summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-05-07 04:51:30 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:05:39 -0500
commit835926c87921a0f4186a9331b6e31b2e6f1c0d90 (patch)
tree1086d806019f4f7a86dc7b0073017a0fb876b6c2
parent7a0b65efce3669643d21a2e209d4bf2626a5e948 (diff)
downloadsamba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.tar.gz
samba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.tar.bz2
samba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.zip
r15481: Update heimdal/ to match current lorikeet-heimdal.
This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
-rw-r--r--source4/heimdal/kdc/524.c6
-rw-r--r--source4/heimdal/kdc/kaserver.c119
-rw-r--r--source4/heimdal/kdc/kdc-private.h6
-rw-r--r--source4/heimdal/kdc/kdc.h3
-rw-r--r--source4/heimdal/kdc/kerberos4.c60
-rw-r--r--source4/heimdal/kdc/kerberos5.c87
-rw-r--r--source4/heimdal/kdc/misc.c12
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c208
-rw-r--r--source4/heimdal/kdc/rx.h16
-rw-r--r--source4/heimdal/lib/asn1/parse.c106
-rw-r--r--source4/heimdal/lib/asn1/pkcs9.asn13
-rwxr-xr-xsource4/heimdal/lib/des/aes.h4
-rw-r--r--source4/heimdal/lib/des/des.c6
-rw-r--r--source4/heimdal/lib/des/dh.h4
-rw-r--r--source4/heimdal/lib/des/engine.h6
-rw-r--r--source4/heimdal/lib/des/evp.c2
-rw-r--r--source4/heimdal/lib/des/hash.h6
-rw-r--r--source4/heimdal/lib/des/md4.c24
-rw-r--r--source4/heimdal/lib/des/md4.h4
-rw-r--r--source4/heimdal/lib/des/md5.c24
-rw-r--r--source4/heimdal/lib/des/md5.h6
-rw-r--r--source4/heimdal/lib/des/pkcs5.c8
-rwxr-xr-xsource4/heimdal/lib/des/rijndael-alg-fst.c8
-rwxr-xr-xsource4/heimdal/lib/des/rijndael-alg-fst.h8
-rw-r--r--source4/heimdal/lib/des/rnd_keys.c8
-rw-r--r--source4/heimdal/lib/des/sha.c28
-rw-r--r--source4/heimdal/lib/des/sha.h6
-rw-r--r--source4/heimdal/lib/des/sha256.c28
-rw-r--r--source4/heimdal/lib/gssapi/8003.c8
-rw-r--r--source4/heimdal/lib/gssapi/arcfour.c14
-rwxr-xr-xsource4/heimdal/lib/gssapi/cfx.c11
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h8
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h6
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/wrap.c4
-rw-r--r--source4/heimdal/lib/hdb/ext.c6
-rw-r--r--source4/heimdal/lib/hdb/hdb-private.h7
-rw-r--r--source4/heimdal/lib/hdb/hdb.c2
-rw-r--r--source4/heimdal/lib/hdb/hdb.h86
-rw-r--r--source4/heimdal/lib/hdb/keys.c16
-rw-r--r--source4/heimdal/lib/hdb/keytab.c4
-rw-r--r--source4/heimdal/lib/hdb/mkey.c4
-rw-r--r--source4/heimdal/lib/hdb/ndbm.c2
-rw-r--r--source4/heimdal/lib/krb5/addr_families.c6
-rw-r--r--source4/heimdal/lib/krb5/changepw.c4
-rw-r--r--source4/heimdal/lib/krb5/crc.c6
-rw-r--r--source4/heimdal/lib/krb5/crypto.c12
-rw-r--r--source4/heimdal/lib/krb5/generate_seq_number.c6
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c3
-rw-r--r--source4/heimdal/lib/krb5/kcm.c10
-rw-r--r--source4/heimdal/lib/krb5/keytab_file.c4
-rw-r--r--source4/heimdal/lib/krb5/keytab_keyfile.c7
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h26
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h34
-rw-r--r--source4/heimdal/lib/krb5/krb5-v4compat.h10
-rw-r--r--source4/heimdal/lib/krb5/krb5.h12
-rw-r--r--source4/heimdal/lib/krb5/krb5_ccapi.h4
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h2
-rw-r--r--source4/heimdal/lib/krb5/log.c6
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c193
-rw-r--r--source4/heimdal/lib/krb5/principal.c3
-rw-r--r--source4/heimdal/lib/krb5/store.c79
-rw-r--r--source4/heimdal/lib/krb5/v4_glue.c38
-rw-r--r--source4/kdc/hdb-ldb.c360
64 files changed, 1143 insertions, 668 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c
index 9fcf40a4c2..14969aaa52 100644
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: 524.c,v 1.36 2006/04/07 22:12:28 lha Exp $");
+RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $");
#include <krb5-v4compat.h>
@@ -66,7 +66,7 @@ fetch_server (krb5_context context,
krb5_get_err_text(context, ret));
return ret;
}
- ret = _kdc_db_fetch(context, config, sprinc, HDB_ENT_TYPE_SERVER, server);
+ ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server);
krb5_free_principal(context, sprinc);
if (ret) {
kdc_log(context, config, 0,
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
index 05fedeca29..c08a51b9cc 100644
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $");
#include <krb5-v4compat.h>
#include <rx.h>
@@ -107,38 +107,69 @@ RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $");
#define KATOOSOON (180521L)
#define KALOCKED (180522L)
-static void
+
+static krb5_error_code
decode_rx_header (krb5_storage *sp,
struct rx_header *h)
{
- krb5_ret_int32(sp, &h->epoch);
- krb5_ret_int32(sp, &h->connid);
- krb5_ret_int32(sp, &h->callid);
- krb5_ret_int32(sp, &h->seqno);
- krb5_ret_int32(sp, &h->serialno);
- krb5_ret_int8(sp, &h->type);
- krb5_ret_int8(sp, &h->flags);
- krb5_ret_int8(sp, &h->status);
- krb5_ret_int8(sp, &h->secindex);
- krb5_ret_int16(sp, &h->reserved);
- krb5_ret_int16(sp, &h->serviceid);
+ krb5_error_code ret;
+
+ ret = krb5_ret_uint32(sp, &h->epoch);
+ if (ret) return ret;
+ ret = krb5_ret_uint32(sp, &h->connid);
+ if (ret) return ret;
+ ret = krb5_ret_uint32(sp, &h->callid);
+ if (ret) return ret;
+ ret = krb5_ret_uint32(sp, &h->seqno);
+ if (ret) return ret;
+ ret = krb5_ret_uint32(sp, &h->serialno);
+ if (ret) return ret;
+ ret = krb5_ret_uint8(sp, &h->type);
+ if (ret) return ret;
+ ret = krb5_ret_uint8(sp, &h->flags);
+ if (ret) return ret;
+ ret = krb5_ret_uint8(sp, &h->status);
+ if (ret) return ret;
+ ret = krb5_ret_uint8(sp, &h->secindex);
+ if (ret) return ret;
+ ret = krb5_ret_uint16(sp, &h->reserved);
+ if (ret) return ret;
+ ret = krb5_ret_uint16(sp, &h->serviceid);
+ if (ret) return ret;
+
+ return 0;
}
-static void
+static krb5_error_code
encode_rx_header (struct rx_header *h,
krb5_storage *sp)
{
- krb5_store_int32(sp, h->epoch);
- krb5_store_int32(sp, h->connid);
- krb5_store_int32(sp, h->callid);
- krb5_store_int32(sp, h->seqno);
- krb5_store_int32(sp, h->serialno);
- krb5_store_int8(sp, h->type);
- krb5_store_int8(sp, h->flags);
- krb5_store_int8(sp, h->status);
- krb5_store_int8(sp, h->secindex);
- krb5_store_int16(sp, h->reserved);
- krb5_store_int16(sp, h->serviceid);
+ krb5_error_code ret;
+
+ ret = krb5_store_uint32(sp, h->epoch);
+ if (ret) return ret;
+ ret = krb5_store_uint32(sp, h->connid);
+ if (ret) return ret;
+ ret = krb5_store_uint32(sp, h->callid);
+ if (ret) return ret;
+ ret = krb5_store_uint32(sp, h->seqno);
+ if (ret) return ret;
+ ret = krb5_store_uint32(sp, h->serialno);
+ if (ret) return ret;
+ ret = krb5_store_uint8(sp, h->type);
+ if (ret) return ret;
+ ret = krb5_store_uint8(sp, h->flags);
+ if (ret) return ret;
+ ret = krb5_store_uint8(sp, h->status);
+ if (ret) return ret;
+ ret = krb5_store_uint8(sp, h->secindex);
+ if (ret) return ret;
+ ret = krb5_store_uint16(sp, h->reserved);
+ if (ret) return ret;
+ ret = krb5_store_uint16(sp, h->serviceid);
+ if (ret) return ret;
+
+ return 0;
}
static void
@@ -162,7 +193,7 @@ init_reply_header (struct rx_header *hdr,
static void
make_error_reply (struct rx_header *hdr,
- u_int32_t ret,
+ uint32_t ret,
krb5_data *reply)
{
@@ -171,7 +202,7 @@ make_error_reply (struct rx_header *hdr,
init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
sp = krb5_storage_emem();
- encode_rx_header (&reply_hdr, sp);
+ ret = encode_rx_header (&reply_hdr, sp);
krb5_store_int32(sp, ret);
krb5_storage_to_data (sp, reply);
krb5_storage_free (sp);
@@ -249,11 +280,12 @@ create_reply_ticket (krb5_context context,
int kvno,
int32_t max_seq_len,
const char *sname, const char *sinstance,
- u_int32_t challenge,
+ uint32_t challenge,
const char *label,
krb5_keyblock *key,
krb5_data *reply)
{
+ krb5_error_code ret;
krb5_data ticket;
krb5_keyblock session;
krb5_storage *sp;
@@ -339,7 +371,7 @@ create_reply_ticket (krb5_context context,
/* create the reply packet */
init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
sp = krb5_storage_emem ();
- encode_rx_header (&reply_hdr, sp);
+ ret = encode_rx_header (&reply_hdr, sp);
krb5_store_int32 (sp, max_seq_len);
krb5_store_xdr_data (sp, enc_data);
krb5_data_free (&enc_data);
@@ -410,7 +442,7 @@ do_authenticate (krb5_context context,
Key *skey = NULL;
krb5_storage *reply_sp;
time_t max_life;
- u_int8_t life;
+ uint8_t life;
int32_t chal;
char client_name[256];
char server_name[256];
@@ -433,8 +465,7 @@ do_authenticate (krb5_context context,
client_name, from, server_name);
ret = _kdc_db_fetch4 (context, config, name, instance,
- config->v4_realm, HDB_ENT_TYPE_CLIENT,
- &client_entry);
+ config->v4_realm, HDB_F_GET_CLIENT, &client_entry);
if (ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
@@ -444,7 +475,7 @@ do_authenticate (krb5_context context,
ret = _kdc_db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm,
- HDB_ENT_TYPE_SERVER, &server_entry);
+ HDB_F_GET_KRBTGT, &server_entry);
if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
@@ -650,8 +681,7 @@ do_getticket (krb5_context context,
"%s.%s@%s", name, instance, config->v4_realm);
ret = _kdc_db_fetch4 (context, config, name, instance,
- config->v4_realm, HDB_ENT_TYPE_SERVER,
- &server_entry);
+ config->v4_realm, HDB_F_GET_SERVER, &server_entry);
if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
@@ -660,8 +690,7 @@ do_getticket (krb5_context context,
}
ret = _kdc_db_fetch4 (context, config, "krbtgt",
- config->v4_realm, config->v4_realm,
- HDB_ENT_TYPE_CLIENT, &krbtgt_entry);
+ config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry);
if (ret) {
kdc_log(context, config, 0,
"Server not found in database: %s.%s@%s: %s",
@@ -734,8 +763,8 @@ do_getticket (krb5_context context,
client_name, from, server_name);
ret = _kdc_db_fetch4 (context, config,
- ad.pname, ad.pinst, ad.prealm,
- HDB_ENT_TYPE_CLIENT, &client_entry);
+ ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT,
+ &client_entry);
if(ret && ret != HDB_ERR_NOENTRY) {
kdc_log(context, config, 0,
"Client not found in database: (krb4) %s: %s",
@@ -842,14 +871,16 @@ _kdc_do_kaserver(krb5_context context,
{
krb5_error_code ret = 0;
struct rx_header hdr;
- u_int32_t op;
+ uint32_t op;
krb5_storage *sp;
if (len < RX_HEADER_SIZE)
return -1;
sp = krb5_storage_from_mem (buf, len);
- decode_rx_header (sp, &hdr);
+ ret = decode_rx_header (sp, &hdr);
+ if (ret)
+ goto out;
buf += RX_HEADER_SIZE;
len -= RX_HEADER_SIZE;
@@ -875,7 +906,9 @@ _kdc_do_kaserver(krb5_context context,
goto out;
}
- krb5_ret_int32(sp, &op);
+ ret = krb5_ret_uint32(sp, &op);
+ if (ret)
+ goto out;
switch (op) {
case AUTHENTICATE :
case AUTHENTICATE_V2 :
diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h
index c718b1fd52..251e06b14a 100644
--- a/source4/heimdal/kdc/kdc-private.h
+++ b/source4/heimdal/kdc/kdc-private.h
@@ -28,8 +28,8 @@ krb5_error_code
_kdc_db_fetch (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
- krb5_principal /*principal*/,
- enum hdb_ent_type /*ent_type*/,
+ krb5_const_principal /*principal*/,
+ unsigned /*flags*/,
hdb_entry_ex **/*h*/);
krb5_error_code
@@ -39,7 +39,7 @@ _kdc_db_fetch4 (
const char */*name*/,
const char */*instance*/,
const char */*realm*/,
- enum hdb_ent_type /*ent_type*/,
+ unsigned /*flags*/,
hdb_entry_ex **/*ent*/);
krb5_error_code
diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
index 3d25729d4e..2948570e3a 100644
--- a/source4/heimdal/kdc/kdc.h
+++ b/source4/heimdal/kdc/kdc.h
@@ -35,7 +35,7 @@
*/
/*
- * $Id: kdc.h,v 1.5 2005/10/21 17:11:21 lha Exp $
+ * $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $
*/
#ifndef __KDC_H__
@@ -72,6 +72,7 @@ typedef struct krb5_kdc_configuration {
krb5_boolean enable_pkinit;
krb5_boolean enable_pkinit_princ_in_cert;
+ char *pkinit_kdc_ocsp_file;
krb5_log_facility *logf;
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index 030405adc2..4ece1a47d6 100644
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,11 +35,11 @@
#include <krb5-v4compat.h>
-RCSID("$Id: kerberos4.c,v 1.57 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $");
#ifndef swap32
-static u_int32_t
-swap32(u_int32_t x)
+static uint32_t
+swap32(uint32_t x)
{
return ((x << 24) & 0xff000000) |
((x << 8) & 0xff0000) |
@@ -62,12 +62,17 @@ make_err_reply(krb5_context context, krb5_data *reply,
kdc_time, code, msg, reply);
}
+struct valid_princ_ctx {
+ krb5_kdc_configuration *config;
+ unsigned flags;
+};
+
static krb5_boolean
valid_princ(krb5_context context,
void *funcctx,
krb5_principal princ)
{
- krb5_kdc_configuration *config = funcctx;
+ struct valid_princ_ctx *ctx = funcctx;
krb5_error_code ret;
char *s;
hdb_entry_ex *ent;
@@ -75,14 +80,14 @@ valid_princ(krb5_context context,
ret = krb5_unparse_name(context, princ, &s);
if (ret)
return FALSE;
- ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_ANY, &ent);
+ ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent);
if (ret) {
- kdc_log(context, config, 7, "Lookup %s failed: %s", s,
+ kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret));
free(s);
return FALSE;
}
- kdc_log(context, config, 7, "Lookup %s succeeded", s);
+ kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
free(s);
_kdc_free_ent(context, ent);
return TRUE;
@@ -90,19 +95,23 @@ valid_princ(krb5_context context,
krb5_error_code
_kdc_db_fetch4(krb5_context context,
- krb5_kdc_configuration *config,
- const char *name, const char *instance, const char *realm,
- enum hdb_ent_type ent_type,
- hdb_entry_ex **ent)
+ krb5_kdc_configuration *config,
+ const char *name, const char *instance, const char *realm,
+ unsigned flags,
+ hdb_entry_ex **ent)
{
krb5_principal p;
krb5_error_code ret;
+ struct valid_princ_ctx ctx;
+
+ ctx.config = config;
+ ctx.flags = flags;
ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
- valid_princ, config, 0, &p);
+ valid_princ, &ctx, 0, &p);
if(ret)
return ret;
- ret = _kdc_db_fetch(context, config, p, ent_type, ent);
+ ret = _kdc_db_fetch(context, config, p, flags, ent);
krb5_free_principal(context, p);
return ret;
}
@@ -135,7 +144,7 @@ _kdc_do_version4(krb5_context context,
char *sname = NULL, *sinst = NULL;
int32_t req_time;
time_t max_life;
- u_int8_t life;
+ uint8_t life;
char client_name[256];
char server_name[256];
@@ -171,7 +180,7 @@ _kdc_do_version4(krb5_context context,
RCHECK(krb5_ret_int32(sp, &req_time), out1);
if(lsb)
req_time = swap32(req_time);
- RCHECK(krb5_ret_int8(sp, &life), out1);
+ RCHECK(krb5_ret_uint8(sp, &life), out1);
RCHECK(krb5_ret_stringz(sp, &sname), out1);
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
snprintf (client_name, sizeof(client_name),
@@ -182,7 +191,8 @@ _kdc_do_version4(krb5_context context,
kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
- ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_ENT_TYPE_CLIENT, &client);
+ ret = _kdc_db_fetch4(context, config, name, inst, realm,
+ HDB_F_GET_CLIENT, &client);
if(ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
@@ -190,8 +200,8 @@ _kdc_do_version4(krb5_context context,
"principal unknown");
goto out1;
}
- ret = _kdc_db_fetch4(context, config, sname, sinst,
- config->v4_realm, HDB_ENT_TYPE_SERVER, &server);
+ ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+ HDB_F_GET_SERVER, &server);
if(ret){
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
@@ -361,7 +371,8 @@ _kdc_do_version4(krb5_context context,
goto out2;
}
- ret = _kdc_db_fetch(context, config, tgt_princ, HDB_ENT_TYPE_SERVER, &tgt);
+ ret = _kdc_db_fetch(context, config, tgt_princ,
+ HDB_F_GET_KRBTGT, &tgt);
if(ret){
char *s;
s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
@@ -418,7 +429,7 @@ _kdc_do_version4(krb5_context context,
RCHECK(krb5_ret_int32(sp, &req_time), out2);
if(lsb)
req_time = swap32(req_time);
- RCHECK(krb5_ret_int8(sp, &life), out2);
+ RCHECK(krb5_ret_uint8(sp, &life), out2);
RCHECK(krb5_ret_stringz(sp, &sname), out2);
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
snprintf (server_name, sizeof(server_name),
@@ -456,7 +467,8 @@ _kdc_do_version4(krb5_context context,
goto out2;
}
- ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_ENT_TYPE_CLIENT, &client);
+ ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
+ HDB_F_GET_CLIENT, &client);
if(ret && ret != HDB_ERR_NOENTRY) {
char *s;
s = kdc_log_msg(context, config, 0,
@@ -476,8 +488,8 @@ _kdc_do_version4(krb5_context context,
goto out2;
}
- ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
- HDB_ENT_TYPE_SERVER, &server);
+ ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+ HDB_F_GET_SERVER, &server);
if(ret){
char *s;
s = kdc_log_msg(context, config, 0,
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 68720d692e..877b88c155 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.211 2006/04/27 12:01:09 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -120,7 +120,9 @@ static krb5_error_code
find_keys(krb5_context context,
krb5_kdc_configuration *config,
const hdb_entry_ex *client,
- const hdb_entry_ex *server,
+ const char *client_name,
+ const hdb_entry_ex *server,
+ const char *server_name,
Key **ckey,
krb5_enctype *cetype,
Key **skey,
@@ -128,20 +130,14 @@ find_keys(krb5_context context,
krb5_enctype *etypes,
unsigned num_etypes)
{
- char unparse_name[] = "krb5_unparse_name failed";
krb5_error_code ret;
- char *name;
if(client){
/* find client key */
ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
if (ret) {
- if (krb5_unparse_name(context, client->entry.principal, &name) != 0)
- name = unparse_name;
kdc_log(context, config, 0,
- "Client (%s) has no support for etypes", name);
- if (name != unparse_name)
- free(name);
+ "Client (%s) has no support for etypes", client_name);
return ret;
}
}
@@ -150,12 +146,8 @@ find_keys(krb5_context context,
/* find server key */
ret = find_etype(context, server, etypes, num_etypes, skey, setype);
if (ret) {
- if (krb5_unparse_name(context, server->entry.principal, &name) != 0)
- name = unparse_name;
kdc_log(context, config, 0,
- "Server (%s) has no support for etypes", name);
- if (name != unparse_name)
- free(name);
+ "Server (%s) has no support for etypes", server_name);
return ret;
}
}
@@ -243,6 +235,9 @@ log_patypes(krb5_context context,
return;
}
}
+ if (p == NULL)
+ p = rk_strpoolprintf(p, "none");
+
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client sent patypes: %s", str);
free(str);
@@ -899,7 +894,8 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
- ret = _kdc_db_fetch(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client);
+ ret = _kdc_db_fetch(context, config, client_princ,
+ HDB_F_GET_CLIENT, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
@@ -907,7 +903,8 @@ _kdc_as_rep(krb5_context context,
goto out;
}
- ret = _kdc_db_fetch(context, config, server_princ, HDB_ENT_TYPE_SERVER, &server);
+ ret = _kdc_db_fetch(context, config, server_princ,
+ HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &server);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
krb5_get_err_text(context, ret));
@@ -1166,6 +1163,7 @@ _kdc_as_rep(krb5_context context,
* - If the client is 'modern', because it knows about 'new'
* enctype types, then only send the 'info2' reply.
*/
+
/* XXX check ret */
if (only_older_enctype_p(req))
ret = get_pa_etype_info(context, config,
@@ -1200,12 +1198,12 @@ _kdc_as_rep(krb5_context context,
}
ret = find_keys(context, config,
- client, server, &ckey, &cetype, &skey, &setype,
+ client, client_name,
+ server, server_name,
+ &ckey, &cetype, &skey, &setype,
b->etype.val, b->etype.len);
- if(ret) {
- kdc_log(context, config, 0, "Server/client has no support for etypes");
+ if(ret)
goto out;
- }
{
struct rk_strpool *p = NULL;
@@ -1226,6 +1224,9 @@ _kdc_as_rep(krb5_context context,
goto out;
}
}
+ if (p == NULL)
+ p = rk_strpoolprintf(p, "no encryption types");
+
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client supported enctypes: %s", str);
free(str);
@@ -1757,6 +1758,7 @@ tgs_make_reply(krb5_context context,
AuthorizationData *auth_data,
krb5_ticket *tgs_ticket,
hdb_entry_ex *server,
+ const char *server_name,
hdb_entry_ex *client,
krb5_principal client_principal,
hdb_entry_ex *krbtgt,
@@ -1788,12 +1790,11 @@ tgs_make_reply(krb5_context context,
etype = b->etype.val[i];
}else{
ret = find_keys(context, config,
- NULL, server, NULL, NULL, &skey, &etype,
+ NULL, NULL, server, server_name,
+ NULL, NULL, &skey, &etype,
b->etype.val, b->etype.len);
- if(ret) {
- kdc_log(context, config, 0, "Server has no support for etypes");
+ if(ret)
return ret;
- }
ekey = &skey->key;
}
@@ -2140,7 +2141,7 @@ tgs_rep2(krb5_context context,
ap_req.ticket.sname,
ap_req.ticket.realm);
- ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_SERVER, &krbtgt);
+ ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt);
if(ret) {
char *p;
@@ -2340,7 +2341,8 @@ tgs_rep2(krb5_context context,
goto out2;
}
_krb5_principalname2krb5_principal(&p, t->sname, t->realm);
- ret = _kdc_db_fetch(context, config, p, HDB_ENT_TYPE_SERVER, &uu);
+ ret = _kdc_db_fetch(context, config, p,
+ HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu);
krb5_free_principal(context, p);
if(ret){
if (ret == HDB_ERR_NOENTRY)
@@ -2381,7 +2383,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s", cpn, from, spn);
server_lookup:
- ret = _kdc_db_fetch(context, config, sp, HDB_ENT_TYPE_SERVER, &server);
+ ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server);
if(ret){
const char *new_rlm;
@@ -2430,24 +2432,28 @@ tgs_rep2(krb5_context context,
goto out;
}
- ret = _kdc_db_fetch(context, config, cp, HDB_ENT_TYPE_CLIENT, &client);
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client);
if(ret)
kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
-#if 0
- /* XXX check client only if same realm as krbtgt-instance */
- if(ret){
- kdc_log(context, config, 0,
- "Client not found in database: %s: %s",
- cpn, krb5_get_err_text(context, ret));
- if (ret == HDB_ERR_NOENTRY)
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- goto out;
- }
-#endif
+
+ /*
+ * If the client belongs to the same realm as our krbtgt, it
+ * should exist in the local database.
+ *
+ * If its not the same, check the "direction" on the krbtgt,
+ * so its not a backward uni-directional trust.
+ */
if(strcmp(krb5_principal_get_realm(context, sp),
- krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
+ krb5_principal_get_comp_string(context,
+ krbtgt->entry.principal, 1)) == 0) {
+ if(ret) {
+ if (ret == HDB_ERR_NOENTRY)
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto out;
+ }
+ } else {
char *tpn;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
kdc_log(context, config, 0,
@@ -2491,6 +2497,7 @@ tgs_rep2(krb5_context context,
auth_data,
ticket,
server,
+ spn,
client,
cp,
krbtgt,
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 4d38e1f12d..a61c647f71 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,14 +33,15 @@
#include "kdc_locl.h"
-RCSID("$Id: misc.c,v 1.27 2006/01/01 23:17:16 lha Exp $");
+RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $");
struct timeval _kdc_now;
krb5_error_code
_kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
- krb5_principal principal, enum hdb_ent_type ent_type,
+ krb5_const_principal principal,
+ unsigned flags,
hdb_entry_ex **h)
{
hdb_entry_ex *ent;
@@ -60,9 +61,8 @@ _kdc_db_fetch(krb5_context context,
}
ret = config->db[i]->hdb_fetch(context,
config->db[i],
- HDB_F_DECRYPT,
- principal,
- ent_type,
+ principal,
+ flags | HDB_F_DECRYPT,
ent);
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) {
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 3f064f9d50..c220e70ddd 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.59 2006/04/22 12:10:16 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $");
#ifdef PKINIT
@@ -82,6 +82,12 @@ static struct krb5_pk_identity *kdc_identity;
static struct pk_principal_mapping principal_mappings;
static struct krb5_dh_moduli **moduli;
+static struct {
+ krb5_data data;
+ time_t expire;
+ time_t next_update;
+} ocsp;
+
/*
*
*/
@@ -260,7 +266,6 @@ get_dh_param(krb5_context context,
DomainParameters dhparam;
DH *dh = NULL;
krb5_error_code ret;
- int dhret;
memset(&dhparam, 0, sizeof(dhparam));
@@ -338,14 +343,6 @@ get_dh_param(krb5_context context,
goto out;
}
-
- if (DH_check_pubkey(dh, client_params->dh_public_key, &dhret) != 1 ||
- dhret != 0) {
- krb5_set_error_string(context, "PKINIT DH data not ok");
- ret = KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
- goto out;
- }
-
client_params->dh = dh;
dh = NULL;
ret = 0;
@@ -754,7 +751,8 @@ pk_mk_pa_reply_dh(krb5_context context,
DH *kdc_dh,
pk_client_params *client_params,
krb5_keyblock *reply_key,
- ContentInfo *content_info)
+ ContentInfo *content_info,
+ hx509_cert *kdc_cert)
{
KDCDHKeyInfo dh_info;
krb5_data signed_data, buf;
@@ -768,6 +766,8 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_data_zero(&buf);
krb5_data_zero(&signed_data);
+ *kdc_cert = NULL;
+
ret = BN_to_integer(context, kdc_dh->pub_key, &i);
if (ret)
return ret;
@@ -803,8 +803,8 @@ pk_mk_pa_reply_dh(krb5_context context,
*/
{
- hx509_cert cert;
hx509_query *q;
+ hx509_cert cert;
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret)
@@ -830,7 +830,7 @@ pk_mk_pa_reply_dh(krb5_context context,
kdc_identity->anchors,
kdc_identity->certpool,
&signed_data);
- hx509_cert_free(cert);
+ *kdc_cert = cert;
}
if (ret)
goto out;
@@ -843,6 +843,11 @@ pk_mk_pa_reply_dh(krb5_context context,
goto out;
out:
+ if (ret && *kdc_cert) {
+ hx509_cert_free(*kdc_cert);
+ *kdc_cert = NULL;
+ }
+
krb5_data_free(&buf);
krb5_data_free(&signed_data);
free_KDCDHKeyInfo(&dh_info);
@@ -869,6 +874,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
size_t len, size;
krb5_enctype enctype;
int pa_type;
+ hx509_cert kdc_cert = NULL;
int i;
if (!config->enable_pkinit) {
@@ -947,7 +953,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_dh(context, client_params->dh,
client_params,
&client_params->reply_key,
- &info);
+ &info,
+ &kdc_cert);
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
rep.u.dhInfo.dhSignedData.length, &info, &size,
@@ -982,48 +989,43 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else if (client_params->type == PKINIT_COMPAT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
-
- pa_type = KRB5_PADATA_PK_AS_REP_19;
-
- memset(&rep, 0, sizeof(rep));
+ ContentInfo info;
if (client_params->dh) {
- krb5_set_error_string(context, "DH -27 not implemented");
+ krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
ret = KRB5KRB_ERR_GENERIC;
- } else {
- rep.element = choice_PA_PK_AS_REP_encKeyPack;
- ContentInfo info;
+ goto out;
+ }
- krb5_generate_random_keyblock(context, enctype,
- &client_params->reply_key);
- ret = pk_mk_pa_reply_enckey(context,
- client_params,
- req,
- req_buffer,
- &client_params->reply_key,
- &info);
- if (ret) {
- free_PA_PK_AS_REP_Win2k(&rep);
- goto out;
- }
- ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
- rep.u.encKeyPack.length, &info, &size,
- ret);
- free_ContentInfo(&info);
- if (ret) {
- krb5_set_error_string(context, "encoding of Key ContentInfo "
- "failed %d", ret);
- free_PA_PK_AS_REP_Win2k(&rep);
- goto out;
- }
- if (rep.u.encKeyPack.length != size)
- krb5_abortx(context, "Internal ASN.1 encoder error");
+ memset(&rep, 0, sizeof(rep));
+ pa_type = KRB5_PADATA_PK_AS_REP_19;
+ rep.element = choice_PA_PK_AS_REP_encKeyPack;
+
+ krb5_generate_random_keyblock(context, enctype,
+ &client_params->reply_key);
+ ret = pk_mk_pa_reply_enckey(context,
+ client_params,
+ req,
+ req_buffer,
+ &client_params->reply_key,
+ &info);
+ if (ret) {
+ free_PA_PK_AS_REP_Win2k(&rep);
+ goto out;
}
+ ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
+ rep.u.encKeyPack.length, &info, &size,
+ ret);
+ free_ContentInfo(&info);
if (ret) {
+ krb5_set_error_string(context, "encoding of Key ContentInfo "
+ "failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
+ if (rep.u.encKeyPack.length != size)
+ krb5_abortx(context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
@@ -1041,11 +1043,88 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
- krb5_set_error_string(context, "failed adding "
- "PA-PK-AS-REP-19 %d", ret);
+ krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
free(buf);
+ goto out;
}
- out:
+
+ if (config->pkinit_kdc_ocsp_file) {
+
+ if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
+ struct stat sb;
+ int fd;
+
+ krb5_data_free(&ocsp.data);
+
+ ocsp.expire = 0;
+
+ fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
+ if (fd < 0) {
+ kdc_log(context, config, 0,
+ "PK-INIT failed to open ocsp data file %d", errno);
+ goto out_ocsp;
+ }
+ ret = fstat(fd, &sb);
+ if (ret) {
+ ret = errno;
+ close(fd);
+ kdc_log(context, config, 0,
+ "PK-INIT failed to stat ocsp data %d", ret);
+ goto out_ocsp;
+ }
+
+ ret = krb5_data_alloc(&ocsp.data, sb.st_size);
+ if (ret) {
+ close(fd);
+ kdc_log(context, config, 0,
+ "PK-INIT failed to stat ocsp data %d", ret);
+ goto out_ocsp;
+ }
+ ocsp.data.length = sb.st_size;
+ ret = read(fd, ocsp.data.data, sb.st_size);
+ close(fd);
+ if (ret != sb.st_size) {
+ kdc_log(context, config, 0,
+ "PK-INIT failed to read ocsp data %d", errno);
+ goto out_ocsp;
+ }
+
+ ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
+ kdc_time,
+ kdc_cert,
+ 0,
+ ocsp.data.data, ocsp.data.length,
+ &ocsp.expire);
+ if (ret) {
+ kdc_log(context, config, 0,
+ "PK-INIT failed to verify ocsp data %d", ret);
+ krb5_data_free(&ocsp.data);
+ ocsp.expire = 0;
+ } else if (ocsp.expire > 180)
+ ocsp.expire -= 180; /* refetch the ocsp before it expire */
+
+ out_ocsp:
+ ocsp.next_update = kdc_time + 3600;
+ ret = 0;
+ }
+
+ if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
+
+ ret = krb5_padata_add(context, md,
+ KRB5_PADATA_PA_PK_OCSP_RESPONSE,
+ ocsp.data.data, ocsp.data.length);
+ if (ret) {
+ krb5_set_error_string(context,
+ "Failed adding OCSP response %d", ret);
+ goto out;
+ }
+ }
+ }
+
+out:
+ if (kdc_cert)
+ hx509_cert_free(kdc_cert);
+
if (ret == 0)
*reply_key = &client_params->reply_key;
return ret;
@@ -1120,15 +1199,9 @@ _kdc_pk_check_client(krb5_context context,
hx509_name name;
int i;
- if (config->enable_pkinit_princ_in_cert) {
- ret = pk_principal_from_X509(context, config,
- client_params->cert,
- client_princ);
- if (ret == 0)
- return 0;
- }
-
- ret = hx509_cert_get_subject(client_params->cert, &name);
+ ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
+ client_params->cert,
+ &name);
if (ret)
return ret;
@@ -1141,6 +1214,17 @@ _kdc_pk_check_client(krb5_context context,
"Trying to authorize subject DN %s",
*subject_name);
+ if (config->enable_pkinit_princ_in_cert) {
+ ret = pk_principal_from_X509(context, config,
+ client_params->cert,
+ client_princ);
+ if (ret == 0) {
+ kdc_log(context, config, 5,
+ "Found matching PK-INIT SAN in certificate");
+ return 0;
+ }
+ }
+
for (i = 0; i < principal_mappings.len; i++) {
krb5_boolean b;
@@ -1231,6 +1315,14 @@ _kdc_pk_initialize(krb5_context context,
return ret;
}
+ ret = krb5_config_get_bool_default(context,
+ NULL,
+ FALSE,
+ "kdc",
+ "pki-allow-proxy-certificate",
+ NULL);
+ _krb5_pk_allow_proxy_certificate(kdc_identity, ret);
+
file = krb5_config_get_string_default(context,
NULL,
HDB_DB_DIR "/pki-mapping",
diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h
index ab8ec80523..370e33732f 100644
--- a/source4/heimdal/kdc/rx.h
+++ b/source4/heimdal/kdc/rx.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
+/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */
#ifndef __RX_H__
#define __RX_H__
@@ -59,17 +59,17 @@ enum rx_header_flag {
};
struct rx_header {
- u_int32_t epoch;
- u_int32_t connid; /* And channel ID */
- u_int32_t callid;
- u_int32_t seqno;
- u_int32_t serialno;
+ uint32_t epoch;
+ uint32_t connid; /* And channel ID */
+ uint32_t callid;
+ uint32_t seqno;
+ uint32_t serialno;
u_char type;
u_char flags;
u_char status;
u_char secindex;
- u_int16_t reserved; /* ??? verifier? */
- u_int16_t serviceid;
+ uint16_t reserved; /* ??? verifier? */
+ uint16_t serviceid;
/* This should be the other way around according to everything but */
/* tcpdump */
};
diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c
index 0bf3cdafdb..e498d8f965 100644
--- a/source4/heimdal/lib/asn1/parse.c
+++ b/source4/heimdal/lib/asn1/parse.c
@@ -247,7 +247,7 @@
#include "gen_locl.h"
#include "der.h"
-RCSID("$Id: parse.y,v 1.27 2005/12/14 09:44:36 lha Exp $");
+RCSID("$Id: parse.y,v 1.28 2006/04/28 10:51:35 lha Exp $");
static Type *new_type (Typetype t);
static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -538,13 +538,13 @@ static const unsigned short int yyrline[] =
327, 328, 331, 338, 348, 353, 360, 368, 374, 379,
383, 396, 404, 407, 414, 422, 428, 435, 442, 448,
456, 464, 470, 478, 486, 493, 494, 497, 508, 513,
- 520, 536, 541, 543, 544, 547, 553, 561, 571, 577,
- 590, 599, 602, 606, 610, 617, 620, 624, 631, 642,
- 645, 650, 655, 660, 665, 670, 678, 684, 689, 700,
- 711, 717, 723, 731, 737, 744, 757, 758, 761, 768,
- 771, 782, 786, 797, 803, 804, 807, 808, 809, 810,
- 811, 814, 817, 820, 831, 839, 845, 853, 861, 864,
- 869
+ 520, 536, 542, 545, 546, 549, 555, 563, 573, 579,
+ 592, 601, 604, 608, 612, 619, 622, 626, 633, 644,
+ 647, 652, 657, 662, 667, 672, 680, 686, 691, 702,
+ 713, 719, 725, 733, 739, 746, 759, 760, 763, 770,
+ 773, 784, 788, 799, 805, 806, 809, 810, 811, 812,
+ 813, 816, 819, 822, 833, 841, 847, 855, 863, 866,
+ 871
};
#endif
@@ -1752,7 +1752,7 @@ yyreduce:
break;
case 75:
-#line 548 "parse.y"
+#line 550 "parse.y"
{
(yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
(yyval.constraint_spec)->u.content.type = (yyvsp[0].type);
@@ -1761,7 +1761,7 @@ yyreduce:
break;
case 76:
-#line 554 "parse.y"
+#line 556 "parse.y"
{
if ((yyvsp[0].value)->type != objectidentifiervalue)
error_message("Non-OID used in ENCODED BY constraint");
@@ -1772,7 +1772,7 @@ yyreduce:
break;
case 77:
-#line 562 "parse.y"
+#line 564 "parse.y"
{
if ((yyvsp[0].value)->type != objectidentifiervalue)
error_message("Non-OID used in ENCODED BY constraint");
@@ -1783,14 +1783,14 @@ yyreduce:
break;
case 78:
-#line 572 "parse.y"
+#line 574 "parse.y"
{
(yyval.constraint_spec) = new_constraint_spec(CT_USER);
}
break;
case 79:
-#line 578 "parse.y"
+#line 580 "parse.y"
{
(yyval.type) = new_type(TTag);
(yyval.type)->tag = (yyvsp[-2].tag);
@@ -1804,7 +1804,7 @@ yyreduce:
break;
case 80:
-#line 591 "parse.y"
+#line 593 "parse.y"
{
(yyval.tag).tagclass = (yyvsp[-2].constant);
(yyval.tag).tagvalue = (yyvsp[-1].constant);
@@ -1813,56 +1813,56 @@ yyreduce:
break;
case 81:
-#line 599 "parse.y"
+#line 601 "parse.y"
{
(yyval.constant) = ASN1_C_CONTEXT;
}
break;
case 82:
-#line 603 "parse.y"
+#line 605 "parse.y"
{
(yyval.constant) = ASN1_C_UNIV;
}
break;
case 83:
-#line 607 "parse.y"
+#line 609 "parse.y"
{
(yyval.constant) = ASN1_C_APPL;
}
break;
case 84:
-#line 611 "parse.y"
+#line 613 "parse.y"
{
(yyval.constant) = ASN1_C_PRIVATE;
}
break;
case 85:
-#line 617 "parse.y"
+#line 619 "parse.y"
{
(yyval.constant) = TE_EXPLICIT;
}
break;
case 86:
-#line 621 "parse.y"
+#line 623 "parse.y"
{
(yyval.constant) = TE_EXPLICIT;
}
break;
case 87:
-#line 625 "parse.y"
+#line 627 "parse.y"
{
(yyval.constant) = TE_IMPLICIT;
}
break;
case 88:
-#line 632 "parse.y"
+#line 634 "parse.y"
{
Symbol *s;
s = addsym ((yyvsp[-3].name));
@@ -1874,7 +1874,7 @@ yyreduce:
break;
case 90:
-#line 646 "parse.y"
+#line 648 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString,
TE_EXPLICIT, new_type(TGeneralString));
@@ -1882,7 +1882,7 @@ yyreduce:
break;
case 91:
-#line 651 "parse.y"
+#line 653 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String,
TE_EXPLICIT, new_type(TUTF8String));
@@ -1890,7 +1890,7 @@ yyreduce:
break;
case 92:
-#line 656 "parse.y"
+#line 658 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString,
TE_EXPLICIT, new_type(TPrintableString));
@@ -1898,7 +1898,7 @@ yyreduce:
break;
case 93:
-#line 661 "parse.y"
+#line 663 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
TE_EXPLICIT, new_type(TIA5String));
@@ -1906,7 +1906,7 @@ yyreduce:
break;
case 94:
-#line 666 "parse.y"
+#line 668 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
TE_EXPLICIT, new_type(TBMPString));
@@ -1914,7 +1914,7 @@ yyreduce:
break;
case 95:
-#line 671 "parse.y"
+#line 673 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString,
TE_EXPLICIT, new_type(TUniversalString));
@@ -1922,7 +1922,7 @@ yyreduce:
break;
case 96:
-#line 679 "parse.y"
+#line 681 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@@ -1931,7 +1931,7 @@ yyreduce:
break;
case 97:
-#line 685 "parse.y"
+#line 687 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
(yyval.members) = (yyvsp[-2].members);
@@ -1939,7 +1939,7 @@ yyreduce:
break;
case 98:
-#line 690 "parse.y"
+#line 692 "parse.y"
{
struct member *m = ecalloc(1, sizeof(*m));
m->name = estrdup("...");
@@ -1951,7 +1951,7 @@ yyreduce:
break;
case 99:
-#line 701 "parse.y"
+#line 703 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[-1].name);
@@ -1963,7 +1963,7 @@ yyreduce:
break;
case 100:
-#line 712 "parse.y"
+#line 714 "parse.y"
{
(yyval.member) = (yyvsp[0].member);
(yyval.member)->optional = 0;
@@ -1972,7 +1972,7 @@ yyreduce:
break;
case 101:
-#line 718 "parse.y"
+#line 720 "parse.y"
{
(yyval.member) = (yyvsp[-1].member);
(yyval.member)->optional = 1;
@@ -1981,7 +1981,7 @@ yyreduce:
break;
case 102:
-#line 724 "parse.y"
+#line 726 "parse.y"
{
(yyval.member) = (yyvsp[-2].member);
(yyval.member)->optional = 0;
@@ -1990,7 +1990,7 @@ yyreduce:
break;
case 103:
-#line 732 "parse.y"
+#line 734 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@@ -1999,7 +1999,7 @@ yyreduce:
break;
case 104:
-#line 738 "parse.y"
+#line 740 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
(yyval.members) = (yyvsp[-2].members);
@@ -2007,7 +2007,7 @@ yyreduce:
break;
case 105:
-#line 745 "parse.y"
+#line 747 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[-3].name);
@@ -2021,26 +2021,26 @@ yyreduce:
break;
case 107:
-#line 758 "parse.y"
+#line 760 "parse.y"
{ (yyval.objid) = NULL; }
break;
case 108:
-#line 762 "parse.y"
+#line 764 "parse.y"
{
(yyval.objid) = (yyvsp[-1].objid);
}
break;
case 109:
-#line 768 "parse.y"
+#line 770 "parse.y"
{
(yyval.objid) = NULL;
}
break;
case 110:
-#line 772 "parse.y"
+#line 774 "parse.y"
{
if ((yyvsp[0].objid)) {
(yyval.objid) = (yyvsp[0].objid);
@@ -2052,14 +2052,14 @@ yyreduce:
break;
case 111:
-#line 783 "parse.y"
+#line 785 "parse.y"
{
(yyval.objid) = new_objid((yyvsp[-3].name), (yyvsp[-1].constant));
}
break;
case 112:
-#line 787 "parse.y"
+#line 789 "parse.y"
{
Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue ||
@@ -2073,14 +2073,14 @@ yyreduce:
break;
case 113:
-#line 798 "parse.y"
+#line 800 "parse.y"
{
(yyval.objid) = new_objid(NULL, (yyvsp[0].constant));
}
break;
case 123:
-#line 821 "parse.y"
+#line 823 "parse.y"
{
Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue)
@@ -2092,7 +2092,7 @@ yyreduce:
break;
case 124:
-#line 832 "parse.y"
+#line 834 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = stringvalue;
@@ -2101,7 +2101,7 @@ yyreduce:
break;
case 125:
-#line 840 "parse.y"
+#line 842 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
@@ -2110,7 +2110,7 @@ yyreduce:
break;
case 126:
-#line 846 "parse.y"
+#line 848 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
@@ -2119,7 +2119,7 @@ yyreduce:
break;
case 127:
-#line 854 "parse.y"
+#line 856 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = integervalue;
@@ -2128,13 +2128,13 @@ yyreduce:
break;
case 129:
-#line 865 "parse.y"
+#line 867 "parse.y"
{
}
break;
case 130:
-#line 870 "parse.y"
+#line 872 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = objectidentifiervalue;
@@ -2374,7 +2374,7 @@ yyreturn:
}
-#line 877 "parse.y"
+#line 879 "parse.y"
void
diff --git a/source4/heimdal/lib/asn1/pkcs9.asn1 b/source4/heimdal/lib/asn1/pkcs9.asn1
index bcc8f50398..e6df32f65d 100644
--- a/source4/heimdal/lib/asn1/pkcs9.asn1
+++ b/source4/heimdal/lib/asn1/pkcs9.asn1
@@ -1,4 +1,4 @@
--- $Id: pkcs9.asn1,v 1.3 2005/07/23 10:38:28 lha Exp $ --
+-- $Id: pkcs9.asn1,v 1.5 2006/04/24 08:59:10 lha Exp $ --
PKCS9 DEFINITIONS ::=
@@ -9,6 +9,7 @@ BEGIN
id-pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) }
+id-pkcs9-emailAddress OBJECT IDENTIFIER ::= {id-pkcs-9 1 }
id-pkcs9-contentType OBJECT IDENTIFIER ::= {id-pkcs-9 3 }
id-pkcs9-messageDigest OBJECT IDENTIFIER ::= {id-pkcs-9 4 }
id-pkcs9-signingTime OBJECT IDENTIFIER ::= {id-pkcs-9 5 }
diff --git a/source4/heimdal/lib/des/aes.h b/source4/heimdal/lib/des/aes.h
index 8a62c6461d..3ea1c141be 100755
--- a/source4/heimdal/lib/des/aes.h
+++ b/source4/heimdal/lib/des/aes.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: aes.h,v 1.5 2006/01/08 21:47:27 lha Exp $ */
+/* $Id: aes.h,v 1.6 2006/05/05 11:06:35 lha Exp $ */
#ifndef HEIM_AES_H
#define HEIM_AES_H 1
@@ -54,7 +54,7 @@
#define AES_DECRYPT 0
typedef struct aes_key {
- u_int32_t key[(AES_MAXNR+1)*4];
+ uint32_t key[(AES_MAXNR+1)*4];
int rounds;
} AES_KEY;
diff --git a/source4/heimdal/lib/des/des.c b/source4/heimdal/lib/des/des.c
index 32d479e372..5b1f5c29f4 100644
--- a/source4/heimdal/lib/des/des.c
+++ b/source4/heimdal/lib/des/des.c
@@ -45,7 +45,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
-RCSID("$Id: des.c,v 1.17 2006/04/14 14:19:36 lha Exp $");
+RCSID("$Id: des.c,v 1.18 2006/04/24 14:26:19 lha Exp $");
#endif
#include <stdio.h>
@@ -513,9 +513,10 @@ DES_cfb64_encrypt(const void *in, void *out,
load(*iv, uiv);
+ assert(*num >= 0 && *num < DES_CBLOCK_LEN);
+
if (forward_encrypt) {
int i = *num;
- assert(i >= 0);
while (length > 0) {
if (i == 0)
@@ -537,7 +538,6 @@ DES_cfb64_encrypt(const void *in, void *out,
} else {
int i = *num;
unsigned char c;
- assert(i >= 0);
while (length > 0) {
if (i == 0) {
diff --git a/source4/heimdal/lib/des/dh.h b/source4/heimdal/lib/des/dh.h
index 419c7d8902..105d298bc3 100644
--- a/source4/heimdal/lib/des/dh.h
+++ b/source4/heimdal/lib/des/dh.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: dh.h,v 1.5 2006/04/20 18:16:17 lha Exp $
+ * $Id: dh.h,v 1.6 2006/05/06 13:11:15 lha Exp $
*/
#ifndef _HEIM_DH_H
@@ -40,6 +40,7 @@
/* symbol renaming */
#define DH_null_method hc_DH_null_method
+#define DH_imath_method hc_DH_imath_method
#define DH_new hc_DH_new
#define DH_new_method hc_DH_new_method
#define DH_free hc_DH_free
@@ -113,6 +114,7 @@ struct DH {
*/
const DH_METHOD *DH_null_method(void);
+const DH_METHOD *DH_imath_method(void);
DH * DH_new(void);
DH * DH_new_method(ENGINE *);
diff --git a/source4/heimdal/lib/des/engine.h b/source4/heimdal/lib/des/engine.h
index 757d0f75fb..65588f7d78 100644
--- a/source4/heimdal/lib/des/engine.h
+++ b/source4/heimdal/lib/des/engine.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: engine.h,v 1.5 2006/04/17 13:16:17 lha Exp $
+ * $Id: engine.h,v 1.6 2006/05/06 12:34:36 lha Exp $
*/
#ifndef _HEIM_ENGINE_H
@@ -55,6 +55,10 @@
#define ENGINE_set_name hc_ENGINE_set_name
#define ENGINE_set_destroy_function hc_ENGINE_set_destroy_function
#define ENGINE_up_ref hc_ENGINE_up_ref
+#define ENGINE_get_default_DH hc_ENGINE_get_default_DH
+#define ENGINE_get_default_RSA hc_ENGINE_get_default_RSA
+#define ENGINE_set_default_DH hc_ENGINE_set_default_DH
+#define ENGINE_set_default_RSA hc_ENGINE_set_default_RSA
/*
*
diff --git a/source4/heimdal/lib/des/evp.c b/source4/heimdal/lib/des/evp.c
index 475bb7314e..fd6ac63ec2 100644
--- a/source4/heimdal/lib/des/evp.c
+++ b/source4/heimdal/lib/des/evp.c
@@ -841,11 +841,13 @@ EVP_BytesToKey(const EVP_CIPHER *type,
EVP_DigestUpdate(&c, salt, PKCS5_SALT_LEN);
EVP_DigestFinal_ex(&c, buf, &mds);
+ assert(mds == EVP_MD_size(md));
for (i = 1; i < count; i++) {
EVP_DigestInit_ex(&c, md, NULL);
EVP_DigestUpdate(&c, buf, mds);
EVP_DigestFinal_ex(&c, buf, &mds);
+ assert(mds == EVP_MD_size(md));
}
i = 0;
diff --git a/source4/heimdal/lib/des/hash.h b/source4/heimdal/lib/des/hash.h
index 24217a27a5..b6da9bd8e0 100644
--- a/source4/heimdal/lib/des/hash.h
+++ b/source4/heimdal/lib/des/hash.h
@@ -30,7 +30,7 @@
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-/* $Id: hash.h,v 1.3 2005/04/27 11:53:48 lha Exp $ */
+/* $Id: hash.h,v 1.4 2006/05/05 11:06:49 lha Exp $ */
/* stuff in common between md4, md5, and sha1 */
@@ -61,8 +61,8 @@
#define CRAYFIX(X) (X)
#endif
-static inline u_int32_t
-cshift (u_int32_t x, unsigned int n)
+static inline uint32_t
+cshift (uint32_t x, unsigned int n)
{
x = CRAYFIX(x);
return CRAYFIX((x << n) | (x >> (32 - n)));
diff --git a/source4/heimdal/lib/des/md4.c b/source4/heimdal/lib/des/md4.c
index 693b8f5c76..ded4fe12e8 100644
--- a/source4/heimdal/lib/des/md4.c
+++ b/source4/heimdal/lib/des/md4.c
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: md4.c,v 1.17 2005/04/27 11:54:56 lha Exp $");
+RCSID("$Id: md4.c,v 1.18 2006/05/05 10:22:04 lha Exp $");
#endif
#include "hash.h"
@@ -69,9 +69,9 @@ a = cshift(a + OP(b,c,d) + X[k] + i, s)
#define DO3(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,H)
static inline void
-calc (struct md4 *m, u_int32_t *data)
+calc (struct md4 *m, uint32_t *data)
{
- u_int32_t AA, BB, CC, DD;
+ uint32_t AA, BB, CC, DD;
AA = A;
BB = B;
@@ -155,10 +155,10 @@ calc (struct md4 *m, u_int32_t *data)
*/
#if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
{
- u_int32_t temp1, temp2;
+ uint32_t temp1, temp2;
temp1 = cshift(t, 16);
temp2 = temp1 >> 8;
@@ -194,15 +194,15 @@ MD4_Update (struct md4 *m, const void *v, size_t len)
if(offset == 64) {
#if defined(WORDS_BIGENDIAN)
int i;
- u_int32_t current[16];
+ uint32_t current[16];
struct x32 *u = (struct x32*)m->save;
for(i = 0; i < 8; i++){
- current[2*i+0] = swap_u_int32_t(u[i].a);
- current[2*i+1] = swap_u_int32_t(u[i].b);
+ current[2*i+0] = swap_uint32_t(u[i].a);
+ current[2*i+1] = swap_uint32_t(u[i].b);
}
calc(m, current);
#else
- calc(m, (u_int32_t*)m->save);
+ calc(m, (uint32_t*)m->save);
#endif
offset = 0;
}
@@ -241,10 +241,10 @@ MD4_Final (void *res, struct md4 *m)
#if 0
{
int i;
- u_int32_t *r = (u_int32_t *)res;
+ uint32_t *r = (uint32_t *)res;
for (i = 0; i < 4; ++i)
- r[i] = swap_u_int32_t (m->counter[i]);
+ r[i] = swap_uint32_t (m->counter[i]);
}
#endif
}
diff --git a/source4/heimdal/lib/des/md4.h b/source4/heimdal/lib/des/md4.h
index 79055e0fb0..f8c011b9b7 100644
--- a/source4/heimdal/lib/des/md4.h
+++ b/source4/heimdal/lib/des/md4.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: md4.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md4.h,v 1.11 2006/05/05 11:07:01 lha Exp $ */
#ifndef HEIM_MD4_H
#define HEIM_MD4_H 1
@@ -49,7 +49,7 @@
struct md4 {
unsigned int sz[2];
- u_int32_t counter[4];
+ uint32_t counter[4];
unsigned char save[64];
};
diff --git a/source4/heimdal/lib/des/md5.c b/source4/heimdal/lib/des/md5.c
index d5b7c245f6..e23d6c8fd7 100644
--- a/source4/heimdal/lib/des/md5.c
+++ b/source4/heimdal/lib/des/md5.c
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: md5.c,v 1.17 2005/04/27 11:54:35 lha Exp $");
+RCSID("$Id: md5.c,v 1.18 2006/05/05 10:22:35 lha Exp $");
#endif
#include "hash.h"
@@ -71,9 +71,9 @@ a = b + cshift(a + OP(b,c,d) + X[k] + (i), s)
#define DO4(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,I)
static inline void
-calc (struct md5 *m, u_int32_t *data)
+calc (struct md5 *m, uint32_t *data)
{
- u_int32_t AA, BB, CC, DD;
+ uint32_t AA, BB, CC, DD;
AA = A;
BB = B;
@@ -179,10 +179,10 @@ calc (struct md5 *m, u_int32_t *data)
*/
#if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
{
- u_int32_t temp1, temp2;
+ uint32_t temp1, temp2;
temp1 = cshift(t, 16);
temp2 = temp1 >> 8;
@@ -218,15 +218,15 @@ MD5_Update (struct md5 *m, const void *v, size_t len)
if(offset == 64){
#if defined(WORDS_BIGENDIAN)
int i;
- u_int32_t current[16];
+ uint32_t current[16];
struct x32 *u = (struct x32*)m->save;
for(i = 0; i < 8; i++){
- current[2*i+0] = swap_u_int32_t(u[i].a);
- current[2*i+1] = swap_u_int32_t(u[i].b);
+ current[2*i+0] = swap_uint32_t(u[i].a);
+ current[2*i+1] = swap_uint32_t(u[i].b);
}
calc(m, current);
#else
- calc(m, (u_int32_t*)m->save);
+ calc(m, (uint32_t*)m->save);
#endif
offset = 0;
}
@@ -265,10 +265,10 @@ MD5_Final (void *res, struct md5 *m)
#if 0
{
int i;
- u_int32_t *r = (u_int32_t *)res;
+ uint32_t *r = (uint32_t *)res;
for (i = 0; i < 4; ++i)
- r[i] = swap_u_int32_t (m->counter[i]);
+ r[i] = swap_uint32_t (m->counter[i]);
}
#endif
}
diff --git a/source4/heimdal/lib/des/md5.h b/source4/heimdal/lib/des/md5.h
index 534bc9917e..54c34fe572 100644
--- a/source4/heimdal/lib/des/md5.h
+++ b/source4/heimdal/lib/des/md5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: md5.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md5.h,v 1.11 2006/05/05 11:07:11 lha Exp $ */
#ifndef HEIM_MD5_H
#define HEIM_MD5_H 1
@@ -49,7 +49,7 @@
struct md5 {
unsigned int sz[2];
- u_int32_t counter[4];
+ uint32_t counter[4];
unsigned char save[64];
};
@@ -57,6 +57,6 @@ typedef struct md5 MD5_CTX;
void MD5_Init (struct md5 *m);
void MD5_Update (struct md5 *m, const void *p, size_t len);
-void MD5_Final (void *res, struct md5 *m); /* u_int32_t res[4] */
+void MD5_Final (void *res, struct md5 *m); /* uint32_t res[4] */
#endif /* HEIM_MD5_H */
diff --git a/source4/heimdal/lib/des/pkcs5.c b/source4/heimdal/lib/des/pkcs5.c
index 4bfc313741..9ed494ef6f 100644
--- a/source4/heimdal/lib/des/pkcs5.c
+++ b/source4/heimdal/lib/des/pkcs5.c
@@ -35,7 +35,11 @@
#include <config.h>
#endif
-RCSID("$Id: pkcs5.c,v 1.1 2006/02/28 14:16:57 lha Exp $");
+RCSID("$Id: pkcs5.c,v 1.3 2006/05/05 10:23:11 lha Exp $");
+
+#ifdef KRB5
+#include <krb5-types.h>
+#endif
#include <stdio.h>
#include <stdlib.h>
@@ -53,7 +57,7 @@ PKCS5_PBKDF2_HMAC_SHA1(const void * password, size_t password_len,
{
size_t datalen, leftofkey, checksumsize;
char *data, *tmpcksum;
- u_int32_t keypart;
+ uint32_t keypart;
const EVP_MD *md;
unsigned long i;
int j;
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.c b/source4/heimdal/lib/des/rijndael-alg-fst.c
index 65b36ab741..d6e4f45c18 100755
--- a/source4/heimdal/lib/des/rijndael-alg-fst.c
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.c
@@ -31,7 +31,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
+RCSID("$Id: rijndael-alg-fst.c,v 1.3 2006/05/05 10:23:41 lha Exp $");
#endif
#ifdef KRB5
@@ -41,9 +41,9 @@ RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
#include <rijndael-alg-fst.h>
/* the file should not be used from outside */
-typedef u_int8_t u8;
-typedef u_int16_t u16;
-typedef u_int32_t u32;
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
/*
Te0[x] = S [x].[02, 01, 01, 03];
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.h b/source4/heimdal/lib/des/rijndael-alg-fst.h
index 6b6e2a5cd3..7e2e1935fd 100755
--- a/source4/heimdal/lib/des/rijndael-alg-fst.h
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.h
@@ -38,9 +38,9 @@
#define RIJNDAEL_MAXKB (256/8)
#define RIJNDAEL_MAXNR 14
-int rijndaelKeySetupEnc(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-int rijndaelKeySetupDec(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-void rijndaelEncrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t pt[16], u_int8_t ct[16]);
-void rijndaelDecrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t ct[16], u_int8_t pt[16]);
+int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+int rijndaelKeySetupDec(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t pt[16], uint8_t ct[16]);
+void rijndaelDecrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t ct[16], uint8_t pt[16]);
#endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/source4/heimdal/lib/des/rnd_keys.c b/source4/heimdal/lib/des/rnd_keys.c
index e27b00defa..e58faefcb0 100644
--- a/source4/heimdal/lib/des/rnd_keys.c
+++ b/source4/heimdal/lib/des/rnd_keys.c
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: rnd_keys.c,v 1.70 2006/01/08 21:47:29 lha Exp $");
+RCSID("$Id: rnd_keys.c,v 1.71 2006/05/05 10:24:31 lha Exp $");
#endif
#ifdef KRB5
@@ -82,8 +82,8 @@ static
int
sumFile (const char *name, int len, void *res)
{
- u_int32_t sum[2] = { 0, 0 };
- u_int32_t buf[1024*2];
+ uint32_t sum[2] = { 0, 0 };
+ uint32_t buf[1024*2];
int fd, i;
fd = open (name, 0);
@@ -148,7 +148,7 @@ md5sumFile (const char *name, int len, int32_t sum[4])
* based on an initial des key used as a seed.
*/
static DES_key_schedule sequence_seed;
-static u_int32_t sequence_index[2];
+static uint32_t sequence_index[2];
/*
* Random number generator based on ideas from truerand in cryptolib
diff --git a/source4/heimdal/lib/des/sha.c b/source4/heimdal/lib/des/sha.c
index ca6c1c16d4..fae0fe01cb 100644
--- a/source4/heimdal/lib/des/sha.c
+++ b/source4/heimdal/lib/des/sha.c
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: sha.c,v 1.18 2005/04/27 11:55:05 lha Exp $");
+RCSID("$Id: sha.c,v 1.19 2006/05/05 10:25:00 lha Exp $");
#endif
#include "hash.h"
@@ -72,7 +72,7 @@ SHA1_Init (struct sha *m)
#define DO(t,f,k) \
do { \
- u_int32_t temp; \
+ uint32_t temp; \
\
temp = cshift(AA, 5) + f(BB,CC,DD) + EE + data[t] + k; \
EE = DD; \
@@ -83,10 +83,10 @@ do { \
} while(0)
static inline void
-calc (struct sha *m, u_int32_t *in)
+calc (struct sha *m, uint32_t *in)
{
- u_int32_t AA, BB, CC, DD, EE;
- u_int32_t data[80];
+ uint32_t AA, BB, CC, DD, EE;
+ uint32_t data[80];
int i;
AA = A;
@@ -204,11 +204,11 @@ calc (struct sha *m, u_int32_t *in)
*/
#if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
{
#define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
- u_int32_t temp1, temp2;
+ uint32_t temp1, temp2;
temp1 = cshift(t, 16);
temp2 = temp1 >> 8;
@@ -244,15 +244,15 @@ SHA1_Update (struct sha *m, const void *v, size_t len)
if(offset == 64){
#if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
int i;
- u_int32_t current[16];
+ uint32_t current[16];
struct x32 *u = (struct x32*)m->save;
for(i = 0; i < 8; i++){
- current[2*i+0] = swap_u_int32_t(u[i].a);
- current[2*i+1] = swap_u_int32_t(u[i].b);
+ current[2*i+0] = swap_uint32_t(u[i].a);
+ current[2*i+1] = swap_uint32_t(u[i].b);
}
calc(m, current);
#else
- calc(m, (u_int32_t*)m->save);
+ calc(m, (uint32_t*)m->save);
#endif
offset = 0;
}
@@ -291,10 +291,10 @@ SHA1_Final (void *res, struct sha *m)
#if 0
{
int i;
- u_int32_t *r = (u_int32_t *)res;
+ uint32_t *r = (uint32_t *)res;
for (i = 0; i < 5; ++i)
- r[i] = swap_u_int32_t (m->counter[i]);
+ r[i] = swap_uint32_t (m->counter[i]);
}
#endif
}
diff --git a/source4/heimdal/lib/des/sha.h b/source4/heimdal/lib/des/sha.h
index 6021823f5c..977b9f7bb2 100644
--- a/source4/heimdal/lib/des/sha.h
+++ b/source4/heimdal/lib/des/sha.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: sha.h,v 1.10 2006/04/15 07:54:11 lha Exp $ */
+/* $Id: sha.h,v 1.11 2006/05/05 11:06:21 lha Exp $ */
#ifndef HEIM_SHA_H
#define HEIM_SHA_H 1
@@ -52,7 +52,7 @@
struct sha {
unsigned int sz[2];
- u_int32_t counter[5];
+ uint32_t counter[5];
unsigned char save[64];
};
@@ -70,7 +70,7 @@ void SHA1_Final (void *res, struct sha *m);
struct hc_sha256state {
unsigned int sz[2];
- u_int32_t counter[8];
+ uint32_t counter[8];
unsigned char save[64];
};
diff --git a/source4/heimdal/lib/des/sha256.c b/source4/heimdal/lib/des/sha256.c
index 8c12ce504c..58fb92815a 100644
--- a/source4/heimdal/lib/des/sha256.c
+++ b/source4/heimdal/lib/des/sha256.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1995 - 2001, 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
+RCSID("$Id: sha256.c,v 1.2 2006/05/05 10:25:37 lha Exp $");
#endif
#include "hash.h"
@@ -59,7 +59,7 @@ RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
#define G m->counter[6]
#define H m->counter[7]
-static const u_int32_t constant_256[64] = {
+static const uint32_t constant_256[64] = {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
@@ -94,10 +94,10 @@ SHA256_Init (SHA256_CTX *m)
}
static void
-calc (SHA256_CTX *m, u_int32_t *in)
+calc (SHA256_CTX *m, uint32_t *in)
{
- u_int32_t AA, BB, CC, DD, EE, FF, GG, HH;
- u_int32_t data[64];
+ uint32_t AA, BB, CC, DD, EE, FF, GG, HH;
+ uint32_t data[64];
int i;
AA = A;
@@ -116,7 +116,7 @@ calc (SHA256_CTX *m, u_int32_t *in)
sigma0(data[i-15]) + data[i - 16];
for (i = 0; i < 64; i++) {
- u_int32_t T1, T2;
+ uint32_t T1, T2;
T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
T2 = Sigma0(AA) + Maj(AA,BB,CC);
@@ -146,11 +146,11 @@ calc (SHA256_CTX *m, u_int32_t *in)
*/
#if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
{
#define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
- u_int32_t temp1, temp2;
+ uint32_t temp1, temp2;
temp1 = cshift(t, 16);
temp2 = temp1 >> 8;
@@ -186,15 +186,15 @@ SHA256_Update (SHA256_CTX *m, const void *v, size_t len)
if(offset == 64){
#if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
int i;
- u_int32_t current[16];
+ uint32_t current[16];
struct x32 *u = (struct x32*)m->save;
for(i = 0; i < 8; i++){
- current[2*i+0] = swap_u_int32_t(u[i].a);
- current[2*i+1] = swap_u_int32_t(u[i].b);
+ current[2*i+0] = swap_uint32_t(u[i].a);
+ current[2*i+1] = swap_uint32_t(u[i].b);
}
calc(m, current);
#else
- calc(m, (u_int32_t*)m->save);
+ calc(m, (uint32_t*)m->save);
#endif
offset = 0;
}
diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c
index 0062068d5b..ad580811a5 100644
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: 8003.c,v 1.17 2005/04/01 08:55:36 lha Exp $");
+RCSID("$Id: 8003.c,v 1.18 2006/05/04 11:55:40 lha Exp $");
krb5_error_code
gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
@@ -56,15 +56,17 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
}
krb5_error_code
-gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
{
+ const u_char *p = ptr;
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
return 0;
}
krb5_error_code
-gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
{
+ const u_char *p = ptr;
*n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
return 0;
}
diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c
index 01c6c75ecc..936a20d403 100644
--- a/source4/heimdal/lib/gssapi/arcfour.c
+++ b/source4/heimdal/lib/gssapi/arcfour.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: arcfour.c,v 1.18 2005/11/01 06:55:55 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -246,8 +246,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
krb5_error_code ret;
int32_t seq_number;
OM_uint32 omret;
- char cksum_data[8], k6_data[16], SND_SEQ[8];
- u_char *p;
+ u_char SND_SEQ[8], cksum_data[8], *p;
+ char k6_data[16];
int cmp;
if (qop_state)
@@ -295,7 +295,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
{
RC4_KEY rc4_key;
- RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
RC4 (&rc4_key, 8, p, SND_SEQ);
memset(&rc4_key, 0, sizeof(rc4_key));
@@ -480,7 +480,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if(conf_req_flag) {
RC4_KEY rc4_key;
- RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
/* XXX ? */
RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
memset(&rc4_key, 0, sizeof(rc4_key));
@@ -526,8 +526,8 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
int32_t seq_number;
size_t len, datalen;
OM_uint32 omret;
- char k6_data[16], SND_SEQ[8], Confounder[8];
- char cksum_data[8];
+ u_char k6_data[16], SND_SEQ[8], Confounder[8];
+ u_char cksum_data[8];
u_char *p, *p0;
int cmp;
int conf_flag;
diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/cfx.c
index 3e7592b3a7..1aebd008a6 100755
--- a/source4/heimdal/lib/gssapi/cfx.c
+++ b/source4/heimdal/lib/gssapi/cfx.c
@@ -32,7 +32,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: cfx.c,v 1.17 2005/04/27 17:47:32 lha Exp $");
+RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $");
/*
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
@@ -143,11 +143,10 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
*/
static krb5_error_code
-rrc_rotate(void *data, size_t len, u_int16_t rrc, krb5_boolean unrotate)
+rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
{
- u_char *tmp;
+ u_char *tmp, buf[256];
size_t left;
- char buf[256];
if (len == 0)
return 0;
@@ -220,7 +219,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
}
/* Always rotate encrypted token (if any) and checksum to header */
- rrc = (conf_req_flag ? sizeof(*token) : 0) + (u_int16_t)cksumsize;
+ rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
output_message_buffer->length = wrapped_len;
output_message_buffer->value = malloc(output_message_buffer->length);
@@ -420,7 +419,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
krb5_error_code ret;
unsigned usage;
krb5_data data;
- u_int16_t ec, rrc;
+ uint16_t ec, rrc;
OM_uint32 seq_number_lo, seq_number_hi;
size_t len;
u_char *p;
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index b93ad4e481..eac2737f43 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi.h,v 1.39 2005/12/05 11:52:45 lha Exp $ */
+/* $Id: gssapi.h,v 1.40 2006/05/05 11:08:29 lha Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
@@ -47,9 +47,9 @@
* Now define the three implementation-dependent types.
*/
-typedef u_int32_t OM_uint32;
+typedef uint32_t OM_uint32;
-typedef u_int32_t gss_uint32;
+typedef uint32_t gss_uint32;
/*
* This is to avoid having to include <krb5.h>
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index be2277b96f..81169a8500 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_locl.h,v 1.44 2006/04/12 17:44:05 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.45 2006/05/04 11:56:14 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
@@ -307,9 +307,9 @@ krb5_error_code
gssapi_encode_be_om_uint32(OM_uint32, u_char *);
krb5_error_code
-gssapi_decode_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_om_uint32(const void *, OM_uint32 *);
krb5_error_code
-gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_be_om_uint32(const void *, OM_uint32 *);
#endif
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index e363ee22f7..dc937daae5 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.62 2006/04/09 18:45:18 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.63 2006/05/05 10:27:13 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index 0c089067b6..7072ca2754 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: wrap.c,v 1.32 2006/04/02 02:10:03 lha Exp $");
+RCSID("$Id: wrap.c,v 1.33 2006/05/05 10:27:36 lha Exp $");
OM_uint32
gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
@@ -428,7 +428,7 @@ wrap_des3
u_char seq[8];
int32_t seq_number;
size_t len, total_len, padlength, datalen;
- u_int32_t ret;
+ uint32_t ret;
krb5_crypto crypto;
Checksum cksum;
krb5_data encdata;
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c
index 850b23fb04..a8995e4138 100644
--- a/source4/heimdal/lib/hdb/ext.c
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -34,7 +34,7 @@
#include "hdb_locl.h"
#include <der.h>
-RCSID("$Id: ext.c,v 1.1 2005/08/11 20:49:31 lha Exp $");
+RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $");
krb5_error_code
hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
@@ -168,10 +168,10 @@ hdb_replace_extension(krb5_context context,
ret = copy_HDB_extension(ext,
&entry->extensions->val[entry->extensions->len]);
- if (ret == 0) {
+ if (ret == 0)
entry->extensions->len++;
+ else
krb5_set_error_string(context, "hdb: failed to copy new extension");
- }
return ret;
}
diff --git a/source4/heimdal/lib/hdb/hdb-private.h b/source4/heimdal/lib/hdb/hdb-private.h
index e602f01373..5147d8b90b 100644
--- a/source4/heimdal/lib/hdb/hdb-private.h
+++ b/source4/heimdal/lib/hdb/hdb-private.h
@@ -8,14 +8,13 @@ krb5_error_code
_hdb_fetch (
krb5_context /*context*/,
HDB */*db*/,
- unsigned /*flags*/,
krb5_const_principal /*principal*/,
- enum hdb_ent_type /*ent_type*/,
+ unsigned /*flags*/,
hdb_entry_ex */*entry*/);
hdb_master_key
_hdb_find_master_key (
- u_int32_t */*mkvno*/,
+ uint32_t */*mkvno*/,
hdb_master_key /*mkey*/);
int
@@ -43,7 +42,7 @@ krb5_error_code
_hdb_remove (
krb5_context /*context*/,
HDB */*db*/,
- hdb_entry_ex */*entry*/);
+ krb5_const_principal /*principal*/);
krb5_error_code
_hdb_store (
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index b89937f82f..5d2ce8f3bb 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,7 @@
#include "hdb_locl.h"
-RCSID("$Id: hdb.c,v 1.60 2005/12/12 12:35:36 lha Exp $");
+RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $");
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 463cbf71f2..d14eea7ddc 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: hdb.h,v 1.36 2005/12/12 12:35:36 lha Exp $ */
+/* $Id: hdb.h,v 1.38 2006/04/28 07:37:11 lha Exp $ */
#ifndef __HDB_H__
#define __HDB_H__
@@ -44,14 +44,16 @@
enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
/* flags for various functions */
-#define HDB_F_DECRYPT 1 /* decrypt keys */
-#define HDB_F_REPLACE 2 /* replace entry */
+#define HDB_F_DECRYPT 1 /* decrypt keys */
+#define HDB_F_REPLACE 2 /* replace entry */
+#define HDB_F_GET_CLIENT 4 /* fetch client */
+#define HDB_F_GET_SERVER 8 /* fetch server */
+#define HDB_F_GET_KRBTGT 16 /* fetch krbtgt */
+#define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */
/* key usage for master key */
#define HDB_KU_MKEY 0x484442
-enum hdb_ent_type{ HDB_ENT_TYPE_CLIENT, HDB_ENT_TYPE_SERVER, HDB_ENT_TYPE_ANY };
-
typedef struct hdb_master_key_data *hdb_master_key;
typedef struct hdb_entry_ex {
@@ -87,30 +89,60 @@ typedef struct HDB{
hdb_master_key hdb_master_key;
void *hdb_openp;
- krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t);
- krb5_error_code (*hdb_close)(krb5_context, struct HDB*);
- void (*hdb_free)(krb5_context,struct HDB*,hdb_entry_ex*);
- krb5_error_code (*hdb_fetch)(krb5_context,struct HDB*,unsigned hdb_flags,
- krb5_const_principal principal,
- enum hdb_ent_type ent_type, hdb_entry_ex*);
- krb5_error_code (*hdb_store)(krb5_context,struct HDB*,
- unsigned,hdb_entry_ex*);
- krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, hdb_entry_ex*);
- krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry_ex*);
- krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry_ex*);
- krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int operation);
- krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
- krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
- krb5_error_code (*hdb__get)(krb5_context,struct HDB*,krb5_data,krb5_data*);
- krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int,
- krb5_data, krb5_data);
- krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data);
- krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
+ krb5_error_code (*hdb_open)(krb5_context,
+ struct HDB*,
+ int,
+ mode_t);
+ krb5_error_code (*hdb_close)(krb5_context,
+ struct HDB*);
+ void (*hdb_free)(krb5_context,
+ struct HDB*,
+ hdb_entry_ex*);
+ krb5_error_code (*hdb_fetch)(krb5_context,
+ struct HDB*,
+ krb5_const_principal,
+ unsigned,
+ hdb_entry_ex*);
+ krb5_error_code (*hdb_store)(krb5_context,
+ struct HDB*,
+ unsigned,
+ hdb_entry_ex*);
+ krb5_error_code (*hdb_remove)(krb5_context,
+ struct HDB*,
+ krb5_const_principal);
+ krb5_error_code (*hdb_firstkey)(krb5_context,
+ struct HDB*,
+ unsigned,
+ hdb_entry_ex*);
+ krb5_error_code (*hdb_nextkey)(krb5_context,
+ struct HDB*,
+ unsigned,
+ hdb_entry_ex*);
+ krb5_error_code (*hdb_lock)(krb5_context,
+ struct HDB*,
+ int operation);
+ krb5_error_code (*hdb_unlock)(krb5_context,
+ struct HDB*);
+ krb5_error_code (*hdb_rename)(krb5_context,
+ struct HDB*,
+ const char*);
+ krb5_error_code (*hdb__get)(krb5_context,
+ struct HDB*,
+ krb5_data,
+ krb5_data*);
+ krb5_error_code (*hdb__put)(krb5_context,
+ struct HDB*,
+ int,
+ krb5_data,
+ krb5_data);
+ krb5_error_code (*hdb__del)(krb5_context,
+ struct HDB*,
+ krb5_data);
+ krb5_error_code (*hdb_destroy)(krb5_context,
+ struct HDB*);
}HDB;
-#define HDB_INTERFACE_VERSION 3
+#define HDB_INTERFACE_VERSION 4
struct hdb_so_method {
int version;
diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c
index 0ca3846f9d..d7c2f2c89b 100644
--- a/source4/heimdal/lib/hdb/keys.c
+++ b/source4/heimdal/lib/hdb/keys.c
@@ -33,7 +33,7 @@
#include "hdb_locl.h"
-RCSID("$Id: keys.c,v 1.4 2006/04/02 00:45:48 lha Exp $");
+RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $");
/*
* free all the memory used by (len, keys)
@@ -112,23 +112,19 @@ parse_key_set(krb5_context context, const char *key,
if(strcmp(buf[i], "des") == 0) {
enctypes = all_etypes;
num_enctypes = 3;
- continue;
} else if(strcmp(buf[i], "des3") == 0) {
e = ETYPE_DES3_CBC_SHA1;
enctypes = &e;
num_enctypes = 1;
- continue;
} else {
ret = krb5_string_to_enctype(context, buf[i], &e);
if (ret == 0) {
enctypes = &e;
num_enctypes = 1;
- continue;
- }
+ } else
+ return ret;
}
- }
-
- if(salt->salttype == 0) {
+ } else if(salt->salttype == 0) {
/* interpret string as a salt specifier, if no etype
is set, this sets default values */
/* XXX should perhaps use string_to_salttype, but that
@@ -152,7 +148,7 @@ parse_key_set(krb5_context context, const char *key,
v4 compat, and a cell name for afs compat */
salt->saltvalue.data = strdup(buf[i]);
if (salt->saltvalue.data == NULL) {
- krb5_set_error_string(context, "malloc out of memory");
+ krb5_set_error_string(context, "out of memory");
return ENOMEM;
}
salt->saltvalue.length = strlen(buf[i]);
@@ -297,7 +293,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
ret = parse_key_set(context, p,
&enctypes, &num_enctypes, &salt, principal);
if (ret) {
- krb5_warnx(context, "bad value for default_keys `%s'", *kp);
+ krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
ret = 0;
continue;
}
diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c
index 12979eaecf..b4fa5f84c9 100644
--- a/source4/heimdal/lib/hdb/keytab.c
+++ b/source4/heimdal/lib/hdb/keytab.c
@@ -35,7 +35,7 @@
/* keytab backend for HDB databases */
-RCSID("$Id: keytab.c,v 1.10 2006/04/02 20:20:45 lha Exp $");
+RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $");
struct hdb_data {
char *dbname;
@@ -218,8 +218,8 @@ hdb_get_entry(krb5_context context,
(*db->hdb_destroy)(context, db);
return ret;
}
+ ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT, &ent);
- ret = (*db->hdb_fetch)(context, db, HDB_F_DECRYPT, principal, HDB_ENT_TYPE_SERVER, &ent);
/* Shutdown the hdb on error */
if(ret == HDB_ERR_NOENTRY) {
diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c
index f12f73e809..40569b29ad 100644
--- a/source4/heimdal/lib/hdb/mkey.c
+++ b/source4/heimdal/lib/hdb/mkey.c
@@ -36,7 +36,7 @@
#define O_BINARY 0
#endif
-RCSID("$Id: mkey.c,v 1.21 2005/08/19 13:07:03 lha Exp $");
+RCSID("$Id: mkey.c,v 1.22 2006/05/05 10:27:59 lha Exp $");
struct hdb_master_key_data {
krb5_keytab_entry keytab;
@@ -355,7 +355,7 @@ hdb_write_master_key(krb5_context context, const char *filename,
}
hdb_master_key
-_hdb_find_master_key(u_int32_t *mkvno, hdb_master_key mkey)
+_hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
{
hdb_master_key ret = NULL;
while(mkey) {
diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c
index f4c2497abc..6c72ea78c5 100644
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c
index ebdbcfed46..895b01f9d8 100644
--- a/source4/heimdal/lib/krb5/addr_families.c
+++ b/source4/heimdal/lib/krb5/addr_families.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: addr_families.c,v 1.51 2006/04/02 02:17:31 lha Exp $");
+RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $");
struct addr_operations {
int af;
@@ -199,7 +199,7 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
unsigned long len, krb5_address *low, krb5_address *high)
{
unsigned long ia;
- u_int32_t l, h, m = 0xffffffff;
+ uint32_t l, h, m = 0xffffffff;
if (len > 32) {
krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len);
@@ -391,7 +391,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
unsigned long len, krb5_address *low, krb5_address *high)
{
struct in6_addr addr, laddr, haddr;
- u_int32_t m;
+ uint32_t m;
int i, sub_len;
if (len > 128) {
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 7907e1ad9c..ba584a04a4 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: changepw.c,v 1.55 2005/12/12 12:48:57 lha Exp $");
+RCSID("$Id: changepw.c,v 1.56 2006/05/05 09:26:47 lha Exp $");
static void
str2data (krb5_data *d,
@@ -271,7 +271,7 @@ process_reply (krb5_context context,
krb5_error_code ret;
u_char reply[1024 * 3];
ssize_t len;
- u_int16_t pkt_len, pkt_ver;
+ uint16_t pkt_len, pkt_ver;
krb5_data ap_rep_data;
int save_errno;
diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c
index c7cedd8c9e..4cfed75154 100644
--- a/source4/heimdal/lib/krb5/crc.c
+++ b/source4/heimdal/lib/krb5/crc.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
+RCSID("$Id: crc.c,v 1.10 2006/05/05 09:27:09 lha Exp $");
static u_long table[256];
@@ -62,8 +62,8 @@ _krb5_crc_init_table(void)
flag = 1;
}
-u_int32_t
-_krb5_crc_update (const char *p, size_t len, u_int32_t res)
+uint32_t
+_krb5_crc_update (const char *p, size_t len, uint32_t res)
{
while (len--)
res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 3a90995283..2e8160518b 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.134 2006/04/10 08:58:53 lha Exp $");
+RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $");
#undef CRYPTO_DEBUG
#ifdef CRYPTO_DEBUG
@@ -602,7 +602,7 @@ AES_string_to_key(krb5_context context,
krb5_keyblock *key)
{
krb5_error_code ret;
- u_int32_t iter;
+ uint32_t iter;
struct encryption_type *et;
struct key_data kd;
@@ -611,7 +611,7 @@ AES_string_to_key(krb5_context context,
else if (opaque.length == 4) {
unsigned long v;
_krb5_get_int(opaque.data, &v, 4);
- iter = ((u_int32_t)v);
+ iter = ((uint32_t)v);
} else
return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
@@ -1296,7 +1296,7 @@ CRC32_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- u_int32_t crc;
+ uint32_t crc;
unsigned char *r = C->checksum.data;
_krb5_crc_init_table ();
crc = _krb5_crc_update (data, len, 0);
@@ -4282,7 +4282,7 @@ _krb5_pk_octetstring2key(krb5_context context,
static krb5_error_code
krb5_get_keyid(krb5_context context,
krb5_keyblock *key,
- u_int32_t *keyid)
+ uint32_t *keyid)
{
MD5_CTX md5;
unsigned char tmp[16];
@@ -4300,7 +4300,7 @@ krb5_crypto_debug(krb5_context context,
size_t len,
krb5_keyblock *key)
{
- u_int32_t keyid;
+ uint32_t keyid;
char *kt;
krb5_get_keyid(context, key, &keyid);
krb5_enctype_to_string(context, key->keytype, &kt);
diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c
index f9e9cded5f..7f79e29858 100644
--- a/source4/heimdal/lib/krb5/generate_seq_number.c
+++ b/source4/heimdal/lib/krb5/generate_seq_number.c
@@ -33,16 +33,16 @@
#include <krb5_locl.h>
-RCSID("$Id: generate_seq_number.c,v 1.9 2004/05/25 21:25:22 lha Exp $");
+RCSID("$Id: generate_seq_number.c,v 1.10 2006/05/05 09:28:06 lha Exp $");
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_seq_number(krb5_context context,
const krb5_keyblock *key,
- u_int32_t *seqno)
+ uint32_t *seqno)
{
krb5_error_code ret;
krb5_keyblock *subkey;
- u_int32_t q;
+ uint32_t q;
u_char *p;
int i;
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 489a88a31b..70b6c3e4c3 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c,v 1.92 2006/04/02 01:20:15 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $");
typedef struct krb5_get_init_creds_ctx {
krb5_kdc_flags flags;
@@ -1150,6 +1150,7 @@ process_pa_data_to_key(krb5_context context,
if (pa && ctx->pk_init_ctx) {
#ifdef PKINIT
ret = _krb5_pk_rd_pa_reply(context,
+ a->req_body.realm,
ctx->pk_init_ctx,
etype,
hi,
diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c
index f4372422ac..8f2d9f7f86 100644
--- a/source4/heimdal/lib/krb5/kcm.c
+++ b/source4/heimdal/lib/krb5/kcm.c
@@ -43,7 +43,7 @@
#include "kcm.h"
-RCSID("$Id: kcm.c,v 1.8 2005/09/19 20:23:05 lha Exp $");
+RCSID("$Id: kcm.c,v 1.9 2006/05/05 09:28:48 lha Exp $");
typedef struct krb5_kcmcache {
char *name;
@@ -53,7 +53,7 @@ typedef struct krb5_kcmcache {
#define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data)
#define CACHENAME(X) (KCMCACHE(X)->name)
-#define KCMCURSOR(C) (*(u_int32_t *)(C))
+#define KCMCURSOR(C) (*(uint32_t *)(C))
static krb5_error_code
try_door(krb5_context context, const krb5_kcmcache *k,
@@ -903,7 +903,7 @@ _krb5_kcm_noop(krb5_context context,
krb5_error_code
_krb5_kcm_chmod(krb5_context context,
krb5_ccache id,
- u_int16_t mode)
+ uint16_t mode)
{
krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
@@ -944,8 +944,8 @@ _krb5_kcm_chmod(krb5_context context,
krb5_error_code
_krb5_kcm_chown(krb5_context context,
krb5_ccache id,
- u_int32_t uid,
- u_int32_t gid)
+ uint32_t uid,
+ uint32_t gid)
{
krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c
index f9a76e634a..1b06387339 100644
--- a/source4/heimdal/lib/krb5/keytab_file.c
+++ b/source4/heimdal/lib/krb5/keytab_file.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_file.c,v 1.22 2006/04/07 21:57:31 lha Exp $");
+RCSID("$Id: keytab_file.c,v 1.23 2006/05/05 12:36:57 lha Exp $");
#define KRB5_KT_VNO_1 1
#define KRB5_KT_VNO_2 2
@@ -428,7 +428,7 @@ loop:
* if it's zero, assume that the 8bit one was right,
* otherwise trust the new value */
curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
- if(len + 4 + pos - curpos == 4) {
+ if(len + 4 + pos - curpos >= 4) {
ret = krb5_ret_int32(cursor->sp, &tmp32);
if (ret == 0 && tmp32 != 0) {
entry->vno = tmp32;
diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c
index 32fb48a8a2..d7f8a720e1 100644
--- a/source4/heimdal/lib/krb5/keytab_keyfile.c
+++ b/source4/heimdal/lib/krb5/keytab_keyfile.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_keyfile.c,v 1.18 2006/04/02 01:24:52 lha Exp $");
+RCSID("$Id: keytab_keyfile.c,v 1.19 2006/04/24 15:06:57 lha Exp $");
/* afs keyfile operations --------------------------------------- */
@@ -63,8 +63,7 @@ struct akf_data {
*/
static int
-get_cell_and_realm (krb5_context context,
- struct akf_data *d)
+get_cell_and_realm (krb5_context context, struct akf_data *d)
{
FILE *f;
char buf[BUFSIZ], *cp;
@@ -95,6 +94,7 @@ get_cell_and_realm (krb5_context context,
if (f != NULL) {
if (fgets (buf, sizeof(buf), f) == NULL) {
free (d->cell);
+ d->cell = NULL;
fclose (f);
krb5_set_error_string (context, "no realm in %s",
AFS_SERVERMAGICKRBCONF);
@@ -110,6 +110,7 @@ get_cell_and_realm (krb5_context context,
d->realm = strdup (buf);
if (d->realm == NULL) {
free (d->cell);
+ d->cell = NULL;
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
}
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 00126d60ed..17b282f1d8 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -30,11 +30,11 @@ _krb5_cc_allocate (
void
_krb5_crc_init_table (void);
-u_int32_t
+uint32_t
_krb5_crc_update (
const char */*p*/,
size_t /*len*/,
- u_int32_t /*res*/);
+ uint32_t /*res*/);
krb5_error_code
_krb5_dh_group_ok (
@@ -120,14 +120,14 @@ krb5_error_code
_krb5_kcm_chmod (
krb5_context /*context*/,
krb5_ccache /*id*/,
- u_int16_t /*mode*/);
+ uint16_t /*mode*/);
krb5_error_code
_krb5_kcm_chown (
krb5_context /*context*/,
krb5_ccache /*id*/,
- u_int32_t /*uid*/,
- u_int32_t /*gid*/);
+ uint32_t /*uid*/,
+ uint32_t /*gid*/);
krb5_error_code
_krb5_kcm_get_initial_ticket (
@@ -158,8 +158,8 @@ _krb5_krb_cr_err_reply (
const char */*name*/,
const char */*inst*/,
const char */*realm*/,
- u_int32_t /*time_ws*/,
- u_int32_t /*e*/,
+ uint32_t /*time_ws*/,
+ uint32_t /*e*/,
const char */*e_string*/,
krb5_data */*data*/);
@@ -171,7 +171,7 @@ _krb5_krb_create_auth_reply (
const char */*prealm*/,
int32_t /*time_ws*/,
int /*n*/,
- u_int32_t /*x_date*/,
+ uint32_t /*x_date*/,
unsigned char /*kvno*/,
const krb5_data */*cipher*/,
krb5_data */*data*/);
@@ -183,10 +183,10 @@ _krb5_krb_create_ciph (
const char */*service*/,
const char */*instance*/,
const char */*realm*/,
- u_int32_t /*life*/,
+ uint32_t /*life*/,
unsigned char /*kvno*/,
const krb5_data */*ticket*/,
- u_int32_t /*kdc_time*/,
+ uint32_t /*kdc_time*/,
const krb5_keyblock */*key*/,
krb5_data */*enc_data*/);
@@ -299,6 +299,11 @@ _krb5_parse_moduli_line (
struct krb5_dh_moduli **/*m*/);
void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate (
+ struct krb5_pk_identity */*id*/,
+ int /*boolean*/);
+
+void KRB5_LIB_FUNCTION
_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
krb5_error_code KRB5_LIB_FUNCTION
@@ -341,6 +346,7 @@ _krb5_pk_octetstring2key (
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_rd_pa_reply (
krb5_context /*context*/,
+ const char */*realm*/,
void */*c*/,
krb5_enctype /*etype*/,
const krb5_krbhst_info */*hi*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 56f43f6c3d..37293ff982 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -1592,7 +1592,7 @@ krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_seq_number (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
- u_int32_t */*seqno*/);
+ uint32_t */*seqno*/);
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_subkey (
@@ -2803,6 +2803,21 @@ krb5_ret_times (
krb5_times */*times*/);
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16 (
+ krb5_storage */*sp*/,
+ uint16_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32 (
+ krb5_storage */*sp*/,
+ uint32_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8 (
+ krb5_storage */*sp*/,
+ uint8_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_salttype_to_string (
krb5_context /*context*/,
krb5_enctype /*etype*/,
@@ -3087,7 +3102,7 @@ krb5_store_keyblock (
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_principal (
krb5_storage */*sp*/,
- krb5_principal /*p*/);
+ krb5_const_principal /*p*/);
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_string (
@@ -3105,6 +3120,21 @@ krb5_store_times (
krb5_times /*times*/);
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16 (
+ krb5_storage */*sp*/,
+ uint16_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32 (
+ krb5_storage */*sp*/,
+ uint32_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8 (
+ krb5_storage */*sp*/,
+ uint8_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_string_to_deltat (
const char */*string*/,
krb5_deltat */*deltat*/);
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index 1d092dcbc9..3e14c5a38f 100644
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5-v4compat.h,v 1.6 2005/04/23 19:38:16 lha Exp $ */
+/* $Id: krb5-v4compat.h,v 1.7 2006/05/05 09:29:07 lha Exp $ */
#ifndef __KRB5_V4COMPAT_H__
#define __KRB5_V4COMPAT_H__
@@ -119,7 +119,7 @@
struct ktext {
unsigned int length; /* Length of the text */
unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
- u_int32_t mbz; /* zero to catch runaway strings */
+ uint32_t mbz; /* zero to catch runaway strings */
};
struct credentials {
@@ -157,11 +157,11 @@ struct _krb5_krb_auth_data {
char *pname; /* Principal's name */
char *pinst; /* His Instance */
char *prealm; /* His Realm */
- u_int32_t checksum; /* Data checksum (opt) */
+ uint32_t checksum; /* Data checksum (opt) */
krb5_keyblock session; /* Session Key */
unsigned char life; /* Life of ticket */
- u_int32_t time_sec; /* Time ticket issued */
- u_int32_t address; /* Address in ticket */
+ uint32_t time_sec; /* Time ticket issued */
+ uint32_t address; /* Address in ticket */
};
time_t _krb5_krb_life_to_time (int, int);
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 9814817600..32fdd6d383 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
+/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -64,7 +64,7 @@ typedef int32_t krb5_error_code;
typedef int krb5_kvno;
-typedef u_int32_t krb5_flags;
+typedef uint32_t krb5_flags;
typedef void *krb5_pointer;
typedef const void *krb5_const_pointer;
@@ -492,7 +492,7 @@ typedef struct krb5_keytab_entry {
krb5_principal principal;
krb5_kvno vno;
krb5_keyblock keyblock;
- u_int32_t timestamp;
+ uint32_t timestamp;
} krb5_keytab_entry;
typedef struct krb5_kt_cursor {
@@ -536,7 +536,7 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
int32_t usec;
- u_int32_t seq;
+ uint32_t seq;
} krb5_replay_data;
/* flags for krb5_auth_con_setflags */
@@ -569,8 +569,8 @@ typedef struct krb5_auth_context_data {
krb5_keyblock *local_subkey;
krb5_keyblock *remote_subkey;
- u_int32_t local_seqnumber;
- u_int32_t remote_seqnumber;
+ uint32_t local_seqnumber;
+ uint32_t remote_seqnumber;
krb5_authenticator authenticator;
diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h
index 29b2ddbecc..d59b589304 100644
--- a/source4/heimdal/lib/krb5/krb5_ccapi.h
+++ b/source4/heimdal/lib/krb5/krb5_ccapi.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_ccapi.h,v 1.2 2006/03/27 04:21:06 lha Exp $ */
+/* $Id: krb5_ccapi.h,v 1.3 2006/05/05 09:29:59 lha Exp $ */
#ifndef KRB5_CCAPI_H
#define KRB5_CCAPI_H 1
@@ -84,7 +84,7 @@ enum {
};
typedef int32_t cc_int32;
-typedef u_int32_t cc_uint32;
+typedef uint32_t cc_uint32;
typedef struct cc_context_t *cc_context_t;
typedef struct cc_ccache_t *cc_ccache_t;
typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t;
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 92dd3271f5..4dcac40c7a 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c
index 7e478bf1e0..e6fcb6bbb9 100644
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: log.c,v 1.38 2006/04/10 09:41:26 lha Exp $");
+RCSID("$Id: log.c,v 1.39 2006/04/24 15:09:27 lha Exp $");
struct facility {
int min;
@@ -221,8 +221,10 @@ log_file(const char *timestr,
if(f->fd == NULL)
return;
fprintf(f->fd, "%s %s\n", timestr, msg);
- if(f->keep_open == 0)
+ if(f->keep_open == 0) {
fclose(f->fd);
+ f->fd = NULL;
+ }
}
static void
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index fa4fb4699e..7e91946095 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.88 2006/04/23 21:30:17 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $");
struct krb5_dh_moduli {
char *name;
@@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data {
int require_binding;
int require_eku;
int require_krbtgt_otherName;
+ int require_hostname_match;
};
void KRB5_LIB_FUNCTION
@@ -161,6 +162,109 @@ _krb5_pk_create_sign(krb5_context context,
return ret;
}
+static int
+cert2epi(hx509_context context, void *ctx, hx509_cert c)
+{
+ ExternalPrincipalIdentifiers *ids = ctx;
+ ExternalPrincipalIdentifier id;
+ hx509_name subject = NULL;
+ void *p;
+ int ret;
+
+ memset(&id, 0, sizeof(id));
+
+ ret = hx509_cert_get_subject(c, &subject);
+ if (ret)
+ return ret;
+
+ if (hx509_name_is_null_p(subject) != 0) {
+
+ id.subjectName = calloc(1, sizeof(*id.subjectName));
+ if (id.subjectName == NULL) {
+ hx509_name_free(&subject);
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ ret = hx509_name_to_der_name(subject, &id.subjectName->data,
+ &id.subjectName->length);
+ if (ret) {
+ hx509_name_free(&subject);
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+ }
+ hx509_name_free(&subject);
+
+
+ id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
+ if (id.issuerAndSerialNumber == NULL) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ {
+ IssuerAndSerialNumber iasn;
+ hx509_name issuer;
+ size_t size;
+
+ memset(&iasn, 0, sizeof(iasn));
+
+ ret = hx509_cert_get_issuer(c, &issuer);
+ if (ret) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ret = hx509_name_to_Name(issuer, &iasn.issuer);
+ hx509_name_free(&issuer);
+ if (ret) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
+ if (ret) {
+ free_IssuerAndSerialNumber(&iasn);
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
+ id.issuerAndSerialNumber->data,
+ id.issuerAndSerialNumber->length,
+ &iasn, &size, ret);
+ free_IssuerAndSerialNumber(&iasn);
+ if (ret)
+ return ret;
+ if (id.issuerAndSerialNumber->length != size)
+ abort();
+ }
+
+ id.subjectKeyIdentifier = NULL;
+
+ p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
+ if (p == NULL) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ ids->val = p;
+ ids->val[ids->len] = id;
+ ids->len++;
+
+ return 0;
+}
+
+static krb5_error_code
+build_edi(krb5_context context,
+ hx509_context hx509ctx,
+ hx509_certs certs,
+ ExternalPrincipalIdentifiers *ids)
+{
+ return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+}
+
static krb5_error_code
build_auth_pack(krb5_context context,
unsigned nonce,
@@ -446,8 +550,19 @@ pk_mk_padata(krb5_context context,
memset(&req, 0, sizeof(req));
req.signedAuthPack = buf;
- /* XXX tell the kdc what CAs the client is willing to accept */
- req.trustedCertifiers = NULL;
+ req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
+ if (req.trustedCertifiers == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
+ ret = build_edi(context, ctx->id->hx509ctx,
+ ctx->id->anchors, req.trustedCertifiers);
+ if (ret) {
+ krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
req.kdcPkId = NULL;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
@@ -524,6 +639,13 @@ _krb5_pk_mk_padata(krb5_context context,
"pkinit_require_krbtgt_otherName",
NULL);
+ ctx->require_hostname_match =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "realms",
+ req_body->realm,
+ "pkinit_require_hostname_match",
+ NULL);
return pk_mk_padata(context, type, ctx, req_body, nonce, md);
}
@@ -710,6 +832,8 @@ get_reply_key(krb5_context context,
static krb5_error_code
pk_verify_host(krb5_context context,
+ const char *realm,
+ const krb5_krbhst_info *hi,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{
@@ -719,13 +843,12 @@ pk_verify_host(krb5_context context,
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
return ret;
}
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
- krb5_error_code ret;
int i;
ret = hx509_cert_find_subjectAltName_otherName(host->cert,
@@ -738,6 +861,7 @@ pk_verify_host(krb5_context context,
for (i = 0; i < list.len; i++) {
KRB5PrincipalName r;
+
ret = decode_KRB5PrincipalName(list.val[i].data,
list.val[i].length,
&r,
@@ -747,13 +871,15 @@ pk_verify_host(krb5_context context,
break;
}
-#if 0
- if (r.principalName.name.len != 2) {
- krb5_clear_error_string(context);
+ if (r.principalName.name_string.len != 2 ||
+ strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
+ strcmp(r.principalName.name_string.val[1], realm) != 0 ||
+ strcmp(r.realm, realm) != 0)
+ {
+ krb5_set_error_string(context, "KDC have wrong realm name in "
+ "the certificate");
ret = EINVAL;
}
-#endif
- /* XXX verify realm */
free_KRB5PrincipalName(&r);
if (ret)
@@ -761,14 +887,26 @@ pk_verify_host(krb5_context context,
}
hx509_free_octet_string_list(&list);
}
+ if (ret)
+ return ret;
+
+ if (hi) {
+ ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
+ ctx->require_hostname_match,
+ hi->hostname,
+ hi->ai->ai_addr, hi->ai->ai_addrlen);
+ if (ret)
+ krb5_set_error_string(context, "Address mismatch in the KDC certificate");
+ }
return ret;
}
static krb5_error_code
pk_rd_pa_reply_enckey(krb5_context context,
int type,
- ContentInfo *rep,
+ const ContentInfo *rep,
+ const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
const krb5_krbhst_info *hi,
@@ -846,7 +984,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
goto out;
/* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, ctx, host);
+ ret = pk_verify_host(context, realm, hi, ctx, host);
if (ret) {
krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
goto out;
@@ -894,7 +1032,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
static krb5_error_code
pk_rd_pa_reply_dh(krb5_context context,
- ContentInfo *rep,
+ const ContentInfo *rep,
+ const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
const krb5_krbhst_info *hi,
@@ -938,7 +1077,7 @@ pk_rd_pa_reply_dh(krb5_context context,
goto out;
/* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, ctx, host);
+ ret = pk_verify_host(context, realm, hi, ctx, host);
if (ret)
goto out;
@@ -1066,6 +1205,7 @@ pk_rd_pa_reply_dh(krb5_context context,
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_rd_pa_reply(krb5_context context,
+ const char *realm,
void *c,
krb5_enctype etype,
const krb5_krbhst_info *hi,
@@ -1106,7 +1246,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
free_PA_PK_AS_REP(&rep);
break;
}
- ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi,
+ ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi,
ctx->clientDHNonce,
rep.u.dhInfo.serverDHNonce,
nonce, pa, key);
@@ -1126,7 +1266,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
"ContentInfo: %d", ret);
break;
}
- ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx,
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx,
etype, hi, nonce, req_buffer, pa, key);
free_ContentInfo(&ci);
return ret;
@@ -1173,7 +1313,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
ret);
return ret;
}
- ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx,
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx,
etype, hi, nonce, req_buffer, pa, key);
free_ContentInfo(&ci);
break;
@@ -1204,8 +1344,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
krb5_data password_data;
struct prompter *p = data;
- password_data.data = prompter->reply->data;
- password_data.length = prompter->reply->length;
+ password_data.data = prompter->reply.data;
+ password_data.length = prompter->reply.length;
prompt.prompt = "Enter your private key passphrase: ";
prompt.hidden = 1;
prompt.reply = &password_data;
@@ -1216,12 +1356,21 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
- memset (prompter->reply->data, 0, prompter->reply->length);
+ memset (prompter->reply.data, 0, prompter->reply.length);
return 0;
}
- return strlen(prompter->reply->data);
+ return strlen(prompter->reply.data);
+}
+
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
+ int boolean)
+{
+ hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
}
+
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_load_id(krb5_context context,
struct krb5_pk_identity **ret_id,
@@ -1715,7 +1864,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
}
if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_string(context, "pkinit: failed to generate DH key");
_krb5_get_init_creds_opt_free_pkinit(opt);
return ENOMEM;
}
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c
index 34086b1fbe..f6e3847cce 100644
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -41,7 +41,7 @@
#include <fnmatch.h>
#include "resolve.h"
-RCSID("$Id: principal.c,v 1.94 2006/04/10 10:10:01 lha Exp $");
+RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $");
#define princ_num_comp(P) ((P)->name.name_string.len)
#define princ_type(P) ((P)->name.name_type)
@@ -829,7 +829,6 @@ krb5_425_conv_principal_ext2(krb5_context context,
if (r) {
if (r->head && r->head->type == T_AAAA) {
inst = strdup(r->head->domain);
- dns_free_data(r);
passed = TRUE;
}
dns_free_data(r);
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index 4a567bb379..a6f4a011a1 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store.c,v 1.51 2006/04/07 22:23:20 lha Exp $");
+RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $");
#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
@@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp,
return krb5_store_int(sp, value, 4);
}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32(krb5_storage *sp,
+ uint32_t value)
+{
+ return krb5_store_int32(sp, (int32_t)value);
+}
+
static krb5_error_code
krb5_ret_int(krb5_storage *sp,
int32_t *value,
@@ -212,6 +219,20 @@ krb5_ret_int32(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32(krb5_storage *sp,
+ uint32_t *value)
+{
+ krb5_error_code ret;
+ int32_t v;
+
+ ret = krb5_ret_int32(sp, &v);
+ if (ret == 0)
+ *value = (uint32_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_int16(krb5_storage *sp,
int16_t value)
{
@@ -223,6 +244,13 @@ krb5_store_int16(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16(krb5_storage *sp,
+ uint16_t value)
+{
+ return krb5_store_int16(sp, (int16_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int16(krb5_storage *sp,
int16_t *value)
{
@@ -240,6 +268,20 @@ krb5_ret_int16(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16(krb5_storage *sp,
+ uint16_t *value)
+{
+ krb5_error_code ret;
+ int16_t v;
+
+ ret = krb5_ret_int16(sp, &v);
+ if (ret == 0)
+ *value = (uint16_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_int8(krb5_storage *sp,
int8_t value)
{
@@ -252,6 +294,13 @@ krb5_store_int8(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8(krb5_storage *sp,
+ uint8_t value)
+{
+ return krb5_store_int8(sp, (int8_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
{
@@ -264,6 +313,20 @@ krb5_ret_int8(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8(krb5_storage *sp,
+ uint8_t *value)
+{
+ krb5_error_code ret;
+ int8_t v;
+
+ ret = krb5_ret_int8(sp, &v);
+ if (ret == 0)
+ *value = (uint8_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_data(krb5_storage *sp,
krb5_data data)
{
@@ -380,19 +443,19 @@ krb5_ret_stringz(krb5_storage *sp,
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_principal(krb5_storage *sp,
- krb5_principal p)
+ krb5_const_principal p)
{
int i;
int ret;
if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
- ret = krb5_store_int32(sp, p->name.name_type);
- if(ret) return ret;
+ ret = krb5_store_int32(sp, p->name.name_type);
+ if(ret) return ret;
}
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
ret = krb5_store_int32(sp, p->name.name_string.len + 1);
else
- ret = krb5_store_int32(sp, p->name.name_string.len);
+ ret = krb5_store_int32(sp, p->name.name_string.len);
if(ret) return ret;
ret = krb5_store_string(sp, p->realm);
@@ -710,7 +773,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
* format.
*/
{
- u_int32_t mask = 0xffff0000;
+ uint32_t mask = 0xffff0000;
creds->flags.i = 0;
creds->flags.b.anonymous = 1;
if (creds->flags.i & mask)
@@ -865,7 +928,7 @@ krb5_ret_creds_tag(krb5_storage *sp,
* format.
*/
{
- u_int32_t mask = 0xffff0000;
+ uint32_t mask = 0xffff0000;
creds->flags.i = 0;
creds->flags.b.anonymous = 1;
if (creds->flags.i & mask)
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index dd294c8943..b1e12674dc 100644
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: v4_glue.c,v 1.3 2006/04/02 01:39:54 lha Exp $");
+RCSID("$Id: v4_glue.c,v 1.5 2006/05/05 09:31:00 lha Exp $");
#include "krb5-v4compat.h"
@@ -463,10 +463,10 @@ _krb5_krb_create_ciph(krb5_context context,
const char *service,
const char *instance,
const char *realm,
- u_int32_t life,
+ uint32_t life,
unsigned char kvno,
const krb5_data *ticket,
- u_int32_t kdc_time,
+ uint32_t kdc_time,
const krb5_keyblock *key,
krb5_data *enc_data)
{
@@ -523,7 +523,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
const char *prealm,
int32_t time_ws,
int n,
- u_int32_t x_date,
+ uint32_t x_date,
unsigned char kvno,
const krb5_data *cipher,
krb5_data *data)
@@ -573,8 +573,8 @@ _krb5_krb_cr_err_reply(krb5_context context,
const char *name,
const char *inst,
const char *realm,
- u_int32_t time_ws,
- u_int32_t e,
+ uint32_t time_ws,
+ uint32_t e,
const char *e_string,
krb5_data *data)
{
@@ -668,7 +668,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int32(sp, &ad->address), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error);
size = krb5_storage_read(sp, des_key, sizeof(des_key));
if (size != sizeof(des_key)) {
@@ -676,14 +676,14 @@ _krb5_krb_decomp_ticket(krb5_context context,
goto error;
}
- RCHECK(ret, krb5_ret_int8(sp, &ad->life), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error);
if (ad->k_flags & 1)
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
else
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
- RCHECK(ret, krb5_ret_int32(sp, &ad->time_sec), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error);
RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error);
RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error);
@@ -744,9 +744,9 @@ _krb5_krb_rd_req(krb5_context context,
int8_t pvno;
int8_t type;
int8_t s_kvno;
- u_int8_t ticket_length;
- u_int8_t eaut_length;
- u_int8_t time_5ms;
+ uint8_t ticket_length;
+ uint8_t eaut_length;
+ uint8_t time_5ms;
char *realm = NULL;
char *sname = NULL;
char *sinstance = NULL;
@@ -754,7 +754,7 @@ _krb5_krb_rd_req(krb5_context context,
char *r_name = NULL;
char *r_instance = NULL;
- u_int32_t r_time_sec; /* Coarse time from authenticator */
+ uint32_t r_time_sec; /* Coarse time from authenticator */
unsigned long delta_t; /* Time in authenticator - local time */
long tkt_age; /* Age of ticket */
@@ -795,8 +795,8 @@ _krb5_krb_rd_req(krb5_context context,
RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error);
RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int8(sp, &ticket_length), error);
- RCHECK(ret, krb5_ret_int8(sp, &eaut_length), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error);
RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error);
size = krb5_storage_read(sp, ticket.data, ticket.length);
@@ -842,9 +842,9 @@ _krb5_krb_rd_req(krb5_context context,
RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int32(sp, &ad->checksum), error);
- RCHECK(ret, krb5_ret_int8(sp, &time_5ms), error);
- RCHECK(ret, krb5_ret_int32(sp, &r_time_sec), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error);
if (strcmp(ad->pname, r_name) != 0 ||
strcmp(ad->pinst, r_instance) != 0 ||
@@ -853,7 +853,7 @@ _krb5_krb_rd_req(krb5_context context,
goto error;
}
- if (from_addr && from_addr == ad->address) {
+ if (from_addr && from_addr != ad->address) {
ret = EINVAL; /* RD_AP_BADD */
goto error;
}
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 5fd48c49ef..c1d74ee406 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -590,195 +590,233 @@ static krb5_error_code LDB_rename(krb5_context context, HDB *db, const char *new
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
- krb5_const_principal principal,
- enum hdb_ent_type ent_type,
- hdb_entry_ex *entry_ex)
-{
+static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex) {
+ NTSTATUS nt_status;
+ char *principal_string;
+ krb5_error_code ret;
struct ldb_message **msg = NULL;
struct ldb_message **realm_ref_msg = NULL;
- struct ldb_message **realm_fixed_msg = NULL;
- enum hdb_ldb_ent_type ldb_ent_type;
- krb5_error_code ret;
-
- const char *realm;
- const struct ldb_dn *realm_dn;
- TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
- if (!mem_ctx) {
- krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
+ ret = krb5_unparse_name(context, principal, &principal_string);
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
+ mem_ctx, principal_string,
+ &msg, &realm_ref_msg);
+ free(principal_string);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+ talloc_free(mem_ctx);
+ return HDB_ERR_NOENTRY;
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
+ talloc_free(mem_ctx);
return ENOMEM;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return EINVAL;
}
+
+ ret = LDB_message2entry(context, db, mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_CLIENT,
+ msg[0], realm_ref_msg[0], entry_ex);
+ return ret;
+}
- switch (ent_type) {
- case HDB_ENT_TYPE_CLIENT:
- {
- NTSTATUS nt_status;
- char *principal_string;
- ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
+static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
+ struct ldb_message **msg = NULL;
+ struct ldb_message **realm_ref_msg = NULL;
+ const struct ldb_dn *realm_dn;
+
+ krb5_principal alloc_principal = NULL;
+ if (principal->name.name_string.len != 2
+ || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
+ /* Not a krbtgt */
+ return HDB_ERR_NOENTRY;
+ }
- ret = krb5_unparse_name(context, principal, &principal_string);
+ /* krbtgt case. Either us or a trusted realm */
+ if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
+ /* us */
+ /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
+ * is in our db, then direct the caller at our primary
+ * krgtgt */
- if (ret != 0) {
- talloc_free(mem_ctx);
+ const char *dnsdomain = ldb_msg_find_string(realm_ref_msg[0], "dnsRoot", NULL);
+ char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
+ if (!realm_fixed) {
+ krb5_set_error_string(context, "strupper_talloc: out of memory");
+ return ENOMEM;
+ }
+
+ ret = krb5_copy_principal(context, principal, &alloc_principal);
+ if (ret) {
return ret;
}
- nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
- mem_ctx, principal_string,
- &msg, &realm_ref_msg);
- free(principal_string);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
- talloc_free(mem_ctx);
+ free(alloc_principal->name.name_string.val[1]);
+ alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
+ talloc_free(realm_fixed);
+ if (!alloc_principal->name.name_string.val[1]) {
+ krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
return ENOMEM;
- } else if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return EINVAL;
}
+ principal = alloc_principal;
+ realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+
+ } else {
+ /* we should lookup trusted domains */
+ return HDB_ERR_NOENTRY;
+ }
- ret = LDB_message2entry(context, db, mem_ctx,
- principal, ldb_ent_type,
- msg[0], realm_ref_msg[0], entry_ex);
-
- talloc_free(mem_ctx);
+ realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+
+ ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
+
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+ krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
return ret;
}
- case HDB_ENT_TYPE_SERVER:
- if (principal->name.name_string.len == 2
- && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)) {
- /* krbtgt case. Either us or a trusted realm */
- if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->name.name_string.val[1], &realm_fixed_msg) == 0)) {
- /* us */
- /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
- * is in our db, then direct the caller at our primary
- * krgtgt */
-
- const char *dnsdomain = ldb_msg_find_string(realm_fixed_msg[0], "dnsRoot", NULL);
- char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
- if (!realm_fixed) {
- krb5_set_error_string(context, "strupper_talloc: out of memory");
- talloc_free(mem_ctx);
- return ENOMEM;
- }
-
- free(principal->name.name_string.val[1]);
- principal->name.name_string.val[1] = strdup(realm_fixed);
- talloc_free(realm_fixed);
- if (!principal->name.name_string.val[1]) {
- krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
- talloc_free(mem_ctx);
- return ENOMEM;
- }
- ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT;
- break;
- } else {
- /* we should lookup trusted domains */
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
- } else if (principal->name.name_string.len >= 2) {
- /* 'normal server' case */
- int ldb_ret;
- NTSTATUS nt_status;
- struct ldb_dn *user_dn, *domain_dn;
- char *principal_string;
- ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
-
- ret = krb5_unparse_name_norealm(context, principal, &principal_string);
-
- if (ret != 0) {
- talloc_free(mem_ctx);
- return ret;
- }
-
- /* At this point we may find the host is known to be
- * in a different realm, so we should generate a
- * referral instead */
- nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
- mem_ctx, principal_string,
- &user_dn, &domain_dn);
- free(principal_string);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
-
- ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
- mem_ctx, user_dn, &msg, krb5_attrs);
-
- if (ldb_ret != 1) {
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
-
- ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
- mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs,
- "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
-
- if (ldb_ret != 1) {
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
+ ret = LDB_message2entry(context, db, mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_KRBTGT,
+ msg[0], realm_ref_msg[0], entry_ex);
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: message2entry failed");
+ }
+ return ret;
+}
- ret = LDB_message2entry(context, db, mem_ctx,
- principal, ldb_ent_type,
- msg[0], realm_ref_msg[0], entry_ex);
- talloc_free(mem_ctx);
+static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
+ const char *realm;
+ struct ldb_message **msg = NULL;
+ struct ldb_message **realm_ref_msg = NULL;
+ if (principal->name.name_string.len >= 2) {
+ /* 'normal server' case */
+ int ldb_ret;
+ NTSTATUS nt_status;
+ struct ldb_dn *user_dn, *domain_dn;
+ char *principal_string;
+
+ ret = krb5_unparse_name_norealm(context, principal, &principal_string);
+ if (ret != 0) {
return ret;
-
- } else {
- ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
- /* server as client principal case, but we must not lookup userPrincipalNames */
- break;
}
- case HDB_ENT_TYPE_ANY:
- krb5_warnx(context, "LDB_fetch: ENT_TYPE_ANY is not valid in hdb-ldb!");
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- default:
- krb5_warnx(context, "LDB_fetch: invalid ent_type specified!");
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
-
+
+ /* At this point we may find the host is known to be
+ * in a different realm, so we should generate a
+ * referral instead */
+ nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
+ mem_ctx, principal_string,
+ &user_dn, &domain_dn);
+ free(principal_string);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
+ mem_ctx, user_dn, &msg, krb5_attrs);
+
+ if (ldb_ret != 1) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
+ mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs,
+ "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
+
+ if (ldb_ret != 1) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ } else {
+ const struct ldb_dn *realm_dn;
+ /* server as client principal case, but we must not lookup userPrincipalNames */
- realm = krb5_principal_get_realm(context, principal);
+ realm = krb5_principal_get_realm(context, principal);
+
+ ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, realm, &realm_ref_msg);
+ if (ret != 0) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+
+ ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_SERVER, realm_dn, &msg);
+
+ if (ret != 0) {
+ return ret;
+ }
+ }
- ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, realm, &realm_ref_msg);
+ ret = LDB_message2entry(context, db, mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_SERVER,
+ msg[0], realm_ref_msg[0], entry_ex);
if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: could not find realm");
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
+ krb5_warnx(context, "LDB_fetch: message2entry failed");
}
- realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+ return ret;
+}
+
+static krb5_error_code LDB_fetch(krb5_context context, HDB *db,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
- ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
- mem_ctx,
- principal, ldb_ent_type, realm_dn, &msg);
+ TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
- if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: could not find principal in DB");
- krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
- talloc_free(mem_ctx);
- return ret;
- } else {
- ret = LDB_message2entry(context, db, mem_ctx,
- principal, ldb_ent_type,
- msg[0], realm_ref_msg[0], entry_ex);
- if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: message2entry failed\n");
- }
+ if (!mem_ctx) {
+ krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
+ return ENOMEM;
}
- talloc_free(mem_ctx);
+ if (flags & HDB_F_GET_CLIENT) {
+ ret = LDB_fetch_client(context, db, mem_ctx, principal, flags, entry_ex);
+ if (ret != HDB_ERR_NOENTRY) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ }
+ if (flags & HDB_F_GET_SERVER) {
+ ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
+ if (ret != HDB_ERR_NOENTRY) {
+ return ret;
+ }
+ }
+ if (flags & HDB_F_GET_KRBTGT) {
+ ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
+ if (ret != HDB_ERR_NOENTRY) {
+ return ret;
+ }
+ }
return ret;
}
@@ -787,7 +825,7 @@ static krb5_error_code LDB_store(krb5_context context, HDB *db, unsigned flags,
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code LDB_remove(krb5_context context, HDB *db, hdb_entry_ex *entry)
+static krb5_error_code LDB_remove(krb5_context context, HDB *db, krb5_const_principal principal)
{
return HDB_ERR_DB_INUSE;
}