From 835926c87921a0f4186a9331b6e31b2e6f1c0d90 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 7 May 2006 04:51:30 +0000 Subject: r15481: Update heimdal/ to match current lorikeet-heimdal. This includes many useful upstream changes, many of which should reduce warnings in our compile. It also includes a change to the HDB interface, which removes the need for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch(). The new flags replace the old entry type enum. (This required the rework in hdb-ldb.c included in this commit) Andrew Bartlett (This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05) --- source4/heimdal/lib/krb5/addr_families.c | 6 +- source4/heimdal/lib/krb5/changepw.c | 4 +- source4/heimdal/lib/krb5/crc.c | 6 +- source4/heimdal/lib/krb5/crypto.c | 12 +- source4/heimdal/lib/krb5/generate_seq_number.c | 6 +- source4/heimdal/lib/krb5/init_creds_pw.c | 3 +- source4/heimdal/lib/krb5/kcm.c | 10 +- source4/heimdal/lib/krb5/keytab_file.c | 4 +- source4/heimdal/lib/krb5/keytab_keyfile.c | 7 +- source4/heimdal/lib/krb5/krb5-private.h | 26 ++-- source4/heimdal/lib/krb5/krb5-protos.h | 34 ++++- source4/heimdal/lib/krb5/krb5-v4compat.h | 10 +- source4/heimdal/lib/krb5/krb5.h | 12 +- source4/heimdal/lib/krb5/krb5_ccapi.h | 4 +- source4/heimdal/lib/krb5/krb5_locl.h | 2 +- source4/heimdal/lib/krb5/log.c | 6 +- source4/heimdal/lib/krb5/pkinit.c | 193 ++++++++++++++++++++++--- source4/heimdal/lib/krb5/principal.c | 3 +- source4/heimdal/lib/krb5/store.c | 79 +++++++++- source4/heimdal/lib/krb5/v4_glue.c | 38 ++--- 20 files changed, 358 insertions(+), 107 deletions(-) (limited to 'source4/heimdal/lib/krb5') diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c index ebdbcfed46..895b01f9d8 100644 --- a/source4/heimdal/lib/krb5/addr_families.c +++ b/source4/heimdal/lib/krb5/addr_families.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: addr_families.c,v 1.51 2006/04/02 02:17:31 lha Exp $"); +RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $"); struct addr_operations { int af; @@ -199,7 +199,7 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr, unsigned long len, krb5_address *low, krb5_address *high) { unsigned long ia; - u_int32_t l, h, m = 0xffffffff; + uint32_t l, h, m = 0xffffffff; if (len > 32) { krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len); @@ -391,7 +391,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, unsigned long len, krb5_address *low, krb5_address *high) { struct in6_addr addr, laddr, haddr; - u_int32_t m; + uint32_t m; int i, sub_len; if (len > 128) { diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c index 7907e1ad9c..ba584a04a4 100644 --- a/source4/heimdal/lib/krb5/changepw.c +++ b/source4/heimdal/lib/krb5/changepw.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: changepw.c,v 1.55 2005/12/12 12:48:57 lha Exp $"); +RCSID("$Id: changepw.c,v 1.56 2006/05/05 09:26:47 lha Exp $"); static void str2data (krb5_data *d, @@ -271,7 +271,7 @@ process_reply (krb5_context context, krb5_error_code ret; u_char reply[1024 * 3]; ssize_t len; - u_int16_t pkt_len, pkt_ver; + uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c index c7cedd8c9e..4cfed75154 100644 --- a/source4/heimdal/lib/krb5/crc.c +++ b/source4/heimdal/lib/krb5/crc.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $"); +RCSID("$Id: crc.c,v 1.10 2006/05/05 09:27:09 lha Exp $"); static u_long table[256]; @@ -62,8 +62,8 @@ _krb5_crc_init_table(void) flag = 1; } -u_int32_t -_krb5_crc_update (const char *p, size_t len, u_int32_t res) +uint32_t +_krb5_crc_update (const char *p, size_t len, uint32_t res) { while (len--) res = table[(res ^ *p++) & 0xFF] ^ (res >> 8); diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index 3a90995283..2e8160518b 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.134 2006/04/10 08:58:53 lha Exp $"); +RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -602,7 +602,7 @@ AES_string_to_key(krb5_context context, krb5_keyblock *key) { krb5_error_code ret; - u_int32_t iter; + uint32_t iter; struct encryption_type *et; struct key_data kd; @@ -611,7 +611,7 @@ AES_string_to_key(krb5_context context, else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); - iter = ((u_int32_t)v); + iter = ((uint32_t)v); } else return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */ @@ -1296,7 +1296,7 @@ CRC32_checksum(krb5_context context, unsigned usage, Checksum *C) { - u_int32_t crc; + uint32_t crc; unsigned char *r = C->checksum.data; _krb5_crc_init_table (); crc = _krb5_crc_update (data, len, 0); @@ -4282,7 +4282,7 @@ _krb5_pk_octetstring2key(krb5_context context, static krb5_error_code krb5_get_keyid(krb5_context context, krb5_keyblock *key, - u_int32_t *keyid) + uint32_t *keyid) { MD5_CTX md5; unsigned char tmp[16]; @@ -4300,7 +4300,7 @@ krb5_crypto_debug(krb5_context context, size_t len, krb5_keyblock *key) { - u_int32_t keyid; + uint32_t keyid; char *kt; krb5_get_keyid(context, key, &keyid); krb5_enctype_to_string(context, key->keytype, &kt); diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c index f9e9cded5f..7f79e29858 100644 --- a/source4/heimdal/lib/krb5/generate_seq_number.c +++ b/source4/heimdal/lib/krb5/generate_seq_number.c @@ -33,16 +33,16 @@ #include -RCSID("$Id: generate_seq_number.c,v 1.9 2004/05/25 21:25:22 lha Exp $"); +RCSID("$Id: generate_seq_number.c,v 1.10 2006/05/05 09:28:06 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, - u_int32_t *seqno) + uint32_t *seqno) { krb5_error_code ret; krb5_keyblock *subkey; - u_int32_t q; + uint32_t q; u_char *p; int i; diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 489a88a31b..70b6c3e4c3 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c,v 1.92 2006/04/02 01:20:15 lha Exp $"); +RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $"); typedef struct krb5_get_init_creds_ctx { krb5_kdc_flags flags; @@ -1150,6 +1150,7 @@ process_pa_data_to_key(krb5_context context, if (pa && ctx->pk_init_ctx) { #ifdef PKINIT ret = _krb5_pk_rd_pa_reply(context, + a->req_body.realm, ctx->pk_init_ctx, etype, hi, diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c index f4372422ac..8f2d9f7f86 100644 --- a/source4/heimdal/lib/krb5/kcm.c +++ b/source4/heimdal/lib/krb5/kcm.c @@ -43,7 +43,7 @@ #include "kcm.h" -RCSID("$Id: kcm.c,v 1.8 2005/09/19 20:23:05 lha Exp $"); +RCSID("$Id: kcm.c,v 1.9 2006/05/05 09:28:48 lha Exp $"); typedef struct krb5_kcmcache { char *name; @@ -53,7 +53,7 @@ typedef struct krb5_kcmcache { #define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data) #define CACHENAME(X) (KCMCACHE(X)->name) -#define KCMCURSOR(C) (*(u_int32_t *)(C)) +#define KCMCURSOR(C) (*(uint32_t *)(C)) static krb5_error_code try_door(krb5_context context, const krb5_kcmcache *k, @@ -903,7 +903,7 @@ _krb5_kcm_noop(krb5_context context, krb5_error_code _krb5_kcm_chmod(krb5_context context, krb5_ccache id, - u_int16_t mode) + uint16_t mode) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); @@ -944,8 +944,8 @@ _krb5_kcm_chmod(krb5_context context, krb5_error_code _krb5_kcm_chown(krb5_context context, krb5_ccache id, - u_int32_t uid, - u_int32_t gid) + uint32_t uid, + uint32_t gid) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c index f9a76e634a..1b06387339 100644 --- a/source4/heimdal/lib/krb5/keytab_file.c +++ b/source4/heimdal/lib/krb5/keytab_file.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_file.c,v 1.22 2006/04/07 21:57:31 lha Exp $"); +RCSID("$Id: keytab_file.c,v 1.23 2006/05/05 12:36:57 lha Exp $"); #define KRB5_KT_VNO_1 1 #define KRB5_KT_VNO_2 2 @@ -428,7 +428,7 @@ loop: * if it's zero, assume that the 8bit one was right, * otherwise trust the new value */ curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); - if(len + 4 + pos - curpos == 4) { + if(len + 4 + pos - curpos >= 4) { ret = krb5_ret_int32(cursor->sp, &tmp32); if (ret == 0 && tmp32 != 0) { entry->vno = tmp32; diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c index 32fb48a8a2..d7f8a720e1 100644 --- a/source4/heimdal/lib/krb5/keytab_keyfile.c +++ b/source4/heimdal/lib/krb5/keytab_keyfile.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_keyfile.c,v 1.18 2006/04/02 01:24:52 lha Exp $"); +RCSID("$Id: keytab_keyfile.c,v 1.19 2006/04/24 15:06:57 lha Exp $"); /* afs keyfile operations --------------------------------------- */ @@ -63,8 +63,7 @@ struct akf_data { */ static int -get_cell_and_realm (krb5_context context, - struct akf_data *d) +get_cell_and_realm (krb5_context context, struct akf_data *d) { FILE *f; char buf[BUFSIZ], *cp; @@ -95,6 +94,7 @@ get_cell_and_realm (krb5_context context, if (f != NULL) { if (fgets (buf, sizeof(buf), f) == NULL) { free (d->cell); + d->cell = NULL; fclose (f); krb5_set_error_string (context, "no realm in %s", AFS_SERVERMAGICKRBCONF); @@ -110,6 +110,7 @@ get_cell_and_realm (krb5_context context, d->realm = strdup (buf); if (d->realm == NULL) { free (d->cell); + d->cell = NULL; krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 00126d60ed..17b282f1d8 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -30,11 +30,11 @@ _krb5_cc_allocate ( void _krb5_crc_init_table (void); -u_int32_t +uint32_t _krb5_crc_update ( const char */*p*/, size_t /*len*/, - u_int32_t /*res*/); + uint32_t /*res*/); krb5_error_code _krb5_dh_group_ok ( @@ -120,14 +120,14 @@ krb5_error_code _krb5_kcm_chmod ( krb5_context /*context*/, krb5_ccache /*id*/, - u_int16_t /*mode*/); + uint16_t /*mode*/); krb5_error_code _krb5_kcm_chown ( krb5_context /*context*/, krb5_ccache /*id*/, - u_int32_t /*uid*/, - u_int32_t /*gid*/); + uint32_t /*uid*/, + uint32_t /*gid*/); krb5_error_code _krb5_kcm_get_initial_ticket ( @@ -158,8 +158,8 @@ _krb5_krb_cr_err_reply ( const char */*name*/, const char */*inst*/, const char */*realm*/, - u_int32_t /*time_ws*/, - u_int32_t /*e*/, + uint32_t /*time_ws*/, + uint32_t /*e*/, const char */*e_string*/, krb5_data */*data*/); @@ -171,7 +171,7 @@ _krb5_krb_create_auth_reply ( const char */*prealm*/, int32_t /*time_ws*/, int /*n*/, - u_int32_t /*x_date*/, + uint32_t /*x_date*/, unsigned char /*kvno*/, const krb5_data */*cipher*/, krb5_data */*data*/); @@ -183,10 +183,10 @@ _krb5_krb_create_ciph ( const char */*service*/, const char */*instance*/, const char */*realm*/, - u_int32_t /*life*/, + uint32_t /*life*/, unsigned char /*kvno*/, const krb5_data */*ticket*/, - u_int32_t /*kdc_time*/, + uint32_t /*kdc_time*/, const krb5_keyblock */*key*/, krb5_data */*enc_data*/); @@ -298,6 +298,11 @@ _krb5_parse_moduli_line ( char */*p*/, struct krb5_dh_moduli **/*m*/); +void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate ( + struct krb5_pk_identity */*id*/, + int /*boolean*/); + void KRB5_LIB_FUNCTION _krb5_pk_cert_free (struct krb5_pk_cert */*cert*/); @@ -341,6 +346,7 @@ _krb5_pk_octetstring2key ( krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_rd_pa_reply ( krb5_context /*context*/, + const char */*realm*/, void */*c*/, krb5_enctype /*etype*/, const krb5_krbhst_info */*hi*/, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 56f43f6c3d..37293ff982 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -1592,7 +1592,7 @@ krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number ( krb5_context /*context*/, const krb5_keyblock */*key*/, - u_int32_t */*seqno*/); + uint32_t */*seqno*/); krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey ( @@ -2802,6 +2802,21 @@ krb5_ret_times ( krb5_storage */*sp*/, krb5_times */*times*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16 ( + krb5_storage */*sp*/, + uint16_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32 ( + krb5_storage */*sp*/, + uint32_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8 ( + krb5_storage */*sp*/, + uint8_t */*value*/); + krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string ( krb5_context /*context*/, @@ -3087,7 +3102,7 @@ krb5_store_keyblock ( krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal ( krb5_storage */*sp*/, - krb5_principal /*p*/); + krb5_const_principal /*p*/); krb5_error_code KRB5_LIB_FUNCTION krb5_store_string ( @@ -3104,6 +3119,21 @@ krb5_store_times ( krb5_storage */*sp*/, krb5_times /*times*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16 ( + krb5_storage */*sp*/, + uint16_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32 ( + krb5_storage */*sp*/, + uint32_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8 ( + krb5_storage */*sp*/, + uint8_t /*value*/); + krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat ( const char */*string*/, diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h index 1d092dcbc9..3e14c5a38f 100644 --- a/source4/heimdal/lib/krb5/krb5-v4compat.h +++ b/source4/heimdal/lib/krb5/krb5-v4compat.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5-v4compat.h,v 1.6 2005/04/23 19:38:16 lha Exp $ */ +/* $Id: krb5-v4compat.h,v 1.7 2006/05/05 09:29:07 lha Exp $ */ #ifndef __KRB5_V4COMPAT_H__ #define __KRB5_V4COMPAT_H__ @@ -119,7 +119,7 @@ struct ktext { unsigned int length; /* Length of the text */ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ - u_int32_t mbz; /* zero to catch runaway strings */ + uint32_t mbz; /* zero to catch runaway strings */ }; struct credentials { @@ -157,11 +157,11 @@ struct _krb5_krb_auth_data { char *pname; /* Principal's name */ char *pinst; /* His Instance */ char *prealm; /* His Realm */ - u_int32_t checksum; /* Data checksum (opt) */ + uint32_t checksum; /* Data checksum (opt) */ krb5_keyblock session; /* Session Key */ unsigned char life; /* Life of ticket */ - u_int32_t time_sec; /* Time ticket issued */ - u_int32_t address; /* Address in ticket */ + uint32_t time_sec; /* Time ticket issued */ + uint32_t address; /* Address in ticket */ }; time_t _krb5_krb_life_to_time (int, int); diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 9814817600..32fdd6d383 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */ +/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -64,7 +64,7 @@ typedef int32_t krb5_error_code; typedef int krb5_kvno; -typedef u_int32_t krb5_flags; +typedef uint32_t krb5_flags; typedef void *krb5_pointer; typedef const void *krb5_const_pointer; @@ -492,7 +492,7 @@ typedef struct krb5_keytab_entry { krb5_principal principal; krb5_kvno vno; krb5_keyblock keyblock; - u_int32_t timestamp; + uint32_t timestamp; } krb5_keytab_entry; typedef struct krb5_kt_cursor { @@ -536,7 +536,7 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; typedef struct krb5_replay_data { krb5_timestamp timestamp; int32_t usec; - u_int32_t seq; + uint32_t seq; } krb5_replay_data; /* flags for krb5_auth_con_setflags */ @@ -569,8 +569,8 @@ typedef struct krb5_auth_context_data { krb5_keyblock *local_subkey; krb5_keyblock *remote_subkey; - u_int32_t local_seqnumber; - u_int32_t remote_seqnumber; + uint32_t local_seqnumber; + uint32_t remote_seqnumber; krb5_authenticator authenticator; diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h index 29b2ddbecc..d59b589304 100644 --- a/source4/heimdal/lib/krb5/krb5_ccapi.h +++ b/source4/heimdal/lib/krb5/krb5_ccapi.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_ccapi.h,v 1.2 2006/03/27 04:21:06 lha Exp $ */ +/* $Id: krb5_ccapi.h,v 1.3 2006/05/05 09:29:59 lha Exp $ */ #ifndef KRB5_CCAPI_H #define KRB5_CCAPI_H 1 @@ -84,7 +84,7 @@ enum { }; typedef int32_t cc_int32; -typedef u_int32_t cc_uint32; +typedef uint32_t cc_uint32; typedef struct cc_context_t *cc_context_t; typedef struct cc_ccache_t *cc_ccache_t; typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t; diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index 92dd3271f5..4dcac40c7a 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c index 7e478bf1e0..e6fcb6bbb9 100644 --- a/source4/heimdal/lib/krb5/log.c +++ b/source4/heimdal/lib/krb5/log.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: log.c,v 1.38 2006/04/10 09:41:26 lha Exp $"); +RCSID("$Id: log.c,v 1.39 2006/04/24 15:09:27 lha Exp $"); struct facility { int min; @@ -221,8 +221,10 @@ log_file(const char *timestr, if(f->fd == NULL) return; fprintf(f->fd, "%s %s\n", timestr, msg); - if(f->keep_open == 0) + if(f->keep_open == 0) { fclose(f->fd); + f->fd = NULL; + } } static void diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index fa4fb4699e..7e91946095 100755 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: pkinit.c,v 1.88 2006/04/23 21:30:17 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $"); struct krb5_dh_moduli { char *name; @@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data { int require_binding; int require_eku; int require_krbtgt_otherName; + int require_hostname_match; }; void KRB5_LIB_FUNCTION @@ -161,6 +162,109 @@ _krb5_pk_create_sign(krb5_context context, return ret; } +static int +cert2epi(hx509_context context, void *ctx, hx509_cert c) +{ + ExternalPrincipalIdentifiers *ids = ctx; + ExternalPrincipalIdentifier id; + hx509_name subject = NULL; + void *p; + int ret; + + memset(&id, 0, sizeof(id)); + + ret = hx509_cert_get_subject(c, &subject); + if (ret) + return ret; + + if (hx509_name_is_null_p(subject) != 0) { + + id.subjectName = calloc(1, sizeof(*id.subjectName)); + if (id.subjectName == NULL) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + ret = hx509_name_to_der_name(subject, &id.subjectName->data, + &id.subjectName->length); + if (ret) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + } + hx509_name_free(&subject); + + + id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber)); + if (id.issuerAndSerialNumber == NULL) { + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + { + IssuerAndSerialNumber iasn; + hx509_name issuer; + size_t size; + + memset(&iasn, 0, sizeof(iasn)); + + ret = hx509_cert_get_issuer(c, &issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_name_to_Name(issuer, &iasn.issuer); + hx509_name_free(&issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); + if (ret) { + free_IssuerAndSerialNumber(&iasn); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, + id.issuerAndSerialNumber->data, + id.issuerAndSerialNumber->length, + &iasn, &size, ret); + free_IssuerAndSerialNumber(&iasn); + if (ret) + return ret; + if (id.issuerAndSerialNumber->length != size) + abort(); + } + + id.subjectKeyIdentifier = NULL; + + p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); + if (p == NULL) { + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + ids->val = p; + ids->val[ids->len] = id; + ids->len++; + + return 0; +} + +static krb5_error_code +build_edi(krb5_context context, + hx509_context hx509ctx, + hx509_certs certs, + ExternalPrincipalIdentifiers *ids) +{ + return hx509_certs_iter(hx509ctx, certs, cert2epi, ids); +} + static krb5_error_code build_auth_pack(krb5_context context, unsigned nonce, @@ -446,8 +550,19 @@ pk_mk_padata(krb5_context context, memset(&req, 0, sizeof(req)); req.signedAuthPack = buf; - /* XXX tell the kdc what CAs the client is willing to accept */ - req.trustedCertifiers = NULL; + req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); + if (req.trustedCertifiers == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free_PA_PK_AS_REQ(&req); + goto out; + } + ret = build_edi(context, ctx->id->hx509ctx, + ctx->id->anchors, req.trustedCertifiers); + if (ret) { + krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers"); + free_PA_PK_AS_REQ(&req); + goto out; + } req.kdcPkId = NULL; ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length, @@ -524,6 +639,13 @@ _krb5_pk_mk_padata(krb5_context context, "pkinit_require_krbtgt_otherName", NULL); + ctx->require_hostname_match = + krb5_config_get_bool_default(context, NULL, + FALSE, + "realms", + req_body->realm, + "pkinit_require_hostname_match", + NULL); return pk_mk_padata(context, type, ctx, req_body, nonce, md); } @@ -710,6 +832,8 @@ get_reply_key(krb5_context context, static krb5_error_code pk_verify_host(krb5_context context, + const char *realm, + const krb5_krbhst_info *hi, struct krb5_pk_init_ctx_data *ctx, struct krb5_pk_cert *host) { @@ -719,13 +843,12 @@ pk_verify_host(krb5_context context, ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert, oid_id_pkkdcekuoid(), 0); if (ret) { - krb5_clear_error_string(context); + krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate"); return ret; } } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - krb5_error_code ret; int i; ret = hx509_cert_find_subjectAltName_otherName(host->cert, @@ -738,6 +861,7 @@ pk_verify_host(krb5_context context, for (i = 0; i < list.len; i++) { KRB5PrincipalName r; + ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &r, @@ -747,13 +871,15 @@ pk_verify_host(krb5_context context, break; } -#if 0 - if (r.principalName.name.len != 2) { - krb5_clear_error_string(context); + if (r.principalName.name_string.len != 2 || + strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 || + strcmp(r.principalName.name_string.val[1], realm) != 0 || + strcmp(r.realm, realm) != 0) + { + krb5_set_error_string(context, "KDC have wrong realm name in " + "the certificate"); ret = EINVAL; } -#endif - /* XXX verify realm */ free_KRB5PrincipalName(&r); if (ret) @@ -761,14 +887,26 @@ pk_verify_host(krb5_context context, } hx509_free_octet_string_list(&list); } + if (ret) + return ret; + + if (hi) { + ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, + ctx->require_hostname_match, + hi->hostname, + hi->ai->ai_addr, hi->ai->ai_addrlen); + if (ret) + krb5_set_error_string(context, "Address mismatch in the KDC certificate"); + } return ret; } static krb5_error_code pk_rd_pa_reply_enckey(krb5_context context, int type, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi, @@ -846,7 +984,7 @@ pk_rd_pa_reply_enckey(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) { krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret); goto out; @@ -894,7 +1032,8 @@ pk_rd_pa_reply_enckey(krb5_context context, static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi, @@ -938,7 +1077,7 @@ pk_rd_pa_reply_dh(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) goto out; @@ -1066,6 +1205,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_rd_pa_reply(krb5_context context, + const char *realm, void *c, krb5_enctype etype, const krb5_krbhst_info *hi, @@ -1106,7 +1246,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, free_PA_PK_AS_REP(&rep); break; } - ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi, + ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi, ctx->clientDHNonce, rep.u.dhInfo.serverDHNonce, nonce, pa, key); @@ -1126,7 +1266,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, "ContentInfo: %d", ret); break; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); return ret; @@ -1173,7 +1313,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, ret); return ret; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); break; @@ -1204,8 +1344,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) krb5_data password_data; struct prompter *p = data; - password_data.data = prompter->reply->data; - password_data.length = prompter->reply->length; + password_data.data = prompter->reply.data; + password_data.length = prompter->reply.length; prompt.prompt = "Enter your private key passphrase: "; prompt.hidden = 1; prompt.reply = &password_data; @@ -1216,12 +1356,21 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { - memset (prompter->reply->data, 0, prompter->reply->length); + memset (prompter->reply.data, 0, prompter->reply.length); return 0; } - return strlen(prompter->reply->data); + return strlen(prompter->reply.data); +} + + +void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id, + int boolean) +{ + hx509_verify_set_proxy_certificate(id->verify_ctx, boolean); } + krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_load_id(krb5_context context, struct krb5_pk_identity **ret_id, @@ -1715,7 +1864,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, } if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) { - krb5_set_error_string(context, "malloc: out of memory"); + krb5_set_error_string(context, "pkinit: failed to generate DH key"); _krb5_get_init_creds_opt_free_pkinit(opt); return ENOMEM; } diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c index 34086b1fbe..f6e3847cce 100644 --- a/source4/heimdal/lib/krb5/principal.c +++ b/source4/heimdal/lib/krb5/principal.c @@ -41,7 +41,7 @@ #include #include "resolve.h" -RCSID("$Id: principal.c,v 1.94 2006/04/10 10:10:01 lha Exp $"); +RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) @@ -829,7 +829,6 @@ krb5_425_conv_principal_ext2(krb5_context context, if (r) { if (r->head && r->head->type == T_AAAA) { inst = strdup(r->head->domain); - dns_free_data(r); passed = TRUE; } dns_free_data(r); diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c index 4a567bb379..a6f4a011a1 100644 --- a/source4/heimdal/lib/krb5/store.c +++ b/source4/heimdal/lib/krb5/store.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store.c,v 1.51 2006/04/07 22:23:20 lha Exp $"); +RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $"); #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) @@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp, return krb5_store_int(sp, value, 4); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32(krb5_storage *sp, + uint32_t value) +{ + return krb5_store_int32(sp, (int32_t)value); +} + static krb5_error_code krb5_ret_int(krb5_storage *sp, int32_t *value, @@ -211,6 +218,20 @@ krb5_ret_int32(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32(krb5_storage *sp, + uint32_t *value) +{ + krb5_error_code ret; + int32_t v; + + ret = krb5_ret_int32(sp, &v); + if (ret == 0) + *value = (uint32_t)v; + + return ret; +} + krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16(krb5_storage *sp, int16_t value) @@ -222,6 +243,13 @@ krb5_store_int16(krb5_storage *sp, return krb5_store_int(sp, value, 2); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16(krb5_storage *sp, + uint16_t value) +{ + return krb5_store_int16(sp, (int16_t)value); +} + krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16(krb5_storage *sp, int16_t *value) @@ -239,6 +267,20 @@ krb5_ret_int16(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16(krb5_storage *sp, + uint16_t *value) +{ + krb5_error_code ret; + int16_t v; + + ret = krb5_ret_int16(sp, &v); + if (ret == 0) + *value = (uint16_t)v; + + return ret; +} + krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8(krb5_storage *sp, int8_t value) @@ -251,6 +293,13 @@ krb5_store_int8(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8(krb5_storage *sp, + uint8_t value) +{ + return krb5_store_int8(sp, (int8_t)value); +} + krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8(krb5_storage *sp, int8_t *value) @@ -263,6 +312,20 @@ krb5_ret_int8(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8(krb5_storage *sp, + uint8_t *value) +{ + krb5_error_code ret; + int8_t v; + + ret = krb5_ret_int8(sp, &v); + if (ret == 0) + *value = (uint8_t)v; + + return ret; +} + krb5_error_code KRB5_LIB_FUNCTION krb5_store_data(krb5_storage *sp, krb5_data data) @@ -380,19 +443,19 @@ krb5_ret_stringz(krb5_storage *sp, krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal(krb5_storage *sp, - krb5_principal p) + krb5_const_principal p) { int i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { - ret = krb5_store_int32(sp, p->name.name_type); - if(ret) return ret; + ret = krb5_store_int32(sp, p->name.name_type); + if(ret) return ret; } if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) ret = krb5_store_int32(sp, p->name.name_string.len + 1); else - ret = krb5_store_int32(sp, p->name.name_string.len); + ret = krb5_store_int32(sp, p->name.name_string.len); if(ret) return ret; ret = krb5_store_string(sp, p->realm); @@ -710,7 +773,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) * format. */ { - u_int32_t mask = 0xffff0000; + uint32_t mask = 0xffff0000; creds->flags.i = 0; creds->flags.b.anonymous = 1; if (creds->flags.i & mask) @@ -865,7 +928,7 @@ krb5_ret_creds_tag(krb5_storage *sp, * format. */ { - u_int32_t mask = 0xffff0000; + uint32_t mask = 0xffff0000; creds->flags.i = 0; creds->flags.b.anonymous = 1; if (creds->flags.i & mask) diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c index dd294c8943..b1e12674dc 100644 --- a/source4/heimdal/lib/krb5/v4_glue.c +++ b/source4/heimdal/lib/krb5/v4_glue.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: v4_glue.c,v 1.3 2006/04/02 01:39:54 lha Exp $"); +RCSID("$Id: v4_glue.c,v 1.5 2006/05/05 09:31:00 lha Exp $"); #include "krb5-v4compat.h" @@ -463,10 +463,10 @@ _krb5_krb_create_ciph(krb5_context context, const char *service, const char *instance, const char *realm, - u_int32_t life, + uint32_t life, unsigned char kvno, const krb5_data *ticket, - u_int32_t kdc_time, + uint32_t kdc_time, const krb5_keyblock *key, krb5_data *enc_data) { @@ -523,7 +523,7 @@ _krb5_krb_create_auth_reply(krb5_context context, const char *prealm, int32_t time_ws, int n, - u_int32_t x_date, + uint32_t x_date, unsigned char kvno, const krb5_data *cipher, krb5_data *data) @@ -573,8 +573,8 @@ _krb5_krb_cr_err_reply(krb5_context context, const char *name, const char *inst, const char *realm, - u_int32_t time_ws, - u_int32_t e, + uint32_t time_ws, + uint32_t e, const char *e_string, krb5_data *data) { @@ -668,7 +668,7 @@ _krb5_krb_decomp_ticket(krb5_context context, RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error); RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error); RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int32(sp, &ad->address), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error); size = krb5_storage_read(sp, des_key, sizeof(des_key)); if (size != sizeof(des_key)) { @@ -676,14 +676,14 @@ _krb5_krb_decomp_ticket(krb5_context context, goto error; } - RCHECK(ret, krb5_ret_int8(sp, &ad->life), error); + RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error); if (ad->k_flags & 1) krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); else krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); - RCHECK(ret, krb5_ret_int32(sp, &ad->time_sec), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error); RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error); RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error); @@ -744,9 +744,9 @@ _krb5_krb_rd_req(krb5_context context, int8_t pvno; int8_t type; int8_t s_kvno; - u_int8_t ticket_length; - u_int8_t eaut_length; - u_int8_t time_5ms; + uint8_t ticket_length; + uint8_t eaut_length; + uint8_t time_5ms; char *realm = NULL; char *sname = NULL; char *sinstance = NULL; @@ -754,7 +754,7 @@ _krb5_krb_rd_req(krb5_context context, char *r_name = NULL; char *r_instance = NULL; - u_int32_t r_time_sec; /* Coarse time from authenticator */ + uint32_t r_time_sec; /* Coarse time from authenticator */ unsigned long delta_t; /* Time in authenticator - local time */ long tkt_age; /* Age of ticket */ @@ -795,8 +795,8 @@ _krb5_krb_rd_req(krb5_context context, RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error); RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int8(sp, &ticket_length), error); - RCHECK(ret, krb5_ret_int8(sp, &eaut_length), error); + RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error); + RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error); RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error); size = krb5_storage_read(sp, ticket.data, ticket.length); @@ -842,9 +842,9 @@ _krb5_krb_rd_req(krb5_context context, RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error); RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error); - RCHECK(ret, krb5_ret_int32(sp, &ad->checksum), error); - RCHECK(ret, krb5_ret_int8(sp, &time_5ms), error); - RCHECK(ret, krb5_ret_int32(sp, &r_time_sec), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error); + RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error); + RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error); if (strcmp(ad->pname, r_name) != 0 || strcmp(ad->pinst, r_instance) != 0 || @@ -853,7 +853,7 @@ _krb5_krb_rd_req(krb5_context context, goto error; } - if (from_addr && from_addr == ad->address) { + if (from_addr && from_addr != ad->address) { ret = EINVAL; /* RD_AP_BADD */ goto error; } -- cgit