summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-08-20 06:00:50 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:33:35 -0500
commit55f5453bc81d9a3a4fe67ff0a6ba528d8d0f7984 (patch)
tree19d28e75e07ead51f0096328ddf913726cfbd59e /source4
parentb456bfa0155ea70ca60590a83e19232c63ec1ac1 (diff)
downloadsamba-55f5453bc81d9a3a4fe67ff0a6ba528d8d0f7984.tar.gz
samba-55f5453bc81d9a3a4fe67ff0a6ba528d8d0f7984.tar.bz2
samba-55f5453bc81d9a3a4fe67ff0a6ba528d8d0f7984.zip
r9413: Bring Samba4 back up to date with lorikeet-heimdal.
Delete test_crypto_wrapping.c, previously included but unbuilt. Andrew Bartlett (This used to be commit d5fb30fb0cef330e0947969f0c9afc1f58fc4c7d)
Diffstat (limited to 'source4')
-rw-r--r--source4/heimdal/kdc/kdc_locl.h5
-rw-r--r--source4/heimdal/kdc/kerberos5.c36
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c44
-rw-r--r--source4/heimdal/kdc/process.c18
-rw-r--r--source4/heimdal/lib/asn1/asn1_gen.c10
-rw-r--r--source4/heimdal/lib/asn1/canthandle.asn18
-rw-r--r--source4/heimdal/lib/asn1/lex.c6
-rw-r--r--source4/heimdal/lib/asn1/parse.c519
-rw-r--r--source4/heimdal/lib/asn1/parse.h6
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c5
-rw-r--r--source4/heimdal/lib/hdb/ext.c366
-rw-r--r--source4/heimdal/lib/hdb/hdb-private.h28
-rw-r--r--source4/heimdal/lib/hdb/hdb-protos.h59
-rw-r--r--source4/heimdal/lib/hdb/hdb.asn150
-rw-r--r--source4/heimdal/lib/hdb/hdb.h17
-rw-r--r--source4/heimdal/lib/hdb/hdb_err.et3
-rw-r--r--source4/heimdal/lib/hdb/mkey.c595
-rw-r--r--source4/heimdal/lib/krb5/crypto.c10
-rw-r--r--source4/heimdal/lib/krb5/fcache.c2
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c19
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h10
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h8
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c115
-rw-r--r--source4/heimdal/lib/krb5/test_crypto_wrapping.c163
-rw-r--r--source4/heimdal/lib/krb5/test_pkinit_dh2key.c110
-rw-r--r--source4/heimdal_build/config.mk10
26 files changed, 1613 insertions, 609 deletions
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index d347c6080c..b87895d56c 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h,v 1.71 2005/07/01 15:36:16 lha Exp $
+ * $Id: kdc_locl.h,v 1.72 2005/08/12 08:46:39 lha Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -61,7 +61,8 @@ extern struct timeval _kdc_now;
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
- KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
+ KDC_REQ*, const krb5_data*, krb5_data*,
+ const char*, struct sockaddr*);
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv);
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index e85a269a01..27a25d95ff 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -189,7 +189,8 @@ log_timestamp(krb5_context context,
KerberosTime authtime, KerberosTime *starttime,
KerberosTime endtime, KerberosTime *renew_till)
{
- char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100];
+ char authtime_str[100], starttime_str[100],
+ endtime_str[100], renewtime_str[100];
krb5_format_time(context, authtime,
authtime_str, sizeof(authtime_str), TRUE);
@@ -728,6 +729,7 @@ krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_data *reply,
const char *from,
struct sockaddr *from_addr)
@@ -940,7 +942,8 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
- client_name, str ? str : "unknown enctype",
+ client_name,
+ str ? str : "unknown enctype",
krb5_get_err_text(context, ret));
free(str);
@@ -1308,8 +1311,9 @@ _kdc_as_rep(krb5_context context,
reply_key = &ckey->key;
#if PKINIT
if (pkp) {
- ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, req,
- &reply_key, rep.padata);
+ ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
+ req, req_buffer,
+ &reply_key, rep.padata);
if (ret)
goto out;
}
@@ -1372,30 +1376,35 @@ check_tgs_flags(krb5_context context,
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
- kdc_log(context, config, 0, "Bad request to validate ticket");
+ kdc_log(context, config, 0,
+ "Bad request to validate ticket");
return KRB5KDC_ERR_BADOPTION;
}
if(*tgt->starttime > kdc_time){
- kdc_log(context, config, 0, "Early request to validate ticket");
+ kdc_log(context, config, 0,
+ "Early request to validate ticket");
return KRB5KRB_AP_ERR_TKT_NYV;
}
/* XXX tkt = tgt */
et->flags.invalid = 0;
}else if(tgt->flags.invalid){
- kdc_log(context, config, 0, "Ticket-granting ticket has INVALID flag set");
+ kdc_log(context, config, 0,
+ "Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID;
}
if(f.forwardable){
if(!tgt->flags.forwardable){
- kdc_log(context, config, 0, "Bad request for forwardable ticket");
+ kdc_log(context, config, 0,
+ "Bad request for forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwardable = 1;
}
if(f.forwarded){
if(!tgt->flags.forwardable){
- kdc_log(context, config, 0, "Request to forward non-forwardable ticket");
+ kdc_log(context, config, 0,
+ "Request to forward non-forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwarded = 1;
@@ -1906,7 +1915,8 @@ tgs_check_authenticator(krb5_context context,
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
- kdc_log(context, config, 0, "Failed to verify authenticator checksum: %s",
+ kdc_log(context, config, 0,
+ "Failed to verify authenticator checksum: %s",
krb5_get_err_text(context, ret));
}
out:
@@ -2102,11 +2112,11 @@ tgs_rep2(krb5_context context,
ret = tgs_check_authenticator(context, config,
ac, b, &e_text, &tgt->key);
- if(ret){
+ if (ret) {
krb5_auth_con_free(context, ac);
goto out2;
}
-
+
if (b->enc_authorization_data) {
krb5_keyblock *subkey;
krb5_data ad;
@@ -2167,6 +2177,8 @@ tgs_rep2(krb5_context context,
}
}
+ krb5_auth_con_free(context, ac);
+
{
PrincipalName *s;
Realm r;
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index f591aa8fc1..fdeaf27ac4 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.37 2005/07/26 18:37:02 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.41 2005/08/12 09:21:40 lha Exp $");
#ifdef PKINIT
@@ -66,7 +66,7 @@ struct krb5_pk_cert {
enum pkinit_type {
PKINIT_COMPAT_WIN2K = 1,
PKINIT_COMPAT_19 = 2,
- PKINIT_COMPAT_25 = 3
+ PKINIT_COMPAT_27 = 3
};
struct pk_client_params {
@@ -640,7 +640,7 @@ _kdc_pk_rd_padata(krb5_context context,
PA_PK_AS_REQ r;
ContentInfo info;
- type = "PK-INIT-25";
+ type = "PK-INIT-27";
pa_contentType = oid_id_pkauthdata();
ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
@@ -796,7 +796,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- client_params->type = PKINIT_COMPAT_25;
+ client_params->type = PKINIT_COMPAT_27;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
@@ -851,6 +851,7 @@ static krb5_error_code
pk_mk_pa_reply_enckey(krb5_context context,
pk_client_params *client_params,
const KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_keyblock *reply_key,
ContentInfo *content_info)
{
@@ -945,7 +946,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
&kp, &size,ret);
free_ReplyKeyPack_19(&kp);
}
- case PKINIT_COMPAT_25: {
+ case PKINIT_COMPAT_27: {
+ krb5_crypto ascrypto;
ReplyKeyPack kp;
memset(&kp, 0, sizeof(kp));
@@ -954,9 +956,29 @@ pk_mk_pa_reply_enckey(krb5_context context,
krb5_clear_error_string(context);
goto out;
}
- /* XXX add whatever is the outcome of asChecksum discussion here */
+
+ ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
+
+ ret = krb5_create_checksum(context, ascrypto, 6, 0,
+ req_buffer->data, req_buffer->length,
+ &kp.asChecksum);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
+
+ ret = krb5_crypto_destroy(context, ascrypto);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
free_ReplyKeyPack(&kp);
+ break;
}
default:
krb5_abortx(context, "internal pkinit error");
@@ -1194,6 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
pk_client_params *client_params,
const hdb_entry *client,
const KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_keyblock **reply_key,
METHOD_DATA *md)
{
@@ -1223,7 +1246,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else
enctype = ETYPE_DES3_CBC_SHA1;
- if (client_params->type == PKINIT_COMPAT_25) {
+ if (client_params->type == PKINIT_COMPAT_27) {
PA_PK_AS_REP rep;
pa_type = KRB5_PADATA_PK_AS_REP;
@@ -1239,6 +1262,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&info);
if (ret) {
@@ -1259,7 +1283,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_abortx(context, "Internal ASN.1 encoder error");
} else {
- krb5_set_error_string(context, "DH -25 not implemented");
+ krb5_set_error_string(context, "DH -27 not implemented");
ret = KRB5KRB_ERR_GENERIC;
}
if (ret) {
@@ -1291,6 +1315,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&rep.u.encKeyPack);
} else {
@@ -1332,7 +1357,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
memset(&rep, 0, sizeof(rep));
if (client_params->dh) {
- krb5_set_error_string(context, "DH -25 not implemented");
+ krb5_set_error_string(context, "DH -27 not implemented");
ret = KRB5KRB_ERR_GENERIC;
} else {
rep.element = choice_PA_PK_AS_REP_encKeyPack;
@@ -1343,6 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&info);
if (ret) {
diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c
index 22cf23c48d..d0f8245bf9 100644
--- a/source4/heimdal/kdc/process.c
+++ b/source4/heimdal/kdc/process.c
@@ -34,7 +34,7 @@
#include "kdc_locl.h"
-RCSID("$Id: process.c,v 1.2 2005/06/30 01:54:49 lha Exp $");
+RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
@@ -58,7 +58,13 @@ krb5_kdc_process_generic_request(krb5_context context,
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
- ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+ krb5_data req_buffer;
+
+ req_buffer.data = buf;
+ req_buffer.length = len;
+
+ ret = _kdc_as_rep(context, config, &req, &req_buffer,
+ reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
@@ -105,7 +111,13 @@ krb5_kdc_process_krb5_request(krb5_context context,
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
- ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+ krb5_data req_buffer;
+
+ req_buffer.data = buf;
+ req_buffer.length = len;
+
+ ret = _kdc_as_rep(context, config, &req, &req_buffer,
+ reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
diff --git a/source4/heimdal/lib/asn1/asn1_gen.c b/source4/heimdal/lib/asn1/asn1_gen.c
index 939fb1123e..95d670cbb1 100644
--- a/source4/heimdal/lib/asn1/asn1_gen.c
+++ b/source4/heimdal/lib/asn1/asn1_gen.c
@@ -40,7 +40,7 @@
#include <hex.h>
#include <err.h>
-RCSID("$Id: asn1_gen.c,v 1.2 2005/07/12 06:27:14 lha Exp $");
+RCSID("$Id: asn1_gen.c,v 1.3 2005/08/11 10:44:43 lha Exp $");
static int
doit(const char *fn)
@@ -166,11 +166,11 @@ usage(int code)
int
main(int argc, char **argv)
{
- int optind = 0;
+ int optidx = 0;
setprogname (argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
+ if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
@@ -178,8 +178,8 @@ main(int argc, char **argv)
print_version(NULL);
exit(0);
}
- argv += optind;
- argc -= optind;
+ argv += optidx;
+ argc -= optidx;
if (argc != 1)
usage (1);
diff --git a/source4/heimdal/lib/asn1/canthandle.asn1 b/source4/heimdal/lib/asn1/canthandle.asn1
index 55ba4d1bb6..7d012ed6f8 100644
--- a/source4/heimdal/lib/asn1/canthandle.asn1
+++ b/source4/heimdal/lib/asn1/canthandle.asn1
@@ -1,4 +1,4 @@
--- $Id: canthandle.asn1,v 1.4 2005/07/21 20:49:15 lha Exp $ --
+-- $Id: canthandle.asn1,v 1.5 2005/08/11 14:07:21 lha Exp $ --
CANTHANDLE DEFINITIONS ::= BEGIN
@@ -31,4 +31,10 @@ Bar ::= SEQUENCE {
Baz ::= SET OF INTEGER
+-- Allocation is done on CONTEXT tags.
+
+Alloc ::= SEQUENCE {
+ a heim_any OPTIONAL
+}
+
END
diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c
index 713a3d26aa..3b563038e8 100644
--- a/source4/heimdal/lib/asn1/lex.c
+++ b/source4/heimdal/lib/asn1/lex.c
@@ -760,7 +760,7 @@ static unsigned lineno = 1;
static void handle_comment(int type);
static char *handle_string(void);
-#line 764 "lex.yy.c"
+#line 764 "lex.c"
/* Macros after this point can all be overridden by user definitions in
* section 1.
@@ -913,7 +913,7 @@ YY_DECL
#line 62 "lex.l"
-#line 917 "lex.yy.c"
+#line 917 "lex.c"
if ( yy_init )
{
@@ -1481,7 +1481,7 @@ YY_RULE_SETUP
#line 168 "lex.l"
ECHO;
YY_BREAK
-#line 1485 "lex.yy.c"
+#line 1485 "lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c
index 2d8697843b..83e8ccb8b5 100644
--- a/source4/heimdal/lib/asn1/parse.c
+++ b/source4/heimdal/lib/asn1/parse.c
@@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875c. */
+/* A Bison parser, made by GNU Bison 2.0. */
/* Skeleton parser for Yacc-like parsing with Bison,
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -291,7 +291,7 @@ typedef union YYSTYPE {
struct tagtype tag;
struct memhead *members;
} YYSTYPE;
-/* Line 191 of yacc.c. */
+/* Line 190 of yacc.c. */
#line 296 "parse.c"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@@ -303,7 +303,7 @@ typedef union YYSTYPE {
/* Copy the second part of user declarations. */
-/* Line 214 of yacc.c. */
+/* Line 213 of yacc.c. */
#line 308 "parse.c"
#if ! defined (yyoverflow) || YYERROR_VERBOSE
@@ -319,14 +319,10 @@ typedef union YYSTYPE {
# ifdef YYSTACK_USE_ALLOCA
# if YYSTACK_USE_ALLOCA
-# define YYSTACK_ALLOC alloca
-# endif
-# else
-# if defined (alloca) || defined (_ALLOCA_H)
-# define YYSTACK_ALLOC alloca
-# else
# ifdef __GNUC__
# define YYSTACK_ALLOC __builtin_alloca
+# else
+# define YYSTACK_ALLOC alloca
# endif
# endif
# endif
@@ -352,7 +348,7 @@ typedef union YYSTYPE {
/* A type that is properly aligned for any stack member. */
union yyalloc
{
- short yyss;
+ short int yyss;
YYSTYPE yyvs;
};
@@ -362,7 +358,7 @@ union yyalloc
/* The size of an array large to enough to hold all stacks, each with
N elements. */
# define YYSTACK_BYTES(N) \
- ((N) * (sizeof (short) + sizeof (YYSTYPE)) \
+ ((N) * (sizeof (short int) + sizeof (YYSTYPE)) \
+ YYSTACK_GAP_MAXIMUM)
/* Copy COUNT objects from FROM to TO. The source and destination do
@@ -404,7 +400,7 @@ union yyalloc
#if defined (__STDC__) || defined (__cplusplus)
typedef signed char yysigned_char;
#else
- typedef short yysigned_char;
+ typedef short int yysigned_char;
#endif
/* YYFINAL -- State number of the termination state. */
@@ -471,7 +467,7 @@ static const unsigned char yytranslate[] =
#if YYDEBUG
/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
YYRHS. */
-static const unsigned short yyprhs[] =
+static const unsigned short int yyprhs[] =
{
0, 0, 3, 12, 15, 18, 21, 22, 25, 26,
29, 30, 34, 35, 37, 38, 40, 43, 48, 50,
@@ -489,7 +485,7 @@ static const unsigned short yyprhs[] =
};
/* YYRHS -- A `-1'-separated list of the rules' RHS. */
-static const short yyrhs[] =
+static const short int yyrhs[] =
{
99, 0, -1, 86, 21, 100, 101, 84, 8, 102,
24, -1, 27, 70, -1, 38, 70, -1, 7, 70,
@@ -527,7 +523,7 @@ static const short yyrhs[] =
};
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
-static const unsigned short yyrline[] =
+static const unsigned short int yyrline[] =
{
0, 222, 222, 229, 230, 232, 234, 237, 239, 242,
243, 246, 247, 250, 251, 254, 255, 258, 269, 270,
@@ -592,7 +588,7 @@ static const char *const yytname[] =
# ifdef YYPRINT
/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
token YYLEX-NUM. */
-static const unsigned short yytoknum[] =
+static const unsigned short int yytoknum[] =
{
0, 256, 257, 258, 259, 260, 261, 262, 263, 264,
265, 266, 267, 268, 269, 270, 271, 272, 273, 274,
@@ -670,7 +666,7 @@ static const unsigned char yydefact[] =
};
/* YYDEFGOTO[NTERM-NUM]. */
-static const short yydefgoto[] =
+static const short int yydefgoto[] =
{
-1, 2, 8, 13, 18, 19, 21, 22, 23, 27,
28, 24, 29, 56, 57, 58, 85, 59, 110, 111,
@@ -724,7 +720,7 @@ static const yysigned_char yypgoto[] =
number is the opposite. If zero, do what YYDEFACT says.
If YYTABLE_NINF, syntax error. */
#define YYTABLE_NINF -13
-static const short yytable[] =
+static const short int yytable[] =
{
35, 36, 37, 88, 139, 38, 90, 17, 93, 98,
5, 149, 151, 105, 105, 150, 39, 154, 167, 105,
@@ -744,7 +740,7 @@ static const short yytable[] =
163, 0, 170
};
-static const short yycheck[] =
+static const short int yycheck[] =
{
9, 10, 11, 53, 97, 14, 53, 40, 6, 27,
7, 91, 20, 86, 86, 95, 25, 91, 85, 86,
@@ -840,20 +836,53 @@ do \
} \
while (0)
+
#define YYTERROR 1
#define YYERRCODE 256
-/* YYLLOC_DEFAULT -- Compute the default location (before the actions
- are run). */
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+ If N is 0, then set CURRENT to the empty location which ends
+ the previous symbol: RHS[0] (always defined). */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
#ifndef YYLLOC_DEFAULT
-# define YYLLOC_DEFAULT(Current, Rhs, N) \
- ((Current).first_line = (Rhs)[1].first_line, \
- (Current).first_column = (Rhs)[1].first_column, \
- (Current).last_line = (Rhs)[N].last_line, \
- (Current).last_column = (Rhs)[N].last_column)
+# define YYLLOC_DEFAULT(Current, Rhs, N) \
+ do \
+ if (N) \
+ { \
+ (Current).first_line = YYRHSLOC (Rhs, 1).first_line; \
+ (Current).first_column = YYRHSLOC (Rhs, 1).first_column; \
+ (Current).last_line = YYRHSLOC (Rhs, N).last_line; \
+ (Current).last_column = YYRHSLOC (Rhs, N).last_column; \
+ } \
+ else \
+ { \
+ (Current).first_line = (Current).last_line = \
+ YYRHSLOC (Rhs, 0).last_line; \
+ (Current).first_column = (Current).last_column = \
+ YYRHSLOC (Rhs, 0).last_column; \
+ } \
+ while (0)
#endif
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+ This macro was not mandated originally: define only if we know
+ we won't break user code: when these are the locations we know. */
+
+#ifndef YY_LOCATION_PRINT
+# if YYLTYPE_IS_TRIVIAL
+# define YY_LOCATION_PRINT(File, Loc) \
+ fprintf (File, "%d.%d-%d.%d", \
+ (Loc).first_line, (Loc).first_column, \
+ (Loc).last_line, (Loc).last_column)
+# else
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
/* YYLEX -- calling `yylex' with the right arguments. */
#ifdef YYLEX_PARAM
@@ -876,19 +905,13 @@ do { \
YYFPRINTF Args; \
} while (0)
-# define YYDSYMPRINT(Args) \
-do { \
- if (yydebug) \
- yysymprint Args; \
-} while (0)
-
-# define YYDSYMPRINTF(Title, Token, Value, Location) \
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location) \
do { \
if (yydebug) \
{ \
YYFPRINTF (stderr, "%s ", Title); \
yysymprint (stderr, \
- Token, Value); \
+ Type, Value); \
YYFPRINTF (stderr, "\n"); \
} \
} while (0)
@@ -900,12 +923,12 @@ do { \
#if defined (__STDC__) || defined (__cplusplus)
static void
-yy_stack_print (short *bottom, short *top)
+yy_stack_print (short int *bottom, short int *top)
#else
static void
yy_stack_print (bottom, top)
- short *bottom;
- short *top;
+ short int *bottom;
+ short int *top;
#endif
{
YYFPRINTF (stderr, "Stack now");
@@ -955,8 +978,7 @@ do { \
int yydebug;
#else /* !YYDEBUG */
# define YYDPRINTF(Args)
-# define YYDSYMPRINT(Args)
-# define YYDSYMPRINTF(Title, Token, Value, Location)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
# define YY_STACK_PRINT(Bottom, Top)
# define YY_REDUCE_PRINT(Rule)
#endif /* !YYDEBUG */
@@ -974,10 +996,6 @@ int yydebug;
SIZE_MAX < YYSTACK_BYTES (YYMAXDEPTH)
evaluated with infinite-precision integer arithmetic. */
-#if defined (YYMAXDEPTH) && YYMAXDEPTH == 0
-# undef YYMAXDEPTH
-#endif
-
#ifndef YYMAXDEPTH
# define YYMAXDEPTH 10000
#endif
@@ -1059,15 +1077,15 @@ yysymprint (yyoutput, yytype, yyvaluep)
(void) yyvaluep;
if (yytype < YYNTOKENS)
- {
- YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
-# ifdef YYPRINT
- YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
-# endif
- }
+ YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
else
YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+# ifdef YYPRINT
+ if (yytype < YYNTOKENS)
+ YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# endif
switch (yytype)
{
default:
@@ -1083,10 +1101,11 @@ yysymprint (yyoutput, yytype, yyvaluep)
#if defined (__STDC__) || defined (__cplusplus)
static void
-yydestruct (int yytype, YYSTYPE *yyvaluep)
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
#else
static void
-yydestruct (yytype, yyvaluep)
+yydestruct (yymsg, yytype, yyvaluep)
+ const char *yymsg;
int yytype;
YYSTYPE *yyvaluep;
#endif
@@ -1094,6 +1113,10 @@ yydestruct (yytype, yyvaluep)
/* Pacify ``unused variable'' warnings. */
(void) yyvaluep;
+ if (!yymsg)
+ yymsg = "Deleting";
+ YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
switch (yytype)
{
@@ -1121,10 +1144,10 @@ int yyparse ();
-/* The lookahead symbol. */
+/* The look-ahead symbol. */
int yychar;
-/* The semantic value of the lookahead symbol. */
+/* The semantic value of the look-ahead symbol. */
YYSTYPE yylval;
/* Number of syntax errors so far. */
@@ -1160,7 +1183,7 @@ yyparse ()
int yyresult;
/* Number of tokens to shift before error messages enabled. */
int yyerrstatus;
- /* Lookahead token as an internal (translated) token number. */
+ /* Look-ahead token as an internal (translated) token number. */
int yytoken = 0;
/* Three stacks and their tools:
@@ -1172,9 +1195,9 @@ yyparse ()
to reallocate them elsewhere. */
/* The state stack. */
- short yyssa[YYINITDEPTH];
- short *yyss = yyssa;
- register short *yyssp;
+ short int yyssa[YYINITDEPTH];
+ short int *yyss = yyssa;
+ register short int *yyssp;
/* The semantic value stack. */
YYSTYPE yyvsa[YYINITDEPTH];
@@ -1211,6 +1234,9 @@ yyparse ()
yyssp = yyss;
yyvsp = yyvs;
+
+ yyvsp[0] = yylval;
+
goto yysetstate;
/*------------------------------------------------------------.
@@ -1236,7 +1262,7 @@ yyparse ()
these so that the &'s don't force the real ones into
memory. */
YYSTYPE *yyvs1 = yyvs;
- short *yyss1 = yyss;
+ short int *yyss1 = yyss;
/* Each stack pointer address is followed by the size of the
@@ -1264,7 +1290,7 @@ yyparse ()
yystacksize = YYMAXDEPTH;
{
- short *yyss1 = yyss;
+ short int *yyss1 = yyss;
union yyalloc *yyptr =
(union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
if (! yyptr)
@@ -1300,18 +1326,18 @@ yyparse ()
yybackup:
/* Do appropriate processing given the current state. */
-/* Read a lookahead token if we need one and don't already have one. */
+/* Read a look-ahead token if we need one and don't already have one. */
/* yyresume: */
- /* First try to decide what to do without reference to lookahead token. */
+ /* First try to decide what to do without reference to look-ahead token. */
yyn = yypact[yystate];
if (yyn == YYPACT_NINF)
goto yydefault;
- /* Not known => get a lookahead token if don't already have one. */
+ /* Not known => get a look-ahead token if don't already have one. */
- /* YYCHAR is either YYEMPTY or YYEOF or a valid lookahead symbol. */
+ /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol. */
if (yychar == YYEMPTY)
{
YYDPRINTF ((stderr, "Reading a token: "));
@@ -1326,7 +1352,7 @@ yybackup:
else
{
yytoken = YYTRANSLATE (yychar);
- YYDSYMPRINTF ("Next token is", yytoken, &yylval, &yylloc);
+ YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
}
/* If the proper action on seeing token YYTOKEN is to reduce or to
@@ -1346,8 +1372,8 @@ yybackup:
if (yyn == YYFINAL)
YYACCEPT;
- /* Shift the lookahead token. */
- YYDPRINTF ((stderr, "Shifting token %s, ", yytname[yytoken]));
+ /* Shift the look-ahead token. */
+ YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
/* Discard the token being shifted unless it is eof. */
if (yychar != YYEOF)
@@ -1422,38 +1448,38 @@ yyreduce:
#line 259 "parse.y"
{
struct string_list *sl;
- for(sl = yyvsp[-3].sl; sl != NULL; sl = sl->next) {
+ for(sl = (yyvsp[-3].sl); sl != NULL; sl = sl->next) {
Symbol *s = addsym(sl->string);
s->stype = Stype;
}
- add_import(yyvsp[-1].name);
+ add_import((yyvsp[-1].name));
}
break;
case 22:
#line 278 "parse.y"
{
- yyval.sl = emalloc(sizeof(*yyval.sl));
- yyval.sl->string = yyvsp[-2].name;
- yyval.sl->next = yyvsp[0].sl;
+ (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
+ (yyval.sl)->string = (yyvsp[-2].name);
+ (yyval.sl)->next = (yyvsp[0].sl);
}
break;
case 23:
#line 284 "parse.y"
{
- yyval.sl = emalloc(sizeof(*yyval.sl));
- yyval.sl->string = yyvsp[0].name;
- yyval.sl->next = NULL;
+ (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
+ (yyval.sl)->string = (yyvsp[0].name);
+ (yyval.sl)->next = NULL;
}
break;
case 24:
#line 292 "parse.y"
{
- Symbol *s = addsym (yyvsp[-2].name);
+ Symbol *s = addsym ((yyvsp[-2].name));
s->stype = Stype;
- s->type = yyvsp[0].type;
+ s->type = (yyvsp[0].type);
fix_labels(s);
generate_type (s);
}
@@ -1462,7 +1488,7 @@ yyreduce:
case 41:
#line 322 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_Boolean,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean,
TE_EXPLICIT, new_type(TBoolean));
}
break;
@@ -1470,18 +1496,18 @@ yyreduce:
case 42:
#line 329 "parse.y"
{
- if(yyvsp[-3].value->type != integervalue ||
- yyvsp[-1].value->type != integervalue)
+ if((yyvsp[-3].value)->type != integervalue ||
+ (yyvsp[-1].value)->type != integervalue)
error_message("Non-integer value used in range");
- yyval.range.min = yyvsp[-3].value->u.integervalue;
- yyval.range.max = yyvsp[-1].value->u.integervalue;
+ (yyval.range).min = (yyvsp[-3].value)->u.integervalue;
+ (yyval.range).max = (yyvsp[-1].value)->u.integervalue;
}
break;
case 43:
#line 339 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_Integer,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer,
TE_EXPLICIT, new_type(TInteger));
}
break;
@@ -1489,90 +1515,90 @@ yyreduce:
case 44:
#line 344 "parse.y"
{
- yyval.type = new_type(TInteger);
- yyval.type->range = emalloc(sizeof(*yyval.type->range));
- *(yyval.type->range) = yyvsp[0].range;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TInteger);
+ (yyval.type)->range = emalloc(sizeof(*(yyval.type)->range));
+ *((yyval.type)->range) = (yyvsp[0].range);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
}
break;
case 45:
#line 351 "parse.y"
{
- yyval.type = new_type(TInteger);
- yyval.type->members = yyvsp[-1].members;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TInteger);
+ (yyval.type)->members = (yyvsp[-1].members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
}
break;
case 46:
#line 359 "parse.y"
{
- yyval.members = emalloc(sizeof(*yyval.members));
- ASN1_TAILQ_INIT(yyval.members);
- ASN1_TAILQ_INSERT_HEAD(yyval.members, yyvsp[0].member, members);
+ (yyval.members) = emalloc(sizeof(*(yyval.members)));
+ ASN1_TAILQ_INIT((yyval.members));
+ ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[0].member), members);
}
break;
case 47:
#line 365 "parse.y"
{
- ASN1_TAILQ_INSERT_TAIL(yyvsp[-2].members, yyvsp[0].member, members);
- yyval.members = yyvsp[-2].members;
+ ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
+ (yyval.members) = (yyvsp[-2].members);
}
break;
case 48:
#line 370 "parse.y"
- { yyval.members = yyvsp[-2].members; }
+ { (yyval.members) = (yyvsp[-2].members); }
break;
case 49:
#line 374 "parse.y"
{
- yyval.member = emalloc(sizeof(*yyval.member));
- yyval.member->name = yyvsp[-3].name;
- yyval.member->gen_name = estrdup(yyvsp[-3].name);
- output_name (yyval.member->gen_name);
- yyval.member->val = yyvsp[-1].constant;
- yyval.member->optional = 0;
- yyval.member->ellipsis = 0;
- yyval.member->type = NULL;
+ (yyval.member) = emalloc(sizeof(*(yyval.member)));
+ (yyval.member)->name = (yyvsp[-3].name);
+ (yyval.member)->gen_name = estrdup((yyvsp[-3].name));
+ output_name ((yyval.member)->gen_name);
+ (yyval.member)->val = (yyvsp[-1].constant);
+ (yyval.member)->optional = 0;
+ (yyval.member)->ellipsis = 0;
+ (yyval.member)->type = NULL;
}
break;
case 50:
#line 387 "parse.y"
{
- yyval.type = new_type(TInteger);
- yyval.type->members = yyvsp[-1].members;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Enumerated, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TInteger);
+ (yyval.type)->members = (yyvsp[-1].members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Enumerated, TE_EXPLICIT, (yyval.type));
}
break;
case 52:
#line 398 "parse.y"
{
- yyval.type = new_type(TBitString);
- yyval.type->members = emalloc(sizeof(*yyval.type->members));
- ASN1_TAILQ_INIT(yyval.type->members);
- yyval.type = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TBitString);
+ (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
+ ASN1_TAILQ_INIT((yyval.type)->members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, (yyval.type));
}
break;
case 53:
#line 405 "parse.y"
{
- yyval.type = new_type(TBitString);
- yyval.type->members = yyvsp[-1].members;
- yyval.type = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TBitString);
+ (yyval.type)->members = (yyvsp[-1].members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, (yyval.type));
}
break;
case 54:
#line 413 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_OID,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_OID,
TE_EXPLICIT, new_type(TOID));
}
break;
@@ -1580,7 +1606,7 @@ yyreduce:
case 55:
#line 419 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_OctetString,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString,
TE_EXPLICIT, new_type(TOctetString));
}
break;
@@ -1588,7 +1614,7 @@ yyreduce:
case 56:
#line 426 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_Null,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Null,
TE_EXPLICIT, new_type(TNull));
}
break;
@@ -1596,81 +1622,81 @@ yyreduce:
case 57:
#line 433 "parse.y"
{
- yyval.type = new_type(TSequence);
- yyval.type->members = yyvsp[-1].members;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSequence);
+ (yyval.type)->members = (yyvsp[-1].members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
}
break;
case 58:
#line 439 "parse.y"
{
- yyval.type = new_type(TSequence);
- yyval.type->members = NULL;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSequence);
+ (yyval.type)->members = NULL;
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
}
break;
case 59:
#line 447 "parse.y"
{
- yyval.type = new_type(TSequenceOf);
- yyval.type->subtype = yyvsp[0].type;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSequenceOf);
+ (yyval.type)->subtype = (yyvsp[0].type);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
}
break;
case 60:
#line 455 "parse.y"
{
- yyval.type = new_type(TSet);
- yyval.type->members = yyvsp[-1].members;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSet);
+ (yyval.type)->members = (yyvsp[-1].members);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
}
break;
case 61:
#line 461 "parse.y"
{
- yyval.type = new_type(TSet);
- yyval.type->members = NULL;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSet);
+ (yyval.type)->members = NULL;
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
}
break;
case 62:
#line 469 "parse.y"
{
- yyval.type = new_type(TSetOf);
- yyval.type->subtype = yyvsp[0].type;
- yyval.type = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, yyval.type);
+ (yyval.type) = new_type(TSetOf);
+ (yyval.type)->subtype = (yyvsp[0].type);
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
}
break;
case 63:
#line 477 "parse.y"
{
- yyval.type = new_type(TChoice);
- yyval.type->members = yyvsp[-1].members;
+ (yyval.type) = new_type(TChoice);
+ (yyval.type)->members = (yyvsp[-1].members);
}
break;
case 66:
#line 488 "parse.y"
{
- Symbol *s = addsym(yyvsp[0].name);
- yyval.type = new_type(TType);
+ Symbol *s = addsym((yyvsp[0].name));
+ (yyval.type) = new_type(TType);
if(s->stype != Stype && s->stype != SUndefined)
- error_message ("%s is not a type\n", yyvsp[0].name);
+ error_message ("%s is not a type\n", (yyvsp[0].name));
else
- yyval.type->symbol = s;
+ (yyval.type)->symbol = s;
}
break;
case 67:
#line 499 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_GeneralizedTime,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime,
TE_EXPLICIT, new_type(TGeneralizedTime));
}
break;
@@ -1678,7 +1704,7 @@ yyreduce:
case 68:
#line 504 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_UTCTime,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime,
TE_EXPLICIT, new_type(TUTCTime));
}
break;
@@ -1686,72 +1712,72 @@ yyreduce:
case 69:
#line 511 "parse.y"
{
- yyval.type = new_type(TTag);
- yyval.type->tag = yyvsp[-2].tag;
- yyval.type->tag.tagenv = yyvsp[-1].constant;
- if(yyvsp[0].type->type == TTag && yyvsp[-1].constant == TE_IMPLICIT) {
- yyval.type->subtype = yyvsp[0].type->subtype;
- free(yyvsp[0].type);
+ (yyval.type) = new_type(TTag);
+ (yyval.type)->tag = (yyvsp[-2].tag);
+ (yyval.type)->tag.tagenv = (yyvsp[-1].constant);
+ if((yyvsp[0].type)->type == TTag && (yyvsp[-1].constant) == TE_IMPLICIT) {
+ (yyval.type)->subtype = (yyvsp[0].type)->subtype;
+ free((yyvsp[0].type));
} else
- yyval.type->subtype = yyvsp[0].type;
+ (yyval.type)->subtype = (yyvsp[0].type);
}
break;
case 70:
#line 524 "parse.y"
{
- yyval.tag.tagclass = yyvsp[-2].constant;
- yyval.tag.tagvalue = yyvsp[-1].constant;
- yyval.tag.tagenv = TE_EXPLICIT;
+ (yyval.tag).tagclass = (yyvsp[-2].constant);
+ (yyval.tag).tagvalue = (yyvsp[-1].constant);
+ (yyval.tag).tagenv = TE_EXPLICIT;
}
break;
case 71:
#line 532 "parse.y"
{
- yyval.constant = ASN1_C_CONTEXT;
+ (yyval.constant) = ASN1_C_CONTEXT;
}
break;
case 72:
#line 536 "parse.y"
{
- yyval.constant = ASN1_C_UNIV;
+ (yyval.constant) = ASN1_C_UNIV;
}
break;
case 73:
#line 540 "parse.y"
{
- yyval.constant = ASN1_C_APPL;
+ (yyval.constant) = ASN1_C_APPL;
}
break;
case 74:
#line 544 "parse.y"
{
- yyval.constant = ASN1_C_PRIVATE;
+ (yyval.constant) = ASN1_C_PRIVATE;
}
break;
case 75:
#line 550 "parse.y"
{
- yyval.constant = TE_EXPLICIT;
+ (yyval.constant) = TE_EXPLICIT;
}
break;
case 76:
#line 554 "parse.y"
{
- yyval.constant = TE_EXPLICIT;
+ (yyval.constant) = TE_EXPLICIT;
}
break;
case 77:
#line 558 "parse.y"
{
- yyval.constant = TE_IMPLICIT;
+ (yyval.constant) = TE_IMPLICIT;
}
break;
@@ -1759,10 +1785,10 @@ yyreduce:
#line 565 "parse.y"
{
Symbol *s;
- s = addsym (yyvsp[-3].name);
+ s = addsym ((yyvsp[-3].name));
s->stype = SValue;
- s->value = yyvsp[0].value;
+ s->value = (yyvsp[0].value);
generate_constant (s);
}
break;
@@ -1770,7 +1796,7 @@ yyreduce:
case 80:
#line 579 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_GeneralString,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString,
TE_EXPLICIT, new_type(TGeneralString));
}
break;
@@ -1778,7 +1804,7 @@ yyreduce:
case 81:
#line 584 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_UTF8String,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String,
TE_EXPLICIT, new_type(TUTF8String));
}
break;
@@ -1786,7 +1812,7 @@ yyreduce:
case 82:
#line 589 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_PrintableString,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString,
TE_EXPLICIT, new_type(TPrintableString));
}
break;
@@ -1794,7 +1820,7 @@ yyreduce:
case 83:
#line 594 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_IA5String,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
TE_EXPLICIT, new_type(TIA5String));
}
break;
@@ -1802,7 +1828,7 @@ yyreduce:
case 84:
#line 599 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_BMPString,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
TE_EXPLICIT, new_type(TBMPString));
}
break;
@@ -1810,7 +1836,7 @@ yyreduce:
case 85:
#line 604 "parse.y"
{
- yyval.type = new_tag(ASN1_C_UNIV, UT_UniversalString,
+ (yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString,
TE_EXPLICIT, new_type(TUniversalString));
}
break;
@@ -1818,17 +1844,17 @@ yyreduce:
case 86:
#line 612 "parse.y"
{
- yyval.members = emalloc(sizeof(*yyval.members));
- ASN1_TAILQ_INIT(yyval.members);
- ASN1_TAILQ_INSERT_HEAD(yyval.members, yyvsp[0].member, members);
+ (yyval.members) = emalloc(sizeof(*(yyval.members)));
+ ASN1_TAILQ_INIT((yyval.members));
+ ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[0].member), members);
}
break;
case 87:
#line 618 "parse.y"
{
- ASN1_TAILQ_INSERT_TAIL(yyvsp[-2].members, yyvsp[0].member, members);
- yyval.members = yyvsp[-2].members;
+ ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
+ (yyval.members) = (yyvsp[-2].members);
}
break;
@@ -1839,108 +1865,108 @@ yyreduce:
m->name = estrdup("...");
m->gen_name = estrdup("asn1_ellipsis");
m->ellipsis = 1;
- ASN1_TAILQ_INSERT_TAIL(yyvsp[-2].members, m, members);
- yyval.members = yyvsp[-2].members;
+ ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), m, members);
+ (yyval.members) = (yyvsp[-2].members);
}
break;
case 89:
#line 634 "parse.y"
{
- yyval.member = emalloc(sizeof(*yyval.member));
- yyval.member->name = yyvsp[-1].name;
- yyval.member->gen_name = estrdup(yyvsp[-1].name);
- output_name (yyval.member->gen_name);
- yyval.member->type = yyvsp[0].type;
- yyval.member->ellipsis = 0;
+ (yyval.member) = emalloc(sizeof(*(yyval.member)));
+ (yyval.member)->name = (yyvsp[-1].name);
+ (yyval.member)->gen_name = estrdup((yyvsp[-1].name));
+ output_name ((yyval.member)->gen_name);
+ (yyval.member)->type = (yyvsp[0].type);
+ (yyval.member)->ellipsis = 0;
}
break;
case 90:
#line 645 "parse.y"
{
- yyval.member = yyvsp[0].member;
- yyval.member->optional = 0;
- yyval.member->defval = NULL;
+ (yyval.member) = (yyvsp[0].member);
+ (yyval.member)->optional = 0;
+ (yyval.member)->defval = NULL;
}
break;
case 91:
#line 651 "parse.y"
{
- yyval.member = yyvsp[-1].member;
- yyval.member->optional = 1;
- yyval.member->defval = NULL;
+ (yyval.member) = (yyvsp[-1].member);
+ (yyval.member)->optional = 1;
+ (yyval.member)->defval = NULL;
}
break;
case 92:
#line 657 "parse.y"
{
- yyval.member = yyvsp[-2].member;
- yyval.member->optional = 0;
- yyval.member->defval = yyvsp[0].value;
+ (yyval.member) = (yyvsp[-2].member);
+ (yyval.member)->optional = 0;
+ (yyval.member)->defval = (yyvsp[0].value);
}
break;
case 93:
#line 665 "parse.y"
{
- yyval.members = emalloc(sizeof(*yyval.members));
- ASN1_TAILQ_INIT(yyval.members);
- ASN1_TAILQ_INSERT_HEAD(yyval.members, yyvsp[0].member, members);
+ (yyval.members) = emalloc(sizeof(*(yyval.members)));
+ ASN1_TAILQ_INIT((yyval.members));
+ ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[0].member), members);
}
break;
case 94:
#line 671 "parse.y"
{
- ASN1_TAILQ_INSERT_TAIL(yyvsp[-2].members, yyvsp[0].member, members);
- yyval.members = yyvsp[-2].members;
+ ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
+ (yyval.members) = (yyvsp[-2].members);
}
break;
case 95:
#line 678 "parse.y"
{
- yyval.member = emalloc(sizeof(*yyval.member));
- yyval.member->name = yyvsp[-3].name;
- yyval.member->gen_name = estrdup(yyvsp[-3].name);
- output_name (yyval.member->gen_name);
- yyval.member->val = yyvsp[-1].constant;
- yyval.member->optional = 0;
- yyval.member->ellipsis = 0;
- yyval.member->type = NULL;
+ (yyval.member) = emalloc(sizeof(*(yyval.member)));
+ (yyval.member)->name = (yyvsp[-3].name);
+ (yyval.member)->gen_name = estrdup((yyvsp[-3].name));
+ output_name ((yyval.member)->gen_name);
+ (yyval.member)->val = (yyvsp[-1].constant);
+ (yyval.member)->optional = 0;
+ (yyval.member)->ellipsis = 0;
+ (yyval.member)->type = NULL;
}
break;
case 97:
#line 691 "parse.y"
- { yyval.objid = NULL; }
+ { (yyval.objid) = NULL; }
break;
case 98:
#line 695 "parse.y"
{
- yyval.objid = yyvsp[-1].objid;
+ (yyval.objid) = (yyvsp[-1].objid);
}
break;
case 99:
#line 701 "parse.y"
{
- yyval.objid = NULL;
+ (yyval.objid) = NULL;
}
break;
case 100:
#line 705 "parse.y"
{
- if (yyvsp[0].objid) {
- yyval.objid = yyvsp[0].objid;
- add_oid_to_tail(yyvsp[0].objid, yyvsp[-1].objid);
+ if ((yyvsp[0].objid)) {
+ (yyval.objid) = (yyvsp[0].objid);
+ add_oid_to_tail((yyvsp[0].objid), (yyvsp[-1].objid));
} else {
- yyval.objid = yyvsp[-1].objid;
+ (yyval.objid) = (yyvsp[-1].objid);
}
}
break;
@@ -1948,76 +1974,76 @@ yyreduce:
case 101:
#line 716 "parse.y"
{
- yyval.objid = new_objid(yyvsp[-3].name, yyvsp[-1].constant);
+ (yyval.objid) = new_objid((yyvsp[-3].name), (yyvsp[-1].constant));
}
break;
case 102:
#line 720 "parse.y"
{
- Symbol *s = addsym(yyvsp[0].name);
+ Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue ||
s->value->type != objectidentifiervalue) {
error_message("%s is not an object identifier\n",
s->name);
exit(1);
}
- yyval.objid = s->value->u.objectidentifiervalue;
+ (yyval.objid) = s->value->u.objectidentifiervalue;
}
break;
case 103:
#line 731 "parse.y"
{
- yyval.objid = new_objid(NULL, yyvsp[0].constant);
+ (yyval.objid) = new_objid(NULL, (yyvsp[0].constant));
}
break;
case 113:
#line 754 "parse.y"
{
- Symbol *s = addsym(yyvsp[0].name);
+ Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue)
error_message ("%s is not a value\n",
s->name);
else
- yyval.value = s->value;
+ (yyval.value) = s->value;
}
break;
case 114:
#line 765 "parse.y"
{
- yyval.value = emalloc(sizeof(*yyval.value));
- yyval.value->type = stringvalue;
- yyval.value->u.stringvalue = yyvsp[0].name;
+ (yyval.value) = emalloc(sizeof(*(yyval.value)));
+ (yyval.value)->type = stringvalue;
+ (yyval.value)->u.stringvalue = (yyvsp[0].name);
}
break;
case 115:
#line 773 "parse.y"
{
- yyval.value = emalloc(sizeof(*yyval.value));
- yyval.value->type = booleanvalue;
- yyval.value->u.booleanvalue = 0;
+ (yyval.value) = emalloc(sizeof(*(yyval.value)));
+ (yyval.value)->type = booleanvalue;
+ (yyval.value)->u.booleanvalue = 0;
}
break;
case 116:
#line 779 "parse.y"
{
- yyval.value = emalloc(sizeof(*yyval.value));
- yyval.value->type = booleanvalue;
- yyval.value->u.booleanvalue = 0;
+ (yyval.value) = emalloc(sizeof(*(yyval.value)));
+ (yyval.value)->type = booleanvalue;
+ (yyval.value)->u.booleanvalue = 0;
}
break;
case 117:
#line 787 "parse.y"
{
- yyval.value = emalloc(sizeof(*yyval.value));
- yyval.value->type = integervalue;
- yyval.value->u.integervalue = yyvsp[0].constant;
+ (yyval.value) = emalloc(sizeof(*(yyval.value)));
+ (yyval.value)->type = integervalue;
+ (yyval.value)->u.integervalue = (yyvsp[0].constant);
}
break;
@@ -2030,17 +2056,17 @@ yyreduce:
case 120:
#line 803 "parse.y"
{
- yyval.value = emalloc(sizeof(*yyval.value));
- yyval.value->type = objectidentifiervalue;
- yyval.value->u.objectidentifiervalue = yyvsp[0].objid;
+ (yyval.value) = emalloc(sizeof(*(yyval.value)));
+ (yyval.value)->type = objectidentifiervalue;
+ (yyval.value)->u.objectidentifiervalue = (yyvsp[0].objid);
}
break;
}
-/* Line 1000 of yacc.c. */
-#line 2044 "parse.c"
+/* Line 1037 of yacc.c. */
+#line 2070 "parse.c"
yyvsp -= yylen;
yyssp -= yylen;
@@ -2140,7 +2166,7 @@ yyerrlab:
if (yyerrstatus == 3)
{
- /* If just tried and failed to reuse lookahead token after an
+ /* If just tried and failed to reuse look-ahead token after an
error, discard it. */
if (yychar <= YYEOF)
@@ -2150,23 +2176,22 @@ yyerrlab:
if (yychar == YYEOF)
for (;;)
{
+
YYPOPSTACK;
if (yyssp == yyss)
YYABORT;
- YYDSYMPRINTF ("Error: popping", yystos[*yyssp], yyvsp, yylsp);
- yydestruct (yystos[*yyssp], yyvsp);
+ yydestruct ("Error: popping",
+ yystos[*yyssp], yyvsp);
}
}
else
{
- YYDSYMPRINTF ("Error: discarding", yytoken, &yylval, &yylloc);
- yydestruct (yytoken, &yylval);
+ yydestruct ("Error: discarding", yytoken, &yylval);
yychar = YYEMPTY;
-
}
}
- /* Else will try to reuse lookahead token after shifting the error
+ /* Else will try to reuse look-ahead token after shifting the error
token. */
goto yyerrlab1;
@@ -2183,7 +2208,7 @@ yyerrorlab:
goto yyerrorlab;
#endif
- yyvsp -= yylen;
+yyvsp -= yylen;
yyssp -= yylen;
yystate = *yyssp;
goto yyerrlab1;
@@ -2213,8 +2238,8 @@ yyerrlab1:
if (yyssp == yyss)
YYABORT;
- YYDSYMPRINTF ("Error: popping", yystos[*yyssp], yyvsp, yylsp);
- yydestruct (yystos[yystate], yyvsp);
+
+ yydestruct ("Error: popping", yystos[yystate], yyvsp);
YYPOPSTACK;
yystate = *yyssp;
YY_STACK_PRINT (yyss, yyssp);
@@ -2223,11 +2248,12 @@ yyerrlab1:
if (yyn == YYFINAL)
YYACCEPT;
- YYDPRINTF ((stderr, "Shifting error token, "));
-
*++yyvsp = yylval;
+ /* Shift the error token. */
+ YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
yystate = yyn;
goto yynewstate;
@@ -2243,6 +2269,9 @@ yyacceptlab:
| yyabortlab -- YYABORT comes here. |
`-----------------------------------*/
yyabortlab:
+ yydestruct ("Error: discarding lookahead",
+ yytoken, &yylval);
+ yychar = YYEMPTY;
yyresult = 1;
goto yyreturn;
diff --git a/source4/heimdal/lib/asn1/parse.h b/source4/heimdal/lib/asn1/parse.h
index ad2ed3c4a2..76ff8755c9 100644
--- a/source4/heimdal/lib/asn1/parse.h
+++ b/source4/heimdal/lib/asn1/parse.h
@@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875c. */
+/* A Bison parser, made by GNU Bison 2.0. */
/* Skeleton parser for Yacc-like parsing with Bison,
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -224,7 +224,7 @@ typedef union YYSTYPE {
struct tagtype tag;
struct memhead *members;
} YYSTYPE;
-/* Line 1275 of yacc.c. */
+/* Line 1318 of yacc.c. */
#line 229 "parse.h"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index 0376ca30bf..6a80934e46 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.58 2005/07/13 07:00:15 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.59 2005/08/11 10:47:25 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -989,9 +989,6 @@ spnego_initial
u_char *buf;
size_t buf_size, buf_len;
krb5_data data;
-#if 1
- size_t ni_len;
-#endif
memset (&ni, 0, sizeof(ni));
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c
new file mode 100644
index 0000000000..850b23fb04
--- /dev/null
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hdb_locl.h"
+#include <der.h>
+
+RCSID("$Id: ext.c,v 1.1 2005/08/11 20:49:31 lha Exp $");
+
+krb5_error_code
+hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
+{
+ int i;
+
+ if (ent->extensions == NULL)
+ return 0;
+
+ /*
+ * check for unknown extensions and if they where tagged mandatory
+ */
+
+ for (i = 0; i < ent->extensions->len; i++) {
+ if (ent->extensions->val[i].data.element !=
+ choice_HDB_extension_data_asn1_ellipsis)
+ continue;
+ if (ent->extensions->val[i].mandatory) {
+ krb5_set_error_string(context, "Principal have unknown "
+ "mandatory extension");
+ return HDB_ERR_MANDATORY_OPTION;
+ }
+ }
+ return 0;
+}
+
+HDB_extension *
+hdb_find_extension(const hdb_entry *entry, int type)
+{
+ int i;
+
+ if (entry->extensions == NULL)
+ return NULL;
+
+ for (i = 0; i < entry->extensions->len; i++)
+ if (entry->extensions->val[i].data.element == type)
+ return &entry->extensions->val[i];
+ return NULL;
+}
+
+/*
+ * Replace the extension `ext' in `entry'. Make a copy of the
+ * extension, so the caller must still free `ext' on both success and
+ * failure. Returns 0 or error code.
+ */
+
+krb5_error_code
+hdb_replace_extension(krb5_context context,
+ hdb_entry *entry,
+ const HDB_extension *ext)
+{
+ HDB_extension *ext2;
+ HDB_extension *es;
+ int ret;
+
+ ext2 = NULL;
+
+ if (entry->extensions == NULL) {
+ entry->extensions = calloc(1, sizeof(*entry->extensions));
+ if (entry->extensions == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ } else if (ext->data.element != choice_HDB_extension_data_asn1_ellipsis) {
+ ext2 = hdb_find_extension(entry, ext->data.element);
+ } else {
+ /*
+ * This is an unknown extention, and we are asked to replace a
+ * possible entry in `entry' that is of the same type. This
+ * might seem impossible, but ASN.1 CHOICE comes to our
+ * rescue. The first tag in each branch in the CHOICE is
+ * unique, so just find the element in the list that have the
+ * same tag was we are putting into the list.
+ */
+ Der_class replace_class, list_class;
+ Der_type replace_type, list_type;
+ unsigned int replace_tag, list_tag;
+ size_t size;
+ int i;
+
+ ret = der_get_tag(ext->data.u.asn1_ellipsis.data,
+ ext->data.u.asn1_ellipsis.length,
+ &replace_class, &replace_type, &replace_tag,
+ &size);
+ if (ret) {
+ krb5_set_error_string(context, "hdb: failed to decode "
+ "replacement hdb extention");
+ return ret;
+ }
+
+ for (i = 0; i < entry->extensions->len; i++) {
+ HDB_extension *ext3 = &entry->extensions->val[i];
+
+ if (ext3->data.element != choice_HDB_extension_data_asn1_ellipsis)
+ continue;
+
+ ret = der_get_tag(ext3->data.u.asn1_ellipsis.data,
+ ext3->data.u.asn1_ellipsis.length,
+ &list_class, &list_type, &list_tag,
+ &size);
+ if (ret) {
+ krb5_set_error_string(context, "hdb: failed to decode "
+ "present hdb extention");
+ return ret;
+ }
+
+ if (MAKE_TAG(replace_class,replace_type,replace_type) ==
+ MAKE_TAG(list_class,list_type,list_type)) {
+ ext2 = ext3;
+ break;
+ }
+ }
+ }
+
+ if (ext2) {
+ free_HDB_extension(ext2);
+ ret = copy_HDB_extension(ext, ext2);
+ if (ret)
+ krb5_set_error_string(context, "hdb: failed to copy replacement "
+ "hdb extention");
+ return ret;
+ }
+
+ es = realloc(entry->extensions->val,
+ (entry->extensions->len+1)*sizeof(entry->extensions->val[0]));
+ if (es == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ entry->extensions->val = es;
+
+ ret = copy_HDB_extension(ext,
+ &entry->extensions->val[entry->extensions->len]);
+ if (ret == 0) {
+ entry->extensions->len++;
+ krb5_set_error_string(context, "hdb: failed to copy new extension");
+ }
+
+ return ret;
+}
+
+krb5_error_code
+hdb_clear_extension(krb5_context context,
+ hdb_entry *entry,
+ int type)
+{
+ int i;
+
+ if (entry->extensions == NULL)
+ return 0;
+
+ for (i = 0; i < entry->extensions->len; i++) {
+ if (entry->extensions->val[i].data.element == type) {
+ free_HDB_extension(&entry->extensions->val[i]);
+ memmove(&entry->extensions->val[i],
+ &entry->extensions->val[i + 1],
+ sizeof(entry->extensions->val[i]) * (entry->extensions->len - i - 1));
+ entry->extensions->len--;
+ }
+ }
+ if (entry->extensions->len == 0) {
+ free(entry->extensions->val);
+ free(entry->extensions);
+ entry->extensions = NULL;
+ }
+
+ return 0;
+}
+
+
+krb5_error_code
+hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a)
+{
+ const HDB_extension *ext;
+
+ ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_acl);
+ if (ext)
+ *a = &ext->data.u.pkinit_acl;
+ else
+ *a = NULL;
+
+ return 0;
+}
+
+krb5_error_code
+hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t)
+{
+ const HDB_extension *ext;
+
+ ext = hdb_find_extension(entry, choice_HDB_extension_data_last_pw_change);
+ if (ext)
+ *t = ext->data.u.last_pw_change;
+ else
+ *t = 0;
+
+ return 0;
+}
+
+krb5_error_code
+hdb_entry_set_pw_change_time(krb5_context context,
+ hdb_entry *entry,
+ time_t t)
+{
+ HDB_extension ext;
+
+ ext.mandatory = FALSE;
+ ext.data.element = choice_HDB_extension_data_last_pw_change;
+ if (t == 0)
+ t = time(NULL);
+ ext.data.u.last_pw_change = t;
+
+ return hdb_replace_extension(context, entry, &ext);
+}
+
+int
+hdb_entry_get_password(krb5_context context, HDB *db,
+ const hdb_entry *entry, char **p)
+{
+ HDB_extension *ext;
+ int ret;
+
+ ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
+ if (ext) {
+ heim_utf8_string str;
+ heim_octet_string pw;
+
+ if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
+ hdb_master_key key;
+
+ key = _hdb_find_master_key(ext->data.u.password.mkvno,
+ db->hdb_master_key);
+
+ if (key == NULL) {
+ krb5_set_error_string(context, "master key %d missing",
+ *ext->data.u.password.mkvno);
+ return HDB_ERR_NO_MKEY;
+ }
+
+ ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
+ ext->data.u.password.password.data,
+ ext->data.u.password.password.length,
+ &pw);
+ } else {
+ ret = copy_octet_string(&ext->data.u.password.password, &pw);
+ }
+ if (ret) {
+ krb5_clear_error_string(context);
+ return ret;
+ }
+
+ str = pw.data;
+ if (str[pw.length - 1] != '\0') {
+ krb5_set_error_string(context, "password malformated");
+ return EINVAL;
+ }
+
+ *p = strdup(str);
+
+ free_octet_string(&pw);
+ if (*p == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ return 0;
+ }
+ krb5_set_error_string(context, "password attribute not found");
+ return ENOENT;
+}
+
+int
+hdb_entry_set_password(krb5_context context, HDB *db,
+ hdb_entry *entry, const char *p)
+{
+ HDB_extension ext;
+ hdb_master_key key;
+ int ret;
+
+ ext.mandatory = FALSE;
+ ext.data.element = choice_HDB_extension_data_password;
+
+ if (db->hdb_master_key_set) {
+
+ key = _hdb_find_master_key(NULL, db->hdb_master_key);
+ if (key == NULL) {
+ krb5_set_error_string(context, "hdb_entry_set_password: "
+ "failed to find masterkey");
+ return HDB_ERR_NO_MKEY;
+ }
+
+ ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
+ p, strlen(p) + 1,
+ &ext.data.u.password.password);
+ if (ret)
+ return ret;
+
+ ext.data.u.password.mkvno =
+ malloc(sizeof(*ext.data.u.password.mkvno));
+ if (ext.data.u.password.mkvno == NULL) {
+ free_HDB_extension(&ext);
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ *ext.data.u.password.mkvno = _hdb_mkey_version(key);
+
+ } else {
+ ext.data.u.password.mkvno = NULL;
+
+ ret = krb5_data_copy(&ext.data.u.password.password,
+ p, strlen(p) + 1);
+ if (ret) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free_HDB_extension(&ext);
+ return ret;
+ }
+ }
+
+ ret = hdb_replace_extension(context, entry, &ext);
+
+ free_HDB_extension(&ext);
+
+ return ret;
+}
+
+int
+hdb_entry_clear_password(krb5_context context, hdb_entry *entry)
+{
+ return hdb_clear_extension(context, entry,
+ choice_HDB_extension_data_password);
+}
diff --git a/source4/heimdal/lib/hdb/hdb-private.h b/source4/heimdal/lib/hdb/hdb-private.h
index a2b96bb047..7baa944053 100644
--- a/source4/heimdal/lib/hdb/hdb-private.h
+++ b/source4/heimdal/lib/hdb/hdb-private.h
@@ -9,10 +9,36 @@ _hdb_fetch (
krb5_context /*context*/,
HDB */*db*/,
unsigned /*flags*/,
- krb5_principal /*principal*/,
+ krb5_const_principal /*principal*/,
enum hdb_ent_type /*ent_type*/,
hdb_entry */*entry*/);
+hdb_master_key
+_hdb_find_master_key (
+ u_int32_t */*mkvno*/,
+ hdb_master_key /*mkey*/);
+
+int
+_hdb_mkey_decrypt (
+ krb5_context /*context*/,
+ hdb_master_key /*key*/,
+ krb5_key_usage /*usage*/,
+ void */*ptr*/,
+ size_t /*size*/,
+ krb5_data */*res*/);
+
+int
+_hdb_mkey_encrypt (
+ krb5_context /*context*/,
+ hdb_master_key /*key*/,
+ krb5_key_usage /*usage*/,
+ const void */*ptr*/,
+ size_t /*size*/,
+ krb5_data */*res*/);
+
+int
+_hdb_mkey_version (hdb_master_key /*mkey*/);
+
krb5_error_code
_hdb_remove (
krb5_context /*context*/,
diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h
index 886d48e5bd..799f013eba 100644
--- a/source4/heimdal/lib/hdb/hdb-protos.h
+++ b/source4/heimdal/lib/hdb/hdb-protos.h
@@ -20,6 +20,12 @@ hdb_check_db_format (
HDB */*db*/);
krb5_error_code
+hdb_clear_extension (
+ krb5_context /*context*/,
+ hdb_entry */*entry*/,
+ int /*type*/);
+
+krb5_error_code
hdb_clear_master_key (
krb5_context /*context*/,
HDB */*db*/);
@@ -56,6 +62,51 @@ hdb_entry2value (
krb5_data */*value*/);
krb5_error_code
+hdb_entry_check_mandatory (
+ krb5_context /*context*/,
+ const hdb_entry */*ent*/);
+
+int
+hdb_entry_clear_password (
+ krb5_context /*context*/,
+ hdb_entry */*entry*/);
+
+int
+hdb_entry_get_password (
+ krb5_context /*context*/,
+ HDB */*db*/,
+ const hdb_entry */*entry*/,
+ char **/*p*/);
+
+krb5_error_code
+hdb_entry_get_pkinit_acl (
+ const hdb_entry */*entry*/,
+ const HDB_Ext_PKINIT_acl **/*a*/);
+
+krb5_error_code
+hdb_entry_get_pw_change_time (
+ const hdb_entry */*entry*/,
+ time_t */*t*/);
+
+int
+hdb_entry_set_password (
+ krb5_context /*context*/,
+ HDB */*db*/,
+ hdb_entry */*entry*/,
+ const char */*p*/);
+
+krb5_error_code
+hdb_entry_set_pw_change_time (
+ krb5_context /*context*/,
+ hdb_entry */*entry*/,
+ time_t /*t*/);
+
+HDB_extension *
+hdb_find_extension (
+ const hdb_entry */*entry*/,
+ int /*type*/);
+
+krb5_error_code
hdb_foreach (
krb5_context /*context*/,
HDB */*db*/,
@@ -141,7 +192,7 @@ hdb_next_enctype2key (
int
hdb_principal2key (
krb5_context /*context*/,
- krb5_principal /*p*/,
+ krb5_const_principal /*p*/,
krb5_data */*key*/);
krb5_error_code
@@ -166,6 +217,12 @@ hdb_read_master_key (
hdb_master_key */*mkey*/);
krb5_error_code
+hdb_replace_extension (
+ krb5_context /*context*/,
+ hdb_entry */*entry*/,
+ const HDB_extension */*ext*/);
+
+krb5_error_code
hdb_seal_key (
krb5_context /*context*/,
HDB */*db*/,
diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1
index 770acf4dce..c8a1a34b4f 100644
--- a/source4/heimdal/lib/hdb/hdb.asn1
+++ b/source4/heimdal/lib/hdb/hdb.asn1
@@ -1,4 +1,4 @@
--- $Id: hdb.asn1,v 1.12 2004/11/10 18:50:27 lha Exp $
+-- $Id: hdb.asn1,v 1.13 2005/08/11 13:15:44 lha Exp $
HDB DEFINITIONS ::=
BEGIN
@@ -50,6 +50,51 @@ GENERATION ::= SEQUENCE {
gen[2] INTEGER (0..4294967295) -- generation number
}
+HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
+ subject[0] UTF8String,
+ issuer[1] UTF8String
+}
+
+HDB-Ext-PKINIT-certificate ::= SEQUENCE OF OCTET STRING
+
+HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
+
+-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
+
+HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
+
+HDB-Ext-Password ::= SEQUENCE {
+ mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
+ password OCTET STRING
+}
+
+HDB-Ext-Aliases ::= SEQUENCE {
+ case-insensitive[0] BOOLEAN, -- case insensitive name allowed
+ aliases[1] SEQUENCE OF Principal -- all names, inc primary
+}
+
+
+HDB-extension ::= SEQUENCE {
+ mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
+ -- if not the whole entry must
+ -- be rejected
+ data[1] CHOICE {
+ pkinit-acl[0] HDB-Ext-PKINIT-acl,
+ pkinit-cert[1] HDB-Ext-PKINIT-certificate,
+ allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
+-- referral-info[3] HDB-Ext-Referrals,
+ lm-owf[4] HDB-Ext-Lan-Manager-OWF,
+ password[5] HDB-Ext-Password,
+ aliases[6] HDB-Ext-Aliases,
+ last-pw-change[7] KerberosTime,
+ ...
+ },
+ ...
+}
+
+HDB-extensions ::= SEQUENCE OF HDB-extension
+
+
hdb_entry ::= SEQUENCE {
principal[0] Principal OPTIONAL, -- this is optional only
-- for compatibility with libkrb5
@@ -64,7 +109,8 @@ hdb_entry ::= SEQUENCE {
max-renew[9] INTEGER (0..4294967295) OPTIONAL,
flags[10] HDBFlags,
etypes[11] SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
- generation[12] GENERATION OPTIONAL
+ generation[12] GENERATION OPTIONAL,
+ extensions[13] HDB-extensions OPTIONAL
}
END
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 481d4ea93d..fe86f0ae72 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,20 +31,21 @@
* SUCH DAMAGE.
*/
-/* $Id: hdb.h,v 1.33 2003/09/19 00:19:36 lha Exp $ */
+/* $Id: hdb.h,v 1.35 2005/08/11 13:16:44 lha Exp $ */
#ifndef __HDB_H__
#define __HDB_H__
#include <hdb_err.h>
+#include <heim_asn1.h>
#include <hdb_asn1.h>
enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
/* flags for various functions */
-#define HDB_F_DECRYPT 1 /* decrypt keys */
-#define HDB_F_REPLACE 2 /* replace entry */
+#define HDB_F_DECRYPT 1 /* decrypt keys */
+#define HDB_F_REPLACE 2 /* replace entry */
/* key usage for master key */
#define HDB_KU_MKEY 0x484442
@@ -68,20 +69,20 @@ typedef struct HDB{
krb5_error_code (*hdb_store)(krb5_context,struct HDB*,unsigned,hdb_entry*);
krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, hdb_entry*);
krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry*);
+ unsigned, hdb_entry*);
krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
- unsigned, hdb_entry*);
+ unsigned, hdb_entry*);
krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int operation);
krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
krb5_error_code (*hdb__get)(krb5_context,struct HDB*,krb5_data,krb5_data*);
krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int,
- krb5_data, krb5_data);
+ krb5_data, krb5_data);
krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data);
krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
}HDB;
-#define HDB_INTERFACE_VERSION 1
+#define HDB_INTERFACE_VERSION 2
struct hdb_so_method {
int version;
diff --git a/source4/heimdal/lib/hdb/hdb_err.et b/source4/heimdal/lib/hdb/hdb_err.et
index 9929a56311..f2636b2fea 100644
--- a/source4/heimdal/lib/hdb/hdb_err.et
+++ b/source4/heimdal/lib/hdb/hdb_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: hdb_err.et,v 1.5 2001/01/28 23:05:52 assar Exp $"
+id "$Id: hdb_err.et,v 1.6 2005/08/11 13:17:22 lha Exp $"
error_table hdb
@@ -23,5 +23,6 @@ error_code CANT_LOCK_DB, "Insufficient access to lock database"
error_code EXISTS, "Entry already exists in database"
error_code BADVERSION, "Wrong database version"
error_code NO_MKEY, "No correct master key"
+error_code MANDATORY_OPTION, "Entry contains unknown mandatory extension"
end
diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c
new file mode 100644
index 0000000000..9e04dc6d8d
--- /dev/null
+++ b/source4/heimdal/lib/hdb/mkey.c
@@ -0,0 +1,595 @@
+/*
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hdb_locl.h"
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+RCSID("$Id: mkey.c,v 1.20 2005/08/10 08:41:03 lha Exp $");
+
+struct hdb_master_key_data {
+ krb5_keytab_entry keytab;
+ krb5_crypto crypto;
+ struct hdb_master_key_data *next;
+};
+
+void
+hdb_free_master_key(krb5_context context, hdb_master_key mkey)
+{
+ struct hdb_master_key_data *ptr;
+ while(mkey) {
+ krb5_kt_free_entry(context, &mkey->keytab);
+ if (mkey->crypto)
+ krb5_crypto_destroy(context, mkey->crypto);
+ ptr = mkey;
+ mkey = mkey->next;
+ free(ptr);
+ }
+}
+
+krb5_error_code
+hdb_process_master_key(krb5_context context,
+ int kvno, krb5_keyblock *key, krb5_enctype etype,
+ hdb_master_key *mkey)
+{
+ krb5_error_code ret;
+
+ *mkey = calloc(1, sizeof(**mkey));
+ if(*mkey == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ (*mkey)->keytab.vno = kvno;
+ ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal);
+ if(ret)
+ goto fail;
+ ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock);
+ if(ret)
+ goto fail;
+ if(etype != 0)
+ (*mkey)->keytab.keyblock.keytype = etype;
+ (*mkey)->keytab.timestamp = time(NULL);
+ ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto);
+ if(ret)
+ goto fail;
+ return 0;
+ fail:
+ hdb_free_master_key(context, *mkey);
+ *mkey = NULL;
+ return ret;
+}
+
+krb5_error_code
+hdb_add_master_key(krb5_context context, krb5_keyblock *key,
+ hdb_master_key *inout)
+{
+ int vno = 0;
+ hdb_master_key p;
+ krb5_error_code ret;
+
+ for(p = *inout; p; p = p->next)
+ vno = max(vno, p->keytab.vno);
+ vno++;
+ ret = hdb_process_master_key(context, vno, key, 0, &p);
+ if(ret)
+ return ret;
+ p->next = *inout;
+ *inout = p;
+ return 0;
+}
+
+static krb5_error_code
+read_master_keytab(krb5_context context, const char *filename,
+ hdb_master_key *mkey)
+{
+ krb5_error_code ret;
+ krb5_keytab id;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ hdb_master_key p;
+
+ ret = krb5_kt_resolve(context, filename, &id);
+ if(ret)
+ return ret;
+
+ ret = krb5_kt_start_seq_get(context, id, &cursor);
+ if(ret)
+ goto out;
+ *mkey = NULL;
+ while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
+ p = calloc(1, sizeof(*p));
+ p->keytab = entry;
+ ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
+ p->next = *mkey;
+ *mkey = p;
+ }
+ krb5_kt_end_seq_get(context, id, &cursor);
+ out:
+ krb5_kt_close(context, id);
+ return ret;
+}
+
+/* read a MIT master keyfile */
+static krb5_error_code
+read_master_mit(krb5_context context, const char *filename,
+ hdb_master_key *mkey)
+{
+ int fd;
+ krb5_error_code ret;
+ krb5_storage *sp;
+ int16_t enctype;
+ krb5_keyblock key;
+
+ fd = open(filename, O_RDONLY | O_BINARY);
+ if(fd < 0) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "failed to open %s: %s", filename,
+ strerror(save_errno));
+ return save_errno;
+ }
+ sp = krb5_storage_from_fd(fd);
+ if(sp == NULL) {
+ close(fd);
+ return errno;
+ }
+ krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+#if 0
+ /* could possibly use ret_keyblock here, but do it with more
+ checks for now */
+ ret = krb5_ret_keyblock(sp, &key);
+#else
+ ret = krb5_ret_int16(sp, &enctype);
+ if((htons(enctype) & 0xff00) == 0x3000) {
+ krb5_set_error_string(context, "unknown keytype in %s: %#x, expected %#x",
+ filename, htons(enctype), 0x3000);
+ ret = HEIM_ERR_BAD_MKEY;
+ goto out;
+ }
+ key.keytype = enctype;
+ ret = krb5_ret_data(sp, &key.keyvalue);
+ if(ret)
+ goto out;
+#endif
+ ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+ krb5_free_keyblock_contents(context, &key);
+ out:
+ krb5_storage_free(sp);
+ close(fd);
+ return ret;
+}
+
+/* read an old master key file */
+static krb5_error_code
+read_master_encryptionkey(krb5_context context, const char *filename,
+ hdb_master_key *mkey)
+{
+ int fd;
+ krb5_keyblock key;
+ krb5_error_code ret;
+ unsigned char buf[256];
+ ssize_t len;
+ size_t ret_len;
+
+ fd = open(filename, O_RDONLY | O_BINARY);
+ if(fd < 0) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "failed to open %s: %s",
+ filename, strerror(save_errno));
+ return save_errno;
+ }
+
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ if(len < 0) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "error reading %s: %s",
+ filename, strerror(save_errno));
+ return save_errno;
+ }
+
+ ret = decode_EncryptionKey(buf, len, &key, &ret_len);
+ memset(buf, 0, sizeof(buf));
+ if(ret)
+ return ret;
+
+ /* Originally, the keytype was just that, and later it got changed
+ to des-cbc-md5, but we always used des in cfb64 mode. This
+ should cover all cases, but will break if someone has hacked
+ this code to really use des-cbc-md5 -- but then that's not my
+ problem. */
+ if(key.keytype == KEYTYPE_DES || key.keytype == ETYPE_DES_CBC_MD5)
+ key.keytype = ETYPE_DES_CFB64_NONE;
+
+ ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+ krb5_free_keyblock_contents(context, &key);
+ return ret;
+}
+
+/* read a krb4 /.k style file */
+static krb5_error_code
+read_master_krb4(krb5_context context, const char *filename,
+ hdb_master_key *mkey)
+{
+ int fd;
+ krb5_keyblock key;
+ krb5_error_code ret;
+ unsigned char buf[256];
+ ssize_t len;
+
+ fd = open(filename, O_RDONLY | O_BINARY);
+ if(fd < 0) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "failed to open %s: %s",
+ filename, strerror(save_errno));
+ return save_errno;
+ }
+
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ if(len < 0) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "error reading %s: %s",
+ filename, strerror(save_errno));
+ return save_errno;
+ }
+ if(len != 8) {
+ krb5_set_error_string(context, "bad contents of %s", filename);
+ return HEIM_ERR_EOF; /* XXX file might be too large */
+ }
+
+ memset(&key, 0, sizeof(key));
+ key.keytype = ETYPE_DES_PCBC_NONE;
+ ret = krb5_data_copy(&key.keyvalue, buf, len);
+ memset(buf, 0, sizeof(buf));
+ if(ret)
+ return ret;
+
+ ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+ krb5_free_keyblock_contents(context, &key);
+ return ret;
+}
+
+krb5_error_code
+hdb_read_master_key(krb5_context context, const char *filename,
+ hdb_master_key *mkey)
+{
+ FILE *f;
+ unsigned char buf[16];
+ krb5_error_code ret;
+
+ off_t len;
+
+ *mkey = NULL;
+
+ if(filename == NULL)
+ filename = HDB_DB_DIR "/m-key";
+
+ f = fopen(filename, "r");
+ if(f == NULL) {
+ int save_errno = errno;
+ krb5_set_error_string(context, "failed to open %s: %s",
+ filename, strerror(save_errno));
+ return save_errno;
+ }
+
+ if(fread(buf, 1, 2, f) != 2) {
+ krb5_set_error_string(context, "end of file reading %s", filename);
+ fclose(f);
+ return HEIM_ERR_EOF;
+ }
+
+ fseek(f, 0, SEEK_END);
+ len = ftell(f);
+
+ if(fclose(f) != 0)
+ return errno;
+
+ if(len < 0)
+ return errno;
+
+ if(len == 8) {
+ ret = read_master_krb4(context, filename, mkey);
+ } else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) {
+ ret = read_master_encryptionkey(context, filename, mkey);
+ } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
+ ret = read_master_keytab(context, filename, mkey);
+ } else {
+ ret = read_master_mit(context, filename, mkey);
+ }
+ return ret;
+}
+
+krb5_error_code
+hdb_write_master_key(krb5_context context, const char *filename,
+ hdb_master_key mkey)
+{
+ krb5_error_code ret;
+ hdb_master_key p;
+ krb5_keytab kt;
+
+ if(filename == NULL)
+ filename = HDB_DB_DIR "/m-key";
+
+ ret = krb5_kt_resolve(context, filename, &kt);
+ if(ret)
+ return ret;
+
+ for(p = mkey; p; p = p->next) {
+ ret = krb5_kt_add_entry(context, kt, &p->keytab);
+ }
+
+ krb5_kt_close(context, kt);
+
+ return ret;
+}
+
+hdb_master_key
+_hdb_find_master_key(u_int32_t *mkvno, hdb_master_key mkey)
+{
+ hdb_master_key ret = NULL;
+ while(mkey) {
+ if(ret == NULL && mkey->keytab.vno == 0)
+ ret = mkey;
+ if(mkvno == NULL) {
+ if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
+ ret = mkey;
+ } else if(mkey->keytab.vno == *mkvno)
+ return mkey;
+ mkey = mkey->next;
+ }
+ return ret;
+}
+
+int
+_hdb_mkey_version(hdb_master_key mkey)
+{
+ return mkey->keytab.vno;
+}
+
+int
+_hdb_mkey_decrypt(krb5_context context, hdb_master_key key,
+ krb5_key_usage usage,
+ void *ptr, size_t size, krb5_data *res)
+{
+ return krb5_decrypt(context, key->crypto, usage,
+ ptr, size, res);
+}
+
+int
+_hdb_mkey_encrypt(krb5_context context, hdb_master_key key,
+ krb5_key_usage usage,
+ const void *ptr, size_t size, krb5_data *res)
+{
+ return krb5_encrypt(context, key->crypto, usage,
+ ptr, size, res);
+}
+
+krb5_error_code
+hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
+{
+
+ krb5_error_code ret;
+ krb5_data res;
+ size_t keysize;
+
+ hdb_master_key key;
+
+ if(k->mkvno == NULL)
+ return 0;
+
+ key = _hdb_find_master_key(k->mkvno, mkey);
+
+ if (key == NULL)
+ return HDB_ERR_NO_MKEY;
+
+ ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
+ k->key.keyvalue.data,
+ k->key.keyvalue.length,
+ &res);
+ if(ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ /* try to decrypt with MIT key usage */
+ ret = _hdb_mkey_decrypt(context, key, 0,
+ k->key.keyvalue.data,
+ k->key.keyvalue.length,
+ &res);
+ }
+ if (ret)
+ return ret;
+
+ /* fixup keylength if the key got padded when encrypting it */
+ ret = krb5_enctype_keysize(context, k->key.keytype, &keysize);
+ if (ret) {
+ krb5_data_free(&res);
+ return ret;
+ }
+ if (keysize > res.length) {
+ krb5_data_free(&res);
+ return KRB5_BAD_KEYSIZE;
+ }
+
+ memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+ free(k->key.keyvalue.data);
+ k->key.keyvalue = res;
+ k->key.keyvalue.length = keysize;
+ free(k->mkvno);
+ k->mkvno = NULL;
+
+ return 0;
+}
+
+krb5_error_code
+hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+ int i;
+
+ for(i = 0; i < ent->keys.len; i++){
+ krb5_error_code ret;
+
+ ret = hdb_unseal_key_mkey(context, &ent->keys.val[i], mkey);
+ if (ret)
+ return ret;
+ }
+ return 0;
+}
+
+krb5_error_code
+hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+ if (db->hdb_master_key_set == 0)
+ return 0;
+ return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_unseal_key(krb5_context context, HDB *db, Key *k)
+{
+ if (db->hdb_master_key_set == 0)
+ return 0;
+ return hdb_unseal_key_mkey(context, k, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
+{
+ krb5_error_code ret;
+ krb5_data res;
+ hdb_master_key key;
+
+ key = _hdb_find_master_key(k->mkvno, mkey);
+
+ if (key == NULL)
+ return HDB_ERR_NO_MKEY;
+
+ ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
+ k->key.keyvalue.data,
+ k->key.keyvalue.length,
+ &res);
+ if (ret)
+ return ret;
+
+ memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+ free(k->key.keyvalue.data);
+ k->key.keyvalue = res;
+
+ if (k->mkvno == NULL) {
+ k->mkvno = malloc(sizeof(*k->mkvno));
+ if (k->mkvno == NULL)
+ return ENOMEM;
+ }
+ *k->mkvno = key->keytab.vno;
+
+ return 0;
+}
+
+krb5_error_code
+hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+ int i;
+ for(i = 0; i < ent->keys.len; i++){
+ krb5_error_code ret;
+
+ ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey);
+ if (ret)
+ return ret;
+ }
+ return 0;
+}
+
+krb5_error_code
+hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+ if (db->hdb_master_key_set == 0)
+ return 0;
+
+ return hdb_seal_keys_mkey(context, ent, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_seal_key(krb5_context context, HDB *db, Key *k)
+{
+ if (db->hdb_master_key_set == 0)
+ return 0;
+
+ return hdb_seal_key_mkey(context, k, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_set_master_key (krb5_context context,
+ HDB *db,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ hdb_master_key mkey;
+
+ ret = hdb_process_master_key(context, 0, key, 0, &mkey);
+ if (ret)
+ return ret;
+ db->hdb_master_key = mkey;
+#if 0 /* XXX - why? */
+ des_set_random_generator_seed(key.keyvalue.data);
+#endif
+ db->hdb_master_key_set = 1;
+ return 0;
+}
+
+krb5_error_code
+hdb_set_master_keyfile (krb5_context context,
+ HDB *db,
+ const char *keyfile)
+{
+ hdb_master_key key;
+ krb5_error_code ret;
+
+ ret = hdb_read_master_key(context, keyfile, &key);
+ if (ret) {
+ if (ret != ENOENT)
+ return ret;
+ krb5_clear_error_string(context);
+ return 0;
+ }
+ db->hdb_master_key = key;
+ db->hdb_master_key_set = 1;
+ return ret;
+}
+
+krb5_error_code
+hdb_clear_master_key (krb5_context context,
+ HDB *db)
+{
+ if (db->hdb_master_key_set) {
+ hdb_free_master_key(context, db->hdb_master_key);
+ db->hdb_master_key_set = 0;
+ }
+ return 0;
+}
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index c8fa556696..1c3e8d2a10 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -2124,8 +2124,7 @@ verify_checksum(krb5_context context,
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if(ct->checksumsize != cksum->checksum.length) {
- krb5_set_error_string (context, "checksum length was %d, but should be %d for checksum type %s",
- cksum->checksum.length, ct->checksumsize, ct->name);
+ krb5_clear_error_string (context);
return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
@@ -2146,11 +2145,8 @@ verify_checksum(krb5_context context,
(*ct->checksum)(context, dkey, data, len, usage, &c);
- if(c.checksum.length != cksum->checksum.length) {
- krb5_set_error_string (context, "(INTERNAL ERROR) our checksum length was %d, but should be %d for checksum type %s",
- c.checksum.length, ct->checksumsize, ct->name);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- } else if (memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
+ if(c.checksum.length != cksum->checksum.length ||
+ memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
krb5_clear_error_string (context);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
} else {
diff --git a/source4/heimdal/lib/krb5/fcache.c b/source4/heimdal/lib/krb5/fcache.c
index 03848abb9a..f8ebe837b7 100644
--- a/source4/heimdal/lib/krb5/fcache.c
+++ b/source4/heimdal/lib/krb5/fcache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: fcache.c,v 1.49 2005/06/16 20:25:20 lha Exp $");
+RCSID("$Id: fcache.c,v 1.51 2005/08/12 13:31:19 lha Exp $");
typedef struct krb5_fcache{
char *filename;
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 8b3975f418..8fd5c4611f 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c,v 1.87 2005/06/17 04:15:20 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.88 2005/08/13 08:25:32 lha Exp $");
typedef struct krb5_get_init_creds_ctx {
krb5_kdc_flags flags;
@@ -45,6 +45,7 @@ typedef struct krb5_get_init_creds_ctx {
unsigned nonce;
unsigned pk_nonce;
+ krb5_data req_buffer;
AS_REQ as_req;
int pa_counter;
@@ -1158,6 +1159,7 @@ process_pa_data_to_key(krb5_context context,
ctx->pk_init_ctx,
etype,
ctx->pk_nonce,
+ &ctx->req_buffer,
pa,
key);
#else
@@ -1218,7 +1220,6 @@ init_cred_loop(krb5_context context,
ctx->pa_counter = 0;
while (ctx->pa_counter < MAX_PA_COUNTER) {
- krb5_data req;
ctx->pa_counter++;
@@ -1237,17 +1238,20 @@ init_cred_loop(krb5_context context,
prompter, prompter_data);
if (ret)
goto out;
- ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length,
+
+ krb5_data_free(&ctx->req_buffer);
+
+ ASN1_MALLOC_ENCODE(AS_REQ,
+ ctx->req_buffer.data, ctx->req_buffer.length,
&ctx->as_req, &len, ret);
if (ret)
goto out;
- if(len != req.length)
+ if(len != ctx->req_buffer.length)
krb5_abortx(context, "internal error in ASN.1 encoder");
- ret = krb5_sendto_kdc_flags (context, &req,
+ ret = krb5_sendto_kdc_flags (context, &ctx->req_buffer,
&creds->client->realm, &resp,
send_to_kdc_flags);
- krb5_data_free(&req);
if (ret)
goto out;
@@ -1336,6 +1340,7 @@ init_cred_loop(krb5_context context,
krb5_free_keyblock(context, key);
}
out:
+ krb5_data_free(&ctx->req_buffer);
free_METHOD_DATA(&md);
memset(&md, 0, sizeof(md));
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index b877de8cf2..e70527845b 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -293,6 +293,16 @@ _krb5_pk_mk_padata (
unsigned /*nonce*/,
METHOD_DATA */*md*/);
+krb5_error_code
+_krb5_pk_octetstring2key (
+ krb5_context /*context*/,
+ krb5_enctype /*type*/,
+ const void */*dhdata*/,
+ size_t /*dhsize*/,
+ const heim_octet_string */*c_n*/,
+ const heim_octet_string */*k_n*/,
+ krb5_keyblock */*key*/);
+
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_rd_pa_reply (
krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index f306bf949f..2750c8b5d2 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -3251,6 +3251,14 @@ krb5_verify_init_creds_opt_set_ap_req_nofail (
krb5_verify_init_creds_opt */*options*/,
int /*ap_req_nofail*/);
+int KRB5_LIB_FUNCTION
+krb5_verify_opt_alloc (
+ krb5_context /*context*/,
+ krb5_verify_opt **/*opt*/);
+
+void KRB5_LIB_FUNCTION
+krb5_verify_opt_free (krb5_verify_opt */*opt*/);
+
void KRB5_LIB_FUNCTION
krb5_verify_opt_init (krb5_verify_opt */*opt*/);
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 35a751c291..69f72d7b88 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.58 2005/07/23 10:42:01 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.59 2005/08/12 08:53:00 lha Exp $");
#ifdef PKINIT
@@ -58,7 +58,7 @@ RCSID("$Id: pkinit.c,v 1.58 2005/07/23 10:42:01 lha Exp $");
enum {
COMPAT_WIN2K = 1,
COMPAT_19 = 2,
- COMPAT_25 = 3
+ COMPAT_27 = 3
};
@@ -716,7 +716,7 @@ pk_mk_padata(krb5_context context,
krb5_abortx(context, "internal ASN1 encoder error");
oid = oid_id_pkauthdata();
- } else if (compat == COMPAT_25) {
+ } else if (compat == COMPAT_27) {
AuthPack ap;
memset(&ap, 0, sizeof(ap));
@@ -802,7 +802,7 @@ pk_mk_padata(krb5_context context,
free_PA_PK_AS_REQ_19(&req_19);
- } else if (compat == COMPAT_25) {
+ } else if (compat == COMPAT_27) {
pa_type = KRB5_PADATA_PK_AS_REQ;
@@ -871,7 +871,7 @@ _krb5_pk_mk_padata(krb5_context context,
if (ret)
goto out;
- ret = pk_mk_padata(context, COMPAT_25, ctx, req_body, nonce, md);
+ ret = pk_mk_padata(context, COMPAT_27, ctx, req_body, nonce, md);
if (ret)
goto out;
}
@@ -1280,10 +1280,10 @@ _krb5_pk_verify_sign(krb5_context context,
}
static krb5_error_code
-get_reply_key(krb5_context context,
- const krb5_data *content,
- unsigned nonce,
- krb5_keyblock **key)
+get_reply_key_19(krb5_context context,
+ const krb5_data *content,
+ unsigned nonce,
+ krb5_keyblock **key)
{
ReplyKeyPack_19 key_pack;
krb5_error_code ret;
@@ -1324,6 +1324,69 @@ get_reply_key(krb5_context context,
}
static krb5_error_code
+get_reply_key(krb5_context context,
+ const krb5_data *content,
+ const krb5_data *req_buffer,
+ krb5_keyblock **key)
+{
+ ReplyKeyPack key_pack;
+ krb5_error_code ret;
+ size_t size;
+
+ ret = decode_ReplyKeyPack(content->data,
+ content->length,
+ &key_pack,
+ &size);
+ if (ret) {
+ krb5_set_error_string(context, "PKINIT decoding reply key failed");
+ free_ReplyKeyPack(&key_pack);
+ return ret;
+ }
+
+ {
+ krb5_crypto crypto;
+
+ /*
+ * XXX Verify kp.replyKey is a allowed enctype in the
+ * configuration file
+ */
+
+ ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto);
+ if (ret) {
+ free_ReplyKeyPack(&key_pack);
+ return ret;
+ }
+
+ ret = krb5_verify_checksum(context, crypto, 6,
+ req_buffer->data, req_buffer->length,
+ &key_pack.asChecksum);
+ krb5_crypto_destroy(context, crypto);
+ if (ret) {
+ free_ReplyKeyPack(&key_pack);
+ return ret;
+ }
+ }
+
+ *key = malloc (sizeof (**key));
+ if (*key == NULL) {
+ krb5_set_error_string(context, "PKINIT failed allocating reply key");
+ free_ReplyKeyPack(&key_pack);
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ ret = copy_EncryptionKey(&key_pack.replyKey, *key);
+ free_ReplyKeyPack(&key_pack);
+ if (ret) {
+ krb5_set_error_string(context, "PKINIT failed copying reply key");
+ free(*key);
+ }
+
+ return ret;
+}
+
+
+static krb5_error_code
pk_verify_host(krb5_context context, struct krb5_pk_cert *host)
{
/* XXX */
@@ -1332,11 +1395,12 @@ pk_verify_host(krb5_context context, struct krb5_pk_cert *host)
static krb5_error_code
pk_rd_pa_reply_enckey(krb5_context context,
- int win2k_compat,
+ int type,
ContentInfo *rep,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
unsigned nonce,
+ const krb5_data *req_buffer,
PA_DATA *pa,
krb5_keyblock **key)
{
@@ -1418,7 +1482,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
/* verify content type */
- if (win2k_compat) {
+ if (type == COMPAT_WIN2K) {
if (heim_oid_cmp(&ed.encryptedContentInfo.contentType, oid_id_pkcs7_data())) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
goto out;
@@ -1481,7 +1545,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
length = plain.length;
/* win2k uses ContentInfo */
- if (win2k_compat) {
+ if (type == COMPAT_WIN2K) {
ContentInfo ci;
ret = decode_ContentInfo(p, length, &ci, &size);
@@ -1518,7 +1582,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
goto out;
}
- if (win2k_compat) {
+ if (type == COMPAT_WIN2K) {
if (heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
ret = KRB5KRB_AP_ERR_MSG_TYPE;
@@ -1532,7 +1596,15 @@ pk_rd_pa_reply_enckey(krb5_context context,
}
}
- ret = get_reply_key(context, &content, nonce, key);
+ switch(type) {
+ case COMPAT_WIN2K:
+ case COMPAT_19:
+ ret = get_reply_key_19(context, &content, nonce, key);
+ break;
+ case COMPAT_27:
+ ret = get_reply_key(context, &content, req_buffer, key);
+ break;
+ }
if (ret)
goto out;
@@ -1728,6 +1800,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
void *c,
krb5_enctype etype,
unsigned nonce,
+ const krb5_data *req_buffer,
PA_DATA *pa,
krb5_keyblock **key)
{
@@ -1736,7 +1809,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
ContentInfo ci;
size_t size;
- /* Check for PK-INIT -25 */
+ /* Check for PK-INIT -27 */
if (pa->padata_type == KRB5_PADATA_PK_AS_REP) {
PA_PK_AS_REP rep;
@@ -1781,8 +1854,8 @@ _krb5_pk_rd_pa_reply(krb5_context context,
"ContentInfo: %d", ret);
break;
}
- ret = pk_rd_pa_reply_enckey(context, 0, &ci, ctx,
- etype, nonce, pa, key);
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_27, &ci, ctx,
+ etype, nonce, req_buffer, pa, key);
free_ContentInfo(&ci);
return ret;
default:
@@ -1811,9 +1884,9 @@ _krb5_pk_rd_pa_reply(krb5_context context,
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_19_encKeyPack:
- ret = pk_rd_pa_reply_enckey(context, 0,
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_19,
&rep19.u.encKeyPack, ctx,
- etype, nonce, pa, key);
+ etype, nonce, NULL, pa, key);
break;
default:
krb5_set_error_string(context, "PKINIT: -19 reply invalid "
@@ -1857,8 +1930,8 @@ _krb5_pk_rd_pa_reply(krb5_context context,
ret);
return ret;
}
- ret = pk_rd_pa_reply_enckey(context, 1, &ci, ctx,
- etype, nonce, pa, key);
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx,
+ etype, nonce, NULL, pa, key);
free_ContentInfo(&ci);
break;
default:
diff --git a/source4/heimdal/lib/krb5/test_crypto_wrapping.c b/source4/heimdal/lib/krb5/test_crypto_wrapping.c
deleted file mode 100644
index 37d9bbacb7..0000000000
--- a/source4/heimdal/lib/krb5/test_crypto_wrapping.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "krb5_locl.h"
-#include <err.h>
-#include <getarg.h>
-
-RCSID("$Id: test_crypto_wrapping.c,v 1.2 2005/07/09 01:31:43 lha Exp $");
-
-static void
-test_wrapping(krb5_context context,
- size_t min_size,
- size_t max_size,
- size_t step,
- krb5_enctype etype)
-{
- krb5_error_code ret;
- krb5_keyblock key;
- krb5_crypto crypto;
- krb5_data data;
- char *etype_name;
- void *buf;
- size_t size;
-
- ret = krb5_generate_random_keyblock(context, etype, &key);
- if (ret)
- krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
-
- ret = krb5_enctype_to_string(context, etype, &etype_name);
- if (ret)
- krb5_err(context, 1, ret, "krb5_enctype_to_string");
-
- buf = malloc(max_size);
- if (buf == NULL)
- krb5_errx(context, 1, "out of memory");
- memset(buf, 0, max_size);
-
- ret = krb5_crypto_init(context, &key, 0, &crypto);
- if (ret)
- krb5_err(context, 1, ret, "krb5_crypto_init");
-
- for (size = min_size; size < max_size; size += step) {
- size_t wrapped_size;
-
- ret = krb5_encrypt(context, crypto, 0, buf, size, &data);
- if (ret)
- krb5_err(context, 1, ret, "encrypt size %d using %s",
- size, etype_name);
-
- wrapped_size = krb5_get_wrapped_length(context, crypto, size);
-
- if (wrapped_size != data.length)
- krb5_errx(context, 1, "calculated wrapped length %lu != "
- "real wrapped length %lu for data length %lu using "
- "enctype %s",
- (unsigned long)wrapped_size,
- (unsigned long)data.length,
- (unsigned long)size,
- etype_name);
- krb5_data_free(&data);
- }
-
- free(buf);
- krb5_crypto_destroy(context, crypto);
- krb5_free_keyblock_contents(context, &key);
-}
-
-
-
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- {"version", 0, arg_flag, &version_flag,
- "print version", NULL },
- {"help", 0, arg_flag, &help_flag,
- NULL, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- int i, optidx = 0;
-
- krb5_enctype enctypes[] = {
- ETYPE_DES_CBC_CRC,
- ETYPE_DES_CBC_MD4,
- ETYPE_DES_CBC_MD5,
- ETYPE_DES3_CBC_SHA1,
- ETYPE_ARCFOUR_HMAC_MD5,
- ETYPE_AES128_CTS_HMAC_SHA1_96,
- ETYPE_AES256_CTS_HMAC_SHA1_96
- };
-
- setprogname(argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optidx;
- argv += optidx;
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
- test_wrapping(context, 0, 1024, 1, enctypes[i]);
- test_wrapping(context, 1024, 1024 * 100, 1024, enctypes[i]);
- }
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/source4/heimdal/lib/krb5/test_pkinit_dh2key.c b/source4/heimdal/lib/krb5/test_pkinit_dh2key.c
deleted file mode 100644
index a40c218e12..0000000000
--- a/source4/heimdal/lib/krb5/test_pkinit_dh2key.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (c) 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-
-#include "krb5_locl.h"
-#include <err.h>
-#include <getarg.h>
-
-RCSID("$Id: test_pkinit_dh2key.c,v 1.1 2005/07/20 16:27:58 lha Exp $");
-
-static void
-test_dh2key(krb5_context context,
- const heim_octet_string *K,
- const heim_octet_string *c_n,
- const heim_octet_string *k_n,
- krb5_enctype etype)
-{
- return;
-}
-
-
-
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- {"version", 0, arg_flag, &version_flag,
- "print version", NULL },
- {"help", 0, arg_flag, &help_flag,
- NULL, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_error_code ret;
- int i, optidx = 0;
-
- krb5_enctype enctypes[] = {
- ETYPE_AES128_CTS_HMAC_SHA1_96,
- ETYPE_AES256_CTS_HMAC_SHA1_96
- };
-
- setprogname(argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optidx;
- argv += optidx;
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
- test_dh2key(context, NULL, NULL, NULL, enctypes[i]);
- }
-
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/source4/heimdal_build/config.mk b/source4/heimdal_build/config.mk
index 6e8882ed11..d311f8636f 100644
--- a/source4/heimdal_build/config.mk
+++ b/source4/heimdal_build/config.mk
@@ -21,11 +21,21 @@ NOPROTO = YES
ADD_OBJ_FILES = \
heimdal/lib/hdb/db.o \
heimdal/lib/hdb/hdb.o \
+ heimdal/lib/hdb/ext.o \
heimdal/lib/hdb/keys.o \
+ heimdal/lib/hdb/mkey.o \
heimdal/lib/hdb/ndbm.o \
heimdal/lib/hdb/asn1_Event.o \
heimdal/lib/hdb/asn1_GENERATION.o \
heimdal/lib/hdb/asn1_HDBFlags.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_Aliases.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_Constrained_delegation_acl.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_Lan_Manager_OWF.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_PKINIT_acl.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_PKINIT_certificate.o \
+ heimdal/lib/hdb/asn1_HDB_Ext_Password.o \
+ heimdal/lib/hdb/asn1_HDB_extension.o \
+ heimdal/lib/hdb/asn1_HDB_extensions.o \
heimdal/lib/hdb/asn1_Key.o \
heimdal/lib/hdb/asn1_Salt.o \
heimdal/lib/hdb/asn1_hdb_entry.o \