Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/acache.c18
-rw-r--r--source4/heimdal/lib/krb5/addr_families.c159
-rw-r--r--source4/heimdal/lib/krb5/appdefault.c2
-rw-r--r--source4/heimdal/lib/krb5/auth_context.c2
-rw-r--r--source4/heimdal/lib/krb5/build_auth.c8
-rw-r--r--source4/heimdal/lib/krb5/cache.c26
-rw-r--r--source4/heimdal/lib/krb5/changepw.c18
-rw-r--r--source4/heimdal/lib/krb5/codec.c34
-rw-r--r--source4/heimdal/lib/krb5/config_file.c34
-rw-r--r--source4/heimdal/lib/krb5/context.c186
-rw-r--r--source4/heimdal/lib/krb5/convert_creds.c6
-rw-r--r--source4/heimdal/lib/krb5/creds.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto-des.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto-des3.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto-evp.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto-pk.c23
-rw-r--r--source4/heimdal/lib/krb5/crypto.c47
-rw-r--r--source4/heimdal/lib/krb5/error_string.c2
-rw-r--r--source4/heimdal/lib/krb5/expand_path.c16
-rw-r--r--source4/heimdal/lib/krb5/fcache.c70
-rw-r--r--source4/heimdal/lib/krb5/get_addrs.c42
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c63
-rw-r--r--source4/heimdal/lib/krb5/get_default_principal.c2
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c10
-rw-r--r--source4/heimdal/lib/krb5/get_host_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c31
-rw-r--r--source4/heimdal/lib/krb5/heim_err.et1
-rw-r--r--source4/heimdal/lib/krb5/init_creds.c8
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c55
-rw-r--r--source4/heimdal/lib/krb5/kcm.c36
-rw-r--r--source4/heimdal/lib/krb5/keyblock.c2
-rw-r--r--source4/heimdal/lib/krb5/keytab.c73
-rw-r--r--source4/heimdal/lib/krb5/keytab_file.c17
-rw-r--r--source4/heimdal/lib/krb5/keytab_keyfile.c8
-rw-r--r--source4/heimdal/lib/krb5/krb5.h91
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h13
-rw-r--r--source4/heimdal/lib/krb5/krbhst.c8
-rw-r--r--source4/heimdal/lib/krb5/log.c2
-rw-r--r--source4/heimdal/lib/krb5/mcache.c4
-rw-r--r--source4/heimdal/lib/krb5/misc.c45
-rw-r--r--source4/heimdal/lib/krb5/mit_glue.c6
-rw-r--r--source4/heimdal/lib/krb5/mk_error.c5
-rw-r--r--source4/heimdal/lib/krb5/mk_priv.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_rep.c2
-rw-r--r--source4/heimdal/lib/krb5/n-fold.c2
-rw-r--r--source4/heimdal/lib/krb5/pac.c15
-rw-r--r--source4/heimdal/lib/krb5/padata.c4
-rw-r--r--source4/heimdal/lib/krb5/pkinit.c128
-rw-r--r--source4/heimdal/lib/krb5/plugin.c24
-rw-r--r--source4/heimdal/lib/krb5/principal.c20
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c15
-rw-r--r--source4/heimdal/lib/krb5/rd_rep.c2
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c32
-rw-r--r--source4/heimdal/lib/krb5/replay.c4
-rw-r--r--source4/heimdal/lib/krb5/salt-arcfour.c2
-rw-r--r--source4/heimdal/lib/krb5/salt-des.c6
-rw-r--r--source4/heimdal/lib/krb5/salt.c3
-rw-r--r--source4/heimdal/lib/krb5/send_to_kdc.c14
-rw-r--r--source4/heimdal/lib/krb5/store-int.c2
-rw-r--r--source4/heimdal/lib/krb5/store-int.h1
-rw-r--r--source4/heimdal/lib/krb5/store.c115
-rw-r--r--source4/heimdal/lib/krb5/store_emem.c13
-rw-r--r--source4/heimdal/lib/krb5/store_fd.c3
-rw-r--r--source4/heimdal/lib/krb5/store_mem.c10
-rw-r--r--source4/heimdal/lib/krb5/ticket.c10
-rw-r--r--source4/heimdal/lib/krb5/transited.c63
-rw-r--r--source4/heimdal/lib/krb5/version-script.map6
-rw-r--r--source4/heimdal/lib/krb5/warn.c4
68 files changed, 991 insertions, 698 deletions
diff --git a/source4/heimdal/lib/krb5/acache.c b/source4/heimdal/lib/krb5/acache.c
index 6f20cdcf6c..19eeecda42 100644
--- a/source4/heimdal/lib/krb5/acache.c
+++ b/source4/heimdal/lib/krb5/acache.c
@@ -78,7 +78,7 @@ static const struct {
static krb5_error_code
translate_cc_error(krb5_context context, cc_int32 error)
{
- int i;
+ size_t i;
krb5_clear_error_message(context);
for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
if (cc_errors[i].error == error)
@@ -259,7 +259,7 @@ make_cred_from_ccred(krb5_context context,
if (cred->addresses.val == NULL)
goto nomem;
cred->addresses.len = i;
-
+
for (i = 0; i < cred->addresses.len; i++) {
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
ret = krb5_data_copy(&cred->addresses.val[i].address,
@@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context,
cc_credentials_v5_t *cred)
{
krb5_error_code ret;
- int i;
+ size_t i;
memset(cred, 0, sizeof(*cred));
@@ -546,7 +546,7 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
cc_credentials_v5,
&offset);
- if (error == 0)
+ if (error == 0)
context->kdc_sec_offset = offset;
} else if (error == ccErrCCacheNotFound) {
@@ -887,7 +887,7 @@ acc_get_version(krb5_context context,
{
return 0;
}
-
+
struct cache_iter {
cc_context_t context;
cc_ccache_iterator_t iter;
@@ -961,7 +961,7 @@ acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
acc_close(context, *id);
*id = NULL;
return translate_cc_error(context, error);
- }
+ }
return 0;
}
@@ -1031,7 +1031,7 @@ acc_get_default_name(krb5_context context, char **str)
(*cc->func->release)(cc);
return translate_cc_error(context, error);
}
-
+
error = asprintf(str, "API:%s", name->data);
(*name->func->release)(name);
(*cc->func->release)(cc);
@@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
acc_move,
acc_get_default_name,
acc_set_default,
- acc_lastchange
+ acc_lastchange,
+ NULL,
+ NULL,
};
#endif
diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c
index cccf1cbc9a..5d321a7e91 100644
--- a/source4/heimdal/lib/krb5/addr_families.c
+++ b/source4/heimdal/lib/krb5/addr_families.c
@@ -44,6 +44,7 @@ struct addr_operations {
void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int);
krb5_error_code (*h_addr2addr)(const char *, krb5_address *);
krb5_boolean (*uninteresting)(const struct sockaddr *);
+ krb5_boolean (*is_loopback)(const struct sockaddr *);
void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int);
int (*print_addr)(const krb5_address *, char *, size_t);
int (*parse_addr)(krb5_context, const char*, krb5_address *);
@@ -136,6 +137,17 @@ ipv4_uninteresting (const struct sockaddr *sa)
return FALSE;
}
+static krb5_boolean
+ipv4_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
+
+ if ((ntohl(sin4->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET)
+ return TRUE;
+
+ return FALSE;
+}
+
static void
ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
@@ -310,11 +322,19 @@ ipv6_uninteresting (const struct sockaddr *sa)
const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
- return
- IN6_IS_ADDR_LINKLOCAL(in6)
+ return IN6_IS_ADDR_LINKLOCAL(in6)
|| IN6_IS_ADDR_V4COMPAT(in6);
}
+static krb5_boolean
+ipv6_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+ const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
+
+ return (IN6_IS_ADDR_LOOPBACK(in6));
+}
+
static void
ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
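Review bot: `ipv6_is_loopback` recognises only `::1`, because `IN6_IS_ADDR_LOOPBACK` does not match an IPv4-mapped loopback such as `::ffff:127.0.0.1`, while `ipv4_is_loopback` treats all of 127/8 as loopback. If mapped addresses can reach this function (not visible here), the two families give different answers for the same host-local address. Consider `return IN6_IS_ADDR_LOOPBACK(in6) || (IN6_IS_ADDR_V4MAPPED(in6) && in6->s6_addr[12] == IN_LOOPBACKNET);`, and add a one-line comment saying which address forms count as loopback.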
@@ -334,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
{
/* XXX this is pretty ugly, but better than abort() */
- int i;
+ size_t i;
unsigned char *p = addr->address.data;
buf[0] = '\0';
for(i = 0; i < addr->address.length; i++) {
@@ -401,7 +421,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
sub_len = min(8, len);
m = 0xff << (8 - sub_len);
-
+
laddr.s6_addr[i] = addr.s6_addr[i] & m;
haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m;
@@ -471,7 +491,7 @@ arange_parse_addr (krb5_context context,
krb5_free_addresses(context, &addrmask);
return -1;
}
-
+
address += p - address + 1;
num = strtol(address, &q, 10);
@@ -488,7 +508,7 @@ arange_parse_addr (krb5_context context,
} else {
krb5_addresses low, high;
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &low);
if(ret)
@@ -497,14 +517,14 @@ arange_parse_addr (krb5_context context,
krb5_free_addresses(context, &low);
return -1;
}
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &high);
if(ret) {
krb5_free_addresses(context, &low);
return ret;
}
-
+
if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
krb5_free_addresses(context, &low);
krb5_free_addresses(context, &high);
@@ -590,7 +610,7 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len)
if (l > len)
l = len;
size = l;
-
+
ret = krb5_print_address (&a->low, str + size, len - size, &l);
if (ret)
return ret;
@@ -632,9 +652,11 @@ arange_order_addr(krb5_context context,
a = addr2->address.data;
a2 = addr1;
sign = -1;
- } else
+ } else {
abort();
-
+ UNREACHABLE(return 0);
+ }
+
if(a2->addr_type == KRB5_ADDRESS_ARANGE) {
struct arange *b = a2->address.data;
tmp1 = krb5_address_order(context, &a->low, &b->low);
@@ -707,34 +729,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
}
static struct addr_operations at[] = {
- {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
- ipv4_sockaddr2addr,
- ipv4_sockaddr2port,
- ipv4_addr2sockaddr,
- ipv4_h_addr2sockaddr,
- ipv4_h_addr2addr,
- ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr,
- NULL, NULL, NULL, ipv4_mask_boundary },
+ {
+ AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+ ipv4_sockaddr2addr,
+ ipv4_sockaddr2port,
+ ipv4_addr2sockaddr,
+ ipv4_h_addr2sockaddr,
+ ipv4_h_addr2addr,
+ ipv4_uninteresting,
+ ipv4_is_loopback,
+ ipv4_anyaddr,
+ ipv4_print_addr,
+ ipv4_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv4_mask_boundary
+ },
#ifdef HAVE_IPV6
- {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
- ipv6_sockaddr2addr,
- ipv6_sockaddr2port,
- ipv6_addr2sockaddr,
- ipv6_h_addr2sockaddr,
- ipv6_h_addr2addr,
- ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr,
- NULL, NULL, NULL, ipv6_mask_boundary } ,
+ {
+ AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+ ipv6_sockaddr2addr,
+ ipv6_sockaddr2port,
+ ipv6_addr2sockaddr,
+ ipv6_h_addr2sockaddr,
+ ipv6_h_addr2addr,
+ ipv6_uninteresting,
+ ipv6_is_loopback,
+ ipv6_anyaddr,
+ ipv6_print_addr,
+ ipv6_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv6_mask_boundary
+ } ,
#endif
#ifndef HEIMDAL_SMALLER
/* fake address type */
- {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
- NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- arange_print_addr, arange_parse_addr,
- arange_order_addr, arange_free, arange_copy },
+ {
+ KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ arange_print_addr,
+ arange_parse_addr,
+ arange_order_addr,
+ arange_free,
+ arange_copy,
+ NULL
+ },
#endif
- {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
- NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL }
+ {
+ KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ addrport_print_addr,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ }
};
static int num_addrs = sizeof(at) / sizeof(at[0]);
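Review bot: The `at[]` entries are still positional, so inserting `is_loopback` into the middle of `struct addr_operations` meant re-counting every `NULL` by hand. A miscount would put a handler in the wrong slot and could still compile when the neighbouring pointer types are compatible or the value is `NULL`. Designated initializers, for example `.is_loopback = ipv4_is_loopback,` and `.print_addr = addrport_print_addr,`, would tie each handler to its member and let omitted members default to NULL. As written, the ADDRPORT entry lists one initializer fewer than the IPv4 entry and relies on that default, while the ARANGE entry spells out its trailing `NULL`.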
@@ -757,7 +823,7 @@ find_af(int af)
}
static struct addr_operations *
-find_atype(int atype)
+find_atype(krb5_address_type atype)
{
struct addr_operations *a;
@@ -912,6 +978,15 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
return (*a->uninteresting)(sa);
}
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_sockaddr_is_loopback(const struct sockaddr *sa)
+{
+ struct addr_operations *a = find_af(sa->sa_family);
+ if (a == NULL || a->is_loopback == NULL)
+ return TRUE;
+ return (*a->is_loopback)(sa);
+}
+
/**
* krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
* the "struct hostent" (see gethostbyname(3) ) h_addr_list
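Review bot: `krb5_sockaddr_is_loopback` returns TRUE for an address family it does not know and for a family with no `is_loopback` handler, and this new exported function has no doc comment saying so, unlike the function documented just below it. That default is conservative for a caller that uses the result to skip addresses, but a caller that reads "loopback" as "local" would accept an unknown family; the callers are outside this hunk. Suggest a header comment such as `/* Returns TRUE for loopback addresses and also for unknown address families; not a locality or trust test. */`, or returning FALSE if that matches the callers' intent.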
@@ -1038,17 +1113,17 @@ krb5_print_address (const krb5_address *addr,
if (a == NULL || a->print_addr == NULL) {
char *s;
int l;
- int i;
+ size_t i;
s = str;
l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
s += l;
len -= l;
for(i = 0; i < addr->address.length; i++) {
l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
len -= l;
s += l;
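Review bot: In the hex fallback loop the byte is read through `(char*)`, so where `char` is signed a value of 0x80 or above is sign-extended and `%02x` prints eight digits instead of two. The output length then depends on the data, and the text no longer represents the address bytes. Reading it as `((unsigned char *)addr->address.data)[i]` fixes this. The added `(size_t)l >= len` casts are sound because `l < 0` is tested first; the function continues outside the hunk.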
@@ -1234,7 +1309,7 @@ krb5_address_search(krb5_context context,
const krb5_address *addr,
const krb5_addresses *addrlist)
{
- int i;
+ size_t i;
for (i = 0; i < addrlist->len; ++i)
if (krb5_address_compare (context, addr, &addrlist->val[i]))
@@ -1282,7 +1357,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_addresses(krb5_context context,
krb5_addresses *addresses)
{
- int i;
+ size_t i;
for(i = 0; i < addresses->len; i++)
krb5_free_address(context, &addresses->val[i]);
free(addresses->val);
@@ -1333,7 +1408,7 @@ krb5_copy_addresses(krb5_context context,
const krb5_addresses *inaddr,
krb5_addresses *outaddr)
{
- int i;
+ size_t i;
ALLOC_SEQ(outaddr, inaddr->len);
if(inaddr->len > 0 && outaddr->val == NULL)
return ENOMEM;
@@ -1362,7 +1437,7 @@ krb5_append_addresses(krb5_context context,
{
krb5_address *tmp;
krb5_error_code ret;
- int i;
+ size_t i;
if(source->len > 0) {
tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
if(tmp == NULL) {
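Review bot: The `realloc` size `(dest->len + source->len) * sizeof(*tmp)` is computed with no overflow check, so a wrapped sum or product would yield a buffer smaller than the combined list. Whether the lengths can get that large depends on where the lists come from, which is not visible here. Computing the count once with a guard would make the bound explicit: `size_t n = (size_t)dest->len + source->len;` followed by `if (n < source->len || n > SIZE_MAX / sizeof(*tmp)) return ENOMEM;`, then `realloc(dest->val, n * sizeof(*tmp))`. The rest of krb5_append_addresses is outside the hunk.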
diff --git a/source4/heimdal/lib/krb5/appdefault.c b/source4/heimdal/lib/krb5/appdefault.c
index d4dc758faa..d4e963d74a 100644
--- a/source4/heimdal/lib/krb5/appdefault.c
+++ b/source4/heimdal/lib/krb5/appdefault.c
@@ -47,7 +47,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname,
if(realm != NULL)
def_val = krb5_config_get_bool_default(context, NULL, def_val,
"realms", realm, option, NULL);
-
+
def_val = krb5_config_get_bool_default(context, NULL, def_val,
"appdefaults",
option,
diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c
index ea59c73931..518e19359c 100644
--- a/source4/heimdal/lib/krb5/auth_context.c
+++ b/source4/heimdal/lib/krb5/auth_context.c
@@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context,
return 0;
}
+/* coverity[+alloc : arg-*2] */
static krb5_error_code
copy_key(krb5_context context,
krb5_keyblock *in,
@@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
return copy_key(context, auth_context->local_subkey, keyblock);
}
+/* coverity[+alloc : arg-*2] */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getremotesubkey(krb5_context context,
krb5_auth_context auth_context,
diff --git a/source4/heimdal/lib/krb5/build_auth.c b/source4/heimdal/lib/krb5/build_auth.c
index 85d64525de..01145a28c6 100644
--- a/source4/heimdal/lib/krb5/build_auth.c
+++ b/source4/heimdal/lib/krb5/build_auth.c
@@ -41,10 +41,12 @@ make_etypelist(krb5_context context,
krb5_error_code ret;
krb5_authdata ad;
u_char *buf;
- size_t len;
+ size_t len = 0;
size_t buf_size;
- ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL);
+ ret = _krb5_init_etype(context, KRB5_PDU_NONE,
+ &etypes.len, &etypes.val,
+ NULL);
if (ret)
return ret;
@@ -111,7 +113,7 @@ _krb5_build_authenticator (krb5_context context,
Authenticator auth;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 211642e568..616044e67b 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -38,7 +38,7 @@
/**
* @page krb5_ccache_intro The credential cache functions
* @section section_krb5_ccache Kerberos credential caches
- *
+ *
* krb5_ccache structure holds a Kerberos credential cache.
*
* Heimdal support the follow types of credential caches:
@@ -837,7 +837,7 @@ krb5_cc_set_flags(krb5_context context,
{
return (*id->ops->set_flags)(context, id, flags);
}
-
+
/**
* Get the flags of `id', store them in `flags'.
*
@@ -1144,7 +1144,7 @@ krb5_cc_cache_match (krb5_context context,
ret = krb5_cc_get_principal(context, cache, &principal);
if (ret == 0) {
krb5_boolean match;
-
+
match = krb5_principal_compare(context, principal, client);
krb5_free_principal(context, principal);
if (match)
@@ -1245,7 +1245,7 @@ build_conf_principals(krb5_context context, krb5_ccache id,
krb5_free_principal(context, client);
return ret;
}
-
+
/**
* Return TRUE (non zero) if the principal is a configuration
* principal (generated part of krb5_cc_set_config()). Returns FALSE
@@ -1267,7 +1267,7 @@ krb5_is_config_principal(krb5_context context,
if (principal->name.name_string.len == 0 ||
strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
return FALSE;
-
+
return TRUE;
}
@@ -1306,11 +1306,11 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id,
/* not that anyone care when this expire */
cred.times.authtime = time(NULL);
cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
-
+
ret = krb5_data_copy(&cred.ticket, data->data, data->length);
if (ret)
goto out;
-
+
ret = krb5_cc_store_cred(context, id, &cred);
}
@@ -1396,7 +1396,7 @@ krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
}
/**
- * Get next credential cache from the iteration.
+ * Get next credential cache from the iteration.
*
* @param context A Kerberos 5 context
* @param cursor the iteration cursor
@@ -1418,13 +1418,13 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
krb5_ccache *cache)
{
krb5_error_code ret;
-
+
*cache = NULL;
while (cursor->idx < context->num_cc_ops) {
if (cursor->cursor == NULL) {
- ret = krb5_cc_cache_get_first (context,
+ ret = krb5_cc_cache_get_first (context,
context->cc_ops[cursor->idx]->prefix,
&cursor->cursor);
if (ret) {
@@ -1493,7 +1493,7 @@ krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_last_change_time(krb5_context context,
- krb5_ccache id,
+ krb5_ccache id,
krb5_timestamp *mtime)
{
*mtime = 0;
@@ -1630,7 +1630,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
*t = 0;
now = time(NULL);
-
+
ret = krb5_cc_start_seq_get(context, id, &cursor);
if (ret)
return ret;
@@ -1644,7 +1644,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
}
krb5_free_cred_contents(context, &cred);
}
-
+
krb5_cc_end_seq_get(context, id, &cursor);
return ret;
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 22a7c87ef3..1e7cd0d464 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#undef __attribute__
@@ -173,7 +171,7 @@ setpw_send_request (krb5_context context,
krb5_data krb_priv_data;
krb5_data pwd_data;
ChangePasswdDataMS chpw;
- size_t len;
+ size_t len = 0;
u_char header[4 + 6];
u_char *p;
struct iovec iov[3];
@@ -199,7 +197,7 @@ setpw_send_request (krb5_context context,
chpw.targname = NULL;
chpw.targrealm = NULL;
}
-
+
ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
&chpw, &len, ret);
if (ret) {
@@ -276,7 +274,7 @@ process_reply (krb5_context context,
{
krb5_error_code ret;
u_char reply[1024 * 3];
- ssize_t len;
+ size_t len;
uint16_t pkt_len, pkt_ver;
krb5_data ap_rep_data;
int save_errno;
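Review bot: Making `len` unsigned means it can no longer hold a negative receive result, so if the read call outside this hunk stores its return value in `len`, a failure becomes a huge length instead of an error; that call should keep its result in a separate `ssize_t`. Related, in the next hunk `size` is taken from the reply and the only visible test is `size + 4 < len` before `memmove(reply, reply + 4, size)`. Nothing visible bounds `size` by the `reply[1024 * 3]` buffer. A check such as `if (size > sizeof(reply) - 4)` that rejects the reply as malformed before the `memmove` would make that bound explicit. process_reply continues outside both hunks.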
@@ -304,7 +302,7 @@ process_reply (krb5_context context,
_krb5_get_int(reply, &size, 4);
if (size + 4 < len)
continue;
- memmove(reply, reply + 4, size);
+ memmove(reply, reply + 4, size);
len = size;
break;
}
@@ -328,7 +326,7 @@ process_reply (krb5_context context,
if (len < 6) {
str2data (result_string, "server %s sent to too short message "
- "(%ld bytes)", host, (long)len);
+ "(%zu bytes)", host, len);
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
}
@@ -496,7 +494,7 @@ static struct kpwd_proc {
chgpw_send_request,
process_reply
},
- { NULL }
+ { NULL, 0, NULL, NULL }
};
/*
@@ -588,7 +586,7 @@ change_password_loop (krb5_context context,
if (!replied) {
replied = 0;
-
+
ret = (*proc->send_req) (context,
&auth_context,
creds,
@@ -686,7 +684,6 @@ find_chpw_proto(const char *name)
* @ingroup @krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password (krb5_context context,
krb5_creds *creds,
@@ -694,6 +691,7 @@ krb5_change_password (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct kpwd_proc *p = find_chpw_proto("change password");
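Review bot: The deprecation text `"Use X instead"` is a placeholder and tells a caller nothing about what to migrate to; the same string is used on every wrapper in codec.c and on krb5_config_parse_string_multi in config_file.c. Each message should name the actual replacement, or say that none exists. The macro's definition is outside this view, so whether the string reaches compiler diagnostics is unconfirmed. The doc comment above this function also carries `@ingroup @krb5_deprecated` with a stray `@`, where config_file.c uses `@ingroup krb5_deprecated`.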
diff --git a/source4/heimdal/lib/krb5/codec.c b/source4/heimdal/lib/krb5/codec.c
index d73a719100..5e754c60cb 100644
--- a/source4/heimdal/lib/krb5/codec.c
+++ b/source4/heimdal/lib/krb5/codec.c
@@ -31,184 +31,182 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTicketPart (krb5_context context,
const void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTicketPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTicketPart (krb5_context context,
void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTicketPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncASRepPart (krb5_context context,
const void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncASRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncASRepPart (krb5_context context,
void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncASRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTGSRepPart (krb5_context context,
const void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTGSRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTGSRepPart (krb5_context context,
void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTGSRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncAPRepPart (krb5_context context,
const void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncAPRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncAPRepPart (krb5_context context,
void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncAPRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_Authenticator (krb5_context context,
const void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_Authenticator(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_Authenticator (krb5_context context,
void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_Authenticator(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncKrbCredPart (krb5_context context,
const void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncKrbCredPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncKrbCredPart (krb5_context context,
void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncKrbCredPart (data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO (krb5_context context,
void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO (data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO2 (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO2(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO2 (krb5_context context,
void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO2 (data, length, t, len);
}
diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c
index 89f778823d..4ac25ae287 100644
--- a/source4/heimdal/lib/krb5/config_file.c
+++ b/source4/heimdal/lib/krb5/config_file.c
@@ -33,8 +33,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifdef __APPLE__
@@ -63,7 +61,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr)
p = ptr->s + strcspn(ptr->s, "\n");
if(*p == '\n')
p++;
- l = min(len, p - ptr->s);
+ l = min(len, (size_t)(p - ptr->s));
if(len > 0) {
memcpy(str, ptr->s, l);
str[l] = '\0';
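Review bot: When the pending line is at least `len` bytes long, `l` equals `len` and `str[l] = '\0'` writes one byte past a buffer of `len` bytes, assuming `len` is the capacity of `str`. The cast added in this hunk does not change that. Clamping to leave room for the terminator, for example `l = min(len > 0 ? len - 1 : 0, (size_t)(p - ptr->s));`, keeps the write in bounds. config_fgets starts and ends outside the hunk, so the declaration of `l` and the handling of the unread remainder are not visible.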
@@ -91,7 +89,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
for(q = parent; *q != NULL; q = &(*q)->next)
if(type == krb5_config_list &&
- type == (*q)->type &&
+ (unsigned)type == (*q)->type &&
strcmp(name, (*q)->name) == 0)
return *q;
*q = calloc(1, sizeof(**q));
@@ -250,7 +248,7 @@ cfstring2cstring(CFStringRef string)
{
CFIndex len;
char *str;
-
+
str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
if (str)
return strdup(str);
@@ -260,7 +258,7 @@ cfstring2cstring(CFStringRef string)
str = malloc(len);
if (str == NULL)
return NULL;
-
+
if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
free (str);
return NULL;
@@ -299,7 +297,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section *
CFReadStreamRef s;
CFDictionaryRef d;
CFURLRef url;
-
+
url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
if (url == NULL) {
krb5_clear_error_message(context);
@@ -321,7 +319,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section *
#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#else
+#else
d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
#endif
CFRelease(s);
@@ -441,7 +439,7 @@ krb5_config_parse_file_multi (krb5_context context,
home = getenv("HOME");
if (home == NULL) {
- struct passwd *pw = getpwuid(getuid());
+ struct passwd *pw = getpwuid(getuid());
if(pw != NULL)
home = pw->pw_dir;
}
@@ -455,7 +453,7 @@ krb5_config_parse_file_multi (krb5_context context,
fname = newfname;
}
#else /* KRB5_USE_PATH_TOKENS */
- if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
+ if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
newfname == NULL)
{
krb5_set_error_message(context, ENOMEM,
@@ -477,7 +475,7 @@ krb5_config_parse_file_multi (krb5_context context,
return ret;
}
#else
- krb5_set_error_message(context, ENOENT,
+ krb5_set_error_message(context, ENOENT,
"no support for plist configuration files");
return ENOENT;
#endif
@@ -491,7 +489,7 @@ krb5_config_parse_file_multi (krb5_context context,
free(newfname);
return ret;
}
-
+
if (newfname)
free(newfname);
fname = newfname = exp_fname;
@@ -507,7 +505,7 @@ krb5_config_parse_file_multi (krb5_context context,
free(newfname);
return ret;
}
-
+
ret = krb5_config_parse_debug (&f, res, &lineno, &str);
fclose(f.f);
if (ret) {
@@ -635,7 +633,7 @@ vget_next(krb5_context context,
const char *p = va_arg(args, const char *);
while(b != NULL) {
if(strcmp(b->name, name) == 0) {
- if(b->type == type && p == NULL) {
+ if(b->type == (unsigned)type && p == NULL) {
*pointer = b;
return b->u.generic;
} else if(b->type == krb5_config_list && p != NULL) {
@@ -675,7 +673,7 @@ _krb5_config_vget_next (krb5_context context,
/* we were called again, so just look for more entries with the
same name and type */
for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
+ if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
*pointer = b;
return b->u.generic;
}
@@ -770,7 +768,7 @@ krb5_config_vget_list (krb5_context context,
*
* @ingroup krb5_support
*/
-
+
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string (krb5_context context,
const krb5_config_section *c,
@@ -865,7 +863,7 @@ krb5_config_get_string_default (krb5_context context,
}
static char *
-next_component_string(char * begin, char * delims, char **state)
+next_component_string(char * begin, const char * delims, char **state)
{
char * end;
@@ -1302,11 +1300,11 @@ krb5_config_get_int (krb5_context context,
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_string_multi(krb5_context context,
const char *string,
krb5_config_section **res)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
const char *str;
unsigned lineno = 0;
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index b6c6870938..99bf1b419b 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -34,6 +34,7 @@
*/
#include "krb5_locl.h"
+#include <assert.h>
#include <com_err.h>
#define INIT_FIELD(C, T, E, D, F) \
@@ -128,6 +129,24 @@ init_context_from_config_file(krb5_context context)
free(context->etypes_des);
context->etypes_des = tmptypes;
+ ret = set_etypes (context, "default_as_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->as_etypes);
+ context->as_etypes = tmptypes;
+
+ ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->tgs_etypes);
+ context->tgs_etypes = tmptypes;
+
+ ret = set_etypes (context, "permitted_enctypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->permitted_enctypes);
+ context->permitted_enctypes = tmptypes;
+
/* default keytab name */
tmp = NULL;
if(!issuid())
@@ -317,7 +336,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context)
return 0;
}
-static const char *sysplugin_dirs[] = {
+static const char *sysplugin_dirs[] = {
LIBDIR "/plugin/krb5",
#ifdef __APPLE__
"/Library/KerberosPlugins/KerberosFrameworkPlugins",
@@ -332,7 +351,7 @@ init_context_once(void *ctx)
krb5_context context = ctx;
_krb5_load_plugins(context, "krb5", sysplugin_dirs);
-
+
bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
}
@@ -392,7 +411,7 @@ krb5_init_context(krb5_context *context)
ret = hx509_context_init(&p->hx509ctx);
if (ret)
goto out;
-#endif
+#endif
if (rk_SOCK_INIT())
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
@@ -413,7 +432,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_permitted_enctypes(krb5_context context,
krb5_enctype **etypes)
{
- return krb5_get_default_in_tkt_etypes(context, etypes);
+ return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
}
/*
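Review bot: `krb5_get_permitted_enctypes` still answers from the default in-ticket list (now with `KRB5_PDU_NONE`), while this commit starts loading a separate `permitted_enctypes` list into `context->permitted_enctypes` in init_context_from_config_file. Whether `krb5_get_default_in_tkt_etypes` consults that list is outside the visible hunks. If it does not, an administrator's `permitted_enctypes` restriction would be parsed but not reflected by this function. A comment here stating which configured list the result is drawn from would settle the question for reviewers and callers.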
@@ -433,7 +452,7 @@ copy_etypes (krb5_context context,
*ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
if (*ret_enctypes == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -481,7 +500,7 @@ krb5_copy_context(krb5_context context, krb5_context *out)
p->default_cc_name = strdup(context->default_cc_name);
if (context->default_cc_name_env)
p->default_cc_name_env = strdup(context->default_cc_name_env);
-
+
if (context->etypes) {
ret = copy_etypes(context, context->etypes, &p->etypes);
if (ret)
@@ -494,7 +513,7 @@ krb5_copy_context(krb5_context context, krb5_context *out)
}
if (context->default_realms) {
- ret = krb5_copy_host_realm(context,
+ ret = krb5_copy_host_realm(context,
context->default_realms, &p->default_realms);
if (ret)
goto out;
@@ -736,7 +755,7 @@ krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
krb5_free_config_files(defpp);
if (ret) {
return ret;
- }
+ }
*pfilenames = pp;
return 0;
}
@@ -874,36 +893,51 @@ krb5_kerberos_enctypes(krb5_context context)
}
/*
- * set `etype' to a malloced list of the default enctypes
+ *
*/
static krb5_error_code
-default_etypes(krb5_context context, krb5_enctype **etype)
+copy_enctypes(krb5_context context,
+ const krb5_enctype *in,
+ krb5_enctype **out)
{
- const krb5_enctype *p;
- krb5_enctype *e = NULL, *ep;
- int i, n = 0;
-
- p = krb5_kerberos_enctypes(context);
+ krb5_enctype *p = NULL;
+ size_t m, n;
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
+ for (n = 0; in[n]; n++)
+ ;
+ n++;
+ ALLOC(p, n);
+ if(p == NULL)
+ return krb5_enomem(context);
+ for (n = 0, m = 0; in[n]; n++) {
+ if (krb5_enctype_valid(context, in[n]) != 0)
continue;
- ep = realloc(e, (n + 2) * sizeof(*e));
- if (ep == NULL) {
- free(e);
- krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- e = ep;
- e[n] = p[i];
- e[n + 1] = ETYPE_NULL;
- n++;
+ p[m++] = in[n];
+ }
+ p[m] = KRB5_ENCTYPE_NULL;
+ if (m == 0) {
+ free(p);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("no valid enctype set", ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
}
- *etype = e;
+ *out = p;
return 0;
}
+
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
+ return copy_enctypes(context, p, etype);
+}
+
/**
* Set the default encryption types that will be use in communcation
* with the KDC, clients and servers.
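Review bot: `copy_enctypes` is left with an empty header comment although it now carries the validation policy for every enctype list in this file. A comment such as `/* Copy the zero-terminated list in to a malloced *out, dropping enctypes that krb5_enctype_valid() rejects; KRB5_PROG_ETYPE_NOSUPP if none remain; caller frees *out. */` would state the contract. It is also worth recording that `default_etypes` changes behaviour through it: the removed loop returned 0 with `*etype` set to NULL when no built-in enctype was valid, while the new code returns `KRB5_PROG_ETYPE_NOSUPP`.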
@@ -923,31 +957,11 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
{
krb5_error_code ret;
krb5_enctype *p = NULL;
- unsigned int n, m;
if(etypes) {
- for (n = 0; etypes[n]; n++)
- ;
- n++;
- ALLOC(p, n);
- if(!p) {
- krb5_set_error_message (context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- for (n = 0, m = 0; etypes[n]; n++) {
- ret = krb5_enctype_valid(context, etypes[n]);
- if (ret)
- continue;
- p[m++] = etypes[n];
- }
- p[m] = ETYPE_NULL;
- if (m == 0) {
- free(p);
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("no valid enctype set", ""));
- return KRB5_PROG_ETYPE_NOSUPP;
- }
+ ret = copy_enctypes(context, etypes, &p);
+ if (ret)
+ return ret;
}
if(context->etypes)
free(context->etypes);
@@ -971,21 +985,28 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_in_tkt_etypes(krb5_context context,
+ krb5_pdu pdu_type,
krb5_enctype **etypes)
{
- krb5_enctype *p;
- int i;
+ krb5_enctype *enctypes = NULL;
krb5_error_code ret;
+ krb5_enctype *p;
- if(context->etypes) {
- for(i = 0; context->etypes[i]; i++);
- ++i;
- ALLOC(p, i);
- if(!p) {
- krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- memmove(p, context->etypes, i * sizeof(krb5_enctype));
+ heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
+ pdu_type == KRB5_PDU_TGS_REQUEST ||
+ pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
+
+ if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
+ enctypes = context->as_etypes;
+ else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
+ enctypes = context->tgs_etypes;
+ else if (context->etypes != NULL)
+ enctypes = context->etypes;
+
+ if (enctypes != NULL) {
+ ret = copy_enctypes(context, enctypes, &p);
+ if (ret)
+ return ret;
} else {
ret = default_etypes(context, &p);
if (ret)
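Review bot: The `heim_assert` on `pdu_type` makes an exported function abort the calling process on an unexpected argument instead of reporting an error, and its message has a typo (`contant`). Since the function already returns `krb5_error_code`, I would prefer an argument-error return for values outside `KRB5_PDU_AS_REQUEST`, `KRB5_PDU_TGS_REQUEST` and `KRB5_PDU_NONE`, or at least fix the text to `"pdu constant not as expected"`. The added `pdu_type` parameter also changes the signature of a `KRB5_LIB_FUNCTION` symbol, so existing callers of the two-argument form need updating. The function body continues outside this hunk.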
@@ -1390,10 +1411,11 @@ krb5_set_max_time_skew (krb5_context context, time_t t)
context->max_skew = t;
}
-/**
+/*
* Init encryption types in len, val with etypes.
*
* @param context Kerberos 5 context.
+ * @param pdu_type type of pdu
* @param len output length of val.
* @param val output array of enctypes.
* @param etypes etypes to set val and len to, if NULL, use default enctypes.
@@ -1405,39 +1427,27 @@ krb5_set_max_time_skew (krb5_context context, time_t t)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_etype (krb5_context context,
+_krb5_init_etype(krb5_context context,
+ krb5_pdu pdu_type,
unsigned *len,
krb5_enctype **val,
const krb5_enctype *etypes)
{
- unsigned int i;
krb5_error_code ret;
- krb5_enctype *tmp = NULL;
- ret = 0;
- if (etypes == NULL) {
- ret = krb5_get_default_in_tkt_etypes(context, &tmp);
- if (ret)
- return ret;
- etypes = tmp;
- }
+ if (etypes == NULL)
+ ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
+ else
+ ret = copy_enctypes(context, etypes, val);
+ if (ret)
+ return ret;
- for (i = 0; etypes[i]; ++i)
- ;
- *len = i;
- *val = malloc(i * sizeof(**val));
- if (i != 0 && *val == NULL) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- goto cleanup;
+ if (len) {
+ *len = 0;
+ while ((*val)[*len] != KRB5_ENCTYPE_NULL)
+ (*len)++;
}
- memmove (*val,
- etypes,
- i * sizeof(*tmp));
-cleanup:
- if (tmp != NULL)
- free (tmp);
- return ret;
+ return 0;
}
/*
diff --git a/source4/heimdal/lib/krb5/convert_creds.c b/source4/heimdal/lib/krb5/convert_creds.c
index e700425ffe..fc371c6377 100644
--- a/source4/heimdal/lib/krb5/convert_creds.c
+++ b/source4/heimdal/lib/krb5/convert_creds.c
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#include "krb5-v4compat.h"
@@ -54,11 +52,11 @@
* @ingroup krb5_v4compat
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc(krb5_context context,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
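Review bot: The deprecation text `"Use X instead"` is a placeholder and tells a caller nothing; the same string is used in the next hunk of this file, in the `krb5_keytype_to_enctypes` and `krb5_enctypes_compatible_keys` hunks of crypto.c, and on `krb5_get_err_text` in error_string.c. Each message should name the replacement or say that none exists, e.g. `KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")` for `krb5_get_err_text`. For the krb524 functions, which in the lines shown clear the output and set an `EINVAL` error, a text saying that Kerberos 4 conversion is no longer supported would fit better. The attribute now sits between the declarator and the body of a definition, a position GCC does not accept for `__attribute__`, so this presumably relies on the macro expanding to nothing when the library itself is built; a comment to that effect would help.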
@@ -81,12 +79,12 @@ krb524_convert_creds_kdc(krb5_context context,
* @ingroup krb5_v4compat
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc_ccache(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
diff --git a/source4/heimdal/lib/krb5/creds.c b/source4/heimdal/lib/krb5/creds.c
index 69aacdc032..7ef8eb9609 100644
--- a/source4/heimdal/lib/krb5/creds.c
+++ b/source4/heimdal/lib/krb5/creds.c
@@ -228,7 +228,7 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields,
match = krb5_principal_compare (context, mcreds->client,
creds->client);
}
-
+
if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
match = mcreds->session.keytype == creds->session.keytype;
diff --git a/source4/heimdal/lib/krb5/crypto-des.c b/source4/heimdal/lib/krb5/crypto-des.c
index 1c062b5e61..63ce901d92 100644
--- a/source4/heimdal/lib/krb5/crypto-des.c
+++ b/source4/heimdal/lib/krb5/crypto-des.c
@@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = {
krb5_DES_random_key,
krb5_DES_schedule_old,
_krb5_des_salt,
- krb5_DES_random_to_key
+ krb5_DES_random_to_key,
+ NULL,
+ NULL
};
static struct _krb5_key_type keytype_des = {
diff --git a/source4/heimdal/lib/krb5/crypto-des3.c b/source4/heimdal/lib/krb5/crypto-des3.c
index b61948895a..d50c5cebe2 100644
--- a/source4/heimdal/lib/krb5/crypto-des3.c
+++ b/source4/heimdal/lib/krb5/crypto-des3.c
@@ -202,7 +202,7 @@ _krb5_DES3_random_to_key(krb5_context context,
DES_cblock *k;
int i, j;
- memset(x, 0, sizeof(x));
+ memset(key->keyvalue.data, 0, key->keyvalue.length);
for (i = 0; i < 3; ++i) {
unsigned char foo;
for (j = 0; j < 7; ++j) {
diff --git a/source4/heimdal/lib/krb5/crypto-evp.c b/source4/heimdal/lib/krb5/crypto-evp.c
index 3f9cd57bbc..e8fb1caf6a 100644
--- a/source4/heimdal/lib/krb5/crypto-evp.c
+++ b/source4/heimdal/lib/krb5/crypto-evp.c
@@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
{
size_t i, blocksize;
struct _krb5_evp_schedule *ctx = key->schedule->data;
- char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
EVP_CIPHER_CTX *c;
unsigned char *p;
@@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
if (ivec)
memcpy(ivec, p, blocksize);
} else {
- char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
p = data;
if (len > blocksize * 2) {
diff --git a/source4/heimdal/lib/krb5/crypto-pk.c b/source4/heimdal/lib/krb5/crypto-pk.c
index eb783c8998..7fedb65c9e 100644
--- a/source4/heimdal/lib/krb5/crypto-pk.c
+++ b/source4/heimdal/lib/krb5/crypto-pk.c
@@ -110,7 +110,7 @@ encode_uvinfo(krb5_context context, krb5_const_principal p, krb5_data *data)
{
KRB5PrincipalName pn;
krb5_error_code ret;
- size_t size;
+ size_t size = 0;
pn.principalName = p->name;
pn.realm = p->realm;
@@ -143,7 +143,7 @@ encode_otherinfo(krb5_context context,
PkinitSuppPubInfo pubinfo;
krb5_error_code ret;
krb5_data pub;
- size_t size;
+ size_t size = 0;
krb5_data_zero(other);
memset(&otherinfo, 0, sizeof(otherinfo));
@@ -192,6 +192,8 @@ encode_otherinfo(krb5_context context,
return 0;
}
+
+
krb5_error_code
_krb5_pk_kdf(krb5_context context,
const struct AlgorithmIdentifier *ai,
@@ -211,10 +213,17 @@ _krb5_pk_kdf(krb5_context context,
size_t keylen, offset;
uint32_t counter;
unsigned char *keydata;
- unsigned char shaoutput[SHA_DIGEST_LENGTH];
+ unsigned char shaoutput[SHA512_DIGEST_LENGTH];
+ const EVP_MD *md;
EVP_MD_CTX *m;
- if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) {
+ if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) {
+ md = EVP_sha1();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) {
+ md = EVP_sha256();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) {
+ md = EVP_sha512();
+ } else {
krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
N_("KDF not supported", ""));
return KRB5_PROG_ETYPE_NOSUPP;
@@ -264,7 +273,7 @@ _krb5_pk_kdf(krb5_context context,
do {
unsigned char cdata[4];
- EVP_DigestInit_ex(m, EVP_sha1(), NULL);
+ EVP_DigestInit_ex(m, md, NULL);
_krb5_put_int(cdata, counter, 4);
EVP_DigestUpdate(m, cdata, 4);
EVP_DigestUpdate(m, dhdata, dhsize);
@@ -274,9 +283,9 @@ _krb5_pk_kdf(krb5_context context,
memcpy((unsigned char *)keydata + offset,
shaoutput,
- min(keylen - offset, sizeof(shaoutput)));
+ min(keylen - offset, EVP_MD_CTX_size(m)));
- offset += sizeof(shaoutput);
+ offset += EVP_MD_CTX_size(m);
counter++;
} while(offset < keylen);
memset(shaoutput, 0, sizeof(shaoutput));
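Review bot: The copy length and the `offset` step are now taken from `EVP_MD_CTX_size(m)` inside the loop, queried twice per iteration and compared with a `size_t` in `min()`. With an EVP implementation where that call returns `int`, the comparison mixes signedness and an error value would be used as a length. I would read the digest length once after `md` is chosen, `const size_t mdlen = EVP_MD_size(md);`, check `mdlen <= sizeof(shaoutput)`, and use `mdlen` in both places. The return values of the `EVP_Digest*` calls are not checked in the lines shown, so a failed digest would feed whatever is in `shaoutput` into the key. The loop body lies partly outside this hunk.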
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 5d274e9af7..63aedc4568 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
struct _krb5_key_usage {
@@ -180,7 +178,7 @@ _krb5_internal_hmac(krb5_context context,
unsigned char *ipad, *opad;
unsigned char *key;
size_t key_len;
- int i;
+ size_t i;
ipad = malloc(cm->blocksize + len);
if (ipad == NULL)
@@ -311,7 +309,7 @@ get_checksum_key(krb5_context context,
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
else if(ct->flags & F_VARIANT) {
- int i;
+ size_t i;
*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
if(*key == NULL) {
@@ -479,7 +477,7 @@ verify_checksum(krb5_context context,
if(ct->verify) {
ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Decrypt integrity check failed for checksum "
"type %s, key type %s", ""),
ct->name, (crypto != NULL)? crypto->et->name : "(none)");
@@ -1160,9 +1158,9 @@ decrypt_internal_special(krb5_context context,
}
static krb5_crypto_iov *
-find_iv(krb5_crypto_iov *data, int num_data, int type)
+find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
{
- int i;
+ size_t i;
for (i = 0; i < num_data; i++)
if (data[i].flags == type)
return &data[i];
@@ -1403,11 +1401,6 @@ krb5_decrypt_iov_ivec(krb5_context context,
struct _krb5_encryption_type *et = crypto->et;
krb5_crypto_iov *tiv, *hiv;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
@@ -1545,15 +1538,10 @@ krb5_create_checksum_iov(krb5_context context,
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
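Review bot: Dropping the `num_data < 0` guard here, and in the `krb5_decrypt_iov_ivec` and `krb5_verify_checksum_iov` hunks, is only safe if the `num_data` parameter itself became unsigned in this commit; the signatures are outside the hunks, so that cannot be confirmed from here. If any of them still takes `int`, a negative count is converted to a very large `size_t` in comparisons of the form `i < num_data`, and the loops would walk past the end of `data`. It is worth confirming that the prototypes declare `unsigned int num_data` for all three, as `krb5_crypto_length_iov` does.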
@@ -1629,15 +1617,10 @@ krb5_verify_checksum_iov(krb5_context context,
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
@@ -1689,7 +1672,7 @@ krb5_crypto_length(krb5_context context,
krb5_set_error_message(context, EINVAL, "not a derived crypto");
return EINVAL;
}
-
+
switch(type) {
case KRB5_CRYPTO_TYPE_EMPTY:
*len = 0;
@@ -1730,7 +1713,7 @@ krb5_crypto_length_iov(krb5_context context,
unsigned int num_data)
{
krb5_error_code ret;
- int i;
+ size_t i;
for (i = 0; i < num_data; i++) {
ret = krb5_crypto_length(context, crypto,
@@ -2120,7 +2103,7 @@ krb5_crypto_destroy(krb5_context context,
/**
* Return the blocksize used algorithm referenced by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param blocksize the resulting blocksize
@@ -2141,7 +2124,7 @@ krb5_crypto_getblocksize(krb5_context context,
/**
* Return the encryption type used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param enctype the resulting encryption type
@@ -2162,7 +2145,7 @@ krb5_crypto_getenctype(krb5_context context,
/**
* Return the padding size used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param padsize the return padding size
@@ -2183,7 +2166,7 @@ krb5_crypto_getpadsize(krb5_context context,
/**
* Return the confounder size used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param confoundersize the returned confounder size
@@ -2593,12 +2576,12 @@ krb5_crypto_fx_cf2(krb5_context context,
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_enctypes (krb5_context context,
krb5_keytype keytype,
unsigned *len,
krb5_enctype **val)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
int i;
unsigned n = 0;
@@ -2640,11 +2623,11 @@ krb5_keytype_to_enctypes (krb5_context context,
*/
/* if two enctypes have compatible keys */
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_enctypes_compatible_keys(krb5_context context,
krb5_enctype etype1,
krb5_enctype etype2)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index dc2d4586a0..7a7b989b69 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -288,9 +288,9 @@ krb5_free_error_message(krb5_context context, const char *msg)
* @ingroup krb5
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_get_err_text(krb5_context context, krb5_error_code code)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
const char *p = NULL;
if(context != NULL)
diff --git a/source4/heimdal/lib/krb5/expand_path.c b/source4/heimdal/lib/krb5/expand_path.c
index 70096e1c7a..4c4898a79e 100644
--- a/source4/heimdal/lib/krb5/expand_path.c
+++ b/source4/heimdal/lib/krb5/expand_path.c
@@ -2,19 +2,19 @@
/***********************************************************************
* Copyright (c) 2009, Secure Endpoints Inc.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- *
+ *
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
- *
+ *
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
@@ -27,7 +27,7 @@
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
- *
+ *
**********************************************************************/
#include "krb5_locl.h"
@@ -168,7 +168,7 @@ _expand_userid(krb5_context context, PTYPE param, const char *postfix, char **re
if (le != 0) {
if (context)
- krb5_set_error_message(context, rv,
+ krb5_set_error_message(context, rv,
"Can't open thread token (GLE=%d)", le);
goto _exit;
}
@@ -247,7 +247,7 @@ _expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **re
if (context)
krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
return EINVAL;
- }
+ }
len = strlen(path);
@@ -464,7 +464,7 @@ _krb5_expand_path_tokens(krb5_context context,
return ENOMEM;
}
-
+
{
size_t append_len = strlen(append);
char * new_str = realloc(*ppath_out, len + append_len + 1);
diff --git a/source4/heimdal/lib/krb5/fcache.c b/source4/heimdal/lib/krb5/fcache.c
index 218bd2cdbf..731f293414 100644
--- a/source4/heimdal/lib/krb5/fcache.c
+++ b/source4/heimdal/lib/krb5/fcache.c
@@ -62,6 +62,9 @@ static const char* KRB5_CALLCONV
fcc_get_name(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return NULL;
+
return FILENAME(id);
}
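Review bot: `fcc_get_name` can now return NULL, and `fcc_get_version` further down returns -1 for the same condition, while the other guarded operations return `krb5_einval(context, 2)`; none of these sentinels is documented. Callers outside this hunk that pass the name straight to a `%s` format or to `strdup` would have to be checked for NULL handling. A short comment on each, e.g. `/* returns NULL if the cache has no fcache data */`, would make the convention clear. So would a note on what the second argument of `krb5_einval` means, which appears to be the index of the offending parameter, judging by the 2/3 usage in `fcc_get_next`.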
@@ -155,7 +158,7 @@ write_storage(krb5_context context, krb5_storage *sp, int fd)
return ret;
}
sret = write(fd, data.data, data.length);
- ret = (sret != data.length);
+ ret = (sret != (ssize_t)data.length);
krb5_data_free(&data);
if (ret) {
ret = errno;
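Review bot: The cast only silences the signed/unsigned comparison; a short write is still reported through `errno`, which `write` does not set when it returns a non-negative count. In that case `ret` becomes a stale value, possibly 0, and a truncated credential cache would be treated as written successfully. I would separate the cases, taking `errno` only when `sret < 0` and using a fixed error for a partial write, e.g. `ret = (sret < 0) ? errno : EIO;` inside the `if (ret)` branch, or loop until all of `data.length` is written. The rest of the function is outside this hunk.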
@@ -220,7 +223,7 @@ scrub_file (int fd)
return errno;
memset(buf, 0, sizeof(buf));
while(pos > 0) {
- ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+ ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos));
if (tmp < 0)
return errno;
@@ -334,11 +337,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
fd = mkstemp(exp_file);
if(fd < 0) {
- int ret = errno;
- krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
+ int xret = errno;
+ krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file);
free(f);
free(exp_file);
- return ret;
+ return xret;
}
close(fd);
f->filename = exp_file;
@@ -383,8 +386,14 @@ fcc_open(krb5_context context,
krb5_boolean exclusive = ((flags | O_WRONLY) == flags ||
(flags | O_RDWR) == flags);
krb5_error_code ret;
- const char *filename = FILENAME(id);
+ const char *filename;
int fd;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ filename = FILENAME(id);
+
fd = open(filename, flags, mode);
if(fd < 0) {
char buf[128];
@@ -412,9 +421,11 @@ fcc_initialize(krb5_context context,
krb5_fcache *f = FCACHE(id);
int ret = 0;
int fd;
- char *filename = f->filename;
- unlink (filename);
+ if (f == NULL)
+ return krb5_einval(context, 2);
+
+ unlink (f->filename);
ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
@@ -443,7 +454,7 @@ fcc_initialize(krb5_context context,
}
}
ret |= krb5_store_principal(sp, primary_principal);
-
+
ret |= write_storage(context, sp, fd);
krb5_storage_free(sp);
@@ -464,6 +475,9 @@ static krb5_error_code KRB5_CALLCONV
fcc_close(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
free (FILENAME(id));
krb5_data_free(&id->data);
return 0;
@@ -473,6 +487,9 @@ static krb5_error_code KRB5_CALLCONV
fcc_destroy(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
_krb5_erase_file(context, FILENAME(id));
return 0;
}
@@ -701,6 +718,9 @@ fcc_get_first (krb5_context context,
krb5_error_code ret;
krb5_principal principal;
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
*cursor = malloc(sizeof(struct fcc_cursor));
if (*cursor == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
@@ -733,6 +753,13 @@ fcc_get_next (krb5_context context,
krb5_creds *creds)
{
krb5_error_code ret;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
return ret;
@@ -749,6 +776,13 @@ fcc_end_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
{
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
krb5_storage_free(FCC_CURSOR(*cursor)->sp);
close (FCC_CURSOR(*cursor)->fd);
free(*cursor);
@@ -767,6 +801,9 @@ fcc_remove_cred(krb5_context context,
char *newname = NULL;
int fd;
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &copy);
if (ret)
return ret;
@@ -827,6 +864,9 @@ fcc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
return 0; /* XXX */
}
@@ -834,9 +874,12 @@ static int KRB5_CALLCONV
fcc_get_version(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return -1;
+
return FCACHE(id)->version;
}
-
+
struct fcache_iter {
int first;
};
@@ -864,6 +907,9 @@ fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
const char *fn;
char *expandedfn = NULL;
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
if (!iter->first) {
krb5_clear_error_message(context);
return KRB5_CC_END;
@@ -900,6 +946,10 @@ static krb5_error_code KRB5_CALLCONV
fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
{
struct fcache_iter *iter = cursor;
+
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
free(iter);
return 0;
}
diff --git a/source4/heimdal/lib/krb5/get_addrs.c b/source4/heimdal/lib/krb5/get_addrs.c
index 829b2acc17..0e2bfcf66f 100644
--- a/source4/heimdal/lib/krb5/get_addrs.c
+++ b/source4/heimdal/lib/krb5/get_addrs.c
@@ -82,8 +82,8 @@ gethostname_fallback (krb5_context context, krb5_addresses *res)
}
enum {
- LOOP = 1, /* do include loopback interfaces */
- LOOP_IF_NONE = 2, /* include loopback if no other if's */
+ LOOP = 1, /* do include loopback addrs */
+ LOOP_IF_NONE = 2, /* include loopback addrs if no others */
EXTRA_ADDRESSES = 4, /* include extra addresses */
SCAN_INTERFACES = 8 /* scan interfaces for addresses */
};
@@ -146,11 +146,9 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+ if (krb5_sockaddr_is_loopback(ifa->ifa_addr) && (flags & LOOP) == 0)
/* We'll deal with the LOOP_IF_NONE case later. */
- if ((flags & LOOP) == 0)
- continue;
- }
+ continue;
ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]);
if (ret) {
@@ -189,24 +187,22 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
-
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
- ret = krb5_sockaddr2address(context,
- ifa->ifa_addr, &res->val[idx]);
- if (ret) {
- /*
- * See comment above.
- */
- continue;
- }
- if((flags & EXTRA_ADDRESSES) &&
- krb5_address_search(context, &res->val[idx],
- &ignore_addresses)) {
- krb5_free_address(context, &res->val[idx]);
- continue;
- }
- idx++;
+ if (!krb5_sockaddr_is_loopback(ifa->ifa_addr))
+ continue;
+ if ((ifa->ifa_flags & IFF_LOOPBACK) == 0)
+ /* Presumably loopback addrs are only used on loopback ifs! */
+ continue;
+ ret = krb5_sockaddr2address(context,
+ ifa->ifa_addr, &res->val[idx]);
+ if (ret)
+ continue; /* We don't consider this failure fatal */
+ if((flags & EXTRA_ADDRESSES) &&
+ krb5_address_search(context, &res->val[idx],
+ &ignore_addresses)) {
+ krb5_free_address(context, &res->val[idx]);
+ continue;
}
+ idx++;
}
}
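Review bot: The two passes now classify loopback differently: the first loop skips an entry when its address is a loopback address, while this LOOP_IF_NONE pass accepts it only when the address is loopback and the interface also has `IFF_LOOPBACK`. An entry with a loopback address on an interface without that flag is therefore dropped by both passes when `LOOP` is unset, and the comment `Presumably loopback addrs are only used on loopback ifs!` records that as an assumption rather than a decision. I would either drop the `IFF_LOOPBACK` test or replace the comment with one stating the intended rule. I would also brace the multi-line `if` bodies in both hunks, since a comment now sits between the `if` and its `continue`.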
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 7f2b57247d..e3bb23a2e9 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -55,7 +55,7 @@ make_pa_tgs_req(krb5_context context,
{
u_char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_data in_data;
krb5_error_code ret;
@@ -90,7 +90,7 @@ set_auth_data (krb5_context context,
krb5_keyblock *subkey)
{
if(authdata->len) {
- size_t len, buf_size;
+ size_t len = 0, buf_size;
unsigned char *buf;
krb5_crypto crypto;
krb5_error_code ret;
@@ -166,10 +166,11 @@ init_tgs_req (krb5_context context,
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
- ret = krb5_init_etype(context,
- &t->req_body.etype.len,
- &t->req_body.etype.val,
- NULL);
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_TGS_REQUEST,
+ &t->req_body.etype.len,
+ &t->req_body.etype.val,
+ NULL);
}
if (ret)
goto fail;
@@ -235,7 +236,7 @@ init_tgs_req (krb5_context context,
goto fail;
}
{
- int i;
+ size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
@@ -249,16 +250,16 @@ init_tgs_req (krb5_context context,
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
-
+
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
-
+
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
-
+
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
@@ -334,6 +335,8 @@ decrypt_tkt_with_subkey (krb5_context context,
assert(usage == 0);
+ krb5_data_zero(&data);
+
/*
* start out with trying with subkey if we have one
*/
@@ -383,7 +386,7 @@ decrypt_tkt_with_subkey (krb5_context context,
&dec_rep->enc_part,
&size);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encpart in ticket", ""));
krb5_data_free (&data);
return ret;
@@ -408,7 +411,7 @@ get_cred_kdc(krb5_context context,
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
- size_t len;
+ size_t len = 0;
Ticket second_ticket_data;
METHOD_DATA padata;
@@ -435,12 +438,12 @@ get_cred_kdc(krb5_context context,
PA_S4U2Self self;
krb5_data data;
void *buf;
- size_t size;
+ size_t size = 0;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = estrdup("Kerberos");
-
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret) {
free(self.auth);
@@ -475,7 +478,7 @@ get_cred_kdc(krb5_context context,
goto out;
if (len != size)
krb5_abortx(context, "internal asn1 error");
-
+
ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto out;
@@ -609,7 +612,7 @@ get_cred_kdc_address(krb5_context context,
krb5_appdefault_boolean(context, NULL, krbtgt->server->realm,
"no-addresses", FALSE, &noaddr);
-
+
if (!noaddr) {
krb5_get_all_client_addrs(context, &addresses);
/* XXX this sucks. */
@@ -734,7 +737,7 @@ get_cred_kdc_capath_worker(krb5_context context,
krb5_creds *in_creds,
krb5_const_realm try_realm,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -809,7 +812,7 @@ get_cred_kdc_capath_worker(krb5_context context,
krb5_free_principal(context, tmp_creds.client);
return ret;
}
- /*
+ /*
* if either of the chain or the ok_as_delegate was stripped
* by the kdc, make sure we strip it too.
*/
@@ -842,7 +845,7 @@ get_cred_kdc_capath_worker(krb5_context context,
return ret;
}
}
-
+
krb5_free_principal(context, tmp_creds.server);
krb5_free_principal(context, tmp_creds.client);
*out_creds = calloc(1, sizeof(**out_creds));
@@ -860,7 +863,7 @@ get_cred_kdc_capath_worker(krb5_context context,
}
krb5_free_creds(context, tgt);
return ret;
-}
+}
/*
get_cred(server)
@@ -883,7 +886,7 @@ get_cred_kdc_capath(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -918,7 +921,7 @@ get_cred_kdc_referral(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -946,7 +949,7 @@ get_cred_kdc_referral(krb5_context context,
/* find tgt for the clients base realm */
{
krb5_principal tgtname;
-
+
ret = krb5_make_principal(context, &tgtname,
client_realm,
KRB5_TGS_NAME,
@@ -954,7 +957,7 @@ get_cred_kdc_referral(krb5_context context,
NULL);
if(ret)
return ret;
-
+
ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
krb5_free_principal(context, tgtname);
if (ret)
@@ -1032,9 +1035,9 @@ get_cred_kdc_referral(krb5_context context,
goto out;
}
tickets++;
- }
+ }
- /*
+ /*
* if either of the chain or the ok_as_delegate was stripped
* by the kdc, make sure we strip it too.
*/
@@ -1080,7 +1083,7 @@ _krb5_get_cred_kdc_any(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -1165,7 +1168,7 @@ krb5_get_credentials_with_flags(krb5_context context,
*out_creds = res_creds;
return 0;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
@@ -1382,7 +1385,7 @@ krb5_get_creds(krb5_context context,
krb5_free_principal(context, in_creds.client);
goto out;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
@@ -1467,7 +1470,7 @@ krb5_get_renewed_creds(krb5_context context,
}
} else {
const char *realm = krb5_principal_get_realm(context, client);
-
+
ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
realm, NULL);
if (ret) {
diff --git a/source4/heimdal/lib/krb5/get_default_principal.c b/source4/heimdal/lib/krb5/get_default_principal.c
index ba4301ce29..44baa6d1c2 100644
--- a/source4/heimdal/lib/krb5/get_default_principal.c
+++ b/source4/heimdal/lib/krb5/get_default_principal.c
@@ -76,7 +76,7 @@ _krb5_get_default_principal_local (krb5_context context,
else
ret = krb5_make_principal(context, princ, NULL, "root", NULL);
} else {
- struct passwd *pw = getpwuid(uid);
+ struct passwd *pw = getpwuid(uid);
if(pw != NULL)
user = pw->pw_name;
else {
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index a109c71326..979fc9b0ae 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -225,7 +225,7 @@ krb5_get_forwarded_creds (krb5_context context,
if (!noaddr)
paddrs = &addrs;
}
-
+
/*
* If tickets have addresses, get the address of the remote host.
*/
@@ -241,7 +241,7 @@ krb5_get_forwarded_creds (krb5_context context,
hostname, gai_strerror(ret));
return ret2;
}
-
+
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
@@ -287,9 +287,9 @@ krb5_get_forwarded_creds (krb5_context context,
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
-
+
krb5_us_timeofday (context, &sec, &usec);
-
+
ALLOC(enc_krb_cred_part.timestamp, 1);
if (enc_krb_cred_part.timestamp == NULL) {
ret = ENOMEM;
@@ -418,7 +418,7 @@ krb5_get_forwarded_creds (krb5_context context,
* used. Heimdal 0.7.2 and newer have code to try both in the
* receiving end.
*/
-
+
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
diff --git a/source4/heimdal/lib/krb5/get_host_realm.c b/source4/heimdal/lib/krb5/get_host_realm.c
index 7aee02734b..ed7f54b3d6 100644
--- a/source4/heimdal/lib/krb5/get_host_realm.c
+++ b/source4/heimdal/lib/krb5/get_host_realm.c
@@ -109,7 +109,7 @@ dns_find_realm(krb5_context context,
domain++;
for (i = 0; labels[i] != NULL; i++) {
ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain);
- if(ret < 0 || ret >= sizeof(dom)) {
+ if(ret < 0 || (size_t)ret >= sizeof(dom)) {
if (config_labels)
krb5_config_free_strings(config_labels);
return -1;
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 15cbfba89d..27f4964e61 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
@@ -44,7 +42,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
@@ -76,7 +74,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
free_EncryptedData(&encdata);
if (ret)
@@ -103,7 +101,7 @@ add_padata(krb5_context context,
PA_DATA *pa2;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
+ size_t i;
if(salt == NULL) {
/* default to standard salt */
@@ -209,7 +207,8 @@ init_as_req (krb5_context context,
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = nonce;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
@@ -247,7 +246,7 @@ init_as_req (krb5_context context,
a->req_body.additional_tickets = NULL;
if(preauth != NULL) {
- int i;
+ size_t i;
ALLOC(a->padata, 1);
if(a->padata == NULL) {
ret = ENOMEM;
@@ -258,7 +257,7 @@ init_as_req (krb5_context context,
a->padata->len = 0;
for(i = 0; i < preauth->len; i++) {
if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
- int j;
+ size_t j;
for(j = 0; j < preauth->val[i].info.len; j++) {
krb5_salt *sp = &salt;
@@ -300,7 +299,7 @@ init_as_req (krb5_context context,
add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, NULL);
-
+
/* make a v4 salted pa-data */
salt.salttype = KRB5_PW_SALT;
krb5_data_zero(&salt.saltvalue);
@@ -331,7 +330,7 @@ set_ptypes(krb5_context context,
if(error->e_data) {
METHOD_DATA md;
- int i;
+ size_t i;
decode_METHOD_DATA(error->e_data->data,
error->e_data->length,
&md,
@@ -361,7 +360,6 @@ set_ptypes(krb5_context context,
return(1);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_cred(krb5_context context,
krb5_flags options,
@@ -375,12 +373,13 @@ krb5_get_in_cred(krb5_context context,
krb5_const_pointer decryptarg,
krb5_creds *creds,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
AS_REQ a;
krb5_kdc_rep rep;
krb5_data req, resp;
- size_t len;
+ size_t len = 0;
krb5_salt salt;
krb5_keyblock *key;
size_t size;
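Review bot: The deprecation text `"Use X instead"` attached to krb5_get_in_cred is a placeholder, so a caller who hits the warning learns nothing about where to migrate. Replace `X` with the intended successor, for example `KRB5_DEPRECATED_FUNCTION("Use krb5_init_creds_*() instead")` if the krb5_init_creds interface touched in init_creds_pw.c is the one meant. The same placeholder appears on krb5_get_in_tkt in this file and on krb5_get_init_creds_opt_init and krb5_get_init_creds_opt_get_error in init_creds.c, where krb5_get_init_creds_opt_alloc looks like the natural name to cite. The function body continues outside the hunk.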
@@ -483,12 +482,12 @@ krb5_get_in_cred(krb5_context context,
if(pa) {
salt.salttype = pa->padata_type;
salt.saltvalue = pa->padata_value;
-
+
ret = (*key_proc)(context, etype, salt, keyseed, &key);
} else {
/* make a v5 salted pa-data */
ret = krb5_get_pw_salt (context, creds->client, &salt);
-
+
if (ret)
goto out;
ret = (*key_proc)(context, etype, salt, keyseed, &key);
@@ -496,7 +495,7 @@ krb5_get_in_cred(krb5_context context,
}
if (ret)
goto out;
-
+
{
unsigned flags = EXTRACT_TICKET_TIMESYNC;
if (opts.request_anonymous)
@@ -526,7 +525,6 @@ out:
return ret;
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt(krb5_context context,
krb5_flags options,
@@ -540,6 +538,7 @@ krb5_get_in_tkt(krb5_context context,
krb5_creds *creds,
krb5_ccache ccache,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
diff --git a/source4/heimdal/lib/krb5/heim_err.et b/source4/heimdal/lib/krb5/heim_err.et
index 2e8a0d18d8..c47f77092f 100644
--- a/source4/heimdal/lib/krb5/heim_err.et
+++ b/source4/heimdal/lib/krb5/heim_err.et
@@ -19,6 +19,7 @@ error_code BAD_MKEY, "Failed to get the master key"
error_code SERVICE_NOMATCH, "Unacceptable service used"
error_code NOT_SEEKABLE, "File descriptor not seekable"
error_code TOO_BIG, "Offset too large"
+error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding"
index 64
prefix HEIM_PKINIT
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index f555c724ed..25bef0f340 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -61,14 +61,14 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
*opt = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
o->opt_private = calloc(1, sizeof(*o->opt_private));
if (o->opt_private == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
free(o);
return ENOMEM;
@@ -402,9 +402,9 @@ krb5_get_init_creds_opt_set_process_last_req(krb5_context context,
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset (opt, 0, sizeof(*opt));
}
@@ -416,11 +416,11 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_get_error(krb5_context context,
krb5_get_init_creds_opt *opt,
KRB_ERROR **error)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
*error = calloc(1, sizeof(**error));
if (*error == NULL) {
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 29b882d053..f2185628e5 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -71,7 +71,7 @@ typedef struct krb5_get_init_creds_ctx {
KRB_ERROR error;
AS_REP as_rep;
EncKDCRepPart enc_part;
-
+
krb5_prompter_fct prompter;
void *prompter_data;
@@ -313,14 +313,14 @@ process_last_request(krb5_context context,
if (lr->val[i].lr_value <= t) {
switch (abs(lr->val[i].lr_type)) {
case LR_PW_EXPTIME :
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your password will expire at ",
lr->val[i].lr_value);
reported = TRUE;
break;
case LR_ACCT_EXPTIME :
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your account will expire at ",
lr->val[i].lr_value);
@@ -333,7 +333,7 @@ process_last_request(krb5_context context,
if (!reported
&& ctx->enc_part.key_expiration
&& *ctx->enc_part.key_expiration <= t) {
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your password/account will expire at ",
*ctx->enc_part.key_expiration);
@@ -367,7 +367,7 @@ get_init_creds_common(krb5_context context,
if (options->opt_private) {
if (options->opt_private->password) {
- ret = krb5_init_creds_set_password(context, ctx,
+ ret = krb5_init_creds_set_password(context, ctx,
options->opt_private->password);
if (ret)
goto out;
@@ -384,7 +384,7 @@ get_init_creds_common(krb5_context context,
ctx->keyproc = default_s2k_func;
/* Enterprise name implicitly turns on canonicalize */
- if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
+ if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
ctx->flags.canonicalize = 1;
@@ -671,7 +671,8 @@ init_as_req (krb5_context context,
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = 0;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
@@ -759,7 +760,7 @@ pa_etype_info2(krb5_context context,
krb5_error_code ret;
ETYPE_INFO2 e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
@@ -808,7 +809,7 @@ pa_etype_info(krb5_context context,
krb5_error_code ret;
ETYPE_INFO e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
@@ -889,9 +890,9 @@ static struct pa_info pa_prefs[] = {
};
static PA_DATA *
-find_pa_data(const METHOD_DATA *md, int type)
+find_pa_data(const METHOD_DATA *md, unsigned type)
{
- int i;
+ size_t i;
if (md == NULL)
return NULL;
for (i = 0; i < md->len; i++)
@@ -908,7 +909,7 @@ process_pa_info(krb5_context context,
METHOD_DATA *md)
{
struct pa_info_data *p = NULL;
- int i;
+ size_t i;
for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
@@ -928,7 +929,7 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
@@ -989,7 +990,7 @@ add_enc_ts_padata(krb5_context context,
krb5_error_code ret;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
+ size_t i;
if(salt == NULL) {
/* default to standard salt */
@@ -1109,7 +1110,7 @@ pa_data_add_pac_request(krb5_context context,
krb5_get_init_creds_ctx *ctx,
METHOD_DATA *md)
{
- size_t len, length;
+ size_t len = 0, length;
krb5_error_code ret;
PA_PAC_REQUEST req;
void *buf;
@@ -1179,14 +1180,14 @@ process_pa_data_to_md(krb5_context context,
_krb5_debug(context, 5, "krb5_get_init_creds: "
"prepareing PKINIT padata (%s)",
(ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
-
+
if (ctx->used_pa_types & USED_PKINIT_W2K) {
krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
"Already tried pkinit, looping");
return KRB5_GET_IN_TKT_LOOP;
}
- ret = pa_data_to_md_pkinit(context, a, creds->client,
+ ret = pa_data_to_md_pkinit(context, a, creds->client,
(ctx->used_pa_types & USED_PKINIT),
ctx, *out_md);
if (ret)
@@ -1526,14 +1527,14 @@ krb5_init_creds_set_keytab(krb5_context context,
krb5_error_code ret;
size_t netypes = 0;
int kvno = 0;
-
+
a = malloc(sizeof(*a));
if (a == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
a->principal = ctx->cred.client;
a->keytab = keytab;
@@ -1568,7 +1569,7 @@ krb5_init_creds_set_keytab(krb5_context context,
kvno = entry.vno;
} else if (entry.vno != kvno)
goto next;
-
+
/* check if enctype is supported */
if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
goto next;
@@ -1619,7 +1620,7 @@ krb5_init_creds_set_keyblock(krb5_context context,
/**
* The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
+ * packets and have the caller send them off to the KDC.
*
* If the caller want all work been done for them, use
* krb5_init_creds_get() instead.
@@ -1647,7 +1648,7 @@ krb5_init_creds_step(krb5_context context,
unsigned int *flags)
{
krb5_error_code ret;
- size_t len;
+ size_t len = 0;
size_t size;
krb5_data_zero(out);
@@ -1768,13 +1769,13 @@ krb5_init_creds_step(krb5_context context,
"options send by KDC", ""));
}
} else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
- /*
+ /*
* Try adapt to timeskrew when we are using pre-auth, and
* if there was a time skew, try again.
*/
krb5_set_real_time(context, ctx->error.stime, -1);
if (context->kdc_sec_offset)
- ret = 0;
+ ret = 0;
_krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
context->kdc_sec_offset);
@@ -1793,7 +1794,7 @@ krb5_init_creds_step(krb5_context context,
"krb5_get_init_creds: got referal to realm %s",
*ctx->error.crealm);
- ret = krb5_principal_set_realm(context,
+ ret = krb5_principal_set_realm(context,
ctx->cred.client,
*ctx->error.crealm);
@@ -1934,7 +1935,7 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
if ((flags & 1) == 0)
break;
- ret = krb5_sendto_context (context, stctx, &out,
+ ret = krb5_sendto_context (context, stctx, &out,
ctx->cred.client->realm, &in);
if (ret)
goto out;
@@ -2013,7 +2014,7 @@ krb5_get_init_creds_password(krb5_context context,
}
ret = krb5_init_creds_get(context, ctx);
-
+
if (ret == 0)
process_last_request(context, options, ctx);
diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c
index 1fe15d8064..5a28b5138b 100644
--- a/source4/heimdal/lib/krb5/kcm.c
+++ b/source4/heimdal/lib/krb5/kcm.c
@@ -157,7 +157,7 @@ kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
}
} else
k->name = NULL;
-
+
(*id)->data.data = k;
(*id)->data.length = sizeof(*k);
@@ -554,7 +554,7 @@ kcm_get_first (krb5_context context,
c = calloc(1, sizeof(*c));
if (c == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
return ret;
}
@@ -577,7 +577,7 @@ kcm_get_first (krb5_context context,
if (ptr == NULL) {
free(c->uuids);
free(c);
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -637,7 +637,7 @@ kcm_get_next (krb5_context context,
return ret;
}
- sret = krb5_storage_write(request,
+ sret = krb5_storage_write(request,
&c->uuids[c->offset],
sizeof(c->uuids[c->offset]));
c->offset++;
@@ -789,7 +789,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
c = calloc(1, sizeof(*c));
if (c == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
@@ -820,7 +820,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
if (ptr == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
@@ -837,7 +837,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
if (ret && c) {
free(c->uuids);
free(c);
- } else
+ } else
*cursor = c;
return ret;
@@ -869,7 +869,7 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op
if (ret)
return ret;
- sret = krb5_storage_write(request,
+ sret = krb5_storage_write(request,
&c->uuids[c->offset],
sizeof(c->uuids[c->offset]));
c->offset++;
@@ -956,14 +956,14 @@ kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
static krb5_error_code
-kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
+kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
const char *defstr, char **str)
{
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data;
char *name;
-
+
*str = NULL;
ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request);
@@ -1039,7 +1039,7 @@ kcm_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
krb5_kcmcache *k = KCMCACHE(id);
krb5_error_code ret;
krb5_storage *request;
-
+
ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request);
if (ret)
return ret;
@@ -1069,7 +1069,7 @@ kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
krb5_storage *request, *response;
krb5_data response_data;
int32_t offset;
-
+
ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request);
if (ret)
return ret;
@@ -1155,11 +1155,13 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
kcm_move,
kcm_get_default_name_api,
kcm_set_default,
- kcm_lastchange
+ kcm_lastchange,
+ NULL,
+ NULL
};
-krb5_boolean
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kcm_is_running(krb5_context context)
{
krb5_error_code ret;
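Review bot: The two positional `NULL` entries appended to krb5_akcm_ops give no hint which callbacks they leave unset, and the struct definition is not visible in this hunk. Label each slot with the member it fills, for example `NULL, /* set_kdc_offset */` and `NULL /* get_kdc_offset */`, if those are the members added to krb5_cc_ops. This file defines kcm_set_kdc_offset and kcm_get_kdc_offset, so the labels would also show that the API variant deliberately omits them. Any caller that dispatches through these slots then needs a NULL check, which cannot be confirmed from here.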
@@ -1184,7 +1186,7 @@ _krb5_kcm_is_running(krb5_context context)
* Response:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_noop(krb5_context context,
krb5_ccache id)
{
@@ -1212,7 +1214,7 @@ _krb5_kcm_noop(krb5_context context,
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_initial_ticket(krb5_context context,
krb5_ccache id,
krb5_principal server,
@@ -1269,7 +1271,7 @@ _krb5_kcm_get_initial_ticket(krb5_context context,
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_ticket(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c
index f34a5c4f90..9ba9c4b290 100644
--- a/source4/heimdal/lib/krb5/keyblock.c
+++ b/source4/heimdal/lib/krb5/keyblock.c
@@ -131,7 +131,7 @@ krb5_copy_keyblock (krb5_context context,
{
krb5_error_code ret;
krb5_keyblock *k;
-
+
*to = NULL;
k = calloc (1, sizeof(*k));
diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c
index 96c0bce273..8ca515f213 100644
--- a/source4/heimdal/lib/krb5/keytab.c
+++ b/source4/heimdal/lib/krb5/keytab.c
@@ -50,7 +50,7 @@
*
* A keytab name is on the form type:residual. The residual part is
* specific to each keytab-type.
- *
+ *
* When a keytab-name is resolved, the type is matched with an internal
* list of keytab types. If there is no matching keytab type,
* the default keytab is used. The current default type is FILE.
@@ -60,7 +60,7 @@
* [defaults]default_keytab_name.
*
* The keytab types that are implemented in Heimdal are:
- * - file
+ * - file
* store the keytab in a file, the type's name is FILE . The
* residual part is a filename. For compatibility with other
* Kerberos implemtation WRFILE and JAVA14 is also accepted. WRFILE
@@ -166,29 +166,27 @@ krb5_kt_register(krb5_context context,
}
static const char *
-keytab_name(const char * name, const char ** ptype, size_t * ptype_len)
+keytab_name(const char *name, const char **type, size_t *type_len)
{
- const char * residual;
+ const char *residual;
residual = strchr(name, ':');
- if (residual == NULL
-
+ if (residual == NULL ||
+ name[0] == '/'
#ifdef _WIN32
-
/* Avoid treating <drive>:<path> as a keytab type
* specification */
-
|| name + 1 == residual
#endif
) {
- *ptype = "FILE";
- *ptype_len = strlen(*ptype);
+ *type = "FILE";
+ *type_len = strlen(*type);
residual = name;
} else {
- *ptype = name;
- *ptype_len = residual - name;
+ *type = name;
+ *type_len = residual - name;
residual++;
}
@@ -439,7 +437,7 @@ krb5_kt_get_full_name(krb5_context context,
char type[KRB5_KT_PREFIX_MAX_LEN];
char name[MAXPATHLEN];
krb5_error_code ret;
-
+
*str = NULL;
ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
@@ -568,16 +566,16 @@ _krb5_kt_principal_not_found(krb5_context context,
{
char princ[256], kvno_str[25], *kt_name;
char *enctype_str = NULL;
-
+
krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
krb5_kt_get_full_name (context, id, &kt_name);
krb5_enctype_to_string(context, enctype, &enctype_str);
-
+
if (kvno)
snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
else
kvno_str[0] = '\0';
-
+
krb5_set_error_message (context, ret,
N_("Failed to find %s%s in keytab %s (%s)",
"principal, kvno, keytab file, enctype"),
@@ -850,3 +848,46 @@ krb5_kt_remove_entry(krb5_context context,
}
return (*id->remove)(context, id, entry);
}
+
+/**
+ * Return true if the keytab exists and have entries
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_kt_have_content(krb5_context context,
+ krb5_keytab id)
+{
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ krb5_error_code ret;
+ char *name;
+
+ ret = krb5_kt_start_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ ret = krb5_kt_next_entry(context, id, &entry, &cursor);
+ krb5_kt_end_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ krb5_kt_free_entry(context, &entry);
+
+ return 0;
+
+ notfound:
+ ret = krb5_kt_get_full_name(context, id, &name);
+ if (ret == 0) {
+ krb5_set_error_message(context, KRB5_KT_NOTFOUND,
+ N_("No entry in keytab: %s", ""), name);
+ free(name);
+ }
+ return KRB5_KT_NOTFOUND;
+}
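Review bot: krb5_kt_have_content is declared `krb5_boolean` and its summary says "Return true if the keytab exists and have entries", but the body returns 0 when an entry is found and KRB5_KT_NOTFOUND otherwise. A caller that writes `if (krb5_kt_have_content(context, id))` therefore takes the branch exactly when the keytab is empty or unreadable, which matters wherever the result decides whether a service has usable keys. Declare the return type as `krb5_error_code`, matching the `@return` line, and reword the summary to `Check whether the keytab exists and has at least one entry.`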
diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c
index 2b9ea7f11d..ccaf62fcb4 100644
--- a/source4/heimdal/lib/krb5/keytab_file.c
+++ b/source4/heimdal/lib/krb5/keytab_file.c
@@ -101,7 +101,7 @@ krb5_kt_store_data(krb5_context context,
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != data.length){
+ if(ret != (int)data.length){
if(ret < 0)
return errno;
return KRB5_KT_END;
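Review bot: Casting `data.length` to `int` silences the sign-compare warning by narrowing the length rather than by making the comparison correct; a length above INT_MAX would be compared as a truncated or negative value. The negative case is already tested just below, so handle it first and compare in the unsigned domain: `if(ret < 0) return errno;` followed by `if((size_t)ret != data.length) return KRB5_KT_END;`. The same cast is used in krb5_kt_store_string (`(int)len`) and in fkt_add_entry (`(int)keytab.length`). The declaration of `ret` is outside the hunk, so its width is assumed to be int.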
@@ -119,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp,
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data, len);
- if(ret != len){
+ if(ret != (int)len){
if(ret < 0)
return errno;
return KRB5_KT_END;
@@ -182,7 +182,7 @@ krb5_kt_ret_principal(krb5_context context,
krb5_storage *sp,
krb5_principal *princ)
{
- int i;
+ size_t i;
int ret;
krb5_principal p;
int16_t len;
@@ -262,7 +262,7 @@ krb5_kt_store_principal(krb5_context context,
krb5_storage *sp,
krb5_principal p)
{
- int i;
+ size_t i;
int ret;
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
@@ -536,7 +536,7 @@ fkt_setup_keytab(krb5_context context,
id->version = KRB5_KT_VNO;
return krb5_store_int8 (sp, id->version);
}
-
+
static krb5_error_code KRB5_CALLCONV
fkt_add_entry(krb5_context context,
krb5_keytab id,
@@ -699,7 +699,7 @@ fkt_add_entry(krb5_context context,
}
if(len < 0) {
len = -len;
- if(len >= keytab.length) {
+ if(len >= (int)keytab.length) {
krb5_storage_seek(sp, -4, SEEK_CUR);
break;
}
@@ -749,8 +749,9 @@ fkt_remove_entry(krb5_context context,
krb5_store_int32(cursor.sp, -len);
memset(buf, 0, sizeof(buf));
while(len > 0) {
- krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf)));
- len -= min(len, sizeof(buf));
+ krb5_storage_write(cursor.sp, buf,
+ min((size_t)len, sizeof(buf)));
+ len -= min((size_t)len, sizeof(buf));
}
}
krb5_kt_free_entry(context, &e);
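Review bot: The zero-fill loop in fkt_remove_entry still discards the result of krb5_storage_write, so a failed or short write leaves the removed entry's key bytes in the keytab file while the loop counts them as wiped. Keep the return value and stop when it is not positive, for example `n = krb5_storage_write(cursor.sp, buf, min((size_t)len, sizeof(buf)));` then `if (n <= 0) break;` and `len -= n;`, with `n` a new local. The failure should also reach the caller rather than being reported as a successful removal. How to propagate it depends on code outside the hunk.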
diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c
index 28bbaeee8c..ea74c32780 100644
--- a/source4/heimdal/lib/krb5/keytab_keyfile.c
+++ b/source4/heimdal/lib/krb5/keytab_keyfile.c
@@ -348,7 +348,7 @@ akf_add_entry(krb5_context context,
strerror(ret));
return ret;
}
-
+
ret = krb5_ret_int32(sp, &len);
if(ret) {
krb5_storage_free(sp);
@@ -387,7 +387,7 @@ akf_add_entry(krb5_context context,
}
len++;
-
+
if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) {
ret = errno;
krb5_set_error_message (context, ret,
@@ -395,7 +395,7 @@ akf_add_entry(krb5_context context,
strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, len);
if(ret) {
ret = errno;
@@ -410,7 +410,7 @@ akf_add_entry(krb5_context context,
N_("seek to end: %s", ""), strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, entry->vno);
if(ret) {
krb5_set_error_message(context, ret,
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 8d671e3d36..2224b92e95 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -53,16 +53,6 @@
#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
#endif
-#ifndef KRB5_DEPRECATED
-#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER) && (_MSC_VER>1200)
-#define KRB5_DEPRECATED __declspec(deprecated)
-#else
-#define KRB5_DEPRECATED
-#endif
-#endif
-
#ifdef _WIN32
#define KRB5_CALLCONV __stdcall
#else
@@ -128,28 +118,69 @@ typedef struct krb5_enc_data {
/* alternative names */
enum {
- ENCTYPE_NULL = ETYPE_NULL,
- ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5,
- ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5,
- ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1,
- ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE,
- ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV,
- ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB,
- ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96,
- ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56,
- ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS,
- ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE,
- ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE,
- ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE,
- ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE
+ ENCTYPE_NULL = KRB5_ENCTYPE_NULL,
+ ENCTYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ENCTYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ENCTYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ENCTYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ENCTYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ENCTYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ENCTYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ENCTYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ENCTYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ENCTYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ENCTYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_NULL = KRB5_ENCTYPE_NULL,
+ ETYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ETYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ETYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ETYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ETYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ETYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ETYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ETYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ETYPE_ARCFOUR_MD4 = KRB5_ENCTYPE_ARCFOUR_MD4,
+ ETYPE_ARCFOUR_HMAC_OLD = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD,
+ ETYPE_ARCFOUR_HMAC_OLD_EXP = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP,
+ ETYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ETYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ETYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ETYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_DIGEST_MD5_NONE = KRB5_ENCTYPE_DIGEST_MD5_NONE,
+ ETYPE_CRAM_MD5_NONE = KRB5_ENCTYPE_CRAM_MD5_NONE
+
};
+/* PDU types */
+typedef enum krb5_pdu {
+ KRB5_PDU_ERROR = 0,
+ KRB5_PDU_TICKET = 1,
+ KRB5_PDU_AS_REQUEST = 2,
+ KRB5_PDU_AS_REPLY = 3,
+ KRB5_PDU_TGS_REQUEST = 4,
+ KRB5_PDU_TGS_REPLY = 5,
+ KRB5_PDU_AP_REQUEST = 6,
+ KRB5_PDU_AP_REPLY = 7,
+ KRB5_PDU_KRB_SAFE = 8,
+ KRB5_PDU_KRB_PRIV = 9,
+ KRB5_PDU_KRB_CRED = 10,
+ KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */
+} krb5_pdu;
+
typedef PADATA_TYPE krb5_preauthtype;
typedef enum krb5_key_usage {
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index bdd725e9ea..d0c68927ff 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -188,6 +188,12 @@ struct _krb5_krb_auth_data;
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+#ifndef __func__
+#define __func__ "unknown-function"
+#endif
+
+#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
+
#ifndef PATH_SEP
#define PATH_SEP ":"
#endif
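Review bot: `#ifndef __func__` is always true, because `__func__` is a predefined identifier in C99 rather than a preprocessor macro, so this block redefines it to "unknown-function" on every compiler. Every message produced through `krb5_einval()` would then name "unknown-function" instead of the calling function, which defeats the purpose of the macro. Key the fallback on the language level instead, e.g. `#if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L` around the `#define`.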
@@ -240,9 +246,14 @@ struct _krb5_get_init_creds_opt_private {
} lr;
};
+typedef uint32_t krb5_enctype_set;
+
typedef struct krb5_context_data {
krb5_enctype *etypes;
- krb5_enctype *etypes_des;
+ krb5_enctype *etypes_des;/* deprecated */
+ krb5_enctype *as_etypes;
+ krb5_enctype *tgs_etypes;
+ krb5_enctype *permitted_enctypes;
char **default_realms;
time_t max_skew;
time_t kdc_timeout;
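Review bot: The new members `as_etypes`, `tgs_etypes` and `permitted_enctypes` carry no comments, although they presumably decide which encryption types are offered or accepted per request type. The AS-REQ path in this diff now passes KRB5_PDU_AS_REQUEST to _krb5_init_etype, which suggests that role. Document each one on its line, for example `krb5_enctype *as_etypes; /* enctypes offered in AS-REQ */`, and say what `etypes_des` is deprecated in favour of. The code that frees and copies the context is not in this hunk, and each new pointer needs a matching release and copy there. The struct continues outside the hunk.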
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index 7d11157848..3242cdb999 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -123,7 +123,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
(*res)[num_srv++] = hi;
hi->proto = proto_num;
-
+
hi->def_port = def_port;
if (port != 0)
hi->port = port;
@@ -134,7 +134,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
}
*count = num_srv;
-
+
rk_dns_free_data(r);
return 0;
}
@@ -508,7 +508,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
ret = asprintf(&host, "%s.%s.", serv_string, kd->realm);
else
ret = asprintf(&host, "%s-%d.%s.",
- serv_string, kd->fallback_count, kd->realm);
+ serv_string, kd->fallback_count, kd->realm);
if (ret < 0 || host == NULL)
return ENOMEM;
@@ -605,7 +605,7 @@ plugin_get_hosts(krb5_context context,
service = _krb5_plugin_get_symbol(e);
if (service->minor_version != 0)
continue;
-
+
(*service->init)(context, &ctx);
ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd);
(*service->fini)(ctx);
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c
index ca0756fdb9..4b289afd80 100644
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -501,7 +501,7 @@ _krb5_debug(krb5_context context,
if (context == NULL || context->debug_dest == NULL)
return;
-
+
va_start(ap, fmt);
krb5_vlog(context, context->debug_dest, level, fmt, ap);
va_end(ap);
diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
index 19e6b2345e..e4b90c17e7 100644
--- a/source4/heimdal/lib/krb5/mcache.c
+++ b/source4/heimdal/lib/krb5/mcache.c
@@ -220,7 +220,7 @@ mcc_destroy(krb5_context context,
l = m->creds;
while (l != NULL) {
struct link *old;
-
+
krb5_free_cred_contents (context, &l->cred);
old = l;
l = l->next;
@@ -347,7 +347,7 @@ mcc_set_flags(krb5_context context,
{
return 0; /* XXX */
}
-
+
struct mcache_iter {
krb5_mcache *cache;
};
diff --git a/source4/heimdal/lib/krb5/misc.c b/source4/heimdal/lib/krb5/misc.c
index f90624cfca..ac6720c4e9 100644
--- a/source4/heimdal/lib/krb5/misc.c
+++ b/source4/heimdal/lib/krb5/misc.c
@@ -32,6 +32,9 @@
*/
#include "krb5_locl.h"
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_s4u2self_to_checksumdata(krb5_context context,
@@ -42,7 +45,7 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
krb5_ssize_t ssize;
krb5_storage *sp;
size_t size;
- int i;
+ size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {
@@ -56,20 +59,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
for (i = 0; i < self->name.name_string.len; i++) {
size = strlen(self->name.name_string.val[i]);
ssize = krb5_storage_write(sp, self->name.name_string.val[i], size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
}
size = strlen(self->realm);
ssize = krb5_storage_write(sp, self->realm, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
size = strlen(self->auth);
ssize = krb5_storage_write(sp, self->auth, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
@@ -89,3 +92,37 @@ krb5_enomem(krb5_context context)
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
+
+void
+_krb5_debug_backtrace(krb5_context context)
+{
+#if defined(HAVE_BACKTRACE) && !defined(HEIMDAL_SMALLER)
+ void *stack[128];
+ char **strs = NULL;
+ int i, frames = backtrace(stack, sizeof(stack) / sizeof(stack[0]));
+ if (frames > 0)
+ strs = backtrace_symbols(stack, frames);
+ if (strs) {
+ for (i = 0; i < frames; i++)
+ _krb5_debug(context, 10, "frame %d: %s", i, strs[i]);
+ free(strs);
+ }
+#endif
+}
+
+krb5_error_code
+_krb5_einval(krb5_context context, const char *func, unsigned long argn)
+{
+#ifndef HEIMDAL_SMALLER
+ krb5_set_error_message(context, EINVAL,
+ N_("programmer error: invalid argument to %s argument %lu",
+ "function:line"),
+ func, argn);
+ if (_krb5_have_debug(context, 10)) {
+ _krb5_debug(context, 10, "invalid argument to function %s argument %lu",
+ func, argn);
+ _krb5_debug_backtrace(context);
+ }
+#endif
+ return EINVAL;
+}
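Review bot: The `backtrace()` and `backtrace_symbols()` calls in `_krb5_debug_backtrace` are compiled under `HAVE_BACKTRACE`, but the earlier hunk in this file includes `<execinfo.h>` only under `HAVE_EXECINFO_H`, so a build that defines the first without the second would call them without a prototype. Guarding the body with both, `#if defined(HAVE_BACKTRACE) && defined(HAVE_EXECINFO_H) && !defined(HEIMDAL_SMALLER)`, keeps the two in step. In `_krb5_einval` the translator hint `"function:line"` does not match the arguments, which are a function name and an argument number; `"function:argument number"` would describe the format. The frames logged at level 10 typically carry symbol names and addresses, so a short comment that this output belongs only in trusted debug destinations would help operators.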
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 93489b607b..803a5bf289 100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
@@ -226,7 +224,7 @@ krb5_c_decrypt(krb5_context context,
krb5_crypto_destroy(context, crypto);
return ret;
}
-
+
if (blocksize > ivec->length) {
krb5_crypto_destroy(context, crypto);
return KRB5_BAD_MSIZE;
@@ -316,12 +314,12 @@ krb5_c_encrypt_length(krb5_context context,
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_enctype_compare(krb5_context context,
krb5_enctype e1,
krb5_enctype e2,
krb5_boolean *similar)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
*similar = (e1 == e2);
return 0;
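Review bot: The text in `KRB5_DEPRECATED_FUNCTION("Use X instead")` on `krb5_c_enctype_compare` is a placeholder, so a caller who hits the deprecation warning gets no guidance on what to switch to. Replace `X` with the name of the intended replacement, or state that there is none. The function's doc comment begins outside this hunk and would be the natural place to repeat the same pointer.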
diff --git a/source4/heimdal/lib/krb5/mk_error.c b/source4/heimdal/lib/krb5/mk_error.c
index a837b5e290..5fee1d6bed 100644
--- a/source4/heimdal/lib/krb5/mk_error.c
+++ b/source4/heimdal/lib/krb5/mk_error.c
@@ -48,7 +48,7 @@ krb5_mk_error(krb5_context context,
KRB_ERROR msg;
krb5_timestamp sec;
int32_t usec;
- size_t len;
+ size_t len = 0;
krb5_error_code ret = 0;
krb5_us_timeofday (context, &sec, &usec);
@@ -75,7 +75,8 @@ krb5_mk_error(krb5_context context,
msg.realm = server->realm;
msg.sname = server->name;
}else{
- msg.realm = "<unspecified realm>";
+ static char unspec[] = "<unspecified realm>";
+ msg.realm = unspec;
}
if(client){
msg.crealm = &client->realm;
diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c
index 833821341d..dede6d2fa4 100644
--- a/source4/heimdal/lib/krb5/mk_priv.c
+++ b/source4/heimdal/lib/krb5/mk_priv.c
@@ -45,7 +45,7 @@ krb5_mk_priv(krb5_context context,
EncKrbPrivPart part;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
diff --git a/source4/heimdal/lib/krb5/mk_rep.c b/source4/heimdal/lib/krb5/mk_rep.c
index 2b9c3fbdbb..84c315291c 100644
--- a/source4/heimdal/lib/krb5/mk_rep.c
+++ b/source4/heimdal/lib/krb5/mk_rep.c
@@ -43,7 +43,7 @@ krb5_mk_rep(krb5_context context,
EncAPRepPart body;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
ap.pvno = 5;
diff --git a/source4/heimdal/lib/krb5/n-fold.c b/source4/heimdal/lib/krb5/n-fold.c
index f94a1ea125..2e6092c5ca 100644
--- a/source4/heimdal/lib/krb5/n-fold.c
+++ b/source4/heimdal/lib/krb5/n-fold.c
@@ -64,7 +64,7 @@ rr13(unsigned char *buf, size_t len)
/* byte offset and shift count */
b1 = bb / 8;
s1 = bb % 8;
-
+
if(bb + 8 > bytes * 8)
/* watch for wraparound */
s2 = (len + 8 - s1) % 8;
diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index 046a89cc6a..f4caaddc26 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -106,7 +106,7 @@ HMAC_MD5_any_checksum(krb5_context context,
ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
if (ret)
krb5_data_free(&result->checksum);
-
+
krb5_free_keyblock(context, local_key.key);
return ret;
}
@@ -464,7 +464,7 @@ verify_checksum(krb5_context context,
goto out;
}
ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
- if (ret != cksum.checksum.length) {
+ if (ret != (int)cksum.checksum.length) {
ret = EINVAL;
krb5_set_error_message(context, ret, "PAC checksum missing checksum");
goto out;
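Review bot: The cast in `if (ret != (int)cksum.checksum.length)` silences the sign-compare warning by narrowing the unsigned side, so a length above `INT_MAX` wraps, and one that wraps to -1 would compare equal to a failed read. Whether the length is bounded earlier in `verify_checksum` is not visible in this hunk, but the check is safer written the other way round: `if (ret < 0 || (size_t)ret != cksum.checksum.length) {`. The same narrowing cast appears in the `build_logon_name` hunk (`(int)(len * 2)`), in the second `_krb5_pac_sign` hunk (`(int)d.length`), and in `krb5_sendto_context` in send_to_kdc.c (`(int)send_data->length`).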
@@ -546,7 +546,7 @@ create_checksum(krb5_context context,
* http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
* for Microsoft's explaination */
- if (cksumtype == CKSUMTYPE_HMAC_MD5) {
+ if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
ret = HMAC_MD5_any_checksum(context, key, data, datalen,
KRB5_KU_OTHER_CKSUM, &cksum);
} else {
@@ -748,7 +748,7 @@ build_logon_name(krb5_context context,
ret = krb5_storage_write(sp, s2, len * 2);
free(s2);
- if (ret != len * 2) {
+ if (ret != (int)(len * 2)) {
ret = krb5_enomem(context);
goto out;
}
@@ -932,7 +932,8 @@ _krb5_pac_sign(krb5_context context,
size_t server_size, priv_size;
uint32_t server_offset = 0, priv_offset = 0;
uint32_t server_cksumtype = 0, priv_cksumtype = 0;
- int i, num = 0;
+ int num = 0;
+ size_t i;
krb5_data logon, d;
krb5_data_zero(&logon);
@@ -1049,7 +1050,7 @@ _krb5_pac_sign(krb5_context context,
end += len;
e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
- if (end != e) {
+ if ((int32_t)end != e) {
CHECK(ret, fill_zeros(context, spdata, e - end), out);
}
end = e;
@@ -1066,7 +1067,7 @@ _krb5_pac_sign(krb5_context context,
goto out;
}
ret = krb5_storage_write(sp, d.data, d.length);
- if (ret != d.length) {
+ if (ret != (int)d.length) {
krb5_data_free(&d);
ret = krb5_enomem(context);
goto out;
diff --git a/source4/heimdal/lib/krb5/padata.c b/source4/heimdal/lib/krb5/padata.c
index 98420a7332..babe22cb38 100644
--- a/source4/heimdal/lib/krb5/padata.c
+++ b/source4/heimdal/lib/krb5/padata.c
@@ -36,8 +36,8 @@
KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
{
- for(; *idx < len; (*idx)++)
- if(val[*idx].padata_type == type)
+ for(; *idx < (int)len; (*idx)++)
+ if(val[*idx].padata_type == (unsigned)type)
return val + *idx;
return NULL;
}
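Review bot: With `*idx < (int)len` the loop now runs when the caller passes a negative `*idx`, and `val[*idx]` then reads before the start of the array. Under the old unsigned comparison a negative index converted to a large value and the loop body was skipped. A `len` above `INT_MAX` also turns negative under the cast. Keeping the comparison unsigned and rejecting negative start values preserves the old behaviour: `for(; *idx >= 0 && (unsigned)*idx < len; (*idx)++)`.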
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 7a8502727e..1103a17807 100644
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
{ "MS EKU" },
{ "any (or no)" }
};
- int i, ret, start = 1;
+ int ret = HX509_CERT_NOT_FOUND;
+ size_t i, start = 1;
unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
@@ -298,8 +299,8 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
IssuerAndSerialNumber iasn;
hx509_name issuer;
- size_t size;
-
+ size_t size = 0;
+
memset(&iasn, 0, sizeof(iasn));
ret = hx509_cert_get_issuer(c, &issuer);
@@ -314,7 +315,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c)
free_ExternalPrincipalIdentifier(&id);
return ret;
}
-
+
ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
if (ret) {
free_IssuerAndSerialNumber(&iasn);
@@ -364,7 +365,7 @@ build_auth_pack(krb5_context context,
const KDC_REQ_BODY *body,
AuthPack *a)
{
- size_t buf_size, len;
+ size_t buf_size, len = 0;
krb5_error_code ret;
void *buf;
krb5_timestamp sec;
@@ -413,7 +414,7 @@ build_auth_pack(krb5_context context,
const char *moduli_file;
unsigned long dh_min_bits;
krb5_data dhbuf;
- size_t size;
+ size_t size = 0;
krb5_data_zero(&dhbuf);
@@ -433,7 +434,7 @@ build_auth_pack(krb5_context context,
ret = _krb5_parse_moduli(context, moduli_file, &ctx->m);
if (ret)
return ret;
-
+
ctx->u.dh = DH_new();
if (ctx->u.dh == NULL) {
krb5_set_error_message(context, ENOMEM,
@@ -483,9 +484,9 @@ build_auth_pack(krb5_context context,
&a->clientPublicValue->algorithm.algorithm);
if (ret)
return ret;
-
+
memset(&dp, 0, sizeof(dp));
-
+
ret = BN_to_integer(context, dh->p, &dp.p);
if (ret) {
free_DomainParameters(&dp);
@@ -503,14 +504,14 @@ build_auth_pack(krb5_context context,
}
dp.j = NULL;
dp.validationParms = NULL;
-
+
a->clientPublicValue->algorithm.parameters =
malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
if (a->clientPublicValue->algorithm.parameters == NULL) {
free_DomainParameters(&dp);
return ret;
}
-
+
ASN1_MALLOC_ENCODE(DomainParameters,
a->clientPublicValue->algorithm.parameters->data,
a->clientPublicValue->algorithm.parameters->length,
@@ -520,11 +521,11 @@ build_auth_pack(krb5_context context,
return ret;
if (size != a->clientPublicValue->algorithm.parameters->length)
krb5_abortx(context, "Internal ASN1 encoder error");
-
+
ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
&dh_pub_key, &size, ret);
der_free_heim_integer(&dh_pub_key);
@@ -536,7 +537,7 @@ build_auth_pack(krb5_context context,
#ifdef HAVE_OPENSSL
ECParameters ecp;
unsigned char *p;
- int len;
+ int xlen;
/* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */
@@ -551,13 +552,13 @@ build_auth_pack(krb5_context context,
free_ECParameters(&ecp);
return ENOMEM;
}
- ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret);
+ ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret);
free_ECParameters(&ecp);
if (ret)
return ret;
- if (size != len)
+ if ((int)size != xlen)
krb5_abortx(context, "asn1 internal error");
-
+
a->clientPublicValue->algorithm.parameters->data = p;
a->clientPublicValue->algorithm.parameters->length = size;
@@ -578,18 +579,18 @@ build_auth_pack(krb5_context context,
/* encode onto dhkey */
- len = i2o_ECPublicKey(ctx->u.eckey, NULL);
- if (len <= 0)
+ xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+ if (xlen <= 0)
abort();
- dhbuf.data = malloc(len);
+ dhbuf.data = malloc(xlen);
if (dhbuf.data == NULL)
abort();
- dhbuf.length = len;
+ dhbuf.length = xlen;
p = dhbuf.data;
- len = i2o_ECPublicKey(ctx->u.eckey, &p);
- if (len <= 0)
+ xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+ if (xlen <= 0)
abort();
/* XXX verify that this is right with RFC3279 */
@@ -601,13 +602,14 @@ build_auth_pack(krb5_context context,
a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
}
-
+
{
a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
if (a->supportedCMSTypes == NULL)
return ENOMEM;
- ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL,
+ ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
+ ctx->id->cert,
&a->supportedCMSTypes->val,
&a->supportedCMSTypes->len);
if (ret)
@@ -648,10 +650,10 @@ pk_mk_padata(krb5_context context,
{
struct ContentInfo content_info;
krb5_error_code ret;
- const heim_oid *oid;
- size_t size;
+ const heim_oid *oid = NULL;
+ size_t size = 0;
krb5_data buf, sd_buf;
- int pa_type;
+ int pa_type = -1;
krb5_data_zero(&buf);
krb5_data_zero(&sd_buf);
@@ -698,7 +700,7 @@ pk_mk_padata(krb5_context context,
oid = &asn1_oid_id_pkcs7_data;
} else if (ctx->type == PKINIT_27) {
AuthPack ap;
-
+
memset(&ap, 0, sizeof(ap));
ret = build_auth_pack(context, nonce, ctx, req_body, &ap);
@@ -755,7 +757,7 @@ pk_mk_padata(krb5_context context,
pa_type = KRB5_PADATA_PK_AS_REQ;
memset(&req, 0, sizeof(req));
- req.signedAuthPack = buf;
+ req.signedAuthPack = buf;
if (ctx->trustedCertifiers) {
@@ -926,7 +928,7 @@ pk_verify_sign(krb5_context context,
ret = ENOMEM;
goto out;
}
-
+
ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
@@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context,
return ret;
}
- if (key_pack.nonce != nonce) {
+ if ((unsigned)key_pack.nonce != nonce) {
krb5_set_error_message(context, ret,
N_("PKINIT enckey nonce is wrong", ""));
free_ReplyKeyPack_Win2k(&key_pack);
@@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context,
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
- int i;
+ size_t i;
ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
host->cert,
@@ -1203,9 +1205,9 @@ pk_rd_pa_reply_enckey(krb5_context context,
size_t ph = 1 + der_length_len(content.length);
unsigned char *ptr = malloc(content.length + ph);
size_t l;
-
+
memcpy(ptr + ph, content.data, content.length);
-
+
ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
ASN1_C_UNIV, CONS, UT_Sequence, &l);
if (ret)
@@ -1424,7 +1426,7 @@ pk_rd_pa_reply_dh(krb5_context context,
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
-
+
dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh);
if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
@@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context,
N_("PKINIT: Can't compute Diffie-Hellman key", ""));
goto out;
}
- if (dh_gen_keylen < size) {
+ if (dh_gen_keylen < (int)size) {
size -= dh_gen_keylen;
memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
memset(dh_gen_key, 0, size);
@@ -1488,7 +1490,7 @@ pk_rd_pa_reply_dh(krb5_context context,
ret = EINVAL;
#endif
}
-
+
if (dh_gen_keylen <= 0) {
ret = EINVAL;
krb5_set_error_message(context, ret,
@@ -1555,7 +1557,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
PA_PK_AS_REP rep;
heim_octet_string os, data;
heim_oid oid;
-
+
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: wrong padata recv", ""));
@@ -1585,7 +1587,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
PA_PK_AS_REP_BTMM btmm;
free_PA_PK_AS_REP(&rep);
memset(&rep, 0, sizeof(rep));
-
+
_krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
@@ -1661,7 +1663,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
#endif
memset(&w2krep, 0, sizeof(w2krep));
-
+
ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
pa->padata_value.length,
&w2krep,
@@ -1674,12 +1676,12 @@ _krb5_pk_rd_pa_reply(krb5_context context,
}
krb5_clear_error_message(context);
-
+
switch (w2krep.element) {
case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
heim_octet_string data;
heim_oid oid;
-
+
ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
@@ -1744,7 +1746,7 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
default:
prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
break;
- }
+ }
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
@@ -1780,10 +1782,10 @@ _krb5_pk_set_user_id(krb5_context context,
"Allocate query to find signing certificate");
return ret;
}
-
+
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
-
+
if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
ctx->id->flags |= PKINIT_BTMM;
}
@@ -1799,7 +1801,7 @@ _krb5_pk_set_user_id(krb5_context context,
ret = hx509_cert_get_subject(ctx->id->cert, &name);
if (ret)
goto out;
-
+
ret = hx509_name_to_string(name, &str);
hx509_name_free(&name);
if (ret)
@@ -1857,7 +1859,7 @@ _krb5_pk_load_id(krb5_context context,
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
- }
+ }
if (user_id) {
hx509_lock lock;
@@ -1867,15 +1869,15 @@ _krb5_pk_load_id(krb5_context context,
pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
goto out;
}
-
+
if (password && password[0])
hx509_lock_add_password(lock, password);
-
+
if (prompter) {
p.context = context;
p.prompter = prompter;
p.prompter_data = prompter_data;
-
+
ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
if (ret) {
hx509_lock_free(lock);
@@ -2083,7 +2085,7 @@ _krb5_parse_moduli_line(krb5_context context,
"bits on line %d", ""), file, lineno);
goto out;
}
-
+
ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
if (ret)
goto out;
@@ -2249,7 +2251,7 @@ _krb5_parse_moduli(krb5_context context, const char *file,
return ENOMEM;
}
m = m2;
-
+
m[n] = NULL;
ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
@@ -2321,7 +2323,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
break;
case USE_RSA:
break;
- case USE_ECDH:
+ case USE_ECDH:
#ifdef HAVE_OPENSSL
if (ctx->u.eckey)
EC_KEY_free(ctx->u.eckey);
@@ -2457,7 +2459,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
krb5_set_error_message(context, EINVAL,
N_("No anonymous pkinit support in RSA mode", ""));
return EINVAL;
- }
+ }
}
return 0;
@@ -2484,7 +2486,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
N_("PKINIT: on pkinit context", ""));
return EINVAL;
}
-
+
_krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
return 0;
@@ -2517,7 +2519,7 @@ get_ms_san(hx509_context context, hx509_cert cert, char **upn)
upn, NULL);
else
ret = 1;
- hx509_free_octet_string_list(&list);
+ hx509_free_octet_string_list(&list);
return ret;
}
@@ -2552,14 +2554,14 @@ krb5_pk_enterprise_cert(krb5_context context,
#ifdef PKINIT
krb5_error_code ret;
hx509_certs certs, result;
- hx509_cert cert;
+ hx509_cert cert = NULL;
hx509_query *q;
char *name;
*principal = NULL;
if (res)
*res = NULL;
-
+
if (user_id == NULL) {
krb5_set_error_message(context, ENOENT, "no user id");
return ENOENT;
@@ -2592,7 +2594,7 @@ krb5_pk_enterprise_cert(krb5_context context,
"Failed to find PKINIT certificate");
return ret;
}
-
+
ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
hx509_certs_free(&result);
if (ret) {
@@ -2617,11 +2619,9 @@ krb5_pk_enterprise_cert(krb5_context context,
if (res) {
ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
- if (ret) {
- hx509_cert_free(cert);
+ if (ret)
goto out;
- }
-
+
ret = hx509_certs_add(context->hx509ctx, *res, cert);
if (ret) {
hx509_certs_free(res);
diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c
index ea47e13a7b..9303b6c615 100644
--- a/source4/heimdal/lib/krb5/plugin.c
+++ b/source4/heimdal/lib/krb5/plugin.c
@@ -63,7 +63,7 @@ static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
static struct plugin *registered = NULL;
static int plugins_needs_scan = 1;
-static const char *sysplugin_dirs[] = {
+static const char *sysplugin_dirs[] = {
LIBDIR "/plugin/krb5",
#ifdef __APPLE__
"/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
@@ -196,9 +196,9 @@ is_valid_plugin_filename(const char * n)
return !stricmp(ext, ".dll");
}
-#endif
-
+#else
return 1;
+#endif
}
static void
@@ -305,7 +305,7 @@ static krb5_error_code
add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
{
struct krb5_plugin *e;
-
+
e = calloc(1, sizeof(*e));
if (e == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
@@ -329,7 +329,7 @@ _krb5_plugin_find(krb5_context context,
*list = NULL;
HEIMDAL_MUTEX_lock(&plugin_mutex);
-
+
load_plugins(context);
for (ret = 0, e = registered; e != NULL; e = e->next) {
@@ -379,7 +379,7 @@ _krb5_plugin_free(struct krb5_plugin *list)
/*
* module - dict of {
* ModuleName = [
- * plugin = object{
+ * plugin = object{
* array = { ptr, ctx }
* }
* ]
@@ -556,7 +556,7 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value)
return;
pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
-
+
cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
if (cpm) {
int ret;
@@ -569,10 +569,10 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value)
} else {
cpm = pl->dataptr;
}
-
+
if (cpm && cpm->version >= s->min_version)
heim_array_append_value(s->result, pl);
-
+
heim_release(pl);
}
@@ -619,11 +619,11 @@ _krb5_plugin_run_f(krb5_context context,
s.userctx = userctx;
heim_dict_iterate_f(dict, search_modules, &s);
-
+
heim_release(dict);
-
+
HEIMDAL_MUTEX_unlock(&plugin_mutex);
-
+
s.ret = KRB5_PLUGIN_NO_HANDLE;
heim_array_iterate_f(s.result, eval_results, &s);
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c
index 42169fc2f9..a10d2d0798 100644
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -140,7 +140,7 @@ krb5_principal_get_realm(krb5_context context,
krb5_const_principal principal)
{
return princ_realm(principal);
-}
+}
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_comp_string(krb5_context context,
@@ -426,7 +426,7 @@ unparse_name_fixed(krb5_context context,
int flags)
{
size_t idx = 0;
- int i;
+ size_t i;
int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
@@ -549,7 +549,7 @@ unparse_name(krb5_context context,
int flags)
{
size_t len = 0, plen;
- int i;
+ size_t i;
krb5_error_code ret;
/* count length */
if (princ_realm(principal)) {
@@ -917,7 +917,7 @@ krb5_principal_compare_any_realm(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
{
- int i;
+ size_t i;
if(princ_num_comp(princ1) != princ_num_comp(princ2))
return FALSE;
for(i = 0; i < princ_num_comp(princ1); i++){
@@ -932,7 +932,7 @@ _krb5_principal_compare_PrincipalName(krb5_context context,
krb5_const_principal princ1,
PrincipalName *princ2)
{
- int i;
+ size_t i;
if (princ_num_comp(princ1) != princ2->name_string.len)
return FALSE;
for(i = 0; i < princ_num_comp(princ1); i++){
@@ -1001,7 +1001,7 @@ krb5_principal_match(krb5_context context,
krb5_const_principal princ,
krb5_const_principal pattern)
{
- int i;
+ size_t i;
if(princ_num_comp(princ) != princ_num_comp(pattern))
return FALSE;
if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
@@ -1028,7 +1028,7 @@ krb5_principal_match(krb5_context context,
*
* @ingroup krb5_principal
*/
-
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (krb5_context context,
const char *hostname,
@@ -1039,7 +1039,7 @@ krb5_sname_to_principal (krb5_context context,
krb5_error_code ret;
char localhost[MAXHOSTNAMELEN];
char **realms, *host = NULL;
-
+
if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE,
N_("unsupported name type %d", ""),
@@ -1053,7 +1053,7 @@ krb5_sname_to_principal (krb5_context context,
krb5_set_error_message(context, ret,
N_("Failed to get local hostname", ""));
return ret;
- }
+ }
localhost[sizeof(localhost) - 1] = '\0';
hostname = localhost;
}
@@ -1096,7 +1096,7 @@ static const struct {
{ "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID },
{ "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL },
{ "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID },
- { NULL }
+ { NULL, 0 }
};
/**
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index 094f748b9f..c08547112b 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -65,9 +65,10 @@ krb5_rd_cred(krb5_context context,
EncKrbCredPart enc_krb_cred_part;
krb5_data enc_krb_cred_part_data;
krb5_crypto crypto;
- int i;
+ size_t i;
memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+ krb5_data_zero(&enc_krb_cred_part_data);
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -118,7 +119,7 @@ krb5_rd_cred(krb5_context context,
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
@@ -134,13 +135,13 @@ krb5_rd_cred(krb5_context context,
if (ret)
goto out;
-
+
ret = krb5_decrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
if (ret)
@@ -195,7 +196,7 @@ krb5_rd_cred(krb5_context context,
auth_context->local_port);
if (ret)
goto out;
-
+
ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
N_("receiver address is wrong "
"in received creds", ""));
@@ -299,9 +300,9 @@ krb5_rd_cred(krb5_context context,
krb5_copy_addresses (context,
kci->caddr,
&creds->addresses);
-
+
(*ret_creds)[i] = creds;
-
+
}
(*ret_creds)[i] = NULL;
diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c
index f8963a53b2..391d81c191 100644
--- a/source4/heimdal/lib/krb5/rd_rep.c
+++ b/source4/heimdal/lib/krb5/rd_rep.c
@@ -65,7 +65,7 @@ krb5_rd_rep(krb5_context context,
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData (context,
- crypto,
+ crypto,
KRB5_KU_AP_REQ_ENC_PART,
&ap_rep.enc_part,
&data);
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 25aa8674c7..21daeb596b 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -59,7 +59,7 @@ decrypt_tkt_enc_part (krb5_context context,
ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encrypted "
"ticket part", ""));
krb5_data_free (&plain);
@@ -135,9 +135,9 @@ static krb5_error_code
check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
{
char **realms;
- unsigned int num_realms;
+ unsigned int num_realms, n;
krb5_error_code ret;
-
+
/*
* Windows 2000 and 2003 uses this inside their TGT so it's normaly
* not seen by others, however, samba4 joined with a Windows AD as
@@ -161,6 +161,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
ret = krb5_check_transited(context, enc->crealm,
ticket->realm,
realms, num_realms, NULL);
+ for (n = 0; n < num_realms; n++)
+ free(realms[n]);
free(realms);
return ret;
}
@@ -175,7 +177,7 @@ find_etypelist(krb5_context context,
krb5_authdata adIfRelevant;
unsigned i;
- adIfRelevant.len = 0;
+ memset(&adIfRelevant, 0, sizeof(adIfRelevant));
etypes->len = 0;
etypes->val = NULL;
@@ -250,7 +252,7 @@ krb5_decrypt_ticket(krb5_context context,
krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
-
+
if(!t.flags.transited_policy_checked) {
ret = check_transited(context, ticket, &t);
if(ret) {
@@ -402,7 +404,7 @@ krb5_verify_ap_req2(krb5_context context,
{
krb5_principal p1, p2;
krb5_boolean res;
-
+
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
@@ -466,7 +468,7 @@ krb5_verify_ap_req2(krb5_context context,
ac->keytype = ETYPE_NULL;
if (etypes.val) {
- int i;
+ size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
@@ -508,7 +510,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_con_free (context, ac);
return ret;
}
-
+
/*
*
*/
@@ -949,7 +951,7 @@ krb5_rd_req_ctx(krb5_context context,
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
-
+
if (ret)
goto out;
@@ -972,7 +974,7 @@ krb5_rd_req_ctx(krb5_context context,
goto out;
done = 0;
- while (!done) {
+ while (!done) {
krb5_principal p;
ret = krb5_kt_next_entry(context, id, &entry, &cursor);
@@ -1007,14 +1009,14 @@ krb5_rd_req_ctx(krb5_context context,
* and update the service principal in the ticket to match
* whatever is in the keytab.
*/
-
- ret = krb5_copy_keyblock(context,
+
+ ret = krb5_copy_keyblock(context,
&entry.keyblock,
&o->keyblock);
if (ret) {
krb5_kt_free_entry (context, &entry);
goto out;
- }
+ }
ret = krb5_copy_principal(context, entry.principal, &p);
if (ret) {
@@ -1023,7 +1025,7 @@ krb5_rd_req_ctx(krb5_context context,
}
krb5_free_principal(context, o->ticket->server);
o->ticket->server = p;
-
+
krb5_kt_free_entry (context, &entry);
done = 1;
@@ -1045,7 +1047,7 @@ krb5_rd_req_ctx(krb5_context context,
krb5_data_free(&data);
if (ret)
goto out;
-
+
ret = krb5_pac_verify(context,
pac,
o->ticket->ticket.authtime,
diff --git a/source4/heimdal/lib/krb5/replay.c b/source4/heimdal/lib/krb5/replay.c
index 375a4aaba6..965dd44437 100644
--- a/source4/heimdal/lib/krb5/replay.c
+++ b/source4/heimdal/lib/krb5/replay.c
@@ -282,14 +282,14 @@ krb5_rc_get_name(krb5_context context,
{
return id->name;
}
-
+
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_type(krb5_context context,
krb5_rcache id)
{
return "FILE";
}
-
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_server_rcache(krb5_context context,
const krb5_data *piece,
diff --git a/source4/heimdal/lib/krb5/salt-arcfour.c b/source4/heimdal/lib/krb5/salt-arcfour.c
index b222b47e16..ab5e51270c 100644
--- a/source4/heimdal/lib/krb5/salt-arcfour.c
+++ b/source4/heimdal/lib/krb5/salt-arcfour.c
@@ -43,7 +43,7 @@ ARCFOUR_string_to_key(krb5_context context,
{
krb5_error_code ret;
uint16_t *s = NULL;
- size_t len, i;
+ size_t len = 0, i;
EVP_MD_CTX *m;
m = EVP_MD_CTX_create();
diff --git a/source4/heimdal/lib/krb5/salt-des.c b/source4/heimdal/lib/krb5/salt-des.c
index 6939b6b50b..56b285f72e 100644
--- a/source4/heimdal/lib/krb5/salt-des.c
+++ b/source4/heimdal/lib/krb5/salt-des.c
@@ -52,7 +52,7 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
DES_cblock *key)
{
char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
+ size_t i;
for(i = 0; i < 8; i++) {
char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
@@ -89,7 +89,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
memcpy(password, pw.data, min(pw.length, sizeof(password)));
if(pw.length < sizeof(password)) {
int len = min(cell.length, sizeof(password) - pw.length);
- int i;
+ size_t i;
memcpy(password + pw.length, cell.data, len);
for (i = pw.length; i < pw.length + len; ++i)
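Review bot: `i` is now `size_t` but `len` two lines above is still `int`, so `pw.length + len` and the `memcpy` length mix signed and unsigned values in the same block. Declaring it as `size_t len = min(cell.length, sizeof(password) - pw.length);` makes the block consistent; the enclosing `if(pw.length < sizeof(password))` already keeps the subtraction from wrapping. The body of `krb5_DES_AFS3_Transarc_string_to_key` continues outside this hunk.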
@@ -138,7 +138,7 @@ static void
DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
{
DES_key_schedule schedule;
- int i;
+ size_t i;
int reverse = 0;
unsigned char *p;
diff --git a/source4/heimdal/lib/krb5/salt.c b/source4/heimdal/lib/krb5/salt.c
index 6f18308743..5e4c8a1c85 100644
--- a/source4/heimdal/lib/krb5/salt.c
+++ b/source4/heimdal/lib/krb5/salt.c
@@ -33,6 +33,7 @@
#include "krb5_locl.h"
+/* coverity[+alloc : arg-*3] */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_salttype_to_string (krb5_context context,
krb5_enctype etype,
@@ -98,7 +99,7 @@ krb5_get_pw_salt(krb5_context context,
krb5_salt *salt)
{
size_t len;
- int i;
+ size_t i;
krb5_error_code ret;
char *p;
diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c
index 2ae8153c8d..edf1d33c9d 100644
--- a/source4/heimdal/lib/krb5/send_to_kdc.c
+++ b/source4/heimdal/lib/krb5/send_to_kdc.c
@@ -88,7 +88,7 @@ recv_loop (krb5_socket_t fd,
return 0;
if (limit)
- nbytes = min(nbytes, limit - rep->length);
+ nbytes = min((size_t)nbytes, limit - rep->length);
tmp = realloc (rep->data, rep->length + nbytes);
if (tmp == NULL) {
@@ -268,7 +268,7 @@ send_via_proxy (krb5_context context,
int ret;
krb5_socket_t s = rk_INVALID_SOCKET;
char portstr[NI_MAXSERV];
-
+
if (proxy == NULL)
return ENOMEM;
if (strncmp (proxy, "http://", 7) == 0)
@@ -339,7 +339,7 @@ send_via_plugin(krb5_context context,
service = _krb5_plugin_get_symbol(e);
if (service->minor_version != 0)
continue;
-
+
(*service->init)(context, &ctx);
ret = (*service->send_to_kdc)(context, ctx, hi,
timeout, send_data, receive);
@@ -366,12 +366,12 @@ send_via_plugin(krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto (krb5_context context,
const krb5_data *send_data,
- krb5_krbhst_handle handle,
+ krb5_krbhst_handle handle,
krb5_data *receive)
{
krb5_error_code ret;
krb5_socket_t fd;
- int i;
+ size_t i;
krb5_data_zero(receive);
@@ -511,7 +511,7 @@ _krb5_copy_send_to_kdc_func(krb5_context context, krb5_context to)
{
if (context->send_to_kdc)
return krb5_set_send_to_kdc_func(to,
- context->send_to_kdc->func,
+ context->send_to_kdc->func,
context->send_to_kdc->data);
else
return krb5_set_send_to_kdc_func(to, NULL, NULL);
@@ -602,7 +602,7 @@ krb5_sendto_context(krb5_context context,
type = KRB5_KRBHST_KDC;
}
- if (send_data->length > context->large_msg_size)
+ if ((int)send_data->length > context->large_msg_size)
ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
/* loop until we get back a appropriate response */
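Review bot: The `(int)` cast on `send_data->length` narrows what the rest of this diff treats as a size_t, so a length above INT_MAX turns negative and the comparison with `context->large_msg_size` is false. That leaves KRB5_KRBHST_FLAGS_LARGE_MSG unset for exactly the largest messages. Converting the other operand keeps the full range: `if (context->large_msg_size >= 0 && send_data->length > (size_t)context->large_msg_size)`. The declaration of large_msg_size is outside this hunk, so its signedness is inferred from the cast the commit chose.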
diff --git a/source4/heimdal/lib/krb5/store-int.c b/source4/heimdal/lib/krb5/store-int.c
index 0a18d0dddf..d577629718 100644
--- a/source4/heimdal/lib/krb5/store-int.c
+++ b/source4/heimdal/lib/krb5/store-int.c
@@ -50,7 +50,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size)
{
unsigned char *p = buffer;
unsigned long v = 0;
- int i;
+ size_t i;
for (i = 0; i < size; i++)
v = (v << 8) + p[i];
*value = v;
diff --git a/source4/heimdal/lib/krb5/store-int.h b/source4/heimdal/lib/krb5/store-int.h
index 0b7accb860..877ccc008d 100644
--- a/source4/heimdal/lib/krb5/store-int.h
+++ b/source4/heimdal/lib/krb5/store-int.h
@@ -43,6 +43,7 @@ struct krb5_storage_data {
void (*free)(struct krb5_storage_data*);
krb5_flags flags;
int eof_code;
+ size_t max_alloc;
};
#endif /* __store_int_h__ */
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index 0dedba3d72..3aeb8d6281 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -120,6 +120,41 @@ krb5_storage_get_byteorder(krb5_storage *sp)
}
/**
+ * Set the max alloc value
+ *
+ * @param sp the storage buffer set the max allow for
+ * @param size maximum size to allocate, use 0 to remove limit
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_storage_set_max_alloc(krb5_storage *sp, size_t size)
+{
+ sp->max_alloc = size;
+}
+
+/* don't allocate unresonable amount of memory */
+static krb5_error_code
+size_too_large(krb5_storage *sp, size_t size)
+{
+ if (sp->max_alloc && sp->max_alloc < size)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
+static krb5_error_code
+size_too_large_num(krb5_storage *sp, size_t count, size_t size)
+{
+ if (sp->max_alloc == 0 || size == 0)
+ return 0;
+ size = sp->max_alloc / size;
+ if (size < count)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
+/**
* Seek to a new offset.
*
* @param sp the storage buffer to seek in.
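Review bot: Neither `size_too_large` nor `size_too_large_num` states its contract, the single comment above them misspells "unreasonable", and the doc block for krb5_storage_set_max_alloc reads "set the max allow for". I would put above size_too_large_num `/* Reject count * size > max_alloc by dividing rather than multiplying, so the check itself cannot overflow; max_alloc == 0 means no limit. */`, and say in the public doc comment that a size of 0 switches the check off for every decoder that reads a length from the storage. In size_too_large_num the parameter `size` is overwritten with the quotient; a separate local such as `size_t max_count = sp->max_alloc / size;` reads more clearly.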
@@ -262,10 +297,11 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
pos = sp->seek(sp, 0, SEEK_CUR);
if (pos < 0)
return HEIM_ERR_NOT_SEEKABLE;
- size = (size_t)sp->seek(sp, 0, SEEK_END);
- if (size > (size_t)-1)
- return HEIM_ERR_TOO_BIG;
- ret = krb5_data_alloc (data, size);
+ size = sp->seek(sp, 0, SEEK_END);
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
+ ret = krb5_data_alloc(data, size);
if (ret) {
sp->seek(sp, pos, SEEK_SET);
return ret;
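Review bot: The result of `sp->seek(sp, 0, SEEK_END)` goes straight into `size_too_large()` and `krb5_data_alloc()` without the `< 0` test that the SEEK_CUR call just above gets. A failed seek would be converted to a very large size_t. With a non-zero limit it comes back as HEIM_ERR_TOO_BIG, but once a caller has used `krb5_storage_set_max_alloc(sp, 0)` it reaches the allocator. Adding `if (size < 0) return HEIM_ERR_NOT_SEEKABLE;` before the limit check keeps the two seeks consistent. The declaration of `size` is outside the hunk, so this assumes it is a signed off_t like `pos`.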
@@ -290,8 +326,10 @@ krb5_store_int(krb5_storage *sp,
return EINVAL;
_krb5_put_int(v, value, len);
ret = sp->store(sp, v, len);
- if (ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
@@ -346,8 +384,10 @@ krb5_ret_int(krb5_storage *sp,
unsigned char v[4];
unsigned long w;
ret = sp->fetch(sp, v, len);
- if(ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
_krb5_get_int(v, &w, len);
*value = w;
return 0;
@@ -612,11 +652,10 @@ krb5_store_data(krb5_storage *sp,
if(ret < 0)
return ret;
ret = sp->store(sp, data.data, data.length);
- if(ret != data.length){
- if(ret < 0)
- return errno;
+ if(ret < 0)
+ return errno;
+ if((size_t)ret != data.length)
return sp->eof_code;
- }
return 0;
}
@@ -641,6 +680,9 @@ krb5_ret_data(krb5_storage *sp,
ret = krb5_ret_int32(sp, &size);
if(ret)
return ret;
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
ret = krb5_data_alloc (data, size);
if (ret)
return ret;
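Review bot: `size` is filled in by `krb5_ret_int32()`, so it is a signed value read from the stream, and a negative length is rejected here only as a side effect of its conversion to size_t inside `size_too_large()`. Once a caller removes the limit with `krb5_storage_set_max_alloc(sp, 0)`, the helper returns 0 and the negative value goes on to `krb5_data_alloc()`. An explicit `if (size < 0) return EINVAL;` before the limit check would make the rejection independent of max_alloc (the error code is a suggestion; the declaration of `size` is outside the hunk). The same applies to `tmp` in the krb5_ret_addrs and krb5_ret_authdata hunks, which hand an int32_t count to `size_too_large_num()`.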
@@ -722,12 +764,10 @@ krb5_store_stringz(krb5_storage *sp, const char *s)
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
@@ -755,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp,
char *tmp;
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
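Review bot: `ret` is reused for the result of `size_too_large()` before `break`, so whether `s` is freed and the error returned depends on how the code after the loop interprets `ret`; that code and the loop condition are outside this hunk. Handling the failure where it occurs, as the ENOMEM path just below does, removes that dependency: `if (size_too_large(sp, len)) { free(s); return HEIM_ERR_TOO_BIG; }`. The krb5_ret_stringnl hunk has the same pattern.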
@@ -782,12 +825,10 @@ krb5_store_stringnl(krb5_storage *sp, const char *s)
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
ret = sp->store(sp, "\n", 1);
if(ret != 1) {
if(ret < 0)
@@ -823,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp,
}
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
@@ -860,7 +904,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_principal(krb5_storage *sp,
krb5_const_principal p)
{
- int i;
+ size_t i;
int ret;
if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
@@ -923,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp,
free(p);
return EINVAL;
}
+ ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0]));
+ if (ret) {
+ free(p);
+ return ret;
+ }
p->name.name_type = type;
p->name.name_string.len = ncomp;
ret = krb5_ret_string(sp, &p->realm);
@@ -930,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp,
free(p);
return ret;
}
- p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+ p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0]));
if(p->name.name_string.val == NULL && ncomp != 0){
free(p->realm);
free(p);
@@ -1122,7 +1171,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
{
- int i;
+ size_t i;
int ret;
ret = krb5_store_int32(sp, p.len);
if(ret) return ret;
@@ -1147,12 +1196,14 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
{
- int i;
+ size_t i;
int ret;
int32_t tmp;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(adr->val[0]));
+ if (ret) return ret;
adr->len = tmp;
ALLOC(adr->val, adr->len);
if (adr->val == NULL && adr->len != 0)
@@ -1179,7 +1230,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
{
krb5_error_code ret;
- int i;
+ size_t i;
ret = krb5_store_int32(sp, auth.len);
if(ret) return ret;
for(i = 0; i < auth.len; i++){
@@ -1211,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
int i;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(auth->val[0]));
+ if (ret) return ret;
ALLOC_SEQ(auth, tmp);
if (auth->val == NULL && tmp != 0)
return ENOMEM;
@@ -1345,7 +1398,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
ret = krb5_ret_data (sp, &creds->second_ticket);
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
@@ -1530,7 +1583,7 @@ krb5_ret_creds_tag(krb5_storage *sp,
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
diff --git a/source4/heimdal/lib/krb5/store_emem.c b/source4/heimdal/lib/krb5/store_emem.c
index ccda751afb..7f91b08486 100644
--- a/source4/heimdal/lib/krb5/store_emem.c
+++ b/source4/heimdal/lib/krb5/store_emem.c
@@ -45,7 +45,7 @@ static ssize_t
emem_fetch(krb5_storage *sp, void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(s->base + s->len - s->ptr < size)
+ if((size_t)(s->base + s->len - s->ptr) < size)
size = s->base + s->len - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
@@ -56,7 +56,7 @@ static ssize_t
emem_store(krb5_storage *sp, const void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr){
+ if(size > (size_t)(s->base + s->size - s->ptr)){
void *base;
size_t sz, off;
off = s->ptr - s->base;
@@ -81,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence)
emem_storage *s = (emem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
s->ptr = s->base + offset;
- if(offset > s->len)
+ if((size_t)offset > s->len)
s->len = offset;
break;
case SEEK_CUR:
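Review bot: In the SEEK_SET branch of emem_seek the clamp `if((size_t)offset > s->size)` runs before `if(offset < 0)`. A negative offset is therefore converted to a large unsigned value and clamped to `s->size`, so the `offset < 0` branch is effectively dead. The added cast silences the sign-compare warning but keeps that order; testing the sign first gives the clamp to zero that the second check suggests was intended: `if(offset < 0) offset = 0; else if((size_t)offset > s->size) offset = s->size;`. mem_seek in the store_mem.c hunk has the same two lines, and emem_trunc passes a negative `offset` on to `realloc()` after the same cast.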
@@ -115,14 +115,14 @@ emem_trunc(krb5_storage *sp, off_t offset)
s->size = 0;
s->base = NULL;
s->ptr = NULL;
- } else if (offset > s->size || (s->size / 2) > offset) {
+ } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
void *base;
size_t off;
off = s->ptr - s->base;
base = realloc(s->base, offset);
if(base == NULL)
return ENOMEM;
- if (offset > s->size)
+ if ((size_t)offset > s->size)
memset((char *)base + s->size, 0, offset - s->size);
s->size = offset;
s->base = base;
@@ -190,5 +190,6 @@ krb5_storage_emem(void)
sp->seek = emem_seek;
sp->trunc = emem_trunc;
sp->free = emem_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
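Review bot: The default `UINT_MAX/8` is written as a bare expression here and again in krb5_storage_from_fd, krb5_storage_from_mem and krb5_storage_from_readonly_mem, with no comment on why that value was chosen. A single named constant next to the new field in store-int.h, for example `#define KRB5_STORAGE_DEFAULT_MAX_ALLOC (UINT_MAX/8)` with a one-line comment, would keep the four constructors in step. With a 32-bit unsigned this is roughly 512 MiB, so code decoding data from a peer may still want a tighter value through krb5_storage_set_max_alloc(). None of these hunks adds `#include <limits.h>`; UINT_MAX is presumably already available through krb5_locl.h.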
diff --git a/source4/heimdal/lib/krb5/store_fd.c b/source4/heimdal/lib/krb5/store_fd.c
index bd357dbe3b..2b72dea3a3 100644
--- a/source4/heimdal/lib/krb5/store_fd.c
+++ b/source4/heimdal/lib/krb5/store_fd.c
@@ -73,7 +73,7 @@ fd_free(krb5_storage * sp)
}
/**
- *
+ *
*
* @return A krb5_storage on success, or NULL on out of memory error.
*
@@ -128,5 +128,6 @@ krb5_storage_from_fd(krb5_socket_t fd_in)
sp->seek = fd_seek;
sp->trunc = fd_trunc;
sp->free = fd_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c
index b79bc19155..e674a95dba 100644
--- a/source4/heimdal/lib/krb5/store_mem.c
+++ b/source4/heimdal/lib/krb5/store_mem.c
@@ -44,7 +44,7 @@ static ssize_t
mem_fetch(krb5_storage *sp, void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
@@ -55,7 +55,7 @@ static ssize_t
mem_store(krb5_storage *sp, const void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(s->ptr, data, size);
sp->seek(sp, size, SEEK_CUR);
@@ -74,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence)
mem_storage *s = (mem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
@@ -95,7 +95,7 @@ static int
mem_trunc(krb5_storage *sp, off_t offset)
{
mem_storage *s = (mem_storage*)sp->data;
- if(offset > s->size)
+ if((size_t)offset > s->size)
return ERANGE;
s->size = offset;
if ((s->ptr - s->base) > offset)
@@ -145,6 +145,7 @@ krb5_storage_from_mem(void *buf, size_t len)
sp->seek = mem_seek;
sp->trunc = mem_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
@@ -203,5 +204,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len)
sp->seek = mem_seek;
sp->trunc = mem_no_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index d816242f09..09bff30fe9 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -195,7 +195,7 @@ find_type_in_ad(krb5_context context,
int level)
{
krb5_error_code ret = 0;
- int i;
+ size_t i;
if (level > 9) {
ret = ENOENT; /* XXX */
@@ -639,7 +639,7 @@ decrypt_tkt (krb5_context context,
&size);
krb5_data_free (&data);
if (ret) {
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encpart in ticket", ""));
return ret;
}
@@ -661,7 +661,7 @@ _krb5_extract_ticket(krb5_context context,
{
krb5_error_code ret;
krb5_principal tmp_principal;
- size_t len;
+ size_t len = 0;
time_t tmp_time;
krb5_timestamp sec_now;
@@ -757,7 +757,7 @@ _krb5_extract_ticket(krb5_context context,
/* compare nonces */
- if (nonce != rep->enc_part.nonce) {
+ if (nonce != (unsigned)rep->enc_part.nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
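Review bot: The nonce-mismatch branch sets KRB5KRB_AP_ERR_MODIFIED but keeps the message `N_("malloc: out of memory", "")`, so a reply whose nonce does not match the request is reported as an allocation failure. The text looks copied from another error path, and it hides a possibly replayed or altered reply from whoever reads the log; something like `N_("KDC reply nonce does not match request", "")` would say what happened. The `(unsigned)` cast added to the comparison assumes `nonce` is an unsigned int; its declaration is outside the hunk.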
@@ -837,7 +837,7 @@ _krb5_extract_ticket(krb5_context context,
creds->addresses.val = NULL;
}
creds->flags.b = rep->enc_part.flags;
-
+
creds->authdata.len = 0;
creds->authdata.val = NULL;
diff --git a/source4/heimdal/lib/krb5/transited.c b/source4/heimdal/lib/krb5/transited.c
index a72adc0351..5e21987bca 100644
--- a/source4/heimdal/lib/krb5/transited.c
+++ b/source4/heimdal/lib/krb5/transited.c
@@ -55,7 +55,7 @@ free_realms(struct tr_realm *r)
r = r->next;
free(p->realm);
free(p);
- }
+ }
}
static int
@@ -71,7 +71,7 @@ make_path(krb5_context context, struct tr_realm *r,
from = to;
to = str;
}
-
+
if(strcmp(from + strlen(from) - strlen(to), to) == 0){
p = from;
while(1){
@@ -84,20 +84,15 @@ make_path(krb5_context context, struct tr_realm *r,
if(strcmp(p, to) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
tmp->next = r->next;
r->next = tmp;
tmp->realm = strdup(p);
if(tmp->realm == NULL){
r->next = tmp->next;
free(tmp);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;;
+ return krb5_enomem(context);
}
}
}else if(strncmp(from, to, strlen(to)) == 0){
@@ -110,20 +105,15 @@ make_path(krb5_context context, struct tr_realm *r,
if(strncmp(to, from, p - from) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
tmp->next = r->next;
r->next = tmp;
tmp->realm = malloc(p - from + 1);
if(tmp->realm == NULL){
r->next = tmp->next;
free(tmp);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(tmp->realm, from, p - from);
tmp->realm[p - from] = '\0';
@@ -187,9 +177,7 @@ expand_realms(krb5_context context,
tmp = realloc(r->realm, len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
r->realm = tmp;
strlcat(r->realm, prev_realm, len);
@@ -202,9 +190,7 @@ expand_realms(krb5_context context,
tmp = malloc(len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
strlcpy(tmp, prev_realm, len);
strlcat(tmp, r->realm, len);
@@ -288,19 +274,14 @@ decode_realms(krb5_context context,
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
start = tr + i + 1;
@@ -309,18 +290,14 @@ decode_realms(krb5_context context,
tmp = malloc(tr + i - start + 1);
if(tmp == NULL){
free(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
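Review bot: The `tmp == NULL` path at the top of this hunk calls `free(*realms)` while the other failure paths in decode_realms use `free_realms(*realms)`. Going by free_realms earlier in this file, which walks `next` and frees each `realm` string, plain free() releases only the head node; the line should read `free_realms(*realms);`. In the previous hunk the shortened `if(tmp == NULL) return krb5_enomem(context);` returns without releasing `*realms` at all. That may leak the realms collected so far unless the caller cleans up, which is not visible in the diff context.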
@@ -370,14 +347,14 @@ krb5_domain_x500_decode(krb5_context context,
(*num_realms)++;
}
}
- if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+ if (*num_realms + 1 > UINT_MAX/sizeof(**realms))
return ERANGE;
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
if (R == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
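Review bot: Both early returns in this hunk, `return ERANGE;` and the new `return krb5_enomem(context);`, leave krb5_domain_x500_decode while the list `r` is still allocated; the `while(r)` loop below them is what would otherwise consume it. Unless code outside the hunk owns that list, each path needs to release it first, e.g. `if (R == NULL) { free_realms(r); return krb5_enomem(context); }`. The function starts and ends outside the hunk, so the ownership of `r` is inferred from the loop that copies `r->realm` into `R`.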
@@ -410,7 +387,7 @@ krb5_domain_x500_encode(char **realms, unsigned int num_realms,
return ENOMEM;
*s = '\0';
for(i = 0; i < num_realms; i++){
- if(i && i < num_realms - 1)
+ if(i)
strlcat(s, ",", len + 1);
if(realms[i][0] == '/')
strlcat(s, " ", len + 1);
@@ -431,7 +408,7 @@ krb5_check_transited(krb5_context context,
{
char **tr_realms;
char **p;
- int i;
+ size_t i;
if(num_realms == 0)
return 0;
@@ -467,7 +444,7 @@ krb5_check_transited_realms(krb5_context context,
unsigned int num_realms,
int *bad_realm)
{
- int i;
+ size_t i;
int ret = 0;
char **bad_realms = krb5_config_get_strings(context, NULL,
"libdefaults",
diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map
index c32a094f6d..fad84ebb5b 100644
--- a/source4/heimdal/lib/krb5/version-script.map
+++ b/source4/heimdal/lib/krb5/version-script.map
@@ -167,6 +167,7 @@ HEIMDAL_KRB5_2.0 {
krb5_copy_checksum;
krb5_copy_creds;
krb5_copy_creds_contents;
+ krb5_copy_context;
krb5_copy_data;
krb5_copy_host_realm;
krb5_copy_keyblock;
@@ -383,10 +384,11 @@ HEIMDAL_KRB5_2.0 {
krb5_hmac;
krb5_init_context;
krb5_init_ets;
- krb5_init_etype;
krb5_initlog;
krb5_is_config_principal;
krb5_is_thread_safe;
+ krb5_kcm_call;
+ krb5_kcm_storage_request;
krb5_kerberos_enctypes;
krb5_keyblock_get_enctype;
krb5_keyblock_init;
@@ -418,6 +420,7 @@ HEIMDAL_KRB5_2.0 {
krb5_kt_get_full_name;
krb5_kt_get_name;
krb5_kt_get_type;
+ krb5_kt_have_content;
krb5_kt_next_entry;
krb5_kt_read_service_key;
krb5_kt_register;
@@ -602,6 +605,7 @@ HEIMDAL_KRB5_2.0 {
krb5_storage_set_byteorder;
krb5_storage_set_eof_code;
krb5_storage_set_flags;
+ krb5_storage_set_max_alloc;
krb5_storage_to_data;
krb5_storage_truncate;
krb5_storage_write;
diff --git a/source4/heimdal/lib/krb5/warn.c b/source4/heimdal/lib/krb5/warn.c
index f7581d1f90..cb3be76fcc 100644
--- a/source4/heimdal/lib/krb5/warn.c
+++ b/source4/heimdal/lib/krb5/warn.c
@@ -37,7 +37,7 @@
static krb5_error_code _warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
__attribute__((__format__(__printf__, 5, 0)));
-
+
static krb5_error_code
_warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
@@ -69,7 +69,7 @@ _warnerr(krb5_context context, int do_errtext,
*arg= "<unknown error>";
}
}
-
+
if(context && context->warn_dest)
krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
else