From 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 15 Jul 2011 09:10:30 +0200 Subject: s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) --- source4/heimdal/lib/gssapi/krb5/8003.c | 2 +- .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 70 +++++++--- source4/heimdal/lib/gssapi/krb5/acquire_cred.c | 153 ++++++++++++++------- source4/heimdal/lib/gssapi/krb5/add_cred.c | 31 ++--- source4/heimdal/lib/gssapi/krb5/aeap.c | 10 +- source4/heimdal/lib/gssapi/krb5/arcfour.c | 14 +- source4/heimdal/lib/gssapi/krb5/cfx.c | 12 +- source4/heimdal/lib/gssapi/krb5/compat.c | 2 +- source4/heimdal/lib/gssapi/krb5/context_time.c | 2 +- source4/heimdal/lib/gssapi/krb5/copy_ccache.c | 2 +- source4/heimdal/lib/gssapi/krb5/creds.c | 8 +- source4/heimdal/lib/gssapi/krb5/encapsulate.c | 4 +- source4/heimdal/lib/gssapi/krb5/external.c | 21 ++- source4/heimdal/lib/gssapi/krb5/import_name.c | 4 +- source4/heimdal/lib/gssapi/krb5/init_sec_context.c | 36 ++--- source4/heimdal/lib/gssapi/krb5/inquire_cred.c | 4 +- .../lib/gssapi/krb5/inquire_names_for_mech.c | 2 +- .../lib/gssapi/krb5/inquire_sec_context_by_oid.c | 53 ++++++- source4/heimdal/lib/gssapi/krb5/prf.c | 24 ++-- .../lib/gssapi/krb5/process_context_token.c | 3 +- source4/heimdal/lib/gssapi/krb5/sequence.c | 4 +- source4/heimdal/lib/gssapi/krb5/set_cred_option.c | 4 +- .../lib/gssapi/krb5/set_sec_context_option.c | 7 +- source4/heimdal/lib/gssapi/krb5/store_cred.c | 2 +- source4/heimdal/lib/gssapi/krb5/unwrap.c | 3 +- source4/heimdal/lib/gssapi/krb5/verify_mic.c | 8 +- source4/heimdal/lib/gssapi/krb5/wrap.c | 2 +- 27 files changed, 310 insertions(+), 177 deletions(-) (limited to 'source4/heimdal/lib/gssapi/krb5') diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 65db343cad..d4555c5104 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c 
@@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->acceptor_address.length) - EVP_DigestUpdate(ctx, + EVP_DigestUpdate(ctx, b->acceptor_address.value, b->acceptor_address.length); _gsskrb5_encode_om_uint32 (b->application_data.length, num); diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index a5e9d054c4..5a00e124c2 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -36,12 +36,32 @@ HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; +static krb5_error_code +validate_keytab(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_error_code ret; + + ret = krb5_kt_resolve(context, name, id); + if (ret) + return ret; + + ret = krb5_kt_have_content(context, *id); + if (ret) { + krb5_kt_close(context, *id); + *id = NULL; + } + + return ret; +} + OM_uint32 -_gsskrb5_register_acceptor_identity (const char *identity) +_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity) { krb5_context context; krb5_error_code ret; + *min_stat = 0; + ret = _gsskrb5_init(&context); if(ret) return GSS_S_FAILURE; 
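Review bot: `*min_stat` is zeroed and then the failure of `_gsskrb5_init` returns `GSS_S_FAILURE` without propagating `ret`, so a caller of `_gsskrb5_register_acceptor_identity` sees a generic failure with minor status 0 while every later keytab error in the same function does report a code. Change the early return to `if (ret) { *min_stat = ret; return GSS_S_FAILURE; }`. `validate_keytab` would also benefit from a one-line contract above it, e.g. `/* Resolve NAME and require at least one entry; on any failure *id is left NULL. */`, since callers rely on the NULL-on-failure behaviour when they retry with a different name. The body of `_gsskrb5_register_acceptor_identity` continues past this hunk.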
@@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity) if (identity == NULL) { ret = krb5_kt_default(context, &_gsskrb5_keytab); } else { - char *p = NULL; - - ret = asprintf(&p, "FILE:%s", identity); - if(ret < 0 || p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; + /* + * First check if we can the keytab as is and if it has content... + */ + ret = validate_keytab(context, identity, &_gsskrb5_keytab); + /* + * if it doesn't, lets prepend FILE: and try again + */ + if (ret) { + char *p = NULL; + ret = asprintf(&p, "FILE:%s", identity); + if(ret < 0 || p == NULL) { + HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); + return GSS_S_FAILURE; + } + ret = validate_keytab(context, p, &_gsskrb5_keytab); + free(p); } - ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab); - free(p); } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) + if(ret) { + *min_stat = ret; return GSS_S_FAILURE; + } return GSS_S_COMPLETE; } @@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) if (key == NULL) return; - + switch (key->keytype) { case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: @@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token if (delegated_cred_handle) { gsskrb5_cred handle; - + ret = _gsskrb5_krb5_import_cred(minor_status, ccache, NULL, @@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; int use_subkey = 0; - + _gsskrb5i_is_cfx(context, ctx, 1); is_cfx = (ctx->more_flags & IS_CFX); - + if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; } else { @@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL); } - + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); 
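Review bot: Because `identity` is now tried verbatim before `FILE:` is prepended, the string is interpreted as a complete keytab specifier including its type prefix, whereas the old code only ever opened a FILE keytab; if any caller passes a name derived from the environment or from an untrusted source, it can now select a different keytab backend. If that widening is intended it deserves a comment at the call; otherwise the first attempt could be limited to names that carry an explicit prefix (e.g. only when `strchr(identity, ':') != NULL`). When both attempts fail, the `ret` from the `FILE:` retry overwrites the first error, so `*min_stat` never explains why the verbatim name was rejected; keeping the first `ret` when the retry also fails would give a more useful minor status. The comment `First check if we can the keytab as is` is missing its verb (`open`).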
@@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (IS_DCE_STYLE(ctx)) { output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, krb5_error_code kret; krb5_data inbuf; int32_t r_seq_number, l_seq_number; - + /* * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ @@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { krb5_ap_rep_enc_part *repl; int32_t auth_flags; - + krb5_auth_con_removeflags(context, ctx->auth_context, KRB5_AUTH_CONTEXT_DO_TIME, @@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, if (lifetime_rec == 0) { return GSS_S_CONTEXT_EXPIRED; } - + if (time_rec) *time_rec = lifetime_rec; } @@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { kret = krb5_auth_con_setremoteseqnumber(context, ctx->auth_context, - r_seq_number); + r_seq_number); if (kret) { *minor_status = kret; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index d0042e874b..0f1f5f81cf 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, memset(&in_cred, 0, sizeof(in_cred)); in_cred.client = principal; - + realm = krb5_principal_get_realm(context, principal); if (realm == NULL) { _gsskrb5_clear_status (); 
@@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, static krb5_error_code get_keytab(krb5_context context, krb5_keytab *keytab) { - char kt_name[256]; krb5_error_code kret; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); if (_gsskrb5_keytab != NULL) { - kret = krb5_kt_get_name(context, - _gsskrb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(context, kt_name, keytab); + char *name = NULL; + + kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name); + if (kret == 0) { + kret = krb5_kt_resolve(context, name, keytab); + krb5_xfree(name); + } } else kret = krb5_kt_default(context, keytab); @@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab) static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; @@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred * errors while searching. */ + if (credential_type != GSS_C_NO_OID && + !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + kret = KRB5_NOCREDS_SUPPLIED; /* XXX */ + goto end; + } + if (handle->principal) { kret = krb5_cc_cache_match (context, handle->principal, 
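Review bot: In `acquire_initiator_cred` an unsupported `credential_type` is rejected with `KRB5_NOCREDS_SUPPLIED` (the line marked `/* XXX */`), while `acquire_acceptor_cred` in the same commit uses `EINVAL` for the identical condition; the two should agree, and `EINVAL` describes "unknown credential type" better than "no credentials supplied". Suggest `kret = EINVAL; /* unsupported credential_type */`. The new `desired_mech`, `time_req` and `cred_usage` parameters are not referenced in the visible part of the function; if they are intentionally unused, a short comment saying so would save the next reader from searching for the use. Both functions' bodies continue outside the hunk.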
@@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred if (kret) goto end; } - kret = get_keytab(context, &keytab); - if (kret) - goto end; kret = krb5_get_init_creds_opt_alloc(context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(context, &cred, - handle->principal, keytab, 0, NULL, opt); + if (credential_type != GSS_C_NO_OID && + gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + gss_buffer_t password = (gss_buffer_t)credential_data; + + /* XXX are we requiring password to be NUL terminated? */ + + kret = krb5_get_init_creds_password(context, &cred, + handle->principal, + password->value, + NULL, NULL, 0, NULL, opt); + } else { + kret = get_keytab(context, &keytab); + if (kret) { + krb5_get_init_creds_opt_free(context, opt); + goto end; + } + kret = krb5_get_init_creds_keytab(context, &cred, + handle->principal, keytab, + 0, NULL, opt); + } krb5_get_init_creds_opt_free(context, opt); if (kret) goto end; @@ -233,19 +255,25 @@ end: static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; krb5_error_code kret; ret = GSS_S_FAILURE; + + if (credential_type != GSS_C_NO_OID) { + kret = EINVAL; + goto end; + } + kret = get_keytab(context, &handle->keytab); if (kret) goto end; 
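Review bot: The password branch passes `password->value` straight to `krb5_get_init_creds_password`, which reads it as a NUL-terminated C string, but a `gss_buffer_t` is length-delimited and not guaranteed to be terminated, so this can read past the caller's buffer (the `/* XXX */` comment already raises the question). `credential_data` is also dereferenced on this path without a NULL check. Copy the password into a terminated temporary of `password->length + 1` bytes, use that, and wipe it before freeing; if roken provides a non-elidable zeroizer, prefer it over plain `memset`. Note that `keytab` is now only resolved on the keytab branch, so whatever closes it after `end:` (outside the hunk) must tolerate it being unset on the password path.
```c
    if (credential_type != GSS_C_NO_OID &&
	gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
	gss_buffer_t password = (gss_buffer_t)credential_data;
	char *pw;

	if (password == NULL || password->value == NULL) {
	    krb5_get_init_creds_opt_free(context, opt);
	    kret = EINVAL;
	    goto end;
	}
	/* gss_buffer_t is length-delimited; krb5 wants a C string */
	pw = malloc(password->length + 1);
	if (pw == NULL) {
	    krb5_get_init_creds_opt_free(context, opt);
	    kret = ENOMEM;
	    goto end;
	}
	memcpy(pw, password->value, password->length);
	pw[password->length] = '\0';

	kret = krb5_get_init_creds_password(context, &cred,
					    handle->principal,
					    pw,
					    NULL, NULL, 0, NULL, opt);
	memset(pw, 0, password->length + 1); /* prefer a non-elidable wipe if available */
	free(pw);
    } else {
	/* … unchanged: keytab branch … */
    }
```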
@@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred OM_uint32 * time_rec ) { - krb5_context context; - gsskrb5_cred handle; OM_uint32 ret; - if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT(&context); - - *output_cred_handle = NULL; - if (time_rec) - *time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - if (desired_mechs) { int present = 0; @@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } } + ret = _gsskrb5_acquire_cred_ext(minor_status, + desired_name, + GSS_C_NO_OID, + NULL, + time_req, + GSS_KRB5_MECHANISM, + cred_usage, + output_cred_handle); + if (ret) + return ret; + + + ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle, + NULL, time_rec, NULL, actual_mechs); + if (ret) { + OM_uint32 tmp; + _gsskrb5_release_cred(&tmp, output_cred_handle); + } + + return ret; +} + +OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext +(OM_uint32 * minor_status, + const gss_name_t desired_name, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle + ) +{ + krb5_context context; + gsskrb5_cred handle; + OM_uint32 ret; + + cred_usage &= GSS_C_OPTION_MASK; + + if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return GSS_S_FAILURE; + } + + GSSAPI_KRB5_INIT(&context); + + *output_cred_handle = NULL; + handle = calloc(1, sizeof(*handle)); if (handle == NULL) { *minor_status = ENOMEM; @@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred HEIMDAL_MUTEX_init(&handle->cred_id_mutex); if (desired_name != GSS_C_NO_NAME) { - ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, desired_name, &handle->principal); if (ret) { 
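Review bot: `_gsskrb5_acquire_cred` no longer zeroes `*time_rec` and `*actual_mechs` up front (those lines are removed in the first hunk), so on the `desired_mechs` rejection path between the hunks and whenever `_gsskrb5_acquire_cred_ext` fails, the caller's outputs are left untouched instead of being set to 0 and `GSS_C_NO_OID_SET` as before; callers that only read them after checking the major status are fine, but the old contract was stricter. Restoring `if (time_rec) *time_rec = 0; if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET;` at the top of the wrapper keeps that behaviour. In the failure branch after `_gsskrb5_inquire_cred`, it is worth confirming that `_gsskrb5_release_cred` resets `*output_cred_handle` so the caller is not handed a freed handle. The `desired_mechs` check itself lies outside the visible hunks.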
@@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, - actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred if (ret == GSS_S_COMPLETE) ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, - NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) gss_release_oid_set(NULL, &handle->mechanisms); @@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred free(handle); return (ret); } - *minor_status = 0; - if (time_rec) { - ret = _gsskrb5_lifetime_left(minor_status, - context, - handle->lifetime, - time_rec); - - if (ret) - return ret; - } handle->usage = cred_usage; + *minor_status = 0; *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); } diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index a326613edd..00cf55f62d 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c 
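Review bot: On the `GSS_C_BOTH` path, if `acquire_acceptor_cred` fails after `acquire_initiator_cred` has already succeeded, the visible cleanup only destroys the mutex and frees `handle->principal`; whatever the initiator step stored in the handle (a ccache, lifetime state) must be released there too, which I cannot confirm because the error path continues past the hunk. Worth a check, or a comment at that error path naming the resources it is responsible for. `handle->usage = cred_usage;` now stores the value masked with `GSS_C_OPTION_MASK` in the caller; a one-line comment `/* option bits were masked off in _gsskrb5_acquire_cred_ext */` would make that intentional rather than accidental.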
@@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( return(GSS_S_FAILURE); } } - + /* check that we have the same name */ if (dname != NULL && krb5_principal_compare(context, dname, @@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( handle->ccache = NULL; handle->mechanisms = NULL; HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - + ret = GSS_S_FAILURE; kret = krb5_copy_principal(context, cred->principal, @@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (cred->keytab) { - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - int len; - - ret = GSS_S_FAILURE; + char *name = NULL; - kret = krb5_kt_get_type(context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; + ret = GSS_S_FAILURE; - kret = krb5_kt_get_name(context, cred->keytab, - name + len, - sizeof(name) - len); + kret = krb5_kt_get_full_name(context, cred->keytab, &name); if (kret) { *minor_status = kret; goto failure; @@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( kret = krb5_kt_resolve(context, name, &handle->keytab); + krb5_xfree(name); if (kret){ *minor_status = kret; goto failure; @@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_new_unique(context, type, + ret = krb5_cc_new_unique(context, type, NULL, &handle->ccache); if (ret) { *minor_status = ret; @@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( *minor_status = ENOMEM; goto failure; } - + kret = asprintf(&type_name, "%s:%s", type, name); if (kret < 0 || type_name == NULL) { *minor_status = ENOMEM; goto failure; } - + kret = krb5_cc_resolve(context, type_name, &handle->ccache); free(type_name); if (kret) { *minor_status = kret; goto failure; - } + } } } ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); 
diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c index 040cd3ee76..47913e4aec 100644 --- a/source4/heimdal/lib/gssapi/krb5/aeap.c +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status, krb5_context context; GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_unwrap_cfx_iov(minor_status, ctx, context, conf_state, qop_state, iov, iov_count); - + return GSS_S_FAILURE; } @@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status, { const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_context context; - + GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context, conf_req_flag, qop_req, conf_state, iov, iov_count); - + return GSS_S_FAILURE; } diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index dc59e997bd..0264207e4a 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type) + const char *type) { krb5_error_code ret; uint32_t seq_number; @@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, p = token_buffer->value; omret = _gsskrb5_verify_header (&p, token_buffer->length, - (u_char *)type, + type, GSS_KRB5_MECHANISM); if (omret) return omret; @@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); EVP_Cipher(&rc4_key, SND_SEQ, p, 8); 
@@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if(conf_req_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen); @@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); @@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8); @@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, if(conf_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8); diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index 1189718adc..3c1536b60e 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; size_t gsshsize, k5hsize; size_t gsstsize, k5tsize; - size_t i, rrc = 0, ec = 0; + size_t rrc = 0, ec = 0; + int i; gss_cfx_wrap_token token; krb5_error_code ret; int32_t seq_number; @@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, token->Flags = 0; token->Filler = 0xFF; + if ((ctx->more_flags & LOCAL) == 0) + token->Flags |= CFXSentByAcceptor; + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; @@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, plain packet: {data | "header" | gss-trailer (krb5 checksum) - + don't do RRC != 0 */ 
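Review bot: Setting `CFXSentByAcceptor` on tokens when `LOCAL` is not set is the sender-side requirement of RFC 4121 §4.2.2, but the flag only protects anything if the receiving side rejects a token whose SentByAcceptor bit does not match the peer's role; that check lives in the unwrap/verify paths, which this hunk does not touch, so please confirm it is enforced there (otherwise a peer's own wrap tokens can be reflected back to it). A comment on the new lines, `/* RFC 4121 4.2.2: acceptor-originated tokens must carry SentByAcceptor */`, would record the intent. Separately, `i` changed from `size_t` to `int` in `_gssapi_wrap_cfx_iov`, presumably to match `iov_count`; any comparison of `i` against `size_t` lengths in the rest of the function (outside the hunk) now mixes signedness.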
@@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) len += iov[i].buffer.length; - + p = malloc(len); if (p == NULL) { *minor_status = ENOMEM; @@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int q += iov[i].buffer.length; } } - assert((q - p) == len); + assert((size_t)(q - p) == len); /* unrotate first part */ q = p + rrc; diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index 221d219c69..3381dffa19 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status, *compat = match_val; break; } - + krb5_free_principal(context, match); match = NULL; } diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 7b27906b5b..cb1550011c 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time if (*time_rec == 0) return GSS_S_CONTEXT_EXPIRED; - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 4e65fc1cf3..e332d29c84 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (keytab_principal) { krb5_boolean match; diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c index d2c253e84b..fa45d19b98 100644 --- a/source4/heimdal/lib/gssapi/krb5/creds.c +++ b/source4/heimdal/lib/gssapi/krb5/creds.c 
@@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, char *str; GSSAPI_KRB5_INIT (&context); - + if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; @@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_get_full_name(context, handle->ccache, &str); if (ret) { krb5_storage_free(sp); *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_store_string(sp, str); free(str); if (ret) { @@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_resolve(context, str, &id); krb5_xfree(str); if (ret) { diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 79cd9232e1..fe5dac7c60 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -114,7 +114,7 @@ _gssapi_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gssapi_make_mech_header (output_token->value, len, mech); memcpy (p, in_data->data, in_data->length); @@ -145,7 +145,7 @@ _gsskrb5_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gsskrb5_make_header (output_token->value, len, type, mech); memcpy (p, in_data->data, in_data->length); diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index d6f14a48f7..26ede2487d 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "GS2-KRB5", + rk_UNCONST("GS2-KRB5"), _gss_mo_get_ctx_as_string, NULL }, 
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "KRB5", + rk_UNCONST("KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal Kerberos 5 mech", + rk_UNCONST("Heimdal Kerberos 5 mech"), _gss_mo_get_ctx_as_string, NULL }, @@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = { static gssapi_mech_interface_desc krb5_mech = { GMI_VERSION, "kerberos 5", - {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }, 0, _gsskrb5_acquire_cred, _gsskrb5_release_cred, @@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_store_cred, _gsskrb5_export_cred, _gsskrb5_import_cred, - NULL, + _gsskrb5_acquire_cred_ext, NULL, NULL, NULL, @@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = { NULL, NULL, krb5_mo, - sizeof(krb5_mo) / sizeof(krb5_mo[0]) + sizeof(krb5_mo) / sizeof(krb5_mo[0]), + _gsskrb5_pname_to_uid, + _gsskrb5_authorize_localname, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 2a071a305e..5fe512672f 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context, return GSS_S_BAD_NAME; else if (p->name.name_string.len > 1) hostname = p->name.name_string.val[1]; - + service = p->name.name_string.val[0]; - + ret = krb5_sname_to_principal(context, hostname, service, diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index 53855ca045..5f8b01b727 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c 
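Review bot: The `krb5_mech` initializer is positional, and this hunk both replaces a `NULL` slot with `_gsskrb5_acquire_cred_ext` and appends `_gsskrb5_pname_to_uid`, `_gsskrb5_authorize_localname` and seven more `NULL`s; if the `gssapi_mech_interface_desc` definition in the mech glue does not match slot for slot, a function pointer silently lands in the wrong member and is later called with the wrong arguments. Designated initializers using the member names the header declares (`.member = _gsskrb5_acquire_cred_ext`) would make the mapping explicit and survive reordering. The `rk_UNCONST` changes are fine as far as this hunk shows: the entries are string literals that the table type exposes as non-const.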
@@ -41,7 +41,7 @@ static OM_uint32 set_addresses (krb5_context context, krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) + const gss_channel_bindings_t input_chan_bindings) { /* Port numbers are expected to be in application_data.value, * initator's port first */ @@ -422,11 +422,6 @@ init_auth goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - goto failure; - - /* * This is hideous glue for (NFS) clients that wants to limit the * available enctypes to what it can support (encryption in @@ -458,17 +453,21 @@ init_auth * DNS canonicalizion. */ ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 0, time_req, + ctx, name, 0, time_req, time_rec); if (ret && allow_dns) ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 1, time_req, + ctx, name, 1, time_req, time_rec); if (ret) goto failure; ctx->lifetime = ctx->kcred->times.endtime; + ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); + if (ret) + goto failure; + ret = _gsskrb5_lifetime_left(minor_status, context, ctx->lifetime, @@ -530,7 +529,7 @@ init_auth_restart Checksum cksum; krb5_enctype enctype; krb5_data fwd_data, timedata; - int32_t offset = 0, oldoffset; + int32_t offset = 0, oldoffset = 0; uint32_t flagmask; krb5_data_zero(&outbuf); @@ -544,7 +543,7 @@ init_auth_restart */ if (!ctx->kcred->flags.b.ok_as_delegate) { krb5_data data; - + ret = krb5_cc_get_config(context, ctx->ccache, NULL, "realm-config", &data); if (ret == 0) { @@ -676,7 +675,8 @@ init_auth_restart output_token->length = outbuf.length; } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, - (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + (u_char *)(intptr_t)"\x01\x00", + GSS_KRB5_MECHANISM); krb5_data_free (&outbuf); if (ret) goto failure; 
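Review bot: `(u_char *)(intptr_t)"\x01\x00"` launders away `const` from a string literal through an integer round-trip, which silences `-Wcast-qual` without addressing the signature; the cleaner fix is to make the `type` parameter of `_gsskrb5_encapsulate` `const u_char *` (as this commit already does for `type` in `_gssapi_verify_mic_arcfour`) and drop the cast, or at least use `rk_UNCONST` as `external.c` does so the intent is greppable. Moving `_gss_DES3_get_mic_compat` after `gsskrb5_get_creds` changes when the compat check runs relative to credential acquisition, presumably because it needs `ctx->kcred` to be populated; a one-line comment saying so would keep a future cleanup from moving it back. `init_auth`'s body continues outside the hunks.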
@@ -848,9 +848,9 @@ repl_mutual *minor_status = kret; return GSS_S_FAILURE; } - + /* reset local seq number */ - krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context return GSS_S_BAD_MECH; if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { - OM_uint32 ret; + OM_uint32 ret1; if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; } - ret = _gsskrb5_create_ctx(minor_status, + ret1 = _gsskrb5_create_ctx(minor_status, context_handle, context, input_chan_bindings, INITIATOR_START); - if (ret) - return ret; + if (ret1) + return ret1; } if (*context_handle == GSS_C_NO_CONTEXT) { @@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context ret_flags, time_rec); if (ret != GSS_S_COMPLETE) - break; + break; /* FALL THOUGH */ case INITIATOR_RESTART: ret = init_auth_restart(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index d3798623ff..f88199692c 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred if (output_name != NULL) { if (icred && icred->principal != NULL) { gss_name_t name; - + if (acred && acred->principal) name = (gss_name_t)acred->principal; else name = (gss_name_t)icred->principal; - + ret = _gsskrb5_duplicate_name(minor_status, name, output_name); if (ret) goto out; diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index dc02b99851..65bd49c971 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c 
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech ( if (ret != GSS_S_COMPLETE) gss_release_oid_set(NULL, name_types); - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 14816e7a05..b57217a4e8 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -179,6 +179,46 @@ out: return maj_stat; } +static OM_uint32 inquire_sec_context_get_sspi_session_key + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + krb5_context context, + gss_buffer_set_t *data_set) +{ + krb5_keyblock *key; + OM_uint32 maj_stat = GSS_S_COMPLETE; + krb5_error_code ret; + gss_buffer_desc value; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(context_handle, context, &key); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + if (ret) + goto out; + if (key == NULL) { + ret = EINVAL; + goto out; + } + + value.length = key->keyvalue.length; + value.value = key->keyvalue.data; + + maj_stat = gss_add_buffer_set_member(minor_status, + &value, + data_set); + krb5_free_keyblock(context, key); + + /* MIT also returns the enctype encoded as an OID in data_set[1] */ + +out: + if (ret) { + *minor_status = ret; + maj_stat = GSS_S_FAILURE; + } + return maj_stat; +} + static OM_uint32 inquire_sec_context_authz_data (OM_uint32 *minor_status, const gsskrb5_ctx context_handle, 
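Review bot: `inquire_sec_context_get_sspi_session_key` returns only the raw key bytes, while its own comment notes that MIT also returns the enctype as an OID in `data_set[1]`; code written against MIT, which typically needs the enctype to make use of the key, will index a one-element set here, so either add the second element or state in the comment that Heimdal deliberately omits it. The function also hands the context's session key to anyone holding the context handle; a comment above it stating that the caller is responsible for protecting and releasing the returned buffer would be appropriate, since `gss_add_buffer_set_member` presumably copies the key bytes before `krb5_free_keyblock` releases the original. The `EINVAL` branch for `key == NULL` is fine, but note that `ret` is otherwise only set by `_gsskrb5i_get_token_key`, so a caller seeing `GSS_S_FAILURE` cannot tell the two cases apart.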
@@ -464,10 +504,10 @@ get_service_keyblock { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid context, ACCEPTOR_KEY, data_set); + } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) { + return inquire_sec_context_get_sspi_session_key(minor_status, + ctx, + context, + data_set); } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) { return get_authtime(minor_status, ctx, data_set); } else if (oid_prefix_equal(desired_object, diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 323b4cc722..162a309709 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, krb5_crypto crypto; krb5_data input, output; uint32_t num; + OM_uint32 junk; unsigned char *p; krb5_keyblock *key = NULL; + size_t dol; if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; } - if (desired_output_len <= 0) { + if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) { *minor_status = 0; return GSS_S_FAILURE; } + dol = desired_output_len; GSSAPI_KRB5_INIT (&context); 
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, return GSS_S_FAILURE; } - prf_out->value = malloc(desired_output_len); + prf_out->value = malloc(dol); if (prf_out->value == NULL) { _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - prf_out->length = desired_output_len; + prf_out->length = dol; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); input.length = prf_in->length + 4; input.data = malloc(prf_in->length + 4); if (input.data == NULL) { - OM_uint32 junk; _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; gss_release_buffer(&junk, prf_out); @@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length); + memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length); num = 0; p = prf_out->value; - while(desired_output_len > 0) { + while(dol > 0) { + size_t tsize; + _gsskrb5_encode_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); if (ret) { - OM_uint32 junk; *minor_status = ret; free(input.data); gss_release_buffer(&junk, prf_out); @@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(p, output.data, min(desired_output_len, output.length)); + + tsize = min(dol, output.length); + memcpy(p, output.data, tsize); p += output.length; - desired_output_len -= output.length; + dol -= tsize; krb5_data_free(&output); num++; } diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 4feda0de04..0cc1c07cfb 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c 
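Review bot: In the PRF loop `p += output.length;` still advances by the full PRF block while `dol -= tsize;` now subtracts only the truncated count, so the two cursors disagree on the final iteration; `p` is not dereferenced once `dol` reaches zero, but the consistent form is `p += tsize;`. The switch to an unsigned `dol` also means the loop now depends entirely on `tsize` being non-zero to make progress: if `krb5_crypto_prf` ever returned an empty `output` (not visible here), `dol` would never decrease and the loop would spin, so a cheap check that `output.length != 0` before the memcpy, failing with GSS_S_FAILURE otherwise, would make that assumption explicit. _gsskrb5_pseudo_random starts and ends outside this hunk.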
+++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token ( (gsskrb5_ctx)context_handle, context, token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); + GSS_C_QOP_DEFAULT, + "\x01\x02"); if (ret == GSS_S_COMPLETE) ret = _gsskrb5_delete_sec_context(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index fbbc5b6c70..2e0e7b20f9 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status, if (*o == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } *minor_status = 0; return GSS_S_COMPLETE; @@ -141,7 +141,7 @@ OM_uint32 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) { OM_uint32 r; - int i; + size_t i; if (o == NULL) return GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 5ff6172fb9..bd38716751 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status, cred = (gsskrb5_cred)*cred_handle; cred->cred_flags |= GSS_CF_NO_CI_FLAGS; - + *minor_status = 0; return GSS_S_COMPLETE; @@ -241,7 +241,7 @@ _gsskrb5_set_cred_option if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) { return no_ci_flags(minor_status, context, cred_handle, value); } - + *minor_status = EINVAL; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 237af1a52c..141ff722fb 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c 
@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option if (maj_stat != GSS_S_COMPLETE) return maj_stat; - _gsskrb5_register_acceptor_identity(str); + maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str); free(str); - *minor_status = 0; - return GSS_S_COMPLETE; + return maj_stat; } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { char *str; @@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option return maj_stat; t = time(NULL) + offset; - + krb5_set_real_time(context, t, 0); *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/krb5/store_cred.c b/source4/heimdal/lib/gssapi/krb5/store_cred.c index 21f9f6e8ab..a3aa2fb83e 100644 --- a/source4/heimdal/lib/gssapi/krb5/store_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/store_cred.c @@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32 *minor_status, *minor_status = ret; return(GSS_S_FAILURE); } - + if (default_cred) krb5_cc_switch(context, id); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index 7620d691bd..d6bc204777 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -54,7 +54,7 @@ unwrap_des DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; uint32_t seq_number; size_t padlength; OM_uint32 ret; @@ -98,6 +98,7 @@ unwrap_des if(cstate) { /* decrypt data */ memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); + memset (&zero, 0, sizeof(zero)); for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 9a5445698b..3123787ff4 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -44,7 +44,7 @@ verify_mic_des const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; 
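Review bot: The added `memset (&zero, 0, sizeof(zero));` in unwrap_des initialises `zero` only inside the `if(cstate)` decrypt branch; if `zero` is also used as the IV for the checksum step later in the function (outside this hunk), that use still needs its own initialisation. Since the `@@ -54` hunk in the same file already touches the declaration block, initialising at the declaration — `DES_cblock zero = { 0 };` — would cover every path instead of one. The missing zeroing presumably went unnoticed because an uninitialised CBC IV only corrupts the first decrypted block, which for this token layout looks like the discardable confounder; a one-line comment saying why the IV must be all zeros (`/* IV for the DES-CBC decrypt; must be zero per RFC 1964 */`) would stop it being dropped again. unwrap_des starts and ends outside the hunk.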
@@ -142,7 +142,7 @@ verify_mic_des3 const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; @@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, - char * type + const char * type ) { krb5_keyblock *key; @@ -348,7 +348,7 @@ _gsskrb5_verify_mic (gsskrb5_ctx)context_handle, context, message_buffer, token_buffer, - qop_state, "\x01\x01"); + qop_state, (void *)(intptr_t)"\x01\x01"); return ret; } diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 54f92df609..efd0d82c49 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -214,7 +214,7 @@ wrap_des EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; int32_t seq_number; size_t len, total_len, padlength, datalen; -- cgit
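Review bot: The cast `(void *)(intptr_t)"\x01\x01"` at the `_gsskrb5_verify_mic_internal` call in _gsskrb5_verify_mic is no longer needed, because the `@@ -276` hunk in this same file changes that function's `type` parameter to `const char *`; a string literal converts to `const char *` directly, and routing it through `intptr_t` and `void *` only hides the type and discards the const qualifier the commit just added. Pass it as `qop_state, "\x01\x01");`, which is also how process_context_token.c passes `"\x01\x02"` to the same internal function in this commit. _gsskrb5_verify_mic's body begins outside the hunk.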