diff options
Diffstat (limited to 'source4')
312 files changed, 3559 insertions, 2505 deletions
diff --git a/source4/heimdal/base/baselocl.h b/source4/heimdal/base/baselocl.h index b3c81b9460..901e8606fd 100644 --- a/source4/heimdal/base/baselocl.h +++ b/source4/heimdal/base/baselocl.h @@ -35,6 +35,13 @@ #include "config.h" +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_SYS_SELECT_H +#include <sys/select.h> +#endif + #include <stdio.h> #include <stdlib.h> #include <string.h> diff --git a/source4/heimdal/base/dict.c b/source4/heimdal/base/dict.c index 7522c8c1c4..1f9d71a0f5 100644 --- a/source4/heimdal/base/dict.c +++ b/source4/heimdal/base/dict.c @@ -77,7 +77,7 @@ struct heim_type_data dict_object = { static size_t isprime(size_t p) { - int q, i; + size_t q, i; for(i = 2 ; i < p; i++) { q = p / i; @@ -120,7 +120,7 @@ heim_dict_create(size_t size) heim_release(dict); return NULL; } - + dict->tab = calloc(dict->size, sizeof(dict->tab[0])); if (dict->tab == NULL) { dict->size = 0; diff --git a/source4/heimdal/base/heimbase.c b/source4/heimdal/base/heimbase.c index 01668716a3..7031af9e49 100644 --- a/source4/heimdal/base/heimbase.c +++ b/source4/heimdal/base/heimbase.c @@ -369,7 +369,7 @@ void heim_abortv(const char *fmt, va_list ap) { static char str[1024]; - + vsnprintf(str, sizeof(str), fmt, ap); syslog(LOG_ERR, "heim_abort: %s", str); abort(); diff --git a/source4/heimdal/base/heimbase.h b/source4/heimdal/base/heimbase.h index d1ca5aa899..ad1b3f0c48 100644 --- a/source4/heimdal/base/heimbase.h +++ b/source4/heimdal/base/heimbase.h @@ -48,6 +48,22 @@ typedef heim_object_t heim_null_t; #define HEIM_BASE_ONCE_INIT 0 typedef long heim_base_once_t; /* XXX arch dependant */ +#if !defined(__has_extension) +#define __has_extension(x) 0 +#endif + +#define HEIM_REQUIRE_GNUC(m,n,p) \ + (((__GNUC__ * 10000) + (__GNUC_MINOR__ * 100) + __GNUC_PATCHLEVEL__) >= \ + (((m) * 10000) + ((n) * 100) + (p))) + + +#if __has_extension(__builtin_expect) || HEIM_REQUIRE_GNUC(3,0,0) +#define heim_builtin_expect(_op,_res) __builtin_expect(_op,_res) +#else +#define heim_builtin_expect(_op,_res) (_op) +#endif + + void * heim_retain(heim_object_t); void heim_release(heim_object_t); @@ -79,7 +95,7 @@ heim_abortv(const char *fmt, va_list ap) HEIMDAL_PRINTF_ATTRIBUTE((printf, 1, 0)); #define heim_assert(e,t) \ - (__builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0) + (heim_builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0) /* * diff --git a/source4/heimdal/cf/make-proto.pl b/source4/heimdal/cf/make-proto.pl index bc323b9433..6894dc143e 100644 --- a/source4/heimdal/cf/make-proto.pl +++ b/source4/heimdal/cf/make-proto.pl @@ -11,6 +11,7 @@ my $line = ""; my $debug = 0; my $oproto = 1; my $private_func_re = "^_"; +my %depfunction = (); Getopts('x:m:o:p:dqE:R:P:') || die "foo"; @@ -25,7 +26,7 @@ if($opt_q) { if($opt_R) { $private_func_re = $opt_R; } -%flags = ( +my %flags = ( 'multiline-proto' => 1, 'header' => 1, 'function-blocking' => 0, @@ -100,16 +101,21 @@ while(<>) { s/^\s*//; s/\s*$//; s/\s+/ /g; - if($_ =~ /\)$/ or $_ =~ /DEPRECATED$/){ + if($_ =~ /\)$/){ if(!/^static/ && !/^PRIVATE/){ $attr = ""; if(m/(.*)(__attribute__\s?\(.*\))/) { $attr .= " $2"; $_ = $1; } - if(m/(.*)\s(\w+DEPRECATED)/) { + if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) { + $depfunction{$2} = 1; + $attr .= " $2$3"; + $_ = "$1 $4"; + } + if(m/(.*)\s(\w+DEPRECATED)(.*)/) { $attr .= " $2"; - $_ = $1; + $_ = "$1 $3"; } # remove outer () s/\s*\(/</; @@ -302,17 +308,44 @@ if($flags{"gnuc-attribute"}) { "; } } + +my $depstr = ""; +my $undepstr = ""; +foreach (keys %depfunction) { + $depstr .= "#ifndef $_ +#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) +#define $_(X) __attribute__((__deprecated__)) +#else +#define $_(X) +#endif +#endif + + +"; + $public_h_trailer .= "#undef $_ + +"; + $private_h_trailer .= "#undef $_ +#define $_(X) + +"; +} + +$public_h_header .= $depstr; +$private_h_header .= $depstr; + + if($flags{"cxx"}) { $public_h_header .= "#ifdef __cplusplus extern \"C\" { #endif "; - $public_h_trailer .= "#ifdef __cplusplus + $public_h_trailer = "#ifdef __cplusplus } #endif -"; +" . $public_h_trailer; } if ($opt_E) { @@ -348,6 +381,9 @@ if ($opt_E) { "; } +$public_h_trailer .= $undepstr; +$private_h_trailer .= $undepstr; + if ($public_h ne "" && $flags{"header"}) { $public_h = $public_h_header . $public_h . $public_h_trailer . "#endif /* $block */\n"; diff --git a/source4/heimdal/include/heim_threads.h b/source4/heimdal/include/heim_threads.h index c4f841fb61..8ff677f330 100644 --- a/source4/heimdal/include/heim_threads.h +++ b/source4/heimdal/include/heim_threads.h @@ -67,13 +67,13 @@ #define HEIMDAL_RWLOCK rwlock_t #define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER -#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL) -#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l) -#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l) -#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l) -#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l) -#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l) -#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l) +#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL) +#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l) +#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l) +#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l) +#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l) +#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l) +#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l) #define HEIMDAL_thread_key thread_key_t #define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0) @@ -94,13 +94,13 @@ #define HEIMDAL_RWLOCK rwlock_t #define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER -#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL) -#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l) -#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l) -#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l) -#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l) -#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l) -#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l) +#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL) +#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l) +#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l) +#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l) +#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l) +#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l) +#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l) #define HEIMDAL_thread_key pthread_key_t #define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0) diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index 1441c3161e..fe977ded5a 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -51,14 +51,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->require_preauth = TRUE; c->kdc_warn_pwexpire = 0; c->encode_as_rep_as_tgs_rep = FALSE; + c->as_use_strongest_session_key = FALSE; + c->preauth_use_strongest_session_key = FALSE; + c->tgs_use_strongest_session_key = FALSE; + c->use_strongest_server_key = FALSE; c->check_ticket_addresses = TRUE; c->allow_null_ticket_addresses = TRUE; c->allow_anonymous = FALSE; c->trpolicy = TRPOLICY_ALWAYS_CHECK; - c->enable_v4 = FALSE; - c->enable_kaserver = FALSE; - c->enable_524 = FALSE; - c->enable_v4_cross_realm = FALSE; c->enable_pkinit = FALSE; c->pkinit_princ_in_cert = TRUE; c->pkinit_require_binding = TRUE; @@ -70,19 +70,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) krb5_config_get_bool_default(context, NULL, c->require_preauth, "kdc", "require-preauth", NULL); - c->enable_v4 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, - "kdc", "enable-kerberos4", NULL); - c->enable_v4_cross_realm = - krb5_config_get_bool_default(context, NULL, - c->enable_v4_cross_realm, - "kdc", - "enable-kerberos4-cross-realm", NULL); - c->enable_524 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, - "kdc", "enable-524", NULL); #ifdef DIGEST c->enable_digest = krb5_config_get_bool_default(context, NULL, @@ -133,6 +120,27 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } #endif + c->as_use_strongest_session_key = + krb5_config_get_bool_default(context, NULL, + c->as_use_strongest_session_key, + "kdc", + "as-use-strongest-session-key", NULL); + c->preauth_use_strongest_session_key = + krb5_config_get_bool_default(context, NULL, + c->preauth_use_strongest_session_key, + "kdc", + "preauth-use-strongest-session-key", NULL); + c->tgs_use_strongest_session_key = + krb5_config_get_bool_default(context, NULL, + c->tgs_use_strongest_session_key, + "kdc", + "tgs-use-strongest-session-key", NULL); + c->use_strongest_server_key = + krb5_config_get_bool_default(context, NULL, + c->use_strongest_server_key, + "kdc", + "use-strongest-server-key", NULL); + c->check_ticket_addresses = krb5_config_get_bool_default(context, NULL, c->check_ticket_addresses, @@ -180,28 +188,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } } - { - const char *p; - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); - if(p != NULL) { - c->v4_realm = strdup(p); - if (c->v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - } else { - c->v4_realm = NULL; - } - } - - c->enable_kaserver = - krb5_config_get_bool_default(context, - NULL, - c->enable_kaserver, - "kdc", "enable-kaserver", NULL); - - c->encode_as_rep_as_tgs_rep = krb5_config_get_bool_default(context, NULL, c->encode_as_rep_as_tgs_rep, @@ -223,7 +209,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) NULL); - c->pkinit_kdc_identity = + c->pkinit_kdc_identity = krb5_config_get_string(context, NULL, "kdc", "pkinit_identity", NULL); c->pkinit_kdc_anchors = @@ -235,7 +221,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->pkinit_kdc_revoke = krb5_config_get_strings(context, NULL, "kdc", "pkinit_revoke", NULL); - c->pkinit_kdc_ocsp_file = + c->pkinit_kdc_ocsp_file = krb5_config_get_string(context, NULL, "kdc", "pkinit_kdc_ocsp", NULL); c->pkinit_kdc_friendly_name = @@ -272,7 +258,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) if (config->pkinit_kdc_identity == NULL) { if (config->pkinit_kdc_friendly_name == NULL) - config->pkinit_kdc_friendly_name = + config->pkinit_kdc_friendly_name = strdup("O=System Identity,CN=com.apple.kerberos.kdc"); config->pkinit_kdc_identity = strdup("KEYCHAIN:"); } @@ -284,7 +270,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) if (config->enable_pkinit) { if (config->pkinit_kdc_identity == NULL) krb5_errx(context, 1, "pkinit enabled but no identity"); - + if (config->pkinit_kdc_anchors == NULL) krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); @@ -298,4 +284,4 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) return 0; #endif /* PKINIT */ -} +} diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c index 70b45c2af6..5f0d27441a 100644 --- a/source4/heimdal/kdc/digest.c +++ b/source4/heimdal/kdc/digest.c @@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context, /* check the server principal in the ticket matches digest/R@R */ { krb5_principal principal = NULL; - const char *p, *r; + const char *p, *rr; ret = krb5_ticket_get_server(context, ticket, &principal); if (ret) @@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context, krb5_free_principal(context, principal); goto out; } - r = krb5_principal_get_realm(context, principal); - if (r == NULL) { + rr = krb5_principal_get_realm(context, principal); + if (rr == NULL) { krb5_free_principal(context, principal); goto out; } - if (strcmp(p, r) != 0) { + if (strcmp(p, rr) != 0) { krb5_free_principal(context, principal); goto out; } @@ -356,7 +356,7 @@ _kdc_do_digest(krb5_context context, crypto = NULL; if (ret) goto out; - + ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL); krb5_data_free(&buf); if (ret) { @@ -419,7 +419,7 @@ _kdc_do_digest(krb5_context context, free(r.u.initReply.nonce); r.u.initReply.nonce = s; } - + ret = krb5_store_stringz(sp, r.u.initReply.nonce); if (ret) { krb5_clear_error_message(context); @@ -475,7 +475,7 @@ _kdc_do_digest(krb5_context context, krb5_data_free(&buf); if (ret) goto out; - + ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret); free_Checksum(&res); if (ret) { @@ -547,7 +547,7 @@ _kdc_do_digest(krb5_context context, "Failed to decode digest Checksum"); goto out; } - + ret = krb5_storage_to_data(sp, &buf); if (ret) { krb5_clear_error_message(context); @@ -561,14 +561,14 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + /* * CHAP does the checksum of the raw nonce, but do it for all * types, since we need to check the timestamp. */ { ssize_t ssize; - + ssize = hex_decode(ireq.u.digestRequest.serverNonce, serverNonce.data, serverNonce.length); if (ssize <= 0) { @@ -597,7 +597,7 @@ _kdc_do_digest(krb5_context context, { unsigned char *p = serverNonce.data; uint32_t t; - + if (serverNonce.length < 4) { ret = EINVAL; krb5_set_error_message(context, ret, "server nonce too short"); @@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context, EVP_MD_CTX *ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; - char id; + char idx; if ((config->digests_allowed & CHAP_MD5) == 0) { kdc_log(context, config, 0, "Digest CHAP MD5 not allowed"); @@ -629,13 +629,13 @@ _kdc_do_digest(krb5_context context, "from CHAP request"); goto out; } - - if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) { + + if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) { ret = EINVAL; krb5_set_error_message(context, ret, "failed to decode identifier"); goto out; } - + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); @@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context, ctx = EVP_MD_CTX_create(); EVP_DigestInit_ex(ctx, EVP_md5(), NULL); - EVP_DigestUpdate(ctx, &id, 1); + EVP_DigestUpdate(ctx, &idx, 1); EVP_DigestUpdate(ctx, password, strlen(password)); EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); EVP_DigestFinal_ex(ctx, md, NULL); @@ -691,7 +691,7 @@ _kdc_do_digest(krb5_context context, goto out; if (ireq.u.digestRequest.realm == NULL) goto out; - + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); @@ -709,7 +709,7 @@ _kdc_do_digest(krb5_context context, EVP_DigestUpdate(ctx, ":", 1); EVP_DigestUpdate(ctx, password, strlen(password)); EVP_DigestFinal_ex(ctx, md, NULL); - + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); EVP_DigestUpdate(ctx, md, sizeof(md)); EVP_DigestUpdate(ctx, ":", 1); @@ -731,19 +731,19 @@ _kdc_do_digest(krb5_context context, EVP_MD_CTX_destroy(ctx); goto failed; } - + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); EVP_DigestUpdate(ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri, strlen(*ireq.u.digestRequest.uri)); - + /* conf|int */ if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) { static char conf_zeros[] = ":00000000000000000000000000000000"; EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1); } - + EVP_DigestFinal_ex(ctx, md, NULL); hex_encode(md, sizeof(md), &A2); @@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context, const char *username; struct ntlm_buf answer; Key *key = NULL; - EVP_MD_CTX *ctx; + EVP_MD_CTX *ctp; if ((config->digests_allowed & MS_CHAP_V2) == 0) { kdc_log(context, config, 0, "MS-CHAP-V2 not allowed"); @@ -816,7 +816,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "MS-CHAP-V2 clientNonce missing"); goto failed; - } + } if (serverNonce.length != 16) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -831,21 +831,21 @@ _kdc_do_digest(krb5_context context, else username++; - ctx = EVP_MD_CTX_create(); + ctp = EVP_MD_CTX_create(); /* ChallangeHash */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestInit_ex(ctp, EVP_sha1(), NULL); { ssize_t ssize; krb5_data clientNonce; - + clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce); clientNonce.data = malloc(clientNonce.length); if (clientNonce.data == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); goto out; } @@ -855,24 +855,24 @@ _kdc_do_digest(krb5_context context, ret = ENOMEM; krb5_set_error_message(context, ret, "Failed to decode clientNonce"); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); goto out; } - EVP_DigestUpdate(ctx, clientNonce.data, ssize); + EVP_DigestUpdate(ctp, clientNonce.data, ssize); free(clientNonce.data); } - EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); - EVP_DigestUpdate(ctx, username, strlen(username)); + EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length); + EVP_DigestUpdate(ctp, username, strlen(username)); - EVP_DigestFinal_ex(ctx, challange, NULL); + EVP_DigestFinal_ex(ctp, challange, NULL); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); /* NtPasswordHash */ ret = krb5_parse_name(context, username, &clientprincipal); if (ret) goto failed; - + ret = _kdc_db_fetch(context, config, clientprincipal, HDB_F_GET_CLIENT, NULL, NULL, &user); krb5_free_principal(context, clientprincipal); @@ -900,7 +900,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + hex_encode(answer.data, answer.length, &mdx); if (mdx == NULL) { free(answer.data); @@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context, if (r.u.response.success) { unsigned char hashhash[MD4_DIGEST_LENGTH]; - EVP_MD_CTX *ctx; + EVP_MD_CTX *ctxp; - ctx = EVP_MD_CTX_create(); + ctxp = EVP_MD_CTX_create(); /* hashhash */ { - EVP_DigestInit_ex(ctx, EVP_md4(), NULL); - EVP_DigestUpdate(ctx, + EVP_DigestInit_ex(ctxp, EVP_md4(), NULL); + EVP_DigestUpdate(ctxp, key->key.keyvalue.data, key->key.keyvalue.length); - EVP_DigestFinal_ex(ctx, hashhash, NULL); + EVP_DigestFinal_ex(ctxp, hashhash, NULL); } /* GenerateAuthenticatorResponse */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash)); - EVP_DigestUpdate(ctx, answer.data, answer.length); - EVP_DigestUpdate(ctx, ms_chap_v2_magic1, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash)); + EVP_DigestUpdate(ctxp, answer.data, answer.length); + EVP_DigestUpdate(ctxp, ms_chap_v2_magic1, sizeof(ms_chap_v2_magic1)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, md, sizeof(md)); - EVP_DigestUpdate(ctx, challange, 8); - EVP_DigestUpdate(ctx, ms_chap_v2_magic2, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, md, sizeof(md)); + EVP_DigestUpdate(ctxp, challange, 8); + EVP_DigestUpdate(ctxp, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); ret = ENOMEM; goto out; } @@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context, if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); ret = ENOMEM; goto out; } /* get_master, rfc 3079 3.4 */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, hashhash, 16); - EVP_DigestUpdate(ctx, answer.data, answer.length); - EVP_DigestUpdate(ctx, ms_rfc3079_magic1, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, hashhash, 16); + EVP_DigestUpdate(ctxp, answer.data, answer.length); + EVP_DigestUpdate(ctxp, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); free(answer.data); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); @@ -1101,7 +1101,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8); if (ret != 8) { ret = ENOMEM; @@ -1143,7 +1143,7 @@ _kdc_do_digest(krb5_context context, uint32_t flags; Key *key = NULL; int version; - + r.element = choice_DigestRepInner_ntlmResponse; r.u.ntlmResponse.success = 0; r.u.ntlmResponse.flags = 0; @@ -1187,7 +1187,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + ret = krb5_storage_read(sp, challange, sizeof(challange)); if (ret != sizeof(challange)) { ret = ENOMEM; @@ -1266,7 +1266,7 @@ _kdc_do_digest(krb5_context context, if (flags & NTLM_NEG_NTLM2_SESSION) { unsigned char sessionhash[MD5_DIGEST_LENGTH]; EVP_MD_CTX *ctx; - + if ((config->digests_allowed & NTLM_V1_SESSION) == 0) { kdc_log(context, config, 0, "NTLM v1-session not allowed"); ret = EINVAL; @@ -1279,7 +1279,7 @@ _kdc_do_digest(krb5_context context, "for NTLM session key"); goto failed; } - + ctx = EVP_MD_CTX_create(); EVP_DigestInit_ex(ctx, EVP_md5(), NULL); @@ -1297,7 +1297,7 @@ _kdc_do_digest(krb5_context context, goto failed; } } - + ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data, key->key.keyvalue.length, challange, &answer); @@ -1305,7 +1305,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + if (ireq.u.ntlmRequest.ntlm.length != answer.length || memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0) { @@ -1335,7 +1335,7 @@ _kdc_do_digest(krb5_context context, unsigned char masterkey[MD4_DIGEST_LENGTH]; EVP_CIPHER_CTX rc4; size_t len; - + if ((flags & NTLM_NEG_KEYEX) == 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1343,7 +1343,7 @@ _kdc_do_digest(krb5_context context, "exchange but still sent key"); goto failed; } - + len = ireq.u.ntlmRequest.sessionkey->length; if (len != sizeof(masterkey)){ ret = EINVAL; @@ -1352,7 +1352,7 @@ _kdc_do_digest(krb5_context context, (unsigned long)len); goto failed; } - + EVP_CIPHER_CTX_init(&rc4); EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1); @@ -1360,7 +1360,7 @@ _kdc_do_digest(krb5_context context, masterkey, ireq.u.ntlmRequest.sessionkey->data, sizeof(masterkey)); EVP_CIPHER_CTX_cleanup(&rc4); - + r.u.ntlmResponse.sessionkey = malloc(sizeof(*r.u.ntlmResponse.sessionkey)); if (r.u.ntlmResponse.sessionkey == NULL) { @@ -1368,7 +1368,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + ret = krb5_data_copy(r.u.ntlmResponse.sessionkey, masterkey, sizeof(masterkey)); if (ret) { @@ -1415,7 +1415,7 @@ _kdc_do_digest(krb5_context context, krb5_clear_error_message(context); goto out; } - + kdc_log(context, config, 0, "Digest failed with: %s", s); r.element = choice_DigestRepInner_error; diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index 139b5e7087..9d52fd4c2e 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h @@ -58,21 +58,17 @@ typedef struct krb5_kdc_configuration { int num_db; krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ - + + krb5_boolean as_use_strongest_session_key; + krb5_boolean preauth_use_strongest_session_key; + krb5_boolean tgs_use_strongest_session_key; + krb5_boolean use_strongest_server_key; + krb5_boolean check_ticket_addresses; krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_anonymous; enum krb5_kdc_trpolicy trpolicy; - char *v4_realm; - krb5_boolean enable_v4; - krb5_boolean enable_v4_cross_realm; - krb5_boolean enable_v4_per_principal; - - krb5_boolean enable_kaserver; - - krb5_boolean enable_524; - krb5_boolean enable_pkinit; krb5_boolean pkinit_princ_in_cert; const char *pkinit_kdc_identity; diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index a437b9dbd9..4bc1619170 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type) if (req->padata == NULL) return NULL; - while(*start < req->padata->len){ + while((size_t)*start < req->padata->len){ (*start)++; - if(req->padata->val[*start - 1].padata_type == type) + if(req->padata->val[*start - 1].padata_type == (unsigned)type) return &req->padata->val[*start - 1]; } return NULL; @@ -123,36 +123,103 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key) */ krb5_error_code -_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, +_kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, + krb5_boolean is_preauth, hdb_entry_ex *princ, krb5_enctype *etypes, unsigned len, - Key **ret_key) + krb5_enctype *ret_enctype, Key **ret_key) { - int i; - krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; + krb5_error_code ret; krb5_salt def_salt; + krb5_enctype enctype = ETYPE_NULL; + Key *key; + int i; - krb5_get_pw_salt (context, princ->entry.principal, &def_salt); + /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */ + ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt); + if (ret) + return ret; - for(i = 0; ret != 0 && i < len ; i++) { - Key *key = NULL; + ret = KRB5KDC_ERR_ETYPE_NOSUPP; - if (krb5_enctype_valid(context, etypes[i]) != 0 && - !_kdc_is_weak_exception(princ->entry.principal, etypes[i])) - continue; + if (use_strongest_session_key) { + const krb5_enctype *p; + krb5_enctype clientbest = ETYPE_NULL; + int j; - while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) { - if (key->key.keyvalue.length == 0) { - ret = KRB5KDC_ERR_NULL_KEY; + /* + * Pick the strongest key that the KDC, target service, and + * client all support, using the local cryptosystem enctype + * list in strongest-to-weakest order to drive the search. + * + * This is not what RFC4120 says to do, but it encourages + * adoption of stronger enctypes. This doesn't play well with + * clients that have multiple Kerberos client implementations + * available with different supported enctype lists. + */ + + /* drive the search with local supported enctypes list */ + p = krb5_kerberos_enctypes(context); + for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) { + if (krb5_enctype_valid(context, p[i]) != 0) continue; + + /* check that the client supports it too */ + for (j = 0; j < len && enctype == ETYPE_NULL; j++) { + if (p[i] != etypes[j]) + continue; + /* save best of union of { client, crypto system } */ + if (clientbest == ETYPE_NULL) + clientbest = p[i]; + /* check target princ support */ + ret = hdb_enctype2key(context, &princ->entry, p[i], &key); + if (ret) + continue; + if (is_preauth && !is_default_salt_p(&def_salt, key)) + continue; + enctype = p[i]; } - *ret_key = key; - ret = 0; - if (is_default_salt_p(&def_salt, key)) { - krb5_free_salt (context, def_salt); - return ret; + } + if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL) + enctype = clientbest; + else if (enctype == ETYPE_NULL) + ret = KRB5KDC_ERR_ETYPE_NOSUPP; + if (ret == 0 && ret_enctype != NULL) + *ret_enctype = enctype; + if (ret == 0 && ret_key != NULL) + *ret_key = key; + } else { + /* + * Pick the first key from the client's enctype list that is + * supported by the cryptosystem and by the given principal. + * + * RFC4120 says we SHOULD pick the first _strong_ key from the + * client's list... not the first key... If the admin disallows + * weak enctypes in krb5.conf and selects this key selection + * algorithm, then we get exactly what RFC4120 says. + */ + for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) { + + if (krb5_enctype_valid(context, etypes[i]) != 0 && + !_kdc_is_weak_exception(princ->entry.principal, etypes[i])) + continue; + + while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) { + if (key->key.keyvalue.length == 0) { + ret = KRB5KDC_ERR_NULL_KEY; + continue; + } + if (ret_key != NULL) + *ret_key = key; + if (ret_enctype != NULL) + *ret_enctype = etypes[i]; + ret = 0; + if (is_preauth && is_default_salt_p(&def_salt, key)) + goto out; } } } + +out: krb5_free_salt (context, def_salt); return ret; } @@ -211,8 +278,8 @@ log_patypes(krb5_context context, { struct rk_strpool *p = NULL; char *str; - int i; - + size_t i; + for (i = 0; i < padata->len; i++) { switch(padata->val[i].padata_type) { case KRB5_PADATA_PK_AS_REQ: @@ -240,7 +307,7 @@ log_patypes(krb5_context context, } if (p == NULL) p = rk_strpoolprintf(p, "none"); - + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client sent patypes: %s", str); free(str); @@ -264,7 +331,7 @@ _kdc_encode_reply(krb5_context context, { unsigned char *buf; size_t buf_size; - size_t len; + size_t len = 0; krb5_error_code ret; krb5_crypto crypto; @@ -614,7 +681,7 @@ log_as_req(krb5_context context, krb5_error_code ret; struct rk_strpool *p; char *str; - int i; + size_t i; p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: "); @@ -694,13 +761,13 @@ kdc_check_flags(krb5_context context, "Client (%s) has invalid bit set", client_name); return KRB5KDC_ERR_POLICY; } - + if(!client->flags.client){ kdc_log(context, config, 0, "Principal may not act as client -- %s", client_name); return KRB5KDC_ERR_POLICY; } - + if (client->valid_start && *client->valid_start > kdc_time) { char starttime_str[100]; krb5_format_time(context, *client->valid_start, @@ -710,7 +777,7 @@ kdc_check_flags(krb5_context context, starttime_str, client_name); return KRB5KDC_ERR_CLIENT_NOTYET; } - + if (client->valid_end && *client->valid_end < kdc_time) { char endtime_str[100]; krb5_format_time(context, *client->valid_end, @@ -720,7 +787,7 @@ kdc_check_flags(krb5_context context, endtime_str, client_name); return KRB5KDC_ERR_NAME_EXP; } - + if (client->pw_end && *client->pw_end < kdc_time && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100]; @@ -809,7 +876,7 @@ _kdc_check_addresses(krb5_context context, krb5_address addr; krb5_boolean result; krb5_boolean only_netbios = TRUE; - int i; + size_t i; if(config->check_ticket_addresses == 0) return TRUE; @@ -976,7 +1043,7 @@ _kdc_as_rep(krb5_context context, goto out; } } else if (b->kdc_options.request_anonymous) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Request for a anonymous ticket with non " "anonymous client name: %s", client_name); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -1018,59 +1085,31 @@ _kdc_as_rep(krb5_context context, memset(&ek, 0, sizeof(ek)); /* - * Select a session enctype from the list of the crypto systems - * supported enctype, is supported by the client and is one of the - * enctype of the enctype of the krbtgt. + * Select a session enctype from the list of the crypto system + * supported enctypes that is supported by the client and is one of + * the enctype of the enctype of the service (likely krbtgt). * - * The later is used as a hint what enctype all KDC are supporting - * to make sure a newer version of KDC wont generate a session - * enctype that and older version of a KDC in the same realm can't + * The latter is used as a hint of what enctypes all KDC support, + * to make sure a newer version of KDC won't generate a session + * enctype that an older version of a KDC in the same realm can't * decrypt. - * - * But if the KDC admin is paranoid and doesn't want to have "no + */ + ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE, + client, b->etype.val, b->etype.len, &sessionetype, + NULL); + if (ret) { + kdc_log(context, config, 0, + "Client (%s) from %s has no common enctypes with KDC " + "to use for the session key", + client_name, from); + goto out; + } + /* + * But if the KDC admin is paranoid and doesn't want to have "not * the best" enctypes on the krbtgt, lets save the best pick from * the client list and hope that that will work for any other * KDCs. */ - { - const krb5_enctype *p; - krb5_enctype clientbest = ETYPE_NULL; - int i, j; - - p = krb5_kerberos_enctypes(context); - - sessionetype = ETYPE_NULL; - - for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) { - if (krb5_enctype_valid(context, p[i]) != 0) - continue; - - for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) { - Key *dummy; - /* check with client */ - if (p[i] != b->etype.val[j]) - continue; - /* save best of union of { client, crypto system } */ - if (clientbest == ETYPE_NULL) - clientbest = p[i]; - /* check with krbtgt */ - ret = hdb_enctype2key(context, &server->entry, p[i], &dummy); - if (ret) - continue; - sessionetype = p[i]; - } - } - /* if krbtgt had no shared keys with client, pick clients best */ - if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) { - sessionetype = clientbest; - } else if (sessionetype == ETYPE_NULL) { - kdc_log(context, config, 0, - "Client (%s) from %s has no common enctypes with KDC" - "to use for the session key", - client_name, from); - goto out; - } - } /* * Pre-auth processing @@ -1111,7 +1150,7 @@ _kdc_as_rep(krb5_context context, ret = _kdc_pk_check_client(context, config, - clientdb, + clientdb, client, pkp, &client_cert); @@ -1119,7 +1158,7 @@ _kdc_as_rep(krb5_context context, e_text = "PKINIT certificate not allowed to " "impersonate principal"; _kdc_pk_free_client_param(context, pkp); - + kdc_log(context, config, 0, "%s", e_text); pkp = NULL; goto out; @@ -1148,9 +1187,9 @@ _kdc_as_rep(krb5_context context, EncryptedData enc_data; Key *pa_key; char *str; - + found_pa = 1; - + if (b->kdc_options.request_anonymous) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; kdc_log(context, config, 0, "ENC-TS doesn't support anon"); @@ -1167,7 +1206,7 @@ _kdc_as_rep(krb5_context context, client_name); goto out; } - + ret = hdb_enctype2key(context, &client->entry, enc_data.etype, &pa_key); if(ret){ @@ -1256,7 +1295,7 @@ _kdc_as_rep(krb5_context context, free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - p.patimestamp) > context->max_skew) { char client_time[100]; - + krb5_format_time(context, p.patimestamp, client_time, sizeof(client_time), TRUE); @@ -1353,8 +1392,9 @@ _kdc_as_rep(krb5_context context, /* * If there is a client key, send ETYPE_INFO{,2} */ - ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len, - &ckey); + ret = _kdc_find_etype(context, + config->preauth_use_strongest_session_key, TRUE, + client, b->etype.val, b->etype.len, NULL, &ckey); if (ret == 0) { /* @@ -1384,7 +1424,7 @@ _kdc_as_rep(krb5_context context, goto out; } } - + ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); free_METHOD_DATA(&method_data); @@ -1401,7 +1441,7 @@ _kdc_as_rep(krb5_context context, } if (clientdb->hdb_auth_status) - (clientdb->hdb_auth_status)(context, clientdb, client, + (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_SUCCESS); /* @@ -1503,7 +1543,7 @@ _kdc_as_rep(krb5_context context, { time_t start; time_t t; - + start = et.authtime = kdc_time; if(f.postdated && req->req_body.from){ @@ -1663,8 +1703,8 @@ _kdc_as_rep(krb5_context context, PA_ClientCanonicalized canon; krb5_data data; PA_DATA pa; - krb5_crypto crypto; - size_t len; + krb5_crypto cryptox; + size_t len = 0; memset(&canon, 0, sizeof(canon)); @@ -1679,21 +1719,21 @@ _kdc_as_rep(krb5_context context, krb5_abortx(context, "internal asn.1 error"); /* sign using "returned session key" */ - ret = krb5_crypto_init(context, &et.key, 0, &crypto); + ret = krb5_crypto_init(context, &et.key, 0, &cryptox); if (ret) { free(data.data); goto out; } - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, cryptox, KRB5_KU_CANONICALIZED_NAMES, 0, data.data, data.length, &canon.canon_checksum); free(data.data); - krb5_crypto_destroy(context, crypto); + krb5_crypto_destroy(context, cryptox); if (ret) goto out; - + ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length, &canon, &len, ret); free_Checksum(&canon.canon_checksum); @@ -1826,7 +1866,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, const krb5_data *data) { krb5_error_code ret; - size_t size; + size_t size = 0; if (tkt->authorization_data == NULL) { tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data)); @@ -1835,7 +1875,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, return ENOMEM; } } - + /* add the entry to the last element */ { AuthorizationData ad = { 0, NULL }; @@ -1863,7 +1903,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, } if (ade.ad_data.length != size) krb5_abortx(context, "internal asn.1 encoder error"); - + ret = add_AuthorizationData(tkt->authorization_data, &ade); der_free_octet_string(&ade.ad_data); if (ret) { diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 55d5d09ede..92cce5759f 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -64,7 +64,7 @@ find_KRB5SignedPath(krb5_context context, AuthorizationData child; krb5_error_code ret; int pos; - + if (ad == NULL || ad->len == 0) return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; @@ -113,7 +113,7 @@ _kdc_add_KRB5SignedPath(krb5_context context, KRB5SignedPath sp; krb5_data data; krb5_crypto crypto = NULL; - size_t size; + size_t size = 0; if (server && principals) { ret = add_Principals(principals, server); @@ -123,12 +123,12 @@ _kdc_add_KRB5SignedPath(krb5_context context, { KRB5SignedPathData spd; - + spd.client = client; spd.authtime = tkt->authtime; spd.delegated = principals; spd.method_data = NULL; - + ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, &spd, &size, ret); if (ret) @@ -203,7 +203,7 @@ check_KRB5SignedPath(krb5_context context, if (ret == 0) { KRB5SignedPathData spd; KRB5SignedPath sp; - size_t size; + size_t size = 0; ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL); krb5_data_free(&data); @@ -357,7 +357,7 @@ check_PAC(krb5_context context, server_sign_key, krbtgt_sign_key, rspac); } krb5_pac_free(context, pac); - + return ret; } } @@ -376,7 +376,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) { KDCOptions f = b->kdc_options; - + if(f.validate){ if(!tgt->flags.invalid || tgt->starttime == NULL){ kdc_log(context, config, 0, @@ -415,7 +415,7 @@ check_tgs_flags(krb5_context context, } if(tgt->flags.forwarded) et->flags.forwarded = 1; - + if(f.proxiable){ if(!tgt->flags.proxiable){ kdc_log(context, config, 0, @@ -485,7 +485,7 @@ check_tgs_flags(krb5_context context, et->endtime = *et->starttime + old_life; if (et->renew_till != NULL) et->endtime = min(*et->renew_till, et->endtime); - } + } #if 0 /* checks for excess flags */ @@ -512,7 +512,7 @@ check_constrained_delegation(krb5_context context, { const HDB_Ext_Constrained_delegation_acl *acl; krb5_error_code ret; - int i; + size_t i; /* * constrained_delegation (S4U2Proxy) only works within @@ -541,7 +541,7 @@ check_constrained_delegation(krb5_context context, krb5_clear_error_message(context); return ret; } - + if (acl) { for (i = 0; i < acl->len; i++) { if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE) @@ -623,7 +623,7 @@ fix_transited_encoding(krb5_context context, krb5_error_code ret = 0; char **realms, **tmp; unsigned int num_realms; - int i; + size_t i; switch (tr->tr_type) { case DOMAIN_X500_COMPRESS: @@ -843,7 +843,7 @@ tgs_make_reply(krb5_context context, renew = min(renew, *server->entry.max_renew); *et.renew_till = et.authtime + renew; } - + if(et.renew_till){ *et.renew_till = min(*et.renew_till, *tgt->renew_till); *et.starttime = min(*et.starttime, *et.renew_till); @@ -877,7 +877,7 @@ tgs_make_reply(krb5_context context, if (ret) goto out; } - + if (auth_data) { unsigned int i = 0; @@ -919,7 +919,7 @@ tgs_make_reply(krb5_context context, goto out; et.crealm = tgt_name->realm; et.cname = tgt_name->name; - + ek.key = et.key; /* MIT must have at least one last_req */ ek.last_req.len = 1; @@ -1021,7 +1021,7 @@ tgs_check_authenticator(krb5_context context, krb5_keyblock *key) { krb5_authenticator auth; - size_t len; + size_t len = 0; unsigned char *buf; size_t buf_size; krb5_error_code ret; @@ -1048,7 +1048,7 @@ tgs_check_authenticator(krb5_context context, ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; } - + /* XXX should not re-encode this */ ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); if(ret){ @@ -1107,7 +1107,7 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm) NULL); return new_realm; } - + static krb5_boolean need_referral(krb5_context context, krb5_kdc_configuration *config, @@ -1148,6 +1148,7 @@ tgs_parse_request(krb5_context context, krb5_keyblock **replykey, int *rk_is_subkey) { + static char failed[] = "<unparse_name failed>"; krb5_ap_req ap_req; krb5_error_code ret; krb5_principal princ; @@ -1191,7 +1192,7 @@ tgs_parse_request(krb5_context context, char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) - p = "<unparse_name failed>"; + p = failed; krb5_free_principal(context, princ); kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p); if (ret == 0) @@ -1203,7 +1204,7 @@ tgs_parse_request(krb5_context context, char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) - p = "<unparse_name failed>"; + p = failed; krb5_free_principal(context, princ); kdc_log(context, config, 0, "Ticket-granting ticket not found in database: %s", msg); @@ -1215,13 +1216,13 @@ tgs_parse_request(krb5_context context, } if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ + (unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ char *p; ret = krb5_unparse_name (context, princ, &p); krb5_free_principal(context, princ); if (ret != 0) - p = "<unparse_name failed>"; + p = failed; kdc_log(context, config, 0, "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, @@ -1266,7 +1267,7 @@ tgs_parse_request(krb5_context context, &ap_req_options, ticket, KRB5_KU_TGS_REQ_AUTH); - + krb5_free_principal(context, princ); if(ret) { const char *msg = krb5_get_error_message(context, ret); @@ -1396,12 +1397,12 @@ build_server_referral(krb5_context context, const PrincipalName *true_principal_name, const PrincipalName *requested_principal, krb5_data *outdata) -{ +{ PA_ServerReferralData ref; krb5_error_code ret; EncryptedData ed; krb5_data data; - size_t size; + size_t size = 0; memset(&ref, 0, sizeof(ref)); @@ -1521,7 +1522,7 @@ tgs_build_reply(krb5_context context, hdb_entry_ex *uu; krb5_principal p; Key *uukey; - + if(b->additional_tickets == NULL || b->additional_tickets->len == 0){ ret = KRB5KDC_ERR_BADOPTION; /* ? */ @@ -1567,7 +1568,7 @@ tgs_build_reply(krb5_context context, } _krb5_principalname2krb5_principal(context, &sp, *s, r); - ret = krb5_unparse_name(context, sp, &spn); + ret = krb5_unparse_name(context, sp, &spn); if (ret) goto out; _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm); @@ -1612,7 +1613,7 @@ server_lookup: free(spn); krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, new_rlm, NULL); - ret = krb5_unparse_name(context, sp, &spn); + ret = krb5_unparse_name(context, sp, &spn); if (ret) goto out; @@ -1662,7 +1663,7 @@ server_lookup: krb5_enctype etype; if(b->kdc_options.enc_tkt_in_skey) { - int i; + size_t i; ekey = &adtkt.key; for(i = 0; i < b->etype.len; i++) if (b->etype.val[i] == adtkt.key.keytype) @@ -1678,9 +1679,11 @@ server_lookup: kvno = 0; } else { Key *skey; - - ret = _kdc_find_etype(context, server, - b->etype.val, b->etype.len, &skey); + + ret = _kdc_find_etype(context, + config->tgs_use_strongest_session_key, FALSE, + server, b->etype.val, b->etype.len, NULL, + &skey); if(ret) { kdc_log(context, config, 0, "Server (%s) has no support for etypes", spn); @@ -1690,7 +1693,7 @@ server_lookup: etype = skey->key.keytype; kvno = server->entry.kvno; } - + ret = krb5_generate_random_keyblock(context, etype, &sessionkey); if (ret) goto out; @@ -1717,11 +1720,11 @@ server_lookup: /* Now refetch the primary krbtgt, and get the current kvno (the * sign check may have been on an old kvno, and the server may * have been an incoming trust) */ - ret = krb5_make_principal(context, &krbtgt_principal, + ret = krb5_make_principal(context, &krbtgt_principal, krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1), - KRB5_TGS_NAME, + KRB5_TGS_NAME, krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1), NULL); @@ -2052,7 +2055,7 @@ server_lookup: goto out; } - ret = check_constrained_delegation(context, config, clientdb, + ret = check_constrained_delegation(context, config, clientdb, client, server, sp); if (ret) { kdc_log(context, config, 0, @@ -2067,17 +2070,18 @@ server_lookup: } krb5_data_free(&rspac); + /* - * generate the PAC for the user and pass - * dp for the S4U_DELEGATION_INFO blob in the PAC. + * generate the PAC for the user. + * + * TODO: pass in t->sname and t->realm and build + * a S4U_DELEGATION_INFO blob to the PAC. */ ret = check_PAC(context, config, tp, dp, client, server, krbtgt, &clientkey->key, &tkey_check->key, ekey, &tkey_sign->key, &adtkt, &rspac, &ad_signedpath); - if (ret == 0 && !ad_signedpath) - ret = KRB5KDC_ERR_BADOPTION; if (ret) { const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, @@ -2094,12 +2098,10 @@ server_lookup: ret = check_KRB5SignedPath(context, config, krbtgt, - tp, + cp, &adtkt, NULL, &ad_signedpath); - if (ret == 0 && !ad_signedpath) - ret = KRB5KDC_ERR_BADOPTION; if (ret) { const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, @@ -2111,6 +2113,16 @@ server_lookup: goto out; } + if (!ad_signedpath) { + ret = KRB5KDC_ERR_BADOPTION; + kdc_log(context, config, 0, + "Ticket not signed with PAC nor SignedPath service %s failed " + "for delegation to %s for client %s (%s)" + "from %s", + spn, tpn, dpn, cpn, from); + goto out; + } + kdc_log(context, config, 0, "constrained delegation for %s " "from %s (%s) to %s", tpn, cpn, dpn, spn); } @@ -2141,7 +2153,7 @@ server_lookup: kdc_log(context, config, 0, "Request from wrong address"); goto out; } - + /* * If this is an referral, add server referral data to the * auth_data reply . @@ -2203,7 +2215,7 @@ server_lookup: &enc_pa_data, e_text, reply); - + out: if (tpn != cpn) free(tpn); @@ -2279,7 +2291,7 @@ _kdc_tgs_rep(krb5_context context, if(tgs_req == NULL){ ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - + kdc_log(context, config, 0, "TGS-REQ from %s without PA-TGS-REQ", from); goto out; diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c index f6f8f8a3bd..8d683d50a3 100644 --- a/source4/heimdal/kdc/kx509.c +++ b/source4/heimdal/kdc/kx509.c @@ -259,7 +259,7 @@ build_certificate(krb5_context context, hx509_cert_free(cert); if (ret) goto out; - + return 0; out: if (env) @@ -355,7 +355,7 @@ _kdc_do_kx509(krb5_context context, krb5_xfree(expected); goto out; } - + ret = KRB5KDC_ERR_SERVER_NOMATCH; krb5_set_error_message(context, ret, "User %s used wrong Kx509 service " diff --git a/source4/heimdal/kdc/log.c b/source4/heimdal/kdc/log.c index 6657aca5cb..6d85729f51 100644 --- a/source4/heimdal/kdc/log.c +++ b/source4/heimdal/kdc/log.c @@ -50,10 +50,12 @@ kdc_openlog(krb5_context context, krb5_addlog_dest(context, config->logf, *p); krb5_config_free_strings(s); }else { - char *s; - asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE); - krb5_addlog_dest(context, config->logf, s); - free(s); + char *ss; + if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context), + KDC_LOG_FILE) < 0) + err(1, NULL); + krb5_addlog_dest(context, config->logf, ss); + free(ss); } krb5_set_warn_dest(context, config->logf); } diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 297fa3824b..f9b34571a3 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -62,7 +62,7 @@ _kdc_db_fetch(krb5_context context, for(i = 0; i < config->num_db; i++) { krb5_principal enterprise_principal = NULL; - if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) + if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { if (principal->name.name_string.len != 1) { ret = KRB5_PARSE_MALFORMED; @@ -134,24 +134,41 @@ _kdc_get_preferred_key(krb5_context context, krb5_enctype *enctype, Key **key) { - const krb5_enctype *p; krb5_error_code ret; int i; - p = krb5_kerberos_enctypes(context); - - for (i = 0; p[i] != ETYPE_NULL; i++) { - if (krb5_enctype_valid(context, p[i]) != 0) - continue; - ret = hdb_enctype2key(context, &h->entry, p[i], key); - if (ret == 0) { - *enctype = p[i]; + if (config->use_strongest_server_key) { + const krb5_enctype *p = krb5_kerberos_enctypes(context); + + for (i = 0; p[i] != ETYPE_NULL; i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + ret = hdb_enctype2key(context, &h->entry, p[i], key); + if (ret != 0) + continue; + if (enctype != NULL) + *enctype = p[i]; + return 0; + } + } else { + *key = NULL; + + for (i = 0; i < h->entry.keys.len; i++) { + if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) + != 0) + continue; + ret = hdb_enctype2key(context, &h->entry, + h->entry.keys.val[i].key.keytype, key); + if (ret != 0) + continue; + if (enctype != NULL) + *enctype = (*key)->key.keytype; return 0; } } krb5_set_error_message(context, EINVAL, "No valid kerberos key found for %s", name); - return EINVAL; + return EINVAL; /* XXX */ } diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 9c0be23b14..a02cb816ab 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -116,7 +116,7 @@ pk_check_pkauthenticator(krb5_context context, u_char *buf = NULL; size_t buf_size; krb5_error_code ret; - size_t len; + size_t len = 0; krb5_timestamp now; Checksum checksum; @@ -148,7 +148,7 @@ pk_check_pkauthenticator(krb5_context context, krb5_clear_error_message(context); return ret; } - + if (a->paChecksum == NULL) { krb5_clear_error_message(context); ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; @@ -222,7 +222,7 @@ generate_dh_keyblock(krb5_context context, if (!DH_generate_key(client_params->u.dh.key)) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys"); goto out; } @@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context, } dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key); - if (dh_gen_keylen == -1) { + if (dh_gen_keylen == (size_t)-1) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key"); @@ -281,14 +281,14 @@ generate_dh_keyblock(krb5_context context, goto out; } - dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, + dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, EC_KEY_get0_public_key(client_params->u.ecdh.public_key), client_params->u.ecdh.key, NULL); #endif /* HAVE_OPENSSL */ } else { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Diffie-Hellman not selected keys"); goto out; } @@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - ret = hx509_certs_merge(context->hx509ctx, trust_anchors, + ret = hx509_certs_merge(context->hx509ctx, trust_anchors, kdc_identity->anchors); if (ret) { hx509_certs_free(&trust_anchors); @@ -538,7 +538,7 @@ _kdc_pk_rd_padata(krb5_context context, if (ret == 0 && pc != NULL) { hx509_cert cert; unsigned int i; - + for (i = 0; i < pc->len; i++) { ret = hx509_cert_init_data(context->hx509ctx, pc->val[i].cert.data, @@ -572,7 +572,7 @@ _kdc_pk_rd_padata(krb5_context context, if (req->req_body.kdc_options.request_anonymous) { ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Anon not supported in RSA mode"); goto out; } @@ -586,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context, "PK-AS-REQ-Win2k: %d", ret); goto out; } - + ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack, &contentInfoOid, &signed_content, @@ -612,7 +612,7 @@ _kdc_pk_rd_padata(krb5_context context, "Can't decode PK-AS-REQ: %d", ret); goto out; } - + /* XXX look at r.kdcPkId */ if (r.trustedCertifiers) { ExternalPrincipalIdentifiers *edi = r.trustedCertifiers; @@ -624,12 +624,12 @@ _kdc_pk_rd_padata(krb5_context context, &cp->client_anchors); if (ret) { krb5_set_error_message(context, ret, - "Can't allocate client anchors: %d", + "Can't allocate client anchors: %d", ret); goto out; } - /* + /* * If the client sent more then 10 EDI, don't bother * looking more then 10 of performance reasons. */ @@ -651,7 +651,7 @@ _kdc_pk_rd_padata(krb5_context context, "Failed to allocate hx509_query"); goto out; } - + ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data, edi->val[i].issuerAndSerialNumber->length, &iasn, @@ -704,7 +704,7 @@ _kdc_pk_rd_padata(krb5_context context, "PK-AS-REQ-Win2k invalid content type oid"); goto out; } - + if (!have_data) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, @@ -805,7 +805,7 @@ _kdc_pk_rd_padata(krb5_context context, ap.clientPublicValue == NULL) { free_AuthPack(&ap); ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Anon not supported in RSA mode"); goto out; } @@ -849,7 +849,7 @@ _kdc_pk_rd_padata(krb5_context context, free_AuthPack(&ap); goto out; } - + if (ap.supportedCMSTypes) { ret = hx509_peer_info_set_cms_algs(context->hx509ctx, cp->peer, @@ -885,7 +885,7 @@ out: der_free_oid(&contentInfoOid); if (ret) { _kdc_pk_free_client_param(context, cp); - } else + } else *ret_params = cp; return ret; } @@ -921,7 +921,7 @@ pk_mk_pa_reply_enckey(krb5_context context, const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL; krb5_error_code ret; krb5_data buf, signed_data; - size_t size; + size_t size = 0; int do_win2k = 0; krb5_data_zero(&buf); @@ -954,7 +954,7 @@ pk_mk_pa_reply_enckey(krb5_context context, break; default: krb5_abortx(context, "internal pkinit error"); - } + } if (do_win2k) { ReplyKeyPack_Win2k kp; @@ -966,7 +966,7 @@ pk_mk_pa_reply_enckey(krb5_context context, goto out; } kp.nonce = cp->nonce; - + ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, buf.data, buf.length, &kp, &size,ret); @@ -995,7 +995,7 @@ pk_mk_pa_reply_enckey(krb5_context context, krb5_clear_error_message(context); goto out; } - + ret = krb5_crypto_destroy(context, ascrypto); if (ret) { krb5_clear_error_message(context); @@ -1015,15 +1015,15 @@ pk_mk_pa_reply_enckey(krb5_context context, { hx509_query *q; hx509_cert cert; - + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, @@ -1031,7 +1031,7 @@ pk_mk_pa_reply_enckey(krb5_context context, hx509_query_free(context->hx509ctx, q); if (ret) goto out; - + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, sdAlg, @@ -1078,7 +1078,7 @@ out: hx509_cert_free(*kdc_cert); *kdc_cert = NULL; } - + krb5_data_free(&buf); krb5_data_free(&signed_data); return ret; @@ -1101,7 +1101,7 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_error_code ret; hx509_cert cert; hx509_query *q; - size_t size; + size_t size = 0; memset(&contentinfo, 0, sizeof(contentinfo)); memset(&dh_info, 0, sizeof(dh_info)); @@ -1117,7 +1117,7 @@ pk_mk_pa_reply_dh(krb5_context context, ret = BN_to_integer(context, kdc_dh->pub_key, &i); if (ret) return ret; - + ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret); der_free_heim_integer(&i); if (ret) { @@ -1127,7 +1127,7 @@ pk_mk_pa_reply_dh(krb5_context context, } if (buf.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - + dh_info.subjectPublicKey.length = buf.length * 8; dh_info.subjectPublicKey.data = buf.data; krb5_data_zero(&buf); @@ -1154,7 +1154,7 @@ pk_mk_pa_reply_dh(krb5_context context, } else krb5_abortx(context, "no keyex selected ?"); - + dh_info.nonce = cp->nonce; ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, @@ -1175,11 +1175,11 @@ pk_mk_pa_reply_dh(krb5_context context, ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, @@ -1187,7 +1187,7 @@ pk_mk_pa_reply_dh(krb5_context context, hx509_query_free(context->hx509ctx, q); if (ret) goto out; - + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, &asn1_oid_id_pkdhkeydata, @@ -1242,12 +1242,12 @@ _kdc_pk_mk_pa_reply(krb5_context context, METHOD_DATA *md) { krb5_error_code ret; - void *buf; - size_t len, size; + void *buf = NULL; + size_t len = 0, size = 0; krb5_enctype enctype; int pa_type; hx509_cert kdc_cert = NULL; - int i; + size_t i; if (!config->enable_pkinit) { krb5_clear_error_message(context); @@ -1263,7 +1263,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_set_error_message(context, ret, "No valid enctype available from client"); goto out; - } + } enctype = req->req_body.etype.val[i]; } else enctype = ETYPE_DES3_CBC_SHA1; @@ -1314,7 +1314,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (rep.u.encKeyPack.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1368,7 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_abortx(context, "Internal ASN.1 encoder error"); /* XXX KRB-FX-CF2 */ - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1463,7 +1463,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (len != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free(buf); @@ -1507,7 +1507,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } - + ret = krb5_data_alloc(&ocsp.data, sb.st_size); if (ret) { close(fd); @@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context, krb5_const_principal match) { hx509_octet_string_list list; - int ret, i, found = 0; + int ret, found = 0; + size_t i; memset(&list, 0 , sizeof(list)); @@ -1679,12 +1680,12 @@ match_ms_upn_san(krb5_context context, if (clientdb->hdb_check_pkinit_ms_upn_match) { ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal); } else { - + /* * This is very wrong, but will do for a fallback */ strupr(principal->realm); - + if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE) ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; } @@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context, const HDB_Ext_PKINIT_cert *pc; krb5_error_code ret; hx509_name name; - int i; + size_t i; if (cp->cert == NULL) { @@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context, ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); if (ret == 0 && pc) { hx509_cert cert; - unsigned int i; - - for (i = 0; i < pc->len; i++) { + size_t j; + + for (j = 0; j < pc->len; j++) { ret = hx509_cert_init_data(context->hx509ctx, - pc->val[i].cert.data, - pc->val[i].cert.length, + pc->val[j].cert.data, + pc->val[j].cert.length, &cert); if (ret) continue; @@ -1770,7 +1771,7 @@ _kdc_pk_check_client(krb5_context context, ret = match_ms_upn_san(context, config, context->hx509ctx, cp->cert, - clientdb, + clientdb, client); if (ret == 0) { kdc_log(context, config, 5, @@ -1871,7 +1872,7 @@ _kdc_add_inital_verified_cas(krb5_context context, AD_INITIAL_VERIFIED_CAS cas; krb5_error_code ret; krb5_data data; - size_t size; + size_t size = 0; memset(&cas, 0, sizeof(cas)); @@ -1937,7 +1938,7 @@ load_mappings(krb5_context context, const char *fn) fclose(f); } - + /* * */ @@ -1982,17 +1983,17 @@ krb5_kdc_pk_initialize(krb5_context context, { hx509_query *q; hx509_cert cert; - + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { krb5_warnx(context, "PKINIT: out of memory"); return ENOMEM; } - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index 4226600331..6f36915800 100644 --- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c @@ -47,7 +47,7 @@ krb5_kdc_update_time(struct timeval *tv) _kdc_now = *tv; } -static krb5_error_code +static krb5_error_code kdc_as_req(krb5_context context, krb5_kdc_configuration *config, krb5_data *req_buffer, @@ -74,7 +74,7 @@ kdc_as_req(krb5_context context, } -static krb5_error_code +static krb5_error_code kdc_tgs_req(krb5_context context, krb5_kdc_configuration *config, krb5_data *req_buffer, @@ -91,10 +91,10 @@ kdc_tgs_req(krb5_context context, ret = decode_TGS_REQ(req_buffer->data, req_buffer->length, &req, &len); if (ret) return ret; - + *claim = 1; - ret = _kdc_tgs_rep(context, config, &req, reply, + ret = _kdc_tgs_rep(context, config, &req, reply, from, addr, datagram_reply); free_TGS_REQ(&req); return ret; @@ -102,7 +102,7 @@ kdc_tgs_req(krb5_context context, #ifdef DIGEST -static krb5_error_code +static krb5_error_code kdc_digest(krb5_context context, krb5_kdc_configuration *config, krb5_data *req_buffer, @@ -132,7 +132,7 @@ kdc_digest(krb5_context context, #ifdef KX509 -static krb5_error_code +static krb5_error_code kdc_kx509(krb5_context context, krb5_kdc_configuration *config, krb5_data *req_buffer, @@ -193,7 +193,7 @@ krb5_kdc_process_request(krb5_context context, unsigned int i; krb5_data req_buffer; int claim = 0; - + req_buffer.data = buf; req_buffer.length = len; @@ -232,7 +232,7 @@ krb5_kdc_process_krb5_request(krb5_context context, unsigned int i; krb5_data req_buffer; int claim = 0; - + req_buffer.data = buf; req_buffer.length = len; @@ -245,7 +245,7 @@ krb5_kdc_process_krb5_request(krb5_context context, if (claim) return ret; } - + return -1; } diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index a58cebb8b2..ba87abb7cc 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c @@ -55,7 +55,7 @@ krb5_kdc_windc_init(krb5_context context) windcft = _krb5_plugin_get_symbol(e); if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR) continue; - + (*windcft->init)(context, &windcctx); break; } @@ -119,9 +119,9 @@ _kdc_check_access(krb5_context context, server_ex, server_name, req->msg_type == krb_as_req); - return (windcft->client_access)(windcctx, - context, config, - client_ex, client_name, - server_ex, server_name, + return (windcft->client_access)(windcctx, + context, config, + client_ex, client_name, + server_ex, server_name, req, e_data); } diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index b328e3ffb3..fa4ba434f3 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -66,10 +66,10 @@ typedef krb5_error_code typedef krb5_error_code (*krb5plugin_windc_client_access)( - void *, krb5_context, + void *, krb5_context, krb5_kdc_configuration *config, - hdb_entry_ex *, const char *, - hdb_entry_ex *, const char *, + hdb_entry_ex *, const char *, + hdb_entry_ex *, const char *, KDC_REQ *, krb5_data *); diff --git a/source4/heimdal/kpasswd/kpasswd.c b/source4/heimdal/kpasswd/kpasswd.c index 0258c1ac09..e681a359d4 100644 --- a/source4/heimdal/kpasswd/kpasswd.c +++ b/source4/heimdal/kpasswd/kpasswd.c @@ -40,10 +40,11 @@ static char *admin_principal_str; static char *cred_cache_str; static struct getargs args[] = { - { "admin-principal", 0, arg_string, &admin_principal_str }, - { "cache", 'c', arg_string, &cred_cache_str }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "admin-principal", 0, arg_string, &admin_principal_str, NULL, + NULL }, + { "cache", 'c', arg_string, &cred_cache_str, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void @@ -197,9 +198,9 @@ main (int argc, char **argv) default: krb5_err(context, 1, ret, "krb5_get_init_creds"); } - + krb5_get_init_creds_opt_free(context, opt); - + ret = krb5_cc_initialize(context, id, admin_principal); krb5_free_principal(context, admin_principal); if (ret) @@ -208,7 +209,7 @@ main (int argc, char **argv) ret = krb5_cc_store_cred(context, id, &cred); if (ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); - + krb5_free_cred_contents (context, &cred); } diff --git a/source4/heimdal/kuser/kinit.c b/source4/heimdal/kuser/kinit.c index 846232a4f2..e872fef9be 100644 --- a/source4/heimdal/kuser/kinit.c +++ b/source4/heimdal/kuser/kinit.c @@ -96,31 +96,31 @@ static struct getargs args[] = { * 9: */ { "afslog", 0 , arg_flag, &do_afslog, - NP_("obtain afs tokens", "") }, + NP_("obtain afs tokens", ""), NULL }, { "cache", 'c', arg_string, &cred_cache, NP_("credentials cache", ""), "cachename" }, { "forwardable", 0, arg_negative_flag, &forwardable_flag, - NP_("get tickets not forwardable", "")}, + NP_("get tickets not forwardable", ""), NULL }, { NULL, 'f', arg_flag, &forwardable_flag, - NP_("get forwardable tickets", "")}, + NP_("get forwardable tickets", ""), NULL }, { "keytab", 't', arg_string, &keytab_str, NP_("keytab to use", ""), "keytabname" }, { "lifetime", 'l', arg_string, &lifetime, - NP_("lifetime of tickets", ""), "time"}, + NP_("lifetime of tickets", ""), "time" }, { "proxiable", 'p', arg_flag, &proxiable_flag, - NP_("get proxiable tickets", "") }, + NP_("get proxiable tickets", ""), NULL }, { "renew", 'R', arg_flag, &renew_flag, - NP_("renew TGT", "") }, + NP_("renew TGT", ""), NULL }, { "renewable", 0, arg_flag, &renewable_flag, - NP_("get renewable tickets", "") }, + NP_("get renewable tickets", ""), NULL }, { "renewable-life", 'r', arg_string, &renew_life, NP_("renewable lifetime of tickets", ""), "time" }, @@ -132,40 +132,40 @@ static struct getargs args[] = { NP_("when ticket gets valid", ""), "time" }, { "use-keytab", 'k', arg_flag, &use_keytab, - NP_("get key from keytab", "") }, + NP_("get key from keytab", ""), NULL }, { "validate", 'v', arg_flag, &validate_flag, - NP_("validate TGT", "") }, + NP_("validate TGT", ""), NULL }, { "enctypes", 'e', arg_strings, &etype_str, NP_("encryption types to use", ""), "enctypes" }, { "fcache-version", 0, arg_integer, &fcache_version, - NP_("file cache version to create", "") }, + NP_("file cache version to create", ""), NULL }, { "addresses", 'A', arg_negative_flag, &addrs_flag, - NP_("request a ticket with no addresses", "") }, + NP_("request a ticket with no addresses", ""), NULL }, { "extra-addresses",'a', arg_strings, &extra_addresses, NP_("include these extra addresses", ""), "addresses" }, { "anonymous", 0, arg_flag, &anonymous_flag, - NP_("request an anonymous ticket", "") }, + NP_("request an anonymous ticket", ""), NULL }, { "request-pac", 0, arg_flag, &pac_flag, - NP_("request a Windows PAC", "") }, + NP_("request a Windows PAC", ""), NULL }, { "password-file", 0, arg_string, &password_file, - NP_("read the password from a file", "") }, + NP_("read the password from a file", ""), NULL }, { "canonicalize",0, arg_flag, &canonicalize_flag, - NP_("canonicalize client principal", "") }, + NP_("canonicalize client principal", ""), NULL }, { "enterprise",0, arg_flag, &enterprise_flag, - NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") }, + NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL }, #ifdef PKINIT { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag, - NP_("use enterprise name from certificate", "") }, + NP_("use enterprise name from certificate", ""), NULL }, { "pk-user", 'C', arg_string, &pk_user_id, NP_("principal's public/private/certificate identifier", ""), "id" }, @@ -174,7 +174,7 @@ static struct getargs args[] = { NP_("directory with CA certificates", ""), "directory" }, { "pk-use-enckey", 0, arg_flag, &pk_use_enckey, - NP_("Use RSA encrypted reply (instead of DH)", "") }, + NP_("Use RSA encrypted reply (instead of DH)", ""), NULL }, #endif #ifndef NO_NTLM { "ntlm-domain", 0, arg_string, &ntlm_domain, @@ -182,19 +182,19 @@ static struct getargs args[] = { #endif { "change-default", 0, arg_negative_flag, &switch_cache_flags, - NP_("switch the default cache to the new credentials cache", "") }, + NP_("switch the default cache to the new credentials cache", ""), NULL }, { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag, - NP_("honor ok-as-delegate on tickets", "") }, + NP_("honor ok-as-delegate on tickets", ""), NULL }, { "use-referrals", 0, arg_flag, &use_referrals_flag, - NP_("only use referrals, no dns canalisation", "") }, + NP_("only use referrals, no dns canalisation", ""), NULL }, { "windows", 0, arg_flag, &windows_flag, - NP_("get windows behavior", "") }, + NP_("get windows behavior", ""), NULL }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void @@ -357,7 +357,7 @@ get_new_tickets(krb5_context context, char passwd[256]; krb5_deltat start_time = 0; krb5_deltat renew = 0; - char *renewstr = NULL; + const char *renewstr = NULL; krb5_enctype *enctype = NULL; krb5_ccache tempccache; #ifndef NO_NTLM @@ -466,7 +466,7 @@ get_new_tickets(krb5_context context, renew = parse_time (renewstr, "s"); if (renew < 0) errx (1, "unparsable time: %s", renewstr); - + krb5_get_init_creds_opt_set_renew_life (opt, renew); } @@ -532,11 +532,11 @@ get_new_tickets(krb5_context context, if (passwd[0] == '\0') { char *p, *prompt; - + krb5_unparse_name (context, principal, &p); asprintf (&prompt, N_("%s's Password: ", ""), p); free (p); - + if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ memset(passwd, 0, sizeof(passwd)); exit(1); @@ -544,7 +544,7 @@ get_new_tickets(krb5_context context, free (prompt); } - + ret = krb5_get_init_creds_password (context, &cred, principal, @@ -592,7 +592,7 @@ get_new_tickets(krb5_context context, char life[64]; unparse_time_approx(cred.times.renew_till - cred.times.starttime, life, sizeof(life)); - krb5_warnx(context, + krb5_warnx(context, N_("NOTICE: ticket renewable lifetime is %s", ""), life); } @@ -773,7 +773,7 @@ main (int argc, char **argv) } else if (anonymous_flag) { ret = krb5_make_principal(context, &principal, argv[0], - KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, + KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL); if (ret) krb5_err(context, 1, ret, "krb5_make_principal"); @@ -825,7 +825,7 @@ main (int argc, char **argv) if (ret) krb5_err (context, 1, ret, N_("resolving credentials cache", "")); - /* + /* * Check if the type support switching, and we do, * then do that instead over overwriting the current * default credential @@ -904,7 +904,7 @@ main (int argc, char **argv) krb5_warnx(context, N_("permission denied: %s", ""), argv[1]); else if(ret == EX_NOTFOUND) krb5_warnx(context, N_("command not found: %s", ""), argv[1]); - + krb5_cc_destroy(context, ccache); #ifndef NO_AFS if(k_hasafs()) diff --git a/source4/heimdal/lib/asn1/asn1-common.h b/source4/heimdal/lib/asn1/asn1-common.h index 9c8793e0cc..4083ebc23d 100644 --- a/source4/heimdal/lib/asn1/asn1-common.h +++ b/source4/heimdal/lib/asn1/asn1-common.h @@ -75,5 +75,5 @@ typedef struct heim_octet_string heim_any_set; #define ASN1EXP #define ASN1CALL #endif - + #endif diff --git a/source4/heimdal/lib/asn1/asn1parse.c b/source4/heimdal/lib/asn1/asn1parse.c index 08d068b6a4..8c64a35fca 100644 --- a/source4/heimdal/lib/asn1/asn1parse.c +++ b/source4/heimdal/lib/asn1/asn1parse.c @@ -1905,7 +1905,7 @@ yyreduce: /* Line 1455 of yacc.c */ #line 368 "asn1parse.c" - { + { if((yyvsp[(2) - (5)].value)->type != integervalue) lex_error_message("Non-integer in first part of range"); (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); @@ -1918,7 +1918,7 @@ yyreduce: /* Line 1455 of yacc.c */ #line 376 "asn1parse.c" - { + { if((yyvsp[(4) - (5)].value)->type != integervalue) lex_error_message("Non-integer in second part of range"); (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); diff --git a/source4/heimdal/lib/asn1/asn1parse.y b/source4/heimdal/lib/asn1/asn1parse.y index a7a8f31827..e3bea6ce0a 100644 --- a/source4/heimdal/lib/asn1/asn1parse.y +++ b/source4/heimdal/lib/asn1/asn1parse.y @@ -365,7 +365,7 @@ range : '(' Value RANGE Value ')' $$->max = $4->u.integervalue; } | '(' Value RANGE kw_MAX ')' - { + { if($2->type != integervalue) lex_error_message("Non-integer in first part of range"); $$ = ecalloc(1, sizeof(*$$)); @@ -373,7 +373,7 @@ range : '(' Value RANGE Value ')' $$->max = $2->u.integervalue - 1; } | '(' kw_MIN RANGE Value ')' - { + { if($4->type != integervalue) lex_error_message("Non-integer in second part of range"); $$ = ecalloc(1, sizeof(*$$)); diff --git a/source4/heimdal/lib/asn1/der_cmp.c b/source4/heimdal/lib/asn1/der_cmp.c index 84aee4cce0..468ccb2d04 100644 --- a/source4/heimdal/lib/asn1/der_cmp.c +++ b/source4/heimdal/lib/asn1/der_cmp.c @@ -53,14 +53,14 @@ der_heim_octet_string_cmp(const heim_octet_string *p, } int -der_printable_string_cmp(const heim_printable_string *p, +der_printable_string_cmp(const heim_printable_string *p, const heim_printable_string *q) { return der_heim_octet_string_cmp(p, q); } int -der_ia5_string_cmp(const heim_ia5_string *p, +der_ia5_string_cmp(const heim_ia5_string *p, const heim_ia5_string *q) { return der_heim_octet_string_cmp(p, q); diff --git a/source4/heimdal/lib/asn1/der_format.c b/source4/heimdal/lib/asn1/der_format.c index fc79a30b56..4f06c1b01f 100644 --- a/source4/heimdal/lib/asn1/der_format.c +++ b/source4/heimdal/lib/asn1/der_format.c @@ -108,7 +108,7 @@ int der_print_heim_oid (const heim_oid *oid, char delim, char **str) { struct rk_strpool *p = NULL; - int i; + size_t i; if (oid->length == 0) return EINVAL; diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c index 3ea0d5ea18..3112da86f9 100644 --- a/source4/heimdal/lib/asn1/der_get.c +++ b/source4/heimdal/lib/asn1/der_get.c @@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len, * an strings in the NEED_PREAUTH case that includes a * trailing NUL. */ - while (p1 - p < len && *p1 == '\0') + while ((size_t)(p1 - p) < len && *p1 == '\0') p1++; - if (p1 - p != len) + if ((size_t)(p1 - p) != len) return ASN1_BAD_CHARACTER; } if (len > len + 1) diff --git a/source4/heimdal/lib/asn1/der_length.c b/source4/heimdal/lib/asn1/der_length.c index 7a41de9d22..db82025861 100644 --- a/source4/heimdal/lib/asn1/der_length.c +++ b/source4/heimdal/lib/asn1/der_length.c @@ -86,7 +86,7 @@ static size_t len_oid (const heim_oid *oid) { size_t ret = 1; - int n; + size_t n; for (n = 2; n < oid->length; ++n) { unsigned u = oid->components[n]; diff --git a/source4/heimdal/lib/asn1/der_put.c b/source4/heimdal/lib/asn1/der_put.c index b8101458ad..0b276d1ebd 100644 --- a/source4/heimdal/lib/asn1/der_put.c +++ b/source4/heimdal/lib/asn1/der_put.c @@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep) if (s->data == NULL) return ENOMEM; s->length = len; - _der_gmtime(t, &tm); + if (_der_gmtime(t, &tm) == NULL) + return ASN1_BAD_TIMEFORMAT; if (gtimep) snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, diff --git a/source4/heimdal/lib/asn1/extra.c b/source4/heimdal/lib/asn1/extra.c index 95780a7898..a18797ec25 100644 --- a/source4/heimdal/lib/asn1/extra.c +++ b/source4/heimdal/lib/asn1/extra.c @@ -71,13 +71,13 @@ decode_heim_any(const unsigned char *p, size_t len, if (len < length + len_len + l) return ASN1_OVERFLOW; } - + data->data = malloc(length + len_len + l); if (data->data == NULL) return ENOMEM; data->length = length + len_len + l; memcpy(data->data, p, length + len_len + l); - + if (size) *size = length + len_len + l; diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c index d59f3bfa47..2194b329ce 100644 --- a/source4/heimdal/lib/asn1/gen.c +++ b/source4/heimdal/lib/asn1/gen.c @@ -761,7 +761,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ fprintf (headerfile, "struct %s {\n", newbasename); ASN1_TAILQ_FOREACH(m, t->members, members) { char *n = NULL; - + /* pad unused */ while (pos < m->val) { if (asprintf (&n, "_unused%d:1", pos) < 0 || n == NULL) @@ -1021,7 +1021,7 @@ generate_type (const Symbol *s) h = privheaderfile; exp = ""; } - + fprintf (h, "%sint ASN1CALL " "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n", @@ -1044,7 +1044,7 @@ generate_type (const Symbol *s) "%svoid ASN1CALL free_%s (%s *);\n", exp, s->gen_name, s->gen_name); - + fprintf(h, "\n\n"); if (!one_code_file) { diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c index 002a471e96..9d816d5400 100644 --- a/source4/heimdal/lib/asn1/gen_decode.c +++ b/source4/heimdal/lib/asn1/gen_decode.c @@ -209,7 +209,8 @@ range_check(const char *name, static int decode_type (const char *name, const Type *t, int optional, - const char *forwstr, const char *tmpstr, const char *dertype) + const char *forwstr, const char *tmpstr, const char *dertype, + unsigned int depth) { switch (t->type) { case TType: { @@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional, if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, + depth + 1); free (s); } @@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional, "%s = calloc(1, sizeof(*%s));\n" "if (%s == NULL) { e = ENOMEM; %s; }\n", s, s, s, forwstr); - decode_type (s, m->type, 0, forwstr, m->gen_name, NULL); + decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1); free (s); fprintf(codefile, "members |= (1 << %d);\n", memno); @@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional, errx(1, "malloc"); if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL) errx(1, "malloc"); - decode_type (n, t->subtype, 0, forwstr, sname, NULL); + decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1); fprintf (codefile, "(%s)->len++;\n" "len = %s_origlen - ret;\n" @@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional, tmpstr, tmpstr, typestring); if(support_ber) fprintf(codefile, - "int is_indefinite;\n"); + "int is_indefinite%u;\n", depth); fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, " "&%s_datalen, &l);\n", @@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional, tmpstr); if(support_ber) fprintf (codefile, - "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n" + "if((is_indefinite%u = _heim_fix_dce(%s_datalen, &len)) < 0)\n" "{ e = ASN1_BAD_FORMAT; %s; }\n" - "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }", - tmpstr, forwstr, forwstr); + "if (is_indefinite%u) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }", + depth, tmpstr, forwstr, depth, forwstr); else fprintf(codefile, "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n" "len = %s_datalen;\n", tmpstr, forwstr, tmpstr); if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL) errx(1, "malloc"); - decode_type (name, t->subtype, 0, forwstr, tname, ide); + decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1); if(support_ber) fprintf(codefile, - "if(is_indefinite){\n" + "if(is_indefinite%u){\n" "len += 2;\n" "e = der_match_tag_and_length(p, len, " "(Der_class)0, &%s, UT_EndOfContent, " @@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional, "p += l; len -= l; ret += l;\n" "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n" "} else \n", + depth, typestring, tmpstr, forwstr, @@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional, if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, + depth + 1); fprintf(codefile, "(%s)->element = %s;\n", name, m->label); @@ -605,7 +609,7 @@ decode_type (const char *name, const Type *t, int optional, "(%s)->element = %s;\n" "p += len;\n" "ret += len;\n" - "len -= len;\n" + "len = 0;\n" "}\n", name, have_ellipsis->gen_name, name, have_ellipsis->gen_name, @@ -662,8 +666,8 @@ generate_type_decode (const Symbol *s) int preserve = preserve_type(s->name) ? TRUE : FALSE; fprintf (codefile, "int ASN1CALL\n" - "decode_%s(const unsigned char *p," - " size_t len, %s *data, size_t *size)\n" + "decode_%s(const unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE," + " size_t len HEIMDAL_UNUSED_ATTRIBUTE, %s *data, size_t *size)\n" "{\n", s->gen_name, s->gen_name); @@ -694,15 +698,15 @@ generate_type_decode (const Symbol *s) case TChoice: fprintf (codefile, "size_t ret = 0;\n" - "size_t l;\n" - "int e;\n"); + "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n" + "int e HEIMDAL_UNUSED_ATTRIBUTE;\n"); if (preserve) fprintf (codefile, "const unsigned char *begin = p;\n"); fprintf (codefile, "\n"); fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */ - decode_type ("data", s->type, 0, "goto fail", "Top", NULL); + decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1); if (preserve) fprintf (codefile, "data->_save.data = calloc(1, ret);\n" diff --git a/source4/heimdal/lib/asn1/gen_encode.c b/source4/heimdal/lib/asn1/gen_encode.c index 43f29c1fe1..1bd47484d8 100644 --- a/source4/heimdal/lib/asn1/gen_encode.c +++ b/source4/heimdal/lib/asn1/gen_encode.c @@ -274,7 +274,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) else if(m->defval) gen_compare_defval(s + 1, m->defval); fprintf (codefile, "{\n"); - fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr); + fprintf (codefile, "size_t %s_oldret HEIMDAL_UNUSED_ATTRIBUTE = ret;\n", tmpstr); fprintf (codefile, "ret = 0;\n"); encode_type (s, m->type, m->gen_name); fprintf (codefile, "ret += %s_oldret;\n", tmpstr); @@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) name, name); fprintf(codefile, - "for(i = 0; i < (%s)->len; i++) {\n", + "for(i = 0; i < (int)(%s)->len; i++) {\n", name); fprintf(codefile, @@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) fprintf(codefile, "if (totallen > len) {\n" - "for (i = 0; i < (%s)->len; i++) {\n" + "for (i = 0; i < (int)(%s)->len; i++) {\n" "free(val[i].data);\n" "}\n" "free(val);\n" @@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) name); fprintf (codefile, - "for(i = (%s)->len - 1; i >= 0; --i) {\n" + "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n" "p -= val[i].length;\n" "ret += val[i].length;\n" "memcpy(p + 1, val[i].data, val[i].length);\n" @@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) char *n = NULL; fprintf (codefile, - "for(i = (%s)->len - 1; i >= 0; --i) {\n" + "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n" "size_t %s_for_oldret = ret;\n" "ret = 0;\n", name, tmpstr); @@ -503,7 +503,7 @@ void generate_type_encode (const Symbol *s) { fprintf (codefile, "int ASN1CALL\n" - "encode_%s(unsigned char *p, size_t len," + "encode_%s(unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE, size_t len HEIMDAL_UNUSED_ATTRIBUTE," " const %s *data, size_t *size)\n" "{\n", s->gen_name, s->gen_name); @@ -534,10 +534,9 @@ generate_type_encode (const Symbol *s) case TType: case TChoice: fprintf (codefile, - "size_t ret = 0;\n" - "size_t l;\n" - "int i, e;\n\n"); - fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */ + "size_t ret HEIMDAL_UNUSED_ATTRIBUTE = 0;\n" + "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n" + "int i HEIMDAL_UNUSED_ATTRIBUTE, e HEIMDAL_UNUSED_ATTRIBUTE;\n\n"); encode_type("data", s->type, "Top"); diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c index 7c88751c32..b9cae7533b 100644 --- a/source4/heimdal/lib/asn1/gen_free.c +++ b/source4/heimdal/lib/asn1/gen_free.c @@ -179,12 +179,12 @@ void generate_type_free (const Symbol *s) { int preserve = preserve_type(s->name) ? TRUE : FALSE; - + fprintf (codefile, "void ASN1CALL\n" "free_%s(%s *data)\n" "{\n", s->gen_name, s->gen_name); - + free_type ("data", s->type, preserve); fprintf (codefile, "}\n\n"); } diff --git a/source4/heimdal/lib/asn1/gen_template.c b/source4/heimdal/lib/asn1/gen_template.c index 791fb910f9..edd68e1223 100644 --- a/source4/heimdal/lib/asn1/gen_template.c +++ b/source4/heimdal/lib/asn1/gen_template.c @@ -342,7 +342,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql) ret = strcmp(tl->header, ql->header); if (ret) return ret; - + q = ASN1_TAILQ_FIRST(&ql->template); ASN1_TAILQ_FOREACH(t, &tl->template, members) { if (q == NULL) return 1; @@ -353,7 +353,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql) } else { ret = strcmp(t->tt, q->tt); if (ret) return ret; - + ret = strcmp(t->offset, q->offset); if (ret) return ret; @@ -479,12 +479,12 @@ template_members(struct templatehead *temp, const char *basetype, const char *na optional ? "|A1_FLAG_OPTIONAL" : "", poffset, t->symbol->gen_name); } else { - add_line_pointer(temp, t->symbol->gen_name, poffset, + add_line_pointer(temp, t->symbol->gen_name, poffset, "A1_OP_TYPE %s", optional ? "|A1_FLAG_OPTIONAL" : ""); } break; case TInteger: { - char *itype; + char *itype = NULL; if (t->members) itype = "IMEMBER"; @@ -499,7 +499,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na else errx(1, "%s: unsupported range %d -> %d", name, t->range->min, t->range->max); - + add_line(temp, "{ A1_PARSE_T(A1T_%s), %s, NULL }", itype, poffset); break; } @@ -557,7 +557,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na break; } - if (asprintf(&bname, "bmember_%s_%lu", name ? name : "", (unsigned long)t) < 0 || bname == NULL) + if (asprintf(&bname, "bmember_%s_%p", name ? name : "", t) < 0 || bname == NULL) errx(1, "malloc"); output_name(bname); @@ -591,7 +591,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na ASN1_TAILQ_FOREACH(m, t->members, members) { char *newbasename = NULL; - + if (m->ellipsis) continue; @@ -620,7 +620,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na else sename = symbol_name(basetype, t->subtype); - if (asprintf(&tname, "tag_%s_%lu", name ? name : "", (unsigned long)t) < 0 || tname == NULL) + if (asprintf(&tname, "tag_%s_%p", name ? name : "", t) < 0 || tname == NULL) errx(1, "malloc"); output_name(tname); @@ -644,7 +644,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na } case TSetOf: case TSequenceOf: { - const char *type, *tname, *dupname; + const char *type = NULL, *tname, *dupname; char *sename = NULL, *elname = NULL; int subtype_is_struct = is_struct(t->subtype, 0); @@ -670,7 +670,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na else if (t->type == TSequenceOf) type = "A1_OP_SEQOF"; else abort(); - if (asprintf(&elname, "%s_%s_%lu", basetype, tname, (unsigned long)t) < 0 || elname == NULL) + if (asprintf(&elname, "%s_%s_%p", basetype, tname, t) < 0 || elname == NULL) errx(1, "malloc"); generate_template_type(elname, &dupname, NULL, sename, NULL, t->subtype, @@ -699,7 +699,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na char *elname = NULL; char *newbasename = NULL; int subtype_is_struct; - + if (m->ellipsis) { ellipsis = 1; continue; diff --git a/source4/heimdal/lib/asn1/krb5.asn1 b/source4/heimdal/lib/asn1/krb5.asn1 index 78cb5a3b84..02fab7a3a6 100644 --- a/source4/heimdal/lib/asn1/krb5.asn1 +++ b/source4/heimdal/lib/asn1/krb5.asn1 @@ -221,32 +221,32 @@ CKSUMTYPE ::= INTEGER { --enctypes ENCTYPE ::= INTEGER { - ETYPE_NULL(0), - ETYPE_DES_CBC_CRC(1), - ETYPE_DES_CBC_MD4(2), - ETYPE_DES_CBC_MD5(3), - ETYPE_DES3_CBC_MD5(5), - ETYPE_OLD_DES3_CBC_SHA1(7), - ETYPE_SIGN_DSA_GENERATE(8), - ETYPE_ENCRYPT_RSA_PRIV(9), - ETYPE_ENCRYPT_RSA_PUB(10), - ETYPE_DES3_CBC_SHA1(16), -- with key derivation - ETYPE_AES128_CTS_HMAC_SHA1_96(17), - ETYPE_AES256_CTS_HMAC_SHA1_96(18), - ETYPE_ARCFOUR_HMAC_MD5(23), - ETYPE_ARCFOUR_HMAC_MD5_56(24), - ETYPE_ENCTYPE_PK_CROSS(48), + KRB5_ENCTYPE_NULL(0), + KRB5_ENCTYPE_DES_CBC_CRC(1), + KRB5_ENCTYPE_DES_CBC_MD4(2), + KRB5_ENCTYPE_DES_CBC_MD5(3), + KRB5_ENCTYPE_DES3_CBC_MD5(5), + KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7), + KRB5_ENCTYPE_SIGN_DSA_GENERATE(8), + KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9), + KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10), + KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation + KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17), + KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18), + KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23), + KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24), + KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48), -- some "old" windows types - ETYPE_ARCFOUR_MD4(-128), - ETYPE_ARCFOUR_HMAC_OLD(-133), - ETYPE_ARCFOUR_HMAC_OLD_EXP(-135), + KRB5_ENCTYPE_ARCFOUR_MD4(-128), + KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133), + KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135), -- these are for Heimdal internal use - ETYPE_DES_CBC_NONE(-0x1000), - ETYPE_DES3_CBC_NONE(-0x1001), - ETYPE_DES_CFB64_NONE(-0x1002), - ETYPE_DES_PCBC_NONE(-0x1003), - ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com - ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com + KRB5_ENCTYPE_DES_CBC_NONE(-0x1000), + KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001), + KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002), + KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003), + KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com + KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com } @@ -625,7 +625,7 @@ ChangePasswdDataMS ::= SEQUENCE { targrealm[2] Realm OPTIONAL } -EtypeList ::= SEQUENCE OF krb5int32 +EtypeList ::= SEQUENCE OF ENCTYPE -- the client's proposed enctype list in -- decreasing preference order, favorite choice first diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c index 12c71b7e2e..e8d9f38eaa 100644 --- a/source4/heimdal/lib/asn1/lex.c +++ b/source4/heimdal/lib/asn1/lex.c @@ -1626,7 +1626,7 @@ YY_RULE_SETUP char *p = buf; int f = 0; int skip_ws = 0; - + while((c = input()) != EOF) { if(isspace(c) && skip_ws) { if(c == '\n') @@ -1634,7 +1634,7 @@ YY_RULE_SETUP continue; } skip_ws = 0; - + if(c == '"') { if(f) { *p++ = '"'; diff --git a/source4/heimdal/lib/asn1/lex.l b/source4/heimdal/lib/asn1/lex.l index dece096164..2d32020266 100644 --- a/source4/heimdal/lib/asn1/lex.l +++ b/source4/heimdal/lib/asn1/lex.l @@ -216,7 +216,7 @@ WITH { return kw_WITH; } char *p = buf; int f = 0; int skip_ws = 0; - + while((c = input()) != EOF) { if(isspace(c) && skip_ws) { if(c == '\n') @@ -224,7 +224,7 @@ WITH { return kw_WITH; } continue; } skip_ws = 0; - + if(c == '"') { if(f) { *p++ = '"'; diff --git a/source4/heimdal/lib/asn1/main.c b/source4/heimdal/lib/asn1/main.c index a99e69d0f9..f22dc8792c 100644 --- a/source4/heimdal/lib/asn1/main.c +++ b/source4/heimdal/lib/asn1/main.c @@ -202,6 +202,6 @@ main(int argc, char **argv) free(arg[i]); free(arg); } - + return 0; } diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1 index e3c72ac76e..89154e337c 100644 --- a/source4/heimdal/lib/asn1/test.asn1 +++ b/source4/heimdal/lib/asn1/test.asn1 @@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING { thirtyone(31) } +TESTMechType::= OBJECT IDENTIFIER +TESTMechTypeList ::= SEQUENCE OF TESTMechType + END diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c index b569478413..d9f4adbd55 100644 --- a/source4/heimdal/lib/asn1/timegm.c +++ b/source4/heimdal/lib/asn1/timegm.c @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id$"); +#define ASN1_MAX_YEAR 2000 static int is_leap(unsigned y) @@ -56,13 +56,19 @@ time_t _der_timegm (struct tm *tm) { time_t res = 0; - unsigned i; + int i; + + /* + * See comment in _der_gmtime + */ + if (tm->tm_year > ASN1_MAX_YEAR) + return 0; if (tm->tm_year < 0) return -1; if (tm->tm_mon < 0 || tm->tm_mon > 11) return -1; - if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon]) + if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon]) return -1; if (tm->tm_hour < 0 || tm->tm_hour > 23) return -1; @@ -98,6 +104,15 @@ _der_gmtime(time_t t, struct tm *tm) tm->tm_min = (secday % 3600) / 60; tm->tm_hour = secday / 3600; + /* + * Refuse to calculate time ~ 2000 years into the future, this is + * not possible for systems where time_t is a int32_t, however, + * when time_t is a int64_t, that can happen, and this becomes a + * denial of sevice. + */ + if (days > (ASN1_MAX_YEAR * 365)) + return NULL; + tm->tm_year = 70; while(1) { unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365); diff --git a/source4/heimdal/lib/com_err/compile_et.c b/source4/heimdal/lib/com_err/compile_et.c index 11beaeba4b..c72abdecc8 100644 --- a/source4/heimdal/lib/com_err/compile_et.c +++ b/source4/heimdal/lib/com_err/compile_et.c @@ -93,7 +93,7 @@ generate_c(void) fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n", n, name, n); n++; - + } fprintf(c_file, "\t/* %03d */ N_(\"%s\"),\n", ec->number, ec->string); @@ -220,7 +220,7 @@ main(int argc, char **argv) yyin = fopen(filename, "r"); if(yyin == NULL) err(1, "%s", filename); - + p = strrchr(filename, rk_PATH_DELIM); if(p) diff --git a/source4/heimdal/lib/com_err/error.c b/source4/heimdal/lib/com_err/error.c index 0e49a94104..6864e870a4 100644 --- a/source4/heimdal/lib/com_err/error.c +++ b/source4/heimdal/lib/com_err/error.c @@ -101,7 +101,7 @@ initialize_error_table_r(struct et_list **list, et->next = NULL; *end = et; } - + KRB5_LIB_FUNCTION void KRB5_LIB_CALL free_error_table(struct et_list *et) diff --git a/source4/heimdal/lib/com_err/parse.c b/source4/heimdal/lib/com_err/parse.c index 1c104812b7..cb770a3a6e 100644 --- a/source4/heimdal/lib/com_err/parse.c +++ b/source4/heimdal/lib/com_err/parse.c @@ -1465,7 +1465,7 @@ yyreduce: #line 118 "parse.c" { struct error_code *ec = malloc(sizeof(*ec)); - + if (ec == NULL) errx(1, "malloc"); diff --git a/source4/heimdal/lib/com_err/parse.y b/source4/heimdal/lib/com_err/parse.y index 194965c349..0c2e5084b5 100644 --- a/source4/heimdal/lib/com_err/parse.y +++ b/source4/heimdal/lib/com_err/parse.y @@ -117,7 +117,7 @@ statement : INDEX NUMBER | EC STRING ',' STRING { struct error_code *ec = malloc(sizeof(*ec)); - + if (ec == NULL) errx(1, "malloc"); diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h index caa1af8b3a..fa53a29d24 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -/* $Id$ */ - #ifndef GSSAPI_GSSAPI_H_ #define GSSAPI_GSSAPI_H_ @@ -55,13 +53,11 @@ #endif #endif -#ifndef GSSAPI_DEPRECATED +#ifndef GSSAPI_DEPRECATED_FUNCTION #if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) -#define GSSAPI_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) -#define GSSAPI_DEPRECATED __declspec(deprecated) +#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated)) #else -#define GSSAPI_DEPRECATED +#define GSSAPI_DEPRECATED_FUNCTION(X) #endif #endif @@ -375,7 +371,7 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc; * to that gss_OID_desc. */ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; -#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) +#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) /* Major status codes */ @@ -447,6 +443,11 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET) /* + * Apparently awating spec fix. + */ +#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE + +/* * Supplementary info bits: */ #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) @@ -459,6 +460,9 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; * Finally, function prototypes for the GSS-API routines. */ +#define GSS_C_OPTION_MASK 0xffff +#define GSS_C_CRED_NO_UI 0x10000 + GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred (OM_uint32 * /*minor_status*/, const gss_name_t /*desired_name*/, @@ -827,7 +831,7 @@ typedef struct { size_t blocksize; /**< Specificed optimal size of messages, also is the maximum padding size (GSS_IOV_BUFFER_TYPE_PADDING) */ -} gss_context_stream_sizes; +} gss_context_stream_sizes; extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc; #define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc) @@ -850,23 +854,23 @@ gss_context_query_attributes(OM_uint32 * /* minor_status */, * obsolete versions of these routines and their current forms. */ -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*qop_req*/, gss_buffer_t /*message_buffer*/, gss_buffer_t /*message_token*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*message_buffer*/, gss_buffer_t /*token_buffer*/, int * /*qop_state*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, @@ -874,29 +878,29 @@ GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal gss_buffer_t /*input_message_buffer*/, int * /*conf_state*/, gss_buffer_t /*output_message_buffer*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*input_message_buffer*/, gss_buffer_t /*output_message_buffer*/, int * /*conf_state*/, int * /*qop_state*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap"); /** * */ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_encapsulate_token(const gss_buffer_t /* input_token */, - const gss_OID /* oid */, +gss_encapsulate_token(gss_const_buffer_t /* input_token */, + gss_const_OID /* oid */, gss_buffer_t /* output_token */); GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_decapsulate_token(const gss_buffer_t /* input_token */, - const gss_OID /* oid */, +gss_decapsulate_token(gss_const_buffer_t /* input_token */, + gss_const_OID /* oid */, gss_buffer_t /* output_token */); @@ -990,6 +994,56 @@ gss_display_mech_attr(OM_uint32 * minor_status, gss_buffer_t long_desc); /* + * Solaris compat + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password + (OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + const gss_buffer_t /*password*/, + OM_uint32 /*time_req*/, + const gss_OID_set /*desired_mechs*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*time_rec*/ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*input_cred_handle*/, + const gss_name_t /*desired_name*/, + const gss_OID /*desired_mech*/, + const gss_buffer_t /*password*/, + gss_cred_usage_t /*cred_usage*/, + OM_uint32 /*initiator_time_req*/, + OM_uint32 /*acceptor_time_req*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*initiator_time_rec*/, + OM_uint32 * /*acceptor_time_rec*/ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_pname_to_uid( + OM_uint32 *minor, + const gss_name_t name, + const gss_OID mech_type, + uid_t *uidOut); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_authorize_localname( + OM_uint32 *minor, + const gss_name_t name, + const gss_name_t user); + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_userok(const gss_name_t name, + const char *user); + +extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER; + +/* * Naming extensions */ @@ -1051,4 +1105,6 @@ gss_name_to_oid(const char *name); GSSAPI_CPP_END +#undef GSSAPI_DEPRECATED_FUNCTION + #endif /* GSSAPI_GSSAPI_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h index e7b56dc7d4..9465efc77f 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h @@ -109,6 +109,13 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc; extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc; #define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc) + /* credential types */ +extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc; +#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) + +extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc; +#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) + /* Heimdal mechanisms - 1.2.752.43.14 */ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc; #define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc) diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h index 1431dbcee6..e4ccfdb0cd 100644 --- a/source4/heimdal/lib/gssapi/gssapi_mech.h +++ b/source4/heimdal/lib/gssapi/gssapi_mech.h @@ -355,14 +355,14 @@ _gss_import_cred_t(OM_uint32 * minor_status, typedef OM_uint32 GSSAPI_CALLCONV -_gss_acquire_cred_ex_t(void * /* status */, - const gss_name_t /* desired_name */, - OM_uint32 /* flags */, - OM_uint32 /* time_req */, - gss_cred_usage_t /* cred_usage */, - void * /* identity */, - void * /* ctx */, - void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32)); +_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */, + const gss_name_t /* desired_name */, + gss_const_OID /* credential_type */, + const void * /* credential_data */, + OM_uint32 /* time_req */, + gss_const_OID /* desired_mech */, + gss_cred_usage_t /* cred_usage */, + gss_cred_id_t * /* output_cred_handle */); typedef void GSSAPI_CALLCONV _gss_iter_creds_t(OM_uint32 /* flags */, @@ -460,13 +460,28 @@ struct gss_mo_desc_struct { int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t); }; +typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* name */ + const gss_OID, /* mech_type */ + uid_t * /* uidOut */ + ); + +typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* name */ + gss_const_buffer_t, /* user */ + gss_const_OID /* user_name_type */ + ); + +/* mechglue internal */ +struct gss_mech_compat_desc_struct; #define GMI_VERSION 5 /* gm_flags */ #define GM_USE_MG_CRED 1 /* uses mech glue credentials */ - typedef struct gssapi_mech_interface_desc { unsigned gm_version; const char *gm_name; @@ -512,7 +527,7 @@ typedef struct gssapi_mech_interface_desc { _gss_store_cred_t *gm_store_cred; _gss_export_cred_t *gm_export_cred; _gss_import_cred_t *gm_import_cred; - _gss_acquire_cred_ex_t *gm_acquire_cred_ex; + _gss_acquire_cred_ext_t *gm_acquire_cred_ext; _gss_iter_creds_t *gm_iter_creds; _gss_destroy_cred_t *gm_destroy_cred; _gss_cred_hold_t *gm_cred_hold; @@ -521,12 +536,15 @@ typedef struct gssapi_mech_interface_desc { _gss_cred_label_set_t *gm_cred_label_set; gss_mo_desc *gm_mo; size_t gm_mo_num; + _gss_pname_to_uid_t *gm_pname_to_uid; + _gss_authorize_localname_t *gm_authorize_localname; _gss_display_name_ext_t *gm_display_name_ext; _gss_inquire_name_t *gm_inquire_name; _gss_get_name_attribute_t *gm_get_name_attribute; _gss_set_name_attribute_t *gm_set_name_attribute; _gss_delete_name_attribute_t *gm_delete_name_attribute; _gss_export_name_composite_t *gm_export_name_composite; + struct gss_mech_compat_desc_struct *gm_compat; } gssapi_mech_interface_desc, *gssapi_mech_interface; gssapi_mech_interface @@ -552,4 +570,25 @@ struct _gss_oid_name_table { extern struct _gss_oid_name_table _gss_ont_mech[]; extern struct _gss_oid_name_table _gss_ont_ma[]; +/* + * Extended credentials acqusition API, not to be exported until + * it or something equivalent has been standardised. + */ +extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc; +#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) + +extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc; +#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) + +OM_uint32 _gss_acquire_cred_ext + (OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + gss_const_OID /*credential_type*/, + const void * /*credential_data*/, + OM_uint32 /*time_req*/, + gss_const_OID /*desired_mech*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/ + ); + #endif /* GSSAPI_MECH_H */ diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 65db343cad..d4555c5104 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->acceptor_address.length) - EVP_DigestUpdate(ctx, + EVP_DigestUpdate(ctx, b->acceptor_address.value, b->acceptor_address.length); _gsskrb5_encode_om_uint32 (b->application_data.length, num); diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index a5e9d054c4..5a00e124c2 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -36,12 +36,32 @@ HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; +static krb5_error_code +validate_keytab(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_error_code ret; + + ret = krb5_kt_resolve(context, name, id); + if (ret) + return ret; + + ret = krb5_kt_have_content(context, *id); + if (ret) { + krb5_kt_close(context, *id); + *id = NULL; + } + + return ret; +} + OM_uint32 -_gsskrb5_register_acceptor_identity (const char *identity) +_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity) { krb5_context context; krb5_error_code ret; + *min_stat = 0; + ret = _gsskrb5_init(&context); if(ret) return GSS_S_FAILURE; @@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity) if (identity == NULL) { ret = krb5_kt_default(context, &_gsskrb5_keytab); } else { - char *p = NULL; - - ret = asprintf(&p, "FILE:%s", identity); - if(ret < 0 || p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; + /* + * First check if we can the keytab as is and if it has content... + */ + ret = validate_keytab(context, identity, &_gsskrb5_keytab); + /* + * if it doesn't, lets prepend FILE: and try again + */ + if (ret) { + char *p = NULL; + ret = asprintf(&p, "FILE:%s", identity); + if(ret < 0 || p == NULL) { + HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); + return GSS_S_FAILURE; + } + ret = validate_keytab(context, p, &_gsskrb5_keytab); + free(p); } - ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab); - free(p); } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) + if(ret) { + *min_stat = ret; return GSS_S_FAILURE; + } return GSS_S_COMPLETE; } @@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) if (key == NULL) return; - + switch (key->keytype) { case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: @@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token if (delegated_cred_handle) { gsskrb5_cred handle; - + ret = _gsskrb5_krb5_import_cred(minor_status, ccache, NULL, @@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; int use_subkey = 0; - + _gsskrb5i_is_cfx(context, ctx, 1); is_cfx = (ctx->more_flags & IS_CFX); - + if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; } else { @@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL); } - + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); @@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (IS_DCE_STYLE(ctx)) { output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, krb5_error_code kret; krb5_data inbuf; int32_t r_seq_number, l_seq_number; - + /* * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ @@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { krb5_ap_rep_enc_part *repl; int32_t auth_flags; - + krb5_auth_con_removeflags(context, ctx->auth_context, KRB5_AUTH_CONTEXT_DO_TIME, @@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, if (lifetime_rec == 0) { return GSS_S_CONTEXT_EXPIRED; } - + if (time_rec) *time_rec = lifetime_rec; } @@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { kret = krb5_auth_con_setremoteseqnumber(context, ctx->auth_context, - r_seq_number); + r_seq_number); if (kret) { *minor_status = kret; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index d0042e874b..0f1f5f81cf 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, memset(&in_cred, 0, sizeof(in_cred)); in_cred.client = principal; - + realm = krb5_principal_get_realm(context, principal); if (realm == NULL) { _gsskrb5_clear_status (); @@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, static krb5_error_code get_keytab(krb5_context context, krb5_keytab *keytab) { - char kt_name[256]; krb5_error_code kret; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); if (_gsskrb5_keytab != NULL) { - kret = krb5_kt_get_name(context, - _gsskrb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(context, kt_name, keytab); + char *name = NULL; + + kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name); + if (kret == 0) { + kret = krb5_kt_resolve(context, name, keytab); + krb5_xfree(name); + } } else kret = krb5_kt_default(context, keytab); @@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab) static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; @@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred * errors while searching. */ + if (credential_type != GSS_C_NO_OID && + !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + kret = KRB5_NOCREDS_SUPPLIED; /* XXX */ + goto end; + } + if (handle->principal) { kret = krb5_cc_cache_match (context, handle->principal, @@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred if (kret) goto end; } - kret = get_keytab(context, &keytab); - if (kret) - goto end; kret = krb5_get_init_creds_opt_alloc(context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(context, &cred, - handle->principal, keytab, 0, NULL, opt); + if (credential_type != GSS_C_NO_OID && + gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + gss_buffer_t password = (gss_buffer_t)credential_data; + + /* XXX are we requiring password to be NUL terminated? */ + + kret = krb5_get_init_creds_password(context, &cred, + handle->principal, + password->value, + NULL, NULL, 0, NULL, opt); + } else { + kret = get_keytab(context, &keytab); + if (kret) { + krb5_get_init_creds_opt_free(context, opt); + goto end; + } + kret = krb5_get_init_creds_keytab(context, &cred, + handle->principal, keytab, + 0, NULL, opt); + } krb5_get_init_creds_opt_free(context, opt); if (kret) goto end; @@ -233,19 +255,25 @@ end: static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; krb5_error_code kret; ret = GSS_S_FAILURE; + + if (credential_type != GSS_C_NO_OID) { + kret = EINVAL; + goto end; + } + kret = get_keytab(context, &handle->keytab); if (kret) goto end; @@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred OM_uint32 * time_rec ) { - krb5_context context; - gsskrb5_cred handle; OM_uint32 ret; - if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT(&context); - - *output_cred_handle = NULL; - if (time_rec) - *time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - if (desired_mechs) { int present = 0; @@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } } + ret = _gsskrb5_acquire_cred_ext(minor_status, + desired_name, + GSS_C_NO_OID, + NULL, + time_req, + GSS_KRB5_MECHANISM, + cred_usage, + output_cred_handle); + if (ret) + return ret; + + + ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle, + NULL, time_rec, NULL, actual_mechs); + if (ret) { + OM_uint32 tmp; + _gsskrb5_release_cred(&tmp, output_cred_handle); + } + + return ret; +} + +OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext +(OM_uint32 * minor_status, + const gss_name_t desired_name, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle + ) +{ + krb5_context context; + gsskrb5_cred handle; + OM_uint32 ret; + + cred_usage &= GSS_C_OPTION_MASK; + + if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return GSS_S_FAILURE; + } + + GSSAPI_KRB5_INIT(&context); + + *output_cred_handle = NULL; + handle = calloc(1, sizeof(*handle)); if (handle == NULL) { *minor_status = ENOMEM; @@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred HEIMDAL_MUTEX_init(&handle->cred_id_mutex); if (desired_name != GSS_C_NO_NAME) { - ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, desired_name, &handle->principal); if (ret) { @@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, - actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred if (ret == GSS_S_COMPLETE) ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, - NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) gss_release_oid_set(NULL, &handle->mechanisms); @@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred free(handle); return (ret); } - *minor_status = 0; - if (time_rec) { - ret = _gsskrb5_lifetime_left(minor_status, - context, - handle->lifetime, - time_rec); - - if (ret) - return ret; - } handle->usage = cred_usage; + *minor_status = 0; *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); } diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index a326613edd..00cf55f62d 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c @@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( return(GSS_S_FAILURE); } } - + /* check that we have the same name */ if (dname != NULL && krb5_principal_compare(context, dname, @@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( handle->ccache = NULL; handle->mechanisms = NULL; HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - + ret = GSS_S_FAILURE; kret = krb5_copy_principal(context, cred->principal, @@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (cred->keytab) { - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - int len; - - ret = GSS_S_FAILURE; + char *name = NULL; - kret = krb5_kt_get_type(context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; + ret = GSS_S_FAILURE; - kret = krb5_kt_get_name(context, cred->keytab, - name + len, - sizeof(name) - len); + kret = krb5_kt_get_full_name(context, cred->keytab, &name); if (kret) { *minor_status = kret; goto failure; @@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( kret = krb5_kt_resolve(context, name, &handle->keytab); + krb5_xfree(name); if (kret){ *minor_status = kret; goto failure; @@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_new_unique(context, type, + ret = krb5_cc_new_unique(context, type, NULL, &handle->ccache); if (ret) { *minor_status = ret; @@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( *minor_status = ENOMEM; goto failure; } - + kret = asprintf(&type_name, "%s:%s", type, name); if (kret < 0 || type_name == NULL) { *minor_status = ENOMEM; goto failure; } - + kret = krb5_cc_resolve(context, type_name, &handle->ccache); free(type_name); if (kret) { *minor_status = kret; goto failure; - } + } } } ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c index 040cd3ee76..47913e4aec 100644 --- a/source4/heimdal/lib/gssapi/krb5/aeap.c +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status, krb5_context context; GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_unwrap_cfx_iov(minor_status, ctx, context, conf_state, qop_state, iov, iov_count); - + return GSS_S_FAILURE; } @@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status, { const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_context context; - + GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context, conf_req_flag, qop_req, conf_state, iov, iov_count); - + return GSS_S_FAILURE; } diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index dc59e997bd..0264207e4a 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type) + const char *type) { krb5_error_code ret; uint32_t seq_number; @@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, p = token_buffer->value; omret = _gsskrb5_verify_header (&p, token_buffer->length, - (u_char *)type, + type, GSS_KRB5_MECHANISM); if (omret) return omret; @@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); EVP_Cipher(&rc4_key, SND_SEQ, p, 8); @@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if(conf_req_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen); @@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); @@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8); @@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, if(conf_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8); diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index 1189718adc..3c1536b60e 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; size_t gsshsize, k5hsize; size_t gsstsize, k5tsize; - size_t i, rrc = 0, ec = 0; + size_t rrc = 0, ec = 0; + int i; gss_cfx_wrap_token token; krb5_error_code ret; int32_t seq_number; @@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, token->Flags = 0; token->Filler = 0xFF; + if ((ctx->more_flags & LOCAL) == 0) + token->Flags |= CFXSentByAcceptor; + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; @@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, plain packet: {data | "header" | gss-trailer (krb5 checksum) - + don't do RRC != 0 */ @@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) len += iov[i].buffer.length; - + p = malloc(len); if (p == NULL) { *minor_status = ENOMEM; @@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int q += iov[i].buffer.length; } } - assert((q - p) == len); + assert((size_t)(q - p) == len); /* unrotate first part */ q = p + rrc; diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index 221d219c69..3381dffa19 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status, *compat = match_val; break; } - + krb5_free_principal(context, match); match = NULL; } diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 7b27906b5b..cb1550011c 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time if (*time_rec == 0) return GSS_S_CONTEXT_EXPIRED; - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 4e65fc1cf3..e332d29c84 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (keytab_principal) { krb5_boolean match; diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c index d2c253e84b..fa45d19b98 100644 --- a/source4/heimdal/lib/gssapi/krb5/creds.c +++ b/source4/heimdal/lib/gssapi/krb5/creds.c @@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, char *str; GSSAPI_KRB5_INIT (&context); - + if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; @@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_get_full_name(context, handle->ccache, &str); if (ret) { krb5_storage_free(sp); *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_store_string(sp, str); free(str); if (ret) { @@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_resolve(context, str, &id); krb5_xfree(str); if (ret) { diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 79cd9232e1..fe5dac7c60 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -114,7 +114,7 @@ _gssapi_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gssapi_make_mech_header (output_token->value, len, mech); memcpy (p, in_data->data, in_data->length); @@ -145,7 +145,7 @@ _gsskrb5_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gsskrb5_make_header (output_token->value, len, type, mech); memcpy (p, in_data->data, in_data->length); diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index d6f14a48f7..26ede2487d 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "GS2-KRB5", + rk_UNCONST("GS2-KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "KRB5", + rk_UNCONST("KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal Kerberos 5 mech", + rk_UNCONST("Heimdal Kerberos 5 mech"), _gss_mo_get_ctx_as_string, NULL }, @@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = { static gssapi_mech_interface_desc krb5_mech = { GMI_VERSION, "kerberos 5", - {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }, 0, _gsskrb5_acquire_cred, _gsskrb5_release_cred, @@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_store_cred, _gsskrb5_export_cred, _gsskrb5_import_cred, - NULL, + _gsskrb5_acquire_cred_ext, NULL, NULL, NULL, @@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = { NULL, NULL, krb5_mo, - sizeof(krb5_mo) / sizeof(krb5_mo[0]) + sizeof(krb5_mo) / sizeof(krb5_mo[0]), + _gsskrb5_pname_to_uid, + _gsskrb5_authorize_localname, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 2a071a305e..5fe512672f 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context, return GSS_S_BAD_NAME; else if (p->name.name_string.len > 1) hostname = p->name.name_string.val[1]; - + service = p->name.name_string.val[0]; - + ret = krb5_sname_to_principal(context, hostname, service, diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index 53855ca045..5f8b01b727 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -41,7 +41,7 @@ static OM_uint32 set_addresses (krb5_context context, krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) + const gss_channel_bindings_t input_chan_bindings) { /* Port numbers are expected to be in application_data.value, * initator's port first */ @@ -422,11 +422,6 @@ init_auth goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - goto failure; - - /* * This is hideous glue for (NFS) clients that wants to limit the * available enctypes to what it can support (encryption in @@ -458,17 +453,21 @@ init_auth * DNS canonicalizion. */ ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 0, time_req, + ctx, name, 0, time_req, time_rec); if (ret && allow_dns) ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 1, time_req, + ctx, name, 1, time_req, time_rec); if (ret) goto failure; ctx->lifetime = ctx->kcred->times.endtime; + ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); + if (ret) + goto failure; + ret = _gsskrb5_lifetime_left(minor_status, context, ctx->lifetime, @@ -530,7 +529,7 @@ init_auth_restart Checksum cksum; krb5_enctype enctype; krb5_data fwd_data, timedata; - int32_t offset = 0, oldoffset; + int32_t offset = 0, oldoffset = 0; uint32_t flagmask; krb5_data_zero(&outbuf); @@ -544,7 +543,7 @@ init_auth_restart */ if (!ctx->kcred->flags.b.ok_as_delegate) { krb5_data data; - + ret = krb5_cc_get_config(context, ctx->ccache, NULL, "realm-config", &data); if (ret == 0) { @@ -676,7 +675,8 @@ init_auth_restart output_token->length = outbuf.length; } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, - (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + (u_char *)(intptr_t)"\x01\x00", + GSS_KRB5_MECHANISM); krb5_data_free (&outbuf); if (ret) goto failure; @@ -848,9 +848,9 @@ repl_mutual *minor_status = kret; return GSS_S_FAILURE; } - + /* reset local seq number */ - krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context return GSS_S_BAD_MECH; if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { - OM_uint32 ret; + OM_uint32 ret1; if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; } - ret = _gsskrb5_create_ctx(minor_status, + ret1 = _gsskrb5_create_ctx(minor_status, context_handle, context, input_chan_bindings, INITIATOR_START); - if (ret) - return ret; + if (ret1) + return ret1; } if (*context_handle == GSS_C_NO_CONTEXT) { @@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context ret_flags, time_rec); if (ret != GSS_S_COMPLETE) - break; + break; /* FALL THOUGH */ case INITIATOR_RESTART: ret = init_auth_restart(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index d3798623ff..f88199692c 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred if (output_name != NULL) { if (icred && icred->principal != NULL) { gss_name_t name; - + if (acred && acred->principal) name = (gss_name_t)acred->principal; else name = (gss_name_t)icred->principal; - + ret = _gsskrb5_duplicate_name(minor_status, name, output_name); if (ret) goto out; diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index dc02b99851..65bd49c971 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech ( if (ret != GSS_S_COMPLETE) gss_release_oid_set(NULL, name_types); - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 14816e7a05..b57217a4e8 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -179,6 +179,46 @@ out: return maj_stat; } +static OM_uint32 inquire_sec_context_get_sspi_session_key + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + krb5_context context, + gss_buffer_set_t *data_set) +{ + krb5_keyblock *key; + OM_uint32 maj_stat = GSS_S_COMPLETE; + krb5_error_code ret; + gss_buffer_desc value; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(context_handle, context, &key); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + if (ret) + goto out; + if (key == NULL) { + ret = EINVAL; + goto out; + } + + value.length = key->keyvalue.length; + value.value = key->keyvalue.data; + + maj_stat = gss_add_buffer_set_member(minor_status, + &value, + data_set); + krb5_free_keyblock(context, key); + + /* MIT also returns the enctype encoded as an OID in data_set[1] */ + +out: + if (ret) { + *minor_status = ret; + maj_stat = GSS_S_FAILURE; + } + return maj_stat; +} + static OM_uint32 inquire_sec_context_authz_data (OM_uint32 *minor_status, const gsskrb5_ctx context_handle, @@ -464,10 +504,10 @@ get_service_keyblock { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid context, ACCEPTOR_KEY, data_set); + } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) { + return inquire_sec_context_get_sspi_session_key(minor_status, + ctx, + context, + data_set); } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) { return get_authtime(minor_status, ctx, data_set); } else if (oid_prefix_equal(desired_object, diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 323b4cc722..162a309709 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, krb5_crypto crypto; krb5_data input, output; uint32_t num; + OM_uint32 junk; unsigned char *p; krb5_keyblock *key = NULL; + size_t dol; if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; } - if (desired_output_len <= 0) { + if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) { *minor_status = 0; return GSS_S_FAILURE; } + dol = desired_output_len; GSSAPI_KRB5_INIT (&context); @@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, return GSS_S_FAILURE; } - prf_out->value = malloc(desired_output_len); + prf_out->value = malloc(dol); if (prf_out->value == NULL) { _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - prf_out->length = desired_output_len; + prf_out->length = dol; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); input.length = prf_in->length + 4; input.data = malloc(prf_in->length + 4); if (input.data == NULL) { - OM_uint32 junk; _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; gss_release_buffer(&junk, prf_out); @@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length); + memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length); num = 0; p = prf_out->value; - while(desired_output_len > 0) { + while(dol > 0) { + size_t tsize; + _gsskrb5_encode_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); if (ret) { - OM_uint32 junk; *minor_status = ret; free(input.data); gss_release_buffer(&junk, prf_out); @@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(p, output.data, min(desired_output_len, output.length)); + + tsize = min(dol, output.length); + memcpy(p, output.data, tsize); p += output.length; - desired_output_len -= output.length; + dol -= tsize; krb5_data_free(&output); num++; } diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 4feda0de04..0cc1c07cfb 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c +++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token ( (gsskrb5_ctx)context_handle, context, token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); + GSS_C_QOP_DEFAULT, + "\x01\x02"); if (ret == GSS_S_COMPLETE) ret = _gsskrb5_delete_sec_context(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index fbbc5b6c70..2e0e7b20f9 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status, if (*o == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } *minor_status = 0; return GSS_S_COMPLETE; @@ -141,7 +141,7 @@ OM_uint32 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) { OM_uint32 r; - int i; + size_t i; if (o == NULL) return GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 5ff6172fb9..bd38716751 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status, cred = (gsskrb5_cred)*cred_handle; cred->cred_flags |= GSS_CF_NO_CI_FLAGS; - + *minor_status = 0; return GSS_S_COMPLETE; @@ -241,7 +241,7 @@ _gsskrb5_set_cred_option if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) { return no_ci_flags(minor_status, context, cred_handle, value); } - + *minor_status = EINVAL; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 237af1a52c..141ff722fb 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option if (maj_stat != GSS_S_COMPLETE) return maj_stat; - _gsskrb5_register_acceptor_identity(str); + maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str); free(str); - *minor_status = 0; - return GSS_S_COMPLETE; + return maj_stat; } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { char *str; @@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option return maj_stat; t = time(NULL) + offset; - + krb5_set_real_time(context, t, 0); *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/krb5/store_cred.c b/source4/heimdal/lib/gssapi/krb5/store_cred.c index 21f9f6e8ab..a3aa2fb83e 100644 --- a/source4/heimdal/lib/gssapi/krb5/store_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/store_cred.c @@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32 *minor_status, *minor_status = ret; return(GSS_S_FAILURE); } - + if (default_cred) krb5_cc_switch(context, id); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index 7620d691bd..d6bc204777 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -54,7 +54,7 @@ unwrap_des DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; uint32_t seq_number; size_t padlength; OM_uint32 ret; @@ -98,6 +98,7 @@ unwrap_des if(cstate) { /* decrypt data */ memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); + memset (&zero, 0, sizeof(zero)); for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 9a5445698b..3123787ff4 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -44,7 +44,7 @@ verify_mic_des const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; @@ -142,7 +142,7 @@ verify_mic_des3 const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; @@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, - char * type + const char * type ) { krb5_keyblock *key; @@ -348,7 +348,7 @@ _gsskrb5_verify_mic (gsskrb5_ctx)context_handle, context, message_buffer, token_buffer, - qop_state, "\x01\x01"); + qop_state, (void *)(intptr_t)"\x01\x01"); return ret; } diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 54f92df609..efd0d82c49 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -214,7 +214,7 @@ wrap_des EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; int32_t seq_number; size_t len, total_len, padlength, datalen; diff --git a/source4/heimdal/lib/gssapi/mech/cred.h b/source4/heimdal/lib/gssapi/mech/cred.h index adffe6893e..5661b53239 100644 --- a/source4/heimdal/lib/gssapi/mech/cred.h +++ b/source4/heimdal/lib/gssapi/mech/cred.h @@ -39,3 +39,19 @@ struct _gss_cred { struct _gss_mechanism_cred_list gc_mc; }; +struct _gss_mechanism_cred * +_gss_copy_cred(struct _gss_mechanism_cred *mc); + +struct _gss_mechanism_name; + +OM_uint32 +_gss_acquire_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_name *mn, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + struct _gss_mechanism_cred **output_cred_handle); + diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c index 92d7e7f05d..bf7ea03f72 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c @@ -34,17 +34,17 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) unsigned char *p = input_token->value; size_t len = input_token->length; size_t a, b; - + /* * Token must start with [APPLICATION 0] SEQUENCE. * But if it doesn't assume it is DCE-STYLE Kerberos! */ if (len == 0) return (GSS_S_DEFECTIVE_TOKEN); - + p++; len--; - + /* * Decode the length and make sure it agrees with the * token length. @@ -71,7 +71,7 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) } if (a != len) return (GSS_S_DEFECTIVE_TOKEN); - + /* * Decode the OID for the mechanism. Simplify life by * assuming that the OID length is less than 128 bytes. @@ -84,9 +84,9 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) p += 2; len -= 2; mech_oid->elements = p; - + return GSS_S_COMPLETE; -} +} static gss_OID_desc krb5_mechanism = {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; @@ -221,7 +221,7 @@ gss_accept_sec_context(OM_uint32 *minor_status, acceptor_mc = GSS_C_NO_CREDENTIAL; } delegated_mc = GSS_C_NO_CREDENTIAL; - + mech_ret_flags = 0; major_status = m->gm_accept_sec_context(minor_status, &ctx->gc_ctx, @@ -267,7 +267,7 @@ gss_accept_sec_context(OM_uint32 *minor_status, mech_ret_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { - /* + /* * If the returned mech_type is not the same * as the mech, assume its pseudo mech type * and the returned type is already a diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index c9900148c2..ade65df8ec 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status, struct _gss_cred *cred; struct _gss_mechanism_cred *mc; OM_uint32 min_time, cred_time; - int i; + size_t i; *minor_status = 0; if (output_cred_handle == NULL) diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c index 19deea5b06..a998bc60ff 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -28,7 +28,7 @@ #include "mech_locl.h" -static struct _gss_mechanism_cred * +struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) { struct _gss_mechanism_cred *new_mc; diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c index 191a4a305c..a23270511e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c @@ -47,7 +47,7 @@ * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_aeap.c b/source4/heimdal/lib/gssapi/mech/gss_aeap.c index 141b6ae5ac..3008c0d344 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_aeap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_aeap.c @@ -1,6 +1,6 @@ /* * AEAD support - */ + */ #include "mech_locl.h" @@ -90,7 +90,7 @@ gss_unwrap_iov(OM_uint32 *minor_status, int iov_count) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m; + gssapi_mech_interface m; if (minor_status) *minor_status = 0; @@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status, int iov_count) { OM_uint32 junk; - size_t i; + int i; if (minor_status) *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c index 3099b163b5..48fb720ad0 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c @@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_buffer_set(OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) { - int i; + size_t i; OM_uint32 minor; *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index e87931dc78..bd8ff52120 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -48,7 +48,7 @@ * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_cred.c b/source4/heimdal/lib/gssapi/mech/gss_cred.c index b8fa11185a..99de68776e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_cred.c @@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status, } ret = krb5_storage_write(sp, buffer.value, buffer.length); - if (ret != buffer.length) { + if (ret < 0 || (size_t)ret != buffer.length) { gss_release_buffer(minor_status, &buffer); krb5_storage_free(sp); *minor_status = EINVAL; @@ -183,7 +183,7 @@ gss_import_cred(OM_uint32 * minor_status, buffer.value = data.data; buffer.length = data.length; - major = m->gm_import_cred(minor_status, + major = m->gm_import_cred(minor_status, &buffer, &mcred); krb5_data_free(&data); if (major) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c index 0fe3b4f5a5..3f2974e8ca 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c @@ -34,8 +34,8 @@ #include "mech_locl.h" GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_decapsulate_token(const gss_buffer_t input_token, - const gss_OID oid, +gss_decapsulate_token(gss_const_buffer_t input_token, + gss_const_OID oid, gss_buffer_t output_token) { GSSAPIContextToken ct; @@ -55,7 +55,7 @@ gss_decapsulate_token(const gss_buffer_t input_token, if (ret) { der_free_oid(&o); return GSS_S_FAILURE; - } + } if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) { status = GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c index d6aaf98827..1e508caa9b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_status.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c @@ -190,7 +190,7 @@ gss_display_status(OM_uint32 *minor_status, oid.value = rk_UNCONST("unknown"); oid.length = 7; } - + e = asprintf (&buf, "unknown mech-code %lu for mech %.*s", (unsigned long)status_value, (int)oid.length, (char *)oid.value); diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c index 053825bbc3..a76c87cb85 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c @@ -52,7 +52,7 @@ gss_duplicate_name(OM_uint32 *minor_status, if (major_status != GSS_S_COMPLETE) return (major_status); new_name = (struct _gss_name *) *dest_name; - + HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { struct _gss_mechanism_name *mn2; _gss_find_mn(minor_status, new_name, @@ -67,10 +67,10 @@ gss_duplicate_name(OM_uint32 *minor_status, memset(new_name, 0, sizeof(struct _gss_name)); HEIM_SLIST_INIT(&new_name->gn_mn); *dest_name = (gss_name_t) new_name; - + HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { struct _gss_mechanism_name *new_mn; - + new_mn = malloc(sizeof(*new_mn)); if (!new_mn) { *minor_status = ENOMEM; @@ -78,7 +78,7 @@ gss_duplicate_name(OM_uint32 *minor_status, } new_mn->gmn_mech = mn->gmn_mech; new_mn->gmn_mech_oid = mn->gmn_mech_oid; - + major_status = mn->gmn_mech->gm_duplicate_name(minor_status, mn->gmn_name, &new_mn->gmn_name); diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c index fc0ec736bb..1b1f973eaa 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c @@ -34,8 +34,8 @@ #include "mech_locl.h" GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_encapsulate_token(const gss_buffer_t input_token, - const gss_OID oid, +gss_encapsulate_token(gss_const_buffer_t input_token, + gss_const_OID oid, gss_buffer_t output_token) { GSSAPIContextToken ct; @@ -58,7 +58,7 @@ gss_encapsulate_token(const gss_buffer_t input_token, if (ret) { _mg_buffer_zero(output_token); return GSS_S_FAILURE; - } + } if (output_token->length != size) abort(); diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c index babc8ebdf4..369f3a2257 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c @@ -42,7 +42,7 @@ gss_export_sec_context(OM_uint32 *minor_status, major_status = m->gm_export_sec_context(minor_status, &ctx->gc_ctx, &buf); - + if (major_status == GSS_S_COMPLETE) { unsigned char *p; diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c index 574c058fc2..d1b3dc95b4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status, gssapi_mech_interface m; struct _gss_name *name; gss_name_t new_canonical_name; + int composite = 0; *minor_status = 0; *output_name = 0; @@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status, */ if (len < 2) return (GSS_S_BAD_NAME); - if (p[0] != 4 || p[1] != 1) + if (p[0] != 4) return (GSS_S_BAD_NAME); + switch (p[1]) { + case 1: /* non-composite name */ + break; + case 2: /* composite name */ + composite = 1; + break; + default: + return (GSS_S_BAD_NAME); + } p += 2; len -= 2; @@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status, p += 4; len -= 4; - if (len != t) + if (!composite && len != t) return (GSS_S_BAD_NAME); m = __gss_get_mechanism(&mech_oid); @@ -159,7 +169,7 @@ _gss_import_export_name(OM_uint32 *minor_status, * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ @@ -231,7 +241,7 @@ gss_import_name(OM_uint32 *minor_status, HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { int present = 0; - major_status = gss_test_oid_set_member(minor_status, + major_status = gss_test_oid_set_member(minor_status, name_type, m->gm_name_types, &present); if (major_status || present == 0) diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c index 2a376fefea..9865db78d4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c @@ -58,7 +58,7 @@ gss_import_sec_context(OM_uint32 *minor_status, mech_oid.elements = p + 2; buf.length = len - 2 - mech_oid.length; buf.value = p + 2 + mech_oid.length; - + m = __gss_get_mechanism(&mech_oid); if (!m) return (GSS_S_DEFECTIVE_TOKEN); diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c index 59a1dcf22b..8fd53d956d 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c @@ -35,14 +35,14 @@ gss_indicate_mechs(OM_uint32 *minor_status, struct _gss_mech_switch *m; OM_uint32 major_status; gss_OID_set set; - int i; + size_t i; _gss_load_mech(); major_status = gss_create_empty_oid_set(minor_status, mech_set); if (major_status) return (major_status); - + HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { if (m->gm_mech.gm_indicate_mechs) { major_status = m->gm_mech.gm_indicate_mechs( diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c index cf111ecbae..af0170a50a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -99,7 +99,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c index 0658267b2f..2568075988 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c @@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status, gss_OID *mech_type, OM_uint32 *ctx_flags, int *locally_initiated, - int *open) + int *xopen) { OM_uint32 major_status; struct _gss_context *ctx = (struct _gss_context *) context_handle; @@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status, if (locally_initiated) *locally_initiated = 0; - if (open) - *open = 0; + if (xopen) + *xopen = 0; if (lifetime_rec) *lifetime_rec = 0; @@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status, mech_type, ctx_flags, locally_initiated, - open); + xopen); if (major_status != GSS_S_COMPLETE) { _gss_mg_error(m, major_status, *minor_status); diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c index 900370a5db..e674dd48f3 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status, HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET; - int i; + size_t i; m = mc->gmc_mech; if (m == NULL) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 594b41ef8e..fe88a384b5 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -188,7 +188,7 @@ out: GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity(const char *identity) { - struct _gss_mech_switch *m; + gssapi_mech_interface m; gss_buffer_desc buffer; OM_uint32 junk; @@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity) buffer.value = rk_UNCONST(identity); buffer.length = strlen(identity); - HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { - if (m->gm_mech.gm_set_sec_context_option == NULL) - continue; - m->gm_mech.gm_set_sec_context_option(&junk, NULL, - GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); - } + m = __gss_get_mechanism(GSS_KRB5_MECHANISM); + if (m == NULL || m->gm_set_sec_context_option == NULL) + return GSS_S_FAILURE; - return (GSS_S_COMPLETE); + return m->gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); } GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL @@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_buffer_desc buffer; krb5_storage *sp; krb5_data data; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index f7f75c13f9..55e01094ff 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -62,7 +62,7 @@ _gss_string_to_oid(const char* s, gss_OID oid) if (q) q = q + 1; number_count++; } - + /* * The first two numbers are in the first byte and each * subsequent number is encoded in a variable byte sequence. @@ -126,7 +126,7 @@ _gss_string_to_oid(const char* s, gss_OID oid) while (bytes) { if (res) { int bit = 7*(bytes-1); - + *res = (number >> bit) & 0x7f; if (bytes != 1) *res |= 0x80; @@ -152,7 +152,8 @@ _gss_string_to_oid(const char* s, gss_OID oid) #define SYM(name) \ do { \ m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ - if (!m->gm_mech.gm_ ## name) { \ + if (!m->gm_mech.gm_ ## name || \ + m->gm_mech.gm_ ##name == gss_ ## name) { \ fprintf(stderr, "can't find symbol gss_" #name "\n"); \ goto bad; \ } \ @@ -160,7 +161,28 @@ do { \ #define OPTSYM(name) \ do { \ - m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ + m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ + if (m->gm_mech.gm_ ## name == gss_ ## name) \ + m->gm_mech.gm_ ## name = NULL; \ +} while (0) + +#define OPTSPISYM(name) \ +do { \ + m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name); \ +} while (0) + +#define COMPATSYM(name) \ +do { \ + m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name); \ + if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \ + m->gm_mech.gm_compat->gmc_ ## name = NULL; \ +} while (0) + +#define COMPATSPISYM(name) \ +do { \ + m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\ + if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \ + m->gm_mech.gm_compat->gmc_ ## name = NULL; \ } while (0) /* @@ -283,28 +305,26 @@ _gss_load_mech(void) #endif so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP); - if (!so) { + if (so == NULL) { /* fprintf(stderr, "dlopen: %s\n", dlerror()); */ - free(mech_oid.elements); - continue; + goto bad; } - m = malloc(sizeof(*m)); - if (!m) { - free(mech_oid.elements); - break; - } + m = calloc(1, sizeof(*m)); + if (m == NULL) + goto bad; + m->gm_so = so; m->gm_mech.gm_mech_oid = mech_oid; m->gm_mech.gm_flags = 0; - + m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct)); + if (m->gm_mech.gm_compat == NULL) + goto bad; + major_status = gss_add_oid_set_member(&minor_status, &m->gm_mech.gm_mech_oid, &_gss_mech_oids); - if (major_status) { - free(m->gm_mech.gm_mech_oid.elements); - free(m); - continue; - } + if (GSS_ERROR(major_status)) + goto bad; SYM(acquire_cred); SYM(release_cred); @@ -338,34 +358,64 @@ _gss_load_mech(void) OPTSYM(inquire_cred_by_oid); OPTSYM(inquire_sec_context_by_oid); OPTSYM(set_sec_context_option); - OPTSYM(set_cred_option); + OPTSPISYM(set_cred_option); OPTSYM(pseudo_random); OPTSYM(wrap_iov); OPTSYM(unwrap_iov); OPTSYM(wrap_iov_length); + OPTSYM(store_cred); + OPTSYM(export_cred); + OPTSYM(import_cred); +#if 0 + OPTSYM(acquire_cred_ext); + OPTSYM(iter_creds); + OPTSYM(destroy_cred); + OPTSYM(cred_hold); + OPTSYM(cred_unhold); + OPTSYM(cred_label_get); + OPTSYM(cred_label_set); +#endif OPTSYM(display_name_ext); OPTSYM(inquire_name); OPTSYM(get_name_attribute); OPTSYM(set_name_attribute); OPTSYM(delete_name_attribute); OPTSYM(export_name_composite); + OPTSYM(pname_to_uid); + OPTSPISYM(authorize_localname); mi = dlsym(so, "gss_mo_init"); if (mi != NULL) { - major_status = mi(&minor_status, - &mech_oid, - &m->gm_mech.gm_mo, - &m->gm_mech.gm_mo_num); + major_status = mi(&minor_status, &mech_oid, + &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num); if (GSS_ERROR(major_status)) goto bad; + } else { + /* API-as-SPI compatibility */ + COMPATSYM(inquire_saslname_for_mech); + COMPATSYM(inquire_mech_for_saslname); + COMPATSYM(inquire_attrs_for_mech); + COMPATSPISYM(acquire_cred_with_password); } + /* pick up the oid sets of names */ + + if (m->gm_mech.gm_inquire_names_for_mech) + (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status, + &m->gm_mech.gm_mech_oid, &m->gm_name_types); + + if (m->gm_name_types == NULL) + gss_create_empty_oid_set(&minor_status, &m->gm_name_types); + HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); continue; bad: - free(m->gm_mech.gm_mech_oid.elements); - free(m); + if (m != NULL) { + free(m->gm_mech.gm_compat); + free(m->gm_mech.gm_mech_oid.elements); + free(m); + } dlclose(so); continue; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_mo.c b/source4/heimdal/lib/gssapi/mech/gss_mo.c index cb24b764a5..ad74d9237a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mo.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mo.c @@ -4,6 +4,7 @@ * All rights reserved. * * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,13 +36,14 @@ #include "mech_locl.h" +#include <crypto-headers.h> + static int get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) { return def; } - int _gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) { @@ -60,10 +62,10 @@ _gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t valu if (value) { value->value = strdup((char *)mo->ctx); if (value->value == NULL) - return 1; + return GSS_S_FAILURE; value->length = strlen((char *)mo->ctx); } - return 0; + return GSS_S_COMPLETE; } GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL @@ -79,7 +81,8 @@ gss_mo_set(gss_const_OID mech, gss_const_OID option, for (n = 0; n < m->gm_mo_num; n++) if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set) return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value); - return 0; + + return GSS_S_UNAVAILABLE; } GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL @@ -91,13 +94,13 @@ gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value) _mg_buffer_zero(value); if ((m = __gss_get_mechanism(mech)) == NULL) - return 0; + return GSS_S_BAD_MECH; for (n = 0; n < m->gm_mo_num; n++) if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get) return m->gm_mo[n].get(mech, &m->gm_mo[n], value); - return 0; + return GSS_S_UNAVAILABLE; } static void @@ -147,7 +150,8 @@ gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name) for (n = 0; n < m->gm_mo_num; n++) { if (gss_oid_equal(option, m->gm_mo[n].option)) { /* - * If ther is no name, its because its a GSS_C_MA and there is already a table for that. + * If there is no name, its because its a GSS_C_MA and + * there is already a table for that. */ if (m->gm_mo[n].name) { name->value = strdup(m->gm_mo[n].name); @@ -175,14 +179,86 @@ mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name) if (name == NULL) return GSS_S_COMPLETE; - if (gss_mo_get(mech, option, name) != 0 && name->length == 0) - return GSS_S_FAILURE; + return gss_mo_get(mech, option, name); +} + +/* code derived from draft-ietf-cat-sasl-gssapi-01 */ +static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; + +static OM_uint32 +make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16]) +{ + EVP_MD_CTX *ctx; + char *p = sasl_name; + u_char hdr[2], hash[20], *h = hash; + + if (mech->length > 127) + return GSS_S_BAD_MECH; + + hdr[0] = 0x06; + hdr[1] = mech->length; + + ctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(ctx, hdr, 2); + EVP_DigestUpdate(ctx, mech->elements, mech->length); + EVP_DigestFinal_ex(ctx, hash, NULL); + + memcpy(p, "GS2-", 4); + p += 4; + + *p++ = basis_32[(h[0] >> 3)]; + *p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)]; + *p++ = basis_32[(h[1] & 0x3f) >> 1]; + *p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)]; + *p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)]; + *p++ = basis_32[(h[3] & 0x7f) >> 2]; + *p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)]; + *p++ = basis_32[(h[4] & 0x1f)]; + *p++ = basis_32[(h[5] >> 3)]; + *p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)]; + *p++ = basis_32[(h[6] & 0x3f) >> 1]; + + *p = '\0'; return GSS_S_COMPLETE; } +/* + * gss_inquire_saslname_for_mech() wrapper that uses MIT SPI + */ +static OM_uint32 +inquire_saslname_for_mech_compat(OM_uint32 *minor, + const gss_OID desired_mech, + gss_buffer_t sasl_mech_name, + gss_buffer_t mech_name, + gss_buffer_t mech_description) +{ + struct gss_mech_compat_desc_struct *gmc; + gssapi_mech_interface m; + OM_uint32 major; + + m = __gss_get_mechanism(desired_mech); + if (m == NULL) + return GSS_S_BAD_MECH; + + gmc = m->gm_compat; + + if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) { + major = gmc->gmc_inquire_saslname_for_mech(minor, + desired_mech, + sasl_mech_name, + mech_name, + mech_description); + } else { + major = GSS_S_UNAVAILABLE; + } + + return major; +} + /** - * Returns differnt protocol names and description of the mechanism. + * Returns different protocol names and description of the mechanism. * * @param minor_status minor status code * @param desired_mech mech list query @@ -215,15 +291,41 @@ gss_inquire_saslname_for_mech(OM_uint32 *minor_status, return GSS_S_BAD_MECH; major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name); - if (major) return major; + if (major == GSS_S_COMPLETE) { + /* Native SPI */ + major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name); + if (GSS_ERROR(major)) + return major; + + major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description); + if (GSS_ERROR(major)) + return major; + } - major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name); - if (major) return major; + if (GSS_ERROR(major)) { + /* API-as-SPI compatibility */ + major = inquire_saslname_for_mech_compat(minor_status, + desired_mech, + sasl_mech_name, + mech_name, + mech_description); + } - major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description); - if (major) return major; + if (GSS_ERROR(major)) { + /* Algorithmically dervied SASL mechanism name */ + char buf[16]; + gss_buffer_desc tmp = { sizeof(buf) - 1, buf }; - return GSS_S_COMPLETE; + major = make_sasl_name(minor_status, desired_mech, buf); + if (GSS_ERROR(major)) + return major; + + major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name); + if (GSS_ERROR(major)) + return major; + } + + return major; } /** @@ -243,29 +345,91 @@ gss_inquire_mech_for_saslname(OM_uint32 *minor_status, { struct _gss_mech_switch *m; gss_buffer_desc name; - OM_uint32 major; + OM_uint32 major, junk; + char buf[16]; _gss_load_mech(); *mech_type = NULL; HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { - - major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name); - if (major) - continue; - if (name.length == sasl_mech_name->length && - memcmp(name.value, sasl_mech_name->value, name.length) == 0) { - gss_release_buffer(&major, &name); - *mech_type = &m->gm_mech_oid; - return 0; + struct gss_mech_compat_desc_struct *gmc; + + /* Native SPI */ + major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name); + if (major == GSS_S_COMPLETE && + name.length == sasl_mech_name->length && + memcmp(name.value, sasl_mech_name->value, name.length) == 0) { + gss_release_buffer(&junk, &name); + *mech_type = &m->gm_mech_oid; + return GSS_S_COMPLETE; } - gss_release_buffer(&major, &name); + gss_release_buffer(&junk, &name); + + if (GSS_ERROR(major)) { + /* API-as-SPI compatibility */ + gmc = m->gm_mech.gm_compat; + if (gmc && gmc->gmc_inquire_mech_for_saslname) { + major = gmc->gmc_inquire_mech_for_saslname(minor_status, + sasl_mech_name, + mech_type); + if (major == GSS_S_COMPLETE) + return GSS_S_COMPLETE; + } + } + + if (GSS_ERROR(major)) { + /* Algorithmically dervied SASL mechanism name */ + if (sasl_mech_name->length == 16 && + make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE && + memcmp(buf, sasl_mech_name->value, 16) == 0) { + *mech_type = &m->gm_mech_oid; + return GSS_S_COMPLETE; + } + } } return GSS_S_BAD_MECH; } +/* + * Test mechanism against indicated attributes using both Heimdal and + * MIT SPIs. + */ +static int +test_mech_attrs(gssapi_mech_interface mi, + gss_const_OID_set mech_attrs, + gss_const_OID_set against_attrs, + int except) +{ + size_t n, m; + int eq = 0; + + if (against_attrs == GSS_C_NO_OID_SET) + return 1; + + for (n = 0; n < against_attrs->count; n++) { + for (m = 0; m < mi->gm_mo_num; m++) { + eq = gss_oid_equal(mi->gm_mo[m].option, + &against_attrs->elements[n]); + if (eq) + break; + } + if (mech_attrs != GSS_C_NO_OID_SET) { + for (m = 0; m < mech_attrs->count; m++) { + eq = gss_oid_equal(&mech_attrs->elements[m], + &against_attrs->elements[n]); + if (eq) + break; + } + } + if (!eq ^ except) + return 0; + } + + return 1; +} + /** * Return set of mechanism that fullfill the criteria * @@ -286,57 +450,49 @@ gss_indicate_mechs_by_attrs(OM_uint32 * minor_status, gss_OID_set *mechs) { struct _gss_mech_switch *ms; + gss_OID_set mech_attrs = GSS_C_NO_OID_SET; + gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET; OM_uint32 major; - size_t n, m; major = gss_create_empty_oid_set(minor_status, mechs); - if (major) + if (GSS_ERROR(major)) return major; _gss_load_mech(); HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) { gssapi_mech_interface mi = &ms->gm_mech; - - if (desired_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - break; - if (m == mi->gm_mo_num) - goto next; - } - } - - if (except_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) { - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - goto next; - } - } - } - - if (critical_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) { - if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL) - continue; - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - break; - } - if (m == mi->gm_mo_num) - goto next; - } - } - - - next: - do { } while(0); + struct gss_mech_compat_desc_struct *gmc = mi->gm_compat; + OM_uint32 tmp; + + if (gmc && gmc->gmc_inquire_attrs_for_mech) { + major = gmc->gmc_inquire_attrs_for_mech(minor_status, + &mi->gm_mech_oid, + &mech_attrs, + &known_mech_attrs); + if (GSS_ERROR(major)) + continue; + } + + /* + * Test mechanism supports all of desired_mech_attrs; + * none of except_mech_attrs; + * and knows of all critical_mech_attrs. + */ + if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) && + test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) && + test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) { + major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs); + } + + gss_release_oid_set(&tmp, &mech_attrs); + gss_release_oid_set(&tmp, &known_mech_attrs); + + if (GSS_ERROR(major)) + break; } - - return GSS_S_FAILURE; + return major; } /** @@ -361,30 +517,45 @@ gss_inquire_attrs_for_mech(OM_uint32 * minor_status, { OM_uint32 major, junk; + if (known_mech_attrs) + *known_mech_attrs = GSS_C_NO_OID_SET; + if (mech_attr && mech) { gssapi_mech_interface m; + struct gss_mech_compat_desc_struct *gmc; if ((m = __gss_get_mechanism(mech)) == NULL) { *minor_status = 0; return GSS_S_BAD_MECH; } - major = gss_create_empty_oid_set(minor_status, mech_attr); - if (major != GSS_S_COMPLETE) + gmc = m->gm_compat; + + if (gmc && gmc->gmc_inquire_attrs_for_mech) { + major = gmc->gmc_inquire_attrs_for_mech(minor_status, + mech, + mech_attr, + known_mech_attrs); + } else { + major = gss_create_empty_oid_set(minor_status, mech_attr); + if (major == GSS_S_COMPLETE) + add_all_mo(m, mech_attr, GSS_MO_MA); + } + if (GSS_ERROR(major)) return major; - - add_all_mo(m, mech_attr, GSS_MO_MA); - } + } if (known_mech_attrs) { struct _gss_mech_switch *m; - major = gss_create_empty_oid_set(minor_status, known_mech_attrs); - if (major) { - if (mech_attr) - gss_release_oid_set(&junk, mech_attr); - return major; - } + if (*known_mech_attrs == GSS_C_NO_OID_SET) { + major = gss_create_empty_oid_set(minor_status, known_mech_attrs); + if (GSS_ERROR(major)) { + if (mech_attr) + gss_release_oid_set(&junk, mech_attr); + return major; + } + } _gss_load_mech(); @@ -434,28 +605,28 @@ gss_display_mech_attr(OM_uint32 * minor_status, return GSS_S_BAD_MECH_ATTR; if (name) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->name); - n.length = strlen(ma->name); - major = _gss_copy_buffer(minor_status, &n, name); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->name); + bd.length = strlen(ma->name); + major = _gss_copy_buffer(minor_status, &bd, name); if (major != GSS_S_COMPLETE) return major; } if (short_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->short_desc); - n.length = strlen(ma->short_desc); - major = _gss_copy_buffer(minor_status, &n, short_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->short_desc); + bd.length = strlen(ma->short_desc); + major = _gss_copy_buffer(minor_status, &bd, short_desc); if (major != GSS_S_COMPLETE) return major; } if (long_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->long_desc); - n.length = strlen(ma->long_desc); - major = _gss_copy_buffer(minor_status, &n, long_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->long_desc); + bd.length = strlen(ma->long_desc); + major = _gss_copy_buffer(minor_status, &bd, long_desc); if (major != GSS_S_COMPLETE) return major; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c index 4b470c775f..43e0e2a85c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_names.c +++ b/source4/heimdal/lib/gssapi/mech/gss_names.c @@ -58,7 +58,7 @@ _gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, mn = malloc(sizeof(struct _gss_mechanism_name)); if (!mn) return GSS_S_FAILURE; - + major_status = m->gm_import_name(minor_status, &name->gn_value, (name->gn_type.elements diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid.c b/source4/heimdal/lib/gssapi/mech/gss_oid.c index bac97cacd0..916d1e4dda 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid.c @@ -2,220 +2,226 @@ #include "mech_locl.h" /* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") }; /* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") }; /* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") }; /* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") }; /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") }; /* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") }; /* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") }; /* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") }; /* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") }; /* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") }; /* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") }; /* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") }; /* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") }; /* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") }; /* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") }; /* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") }; /* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") }; /* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") }; /* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") }; /* GSS_C_NT_NTLM - 1.2.752.43.13.21 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") }; /* GSS_C_NT_DN - 1.2.752.43.13.22 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") }; /* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") }; /* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") }; /* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") }; /* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") }; /* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") }; /* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") }; /* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") }; /* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") }; /* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") }; /* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") }; /* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") }; + +/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */ +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" }; + +/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */ +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" }; /* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; /* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") }; /* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") }; /* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") }; /* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") }; /* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") }; /* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") }; /* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; /* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") }; /* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") }; /* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") }; /* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") }; /* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") }; /* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") }; /* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") }; /* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") }; /* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") }; /* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") }; /* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") }; /* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") }; /* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") }; /* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") }; /* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") }; /* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") }; /* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") }; /* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") }; /* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") }; /* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") }; /* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") }; /* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") }; /* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") }; /* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") }; /* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") }; /* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") }; /* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") }; /* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") }; /* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") }; /* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") }; struct _gss_oid_name_table _gss_ont_ma[] = { { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" }, diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c index 7d6ded39e4..b125ede66f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c @@ -43,7 +43,7 @@ * * @return non-zero when both oid are the same OID, zero when they are * not the same. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c index 759eaec4c3..fd0b5df36b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c @@ -40,7 +40,7 @@ * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c index 62be485a07..d33453d92f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c +++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c @@ -93,13 +93,13 @@ gss_set_cred_option (OM_uint32 *minor_status, HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { m = mc->gmc_mech; - + if (m == NULL) return GSS_S_BAD_MECH; - + if (m->gm_set_cred_option == NULL) continue; - + major_status = m->gm_set_cred_option(minor_status, &mc->gmc_cred, object, value); if (major_status == GSS_S_COMPLETE) diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c index 4c4d349045..715d34bf06 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c @@ -34,7 +34,7 @@ gss_test_oid_set_member(OM_uint32 *minor_status, const gss_OID_set set, int *present) { - int i; + size_t i; *present = 0; for (i = 0; i < set->count; i++) diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c index e79814aea7..9bebcf6cf0 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c @@ -38,7 +38,7 @@ gss_wrap_size_limit(OM_uint32 *minor_status, { struct _gss_context *ctx = (struct _gss_context *) context_handle; gssapi_mech_interface m; - + *max_input_size = 0; if (ctx == NULL) { *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/mech/mech_locl.h b/source4/heimdal/lib/gssapi/mech/mech_locl.h index cb10c23c38..6c23ac5256 100644 --- a/source4/heimdal/lib/gssapi/mech/mech_locl.h +++ b/source4/heimdal/lib/gssapi/mech/mech_locl.h @@ -62,6 +62,7 @@ #include "mech_switch.h" #include "name.h" #include "utils.h" +#include "compat.h" #define _mg_buffer_zero(buffer) \ do { \ diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index 35bc56fbb7..3a51dd3a0a 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -90,7 +90,7 @@ send_supported_mechs (OM_uint32 *minor_status, gss_buffer_t output_token) { NegotiationTokenWin nt; - size_t buf_len; + size_t buf_len = 0; gss_buffer_desc data; OM_uint32 ret; @@ -132,8 +132,10 @@ send_supported_mechs (OM_uint32 *minor_status, *minor_status = ret; return GSS_S_FAILURE; } - if (data.length != buf_len) + if (data.length != buf_len) { abort(); + UNREACHABLE(return GSS_S_FAILURE); + } ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token); @@ -316,7 +318,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, gss_OID_desc oid; gss_OID oidp; gss_OID_set mechs; - int i; + size_t i; OM_uint32 ret, junk; ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1, @@ -368,12 +370,13 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, host = getenv("GSSAPI_SPNEGO_NAME"); if (host == NULL || issuid()) { + int rv; if (gethostname(hostname, sizeof(hostname)) != 0) { *minor_status = errno; return GSS_S_FAILURE; } - i = asprintf(&str, "host@%s", hostname); - if (i < 0 || str == NULL) { + rv = asprintf(&str, "host@%s", hostname); + if (rv < 0 || str == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } @@ -410,10 +413,6 @@ acceptor_complete(OM_uint32 * minor_status, { OM_uint32 ret; int require_mic, verify_mic; - gss_buffer_desc buf; - - buf.length = 0; - buf.value = NULL; ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic); if (ret) @@ -435,11 +434,11 @@ acceptor_complete(OM_uint32 * minor_status, verify_mic = 0; *get_mic = 1; } - + if (verify_mic || *get_mic) { int eret; - size_t buf_len; - + size_t buf_len = 0; + ASN1_MALLOC_ENCODE(MechTypeList, mech_buf->value, mech_buf->length, &ctx->initiator_mech_types, &buf_len, eret); @@ -447,24 +446,19 @@ acceptor_complete(OM_uint32 * minor_status, *minor_status = eret; return GSS_S_FAILURE; } - if (buf.length != buf_len) - abort(); + heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error"); + UNREACHABLE(return GSS_S_FAILURE); } - + if (verify_mic) { ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic); if (ret) { if (*get_mic) send_reject (minor_status, output_token); - if (buf.value) - free(buf.value); return ret; } ctx->verified_mic = 1; } - if (buf.value) - free(buf.value); - } else *get_mic = 0; @@ -491,7 +485,6 @@ acceptor_start NegotiationToken nt; size_t nt_len; NegTokenInit *ni; - int i; gss_buffer_desc data; gss_buffer_t mech_input_token = GSS_C_NO_BUFFER; gss_buffer_desc mech_output_token; @@ -507,7 +500,7 @@ acceptor_start if (input_token_buffer->length == 0) return send_supported_mechs (minor_status, output_token); - + ret = _gss_spnego_alloc_sec_context(minor_status, context_handle); if (ret != GSS_S_COMPLETE) return ret; @@ -573,7 +566,7 @@ acceptor_start if (ctx->mech_src_name != GSS_C_NO_NAME) gss_release_name(&junk, &ctx->mech_src_name); - + ret = gss_accept_sec_context(minor_status, &ctx->negotiated_ctx_id, acceptor_cred_handle, @@ -613,13 +606,14 @@ acceptor_start */ if (!first_ok && ni->mechToken != NULL) { + size_t j; preferred_mech_type = GSS_C_NO_OID; /* Call glue layer to find first mech we support */ - for (i = 1; i < ni->mechTypes.len; ++i) { + for (j = 1; j < ni->mechTypes.len; ++j) { ret = select_mech(minor_status, - &ni->mechTypes.val[i], + &ni->mechTypes.val[j], 1, &preferred_mech_type); if (ret == 0) diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c index b23658cfd1..cf5ee30a84 100644 --- a/source4/heimdal/lib/gssapi/spnego/compat.c +++ b/source4/heimdal/lib/gssapi/spnego/compat.c @@ -41,10 +41,10 @@ * Kerberos mechanism. */ gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc = - {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"}; + {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")}; gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc = - {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; /* * Allocate a SPNEGO context handle @@ -241,7 +241,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, gss_OID_set supported_mechs = GSS_C_NO_OID_SET; gss_OID first_mech = GSS_C_NO_OID; OM_uint32 ret; - int i; + size_t i; mechtypelist->len = 0; mechtypelist->val = NULL; diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c index 18c13fe299..60b348ec46 100644 --- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c @@ -37,7 +37,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs) { OM_uint32 ret, junk; gss_OID_set m; - int i; + size_t i; ret = gss_indicate_mechs(minor_status, &m); if (ret != GSS_S_COMPLETE) @@ -565,7 +565,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech ( { gss_OID_set mechs, names, n; OM_uint32 ret, junk; - int i, j; + size_t i, j; *name_types = NULL; diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c index 2920f3d9b5..fc43d6a4a6 100644 --- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c @@ -70,7 +70,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred OM_uint32 ret, tmp; gss_OID_set_desc actual_desired_mechs; gss_OID_set mechs; - int i, j; + size_t i, j; *output_cred_handle = GSS_C_NO_CREDENTIAL; diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c index 5054754150..ca06d46e82 100644 --- a/source4/heimdal/lib/gssapi/spnego/external.c +++ b/source4/heimdal/lib/gssapi/spnego/external.c @@ -39,13 +39,12 @@ * negotiation token is identified by the Object Identifier * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). */ - static gss_mo_desc spnego_mo[] = { { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "SPNEGO", + rk_UNCONST("SPNEGO"), _gss_mo_get_ctx_as_string, NULL }, @@ -53,7 +52,7 @@ static gss_mo_desc spnego_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "SPNEGO", + rk_UNCONST("SPNEGO"), _gss_mo_get_ctx_as_string, NULL }, @@ -61,7 +60,7 @@ static gss_mo_desc spnego_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal SPNEGO Mechanism", + rk_UNCONST("Heimdal SPNEGO Mechanism"), _gss_mo_get_ctx_as_string, NULL }, @@ -78,7 +77,7 @@ static gss_mo_desc spnego_mo[] = { static gssapi_mech_interface_desc spnego_mech = { GMI_VERSION, "spnego", - {6, (void *)"\x2b\x06\x01\x05\x05\x02"}, + {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") }, 0, _gss_spnego_acquire_cred, _gss_spnego_release_cred, @@ -128,7 +127,13 @@ static gssapi_mech_interface_desc spnego_mech = { NULL, NULL, spnego_mo, - sizeof(spnego_mo) / sizeof(spnego_mo[0]) + sizeof(spnego_mo) / sizeof(spnego_mo[0]), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c index c9e182129d..b4b1bcefc5 100644 --- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c @@ -392,7 +392,7 @@ spnego_reply NegotiationToken resp; gss_OID_desc mech; int require_mic; - size_t buf_len; + size_t buf_len = 0; gss_buffer_desc mic_buf, mech_buf; gss_buffer_desc mech_output_token; gssspnego_ctx ctx; @@ -557,8 +557,10 @@ spnego_reply *minor_status = ret; return GSS_S_FAILURE; } - if (mech_buf.length != buf_len) + if (mech_buf.length != buf_len) { abort(); + UNREACHABLE(return GSS_S_FAILURE); + } if (resp.u.negTokenResp.mechListMIC == NULL) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h index dacaa3310e..3e151c7c2a 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -71,6 +71,8 @@ #include "utils.h" #include <der.h> +#include <heimbase.h> + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) typedef struct { diff --git a/source4/heimdal/lib/gssapi/version-script.map b/source4/heimdal/lib/gssapi/version-script.map index 7591121333..ebd8ee21ac 100644 --- a/source4/heimdal/lib/gssapi/version-script.map +++ b/source4/heimdal/lib/gssapi/version-script.map @@ -2,7 +2,8 @@ HEIMDAL_GSS_2.0 { global: - __gss_c_nt_anonymous; +# __gss_c_nt_anonymous; + __gss_c_nt_anonymous_oid_desc; __gss_c_nt_export_name_oid_desc; __gss_c_nt_hostbased_service_oid_desc; __gss_c_nt_hostbased_service_x_oid_desc; @@ -11,11 +12,17 @@ HEIMDAL_GSS_2.0 { __gss_c_nt_user_name_oid_desc; __gss_krb5_nt_principal_name_oid_desc; __gss_c_attr_stream_sizes_oid_desc; + __gss_c_cred_password_oid_desc; + __gss_c_cred_certificate_oid_desc; + GSS_C_ATTR_LOCAL_LOGIN_USER; gss_accept_sec_context; gss_acquire_cred; + gss_acquire_cred_with_password; gss_add_buffer_set_member; gss_add_cred; + gss_add_cred_with_password; gss_add_oid_set_member; + gss_authorize_localname; gss_canonicalize_name; gss_compare_name; gss_context_query_attributes; @@ -61,6 +68,7 @@ HEIMDAL_GSS_2.0 { gss_mg_collect_error; gss_oid_equal; gss_oid_to_str; + gss_pname_to_uid; gss_process_context_token; gss_pseudo_random; gss_release_buffer; @@ -75,10 +83,12 @@ HEIMDAL_GSS_2.0 { gss_set_name_attribute; gss_set_sec_context_option; gss_sign; + gss_store_cred; gss_test_oid_set_member; gss_unseal; gss_unwrap; gss_unwrap_iov; + gss_userok; gss_verify; gss_verify_mic; gss_wrap; diff --git a/source4/heimdal/lib/hcrypto/camellia-ntt.c b/source4/heimdal/lib/hcrypto/camellia-ntt.c index 79c5a884ec..0ee13f3f54 100644 --- a/source4/heimdal/lib/hcrypto/camellia-ntt.c +++ b/source4/heimdal/lib/hcrypto/camellia-ntt.c @@ -1050,7 +1050,7 @@ static void camellia_encrypt128(const u32 *subkey, u32 *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - + return; } @@ -1268,7 +1268,7 @@ static void camellia_decrypt256(const u32 *subkey, u32 *io) /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(32); io[1] ^= CamelliaSubkeyR(32); - + /* main iteration */ CAMELLIA_ROUNDSM(io[0],io[1], CamelliaSubkeyL(31),CamelliaSubkeyR(31), diff --git a/source4/heimdal/lib/hcrypto/des.c b/source4/heimdal/lib/hcrypto/des.c index 43ff8a3f50..2e3192bff8 100644 --- a/source4/heimdal/lib/hcrypto/des.c +++ b/source4/heimdal/lib/hcrypto/des.c @@ -254,10 +254,10 @@ DES_set_key_unchecked(DES_cblock *key, DES_key_schedule *ks) for (i = 0; i < 16; i++) { uint32_t kc, kd; - + ROTATE_LEFT28(c, shifts[i]); ROTATE_LEFT28(d, shifts[i]); - + kc = pc2_c_1[(c >> 22) & 0x3f] | pc2_c_2[((c >> 16) & 0x30) | ((c >> 15) & 0xf)] | pc2_c_3[((c >> 9 ) & 0x3c) | ((c >> 8 ) & 0x3)] | @@ -780,7 +780,7 @@ DES_cbc_cksum(const void *in, DES_cblock *output, u[0] ^= uiv[0]; u[1] ^= uiv[1]; DES_encrypt(u, ks, 1); uiv[0] = u[0]; uiv[1] = u[1]; - + length -= DES_CBLOCK_LEN; input += DES_CBLOCK_LEN; } diff --git a/source4/heimdal/lib/hcrypto/des.h b/source4/heimdal/lib/hcrypto/des.h index 99eb76c818..0824408c47 100644 --- a/source4/heimdal/lib/hcrypto/des.h +++ b/source4/heimdal/lib/hcrypto/des.h @@ -87,7 +87,7 @@ typedef struct DES_key_schedule #ifndef HC_DEPRECATED #if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define HC_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) && (_MSC_VER>1200) +#elif defined(_MSC_VER) && (_MSC_VER>1200) #define HC_DEPRECATED __declspec(deprecated) #else #define HC_DEPRECATED diff --git a/source4/heimdal/lib/hcrypto/dh-ltm.c b/source4/heimdal/lib/hcrypto/dh-ltm.c index f66cd5aff2..6af43cf044 100644 --- a/source4/heimdal/lib/hcrypto/dh-ltm.c +++ b/source4/heimdal/lib/hcrypto/dh-ltm.c @@ -112,11 +112,11 @@ ltm_dh_generate_key(DH *dh) BN_free(dh->pub_key); mp_init_multi(&pub, &priv_key, &g, &p, NULL); - + BN2mpz(&priv_key, dh->priv_key); BN2mpz(&g, dh->g); BN2mpz(&p, dh->p); - + res = mp_exptmod(&g, &priv_key, &p, &pub); mp_clear_multi(&priv_key, &g, &p, NULL); @@ -127,7 +127,7 @@ ltm_dh_generate_key(DH *dh) mp_clear(&pub); if (dh->pub_key == NULL) return 0; - + if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0) break; if (have_private_key) diff --git a/source4/heimdal/lib/hcrypto/dh.c b/source4/heimdal/lib/hcrypto/dh.c index 43e1d6ac1b..e1f82bfd3b 100644 --- a/source4/heimdal/lib/hcrypto/dh.c +++ b/source4/heimdal/lib/hcrypto/dh.c @@ -539,8 +539,10 @@ i2d_DHparams(DH *dh, unsigned char **pp) free_DHParameter(&data); if (ret) return -1; - if (len != size) + if (len != size) { abort(); + return -1; + } memcpy(*pp, p, size); free(p); diff --git a/source4/heimdal/lib/hcrypto/engine.c b/source4/heimdal/lib/hcrypto/engine.c index 15853420f6..3b22e56201 100644 --- a/source4/heimdal/lib/hcrypto/engine.c +++ b/source4/heimdal/lib/hcrypto/engine.c @@ -339,7 +339,7 @@ ENGINE_by_dso(const char *path, const char *id) dlclose(handle); free(engine); return NULL; - } + } } { @@ -357,7 +357,7 @@ ENGINE_by_dso(const char *path, const char *id) dlclose(handle); free(engine); return NULL; - } + } } ENGINE_up_ref(engine); diff --git a/source4/heimdal/lib/hcrypto/evp.c b/source4/heimdal/lib/hcrypto/evp.c index 7bd066fd5d..75eefc4931 100644 --- a/source4/heimdal/lib/hcrypto/evp.c +++ b/source4/heimdal/lib/hcrypto/evp.c @@ -415,7 +415,7 @@ EVP_sha1(void) const EVP_MD * EVP_sha(void) HC_DEPRECATED - + { hcrypto_validate(); return EVP_sha1(); @@ -875,7 +875,7 @@ EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, void *out, int *outlen, ctx->buf_len += inlen; return 1; } - + /* fill in local buffer and encrypt */ memcpy(ctx->buf + ctx->buf_len, in, left); ret = (*ctx->cipher->do_cipher)(ctx, out, ctx->buf, blocksize); @@ -893,7 +893,7 @@ EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, void *out, int *outlen, if (inlen) { ctx->buf_len = (inlen & ctx->block_mask); inlen &= ~ctx->block_mask; - + ret = (*ctx->cipher->do_cipher)(ctx, out, in, inlen); if (ret != 1) return ret; diff --git a/source4/heimdal/lib/hcrypto/evp.h b/source4/heimdal/lib/hcrypto/evp.h index c56eedec45..626c463296 100644 --- a/source4/heimdal/lib/hcrypto/evp.h +++ b/source4/heimdal/lib/hcrypto/evp.h @@ -195,7 +195,7 @@ struct hc_evp_md { #ifndef HC_DEPRECATED #if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define HC_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) && (_MSC_VER>1200) +#elif defined(_MSC_VER) && (_MSC_VER>1200) #define HC_DEPRECATED __declspec(deprecated) #else #define HC_DEPRECATED diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_mp_invmod.c b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_mp_invmod.c index ff03dfffe3..f4780d8e8c 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_mp_invmod.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_mp_invmod.c @@ -15,10 +15,10 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* computes the modular inverse via binary extended euclidean algorithm, - * that is c = 1/a mod b +/* computes the modular inverse via binary extended euclidean algorithm, + * that is c = 1/a mod b * - * Based on slow invmod except this is optimized for the case where b is + * Based on slow invmod except this is optimized for the case where b is * odd as per HAC Note 14.64 on pp. 610 */ int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c) diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_digs.c b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_digs.c index 91e10d670f..90f161b102 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_digs.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_digs.c @@ -17,15 +17,15 @@ /* Fast (comba) multiplier * - * This is the fast column-array [comba] multiplier. It is - * designed to compute the columns of the product first - * then handle the carries afterwards. This has the effect + * This is the fast column-array [comba] multiplier. It is + * designed to compute the columns of the product first + * then handle the carries afterwards. This has the effect * of making the nested loops that compute the columns very * simple and schedulable on super-scalar processors. * - * This has been modified to produce a variable number of - * digits of output so if say only a half-product is required - * you don't have to compute the upper half (a feature + * This has been modified to produce a variable number of + * digits of output so if say only a half-product is required + * you don't have to compute the upper half (a feature * required for fast Barrett reduction). * * Based on Algorithm 14.12 on pp.595 of HAC. @@ -49,7 +49,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* clear the carry */ _W = 0; - for (ix = 0; ix < pa; ix++) { + for (ix = 0; ix < pa; ix++) { int tx, ty; int iy; mp_digit *tmpx, *tmpy; @@ -62,7 +62,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) tmpx = a->dp + tx; tmpy = b->dp + ty; - /* this is the number of times the loop will iterrate, essentially + /* this is the number of times the loop will iterrate, essentially while (tx++ < a->used && ty-- >= 0) { ... } */ iy = MIN(a->used-tx, ty+1); diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_high_digs.c b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_high_digs.c index 5b114d717a..a03b9f1324 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_high_digs.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_mul_high_digs.c @@ -41,7 +41,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* number of output digits to produce */ pa = a->used + b->used; _W = 0; - for (ix = digs; ix < pa; ix++) { + for (ix = digs; ix < pa; ix++) { int tx, ty, iy; mp_digit *tmpx, *tmpy; @@ -53,7 +53,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) tmpx = a->dp + tx; tmpy = b->dp + ty; - /* this is the number of times the loop will iterrate, essentially its + /* this is the number of times the loop will iterrate, essentially its while (tx++ < a->used && ty-- >= 0) { ... } */ iy = MIN(a->used-tx, ty+1); @@ -69,7 +69,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* make next carry */ _W = _W >> ((mp_word)DIGIT_BIT); } - + /* setup dest */ olduse = c->used; c->used = pa; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_sqr.c b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_sqr.c index 19e92ef180..848eaf0463 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_sqr.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_fast_s_mp_sqr.c @@ -16,10 +16,10 @@ */ /* the jist of squaring... - * you do like mult except the offset of the tmpx [one that - * starts closer to zero] can't equal the offset of tmpy. + * you do like mult except the offset of the tmpx [one that + * starts closer to zero] can't equal the offset of tmpy. * So basically you set up iy like before then you min it with - * (ty-tx) so that it never happens. You double all those + * (ty-tx) so that it never happens. You double all those * you add in the inner loop After that loop you do the squares and add them in. @@ -41,7 +41,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b) /* number of output digits to produce */ W1 = 0; - for (ix = 0; ix < pa; ix++) { + for (ix = 0; ix < pa; ix++) { int tx, ty, iy; mp_word _W; mp_digit *tmpy; @@ -62,7 +62,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b) */ iy = MIN(a->used-tx, ty+1); - /* now for squaring tx can never equal ty + /* now for squaring tx can never equal ty * we halve the distance since they approach at a rate of 2x * and we have to round because odd cases need to be executed */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c index f422ffc994..11a508c7fb 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* computes a = 2**b +/* computes a = 2**b * * Simple algorithm which zeroes the int, grows it then just sets one bit * as required. diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c index 09dd7229eb..d97e8db05f 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* b = |a| +/* b = |a| * * Simple function copies the input and fixes the sign to positive */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c index 359c2ff24d..2a565e8dbd 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* trim unused digits +/* trim unused digits * * This is used to ensure that leading zero digits are * trimed and the leading "used" digit will be non-zero diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c index daaea79a3b..e5e3da340a 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c @@ -16,7 +16,7 @@ */ #include <stdarg.h> -void mp_clear_multi(mp_int *mp, ...) +void mp_clear_multi(mp_int *mp, ...) { mp_int* next_mp = mp; va_list args; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c index 533f36bf93..ccd2c8eb9b 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c @@ -27,7 +27,7 @@ mp_cmp (mp_int * a, mp_int * b) return MP_GT; } } - + /* compare digits */ if (a->sign == MP_NEG) { /* if negative compare opposite direction */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c index 693eb7cc72..4a505238a0 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c @@ -25,7 +25,7 @@ int mp_cmp_mag (mp_int * a, mp_int * b) if (a->used > b->used) { return MP_GT; } - + if (a->used < b->used) { return MP_LT; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c index 66d1a74714..2d4a8d4f0f 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -static const int lnz[16] = { +static const int lnz[16] = { 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0 }; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c index 8bc5657a33..5dfd5f375c 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c @@ -29,7 +29,7 @@ mp_count_bits (mp_int * a) /* get number of digits and add that */ r = (a->used - 1) * DIGIT_BIT; - + /* take the last digit and count the bits in it */ q = a->dp[a->used - 1]; while (q > ((mp_digit) 0)) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div.c index aee9c94324..2c364b396f 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div.c @@ -40,7 +40,7 @@ int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d) } return res; } - + /* init our temps */ if ((res = mp_init_multi(&ta, &tb, &tq, &q, NULL) != MP_OKAY)) { return res; @@ -50,7 +50,7 @@ int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d) mp_set(&tq, 1); n = mp_count_bits(a) - mp_count_bits(b); if (((res = mp_abs(a, &ta)) != MP_OKAY) || - ((res = mp_abs(b, &tb)) != MP_OKAY) || + ((res = mp_abs(b, &tb)) != MP_OKAY) || ((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) || ((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) { goto LBL_ERR; @@ -87,17 +87,17 @@ LBL_ERR: #else -/* integer signed division. +/* integer signed division. * c*b + d == a [e.g. a/b, c=quotient, d=remainder] * HAC pp.598 Algorithm 14.20 * - * Note that the description in HAC is horribly - * incomplete. For example, it doesn't consider - * the case where digits are removed from 'x' in - * the inner loop. It also doesn't consider the + * Note that the description in HAC is horribly + * incomplete. For example, it doesn't consider + * the case where digits are removed from 'x' in + * the inner loop. It also doesn't consider the * case that y has fewer than three digits, etc.. * - * The overall algorithm is as described as + * The overall algorithm is as described as * 14.20 from HAC but fixed to treat these cases. */ int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d) @@ -187,7 +187,7 @@ int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d) continue; } - /* step 3.1 if xi == yt then set q{i-t-1} to b-1, + /* step 3.1 if xi == yt then set q{i-t-1} to b-1, * otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */ if (x.dp[i] == y.dp[t]) { q.dp[i - t - 1] = ((((mp_digit)1) << DIGIT_BIT) - 1); @@ -201,10 +201,10 @@ int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d) q.dp[i - t - 1] = (mp_digit) (tmp & (mp_word) (MP_MASK)); } - /* while (q{i-t-1} * (yt * b + y{t-1})) > - xi * b**2 + xi-1 * b + xi-2 - - do q{i-t-1} -= 1; + /* while (q{i-t-1} * (yt * b + y{t-1})) > + xi * b**2 + xi-1 * b + xi-2 + + do q{i-t-1} -= 1; */ q.dp[i - t - 1] = (q.dp[i - t - 1] + 1) & MP_MASK; do { @@ -255,10 +255,10 @@ int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d) } } - /* now q is the quotient and x is the remainder - * [which we have to normalize] + /* now q is the quotient and x is the remainder + * [which we have to normalize] */ - + /* get sign before writing to c */ x.sign = x.used == 0 ? MP_ZPOS : a->sign; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c index 3c60269ece..78e2381b6e 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c @@ -23,14 +23,14 @@ mp_div_3 (mp_int * a, mp_int *c, mp_digit * d) mp_word w, t; mp_digit b; int res, ix; - + /* b = 2**DIGIT_BIT / 3 */ b = (((mp_word)1) << ((mp_word)DIGIT_BIT)) / ((mp_word)3); if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { return res; } - + q.used = a->used; q.sign = a->sign; w = 0; @@ -68,7 +68,7 @@ mp_div_3 (mp_int * a, mp_int *c, mp_digit * d) mp_exch(&q, c); } mp_clear(&q); - + return res; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c index 6a26d4f0cf..7bd372c20d 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c @@ -79,13 +79,13 @@ int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { return res; } - + q.used = a->used; q.sign = a->sign; w = 0; for (ix = a->used - 1; ix >= 0; ix--) { w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]); - + if (w >= b) { t = (mp_digit)(w / b); w -= ((mp_word)t) * ((mp_word)b); @@ -94,17 +94,17 @@ int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) } q.dp[ix] = (mp_digit)t; } - + if (d != NULL) { *d = (mp_digit)w; } - + if (c != NULL) { mp_clamp(&q); mp_exch(&q, c); } mp_clear(&q); - + return res; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c index 1d7d856ef0..b7d5ed7c03 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c @@ -21,7 +21,7 @@ void mp_dr_setup(mp_int *a, mp_digit *d) /* the casts are required if DIGIT_BIT is one less than * the number of bits in a mp_digit [e.g. DIGIT_BIT==31] */ - *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) - + *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) - ((mp_word)a->dp[0])); } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c index 38574e0a5e..ee551bc3e1 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* swap the elements of two integers, for cases where you can't simply swap the +/* swap the elements of two integers, for cases where you can't simply swap the * mp_int pointers around */ void diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c index 023191657a..56d7c11d26 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c @@ -59,7 +59,7 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) err = mp_exptmod(&tmpG, &tmpX, P, Y); mp_clear_multi(&tmpG, &tmpX, NULL); return err; -#else +#else /* no invmod */ return MP_VAL; #endif @@ -86,7 +86,7 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) dr = mp_reduce_is_2k(P) << 1; } #endif - + /* if the modulus is odd or dr != 0 use the montgomery method */ #ifdef BN_MP_EXPTMOD_FAST_C if (mp_isodd (P) == 1 || dr != 0) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod_fast.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod_fast.c index 2a3b3c9e81..64fbe7fe21 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod_fast.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod_fast.c @@ -84,7 +84,7 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode /* determine and setup reduction code */ if (redmode == 0) { -#ifdef BN_MP_MONTGOMERY_SETUP_C +#ifdef BN_MP_MONTGOMERY_SETUP_C /* now setup montgomery */ if ((err = mp_montgomery_setup (P, &mp)) != MP_OKAY) { goto LBL_M; @@ -99,7 +99,7 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode if (((P->used * 2 + 1) < MP_WARRAY) && P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { redux = fast_mp_montgomery_reduce; - } else + } else #endif { #ifdef BN_MP_MONTGOMERY_REDUCE_C @@ -150,7 +150,7 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) { goto LBL_RES; } -#else +#else err = MP_VAL; goto LBL_RES; #endif diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c index e6c4ce2b85..daf0c95ea6 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* Extended euclidean algorithm of (a, b) produces +/* Extended euclidean algorithm of (a, b) produces a*u1 + b*u2 = u3 */ int mp_exteuclid(mp_int *a, mp_int *b, mp_int *U1, mp_int *U2, mp_int *U3) diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_find_prime.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_find_prime.c index 0458744fc7..ef7b6532c5 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_find_prime.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_find_prime.c @@ -1,7 +1,7 @@ /* TomsFastMath, a fast ISO C bignum library. - * + * * This project is public domain and free for all purposes. - * + * * Love Hornquist Astrand <lha@h5l.org> */ #include <tommath.h> diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c index b344b6f05d..52f7f32f0d 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c @@ -19,10 +19,10 @@ int mp_fread(mp_int *a, int radix, FILE *stream) { int err, ch, neg, y; - + /* clear a */ mp_zero(a); - + /* if first digit is - then set negative */ ch = fgetc(stream); if (ch == '-') { @@ -31,7 +31,7 @@ int mp_fread(mp_int *a, int radix, FILE *stream) } else { neg = MP_ZPOS; } - + for (;;) { /* find y in the radix map */ for (y = 0; y < radix; y++) { @@ -42,7 +42,7 @@ int mp_fread(mp_int *a, int radix, FILE *stream) if (y == radix) { break; } - + /* shift up and add */ if ((err = mp_mul_d(a, radix, a)) != MP_OKAY) { return err; @@ -50,13 +50,13 @@ int mp_fread(mp_int *a, int radix, FILE *stream) if ((err = mp_add_d(a, y, a)) != MP_OKAY) { return err; } - + ch = fgetc(stream); } if (mp_cmp_d(a, 0) != MP_EQ) { a->sign = neg; } - + return MP_OKAY; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c index a0b4c6b6d1..dc4529ba22 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c @@ -19,7 +19,7 @@ int mp_fwrite(mp_int *a, int radix, FILE *stream) { char *buf; int err, len, x; - + if ((err = mp_radix_size(a, radix, &len)) != MP_OKAY) { return err; } @@ -28,19 +28,19 @@ int mp_fwrite(mp_int *a, int radix, FILE *stream) if (buf == NULL) { return MP_MEM; } - + if ((err = mp_toradix(a, buf, radix)) != MP_OKAY) { XFREE (buf); return err; } - + for (x = 0; x < len; x++) { if (fputc(buf[x], stream) == EOF) { XFREE (buf); return MP_VAL; } } - + XFREE (buf); return MP_OKAY; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c index b39ba9041d..89795d564e 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c @@ -76,17 +76,17 @@ int mp_gcd (mp_int * a, mp_int * b, mp_int * c) /* swap u and v to make sure v is >= u */ mp_exch(&u, &v); } - + /* subtract smallest from largest */ if ((res = s_mp_sub(&v, &u, &v)) != MP_OKAY) { goto LBL_V; } - + /* Divide out all factors of two */ if ((res = mp_div_2d(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) { goto LBL_V; - } - } + } + } /* multiply by 2**k which we divided out at the beginning */ if ((res = mp_mul_2d (&u, k, c)) != MP_OKAY) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_get_int.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_get_int.c index 17162e2bf1..e8e9b1d440 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_get_int.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_get_int.c @@ -16,7 +16,7 @@ */ /* get the lower 32-bits of an mp_int */ -unsigned long mp_get_int(mp_int * a) +unsigned long mp_get_int(mp_int * a) { int i; unsigned long res; @@ -30,7 +30,7 @@ unsigned long mp_get_int(mp_int * a) /* get most significant digit of result */ res = DIGIT(a,i); - + while (--i >= 0) { res = (res << DIGIT_BIT) | DIGIT(a,i); } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c index 59dc3a9ea7..56e8602767 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c @@ -16,7 +16,7 @@ */ #include <stdarg.h> -int mp_init_multi(mp_int *mp, ...) +int mp_init_multi(mp_int *mp, ...) { mp_err res = MP_OKAY; /* Assume ok until proven otherwise */ int n = 0; /* Number of ok inits */ @@ -30,11 +30,11 @@ int mp_init_multi(mp_int *mp, ...) succeeded in init-ing, then return error. */ va_list clean_args; - + /* end the current list */ va_end(args); - - /* now start cleaning up */ + + /* now start cleaning up */ cur_arg = mp; va_start(clean_args, mp); while (n--) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c index 8e014183a3..9578ac754c 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c @@ -21,8 +21,8 @@ int mp_init_size (mp_int * a, int size) int x; /* pad size so there are always extra digits */ - size += (MP_PREC * 2) - (size % MP_PREC); - + size += (MP_PREC * 2) - (size % MP_PREC); + /* alloc mem */ a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size); if (a->dp == NULL) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c index 154651468f..ac1a952319 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c @@ -32,9 +32,9 @@ int mp_invmod (mp_int * a, mp_int * b, mp_int * c) #ifdef BN_MP_INVMOD_SLOW_C return mp_invmod_slow(a, b, c); -#endif - +#else return MP_VAL; +#endif } #endif diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod_slow.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod_slow.c index eedd47dcf1..4ec487efae 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod_slow.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_invmod_slow.c @@ -27,7 +27,7 @@ int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c) } /* init temps */ - if ((res = mp_init_multi(&x, &y, &u, &v, + if ((res = mp_init_multi(&x, &y, &u, &v, &A, &B, &C, &D, NULL)) != MP_OKAY) { return res; } @@ -154,14 +154,14 @@ top: goto LBL_ERR; } } - + /* too big */ while (mp_cmp_mag(&C, b) != MP_LT) { if ((res = mp_sub(&C, b, &C)) != MP_OKAY) { goto LBL_ERR; } } - + /* C is now the inverse */ mp_exch (&C, c); res = MP_OKAY; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c index 50c524444e..027fcd2f5a 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c @@ -38,7 +38,7 @@ static const char rem_105[105] = { }; /* Store non-zero to ret if arg is square, and zero if not */ -int mp_is_square(mp_int *arg,int *ret) +int mp_is_square(mp_int *arg,int *ret) { int res; mp_digit c; @@ -46,7 +46,7 @@ int mp_is_square(mp_int *arg,int *ret) unsigned long r; /* Default to Non-square :) */ - *ret = MP_NO; + *ret = MP_NO; if (arg->sign == MP_NEG) { return MP_VAL; @@ -80,8 +80,8 @@ int mp_is_square(mp_int *arg,int *ret) r = mp_get_int(&t); /* Check for other prime modules, note it's not an ERROR but we must * free "t" so the easiest way is to goto ERR. We know that res - * is already equal to MP_OKAY from the mp_mod call - */ + * is already equal to MP_OKAY from the mp_mod call + */ if ( (1L<<(r%11)) & 0x5C4L ) goto ERR; if ( (1L<<(r%13)) & 0x9E4L ) goto ERR; if ( (1L<<(r%17)) & 0x5CE8L ) goto ERR; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_isprime.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_isprime.c index 07ce86f296..d3678d5dc1 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_isprime.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_isprime.c @@ -1,10 +1,10 @@ /* TomsFastMath, a fast ISO C bignum library. - * + * * This project is meant to fill in where LibTomMath * falls short. That is speed ;-) * * This project is public domain and free for all purposes. - * + * * Tom St Denis, tomstdenis@gmail.com */ #include <tommath.h> diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_mul.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_mul.c index 8ea2c2792a..72a2319c06 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_mul.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_mul.c @@ -15,33 +15,33 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* c = |a| * |b| using Karatsuba Multiplication using +/* c = |a| * |b| using Karatsuba Multiplication using * three half size multiplications * - * Let B represent the radix [e.g. 2**DIGIT_BIT] and - * let n represent half of the number of digits in + * Let B represent the radix [e.g. 2**DIGIT_BIT] and + * let n represent half of the number of digits in * the min(a,b) * * a = a1 * B**n + a0 * b = b1 * B**n + b0 * - * Then, a * b => + * Then, a * b => a1b1 * B**2n + ((a1 + a0)(b1 + b0) - (a0b0 + a1b1)) * B + a0b0 * - * Note that a1b1 and a0b0 are used twice and only need to be - * computed once. So in total three half size (half # of - * digit) multiplications are performed, a0b0, a1b1 and + * Note that a1b1 and a0b0 are used twice and only need to be + * computed once. So in total three half size (half # of + * digit) multiplications are performed, a0b0, a1b1 and * (a1+b1)(a0+b0) * * Note that a multiplication of half the digits requires - * 1/4th the number of single precision multiplications so in - * total after one call 25% of the single precision multiplications - * are saved. Note also that the call to mp_mul can end up back - * in this function if the a0, a1, b0, or b1 are above the threshold. - * This is known as divide-and-conquer and leads to the famous - * O(N**lg(3)) or O(N**1.584) work which is asymptopically lower than - * the standard O(N**2) that the baseline/comba methods use. - * Generally though the overhead of this method doesn't pay off + * 1/4th the number of single precision multiplications so in + * total after one call 25% of the single precision multiplications + * are saved. Note also that the call to mp_mul can end up back + * in this function if the a0, a1, b0, or b1 are above the threshold. + * This is known as divide-and-conquer and leads to the famous + * O(N**lg(3)) or O(N**1.584) work which is asymptopically lower than + * the standard O(N**2) that the baseline/comba methods use. + * Generally though the overhead of this method doesn't pay off * until a certain size (N ~ 80) is reached. */ int mp_karatsuba_mul (mp_int * a, mp_int * b, mp_int * c) @@ -109,7 +109,7 @@ int mp_karatsuba_mul (mp_int * a, mp_int * b, mp_int * c) } } - /* only need to clamp the lower words since by definition the + /* only need to clamp the lower words since by definition the * upper words x1/y1 must have a known number of digits */ mp_clamp (&x0); @@ -117,7 +117,7 @@ int mp_karatsuba_mul (mp_int * a, mp_int * b, mp_int * c) /* now calc the products x0y0 and x1y1 */ /* after this x0 is no longer required, free temp [x0==t2]! */ - if (mp_mul (&x0, &y0, &x0y0) != MP_OKAY) + if (mp_mul (&x0, &y0, &x0y0) != MP_OKAY) goto X1Y1; /* x0y0 = x0*y0 */ if (mp_mul (&x1, &y1, &x1y1) != MP_OKAY) goto X1Y1; /* x1y1 = x1*y1 */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_sqr.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_sqr.c index a5e198be12..56692c5ae7 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_sqr.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_karatsuba_sqr.c @@ -15,11 +15,11 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* Karatsuba squaring, computes b = a*a using three +/* Karatsuba squaring, computes b = a*a using three * half size squarings * - * See comments of karatsuba_mul for details. It - * is essentially the same algorithm but merely + * See comments of karatsuba_mul for details. It + * is essentially the same algorithm but merely * tuned to perform recursive squarings. */ int mp_karatsuba_sqr (mp_int * a, mp_int * b) diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c index 8b1117a63b..816e7b2f0b 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c @@ -25,29 +25,29 @@ int mp_mul (mp_int * a, mp_int * b, mp_int * c) #ifdef BN_MP_TOOM_MUL_C if (MIN (a->used, b->used) >= TOOM_MUL_CUTOFF) { res = mp_toom_mul(a, b, c); - } else + } else #endif #ifdef BN_MP_KARATSUBA_MUL_C /* use Karatsuba? */ if (MIN (a->used, b->used) >= KARATSUBA_MUL_CUTOFF) { res = mp_karatsuba_mul (a, b, c); - } else + } else #endif { /* can we use the fast multiplier? * - * The fast multiplier can be used if the output will - * have less than MP_WARRAY digits and the number of + * The fast multiplier can be used if the output will + * have less than MP_WARRAY digits and the number of * digits won't affect carry propagation */ int digs = a->used + b->used + 1; #ifdef BN_FAST_S_MP_MUL_DIGS_C if ((digs < MP_WARRAY) && - MIN(a->used, b->used) <= + MIN(a->used, b->used) <= (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { res = fast_s_mp_mul_digs (a, b, c, digs); - } else + } else #endif #ifdef BN_S_MP_MUL_DIGS_C res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c index 02455fc35d..f90654832b 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c @@ -35,24 +35,24 @@ int mp_mul_2(mp_int * a, mp_int * b) /* alias for source */ tmpa = a->dp; - + /* alias for dest */ tmpb = b->dp; /* carry */ r = 0; for (x = 0; x < a->used; x++) { - - /* get what will be the *next* carry bit from the - * MSB of the current digit + + /* get what will be the *next* carry bit from the + * MSB of the current digit */ rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1)); - + /* now shift up this digit, add in the carry [from the previous] */ *tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK; - - /* copy the carry that would be from the source - * digit into the next iteration + + /* copy the carry that would be from the source + * digit into the next iteration */ r = rr; } @@ -64,8 +64,8 @@ int mp_mul_2(mp_int * a, mp_int * b) ++(b->used); } - /* now zero any excess digits on the destination - * that we didn't write to + /* now zero any excess digits on the destination + * that we didn't write to */ tmpb = b->dp + b->used; for (x = b->used; x < oldused; x++) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c index efeff2e751..d023b382cc 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c @@ -69,7 +69,7 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c) /* set the carry to the carry bits of the current word */ r = rr; } - + /* set final carry */ if (r != 0) { c->dp[(c->used)++] = r; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_n_root.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_n_root.c index 0e7bedca72..85d335cb9e 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_n_root.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_n_root.c @@ -15,14 +15,14 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* find the n'th root of an integer +/* find the n'th root of an integer * - * Result found such that (c)**b <= a and (c+1)**b > a + * Result found such that (c)**b <= a and (c+1)**b > a * - * This algorithm uses Newton's approximation - * x[i+1] = x[i] - f(x[i])/f'(x[i]) - * which will find the root in log(N) time where - * each step involves a fair bit. This is not meant to + * This algorithm uses Newton's approximation + * x[i+1] = x[i] - f(x[i])/f'(x[i]) + * which will find the root in log(N) time where + * each step involves a fair bit. This is not meant to * find huge roots [square and cube, etc]. */ int mp_n_root (mp_int * a, mp_digit b, mp_int * c) @@ -61,31 +61,31 @@ int mp_n_root (mp_int * a, mp_digit b, mp_int * c) } /* t2 = t1 - ((t1**b - a) / (b * t1**(b-1))) */ - + /* t3 = t1**(b-1) */ - if ((res = mp_expt_d (&t1, b - 1, &t3)) != MP_OKAY) { + if ((res = mp_expt_d (&t1, b - 1, &t3)) != MP_OKAY) { goto LBL_T3; } /* numerator */ /* t2 = t1**b */ - if ((res = mp_mul (&t3, &t1, &t2)) != MP_OKAY) { + if ((res = mp_mul (&t3, &t1, &t2)) != MP_OKAY) { goto LBL_T3; } /* t2 = t1**b - a */ - if ((res = mp_sub (&t2, a, &t2)) != MP_OKAY) { + if ((res = mp_sub (&t2, a, &t2)) != MP_OKAY) { goto LBL_T3; } /* denominator */ /* t3 = t1**(b-1) * b */ - if ((res = mp_mul_d (&t3, b, &t3)) != MP_OKAY) { + if ((res = mp_mul_d (&t3, b, &t3)) != MP_OKAY) { goto LBL_T3; } /* t3 = (t1**b - a)/(b * t1**(b-1)) */ - if ((res = mp_div (&t2, &t3, &t3, NULL)) != MP_OKAY) { + if ((res = mp_div (&t2, &t3, &t3, NULL)) != MP_OKAY) { goto LBL_T3; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c index c23d77f6de..8e74a337c5 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c @@ -16,7 +16,7 @@ */ /* performs one Fermat test. - * + * * If "a" were prime then b**a == b (mod a) since the order of * the multiplicative sub-group would be phi(a) = a-1. That means * it would be the same as b**(a mod (a-1)) == b**1 == b (mod a). diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_divisible.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_divisible.c index 8e7871c2c6..766cde95a6 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_divisible.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_divisible.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* determines if an integers is divisible by one +/* determines if an integers is divisible by one * of the first PRIME_SIZE primes or not * * sets result to 0 if not, 1 if yes diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c index ddf03582ac..60a8c48eae 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c @@ -15,11 +15,11 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* Miller-Rabin test of "a" to the base of "b" as described in +/* Miller-Rabin test of "a" to the base of "b" as described in * HAC pp. 139 Algorithm 4.24 * * Sets result to 0 if definitely composite or 1 if probably prime. - * Randomly the chance of error is no more than 1/4 and often + * Randomly the chance of error is no more than 1/4 and often * very much lower. */ int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result) @@ -33,7 +33,7 @@ int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result) /* ensure b > 1 */ if (mp_cmp_d(b, 1) != MP_GT) { return MP_VAL; - } + } /* get n1 = a - 1 */ if ((err = mp_init_copy (&n1, a)) != MP_OKAY) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c index daf2ec7c64..a2897f0878 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c @@ -22,7 +22,7 @@ */ int mp_prime_next_prime(mp_int *a, int t, int bbs_style) { - int err, res, x, y; + int err, res = MP_NO, x, y; mp_digit res_tab[PRIME_SIZE], step, kstep; mp_int b; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_random_ex.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_random_ex.c index 07aae4b072..7b0d15c94d 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_random_ex.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_prime_random_ex.c @@ -18,7 +18,7 @@ /* makes a truly random prime of a given size (bits), * * Flags are as follows: - * + * * LTM_PRIME_BBS - make prime congruent to 3 mod 4 * LTM_PRIME_SAFE - make sure (p-1)/2 is prime as well (implies LTM_PRIME_BBS) * LTM_PRIME_2MSB_OFF - make the 2nd highest bit zero @@ -63,7 +63,7 @@ int mp_prime_random_ex(mp_int *a, int t, int size, int flags, ltm_prime_callback maskOR_msb_offset = ((size & 7) == 1) ? 1 : 0; if (flags & LTM_PRIME_2MSB_ON) { maskOR_msb |= 0x80 >> ((9 - size) & 7); - } + } /* get the maskOR_lsb */ maskOR_lsb = 1; @@ -77,7 +77,7 @@ int mp_prime_random_ex(mp_int *a, int t, int size, int flags, ltm_prime_callback err = MP_VAL; goto error; } - + /* work over the MSbyte */ tmp[0] &= maskAND; tmp[0] |= 1 << ((size - 1) & 7); @@ -91,7 +91,7 @@ int mp_prime_random_ex(mp_int *a, int t, int size, int flags, ltm_prime_callback /* is it prime? */ if ((err = mp_prime_is_prime(a, t, &res)) != MP_OKAY) { goto error; } - if (res == MP_NO) { + if (res == MP_NO) { continue; } @@ -99,7 +99,7 @@ int mp_prime_random_ex(mp_int *a, int t, int size, int flags, ltm_prime_callback /* see if (a-1)/2 is prime */ if ((err = mp_sub_d(a, 1, a)) != MP_OKAY) { goto error; } if ((err = mp_div_2(a, a)) != MP_OKAY) { goto error; } - + /* is it prime? */ if ((err = mp_prime_is_prime(a, t, &res)) != MP_OKAY) { goto error; } } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c index 1b61e3a1be..af94be8676 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c @@ -54,7 +54,7 @@ int mp_radix_size (mp_int * a, int radix, int *size) } /* force temp to positive */ - t.sign = MP_ZPOS; + t.sign = MP_ZPOS; /* fetch out all of the digits */ while (mp_iszero (&t) == MP_NO) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c index 91c46c22f7..35ca886736 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c @@ -29,8 +29,8 @@ int mp_read_radix (mp_int * a, const char *str, int radix) return MP_VAL; } - /* if the leading digit is a - * minus set the sign to negative. + /* if the leading digit is a + * minus set the sign to negative. */ if (*str == '-') { ++str; @@ -41,7 +41,7 @@ int mp_read_radix (mp_int * a, const char *str, int radix) /* set the integer to the default of zero */ mp_zero (a); - + /* process each digit of the string */ while (*str) { /* if the radix < 36 the conversion is case insensitive @@ -55,9 +55,9 @@ int mp_read_radix (mp_int * a, const char *str, int radix) } } - /* if the char was found in the map + /* if the char was found in the map * and is less than the given radix add it - * to the number, otherwise exit the loop. + * to the number, otherwise exit the loop. */ if (y < radix) { if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) { @@ -71,7 +71,7 @@ int mp_read_radix (mp_int * a, const char *str, int radix) } ++str; } - + /* set the sign only if a != 0 */ if (mp_iszero(a) != 1) { a->sign = neg; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c index 21d0730905..ae57a6a003 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* reduces x mod m, assumes 0 < x < m**2, mu is +/* reduces x mod m, assumes 0 < x < m**2, mu is * precomputed via mp_reduce_setup. * From HAC pp.604 Algorithm 14.42 */ @@ -30,7 +30,7 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) } /* q1 = x / b**(k-1) */ - mp_rshd (&q, um - 1); + mp_rshd (&q, um - 1); /* according to HAC this optimization is ok */ if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) { @@ -46,8 +46,8 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) { goto CLEANUP; } -#else - { +#else + { res = MP_VAL; goto CLEANUP; } @@ -55,7 +55,7 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) } /* q3 = q2 / b**(k+1) */ - mp_rshd (&q, um + 1); + mp_rshd (&q, um + 1); /* x = x mod b**(k+1), quick (no division) */ if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) { @@ -87,7 +87,7 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) goto CLEANUP; } } - + CLEANUP: mp_clear (&q); diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c index d9620c221c..1c4a751dda 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c @@ -20,35 +20,35 @@ int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d) { mp_int q; int p, res; - + if ((res = mp_init(&q)) != MP_OKAY) { return res; } - - p = mp_count_bits(n); + + p = mp_count_bits(n); top: /* q = a/2**p, a = a mod 2**p */ if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) { goto ERR; } - + if (d != 1) { /* q = q * d */ - if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) { + if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) { goto ERR; } } - + /* a = a + q */ if ((res = s_mp_add(a, &q, a)) != MP_OKAY) { goto ERR; } - + if (mp_cmp_mag(a, n) != MP_LT) { s_mp_sub(a, n, a); goto top; } - + ERR: mp_clear(&q); return res; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c index f06103d6a6..71abeaebba 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c @@ -15,7 +15,7 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* reduces a modulo n where n is of the form 2**p - d +/* reduces a modulo n where n is of the form 2**p - d This differs from reduce_2k since "d" can be larger than a single digit. */ @@ -23,33 +23,33 @@ int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d) { mp_int q; int p, res; - + if ((res = mp_init(&q)) != MP_OKAY) { return res; } - - p = mp_count_bits(n); + + p = mp_count_bits(n); top: /* q = a/2**p, a = a mod 2**p */ if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) { goto ERR; } - + /* q = q * d */ - if ((res = mp_mul(&q, d, &q)) != MP_OKAY) { + if ((res = mp_mul(&q, d, &q)) != MP_OKAY) { goto ERR; } - + /* a = a + q */ if ((res = s_mp_add(a, &q, a)) != MP_OKAY) { goto ERR; } - + if (mp_cmp_mag(a, n) != MP_LT) { s_mp_sub(a, n, a); goto top; } - + ERR: mp_clear(&q); return res; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c index a80e7a22f2..dca723c815 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c @@ -20,22 +20,22 @@ int mp_reduce_2k_setup(mp_int *a, mp_digit *d) { int res, p; mp_int tmp; - + if ((res = mp_init(&tmp)) != MP_OKAY) { return res; } - + p = mp_count_bits(a); if ((res = mp_2expt(&tmp, p)) != MP_OKAY) { mp_clear(&tmp); return res; } - + if ((res = s_mp_sub(&tmp, a, &tmp)) != MP_OKAY) { mp_clear(&tmp); return res; } - + *d = tmp.dp[0]; mp_clear(&tmp); return MP_OKAY; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c index 7cf002e888..cc59a6e715 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c @@ -20,19 +20,19 @@ int mp_reduce_2k_setup_l(mp_int *a, mp_int *d) { int res; mp_int tmp; - + if ((res = mp_init(&tmp)) != MP_OKAY) { return res; } - + if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) { goto ERR; } - + if ((res = s_mp_sub(&tmp, a, d)) != MP_OKAY) { goto ERR; } - + ERR: mp_clear(&tmp); return res; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c index 7308be73e2..c8d25d83e2 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c @@ -20,7 +20,7 @@ int mp_reduce_is_2k(mp_int *a) { int ix, iy, iw; mp_digit iz; - + if (a->used == 0) { return MP_NO; } else if (a->used == 1) { @@ -29,7 +29,7 @@ int mp_reduce_is_2k(mp_int *a) iy = mp_count_bits(a); iz = 1; iw = 1; - + /* Test every bit from the second digit up, must be 1 */ for (ix = DIGIT_BIT; ix < iy; ix++) { if ((a->dp[iw] & iz) == 0) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c index 14a4d21846..ad006f39c5 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c @@ -19,7 +19,7 @@ int mp_reduce_is_2k_l(mp_int *a) { int ix, iy; - + if (a->used == 0) { return MP_NO; } else if (a->used == 1) { @@ -32,7 +32,7 @@ int mp_reduce_is_2k_l(mp_int *a) } } return (iy >= (a->used/2)) ? MP_YES : MP_NO; - + } return MP_NO; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c index 370f20bb17..035419bf34 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c @@ -21,7 +21,7 @@ int mp_reduce_setup (mp_int * a, mp_int * b) { int res; - + if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) { return res; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c index 2a693c5a5b..ed13ce59a4 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c @@ -42,8 +42,8 @@ void mp_rshd (mp_int * a, int b) /* top [offset into digits] */ top = a->dp + b; - /* this is implemented as a sliding window where - * the window is b-digits long and digits from + /* this is implemented as a sliding window where + * the window is b-digits long and digits from * the top of the window are copied to the bottom * * e.g. @@ -61,7 +61,7 @@ void mp_rshd (mp_int * a, int b) *bottom++ = 0; } } - + /* remove excess digits */ a->used -= b; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_set_int.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_set_int.c index cf10ea1a44..3072e76e1c 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_set_int.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_set_int.c @@ -21,7 +21,7 @@ int mp_set_int (mp_int * a, unsigned long b) int x, res; mp_zero (a); - + /* set four bits at a time */ for (x = 0; x < 8; x++) { /* shift the number up four bits */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c index 868ccbbaef..90f4dd6d72 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c @@ -26,18 +26,18 @@ mp_sqr (mp_int * a, mp_int * b) if (a->used >= TOOM_SQR_CUTOFF) { res = mp_toom_sqr(a, b); /* Karatsuba? */ - } else + } else #endif #ifdef BN_MP_KARATSUBA_SQR_C if (a->used >= KARATSUBA_SQR_CUTOFF) { res = mp_karatsuba_sqr (a, b); - } else + } else #endif { #ifdef BN_FAST_S_MP_SQR_C /* can we use the fast comba multiplier? */ - if ((a->used * 2 + 1) < MP_WARRAY && - a->used < + if ((a->used * 2 + 1) < MP_WARRAY && + a->used < (1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) { res = fast_s_mp_sqr (a, b); } else diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c index 8fd057ceed..8391297f7e 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c @@ -16,7 +16,7 @@ */ /* this function is less generic than mp_n_root, simpler and faster */ -int mp_sqrt(mp_int *arg, mp_int *ret) +int mp_sqrt(mp_int *arg, mp_int *ret) { int res; mp_int t1,t2; @@ -43,7 +43,7 @@ int mp_sqrt(mp_int *arg, mp_int *ret) /* First approx. (not very bad for large arg) */ mp_rshd (&t1,t1.used/2); - /* t1 > 0 */ + /* t1 > 0 */ if ((res = mp_div(arg,&t1,&t2,NULL)) != MP_OKAY) { goto E1; } @@ -54,7 +54,7 @@ int mp_sqrt(mp_int *arg, mp_int *ret) goto E1; } /* And now t1 > sqrt(arg) */ - do { + do { if ((res = mp_div(arg,&t1,&t2,NULL)) != MP_OKAY) { goto E1; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toom_mul.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toom_mul.c index ad5d9e9b64..b996342466 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toom_mul.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toom_mul.c @@ -15,28 +15,28 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* multiplication using the Toom-Cook 3-way algorithm +/* multiplication using the Toom-Cook 3-way algorithm * - * Much more complicated than Karatsuba but has a lower - * asymptotic running time of O(N**1.464). This algorithm is - * only particularly useful on VERY large inputs + * Much more complicated than Karatsuba but has a lower + * asymptotic running time of O(N**1.464). This algorithm is + * only particularly useful on VERY large inputs * (we're talking 1000s of digits here...). */ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) { mp_int w0, w1, w2, w3, w4, tmp1, tmp2, a0, a1, a2, b0, b1, b2; int res, B; - + /* init temps */ - if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4, - &a0, &a1, &a2, &b0, &b1, + if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4, + &a0, &a1, &a2, &b0, &b1, &b2, &tmp1, &tmp2, NULL)) != MP_OKAY) { return res; } - + /* B */ B = MIN(a->used, b->used) / 3; - + /* a = a2 * B**2 + a1 * B + a0 */ if ((res = mp_mod_2d(a, DIGIT_BIT * B, &a0)) != MP_OKAY) { goto ERR; @@ -52,7 +52,7 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) goto ERR; } mp_rshd(&a2, B*2); - + /* b = b2 * B**2 + b1 * B + b0 */ if ((res = mp_mod_2d(b, DIGIT_BIT * B, &b0)) != MP_OKAY) { goto ERR; @@ -68,17 +68,17 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) goto ERR; } mp_rshd(&b2, B*2); - + /* w0 = a0*b0 */ if ((res = mp_mul(&a0, &b0, &w0)) != MP_OKAY) { goto ERR; } - + /* w4 = a2 * b2 */ if ((res = mp_mul(&a2, &b2, &w4)) != MP_OKAY) { goto ERR; } - + /* w1 = (a2 + 2(a1 + 2a0))(b2 + 2(b1 + 2b0)) */ if ((res = mp_mul_2(&a0, &tmp1)) != MP_OKAY) { goto ERR; @@ -92,7 +92,7 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_add(&tmp1, &a2, &tmp1)) != MP_OKAY) { goto ERR; } - + if ((res = mp_mul_2(&b0, &tmp2)) != MP_OKAY) { goto ERR; } @@ -105,11 +105,11 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_add(&tmp2, &b2, &tmp2)) != MP_OKAY) { goto ERR; } - + if ((res = mp_mul(&tmp1, &tmp2, &w1)) != MP_OKAY) { goto ERR; } - + /* w3 = (a0 + 2(a1 + 2a2))(b0 + 2(b1 + 2b2)) */ if ((res = mp_mul_2(&a2, &tmp1)) != MP_OKAY) { goto ERR; @@ -123,7 +123,7 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_add(&tmp1, &a0, &tmp1)) != MP_OKAY) { goto ERR; } - + if ((res = mp_mul_2(&b2, &tmp2)) != MP_OKAY) { goto ERR; } @@ -136,11 +136,11 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_add(&tmp2, &b0, &tmp2)) != MP_OKAY) { goto ERR; } - + if ((res = mp_mul(&tmp1, &tmp2, &w3)) != MP_OKAY) { goto ERR; } - + /* w2 = (a2 + a1 + a0)(b2 + b1 + b0) */ if ((res = mp_add(&a2, &a1, &tmp1)) != MP_OKAY) { @@ -158,19 +158,19 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_mul(&tmp1, &tmp2, &w2)) != MP_OKAY) { goto ERR; } - - /* now solve the matrix - + + /* now solve the matrix + 0 0 0 0 1 1 2 4 8 16 1 1 1 1 1 16 8 4 2 1 1 0 0 0 0 - - using 12 subtractions, 4 shifts, - 2 small divisions and 1 small multiplication + + using 12 subtractions, 4 shifts, + 2 small divisions and 1 small multiplication */ - + /* r1 - r4 */ if ((res = mp_sub(&w1, &w4, &w1)) != MP_OKAY) { goto ERR; @@ -242,7 +242,7 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) if ((res = mp_div_3(&w3, &w3, NULL)) != MP_OKAY) { goto ERR; } - + /* at this point shift W[n] by B*n */ if ((res = mp_lshd(&w1, 1*B)) != MP_OKAY) { goto ERR; @@ -255,8 +255,8 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) } if ((res = mp_lshd(&w4, 4*B)) != MP_OKAY) { goto ERR; - } - + } + if ((res = mp_add(&w0, &w1, c)) != MP_OKAY) { goto ERR; } @@ -268,15 +268,15 @@ int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) } if ((res = mp_add(&tmp1, c, c)) != MP_OKAY) { goto ERR; - } - + } + ERR: - mp_clear_multi(&w0, &w1, &w2, &w3, &w4, - &a0, &a1, &a2, &b0, &b1, + mp_clear_multi(&w0, &w1, &w2, &w3, &w4, + &a0, &a1, &a2, &b0, &b1, &b2, &tmp1, &tmp2, NULL); return res; -} - +} + #endif /* $Source: /cvs/libtom/libtommath/bn_mp_toom_mul.c,v $ */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toradix_n.c b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toradix_n.c index 796ed55c65..28085124ea 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toradix_n.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_mp_toradix_n.c @@ -15,9 +15,9 @@ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ -/* stores a bignum as a ASCII string in a given radix (2..64) +/* stores a bignum as a ASCII string in a given radix (2..64) * - * Stores upto maxlen-1 chars and always a NULL byte + * Stores upto maxlen-1 chars and always a NULL byte */ int mp_toradix_n(mp_int * a, char *str, int radix, int maxlen) { @@ -50,7 +50,7 @@ int mp_toradix_n(mp_int * a, char *str, int radix, int maxlen) /* store the flag and mark the number as positive */ *str++ = '-'; t.sign = MP_ZPOS; - + /* subtract a char */ --maxlen; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c index f034ae62aa..e7f54f4cf1 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c @@ -74,8 +74,8 @@ s_mp_add (mp_int * a, mp_int * b, mp_int * c) *tmpc++ &= MP_MASK; } - /* now copy higher words if any, that is in A+B - * if A or B has more digits add those in + /* now copy higher words if any, that is in A+B + * if A or B has more digits add those in */ if (min != max) { for (; i < max; i++) { diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c index 097d894702..deb4b4ddb1 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c @@ -54,7 +54,7 @@ int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode) /* init M array */ /* init first cell */ if ((err = mp_init(&M[1])) != MP_OKAY) { - return err; + return err; } /* now init the second half of the array */ @@ -72,7 +72,7 @@ int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode) if ((err = mp_init (&mu)) != MP_OKAY) { goto LBL_M; } - + if (redmode == 0) { if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) { goto LBL_MU; @@ -83,22 +83,22 @@ int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode) goto LBL_MU; } redux = mp_reduce_2k_l; - } + } /* create M table * - * The M table contains powers of the base, + * The M table contains powers of the base, * e.g. M[x] = G**x mod P * - * The first half of the table is not + * The first half of the table is not * computed though accept for M[0] and M[1] */ if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) { goto LBL_MU; } - /* compute the value at M[1<<(winsize-1)] by squaring - * M[1] (winsize-1) times + /* compute the value at M[1<<(winsize-1)] by squaring + * M[1] (winsize-1) times */ if ((err = mp_copy (&M[1], &M[1 << (winsize - 1)])) != MP_OKAY) { goto LBL_MU; @@ -106,7 +106,7 @@ int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode) for (x = 0; x < (winsize - 1); x++) { /* square it */ - if ((err = mp_sqr (&M[1 << (winsize - 1)], + if ((err = mp_sqr (&M[1 << (winsize - 1)], &M[1 << (winsize - 1)])) != MP_OKAY) { goto LBL_MU; } diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c index f5bbf39ce2..c5892181f9 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c @@ -16,7 +16,7 @@ */ /* multiplies |a| * |b| and only computes upto digs digits of result - * HAC pp. 595, Algorithm 14.12 Modified so you can control how + * HAC pp. 595, Algorithm 14.12 Modified so you can control how * many digits of output are created. */ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) @@ -29,7 +29,7 @@ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* can we use the fast multiplier? */ if (((digs) < MP_WARRAY) && - MIN (a->used, b->used) < + MIN (a->used, b->used) < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { return fast_s_mp_mul_digs (a, b, c, digs); } @@ -51,10 +51,10 @@ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* setup some aliases */ /* copy of the digit from a used within the nested loop */ tmpx = a->dp[ix]; - + /* an alias for the destination shifted ix places */ tmpt = t.dp + ix; - + /* an alias for the digits of b */ tmpy = b->dp; diff --git a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c index d2531c2925..c1c3826db5 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c @@ -48,7 +48,7 @@ int s_mp_sqr (mp_int * a, mp_int * b) /* alias for where to store the results */ tmpt = t.dp + (2*ix + 1); - + for (iy = ix + 1; iy < pa; iy++) { /* first calculate the product */ r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]); diff --git a/source4/heimdal/lib/hcrypto/libtommath/bncore.c b/source4/heimdal/lib/hcrypto/libtommath/bncore.c index 8fb1824c6f..919e3b33b0 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/bncore.c +++ b/source4/heimdal/lib/hcrypto/libtommath/bncore.c @@ -21,14 +21,14 @@ ------------------------------------------------------------- Intel P4 Northwood /GCC v3.4.1 / 88/ 128/LTM 0.32 ;-) AMD Athlon64 /GCC v3.4.4 / 80/ 120/LTM 0.35 - + */ int KARATSUBA_MUL_CUTOFF = 80, /* Min. number of digits before Karatsuba multiplication is used. */ KARATSUBA_SQR_CUTOFF = 120, /* Min. number of digits before Karatsuba squaring is used. */ - + TOOM_MUL_CUTOFF = 350, /* no optimal values of these are known yet so set em high */ - TOOM_SQR_CUTOFF = 400; + TOOM_SQR_CUTOFF = 400; #endif /* $Source: /cvs/libtom/libtommath/bncore.c,v $ */ diff --git a/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h b/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h index 6049c25ba7..f69e36d650 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h +++ b/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h @@ -5,7 +5,7 @@ #define MPI_CONFIG_H_ /* - For boolean options, + For boolean options, 0 = no 1 = yes diff --git a/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi.c b/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi.c index 7c712dd62d..4030841e54 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi.c +++ b/source4/heimdal/lib/hcrypto/libtommath/mtest/mpi.c @@ -22,7 +22,7 @@ #define DIAG(T,V) #endif -/* +/* If MP_LOGTAB is not defined, use the math library to compute the logarithms on the fly. Otherwise, use the static table below. Pick which works best for your system. @@ -33,7 +33,7 @@ /* A table of the logs of 2 for various bases (the 0 and 1 entries of - this table are meaningless and should not be referenced). + this table are meaningless and should not be referenced). This table is used to compute output lengths for the mp_toradix() function. Since a number n in radix r takes up about log_r(n) @@ -43,7 +43,7 @@ log_r(n) = log_2(n) * log_r(2) This table, therefore, is a table of log_r(2) for 2 <= r <= 36, - which are the output bases supported. + which are the output bases supported. */ #include "logtab.h" @@ -104,7 +104,7 @@ static const char *mp_err_string[] = { /* Value to digit maps for radix conversion */ /* s_dmap_1 - standard digits and letters */ -static const char *s_dmap_1 = +static const char *s_dmap_1 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"; #if 0 @@ -117,7 +117,7 @@ static const char *s_dmap_2 = /* {{{ Static function declarations */ -/* +/* If MP_MACRO is false, these will be defined as actual functions; otherwise, suitable macro definitions will be used. This works around the fact that ANSI C89 doesn't support an 'inline' keyword @@ -258,7 +258,7 @@ mp_err mp_init_array(mp_int mp[], int count) return MP_OKAY; CLEANUP: - while(--pos >= 0) + while(--pos >= 0) mp_clear(&mp[pos]); return res; @@ -355,7 +355,7 @@ mp_err mp_copy(mp_int *from, mp_int *to) if(ALLOC(to) >= USED(from)) { s_mp_setz(DIGITS(to) + USED(from), ALLOC(to) - USED(from)); s_mp_copy(DIGITS(from), DIGITS(to), USED(from)); - + } else { if((tmp = s_mp_alloc(USED(from), sizeof(mp_digit))) == NULL) return MP_MEM; @@ -445,7 +445,7 @@ void mp_clear_array(mp_int mp[], int count) { ARGCHK(mp != NULL && count > 0, MP_BADARG); - while(--count >= 0) + while(--count >= 0) mp_clear(&mp[count]); } /* end mp_clear_array() */ @@ -455,7 +455,7 @@ void mp_clear_array(mp_int mp[], int count) /* {{{ mp_zero(mp) */ /* - mp_zero(mp) + mp_zero(mp) Set mp to zero. Does not change the allocated size of the structure, and therefore cannot fail (except on a bad argument, which we ignore) @@ -506,7 +506,7 @@ mp_err mp_set_int(mp_int *mp, long z) if((res = s_mp_mul_2d(mp, CHAR_BIT)) != MP_OKAY) return res; - res = s_mp_add_d(mp, + res = s_mp_add_d(mp, (mp_digit)((v >> (ix * CHAR_BIT)) & UCHAR_MAX)); if(res != MP_OKAY) return res; @@ -841,9 +841,9 @@ mp_err mp_neg(mp_int *a, mp_int *b) if((res = mp_copy(a, b)) != MP_OKAY) return res; - if(s_mp_cmp_d(b, 0) == MP_EQ) + if(s_mp_cmp_d(b, 0) == MP_EQ) SIGN(b) = MP_ZPOS; - else + else SIGN(b) = (SIGN(b) == MP_NEG) ? MP_ZPOS : MP_NEG; return MP_OKAY; @@ -870,7 +870,7 @@ mp_err mp_add(mp_int *a, mp_int *b, mp_int *c) if(SIGN(a) == SIGN(b)) { /* same sign: add values, keep sign */ /* Commutativity of addition lets us do this in either order, - so we avoid having to use a temporary even if the result + so we avoid having to use a temporary even if the result is supposed to replace the output */ if(c == b) { @@ -880,14 +880,14 @@ mp_err mp_add(mp_int *a, mp_int *b, mp_int *c) if(c != a && (res = mp_copy(a, c)) != MP_OKAY) return res; - if((res = s_mp_add(c, b)) != MP_OKAY) + if((res = s_mp_add(c, b)) != MP_OKAY) return res; } } else if((cmp = s_mp_cmp(a, b)) > 0) { /* different sign: a > b */ /* If the output is going to be clobbered, we will use a temporary - variable; otherwise, we'll do it without touching the memory + variable; otherwise, we'll do it without touching the memory allocator at all, if possible */ if(c == b) { @@ -1019,7 +1019,7 @@ mp_err mp_sub(mp_int *a, mp_int *b, mp_int *c) mp_clear(&tmp); } else { - if(c != b && ((res = mp_copy(b, c)) != MP_OKAY)) + if(c != b && ((res = mp_copy(b, c)) != MP_OKAY)) return res; if((res = s_mp_sub(c, a)) != MP_OKAY) @@ -1066,12 +1066,12 @@ mp_err mp_mul(mp_int *a, mp_int *b, mp_int *c) if((res = s_mp_mul(c, b)) != MP_OKAY) return res; } - + if(sgn == MP_ZPOS || s_mp_cmp_d(c, 0) == MP_EQ) SIGN(c) = MP_ZPOS; else SIGN(c) = sgn; - + return MP_OKAY; } /* end mp_mul() */ @@ -1160,7 +1160,7 @@ mp_err mp_div(mp_int *a, mp_int *b, mp_int *q, mp_int *r) return res; } - if(q) + if(q) mp_zero(q); return MP_OKAY; @@ -1206,10 +1206,10 @@ mp_err mp_div(mp_int *a, mp_int *b, mp_int *q, mp_int *r) SIGN(&rtmp) = MP_ZPOS; /* Copy output, if it is needed */ - if(q) + if(q) s_mp_exch(&qtmp, q); - if(r) + if(r) s_mp_exch(&rtmp, r); CLEANUP: @@ -1286,12 +1286,12 @@ mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c) /* Loop over bits of each non-maximal digit */ for(bit = 0; bit < DIGIT_BIT; bit++) { if(d & 1) { - if((res = s_mp_mul(&s, &x)) != MP_OKAY) + if((res = s_mp_mul(&s, &x)) != MP_OKAY) goto CLEANUP; } d >>= 1; - + if((res = s_mp_sqr(&x)) != MP_OKAY) goto CLEANUP; } @@ -1311,7 +1311,7 @@ mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c) if((res = s_mp_sqr(&x)) != MP_OKAY) goto CLEANUP; } - + if(mp_iseven(b)) SIGN(&s) = SIGN(a); @@ -1362,7 +1362,7 @@ mp_err mp_mod(mp_int *a, mp_int *m, mp_int *c) /* If |a| > m, we need to divide to get the remainder and take the - absolute value. + absolute value. If |a| < m, we don't need to do any division, just copy and adjust the sign (if a is negative). @@ -1376,7 +1376,7 @@ mp_err mp_mod(mp_int *a, mp_int *m, mp_int *c) if((mag = s_mp_cmp(a, m)) > 0) { if((res = mp_div(a, m, NULL, c)) != MP_OKAY) return res; - + if(SIGN(c) == MP_NEG) { if((res = mp_add(c, m, c)) != MP_OKAY) return res; @@ -1391,7 +1391,7 @@ mp_err mp_mod(mp_int *a, mp_int *m, mp_int *c) return res; } - + } else { mp_zero(c); @@ -1464,9 +1464,9 @@ mp_err mp_sqrt(mp_int *a, mp_int *b) return MP_RANGE; /* Special cases for zero and one, trivial */ - if(mp_cmp_d(a, 0) == MP_EQ || mp_cmp_d(a, 1) == MP_EQ) + if(mp_cmp_d(a, 0) == MP_EQ || mp_cmp_d(a, 1) == MP_EQ) return mp_copy(a, b); - + /* Initialize the temporaries we'll use below */ if((res = mp_init_size(&t, USED(a))) != MP_OKAY) return res; @@ -1508,7 +1508,7 @@ mp_add_d(&x, 1, &x); CLEANUP: mp_clear(&x); X: - mp_clear(&t); + mp_clear(&t); return res; @@ -1626,7 +1626,7 @@ mp_err mp_sqrmod(mp_int *a, mp_int *m, mp_int *c) Compute c = (a ** b) mod m. Uses a standard square-and-multiply method with modular reductions at each step. (This is basically the same code as mp_expt(), except for the addition of the reductions) - + The modular reductions are done using Barrett's algorithm (see s_mp_reduce() below for details) */ @@ -1655,7 +1655,7 @@ mp_err mp_exptmod(mp_int *a, mp_int *b, mp_int *m, mp_int *c) mp_set(&s, 1); /* mu = b^2k / m */ - s_mp_add_d(&mu, 1); + s_mp_add_d(&mu, 1); s_mp_lshd(&mu, 2 * USED(m)); if((res = mp_div(&mu, m, &mu, NULL)) != MP_OKAY) goto CLEANUP; @@ -1866,7 +1866,7 @@ int mp_cmp_int(mp_int *a, long z) int out; ARGCHK(a != NULL, MP_EQ); - + mp_init(&tmp); mp_set_int(&tmp, z); out = mp_cmp(a, &tmp); mp_clear(&tmp); @@ -1953,13 +1953,13 @@ mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c) if(mp_isodd(&u)) { if((res = mp_copy(&v, &t)) != MP_OKAY) goto CLEANUP; - + /* t = -v */ if(SIGN(&v) == MP_ZPOS) SIGN(&t) = MP_NEG; else SIGN(&t) = MP_ZPOS; - + } else { if((res = mp_copy(&u, &t)) != MP_OKAY) goto CLEANUP; @@ -2152,7 +2152,7 @@ mp_err mp_xgcd(mp_int *a, mp_int *b, mp_int *g, mp_int *x, mp_int *y) if(y) if((res = mp_copy(&D, y)) != MP_OKAY) goto CLEANUP; - + if(g) if((res = mp_mul(&gx, &v, g)) != MP_OKAY) goto CLEANUP; @@ -2255,7 +2255,7 @@ void mp_print(mp_int *mp, FILE *ofp) /* {{{ mp_read_signed_bin(mp, str, len) */ -/* +/* mp_read_signed_bin(mp, str, len) Read in a raw value (base 256) into the given mp_int @@ -2332,16 +2332,16 @@ mp_err mp_read_unsigned_bin(mp_int *mp, unsigned char *str, int len) if((res = mp_add_d(mp, str[ix], mp)) != MP_OKAY) return res; } - + return MP_OKAY; - + } /* end mp_read_unsigned_bin() */ /* }}} */ /* {{{ mp_unsigned_bin_size(mp) */ -int mp_unsigned_bin_size(mp_int *mp) +int mp_unsigned_bin_size(mp_int *mp) { mp_digit topdig; int count; @@ -2440,7 +2440,7 @@ int mp_count_bits(mp_int *mp) } return len; - + } /* end mp_count_bits() */ /* }}} */ @@ -2462,14 +2462,14 @@ mp_err mp_read_radix(mp_int *mp, unsigned char *str, int radix) mp_err res; mp_sign sig = MP_ZPOS; - ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX, + ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX, MP_BADARG); mp_zero(mp); /* Skip leading non-digit characters until a digit or '-' or '+' */ - while(str[ix] && - (s_mp_tovalue(str[ix], radix) < 0) && + while(str[ix] && + (s_mp_tovalue(str[ix], radix) < 0) && str[ix] != '-' && str[ix] != '+') { ++ix; @@ -2525,7 +2525,7 @@ int mp_radix_size(mp_int *mp, int radix) /* num = number of digits qty = number of bits per digit radix = target base - + Return the number of digits in the specified radix that would be needed to express 'num' digits of 'qty' bits each. */ @@ -2594,7 +2594,7 @@ mp_err mp_toradix(mp_int *mp, unsigned char *str, int radix) ++ix; --pos; } - + mp_clear(&tmp); } @@ -2806,11 +2806,11 @@ void s_mp_exch(mp_int *a, mp_int *b) /* {{{ s_mp_lshd(mp, p) */ -/* +/* Shift mp leftward by p digits, growing if needed, and zero-filling the in-shifted digits at the right end. This is a convenient alternative to multiplication by powers of the radix - */ + */ mp_err s_mp_lshd(mp_int *mp, mp_size p) { @@ -2829,7 +2829,7 @@ mp_err s_mp_lshd(mp_int *mp, mp_size p) dp = DIGITS(mp); /* Shift all the significant figures over as needed */ - for(ix = pos - p; ix >= 0; ix--) + for(ix = pos - p; ix >= 0; ix--) dp[ix + p] = dp[ix]; /* Fill the bottom digits with zeroes */ @@ -2844,7 +2844,7 @@ mp_err s_mp_lshd(mp_int *mp, mp_size p) /* {{{ s_mp_rshd(mp, p) */ -/* +/* Shift mp rightward by p digits. Maintains the invariant that digits above the precision are all zero. Digits shifted off the end are lost. Cannot fail. @@ -3054,7 +3054,7 @@ void s_mp_div_2d(mp_int *mp, mp_digit d) end of the division process). We multiply by the smallest power of 2 that gives us a leading digit - at least half the radix. By choosing a power of 2, we simplify the + at least half the radix. By choosing a power of 2, we simplify the multiplication and division steps to simple shifts. */ mp_digit s_mp_norm(mp_int *a, mp_int *b) @@ -3066,7 +3066,7 @@ mp_digit s_mp_norm(mp_int *a, mp_int *b) t <<= 1; ++d; } - + if(d != 0) { s_mp_mul_2d(a, d); s_mp_mul_2d(b, d); @@ -3188,14 +3188,14 @@ mp_err s_mp_mul_d(mp_int *a, mp_digit d) test guarantees we have enough storage to do this safely. */ if(k) { - dp[max] = k; + dp[max] = k; USED(a) = max + 1; } s_mp_clamp(a); return MP_OKAY; - + } /* end s_mp_mul_d() */ /* }}} */ @@ -3289,7 +3289,7 @@ mp_err s_mp_add(mp_int *a, mp_int *b) /* magnitude addition */ } /* If we run out of 'b' digits before we're actually done, make - sure the carries get propagated upward... + sure the carries get propagated upward... */ used = USED(a); while(w && ix < used) { @@ -3351,7 +3351,7 @@ mp_err s_mp_sub(mp_int *a, mp_int *b) /* magnitude subtract */ /* Clobber any leading zeroes we created */ s_mp_clamp(a); - /* + /* If there was a borrow out, then |b| > |a| in violation of our input invariant. We've already done the work, but we'll at least complain about it... @@ -3387,7 +3387,7 @@ mp_err s_mp_reduce(mp_int *x, mp_int *m, mp_int *mu) s_mp_mod_2d(&q, (mp_digit)(DIGIT_BIT * (um + 1))); #else s_mp_mul_dig(&q, m, um + 1); -#endif +#endif /* x = x - q */ if((res = mp_sub(x, &q, x)) != MP_OKAY) @@ -3441,7 +3441,7 @@ mp_err s_mp_mul(mp_int *a, mp_int *b) pb = DIGITS(b); for(ix = 0; ix < ub; ++ix, ++pb) { - if(*pb == 0) + if(*pb == 0) continue; /* Inner product: Digits of a */ @@ -3480,7 +3480,7 @@ void s_mp_kmul(mp_digit *a, mp_digit *b, mp_digit *out, mp_size len) for(ix = 0; ix < len; ++ix, ++b) { if(*b == 0) continue; - + pa = a; for(jx = 0; jx < len; ++jx, ++pa) { pt = out + ix + jx; @@ -3547,7 +3547,7 @@ mp_err s_mp_sqr(mp_int *a) */ for(jx = ix + 1, pa2 = DIGITS(a) + jx; jx < used; ++jx, ++pa2) { mp_word u = 0, v; - + /* Store this in a temporary to avoid indirections later */ pt = pbt + ix + jx; @@ -3568,7 +3568,7 @@ mp_err s_mp_sqr(mp_int *a) v = *pt + k; /* If we do not already have an overflow carry, check to see - if the addition will cause one, and set the carry out if so + if the addition will cause one, and set the carry out if so */ u |= ((MP_WORD_MAX - v) < w); @@ -3592,7 +3592,7 @@ mp_err s_mp_sqr(mp_int *a) /* If we are carrying out, propagate the carry to the next digit in the output. This may cascade, so we have to be somewhat circumspect -- but we will have enough precision in the output - that we won't overflow + that we won't overflow */ kx = 1; while(k) { @@ -3664,7 +3664,7 @@ mp_err s_mp_div(mp_int *a, mp_int *b) while(ix >= 0) { /* Find a partial substring of a which is at least b */ while(s_mp_cmp(&rem, b) < 0 && ix >= 0) { - if((res = s_mp_lshd(&rem, 1)) != MP_OKAY) + if((res = s_mp_lshd(&rem, 1)) != MP_OKAY) goto CLEANUP; if((res = s_mp_lshd(", 1)) != MP_OKAY) @@ -3676,8 +3676,8 @@ mp_err s_mp_div(mp_int *a, mp_int *b) } /* If we didn't find one, we're finished dividing */ - if(s_mp_cmp(&rem, b) < 0) - break; + if(s_mp_cmp(&rem, b) < 0) + break; /* Compute a guess for the next quotient digit */ q = DIGIT(&rem, USED(&rem) - 1); @@ -3695,7 +3695,7 @@ mp_err s_mp_div(mp_int *a, mp_int *b) if((res = s_mp_mul_d(&t, q)) != MP_OKAY) goto CLEANUP; - /* + /* If it's too big, back it off. We should not have to do this more than once, or, in rare cases, twice. Knuth describes a method by which this could be reduced to a maximum of once, but @@ -3719,7 +3719,7 @@ mp_err s_mp_div(mp_int *a, mp_int *b) } /* Denormalize remainder */ - if(d != 0) + if(d != 0) s_mp_div_2d(&rem, d); s_mp_clamp("); @@ -3727,7 +3727,7 @@ mp_err s_mp_div(mp_int *a, mp_int *b) /* Copy quotient back to output */ s_mp_exch(", a); - + /* Copy remainder back to output */ s_mp_exch(&rem, b); @@ -3757,7 +3757,7 @@ mp_err s_mp_2expt(mp_int *a, mp_digit k) mp_zero(a); if((res = s_mp_pad(a, dig + 1)) != MP_OKAY) return res; - + DIGIT(a, dig) |= (1 << bit); return MP_OKAY; @@ -3815,7 +3815,7 @@ int s_mp_cmp_d(mp_int *a, mp_digit d) if(ua > 1) return MP_GT; - if(*ap < d) + if(*ap < d) return MP_LT; else if(*ap > d) return MP_GT; @@ -3857,7 +3857,7 @@ int s_mp_ispow2(mp_int *v) } return ((uv - 1) * DIGIT_BIT) + extra; - } + } return -1; @@ -3901,7 +3901,7 @@ int s_mp_ispow2d(mp_digit d) int s_mp_tovalue(char ch, int r) { int val, xch; - + if(r > 36) xch = ch; else @@ -3917,7 +3917,7 @@ int s_mp_tovalue(char ch, int r) val = 62; else if(xch == '/') val = 63; - else + else return -1; if(val < 0 || val >= r) @@ -3939,7 +3939,7 @@ int s_mp_tovalue(char ch, int r) The results may be odd if you use a radix < 2 or > 64, you are expected to know what you're doing. */ - + char s_mp_todigit(int val, int r, int low) { char ch; @@ -3960,7 +3960,7 @@ char s_mp_todigit(int val, int r, int low) /* {{{ s_mp_outlen(bits, radix) */ -/* +/* Return an estimate for how long a string is needed to hold a radix r representation of a number with 'bits' significant bits. diff --git a/source4/heimdal/lib/hcrypto/libtommath/tommath.h b/source4/heimdal/lib/hcrypto/libtommath/tommath.h index 426207a298..67d3b06af6 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/tommath.h +++ b/source4/heimdal/lib/hcrypto/libtommath/tommath.h @@ -46,7 +46,7 @@ extern "C" { /* detect 64-bit mode if possible */ -#if defined(__x86_64__) +#if defined(__x86_64__) #if !(defined(MP_64BIT) && defined(MP_16BIT) && defined(MP_8BIT)) #define MP_64BIT #endif @@ -82,7 +82,7 @@ extern "C" { /* this is to make porting into LibTomCrypt easier :-) */ #ifndef CRYPT - #if defined(_MSC_VER) || defined(__BORLANDC__) + #if defined(_MSC_VER) || defined(__BORLANDC__) typedef unsigned __int64 ulong64; typedef signed __int64 long64; #else @@ -94,20 +94,20 @@ extern "C" { typedef unsigned long mp_digit; typedef ulong64 mp_word; -#ifdef MP_31BIT +#ifdef MP_31BIT /* this is an extension that uses 31-bit digits */ #define DIGIT_BIT 31 #else /* default case is 28-bit digits, defines MP_28BIT as a handy macro to test */ #define DIGIT_BIT 28 #define MP_28BIT -#endif +#endif #endif /* define heap macros */ #ifndef CRYPT /* default to libc stuff */ - #ifndef XMALLOC + #ifndef XMALLOC #define XMALLOC malloc #define XFREE free #define XREALLOC realloc @@ -169,7 +169,7 @@ extern int KARATSUBA_MUL_CUTOFF, #define MP_PREC 32 /* default digits of precision */ #else #define MP_PREC 8 /* default digits of precision */ - #endif + #endif #endif /* size of comba arrays, should be at least 2 * 2**(BITS_PER_WORD - BITS_PER_DIGIT*2) */ @@ -473,7 +473,7 @@ int mp_prime_fermat(mp_int *a, mp_int *b, int *result); int mp_prime_miller_rabin(mp_int *a, mp_int *b, int *result); /* This gives [for a given bit size] the number of trials required - * such that Miller-Rabin gives a prob of failure lower than 2^-96 + * such that Miller-Rabin gives a prob of failure lower than 2^-96 */ int mp_prime_rabin_miller_trials(int size); @@ -494,7 +494,7 @@ int mp_prime_is_prime(mp_int *a, int t, int *result); int mp_prime_next_prime(mp_int *a, int t, int bbs_style); /* makes a truly random prime of a given size (bytes), - * call with bbs = 1 if you want it to be congruent to 3 mod 4 + * call with bbs = 1 if you want it to be congruent to 3 mod 4 * * You have to supply a callback which fills in a buffer with random bytes. "dat" is a parameter you can * have passed to the callback (e.g. a state or something). This function doesn't use "dat" itself @@ -507,7 +507,7 @@ int mp_prime_next_prime(mp_int *a, int t, int bbs_style); /* makes a truly random prime of a given size (bits), * * Flags are as follows: - * + * * LTM_PRIME_BBS - make prime congruent to 3 mod 4 * LTM_PRIME_SAFE - make sure (p-1)/2 is prime as well (implies LTM_PRIME_BBS) * LTM_PRIME_2MSB_OFF - make the 2nd highest bit zero diff --git a/source4/heimdal/lib/hcrypto/libtommath/tommath_superclass.h b/source4/heimdal/lib/hcrypto/libtommath/tommath_superclass.h index 2fdebe6838..a96c36feb8 100644 --- a/source4/heimdal/lib/hcrypto/libtommath/tommath_superclass.h +++ b/source4/heimdal/lib/hcrypto/libtommath/tommath_superclass.h @@ -60,9 +60,9 @@ #undef BN_FAST_MP_INVMOD_C /* To safely undefine these you have to make sure your RSA key won't exceed the Comba threshold - * which is roughly 255 digits [7140 bits for 32-bit machines, 15300 bits for 64-bit machines] + * which is roughly 255 digits [7140 bits for 32-bit machines, 15300 bits for 64-bit machines] * which means roughly speaking you can handle upto 2536-bit RSA keys with these defined without - * trouble. + * trouble. */ #undef BN_S_MP_MUL_DIGS_C #undef BN_S_MP_SQR_C diff --git a/source4/heimdal/lib/hcrypto/pkcs12.c b/source4/heimdal/lib/hcrypto/pkcs12.c index 92a40fa69a..a890f01a3d 100644 --- a/source4/heimdal/lib/hcrypto/pkcs12.c +++ b/source4/heimdal/lib/hcrypto/pkcs12.c @@ -141,7 +141,7 @@ PKCS12_key_gen(const void *key, size_t keylen, BN_bn2bin(bnI, I + i + vlen - j); } BN_free(bnI); - } + } BN_free(bnB); BN_free(bnOne); size_I = vlen * 2; diff --git a/source4/heimdal/lib/hcrypto/rand-egd.c b/source4/heimdal/lib/hcrypto/rand-egd.c index 00d3286f24..dd2d3e13ec 100644 --- a/source4/heimdal/lib/hcrypto/rand-egd.c +++ b/source4/heimdal/lib/hcrypto/rand-egd.c @@ -144,7 +144,7 @@ egd_seed(const void *indata, int size) break; indata = ((unsigned char *)indata) + len; size -= len; - } + } close(fd); } @@ -170,7 +170,7 @@ get_bytes(const char *path, unsigned char *outdata, int size) break; outdata += len; size -= len; - } + } close(fd); return ret; diff --git a/source4/heimdal/lib/hcrypto/rc2.c b/source4/heimdal/lib/hcrypto/rc2.c index dcfe42d02d..63bd3daa00 100644 --- a/source4/heimdal/lib/hcrypto/rc2.c +++ b/source4/heimdal/lib/hcrypto/rc2.c @@ -106,7 +106,7 @@ RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) k[j] = Sbox[k[j + 1] ^ k[j + T8]]; for (j = 0; j < 64; j++) - key->data[j] = k[(j * 2) + 0] | (k[(j * 2) + 1] << 8); + key->data[j] = k[(j * 2) + 0] | (k[(j * 2) + 1] << 8); memset(k, 0, sizeof(k)); } diff --git a/source4/heimdal/lib/hcrypto/rsa-ltm.c b/source4/heimdal/lib/hcrypto/rsa-ltm.c index 6ef4a83c51..5cd3e9361e 100644 --- a/source4/heimdal/lib/hcrypto/rsa-ltm.c +++ b/source4/heimdal/lib/hcrypto/rsa-ltm.c @@ -188,7 +188,7 @@ ltm_rsa_public_encrypt(int flen, const unsigned char* from, memcpy(p, from, flen); p += flen; assert((p - p0) == size - 1); - + mp_read_unsigned_bin(&dec, p0, size - 1); free(p0); diff --git a/source4/heimdal/lib/hcrypto/rsa.c b/source4/heimdal/lib/hcrypto/rsa.c index a3fc0cd7ae..c71ded1b7a 100644 --- a/source4/heimdal/lib/hcrypto/rsa.c +++ b/source4/heimdal/lib/hcrypto/rsa.c @@ -55,12 +55,12 @@ * * Speed for RSA in seconds * no key blinding - * 1000 iteration, + * 1000 iteration, * same rsa keys (1024 and 2048) * operation performed each eteration sign, verify, encrypt, decrypt on a random bit pattern * * name 1024 2048 4098 - * ================================= + * ================================= * gmp: 0.73 6.60 44.80 * tfm: 2.45 -- -- * ltm: 3.79 20.74 105.41 (default in hcrypto) @@ -442,11 +442,11 @@ RSA_verify(int type, const unsigned char *from, unsigned int flen, free_DigestInfo(&di); return -1; } - + ret = der_heim_oid_cmp(&digest_alg->algorithm, &di.digestAlgorithm.algorithm); free_DigestInfo(&di); - + if (ret != 0) return 0; return 1; @@ -577,7 +577,7 @@ d2i_RSAPrivateKey(RSA *rsa, const unsigned char **pp, size_t len) RSA_free(k); return NULL; } - + return k; } @@ -701,6 +701,6 @@ d2i_RSAPublicKey(RSA *rsa, const unsigned char **pp, size_t len) RSA_free(k); return NULL; } - + return k; } diff --git a/source4/heimdal/lib/hcrypto/sha256.c b/source4/heimdal/lib/hcrypto/sha256.c index 5e601bb358..108afdccc8 100644 --- a/source4/heimdal/lib/hcrypto/sha256.c +++ b/source4/heimdal/lib/hcrypto/sha256.c @@ -116,7 +116,7 @@ calc (SHA256_CTX *m, uint32_t *in) T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i]; T2 = Sigma0(AA) + Maj(AA,BB,CC); - + HH = GG; GG = FF; FF = EE; diff --git a/source4/heimdal/lib/hcrypto/sha512.c b/source4/heimdal/lib/hcrypto/sha512.c index fb38cadb6f..4bea216668 100644 --- a/source4/heimdal/lib/hcrypto/sha512.c +++ b/source4/heimdal/lib/hcrypto/sha512.c @@ -140,7 +140,7 @@ calc (SHA512_CTX *m, uint64_t *in) T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_512[i] + data[i]; T2 = Sigma0(AA) + Maj(AA,BB,CC); - + HH = GG; GG = FF; FF = EE; diff --git a/source4/heimdal/lib/hcrypto/ui.c b/source4/heimdal/lib/hcrypto/ui.c index e32bb9a0be..d0714fe6d5 100644 --- a/source4/heimdal/lib/hcrypto/ui.c +++ b/source4/heimdal/lib/hcrypto/ui.c @@ -62,7 +62,7 @@ intr(int sig) */ static int -read_string(const char *preprompt, const char *prompt, +read_string(const char *preprompt, const char *prompt, char *buf, size_t len, int echo) { int of = 0; @@ -86,13 +86,13 @@ read_string(const char *preprompt, const char *prompt, if(of) p--; *p = 0; - + if(echo == 0){ printf("\n"); } signal(SIGINT, oldsigintr); - + if(intr_flag) return -2; if(of) diff --git a/source4/heimdal/lib/hcrypto/validate.c b/source4/heimdal/lib/hcrypto/validate.c index f6f8be7030..48b9bfc6e3 100644 --- a/source4/heimdal/lib/hcrypto/validate.c +++ b/source4/heimdal/lib/hcrypto/validate.c @@ -69,7 +69,7 @@ struct tests tests[] = { "\xdc\x95\xc0\x78\xa2\x40\x89\x89\xad\x48\xa2\x14\x92\x84\x20\x87" }, #if 0 - { + { EVP_aes_128_cfb8, "aes-cfb8-128", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", @@ -93,7 +93,7 @@ struct tests tests[] = { "\x55\x95\x97\x76\xa9\x6c\x66\x40\x64\xc7\xf4\x1c\x21\xb7\x14\x1b" }, #if 0 - { + { EVP_camellia_128_cbc, "camellia128", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", @@ -105,7 +105,7 @@ struct tests tests[] = { NULL }, #endif - { + { EVP_rc4, "rc4 8", "\x01\x23\x45\x67\x89\xAB\xCD\xEF", diff --git a/source4/heimdal/lib/hdb/dbinfo.c b/source4/heimdal/lib/hdb/dbinfo.c index 5019016ed5..52e394106e 100644 --- a/source4/heimdal/lib/hdb/dbinfo.c +++ b/source4/heimdal/lib/hdb/dbinfo.c @@ -112,7 +112,7 @@ hdb_get_dbinfo(krb5_context context, struct hdb_dbinfo **dbp) if (ret == 0 && di) { databases = di; dt = &di->next; - } + } for ( ; db_binding != NULL; db_binding = db_binding->next) { diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c index fb32fdb845..d2a4373b9b 100644 --- a/source4/heimdal/lib/hdb/ext.c +++ b/source4/heimdal/lib/hdb/ext.c @@ -37,7 +37,7 @@ krb5_error_code hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) { - int i; + size_t i; if (ent->extensions == NULL) return 0; @@ -63,13 +63,13 @@ hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) HDB_extension * hdb_find_extension(const hdb_entry *entry, int type) { - int i; + size_t i; if (entry->extensions == NULL) return NULL; for (i = 0; i < entry->extensions->len; i++) - if (entry->extensions->val[i].data.element == type) + if (entry->extensions->val[i].data.element == (unsigned)type) return &entry->extensions->val[i]; return NULL; } @@ -112,7 +112,7 @@ hdb_replace_extension(krb5_context context, Der_type replace_type, list_type; unsigned int replace_tag, list_tag; size_t size; - int i; + size_t i; ret = der_get_tag(ext->data.u.asn1_ellipsis.data, ext->data.u.asn1_ellipsis.length, @@ -180,13 +180,13 @@ hdb_clear_extension(krb5_context context, hdb_entry *entry, int type) { - int i; + size_t i; if (entry->extensions == NULL) return 0; for (i = 0; i < entry->extensions->len; i++) { - if (entry->extensions->val[i].data.element == type) { + if (entry->extensions->val[i].data.element == (unsigned)type) { free_HDB_extension(&entry->extensions->val[i]); memmove(&entry->extensions->val[i], &entry->extensions->val[i + 1], @@ -286,7 +286,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, ext = hdb_find_extension(entry, choice_HDB_extension_data_password); if (ext) { - heim_utf8_string str; + heim_utf8_string xstr; heim_octet_string pw; if (db->hdb_master_key_set && ext->data.u.password.mkvno) { @@ -314,13 +314,13 @@ hdb_entry_get_password(krb5_context context, HDB *db, return ret; } - str = pw.data; - if (str[pw.length - 1] != '\0') { + xstr = pw.data; + if (xstr[pw.length - 1] != '\0') { krb5_set_error_message(context, EINVAL, "malformed password"); return EINVAL; } - *p = strdup(str); + *p = strdup(xstr); der_free_octet_string(&pw); if (*p == NULL) { diff --git a/source4/heimdal/lib/hdb/hdb-keytab.c b/source4/heimdal/lib/hdb/hdb-keytab.c index c1bad86796..ab2afb5d74 100644 --- a/source4/heimdal/lib/hdb/hdb-keytab.c +++ b/source4/heimdal/lib/hdb/hdb-keytab.c @@ -206,7 +206,7 @@ hdb_keytab_create(krb5_context context, HDB ** db, const char *arg) krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } - + (*db)->hdb_db = k; diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index 2c1de8b3d7..ca05cc4a17 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -78,7 +78,9 @@ static struct hdb_method methods[] = { { HDB_INTERFACE_VERSION, "ldap:", hdb_ldap_create}, { HDB_INTERFACE_VERSION, "ldapi:", hdb_ldapi_create}, #endif +#ifdef HAVE_SQLITE3 { HDB_INTERFACE_VERSION, "sqlite:", hdb_sqlite_create}, +#endif {0, NULL, NULL} }; @@ -166,7 +168,7 @@ hdb_unlock(int fd) void hdb_free_entry(krb5_context context, hdb_entry_ex *ent) { - int i; + size_t i; if (ent->free_entry) (*ent->free_entry)(context, ent); @@ -215,7 +217,7 @@ hdb_check_db_format(krb5_context context, HDB *db) if (ret) return ret; - tag.data = HDB_DB_FORMAT_ENTRY; + tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); ret = (*db->hdb__get)(context, db, tag, &version); ret2 = db->hdb_unlock(context, db); @@ -248,7 +250,7 @@ hdb_init_db(krb5_context context, HDB *db) if (ret) return ret; - tag.data = HDB_DB_FORMAT_ENTRY; + tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT); version.data = ver; @@ -317,7 +319,7 @@ find_dynamic_method (krb5_context context, if (asprintf(&symbol, "hdb_%s_interface", prefix) == -1) krb5_errx(context, 1, "out of memory"); - + mso = (struct hdb_so_method *) dlsym(dl, symbol); if (mso == NULL) { krb5_warnx(context, "error finding symbol %s in %s: %s\n", @@ -432,7 +434,7 @@ _hdb_keytab2hdb_entry(krb5_context context, entry->entry.keys.val[0].mkvno = NULL; entry->entry.keys.val[0].salt = NULL; - + return krb5_copy_keyblock_contents(context, &ktentry->keyblock, &entry->entry.keys.val[0].key); diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index fffda7aef0..469ec82ec0 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -153,7 +153,7 @@ typedef struct HDB{ /** * As part of iteration, fetch next entry */ - krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, + krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, unsigned, hdb_entry_ex*); /** * Lock database @@ -221,7 +221,7 @@ typedef struct HDB{ * ->hdb_store() into the database. The backend will still perform * all other operations, increasing the kvno, and update * modification timestamp. - * + * * The backend needs to call _kadm5_set_keys() and perform password * quality checks. */ diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c index 63f254d002..3d0b9d7c1b 100644 --- a/source4/heimdal/lib/hdb/keys.c +++ b/source4/heimdal/lib/hdb/keys.c @@ -221,10 +221,10 @@ add_enctype_to_key_set(Key **key_set, size_t *nkeyset, free_Key(&key); return ENOMEM; } - + key.salt->type = salt->salttype; krb5_data_zero (&key.salt->salt); - + ret = krb5_data_copy(&key.salt->salt, salt->saltvalue.data, salt->saltvalue.length); @@ -256,8 +256,8 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, char **ktypes, **kp; krb5_error_code ret; Key *k, *key_set; - int i, j; - char *default_keytypes[] = { + size_t i, j; + static const char *default_keytypes[] = { "aes256-cts-hmac-sha1-96:pw-salt", "des3-cbc-sha1:pw-salt", "arcfour-hmac-md5:pw-salt", @@ -267,7 +267,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, ktypes = krb5_config_get_strings(context, NULL, "kadmin", "default_keys", NULL); if (ktypes == NULL) - ktypes = default_keytypes; + ktypes = (char **)(intptr_t)default_keytypes; *ret_key_set = key_set = NULL; *nkeyset = 0; @@ -290,7 +290,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, p = "des:afs3-salt"; else if (strcmp(p, "arcfour-hmac-md5") == 0) p = "arcfour-hmac-md5:pw-salt"; - + memset(&salt, 0, sizeof(salt)); ret = parse_key_set(context, p, @@ -337,7 +337,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, *ret_key_set = key_set; out: - if (ktypes != default_keytypes) + if (ktypes != (char **)(intptr_t)default_keytypes) krb5_config_free_strings(ktypes); if (ret) { @@ -364,7 +364,7 @@ hdb_generate_key_set_password(krb5_context context, Key **keys, size_t *num_keys) { krb5_error_code ret; - int i; + size_t i; ret = hdb_generate_key_set(context, principal, keys, num_keys, 0); diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c index 05b78dafc5..c72b797dab 100644 --- a/source4/heimdal/lib/hdb/keytab.c +++ b/source4/heimdal/lib/hdb/keytab.c @@ -37,7 +37,7 @@ struct hdb_data { char *dbname; - char *mkey; + char *mkey; }; struct hdb_cursor { @@ -184,7 +184,7 @@ hdb_get_entry(krb5_context context, const char *mkey = d->mkey; char *fdbname = NULL, *fmkey = NULL; HDB *db; - int i; + size_t i; memset(&ent, 0, sizeof(ent)); @@ -204,13 +204,13 @@ hdb_get_entry(krb5_context context, (*db->hdb_destroy)(context, db); goto out2; } - + ret = (*db->hdb_open)(context, db, O_RDONLY, 0); if (ret) { (*db->hdb_destroy)(context, db); goto out2; } - + ret = (*db->hdb_fetch_kvno)(context, db, principal, HDB_F_DECRYPT|HDB_F_KVNO_SPECIFIED| HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, @@ -222,7 +222,7 @@ hdb_get_entry(krb5_context context, }else if(ret) goto out; - if(kvno && ent.entry.kvno != kvno) { + if(kvno && (krb5_kvno)ent.entry.kvno != kvno) { hdb_free_entry(context, &ent); ret = KRB5_KT_NOTFOUND; goto out; @@ -268,10 +268,10 @@ hdb_start_seq_get(krb5_context context, const char *dbname = d->dbname; const char *mkey = d->mkey; HDB *db; - + if (dbname == NULL) { /* - * We don't support enumerating without being told what + * We don't support enumerating without being told what * backend to enumerate on */ ret = KRB5_KT_NOTFOUND; @@ -286,7 +286,7 @@ hdb_start_seq_get(krb5_context context, (*db->hdb_destroy)(context, db); return ret; } - + ret = (*db->hdb_open)(context, db, O_RDONLY, 0); if (ret) { (*db->hdb_destroy)(context, db); @@ -314,16 +314,16 @@ static int KRB5_CALLCONV hdb_next_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, - krb5_kt_cursor *cursor) + krb5_kt_cursor *cursor) { struct hdb_cursor *c = cursor->data; krb5_error_code ret; - + memset(entry, 0, sizeof(*entry)); if (c->first) { c->first = FALSE; - ret = (c->db->hdb_firstkey)(context, c->db, + ret = (c->db->hdb_firstkey)(context, c->db, HDB_F_DECRYPT| HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &c->hdb_entry); @@ -331,15 +331,15 @@ hdb_next_entry(krb5_context context, return KRB5_KT_END; else if (ret) return ret; - + if (c->hdb_entry.entry.keys.len == 0) hdb_free_entry(context, &c->hdb_entry); else c->next = FALSE; - } - + } + while (c->next) { - ret = (c->db->hdb_nextkey)(context, c->db, + ret = (c->db->hdb_nextkey)(context, c->db, HDB_F_DECRYPT| HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &c->hdb_entry); @@ -347,21 +347,21 @@ hdb_next_entry(krb5_context context, return KRB5_KT_END; else if (ret) return ret; - + /* If no keys on this entry, try again */ if (c->hdb_entry.entry.keys.len == 0) hdb_free_entry(context, &c->hdb_entry); else c->next = FALSE; } - + /* * Return next enc type (keytabs are one slot per key, while * hdb is one record per principal. */ - - ret = krb5_copy_principal(context, - c->hdb_entry.entry.principal, + + ret = krb5_copy_principal(context, + c->hdb_entry.entry.principal, &entry->principal); if (ret) return ret; @@ -376,13 +376,13 @@ hdb_next_entry(krb5_context context, return ret; } c->key_idx++; - - /* + + /* * Once we get to the end of the list, signal that we want the * next entry */ - - if (c->key_idx == c->hdb_entry.entry.keys.len) { + + if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) { hdb_free_entry(context, &c->hdb_entry); c->next = TRUE; c->key_idx = 0; diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c index 760eccfd43..9a13d55a51 100644 --- a/source4/heimdal/lib/hdb/mkey.c +++ b/source4/heimdal/lib/hdb/mkey.c @@ -153,7 +153,7 @@ read_master_mit(krb5_context context, const char *filename, krb5_storage *sp; int16_t enctype; krb5_keyblock key; - + fd = open(filename, O_RDONLY | O_BINARY); if(fd < 0) { int save_errno = errno; @@ -200,7 +200,7 @@ read_master_encryptionkey(krb5_context context, const char *filename, unsigned char buf[256]; ssize_t len; size_t ret_len; - + fd = open(filename, O_RDONLY | O_BINARY); if(fd < 0) { int save_errno = errno; @@ -246,7 +246,7 @@ read_master_krb4(krb5_context context, const char *filename, krb5_error_code ret; unsigned char buf[256]; ssize_t len; - + fd = open(filename, O_RDONLY | O_BINARY); if(fd < 0) { int save_errno = errno; @@ -372,7 +372,7 @@ _hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey) if(mkvno == NULL) { if(ret == NULL || mkey->keytab.vno > ret->keytab.vno) ret = mkey; - } else if(mkey->keytab.vno == *mkvno) + } else if((uint32_t)mkey->keytab.vno == *mkvno) return mkey; mkey = mkey->next; } @@ -406,7 +406,7 @@ _hdb_mkey_encrypt(krb5_context context, hdb_master_key key, krb5_error_code hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) { - + krb5_error_code ret; krb5_data res; size_t keysize; @@ -415,7 +415,7 @@ hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) if(k->mkvno == NULL) return 0; - + key = _hdb_find_master_key(k->mkvno, mkey); if (key == NULL) @@ -459,7 +459,7 @@ hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) krb5_error_code hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) { - int i; + size_t i; for(i = 0; i < ent->keys.len; i++){ krb5_error_code ret; @@ -519,14 +519,14 @@ hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) return ENOMEM; } *k->mkvno = key->keytab.vno; - + return 0; } krb5_error_code hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) { - int i; + size_t i; for(i = 0; i < ent->keys.len; i++){ krb5_error_code ret; diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c index 492064d86d..cb5a7be62c 100644 --- a/source4/heimdal/lib/hx509/ca.c +++ b/source4/heimdal/lib/hx509/ca.c @@ -266,7 +266,7 @@ hx509_ca_tbs_set_template(hx509_context context, } if (flags & HX509_CA_TEMPLATE_EKU) { ExtKeyUsage eku; - int i; + size_t i; ret = _hx509_cert_get_eku(context, cert, &eku); if (ret) return ret; @@ -610,7 +610,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context, const char *str; char *q; int n; - + /* count number of component */ n = 1; for(str = principal; *str != '\0' && *str != '@'; str++){ @@ -633,7 +633,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context, goto out; } p.principalName.name_string.len = n; - + p.principalName.name_type = KRB5_NT_PRINCIPAL; q = s = strdup(principal); if (q == NULL) { @@ -689,7 +689,7 @@ add_utf8_san(hx509_context context, const heim_oid *oid, const char *string) { - const PKIXXmppAddr ustring = (const PKIXXmppAddr)string; + const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string; heim_octet_string os; size_t size; int ret; @@ -866,7 +866,7 @@ hx509_ca_tbs_set_unique(hx509_context context, der_free_bit_string(&tbs->subjectUniqueID); der_free_bit_string(&tbs->issuerUniqueID); - + if (subjectUniqueID) { ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID); if (ret) diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c index 7f95ea5560..70e5756037 100644 --- a/source4/heimdal/lib/hx509/cert.c +++ b/source4/heimdal/lib/hx509/cert.c @@ -327,7 +327,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key) void hx509_cert_free(hx509_cert cert) { - int i; + size_t i; if (cert == NULL) return; @@ -355,7 +355,7 @@ hx509_cert_free(hx509_cert cert) free(cert->friendlyname); if (cert->basename) hx509_name_free(&cert->basename); - memset(cert, 0, sizeof(cert)); + memset(cert, 0, sizeof(*cert)); free(cert); } @@ -574,7 +574,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean) } void -hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, +hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, int boolean) { if (boolean) @@ -584,7 +584,7 @@ hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, } static const Extension * -find_extension(const Certificate *cert, const heim_oid *oid, int *idx) +find_extension(const Certificate *cert, const heim_oid *oid, size_t *idx) { const TBSCertificate *c = &cert->tbsCertificate; @@ -604,7 +604,7 @@ find_extension_auth_key_id(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(ai, 0, sizeof(*ai)); @@ -623,7 +623,7 @@ _hx509_find_extension_subject_key_id(const Certificate *issuer, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(si, 0, sizeof(*si)); @@ -642,7 +642,7 @@ find_extension_name_constraints(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(nc, 0, sizeof(*nc)); @@ -656,7 +656,7 @@ find_extension_name_constraints(const Certificate *subject, } static int -find_extension_subject_alt_name(const Certificate *cert, int *i, +find_extension_subject_alt_name(const Certificate *cert, size_t *i, GeneralNames *sa) { const Extension *e; @@ -678,7 +678,7 @@ find_extension_eku(const Certificate *cert, ExtKeyUsage *eku) { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(eku, 0, sizeof(*eku)); @@ -720,7 +720,7 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry) void hx509_free_octet_string_list(hx509_octet_string_list *list) { - int i; + size_t i; for (i = 0; i < list->len; i++) der_free_octet_string(&list->val[i]); free(list->val); @@ -752,7 +752,8 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context, hx509_octet_string_list *list) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; list->val = NULL; list->len = 0; @@ -796,7 +797,8 @@ check_key_usage(hx509_context context, const Certificate *cert, const Extension *e; KeyUsage ku; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; unsigned ku_flags; if (_hx509_cert_get_version(cert) < 3) @@ -849,12 +851,13 @@ enum certtype { PROXY_CERT, EE_CERT, CA_CERT }; static int check_basic_constraints(hx509_context context, const Certificate *cert, - enum certtype type, int depth) + enum certtype type, size_t depth) { BasicConstraints bc; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (_hx509_cert_get_version(cert) < 3) return 0; @@ -966,7 +969,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject, return -1; if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName) return -1; - + name.element = ai.authorityCertIssuer->val[0].u.directoryName.element; name.u.rdnSequence = @@ -1123,7 +1126,7 @@ find_parent(hx509_context context, hx509_clear_error_string(context); return HX509_ISSUER_NOT_FOUND; } - + hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND, "Failed to find issuer for " "certificate with subject: '%s'", str); @@ -1144,7 +1147,8 @@ is_proxy_cert(hx509_context context, ProxyCertInfo info; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (rinfo) memset(rinfo, 0, sizeof(*rinfo)); @@ -1511,7 +1515,7 @@ hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context, } static int -get_x_unique_id(hx509_context context, const char *name, +get_x_unique_id(hx509_context context, const char *name, const heim_bit_string *cert, heim_bit_string *subject) { int ret; @@ -1695,7 +1699,7 @@ static int match_RDN(const RelativeDistinguishedName *c, const RelativeDistinguishedName *n) { - int i; + size_t i; if (c->len != n->len) return HX509_NAME_CONSTRAINT_ERROR; @@ -1717,7 +1721,8 @@ match_RDN(const RelativeDistinguishedName *c, static int match_X501Name(const Name *c, const Name *n) { - int i, ret; + size_t i; + int ret; if (c->element != choice_Name_rdnSequence || n->element != choice_Name_rdnSequence) @@ -1824,7 +1829,8 @@ match_alt_name(const GeneralName *n, const Certificate *c, int *same, int *match) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; i = 0; do { @@ -1869,7 +1875,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match) && !subject_null_p(c)) { GeneralName certname; - + memset(&certname, 0, sizeof(certname)); certname.element = choice_GeneralName_directoryName; certname.u.directoryName.element = @@ -1898,7 +1904,7 @@ check_name_constraints(hx509_context context, const Certificate *c) { int match, ret; - int i; + size_t i; for (i = 0 ; i < nc->len; i++) { GeneralSubtrees gs; @@ -1941,7 +1947,7 @@ check_name_constraints(hx509_context context, static void free_name_constraints(hx509_name_constraints *nc) { - int i; + size_t i; for (i = 0 ; i < nc->len; i++) free_NameConstraints(&nc->val[i]); @@ -1971,7 +1977,8 @@ hx509_verify_path(hx509_context context, { hx509_name_constraints nc; hx509_path path; - int ret, i, proxy_cert_depth, selfsigned_depth, diff; + int ret, proxy_cert_depth, selfsigned_depth, diff; + size_t i, k; enum certtype type; Name proxy_issuer; hx509_certs anchors = NULL; @@ -1979,7 +1986,7 @@ hx509_verify_path(hx509_context context, memset(&proxy_issuer, 0, sizeof(proxy_issuer)); ret = init_name_constraints(&nc); - if (ret) + if (ret) return ret; path.val = NULL; @@ -2031,7 +2038,7 @@ hx509_verify_path(hx509_context context, time_t t; c = _hx509_get_cert(path.val[i]); - + /* * Lets do some basic check on issuer like * keyUsage.keyCertSign and basicConstraints.cA bit depending @@ -2063,10 +2070,10 @@ hx509_verify_path(hx509_context context, break; case PROXY_CERT: { - ProxyCertInfo info; + ProxyCertInfo info; if (is_proxy_cert(context, c, &info) == 0) { - int j; + size_t j; if (info.pCPathLenConstraint != NULL && *info.pCPathLenConstraint < i) @@ -2080,7 +2087,7 @@ hx509_verify_path(hx509_context context, } /* XXX MUST check info.proxyPolicy */ free_ProxyCertInfo(&info); - + j = 0; if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) { ret = HX509_PROXY_CERT_INVALID; @@ -2098,7 +2105,7 @@ hx509_verify_path(hx509_context context, "forbidden issuerAltName"); goto out; } - + /* * The subject name of the proxy certificate should be * CN=XXX,<proxy issuer>, prune of CN and check if its @@ -2189,7 +2196,7 @@ hx509_verify_path(hx509_context context, } if (cert->basename) hx509_name_free(&cert->basename); - + ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename); if (ret) { hx509_clear_error_string(context); @@ -2204,7 +2211,7 @@ hx509_verify_path(hx509_context context, i - proxy_cert_depth - selfsigned_depth); if (ret) goto out; - + /* * Don't check the trust anchors expiration time since they * are transported out of band, from RFC3820. @@ -2236,9 +2243,10 @@ hx509_verify_path(hx509_context context, * checked in the right order. */ - for (ret = 0, i = path.len - 1; i >= 0; i--) { + for (ret = 0, k = path.len; k > 0; k--) { Certificate *c; int selfsigned; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2287,7 +2295,7 @@ hx509_verify_path(hx509_context context, } for (i = 0; i < path.len - 1; i++) { - int parent = (i < path.len - 1) ? i + 1 : i; + size_t parent = (i < path.len - 1) ? i + 1 : i; ret = hx509_revoke_verify(context, ctx->revoke_ctx, @@ -2308,9 +2316,10 @@ hx509_verify_path(hx509_context context, * parameter is passed up from the anchor up though the chain. */ - for (i = path.len - 1; i >= 0; i--) { + for (k = path.len; k > 0; k--) { hx509_cert signer; Certificate *c; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2343,7 +2352,7 @@ hx509_verify_path(hx509_context context, "Failed to verify signature of certificate"); goto out; } - /* + /* * Verify that the sigature algorithm "best-before" date is * before the creation date of the certificate, do this for * trust anchors too, since any trust anchor that is created @@ -2353,7 +2362,7 @@ hx509_verify_path(hx509_context context, */ if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) { - time_t notBefore = + time_t notBefore = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore); ret = _hx509_signature_best_before(context, &c->signatureAlgorithm, @@ -2450,7 +2459,8 @@ hx509_verify_hostname(hx509_context context, { GeneralNames san; const Name *name; - int ret, i, j; + int ret; + size_t i, j, k; if (sa && sa_size <= 0) return EINVAL; @@ -2471,7 +2481,7 @@ hx509_verify_hostname(hx509_context context, heim_printable_string hn; hn.data = rk_UNCONST(hostname); hn.length = strlen(hostname); - + if (der_printable_string_cmp(&san.val[j].u.dNSName, &hn) == 0) { free_GeneralNames(&san); return 0; @@ -2488,7 +2498,8 @@ hx509_verify_hostname(hx509_context context, name = &cert->data->tbsCertificate.subject; /* Find first CN= in the name, and try to match the hostname on that */ - for (ret = 0, i = name->u.rdnSequence.len - 1; ret == 0 && i >= 0; i--) { + for (ret = 0, k = name->u.rdnSequence.len; ret == 0 && k > 0; k--) { + i = k - 1; for (j = 0; ret == 0 && j < name->u.rdnSequence.val[i].len; j++) { AttributeTypeAndValue *n = &name->u.rdnSequence.val[i].val[j]; @@ -2579,7 +2590,7 @@ _hx509_set_cert_attribute(hx509_context context, hx509_cert_attribute hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < cert->attrs.len; i++) if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0) return cert->attrs.val[i]; @@ -2625,7 +2636,8 @@ hx509_cert_get_friendly_name(hx509_cert cert) hx509_cert_attribute a; PKCS9_friendlyName n; size_t sz; - int ret, i; + int ret; + size_t i; if (cert->friendlyname) return cert->friendlyname; @@ -2647,7 +2659,7 @@ hx509_cert_get_friendly_name(hx509_cert cert) ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz); if (ret) return NULL; - + if (n.len != 1) { free_PKCS9_friendlyName(&n); return NULL; @@ -3166,7 +3178,8 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out) { rtbl_t t; FILE *f; - int type, mask, i, num; + int type, mask, num; + size_t i; unsigned long multiqueries = 0, totalqueries = 0; struct stat_el stats[32]; @@ -3254,7 +3267,8 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert, const heim_oid *eku, int allow_any_eku) { ExtKeyUsage e; - int ret, i; + int ret; + size_t i; ret = find_extension_eku(_hx509_get_cert(cert), &e); if (ret) { @@ -3289,7 +3303,8 @@ _hx509_cert_get_keyusage(hx509_context context, Certificate *cert; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; memset(ku, 0, sizeof(*ku)); @@ -3455,7 +3470,7 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) else if (ret != 0) goto out; else { - int i; + size_t i; hx509_env enveku = NULL; for (i = 0; i < eku.len; i++) { @@ -3509,10 +3524,10 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) "Out of memory"); goto out; } - + ret = hx509_env_add(context, &envhash, "sha1", buf); free(buf); - if (ret) + if (ret) goto out; ret = hx509_env_add_binding(context, &envcert, "hash", envhash); diff --git a/source4/heimdal/lib/hx509/char_map.h b/source4/heimdal/lib/hx509/char_map.h index d2b39d041f..8a3026c7e6 100644 --- a/source4/heimdal/lib/hx509/char_map.h +++ b/source4/heimdal/lib/hx509/char_map.h @@ -10,36 +10,36 @@ unsigned char char_map[] = { - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 , - 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 , - 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , - 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 , + 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 }; diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c index 6e4eefaa1c..4e0a2e03fc 100644 --- a/source4/heimdal/lib/hx509/cms.c +++ b/source4/heimdal/lib/hx509/cms.c @@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context, heim_octet_string *params, params_data; heim_octet_string ivec; size_t size; - int ret, i, matched = 0, findflags = 0; + int ret, matched = 0, findflags = 0; + size_t i; memset(&key, 0, sizeof(key)); @@ -472,7 +473,7 @@ hx509_cms_unenvelope(hx509_context context, ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto); if (ret) goto out; - + if (flags & HX509_CMS_UE_ALLOW_WEAK) hx509_crypto_allow_weak(crypto); @@ -492,7 +493,7 @@ hx509_cms_unenvelope(hx509_context context, "of EnvelopedData"); goto out; } - + ret = hx509_crypto_decrypt(crypto, enccontent->data, enccontent->length, @@ -619,7 +620,7 @@ hx509_cms_envelope_1(hx509_context context, "Failed to set crypto oid " "for EnvelopedData"); goto out; - } + } ALLOC(enc_alg->parameters, 1); if (enc_alg->parameters == NULL) { ret = ENOMEM; @@ -656,7 +657,7 @@ hx509_cms_envelope_1(hx509_context context, ri->version = 2; cmsidflag = CMS_ID_SKI; } - + ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid); if (ret) { hx509_set_error_string(context, 0, ret, @@ -718,7 +719,8 @@ out: static int any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) { - int ret, i; + int ret; + size_t i; if (sd->certificates == NULL) return 0; @@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) static const Attribute * find_attribute(const CMSAttributes *attr, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < attr->len; i++) if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0) return &attr->val[i]; @@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context, hx509_certs certs = NULL; SignedData sd; size_t size; - int ret, i, found_valid_sig; + int ret, found_valid_sig; + size_t i; *signer_certs = NULL; content->data = NULL; @@ -889,7 +892,7 @@ hx509_cms_verify_signed(hx509_context context, if (signer_info->signedAttrs) { const Attribute *attr; - + CMSAttributes sa; heim_octet_string os; @@ -913,7 +916,7 @@ hx509_cms_verify_signed(hx509_context context, "messageDigest (signature)"); goto next_sigature; } - + ret = decode_MessageDigest(attr->value.val[0].data, attr->value.val[0].length, &os, @@ -1018,7 +1021,7 @@ hx509_cms_verify_signed(hx509_context context, if (ret) goto next_sigature; - /** + /** * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the * signing certificates and leave that up to the caller. */ @@ -1113,7 +1116,7 @@ add_one_attribute(Attribute **attr, return 0; } - + /** * Decode SignedData and verify that the signature is correct. * @@ -1212,7 +1215,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) hx509_clear_error_string(context); } else { ret = hx509_crypto_select(context, HX509_SELECT_DIGEST, - _hx509_cert_private_key(cert), + _hx509_cert_private_key(cert), sigctx->peer, &digest); } if (ret) @@ -1240,7 +1243,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) if (ret) { hx509_clear_error_string(context); goto out; - } + } signer_info->signedAttrs = NULL; signer_info->unsignedAttrs = NULL; @@ -1256,7 +1259,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) */ if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) { - CMSAttributes sa; + CMSAttributes sa; heim_octet_string sig; ALLOC(signer_info->signedAttrs, 1); @@ -1322,7 +1325,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) sa.val = signer_info->signedAttrs->val; sa.len = signer_info->signedAttrs->len; - + ASN1_MALLOC_ENCODE(CMSAttributes, sigdata.data, sigdata.length, @@ -1409,7 +1412,7 @@ cert_process(hx509_context context, void *ctx, hx509_cert cert) const unsigned int i = sigctx->sd.certificates->len; void *ptr; int ret; - + ptr = realloc(sigctx->sd.certificates->val, (i + 1) * sizeof(sigctx->sd.certificates->val[0])); if (ptr == NULL) @@ -1503,7 +1506,7 @@ hx509_cms_create_signed(hx509_context context, ret = ENOMEM; goto out; } - + sigctx.sd.encapContentInfo.eContent->data = malloc(length); if (sigctx.sd.encapContentInfo.eContent->data == NULL) { hx509_clear_error_string(context); @@ -1525,6 +1528,10 @@ hx509_cms_create_signed(hx509_context context, } if (sigctx.sd.signerInfos.len) { + + /* + * For each signerInfo, collect all different digest types. + */ for (i = 0; i < sigctx.sd.signerInfos.len; i++) { AlgorithmIdentifier *di = &sigctx.sd.signerInfos.val[i].digestAlgorithm; @@ -1532,7 +1539,7 @@ hx509_cms_create_signed(hx509_context context, for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++) if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0) break; - if (j < sigctx.sd.digestAlgorithms.len) { + if (j == sigctx.sd.digestAlgorithms.len) { ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di); if (ret) { hx509_clear_error_string(context); @@ -1542,6 +1549,9 @@ hx509_cms_create_signed(hx509_context context, } } + /* + * Add certs we think are needed, build as part of sig_process + */ if (sigctx.certs) { ALLOC(sigctx.sd.certificates, 1); if (sigctx.sd.certificates == NULL) { diff --git a/source4/heimdal/lib/hx509/collector.c b/source4/heimdal/lib/hx509/collector.c index 0cb186399f..15f8163f80 100644 --- a/source4/heimdal/lib/hx509/collector.c +++ b/source4/heimdal/lib/hx509/collector.c @@ -133,7 +133,7 @@ _hx509_collector_private_key_add(hx509_context context, return ENOMEM; } c->val.data = d; - + ret = copy_AlgorithmIdentifier(alg, &key->alg); if (ret) { hx509_set_error_string(context, 0, ret, "Failed to copy " @@ -192,7 +192,7 @@ match_localkeyid(hx509_context context, ret = hx509_certs_find(context, certs, &q, &cert); if (ret == 0) { - + if (value->private_key) _hx509_cert_assign_key(cert, value->private_key); hx509_cert_free(cert); @@ -253,7 +253,8 @@ _hx509_collector_collect_certs(hx509_context context, hx509_certs *ret_certs) { hx509_certs certs; - int ret, i; + int ret; + size_t i; *ret_certs = NULL; @@ -286,7 +287,7 @@ _hx509_collector_collect_private_keys(hx509_context context, struct hx509_collector *c, hx509_private_key **keys) { - int i, nkeys; + size_t i, nkeys; *keys = NULL; @@ -315,7 +316,7 @@ _hx509_collector_collect_private_keys(hx509_context context, void _hx509_collector_free(struct hx509_collector *c) { - int i; + size_t i; if (c->unenvelop_certs) hx509_certs_free(&c->unenvelop_certs); diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index c69ddfb5d2..4559a9c493 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c @@ -286,7 +286,7 @@ heim_oid2ecnid(heim_oid *oid) } static int -parse_ECParameters(hx509_context context, +parse_ECParameters(hx509_context context, heim_octet_string *parameters, int *nid) { ECParameters ecparam; @@ -404,7 +404,7 @@ ecdsa_verify_signature(hx509_context context, ret = HX509_CRYPTO_SIG_INVALID_FORMAT; return ret; } - + return 0; } @@ -552,7 +552,7 @@ rsa_verify_signature(hx509_context context, p = spi->subjectPublicKey.data; size = spi->subjectPublicKey.length / 8; - + rsa = d2i_RSAPublicKey(NULL, &p, size); if (rsa == NULL) { ret = ENOMEM; @@ -587,14 +587,14 @@ rsa_verify_signature(hx509_context context, if (ret) { goto out; } - + /* Check for extra data inside the sigature */ - if (size != retsize) { + if (size != (size_t)retsize) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; hx509_set_error_string(context, 0, ret, "size from decryption mismatch"); goto out; } - + if (sig_alg->digest_alg && der_heim_oid_cmp(&di.digestAlgorithm.algorithm, &sig_alg->digest_alg->algorithm) != 0) @@ -603,7 +603,7 @@ rsa_verify_signature(hx509_context context, hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch"); goto out; } - + /* verify that the parameters are NULL or the NULL-type */ if (di.digestAlgorithm.parameters != NULL && (di.digestAlgorithm.parameters->length != 2 || @@ -620,7 +620,7 @@ rsa_verify_signature(hx509_context context, data, &di.digest); } else { - if (retsize != data->length || + if ((size_t)retsize != data->length || ct_memcmp(to, data->data, retsize) != 0) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; @@ -739,7 +739,7 @@ rsa_create_signature(hx509_context context, "RSA private encrypt failed: %d", ret); return ret; } - if (ret > sig->length) + if ((size_t)ret > sig->length) _hx509_abort("RSA signature prelen longer the output len"); sig->length = ret; @@ -960,11 +960,11 @@ ecdsa_private_key_import(hx509_context context, ret = parse_ECParameters(context, keyai->parameters, &groupnid); if (ret) return ret; - + key = EC_KEY_new(); if (key == NULL) return ENOMEM; - + group = EC_GROUP_new_by_curve_name(groupnid); if (group == NULL) { EC_KEY_free(key); @@ -1008,8 +1008,8 @@ ecdsa_generate_private_key(hx509_context context, } static BIGNUM * -ecdsa_get_internal(hx509_context context, - hx509_private_key key, +ecdsa_get_internal(hx509_context context, + hx509_private_key key, const char *type) { return NULL; @@ -1162,7 +1162,7 @@ evp_md_create_signature(hx509_context context, if (ret) return ret; } - + sig->data = malloc(sigsize); if (sig->data == NULL) { @@ -1256,7 +1256,8 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg pkcs1_rsa_sha1_alg = { @@ -1269,7 +1270,8 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha512_alg = { @@ -1282,7 +1284,8 @@ static const struct signature_alg rsa_with_sha512_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha384_alg = { @@ -1295,7 +1298,8 @@ static const struct signature_alg rsa_with_sha384_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha256_alg = { @@ -1308,7 +1312,8 @@ static const struct signature_alg rsa_with_sha256_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg = { @@ -1321,7 +1326,8 @@ static const struct signature_alg rsa_with_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg_secsig = { @@ -1334,7 +1340,8 @@ static const struct signature_alg rsa_with_sha1_alg_secsig = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_md5_alg = { @@ -1347,7 +1354,8 @@ static const struct signature_alg rsa_with_md5_alg = { 1230739889, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg dsa_sha1_alg = { @@ -1361,6 +1369,7 @@ static const struct signature_alg dsa_sha1_alg = { NULL, dsa_verify_signature, /* create_signature */ NULL, + 0 }; static const struct signature_alg sha512_alg = { @@ -1373,7 +1382,8 @@ static const struct signature_alg sha512_alg = { 0, EVP_sha512, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha384_alg = { @@ -1386,7 +1396,8 @@ static const struct signature_alg sha384_alg = { 0, EVP_sha384, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha256_alg = { @@ -1399,7 +1410,8 @@ static const struct signature_alg sha256_alg = { 0, EVP_sha256, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha1_alg = { @@ -1412,7 +1424,8 @@ static const struct signature_alg sha1_alg = { 0, EVP_sha1, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg md5_alg = { @@ -1425,7 +1438,8 @@ static const struct signature_alg md5_alg = { 0, EVP_md5, evp_md_verify_signature, - NULL + NULL, + 0 }; /* @@ -1481,7 +1495,7 @@ alg_for_privatekey(const hx509_private_key pk, int type) continue; if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0) continue; - if (pk->ops->available && + if (pk->ops->available && pk->ops->available(pk, sig_algs[i]->sig_alg) == 0) continue; if (type == HX509_SELECT_PUBLIC_SIG) @@ -1673,7 +1687,7 @@ _hx509_public_encrypt(hx509_context context, p = spi->subjectPublicKey.data; size = spi->subjectPublicKey.length / 8; - + rsa = d2i_RSAPublicKey(NULL, &p, size); if (rsa == NULL) { hx509_set_error_string(context, 0, ENOMEM, "out of memory"); @@ -1748,7 +1762,7 @@ hx509_private_key_private_decrypt(hx509_context context, "Failed to decrypt using private key: %d", ret); return HX509_CRYPTO_RSA_PRIVATE_DECRYPT; } - if (cleartext->length < ret) + if (cleartext->length < (size_t)ret) _hx509_abort("internal rsa decryption failure: ret > tosize"); cleartext->length = ret; @@ -2339,7 +2353,7 @@ static const struct hx509cipher ciphers[] = { static const struct hx509cipher * find_cipher_by_oid(const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0) @@ -2351,7 +2365,7 @@ find_cipher_by_oid(const heim_oid *oid) static const struct hx509cipher * find_cipher_by_name(const char *name) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (strcasecmp(name, ciphers[i].name) == 0) @@ -2461,7 +2475,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type) int hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length) { - if (EVP_CIPHER_key_length(crypto->c) > length) + if (EVP_CIPHER_key_length(crypto->c) > (int)length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data) { @@ -2558,7 +2572,7 @@ hx509_crypto_encrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length); + assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length); EVP_CIPHER_CTX_init(&evp); @@ -2595,10 +2609,10 @@ hx509_crypto_encrypt(hx509_crypto crypto, ret = ENOMEM; goto out; } - + memcpy((*ciphertext)->data, data, length); if (padsize) { - int i; + size_t i; unsigned char *p = (*ciphertext)->data; p += length; for (i = 0; i < padsize; i++) @@ -2647,7 +2661,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length) + if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data == NULL) @@ -2683,7 +2697,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, unsigned char *p; int j, bsize = EVP_CIPHER_block_size(crypto->c); - if (clear->length < bsize) { + if ((int)clear->length < bsize) { ret = HX509_CMS_PADDING_ERROR; goto out; } @@ -2854,7 +2868,8 @@ _hx509_pbe_decrypt(hx509_context context, const EVP_CIPHER *c; const EVP_MD *md; PBE_string2key_func s2k; - int i, ret = 0; + int ret = 0; + size_t i; memset(&key, 0, sizeof(key)); memset(&iv, 0, sizeof(iv)); @@ -2912,7 +2927,7 @@ _hx509_pbe_decrypt(hx509_context context, hx509_crypto_destroy(crypto); if (ret == 0) goto out; - + } out: if (key.data) @@ -3161,7 +3176,7 @@ hx509_crypto_available(hx509_context context, if (ptr == NULL) goto out; *val = ptr; - + ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]); if (ret) goto out; diff --git a/source4/heimdal/lib/hx509/file.c b/source4/heimdal/lib/hx509/file.c index 56e25766ef..4f7e87f070 100644 --- a/source4/heimdal/lib/hx509/file.c +++ b/source4/heimdal/lib/hx509/file.c @@ -93,11 +93,11 @@ hx509_pem_write(hx509_context context, const char *type, while (size > 0) { ssize_t l; - + length = size; if (length > ENCODE_LINE_LENGTH) length = ENCODE_LINE_LENGTH; - + l = base64_encode(p, length, &line); if (l < 0) { hx509_set_error_string(context, 0, ENOMEM, @@ -211,7 +211,7 @@ hx509_pem_read(hx509_context context, if (i > 0) i--; } - + switch (where) { case BEFORE: if (strncmp("-----BEGIN ", buf, 11) == 0) { @@ -260,7 +260,7 @@ hx509_pem_read(hx509_context context, free(p); goto out; } - + data = erealloc(data, len + i); memcpy(((char *)data) + len, p, i); free(p); diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c index 77cfd42cd2..c0275d949d 100644 --- a/source4/heimdal/lib/hx509/keyset.c +++ b/source4/heimdal/lib/hx509/keyset.c @@ -390,6 +390,21 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert) return func(cert); } +/** + * Iterate over all certificates in a keystore and call an block + * for each fo them. + * + * @param context a hx509 context. + * @param certs certificate store to iterate over. + * @param func block to call for each certificate. The function + * should return non-zero to abort the iteration, that value is passed + * back to the caller of hx509_certs_iter(). + * + * @return Returns an hx509 error code. + * + * @ingroup hx509_keyset + */ + int hx509_certs_iter(hx509_context context, hx509_certs certs, diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c index 8c8c6e50c8..264b1bf552 100644 --- a/source4/heimdal/lib/hx509/ks_dir.c +++ b/source4/heimdal/lib/hx509/ks_dir.c @@ -158,10 +158,10 @@ dir_iter(hx509_context context, } if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0) continue; - + if (asprintf(&fn, "FILE:%s/%s", (char *)data, dir->d_name) == -1) return ENOMEM; - + ret = hx509_certs_init(context, fn, 0, NULL, &d->certs); if (ret == 0) { diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c index ecd3a6edaa..d21d889287 100644 --- a/source4/heimdal/lib/hx509/ks_file.c +++ b/source4/heimdal/lib/hx509/ks_file.c @@ -112,7 +112,7 @@ try_decrypt(hx509_context context, EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0); EVP_Cipher(&ctx, clear.data, cipher, len); EVP_CIPHER_CTX_cleanup(&ctx); - } + } ret = _hx509_collector_private_key_add(context, collector, @@ -138,7 +138,7 @@ parse_pkcs8_private_key(hx509_context context, const char *fn, { PKCS8PrivateKeyInfo ki; heim_octet_string keydata; - + int ret; ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL); @@ -177,7 +177,8 @@ parse_pem_private_key(hx509_context context, const char *fn, const EVP_CIPHER *cipher; const struct _hx509_password *pw; hx509_lock lock; - int i, decrypted = 0; + int decrypted = 0; + size_t i; lock = _hx509_collector_get_lock(c); if (lock == NULL) { @@ -252,7 +253,7 @@ parse_pem_private_key(hx509_context context, const char *fn, "private key file"); return HX509_PARSING_KEY_FAILED; } - + pw = _hx509_lock_get_passwords(lock); if (pw != NULL) { const void *password; @@ -261,8 +262,8 @@ parse_pem_private_key(hx509_context context, const char *fn, for (i = 0; i < pw->len; i++) { password = pw->val[i]; passwordlen = strlen(password); - - ret = try_decrypt(context, c, ai, cipher, ivdata, + + ret = try_decrypt(context, c, ai, cipher, ivdata, password, passwordlen, data, len); if (ret == 0) { decrypted = 1; @@ -283,7 +284,7 @@ parse_pem_private_key(hx509_context context, const char *fn, ret = hx509_lock_prompt(lock, &prompt); if (ret == 0) - ret = try_decrypt(context, c, ai, cipher, ivdata, password, + ret = try_decrypt(context, c, ai, cipher, ivdata, password, strlen(password), data, len); /* XXX add password to lock password collection ? */ memset(password, 0, sizeof(password)); @@ -329,7 +330,8 @@ pem_func(hx509_context context, const char *type, const void *data, size_t len, void *ctx) { struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx; - int ret = 0, j; + int ret = 0; + size_t j; for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) { const char *q = formats[j].name; @@ -338,7 +340,7 @@ pem_func(hx509_context context, const char *type, if (formats[j].ai != NULL) ai = (*formats[j].ai)(); - ret = (*formats[j].func)(context, NULL, pem_ctx->c, + ret = (*formats[j].func)(context, NULL, pem_ctx->c, header, data, len, ai); if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -418,7 +420,7 @@ file_init_common(hx509_context context, pnext = strchr(p, ','); if (pnext) *pnext++ = '\0'; - + if ((f = fopen(p, "r")) == NULL) { ret = ENOENT; @@ -430,13 +432,13 @@ file_init_common(hx509_context context, rk_cloexec_file(f); ret = hx509_pem_read(context, f, pem_func, &pem_ctx); - fclose(f); + fclose(f); if (ret != 0 && ret != HX509_PARSING_KEY_FAILED) goto out; else if (ret == HX509_PARSING_KEY_FAILED) { size_t length; void *ptr; - int i; + size_t i; ret = rk_undumpdata(p, &ptr, &length); if (ret) { diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c index e64d83c84d..0552d8f7e9 100644 --- a/source4/heimdal/lib/hx509/ks_keychain.c +++ b/source4/heimdal/lib/hx509/ks_keychain.c @@ -50,7 +50,7 @@ OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG, static int getAttribute(SecKeychainItemRef itemRef, SecItemAttr item, SecKeychainAttributeList **attrs) -{ +{ SecKeychainAttributeInfo attrInfo; UInt32 attrFormat = 0; OSStatus ret; @@ -138,10 +138,10 @@ kc_rsa_private_encrypt(int flen, in.Data = (uint8 *)from; in.Length = flen; - + sig.Data = (uint8 *)to; sig.Length = kc->keysize; - + cret = CSSM_SignData(sigHandle, &in, 1, CSSM_ALGID_NONE, &sig); if(cret) { /* cssmErrorString(cret); */ @@ -197,10 +197,10 @@ kc_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, in.Data = (uint8 *)from; in.Length = flen; - + out.Data = (uint8 *)to; out.Length = kc->keysize; - + rem.Data = (uint8 *)remdata; rem.Length = sizeof(remdata); @@ -485,7 +485,7 @@ keychain_iter(hx509_context context, return 0; else if (ret != 0) return EINVAL; - + /* * Pick out certificate and matching "keyid" */ @@ -517,7 +517,7 @@ keychain_iter(hx509_context context, attrKeyid.tag = kSecKeyLabel; attrKeyid.length = attrs->attr[0].length; attrKeyid.data = attrs->attr[0].data; - + attrList.count = 1; attrList.attr = &attrKeyid; diff --git a/source4/heimdal/lib/hx509/ks_mem.c b/source4/heimdal/lib/hx509/ks_mem.c index 9d3c66b294..684acb0adf 100644 --- a/source4/heimdal/lib/hx509/ks_mem.c +++ b/source4/heimdal/lib/hx509/ks_mem.c @@ -171,7 +171,7 @@ mem_getkeys(hx509_context context, hx509_set_error_string(context, 0, ENOMEM, "out of memory"); return ENOMEM; } - } + } (*keys)[i] = NULL; return 0; } diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c index 30f5343b0e..120bf43ef4 100644 --- a/source4/heimdal/lib/hx509/ks_p11.c +++ b/source4/heimdal/lib/hx509/ks_p11.c @@ -152,7 +152,7 @@ p11_rsa_private_encrypt(int flen, } ret = P11FUNC(p11rsa->p, Sign, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; @@ -190,7 +190,7 @@ p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, } ret = P11FUNC(p11rsa->p, Decrypt, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; @@ -427,7 +427,7 @@ p11_get_session(hx509_context context, prompt.type = HX509_PROMPT_TYPE_PASSWORD; prompt.reply.data = pin; prompt.reply.length = sizeof(pin); - + ret = hx509_lock_prompt(lock, &prompt); if (ret) { free(str); @@ -513,7 +513,7 @@ iterate_entries(hx509_context context, } if (object_count == 0) break; - + for (i = 0; i < num_query; i++) query[i].pValue = NULL; @@ -535,7 +535,7 @@ iterate_entries(hx509_context context, ret = -1; goto out; } - + ret = (*func)(context, p, slot, session, object, ptr, query, num_query); if (ret) goto out; @@ -561,7 +561,7 @@ iterate_entries(hx509_context context, return ret; } - + static BIGNUM * getattr_bn(struct p11_module *p, struct p11_slot *slot, @@ -704,10 +704,10 @@ collect_cert(hx509_context context, { heim_octet_string data; - + data.data = query[0].pValue; data.length = query[0].ulValueLen; - + _hx509_set_cert_attribute(context, cert, &asn1_oid_id_pkcs_9_at_localKeyId, @@ -878,7 +878,8 @@ p11_init(hx509_context context, { CK_SLOT_ID_PTR slot_ids; - int i, num_tokens = 0; + int num_tokens = 0; + size_t i; slot_ids = malloc(p->num_slots * sizeof(*slot_ids)); if (slot_ids == NULL) { @@ -905,7 +906,7 @@ p11_init(hx509_context context, ret = ENOMEM; goto out; } - + for (i = 0; i < p->num_slots; i++) { ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]); if (ret) @@ -933,7 +934,7 @@ p11_init(hx509_context context, static void p11_release_module(struct p11_module *p) { - int i; + size_t i; if (p->ref == 0) _hx509_abort("pkcs11 ref to low"); @@ -957,7 +958,7 @@ p11_release_module(struct p11_module *p) free(p->slot[i].mechs.list); if (p->slot[i].mechs.infos) { - int j; + size_t j; for (j = 0 ; j < p->slot[i].mechs.num ; j++) free(p->slot[i].mechs.infos[j]); @@ -981,7 +982,7 @@ static int p11_free(hx509_certs certs, void *data) { struct p11_module *p = data; - int i; + size_t i; for (i = 0; i < p->num_slots; i++) { if (p->slot[i].certs) @@ -1002,7 +1003,8 @@ p11_iter_start(hx509_context context, { struct p11_module *p = data; struct p11_cursor *c; - int ret, i; + int ret; + size_t i; c = malloc(sizeof(*c)); if (c == NULL) { @@ -1103,7 +1105,7 @@ p11_printinfo(hx509_context context, void *ctx) { struct p11_module *p = data; - int i, j; + size_t i, j; _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s", p->num_slots, p->num_slots > 1 ? "s" : ""); diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c index 704cf071d7..0ca13de1eb 100644 --- a/source4/heimdal/lib/hx509/ks_p12.c +++ b/source4/heimdal/lib/hx509/ks_p12.c @@ -56,7 +56,7 @@ parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *, static const PKCS12_Attribute * find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid) { - int i; + size_t i; if (attrs == NULL) return NULL; for (i = 0; i < attrs->len; i++) @@ -168,7 +168,7 @@ certBag_parser(hx509_context context, const heim_oid *oids[] = { &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName }; - int i; + size_t i; for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) { const heim_oid *oid = oids[i]; @@ -176,7 +176,7 @@ certBag_parser(hx509_context context, if (attr) _hx509_set_cert_attribute(context, cert, oid, &attr->attrValues); - } + } } hx509_cert_free(cert); @@ -190,7 +190,8 @@ parse_safe_content(hx509_context context, const unsigned char *p, size_t len) { PKCS12_SafeContents sc; - int ret, i; + int ret; + size_t i; memset(&sc, 0, sizeof(sc)); @@ -236,7 +237,7 @@ encryptedData_parser(hx509_context context, heim_octet_string content; heim_oid contentType; int ret; - + memset(&contentType, 0, sizeof(contentType)); ret = hx509_cms_decrypt_encrypted(context, @@ -265,7 +266,7 @@ envelopedData_parser(hx509_context context, heim_oid contentType; hx509_lock lock; int ret; - + memset(&contentType, 0, sizeof(contentType)); lock = _hx509_collector_get_lock(c); @@ -310,7 +311,7 @@ parse_pkcs12_type(hx509_context context, const void *data, size_t length, const PKCS12_Attributes *attrs) { - int i; + size_t i; for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++) if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0) @@ -327,7 +328,8 @@ p12_init(hx509_context context, void *buf; PKCS12_PFX pfx; PKCS12_AuthenticatedSafe as; - int ret, i; + int ret; + size_t i; struct hx509_collector *c; *data = NULL; @@ -581,7 +583,7 @@ p12_store(hx509_context context, free_PKCS12_AuthenticatedSafe(&as); if (ret) return ret; - + ret = der_parse_hex_heim_integer("03", &pfx.version); if (ret) { free(asdata.data); diff --git a/source4/heimdal/lib/hx509/lock.c b/source4/heimdal/lib/hx509/lock.c index 07e9d36125..b72d45962b 100644 --- a/source4/heimdal/lib/hx509/lock.c +++ b/source4/heimdal/lib/hx509/lock.c @@ -121,7 +121,7 @@ _hx509_lock_unlock_certs(hx509_lock lock) void hx509_lock_reset_passwords(hx509_lock lock) { - int i; + size_t i; for (i = 0; i < lock->password.len; i++) free(lock->password.val[i]); free(lock->password.val); diff --git a/source4/heimdal/lib/hx509/name.c b/source4/heimdal/lib/hx509/name.c index 83b8f86d41..efd7b70342 100644 --- a/source4/heimdal/lib/hx509/name.c +++ b/source4/heimdal/lib/hx509/name.c @@ -66,17 +66,17 @@ static const struct { const heim_oid *o; wind_profile_flags flags; } no[] = { - { "C", &asn1_oid_id_at_countryName }, - { "CN", &asn1_oid_id_at_commonName }, - { "DC", &asn1_oid_id_domainComponent }, - { "L", &asn1_oid_id_at_localityName }, - { "O", &asn1_oid_id_at_organizationName }, - { "OU", &asn1_oid_id_at_organizationalUnitName }, - { "S", &asn1_oid_id_at_stateOrProvinceName }, - { "STREET", &asn1_oid_id_at_streetAddress }, - { "UID", &asn1_oid_id_Userid }, - { "emailAddress", &asn1_oid_id_pkcs9_emailAddress }, - { "serialNumber", &asn1_oid_id_at_serialNumber } + { "C", &asn1_oid_id_at_countryName, 0 }, + { "CN", &asn1_oid_id_at_commonName, 0 }, + { "DC", &asn1_oid_id_domainComponent, 0 }, + { "L", &asn1_oid_id_at_localityName, 0 }, + { "O", &asn1_oid_id_at_organizationName, 0 }, + { "OU", &asn1_oid_id_at_organizationalUnitName, 0 }, + { "S", &asn1_oid_id_at_stateOrProvinceName, 0 }, + { "STREET", &asn1_oid_id_at_streetAddress, 0 }, + { "UID", &asn1_oid_id_Userid, 0 }, + { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 }, + { "serialNumber", &asn1_oid_id_at_serialNumber, 0 } }; static char * @@ -159,7 +159,8 @@ oidtostring(const heim_oid *type) static int stringtooid(const char *name, size_t len, heim_oid *oid) { - int i, ret; + int ret; + size_t i; char *s; memset(oid, 0, sizeof(*oid)); @@ -200,20 +201,22 @@ int _hx509_Name_to_string(const Name *n, char **str) { size_t total_len = 0; - int i, j, ret; + size_t i, j, m; + int ret; *str = strdup(""); if (*str == NULL) return ENOMEM; - for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) { + for (m = n->u.rdnSequence.len; m > 0; m--) { size_t len; + i = m - 1; for (j = 0; j < n->u.rdnSequence.val[i].len; j++) { DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value; char *oidname; char *ss; - + oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type); switch(ds->element) { @@ -237,7 +240,7 @@ _hx509_Name_to_string(const Name *n, char **str) ret = wind_ucs2utf8_length(bmp, bmplen, &k); if (ret) return ret; - + ss = malloc(k + 1); if (ss == NULL) _hx509_abort("allocation failure"); /* XXX */ @@ -438,7 +441,8 @@ _hx509_name_ds_cmp(const DirectoryString *ds1, int _hx509_name_cmp(const Name *n1, const Name *n2, int *c) { - int ret, i, j; + int ret; + size_t i, j; *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len; if (*c) @@ -454,7 +458,7 @@ _hx509_name_cmp(const Name *n1, const Name *n2, int *c) &n1->u.rdnSequence.val[i].val[j].type); if (*c) return 0; - + ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value, &n2->u.rdnSequence.val[i].val[j].value, c); @@ -533,7 +537,7 @@ _hx509_name_modify(hx509_context context, &name->u.rdnSequence.val[0], name->u.rdnSequence.len * sizeof(name->u.rdnSequence.val[0])); - + rdn = &name->u.rdnSequence.val[0]; } rdn->val = malloc(sizeof(rdn->val[0])); @@ -609,8 +613,8 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name) "missing name before = in %s", p); goto out; } - - if ((q - p) > len) { + + if ((size_t)(q - p) > len) { ret = HX509_PARSING_NAME_FAILED; hx509_set_error_string(context, 0, ret, " = after , in %s", p); goto out; @@ -623,12 +627,12 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name) "unknown type: %.*s", (int)(q - p), p); goto out; } - + { size_t pstr_len = len - (q - p) - 1; const char *pstr = p + (q - p) + 1; char *r; - + r = malloc(pstr_len + 1); if (r == NULL) { der_free_oid(&oid); @@ -727,7 +731,7 @@ hx509_name_expand(hx509_context context, hx509_env env) { Name *n = &name->der_name; - int i, j; + size_t i, j; if (env == NULL) return 0; diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c index 56e4f72115..1e8bcabfa7 100644 --- a/source4/heimdal/lib/hx509/print.c +++ b/source4/heimdal/lib/hx509/print.c @@ -163,7 +163,7 @@ void hx509_bitstring_print(const heim_bit_string *b, hx509_vprint_func func, void *ctx) { - int i; + size_t i; print_func(func, ctx, "\tlength: %d\n\t", b->length); for (i = 0; i < (b->length + 7) / 8; i++) print_func(func, ctx, "%02x%s%s", @@ -481,7 +481,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, { CRLDistributionPoints dp; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -499,8 +500,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, if (dp.val[i].distributionPoint) { DistributionPointName dpname; heim_any *data = dp.val[i].distributionPoint; - int j; - + size_t j; + ret = decode_DistributionPointName(data->data, data->length, &dpname, NULL); if (ret) { @@ -512,7 +513,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, switch (dpname.element) { case choice_DistributionPointName_fullName: validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n"); - + for (j = 0 ; j < dpname.u.fullName.len; j++) { char *s; GeneralName *name = &dpname.u.fullName.val[j]; @@ -565,7 +566,8 @@ check_altName(hx509_validate_ctx ctx, { GeneralNames gn; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -600,7 +602,7 @@ check_altName(hx509_validate_ctx ctx, if (der_heim_oid_cmp(altname_types[j].oid, &gn.val[i].u.otherName.type_id) != 0) continue; - + validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", altname_types[j].name); (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value); @@ -717,7 +719,8 @@ check_authorityInfoAccess(hx509_validate_ctx ctx, { AuthorityInfoAccessSyntax aia; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -773,7 +776,7 @@ struct { { ext(certificateIssuer, Null), M_C }, { ext(nameConstraints, Null), M_C }, { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, - { ext(certificatePolicies, Null) }, + { ext(certificatePolicies, Null), 0 }, { ext(policyMappings, Null), M_N_C }, { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C }, { ext(policyConstraints, Null), D_C }, @@ -789,7 +792,7 @@ struct { check_Null, D_C }, { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment, check_Null, D_C }, - { NULL } + { NULL, NULL, NULL, 0 } }; /** @@ -900,7 +903,7 @@ hx509_validate_cert(hx509_context context, if ((t->version == NULL || *t->version < 2) && t->extensions) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, "Not version 3 certificate with extensions\n"); - + if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, "Version 3 certificate without extensions\n"); @@ -936,7 +939,7 @@ hx509_validate_cert(hx509_context context, free(str); if (t->extensions) { - int i, j; + size_t i, j; if (t->extensions->len == 0) { validate_print(ctx, @@ -975,7 +978,7 @@ hx509_validate_cert(hx509_context context, } } else validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n"); - + if (status.isca) { if (!status.haveSKI) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, @@ -987,7 +990,7 @@ hx509_validate_cert(hx509_context context, "Is not CA and doesn't have " "AuthorityKeyIdentifier\n"); } - + if (!status.haveSKI) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c index 6d2cac4afb..2932280748 100644 --- a/source4/heimdal/lib/hx509/revoke.c +++ b/source4/heimdal/lib/hx509/revoke.c @@ -176,9 +176,9 @@ verify_ocsp(hx509_context context, hx509_cert signer = NULL; hx509_query q; int ret; - + _hx509_query_clear(&q); - + /* * Need to match on issuer too in case there are two CA that have * issued the same name to a certificate. One example of this is @@ -198,7 +198,7 @@ verify_ocsp(hx509_context context, q.keyhash_sha1 = &ocsp->ocsp.tbsResponseData.responderID.u.byKey; break; } - + ret = hx509_certs_find(context, certs, &q, &signer); if (ret && ocsp->certs) ret = hx509_certs_find(context, ocsp->certs, &q, &signer); @@ -349,7 +349,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp) } if (basic.certs) { - int i; + size_t i; ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0, NULL, &certs); @@ -360,11 +360,11 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp) for (i = 0; i < basic.certs->len; i++) { hx509_cert c; - + ret = hx509_cert_init(context, &basic.certs->val[i], &c); if (ret) continue; - + ret = hx509_certs_add(context, certs, c); hx509_cert_free(c); if (ret) @@ -463,7 +463,7 @@ verify_crl(hx509_context context, hx509_query q; time_t t; int ret; - + t = _hx509_Time2time_t(&crl->tbsCertList.thisUpdate); if (t > time_now) { hx509_set_error_string(context, 0, HX509_CRL_USED_BEFORE_TIME, @@ -485,7 +485,7 @@ verify_crl(hx509_context context, } _hx509_query_clear(&q); - + /* * If it's the signer have CRLSIGN bit set, use that as the signer * cert for the certificate, otherwise, search for a certificate. @@ -496,7 +496,7 @@ verify_crl(hx509_context context, q.match = HX509_QUERY_MATCH_SUBJECT_NAME; q.match |= HX509_QUERY_KU_CRLSIGN; q.subject_name = &crl->tbsCertList.issuer; - + ret = hx509_certs_find(context, certs, &q, &signer); if (ret) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -526,11 +526,11 @@ verify_crl(hx509_context context, hx509_cert crl_parent; _hx509_query_clear(&q); - + q.match = HX509_QUERY_MATCH_SUBJECT_NAME; q.match |= HX509_QUERY_KU_CRLSIGN; q.subject_name = &_hx509_get_cert(signer)->tbsCertificate.issuer; - + ret = hx509_certs_find(context, certs, &q, &crl_parent); if (ret) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -718,7 +718,7 @@ hx509_revoke_verify(hx509_context context, &c->tbsCertificate.serialNumber); if (ret != 0) continue; - + /* verify issuer hashes hash */ ret = _hx509_verify_signature(context, NULL, @@ -760,8 +760,7 @@ hx509_revoke_verify(hx509_context context, if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) { if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now) continue; - } else - /* Should force a refetch, but can we ? */; + } /* else should force a refetch, but can we ? */ return 0; } @@ -829,12 +828,12 @@ hx509_revoke_verify(hx509_context context, t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate); if (t > now) continue; - + if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions) for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++) if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical) return HX509_CRL_UNKNOWN_EXTENSION; - + hx509_set_error_string(context, 0, HX509_CERT_REVOKED, "Certificate revoked by issuer in CRL"); @@ -1003,7 +1002,7 @@ hx509_ocsp_request(hx509_context context, } es = req.tbsRequest.requestExtensions; - + es->val = calloc(es->len, sizeof(es->val[0])); if (es->val == NULL) { ret = ENOMEM; @@ -1022,7 +1021,7 @@ hx509_ocsp_request(hx509_context context, goto out; } es->val[0].extnValue.length = 10; - + ret = RAND_bytes(es->val[0].extnValue.data, es->val[0].extnValue.length); if (ret != 1) { @@ -1055,8 +1054,13 @@ static char * printable_time(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; + char *p; + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else { + strlcpy(s, p + 4, sizeof(s)); + s[20] = 0; + } return s; } @@ -1076,7 +1080,8 @@ int hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) { struct revoke_ocsp ocsp; - int ret, i; + int ret; + size_t i; if (out == NULL) out = stdout; @@ -1141,7 +1146,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) status = "element unknown"; } - fprintf(out, "\t%d. status: %s\n", i, status); + fprintf(out, "\t%zu. status: %s\n", i, status); fprintf(out, "\tthisUpdate: %s\n", printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate)); @@ -1188,7 +1193,8 @@ hx509_ocsp_verify(hx509_context context, { const Certificate *c = _hx509_get_cert(cert); OCSPBasicOCSPResponse basic; - int ret, i; + int ret; + size_t i; if (now == 0) now = time(NULL); @@ -1208,7 +1214,7 @@ hx509_ocsp_verify(hx509_context context, &c->tbsCertificate.serialNumber); if (ret != 0) continue; - + /* verify issuer hashes hash */ ret = _hx509_verify_signature(context, NULL, @@ -1248,7 +1254,7 @@ hx509_ocsp_verify(hx509_context context, { hx509_name name; char *subject; - + ret = hx509_cert_get_subject(cert, &name); if (ret) { hx509_clear_error_string(context); diff --git a/source4/heimdal/lib/hx509/sel.c b/source4/heimdal/lib/hx509/sel.c index 561818c9f1..6930b50f7c 100644 --- a/source4/heimdal/lib/hx509/sel.c +++ b/source4/heimdal/lib/hx509/sel.c @@ -101,7 +101,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr) if (expr->op == comp_TAILEQ) { size_t len1 = strlen(s1); size_t len2 = strlen(s2); - + if (len1 < len2) return 0; ret = strcmp(s1 + (len1 - len2), s2) == 0; @@ -133,7 +133,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr) subenv = find_variable(context, env, subexpr); if (subenv == NULL) return FALSE; - + while (subenv) { if (subenv->type != env_string) continue; @@ -223,7 +223,7 @@ _hx509_expr_parse(const char *buf) } void -_hx509_sel_yyerror (char *s) +_hx509_sel_yyerror (const char *s) { if (_hx509_expr_input.error) free(_hx509_expr_input.error); diff --git a/source4/heimdal/lib/hx509/sel.h b/source4/heimdal/lib/hx509/sel.h index 1dfc41818c..177ec0a65b 100644 --- a/source4/heimdal/lib/hx509/sel.h +++ b/source4/heimdal/lib/hx509/sel.h @@ -78,5 +78,5 @@ extern struct hx_expr_input _hx509_expr_input; int _hx509_sel_yyparse(void); int _hx509_sel_yylex(void); -void _hx509_sel_yyerror(char *); +void _hx509_sel_yyerror(const char *); diff --git a/source4/heimdal/lib/hx509/test_name.c b/source4/heimdal/lib/hx509/test_name.c index 2cdcdf85f6..d932221ddf 100644 --- a/source4/heimdal/lib/hx509/test_name.c +++ b/source4/heimdal/lib/hx509/test_name.c @@ -336,7 +336,7 @@ test_compare(hx509_context context) if (ret) return 1; ret = compare_subject(c2, c3, &l3); if (ret) return 1; - + if (l0 != 0) return 1; if (l2 < l1) return 1; if (l3 < l2) return 1; diff --git a/source4/heimdal/lib/krb5/acache.c b/source4/heimdal/lib/krb5/acache.c index 6f20cdcf6c..19eeecda42 100644 --- a/source4/heimdal/lib/krb5/acache.c +++ b/source4/heimdal/lib/krb5/acache.c @@ -78,7 +78,7 @@ static const struct { static krb5_error_code translate_cc_error(krb5_context context, cc_int32 error) { - int i; + size_t i; krb5_clear_error_message(context); for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++) if (cc_errors[i].error == error) @@ -259,7 +259,7 @@ make_cred_from_ccred(krb5_context context, if (cred->addresses.val == NULL) goto nomem; cred->addresses.len = i; - + for (i = 0; i < cred->addresses.len; i++) { cred->addresses.val[i].addr_type = incred->addresses[i]->type; ret = krb5_data_copy(&cred->addresses.val[i].address, @@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context, cc_credentials_v5_t *cred) { krb5_error_code ret; - int i; + size_t i; memset(cred, 0, sizeof(*cred)); @@ -546,7 +546,7 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res) error = (*a->ccache->func->get_kdc_time_offset)(a->ccache, cc_credentials_v5, &offset); - if (error == 0) + if (error == 0) context->kdc_sec_offset = offset; } else if (error == ccErrCCacheNotFound) { @@ -887,7 +887,7 @@ acc_get_version(krb5_context context, { return 0; } - + struct cache_iter { cc_context_t context; cc_ccache_iterator_t iter; @@ -961,7 +961,7 @@ acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) acc_close(context, *id); *id = NULL; return translate_cc_error(context, error); - } + } return 0; } @@ -1031,7 +1031,7 @@ acc_get_default_name(krb5_context context, char **str) (*cc->func->release)(cc); return translate_cc_error(context, error); } - + error = asprintf(str, "API:%s", name->data); (*name->func->release)(name); (*cc->func->release)(cc); @@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = { acc_move, acc_get_default_name, acc_set_default, - acc_lastchange + acc_lastchange, + NULL, + NULL, }; #endif diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c index cccf1cbc9a..5d321a7e91 100644 --- a/source4/heimdal/lib/krb5/addr_families.c +++ b/source4/heimdal/lib/krb5/addr_families.c @@ -44,6 +44,7 @@ struct addr_operations { void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int); krb5_error_code (*h_addr2addr)(const char *, krb5_address *); krb5_boolean (*uninteresting)(const struct sockaddr *); + krb5_boolean (*is_loopback)(const struct sockaddr *); void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int); int (*print_addr)(const krb5_address *, char *, size_t); int (*parse_addr)(krb5_context, const char*, krb5_address *); @@ -136,6 +137,17 @@ ipv4_uninteresting (const struct sockaddr *sa) return FALSE; } +static krb5_boolean +ipv4_is_loopback (const struct sockaddr *sa) +{ + const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa; + + if ((ntohl(sin4->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET) + return TRUE; + + return FALSE; +} + static void ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) { @@ -310,11 +322,19 @@ ipv6_uninteresting (const struct sockaddr *sa) const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr; - return - IN6_IS_ADDR_LINKLOCAL(in6) + return IN6_IS_ADDR_LINKLOCAL(in6) || IN6_IS_ADDR_V4COMPAT(in6); } +static krb5_boolean +ipv6_is_loopback (const struct sockaddr *sa) +{ + const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa; + const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr; + + return (IN6_IS_ADDR_LOOPBACK(in6)); +} + static void ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) { @@ -334,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len) if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) { /* XXX this is pretty ugly, but better than abort() */ - int i; + size_t i; unsigned char *p = addr->address.data; buf[0] = '\0'; for(i = 0; i < addr->address.length; i++) { @@ -401,7 +421,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, sub_len = min(8, len); m = 0xff << (8 - sub_len); - + laddr.s6_addr[i] = addr.s6_addr[i] & m; haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m; @@ -471,7 +491,7 @@ arange_parse_addr (krb5_context context, krb5_free_addresses(context, &addrmask); return -1; } - + address += p - address + 1; num = strtol(address, &q, 10); @@ -488,7 +508,7 @@ arange_parse_addr (krb5_context context, } else { krb5_addresses low, high; - + strsep_copy(&address, "-", buf, sizeof(buf)); ret = krb5_parse_address(context, buf, &low); if(ret) @@ -497,14 +517,14 @@ arange_parse_addr (krb5_context context, krb5_free_addresses(context, &low); return -1; } - + strsep_copy(&address, "-", buf, sizeof(buf)); ret = krb5_parse_address(context, buf, &high); if(ret) { krb5_free_addresses(context, &low); return ret; } - + if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) { krb5_free_addresses(context, &low); krb5_free_addresses(context, &high); @@ -590,7 +610,7 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len) if (l > len) l = len; size = l; - + ret = krb5_print_address (&a->low, str + size, len - size, &l); if (ret) return ret; @@ -632,9 +652,11 @@ arange_order_addr(krb5_context context, a = addr2->address.data; a2 = addr1; sign = -1; - } else + } else { abort(); - + UNREACHABLE(return 0); + } + if(a2->addr_type == KRB5_ADDRESS_ARANGE) { struct arange *b = a2->address.data; tmp1 = krb5_address_order(context, &a->low, &b->low); @@ -707,34 +729,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) } static struct addr_operations at[] = { - {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), - ipv4_sockaddr2addr, - ipv4_sockaddr2port, - ipv4_addr2sockaddr, - ipv4_h_addr2sockaddr, - ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr, - NULL, NULL, NULL, ipv4_mask_boundary }, + { + AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), + ipv4_sockaddr2addr, + ipv4_sockaddr2port, + ipv4_addr2sockaddr, + ipv4_h_addr2sockaddr, + ipv4_h_addr2addr, + ipv4_uninteresting, + ipv4_is_loopback, + ipv4_anyaddr, + ipv4_print_addr, + ipv4_parse_addr, + NULL, + NULL, + NULL, + ipv4_mask_boundary + }, #ifdef HAVE_IPV6 - {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), - ipv6_sockaddr2addr, - ipv6_sockaddr2port, - ipv6_addr2sockaddr, - ipv6_h_addr2sockaddr, - ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr, - NULL, NULL, NULL, ipv6_mask_boundary } , + { + AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), + ipv6_sockaddr2addr, + ipv6_sockaddr2port, + ipv6_addr2sockaddr, + ipv6_h_addr2sockaddr, + ipv6_h_addr2addr, + ipv6_uninteresting, + ipv6_is_loopback, + ipv6_anyaddr, + ipv6_print_addr, + ipv6_parse_addr, + NULL, + NULL, + NULL, + ipv6_mask_boundary + } , #endif #ifndef HEIMDAL_SMALLER /* fake address type */ - {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), - NULL, NULL, NULL, NULL, NULL, NULL, NULL, - arange_print_addr, arange_parse_addr, - arange_order_addr, arange_free, arange_copy }, + { + KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + arange_print_addr, + arange_parse_addr, + arange_order_addr, + arange_free, + arange_copy, + NULL + }, #endif - {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, - NULL, NULL, NULL, NULL, NULL, - NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL } + { + KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + addrport_print_addr, + NULL, + NULL, + NULL, + NULL + } }; static int num_addrs = sizeof(at) / sizeof(at[0]); @@ -757,7 +823,7 @@ find_af(int af) } static struct addr_operations * -find_atype(int atype) +find_atype(krb5_address_type atype) { struct addr_operations *a; @@ -912,6 +978,15 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa) return (*a->uninteresting)(sa); } +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_sockaddr_is_loopback(const struct sockaddr *sa) +{ + struct addr_operations *a = find_af(sa->sa_family); + if (a == NULL || a->is_loopback == NULL) + return TRUE; + return (*a->is_loopback)(sa); +} + /** * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and * the "struct hostent" (see gethostbyname(3) ) h_addr_list @@ -1038,17 +1113,17 @@ krb5_print_address (const krb5_address *addr, if (a == NULL || a->print_addr == NULL) { char *s; int l; - int i; + size_t i; s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; len -= l; s += l; @@ -1234,7 +1309,7 @@ krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) { - int i; + size_t i; for (i = 0; i < addrlist->len; ++i) if (krb5_address_compare (context, addr, &addrlist->val[i])) @@ -1282,7 +1357,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { - int i; + size_t i; for(i = 0; i < addresses->len; i++) krb5_free_address(context, &addresses->val[i]); free(addresses->val); @@ -1333,7 +1408,7 @@ krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) { - int i; + size_t i; ALLOC_SEQ(outaddr, inaddr->len); if(inaddr->len > 0 && outaddr->val == NULL) return ENOMEM; @@ -1362,7 +1437,7 @@ krb5_append_addresses(krb5_context context, { krb5_address *tmp; krb5_error_code ret; - int i; + size_t i; if(source->len > 0) { tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp)); if(tmp == NULL) { diff --git a/source4/heimdal/lib/krb5/appdefault.c b/source4/heimdal/lib/krb5/appdefault.c index d4dc758faa..d4e963d74a 100644 --- a/source4/heimdal/lib/krb5/appdefault.c +++ b/source4/heimdal/lib/krb5/appdefault.c @@ -47,7 +47,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, if(realm != NULL) def_val = krb5_config_get_bool_default(context, NULL, def_val, "realms", realm, option, NULL); - + def_val = krb5_config_get_bool_default(context, NULL, def_val, "appdefaults", option, diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c index ea59c73931..518e19359c 100644 --- a/source4/heimdal/lib/krb5/auth_context.c +++ b/source4/heimdal/lib/krb5/auth_context.c @@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context, return 0; } +/* coverity[+alloc : arg-*2] */ static krb5_error_code copy_key(krb5_context context, krb5_keyblock *in, @@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context, return copy_key(context, auth_context->local_subkey, keyblock); } +/* coverity[+alloc : arg-*2] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, diff --git a/source4/heimdal/lib/krb5/build_auth.c b/source4/heimdal/lib/krb5/build_auth.c index 85d64525de..01145a28c6 100644 --- a/source4/heimdal/lib/krb5/build_auth.c +++ b/source4/heimdal/lib/krb5/build_auth.c @@ -41,10 +41,12 @@ make_etypelist(krb5_context context, krb5_error_code ret; krb5_authdata ad; u_char *buf; - size_t len; + size_t len = 0; size_t buf_size; - ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL); + ret = _krb5_init_etype(context, KRB5_PDU_NONE, + &etypes.len, &etypes.val, + NULL); if (ret) return ret; @@ -111,7 +113,7 @@ _krb5_build_authenticator (krb5_context context, Authenticator auth; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_error_code ret; krb5_crypto crypto; diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index 211642e568..616044e67b 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -38,7 +38,7 @@ /** * @page krb5_ccache_intro The credential cache functions * @section section_krb5_ccache Kerberos credential caches - * + * * krb5_ccache structure holds a Kerberos credential cache. * * Heimdal support the follow types of credential caches: @@ -837,7 +837,7 @@ krb5_cc_set_flags(krb5_context context, { return (*id->ops->set_flags)(context, id, flags); } - + /** * Get the flags of `id', store them in `flags'. * @@ -1144,7 +1144,7 @@ krb5_cc_cache_match (krb5_context context, ret = krb5_cc_get_principal(context, cache, &principal); if (ret == 0) { krb5_boolean match; - + match = krb5_principal_compare(context, principal, client); krb5_free_principal(context, principal); if (match) @@ -1245,7 +1245,7 @@ build_conf_principals(krb5_context context, krb5_ccache id, krb5_free_principal(context, client); return ret; } - + /** * Return TRUE (non zero) if the principal is a configuration * principal (generated part of krb5_cc_set_config()). Returns FALSE @@ -1267,7 +1267,7 @@ krb5_is_config_principal(krb5_context context, if (principal->name.name_string.len == 0 || strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0) return FALSE; - + return TRUE; } @@ -1306,11 +1306,11 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id, /* not that anyone care when this expire */ cred.times.authtime = time(NULL); cred.times.endtime = cred.times.authtime + 3600 * 24 * 30; - + ret = krb5_data_copy(&cred.ticket, data->data, data->length); if (ret) goto out; - + ret = krb5_cc_store_cred(context, id, &cred); } @@ -1396,7 +1396,7 @@ krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor) } /** - * Get next credential cache from the iteration. + * Get next credential cache from the iteration. * * @param context A Kerberos 5 context * @param cursor the iteration cursor @@ -1418,13 +1418,13 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache *cache) { krb5_error_code ret; - + *cache = NULL; while (cursor->idx < context->num_cc_ops) { if (cursor->cursor == NULL) { - ret = krb5_cc_cache_get_first (context, + ret = krb5_cc_cache_get_first (context, context->cc_ops[cursor->idx]->prefix, &cursor->cursor); if (ret) { @@ -1493,7 +1493,7 @@ krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_cc_last_change_time(krb5_context context, - krb5_ccache id, + krb5_ccache id, krb5_timestamp *mtime) { *mtime = 0; @@ -1630,7 +1630,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) *t = 0; now = time(NULL); - + ret = krb5_cc_start_seq_get(context, id, &cursor); if (ret) return ret; @@ -1644,7 +1644,7 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) } krb5_free_cred_contents(context, &cred); } - + krb5_cc_end_seq_get(context, id, &cursor); return ret; diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c index 22a7c87ef3..1e7cd0d464 100644 --- a/source4/heimdal/lib/krb5/changepw.c +++ b/source4/heimdal/lib/krb5/changepw.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #undef __attribute__ @@ -173,7 +171,7 @@ setpw_send_request (krb5_context context, krb5_data krb_priv_data; krb5_data pwd_data; ChangePasswdDataMS chpw; - size_t len; + size_t len = 0; u_char header[4 + 6]; u_char *p; struct iovec iov[3]; @@ -199,7 +197,7 @@ setpw_send_request (krb5_context context, chpw.targname = NULL; chpw.targrealm = NULL; } - + ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length, &chpw, &len, ret); if (ret) { @@ -276,7 +274,7 @@ process_reply (krb5_context context, { krb5_error_code ret; u_char reply[1024 * 3]; - ssize_t len; + size_t len; uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; @@ -304,7 +302,7 @@ process_reply (krb5_context context, _krb5_get_int(reply, &size, 4); if (size + 4 < len) continue; - memmove(reply, reply + 4, size); + memmove(reply, reply + 4, size); len = size; break; } @@ -328,7 +326,7 @@ process_reply (krb5_context context, if (len < 6) { str2data (result_string, "server %s sent to too short message " - "(%ld bytes)", host, (long)len); + "(%zu bytes)", host, len); *result_code = KRB5_KPASSWD_MALFORMED; return 0; } @@ -496,7 +494,7 @@ static struct kpwd_proc { chgpw_send_request, process_reply }, - { NULL } + { NULL, 0, NULL, NULL } }; /* @@ -588,7 +586,7 @@ change_password_loop (krb5_context context, if (!replied) { replied = 0; - + ret = (*proc->send_req) (context, &auth_context, creds, @@ -686,7 +684,6 @@ find_chpw_proto(const char *name) * @ingroup @krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_change_password (krb5_context context, krb5_creds *creds, @@ -694,6 +691,7 @@ krb5_change_password (krb5_context context, int *result_code, krb5_data *result_code_string, krb5_data *result_string) + KRB5_DEPRECATED_FUNCTION("Use X instead") { struct kpwd_proc *p = find_chpw_proto("change password"); diff --git a/source4/heimdal/lib/krb5/codec.c b/source4/heimdal/lib/krb5/codec.c index d73a719100..5e754c60cb 100644 --- a/source4/heimdal/lib/krb5/codec.c +++ b/source4/heimdal/lib/krb5/codec.c @@ -31,184 +31,182 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncTicketPart (krb5_context context, const void *data, size_t length, EncTicketPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncTicketPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncTicketPart (krb5_context context, void *data, size_t length, EncTicketPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncTicketPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncASRepPart (krb5_context context, const void *data, size_t length, EncASRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncASRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncASRepPart (krb5_context context, void *data, size_t length, EncASRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncASRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncTGSRepPart (krb5_context context, const void *data, size_t length, EncTGSRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncTGSRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncTGSRepPart (krb5_context context, void *data, size_t length, EncTGSRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncTGSRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncAPRepPart (krb5_context context, const void *data, size_t length, EncAPRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncAPRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncAPRepPart (krb5_context context, void *data, size_t length, EncAPRepPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncAPRepPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_Authenticator (krb5_context context, const void *data, size_t length, Authenticator *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_Authenticator(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_Authenticator (krb5_context context, void *data, size_t length, Authenticator *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_Authenticator(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_EncKrbCredPart (krb5_context context, const void *data, size_t length, EncKrbCredPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_EncKrbCredPart(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_EncKrbCredPart (krb5_context context, void *data, size_t length, EncKrbCredPart *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_EncKrbCredPart (data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_ETYPE_INFO (krb5_context context, const void *data, size_t length, ETYPE_INFO *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_ETYPE_INFO(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_ETYPE_INFO (krb5_context context, void *data, size_t length, ETYPE_INFO *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_ETYPE_INFO (data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_decode_ETYPE_INFO2 (krb5_context context, const void *data, size_t length, ETYPE_INFO2 *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return decode_ETYPE_INFO2(data, length, t, len); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_encode_ETYPE_INFO2 (krb5_context context, void *data, size_t length, ETYPE_INFO2 *t, size_t *len) + KRB5_DEPRECATED_FUNCTION("Use X instead") { return encode_ETYPE_INFO2 (data, length, t, len); } diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c index 89f778823d..4ac25ae287 100644 --- a/source4/heimdal/lib/krb5/config_file.c +++ b/source4/heimdal/lib/krb5/config_file.c @@ -33,8 +33,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifdef __APPLE__ @@ -63,7 +61,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr) p = ptr->s + strcspn(ptr->s, "\n"); if(*p == '\n') p++; - l = min(len, p - ptr->s); + l = min(len, (size_t)(p - ptr->s)); if(len > 0) { memcpy(str, ptr->s, l); str[l] = '\0'; @@ -91,7 +89,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type) for(q = parent; *q != NULL; q = &(*q)->next) if(type == krb5_config_list && - type == (*q)->type && + (unsigned)type == (*q)->type && strcmp(name, (*q)->name) == 0) return *q; *q = calloc(1, sizeof(**q)); @@ -250,7 +248,7 @@ cfstring2cstring(CFStringRef string) { CFIndex len; char *str; - + str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8); if (str) return strdup(str); @@ -260,7 +258,7 @@ cfstring2cstring(CFStringRef string) str = malloc(len); if (str == NULL) return NULL; - + if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) { free (str); return NULL; @@ -299,7 +297,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section * CFReadStreamRef s; CFDictionaryRef d; CFURLRef url; - + url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE); if (url == NULL) { krb5_clear_error_message(context); @@ -321,7 +319,7 @@ parse_plist_config(krb5_context context, const char *path, krb5_config_section * #ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL); -#else +#else d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL); #endif CFRelease(s); @@ -441,7 +439,7 @@ krb5_config_parse_file_multi (krb5_context context, home = getenv("HOME"); if (home == NULL) { - struct passwd *pw = getpwuid(getuid()); + struct passwd *pw = getpwuid(getuid()); if(pw != NULL) home = pw->pw_dir; } @@ -455,7 +453,7 @@ krb5_config_parse_file_multi (krb5_context context, fname = newfname; } #else /* KRB5_USE_PATH_TOKENS */ - if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 || + if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 || newfname == NULL) { krb5_set_error_message(context, ENOMEM, @@ -477,7 +475,7 @@ krb5_config_parse_file_multi (krb5_context context, return ret; } #else - krb5_set_error_message(context, ENOENT, + krb5_set_error_message(context, ENOENT, "no support for plist configuration files"); return ENOENT; #endif @@ -491,7 +489,7 @@ krb5_config_parse_file_multi (krb5_context context, free(newfname); return ret; } - + if (newfname) free(newfname); fname = newfname = exp_fname; @@ -507,7 +505,7 @@ krb5_config_parse_file_multi (krb5_context context, free(newfname); return ret; } - + ret = krb5_config_parse_debug (&f, res, &lineno, &str); fclose(f.f); if (ret) { @@ -635,7 +633,7 @@ vget_next(krb5_context context, const char *p = va_arg(args, const char *); while(b != NULL) { if(strcmp(b->name, name) == 0) { - if(b->type == type && p == NULL) { + if(b->type == (unsigned)type && p == NULL) { *pointer = b; return b->u.generic; } else if(b->type == krb5_config_list && p != NULL) { @@ -675,7 +673,7 @@ _krb5_config_vget_next (krb5_context context, /* we were called again, so just look for more entries with the same name and type */ for (b = (*pointer)->next; b != NULL; b = b->next) { - if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) { + if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) { *pointer = b; return b->u.generic; } @@ -770,7 +768,7 @@ krb5_config_vget_list (krb5_context context, * * @ingroup krb5_support */ - + KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_config_get_string (krb5_context context, const krb5_config_section *c, @@ -865,7 +863,7 @@ krb5_config_get_string_default (krb5_context context, } static char * -next_component_string(char * begin, char * delims, char **state) +next_component_string(char * begin, const char * delims, char **state) { char * end; @@ -1302,11 +1300,11 @@ krb5_config_get_int (krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_config_parse_string_multi(krb5_context context, const char *string, krb5_config_section **res) + KRB5_DEPRECATED_FUNCTION("Use X instead") { const char *str; unsigned lineno = 0; diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index b6c6870938..99bf1b419b 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -34,6 +34,7 @@ */ #include "krb5_locl.h" +#include <assert.h> #include <com_err.h> #define INIT_FIELD(C, T, E, D, F) \ @@ -128,6 +129,24 @@ init_context_from_config_file(krb5_context context) free(context->etypes_des); context->etypes_des = tmptypes; + ret = set_etypes (context, "default_as_etypes", &tmptypes); + if(ret) + return ret; + free(context->as_etypes); + context->as_etypes = tmptypes; + + ret = set_etypes (context, "default_tgs_etypes", &tmptypes); + if(ret) + return ret; + free(context->tgs_etypes); + context->tgs_etypes = tmptypes; + + ret = set_etypes (context, "permitted_enctypes", &tmptypes); + if(ret) + return ret; + free(context->permitted_enctypes); + context->permitted_enctypes = tmptypes; + /* default keytab name */ tmp = NULL; if(!issuid()) @@ -317,7 +336,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context) return 0; } -static const char *sysplugin_dirs[] = { +static const char *sysplugin_dirs[] = { LIBDIR "/plugin/krb5", #ifdef __APPLE__ "/Library/KerberosPlugins/KerberosFrameworkPlugins", @@ -332,7 +351,7 @@ init_context_once(void *ctx) krb5_context context = ctx; _krb5_load_plugins(context, "krb5", sysplugin_dirs); - + bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR); } @@ -392,7 +411,7 @@ krb5_init_context(krb5_context *context) ret = hx509_context_init(&p->hx509ctx); if (ret) goto out; -#endif +#endif if (rk_SOCK_INIT()) p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED; @@ -413,7 +432,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **etypes) { - return krb5_get_default_in_tkt_etypes(context, etypes); + return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes); } /* @@ -433,7 +452,7 @@ copy_etypes (krb5_context context, *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i); if (*ret_enctypes == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } @@ -481,7 +500,7 @@ krb5_copy_context(krb5_context context, krb5_context *out) p->default_cc_name = strdup(context->default_cc_name); if (context->default_cc_name_env) p->default_cc_name_env = strdup(context->default_cc_name_env); - + if (context->etypes) { ret = copy_etypes(context, context->etypes, &p->etypes); if (ret) @@ -494,7 +513,7 @@ krb5_copy_context(krb5_context context, krb5_context *out) } if (context->default_realms) { - ret = krb5_copy_host_realm(context, + ret = krb5_copy_host_realm(context, context->default_realms, &p->default_realms); if (ret) goto out; @@ -736,7 +755,7 @@ krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) krb5_free_config_files(defpp); if (ret) { return ret; - } + } *pfilenames = pp; return 0; } @@ -874,36 +893,51 @@ krb5_kerberos_enctypes(krb5_context context) } /* - * set `etype' to a malloced list of the default enctypes + * */ static krb5_error_code -default_etypes(krb5_context context, krb5_enctype **etype) +copy_enctypes(krb5_context context, + const krb5_enctype *in, + krb5_enctype **out) { - const krb5_enctype *p; - krb5_enctype *e = NULL, *ep; - int i, n = 0; - - p = krb5_kerberos_enctypes(context); + krb5_enctype *p = NULL; + size_t m, n; - for (i = 0; p[i] != ETYPE_NULL; i++) { - if (krb5_enctype_valid(context, p[i]) != 0) + for (n = 0; in[n]; n++) + ; + n++; + ALLOC(p, n); + if(p == NULL) + return krb5_enomem(context); + for (n = 0, m = 0; in[n]; n++) { + if (krb5_enctype_valid(context, in[n]) != 0) continue; - ep = realloc(e, (n + 2) * sizeof(*e)); - if (ep == NULL) { - free(e); - krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); - return ENOMEM; - } - e = ep; - e[n] = p[i]; - e[n + 1] = ETYPE_NULL; - n++; + p[m++] = in[n]; + } + p[m] = KRB5_ENCTYPE_NULL; + if (m == 0) { + free(p); + krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, + N_("no valid enctype set", "")); + return KRB5_PROG_ETYPE_NOSUPP; } - *etype = e; + *out = p; return 0; } + +/* + * set `etype' to a malloced list of the default enctypes + */ + +static krb5_error_code +default_etypes(krb5_context context, krb5_enctype **etype) +{ + const krb5_enctype *p = krb5_kerberos_enctypes(context); + return copy_enctypes(context, p, etype); +} + /** * Set the default encryption types that will be use in communcation * with the KDC, clients and servers. @@ -923,31 +957,11 @@ krb5_set_default_in_tkt_etypes(krb5_context context, { krb5_error_code ret; krb5_enctype *p = NULL; - unsigned int n, m; if(etypes) { - for (n = 0; etypes[n]; n++) - ; - n++; - ALLOC(p, n); - if(!p) { - krb5_set_error_message (context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } - for (n = 0, m = 0; etypes[n]; n++) { - ret = krb5_enctype_valid(context, etypes[n]); - if (ret) - continue; - p[m++] = etypes[n]; - } - p[m] = ETYPE_NULL; - if (m == 0) { - free(p); - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("no valid enctype set", "")); - return KRB5_PROG_ETYPE_NOSUPP; - } + ret = copy_enctypes(context, etypes, &p); + if (ret) + return ret; } if(context->etypes) free(context->etypes); @@ -971,21 +985,28 @@ krb5_set_default_in_tkt_etypes(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_default_in_tkt_etypes(krb5_context context, + krb5_pdu pdu_type, krb5_enctype **etypes) { - krb5_enctype *p; - int i; + krb5_enctype *enctypes = NULL; krb5_error_code ret; + krb5_enctype *p; - if(context->etypes) { - for(i = 0; context->etypes[i]; i++); - ++i; - ALLOC(p, i); - if(!p) { - krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); - return ENOMEM; - } - memmove(p, context->etypes, i * sizeof(krb5_enctype)); + heim_assert(pdu_type == KRB5_PDU_AS_REQUEST || + pdu_type == KRB5_PDU_TGS_REQUEST || + pdu_type == KRB5_PDU_NONE, "pdu contant not as expected"); + + if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL) + enctypes = context->as_etypes; + else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL) + enctypes = context->tgs_etypes; + else if (context->etypes != NULL) + enctypes = context->etypes; + + if (enctypes != NULL) { + ret = copy_enctypes(context, enctypes, &p); + if (ret) + return ret; } else { ret = default_etypes(context, &p); if (ret) @@ -1390,10 +1411,11 @@ krb5_set_max_time_skew (krb5_context context, time_t t) context->max_skew = t; } -/** +/* * Init encryption types in len, val with etypes. * * @param context Kerberos 5 context. + * @param pdu_type type of pdu * @param len output length of val. * @param val output array of enctypes. * @param etypes etypes to set val and len to, if NULL, use default enctypes. @@ -1405,39 +1427,27 @@ krb5_set_max_time_skew (krb5_context context, time_t t) */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -krb5_init_etype (krb5_context context, +_krb5_init_etype(krb5_context context, + krb5_pdu pdu_type, unsigned *len, krb5_enctype **val, const krb5_enctype *etypes) { - unsigned int i; krb5_error_code ret; - krb5_enctype *tmp = NULL; - ret = 0; - if (etypes == NULL) { - ret = krb5_get_default_in_tkt_etypes(context, &tmp); - if (ret) - return ret; - etypes = tmp; - } + if (etypes == NULL) + ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val); + else + ret = copy_enctypes(context, etypes, val); + if (ret) + return ret; - for (i = 0; etypes[i]; ++i) - ; - *len = i; - *val = malloc(i * sizeof(**val)); - if (i != 0 && *val == NULL) { - ret = ENOMEM; - krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); - goto cleanup; + if (len) { + *len = 0; + while ((*val)[*len] != KRB5_ENCTYPE_NULL) + (*len)++; } - memmove (*val, - etypes, - i * sizeof(*tmp)); -cleanup: - if (tmp != NULL) - free (tmp); - return ret; + return 0; } /* diff --git a/source4/heimdal/lib/krb5/convert_creds.c b/source4/heimdal/lib/krb5/convert_creds.c index e700425ffe..fc371c6377 100644 --- a/source4/heimdal/lib/krb5/convert_creds.c +++ b/source4/heimdal/lib/krb5/convert_creds.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #include "krb5-v4compat.h" @@ -54,11 +52,11 @@ * @ingroup krb5_v4compat */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred, struct credentials *v4creds) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset(v4creds, 0, sizeof(*v4creds)); krb5_set_error_message(context, EINVAL, @@ -81,12 +79,12 @@ krb524_convert_creds_kdc(krb5_context context, * @ingroup krb5_v4compat */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, struct credentials *v4creds) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset(v4creds, 0, sizeof(*v4creds)); krb5_set_error_message(context, EINVAL, diff --git a/source4/heimdal/lib/krb5/creds.c b/source4/heimdal/lib/krb5/creds.c index 69aacdc032..7ef8eb9609 100644 --- a/source4/heimdal/lib/krb5/creds.c +++ b/source4/heimdal/lib/krb5/creds.c @@ -228,7 +228,7 @@ krb5_compare_creds(krb5_context context, krb5_flags whichfields, match = krb5_principal_compare (context, mcreds->client, creds->client); } - + if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE)) match = mcreds->session.keytype == creds->session.keytype; diff --git a/source4/heimdal/lib/krb5/crypto-des.c b/source4/heimdal/lib/krb5/crypto-des.c index 1c062b5e61..63ce901d92 100644 --- a/source4/heimdal/lib/krb5/crypto-des.c +++ b/source4/heimdal/lib/krb5/crypto-des.c @@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = { krb5_DES_random_key, krb5_DES_schedule_old, _krb5_des_salt, - krb5_DES_random_to_key + krb5_DES_random_to_key, + NULL, + NULL }; static struct _krb5_key_type keytype_des = { diff --git a/source4/heimdal/lib/krb5/crypto-des3.c b/source4/heimdal/lib/krb5/crypto-des3.c index b61948895a..d50c5cebe2 100644 --- a/source4/heimdal/lib/krb5/crypto-des3.c +++ b/source4/heimdal/lib/krb5/crypto-des3.c @@ -202,7 +202,7 @@ _krb5_DES3_random_to_key(krb5_context context, DES_cblock *k; int i, j; - memset(x, 0, sizeof(x)); + memset(key->keyvalue.data, 0, key->keyvalue.length); for (i = 0; i < 3; ++i) { unsigned char foo; for (j = 0; j < 7; ++j) { diff --git a/source4/heimdal/lib/krb5/crypto-evp.c b/source4/heimdal/lib/krb5/crypto-evp.c index 3f9cd57bbc..e8fb1caf6a 100644 --- a/source4/heimdal/lib/krb5/crypto-evp.c +++ b/source4/heimdal/lib/krb5/crypto-evp.c @@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context, { size_t i, blocksize; struct _krb5_evp_schedule *ctx = key->schedule->data; - char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; EVP_CIPHER_CTX *c; unsigned char *p; @@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context, if (ivec) memcpy(ivec, p, blocksize); } else { - char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; p = data; if (len > blocksize * 2) { diff --git a/source4/heimdal/lib/krb5/crypto-pk.c b/source4/heimdal/lib/krb5/crypto-pk.c index eb783c8998..7fedb65c9e 100644 --- a/source4/heimdal/lib/krb5/crypto-pk.c +++ b/source4/heimdal/lib/krb5/crypto-pk.c @@ -110,7 +110,7 @@ encode_uvinfo(krb5_context context, krb5_const_principal p, krb5_data *data) { KRB5PrincipalName pn; krb5_error_code ret; - size_t size; + size_t size = 0; pn.principalName = p->name; pn.realm = p->realm; @@ -143,7 +143,7 @@ encode_otherinfo(krb5_context context, PkinitSuppPubInfo pubinfo; krb5_error_code ret; krb5_data pub; - size_t size; + size_t size = 0; krb5_data_zero(other); memset(&otherinfo, 0, sizeof(otherinfo)); @@ -192,6 +192,8 @@ encode_otherinfo(krb5_context context, return 0; } + + krb5_error_code _krb5_pk_kdf(krb5_context context, const struct AlgorithmIdentifier *ai, @@ -211,10 +213,17 @@ _krb5_pk_kdf(krb5_context context, size_t keylen, offset; uint32_t counter; unsigned char *keydata; - unsigned char shaoutput[SHA_DIGEST_LENGTH]; + unsigned char shaoutput[SHA512_DIGEST_LENGTH]; + const EVP_MD *md; EVP_MD_CTX *m; - if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) { + if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) { + md = EVP_sha1(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) { + md = EVP_sha256(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) { + md = EVP_sha512(); + } else { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, N_("KDF not supported", "")); return KRB5_PROG_ETYPE_NOSUPP; @@ -264,7 +273,7 @@ _krb5_pk_kdf(krb5_context context, do { unsigned char cdata[4]; - EVP_DigestInit_ex(m, EVP_sha1(), NULL); + EVP_DigestInit_ex(m, md, NULL); _krb5_put_int(cdata, counter, 4); EVP_DigestUpdate(m, cdata, 4); EVP_DigestUpdate(m, dhdata, dhsize); @@ -274,9 +283,9 @@ _krb5_pk_kdf(krb5_context context, memcpy((unsigned char *)keydata + offset, shaoutput, - min(keylen - offset, sizeof(shaoutput))); + min(keylen - offset, EVP_MD_CTX_size(m))); - offset += sizeof(shaoutput); + offset += EVP_MD_CTX_size(m); counter++; } while(offset < keylen); memset(shaoutput, 0, sizeof(shaoutput)); diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index 5d274e9af7..63aedc4568 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" struct _krb5_key_usage { @@ -180,7 +178,7 @@ _krb5_internal_hmac(krb5_context context, unsigned char *ipad, *opad; unsigned char *key; size_t key_len; - int i; + size_t i; ipad = malloc(cm->blocksize + len); if (ipad == NULL) @@ -311,7 +309,7 @@ get_checksum_key(krb5_context context, if(ct->flags & F_DERIVED) ret = _get_derived_key(context, crypto, usage, key); else if(ct->flags & F_VARIANT) { - int i; + size_t i; *key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */); if(*key == NULL) { @@ -479,7 +477,7 @@ verify_checksum(krb5_context context, if(ct->verify) { ret = (*ct->verify)(context, dkey, data, len, usage, cksum); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Decrypt integrity check failed for checksum " "type %s, key type %s", ""), ct->name, (crypto != NULL)? crypto->et->name : "(none)"); @@ -1160,9 +1158,9 @@ decrypt_internal_special(krb5_context context, } static krb5_crypto_iov * -find_iv(krb5_crypto_iov *data, int num_data, int type) +find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type) { - int i; + size_t i; for (i = 0; i < num_data; i++) if (data[i].flags == type) return &data[i]; @@ -1403,11 +1401,6 @@ krb5_decrypt_iov_ivec(krb5_context context, struct _krb5_encryption_type *et = crypto->et; krb5_crypto_iov *tiv, *hiv; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1545,15 +1538,10 @@ krb5_create_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1629,15 +1617,10 @@ krb5_verify_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1689,7 +1672,7 @@ krb5_crypto_length(krb5_context context, krb5_set_error_message(context, EINVAL, "not a derived crypto"); return EINVAL; } - + switch(type) { case KRB5_CRYPTO_TYPE_EMPTY: *len = 0; @@ -1730,7 +1713,7 @@ krb5_crypto_length_iov(krb5_context context, unsigned int num_data) { krb5_error_code ret; - int i; + size_t i; for (i = 0; i < num_data; i++) { ret = krb5_crypto_length(context, crypto, @@ -2120,7 +2103,7 @@ krb5_crypto_destroy(krb5_context context, /** * Return the blocksize used algorithm referenced by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param blocksize the resulting blocksize @@ -2141,7 +2124,7 @@ krb5_crypto_getblocksize(krb5_context context, /** * Return the encryption type used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param enctype the resulting encryption type @@ -2162,7 +2145,7 @@ krb5_crypto_getenctype(krb5_context context, /** * Return the padding size used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param padsize the return padding size @@ -2183,7 +2166,7 @@ krb5_crypto_getpadsize(krb5_context context, /** * Return the confounder size used by the crypto context - * + * * @param context Kerberos context * @param crypto crypto context to query * @param confoundersize the returned confounder size @@ -2593,12 +2576,12 @@ krb5_crypto_fx_cf2(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, krb5_enctype **val) + KRB5_DEPRECATED_FUNCTION("Use X instead") { int i; unsigned n = 0; @@ -2640,11 +2623,11 @@ krb5_keytype_to_enctypes (krb5_context context, */ /* if two enctypes have compatible keys */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) + KRB5_DEPRECATED_FUNCTION("Use X instead") { struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1); struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2); diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c index dc2d4586a0..7a7b989b69 100644 --- a/source4/heimdal/lib/krb5/error_string.c +++ b/source4/heimdal/lib/krb5/error_string.c @@ -288,9 +288,9 @@ krb5_free_error_message(krb5_context context, const char *msg) * @ingroup krb5 */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_get_err_text(krb5_context context, krb5_error_code code) + KRB5_DEPRECATED_FUNCTION("Use X instead") { const char *p = NULL; if(context != NULL) diff --git a/source4/heimdal/lib/krb5/expand_path.c b/source4/heimdal/lib/krb5/expand_path.c index 70096e1c7a..4c4898a79e 100644 --- a/source4/heimdal/lib/krb5/expand_path.c +++ b/source4/heimdal/lib/krb5/expand_path.c @@ -2,19 +2,19 @@ /*********************************************************************** * Copyright (c) 2009, Secure Endpoints Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -27,7 +27,7 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * + * **********************************************************************/ #include "krb5_locl.h" @@ -168,7 +168,7 @@ _expand_userid(krb5_context context, PTYPE param, const char *postfix, char **re if (le != 0) { if (context) - krb5_set_error_message(context, rv, + krb5_set_error_message(context, rv, "Can't open thread token (GLE=%d)", le); goto _exit; } @@ -247,7 +247,7 @@ _expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **re if (context) krb5_set_error_message(context, EINVAL, "Unable to determine folder path"); return EINVAL; - } + } len = strlen(path); @@ -464,7 +464,7 @@ _krb5_expand_path_tokens(krb5_context context, return ENOMEM; } - + { size_t append_len = strlen(append); char * new_str = realloc(*ppath_out, len + append_len + 1); diff --git a/source4/heimdal/lib/krb5/fcache.c b/source4/heimdal/lib/krb5/fcache.c index 218bd2cdbf..731f293414 100644 --- a/source4/heimdal/lib/krb5/fcache.c +++ b/source4/heimdal/lib/krb5/fcache.c @@ -62,6 +62,9 @@ static const char* KRB5_CALLCONV fcc_get_name(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return NULL; + return FILENAME(id); } @@ -155,7 +158,7 @@ write_storage(krb5_context context, krb5_storage *sp, int fd) return ret; } sret = write(fd, data.data, data.length); - ret = (sret != data.length); + ret = (sret != (ssize_t)data.length); krb5_data_free(&data); if (ret) { ret = errno; @@ -220,7 +223,7 @@ scrub_file (int fd) return errno; memset(buf, 0, sizeof(buf)); while(pos > 0) { - ssize_t tmp = write(fd, buf, min(sizeof(buf), pos)); + ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos)); if (tmp < 0) return errno; @@ -334,11 +337,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id) fd = mkstemp(exp_file); if(fd < 0) { - int ret = errno; - krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file); + int xret = errno; + krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file); free(f); free(exp_file); - return ret; + return xret; } close(fd); f->filename = exp_file; @@ -383,8 +386,14 @@ fcc_open(krb5_context context, krb5_boolean exclusive = ((flags | O_WRONLY) == flags || (flags | O_RDWR) == flags); krb5_error_code ret; - const char *filename = FILENAME(id); + const char *filename; int fd; + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + filename = FILENAME(id); + fd = open(filename, flags, mode); if(fd < 0) { char buf[128]; @@ -412,9 +421,11 @@ fcc_initialize(krb5_context context, krb5_fcache *f = FCACHE(id); int ret = 0; int fd; - char *filename = f->filename; - unlink (filename); + if (f == NULL) + return krb5_einval(context, 2); + + unlink (f->filename); ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600); if(ret) @@ -443,7 +454,7 @@ fcc_initialize(krb5_context context, } } ret |= krb5_store_principal(sp, primary_principal); - + ret |= write_storage(context, sp, fd); krb5_storage_free(sp); @@ -464,6 +475,9 @@ static krb5_error_code KRB5_CALLCONV fcc_close(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + free (FILENAME(id)); krb5_data_free(&id->data); return 0; @@ -473,6 +487,9 @@ static krb5_error_code KRB5_CALLCONV fcc_destroy(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + _krb5_erase_file(context, FILENAME(id)); return 0; } @@ -701,6 +718,9 @@ fcc_get_first (krb5_context context, krb5_error_code ret; krb5_principal principal; + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + *cursor = malloc(sizeof(struct fcc_cursor)); if (*cursor == NULL) { krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); @@ -733,6 +753,13 @@ fcc_get_next (krb5_context context, krb5_creds *creds) { krb5_error_code ret; + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + if (FCC_CURSOR(*cursor) == NULL) + return krb5_einval(context, 3); + if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0) return ret; @@ -749,6 +776,13 @@ fcc_end_get (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { + + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + + if (FCC_CURSOR(*cursor) == NULL) + return krb5_einval(context, 3); + krb5_storage_free(FCC_CURSOR(*cursor)->sp); close (FCC_CURSOR(*cursor)->fd); free(*cursor); @@ -767,6 +801,9 @@ fcc_remove_cred(krb5_context context, char *newname = NULL; int fd; + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, ©); if (ret) return ret; @@ -827,6 +864,9 @@ fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) { + if (FCACHE(id) == NULL) + return krb5_einval(context, 2); + return 0; /* XXX */ } @@ -834,9 +874,12 @@ static int KRB5_CALLCONV fcc_get_version(krb5_context context, krb5_ccache id) { + if (FCACHE(id) == NULL) + return -1; + return FCACHE(id)->version; } - + struct fcache_iter { int first; }; @@ -864,6 +907,9 @@ fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) const char *fn; char *expandedfn = NULL; + if (iter == NULL) + return krb5_einval(context, 2); + if (!iter->first) { krb5_clear_error_message(context); return KRB5_CC_END; @@ -900,6 +946,10 @@ static krb5_error_code KRB5_CALLCONV fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor) { struct fcache_iter *iter = cursor; + + if (iter == NULL) + return krb5_einval(context, 2); + free(iter); return 0; } diff --git a/source4/heimdal/lib/krb5/get_addrs.c b/source4/heimdal/lib/krb5/get_addrs.c index 829b2acc17..0e2bfcf66f 100644 --- a/source4/heimdal/lib/krb5/get_addrs.c +++ b/source4/heimdal/lib/krb5/get_addrs.c @@ -82,8 +82,8 @@ gethostname_fallback (krb5_context context, krb5_addresses *res) } enum { - LOOP = 1, /* do include loopback interfaces */ - LOOP_IF_NONE = 2, /* include loopback if no other if's */ + LOOP = 1, /* do include loopback addrs */ + LOOP_IF_NONE = 2, /* include loopback addrs if no others */ EXTRA_ADDRESSES = 4, /* include extra addresses */ SCAN_INTERFACES = 8 /* scan interfaces for addresses */ }; @@ -146,11 +146,9 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) continue; if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) continue; - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { + if (krb5_sockaddr_is_loopback(ifa->ifa_addr) && (flags & LOOP) == 0) /* We'll deal with the LOOP_IF_NONE case later. */ - if ((flags & LOOP) == 0) - continue; - } + continue; ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]); if (ret) { @@ -189,24 +187,22 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) continue; if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) continue; - - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { - ret = krb5_sockaddr2address(context, - ifa->ifa_addr, &res->val[idx]); - if (ret) { - /* - * See comment above. - */ - continue; - } - if((flags & EXTRA_ADDRESSES) && - krb5_address_search(context, &res->val[idx], - &ignore_addresses)) { - krb5_free_address(context, &res->val[idx]); - continue; - } - idx++; + if (!krb5_sockaddr_is_loopback(ifa->ifa_addr)) + continue; + if ((ifa->ifa_flags & IFF_LOOPBACK) == 0) + /* Presumably loopback addrs are only used on loopback ifs! */ + continue; + ret = krb5_sockaddr2address(context, + ifa->ifa_addr, &res->val[idx]); + if (ret) + continue; /* We don't consider this failure fatal */ + if((flags & EXTRA_ADDRESSES) && + krb5_address_search(context, &res->val[idx], + &ignore_addresses)) { + krb5_free_address(context, &res->val[idx]); + continue; } + idx++; } } diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 7f2b57247d..e3bb23a2e9 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -55,7 +55,7 @@ make_pa_tgs_req(krb5_context context, { u_char *buf; size_t buf_size; - size_t len; + size_t len = 0; krb5_data in_data; krb5_error_code ret; @@ -90,7 +90,7 @@ set_auth_data (krb5_context context, krb5_keyblock *subkey) { if(authdata->len) { - size_t len, buf_size; + size_t len = 0, buf_size; unsigned char *buf; krb5_crypto crypto; krb5_error_code ret; @@ -166,10 +166,11 @@ init_tgs_req (krb5_context context, } t->req_body.etype.val[0] = in_creds->session.keytype; } else { - ret = krb5_init_etype(context, - &t->req_body.etype.len, - &t->req_body.etype.val, - NULL); + ret = _krb5_init_etype(context, + KRB5_PDU_TGS_REQUEST, + &t->req_body.etype.len, + &t->req_body.etype.val, + NULL); } if (ret) goto fail; @@ -235,7 +236,7 @@ init_tgs_req (krb5_context context, goto fail; } { - int i; + size_t i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { @@ -249,16 +250,16 @@ init_tgs_req (krb5_context context, ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - + ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session); if (ret) goto fail; - + ret = set_auth_data (context, &t->req_body, &in_creds->authdata, ac->local_subkey); if (ret) goto fail; - + ret = make_pa_tgs_req(context, ac, &t->req_body, @@ -334,6 +335,8 @@ decrypt_tkt_with_subkey (krb5_context context, assert(usage == 0); + krb5_data_zero(&data); + /* * start out with trying with subkey if we have one */ @@ -383,7 +386,7 @@ decrypt_tkt_with_subkey (krb5_context context, &dec_rep->enc_part, &size); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encpart in ticket", "")); krb5_data_free (&data); return ret; @@ -408,7 +411,7 @@ get_cred_kdc(krb5_context context, krb5_error_code ret; unsigned nonce; krb5_keyblock *subkey = NULL; - size_t len; + size_t len = 0; Ticket second_ticket_data; METHOD_DATA padata; @@ -435,12 +438,12 @@ get_cred_kdc(krb5_context context, PA_S4U2Self self; krb5_data data; void *buf; - size_t size; + size_t size = 0; self.name = impersonate_principal->name; self.realm = impersonate_principal->realm; self.auth = estrdup("Kerberos"); - + ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); if (ret) { free(self.auth); @@ -475,7 +478,7 @@ get_cred_kdc(krb5_context context, goto out; if (len != size) krb5_abortx(context, "internal asn1 error"); - + ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len); if (ret) goto out; @@ -609,7 +612,7 @@ get_cred_kdc_address(krb5_context context, krb5_appdefault_boolean(context, NULL, krbtgt->server->realm, "no-addresses", FALSE, &noaddr); - + if (!noaddr) { krb5_get_all_client_addrs(context, &addresses); /* XXX this sucks. */ @@ -734,7 +737,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_creds *in_creds, krb5_const_realm try_realm, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -809,7 +812,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_free_principal(context, tmp_creds.client); return ret; } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ @@ -842,7 +845,7 @@ get_cred_kdc_capath_worker(krb5_context context, return ret; } } - + krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); *out_creds = calloc(1, sizeof(**out_creds)); @@ -860,7 +863,7 @@ get_cred_kdc_capath_worker(krb5_context context, } krb5_free_creds(context, tgt); return ret; -} +} /* get_cred(server) @@ -883,7 +886,7 @@ get_cred_kdc_capath(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -918,7 +921,7 @@ get_cred_kdc_referral(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -946,7 +949,7 @@ get_cred_kdc_referral(krb5_context context, /* find tgt for the clients base realm */ { krb5_principal tgtname; - + ret = krb5_make_principal(context, &tgtname, client_realm, KRB5_TGS_NAME, @@ -954,7 +957,7 @@ get_cred_kdc_referral(krb5_context context, NULL); if(ret) return ret; - + ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt); krb5_free_principal(context, tgtname); if (ret) @@ -1032,9 +1035,9 @@ get_cred_kdc_referral(krb5_context context, goto out; } tickets++; - } + } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ @@ -1080,7 +1083,7 @@ _krb5_get_cred_kdc_any(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -1165,7 +1168,7 @@ krb5_get_credentials_with_flags(krb5_context context, *out_creds = res_creds; return 0; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; @@ -1382,7 +1385,7 @@ krb5_get_creds(krb5_context context, krb5_free_principal(context, in_creds.client); goto out; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; @@ -1467,7 +1470,7 @@ krb5_get_renewed_creds(krb5_context context, } } else { const char *realm = krb5_principal_get_realm(context, client); - + ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME, realm, NULL); if (ret) { diff --git a/source4/heimdal/lib/krb5/get_default_principal.c b/source4/heimdal/lib/krb5/get_default_principal.c index ba4301ce29..44baa6d1c2 100644 --- a/source4/heimdal/lib/krb5/get_default_principal.c +++ b/source4/heimdal/lib/krb5/get_default_principal.c @@ -76,7 +76,7 @@ _krb5_get_default_principal_local (krb5_context context, else ret = krb5_make_principal(context, princ, NULL, "root", NULL); } else { - struct passwd *pw = getpwuid(uid); + struct passwd *pw = getpwuid(uid); if(pw != NULL) user = pw->pw_name; else { diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index a109c71326..979fc9b0ae 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -225,7 +225,7 @@ krb5_get_forwarded_creds (krb5_context context, if (!noaddr) paddrs = &addrs; } - + /* * If tickets have addresses, get the address of the remote host. */ @@ -241,7 +241,7 @@ krb5_get_forwarded_creds (krb5_context context, hostname, gai_strerror(ret)); return ret2; } - + ret = add_addrs (context, &addrs, ai); freeaddrinfo (ai); if (ret) @@ -287,9 +287,9 @@ krb5_get_forwarded_creds (krb5_context context, if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_timestamp sec; int32_t usec; - + krb5_us_timeofday (context, &sec, &usec); - + ALLOC(enc_krb_cred_part.timestamp, 1); if (enc_krb_cred_part.timestamp == NULL) { ret = ENOMEM; @@ -418,7 +418,7 @@ krb5_get_forwarded_creds (krb5_context context, * used. Heimdal 0.7.2 and newer have code to try both in the * receiving end. */ - + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); diff --git a/source4/heimdal/lib/krb5/get_host_realm.c b/source4/heimdal/lib/krb5/get_host_realm.c index 7aee02734b..ed7f54b3d6 100644 --- a/source4/heimdal/lib/krb5/get_host_realm.c +++ b/source4/heimdal/lib/krb5/get_host_realm.c @@ -109,7 +109,7 @@ dns_find_realm(krb5_context context, domain++; for (i = 0; labels[i] != NULL; i++) { ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); - if(ret < 0 || ret >= sizeof(dom)) { + if(ret < 0 || (size_t)ret >= sizeof(dom)) { if (config_labels) krb5_config_free_strings(config_labels); return -1; diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c index 15cbfba89d..27f4964e61 100644 --- a/source4/heimdal/lib/krb5/get_in_tkt.c +++ b/source4/heimdal/lib/krb5/get_in_tkt.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER @@ -44,7 +42,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, PA_ENC_TS_ENC p; unsigned char *buf; size_t buf_size; - size_t len; + size_t len = 0; EncryptedData encdata; krb5_error_code ret; int32_t usec; @@ -76,7 +74,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, krb5_crypto_destroy(context, crypto); if (ret) return ret; - + ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret); free_EncryptedData(&encdata); if (ret) @@ -103,7 +101,7 @@ add_padata(krb5_context context, PA_DATA *pa2; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ @@ -209,7 +207,8 @@ init_as_req (krb5_context context, *a->req_body.rtime = creds->times.renew_till; } a->req_body.nonce = nonce; - ret = krb5_init_etype (context, + ret = _krb5_init_etype(context, + KRB5_PDU_AS_REQUEST, &a->req_body.etype.len, &a->req_body.etype.val, etypes); @@ -247,7 +246,7 @@ init_as_req (krb5_context context, a->req_body.additional_tickets = NULL; if(preauth != NULL) { - int i; + size_t i; ALLOC(a->padata, 1); if(a->padata == NULL) { ret = ENOMEM; @@ -258,7 +257,7 @@ init_as_req (krb5_context context, a->padata->len = 0; for(i = 0; i < preauth->len; i++) { if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){ - int j; + size_t j; for(j = 0; j < preauth->val[i].info.len; j++) { krb5_salt *sp = &salt; @@ -300,7 +299,7 @@ init_as_req (krb5_context context, add_padata(context, a->padata, creds->client, key_proc, keyseed, a->req_body.etype.val, a->req_body.etype.len, NULL); - + /* make a v4 salted pa-data */ salt.salttype = KRB5_PW_SALT; krb5_data_zero(&salt.saltvalue); @@ -331,7 +330,7 @@ set_ptypes(krb5_context context, if(error->e_data) { METHOD_DATA md; - int i; + size_t i; decode_METHOD_DATA(error->e_data->data, error->e_data->length, &md, @@ -361,7 +360,6 @@ set_ptypes(krb5_context context, return(1); } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_in_cred(krb5_context context, krb5_flags options, @@ -375,12 +373,13 @@ krb5_get_in_cred(krb5_context context, krb5_const_pointer decryptarg, krb5_creds *creds, krb5_kdc_rep *ret_as_reply) + KRB5_DEPRECATED_FUNCTION("Use X instead") { krb5_error_code ret; AS_REQ a; krb5_kdc_rep rep; krb5_data req, resp; - size_t len; + size_t len = 0; krb5_salt salt; krb5_keyblock *key; size_t size; @@ -483,12 +482,12 @@ krb5_get_in_cred(krb5_context context, if(pa) { salt.salttype = pa->padata_type; salt.saltvalue = pa->padata_value; - + ret = (*key_proc)(context, etype, salt, keyseed, &key); } else { /* make a v5 salted pa-data */ ret = krb5_get_pw_salt (context, creds->client, &salt); - + if (ret) goto out; ret = (*key_proc)(context, etype, salt, keyseed, &key); @@ -496,7 +495,7 @@ krb5_get_in_cred(krb5_context context, } if (ret) goto out; - + { unsigned flags = EXTRACT_TICKET_TIMESYNC; if (opts.request_anonymous) @@ -526,7 +525,6 @@ out: return ret; } -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_in_tkt(krb5_context context, krb5_flags options, @@ -540,6 +538,7 @@ krb5_get_in_tkt(krb5_context context, krb5_creds *creds, krb5_ccache ccache, krb5_kdc_rep *ret_as_reply) + KRB5_DEPRECATED_FUNCTION("Use X instead") { krb5_error_code ret; diff --git a/source4/heimdal/lib/krb5/heim_err.et b/source4/heimdal/lib/krb5/heim_err.et index 2e8a0d18d8..c47f77092f 100644 --- a/source4/heimdal/lib/krb5/heim_err.et +++ b/source4/heimdal/lib/krb5/heim_err.et @@ -19,6 +19,7 @@ error_code BAD_MKEY, "Failed to get the master key" error_code SERVICE_NOMATCH, "Unacceptable service used" error_code NOT_SEEKABLE, "File descriptor not seekable" error_code TOO_BIG, "Offset too large" +error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding" index 64 prefix HEIM_PKINIT diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c index f555c724ed..25bef0f340 100644 --- a/source4/heimdal/lib/krb5/init_creds.c +++ b/source4/heimdal/lib/krb5/init_creds.c @@ -61,14 +61,14 @@ krb5_get_init_creds_opt_alloc(krb5_context context, *opt = NULL; o = calloc(1, sizeof(*o)); if (o == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } o->opt_private = calloc(1, sizeof(*o->opt_private)); if (o->opt_private == NULL) { - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); free(o); return ENOMEM; @@ -402,9 +402,9 @@ krb5_get_init_creds_opt_set_process_last_req(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) + KRB5_DEPRECATED_FUNCTION("Use X instead") { memset (opt, 0, sizeof(*opt)); } @@ -416,11 +416,11 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_opt_get_error(krb5_context context, krb5_get_init_creds_opt *opt, KRB_ERROR **error) + KRB5_DEPRECATED_FUNCTION("Use X instead") { *error = calloc(1, sizeof(**error)); if (*error == NULL) { diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 29b882d053..f2185628e5 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -71,7 +71,7 @@ typedef struct krb5_get_init_creds_ctx { KRB_ERROR error; AS_REP as_rep; EncKDCRepPart enc_part; - + krb5_prompter_fct prompter; void *prompter_data; @@ -313,14 +313,14 @@ process_last_request(krb5_context context, if (lr->val[i].lr_value <= t) { switch (abs(lr->val[i].lr_type)) { case LR_PW_EXPTIME : - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your password will expire at ", lr->val[i].lr_value); reported = TRUE; break; case LR_ACCT_EXPTIME : - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your account will expire at ", lr->val[i].lr_value); @@ -333,7 +333,7 @@ process_last_request(krb5_context context, if (!reported && ctx->enc_part.key_expiration && *ctx->enc_part.key_expiration <= t) { - report_expiration(context, ctx->prompter, + report_expiration(context, ctx->prompter, ctx->prompter_data, "Your password/account will expire at ", *ctx->enc_part.key_expiration); @@ -367,7 +367,7 @@ get_init_creds_common(krb5_context context, if (options->opt_private) { if (options->opt_private->password) { - ret = krb5_init_creds_set_password(context, ctx, + ret = krb5_init_creds_set_password(context, ctx, options->opt_private->password); if (ret) goto out; @@ -384,7 +384,7 @@ get_init_creds_common(krb5_context context, ctx->keyproc = default_s2k_func; /* Enterprise name implicitly turns on canonicalize */ - if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) || + if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) || krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL) ctx->flags.canonicalize = 1; @@ -671,7 +671,8 @@ init_as_req (krb5_context context, *a->req_body.rtime = creds->times.renew_till; } a->req_body.nonce = 0; - ret = krb5_init_etype (context, + ret = _krb5_init_etype(context, + KRB5_PDU_AS_REQUEST, &a->req_body.etype.len, &a->req_body.etype.val, etypes); @@ -759,7 +760,7 @@ pa_etype_info2(krb5_context context, krb5_error_code ret; ETYPE_INFO2 e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz); @@ -808,7 +809,7 @@ pa_etype_info(krb5_context context, krb5_error_code ret; ETYPE_INFO e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz); @@ -889,9 +890,9 @@ static struct pa_info pa_prefs[] = { }; static PA_DATA * -find_pa_data(const METHOD_DATA *md, int type) +find_pa_data(const METHOD_DATA *md, unsigned type) { - int i; + size_t i; if (md == NULL) return NULL; for (i = 0; i < md->len; i++) @@ -908,7 +909,7 @@ process_pa_info(krb5_context context, METHOD_DATA *md) { struct pa_info_data *p = NULL; - int i; + size_t i; for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) { PA_DATA *pa = find_pa_data(md, pa_prefs[i].type); @@ -928,7 +929,7 @@ make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md, PA_ENC_TS_ENC p; unsigned char *buf; size_t buf_size; - size_t len; + size_t len = 0; EncryptedData encdata; krb5_error_code ret; int32_t usec; @@ -989,7 +990,7 @@ add_enc_ts_padata(krb5_context context, krb5_error_code ret; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ @@ -1109,7 +1110,7 @@ pa_data_add_pac_request(krb5_context context, krb5_get_init_creds_ctx *ctx, METHOD_DATA *md) { - size_t len, length; + size_t len = 0, length; krb5_error_code ret; PA_PAC_REQUEST req; void *buf; @@ -1179,14 +1180,14 @@ process_pa_data_to_md(krb5_context context, _krb5_debug(context, 5, "krb5_get_init_creds: " "prepareing PKINIT padata (%s)", (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf"); - + if (ctx->used_pa_types & USED_PKINIT_W2K) { krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP, "Already tried pkinit, looping"); return KRB5_GET_IN_TKT_LOOP; } - ret = pa_data_to_md_pkinit(context, a, creds->client, + ret = pa_data_to_md_pkinit(context, a, creds->client, (ctx->used_pa_types & USED_PKINIT), ctx, *out_md); if (ret) @@ -1526,14 +1527,14 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_error_code ret; size_t netypes = 0; int kvno = 0; - + a = malloc(sizeof(*a)); if (a == NULL) { krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } - + a->principal = ctx->cred.client; a->keytab = keytab; @@ -1568,7 +1569,7 @@ krb5_init_creds_set_keytab(krb5_context context, kvno = entry.vno; } else if (entry.vno != kvno) goto next; - + /* check if enctype is supported */ if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0) goto next; @@ -1619,7 +1620,7 @@ krb5_init_creds_set_keyblock(krb5_context context, /** * The core loop if krb5_get_init_creds() function family. Create the - * packets and have the caller send them off to the KDC. + * packets and have the caller send them off to the KDC. * * If the caller want all work been done for them, use * krb5_init_creds_get() instead. @@ -1647,7 +1648,7 @@ krb5_init_creds_step(krb5_context context, unsigned int *flags) { krb5_error_code ret; - size_t len; + size_t len = 0; size_t size; krb5_data_zero(out); @@ -1768,13 +1769,13 @@ krb5_init_creds_step(krb5_context context, "options send by KDC", "")); } } else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) { - /* + /* * Try adapt to timeskrew when we are using pre-auth, and * if there was a time skew, try again. */ krb5_set_real_time(context, ctx->error.stime, -1); if (context->kdc_sec_offset) - ret = 0; + ret = 0; _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d", context->kdc_sec_offset); @@ -1793,7 +1794,7 @@ krb5_init_creds_step(krb5_context context, "krb5_get_init_creds: got referal to realm %s", *ctx->error.crealm); - ret = krb5_principal_set_realm(context, + ret = krb5_principal_set_realm(context, ctx->cred.client, *ctx->error.crealm); @@ -1934,7 +1935,7 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) if ((flags & 1) == 0) break; - ret = krb5_sendto_context (context, stctx, &out, + ret = krb5_sendto_context (context, stctx, &out, ctx->cred.client->realm, &in); if (ret) goto out; @@ -2013,7 +2014,7 @@ krb5_get_init_creds_password(krb5_context context, } ret = krb5_init_creds_get(context, ctx); - + if (ret == 0) process_last_request(context, options, ctx); diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c index 1fe15d8064..5a28b5138b 100644 --- a/source4/heimdal/lib/krb5/kcm.c +++ b/source4/heimdal/lib/krb5/kcm.c @@ -157,7 +157,7 @@ kcm_alloc(krb5_context context, const char *name, krb5_ccache *id) } } else k->name = NULL; - + (*id)->data.data = k; (*id)->data.length = sizeof(*k); @@ -554,7 +554,7 @@ kcm_get_first (krb5_context context, c = calloc(1, sizeof(*c)); if (c == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); return ret; } @@ -577,7 +577,7 @@ kcm_get_first (krb5_context context, if (ptr == NULL) { free(c->uuids); free(c); - krb5_set_error_message(context, ENOMEM, + krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } @@ -637,7 +637,7 @@ kcm_get_next (krb5_context context, return ret; } - sret = krb5_storage_write(request, + sret = krb5_storage_write(request, &c->uuids[c->offset], sizeof(c->uuids[c->offset])); c->offset++; @@ -789,7 +789,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) c = calloc(1, sizeof(*c)); if (c == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } @@ -820,7 +820,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1)); if (ptr == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } @@ -837,7 +837,7 @@ kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) if (ret && c) { free(c->uuids); free(c); - } else + } else *cursor = c; return ret; @@ -869,7 +869,7 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op if (ret) return ret; - sret = krb5_storage_write(request, + sret = krb5_storage_write(request, &c->uuids[c->offset], sizeof(c->uuids[c->offset])); c->offset++; @@ -956,14 +956,14 @@ kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to) } static krb5_error_code -kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops, +kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops, const char *defstr, char **str) { krb5_error_code ret; krb5_storage *request, *response; krb5_data response_data; char *name; - + *str = NULL; ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request); @@ -1039,7 +1039,7 @@ kcm_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset) krb5_kcmcache *k = KCMCACHE(id); krb5_error_code ret; krb5_storage *request; - + ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request); if (ret) return ret; @@ -1069,7 +1069,7 @@ kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset krb5_storage *request, *response; krb5_data response_data; int32_t offset; - + ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request); if (ret) return ret; @@ -1155,11 +1155,13 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = { kcm_move, kcm_get_default_name_api, kcm_set_default, - kcm_lastchange + kcm_lastchange, + NULL, + NULL }; -krb5_boolean +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL _krb5_kcm_is_running(krb5_context context) { krb5_error_code ret; @@ -1184,7 +1186,7 @@ _krb5_kcm_is_running(krb5_context context) * Response: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_noop(krb5_context context, krb5_ccache id) { @@ -1212,7 +1214,7 @@ _krb5_kcm_noop(krb5_context context, * Repsonse: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_get_initial_ticket(krb5_context context, krb5_ccache id, krb5_principal server, @@ -1269,7 +1271,7 @@ _krb5_kcm_get_initial_ticket(krb5_context context, * Repsonse: * */ -krb5_error_code +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_kcm_get_ticket(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c index f34a5c4f90..9ba9c4b290 100644 --- a/source4/heimdal/lib/krb5/keyblock.c +++ b/source4/heimdal/lib/krb5/keyblock.c @@ -131,7 +131,7 @@ krb5_copy_keyblock (krb5_context context, { krb5_error_code ret; krb5_keyblock *k; - + *to = NULL; k = calloc (1, sizeof(*k)); diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c index 96c0bce273..8ca515f213 100644 --- a/source4/heimdal/lib/krb5/keytab.c +++ b/source4/heimdal/lib/krb5/keytab.c @@ -50,7 +50,7 @@ * * A keytab name is on the form type:residual. The residual part is * specific to each keytab-type. - * + * * When a keytab-name is resolved, the type is matched with an internal * list of keytab types. If there is no matching keytab type, * the default keytab is used. The current default type is FILE. @@ -60,7 +60,7 @@ * [defaults]default_keytab_name. * * The keytab types that are implemented in Heimdal are: - * - file + * - file * store the keytab in a file, the type's name is FILE . The * residual part is a filename. For compatibility with other * Kerberos implemtation WRFILE and JAVA14 is also accepted. WRFILE @@ -166,29 +166,27 @@ krb5_kt_register(krb5_context context, } static const char * -keytab_name(const char * name, const char ** ptype, size_t * ptype_len) +keytab_name(const char *name, const char **type, size_t *type_len) { - const char * residual; + const char *residual; residual = strchr(name, ':'); - if (residual == NULL - + if (residual == NULL || + name[0] == '/' #ifdef _WIN32 - /* Avoid treating <drive>:<path> as a keytab type * specification */ - || name + 1 == residual #endif ) { - *ptype = "FILE"; - *ptype_len = strlen(*ptype); + *type = "FILE"; + *type_len = strlen(*type); residual = name; } else { - *ptype = name; - *ptype_len = residual - name; + *type = name; + *type_len = residual - name; residual++; } @@ -439,7 +437,7 @@ krb5_kt_get_full_name(krb5_context context, char type[KRB5_KT_PREFIX_MAX_LEN]; char name[MAXPATHLEN]; krb5_error_code ret; - + *str = NULL; ret = krb5_kt_get_type(context, keytab, type, sizeof(type)); @@ -568,16 +566,16 @@ _krb5_kt_principal_not_found(krb5_context context, { char princ[256], kvno_str[25], *kt_name; char *enctype_str = NULL; - + krb5_unparse_name_fixed (context, principal, princ, sizeof(princ)); krb5_kt_get_full_name (context, id, &kt_name); krb5_enctype_to_string(context, enctype, &enctype_str); - + if (kvno) snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno); else kvno_str[0] = '\0'; - + krb5_set_error_message (context, ret, N_("Failed to find %s%s in keytab %s (%s)", "principal, kvno, keytab file, enctype"), @@ -850,3 +848,46 @@ krb5_kt_remove_entry(krb5_context context, } return (*id->remove)(context, id, entry); } + +/** + * Return true if the keytab exists and have entries + * + * @param context a Keberos context. + * @param id a keytab. + * + * @return Return an error code or 0, see krb5_get_error_message(). + * + * @ingroup krb5_keytab + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_kt_have_content(krb5_context context, + krb5_keytab id) +{ + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + krb5_error_code ret; + char *name; + + ret = krb5_kt_start_seq_get(context, id, &cursor); + if (ret) + goto notfound; + + ret = krb5_kt_next_entry(context, id, &entry, &cursor); + krb5_kt_end_seq_get(context, id, &cursor); + if (ret) + goto notfound; + + krb5_kt_free_entry(context, &entry); + + return 0; + + notfound: + ret = krb5_kt_get_full_name(context, id, &name); + if (ret == 0) { + krb5_set_error_message(context, KRB5_KT_NOTFOUND, + N_("No entry in keytab: %s", ""), name); + free(name); + } + return KRB5_KT_NOTFOUND; +} diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c index 2b9ea7f11d..ccaf62fcb4 100644 --- a/source4/heimdal/lib/krb5/keytab_file.c +++ b/source4/heimdal/lib/krb5/keytab_file.c @@ -101,7 +101,7 @@ krb5_kt_store_data(krb5_context context, if(ret < 0) return ret; ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ + if(ret != (int)data.length){ if(ret < 0) return errno; return KRB5_KT_END; @@ -119,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp, if(ret < 0) return ret; ret = krb5_storage_write(sp, data, len); - if(ret != len){ + if(ret != (int)len){ if(ret < 0) return errno; return KRB5_KT_END; @@ -182,7 +182,7 @@ krb5_kt_ret_principal(krb5_context context, krb5_storage *sp, krb5_principal *princ) { - int i; + size_t i; int ret; krb5_principal p; int16_t len; @@ -262,7 +262,7 @@ krb5_kt_store_principal(krb5_context context, krb5_storage *sp, krb5_principal p) { - int i; + size_t i; int ret; if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) @@ -536,7 +536,7 @@ fkt_setup_keytab(krb5_context context, id->version = KRB5_KT_VNO; return krb5_store_int8 (sp, id->version); } - + static krb5_error_code KRB5_CALLCONV fkt_add_entry(krb5_context context, krb5_keytab id, @@ -699,7 +699,7 @@ fkt_add_entry(krb5_context context, } if(len < 0) { len = -len; - if(len >= keytab.length) { + if(len >= (int)keytab.length) { krb5_storage_seek(sp, -4, SEEK_CUR); break; } @@ -749,8 +749,9 @@ fkt_remove_entry(krb5_context context, krb5_store_int32(cursor.sp, -len); memset(buf, 0, sizeof(buf)); while(len > 0) { - krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf))); - len -= min(len, sizeof(buf)); + krb5_storage_write(cursor.sp, buf, + min((size_t)len, sizeof(buf))); + len -= min((size_t)len, sizeof(buf)); } } krb5_kt_free_entry(context, &e); diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c index 28bbaeee8c..ea74c32780 100644 --- a/source4/heimdal/lib/krb5/keytab_keyfile.c +++ b/source4/heimdal/lib/krb5/keytab_keyfile.c @@ -348,7 +348,7 @@ akf_add_entry(krb5_context context, strerror(ret)); return ret; } - + ret = krb5_ret_int32(sp, &len); if(ret) { krb5_storage_free(sp); @@ -387,7 +387,7 @@ akf_add_entry(krb5_context context, } len++; - + if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) { ret = errno; krb5_set_error_message (context, ret, @@ -395,7 +395,7 @@ akf_add_entry(krb5_context context, strerror(ret)); goto out; } - + ret = krb5_store_int32(sp, len); if(ret) { ret = errno; @@ -410,7 +410,7 @@ akf_add_entry(krb5_context context, N_("seek to end: %s", ""), strerror(ret)); goto out; } - + ret = krb5_store_int32(sp, entry->vno); if(ret) { krb5_set_error_message(context, ret, diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 8d671e3d36..2224b92e95 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -53,16 +53,6 @@ #define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED #endif -#ifndef KRB5_DEPRECATED -#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) -#define KRB5_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) && (_MSC_VER>1200) -#define KRB5_DEPRECATED __declspec(deprecated) -#else -#define KRB5_DEPRECATED -#endif -#endif - #ifdef _WIN32 #define KRB5_CALLCONV __stdcall #else @@ -128,28 +118,69 @@ typedef struct krb5_enc_data { /* alternative names */ enum { - ENCTYPE_NULL = ETYPE_NULL, - ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5, - ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1, - ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE, - ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, - ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, - ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, - ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, - ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, - ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, - ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, - ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE, - ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE, - ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE, - ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE + ENCTYPE_NULL = KRB5_ENCTYPE_NULL, + ENCTYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5, + ENCTYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1, + ENCTYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE, + ENCTYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV, + ENCTYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB, + ENCTYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ENCTYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ENCTYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56, + ENCTYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS, + ENCTYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE, + ENCTYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE, + ENCTYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE, + ENCTYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE, + ETYPE_NULL = KRB5_ENCTYPE_NULL, + ETYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC, + ETYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4, + ETYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5, + ETYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5, + ETYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1, + ETYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE, + ETYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV, + ETYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB, + ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1, + ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, + ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56, + ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS, + ETYPE_ARCFOUR_MD4 = KRB5_ENCTYPE_ARCFOUR_MD4, + ETYPE_ARCFOUR_HMAC_OLD = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD, + ETYPE_ARCFOUR_HMAC_OLD_EXP = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP, + ETYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE, + ETYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE, + ETYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE, + ETYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE, + ETYPE_DIGEST_MD5_NONE = KRB5_ENCTYPE_DIGEST_MD5_NONE, + ETYPE_CRAM_MD5_NONE = KRB5_ENCTYPE_CRAM_MD5_NONE + }; +/* PDU types */ +typedef enum krb5_pdu { + KRB5_PDU_ERROR = 0, + KRB5_PDU_TICKET = 1, + KRB5_PDU_AS_REQUEST = 2, + KRB5_PDU_AS_REPLY = 3, + KRB5_PDU_TGS_REQUEST = 4, + KRB5_PDU_TGS_REPLY = 5, + KRB5_PDU_AP_REQUEST = 6, + KRB5_PDU_AP_REPLY = 7, + KRB5_PDU_KRB_SAFE = 8, + KRB5_PDU_KRB_PRIV = 9, + KRB5_PDU_KRB_CRED = 10, + KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */ +} krb5_pdu; + typedef PADATA_TYPE krb5_preauthtype; typedef enum krb5_key_usage { diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index bdd725e9ea..d0c68927ff 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -188,6 +188,12 @@ struct _krb5_krb_auth_data; #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) +#ifndef __func__ +#define __func__ "unknown-function" +#endif + +#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum)) + #ifndef PATH_SEP #define PATH_SEP ":" #endif @@ -240,9 +246,14 @@ struct _krb5_get_init_creds_opt_private { } lr; }; +typedef uint32_t krb5_enctype_set; + typedef struct krb5_context_data { krb5_enctype *etypes; - krb5_enctype *etypes_des; + krb5_enctype *etypes_des;/* deprecated */ + krb5_enctype *as_etypes; + krb5_enctype *tgs_etypes; + krb5_enctype *permitted_enctypes; char **default_realms; time_t max_skew; time_t kdc_timeout; diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c index 7d11157848..3242cdb999 100644 --- a/source4/heimdal/lib/krb5/krbhst.c +++ b/source4/heimdal/lib/krb5/krbhst.c @@ -123,7 +123,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, (*res)[num_srv++] = hi; hi->proto = proto_num; - + hi->def_port = def_port; if (port != 0) hi->port = port; @@ -134,7 +134,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, } *count = num_srv; - + rk_dns_free_data(r); return 0; } @@ -508,7 +508,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, ret = asprintf(&host, "%s.%s.", serv_string, kd->realm); else ret = asprintf(&host, "%s-%d.%s.", - serv_string, kd->fallback_count, kd->realm); + serv_string, kd->fallback_count, kd->realm); if (ret < 0 || host == NULL) return ENOMEM; @@ -605,7 +605,7 @@ plugin_get_hosts(krb5_context context, service = _krb5_plugin_get_symbol(e); if (service->minor_version != 0) continue; - + (*service->init)(context, &ctx); ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd); (*service->fini)(ctx); diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c index ca0756fdb9..4b289afd80 100644 --- a/source4/heimdal/lib/krb5/log.c +++ b/source4/heimdal/lib/krb5/log.c @@ -501,7 +501,7 @@ _krb5_debug(krb5_context context, if (context == NULL || context->debug_dest == NULL) return; - + va_start(ap, fmt); krb5_vlog(context, context->debug_dest, level, fmt, ap); va_end(ap); diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c index 19e6b2345e..e4b90c17e7 100644 --- a/source4/heimdal/lib/krb5/mcache.c +++ b/source4/heimdal/lib/krb5/mcache.c @@ -220,7 +220,7 @@ mcc_destroy(krb5_context context, l = m->creds; while (l != NULL) { struct link *old; - + krb5_free_cred_contents (context, &l->cred); old = l; l = l->next; @@ -347,7 +347,7 @@ mcc_set_flags(krb5_context context, { return 0; /* XXX */ } - + struct mcache_iter { krb5_mcache *cache; }; diff --git a/source4/heimdal/lib/krb5/misc.c b/source4/heimdal/lib/krb5/misc.c index f90624cfca..ac6720c4e9 100644 --- a/source4/heimdal/lib/krb5/misc.c +++ b/source4/heimdal/lib/krb5/misc.c @@ -32,6 +32,9 @@ */ #include "krb5_locl.h" +#ifdef HAVE_EXECINFO_H +#include <execinfo.h> +#endif KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_s4u2self_to_checksumdata(krb5_context context, @@ -42,7 +45,7 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, krb5_ssize_t ssize; krb5_storage *sp; size_t size; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { @@ -56,20 +59,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, for (i = 0; i < self->name.name_string.len; i++) { size = strlen(self->name.name_string.val[i]); ssize = krb5_storage_write(sp, self->name.name_string.val[i], size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } } size = strlen(self->realm); ssize = krb5_storage_write(sp, self->realm, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } size = strlen(self->auth); ssize = krb5_storage_write(sp, self->auth, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } @@ -89,3 +92,37 @@ krb5_enomem(krb5_context context) krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; } + +void +_krb5_debug_backtrace(krb5_context context) +{ +#if defined(HAVE_BACKTRACE) && !defined(HEIMDAL_SMALLER) + void *stack[128]; + char **strs = NULL; + int i, frames = backtrace(stack, sizeof(stack) / sizeof(stack[0])); + if (frames > 0) + strs = backtrace_symbols(stack, frames); + if (strs) { + for (i = 0; i < frames; i++) + _krb5_debug(context, 10, "frame %d: %s", i, strs[i]); + free(strs); + } +#endif +} + +krb5_error_code +_krb5_einval(krb5_context context, const char *func, unsigned long argn) +{ +#ifndef HEIMDAL_SMALLER + krb5_set_error_message(context, EINVAL, + N_("programmer error: invalid argument to %s argument %lu", + "function:line"), + func, argn); + if (_krb5_have_debug(context, 10)) { + _krb5_debug(context, 10, "invalid argument to function %s argument %lu", + func, argn); + _krb5_debug_backtrace(context); + } +#endif + return EINVAL; +} diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c index 93489b607b..803a5bf289 100644 --- a/source4/heimdal/lib/krb5/mit_glue.c +++ b/source4/heimdal/lib/krb5/mit_glue.c @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -#define KRB5_DEPRECATED - #include "krb5_locl.h" #ifndef HEIMDAL_SMALLER @@ -226,7 +224,7 @@ krb5_c_decrypt(krb5_context context, krb5_crypto_destroy(context, crypto); return ret; } - + if (blocksize > ivec->length) { krb5_crypto_destroy(context, crypto); return KRB5_BAD_MSIZE; @@ -316,12 +314,12 @@ krb5_c_encrypt_length(krb5_context context, * @ingroup krb5_deprecated */ -KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean *similar) + KRB5_DEPRECATED_FUNCTION("Use X instead") { *similar = (e1 == e2); return 0; diff --git a/source4/heimdal/lib/krb5/mk_error.c b/source4/heimdal/lib/krb5/mk_error.c index a837b5e290..5fee1d6bed 100644 --- a/source4/heimdal/lib/krb5/mk_error.c +++ b/source4/heimdal/lib/krb5/mk_error.c @@ -48,7 +48,7 @@ krb5_mk_error(krb5_context context, KRB_ERROR msg; krb5_timestamp sec; int32_t usec; - size_t len; + size_t len = 0; krb5_error_code ret = 0; krb5_us_timeofday (context, &sec, &usec); @@ -75,7 +75,8 @@ krb5_mk_error(krb5_context context, msg.realm = server->realm; msg.sname = server->name; }else{ - msg.realm = "<unspecified realm>"; + static char unspec[] = "<unspecified realm>"; + msg.realm = unspec; } if(client){ msg.crealm = &client->realm; diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c index 833821341d..dede6d2fa4 100644 --- a/source4/heimdal/lib/krb5/mk_priv.c +++ b/source4/heimdal/lib/krb5/mk_priv.c @@ -45,7 +45,7 @@ krb5_mk_priv(krb5_context context, EncKrbPrivPart part; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_crypto crypto; krb5_keyblock *key; krb5_replay_data rdata; diff --git a/source4/heimdal/lib/krb5/mk_rep.c b/source4/heimdal/lib/krb5/mk_rep.c index 2b9c3fbdbb..84c315291c 100644 --- a/source4/heimdal/lib/krb5/mk_rep.c +++ b/source4/heimdal/lib/krb5/mk_rep.c @@ -43,7 +43,7 @@ krb5_mk_rep(krb5_context context, EncAPRepPart body; u_char *buf = NULL; size_t buf_size; - size_t len; + size_t len = 0; krb5_crypto crypto; ap.pvno = 5; diff --git a/source4/heimdal/lib/krb5/n-fold.c b/source4/heimdal/lib/krb5/n-fold.c index f94a1ea125..2e6092c5ca 100644 --- a/source4/heimdal/lib/krb5/n-fold.c +++ b/source4/heimdal/lib/krb5/n-fold.c @@ -64,7 +64,7 @@ rr13(unsigned char *buf, size_t len) /* byte offset and shift count */ b1 = bb / 8; s1 = bb % 8; - + if(bb + 8 > bytes * 8) /* watch for wraparound */ s2 = (len + 8 - s1) % 8; diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c index 046a89cc6a..f4caaddc26 100644 --- a/source4/heimdal/lib/krb5/pac.c +++ b/source4/heimdal/lib/krb5/pac.c @@ -106,7 +106,7 @@ HMAC_MD5_any_checksum(krb5_context context, ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result); if (ret) krb5_data_free(&result->checksum); - + krb5_free_keyblock(context, local_key.key); return ret; } @@ -464,7 +464,7 @@ verify_checksum(krb5_context context, goto out; } ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length); - if (ret != cksum.checksum.length) { + if (ret != (int)cksum.checksum.length) { ret = EINVAL; krb5_set_error_message(context, ret, "PAC checksum missing checksum"); goto out; @@ -546,7 +546,7 @@ create_checksum(krb5_context context, * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx * for Microsoft's explaination */ - if (cksumtype == CKSUMTYPE_HMAC_MD5) { + if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) { ret = HMAC_MD5_any_checksum(context, key, data, datalen, KRB5_KU_OTHER_CKSUM, &cksum); } else { @@ -748,7 +748,7 @@ build_logon_name(krb5_context context, ret = krb5_storage_write(sp, s2, len * 2); free(s2); - if (ret != len * 2) { + if (ret != (int)(len * 2)) { ret = krb5_enomem(context); goto out; } @@ -932,7 +932,8 @@ _krb5_pac_sign(krb5_context context, size_t server_size, priv_size; uint32_t server_offset = 0, priv_offset = 0; uint32_t server_cksumtype = 0, priv_cksumtype = 0; - int i, num = 0; + int num = 0; + size_t i; krb5_data logon, d; krb5_data_zero(&logon); @@ -1049,7 +1050,7 @@ _krb5_pac_sign(krb5_context context, end += len; e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT; - if (end != e) { + if ((int32_t)end != e) { CHECK(ret, fill_zeros(context, spdata, e - end), out); } end = e; @@ -1066,7 +1067,7 @@ _krb5_pac_sign(krb5_context context, goto out; } ret = krb5_storage_write(sp, d.data, d.length); - if (ret != d.length) { + if (ret != (int)d.length) { krb5_data_free(&d); ret = krb5_enomem(context); goto out; diff --git a/source4/heimdal/lib/krb5/padata.c b/source4/heimdal/lib/krb5/padata.c index 98420a7332..babe22cb38 100644 --- a/source4/heimdal/lib/krb5/padata.c +++ b/source4/heimdal/lib/krb5/padata.c @@ -36,8 +36,8 @@ KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx) { - for(; *idx < len; (*idx)++) - if(val[*idx].padata_type == type) + for(; *idx < (int)len; (*idx)++) + if(val[*idx].padata_type == (unsigned)type) return val + *idx; return NULL; } diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 7a8502727e..1103a17807 100644 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, { "MS EKU" }, { "any (or no)" } }; - int i, ret, start = 1; + int ret = HX509_CERT_NOT_FOUND; + size_t i, start = 1; unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 }; const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids }; @@ -298,8 +299,8 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) { IssuerAndSerialNumber iasn; hx509_name issuer; - size_t size; - + size_t size = 0; + memset(&iasn, 0, sizeof(iasn)); ret = hx509_cert_get_issuer(c, &issuer); @@ -314,7 +315,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) free_ExternalPrincipalIdentifier(&id); return ret; } - + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); if (ret) { free_IssuerAndSerialNumber(&iasn); @@ -364,7 +365,7 @@ build_auth_pack(krb5_context context, const KDC_REQ_BODY *body, AuthPack *a) { - size_t buf_size, len; + size_t buf_size, len = 0; krb5_error_code ret; void *buf; krb5_timestamp sec; @@ -413,7 +414,7 @@ build_auth_pack(krb5_context context, const char *moduli_file; unsigned long dh_min_bits; krb5_data dhbuf; - size_t size; + size_t size = 0; krb5_data_zero(&dhbuf); @@ -433,7 +434,7 @@ build_auth_pack(krb5_context context, ret = _krb5_parse_moduli(context, moduli_file, &ctx->m); if (ret) return ret; - + ctx->u.dh = DH_new(); if (ctx->u.dh == NULL) { krb5_set_error_message(context, ENOMEM, @@ -483,9 +484,9 @@ build_auth_pack(krb5_context context, &a->clientPublicValue->algorithm.algorithm); if (ret) return ret; - + memset(&dp, 0, sizeof(dp)); - + ret = BN_to_integer(context, dh->p, &dp.p); if (ret) { free_DomainParameters(&dp); @@ -503,14 +504,14 @@ build_auth_pack(krb5_context context, } dp.j = NULL; dp.validationParms = NULL; - + a->clientPublicValue->algorithm.parameters = malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); if (a->clientPublicValue->algorithm.parameters == NULL) { free_DomainParameters(&dp); return ret; } - + ASN1_MALLOC_ENCODE(DomainParameters, a->clientPublicValue->algorithm.parameters->data, a->clientPublicValue->algorithm.parameters->length, @@ -520,11 +521,11 @@ build_auth_pack(krb5_context context, return ret; if (size != a->clientPublicValue->algorithm.parameters->length) krb5_abortx(context, "Internal ASN1 encoder error"); - + ret = BN_to_integer(context, dh->pub_key, &dh_pub_key); if (ret) return ret; - + ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, &dh_pub_key, &size, ret); der_free_heim_integer(&dh_pub_key); @@ -536,7 +537,7 @@ build_auth_pack(krb5_context context, #ifdef HAVE_OPENSSL ECParameters ecp; unsigned char *p; - int len; + int xlen; /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */ @@ -551,13 +552,13 @@ build_auth_pack(krb5_context context, free_ECParameters(&ecp); return ENOMEM; } - ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret); + ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret); free_ECParameters(&ecp); if (ret) return ret; - if (size != len) + if ((int)size != xlen) krb5_abortx(context, "asn1 internal error"); - + a->clientPublicValue->algorithm.parameters->data = p; a->clientPublicValue->algorithm.parameters->length = size; @@ -578,18 +579,18 @@ build_auth_pack(krb5_context context, /* encode onto dhkey */ - len = i2o_ECPublicKey(ctx->u.eckey, NULL); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, NULL); + if (xlen <= 0) abort(); - dhbuf.data = malloc(len); + dhbuf.data = malloc(xlen); if (dhbuf.data == NULL) abort(); - dhbuf.length = len; + dhbuf.length = xlen; p = dhbuf.data; - len = i2o_ECPublicKey(ctx->u.eckey, &p); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, &p); + if (xlen <= 0) abort(); /* XXX verify that this is right with RFC3279 */ @@ -601,13 +602,14 @@ build_auth_pack(krb5_context context, a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8; a->clientPublicValue->subjectPublicKey.data = dhbuf.data; } - + { a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes)); if (a->supportedCMSTypes == NULL) return ENOMEM; - ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL, + ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, + ctx->id->cert, &a->supportedCMSTypes->val, &a->supportedCMSTypes->len); if (ret) @@ -648,10 +650,10 @@ pk_mk_padata(krb5_context context, { struct ContentInfo content_info; krb5_error_code ret; - const heim_oid *oid; - size_t size; + const heim_oid *oid = NULL; + size_t size = 0; krb5_data buf, sd_buf; - int pa_type; + int pa_type = -1; krb5_data_zero(&buf); krb5_data_zero(&sd_buf); @@ -698,7 +700,7 @@ pk_mk_padata(krb5_context context, oid = &asn1_oid_id_pkcs7_data; } else if (ctx->type == PKINIT_27) { AuthPack ap; - + memset(&ap, 0, sizeof(ap)); ret = build_auth_pack(context, nonce, ctx, req_body, &ap); @@ -755,7 +757,7 @@ pk_mk_padata(krb5_context context, pa_type = KRB5_PADATA_PK_AS_REQ; memset(&req, 0, sizeof(req)); - req.signedAuthPack = buf; + req.signedAuthPack = buf; if (ctx->trustedCertifiers) { @@ -926,7 +928,7 @@ pk_verify_sign(krb5_context context, ret = ENOMEM; goto out; } - + ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert); if (ret) { pk_copy_error(context, context->hx509ctx, ret, @@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context, return ret; } - if (key_pack.nonce != nonce) { + if ((unsigned)key_pack.nonce != nonce) { krb5_set_error_message(context, ret, N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); @@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context, } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - int i; + size_t i; ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, host->cert, @@ -1203,9 +1205,9 @@ pk_rd_pa_reply_enckey(krb5_context context, size_t ph = 1 + der_length_len(content.length); unsigned char *ptr = malloc(content.length + ph); size_t l; - + memcpy(ptr + ph, content.data, content.length); - + ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length, ASN1_C_UNIV, CONS, UT_Sequence, &l); if (ret) @@ -1424,7 +1426,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } - + dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh); if (dh_gen_keylen == -1) { ret = KRB5KRB_ERR_GENERIC; @@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context, N_("PKINIT: Can't compute Diffie-Hellman key", "")); goto out; } - if (dh_gen_keylen < size) { + if (dh_gen_keylen < (int)size) { size -= dh_gen_keylen; memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); memset(dh_gen_key, 0, size); @@ -1488,7 +1490,7 @@ pk_rd_pa_reply_dh(krb5_context context, ret = EINVAL; #endif } - + if (dh_gen_keylen <= 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1555,7 +1557,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP rep; heim_octet_string os, data; heim_oid oid; - + if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { krb5_set_error_message(context, EINVAL, N_("PKINIT: wrong padata recv", "")); @@ -1585,7 +1587,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP_BTMM btmm; free_PA_PK_AS_REP(&rep); memset(&rep, 0, sizeof(rep)); - + _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key"); ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data, @@ -1661,7 +1663,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, #endif memset(&w2krep, 0, sizeof(w2krep)); - + ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, pa->padata_value.length, &w2krep, @@ -1674,12 +1676,12 @@ _krb5_pk_rd_pa_reply(krb5_context context, } krb5_clear_error_message(context); - + switch (w2krep.element) { case choice_PA_PK_AS_REP_Win2k_encKeyPack: { heim_octet_string data; heim_oid oid; - + ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, &oid, &data, NULL); free_PA_PK_AS_REP_Win2k(&w2krep); @@ -1744,7 +1746,7 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) default: prompt.type = KRB5_PROMPT_TYPE_PASSWORD; break; - } + } ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { @@ -1780,10 +1782,10 @@ _krb5_pk_set_user_id(krb5_context context, "Allocate query to find signing certificate"); return ret; } - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - + if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) { ctx->id->flags |= PKINIT_BTMM; } @@ -1799,7 +1801,7 @@ _krb5_pk_set_user_id(krb5_context context, ret = hx509_cert_get_subject(ctx->id->cert, &name); if (ret) goto out; - + ret = hx509_name_to_string(name, &str); hx509_name_free(&name); if (ret) @@ -1857,7 +1859,7 @@ _krb5_pk_load_id(krb5_context context, krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; - } + } if (user_id) { hx509_lock lock; @@ -1867,15 +1869,15 @@ _krb5_pk_load_id(krb5_context context, pk_copy_error(context, context->hx509ctx, ret, "Failed init lock"); goto out; } - + if (password && password[0]) hx509_lock_add_password(lock, password); - + if (prompter) { p.context = context; p.prompter = prompter; p.prompter_data = prompter_data; - + ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p); if (ret) { hx509_lock_free(lock); @@ -2083,7 +2085,7 @@ _krb5_parse_moduli_line(krb5_context context, "bits on line %d", ""), file, lineno); goto out; } - + ret = parse_integer(context, &p, file, lineno, "p", &m1->p); if (ret) goto out; @@ -2249,7 +2251,7 @@ _krb5_parse_moduli(krb5_context context, const char *file, return ENOMEM; } m = m2; - + m[n] = NULL; ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element); @@ -2321,7 +2323,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) break; case USE_RSA: break; - case USE_ECDH: + case USE_ECDH: #ifdef HAVE_OPENSSL if (ctx->u.eckey) EC_KEY_free(ctx->u.eckey); @@ -2457,7 +2459,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_set_error_message(context, EINVAL, N_("No anonymous pkinit support in RSA mode", "")); return EINVAL; - } + } } return 0; @@ -2484,7 +2486,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context, N_("PKINIT: on pkinit context", "")); return EINVAL; } - + _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs); return 0; @@ -2517,7 +2519,7 @@ get_ms_san(hx509_context context, hx509_cert cert, char **upn) upn, NULL); else ret = 1; - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); return ret; } @@ -2552,14 +2554,14 @@ krb5_pk_enterprise_cert(krb5_context context, #ifdef PKINIT krb5_error_code ret; hx509_certs certs, result; - hx509_cert cert; + hx509_cert cert = NULL; hx509_query *q; char *name; *principal = NULL; if (res) *res = NULL; - + if (user_id == NULL) { krb5_set_error_message(context, ENOENT, "no user id"); return ENOENT; @@ -2592,7 +2594,7 @@ krb5_pk_enterprise_cert(krb5_context context, "Failed to find PKINIT certificate"); return ret; } - + ret = hx509_get_one_cert(context->hx509ctx, result, &cert); hx509_certs_free(&result); if (ret) { @@ -2617,11 +2619,9 @@ krb5_pk_enterprise_cert(krb5_context context, if (res) { ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res); - if (ret) { - hx509_cert_free(cert); + if (ret) goto out; - } - + ret = hx509_certs_add(context->hx509ctx, *res, cert); if (ret) { hx509_certs_free(res); diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c index ea47e13a7b..9303b6c615 100644 --- a/source4/heimdal/lib/krb5/plugin.c +++ b/source4/heimdal/lib/krb5/plugin.c @@ -63,7 +63,7 @@ static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER; static struct plugin *registered = NULL; static int plugins_needs_scan = 1; -static const char *sysplugin_dirs[] = { +static const char *sysplugin_dirs[] = { LIBDIR "/plugin/krb5", #ifdef __APPLE__ "/System/Library/KerberosPlugins/KerberosFrameworkPlugins", @@ -196,9 +196,9 @@ is_valid_plugin_filename(const char * n) return !stricmp(ext, ".dll"); } -#endif - +#else return 1; +#endif } static void @@ -305,7 +305,7 @@ static krb5_error_code add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol) { struct krb5_plugin *e; - + e = calloc(1, sizeof(*e)); if (e == NULL) { krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); @@ -329,7 +329,7 @@ _krb5_plugin_find(krb5_context context, *list = NULL; HEIMDAL_MUTEX_lock(&plugin_mutex); - + load_plugins(context); for (ret = 0, e = registered; e != NULL; e = e->next) { @@ -379,7 +379,7 @@ _krb5_plugin_free(struct krb5_plugin *list) /* * module - dict of { * ModuleName = [ - * plugin = object{ + * plugin = object{ * array = { ptr, ctx } * } * ] @@ -556,7 +556,7 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value) return; pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free); - + cpm = pl->dataptr = dlsym(p->dsohandle, s->name); if (cpm) { int ret; @@ -569,10 +569,10 @@ search_modules(void *ctx, heim_object_t key, heim_object_t value) } else { cpm = pl->dataptr; } - + if (cpm && cpm->version >= s->min_version) heim_array_append_value(s->result, pl); - + heim_release(pl); } @@ -619,11 +619,11 @@ _krb5_plugin_run_f(krb5_context context, s.userctx = userctx; heim_dict_iterate_f(dict, search_modules, &s); - + heim_release(dict); - + HEIMDAL_MUTEX_unlock(&plugin_mutex); - + s.ret = KRB5_PLUGIN_NO_HANDLE; heim_array_iterate_f(s.result, eval_results, &s); diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c index 42169fc2f9..a10d2d0798 100644 --- a/source4/heimdal/lib/krb5/principal.c +++ b/source4/heimdal/lib/krb5/principal.c @@ -140,7 +140,7 @@ krb5_principal_get_realm(krb5_context context, krb5_const_principal principal) { return princ_realm(principal); -} +} KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_principal_get_comp_string(krb5_context context, @@ -426,7 +426,7 @@ unparse_name_fixed(krb5_context context, int flags) { size_t idx = 0; - int i; + size_t i; int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0; int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0; int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0; @@ -549,7 +549,7 @@ unparse_name(krb5_context context, int flags) { size_t len = 0, plen; - int i; + size_t i; krb5_error_code ret; /* count length */ if (princ_realm(principal)) { @@ -917,7 +917,7 @@ krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { - int i; + size_t i; if(princ_num_comp(princ1) != princ_num_comp(princ2)) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -932,7 +932,7 @@ _krb5_principal_compare_PrincipalName(krb5_context context, krb5_const_principal princ1, PrincipalName *princ2) { - int i; + size_t i; if (princ_num_comp(princ1) != princ2->name_string.len) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -1001,7 +1001,7 @@ krb5_principal_match(krb5_context context, krb5_const_principal princ, krb5_const_principal pattern) { - int i; + size_t i; if(princ_num_comp(princ) != princ_num_comp(pattern)) return FALSE; if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0) @@ -1028,7 +1028,7 @@ krb5_principal_match(krb5_context context, * * @ingroup krb5_principal */ - + KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_sname_to_principal (krb5_context context, const char *hostname, @@ -1039,7 +1039,7 @@ krb5_sname_to_principal (krb5_context context, krb5_error_code ret; char localhost[MAXHOSTNAMELEN]; char **realms, *host = NULL; - + if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) { krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE, N_("unsupported name type %d", ""), @@ -1053,7 +1053,7 @@ krb5_sname_to_principal (krb5_context context, krb5_set_error_message(context, ret, N_("Failed to get local hostname", "")); return ret; - } + } localhost[sizeof(localhost) - 1] = '\0'; hostname = localhost; } @@ -1096,7 +1096,7 @@ static const struct { { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID }, { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL }, { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID }, - { NULL } + { NULL, 0 } }; /** diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 094f748b9f..c08547112b 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -65,9 +65,10 @@ krb5_rd_cred(krb5_context context, EncKrbCredPart enc_krb_cred_part; krb5_data enc_krb_cred_part_data; krb5_crypto crypto; - int i; + size_t i; memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); + krb5_data_zero(&enc_krb_cred_part_data); if ((auth_context->flags & (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && @@ -118,7 +119,7 @@ krb5_rd_cred(krb5_context context, KRB5_KU_KRB_CRED, &cred.enc_part, &enc_krb_cred_part_data); - + krb5_crypto_destroy(context, crypto); } @@ -134,13 +135,13 @@ krb5_rd_cred(krb5_context context, if (ret) goto out; - + ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_KRB_CRED, &cred.enc_part, &enc_krb_cred_part_data); - + krb5_crypto_destroy(context, crypto); } if (ret) @@ -195,7 +196,7 @@ krb5_rd_cred(krb5_context context, auth_context->local_port); if (ret) goto out; - + ret = compare_addrs(context, a, enc_krb_cred_part.r_address, N_("receiver address is wrong " "in received creds", "")); @@ -299,9 +300,9 @@ krb5_rd_cred(krb5_context context, krb5_copy_addresses (context, kci->caddr, &creds->addresses); - + (*ret_creds)[i] = creds; - + } (*ret_creds)[i] = NULL; diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c index f8963a53b2..391d81c191 100644 --- a/source4/heimdal/lib/krb5/rd_rep.c +++ b/source4/heimdal/lib/krb5/rd_rep.c @@ -65,7 +65,7 @@ krb5_rd_rep(krb5_context context, if (ret) goto out; ret = krb5_decrypt_EncryptedData (context, - crypto, + crypto, KRB5_KU_AP_REQ_ENC_PART, &ap_rep.enc_part, &data); diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 25aa8674c7..21daeb596b 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -59,7 +59,7 @@ decrypt_tkt_enc_part (krb5_context context, ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encrypted " "ticket part", "")); krb5_data_free (&plain); @@ -135,9 +135,9 @@ static krb5_error_code check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) { char **realms; - unsigned int num_realms; + unsigned int num_realms, n; krb5_error_code ret; - + /* * Windows 2000 and 2003 uses this inside their TGT so it's normaly * not seen by others, however, samba4 joined with a Windows AD as @@ -161,6 +161,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) ret = krb5_check_transited(context, enc->crealm, ticket->realm, realms, num_realms, NULL); + for (n = 0; n < num_realms; n++) + free(realms[n]); free(realms); return ret; } @@ -175,7 +177,7 @@ find_etypelist(krb5_context context, krb5_authdata adIfRelevant; unsigned i; - adIfRelevant.len = 0; + memset(&adIfRelevant, 0, sizeof(adIfRelevant)); etypes->len = 0; etypes->val = NULL; @@ -250,7 +252,7 @@ krb5_decrypt_ticket(krb5_context context, krb5_clear_error_message (context); return KRB5KRB_AP_ERR_TKT_EXPIRED; } - + if(!t.flags.transited_policy_checked) { ret = check_transited(context, ticket, &t); if(ret) { @@ -402,7 +404,7 @@ krb5_verify_ap_req2(krb5_context context, { krb5_principal p1, p2; krb5_boolean res; - + _krb5_principalname2krb5_principal(context, &p1, ac->authenticator->cname, @@ -466,7 +468,7 @@ krb5_verify_ap_req2(krb5_context context, ac->keytype = ETYPE_NULL; if (etypes.val) { - int i; + size_t i; for (i = 0; i < etypes.len; i++) { if (krb5_enctype_valid(context, etypes.val[i]) == 0) { @@ -508,7 +510,7 @@ krb5_verify_ap_req2(krb5_context context, krb5_auth_con_free (context, ac); return ret; } - + /* * */ @@ -949,7 +951,7 @@ krb5_rd_req_ctx(krb5_context context, &o->ap_req_options, &o->ticket, KRB5_KU_AP_REQ_AUTH); - + if (ret) goto out; @@ -972,7 +974,7 @@ krb5_rd_req_ctx(krb5_context context, goto out; done = 0; - while (!done) { + while (!done) { krb5_principal p; ret = krb5_kt_next_entry(context, id, &entry, &cursor); @@ -1007,14 +1009,14 @@ krb5_rd_req_ctx(krb5_context context, * and update the service principal in the ticket to match * whatever is in the keytab. */ - - ret = krb5_copy_keyblock(context, + + ret = krb5_copy_keyblock(context, &entry.keyblock, &o->keyblock); if (ret) { krb5_kt_free_entry (context, &entry); goto out; - } + } ret = krb5_copy_principal(context, entry.principal, &p); if (ret) { @@ -1023,7 +1025,7 @@ krb5_rd_req_ctx(krb5_context context, } krb5_free_principal(context, o->ticket->server); o->ticket->server = p; - + krb5_kt_free_entry (context, &entry); done = 1; @@ -1045,7 +1047,7 @@ krb5_rd_req_ctx(krb5_context context, krb5_data_free(&data); if (ret) goto out; - + ret = krb5_pac_verify(context, pac, o->ticket->ticket.authtime, diff --git a/source4/heimdal/lib/krb5/replay.c b/source4/heimdal/lib/krb5/replay.c index 375a4aaba6..965dd44437 100644 --- a/source4/heimdal/lib/krb5/replay.c +++ b/source4/heimdal/lib/krb5/replay.c @@ -282,14 +282,14 @@ krb5_rc_get_name(krb5_context context, { return id->name; } - + KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL krb5_rc_get_type(krb5_context context, krb5_rcache id) { return "FILE"; } - + KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_server_rcache(krb5_context context, const krb5_data *piece, diff --git a/source4/heimdal/lib/krb5/salt-arcfour.c b/source4/heimdal/lib/krb5/salt-arcfour.c index b222b47e16..ab5e51270c 100644 --- a/source4/heimdal/lib/krb5/salt-arcfour.c +++ b/source4/heimdal/lib/krb5/salt-arcfour.c @@ -43,7 +43,7 @@ ARCFOUR_string_to_key(krb5_context context, { krb5_error_code ret; uint16_t *s = NULL; - size_t len, i; + size_t len = 0, i; EVP_MD_CTX *m; m = EVP_MD_CTX_create(); diff --git a/source4/heimdal/lib/krb5/salt-des.c b/source4/heimdal/lib/krb5/salt-des.c index 6939b6b50b..56b285f72e 100644 --- a/source4/heimdal/lib/krb5/salt-des.c +++ b/source4/heimdal/lib/krb5/salt-des.c @@ -52,7 +52,7 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ - int i; + size_t i; for(i = 0; i < 8; i++) { char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ @@ -89,7 +89,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, memcpy(password, pw.data, min(pw.length, sizeof(password))); if(pw.length < sizeof(password)) { int len = min(cell.length, sizeof(password) - pw.length); - int i; + size_t i; memcpy(password + pw.length, cell.data, len); for (i = pw.length; i < pw.length + len; ++i) @@ -138,7 +138,7 @@ static void DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) { DES_key_schedule schedule; - int i; + size_t i; int reverse = 0; unsigned char *p; diff --git a/source4/heimdal/lib/krb5/salt.c b/source4/heimdal/lib/krb5/salt.c index 6f18308743..5e4c8a1c85 100644 --- a/source4/heimdal/lib/krb5/salt.c +++ b/source4/heimdal/lib/krb5/salt.c @@ -33,6 +33,7 @@ #include "krb5_locl.h" +/* coverity[+alloc : arg-*3] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_salttype_to_string (krb5_context context, krb5_enctype etype, @@ -98,7 +99,7 @@ krb5_get_pw_salt(krb5_context context, krb5_salt *salt) { size_t len; - int i; + size_t i; krb5_error_code ret; char *p; diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c index 2ae8153c8d..edf1d33c9d 100644 --- a/source4/heimdal/lib/krb5/send_to_kdc.c +++ b/source4/heimdal/lib/krb5/send_to_kdc.c @@ -88,7 +88,7 @@ recv_loop (krb5_socket_t fd, return 0; if (limit) - nbytes = min(nbytes, limit - rep->length); + nbytes = min((size_t)nbytes, limit - rep->length); tmp = realloc (rep->data, rep->length + nbytes); if (tmp == NULL) { @@ -268,7 +268,7 @@ send_via_proxy (krb5_context context, int ret; krb5_socket_t s = rk_INVALID_SOCKET; char portstr[NI_MAXSERV]; - + if (proxy == NULL) return ENOMEM; if (strncmp (proxy, "http://", 7) == 0) @@ -339,7 +339,7 @@ send_via_plugin(krb5_context context, service = _krb5_plugin_get_symbol(e); if (service->minor_version != 0) continue; - + (*service->init)(context, &ctx); ret = (*service->send_to_kdc)(context, ctx, hi, timeout, send_data, receive); @@ -366,12 +366,12 @@ send_via_plugin(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_sendto (krb5_context context, const krb5_data *send_data, - krb5_krbhst_handle handle, + krb5_krbhst_handle handle, krb5_data *receive) { krb5_error_code ret; krb5_socket_t fd; - int i; + size_t i; krb5_data_zero(receive); @@ -511,7 +511,7 @@ _krb5_copy_send_to_kdc_func(krb5_context context, krb5_context to) { if (context->send_to_kdc) return krb5_set_send_to_kdc_func(to, - context->send_to_kdc->func, + context->send_to_kdc->func, context->send_to_kdc->data); else return krb5_set_send_to_kdc_func(to, NULL, NULL); @@ -602,7 +602,7 @@ krb5_sendto_context(krb5_context context, type = KRB5_KRBHST_KDC; } - if (send_data->length > context->large_msg_size) + if ((int)send_data->length > context->large_msg_size) ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG; /* loop until we get back a appropriate response */ diff --git a/source4/heimdal/lib/krb5/store-int.c b/source4/heimdal/lib/krb5/store-int.c index 0a18d0dddf..d577629718 100644 --- a/source4/heimdal/lib/krb5/store-int.c +++ b/source4/heimdal/lib/krb5/store-int.c @@ -50,7 +50,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size) { unsigned char *p = buffer; unsigned long v = 0; - int i; + size_t i; for (i = 0; i < size; i++) v = (v << 8) + p[i]; *value = v; diff --git a/source4/heimdal/lib/krb5/store-int.h b/source4/heimdal/lib/krb5/store-int.h index 0b7accb860..877ccc008d 100644 --- a/source4/heimdal/lib/krb5/store-int.h +++ b/source4/heimdal/lib/krb5/store-int.h @@ -43,6 +43,7 @@ struct krb5_storage_data { void (*free)(struct krb5_storage_data*); krb5_flags flags; int eof_code; + size_t max_alloc; }; #endif /* __store_int_h__ */ diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c index 0dedba3d72..3aeb8d6281 100644 --- a/source4/heimdal/lib/krb5/store.c +++ b/source4/heimdal/lib/krb5/store.c @@ -120,6 +120,41 @@ krb5_storage_get_byteorder(krb5_storage *sp) } /** + * Set the max alloc value + * + * @param sp the storage buffer set the max allow for + * @param size maximum size to allocate, use 0 to remove limit + * + * @ingroup krb5_storage + */ + +KRB5_LIB_FUNCTION void KRB5_LIB_CALL +krb5_storage_set_max_alloc(krb5_storage *sp, size_t size) +{ + sp->max_alloc = size; +} + +/* don't allocate unresonable amount of memory */ +static krb5_error_code +size_too_large(krb5_storage *sp, size_t size) +{ + if (sp->max_alloc && sp->max_alloc < size) + return HEIM_ERR_TOO_BIG; + return 0; +} + +static krb5_error_code +size_too_large_num(krb5_storage *sp, size_t count, size_t size) +{ + if (sp->max_alloc == 0 || size == 0) + return 0; + size = sp->max_alloc / size; + if (size < count) + return HEIM_ERR_TOO_BIG; + return 0; +} + +/** * Seek to a new offset. * * @param sp the storage buffer to seek in. @@ -262,10 +297,11 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data) pos = sp->seek(sp, 0, SEEK_CUR); if (pos < 0) return HEIM_ERR_NOT_SEEKABLE; - size = (size_t)sp->seek(sp, 0, SEEK_END); - if (size > (size_t)-1) - return HEIM_ERR_TOO_BIG; - ret = krb5_data_alloc (data, size); + size = sp->seek(sp, 0, SEEK_END); + ret = size_too_large(sp, size); + if (ret) + return ret; + ret = krb5_data_alloc(data, size); if (ret) { sp->seek(sp, pos, SEEK_SET); return ret; @@ -290,8 +326,10 @@ krb5_store_int(krb5_storage *sp, return EINVAL; _krb5_put_int(v, value, len); ret = sp->store(sp, v, len); - if (ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; return 0; } @@ -346,8 +384,10 @@ krb5_ret_int(krb5_storage *sp, unsigned char v[4]; unsigned long w; ret = sp->fetch(sp, v, len); - if(ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; _krb5_get_int(v, &w, len); *value = w; return 0; @@ -612,11 +652,10 @@ krb5_store_data(krb5_storage *sp, if(ret < 0) return ret; ret = sp->store(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; + if(ret < 0) + return errno; + if((size_t)ret != data.length) return sp->eof_code; - } return 0; } @@ -641,6 +680,9 @@ krb5_ret_data(krb5_storage *sp, ret = krb5_ret_int32(sp, &size); if(ret) return ret; + ret = size_too_large(sp, size); + if (ret) + return ret; ret = krb5_data_alloc (data, size); if (ret) return ret; @@ -722,12 +764,10 @@ krb5_store_stringz(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; return 0; } @@ -755,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp, char *tmp; len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -782,12 +825,10 @@ krb5_store_stringnl(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; ret = sp->store(sp, "\n", 1); if(ret != 1) { if(ret < 0) @@ -823,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp, } len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -860,7 +904,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_principal(krb5_storage *sp, krb5_const_principal p) { - int i; + size_t i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { @@ -923,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp, free(p); return EINVAL; } + ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0])); + if (ret) { + free(p); + return ret; + } p->name.name_type = type; p->name.name_string.len = ncomp; ret = krb5_ret_string(sp, &p->realm); @@ -930,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp, free(p); return ret; } - p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val)); + p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0])); if(p->name.name_string.val == NULL && ncomp != 0){ free(p->realm); free(p); @@ -1122,7 +1171,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_addrs(krb5_storage *sp, krb5_addresses p) { - int i; + size_t i; int ret; ret = krb5_store_int32(sp, p.len); if(ret) return ret; @@ -1147,12 +1196,14 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) { - int i; + size_t i; int ret; int32_t tmp; ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(adr->val[0])); + if (ret) return ret; adr->len = tmp; ALLOC(adr->val, adr->len); if (adr->val == NULL && adr->len != 0) @@ -1179,7 +1230,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) { krb5_error_code ret; - int i; + size_t i; ret = krb5_store_int32(sp, auth.len); if(ret) return ret; for(i = 0; i < auth.len; i++){ @@ -1211,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) int i; ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(auth->val[0])); + if (ret) return ret; ALLOC_SEQ(auth, tmp); if (auth->val == NULL && tmp != 0) return ENOMEM; @@ -1345,7 +1398,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) ret = krb5_ret_data (sp, &creds->second_ticket); cleanup: if(ret) { -#if 0 +#if 0 krb5_free_cred_contents(context, creds); /* XXX */ #endif } @@ -1530,7 +1583,7 @@ krb5_ret_creds_tag(krb5_storage *sp, cleanup: if(ret) { -#if 0 +#if 0 krb5_free_cred_contents(context, creds); /* XXX */ #endif } diff --git a/source4/heimdal/lib/krb5/store_emem.c b/source4/heimdal/lib/krb5/store_emem.c index ccda751afb..7f91b08486 100644 --- a/source4/heimdal/lib/krb5/store_emem.c +++ b/source4/heimdal/lib/krb5/store_emem.c @@ -45,7 +45,7 @@ static ssize_t emem_fetch(krb5_storage *sp, void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(s->base + s->len - s->ptr < size) + if((size_t)(s->base + s->len - s->ptr) < size) size = s->base + s->len - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); @@ -56,7 +56,7 @@ static ssize_t emem_store(krb5_storage *sp, const void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(size > s->base + s->size - s->ptr){ + if(size > (size_t)(s->base + s->size - s->ptr)){ void *base; size_t sz, off; off = s->ptr - s->base; @@ -81,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence) emem_storage *s = (emem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; s->ptr = s->base + offset; - if(offset > s->len) + if((size_t)offset > s->len) s->len = offset; break; case SEEK_CUR: @@ -115,14 +115,14 @@ emem_trunc(krb5_storage *sp, off_t offset) s->size = 0; s->base = NULL; s->ptr = NULL; - } else if (offset > s->size || (s->size / 2) > offset) { + } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) { void *base; size_t off; off = s->ptr - s->base; base = realloc(s->base, offset); if(base == NULL) return ENOMEM; - if (offset > s->size) + if ((size_t)offset > s->size) memset((char *)base + s->size, 0, offset - s->size); s->size = offset; s->base = base; @@ -190,5 +190,6 @@ krb5_storage_emem(void) sp->seek = emem_seek; sp->trunc = emem_trunc; sp->free = emem_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/store_fd.c b/source4/heimdal/lib/krb5/store_fd.c index bd357dbe3b..2b72dea3a3 100644 --- a/source4/heimdal/lib/krb5/store_fd.c +++ b/source4/heimdal/lib/krb5/store_fd.c @@ -73,7 +73,7 @@ fd_free(krb5_storage * sp) } /** - * + * * * @return A krb5_storage on success, or NULL on out of memory error. * @@ -128,5 +128,6 @@ krb5_storage_from_fd(krb5_socket_t fd_in) sp->seek = fd_seek; sp->trunc = fd_trunc; sp->free = fd_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c index b79bc19155..e674a95dba 100644 --- a/source4/heimdal/lib/krb5/store_mem.c +++ b/source4/heimdal/lib/krb5/store_mem.c @@ -44,7 +44,7 @@ static ssize_t mem_fetch(krb5_storage *sp, void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); @@ -55,7 +55,7 @@ static ssize_t mem_store(krb5_storage *sp, const void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(s->ptr, data, size); sp->seek(sp, size, SEEK_CUR); @@ -74,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence) mem_storage *s = (mem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; @@ -95,7 +95,7 @@ static int mem_trunc(krb5_storage *sp, off_t offset) { mem_storage *s = (mem_storage*)sp->data; - if(offset > s->size) + if((size_t)offset > s->size) return ERANGE; s->size = offset; if ((s->ptr - s->base) > offset) @@ -145,6 +145,7 @@ krb5_storage_from_mem(void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } @@ -203,5 +204,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_no_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index d816242f09..09bff30fe9 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -195,7 +195,7 @@ find_type_in_ad(krb5_context context, int level) { krb5_error_code ret = 0; - int i; + size_t i; if (level > 9) { ret = ENOENT; /* XXX */ @@ -639,7 +639,7 @@ decrypt_tkt (krb5_context context, &size); krb5_data_free (&data); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encpart in ticket", "")); return ret; } @@ -661,7 +661,7 @@ _krb5_extract_ticket(krb5_context context, { krb5_error_code ret; krb5_principal tmp_principal; - size_t len; + size_t len = 0; time_t tmp_time; krb5_timestamp sec_now; @@ -757,7 +757,7 @@ _krb5_extract_ticket(krb5_context context, /* compare nonces */ - if (nonce != rep->enc_part.nonce) { + if (nonce != (unsigned)rep->enc_part.nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; @@ -837,7 +837,7 @@ _krb5_extract_ticket(krb5_context context, creds->addresses.val = NULL; } creds->flags.b = rep->enc_part.flags; - + creds->authdata.len = 0; creds->authdata.val = NULL; diff --git a/source4/heimdal/lib/krb5/transited.c b/source4/heimdal/lib/krb5/transited.c index a72adc0351..5e21987bca 100644 --- a/source4/heimdal/lib/krb5/transited.c +++ b/source4/heimdal/lib/krb5/transited.c @@ -55,7 +55,7 @@ free_realms(struct tr_realm *r) r = r->next; free(p->realm); free(p); - } + } } static int @@ -71,7 +71,7 @@ make_path(krb5_context context, struct tr_realm *r, from = to; to = str; } - + if(strcmp(from + strlen(from) - strlen(to), to) == 0){ p = from; while(1){ @@ -84,20 +84,15 @@ make_path(krb5_context context, struct tr_realm *r, if(strcmp(p, to) == 0) break; tmp = calloc(1, sizeof(*tmp)); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); tmp->next = r->next; r->next = tmp; tmp->realm = strdup(p); if(tmp->realm == NULL){ r->next = tmp->next; free(tmp); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM;; + return krb5_enomem(context); } } }else if(strncmp(from, to, strlen(to)) == 0){ @@ -110,20 +105,15 @@ make_path(krb5_context context, struct tr_realm *r, if(strncmp(to, from, p - from) == 0) break; tmp = calloc(1, sizeof(*tmp)); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); tmp->next = r->next; r->next = tmp; tmp->realm = malloc(p - from + 1); if(tmp->realm == NULL){ r->next = tmp->next; free(tmp); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } memcpy(tmp->realm, from, p - from); tmp->realm[p - from] = '\0'; @@ -187,9 +177,7 @@ expand_realms(krb5_context context, tmp = realloc(r->realm, len); if(tmp == NULL){ free_realms(realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } r->realm = tmp; strlcat(r->realm, prev_realm, len); @@ -202,9 +190,7 @@ expand_realms(krb5_context context, tmp = malloc(len); if(tmp == NULL){ free_realms(realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } strlcpy(tmp, prev_realm, len); strlcat(tmp, r->realm, len); @@ -288,19 +274,14 @@ decode_realms(krb5_context context, } if(tr[i] == ','){ tmp = malloc(tr + i - start + 1); - if(tmp == NULL){ - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; - } + if(tmp == NULL) + return krb5_enomem(context); memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); if(r == NULL){ free_realms(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } *realms = append_realm(*realms, r); start = tr + i + 1; @@ -309,18 +290,14 @@ decode_realms(krb5_context context, tmp = malloc(tr + i - start + 1); if(tmp == NULL){ free(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); if(r == NULL){ free_realms(*realms); - krb5_set_error_message(context, ENOMEM, - N_("malloc: out of memory", "")); - return ENOMEM; + return krb5_enomem(context); } *realms = append_realm(*realms, r); @@ -370,14 +347,14 @@ krb5_domain_x500_decode(krb5_context context, (*num_realms)++; } } - if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms)) + if (*num_realms + 1 > UINT_MAX/sizeof(**realms)) return ERANGE; { char **R; R = malloc((*num_realms + 1) * sizeof(*R)); if (R == NULL) - return ENOMEM; + return krb5_enomem(context); *realms = R; while(r){ *R++ = r->realm; @@ -410,7 +387,7 @@ krb5_domain_x500_encode(char **realms, unsigned int num_realms, return ENOMEM; *s = '\0'; for(i = 0; i < num_realms; i++){ - if(i && i < num_realms - 1) + if(i) strlcat(s, ",", len + 1); if(realms[i][0] == '/') strlcat(s, " ", len + 1); @@ -431,7 +408,7 @@ krb5_check_transited(krb5_context context, { char **tr_realms; char **p; - int i; + size_t i; if(num_realms == 0) return 0; @@ -467,7 +444,7 @@ krb5_check_transited_realms(krb5_context context, unsigned int num_realms, int *bad_realm) { - int i; + size_t i; int ret = 0; char **bad_realms = krb5_config_get_strings(context, NULL, "libdefaults", diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map index c32a094f6d..fad84ebb5b 100644 --- a/source4/heimdal/lib/krb5/version-script.map +++ b/source4/heimdal/lib/krb5/version-script.map @@ -167,6 +167,7 @@ HEIMDAL_KRB5_2.0 { krb5_copy_checksum; krb5_copy_creds; krb5_copy_creds_contents; + krb5_copy_context; krb5_copy_data; krb5_copy_host_realm; krb5_copy_keyblock; @@ -383,10 +384,11 @@ HEIMDAL_KRB5_2.0 { krb5_hmac; krb5_init_context; krb5_init_ets; - krb5_init_etype; krb5_initlog; krb5_is_config_principal; krb5_is_thread_safe; + krb5_kcm_call; + krb5_kcm_storage_request; krb5_kerberos_enctypes; krb5_keyblock_get_enctype; krb5_keyblock_init; @@ -418,6 +420,7 @@ HEIMDAL_KRB5_2.0 { krb5_kt_get_full_name; krb5_kt_get_name; krb5_kt_get_type; + krb5_kt_have_content; krb5_kt_next_entry; krb5_kt_read_service_key; krb5_kt_register; @@ -602,6 +605,7 @@ HEIMDAL_KRB5_2.0 { krb5_storage_set_byteorder; krb5_storage_set_eof_code; krb5_storage_set_flags; + krb5_storage_set_max_alloc; krb5_storage_to_data; krb5_storage_truncate; krb5_storage_write; diff --git a/source4/heimdal/lib/krb5/warn.c b/source4/heimdal/lib/krb5/warn.c index f7581d1f90..cb3be76fcc 100644 --- a/source4/heimdal/lib/krb5/warn.c +++ b/source4/heimdal/lib/krb5/warn.c @@ -37,7 +37,7 @@ static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) __attribute__((__format__(__printf__, 5, 0))); - + static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) @@ -69,7 +69,7 @@ _warnerr(krb5_context context, int do_errtext, *arg= "<unknown error>"; } } - + if(context && context->warn_dest) krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]); else diff --git a/source4/heimdal/lib/ntlm/ntlm.c b/source4/heimdal/lib/ntlm/ntlm.c index 6dad519d4a..7aafc8c0aa 100644 --- a/source4/heimdal/lib/ntlm/ntlm.c +++ b/source4/heimdal/lib/ntlm/ntlm.c @@ -109,8 +109,12 @@ static const unsigned char ntlmsigature[8] = "NTLMSSP\x00"; #define CHECK(f, e) \ do { \ - ret = f ; if (ret != (e)) { ret = HNTLM_ERR_DECODE; goto out; } } \ - while(0) + ret = f; \ + if (ret != (ssize_t)(e)) { \ + ret = HNTLM_ERR_DECODE; \ + goto out; \ + } \ + } while(/*CONSTCOND*/0) static struct units ntlm_flag_units[] = { #define ntlm_flag(x) { #x, NTLM_##x } @@ -289,7 +293,7 @@ ret_sec_string(krb5_storage *sp, int ucs2, struct sec_buffer *desc, char **s) CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset); CHECK(ret_string(sp, ucs2, desc->length, s), 0); out: - return ret; + return ret; } static krb5_error_code @@ -1025,7 +1029,7 @@ splitandenc(unsigned char *hash, key[7] = (hash[6] << 1); EVP_CIPHER_CTX_init(&ctx); - + EVP_CipherInit_ex(&ctx, EVP_des_cbc(), NULL, key, NULL, 1); EVP_Cipher(&ctx, answer, challenge, 8); EVP_CIPHER_CTX_cleanup(&ctx); @@ -1129,7 +1133,7 @@ heim_ntlm_v1_base_session(void *key, size_t len, session->length = 0; return ENOMEM; } - + m = EVP_MD_CTX_create(); if (m == NULL) { heim_ntlm_free_buf(session); @@ -1399,7 +1403,7 @@ static time_t nt2unixtime(uint64_t t) { t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000); - if (t > (((time_t)(~(uint64_t)0)) >> 1)) + if (t > (((uint64_t)(time_t)(~(uint64_t)0)) >> 1)) return 0; return (time_t)t; } diff --git a/source4/heimdal/lib/roken/dumpdata.c b/source4/heimdal/lib/roken/dumpdata.c index f30f0e54cc..844360187f 100644 --- a/source4/heimdal/lib/roken/dumpdata.c +++ b/source4/heimdal/lib/roken/dumpdata.c @@ -81,7 +81,7 @@ rk_undumpdata(const char *filename, void **buf, size_t *size) sret = net_read(fd, *buf, *size); if (sret < 0) ret = errno; - else if (sret != *size) { + else if (sret != (ssize_t)*size) { ret = EINVAL; free(*buf); *buf = NULL; diff --git a/source4/heimdal/lib/roken/get_window_size.c b/source4/heimdal/lib/roken/get_window_size.c index 13e7ebf157..5a4a1753fe 100644 --- a/source4/heimdal/lib/roken/get_window_size.c +++ b/source4/heimdal/lib/roken/get_window_size.c @@ -58,32 +58,46 @@ #include "roken.h" ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL -get_window_size(int fd, struct winsize *wp) +get_window_size(int fd, int *lines, int *columns) { - int ret = -1; - - memset(wp, 0, sizeof(*wp)); + char *s; #if defined(TIOCGWINSZ) - ret = ioctl(fd, TIOCGWINSZ, wp); + { + struct winsize ws; + int ret; + ret = ioctl(fd, TIOCGWINSZ, &ws); + if (ret != -1) { + if (lines) + *lines = ws.ws_row; + if (columns) + *columns = ws.ws_col; + return 0; + } + } #elif defined(TIOCGSIZE) { struct ttysize ts; - + int ret; ret = ioctl(fd, TIOCGSIZE, &ts); - if(ret == 0) { - wp->ws_row = ts.ts_lines; - wp->ws_col = ts.ts_cols; - } + if (ret != -1) { + if (lines) + *lines = ts.ws_lines; + if (columns) + *columns = ts.ts_cols; + return 0; + } } #elif defined(HAVE__SCRSIZE) { int dst[2]; - - _scrsize(dst); - wp->ws_row = dst[1]; - wp->ws_col = dst[0]; - ret = 0; + + _scrsize(dst); + if (lines) + *lines = dst[1]; + if (columns) + *columns = dst[0]; + return 0; } #elif defined(_WIN32) { @@ -93,21 +107,26 @@ get_window_size(int fd, struct winsize *wp) fh = _get_osfhandle(fd); if (fh != (intptr_t) INVALID_HANDLE_VALUE && GetConsoleScreenBufferInfo((HANDLE) fh, &sb_info)) { - wp->ws_row = 1 + sb_info.srWindow.Bottom - sb_info.srWindow.Top; - wp->ws_col = 1 + sb_info.srWindow.Right - sb_info.srWindow.Left; + if (lines) + *lines = 1 + sb_info.srWindow.Bottom - sb_info.srWindow.Top; + if (columns) + *columns = 1 + sb_info.srWindow.Right - sb_info.srWindow.Left; - ret = 0; + return 0; } } #endif - if (ret != 0) { - char *s; - if((s = getenv("COLUMNS"))) - wp->ws_col = atoi(s); - if((s = getenv("LINES"))) - wp->ws_row = atoi(s); - if(wp->ws_col > 0 && wp->ws_row > 0) - ret = 0; + if (columns) { + if ((s = getenv("COLUMNS"))) + *columns = atoi(s); + else + return -1; + } + if (lines) { + if ((s = getenv("LINES"))) + *lines = atoi(s); + else + return -1; } - return ret; + return 0; } diff --git a/source4/heimdal/lib/roken/getarg.c b/source4/heimdal/lib/roken/getarg.c index a96e5c85bf..d6a5048689 100644 --- a/source4/heimdal/lib/roken/getarg.c +++ b/source4/heimdal/lib/roken/getarg.c @@ -114,8 +114,7 @@ mandoc_template(struct getargs *args, printf(".Os OPERATING_SYSTEM\n"); printf(".Sh NAME\n"); printf(".Nm %s\n", p); - printf(".Nd\n"); - printf("in search of a description\n"); + printf(".Nd in search of a description\n"); printf(".Sh SYNOPSIS\n"); printf(".Nm\n"); for(i = 0; i < num_args; i++){ @@ -133,7 +132,7 @@ mandoc_template(struct getargs *args, } if(args[i].long_name) { print_arg(buf, sizeof(buf), 1, 1, args + i, i18n); - printf("Fl -%s%s%s", + printf("Fl Fl %s%s%s", args[i].type == arg_negative_flag ? "no-" : "", args[i].long_name, buf); } @@ -142,7 +141,7 @@ mandoc_template(struct getargs *args, print_arg(buf, sizeof(buf), 1, 0, args + i, i18n); printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf); print_arg(buf, sizeof(buf), 1, 1, args + i, i18n); - printf(".Fl -%s%s\n.Xc\n.Oc\n", args[i].long_name, buf); + printf(".Fl Fl %s%s\n.Xc\n.Oc\n", args[i].long_name, buf); } /* if(args[i].type == arg_strings) @@ -165,7 +164,7 @@ mandoc_template(struct getargs *args, printf("\n"); } if(args[i].long_name){ - printf(".Fl -%s%s", + printf(".Fl Fl %s%s", args[i].type == arg_negative_flag ? "no-" : "", args[i].long_name); print_arg(buf, sizeof(buf), 1, 1, args + i, i18n); @@ -228,7 +227,6 @@ arg_printusage_i18n (struct getargs *args, size_t i, max_len = 0; char buf[128]; int col = 0, columns; - struct winsize ws; if (progname == NULL) progname = getprogname(); @@ -240,9 +238,7 @@ arg_printusage_i18n (struct getargs *args, mandoc_template(args, num_args, progname, extra_string, i18n); return; } - if(get_window_size(2, &ws) == 0) - columns = ws.ws_col; - else + if(get_window_size(2, NULL, &columns) == -1) columns = 80; col = 0; col += fprintf (stderr, "%s: %s", usage, progname); @@ -352,7 +348,7 @@ static int arg_match_long(struct getargs *args, size_t num_args, char *argv, int argc, char **rargv, int *goptind) { - int i; + size_t i; char *goptarg = NULL; int negate = 0; int partial_match = 0; @@ -477,7 +473,7 @@ static int arg_match_short (struct getargs *args, size_t num_args, char *argv, int argc, char **rargv, int *goptind) { - int j, k; + size_t j, k; for(j = 1; j > 0 && j < strlen(rargv[*goptind]); j++) { for(k = 0; k < num_args; k++) { @@ -500,9 +496,11 @@ arg_match_short (struct getargs *args, size_t num_args, } if(args[k].type == arg_collect) { struct getarg_collect_info *c = args[k].value; + int a = (int)j; - if((*c->func)(TRUE, argc, rargv, goptind, &j, c->data)) + if((*c->func)(TRUE, argc, rargv, goptind, &a, c->data)) return ARG_ERR_BAD_ARG; + j = a; break; } diff --git a/source4/heimdal/lib/roken/hex.c b/source4/heimdal/lib/roken/hex.c index 91590dd49d..c66b324f79 100644 --- a/source4/heimdal/lib/roken/hex.c +++ b/source4/heimdal/lib/roken/hex.c @@ -37,7 +37,7 @@ #include <ctype.h> #include "hex.h" -const static char hexchar[] = "0123456789ABCDEF"; +static const char hexchar[16] = "0123456789ABCDEF"; static int pos(char c) @@ -86,14 +86,13 @@ hex_decode(const char *str, void *data, size_t len) size_t l; unsigned char *p = data; size_t i; - + l = strlen(str); /* check for overflow, same as (l+1)/2 but overflow safe */ if ((l/2) + (l&1) > len) return -1; - i = 0; if (l & 1) { p[0] = pos(str[0]); str++; diff --git a/source4/heimdal/lib/roken/parse_units.c b/source4/heimdal/lib/roken/parse_units.c index d2857cfa07..8b3cdf40e5 100644 --- a/source4/heimdal/lib/roken/parse_units.c +++ b/source4/heimdal/lib/roken/parse_units.c @@ -267,7 +267,7 @@ ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL print_units_table (const struct units *units, FILE *f) { const struct units *u, *u2; - int max_sz = 0; + size_t max_sz = 0; for (u = units; u->name; ++u) { max_sz = max(max_sz, strlen(u->name)); @@ -288,7 +288,7 @@ print_units_table (const struct units *units, FILE *f) if (u2->name == NULL) --u2; unparse_units (u->mult, u2, buf, sizeof(buf)); - fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf); + fprintf (f, "1 %*s = %s\n", (int)max_sz, u->name, buf); } else { fprintf (f, "1 %s\n", u->name); } diff --git a/source4/heimdal/lib/roken/resolve.c b/source4/heimdal/lib/roken/resolve.c index 03715e5ffd..b27f37a6d6 100644 --- a/source4/heimdal/lib/roken/resolve.c +++ b/source4/heimdal/lib/roken/resolve.c @@ -194,7 +194,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 2 > size) { + if ((size_t)status + 2 > size) { dns_free_rr(rr); return -1; } @@ -217,7 +217,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 6 > size) { + if ((size_t)status + 6 > size) { dns_free_rr(rr); return -1; } @@ -237,7 +237,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, break; } case rk_ns_t_txt:{ - if(size == 0 || size < *p + 1) { + if(size == 0 || size < (unsigned)(*p + 1)) { dns_free_rr(rr); return -1; } @@ -284,7 +284,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 18 > size) { + if ((size_t)status + 18 > size) { dns_free_rr(rr); return -1; } @@ -409,7 +409,7 @@ parse_reply(const unsigned char *data, size_t len) { const unsigned char *p; int status; - int i; + size_t i; char host[MAXDNAME]; const unsigned char *end_data = data + len; struct rk_dns_reply *r; @@ -528,7 +528,7 @@ dns_lookup_int(const char *domain, int rr_class, int rr_type) struct sockaddr_storage from; uint32_t fromsize = sizeof(from); dns_handle_t handle; - + handle = dns_open(NULL); if (handle == NULL) return NULL; diff --git a/source4/heimdal/lib/roken/rkpty.c b/source4/heimdal/lib/roken/rkpty.c index 0faf668615..f2c62f23f3 100644 --- a/source4/heimdal/lib/roken/rkpty.c +++ b/source4/heimdal/lib/roken/rkpty.c @@ -107,9 +107,9 @@ open_pty(void) { char *clone[] = { "/dev/ptc", - "/dev/ptmx", + "/dev/ptmx", "/dev/ptm", - "/dev/ptym/clone", + "/dev/ptym/clone", NULL }; char **q; @@ -372,7 +372,7 @@ main(int argc, char **argv) sa.sa_handler = caught_signal; sa.sa_flags = 0; sigemptyset (&sa.sa_mask); - + sigaction(SIGALRM, &sa, NULL); } diff --git a/source4/heimdal/lib/roken/roken.h.in b/source4/heimdal/lib/roken/roken.h.in index 1ca3c10dc9..a6299aee8e 100644 --- a/source4/heimdal/lib/roken/roken.h.in +++ b/source4/heimdal/lib/roken/roken.h.in @@ -105,6 +105,10 @@ typedef int rk_socket_t; #endif +#ifndef IN_LOOPBACKNET +#define IN_LOOPBACKNET 127 +#endif + #ifdef _MSC_VER /* Declarations for Microsoft Visual C runtime on Windows */ @@ -759,7 +763,7 @@ struct winsize { }; #endif -ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, struct winsize *); +ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, int *, int *); #ifndef HAVE_VSYSLOG #define vsyslog rk_vsyslog @@ -932,6 +936,7 @@ strptime (const char *, const char *, struct tm *); #endif #ifndef HAVE_GETTIMEOFDAY +#define gettimeofday rk_gettimeofday ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL gettimeofday (struct timeval *, void *); #endif @@ -1098,6 +1103,18 @@ rk_qsort(void *, size_t, size_t, int (*)(const void *, const void *)); #define rk_random() rand() #endif +#ifndef HAVE_TDELETE +#define tdelete(a,b,c) rk_tdelete(a,b,c) +#endif +#ifndef HAVE_TFIND +#define tfind(a,b,c) rk_tfind(a,b,c) +#endif +#ifndef HAVE_TSEARCH +#define tsearch(a,b,c) rk_tsearch(a,b,c) +#endif +#ifndef HAVE_TWALK +#define twalk(a,b) rk_twalk(a,b) +#endif #if defined(__linux__) && defined(SOCK_CLOEXEC) && !defined(SOCKET_WRAPPER_REPLACE) && !defined(__SOCKET_WRAPPER_H__) #undef socket diff --git a/source4/heimdal/lib/roken/roken_gethostby.c b/source4/heimdal/lib/roken/roken_gethostby.c index 1d6c8ffe8a..1bb560d3ba 100644 --- a/source4/heimdal/lib/roken/roken_gethostby.c +++ b/source4/heimdal/lib/roken/roken_gethostby.c @@ -142,6 +142,7 @@ roken_gethostby(const char *hostname) int offset = 0; int n; char *p, *foo; + size_t len; if(dns_addr.sin_family == 0) return NULL; /* no configured host */ @@ -160,7 +161,9 @@ roken_gethostby(const char *hostname) free(request); return NULL; } - if(write(s, request, strlen(request)) != strlen(request)) { + + len = strlen(request); + if(write(s, request, len) != (ssize_t)len) { close(s); free(request); return NULL; @@ -188,12 +191,12 @@ roken_gethostby(const char *hostname) static char addrs[4 * MAX_ADDRS]; static char *addr_list[MAX_ADDRS + 1]; int num_addrs = 0; - + he.h_name = p; he.h_aliases = NULL; he.h_addrtype = AF_INET; he.h_length = 4; - + while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) { struct in_addr ip; inet_aton(p, &ip); diff --git a/source4/heimdal/lib/roken/socket.c b/source4/heimdal/lib/roken/socket.c index 8797f95772..017d6252ea 100644 --- a/source4/heimdal/lib/roken/socket.c +++ b/source4/heimdal/lib/roken/socket.c @@ -233,7 +233,7 @@ socket_set_portrange (rk_socket_t sock, int restr, int af) } #endif } - + /* * Enable debug on `sock'. */ diff --git a/source4/heimdal/lib/roken/strsep_copy.c b/source4/heimdal/lib/roken/strsep_copy.c index 9624b5a46f..1228f1a450 100644 --- a/source4/heimdal/lib/roken/strsep_copy.c +++ b/source4/heimdal/lib/roken/strsep_copy.c @@ -49,7 +49,7 @@ strsep_copy(const char **stringp, const char *delim, char *buf, size_t len) if(save == NULL) return -1; *stringp = *stringp + strcspn(*stringp, delim); - l = min(len, *stringp - save); + l = min(len, (size_t)(*stringp - save)); if(len > 0) { memcpy(buf, save, l); buf[l] = '\0'; diff --git a/source4/heimdal/lib/roken/version-script.map b/source4/heimdal/lib/roken/version-script.map index 1baa4b182a..9229a373cd 100644 --- a/source4/heimdal/lib/roken/version-script.map +++ b/source4/heimdal/lib/roken/version-script.map @@ -139,6 +139,10 @@ HEIMDAL_ROKEN_1.0 { rk_timevaladd; rk_timevalfix; rk_timevalsub; + rk_tdelete; + rk_tfind; + rk_tsearch; + rk_twalk; rk_undumpdata; rk_unvis; rk_vasnprintf; diff --git a/source4/heimdal/lib/vers/print_version.c b/source4/heimdal/lib/vers/print_version.c index c702ae0fce..23cd25e0c6 100644 --- a/source4/heimdal/lib/vers/print_version.c +++ b/source4/heimdal/lib/vers/print_version.c @@ -51,6 +51,8 @@ print_version(const char *progname) if(*package_list == '\0') package_list = "no version information"; fprintf(stderr, "%s (%s)\n", progname, package_list); - fprintf(stderr, "Copyright 1995-2010 Kungliga Tekniska Högskolan\n"); + fprintf(stderr, "Copyright 1995-2011 Kungliga Tekniska Högskolan\n"); +#ifdef PACKAGE_BUGREPORT fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT); +#endif } diff --git a/source4/heimdal/lib/wind/ldap.c b/source4/heimdal/lib/wind/ldap.c index 503ec75a9f..e7cab8eef3 100644 --- a/source4/heimdal/lib/wind/ldap.c +++ b/source4/heimdal/lib/wind/ldap.c @@ -61,7 +61,7 @@ _wind_ldap_case_exact_attribute(const uint32_t *tmp, return WIND_ERR_OVERRUN; while(i < olen && tmp[i] == 0x20) /* skip initial spaces */ i++; - + while (i < olen) { if (tmp[i] == 0x20) { if (put_char(out, &o, 0x20, *out_len) || @@ -72,7 +72,7 @@ _wind_ldap_case_exact_attribute(const uint32_t *tmp, } else { if (put_char(out, &o, tmp[i++], *out_len)) return WIND_ERR_OVERRUN; - } + } } assert(o > 0); diff --git a/source4/heimdal/lib/wind/normalize.c b/source4/heimdal/lib/wind/normalize.c index 3c68ea8660..15274f6855 100644 --- a/source4/heimdal/lib/wind/normalize.c +++ b/source4/heimdal/lib/wind/normalize.c @@ -130,7 +130,7 @@ compat_decomp(const uint32_t *in, size_t in_len, struct translation ts = {in[i]}; size_t sub_len = *out_len - o; int ret; - + ret = hangul_decomp(in + i, in_len - i, out + o, &sub_len); if (ret) { diff --git a/source4/heimdal/lib/wind/stringprep.c b/source4/heimdal/lib/wind/stringprep.c index ec4657665e..002bc72595 100644 --- a/source4/heimdal/lib/wind/stringprep.c +++ b/source4/heimdal/lib/wind/stringprep.c @@ -111,7 +111,7 @@ wind_stringprep(const uint32_t *in, size_t in_len, return ret; } -const static struct { +static const struct { const char *name; wind_profile_flags flags; } profiles[] = { diff --git a/source4/heimdal/lib/wind/utf8.c b/source4/heimdal/lib/wind/utf8.c index d16683645c..6907b3c9d3 100644 --- a/source4/heimdal/lib/wind/utf8.c +++ b/source4/heimdal/lib/wind/utf8.c @@ -183,7 +183,7 @@ wind_ucs4utf8(const uint32_t *in, size_t in_len, char *out, size_t *out_len) for (o = 0, i = 0; i < in_len; i++) { ch = in[i]; - + if (ch < 0x80) { len = 1; } else if (ch < 0x800) { @@ -194,7 +194,7 @@ wind_ucs4utf8(const uint32_t *in, size_t in_len, char *out, size_t *out_len) len = 4; } else return WIND_ERR_INVALID_UTF32; - + o += len; if (out) { @@ -341,7 +341,7 @@ wind_ucs2write(const uint16_t *in, size_t in_len, unsigned int *flags, * first to the output data */ if ((*flags) & WIND_RW_BOM) { uint16_t bom = 0xfffe; - + if (len < 2) return WIND_ERR_OVERRUN; @@ -462,14 +462,14 @@ wind_ucs2utf8(const uint16_t *in, size_t in_len, char *out, size_t *out_len) for (o = 0, i = 0; i < in_len; i++) { ch = in[i]; - + if (ch < 0x80) { len = 1; } else if (ch < 0x800) { len = 2; } else len = 3; - + o += len; if (out) { |