author | Stefan Metzmacher <metze@samba.org> | 2008-10-27 11:35:07 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2008-10-28 08:53:09 +0100 |
commit | 2b29b7186459d945ec448694164bfe4239b30d72 (patch) | |
tree | 561495b1870facf03f7892559a184f4f49df1fe2 /source4/heimdal/kdc | |
parent | 698b7fd43658d9e96d28f26c9e1dae5e770bb57f (diff) | |
download | samba-2b29b7186459d945ec448694164bfe4239b30d72.tar.gz samba-2b29b7186459d945ec448694164bfe4239b30d72.tar.bz2 samba-2b29b7186459d945ec448694164bfe4239b30d72.zip |
s4: import lorikeet-heimdal-200810271034
metze
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/524.c | 94 | ||||
-rw-r--r-- | source4/heimdal/kdc/default_config.c | 150 | ||||
-rw-r--r-- | source4/heimdal/kdc/digest.c | 220 | ||||
-rw-r--r-- | source4/heimdal/kdc/headers.h | 54 | ||||
-rw-r--r-- | source4/heimdal/kdc/kaserver.c | 86 | ||||
-rw-r--r-- | source4/heimdal/kdc/kdc.h | 58 | ||||
-rw-r--r-- | source4/heimdal/kdc/kdc_locl.h | 54 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos4.c | 132 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 340 | ||||
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 50 | ||||
-rw-r--r-- | source4/heimdal/kdc/kx509.c | 92 | ||||
-rw-r--r-- | source4/heimdal/kdc/log.c | 58 | ||||
-rw-r--r-- | source4/heimdal/kdc/misc.c | 56 | ||||
-rw-r--r-- | source4/heimdal/kdc/pkinit.c | 218 | ||||
-rw-r--r-- | source4/heimdal/kdc/process.c | 72 | ||||
-rw-r--r-- | source4/heimdal/kdc/rx.h | 50 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc.c | 60 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc_plugin.h | 58 |
18 files changed, 951 insertions, 951 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c
index a46c9175b0..d15310384a 100644
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -43,7 +43,7 @@ RCSID("$Id$"); */ static krb5_error_code -fetch_server (krb5_context context, +fetch_server (krb5_context context, krb5_kdc_configuration *config, const Ticket *t, char **spn, @@ -67,7 +67,7 @@ fetch_server (krb5_context context, krb5_get_err_text(context, ret)); return ret; } - ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, + ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, NULL, server); krb5_free_principal(context, sprinc); if (ret) { 
@@ -82,7 +82,7 @@ fetch_server (krb5_context context, } static krb5_error_code -log_524 (krb5_context context, +log_524 (krb5_context context, krb5_kdc_configuration *config, const EncTicketPart *et, const char *from, @@ -92,7 +92,7 @@ log_524 (krb5_context context, char *cpn; krb5_error_code ret; - ret = _krb5_principalname2krb5_principal(context, &client, + ret = _krb5_principalname2krb5_principal(context, &client, et->cname, et->crealm); if (ret) { kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s", @@ -113,7 +113,7 @@ log_524 (krb5_context context, } static krb5_error_code -verify_flags (krb5_context context, +verify_flags (krb5_context context, krb5_kdc_configuration *config, const EncTicketPart *et, const char *spn) @@ -135,7 +135,7 @@ verify_flags (krb5_context context, */ static krb5_error_code -set_address (krb5_context context, +set_address (krb5_context context, krb5_kdc_configuration *config, EncTicketPart *et, struct sockaddr *addr, @@ -154,7 +154,7 @@ set_address (krb5_context context, kdc_log(context, config, 0, "Failed to convert address (%s)", from); return ret; } - + if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) { kdc_log(context, config, 0, "Incorrect network address (%s)", from); krb5_free_address(context, v4_addr); @@ -187,11 +187,11 @@ set_address (krb5_context context, static krb5_error_code -encrypt_v4_ticket(krb5_context context, +encrypt_v4_ticket(krb5_context context, krb5_kdc_configuration *config, - void *buf, - size_t len, - krb5_keyblock *skey, + void *buf, + size_t len, + krb5_keyblock *skey, EncryptedData *reply) { krb5_crypto crypto; @@ -204,7 +204,7 @@ encrypt_v4_ticket(krb5_context context, return ret; } - ret = krb5_encrypt_EncryptedData(context, + ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_TICKET, buf, 
@@ -221,10 +221,10 @@ encrypt_v4_ticket(krb5_context context, } static krb5_error_code -encode_524_response(krb5_context context, +encode_524_response(krb5_context context, krb5_kdc_configuration *config, const char *spn, const EncTicketPart et, - const Ticket *t, hdb_entry_ex *server, + const Ticket *t, hdb_entry_ex *server, EncryptedData *ticket, int *kvno) { krb5_error_code ret; @@ -233,12 +233,12 @@ encode_524_response(krb5_context context, use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL); if(use_2b) { - ASN1_MALLOC_ENCODE(EncryptedData, - ticket->cipher.data, ticket->cipher.length, + ASN1_MALLOC_ENCODE(EncryptedData, + ticket->cipher.data, ticket->cipher.length, &t->enc_part, &len, ret); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed to encode v4 (2b) ticket (%s)", spn); return ret; } @@ -256,7 +256,7 @@ encode_524_response(krb5_context context, return KRB5KDC_ERR_POLICY; } - ret = _kdc_encode_v4_ticket(context, config, + ret = _kdc_encode_v4_ticket(context, config, buf + sizeof(buf) - 1, sizeof(buf), &et, &t->sname, &len); if(ret){ @@ -270,7 +270,7 @@ encode_524_response(krb5_context context, "no suitable DES key for server (%s)", spn); return ret; } - ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len, + ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len, &skey->key, ticket); if(ret){ kdc_log(context, config, 0, @@ -289,7 +289,7 @@ encode_524_response(krb5_context context, */ krb5_error_code -_kdc_do_524(krb5_context context, +_kdc_do_524(krb5_context context, krb5_kdc_configuration *config, const Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr) @@ -306,7 +306,7 @@ _kdc_do_524(krb5_context context, unsigned char buf[MAX_KTXT_LEN + 4 * 4]; size_t len; int kvno = 0; - + if(!config->enable_524) { ret = KRB5KDC_ERR_POLICY; kdc_log(context, config, 0, 
@@ -342,7 +342,7 @@ _kdc_do_524(krb5_context context, "Failed to decrypt ticket from %s for %s", from, spn); goto out; }
- ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
+ ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, &et, &len); krb5_data_free(&et_data); if(ret){
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index 87952ca6eb..60fbc92903 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -1,35 +1,35 @@ /* - * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). * - * All rights reserved. + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" 
@@ -68,32 +68,32 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->logf = NULL; c->require_preauth = - krb5_config_get_bool_default(context, NULL, + krb5_config_get_bool_default(context, NULL, c->require_preauth, "kdc", "require-preauth", NULL); - c->enable_v4 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, + c->enable_v4 = + krb5_config_get_bool_default(context, NULL, + c->enable_v4, "kdc", "enable-kerberos4", NULL); c->enable_v4_cross_realm = krb5_config_get_bool_default(context, NULL, - c->enable_v4_cross_realm, + c->enable_v4_cross_realm, "kdc", "enable-kerberos4-cross-realm", NULL); c->enable_524 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, + krb5_config_get_bool_default(context, NULL, + c->enable_v4, "kdc", "enable-524", NULL); - c->enable_digest = - krb5_config_get_bool_default(context, NULL, + c->enable_digest = + krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "enable-digest", NULL); { const char *digests; - digests = krb5_config_get_string(context, NULL, - "kdc", + digests = krb5_config_get_string(context, NULL, + "kdc", "digests_allowed", NULL); if (digests == NULL) digests = "ntlm-v2"; @@ -111,17 +111,17 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } } - c->enable_kx509 = - krb5_config_get_bool_default(context, NULL, - FALSE, + c->enable_kx509 = + krb5_config_get_bool_default(context, NULL, + FALSE, "kdc", "enable-kx509", NULL); if (c->enable_kx509) { c->kx509_template = - krb5_config_get_string(context, NULL, + krb5_config_get_string(context, NULL, "kdc", "kx509_template", NULL); c->kx509_ca = - krb5_config_get_string(context, NULL, + krb5_config_get_string(context, NULL, "kdc", "kx509_ca", NULL); if (c->kx509_ca == NULL || c->kx509_template == NULL) { kdc_log(context, c, 0, 
@@ -130,26 +130,26 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } } - c->check_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - c->check_ticket_addresses, - "kdc", + c->check_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + c->check_ticket_addresses, + "kdc", "check-ticket-addresses", NULL); - c->allow_null_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - c->allow_null_ticket_addresses, - "kdc", + c->allow_null_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + c->allow_null_ticket_addresses, + "kdc", "allow-null-ticket-addresses", NULL); - c->allow_anonymous = - krb5_config_get_bool_default(context, NULL, + c->allow_anonymous = + krb5_config_get_bool_default(context, NULL, c->allow_anonymous, - "kdc", + "kdc", "allow-anonymous", NULL); c->max_datagram_reply_length = - krb5_config_get_int_default(context, - NULL, + krb5_config_get_int_default(context, + NULL, 1400, "kdc", "max-kdc-datagram-reply-length", @@ -158,8 +158,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) { const char *trpolicy_str; - trpolicy_str = - krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", + trpolicy_str = + krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", "transited-policy", NULL); if(strcasecmp(trpolicy_str, "always-check") == 0) { c->trpolicy = TRPOLICY_ALWAYS_CHECK; 
@@ -167,19 +167,19 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; - } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { + } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { /* default */ } else { kdc_log(context, c, 0, "unknown transited-policy: %s, " - "reverting to default (always-check)", + "reverting to default (always-check)", trpolicy_str); } } { const char *p; - p = krb5_config_get_string (context, NULL, + p = krb5_config_get_string (context, NULL, "kdc", "v4-realm", NULL); @@ -192,19 +192,19 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } } - c->enable_kaserver = - krb5_config_get_bool_default(context, - NULL, + c->enable_kaserver = + krb5_config_get_bool_default(context, + NULL, c->enable_kaserver, "kdc", "enable-kaserver", NULL); c->encode_as_rep_as_tgs_rep = - krb5_config_get_bool_default(context, NULL, - c->encode_as_rep_as_tgs_rep, - "kdc", + krb5_config_get_bool_default(context, NULL, + c->encode_as_rep_as_tgs_rep, + "kdc", "encode_as_rep_as_tgs_rep", NULL); - + c->kdc_warn_pwexpire = krb5_config_get_time_default (context, NULL, c->kdc_warn_pwexpire, @@ -212,9 +212,9 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) #ifdef PKINIT - c->enable_pkinit = - krb5_config_get_bool_default(context, - NULL, + c->enable_pkinit = + krb5_config_get_bool_default(context, + NULL, c->enable_pkinit, "kdc", "enable-pkinit", @@ -223,7 +223,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) const char *user_id, *anchors, *ocsp_file; char **pool_list, **revoke_list; - user_id = + user_id = krb5_config_get_string(context, NULL, "kdc", "pkinit_identity", NULL); if (user_id == NULL) 
@@ -242,7 +242,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) krb5_config_get_strings(context, NULL, "kdc", "pkinit_revoke", NULL);
- ocsp_file =
+ ocsp_file = krb5_config_get_string(context, NULL, "kdc", "pkinit_kdc_ocsp", NULL); if (ocsp_file) {
@@ -251,20 +251,20 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) krb5_errx(context, 1, "out of memory"); }
- _kdc_pk_initialize(context, c, user_id, anchors,
+ _kdc_pk_initialize(context, c, user_id, anchors, pool_list, revoke_list); krb5_config_free_strings(pool_list); krb5_config_free_strings(revoke_list);
- c->pkinit_princ_in_cert =
+ c->pkinit_princ_in_cert = krb5_config_get_bool_default(context, NULL, c->pkinit_princ_in_cert, "kdc", "pkinit_principal_in_certificate", NULL);
- c->pkinit_require_binding =
+ c->pkinit_require_binding = krb5_config_get_bool_default(context, NULL, c->pkinit_require_binding, "kdc",
@@ -273,7 +273,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } c->pkinit_dh_min_bits =
- krb5_config_get_int_default(context, NULL,
+ krb5_config_get_int_default(context, NULL, 0, "kdc", "pkinit_dh_min_bits", NULL);
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index 401ca1db11..96986c1a87 100644
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -1,34 +1,34 @@ /* - * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -63,7 +63,7 @@ get_digest_key(krb5_context context, krb5_error_code ret; krb5_enctype enctype; Key *key; - + ret = _kdc_get_preferred_key(context, config, server, @@ -115,8 +115,8 @@ fill_targetinfo(krb5_context context, ti.domainname = targetname; p = client->entry.principal; str = krb5_principal_get_comp_string(context, p, 0); - if (str != NULL && - (strcmp("host", str) == 0 || + if (str != NULL && + (strcmp("host", str) == 0 || strcmp("ftp", str) == 0 || strcmp("imap", str) == 0 || strcmp("pop", str) == 0 || 
@@ -125,7 +125,7 @@ fill_targetinfo(krb5_context context, str = krb5_principal_get_comp_string(context, p, 1); ti.dnsservername = rk_UNCONST(str); } - + ret = heim_ntlm_encode_targetinfo(&ti, 1, &d); if (ret) return ret; @@ -199,7 +199,7 @@ get_password_entry(krb5_context context, */ krb5_error_code -_kdc_do_digest(krb5_context context, +_kdc_do_digest(krb5_context context, krb5_kdc_configuration *config, const DigestREQ *req, krb5_data *reply, const char *from, struct sockaddr *addr) @@ -223,7 +223,7 @@ _kdc_do_digest(krb5_context context, krb5_data serverNonce; if(!config->enable_digest) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Rejected digest request (disabled) from %s", from); return KRB5KDC_ERR_POLICY; } @@ -243,7 +243,7 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = krb5_rd_req(context, + ret = krb5_rd_req(context, &ac, &req->apReq, NULL, @@ -288,7 +288,7 @@ _kdc_do_digest(krb5_context context, krb5_free_principal(context, principal); goto out; } - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = _kdc_db_fetch(context, config, principal, HDB_F_GET_SERVER, NULL, &server); @@ -319,9 +319,9 @@ _kdc_do_digest(krb5_context context, goto out; if (client->entry.flags.allow_digest == 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Client %s tried to use digest " - "but is not allowed to", + "but is not allowed to", client_name); ret = KRB5KDC_ERR_POLICY; krb5_set_error_message(context, ret, @@ -355,7 +355,7 @@ _kdc_do_digest(krb5_context context, crypto = NULL; if (ret) goto out; - + ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL); krb5_data_free(&buf); if (ret) { @@ -363,7 +363,7 @@ _kdc_do_digest(krb5_context context, goto out; } - kdc_log(context, config, 0, "Valid digest request from %s (%s)", + kdc_log(context, config, 0, "Valid digest request from %s (%s)", client_name, from); /* 
@@ -399,7 +399,7 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_stringz(sp, ireq.u.init.type); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -421,12 +421,12 @@ _kdc_do_digest(krb5_context context, ret = krb5_store_stringz(sp, r.u.initReply.nonce); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } if (strcasecmp(ireq.u.init.type, "CHAP") == 0) { - r.u.initReply.identifier = + r.u.initReply.identifier = malloc(sizeof(*r.u.initReply.identifier)); if (r.u.initReply.identifier == NULL) { ret = ENOMEM; @@ -447,14 +447,14 @@ _kdc_do_digest(krb5_context context, if (ireq.u.init.hostname) { ret = krb5_store_stringz(sp, *ireq.u.init.hostname); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -488,7 +488,7 @@ _kdc_do_digest(krb5_context context, hex_encode(buf.data, buf.length, &r.u.initReply.opaque); free(buf.data); if (r.u.initReply.opaque == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -507,7 +507,7 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_stringz(sp, ireq.u.digestRequest.type); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -516,7 +516,7 @@ _kdc_do_digest(krb5_context context, if (ireq.u.digestRequest.hostname) { ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } @@ -546,7 +546,7 @@ _kdc_do_digest(krb5_context context, ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } 
@@ -557,15 +557,15 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + /* * CHAP does the checksum of the raw nonce, but do it for all * types, since we need to check the timestamp. */ { ssize_t ssize; - - ssize = hex_decode(ireq.u.digestRequest.serverNonce, + + ssize = hex_decode(ireq.u.digestRequest.serverNonce, serverNonce.data, serverNonce.length); if (ssize <= 0) { ret = ENOMEM; @@ -579,7 +579,7 @@ _kdc_do_digest(krb5_context context, if (ret) goto out; - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, crypto, KRB5_KU_DIGEST_OPAQUE, buf.data, buf.length, &res); krb5_crypto_destroy(context, crypto); @@ -591,7 +591,7 @@ _kdc_do_digest(krb5_context context, { unsigned char *p = serverNonce.data; uint32_t t; - + if (serverNonce.length < 4) { ret = EINVAL; krb5_set_error_message(context, ret, "server nonce too short"); @@ -623,14 +623,14 @@ _kdc_do_digest(krb5_context context, "from CHAP request"); goto out; } - + if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) { ret = EINVAL; krb5_set_error_message(context, ret, "failed to decode identifier"); goto out; } - - ret = get_password_entry(context, config, + + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); if (ret) @@ -644,7 +644,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -656,7 +656,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "CHAP reply mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; 
@@ -673,16 +673,16 @@ _kdc_do_digest(krb5_context context, goto out; } - if (ireq.u.digestRequest.nonceCount == NULL) + if (ireq.u.digestRequest.nonceCount == NULL) goto out; - if (ireq.u.digestRequest.clientNonce == NULL) + if (ireq.u.digestRequest.clientNonce == NULL) goto out; - if (ireq.u.digestRequest.qop == NULL) + if (ireq.u.digestRequest.qop == NULL) goto out; - if (ireq.u.digestRequest.realm == NULL) + if (ireq.u.digestRequest.realm == NULL) goto out; - - ret = get_password_entry(context, config, + + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); if (ret) @@ -697,7 +697,7 @@ _kdc_do_digest(krb5_context context, MD5_Update(&ctx, ":", 1); MD5_Update(&ctx, password, strlen(password)); MD5_Final(md, &ctx); - + MD5_Init(&ctx); MD5_Update(&ctx, md, sizeof(md)); MD5_Update(&ctx, ":", 1); @@ -718,7 +718,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto failed; } - + MD5_Init(&ctx); MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); MD5_Update(&ctx, *ireq.u.digestRequest.uri, @@ -729,7 +729,7 @@ _kdc_do_digest(krb5_context context, static char conf_zeros[] = ":00000000000000000000000000000000"; MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); } - + MD5_Final(md, &ctx); hex_encode(md, sizeof(md), &A2); if (A2 == NULL) { @@ -763,7 +763,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -774,7 +774,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "DIGEST-MD5 reply mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; 
@@ -796,13 +796,13 @@ _kdc_do_digest(krb5_context context, if (ireq.u.digestRequest.clientNonce == NULL) { ret = EINVAL; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 clientNonce missing"); goto failed; - } + } if (serverNonce.length != 16) { ret = EINVAL; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 serverNonce wrong length"); goto failed; } @@ -828,11 +828,11 @@ _kdc_do_digest(krb5_context context, goto out; } - ssize = hex_decode(*ireq.u.digestRequest.clientNonce, + ssize = hex_decode(*ireq.u.digestRequest.clientNonce, clientNonce.data, clientNonce.length); if (ssize != 16) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Failed to decode clientNonce"); goto out; } @@ -847,21 +847,21 @@ _kdc_do_digest(krb5_context context, ret = krb5_parse_name(context, username, &clientprincipal); if (ret) goto failed; - + ret = _kdc_db_fetch(context, config, clientprincipal, HDB_F_GET_CLIENT, NULL, &user); krb5_free_principal(context, clientprincipal); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 user %s not in database", username); goto failed; } - ret = hdb_enctype2key(context, &user->entry, + ret = hdb_enctype2key(context, &user->entry, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 missing arcfour key %s", username); goto failed; @@ -875,11 +875,11 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + hex_encode(answer.data, answer.length, &mdx); if (mdx == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } 
@@ -889,7 +889,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "MS-CHAP-V2 hash mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; @@ -904,7 +904,7 @@ _kdc_do_digest(krb5_context context, MD4_CTX hctx; MD4_Init(&hctx); - MD4_Update(&hctx, key->key.keyvalue.data, + MD4_Update(&hctx, key->key.keyvalue.data, key->key.keyvalue.length); MD4_Final(hashhash, &hctx); } @@ -925,7 +925,7 @@ _kdc_do_digest(krb5_context context, r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -933,7 +933,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), r.u.response.rsp); if (r.u.response.rsp == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -947,24 +947,24 @@ _kdc_do_digest(krb5_context context, free(answer.data); - r.u.response.session_key = + r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); if (r.u.response.session_key == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } ret = krb5_data_copy(r.u.response.session_key, md, 16); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } } else { r.element = choice_DigestRepInner_error; - asprintf(&r.u.error.reason, "Unsupported digest type %s", + asprintf(&r.u.error.reason, "Unsupported digest type %s", ireq.u.digestRequest.type); if (r.u.error.reason == NULL) { ret = ENOMEM; @@ -1002,7 +1002,7 @@ _kdc_do_digest(krb5_context context, goto failed; } - r.u.ntlmInitReply.flags |= + r.u.ntlmInitReply.flags |= NTLM_NEG_TARGET | NTLM_TARGET_DOMAIN | NTLM_ENC_128; 
@@ -1018,7 +1018,7 @@ _kdc_do_digest(krb5_context context, #undef ALL - r.u.ntlmInitReply.targetname = + r.u.ntlmInitReply.targetname = get_ntlm_targetname(context, client); if (r.u.ntlmInitReply.targetname == NULL) { ret = ENOMEM; @@ -1033,7 +1033,7 @@ _kdc_do_digest(krb5_context context, } r.u.ntlmInitReply.challange.length = 8; if (RAND_bytes(r.u.ntlmInitReply.challange.data, - r.u.ntlmInitReply.challange.length) != 1) + r.u.ntlmInitReply.challange.length) != 1) { ret = ENOMEM; krb5_set_error_message(context, ret, "out of random error"); @@ -1057,7 +1057,7 @@ _kdc_do_digest(krb5_context context, goto out; } - /* + /* * Save data encryted in opaque for the second part of the * ntlm authentication */ @@ -1076,13 +1076,13 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -1109,7 +1109,7 @@ _kdc_do_digest(krb5_context context, uint32_t flags; Key *key = NULL; int version; - + r.element = choice_DigestRepInner_ntlmResponse; r.u.ntlmResponse.success = 0; r.u.ntlmResponse.flags = 0; @@ -1142,7 +1142,7 @@ _kdc_do_digest(krb5_context context, krb5_crypto_destroy(context, crypto); crypto = NULL; if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed to decrypt nonce from %s", from); goto failed; } @@ -1173,7 +1173,7 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = hdb_enctype2key(context, &user->entry, + ret = hdb_enctype2key(context, &user->entry, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { krb5_set_error_message(context, ret, "NTLM missing arcfour key"); @@ -1255,7 +1255,7 @@ _kdc_do_digest(krb5_context context, goto failed; } } - + ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data, key->key.keyvalue.length, challange, &answer); 
@@ -1263,7 +1263,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + if (ireq.u.ntlmRequest.ntlm.length != answer.length || memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0) { @@ -1278,7 +1278,7 @@ _kdc_do_digest(krb5_context context, MD4_CTX ctx; MD4_Init(&ctx); - MD4_Update(&ctx, + MD4_Update(&ctx, key->key.keyvalue.data, key->key.keyvalue.length); MD4_Final(sessionkey, &ctx); } @@ -1288,7 +1288,7 @@ _kdc_do_digest(krb5_context context, unsigned char masterkey[MD4_DIGEST_LENGTH]; RC4_KEY rc4; size_t len; - + if ((flags & NTLM_NEG_KEYEX) == 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1296,7 +1296,7 @@ _kdc_do_digest(krb5_context context, "exchange but still sent key"); goto failed; } - + len = ireq.u.ntlmRequest.sessionkey->length; if (len != sizeof(masterkey)){ ret = EINVAL; @@ -1305,22 +1305,22 @@ _kdc_do_digest(krb5_context context, (unsigned long)len); goto failed; } - + RC4_set_key(&rc4, sizeof(sessionkey), sessionkey); - + RC4(&rc4, sizeof(masterkey), - ireq.u.ntlmRequest.sessionkey->data, + ireq.u.ntlmRequest.sessionkey->data, masterkey); memset(&rc4, 0, sizeof(rc4)); - - r.u.ntlmResponse.sessionkey = + + r.u.ntlmResponse.sessionkey = malloc(sizeof(*r.u.ntlmResponse.sessionkey)); if (r.u.ntlmResponse.sessionkey == NULL) { ret = EINVAL; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + ret = krb5_data_copy(r.u.ntlmResponse.sessionkey, masterkey, sizeof(masterkey)); if (ret) { @@ -1364,7 +1364,7 @@ _kdc_do_digest(krb5_context context, s = krb5_get_error_message(context, ret); if (s == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } 
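Review bot: The NTLM verification in the `-1263` hunk compares the client's response against the KDC-computed answer with `memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0`, which returns at the first differing byte and so leaks how much of the response prefix was correct through timing; an authentication check should use a constant-time comparison (e.g. `ct_memcmp`, or a loop that ORs all byte differences) after the length check. In the `-1305` hunk the RC4 key schedule is cleared with a plain `memset(&rc4, 0, sizeof(rc4))` on a local that is never read again, which a compiler may legitimately drop as a dead store, leaving the session-key RC4 state on the stack; if the tree has a non-elidable zeroization helper it should be used there (I cannot see from this hunk whether one exists). These hunks only touch trailing whitespace, and `_kdc_do_digest` starts and ends outside them.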
@@ -1410,10 +1410,10 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, + ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, buf.data, buf.length, 0, &rep.innerRep); - + ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret); if (ret) { krb5_set_error_message(context, ret, "Failed to encode digest reply"); @@ -1422,7 +1422,7 @@ _kdc_do_digest(krb5_context context, if (size != reply->length) krb5_abortx(context, "ASN1 internal error"); - + out: if (ac) krb5_auth_con_free(context, ac); diff --git a/source4/heimdal/kdc/headers.h b/source4/heimdal/kdc/headers.h index c2bd4c5b4f..3635d3c56a 100644 --- a/source4/heimdal/kdc/headers.h +++ b/source4/heimdal/kdc/headers.h 
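Review bot: The return value of `krb5_encrypt_EncryptedData(...)` in the `-1410` hunk is assigned to `ret` but never tested: the very next statement, `ASN1_MALLOC_ENCODE(DigestREP, ..., &size, ret)`, overwrites `ret`, so an encryption failure is silently discarded and the reply is encoded (and, as far as this hunk shows, sent) with whatever `rep.innerRep` holds at that point. Insert a check between the two calls, e.g. `if (ret) { krb5_set_error_message(context, ret, "Failed to encrypt digest reply"); goto out; }`, mirroring the handling already used for the encode error on the following line. Whether `crypto` needs to be destroyed on that path depends on cleanup code at `out:` that is not visible here, so verify the label frees it. This hunk only strips trailing whitespace, and `_kdc_do_digest` begins outside it.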
@@ -1,38 +1,38 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - * $Id$ +/* + * $Id$ */ #ifndef __HEADERS_H__ diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 8f3c3e02ea..9226ae115d 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -192,8 +192,8 @@ init_reply_header (struct rx_header *hdr, } /* - * Create an error `reply´ using for the packet `hdr' with the error - * `error´ code. + * Create an error `reply´ using for the packet `hdr' with the error + * `error´ code. */ static void make_error_reply (struct rx_header *hdr, @@ -280,7 +280,7 @@ krb5_store_xdr_data(krb5_storage *sp, static krb5_error_code -create_reply_ticket (krb5_context context, +create_reply_ticket (krb5_context context, struct rx_header *hdr, Key *skey, char *name, char *instance, char *realm, 
@@ -430,7 +430,7 @@ unparse_auth_args (krb5_storage *sp, } static void -do_authenticate (krb5_context context, +do_authenticate (krb5_context context, krb5_kdc_configuration *config, struct rx_header *hdr, krb5_storage *sp, @@ -473,7 +473,7 @@ do_authenticate (krb5_context context, kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch4 (context, config, name, instance, + ret = _kdc_db_fetch4 (context, config, name, instance, config->v4_realm, HDB_F_GET_CLIENT, &client_entry); if (ret) { @@ -483,8 +483,8 @@ do_authenticate (krb5_context context, goto out; } - ret = _kdc_db_fetch4 (context, config, "krbtgt", - config->v4_realm, config->v4_realm, + ret = _kdc_db_fetch4 (context, config, "krbtgt", + config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", @@ -564,7 +564,7 @@ do_authenticate (krb5_context context, life = krb_time_to_life(kdc_time, kdc_time + max_life); - create_reply_ticket (context, + create_reply_ticket (context, hdr, skey, name, instance, config->v4_realm, addr, life, server_entry->entry.kvno, @@ -643,7 +643,7 @@ unparse_getticket_args (krb5_storage *sp, } static void -do_getticket (krb5_context context, +do_getticket (krb5_context context, krb5_kdc_configuration *config, struct rx_header *hdr, krb5_storage *sp, @@ -690,7 +690,7 @@ do_getticket (krb5_context context, snprintf (server_name, sizeof(server_name), "%s.%s@%s", name, instance, config->v4_realm); - ret = _kdc_db_fetch4 (context, config, name, instance, + ret = _kdc_db_fetch4 (context, config, name, instance, config->v4_realm, HDB_F_GET_SERVER, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", 
@@ -699,7 +699,7 @@ do_getticket (krb5_context context, goto out; } - ret = _kdc_db_fetch4 (context, config, "krbtgt", + ret = _kdc_db_fetch4 (context, config, "krbtgt", config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry); if (ret) { kdc_log(context, config, 0, @@ -734,7 +734,7 @@ do_getticket (krb5_context context, char *sname = NULL; char *sinstance = NULL; - ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, + ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, config->v4_realm, &sname, &sinstance, &ad); if (ret) { @@ -772,7 +772,7 @@ do_getticket (krb5_context context, kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch4 (context, config, + ret = _kdc_db_fetch4 (context, config, ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT, &client_entry); if(ret && ret != HDB_ERR_NOENTRY) { @@ -783,14 +783,14 @@ do_getticket (krb5_context context, goto out; } if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Local client not found in database: (krb4) " "%s", client_name); make_error_reply (hdr, KANOENT, reply); goto out; } - ret = _kdc_check_flags (context, config, + ret = _kdc_check_flags (context, config, client_entry, client_name, server_entry, server_name, FALSE); @@ -839,7 +839,7 @@ do_getticket (krb5_context context, life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life); - create_reply_ticket (context, + create_reply_ticket (context, hdr, skey, ad.pname, ad.pinst, ad.prealm, addr, life, server_entry->entry.kvno, @@ -847,7 +847,7 @@ do_getticket (krb5_context context, name, instance, 0, "gtkt", &ad.session, reply); - + out: _krb5_krb_free_auth_data(context, &ad); if (aticket.length) { 
@@ -871,7 +871,7 @@ do_getticket (krb5_context context, } krb5_error_code -_kdc_do_kaserver(krb5_context context, +_kdc_do_kaserver(krb5_context context, krb5_kdc_configuration *config, unsigned char *buf, size_t len, diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index f0edae721f..843bd5fa56 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h 
@@ -1,41 +1,41 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). * * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org> - * - * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * All rights reserved. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - * $Id$ +/* + * $Id$ */ #ifndef __KDC_H__ @@ -45,7 +45,7 @@ enum krb5_kdc_trpolicy { TRPOLICY_ALWAYS_CHECK, - TRPOLICY_ALLOW_PER_PRINCIPAL, + TRPOLICY_ALLOW_PER_PRINCIPAL, TRPOLICY_ALWAYS_HONOUR_REQUEST }; diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h index 6ce4a9f40f..8e34c50049 100644 --- a/source4/heimdal/kdc/kdc_locl.h +++ b/source4/heimdal/kdc/kdc_locl.h 
@@ -1,38 +1,38 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - * $Id$ +/* + * $Id$ */ #ifndef __KDC_LOCL_H__ diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index 3e9a70057e..2bd2383940 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -58,7 +58,7 @@ static void make_err_reply(krb5_context context, krb5_data *reply, int code, const char *msg) { - _krb5_krb_cr_err_reply(context, "", "", "", + _krb5_krb_cr_err_reply(context, "", "", "", kdc_time, code, msg, reply); } @@ -106,8 +106,8 @@ _kdc_db_fetch4(krb5_context context, ctx.config = config; ctx.flags = flags; - - ret = krb5_425_conv_principal_ext2(context, name, instance, realm, + + ret = krb5_425_conv_principal_ext2(context, name, instance, realm, valid_princ, &ctx, 0, &p); if(ret) return ret; 
@@ -125,7 +125,7 @@ _kdc_db_fetch4(krb5_context context, */ krb5_error_code -_kdc_do_version4(krb5_context context, +_kdc_do_version4(krb5_context context, krb5_kdc_configuration *config, unsigned char *buf, size_t len, @@ -193,7 +193,7 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch4(context, config, name, inst, realm, + ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_F_GET_CLIENT, &client); if(ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", @@ -212,7 +212,7 @@ _kdc_do_version4(krb5_context context, goto out1; } - ret = _kdc_check_flags (context, config, + ret = _kdc_check_flags (context, config, client, client_name, server, server_name, TRUE); @@ -254,7 +254,7 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for client"); - make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for client"); goto out1; } @@ -262,7 +262,7 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for server"); - make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out1; } @@ -274,7 +274,7 @@ _kdc_do_version4(krb5_context context, max_life = min(max_life, *server->entry.max_life); life = krb_time_to_life(kdc_time, kdc_time + max_life); - + ret = krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session); 
@@ -318,7 +318,7 @@ _kdc_do_version4(krb5_context context, krb5_free_keyblock_contents(context, &session); krb5_data_free(&ticket); if (ret) { - make_err_reply(context, reply, KFAILURE, + make_err_reply(context, reply, KFAILURE, "Failed to create v4 cipher"); goto out1; } @@ -362,9 +362,9 @@ _kdc_do_version4(krb5_context context, &tgt_princ); if(ret){ kdc_log(context, config, 0, - "Converting krbtgt principal (krb4): %s", + "Converting krbtgt principal (krb4): %s", krb5_get_err_text(context, ret)); - make_err_reply(context, reply, KFAILURE, + make_err_reply(context, reply, KFAILURE, "Failed to convert v4 principal (krbtgt)"); goto out2; } @@ -374,7 +374,7 @@ _kdc_do_version4(krb5_context context, if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " - "found in database (krb4): krbtgt.%s@%s: %s", + "found in database (krb4): krbtgt.%s@%s: %s", realm, config->v4_realm, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KFAILURE, s); @@ -385,7 +385,7 @@ _kdc_do_version4(krb5_context context, if(tgt->entry.kvno % 256 != kvno){ kdc_log(context, config, 0, "tgs-req (krb4) with old kvno %d (current %d) for " - "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, + "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, realm, config->v4_realm); make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP, "old krbtgt kvno used"); @@ -394,9 +394,9 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey); if(ret){ - kdc_log(context, config, 0, + kdc_log(context, config, 0, "no suitable DES key for krbtgt (krb4)"); - make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for krbtgt"); goto out2; } @@ -414,7 +414,7 @@ _kdc_do_version4(krb5_context context, else address = 0; - ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, + ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, config->v4_realm, address, &tkey->key, &ad); if(ret){ 
@@ -440,15 +440,15 @@ _kdc_do_version4(krb5_context context, client_name, from, server_name); if(strcmp(ad.prealm, realm)){ - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); - make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't hop realms"); goto out2; } if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "krb4 Cross-realm %s -> %s disabled", realm, config->v4_realm); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, @@ -457,9 +457,9 @@ _kdc_do_version4(krb5_context context, } if(strcmp(sname, "changepw") == 0){ - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Bad request for changepw ticket (krb4)"); - make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't authorize password change based on TGT"); goto out2; } @@ -497,7 +497,7 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_check_flags (context, config, + ret = _kdc_check_flags (context, config, client, client_name, server, server_name, FALSE); @@ -509,9 +509,9 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ - kdc_log(context, config, 0, + kdc_log(context, config, 0, "no suitable DES key for server (krb4)"); - make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out2; } @@ -589,7 +589,7 @@ _kdc_do_version4(krb5_context context, "failed to create v4 cipher"); goto out2; } - + ret = _krb5_krb_create_auth_reply(context, ad.pname, ad.pinst, 
@@ -614,7 +614,7 @@ _kdc_do_version4(krb5_context context, ret = EINVAL; break; default: - kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", + kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", msg_type, from); make_err_reply(context, reply, KFAILURE, "Unknown message type"); @@ -640,7 +640,7 @@ _kdc_do_version4(krb5_context context, } krb5_error_code -_kdc_encode_v4_ticket(krb5_context context, +_kdc_encode_v4_ticket(krb5_context context, krb5_kdc_configuration *config, void *buf, size_t len, const EncTicketPart *et, const PrincipalName *service, size_t *size) @@ -656,7 +656,7 @@ _kdc_encode_v4_ticket(krb5_context context, &princ, *service, et->crealm); - ret = krb5_524_conv_principal(context, + ret = krb5_524_conv_principal(context, princ, sname, sinst, @@ -669,8 +669,8 @@ _kdc_encode_v4_ticket(krb5_context context, &princ, et->cname, et->crealm); - - ret = krb5_524_conv_principal(context, + + ret = krb5_524_conv_principal(context, princ, name, inst, @@ -681,7 +681,7 @@ _kdc_encode_v4_ticket(krb5_context context, return ret; sp = krb5_storage_emem(); - + krb5_store_int8(sp, 0); /* flags */ krb5_store_stringz(sp, name); krb5_store_stringz(sp, inst); @@ -702,11 +702,11 @@ _kdc_encode_v4_ticket(krb5_context context, if((et->key.keytype != ETYPE_DES_CBC_MD5 && et->key.keytype != ETYPE_DES_CBC_MD4 && - et->key.keytype != ETYPE_DES_CBC_CRC) || + et->key.keytype != ETYPE_DES_CBC_CRC) || et->key.keyvalue.length != 8) return -1; krb5_storage_write(sp, et->key.keyvalue.data, 8); - + { time_t start = et->starttime ? *et->starttime : et->authtime; krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); @@ -715,7 +715,7 @@ _kdc_encode_v4_ticket(krb5_context context, krb5_store_stringz(sp, sname); krb5_store_stringz(sp, sinst); - + { krb5_data data; krb5_storage_to_data(sp, &data); 
@@ -731,19 +731,19 @@ _kdc_encode_v4_ticket(krb5_context context, } krb5_error_code -_kdc_get_des_key(krb5_context context, - hdb_entry_ex *principal, krb5_boolean is_server, +_kdc_get_des_key(krb5_context context, + hdb_entry_ex *principal, krb5_boolean is_server, krb5_boolean prefer_afs_key, Key **ret_key) { Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; int i; - krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, + krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, + ETYPE_DES_CBC_MD4, ETYPE_DES_CBC_CRC }; for(i = 0; i < sizeof(etypes)/sizeof(etypes[0]) - && (v5_key == NULL || v4_key == NULL || + && (v5_key == NULL || v4_key == NULL || afs_key == NULL || server_key == NULL); ++i) { Key *key = NULL; @@ -751,7 +751,7 @@ _kdc_get_des_key(krb5_context context, if(key->salt == NULL) { if(v5_key == NULL) v5_key = key; - } else if(key->salt->type == hdb_pw_salt && + } else if(key->salt->type == hdb_pw_salt && key->salt->salt.length == 0) { if(v4_key == NULL) v4_key = key; diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 7930ef42e4..c715e0812f 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -126,7 +126,7 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key) krb5_error_code _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, - krb5_enctype *etypes, unsigned len, + krb5_enctype *etypes, unsigned len, Key **ret_key, krb5_enctype *ret_etype) { int i; 
@@ -178,44 +178,44 @@ _kdc_make_anonymous_principalname (PrincipalName *pn) } void -_kdc_log_timestamp(krb5_context context, +_kdc_log_timestamp(krb5_context context, krb5_kdc_configuration *config, const char *type, - KerberosTime authtime, KerberosTime *starttime, + KerberosTime authtime, KerberosTime *starttime, KerberosTime endtime, KerberosTime *renew_till) { - char authtime_str[100], starttime_str[100], + char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100]; - - krb5_format_time(context, authtime, - authtime_str, sizeof(authtime_str), TRUE); + + krb5_format_time(context, authtime, + authtime_str, sizeof(authtime_str), TRUE); if (starttime) - krb5_format_time(context, *starttime, - starttime_str, sizeof(starttime_str), TRUE); + krb5_format_time(context, *starttime, + starttime_str, sizeof(starttime_str), TRUE); else strlcpy(starttime_str, "unset", sizeof(starttime_str)); - krb5_format_time(context, endtime, - endtime_str, sizeof(endtime_str), TRUE); + krb5_format_time(context, endtime, + endtime_str, sizeof(endtime_str), TRUE); if (renew_till) - krb5_format_time(context, *renew_till, - renewtime_str, sizeof(renewtime_str), TRUE); + krb5_format_time(context, *renew_till, + renewtime_str, sizeof(renewtime_str), TRUE); else strlcpy(renewtime_str, "unset", sizeof(renewtime_str)); - + kdc_log(context, config, 5, "%s authtime: %s starttime: %s endtime: %s renew till: %s", type, authtime_str, starttime_str, endtime_str, renewtime_str); } static void -log_patypes(krb5_context context, +log_patypes(krb5_context context, krb5_kdc_configuration *config, METHOD_DATA *padata) { struct rk_strpool *p = NULL; char *str; int i; - + for (i = 0; i < padata->len; i++) { switch(padata->val[i].padata_type) { case KRB5_PADATA_PK_AS_REQ: 
@@ -257,8 +257,8 @@ log_patypes(krb5_context context, krb5_error_code _kdc_encode_reply(krb5_context context, krb5_kdc_configuration *config, - KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, - krb5_enctype etype, + KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, + krb5_enctype etype, int skvno, const EncryptionKey *skey, int ckvno, const EncryptionKey *ckey, const char **e_text, @@ -272,7 +272,7 @@ _kdc_encode_reply(krb5_context context, ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); if(ret) { - kdc_log(context, config, 0, "Failed to encode ticket: %s", + kdc_log(context, config, 0, "Failed to encode ticket: %s", krb5_get_err_text(context, ret)); return ret; } @@ -291,7 +291,7 @@ _kdc_encode_reply(krb5_context context, return ret; } - ret = krb5_encrypt_EncryptedData(context, + ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_TICKET, buf, @@ -305,13 +305,13 @@ _kdc_encode_reply(krb5_context context, krb5_get_err_text(context, ret)); return ret; } - + if(rep->msg_type == krb_as_rep && !config->encode_as_rep_as_tgs_rep) ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret); else ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); if(ret) { - kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", + kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", krb5_get_err_text(context, ret)); return ret; } @@ -351,7 +351,7 @@ _kdc_encode_reply(krb5_context context, } krb5_crypto_destroy(context, crypto); if(ret) { - kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", + kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", krb5_get_err_text(context, ret)); return ret; } @@ -381,7 +381,7 @@ older_enctype(krb5_enctype enctype) case ETYPE_DES3_CBC_SHA1: case ETYPE_ARCFOUR_HMAC_MD5: case ETYPE_ARCFOUR_HMAC_MD5_56: - /* + /* * The following three is "old" windows enctypes and is needed for * windows 2000 hosts. */ 
@@ -423,7 +423,7 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key) else if(key->salt->type == hdb_afs3_salt) *ent->salttype = 2; else { - kdc_log(context, config, 0, "unknown salt-type: %d", + kdc_log(context, config, 0, "unknown salt-type: %d", key->salt->type); return KRB5KRB_ERR_GENERIC; } @@ -436,7 +436,7 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key) ALLOC(ent->salttype); *ent->salttype = key->salt->type; #else - /* + /* * We shouldn't sent salttype since it is incompatible with the * specification and it breaks windows clients. The afs * salting problem is solved by using KRB5-PADATA-AFS3-SALT @@ -459,9 +459,9 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key) } static krb5_error_code -get_pa_etype_info(krb5_context context, +get_pa_etype_info(krb5_context context, krb5_kdc_configuration *config, - METHOD_DATA *md, hdb_entry *client, + METHOD_DATA *md, hdb_entry *client, ENCTYPE *etypes, unsigned int etypes_len) { krb5_error_code ret = 0; @@ -470,7 +470,7 @@ get_pa_etype_info(krb5_context context, ETYPE_INFO pa; unsigned char *buf; size_t len; - + pa.len = client->keys.len; if(pa.len > UINT_MAX/sizeof(*pa.val)) @@ -492,8 +492,8 @@ get_pa_etype_info(krb5_context context, continue; if (n >= pa.len) krb5_abortx(context, "internal error: n >= p.len"); - if((ret = make_etype_info_entry(context, - &pa.val[n++], + if((ret = make_etype_info_entry(context, + &pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO(&pa); return ret; @@ -515,15 +515,15 @@ get_pa_etype_info(krb5_context context, continue; if (n >= pa.len) krb5_abortx(context, "internal error: n >= p.len"); - if((ret = make_etype_info_entry(context, - &pa.val[n++], + if((ret = make_etype_info_entry(context, + &pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO(&pa); return ret; } skip2:; } - + if(n < pa.len) { /* stripped out dups, newer enctypes, and not valid enctypes */ pa.len = n; 
@@ -584,8 +584,8 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) ent->s2kparams = NULL; return ENOMEM; } - _krb5_put_int(ent->s2kparams->data, - _krb5_AES_string_to_default_iterator, + _krb5_put_int(ent->s2kparams->data, + _krb5_AES_string_to_default_iterator, ent->s2kparams->length); break; case ETYPE_DES_CBC_CRC: @@ -603,7 +603,7 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) ent->s2kparams = NULL; return ENOMEM; } - _krb5_put_int(ent->s2kparams->data, + _krb5_put_int(ent->s2kparams->data, 1, ent->s2kparams->length); } @@ -621,9 +621,9 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) */ static krb5_error_code -get_pa_etype_info2(krb5_context context, +get_pa_etype_info2(krb5_context context, krb5_kdc_configuration *config, - METHOD_DATA *md, hdb_entry *client, + METHOD_DATA *md, hdb_entry *client, ENCTYPE *etypes, unsigned int etypes_len) { krb5_error_code ret = 0; @@ -651,7 +651,7 @@ get_pa_etype_info2(krb5_context context, continue; if (n >= pa.len) krb5_abortx(context, "internal error: n >= p.len"); - if((ret = make_etype_info2_entry(&pa.val[n++], + if((ret = make_etype_info2_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO2(&pa); return ret; @@ -679,7 +679,7 @@ get_pa_etype_info2(krb5_context context, } skip2:; } - + if(n < pa.len) { /* stripped out dups, and not valid enctypes */ pa.len = n; @@ -715,7 +715,7 @@ log_as_req(krb5_context context, struct rk_strpool *p = NULL; char *str; int i; - + for (i = 0; i < b->etype.len; i++) { ret = krb5_enctype_to_string(context, b->etype.val[i], &str); if (ret == 0) { @@ -732,7 +732,7 @@ log_as_req(krb5_context context, } if (p == NULL) p = rk_strpoolprintf(p, "no encryption types"); - + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client supported enctypes: %s", str); free(str); 
@@ -753,10 +753,10 @@ log_as_req(krb5_context context, if (ret != 0) kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype); } - + { char fixedstr[128]; - unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(), + unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(), fixedstr, sizeof(fixedstr)); if(*fixedstr) kdc_log(context, config, 2, "Requested flags: %s", fixedstr); @@ -770,7 +770,7 @@ log_as_req(krb5_context context, */ krb5_error_code -_kdc_check_flags(krb5_context context, +_kdc_check_flags(krb5_context context, krb5_kdc_configuration *config, hdb_entry_ex *client_ex, const char *client_name, hdb_entry_ex *server_ex, const char *server_name, @@ -781,7 +781,7 @@ _kdc_check_flags(krb5_context context, /* check client */ if (client->flags.invalid) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Client (%s) has invalid bit set", client_name); return KRB5KDC_ERR_POLICY; } 
@@ -794,38 +794,38 @@ _kdc_check_flags(krb5_context context, if (client->valid_start && *client->valid_start > kdc_time) { char starttime_str[100]; - krb5_format_time(context, *client->valid_start, - starttime_str, sizeof(starttime_str), TRUE); + krb5_format_time(context, *client->valid_start, + starttime_str, sizeof(starttime_str), TRUE); kdc_log(context, config, 0, - "Client not yet valid until %s -- %s", + "Client not yet valid until %s -- %s", starttime_str, client_name); return KRB5KDC_ERR_CLIENT_NOTYET; } if (client->valid_end && *client->valid_end < kdc_time) { char endtime_str[100]; - krb5_format_time(context, *client->valid_end, - endtime_str, sizeof(endtime_str), TRUE); + krb5_format_time(context, *client->valid_end, + endtime_str, sizeof(endtime_str), TRUE); kdc_log(context, config, 0, "Client expired at %s -- %s", endtime_str, client_name); return KRB5KDC_ERR_NAME_EXP; } - if (client->pw_end && *client->pw_end < kdc_time + if (client->pw_end && *client->pw_end < kdc_time && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100]; - krb5_format_time(context, *client->pw_end, - pwend_str, sizeof(pwend_str), TRUE); + krb5_format_time(context, *client->pw_end, + pwend_str, sizeof(pwend_str), TRUE); kdc_log(context, config, 0, - "Client's key has expired at %s -- %s", + "Client's key has expired at %s -- %s", pwend_str, client_name); return KRB5KDC_ERR_KEY_EXPIRED; } } /* check server */ - + if (server_ex != NULL) { hdb_entry *server = &server_ex->entry; @@ -849,8 +849,8 @@ _kdc_check_flags(krb5_context context, if (server->valid_start && *server->valid_start > kdc_time) { char starttime_str[100]; - krb5_format_time(context, *server->valid_start, - starttime_str, sizeof(starttime_str), TRUE); + krb5_format_time(context, *server->valid_start, + starttime_str, sizeof(starttime_str), TRUE); kdc_log(context, config, 0, "Server not yet valid until %s -- %s", starttime_str, server_name); 
@@ -859,20 +859,20 @@ _kdc_check_flags(krb5_context context, if (server->valid_end && *server->valid_end < kdc_time) { char endtime_str[100]; - krb5_format_time(context, *server->valid_end, - endtime_str, sizeof(endtime_str), TRUE); + krb5_format_time(context, *server->valid_end, + endtime_str, sizeof(endtime_str), TRUE); kdc_log(context, config, 0, - "Server expired at %s -- %s", + "Server expired at %s -- %s", endtime_str, server_name); return KRB5KDC_ERR_SERVICE_EXP; } if (server->pw_end && *server->pw_end < kdc_time) { char pwend_str[100]; - krb5_format_time(context, *server->pw_end, - pwend_str, sizeof(pwend_str), TRUE); + krb5_format_time(context, *server->pw_end, + pwend_str, sizeof(pwend_str), TRUE); kdc_log(context, config, 0, - "Server's key has expired at -- %s", + "Server's key has expired at -- %s", pwend_str, server_name); return KRB5KDC_ERR_KEY_EXPIRED; } @@ -887,7 +887,7 @@ _kdc_check_flags(krb5_context context, */ krb5_boolean -_kdc_check_addresses(krb5_context context, +_kdc_check_addresses(krb5_context context, krb5_kdc_configuration *config, HostAddresses *addresses, const struct sockaddr *from) { @@ -896,13 +896,13 @@ _kdc_check_addresses(krb5_context context, krb5_boolean result; krb5_boolean only_netbios = TRUE; int i; - + if(config->check_ticket_addresses == 0) return TRUE; if(addresses == NULL) return config->allow_null_ticket_addresses; - + for (i = 0; i < addresses->len; ++i) { if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) { only_netbios = FALSE; @@ -938,7 +938,7 @@ send_pac_p(krb5_context context, KDC_REQ *req) PA_PAC_REQUEST pacreq; const PA_DATA *pa; int i = 0; - + pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST); if (pa == NULL) return TRUE; 
@@ -961,10 +961,10 @@ send_pac_p(krb5_context context, KDC_REQ *req) */ krb5_error_code -_kdc_as_rep(krb5_context context, +_kdc_as_rep(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ *req, - const krb5_data *req_buffer, + KDC_REQ *req, + const krb5_data *req_buffer, krb5_data *reply, const char *from, struct sockaddr *from_addr, @@ -1008,11 +1008,11 @@ _kdc_as_rep(krb5_context context, ret = krb5_unparse_name(context, server_princ, &server_name); } if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "AS-REQ malformed server name from %s", from); goto out; } - + if(b->cname == NULL){ ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; @@ -1022,7 +1022,7 @@ _kdc_as_rep(krb5_context context, if (b->cname->name_string.len != 1) { kdc_log(context, config, 0, "AS-REQ malformed canon request from %s, " - "enterprise name with %d name components", + "enterprise name with %d name components", from, b->cname->name_string.len); ret = KRB5_PARSE_MALFORMED; goto out; @@ -1047,10 +1047,10 @@ _kdc_as_rep(krb5_context context, goto out; } - kdc_log(context, config, 0, "AS-REQ %s from %s for %s", + kdc_log(context, config, 0, "AS-REQ %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch(context, config, client_princ, + ret = _kdc_db_fetch(context, config, client_princ, HDB_F_GET_CLIENT | flags, NULL, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, @@ -1073,7 +1073,7 @@ _kdc_as_rep(krb5_context context, if(ret) goto out; - ret = _kdc_check_flags(context, config, + ret = _kdc_check_flags(context, config, client, client_name, server, server_name, TRUE); @@ -1091,7 +1091,7 @@ _kdc_as_rep(krb5_context context, log_patypes(context, config, req->padata); #ifdef PKINIT - kdc_log(context, config, 5, + kdc_log(context, config, 5, "Looking for PKINIT pa-data -- %s", client_name); e_text = "No PKINIT PA found"; 
@@ -1110,8 +1110,8 @@ _kdc_as_rep(krb5_context context, ret = _kdc_pk_rd_padata(context, config, req, pa, &pkp); if (ret) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(context, config, 5, - "Failed to decode PKINIT PA-DATA -- %s", + kdc_log(context, config, 5, + "Failed to decode PKINIT PA-DATA -- %s", client_name); goto ts_enc; } @@ -1135,7 +1135,7 @@ _kdc_as_rep(krb5_context context, found_pa = 1; et.flags.pre_authent = 1; kdc_log(context, config, 0, - "PKINIT pre-authentication succeeded -- %s using %s", + "PKINIT pre-authentication succeeded -- %s using %s", client_name, client_cert); free(client_cert); if (pkp) @@ -1143,7 +1143,7 @@ _kdc_as_rep(krb5_context context, } ts_enc: #endif - kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s", + kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s", client_name); i = 0; @@ -1155,21 +1155,21 @@ _kdc_as_rep(krb5_context context, EncryptedData enc_data; Key *pa_key; char *str; - + found_pa = 1; - + ret = decode_EncryptedData(pa->padata_value.data, pa->padata_value.length, &enc_data, &len); if (ret) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s", + kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s", client_name); goto out; } - - ret = hdb_enctype2key(context, &client->entry, + + ret = hdb_enctype2key(context, &client->entry, enc_data.etype, &pa_key); if(ret){ char *estr; @@ -1178,15 +1178,15 @@ _kdc_as_rep(krb5_context context, if(krb5_enctype_to_string(context, enc_data.etype, &estr)) estr = NULL; if(estr == NULL) - kdc_log(context, config, 5, - "No client key matching pa-data (%d) -- %s", + kdc_log(context, config, 5, + "No client key matching pa-data (%d) -- %s", enc_data.etype, client_name); else kdc_log(context, config, 5, - "No client key matching pa-data (%s) -- %s", + "No client key matching pa-data (%s) -- %s", estr, client_name); free(estr); - + free_EncryptedData(&enc_data); continue; } 
@@ -1208,19 +1208,19 @@ _kdc_as_rep(krb5_context context, krb5_crypto_destroy(context, crypto); if(ret){ krb5_error_code ret2; - ret2 = krb5_enctype_to_string(context, + ret2 = krb5_enctype_to_string(context, pa_key->key.keytype, &str); if (ret2) str = NULL; - kdc_log(context, config, 5, + kdc_log(context, config, 5, "Failed to decrypt PA-DATA -- %s " "(enctype %s) error %s", client_name, - str ? str : "unknown enctype", + str ? str : "unknown enctype", krb5_get_err_text(context, ret)); free(str); - if(hdb_next_enctype2key(context, &client->entry, + if(hdb_next_enctype2key(context, &client->entry, enc_data.etype, &pa_key) == 0) goto try_next_key; e_text = "Failed to decrypt PA-DATA"; @@ -1238,7 +1238,7 @@ _kdc_as_rep(krb5_context context, if(ret){ e_text = "Failed to decode PA-ENC-TS-ENC"; ret = KRB5KDC_ERR_PREAUTH_FAILED; - kdc_log(context, config, + kdc_log(context, config, 5, "Failed to decode PA-ENC-TS_ENC -- %s", client_name); continue; @@ -1247,20 +1247,20 @@ _kdc_as_rep(krb5_context context, if (abs(kdc_time - p.patimestamp) > context->max_skew) { char client_time[100]; - krb5_format_time(context, p.patimestamp, - client_time, sizeof(client_time), TRUE); + krb5_format_time(context, p.patimestamp, + client_time, sizeof(client_time), TRUE); ret = KRB5KRB_AP_ERR_SKEW; kdc_log(context, config, 0, "Too large time skew, " - "client time %s is out by %u > %u seconds -- %s", - client_time, - (unsigned)abs(kdc_time - p.patimestamp), + "client time %s is out by %u > %u seconds -- %s", + client_time, + (unsigned)abs(kdc_time - p.patimestamp), context->max_skew, client_name); #if 1 /* This code is from samba, needs testing */ - /* + /* * the following is needed to make windows clients * to retry using the timestamp in the error message * 
@@ -1280,7 +1280,7 @@ _kdc_as_rep(krb5_context context, str = NULL; kdc_log(context, config, 2, - "ENC-TS Pre-authentication succeeded -- %s using %s", + "ENC-TS Pre-authentication succeeded -- %s using %s", client_name, str ? str : "unknown enctype"); free(str); break; @@ -1305,7 +1305,7 @@ _kdc_as_rep(krb5_context context, unsigned char *buf; size_t len; - use_pa: + use_pa: method_data.len = 0; method_data.val = NULL; @@ -1329,8 +1329,8 @@ _kdc_as_rep(krb5_context context, pa->padata_value.data = NULL; #endif - /* - * RFC4120 requires: + /* + * RFC4120 requires: * - If the client only knows about old enctypes, then send * both info replies (we send 'info' first in the list). * - If the client is 'modern', because it knows about 'new' @@ -1340,10 +1340,10 @@ _kdc_as_rep(krb5_context context, /* XXX check ret */ if (only_older_enctype_p(req)) ret = get_pa_etype_info(context, config, - &method_data, &client->entry, - b->etype.val, b->etype.len); + &method_data, &client->entry, + b->etype.val, b->etype.len); /* XXX check ret */ - ret = get_pa_etype_info2(context, config, &method_data, + ret = get_pa_etype_info2(context, config, &method_data, &client->entry, b->etype.val, b->etype.len); @@ -1361,7 +1361,7 @@ _kdc_as_rep(krb5_context context, client_name); goto out; } - + /* * Find the client key (for preauth ENC-TS verification and reply * encryption). Then the best encryption type for the KDC and @@ -1372,7 +1372,7 @@ _kdc_as_rep(krb5_context context, ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len, &ckey, &cetype); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Client (%s) has no support for etypes", client_name); goto out; } @@ -1383,7 +1383,7 @@ _kdc_as_rep(krb5_context context, if(ret) goto out; - /* + /* * Select a session enctype from the list of the crypto systems * supported enctype, is supported by the client and is one of the * enctype of the enctype of the krbtgt. 
@@ -1415,13 +1415,13 @@ _kdc_as_rep(krb5_context context, Key *dummy; /* check with client */ if (p[i] != b->etype.val[j]) - continue; + continue; /* save best of union of { client, crypto system } */ if (clientbest == ETYPE_NULL) clientbest = p[i]; /* check with krbtgt */ ret = hdb_enctype2key(context, &server->entry, p[i], &dummy); - if (ret) + if (ret) continue; sessionetype = p[i]; } @@ -1432,8 +1432,8 @@ _kdc_as_rep(krb5_context context, } else if (sessionetype == ETYPE_NULL) { kdc_log(context, config, 0, "Client (%s) from %s has no common enctypes with KDC" - "to use for the session key", - client_name, from); + "to use for the session key", + client_name, from); goto out; } } @@ -1446,18 +1446,18 @@ _kdc_as_rep(krb5_context context, kdc_log(context, config, 0, "Bad KDC options -- %s", client_name); goto out; } - + rep.pvno = 5; rep.msg_type = krb_as_rep; copy_Realm(&client->entry.principal->realm, &rep.crealm); if (f.request_anonymous) _kdc_make_anonymous_principalname (&rep.cname); else - _krb5_principal2principalname(&rep.cname, + _krb5_principal2principalname(&rep.cname, client->entry.principal); rep.ticket.tkt_vno = 5; copy_Realm(&server->entry.principal->realm, &rep.ticket.realm); - _krb5_principal2principalname(&rep.ticket.sname, + _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); /* java 1.6 expects the name to be the same type, lets allow that * uncomplicated name-types. */ @@ -1479,7 +1479,7 @@ _kdc_as_rep(krb5_context context, et.flags.proxiable = f.proxiable; else if (f.proxiable) { ret = KRB5KDC_ERR_POLICY; - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Ticket may not be proxiable -- %s", client_name); goto out; } 
@@ -1505,13 +1505,13 @@ _kdc_as_rep(krb5_context context, goto out; copy_PrincipalName(&rep.cname, &et.cname); copy_Realm(&rep.crealm, &et.crealm); - + { time_t start; time_t t; start = et.authtime = kdc_time; - + if(f.postdated && req->req_body.from){ ALLOC(et.starttime); start = *et.starttime = *req->req_body.from; @@ -1559,15 +1559,15 @@ _kdc_as_rep(krb5_context context, if (f.request_anonymous) et.flags.anonymous = 1; - + if(b->addresses){ ALLOC(et.caddr); copy_HostAddresses(b->addresses, et.caddr); } - + et.transited.tr_type = DOMAIN_X500_COMPRESS; - krb5_data_zero(&et.transited.contents); - + krb5_data_zero(&et.transited.contents); + copy_EncryptionKey(&et.key, &ek.key); /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded @@ -1607,7 +1607,7 @@ _kdc_as_rep(krb5_context context, ALLOC(ek.key_expiration); if (client->entry.valid_end) { if (client->entry.pw_end) - *ek.key_expiration = min(*client->entry.valid_end, + *ek.key_expiration = min(*client->entry.valid_end, *client->entry.pw_end); else *ek.key_expiration = *client->entry.valid_end; @@ -1640,8 +1640,8 @@ _kdc_as_rep(krb5_context context, reply_key = &ckey->key; #if PKINIT if (pkp) { - ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, - req, req_buffer, + ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, + req, req_buffer, &reply_key, rep.padata); if (ret) goto out; @@ -1671,7 +1671,7 @@ _kdc_as_rep(krb5_context context, ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length, &canon.names, &len, ret); - if (ret) + if (ret) goto out; if (data.length != len) krb5_abortx(context, "internal asn.1 error"); @@ -1683,7 +1683,7 @@ _kdc_as_rep(krb5_context context, goto out; } - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES, 0, data.data, data.length, &canon.canon_checksum); 
@@ -1691,11 +1691,11 @@ _kdc_as_rep(krb5_context context, krb5_crypto_destroy(context, crypto); if (ret) goto out; - + ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length, &canon, &len, ret); free_Checksum(&canon.canon_checksum); - if (ret) + if (ret) goto out; if (data.length != len) krb5_abortx(context, "internal asn.1 error"); @@ -1720,19 +1720,19 @@ _kdc_as_rep(krb5_context context, ret = _kdc_pac_generate(context, client, &p); if (ret) { - kdc_log(context, config, 0, "PAC generation failed for -- %s", + kdc_log(context, config, 0, "PAC generation failed for -- %s", client_name); goto out; } if (p != NULL) { ret = _krb5_pac_sign(context, p, et.authtime, client->entry.principal, - &skey->key, /* Server key */ + &skey->key, /* Server key */ &skey->key, /* FIXME: should be krbtgt key */ &data); krb5_pac_free(context, p); if (ret) { - kdc_log(context, config, 0, "PAC signing failed for -- %s", + kdc_log(context, config, 0, "PAC signing failed for -- %s", client_name); goto out; } @@ -1746,7 +1746,7 @@ _kdc_as_rep(krb5_context context, } } - _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, + _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, et.endtime, et.renew_till); /* do this as the last thing since this signs the EncTicketPart */ @@ -1760,9 +1760,9 @@ _kdc_as_rep(krb5_context context, if (ret) goto out; - ret = _kdc_encode_reply(context, config, - &rep, &et, &ek, setype, server->entry.kvno, - &skey->key, client->entry.kvno, + ret = _kdc_encode_reply(context, config, + &rep, &et, &ek, setype, server->entry.kvno, + &skey->key, client->entry.kvno, reply_key, &e_text, reply); free_EncTicketPart(&et); free_EncKDCRepPart(&ek); 
@@ -1810,8 +1810,8 @@ out: } /* - * Add the AuthorizationData `data´ of `type´ to the last element in - * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT + * Add the AuthorizationData `data´ of `type´ to the last element in + * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT */ krb5_error_code @@ -1847,8 +1847,8 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT; - ASN1_MALLOC_ENCODE(AuthorizationData, - ade.ad_data.data, ade.ad_data.length, + ASN1_MALLOC_ENCODE(AuthorizationData, + ade.ad_data.data, ade.ad_data.length, &ad, &size, ret); free_AuthorizationData(&ad); if (ret) { diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index d557da2a5b..b986279ad4 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -501,7 +501,7 @@ check_constrained_delegation(krb5_context context, ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } @@ -888,7 +888,7 @@ tgs_make_reply(krb5_context context, } if (krb5_enctype_valid(context, et.key.keytype) != 0 - && _kdc_is_weak_expection(server->entry.principal, et.key.keytype)) + && _kdc_is_weak_expection(server->entry.principal, et.key.keytype)) { krb5_enctype_enable(context, et.key.keytype); is_weak = 1; @@ -1295,7 +1295,7 @@ build_server_referral(krb5_context context, memset(&ref, 0, sizeof(ref)); if (referred_realm) { - ref.referred_realm = malloc(sizeof(ref.referred_realm)); + ALLOC(ref.referred_realm); if (ref.referred_realm == NULL) goto eout; *ref.referred_realm = strdup(referred_realm); 
@@ -1303,8 +1303,7 @@ build_server_referral(krb5_context context, goto eout; } if (true_principal_name) { - ref.true_principal_name = - malloc(sizeof(ref.true_principal_name)); + ALLOC(ref.true_principal_name); if (ref.true_principal_name == NULL) goto eout; ret = copy_PrincipalName(true_principal_name, ref.true_principal_name); @@ -1312,8 +1311,7 @@ build_server_referral(krb5_context context, goto eout; } if (requested_principal) { - ref.requested_principal_name = - malloc(sizeof(ref.requested_principal_name)); + ALLOC(ref.requested_principal_name); if (ref.requested_principal_name == NULL) goto eout; ret = copy_PrincipalName(requested_principal, @@ -1393,8 +1391,6 @@ tgs_build_reply(krb5_context context, char opt_str[128]; int signedpath = 0; - Key *tkey; - memset(&sessionkey, 0, sizeof(sessionkey)); memset(&adtkt, 0, sizeof(adtkt)); krb5_data_zero(&rspac); @@ -1582,7 +1578,7 @@ server_lookup: if(i == b->etype.len) { kdc_log(context, config, 0, "Addition ticket have not matching etypes", spp); - krb5_clear_error_string(context); + krb5_clear_error_message(context); return KRB5KDC_ERR_ETYPE_NOSUPP; } etype = b->etype.val[i]; 
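Review bot: The two `malloc(sizeof(ref.true_principal_name))` and `malloc(sizeof(ref.requested_principal_name))` calls replaced in these hunks sized the buffer by the pointer rather than by `PrincipalName`, so the `copy_PrincipalName` that follows each one wrote past an undersized heap allocation; the `ALLOC()` replacement (presumably `malloc(sizeof(*x))`, its definition is not in view) closes that, but neither the hunk nor the commit message says so and the change reads like a cosmetic cleanup. A one-line comment above the first `ALLOC` would keep it from being "simplified" back: `/* ALLOC sizes by *ptr; the old sizeof(ptr) undersized the buffer copy_PrincipalName fills */`. The `eout:` cleanup of build_server_referral is outside the hunk, so whether a partially built `ref` is released on the `copy_PrincipalName` failure path cannot be checked from here.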
@@ -1632,22 +1628,26 @@ server_lookup: } /* check PAC if not cross realm and if there is one */ - ret = hdb_enctype2key(context, &krbtgt->entry, - krbtgt_etype, &tkey); - if(ret) { - kdc_log(context, config, 0, + if (!cross_realm) { + Key *tkey; + + ret = hdb_enctype2key(context, &krbtgt->entry, + krbtgt_etype, &tkey); + if(ret) { + kdc_log(context, config, 0, "Failed to find key for krbtgt PAC check"); - goto out; - } + goto out; + } - ret = check_PAC(context, config, cp, - client, server, ekey, &tkey->key, - tgt, &rspac, &signedpath); - if (ret) { - kdc_log(context, config, 0, - "Verify PAC failed for %s (%s) from %s with %s", - spn, cpn, from, krb5_get_err_text(context, ret)); - goto out; + ret = check_PAC(context, config, cp, + client, server, ekey, &tkey->key, + tgt, &rspac, &signedpath); + if (ret) { + kdc_log(context, config, 0, + "Verify PAC failed for %s (%s) from %s with %s", + spn, cpn, from, krb5_get_err_text(context, ret)); + goto out; + } } /* also check the krbtgt for signature */ diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c index 33991d1907..83e05b81c5 100644 --- a/source4/heimdal/kdc/kx509.c +++ b/source4/heimdal/kdc/kx509.c 
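Review bot: Wrapping the `hdb_enctype2key`/`check_PAC` calls in `if (!cross_realm)` means a PAC carried in a TGT issued by another realm is now neither verified nor explicitly discarded in this block, and `rspac` and `signedpath` keep the zeroed values set at the top of tgs_build_reply for that path. That is safe only if the code after the hunk builds the new ticket's authorization data from `rspac` alone and never copies the foreign TGT's PAC through unchecked; that code, and the place `cross_realm` is computed, are outside the hunk, so please confirm. The existing comment should also state the decision rather than leave it implicit: `/* check PAC if not cross realm; a PAC in a foreign-realm TGT is not trusted here and rspac stays empty */`.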
@@ -1,34 +1,34 @@ /* - * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -59,13 +59,13 @@ _kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size) static const unsigned char version_2_0[4] = {0 , 0, 2, 0}; static krb5_error_code -verify_req_hash(krb5_context context, +verify_req_hash(krb5_context context, const Kx509Request *req, krb5_keyblock *key) { unsigned char digest[SHA_DIGEST_LENGTH]; HMAC_CTX ctx; - + if (req->pk_hash.length != sizeof(digest)) { krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "pk-hash have wrong length: %lu", 
@@ -74,8 +74,8 @@ verify_req_hash(krb5_context context, } HMAC_CTX_init(&ctx); - HMAC_Init_ex(&ctx, - key->keyvalue.data, key->keyvalue.length, + HMAC_Init_ex(&ctx, + key->keyvalue.data, key->keyvalue.length, EVP_sha1(), NULL); if (sizeof(digest) != HMAC_size(&ctx)) krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509"); @@ -98,11 +98,11 @@ calculate_reply_hash(krb5_context context, Kx509Response *rep) { HMAC_CTX ctx; - + HMAC_CTX_init(&ctx); - HMAC_Init_ex(&ctx, - key->keyvalue.data, key->keyvalue.length, + HMAC_Init_ex(&ctx, + key->keyvalue.data, key->keyvalue.length, EVP_sha1(), NULL); rep->hash->length = HMAC_size(&ctx); rep->hash->data = malloc(rep->hash->length); @@ -133,11 +133,11 @@ calculate_reply_hash(krb5_context context, } /* - * Build a certifate for `principal´ that will expire at `endtime´. + * Build a certifate for `principal´ that will expire at `endtime´. */ static krb5_error_code -build_certificate(krb5_context context, +build_certificate(krb5_context context, krb5_kdc_configuration *config, const krb5_data *key, time_t endtime, @@ -159,8 +159,8 @@ build_certificate(krb5_context context, ret = hx509_context_init(&hxctx); if (ret) goto out; - - ret = hx509_env_add(hxctx, &env, "principal-name", + + ret = hx509_env_add(hxctx, &env, "principal-name", krb5_principal_get_comp_string(context, principal, 0)); if (ret) goto out; @@ -208,7 +208,7 @@ build_certificate(krb5_context context, spki.subjectPublicKey.data = key->data; spki.subjectPublicKey.length = key->length * 8; - ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(), + ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(), &spki.algorithm.algorithm); any.data = "\x05\x00"; @@ -239,7 +239,7 @@ build_certificate(krb5_context context, config->kx509_template); goto out; } - ret = hx509_ca_tbs_set_template(hxctx, tbs, + ret = hx509_ca_tbs_set_template(hxctx, tbs, HX509_CA_TEMPLATE_SUBJECT| HX509_CA_TEMPLATE_KU| HX509_CA_TEMPLATE_EKU, 
@@ -265,7 +265,7 @@ build_certificate(krb5_context context, hx509_cert_free(cert); if (ret) goto out; - + hx509_context_free(&hxctx); return 0; @@ -287,7 +287,7 @@ out: */ krb5_error_code -_kdc_do_kx509(krb5_context context, +_kdc_do_kx509(krb5_context context, krb5_kdc_configuration *config, const Kx509Request *req, krb5_data *reply, const char *from, struct sockaddr *addr) @@ -307,7 +307,7 @@ _kdc_do_kx509(krb5_context context, memset(&rep, 0, sizeof(rep)); if(!config->enable_kx509) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Rejected kx509 request (disabled) from %s", from); return KRB5KDC_ERR_POLICY; } @@ -320,7 +320,7 @@ _kdc_do_kx509(krb5_context context, goto out; } - ret = krb5_rd_req(context, + ret = krb5_rd_req(context, &ac, &req->authenticator, NULL, @@ -337,7 +337,7 @@ _kdc_do_kx509(krb5_context context, ret = krb5_unparse_name(context, cprincipal, &cname); if (ret) goto out; - + /* verify server principal */ ret = krb5_sname_to_principal(context, NULL, "kca_service", @@ -362,7 +362,7 @@ _kdc_do_kx509(krb5_context context, goto out; } } - + ret = krb5_auth_con_getkey(context, ac, &key); if (ret == 0 && key == NULL) ret = KRB5KDC_ERR_NULL_KEY; @@ -370,7 +370,7 @@ _kdc_do_kx509(krb5_context context, krb5_set_error_message(context, ret, "Kx509 can't get session key"); goto out; } - + ret = verify_req_hash(context, req, key); if (ret) goto out; @@ -398,7 +398,7 @@ _kdc_do_kx509(krb5_context context, goto out; krb5_data_zero(rep.hash); - ret = build_certificate(context, config, &req->pk_key, + ret = build_certificate(context, config, &req->pk_key, krb5_ticket_get_endtime(context, ticket), cprincipal, rep.certificate); if (ret) diff --git a/source4/heimdal/kdc/log.c b/source4/heimdal/kdc/log.c index 98b25b92db..b4161da45d 100644 --- a/source4/heimdal/kdc/log.c +++ b/source4/heimdal/kdc/log.c 
@@ -1,41 +1,41 @@ /* - * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" RCSID("$Id$"); void -kdc_openlog(krb5_context context, +kdc_openlog(krb5_context context, krb5_kdc_configuration *config) { char **s = NULL, **p; @@ -57,7 +57,7 @@ kdc_openlog(krb5_context context, } char* -kdc_log_msg_va(krb5_context context, +kdc_log_msg_va(krb5_context context, krb5_kdc_configuration *config, int level, const char *fmt, va_list ap) { @@ -67,7 +67,7 @@ kdc_log_msg_va(krb5_context context, } char* -kdc_log_msg(krb5_context context, +kdc_log_msg(krb5_context context, krb5_kdc_configuration *config, int level, const char *fmt, ...) { 
@@ -80,7 +80,7 @@ kdc_log_msg(krb5_context context, } void -kdc_log(krb5_context context, +kdc_log(krb5_context context, krb5_kdc_configuration *config, int level, const char *fmt, ...) { diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 0c64dd568e..8a53fc8827 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -58,11 +58,11 @@ _kdc_db_fetch(krb5_context context, for(i = 0; i < config->num_db; i++) { ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0); if (ret) { - kdc_log(context, config, 0, "Failed to open database: %s", + kdc_log(context, config, 0, "Failed to open database: %s", krb5_get_err_text(context, ret)); continue; } - ret = config->db[i]->hdb_fetch(context, + ret = config->db[i]->hdb_fetch(context, config->db[i], principal, flags | HDB_F_DECRYPT, 
@@ -116,7 +116,7 @@ _kdc_get_preferred_key(krb5_context context, } } - krb5_set_error_message(context, EINVAL, + krb5_set_error_message(context, EINVAL, "No valid kerberos key found for %s", name); return EINVAL; } diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 57767c4f48..82358682d8 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2003 - 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -90,7 +90,7 @@ pk_check_pkauthenticator_win2k(krb5_context context, /* XXX cusec */ if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return KRB5KRB_AP_ERR_SKEW; } return 0; 
@@ -112,13 +112,13 @@ pk_check_pkauthenticator(krb5_context context, /* XXX cusec */ if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return KRB5KRB_AP_ERR_SKEW; } ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } if (buf_size != len) @@ -133,18 +133,18 @@ pk_check_pkauthenticator(krb5_context context, &checksum); free(buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } if (a->paChecksum == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; goto out; } if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = KRB5KRB_ERR_GENERIC; } @@ -155,7 +155,7 @@ out: } void -_kdc_pk_free_client_param(krb5_context context, +_kdc_pk_free_client_param(krb5_context context, pk_client_params *client_params) { if (client_params->cert) @@ -293,7 +293,7 @@ get_dh_param(krb5_context context, } - ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, + ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, &dhparam.p, &dhparam.g, &dhparam.q, moduli, &client_params->dh_group_name); if (ret) { @@ -327,7 +327,7 @@ get_dh_param(krb5_context context, &glue, &size); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } @@ -344,7 +344,7 @@ get_dh_param(krb5_context context, client_params->dh = dh; dh = NULL; ret = 0; - + out: if (dh) DH_free(dh); 
@@ -368,10 +368,10 @@ _kdc_pk_rd_padata(krb5_context context, int have_data = 0; *ret_params = NULL; - + if (!config->enable_pkinit) { kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled"); - krb5_clear_error_string(context); + krb5_clear_error_message(context); return 0; } @@ -379,7 +379,7 @@ _kdc_pk_rd_padata(krb5_context context, client_params = calloc(1, sizeof(*client_params)); if (client_params == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -405,7 +405,7 @@ _kdc_pk_rd_padata(krb5_context context, &have_data); free_PA_PK_AS_REQ_Win2k(&r); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret); goto out; } @@ -474,7 +474,7 @@ _kdc_pk_rd_padata(krb5_context context, hx509_query_free(kdc_identity->hx509ctx, q); if (ret) continue; - hx509_certs_add(kdc_identity->hx509ctx, + hx509_certs_add(kdc_identity->hx509ctx, client_params->client_anchors, cert); hx509_cert_free(cert); } @@ -486,13 +486,13 @@ _kdc_pk_rd_padata(krb5_context context, &have_data); free_PA_PK_AS_REQ(&r); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't unwrap ContentInfo: %d", ret); goto out; } - } else { - krb5_clear_error_string(context); + } else { + krb5_clear_error_message(context); ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; goto out; } @@ -500,7 +500,7 @@ _kdc_pk_rd_padata(krb5_context context, ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData()); if (ret != 0) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "PK-AS-REQ-Win2k invalid content type oid"); goto out; } 
@@ -559,8 +559,8 @@ _kdc_pk_rd_padata(krb5_context context, krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret); goto out; } - - ret = pk_check_pkauthenticator_win2k(context, + + ret = pk_check_pkauthenticator_win2k(context, &ap.pkAuthenticator, req); if (ret) { @@ -590,8 +590,8 @@ _kdc_pk_rd_padata(krb5_context context, free_AuthPack(&ap); goto out; } - - ret = pk_check_pkauthenticator(context, + + ret = pk_check_pkauthenticator(context, &ap.pkAuthenticator, req); if (ret) { @@ -603,7 +603,7 @@ _kdc_pk_rd_padata(krb5_context context, client_params->nonce = ap.pkAuthenticator.nonce; if (ap.clientPublicValue) { - ret = get_dh_param(context, config, + ret = get_dh_param(context, config, ap.clientPublicValue, client_params); if (ret) { free_AuthPack(&ap); @@ -659,7 +659,7 @@ BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer) integer->length = BN_num_bytes(bn); integer->data = malloc(integer->length); if (integer->data == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ENOMEM; } BN_bn2bin(bn, integer->data); @@ -676,7 +676,7 @@ pk_mk_pa_reply_enckey(krb5_context context, krb5_keyblock *reply_key, ContentInfo *content_info) { - const heim_oid *envelopedAlg = NULL, *sdAlg = NULL; + const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL; krb5_error_code ret; krb5_data buf, signed_data; size_t size; 
@@ -699,29 +699,31 @@ pk_mk_pa_reply_enckey(krb5_context context, { do_win2k = 1; } + sdAlg = oid_id_pkcs7_data(); + evAlg = oid_id_pkcs7_data(); + envelopedAlg = oid_id_rsadsi_des_ede3_cbc(); break; } case PKINIT_27: + sdAlg = oid_id_pkrkeydata(); + evAlg = oid_id_pkcs7_signedData(); break; default: krb5_abortx(context, "internal pkinit error"); - } + } if (do_win2k) { ReplyKeyPack_Win2k kp; memset(&kp, 0, sizeof(kp)); - envelopedAlg = oid_id_rsadsi_des_ede3_cbc(); - sdAlg = oid_id_pkcs7_data(); - ret = copy_EncryptionKey(reply_key, &kp.replyKey); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } kp.nonce = client_params->nonce; - ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, + ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, buf.data, buf.length, &kp, &size,ret); free_ReplyKeyPack_Win2k(&kp); @@ -730,17 +732,15 @@ pk_mk_pa_reply_enckey(krb5_context context, ReplyKeyPack kp; memset(&kp, 0, sizeof(kp)); - sdAlg = oid_id_pkrkeydata(); - ret = copy_EncryptionKey(reply_key, &kp.replyKey); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ret = krb5_crypto_init(context, reply_key, 0, &ascrypto); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -748,13 +748,13 @@ pk_mk_pa_reply_enckey(krb5_context context, req_buffer->data, req_buffer->length, &kp.asChecksum); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } - + ret = krb5_crypto_destroy(context, ascrypto); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret); 
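Review bot: The switch now pins `envelopedAlg` to `oid_id_rsadsi_des_ede3_cbc()` only in the `PKINIT_WIN2K` case and leaves it NULL for `PKINIT_27`, so the RFC 4556 path relies on whatever default `hx509_cms_envelope_1` (called later in the function, outside this hunk) applies to a NULL algorithm; that is presumably intended, but nothing at the point of choice says so. Please document both choices where they are made: `/* PKINIT_27: envelopedAlg stays NULL, hx509_cms_envelope_1 selects its default content-encryption algorithm */` and, on the Win2k assignment, `/* 3DES-CBC is what Windows 2000/XP clients accept; interop only, do not "upgrade" */`. `evAlg` is set in both branches but only consumed after this hunk, so its effect cannot be judged here.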
@@ -779,9 +779,9 @@ pk_mk_pa_reply_enckey(krb5_context context, hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - ret = hx509_certs_find(kdc_identity->hx509ctx, - kdc_identity->certs, - q, + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, &cert); hx509_query_free(kdc_identity->hx509ctx, q); if (ret) @@ -802,7 +802,7 @@ pk_mk_pa_reply_enckey(krb5_context context, } krb5_data_free(&buf); - if (ret) + if (ret) goto out; if (client_params->type == PKINIT_WIN2K) { @@ -818,12 +818,12 @@ pk_mk_pa_reply_enckey(krb5_context context, ret = hx509_cms_envelope_1(kdc_identity->hx509ctx, 0, client_params->cert, - signed_data.data, signed_data.length, + signed_data.data, signed_data.length, envelopedAlg, - oid_id_pkcs7_signedData(), &buf); + evAlg, &buf); if (ret) goto out; - + ret = _krb5_pk_mk_ContentInfo(context, &buf, oid_id_pkcs7_envelopedData(), @@ -875,10 +875,10 @@ pk_mk_pa_reply_dh(krb5_context context, dh_info.subjectPublicKey.length = buf.length * 8; dh_info.subjectPublicKey.data = buf.data; - + dh_info.nonce = client_params->nonce; - ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, + ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, ret); if (ret) { krb5_set_error_message(context, ret, "ASN.1 encoding of " @@ -888,7 +888,7 @@ pk_mk_pa_reply_dh(krb5_context context, if (buf.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - /* + /* * Create the SignedData structure and sign the KdcDHKeyInfo * filled in above */ 
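Review bot: In the `@@ -818,12` hunk the content type handed to `hx509_cms_envelope_1` becomes `evAlg`, which for `PKINIT_WIN2K` is `id-pkcs7-data` even though the payload passed alongside it (`signed_data`) is still the SignedData built earlier in the function; for `PKINIT_27` it remains `id-pkcs7-signedData`. Presumably this matches what Windows 2000 clients emit and expect, but a declared eContentType that does not match the bytes looks like a bug to the next reader, so the call deserves a comment: `/* Win2k clients expect the SignedData enveloped as id-data, not id-signedData; match them for interop */`. The Win2k-specific ContentInfo wrapping just before this call and the rest of pk_mk_pa_reply_enckey are outside the hunk.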
@@ -904,9 +904,9 @@ pk_mk_pa_reply_dh(krb5_context context, hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - ret = hx509_certs_find(kdc_identity->hx509ctx, - kdc_identity->certs, - q, + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, &cert); hx509_query_free(kdc_identity->hx509ctx, q); if (ret) @@ -971,7 +971,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, int i; if (!config->enable_pkinit) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return 0; } @@ -1004,7 +1004,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, rep.element = choice_PA_PK_AS_REP_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(context, enctype, &client_params->reply_key); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1021,8 +1021,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, free_PA_PK_AS_REP(&rep); goto out; } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, ret); free_ContentInfo(&info); if (ret) { @@ -1049,7 +1049,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, return ret; ret = pk_mk_pa_reply_dh(context, client_params->dh, - client_params, + client_params, &client_params->reply_key, &info, &kdc_cert); @@ -1100,7 +1100,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, pa_type = KRB5_PADATA_PK_AS_REP_19; rep.element = choice_PA_PK_AS_REP_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(context, enctype, &client_params->reply_key); if (ret) { free_PA_PK_AS_REP_Win2k(&rep); 
@@ -1117,8 +1117,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, free_PA_PK_AS_REP_Win2k(&rep); goto out; } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, ret); free_ContentInfo(&info); if (ret) { @@ -1164,7 +1164,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY); if (fd < 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to open ocsp data file %d", errno); goto out_ocsp; } @@ -1172,15 +1172,15 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (ret) { ret = errno; close(fd); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } - + ret = krb5_data_alloc(&ocsp.data, sb.st_size); if (ret) { close(fd); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } @@ -1188,7 +1188,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = read(fd, ocsp.data.data, sb.st_size); close(fd); if (ret != sb.st_size) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to read ocsp data %d", errno); goto out_ocsp; } @@ -1200,7 +1200,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ocsp.data.data, ocsp.data.length, &ocsp.expire); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to verify ocsp data %d", ret); krb5_data_free(&ocsp.data); ocsp.expire = 0; @@ -1216,7 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (ocsp.expire != 0 && ocsp.expire > kdc_time) { - ret = krb5_padata_add(context, md, + ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PK_OCSP_RESPONSE, ocsp.data.data, ocsp.data.length); if (ret) { 
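Review bot: The krb5_data_alloc failure branch in the -1172 hunk logs "PK-INIT failed to stat ocsp data %d", which is the message copied from the fstat failure directly above it, so a failed allocation is reported as a stat error in the KDC log. The line should name the operation that failed, e.g. `"PK-INIT failed to allocate ocsp data %d", ret);`. The enclosing function starts and ends outside the hunk.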
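Review bot: In the -1188 hunk the errno reported by the "failed to read ocsp data" log line is read after close(fd), which can overwrite it, and a short read that is not an error also reports whatever errno happens to hold; errno should be captured before the close, `saved_errno = errno; close(fd);`, and the log should use `saved_errno` only when `ret < 0`. Note also that ret is a krb5_error_code (int) holding a ssize_t and being compared against an off_t, so the comparison is only as wide as int. Unlike the verify-failure path in the -1200 hunk, this branch jumps to out_ocsp without freeing ocsp.data; whether out_ocsp frees it is outside the hunk and worth checking.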
@@ -1237,10 +1237,10 @@ out: } static int -match_rfc_san(krb5_context context, +match_rfc_san(krb5_context context, krb5_kdc_configuration *config, hx509_context hx509ctx, - hx509_cert client_cert, + hx509_cert client_cert, krb5_const_principal match) { hx509_octet_string_list list; @@ -1260,7 +1260,7 @@ match_rfc_san(krb5_context context, KRB5PrincipalName kn; size_t size; - ret = decode_KRB5PrincipalName(list.val[i].data, + ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &kn, &size); if (ret) { @@ -1284,7 +1284,7 @@ match_rfc_san(krb5_context context, } out: - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); if (ret) return ret; @@ -1295,10 +1295,10 @@ out: } static int -match_ms_upn_san(krb5_context context, +match_ms_upn_san(krb5_context context, krb5_kdc_configuration *config, hx509_context hx509ctx, - hx509_cert client_cert, + hx509_cert client_cert, krb5_const_principal match) { hx509_octet_string_list list; @@ -1337,7 +1337,7 @@ match_ms_upn_san(krb5_context context, goto out; } - /* + /* * This is very wrong, but will do for now, should really and a * plugin to the windc layer to very this ACL. */ @@ -1349,7 +1349,7 @@ match_ms_upn_san(krb5_context context, out: if (principal) krb5_free_principal(context, principal); - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); if (ret) return ret; @@ -1383,7 +1383,7 @@ _kdc_pk_check_client(krb5_context context, return ret; kdc_log(context, config, 0, - "Trying to authorize PK-INIT subject DN %s", + "Trying to authorize PK-INIT subject DN %s", *subject_name); if (config->pkinit_princ_in_cert) { @@ -1460,7 +1460,7 @@ _kdc_pk_check_client(krb5_context context, } static krb5_error_code -add_principal_mapping(krb5_context context, +add_principal_mapping(krb5_context context, const char *principal_name, const char * subject) { 
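Review bot: The comment touched in the -1337 hunk of match_ms_upn_san is garbled ("should really and a plugin to the windc layer to very this ACL") at exactly the spot where it admits the UPN-SAN authorisation check is a stopgap, which is the one place a reader most needs it to be precise. It should read `* This is very wrong, but will do for now; the check should really be` / `* delegated to a plugin in the windc layer that verifies this ACL.` The function starts before the hunk and the check it qualifies is not visible here.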
@@ -1502,7 +1502,7 @@ _kdc_add_inital_verified_cas(krb5_context context, size_t size; memset(&cas, 0, sizeof(cas)); - + /* XXX add CAs to cas here */ ASN1_MALLOC_ENCODE(AD_INITIAL_VERIFIED_CAS, data.data, data.length, @@ -1512,7 +1512,7 @@ _kdc_add_inital_verified_cas(krb5_context context, if (data.length != size) krb5_abortx(context, "internal asn.1 encoder error"); - ret = _kdc_tkt_add_if_relevant_ad(context, tkt, + ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_INITIAL_VERIFIED_CAS, &data); krb5_data_free(&data); @@ -1537,7 +1537,7 @@ load_mappings(krb5_context context, const char *fn) while (fgets(buf, sizeof(buf), f) != NULL) { char *subject_name, *p; - + buf[strcspn(buf, "\n")] = '\0'; lineno++; @@ -1561,11 +1561,11 @@ load_mappings(krb5_context context, const char *fn) lineno, buf); continue; } - } + } fclose(f); } - + /* * */ @@ -1637,7 +1637,7 @@ _kdc_pk_initialize(krb5_context context, "certifiate with a public key"); } - ret = krb5_config_get_bool_default(context, + ret = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", @@ -1645,7 +1645,7 @@ _kdc_pk_initialize(krb5_context context, NULL); _krb5_pk_allow_proxy_certificate(kdc_identity, ret); - file = krb5_config_get_string(context, + file = krb5_config_get_string(context, NULL, "kdc", "pkinit_mappings_file", diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index 1a0c7c72ce..a27911914b 100644 --- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c 
@@ -1,35 +1,35 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). * - * All rights reserved. + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -55,10 +55,10 @@ krb5_kdc_update_time(struct timeval *tv) */ int -krb5_kdc_process_request(krb5_context context, +krb5_kdc_process_request(krb5_context context, krb5_kdc_configuration *config, - unsigned char *buf, - size_t len, + unsigned char *buf, + size_t len, krb5_data *reply, krb5_boolean *prependlength, const char *from, @@ -78,7 +78,7 @@ krb5_kdc_process_request(krb5_context context, req_buffer.data = buf; req_buffer.length = len; - ret = _kdc_as_rep(context, config, &req, &req_buffer, + ret = _kdc_as_rep(context, config, &req, &req_buffer, reply, from, addr, datagram_reply); free_AS_REQ(&req); return ret; 
@@ -100,7 +100,7 @@ krb5_kdc_process_request(krb5_context context, return ret; } else if(_kdc_maybe_version4(buf, len)){ *prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */ - ret = _kdc_do_version4(context, config, buf, len, reply, from, + ret = _kdc_do_version4(context, config, buf, len, reply, from, (struct sockaddr_in*)addr); return ret; } else if (config->enable_kaserver) { @@ -108,7 +108,7 @@ krb5_kdc_process_request(krb5_context context, (struct sockaddr_in*)addr); return ret; } - + return -1; } @@ -120,10 +120,10 @@ krb5_kdc_process_request(krb5_context context, */ int -krb5_kdc_process_krb5_request(krb5_context context, +krb5_kdc_process_krb5_request(krb5_context context, krb5_kdc_configuration *config, - unsigned char *buf, - size_t len, + unsigned char *buf, + size_t len, krb5_data *reply, const char *from, struct sockaddr *addr, @@ -156,7 +156,7 @@ krb5_kdc_process_krb5_request(krb5_context context, */ int -krb5_kdc_save_request(krb5_context context, +krb5_kdc_save_request(krb5_context context, const char *fn, const unsigned char *buf, size_t len, @@ -181,7 +181,7 @@ krb5_kdc_save_request(krb5_context context, krb5_set_error_message(context, saved_errno, "Failed to open: %s", fn); return saved_errno; } - + sp = krb5_storage_from_fd(fd); close(fd); if (sp == NULL) { diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h index a84e5ec5f5..f914e93e6e 100644 --- a/source4/heimdal/kdc/rx.h +++ b/source4/heimdal/kdc/rx.h 
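Review bot: The -100 hunk casts the generic `struct sockaddr *addr` to `struct sockaddr_in *` for both the version-4 and kaserver dispatch without any visible check of addr->sa_family; if krb5_kdc_process_request can be handed an AF_INET6 address, the callees receive a mislabelled structure. Either the callers guarantee AF_INET (then a comment such as `/* v4/kaserver are IPv4-only; callers pass AF_INET here */` belongs on the cast) or the branch should test `addr->sa_family == AF_INET` before casting. Both checks, if they exist, are outside the hunk.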
@@ -1,34 +1,34 @@ /* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ /* $Id$ */ diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index e057a3e6fb..fe3cd997e7 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -72,9 +72,9 @@ krb5_kdc_windc_init(krb5_context context) } -krb5_error_code +krb5_error_code _kdc_pac_generate(krb5_context context, - hdb_entry_ex *client, + hdb_entry_ex *client, krb5_pac *pac) { *pac = NULL; @@ -83,8 +83,8 @@ _kdc_pac_generate(krb5_context context, return (windcft->pac_generate)(windcctx, context, client, pac); } -krb5_error_code -_kdc_pac_verify(krb5_context context, +krb5_error_code +_kdc_pac_verify(krb5_context context, const krb5_principal client_principal, hdb_entry_ex *client, hdb_entry_ex *server, 
@@ -94,7 +94,7 @@ _kdc_pac_verify(krb5_context context, krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function"); return EINVAL; } - return (windcft->pac_verify)(windcctx, context, + return (windcft->pac_verify)(windcctx, context, client_principal, client, server, pac); } diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index 3780258ad0..34016694b2 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h 
@@ -1,34 +1,34 @@ /* - * Copyright (c) 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ /* $Id$ */ @@ -51,18 +51,18 @@ struct hdb_entry_ex; -typedef krb5_error_code +typedef krb5_error_code (*krb5plugin_windc_pac_generate)(void *, krb5_context, struct hdb_entry_ex *, krb5_pac *); -typedef krb5_error_code +typedef krb5_error_code (*krb5plugin_windc_pac_verify)(void *, krb5_context, const krb5_principal, - struct hdb_entry_ex *, + struct hdb_entry_ex *, struct hdb_entry_ex *, krb5_pac *); -typedef krb5_error_code +typedef krb5_error_code (*krb5plugin_windc_client_access)( void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *); |