Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/addr_families.c6
-rw-r--r--source4/heimdal/lib/krb5/changepw.c4
-rw-r--r--source4/heimdal/lib/krb5/crc.c6
-rw-r--r--source4/heimdal/lib/krb5/crypto.c12
-rw-r--r--source4/heimdal/lib/krb5/generate_seq_number.c6
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c3
-rw-r--r--source4/heimdal/lib/krb5/kcm.c10
-rw-r--r--source4/heimdal/lib/krb5/keytab_file.c4
-rw-r--r--source4/heimdal/lib/krb5/keytab_keyfile.c7
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h26
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h34
-rw-r--r--source4/heimdal/lib/krb5/krb5-v4compat.h10
-rw-r--r--source4/heimdal/lib/krb5/krb5.h12
-rw-r--r--source4/heimdal/lib/krb5/krb5_ccapi.h4
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h2
-rw-r--r--source4/heimdal/lib/krb5/log.c6
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c193
-rw-r--r--source4/heimdal/lib/krb5/principal.c3
-rw-r--r--source4/heimdal/lib/krb5/store.c79
-rw-r--r--source4/heimdal/lib/krb5/v4_glue.c38
20 files changed, 358 insertions, 107 deletions
diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c
index ebdbcfed46..895b01f9d8 100644
--- a/source4/heimdal/lib/krb5/addr_families.c
+++ b/source4/heimdal/lib/krb5/addr_families.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: addr_families.c,v 1.51 2006/04/02 02:17:31 lha Exp $");
+RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $");
struct addr_operations {
int af;
@@ -199,7 +199,7 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
unsigned long len, krb5_address *low, krb5_address *high)
{
unsigned long ia;
- u_int32_t l, h, m = 0xffffffff;
+ uint32_t l, h, m = 0xffffffff;
if (len > 32) {
krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len);
@@ -391,7 +391,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
unsigned long len, krb5_address *low, krb5_address *high)
{
struct in6_addr addr, laddr, haddr;
- u_int32_t m;
+ uint32_t m;
int i, sub_len;
if (len > 128) {
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 7907e1ad9c..ba584a04a4 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: changepw.c,v 1.55 2005/12/12 12:48:57 lha Exp $");
+RCSID("$Id: changepw.c,v 1.56 2006/05/05 09:26:47 lha Exp $");
static void
str2data (krb5_data *d,
@@ -271,7 +271,7 @@ process_reply (krb5_context context,
krb5_error_code ret;
u_char reply[1024 * 3];
ssize_t len;
- u_int16_t pkt_len, pkt_ver;
+ uint16_t pkt_len, pkt_ver;
krb5_data ap_rep_data;
int save_errno;
diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c
index c7cedd8c9e..4cfed75154 100644
--- a/source4/heimdal/lib/krb5/crc.c
+++ b/source4/heimdal/lib/krb5/crc.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
+RCSID("$Id: crc.c,v 1.10 2006/05/05 09:27:09 lha Exp $");
static u_long table[256];
@@ -62,8 +62,8 @@ _krb5_crc_init_table(void)
flag = 1;
}
-u_int32_t
-_krb5_crc_update (const char *p, size_t len, u_int32_t res)
+uint32_t
+_krb5_crc_update (const char *p, size_t len, uint32_t res)
{
while (len--)
res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 3a90995283..2e8160518b 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.134 2006/04/10 08:58:53 lha Exp $");
+RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $");
#undef CRYPTO_DEBUG
#ifdef CRYPTO_DEBUG
@@ -602,7 +602,7 @@ AES_string_to_key(krb5_context context,
krb5_keyblock *key)
{
krb5_error_code ret;
- u_int32_t iter;
+ uint32_t iter;
struct encryption_type *et;
struct key_data kd;
@@ -611,7 +611,7 @@ AES_string_to_key(krb5_context context,
else if (opaque.length == 4) {
unsigned long v;
_krb5_get_int(opaque.data, &v, 4);
- iter = ((u_int32_t)v);
+ iter = ((uint32_t)v);
} else
return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
@@ -1296,7 +1296,7 @@ CRC32_checksum(krb5_context context,
unsigned usage,
Checksum *C)
{
- u_int32_t crc;
+ uint32_t crc;
unsigned char *r = C->checksum.data;
_krb5_crc_init_table ();
crc = _krb5_crc_update (data, len, 0);
@@ -4282,7 +4282,7 @@ _krb5_pk_octetstring2key(krb5_context context,
static krb5_error_code
krb5_get_keyid(krb5_context context,
krb5_keyblock *key,
- u_int32_t *keyid)
+ uint32_t *keyid)
{
MD5_CTX md5;
unsigned char tmp[16];
@@ -4300,7 +4300,7 @@ krb5_crypto_debug(krb5_context context,
size_t len,
krb5_keyblock *key)
{
- u_int32_t keyid;
+ uint32_t keyid;
char *kt;
krb5_get_keyid(context, key, &keyid);
krb5_enctype_to_string(context, key->keytype, &kt);
diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c
index f9e9cded5f..7f79e29858 100644
--- a/source4/heimdal/lib/krb5/generate_seq_number.c
+++ b/source4/heimdal/lib/krb5/generate_seq_number.c
@@ -33,16 +33,16 @@
#include <krb5_locl.h>
-RCSID("$Id: generate_seq_number.c,v 1.9 2004/05/25 21:25:22 lha Exp $");
+RCSID("$Id: generate_seq_number.c,v 1.10 2006/05/05 09:28:06 lha Exp $");
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_seq_number(krb5_context context,
const krb5_keyblock *key,
- u_int32_t *seqno)
+ uint32_t *seqno)
{
krb5_error_code ret;
krb5_keyblock *subkey;
- u_int32_t q;
+ uint32_t q;
u_char *p;
int i;
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 489a88a31b..70b6c3e4c3 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c,v 1.92 2006/04/02 01:20:15 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $");
typedef struct krb5_get_init_creds_ctx {
krb5_kdc_flags flags;
@@ -1150,6 +1150,7 @@ process_pa_data_to_key(krb5_context context,
if (pa && ctx->pk_init_ctx) {
#ifdef PKINIT
ret = _krb5_pk_rd_pa_reply(context,
+ a->req_body.realm,
ctx->pk_init_ctx,
etype,
hi,
diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c
index f4372422ac..8f2d9f7f86 100644
--- a/source4/heimdal/lib/krb5/kcm.c
+++ b/source4/heimdal/lib/krb5/kcm.c
@@ -43,7 +43,7 @@
#include "kcm.h"
-RCSID("$Id: kcm.c,v 1.8 2005/09/19 20:23:05 lha Exp $");
+RCSID("$Id: kcm.c,v 1.9 2006/05/05 09:28:48 lha Exp $");
typedef struct krb5_kcmcache {
char *name;
@@ -53,7 +53,7 @@ typedef struct krb5_kcmcache {
#define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data)
#define CACHENAME(X) (KCMCACHE(X)->name)
-#define KCMCURSOR(C) (*(u_int32_t *)(C))
+#define KCMCURSOR(C) (*(uint32_t *)(C))
static krb5_error_code
try_door(krb5_context context, const krb5_kcmcache *k,
@@ -903,7 +903,7 @@ _krb5_kcm_noop(krb5_context context,
krb5_error_code
_krb5_kcm_chmod(krb5_context context,
krb5_ccache id,
- u_int16_t mode)
+ uint16_t mode)
{
krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
@@ -944,8 +944,8 @@ _krb5_kcm_chmod(krb5_context context,
krb5_error_code
_krb5_kcm_chown(krb5_context context,
krb5_ccache id,
- u_int32_t uid,
- u_int32_t gid)
+ uint32_t uid,
+ uint32_t gid)
{
krb5_error_code ret;
krb5_kcmcache *k = KCMCACHE(id);
diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c
index f9a76e634a..1b06387339 100644
--- a/source4/heimdal/lib/krb5/keytab_file.c
+++ b/source4/heimdal/lib/krb5/keytab_file.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_file.c,v 1.22 2006/04/07 21:57:31 lha Exp $");
+RCSID("$Id: keytab_file.c,v 1.23 2006/05/05 12:36:57 lha Exp $");
#define KRB5_KT_VNO_1 1
#define KRB5_KT_VNO_2 2
@@ -428,7 +428,7 @@ loop:
* if it's zero, assume that the 8bit one was right,
* otherwise trust the new value */
curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
- if(len + 4 + pos - curpos == 4) {
+ if(len + 4 + pos - curpos >= 4) {
ret = krb5_ret_int32(cursor->sp, &tmp32);
if (ret == 0 && tmp32 != 0) {
entry->vno = tmp32;
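Review bot: Relaxing the test to `>= 4` makes the outcome depend on how `len + 4 + pos - curpos` is evaluated. The declarations of `len`, `pos` and `curpos` are outside the hunk; if any operand is unsigned, a `curpos` already past the end of the entry would wrap to a large value and still satisfy the comparison. Compute the remaining byte count once in a signed variable and test that, since `len` presumably comes from the keytab file itself. The comment above should also record the new behaviour, e.g. `/* >= 4: tolerate entries that carry further fields after the 32-bit kvno */`.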
diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c
index 32fb48a8a2..d7f8a720e1 100644
--- a/source4/heimdal/lib/krb5/keytab_keyfile.c
+++ b/source4/heimdal/lib/krb5/keytab_keyfile.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_keyfile.c,v 1.18 2006/04/02 01:24:52 lha Exp $");
+RCSID("$Id: keytab_keyfile.c,v 1.19 2006/04/24 15:06:57 lha Exp $");
/* afs keyfile operations --------------------------------------- */
@@ -63,8 +63,7 @@ struct akf_data {
*/
static int
-get_cell_and_realm (krb5_context context,
- struct akf_data *d)
+get_cell_and_realm (krb5_context context, struct akf_data *d)
{
FILE *f;
char buf[BUFSIZ], *cp;
@@ -95,6 +94,7 @@ get_cell_and_realm (krb5_context context,
if (f != NULL) {
if (fgets (buf, sizeof(buf), f) == NULL) {
free (d->cell);
+ d->cell = NULL;
fclose (f);
krb5_set_error_string (context, "no realm in %s",
AFS_SERVERMAGICKRBCONF);
@@ -110,6 +110,7 @@ get_cell_and_realm (krb5_context context,
d->realm = strdup (buf);
if (d->realm == NULL) {
free (d->cell);
+ d->cell = NULL;
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
}
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 00126d60ed..17b282f1d8 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -30,11 +30,11 @@ _krb5_cc_allocate (
void
_krb5_crc_init_table (void);
-u_int32_t
+uint32_t
_krb5_crc_update (
const char */*p*/,
size_t /*len*/,
- u_int32_t /*res*/);
+ uint32_t /*res*/);
krb5_error_code
_krb5_dh_group_ok (
@@ -120,14 +120,14 @@ krb5_error_code
_krb5_kcm_chmod (
krb5_context /*context*/,
krb5_ccache /*id*/,
- u_int16_t /*mode*/);
+ uint16_t /*mode*/);
krb5_error_code
_krb5_kcm_chown (
krb5_context /*context*/,
krb5_ccache /*id*/,
- u_int32_t /*uid*/,
- u_int32_t /*gid*/);
+ uint32_t /*uid*/,
+ uint32_t /*gid*/);
krb5_error_code
_krb5_kcm_get_initial_ticket (
@@ -158,8 +158,8 @@ _krb5_krb_cr_err_reply (
const char */*name*/,
const char */*inst*/,
const char */*realm*/,
- u_int32_t /*time_ws*/,
- u_int32_t /*e*/,
+ uint32_t /*time_ws*/,
+ uint32_t /*e*/,
const char */*e_string*/,
krb5_data */*data*/);
@@ -171,7 +171,7 @@ _krb5_krb_create_auth_reply (
const char */*prealm*/,
int32_t /*time_ws*/,
int /*n*/,
- u_int32_t /*x_date*/,
+ uint32_t /*x_date*/,
unsigned char /*kvno*/,
const krb5_data */*cipher*/,
krb5_data */*data*/);
@@ -183,10 +183,10 @@ _krb5_krb_create_ciph (
const char */*service*/,
const char */*instance*/,
const char */*realm*/,
- u_int32_t /*life*/,
+ uint32_t /*life*/,
unsigned char /*kvno*/,
const krb5_data */*ticket*/,
- u_int32_t /*kdc_time*/,
+ uint32_t /*kdc_time*/,
const krb5_keyblock */*key*/,
krb5_data */*enc_data*/);
@@ -299,6 +299,11 @@ _krb5_parse_moduli_line (
struct krb5_dh_moduli **/*m*/);
void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate (
+ struct krb5_pk_identity */*id*/,
+ int /*boolean*/);
+
+void KRB5_LIB_FUNCTION
_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
krb5_error_code KRB5_LIB_FUNCTION
@@ -341,6 +346,7 @@ _krb5_pk_octetstring2key (
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_rd_pa_reply (
krb5_context /*context*/,
+ const char */*realm*/,
void */*c*/,
krb5_enctype /*etype*/,
const krb5_krbhst_info */*hi*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 56f43f6c3d..37293ff982 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -1592,7 +1592,7 @@ krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_seq_number (
krb5_context /*context*/,
const krb5_keyblock */*key*/,
- u_int32_t */*seqno*/);
+ uint32_t */*seqno*/);
krb5_error_code KRB5_LIB_FUNCTION
krb5_generate_subkey (
@@ -2803,6 +2803,21 @@ krb5_ret_times (
krb5_times */*times*/);
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16 (
+ krb5_storage */*sp*/,
+ uint16_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32 (
+ krb5_storage */*sp*/,
+ uint32_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8 (
+ krb5_storage */*sp*/,
+ uint8_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_salttype_to_string (
krb5_context /*context*/,
krb5_enctype /*etype*/,
@@ -3087,7 +3102,7 @@ krb5_store_keyblock (
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_principal (
krb5_storage */*sp*/,
- krb5_principal /*p*/);
+ krb5_const_principal /*p*/);
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_string (
@@ -3105,6 +3120,21 @@ krb5_store_times (
krb5_times /*times*/);
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16 (
+ krb5_storage */*sp*/,
+ uint16_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32 (
+ krb5_storage */*sp*/,
+ uint32_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8 (
+ krb5_storage */*sp*/,
+ uint8_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_string_to_deltat (
const char */*string*/,
krb5_deltat */*deltat*/);
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index 1d092dcbc9..3e14c5a38f 100644
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5-v4compat.h,v 1.6 2005/04/23 19:38:16 lha Exp $ */
+/* $Id: krb5-v4compat.h,v 1.7 2006/05/05 09:29:07 lha Exp $ */
#ifndef __KRB5_V4COMPAT_H__
#define __KRB5_V4COMPAT_H__
@@ -119,7 +119,7 @@
struct ktext {
unsigned int length; /* Length of the text */
unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
- u_int32_t mbz; /* zero to catch runaway strings */
+ uint32_t mbz; /* zero to catch runaway strings */
};
struct credentials {
@@ -157,11 +157,11 @@ struct _krb5_krb_auth_data {
char *pname; /* Principal's name */
char *pinst; /* His Instance */
char *prealm; /* His Realm */
- u_int32_t checksum; /* Data checksum (opt) */
+ uint32_t checksum; /* Data checksum (opt) */
krb5_keyblock session; /* Session Key */
unsigned char life; /* Life of ticket */
- u_int32_t time_sec; /* Time ticket issued */
- u_int32_t address; /* Address in ticket */
+ uint32_t time_sec; /* Time ticket issued */
+ uint32_t address; /* Address in ticket */
};
time_t _krb5_krb_life_to_time (int, int);
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 9814817600..32fdd6d383 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
+/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -64,7 +64,7 @@ typedef int32_t krb5_error_code;
typedef int krb5_kvno;
-typedef u_int32_t krb5_flags;
+typedef uint32_t krb5_flags;
typedef void *krb5_pointer;
typedef const void *krb5_const_pointer;
@@ -492,7 +492,7 @@ typedef struct krb5_keytab_entry {
krb5_principal principal;
krb5_kvno vno;
krb5_keyblock keyblock;
- u_int32_t timestamp;
+ uint32_t timestamp;
} krb5_keytab_entry;
typedef struct krb5_kt_cursor {
@@ -536,7 +536,7 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
int32_t usec;
- u_int32_t seq;
+ uint32_t seq;
} krb5_replay_data;
/* flags for krb5_auth_con_setflags */
@@ -569,8 +569,8 @@ typedef struct krb5_auth_context_data {
krb5_keyblock *local_subkey;
krb5_keyblock *remote_subkey;
- u_int32_t local_seqnumber;
- u_int32_t remote_seqnumber;
+ uint32_t local_seqnumber;
+ uint32_t remote_seqnumber;
krb5_authenticator authenticator;
diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h
index 29b2ddbecc..d59b589304 100644
--- a/source4/heimdal/lib/krb5/krb5_ccapi.h
+++ b/source4/heimdal/lib/krb5/krb5_ccapi.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_ccapi.h,v 1.2 2006/03/27 04:21:06 lha Exp $ */
+/* $Id: krb5_ccapi.h,v 1.3 2006/05/05 09:29:59 lha Exp $ */
#ifndef KRB5_CCAPI_H
#define KRB5_CCAPI_H 1
@@ -84,7 +84,7 @@ enum {
};
typedef int32_t cc_int32;
-typedef u_int32_t cc_uint32;
+typedef uint32_t cc_uint32;
typedef struct cc_context_t *cc_context_t;
typedef struct cc_ccache_t *cc_ccache_t;
typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t;
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 92dd3271f5..4dcac40c7a 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c
index 7e478bf1e0..e6fcb6bbb9 100644
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: log.c,v 1.38 2006/04/10 09:41:26 lha Exp $");
+RCSID("$Id: log.c,v 1.39 2006/04/24 15:09:27 lha Exp $");
struct facility {
int min;
@@ -221,8 +221,10 @@ log_file(const char *timestr,
if(f->fd == NULL)
return;
fprintf(f->fd, "%s %s\n", timestr, msg);
- if(f->keep_open == 0)
+ if(f->keep_open == 0) {
fclose(f->fd);
+ f->fd = NULL;
+ }
}
static void
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index fa4fb4699e..7e91946095 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.88 2006/04/23 21:30:17 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $");
struct krb5_dh_moduli {
char *name;
@@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data {
int require_binding;
int require_eku;
int require_krbtgt_otherName;
+ int require_hostname_match;
};
void KRB5_LIB_FUNCTION
@@ -161,6 +162,109 @@ _krb5_pk_create_sign(krb5_context context,
return ret;
}
+static int
+cert2epi(hx509_context context, void *ctx, hx509_cert c)
+{
+ ExternalPrincipalIdentifiers *ids = ctx;
+ ExternalPrincipalIdentifier id;
+ hx509_name subject = NULL;
+ void *p;
+ int ret;
+
+ memset(&id, 0, sizeof(id));
+
+ ret = hx509_cert_get_subject(c, &subject);
+ if (ret)
+ return ret;
+
+ if (hx509_name_is_null_p(subject) != 0) {
+
+ id.subjectName = calloc(1, sizeof(*id.subjectName));
+ if (id.subjectName == NULL) {
+ hx509_name_free(&subject);
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ ret = hx509_name_to_der_name(subject, &id.subjectName->data,
+ &id.subjectName->length);
+ if (ret) {
+ hx509_name_free(&subject);
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+ }
+ hx509_name_free(&subject);
+
+
+ id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
+ if (id.issuerAndSerialNumber == NULL) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ {
+ IssuerAndSerialNumber iasn;
+ hx509_name issuer;
+ size_t size;
+
+ memset(&iasn, 0, sizeof(iasn));
+
+ ret = hx509_cert_get_issuer(c, &issuer);
+ if (ret) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ret = hx509_name_to_Name(issuer, &iasn.issuer);
+ hx509_name_free(&issuer);
+ if (ret) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
+ if (ret) {
+ free_IssuerAndSerialNumber(&iasn);
+ free_ExternalPrincipalIdentifier(&id);
+ return ret;
+ }
+
+ ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
+ id.issuerAndSerialNumber->data,
+ id.issuerAndSerialNumber->length,
+ &iasn, &size, ret);
+ free_IssuerAndSerialNumber(&iasn);
+ if (ret)
+ return ret;
+ if (id.issuerAndSerialNumber->length != size)
+ abort();
+ }
+
+ id.subjectKeyIdentifier = NULL;
+
+ p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
+ if (p == NULL) {
+ free_ExternalPrincipalIdentifier(&id);
+ return ENOMEM;
+ }
+
+ ids->val = p;
+ ids->val[ids->len] = id;
+ ids->len++;
+
+ return 0;
+}
+
+static krb5_error_code
+build_edi(krb5_context context,
+ hx509_context hx509ctx,
+ hx509_certs certs,
+ ExternalPrincipalIdentifiers *ids)
+{
+ return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+}
+
static krb5_error_code
build_auth_pack(krb5_context context,
unsigned nonce,
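Review bot: The `if (ret) return ret;` that follows ASN1_MALLOC_ENCODE in cert2epi returns without releasing `id`, so the `issuerAndSerialNumber` allocation (and `subjectName`, when it was filled in) leaks on an encoding failure. Every other error path in the function calls `free_ExternalPrincipalIdentifier(&id)` first, so make this one match: `if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; }`. Separately, the guard `hx509_name_is_null_p(subject) != 0` reads as "encode the subject only when it is null"; if that predicate returns non-zero for an empty name the test is inverted, which is worth confirming against the hx509 definition.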
@@ -446,8 +550,19 @@ pk_mk_padata(krb5_context context,
memset(&req, 0, sizeof(req));
req.signedAuthPack = buf;
- /* XXX tell the kdc what CAs the client is willing to accept */
- req.trustedCertifiers = NULL;
+ req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
+ if (req.trustedCertifiers == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
+ ret = build_edi(context, ctx->id->hx509ctx,
+ ctx->id->anchors, req.trustedCertifiers);
+ if (ret) {
+ krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
req.kdcPkId = NULL;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
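Review bot: The calloc failure branch for `req.trustedCertifiers` jumps to `out` without assigning `ret`, so the function returns whatever `ret` held from the preceding call, which is presumably 0 at this point; add `ret = ENOMEM;` before the `goto out;`. Both new error branches also call `free_PA_PK_AS_REQ(&req)` after `req.signedAuthPack = buf`, so if the code at `out` (outside the hunk) releases `buf` as well, the same memory would be freed twice; that path should be checked. The build_edi failure message drops the underlying error code, and including `ret` in the string would make trust-anchor problems easier to diagnose.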
@@ -524,6 +639,13 @@ _krb5_pk_mk_padata(krb5_context context,
"pkinit_require_krbtgt_otherName",
NULL);
+ ctx->require_hostname_match =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "realms",
+ req_body->realm,
+ "pkinit_require_hostname_match",
+ NULL);
return pk_mk_padata(context, type, ctx, req_body, nonce, md);
}
@@ -710,6 +832,8 @@ get_reply_key(krb5_context context,
static krb5_error_code
pk_verify_host(krb5_context context,
+ const char *realm,
+ const krb5_krbhst_info *hi,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{
@@ -719,13 +843,12 @@ pk_verify_host(krb5_context context,
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
- krb5_clear_error_string(context);
+ krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
return ret;
}
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
- krb5_error_code ret;
int i;
ret = hx509_cert_find_subjectAltName_otherName(host->cert,
@@ -738,6 +861,7 @@ pk_verify_host(krb5_context context,
for (i = 0; i < list.len; i++) {
KRB5PrincipalName r;
+
ret = decode_KRB5PrincipalName(list.val[i].data,
list.val[i].length,
&r,
@@ -747,13 +871,15 @@ pk_verify_host(krb5_context context,
break;
}
-#if 0
- if (r.principalName.name.len != 2) {
- krb5_clear_error_string(context);
+ if (r.principalName.name_string.len != 2 ||
+ strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
+ strcmp(r.principalName.name_string.val[1], realm) != 0 ||
+ strcmp(r.realm, realm) != 0)
+ {
+ krb5_set_error_string(context, "KDC have wrong realm name in "
+ "the certificate");
ret = EINVAL;
}
-#endif
- /* XXX verify realm */
free_KRB5PrincipalName(&r);
if (ret)
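Review bot: The realm comparison runs only inside the `for` loop, so a KDC certificate whose otherName list comes back empty would skip it and leave `ret` at 0. That assumes hx509_cert_find_subjectAltName_otherName reports "none found" as success with `list.len == 0`; its contract is not visible here. With `require_krbtgt_otherName` set this should fail closed, e.g. `if (ret == 0 && list.len == 0) ret = EINVAL;` after the loop, which ends outside this hunk, with a matching error string. The new `strcmp` calls also assume `realm` is non-NULL; it comes from `a->req_body.realm` in the caller, so a guard or a comment stating that precondition would help.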
@@ -761,14 +887,26 @@ pk_verify_host(krb5_context context,
}
hx509_free_octet_string_list(&list);
}
+ if (ret)
+ return ret;
+
+ if (hi) {
+ ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
+ ctx->require_hostname_match,
+ hi->hostname,
+ hi->ai->ai_addr, hi->ai->ai_addrlen);
+ if (ret)
+ krb5_set_error_string(context, "Address mismatch in the KDC certificate");
+ }
return ret;
}
static krb5_error_code
pk_rd_pa_reply_enckey(krb5_context context,
int type,
- ContentInfo *rep,
+ const ContentInfo *rep,
+ const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
const krb5_krbhst_info *hi,
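Review bot: When `hi` is NULL the hostname/address check is skipped entirely, even if `pkinit_require_hostname_match` is set, so the setting is silently ineffective on any path that passes no host info. Fail closed there: `if (hi == NULL && ctx->require_hostname_match) { krb5_set_error_string(context, "No KDC host info to match certificate against"); return EINVAL; }`. Inside the `if (hi)` branch `hi->ai` is dereferenced without a NULL check; if address resolution for a krbhst entry can be deferred or fail, that needs a guard. The option also defaults to FALSE in _krb5_pk_mk_padata, so binding the KDC certificate to the contacted host is opt-in and should be called out in the configuration documentation.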
@@ -846,7 +984,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
goto out;
/* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, ctx, host);
+ ret = pk_verify_host(context, realm, hi, ctx, host);
if (ret) {
krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
goto out;
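Review bot: The unchanged `krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);` after this call overwrites the specific messages this commit adds in pk_verify_host (missing EKU, wrong realm, address mismatch). On the enckey path the user therefore only sees a numeric code. Reduce the branch to `if (ret) goto out;`, as pk_rd_pa_reply_dh already does, so the detailed reason survives. The function body continues outside the hunk.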
@@ -894,7 +1032,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
static krb5_error_code
pk_rd_pa_reply_dh(krb5_context context,
- ContentInfo *rep,
+ const ContentInfo *rep,
+ const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
const krb5_krbhst_info *hi,
@@ -938,7 +1077,7 @@ pk_rd_pa_reply_dh(krb5_context context,
goto out;
/* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, ctx, host);
+ ret = pk_verify_host(context, realm, hi, ctx, host);
if (ret)
goto out;
@@ -1066,6 +1205,7 @@ pk_rd_pa_reply_dh(krb5_context context,
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_rd_pa_reply(krb5_context context,
+ const char *realm,
void *c,
krb5_enctype etype,
const krb5_krbhst_info *hi,
@@ -1106,7 +1246,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
free_PA_PK_AS_REP(&rep);
break;
}
- ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi,
+ ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi,
ctx->clientDHNonce,
rep.u.dhInfo.serverDHNonce,
nonce, pa, key);
@@ -1126,7 +1266,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
"ContentInfo: %d", ret);
break;
}
- ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx,
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx,
etype, hi, nonce, req_buffer, pa, key);
free_ContentInfo(&ci);
return ret;
@@ -1173,7 +1313,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
ret);
return ret;
}
- ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx,
+ ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx,
etype, hi, nonce, req_buffer, pa, key);
free_ContentInfo(&ci);
break;
@@ -1204,8 +1344,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
krb5_data password_data;
struct prompter *p = data;
- password_data.data = prompter->reply->data;
- password_data.length = prompter->reply->length;
+ password_data.data = prompter->reply.data;
+ password_data.length = prompter->reply.length;
prompt.prompt = "Enter your private key passphrase: ";
prompt.hidden = 1;
prompt.reply = &password_data;
@@ -1216,12 +1356,21 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
- memset (prompter->reply->data, 0, prompter->reply->length);
+ memset (prompter->reply.data, 0, prompter->reply.length);
return 0;
}
- return strlen(prompter->reply->data);
+ return strlen(prompter->reply.data);
+}
+
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
+ int boolean)
+{
+ hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
}
+
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_load_id(krb5_context context,
struct krb5_pk_identity **ret_id,
@@ -1715,7 +1864,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
}
if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_string(context, "pkinit: failed to generate DH key");
_krb5_get_init_creds_opt_free_pkinit(opt);
return ENOMEM;
}
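Review bot: The message now says DH key generation failed, but the branch still ends in `return ENOMEM;`, so callers and logs that act on the code will report an out-of-memory condition for what may be a bad parameter set or a random-number failure. Return a code that matches the message, or if ENOMEM must stay for compatibility, mark it: `/* XXX DH_generate_key failure is not necessarily out of memory */`. The enclosing function starts and ends outside the hunk.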
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c
index 34086b1fbe..f6e3847cce 100644
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -41,7 +41,7 @@
#include <fnmatch.h>
#include "resolve.h"
-RCSID("$Id: principal.c,v 1.94 2006/04/10 10:10:01 lha Exp $");
+RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $");
#define princ_num_comp(P) ((P)->name.name_string.len)
#define princ_type(P) ((P)->name.name_type)
@@ -829,7 +829,6 @@ krb5_425_conv_principal_ext2(krb5_context context,
if (r) {
if (r->head && r->head->type == T_AAAA) {
inst = strdup(r->head->domain);
- dns_free_data(r);
passed = TRUE;
}
dns_free_data(r);
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index 4a567bb379..a6f4a011a1 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store.c,v 1.51 2006/04/07 22:23:20 lha Exp $");
+RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $");
#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
@@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp,
return krb5_store_int(sp, value, 4);
}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32(krb5_storage *sp,
+ uint32_t value)
+{
+ return krb5_store_int32(sp, (int32_t)value);
+}
+
static krb5_error_code
krb5_ret_int(krb5_storage *sp,
int32_t *value,
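Review bot: krb5_store_uint32 converts through `(int32_t)value`, which is implementation-defined for values above INT32_MAX (C99 6.3.1.3). It gives the intended bit pattern on two's-complement targets, but nothing in the code records that this is deliberate. Add a short comment above the function such as `/* same wire encoding as krb5_store_int32; the cast only reinterprets the bits */`. The same applies to krb5_store_uint16 and krb5_store_uint8 in the later hunks, and the new krb5_ret_uint* readers would benefit from a line stating that `*value` is left untouched on error.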
@@ -212,6 +219,20 @@ krb5_ret_int32(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32(krb5_storage *sp,
+ uint32_t *value)
+{
+ krb5_error_code ret;
+ int32_t v;
+
+ ret = krb5_ret_int32(sp, &v);
+ if (ret == 0)
+ *value = (uint32_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_int16(krb5_storage *sp,
int16_t value)
{
@@ -223,6 +244,13 @@ krb5_store_int16(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16(krb5_storage *sp,
+ uint16_t value)
+{
+ return krb5_store_int16(sp, (int16_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int16(krb5_storage *sp,
int16_t *value)
{
@@ -240,6 +268,20 @@ krb5_ret_int16(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16(krb5_storage *sp,
+ uint16_t *value)
+{
+ krb5_error_code ret;
+ int16_t v;
+
+ ret = krb5_ret_int16(sp, &v);
+ if (ret == 0)
+ *value = (uint16_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_int8(krb5_storage *sp,
int8_t value)
{
@@ -252,6 +294,13 @@ krb5_store_int8(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8(krb5_storage *sp,
+ uint8_t value)
+{
+ return krb5_store_int8(sp, (int8_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
{
@@ -264,6 +313,20 @@ krb5_ret_int8(krb5_storage *sp,
}
krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8(krb5_storage *sp,
+ uint8_t *value)
+{
+ krb5_error_code ret;
+ int8_t v;
+
+ ret = krb5_ret_int8(sp, &v);
+ if (ret == 0)
+ *value = (uint8_t)v;
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_store_data(krb5_storage *sp,
krb5_data data)
{
@@ -380,19 +443,19 @@ krb5_ret_stringz(krb5_storage *sp,
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_principal(krb5_storage *sp,
- krb5_principal p)
+ krb5_const_principal p)
{
int i;
int ret;
if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
- ret = krb5_store_int32(sp, p->name.name_type);
- if(ret) return ret;
+ ret = krb5_store_int32(sp, p->name.name_type);
+ if(ret) return ret;
}
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
ret = krb5_store_int32(sp, p->name.name_string.len + 1);
else
- ret = krb5_store_int32(sp, p->name.name_string.len);
+ ret = krb5_store_int32(sp, p->name.name_string.len);
if(ret) return ret;
ret = krb5_store_string(sp, p->realm);
@@ -710,7 +773,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
* format.
*/
{
- u_int32_t mask = 0xffff0000;
+ uint32_t mask = 0xffff0000;
creds->flags.i = 0;
creds->flags.b.anonymous = 1;
if (creds->flags.i & mask)
@@ -865,7 +928,7 @@ krb5_ret_creds_tag(krb5_storage *sp,
* format.
*/
{
- u_int32_t mask = 0xffff0000;
+ uint32_t mask = 0xffff0000;
creds->flags.i = 0;
creds->flags.b.anonymous = 1;
if (creds->flags.i & mask)
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index dd294c8943..b1e12674dc 100644
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: v4_glue.c,v 1.3 2006/04/02 01:39:54 lha Exp $");
+RCSID("$Id: v4_glue.c,v 1.5 2006/05/05 09:31:00 lha Exp $");
#include "krb5-v4compat.h"
@@ -463,10 +463,10 @@ _krb5_krb_create_ciph(krb5_context context,
const char *service,
const char *instance,
const char *realm,
- u_int32_t life,
+ uint32_t life,
unsigned char kvno,
const krb5_data *ticket,
- u_int32_t kdc_time,
+ uint32_t kdc_time,
const krb5_keyblock *key,
krb5_data *enc_data)
{
@@ -523,7 +523,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
const char *prealm,
int32_t time_ws,
int n,
- u_int32_t x_date,
+ uint32_t x_date,
unsigned char kvno,
const krb5_data *cipher,
krb5_data *data)
@@ -573,8 +573,8 @@ _krb5_krb_cr_err_reply(krb5_context context,
const char *name,
const char *inst,
const char *realm,
- u_int32_t time_ws,
- u_int32_t e,
+ uint32_t time_ws,
+ uint32_t e,
const char *e_string,
krb5_data *data)
{
@@ -668,7 +668,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int32(sp, &ad->address), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error);
size = krb5_storage_read(sp, des_key, sizeof(des_key));
if (size != sizeof(des_key)) {
@@ -676,14 +676,14 @@ _krb5_krb_decomp_ticket(krb5_context context,
goto error;
}
- RCHECK(ret, krb5_ret_int8(sp, &ad->life), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error);
if (ad->k_flags & 1)
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
else
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
- RCHECK(ret, krb5_ret_int32(sp, &ad->time_sec), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error);
RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error);
RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error);
@@ -744,9 +744,9 @@ _krb5_krb_rd_req(krb5_context context,
int8_t pvno;
int8_t type;
int8_t s_kvno;
- u_int8_t ticket_length;
- u_int8_t eaut_length;
- u_int8_t time_5ms;
+ uint8_t ticket_length;
+ uint8_t eaut_length;
+ uint8_t time_5ms;
char *realm = NULL;
char *sname = NULL;
char *sinstance = NULL;
@@ -754,7 +754,7 @@ _krb5_krb_rd_req(krb5_context context,
char *r_name = NULL;
char *r_instance = NULL;
- u_int32_t r_time_sec; /* Coarse time from authenticator */
+ uint32_t r_time_sec; /* Coarse time from authenticator */
unsigned long delta_t; /* Time in authenticator - local time */
long tkt_age; /* Age of ticket */
@@ -795,8 +795,8 @@ _krb5_krb_rd_req(krb5_context context,
RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error);
RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int8(sp, &ticket_length), error);
- RCHECK(ret, krb5_ret_int8(sp, &eaut_length), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error);
RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error);
size = krb5_storage_read(sp, ticket.data, ticket.length);
@@ -842,9 +842,9 @@ _krb5_krb_rd_req(krb5_context context,
RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error);
RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error);
- RCHECK(ret, krb5_ret_int32(sp, &ad->checksum), error);
- RCHECK(ret, krb5_ret_int8(sp, &time_5ms), error);
- RCHECK(ret, krb5_ret_int32(sp, &r_time_sec), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error);
+ RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error);
+ RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error);
if (strcmp(ad->pname, r_name) != 0 ||
strcmp(ad->pinst, r_instance) != 0 ||
@@ -853,7 +853,7 @@ _krb5_krb_rd_req(krb5_context context,
goto error;
}
- if (from_addr && from_addr == ad->address) {
+ if (from_addr && from_addr != ad->address) {
ret = EINVAL; /* RD_AP_BADD */
goto error;
}