From 2b29b7186459d945ec448694164bfe4239b30d72 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 27 Oct 2008 11:35:07 +0100
Subject: s4: import lorikeet-heimdal-200810271034

metze
---
 source4/heimdal/lib/krb5/rd_req.c | 159 +++++++++++++++++++------------------
 1 file changed, 81 insertions(+), 78 deletions(-)

(limited to 'source4/heimdal/lib/krb5/rd_req.c')

diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index ef91f9fdd6..a416f90c10 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,34 +1,34 @@
 /*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
 *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
 *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
 *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
 */
 #include
@@ -58,7 +58,7 @@ decrypt_tkt_enc_part (krb5_context context,
 if (ret)
 return ret;
- ret = krb5_decode_EncTicketPart(context, plain.data, plain.length,
+ ret = krb5_decode_EncTicketPart(context, plain.data, plain.length,
 decr_part, &len);
 krb5_data_free (&plain);
 return ret;
@@ -95,7 +95,7 @@ decrypt_authenticator (krb5_context context,
 if (ret)
 return ret;
- ret = krb5_decode_Authenticator(context, plain.data, plain.length,
+ ret = krb5_decode_Authenticator(context, plain.data, plain.length,
 authenticator, &len);
 krb5_data_free (&plain);
 return ret;
@@ -113,17 +113,17 @@ krb5_decode_ap_req(krb5_context context,
 return ret;
 if (ap_req->pvno != 5){
 free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 return KRB5KRB_AP_ERR_BADVERSION;
 }
 if (ap_req->msg_type != krb_ap_req){
 free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 return KRB5KRB_AP_ERR_MSG_TYPE;
 }
 if (ap_req->ticket.tkt_vno != 5){
 free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 return KRB5KRB_AP_ERR_BADVERSION;
 }
 return 0;
@@ -135,8 +135,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
 char **realms;
 unsigned int num_realms;
 krb5_error_code ret;
-
- /*
+
+ /*
 * Windows 2000 and 2003 uses this inside their TGT so it's normaly
 * not seen by others, however, samba4 joined with a Windows AD as
 * a Domain Controller gets exposed to this.
@@ -150,14 +150,14 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
 if(enc->transited.contents.length == 0)
 return 0;
- ret = krb5_domain_x500_decode(context, enc->transited.contents,
- &realms, &num_realms,
+ ret = krb5_domain_x500_decode(context, enc->transited.contents,
+ &realms, &num_realms,
 enc->crealm, ticket->realm);
 if(ret)
 return ret;
- ret = krb5_check_transited(context, enc->crealm,
- ticket->realm,
+ ret = krb5_check_transited(context, enc->crealm,
+ ticket->realm,
 realms, num_realms, NULL);
 free(realms);
 return ret;
@@ -209,7 +209,7 @@ find_etypelist(krb5_context context,
 etypes, NULL);
 if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
 free_AD_IF_RELEVANT(&adIfRelevant);
@@ -228,7 +228,7 @@ krb5_decrypt_ticket(krb5_context context,
 ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t);
 if (ret)
 return ret;
-
+
 {
 krb5_timestamp now;
 time_t start = t.authtime;
@@ -240,12 +240,12 @@ krb5_decrypt_ticket(krb5_context context,
 || (t.flags.invalid && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) {
 free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 return KRB5KRB_AP_ERR_TKT_NYV;
 }
 if(now - t.endtime > context->max_skew) {
 free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 return KRB5KRB_AP_ERR_TKT_EXPIRED;
 }
@@ -257,7 +257,7 @@ krb5_decrypt_ticket(krb5_context context,
 }
 }
 }
-
+
 if(out)
 *out = t;
 else
@@ -275,7 +275,7 @@ krb5_verify_authenticator_checksum(krb5_context context,
 krb5_keyblock *key;
 krb5_authenticator authenticator;
 krb5_crypto crypto;
-
+
 ret = krb5_auth_con_getauthenticator (context,
 ac,
 &authenticator);
@@ -343,7 +343,7 @@ krb5_verify_ap_req2(krb5_context context,
 krb5_auth_context ac;
 krb5_error_code ret;
 EtypeList etypes;
-
+
 if (ticket)
 *ticket = NULL;
@@ -358,34 +358,34 @@ krb5_verify_ap_req2(krb5_context context,
 t = calloc(1, sizeof(*t));
 if (t == NULL) {
 ret = ENOMEM;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 goto out;
 }
 if (ap_req->ap_options.use_session_key && ac->keyblock){
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- ac->keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ ac->keyblock,
 &t->ticket, flags);
 krb5_free_keyblock(context, ac->keyblock);
 ac->keyblock = NULL;
 }else
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ keyblock,
 &t->ticket, flags);
-
+
 if(ret)
 goto out;
 ret = _krb5_principalname2krb5_principal(context, &t->server,
- ap_req->ticket.sname,
+ ap_req->ticket.sname,
 ap_req->ticket.realm);
 if (ret)
 goto out;
 ret = _krb5_principalname2krb5_principal(context, &t->client,
- t->ticket.cname,
+ t->ticket.cname,
 t->ticket.crealm);
 if (ret)
 goto out;
@@ -406,7 +406,7 @@ krb5_verify_ap_req2(krb5_context context,
 ac->authenticator->cname,
 ac->authenticator->crealm);
 _krb5_principalname2krb5_principal(context,
- &p2,
+ &p2,
 t->ticket.cname,
 t->ticket.crealm);
 res = krb5_principal_compare (context, p1, p2);
@@ -414,7 +414,7 @@ krb5_verify_ap_req2(krb5_context context,
 krb5_free_principal (context, p2);
 if (!res) {
 ret = KRB5KRB_AP_ERR_BADMATCH;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 goto out;
 }
 }
@@ -427,7 +427,7 @@ krb5_verify_ap_req2(krb5_context context,
 ac->remote_address,
 t->ticket.caddr)) {
 ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 goto out;
 }
@@ -439,7 +439,7 @@ krb5_verify_ap_req2(krb5_context context,
 if (abs(ac->authenticator->ctime - now) > context->max_skew) {
 ret = KRB5KRB_AP_ERR_SKEW;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
 goto out;
 }
 }
@@ -506,7 +506,7 @@ krb5_verify_ap_req2(krb5_context context,
 krb5_auth_con_free (context, ac);
 return ret;
 }
-
+
 /*
 *
 */
@@ -532,7 +532,8 @@ krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
 {
 *ctx = calloc(1, sizeof(**ctx));
 if (*ctx == NULL) {
- krb5_set_error_message(context, ENOMEM, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
 return ENOMEM;
 }
 (*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0;
@@ -540,7 +541,7 @@ krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
 }
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keytab(krb5_context context,
+krb5_rd_req_in_set_keytab(krb5_context context,
 krb5_rd_req_in_ctx in,
 krb5_keytab keytab)
 {
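Review bot: In the krb5_rd_req_in_ctx_alloc hunk the N_()-wrapped message is passed in the position that krb5_set_error_message appears to treat as its printf-style format string, so any `%` that a message-catalog translation introduces would be interpreted as a conversion; passing it as a value, `krb5_set_error_message(context, ENOMEM, "%s", N_("malloc: out of memory", ""));`, keeps the format under the code's control. The same pattern appears in the _krb5_rd_req_out_ctx_alloc hunk and the krb5_rd_req_ctx hunk later in this diff. Whether N_() is resolved at run time here or only marks the string for extraction is not visible in the diff; if it is extraction-only, this is a hardening point rather than a live defect. Separately, the allocation on the preceding line is calloc(), so `"calloc: out of memory"` would name the failing call accurately.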
@@ -550,7 +551,7 @@ krb5_rd_req_in_set_keytab(krb5_context context,
 /**
 * Set if krb5_rq_red() is going to check the Windows PAC or not
- *
+ *
 * @param context Keberos 5 context.
 * @param in krb5_rd_req_in_ctx to check the option on.
 * @param flag flag to select if to check the pac (TRUE) or not (FALSE).
@@ -561,7 +562,7 @@ krb5_rd_req_in_set_keytab(krb5_context context,
 */
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_pac_check(krb5_context context,
+krb5_rd_req_in_set_pac_check(krb5_context context,
 krb5_rd_req_in_ctx in,
 krb5_boolean flag)
 {
@@ -571,7 +572,7 @@ krb5_rd_req_in_set_pac_check(krb5_context context,
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keyblock(krb5_context context,
+krb5_rd_req_in_set_keyblock(krb5_context context,
 krb5_rd_req_in_ctx in,
 krb5_keyblock *keyblock)
 {
@@ -580,7 +581,7 @@ krb5_rd_req_in_set_keyblock(krb5_context context,
 }
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ap_req_options(krb5_context context,
+krb5_rd_req_out_get_ap_req_options(krb5_context context,
 krb5_rd_req_out_ctx out,
 krb5_flags *ap_req_options)
 {
@@ -589,7 +590,7 @@ krb5_rd_req_out_get_ap_req_options(krb5_context context,
 }
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ticket(krb5_context context,
+krb5_rd_req_out_get_ticket(krb5_context context,
 krb5_rd_req_out_ctx out,
 krb5_ticket **ticket)
 {
@@ -597,7 +598,7 @@ krb5_rd_req_out_get_ticket(krb5_context context,
 }
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_keyblock(krb5_context context,
+krb5_rd_req_out_get_keyblock(krb5_context context,
 krb5_rd_req_out_ctx out,
 krb5_keyblock **keyblock)
 {
@@ -615,7 +616,8 @@ _krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx)
 {
 *ctx = calloc(1, sizeof(**ctx));
 if (*ctx == NULL) {
- krb5_set_error_message(context, ENOMEM, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
 return ENOMEM;
 }
 return 0;
@@ -648,7 +650,7 @@ krb5_rd_req(krb5_context context,
 ret = krb5_rd_req_in_ctx_alloc(context, &in);
 if (ret)
 return ret;
-
+
 ret = krb5_rd_req_in_set_keytab(context, in, keytab);
 if (ret) {
 krb5_rd_req_in_ctx_free(context, in);
@@ -693,7 +695,7 @@ krb5_rd_req_with_keyblock(krb5_context context,
 ret = krb5_rd_req_in_ctx_alloc(context, &in);
 if (ret)
 return ret;
-
+
 ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
 if (ret) {
 krb5_rd_req_in_ctx_free(context, in);
@@ -739,7 +741,7 @@ get_key_from_keytab(krb5_context context,
 krb5_kt_default(context, &real_keytab);
 else
 real_keytab = keytab;
-
+
 if (ap_req->ticket.enc_part.kvno)
 kvno = *ap_req->ticket.enc_part.kvno;
 else
@@ -755,10 +757,10 @@ get_key_from_keytab(krb5_context context,
 goto out;
 ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
 krb5_kt_free_entry (context, &entry);
-out:
+out:
 if(keytab == NULL)
 krb5_kt_close(context, real_keytab);
-
+
 return ret;
 }
@@ -805,8 +807,9 @@ krb5_rd_req_ctx(krb5_context context,
 if (ap_req.ap_options.use_session_key &&
 (*auth_context)->keyblock == NULL) {
 ret = KRB5KRB_AP_ERR_NOKEY;
- krb5_set_error_message(context, ret, "krb5_rd_req: user to user auth "
- "without session key given");
+ krb5_set_error_message(context, ret,
+ N_("krb5_rd_req: user to user auth "
+ "without session key given", ""));
 goto out;
 }
@@ -828,8 +831,8 @@ krb5_rd_req_ctx(krb5_context context,
 if (inctx && inctx->keytab)
 keytab = inctx->keytab;
- ret = get_key_from_keytab(context,
- auth_context,
+ ret = get_key_from_keytab(context,
+ auth_context,
 &ap_req,
 server,
 keytab,
@@ -867,10 +870,10 @@ krb5_rd_req_ctx(krb5_context context,
 goto out;
 ret = krb5_pac_verify(context,
- pac,
+ pac,
 o->ticket->ticket.authtime,
- o->ticket->client,
- o->keyblock,
+ o->ticket->client,
+ o->keyblock,
 NULL);
 krb5_pac_free(context, pac);
 if (ret)
@@ -881,7 +884,7 @@ krb5_rd_req_ctx(krb5_context context,
 out:
 if (ret || outctx == NULL) {
 krb5_rd_req_out_ctx_free(context, o);
- } else
+ } else
 *outctx = o;
 free_AP_REQ(&ap_req);
--
cgit