summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/krb5
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/cache.c44
-rw-r--r--source4/heimdal/lib/krb5/config_file.c357
-rw-r--r--source4/heimdal/lib/krb5/context.c85
-rw-r--r--source4/heimdal/lib/krb5/creds.c12
-rw-r--r--source4/heimdal/lib/krb5/crypto.c424
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c64
-rw-r--r--source4/heimdal/lib/krb5/keyblock.c6
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h3
-rw-r--r--source4/heimdal/lib/krb5/krbhst.c104
-rw-r--r--source4/heimdal/lib/krb5/log.c16
-rw-r--r--source4/heimdal/lib/krb5/pkinit.c29
-rw-r--r--source4/heimdal/lib/krb5/principal.c78
-rw-r--r--source4/heimdal/lib/krb5/replay.c19
-rw-r--r--source4/heimdal/lib/krb5/send_to_kdc.c7
-rw-r--r--source4/heimdal/lib/krb5/store.c265
-rw-r--r--source4/heimdal/lib/krb5/store_mem.c6
-rw-r--r--source4/heimdal/lib/krb5/ticket.c77
-rw-r--r--source4/heimdal/lib/krb5/warn.c2
18 files changed, 1309 insertions, 289 deletions
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 12097470d5..3617a0eefd 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -119,8 +119,8 @@ krb5_cc_register(krb5_context context,
{
int i;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
if(!override) {
krb5_set_error_message(context,
KRB5_CC_TYPE_EXISTS,
@@ -132,20 +132,19 @@ krb5_cc_register(krb5_context context,
}
}
if(i == context->num_cc_ops) {
- krb5_cc_ops *o = realloc(context->cc_ops,
- (context->num_cc_ops + 1) *
- sizeof(*context->cc_ops));
+ const krb5_cc_ops **o = realloc(context->cc_ops,
+ (context->num_cc_ops + 1) *
+ sizeof(context->cc_ops[0]));
if(o == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
- context->num_cc_ops++;
context->cc_ops = o;
- memset(context->cc_ops + i, 0,
- (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+ context->cc_ops[context->num_cc_ops] = NULL;
+ context->num_cc_ops++;
}
- memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+ context->cc_ops[i] = ops;
return 0;
}
@@ -219,12 +218,12 @@ krb5_cc_resolve(krb5_context context,
*id = NULL;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- size_t prefix_len = strlen(context->cc_ops[i].prefix);
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ size_t prefix_len = strlen(context->cc_ops[i]->prefix);
- if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+ if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
&& name[prefix_len] == ':') {
- return allocate_ccache (context, &context->cc_ops[i],
+ return allocate_ccache (context, context->cc_ops[i],
name + prefix_len + 1,
id);
}
@@ -673,6 +672,13 @@ krb5_cc_store_cred(krb5_context context,
* from `id' in `creds'. 'creds' must be free by the caller using
* krb5_free_cred_contents.
*
+ * @param context A Kerberos 5 context
+ * @param id a Kerberos 5 credential cache
+ * @param whichfields what fields to use for matching credentials, same
+ * flags as whichfields in krb5_compare_creds()
+ * @param mcreds template credential to use for comparing
+ * @param creds returned credential, free with krb5_free_cred_contents()
+ *
* @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
@@ -970,10 +976,10 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
if (p1)
*p1 = '\0';
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, p) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
free(p);
- return &context->cc_ops[i];
+ return context->cc_ops[i];
}
}
free(p);
@@ -1046,6 +1052,10 @@ krb5_cc_cache_get_first (krb5_context context,
* Retrieve the next cache pointed to by (`cursor') in `id'
* and advance `cursor'.
*
+ * @param context A Kerberos 5 context
+ * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
+ * @param id next ccache
+ *
* @return Return 0 or an error code. Returns KRB5_CC_END when the end
* of caches is reached, see krb5_get_error_message().
*
@@ -1398,7 +1408,7 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
if (cursor->cursor == NULL) {
ret = krb5_cc_cache_get_first (context,
- context->cc_ops[cursor->idx].prefix,
+ context->cc_ops[cursor->idx]->prefix,
&cursor->cursor);
if (ret) {
cursor->idx++;
diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c
index ee226c78a2..03c0e335d4 100644
--- a/source4/heimdal/lib/krb5/config_file.c
+++ b/source4/heimdal/lib/krb5/config_file.c
@@ -31,6 +31,8 @@
* SUCH DAMAGE.
*/
+#define KRB5_DEPRECATED
+
#include "krb5_locl.h"
/* Gaah! I want a portable funopen */
@@ -278,27 +280,6 @@ krb5_config_parse_debug (struct fileptr *f,
return 0;
}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_config_parse_string_multi(krb5_context context,
- const char *string,
- krb5_config_section **res)
-{
- const char *str;
- unsigned lineno = 0;
- krb5_error_code ret;
- struct fileptr f;
- f.f = NULL;
- f.s = string;
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- if (ret) {
- krb5_set_error_message (context, ret, "%s:%u: %s",
- "<constant>", lineno, str);
- return ret;
- }
- return 0;
-}
-
/**
* Parse a configuration file and add the result into res. This
* interface can be used to parse several configuration files into one
@@ -403,6 +384,19 @@ free_binding (krb5_context context, krb5_config_binding *b)
}
}
+/**
+ * Free configuration file section, the result of
+ * krb5_config_parse_file() and krb5_config_parse_file_multi().
+ *
+ * @param context A Kerberos 5 context
+ * @param s the configuration section to free
+ *
+ * @return returns 0 on successes, otherwise an error code, see
+ * krb5_get_error_message()
+ *
+ * @ingroup krb5_support
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_config_file_free (krb5_context context, krb5_config_section *s)
{
@@ -410,6 +404,8 @@ krb5_config_file_free (krb5_context context, krb5_config_section *s)
return 0;
}
+#ifndef HEIMDAL_SMALLER
+
krb5_error_code
_krb5_config_copy(krb5_context context,
krb5_config_section *c,
@@ -444,20 +440,20 @@ _krb5_config_copy(krb5_context context,
return 0;
}
-
+#endif /* HEIMDAL_SMALLER */
const void *
-krb5_config_get_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- ...)
+_krb5_config_get_next (krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ ...)
{
const char *ret;
va_list args;
va_start(args, type);
- ret = krb5_config_vget_next (context, c, pointer, type, args);
+ ret = _krb5_config_vget_next (context, c, pointer, type, args);
va_end(args);
return ret;
}
@@ -486,11 +482,11 @@ vget_next(krb5_context context,
}
const void *
-krb5_config_vget_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- va_list args)
+_krb5_config_vget_next (krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ va_list args)
{
const krb5_config_binding *b;
const char *p;
@@ -522,31 +518,43 @@ krb5_config_vget_next (krb5_context context,
}
const void *
-krb5_config_get (krb5_context context,
- const krb5_config_section *c,
- int type,
- ...)
+_krb5_config_get (krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ ...)
{
const void *ret;
va_list args;
va_start(args, type);
- ret = krb5_config_vget (context, c, type, args);
+ ret = _krb5_config_vget (context, c, type, args);
va_end(args);
return ret;
}
const void *
-krb5_config_vget (krb5_context context,
- const krb5_config_section *c,
- int type,
- va_list args)
+_krb5_config_vget (krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ va_list args)
{
const krb5_config_binding *foo = NULL;
- return krb5_config_vget_next (context, c, &foo, type, args);
+ return _krb5_config_vget_next (context, c, &foo, type, args);
}
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+
const krb5_config_binding *
krb5_config_get_list (krb5_context context,
const krb5_config_section *c,
@@ -561,14 +569,41 @@ krb5_config_get_list (krb5_context context,
return ret;
}
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+
const krb5_config_binding *
krb5_config_vget_list (krb5_context context,
const krb5_config_section *c,
va_list args)
{
- return krb5_config_vget (context, c, krb5_config_list, args);
+ return _krb5_config_vget (context, c, krb5_config_list, args);
}
+/**
+ * Returns a "const char *" to a string in the configuration database.
+ * The string may not be valid after a reload of the configuration
+ * database so a caller should make a local copy if it needs to keep
+ * the string.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+
const char* KRB5_LIB_FUNCTION
krb5_config_get_string (krb5_context context,
const krb5_config_section *c,
@@ -583,14 +618,41 @@ krb5_config_get_string (krb5_context context,
return ret;
}
+/**
+ * Like krb5_config_get_string(), but uses a va_list instead of ...
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+
const char* KRB5_LIB_FUNCTION
krb5_config_vget_string (krb5_context context,
const krb5_config_section *c,
va_list args)
{
- return krb5_config_vget (context, c, krb5_config_string, args);
+ return _krb5_config_vget (context, c, krb5_config_string, args);
}
+/**
+ * Like krb5_config_vget_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+
const char* KRB5_LIB_FUNCTION
krb5_config_vget_string_default (krb5_context context,
const krb5_config_section *c,
@@ -605,6 +667,21 @@ krb5_config_vget_string_default (krb5_context context,
return ret;
}
+/**
+ * Like krb5_config_get_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+
const char* KRB5_LIB_FUNCTION
krb5_config_get_string_default (krb5_context context,
const krb5_config_section *c,
@@ -620,6 +697,19 @@ krb5_config_get_string_default (krb5_context context,
return ret;
}
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
char ** KRB5_LIB_FUNCTION
krb5_config_vget_strings(krb5_context context,
const krb5_config_section *c,
@@ -630,8 +720,8 @@ krb5_config_vget_strings(krb5_context context,
const krb5_config_binding *b = NULL;
const char *p;
- while((p = krb5_config_vget_next(context, c, &b,
- krb5_config_string, args))) {
+ while((p = _krb5_config_vget_next(context, c, &b,
+ krb5_config_string, args))) {
char *tmp = strdup(p);
char *pos = NULL;
char *s;
@@ -667,6 +757,19 @@ cleanup:
}
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
char**
krb5_config_get_strings(krb5_context context,
const krb5_config_section *c,
@@ -680,6 +783,15 @@ krb5_config_get_strings(krb5_context context,
return ret;
}
+/**
+ * Free the resulting strings from krb5_config-get_strings() and
+ * krb5_config_vget_strings().
+ *
+ * @param strings strings to free
+ *
+ * @ingroup krb5_support
+ */
+
void KRB5_LIB_FUNCTION
krb5_config_free_strings(char **strings)
{
@@ -691,6 +803,24 @@ krb5_config_free_strings(char **strings)
free(strings);
}
+/**
+ * Like krb5_config_get_bool_default() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
krb5_boolean KRB5_LIB_FUNCTION
krb5_config_vget_bool_default (krb5_context context,
const krb5_config_section *c,
@@ -707,6 +837,20 @@ krb5_config_vget_bool_default (krb5_context context,
return FALSE;
}
+/**
+ * krb5_config_get_bool() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
krb5_boolean KRB5_LIB_FUNCTION
krb5_config_vget_bool (krb5_context context,
const krb5_config_section *c,
@@ -715,6 +859,22 @@ krb5_config_vget_bool (krb5_context context,
return krb5_config_vget_bool_default (context, c, FALSE, args);
}
+/**
+ * krb5_config_get_bool_default() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
krb5_boolean KRB5_LIB_FUNCTION
krb5_config_get_bool_default (krb5_context context,
const krb5_config_section *c,
@@ -729,6 +889,22 @@ krb5_config_get_bool_default (krb5_context context,
return ret;
}
+/**
+ * Like krb5_config_get_bool() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+
krb5_boolean KRB5_LIB_FUNCTION
krb5_config_get_bool (krb5_context context,
const krb5_config_section *c,
@@ -742,6 +918,23 @@ krb5_config_get_bool (krb5_context context,
return ret;
}
+/**
+ * Get the time from the configuration file using a relative time.
+ *
+ * Like krb5_config_get_time_default() but with a va_list list of
+ * configuration selection.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+
int KRB5_LIB_FUNCTION
krb5_config_vget_time_default (krb5_context context,
const krb5_config_section *c,
@@ -759,14 +952,40 @@ krb5_config_vget_time_default (krb5_context context,
return t;
}
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+
int KRB5_LIB_FUNCTION
-krb5_config_vget_time (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_time(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
return krb5_config_vget_time_default (context, c, -1, args);
}
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ * found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+
int KRB5_LIB_FUNCTION
krb5_config_get_time_default (krb5_context context,
const krb5_config_section *c,
@@ -781,6 +1000,18 @@ krb5_config_get_time_default (krb5_context context,
return ret;
}
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+
int KRB5_LIB_FUNCTION
krb5_config_get_time (krb5_context context,
const krb5_config_section *c,
@@ -850,3 +1081,29 @@ krb5_config_get_int (krb5_context context,
va_end(ap);
return ret;
}
+
+
+#ifndef HEIMDAL_SMALLER
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_config_parse_string_multi(krb5_context context,
+ const char *string,
+ krb5_config_section **res) KRB5_DEPRECATED
+{
+ const char *str;
+ unsigned lineno = 0;
+ krb5_error_code ret;
+ struct fileptr f;
+ f.f = NULL;
+ f.s = string;
+
+ ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+ if (ret) {
+ krb5_set_error_message (context, ret, "%s:%u: %s",
+ "<constant>", lineno, str);
+ return ret;
+ }
+ return 0;
+}
+
+#endif
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 9ece38e145..8bf8b79022 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -85,32 +85,6 @@ set_etypes (krb5_context context,
}
/*
- *
- */
-
-static krb5_error_code
-copy_etypes (krb5_context context,
- krb5_enctype *enctypes,
- krb5_enctype **ret_enctypes)
-{
- unsigned int i;
-
- for (i = 0; enctypes[i]; i++)
- ;
- i++;
-
- *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
- if (*ret_enctypes == NULL) {
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
- return 0;
-}
-
-
-/*
* read variables from the configuration file and set in `context'
*/
@@ -119,6 +93,7 @@ init_context_from_config_file(krb5_context context)
{
krb5_error_code ret;
const char * tmp;
+ char **s;
krb5_enctype *tmptypes;
INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
@@ -229,6 +204,16 @@ init_context_from_config_file(krb5_context context)
krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
}
+ s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
+ if(s) {
+ char **p;
+ krb5_initlog(context, "libkrb5", &context->debug_dest);
+ for(p = s; *p; p++)
+ krb5_addlog_dest(context, context->debug_dest, *p);
+ krb5_config_free_strings(s);
+ }
+
+
return 0;
}
@@ -328,8 +313,35 @@ out:
return ret;
}
+#ifndef HEIMDAL_SMALLER
+
+/*
+ *
+ */
+
+static krb5_error_code
+copy_etypes (krb5_context context,
+ krb5_enctype *enctypes,
+ krb5_enctype **ret_enctypes)
+{
+ unsigned int i;
+
+ for (i = 0; enctypes[i]; i++)
+ ;
+ i++;
+
+ *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
+ if (*ret_enctypes == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
+ return 0;
+}
+
/**
- * Make a copy for the Kerberos 5 context, allocated krb5_contex shoud
+ * Make a copy for the Kerberos 5 context, the new krb5_context shoud
* be freed with krb5_free_context().
*
* @param context the Kerberos context to copy
@@ -399,6 +411,8 @@ krb5_copy_context(krb5_context context, krb5_context *out)
#if 0 /* XXX */
if(context->warn_dest != NULL)
;
+ if(context->debug_dest != NULL)
+ ;
#endif
ret = krb5_set_extra_addresses(p, context->extra_addresses);
@@ -421,6 +435,8 @@ krb5_copy_context(krb5_context context, krb5_context *out)
return ret;
}
+#endif
+
/**
* Frees the krb5_context allocated by krb5_init_context().
*
@@ -446,6 +462,8 @@ krb5_free_context(krb5_context context)
krb5_clear_error_message(context);
if(context->warn_dest != NULL)
krb5_closelog(context, context->warn_dest);
+ if(context->debug_dest != NULL)
+ krb5_closelog(context, context->debug_dest);
krb5_set_extra_addresses(context, NULL);
krb5_set_ignore_addresses(context, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
@@ -835,21 +853,24 @@ krb5_init_ets(krb5_context context)
{
if(context->et_list == NULL){
krb5_add_et_list(context, initialize_krb5_error_table_r);
- bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
-
krb5_add_et_list(context, initialize_asn1_error_table_r);
- bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
-
krb5_add_et_list(context, initialize_heim_error_table_r);
- bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
krb5_add_et_list(context, initialize_k524_error_table_r);
+
+#ifdef COM_ERR_BINDDOMAIN_krb5
+ bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
+#endif
#ifdef PKINIT
krb5_add_et_list(context, initialize_hx_error_table_r);
+#ifdef COM_ERR_BINDDOMAIN_hx
bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
#endif
+#endif
}
}
diff --git a/source4/heimdal/lib/krb5/creds.c b/source4/heimdal/lib/krb5/creds.c
index 26c0dfbecb..6cc2714172 100644
--- a/source4/heimdal/lib/krb5/creds.c
+++ b/source4/heimdal/lib/krb5/creds.c
@@ -183,6 +183,18 @@ krb5_times_equal(const krb5_times *a, const krb5_times *b)
* Return TRUE if `mcreds' and `creds' are equal (`whichfields'
* determines what equal means).
*
+ *
+ * The following flags, set in whichfields affects the comparison:
+ * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
+ * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
+ * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
+ * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
+ * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
+ * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
+ * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
+ * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
+ * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
+ *
* @param context Kerberos 5 context.
* @param whichfields which fields to compare.
* @param mcreds cred to compare with.
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 42e2fdf359..bdcdb2ea0a 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -36,20 +36,10 @@
#include "krb5_locl.h"
#include <pkinit_asn1.h>
-#define WEAK_ENCTYPES 1
-
#ifndef HEIMDAL_SMALLER
#define DES3_OLD_ENCTYPE 1
#endif
-
-#ifdef HAVE_OPENSSL /* XXX forward decl for hcrypto glue */
-const EVP_CIPHER * _krb5_EVP_hcrypto_aes_128_cts(void);
-const EVP_CIPHER * _krb5_EVP_hcrypto_aes_256_cts(void);
-#define EVP_hcrypto_aes_128_cts _krb5_EVP_hcrypto_aes_128_cts
-#define EVP_hcrypto_aes_256_cts _krb5_EVP_hcrypto_aes_256_cts
-#endif
-
struct key_data {
krb5_keyblock *key;
krb5_data *schedule;
@@ -180,7 +170,7 @@ struct evp_schedule {
static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
static void
krb5_DES_random_key(krb5_context context,
krb5_keyblock *key)
@@ -555,15 +545,6 @@ DES3_random_to_key(krb5_context context,
* ARCFOUR
*/
-static void
-ARCFOUR_schedule(krb5_context context,
- struct key_type *kt,
- struct key_data *kd)
-{
- RC4_set_key (kd->schedule->data,
- kd->key->keyvalue.length, kd->key->keyvalue.data);
-}
-
static krb5_error_code
ARCFOUR_string_to_key(krb5_context context,
krb5_enctype enctype,
@@ -722,7 +703,7 @@ evp_cleanup(krb5_context context, struct key_data *kd)
*
*/
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
static struct salt_type des_salt[] = {
{
KRB5_PW_SALT,
@@ -793,7 +774,7 @@ static struct key_type keytype_null = {
NULL
};
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
static struct key_type keytype_des_old = {
KEYTYPE_DES,
"des-old",
@@ -819,7 +800,7 @@ static struct key_type keytype_des = {
evp_cleanup,
EVP_des_cbc
};
-#endif /* WEAK_ENCTYPES */
+#endif /* HEIM_WEAK_CRYPTO */
#ifdef DES3_OLD_ENCTYPE
static struct key_type keytype_des3 = {
@@ -862,7 +843,7 @@ static struct key_type keytype_aes128 = {
AES_salt,
NULL,
evp_cleanup,
- EVP_hcrypto_aes_128_cts
+ EVP_aes_128_cbc
};
static struct key_type keytype_aes256 = {
@@ -876,7 +857,7 @@ static struct key_type keytype_aes256 = {
AES_salt,
NULL,
evp_cleanup,
- EVP_hcrypto_aes_256_cts
+ EVP_aes_256_cbc
};
static struct key_type keytype_arcfour = {
@@ -884,10 +865,13 @@ static struct key_type keytype_arcfour = {
"arcfour",
128,
16,
- sizeof(RC4_KEY),
+ sizeof(struct evp_schedule),
+ NULL,
+ evp_schedule,
+ arcfour_salt,
NULL,
- ARCFOUR_schedule,
- arcfour_salt
+ evp_cleanup,
+ EVP_rc4
};
krb5_error_code KRB5_LIB_FUNCTION
@@ -1204,37 +1188,7 @@ NONE_checksum(krb5_context context,
return 0;
}
-static krb5_error_code
-CRC32_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- uint32_t crc;
- unsigned char *r = C->checksum.data;
- _krb5_crc_init_table ();
- crc = _krb5_crc_update (data, len, 0);
- r[0] = crc & 0xff;
- r[1] = (crc >> 8) & 0xff;
- r[2] = (crc >> 16) & 0xff;
- r[3] = (crc >> 24) & 0xff;
- return 0;
-}
-
-static krb5_error_code
-RSA_MD4_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
- krb5_abortx(context, "md4 checksum failed");
- return 0;
-}
+#if defined(DES3_OLD_ENCTYPE) || defined(HEIM_WEAK_CRYPTO)
static krb5_error_code
des_checksum(krb5_context context,
@@ -1299,7 +1253,7 @@ des_verify(krb5_context context,
EVP_DigestUpdate(m, data, len);
EVP_DigestFinal_ex (m, res, NULL);
EVP_MD_CTX_destroy(m);
- if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
+ if(ct_memcmp(res, tmp + 8, sizeof(res)) != 0) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
}
@@ -1308,6 +1262,42 @@ des_verify(krb5_context context,
return ret;
}
+#endif
+
+#ifdef HEIM_WEAK_CRYPTO
+
+static krb5_error_code
+CRC32_checksum(krb5_context context,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ uint32_t crc;
+ unsigned char *r = C->checksum.data;
+ _krb5_crc_init_table ();
+ crc = _krb5_crc_update (data, len, 0);
+ r[0] = crc & 0xff;
+ r[1] = (crc >> 8) & 0xff;
+ r[2] = (crc >> 16) & 0xff;
+ r[3] = (crc >> 24) & 0xff;
+ return 0;
+}
+
+static krb5_error_code
+RSA_MD4_checksum(krb5_context context,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+ krb5_abortx(context, "md4 checksum failed");
+ return 0;
+}
+
static krb5_error_code
RSA_MD4_DES_checksum(krb5_context context,
struct key_data *key,
@@ -1331,19 +1321,6 @@ RSA_MD4_DES_verify(krb5_context context,
}
static krb5_error_code
-RSA_MD5_checksum(krb5_context context,
- struct key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
- krb5_abortx(context, "md5 checksum failed");
- return 0;
-}
-
-static krb5_error_code
RSA_MD5_DES_checksum(krb5_context context,
struct key_data *key,
const void *data,
@@ -1365,6 +1342,8 @@ RSA_MD5_DES_verify(krb5_context context,
return des_verify(context, EVP_md5(), key, data, len, C);
}
+#endif /* HEIM_WEAK_CRYPTO */
+
#ifdef DES3_OLD_ENCTYPE
static krb5_error_code
RSA_MD5_DES3_checksum(krb5_context context,
@@ -1576,6 +1555,7 @@ static struct checksum_type checksum_none = {
NONE_checksum,
NULL
};
+#ifdef HEIM_WEAK_CRYPTO
static struct checksum_type checksum_crc32 = {
CKSUMTYPE_CRC32,
"crc32",
@@ -1603,15 +1583,6 @@ static struct checksum_type checksum_rsa_md4_des = {
RSA_MD4_DES_checksum,
RSA_MD4_DES_verify
};
-static struct checksum_type checksum_rsa_md5 = {
- CKSUMTYPE_RSA_MD5,
- "rsa-md5",
- 64,
- 16,
- F_CPROOF,
- RSA_MD5_checksum,
- NULL
-};
static struct checksum_type checksum_rsa_md5_des = {
CKSUMTYPE_RSA_MD5_DES,
"rsa-md5-des",
@@ -1621,6 +1592,31 @@ static struct checksum_type checksum_rsa_md5_des = {
RSA_MD5_DES_checksum,
RSA_MD5_DES_verify
};
+#endif /* HEIM_WEAK_CRYPTO */
+
+static krb5_error_code
+RSA_MD5_checksum(krb5_context context,
+ struct key_data *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *C)
+{
+ if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+ krb5_abortx(context, "md5 checksum failed");
+ return 0;
+}
+
+static struct checksum_type checksum_rsa_md5 = {
+ CKSUMTYPE_RSA_MD5,
+ "rsa-md5",
+ 64,
+ 16,
+ F_CPROOF,
+ RSA_MD5_checksum,
+ NULL
+};
+
#ifdef DES3_OLD_ENCTYPE
static struct checksum_type checksum_rsa_md5_des3 = {
CKSUMTYPE_RSA_MD5_DES3,
@@ -1683,14 +1679,16 @@ static struct checksum_type checksum_hmac_md5 = {
static struct checksum_type *checksum_types[] = {
&checksum_none,
+#ifdef HEIM_WEAK_CRYPTO
&checksum_crc32,
&checksum_rsa_md4,
&checksum_rsa_md4_des,
- &checksum_rsa_md5,
&checksum_rsa_md5_des,
+#endif
#ifdef DES3_OLD_ENCTYPE
&checksum_rsa_md5_des3,
#endif
+ &checksum_rsa_md5,
&checksum_sha1,
&checksum_hmac_sha1_des3,
&checksum_hmac_sha1_aes128,
@@ -1889,7 +1887,7 @@ verify_checksum(krb5_context context,
}
if(c.checksum.length != cksum->checksum.length ||
- memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
+ ct_memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
} else {
@@ -2060,7 +2058,103 @@ evp_encrypt(krb5_context context,
return 0;
}
-#ifdef WEAK_ENCTYPES
+static const char zero_ivec[EVP_MAX_BLOCK_LENGTH] = { 0 };
+
+static krb5_error_code
+evp_encrypt_cts(krb5_context context,
+ struct key_data *key,
+ void *data,
+ size_t len,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t i, blocksize;
+ struct evp_schedule *ctx = key->schedule->data;
+ char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ unsigned char *p;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+
+ if (len < blocksize) {
+ krb5_set_error_message(context, EINVAL,
+ "message block too short");
+ return EINVAL;
+ } else if (len == blocksize) {
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, data, data, len);
+ return 0;
+ }
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ if (encryptp) {
+
+ p = data;
+ i = ((len - 1) / blocksize) * blocksize;
+ EVP_Cipher(c, p, p, i);
+ p += i - blocksize;
+ len -= i;
+ memcpy(ivec2, p, blocksize);
+
+ for (i = 0; i < len; i++)
+ tmp[i] = p[i + blocksize] ^ ivec2[i];
+ for (; i < blocksize; i++)
+ tmp[i] = 0 ^ ivec2[i];
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, p, tmp, blocksize);
+
+ memcpy(p + blocksize, ivec2, len);
+ if (ivec)
+ memcpy(ivec, p, blocksize);
+ } else {
+ char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+
+ p = data;
+ if (len > blocksize * 2) {
+ /* remove last two blocks and round up, decrypt this with cbc, then do cts dance */
+ i = ((((len - blocksize * 2) + blocksize - 1) / blocksize) * blocksize);
+ memcpy(ivec2, p + i - blocksize, blocksize);
+ EVP_Cipher(c, p, p, i);
+ p += i;
+ len -= i + blocksize;
+ } else {
+ if (ivec)
+ memcpy(ivec2, ivec, blocksize);
+ else
+ memcpy(ivec2, zero_ivec, blocksize);
+ len -= blocksize;
+ }
+
+ memcpy(tmp, p, blocksize);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp2, p, blocksize);
+
+ memcpy(tmp3, p + blocksize, len);
+ memcpy(tmp3 + len, tmp2 + len, blocksize - len); /* xor 0 */
+
+ for (i = 0; i < len; i++)
+ p[i + blocksize] = tmp2[i] ^ tmp3[i];
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, p, tmp3, blocksize);
+
+ for (i = 0; i < blocksize; i++)
+ p[i] ^= ivec2[i];
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+ }
+ return 0;
+}
+
+#ifdef HEIM_WEAK_CRYPTO
static krb5_error_code
evp_des_encrypt_null_ivec(krb5_context context,
struct key_data *key,
@@ -2149,12 +2243,12 @@ ARCFOUR_subencrypt(krb5_context context,
unsigned usage,
void *ivec)
{
+ EVP_CIPHER_CTX ctx;
struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
Checksum k1_c, k2_c, k3_c, cksum;
struct key_data ke;
krb5_keyblock kb;
unsigned char t[4];
- RC4_KEY rc4_key;
unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
krb5_error_code ret;
@@ -2196,8 +2290,12 @@ ARCFOUR_subencrypt(krb5_context context,
if (ret)
krb5_abortx(context, "hmac failed");
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+ EVP_CIPHER_CTX_init(&ctx);
+
+ EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1);
+ EVP_Cipher(&ctx, cdata + 16, cdata + 16, len - 16);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
memset (k1_c_data, 0, sizeof(k1_c_data));
memset (k2_c_data, 0, sizeof(k2_c_data));
memset (k3_c_data, 0, sizeof(k3_c_data));
@@ -2212,12 +2310,12 @@ ARCFOUR_subdecrypt(krb5_context context,
unsigned usage,
void *ivec)
{
+ EVP_CIPHER_CTX ctx;
struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
Checksum k1_c, k2_c, k3_c, cksum;
struct key_data ke;
krb5_keyblock kb;
unsigned char t[4];
- RC4_KEY rc4_key;
unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
unsigned char cksum_data[16];
@@ -2250,8 +2348,10 @@ ARCFOUR_subdecrypt(krb5_context context,
if (ret)
krb5_abortx(context, "hmac failed");
- RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
- RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+ EVP_CIPHER_CTX_init(&ctx);
+ EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0);
+ EVP_Cipher(&ctx, cdata + 16, cdata + 16, len - 16);
+ EVP_CIPHER_CTX_cleanup(&ctx);
ke.key = &kb;
kb.keyvalue = k2_c.checksum;
@@ -2267,7 +2367,7 @@ ARCFOUR_subdecrypt(krb5_context context,
memset (k2_c_data, 0, sizeof(k2_c_data));
memset (k3_c_data, 0, sizeof(k3_c_data));
- if (memcmp (cksum.checksum.data, data, 16) != 0) {
+ if (ct_memcmp (cksum.checksum.data, data, 16) != 0) {
krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_BAD_INTEGRITY;
} else {
@@ -2471,7 +2571,7 @@ static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_aes128,
F_DERIVED,
- evp_encrypt,
+ evp_encrypt_cts,
16,
AES_PRF
};
@@ -2485,7 +2585,7 @@ static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
&checksum_sha1,
&checksum_hmac_sha1_aes256,
F_DERIVED,
- evp_encrypt,
+ evp_encrypt_cts,
16,
AES_PRF
};
@@ -2503,7 +2603,7 @@ static struct encryption_type enctype_des3_cbc_none = {
0,
NULL
};
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
static struct encryption_type enctype_des_cbc_crc = {
ETYPE_DES_CBC_CRC,
"des-cbc-crc",
@@ -2588,7 +2688,7 @@ static struct encryption_type enctype_des_pcbc_none = {
0,
NULL
};
-#endif /* WEAK_ENCTYPES */
+#endif /* HEIM_WEAK_CRYPTO */
static struct encryption_type *etypes[] = {
&enctype_aes256_cts_hmac_sha1,
@@ -2600,7 +2700,7 @@ static struct encryption_type *etypes[] = {
&enctype_des3_cbc_md5,
&enctype_old_des3_cbc_sha1,
#endif
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
&enctype_des_cbc_crc,
&enctype_des_cbc_md4,
&enctype_des_cbc_md5,
@@ -3584,6 +3684,7 @@ krb5_create_checksum_iov(krb5_context context,
* @param usage Key usage for this buffer
* @param data array of buffers to process
* @param num_data length of array
+ * @param type return checksum type if not NULL
*
* @return Return an error code or 0.
* @ingroup krb5_crypto
@@ -4044,6 +4145,23 @@ _get_derived_key(krb5_context context,
return 0;
}
+/**
+ * Create a crypto context used for all encryption and signature
+ * operation. The encryption type to use is taken from the key, but
+ * can be overridden with the enctype parameter. This can be useful
+ * for encryptions types which is compatiable (DES for example).
+ *
+ * To free the crypto context, use krb5_crypto_destroy().
+ *
+ * @param context Kerberos context
+ * @param key the key block information with all key data
+ * @param etype the encryption type
+ * @param crypto the resulting crypto context
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_init(krb5_context context,
@@ -4116,6 +4234,17 @@ free_key_usage(krb5_context context, struct key_usage *ku,
free_key_data(context, &ku->key, et);
}
+/**
+ * Free a crypto context created by krb5_crypto_init().
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to free
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_destroy(krb5_context context,
krb5_crypto crypto)
@@ -4130,6 +4259,18 @@ krb5_crypto_destroy(krb5_context context,
return 0;
}
+/**
+ * Return the blocksize used algorithm referenced by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param blocksize the resulting blocksize
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_getblocksize(krb5_context context,
krb5_crypto crypto,
@@ -4139,6 +4280,18 @@ krb5_crypto_getblocksize(krb5_context context,
return 0;
}
+/**
+ * Return the encryption type used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param enctype the resulting encryption type
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_getenctype(krb5_context context,
krb5_crypto crypto,
@@ -4148,6 +4301,18 @@ krb5_crypto_getenctype(krb5_context context,
return 0;
}
+/**
+ * Return the padding size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param padsize the return padding size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_getpadsize(krb5_context context,
krb5_crypto crypto,
@@ -4157,6 +4322,18 @@ krb5_crypto_getpadsize(krb5_context context,
return 0;
}
+/**
+ * Return the confounder size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param confoundersize the returned confounder size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_getconfoundersize(krb5_context context,
krb5_crypto crypto,
@@ -4386,8 +4563,8 @@ krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
* @param context Kerberos 5 context
* @param type the enctype resulting key will be of
* @param data input random data to convert to a key
- * @param data size of input random data, at least krb5_enctype_keysize() long
- * @param data key, output key, free with krb5_free_keyblock_contents()
+ * @param size size of input random data, at least krb5_enctype_keysize() long
+ * @param key key, output key, free with krb5_free_keyblock_contents()
*
* @return Return an error code or 0.
*
@@ -4444,6 +4621,7 @@ _krb5_pk_octetstring2key(krb5_context context,
void *keydata;
unsigned char counter;
unsigned char shaoutput[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *m;
if(et == NULL) {
krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
@@ -4459,19 +4637,27 @@ _krb5_pk_octetstring2key(krb5_context context,
return ENOMEM;
}
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ free(keydata);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
counter = 0;
offset = 0;
do {
- SHA_CTX m;
- SHA1_Init(&m);
- SHA1_Update(&m, &counter, 1);
- SHA1_Update(&m, dhdata, dhsize);
+ EVP_DigestInit_ex(m, EVP_sha1(), NULL);
+ EVP_DigestUpdate(m, &counter, 1);
+ EVP_DigestUpdate(m, dhdata, dhsize);
+
if (c_n)
- SHA1_Update(&m, c_n->data, c_n->length);
+ EVP_DigestUpdate(m, c_n->data, c_n->length);
if (k_n)
- SHA1_Update(&m, k_n->data, k_n->length);
- SHA1_Final(shaoutput, &m);
+ EVP_DigestUpdate(m, k_n->data, k_n->length);
+
+ EVP_DigestFinal_ex(m, shaoutput, NULL);
memcpy((unsigned char *)keydata + offset,
shaoutput,
@@ -4482,6 +4668,8 @@ _krb5_pk_octetstring2key(krb5_context context,
} while(offset < keylen);
memset(shaoutput, 0, sizeof(shaoutput));
+ EVP_MD_CTX_destroy(m);
+
ret = krb5_random_to_key(context, type, keydata, keylen, key);
memset(keydata, 0, sizeof(keylen));
free(keydata);
@@ -4595,6 +4783,7 @@ _krb5_pk_kdf(krb5_context context,
uint32_t counter;
unsigned char *keydata;
unsigned char shaoutput[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *m;
if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) {
krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
@@ -4633,18 +4822,26 @@ _krb5_pk_kdf(krb5_context context,
return ret;
}
+ m = EVP_MD_CTX_create();
+ if (m == NULL) {
+ free(keydata);
+ free(other.data);
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+
offset = 0;
counter = 1;
do {
unsigned char cdata[4];
- SHA_CTX m;
- SHA1_Init(&m);
+ EVP_DigestInit_ex(m, EVP_sha1(), NULL);
_krb5_put_int(cdata, counter, 4);
- SHA1_Update(&m, cdata, 4);
- SHA1_Update(&m, dhdata, dhsize);
- SHA1_Update(&m, other.data, other.length);
- SHA1_Final(shaoutput, &m);
+ EVP_DigestUpdate(m, cdata, 4);
+ EVP_DigestUpdate(m, dhdata, dhsize);
+ EVP_DigestUpdate(m, other.data, other.length);
+
+ EVP_DigestFinal_ex(m, shaoutput, NULL);
memcpy((unsigned char *)keydata + offset,
shaoutput,
@@ -4655,6 +4852,7 @@ _krb5_pk_kdf(krb5_context context,
} while(offset < keylen);
memset(shaoutput, 0, sizeof(shaoutput));
+ EVP_MD_CTX_destroy(m);
free(other.data);
ret = krb5_random_to_key(context, enctype, keydata, keylen, key);
@@ -4765,7 +4963,7 @@ krb5_crypto_prfplus(krb5_context context,
* @param crypto1 first key to combine
* @param crypto2 second key to combine
* @param pepper1 factor to combine with first key to garante uniqueness
- * @param pepper1 factor to combine with second key to garante uniqueness
+ * @param pepper2 factor to combine with second key to garante uniqueness
* @param enctype the encryption type of the resulting key
* @param res allocated key, free with krb5_free_keyblock_contents()
*
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index ff89a90d55..5363d533e7 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -398,6 +398,9 @@ get_init_creds_common(krb5_context context,
}
}
if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
+ if (ctx->etypes)
+ free(ctx->etypes);
+
etypes = malloc((options->etype_list_length + 1)
* sizeof(krb5_enctype));
if (etypes == NULL) {
@@ -1417,10 +1420,17 @@ krb5_init_creds_set_keytab(krb5_context context,
krb5_keytab keytab)
{
krb5_keytab_key_proc_args *a;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ krb5_enctype *etypes = NULL;
+ krb5_error_code ret;
+ size_t netypes = 0;
+ int kvno = 0;
a = malloc(sizeof(*a));
if (a == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -1431,6 +1441,58 @@ krb5_init_creds_set_keytab(krb5_context context,
ctx->keyseed = (void *)a;
ctx->keyproc = keytab_key_proc;
+ /*
+ * We need to the KDC what enctypes we support for this keytab,
+ * esp if the keytab is really a password based entry, then the
+ * KDC might have more enctypes in the database then what we have
+ * in the keytab.
+ */
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if(ret)
+ goto out;
+
+ while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0){
+ void *ptr;
+
+ if (!krb5_principal_compare(context, entry.principal, ctx->cred.client))
+ goto next;
+
+ /* check if we ahve this kvno already */
+ if (entry.vno > kvno) {
+ /* remove old list of etype */
+ if (etypes)
+ free(etypes);
+ netypes = 0;
+ kvno = entry.vno;
+ } else if (entry.vno != kvno)
+ goto next;
+
+ /* check if enctype is supported */
+ if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
+ goto next;
+
+ /* add enctype to supported list */
+ ptr = realloc(etypes, sizeof(etypes[0]) * (netypes + 2));
+ if (ptr == NULL)
+ goto next;
+
+ etypes = ptr;
+ etypes[netypes] = entry.keyblock.keytype;
+ etypes[netypes + 1] = ETYPE_NULL;
+ netypes++;
+ next:
+ krb5_kt_free_entry(context, &entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+
+ if (etypes) {
+ if (ctx->etypes)
+ free(ctx->etypes);
+ ctx->etypes = etypes;
+ }
+
+ out:
return 0;
}
diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c
index 57ed7875fc..046caee6d6 100644
--- a/source4/heimdal/lib/krb5/keyblock.c
+++ b/source4/heimdal/lib/krb5/keyblock.c
@@ -97,7 +97,7 @@ krb5_free_keyblock(krb5_context context,
* @param inblock the key to copy
* @param to the output key.
*
- * @param 0 on success or a Kerberos 5 error code
+ * @return 0 on success or a Kerberos 5 error code
*
* @ingroup krb5_crypto
*/
@@ -118,7 +118,7 @@ krb5_copy_keyblock_contents (krb5_context context,
* @param inblock the key to copy
* @param to the output key.
*
- * @param 0 on success or a Kerberos 5 error code
+ * @return 0 on success or a Kerberos 5 error code
*
* @ingroup krb5_crypto
*/
@@ -165,6 +165,8 @@ krb5_keyblock_get_enctype(const krb5_keyblock *block)
* Fill in `key' with key data of type `enctype' from `data' of length
* `size'. Key should be freed using krb5_free_keyblock_contents().
*
+ * @return 0 on success or a Kerberos 5 error code
+ *
* @ingroup krb5_crypto
*/
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index b56219cced..71dc1327c6 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -234,7 +234,8 @@ typedef struct krb5_context_data {
krb5_config_section *cf;
struct et_list *et_list;
struct krb5_log_facility *warn_dest;
- krb5_cc_ops *cc_ops;
+ struct krb5_log_facility *debug_dest;
+ const krb5_cc_ops **cc_ops;
int num_cc_ops;
const char *http_proxy;
const char *time_fmt;
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index e9111abec9..4e4b4562e5 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -86,8 +86,11 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
r = rk_dns_lookup(domain, dns_type);
- if(r == NULL)
+ if(r == NULL) {
+ _krb5_debug(context, 0,
+ "DNS lookup failed domain: %s", domain);
return KRB5_KDC_UNREACH;
+ }
for(num_srv = 0, rr = r->head; rr; rr = rr->next)
if(rr->type == rk_ns_t_srv)
@@ -176,6 +179,15 @@ krbhst_get_default_proto(struct krb5_krbhst_data *kd)
return KRB5_KRBHST_UDP;
}
+/*
+ *
+ */
+
+const char *
+_krb5_krbhst_get_realm(krb5_krbhst_handle handle)
+{
+ return handle->realm;
+}
/*
* parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port'
@@ -186,7 +198,7 @@ static struct krb5_krbhst_info*
parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
const char *spec, int def_port, int port)
{
- const char *p = spec;
+ const char *p = spec, *q;
struct krb5_krbhst_info *hi;
hi = calloc(1, sizeof(*hi) + strlen(spec));
@@ -209,7 +221,17 @@ parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
p += 4;
}
- if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+ if (p[0] == '[' && (q = strchr(p, ']')) != NULL) {
+ /* if address looks like [foo:bar] or [foo:bar]: its a ipv6
+ adress, strip of [] */
+ memcpy(hi->hostname, &p[1], q - p - 1);
+ hi->hostname[q - p - 1] = '\0';
+ p = q + 1;
+ /* get trailing : */
+ if (p[0] == ':')
+ p++;
+ } else if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+ /* copy everything before : */
free(hi);
return NULL;
}
@@ -218,7 +240,7 @@ parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
strlwr(hi->hostname);
hi->port = hi->def_port = def_port;
- if(p != NULL) {
+ if(p != NULL && p[0]) {
char *end;
hi->port = strtol(p, &end, 0);
if(end == p) {
@@ -374,11 +396,15 @@ static void
srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
const char *proto, const char *service)
{
+ krb5_error_code ret;
krb5_krbhst_info **res;
int count, i;
- if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
- kd->port))
+ ret = srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+ kd->port);
+ _krb5_debug(context, 2, "searching DNS for realm %s %s.%s -> %d",
+ kd->realm, proto, service, ret);
+ if (ret)
return;
for(i = 0; i < count; i++)
append_host_hostinfo(kd, res[i]);
@@ -395,11 +421,13 @@ config_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
const char *conf_string)
{
int i;
-
char **hostlist;
hostlist = krb5_config_get_strings(context, NULL,
"realms", kd->realm, conf_string, NULL);
+ _krb5_debug(context, 2, "configuration file for realm %s%s found",
+ kd->realm, hostlist ? "" : " not");
+
if(hostlist == NULL)
return;
kd->flags |= KD_CONFIG_EXISTS;
@@ -426,6 +454,9 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
struct addrinfo hints;
char portstr[NI_MAXSERV];
+ _krb5_debug(context, 2, "fallback lookup %d for realm %s (service %s)",
+ kd->fallback_count, kd->realm, serv_string);
+
/*
* Don't try forever in case the DNS server keep returning us
* entries (like wildcard entries or the .nu TLD)
@@ -545,8 +576,10 @@ plugin_get_hosts(krb5_context context,
N_("Locate plugin failed to lookup realm %s: %d", ""),
kd->realm, ret);
break;
- } else if (ret == 0)
+ } else if (ret == 0) {
+ _krb5_debug(context, 2, "plugin found result for realm %s", kd->realm);
kd->flags |= KD_CONFIG_EXISTS;
+ }
}
_krb5_plugin_free(list);
@@ -577,8 +610,12 @@ kdc_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
@@ -612,6 +649,8 @@ kdc_get_next(krb5_context context,
return 0;
}
+ _krb5_debug(context, 0, "No KDC entries found for %s", kd->realm);
+
return KRB5_KDC_UNREACH; /* XXX */
}
@@ -636,8 +675,12 @@ admin_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) {
@@ -660,6 +703,8 @@ admin_get_next(krb5_context context,
return 0;
}
+ _krb5_debug(context, 0, "No admin entries found for realm %s", kd->realm);
+
return KRB5_KDC_UNREACH; /* XXX */
}
@@ -684,8 +729,12 @@ kpasswd_get_next(krb5_context context,
return 0;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
@@ -714,7 +763,9 @@ kpasswd_get_next(krb5_context context,
return ret;
}
- return KRB5_KDC_UNREACH; /* XXX */
+ _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+
+ return KRB5_KDC_UNREACH;
}
static krb5_error_code
@@ -736,8 +787,12 @@ krb524_get_next(krb5_context context,
kd->flags |= KD_CONFIG;
}
- if (kd->flags & KD_CONFIG_EXISTS)
- return KRB5_KDC_UNREACH; /* XXX */
+ if (kd->flags & KD_CONFIG_EXISTS) {
+ _krb5_debug(context, 1,
+ "Configuration exists for realm %s, wont go to DNS",
+ kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
@@ -764,11 +819,14 @@ krb524_get_next(krb5_context context,
return (*kd->get_next)(context, kd, host);
}
- return KRB5_KDC_UNREACH; /* XXX */
+ _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+
+ return KRB5_KDC_UNREACH;
}
static struct krb5_krbhst_data*
common_init(krb5_context context,
+ const char *service,
const char *realm,
int flags)
{
@@ -782,6 +840,9 @@ common_init(krb5_context context,
return NULL;
}
+ _krb5_debug(context, 2, "Trying to find service %s for realm %s flags %x",
+ service, realm, flags);
+
/* For 'realms' without a . do not even think of going to DNS */
if (!strchr(realm, '.'))
kd->flags |= KD_CONFIG_EXISTS;
@@ -816,32 +877,37 @@ krb5_krbhst_init_flags(krb5_context context,
krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info **);
int def_port;
+ const char *service;
switch(type) {
case KRB5_KRBHST_KDC:
next = kdc_get_next;
def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
+ service = "kdc";
break;
case KRB5_KRBHST_ADMIN:
next = admin_get_next;
def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
"tcp", 749));
+ service = "admin";
break;
case KRB5_KRBHST_CHANGEPW:
next = kpasswd_get_next;
def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
KPASSWD_PORT));
+ service = "change_password";
break;
case KRB5_KRBHST_KRB524:
next = krb524_get_next;
def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444));
+ service = "524";
break;
default:
krb5_set_error_message(context, ENOTTY,
N_("unknown krbhst type (%u)", ""), type);
return ENOTTY;
}
- if((kd = common_init(context, realm, flags)) == NULL)
+ if((kd = common_init(context, service, realm, flags)) == NULL)
return ENOMEM;
kd->get_next = next;
kd->def_port = def_port;
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c
index 5b84bc2f4c..9f81460973 100644
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -488,3 +488,19 @@ krb5_log(krb5_context context,
return ret;
}
+void KRB5_LIB_FUNCTION
+_krb5_debug(krb5_context context,
+ int level,
+ const char *fmt,
+ ...)
+ __attribute__((format (printf, 3, 4)))
+{
+ va_list ap;
+
+ if (context == NULL || context->debug_dest == NULL)
+ return;
+
+ va_start(ap, fmt);
+ krb5_vlog(context, context->debug_dest, level, fmt, ap);
+ va_end(ap);
+}
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index af5568f44b..2f6d7854a5 100644
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -1161,24 +1161,6 @@ pk_rd_pa_reply_enckey(krb5_context context,
}
der_free_oid(&contentType);
-#if 0 /* windows LH with interesting CMS packets, leaks memory */
- {
- size_t ph = 1 + der_length_len (length);
- unsigned char *ptr = malloc(length + ph);
- size_t l;
-
- memcpy(ptr + ph, p, length);
-
- ret = der_put_length_and_tag (ptr + ph - 1, ph, length,
- ASN1_C_UNIV, CONS, UT_Sequence, &l);
- if (ret)
- return ret;
- ptr += ph - l;
- length += l;
- p = ptr;
- }
-#endif
-
/* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) {
heim_oid type;
@@ -1882,11 +1864,12 @@ pk_copy_error(krb5_context context,
{
va_list va;
char *s, *f;
+ int ret;
va_start(va, fmt);
- vasprintf(&f, fmt, va);
+ ret = vasprintf(&f, fmt, va);
va_end(va);
- if (f == NULL) {
+ if (ret == -1 || f == NULL) {
krb5_clear_error_message(context);
return;
}
@@ -2203,13 +2186,15 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
ctx = opt->opt_private->pk_init_ctx;
switch (ctx->keyex) {
case USE_DH:
- DH_free(ctx->u.dh);
+ if (ctx->u.dh)
+ DH_free(ctx->u.dh);
break;
case USE_RSA:
break;
case USE_ECDH:
#ifdef HAVE_OPENSSL
- EC_KEY_free(ctx->u.eckey);
+ if (ctx->u.eckey)
+ EC_KEY_free(ctx->u.eckey);
#endif
break;
}
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c
index 9899f5661f..1483d59f9d 100644
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -425,6 +425,19 @@ unparse_name_fixed(krb5_context context,
return 0;
}
+/**
+ * Unparse the principal name to a fixed buffer
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_unparse_name_fixed(krb5_context context,
krb5_const_principal principal,
@@ -434,6 +447,20 @@ krb5_unparse_name_fixed(krb5_context context,
return unparse_name_fixed(context, principal, name, len, 0);
}
+/**
+ * Unparse the principal name to a fixed buffer. The realm is skipped
+ * if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_unparse_name_fixed_short(krb5_context context,
krb5_const_principal principal,
@@ -444,6 +471,20 @@ krb5_unparse_name_fixed_short(krb5_context context,
KRB5_PRINCIPAL_UNPARSE_SHORT);
}
+/**
+ * Unparse the principal name with unparse flags to a fixed buffer.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param flags unparse flags
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_unparse_name_fixed_flags(krb5_context context,
krb5_const_principal principal,
@@ -538,6 +579,19 @@ krb5_unparse_name_flags(krb5_context context,
return unparse_name(context, principal, name, flags);
}
+/**
+ * Unparse the principal name to a allocated buffer. The realm is
+ * skipped if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name returned buffer, free with krb5_xfree()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_unparse_name_short(krb5_context context,
krb5_const_principal principal,
@@ -546,18 +600,18 @@ krb5_unparse_name_short(krb5_context context,
return unparse_name(context, principal, name, KRB5_PRINCIPAL_UNPARSE_SHORT);
}
-#if 0 /* not implemented */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_ext(krb5_context context,
- krb5_const_principal principal,
- char **name,
- size_t *size)
-{
- krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
-}
-
-#endif
+/**
+ * Set a new realm for a principal, and as a side-effect free the
+ * previous realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal set the realm for
+ * @param realm the new realm to set
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
krb5_error_code KRB5_LIB_FUNCTION
krb5_principal_set_realm(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/replay.c b/source4/heimdal/lib/krb5/replay.c
index 37556cfbc5..be484c29dc 100644
--- a/source4/heimdal/lib/krb5/replay.c
+++ b/source4/heimdal/lib/krb5/replay.c
@@ -178,17 +178,20 @@ krb5_rc_close(krb5_context context,
static void
checksum_authenticator(Authenticator *auth, void *data)
{
- MD5_CTX md5;
- int i;
+ EVP_MD_CTX *m = EVP_MD_CTX_create();
+ unsigned i;
- MD5_Init (&md5);
- MD5_Update (&md5, auth->crealm, strlen(auth->crealm));
+ EVP_DigestInit_ex(m, EVP_md5(), NULL);
+
+ EVP_DigestUpdate(m, auth->crealm, strlen(auth->crealm));
for(i = 0; i < auth->cname.name_string.len; i++)
- MD5_Update(&md5, auth->cname.name_string.val[i],
+ EVP_DigestUpdate(m, auth->cname.name_string.val[i],
strlen(auth->cname.name_string.val[i]));
- MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime));
- MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec));
- MD5_Final (data, &md5);
+ EVP_DigestUpdate(m, &auth->ctime, sizeof(auth->ctime));
+ EVP_DigestUpdate(m, &auth->cusec, sizeof(auth->cusec));
+
+ EVP_DigestFinal_ex(m, data, NULL);
+ EVP_MD_CTX_destroy(m);
}
krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c
index 50b42f2f10..0efe14eb4f 100644
--- a/source4/heimdal/lib/krb5/send_to_kdc.c
+++ b/source4/heimdal/lib/krb5/send_to_kdc.c
@@ -379,6 +379,10 @@ krb5_sendto (krb5_context context,
while (krb5_krbhst_next(context, handle, &hi) == 0) {
struct addrinfo *ai, *a;
+ _krb5_debug(context, 2,
+ "trying to communicate with host %s in realm %s",
+ hi->hostname, _krb5_krbhst_get_realm(handle));
+
if (context->send_to_kdc) {
struct send_to_kdc *s = context->send_to_kdc;
@@ -441,6 +445,9 @@ krb5_sendto (krb5_context context,
krb5_clear_error_message (context);
ret = KRB5_KDC_UNREACH;
out:
+ _krb5_debug(context, 2,
+ "result of trying to talk to realm %s = %d",
+ _krb5_krbhst_get_realm(handle), ret);
return ret;
}
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index 2ba83ef0d5..6e1374adf9 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -40,12 +40,30 @@
#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
+/**
+ * Add the flags on a storage buffer by or-ing in the flags to the buffer.
+ *
+ * @param sp the storage buffer to set the flags on
+ * @param flags the flags to set
+ *
+ * @ingroup krb5_storage
+ */
+
void KRB5_LIB_FUNCTION
krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
{
sp->flags |= flags;
}
+/**
+ * Clear the flags on a storage buffer
+ *
+ * @param sp the storage buffer to clear the flags on
+ * @param flags the flags to clear
+ *
+ * @ingroup krb5_storage
+ */
+
void KRB5_LIB_FUNCTION
krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
{
@@ -359,6 +377,18 @@ krb5_ret_int(krb5_storage *sp,
return 0;
}
+/**
+ * Read a int32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int32(krb5_storage *sp,
int32_t *value)
@@ -373,6 +403,18 @@ krb5_ret_int32(krb5_storage *sp,
return 0;
}
+/**
+ * Read a uint32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_uint32(krb5_storage *sp,
uint32_t *value)
@@ -429,6 +471,17 @@ krb5_store_uint16(krb5_storage *sp,
return krb5_store_int16(sp, (int16_t)value);
}
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int16(krb5_storage *sp,
int16_t *value)
@@ -446,6 +499,18 @@ krb5_ret_int16(krb5_storage *sp,
return 0;
}
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_uint16(krb5_storage *sp,
uint16_t *value)
@@ -501,6 +566,17 @@ krb5_store_uint8(krb5_storage *sp,
return krb5_store_int8(sp, (int8_t)value);
}
+/**
+ * Read a int8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
@@ -513,6 +589,17 @@ krb5_ret_int8(krb5_storage *sp,
return 0;
}
+/**
+ * Read a uint8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_uint8(krb5_storage *sp,
uint8_t *value)
@@ -528,7 +615,8 @@ krb5_ret_uint8(krb5_storage *sp,
}
/**
- * Store a data to the storage.
+ * Store a data to the storage. The data is stored with an int32 as
+ * lenght plus the data (not padded).
*
* @param sp the storage buffer to write to
* @param data the buffer to store.
@@ -587,6 +675,18 @@ krb5_ret_data(krb5_storage *sp,
return 0;
}
+/**
+ * Store a string to the buffer. The data is formated as an len:uint32
+ * plus the string itself (not padded).
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_string(krb5_storage *sp, const char *s)
{
@@ -596,6 +696,18 @@ krb5_store_string(krb5_storage *sp, const char *s)
return krb5_store_data(sp, data);
}
+/**
+ * Parse a string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_string(krb5_storage *sp,
char **string)
@@ -614,6 +726,18 @@ krb5_ret_string(krb5_storage *sp,
return 0;
}
+/**
+ * Store a zero terminated string to the buffer. The data is stored
+ * one character at a time until a NUL is stored.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_stringz(krb5_storage *sp, const char *s)
{
@@ -630,6 +754,17 @@ krb5_store_stringz(krb5_storage *sp, const char *s)
return 0;
}
+/**
+ * Parse zero terminated string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_stringz(krb5_storage *sp,
char **string)
@@ -733,6 +868,16 @@ krb5_ret_stringnl(krb5_storage *sp,
return 0;
}
+/**
+ * Write a principal block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the principal block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_principal(krb5_storage *sp,
@@ -760,6 +905,17 @@ krb5_store_principal(krb5_storage *sp,
return 0;
}
+/**
+ * Parse principal from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param princ the parsed principal
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_principal(krb5_storage *sp,
krb5_principal *princ)
@@ -931,6 +1087,17 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
return ret;
}
+/**
+ * Write a address block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the address block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_address(krb5_storage *sp, krb5_address p)
{
@@ -941,6 +1108,17 @@ krb5_store_address(krb5_storage *sp, krb5_address p)
return ret;
}
+/**
+ * Read a address block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the address block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_address(krb5_storage *sp, krb5_address *adr)
{
@@ -953,6 +1131,17 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr)
return ret;
}
+/**
+ * Write a addresses block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the addresses block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
{
@@ -967,6 +1156,17 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
return ret;
}
+/**
+ * Read a addresses block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the addresses block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
{
@@ -987,6 +1187,17 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
return ret;
}
+/**
+ * Write a auth data block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
{
@@ -1003,6 +1214,17 @@ krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
return 0;
}
+/**
+ * Read a auth data from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
{
@@ -1037,9 +1259,15 @@ bitswap32(int32_t b)
return r;
}
-
-/*
+/**
+ * Write a credentials block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
*
+ * @ingroup krb5_storage
*/
krb5_error_code KRB5_LIB_FUNCTION
@@ -1083,6 +1311,17 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
return ret;
}
+/**
+ * Read a credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
{
@@ -1144,8 +1383,15 @@ cleanup:
#define SC_AUTHDATA 0x0020
#define SC_ADDRESSES 0x0040
-/*
+/**
+ * Write a tagged credentials block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
*
+ * @ingroup krb5_storage
*/
krb5_error_code KRB5_LIB_FUNCTION
@@ -1229,6 +1475,17 @@ krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
return ret;
}
+/**
+ * Read a tagged credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ret_creds_tag(krb5_storage *sp,
krb5_creds *creds)
diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c
index a7b0c2d2dc..a913e182d5 100644
--- a/source4/heimdal/lib/krb5/store_mem.c
+++ b/source4/heimdal/lib/krb5/store_mem.c
@@ -110,7 +110,7 @@ mem_no_trunc(krb5_storage *sp, off_t offset)
}
/**
- *
+ * Create a fixed size memory storage block
*
* @return A krb5_storage on success, or NULL on out of memory error.
*
@@ -149,7 +149,7 @@ krb5_storage_from_mem(void *buf, size_t len)
}
/**
- *
+ * Create a fixed size memory storage block
*
* @return A krb5_storage on success, or NULL on out of memory error.
*
@@ -168,7 +168,7 @@ krb5_storage_from_data(krb5_data *data)
}
/**
- *
+ * Create a fixed size memory storage block that is read only
*
* @return A krb5_storage on success, or NULL on out of memory error.
*
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 86c4924506..3bd9387906 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -33,6 +33,18 @@
#include "krb5_locl.h"
+/**
+ * Free ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to free
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_free_ticket(krb5_context context,
krb5_ticket *ticket)
@@ -44,6 +56,19 @@ krb5_free_ticket(krb5_context context,
return 0;
}
+/**
+ * Copy ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param from ticket to copy
+ * @param to new copy of ticket, free with krb5_free_ticket()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_copy_ticket(krb5_context context,
const krb5_ticket *from,
@@ -80,6 +105,19 @@ krb5_copy_ticket(krb5_context context,
return 0;
}
+/**
+ * Return client principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param client client principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ticket_get_client(krb5_context context,
const krb5_ticket *ticket,
@@ -88,6 +126,19 @@ krb5_ticket_get_client(krb5_context context,
return krb5_copy_principal(context, ticket->client, client);
}
+/**
+ * Return server principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param server server principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_ticket_get_server(krb5_context context,
const krb5_ticket *ticket,
@@ -96,6 +147,17 @@ krb5_ticket_get_server(krb5_context context,
return krb5_copy_principal(context, ticket->server, server);
}
+/**
+ * Return end time of ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ *
+ * @return end time of ticket
+ *
+ * @ingroup krb5
+ */
+
time_t KRB5_LIB_FUNCTION
krb5_ticket_get_endtime(krb5_context context,
const krb5_ticket *ticket)
@@ -261,10 +323,17 @@ out:
return ret;
}
-/*
- * Extract the authorization data type of `type' from the
- * 'ticket'. Store the field in `data'. This function is to use for
- * kerberos applications.
+/**
+ * Extract the authorization data type of type from the ticket. Store
+ * the field in data. This function is to use for kerberos
+ * applications.
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket Kerberos ticket
+ * @param type type to fetch
+ * @param data returned data, free with krb5_data_free()
+ *
+ * @ingroup krb5
*/
krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/warn.c b/source4/heimdal/lib/krb5/warn.c
index b88b2004fb..05239186ec 100644
--- a/source4/heimdal/lib/krb5/warn.c
+++ b/source4/heimdal/lib/krb5/warn.c
@@ -269,7 +269,7 @@ krb5_vabort(krb5_context context, krb5_error_code code,
}
/**
- * Log a warning to the log, default stderr, include bthe error from
+ * Log a warning to the log, default stderr, include the error from
* the last failure and then abort.
*
* @param context A Kerberos 5 context