Diffstat (limited to 'source4')
64 files changed, 1143 insertions, 668 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c index 9fcf40a4c2..14969aaa52 100644 --- a/source4/heimdal/kdc/524.c +++ b/source4/heimdal/kdc/524.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c,v 1.36 2006/04/07 22:12:28 lha Exp $"); +RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $"); #include <krb5-v4compat.h> @@ -66,7 +66,7 @@ fetch_server (krb5_context context, krb5_get_err_text(context, ret)); return ret; } - ret = _kdc_db_fetch(context, config, sprinc, HDB_ENT_TYPE_SERVER, server); + ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server); krb5_free_principal(context, sprinc); if (ret) { kdc_log(context, config, 0, diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 05fedeca29..c08a51b9cc 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $"); #include <krb5-v4compat.h> #include <rx.h> 
@@ -107,38 +107,69 @@ RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $"); #define KATOOSOON (180521L) #define KALOCKED (180522L) -static void + +static krb5_error_code decode_rx_header (krb5_storage *sp, struct rx_header *h) { - krb5_ret_int32(sp, &h->epoch); - krb5_ret_int32(sp, &h->connid); - krb5_ret_int32(sp, &h->callid); - krb5_ret_int32(sp, &h->seqno); - krb5_ret_int32(sp, &h->serialno); - krb5_ret_int8(sp, &h->type); - krb5_ret_int8(sp, &h->flags); - krb5_ret_int8(sp, &h->status); - krb5_ret_int8(sp, &h->secindex); - krb5_ret_int16(sp, &h->reserved); - krb5_ret_int16(sp, &h->serviceid); + krb5_error_code ret; + + ret = krb5_ret_uint32(sp, &h->epoch); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->connid); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->callid); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->seqno); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->serialno); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->type); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->flags); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->status); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->secindex); + if (ret) return ret; + ret = krb5_ret_uint16(sp, &h->reserved); + if (ret) return ret; + ret = krb5_ret_uint16(sp, &h->serviceid); + if (ret) return ret; + + return 0; } -static void +static krb5_error_code encode_rx_header (struct rx_header *h, krb5_storage *sp) { - krb5_store_int32(sp, h->epoch); - krb5_store_int32(sp, h->connid); - krb5_store_int32(sp, h->callid); - krb5_store_int32(sp, h->seqno); - krb5_store_int32(sp, h->serialno); - krb5_store_int8(sp, h->type); - krb5_store_int8(sp, h->flags); - krb5_store_int8(sp, h->status); - krb5_store_int8(sp, h->secindex); - krb5_store_int16(sp, h->reserved); - krb5_store_int16(sp, h->serviceid); + krb5_error_code ret; + + ret = krb5_store_uint32(sp, h->epoch); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->connid); + if (ret) return ret; + ret = 
krb5_store_uint32(sp, h->callid); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->seqno); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->serialno); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->type); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->flags); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->status); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->secindex); + if (ret) return ret; + ret = krb5_store_uint16(sp, h->reserved); + if (ret) return ret; + ret = krb5_store_uint16(sp, h->serviceid); + if (ret) return ret; + + return 0; } static void @@ -162,7 +193,7 @@ init_reply_header (struct rx_header *hdr, static void make_error_reply (struct rx_header *hdr, - u_int32_t ret, + uint32_t ret, krb5_data *reply) { @@ -171,7 +202,7 @@ make_error_reply (struct rx_header *hdr, init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); sp = krb5_storage_emem(); - encode_rx_header (&reply_hdr, sp); + ret = encode_rx_header (&reply_hdr, sp); krb5_store_int32(sp, ret); krb5_storage_to_data (sp, reply); krb5_storage_free (sp); @@ -249,11 +280,12 @@ create_reply_ticket (krb5_context context, int kvno, int32_t max_seq_len, const char *sname, const char *sinstance, - u_int32_t challenge, + uint32_t challenge, const char *label, krb5_keyblock *key, krb5_data *reply) { + krb5_error_code ret; krb5_data ticket; krb5_keyblock session; krb5_storage *sp; @@ -339,7 +371,7 @@ create_reply_ticket (krb5_context context, /* create the reply packet */ init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST); sp = krb5_storage_emem (); - encode_rx_header (&reply_hdr, sp); + ret = encode_rx_header (&reply_hdr, sp); krb5_store_int32 (sp, max_seq_len); krb5_store_xdr_data (sp, enc_data); krb5_data_free (&enc_data); @@ -410,7 +442,7 @@ do_authenticate (krb5_context context, Key *skey = NULL; krb5_storage *reply_sp; time_t max_life; - u_int8_t life; + uint8_t life; int32_t chal; char client_name[256]; char server_name[256]; 
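Review bot: In make_error_reply the new line `ret = encode_rx_header (&reply_hdr, sp);` overwrites the `ret` parameter, which per the `@@ -162` hunk is the `uint32_t` abort code the caller asked to send, so the following `krb5_store_int32(sp, ret);` now stores 0 (or the encoder's error code) instead of the intended KA error, and the encoder's status is never acted on either. Keep the status in its own local, `krb5_error_code eret = encode_rx_header(&reply_hdr, sp);`, and only fall through to `krb5_store_int32(sp, ret)` when `eret == 0`. The same pattern appears in create_reply_ticket at the `@@ -339` hunk, where the newly declared `ret` receives encode_rx_header's result but nothing tests it before `krb5_store_int32 (sp, max_seq_len)`. Both functions continue outside the hunks.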
@@ -433,8 +465,7 @@ do_authenticate (krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_ENT_TYPE_CLIENT, - &client_entry); + config->v4_realm, HDB_F_GET_CLIENT, &client_entry); if (ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -444,7 +475,7 @@ do_authenticate (krb5_context context, ret = _kdc_db_fetch4 (context, config, "krbtgt", config->v4_realm, config->v4_realm, - HDB_ENT_TYPE_SERVER, &server_entry); + HDB_F_GET_KRBTGT, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -650,8 +681,7 @@ do_getticket (krb5_context context, "%s.%s@%s", name, instance, config->v4_realm); ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_ENT_TYPE_SERVER, - &server_entry); + config->v4_realm, HDB_F_GET_SERVER, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -660,8 +690,7 @@ do_getticket (krb5_context context, } ret = _kdc_db_fetch4 (context, config, "krbtgt", - config->v4_realm, config->v4_realm, - HDB_ENT_TYPE_CLIENT, &krbtgt_entry); + config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s.%s@%s: %s", @@ -734,8 +763,8 @@ do_getticket (krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch4 (context, config, - ad.pname, ad.pinst, ad.prealm, - HDB_ENT_TYPE_CLIENT, &client_entry); + ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT, + &client_entry); if(ret && ret != HDB_ERR_NOENTRY) { kdc_log(context, config, 0, "Client not found in database: (krb4) %s: %s", 
@@ -842,14 +871,16 @@ _kdc_do_kaserver(krb5_context context, { krb5_error_code ret = 0; struct rx_header hdr; - u_int32_t op; + uint32_t op; krb5_storage *sp; if (len < RX_HEADER_SIZE) return -1; sp = krb5_storage_from_mem (buf, len); - decode_rx_header (sp, &hdr); + ret = decode_rx_header (sp, &hdr); + if (ret) + goto out; buf += RX_HEADER_SIZE; len -= RX_HEADER_SIZE; @@ -875,7 +906,9 @@ _kdc_do_kaserver(krb5_context context, goto out; } - krb5_ret_int32(sp, &op); + ret = krb5_ret_uint32(sp, &op); + if (ret) + goto out; switch (op) { case AUTHENTICATE : case AUTHENTICATE_V2 : diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h index c718b1fd52..251e06b14a 100644 --- a/source4/heimdal/kdc/kdc-private.h +++ b/source4/heimdal/kdc/kdc-private.h @@ -28,8 +28,8 @@ krb5_error_code _kdc_db_fetch ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, - krb5_principal /*principal*/, - enum hdb_ent_type /*ent_type*/, + krb5_const_principal /*principal*/, + unsigned /*flags*/, hdb_entry_ex **/*h*/); krb5_error_code @@ -39,7 +39,7 @@ _kdc_db_fetch4 ( const char */*name*/, const char */*instance*/, const char */*realm*/, - enum hdb_ent_type /*ent_type*/, + unsigned /*flags*/, hdb_entry_ex **/*ent*/); krb5_error_code diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index 3d25729d4e..2948570e3a 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h @@ -35,7 +35,7 @@ */ /* - * $Id: kdc.h,v 1.5 2005/10/21 17:11:21 lha Exp $ + * $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $ */ #ifndef __KDC_H__ @@ -72,6 +72,7 @@ typedef struct krb5_kdc_configuration { krb5_boolean enable_pkinit; krb5_boolean enable_pkinit_princ_in_cert; + char *pkinit_kdc_ocsp_file; krb5_log_facility *logf; diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index 030405adc2..4ece1a47d6 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,11 +35,11 @@ #include <krb5-v4compat.h> -RCSID("$Id: kerberos4.c,v 1.57 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $"); #ifndef swap32 -static u_int32_t -swap32(u_int32_t x) +static uint32_t +swap32(uint32_t x) { return ((x << 24) & 0xff000000) | ((x << 8) & 0xff0000) | @@ -62,12 +62,17 @@ make_err_reply(krb5_context context, krb5_data *reply, kdc_time, code, msg, reply); } +struct valid_princ_ctx { + krb5_kdc_configuration *config; + unsigned flags; +}; + static krb5_boolean valid_princ(krb5_context context, void *funcctx, krb5_principal princ) { - krb5_kdc_configuration *config = funcctx; + struct valid_princ_ctx *ctx = funcctx; krb5_error_code ret; char *s; hdb_entry_ex *ent; @@ -75,14 +80,14 @@ valid_princ(krb5_context context, ret = krb5_unparse_name(context, princ, &s); if (ret) return FALSE; - ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_ANY, &ent); + ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent); if (ret) { - kdc_log(context, config, 7, "Lookup %s failed: %s", s, + kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s, krb5_get_err_text (context, ret)); free(s); return FALSE; } - kdc_log(context, config, 7, "Lookup %s succeeded", s); + kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s); free(s); _kdc_free_ent(context, ent); return TRUE; 
@@ -90,19 +95,23 @@ valid_princ(krb5_context context, krb5_error_code _kdc_db_fetch4(krb5_context context, - krb5_kdc_configuration *config, - const char *name, const char *instance, const char *realm, - enum hdb_ent_type ent_type, - hdb_entry_ex **ent) + krb5_kdc_configuration *config, + const char *name, const char *instance, const char *realm, + unsigned flags, + hdb_entry_ex **ent) { krb5_principal p; krb5_error_code ret; + struct valid_princ_ctx ctx; + + ctx.config = config; + ctx.flags = flags; ret = krb5_425_conv_principal_ext2(context, name, instance, realm, - valid_princ, config, 0, &p); + valid_princ, &ctx, 0, &p); if(ret) return ret; - ret = _kdc_db_fetch(context, config, p, ent_type, ent); + ret = _kdc_db_fetch(context, config, p, flags, ent); krb5_free_principal(context, p); return ret; } @@ -135,7 +144,7 @@ _kdc_do_version4(krb5_context context, char *sname = NULL, *sinst = NULL; int32_t req_time; time_t max_life; - u_int8_t life; + uint8_t life; char client_name[256]; char server_name[256]; @@ -171,7 +180,7 @@ _kdc_do_version4(krb5_context context, RCHECK(krb5_ret_int32(sp, &req_time), out1); if(lsb) req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out1); + RCHECK(krb5_ret_uint8(sp, &life), out1); RCHECK(krb5_ret_stringz(sp, &sname), out1); RCHECK(krb5_ret_stringz(sp, &sinst), out1); snprintf (client_name, sizeof(client_name), @@ -182,7 +191,8 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch4(context, config, name, inst, realm, + HDB_F_GET_CLIENT, &client); if(ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); 
@@ -190,8 +200,8 @@ _kdc_do_version4(krb5_context context, "principal unknown"); goto out1; } - ret = _kdc_db_fetch4(context, config, sname, sinst, - config->v4_realm, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, + HDB_F_GET_SERVER, &server); if(ret){ kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -361,7 +371,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch(context, config, tgt_princ, HDB_ENT_TYPE_SERVER, &tgt); + ret = _kdc_db_fetch(context, config, tgt_princ, + HDB_F_GET_KRBTGT, &tgt); if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " @@ -418,7 +429,7 @@ _kdc_do_version4(krb5_context context, RCHECK(krb5_ret_int32(sp, &req_time), out2); if(lsb) req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out2); + RCHECK(krb5_ret_uint8(sp, &life), out2); RCHECK(krb5_ret_stringz(sp, &sname), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2); snprintf (server_name, sizeof(server_name), @@ -456,7 +467,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, + HDB_F_GET_CLIENT, &client); if(ret && ret != HDB_ERR_NOENTRY) { char *s; s = kdc_log_msg(context, config, 0, @@ -476,8 +488,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, - HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, + HDB_F_GET_SERVER, &server); if(ret){ char *s; s = kdc_log_msg(context, config, 0, diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 68720d692e..877b88c155 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c 
@@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.211 2006/04/27 12:01:09 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -120,7 +120,9 @@ static krb5_error_code find_keys(krb5_context context, krb5_kdc_configuration *config, const hdb_entry_ex *client, - const hdb_entry_ex *server, + const char *client_name, + const hdb_entry_ex *server, + const char *server_name, Key **ckey, krb5_enctype *cetype, Key **skey, @@ -128,20 +130,14 @@ find_keys(krb5_context context, krb5_enctype *etypes, unsigned num_etypes) { - char unparse_name[] = "krb5_unparse_name failed"; krb5_error_code ret; - char *name; if(client){ /* find client key */ ret = find_etype(context, client, etypes, num_etypes, ckey, cetype); if (ret) { - if (krb5_unparse_name(context, client->entry.principal, &name) != 0) - name = unparse_name; kdc_log(context, config, 0, - "Client (%s) has no support for etypes", name); - if (name != unparse_name) - free(name); + "Client (%s) has no support for etypes", client_name); return ret; } } @@ -150,12 +146,8 @@ find_keys(krb5_context context, /* find server key */ ret = find_etype(context, server, etypes, num_etypes, skey, setype); if (ret) { - if (krb5_unparse_name(context, server->entry.principal, &name) != 0) - name = unparse_name; kdc_log(context, config, 0, - "Server (%s) has no support for etypes", name); - if (name != unparse_name) - free(name); + "Server (%s) has no support for etypes", server_name); return ret; } } @@ -243,6 +235,9 @@ log_patypes(krb5_context context, return; } } + if (p == NULL) + p = rk_strpoolprintf(p, "none"); + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client sent patypes: %s", str); free(str); 
@@ -899,7 +894,8 @@ _kdc_as_rep(krb5_context context, kdc_log(context, config, 0, "AS-REQ %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch(context, config, client_princ, + HDB_F_GET_CLIENT, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -907,7 +903,8 @@ _kdc_as_rep(krb5_context context, goto out; } - ret = _kdc_db_fetch(context, config, server_princ, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch(context, config, server_princ, + HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &server); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -1166,6 +1163,7 @@ _kdc_as_rep(krb5_context context, * - If the client is 'modern', because it knows about 'new' * enctype types, then only send the 'info2' reply. */ + /* XXX check ret */ if (only_older_enctype_p(req)) ret = get_pa_etype_info(context, config, @@ -1200,12 +1198,12 @@ _kdc_as_rep(krb5_context context, } ret = find_keys(context, config, - client, server, &ckey, &cetype, &skey, &setype, + client, client_name, + server, server_name, + &ckey, &cetype, &skey, &setype, b->etype.val, b->etype.len); - if(ret) { - kdc_log(context, config, 0, "Server/client has no support for etypes"); + if(ret) goto out; - } { struct rk_strpool *p = NULL; @@ -1226,6 +1224,9 @@ _kdc_as_rep(krb5_context context, goto out; } } + if (p == NULL) + p = rk_strpoolprintf(p, "no encryption types"); + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client supported enctypes: %s", str); free(str); @@ -1757,6 +1758,7 @@ tgs_make_reply(krb5_context context, AuthorizationData *auth_data, krb5_ticket *tgs_ticket, hdb_entry_ex *server, + const char *server_name, hdb_entry_ex *client, krb5_principal client_principal, hdb_entry_ex *krbtgt, 
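Review bot: The added `/* XXX check ret */` in _kdc_as_rep records that get_pa_etype_info's return value goes unchecked instead of checking it, so a failed pre-auth info construction is presumably dropped from the reply without surfacing an error. The call sits in an if/else whose other arm and the lines after it are outside the hunk; once both arms have assigned `ret`, add `if (ret) goto out;` there, matching how the `find_keys` result is handled in the `@@ -1200` hunk of this same file. _kdc_as_rep continues outside the hunk.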
@@ -1788,12 +1790,11 @@ tgs_make_reply(krb5_context context, etype = b->etype.val[i]; }else{ ret = find_keys(context, config, - NULL, server, NULL, NULL, &skey, &etype, + NULL, NULL, server, server_name, + NULL, NULL, &skey, &etype, b->etype.val, b->etype.len); - if(ret) { - kdc_log(context, config, 0, "Server has no support for etypes"); + if(ret) return ret; - } ekey = &skey->key; } @@ -2140,7 +2141,7 @@ tgs_rep2(krb5_context context, ap_req.ticket.sname, ap_req.ticket.realm); - ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_SERVER, &krbtgt); + ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt); if(ret) { char *p; @@ -2340,7 +2341,8 @@ tgs_rep2(krb5_context context, goto out2; } _krb5_principalname2krb5_principal(&p, t->sname, t->realm); - ret = _kdc_db_fetch(context, config, p, HDB_ENT_TYPE_SERVER, &uu); + ret = _kdc_db_fetch(context, config, p, + HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu); krb5_free_principal(context, p); if(ret){ if (ret == HDB_ERR_NOENTRY) @@ -2381,7 +2383,7 @@ tgs_rep2(krb5_context context, kdc_log(context, config, 0, "TGS-REQ %s from %s for %s", cpn, from, spn); server_lookup: - ret = _kdc_db_fetch(context, config, sp, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server); if(ret){ const char *new_rlm; 
@@ -2430,24 +2432,28 @@ tgs_rep2(krb5_context context, goto out; } - ret = _kdc_db_fetch(context, config, cp, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client); if(ret) kdc_log(context, config, 1, "Client not found in database: %s: %s", cpn, krb5_get_err_text(context, ret)); -#if 0 - /* XXX check client only if same realm as krbtgt-instance */ - if(ret){ - kdc_log(context, config, 0, - "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } -#endif + + /* + * If the client belongs to the same realm as our krbtgt, it + * should exist in the local database. + * + * If its not the same, check the "direction" on the krbtgt, + * so its not a backward uni-directional trust. + */ if(strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) { + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, 1)) == 0) { + if(ret) { + if (ret == HDB_ERR_NOENTRY) + ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + goto out; + } + } else { char *tpn; ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); kdc_log(context, config, 0, @@ -2491,6 +2497,7 @@ tgs_rep2(krb5_context context, auth_data, ticket, server, + spn, client, cp, krbtgt, diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 4d38e1f12d..a61c647f71 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -33,14 +33,15 @@ #include "kdc_locl.h" -RCSID("$Id: misc.c,v 1.27 2006/01/01 23:17:16 lha Exp $"); +RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $"); struct timeval _kdc_now; krb5_error_code _kdc_db_fetch(krb5_context context, krb5_kdc_configuration *config, - krb5_principal principal, enum hdb_ent_type ent_type, + krb5_const_principal principal, + unsigned flags, hdb_entry_ex **h) { hdb_entry_ex *ent; @@ -60,9 +61,8 @@ _kdc_db_fetch(krb5_context context, } ret = config->db[i]->hdb_fetch(context, config->db[i], - HDB_F_DECRYPT, - principal, - ent_type, + principal, + flags | HDB_F_DECRYPT, ent); config->db[i]->hdb_close(context, config->db[i]); if(ret == 0) { diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 3f064f9d50..c220e70ddd 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.59 2006/04/22 12:10:16 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $"); #ifdef PKINIT @@ -82,6 +82,12 @@ static struct krb5_pk_identity *kdc_identity; static struct pk_principal_mapping principal_mappings; static struct krb5_dh_moduli **moduli; +static struct { + krb5_data data; + time_t expire; + time_t next_update; +} ocsp; + /* * */ @@ -260,7 +266,6 @@ get_dh_param(krb5_context context, DomainParameters dhparam; DH *dh = NULL; krb5_error_code ret; - int dhret; memset(&dhparam, 0, sizeof(dhparam)); @@ -338,14 +343,6 @@ get_dh_param(krb5_context context, goto out; } - - if (DH_check_pubkey(dh, client_params->dh_public_key, &dhret) != 1 || - dhret != 0) { - krb5_set_error_string(context, "PKINIT DH data not ok"); - ret = KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - goto out; - } - client_params->dh = dh; dh = NULL; ret = 0; 
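Review bot: The `@@ -338` hunk deletes the `DH_check_pubkey` test on `client_params->dh_public_key` together with its `KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED` error path, and nothing else in this diff validates the client-supplied public value before `client_params->dh = dh;`. Unless that check moved into a callee not shown here, the KDC now accepts any DH public value from the PA-PK-AS-REQ, including degenerate values that make the derived shared secret predictable. If the validation was intentionally relocated, a one-line comment at the assignment naming where it now lives (`/* dh_public_key is validated in <helper-name> */`) would stop the next reader from re-adding it; otherwise the removed block should be restored. get_dh_param starts outside the hunk.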
@@ -754,7 +751,8 @@ pk_mk_pa_reply_dh(krb5_context context, DH *kdc_dh, pk_client_params *client_params, krb5_keyblock *reply_key, - ContentInfo *content_info) + ContentInfo *content_info, + hx509_cert *kdc_cert) { KDCDHKeyInfo dh_info; krb5_data signed_data, buf; @@ -768,6 +766,8 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_data_zero(&buf); krb5_data_zero(&signed_data); + *kdc_cert = NULL; + ret = BN_to_integer(context, kdc_dh->pub_key, &i); if (ret) return ret; @@ -803,8 +803,8 @@ pk_mk_pa_reply_dh(krb5_context context, */ { - hx509_cert cert; hx509_query *q; + hx509_cert cert; ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); if (ret) @@ -830,7 +830,7 @@ pk_mk_pa_reply_dh(krb5_context context, kdc_identity->anchors, kdc_identity->certpool, &signed_data); - hx509_cert_free(cert); + *kdc_cert = cert; } if (ret) goto out; @@ -843,6 +843,11 @@ pk_mk_pa_reply_dh(krb5_context context, goto out; out: + if (ret && *kdc_cert) { + hx509_cert_free(*kdc_cert); + *kdc_cert = NULL; + } + krb5_data_free(&buf); krb5_data_free(&signed_data); free_KDCDHKeyInfo(&dh_info); @@ -869,6 +874,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, size_t len, size; krb5_enctype enctype; int pa_type; + hx509_cert kdc_cert = NULL; int i; if (!config->enable_pkinit) { @@ -947,7 +953,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = pk_mk_pa_reply_dh(context, client_params->dh, client_params, &client_params->reply_key, - &info); + &info, + &kdc_cert); ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data, rep.u.dhInfo.dhSignedData.length, &info, &size, 
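Review bot: The new `hx509_cert *kdc_cert` out-parameter of pk_mk_pa_reply_dh transfers ownership of the signing certificate to the caller, but the signature carries no comment saying so; the `out:` hunk shows the cert is released only when `ret` is non-zero, so on success the caller must free it. Add above the function: `/* On success *kdc_cert holds the KDC signing cert; caller releases it with hx509_cert_free(). On failure it is NULL. */`. pk_mk_pa_reply_dh's body continues outside the hunks.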
@@ -982,48 +989,43 @@ _kdc_pk_mk_pa_reply(krb5_context context, } else if (client_params->type == PKINIT_COMPAT_WIN2K) { PA_PK_AS_REP_Win2k rep; - - pa_type = KRB5_PADATA_PK_AS_REP_19; - - memset(&rep, 0, sizeof(rep)); + ContentInfo info; if (client_params->dh) { - krb5_set_error_string(context, "DH -27 not implemented"); + krb5_set_error_string(context, "Windows PK-INIT doesn't support DH"); ret = KRB5KRB_ERR_GENERIC; - } else { - rep.element = choice_PA_PK_AS_REP_encKeyPack; - ContentInfo info; + goto out; + } - krb5_generate_random_keyblock(context, enctype, - &client_params->reply_key); - ret = pk_mk_pa_reply_enckey(context, - client_params, - req, - req_buffer, - &client_params->reply_key, - &info); - if (ret) { - free_PA_PK_AS_REP_Win2k(&rep); - goto out; - } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, - ret); - free_ContentInfo(&info); - if (ret) { - krb5_set_error_string(context, "encoding of Key ContentInfo " - "failed %d", ret); - free_PA_PK_AS_REP_Win2k(&rep); - goto out; - } - if (rep.u.encKeyPack.length != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + memset(&rep, 0, sizeof(rep)); + pa_type = KRB5_PADATA_PK_AS_REP_19; + rep.element = choice_PA_PK_AS_REP_encKeyPack; + + krb5_generate_random_keyblock(context, enctype, + &client_params->reply_key); + ret = pk_mk_pa_reply_enckey(context, + client_params, + req, + req_buffer, + &client_params->reply_key, + &info); + if (ret) { + free_PA_PK_AS_REP_Win2k(&rep); + goto out; } + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, + ret); + free_ContentInfo(&info); if (ret) { + krb5_set_error_string(context, "encoding of Key ContentInfo " + "failed %d", ret); free_PA_PK_AS_REP_Win2k(&rep); goto out; } + if (rep.u.encKeyPack.length != size) + krb5_abortx(context, "Internal ASN.1 encoder error"); ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret); free_PA_PK_AS_REP_Win2k(&rep); 
@@ -1041,11 +1043,88 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = krb5_padata_add(context, md, pa_type, buf, len); if (ret) { - krb5_set_error_string(context, "failed adding " - "PA-PK-AS-REP-19 %d", ret); + krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret); free(buf); + goto out; } - out: + + if (config->pkinit_kdc_ocsp_file) { + + if (ocsp.expire == 0 && ocsp.next_update > kdc_time) { + struct stat sb; + int fd; + + krb5_data_free(&ocsp.data); + + ocsp.expire = 0; + + fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY); + if (fd < 0) { + kdc_log(context, config, 0, + "PK-INIT failed to open ocsp data file %d", errno); + goto out_ocsp; + } + ret = fstat(fd, &sb); + if (ret) { + ret = errno; + close(fd); + kdc_log(context, config, 0, + "PK-INIT failed to stat ocsp data %d", ret); + goto out_ocsp; + } + + ret = krb5_data_alloc(&ocsp.data, sb.st_size); + if (ret) { + close(fd); + kdc_log(context, config, 0, + "PK-INIT failed to stat ocsp data %d", ret); + goto out_ocsp; + } + ocsp.data.length = sb.st_size; + ret = read(fd, ocsp.data.data, sb.st_size); + close(fd); + if (ret != sb.st_size) { + kdc_log(context, config, 0, + "PK-INIT failed to read ocsp data %d", errno); + goto out_ocsp; + } + + ret = hx509_ocsp_verify(kdc_identity->hx509ctx, + kdc_time, + kdc_cert, + 0, + ocsp.data.data, ocsp.data.length, + &ocsp.expire); + if (ret) { + kdc_log(context, config, 0, + "PK-INIT failed to verify ocsp data %d", ret); + krb5_data_free(&ocsp.data); + ocsp.expire = 0; + } else if (ocsp.expire > 180) + ocsp.expire -= 180; /* refetch the ocsp before it expire */ + + out_ocsp: + ocsp.next_update = kdc_time + 3600; + ret = 0; + } + + if (ocsp.expire != 0 && ocsp.expire > kdc_time) { + + ret = krb5_padata_add(context, md, + KRB5_PADATA_PA_PK_OCSP_RESPONSE, + ocsp.data.data, ocsp.data.length); + if (ret) { + krb5_set_error_string(context, + "Failed adding OCSP response %d", ret); + goto out; + } + } + } + +out: + if (kdc_cert) + hx509_cert_free(kdc_cert); + if 
(ret == 0) *reply_key = &client_params->reply_key; return ret; @@ -1120,15 +1199,9 @@ _kdc_pk_check_client(krb5_context context, hx509_name name; int i; - if (config->enable_pkinit_princ_in_cert) { - ret = pk_principal_from_X509(context, config, - client_params->cert, - client_princ); - if (ret == 0) - return 0; - } - - ret = hx509_cert_get_subject(client_params->cert, &name); + ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, + client_params->cert, + &name); if (ret) return ret; @@ -1141,6 +1214,17 @@ _kdc_pk_check_client(krb5_context context, "Trying to authorize subject DN %s", *subject_name); + if (config->enable_pkinit_princ_in_cert) { + ret = pk_principal_from_X509(context, config, + client_params->cert, + client_princ); + if (ret == 0) { + kdc_log(context, config, 5, + "Found matching PK-INIT SAN in certificate"); + return 0; + } + } + for (i = 0; i < principal_mappings.len; i++) { krb5_boolean b; @@ -1231,6 +1315,14 @@ _kdc_pk_initialize(krb5_context context, return ret; } + ret = krb5_config_get_bool_default(context, + NULL, + FALSE, + "kdc", + "pki-allow-proxy-certificate", + NULL); + _krb5_pk_allow_proxy_certificate(kdc_identity, ret); + file = krb5_config_get_string_default(context, NULL, HDB_DB_DIR "/pki-mapping", diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h index ab8ec80523..370e33732f 100644 --- a/source4/heimdal/kdc/rx.h +++ b/source4/heimdal/kdc/rx.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */ +/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */ #ifndef __RX_H__ #define __RX_H__ 
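Review bot: The OCSP refresh guard `if (ocsp.expire == 0 && ocsp.next_update > kdc_time)` looks inverted: `ocsp` is a zero-initialised static, so on the first request `next_update` (0) is not greater than `kdc_time` and the file is never read, while after a failed verify (`expire` reset to 0, `next_update = kdc_time + 3600`) it is re-read on every request for an hour and then never again, and after a successful load `expire` never returns to 0 so the response is never refreshed once it lapses. Unless `next_update` is primed elsewhere, the presumably intended test is `if (ocsp.expire <= kdc_time && ocsp.next_update <= kdc_time)`. Two smaller points in the same block: `ret = read(fd, ocsp.data.data, sb.st_size);` stores a `ssize_t` in `krb5_error_code` and treats a short read as failure instead of looping, and the alloc-failure log reuses the "failed to stat" message. Also `kdc_cert` is only assigned on the DH path, so on the encKeyPack path `hx509_ocsp_verify` receives a NULL `kdc_cert`; confirm that is accepted or guard the OCSP block with `kdc_cert != NULL`. _kdc_pk_mk_pa_reply starts outside the hunk.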
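Review bot: In the `@@ -1231` hunk the boolean from `krb5_config_get_bool_default` is parked in `ret`, the same variable the visible `return ret;` above returns as an error code, before being handed to `_krb5_pk_allow_proxy_certificate`; a reader scanning for error handling will misread the assignment. A dedicated local keeps the two meanings apart: `krb5_boolean allow_proxy = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "pki-allow-proxy-certificate", NULL);` followed by `_krb5_pk_allow_proxy_certificate(kdc_identity, allow_proxy);`. _kdc_pk_initialize starts and ends outside the hunk.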
@@ -59,17 +59,17 @@ enum rx_header_flag { }; struct rx_header { - u_int32_t epoch; - u_int32_t connid; /* And channel ID */ - u_int32_t callid; - u_int32_t seqno; - u_int32_t serialno; + uint32_t epoch; + uint32_t connid; /* And channel ID */ + uint32_t callid; + uint32_t seqno; + uint32_t serialno; u_char type; u_char flags; u_char status; u_char secindex; - u_int16_t reserved; /* ??? verifier? */ - u_int16_t serviceid; + uint16_t reserved; /* ??? verifier? */ + uint16_t serviceid; /* This should be the other way around according to everything but */ /* tcpdump */ }; diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c index 0bf3cdafdb..e498d8f965 100644 --- a/source4/heimdal/lib/asn1/parse.c +++ b/source4/heimdal/lib/asn1/parse.c @@ -247,7 +247,7 @@ #include "gen_locl.h" #include "der.h" -RCSID("$Id: parse.y,v 1.27 2005/12/14 09:44:36 lha Exp $"); +RCSID("$Id: parse.y,v 1.28 2006/04/28 10:51:35 lha Exp $"); static Type *new_type (Typetype t); static struct constraint_spec *new_constraint_spec(enum ctype); @@ -538,13 +538,13 @@ static const unsigned short int yyrline[] = 327, 328, 331, 338, 348, 353, 360, 368, 374, 379, 383, 396, 404, 407, 414, 422, 428, 435, 442, 448, 456, 464, 470, 478, 486, 493, 494, 497, 508, 513, - 520, 536, 541, 543, 544, 547, 553, 561, 571, 577, - 590, 599, 602, 606, 610, 617, 620, 624, 631, 642, - 645, 650, 655, 660, 665, 670, 678, 684, 689, 700, - 711, 717, 723, 731, 737, 744, 757, 758, 761, 768, - 771, 782, 786, 797, 803, 804, 807, 808, 809, 810, - 811, 814, 817, 820, 831, 839, 845, 853, 861, 864, - 869 + 520, 536, 542, 545, 546, 549, 555, 563, 573, 579, + 592, 601, 604, 608, 612, 619, 622, 626, 633, 644, + 647, 652, 657, 662, 667, 672, 680, 686, 691, 702, + 713, 719, 725, 733, 739, 746, 759, 760, 763, 770, + 773, 784, 788, 799, 805, 806, 809, 810, 811, 812, + 813, 816, 819, 822, 833, 841, 847, 855, 863, 866, + 871 }; #endif 
@@ -1752,7 +1752,7 @@ yyreduce: break; case 75: -#line 548 "parse.y" +#line 550 "parse.y" { (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS); (yyval.constraint_spec)->u.content.type = (yyvsp[0].type); @@ -1761,7 +1761,7 @@ yyreduce: break; case 76: -#line 554 "parse.y" +#line 556 "parse.y" { if ((yyvsp[0].value)->type != objectidentifiervalue) error_message("Non-OID used in ENCODED BY constraint"); @@ -1772,7 +1772,7 @@ yyreduce: break; case 77: -#line 562 "parse.y" +#line 564 "parse.y" { if ((yyvsp[0].value)->type != objectidentifiervalue) error_message("Non-OID used in ENCODED BY constraint"); @@ -1783,14 +1783,14 @@ yyreduce: break; case 78: -#line 572 "parse.y" +#line 574 "parse.y" { (yyval.constraint_spec) = new_constraint_spec(CT_USER); } break; case 79: -#line 578 "parse.y" +#line 580 "parse.y" { (yyval.type) = new_type(TTag); (yyval.type)->tag = (yyvsp[-2].tag); @@ -1804,7 +1804,7 @@ yyreduce: break; case 80: -#line 591 "parse.y" +#line 593 "parse.y" { (yyval.tag).tagclass = (yyvsp[-2].constant); (yyval.tag).tagvalue = (yyvsp[-1].constant); @@ -1813,56 +1813,56 @@ yyreduce: break; case 81: -#line 599 "parse.y" +#line 601 "parse.y" { (yyval.constant) = ASN1_C_CONTEXT; } break; case 82: -#line 603 "parse.y" +#line 605 "parse.y" { (yyval.constant) = ASN1_C_UNIV; } break; case 83: -#line 607 "parse.y" +#line 609 "parse.y" { (yyval.constant) = ASN1_C_APPL; } break; case 84: -#line 611 "parse.y" +#line 613 "parse.y" { (yyval.constant) = ASN1_C_PRIVATE; } break; case 85: -#line 617 "parse.y" +#line 619 "parse.y" { (yyval.constant) = TE_EXPLICIT; } break; case 86: -#line 621 "parse.y" +#line 623 "parse.y" { (yyval.constant) = TE_EXPLICIT; } break; case 87: -#line 625 "parse.y" +#line 627 "parse.y" { (yyval.constant) = TE_IMPLICIT; } break; case 88: -#line 632 "parse.y" +#line 634 "parse.y" { Symbol *s; s = addsym ((yyvsp[-3].name)); 
@@ -1874,7 +1874,7 @@ yyreduce: break; case 90: -#line 646 "parse.y" +#line 648 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, TE_EXPLICIT, new_type(TGeneralString)); @@ -1882,7 +1882,7 @@ yyreduce: break; case 91: -#line 651 "parse.y" +#line 653 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, TE_EXPLICIT, new_type(TUTF8String)); @@ -1890,7 +1890,7 @@ yyreduce: break; case 92: -#line 656 "parse.y" +#line 658 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, TE_EXPLICIT, new_type(TPrintableString)); @@ -1898,7 +1898,7 @@ yyreduce: break; case 93: -#line 661 "parse.y" +#line 663 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, TE_EXPLICIT, new_type(TIA5String)); @@ -1906,7 +1906,7 @@ yyreduce: break; case 94: -#line 666 "parse.y" +#line 668 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, TE_EXPLICIT, new_type(TBMPString)); @@ -1914,7 +1914,7 @@ yyreduce: break; case 95: -#line 671 "parse.y" +#line 673 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, TE_EXPLICIT, new_type(TUniversalString)); @@ -1922,7 +1922,7 @@ yyreduce: break; case 96: -#line 679 "parse.y" +#line 681 "parse.y" { (yyval.members) = emalloc(sizeof(*(yyval.members))); ASN1_TAILQ_INIT((yyval.members)); @@ -1931,7 +1931,7 @@ yyreduce: break; case 97: -#line 685 "parse.y" +#line 687 "parse.y" { ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members); (yyval.members) = (yyvsp[-2].members); @@ -1939,7 +1939,7 @@ yyreduce: break; case 98: -#line 690 "parse.y" +#line 692 "parse.y" { struct member *m = ecalloc(1, sizeof(*m)); m->name = estrdup("..."); @@ -1951,7 +1951,7 @@ yyreduce: break; case 99: -#line 701 "parse.y" +#line 703 "parse.y" { (yyval.member) = emalloc(sizeof(*(yyval.member))); (yyval.member)->name = (yyvsp[-1].name); @@ -1963,7 +1963,7 @@ yyreduce: break; case 100: -#line 712 "parse.y" +#line 714 "parse.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->optional = 0; 
@@ -1972,7 +1972,7 @@ yyreduce: break; case 101: -#line 718 "parse.y" +#line 720 "parse.y" { (yyval.member) = (yyvsp[-1].member); (yyval.member)->optional = 1; @@ -1981,7 +1981,7 @@ yyreduce: break; case 102: -#line 724 "parse.y" +#line 726 "parse.y" { (yyval.member) = (yyvsp[-2].member); (yyval.member)->optional = 0; @@ -1990,7 +1990,7 @@ yyreduce: break; case 103: -#line 732 "parse.y" +#line 734 "parse.y" { (yyval.members) = emalloc(sizeof(*(yyval.members))); ASN1_TAILQ_INIT((yyval.members)); @@ -1999,7 +1999,7 @@ yyreduce: break; case 104: -#line 738 "parse.y" +#line 740 "parse.y" { ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members); (yyval.members) = (yyvsp[-2].members); @@ -2007,7 +2007,7 @@ yyreduce: break; case 105: -#line 745 "parse.y" +#line 747 "parse.y" { (yyval.member) = emalloc(sizeof(*(yyval.member))); (yyval.member)->name = (yyvsp[-3].name); @@ -2021,26 +2021,26 @@ yyreduce: break; case 107: -#line 758 "parse.y" +#line 760 "parse.y" { (yyval.objid) = NULL; } break; case 108: -#line 762 "parse.y" +#line 764 "parse.y" { (yyval.objid) = (yyvsp[-1].objid); } break; case 109: -#line 768 "parse.y" +#line 770 "parse.y" { (yyval.objid) = NULL; } break; case 110: -#line 772 "parse.y" +#line 774 "parse.y" { if ((yyvsp[0].objid)) { (yyval.objid) = (yyvsp[0].objid); @@ -2052,14 +2052,14 @@ yyreduce: break; case 111: -#line 783 "parse.y" +#line 785 "parse.y" { (yyval.objid) = new_objid((yyvsp[-3].name), (yyvsp[-1].constant)); } break; case 112: -#line 787 "parse.y" +#line 789 "parse.y" { Symbol *s = addsym((yyvsp[0].name)); if(s->stype != SValue || @@ -2073,14 +2073,14 @@ yyreduce: break; case 113: -#line 798 "parse.y" +#line 800 "parse.y" { (yyval.objid) = new_objid(NULL, (yyvsp[0].constant)); } break; case 123: -#line 821 "parse.y" +#line 823 "parse.y" { Symbol *s = addsym((yyvsp[0].name)); if(s->stype != SValue) 
@@ -2092,7 +2092,7 @@ yyreduce: break; case 124: -#line 832 "parse.y" +#line 834 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = stringvalue; @@ -2101,7 +2101,7 @@ yyreduce: break; case 125: -#line 840 "parse.y" +#line 842 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = booleanvalue; @@ -2110,7 +2110,7 @@ yyreduce: break; case 126: -#line 846 "parse.y" +#line 848 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = booleanvalue; @@ -2119,7 +2119,7 @@ yyreduce: break; case 127: -#line 854 "parse.y" +#line 856 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = integervalue; @@ -2128,13 +2128,13 @@ yyreduce: break; case 129: -#line 865 "parse.y" +#line 867 "parse.y" { } break; case 130: -#line 870 "parse.y" +#line 872 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = objectidentifiervalue; @@ -2374,7 +2374,7 @@ yyreturn: } -#line 877 "parse.y" +#line 879 "parse.y" void diff --git a/source4/heimdal/lib/asn1/pkcs9.asn1 b/source4/heimdal/lib/asn1/pkcs9.asn1 index bcc8f50398..e6df32f65d 100644 --- a/source4/heimdal/lib/asn1/pkcs9.asn1 +++ b/source4/heimdal/lib/asn1/pkcs9.asn1 @@ -1,4 +1,4 @@ --- $Id: pkcs9.asn1,v 1.3 2005/07/23 10:38:28 lha Exp $ -- +-- $Id: pkcs9.asn1,v 1.5 2006/04/24 08:59:10 lha Exp $ -- PKCS9 DEFINITIONS ::= @@ -9,6 +9,7 @@ BEGIN id-pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) } +id-pkcs9-emailAddress OBJECT IDENTIFIER ::= {id-pkcs-9 1 } id-pkcs9-contentType OBJECT IDENTIFIER ::= {id-pkcs-9 3 } id-pkcs9-messageDigest OBJECT IDENTIFIER ::= {id-pkcs-9 4 } id-pkcs9-signingTime OBJECT IDENTIFIER ::= {id-pkcs-9 5 } diff --git a/source4/heimdal/lib/des/aes.h b/source4/heimdal/lib/des/aes.h index 8a62c6461d..3ea1c141be 100755 --- a/source4/heimdal/lib/des/aes.h +++ b/source4/heimdal/lib/des/aes.h 
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: aes.h,v 1.5 2006/01/08 21:47:27 lha Exp $ */
+/* $Id: aes.h,v 1.6 2006/05/05 11:06:35 lha Exp $ */
 
 #ifndef HEIM_AES_H
 #define HEIM_AES_H 1
@@ -54,7 +54,7 @@
 #define AES_DECRYPT 0
 
 typedef struct aes_key {
-    u_int32_t key[(AES_MAXNR+1)*4];
+    uint32_t key[(AES_MAXNR+1)*4];
     int rounds;
 } AES_KEY;
 
diff --git a/source4/heimdal/lib/des/des.c b/source4/heimdal/lib/des/des.c
index 32d479e372..5b1f5c29f4 100644
--- a/source4/heimdal/lib/des/des.c
+++ b/source4/heimdal/lib/des/des.c
@@ -45,7 +45,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: des.c,v 1.17 2006/04/14 14:19:36 lha Exp $");
+RCSID("$Id: des.c,v 1.18 2006/04/24 14:26:19 lha Exp $");
 #endif
 
 #include <stdio.h>
@@ -513,9 +513,10 @@ DES_cfb64_encrypt(const void *in, void *out,
 
     load(*iv, uiv);
 
+    assert(*num >= 0 && *num < DES_CBLOCK_LEN);
+
     if (forward_encrypt) {
 	int i = *num;
-	assert(i >= 0);
 
 	while (length > 0) {
 	    if (i == 0)
@@ -537,7 +538,6 @@ DES_cfb64_encrypt(const void *in, void *out,
     } else {
 	int i = *num;
 	unsigned char c;
-	assert(i >= 0);
 
 	while (length > 0) {
 	    if (i == 0) {
diff --git a/source4/heimdal/lib/des/dh.h b/source4/heimdal/lib/des/dh.h
index 419c7d8902..105d298bc3 100644
--- a/source4/heimdal/lib/des/dh.h
+++ b/source4/heimdal/lib/des/dh.h
@@ -32,7 +32,7 @@
  */
 
 /*
- * $Id: dh.h,v 1.5 2006/04/20 18:16:17 lha Exp $
+ * $Id: dh.h,v 1.6 2006/05/06 13:11:15 lha Exp $
  */
 
 #ifndef _HEIM_DH_H
@@ -40,6 +40,7 @@
 
 /* symbol renaming */
 #define DH_null_method hc_DH_null_method
+#define DH_imath_method hc_DH_imath_method
 #define DH_new hc_DH_new
 #define DH_new_method hc_DH_new_method
 #define DH_free hc_DH_free
@@ -113,6 +114,7 @@ struct DH {
  */
 
 const DH_METHOD *DH_null_method(void);
+const DH_METHOD *DH_imath_method(void);
 DH * DH_new(void);
 DH * DH_new_method(ENGINE *);
 
diff --git a/source4/heimdal/lib/des/engine.h b/source4/heimdal/lib/des/engine.h
index 757d0f75fb..65588f7d78 100644
--- a/source4/heimdal/lib/des/engine.h
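Review bot: The new `assert(*num >= 0 && *num < DES_CBLOCK_LEN)` bounds the `*num` offset only in debug builds; under `NDEBUG` it compiles to nothing and an out-of-range `*num` still indexes the feedback block in both branches below, exactly as before the change. Since the OpenSSL-compatible signature is `void` and cannot report an error, the precondition should at least be stated where callers will see it, e.g. above the assert: `/* *num is caller-owned stream state and must be in [0, DES_CBLOCK_LEN); it is not validated in NDEBUG builds */`. The same consideration applies to the two `assert(mds == EVP_MD_size(md))` additions in the evp.c `EVP_BytesToKey` hunk, where `mds` is then used as the length passed to `EVP_DigestUpdate`. `DES_cfb64_encrypt` begins before the first hunk and continues after the second.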
+++ b/source4/heimdal/lib/des/engine.h
@@ -32,7 +32,7 @@
  */
 
 /*
- * $Id: engine.h,v 1.5 2006/04/17 13:16:17 lha Exp $
+ * $Id: engine.h,v 1.6 2006/05/06 12:34:36 lha Exp $
  */
 
 #ifndef _HEIM_ENGINE_H
@@ -55,6 +55,10 @@
 #define ENGINE_set_name hc_ENGINE_set_name
 #define ENGINE_set_destroy_function hc_ENGINE_set_destroy_function
 #define ENGINE_up_ref hc_ENGINE_up_ref
+#define ENGINE_get_default_DH hc_ENGINE_get_default_DH
+#define ENGINE_get_default_RSA hc_ENGINE_get_default_RSA
+#define ENGINE_set_default_DH hc_ENGINE_set_default_DH
+#define ENGINE_set_default_RSA hc_ENGINE_set_default_RSA
 
 /*
  *
diff --git a/source4/heimdal/lib/des/evp.c b/source4/heimdal/lib/des/evp.c
index 475bb7314e..fd6ac63ec2 100644
--- a/source4/heimdal/lib/des/evp.c
+++ b/source4/heimdal/lib/des/evp.c
@@ -841,11 +841,13 @@ EVP_BytesToKey(const EVP_CIPHER *type,
 	EVP_DigestUpdate(&c, salt, PKCS5_SALT_LEN);
 	EVP_DigestFinal_ex(&c, buf, &mds);
 
+	assert(mds == EVP_MD_size(md));
 	for (i = 1; i < count; i++) {
 	    EVP_DigestInit_ex(&c, md, NULL);
 	    EVP_DigestUpdate(&c, buf, mds);
 	    EVP_DigestFinal_ex(&c, buf, &mds);
+	    assert(mds == EVP_MD_size(md));
 	}
 
 	i = 0;
diff --git a/source4/heimdal/lib/des/hash.h b/source4/heimdal/lib/des/hash.h
index 24217a27a5..b6da9bd8e0 100644
--- a/source4/heimdal/lib/des/hash.h
+++ b/source4/heimdal/lib/des/hash.h
@@ -30,7 +30,7 @@
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* $Id: hash.h,v 1.3 2005/04/27 11:53:48 lha Exp $ */
+/* $Id: hash.h,v 1.4 2006/05/05 11:06:49 lha Exp $ */
 
 /* stuff in common between md4, md5, and sha1 */
 
@@ -61,8 +61,8 @@
 #define CRAYFIX(X) (X)
 #endif
 
-static inline u_int32_t
-cshift (u_int32_t x, unsigned int n)
+static inline uint32_t
+cshift (uint32_t x, unsigned int n)
 {
     x = CRAYFIX(x);
     return CRAYFIX((x << n) | (x >> (32 - n)));
diff --git a/source4/heimdal/lib/des/md4.c b/source4/heimdal/lib/des/md4.c
index 693b8f5c76..ded4fe12e8 100644
--- a/source4/heimdal/lib/des/md4.c
+++ b/source4/heimdal/lib/des/md4.c
@@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: md4.c,v 1.17 2005/04/27 11:54:56 lha Exp $");
+RCSID("$Id: md4.c,v 1.18 2006/05/05 10:22:04 lha Exp $");
 #endif
 
 #include "hash.h"
@@ -69,9 +69,9 @@ a = cshift(a + OP(b,c,d) + X[k] + i, s)
 #define DO3(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,H)
 
 static inline void
-calc (struct md4 *m, u_int32_t *data)
+calc (struct md4 *m, uint32_t *data)
 {
-    u_int32_t AA, BB, CC, DD;
+    uint32_t AA, BB, CC, DD;
 
     AA = A;
     BB = B;
@@ -155,10 +155,10 @@ calc (struct md4 *m, u_int32_t *data)
  */
 
 #if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
 {
-    u_int32_t temp1, temp2;
+    uint32_t temp1, temp2;
 
     temp1 = cshift(t, 16);
     temp2 = temp1 >> 8;
@@ -194,15 +194,15 @@ MD4_Update (struct md4 *m, const void *v, size_t len)
     if(offset == 64) {
 #if defined(WORDS_BIGENDIAN)
 	int i;
-	u_int32_t current[16];
+	uint32_t current[16];
 	struct x32 *u = (struct x32*)m->save;
 	for(i = 0; i < 8; i++){
-	    current[2*i+0] = swap_u_int32_t(u[i].a);
-	    current[2*i+1] = swap_u_int32_t(u[i].b);
+	    current[2*i+0] = swap_uint32_t(u[i].a);
+	    current[2*i+1] = swap_uint32_t(u[i].b);
 	}
 	calc(m, current);
 #else
-	calc(m, (u_int32_t*)m->save);
+	calc(m, (uint32_t*)m->save);
 #endif
 	offset = 0;
     }
@@ -241,10 +241,10 @@ MD4_Final (void *res, struct md4 *m)
 #if 0
     {
 	int i;
-	u_int32_t *r = (u_int32_t *)res;
+	uint32_t *r = (uint32_t *)res;
 
 	for (i = 0; i < 4; ++i)
-	    r[i] = swap_u_int32_t (m->counter[i]);
+	    r[i] = swap_uint32_t (m->counter[i]);
     }
 #endif
 }
diff --git a/source4/heimdal/lib/des/md4.h b/source4/heimdal/lib/des/md4.h
index 79055e0fb0..f8c011b9b7 100644
--- a/source4/heimdal/lib/des/md4.h
+++ b/source4/heimdal/lib/des/md4.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: md4.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md4.h,v 1.11 2006/05/05 11:07:01 lha Exp $ */
 
 #ifndef HEIM_MD4_H
 #define HEIM_MD4_H 1
@@ -49,7 +49,7 @@
 
 struct md4 {
   unsigned int sz[2];
-  u_int32_t counter[4];
+  uint32_t counter[4];
   unsigned char save[64];
 };
 
diff --git a/source4/heimdal/lib/des/md5.c b/source4/heimdal/lib/des/md5.c
index d5b7c245f6..e23d6c8fd7 100644
--- a/source4/heimdal/lib/des/md5.c
+++ b/source4/heimdal/lib/des/md5.c
@@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: md5.c,v 1.17 2005/04/27 11:54:35 lha Exp $");
+RCSID("$Id: md5.c,v 1.18 2006/05/05 10:22:35 lha Exp $");
 #endif
 
 #include "hash.h"
@@ -71,9 +71,9 @@ a = b + cshift(a + OP(b,c,d) + X[k] + (i), s)
 #define DO4(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,I)
 
 static inline void
-calc (struct md5 *m, u_int32_t *data)
+calc (struct md5 *m, uint32_t *data)
 {
-    u_int32_t AA, BB, CC, DD;
+    uint32_t AA, BB, CC, DD;
 
     AA = A;
     BB = B;
@@ -179,10 +179,10 @@ calc (struct md5 *m, u_int32_t *data)
  */
 
 #if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
 {
-    u_int32_t temp1, temp2;
+    uint32_t temp1, temp2;
 
     temp1 = cshift(t, 16);
     temp2 = temp1 >> 8;
@@ -218,15 +218,15 @@ MD5_Update (struct md5 *m, const void *v, size_t len)
     if(offset == 64){
 #if defined(WORDS_BIGENDIAN)
 	int i;
-	u_int32_t current[16];
+	uint32_t current[16];
 	struct x32 *u = (struct x32*)m->save;
 	for(i = 0; i < 8; i++){
-	    current[2*i+0] = swap_u_int32_t(u[i].a);
-	    current[2*i+1] = swap_u_int32_t(u[i].b);
+	    current[2*i+0] = swap_uint32_t(u[i].a);
+	    current[2*i+1] = swap_uint32_t(u[i].b);
 	}
 	calc(m, current);
 #else
-	calc(m, (u_int32_t*)m->save);
+	calc(m, (uint32_t*)m->save);
 #endif
 	offset = 0;
     }
@@ -265,10 +265,10 @@ MD5_Final (void *res, struct md5 *m)
 #if 0
     {
 	int i;
-	u_int32_t *r = (u_int32_t *)res;
+	uint32_t *r = (uint32_t *)res;
 
 	for (i = 0; i < 4; ++i)
-	    r[i] = swap_u_int32_t (m->counter[i]);
+	    r[i] = swap_uint32_t (m->counter[i]);
     }
 #endif
 }
diff --git a/source4/heimdal/lib/des/md5.h b/source4/heimdal/lib/des/md5.h
index 534bc9917e..54c34fe572 100644
--- a/source4/heimdal/lib/des/md5.h
+++ b/source4/heimdal/lib/des/md5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: md5.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md5.h,v 1.11 2006/05/05 11:07:11 lha Exp $ */
 
 #ifndef HEIM_MD5_H
 #define HEIM_MD5_H 1
@@ -49,7 +49,7 @@
 
 struct md5 {
   unsigned int sz[2];
-  u_int32_t counter[4];
+  uint32_t counter[4];
   unsigned char save[64];
 };
 
@@ -57,6 +57,6 @@ typedef struct md5 MD5_CTX;
 
 void MD5_Init (struct md5 *m);
 void MD5_Update (struct md5 *m, const void *p, size_t len);
-void MD5_Final (void *res, struct md5 *m); /* u_int32_t res[4] */
+void MD5_Final (void *res, struct md5 *m); /* uint32_t res[4] */
 
 #endif /* HEIM_MD5_H */
diff --git a/source4/heimdal/lib/des/pkcs5.c b/source4/heimdal/lib/des/pkcs5.c
index 4bfc313741..9ed494ef6f 100644
--- a/source4/heimdal/lib/des/pkcs5.c
+++ b/source4/heimdal/lib/des/pkcs5.c
@@ -35,7 +35,11 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: pkcs5.c,v 1.1 2006/02/28 14:16:57 lha Exp $");
+RCSID("$Id: pkcs5.c,v 1.3 2006/05/05 10:23:11 lha Exp $");
+
+#ifdef KRB5
+#include <krb5-types.h>
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -53,7 +57,7 @@ PKCS5_PBKDF2_HMAC_SHA1(const void * password, size_t password_len,
 {
     size_t datalen, leftofkey, checksumsize;
     char *data, *tmpcksum;
-    u_int32_t keypart;
+    uint32_t keypart;
     const EVP_MD *md;
     unsigned long i;
     int j;
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.c b/source4/heimdal/lib/des/rijndael-alg-fst.c
index 65b36ab741..d6e4f45c18 100755
--- a/source4/heimdal/lib/des/rijndael-alg-fst.c
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.c
@@ -31,7 +31,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
+RCSID("$Id: rijndael-alg-fst.c,v 1.3 2006/05/05 10:23:41 lha Exp $");
 #endif
 
 #ifdef KRB5
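Review bot: `<krb5-types.h>` is pulled in only under `#ifdef KRB5`, yet `keypart` in the second pkcs5.c hunk becomes `uint32_t` unconditionally, so a build without `KRB5` depends on some other header already providing the C99 fixed-width types; the `<stdio.h>` and `<stdlib.h>` includes that follow do not guarantee that. Either include `<stdint.h>` outside the guard or record what is expected to supply the type, e.g. on the `#ifdef` line: `/* krb5-types.h supplies uint32_t when built inside krb5 — TODO: confirm the provider for standalone builds */`. `PKCS5_PBKDF2_HMAC_SHA1` begins in the second hunk and continues outside it.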
@@ -41,9 +41,9 @@ RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
 #include <rijndael-alg-fst.h>
 
 /* the file should not be used from outside */
-typedef u_int8_t u8;
-typedef u_int16_t u16;
-typedef u_int32_t u32;
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
 
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.h b/source4/heimdal/lib/des/rijndael-alg-fst.h
index 6b6e2a5cd3..7e2e1935fd 100755
--- a/source4/heimdal/lib/des/rijndael-alg-fst.h
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.h
@@ -38,9 +38,9 @@
 #define RIJNDAEL_MAXKB (256/8)
 #define RIJNDAEL_MAXNR 14
 
-int rijndaelKeySetupEnc(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-int rijndaelKeySetupDec(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-void rijndaelEncrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t pt[16], u_int8_t ct[16]);
-void rijndaelDecrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t ct[16], u_int8_t pt[16]);
+int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+int rijndaelKeySetupDec(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t pt[16], uint8_t ct[16]);
+void rijndaelDecrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t ct[16], uint8_t pt[16]);
 
 #endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/source4/heimdal/lib/des/rnd_keys.c b/source4/heimdal/lib/des/rnd_keys.c
index e27b00defa..e58faefcb0 100644
--- a/source4/heimdal/lib/des/rnd_keys.c
+++ b/source4/heimdal/lib/des/rnd_keys.c
@@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: rnd_keys.c,v 1.70 2006/01/08 21:47:29 lha Exp $");
+RCSID("$Id: rnd_keys.c,v 1.71 2006/05/05 10:24:31 lha Exp $");
 #endif
 
 #ifdef KRB5
@@ -82,8 +82,8 @@
 static int
 sumFile (const char *name, int len, void *res)
 {
-  u_int32_t sum[2] = { 0, 0 };
-  u_int32_t buf[1024*2];
+  uint32_t sum[2] = { 0, 0 };
+  uint32_t buf[1024*2];
   int fd, i;
 
   fd = open (name, 0);
@@ -148,7 +148,7 @@ md5sumFile (const char *name, int len, int32_t sum[4])
  * based on an initial des key used as a seed.
  */
 static DES_key_schedule sequence_seed;
-static u_int32_t sequence_index[2];
+static uint32_t sequence_index[2];
 
 /*
  * Random number generator based on ideas from truerand in cryptolib
diff --git a/source4/heimdal/lib/des/sha.c b/source4/heimdal/lib/des/sha.c
index ca6c1c16d4..fae0fe01cb 100644
--- a/source4/heimdal/lib/des/sha.c
+++ b/source4/heimdal/lib/des/sha.c
@@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: sha.c,v 1.18 2005/04/27 11:55:05 lha Exp $");
+RCSID("$Id: sha.c,v 1.19 2006/05/05 10:25:00 lha Exp $");
 #endif
 
 #include "hash.h"
@@ -72,7 +72,7 @@ SHA1_Init (struct sha *m)
 
 #define DO(t,f,k) \
 do { \
-  u_int32_t temp; \
+  uint32_t temp; \
  \
   temp = cshift(AA, 5) + f(BB,CC,DD) + EE + data[t] + k; \
   EE = DD; \
@@ -83,10 +83,10 @@ do { \
 } while(0)
 
 static inline void
-calc (struct sha *m, u_int32_t *in)
+calc (struct sha *m, uint32_t *in)
 {
-  u_int32_t AA, BB, CC, DD, EE;
-  u_int32_t data[80];
+  uint32_t AA, BB, CC, DD, EE;
+  uint32_t data[80];
   int i;
 
   AA = A;
@@ -204,11 +204,11 @@ calc (struct sha *m, u_int32_t *in)
  */
 
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
 {
 #define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
-  u_int32_t temp1, temp2;
+  uint32_t temp1, temp2;
 
   temp1 = cshift(t, 16);
   temp2 = temp1 >> 8;
@@ -244,15 +244,15 @@ SHA1_Update (struct sha *m, const void *v, size_t len)
     if(offset == 64){
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
       int i;
-      u_int32_t current[16];
+      uint32_t current[16];
       struct x32 *u = (struct x32*)m->save;
       for(i = 0; i < 8; i++){
-	current[2*i+0] = swap_u_int32_t(u[i].a);
-	current[2*i+1] = swap_u_int32_t(u[i].b);
+	current[2*i+0] = swap_uint32_t(u[i].a);
+	current[2*i+1] = swap_uint32_t(u[i].b);
       }
       calc(m, current);
 #else
-      calc(m, (u_int32_t*)m->save);
+      calc(m, (uint32_t*)m->save);
 #endif
       offset = 0;
     }
@@ -291,10 +291,10 @@ SHA1_Final (void *res, struct sha *m)
 #if 0
   {
     int i;
-    u_int32_t *r = (u_int32_t *)res;
+    uint32_t *r = (uint32_t *)res;
 
     for (i = 0; i < 5; ++i)
-      r[i] = swap_u_int32_t (m->counter[i]);
+      r[i] = swap_uint32_t (m->counter[i]);
   }
 #endif
 }
diff --git a/source4/heimdal/lib/des/sha.h b/source4/heimdal/lib/des/sha.h
index 6021823f5c..977b9f7bb2 100644
--- a/source4/heimdal/lib/des/sha.h
+++ b/source4/heimdal/lib/des/sha.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: sha.h,v 1.10 2006/04/15 07:54:11 lha Exp $ */
+/* $Id: sha.h,v 1.11 2006/05/05 11:06:21 lha Exp $ */
 
 #ifndef HEIM_SHA_H
 #define HEIM_SHA_H 1
@@ -52,7 +52,7 @@
 
 struct sha {
   unsigned int sz[2];
-  u_int32_t counter[5];
+  uint32_t counter[5];
   unsigned char save[64];
 };
 
@@ -70,7 +70,7 @@ void SHA1_Final (void *res, struct sha *m);
 
 struct hc_sha256state {
   unsigned int sz[2];
-  u_int32_t counter[8];
+  uint32_t counter[8];
   unsigned char save[64];
 };
 
diff --git a/source4/heimdal/lib/des/sha256.c b/source4/heimdal/lib/des/sha256.c
index 8c12ce504c..58fb92815a 100644
--- a/source4/heimdal/lib/des/sha256.c
+++ b/source4/heimdal/lib/des/sha256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2001, 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
+RCSID("$Id: sha256.c,v 1.2 2006/05/05 10:25:37 lha Exp $");
 #endif
 
 #include "hash.h"
@@ -59,7 +59,7 @@ RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
 #define G m->counter[6]
 #define H m->counter[7]
 
-static const u_int32_t constant_256[64] = {
+static const uint32_t constant_256[64] = {
     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
     0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
@@ -94,10 +94,10 @@ SHA256_Init (SHA256_CTX *m)
 }
 
 static void
-calc (SHA256_CTX *m, u_int32_t *in)
+calc (SHA256_CTX *m, uint32_t *in)
 {
-    u_int32_t AA, BB, CC, DD, EE, FF, GG, HH;
-    u_int32_t data[64];
+    uint32_t AA, BB, CC, DD, EE, FF, GG, HH;
+    uint32_t data[64];
     int i;
 
     AA = A;
@@ -116,7 +116,7 @@ calc (SHA256_CTX *m, u_int32_t *in)
 	    sigma0(data[i-15]) + data[i - 16];
 
     for (i = 0; i < 64; i++) {
-	u_int32_t T1, T2;
+	uint32_t T1, T2;
 
 	T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
 	T2 = Sigma0(AA) + Maj(AA,BB,CC);
@@ -146,11 +146,11 @@ calc (SHA256_CTX *m, u_int32_t *in)
  */
 
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
 {
 #define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
-    u_int32_t temp1, temp2;
+    uint32_t temp1, temp2;
 
     temp1 = cshift(t, 16);
     temp2 = temp1 >> 8;
@@ -186,15 +186,15 @@ SHA256_Update (SHA256_CTX *m, const void *v, size_t len)
     if(offset == 64){
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
 	int i;
-	u_int32_t current[16];
+	uint32_t current[16];
 	struct x32 *u = (struct x32*)m->save;
 	for(i = 0; i < 8; i++){
-	    current[2*i+0] = swap_u_int32_t(u[i].a);
-	    current[2*i+1] = swap_u_int32_t(u[i].b);
+	    current[2*i+0] = swap_uint32_t(u[i].a);
+	    current[2*i+1] = swap_uint32_t(u[i].b);
 	}
 	calc(m, current);
 #else
-	calc(m, (u_int32_t*)m->save);
+	calc(m, (uint32_t*)m->save);
 #endif
 	offset = 0;
     }
diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c
index 0062068d5b..ad580811a5 100644
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: 8003.c,v 1.17 2005/04/01 08:55:36 lha Exp $");
+RCSID("$Id: 8003.c,v 1.18 2006/05/04 11:55:40 lha Exp $");
 
 krb5_error_code
 gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
@@ -56,15 +56,17 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
 }
 
 krb5_error_code
-gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
 {
+    const u_char *p = ptr;
     *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
     return 0;
 }
 
 krb5_error_code
-gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
 {
+    const u_char *p = ptr;
     *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
     return 0;
 }
diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c
index 01c6c75ecc..936a20d403 100644
--- a/source4/heimdal/lib/gssapi/arcfour.c
+++ b/source4/heimdal/lib/gssapi/arcfour.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: arcfour.c,v 1.18 2005/11/01 06:55:55 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $");
 
 /*
  * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
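Review bot: In `gssapi_decode_om_uint32` the expression `p[3] << 24` shifts a `u_char` that has been promoted to `int`, so any byte with its top bit set lands in the sign bit, which is undefined behaviour for a signed left shift in C; the new `const void *` signature does not change that. Widen each byte before shifting: `*n = ((OM_uint32)p[0] << 0) | ((OM_uint32)p[1] << 8) | ((OM_uint32)p[2] << 16) | ((OM_uint32)p[3] << 24);` and, in `gssapi_decode_be_om_uint32`, `*n = ((OM_uint32)p[0] << 24) | ((OM_uint32)p[1] << 16) | ((OM_uint32)p[2] << 8) | ((OM_uint32)p[3] << 0);`. The added `const u_char *p = ptr;` line is a natural place for `/* byte view of the caller's buffer; widen to OM_uint32 before shifting */`.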
@@ -246,8 +246,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
     krb5_error_code ret;
     int32_t seq_number;
     OM_uint32 omret;
-    char cksum_data[8], k6_data[16], SND_SEQ[8];
-    u_char *p;
+    u_char SND_SEQ[8], cksum_data[8], *p;
+    char k6_data[16];
     int cmp;
 
     if (qop_state)
@@ -295,7 +295,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
     {
 	RC4_KEY rc4_key;
 
-	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+	RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
 	RC4 (&rc4_key, 8, p, SND_SEQ);
 	memset(&rc4_key, 0, sizeof(rc4_key));
 
@@ -480,7 +480,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
     if(conf_req_flag) {
 	RC4_KEY rc4_key;
 
-	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+	RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
 	/* XXX ? */
 	RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
 	memset(&rc4_key, 0, sizeof(rc4_key));
@@ -526,8 +526,8 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     int32_t seq_number;
     size_t len, datalen;
     OM_uint32 omret;
-    char k6_data[16], SND_SEQ[8], Confounder[8];
-    char cksum_data[8];
+    u_char k6_data[16], SND_SEQ[8], Confounder[8];
+    u_char cksum_data[8];
     u_char *p, *p0;
     int cmp;
     int conf_flag;
diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/cfx.c
index 3e7592b3a7..1aebd008a6 100755
--- a/source4/heimdal/lib/gssapi/cfx.c
+++ b/source4/heimdal/lib/gssapi/cfx.c
@@ -32,7 +32,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: cfx.c,v 1.17 2005/04/27 17:47:32 lha Exp $");
+RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $");
 
 /*
  * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
@@ -143,11 +143,10 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
  */
 
 static krb5_error_code
-rrc_rotate(void *data, size_t len, u_int16_t rrc, krb5_boolean unrotate)
+rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
 {
-    u_char *tmp;
+    u_char *tmp, buf[256];
     size_t left;
-    char buf[256];
 
     if (len == 0)
 	return 0;
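Review bot: `k6_data` stays `char` in `_gssapi_verify_mic_arcfour` and is papered over with a `(void*)` cast at the `RC4_set_key` call, while the same buffer becomes `u_char` in `_gssapi_unwrap_arcfour` in the last hunk; the cast hides the signedness mismatch instead of removing it, and the `(void *)` cast in `_gssapi_wrap_arcfour` sits beside a `/* XXX ? */` that does not say what is in doubt. Declaring `u_char k6_data[16];` in all three functions lets both casts go, and the `XXX` should either name its question or be replaced by something a reader can act on, e.g. `/* k6_data is the 16-byte K6 derived above; RC4 keys it directly, no further derivation */` — hedged, since the derivation is outside these hunks. All three functions begin and end outside their hunks.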
@@ -220,7 +219,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
     }
 
     /* Always rotate encrypted token (if any) and checksum to header */
-    rrc = (conf_req_flag ? sizeof(*token) : 0) + (u_int16_t)cksumsize;
+    rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
 
     output_message_buffer->length = wrapped_len;
     output_message_buffer->value = malloc(output_message_buffer->length);
@@ -420,7 +419,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
     krb5_error_code ret;
     unsigned usage;
     krb5_data data;
-    u_int16_t ec, rrc;
+    uint16_t ec, rrc;
     OM_uint32 seq_number_lo, seq_number_hi;
     size_t len;
     u_char *p;
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index b93ad4e481..eac2737f43 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gssapi.h,v 1.39 2005/12/05 11:52:45 lha Exp $ */
+/* $Id: gssapi.h,v 1.40 2006/05/05 11:08:29 lha Exp $ */
 
 #ifndef GSSAPI_H_
 #define GSSAPI_H_
@@ -47,9 +47,9 @@
  * Now define the three implementation-dependent types.
  */
 
-typedef u_int32_t OM_uint32;
+typedef uint32_t OM_uint32;
 
-typedef u_int32_t gss_uint32;
+typedef uint32_t gss_uint32;
 
 /*
  * This is to avoid having to include <krb5.h>
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index be2277b96f..81169a8500 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gssapi_locl.h,v 1.44 2006/04/12 17:44:05 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.45 2006/05/04 11:56:14 lha Exp $ */
 
 #ifndef GSSAPI_LOCL_H
 #define GSSAPI_LOCL_H
@@ -307,9 +307,9 @@ krb5_error_code
 gssapi_encode_be_om_uint32(OM_uint32, u_char *);
 
 krb5_error_code
-gssapi_decode_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_om_uint32(const void *, OM_uint32 *);
 
 krb5_error_code
-gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_be_om_uint32(const void *, OM_uint32 *);
 
 #endif
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index e363ee22f7..dc937daae5 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: init_sec_context.c,v 1.62 2006/04/09 18:45:18 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.63 2006/05/05 10:27:13 lha Exp $");
 
 /*
  * copy the addresses from `input_chan_bindings' (if any) to
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index 0c089067b6..7072ca2754 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: wrap.c,v 1.32 2006/04/02 02:10:03 lha Exp $");
+RCSID("$Id: wrap.c,v 1.33 2006/05/05 10:27:36 lha Exp $");
 
 OM_uint32
 gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
@@ -428,7 +428,7 @@ wrap_des3
   u_char seq[8];
   int32_t seq_number;
   size_t len, total_len, padlength, datalen;
-  u_int32_t ret;
+  uint32_t ret;
   krb5_crypto crypto;
   Checksum cksum;
   krb5_data encdata;
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c
index 850b23fb04..a8995e4138 100644
--- a/source4/heimdal/lib/hdb/ext.c
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -34,7 +34,7 @@
 #include "hdb_locl.h"
 #include <der.h>
 
-RCSID("$Id: ext.c,v 1.1 2005/08/11 20:49:31 lha Exp $");
+RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $");
 
 krb5_error_code
 hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
@@ -168,10 +168,10 @@ hdb_replace_extension(krb5_context context, ret = copy_HDB_extension(ext, &entry->extensions->val[entry->extensions->len]); - if (ret == 0) { + if (ret == 0) entry->extensions->len++; + else krb5_set_error_string(context, "hdb: failed to copy new extension"); - } return ret; } diff --git a/source4/heimdal/lib/hdb/hdb-private.h b/source4/heimdal/lib/hdb/hdb-private.h index e602f01373..5147d8b90b 100644 --- a/source4/heimdal/lib/hdb/hdb-private.h +++ b/source4/heimdal/lib/hdb/hdb-private.h @@ -8,14 +8,13 @@ krb5_error_code _hdb_fetch ( krb5_context /*context*/, HDB */*db*/, - unsigned /*flags*/, krb5_const_principal /*principal*/, - enum hdb_ent_type /*ent_type*/, + unsigned /*flags*/, hdb_entry_ex */*entry*/); hdb_master_key _hdb_find_master_key ( - u_int32_t */*mkvno*/, + uint32_t */*mkvno*/, hdb_master_key /*mkey*/); int @@ -43,7 +42,7 @@ krb5_error_code _hdb_remove ( krb5_context /*context*/, HDB */*db*/, - hdb_entry_ex */*entry*/); + krb5_const_principal /*principal*/); krb5_error_code _hdb_store ( diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index b89937f82f..5d2ce8f3bb 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: hdb.c,v 1.60 2005/12/12 12:35:36 lha Exp $"); +RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $"); #ifdef HAVE_DLFCN_H #include <dlfcn.h> diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index 463cbf71f2..d14eea7ddc 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: hdb.h,v 1.36 2005/12/12 12:35:36 lha Exp $ */ +/* $Id: hdb.h,v 1.38 2006/04/28 07:37:11 lha Exp $ */ #ifndef __HDB_H__ #define __HDB_H__ 
@@ -44,14 +44,16 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; /* flags for various functions */ -#define HDB_F_DECRYPT 1 /* decrypt keys */ -#define HDB_F_REPLACE 2 /* replace entry */ +#define HDB_F_DECRYPT 1 /* decrypt keys */ +#define HDB_F_REPLACE 2 /* replace entry */ +#define HDB_F_GET_CLIENT 4 /* fetch client */ +#define HDB_F_GET_SERVER 8 /* fetch server */ +#define HDB_F_GET_KRBTGT 16 /* fetch krbtgt */ +#define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ /* key usage for master key */ #define HDB_KU_MKEY 0x484442 -enum hdb_ent_type{ HDB_ENT_TYPE_CLIENT, HDB_ENT_TYPE_SERVER, HDB_ENT_TYPE_ANY }; - typedef struct hdb_master_key_data *hdb_master_key; typedef struct hdb_entry_ex { 
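Review bot: `HDB_F_GET_ANY` is defined as the bare literal `28`, so a reader has to decode it back into the three selector bits it stands for, and adding a fourth HDB_F_GET_* bit later means remembering to update the magic number. Defining it as `#define HDB_F_GET_ANY (HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT) /* fetch any of client,server,krbtgt */` keeps the same value and makes the relationship explicit. Since these bits now share the same flag word as HDB_F_DECRYPT and HDB_F_REPLACE, a one-line comment above the block saying that the GET bits select which entry kinds a fetch may return would also help backend authors.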
@@ -87,30 +89,60 @@ typedef struct HDB{ hdb_master_key hdb_master_key; void *hdb_openp; - krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t); - krb5_error_code (*hdb_close)(krb5_context, struct HDB*); - void (*hdb_free)(krb5_context,struct HDB*,hdb_entry_ex*); - krb5_error_code (*hdb_fetch)(krb5_context,struct HDB*,unsigned hdb_flags, - krb5_const_principal principal, - enum hdb_ent_type ent_type, hdb_entry_ex*); - krb5_error_code (*hdb_store)(krb5_context,struct HDB*, - unsigned,hdb_entry_ex*); - krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, hdb_entry_ex*); - krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, - unsigned, hdb_entry_ex*); - krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, - unsigned, hdb_entry_ex*); - krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int operation); - krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*); - krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*); - krb5_error_code (*hdb__get)(krb5_context,struct HDB*,krb5_data,krb5_data*); - krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int, - krb5_data, krb5_data); - krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data); - krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); + krb5_error_code (*hdb_open)(krb5_context, + struct HDB*, + int, + mode_t); + krb5_error_code (*hdb_close)(krb5_context, + struct HDB*); + void (*hdb_free)(krb5_context, + struct HDB*, + hdb_entry_ex*); + krb5_error_code (*hdb_fetch)(krb5_context, + struct HDB*, + krb5_const_principal, + unsigned, + hdb_entry_ex*); + krb5_error_code (*hdb_store)(krb5_context, + struct HDB*, + unsigned, + hdb_entry_ex*); + krb5_error_code (*hdb_remove)(krb5_context, + struct HDB*, + krb5_const_principal); + krb5_error_code (*hdb_firstkey)(krb5_context, + struct HDB*, + unsigned, + hdb_entry_ex*); + krb5_error_code (*hdb_nextkey)(krb5_context, + struct HDB*, + unsigned, + hdb_entry_ex*); + krb5_error_code (*hdb_lock)(krb5_context, + 
struct HDB*, + int operation); + krb5_error_code (*hdb_unlock)(krb5_context, + struct HDB*); + krb5_error_code (*hdb_rename)(krb5_context, + struct HDB*, + const char*); + krb5_error_code (*hdb__get)(krb5_context, + struct HDB*, + krb5_data, + krb5_data*); + krb5_error_code (*hdb__put)(krb5_context, + struct HDB*, + int, + krb5_data, + krb5_data); + krb5_error_code (*hdb__del)(krb5_context, + struct HDB*, + krb5_data); + krb5_error_code (*hdb_destroy)(krb5_context, + struct HDB*); }HDB; -#define HDB_INTERFACE_VERSION 3 +#define HDB_INTERFACE_VERSION 4 struct hdb_so_method { int version; diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c index 0ca3846f9d..d7c2f2c89b 100644 --- a/source4/heimdal/lib/hdb/keys.c +++ b/source4/heimdal/lib/hdb/keys.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: keys.c,v 1.4 2006/04/02 00:45:48 lha Exp $"); +RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $"); /* * free all the memory used by (len, keys) @@ -112,23 +112,19 @@ parse_key_set(krb5_context context, const char *key, if(strcmp(buf[i], "des") == 0) { enctypes = all_etypes; num_enctypes = 3; - continue; } else if(strcmp(buf[i], "des3") == 0) { e = ETYPE_DES3_CBC_SHA1; enctypes = &e; num_enctypes = 1; - continue; } else { ret = krb5_string_to_enctype(context, buf[i], &e); if (ret == 0) { enctypes = &e; num_enctypes = 1; - continue; - } + } else + return ret; } - } - - if(salt->salttype == 0) { + } else if(salt->salttype == 0) { /* interpret string as a salt specifier, if no etype is set, this sets default values */ /* XXX should perhaps use string_to_salttype, but that @@ -152,7 +148,7 @@ parse_key_set(krb5_context context, const char *key, v4 compat, and a cell name for afs compat */ salt->saltvalue.data = strdup(buf[i]); if (salt->saltvalue.data == NULL) { - krb5_set_error_string(context, "malloc out of memory"); + krb5_set_error_string(context, "out of memory"); return ENOMEM; } salt->saltvalue.length = strlen(buf[i]); 
@@ -297,7 +293,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, ret = parse_key_set(context, p, &enctypes, &num_enctypes, &salt, principal); if (ret) { - krb5_warnx(context, "bad value for default_keys `%s'", *kp); + krb5_warn(context, ret, "bad value for default_keys `%s'", *kp); ret = 0; continue; } diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c index 12979eaecf..b4fa5f84c9 100644 --- a/source4/heimdal/lib/hdb/keytab.c +++ b/source4/heimdal/lib/hdb/keytab.c @@ -35,7 +35,7 @@ /* keytab backend for HDB databases */ -RCSID("$Id: keytab.c,v 1.10 2006/04/02 20:20:45 lha Exp $"); +RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $"); struct hdb_data { char *dbname; @@ -218,8 +218,8 @@ hdb_get_entry(krb5_context context, (*db->hdb_destroy)(context, db); return ret; } + ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT, &ent); - ret = (*db->hdb_fetch)(context, db, HDB_F_DECRYPT, principal, HDB_ENT_TYPE_SERVER, &ent); /* Shutdown the hdb on error */ if(ret == HDB_ERR_NOENTRY) { diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c index f12f73e809..40569b29ad 100644 --- a/source4/heimdal/lib/hdb/mkey.c +++ b/source4/heimdal/lib/hdb/mkey.c @@ -36,7 +36,7 @@ #define O_BINARY 0 #endif -RCSID("$Id: mkey.c,v 1.21 2005/08/19 13:07:03 lha Exp $"); +RCSID("$Id: mkey.c,v 1.22 2006/05/05 10:27:59 lha Exp $"); struct hdb_master_key_data { krb5_keytab_entry keytab; @@ -355,7 +355,7 @@ hdb_write_master_key(krb5_context context, const char *filename, } hdb_master_key -_hdb_find_master_key(u_int32_t *mkvno, hdb_master_key mkey) +_hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey) { hdb_master_key ret = NULL; while(mkey) { diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c index f4c2497abc..6c72ea78c5 100644 --- a/source4/heimdal/lib/hdb/ndbm.c +++ b/source4/heimdal/lib/hdb/ndbm.c 
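Review bot: In the keytab.c hunk the rewritten `hdb_fetch` call passes only `HDB_F_DECRYPT`, so none of the HDB_F_GET_CLIENT/SERVER/KRBTGT selector bits introduced in hdb.h in this same change are set, while the removed line previously asked for HDB_ENT_TYPE_SERVER explicitly. If backends use those bits to decide which entry kinds a fetch may return (I cannot see _hdb_fetch's body here), this call will either fail for every principal or silently accept kinds it did not before, depending on how a zero selector is treated. The intent of the old code is preserved by `ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT|HDB_F_GET_ANY, &ent);` or `HDB_F_DECRYPT|HDB_F_GET_SERVER` if only service entries should be reachable through the keytab. The surrounding hdb_get_entry body starts outside the hunk.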
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c index ebdbcfed46..895b01f9d8 100644 --- a/source4/heimdal/lib/krb5/addr_families.c +++ b/source4/heimdal/lib/krb5/addr_families.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: addr_families.c,v 1.51 2006/04/02 02:17:31 lha Exp $"); +RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $"); struct addr_operations { int af; @@ -199,7 +199,7 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr, unsigned long len, krb5_address *low, krb5_address *high) { unsigned long ia; - u_int32_t l, h, m = 0xffffffff; + uint32_t l, h, m = 0xffffffff; if (len > 32) { krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len); @@ -391,7 +391,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, unsigned long len, krb5_address *low, krb5_address *high) { struct in6_addr addr, laddr, haddr; - u_int32_t m; + uint32_t m; int i, sub_len; if (len > 128) { diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c index 7907e1ad9c..ba584a04a4 100644 --- a/source4/heimdal/lib/krb5/changepw.c +++ b/source4/heimdal/lib/krb5/changepw.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: changepw.c,v 1.55 2005/12/12 12:48:57 lha Exp $"); +RCSID("$Id: changepw.c,v 1.56 2006/05/05 09:26:47 lha Exp $"); static void str2data (krb5_data *d, @@ -271,7 +271,7 @@ process_reply (krb5_context context, krb5_error_code ret; u_char reply[1024 * 3]; ssize_t len; - u_int16_t pkt_len, pkt_ver; + uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c index c7cedd8c9e..4cfed75154 100644 --- a/source4/heimdal/lib/krb5/crc.c 
+++ b/source4/heimdal/lib/krb5/crc.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $"); +RCSID("$Id: crc.c,v 1.10 2006/05/05 09:27:09 lha Exp $"); static u_long table[256]; @@ -62,8 +62,8 @@ _krb5_crc_init_table(void) flag = 1; } -u_int32_t -_krb5_crc_update (const char *p, size_t len, u_int32_t res) +uint32_t +_krb5_crc_update (const char *p, size_t len, uint32_t res) { while (len--) res = table[(res ^ *p++) & 0xFF] ^ (res >> 8); diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index 3a90995283..2e8160518b 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.134 2006/04/10 08:58:53 lha Exp $"); +RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -602,7 +602,7 @@ AES_string_to_key(krb5_context context, krb5_keyblock *key) { krb5_error_code ret; - u_int32_t iter; + uint32_t iter; struct encryption_type *et; struct key_data kd; @@ -611,7 +611,7 @@ AES_string_to_key(krb5_context context, else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); - iter = ((u_int32_t)v); + iter = ((uint32_t)v); } else return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */ @@ -1296,7 +1296,7 @@ CRC32_checksum(krb5_context context, unsigned usage, Checksum *C) { - u_int32_t crc; + uint32_t crc; unsigned char *r = C->checksum.data; _krb5_crc_init_table (); crc = _krb5_crc_update (data, len, 0); @@ -4282,7 +4282,7 @@ _krb5_pk_octetstring2key(krb5_context context, static krb5_error_code krb5_get_keyid(krb5_context context, krb5_keyblock *key, - u_int32_t *keyid) + uint32_t *keyid) { MD5_CTX md5; unsigned char tmp[16]; 
@@ -4300,7 +4300,7 @@ krb5_crypto_debug(krb5_context context, size_t len, krb5_keyblock *key) { - u_int32_t keyid; + uint32_t keyid; char *kt; krb5_get_keyid(context, key, &keyid); krb5_enctype_to_string(context, key->keytype, &kt); diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c index f9e9cded5f..7f79e29858 100644 --- a/source4/heimdal/lib/krb5/generate_seq_number.c +++ b/source4/heimdal/lib/krb5/generate_seq_number.c @@ -33,16 +33,16 @@ #include <krb5_locl.h> -RCSID("$Id: generate_seq_number.c,v 1.9 2004/05/25 21:25:22 lha Exp $"); +RCSID("$Id: generate_seq_number.c,v 1.10 2006/05/05 09:28:06 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, - u_int32_t *seqno) + uint32_t *seqno) { krb5_error_code ret; krb5_keyblock *subkey; - u_int32_t q; + uint32_t q; u_char *p; int i; diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 489a88a31b..70b6c3e4c3 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c,v 1.92 2006/04/02 01:20:15 lha Exp $"); +RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $"); typedef struct krb5_get_init_creds_ctx { krb5_kdc_flags flags; @@ -1150,6 +1150,7 @@ process_pa_data_to_key(krb5_context context, if (pa && ctx->pk_init_ctx) { #ifdef PKINIT ret = _krb5_pk_rd_pa_reply(context, + a->req_body.realm, ctx->pk_init_ctx, etype, hi, diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c index f4372422ac..8f2d9f7f86 100644 --- a/source4/heimdal/lib/krb5/kcm.c +++ b/source4/heimdal/lib/krb5/kcm.c @@ -43,7 +43,7 @@ #include "kcm.h" -RCSID("$Id: kcm.c,v 1.8 2005/09/19 20:23:05 lha Exp $"); +RCSID("$Id: kcm.c,v 1.9 2006/05/05 09:28:48 lha Exp $"); typedef struct krb5_kcmcache { char *name; 
@@ -53,7 +53,7 @@ typedef struct krb5_kcmcache { #define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data) #define CACHENAME(X) (KCMCACHE(X)->name) -#define KCMCURSOR(C) (*(u_int32_t *)(C)) +#define KCMCURSOR(C) (*(uint32_t *)(C)) static krb5_error_code try_door(krb5_context context, const krb5_kcmcache *k, @@ -903,7 +903,7 @@ _krb5_kcm_noop(krb5_context context, krb5_error_code _krb5_kcm_chmod(krb5_context context, krb5_ccache id, - u_int16_t mode) + uint16_t mode) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); @@ -944,8 +944,8 @@ _krb5_kcm_chmod(krb5_context context, krb5_error_code _krb5_kcm_chown(krb5_context context, krb5_ccache id, - u_int32_t uid, - u_int32_t gid) + uint32_t uid, + uint32_t gid) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c index f9a76e634a..1b06387339 100644 --- a/source4/heimdal/lib/krb5/keytab_file.c +++ b/source4/heimdal/lib/krb5/keytab_file.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_file.c,v 1.22 2006/04/07 21:57:31 lha Exp $"); +RCSID("$Id: keytab_file.c,v 1.23 2006/05/05 12:36:57 lha Exp $"); #define KRB5_KT_VNO_1 1 #define KRB5_KT_VNO_2 2 @@ -428,7 +428,7 @@ loop: * if it's zero, assume that the 8bit one was right, * otherwise trust the new value */ curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); - if(len + 4 + pos - curpos == 4) { + if(len + 4 + pos - curpos >= 4) { ret = krb5_ret_int32(cursor->sp, &tmp32); if (ret == 0 && tmp32 != 0) { entry->vno = tmp32; diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c index 32fb48a8a2..d7f8a720e1 100644 --- a/source4/heimdal/lib/krb5/keytab_keyfile.c +++ b/source4/heimdal/lib/krb5/keytab_keyfile.c 
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_keyfile.c,v 1.18 2006/04/02 01:24:52 lha Exp $"); +RCSID("$Id: keytab_keyfile.c,v 1.19 2006/04/24 15:06:57 lha Exp $"); /* afs keyfile operations --------------------------------------- */ @@ -63,8 +63,7 @@ struct akf_data { */ static int -get_cell_and_realm (krb5_context context, - struct akf_data *d) +get_cell_and_realm (krb5_context context, struct akf_data *d) { FILE *f; char buf[BUFSIZ], *cp; @@ -95,6 +94,7 @@ get_cell_and_realm (krb5_context context, if (f != NULL) { if (fgets (buf, sizeof(buf), f) == NULL) { free (d->cell); + d->cell = NULL; fclose (f); krb5_set_error_string (context, "no realm in %s", AFS_SERVERMAGICKRBCONF); @@ -110,6 +110,7 @@ get_cell_and_realm (krb5_context context, d->realm = strdup (buf); if (d->realm == NULL) { free (d->cell); + d->cell = NULL; krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 00126d60ed..17b282f1d8 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -30,11 +30,11 @@ _krb5_cc_allocate ( void _krb5_crc_init_table (void); -u_int32_t +uint32_t _krb5_crc_update ( const char */*p*/, size_t /*len*/, - u_int32_t /*res*/); + uint32_t /*res*/); krb5_error_code _krb5_dh_group_ok ( @@ -120,14 +120,14 @@ krb5_error_code _krb5_kcm_chmod ( krb5_context /*context*/, krb5_ccache /*id*/, - u_int16_t /*mode*/); + uint16_t /*mode*/); krb5_error_code _krb5_kcm_chown ( krb5_context /*context*/, krb5_ccache /*id*/, - u_int32_t /*uid*/, - u_int32_t /*gid*/); + uint32_t /*uid*/, + uint32_t /*gid*/); krb5_error_code _krb5_kcm_get_initial_ticket ( @@ -158,8 +158,8 @@ _krb5_krb_cr_err_reply ( const char */*name*/, const char */*inst*/, const char */*realm*/, - u_int32_t /*time_ws*/, - u_int32_t /*e*/, + uint32_t /*time_ws*/, + uint32_t /*e*/, const char */*e_string*/, krb5_data */*data*/); 
@@ -171,7 +171,7 @@ _krb5_krb_create_auth_reply ( const char */*prealm*/, int32_t /*time_ws*/, int /*n*/, - u_int32_t /*x_date*/, + uint32_t /*x_date*/, unsigned char /*kvno*/, const krb5_data */*cipher*/, krb5_data */*data*/); @@ -183,10 +183,10 @@ _krb5_krb_create_ciph ( const char */*service*/, const char */*instance*/, const char */*realm*/, - u_int32_t /*life*/, + uint32_t /*life*/, unsigned char /*kvno*/, const krb5_data */*ticket*/, - u_int32_t /*kdc_time*/, + uint32_t /*kdc_time*/, const krb5_keyblock */*key*/, krb5_data */*enc_data*/); @@ -299,6 +299,11 @@ _krb5_parse_moduli_line ( struct krb5_dh_moduli **/*m*/); void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate ( + struct krb5_pk_identity */*id*/, + int /*boolean*/); + +void KRB5_LIB_FUNCTION _krb5_pk_cert_free (struct krb5_pk_cert */*cert*/); krb5_error_code KRB5_LIB_FUNCTION @@ -341,6 +346,7 @@ _krb5_pk_octetstring2key ( krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_rd_pa_reply ( krb5_context /*context*/, + const char */*realm*/, void */*c*/, krb5_enctype /*etype*/, const krb5_krbhst_info */*hi*/, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 56f43f6c3d..37293ff982 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -1592,7 +1592,7 @@ krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number ( krb5_context /*context*/, const krb5_keyblock */*key*/, - u_int32_t */*seqno*/); + uint32_t */*seqno*/); krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey ( 
@@ -2803,6 +2803,21 @@ krb5_ret_times ( krb5_times */*times*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16 ( + krb5_storage */*sp*/, + uint16_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32 ( + krb5_storage */*sp*/, + uint32_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8 ( + krb5_storage */*sp*/, + uint8_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, @@ -3087,7 +3102,7 @@ krb5_store_keyblock ( krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal ( krb5_storage */*sp*/, - krb5_principal /*p*/); + krb5_const_principal /*p*/); krb5_error_code KRB5_LIB_FUNCTION krb5_store_string ( @@ -3105,6 +3120,21 @@ krb5_store_times ( krb5_times /*times*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16 ( + krb5_storage */*sp*/, + uint16_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32 ( + krb5_storage */*sp*/, + uint32_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8 ( + krb5_storage */*sp*/, + uint8_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat ( const char */*string*/, krb5_deltat */*deltat*/); diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h index 1d092dcbc9..3e14c5a38f 100644 --- a/source4/heimdal/lib/krb5/krb5-v4compat.h +++ b/source4/heimdal/lib/krb5/krb5-v4compat.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5-v4compat.h,v 1.6 2005/04/23 19:38:16 lha Exp $ */ +/* $Id: krb5-v4compat.h,v 1.7 2006/05/05 09:29:07 lha Exp $ */ #ifndef __KRB5_V4COMPAT_H__ #define __KRB5_V4COMPAT_H__ @@ -119,7 +119,7 @@ struct ktext { unsigned int length; /* Length of the text */ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ - u_int32_t mbz; /* zero to catch runaway strings */ + uint32_t mbz; /* zero to catch runaway strings */ }; struct credentials { 
@@ -157,11 +157,11 @@ struct _krb5_krb_auth_data { char *pname; /* Principal's name */ char *pinst; /* His Instance */ char *prealm; /* His Realm */ - u_int32_t checksum; /* Data checksum (opt) */ + uint32_t checksum; /* Data checksum (opt) */ krb5_keyblock session; /* Session Key */ unsigned char life; /* Life of ticket */ - u_int32_t time_sec; /* Time ticket issued */ - u_int32_t address; /* Address in ticket */ + uint32_t time_sec; /* Time ticket issued */ + uint32_t address; /* Address in ticket */ }; time_t _krb5_krb_life_to_time (int, int); diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 9814817600..32fdd6d383 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */ +/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -64,7 +64,7 @@ typedef int32_t krb5_error_code; typedef int krb5_kvno; -typedef u_int32_t krb5_flags; +typedef uint32_t krb5_flags; typedef void *krb5_pointer; typedef const void *krb5_const_pointer; @@ -492,7 +492,7 @@ typedef struct krb5_keytab_entry { krb5_principal principal; krb5_kvno vno; krb5_keyblock keyblock; - u_int32_t timestamp; + uint32_t timestamp; } krb5_keytab_entry; typedef struct krb5_kt_cursor { @@ -536,7 +536,7 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; typedef struct krb5_replay_data { krb5_timestamp timestamp; int32_t usec; - u_int32_t seq; + uint32_t seq; } krb5_replay_data; /* flags for krb5_auth_con_setflags */ @@ -569,8 +569,8 @@ typedef struct krb5_auth_context_data { krb5_keyblock *local_subkey; krb5_keyblock *remote_subkey; - u_int32_t local_seqnumber; - u_int32_t remote_seqnumber; + uint32_t local_seqnumber; + uint32_t remote_seqnumber; krb5_authenticator authenticator; 
diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h index 29b2ddbecc..d59b589304 100644 --- a/source4/heimdal/lib/krb5/krb5_ccapi.h +++ b/source4/heimdal/lib/krb5/krb5_ccapi.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_ccapi.h,v 1.2 2006/03/27 04:21:06 lha Exp $ */ +/* $Id: krb5_ccapi.h,v 1.3 2006/05/05 09:29:59 lha Exp $ */ #ifndef KRB5_CCAPI_H #define KRB5_CCAPI_H 1 @@ -84,7 +84,7 @@ enum { }; typedef int32_t cc_int32; -typedef u_int32_t cc_uint32; +typedef uint32_t cc_uint32; typedef struct cc_context_t *cc_context_t; typedef struct cc_ccache_t *cc_ccache_t; typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t; diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index 92dd3271f5..4dcac40c7a 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c index 7e478bf1e0..e6fcb6bbb9 100644 --- a/source4/heimdal/lib/krb5/log.c +++ b/source4/heimdal/lib/krb5/log.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: log.c,v 1.38 2006/04/10 09:41:26 lha Exp $"); +RCSID("$Id: log.c,v 1.39 2006/04/24 15:09:27 lha Exp $"); struct facility { int min; @@ -221,8 +221,10 @@ log_file(const char *timestr, if(f->fd == NULL) return; fprintf(f->fd, "%s %s\n", timestr, msg); - if(f->keep_open == 0) + if(f->keep_open == 0) { fclose(f->fd); + f->fd = NULL; + } } static void diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index fa4fb4699e..7e91946095 100755 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c 
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: pkinit.c,v 1.88 2006/04/23 21:30:17 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $"); struct krb5_dh_moduli { char *name; @@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data { int require_binding; int require_eku; int require_krbtgt_otherName; + int require_hostname_match; }; void KRB5_LIB_FUNCTION 
@@ -161,6 +162,109 @@ _krb5_pk_create_sign(krb5_context context, return ret; } +static int +cert2epi(hx509_context context, void *ctx, hx509_cert c) +{ + ExternalPrincipalIdentifiers *ids = ctx; + ExternalPrincipalIdentifier id; + hx509_name subject = NULL; + void *p; + int ret; + + memset(&id, 0, sizeof(id)); + + ret = hx509_cert_get_subject(c, &subject); + if (ret) + return ret; + + if (hx509_name_is_null_p(subject) != 0) { + + id.subjectName = calloc(1, sizeof(*id.subjectName)); + if (id.subjectName == NULL) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + ret = hx509_name_to_der_name(subject, &id.subjectName->data, + &id.subjectName->length); + if (ret) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + } + hx509_name_free(&subject); + + + id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber)); + if (id.issuerAndSerialNumber == NULL) { + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + { + IssuerAndSerialNumber iasn; + hx509_name issuer; + size_t size; + + memset(&iasn, 0, sizeof(iasn)); + + ret = hx509_cert_get_issuer(c, &issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_name_to_Name(issuer, &iasn.issuer); + hx509_name_free(&issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); + if (ret) { + free_IssuerAndSerialNumber(&iasn); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, + id.issuerAndSerialNumber->data, + id.issuerAndSerialNumber->length, + &iasn, &size, ret); + free_IssuerAndSerialNumber(&iasn); + if (ret) + return ret; + if (id.issuerAndSerialNumber->length != size) + abort(); + } + + id.subjectKeyIdentifier = NULL; + + p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); + if (p == NULL) { + free_ExternalPrincipalIdentifier(&id); + 
return ENOMEM; + } + + ids->val = p; + ids->val[ids->len] = id; + ids->len++; + + return 0; +} + +static krb5_error_code +build_edi(krb5_context context, + hx509_context hx509ctx, + hx509_certs certs, + ExternalPrincipalIdentifiers *ids) +{ + return hx509_certs_iter(hx509ctx, certs, cert2epi, ids); +} + static krb5_error_code build_auth_pack(krb5_context context, unsigned nonce, @@ -446,8 +550,19 @@ pk_mk_padata(krb5_context context, memset(&req, 0, sizeof(req)); req.signedAuthPack = buf; - /* XXX tell the kdc what CAs the client is willing to accept */ - req.trustedCertifiers = NULL; + req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); + if (req.trustedCertifiers == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free_PA_PK_AS_REQ(&req); + goto out; + } + ret = build_edi(context, ctx->id->hx509ctx, + ctx->id->anchors, req.trustedCertifiers); + if (ret) { + krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers"); + free_PA_PK_AS_REQ(&req); + goto out; + } req.kdcPkId = NULL; ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length, @@ -524,6 +639,13 @@ _krb5_pk_mk_padata(krb5_context context, "pkinit_require_krbtgt_otherName", NULL); + ctx->require_hostname_match = + krb5_config_get_bool_default(context, NULL, + FALSE, + "realms", + req_body->realm, + "pkinit_require_hostname_match", + NULL); return pk_mk_padata(context, type, ctx, req_body, nonce, md); } @@ -710,6 +832,8 @@ get_reply_key(krb5_context context, static krb5_error_code pk_verify_host(krb5_context context, + const char *realm, + const krb5_krbhst_info *hi, struct krb5_pk_init_ctx_data *ctx, struct krb5_pk_cert *host) { 
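Review bot: In cert2epi the failure path after `ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, ...)` does `if (ret) return ret;` without releasing `id`, whereas every other error path in the function calls `free_ExternalPrincipalIdentifier(&id)`; at that point `id.issuerAndSerialNumber` (and possibly `id.subjectName`) have already been calloc'd, so an encode failure leaks them: `if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; }`. The condition `hx509_name_is_null_p(subject) != 0` also deserves a comment: if that predicate returns non-zero for an empty name, subjectName is emitted only for anchors with a null subject and omitted for ordinary ones, which reads as inverted — worth confirming against hx509 and stating the intended polarity, e.g. `/* only send subjectName when ...; issuerAndSerialNumber is always sent */`. Finally, nothing bounds `ids->len`, so every anchor in the store adds an encoded IssuerAndSerialNumber to the AS-REQ; a cap (or a comment that the anchor store is expected to be small) would keep a large trust store from inflating the request.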
@@ -719,13 +843,12 @@ pk_verify_host(krb5_context context, ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert, oid_id_pkkdcekuoid(), 0); if (ret) { - krb5_clear_error_string(context); + krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate"); return ret; } } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - krb5_error_code ret; int i; ret = hx509_cert_find_subjectAltName_otherName(host->cert, @@ -738,6 +861,7 @@ pk_verify_host(krb5_context context, for (i = 0; i < list.len; i++) { KRB5PrincipalName r; + ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &r, @@ -747,13 +871,15 @@ pk_verify_host(krb5_context context, break; } -#if 0 - if (r.principalName.name.len != 2) { - krb5_clear_error_string(context); + if (r.principalName.name_string.len != 2 || + strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 || + strcmp(r.principalName.name_string.val[1], realm) != 0 || + strcmp(r.realm, realm) != 0) + { + krb5_set_error_string(context, "KDC have wrong realm name in " + "the certificate"); ret = EINVAL; } -#endif - /* XXX verify realm */ free_KRB5PrincipalName(&r); if (ret) @@ -761,14 +887,26 @@ pk_verify_host(krb5_context context, } hx509_free_octet_string_list(&list); } + if (ret) + return ret; + + if (hi) { + ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, + ctx->require_hostname_match, + hi->hostname, + hi->ai->ai_addr, hi->ai->ai_addrlen); + if (ret) + krb5_set_error_string(context, "Address mismatch in the KDC certificate"); + } return ret; } static krb5_error_code pk_rd_pa_reply_enckey(krb5_context context, int type, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi, 
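Review bot: In the `@@ -761,14 +887,26 @@` hunk the new hostname/address binding of the KDC certificate is skipped entirely when `hi` is NULL, with no log or comment, so `pkinit_require_hostname_match` is silently not enforced on that path; a comment such as `/* hi == NULL: no transport endpoint known, KDC cert cannot be bound to a host; address check skipped */` would make the gap deliberate rather than accidental. The same block dereferences `hi->ai->ai_addr` and `hi->ai->ai_addrlen` without checking `hi->ai`; if a krb5_krbhst_info can exist without resolved addrinfo (I cannot tell from here), that is a NULL dereference and the check should be `if (hi && hi->ai)`. In the `@@ -747` hunk the realm comparison is a good addition; note that `strcmp(r.realm, realm)` relies on the new `realm` parameter never being NULL, which the callers in this change satisfy but is not stated. pk_verify_host's body begins outside the first hunk.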
@@ -846,7 +984,7 @@ pk_rd_pa_reply_enckey(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) { krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret); goto out; @@ -894,7 +1032,8 @@ pk_rd_pa_reply_enckey(krb5_context context, static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi, @@ -938,7 +1077,7 @@ pk_rd_pa_reply_dh(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) goto out; @@ -1066,6 +1205,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_rd_pa_reply(krb5_context context, + const char *realm, void *c, krb5_enctype etype, const krb5_krbhst_info *hi, @@ -1106,7 +1246,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, free_PA_PK_AS_REP(&rep); break; } - ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi, + ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi, ctx->clientDHNonce, rep.u.dhInfo.serverDHNonce, nonce, pa, key); @@ -1126,7 +1266,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, "ContentInfo: %d", ret); break; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); return ret; @@ -1173,7 +1313,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, ret); return ret; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); break; 
@@ -1204,8 +1344,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) krb5_data password_data; struct prompter *p = data; - password_data.data = prompter->reply->data; - password_data.length = prompter->reply->length; + password_data.data = prompter->reply.data; + password_data.length = prompter->reply.length; prompt.prompt = "Enter your private key passphrase: "; prompt.hidden = 1; prompt.reply = &password_data; @@ -1216,12 +1356,21 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { - memset (prompter->reply->data, 0, prompter->reply->length); + memset (prompter->reply.data, 0, prompter->reply.length); return 0; } - return strlen(prompter->reply->data); + return strlen(prompter->reply.data); +} + + +void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id, + int boolean) +{ + hx509_verify_set_proxy_certificate(id->verify_ctx, boolean); } + krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_load_id(krb5_context context, struct krb5_pk_identity **ret_id, @@ -1715,7 +1864,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, } if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) { - krb5_set_error_string(context, "malloc: out of memory"); + krb5_set_error_string(context, "pkinit: failed to generate DH key"); _krb5_get_init_creds_opt_free_pkinit(opt); return ENOMEM; } diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c index 34086b1fbe..f6e3847cce 100644 --- a/source4/heimdal/lib/krb5/principal.c +++ b/source4/heimdal/lib/krb5/principal.c @@ -41,7 +41,7 @@ #include <fnmatch.h> #include "resolve.h" -RCSID("$Id: principal.c,v 1.94 2006/04/10 10:10:01 lha Exp $"); +RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) 
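Review bot: The message now says the DH key generation failed, but the function still returns `ENOMEM`, so callers and logs report an out-of-memory condition for what is a crypto failure; the return value should change with the message, e.g. `return EINVAL;` (or whichever non-memory error code this file uses for pkinit setup failures, which is not visible here). krb5_get_init_creds_opt_set_pkinit starts outside this hunk.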
@@ -829,7 +829,6 @@ krb5_425_conv_principal_ext2(krb5_context context, if (r) { if (r->head && r->head->type == T_AAAA) { inst = strdup(r->head->domain); - dns_free_data(r); passed = TRUE; } dns_free_data(r); diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c index 4a567bb379..a6f4a011a1 100644 --- a/source4/heimdal/lib/krb5/store.c +++ b/source4/heimdal/lib/krb5/store.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store.c,v 1.51 2006/04/07 22:23:20 lha Exp $"); +RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $"); #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) @@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp, return krb5_store_int(sp, value, 4); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32(krb5_storage *sp, + uint32_t value) +{ + return krb5_store_int32(sp, (int32_t)value); +} + static krb5_error_code krb5_ret_int(krb5_storage *sp, int32_t *value, @@ -212,6 +219,20 @@ krb5_ret_int32(krb5_storage *sp, } krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32(krb5_storage *sp, + uint32_t *value) +{ + krb5_error_code ret; + int32_t v; + + ret = krb5_ret_int32(sp, &v); + if (ret == 0) + *value = (uint32_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16(krb5_storage *sp, int16_t value) { @@ -223,6 +244,13 @@ krb5_store_int16(krb5_storage *sp, } krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16(krb5_storage *sp, + uint16_t value) +{ + return krb5_store_int16(sp, (int16_t)value); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16(krb5_storage *sp, int16_t *value) { 
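Review bot: `krb5_store_uint32` forwards `(int32_t)value`, and for values above INT32_MAX that conversion is implementation-defined in C99/C11 rather than guaranteed to preserve the bit pattern; it works on every two's-complement target, but the intent deserves a comment, e.g. `/* relies on two's-complement conversion; only the 4 stored bytes matter */`. The same applies to `krb5_store_uint16` and `krb5_store_uint8` in the following hunks, while the `krb5_ret_uint*` direction (signed to unsigned) is well-defined.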
@@ -240,6 +268,20 @@ krb5_ret_int16(krb5_storage *sp, } krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16(krb5_storage *sp, + uint16_t *value) +{ + krb5_error_code ret; + int16_t v; + + ret = krb5_ret_int16(sp, &v); + if (ret == 0) + *value = (uint16_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8(krb5_storage *sp, int8_t value) { @@ -252,6 +294,13 @@ krb5_store_int8(krb5_storage *sp, } krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8(krb5_storage *sp, + uint8_t value) +{ + return krb5_store_int8(sp, (int8_t)value); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8(krb5_storage *sp, int8_t *value) { @@ -264,6 +313,20 @@ krb5_ret_int8(krb5_storage *sp, } krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8(krb5_storage *sp, + uint8_t *value) +{ + krb5_error_code ret; + int8_t v; + + ret = krb5_ret_int8(sp, &v); + if (ret == 0) + *value = (uint8_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_data(krb5_storage *sp, krb5_data data) { @@ -380,19 +443,19 @@ krb5_ret_stringz(krb5_storage *sp, krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal(krb5_storage *sp, - krb5_principal p) + krb5_const_principal p) { int i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { - ret = krb5_store_int32(sp, p->name.name_type); - if(ret) return ret; + ret = krb5_store_int32(sp, p->name.name_type); + if(ret) return ret; } if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) ret = krb5_store_int32(sp, p->name.name_string.len + 1); else - ret = krb5_store_int32(sp, p->name.name_string.len); + ret = krb5_store_int32(sp, p->name.name_string.len); if(ret) return ret; ret = krb5_store_string(sp, p->realm); @@ -710,7 +773,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) * format. */ { - u_int32_t mask = 0xffff0000; + uint32_t mask = 0xffff0000; creds->flags.i = 0; creds->flags.b.anonymous = 1; if (creds->flags.i & mask) 
@@ -865,7 +928,7 @@ krb5_ret_creds_tag(krb5_storage *sp, * format. */ { - u_int32_t mask = 0xffff0000; + uint32_t mask = 0xffff0000; creds->flags.i = 0; creds->flags.b.anonymous = 1; if (creds->flags.i & mask) diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c index dd294c8943..b1e12674dc 100644 --- a/source4/heimdal/lib/krb5/v4_glue.c +++ b/source4/heimdal/lib/krb5/v4_glue.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: v4_glue.c,v 1.3 2006/04/02 01:39:54 lha Exp $"); +RCSID("$Id: v4_glue.c,v 1.5 2006/05/05 09:31:00 lha Exp $"); #include "krb5-v4compat.h" @@ -463,10 +463,10 @@ _krb5_krb_create_ciph(krb5_context context, const char *service, const char *instance, const char *realm, - u_int32_t life, + uint32_t life, unsigned char kvno, const krb5_data *ticket, - u_int32_t kdc_time, + uint32_t kdc_time, const krb5_keyblock *key, krb5_data *enc_data) { @@ -523,7 +523,7 @@ _krb5_krb_create_auth_reply(krb5_context context, const char *prealm, int32_t time_ws, int n, - u_int32_t x_date, + uint32_t x_date, unsigned char kvno, const krb5_data *cipher, krb5_data *data) @@ -573,8 +573,8 @@ _krb5_krb_cr_err_reply(krb5_context context, const char *name, const char *inst, const char *realm, - u_int32_t time_ws, - u_int32_t e, + uint32_t time_ws, + uint32_t e, const char *e_string, krb5_data *data) { @@ -668,7 +668,7 @@ _krb5_krb_decomp_ticket(krb5_context context, RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error); RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error); RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int32(sp, &ad->address), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error); size = krb5_storage_read(sp, des_key, sizeof(des_key)); if (size != sizeof(des_key)) { 
@@ -676,14 +676,14 @@ _krb5_krb_decomp_ticket(krb5_context context, goto error; } - RCHECK(ret, krb5_ret_int8(sp, &ad->life), error); + RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error); if (ad->k_flags & 1) krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); else krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); - RCHECK(ret, krb5_ret_int32(sp, &ad->time_sec), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error); RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error); RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error); @@ -744,9 +744,9 @@ _krb5_krb_rd_req(krb5_context context, int8_t pvno; int8_t type; int8_t s_kvno; - u_int8_t ticket_length; - u_int8_t eaut_length; - u_int8_t time_5ms; + uint8_t ticket_length; + uint8_t eaut_length; + uint8_t time_5ms; char *realm = NULL; char *sname = NULL; char *sinstance = NULL; @@ -754,7 +754,7 @@ _krb5_krb_rd_req(krb5_context context, char *r_name = NULL; char *r_instance = NULL; - u_int32_t r_time_sec; /* Coarse time from authenticator */ + uint32_t r_time_sec; /* Coarse time from authenticator */ unsigned long delta_t; /* Time in authenticator - local time */ long tkt_age; /* Age of ticket */ @@ -795,8 +795,8 @@ _krb5_krb_rd_req(krb5_context context, RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error); RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int8(sp, &ticket_length), error); - RCHECK(ret, krb5_ret_int8(sp, &eaut_length), error); + RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error); + RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error); RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error); size = krb5_storage_read(sp, ticket.data, ticket.length); 
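Review bot: Nothing records why `ticket_length` and `eaut_length` are now read with `krb5_ret_uint8`; with the previous `int8_t` a length byte of 0x80–0xff went negative before `krb5_data_alloc(&ticket, ticket_length)`, which presumably (the allocator's parameter type is not visible here) became a huge size. A short comment at the read would keep the next maintainer from reverting it, e.g. `/* lengths are unsigned bytes on the wire; reading them as int8_t sign-extended 0x80.. before krb5_data_alloc */`. _krb5_krb_rd_req's body continues outside this hunk.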
@@ -842,9 +842,9 @@ _krb5_krb_rd_req(krb5_context context, RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error); RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int32(sp, &ad->checksum), error); - RCHECK(ret, krb5_ret_int8(sp, &time_5ms), error); - RCHECK(ret, krb5_ret_int32(sp, &r_time_sec), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error); + RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error); + RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error); if (strcmp(ad->pname, r_name) != 0 || strcmp(ad->pinst, r_instance) != 0 || @@ -853,7 +853,7 @@ _krb5_krb_rd_req(krb5_context context, goto error; } - if (from_addr && from_addr == ad->address) { + if (from_addr && from_addr != ad->address) { ret = EINVAL; /* RD_AP_BADD */ goto error; } diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index 5fd48c49ef..c1d74ee406 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c 
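Review bot: With the comparison now inverted to `from_addr != ad->address`, a `from_addr` of 0 still bypasses the address check entirely, so a caller passing 0 for "unknown" gets no binding between the ticket and the peer; that is probably intended but the line carries no comment saying so. I would add `/* from_addr == 0: caller has no peer address, skip the KRB4 address binding */` above the `if`. _krb5_krb_rd_req's body continues outside this hunk.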
@@ -590,195 +590,233 @@ static krb5_error_code LDB_rename(krb5_context context, HDB *db, const char *new return HDB_ERR_DB_INUSE; } -static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags, - krb5_const_principal principal, - enum hdb_ent_type ent_type, - hdb_entry_ex *entry_ex) -{ +static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) { + NTSTATUS nt_status; + char *principal_string; + krb5_error_code ret; struct ldb_message **msg = NULL; struct ldb_message **realm_ref_msg = NULL; - struct ldb_message **realm_fixed_msg = NULL; - enum hdb_ldb_ent_type ldb_ent_type; - krb5_error_code ret; - - const char *realm; - const struct ldb_dn *realm_dn; - TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context"); - if (!mem_ctx) { - krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!"); + ret = krb5_unparse_name(context, principal, &principal_string); + + if (ret != 0) { + return ret; + } + + nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db, + mem_ctx, principal_string, + &msg, &realm_ref_msg); + free(principal_string); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + talloc_free(mem_ctx); + return HDB_ERR_NOENTRY; + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) { + talloc_free(mem_ctx); return ENOMEM; + } else if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return EINVAL; } + + ret = LDB_message2entry(context, db, mem_ctx, + principal, HDB_LDB_ENT_TYPE_CLIENT, + msg[0], realm_ref_msg[0], entry_ex); + return ret; +} - switch (ent_type) { - case HDB_ENT_TYPE_CLIENT: - { - NTSTATUS nt_status; - char *principal_string; - ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT; +static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) +{ + krb5_error_code ret; + 
struct ldb_message **msg = NULL; + struct ldb_message **realm_ref_msg = NULL; + const struct ldb_dn *realm_dn; + + krb5_principal alloc_principal = NULL; + if (principal->name.name_string.len != 2 + || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) { + /* Not a krbtgt */ + return HDB_ERR_NOENTRY; + } - ret = krb5_unparse_name(context, principal, &principal_string); + /* krbtgt case. Either us or a trusted realm */ + if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, + mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) { + /* us */ + /* Cludge, cludge cludge. If the realm part of krbtgt/realm, + * is in our db, then direct the caller at our primary + * krgtgt */ - if (ret != 0) { - talloc_free(mem_ctx); + const char *dnsdomain = ldb_msg_find_string(realm_ref_msg[0], "dnsRoot", NULL); + char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); + if (!realm_fixed) { + krb5_set_error_string(context, "strupper_talloc: out of memory"); + return ENOMEM; + } + + ret = krb5_copy_principal(context, principal, &alloc_principal); + if (ret) { return ret; } - nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db, - mem_ctx, principal_string, - &msg, &realm_ref_msg); - free(principal_string); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) { - talloc_free(mem_ctx); + free(alloc_principal->name.name_string.val[1]); + alloc_principal->name.name_string.val[1] = strdup(realm_fixed); + talloc_free(realm_fixed); + if (!alloc_principal->name.name_string.val[1]) { + krb5_set_error_string(context, "LDB_fetch: strdup() failed!"); return ENOMEM; - } else if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return EINVAL; } + principal = alloc_principal; + realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL); + + } else { + /* we should lookup trusted domains */ + return 
HDB_ERR_NOENTRY; + } - ret = LDB_message2entry(context, db, mem_ctx, - principal, ldb_ent_type, - msg[0], realm_ref_msg[0], entry_ex); - - talloc_free(mem_ctx); + realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL); + + ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, + mem_ctx, + principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg); + + if (ret != 0) { + krb5_warnx(context, "LDB_fetch: could not find principal in DB"); + krb5_set_error_string(context, "LDB_fetch: could not find principal in DB"); return ret; } - case HDB_ENT_TYPE_SERVER: - if (principal->name.name_string.len == 2 - && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)) { - /* krbtgt case. Either us or a trusted realm */ - if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, principal->name.name_string.val[1], &realm_fixed_msg) == 0)) { - /* us */ - /* Cludge, cludge cludge. If the realm part of krbtgt/realm, - * is in our db, then direct the caller at our primary - * krgtgt */ - - const char *dnsdomain = ldb_msg_find_string(realm_fixed_msg[0], "dnsRoot", NULL); - char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); - if (!realm_fixed) { - krb5_set_error_string(context, "strupper_talloc: out of memory"); - talloc_free(mem_ctx); - return ENOMEM; - } - - free(principal->name.name_string.val[1]); - principal->name.name_string.val[1] = strdup(realm_fixed); - talloc_free(realm_fixed); - if (!principal->name.name_string.val[1]) { - krb5_set_error_string(context, "LDB_fetch: strdup() failed!"); - talloc_free(mem_ctx); - return ENOMEM; - } - ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT; - break; - } else { - /* we should lookup trusted domains */ - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } - } else if (principal->name.name_string.len >= 2) { - /* 'normal server' case */ - int ldb_ret; - NTSTATUS nt_status; - struct ldb_dn *user_dn, *domain_dn; - char *principal_string; - ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER; - - ret = 
krb5_unparse_name_norealm(context, principal, &principal_string); - - if (ret != 0) { - talloc_free(mem_ctx); - return ret; - } - - /* At this point we may find the host is known to be - * in a different realm, so we should generate a - * referral instead */ - nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, - mem_ctx, principal_string, - &user_dn, &domain_dn); - free(principal_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } - - ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db, - mem_ctx, user_dn, &msg, krb5_attrs); - - if (ldb_ret != 1) { - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } - - ldb_ret = gendb_search((struct ldb_context *)db->hdb_db, - mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs, - "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn)); - - if (ldb_ret != 1) { - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } + ret = LDB_message2entry(context, db, mem_ctx, + principal, HDB_LDB_ENT_TYPE_KRBTGT, + msg[0], realm_ref_msg[0], entry_ex); + if (ret != 0) { + krb5_warnx(context, "LDB_fetch: message2entry failed"); + } + return ret; +} - ret = LDB_message2entry(context, db, mem_ctx, - principal, ldb_ent_type, - msg[0], realm_ref_msg[0], entry_ex); - talloc_free(mem_ctx); +static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) +{ + krb5_error_code ret; + const char *realm; + struct ldb_message **msg = NULL; + struct ldb_message **realm_ref_msg = NULL; + if (principal->name.name_string.len >= 2) { + /* 'normal server' case */ + int ldb_ret; + NTSTATUS nt_status; + struct ldb_dn *user_dn, *domain_dn; + char *principal_string; + + ret = krb5_unparse_name_norealm(context, principal, &principal_string); + if (ret != 0) { return ret; - - } else { - ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER; - /* server as client principal case, but we must not lookup 
userPrincipalNames */ - break; } - case HDB_ENT_TYPE_ANY: - krb5_warnx(context, "LDB_fetch: ENT_TYPE_ANY is not valid in hdb-ldb!"); - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - default: - krb5_warnx(context, "LDB_fetch: invalid ent_type specified!"); - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; - } - + + /* At this point we may find the host is known to be + * in a different realm, so we should generate a + * referral instead */ + nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, + mem_ctx, principal_string, + &user_dn, &domain_dn); + free(principal_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + return HDB_ERR_NOENTRY; + } + + ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db, + mem_ctx, user_dn, &msg, krb5_attrs); + + if (ldb_ret != 1) { + return HDB_ERR_NOENTRY; + } + + ldb_ret = gendb_search((struct ldb_context *)db->hdb_db, + mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs, + "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn)); + + if (ldb_ret != 1) { + return HDB_ERR_NOENTRY; + } + + } else { + const struct ldb_dn *realm_dn; + /* server as client principal case, but we must not lookup userPrincipalNames */ - realm = krb5_principal_get_realm(context, principal); + realm = krb5_principal_get_realm(context, principal); + + ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, + mem_ctx, realm, &realm_ref_msg); + if (ret != 0) { + return HDB_ERR_NOENTRY; + } + + realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL); + + ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, + mem_ctx, + principal, HDB_LDB_ENT_TYPE_SERVER, realm_dn, &msg); + + if (ret != 0) { + return ret; + } + } - ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, realm, &realm_ref_msg); + ret = LDB_message2entry(context, db, mem_ctx, + principal, HDB_LDB_ENT_TYPE_SERVER, + msg[0], realm_ref_msg[0], entry_ex); if (ret != 0) { - krb5_warnx(context, "LDB_fetch: could not find 
realm"); - talloc_free(mem_ctx); - return HDB_ERR_NOENTRY; + krb5_warnx(context, "LDB_fetch: message2entry failed"); } - realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL); + return ret; +} + +static krb5_error_code LDB_fetch(krb5_context context, HDB *db, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) +{ + krb5_error_code ret; - ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, - mem_ctx, - principal, ldb_ent_type, realm_dn, &msg); + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context"); - if (ret != 0) { - krb5_warnx(context, "LDB_fetch: could not find principal in DB"); - krb5_set_error_string(context, "LDB_fetch: could not find principal in DB"); - talloc_free(mem_ctx); - return ret; - } else { - ret = LDB_message2entry(context, db, mem_ctx, - principal, ldb_ent_type, - msg[0], realm_ref_msg[0], entry_ex); - if (ret != 0) { - krb5_warnx(context, "LDB_fetch: message2entry failed\n"); - } + if (!mem_ctx) { + krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!"); + return ENOMEM; } - talloc_free(mem_ctx); + if (flags & HDB_F_GET_CLIENT) { + ret = LDB_fetch_client(context, db, mem_ctx, principal, flags, entry_ex); + if (ret != HDB_ERR_NOENTRY) { + talloc_free(mem_ctx); + return ret; + } + } + if (flags & HDB_F_GET_SERVER) { + ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex); + if (ret != HDB_ERR_NOENTRY) { + return ret; + } + } + if (flags & HDB_F_GET_KRBTGT) { + ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex); + if (ret != HDB_ERR_NOENTRY) { + return ret; + } + } return ret; } @@ -787,7 +825,7 @@ static krb5_error_code LDB_store(krb5_context context, HDB *db, unsigned flags, return HDB_ERR_DB_INUSE; } -static krb5_error_code LDB_remove(krb5_context context, HDB *db, hdb_entry_ex *entry) +static krb5_error_code LDB_remove(krb5_context context, HDB *db, krb5_const_principal principal) { return HDB_ERR_DB_INUSE; } |
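Review bot: The `mem_ctx` ownership in the new `LDB_fetch` is inconsistent and produces a use-after-free: `LDB_fetch_client` frees `mem_ctx` on its `NT_STATUS_NO_SUCH_USER` path and returns `HDB_ERR_NOENTRY`, after which `LDB_fetch` (when `flags` also carries `HDB_F_GET_SERVER` or `HDB_F_GET_KRBTGT`) passes the freed context into `LDB_fetch_server`/`LDB_fetch_krbtgt`; the server and krbtgt return paths and the final `return ret` never free `mem_ctx` at all, and `ret` is uninitialized when no lookup flag is set. I would make `LDB_fetch` the sole owner: drop the three `talloc_free(mem_ctx)` calls from `LDB_fetch_client`, initialise `ret` to `HDB_ERR_NOENTRY`, and free once on exit as sketched below (the old code also freed the context right after `LDB_message2entry` on success, so a single free at the end preserves that). `LDB_fetch_krbtgt` additionally leaks `alloc_principal`, which is never passed to `krb5_free_principal`, and assigns `realm_dn` twice with the first assignment dead.
```c
static krb5_error_code LDB_fetch(krb5_context context, HDB *db,
				 krb5_const_principal principal,
				 unsigned flags,
				 hdb_entry_ex *entry_ex)
{
	krb5_error_code ret = HDB_ERR_NOENTRY;
	TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");

	if (!mem_ctx) {
		krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
		return ENOMEM;
	}

	/* Each helper returns HDB_ERR_NOENTRY to let the next one try;
	 * any other result (success or a hard error) ends the lookup.
	 * mem_ctx is owned here: the helpers must not free it. */
	if (flags & HDB_F_GET_CLIENT) {
		ret = LDB_fetch_client(context, db, mem_ctx, principal, flags, entry_ex);
	}
	if (ret == HDB_ERR_NOENTRY && (flags & HDB_F_GET_SERVER)) {
		ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
	}
	if (ret == HDB_ERR_NOENTRY && (flags & HDB_F_GET_KRBTGT)) {
		ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
	}

	talloc_free(mem_ctx);
	return ret;
}
```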