Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/cache.c39
-rw-r--r--source4/heimdal/lib/krb5/changepw.c6
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c12
-rw-r--r--source4/heimdal/lib/krb5/init_creds.c7
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c4
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h4
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h8
-rw-r--r--source4/heimdal/lib/krb5/krb5-v4compat.h50
-rw-r--r--source4/heimdal/lib/krb5/krb5.h13
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h10
-rw-r--r--source4/heimdal/lib/krb5/krb_err.et63
-rw-r--r--source4/heimdal/lib/krb5/krbhst.c6
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c52
-rw-r--r--source4/heimdal/lib/krb5/plugin.c16
-rw-r--r--source4/heimdal/lib/krb5/rd_priv.c16
-rw-r--r--source4/heimdal/lib/krb5/v4_glue.c64
16 files changed, 242 insertions, 128 deletions
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 5be3935f2b..59aae40d28 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: cache.c 20503 2007-04-21 22:03:56Z lha $");
+RCSID("$Id: cache.c 21498 2007-07-11 09:41:43Z lha $");
/*
* Add a new ccache type with operations `ops', overwriting any
@@ -339,6 +339,35 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
}
/*
+ * Return non-zero if envirnoment that will determine default krb5cc
+ * name has changed.
+ */
+
+static int
+environment_changed(krb5_context context)
+{
+ const char *e;
+
+ if(issuid())
+ return 0;
+
+ e = getenv("KRB5CCNAME");
+ if (e == NULL) {
+ if (context->default_cc_name_env) {
+ free(context->default_cc_name_env);
+ context->default_cc_name_env = NULL;
+ return 1;
+ }
+ } else {
+ if (context->default_cc_name_env == NULL)
+ return 1;
+ if (strcmp(e, context->default_cc_name_env) != 0)
+ return 1;
+ }
+ return 0;
+}
+
+/*
* Set the default cc name for `context' to `name'.
*/
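Review bot: environment_changed() frees and clears context->default_cc_name_env inside what reads as a pure predicate (the `e == NULL` branch), so a caller cannot call it twice to re-check without getting a different answer the second time; that side effect deserves a comment at the function head, e.g. `/* Side effect: when KRB5CCNAME has been unset, drops the cached copy so the next call reports no change. */`. The header comment also misspells "environment" as "envirnoment". Note that nothing here takes a lock while mutating the context, which the existing `mutex` field is documented as protecting only error_string/error_buf; if contexts are shared across threads that may need a remark.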
@@ -353,8 +382,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
if(!issuid()) {
e = getenv("KRB5CCNAME");
- if (e)
+ if (e) {
p = strdup(e);
+ if (context->default_cc_name_env)
+ free(context->default_cc_name_env);
+ context->default_cc_name_env = strdup(e);
+ }
}
if (e == NULL) {
e = krb5_config_get_string(context, NULL, "libdefaults",
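Review bot: The new `context->default_cc_name_env = strdup(e);` is unchecked; if it fails the field stays NULL while KRB5CCNAME is set, so environment_changed() reports a change on every subsequent krb5_cc_default_name() call and the default name is recomputed each time. Since `p = strdup(e)` is presumably checked below (outside the hunk), the second copy should get the same treatment, e.g. `if (context->default_cc_name_env == NULL) { free(p); return ENOMEM; }` — confirm how this function reports allocation failure, as its error path is not visible here. krb5_cc_set_default_name starts and ends outside this hunk.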
@@ -389,7 +422,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
const char* KRB5_LIB_FUNCTION
krb5_cc_default_name(krb5_context context)
{
- if (context->default_cc_name == NULL)
+ if (context->default_cc_name == NULL || environment_changed(context))
krb5_cc_set_default_name(context, NULL);
return context->default_cc_name;
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 3ceb6df89c..703cf43eb6 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: changepw.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
static void
str2data (krb5_data *d,
@@ -46,10 +46,12 @@ str2data (krb5_data *d,
...)
{
va_list args;
+ char *str;
va_start(args, fmt);
- d->length = vasprintf ((char **)&d->data, fmt, args);
+ d->length = vasprintf (&str, fmt, args);
va_end(args);
+ d->data = str;
}
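Review bot: The aliasing fix is right, but vasprintf() still returns -1 on failure and leaves `str` indeterminate, so `d->length` becomes a huge size_t and `d->data` an indeterminate pointer that the caller (outside this hunk) will then use. Check the return value before filling in `d`, and make callers aware that `d->data` may be NULL; str2data's signature is in the preceding hunk and the function is void, so the failure has to be signalled through the krb5_data itself.
```c
    va_list args;
    char *str = NULL;
    int len;

    va_start(args, fmt);
    len = vasprintf (&str, fmt, args);
    va_end(args);
    /* vasprintf returns -1 on failure and leaves str indeterminate */
    if (len < 0) {
        d->data = NULL;
        d->length = 0;
        return;
    }
    d->data = str;
    d->length = len;
```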
/*
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 8a0af23e40..7c3f128ae5 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_cred.c 21327 2007-06-26 10:54:15Z lha $");
+RCSID("$Id: get_cred.c 21669 2007-07-22 11:29:13Z lha $");
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -1224,9 +1224,10 @@ krb5_get_renewed_creds(krb5_context context,
{
krb5_error_code ret;
krb5_kdc_flags flags;
- krb5_creds in, *template;
+ krb5_creds in, *template, *out = NULL;
memset(&in, 0, sizeof(in));
+ memset(creds, 0, sizeof(*creds));
ret = krb5_copy_principal(context, client, &in.client);
if (ret)
@@ -1263,9 +1264,14 @@ krb5_get_renewed_creds(krb5_context context,
krb5_free_creds (context, template);
}
- ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &creds);
+ ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
krb5_free_principal(context, in.client);
krb5_free_principal(context, in.server);
+ if (ret)
+ return ret;
+
+ ret = krb5_copy_creds_contents(context, out, creds);
+ krb5_free_creds(context, out);
return ret;
}
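Review bot: krb5_get_renewed_creds keeps its exported KRB5_LIB_FUNCTION definition here while the same commit deletes its prototype from krb5-protos.h (the hunk at -2244); unless the declaration was moved to another header not in this diff, external callers lose the prototype and fall back to an implicit declaration, which a C99 compiler rejects. If the removal is deliberate the definition should say so, e.g. `/* Not in krb5-protos.h: declared in <HEADER-PLACEHOLDER> */`, otherwise the prototype should be restored. The early `memset(creds, 0, ...)` in the first hunk means the caller gets a zeroed struct on every failure path, which is worth a one-line comment since the later `krb5_copy_creds_contents` is the only thing that fills it.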
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 5bdf23d97f..bd250cef2b 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds.c 20541 2007-04-23 12:19:14Z lha $");
+RCSID("$Id: init_creds.c 21712 2007-07-27 14:23:41Z lha $");
void KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -225,9 +225,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
krb5_get_init_creds_opt_set_renew_life(opt, t);
krb5_appdefault_boolean(context, appname, realm, "no-addresses",
- FALSE, &b);
- if (b)
- krb5_get_init_creds_opt_set_addressless (context, opt, TRUE);
+ KRB5_ADDRESSLESS_DEFAULT, &b);
+ krb5_get_init_creds_opt_set_addressless (context, opt, b);
#if 0
krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
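Review bot: Calling `krb5_get_init_creds_opt_set_addressless (context, opt, b)` unconditionally is a behaviour change: before, an unconfigured "no-addresses" left whatever the caller had already set on `opt`, now it is overwritten with `KRB5_ADDRESSLESS_DEFAULT`. That is presumably intended, but it deserves a comment such as `/* Always applied: the appdefault (or KRB5_ADDRESSLESS_DEFAULT) overrides any earlier set_addressless() on opt */`. `KRB5_ADDRESSLESS_DEFAULT` is not defined anywhere in this diff, so it must already exist in a header the file includes — worth confirming for the build.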
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 1676da3bd6..0043b5ef3c 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c 21061 2007-06-12 17:56:30Z lha $");
+RCSID("$Id: init_creds_pw.c 21428 2007-07-10 12:31:58Z lha $");
typedef struct krb5_get_init_creds_ctx {
KDCOptions flags;
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index a551c42ecd..9a84dde61a 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -383,7 +383,7 @@ _krb5_pk_verify_sign (
krb5_error_code
_krb5_plugin_find (
krb5_context /*context*/,
- enum plugin_type /*type*/,
+ enum krb5_plugin_type /*type*/,
const char */*name*/,
struct krb5_plugin **/*list*/);
@@ -399,7 +399,7 @@ _krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
krb5_error_code
_krb5_plugin_register (
krb5_context /*context*/,
- enum plugin_type /*type*/,
+ enum krb5_plugin_type /*type*/,
const char */*name*/,
void */*symbol*/);
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 058496434e..740b394be8 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -2244,14 +2244,6 @@ krb5_get_pw_salt (
krb5_salt */*salt*/);
krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_renewed_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_const_principal /*client*/,
- krb5_ccache /*ccache*/,
- const char */*in_tkt_service*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
krb5_get_server_rcache (
krb5_context /*context*/,
const krb5_data */*piece*/,
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index 2ea534cfe3..dfd7e94460 100644
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,11 +31,13 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5-v4compat.h 17442 2006-05-05 09:31:15Z lha $ */
+/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
#ifndef __KRB5_V4COMPAT_H__
#define __KRB5_V4COMPAT_H__
+#include "krb_err.h"
+
/*
* This file must only be included with v4 compat glue stuff in
* heimdal sources.
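Review bot: The new `#include "krb_err.h"` pulls in a header that is generated from the krb_err.et file added in this commit, so the build has to run the table compiler before any file including krb5-v4compat.h is compiled; a comment on the include line, e.g. `/* generated from krb_err.et */`, would save the next reader a search. The KERB_ERR_*/KDC_*/RD_AP_* macros removed below were raw v4 wire values, while the KRB4ET_* replacements carry ERROR_TABLE_BASE_krb; any remaining code that compares these against wire bytes needs the base subtracted, as v4_glue.c's _krb5_krb_cr_err_reply now does.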
@@ -57,56 +59,10 @@
#define AUTH_MSG_KDC_RENEW (10<<1)
#define AUTH_MSG_DIE (63<<1)
-/* values for kerb error codes */
-
-#define KERB_ERR_OK 0
-#define KERB_ERR_NAME_EXP 1
-#define KERB_ERR_SERVICE_EXP 2
-#define KERB_ERR_AUTH_EXP 3
-#define KERB_ERR_PKT_VER 4
-#define KERB_ERR_NAME_MAST_KEY_VER 5
-#define KERB_ERR_SERV_MAST_KEY_VER 6
-#define KERB_ERR_BYTE_ORDER 7
-#define KERB_ERR_PRINCIPAL_UNKNOWN 8
-#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9
-#define KERB_ERR_NULL_KEY 10
-#define KERB_ERR_TIMEOUT 11
-
-
-/* Error codes returned from the KDC */
-#define KDC_OK 0 /* Request OK */
-#define KDC_NAME_EXP 1 /* Principal expired */
-#define KDC_SERVICE_EXP 2 /* Service expired */
-#define KDC_AUTH_EXP 3 /* Auth expired */
-#define KDC_PKT_VER 4 /* Protocol version unknown */
-#define KDC_P_MKEY_VER 5 /* Wrong master key version */
-#define KDC_S_MKEY_VER 6 /* Wrong master key version */
-#define KDC_BYTE_ORDER 7 /* Byte order unknown */
-#define KDC_PR_UNKNOWN 8 /* Principal unknown */
-#define KDC_PR_N_UNIQUE 9 /* Principal not unique */
-#define KDC_NULL_KEY 10 /* Principal has null key */
-#define KDC_GEN_ERR 20 /* Generic error from KDC */
-
/* General definitions */
#define KSUCCESS 0
#define KFAILURE 255
-/* Values returned by rd_ap_req */
-#define RD_AP_OK 0 /* Request authentic */
-#define RD_AP_UNDEC 31 /* Can't decode authenticator */
-#define RD_AP_EXP 32 /* Ticket expired */
-#define RD_AP_NYV 33 /* Ticket not yet valid */
-#define RD_AP_REPEAT 34 /* Repeated request */
-#define RD_AP_NOT_US 35 /* The ticket isn't for us */
-#define RD_AP_INCON 36 /* Request is inconsistent */
-#define RD_AP_TIME 37 /* delta_t too big */
-#define RD_AP_BADD 38 /* Incorrect net address */
-#define RD_AP_VERSION 39 /* protocol version mismatch */
-#define RD_AP_MSG_TYPE 40 /* invalid msg type */
-#define RD_AP_MODIFIED 41 /* message stream modified */
-#define RD_AP_ORDER 42 /* message out of order */
-#define RD_AP_UNAUTHOR 43 /* unauthorized request */
-
/* */
#define MAX_KTXT_LEN 1250
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 345fe70764..4f9a63bf05 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h 21252 2007-06-21 04:18:28Z lha $ */
+/* $Id: krb5.h 21551 2007-07-15 09:03:39Z lha $ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -436,11 +436,6 @@ typedef struct krb5_config_binding krb5_config_binding;
typedef krb5_config_binding krb5_config_section;
-enum {
- KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */
- KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */
-};
-
typedef struct krb5_ticket {
EncTicketPart ticket;
krb5_principal client;
@@ -766,6 +761,12 @@ typedef struct krb5_sendto_ctx *krb5_sendto_ctx;
typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
+struct krb5_plugin;
+enum krb5_plugin_type {
+ PLUGIN_TYPE_DATA = 1,
+ PLUGIN_TYPE_FUNC
+};
+
struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
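Review bot: Moving `enum krb5_plugin_type` into the public krb5.h exports the unprefixed enumerators `PLUGIN_TYPE_DATA` and `PLUGIN_TYPE_FUNC` into every consumer's namespace, unlike the rest of this header's KRB5_-prefixed constants. If they cannot be renamed now, a comment marking the enum as part of the plugin ABI, e.g. `/* public plugin ABI: values are fixed, add new types at the end */`, would at least document the constraint.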
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 87169fc430..b41e6e1182 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_locl.h 20261 2007-02-18 00:32:22Z lha $ */
+/* $Id: krb5_locl.h 21552 2007-07-15 09:04:00Z lha $ */
#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__
@@ -148,12 +148,6 @@ struct krb5_dh_moduli;
/* v4 glue */
struct _krb5_krb_auth_data;
-struct krb5_plugin;
-enum plugin_type {
- PLUGIN_TYPE_DATA = 1,
- PLUGIN_TYPE_FUNC
-};
-
#include <der.h>
#include <krb5.h>
@@ -236,7 +230,7 @@ typedef struct krb5_context_data {
char error_buf[256];
krb5_addresses *ignore_addresses;
char *default_cc_name;
- int pkinit_flags;
+ char *default_cc_name_env;
void *mutex; /* protects error_string/error_buf */
int large_msg_size;
int dns_canonicalize_hostname;
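Review bot: `default_cc_name_env` is a new heap-owned pointer in krb5_context_data (cache.c strdup()s into it), but nothing in this diff frees it; unless krb5_free_context (not shown) is updated, the string leaks on every context teardown, and any context-copying routine would need to duplicate it. A comment next to the field such as `/* strdup()ed copy of KRB5CCNAME; owned by the context, freed with it */` pins the ownership, and the free should land in the same commit.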
diff --git a/source4/heimdal/lib/krb5/krb_err.et b/source4/heimdal/lib/krb5/krb_err.et
new file mode 100644
index 0000000000..f7dbb6ce7a
--- /dev/null
+++ b/source4/heimdal/lib/krb5/krb_err.et
@@ -0,0 +1,63 @@
+#
+# Error messages for the krb4 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRB4ET
+ec KSUCCESS, "Kerberos 4 successful"
+ec KDC_NAME_EXP, "Kerberos 4 principal expired"
+ec KDC_SERVICE_EXP, "Kerberos 4 service expired"
+ec KDC_AUTH_EXP, "Kerberos 4 auth expired"
+ec KDC_PKT_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_P_MKEY_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_S_MKEY_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_BYTE_ORDER, "Kerberos 4 byte order unknown"
+ec KDC_PR_UNKNOWN, "Kerberos 4 principal unknown"
+ec KDC_PR_N_UNIQUE, "Kerberos 4 principal not unique"
+ec KDC_NULL_KEY, "Kerberos 4 principal has null key"
+index 20
+ec KDC_GEN_ERR, "Generic error from KDC (Kerberos 4)"
+ec GC_TKFIL, "Can't read Kerberos 4 ticket file"
+ec GC_NOTKT, "Can't find Kerberos 4 ticket or TGT"
+index 26
+ec MK_AP_TGTEXP, "Kerberos 4 TGT Expired"
+index 31
+ec RD_AP_UNDEC, "Kerberos 4: Can't decode authenticator"
+ec RD_AP_EXP, "Kerberos 4 ticket expired"
+ec RD_AP_NYV, "Kerberos 4 ticket not yet valid"
+ec RD_AP_REPEAT, "Kerberos 4: Repeated request"
+ec RD_AP_NOT_US, "The Kerberos 4 ticket isn't for us"
+ec RD_AP_INCON, "Kerberos 4 request inconsistent"
+ec RD_AP_TIME, "Kerberos 4: delta_t too big"
+ec RD_AP_BADD, "Kerberos 4: incorrect net address"
+ec RD_AP_VERSION, "Kerberos protocol not version 4"
+ec RD_AP_MSG_TYPE, "Kerberos 4: invalid msg type"
+ec RD_AP_MODIFIED, "Kerberos 4: message stream modified"
+ec RD_AP_ORDER, "Kerberos 4: message out of order"
+ec RD_AP_UNAUTHOR, "Kerberos 4: unauthorized request"
+index 51
+ec GT_PW_NULL, "Kerberos 4: current PW is null"
+ec GT_PW_BADPW, "Kerberos 4: Incorrect current password"
+ec GT_PW_PROT, "Kerberos 4 protocol error"
+ec GT_PW_KDCERR, "Error returned by KDC (Kerberos 4)"
+ec GT_PW_NULLTKT, "Null Kerberos 4 ticket returned by KDC"
+ec SKDC_RETRY, "Kerberos 4: Retry count exceeded"
+ec SKDC_CANT, "Kerberos 4: Can't send request"
+index 61
+ec INTK_W_NOTALL, "Kerberos 4: not all tickets returned"
+ec INTK_BADPW, "Kerberos 4: incorrect password"
+ec INTK_PROT, "Kerberos 4: Protocol Error"
+index 70
+ec INTK_ERR, "Other error in Kerberos 4"
+ec AD_NOTGT, "Don't have Kerberos 4 ticket-granting ticket"
+index 76
+ec NO_TKT_FIL, "No Kerberos 4 ticket file found"
+ec TKT_FIL_ACC, "Couldn't access Kerberos 4 ticket file"
+ec TKT_FIL_LCK, "Couldn't lock Kerberos 4 ticket file"
+ec TKT_FIL_FMT, "Bad Kerberos 4 ticket file format"
+ec TKT_FIL_INI, "Kerberos 4: tf_init not called first"
+ec KNAME_FMT, "Bad Kerberos 4 name format"
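Review bot: The text for `KDC_PKT_VER` reads "Incorrect Kerberos 4 master key version", but the macro this replaces (KDC_PKT_VER in the removed krb5-v4compat.h block) was documented as "Protocol version unknown"; the message appears copy-pasted from the two MKEY_VER entries that follow it and should be `ec KDC_PKT_VER, "Kerberos 4 protocol version unknown"`. The removed macro KERB_ERR_TIMEOUT (11) has no entry in this table, so the `index 20` jump leaves codes 11-19 without a message; if code 11 can still arrive on the wire it needs a line here.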
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index 69b52dd808..094fd4f9c6 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -35,7 +35,7 @@
#include <resolve.h>
#include "locate_plugin.h"
-RCSID("$Id: krbhst.c 21131 2007-06-18 20:48:09Z lha $");
+RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
static int
string_to_proto(const char *string)
@@ -919,8 +919,10 @@ gethostlist(krb5_context context, const char *realm,
while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
nhost++;
- if(nhost == 0)
+ if(nhost == 0) {
+ krb5_set_error_string(context, "No KDC found for realm %s", realm);
return KRB5_KDC_UNREACH;
+ }
*hostlist = calloc(nhost + 1, sizeof(**hostlist));
if(*hostlist == NULL) {
krb5_krbhst_free(context, handle);
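Review bot: The `nhost == 0` branch returns KRB5_KDC_UNREACH without releasing `handle`, while the very next failure path below calls `krb5_krbhst_free(context, handle);` before returning, so the empty-realm case leaks the krbhst handle on every lookup. Add the same free before the return: `krb5_set_error_string(context, "No KDC found for realm %s", realm); krb5_krbhst_free(context, handle); return KRB5_KDC_UNREACH;`. gethostlist's start is outside the hunk, so confirm `handle` is the only resource live at that point.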
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 105cab554d..c8587770f4 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c 21321 2007-06-26 05:21:56Z lha $");
+RCSID("$Id: pkinit.c 21684 2007-07-23 23:09:10Z lha $");
struct krb5_dh_moduli {
char *name;
@@ -645,8 +645,6 @@ _krb5_pk_mk_padata(krb5_context context,
req_body->realm,
"pkinit_win2k",
NULL);
- if (context->pkinit_flags & KRB5_PKINIT_WIN2K)
- win2k_compat = 1;
if (win2k_compat) {
ctx->require_binding =
@@ -1721,7 +1719,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
free(moduli);
}
-static const char *default_moduli =
+static const char *default_moduli_RFC2412_MODP_group2 =
/* name */
"RFC2412-MODP-group2 "
/* bits */
@@ -1743,6 +1741,37 @@ static const char *default_moduli =
"F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
"FFFFFFFF" "FFFFFFFF";
+static const char *default_moduli_rfc3526_MODP_group14 =
+ /* name */
+ "rfc3526-MODP-group14 "
+ /* bits */
+ "1760 "
+ /* p */
+ "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+ "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+ "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+ "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+ "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
+ "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
+ "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
+ "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
+ "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
+ "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
+ "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
+ /* g */
+ "02 "
+ /* q */
+ "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
+ "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
+ "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
+ "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
+ "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
+ "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
+ "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
+ "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
+ "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
+ "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
+ "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
krb5_error_code
_krb5_parse_moduli(krb5_context context, const char *file,
@@ -1757,19 +1786,28 @@ _krb5_parse_moduli(krb5_context context, const char *file,
*moduli = NULL;
- m = calloc(1, sizeof(m[0]) * 2);
+ m = calloc(1, sizeof(m[0]) * 3);
if (m == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
- strlcpy(buf, default_moduli, sizeof(buf));
+ strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]);
if (ret) {
_krb5_free_moduli(m);
return ret;
}
- n = 1;
+ n++;
+
+ strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
+ ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]);
+ if (ret) {
+ _krb5_free_moduli(m);
+ return ret;
+ }
+ n++;
+
if (file == NULL)
file = MODULI_FILE;
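Review bot: `strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf))` copies a string of roughly 1050 characters (name, two 512-hex-digit p and q values, g) but strlcpy truncates silently; `buf` is declared outside the hunk and was previously only asked to hold the shorter group2 string, so if it is still sized for that, the new default modulus is cut off before parsing. Check the return value, e.g. `if (strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf)) >= sizeof(buf)) { _krb5_free_moduli(m); return EINVAL; }`, or size `buf` from the longest builtin. Separately, `n = 1` became `n++`, which now depends on `n` being initialised to 0 at its declaration outside the hunk — worth confirming.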
diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c
index 68317a12c0..43fa3f5b45 100644
--- a/source4/heimdal/lib/krb5/plugin.c
+++ b/source4/heimdal/lib/krb5/plugin.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: plugin.c 21134 2007-06-18 21:02:23Z lha $");
+RCSID("$Id: plugin.c 21702 2007-07-26 19:13:53Z lha $");
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
#endif
@@ -45,7 +45,7 @@ struct krb5_plugin {
};
struct plugin {
- enum plugin_type type;
+ enum krb5_plugin_type type;
void *name;
void *symbol;
struct plugin *next;
@@ -76,9 +76,11 @@ _krb5_plugin_get_next(struct krb5_plugin *p)
*
*/
+#ifdef HAVE_DLOPEN
+
static krb5_error_code
loadlib(krb5_context context,
- enum plugin_type type,
+ enum krb5_plugin_type type,
const char *name,
const char *lib,
struct krb5_plugin **e)
@@ -113,10 +115,11 @@ loadlib(krb5_context context,
return 0;
}
+#endif /* HAVE_DLOPEN */
krb5_error_code
_krb5_plugin_register(krb5_context context,
- enum plugin_type type,
+ enum krb5_plugin_type type,
const char *name,
void *symbol)
{
@@ -146,7 +149,7 @@ _krb5_plugin_register(krb5_context context,
krb5_error_code
_krb5_plugin_find(krb5_context context,
- enum plugin_type type,
+ enum krb5_plugin_type type,
const char *name,
struct krb5_plugin **list)
{
@@ -181,6 +184,8 @@ _krb5_plugin_find(krb5_context context,
}
HEIMDAL_MUTEX_unlock(&plugin_mutex);
+#ifdef HAVE_DLOPEN
+
dirs = krb5_config_get_strings(context, NULL, "libdefaults",
"plugin_dir", NULL);
if (dirs == NULL) {
@@ -213,6 +218,7 @@ _krb5_plugin_find(krb5_context context,
}
if (dirs != sysdirs)
krb5_config_free_strings(dirs);
+#endif /* HAVE_DLOPEN */
if (*list == NULL) {
krb5_set_error_string(context, "Did not find a plugin for %s", name);
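Review bot: With the directory scan wrapped in `#ifdef HAVE_DLOPEN`, the locals it uses (`dirs`, `sysdirs`, declared outside this hunk) look unused when HAVE_DLOPEN is not defined, which produces warnings under -Wall and hides real ones; either move their declarations inside the same guard or mark the non-dlopen case explicitly, e.g. `#else /* !HAVE_DLOPEN: only statically registered plugins are searched */`. A one-line comment at the `#ifdef` stating that only the registered list is consulted without dlopen would also help the reader of the "Did not find a plugin" error path.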
diff --git a/source4/heimdal/lib/krb5/rd_priv.c b/source4/heimdal/lib/krb5/rd_priv.c
index d3920dd941..47b5df85b2 100644
--- a/source4/heimdal/lib/krb5/rd_priv.c
+++ b/source4/heimdal/lib/krb5/rd_priv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_priv.c 17056 2006-04-12 16:18:10Z lha $");
+RCSID("$Id: rd_priv.c 21770 2007-08-01 04:04:33Z lha $");
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_priv(krb5_context context,
@@ -55,13 +55,17 @@ krb5_rd_priv(krb5_context context,
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- outdata == NULL)
+ outdata == NULL) {
+ krb5_clear_error_string (context);
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ }
memset(&priv, 0, sizeof(priv));
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
- if (ret)
+ if (ret) {
+ krb5_clear_error_string (context);
goto failure;
+ }
if (priv.pvno != 5) {
krb5_clear_error_string (context);
ret = KRB5KRB_AP_ERR_BADVERSION;
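Review bot: On the `decode_KRB_PRIV` failure path the hunk clears the error string and jumps to failure, so the caller only sees the raw ASN.1 error code with no message, whereas the surrounding checks (pvno, etc.) describe what went wrong; `krb5_set_error_string (context, "Failed to decode KRB-PRIV");` would be more useful than a bare clear, and the same applies to the `decode_EncKrbPrivPart` path in the next hunk. The `KRB5_RC_REQUIRED` return above still carries the "XXX better error" comment the commit did not resolve. krb5_rd_priv starts and ends outside this hunk.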
@@ -94,8 +98,10 @@ krb5_rd_priv(krb5_context context,
ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
krb5_data_free (&plain);
- if (ret)
+ if (ret) {
+ krb5_clear_error_string (context);
goto failure;
+ }
/* check sender address */
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index d42fbec3a5..3f99df6391 100644
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: v4_glue.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: v4_glue.c 21572 2007-07-16 05:13:08Z lha $");
#include "krb5-v4compat.h"
@@ -351,12 +351,12 @@ storage_to_etext(krb5_context context,
size = krb5_storage_seek(sp, 0, SEEK_END);
if (size < 0)
- return EINVAL;
+ return KRB4ET_RD_AP_UNDEC;
size = 8 - (size & 7);
ret = krb5_storage_write(sp, eightzeros, size);
if (ret != size)
- return EINVAL;
+ return KRB4ET_RD_AP_UNDEC;
ret = krb5_storage_to_data(sp, &data);
if (ret)
@@ -435,7 +435,7 @@ _krb5_krb_create_ticket(krb5_context context,
session->keyvalue.data,
session->keyvalue.length);
if (ret != session->keyvalue.length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
goto error;
}
@@ -487,7 +487,7 @@ _krb5_krb_create_ciph(krb5_context context,
session->keyvalue.data,
session->keyvalue.length);
if (ret != session->keyvalue.length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
goto error;
}
@@ -497,7 +497,7 @@ _krb5_krb_create_ciph(krb5_context context,
RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
ret = krb5_storage_write(sp, ticket->data, ticket->length);
if (ret != ticket->length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
goto error;
}
RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
@@ -550,7 +550,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
ret = krb5_storage_write(sp, cipher->data, cipher->length);
if (ret != cipher->length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
goto error;
}
@@ -599,6 +599,9 @@ _krb5_krb_cr_err_reply(krb5_context context,
RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
RCHECK(ret, put_nir(sp, name, inst, realm), error);
RCHECK(ret, krb5_store_int32(sp, time_ws), error);
+ /* If its a Kerberos 4 error-code, remove the et BASE */
+ if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
+ e -= ERROR_TABLE_BASE_krb;
RCHECK(ret, krb5_store_int32(sp, e), error);
RCHECK(ret, krb5_store_stringz(sp, e_string), error);
@@ -623,7 +626,7 @@ get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
if (strlen(*str) > max_len) {
free(*str);
*str = NULL;
- return EINVAL;
+ return KRB4ET_INTK_PROT;
}
return 0;
}
@@ -662,7 +665,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
return ENOMEM;
}
- krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+ krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
@@ -672,7 +675,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
size = krb5_storage_read(sp, des_key, sizeof(des_key));
if (size != sizeof(des_key)) {
- ret = EINVAL; /* XXX */
+ ret = KRB4ET_INTK_PROT;
goto error;
}
@@ -770,26 +773,32 @@ _krb5_krb_rd_req(krb5_context context,
return ENOMEM;
}
- krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+ krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
ret = krb5_ret_int8(sp, &pvno);
- if (ret)
+ if (ret) {
+ krb5_set_error_string(context, "Failed reading v4 pvno");
goto error;
+ }
if (pvno != KRB_PROT_VERSION) {
- ret = EINVAL; /* XXX */
+ ret = KRB4ET_RD_AP_VERSION;
+ krb5_set_error_string(context, "Failed v4 pvno not 4");
goto error;
}
ret = krb5_ret_int8(sp, &type);
- if (ret)
+ if (ret) {
+ krb5_set_error_string(context, "Failed readin v4 type");
goto error;
+ }
little_endian = type & 1;
type &= ~1;
if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
- ret = EINVAL; /* RD_AP_MSG_TYPE */
+ ret = KRB4ET_RD_AP_MSG_TYPE;
+ krb5_set_error_string(context, "Not a valid v4 request type");
goto error;
}
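Review bot: The message added for the type read has a typo, "Failed readin v4 type", and "Failed v4 pvno not 4" reads oddly; suggest `krb5_set_error_string(context, "Failed reading v4 type");` and `krb5_set_error_string(context, "v4 pvno %d is not %d", pvno, KRB_PROT_VERSION);` if pvno is an integer type here. The hunk also alternates between setting `ret` before and after the error string (compare the pvno and type-check branches), which the later hunks of this function continue; one order throughout makes the error paths easier to audit. _krb5_krb_rd_req starts and ends outside this hunk.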
@@ -801,7 +810,8 @@ _krb5_krb_rd_req(krb5_context context,
size = krb5_storage_read(sp, ticket.data, ticket.length);
if (size != ticket.length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
+ krb5_set_error_string(context, "Failed reading v4 ticket");
goto error;
}
@@ -815,7 +825,8 @@ _krb5_krb_rd_req(krb5_context context,
size = krb5_storage_read(sp, eaut.data, eaut.length);
if (size != eaut.length) {
- ret = EINVAL;
+ ret = KRB4ET_INTK_PROT;
+ krb5_set_error_string(context, "Failed reading v4 authenticator");
goto error;
}
@@ -828,8 +839,8 @@ _krb5_krb_rd_req(krb5_context context,
sp = krb5_storage_from_data(&aut);
if (sp == NULL) {
- krb5_set_error_string(context, "alloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_string(context, "alloc: out of memory");
goto error;
}
@@ -849,19 +860,22 @@ _krb5_krb_rd_req(krb5_context context,
if (strcmp(ad->pname, r_name) != 0 ||
strcmp(ad->pinst, r_instance) != 0 ||
strcmp(ad->prealm, r_realm) != 0) {
- ret = EINVAL; /* RD_AP_INCON */
+ krb5_set_error_string(context, "v4 principal mismatch");
+ ret = KRB4ET_RD_AP_INCON;
goto error;
}
- if (from_addr && from_addr != ad->address) {
- ret = EINVAL; /* RD_AP_BADD */
+ if (from_addr && ad->address && from_addr != ad->address) {
+ krb5_set_error_string(context, "v4 bad address in ticket");
+ ret = KRB4ET_RD_AP_BADD;
goto error;
}
gettimeofday(&tv, NULL);
delta_t = abs((int)(tv.tv_sec - r_time_sec));
if (delta_t > CLOCK_SKEW) {
- ret = EINVAL; /* RD_AP_TIME */
+ ret = KRB4ET_RD_AP_TIME;
+ krb5_set_error_string(context, "v4 clock skew");
goto error;
}
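Review bot: The address check now reads `if (from_addr && ad->address && from_addr != ad->address)`, so a ticket whose embedded address is 0 is accepted from any peer; that is presumably the intended addressless-ticket semantics, but as written it looks like a relaxation of the check and needs a comment, e.g. `/* a zero address in the ticket means addressless: no peer check */`. The `delta_t = abs((int)(tv.tv_sec - r_time_sec))` context line truncates a time_t difference to int before abs(); it is pre-existing, but since this hunk now assigns a proper KRB4ET_RD_AP_TIME to it, a note that the cast assumes a small skew would be appropriate.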
@@ -870,12 +884,14 @@ _krb5_krb_rd_req(krb5_context context,
tkt_age = tv.tv_sec - ad->time_sec;
if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
- ret = EINVAL; /* RD_AP_NYV */
+ ret = KRB4ET_RD_AP_NYV;
+ krb5_set_error_string(context, "v4 clock skew for expiration");
goto error;
}
if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
- ret = EINVAL; /* RD_AP_EXP */
+ ret = KRB4ET_RD_AP_EXP;
+ krb5_set_error_string(context, "v4 ticket expired");
goto error;
}