summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/krb5
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/acache.c2
-rw-r--r--source4/heimdal/lib/krb5/add_et_list.c2
-rw-r--r--source4/heimdal/lib/krb5/addr_families.c2
-rw-r--r--source4/heimdal/lib/krb5/appdefault.c2
-rw-r--r--source4/heimdal/lib/krb5/asn1_glue.c2
-rw-r--r--source4/heimdal/lib/krb5/auth_context.c2
-rw-r--r--source4/heimdal/lib/krb5/build_ap_req.c2
-rw-r--r--source4/heimdal/lib/krb5/build_auth.c2
-rw-r--r--source4/heimdal/lib/krb5/cache.c2
-rw-r--r--source4/heimdal/lib/krb5/changepw.c4
-rw-r--r--source4/heimdal/lib/krb5/codec.c2
-rw-r--r--source4/heimdal/lib/krb5/config_file.c2
-rw-r--r--source4/heimdal/lib/krb5/config_file_netinfo.c2
-rw-r--r--source4/heimdal/lib/krb5/constants.c2
-rw-r--r--source4/heimdal/lib/krb5/context.c15
-rw-r--r--source4/heimdal/lib/krb5/convert_creds.c2
-rw-r--r--source4/heimdal/lib/krb5/copy_host_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/crc.c2
-rw-r--r--source4/heimdal/lib/krb5/creds.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto.c1603
-rw-r--r--source4/heimdal/lib/krb5/data.c2
-rw-r--r--source4/heimdal/lib/krb5/eai_to_heim_errno.c2
-rw-r--r--source4/heimdal/lib/krb5/error_string.c24
-rw-r--r--source4/heimdal/lib/krb5/expand_hostname.c2
-rw-r--r--source4/heimdal/lib/krb5/fcache.c12
-rw-r--r--source4/heimdal/lib/krb5/free.c2
-rw-r--r--source4/heimdal/lib/krb5/free_host_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/generate_seq_number.c2
-rw-r--r--source4/heimdal/lib/krb5/generate_subkey.c2
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c2
-rw-r--r--source4/heimdal/lib/krb5/get_default_principal.c2
-rw-r--r--source4/heimdal/lib/krb5/get_default_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c2
-rw-r--r--source4/heimdal/lib/krb5/get_host_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c5
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt_with_keytab.c2
-rw-r--r--source4/heimdal/lib/krb5/get_port.c2
-rw-r--r--source4/heimdal/lib/krb5/heim_err.et2
-rw-r--r--[-rwxr-xr-x]source4/heimdal/lib/krb5/heim_threads.h2
-rw-r--r--source4/heimdal/lib/krb5/init_creds.c2
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c2
-rw-r--r--source4/heimdal/lib/krb5/k524_err.et2
-rw-r--r--source4/heimdal/lib/krb5/kcm.c4
-rw-r--r--source4/heimdal/lib/krb5/keyblock.c2
-rw-r--r--source4/heimdal/lib/krb5/keytab.c3
-rw-r--r--source4/heimdal/lib/krb5/keytab_any.c2
-rw-r--r--source4/heimdal/lib/krb5/keytab_file.c10
-rw-r--r--source4/heimdal/lib/krb5/keytab_keyfile.c8
-rw-r--r--source4/heimdal/lib/krb5/keytab_memory.c2
-rw-r--r--source4/heimdal/lib/krb5/krb5-v4compat.h2
-rw-r--r--source4/heimdal/lib/krb5/krb5.h24
-rw-r--r--source4/heimdal/lib/krb5/krb5_ccapi.h2
-rw-r--r--source4/heimdal/lib/krb5/krb5_err.et4
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h12
-rw-r--r--source4/heimdal/lib/krb5/krbhst.c2
-rw-r--r--source4/heimdal/lib/krb5/locate_plugin.h2
-rw-r--r--source4/heimdal/lib/krb5/log.c6
-rw-r--r--source4/heimdal/lib/krb5/mcache.c2
-rw-r--r--source4/heimdal/lib/krb5/misc.c2
-rw-r--r--[-rwxr-xr-x]source4/heimdal/lib/krb5/mit_glue.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_error.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_priv.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_rep.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_req.c2
-rw-r--r--source4/heimdal/lib/krb5/mk_req_ext.c2
-rw-r--r--source4/heimdal/lib/krb5/n-fold.c2
-rw-r--r--source4/heimdal/lib/krb5/pac.c4
-rw-r--r--source4/heimdal/lib/krb5/padata.c2
-rw-r--r--[-rwxr-xr-x]source4/heimdal/lib/krb5/pkinit.c4
-rw-r--r--source4/heimdal/lib/krb5/plugin.c2
-rw-r--r--source4/heimdal/lib/krb5/principal.c11
-rw-r--r--source4/heimdal/lib/krb5/prompter_posix.c2
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c2
-rw-r--r--source4/heimdal/lib/krb5/rd_error.c2
-rw-r--r--source4/heimdal/lib/krb5/rd_priv.c21
-rw-r--r--source4/heimdal/lib/krb5/rd_rep.c2
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c2
-rw-r--r--source4/heimdal/lib/krb5/replay.c2
-rw-r--r--source4/heimdal/lib/krb5/send_to_kdc.c6
-rw-r--r--source4/heimdal/lib/krb5/set_default_realm.c2
-rw-r--r--source4/heimdal/lib/krb5/store.c2
-rw-r--r--source4/heimdal/lib/krb5/store_emem.c2
-rw-r--r--source4/heimdal/lib/krb5/store_fd.c2
-rw-r--r--source4/heimdal/lib/krb5/store_mem.c2
-rw-r--r--source4/heimdal/lib/krb5/ticket.c2
-rw-r--r--source4/heimdal/lib/krb5/time.c2
-rw-r--r--source4/heimdal/lib/krb5/transited.c2
-rw-r--r--source4/heimdal/lib/krb5/v4_glue.c6
-rw-r--r--source4/heimdal/lib/krb5/version.c2
-rw-r--r--source4/heimdal/lib/krb5/warn.c2
90 files changed, 1096 insertions, 830 deletions
diff --git a/source4/heimdal/lib/krb5/acache.c b/source4/heimdal/lib/krb5/acache.c
index 8dd8687005..fb38abedfd 100644
--- a/source4/heimdal/lib/krb5/acache.c
+++ b/source4/heimdal/lib/krb5/acache.c
@@ -37,7 +37,7 @@
#include <dlfcn.h>
#endif
-RCSID("$Id: acache.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/* XXX should we fetch these for each open ? */
static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
diff --git a/source4/heimdal/lib/krb5/add_et_list.c b/source4/heimdal/lib/krb5/add_et_list.c
index 5455d8ac99..e61f775eef 100644
--- a/source4/heimdal/lib/krb5/add_et_list.c
+++ b/source4/heimdal/lib/krb5/add_et_list.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: add_et_list.c 22603 2008-02-21 18:44:57Z lha $");
+RCSID("$Id$");
/**
* Add a specified list of error messages to the et list in context.
diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c
index 40abd874cc..dcb9a97154 100644
--- a/source4/heimdal/lib/krb5/addr_families.c
+++ b/source4/heimdal/lib/krb5/addr_families.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: addr_families.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
struct addr_operations {
int af;
diff --git a/source4/heimdal/lib/krb5/appdefault.c b/source4/heimdal/lib/krb5/appdefault.c
index b0bb171f4a..a5b6e67e30 100644
--- a/source4/heimdal/lib/krb5/appdefault.c
+++ b/source4/heimdal/lib/krb5/appdefault.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: appdefault.c 14465 2005-01-05 05:40:59Z lukeh $");
+RCSID("$Id$");
void KRB5_LIB_FUNCTION
krb5_appdefault_boolean(krb5_context context, const char *appname,
diff --git a/source4/heimdal/lib/krb5/asn1_glue.c b/source4/heimdal/lib/krb5/asn1_glue.c
index b3f775b4be..84c9cd8b68 100644
--- a/source4/heimdal/lib/krb5/asn1_glue.c
+++ b/source4/heimdal/lib/krb5/asn1_glue.c
@@ -37,7 +37,7 @@
#include "krb5_locl.h"
-RCSID("$Id: asn1_glue.c 21745 2007-07-31 16:11:25Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
_krb5_principal2principalname (PrincipalName *p,
diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c
index e4fb50e5b8..cbb186d6c3 100644
--- a/source4/heimdal/lib/krb5/auth_context.c
+++ b/source4/heimdal/lib/krb5/auth_context.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: auth_context.c 23273 2008-06-23 03:25:00Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_auth_con_init(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/build_ap_req.c b/source4/heimdal/lib/krb5/build_ap_req.c
index b1968fe817..92051ba68a 100644
--- a/source4/heimdal/lib/krb5/build_ap_req.c
+++ b/source4/heimdal/lib/krb5/build_ap_req.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: build_ap_req.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_build_ap_req (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/build_auth.c b/source4/heimdal/lib/krb5/build_auth.c
index fe3a5f523c..eb106dc23f 100644
--- a/source4/heimdal/lib/krb5/build_auth.c
+++ b/source4/heimdal/lib/krb5/build_auth.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: build_auth.c 23273 2008-06-23 03:25:00Z lha $");
+RCSID("$Id$");
static krb5_error_code
make_etypelist(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 34bfb4a350..02db405f7e 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: cache.c 23417 2008-07-26 18:36:33Z lha $");
+RCSID("$Id$");
/**
* Add a new ccache type with operations `ops', overwriting any
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index ac1a2d312e..d57ed9e3b8 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: changepw.c 23445 2008-07-27 12:08:03Z lha $");
+RCSID("$Id$");
#undef __attribute__
#define __attribute__(X)
@@ -577,7 +577,7 @@ change_password_loop (krb5_context context,
for (a = ai; !done && a != NULL; a = a->ai_next) {
int replied = 0;
- sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+ sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
if (sock < 0)
continue;
rk_cloexec(sock);
diff --git a/source4/heimdal/lib/krb5/codec.c b/source4/heimdal/lib/krb5/codec.c
index 0d36b4b442..478f77ecef 100644
--- a/source4/heimdal/lib/krb5/codec.c
+++ b/source4/heimdal/lib/krb5/codec.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: codec.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_decode_EncTicketPart (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c
index bf3c432397..f7f7957b04 100644
--- a/source4/heimdal/lib/krb5/config_file.c
+++ b/source4/heimdal/lib/krb5/config_file.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: config_file.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
#ifndef HAVE_NETINFO
diff --git a/source4/heimdal/lib/krb5/config_file_netinfo.c b/source4/heimdal/lib/krb5/config_file_netinfo.c
index 1e01e7c5ff..d51739ae37 100644
--- a/source4/heimdal/lib/krb5/config_file_netinfo.c
+++ b/source4/heimdal/lib/krb5/config_file_netinfo.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: config_file_netinfo.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
/*
* Netinfo implementation from Luke Howard <lukeh@xedoc.com.au>
diff --git a/source4/heimdal/lib/krb5/constants.c b/source4/heimdal/lib/krb5/constants.c
index 8fffb0f402..dc96bcb632 100644
--- a/source4/heimdal/lib/krb5/constants.c
+++ b/source4/heimdal/lib/krb5/constants.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: constants.c 23026 2008-04-17 10:02:03Z lha $");
+RCSID("$Id$");
KRB5_LIB_VARIABLE const char *krb5_config_file =
#ifdef __APPLE__
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 9f17b8c205..358ab20349 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <com_err.h>
-RCSID("$Id: context.c 23420 2008-07-26 18:37:48Z lha $");
+RCSID("$Id$");
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
@@ -192,6 +192,19 @@ init_context_from_config_file(krb5_context context)
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
+
+ ret = krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "allow_weak_crypto", NULL);
+ if (ret) {
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
+ }
+
return 0;
}
diff --git a/source4/heimdal/lib/krb5/convert_creds.c b/source4/heimdal/lib/krb5/convert_creds.c
index 07943efb28..d74f121207 100644
--- a/source4/heimdal/lib/krb5/convert_creds.c
+++ b/source4/heimdal/lib/krb5/convert_creds.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: convert_creds.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
#include "krb5-v4compat.h"
diff --git a/source4/heimdal/lib/krb5/copy_host_realm.c b/source4/heimdal/lib/krb5/copy_host_realm.c
index cbe333850c..db06e56fb6 100644
--- a/source4/heimdal/lib/krb5/copy_host_realm.c
+++ b/source4/heimdal/lib/krb5/copy_host_realm.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: copy_host_realm.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
/**
* Copy the list of realms from `from' to `to'.
diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c
index e8ddecf7ba..cdb40b8110 100644
--- a/source4/heimdal/lib/krb5/crc.c
+++ b/source4/heimdal/lib/krb5/crc.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: crc.c 22862 2008-04-07 18:49:55Z lha $");
+RCSID("$Id$");
static u_long table[256];
diff --git a/source4/heimdal/lib/krb5/creds.c b/source4/heimdal/lib/krb5/creds.c
index 938ec294a4..d194041766 100644
--- a/source4/heimdal/lib/krb5/creds.c
+++ b/source4/heimdal/lib/krb5/creds.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: creds.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
#undef __attribute__
#define __attribute__(X)
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index e91cb9391a..6675647736 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,15 +32,25 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c 23454 2008-07-27 12:11:44Z lha $");
+RCSID("$Id$");
#include <pkinit_asn1.h>
-#undef CRYPTO_DEBUG
-#ifdef CRYPTO_DEBUG
-static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*);
+#undef __attribute__
+#define __attribute__(X)
+
+#ifndef HEIMDAL_SMALLER
+#define WEAK_ENCTYPES 1
+#define DES3_OLD_ENCTYPE 1
#endif
+#ifdef HAVE_OPENSSL /* XXX forward decl for hcrypto glue */
+const EVP_CIPHER * _krb5_EVP_hcrypto_aes_128_cts(void);
+const EVP_CIPHER * _krb5_EVP_hcrypto_aes_256_cts(void);
+#define EVP_hcrypto_aes_128_cts _krb5_EVP_hcrypto_aes_128_cts
+#define EVP_hcrypto_aes_256_cts _krb5_EVP_hcrypto_aes_256_cts
+#endif
+
struct key_data {
krb5_keyblock *key;
krb5_data *schedule;
@@ -82,13 +92,12 @@ struct key_type {
size_t bits;
size_t size;
size_t schedule_size;
-#if 0
- krb5_enctype best_etype;
-#endif
void (*random_key)(krb5_context, krb5_keyblock*);
- void (*schedule)(krb5_context, struct key_data *);
+ void (*schedule)(krb5_context, struct key_type *, struct key_data *);
struct salt_type *string_to_key;
void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
+ void (*cleanup)(krb5_context, struct key_data *);
+ const EVP_CIPHER *(*evp)(void);
};
struct checksum_type {
@@ -97,11 +106,11 @@ struct checksum_type {
size_t blocksize;
size_t checksumsize;
unsigned flags;
- void (*checksum)(krb5_context context,
- struct key_data *key,
- const void *buf, size_t len,
- unsigned usage,
- Checksum *csum);
+ krb5_enctype (*checksum)(krb5_context context,
+ struct key_data *key,
+ const void *buf, size_t len,
+ unsigned usage,
+ Checksum *csum);
krb5_error_code (*verify)(krb5_context context,
struct key_data *key,
const void *buf, size_t len,
@@ -152,7 +161,9 @@ static krb5_error_code hmac(krb5_context context,
unsigned usage,
struct key_data *keyblock,
Checksum *result);
-static void free_key_data(krb5_context context, struct key_data *key);
+static void free_key_data(krb5_context,
+ struct key_data *,
+ struct encryption_type *);
static krb5_error_code usage2arcfour (krb5_context, unsigned *);
static void xor (DES_cblock *, const unsigned char *);
@@ -160,8 +171,13 @@ static void xor (DES_cblock *, const unsigned char *);
* *
************************************************************/
-static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
+struct evp_schedule {
+ EVP_CIPHER_CTX ectx;
+ EVP_CIPHER_CTX dctx;
+};
+
+static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
static void
krb5_DES_random_key(krb5_context context,
@@ -174,12 +190,16 @@ krb5_DES_random_key(krb5_context context,
} while(DES_is_weak_key(k));
}
+#ifdef WEAK_ENCTYPES
static void
-krb5_DES_schedule(krb5_context context,
- struct key_data *key)
+krb5_DES_schedule_old(krb5_context context,
+ struct key_type *kt,
+ struct key_data *key)
{
DES_set_key_unchecked(key->key->keyvalue.data, key->schedule->data);
}
+#endif /* WEAK_ENCTYPES */
+
#ifdef ENABLE_AFS_STRING_TO_KEY
@@ -384,17 +404,6 @@ DES3_random_key(krb5_context context,
DES_is_weak_key(&k[2]));
}
-static void
-DES3_schedule(krb5_context context,
- struct key_data *key)
-{
- DES_cblock *k = key->key->keyvalue.data;
- DES_key_schedule *s = key->schedule->data;
- DES_set_key_unchecked(&k[0], &s[0]);
- DES_set_key_unchecked(&k[1], &s[1]);
- DES_set_key_unchecked(&k[2], &s[2]);
-}
-
/*
* A = A xor B. A & B are 8 bytes.
*/
@@ -413,6 +422,7 @@ xor (DES_cblock *key, const unsigned char *b)
a[7] ^= b[7];
}
+#ifdef DES3_OLD_ENCTYPE
static krb5_error_code
DES3_string_to_key(krb5_context context,
krb5_enctype enctype,
@@ -476,6 +486,7 @@ DES3_string_to_key(krb5_context context,
free(str);
return 0;
}
+#endif
static krb5_error_code
DES3_string_to_key_derived(krb5_context context,
@@ -546,6 +557,7 @@ DES3_random_to_key(krb5_context context,
static void
ARCFOUR_schedule(krb5_context context,
+ struct key_type *kt,
struct key_data *kd)
{
RC4_set_key (kd->schedule->data,
@@ -561,20 +573,30 @@ ARCFOUR_string_to_key(krb5_context context,
krb5_keyblock *key)
{
krb5_error_code ret;
- uint16_t *s;
+ uint16_t *s = NULL;
size_t len, i;
- MD4_CTX m;
+ EVP_MD_CTX *m;
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "Malloc: out of memory");
+ goto out;
+ }
+
+ EVP_DigestInit_ex(m, EVP_md4(), NULL);
ret = wind_utf8ucs2_length(password.data, &len);
if (ret) {
krb5_set_error_message (context, ret, "Password not an UCS2 string");
- return ret;
+ goto out;
}
s = malloc (len * sizeof(s[0]));
if (len != 0 && s == NULL) {
krb5_set_error_message (context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ goto out;
}
ret = wind_utf8ucs2(password.data, s, &len);
@@ -584,13 +606,12 @@ ARCFOUR_string_to_key(krb5_context context,
}
/* LE encoding */
- MD4_Init (&m);
for (i = 0; i < len; i++) {
unsigned char p;
p = (s[i] & 0xff);
- MD4_Update (&m, &p, 1);
+ EVP_DigestUpdate (m, &p, 1);
p = (s[i] >> 8) & 0xff;
- MD4_Update (&m, &p, 1);
+ EVP_DigestUpdate (m, &p, 1);
}
key->keytype = enctype;
@@ -599,10 +620,12 @@ ARCFOUR_string_to_key(krb5_context context,
krb5_set_error_message (context, ENOMEM, "malloc: out of memory");
goto out;
}
- MD4_Final (key->keyvalue.data, &m);
- ret = 0;
+ EVP_DigestFinal_ex (m, key->keyvalue.data, NULL);
+
out:
- memset (s, 0, len);
+ EVP_MD_CTX_destroy(m);
+ if (s)
+ memset (s, 0, len);
free (s);
return ret;
}
@@ -657,7 +680,7 @@ AES_string_to_key(krb5_context context,
iter,
et->keytype->size, kd.key->keyvalue.data);
if (ret != 1) {
- free_key_data(context, &kd);
+ free_key_data(context, &kd, et);
krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
"Error calculating s2k");
return KRB5_PROG_KEYTYPE_NOSUPP;
@@ -666,26 +689,30 @@ AES_string_to_key(krb5_context context,
ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
if (ret == 0)
ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
+ free_key_data(context, &kd, et);
return ret;
}
-struct krb5_aes_schedule {
- AES_KEY ekey;
- AES_KEY dkey;
-};
-
static void
-AES_schedule(krb5_context context,
- struct key_data *kd)
+evp_schedule(krb5_context context, struct key_type *kt, struct key_data *kd)
{
- struct krb5_aes_schedule *key = kd->schedule->data;
- int bits = kd->key->keyvalue.length * 8;
+ struct evp_schedule *key = kd->schedule->data;
+ const EVP_CIPHER *c = (*kt->evp)();
+
+ EVP_CIPHER_CTX_init(&key->ectx);
+ EVP_CIPHER_CTX_init(&key->dctx);
- memset(key, 0, sizeof(*key));
- AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey);
- AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey);
+ EVP_CipherInit_ex(&key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1);
+ EVP_CipherInit_ex(&key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0);
+}
+
+static void
+evp_cleanup(krb5_context context, struct key_data *kd)
+{
+ struct evp_schedule *key = kd->schedule->data;
+ EVP_CIPHER_CTX_cleanup(&key->ectx);
+ EVP_CIPHER_CTX_cleanup(&key->dctx);
}
/*
@@ -708,6 +735,7 @@ static struct salt_type des_salt[] = {
{ 0 }
};
+#ifdef DES3_OLD_ENCTYPE
static struct salt_type des3_salt[] = {
{
KRB5_PW_SALT,
@@ -716,6 +744,7 @@ static struct salt_type des3_salt[] = {
},
{ 0 }
};
+#endif
static struct salt_type des3_salt_derived[] = {
{
@@ -759,40 +788,62 @@ static struct key_type keytype_null = {
NULL
};
-static struct key_type keytype_des = {
+#ifdef WEAK_ENCTYPES
+static struct key_type keytype_des_old = {
KEYTYPE_DES,
- "des",
+ "des-old",
56,
- sizeof(DES_cblock),
+ 8,
sizeof(DES_key_schedule),
krb5_DES_random_key,
- krb5_DES_schedule,
+ krb5_DES_schedule_old,
des_salt,
krb5_DES_random_to_key
};
+#endif /* WEAK_ENCTYPES */
+static struct key_type keytype_des = {
+ KEYTYPE_DES,
+ "des",
+ 56,
+ 8,
+ sizeof(struct evp_schedule),
+ krb5_DES_random_key,
+ evp_schedule,
+ des_salt,
+ krb5_DES_random_to_key,
+ evp_cleanup,
+ EVP_des_cbc
+};
+
+#ifdef DES3_OLD_ENCTYPE
static struct key_type keytype_des3 = {
KEYTYPE_DES3,
"des3",
168,
- 3 * sizeof(DES_cblock),
- 3 * sizeof(DES_key_schedule),
+ 24,
+ sizeof(struct evp_schedule),
DES3_random_key,
- DES3_schedule,
+ evp_schedule,
des3_salt,
- DES3_random_to_key
+ DES3_random_to_key,
+ evp_cleanup,
+ EVP_des_ede3_cbc
};
+#endif
static struct key_type keytype_des3_derived = {
KEYTYPE_DES3,
"des3",
168,
- 3 * sizeof(DES_cblock),
- 3 * sizeof(DES_key_schedule),
+ 24,
+ sizeof(struct evp_schedule),
DES3_random_key,
- DES3_schedule,
+ evp_schedule,
des3_salt_derived,
- DES3_random_to_key
+ DES3_random_to_key,
+ evp_cleanup,
+ EVP_des_ede3_cbc
};
static struct key_type keytype_aes128 = {
@@ -800,10 +851,13 @@ static struct key_type keytype_aes128 = {
"aes-128",
128,
16,
- sizeof(struct krb5_aes_schedule),
+ sizeof(struct evp_schedule),
+ NULL,
+ evp_schedule,
+ AES_salt,
NULL,
- AES_schedule,
- AES_salt
+ evp_cleanup,
+ EVP_hcrypto_aes_128_cts
};
static struct key_type keytype_aes256 = {
@@ -811,10 +865,13 @@ static struct key_type keytype_aes256 = {
"aes-256",
256,
32,
- sizeof(struct krb5_aes_schedule),
+ sizeof(struct evp_schedule),
+ NULL,
+ evp_schedule,
+ AES_salt,
NULL,
- AES_schedule,
- AES_salt
+ evp_cleanup,
+ EVP_hcrypto_aes_256_cts
};
static struct key_type keytype_arcfour = {
@@ -832,7 +889,9 @@ static struct key_type *keytypes[] = {
&keytype_null,
&keytype_des,
&keytype_des3_derived,
+#ifdef DES3_OLD_ENCTYPE
&keytype_des3,
+#endif
&keytype_aes128,
&keytype_aes256,
&keytype_arcfour
@@ -1058,51 +1117,6 @@ krb5_string_to_key_salt_opaque (krb5_context context,
}
krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_string(krb5_context context,
- krb5_keytype keytype,
- char **string)
-{
- struct key_type *kt = _find_keytype(keytype);
- if(kt == NULL) {
- krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
- "key type %d not supported", keytype);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
- *string = strdup(kt->name);
- if(*string == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- return 0;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_string_to_keytype(krb5_context context,
- const char *string,
- krb5_keytype *keytype)
-{
- char *end;
- int i;
-
- for(i = 0; i < num_keytypes; i++)
- if(strcasecmp(keytypes[i]->name, string) == 0){
- *keytype = keytypes[i]->type;
- return 0;
- }
-
- /* check if the enctype is a number */
- *keytype = strtol(string, &end, 0);
- if(*end == '\0' && *keytype != 0) {
- if (krb5_enctype_valid(context, *keytype) == 0)
- return 0;
- }
-
- krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
- "key type %s not supported", string);
- return KRB5_PROG_KEYTYPE_NOSUPP;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
krb5_enctype_keysize(krb5_context context,
krb5_enctype type,
size_t *keysize)
@@ -1182,7 +1196,7 @@ _key_schedule(krb5_context context,
key->schedule = NULL;
return ret;
}
- (*kt->schedule)(context, key);
+ (*kt->schedule)(context, kt, key);
return 0;
}
@@ -1190,7 +1204,7 @@ _key_schedule(krb5_context context,
* *
************************************************************/
-static void
+static krb5_error_code
NONE_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1198,9 +1212,10 @@ NONE_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
+ return 0;
}
-static void
+static krb5_error_code
CRC32_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1216,9 +1231,10 @@ CRC32_checksum(krb5_context context,
r[1] = (crc >> 8) & 0xff;
r[2] = (crc >> 16) & 0xff;
r[3] = (crc >> 24) & 0xff;
+ return 0;
}
-static void
+static krb5_error_code
RSA_MD4_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1226,64 +1242,74 @@ RSA_MD4_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD4_CTX m;
-
- MD4_Init (&m);
- MD4_Update (&m, data, len);
- MD4_Final (C->checksum.data, &m);
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+ krb5_abortx(context, "md4 checksum failed");
+ return 0;
}
-static void
-RSA_MD4_DES_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *cksum)
+static krb5_error_code
+des_checksum(krb5_context context,
+ const EVP_MD *evp_md,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ Checksum *cksum)
{
- MD4_CTX md4;
+ struct evp_schedule *ctx = key->schedule->data;
+ EVP_MD_CTX *m;
DES_cblock ivec;
unsigned char *p = cksum->checksum.data;
krb5_generate_random_block(p, 8);
- MD4_Init (&md4);
- MD4_Update (&md4, p, 8);
- MD4_Update (&md4, data, len);
- MD4_Final (p + 8, &md4);
+
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, "Malloc: out of memory");
+ return ENOMEM;
+ }
+
+ EVP_DigestInit_ex(m, evp_md, NULL);
+ EVP_DigestUpdate(m, p, 8);
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, p + 8, NULL);
+ EVP_MD_CTX_destroy(m);
memset (&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(p,
- p,
- 24,
- key->schedule->data,
- &ivec,
- DES_ENCRYPT);
+ EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(&ctx->ectx, p, p, 24);
+
+ return 0;
}
static krb5_error_code
-RSA_MD4_DES_verify(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
+des_verify(krb5_context context,
+ const EVP_MD *evp_md,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ Checksum *C)
{
- MD4_CTX md4;
+ struct evp_schedule *ctx = key->schedule->data;
+ EVP_MD_CTX *m;
unsigned char tmp[24];
unsigned char res[16];
DES_cblock ivec;
krb5_error_code ret = 0;
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, "Malloc: out of memory");
+ return ENOMEM;
+ }
+
memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- key->schedule->data,
- &ivec,
- DES_DECRYPT);
- MD4_Init (&md4);
- MD4_Update (&md4, tmp, 8); /* confounder */
- MD4_Update (&md4, data, len);
- MD4_Final (res, &md4);
+ EVP_CipherInit_ex(&ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(&ctx->dctx, tmp, C->checksum.data, 24);
+
+ EVP_DigestInit_ex(m, evp_md, NULL);
+ EVP_DigestUpdate(m, tmp, 8); /* confounder */
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, res, NULL);
+ EVP_MD_CTX_destroy(m);
if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
krb5_clear_error_string (context);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
@@ -1293,7 +1319,29 @@ RSA_MD4_DES_verify(krb5_context context,
return ret;
}
-static void
+static krb5_error_code
+RSA_MD4_DES_checksum(krb5_context context,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *cksum)
+{
+ return des_checksum(context, EVP_md4(), key, data, len, cksum);
+}
+
+static krb5_error_code
+RSA_MD4_DES_verify(krb5_context context,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ return des_verify(context, EVP_md5(), key, data, len, C);
+}
+
+static krb5_error_code
RSA_MD5_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1301,14 +1349,12 @@ RSA_MD5_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD5_CTX m;
-
- MD5_Init (&m);
- MD5_Update(&m, data, len);
- MD5_Final (C->checksum.data, &m);
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+ krb5_abortx(context, "md5 checksum failed");
+ return 0;
}
-static void
+static krb5_error_code
RSA_MD5_DES_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1316,22 +1362,7 @@ RSA_MD5_DES_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD5_CTX md5;
- DES_cblock ivec;
- unsigned char *p = C->checksum.data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(p,
- p,
- 24,
- key->schedule->data,
- &ivec,
- DES_ENCRYPT);
+ return des_checksum(context, EVP_md5(), key, data, len, C);
}
static krb5_error_code
@@ -1342,34 +1373,10 @@ RSA_MD5_DES_verify(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- DES_cblock ivec;
- DES_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- &sched[0],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
+ return des_verify(context, EVP_md5(), key, data, len, C);
}
-static void
+static krb5_error_code
RSA_MD5_DES3_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1377,23 +1384,7 @@ RSA_MD5_DES3_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD5_CTX md5;
- DES_cblock ivec;
- unsigned char *p = C->checksum.data;
- DES_key_schedule *sched = key->schedule->data;
-
- krb5_generate_random_block(p, 8);
- MD5_Init (&md5);
- MD5_Update (&md5, p, 8);
- MD5_Update (&md5, data, len);
- MD5_Final (p + 8, &md5);
- memset (&ivec, 0, sizeof(ivec));
- DES_ede3_cbc_encrypt(p,
- p,
- 24,
- &sched[0], &sched[1], &sched[2],
- &ivec,
- DES_ENCRYPT);
+ return des_checksum(context, EVP_md5(), key, data, len, C);
}
static krb5_error_code
@@ -1404,34 +1395,10 @@ RSA_MD5_DES3_verify(krb5_context context,
unsigned usage,
Checksum *C)
{
- MD5_CTX md5;
- unsigned char tmp[24];
- unsigned char res[16];
- DES_cblock ivec;
- DES_key_schedule *sched = key->schedule->data;
- krb5_error_code ret = 0;
-
- memset(&ivec, 0, sizeof(ivec));
- DES_ede3_cbc_encrypt(C->checksum.data,
- (void*)tmp,
- C->checksum.length,
- &sched[0], &sched[1], &sched[2],
- &ivec,
- DES_DECRYPT);
- MD5_Init (&md5);
- MD5_Update (&md5, tmp, 8); /* confounder */
- MD5_Update (&md5, data, len);
- MD5_Final (res, &md5);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
- krb5_clear_error_string (context);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- memset(tmp, 0, sizeof(tmp));
- memset(res, 0, sizeof(res));
- return ret;
+ return des_verify(context, EVP_md5(), key, data, len, C);
}
-static void
+static krb5_error_code
SHA1_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1439,11 +1406,9 @@ SHA1_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- SHA_CTX m;
-
- SHA1_Init(&m);
- SHA1_Update(&m, data, len);
- SHA1_Final(C->checksum.data, &m);
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
+ krb5_abortx(context, "sha1 checksum failed");
+ return 0;
}
/* HMAC according to RFC2104 */
@@ -1535,7 +1500,7 @@ krb5_hmac(krb5_context context,
return ret;
}
-static void
+static krb5_error_code
SP_HMAC_SHA1_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1555,13 +1520,14 @@ SP_HMAC_SHA1_checksum(krb5_context context,
if (ret)
krb5_abortx(context, "hmac failed");
memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
+ return 0;
}
/*
* checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
*/
-static void
+static krb5_error_code
HMAC_MD5_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1569,7 +1535,7 @@ HMAC_MD5_checksum(krb5_context context,
unsigned usage,
Checksum *result)
{
- MD5_CTX md5;
+ EVP_MD_CTX *m;
struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
const char signature[] = "signaturekey";
Checksum ksign_c;
@@ -1580,61 +1546,34 @@ HMAC_MD5_checksum(krb5_context context,
unsigned char ksign_c_data[16];
krb5_error_code ret;
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ krb5_set_error_message(context, ENOMEM, "Malloc: out of memory");
+ return ENOMEM;
+ }
ksign_c.checksum.length = sizeof(ksign_c_data);
ksign_c.checksum.data = ksign_c_data;
ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
+ if (ret) {
+ EVP_MD_CTX_destroy(m);
+ return ret;
+ }
ksign.key = &kb;
kb.keyvalue = ksign_c.checksum;
- MD5_Init (&md5);
+ EVP_DigestInit_ex(m, EVP_md5(), NULL);
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
t[3] = (usage >> 24) & 0xFF;
- MD5_Update (&md5, t, 4);
- MD5_Update (&md5, data, len);
- MD5_Final (tmp, &md5);
- ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
- if (ret)
- krb5_abortx(context, "hmac failed");
-}
-
-/*
- * same as previous but being used while encrypting.
- */
+ EVP_DigestUpdate(m, t, 4);
+ EVP_DigestUpdate(m, data, len);
+ EVP_DigestFinal_ex (m, tmp, NULL);
+ EVP_MD_CTX_destroy(m);
-static void
-HMAC_MD5_checksum_enc(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
-{
- struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
- Checksum ksign_c;
- struct key_data ksign;
- krb5_keyblock kb;
- unsigned char t[4];
- unsigned char ksign_c_data[16];
- krb5_error_code ret;
-
- t[0] = (usage >> 0) & 0xFF;
- t[1] = (usage >> 8) & 0xFF;
- t[2] = (usage >> 16) & 0xFF;
- t[3] = (usage >> 24) & 0xFF;
-
- ksign_c.checksum.length = sizeof(ksign_c_data);
- ksign_c.checksum.data = ksign_c_data;
- ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
- if (ret)
- krb5_abortx(context, "hmac failed");
- ksign.key = &kb;
- kb.keyvalue = ksign_c.checksum;
- ret = hmac(context, c, data, len, 0, &ksign, result);
+ ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
if (ret)
- krb5_abortx(context, "hmac failed");
+ return ret;
+ return 0;
}
static struct checksum_type checksum_none = {
@@ -1673,33 +1612,6 @@ static struct checksum_type checksum_rsa_md4_des = {
RSA_MD4_DES_checksum,
RSA_MD4_DES_verify
};
-#if 0
-static struct checksum_type checksum_des_mac = {
- CKSUMTYPE_DES_MAC,
- "des-mac",
- 0,
- 0,
- 0,
- DES_MAC_checksum
-};
-static struct checksum_type checksum_des_mac_k = {
- CKSUMTYPE_DES_MAC_K,
- "des-mac-k",
- 0,
- 0,
- 0,
- DES_MAC_K_checksum
-};
-static struct checksum_type checksum_rsa_md4_des_k = {
- CKSUMTYPE_RSA_MD4_DES_K,
- "rsa-md4-des-k",
- 0,
- 0,
- 0,
- RSA_MD4_DES_K_checksum,
- RSA_MD4_DES_K_verify
-};
-#endif
static struct checksum_type checksum_rsa_md5 = {
CKSUMTYPE_RSA_MD5,
"rsa-md5",
@@ -1718,6 +1630,7 @@ static struct checksum_type checksum_rsa_md5_des = {
RSA_MD5_DES_checksum,
RSA_MD5_DES_verify
};
+#ifdef DES3_OLD_ENCTYPE
static struct checksum_type checksum_rsa_md5_des3 = {
CKSUMTYPE_RSA_MD5_DES3,
"rsa-md5-des3",
@@ -1727,6 +1640,7 @@ static struct checksum_type checksum_rsa_md5_des3 = {
RSA_MD5_DES3_checksum,
RSA_MD5_DES3_verify
};
+#endif
static struct checksum_type checksum_sha1 = {
CKSUMTYPE_SHA1,
"sha1",
@@ -1776,35 +1690,21 @@ static struct checksum_type checksum_hmac_md5 = {
NULL
};
-static struct checksum_type checksum_hmac_md5_enc = {
- CKSUMTYPE_HMAC_MD5_ENC,
- "hmac-md5-enc",
- 64,
- 16,
- F_KEYED | F_CPROOF | F_PSEUDO,
- HMAC_MD5_checksum_enc,
- NULL
-};
-
static struct checksum_type *checksum_types[] = {
&checksum_none,
&checksum_crc32,
&checksum_rsa_md4,
&checksum_rsa_md4_des,
-#if 0
- &checksum_des_mac,
- &checksum_des_mac_k,
- &checksum_rsa_md4_des_k,
-#endif
&checksum_rsa_md5,
&checksum_rsa_md5_des,
+#ifdef DES3_OLD_ENCTYPE
&checksum_rsa_md5_des3,
+#endif
&checksum_sha1,
&checksum_hmac_sha1_des3,
&checksum_hmac_sha1_aes128,
&checksum_hmac_sha1_aes256,
- &checksum_hmac_md5,
- &checksum_hmac_md5_enc
+ &checksum_hmac_md5
};
static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
@@ -1886,8 +1786,7 @@ create_checksum (krb5_context context,
ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
if (ret)
return (ret);
- (*ct->checksum)(context, dkey, data, len, usage, result);
- return 0;
+ return (*ct->checksum)(context, dkey, data, len, usage, result);
}
static int
@@ -1968,9 +1867,11 @@ verify_checksum(krb5_context context,
ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
- if(keyed_checksum)
+ if(keyed_checksum) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
- else
+ if (ret)
+ return ret;
+ } else
dkey = NULL;
if(ct->verify)
return (*ct->verify)(context, dkey, data, len, usage, cksum);
@@ -1979,7 +1880,11 @@ verify_checksum(krb5_context context,
if (ret)
return ret;
- (*ct->checksum)(context, dkey, data, len, usage, &c);
+ ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
+ if (ret) {
+ krb5_data_free(&c.checksum);
+ return ret;
+ }
if(c.checksum.length != cksum->checksum.length ||
memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
@@ -2125,7 +2030,37 @@ NULL_encrypt(krb5_context context,
}
static krb5_error_code
-DES_CBC_encrypt_null_ivec(krb5_context context,
+evp_encrypt(krb5_context context,
+ struct key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ struct evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ if (ivec == NULL) {
+ /* alloca ? */
+ size_t len = EVP_CIPHER_CTX_iv_length(c);
+ void *loiv = malloc(len);
+ if (loiv == NULL) {
+ krb5_clear_error_string(context);
+ return ENOMEM;
+ }
+ memset(loiv, 0, len);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1);
+ free(loiv);
+ } else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+}
+
+#ifdef WEAK_ENCTYPES
+static krb5_error_code
+evp_des_encrypt_null_ivec(krb5_context context,
struct key_data *key,
void *data,
size_t len,
@@ -2133,15 +2068,18 @@ DES_CBC_encrypt_null_ivec(krb5_context context,
int usage,
void *ignore_ivec)
{
+ struct evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
DES_cblock ivec;
- DES_key_schedule *s = key->schedule->data;
memset(&ivec, 0, sizeof(ivec));
- DES_cbc_encrypt(data, data, len, s, &ivec, encryptp);
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(c, data, data, len);
return 0;
}
static krb5_error_code
-DES_CBC_encrypt_key_ivec(krb5_context context,
+evp_des_encrypt_key_ivec(krb5_context context,
struct key_data *key,
void *data,
size_t len,
@@ -2149,29 +2087,13 @@ DES_CBC_encrypt_key_ivec(krb5_context context,
int usage,
void *ignore_ivec)
{
+ struct evp_schedule *ctx = key->schedule->data;
+ EVP_CIPHER_CTX *c;
DES_cblock ivec;
- DES_key_schedule *s = key->schedule->data;
memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
- DES_cbc_encrypt(data, data, len, s, &ivec, encryptp);
- return 0;
-}
-
-static krb5_error_code
-DES3_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- DES_cblock local_ivec;
- DES_key_schedule *s = key->schedule->data;
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp);
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ EVP_Cipher(c, data, data, len);
return 0;
}
@@ -2209,114 +2131,7 @@ DES_PCBC_encrypt_key_ivec(krb5_context context,
DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp);
return 0;
}
-
-/*
- * AES draft-raeburn-krb-rijndael-krb-02
- */
-
-void KRB5_LIB_FUNCTION
-_krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec, const int encryptp)
-{
- unsigned char tmp[AES_BLOCK_SIZE];
- int i;
-
- /*
- * In the framework of kerberos, the length can never be shorter
- * then at least one blocksize.
- */
-
- if (encryptp) {
-
- while(len > AES_BLOCK_SIZE) {
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- tmp[i] = in[i] ^ ivec[i];
- AES_encrypt(tmp, out, key);
- memcpy(ivec, out, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- for (i = 0; i < len; i++)
- tmp[i] = in[i] ^ ivec[i];
- for (; i < AES_BLOCK_SIZE; i++)
- tmp[i] = 0 ^ ivec[i];
-
- AES_encrypt(tmp, out - AES_BLOCK_SIZE, key);
-
- memcpy(out, ivec, len);
- memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-
- } else {
- unsigned char tmp2[AES_BLOCK_SIZE];
- unsigned char tmp3[AES_BLOCK_SIZE];
-
- while(len > AES_BLOCK_SIZE * 2) {
- memcpy(tmp, in, AES_BLOCK_SIZE);
- AES_decrypt(in, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- len -= AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
-
- len -= AES_BLOCK_SIZE;
-
- memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */
- AES_decrypt(in, tmp2, key);
-
- memcpy(tmp3, in + AES_BLOCK_SIZE, len);
- memcpy(tmp3 + len, tmp2 + len, AES_BLOCK_SIZE - len); /* xor 0 */
-
- for (i = 0; i < len; i++)
- out[i + AES_BLOCK_SIZE] = tmp2[i] ^ tmp3[i];
-
- AES_decrypt(tmp3, out, key);
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- out[i] ^= ivec[i];
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- }
-}
-
-static krb5_error_code
-AES_CTS_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- struct krb5_aes_schedule *aeskey = key->schedule->data;
- char local_ivec[AES_BLOCK_SIZE];
- AES_KEY *k;
-
- if (encryptp)
- k = &aeskey->ekey;
- else
- k = &aeskey->dkey;
-
- if (len < AES_BLOCK_SIZE)
- krb5_abortx(context, "invalid use of AES_CTS_encrypt");
- if (len == AES_BLOCK_SIZE) {
- if (encryptp)
- AES_encrypt(data, data, k);
- else
- AES_decrypt(data, data, k);
- } else {
- if(ivec == NULL) {
- memset(local_ivec, 0, sizeof(local_ivec));
- ivec = local_ivec;
- }
- _krb5_aes_cts_encrypt(data, data, len, k, ivec, encryptp);
- }
-
- return 0;
-}
+#endif
/*
* section 6 of draft-brezak-win2k-krb-rc4-hmac-03
@@ -2530,7 +2345,11 @@ AES_PRF(krb5_context context,
return ret;
}
- (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ if (ret) {
+ krb5_data_free(&result.checksum);
+ return ret;
+ }
if (result.checksum.length < crypto->et->blocksize)
krb5_abortx(context, "internal prf error");
@@ -2546,12 +2365,13 @@ AES_PRF(krb5_context context,
krb5_abortx(context, "malloc failed");
{
- AES_KEY key;
-
- AES_set_encrypt_key(derived->keyvalue.data,
- crypto->et->keytype->bits, &key);
- AES_encrypt(result.checksum.data, out->data, &key);
- memset(&key, 0, sizeof(key));
+ const EVP_CIPHER *c = (*crypto->et->keytype->evp)();
+ EVP_CIPHER_CTX ctx;
+ /* XXX blksz 1 for cts, so we can't use that */
+ EVP_CIPHER_CTX_init(&ctx); /* ivec all zero */
+ EVP_CipherInit_ex(&ctx, c, NULL, derived->keyvalue.data, NULL, 1);
+ EVP_Cipher(&ctx, out->data, result.checksum.data, 16);
+ EVP_CIPHER_CTX_cleanup(&ctx);
}
krb5_data_free(&result.checksum);
@@ -2578,48 +2398,6 @@ static struct encryption_type enctype_null = {
0,
NULL
};
-static struct encryption_type enctype_des_cbc_crc = {
- ETYPE_DES_CBC_CRC,
- "des-cbc-crc",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_crc32,
- NULL,
- 0,
- DES_CBC_encrypt_key_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cbc_md4 = {
- ETYPE_DES_CBC_MD4,
- "des-cbc-md4",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md4,
- &checksum_rsa_md4_des,
- 0,
- DES_CBC_encrypt_null_ivec,
- 0,
- NULL
-};
-static struct encryption_type enctype_des_cbc_md5 = {
- ETYPE_DES_CBC_MD5,
- "des-cbc-md5",
- 8,
- 8,
- 8,
- &keytype_des,
- &checksum_rsa_md5,
- &checksum_rsa_md5_des,
- 0,
- DES_CBC_encrypt_null_ivec,
- 0,
- NULL
-};
static struct encryption_type enctype_arcfour_hmac_md5 = {
ETYPE_ARCFOUR_HMAC_MD5,
"arcfour-hmac-md5",
@@ -2634,6 +2412,7 @@ static struct encryption_type enctype_arcfour_hmac_md5 = {
0,
NULL
};
+#ifdef DES3_OLD_ENCTYPE
static struct encryption_type enctype_des3_cbc_md5 = {
ETYPE_DES3_CBC_MD5,
"des3-cbc-md5",
@@ -2644,10 +2423,11 @@ static struct encryption_type enctype_des3_cbc_md5 = {
&checksum_rsa_md5,
&checksum_rsa_md5_des3,
0,
- DES3_CBC_encrypt,
+ evp_encrypt,
0,
NULL
};
+#endif
static struct encryption_type enctype_des3_cbc_sha1 = {
ETYPE_DES3_CBC_SHA1,
"des3-cbc-sha1",
@@ -2658,10 +2438,11 @@ static struct encryption_type enctype_des3_cbc_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_des3,
F_DERIVED,
- DES3_CBC_encrypt,
+ evp_encrypt,
0,
NULL
};
+#ifdef DES3_OLD_ENCTYPE
static struct encryption_type enctype_old_des3_cbc_sha1 = {
ETYPE_OLD_DES3_CBC_SHA1,
"old-des3-cbc-sha1",
@@ -2672,10 +2453,11 @@ static struct encryption_type enctype_old_des3_cbc_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_des3,
0,
- DES3_CBC_encrypt,
+ evp_encrypt,
0,
NULL
};
+#endif
static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
ETYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96",
@@ -2686,7 +2468,7 @@ static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_aes128,
F_DERIVED,
- AES_CTS_encrypt,
+ evp_encrypt,
16,
AES_PRF
};
@@ -2700,10 +2482,67 @@ static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_aes256,
F_DERIVED,
- AES_CTS_encrypt,
+ evp_encrypt,
16,
AES_PRF
};
+static struct encryption_type enctype_des3_cbc_none = {
+ ETYPE_DES3_CBC_NONE,
+ "des3-cbc-none",
+ 8,
+ 8,
+ 0,
+ &keytype_des3_derived,
+ &checksum_none,
+ NULL,
+ F_PSEUDO,
+ evp_encrypt,
+ 0,
+ NULL
+};
+#ifdef WEAK_ENCTYPES
+static struct encryption_type enctype_des_cbc_crc = {
+ ETYPE_DES_CBC_CRC,
+ "des-cbc-crc",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &checksum_crc32,
+ NULL,
+ F_DISABLED,
+ evp_des_encrypt_key_ivec,
+ 0,
+ NULL
+};
+static struct encryption_type enctype_des_cbc_md4 = {
+ ETYPE_DES_CBC_MD4,
+ "des-cbc-md4",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &checksum_rsa_md4,
+ &checksum_rsa_md4_des,
+ F_DISABLED,
+ evp_des_encrypt_null_ivec,
+ 0,
+ NULL
+};
+static struct encryption_type enctype_des_cbc_md5 = {
+ ETYPE_DES_CBC_MD5,
+ "des-cbc-md5",
+ 8,
+ 8,
+ 8,
+ &keytype_des,
+ &checksum_rsa_md5,
+ &checksum_rsa_md5_des,
+ F_DISABLED,
+ evp_des_encrypt_null_ivec,
+ 0,
+ NULL
+};
static struct encryption_type enctype_des_cbc_none = {
ETYPE_DES_CBC_NONE,
"des-cbc-none",
@@ -2713,8 +2552,8 @@ static struct encryption_type enctype_des_cbc_none = {
&keytype_des,
&checksum_none,
NULL,
- F_PSEUDO,
- DES_CBC_encrypt_null_ivec,
+ F_PSEUDO|F_DISABLED,
+ evp_des_encrypt_null_ivec,
0,
NULL
};
@@ -2724,10 +2563,10 @@ static struct encryption_type enctype_des_cfb64_none = {
1,
1,
0,
- &keytype_des,
+ &keytype_des_old,
&checksum_none,
NULL,
- F_PSEUDO,
+ F_PSEUDO|F_DISABLED,
DES_CFB64_encrypt_null_ivec,
0,
NULL
@@ -2738,44 +2577,35 @@ static struct encryption_type enctype_des_pcbc_none = {
8,
8,
0,
- &keytype_des,
+ &keytype_des_old,
&checksum_none,
NULL,
- F_PSEUDO,
+ F_PSEUDO|F_DISABLED,
DES_PCBC_encrypt_key_ivec,
0,
NULL
};
-static struct encryption_type enctype_des3_cbc_none = {
- ETYPE_DES3_CBC_NONE,
- "des3-cbc-none",
- 8,
- 8,
- 0,
- &keytype_des3_derived,
- &checksum_none,
- NULL,
- F_PSEUDO,
- DES3_CBC_encrypt,
- 0,
- NULL
-};
+#endif /* WEAK_ENCTYPES */
static struct encryption_type *etypes[] = {
- &enctype_null,
- &enctype_des_cbc_crc,
- &enctype_des_cbc_md4,
- &enctype_des_cbc_md5,
+ &enctype_aes256_cts_hmac_sha1,
+ &enctype_aes128_cts_hmac_sha1,
+ &enctype_des3_cbc_sha1,
+ &enctype_des3_cbc_none, /* used by the gss-api mech */
&enctype_arcfour_hmac_md5,
+#ifdef DES3_OLD_ENCTYPE
&enctype_des3_cbc_md5,
- &enctype_des3_cbc_sha1,
&enctype_old_des3_cbc_sha1,
- &enctype_aes128_cts_hmac_sha1,
- &enctype_aes256_cts_hmac_sha1,
+#endif
+#ifdef WEAK_ENCTYPES
+ &enctype_des_cbc_crc,
+ &enctype_des_cbc_md4,
+ &enctype_des_cbc_md5,
&enctype_des_cbc_none,
&enctype_des_cfb64_none,
&enctype_des_pcbc_none,
- &enctype_des3_cbc_none
+#endif
+ &enctype_null
};
static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
@@ -2878,37 +2708,6 @@ krb5_keytype_to_enctypes (krb5_context context,
return 0;
}
-/*
- * First take the configured list of etypes for `keytype' if available,
- * else, do `krb5_keytype_to_enctypes'.
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_keytype_to_enctypes_default (krb5_context context,
- krb5_keytype keytype,
- unsigned *len,
- krb5_enctype **val)
-{
- unsigned int i, n;
- krb5_enctype *ret;
-
- if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
- return krb5_keytype_to_enctypes (context, keytype, len, val);
-
- for (n = 0; context->etypes_des[n]; ++n)
- ;
- ret = malloc (n * sizeof(*ret));
- if (ret == NULL && n != 0) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- for (i = 0; i < n; ++i)
- ret[i] = context->etypes_des[i];
- *len = n;
- *val = ret;
- return 0;
-}
-
krb5_error_code KRB5_LIB_FUNCTION
krb5_enctype_valid(krb5_context context,
krb5_enctype etype)
@@ -3032,9 +2831,6 @@ encrypt_internal_derived(krb5_context context,
ret = _key_schedule(context, dkey);
if(ret)
goto fail;
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 1, block_sz, dkey->key);
-#endif
ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
if (ret)
goto fail;
@@ -3098,9 +2894,6 @@ encrypt_internal(krb5_context context,
ret = _key_schedule(context, &crypto->key);
if(ret)
goto fail;
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
-#endif
ret = (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec);
if (ret) {
memset(p, 0, block_sz);
@@ -3202,9 +2995,6 @@ decrypt_internal_derived(krb5_context context,
free(p);
return ret;
}
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 0, len, dkey->key);
-#endif
ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
if (ret) {
free(p);
@@ -3269,9 +3059,6 @@ decrypt_internal(krb5_context context,
free(p);
return ret;
}
-#ifdef CRYPTO_DEBUG
- krb5_crypto_debug(context, 0, len, crypto->key.key);
-#endif
ret = (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec);
if (ret) {
free(p);
@@ -3346,6 +3133,386 @@ decrypt_internal_special(krb5_context context,
return 0;
}
+/**
+ * Inline encrypt a kerberos message
+ *
+ * @param context Kerberos context
+ * @param crypto Kerberos crypto context
+ * @param usage Key usage for this buffer
+ * @param data array of buffers to process
+ * @param num_data length of array
+ * @param ivec initial cbc/cts vector
+ *
+ * @return Return an error code or 0.
+ * @ingroup krb5_crypto
+ *
+ * Kerberos encrypted data look like this:
+ *
+ * 1. KRB5_CRYPTO_TYPE_HEADER
+ * 2. array KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY in
+ * any order, however the receiver have to aware of the
+ * order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used headers and
+ * trailers.
+ * 3. KRB5_CRYPTO_TYPE_TRAILER
+ */
+
+static krb5_crypto_iov *
+find_iv(krb5_crypto_iov *data, int num_data, int type)
+{
+ int i;
+ for (i = 0; i < num_data; i++)
+ if (data[i].flags == type)
+ return &data[i];
+ return NULL;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_encrypt_iov_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ size_t num_data,
+ void *ivec)
+{
+ size_t headersz, trailersz, len;
+ size_t i, sz, block_sz, pad_sz;
+ Checksum cksum;
+ unsigned char *p, *q;
+ krb5_error_code ret;
+ struct key_data *dkey;
+ const struct encryption_type *et = crypto->et;
+ krb5_crypto_iov *tiv, *piv, *hiv;
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_string(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ headersz = et->confoundersize;
+ trailersz = CHECKSUMSIZE(et->keyed_checksum);
+
+ for (len = 0, i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER &&
+ data[i].flags == KRB5_CRYPTO_TYPE_DATA) {
+ len += data[i].data.length;
+ }
+ }
+
+ sz = headersz + len;
+ block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
+
+ pad_sz = block_sz - sz;
+ trailersz += pad_sz;
+
+ /* header */
+
+ hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (hiv == NULL || hiv->data.length != headersz)
+ return KRB5_BAD_MSIZE;
+
+ krb5_generate_random_block(hiv->data.data, hiv->data.length);
+
+ /* padding */
+
+ piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
+ /* its ok to have no TYPE_PADDING if there is no padding */
+ if (piv == NULL && pad_sz != 0)
+ return KRB5_BAD_MSIZE;
+ if (piv) {
+ if (piv->data.length < pad_sz)
+ return KRB5_BAD_MSIZE;
+ piv->data.length = pad_sz;
+ }
+
+
+ /* trailer */
+
+ tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (tiv == NULL || tiv->data.length != trailersz)
+ return KRB5_BAD_MSIZE;
+
+
+ /*
+ * XXX replace with EVP_Sign? at least make create_checksum an iov
+ * function.
+ * XXX CTS EVP is broken, can't handle multi buffers :(
+ */
+
+ len = hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ ret = create_checksum(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ p,
+ len,
+ &cksum);
+ free(p);
+ if(ret == 0 && cksum.checksum.length != trailersz) {
+ free_Checksum (&cksum);
+ krb5_clear_error_string (context);
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+ if(ret)
+ return ret;
+
+ /* save cksum at end */
+ memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
+ free_Checksum (&cksum);
+
+ /* now encrypt data */
+
+ ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+ if(ret)
+ return ret;
+ ret = _key_schedule(context, dkey);
+ if(ret)
+ return ret;
+
+ /* XXX replace with EVP_Cipher */
+
+ len = hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_PADDING)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+ if(p == NULL)
+ return ENOMEM;
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_PADDING)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+ ret = _key_schedule(context, dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+
+ ret = (*et->encrypt)(context, dkey, p, len, 1, usage, ivec);
+ if (ret) {
+ free(p);
+ return ret;
+ }
+
+ /* now copy data back to buffers */
+ q = p;
+ memcpy(hiv->data.data, q, hiv->data.length);
+ q += hiv->data.length;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_PADDING)
+ continue;
+ memcpy(data[i].data.data, q, data[i].data.length);
+ q += data[i].data.length;
+ }
+ free(p);
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_decrypt_iov_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ krb5_crypto_iov *data,
+ size_t num_data,
+ void *ivec)
+{
+ size_t headersz, trailersz, len;
+ size_t i, sz, block_sz, pad_sz;
+ Checksum cksum;
+ unsigned char *p, *q;
+ krb5_error_code ret;
+ struct key_data *dkey;
+ struct encryption_type *et = crypto->et;
+ krb5_crypto_iov *tiv, *hiv;
+
+ if(!derived_crypto(context, crypto)) {
+ krb5_clear_error_string(context);
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ headersz = et->confoundersize;
+ trailersz = CHECKSUMSIZE(et->keyed_checksum);
+
+ for (len = 0, i = 0; i < num_data; i++)
+ if (data[i].flags == KRB5_CRYPTO_TYPE_DATA)
+ len += data[i].data.length;
+
+ sz = headersz + len;
+ block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
+
+ pad_sz = block_sz - sz;
+ trailersz += pad_sz;
+
+ /* header */
+
+ hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (hiv == NULL || hiv->data.length < headersz)
+ return KRB5_BAD_MSIZE;
+ hiv->data.length = headersz;
+
+ /* trailer */
+
+ tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (tiv == NULL || tiv->data.length < trailersz)
+ return KRB5_BAD_MSIZE;
+ tiv->data.length = trailersz;
+
+ /* body */
+
+ /* XXX replace with EVP_Cipher */
+
+ for (len = 0, i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER &&
+ data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+ if (p == NULL)
+ return ENOMEM;
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+ ret = _key_schedule(context, dkey);
+ if(ret) {
+ free(p);
+ return ret;
+ }
+
+ ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
+ if (ret) {
+ free(p);
+ return ret;
+ }
+
+ /* XXX now copy data back to buffers */
+ q = p;
+ memcpy(hiv->data.data, q, hiv->data.length);
+ q += hiv->data.length;
+ len -= hiv->data.length;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
+ continue;
+ if (len < data[i].data.length)
+ data[i].data.length = len;
+ memcpy(data[i].data.data, q, data[i].data.length);
+ q += data[i].data.length;
+ len -= data[i].data.length;
+ }
+ free(p);
+ if (len)
+ krb5_abortx(context, "data still in the buffer");
+
+ len = hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ len += data[i].data.length;
+ }
+
+ p = q = malloc(len);
+
+ memcpy(q, hiv->data.data, hiv->data.length);
+ q += hiv->data.length;
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
+ data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(q, data[i].data.data, data[i].data.length);
+ q += data[i].data.length;
+ }
+
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
+
+ ret = verify_checksum(context,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ p,
+ len,
+ &cksum);
+ free(p);
+ if(ret)
+ return ret;
+
+ return 0;
+}
+
+
+size_t KRB5_LIB_FUNCTION
+krb5_crypto_length(krb5_context context,
+ krb5_crypto crypto,
+ int type)
+{
+ if (!derived_crypto(context, crypto))
+ return (size_t)-1;
+ switch(type) {
+ case KRB5_CRYPTO_TYPE_EMPTY:
+ return 0;
+ case KRB5_CRYPTO_TYPE_HEADER:
+ return crypto->et->blocksize;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ if (crypto->et->padsize > 1)
+ return crypto->et->padsize;
+ return 0;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ return CHECKSUMSIZE(crypto->et->keyed_checksum);
+ }
+ return (size_t)-1;
+}
krb5_error_code KRB5_LIB_FUNCTION
krb5_encrypt_ivec(krb5_context context,
@@ -3452,7 +3619,7 @@ seed_something(void)
so use 0 for the entropy estimate */
if (RAND_file_name(seedfile, sizeof(seedfile))) {
int fd;
- fd = open(seedfile, O_RDONLY);
+ fd = open(seedfile, O_RDONLY | O_BINARY | O_CLOEXEC);
if (fd >= 0) {
ssize_t ret;
rk_cloexec(fd);
@@ -3652,7 +3819,7 @@ krb5_derive_key(krb5_context context,
ret = derive_key(context, et, &d, constant, constant_len);
if (ret == 0)
ret = krb5_copy_keyblock(context, d.key, derived_key);
- free_key_data(context, &d);
+ free_key_data(context, &d, et);
return ret;
}
@@ -3727,19 +3894,23 @@ krb5_crypto_init(krb5_context context,
}
static void
-free_key_data(krb5_context context, struct key_data *key)
+free_key_data(krb5_context context, struct key_data *key,
+ struct encryption_type *et)
{
krb5_free_keyblock(context, key->key);
if(key->schedule) {
+ if (et->keytype->cleanup)
+ (*et->keytype->cleanup)(context, key);
memset(key->schedule->data, 0, key->schedule->length);
krb5_free_data(context, key->schedule);
}
}
static void
-free_key_usage(krb5_context context, struct key_usage *ku)
+free_key_usage(krb5_context context, struct key_usage *ku,
+ struct encryption_type *et)
{
- free_key_data(context, &ku->key);
+ free_key_data(context, &ku->key, et);
}
krb5_error_code KRB5_LIB_FUNCTION
@@ -3749,9 +3920,9 @@ krb5_crypto_destroy(krb5_context context,
int i;
for(i = 0; i < crypto->num_key_usage; i++)
- free_key_usage(context, &crypto->key_usage[i]);
+ free_key_usage(context, &crypto->key_usage[i], crypto->et);
free(crypto->key_usage);
- free_key_data(context, &crypto->key);
+ free_key_data(context, &crypto->key, crypto->et);
free (crypto);
return 0;
}
@@ -3792,6 +3963,18 @@ krb5_crypto_getconfoundersize(krb5_context context,
return 0;
}
+
+/**
+ * Disable encryption type
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_enctype_disable(krb5_context context,
krb5_enctype enctype)
@@ -3808,6 +3991,34 @@ krb5_enctype_disable(krb5_context context,
return 0;
}
+/**
+ * Enable encryption type
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to enable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_enctype_enable(krb5_context context,
+ krb5_enctype enctype)
+{
+ struct encryption_type *et = _find_enctype(enctype);
+ if(et == NULL) {
+ if (context)
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ "encryption type %d not supported",
+ enctype);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ et->flags &= ~F_DISABLED;
+ return 0;
+}
+
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_string_to_key_derived(krb5_context context,
const void *str,
@@ -3862,8 +4073,12 @@ krb5_string_to_key_derived(krb5_context context,
&kd,
"kerberos", /* XXX well known constant */
strlen("kerberos"));
+ if (ret) {
+ free_key_data(context, &kd, et);
+ return ret;
+ }
ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
+ free_key_data(context, &kd, et);
return ret;
}
@@ -4265,108 +4480,86 @@ krb5_crypto_prf(krb5_context context,
return (*et->prf)(context, crypto, input, output);
}
-
+#ifndef HEIMDAL_SMALLER
+/*
+ * First take the configured list of etypes for `keytype' if available,
+ * else, do `krb5_keytype_to_enctypes'.
+ */
-#ifdef CRYPTO_DEBUG
-
-static krb5_error_code
-krb5_get_keyid(krb5_context context,
- krb5_keyblock *key,
- uint32_t *keyid)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_keytype_to_enctypes_default (krb5_context context,
+ krb5_keytype keytype,
+ unsigned *len,
+ krb5_enctype **val)
+ __attribute__((deprecated))
{
- MD5_CTX md5;
- unsigned char tmp[16];
+ unsigned int i, n;
+ krb5_enctype *ret;
- MD5_Init (&md5);
- MD5_Update (&md5, key->keyvalue.data, key->keyvalue.length);
- MD5_Final (tmp, &md5);
- *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15];
+ if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
+ return krb5_keytype_to_enctypes (context, keytype, len, val);
+
+ for (n = 0; context->etypes_des[n]; ++n)
+ ;
+ ret = malloc (n * sizeof(*ret));
+ if (ret == NULL && n != 0) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ for (i = 0; i < n; ++i)
+ ret[i] = context->etypes_des[i];
+ *len = n;
+ *val = ret;
return 0;
}
-static void
-krb5_crypto_debug(krb5_context context,
- int encryptp,
- size_t len,
- krb5_keyblock *key)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_keytype_to_string(krb5_context context,
+ krb5_keytype keytype,
+ char **string)
+ __attribute__((deprecated))
{
- uint32_t keyid;
- char *kt;
- krb5_get_keyid(context, key, &keyid);
- krb5_enctype_to_string(context, key->keytype, &kt);
- krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)",
- encryptp ? "encrypting" : "decrypting",
- (unsigned long)len,
- keyid,
- kt);
- free(kt);
+ struct key_type *kt = _find_keytype(keytype);
+ if(kt == NULL) {
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "key type %d not supported", keytype);
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+ }
+ *string = strdup(kt->name);
+ if(*string == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ return 0;
}
-#endif /* CRYPTO_DEBUG */
-#if 0
-int
-main()
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_keytype(krb5_context context,
+ const char *string,
+ krb5_keytype *keytype)
+ __attribute__((deprecated))
{
-#if 0
- int i;
- krb5_context context;
- krb5_crypto crypto;
- struct key_data *d;
- krb5_keyblock key;
- char constant[4];
- unsigned usage = ENCRYPTION_USAGE(3);
- krb5_error_code ret;
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
- key.keyvalue.data = "\xb3\x85\x58\x94\xd9\xdc\x7c\xc8"
- "\x25\xe9\x85\xab\x3e\xb5\xfb\x0e"
- "\xc8\xdf\xab\x26\x86\x64\x15\x25";
- key.keyvalue.length = 24;
-
- krb5_crypto_init(context, &key, 0, &crypto);
-
- d = _new_derived_key(crypto, usage);
- if(d == NULL)
- krb5_errx(context, 1, "_new_derived_key failed");
- krb5_copy_keyblock(context, crypto->key.key, &d->key);
- _krb5_put_int(constant, usage, 4);
- derive_key(context, crypto->et, d, constant, sizeof(constant));
- return 0;
-#else
+ char *end;
int i;
- krb5_context context;
- krb5_crypto crypto;
- struct key_data *d;
- krb5_keyblock key;
- krb5_error_code ret;
- Checksum res;
-
- char *data = "what do ya want for nothing?";
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
- key.keyvalue.data = "Jefe";
- /* "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
- "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */
- key.keyvalue.length = 4;
+ for(i = 0; i < num_keytypes; i++)
+ if(strcasecmp(keytypes[i]->name, string) == 0){
+ *keytype = keytypes[i]->type;
+ return 0;
+ }
- d = ecalloc(1, sizeof(*d));
- d->key = &key;
- res.checksum.length = 20;
- res.checksum.data = emalloc(res.checksum.length);
- SP_HMAC_SHA1_checksum(context, d, data, 28, &res);
+ /* check if the enctype is a number */
+ *keytype = strtol(string, &end, 0);
+ if(*end == '\0' && *keytype != 0) {
+ if (krb5_enctype_valid(context, *keytype) == 0)
+ return 0;
+ }
- return 0;
-#endif
+ krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+ "key type %s not supported", string);
+ return KRB5_PROG_KEYTYPE_NOSUPP;
}
#endif
diff --git a/source4/heimdal/lib/krb5/data.c b/source4/heimdal/lib/krb5/data.c
index 2b78bfb32b..0286316214 100644
--- a/source4/heimdal/lib/krb5/data.c
+++ b/source4/heimdal/lib/krb5/data.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: data.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
/**
* Reset the (potentially uninitalized) krb5_data structure.
diff --git a/source4/heimdal/lib/krb5/eai_to_heim_errno.c b/source4/heimdal/lib/krb5/eai_to_heim_errno.c
index 19315cea86..c06e8fb9bb 100644
--- a/source4/heimdal/lib/krb5/eai_to_heim_errno.c
+++ b/source4/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: eai_to_heim_errno.c 22065 2007-11-11 16:41:06Z lha $");
+RCSID("$Id$");
/**
* Convert the getaddrinfo() error code to a Kerberos et error code.
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index 6679b76749..17bc30572b 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: error_string.c 23274 2008-06-23 03:25:08Z lha $");
+RCSID("$Id$");
#undef __attribute__
#define __attribute__(X)
@@ -199,7 +199,7 @@ krb5_free_error_message(krb5_context context, const char *msg)
* @param context Kerberos context
* @param msg error message to free
*
- * @ingroup krb5_error
+ * @ingroup krb5_deprecated
*/
void KRB5_LIB_FUNCTION __attribute__((deprecated))
@@ -208,6 +208,16 @@ krb5_free_error_string(krb5_context context, char *str)
krb5_free_error_message(context, str);
}
+/**
+ * Set the error message returned by krb5_get_error_string(),
+ * deprecated, use krb5_set_error_message().
+ *
+ * @param context Kerberos context
+ * @param msg error message to free
+ *
+ * @ingroup krb5_deprecated
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_set_error_string(krb5_context context, const char *fmt, ...)
__attribute__((format (printf, 2, 3))) __attribute__((deprecated))
@@ -220,6 +230,16 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
return 0;
}
+/**
+ * Set the error message returned by krb5_get_error_string(),
+ * deprecated, use krb5_set_error_message().
+ *
+ * @param context Kerberos context
+ * @param msg error message to free
+ *
+ * @ingroup krb5_deprecated
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
__attribute__ ((format (printf, 2, 0))) __attribute__((deprecated))
diff --git a/source4/heimdal/lib/krb5/expand_hostname.c b/source4/heimdal/lib/krb5/expand_hostname.c
index d06d576432..4ada4b8110 100644
--- a/source4/heimdal/lib/krb5/expand_hostname.c
+++ b/source4/heimdal/lib/krb5/expand_hostname.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: expand_hostname.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
static krb5_error_code
copy_hostname(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/fcache.c b/source4/heimdal/lib/krb5/fcache.c
index 8951bdb24e..fc11893452 100644
--- a/source4/heimdal/lib/krb5/fcache.c
+++ b/source4/heimdal/lib/krb5/fcache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: fcache.c 23444 2008-07-27 12:07:47Z lha $");
+RCSID("$Id$");
typedef struct krb5_fcache{
char *filename;
@@ -395,7 +395,7 @@ fcc_initialize(krb5_context context,
unlink (filename);
- ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+ ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
return ret;
{
@@ -462,7 +462,7 @@ fcc_store_cred(krb5_context context,
int ret;
int fd;
- ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY, 0);
+ ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
{
@@ -503,7 +503,7 @@ init_fcc (krb5_context context,
krb5_storage *sp;
krb5_error_code ret;
- ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0);
+ ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
@@ -851,14 +851,14 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
int fd1, fd2;
char buf[BUFSIZ];
- ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY, 0);
+ ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
if(ret)
return ret;
unlink(FILENAME(to));
ret = fcc_open(context, to, &fd2,
- O_WRONLY | O_CREAT | O_EXCL | O_BINARY, 0600);
+ O_WRONLY | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
goto out1;
diff --git a/source4/heimdal/lib/krb5/free.c b/source4/heimdal/lib/krb5/free.c
index 1b0bd05412..d0eac84ca1 100644
--- a/source4/heimdal/lib/krb5/free.c
+++ b/source4/heimdal/lib/krb5/free.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: free.c 15175 2005-05-18 10:06:16Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
diff --git a/source4/heimdal/lib/krb5/free_host_realm.c b/source4/heimdal/lib/krb5/free_host_realm.c
index 6b13ce7d0e..a9287de5fd 100644
--- a/source4/heimdal/lib/krb5/free_host_realm.c
+++ b/source4/heimdal/lib/krb5/free_host_realm.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: free_host_realm.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
/*
* Free all memory allocated by `realmlist'
diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c
index 8a04f048c8..472fff7fd5 100644
--- a/source4/heimdal/lib/krb5/generate_seq_number.c
+++ b/source4/heimdal/lib/krb5/generate_seq_number.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: generate_seq_number.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_seq_number(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/generate_subkey.c b/source4/heimdal/lib/krb5/generate_subkey.c
index fb7efbcd29..aa68d14df6 100644
--- a/source4/heimdal/lib/krb5/generate_subkey.c
+++ b/source4/heimdal/lib/krb5/generate_subkey.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: generate_subkey.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_subkey(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 268550b229..c19a5e4abc 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_cred.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
/*
* Take the `body' and encode it into `padata' using the credentials
diff --git a/source4/heimdal/lib/krb5/get_default_principal.c b/source4/heimdal/lib/krb5/get_default_principal.c
index 5a7a7829fc..6a56218ed7 100644
--- a/source4/heimdal/lib/krb5/get_default_principal.c
+++ b/source4/heimdal/lib/krb5/get_default_principal.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: get_default_principal.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
/*
* Try to find out what's a reasonable default principal.
diff --git a/source4/heimdal/lib/krb5/get_default_realm.c b/source4/heimdal/lib/krb5/get_default_realm.c
index 1c996031e8..8e8c1ef974 100644
--- a/source4/heimdal/lib/krb5/get_default_realm.c
+++ b/source4/heimdal/lib/krb5/get_default_realm.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: get_default_realm.c 23280 2008-06-23 03:26:18Z lha $");
+RCSID("$Id$");
/*
* Return a NULL-terminated list of default realms in `realms'.
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index a8aac950ec..f005460e3f 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_for_creds.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
static krb5_error_code
add_addrs(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/get_host_realm.c b/source4/heimdal/lib/krb5/get_host_realm.c
index f4c875b347..e226598101 100644
--- a/source4/heimdal/lib/krb5/get_host_realm.c
+++ b/source4/heimdal/lib/krb5/get_host_realm.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <resolve.h>
-RCSID("$Id: get_host_realm.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/* To automagically find the correct realm of a host (without
* [domain_realm] in krb5.conf) add a text record for your domain with
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 8bdc8c0eb2..c835a9a29e 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: get_in_tkt.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_init_etype (krb5_context context,
@@ -383,8 +383,7 @@ _krb5_extract_ticket(krb5_context context,
* based on the DNS Name.
*/
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
- flags |=EXTRACT_TICKET_ALLOW_CNAME_MISMATCH ;
-
+ flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
/* compare client and save */
ret = _krb5_principalname2krb5_principal (context,
diff --git a/source4/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/source4/heimdal/lib/krb5/get_in_tkt_with_keytab.c
index 52f95c4bc4..78a1c340ac 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt_with_keytab.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt_with_keytab.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: get_in_tkt_with_keytab.c 15477 2005-06-17 04:56:44Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_keytab_key_proc (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/get_port.c b/source4/heimdal/lib/krb5/get_port.c
index 85587ea766..895c21a433 100644
--- a/source4/heimdal/lib/krb5/get_port.c
+++ b/source4/heimdal/lib/krb5/get_port.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_port.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
int KRB5_LIB_FUNCTION
krb5_getportbyname (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/heim_err.et b/source4/heimdal/lib/krb5/heim_err.et
index 1b8ab49bc1..547a14e04c 100644
--- a/source4/heimdal/lib/krb5/heim_err.et
+++ b/source4/heimdal/lib/krb5/heim_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: heim_err.et 13352 2004-02-13 16:23:40Z lha $"
+id "$Id$"
error_table heim
diff --git a/source4/heimdal/lib/krb5/heim_threads.h b/source4/heimdal/lib/krb5/heim_threads.h
index 3c27d13d81..c550499499 100755..100644
--- a/source4/heimdal/lib/krb5/heim_threads.h
+++ b/source4/heimdal/lib/krb5/heim_threads.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: heim_threads.h 14409 2004-12-18 16:03:38Z lha $ */
+/* $Id$ */
/*
* Provide wrapper macros for thread synchronization primitives so we
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 74c9ff78e5..b2b3b6550d 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
void KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index e3098b0a92..f56d069b37 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
typedef struct krb5_get_init_creds_ctx {
KDCOptions flags;
diff --git a/source4/heimdal/lib/krb5/k524_err.et b/source4/heimdal/lib/krb5/k524_err.et
index 0ca25f74d4..4827b397af 100644
--- a/source4/heimdal/lib/krb5/k524_err.et
+++ b/source4/heimdal/lib/krb5/k524_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: k524_err.et 10141 2001-06-20 02:45:58Z joda $"
+id "$Id$"
error_table k524
diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c
index 0c91fbb3a0..d5f38c5aaf 100644
--- a/source4/heimdal/lib/krb5/kcm.c
+++ b/source4/heimdal/lib/krb5/kcm.c
@@ -43,7 +43,7 @@
#include "kcm.h"
-RCSID("$Id: kcm.c 23446 2008-07-27 12:08:37Z lha $");
+RCSID("$Id$");
typedef struct krb5_kcmcache {
char *name;
@@ -105,7 +105,7 @@ try_unix_socket(krb5_context context,
krb5_error_code ret;
int fd;
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (fd < 0)
return KRB5_CC_IO;
rk_cloexec(fd);
diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c
index fa19e1e726..38a856624e 100644
--- a/source4/heimdal/lib/krb5/keyblock.c
+++ b/source4/heimdal/lib/krb5/keyblock.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keyblock.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
void KRB5_LIB_FUNCTION
krb5_keyblock_zero(krb5_keyblock *keyblock)
diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c
index 09e130d850..f3e6b9e8f4 100644
--- a/source4/heimdal/lib/krb5/keytab.c
+++ b/source4/heimdal/lib/krb5/keytab.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/*
* Register a new keytab in `ops'
@@ -341,6 +341,7 @@ krb5_kt_get_entry(krb5_context context,
if (ret) {
/* This is needed for krb5_verify_init_creds, but keep error
* string from previous error for the human. */
+ context->error_code = KRB5_KT_NOTFOUND;
return KRB5_KT_NOTFOUND;
}
diff --git a/source4/heimdal/lib/krb5/keytab_any.c b/source4/heimdal/lib/krb5/keytab_any.c
index 9e93191045..a4b15394a5 100644
--- a/source4/heimdal/lib/krb5/keytab_any.c
+++ b/source4/heimdal/lib/krb5/keytab_any.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_any.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
struct any_data {
krb5_keytab kt;
diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c
index e830ab3412..17f2d57742 100644
--- a/source4/heimdal/lib/krb5/keytab_file.c
+++ b/source4/heimdal/lib/krb5/keytab_file.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_file.c 23469 2008-07-27 12:17:12Z lha $");
+RCSID("$Id$");
#define KRB5_KT_VNO_1 1
#define KRB5_KT_VNO_2 2
@@ -385,7 +385,7 @@ fkt_start_seq_get(krb5_context context,
krb5_keytab id,
krb5_kt_cursor *c)
{
- return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, 0, c);
+ return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY | O_CLOEXEC, 0, c);
}
static krb5_error_code
@@ -488,9 +488,9 @@ fkt_add_entry(krb5_context context,
krb5_data keytab;
int32_t len;
- fd = open (d->filename, O_RDWR | O_BINARY);
+ fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
- fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+ fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
krb5_set_error_message(context, ret, "open(%s): %s", d->filename,
@@ -632,7 +632,7 @@ fkt_remove_entry(krb5_context context,
int found = 0;
krb5_error_code ret;
- ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, 1, &cursor);
+ ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY | O_CLOEXEC, 1, &cursor);
if(ret != 0)
goto out; /* return other error here? */
while(fkt_next_entry_int(context, id, &e, &cursor,
diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c
index 7e14cbd329..3339a96319 100644
--- a/source4/heimdal/lib/krb5/keytab_keyfile.c
+++ b/source4/heimdal/lib/krb5/keytab_keyfile.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_keyfile.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/* afs keyfile operations --------------------------------------- */
@@ -194,7 +194,7 @@ akf_start_seq_get(krb5_context context,
int32_t ret;
struct akf_data *d = id->data;
- c->fd = open (d->filename, O_RDONLY|O_BINARY, 0600);
+ c->fd = open (d->filename, O_RDONLY | O_BINARY | O_CLOEXEC, 0600);
if (c->fd < 0) {
ret = errno;
krb5_set_error_message(context, ret, "keytab afs keyfil open %s failed: %s",
@@ -301,10 +301,10 @@ akf_add_entry(krb5_context context,
return 0;
}
- fd = open (d->filename, O_RDWR | O_BINARY);
+ fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
fd = open (d->filename,
- O_RDWR | O_BINARY | O_CREAT | O_EXCL, 0600);
+ O_RDWR | O_BINARY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
krb5_set_error_message(context, ret, "open(%s): %s", d->filename,
diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index eabee7c693..5f648d9bce 100644
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_memory.c 23293 2008-06-23 03:28:22Z lha $");
+RCSID("$Id$");
/* memory operations -------------------------------------------- */
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index dfd7e94460..9470f10337 100644
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
+/* $Id$ */
#ifndef __KRB5_V4COMPAT_H__
#define __KRB5_V4COMPAT_H__
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index b1e2781d52..aedabcc350 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h 23026 2008-04-17 10:02:03Z lha $ */
+/* $Id$ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -761,6 +761,28 @@ struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
+/**
+ * Semi private, not stable yet
+ */
+
+typedef struct krb5_crypto_iov {
+ unsigned int flags;
+ /* ignored */
+#define KRB5_CRYPTO_TYPE_EMPTY 0
+ /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_HEADER) */
+#define KRB5_CRYPTO_TYPE_HEADER 1
+ /* IN and OUT */
+#define KRB5_CRYPTO_TYPE_DATA 2
+ /* IN */
+#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3
+ /* (only for encryption) OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */
+#define KRB5_CRYPTO_TYPE_PADDING 4
+ /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */
+#define KRB5_CRYPTO_TYPE_TRAILER 5
+ krb5_data data;
+} krb5_crypto_iov;
+
+
#include <krb5-protos.h>
/* variables */
diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h
index 59a38425c2..7a8ac584a1 100644
--- a/source4/heimdal/lib/krb5/krb5_ccapi.h
+++ b/source4/heimdal/lib/krb5/krb5_ccapi.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_ccapi.h 22090 2007-12-02 23:23:43Z lha $ */
+/* $Id$ */
#ifndef KRB5_CCAPI_H
#define KRB5_CCAPI_H 1
diff --git a/source4/heimdal/lib/krb5/krb5_err.et b/source4/heimdal/lib/krb5/krb5_err.et
index 8e49ffcc4a..c076992d0b 100644
--- a/source4/heimdal/lib/krb5/krb5_err.et
+++ b/source4/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: krb5_err.et 23354 2008-07-15 11:23:34Z lha $"
+id "$Id$"
error_table krb5
@@ -110,7 +110,7 @@ error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not suppo
index 128
prefix
-error_code KRB5_ERR_RCSID, "$Id: krb5_err.et 23354 2008-07-15 11:23:34Z lha $"
+error_code KRB5_ERR_RCSID, "$Id$"
error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode"
error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password"
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index aaabd4541b..73075bf56c 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_locl.h 23324 2008-06-26 03:54:45Z lha $ */
+/* $Id$ */
#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__
@@ -133,6 +133,7 @@ struct sockaddr_dl;
#include <wind.h>
+#define HC_DEPRECATED_CRYPTO
#include "crypto-headers.h"
@@ -176,6 +177,15 @@ struct _krb5_krb_auth_data;
#define O_BINARY 0
#endif
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define SOCK_CLOEXEC 0
+#endif
+
+
#define KRB5_BUFSIZ 1024
typedef enum {
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index 3514a026b7..8e49818c50 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -35,7 +35,7 @@
#include <resolve.h>
#include "locate_plugin.h"
-RCSID("$Id: krbhst.c 23447 2008-07-27 12:09:05Z lha $");
+RCSID("$Id$");
static int
string_to_proto(const char *string)
diff --git a/source4/heimdal/lib/krb5/locate_plugin.h b/source4/heimdal/lib/krb5/locate_plugin.h
index a342617d38..baca037ebc 100644
--- a/source4/heimdal/lib/krb5/locate_plugin.h
+++ b/source4/heimdal/lib/krb5/locate_plugin.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: locate_plugin.h 23351 2008-07-15 11:22:39Z lha $ */
+/* $Id$ */
#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H
#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c
index 721e3691ca..2ed061c80b 100644
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: log.c 23443 2008-07-27 12:07:25Z lha $");
+RCSID("$Id$");
struct facility {
int min;
@@ -358,12 +358,12 @@ krb5_openlog(krb5_context context,
if(p == NULL)
p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
if(p){
- for(q = p; *q; q++)
+ for(q = p; *q && ret == 0; q++)
ret = krb5_addlog_dest(context, *fac, *q);
krb5_config_free_strings(p);
}else
ret = krb5_addlog_dest(context, *fac, "SYSLOG");
- return 0;
+ return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
index 682f9f6abd..3f26b27a46 100644
--- a/source4/heimdal/lib/krb5/mcache.c
+++ b/source4/heimdal/lib/krb5/mcache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: mcache.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
typedef struct krb5_mcache {
char *name;
diff --git a/source4/heimdal/lib/krb5/misc.c b/source4/heimdal/lib/krb5/misc.c
index 8050bdb9b4..1ed4f08d77 100644
--- a/source4/heimdal/lib/krb5/misc.c
+++ b/source4/heimdal/lib/krb5/misc.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: misc.c 21174 2007-06-19 10:10:58Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
_krb5_s4u2self_to_checksumdata(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 7440d54762..c157c5d365 100755..100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: mit_glue.c 20042 2007-01-23 20:37:43Z lha $");
+RCSID("$Id$");
/*
* Glue for MIT API
diff --git a/source4/heimdal/lib/krb5/mk_error.c b/source4/heimdal/lib/krb5/mk_error.c
index 7046649934..d4c3867edd 100644
--- a/source4/heimdal/lib/krb5/mk_error.c
+++ b/source4/heimdal/lib/krb5/mk_error.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: mk_error.c 15457 2005-06-16 21:16:40Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_mk_error(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c
index 3b4b6e30b7..a1a9ea4dff 100644
--- a/source4/heimdal/lib/krb5/mk_priv.c
+++ b/source4/heimdal/lib/krb5/mk_priv.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_priv.c 23297 2008-06-23 03:28:53Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/mk_rep.c b/source4/heimdal/lib/krb5/mk_rep.c
index 069df42e26..65c97b5803 100644
--- a/source4/heimdal/lib/krb5/mk_rep.c
+++ b/source4/heimdal/lib/krb5/mk_rep.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_rep.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_mk_rep(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/mk_req.c b/source4/heimdal/lib/krb5/mk_req.c
index 5f64f01e95..1068aaa668 100644
--- a/source4/heimdal/lib/krb5/mk_req.c
+++ b/source4/heimdal/lib/krb5/mk_req.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_req.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_mk_req_exact(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/mk_req_ext.c b/source4/heimdal/lib/krb5/mk_req_ext.c
index b6d55c8815..645dadee22 100644
--- a/source4/heimdal/lib/krb5/mk_req_ext.c
+++ b/source4/heimdal/lib/krb5/mk_req_ext.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $");
+RCSID("$Id$");
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/n-fold.c b/source4/heimdal/lib/krb5/n-fold.c
index 287f8cf64f..147f6aeac7 100644
--- a/source4/heimdal/lib/krb5/n-fold.c
+++ b/source4/heimdal/lib/krb5/n-fold.c
@@ -32,7 +32,7 @@
#include "krb5_locl.h"
-RCSID("$Id: n-fold.c 22923 2008-04-08 14:51:33Z lha $");
+RCSID("$Id$");
static krb5_error_code
rr13(unsigned char *buf, size_t len)
diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index fbc754efda..ac7e3eda9b 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <wind.h>
-RCSID("$Id: pac.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
struct PAC_INFO_BUFFER {
uint32_t type;
@@ -819,7 +819,7 @@ pac_checksum(krb5_context context,
return ret;
ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
- ret = krb5_crypto_destroy(context, crypto);
+ krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
diff --git a/source4/heimdal/lib/krb5/padata.c b/source4/heimdal/lib/krb5/padata.c
index 9dc3fe69a5..2cd3c18287 100644
--- a/source4/heimdal/lib/krb5/padata.c
+++ b/source4/heimdal/lib/krb5/padata.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: padata.c 23300 2008-06-23 03:29:22Z lha $");
+RCSID("$Id$");
PA_DATA *
krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 1e82971c6e..634ef26c7f 100755..100644
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c 23450 2008-07-27 12:10:10Z lha $");
+RCSID("$Id$");
struct krb5_dh_moduli {
char *name;
@@ -381,7 +381,7 @@ build_auth_pack(krb5_context context,
ret = krb5_data_alloc(a->clientDHNonce, 40);
if (a->clientDHNonce == NULL) {
krb5_clear_error_string(context);
- return ENOMEM;
+ return ret;
}
memset(a->clientDHNonce->data, 0, a->clientDHNonce->length);
ret = krb5_copy_data(context, a->clientDHNonce,
diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c
index 8dda27fa59..fb1ee32285 100644
--- a/source4/heimdal/lib/krb5/plugin.c
+++ b/source4/heimdal/lib/krb5/plugin.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: plugin.c 23451 2008-07-27 12:10:30Z lha $");
+RCSID("$Id$");
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
#endif
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c
index 0d6d72dbcf..3a1d184c3d 100644
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -57,7 +57,7 @@ host/admin@H5L.ORG
#include <fnmatch.h>
#include "resolve.h"
-RCSID("$Id: principal.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
#define princ_num_comp(P) ((P)->name.name_string.len)
#define princ_type(P) ((P)->name.name_type)
@@ -1259,7 +1259,14 @@ krb5_sname_to_principal (krb5_context context,
return KRB5_SNAME_UNSUPP_NAMETYPE;
}
if(hostname == NULL) {
- gethostname(localhost, sizeof(localhost));
+ ret = gethostname(localhost, sizeof(localhost) - 1);
+ if (ret != 0) {
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ "Failed to get local hostname");
+ return ret;
+ }
+ localhost[sizeof(localhost) - 1] = '\0';
hostname = localhost;
}
if(sname == NULL)
diff --git a/source4/heimdal/lib/krb5/prompter_posix.c b/source4/heimdal/lib/krb5/prompter_posix.c
index e0f407fb24..840bb328ca 100644
--- a/source4/heimdal/lib/krb5/prompter_posix.c
+++ b/source4/heimdal/lib/krb5/prompter_posix.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: prompter_posix.c 13863 2004-05-25 21:46:46Z lha $");
+RCSID("$Id$");
int KRB5_LIB_FUNCTION
krb5_prompter_posix (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index 26aa3f2d79..e2807c20d0 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_cred.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
static krb5_error_code
compare_addrs(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/rd_error.c b/source4/heimdal/lib/krb5/rd_error.c
index 9e50af539a..9f23d8df29 100644
--- a/source4/heimdal/lib/krb5/rd_error.c
+++ b/source4/heimdal/lib/krb5/rd_error.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: rd_error.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_error(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/rd_priv.c b/source4/heimdal/lib/krb5/rd_priv.c
index ed7a2ccc52..da8f44febb 100644
--- a/source4/heimdal/lib/krb5/rd_priv.c
+++ b/source4/heimdal/lib/krb5/rd_priv.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_priv.c 21751 2007-07-31 20:42:20Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_priv(krb5_context context,
@@ -50,14 +50,18 @@ krb5_rd_priv(krb5_context context,
krb5_keyblock *key;
krb5_crypto crypto;
- if (outbuf)
- krb5_data_zero(outbuf);
+ krb5_data_zero(outbuf);
if ((auth_context->flags &
- (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- outdata == NULL) {
- krb5_clear_error_string (context);
- return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)))
+ {
+ if (outdata == NULL) {
+ krb5_clear_error_string (context);
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ }
+ /* if these fields are not present in the priv-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
}
memset(&priv, 0, sizeof(priv));
@@ -165,9 +169,6 @@ krb5_rd_priv(krb5_context context,
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
- /* if these fields are not present in the priv-part, silently
- return zero */
- memset(outdata, 0, sizeof(*outdata));
if(part.timestamp)
outdata->timestamp = *part.timestamp;
if(part.usec)
diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c
index 0e6e3d09af..846de26c60 100644
--- a/source4/heimdal/lib/krb5/rd_rep.c
+++ b/source4/heimdal/lib/krb5/rd_rep.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_rep.c 23304 2008-06-23 03:29:56Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_rep(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index ddf1f69ae4..ef91f9fdd6 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_req.c 23415 2008-07-26 18:35:44Z lha $");
+RCSID("$Id$");
static krb5_error_code
decrypt_tkt_enc_part (krb5_context context,
diff --git a/source4/heimdal/lib/krb5/replay.c b/source4/heimdal/lib/krb5/replay.c
index 7639bfa2ce..cd717f27ac 100644
--- a/source4/heimdal/lib/krb5/replay.c
+++ b/source4/heimdal/lib/krb5/replay.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <vis.h>
-RCSID("$Id: replay.c 23467 2008-07-27 12:16:37Z lha $");
+RCSID("$Id$");
struct krb5_rcache_data {
char *name;
diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c
index 1ddb5afd1f..45b728aa6c 100644
--- a/source4/heimdal/lib/krb5/send_to_kdc.c
+++ b/source4/heimdal/lib/krb5/send_to_kdc.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "send_to_kdc_plugin.h"
-RCSID("$Id: send_to_kdc.c 23448 2008-07-27 12:09:22Z lha $");
+RCSID("$Id$");
struct send_to_kdc {
krb5_send_to_kdc_func func;
@@ -288,7 +288,7 @@ send_via_proxy (krb5_context context,
return krb5_eai_to_heim_errno(ret, errno);
for (a = ai; a != NULL; a = a->ai_next) {
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+ s = socket (a->ai_family, a->ai_socktype, a->ai_protocol | SOCK_CLOEXEC);
if (s < 0)
continue;
rk_cloexec(s);
@@ -411,7 +411,7 @@ krb5_sendto (krb5_context context,
continue;
for (a = ai; a != NULL; a = a->ai_next) {
- fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+ fd = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
if (fd < 0)
continue;
rk_cloexec(fd);
diff --git a/source4/heimdal/lib/krb5/set_default_realm.c b/source4/heimdal/lib/krb5/set_default_realm.c
index 55abf2ea7d..c21ac453a2 100644
--- a/source4/heimdal/lib/krb5/set_default_realm.c
+++ b/source4/heimdal/lib/krb5/set_default_realm.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: set_default_realm.c 23309 2008-06-23 03:30:41Z lha $");
+RCSID("$Id$");
/*
* Convert the simple string `s' into a NULL-terminated and freshly allocated
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index c9cbbb5cef..321ca633a6 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store.c 22071 2007-11-14 20:04:50Z lha $");
+RCSID("$Id$");
#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
diff --git a/source4/heimdal/lib/krb5/store_emem.c b/source4/heimdal/lib/krb5/store_emem.c
index c38c1b53c3..3cb561ec77 100644
--- a/source4/heimdal/lib/krb5/store_emem.c
+++ b/source4/heimdal/lib/krb5/store_emem.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_emem.c 22574 2008-02-05 20:31:55Z lha $");
+RCSID("$Id$");
typedef struct emem_storage{
unsigned char *base;
diff --git a/source4/heimdal/lib/krb5/store_fd.c b/source4/heimdal/lib/krb5/store_fd.c
index 15f86fcac3..21fa171c28 100644
--- a/source4/heimdal/lib/krb5/store_fd.c
+++ b/source4/heimdal/lib/krb5/store_fd.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_fd.c 17779 2006-06-30 21:23:19Z lha $");
+RCSID("$Id$");
typedef struct fd_storage {
int fd;
diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c
index e6e62b5a62..6d8306051a 100644
--- a/source4/heimdal/lib/krb5/store_mem.c
+++ b/source4/heimdal/lib/krb5/store_mem.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_mem.c 20307 2007-04-11 11:16:28Z lha $");
+RCSID("$Id$");
typedef struct mem_storage{
unsigned char *base;
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 5eff64e12d..77ce8cb221 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: ticket.c 23310 2008-06-23 03:30:49Z lha $");
+RCSID("$Id$");
krb5_error_code KRB5_LIB_FUNCTION
krb5_free_ticket(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/time.c b/source4/heimdal/lib/krb5/time.c
index 46f88a86cd..7a9b36372c 100644
--- a/source4/heimdal/lib/krb5/time.c
+++ b/source4/heimdal/lib/krb5/time.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: time.c 23260 2008-06-21 15:22:37Z lha $");
+RCSID("$Id$");
/**
* Set the absolute time that the caller knows the kdc has so the
diff --git a/source4/heimdal/lib/krb5/transited.c b/source4/heimdal/lib/krb5/transited.c
index 58b00a4b7a..c9db832348 100644
--- a/source4/heimdal/lib/krb5/transited.c
+++ b/source4/heimdal/lib/krb5/transited.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: transited.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/* this is an attempt at one of the most horrible `compression'
schemes that has ever been invented; it's so amazingly brain-dead
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index 55570c44dd..baa4bd6892 100644
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: v4_glue.c 23452 2008-07-27 12:10:54Z lha $");
+RCSID("$Id$");
#include "krb5-v4compat.h"
@@ -348,12 +348,12 @@ storage_to_etext(krb5_context context,
krb5_ssize_t size;
krb5_data data;
- /* multiple of eight bytes */
+ /* multiple of eight bytes, don't round up */
size = krb5_storage_seek(sp, 0, SEEK_END);
if (size < 0)
return KRB4ET_RD_AP_UNDEC;
- size = 8 - (size & 7);
+ size = ((size+7) & ~7) - size;
ret = krb5_storage_write(sp, eightzeros, size);
if (ret != size)
diff --git a/source4/heimdal/lib/krb5/version.c b/source4/heimdal/lib/krb5/version.c
index f7ccff5bc8..cbc4f8c3e1 100644
--- a/source4/heimdal/lib/krb5/version.c
+++ b/source4/heimdal/lib/krb5/version.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: version.c 7464 1999-12-02 17:05:13Z joda $");
+RCSID("$Id$");
/* this is just to get a version stamp in the library file */
diff --git a/source4/heimdal/lib/krb5/warn.c b/source4/heimdal/lib/krb5/warn.c
index 97a6cc9e0a..c7fe5640b5 100644
--- a/source4/heimdal/lib/krb5/warn.c
+++ b/source4/heimdal/lib/krb5/warn.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <err.h>
-RCSID("$Id: warn.c 23206 2008-05-29 02:13:41Z lha $");
+RCSID("$Id$");
static krb5_error_code _warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)