diff options
Diffstat (limited to 'source4/heimdal/lib/krb5')
68 files changed, 991 insertions, 698 deletions
diff --git a/source4/heimdal/lib/krb5/acache.c b/source4/heimdal/lib/krb5/acache.c index 6f20cdcf6c..19eeecda42 100644 --- a/source4/heimdal/lib/krb5/acache.c +++ b/source4/heimdal/lib/krb5/acache.c @@ -78,7 +78,7 @@ static const struct { static krb5_error_code translate_cc_error(krb5_context context, cc_int32 error) { - int i; + size_t i; krb5_clear_error_message(context); for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++) if (cc_errors[i].error == error) @@ -259,7 +259,7 @@ make_cred_from_ccred(krb5_context context, if (cred->addresses.val == NULL) goto nomem; cred->addresses.len = i; - + for (i = 0; i < cred->addresses.len; i++) { cred->addresses.val[i].addr_type = incred->addresses[i]->type; ret = krb5_data_copy(&cred->addresses.val[i].address, @@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context, cc_credentials_v5_t *cred) { krb5_error_code ret; - int i; + size_t i; memset(cred, 0, sizeof(*cred)); @@ -546,7 +546,7 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res) error = (*a->ccache->func->get_kdc_time_offset)(a->ccache, cc_credentials_v5, &offset); - if (error == 0) + if (error == 0) context->kdc_sec_offset = offset; } else if (error == ccErrCCacheNotFound) { @@ -887,7 +887,7 @@ acc_get_version(krb5_context context, { return 0; } - + struct cache_iter { cc_context_t context; cc_ccache_iterator_t iter; @@ -961,7 +961,7 @@ acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) acc_close(context, *id); *id = NULL; return translate_cc_error(context, error); - } + } return 0; } @@ -1031,7 +1031,7 @@ acc_get_default_name(krb5_context context, char **str) (*cc->func->release)(cc); return translate_cc_error(context, error); } - + error = asprintf(str, "API:%s", name->data); (*name->func->release)(name); (*cc->func->release)(cc); @@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = { acc_move, acc_get_default_name, acc_set_default, - acc_lastchange + acc_lastchange, + NULL, + NULL, }; #endif diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c index cccf1cbc9a..5d321a7e91 100644 --- a/source4/heimdal/lib/krb5/addr_families.c +++ b/source4/heimdal/lib/krb5/addr_families.c @@ -44,6 +44,7 @@ struct addr_operations { void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int); krb5_error_code (*h_addr2addr)(const char *, krb5_address *); krb5_boolean (*uninteresting)(const struct sockaddr *); + krb5_boolean (*is_loopback)(const struct sockaddr *); void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int); int (*print_addr)(const krb5_address *, char *, size_t); int (*parse_addr)(krb5_context, const char*, krb5_address *); @@ -136,6 +137,17 @@ ipv4_uninteresting (const struct sockaddr *sa) return FALSE; } +static krb5_boolean +ipv4_is_loopback (const struct sockaddr *sa) +{ + const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa; + + if ((ntohl(sin4->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET) + return TRUE; + + return FALSE; +} + static void ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) { @@ -310,11 +322,19 @@ ipv6_uninteresting (const struct sockaddr *sa) const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr; - return - IN6_IS_ADDR_LINKLOCAL(in6) + return IN6_IS_ADDR_LINKLOCAL(in6) || IN6_IS_ADDR_V4COMPAT(in6); } +static krb5_boolean +ipv6_is_loopback (const struct sockaddr *sa) +{ + const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; + const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr; + + return (IN6_IS_ADDR_LOOPBACK(in6)); +} + static void ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) { @@ -334,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len) if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) { /* XXX this is pretty ugly, but better than abort() */ - int i; + size_t i; unsigned char *p = addr->address.data; buf[0] = '\0'; for(i = 0; i < addr->address.length; i++) { @@ -401,7 +421,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, sub_len = min(8, len); m = 0xff << (8 - sub_len); - + laddr.s6_addr[i] = addr.s6_addr[i] & m; haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m; @@ -471,7 +491,7 @@ arange_parse_addr (krb5_context context, krb5_free_addresses(context, &addrmask); return -1; } - + address += p - address + 1; num = strtol(address, &q, 10); @@ -488,7 +508,7 @@ arange_parse_addr (krb5_context context, } else { krb5_addresses low, high; - + strsep_copy(&address, "-", buf, sizeof(buf)); ret = krb5_parse_address(context, buf, &low); if(ret) @@ -497,14 +517,14 @@ arange_parse_addr (krb5_context context, krb5_free_addresses(context, &low); return -1; } - + strsep_copy(&address, "-", buf, sizeof(buf)); ret = krb5_parse_address(context, buf, &high); if(ret) { krb5_free_addresses(context, &low); return ret; } - + if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) { krb5_free_addresses(context, &low); krb5_free_addresses(context, &high); @@ -590,7 +610,7 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len) if (l > len) l = len; size = l; - + ret = krb5_print_address (&a->low, str + size, len - size, &l); if (ret) return ret; @@ -632,9 +652,11 @@ arange_order_addr(krb5_context context, a = addr2->address.data; a2 = addr1; sign = -1; - } else + } else { abort(); - + UNREACHABLE(return 0); + } + if(a2->addr_type == KRB5_ADDRESS_ARANGE) { struct arange *b = a2->address.data; tmp1 = krb5_address_order(context, &a->low, &b->low); @@ -707,34 +729,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) } static struct addr_operations at[] = { - {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), - ipv4_sockaddr2addr, - ipv4_sockaddr2port, - ipv4_addr2sockaddr, - ipv4_h_addr2sockaddr, - ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr, - NULL, NULL, NULL, ipv4_mask_boundary }, + { + AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), + ipv4_sockaddr2addr, + ipv4_sockaddr2port, + ipv4_addr2sockaddr, + ipv4_h_addr2sockaddr, + ipv4_h_addr2addr, + ipv4_uninteresting, + ipv4_is_loopback, + ipv4_anyaddr, + ipv4_print_addr, + ipv4_parse_addr, + NULL, + NULL, + NULL, + ipv4_mask_boundary + }, #ifdef HAVE_IPV6 - {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), - ipv6_sockaddr2addr, - ipv6_sockaddr2port, - ipv6_addr2sockaddr, - ipv6_h_addr2sockaddr, - ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr, - NULL, NULL, NULL, ipv6_mask_boundary } , + { + AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), + ipv6_sockaddr2addr, + ipv6_sockaddr2port, + ipv6_addr2sockaddr, + ipv6_h_addr2sockaddr, + ipv6_h_addr2addr, + ipv6_uninteresting, + ipv6_is_loopback, + ipv6_anyaddr, + ipv6_print_addr, + ipv6_parse_addr, + NULL, + NULL, + NULL, + ipv6_mask_boundary + } , #endif #ifndef HEIMDAL_SMALLER /* fake address type */ - {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), - NULL, NULL, NULL, NULL, NULL, NULL, NULL, - arange_print_addr, arange_parse_addr, - arange_order_addr, arange_free, arange_copy }, + { + KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + arange_print_addr, + arange_parse_addr, + arange_order_addr, + arange_free, + arange_copy, + NULL + }, #endif - {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, - NULL, NULL, NULL, NULL, NULL, - NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL } + { + KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + addrport_print_addr, + NULL, + NULL, + NULL, + NULL + } }; static int num_addrs = sizeof(at) / sizeof(at[0]); @@ -757,7 +823,7 @@ find_af(int af) } static struct addr_operations * -find_atype(int atype) +find_atype(krb5_address_type atype) { struct addr_operations *a; @@ -912,6 +978,15 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa) return (*a->uninteresting)(sa); } +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_sockaddr_is_loopback(const struct sockaddr *sa) +{ + struct addr_operations *a = find_af(sa->sa_family); + if (a == NULL || a->is_loopback == NULL) + return TRUE; + return (*a->is_loopback)(sa); +} + /** * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and * the "struct hostent" (see gethostbyname(3) ) h_addr_list @@ -1038,17 +1113,17 @@ krb5_print_address (const krb5_address *addr, if (a == NULL || a->print_addr == NULL) { char *s; int l; - int i; + size_t i; s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; len -= l; s += l; @@ -1234,7 +1309,7 @@ krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) { - int i; + size_t i; for (i = 0; i < addrlist->len; ++i) if (krb5_address_compare (context, addr, &addrlist->val[i])) @@ -1282,7 +1357,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { - int i; + size_t i; for(i = 0; i < addresses->len; i++) krb5_free_address(context, &addresses->val[i]); free(addresses->val); @@ -1333,7 +1408,7 @@ krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) { - int i; + size_t i; ALLOC_SEQ(outaddr, inaddr->len); if(inaddr->len > 0 && outaddr->val == NULL) return ENOMEM; @@ -1362,7 +1437,7 @@ krb5_append_addresses(krb5_context context, { krb5_address *tmp; krb5_error_code ret; - int i; + size_t i; if(source->len > 0) { tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp)); if(tmp == NULL) { diff --git a/source4/heimdal/lib/krb5/appdefault.c b/source4/heimdal/lib/krb5/appdefault.c index d4dc758faa..d4e963d74a 100644 --- a/source4/heimdal/lib/krb5/appdefault.c +++ b/source4/heimdal/lib/krb5/appdefault.c @@ -47,7 +47,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, if(realm != NULL) def_val = krb5_config_get_bool_default(context, NULL, def_val, "realms", realm, option, NULL); - + def_val = krb5_config_get_bool_default(context, NULL, def_val, "appdefaults", option, diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c index ea59c73931..518e19359c 100644 --- a/source4/heimdal/lib/krb5/auth_context.c +++ b/source4/heimdal/lib/krb5/auth_context.c @@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context, return 0; } +/* coverity[+alloc : arg-*2] */ static krb5_error_code copy_key(krb5_context context, krb5_keyblock *in, @@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context, return copy_key(context, auth_context->local_subkey, keyblock); } +/* coverity[+alloc : arg-*2] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, diff --git a/source4/heimdal/lib/krb5/build_auth.c b/source4/heimdal/lib/krb5/build_auth.c index 85d64525de..01145a28c6 100644 --- a/source4/heimdal/lib/krb5/build_auth.c +++ b/source4/heimdal/lib/krb5/build_auth.c @@ -41,10 +41,12 @@ make_etypelist(krb5_context context, krb5_error_code ret; krb5_authdata ad; u_char *buf; - size_t len; + size_t len = 0; size_t buf_size; - ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL); + ret = _krb5_init_etype(context, KRB5_PDU_NONE, + &etypes.len, &etypes.val, + NULL); if (ret) return ret; @@ -111,7 +113,7 @@ _krb5_build_authenticator (krb5_context context, Authenticator auth; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_error_code ret; krb5_crypto crypto; diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index 211642e568..616044e67b 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -38,7 +38,7 @@ /** * @page krb5_ccache_intro The credential cache functions * @section section_krb5_ccache Kerberos credential caches - * + * * krb5_ccache structure holds a Kerberos credential cache. * * Heimdal support the follow types of credential caches: @@ -837,7 +837,7 @@ krb5_cc_set_flags(krb5_context context, { return (*id->ops->set_flags)(context, id, flags); } - + /** * Get the flags of `id', store them in `flags'. * @@ -1144,7 +1144,7 @@ krb5_cc_cache_match (krb5_context context, ret = krb5_cc_get_principal(context, cache, &principal); if (ret == 0) { krb5_boolean match; - + match = krb5_principal_compare(context, principal, client); krb5_free_principal(context, principal); if (match) @@ -1245,7 +1245,7 @@ build_conf_principals(krb5_context context, krb5_ccache id, krb5_free_principal(context, client); return ret; } - + /** * Return TRUE (non zero) if the principal is a configuration * principal (generated part of krb5_cc_set_config()). Returns FALSE @@ -1267,7 +1267,7 @@ krb5_is_config_principal(krb5_context context, if (principal->name.name_string.len == 0 || strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0) return FALSE; - + return TRUE; } @@ -1306,11 +1306,11 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id, /* not that anyone care when this expire */ cred.times.authtime = time(NULL); cred.times.endtime = cred.times.authtime + 3600 * 24 * 30; - + ret = krb5_data_copy(&cred.ticket, data->data, data->length); if (ret) goto out; - + ret = krb5_cc_store_cred(context, id, &cred); } @@ -1396,7 +1396,7 @@ krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor) } /** - * Get next credential cache from the iteration. + * Get next credential cache from the iteration. * * @param context A Kerberos 5 context * @param cursor the iteration cursor @@ -1418,13 +1418,13 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache *cache) { krb5_error_code ret; - + *cache = NULL; while (cursor->idx < context->num_cc_ops) { if (cursor->cursor == NULL) { - ret = krb5_cc_cache_get_first (context, + ret = krb5_cc_cache_get_first (context, context->cc_ops[cursor->idx]->prefix, &cursor->cursor); if (ret) { @@ -1493,7 +1493,7 @@ krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_cc_last_change_time(krb5_context context, - krb5_ccache id, + krb5_ccache id, krb5_timestamp *mtime) { *mtime = 0; @@ -1630,7 +1630,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) *t = 0; now = time(NULL); - + ret = krb5_cc_start_seq_get(context, id, &cursor); if (ret) return ret; @@ -1644,7 +1644,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) } krb5_free_cred_contents(context, &cred); } - + krb5_cc_end_seq_get(context, id, &cursor); return ret; diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c index 22a7c87ef3..1e7cd0d464 100644 --- a/source4/heimdal/lib/krb5/changepw.c +++ b/source4/heimdal/lib/krb5/changepw.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #undef __attribute__ @@ -173,7 +171,7 @@ setpw_send_request (krb5_context context, krb5_data krb_priv_data; krb5_data pwd_data; ChangePasswdDataMS chpw; - size_t len; + size_t len = 0; u_char header[4 + 6]; u_char *p; struct iovec iov[3]; @@ -199,7 +197,7 @@ setpw_send_request (krb5_context context, chpw.targname = NULL; chpw.targrealm = NULL; } - + ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length, &chpw, &len, ret); if (ret) { @@ -276,7 +274,7 @@ process_reply (krb5_context context, { krb5_error_code ret; u_char reply[1024 * 3]; - ssize_t len; + size_t len; uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; @@ -304,7 +302,7 @@ process_reply (krb5_context context, _krb5_get_int(reply, &size, 4); if (size + 4 < len) continue; - memmove(reply, reply + 4, size); + memmove(reply, reply + 4, size); len = size; break; } @@ -328,7 +326,7 @@ process_reply (krb5_context context, if (len < 6) { str2data (result_string, "server %s sent to too short message " - "(%ld bytes)", host, (long)len); + "(%zu bytes)", host, len); *result_code = KRB5_KPASSWD_MALFORMED; return 0; } @@ -496,7 +494,7 @@ static struct kpwd_proc { chgpw_send_request, process_reply }, - { NULL } + { NULL, 0, NULL, NULL } }; /* @@ -588,7 +586,7 @@ change_password_loop (krb5_context context, if (!replied) { replied = 0; - + ret = (*proc->send_req) (context, &auth_context, creds, @@ -686,7 +684,6 @@ find_chpw_proto(const char *name) * @ingroup @krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_change_password (krb5_context context, krb5_creds *creds, @@ -694,6 +691,7 @@ krb5_change_password (krb5_context context, int *result_code, krb5_data *result_code_string, krb5_data *result_string) + KRB5_DEPRECATED_FUNCTION("Use X instead") { struct kpwd_proc *p = find_chpw_proto("change password"); diff --git a/source4/heimdal/lib/krb5/codec.c b/source4/heimdal/lib/krb5/codec.c index d73a719100..5e754c60cb 100644 --- a/source4/heimdal/lib/krb5/codec.c +++ b/source4/heimdal/lib/krb5/codec.c @@ -31,184 +31,182 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncTicketPart (krb5_context context, const void *data, size_t length, EncTicketPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncTicketPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncTicketPart (krb5_context context, void *data, size_t length, EncTicketPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncTicketPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncASRepPart (krb5_context context, const void *data, size_t length, EncASRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncASRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncASRepPart (krb5_context context, void *data, size_t length, EncASRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncASRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncTGSRepPart (krb5_context context, const void *data, size_t length, EncTGSRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncTGSRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncTGSRepPart (krb5_context context, void *data, size_t length, EncTGSRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncTGSRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncAPRepPart (krb5_context context, const void *data, size_t length, EncAPRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncAPRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncAPRepPart (krb5_context context, void *data, size_t length, EncAPRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncAPRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_Authenticator (krb5_context context, const void *data, size_t length, Authenticator *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_Authenticator(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_Authenticator (krb5_context context, void *data, size_t length, Authenticator *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_Authenticator(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncKrbCredPart (krb5_context context, const void *data, size_t length, EncKrbCredPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncKrbCredPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncKrbCredPart (krb5_context context, void *data, size_t length, EncKrbCredPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncKrbCredPart (data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_ETYPE_INFO (krb5_context context, const void *data, size_t length, ETYPE_INFO *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_ETYPE_INFO(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_ETYPE_INFO (krb5_context context, void *data, size_t length, ETYPE_INFO *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_ETYPE_INFO (data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_ETYPE_INFO2 (krb5_context context, const void *data, size_t length, ETYPE_INFO2 *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_ETYPE_INFO2(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_ETYPE_INFO2 (krb5_context context, void *data, size_t length, ETYPE_INFO2 *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_ETYPE_INFO2 (data, length, t, len); } diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c index 89f778823d..4ac25ae287 100644 --- a/source4/heimdal/lib/krb5/config_file.c +++ b/source4/heimdal/lib/krb5/config_file.c @@ -33,8 +33,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifdef __APPLE__ @@ -63,7 +61,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr) p = ptr->s + strcspn(ptr->s, "\n"); if(*p == '\n') p++; - l = min(len, p - ptr->s); + l = min(len, (size_t)(p - ptr->s)); if(len > 0) { memcpy(str, ptr->s, l); str[l] = '\0'; @@ -91,7 +89,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type) for(q = parent; *q != NULL; q = &(*q)->next) if(type == krb5_config_list && - type == (*q)->type && + (unsigned)type == (*q)->type && strcmp(name, (*q)->name) == 0) return *q; *q = calloc(1, sizeof(**q)); @@ -250,7 +248,7 @@ cfstring2cstring(CFStringRef string) { CFIndex len; char *str; - + str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8); if (str) return strdup(str); @@ -260,7 +258,7 @@ cfstring2cstring(CFStringRef string) str = malloc(len); if (str == NULL) return NULL; - + if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) { free (str); return NULL; @@ -299,7 +297,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section * CFReadStreamRef s; CFDictionaryRef d; CFURLRef url; - + url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE); if (url == NULL) { krb5_clear_error_message(context); @@ -321,7 +319,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section * #ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL); -#else +#else d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL); #endif CFRelease(s); @@ -441,7 +439,7 @@ krb5_config_parse_file_multi (krb5_context context, home = getenv("HOME"); if (home == NULL) { - struct passwd *pw = getpwuid(getuid()); + struct passwd *pw = getpwuid(getuid()); if(pw != NULL) home = pw->pw_dir; } @@ -455,7 +453,7 @@ krb5_config_parse_file_multi (krb5_context context, fname = newfname; } #else /* KRB5_USE_PATH_TOKENS */ - if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 || + if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 || newfname == NULL) { krb5_set_error_message(context, ENOMEM, @@ -477,7 +475,7 @@ krb5_config_parse_file_multi (krb5_context context, return ret; } #else - krb5_set_error_message(context, ENOENT, + krb5_set_error_message(context, ENOENT, "no support for plist configuration files"); return ENOENT; #endif @@ -491,7 +489,7 @@ krb5_config_parse_file_multi (krb5_context context, free(newfname); return ret; } - + if (newfname) free(newfname); fname = newfname = exp_fname; @@ -507,7 +505,7 @@ krb5_config_parse_file_multi (krb5_context context, free(newfname); return ret; } - + ret = krb5_config_parse_debug (&f, res, &lineno, &str); fclose(f.f); if (ret) { @@ -635,7 +633,7 @@ vget_next(krb5_context context, const char *p = va_arg(args, const char *); while(b != NULL) { if(strcmp(b->name, name) == 0) { - if(b->type == type && p == NULL) { + if(b->type == (unsigned)type && p == NULL) { *pointer = b; return b->u.generic; } else if(b->type == krb5_config_list && p != NULL) { @@ -675,7 +673,7 @@ _krb5_config_vget_next (krb5_context context, /* we were called again, so just look for more entries with the same name and type */ for (b = (*pointer)->next; b != NULL; b = b->next) { - if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) { + if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) { *pointer = b; return b->u.generic; } @@ -770,7 +768,7 @@ krb5_config_vget_list (krb5_context context, * * @ingroup krb5_support */ - + KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_config_get_string (krb5_context context, const krb5_config_section *c, @@ -865,7 +863,7 @@ krb5_config_get_string_default (krb5_context context, } static char * -next_component_string(char * begin, char * delims, char **state) +next_component_string(char * begin, const char * delims, char **state) { char * end; @@ -1302,11 +1300,11 @@ krb5_config_get_int (krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_config_parse_string_multi(krb5_context context, const char *string, krb5_config_section **res) + KRB5_DEPRECATED_FUNCTION("Use X instead") { const char *str; unsigned lineno = 0; diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index b6c6870938..99bf1b419b 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -34,6 +34,7 @@ */ #include "krb5_locl.h" +#include <assert.h> #include <com_err.h> #define INIT_FIELD(C, T, E, D, F) \ @@ -128,6 +129,24 @@ init_context_from_config_file(krb5_context context) free(context->etypes_des); context->etypes_des = tmptypes; + ret = set_etypes (context, "default_as_etypes", &tmptypes); + if(ret) + return ret; + free(context->as_etypes); + context->as_etypes = tmptypes; + + ret = set_etypes (context, "default_tgs_etypes", &tmptypes); + if(ret) + return ret; + free(context->tgs_etypes); + context->tgs_etypes = tmptypes; + + ret = set_etypes (context, "permitted_enctypes", &tmptypes); + if(ret) + return ret; + free(context->permitted_enctypes); + context->permitted_enctypes = tmptypes; + /* default keytab name */ tmp = NULL; if(!issuid()) @@ -317,7 +336,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context) return 0; } -static const char *sysplugin_dirs[] = { +static const char *sysplugin_dirs[] = { LIBDIR "/plugin/krb5", #ifdef __APPLE__ "/Library/KerberosPlugins/KerberosFrameworkPlugins", @@ -332,7 +351,7 @@ init_context_once(void *ctx) krb5_context context = ctx; _krb5_load_plugins(context, "krb5", sysplugin_dirs); - + bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR); } @@ -392,7 +411,7 @@ krb5_init_context(krb5_context *context) ret = hx509_context_init(&p->hx509ctx); if (ret) goto out; -#endif +#endif if (rk_SOCK_INIT()) p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED; @@ -413,7 +432,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **etypes) { - return krb5_get_default_in_tkt_etypes(context, etypes); + return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes); } /* @@ -433,7 +452,7 @@ copy_etypes (krb5_context context, *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i); if (*ret_enctypes == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } @@ -481,7 +500,7 @@ krb5_copy_context(krb5_context context, krb5_context *out) p->default_cc_name = strdup(context->default_cc_name); if (context->default_cc_name_env) p->default_cc_name_env = strdup(context->default_cc_name_env); - + if (context->etypes) { ret = copy_etypes(context, context->etypes, &p->etypes); if (ret) @@ -494,7 +513,7 @@ krb5_copy_context(krb5_context context, krb5_context *out) } if (context->default_realms) { - ret = krb5_copy_host_realm(context, + ret = krb5_copy_host_realm(context, context->default_realms, &p->default_realms); if (ret) goto out; @@ -736,7 +755,7 @@ krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) krb5_free_config_files(defpp); if (ret) { return ret; - } + } *pfilenames = pp; return 0; } @@ -874,36 +893,51 @@ krb5_kerberos_enctypes(krb5_context context) } /* - * set `etype' to a malloced list of the default enctypes + * */ static krb5_error_code -default_etypes(krb5_context context, krb5_enctype **etype) +copy_enctypes(krb5_context context, + const krb5_enctype *in, + krb5_enctype **out) { - const krb5_enctype *p; - krb5_enctype *e = NULL, *ep; - int i, n = 0; - - p = krb5_kerberos_enctypes(context); + krb5_enctype *p = NULL; + size_t m, n; - for (i = 0; p[i] != ETYPE_NULL; i++) { - if (krb5_enctype_valid(context, p[i]) != 0) + for (n = 0; in[n]; n++) + ; + n++; + ALLOC(p, n); + if(p == NULL) + return krb5_enomem(context); + for (n = 0, m = 0; in[n]; n++) { + if (krb5_enctype_valid(context, in[n]) != 0) continue; - ep = realloc(e, (n + 2) * sizeof(*e)); - if (ep == NULL) { - free(e); - krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); - return ENOMEM; - } - e = ep; - e[n] = p[i]; - e[n + 1] = ETYPE_NULL; - n++; + p[m++] = in[n]; + } + p[m] = KRB5_ENCTYPE_NULL; + if (m == 0) { + free(p); + krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, + N_("no valid enctype set", "")); + return KRB5_PROG_ETYPE_NOSUPP; } - *etype = e; + *out = p; return 0; } + +/* + * set `etype' to a malloced list of the default enctypes + */ + +static krb5_error_code +default_etypes(krb5_context context, krb5_enctype **etype) +{ + const krb5_enctype *p = krb5_kerberos_enctypes(context); + return copy_enctypes(context, p, etype); +} + /** * Set the default encryption types that will be use in communcation * with the KDC, clients and servers. @@ -923,31 +957,11 @@ krb5_set_default_in_tkt_etypes(krb5_context context, { krb5_error_code ret; krb5_enctype *p = NULL; - unsigned int n, m; if(etypes) { - for (n = 0; etypes[n]; n++) - ; - n++; - ALLOC(p, n); - if(!p) { - krb5_set_error_message (context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } - for (n = 0, m = 0; etypes[n]; n++) { - ret = krb5_enctype_valid(context, etypes[n]); - if (ret) - continue; - p[m++] = etypes[n]; - } - p[m] = ETYPE_NULL; - if (m == 0) { - free(p); - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("no valid enctype set", "")); - return KRB5_PROG_ETYPE_NOSUPP; - } + ret = copy_enctypes(context, etypes, &p); + if (ret) + return ret; } if(context->etypes) free(context->etypes); @@ -971,21 +985,28 @@ krb5_set_default_in_tkt_etypes(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_default_in_tkt_etypes(krb5_context context, + krb5_pdu pdu_type, krb5_enctype **etypes) { - krb5_enctype *p; - int i; + krb5_enctype *enctypes = NULL; krb5_error_code ret; + krb5_enctype *p; - if(context->etypes) { - for(i = 0; context->etypes[i]; i++); - ++i; - ALLOC(p, i); - if(!p) { - krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); - return ENOMEM; - } - memmove(p, context->etypes, i * sizeof(krb5_enctype)); + heim_assert(pdu_type == KRB5_PDU_AS_REQUEST || + pdu_type == KRB5_PDU_TGS_REQUEST || + pdu_type == KRB5_PDU_NONE, "pdu contant not as expected"); + + if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL) + enctypes = context->as_etypes; + else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL) + enctypes = context->tgs_etypes; + else if (context->etypes != NULL) + enctypes = context->etypes; + + if (enctypes != NULL) { + ret = copy_enctypes(context, enctypes, &p); + if (ret) + return ret; } else { ret = default_etypes(context, &p); if (ret) @@ -1390,10 +1411,11 @@ krb5_set_max_time_skew (krb5_context context, time_t t) context->max_skew = t; } -/** +/* * Init encryption types in len, val with etypes. * * @param context Kerberos 5 context. + * @param pdu_type type of pdu * @param len output length of val. * @param val output array of enctypes. * @param etypes etypes to set val and len to, if NULL, use default enctypes. @@ -1405,39 +1427,27 @@ krb5_set_max_time_skew (krb5_context context, time_t t) */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -krb5_init_etype (krb5_context context, +_krb5_init_etype(krb5_context context, + krb5_pdu pdu_type, unsigned *len, krb5_enctype **val, const krb5_enctype *etypes) { - unsigned int i; krb5_error_code ret; - krb5_enctype *tmp = NULL; - ret = 0; - if (etypes == NULL) { - ret = krb5_get_default_in_tkt_etypes(context, &tmp); - if (ret) - return ret; - etypes = tmp; - } + if (etypes == NULL) + ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val); + else + ret = copy_enctypes(context, etypes, val); + if (ret) + return ret; - for (i = 0; etypes[i]; ++i) - ; - *len = i; - *val = malloc(i * sizeof(**val)); - if (i != 0 && *val == NULL) { - ret = ENOMEM; - krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); - goto cleanup; + if (len) { + *len = 0; + while ((*val)[*len] != KRB5_ENCTYPE_NULL) + (*len)++; } - memmove (*val, - etypes, - i * sizeof(*tmp)); -cleanup: - if (tmp != NULL) - free (tmp); - return ret; + return 0; } /* diff --git a/source4/heimdal/lib/krb5/convert_creds.c b/source4/heimdal/lib/krb5/convert_creds.c index e700425ffe..fc371c6377 100644 --- a/source4/heimdal/lib/krb5/convert_creds.c +++ b/source4/heimdal/lib/krb5/convert_creds.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #include "krb5-v4compat.h" @@ -54,11 +52,11 @@ * @ingroup krb5_v4compat */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred, struct credentials *v4creds) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset(v4creds, 0, sizeof(*v4creds)); krb5_set_error_message(context, EINVAL, @@ -81,12 +79,12 @@ krb524_convert_creds_kdc(krb5_context context, * @ingroup krb5_v4compat */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, struct credentials *v4creds) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset(v4creds, 0, sizeof(*v4creds)); krb5_set_error_message(context, EINVAL, diff --git a/source4/heimdal/lib/krb5/creds.c b/source4/heimdal/lib/krb5/creds.c index 69aacdc032..7ef8eb9609 100644 --- a/source4/heimdal/lib/krb5/creds.c +++ b/source4/heimdal/lib/krb5/creds.c @@ -228,7 +228,7 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields, match = krb5_principal_compare (context, mcreds->client, creds->client); } - + if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE)) match = mcreds->session.keytype == creds->session.keytype; diff --git a/source4/heimdal/lib/krb5/crypto-des.c b/source4/heimdal/lib/krb5/crypto-des.c index 1c062b5e61..63ce901d92 100644 --- a/source4/heimdal/lib/krb5/crypto-des.c +++ b/source4/heimdal/lib/krb5/crypto-des.c @@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = { krb5_DES_random_key, krb5_DES_schedule_old, _krb5_des_salt, - krb5_DES_random_to_key + krb5_DES_random_to_key, + NULL, + NULL }; static struct _krb5_key_type keytype_des = { diff --git a/source4/heimdal/lib/krb5/crypto-des3.c b/source4/heimdal/lib/krb5/crypto-des3.c index b61948895a..d50c5cebe2 100644 --- a/source4/heimdal/lib/krb5/crypto-des3.c +++ b/source4/heimdal/lib/krb5/crypto-des3.c @@ -202,7 +202,7 @@ _krb5_DES3_random_to_key(krb5_context context, DES_cblock *k; int i, j; - memset(x, 0, sizeof(x)); + memset(key->keyvalue.data, 0, key->keyvalue.length); for (i = 0; i < 3; ++i) { unsigned char foo; for (j = 0; j < 7; ++j) { diff --git a/source4/heimdal/lib/krb5/crypto-evp.c b/source4/heimdal/lib/krb5/crypto-evp.c index 3f9cd57bbc..e8fb1caf6a 100644 --- a/source4/heimdal/lib/krb5/crypto-evp.c +++ b/source4/heimdal/lib/krb5/crypto-evp.c @@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context, { size_t i, blocksize; struct _krb5_evp_schedule *ctx = key->schedule->data; - char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; EVP_CIPHER_CTX *c; unsigned char *p; @@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context, if (ivec) memcpy(ivec, p, blocksize); } else { - char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; p = data; if (len > blocksize * 2) { diff --git a/source4/heimdal/lib/krb5/crypto-pk.c b/source4/heimdal/lib/krb5/crypto-pk.c index eb783c8998..7fedb65c9e 100644 --- a/source4/heimdal/lib/krb5/crypto-pk.c +++ b/source4/heimdal/lib/krb5/crypto-pk.c @@ -110,7 +110,7 @@ encode_uvinfo(krb5_context context, krb5_const_principal p, krb5_data *data) { KRB5PrincipalName pn; krb5_error_code ret; - size_t size; + size_t size = 0; pn.principalName = p->name; pn.realm = p->realm; @@ -143,7 +143,7 @@ encode_otherinfo(krb5_context context, PkinitSuppPubInfo pubinfo; krb5_error_code ret; krb5_data pub; - size_t size; + size_t size = 0; krb5_data_zero(other); memset(&otherinfo, 0, sizeof(otherinfo)); @@ -192,6 +192,8 @@ encode_otherinfo(krb5_context context, return 0; } + + krb5_error_code _krb5_pk_kdf(krb5_context context, const struct AlgorithmIdentifier *ai, @@ -211,10 +213,17 @@ _krb5_pk_kdf(krb5_context context, size_t keylen, offset; uint32_t counter; unsigned char *keydata; - unsigned char shaoutput[SHA_DIGEST_LENGTH]; + unsigned char shaoutput[SHA512_DIGEST_LENGTH]; + const EVP_MD *md; EVP_MD_CTX *m; - if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) { + if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) { + md = EVP_sha1(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) { + md = EVP_sha256(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) { + md = EVP_sha512(); + } else { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, N_("KDF not supported", "")); return KRB5_PROG_ETYPE_NOSUPP; @@ -264,7 +273,7 @@ _krb5_pk_kdf(krb5_context context, do { unsigned char cdata[4]; - EVP_DigestInit_ex(m, EVP_sha1(), NULL); + EVP_DigestInit_ex(m, md, NULL); _krb5_put_int(cdata, counter, 4); EVP_DigestUpdate(m, cdata, 4); EVP_DigestUpdate(m, dhdata, dhsize); @@ -274,9 +283,9 @@ _krb5_pk_kdf(krb5_context context, memcpy((unsigned char *)keydata + offset, shaoutput, - min(keylen - offset, sizeof(shaoutput))); + min(keylen - offset, EVP_MD_CTX_size(m))); - offset += sizeof(shaoutput); + offset += EVP_MD_CTX_size(m); counter++; } while(offset < keylen); memset(shaoutput, 0, sizeof(shaoutput)); diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index 5d274e9af7..63aedc4568 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" struct _krb5_key_usage { @@ -180,7 +178,7 @@ _krb5_internal_hmac(krb5_context context, unsigned char *ipad, *opad; unsigned char *key; size_t key_len; - int i; + size_t i; ipad = malloc(cm->blocksize + len); if (ipad == NULL) @@ -311,7 +309,7 @@ get_checksum_key(krb5_context context, if(ct->flags & F_DERIVED) ret = _get_derived_key(context, crypto, usage, key); else if(ct->flags & F_VARIANT) { - int i; + size_t i; *key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */); if(*key == NULL) { @@ -479,7 +477,7 @@ verify_checksum(krb5_context context, if(ct->verify) { ret = (*ct->verify)(context, dkey, data, len, usage, cksum); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Decrypt integrity check failed for checksum " "type %s, key type %s", ""), ct->name, (crypto != NULL)? crypto->et->name : "(none)"); @@ -1160,9 +1158,9 @@ decrypt_internal_special(krb5_context context, } static krb5_crypto_iov * -find_iv(krb5_crypto_iov *data, int num_data, int type) +find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type) { - int i; + size_t i; for (i = 0; i < num_data; i++) if (data[i].flags == type) return &data[i]; @@ -1403,11 +1401,6 @@ krb5_decrypt_iov_ivec(krb5_context context, struct _krb5_encryption_type *et = crypto->et; krb5_crypto_iov *tiv, *hiv; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1545,15 +1538,10 @@ krb5_create_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1629,15 +1617,10 @@ krb5_verify_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1689,7 +1672,7 @@ krb5_crypto_length(krb5_context context, krb5_set_error_message(context, EINVAL, "not a derived crypto"); return EINVAL; } - + switch(type) { case KRB5_CRYPTO_TYPE_EMPTY: *len = 0; @@ -1730,7 +1713,7 @@ krb5_crypto_length_iov(krb5_context context, unsigned int num_data) { krb5_error_code ret; - int i; + size_t i; for (i = 0; i < num_data; i++) { ret = krb5_crypto_length(context, crypto, @@ -2120,7 +2103,7 @@ krb5_crypto_destroy(krb5_context context, /** * Return the blocksize used algorithm referenced by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param blocksize the resulting blocksize @@ -2141,7 +2124,7 @@ krb5_crypto_getblocksize(krb5_context context, /** * Return the encryption type used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param enctype the resulting encryption type @@ -2162,7 +2145,7 @@ krb5_crypto_getenctype(krb5_context context, /** * Return the padding size used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param padsize the return padding size @@ -2183,7 +2166,7 @@ krb5_crypto_getpadsize(krb5_context context, /** * Return the confounder size used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param confoundersize the returned confounder size @@ -2593,12 +2576,12 @@ krb5_crypto_fx_cf2(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, krb5_enctype **val) + KRB5_DEPRECATED_FUNCTION("Use X instead") { int i; unsigned n = 0; @@ -2640,11 +2623,11 @@ krb5_keytype_to_enctypes (krb5_context context, */ /* if two enctypes have compatible keys */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) + KRB5_DEPRECATED_FUNCTION("Use X instead") { struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1); struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2); diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c index dc2d4586a0..7a7b989b69 100644 --- a/source4/heimdal/lib/krb5/error_string.c +++ b/source4/heimdal/lib/krb5/error_string.c @@ -288,9 +288,9 @@ krb5_free_error_message(krb5_context context, const char *msg) * @ingroup krb5 */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_get_err_text(krb5_context context, krb5_error_code code) + KRB5_DEPRECATED_FUNCTION("Use X instead") { const char *p = NULL; if(context != NULL) diff --git a/source4/heimdal/lib/krb5/expand_path.c b/source4/heimdal/lib/krb5/expand_path.c index 70096e1c7a..4c4898a79e 100644 --- a/source4/heimdal/lib/krb5/expand_path.c +++ b/source4/heimdal/lib/krb5/expand_path.c @@ -2,19 +2,19 @@ /*********************************************************************** * Copyright (c) 2009, Secure Endpoints Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -27,7 +27,7 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * + * **********************************************************************/ #include "krb5_locl.h" @@ -168,7 +168,7 @@ _expand_userid(krb5_context context, PTYPE param, const char *postfix, char **re if (le != 0) { if (context) - krb5_set_error_message(context, rv, + krb5_set_error_message(context, rv, "Can't open thread token (GLE=%d)", le); goto _exit; } @@ -247,7 +247,7 @@ _expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **re if (context) krb5_set_error_message(context, EINVAL, "Unable to determine folder path"); return EINVAL; - } + } len = strlen(path); @@ -464,7 +464,7 @@ _krb5_expand_path_tokens(krb5_context context, return ENOMEM; } - + { size_t append_len = strlen(append); char * new_str = realloc(*ppath_out, len + append_len + 1); diff --git a/source4/heimdal/lib/krb5/fcache.c b/source4/heimdal/lib/krb5/fcache.c index 218bd2cdbf..731f293414 100644 --- a/source4/heimdal/lib/krb5/fcache.c +++ b/source4/heimdal/lib/krb5/fcache.c @@ -62,6 +62,9 @@ static const char* KRB5_CALLCONV fcc_get_name(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return NULL; + return FILENAME(id); } @@ -155,7 +158,7 @@ write_storage(krb5_context context, krb5_storage *sp, int fd) return ret; } sret = write(fd, data.data, data.length); - ret = (sret != data.length); + ret = (sret != (ssize_t)data.length); krb5_data_free(&data); if (ret) { ret = errno; @@ -220,7 +223,7 @@ scrub_file (int fd) return errno; memset(buf, 0, sizeof(buf)); while(pos > 0) { - ssize_t tmp = write(fd, buf, min(sizeof(buf), pos)); + ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos)); if (tmp < 0) return errno; @@ -334,11 +337,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id) fd = mkstemp(exp_file); if(fd < 0) { - int ret = errno; - krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file); + int xret = errno; + krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file); free(f); free(exp_file); - return ret; + return xret; } close(fd); f->filename = exp_file; @@ -383,8 +386,14 @@ fcc_open(krb5_context context, krb5_boolean exclusive = ((flags | O_WRONLY) == flags || (flags | O_RDWR) == flags); krb5_error_code ret; - const char *filename = FILENAME(id); + const char *filename; int fd; + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + filename = FILENAME(id); + fd = open(filename, flags, mode); if(fd < 0) { char buf[128]; @@ -412,9 +421,11 @@ fcc_initialize(krb5_context context, krb5_fcache *f = FCACHE(id); int ret = 0; int fd; - char *filename = f->filename; - unlink (filename); + if (f == NULL) + return krb5_einval(context, 2); + + unlink (f->filename); ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600); if(ret) @@ -443,7 +454,7 @@ fcc_initialize(krb5_context context, } } ret |= krb5_store_principal(sp, primary_principal); - + ret |= write_storage(context, sp, fd); krb5_storage_free(sp); @@ -464,6 +475,9 @@ static krb5_error_code KRB5_CALLCONV fcc_close(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + free (FILENAME(id)); krb5_data_free(&id->data); return 0; @@ -473,6 +487,9 @@ static krb5_error_code KRB5_CALLCONV fcc_destroy(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + _krb5_erase_file(context, FILENAME(id)); return 0; } @@ -701,6 +718,9 @@ fcc_get_first (krb5_context context, krb5_error_code ret; krb5_principal principal; + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + *cursor = malloc(sizeof(struct fcc_cursor)); if (*cursor == NULL) { krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); @@ -733,6 +753,13 @@ fcc_get_next (krb5_context context, krb5_creds *creds) { krb5_error_code ret; + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + if (FCC_CURSOR(*cursor) == NULL) + return krb5_einval(context, 3); + if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0) return ret; @@ -749,6 +776,13 @@ fcc_end_get (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + if (FCC_CURSOR(*cursor) == NULL) + return krb5_einval(context, 3); + krb5_storage_free(FCC_CURSOR(*cursor)->sp); close (FCC_CURSOR(*cursor)->fd); free(*cursor); @@ -767,6 +801,9 @@ fcc_remove_cred(krb5_context context, char *newname = NULL; int fd; + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, ©); if (ret) return ret; @@ -827,6 +864,9 @@ fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + return 0; /* XXX */ } @@ -834,9 +874,12 @@ static int KRB5_CALLCONV fcc_get_version(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return -1; + return FCACHE(id)->version; } - + struct fcache_iter { int first; }; @@ -864,6 +907,9 @@ fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) const char *fn; char *expandedfn = NULL; + if (iter == NULL) + return krb5_einval(context, 2); + if (!iter->first) { krb5_clear_error_message(context); return KRB5_CC_END; @@ -900,6 +946,10 @@ static krb5_error_code KRB5_CALLCONV fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor) { struct fcache_iter *iter = cursor; + + if (iter == NULL) + return krb5_einval(context, 2); + free(iter); return 0; } diff --git a/source4/heimdal/lib/krb5/get_addrs.c b/source4/heimdal/lib/krb5/get_addrs.c index 829b2acc17..0e2bfcf66f 100644 --- a/source4/heimdal/lib/krb5/get_addrs.c +++ b/source4/heimdal/lib/krb5/get_addrs.c @@ -82,8 +82,8 @@ gethostname_fallback (krb5_context context, krb5_addresses *res) } enum { - LOOP = 1, /* do include loopback interfaces */ - LOOP_IF_NONE = 2, /* include loopback if no other if's */ + LOOP = 1, /* do include loopback addrs */ + LOOP_IF_NONE = 2, /* include loopback addrs if no others */ EXTRA_ADDRESSES = 4, /* include extra addresses */ SCAN_INTERFACES = 8 /* scan interfaces for addresses */ }; @@ -146,11 +146,9 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) continue; if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) continue; - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { + if (krb5_sockaddr_is_loopback(ifa->ifa_addr) && (flags & LOOP) == 0) /* We'll deal with the LOOP_IF_NONE case later. */ - if ((flags & LOOP) == 0) - continue; - } + continue; ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]); if (ret) { @@ -189,24 +187,22 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) continue; if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) continue; - - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { - ret = krb5_sockaddr2address(context, - ifa->ifa_addr, &res->val[idx]); - if (ret) { - /* - * See comment above. - */ - continue; - } - if((flags & EXTRA_ADDRESSES) && - krb5_address_search(context, &res->val[idx], - &ignore_addresses)) { - krb5_free_address(context, &res->val[idx]); - continue; - } - idx++; + if (!krb5_sockaddr_is_loopback(ifa->ifa_addr)) + continue; + if ((ifa->ifa_flags & IFF_LOOPBACK) == 0) + /* Presumably loopback addrs are only used on loopback ifs! */ + continue; + ret = krb5_sockaddr2address(context, + ifa->ifa_addr, &res->val[idx]); + if (ret) + continue; /* We don't consider this failure fatal */ + if((flags & EXTRA_ADDRESSES) && + krb5_address_search(context, &res->val[idx], + &ignore_addresses)) { + krb5_free_address(context, &res->val[idx]); + continue; } + idx++; } } diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 7f2b57247d..e3bb23a2e9 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -55,7 +55,7 @@ make_pa_tgs_req(krb5_context context, { u_char *buf; size_t buf_size; - size_t len; + size_t len = 0; krb5_data in_data; krb5_error_code ret; @@ -90,7 +90,7 @@ set_auth_data (krb5_context context, krb5_keyblock *subkey) { if(authdata->len) { - size_t len, buf_size; + size_t len = 0, buf_size; unsigned char *buf; krb5_crypto crypto; krb5_error_code ret; @@ -166,10 +166,11 @@ init_tgs_req (krb5_context context, } t->req_body.etype.val[0] = in_creds->session.keytype; } else { - ret = krb5_init_etype(context, - &t->req_body.etype.len, - &t->req_body.etype.val, - NULL); + ret = _krb5_init_etype(context, + KRB5_PDU_TGS_REQUEST, + &t->req_body.etype.len, + &t->req_body.etype.val, + NULL); } if (ret) goto fail; @@ -235,7 +236,7 @@ init_tgs_req (krb5_context context, goto fail; } { - int i; + size_t i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { @@ -249,16 +250,16 @@ init_tgs_req (krb5_context context, ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - + ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session); if (ret) goto fail; - + ret = set_auth_data (context, &t->req_body, &in_creds->authdata, ac->local_subkey); if (ret) goto fail; - + ret = make_pa_tgs_req(context, ac, &t->req_body, @@ -334,6 +335,8 @@ decrypt_tkt_with_subkey (krb5_context context, assert(usage == 0); + krb5_data_zero(&data); + /* * start out with trying with subkey if we have one */ @@ -383,7 +386,7 @@ decrypt_tkt_with_subkey (krb5_context context, &dec_rep->enc_part, &size); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encpart in ticket", "")); krb5_data_free (&data); return ret; @@ -408,7 +411,7 @@ get_cred_kdc(krb5_context context, krb5_error_code ret; unsigned nonce; krb5_keyblock *subkey = NULL; - size_t len; + size_t len = 0; Ticket second_ticket_data; METHOD_DATA padata; @@ -435,12 +438,12 @@ get_cred_kdc(krb5_context context, PA_S4U2Self self; krb5_data data; void *buf; - size_t size; + size_t size = 0; self.name = impersonate_principal->name; self.realm = impersonate_principal->realm; self.auth = estrdup("Kerberos"); - + ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); if (ret) { free(self.auth); @@ -475,7 +478,7 @@ get_cred_kdc(krb5_context context, goto out; if (len != size) krb5_abortx(context, "internal asn1 error"); - + ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len); if (ret) goto out; @@ -609,7 +612,7 @@ get_cred_kdc_address(krb5_context context, krb5_appdefault_boolean(context, NULL, krbtgt->server->realm, "no-addresses", FALSE, &noaddr); - + if (!noaddr) { krb5_get_all_client_addrs(context, &addresses); /* XXX this sucks. */ @@ -734,7 +737,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_creds *in_creds, krb5_const_realm try_realm, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -809,7 +812,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_free_principal(context, tmp_creds.client); return ret; } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ @@ -842,7 +845,7 @@ get_cred_kdc_capath_worker(krb5_context context, return ret; } } - + krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); *out_creds = calloc(1, sizeof(**out_creds)); @@ -860,7 +863,7 @@ get_cred_kdc_capath_worker(krb5_context context, } krb5_free_creds(context, tgt); return ret; -} +} /* get_cred(server) @@ -883,7 +886,7 @@ get_cred_kdc_capath(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -918,7 +921,7 @@ get_cred_kdc_referral(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -946,7 +949,7 @@ get_cred_kdc_referral(krb5_context context, /* find tgt for the clients base realm */ { krb5_principal tgtname; - + ret = krb5_make_principal(context, &tgtname, client_realm, KRB5_TGS_NAME, @@ -954,7 +957,7 @@ get_cred_kdc_referral(krb5_context context, NULL); if(ret) return ret; - + ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt); krb5_free_principal(context, tgtname); if (ret) @@ -1032,9 +1035,9 @@ get_cred_kdc_referral(krb5_context context, goto out; } tickets++; - } + } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ @@ -1080,7 +1083,7 @@ _krb5_get_cred_kdc_any(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -1165,7 +1168,7 @@ krb5_get_credentials_with_flags(krb5_context context, *out_creds = res_creds; return 0; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; @@ -1382,7 +1385,7 @@ krb5_get_creds(krb5_context context, krb5_free_principal(context, in_creds.client); goto out; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; @@ -1467,7 +1470,7 @@ krb5_get_renewed_creds(krb5_context context, } } else { const char *realm = krb5_principal_get_realm(context, client); - + ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME, realm, NULL); if (ret) { diff --git a/source4/heimdal/lib/krb5/get_default_principal.c b/source4/heimdal/lib/krb5/get_default_principal.c index ba4301ce29..44baa6d1c2 100644 --- a/source4/heimdal/lib/krb5/get_default_principal.c +++ b/source4/heimdal/lib/krb5/get_default_principal.c @@ -76,7 +76,7 @@ _krb5_get_default_principal_local (krb5_context context, else ret = krb5_make_principal(context, princ, NULL, "root", NULL); } else { - struct passwd *pw = getpwuid(uid); + struct passwd *pw = getpwuid(uid); if(pw != NULL) user = pw->pw_name; else { diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index a109c71326..979fc9b0ae 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -225,7 +225,7 @@ krb5_get_forwarded_creds (krb5_context context, if (!noaddr) paddrs = &addrs; } - + /* * If tickets have addresses, get the address of the remote host. */ @@ -241,7 +241,7 @@ krb5_get_forwarded_creds (krb5_context context, hostname, gai_strerror(ret)); return ret2; } - + ret = add_addrs (context, &addrs, ai); freeaddrinfo (ai); if (ret) @@ -287,9 +287,9 @@ krb5_get_forwarded_creds (krb5_context context, if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_timestamp sec; int32_t usec; - + krb5_us_timeofday (context, &sec, &usec); - + ALLOC(enc_krb_cred_part.timestamp, 1); if (enc_krb_cred_part.timestamp == NULL) { ret = ENOMEM; @@ -418,7 +418,7 @@ krb5_get_forwarded_creds (krb5_context context, * used. Heimdal 0.7.2 and newer have code to try both in the * receiving end. */ - + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); diff --git a/source4/heimdal/lib/krb5/get_host_realm.c b/source4/heimdal/lib/krb5/get_host_realm.c index 7aee02734b..ed7f54b3d6 100644 --- a/source4/heimdal/lib/krb5/get_host_realm.c +++ b/source4/heimdal/lib/krb5/get_host_realm.c @@ -109,7 +109,7 @@ dns_find_realm(krb5_context context, domain++; for (i = 0; labels[i] != NULL; i++) { ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); - if(ret < 0 || ret >= sizeof(dom)) { + if(ret < 0 || (size_t)ret >= sizeof(dom)) { if (config_labels) krb5_config_free_strings(config_labels); return -1; diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c index 15cbfba89d..27f4964e61 100644 --- a/source4/heimdal/lib/krb5/get_in_tkt.c +++ b/source4/heimdal/lib/krb5/get_in_tkt.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER @@ -44,7 +42,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, PA_ENC_TS_ENC p; unsigned char *buf; size_t buf_size; - size_t len; + size_t len = 0; EncryptedData encdata; krb5_error_code ret; int32_t usec; @@ -76,7 +74,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, krb5_crypto_destroy(context, crypto); if (ret) return ret; - + ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret); free_EncryptedData(&encdata); if (ret) @@ -103,7 +101,7 @@ add_padata(krb5_context context, PA_DATA *pa2; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ @@ -209,7 +207,8 @@ init_as_req (krb5_context context, *a->req_body.rtime = creds->times.renew_till; } a->req_body.nonce = nonce; - ret = krb5_init_etype (context, + ret = _krb5_init_etype(context, + KRB5_PDU_AS_REQUEST, &a->req_body.etype.len, &a->req_body.etype.val, etypes); @@ -247,7 +246,7 @@ init_as_req (krb5_context context, a->req_body.additional_tickets = NULL; if(preauth != NULL) { - int i; + size_t i; ALLOC(a->padata, 1); if(a->padata == NULL) { ret = ENOMEM; @@ -258,7 +257,7 @@ init_as_req (krb5_context context, a->padata->len = 0; for(i = 0; i < preauth->len; i++) { if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){ - int j; + size_t j; for(j = 0; j < preauth->val[i].info.len; j++) { krb5_salt *sp = &salt; @@ -300,7 +299,7 @@ init_as_req (krb5_context context, add_padata(context, a->padata, creds->client, key_proc, keyseed, a->req_body.etype.val, a->req_body.etype.len, NULL); - + /* make a v4 salted pa-data */ salt.salttype = KRB5_PW_SALT; krb5_data_zero(&salt.saltvalue); @@ -331,7 +330,7 @@ set_ptypes(krb5_context context, if(error->e_data) { METHOD_DATA md; - int i; + size_t i; decode_METHOD_DATA(error->e_data->data, error->e_data->length, &md, @@ -361,7 +360,6 @@ set_ptypes(krb5_context context, return(1); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_in_cred(krb5_context context, krb5_flags options, @@ -375,12 +373,13 @@ krb5_get_in_cred(krb5_context context, krb5_const_pointer decryptarg, krb5_creds *creds, krb5_kdc_rep *ret_as_reply) + KRB5_DEPRECATED_FUNCTION("Use X instead") { krb5_error_code ret; AS_REQ a; krb5_kdc_rep rep; krb5_data req, resp; - size_t len; + size_t len = 0; krb5_salt salt; krb5_keyblock *key; size_t size; @@ -483,12 +482,12 @@ krb5_get_in_cred(krb5_context context, if(pa) { salt.salttype = pa->padata_type; salt.saltvalue = pa->padata_value; - + ret = (*key_proc)(context, etype, salt, keyseed, &key); } else { /* make a v5 salted pa-data */ ret = krb5_get_pw_salt (context, creds->client, &salt); - + if (ret) goto out; ret = (*key_proc)(context, etype, salt, keyseed, &key); @@ -496,7 +495,7 @@ krb5_get_in_cred(krb5_context context, } if (ret) goto out; - + { unsigned flags = EXTRACT_TICKET_TIMESYNC; if (opts.request_anonymous) @@ -526,7 +525,6 @@ out: return ret; } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_in_tkt(krb5_context context, krb5_flags options, @@ -540,6 +538,7 @@ krb5_get_in_tkt(krb5_context context, krb5_creds *creds, krb5_ccache ccache, krb5_kdc_rep *ret_as_reply) + KRB5_DEPRECATED_FUNCTION("Use X instead") { krb5_error_code ret; diff --git a/source4/heimdal/lib/krb5/heim_err.et b/source4/heimdal/lib/krb5/heim_err.et index 2e8a0d18d8..c47f77092f 100644 --- a/source4/heimdal/lib/krb5/heim_err.et +++ b/source4/heimdal/lib/krb5/heim_err.et @@ -19,6 +19,7 @@ error_code BAD_MKEY, "Failed to get the master key" error_code SERVICE_NOMATCH, "Unacceptable service used" error_code NOT_SEEKABLE, "File descriptor not seekable" error_code TOO_BIG, "Offset too large" +error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding" index 64 prefix HEIM_PKINIT diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c index f555c724ed..25bef0f340 100644 --- a/source4/heimdal/lib/krb5/init_creds.c +++ b/source4/heimdal/lib/krb5/init_creds.c @@ -61,14 +61,14 @@ krb5_get_init_creds_opt_alloc(krb5_context context, *opt = NULL; o = calloc(1, sizeof(*o)); if (o == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } o->opt_private = calloc(1, sizeof(*o->opt_private)); if (o->opt_private == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); free(o); return ENOMEM; @@ -402,9 +402,9 @@ krb5_get_init_creds_opt_set_process_last_req(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset (opt, 0, sizeof(*opt)); } @@ -416,11 +416,11 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_opt_get_error(krb5_context context, krb5_get_init_creds_opt *opt, KRB_ERROR **error) + KRB5_DEPRECATED_FUNCTION("Use X instead") { *error = calloc(1, sizeof(**error)); if (*error == NULL) { diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 29b882d053..f2185628e5 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -71,7 +71,7 @@ typedef struct krb5_get_init_creds_ctx { KRB_ERROR error; AS_REP as_rep; EncKDCRepPart enc_part; - + krb5_prompter_fct prompter; void *prompter_data; @@ -313,14 +313,14 @@ process_last_request(krb5_context context, if (lr->val[i].lr_value <= t) { switch (abs(lr->val[i].lr_type)) { case LR_PW_EXPTIME : - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your password will expire at ", lr->val[i].lr_value); reported = TRUE; break; case LR_ACCT_EXPTIME : - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your account will expire at ", lr->val[i].lr_value); @@ -333,7 +333,7 @@ process_last_request(krb5_context context, if (!reported && ctx->enc_part.key_expiration && *ctx->enc_part.key_expiration <= t) { - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your password/account will expire at ", *ctx->enc_part.key_expiration); @@ -367,7 +367,7 @@ get_init_creds_common(krb5_context context, if (options->opt_private) { if (options->opt_private->password) { - ret = krb5_init_creds_set_password(context, ctx, + ret = krb5_init_creds_set_password(context, ctx, options->opt_private->password); if (ret) goto out; @@ -384,7 +384,7 @@ get_init_creds_common(krb5_context context, ctx->keyproc = default_s2k_func; /* Enterprise name implicitly turns on canonicalize */ - if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) || + if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) || krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL) ctx->flags.canonicalize = 1; @@ -671,7 +671,8 @@ init_as_req (krb5_context context, *a->req_body.rtime = creds->times.renew_till; } a->req_body.nonce = 0; - ret = krb5_init_etype (context, + ret = _krb5_init_etype(context, + KRB5_PDU_AS_REQUEST, &a->req_body.etype.len, &a->req_body.etype.val, etypes); @@ -759,7 +760,7 @@ pa_etype_info2(krb5_context context, krb5_error_code ret; ETYPE_INFO2 e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz); @@ -808,7 +809,7 @@ pa_etype_info(krb5_context context, krb5_error_code ret; ETYPE_INFO e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz); @@ -889,9 +890,9 @@ static struct pa_info pa_prefs[] = { }; static PA_DATA * -find_pa_data(const METHOD_DATA *md, int type) +find_pa_data(const METHOD_DATA *md, unsigned type) { - int i; + size_t i; if (md == NULL) return NULL; for (i = 0; i < md->len; i++) @@ -908,7 +909,7 @@ process_pa_info(krb5_context context, METHOD_DATA *md) { struct pa_info_data *p = NULL; - int i; + size_t i; for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) { PA_DATA *pa = find_pa_data(md, pa_prefs[i].type); @@ -928,7 +929,7 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md, PA_ENC_TS_ENC p; unsigned char *buf; size_t buf_size; - size_t len; + size_t len = 0; EncryptedData encdata; krb5_error_code ret; int32_t usec; @@ -989,7 +990,7 @@ add_enc_ts_padata(krb5_context context, krb5_error_code ret; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ @@ -1109,7 +1110,7 @@ pa_data_add_pac_request(krb5_context context, krb5_get_init_creds_ctx *ctx, METHOD_DATA *md) { - size_t len, length; + size_t len = 0, length; krb5_error_code ret; PA_PAC_REQUEST req; void *buf; @@ -1179,14 +1180,14 @@ process_pa_data_to_md(krb5_context context, _krb5_debug(context, 5, "krb5_get_init_creds: " "prepareing PKINIT padata (%s)", (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf"); - + if (ctx->used_pa_types & USED_PKINIT_W2K) { krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP, "Already tried pkinit, looping"); return KRB5_GET_IN_TKT_LOOP; } - ret = pa_data_to_md_pkinit(context, a, creds->client, + ret = pa_data_to_md_pkinit(context, a, creds->client, (ctx->used_pa_types & USED_PKINIT), ctx, *out_md); if (ret) @@ -1526,14 +1527,14 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_error_code ret; size_t netypes = 0; int kvno = 0; - + a = malloc(sizeof(*a)); if (a == NULL) { krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } - + a->principal = ctx->cred.client; a->keytab = keytab; @@ -1568,7 +1569,7 @@ krb5_init_creds_set_keytab(krb5_context context, kvno = entry.vno; } else if (entry.vno != kvno) goto next; - + /* check if enctype is supported */ if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0) goto next; @@ -1619,7 +1620,7 @@ krb5_init_creds_set_keyblock(krb5_context context, /** * The core loop if krb5_get_init_creds() function family. Create the - * packets and have the caller send them off to the KDC. + * packets and have the caller send them off to the KDC. * * If the caller want all work been done for them, use * krb5_init_creds_get() instead. @@ -1647,7 +1648,7 @@ krb5_init_creds_step(krb5_context context, unsigned int *flags) { krb5_error_code ret; - size_t len; + size_t len = 0; size_t size; krb5_data_zero(out); @@ -1768,13 +1769,13 @@ krb5_init_creds_step(krb5_context context, "options send by KDC", "")); } } else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) { - /* + /* * Try adapt to timeskrew when we are using pre-auth, and * if there was a time skew, try again. */ krb5_set_real_time(context, ctx->error.stime, -1); if (context->kdc_sec_offset) - ret = 0; + ret = 0; _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d", context->kdc_sec_offset); @@ -1793,7 +1794,7 @@ krb5_init_creds_step(krb5_context context, "krb5_get_init_creds: got referal to realm %s", *ctx->error.crealm); - ret = krb5_principal_set_realm(context, + ret = krb5_principal_set_realm(context, ctx->cred.client, *ctx->error.crealm); @@ -1934,7 +1935,7 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) if ((flags & 1) == 0) break; - ret = krb5_sendto_context (context, stctx, &out, + ret = krb5_sendto_context (context, stctx, &out, ctx->cred.client->realm, &in); if (ret) goto out; @@ -2013,7 +2014,7 @@ krb5_get_init_creds_password(krb5_context context, } ret = krb5_init_creds_get(context, ctx); - + if (ret == 0) process_last_request(context, options, ctx); diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c index 1fe15d8064..5a28b5138b 100644 --- a/source4/heimdal/lib/krb5/kcm.c +++ b/source4/heimdal/lib/krb5/kcm.c @@ -157,7 +157,7 @@ kcm_alloc(krb5_context context, const char *name, krb5_ccache *id) } } else k->name = NULL; - + (*id)->data.data = k; (*id)->data.length = sizeof(*k); @@ -554,7 +554,7 @@ kcm_get_first (krb5_context context, c = calloc(1, sizeof(*c)); if (c == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); return ret; } @@ -577,7 +577,7 @@ kcm_get_first (krb5_context context, if (ptr == NULL) { free(c->uuids); free(c); - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } @@ -637,7 +637,7 @@ kcm_get_next (krb5_context context, return ret; } - sret = krb5_storage_write(request, + sret = krb5_storage_write(request, &c->uuids[c->offset], sizeof(c->uuids[c->offset])); c->offset++; @@ -789,7 +789,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) c = calloc(1, sizeof(*c)); if (c == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } @@ -820,7 +820,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1)); if (ptr == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } @@ -837,7 +837,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) if (ret && c) { free(c->uuids); free(c); - } else + } else *cursor = c; return ret; @@ -869,7 +869,7 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op if (ret) return ret; - sret = krb5_storage_write(request, + sret = krb5_storage_write(request, &c->uuids[c->offset], sizeof(c->uuids[c->offset])); c->offset++; @@ -956,14 +956,14 @@ kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to) } static krb5_error_code -kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops, +kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops, const char *defstr, char **str) { krb5_error_code ret; krb5_storage *request, *response; krb5_data response_data; char *name; - + *str = NULL; ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request); @@ -1039,7 +1039,7 @@ kcm_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset) krb5_kcmcache *k = KCMCACHE(id); krb5_error_code ret; krb5_storage *request; - + ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request); if (ret) return ret; @@ -1069,7 +1069,7 @@ kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset krb5_storage *request, *response; krb5_data response_data; int32_t offset; - + ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request); if (ret) return ret; @@ -1155,11 +1155,13 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = { kcm_move, kcm_get_default_name_api, kcm_set_default, - kcm_lastchange + kcm_lastchange, + NULL, + NULL }; -krb5_boolean +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL _krb5_kcm_is_running(krb5_context context) { krb5_error_code ret; @@ -1184,7 +1186,7 @@ _krb5_kcm_is_running(krb5_context context) * Response: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_noop(krb5_context context, krb5_ccache id) { @@ -1212,7 +1214,7 @@ _krb5_kcm_noop(krb5_context context, * Repsonse: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_get_initial_ticket(krb5_context context, krb5_ccache id, krb5_principal server, @@ -1269,7 +1271,7 @@ _krb5_kcm_get_initial_ticket(krb5_context context, * Repsonse: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_get_ticket(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c index f34a5c4f90..9ba9c4b290 100644 --- a/source4/heimdal/lib/krb5/keyblock.c +++ b/source4/heimdal/lib/krb5/keyblock.c @@ -131,7 +131,7 @@ krb5_copy_keyblock (krb5_context context, { krb5_error_code ret; krb5_keyblock *k; - + *to = NULL; k = calloc (1, sizeof(*k)); diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c index 96c0bce273..8ca515f213 100644 --- a/source4/heimdal/lib/krb5/keytab.c +++ b/source4/heimdal/lib/krb5/keytab.c @@ -50,7 +50,7 @@ * * A keytab name is on the form type:residual. The residual part is * specific to each keytab-type. - * + * * When a keytab-name is resolved, the type is matched with an internal * list of keytab types. If there is no matching keytab type, * the default keytab is used. The current default type is FILE. @@ -60,7 +60,7 @@ * [defaults]default_keytab_name. * * The keytab types that are implemented in Heimdal are: - * - file + * - file * store the keytab in a file, the type's name is FILE . The * residual part is a filename. For compatibility with other * Kerberos implemtation WRFILE and JAVA14 is also accepted. WRFILE @@ -166,29 +166,27 @@ krb5_kt_register(krb5_context context, } static const char * -keytab_name(const char * name, const char ** ptype, size_t * ptype_len) +keytab_name(const char *name, const char **type, size_t *type_len) { - const char * residual; + const char *residual; residual = strchr(name, ':'); - if (residual == NULL - + if (residual == NULL || + name[0] == '/' #ifdef _WIN32 - /* Avoid treating <drive>:<path> as a keytab type * specification */ - || name + 1 == residual #endif ) { - *ptype = "FILE"; - *ptype_len = strlen(*ptype); + *type = "FILE"; + *type_len = strlen(*type); residual = name; } else { - *ptype = name; - *ptype_len = residual - name; + *type = name; + *type_len = residual - name; residual++; } @@ -439,7 +437,7 @@ krb5_kt_get_full_name(krb5_context context, char type[KRB5_KT_PREFIX_MAX_LEN]; char name[MAXPATHLEN]; krb5_error_code ret; - + *str = NULL; ret = krb5_kt_get_type(context, keytab, type, sizeof(type)); @@ -568,16 +566,16 @@ _krb5_kt_principal_not_found(krb5_context context, { char princ[256], kvno_str[25], *kt_name; char *enctype_str = NULL; - + krb5_unparse_name_fixed (context, principal, princ, sizeof(princ)); krb5_kt_get_full_name (context, id, &kt_name); krb5_enctype_to_string(context, enctype, &enctype_str); - + if (kvno) snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno); else kvno_str[0] = '\0'; - + krb5_set_error_message (context, ret, N_("Failed to find %s%s in keytab %s (%s)", "principal, kvno, keytab file, enctype"), @@ -850,3 +848,46 @@ krb5_kt_remove_entry(krb5_context context, } return (*id->remove)(context, id, entry); } + +/** + * Return true if the keytab exists and have entries + * + * @param context a Keberos context. + * @param id a keytab. + * + * @return Return an error code or 0, see krb5_get_error_message(). + * + * @ingroup krb5_keytab + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_kt_have_content(krb5_context context, + krb5_keytab id) +{ + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + krb5_error_code ret; + char *name; + + ret = krb5_kt_start_seq_get(context, id, &cursor); + if (ret) + goto notfound; + + ret = krb5_kt_next_entry(context, id, &entry, &cursor); + krb5_kt_end_seq_get(context, id, &cursor); + if (ret) + goto notfound; + + krb5_kt_free_entry(context, &entry); + + return 0; + + notfound: + ret = krb5_kt_get_full_name(context, id, &name); + if (ret == 0) { + krb5_set_error_message(context, KRB5_KT_NOTFOUND, + N_("No entry in keytab: %s", ""), name); + free(name); + } + return KRB5_KT_NOTFOUND; +} diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c index 2b9ea7f11d..ccaf62fcb4 100644 --- a/source4/heimdal/lib/krb5/keytab_file.c +++ b/source4/heimdal/lib/krb5/keytab_file.c @@ -101,7 +101,7 @@ krb5_kt_store_data(krb5_context context, if(ret < 0) return ret; ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ + if(ret != (int)data.length){ if(ret < 0) return errno; return KRB5_KT_END; @@ -119,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp, if(ret < 0) return ret; ret = krb5_storage_write(sp, data, len); - if(ret != len){ + if(ret != (int)len){ if(ret < 0) return errno; return KRB5_KT_END; @@ -182,7 +182,7 @@ krb5_kt_ret_principal(krb5_context context, krb5_storage *sp, krb5_principal *princ) { - int i; + size_t i; int ret; krb5_principal p; int16_t len; @@ -262,7 +262,7 @@ krb5_kt_store_principal(krb5_context context, krb5_storage *sp, krb5_principal p) { - int i; + size_t i; int ret; if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) @@ -536,7 +536,7 @@ fkt_setup_keytab(krb5_context context, id->version = KRB5_KT_VNO; return krb5_store_int8 (sp, id->version); } - + static krb5_error_code KRB5_CALLCONV fkt_add_entry(krb5_context context, krb5_keytab id, @@ -699,7 +699,7 @@ fkt_add_entry(krb5_context context, } if(len < 0) { len = -len; - if(len >= keytab.length) { + if(len >= (int)keytab.length) { krb5_storage_seek(sp, -4, SEEK_CUR); break; } @@ -749,8 +749,9 @@ fkt_remove_entry(krb5_context context, krb5_store_int32(cursor.sp, -len); memset(buf, 0, sizeof(buf)); while(len > 0) { - krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf))); - len -= min(len, sizeof(buf)); + krb5_storage_write(cursor.sp, buf, + min((size_t)len, sizeof(buf))); + len -= min((size_t)len, sizeof(buf)); } } krb5_kt_free_entry(context, &e); diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c index 28bbaeee8c..ea74c32780 100644 --- a/source4/heimdal/lib/krb5/keytab_keyfile.c +++ b/source4/heimdal/lib/krb5/keytab_keyfile.c @@ -348,7 +348,7 @@ akf_add_entry(krb5_context context, strerror(ret)); return ret; } - + ret = krb5_ret_int32(sp, &len); if(ret) { krb5_storage_free(sp); @@ -387,7 +387,7 @@ akf_add_entry(krb5_context context, } len++; - + if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) { ret = errno; krb5_set_error_message (context, ret, @@ -395,7 +395,7 @@ akf_add_entry(krb5_context context, strerror(ret)); goto out; } - + ret = krb5_store_int32(sp, len); if(ret) { ret = errno; @@ -410,7 +410,7 @@ akf_add_entry(krb5_context context, N_("seek to end: %s", ""), strerror(ret)); goto out; } - + ret = krb5_store_int32(sp, entry->vno); if(ret) { krb5_set_error_message(context, ret, diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 8d671e3d36..2224b92e95 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -53,16 +53,6 @@ #define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED #endif -#ifndef KRB5_DEPRECATED -#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) -#define KRB5_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) && (_MSC_VER>1200) -#define KRB5_DEPRECATED __declspec(deprecated) -#else -#define KRB5_DEPRECATED -#endif -#endif - #ifdef _WIN32 #define KRB5_CALLCONV __stdcall #else @@ -128,28 +118,69 @@ typedef struct krb5_enc_data { /* alternative names */ enum { - ENCTYPE_NULL = ETYPE_NULL, - ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5, - ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1, - ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE, - ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, - ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, - ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, - ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, - ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, - ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, - ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, - ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE, - ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE, - ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE, - ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE + ENCTYPE_NULL = KRB5_ENCTYPE_NULL, + ENCTYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5, + ENCTYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1, + ENCTYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE, + ENCTYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV, + ENCTYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB, + ENCTYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ENCTYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ENCTYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56, + ENCTYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS, + ENCTYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE, + ENCTYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE, + ENCTYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE, + ENCTYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE, + ETYPE_NULL = KRB5_ENCTYPE_NULL, + ETYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC, + ETYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4, + ETYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5, + ETYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5, + ETYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1, + ETYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE, + ETYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV, + ETYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB, + ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1, + ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56, + ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS, + ETYPE_ARCFOUR_MD4 = KRB5_ENCTYPE_ARCFOUR_MD4, + ETYPE_ARCFOUR_HMAC_OLD = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD, + ETYPE_ARCFOUR_HMAC_OLD_EXP = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP, + ETYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE, + ETYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE, + ETYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE, + ETYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE, + ETYPE_DIGEST_MD5_NONE = KRB5_ENCTYPE_DIGEST_MD5_NONE, + ETYPE_CRAM_MD5_NONE = KRB5_ENCTYPE_CRAM_MD5_NONE + }; +/* PDU types */ +typedef enum krb5_pdu { + KRB5_PDU_ERROR = 0, + KRB5_PDU_TICKET = 1, + KRB5_PDU_AS_REQUEST = 2, + KRB5_PDU_AS_REPLY = 3, + KRB5_PDU_TGS_REQUEST = 4, + KRB5_PDU_TGS_REPLY = 5, + KRB5_PDU_AP_REQUEST = 6, + KRB5_PDU_AP_REPLY = 7, + KRB5_PDU_KRB_SAFE = 8, + KRB5_PDU_KRB_PRIV = 9, + KRB5_PDU_KRB_CRED = 10, + KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */ +} krb5_pdu; + typedef PADATA_TYPE krb5_preauthtype; typedef enum krb5_key_usage { diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index bdd725e9ea..d0c68927ff 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -188,6 +188,12 @@ struct _krb5_krb_auth_data; #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) +#ifndef __func__ +#define __func__ "unknown-function" +#endif + +#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum)) + #ifndef PATH_SEP #define PATH_SEP ":" #endif @@ -240,9 +246,14 @@ struct _krb5_get_init_creds_opt_private { } lr; }; +typedef uint32_t krb5_enctype_set; + typedef struct krb5_context_data { krb5_enctype *etypes; - krb5_enctype *etypes_des; + krb5_enctype *etypes_des;/* deprecated */ + krb5_enctype *as_etypes; + krb5_enctype *tgs_etypes; + krb5_enctype *permitted_enctypes; char **default_realms; time_t max_skew; time_t kdc_timeout; diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c index 7d11157848..3242cdb999 100644 --- a/source4/heimdal/lib/krb5/krbhst.c +++ b/source4/heimdal/lib/krb5/krbhst.c @@ -123,7 +123,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, (*res)[num_srv++] = hi; hi->proto = proto_num; - + hi->def_port = def_port; if (port != 0) hi->port = port; @@ -134,7 +134,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, } *count = num_srv; - + rk_dns_free_data(r); return 0; } @@ -508,7 +508,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, ret = asprintf(&host, "%s.%s.", serv_string, kd->realm); else ret = asprintf(&host, "%s-%d.%s.", - serv_string, kd->fallback_count, kd->realm); + serv_string, kd->fallback_count, kd->realm); if (ret < 0 || host == NULL) return ENOMEM; @@ -605,7 +605,7 @@ plugin_get_hosts(krb5_context context, service = _krb5_plugin_get_symbol(e); if (service->minor_version != 0) continue; - + (*service->init)(context, &ctx); ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd); (*service->fini)(ctx); diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c index ca0756fdb9..4b289afd80 100644 --- a/source4/heimdal/lib/krb5/log.c +++ b/source4/heimdal/lib/krb5/log.c @@ -501,7 +501,7 @@ _krb5_debug(krb5_context context, if (context == NULL || context->debug_dest == NULL) return; - + va_start(ap, fmt); krb5_vlog(context, context->debug_dest, level, fmt, ap); va_end(ap); diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c index 19e6b2345e..e4b90c17e7 100644 --- a/source4/heimdal/lib/krb5/mcache.c +++ b/source4/heimdal/lib/krb5/mcache.c @@ -220,7 +220,7 @@ mcc_destroy(krb5_context context, l = m->creds; while (l != NULL) { struct link *old; - + krb5_free_cred_contents (context, &l->cred); old = l; l = l->next; @@ -347,7 +347,7 @@ mcc_set_flags(krb5_context context, { return 0; /* XXX */ } - + struct mcache_iter { krb5_mcache *cache; }; diff --git a/source4/heimdal/lib/krb5/misc.c b/source4/heimdal/lib/krb5/misc.c index f90624cfca..ac6720c4e9 100644 --- a/source4/heimdal/lib/krb5/misc.c +++ b/source4/heimdal/lib/krb5/misc.c @@ -32,6 +32,9 @@ */ #include "krb5_locl.h" +#ifdef HAVE_EXECINFO_H +#include <execinfo.h> +#endif KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_s4u2self_to_checksumdata(krb5_context context, @@ -42,7 +45,7 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, krb5_ssize_t ssize; krb5_storage *sp; size_t size; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { @@ -56,20 +59,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, for (i = 0; i < self->name.name_string.len; i++) { size = strlen(self->name.name_string.val[i]); ssize = krb5_storage_write(sp, self->name.name_string.val[i], size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } } size = strlen(self->realm); ssize = krb5_storage_write(sp, self->realm, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } size = strlen(self->auth); ssize = krb5_storage_write(sp, self->auth, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } @@ -89,3 +92,37 @@ krb5_enomem(krb5_context context) krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } + +void +_krb5_debug_backtrace(krb5_context context) +{ +#if defined(HAVE_BACKTRACE) && !defined(HEIMDAL_SMALLER) + void *stack[128]; + char **strs = NULL; + int i, frames = backtrace(stack, sizeof(stack) / sizeof(stack[0])); + if (frames > 0) + strs = backtrace_symbols(stack, frames); + if (strs) { + for (i = 0; i < frames; i++) + _krb5_debug(context, 10, "frame %d: %s", i, strs[i]); + free(strs); + } +#endif +} + +krb5_error_code +_krb5_einval(krb5_context context, const char *func, unsigned long argn) +{ +#ifndef HEIMDAL_SMALLER + krb5_set_error_message(context, EINVAL, + N_("programmer error: invalid argument to %s argument %lu", + "function:line"), + func, argn); + if (_krb5_have_debug(context, 10)) { + _krb5_debug(context, 10, "invalid argument to function %s argument %lu", + func, argn); + _krb5_debug_backtrace(context); + } +#endif + return EINVAL; +} diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c index 93489b607b..803a5bf289 100644 --- a/source4/heimdal/lib/krb5/mit_glue.c +++ b/source4/heimdal/lib/krb5/mit_glue.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER @@ -226,7 +224,7 @@ krb5_c_decrypt(krb5_context context, krb5_crypto_destroy(context, crypto); return ret; } - + if (blocksize > ivec->length) { krb5_crypto_destroy(context, crypto); return KRB5_BAD_MSIZE; @@ -316,12 +314,12 @@ krb5_c_encrypt_length(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean *similar) + KRB5_DEPRECATED_FUNCTION("Use X instead") { *similar = (e1 == e2); return 0; diff --git a/source4/heimdal/lib/krb5/mk_error.c b/source4/heimdal/lib/krb5/mk_error.c index a837b5e290..5fee1d6bed 100644 --- a/source4/heimdal/lib/krb5/mk_error.c +++ b/source4/heimdal/lib/krb5/mk_error.c @@ -48,7 +48,7 @@ krb5_mk_error(krb5_context context, KRB_ERROR msg; krb5_timestamp sec; int32_t usec; - size_t len; + size_t len = 0; krb5_error_code ret = 0; krb5_us_timeofday (context, &sec, &usec); @@ -75,7 +75,8 @@ krb5_mk_error(krb5_context context, msg.realm = server->realm; msg.sname = server->name; }else{ - msg.realm = "<unspecified realm>"; + static char unspec[] = "<unspecified realm>"; + msg.realm = unspec; } if(client){ msg.crealm = &client->realm; diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c index 833821341d..dede6d2fa4 100644 --- a/source4/heimdal/lib/krb5/mk_priv.c +++ b/source4/heimdal/lib/krb5/mk_priv.c @@ -45,7 +45,7 @@ krb5_mk_priv(krb5_context context, EncKrbPrivPart part; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_crypto crypto; krb5_keyblock *key; krb5_replay_data rdata; diff --git a/source4/heimdal/lib/krb5/mk_rep.c b/source4/heimdal/lib/krb5/mk_rep.c index 2b9c3fbdbb..84c315291c 100644 --- a/source4/heimdal/lib/krb5/mk_rep.c +++ b/source4/heimdal/lib/krb5/mk_rep.c @@ -43,7 +43,7 @@ krb5_mk_rep(krb5_context context, EncAPRepPart body; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_crypto crypto; ap.pvno = 5; diff --git a/source4/heimdal/lib/krb5/n-fold.c b/source4/heimdal/lib/krb5/n-fold.c index f94a1ea125..2e6092c5ca 100644 --- a/source4/heimdal/lib/krb5/n-fold.c +++ b/source4/heimdal/lib/krb5/n-fold.c @@ -64,7 +64,7 @@ rr13(unsigned char *buf, size_t len) /* byte offset and shift count */ b1 = bb / 8; s1 = bb % 8; - + if(bb + 8 > bytes * 8) /* watch for wraparound */ s2 = (len + 8 - s1) % 8; diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c index 046a89cc6a..f4caaddc26 100644 --- a/source4/heimdal/lib/krb5/pac.c +++ b/source4/heimdal/lib/krb5/pac.c @@ -106,7 +106,7 @@ HMAC_MD5_any_checksum(krb5_context context, ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result); if (ret) krb5_data_free(&result->checksum); - + krb5_free_keyblock(context, local_key.key); return ret; } @@ -464,7 +464,7 @@ verify_checksum(krb5_context context, goto out; } ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length); - if (ret != cksum.checksum.length) { + if (ret != (int)cksum.checksum.length) { ret = EINVAL; krb5_set_error_message(context, ret, "PAC checksum missing checksum"); goto out; @@ -546,7 +546,7 @@ create_checksum(krb5_context context, * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx * for Microsoft's explaination */ - if (cksumtype == CKSUMTYPE_HMAC_MD5) { + if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) { ret = HMAC_MD5_any_checksum(context, key, data, datalen, KRB5_KU_OTHER_CKSUM, &cksum); } else { @@ -748,7 +748,7 @@ build_logon_name(krb5_context context, ret = krb5_storage_write(sp, s2, len * 2); free(s2); - if (ret != len * 2) { + if (ret != (int)(len * 2)) { ret = krb5_enomem(context); goto out; } @@ -932,7 +932,8 @@ _krb5_pac_sign(krb5_context context, size_t server_size, priv_size; uint32_t server_offset = 0, priv_offset = 0; uint32_t server_cksumtype = 0, priv_cksumtype = 0; - int i, num = 0; + int num = 0; + size_t i; krb5_data logon, d; krb5_data_zero(&logon); @@ -1049,7 +1050,7 @@ _krb5_pac_sign(krb5_context context, end += len; e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT; - if (end != e) { + if ((int32_t)end != e) { CHECK(ret, fill_zeros(context, spdata, e - end), out); } end = e; @@ -1066,7 +1067,7 @@ _krb5_pac_sign(krb5_context context, goto out; } ret = krb5_storage_write(sp, d.data, d.length); - if (ret != d.length) { + if (ret != (int)d.length) { krb5_data_free(&d); ret = krb5_enomem(context); goto out; diff --git a/source4/heimdal/lib/krb5/padata.c b/source4/heimdal/lib/krb5/padata.c index 98420a7332..babe22cb38 100644 --- a/source4/heimdal/lib/krb5/padata.c +++ b/source4/heimdal/lib/krb5/padata.c @@ -36,8 +36,8 @@ KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx) { - for(; *idx < len; (*idx)++) - if(val[*idx].padata_type == type) + for(; *idx < (int)len; (*idx)++) + if(val[*idx].padata_type == (unsigned)type) return val + *idx; return NULL; } diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 7a8502727e..1103a17807 100644 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, { "MS EKU" }, { "any (or no)" } }; - int i, ret, start = 1; + int ret = HX509_CERT_NOT_FOUND; + size_t i, start = 1; unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 }; const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids }; @@ -298,8 +299,8 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) { IssuerAndSerialNumber iasn; hx509_name issuer; - size_t size; - + size_t size = 0; + memset(&iasn, 0, sizeof(iasn)); ret = hx509_cert_get_issuer(c, &issuer); @@ -314,7 +315,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) free_ExternalPrincipalIdentifier(&id); return ret; } - + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); if (ret) { free_IssuerAndSerialNumber(&iasn); @@ -364,7 +365,7 @@ build_auth_pack(krb5_context context, const KDC_REQ_BODY *body, AuthPack *a) { - size_t buf_size, len; + size_t buf_size, len = 0; krb5_error_code ret; void *buf; krb5_timestamp sec; @@ -413,7 +414,7 @@ build_auth_pack(krb5_context context, const char *moduli_file; unsigned long dh_min_bits; krb5_data dhbuf; - size_t size; + size_t size = 0; krb5_data_zero(&dhbuf); @@ -433,7 +434,7 @@ build_auth_pack(krb5_context context, ret = _krb5_parse_moduli(context, moduli_file, &ctx->m); if (ret) return ret; - + ctx->u.dh = DH_new(); if (ctx->u.dh == NULL) { krb5_set_error_message(context, ENOMEM, @@ -483,9 +484,9 @@ build_auth_pack(krb5_context context, &a->clientPublicValue->algorithm.algorithm); if (ret) return ret; - + memset(&dp, 0, sizeof(dp)); - + ret = BN_to_integer(context, dh->p, &dp.p); if (ret) { free_DomainParameters(&dp); @@ -503,14 +504,14 @@ build_auth_pack(krb5_context context, } dp.j = NULL; dp.validationParms = NULL; - + a->clientPublicValue->algorithm.parameters = malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); if (a->clientPublicValue->algorithm.parameters == NULL) { free_DomainParameters(&dp); return ret; } - + ASN1_MALLOC_ENCODE(DomainParameters, a->clientPublicValue->algorithm.parameters->data, a->clientPublicValue->algorithm.parameters->length, @@ -520,11 +521,11 @@ build_auth_pack(krb5_context context, return ret; if (size != a->clientPublicValue->algorithm.parameters->length) krb5_abortx(context, "Internal ASN1 encoder error"); - + ret = BN_to_integer(context, dh->pub_key, &dh_pub_key); if (ret) return ret; - + ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, &dh_pub_key, &size, ret); der_free_heim_integer(&dh_pub_key); @@ -536,7 +537,7 @@ build_auth_pack(krb5_context context, #ifdef HAVE_OPENSSL ECParameters ecp; unsigned char *p; - int len; + int xlen; /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */ @@ -551,13 +552,13 @@ build_auth_pack(krb5_context context, free_ECParameters(&ecp); return ENOMEM; } - ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret); + ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret); free_ECParameters(&ecp); if (ret) return ret; - if (size != len) + if ((int)size != xlen) krb5_abortx(context, "asn1 internal error"); - + a->clientPublicValue->algorithm.parameters->data = p; a->clientPublicValue->algorithm.parameters->length = size; @@ -578,18 +579,18 @@ build_auth_pack(krb5_context context, /* encode onto dhkey */ - len = i2o_ECPublicKey(ctx->u.eckey, NULL); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, NULL); + if (xlen <= 0) abort(); - dhbuf.data = malloc(len); + dhbuf.data = malloc(xlen); if (dhbuf.data == NULL) abort(); - dhbuf.length = len; + dhbuf.length = xlen; p = dhbuf.data; - len = i2o_ECPublicKey(ctx->u.eckey, &p); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, &p); + if (xlen <= 0) abort(); /* XXX verify that this is right with RFC3279 */ @@ -601,13 +602,14 @@ build_auth_pack(krb5_context context, a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8; a->clientPublicValue->subjectPublicKey.data = dhbuf.data; } - + { a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes)); if (a->supportedCMSTypes == NULL) return ENOMEM; - ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL, + ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, + ctx->id->cert, &a->supportedCMSTypes->val, &a->supportedCMSTypes->len); if (ret) @@ -648,10 +650,10 @@ pk_mk_padata(krb5_context context, { struct ContentInfo content_info; krb5_error_code ret; - const heim_oid *oid; - size_t size; + const heim_oid *oid = NULL; + size_t size = 0; krb5_data buf, sd_buf; - int pa_type; + int pa_type = -1; krb5_data_zero(&buf); krb5_data_zero(&sd_buf); @@ -698,7 +700,7 @@ pk_mk_padata(krb5_context context, oid = &asn1_oid_id_pkcs7_data; } else if (ctx->type == PKINIT_27) { AuthPack ap; - + memset(&ap, 0, sizeof(ap)); ret = build_auth_pack(context, nonce, ctx, req_body, &ap); @@ -755,7 +757,7 @@ pk_mk_padata(krb5_context context, pa_type = KRB5_PADATA_PK_AS_REQ; memset(&req, 0, sizeof(req)); - req.signedAuthPack = buf; + req.signedAuthPack = buf; if (ctx->trustedCertifiers) { @@ -926,7 +928,7 @@ pk_verify_sign(krb5_context context, ret = ENOMEM; goto out; } - + ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert); if (ret) { pk_copy_error(context, context->hx509ctx, ret, @@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context, return ret; } - if (key_pack.nonce != nonce) { + if ((unsigned)key_pack.nonce != nonce) { krb5_set_error_message(context, ret, N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); @@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context, } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - int i; + size_t i; ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, host->cert, @@ -1203,9 +1205,9 @@ pk_rd_pa_reply_enckey(krb5_context context, size_t ph = 1 + der_length_len(content.length); unsigned char *ptr = malloc(content.length + ph); size_t l; - + memcpy(ptr + ph, content.data, content.length); - + ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length, ASN1_C_UNIV, CONS, UT_Sequence, &l); if (ret) @@ -1424,7 +1426,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } - + dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh); if (dh_gen_keylen == -1) { ret = KRB5KRB_ERR_GENERIC; @@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context, N_("PKINIT: Can't compute Diffie-Hellman key", "")); goto out; } - if (dh_gen_keylen < size) { + if (dh_gen_keylen < (int)size) { size -= dh_gen_keylen; memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); memset(dh_gen_key, 0, size); @@ -1488,7 +1490,7 @@ pk_rd_pa_reply_dh(krb5_context context, ret = EINVAL; #endif } - + if (dh_gen_keylen <= 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1555,7 +1557,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP rep; heim_octet_string os, data; heim_oid oid; - + if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { krb5_set_error_message(context, EINVAL, N_("PKINIT: wrong padata recv", "")); @@ -1585,7 +1587,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP_BTMM btmm; free_PA_PK_AS_REP(&rep); memset(&rep, 0, sizeof(rep)); - + _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key"); ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data, @@ -1661,7 +1663,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, #endif memset(&w2krep, 0, sizeof(w2krep)); - + ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, pa->padata_value.length, &w2krep, @@ -1674,12 +1676,12 @@ _krb5_pk_rd_pa_reply(krb5_context context, } krb5_clear_error_message(context); - + switch (w2krep.element) { case choice_PA_PK_AS_REP_Win2k_encKeyPack: { heim_octet_string data; heim_oid oid; - + ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, &oid, &data, NULL); free_PA_PK_AS_REP_Win2k(&w2krep); @@ -1744,7 +1746,7 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) default: prompt.type = KRB5_PROMPT_TYPE_PASSWORD; break; - } + } ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { @@ -1780,10 +1782,10 @@ _krb5_pk_set_user_id(krb5_context context, "Allocate query to find signing certificate"); return ret; } - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - + if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) { ctx->id->flags |= PKINIT_BTMM; } @@ -1799,7 +1801,7 @@ _krb5_pk_set_user_id(krb5_context context, ret = hx509_cert_get_subject(ctx->id->cert, &name); if (ret) goto out; - + ret = hx509_name_to_string(name, &str); hx509_name_free(&name); if (ret) @@ -1857,7 +1859,7 @@ _krb5_pk_load_id(krb5_context context, krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; - } + } if (user_id) { hx509_lock lock; @@ -1867,15 +1869,15 @@ _krb5_pk_load_id(krb5_context context, pk_copy_error(context, context->hx509ctx, ret, "Failed init lock"); goto out; } - + if (password && password[0]) hx509_lock_add_password(lock, password); - + if (prompter) { p.context = context; p.prompter = prompter; p.prompter_data = prompter_data; - + ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p); if (ret) { hx509_lock_free(lock); @@ -2083,7 +2085,7 @@ _krb5_parse_moduli_line(krb5_context context, "bits on line %d", ""), file, lineno); goto out; } - + ret = parse_integer(context, &p, file, lineno, "p", &m1->p); if (ret) goto out; @@ -2249,7 +2251,7 @@ _krb5_parse_moduli(krb5_context context, const char *file, return ENOMEM; } m = m2; - + m[n] = NULL; ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element); @@ -2321,7 +2323,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) break; case USE_RSA: break; - case USE_ECDH: + case USE_ECDH: #ifdef HAVE_OPENSSL if (ctx->u.eckey) EC_KEY_free(ctx->u.eckey); @@ -2457,7 +2459,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_set_error_message(context, EINVAL, N_("No anonymous pkinit support in RSA mode", "")); return EINVAL; - } + } } return 0; @@ -2484,7 +2486,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context, N_("PKINIT: on pkinit context", "")); return EINVAL; } - + _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs); return 0; @@ -2517,7 +2519,7 @@ get_ms_san(hx509_context context, hx509_cert cert, char **upn) upn, NULL); else ret = 1; - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); return ret; } @@ -2552,14 +2554,14 @@ krb5_pk_enterprise_cert(krb5_context context, #ifdef PKINIT krb5_error_code ret; hx509_certs certs, result; - hx509_cert cert; + hx509_cert cert = NULL; hx509_query *q; char *name; *principal = NULL; if (res) *res = NULL; - + if (user_id == NULL) { krb5_set_error_message(context, ENOENT, "no user id"); return ENOENT; @@ -2592,7 +2594,7 @@ krb5_pk_enterprise_cert(krb5_context context, "Failed to find PKINIT certificate"); return ret; } - + ret = hx509_get_one_cert(context->hx509ctx, result, &cert); hx509_certs_free(&result); if (ret) { @@ -2617,11 +2619,9 @@ krb5_pk_enterprise_cert(krb5_context context, if (res) { ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res); - if (ret) { - hx509_cert_free(cert); + if (ret) goto out; - } - + ret = hx509_certs_add(context->hx509ctx, *res, cert); if (ret) { hx509_certs_free(res); diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c index ea47e13a7b..9303b6c615 100644 --- a/source4/heimdal/lib/krb5/plugin.c +++ b/source4/heimdal/lib/krb5/plugin.c @@ -63,7 +63,7 @@ static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER; static struct plugin *registered = NULL; static int plugins_needs_scan = 1; -static const char *sysplugin_dirs[] = { +static const char *sysplugin_dirs[] = { LIBDIR "/plugin/krb5", #ifdef __APPLE__ "/System/Library/KerberosPlugins/KerberosFrameworkPlugins", @@ -196,9 +196,9 @@ is_valid_plugin_filename(const char * n) return !stricmp(ext, ".dll"); } -#endif - +#else return 1; +#endif } static void @@ -305,7 +305,7 @@ static krb5_error_code add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol) { struct krb5_plugin *e; - + e = calloc(1, sizeof(*e)); if (e == NULL) { krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); @@ -329,7 +329,7 @@ _krb5_plugin_find(krb5_context context, *list = NULL; HEIMDAL_MUTEX_lock(&plugin_mutex); - + load_plugins(context); for (ret = 0, e = registered; e != NULL; e = e->next) { @@ -379,7 +379,7 @@ _krb5_plugin_free(struct krb5_plugin *list) /* * module - dict of { * ModuleName = [ - * plugin = object{ + * plugin = object{ * array = { ptr, ctx } * } * ] @@ -556,7 +556,7 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value) return; pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free); - + cpm = pl->dataptr = dlsym(p->dsohandle, s->name); if (cpm) { int ret; @@ -569,10 +569,10 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value) } else { cpm = pl->dataptr; } - + if (cpm && cpm->version >= s->min_version) heim_array_append_value(s->result, pl); - + heim_release(pl); } @@ -619,11 +619,11 @@ _krb5_plugin_run_f(krb5_context context, s.userctx = userctx; heim_dict_iterate_f(dict, search_modules, &s); - + heim_release(dict); - + HEIMDAL_MUTEX_unlock(&plugin_mutex); - + s.ret = KRB5_PLUGIN_NO_HANDLE; heim_array_iterate_f(s.result, eval_results, &s); diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c index 42169fc2f9..a10d2d0798 100644 --- a/source4/heimdal/lib/krb5/principal.c +++ b/source4/heimdal/lib/krb5/principal.c @@ -140,7 +140,7 @@ krb5_principal_get_realm(krb5_context context, krb5_const_principal principal) { return princ_realm(principal); -} +} KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_principal_get_comp_string(krb5_context context, @@ -426,7 +426,7 @@ unparse_name_fixed(krb5_context context, int flags) { size_t idx = 0; - int i; + size_t i; int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0; int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0; int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0; @@ -549,7 +549,7 @@ unparse_name(krb5_context context, int flags) { size_t len = 0, plen; - int i; + size_t i; krb5_error_code ret; /* count length */ if (princ_realm(principal)) { @@ -917,7 +917,7 @@ krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { - int i; + size_t i; if(princ_num_comp(princ1) != princ_num_comp(princ2)) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -932,7 +932,7 @@ _krb5_principal_compare_PrincipalName(krb5_context context, krb5_const_principal princ1, PrincipalName *princ2) { - int i; + size_t i; if (princ_num_comp(princ1) != princ2->name_string.len) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -1001,7 +1001,7 @@ krb5_principal_match(krb5_context context, krb5_const_principal princ, krb5_const_principal pattern) { - int i; + size_t i; if(princ_num_comp(princ) != princ_num_comp(pattern)) return FALSE; if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0) @@ -1028,7 +1028,7 @@ krb5_principal_match(krb5_context context, * * @ingroup krb5_principal */ - + KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_sname_to_principal (krb5_context context, const char *hostname, @@ -1039,7 +1039,7 @@ krb5_sname_to_principal (krb5_context context, krb5_error_code ret; char localhost[MAXHOSTNAMELEN]; char **realms, *host = NULL; - + if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) { krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE, N_("unsupported name type %d", ""), @@ -1053,7 +1053,7 @@ krb5_sname_to_principal (krb5_context context, krb5_set_error_message(context, ret, N_("Failed to get local hostname", "")); return ret; - } + } localhost[sizeof(localhost) - 1] = '\0'; hostname = localhost; } @@ -1096,7 +1096,7 @@ static const struct { { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID }, { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL }, { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID }, - { NULL } + { NULL, 0 } }; /** diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 094f748b9f..c08547112b 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -65,9 +65,10 @@ krb5_rd_cred(krb5_context context, EncKrbCredPart enc_krb_cred_part; krb5_data enc_krb_cred_part_data; krb5_crypto crypto; - int i; + size_t i; memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); + krb5_data_zero(&enc_krb_cred_part_data); if ((auth_context->flags & (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && @@ -118,7 +119,7 @@ krb5_rd_cred(krb5_context context, KRB5_KU_KRB_CRED, &cred.enc_part, &enc_krb_cred_part_data); - + krb5_crypto_destroy(context, crypto); } @@ -134,13 +135,13 @@ krb5_rd_cred(krb5_context context, if (ret) goto out; - + ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_KRB_CRED, &cred.enc_part, &enc_krb_cred_part_data); - + krb5_crypto_destroy(context, crypto); } if (ret) @@ -195,7 +196,7 @@ krb5_rd_cred(krb5_context context, auth_context->local_port); if (ret) goto out; - + ret = compare_addrs(context, a, enc_krb_cred_part.r_address, N_("receiver address is wrong " "in received creds", "")); @@ -299,9 +300,9 @@ krb5_rd_cred(krb5_context context, krb5_copy_addresses (context, kci->caddr, &creds->addresses); - + (*ret_creds)[i] = creds; - + } (*ret_creds)[i] = NULL; diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c index f8963a53b2..391d81c191 100644 --- a/source4/heimdal/lib/krb5/rd_rep.c +++ b/source4/heimdal/lib/krb5/rd_rep.c @@ -65,7 +65,7 @@ krb5_rd_rep(krb5_context context, if (ret) goto out; ret = krb5_decrypt_EncryptedData (context, - crypto, + crypto, KRB5_KU_AP_REQ_ENC_PART, &ap_rep.enc_part, &data); diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 25aa8674c7..21daeb596b 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -59,7 +59,7 @@ decrypt_tkt_enc_part (krb5_context context, ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encrypted " "ticket part", "")); krb5_data_free (&plain); @@ -135,9 +135,9 @@ static krb5_error_code check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) { char **realms; - unsigned int num_realms; + unsigned int num_realms, n; krb5_error_code ret; - + /* * Windows 2000 and 2003 uses this inside their TGT so it's normaly * not seen by others, however, samba4 joined with a Windows AD as @@ -161,6 +161,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) ret = krb5_check_transited(context, enc->crealm, ticket->realm, realms, num_realms, NULL); + for (n = 0; n < num_realms; n++) + free(realms[n]); free(realms); return ret; } @@ -175,7 +177,7 @@ find_etypelist(krb5_context context, krb5_authdata adIfRelevant; unsigned i; - adIfRelevant.len = 0; + memset(&adIfRelevant, 0, sizeof(adIfRelevant)); etypes->len = 0; etypes->val = NULL; @@ -250,7 +252,7 @@ krb5_decrypt_ticket(krb5_context context, krb5_clear_error_message (context); return KRB5KRB_AP_ERR_TKT_EXPIRED; } - + if(!t.flags.transited_policy_checked) { ret = check_transited(context, ticket, &t); if(ret) { @@ -402,7 +404,7 @@ krb5_verify_ap_req2(krb5_context context, { krb5_principal p1, p2; krb5_boolean res; - + _krb5_principalname2krb5_principal(context, &p1, ac->authenticator->cname, @@ -466,7 +468,7 @@ krb5_verify_ap_req2(krb5_context context, ac->keytype = ETYPE_NULL; if (etypes.val) { - int i; + size_t i; for (i = 0; i < etypes.len; i++) { if (krb5_enctype_valid(context, etypes.val[i]) == 0) { @@ -508,7 +510,7 @@ krb5_verify_ap_req2(krb5_context context, krb5_auth_con_free (context, ac); return ret; } - + /* * */ @@ -949,7 +951,7 @@ krb5_rd_req_ctx(krb5_context context, &o->ap_req_options, &o->ticket, KRB5_KU_AP_REQ_AUTH); - + if (ret) goto out; @@ -972,7 +974,7 @@ krb5_rd_req_ctx(krb5_context context, goto out; done = 0; - while (!done) { + while (!done) { krb5_principal p; ret = krb5_kt_next_entry(context, id, &entry, &cursor); @@ -1007,14 +1009,14 @@ krb5_rd_req_ctx(krb5_context context, * and update the service principal in the ticket to match * whatever is in the keytab. */ - - ret = krb5_copy_keyblock(context, + + ret = krb5_copy_keyblock(context, &entry.keyblock, &o->keyblock); if (ret) { krb5_kt_free_entry (context, &entry); goto out; - } + } ret = krb5_copy_principal(context, entry.principal, &p); if (ret) { @@ -1023,7 +1025,7 @@ krb5_rd_req_ctx(krb5_context context, } krb5_free_principal(context, o->ticket->server); o->ticket->server = p; - + krb5_kt_free_entry (context, &entry); done = 1; @@ -1045,7 +1047,7 @@ krb5_rd_req_ctx(krb5_context context, krb5_data_free(&data); if (ret) goto out; - + ret = krb5_pac_verify(context, pac, o->ticket->ticket.authtime, diff --git a/source4/heimdal/lib/krb5/replay.c b/source4/heimdal/lib/krb5/replay.c index 375a4aaba6..965dd44437 100644 --- a/source4/heimdal/lib/krb5/replay.c +++ b/source4/heimdal/lib/krb5/replay.c @@ -282,14 +282,14 @@ krb5_rc_get_name(krb5_context context, { return id->name; } - + KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_rc_get_type(krb5_context context, krb5_rcache id) { return "FILE"; } - + KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_server_rcache(krb5_context context, const krb5_data *piece, diff --git a/source4/heimdal/lib/krb5/salt-arcfour.c b/source4/heimdal/lib/krb5/salt-arcfour.c index b222b47e16..ab5e51270c 100644 --- a/source4/heimdal/lib/krb5/salt-arcfour.c +++ b/source4/heimdal/lib/krb5/salt-arcfour.c @@ -43,7 +43,7 @@ ARCFOUR_string_to_key(krb5_context context, { krb5_error_code ret; uint16_t *s = NULL; - size_t len, i; + size_t len = 0, i; EVP_MD_CTX *m; m = EVP_MD_CTX_create(); diff --git a/source4/heimdal/lib/krb5/salt-des.c b/source4/heimdal/lib/krb5/salt-des.c index 6939b6b50b..56b285f72e 100644 --- a/source4/heimdal/lib/krb5/salt-des.c +++ b/source4/heimdal/lib/krb5/salt-des.c @@ -52,7 +52,7 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ - int i; + size_t i; for(i = 0; i < 8; i++) { char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ @@ -89,7 +89,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, memcpy(password, pw.data, min(pw.length, sizeof(password))); if(pw.length < sizeof(password)) { int len = min(cell.length, sizeof(password) - pw.length); - int i; + size_t i; memcpy(password + pw.length, cell.data, len); for (i = pw.length; i < pw.length + len; ++i) @@ -138,7 +138,7 @@ static void DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) { DES_key_schedule schedule; - int i; + size_t i; int reverse = 0; unsigned char *p; diff --git a/source4/heimdal/lib/krb5/salt.c b/source4/heimdal/lib/krb5/salt.c index 6f18308743..5e4c8a1c85 100644 --- a/source4/heimdal/lib/krb5/salt.c +++ b/source4/heimdal/lib/krb5/salt.c @@ -33,6 +33,7 @@ #include "krb5_locl.h" +/* coverity[+alloc : arg-*3] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_salttype_to_string (krb5_context context, krb5_enctype etype, @@ -98,7 +99,7 @@ krb5_get_pw_salt(krb5_context context, krb5_salt *salt) { size_t len; - int i; + size_t i; krb5_error_code ret; char *p; diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c index 2ae8153c8d..edf1d33c9d 100644 --- a/source4/heimdal/lib/krb5/send_to_kdc.c +++ b/source4/heimdal/lib/krb5/send_to_kdc.c @@ -88,7 +88,7 @@ recv_loop (krb5_socket_t fd, return 0; if (limit) - nbytes = min(nbytes, limit - rep->length); + nbytes = min((size_t)nbytes, limit - rep->length); tmp = realloc (rep->data, rep->length + nbytes); if (tmp == NULL) { @@ -268,7 +268,7 @@ send_via_proxy (krb5_context context, int ret; krb5_socket_t s = rk_INVALID_SOCKET; char portstr[NI_MAXSERV]; - + if (proxy == NULL) return ENOMEM; if (strncmp (proxy, "http://", 7) == 0) @@ -339,7 +339,7 @@ send_via_plugin(krb5_context context, service = _krb5_plugin_get_symbol(e); if (service->minor_version != 0) continue; - + (*service->init)(context, &ctx); ret = (*service->send_to_kdc)(context, ctx, hi, timeout, send_data, receive); @@ -366,12 +366,12 @@ send_via_plugin(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_sendto (krb5_context context, const krb5_data *send_data, - krb5_krbhst_handle handle, + krb5_krbhst_handle handle, krb5_data *receive) { krb5_error_code ret; krb5_socket_t fd; - int i; + size_t i; krb5_data_zero(receive); @@ -511,7 +511,7 @@ _krb5_copy_send_to_kdc_func(krb5_context context, krb5_context to) { if (context->send_to_kdc) return krb5_set_send_to_kdc_func(to, - context->send_to_kdc->func, + context->send_to_kdc->func, context->send_to_kdc->data); else return krb5_set_send_to_kdc_func(to, NULL, NULL); @@ -602,7 +602,7 @@ krb5_sendto_context(krb5_context context, type = KRB5_KRBHST_KDC; } - if (send_data->length > context->large_msg_size) + if ((int)send_data->length > context->large_msg_size) ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG; /* loop until we get back a appropriate response */ diff --git a/source4/heimdal/lib/krb5/store-int.c b/source4/heimdal/lib/krb5/store-int.c index 0a18d0dddf..d577629718 100644 --- a/source4/heimdal/lib/krb5/store-int.c +++ b/source4/heimdal/lib/krb5/store-int.c @@ -50,7 +50,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size) { unsigned char *p = buffer; unsigned long v = 0; - int i; + size_t i; for (i = 0; i < size; i++) v = (v << 8) + p[i]; *value = v; diff --git a/source4/heimdal/lib/krb5/store-int.h b/source4/heimdal/lib/krb5/store-int.h index 0b7accb860..877ccc008d 100644 --- a/source4/heimdal/lib/krb5/store-int.h +++ b/source4/heimdal/lib/krb5/store-int.h @@ -43,6 +43,7 @@ struct krb5_storage_data { void (*free)(struct krb5_storage_data*); krb5_flags flags; int eof_code; + size_t max_alloc; }; #endif /* __store_int_h__ */ diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c index 0dedba3d72..3aeb8d6281 100644 --- a/source4/heimdal/lib/krb5/store.c +++ b/source4/heimdal/lib/krb5/store.c @@ -120,6 +120,41 @@ krb5_storage_get_byteorder(krb5_storage *sp) } /** + * Set the max alloc value + * + * @param sp the storage buffer set the max allow for + * @param size maximum size to allocate, use 0 to remove limit + * + * @ingroup krb5_storage + */ + +KRB5_LIB_FUNCTION void KRB5_LIB_CALL +krb5_storage_set_max_alloc(krb5_storage *sp, size_t size) +{ + sp->max_alloc = size; +} + +/* don't allocate unresonable amount of memory */ +static krb5_error_code +size_too_large(krb5_storage *sp, size_t size) +{ + if (sp->max_alloc && sp->max_alloc < size) + return HEIM_ERR_TOO_BIG; + return 0; +} + +static krb5_error_code +size_too_large_num(krb5_storage *sp, size_t count, size_t size) +{ + if (sp->max_alloc == 0 || size == 0) + return 0; + size = sp->max_alloc / size; + if (size < count) + return HEIM_ERR_TOO_BIG; + return 0; +} + +/** * Seek to a new offset. * * @param sp the storage buffer to seek in. @@ -262,10 +297,11 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data) pos = sp->seek(sp, 0, SEEK_CUR); if (pos < 0) return HEIM_ERR_NOT_SEEKABLE; - size = (size_t)sp->seek(sp, 0, SEEK_END); - if (size > (size_t)-1) - return HEIM_ERR_TOO_BIG; - ret = krb5_data_alloc (data, size); + size = sp->seek(sp, 0, SEEK_END); + ret = size_too_large(sp, size); + if (ret) + return ret; + ret = krb5_data_alloc(data, size); if (ret) { sp->seek(sp, pos, SEEK_SET); return ret; @@ -290,8 +326,10 @@ krb5_store_int(krb5_storage *sp, return EINVAL; _krb5_put_int(v, value, len); ret = sp->store(sp, v, len); - if (ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; return 0; } @@ -346,8 +384,10 @@ krb5_ret_int(krb5_storage *sp, unsigned char v[4]; unsigned long w; ret = sp->fetch(sp, v, len); - if(ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; _krb5_get_int(v, &w, len); *value = w; return 0; @@ -612,11 +652,10 @@ krb5_store_data(krb5_storage *sp, if(ret < 0) return ret; ret = sp->store(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; + if(ret < 0) + return errno; + if((size_t)ret != data.length) return sp->eof_code; - } return 0; } @@ -641,6 +680,9 @@ krb5_ret_data(krb5_storage *sp, ret = krb5_ret_int32(sp, &size); if(ret) return ret; + ret = size_too_large(sp, size); + if (ret) + return ret; ret = krb5_data_alloc (data, size); if (ret) return ret; @@ -722,12 +764,10 @@ krb5_store_stringz(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; return 0; } @@ -755,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp, char *tmp; len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -782,12 +825,10 @@ krb5_store_stringnl(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; ret = sp->store(sp, "\n", 1); if(ret != 1) { if(ret < 0) @@ -823,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp, } len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -860,7 +904,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_principal(krb5_storage *sp, krb5_const_principal p) { - int i; + size_t i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { @@ -923,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp, free(p); return EINVAL; } + ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0])); + if (ret) { + free(p); + return ret; + } p->name.name_type = type; p->name.name_string.len = ncomp; ret = krb5_ret_string(sp, &p->realm); @@ -930,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp, free(p); return ret; } - p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val)); + p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0])); if(p->name.name_string.val == NULL && ncomp != 0){ free(p->realm); free(p); @@ -1122,7 +1171,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_addrs(krb5_storage *sp, krb5_addresses p) { - int i; + size_t i; int ret; ret = krb5_store_int32(sp, p.len); if(ret) return ret; @@ -1147,12 +1196,14 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) { - int i; + size_t i; int ret; int32_t tmp; ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(adr->val[0])); + if (ret) return ret; adr->len = tmp; ALLOC(adr->val, adr->len); if (adr->val == NULL && adr->len != 0) @@ -1179,7 +1230,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) { krb5_error_code ret; - int i; + size_t i; ret = krb5_store_int32(sp, auth.len); if(ret) return ret; for(i = 0; i < auth.len; i++){ @@ -1211,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) int i; ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(auth->val[0])); + if (ret) return ret; ALLOC_SEQ(auth, tmp); if (auth->val == NULL && tmp != 0) return ENOMEM; @@ -1345,7 +1398,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) ret = krb5_ret_data (sp, &creds->second_ticket); cleanup: if(ret) { -#if 0 +#if 0 krb5_free_cred_contents(context, creds); /* XXX */ #endif } @@ -1530,7 +1583,7 @@ krb5_ret_creds_tag(krb5_storage *sp, cleanup: if(ret) { -#if 0 +#if 0 krb5_free_cred_contents(context, creds); /* XXX */ #endif } diff --git a/source4/heimdal/lib/krb5/store_emem.c b/source4/heimdal/lib/krb5/store_emem.c index ccda751afb..7f91b08486 100644 --- a/source4/heimdal/lib/krb5/store_emem.c +++ b/source4/heimdal/lib/krb5/store_emem.c @@ -45,7 +45,7 @@ static ssize_t emem_fetch(krb5_storage *sp, void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(s->base + s->len - s->ptr < size) + if((size_t)(s->base + s->len - s->ptr) < size) size = s->base + s->len - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); @@ -56,7 +56,7 @@ static ssize_t emem_store(krb5_storage *sp, const void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(size > s->base + s->size - s->ptr){ + if(size > (size_t)(s->base + s->size - s->ptr)){ void *base; size_t sz, off; off = s->ptr - s->base; @@ -81,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence) emem_storage *s = (emem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; s->ptr = s->base + offset; - if(offset > s->len) + if((size_t)offset > s->len) s->len = offset; break; case SEEK_CUR: @@ -115,14 +115,14 @@ emem_trunc(krb5_storage *sp, off_t offset) s->size = 0; s->base = NULL; s->ptr = NULL; - } else if (offset > s->size || (s->size / 2) > offset) { + } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) { void *base; size_t off; off = s->ptr - s->base; base = realloc(s->base, offset); if(base == NULL) return ENOMEM; - if (offset > s->size) + if ((size_t)offset > s->size) memset((char *)base + s->size, 0, offset - s->size); s->size = offset; s->base = base; @@ -190,5 +190,6 @@ krb5_storage_emem(void) sp->seek = emem_seek; sp->trunc = emem_trunc; sp->free = emem_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/store_fd.c b/source4/heimdal/lib/krb5/store_fd.c index bd357dbe3b..2b72dea3a3 100644 --- a/source4/heimdal/lib/krb5/store_fd.c +++ b/source4/heimdal/lib/krb5/store_fd.c @@ -73,7 +73,7 @@ fd_free(krb5_storage * sp) } /** - * + * * * @return A krb5_storage on success, or NULL on out of memory error. * @@ -128,5 +128,6 @@ krb5_storage_from_fd(krb5_socket_t fd_in) sp->seek = fd_seek; sp->trunc = fd_trunc; sp->free = fd_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c index b79bc19155..e674a95dba 100644 --- a/source4/heimdal/lib/krb5/store_mem.c +++ b/source4/heimdal/lib/krb5/store_mem.c @@ -44,7 +44,7 @@ static ssize_t mem_fetch(krb5_storage *sp, void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); @@ -55,7 +55,7 @@ static ssize_t mem_store(krb5_storage *sp, const void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(s->ptr, data, size); sp->seek(sp, size, SEEK_CUR); @@ -74,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence) mem_storage *s = (mem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; @@ -95,7 +95,7 @@ static int mem_trunc(krb5_storage *sp, off_t offset) { mem_storage *s = (mem_storage*)sp->data; - if(offset > s->size) + if((size_t)offset > s->size) return ERANGE; s->size = offset; if ((s->ptr - s->base) > offset) @@ -145,6 +145,7 @@ krb5_storage_from_mem(void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } @@ -203,5 +204,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_no_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index d816242f09..09bff30fe9 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -195,7 +195,7 @@ find_type_in_ad(krb5_context context, int level) { krb5_error_code ret = 0; - int i; + size_t i; if (level > 9) { ret = ENOENT; /* XXX */ @@ -639,7 +639,7 @@ decrypt_tkt (krb5_context context, &size); krb5_data_free (&data); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encpart in ticket", "")); return ret; } @@ -661,7 +661,7 @@ _krb5_extract_ticket(krb5_context context, { krb5_error_code ret; krb5_principal tmp_principal; - size_t len; + size_t len = 0; time_t tmp_time; krb5_timestamp sec_now; @@ -757,7 +757,7 @@ _krb5_extract_ticket(krb5_context context, /* compare nonces */ - if (nonce != rep->enc_part.nonce) { + if (nonce != (unsigned)rep->enc_part.nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; @@ -837,7 +837,7 @@ _krb5_extract_ticket(krb5_context context, creds->addresses.val = NULL; } creds->flags.b = rep->enc_part.flags; - + creds->authdata.len = 0; creds->authdata.val = NULL; diff --git a/source4/heimdal/lib/krb5/transited.c b/source4/heimdal/lib/krb5/transited.c index a72adc0351..5e21987bca 100644 --- a/source4/heimdal/lib/krb5/transited.c +++ b/source4/heimdal/lib/krb5/transited.c @@ -55,7 +55,7 @@ free_realms(struct tr_realm *r) r = r->next; free(p->realm); free(p); - } + } } static int @@ -71,7 +71,7 @@ make_path(krb5_context context, struct tr_realm *r, from = to; to = str; } - + if(strcmp(from + strlen(from) - strlen(to), to) == 0){ p = from; while(1){ @@ -84,20 +84,15 @@ make_path(krb5_context context, struct tr_realm *r, if(strcmp(p, to) == 0) break; tmp = calloc(1, sizeof(*tmp)); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); tmp->next = r->next; r->next = tmp; tmp->realm = strdup(p); if(tmp->realm == NULL){ r->next = tmp->next; free(tmp); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM;; + return krb5_enomem(context); } } }else if(strncmp(from, to, strlen(to)) == 0){ @@ -110,20 +105,15 @@ make_path(krb5_context context, struct tr_realm *r, if(strncmp(to, from, p - from) == 0) break; tmp = calloc(1, sizeof(*tmp)); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); tmp->next = r->next; r->next = tmp; tmp->realm = malloc(p - from + 1); if(tmp->realm == NULL){ r->next = tmp->next; free(tmp); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } memcpy(tmp->realm, from, p - from); tmp->realm[p - from] = '\0'; @@ -187,9 +177,7 @@ expand_realms(krb5_context context, tmp = realloc(r->realm, len); if(tmp == NULL){ free_realms(realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } r->realm = tmp; strlcat(r->realm, prev_realm, len); @@ -202,9 +190,7 @@ expand_realms(krb5_context context, tmp = malloc(len); if(tmp == NULL){ free_realms(realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } strlcpy(tmp, prev_realm, len); strlcat(tmp, r->realm, len); @@ -288,19 +274,14 @@ decode_realms(krb5_context context, } if(tr[i] == ','){ tmp = malloc(tr + i - start + 1); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); if(r == NULL){ free_realms(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } *realms = append_realm(*realms, r); start = tr + i + 1; @@ -309,18 +290,14 @@ decode_realms(krb5_context context, tmp = malloc(tr + i - start + 1); if(tmp == NULL){ free(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); if(r == NULL){ free_realms(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } *realms = append_realm(*realms, r); @@ -370,14 +347,14 @@ krb5_domain_x500_decode(krb5_context context, (*num_realms)++; } } - if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms)) + if (*num_realms + 1 > UINT_MAX/sizeof(**realms)) return ERANGE; { char **R; R = malloc((*num_realms + 1) * sizeof(*R)); if (R == NULL) - return ENOMEM; + return krb5_enomem(context); *realms = R; while(r){ *R++ = r->realm; @@ -410,7 +387,7 @@ krb5_domain_x500_encode(char **realms, unsigned int num_realms, return ENOMEM; *s = '\0'; for(i = 0; i < num_realms; i++){ - if(i && i < num_realms - 1) + if(i) strlcat(s, ",", len + 1); if(realms[i][0] == '/') strlcat(s, " ", len + 1); @@ -431,7 +408,7 @@ krb5_check_transited(krb5_context context, { char **tr_realms; char **p; - int i; + size_t i; if(num_realms == 0) return 0; @@ -467,7 +444,7 @@ krb5_check_transited_realms(krb5_context context, unsigned int num_realms, int *bad_realm) { - int i; + size_t i; int ret = 0; char **bad_realms = krb5_config_get_strings(context, NULL, "libdefaults", diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map index c32a094f6d..fad84ebb5b 100644 --- a/source4/heimdal/lib/krb5/version-script.map +++ b/source4/heimdal/lib/krb5/version-script.map @@ -167,6 +167,7 @@ HEIMDAL_KRB5_2.0 { krb5_copy_checksum; krb5_copy_creds; krb5_copy_creds_contents; + krb5_copy_context; krb5_copy_data; krb5_copy_host_realm; krb5_copy_keyblock; @@ -383,10 +384,11 @@ HEIMDAL_KRB5_2.0 { krb5_hmac; krb5_init_context; krb5_init_ets; - krb5_init_etype; krb5_initlog; krb5_is_config_principal; krb5_is_thread_safe; + krb5_kcm_call; + krb5_kcm_storage_request; krb5_kerberos_enctypes; krb5_keyblock_get_enctype; krb5_keyblock_init; @@ -418,6 +420,7 @@ HEIMDAL_KRB5_2.0 { krb5_kt_get_full_name; krb5_kt_get_name; krb5_kt_get_type; + krb5_kt_have_content; krb5_kt_next_entry; krb5_kt_read_service_key; krb5_kt_register; @@ -602,6 +605,7 @@ HEIMDAL_KRB5_2.0 { krb5_storage_set_byteorder; krb5_storage_set_eof_code; krb5_storage_set_flags; + krb5_storage_set_max_alloc; krb5_storage_to_data; krb5_storage_truncate; krb5_storage_write; diff --git a/source4/heimdal/lib/krb5/warn.c b/source4/heimdal/lib/krb5/warn.c index f7581d1f90..cb3be76fcc 100644 --- a/source4/heimdal/lib/krb5/warn.c +++ b/source4/heimdal/lib/krb5/warn.c @@ -37,7 +37,7 @@ static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) __attribute__((__format__(__printf__, 5, 0))); - + static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) @@ -69,7 +69,7 @@ _warnerr(krb5_context context, int do_errtext, *arg= "<unknown error>"; } } - + if(context && context->warn_dest) krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]); else |