From b39330c4873d4c3923a577e89690fc0e43b0c61a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Aug 2007 06:46:34 +0000 Subject: r24614: Merge with current lorikeet-heimdal. This brings us one step closer to an alpha release. Andrew Bartlett (This used to be commit 30e02747d511630659c59eafec8d28f58605943b) --- source4/heimdal/kdc/default_config.c | 2 +- source4/heimdal/kdc/digest.c | 25 +- source4/heimdal/kdc/kaserver.c | 17 +- source4/heimdal/kdc/kerberos4.c | 53 +- source4/heimdal/kdc/kerberos5.c | 140 ++-- source4/heimdal/kdc/kx509.c | 6 +- source4/heimdal/kuser/kinit.c | 10 +- source4/heimdal/lib/asn1/asn1_err.et | 5 +- source4/heimdal/lib/asn1/der_get.c | 25 +- source4/heimdal/lib/asn1/gen.c | 3 +- source4/heimdal/lib/asn1/gen_decode.c | 72 +- source4/heimdal/lib/asn1/gen_encode.c | 19 +- source4/heimdal/lib/asn1/gen_length.c | 13 +- source4/heimdal/lib/asn1/k5.asn1 | 6 +- source4/heimdal/lib/asn1/lex.c | 33 +- source4/heimdal/lib/asn1/parse.c | 795 +++++++++++---------- source4/heimdal/lib/asn1/parse.h | 6 +- source4/heimdal/lib/asn1/rfc2459.asn1 | 23 +- source4/heimdal/lib/asn1/test.asn1 | 9 +- source4/heimdal/lib/asn1/timegm.c | 6 +- source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c | 9 +- source4/heimdal/lib/gssapi/mech/gss_add_cred.c | 12 +- .../lib/gssapi/mech/gss_canonicalize_name.c | 9 +- source4/heimdal/lib/gssapi/mech/gss_compare_name.c | 9 +- .../heimdal/lib/gssapi/mech/gss_duplicate_name.c | 6 +- .../heimdal/lib/gssapi/mech/gss_init_sec_context.c | 8 +- source4/heimdal/lib/gssapi/mech/gss_mech_switch.c | 5 +- source4/heimdal/lib/gssapi/mech/gss_names.c | 27 +- source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c | 5 +- source4/heimdal/lib/gssapi/mech/name.h | 7 +- .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 21 +- source4/heimdal/lib/gssapi/spnego/spnego.asn1 | 45 +- source4/heimdal/lib/hcrypto/hmac.c | 12 +- source4/heimdal/lib/hx509/ca.c | 4 +- source4/heimdal/lib/hx509/cert.c | 4 +- source4/heimdal/lib/hx509/hx509-private.h | 32 - source4/heimdal/lib/hx509/ks_p11.c | 11 +- source4/heimdal/lib/hx509/peer.c | 6 +- source4/heimdal/lib/hx509/print.c | 48 +- source4/heimdal/lib/krb5/cache.c | 39 +- source4/heimdal/lib/krb5/changepw.c | 6 +- source4/heimdal/lib/krb5/get_cred.c | 12 +- source4/heimdal/lib/krb5/init_creds.c | 7 +- source4/heimdal/lib/krb5/init_creds_pw.c | 4 +- source4/heimdal/lib/krb5/krb5-private.h | 4 +- source4/heimdal/lib/krb5/krb5-protos.h | 8 - source4/heimdal/lib/krb5/krb5-v4compat.h | 50 +- source4/heimdal/lib/krb5/krb5.h | 13 +- source4/heimdal/lib/krb5/krb5_locl.h | 10 +- source4/heimdal/lib/krb5/krb_err.et | 63 ++ source4/heimdal/lib/krb5/krbhst.c | 6 +- source4/heimdal/lib/krb5/pkinit.c | 52 +- source4/heimdal/lib/krb5/plugin.c | 16 +- source4/heimdal/lib/krb5/rd_priv.c | 16 +- source4/heimdal/lib/krb5/v4_glue.c | 64 +- source4/heimdal/lib/ntlm/ntlm.c | 4 +- source4/heimdal_build/config.mk | 8 +- source4/static_deps.mk | 1 + 58 files changed, 1145 insertions(+), 786 deletions(-) create mode 100644 source4/heimdal/lib/krb5/krb_err.et (limited to 'source4') diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index e06366f214..5f336e3275 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -36,7 +36,7 @@ #include #include -RCSID("$Id: default_config.c 21296 2007-06-25 14:49:11Z lha $"); +RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $"); krb5_error_code krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c index 801449fe5e..358ca5ad56 100644 --- a/source4/heimdal/kdc/digest.c +++ b/source4/heimdal/kdc/digest.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" #include -RCSID("$Id: digest.c 21241 2007-06-20 11:30:19Z lha $"); +RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $"); #define MS_CHAP_V2 0x20 #define CHAP_MD5 0x10 @@ -975,7 +975,7 @@ _kdc_do_digest(krb5_context context, } kdc_log(context, config, 0, "Digest %s request successful %s", - ireq.u.digestRequest.type, from); + ireq.u.digestRequest.type, ireq.u.digestRequest.username); break; } @@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context, version = 1; if (flags & NTLM_NEG_NTLM2_SESSION) { - char sessionhash[MD5_DIGEST_LENGTH]; + unsigned char sessionhash[MD5_DIGEST_LENGTH]; MD5_CTX md5ctx; if ((config->digests_allowed & NTLM_V1_SESSION) == 0) { @@ -1331,10 +1331,24 @@ _kdc_do_digest(krb5_context context, version, ireq.u.ntlmRequest.username); break; } - default: + default: { + char *s; + krb5_set_error_string(context, "unknown operation to digest"); + ret = EINVAL; + failed: + + s = krb5_get_error_message(context, ret); + if (s == NULL) { + krb5_clear_error_string(context); + goto out; + } + + kdc_log(context, config, 0, "Digest failed with: %s", s); + r.element = choice_DigestRepInner_error; - r.u.error.reason = strdup("unknown/failed operation"); + r.u.error.reason = strdup("unknown error"); + krb5_free_error_string(context, s); if (r.u.error.reason == NULL) { krb5_set_error_string(context, "out of memory"); ret = ENOMEM; @@ -1343,6 +1357,7 @@ _kdc_do_digest(krb5_context context, r.u.error.code = EINVAL; break; } + } ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret); if (ret) { diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index deb32e1019..15624e8e76 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $"); +RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $"); #include #include @@ -191,19 +191,28 @@ init_reply_header (struct rx_header *hdr, reply_hdr->serviceid = hdr->serviceid; } +/* + * Create an error `reply´ using for the packet `hdr' with the error + * `error´ code. + */ static void make_error_reply (struct rx_header *hdr, - uint32_t ret, + uint32_t error, krb5_data *reply) { - krb5_storage *sp; struct rx_header reply_hdr; + krb5_error_code ret; + krb5_storage *sp; init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); sp = krb5_storage_emem(); + if (sp == NULL) + return; ret = encode_rx_header (&reply_hdr, sp); - krb5_store_int32(sp, ret); + if (ret) + return; + krb5_store_int32(sp, error); krb5_storage_to_data (sp, reply); krb5_storage_free (sp); } diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index 3c76bb99b2..cbba64945b 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c @@ -35,7 +35,7 @@ #include -RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $"); +RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $"); #ifndef swap32 static uint32_t @@ -151,7 +151,8 @@ _kdc_do_version4(krb5_context context, if(!config->enable_v4) { kdc_log(context, config, 0, "Rejected version 4 request from %s", from); - make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled"); + make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR, + "Function not enabled"); return 0; } @@ -160,7 +161,7 @@ _kdc_do_version4(krb5_context context, if(pvno != 4){ kdc_log(context, config, 0, "Protocol version mismatch (krb4) (%d)", pvno); - make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch"); + make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch"); goto out; } RCHECK(krb5_ret_int8(sp, &msg_type), out); @@ -196,7 +197,7 @@ _kdc_do_version4(krb5_context context, if(ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "principal unknown"); goto out1; } @@ -205,7 +206,7 @@ _kdc_do_version4(krb5_context context, if(ret){ kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "principal unknown"); goto out1; } @@ -216,7 +217,7 @@ _kdc_do_version4(krb5_context context, TRUE); if (ret) { /* good error code? */ - make_err_reply(context, reply, KERB_ERR_NAME_EXP, + make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP, "operation not allowed"); goto out1; } @@ -227,7 +228,7 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "Per principal Kerberos 4 flag not turned on for %s", client_name); - make_err_reply(context, reply, KERB_ERR_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "allow kerberos4 flag required"); goto out1; } @@ -244,7 +245,7 @@ _kdc_do_version4(krb5_context context, "Pre-authentication required for v4-request: " "%s for %s", client_name, server_name); - make_err_reply(context, reply, KERB_ERR_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "preauth required"); goto out1; } @@ -252,7 +253,7 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for client"); - make_err_reply(context, reply, KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for client"); goto out1; } @@ -265,7 +266,7 @@ _kdc_do_version4(krb5_context context, if(ret){ kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", name, inst, realm); - make_err_reply(context, reply, KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "No version-4 salted key in database"); goto out1; } @@ -274,8 +275,7 @@ _kdc_do_version4(krb5_context context, ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for server"); - /* XXX */ - make_err_reply(context, reply, KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out1; } @@ -400,7 +400,7 @@ _kdc_do_version4(krb5_context context, "tgs-req (krb4) with old kvno %d (current %d) for " "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, realm, config->v4_realm); - make_err_reply(context, reply, KDC_AUTH_EXP, + make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP, "old krbtgt kvno used"); goto out2; } @@ -409,8 +409,7 @@ _kdc_do_version4(krb5_context context, if(ret){ kdc_log(context, config, 0, "no suitable DES key for krbtgt (krb4)"); - /* XXX */ - make_err_reply(context, reply, KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for krbtgt"); goto out2; } @@ -456,7 +455,7 @@ _kdc_do_version4(krb5_context context, if(strcmp(ad.prealm, realm)){ kdc_log(context, config, 0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't hop realms"); goto out2; } @@ -465,7 +464,7 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "krb4 Cross-realm %s -> %s disabled", realm, config->v4_realm); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't hop realms"); goto out2; } @@ -473,7 +472,7 @@ _kdc_do_version4(krb5_context context, if(strcmp(sname, "changepw") == 0){ kdc_log(context, config, 0, "Bad request for changepw ticket (krb4)"); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't authorize password change based on TGT"); goto out2; } @@ -485,7 +484,7 @@ _kdc_do_version4(krb5_context context, s = kdc_log_msg(context, config, 0, "Client not found in database: (krb4) %s: %s", client_name, krb5_get_err_text(context, ret)); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } @@ -494,7 +493,7 @@ _kdc_do_version4(krb5_context context, s = kdc_log_msg(context, config, 0, "Local client not found in database: (krb4) " "%s", client_name); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } @@ -506,7 +505,7 @@ _kdc_do_version4(krb5_context context, s = kdc_log_msg(context, config, 0, "Server not found in database (krb4): %s: %s", server_name, krb5_get_err_text(context, ret)); - make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } @@ -516,8 +515,7 @@ _kdc_do_version4(krb5_context context, server, server_name, FALSE); if (ret) { - /* good error code? */ - make_err_reply(context, reply, KERB_ERR_NAME_EXP, + make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP, "operation not allowed"); goto out2; } @@ -526,8 +524,7 @@ _kdc_do_version4(krb5_context context, if(ret){ kdc_log(context, config, 0, "no suitable DES key for server (krb4)"); - /* XXX */ - make_err_reply(context, reply, KDC_NULL_KEY, + make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out2; } @@ -787,7 +784,7 @@ _kdc_get_des_key(krb5_context context, else if(is_server && server_key) *ret_key = server_key; else - return KERB_ERR_NULL_KEY; + return KRB4ET_KDC_NULL_KEY; } else { if(v4_key) *ret_key = v4_key; @@ -798,11 +795,11 @@ _kdc_get_des_key(krb5_context context, else if(is_server && server_key) *ret_key = server_key; else - return KERB_ERR_NULL_KEY; + return KRB4ET_KDC_NULL_KEY; } if((*ret_key)->key.keyvalue.length == 0) - return KERB_ERR_NULL_KEY; + return KRB4ET_KDC_NULL_KEY; return 0; } diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index e34938447a..40a9c9c972 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $"); +RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -84,6 +84,22 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type) return NULL; } +/* + * Detect if `key' is the using the the precomputed `default_salt'. + */ + +static krb5_boolean +is_default_salt_p(const krb5_salt *default_salt, const Key *key) +{ + if (key->salt == NULL) + return TRUE; + if (default_salt->salttype != key->salt->type) + return FALSE; + if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt)) + return FALSE; + return TRUE; +} + /* * return the first appropriate key of `princ' in `ret_key'. Look for * all the etypes in (`etypes', `len'), stopping as soon as we find @@ -97,6 +113,9 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, { int i; krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; + krb5_salt def_salt; + + krb5_get_pw_salt (context, princ->entry.principal, &def_salt); for(i = 0; ret != 0 && i < len ; i++) { Key *key = NULL; @@ -112,10 +131,13 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, *ret_key = key; *ret_etype = etypes[i]; ret = 0; - if (key->salt == NULL) + if (is_default_salt_p(&def_salt, key)) { + krb5_free_salt (context, def_salt); return ret; + } } } + krb5_free_salt (context, def_salt); return ret; } @@ -325,6 +347,43 @@ _kdc_encode_reply(krb5_context context, return 0; } +/* + * Return 1 if the client have only older enctypes, this is for + * determining if the server should send ETYPE_INFO2 or not. + */ + +static int +older_enctype(krb5_enctype enctype) +{ + switch (enctype) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + case ETYPE_DES3_CBC_SHA1: + case ETYPE_ARCFOUR_HMAC_MD5: + case ETYPE_ARCFOUR_HMAC_MD5_56: + return 1; + default: + return 0; + } +} + +static int +only_older_enctype_p(const KDC_REQ *req) +{ + int i; + + for(i = 0; i < req->req_body.etype.len; i++) { + if (!older_enctype(req->req_body.etype.val[i])) + return 0; + } + return 1; +} + +/* + * + */ + static krb5_error_code make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key) { @@ -395,14 +454,18 @@ get_pa_etype_info(krb5_context context, return ENOMEM; memset(pa.val, 0, pa.len * sizeof(*pa.val)); - for(j = 0; j < etypes_len; j++) { - for (i = 0; i < n; i++) - if (pa.val[i].etype == etypes[j]) + for(i = 0; i < client->keys.len; i++) { + for (j = 0; j < n; j++) + if (pa.val[j].etype == client->keys.val[i].key.keytype) goto skip1; - for(i = 0; i < client->keys.len; i++) { + for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) { if (krb5_enctype_valid(context, etypes[j]) != 0) continue; + if (!older_enctype(etypes[j])) + continue; + if (n >= pa.len) + krb5_abortx(context, "internal error: n >= p.len"); if((ret = make_etype_info_entry(context, &pa.val[n++], &client->keys.val[i])) != 0) { @@ -420,6 +483,10 @@ get_pa_etype_info(krb5_context context, } if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0) continue; + if (!older_enctype(etypes[j])) + continue; + if (n >= pa.len) + krb5_abortx(context, "internal error: n >= p.len"); if((ret = make_etype_info_entry(context, &pa.val[n++], &client->keys.val[i])) != 0) { @@ -429,16 +496,8 @@ get_pa_etype_info(krb5_context context, skip2:; } - if(n != pa.len) { - char *name; - ret = krb5_unparse_name(context, client->principal, &name); - if (ret) - name = rk_UNCONST(""); - kdc_log(context, config, 0, - "internal error in get_pa_etype_info(%s): %d != %d", - name, n, pa.len); - if (ret == 0) - free(name); + if(n < pa.len) { + /* stripped out newer enctypes */ pa.len = n; } @@ -528,33 +587,9 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) } /* - * Return 1 if the client have only older enctypes, this is for - * determining if the server should send ETYPE_INFO2 or not. - */ - -static int -only_older_enctype_p(const KDC_REQ *req) -{ - int i; - - for(i = 0; i < req->req_body.etype.len; i++) { - switch (req->req_body.etype.val[i]) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - break; - default: - return 0; - } - } - return 1; -} - -/* - * + * Return an ETYPE-INFO2. Enctypes are storted the same way as in the + * database (client supported enctypes first, then the unsupported + * enctypes). */ static krb5_error_code @@ -578,11 +613,11 @@ get_pa_etype_info2(krb5_context context, return ENOMEM; memset(pa.val, 0, pa.len * sizeof(*pa.val)); - for(j = 0; j < etypes_len; j++) { - for (i = 0; i < n; i++) - if (pa.val[i].etype == etypes[j]) + for(i = 0; i < client->keys.len; i++) { + for (j = 0; j < n; j++) + if (pa.val[j].etype == client->keys.val[i].key.keytype) goto skip1; - for(i = 0; i < client->keys.len; i++) { + for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) { if (krb5_enctype_valid(context, etypes[j]) != 0) continue; @@ -595,6 +630,7 @@ get_pa_etype_info2(krb5_context context, } skip1:; } + /* send enctypes that the cliene doesn't know about too */ for(i = 0; i < client->keys.len; i++) { for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) @@ -959,7 +995,9 @@ _kdc_as_rep(krb5_context context, if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { if (b->cname->name_string.len != 1) { kdc_log(context, config, 0, - "AS-REQ malformed canon request from %s", from); + "AS-REQ malformed canon request from %s, " + "enterprise name with %d name components", + from, b->cname->name_string.len); ret = KRB5_PARSE_MALFORMED; goto out; } @@ -1395,6 +1433,12 @@ _kdc_as_rep(krb5_context context, copy_Realm(&server->entry.principal->realm, &rep.ticket.realm); _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); + /* java 1.6 expects the name to be the same type, lets allow that + * uncomplicated name-types. */ +#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t) + if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST)) + rep.ticket.sname.name_type = b->sname->name_type; +#undef CNT et.flags.initial = 1; if(client->entry.flags.forwardable && server->entry.flags.forwardable) diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c index 8414ecb4b2..b1b861efef 100644 --- a/source4/heimdal/kdc/kx509.c +++ b/source4/heimdal/kdc/kx509.c @@ -36,7 +36,7 @@ #include #include -RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $"); +RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $"); /* * @@ -56,7 +56,7 @@ _kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size) * */ -static const char version_2_0[4] = {0 , 0, 2, 0}; +static const unsigned char version_2_0[4] = {0 , 0, 2, 0}; static krb5_error_code verify_req_hash(krb5_context context, @@ -122,7 +122,7 @@ calculate_reply_hash(krb5_context context, if (rep->certificate) HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length); if (rep->e_text) - HMAC_Update(&ctx, *rep->e_text, strlen(*rep->e_text)); + HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text)); HMAC_Final(&ctx, rep->hash->data, 0); HMAC_CTX_cleanup(&ctx); diff --git a/source4/heimdal/kuser/kinit.c b/source4/heimdal/kuser/kinit.c index 29a9bdd5c7..23fa7a5baf 100644 --- a/source4/heimdal/kuser/kinit.c +++ b/source4/heimdal/kuser/kinit.c @@ -32,18 +32,10 @@ */ #include "kuser_locl.h" -RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $"); +RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $"); #include "krb5-v4compat.h" -struct krb5_pk_identity; -struct krb5_pk_cert; -struct ContentInfo; -struct _krb5_krb_auth_data; -struct krb5_dh_moduli; -struct krb5_plugin; -enum plugin_type; -#include "krb5-private.h" #include "heimntlm.h" int forwardable_flag = -1; diff --git a/source4/heimdal/lib/asn1/asn1_err.et b/source4/heimdal/lib/asn1/asn1_err.et index 67af1a44fc..c624e218e7 100644 --- a/source4/heimdal/lib/asn1/asn1_err.et +++ b/source4/heimdal/lib/asn1/asn1_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $" +id "$Id: asn1_err.et 21394 2007-07-02 10:14:43Z lha $" error_table asn1 prefix ASN1 @@ -19,4 +19,7 @@ error_code BAD_FORMAT, "ASN.1 badly-formatted encoding" error_code PARSE_ERROR, "ASN.1 parse error" error_code EXTRA_DATA, "ASN.1 extra data past end of end structure" error_code BAD_CHARACTER, "ASN.1 invalid character in string" +error_code MIN_CONSTRAINT, "ASN.1 too few elements" +error_code MAX_CONSTRAINT, "ASN.1 too many elements" +error_code EXACT_CONSTRAINT, "ASN.1 wrong number of elements" end diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c index 3022435b33..f232ce9a29 100644 --- a/source4/heimdal/lib/asn1/der_get.c +++ b/source4/heimdal/lib/asn1/der_get.c @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $"); +RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $"); #include @@ -336,32 +336,25 @@ generalizedtime2time (const char *s, time_t *t) *t = _der_timegm (&tm); return 0; } -#undef timegm static int der_get_time (const unsigned char *p, size_t len, time_t *data, size_t *size) { - heim_octet_string k; char *times; - size_t ret = 0; - size_t l; int e; - e = der_get_octet_string (p, len, &k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - times = realloc(k.data, k.length + 1); - if (times == NULL){ - free(k.data); + if (len > len + 1 || len == 0) + return ASN1_BAD_LENGTH; + + times = malloc(len + 1); + if (times == NULL) return ENOMEM; - } - times[k.length] = 0; + memcpy(times, p, len); + times[len] = '\0'; e = generalizedtime2time(times, data); free (times); - if(size) *size = ret; + if(size) *size = len; return e; } diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c index cc1a3056de..26890212ae 100644 --- a/source4/heimdal/lib/asn1/gen.c +++ b/source4/heimdal/lib/asn1/gen.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $"); +RCSID("$Id: gen.c 21364 2007-06-27 08:51:06Z lha $"); FILE *headerfile, *codefile, *logfile; @@ -253,6 +253,7 @@ generate_header_of_codefile(const char *name) "#include \n" "#include \n" "#include \n" + "#include \n" "#include \n", orig_filename); diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c index 7ebef6cdce..face9ba47a 100644 --- a/source4/heimdal/lib/asn1/gen_decode.c +++ b/source4/heimdal/lib/asn1/gen_decode.c @@ -34,7 +34,7 @@ #include "gen_locl.h" #include "lex.h" -RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $"); +RCSID("$Id: gen_decode.c 21503 2007-07-12 11:57:19Z lha $"); static void decode_primitive (const char *typename, const char *name, const char *forwstr) @@ -202,6 +202,32 @@ find_tag (const Type *t, } } +static void +range_check(const char *name, + const char *length, + const char *forwstr, + struct range *r) +{ + if (r->min == r->max + 2 || r->min < r->max) + fprintf (codefile, + "if ((%s)->%s > %d) {\n" + "e = ASN1_MAX_CONSTRAINT; %s;\n" + "}\n", + name, length, r->max, forwstr); + if (r->min - 1 == r->max || r->min < r->max) + fprintf (codefile, + "if ((%s)->%s < %d) {\n" + "e = ASN1_MIN_CONSTRAINT; %s;\n" + "}\n", + name, length, r->min, forwstr); + if (r->max == r->min) + fprintf (codefile, + "if ((%s)->%s != %d) {\n" + "e = ASN1_EXACT_CONSTRAINT; %s;\n" + "}\n", + name, length, r->min, forwstr); +} + static int decode_type (const char *name, const Type *t, int optional, const char *forwstr, const char *tmpstr) @@ -236,12 +262,14 @@ decode_type (const char *name, const Type *t, int optional, } case TInteger: if(t->members) { - char *s; - asprintf(&s, "(int*)%s", name); - if (s == NULL) - errx (1, "out of memory"); - decode_primitive ("integer", s, forwstr); - free(s); + fprintf(codefile, + "{\n" + "int enumint;\n"); + decode_primitive ("integer", "&enumint", forwstr); + fprintf(codefile, + "*%s = enumint;\n" + "}\n", + name); } else if (t->range == NULL) { decode_primitive ("heim_integer", name, forwstr); } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) { @@ -262,6 +290,8 @@ decode_type (const char *name, const Type *t, int optional, break; case TOctetString: decode_primitive ("octet_string", name, forwstr); + if (t->range) + range_check(name, "length", forwstr, t->range); break; case TBitString: { Member *m; @@ -394,19 +424,31 @@ decode_type (const char *name, const Type *t, int optional, "{\n" "size_t %s_origlen = len;\n" "size_t %s_oldret = ret;\n" + "size_t %s_olen = 0;\n" "void *%s_tmp;\n" "ret = 0;\n" "(%s)->len = 0;\n" - "(%s)->val = NULL;\n" + "(%s)->val = NULL;\n", + tmpstr, + tmpstr, + tmpstr, + tmpstr, + name, + name); + + fprintf (codefile, "while(ret < %s_origlen) {\n" - "%s_tmp = realloc((%s)->val, " - " sizeof(*((%s)->val)) * ((%s)->len + 1));\n" - "if (%s_tmp == NULL) { %s; }\n" + "size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n" + "if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n" + "%s_olen = %s_nlen;\n" + "%s_tmp = realloc((%s)->val, %s_olen);\n" + "if (%s_tmp == NULL) { e = ENOMEM; %s; }\n" "(%s)->val = %s_tmp;\n", - tmpstr, tmpstr, tmpstr, - name, name, + tmpstr, + tmpstr, tmpstr, name, + tmpstr, tmpstr, forwstr, tmpstr, tmpstr, - name, name, name, + tmpstr, name, tmpstr, tmpstr, forwstr, name, tmpstr); @@ -425,6 +467,8 @@ decode_type (const char *name, const Type *t, int optional, "}\n", name, tmpstr, tmpstr); + if (t->range) + range_check(name, "len", forwstr, t->range); free (n); free (sname); break; diff --git a/source4/heimdal/lib/asn1/gen_encode.c b/source4/heimdal/lib/asn1/gen_encode.c index b5337b1c43..9544514212 100644 --- a/source4/heimdal/lib/asn1/gen_encode.c +++ b/source4/heimdal/lib/asn1/gen_encode.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $"); +RCSID("$Id: gen_encode.c 21503 2007-07-12 11:57:19Z lha $"); static void encode_primitive (const char *typename, const char *name) @@ -121,12 +121,12 @@ encode_type (const char *name, const Type *t, const char *tmpstr) break; case TInteger: if(t->members) { - char *s; - asprintf(&s, "(const int*)%s", name); - if(s == NULL) - errx(1, "out of memory"); - encode_primitive ("integer", s); - free(s); + fprintf(codefile, + "{\n" + "int enumint = (int)*%s;\n", + name); + encode_primitive ("integer", "&enumint"); + fprintf(codefile, "}\n;"); } else if (t->range == NULL) { encode_primitive ("heim_integer", name); } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) { @@ -292,6 +292,11 @@ encode_type (const char *name, const Type *t, const char *tmpstr) "size_t elen, totallen = 0;\n" "int eret;\n"); + fprintf(codefile, + "if ((%s)->len > UINT_MAX/sizeof(val[0]))\n" + "return ERANGE;\n", + name); + fprintf(codefile, "val = malloc(sizeof(val[0]) * (%s)->len);\n" "if (val == NULL && (%s)->len != 0) return ENOMEM;\n", diff --git a/source4/heimdal/lib/asn1/gen_length.c b/source4/heimdal/lib/asn1/gen_length.c index a1f7cc6644..4cb5d45089 100644 --- a/source4/heimdal/lib/asn1/gen_length.c +++ b/source4/heimdal/lib/asn1/gen_length.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $"); +RCSID("$Id: gen_length.c 21503 2007-07-12 11:57:19Z lha $"); static void length_primitive (const char *typename, @@ -72,12 +72,11 @@ length_type (const char *name, const Type *t, break; case TInteger: if(t->members) { - char *s; - asprintf(&s, "(const int*)%s", name); - if(s == NULL) - errx (1, "out of memory"); - length_primitive ("integer", s, variable); - free(s); + fprintf(codefile, + "{\n" + "int enumint = *%s;\n", name); + length_primitive ("integer", "&enumint", variable); + fprintf(codefile, "}\n"); } else if (t->range == NULL) { length_primitive ("heim_integer", name, variable); } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) { diff --git a/source4/heimdal/lib/asn1/k5.asn1 b/source4/heimdal/lib/asn1/k5.asn1 index 14e9793fdc..e3fe2b11e9 100644 --- a/source4/heimdal/lib/asn1/k5.asn1 +++ b/source4/heimdal/lib/asn1/k5.asn1 @@ -1,4 +1,4 @@ --- $Id: k5.asn1 21092 2007-06-15 19:47:46Z lha $ +-- $Id: k5.asn1 21400 2007-07-02 19:57:31Z lha $ KERBEROS5 DEFINITIONS ::= BEGIN @@ -332,7 +332,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE { s2kparams[2] OCTET STRING OPTIONAL } -ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY METHOD-DATA ::= SEQUENCE OF PA-DATA @@ -341,7 +341,7 @@ TypedData ::= SEQUENCE { data-value[1] OCTET STRING OPTIONAL } -TYPED-DATA ::= SEQUENCE OF TypedData +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData KDC-REQ-BODY ::= SEQUENCE { kdc-options[0] KDCOptions, diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c index fe488eb904..d628e4696f 100644 --- a/source4/heimdal/lib/asn1/lex.c +++ b/source4/heimdal/lib/asn1/lex.c @@ -1,6 +1,5 @@ -#include "config.h" -#line 3 "lex.yy.c" +#line 3 "lex.c" #define YY_INT_ALIGNED short int @@ -343,6 +342,9 @@ FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0; typedef int yy_state_type; extern int yylineno; + +int yylineno = 1; + extern char *yytext; #define yytext_ptr yytext @@ -824,7 +826,7 @@ char *yytext; * SUCH DAMAGE. */ -/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */ +/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */ #ifdef HAVE_CONFIG_H #include @@ -849,7 +851,7 @@ static unsigned lineno = 1; static void unterminated(const char *, unsigned); /* This is for broken old lexes (solaris 10 and hpux) */ -#line 852 "lex.yy.c" +#line 855 "lex.c" #define INITIAL 0 @@ -1004,7 +1006,7 @@ YY_DECL #line 68 "lex.l" -#line 1007 "lex.yy.c" +#line 1010 "lex.c" if ( !(yy_init) ) { @@ -1673,7 +1675,7 @@ YY_RULE_SETUP #line 274 "lex.l" ECHO; YY_BREAK -#line 1676 "lex.yy.c" +#line 1679 "lex.c" case YY_STATE_EOF(INITIAL): yyterminate(); @@ -2483,6 +2485,15 @@ static void yy_fatal_error (yyconst char* msg ) /* Accessor methods (get/set functions) to struct members. */ +/** Get the current line number. + * + */ +int yyget_lineno (void) +{ + + return yylineno; +} + /** Get the input stream. * */ @@ -2516,6 +2527,16 @@ char *yyget_text (void) return yytext; } +/** Set the current line number. + * @param line_number + * + */ +void yyset_lineno (int line_number ) +{ + + yylineno = line_number; +} + /** Set the input stream. This does not discard the current * input buffer. * @param in_str A readable stream. diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c index d9cd23b662..6a3e524e93 100644 --- a/source4/heimdal/lib/asn1/parse.c +++ b/source4/heimdal/lib/asn1/parse.c @@ -16,7 +16,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, see . */ + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work @@ -259,7 +261,7 @@ #include "gen_locl.h" #include "der.h" -RCSID("$Id: parse.y 19539 2006-12-28 17:15:05Z lha $"); +RCSID("$Id: parse.y 21597 2007-07-16 18:48:58Z lha $"); static Type *new_type (Typetype t); static struct constraint_spec *new_constraint_spec(enum ctype); @@ -300,7 +302,7 @@ typedef union YYSTYPE { int constant; struct value *value; - struct range range; + struct range *range; char *name; Type *type; Member *member; @@ -538,18 +540,18 @@ union yyalloc #endif /* YYFINAL -- State number of the termination state. */ -#define YYFINAL 4 +#define YYFINAL 6 /* YYLAST -- Last index in YYTABLE. */ -#define YYLAST 169 +#define YYLAST 195 /* YYNTOKENS -- Number of terminals. */ #define YYNTOKENS 98 /* YYNNTS -- Number of nonterminals. */ -#define YYNNTS 67 +#define YYNNTS 68 /* YYNRULES -- Number of rules. */ -#define YYNRULES 131 +#define YYNRULES 136 /* YYNRULES -- Number of states. */ -#define YYNSTATES 202 +#define YYNSTATES 214 /* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */ #define YYUNDEFTOK 2 @@ -603,80 +605,83 @@ static const yytype_uint8 yytranslate[] = YYRHS. */ static const yytype_uint16 yyprhs[] = { - 0, 0, 3, 12, 15, 18, 21, 22, 25, 26, - 29, 30, 34, 35, 37, 38, 40, 43, 48, 50, - 53, 55, 57, 61, 63, 67, 69, 71, 73, 75, - 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, - 97, 99, 101, 103, 109, 111, 114, 119, 121, 125, - 129, 134, 139, 141, 144, 150, 153, 156, 158, 163, - 167, 171, 176, 180, 184, 189, 191, 193, 195, 197, - 199, 202, 206, 208, 210, 212, 215, 219, 225, 230, - 234, 239, 240, 242, 244, 246, 247, 249, 251, 256, - 258, 260, 262, 264, 266, 268, 270, 272, 274, 278, - 282, 285, 287, 290, 294, 296, 300, 305, 307, 308, - 312, 313, 316, 321, 323, 325, 327, 329, 331, 333, - 335, 337, 339, 341, 343, 345, 347, 349, 351, 353, - 355, 357 + 0, 0, 3, 13, 16, 19, 22, 23, 26, 27, + 30, 31, 35, 36, 38, 39, 41, 44, 49, 51, + 54, 56, 58, 62, 64, 68, 70, 72, 74, 76, + 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, + 98, 100, 102, 104, 110, 116, 122, 126, 128, 131, + 136, 138, 142, 146, 151, 156, 158, 161, 167, 170, + 174, 176, 177, 180, 185, 189, 194, 199, 203, 207, + 212, 214, 216, 218, 220, 222, 225, 229, 231, 233, + 235, 238, 242, 248, 253, 257, 262, 263, 265, 267, + 269, 270, 272, 274, 279, 281, 283, 285, 287, 289, + 291, 293, 295, 297, 301, 305, 308, 310, 313, 317, + 319, 323, 328, 330, 331, 335, 336, 339, 344, 346, + 348, 350, 352, 354, 356, 358, 360, 362, 364, 366, + 368, 370, 372, 374, 376, 378, 380 }; /* YYRHS -- A `-1'-separated list of the rules' RHS. */ static const yytype_int16 yyrhs[] = { - 99, 0, -1, 86, 21, 100, 101, 84, 8, 102, - 24, -1, 27, 70, -1, 38, 70, -1, 7, 70, - -1, -1, 29, 39, -1, -1, 103, 107, -1, -1, - 40, 104, 90, -1, -1, 105, -1, -1, 106, -1, - 105, 106, -1, 109, 32, 86, 150, -1, 108, -1, - 108, 107, -1, 110, -1, 142, -1, 86, 91, 109, - -1, 86, -1, 86, 84, 111, -1, 112, -1, 129, - -1, 132, -1, 120, -1, 113, -1, 143, -1, 128, - -1, 118, -1, 115, -1, 123, -1, 121, -1, 122, - -1, 124, -1, 125, -1, 126, -1, 127, -1, 138, - -1, 11, -1, 92, 154, 83, 154, 93, -1, 43, - -1, 43, 114, -1, 43, 94, 116, 95, -1, 117, - -1, 116, 91, 117, -1, 116, 91, 85, -1, 86, - 92, 162, 93, -1, 25, 94, 119, 95, -1, 116, - -1, 9, 67, -1, 9, 67, 94, 148, 95, -1, - 51, 37, -1, 52, 67, -1, 49, -1, 64, 94, - 145, 95, -1, 64, 94, 95, -1, 64, 53, 111, - -1, 65, 94, 145, 95, -1, 65, 94, 95, -1, - 65, 53, 111, -1, 14, 94, 145, 95, -1, 130, - -1, 131, -1, 86, -1, 34, -1, 77, -1, 111, - 133, -1, 92, 134, 93, -1, 135, -1, 136, -1, - 137, -1, 19, 111, -1, 23, 12, 154, -1, 19, - 111, 23, 12, 154, -1, 18, 12, 94, 95, -1, - 139, 141, 111, -1, 96, 140, 89, 97, -1, -1, - 76, -1, 6, -1, 60, -1, -1, 27, -1, 38, - -1, 86, 111, 84, 154, -1, 144, -1, 33, -1, - 78, -1, 61, -1, 81, -1, 36, -1, 10, -1, - 79, -1, 147, -1, 145, 91, 147, -1, 145, 91, - 85, -1, 86, 111, -1, 146, -1, 146, 54, -1, - 146, 20, 154, -1, 149, -1, 148, 91, 149, -1, - 86, 92, 89, 93, -1, 151, -1, -1, 94, 152, - 95, -1, -1, 153, 152, -1, 86, 92, 89, 93, - -1, 86, -1, 89, -1, 155, -1, 156, -1, 160, - -1, 159, -1, 161, -1, 164, -1, 163, -1, 157, - -1, 158, -1, 86, -1, 88, -1, 71, -1, 31, - -1, 162, -1, 89, -1, 49, -1, 151, -1 + 99, 0, -1, 86, 151, 21, 100, 101, 84, 8, + 102, 24, -1, 27, 70, -1, 38, 70, -1, 7, + 70, -1, -1, 29, 39, -1, -1, 103, 107, -1, + -1, 40, 104, 90, -1, -1, 105, -1, -1, 106, + -1, 105, 106, -1, 109, 32, 86, 151, -1, 108, + -1, 108, 107, -1, 110, -1, 143, -1, 86, 91, + 109, -1, 86, -1, 86, 84, 111, -1, 112, -1, + 130, -1, 133, -1, 120, -1, 113, -1, 144, -1, + 129, -1, 118, -1, 115, -1, 123, -1, 121, -1, + 122, -1, 125, -1, 126, -1, 127, -1, 128, -1, + 139, -1, 11, -1, 92, 155, 83, 155, 93, -1, + 92, 155, 83, 46, 93, -1, 92, 47, 83, 155, + 93, -1, 92, 155, 93, -1, 43, -1, 43, 114, + -1, 43, 94, 116, 95, -1, 117, -1, 116, 91, + 117, -1, 116, 91, 85, -1, 86, 92, 163, 93, + -1, 25, 94, 119, 95, -1, 116, -1, 9, 67, + -1, 9, 67, 94, 149, 95, -1, 51, 37, -1, + 52, 67, 124, -1, 49, -1, -1, 66, 114, -1, + 64, 94, 146, 95, -1, 64, 94, 95, -1, 64, + 124, 53, 111, -1, 65, 94, 146, 95, -1, 65, + 94, 95, -1, 65, 53, 111, -1, 14, 94, 146, + 95, -1, 131, -1, 132, -1, 86, -1, 34, -1, + 77, -1, 111, 134, -1, 92, 135, 93, -1, 136, + -1, 137, -1, 138, -1, 19, 111, -1, 23, 12, + 155, -1, 19, 111, 23, 12, 155, -1, 18, 12, + 94, 95, -1, 140, 142, 111, -1, 96, 141, 89, + 97, -1, -1, 76, -1, 6, -1, 60, -1, -1, + 27, -1, 38, -1, 86, 111, 84, 155, -1, 145, + -1, 33, -1, 78, -1, 61, -1, 81, -1, 36, + -1, 10, -1, 79, -1, 148, -1, 146, 91, 148, + -1, 146, 91, 85, -1, 86, 111, -1, 147, -1, + 147, 54, -1, 147, 20, 155, -1, 150, -1, 149, + 91, 150, -1, 86, 92, 89, 93, -1, 152, -1, + -1, 94, 153, 95, -1, -1, 154, 153, -1, 86, + 92, 89, 93, -1, 86, -1, 89, -1, 156, -1, + 157, -1, 161, -1, 160, -1, 162, -1, 165, -1, + 164, -1, 158, -1, 159, -1, 86, -1, 88, -1, + 71, -1, 31, -1, 163, -1, 89, -1, 49, -1, + 152, -1 }; /* YYRLINE[YYN] -- source line where rule number YYN was defined. */ static const yytype_uint16 yyrline[] = { - 0, 231, 231, 238, 239, 241, 243, 246, 248, 251, - 252, 255, 256, 259, 260, 263, 264, 267, 278, 279, - 282, 283, 286, 292, 300, 310, 311, 312, 315, 316, - 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, - 327, 328, 331, 338, 348, 353, 360, 368, 374, 379, - 383, 396, 404, 407, 414, 422, 428, 435, 442, 448, - 456, 464, 470, 478, 486, 493, 494, 497, 508, 513, - 520, 536, 542, 545, 546, 549, 555, 563, 573, 579, - 592, 601, 604, 608, 612, 619, 622, 626, 633, 644, - 647, 652, 657, 662, 667, 672, 677, 685, 691, 696, - 707, 718, 724, 730, 738, 744, 751, 764, 765, 768, - 775, 778, 789, 793, 804, 810, 811, 814, 815, 816, - 817, 818, 821, 824, 827, 838, 846, 852, 860, 868, - 871, 876 + 0, 233, 233, 240, 241, 243, 245, 248, 250, 253, + 254, 257, 258, 261, 262, 265, 266, 269, 280, 281, + 284, 285, 288, 294, 302, 312, 313, 314, 317, 318, + 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, + 329, 330, 333, 340, 350, 358, 366, 377, 382, 388, + 396, 402, 407, 411, 424, 432, 435, 442, 450, 456, + 465, 473, 474, 479, 485, 493, 502, 508, 516, 524, + 531, 532, 535, 546, 551, 558, 574, 580, 583, 584, + 587, 593, 601, 611, 617, 630, 639, 642, 646, 650, + 657, 660, 664, 671, 682, 685, 690, 695, 700, 705, + 710, 715, 723, 729, 734, 745, 756, 762, 768, 776, + 782, 789, 802, 803, 806, 813, 816, 827, 831, 842, + 848, 849, 852, 853, 854, 855, 856, 859, 862, 865, + 876, 884, 890, 898, 906, 909, 914 }; #endif @@ -712,7 +717,7 @@ static const char *const yytname[] = "TypeAssignment", "Type", "BuiltinType", "BooleanType", "range", "IntegerType", "NamedNumberList", "NamedNumber", "EnumeratedType", "Enumerations", "BitStringType", "ObjectIdentifierType", - "OctetStringType", "NullType", "SequenceType", "SequenceOfType", + "OctetStringType", "NullType", "size", "SequenceType", "SequenceOfType", "SetType", "SetOfType", "ChoiceType", "ReferencedType", "DefinedType", "UsefulType", "ConstrainedType", "Constraint", "ConstraintSpec", "GeneralConstraint", "ContentsConstraint", "UserDefinedConstraint", @@ -751,35 +756,35 @@ static const yytype_uint8 yyr1[] = 102, 103, 103, 104, 104, 105, 105, 106, 107, 107, 108, 108, 109, 109, 110, 111, 111, 111, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, - 112, 112, 113, 114, 115, 115, 115, 116, 116, 116, - 117, 118, 119, 120, 120, 121, 122, 123, 124, 124, - 125, 126, 126, 127, 128, 129, 129, 130, 131, 131, - 132, 133, 134, 135, 135, 136, 136, 136, 137, 138, - 139, 140, 140, 140, 140, 141, 141, 141, 142, 143, - 144, 144, 144, 144, 144, 144, 144, 145, 145, 145, - 146, 147, 147, 147, 148, 148, 149, 150, 150, 151, - 152, 152, 153, 153, 153, 154, 154, 155, 155, 155, - 155, 155, 156, 157, 158, 159, 160, 160, 161, 162, - 163, 164 + 112, 112, 113, 114, 114, 114, 114, 115, 115, 115, + 116, 116, 116, 117, 118, 119, 120, 120, 121, 122, + 123, 124, 124, 125, 125, 126, 127, 127, 128, 129, + 130, 130, 131, 132, 132, 133, 134, 135, 136, 136, + 137, 137, 137, 138, 139, 140, 141, 141, 141, 141, + 142, 142, 142, 143, 144, 145, 145, 145, 145, 145, + 145, 145, 146, 146, 146, 147, 148, 148, 148, 149, + 149, 150, 151, 151, 152, 153, 153, 154, 154, 154, + 155, 155, 156, 156, 156, 156, 156, 157, 158, 159, + 160, 161, 161, 162, 163, 164, 165 }; /* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. */ static const yytype_uint8 yyr2[] = { - 0, 2, 8, 2, 2, 2, 0, 2, 0, 2, + 0, 2, 9, 2, 2, 2, 0, 2, 0, 2, 0, 3, 0, 1, 0, 1, 2, 4, 1, 2, 1, 1, 3, 1, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 5, 1, 2, 4, 1, 3, 3, - 4, 4, 1, 2, 5, 2, 2, 1, 4, 3, - 3, 4, 3, 3, 4, 1, 1, 1, 1, 1, - 2, 3, 1, 1, 1, 2, 3, 5, 4, 3, - 4, 0, 1, 1, 1, 0, 1, 1, 4, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 3, 3, - 2, 1, 2, 3, 1, 3, 4, 1, 0, 3, - 0, 2, 4, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 5, 5, 5, 3, 1, 2, 4, + 1, 3, 3, 4, 4, 1, 2, 5, 2, 3, + 1, 0, 2, 4, 3, 4, 4, 3, 3, 4, + 1, 1, 1, 1, 1, 2, 3, 1, 1, 1, + 2, 3, 5, 4, 3, 4, 0, 1, 1, 1, + 0, 1, 1, 4, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 3, 3, 2, 1, 2, 3, 1, + 3, 4, 1, 0, 3, 0, 2, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1 + 1, 1, 1, 1, 1, 1, 1 }; /* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state @@ -787,79 +792,81 @@ static const yytype_uint8 yyr2[] = means the default is an error. */ static const yytype_uint8 yydefact[] = { - 0, 0, 0, 6, 1, 0, 0, 0, 8, 5, - 3, 4, 0, 0, 7, 0, 10, 14, 0, 0, - 23, 0, 13, 15, 0, 2, 0, 9, 18, 20, - 21, 0, 11, 16, 0, 0, 95, 42, 0, 0, - 90, 68, 94, 44, 57, 0, 0, 92, 0, 0, - 69, 91, 96, 93, 0, 67, 81, 0, 25, 29, - 33, 32, 28, 35, 36, 34, 37, 38, 39, 40, - 31, 26, 65, 66, 27, 41, 85, 30, 89, 19, - 22, 108, 53, 0, 0, 0, 0, 45, 55, 56, - 0, 0, 0, 0, 24, 83, 84, 82, 0, 0, - 0, 70, 86, 87, 0, 110, 17, 107, 0, 0, - 0, 101, 97, 0, 52, 47, 0, 127, 130, 126, - 124, 125, 129, 131, 0, 115, 116, 122, 123, 118, - 117, 119, 128, 121, 120, 0, 60, 59, 0, 63, - 62, 0, 0, 88, 0, 0, 0, 0, 72, 73, - 74, 79, 113, 114, 0, 110, 0, 0, 104, 100, - 0, 64, 0, 102, 0, 0, 51, 0, 46, 58, - 61, 80, 0, 75, 0, 71, 0, 109, 111, 0, - 0, 54, 99, 98, 103, 0, 49, 48, 0, 0, - 0, 76, 0, 0, 105, 50, 43, 78, 0, 112, - 106, 77 + 0, 113, 0, 115, 0, 112, 1, 118, 119, 0, + 115, 6, 0, 114, 116, 0, 0, 0, 8, 0, + 5, 3, 4, 0, 0, 117, 7, 0, 10, 14, + 0, 0, 23, 0, 13, 15, 0, 2, 0, 9, + 18, 20, 21, 0, 11, 16, 0, 0, 100, 42, + 0, 0, 95, 73, 99, 47, 60, 0, 0, 97, + 61, 0, 74, 96, 101, 98, 0, 72, 86, 0, + 25, 29, 33, 32, 28, 35, 36, 34, 37, 38, + 39, 40, 31, 26, 70, 71, 27, 41, 90, 30, + 94, 19, 22, 113, 56, 0, 0, 0, 0, 48, + 58, 61, 0, 0, 0, 0, 0, 24, 88, 89, + 87, 0, 0, 0, 75, 91, 92, 0, 17, 0, + 0, 0, 106, 102, 0, 55, 50, 0, 132, 0, + 135, 131, 129, 130, 134, 136, 0, 120, 121, 127, + 128, 123, 122, 124, 133, 126, 125, 0, 59, 62, + 64, 0, 0, 68, 67, 0, 0, 93, 0, 0, + 0, 0, 77, 78, 79, 84, 0, 0, 109, 105, + 0, 69, 0, 107, 0, 0, 54, 0, 0, 46, + 49, 63, 65, 66, 85, 0, 80, 0, 76, 0, + 0, 57, 104, 103, 108, 0, 52, 51, 0, 0, + 0, 0, 0, 81, 0, 110, 53, 45, 44, 43, + 83, 0, 111, 82 }; /* YYDEFGOTO[NTERM-NUM]. */ static const yytype_int16 yydefgoto[] = { - -1, 2, 8, 13, 18, 19, 21, 22, 23, 27, - 28, 24, 29, 57, 58, 59, 87, 60, 114, 115, - 61, 116, 62, 63, 64, 65, 66, 67, 68, 69, - 70, 71, 72, 73, 74, 101, 147, 148, 149, 150, - 75, 76, 98, 104, 30, 77, 78, 110, 111, 112, - 157, 158, 106, 123, 154, 155, 124, 125, 126, 127, - 128, 129, 130, 131, 132, 133, 134 + -1, 2, 18, 24, 30, 31, 33, 34, 35, 39, + 40, 36, 41, 69, 70, 71, 99, 72, 125, 126, + 73, 127, 74, 75, 76, 77, 104, 78, 79, 80, + 81, 82, 83, 84, 85, 86, 114, 161, 162, 163, + 164, 87, 88, 111, 117, 42, 89, 90, 121, 122, + 123, 167, 168, 4, 135, 9, 10, 136, 137, 138, + 139, 140, 141, 142, 143, 144, 145, 146 }; /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing STATE-NUM. */ -#define YYPACT_NINF -100 +#define YYPACT_NINF -113 static const yytype_int16 yypact[] = { - -65, 19, 33, 5, -100, -29, -17, 11, 53, -100, - -100, -100, 47, 13, -100, 90, -34, 18, 81, 20, - 16, 21, 18, -100, 76, -100, -7, -100, 20, -100, - -100, 18, -100, -100, 23, 43, -100, -100, 24, 25, - -100, -100, -100, -4, -100, 77, 46, -100, -48, -45, - -100, -100, -100, -100, 51, -100, 4, -64, -100, -100, - -100, -100, -100, -100, -100, -100, -100, -100, -100, -100, - -100, -100, -100, -100, -100, -100, -16, -100, -100, -100, - -100, 26, 27, 31, 36, 52, 36, -100, -100, -100, - 51, -71, 51, -70, 32, -100, -100, -100, 37, 52, - 12, -100, -100, -100, 51, -39, -100, -100, 39, 51, - -78, -6, -100, 35, 40, -100, 38, -100, -100, -100, - -100, -100, -100, -100, 56, -100, -100, -100, -100, -100, - -100, -100, -100, -100, -100, -72, 32, -100, -57, 32, - -100, -36, 45, -100, 122, 51, 123, 50, -100, -100, - -100, 32, 44, -100, 49, -39, 57, -22, -100, 32, - -19, -100, 52, -100, 59, 10, -100, 52, -100, -100, - -100, -100, 58, -14, 52, -100, 61, -100, -100, 62, - 39, -100, -100, -100, -100, 60, -100, -100, 63, 64, - 133, -100, 65, 67, -100, -100, -100, -100, 52, -100, - -100, -100 + -74, -67, 38, -69, 23, -113, -113, -44, -113, -41, + -69, 4, -26, -113, -113, -3, 1, 10, 52, -10, + -113, -113, -113, 45, 13, -113, -113, 77, -35, 15, + 64, 19, 17, 20, 15, -113, 85, -113, 25, -113, + 19, -113, -113, 15, -113, -113, 27, 47, -113, -113, + 26, 29, -113, -113, -113, -30, -113, 89, 61, -113, + -57, -47, -113, -113, -113, -113, 82, -113, -4, -68, + -113, -113, -113, -113, -113, -113, -113, -113, -113, -113, + -113, -113, -113, -113, -113, -113, -113, -113, -17, -113, + -113, -113, -113, -67, 35, 33, 46, 51, 46, -113, + -113, 69, 44, -73, 88, 82, -72, 56, -113, -113, + -113, 49, 93, 7, -113, -113, -113, 82, -113, 58, + 82, -76, -13, -113, 57, 59, -113, 60, -113, 68, + -113, -113, -113, -113, -113, -113, -75, -113, -113, -113, + -113, -113, -113, -113, -113, -113, -113, -63, -113, -113, + -113, -62, 82, 56, -113, -46, 65, -113, 141, 82, + 142, 63, -113, -113, -113, 56, 66, -38, -113, 56, + -16, -113, 93, -113, 76, -7, -113, 93, 81, -113, + -113, -113, 56, -113, -113, 72, -19, 93, -113, 83, + 58, -113, -113, -113, -113, 78, -113, -113, 80, 84, + 87, 62, 162, -113, 90, -113, -113, -113, -113, -113, + -113, 93, -113, -113 }; /* YYPGOTO[NTERM-NUM]. */ static const yytype_int16 yypgoto[] = { - -100, -100, -100, -100, -100, -100, -100, -100, 132, 127, - -100, 126, -100, -53, -100, -100, -100, -100, 75, -3, - -100, -100, -100, -100, -100, -100, -100, -100, -100, -100, - -100, -100, -100, -100, -100, -100, -100, -100, -100, -100, - -100, -100, -100, -100, -100, -100, -100, 0, -100, 3, - -100, -15, -100, 83, 14, -100, -99, -100, -100, -100, - -100, -100, -100, -100, 2, -100, -100 + -113, -113, -113, -113, -113, -113, -113, -113, 150, 136, + -113, 143, -113, -65, -113, -113, 86, -113, 91, 16, + -113, -113, -113, -113, -113, -113, 92, -113, -113, -113, + -113, -113, -113, -113, -113, -113, -113, -113, -113, -113, + -113, -113, -113, -113, -113, -113, -113, -113, -60, -113, + 22, -113, -5, 97, 2, 184, -113, -112, -113, -113, + -113, -113, -113, -113, -113, 21, -113, -113 }; /* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If @@ -869,71 +876,78 @@ static const yytype_int16 yypgoto[] = #define YYTABLE_NINF -13 static const yytype_int16 yytable[] = { - 143, 94, 35, 36, 37, 90, 17, 38, 92, 190, - 95, 102, 5, 160, 162, 109, 109, 161, 39, 165, - 99, 1, 103, 168, 137, 140, 40, 41, 100, 42, - 144, 145, 6, 4, 160, 146, 43, 136, 169, 139, - 3, 9, 44, 7, 45, 46, 91, 152, 163, 93, - 153, 151, -12, 10, 47, 160, 159, 48, 49, 170, - 35, 36, 37, 184, 96, 38, 182, 109, 188, 180, - 50, 51, 52, 181, 53, 191, 39, 54, 100, 55, - 97, 11, 12, 117, 40, 41, 14, 42, 85, 56, - 86, 138, 173, 141, 43, 186, 113, 15, 16, 201, - 44, 118, 45, 46, 20, 25, 26, 31, 34, 81, - 82, 32, 47, 89, 88, 48, 49, 109, 83, 84, - 105, 108, 113, 119, 100, 156, 142, 164, 50, 51, - 52, 165, 53, 166, 172, 174, 176, 55, 120, 167, - 121, 122, 171, 175, 177, 198, 105, 56, 122, 179, - 192, 193, 189, 195, 33, 79, 196, 80, 199, 197, - 200, 135, 187, 183, 107, 194, 185, 0, 0, 178 + 157, 107, 108, 5, 202, 29, 105, 172, 178, 102, + 115, 15, 1, 120, 120, 170, 112, 7, 179, 171, + 8, 116, 150, 154, 113, 158, 159, 3, 175, 170, + 160, 16, 180, 181, 47, 48, 49, 103, 6, 50, + 153, 173, 17, 151, 11, 170, 155, 106, 12, 183, + 51, -12, 165, 190, 13, 169, 109, 191, 52, 53, + 194, 54, 97, 19, 98, 198, 200, 20, 55, 192, + 120, 21, 110, 113, 56, 203, 57, 58, 196, 124, + 22, 23, 128, 25, 26, 28, 59, 182, 37, 60, + 61, 47, 48, 49, 186, 5, 50, 27, 129, 213, + 130, 32, 62, 63, 64, 38, 65, 51, 43, 66, + 44, 67, 128, 93, 94, 52, 53, 46, 54, 120, + 95, 68, 131, 96, 128, 55, 100, 199, 101, 119, + 130, 56, 124, 57, 58, 102, 97, 132, 156, 133, + 134, 152, 130, 59, 166, 3, 60, 61, 113, 174, + 175, 177, 131, 185, 187, 176, 188, 210, 189, 62, + 63, 64, 184, 65, 131, 134, 201, 132, 67, 133, + 134, 206, 204, 207, 211, 3, 91, 208, 68, 132, + 209, 133, 134, 212, 45, 205, 92, 3, 149, 147, + 118, 197, 193, 148, 14, 195 }; -static const yytype_int16 yycheck[] = +static const yytype_uint8 yycheck[] = { - 99, 54, 9, 10, 11, 53, 40, 14, 53, 23, - 6, 27, 7, 91, 20, 86, 86, 95, 25, 91, - 84, 86, 38, 95, 95, 95, 33, 34, 92, 36, - 18, 19, 27, 0, 91, 23, 43, 90, 95, 92, - 21, 70, 49, 38, 51, 52, 94, 86, 54, 94, - 89, 104, 86, 70, 61, 91, 109, 64, 65, 95, - 9, 10, 11, 162, 60, 14, 85, 86, 167, 91, - 77, 78, 79, 95, 81, 174, 25, 84, 92, 86, - 76, 70, 29, 31, 33, 34, 39, 36, 92, 96, - 94, 91, 145, 93, 43, 85, 86, 84, 8, 198, - 49, 49, 51, 52, 86, 24, 86, 91, 32, 86, - 67, 90, 61, 67, 37, 64, 65, 86, 94, 94, - 94, 94, 86, 71, 92, 86, 89, 92, 77, 78, - 79, 91, 81, 95, 12, 12, 92, 86, 86, 83, - 88, 89, 97, 93, 95, 12, 94, 96, 89, 92, - 89, 89, 94, 93, 22, 28, 93, 31, 93, 95, - 93, 86, 165, 160, 81, 180, 164, -1, -1, 155 + 112, 66, 6, 1, 23, 40, 53, 20, 83, 66, + 27, 7, 86, 86, 86, 91, 84, 86, 93, 95, + 89, 38, 95, 95, 92, 18, 19, 94, 91, 91, + 23, 27, 95, 95, 9, 10, 11, 94, 0, 14, + 105, 54, 38, 103, 21, 91, 106, 94, 92, 95, + 25, 86, 117, 91, 95, 120, 60, 95, 33, 34, + 172, 36, 92, 89, 94, 177, 178, 70, 43, 85, + 86, 70, 76, 92, 49, 187, 51, 52, 85, 86, + 70, 29, 31, 93, 39, 8, 61, 152, 24, 64, + 65, 9, 10, 11, 159, 93, 14, 84, 47, 211, + 49, 86, 77, 78, 79, 86, 81, 25, 91, 84, + 90, 86, 31, 86, 67, 33, 34, 32, 36, 86, + 94, 96, 71, 94, 31, 43, 37, 46, 67, 94, + 49, 49, 86, 51, 52, 66, 92, 86, 89, 88, + 89, 53, 49, 61, 86, 94, 64, 65, 92, 92, + 91, 83, 71, 12, 12, 95, 93, 95, 92, 77, + 78, 79, 97, 81, 71, 89, 94, 86, 86, 88, + 89, 93, 89, 93, 12, 94, 40, 93, 96, 86, + 93, 88, 89, 93, 34, 190, 43, 94, 102, 98, + 93, 175, 170, 101, 10, 174 }; /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing symbol of state STATE-NUM. */ static const yytype_uint8 yystos[] = { - 0, 86, 99, 21, 0, 7, 27, 38, 100, 70, - 70, 70, 29, 101, 39, 84, 8, 40, 102, 103, - 86, 104, 105, 106, 109, 24, 86, 107, 108, 110, - 142, 91, 90, 106, 32, 9, 10, 11, 14, 25, - 33, 34, 36, 43, 49, 51, 52, 61, 64, 65, - 77, 78, 79, 81, 84, 86, 96, 111, 112, 113, - 115, 118, 120, 121, 122, 123, 124, 125, 126, 127, - 128, 129, 130, 131, 132, 138, 139, 143, 144, 107, - 109, 86, 67, 94, 94, 92, 94, 114, 37, 67, - 53, 94, 53, 94, 111, 6, 60, 76, 140, 84, - 92, 133, 27, 38, 141, 94, 150, 151, 94, 86, - 145, 146, 147, 86, 116, 117, 119, 31, 49, 71, - 86, 88, 89, 151, 154, 155, 156, 157, 158, 159, - 160, 161, 162, 163, 164, 116, 111, 95, 145, 111, - 95, 145, 89, 154, 18, 19, 23, 134, 135, 136, - 137, 111, 86, 89, 152, 153, 86, 148, 149, 111, - 91, 95, 20, 54, 92, 91, 95, 83, 95, 95, - 95, 97, 12, 111, 12, 93, 92, 95, 152, 92, - 91, 95, 85, 147, 154, 162, 85, 117, 154, 94, - 23, 154, 89, 89, 149, 93, 93, 95, 12, 93, - 93, 154 + 0, 86, 99, 94, 151, 152, 0, 86, 89, 153, + 154, 21, 92, 95, 153, 7, 27, 38, 100, 89, + 70, 70, 70, 29, 101, 93, 39, 84, 8, 40, + 102, 103, 86, 104, 105, 106, 109, 24, 86, 107, + 108, 110, 143, 91, 90, 106, 32, 9, 10, 11, + 14, 25, 33, 34, 36, 43, 49, 51, 52, 61, + 64, 65, 77, 78, 79, 81, 84, 86, 96, 111, + 112, 113, 115, 118, 120, 121, 122, 123, 125, 126, + 127, 128, 129, 130, 131, 132, 133, 139, 140, 144, + 145, 107, 109, 86, 67, 94, 94, 92, 94, 114, + 37, 67, 66, 94, 124, 53, 94, 111, 6, 60, + 76, 141, 84, 92, 134, 27, 38, 142, 151, 94, + 86, 146, 147, 148, 86, 116, 117, 119, 31, 47, + 49, 71, 86, 88, 89, 152, 155, 156, 157, 158, + 159, 160, 161, 162, 163, 164, 165, 116, 124, 114, + 95, 146, 53, 111, 95, 146, 89, 155, 18, 19, + 23, 135, 136, 137, 138, 111, 86, 149, 150, 111, + 91, 95, 20, 54, 92, 91, 95, 83, 83, 93, + 95, 95, 111, 95, 97, 12, 111, 12, 93, 92, + 91, 95, 85, 148, 155, 163, 85, 117, 155, 46, + 155, 94, 23, 155, 89, 150, 93, 93, 93, 93, + 95, 12, 93, 155 }; #define yyerrok (yyerrstatus = 0) @@ -1748,29 +1762,29 @@ yyreduce: switch (yyn) { case 2: -#line 233 "parse.y" +#line 235 "parse.y" { checkundefined(); } break; case 4: -#line 240 "parse.y" +#line 242 "parse.y" { error_message("implicit tagging is not supported"); } break; case 5: -#line 242 "parse.y" +#line 244 "parse.y" { error_message("automatic tagging is not supported"); } break; case 7: -#line 247 "parse.y" +#line 249 "parse.y" { error_message("no extensibility options supported"); } break; case 17: -#line 268 "parse.y" +#line 270 "parse.y" { struct string_list *sl; for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) { @@ -1782,7 +1796,7 @@ yyreduce: break; case 22: -#line 287 "parse.y" +#line 289 "parse.y" { (yyval.sl) = emalloc(sizeof(*(yyval.sl))); (yyval.sl)->string = (yyvsp[(1) - (3)].name); @@ -1791,7 +1805,7 @@ yyreduce: break; case 23: -#line 293 "parse.y" +#line 295 "parse.y" { (yyval.sl) = emalloc(sizeof(*(yyval.sl))); (yyval.sl)->string = (yyvsp[(1) - (1)].name); @@ -1800,7 +1814,7 @@ yyreduce: break; case 24: -#line 301 "parse.y" +#line 303 "parse.y" { Symbol *s = addsym ((yyvsp[(1) - (3)].name)); s->stype = Stype; @@ -1811,7 +1825,7 @@ yyreduce: break; case 42: -#line 332 "parse.y" +#line 334 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean, TE_EXPLICIT, new_type(TBoolean)); @@ -1819,36 +1833,70 @@ yyreduce: break; case 43: -#line 339 "parse.y" +#line 341 "parse.y" { - if((yyvsp[(2) - (5)].value)->type != integervalue || - (yyvsp[(4) - (5)].value)->type != integervalue) - error_message("Non-integer value used in range"); - (yyval.range).min = (yyvsp[(2) - (5)].value)->u.integervalue; - (yyval.range).max = (yyvsp[(4) - (5)].value)->u.integervalue; + if((yyvsp[(2) - (5)].value)->type != integervalue) + error_message("Non-integer used in first part of range"); + if((yyvsp[(2) - (5)].value)->type != integervalue) + error_message("Non-integer in second part of range"); + (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); + (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue; + (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue; } break; case 44: -#line 349 "parse.y" +#line 351 "parse.y" + { + if((yyvsp[(2) - (5)].value)->type != integervalue) + error_message("Non-integer in first part of range"); + (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); + (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue; + (yyval.range)->max = (yyvsp[(2) - (5)].value)->u.integervalue - 1; + } + break; + + case 45: +#line 359 "parse.y" + { + if((yyvsp[(4) - (5)].value)->type != integervalue) + error_message("Non-integer in second part of range"); + (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); + (yyval.range)->min = (yyvsp[(4) - (5)].value)->u.integervalue + 2; + (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue; + } + break; + + case 46: +#line 367 "parse.y" + { + if((yyvsp[(2) - (3)].value)->type != integervalue) + error_message("Non-integer used in limit"); + (yyval.range) = ecalloc(1, sizeof(*(yyval.range))); + (yyval.range)->min = (yyvsp[(2) - (3)].value)->u.integervalue; + (yyval.range)->max = (yyvsp[(2) - (3)].value)->u.integervalue; + } + break; + + case 47: +#line 378 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, new_type(TInteger)); } break; - case 45: -#line 354 "parse.y" + case 48: +#line 383 "parse.y" { (yyval.type) = new_type(TInteger); - (yyval.type)->range = emalloc(sizeof(*(yyval.type)->range)); - *((yyval.type)->range) = (yyvsp[(2) - (2)].range); + (yyval.type)->range = (yyvsp[(2) - (2)].range); (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type)); } break; - case 46: -#line 361 "parse.y" + case 49: +#line 389 "parse.y" { (yyval.type) = new_type(TInteger); (yyval.type)->members = (yyvsp[(3) - (4)].members); @@ -1856,8 +1904,8 @@ yyreduce: } break; - case 47: -#line 369 "parse.y" + case 50: +#line 397 "parse.y" { (yyval.members) = emalloc(sizeof(*(yyval.members))); ASN1_TAILQ_INIT((yyval.members)); @@ -1865,21 +1913,21 @@ yyreduce: } break; - case 48: -#line 375 "parse.y" + case 51: +#line 403 "parse.y" { ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members); (yyval.members) = (yyvsp[(1) - (3)].members); } break; - case 49: -#line 380 "parse.y" + case 52: +#line 408 "parse.y" { (yyval.members) = (yyvsp[(1) - (3)].members); } break; - case 50: -#line 384 "parse.y" + case 53: +#line 412 "parse.y" { (yyval.member) = emalloc(sizeof(*(yyval.member))); (yyval.member)->name = (yyvsp[(1) - (4)].name); @@ -1892,8 +1940,8 @@ yyreduce: } break; - case 51: -#line 397 "parse.y" + case 54: +#line 425 "parse.y" { (yyval.type) = new_type(TInteger); (yyval.type)->members = (yyvsp[(3) - (4)].members); @@ -1901,8 +1949,8 @@ yyreduce: } break; - case 53: -#line 408 "parse.y" + case 56: +#line 436 "parse.y" { (yyval.type) = new_type(TBitString); (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members)); @@ -1911,8 +1959,8 @@ yyreduce: } break; - case 54: -#line 415 "parse.y" + case 57: +#line 443 "parse.y" { (yyval.type) = new_type(TBitString); (yyval.type)->members = (yyvsp[(4) - (5)].members); @@ -1920,32 +1968,44 @@ yyreduce: } break; - case 55: -#line 423 "parse.y" + case 58: +#line 451 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_OID, TE_EXPLICIT, new_type(TOID)); } break; - case 56: -#line 429 "parse.y" + case 59: +#line 457 "parse.y" { - (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, - TE_EXPLICIT, new_type(TOctetString)); + Type *t = new_type(TOctetString); + t->range = (yyvsp[(3) - (3)].range); + (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, + TE_EXPLICIT, t); } break; - case 57: -#line 436 "parse.y" + case 60: +#line 466 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_Null, TE_EXPLICIT, new_type(TNull)); } break; - case 58: -#line 443 "parse.y" + case 61: +#line 473 "parse.y" + { (yyval.range) = NULL; } + break; + + case 62: +#line 475 "parse.y" + { (yyval.range) = (yyvsp[(2) - (2)].range); } + break; + + case 63: +#line 480 "parse.y" { (yyval.type) = new_type(TSequence); (yyval.type)->members = (yyvsp[(3) - (4)].members); @@ -1953,8 +2013,8 @@ yyreduce: } break; - case 59: -#line 449 "parse.y" + case 64: +#line 486 "parse.y" { (yyval.type) = new_type(TSequence); (yyval.type)->members = NULL; @@ -1962,17 +2022,18 @@ yyreduce: } break; - case 60: -#line 457 "parse.y" + case 65: +#line 494 "parse.y" { (yyval.type) = new_type(TSequenceOf); - (yyval.type)->subtype = (yyvsp[(3) - (3)].type); + (yyval.type)->range = (yyvsp[(2) - (4)].range); + (yyval.type)->subtype = (yyvsp[(4) - (4)].type); (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type)); } break; - case 61: -#line 465 "parse.y" + case 66: +#line 503 "parse.y" { (yyval.type) = new_type(TSet); (yyval.type)->members = (yyvsp[(3) - (4)].members); @@ -1980,8 +2041,8 @@ yyreduce: } break; - case 62: -#line 471 "parse.y" + case 67: +#line 509 "parse.y" { (yyval.type) = new_type(TSet); (yyval.type)->members = NULL; @@ -1989,8 +2050,8 @@ yyreduce: } break; - case 63: -#line 479 "parse.y" + case 68: +#line 517 "parse.y" { (yyval.type) = new_type(TSetOf); (yyval.type)->subtype = (yyvsp[(3) - (3)].type); @@ -1998,16 +2059,16 @@ yyreduce: } break; - case 64: -#line 487 "parse.y" + case 69: +#line 525 "parse.y" { (yyval.type) = new_type(TChoice); (yyval.type)->members = (yyvsp[(3) - (4)].members); } break; - case 67: -#line 498 "parse.y" + case 72: +#line 536 "parse.y" { Symbol *s = addsym((yyvsp[(1) - (1)].name)); (yyval.type) = new_type(TType); @@ -2018,24 +2079,24 @@ yyreduce: } break; - case 68: -#line 509 "parse.y" + case 73: +#line 547 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, TE_EXPLICIT, new_type(TGeneralizedTime)); } break; - case 69: -#line 514 "parse.y" + case 74: +#line 552 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime, TE_EXPLICIT, new_type(TUTCTime)); } break; - case 70: -#line 521 "parse.y" + case 75: +#line 559 "parse.y" { /* if (Constraint.type == contentConstrant) { assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too @@ -2050,15 +2111,15 @@ yyreduce: } break; - case 71: -#line 537 "parse.y" + case 76: +#line 575 "parse.y" { (yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec); } break; - case 75: -#line 550 "parse.y" + case 80: +#line 588 "parse.y" { (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS); (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type); @@ -2066,8 +2127,8 @@ yyreduce: } break; - case 76: -#line 556 "parse.y" + case 81: +#line 594 "parse.y" { if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue) error_message("Non-OID used in ENCODED BY constraint"); @@ -2077,8 +2138,8 @@ yyreduce: } break; - case 77: -#line 564 "parse.y" + case 82: +#line 602 "parse.y" { if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue) error_message("Non-OID used in ENCODED BY constraint"); @@ -2088,15 +2149,15 @@ yyreduce: } break; - case 78: -#line 574 "parse.y" + case 83: +#line 612 "parse.y" { (yyval.constraint_spec) = new_constraint_spec(CT_USER); } break; - case 79: -#line 580 "parse.y" + case 84: +#line 618 "parse.y" { (yyval.type) = new_type(TTag); (yyval.type)->tag = (yyvsp[(1) - (3)].tag); @@ -2109,8 +2170,8 @@ yyreduce: } break; - case 80: -#line 593 "parse.y" + case 85: +#line 631 "parse.y" { (yyval.tag).tagclass = (yyvsp[(2) - (4)].constant); (yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant); @@ -2118,57 +2179,57 @@ yyreduce: } break; - case 81: -#line 601 "parse.y" + case 86: +#line 639 "parse.y" { (yyval.constant) = ASN1_C_CONTEXT; } break; - case 82: -#line 605 "parse.y" + case 87: +#line 643 "parse.y" { (yyval.constant) = ASN1_C_UNIV; } break; - case 83: -#line 609 "parse.y" + case 88: +#line 647 "parse.y" { (yyval.constant) = ASN1_C_APPL; } break; - case 84: -#line 613 "parse.y" + case 89: +#line 651 "parse.y" { (yyval.constant) = ASN1_C_PRIVATE; } break; - case 85: -#line 619 "parse.y" + case 90: +#line 657 "parse.y" { (yyval.constant) = TE_EXPLICIT; } break; - case 86: -#line 623 "parse.y" + case 91: +#line 661 "parse.y" { (yyval.constant) = TE_EXPLICIT; } break; - case 87: -#line 627 "parse.y" + case 92: +#line 665 "parse.y" { (yyval.constant) = TE_IMPLICIT; } break; - case 88: -#line 634 "parse.y" + case 93: +#line 672 "parse.y" { Symbol *s; s = addsym ((yyvsp[(1) - (4)].name)); @@ -2179,64 +2240,64 @@ yyreduce: } break; - case 90: -#line 648 "parse.y" + case 95: +#line 686 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, TE_EXPLICIT, new_type(TGeneralString)); } break; - case 91: -#line 653 "parse.y" + case 96: +#line 691 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, TE_EXPLICIT, new_type(TUTF8String)); } break; - case 92: -#line 658 "parse.y" + case 97: +#line 696 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, TE_EXPLICIT, new_type(TPrintableString)); } break; - case 93: -#line 663 "parse.y" + case 98: +#line 701 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString, TE_EXPLICIT, new_type(TVisibleString)); } break; - case 94: -#line 668 "parse.y" + case 99: +#line 706 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, TE_EXPLICIT, new_type(TIA5String)); } break; - case 95: -#line 673 "parse.y" + case 100: +#line 711 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, TE_EXPLICIT, new_type(TBMPString)); } break; - case 96: -#line 678 "parse.y" + case 101: +#line 716 "parse.y" { (yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, TE_EXPLICIT, new_type(TUniversalString)); } break; - case 97: -#line 686 "parse.y" + case 102: +#line 724 "parse.y" { (yyval.members) = emalloc(sizeof(*(yyval.members))); ASN1_TAILQ_INIT((yyval.members)); @@ -2244,16 +2305,16 @@ yyreduce: } break; - case 98: -#line 692 "parse.y" + case 103: +#line 730 "parse.y" { ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members); (yyval.members) = (yyvsp[(1) - (3)].members); } break; - case 99: -#line 697 "parse.y" + case 104: +#line 735 "parse.y" { struct member *m = ecalloc(1, sizeof(*m)); m->name = estrdup("..."); @@ -2264,8 +2325,8 @@ yyreduce: } break; - case 100: -#line 708 "parse.y" + case 105: +#line 746 "parse.y" { (yyval.member) = emalloc(sizeof(*(yyval.member))); (yyval.member)->name = (yyvsp[(1) - (2)].name); @@ -2276,8 +2337,8 @@ yyreduce: } break; - case 101: -#line 719 "parse.y" + case 106: +#line 757 "parse.y" { (yyval.member) = (yyvsp[(1) - (1)].member); (yyval.member)->optional = 0; @@ -2285,8 +2346,8 @@ yyreduce: } break; - case 102: -#line 725 "parse.y" + case 107: +#line 763 "parse.y" { (yyval.member) = (yyvsp[(1) - (2)].member); (yyval.member)->optional = 1; @@ -2294,8 +2355,8 @@ yyreduce: } break; - case 103: -#line 731 "parse.y" + case 108: +#line 769 "parse.y" { (yyval.member) = (yyvsp[(1) - (3)].member); (yyval.member)->optional = 0; @@ -2303,8 +2364,8 @@ yyreduce: } break; - case 104: -#line 739 "parse.y" + case 109: +#line 777 "parse.y" { (yyval.members) = emalloc(sizeof(*(yyval.members))); ASN1_TAILQ_INIT((yyval.members)); @@ -2312,16 +2373,16 @@ yyreduce: } break; - case 105: -#line 745 "parse.y" + case 110: +#line 783 "parse.y" { ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members); (yyval.members) = (yyvsp[(1) - (3)].members); } break; - case 106: -#line 752 "parse.y" + case 111: +#line 790 "parse.y" { (yyval.member) = emalloc(sizeof(*(yyval.member))); (yyval.member)->name = (yyvsp[(1) - (4)].name); @@ -2334,27 +2395,27 @@ yyreduce: } break; - case 108: -#line 765 "parse.y" + case 113: +#line 803 "parse.y" { (yyval.objid) = NULL; } break; - case 109: -#line 769 "parse.y" + case 114: +#line 807 "parse.y" { (yyval.objid) = (yyvsp[(2) - (3)].objid); } break; - case 110: -#line 775 "parse.y" + case 115: +#line 813 "parse.y" { (yyval.objid) = NULL; } break; - case 111: -#line 779 "parse.y" + case 116: +#line 817 "parse.y" { if ((yyvsp[(2) - (2)].objid)) { (yyval.objid) = (yyvsp[(2) - (2)].objid); @@ -2365,15 +2426,15 @@ yyreduce: } break; - case 112: -#line 790 "parse.y" + case 117: +#line 828 "parse.y" { (yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant)); } break; - case 113: -#line 794 "parse.y" + case 118: +#line 832 "parse.y" { Symbol *s = addsym((yyvsp[(1) - (1)].name)); if(s->stype != SValue || @@ -2386,15 +2447,15 @@ yyreduce: } break; - case 114: -#line 805 "parse.y" + case 119: +#line 843 "parse.y" { (yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant)); } break; - case 124: -#line 828 "parse.y" + case 129: +#line 866 "parse.y" { Symbol *s = addsym((yyvsp[(1) - (1)].name)); if(s->stype != SValue) @@ -2405,8 +2466,8 @@ yyreduce: } break; - case 125: -#line 839 "parse.y" + case 130: +#line 877 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = stringvalue; @@ -2414,8 +2475,8 @@ yyreduce: } break; - case 126: -#line 847 "parse.y" + case 131: +#line 885 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = booleanvalue; @@ -2423,8 +2484,8 @@ yyreduce: } break; - case 127: -#line 853 "parse.y" + case 132: +#line 891 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = booleanvalue; @@ -2432,8 +2493,8 @@ yyreduce: } break; - case 128: -#line 861 "parse.y" + case 133: +#line 899 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = integervalue; @@ -2441,14 +2502,14 @@ yyreduce: } break; - case 130: -#line 872 "parse.y" + case 135: +#line 910 "parse.y" { } break; - case 131: -#line 877 "parse.y" + case 136: +#line 915 "parse.y" { (yyval.value) = emalloc(sizeof(*(yyval.value))); (yyval.value)->type = objectidentifiervalue; @@ -2458,7 +2519,7 @@ yyreduce: /* Line 1267 of yacc.c. */ -#line 2464 "parse.c" +#line 2523 "parse.c" default: break; } YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc); @@ -2672,7 +2733,7 @@ yyreturn: } -#line 884 "parse.y" +#line 922 "parse.y" void diff --git a/source4/heimdal/lib/asn1/parse.h b/source4/heimdal/lib/asn1/parse.h index a0c26d50f1..5e73094f9e 100644 --- a/source4/heimdal/lib/asn1/parse.h +++ b/source4/heimdal/lib/asn1/parse.h @@ -16,7 +16,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, see . */ + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work @@ -224,7 +226,7 @@ typedef union YYSTYPE { int constant; struct value *value; - struct range range; + struct range *range; char *name; Type *type; Member *member; diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1 index 71f197eba7..0ec3b695eb 100644 --- a/source4/heimdal/lib/asn1/rfc2459.asn1 +++ b/source4/heimdal/lib/asn1/rfc2459.asn1 @@ -169,7 +169,7 @@ Extension ::= SEQUENCE { extnValue OCTET STRING } -Extensions ::= SEQUENCE OF Extension -- SIZE (1..MAX) +Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension TBSCertificate ::= SEQUENCE { version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, @@ -232,7 +232,7 @@ GeneralName ::= CHOICE { registeredID [8] IMPLICIT OBJECT IDENTIFIER } -GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName +GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 } @@ -320,7 +320,7 @@ DistributionPointReasonFlags ::= BIT STRING { } DistributionPointName ::= CHOICE { - fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE -- SIZE (1..MAX) -- OF GeneralName, + fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE SIZE (1..MAX) OF GeneralName, nameRelativeToCRLIssuer [1] RelativeDistinguishedName } @@ -330,7 +330,7 @@ DistributionPoint ::= SEQUENCE { cRLIssuer [2] IMPLICIT heim_any -- GeneralNames -- OPTIONAL } -CRLDistributionPoints ::= SEQUENCE -- SIZE (1..MAX) -- OF DistributionPoint +CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint -- rfc3279 @@ -449,11 +449,20 @@ id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 } id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 } id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 } --- RFC 3820 Proxy Certificate Profile - id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 } -id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 } +id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 } + +AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName +} + +AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription + +-- RFC 3820 Proxy Certificate Profile + +id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 } id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 } diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1 index 98b507a4da..b2f58a20c2 100644 --- a/source4/heimdal/lib/asn1/test.asn1 +++ b/source4/heimdal/lib/asn1/test.asn1 @@ -1,4 +1,4 @@ --- $Id: test.asn1 18013 2006-09-05 14:00:44Z lha $ -- +-- $Id: test.asn1 21455 2007-07-10 12:51:19Z lha $ -- TEST DEFINITIONS ::= @@ -85,4 +85,11 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- }) TESTSeqOf ::= SEQUENCE OF TESTInteger +TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger +TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger +TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger +TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger + +TESTOSSize1 ::= OCTET STRING SIZE (1..2) + END diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c index a6776458cf..33b9684a5d 100644 --- a/source4/heimdal/lib/asn1/timegm.c +++ b/source4/heimdal/lib/asn1/timegm.c @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: timegm.c 18607 2006-10-19 16:19:32Z lha $"); +RCSID("$Id: timegm.c 21366 2007-06-27 10:06:22Z lha $"); static int is_leap(unsigned y) @@ -43,8 +43,8 @@ is_leap(unsigned y) } /* - * This is a simplifed version of _der_timegm that doesn't accept out - * of bound values that timegm(3) normally accepts but those are not + * This is a simplifed version of timegm(3) that doesn't accept out of + * bound values that timegm(3) normally accepts but those are not * valid in asn1 encodings. */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index d6e448a223..cb1b62308c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_acquire_cred.c 20626 2007-05-08 13:56:49Z lha $"); +RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $"); OM_uint32 gss_acquire_cred(OM_uint32 *minor_status, @@ -50,7 +50,7 @@ gss_acquire_cred(OM_uint32 *minor_status, int i; *minor_status = 0; - if (actual_mechs) + if (output_cred_handle) *output_cred_handle = GSS_C_NO_CREDENTIAL; if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET; @@ -106,8 +106,9 @@ gss_acquire_cred(OM_uint32 *minor_status, continue; if (desired_name != GSS_C_NO_NAME) { - mn = _gss_find_mn(name, &mechs->elements[i]); - if (!mn) + major_status = _gss_find_mn(minor_status, name, + &mechs->elements[i], &mn); + if (major_status != GSS_S_COMPLETE) continue; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c index 4947c5c30e..09b592b5da 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_add_cred.c 20626 2007-05-08 13:56:49Z lha $"); +RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $"); static struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) @@ -136,11 +136,13 @@ gss_add_cred(OM_uint32 *minor_status, * Figure out a suitable mn, if any. */ if (desired_name) { - mn = _gss_find_mn((struct _gss_name *) desired_name, - desired_mech); - if (!mn) { + major_status = _gss_find_mn(minor_status, + (struct _gss_name *) desired_name, + desired_mech, + &mn); + if (major_status != GSS_S_COMPLETE) { free(new_cred); - return (GSS_S_BAD_NAME); + return major_status; } } else { mn = 0; diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index 1437a9bc7b..c950c03166 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_canonicalize_name.c 19928 2007-01-16 10:37:54Z lha $"); +RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $"); OM_uint32 gss_canonicalize_name(OM_uint32 *minor_status, @@ -44,10 +44,9 @@ gss_canonicalize_name(OM_uint32 *minor_status, *minor_status = 0; *output_name = 0; - mn = _gss_find_mn(name, mech_type); - if (!mn) { - return (GSS_S_BAD_MECH); - } + major_status = _gss_find_mn(minor_status, name, mech_type, &mn); + if (major_status) + return major_status; m = mn->gmn_mech; major_status = m->gm_canonicalize_name(minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c index 147ad60c94..617ff13d98 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_compare_name.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $"); OM_uint32 gss_compare_name(OM_uint32 *minor_status, @@ -57,8 +57,11 @@ gss_compare_name(OM_uint32 *minor_status, struct _gss_mechanism_name *mn2; SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) { - mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid); - if (mn2) { + OM_uint32 major_status; + + major_status = _gss_find_mn(minor_status, name2, + mn1->gmn_mech_oid, &mn2); + if (major_status == GSS_S_COMPLETE) { return (mn1->gmn_mech->gm_compare_name( minor_status, mn1->gmn_name, diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c index 4ff81fdf2d..f38c840b31 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_duplicate_name.c 21219 2007-06-20 08:27:11Z lha $"); +RCSID("$Id: gss_duplicate_name.c 21480 2007-07-10 16:32:32Z lha $"); OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t src_name, @@ -54,7 +54,9 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, new_name = (struct _gss_name *) *dest_name; SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { - _gss_find_mn(new_name, mn->gmn_mech_oid); + struct _gss_mechanism_name *mn2; + _gss_find_mn(minor_status, new_name, + mn->gmn_mech_oid, &mn2); } } else { new_name = malloc(sizeof(struct _gss_name)); diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c index c1c058d146..b9a1680dcb 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_init_sec_context.c 19957 2007-01-17 13:48:11Z lha $"); +RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $"); static gss_cred_id_t _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) @@ -109,11 +109,11 @@ gss_init_sec_context(OM_uint32 * minor_status, /* * Find the MN for this mechanism. */ - mn = _gss_find_mn(name, mech_type); - if (mn == NULL) { + major_status = _gss_find_mn(minor_status, name, mech_type, &mn); + if (major_status != GSS_S_COMPLETE) { if (allocated_ctx) free(ctx); - return GSS_S_BAD_NAME; + return major_status; } /* diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index 604027490e..f1a18afb13 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -28,7 +28,7 @@ #include "mech_locl.h" #include -RCSID("$Id: gss_mech_switch.c 20625 2007-05-08 13:55:03Z lha $"); +RCSID("$Id: gss_mech_switch.c 21700 2007-07-26 19:08:34Z lha $"); #ifndef _PATH_GSS_MECH #define _PATH_GSS_MECH "/etc/gss/mech" @@ -223,9 +223,9 @@ _gss_load_mech(void) add_builtin(__gss_spnego_initialize()); add_builtin(__gss_ntlm_initialize()); +#ifdef HAVE_DLOPEN fp = fopen(_PATH_GSS_MECH, "r"); if (!fp) { -/* perror(_PATH_GSS_MECH); */ HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); return; } @@ -316,6 +316,7 @@ _gss_load_mech(void) continue; } fclose(fp); +#endif HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); } diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c index 3ab609c192..f78672d837 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_names.c +++ b/source4/heimdal/lib/gssapi/mech/gss_names.c @@ -27,15 +27,18 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_names.c 19928 2007-01-16 10:37:54Z lha $"); +RCSID("$Id: gss_names.c 21473 2007-07-10 16:29:53Z lha $"); -struct _gss_mechanism_name * -_gss_find_mn(struct _gss_name *name, gss_OID mech) +OM_uint32 +_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, + struct _gss_mechanism_name **output_mn) { - OM_uint32 major_status, minor_status; + OM_uint32 major_status; gssapi_mech_interface m; struct _gss_mechanism_name *mn; + *output_mn = NULL; + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { if (gss_oid_equal(mech, mn->gmn_mech_oid)) break; @@ -47,34 +50,36 @@ _gss_find_mn(struct _gss_name *name, gss_OID mech) * MN but it is from a different mech), give up now. */ if (!name->gn_value.value) - return (0); + return GSS_S_BAD_NAME; m = __gss_get_mechanism(mech); if (!m) - return (0); + return (GSS_S_BAD_MECH); mn = malloc(sizeof(struct _gss_mechanism_name)); if (!mn) - return (0); + return GSS_S_FAILURE; - major_status = m->gm_import_name(&minor_status, + major_status = m->gm_import_name(minor_status, &name->gn_value, (name->gn_type.elements ? &name->gn_type : GSS_C_NO_OID), &mn->gmn_name); if (major_status != GSS_S_COMPLETE) { - _gss_mg_error(m, major_status, minor_status); + _gss_mg_error(m, major_status, *minor_status); free(mn); - return (0); + return major_status; } mn->gmn_mech = m; mn->gmn_mech_oid = &m->gm_mech_oid; SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); } - return (mn); + *output_mn = mn; + return 0; } + /* * Make a name from an MN. */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c index 3195370b77..e2cecaf6b4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c @@ -32,7 +32,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_oid_to_str.c 19963 2007-01-17 16:01:22Z lha $"); +RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $"); OM_uint32 gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) @@ -44,6 +44,9 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) _mg_buffer_zero(oid_str); + if (oid == GSS_C_NULL_OID) + return GSS_S_FAILURE; + ret = der_get_oid (oid->elements, oid->length, &o, &size); if (ret) { *minor_status = ret; diff --git a/source4/heimdal/lib/gssapi/mech/name.h b/source4/heimdal/lib/gssapi/mech/name.h index 2252150a06..7c9ba33d85 100644 --- a/source4/heimdal/lib/gssapi/mech/name.h +++ b/source4/heimdal/lib/gssapi/mech/name.h @@ -24,7 +24,7 @@ * SUCH DAMAGE. * * $FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ - * $Id: name.h 18246 2006-10-05 18:36:07Z lha $ + * $Id: name.h 21477 2007-07-10 16:31:44Z lha $ */ struct _gss_mechanism_name { @@ -41,7 +41,8 @@ struct _gss_name { struct _gss_mechanism_name_list gn_mn; /* list of MNs */ }; -struct _gss_mechanism_name * - _gss_find_mn(struct _gss_name *name, gss_OID mech); +OM_uint32 + _gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID, + struct _gss_mechanism_name **); struct _gss_name * _gss_make_name(gssapi_mech_interface m, gss_name_t new_mn); diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index d20c913bf0..1afe26f1e3 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -33,7 +33,7 @@ #include "spnego/spnego_locl.h" -RCSID("$Id: accept_sec_context.c 21243 2007-06-20 15:16:22Z lha $"); +RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $"); static OM_uint32 send_reject (OM_uint32 *minor_status, @@ -555,23 +555,16 @@ acceptor_start int get_mic = 0; int first_ok = 0; - if (src_name) - *src_name = GSS_C_NO_NAME; - mech_output_token.value = NULL; mech_output_token.length = 0; mech_buf.value = NULL; - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gss_spnego_alloc_sec_context(minor_status, - context_handle); - if (ret != GSS_S_COMPLETE) - return ret; - - if (input_token_buffer->length == 0) { - return send_supported_mechs (minor_status, output_token); - } - } + if (input_token_buffer->length == 0) + return send_supported_mechs (minor_status, output_token); + + ret = _gss_spnego_alloc_sec_context(minor_status, context_handle); + if (ret != GSS_S_COMPLETE) + return ret; ctx = (gssspnego_ctx)*context_handle; diff --git a/source4/heimdal/lib/gssapi/spnego/spnego.asn1 b/source4/heimdal/lib/gssapi/spnego/spnego.asn1 index aed67dc4ae..058f10ba3a 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego.asn1 +++ b/source4/heimdal/lib/gssapi/spnego/spnego.asn1 @@ -1,4 +1,4 @@ --- $Id: spnego.asn1 19420 2006-12-18 18:28:49Z lha $ +-- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $ SPNEGO DEFINITIONS ::= BEGIN @@ -8,34 +8,34 @@ MechType::= OBJECT IDENTIFIER MechTypeList ::= SEQUENCE OF MechType ContextFlags ::= BIT STRING { - delegFlag (0), - mutualFlag (1), - replayFlag (2), - sequenceFlag (3), - anonFlag (4), - confFlag (5), - integFlag (6) + delegFlag (0), + mutualFlag (1), + replayFlag (2), + sequenceFlag (3), + anonFlag (4), + confFlag (5), + integFlag (6) } NegHints ::= SEQUENCE { - hintName [0] GeneralString OPTIONAL, - hintAddress [1] OCTET STRING OPTIONAL + hintName [0] GeneralString OPTIONAL, + hintAddress [1] OCTET STRING OPTIONAL } NegTokenInitWin ::= SEQUENCE { - mechTypes [0] MechTypeList, - reqFlags [1] ContextFlags OPTIONAL, - mechToken [2] OCTET STRING OPTIONAL, - negHints [3] NegHints OPTIONAL - } + mechTypes [0] MechTypeList, + reqFlags [1] ContextFlags OPTIONAL, + mechToken [2] OCTET STRING OPTIONAL, + negHints [3] NegHints OPTIONAL +} NegTokenInit ::= SEQUENCE { - mechTypes [0] MechTypeList, - reqFlags [1] ContextFlags OPTIONAL, - mechToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL - } - + mechTypes [0] MechTypeList, + reqFlags [1] ContextFlags OPTIONAL, + mechToken [2] OCTET STRING OPTIONAL, + mechListMIC [3] OCTET STRING OPTIONAL, + ... +} -- NB: negResult is not OPTIONAL in the new SPNEGO spec but -- Windows clients do not always send it @@ -47,7 +47,8 @@ NegTokenResp ::= SEQUENCE { request-mic (3) } OPTIONAL, supportedMech [1] MechType OPTIONAL, responseToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL + mechListMIC [3] OCTET STRING OPTIONAL, + ... } NegotiationToken ::= CHOICE { diff --git a/source4/heimdal/lib/hcrypto/hmac.c b/source4/heimdal/lib/hcrypto/hmac.c index 848b987a90..b8156e38d4 100644 --- a/source4/heimdal/lib/hcrypto/hmac.c +++ b/source4/heimdal/lib/hcrypto/hmac.c @@ -52,8 +52,10 @@ HMAC_Init_ex(HMAC_CTX *ctx, if (ctx->md != md) { ctx->md = md; - if (ctx->buf) + if (ctx->buf) { + memset(ctx->buf, 0, ctx->key_length); free (ctx->buf); + } ctx->key_length = EVP_MD_size(ctx->md); ctx->buf = malloc(ctx->key_length); } @@ -67,10 +69,14 @@ HMAC_Init_ex(HMAC_CTX *ctx, keylen = EVP_MD_size(ctx->md); } - if (ctx->opad) + if (ctx->opad) { + memset(ctx->opad, 0, ctx->key_length); free(ctx->opad); - if (ctx->ipad) + } + if (ctx->ipad) { + memset(ctx->ipad, 0, ctx->key_length); free(ctx->ipad); + } ctx->opad = malloc(EVP_MD_block_size(ctx->md)); ctx->ipad = malloc(EVP_MD_block_size(ctx->md)); diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c index 0e48269aa4..bf8fe1be1a 100644 --- a/source4/heimdal/lib/hx509/ca.c +++ b/source4/heimdal/lib/hx509/ca.c @@ -33,7 +33,7 @@ #include "hx_locl.h" #include -RCSID("$Id: ca.c 20904 2007-06-05 01:58:45Z lha $"); +RCSID("$Id: ca.c 21379 2007-06-28 07:38:17Z lha $"); struct hx509_ca_tbs { hx509_name subject; @@ -1002,7 +1002,7 @@ ca_sign(hx509_context context, if (size != data.length) _hx509_abort("internal ASN.1 encoder error"); ret = add_extension(context, tbsc, 0, - oid_id_pe_proxyCertInfo(), + oid_id_pkix_pe_proxyCertInfo(), &data); free(data.data); if (ret) diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c index caf163f8e4..b7f19d152a 100644 --- a/source4/heimdal/lib/hx509/cert.c +++ b/source4/heimdal/lib/hx509/cert.c @@ -32,7 +32,7 @@ */ #include "hx_locl.h" -RCSID("$Id: cert.c 21294 2007-06-25 14:37:15Z lha $"); +RCSID("$Id: cert.c 21380 2007-06-28 07:38:38Z lha $"); #include "crypto-headers.h" #include @@ -898,7 +898,7 @@ is_proxy_cert(hx509_context context, if (rinfo) memset(rinfo, 0, sizeof(*rinfo)); - e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i); + e = find_extension(cert, oid_id_pkix_pe_proxyCertInfo(), &i); if (e == NULL) { hx509_clear_error_string(context); return HX509_EXTENSION_NOT_FOUND; diff --git a/source4/heimdal/lib/hx509/hx509-private.h b/source4/heimdal/lib/hx509/hx509-private.h index 451c3c89f2..acbc3218c6 100644 --- a/source4/heimdal/lib/hx509/hx509-private.h +++ b/source4/heimdal/lib/hx509/hx509-private.h @@ -314,14 +314,6 @@ _hx509_pbe_decrypt ( const heim_octet_string */*econtent*/, heim_octet_string */*content*/); -int -_hx509_pbe_encrypt ( - hx509_context /*context*/, - hx509_lock /*lock*/, - const AlgorithmIdentifier */*ai*/, - const heim_octet_string */*content*/, - heim_octet_string */*econtent*/); - void _hx509_pi_printf ( int (*/*func*/)(void *, const char *), @@ -422,35 +414,11 @@ _hx509_request_add_email ( void _hx509_request_free (hx509_request */*req*/); -int -_hx509_request_get_SubjectPublicKeyInfo ( - hx509_context /*context*/, - hx509_request /*req*/, - SubjectPublicKeyInfo */*key*/); - -int -_hx509_request_get_name ( - hx509_context /*context*/, - hx509_request /*req*/, - hx509_name */*name*/); - int _hx509_request_init ( hx509_context /*context*/, hx509_request */*req*/); -int -_hx509_request_parse ( - hx509_context /*context*/, - const char */*path*/, - hx509_request */*req*/); - -int -_hx509_request_print ( - hx509_context /*context*/, - hx509_request /*req*/, - FILE */*f*/); - int _hx509_request_set_SubjectPublicKeyInfo ( hx509_context /*context*/, diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c index b899005b33..e3066bbcfa 100644 --- a/source4/heimdal/lib/hx509/ks_p11.c +++ b/source4/heimdal/lib/hx509/ks_p11.c @@ -32,7 +32,7 @@ */ #include "hx_locl.h" -RCSID("$Id: ks_p11.c 21085 2007-06-13 06:39:53Z lha $"); +RCSID("$Id: ks_p11.c 21387 2007-06-28 08:53:45Z lha $"); #ifdef HAVE_DLFCN_H #include #endif @@ -1129,8 +1129,17 @@ p11_printinfo(hx509_context context, MECHNAME(CKM_RSA_X_509, "rsa-x-509"); MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs"); MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs"); + MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs"); + MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs"); + MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs"); MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs"); MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep"); + MECHNAME(CKM_SHA512_HMAC, "sha512-hmac"); + MECHNAME(CKM_SHA512, "sha512"); + MECHNAME(CKM_SHA384_HMAC, "sha384-hmac"); + MECHNAME(CKM_SHA384, "sha384"); + MECHNAME(CKM_SHA256_HMAC, "sha256-hmac"); + MECHNAME(CKM_SHA256, "sha256"); MECHNAME(CKM_SHA_1, "sha1"); MECHNAME(CKM_MD5, "md5"); MECHNAME(CKM_MD2, "md2"); diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c index eccedf1043..e90f8f34b0 100644 --- a/source4/heimdal/lib/hx509/peer.c +++ b/source4/heimdal/lib/hx509/peer.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006 Kungliga Tekniska Högskolan + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "hx_locl.h" -RCSID("$Id: peer.c 20938 2007-06-06 20:51:34Z lha $"); +RCSID("$Id: peer.c 21481 2007-07-10 16:33:23Z lha $"); int hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer) @@ -143,7 +143,7 @@ hx509_peer_info_parse(hx509_peer_info peer, int hx509_peer_info_unparse(hx509_peer_info peer, - heim_octet_string *data) + heim_octet_string *data) { return 0; } diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c index dc9d4cfa58..e6f71ea2ce 100644 --- a/source4/heimdal/lib/hx509/print.c +++ b/source4/heimdal/lib/hx509/print.c @@ -32,7 +32,7 @@ */ #include "hx_locl.h" -RCSID("$Id: print.c 20908 2007-06-05 02:59:33Z lha $"); +RCSID("$Id: print.c 21381 2007-06-28 08:29:22Z lha $"); struct hx509_validate_ctx_data { @@ -591,11 +591,50 @@ check_proxyCertInfo(hx509_validate_ctx ctx, enum critical_flag cf, const Extension *e) { + check_Null(ctx, status, cf, e); status->isproxy = 1; + return 0; +} + +static int +check_authorityInfoAccess(hx509_validate_ctx ctx, + struct cert_status *status, + enum critical_flag cf, + const Extension *e) +{ + AuthorityInfoAccessSyntax aia; + size_t size; + int ret, i; + + check_Null(ctx, status, cf, e); + + ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, + e->extnValue.length, + &aia, &size); + if (ret) { + printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret); + return 0; + } + + for (i = 0; i < aia.len; i++) { + char *str; + validate_print(ctx, HX509_VALIDATE_F_VERBOSE, + "\ttype: "); + hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx); + hx509_general_name_unparse(&aia.val[i].accessLocation, &str); + validate_print(ctx, HX509_VALIDATE_F_VERBOSE, + "\n\tdirname: %s\n", str); + free(str); + } + free_AuthorityInfoAccessSyntax(&aia); return 0; } +/* + * + */ + struct { const char *name; const heim_oid *(*oid)(void); @@ -628,8 +667,11 @@ struct { { ext(extKeyUsage, Null), D_C }, { ext(freshestCRL, Null), M_N_C }, { ext(inhibitAnyPolicy, Null), M_C }, - { "proxyCertInfo", oid_id_pe_proxyCertInfo, - check_proxyCertInfo, M_C }, +#undef ext +#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname + { ext(proxyCertInfo, proxyCertInfo), M_C }, + { ext(authorityInfoAccess, authorityInfoAccess), M_C }, +#undef ext { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim, check_Null, D_C }, { "Netscape cert comment", oid_id_netscape_cert_comment, diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index 5be3935f2b..59aae40d28 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c 20503 2007-04-21 22:03:56Z lha $"); +RCSID("$Id: cache.c 21498 2007-07-11 09:41:43Z lha $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -338,6 +338,35 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res) return 0; } +/* + * Return non-zero if envirnoment that will determine default krb5cc + * name has changed. + */ + +static int +environment_changed(krb5_context context) +{ + const char *e; + + if(issuid()) + return 0; + + e = getenv("KRB5CCNAME"); + if (e == NULL) { + if (context->default_cc_name_env) { + free(context->default_cc_name_env); + context->default_cc_name_env = NULL; + return 1; + } + } else { + if (context->default_cc_name_env == NULL) + return 1; + if (strcmp(e, context->default_cc_name_env) != 0) + return 1; + } + return 0; +} + /* * Set the default cc name for `context' to `name'. */ @@ -353,8 +382,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name) if(!issuid()) { e = getenv("KRB5CCNAME"); - if (e) + if (e) { p = strdup(e); + if (context->default_cc_name_env) + free(context->default_cc_name_env); + context->default_cc_name_env = strdup(e); + } } if (e == NULL) { e = krb5_config_get_string(context, NULL, "libdefaults", @@ -389,7 +422,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name) const char* KRB5_LIB_FUNCTION krb5_cc_default_name(krb5_context context) { - if (context->default_cc_name == NULL) + if (context->default_cc_name == NULL || environment_changed(context)) krb5_cc_set_default_name(context, NULL); return context->default_cc_name; diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c index 3ceb6df89c..703cf43eb6 100644 --- a/source4/heimdal/lib/krb5/changepw.c +++ b/source4/heimdal/lib/krb5/changepw.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: changepw.c 17442 2006-05-05 09:31:15Z lha $"); +RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $"); static void str2data (krb5_data *d, @@ -46,10 +46,12 @@ str2data (krb5_data *d, ...) { va_list args; + char *str; va_start(args, fmt); - d->length = vasprintf ((char **)&d->data, fmt, args); + d->length = vasprintf (&str, fmt, args); va_end(args); + d->data = str; } /* diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 8a0af23e40..7c3f128ae5 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: get_cred.c 21327 2007-06-26 10:54:15Z lha $"); +RCSID("$Id: get_cred.c 21669 2007-07-22 11:29:13Z lha $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -1224,9 +1224,10 @@ krb5_get_renewed_creds(krb5_context context, { krb5_error_code ret; krb5_kdc_flags flags; - krb5_creds in, *template; + krb5_creds in, *template, *out = NULL; memset(&in, 0, sizeof(in)); + memset(creds, 0, sizeof(*creds)); ret = krb5_copy_principal(context, client, &in.client); if (ret) @@ -1263,9 +1264,14 @@ krb5_get_renewed_creds(krb5_context context, krb5_free_creds (context, template); } - ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &creds); + ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out); krb5_free_principal(context, in.client); krb5_free_principal(context, in.server); + if (ret) + return ret; + + ret = krb5_copy_creds_contents(context, out, creds); + krb5_free_creds(context, out); return ret; } diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c index 5bdf23d97f..bd250cef2b 100644 --- a/source4/heimdal/lib/krb5/init_creds.c +++ b/source4/heimdal/lib/krb5/init_creds.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds.c 20541 2007-04-23 12:19:14Z lha $"); +RCSID("$Id: init_creds.c 21712 2007-07-27 14:23:41Z lha $"); void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) @@ -225,9 +225,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, krb5_get_init_creds_opt_set_renew_life(opt, t); krb5_appdefault_boolean(context, appname, realm, "no-addresses", - FALSE, &b); - if (b) - krb5_get_init_creds_opt_set_addressless (context, opt, TRUE); + KRB5_ADDRESSLESS_DEFAULT, &b); + krb5_get_init_creds_opt_set_addressless (context, opt, b); #if 0 krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 1676da3bd6..0043b5ef3c 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c 21061 2007-06-12 17:56:30Z lha $"); +RCSID("$Id: init_creds_pw.c 21428 2007-07-10 12:31:58Z lha $"); typedef struct krb5_get_init_creds_ctx { KDCOptions flags; diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index a551c42ecd..9a84dde61a 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -383,7 +383,7 @@ _krb5_pk_verify_sign ( krb5_error_code _krb5_plugin_find ( krb5_context /*context*/, - enum plugin_type /*type*/, + enum krb5_plugin_type /*type*/, const char */*name*/, struct krb5_plugin **/*list*/); @@ -399,7 +399,7 @@ _krb5_plugin_get_symbol (struct krb5_plugin */*p*/); krb5_error_code _krb5_plugin_register ( krb5_context /*context*/, - enum plugin_type /*type*/, + enum krb5_plugin_type /*type*/, const char */*name*/, void */*symbol*/); diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 058496434e..740b394be8 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -2243,14 +2243,6 @@ krb5_get_pw_salt ( krb5_const_principal /*principal*/, krb5_salt */*salt*/); -krb5_error_code KRB5_LIB_FUNCTION -krb5_get_renewed_creds ( - krb5_context /*context*/, - krb5_creds */*creds*/, - krb5_const_principal /*client*/, - krb5_ccache /*ccache*/, - const char */*in_tkt_service*/); - krb5_error_code KRB5_LIB_FUNCTION krb5_get_server_rcache ( krb5_context /*context*/, diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h index 2ea534cfe3..dfd7e94460 100644 --- a/source4/heimdal/lib/krb5/krb5-v4compat.h +++ b/source4/heimdal/lib/krb5/krb5-v4compat.h @@ -31,11 +31,13 @@ * SUCH DAMAGE. */ -/* $Id: krb5-v4compat.h 17442 2006-05-05 09:31:15Z lha $ */ +/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */ #ifndef __KRB5_V4COMPAT_H__ #define __KRB5_V4COMPAT_H__ +#include "krb_err.h" + /* * This file must only be included with v4 compat glue stuff in * heimdal sources. @@ -57,56 +59,10 @@ #define AUTH_MSG_KDC_RENEW (10<<1) #define AUTH_MSG_DIE (63<<1) -/* values for kerb error codes */ - -#define KERB_ERR_OK 0 -#define KERB_ERR_NAME_EXP 1 -#define KERB_ERR_SERVICE_EXP 2 -#define KERB_ERR_AUTH_EXP 3 -#define KERB_ERR_PKT_VER 4 -#define KERB_ERR_NAME_MAST_KEY_VER 5 -#define KERB_ERR_SERV_MAST_KEY_VER 6 -#define KERB_ERR_BYTE_ORDER 7 -#define KERB_ERR_PRINCIPAL_UNKNOWN 8 -#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9 -#define KERB_ERR_NULL_KEY 10 -#define KERB_ERR_TIMEOUT 11 - - -/* Error codes returned from the KDC */ -#define KDC_OK 0 /* Request OK */ -#define KDC_NAME_EXP 1 /* Principal expired */ -#define KDC_SERVICE_EXP 2 /* Service expired */ -#define KDC_AUTH_EXP 3 /* Auth expired */ -#define KDC_PKT_VER 4 /* Protocol version unknown */ -#define KDC_P_MKEY_VER 5 /* Wrong master key version */ -#define KDC_S_MKEY_VER 6 /* Wrong master key version */ -#define KDC_BYTE_ORDER 7 /* Byte order unknown */ -#define KDC_PR_UNKNOWN 8 /* Principal unknown */ -#define KDC_PR_N_UNIQUE 9 /* Principal not unique */ -#define KDC_NULL_KEY 10 /* Principal has null key */ -#define KDC_GEN_ERR 20 /* Generic error from KDC */ - /* General definitions */ #define KSUCCESS 0 #define KFAILURE 255 -/* Values returned by rd_ap_req */ -#define RD_AP_OK 0 /* Request authentic */ -#define RD_AP_UNDEC 31 /* Can't decode authenticator */ -#define RD_AP_EXP 32 /* Ticket expired */ -#define RD_AP_NYV 33 /* Ticket not yet valid */ -#define RD_AP_REPEAT 34 /* Repeated request */ -#define RD_AP_NOT_US 35 /* The ticket isn't for us */ -#define RD_AP_INCON 36 /* Request is inconsistent */ -#define RD_AP_TIME 37 /* delta_t too big */ -#define RD_AP_BADD 38 /* Incorrect net address */ -#define RD_AP_VERSION 39 /* protocol version mismatch */ -#define RD_AP_MSG_TYPE 40 /* invalid msg type */ -#define RD_AP_MODIFIED 41 /* message stream modified */ -#define RD_AP_ORDER 42 /* message out of order */ -#define RD_AP_UNAUTHOR 43 /* unauthorized request */ - /* */ #define MAX_KTXT_LEN 1250 diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 345fe70764..4f9a63bf05 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h 21252 2007-06-21 04:18:28Z lha $ */ +/* $Id: krb5.h 21551 2007-07-15 09:03:39Z lha $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -436,11 +436,6 @@ typedef struct krb5_config_binding krb5_config_binding; typedef krb5_config_binding krb5_config_section; -enum { - KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */ - KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */ -}; - typedef struct krb5_ticket { EncTicketPart ticket; krb5_principal client; @@ -766,6 +761,12 @@ typedef struct krb5_sendto_ctx *krb5_sendto_ctx; typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *); +struct krb5_plugin; +enum krb5_plugin_type { + PLUGIN_TYPE_DATA = 1, + PLUGIN_TYPE_FUNC +}; + struct credentials; /* this is to keep the compiler happy */ struct getargs; struct sockaddr; diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index 87169fc430..b41e6e1182 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h 20261 2007-02-18 00:32:22Z lha $ */ +/* $Id: krb5_locl.h 21552 2007-07-15 09:04:00Z lha $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -148,12 +148,6 @@ struct krb5_dh_moduli; /* v4 glue */ struct _krb5_krb_auth_data; -struct krb5_plugin; -enum plugin_type { - PLUGIN_TYPE_DATA = 1, - PLUGIN_TYPE_FUNC -}; - #include #include @@ -236,7 +230,7 @@ typedef struct krb5_context_data { char error_buf[256]; krb5_addresses *ignore_addresses; char *default_cc_name; - int pkinit_flags; + char *default_cc_name_env; void *mutex; /* protects error_string/error_buf */ int large_msg_size; int dns_canonicalize_hostname; diff --git a/source4/heimdal/lib/krb5/krb_err.et b/source4/heimdal/lib/krb5/krb_err.et new file mode 100644 index 0000000000..f7dbb6ce7a --- /dev/null +++ b/source4/heimdal/lib/krb5/krb_err.et @@ -0,0 +1,63 @@ +# +# Error messages for the krb4 library +# +# This might look like a com_err file, but is not +# +id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $" + +error_table krb + +prefix KRB4ET +ec KSUCCESS, "Kerberos 4 successful" +ec KDC_NAME_EXP, "Kerberos 4 principal expired" +ec KDC_SERVICE_EXP, "Kerberos 4 service expired" +ec KDC_AUTH_EXP, "Kerberos 4 auth expired" +ec KDC_PKT_VER, "Incorrect Kerberos 4 master key version" +ec KDC_P_MKEY_VER, "Incorrect Kerberos 4 master key version" +ec KDC_S_MKEY_VER, "Incorrect Kerberos 4 master key version" +ec KDC_BYTE_ORDER, "Kerberos 4 byte order unknown" +ec KDC_PR_UNKNOWN, "Kerberos 4 principal unknown" +ec KDC_PR_N_UNIQUE, "Kerberos 4 principal not unique" +ec KDC_NULL_KEY, "Kerberos 4 principal has null key" +index 20 +ec KDC_GEN_ERR, "Generic error from KDC (Kerberos 4)" +ec GC_TKFIL, "Can't read Kerberos 4 ticket file" +ec GC_NOTKT, "Can't find Kerberos 4 ticket or TGT" +index 26 +ec MK_AP_TGTEXP, "Kerberos 4 TGT Expired" +index 31 +ec RD_AP_UNDEC, "Kerberos 4: Can't decode authenticator" +ec RD_AP_EXP, "Kerberos 4 ticket expired" +ec RD_AP_NYV, "Kerberos 4 ticket not yet valid" +ec RD_AP_REPEAT, "Kerberos 4: Repeated request" +ec RD_AP_NOT_US, "The Kerberos 4 ticket isn't for us" +ec RD_AP_INCON, "Kerberos 4 request inconsistent" +ec RD_AP_TIME, "Kerberos 4: delta_t too big" +ec RD_AP_BADD, "Kerberos 4: incorrect net address" +ec RD_AP_VERSION, "Kerberos protocol not version 4" +ec RD_AP_MSG_TYPE, "Kerberos 4: invalid msg type" +ec RD_AP_MODIFIED, "Kerberos 4: message stream modified" +ec RD_AP_ORDER, "Kerberos 4: message out of order" +ec RD_AP_UNAUTHOR, "Kerberos 4: unauthorized request" +index 51 +ec GT_PW_NULL, "Kerberos 4: current PW is null" +ec GT_PW_BADPW, "Kerberos 4: Incorrect current password" +ec GT_PW_PROT, "Kerberos 4 protocol error" +ec GT_PW_KDCERR, "Error returned by KDC (Kerberos 4)" +ec GT_PW_NULLTKT, "Null Kerberos 4 ticket returned by KDC" +ec SKDC_RETRY, "Kerberos 4: Retry count exceeded" +ec SKDC_CANT, "Kerberos 4: Can't send request" +index 61 +ec INTK_W_NOTALL, "Kerberos 4: not all tickets returned" +ec INTK_BADPW, "Kerberos 4: incorrect password" +ec INTK_PROT, "Kerberos 4: Protocol Error" +index 70 +ec INTK_ERR, "Other error in Kerberos 4" +ec AD_NOTGT, "Don't have Kerberos 4 ticket-granting ticket" +index 76 +ec NO_TKT_FIL, "No Kerberos 4 ticket file found" +ec TKT_FIL_ACC, "Couldn't access Kerberos 4 ticket file" +ec TKT_FIL_LCK, "Couldn't lock Kerberos 4 ticket file" +ec TKT_FIL_FMT, "Bad Kerberos 4 ticket file format" +ec TKT_FIL_INI, "Kerberos 4: tf_init not called first" +ec KNAME_FMT, "Bad Kerberos 4 name format" diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c index 69b52dd808..094fd4f9c6 100644 --- a/source4/heimdal/lib/krb5/krbhst.c +++ b/source4/heimdal/lib/krb5/krbhst.c @@ -35,7 +35,7 @@ #include #include "locate_plugin.h" -RCSID("$Id: krbhst.c 21131 2007-06-18 20:48:09Z lha $"); +RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $"); static int string_to_proto(const char *string) @@ -919,8 +919,10 @@ gethostlist(krb5_context context, const char *realm, while(krb5_krbhst_next(context, handle, &hostinfo) == 0) nhost++; - if(nhost == 0) + if(nhost == 0) { + krb5_set_error_string(context, "No KDC found for realm %s", realm); return KRB5_KDC_UNREACH; + } *hostlist = calloc(nhost + 1, sizeof(**hostlist)); if(*hostlist == NULL) { krb5_krbhst_free(context, handle); diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 105cab554d..c8587770f4 100755 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: pkinit.c 21321 2007-06-26 05:21:56Z lha $"); +RCSID("$Id: pkinit.c 21684 2007-07-23 23:09:10Z lha $"); struct krb5_dh_moduli { char *name; @@ -645,8 +645,6 @@ _krb5_pk_mk_padata(krb5_context context, req_body->realm, "pkinit_win2k", NULL); - if (context->pkinit_flags & KRB5_PKINIT_WIN2K) - win2k_compat = 1; if (win2k_compat) { ctx->require_binding = @@ -1721,7 +1719,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli) free(moduli); } -static const char *default_moduli = +static const char *default_moduli_RFC2412_MODP_group2 = /* name */ "RFC2412-MODP-group2 " /* bits */ @@ -1743,6 +1741,37 @@ static const char *default_moduli = "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0" "FFFFFFFF" "FFFFFFFF"; +static const char *default_moduli_rfc3526_MODP_group14 = + /* name */ + "rfc3526-MODP-group14 " + /* bits */ + "1760 " + /* p */ + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" + "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" + "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" + "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" + "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" + "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" + "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF " + /* g */ + "02 " + /* q */ + "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68" + "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E" + "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122" + "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6" + "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E" + "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF" + "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36" + "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D" + "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964" + "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288" + "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF"; krb5_error_code _krb5_parse_moduli(krb5_context context, const char *file, @@ -1757,19 +1786,28 @@ _krb5_parse_moduli(krb5_context context, const char *file, *moduli = NULL; - m = calloc(1, sizeof(m[0]) * 2); + m = calloc(1, sizeof(m[0]) * 3); if (m == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - strlcpy(buf, default_moduli, sizeof(buf)); + strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf)); ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]); if (ret) { _krb5_free_moduli(m); return ret; } - n = 1; + n++; + + strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf)); + ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]); + if (ret) { + _krb5_free_moduli(m); + return ret; + } + n++; + if (file == NULL) file = MODULI_FILE; diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c index 68317a12c0..43fa3f5b45 100644 --- a/source4/heimdal/lib/krb5/plugin.c +++ b/source4/heimdal/lib/krb5/plugin.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: plugin.c 21134 2007-06-18 21:02:23Z lha $"); +RCSID("$Id: plugin.c 21702 2007-07-26 19:13:53Z lha $"); #ifdef HAVE_DLFCN_H #include #endif @@ -45,7 +45,7 @@ struct krb5_plugin { }; struct plugin { - enum plugin_type type; + enum krb5_plugin_type type; void *name; void *symbol; struct plugin *next; @@ -76,9 +76,11 @@ _krb5_plugin_get_next(struct krb5_plugin *p) * */ +#ifdef HAVE_DLOPEN + static krb5_error_code loadlib(krb5_context context, - enum plugin_type type, + enum krb5_plugin_type type, const char *name, const char *lib, struct krb5_plugin **e) @@ -113,10 +115,11 @@ loadlib(krb5_context context, return 0; } +#endif /* HAVE_DLOPEN */ krb5_error_code _krb5_plugin_register(krb5_context context, - enum plugin_type type, + enum krb5_plugin_type type, const char *name, void *symbol) { @@ -146,7 +149,7 @@ _krb5_plugin_register(krb5_context context, krb5_error_code _krb5_plugin_find(krb5_context context, - enum plugin_type type, + enum krb5_plugin_type type, const char *name, struct krb5_plugin **list) { @@ -181,6 +184,8 @@ _krb5_plugin_find(krb5_context context, } HEIMDAL_MUTEX_unlock(&plugin_mutex); +#ifdef HAVE_DLOPEN + dirs = krb5_config_get_strings(context, NULL, "libdefaults", "plugin_dir", NULL); if (dirs == NULL) { @@ -213,6 +218,7 @@ _krb5_plugin_find(krb5_context context, } if (dirs != sysdirs) krb5_config_free_strings(dirs); +#endif /* HAVE_DLOPEN */ if (*list == NULL) { krb5_set_error_string(context, "Did not find a plugin for %s", name); diff --git a/source4/heimdal/lib/krb5/rd_priv.c b/source4/heimdal/lib/krb5/rd_priv.c index d3920dd941..47b5df85b2 100644 --- a/source4/heimdal/lib/krb5/rd_priv.c +++ b/source4/heimdal/lib/krb5/rd_priv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_priv.c 17056 2006-04-12 16:18:10Z lha $"); +RCSID("$Id: rd_priv.c 21770 2007-08-01 04:04:33Z lha $"); krb5_error_code KRB5_LIB_FUNCTION krb5_rd_priv(krb5_context context, @@ -55,13 +55,17 @@ krb5_rd_priv(krb5_context context, if ((auth_context->flags & (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - outdata == NULL) + outdata == NULL) { + krb5_clear_error_string (context); return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + } memset(&priv, 0, sizeof(priv)); ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len); - if (ret) + if (ret) { + krb5_clear_error_string (context); goto failure; + } if (priv.pvno != 5) { krb5_clear_error_string (context); ret = KRB5KRB_AP_ERR_BADVERSION; @@ -94,8 +98,10 @@ krb5_rd_priv(krb5_context context, ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len); krb5_data_free (&plain); - if (ret) + if (ret) { + krb5_clear_error_string (context); goto failure; + } /* check sender address */ diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c index d42fbec3a5..3f99df6391 100644 --- a/source4/heimdal/lib/krb5/v4_glue.c +++ b/source4/heimdal/lib/krb5/v4_glue.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: v4_glue.c 17442 2006-05-05 09:31:15Z lha $"); +RCSID("$Id: v4_glue.c 21572 2007-07-16 05:13:08Z lha $"); #include "krb5-v4compat.h" @@ -351,12 +351,12 @@ storage_to_etext(krb5_context context, size = krb5_storage_seek(sp, 0, SEEK_END); if (size < 0) - return EINVAL; + return KRB4ET_RD_AP_UNDEC; size = 8 - (size & 7); ret = krb5_storage_write(sp, eightzeros, size); if (ret != size) - return EINVAL; + return KRB4ET_RD_AP_UNDEC; ret = krb5_storage_to_data(sp, &data); if (ret) @@ -435,7 +435,7 @@ _krb5_krb_create_ticket(krb5_context context, session->keyvalue.data, session->keyvalue.length); if (ret != session->keyvalue.length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; goto error; } @@ -487,7 +487,7 @@ _krb5_krb_create_ciph(krb5_context context, session->keyvalue.data, session->keyvalue.length); if (ret != session->keyvalue.length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; goto error; } @@ -497,7 +497,7 @@ _krb5_krb_create_ciph(krb5_context context, RCHECK(ret, krb5_store_int8(sp, ticket->length), error); ret = krb5_storage_write(sp, ticket->data, ticket->length); if (ret != ticket->length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; goto error; } RCHECK(ret, krb5_store_int32(sp, kdc_time), error); @@ -550,7 +550,7 @@ _krb5_krb_create_auth_reply(krb5_context context, RCHECK(ret, krb5_store_int16(sp, cipher->length), error); ret = krb5_storage_write(sp, cipher->data, cipher->length); if (ret != cipher->length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; goto error; } @@ -599,6 +599,9 @@ _krb5_krb_cr_err_reply(krb5_context context, RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error); RCHECK(ret, put_nir(sp, name, inst, realm), error); RCHECK(ret, krb5_store_int32(sp, time_ws), error); + /* If its a Kerberos 4 error-code, remove the et BASE */ + if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255) + e -= ERROR_TABLE_BASE_krb; RCHECK(ret, krb5_store_int32(sp, e), error); RCHECK(ret, krb5_store_stringz(sp, e_string), error); @@ -623,7 +626,7 @@ get_v4_stringz(krb5_storage *sp, char **str, size_t max_len) if (strlen(*str) > max_len) { free(*str); *str = NULL; - return EINVAL; + return KRB4ET_INTK_PROT; } return 0; } @@ -662,7 +665,7 @@ _krb5_krb_decomp_ticket(krb5_context context, return ENOMEM; } - krb5_storage_set_eof_code(sp, EINVAL); /* XXX */ + krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT); RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error); RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error); @@ -672,7 +675,7 @@ _krb5_krb_decomp_ticket(krb5_context context, size = krb5_storage_read(sp, des_key, sizeof(des_key)); if (size != sizeof(des_key)) { - ret = EINVAL; /* XXX */ + ret = KRB4ET_INTK_PROT; goto error; } @@ -770,26 +773,32 @@ _krb5_krb_rd_req(krb5_context context, return ENOMEM; } - krb5_storage_set_eof_code(sp, EINVAL); /* XXX */ + krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT); ret = krb5_ret_int8(sp, &pvno); - if (ret) + if (ret) { + krb5_set_error_string(context, "Failed reading v4 pvno"); goto error; + } if (pvno != KRB_PROT_VERSION) { - ret = EINVAL; /* XXX */ + ret = KRB4ET_RD_AP_VERSION; + krb5_set_error_string(context, "Failed v4 pvno not 4"); goto error; } ret = krb5_ret_int8(sp, &type); - if (ret) + if (ret) { + krb5_set_error_string(context, "Failed readin v4 type"); goto error; + } little_endian = type & 1; type &= ~1; if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) { - ret = EINVAL; /* RD_AP_MSG_TYPE */ + ret = KRB4ET_RD_AP_MSG_TYPE; + krb5_set_error_string(context, "Not a valid v4 request type"); goto error; } @@ -801,7 +810,8 @@ _krb5_krb_rd_req(krb5_context context, size = krb5_storage_read(sp, ticket.data, ticket.length); if (size != ticket.length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; + krb5_set_error_string(context, "Failed reading v4 ticket"); goto error; } @@ -815,7 +825,8 @@ _krb5_krb_rd_req(krb5_context context, size = krb5_storage_read(sp, eaut.data, eaut.length); if (size != eaut.length) { - ret = EINVAL; + ret = KRB4ET_INTK_PROT; + krb5_set_error_string(context, "Failed reading v4 authenticator"); goto error; } @@ -828,8 +839,8 @@ _krb5_krb_rd_req(krb5_context context, sp = krb5_storage_from_data(&aut); if (sp == NULL) { - krb5_set_error_string(context, "alloc: out of memory"); ret = ENOMEM; + krb5_set_error_string(context, "alloc: out of memory"); goto error; } @@ -849,19 +860,22 @@ _krb5_krb_rd_req(krb5_context context, if (strcmp(ad->pname, r_name) != 0 || strcmp(ad->pinst, r_instance) != 0 || strcmp(ad->prealm, r_realm) != 0) { - ret = EINVAL; /* RD_AP_INCON */ + krb5_set_error_string(context, "v4 principal mismatch"); + ret = KRB4ET_RD_AP_INCON; goto error; } - if (from_addr && from_addr != ad->address) { - ret = EINVAL; /* RD_AP_BADD */ + if (from_addr && ad->address && from_addr != ad->address) { + krb5_set_error_string(context, "v4 bad address in ticket"); + ret = KRB4ET_RD_AP_BADD; goto error; } gettimeofday(&tv, NULL); delta_t = abs((int)(tv.tv_sec - r_time_sec)); if (delta_t > CLOCK_SKEW) { - ret = EINVAL; /* RD_AP_TIME */ + ret = KRB4ET_RD_AP_TIME; + krb5_set_error_string(context, "v4 clock skew"); goto error; } @@ -870,12 +884,14 @@ _krb5_krb_rd_req(krb5_context context, tkt_age = tv.tv_sec - ad->time_sec; if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) { - ret = EINVAL; /* RD_AP_NYV */ + ret = KRB4ET_RD_AP_NYV; + krb5_set_error_string(context, "v4 clock skew for expiration"); goto error; } if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) { - ret = EINVAL; /* RD_AP_EXP */ + ret = KRB4ET_RD_AP_EXP; + krb5_set_error_string(context, "v4 ticket expired"); goto error; } diff --git a/source4/heimdal/lib/ntlm/ntlm.c b/source4/heimdal/lib/ntlm/ntlm.c index 1961c7fa22..671bf329e8 100644 --- a/source4/heimdal/lib/ntlm/ntlm.c +++ b/source4/heimdal/lib/ntlm/ntlm.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: ntlm.c 21317 2007-06-25 19:22:02Z lha $"); +RCSID("$Id: ntlm.c 21604 2007-07-17 06:48:55Z lha $"); #include #include @@ -1105,7 +1105,7 @@ heim_ntlm_verify_ntlm2(const void *key, size_t len, HMAC_CTX_init(&c); HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL); HMAC_Update(&c, serverchallange, 8); - HMAC_Update(&c, ((char *)answer->data) + 16, answer->length - 16); + HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16); HMAC_Final(&c, serveranswer, &hmaclen); HMAC_CTX_cleanup(&c); diff --git a/source4/heimdal_build/config.mk b/source4/heimdal_build/config.mk index 73187c31dc..940d9cdb9c 100644 --- a/source4/heimdal_build/config.mk +++ b/source4/heimdal_build/config.mk @@ -259,7 +259,8 @@ OBJ_FILES = \ ../heimdal/lib/krb5/warn.o \ ../heimdal/lib/krb5/krb5_err.o \ ../heimdal/lib/krb5/heim_err.o \ - ../heimdal/lib/krb5/k524_err.o + ../heimdal/lib/krb5/k524_err.o \ + ../heimdal/lib/krb5/krb_err.o # End SUBSYSTEM HEIMDAL_KRB5 ####################### @@ -568,10 +569,15 @@ include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/CMS.asn1 cms_asn1 hei include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/ocsp.asn1 ocsp_asn1 heimdal/lib/hx509 --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData| include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/kx509.asn1 kx509_asn1 heimdal/lib/asn1| include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/pkcs10.asn1 pkcs10_asn1 heimdal/lib/hx509 --preserve-binary=CertificationRequestInfo| + +# +# Ensure to update ../static_deps.mk when you add a new entry here! +# include perl_path_wrapper.sh et_deps.pl heimdal/lib/asn1/asn1_err.et heimdal/lib/asn1| include perl_path_wrapper.sh et_deps.pl heimdal/lib/hdb/hdb_err.et heimdal/lib/hdb| include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/heim_err.et heimdal/lib/krb5| include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/k524_err.et heimdal/lib/krb5| +include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb_err.et heimdal/lib/krb5| include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb5_err.et heimdal/lib/krb5| include perl_path_wrapper.sh et_deps.pl heimdal/lib/gssapi/krb5/gkrb5_err.et heimdal/lib/gssapi| include perl_path_wrapper.sh et_deps.pl heimdal/lib/hx509/hx509_err.et heimdal/lib/hx509| diff --git a/source4/static_deps.mk b/source4/static_deps.mk index 34bb1263c1..1c9173b32c 100644 --- a/source4/static_deps.mk +++ b/source4/static_deps.mk @@ -35,6 +35,7 @@ heimdal_basics: \ heimdal/lib/hdb/hdb_err.h \ heimdal/lib/krb5/heim_err.h \ heimdal/lib/krb5/k524_err.h \ + heimdal/lib/krb5/krb_err.h \ heimdal/lib/krb5/krb5_err.h \ heimdal/lib/gssapi/gkrb5_err.h \ heimdal/lib/hx509/hx509_err.h -- cgit