, fmt, args);
     va_end(args);
     if (str) {
-       krb5_set_error_string(context, str);
+       krb5_set_error_message(context, 0, str);
        free(str);
     }
 }
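Review bot: `krb5_set_error_message` takes a printf-style format as its third argument, and the new call passes the already-formatted `str` in that position, so any `%` that survived the first `vasprintf` (from a principal name, a peer-supplied error text or a filename) is re-interpreted as a conversion specifier with no matching arguments. The `krb5_set_error_string` call it replaces appears to have had the same shape, so this is inherited rather than introduced, but the replacement is the right moment to fix it: `krb5_set_error_message(context, 0, "%s", str);`. `_gsskrb5_set_status` starts outside the hunk.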
index 03fe61dc5744f772dfd98934d08d16b97aa92fa2..2ee018708a536f583b9f66167d6ab9f78f2ca192 100644 (file)
@@ -34,7 +34,7 @@
 #include "krb5/gsskrb5_locl.h"
 #include <gssapi_mech.h>
 
-RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
+RCSID("$Id: external.c 23420 2008-07-26 18:37:48Z lha $");
 
 /*
  * The implementation must reserve static storage for a
@@ -49,9 +49,10 @@ RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
  */
 
 static gss_OID_desc gss_c_nt_user_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
 
-gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_USER_NAME =
+    &gss_c_nt_user_name_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -66,9 +67,10 @@ gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
  */
 
 static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
 
-gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_MACHINE_UID_NAME =
+    &gss_c_nt_machine_uid_name_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -83,9 +85,10 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
  */
 
 static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
 
-gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_STRING_UID_NAME =
+    &gss_c_nt_string_uid_name_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -106,9 +109,10 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
  */
 
 static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
-{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
 
-gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE_X =
+    &gss_c_nt_hostbased_service_x_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -122,9 +126,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
  * to point to that gss_OID_desc.
  */
 static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
 
-gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE =
+    &gss_c_nt_hostbased_service_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -138,9 +143,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
  */
 
 static gss_OID_desc gss_c_nt_anonymous_oid_desc =
-{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
+    {6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
 
-gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_ANONYMOUS =
+    &gss_c_nt_anonymous_oid_desc;
 
 /*
  * The implementation must reserve static storage for a
@@ -154,9 +160,10 @@ gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
  */
 
 static gss_OID_desc gss_c_nt_export_name_oid_desc =
-{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
 
-gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_EXPORT_NAME =
+    &gss_c_nt_export_name_oid_desc;
 
 /*
  *   This name form shall be represented by the Object Identifier {iso(1)
@@ -166,9 +173,10 @@ gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
  */
 
 static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
 
-gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_PRINCIPAL_NAME =
+    &gss_krb5_nt_principal_name_oid_desc;
 
 /*
  *   This name form shall be represented by the Object Identifier {iso(1)
@@ -177,7 +185,8 @@ gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
  *   type is "GSS_KRB5_NT_USER_NAME".
  */
 
-gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_USER_NAME =
+    &gss_c_nt_user_name_oid_desc;
 
 /*
  *   This name form shall be represented by the Object Identifier {iso(1)
@@ -186,7 +195,8 @@ gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
  *   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
  */
 
-gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_MACHINE_UID_NAME =
+    &gss_c_nt_machine_uid_name_oid_desc;
 
 /*
  *   This name form shall be represented by the Object Identifier {iso(1)
@@ -195,7 +205,8 @@ gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
  *   this type is "GSS_KRB5_NT_STRING_UID_NAME".
  */
 
-gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_STRING_UID_NAME =
+    &gss_c_nt_string_uid_name_oid_desc;
 
 /*
  *   To support ongoing experimentation, testing, and evolution of the
@@ -217,14 +228,15 @@ gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
 #if 0 /* This is the old OID */
 
 static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
+    {5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
 
 #endif
 
 static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
 
-gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_MECHANISM =
+    &gss_krb5_mechanism_oid_desc;
 
 /*
  * draft-ietf-cat-iakerb-09, IAKERB:
@@ -240,23 +252,26 @@ gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
  */
 
 static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc =
-{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
+    {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
 
-gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_PROXY_MECHANISM =
+    &gss_iakerb_proxy_mechanism_oid_desc;
 
 static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
-{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
+    {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
 
-gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_MIN_MSG_MECHANISM =
+    &gss_iakerb_min_msg_mechanism_oid_desc;
 
 /*
  *
  */
 
 static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
-{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
+    {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
 
-gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_C_PEER_HAS_UPDATED_SPNEGO =
+    &gss_c_peer_has_updated_spnego_oid_desc;
 
 /*
  * 1.2.752.43.13 Heimdal GSS-API Extentions
@@ -264,111 +279,143 @@ gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
 
 /* 1.2.752.43.13.1 */
 static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
 
-gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COPY_CCACHE_X =
+    &gss_krb5_copy_ccache_x_oid_desc;
 
 /* 1.2.752.43.13.2 */
 static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
 
-gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TKT_FLAGS_X =
+    &gss_krb5_get_tkt_flags_x_oid_desc;
 
 /* 1.2.752.43.13.3 */
 static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
 
-gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X =
+    &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
 
 /* 1.2.752.43.13.4 */
 static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
 
-gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COMPAT_DES3_MIC_X =
+    &gss_krb5_compat_des3_mic_x_oid_desc;
 
 /* 1.2.752.43.13.5 */
 static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
 
-gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X =
+    &gss_krb5_register_acceptor_identity_x_desc;
 
 /* 1.2.752.43.13.6 */
 static gss_OID_desc gss_krb5_export_lucid_context_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
 
-gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_X =
+    &gss_krb5_export_lucid_context_x_desc;
 
 /* 1.2.752.43.13.6.1 */
 static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc =
-{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
+    {7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
 
-gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X =
+    &gss_krb5_export_lucid_context_v1_x_desc;
 
 /* 1.2.752.43.13.7 */
 static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
 
-gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DNS_CANONICALIZE_X =
+    &gss_krb5_set_dns_canonicalize_x_desc;
 
 /* 1.2.752.43.13.8 */
 static gss_OID_desc gss_krb5_get_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
 
-gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SUBKEY_X =
+    &gss_krb5_get_subkey_x_desc;
 
 /* 1.2.752.43.13.9 */
 static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
 
-gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_INITIATOR_SUBKEY_X =
+    &gss_krb5_get_initiator_subkey_x_desc;
 
 /* 1.2.752.43.13.10 */
 static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
 
-gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_ACCEPTOR_SUBKEY_X =
+    &gss_krb5_get_acceptor_subkey_x_desc;
 
 /* 1.2.752.43.13.11 */
 static gss_OID_desc gss_krb5_send_to_kdc_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
 
-gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SEND_TO_KDC_X =
+    &gss_krb5_send_to_kdc_x_desc;
 
 /* 1.2.752.43.13.12 */
 static gss_OID_desc gss_krb5_get_authtime_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
 
-gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_AUTHTIME_X =
+    &gss_krb5_get_authtime_x_desc;
 
 /* 1.2.752.43.13.13 */
 static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
 
-gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SERVICE_KEYBLOCK_X =
+    &gss_krb5_get_service_keyblock_x_desc;
 
 /* 1.2.752.43.13.14 */
 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
 
-gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
+    &gss_krb5_set_allowable_enctypes_x_desc;
 
 /* 1.2.752.43.13.15 */
 static gss_OID_desc gss_krb5_set_default_realm_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
 
-gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DEFAULT_REALM_X =
+    &gss_krb5_set_default_realm_x_desc;
 
 /* 1.2.752.43.13.16 */
 static gss_OID_desc gss_krb5_ccache_name_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
 
-gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_CCACHE_NAME_X =
+    &gss_krb5_ccache_name_x_desc;
+
+/* 1.2.752.43.13.17 */
+static gss_OID_desc gss_krb5_set_time_offset_x_desc =
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
+
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_TIME_OFFSET_X =
+    &gss_krb5_set_time_offset_x_desc;
+
+/* 1.2.752.43.13.18 */
+static gss_OID_desc gss_krb5_get_time_offset_x_desc =
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};
+
+gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TIME_OFFSET_X =
+    &gss_krb5_get_time_offset_x_desc;
 
 /* 1.2.752.43.14.1 */
 static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
+    {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
 
-gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
+gss_OID GSSAPI_LIB_VARIABLE GSS_SASL_DIGEST_MD5_MECHANISM = 
+    &gss_sasl_digest_md5_mechanism_desc;
 
 /*
  * Context for krb5 calls.
index 133481ffe17369834488ac8e651f54ca1a619700..f689e624a89b23ed0db6a0561cd87b4d9fef65cd 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: get_mic.c 23112 2008-04-27 18:51:26Z lha $");
 
 static OM_uint32
 mic_des
@@ -88,7 +88,7 @@ mic_des
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
                 &schedule, &zero);
   memcpy (p - 8, hash, 8);     /* SGN_CKSUM */
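Review bot: `DES_set_key_unchecked` skips the parity and weak-key screening that hcrypto's `DES_set_key` performs, and the hunk gives no reason for dropping it; since the old return value was never examined at either call site, the switch mostly makes existing behaviour explicit, but that rationale belongs in the code. A comment at the first call such as `/* key is the context's session/subkey; weak-key and parity screening is not done at this layer */` (confirm which key `key` is before wording it) would do; the second `DES_set_key_unchecked` in the -108 hunk below is the same case. `mic_des` starts outside the hunk.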
@@ -108,7 +108,7 @@ mic_des
          (ctx->more_flags & LOCAL) ? 0 : 0xFF,
          4);
 
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_encrypt ((void *)p, (void *)p, 8,
                   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
 
index 3e8c1b8fa65de5d7952a343478b037f24b183c32..d9af44f960cd1d09105a2a2da361b9bb453210c4 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gsskrb5_locl.h 22655 2008-02-26 12:40:35Z lha $ */
+/* $Id: gsskrb5_locl.h 23435 2008-07-26 20:49:35Z lha $ */
 
 #ifndef GSSKRB5_LOCL_H
 #define GSSKRB5_LOCL_H
@@ -62,11 +62,14 @@ typedef struct {
   enum { LOCAL = 1, OPEN = 2, 
         COMPAT_OLD_DES3 = 4,
          COMPAT_OLD_DES3_SELECTED = 8,
-        ACCEPTOR_SUBKEY = 16
+        ACCEPTOR_SUBKEY = 16,
+        RETRIED = 32,
+        CLOSE_CCACHE = 64
   } more_flags;
   enum gss_ctx_id_t_state {
       /* initiator states */
       INITIATOR_START,
+      INITIATOR_RESTART,
       INITIATOR_WAIT_FOR_MUTAL,
       INITIATOR_READY,
       /* acceptor states */
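Review bot: The new `more_flags` values `RETRIED` and `CLOSE_CCACHE` and the new `INITIATOR_RESTART` state are added without comments, so a reader has to find their users to learn what they mean. From this commit `CLOSE_CCACHE` means the context opened `ctx->ccache` itself via `krb5_cc_default` and must close it (init_auth sets it; initiator_ready and init_auth's failure path honour it), so `CLOSE_CCACHE = 64  /* ctx->ccache is ours to krb5_cc_close */` would be accurate. `RETRIED` is not exercised in the visible hunks, so its comment needs the author's wording — presumably the initiator has already re-sent once after a KRB-ERROR. The typedef continues outside the hunk.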
@@ -74,6 +77,8 @@ typedef struct {
       ACCEPTOR_WAIT_FOR_DCESTYLE,
       ACCEPTOR_READY
   } state;
+  krb5_creds *kcred;
+  krb5_ccache ccache;
   struct krb5_ticket *ticket;
   OM_uint32 lifetime;
   HEIMDAL_MUTEX ctx_id_mutex;
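Review bot: `kcred` and `ccache` are added to the context struct without ownership comments, and their ownership differs: `kcred` is always released by the context (delete_sec_context, initiator_ready), while `ccache` is closed only when `CLOSE_CCACHE` is set because init_auth otherwise aliases the caller's `cred->ccache`. Suggest `krb5_creds *kcred;   /* owned by the ctx; freed on delete and on INITIATOR_READY */` and `krb5_ccache ccache;  /* owned only if CLOSE_CCACHE is set, else aliases cred->ccache */`. The typedef continues outside the hunk.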
index 3300036a81b32dcbce5cb8cfa2b0c249f5318f70..5fd8c941042020fef32a10a6fbbe49e18309f25c 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: import_sec_context.c 22997 2008-04-15 19:36:25Z lha $");
 
 OM_uint32
 _gsskrb5_import_sec_context (
@@ -52,8 +52,7 @@ _gsskrb5_import_sec_context (
     krb5_data data;
     gss_buffer_desc buffer;
     krb5_keyblock keyblock;
-    int32_t tmp;
-    int32_t flags;
+    int32_t flags, tmp;
     gsskrb5_ctx ctx;
     gss_name_t name;
 
@@ -96,8 +95,9 @@ _gsskrb5_import_sec_context (
     /* retrieve the auth context */
 
     ac = ctx->auth_context;
-    if (krb5_ret_uint32 (sp, &ac->flags) != 0)
+    if (krb5_ret_int32 (sp, &tmp) != 0)
        goto failure;
+    ac->flags = tmp;
     if (flags & SC_LOCAL_ADDRESS) {
        if (krb5_ret_address (sp, localp = &local) != 0)
            goto failure;
index c455a5dc8b7246c0c8e795206be5b9c3db114cb8..c9b9e155888f54384a35f37d32dc028bb93c5086 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: init_sec_context.c 22671 2008-03-09 23:57:54Z lha $");
+RCSID("$Id: init_sec_context.c 23422 2008-07-26 18:38:29Z lha $");
 
 /*
  * copy the addresses from `input_chan_bindings' (if any) to
@@ -121,6 +121,8 @@ _gsskrb5_create_ctx(
     ctx->auth_context          = NULL;
     ctx->source                        = NULL;
     ctx->target                        = NULL;
+    ctx->kcred                 = NULL;
+    ctx->ccache                        = NULL;
     ctx->state                 = state;
     ctx->flags                 = 0;
     ctx->more_flags            = 0;
@@ -134,9 +136,7 @@ _gsskrb5_create_ctx(
     kret = krb5_auth_con_init (context, &ctx->auth_context);
     if (kret) {
        *minor_status = kret;
-
        HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
-               
        return GSS_S_FAILURE;
     }
 
@@ -232,27 +232,32 @@ gsskrb5_initiator_ready(
        gsskrb5_ctx ctx,
        krb5_context context)
 {
-       OM_uint32 ret;
-       int32_t seq_number;
-       int is_cfx = 0;
-       OM_uint32 flags = ctx->flags;
-
-       krb5_auth_getremoteseqnumber (context,
-                                     ctx->auth_context,
-                                     &seq_number);
-
-       _gsskrb5i_is_cfx(ctx, &is_cfx);
-
-       ret = _gssapi_msg_order_create(minor_status,
-                                      &ctx->order,
-                                      _gssapi_msg_order_f(flags),
-                                      seq_number, 0, is_cfx);
-       if (ret) return ret;
+    OM_uint32 ret;
+    int32_t seq_number;
+    int is_cfx = 0;
+    OM_uint32 flags = ctx->flags;
+    
+    krb5_free_creds(context, ctx->kcred);
+    ctx->kcred = NULL;
 
-       ctx->state      = INITIATOR_READY;
-       ctx->more_flags |= OPEN;
+    if (ctx->more_flags & CLOSE_CCACHE)
+       krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
 
-       return GSS_S_COMPLETE;
+    krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
+    
+    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    
+    ret = _gssapi_msg_order_create(minor_status,
+                                  &ctx->order,
+                                  _gssapi_msg_order_f(flags),
+                                  seq_number, 0, is_cfx);
+    if (ret) return ret;
+    
+    ctx->state = INITIATOR_READY;
+    ctx->more_flags    |= OPEN;
+    
+    return GSS_S_COMPLETE;
 }
 
 /*
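Review bot: `krb5_free_creds(context, ctx->kcred)` at the top of the rewritten body runs unconditionally, while `_gsskrb5_delete_sec_context` in the same commit guards the identical call with `if (ctx->kcred)`; if `krb5_free_creds` does not tolerate NULL, a context that reaches `gsskrb5_initiator_ready` with `kcred` unset would crash. Either add the same guard, `if (ctx->kcred) krb5_free_creds(context, ctx->kcred);`, or record in a comment why kcred is guaranteed non-NULL here (init_auth has set it before returning success, as far as the visible hunks show). Re-indenting the whole function in the same hunk as the logic change also buries the two real additions; a separate whitespace commit would have made them reviewable.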
@@ -333,7 +338,6 @@ init_auth
  const gss_OID mech_type,
  OM_uint32 req_flags,
  OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
  const gss_buffer_t input_token,
  gss_OID * actual_mech_type,
  gss_buffer_t output_token,
@@ -343,14 +347,7 @@ init_auth
 {
     OM_uint32 ret = GSS_S_FAILURE;
     krb5_error_code kret;
-    krb5_flags ap_options;
-    krb5_creds *kcred = NULL;
     krb5_data outbuf;
-    krb5_ccache ccache = NULL;
-    uint32_t flags;
-    krb5_data authenticator;
-    Checksum cksum;
-    krb5_enctype enctype;
     krb5_data fwd_data;
     OM_uint32 lifetime_rec;
 
@@ -363,16 +360,17 @@ init_auth
        *actual_mech_type = GSS_KRB5_MECHANISM;
 
     if (cred == NULL) {
-       kret = krb5_cc_default (context, &ccache);
+       kret = krb5_cc_default (context, &ctx->ccache);
        if (kret) {
            *minor_status = kret;
            ret = GSS_S_FAILURE;
            goto failure;
        }
+       ctx->more_flags |= CLOSE_CCACHE;
     } else
-       ccache = cred->ccache;
+       ctx->ccache = cred->ccache;
 
-    kret = krb5_cc_get_principal (context, ccache, &ctx->source);
+    kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source);
     if (kret) {
        *minor_status = kret;
        ret = GSS_S_FAILURE;
@@ -407,16 +405,16 @@ init_auth
 
     ret = gsskrb5_get_creds(minor_status,
                            context,
-                           ccache,
+                           ctx->ccache,
                            ctx,
                            ctx->target,
                            time_req,
                            time_rec,
-                           &kcred);
+                           &ctx->kcred);
     if (ret)
        goto failure;
 
-    ctx->lifetime = kcred->times.endtime;
+    ctx->lifetime = ctx->kcred->times.endtime;
 
     ret = _gsskrb5_lifetime_left(minor_status,
                                 context,
@@ -434,17 +432,59 @@ init_auth
 
     krb5_auth_con_setkey(context, 
                         ctx->auth_context, 
-                        &kcred->session);
+                        &ctx->kcred->session);
 
     kret = krb5_auth_con_generatelocalsubkey(context, 
                                             ctx->auth_context,
-                                            &kcred->session);
+                                            &ctx->kcred->session);
     if(kret) {
        *minor_status = kret;
        ret = GSS_S_FAILURE;
        goto failure;
     }
-    
+
+    return GSS_S_COMPLETE;
+
+failure:
+    if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
+       krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
+
+    return ret;
+
+}
+
+static OM_uint32
+init_auth_restart
+(OM_uint32 * minor_status,
+ gsskrb5_cred cred,
+ gsskrb5_ctx ctx,
+ krb5_context context,
+ OM_uint32 req_flags,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_flags ap_options;
+    krb5_data outbuf;
+    uint32_t flags;
+    krb5_data authenticator;
+    Checksum cksum;
+    krb5_enctype enctype;
+    krb5_data fwd_data, timedata;
+    int32_t offset = 0, oldoffset;
+
+    krb5_data_zero(&outbuf);
+    krb5_data_zero(&fwd_data);
+
+    *minor_status = 0;
+
     /* 
      * If the credential doesn't have ok-as-delegate, check what local
      * policy say about ok-as-delegate, default is FALSE that makes
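Review bot: The new `failure:` path in init_auth closes `ctx->ccache` but no longer releases `ctx->kcred`, which `gsskrb5_get_creds` fills earlier in the function, whereas the removed code freed `kcred` on the same path; the `failure:` block in the hunk headed `@@ -570,15 +637,14 @@` has the same asymmetry. If delete_sec_context now owns `ctx->kcred` (that file is in this commit's list), a comment at the label, `/* ctx->kcred is released when the context is deleted */`, would record that; otherwise `krb5_free_creds(context, ctx->kcred); ctx->kcred = NULL;` belongs next to the ccache close. init_auth starts outside the hunk and init_auth_restart continues past it.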
@@ -452,12 +492,24 @@ init_auth
      * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
      * KDC doesn't set ok-as-delegate.
      */
-    if (!kcred->flags.b.ok_as_delegate) {
-       krb5_boolean delegate;
+    if (!ctx->kcred->flags.b.ok_as_delegate) {
+       krb5_boolean delegate, realm_setting;
+       krb5_data data;
     
-       krb5_appdefault_boolean(context,
-                               "gssapi", name->realm,
-                               "ok-as-delegate", FALSE, &delegate);
+       realm_setting = FALSE;
+
+       ret = krb5_cc_get_config(context, ctx->ccache, NULL,
+                                "realm-config", &data);
+       if (ret == 0) {
+           /* XXX 1 is use ok-as-delegate */
+           if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1)
+               realm_setting = TRUE;
+           krb5_data_free(&data);
+       }
+
+       krb5_appdefault_boolean(context, "gssapi", ctx->target->realm,
+                               "ok-as-delegate", realm_setting,
+                               &delegate);
        if (delegate)
            req_flags &= ~GSS_C_DELEG_FLAG;
     }
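Review bot: `ret = krb5_cc_get_config(context, ctx->ccache, NULL, "realm-config", &data);` stores a krb5_error_code in `ret`, the OM_uint32 that carries the GSS major status; nothing reads the stale value before it is reassigned, but the same variable now holds two error domains, and the "time-offset" lookup in the hunk headed `@@ -518,16 +571,33 @@` repeats the pattern. Using `kret` for both calls, `kret = krb5_cc_get_config(...); if (kret == 0) {`, keeps the major status untouched. The `/* XXX 1 is use ok-as-delegate */` bit test would read better with a named constant and a comment such as `/* realm-config bit 0: honour the KDC's ok-as-delegate flag */`. init_auth_restart's body continues on both sides of the hunk.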
@@ -467,7 +519,8 @@ init_auth
     if (req_flags & GSS_C_DELEG_FLAG)
        do_delegation (context,
                       ctx->auth_context,
-                      ccache, kcred, name, &fwd_data, &flags);
+                      ctx->ccache, ctx->kcred, ctx->target,
+                      &fwd_data, &flags);
     
     if (req_flags & GSS_C_MUTUAL_FLAG) {
        flags |= GSS_C_MUTUAL_FLAG;
@@ -518,16 +571,33 @@ init_auth
 
     enctype = ctx->auth_context->keyblock->keytype;
 
+    ret = krb5_cc_get_config(context, ctx->ccache, ctx->target,
+                            "time-offset", &timedata);
+    if (ret == 0) {
+       if (timedata.length == 4) {
+           const u_char *p = timedata.data;
+           offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
+       }
+       krb5_data_free(&timedata);
+    }
+
+    if (offset) {
+       krb5_get_kdc_sec_offset (context, &oldoffset, NULL);
+       krb5_set_kdc_sec_offset (context, offset, -1);
+    }
+
     kret = krb5_build_authenticator (context,
                                     ctx->auth_context,
                                     enctype,
-                                    kcred,
+                                    ctx->kcred,
                                     &cksum,
                                     NULL,
                                     &authenticator,
                                     KRB5_KU_AP_REQ_AUTH);
 
     if (kret) {
+       if (offset)
+           krb5_set_kdc_sec_offset (context, oldoffset, -1);
        *minor_status = kret;
        ret = GSS_S_FAILURE;
        goto failure;
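Review bot: `offset = (p[0] <<24) | ...` left-shifts an int-promoted byte; when `p[0] >= 0x80`, which is the case for every negative skew that repl_mutual stores, shifting into the sign bit is undefined behaviour, so the decode should use unsigned arithmetic and then narrow: `offset = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);`. The `krb5_set_kdc_sec_offset` override presumably applies to the whole krb5_context, so anything else using that context between the set and the restore after `krb5_build_ap_req` would see the skew too; a comment on `if (offset)` noting that window would help the next reader. init_auth_restart starts and ends outside the hunk.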
@@ -535,11 +605,12 @@ init_auth
 
     kret = krb5_build_ap_req (context,
                              enctype,
-                             kcred,
+                             ctx->kcred,
                              ap_options,
                              authenticator,
                              &outbuf);
-
+    if (offset)
+       krb5_set_kdc_sec_offset (context, oldoffset, -1);
     if (kret) {
        *minor_status = kret;
        ret = GSS_S_FAILURE;
@@ -552,16 +623,12 @@ init_auth
     } else {
         ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
                                    (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+       krb5_data_free (&outbuf);
        if (ret)
            goto failure;
-
-       krb5_data_free (&outbuf);
     }
 
-    krb5_free_creds(context, kcred);
     free_Checksum(&cksum);
-    if (cred == NULL)
-       krb5_cc_close(context, ccache);
 
     if (flags & GSS_C_MUTUAL_FLAG) {
        ctx->state = INITIATOR_WAIT_FOR_MUTAL;
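Review bot: `free_Checksum(&cksum)` is still skipped when `_gsskrb5_encapsulate` fails, because the `goto failure` precedes it; the same move that placed `krb5_data_free(&outbuf)` ahead of the `if (ret)` check would fix it for `cksum`, or the `failure:` label could free it. The `if` branch that pairs with this `else` lies outside the hunk, so whether `cksum` is still needed there should be confirmed before moving the call. init_auth_restart continues outside the hunk.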
@@ -570,15 +637,14 @@ init_auth
 
     return gsskrb5_initiator_ready(minor_status, ctx, context);
 failure:
-    if(kcred)
-       krb5_free_creds(context, kcred);
-    if (ccache && cred == NULL)
-       krb5_cc_close(context, ccache);
+    if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
+       krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
 
     return ret;
-
 }
 
+
 static OM_uint32
 repl_mutual
 (OM_uint32 * minor_status,
@@ -617,8 +683,46 @@ repl_mutual
                                    &indata,
                                    "\x02\x00",
                                    GSS_KRB5_MECHANISM);
-       if (ret) {
-           /* XXX - Handle AP_ERROR */
+       if (ret == GSS_S_DEFECTIVE_TOKEN) {
+           /* check if there is an error token sent instead */
+           ret = _gsskrb5_decapsulate (minor_status,
+                                       input_token,
+                                       &indata,
+                                       "\x03\x00",
+                                       GSS_KRB5_MECHANISM);
+           if (ret == GSS_S_COMPLETE) {
+               KRB_ERROR error;
+               
+               kret = krb5_rd_error(context, &indata, &error);
+               if (kret == 0) {
+                   kret = krb5_error_from_rd_error(context, &error, NULL);
+
+                   /* save the time skrew for this host */
+                   if (kret == KRB5KRB_AP_ERR_SKEW) {
+                       krb5_data timedata;
+                       unsigned char p[4];
+                       int32_t t = error.stime - time(NULL);
+
+                       p[0] = (t >> 24) & 0xFF;
+                       p[1] = (t >> 16) & 0xFF;
+                       p[2] = (t >> 8)  & 0xFF;
+                       p[3] = (t >> 0)  & 0xFF;
+
+                       timedata.data = p;
+                       timedata.length = sizeof(p);
+
+                       krb5_cc_set_config(context, ctx->ccache, ctx->target,
+                                          "time-offset", &timedata);
+
+                       if ((ctx->more_flags & RETRIED) == 0)
+                           ctx->state = INITIATOR_RESTART;
+                       ctx->more_flags |= RETRIED;
+                   }
+                   free_KRB_ERROR (&error);
+               }
+               *minor_status = kret;
+               return GSS_S_FAILURE;
+           }
            return ret;
        }
     }
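Review bot: The offset stored via `krb5_cc_set_config(..., "time-offset", &timedata)` is derived from `error.stime` of a KRB-ERROR, which carries no integrity protection, and it is persisted in the credential cache for `ctx->target` and re-applied by later restarts; a comment stating that origin and a sanity bound on `t` before the store would limit what a malformed or spoofed error token can push into the cache. `int32_t t = error.stime - time(NULL);` also narrows a `time_t` difference silently; computing it in `time_t` and checking it fits `int32_t` would make the truncation explicit. The return value of `krb5_cc_set_config` is discarded, so a failed store is indistinguishable from success on the retry path. repl_mutual starts outside the hunk.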
@@ -661,30 +765,31 @@ repl_mutual
        *ret_flags = ctx->flags;
 
     if (req_flags & GSS_C_DCE_STYLE) {
-       int32_t con_flags;
+       int32_t local_seq, remote_seq;
        krb5_data outbuf;
 
-       /* Do don't do sequence number for the mk-rep */
-       krb5_auth_con_removeflags(context,
-                                 ctx->auth_context,
-                                 KRB5_AUTH_CONTEXT_DO_SEQUENCE,
-                                 &con_flags);
+       /*
+        * So DCE_STYLE is strange. The client echos the seq number
+        * that the server used in the server's mk_rep in its own
+        * mk_rep(). After when done, it resets to it's own seq number
+        * for the gss_wrap calls.
+        */
 
-       kret = krb5_mk_rep(context,
-                          ctx->auth_context,
-                          &outbuf);
+       krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
+       krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq);
+       krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq);
+
+       kret = krb5_mk_rep(context, ctx->auth_context, &outbuf);
        if (kret) {
            *minor_status = kret;
            return GSS_S_FAILURE;
        }
        
+       /* reset local seq number */
+       krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); 
+
        output_token->length = outbuf.length;
        output_token->value  = outbuf.data;
-
-       krb5_auth_con_removeflags(context,
-                                 ctx->auth_context,
-                                 KRB5_AUTH_CONTEXT_DO_SEQUENCE,
-                                 NULL);
     }
 
     return gsskrb5_initiator_ready(minor_status, ctx, context);
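Review bot: The return values of `krb5_auth_getremoteseqnumber`, `krb5_auth_con_getlocalseqnumber` and `krb5_auth_con_setlocalseqnumber` are discarded, so if the remote lookup fails `remote_seq` is passed uninitialised as the local sequence number for `krb5_mk_rep`; assigning the two getters to `kret` and adding `if (kret) { *minor_status = kret; return GSS_S_FAILURE; }` closes that. The remote getter is called through the legacy `krb5_auth_getremoteseqnumber` name while the local one uses the `krb5_auth_con_` form; `krb5_auth_con_getremoteseqnumber`, if this tree exports it, would be consistent. repl_mutual starts outside the hunk.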
@@ -768,6 +873,7 @@ OM_uint32 _gsskrb5_init_sec_context
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
+ again:
     switch (ctx->state) {
     case INITIATOR_START:
        ret = init_auth(minor_status,
@@ -778,12 +884,26 @@ OM_uint32 _gsskrb5_init_sec_context
                        mech_type,
                        req_flags,
                        time_req,
-                       input_chan_bindings,
                        input_token,
                        actual_mech_type,
                        output_token,
                        ret_flags,
                        time_rec);
+       if (ret != GSS_S_COMPLETE)
+           break;          
+       /* FALL THOUGH */
+    case INITIATOR_RESTART:
+       ret = init_auth_restart(minor_status,
+                               cred,
+                               ctx,
+                               context,
+                               req_flags,
+                               input_chan_bindings,
+                               input_token,
+                               actual_mech_type,
+                               output_token,
+                               ret_flags,
+                               time_rec);
        break;
     case INITIATOR_WAIT_FOR_MUTAL:
        ret = repl_mutual(minor_status,
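Review bot: `/* FALL THOUGH */` should read `/* FALL THROUGH */`, and since this is the only annotation of the intended drop from `INITIATOR_START` into `INITIATOR_RESTART`, it is worth stating what the restart case depends on: `/* FALL THROUGH: init_auth has populated ctx->ccache and ctx->kcred */`. The `break;` after the init_auth call carries trailing whitespace. The switch continues outside the hunk.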
@@ -798,6 +918,8 @@ OM_uint32 _gsskrb5_init_sec_context
                          output_token,
                          ret_flags,
                          time_rec);
+       if (ctx->state == INITIATOR_RESTART)
+           goto again;
        break;
     case INITIATOR_READY:
        /* 
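Review bot: `goto again` re-enters the switch while `ctx->ctx_id_mutex` is still held and terminates only because repl_mutual sets `INITIATOR_RESTART` solely when `RETRIED` is clear; that invariant lives in another file section, so a comment at the `again:` label in the hunk above, `/* at most one retry: repl_mutual sets INITIATOR_RESTART only while RETRIED is clear */`, would keep it visible here. The switch continues past the end of the hunk.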
index 85b50d032286fe12caec230283a0cf88b81cc1ae..8c554fb8e0f54a3b340c9e303bed6d468f1e6b80 100644 (file)
@@ -32,7 +32,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: set_cred_option.c 22655 2008-02-26 12:40:35Z lha $");
+RCSID("$Id: set_cred_option.c 23331 2008-06-27 12:01:48Z lha $");
 
 /* 1.2.752.43.13.17 */
 static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc =
index 50441a11ad3cb88c5c4eecfc29c859c7639404c6..fd76838af514688bf8d61dcd8eb1e74f96501128 100644 (file)
@@ -36,7 +36,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $");
+RCSID("$Id: set_sec_context_option.c 23420 2008-07-26 18:37:48Z lha $");
 
 static OM_uint32
 get_bool(OM_uint32 *minor_status,
@@ -70,6 +70,36 @@ get_string(OM_uint32 *minor_status,
     return GSS_S_COMPLETE;
 }
 
+static OM_uint32
+get_int32(OM_uint32 *minor_status,
+         const gss_buffer_t value,
+         OM_uint32 *ret)
+{
+    *minor_status = 0;
+    if (value == NULL || value->length == 0)
+       *ret = 0;
+    else if (value->length == sizeof(*ret))
+       memcpy(ret, value->value, sizeof(*ret));
+    else
+       return GSS_S_UNAVAILABLE;
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+set_int32(OM_uint32 *minor_status,
+         const gss_buffer_t value,
+         OM_uint32 set)
+{
+    *minor_status = 0;
+    if (value->length == sizeof(set))
+       memcpy(value->value, &set, sizeof(set));
+    else
+       return GSS_S_UNAVAILABLE;
+
+    return GSS_S_COMPLETE;
+}
+
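Review bot: `set_int32` dereferences `value` unconditionally while `get_int32` guards `value == NULL`, so the GET_TIME_OFFSET caller faults on an absent buffer instead of getting `GSS_S_UNAVAILABLE`; `if (value == NULL || value->length != sizeof(set)) return GSS_S_UNAVAILABLE;` makes the two helpers consistent. Both are named `int32` but carry `OM_uint32`; a one-line comment that the buffer holds a raw 32-bit two's-complement value in host byte order, copied with `memcpy`, would document the contract the GET/SET branches rely on.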
 OM_uint32
 _gsskrb5_set_sec_context_option
            (OM_uint32 *minor_status,
@@ -185,6 +215,35 @@ _gsskrb5_set_sec_context_option
            return GSS_S_FAILURE;
 
        return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
+       OM_uint32 offset;
+       time_t t;
+
+       maj_stat = get_int32(minor_status, value, &offset);
+       if (maj_stat != GSS_S_COMPLETE)
+           return maj_stat;
+
+       t = time(NULL) + offset;
+       
+       krb5_set_real_time(context, t, 0);
+
+       *minor_status = 0;
+       return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
+       krb5_timestamp sec;
+       int32_t usec;
+       time_t t;
+
+       t = time(NULL);
+
+       krb5_us_timeofday (context, &sec, &usec);
+
+       maj_stat = set_int32(minor_status, value, sec - t);
+       if (maj_stat != GSS_S_COMPLETE)
+           return maj_stat;
+
+       *minor_status = 0;
+       return GSS_S_COMPLETE;
     }
 
     *minor_status = EINVAL;
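Review bot: `t = time(NULL) + offset;` adds an OM_uint32, so a negative offset — which is what the GET branch hands out as `sec - t` when the local clock is ahead — becomes a large positive addend wherever `time_t` is wider than 32 bits, and the clock jumps far into the future instead of back. Narrowing first, `t = time(NULL) + (int32_t)offset;`, gives the intended signed adjustment. The return of `krb5_set_real_time` is discarded, and the call presumably adjusts the shared krb5_context rather than this security context, which deserves a comment above it. _gsskrb5_set_sec_context_option starts and ends outside the hunk.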
index d0a33d86fbfcbde2b15b7f068b31286138f8fb74..eec4078a706017102c3a12e63a0072e84de13283 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: unwrap.c 23112 2008-04-27 18:51:26Z lha $");
 
 static OM_uint32
 unwrap_des
@@ -93,7 +93,7 @@ unwrap_des
 
       for (i = 0; i < sizeof(deskey); ++i)
          deskey[i] ^= 0xf0;
-      DES_set_key (&deskey, &schedule);
+      DES_set_key_unchecked (&deskey, &schedule);
       memset (&zero, 0, sizeof(zero));
       DES_cbc_encrypt ((void *)p,
                       (void *)p,
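Review bot: `DES_set_key_unchecked` schedules the key without the parity and weak-key checks a checked variant performs, and this hunk, the two below it in unwrap.c, and the same replacements in verify_mic.c and wrap.c all now feed the session key (and its 0xf0-xored variant) through it. If the intent is that these keys were already validated when the session key was established, a comment at this first call site, `/* session-derived key: parity/weak-key checks intentionally skipped */`, would record the decision; otherwise a weak key is now silently scheduled where a checked call can reject it. `deskey` and `schedule` hold key material on the stack and are not cleared after use, which predates this commit but is worth noting next to the change. unwrap_des continues outside the hunk.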
@@ -119,7 +119,7 @@ unwrap_des
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
                 &schedule, &zero);
   if (memcmp (p - 8, hash, 8) != 0)
@@ -130,7 +130,7 @@ unwrap_des
   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
   p -= 16;
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_encrypt ((void *)p, (void *)p, 8,
                   &schedule, (DES_cblock *)hash, DES_DECRYPT);
 
index 52381afcc28ae9fc11645ca1119df452c0667432..560c14bc89560d442c6c86fffc9983d98ea63214 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id: verify_mic.c 23112 2008-04-27 18:51:26Z lha $");
 
 static OM_uint32
 verify_mic_des
@@ -83,7 +83,7 @@ verify_mic_des
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
 
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
                 &schedule, &zero);
   if (memcmp (p - 8, hash, 8) != 0) {
@@ -97,7 +97,7 @@ verify_mic_des
   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
   p -= 16;
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_encrypt ((void *)p, (void *)p, 8,
                   &schedule, (DES_cblock *)hash, DES_DECRYPT);
 
index d41379870ae90976023c661c0a317ba91a4de65f..6d00f2adcfbadf708d1b43e397cdd4b371e0fd42 100644 (file)
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $");
+RCSID("$Id: wrap.c 23316 2008-06-23 04:32:32Z lha $");
 
 /*
  * Return initiator subkey, or if that doesn't exists, the subkey.
@@ -61,7 +61,7 @@ _gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
                                   ctx->auth_context, 
                                   key);
     if (ret == 0 && *key == NULL) {
-       krb5_set_error_string(context, "No initiator subkey available");
+       krb5_set_error_message(context, 0, "No initiator subkey available");
        return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return ret;
@@ -85,7 +85,7 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
                                     key);
     }
     if (ret == 0 && *key == NULL) {
-       krb5_set_error_string(context, "No acceptor subkey available");
+       krb5_set_error_message(context, 0, "No acceptor subkey available");
        return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return ret;
@@ -106,7 +106,7 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
            _gsskrb5i_get_initiator_subkey(ctx, context, key);
     }
     if (*key == NULL) {
-       krb5_set_error_string(context, "No token key available");
+       krb5_set_error_message(context, 0, "No token key available");
        return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return 0;
@@ -259,7 +259,7 @@ wrap_des
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
                 &schedule, &zero);
   memcpy (p - 8, hash, 8);
@@ -279,7 +279,7 @@ wrap_des
          (ctx->more_flags & LOCAL) ? 0 : 0xFF,
          4);
 
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_encrypt ((void *)p, (void *)p, 8,
                   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
 
@@ -296,7 +296,7 @@ wrap_des
 
       for (i = 0; i < sizeof(deskey); ++i)
          deskey[i] ^= 0xf0;
-      DES_set_key (&deskey, &schedule);
+      DES_set_key_unchecked (&deskey, &schedule);
       memset (&zero, 0, sizeof(zero));
       DES_cbc_encrypt ((void *)p,
                       (void *)p,
index cb1b62308c0a0b28cb5110011eb5f243eb55e982..a2757140ae24db293fd34cbfff0fb6f692ecaa45 100644 (file)
--- a/